hostapd build fails when specifying libressl #17315

Closed
mrobbetts opened this issue Jul 27, 2016 · 2 comments

@mrobbetts
Contributor

Issue description

Overriding the system openssl package with:

nixpkgs.config.packageOverrides = pkgs: rec {
    ...
    openssl = pkgs.libressl_2_4;
    ...
};

in configuration.nix, results in the build error:

building path(s) ‘/nix/store/5rgfnrmy639f660nr5fkqx301kndmkg9-hostapd-2.5’
unpacking sources
unpacking source archive /nix/store/pzr1m2yyirk2fn6myz3a5wd5hz8apihs-hostapd-2.5.tar.gz
source root is hostapd-2.5
setting SOURCE_DATE_EPOCH to timestamp 1443380525 of file hostapd-2.5/src/wps/wps_validate.c
patching sources
configuring
'defconfig' -> '.config'
     1  # Example hostapd build time configuration
     2  #
     3  # This file lists the configuration options that are used when building the
     4  # hostapd binary. All lines starting with # are ignored. Configuration option
     5  # lines must be commented out complete, if they are not to be included, i.e.,
     6  # just setting VARIABLE=n is not disabling that variable.
     7  #
     8  # This file is included in Makefile, so variables like CFLAGS and LIBS can also
     9  # be modified from here. In most cass, these lines should use += in order not
    10  # to override previous values of the variables.
    11  
    12  # Driver interface for Host AP driver
    13  CONFIG_DRIVER_HOSTAP=y
    14  
    15  # Driver interface for wired authenticator
    16  #CONFIG_DRIVER_WIRED=y
    17  
    18  # Driver interface for drivers using the nl80211 kernel interface
    19  CONFIG_DRIVER_NL80211=y
    20  
    21  # driver_nl80211.c requires libnl. If you are compiling it yourself
    22  # you may need to point hostapd to your version of libnl.
    23  #
    24  #CFLAGS += -I$<path to libnl include files>
    25  #LIBS += -L$<path to libnl library files>
    26  
    27  # Use libnl v2.0 (or 3.0) libraries.
    28  #CONFIG_LIBNL20=y
    29  
    30  # Use libnl 3.2 libraries (if this is selected, CONFIG_LIBNL20 is ignored)
    31  #CONFIG_LIBNL32=y
    32  
    33  
    34  # Driver interface for FreeBSD net80211 layer (e.g., Atheros driver)
    35  #CONFIG_DRIVER_BSD=y
    36  #CFLAGS += -I/usr/local/include
    37  #LIBS += -L/usr/local/lib
    38  #LIBS_p += -L/usr/local/lib
    39  #LIBS_c += -L/usr/local/lib
    40  
    41  # Driver interface for no driver (e.g., RADIUS server only)
    42  #CONFIG_DRIVER_NONE=y
    43  
    44  # IEEE 802.11F/IAPP
    45  CONFIG_IAPP=y
    46  
    47  # WPA2/IEEE 802.11i RSN pre-authentication
    48  CONFIG_RSN_PREAUTH=y
    49  
    50  # PeerKey handshake for Station to Station Link (IEEE 802.11e DLS)
    51  CONFIG_PEERKEY=y
    52  
    53  # IEEE 802.11w (management frame protection)
    54  CONFIG_IEEE80211W=y
    55  
    56  # Integrated EAP server
    57  CONFIG_EAP=y
    58  
    59  # EAP Re-authentication Protocol (ERP) in integrated EAP server
    60  CONFIG_ERP=y
    61  
    62  # EAP-MD5 for the integrated EAP server
    63  CONFIG_EAP_MD5=y
    64  
    65  # EAP-TLS for the integrated EAP server
    66  CONFIG_EAP_TLS=y
    67  
    68  # EAP-MSCHAPv2 for the integrated EAP server
    69  CONFIG_EAP_MSCHAPV2=y
    70  
    71  # EAP-PEAP for the integrated EAP server
    72  CONFIG_EAP_PEAP=y
    73  
    74  # EAP-GTC for the integrated EAP server
    75  CONFIG_EAP_GTC=y
    76  
    77  # EAP-TTLS for the integrated EAP server
    78  CONFIG_EAP_TTLS=y
    79  
    80  # EAP-SIM for the integrated EAP server
    81  #CONFIG_EAP_SIM=y
    82  
    83  # EAP-AKA for the integrated EAP server
    84  #CONFIG_EAP_AKA=y
    85  
    86  # EAP-AKA' for the integrated EAP server
    87  # This requires CONFIG_EAP_AKA to be enabled, too.
    88  #CONFIG_EAP_AKA_PRIME=y
    89  
    90  # EAP-PAX for the integrated EAP server
    91  #CONFIG_EAP_PAX=y
    92  
    93  # EAP-PSK for the integrated EAP server (this is _not_ needed for WPA-PSK)
    94  #CONFIG_EAP_PSK=y
    95  
    96  # EAP-pwd for the integrated EAP server (secure authentication with a password)
    97  #CONFIG_EAP_PWD=y
    98  
    99  # EAP-SAKE for the integrated EAP server
   100  #CONFIG_EAP_SAKE=y
   101  
   102  # EAP-GPSK for the integrated EAP server
   103  #CONFIG_EAP_GPSK=y
   104  # Include support for optional SHA256 cipher suite in EAP-GPSK
   105  #CONFIG_EAP_GPSK_SHA256=y
   106  
   107  # EAP-FAST for the integrated EAP server
   108  # Note: If OpenSSL is used as the TLS library, OpenSSL 1.0 or newer is needed
   109  # for EAP-FAST support. Older OpenSSL releases would need to be patched, e.g.,
   110  # with openssl-0.9.8x-tls-extensions.patch, to add the needed functions.
   111  #CONFIG_EAP_FAST=y
   112  
   113  # Wi-Fi Protected Setup (WPS)
   114  #CONFIG_WPS=y
   115  # Enable UPnP support for external WPS Registrars
   116  #CONFIG_WPS_UPNP=y
   117  # Enable WPS support with NFC config method
   118  #CONFIG_WPS_NFC=y
   119  
   120  # EAP-IKEv2
   121  #CONFIG_EAP_IKEV2=y
   122  
   123  # Trusted Network Connect (EAP-TNC)
   124  #CONFIG_EAP_TNC=y
   125  
   126  # EAP-EKE for the integrated EAP server
   127  #CONFIG_EAP_EKE=y
   128  
   129  # PKCS#12 (PFX) support (used to read private key and certificate file from
   130  # a file that usually has extension .p12 or .pfx)
   131  CONFIG_PKCS12=y
   132  
   133  # RADIUS authentication server. This provides access to the integrated EAP
   134  # server from external hosts using RADIUS.
   135  #CONFIG_RADIUS_SERVER=y
   136  
   137  # Build IPv6 support for RADIUS operations
   138  CONFIG_IPV6=y
   139  
   140  # IEEE Std 802.11r-2008 (Fast BSS Transition)
   141  #CONFIG_IEEE80211R=y
   142  
   143  # Use the hostapd's IEEE 802.11 authentication (ACL), but without
   144  # the IEEE 802.11 Management capability (e.g., FreeBSD/net80211)
   145  #CONFIG_DRIVER_RADIUS_ACL=y
   146  
   147  # IEEE 802.11n (High Throughput) support
   148  #CONFIG_IEEE80211N=y
   149  
   150  # Wireless Network Management (IEEE Std 802.11v-2011)
   151  # Note: This is experimental and not complete implementation.
   152  #CONFIG_WNM=y
   153  
   154  # IEEE 802.11ac (Very High Throughput) support
   155  #CONFIG_IEEE80211AC=y
   156  
   157  # Remove debugging code that is printing out debug messages to stdout.
   158  # This can be used to reduce the size of the hostapd considerably if debugging
   159  # code is not needed.
   160  #CONFIG_NO_STDOUT_DEBUG=y
   161  
   162  # Add support for writing debug log to a file: -f /tmp/hostapd.log
   163  # Disabled by default.
   164  #CONFIG_DEBUG_FILE=y
   165  
   166  # Add support for sending all debug messages (regardless of debug verbosity)
   167  # to the Linux kernel tracing facility. This helps debug the entire stack by
   168  # making it easy to record everything happening from the driver up into the
   169  # same file, e.g., using trace-cmd.
   170  #CONFIG_DEBUG_LINUX_TRACING=y
   171  
   172  # Remove support for RADIUS accounting
   173  #CONFIG_NO_ACCOUNTING=y
   174  
   175  # Remove support for RADIUS
   176  #CONFIG_NO_RADIUS=y
   177  
   178  # Remove support for VLANs
   179  #CONFIG_NO_VLAN=y
   180  
   181  # Enable support for fully dynamic VLANs. This enables hostapd to
   182  # automatically create bridge and VLAN interfaces if necessary.
   183  #CONFIG_FULL_DYNAMIC_VLAN=y
   184  
   185  # Use netlink-based kernel API for VLAN operations instead of ioctl()
   186  # Note: This requires libnl 3.1 or newer.
   187  #CONFIG_VLAN_NETLINK=y
   188  
   189  # Remove support for dumping internal state through control interface commands
   190  # This can be used to reduce binary size at the cost of disabling a debugging
   191  # option.
   192  #CONFIG_NO_DUMP_STATE=y
   193  
   194  # Enable tracing code for developer debugging
   195  # This tracks use of memory allocations and other registrations and reports
   196  # incorrect use with a backtrace of call (or allocation) location.
   197  #CONFIG_WPA_TRACE=y
   198  # For BSD, comment out these.
   199  #LIBS += -lexecinfo
   200  #LIBS_p += -lexecinfo
   201  #LIBS_c += -lexecinfo
   202  
   203  # Use libbfd to get more details for developer debugging
   204  # This enables use of libbfd to get more detailed symbols for the backtraces
   205  # generated by CONFIG_WPA_TRACE=y.
   206  #CONFIG_WPA_TRACE_BFD=y
   207  # For BSD, comment out these.
   208  #LIBS += -lbfd -liberty -lz
   209  #LIBS_p += -lbfd -liberty -lz
   210  #LIBS_c += -lbfd -liberty -lz
   211  
   212  # hostapd depends on strong random number generation being available from the
   213  # operating system. os_get_random() function is used to fetch random data when
   214  # needed, e.g., for key generation. On Linux and BSD systems, this works by
   215  # reading /dev/urandom. It should be noted that the OS entropy pool needs to be
   216  # properly initialized before hostapd is started. This is important especially
   217  # on embedded devices that do not have a hardware random number generator and
   218  # may by default start up with minimal entropy available for random number
   219  # generation.
   220  #
   221  # As a safety net, hostapd is by default trying to internally collect
   222  # additional entropy for generating random data to mix in with the data
   223  # fetched from the OS. This by itself is not considered to be very strong, but
   224  # it may help in cases where the system pool is not initialized properly.
   225  # However, it is very strongly recommended that the system pool is initialized
   226  # with enough entropy either by using hardware assisted random number
   227  # generator or by storing state over device reboots.
   228  #
   229  # hostapd can be configured to maintain its own entropy store over restarts to
   230  # enhance random number generation. This is not perfect, but it is much more
   231  # secure than using the same sequence of random numbers after every reboot.
   232  # This can be enabled with -e<entropy file> command line option. The specified
   233  # file needs to be readable and writable by hostapd.
   234  #
   235  # If the os_get_random() is known to provide strong random data (e.g., on
   236  # Linux/BSD, the board in question is known to have reliable source of random
   237  # data from /dev/urandom), the internal hostapd random pool can be disabled.
   238  # This will save some in binary size and CPU use. However, this should only be
   239  # considered for builds that are known to be used on devices that meet the
   240  # requirements described above.
   241  #CONFIG_NO_RANDOM_POOL=y
   242  
   243  # Should we use poll instead of select? Select is used by default.
   244  #CONFIG_ELOOP_POLL=y
   245  
   246  # Should we use epoll instead of select? Select is used by default.
   247  #CONFIG_ELOOP_EPOLL=y
   248  
   249  # Select TLS implementation
   250  # openssl = OpenSSL (default)
   251  # gnutls = GnuTLS
   252  # internal = Internal TLSv1 implementation (experimental)
   253  # none = Empty template
   254  #CONFIG_TLS=openssl
   255  
   256  # TLS-based EAP methods require at least TLS v1.0. Newer version of TLS (v1.1)
   257  # can be enabled to get a stronger construction of messages when block ciphers
   258  # are used.
   259  #CONFIG_TLSV11=y
   260  
   261  # TLS-based EAP methods require at least TLS v1.0. Newer version of TLS (v1.2)
   262  # can be enabled to enable use of stronger crypto algorithms.
   263  #CONFIG_TLSV12=y
   264  
   265  # If CONFIG_TLS=internal is used, additional library and include paths are
   266  # needed for LibTomMath. Alternatively, an integrated, minimal version of
   267  # LibTomMath can be used. See beginning of libtommath.c for details on benefits
   268  # and drawbacks of this option.
   269  #CONFIG_INTERNAL_LIBTOMMATH=y
   270  #ifndef CONFIG_INTERNAL_LIBTOMMATH
   271  #LTM_PATH=/usr/src/libtommath-0.39
   272  #CFLAGS += -I$(LTM_PATH)
   273  #LIBS += -L$(LTM_PATH)
   274  #LIBS_p += -L$(LTM_PATH)
   275  #endif
   276  # At the cost of about 4 kB of additional binary size, the internal LibTomMath
   277  # can be configured to include faster routines for exptmod, sqr, and div to
   278  # speed up DH and RSA calculation considerably
   279  #CONFIG_INTERNAL_LIBTOMMATH_FAST=y
   280  
   281  # Interworking (IEEE 802.11u)
   282  # This can be used to enable functionality to improve interworking with
   283  # external networks.
   284  #CONFIG_INTERWORKING=y
   285  
   286  # Hotspot 2.0
   287  #CONFIG_HS20=y
   288  
   289  # Enable SQLite database support in hlr_auc_gw, EAP-SIM DB, and eap_user_file
   290  #CONFIG_SQLITE=y
   291  
   292  # Enable Fast Session Transfer (FST)
   293  #CONFIG_FST=y
   294  
   295  # Enable CLI commands for FST testing
   296  #CONFIG_FST_TEST=y
   297  
   298  # Testing options
   299  # This can be used to enable some testing options (see also the example
   300  # configuration file) that are really useful only for testing clients that
   301  # connect to this hostapd. These options allow, for example, to drop a
   302  # certain percentage of probe requests or auth/(re)assoc frames.
   303  #
   304  #CONFIG_TESTING_OPTIONS=y
   305  
   306  # Automatic Channel Selection
   307  # This will allow hostapd to pick the channel automatically when channel is set
   308  # to "acs_survey" or "0". Eventually, other ACS algorithms can be added in
   309  # similar way.
   310  #
   311  # Automatic selection is currently only done through initialization, later on
   312  # we hope to do background checks to keep us moving to more ideal channels as
   313  # time goes by. ACS is currently only supported through the nl80211 driver and
   314  # your driver must have survey dump capability that is filled by the driver
   315  # during scanning.
   316  #
   317  # You can customize the ACS survey algorithm with the hostapd.conf variable
   318  # acs_num_scans.
   319  #
   320  # Supported ACS drivers:
   321  # * ath9k
   322  # * ath5k
   323  # * ath10k
   324  #
   325  # For more details refer to:
   326  # http://wireless.kernel.org/en/users/Documentation/acs
   327  #
   328  #CONFIG_ACS=y
   329  CONFIG_DRIVER_WIRED=y
   330  CONFIG_LIBNL32=y
   331  CONFIG_EAP_SIM=y
   332  CONFIG_EAP_AKA=y
   333  CONFIG_EAP_AKA_PRIME=y
   334  CONFIG_EAP_PAX=y
   335  CONFIG_EAP_PWD=y
   336  CONFIG_EAP_SAKE=y
   337  CONFIG_EAP_GPSK=y
   338  CONFIG_EAP_GPSK_SHA256=y
   339  CONFIG_EAP_FAST=y
   340  CONFIG_EAP_IKEV2=y
   341  CONFIG_EAP_TNC=y
   342  CONFIG_EAP_EKE=y
   343  CONFIG_RADIUS_SERVER=y
   344  CONFIG_IEEE80211R=y
   345  CONFIG_IEEE80211N=y
   346  CONFIG_IEEE80211AC=y
   347  CONFIG_FULL_DYNAMIC_VLAN=y
   348  CONFIG_VLAN_NETLINK=y
   349  CONFIG_TLS=openssl
   350  CONFIG_TLSV11=y
   351  CONFIG_TLSV12=y
   352  CONFIG_INTERNETWORKING=y
   353  CONFIG_HS20=y
   354  CONFIG_ACS=y
   355  CONFIG_SQLITE=y
   356  
building
make flags: SHELL=/nix/store/b4xk5zs6w92xnzg851idlh2380401id1-bash-4.3-p42/bin/bash    
  CC  main.c
  CC  config_file.c
  CC  ../src/ap/hostapd.c
  CC  ../src/ap/wpa_auth_glue.c
  CC  ../src/ap/drv_callbacks.c
  CC  ../src/ap/ap_drv_ops.c
  CC  ../src/ap/utils.c
  CC  ../src/ap/authsrv.c
  CC  ../src/ap/ieee802_1x.c
  CC  ../src/ap/ap_config.c
  CC  ../src/ap/eap_user_db.c
  CC  ../src/ap/ieee802_11_auth.c
  CC  ../src/ap/sta_info.c
  CC  ../src/ap/wpa_auth.c
  CC  ../src/ap/tkip_countermeasures.c
  CC  ../src/ap/ap_mlme.c
  CC  ../src/ap/wpa_auth_ie.c
  CC  ../src/ap/preauth_auth.c
  CC  ../src/ap/pmksa_cache_auth.c
  CC  ../src/ap/ieee802_11_shared.c
  CC  ../src/ap/beacon.c
  CC  ../src/ap/bss_load.c
  CC  ../src/drivers/drivers.c
  CC  ../src/utils/eloop.c
  CC  ../src/utils/common.c
  CC  ../src/utils/wpa_debug.c
  CC  ../src/utils/wpabuf.c
  CC  ../src/utils/os_unix.c
  CC  ../src/utils/ip_addr.c
  CC  ../src/common/ieee802_11_common.c
  CC  ../src/common/wpa_common.c
  CC  ../src/common/hw_features_common.c
  CC  ../src/eapol_auth/eapol_auth_sm.c
  CC  ../src/eapol_auth/eapol_auth_dump.c
  CC  ../src/radius/radius.c
  CC  ../src/radius/radius_client.c
  CC  ../src/radius/radius_das.c
  CC  ../src/ap/accounting.c
  CC  ../src/ap/vlan_init.c
  CC  ../src/ap/vlan_util.c
  CC  ctrl_iface.c
  CC  ../src/ap/ctrl_iface_ap.c
  CC  ../src/ap/iapp.c
  CC  ../src/ap/peerkey_auth.c
  CC  ../src/ap/wpa_auth_ft.c
  CC  ../src/drivers/driver_hostap.c
  CC  ../src/drivers/driver_wired.c
  CC  ../src/drivers/driver_nl80211.c
  CC  ../src/drivers/driver_nl80211_capa.c
  CC  ../src/drivers/driver_nl80211_event.c
  CC  ../src/drivers/driver_nl80211_monitor.c
  CC  ../src/drivers/driver_nl80211_scan.c
  CC  ../src/utils/radiotap.c
  CC  ../src/drivers/netlink.c
  CC  ../src/drivers/linux_ioctl.c
  CC  ../src/drivers/rfkill.c
  CC  ../src/l2_packet/l2_packet_linux.c
  CC  ../src/eap_server/eap_server_md5.c
  CC  ../src/eap_server/eap_server_tls.c
  CC  ../src/eap_server/eap_server_peap.c
  CC  ../src/eap_common/eap_peap_common.c
  CC  ../src/eap_server/eap_server_ttls.c
  CC  ../src/eap_server/eap_server_mschapv2.c
  CC  ../src/eap_server/eap_server_gtc.c
  CC  ../src/eap_server/eap_server_sim.c
  CC  ../src/eap_server/eap_server_aka.c
  CC  ../src/eap_common/eap_sim_common.c
  CC  ../src/eap_server/eap_sim_db.c
  CC  ../src/eap_server/eap_server_pax.c
  CC  ../src/eap_common/eap_pax_common.c
  CC  ../src/eap_server/eap_server_sake.c
  CC  ../src/eap_common/eap_sake_common.c
  CC  ../src/eap_server/eap_server_gpsk.c
  CC  ../src/eap_common/eap_gpsk_common.c
  CC  ../src/eap_server/eap_server_pwd.c
  CC  ../src/eap_common/eap_pwd_common.c
  CC  ../src/eap_server/eap_server_eke.c
  CC  ../src/eap_common/eap_eke_common.c
  CC  ../src/eap_server/eap_server_fast.c
  CC  ../src/eap_common/eap_fast_common.c
  CC  ../src/eap_server/eap_server_ikev2.c
  CC  ../src/eap_server/ikev2.c
  CC  ../src/eap_common/eap_ikev2_common.c
  CC  ../src/eap_common/ikev2_common.c
  CC  ../src/eap_server/eap_server_tnc.c
  CC  ../src/eap_server/tncs.c
  CC  eap_register.c
  CC  ../src/eap_server/eap_server.c
  CC  ../src/eap_common/eap_common.c
  CC  ../src/eap_server/eap_server_methods.c
  CC  ../src/eap_server/eap_server_identity.c
  CC  ../src/crypto/ms_funcs.c
  CC  ../src/eap_common/chap.c
  CC  ../src/eap_server/eap_server_tls_common.c
../src/crypto/tls_openssl.c: In function 'tls_parse_pkcs12':
../src/crypto/tls_openssl.c:2233:3: warning: implicit declaration of function 'SSL_clear_chain_certs' [-Wimplicit-function-declaration]
   SSL_clear_chain_certs(ssl);
   ^
../src/crypto/tls_openssl.c:2239:8: warning: implicit declaration of function 'SSL_add1_chain_cert' [-Wimplicit-function-declaration]
    if (SSL_add1_chain_cert(ssl, cert) != 1) {
        ^
../src/crypto/tls_openssl.c:2251:9: warning: implicit declaration of function 'SSL_build_cert_chain' [-Wimplicit-function-declaration]
   res = SSL_build_cert_chain(ssl,
         ^
../src/crypto/tls_openssl.c:2252:9: error: 'SSL_BUILD_CHAIN_FLAG_CHECK' undeclared (first use in this function)
         SSL_BUILD_CHAIN_FLAG_CHECK |
         ^
../src/crypto/tls_openssl.c:2252:9: note: each undeclared identifier is reported only once for each function it appears in
../src/crypto/tls_openssl.c:2253:9: error: 'SSL_BUILD_CHAIN_FLAG_IGNORE_ERROR' undeclared (first use in this function)
         SSL_BUILD_CHAIN_FLAG_IGNORE_ERROR);
         ^
../src/crypto/tls_openssl.c: In function 'tls_connection_get_random':
../src/crypto/tls_openssl.c:2830:28: warning: implicit declaration of function 'SSL_get_client_random' [-Wimplicit-function-declaration]
  keys->client_random_len = SSL_get_client_random(
                            ^
../src/crypto/tls_openssl.c:2833:28: warning: implicit declaration of function 'SSL_get_server_random' [-Wimplicit-function-declaration]
  keys->server_random_len = SSL_get_server_random(
                            ^
../src/crypto/tls_openssl.c: In function 'openssl_get_keyblock_size':
../src/crypto/tls_openssl.c:2883:11: warning: implicit declaration of function 'SSL_CIPHER_get_cipher_nid' [-Wimplicit-function-declaration]
  cipher = SSL_CIPHER_get_cipher_nid(ssl_cipher);
           ^
../src/crypto/tls_openssl.c:2884:11: warning: implicit declaration of function 'SSL_CIPHER_get_digest_nid' [-Wimplicit-function-declaration]
  digest = SSL_CIPHER_get_digest_nid(ssl_cipher);
           ^
../src/crypto/tls_openssl.c: In function 'openssl_tls_prf':
../src/crypto/tls_openssl.c:3029:19: warning: implicit declaration of function 'SSL_SESSION_get_master_key' [-Wimplicit-function-declaration]
  master_key_len = SSL_SESSION_get_master_key(sess, master_key,
                   ^
../src/crypto/tls_openssl.c: In function 'tls_connection_set_cipher_list':
../src/crypto/tls_openssl.c:3404:3: warning: implicit declaration of function 'SSL_set_security_level' [-Wimplicit-function-declaration]
   SSL_set_security_level(conn->ssl, 0);
   ^
../src/crypto/tls_openssl.c:3405:13: warning: implicit declaration of function 'SSL_get_security_level' [-Wimplicit-function-declaration]
  } else if (SSL_get_security_level(conn->ssl) == 0) {
             ^
make: *** [Makefile:958: ../src/crypto/tls_openssl.o] Error 1
builder for ‘/nix/store/pq5g2kb3f1386g035334px2dj1kylshq-hostapd-2.5.drv’ failed with exit code 2
cannot build derivation ‘/nix/store/wr3zi8lrwh35gvs874d3sgyr4qh1j17a-system-path.drv’: 1 dependencies couldn't be built
cannot build derivation ‘/nix/store/aba4rl2m8gyxhmvpgq76i2k2i02vk7dh-unit-hostapd.service.drv’: 1 dependencies couldn't be built
cannot build derivation ‘/nix/store/5hbnxc34pinqwal35p0a0wc2z5dasbp5-dbus-conf.drv’: 1 dependencies couldn't be built
cannot build derivation ‘/nix/store/ia7hg3a3krdi0dh2kwcdbkligxig0h4z-unit-polkit.service.drv’: 1 dependencies couldn't be built
cannot build derivation ‘/nix/store/6dzj162vn30fwmg8sj0big6lw5izklvv-unit-dbus.service.drv’: 1 dependencies couldn't be built
cannot build derivation ‘/nix/store/7nxficfpxkjha9hdn9dfviq8svlrskkq-system-units.drv’: 3 dependencies couldn't be built
cannot build derivation ‘/nix/store/512wvwj68dp1mw2rqdz3qwxd7l35z67s-etc.drv’: 2 dependencies couldn't be built
cannot build derivation ‘/nix/store/qb8marma8mxdmvzn27xzzi3yyq4pxyqr-nixos-system-braid-16.09.git.7646bea.drv’: 2 dependencies couldn't be built
error: build of ‘/nix/store/qb8marma8mxdmvzn27xzzi3yyq4pxyqr-nixos-system-braid-16.09.git.7646bea.drv’ failed

Leaving the libressl override in place, but further adding:

nixpkgs.config.packageOverrides = pkgs: rec {
    ...
    hostapd = pkgs.hostapd.override {
        openssl = pkgs.openssl_1_0_2;
    };
    ...
};

(to override back for just this one package) fixes the problem, and my other packages build just fine and seem to be using LibreSSL as intended.

I would guess that LibreSSL has removed some degree of compatibility with OpenSSL here that hostapd's build script relies on, but I'm not familiar enough with either project to know how important it is. Do you think this is a bug for hostapd upstream to solve, or something we can work around in Nix?

Technical details

  • System: (NixOS: nixos-version, Ubuntu/Fedora: lsb_release -a, ...)
    16.09.git.7646bea (Flounder)
  • Nix version: (run nix-env --version)
    nix-env (Nix) 1.11.2
  • Nixpkgs version: (run nix-instantiate --eval '<nixpkgs>' -A lib.nixpkgsVersion)
    "16.09.git.7646bea5"
@fpletz fpletz closed this as completed in 2fa9bd5 Jul 29, 2016
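
A small triage script for GCC output like the log in the issue, added here as an example (it is not part of the issue, nixpkgs or hostapd): it lists which TLS API symbols the substituted library's headers did not declare, grouped by calling function, and separates the ones that stopped the build from those that only warned. The function names `parse_missing_api` and `triage` are hypothetical; the embedded log is an excerpt of the output quoted in the issue.

```python
import re

# Excerpt of the GCC output quoted in the issue, including the source and
# caret lines the compiler prints under each diagnostic.
SAMPLE_LOG = """\
../src/crypto/tls_openssl.c: In function 'tls_parse_pkcs12':
../src/crypto/tls_openssl.c:2233:3: warning: implicit declaration of function 'SSL_clear_chain_certs' [-Wimplicit-function-declaration]
   SSL_clear_chain_certs(ssl);
   ^
../src/crypto/tls_openssl.c:2252:9: error: 'SSL_BUILD_CHAIN_FLAG_CHECK' undeclared (first use in this function)
         SSL_BUILD_CHAIN_FLAG_CHECK |
         ^
../src/crypto/tls_openssl.c: In function 'tls_connection_get_random':
../src/crypto/tls_openssl.c:2830:28: warning: implicit declaration of function 'SSL_get_client_random' [-Wimplicit-function-declaration]
  keys->client_random_len = SSL_get_client_random(
                            ^
../src/crypto/tls_openssl.c: In function 'tls_connection_set_cipher_list':
../src/crypto/tls_openssl.c:3404:3: warning: implicit declaration of function 'SSL_set_security_level' [-Wimplicit-function-declaration]
   SSL_set_security_level(conn->ssl, 0);
   ^
make: *** [Makefile:958: ../src/crypto/tls_openssl.o] Error 1
"""

# "file: In function 'name':" sets the scope for the diagnostics that follow.
SCOPE_RE = re.compile(r"^(\S+): In function '(\w+)':$")
# "file:line:col: severity: message"
DIAG_RE = re.compile(r"^(\S+?):(\d+):(\d+): (warning|error): (.+)$")
IMPLICIT_RE = re.compile(r"implicit declaration of function '(\w+)'")
UNDECLARED_RE = re.compile(r"^'(\w+)' undeclared")


def parse_missing_api(log_text):
    """Return one record per symbol the compiler could not find a declaration for."""
    findings = []
    caller = None
    for line in log_text.splitlines():
        scope = SCOPE_RE.match(line)
        if scope:
            caller = scope.group(2)
            continue
        diag = DIAG_RE.match(line)
        if not diag:
            continue  # source excerpt, caret line, make output, notes
        path, lineno, _col, severity, message = diag.groups()
        implicit = IMPLICIT_RE.search(message)
        undeclared = UNDECLARED_RE.match(message)
        if implicit:
            kind, symbol = "function", implicit.group(1)
        elif undeclared:
            kind, symbol = "identifier", undeclared.group(1)
        else:
            continue  # unrelated diagnostic
        findings.append({"file": path, "line": int(lineno), "caller": caller,
                         "severity": severity, "kind": kind, "symbol": symbol})
    return findings


def triage(findings):
    """Split the symbols into build-stopping errors and warning-only findings."""
    by_caller = {}
    for f in findings:
        by_caller.setdefault(f["caller"], []).append(f["symbol"])
    return {
        "fatal": sorted({f["symbol"] for f in findings if f["severity"] == "error"}),
        "warning_only": sorted({f["symbol"] for f in findings
                                if f["severity"] == "warning"}),
        "by_caller": by_caller,
    }


if __name__ == "__main__":
    report = triage(parse_missing_api(SAMPLE_LOG))
    print("stopped the build:", report["fatal"])
    print("warned only:     ", report["warning_only"])
    for caller, symbols in report["by_caller"].items():
        print(f"  {caller}: {', '.join(symbols)}")
```

In this log only the undeclared macros are errors; the undeclared functions are warnings. Compiling with GCC's `-Werror=implicit-function-declaration` makes those stop the build at the compile step as well.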
@mrobbetts
Contributor Author

Thanks @fpletz! Man, that was fast.

Seems to work perfectly :)

@fpletz
Member

fpletz commented Jul 29, 2016

We're also using libressl instead of openssl for all packages at my company in our nixpkgs fork, so we have some experience with what kinds of things fail and how to fix them. You can always have a look at https://github.com/mayflower/nixpkgs to see if we already have a patch if you happen to find other issues. We generally upstream our changes, but as libressl is not the default implementation on nixpkgs it often does not make a lot of sense to bloat the repo with patches. A fetchpatch as in this case is cheap, though. ;)
