From ae29a9e688845f276c60aa48e3d8426a2b9b2d6d Mon Sep 17 00:00:00 2001
From: Alyssa Ross
Date: Tue, 20 Nov 2018 15:56:23 +0000
Subject: [PATCH 1/2] openssl: 1.0.2p -> 1.0.2q
CVE-2018-0734: https://www.openssl.org/news/vulnerabilities.html#2018-0734
CVE-2018-5407: https://www.openssl.org/news/vulnerabilities.html#2018-5407
No patches can any longer be shared between 1.0.2 and 1.1, so reorganize patches into subdirectories (and remove an unused one).
---
 .../openssl/1.0.2/nix-ssl-cert-file.patch | 16 +++++++++++++++
 .../use-etc-ssl-certs-darwin.patch | 0
 .../{ => 1.0.2}/use-etc-ssl-certs.patch | 0
 .../libraries/openssl/darwin-arch.patch | 12 ----------
 .../development/libraries/openssl/default.nix | 20 ++++++++++---------
 5 files changed, 27 insertions(+), 21 deletions(-)
 create mode 100644 pkgs/development/libraries/openssl/1.0.2/nix-ssl-cert-file.patch
 rename pkgs/development/libraries/openssl/{ => 1.0.2}/use-etc-ssl-certs-darwin.patch (100%)
 rename pkgs/development/libraries/openssl/{ => 1.0.2}/use-etc-ssl-certs.patch (100%)
 delete mode 100644 pkgs/development/libraries/openssl/darwin-arch.patch
diff --git a/pkgs/development/libraries/openssl/1.0.2/nix-ssl-cert-file.patch b/pkgs/development/libraries/openssl/1.0.2/nix-ssl-cert-file.patch
new file mode 100644
index 000000000000..5765409fdd57
--- /dev/null
+++ b/pkgs/development/libraries/openssl/1.0.2/nix-ssl-cert-file.patch
@@ -0,0 +1,16 @@
+diff --git a/crypto/x509/by_file.c b/crypto/x509/by_file.c
+index e6d0e6e1a6..b89456fd87 100644
+--- a/crypto/x509/by_file.c
++++ b/crypto/x509/by_file.c
+@@ -97,7 +97,10 @@ static int by_file_ctrl(X509_LOOKUP *ctx, int cmd, const char *argp,
+ switch (cmd) {
+ case X509_L_FILE_LOAD:
+ if (argl == X509_FILETYPE_DEFAULT) {
+- file = ossl_safe_getenv(X509_get_default_cert_file_env());
++ file = ossl_safe_getenv("NIX_SSL_CERT_FILE");
++
++ if (!file)
++ file = ossl_safe_getenv(X509_get_default_cert_file_env());
+
+ if (file)
+ ok = (X509_load_cert_crl_file(ctx, file,
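Review bot: The new 1.0.2/nix-ssl-cert-file.patch carries no explanation of what it changes or why, so whoever rebases it onto the next 1.0.2 tarball has to reverse-engineer the intent from the hunk. Text placed before the first `diff --git` line is ignored by `patch` and `git apply`, so a header costs nothing; I would add something like `Let NIX_SSL_CERT_FILE override the default CA bundle location. It is read through ossl_safe_getenv, the same accessor upstream uses for SSL_CERT_FILE, so that the override is not honoured in setuid/privileged processes; do not replace it with plain getenv() when rebasing.` That last caveat matters because the pre-existing patch deleted at the end of this series (the 1.0.2j version) did use plain `getenv`, which is exactly the regression a rebase against an older diff could reintroduce. The 1.1/nix-ssl-cert-file.patch added in the second commit has the same omission and should get the same header.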
diff --git a/pkgs/development/libraries/openssl/use-etc-ssl-certs-darwin.patch b/pkgs/development/libraries/openssl/1.0.2/use-etc-ssl-certs-darwin.patch
similarity index 100%
rename from pkgs/development/libraries/openssl/use-etc-ssl-certs-darwin.patch
rename to pkgs/development/libraries/openssl/1.0.2/use-etc-ssl-certs-darwin.patch
diff --git a/pkgs/development/libraries/openssl/use-etc-ssl-certs.patch b/pkgs/development/libraries/openssl/1.0.2/use-etc-ssl-certs.patch
similarity index 100%
rename from pkgs/development/libraries/openssl/use-etc-ssl-certs.patch
rename to pkgs/development/libraries/openssl/1.0.2/use-etc-ssl-certs.patch
diff --git a/pkgs/development/libraries/openssl/darwin-arch.patch b/pkgs/development/libraries/openssl/darwin-arch.patch
deleted file mode 100644
index 63db3efc0846..000000000000
--- a/pkgs/development/libraries/openssl/darwin-arch.patch
+++ /dev/null
@@ -1,12 +0,0 @@
-diff -ru -x '*~' openssl-1.0.1c-orig/Configure openssl-1.0.1c/Configure
---- openssl-1.0.1c-orig/Configure 2012-03-14 23:20:40.000000000 +0100
-+++ openssl-1.0.1c/Configure 2012-12-18 17:29:30.268090633 +0100
-@@ -579,7 +579,7 @@
- "darwin64-ppc-cc","cc:-arch ppc64 -O3 -DB_ENDIAN::-D_REENTRANT:MACOSX:-Wl,-search_paths_first%:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR:${ppc64_asm}:osx64:dlfcn:darwin-shared:-fPIC -fno-common:-arch ppc64 -dynamiclib:.\$(SHLIB_MAJOR).\$(SHLIB_MINOR).dylib",
- "darwin-i386-cc","cc:-arch i386 -O3 -fomit-frame-pointer -DL_ENDIAN::-D_REENTRANT:MACOSX:-Wl,-search_paths_first%:BN_LLONG RC4_INT RC4_CHUNK DES_UNROLL BF_PTR:".eval{my $asm=$x86_asm;$asm=~s/cast\-586\.o//;$asm}.":macosx:dlfcn:darwin-shared:-fPIC -fno-common:-arch i386 -dynamiclib:.\$(SHLIB_MAJOR).\$(SHLIB_MINOR).dylib",
- "debug-darwin-i386-cc","cc:-arch i386 -g3 -DL_ENDIAN::-D_REENTRANT:MACOSX:-Wl,-search_paths_first%:BN_LLONG RC4_INT RC4_CHUNK DES_UNROLL BF_PTR:${x86_asm}:macosx:dlfcn:darwin-shared:-fPIC -fno-common:-arch i386 -dynamiclib:.\$(SHLIB_MAJOR).\$(SHLIB_MINOR).dylib",
--"darwin64-x86_64-cc","cc:-arch x86_64 -O3 -DL_ENDIAN -Wall::-D_REENTRANT:MACOSX:-Wl,-search_paths_first%:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL:".eval{my $asm=$x86_64_asm;$asm=~s/rc4\-[^:]+//;$asm}.":macosx:dlfcn:darwin-shared:-fPIC -fno-common:-arch x86_64 -dynamiclib:.\$(SHLIB_MAJOR).\$(SHLIB_MINOR).dylib",
-+"darwin64-x86_64-cc","cc:-O3 -DL_ENDIAN -Wall::-D_REENTRANT:MACOSX:-Wl,-search_paths_first%:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL:".eval{my $asm=$x86_64_asm;$asm=~s/rc4\-[^:]+//;$asm}.":macosx:dlfcn:darwin-shared:-fPIC -fno-common:-dynamiclib:.\$(SHLIB_MAJOR).\$(SHLIB_MINOR).dylib",
- "debug-darwin-ppc-cc","cc:-DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DCRYPTO_MDEBUG -DB_ENDIAN -g -Wall -O::-D_REENTRANT:MACOSX::BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR:${ppc32_asm}:osx32:dlfcn:darwin-shared:-fPIC:-dynamiclib:.\$(SHLIB_MAJOR).\$(SHLIB_MINOR).dylib",
- # iPhoneOS/iOS
- "iphoneos-cross","llvm-gcc:-O3 -isysroot \$(CROSS_TOP)/SDKs/\$(CROSS_SDK) -fomit-frame-pointer -fno-common::-D_REENTRANT:iOS:-Wl,-search_paths_first%:BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR:${no_asm}:dlfcn:darwin-shared:-fPIC -fno-common:-dynamiclib:.\$(SHLIB_MAJOR).\$(SHLIB_MINOR).dylib",
diff --git a/pkgs/development/libraries/openssl/default.nix b/pkgs/development/libraries/openssl/default.nix
index 2ad4b8d904bf..3e643807f1cf 100644
--- a/pkgs/development/libraries/openssl/default.nix
+++ b/pkgs/development/libraries/openssl/default.nix
@@ -15,13 +15,7 @@ let
 inherit sha256;
 };
- patches =
- (args.patches or [])
- ++ [ ./nix-ssl-cert-file.patch ]
- ++ optional (versionOlder version "1.1.0")
- (if stdenv.hostPlatform.isDarwin then ./use-etc-ssl-certs-darwin.patch else ./use-etc-ssl-certs.patch)
- ++ optional (versionOlder version "1.0.2" && stdenv.hostPlatform.isDarwin)
- ./darwin-arch.patch;
+ inherit patches;
 postPatch = ''
 patchShebangs Configure
@@ -125,13 +119,21 @@ let
 in {
 openssl_1_0_2 = common {
- version = "1.0.2p";
- sha256 = "003xh9f898i56344vpvpxxxzmikivxig4xwlm7vbi7m8n43qxaah";
+ version = "1.0.2q";
+ sha256 = "115nisqy7kazbg6br2wrcra9nphyph1l4dgp563b9cf2rv5wyi2p";
+ patches = [
+ ./1.0.2/nix-ssl-cert-file.patch
+
+ (if stdenv.hostPlatform.isDarwin
+ then ./1.0.2/use-etc-ssl-certs-darwin.patch
+ else ./1.0.2/use-etc-ssl-certs.patch)
+ ];
 };
 openssl_1_1 = common {
 version = "1.1.1";
 sha256 = "0gbab2fjgms1kx5xjvqx8bxhr98k4r8l2fa8vw7kvh491xd8fdi8";
+ patches = [ ./nix-ssl-cert-file.patch ];
 };
}
From d012516c44dc6937e0b3eab5c3b6c5af6222da86 Mon Sep 17 00:00:00 2001
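Review bot: In the first default.nix hunk, `+ inherit patches;` makes `patches` an attribute every caller of `common` must supply, whereas the removed `(args.patches or [])` tolerated its absence; whether that is now an evaluation error depends on `common`'s parameter set, which begins outside the hunk. Both call sites in the second hunk pass it, so nothing breaks in this commit, but a future caller that sets only `version` and `sha256` would fail with a missing-attribute error rather than get an empty patch list. If `common` takes a plain `args` pattern, `patches = args.patches or [];` keeps the old leniency; if it destructures its arguments, a `patches ? []` default does the same. The `optional` and `versionOlder` helpers used only by the removed expression look unused afterwards, assuming nothing else in the file references them, and could be dropped from wherever they are brought into scope.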
From: Alyssa Ross
Date: Tue, 20 Nov 2018 15:56:49 +0000
Subject: [PATCH 2/2] openssl_1_1: 1.1.1 -> 1.1.1a
CVE-2018-0734: https://www.openssl.org/news/vulnerabilities.html#2018-0734
CVE-2018-0735: https://www.openssl.org/news/vulnerabilities.html#2018-0735
---
 .../libraries/openssl/1.1/nix-ssl-cert-file.patch | 15 +++++++++++++++
 pkgs/development/libraries/openssl/default.nix | 6 +++---
 .../libraries/openssl/nix-ssl-cert-file.patch | 14 --------------
 3 files changed, 18 insertions(+), 17 deletions(-)
 create mode 100644 pkgs/development/libraries/openssl/1.1/nix-ssl-cert-file.patch
 delete mode 100644 pkgs/development/libraries/openssl/nix-ssl-cert-file.patch
diff --git a/pkgs/development/libraries/openssl/1.1/nix-ssl-cert-file.patch b/pkgs/development/libraries/openssl/1.1/nix-ssl-cert-file.patch
new file mode 100644
index 000000000000..9e871cfb1d31
--- /dev/null
+++ b/pkgs/development/libraries/openssl/1.1/nix-ssl-cert-file.patch
@@ -0,0 +1,15 @@
+diff --git a/crypto/x509/by_file.c b/crypto/x509/by_file.c
+index 244512c935..f0b70d7ea1 100644
+--- a/crypto/x509/by_file.c
++++ b/crypto/x509/by_file.c
+@@ -46,7 +46,9 @@ static int by_file_ctrl(X509_LOOKUP *ctx, int cmd, const char *argp,
+ switch (cmd) {
+ case X509_L_FILE_LOAD:
+ if (argl == X509_FILETYPE_DEFAULT) {
+- file = ossl_safe_getenv(X509_get_default_cert_file_env());
++ file = ossl_safe_getenv("NIX_SSL_CERT_FILE");
++ if (!file)
++ file = ossl_safe_getenv(X509_get_default_cert_file_env());
+ if (file)
+ ok = (X509_load_cert_crl_file(ctx, file,
+ X509_FILETYPE_PEM) != 0);
diff --git a/pkgs/development/libraries/openssl/default.nix b/pkgs/development/libraries/openssl/default.nix
index 3e643807f1cf..8efcbd58dd12 100644
--- a/pkgs/development/libraries/openssl/default.nix
+++ b/pkgs/development/libraries/openssl/default.nix
@@ -131,9 +131,9 @@ in {
 };
 openssl_1_1 = common {
- version = "1.1.1";
- sha256 = "0gbab2fjgms1kx5xjvqx8bxhr98k4r8l2fa8vw7kvh491xd8fdi8";
- patches = [ ./nix-ssl-cert-file.patch ];
+ version = "1.1.1a";
+ sha256 = "0hcz7znzznbibpy3iyyhvlqrq44y88plxwdj32wjzgbwic7i687w";
+ patches = [ ./1.1/nix-ssl-cert-file.patch ];
 };
}
diff --git a/pkgs/development/libraries/openssl/nix-ssl-cert-file.patch b/pkgs/development/libraries/openssl/nix-ssl-cert-file.patch
deleted file mode 100644
index 893fb3eb6643..000000000000
--- a/pkgs/development/libraries/openssl/nix-ssl-cert-file.patch
+++ /dev/null
@@ -1,14 +0,0 @@
-diff -ru -x '*~' openssl-1.0.2j-orig/crypto/x509/by_file.c openssl-1.0.2j/crypto/x509/by_file.c
---- openssl-1.0.2j-orig/crypto/x509/by_file.c 2016-09-26 11:49:07.000000000 +0200
-+++ openssl-1.0.2j/crypto/x509/by_file.c 2016-10-13 16:54:31.400288302 +0200
-@@ -97,7 +97,9 @@
- switch (cmd) {
- case X509_L_FILE_LOAD:
- if (argl == X509_FILETYPE_DEFAULT) {
-- file = getenv(X509_get_default_cert_file_env());
-+ file = getenv("NIX_SSL_CERT_FILE");
-+ if (!file)
-+ file = getenv(X509_get_default_cert_file_env());
- if (file)
- ok = (X509_load_cert_crl_file(ctx, file,
- X509_FILETYPE_PEM) != 0);