From 252cf06eb910f64c167356a2e69c8a9a54948e70 Mon Sep 17 00:00:00 2001
From: Thomas Waldmann <tw@waldmann-edv.de>
Date: Mon, 11 May 2026 23:20:23 +0200
Subject: [PATCH] CI: NetBSD: build a fresh OpenSSL from source, we need >= 3.2

---
 .github/workflows/ci.yml | 24 ++++++++++++++++++++++++
 setup.py                 |  9 +++++++++
 2 files changed, 33 insertions(+)

diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 6ca963edb..25340da81 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -412,6 +412,30 @@ jobs:
                 touch ${TMPDIR}/testfile
                 lsextattr user ${TMPDIR}/testfile && echo "[xattr] *** xattrs SUPPORTED on ${TMPDIR}! ***"
 
+                # NetBSD 10 has a too old OpenSSL, build a fresher one.
+                VERSION="3.5.6"
+                echo "--- Building OpenSSL ${VERSION} ---"
+                PREFIX="/usr/local"
+                JOBS=$(sysctl -n hw.ncpu)
+
+                pushd /tmp
+                ftp -o "openssl-${VERSION}.tar.gz" "https://www.openssl.org/source/openssl-${VERSION}.tar.gz"
+                tar xzf "openssl-${VERSION}.tar.gz"
+                pushd "openssl-${VERSION}"
+
+                ./Configure --prefix="${PREFIX}" --openssldir="${PREFIX}/etc/ssl" --libdir=lib \
+                            -Wl,-rpath,${PREFIX}/lib shared threads no-tests no-docs
+                export LD_LIBRARY_PATH="/usr/local/lib${LD_LIBRARY_PATH:+:$LD_LIBRARY_PATH}"
+                make -j"${JOBS}"
+                sudo -E make install
+                popd
+                rm -rf "/tmp/openssl-${VERSION}" "/tmp/openssl-${VERSION}.tar.gz"
+                popd
+
+                "${PREFIX}/bin/openssl" version
+                export BORG_OPENSSL_PREFIX="${PREFIX}"
+                export PKG_CONFIG_PATH="/usr/local/lib/pkgconfig${PKG_CONFIG_PATH:+:$PKG_CONFIG_PATH}"
+
                 tox3 -e py311-none
                 ;;
 
diff --git a/setup.py b/setup.py
index 976ea227d..57c2afbd1 100644
--- a/setup.py
+++ b/setup.py
@@ -29,6 +29,7 @@ sys.path += [os.path.dirname(__file__)]
 
 is_win32 = sys.platform.startswith("win32")
 is_openbsd = sys.platform.startswith("openbsd")
+is_netbsd = sys.platform.startswith("netbsd")
 
 # Number of threads to use for cythonize, not used on Windows
 cpu_threads = multiprocessing.cpu_count() if multiprocessing and multiprocessing.get_start_method() != "spawn" else None
@@ -150,6 +151,14 @@ if not on_rtd:
             include_dirs=[os.path.join(openssl_prefix, "include", openssl_name)],
             extra_objects=[os.path.join(openssl_prefix, "lib", openssl_name, "libcrypto.a")],
         )
+    elif is_netbsd and os.environ.get("BORG_OPENSSL_PREFIX"):
+        # Similarly for NetBSD, if we built a custom OpenSSL, link it statically
+        # to avoid dynamic linker conflicts with the system OpenSSL loaded by Python.
+        openssl_prefix = os.environ.get("BORG_OPENSSL_PREFIX")
+        crypto_ext_lib = dict(
+            include_dirs=[os.path.join(openssl_prefix, "include")],
+            extra_objects=[os.path.join(openssl_prefix, "lib", "libcrypto.a")],
+        )
     else:
         crypto_ext_lib = lib_ext_kwargs(pc, "BORG_OPENSSL_PREFIX", "crypto", "libcrypto", ">=3.2.0")