1 files changed, 47 insertions, 6 deletions

diff --git a/pkgs/servers/invidious/lsquic.nix b/pkgs/servers/invidious/lsquic.nix
index 9c3bc68615cad..ca04c97c12800 100644
--- a/pkgs/servers/invidious/lsquic.nix
+++ b/pkgs/servers/invidious/lsquic.nix
@@ -1,11 +1,19 @@
-{ lib, boringssl, stdenv, fetchgit, fetchFromGitHub, cmake, zlib, perl, libevent, gcc10Stdenv, buildGoModule }:
+{ lib, boringssl, stdenv, fetchgit, fetchFromGitHub, fetchurl, cmake, zlib, perl, libevent }:
 let
   versions = builtins.fromJSON (builtins.readFile ./versions.json);
 
-  buildGoModuleGcc10 = buildGoModule.override { stdenv = gcc10Stdenv; };
+  fetchGitilesPatch = { name, url, sha256 }:
+    fetchurl {
+      url = "${url}%5E%21?format=TEXT";
+      inherit name sha256;
+      downloadToTemp = true;
+      postFetch = ''
+        base64 -d < $downloadedFile > $out
+      '';
+    };
 
   # lsquic requires a specific boringssl version (noted in its README)
-  boringssl' = (boringssl.overrideAttrs (old: {
+  boringssl' = boringssl.overrideAttrs ({ preBuild, ... }: {
     version = versions.boringssl.rev;
     src = fetchgit {
       url = "https://boringssl.googlesource.com/boringssl";
@@ -15,10 +23,43 @@ let
     patches = [
       # Use /etc/ssl/certs/ca-certificates.crt instead of /etc/ssl/cert.pem
       ./use-etc-ssl-certs.patch
+
+      # because lsquic requires that specific boringssl version and that
+      # version does not yet include fixes for gcc11 build errors, they
+      # must be backported
+      (fetchGitilesPatch {
+        name = "fix-mismatch-between-header-and-implementation-of-bn_sqr_comba8.patch";
+        url = "https://boringssl.googlesource.com/boringssl/+/139adff9b27eaf0bdaac664ec4c9a7db2fe3f920";
+        sha256 = "05sp602dvh50v46jkzmh4sf4wqnq5bwy553596g2rhxg75bailjj";
+      })
+      (fetchGitilesPatch {
+        name = "use-an-unsized-helper-for-truncated-SHA-512-variants.patch";
+        url = "https://boringssl.googlesource.com/boringssl/+/a24ab549e6ae246b391155d7bed3790ac0e07de2";
+        sha256 = "0483jkpg4g64v23ln2blb74xnmzdjcn3r7w4zk7nfg8j3q5f9lxm";
+      })
+/*
+      # the following patch is too complex, so we will modify the build flags
+      # of crypto/fipsmodule/CMakeFiles/fipsmodule.dir/bcm.c.o in preBuild
+      # and turn off -Werror=stringop-overflow
+      (fetchGitilesPatch {
+        name = "make-md32_common.h-single-included-and-use-an-unsized-helper-for-SHA-256.patch";
+        url = "https://boringssl.googlesource.com/boringssl/+/597ffef971dd980b7de5e97a0c9b7ca26eec94bc";
+        sha256 = "1y0bkkdf1ccd6crx326agp01q22clm4ai4p982y7r6dkmxmh52qr";
+      })
+*/
+      (fetchGitilesPatch {
+        name = "fix-array-parameter-warnings.patch";
+        url = "https://boringssl.googlesource.com/boringssl/+/92c6fbfc4c44dc8462d260d836020d2b793e7804";
+        sha256 = "0h4sl95i8b0dj0na4ngf50wg54raxyjxl1zzwdc810abglp10vnv";
+      })
     ];
-  })).override {
-    buildGoModule = buildGoModuleGcc10;
-  };
+
+    preBuild = ''
+      ${preBuild}
+      sed -e '/^build crypto\/fipsmodule\/CMakeFiles\/fipsmodule\.dir\/bcm\.c\.o:/,/^ *FLAGS =/ s/^ *FLAGS = -Werror/& -Wno-error=stringop-overflow/' \
+          -i build.ninja
+    '';
+  });
 in
 stdenv.mkDerivation rec {
   pname = "lsquic";