From bbae16baa9cbb6a1bf1574bd272fc23a46c5217b Mon Sep 17 00:00:00 2001
From: Thomas Gerbet <thomas@gerbet.me>
Date: Wed, 2 Nov 2022 17:17:03 +0100
Subject: [PATCH] quictls: 3.0.5+quick_unstable-2022-07.05 -> 3.0.7+quic1

Fixes CVE-2022-3786 and CVE-2022-3602.
See eeca5969b3f42ac943639aaec503816f053e5e53 and 70ca403dc22e97fb4b73ab74af29e1c8a1f45f69.
---
 pkgs/development/libraries/quictls/default.nix | 9 ++++++---
 1 file changed, 6 insertions(+), 3 deletions(-)

diff --git a/pkgs/development/libraries/quictls/default.nix b/pkgs/development/libraries/quictls/default.nix
index 22981bfef7af..cd0ae4d3eef4 100644
--- a/pkgs/development/libraries/quictls/default.nix
+++ b/pkgs/development/libraries/quictls/default.nix
@@ -12,13 +12,13 @@
 
 stdenv.mkDerivation rec {
   pname = "quictls";
-  version = "3.0.5+quick_unstable-2022-07.05";
+  version = "3.0.7+quic1";
 
   src = fetchFromGitHub {
     owner = "quictls";
     repo = "openssl";
-    rev = "75e940831d0570d6b020cfebf128ae500f424867";
-    sha256 = "sha256-1HBGKafcCbM0RZWLvyl3vpSfGBsAcGDgjz1Nm/qclWM=";
+    rev = "openssl-${version}";
+    sha256 = "sha256-ZRS0ZV+/U4PD2lVE+PsUAWSuk5EFg5mOKYlwgY3Ecus=";
   };
 
   patches = [
@@ -108,6 +108,9 @@ stdenv.mkDerivation rec {
     "-DUSE_CRYPTODEV_DIGESTS"
   ] ++ lib.optional enableSSL2 "enable-ssl2"
     ++ lib.optional enableSSL3 "enable-ssl3"
+    # We select KTLS here instead of the configure-time detection (which we patch out).
+    # KTLS should work on FreeBSD 13+ as well, so we could enable it if someone tests it.
+    ++ lib.optional (stdenv.isLinux && lib.versionAtLeast version "3.0.0") "enable-ktls"
     ++ lib.optional stdenv.hostPlatform.isAarch64 "no-afalgeng"
     # OpenSSL needs a specific `no-shared` configure flag.
     # See https://wiki.openssl.org/index.php/Compilation_and_Installation#Configure_Options