From db6dda59f36c699316d8757008d4d4ccca6f708a Mon Sep 17 00:00:00 2001
From: Raito Bezarius
Date: Sat, 22 Jul 2023 00:08:50 +0200
Subject: [PATCH] edk2: backport OpenSSL 1.1.1t to the tree

Original bug: https://bugzilla.tianocore.org/show_bug.cgi?id=4342
Note that we use `excludes` here because EDK2 vendors OpenSSL via git submodules, we unbundle it, refetch it ourselves and apply in `postPatch`. Therefore, we also need to unpatch the `CryptoPkg/Library/OpensslLib/openssl`. Instead of upgrading EDK2, we decided to backport the patch manually because upgrading caused breakages in 23.05.
---
 pkgs/development/compilers/edk2/default.nix | 28 ++++++++++++++++++++-
 1 file changed, 27 insertions(+), 1 deletion(-)

diff --git a/pkgs/development/compilers/edk2/default.nix b/pkgs/development/compilers/edk2/default.nix
index 878d3f75683832d..cee815f496ee591 100644
--- a/pkgs/development/compilers/edk2/default.nix
+++ b/pkgs/development/compilers/edk2/default.nix
@@ -34,6 +34,13 @@ buildType = if stdenv.isDarwin then
 else "GCC5";
+ vendoredOpenSSL = fetchFromGitHub {
+ owner = "openssl";
+ repo = "openssl";
+ rev = "830bf8e1e4749ad65c51b6a1d0d769ae689404ba";
+ sha256 = "sha256-gI2+Vm67j1+xLvzBb+DF0YFTOHW7myotRsXRzluzSLY=";
+ };
+
 edk2 = buildStdenv.mkDerivation {
 pname = "edk2";
 version = "202211";
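Review bot: The `vendoredOpenSSL` pin is a bare commit (`rev = "830bf8e1e4749ad65c51b6a1d0d769ae689404ba"`), so nothing in the file records which OpenSSL release it is or that it has to stay in step with the bugzilla patch applied further down; the commit message says 1.1.1t, the file does not. A comment above the `rev` line would make the pairing auditable, e.g. `# OpenSSL tree matching the EDK2 OpenSSL 1.1.1t patch below (bugzilla 4342); bump both together.` The same comment should say that this copy is compiled into EDK2 independently of nixpkgs' `openssl` package, so it does not follow that package's security updates and must be bumped by hand. The enclosing attribute set starts and ends outside the hunk.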
@@ -44,9 +51,17 @@ edk2 = buildStdenv.mkDerivation {
 url = "https://src.fedoraproject.org/rpms/edk2/raw/08f2354cd280b4ce5a7888aa85cf520e042955c3/f/0021-Tweak-the-tools_def-to-support-cross-compiling.patch";
 sha256 = "sha256-E1/fiFNVx0aB1kOej2DJ2DlBIs9tAAcxoedym2Zhjxw=";
 })
+ # Apply EDK2-specific OpenSSL 1.1.1t changes
+ (fetchpatch {
+ url = "https://bugzilla.tianocore.org/attachment.cgi?id=1330";
+ hash = "sha256-HAwa9gqTxA5+8UQf5NiRdZYSmE6ykQsDbkHFj7oLygg=";
+ # Normally, EDK2 vendors OpenSSL via Git submodules
+ # We unbundle them because fetchpatch and fetchers interaction are not ideal in nixpkgs.
+ # i.e. we cannot patch a git submodule at the right moment.
+ excludes = [ "CryptoPkg/Library/OpensslLib/openssl" ];
+ })
 ];
- # submodules
 src = fetchFromGitHub {
 owner = "tianocore";
 repo = "edk2";
@@ -55,6 +70,17 @@ edk2 = buildStdenv.mkDerivation {
 sha256 = "sha256-0jE73xPyenAcgJ1mS35oTc5cYw7jJvVYxhPdhTWpKA0=";
 };
+ postUnpack = ''
+ rm -rf source/CryptoPkg/Library/OpensslLib/openssl
+ '';
+
+ # Update the OpenSSL used APIs to 1.1.1t in EDK2…
+ # OpenSSL3 PoC exist: https://patchew.org/EDK2/cover.1679026329.git.yi1.li@intel.com/
+ # Unvendor only when OpenSSL3 support lands otherwise fix everything that breaks, I guess?
+ postPatch = ''
+ cp -r ${vendoredOpenSSL} CryptoPkg/Library/OpensslLib/openssl
+ '';
+
 nativeBuildInputs = [ pythonEnv ];
 depsBuildBuild = [ buildPackages.stdenv.cc buildPackages.util-linux buildPackages.bash ];
 strictDeps = true;
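Review bot: The `excludes = [ "CryptoPkg/Library/OpensslLib/openssl" ]` line drops part of the upstream patch without recording what that part changed; presumably it is the submodule pointer bump, which is exactly the information tying this patch to the `vendoredOpenSSL` pin defined earlier in the file. Extending the inline comment with `# The excluded path is the openssl submodule pointer; vendoredOpenSSL must point at the same commit.` keeps that coupling visible to whoever bumps either side. The three existing comment lines could be tightened to one sentence, since "fetchpatch and fetchers interaction are not ideal" is vaguer than the concrete reason on the following line. The list these entries belong to begins outside the hunk.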
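Review bot: `cp -r ${vendoredOpenSSL} CryptoPkg/Library/OpensslLib/openssl` copies out of the read-only Nix store, and `cp -r` without `-p` typically carries the source's read-only file bits into the copy, so any later phase that writes into that tree would fail with a permission error; the usual idiom is `chmod -R u+w CryptoPkg/Library/OpensslLib/openssl` right after the copy. Separately, `rm -rf source/CryptoPkg/Library/OpensslLib/openssl` in `postUnpack` hard-codes the unpack directory name; `rm -rf "$sourceRoot/CryptoPkg/Library/OpensslLib/openssl"` would follow the actual source root if that variable is already set when `postUnpack` runs, which I believe it is in stdenv but should be confirmed. The comment `# Update the OpenSSL used APIs to 1.1.1t in EDK2…` describes the bugzilla patch rather than what `postPatch` does; `# Replace the removed openssl submodule checkout with the pinned vendoredOpenSSL tree` would be more accurate. The `mkDerivation` attribute set continues outside the hunk.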