libressl_3_2, libressl_3_4: add patch for CVE-2021-41581

pkgs/development/libraries/libressl/CVE-2021-41581.patch

@@ -0,0 +1,53 @@
+Based on upstream https://github.com/openbsd/src/commit/62ceddea5b1d64a1a362bbb7071d9e15adcde6b1
+with paths switched to apply to libressl-portable and CVS header
+hunk removed.
+
+--- a/crypto/x509/x509_constraints.c
++++ b/crypto/x509/x509_constraints.c
+@@ -339,16 +339,16 @@
+ 			if (c == '.')
+ 				goto bad;
+ 		}
+-		if (wi > DOMAIN_PART_MAX_LEN)
+-			goto bad;
+ 		if (accept) {
++			if (wi >= DOMAIN_PART_MAX_LEN)
++				goto bad;
+ 			working[wi++] = c;
+ 			accept = 0;
+ 			continue;
+ 		}
+ 		if (candidate_local != NULL) {
+ 			/* We are looking for the domain part */
+-			if (wi > DOMAIN_PART_MAX_LEN)
++			if (wi >= DOMAIN_PART_MAX_LEN)
+ 				goto bad;
+ 			working[wi++] = c;
+ 			if (i == len - 1) {
+@@ -363,7 +363,7 @@
+ 			continue;
+ 		}
+ 		/* We are looking for the local part */
+-		if (wi > LOCAL_PART_MAX_LEN)
++		if (wi >= LOCAL_PART_MAX_LEN)
+ 			break;
+ 
+ 		if (quoted) {
+@@ -383,6 +383,8 @@
+ 			 */
+ 			if (c == 9)
+ 				goto bad;
++			if (wi >= LOCAL_PART_MAX_LEN)
++				goto bad;
+ 			working[wi++] = c;
+ 			continue; /* all's good inside our quoted string */
+ 		}
+@@ -412,6 +414,8 @@
+ 		}
+ 		if (!local_part_ok(c))
+ 			goto bad;
++		if (wi >= LOCAL_PART_MAX_LEN)
++			goto bad;
+ 		working[wi++] = c;
+ 	}
+ 	if (candidate_local == NULL || candidate_domain == NULL)

pkgs/development/libraries/libressl/default.nix

@@ -3,6 +3,7 @@
 , lib
 , cmake
 , cacert
+, fetchpatch
 , buildShared ? !stdenv.hostPlatform.isStatic
 }:
 
@@ -82,9 +83,15 @@ in {
   libressl_3_2 = generic {
     version = "3.2.5";
     sha256 = "1zkwrs3b19s1ybz4q9hrb7pqsbsi8vxcs44qanfy11fkc7ynb2kr";
+    patches = [
+      ./CVE-2021-41581.patch
+    ];
   };
   libressl_3_4 = generic {
     version = "3.4.0";
     sha256 = "1lhn76nd59p1dfd27b4636zj6wh3f5xsi8b3sxqnl820imsswbp5";
+    patches = [
+      ./CVE-2021-41581.patch
+    ];
   };
 }