feat: Add OpenSSL 3.5.1 support to nix-based development shells

README.md

@@ -154,7 +154,7 @@ s2n-tls avoids implementing rarely used options and extensions, as well as featu
 The security of TLS and its associated encryption algorithms depends upon secure random number generation. s2n-tls provides every thread with two separate random number generators. One for "public" randomly generated data that may appear in the clear, and one for "private" data that should remain secret. This approach lessens the risk of potential predictability weaknesses in random number generation algorithms from leaking information across contexts.
 
 ##### Modularized encryption
-s2n-tls has been structured so that different encryption libraries may be used. Today s2n-tls supports AWS-LC, OpenSSL (versions 1.0.2, 1.1.1 and 3.0.x), LibreSSL, and BoringSSL to perform the underlying cryptographic operations. Check the [libcrypto build documentation](docs/BUILD.md#building-with-a-specific-libcrypto) for a list of libcrypto-specific features.
+s2n-tls has been structured so that different encryption libraries may be used. Today s2n-tls supports AWS-LC, OpenSSL (versions 1.0.2, 1.1.1, 3.0.x and 3.5.x), LibreSSL, and BoringSSL to perform the underlying cryptographic operations. Check the [libcrypto build documentation](docs/BUILD.md#building-with-a-specific-libcrypto) for a list of libcrypto-specific features.
 
 ##### Timing blinding
 s2n-tls includes structured support for blinding time-based side-channels that may leak sensitive data. For example, if s2n-tls fails to parse a TLS record or handshake message, s2n-tls will add a randomized delay of between 10 and 30 seconds, granular to nanoseconds, before responding. This raises the complexity of real-world timing side-channel attacks by a factor of at least tens of trillions.

flake.nix

@@ -28,6 +28,7 @@
         openssl_1_0_2 = import ./nix/openssl_1_0_2.nix { pkgs = pkgs; };
         openssl_1_1_1 = import ./nix/openssl_1_1_1.nix { pkgs = pkgs; };
         openssl_3_0 = import ./nix/openssl_3_0.nix { pkgs = pkgs; };
+        openssl_3_5_1 = import ./nix/openssl_3_5_1.nix { pkgs = pkgs; };
         libressl = import ./nix/libressl.nix { pkgs = pkgs; };
         common_packages = [
           # Integration Deps
@@ -107,7 +108,7 @@
         # Import devShells from the separate module
         devShells = import ./nix/devshells.nix {
           inherit pkgs system common_packages openssl_1_0_2 openssl_1_1_1
-            openssl_3_0 libressl aws-lc aws-lc-fips-2022 aws-lc-fips-2024
+            openssl_3_0 openssl_3_5_1 libressl aws-lc aws-lc-fips-2022 aws-lc-fips-2024
             writeScript;
         };
         packages.devShell = devShells.default.inputDerivation;

nix/devshells.nix

@@ -1,5 +1,5 @@
-{ pkgs, system, common_packages, openssl_1_0_2, openssl_1_1_1, openssl_3_0
-, libressl, aws-lc, aws-lc-fips-2022, aws-lc-fips-2024, writeScript }:
+{ pkgs, system, common_packages, openssl_1_0_2, openssl_1_1_1, openssl_3_0,
+openssl_3_5_1, libressl, aws-lc, aws-lc-fips-2022, aws-lc-fips-2024, writeScript }:
 
 let
   # Define the default devShell
@@ -18,6 +18,7 @@ let
       if openssl_1_0_2 != null then "${openssl_1_0_2}" else "";
     OPENSSL_1_1_1_INSTALL_DIR = "${openssl_1_1_1}";
     OPENSSL_3_0_INSTALL_DIR = "${openssl_3_0}";
+    OPENSSL_3_5_1_INSTALL_DIR = "${openssl_3_5_1}";
     AWSLC_INSTALL_DIR = "${aws-lc}";
     AWSLC_FIPS_2022_INSTALL_DIR = "${aws-lc-fips-2022}";
     AWSLC_FIPS_2024_INSTALL_DIR = "${aws-lc-fips-2024}";
@@ -76,6 +77,21 @@ let
     '';
   });
 
+  openssl351 = default.overrideAttrs (finalAttrs: previousAttrs: {
+  buildInputs = [ pkgs.cmake openssl_3_5_1 ];
+  S2N_LIBCRYPTO = "openssl-3.5.1";
+  # Integ s_client/server tests expect openssl 3.5.1
+  shellHook = ''
+    echo Setting up $S2N_LIBCRYPTO environment from flake.nix...
+    export OPENSSL_PATH=${openssl_3_5_1}
+    export PATH=$OPENSSL_PATH/bin:$PATH
+    export LD_LIBRARY_PATH=$OPENSSL_PATH/lib:$LD_LIBRARY_PATH
+
+    export PS1="[nix $S2N_LIBCRYPTO] $PS1"
+    source ${writeScript ./shell.sh}
+  '';
+});
+
   # Define the awslc devShell
   awslc_shell = default.overrideAttrs (finalAttrs: previousAttrs: {
     # Re-include cmake to update the environment with a new libcrypto.
@@ -118,6 +134,7 @@ let
 in {
   default = default;
   openssl111 = openssl111;
+  openssl351 = openssl351;
   libressl = libressl_shell;
   openssl102 = openssl102;
   awslc = awslc_shell;

nix/openssl_3_5_1.nix

@@ -0,0 +1,34 @@
+{ pkgs }:
+pkgs.stdenv.mkDerivation rec {
+  pname = "openssl";
+  version = "3.5.1";
+
+  src = pkgs.fetchzip {
+    url =
+      "https://github.com/openssl/openssl/archive/refs/tags/openssl-3.5.1.zip";
+    sha256 = "sha256-y8TjWvz6E75CQgEc/6g6hjOyY8QZYX9uf1u1gyIs+dg=";
+  };
+
+  buildInputs = [ pkgs.gnumake pkgs.perl ];
+
+  patchPhase = ''
+    substitute ./Configure ./Configure --replace /usr/bin/env ${pkgs.coreutils}/bin/env
+  '';
+
+  configurePhase = ''
+    ./Configure shared -g3 -fPIC              \
+         no-md2 no-rc5 no-rfc3779 no-sctp no-ssl-trace no-zlib     \
+         no-hw no-mdc2 no-seed no-idea enable-ec_nistp_64_gcc_128 no-camellia\
+         no-bf no-ripemd no-dsa no-ssl2 no-ssl3 no-capieng no-dtls          \
+         -DSSL_FORBID_ENULL -DOPENSSL_NO_DTLS1 -DOPENSSL_NO_HEARTBEATS      \
+         --prefix=$out
+  '';
+
+  buildPhase = ''
+    make -j $(nproc)
+  '';
+
+  installPhase = ''
+    make install
+  '';
+}

nix/shell.sh

@@ -28,6 +28,7 @@ function libcrypto_alias {
 libcrypto_alias openssl102 "${OPENSSL_1_0_2_INSTALL_DIR}/bin/openssl"
 libcrypto_alias openssl111 "${OPENSSL_1_1_1_INSTALL_DIR}/bin/openssl"
 libcrypto_alias openssl30 "${OPENSSL_3_0_INSTALL_DIR}/bin/openssl"
+libcrypto_alias openssl351 "${OPENSSL_3_5_1_INSTALL_DIR}/bin/openssl"
 libcrypto_alias awslc "${AWSLC_INSTALL_DIR}/bin/bssl"
 libcrypto_alias awslcfips2022 "${AWSLC_FIPS_2022_INSTALL_DIR}/bin/bssl"
 libcrypto_alias awslcfips2024 "${AWSLC_FIPS_2024_INSTALL_DIR}/bin/bssl"