openssl: 1.0.2p -> 1.0.2q

CVE-2018-0734: https://www.openssl.org/news/vulnerabilities.html#2018-0734 CVE-2018-5407: https://www.openssl.org/news/vulnerabilities.html#2018-5407 No patches can any longer be shared between 1.0.2 and 1.1, so reorganize patches into subdirectories (and remove an unused one).
2024-09-20 20:39:04 +02:00 · 2018-11-20 15:56:23 +00:00 · 2018-11-20 15:56:23 +00:00 · ae29a9e688
parent ad17b8164a
commit ae29a9e688
5 changed files with 27 additions and 21 deletions
--- a/pkgs/development/libraries/openssl/1.0.2/nix-ssl-cert-file.patch
+++ b/pkgs/development/libraries/openssl/1.0.2/nix-ssl-cert-file.patch
@ -0,0 +1,16 @@
+diff --git a/crypto/x509/by_file.c b/crypto/x509/by_file.c
+index e6d0e6e1a6..b89456fd87 100644
+--- a/crypto/x509/by_file.c
+++ b/crypto/x509/by_file.c
+@@ -97,7 +97,10 @@ static int by_file_ctrl(X509_LOOKUP *ctx, int cmd, const char *argp,
+     switch (cmd) {
+     case X509_L_FILE_LOAD:
+         if (argl == X509_FILETYPE_DEFAULT) {
+-            file = ossl_safe_getenv(X509_get_default_cert_file_env());
+            file = ossl_safe_getenv("NIX_SSL_CERT_FILE");
+
+            if (!file)
+                file = ossl_safe_getenv(X509_get_default_cert_file_env());
+ 
+             if (file)
+                 ok = (X509_load_cert_crl_file(ctx, file,
--- a/pkgs/development/libraries/openssl/1.0.2/use-etc-ssl-certs-darwin.patch
+++ b/pkgs/development/libraries/openssl/1.0.2/use-etc-ssl-certs-darwin.patch
--- a/pkgs/development/libraries/openssl/1.0.2/use-etc-ssl-certs.patch
+++ b/pkgs/development/libraries/openssl/1.0.2/use-etc-ssl-certs.patch
--- a/pkgs/development/libraries/openssl/darwin-arch.patch
+++ b/pkgs/development/libraries/openssl/darwin-arch.patch
@ -1,12 +0,0 @@
-diff -ru -x '*~' openssl-1.0.1c-orig/Configure openssl-1.0.1c/Configure
--- openssl-1.0.1c-orig/Configure	2012-03-14 23:20:40.000000000 +0100
-+++ openssl-1.0.1c/Configure	2012-12-18 17:29:30.268090633 +0100
-@@ -579,7 +579,7 @@
- "darwin64-ppc-cc","cc:-arch ppc64 -O3 -DB_ENDIAN::-D_REENTRANT:MACOSX:-Wl,-search_paths_first%:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR:${ppc64_asm}:osx64:dlfcn:darwin-shared:-fPIC -fno-common:-arch ppc64 -dynamiclib:.\$(SHLIB_MAJOR).\$(SHLIB_MINOR).dylib",
- "darwin-i386-cc","cc:-arch i386 -O3 -fomit-frame-pointer -DL_ENDIAN::-D_REENTRANT:MACOSX:-Wl,-search_paths_first%:BN_LLONG RC4_INT RC4_CHUNK DES_UNROLL BF_PTR:".eval{my $asm=$x86_asm;$asm=~s/cast\-586\.o//;$asm}.":macosx:dlfcn:darwin-shared:-fPIC -fno-common:-arch i386 -dynamiclib:.\$(SHLIB_MAJOR).\$(SHLIB_MINOR).dylib",
- "debug-darwin-i386-cc","cc:-arch i386 -g3 -DL_ENDIAN::-D_REENTRANT:MACOSX:-Wl,-search_paths_first%:BN_LLONG RC4_INT RC4_CHUNK DES_UNROLL BF_PTR:${x86_asm}:macosx:dlfcn:darwin-shared:-fPIC -fno-common:-arch i386 -dynamiclib:.\$(SHLIB_MAJOR).\$(SHLIB_MINOR).dylib",
-"darwin64-x86_64-cc","cc:-arch x86_64 -O3 -DL_ENDIAN -Wall::-D_REENTRANT:MACOSX:-Wl,-search_paths_first%:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL:".eval{my $asm=$x86_64_asm;$asm=~s/rc4\-[^:]+//;$asm}.":macosx:dlfcn:darwin-shared:-fPIC -fno-common:-arch x86_64 -dynamiclib:.\$(SHLIB_MAJOR).\$(SHLIB_MINOR).dylib",
-+"darwin64-x86_64-cc","cc:-O3 -DL_ENDIAN -Wall::-D_REENTRANT:MACOSX:-Wl,-search_paths_first%:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL:".eval{my $asm=$x86_64_asm;$asm=~s/rc4\-[^:]+//;$asm}.":macosx:dlfcn:darwin-shared:-fPIC -fno-common:-dynamiclib:.\$(SHLIB_MAJOR).\$(SHLIB_MINOR).dylib",
- "debug-darwin-ppc-cc","cc:-DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DCRYPTO_MDEBUG -DB_ENDIAN -g -Wall -O::-D_REENTRANT:MACOSX::BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR:${ppc32_asm}:osx32:dlfcn:darwin-shared:-fPIC:-dynamiclib:.\$(SHLIB_MAJOR).\$(SHLIB_MINOR).dylib",
- # iPhoneOS/iOS
- "iphoneos-cross","llvm-gcc:-O3 -isysroot \$(CROSS_TOP)/SDKs/\$(CROSS_SDK) -fomit-frame-pointer -fno-common::-D_REENTRANT:iOS:-Wl,-search_paths_first%:BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR:${no_asm}:dlfcn:darwin-shared:-fPIC -fno-common:-dynamiclib:.\$(SHLIB_MAJOR).\$(SHLIB_MINOR).dylib",
--- a/pkgs/development/libraries/openssl/default.nix
+++ b/pkgs/development/libraries/openssl/default.nix
@ -15,13 +15,7 @@ let
      inherit sha256;
    };

-    patches =
-      (args.patches or [])
-      ++ [ ./nix-ssl-cert-file.patch ]
-      ++ optional (versionOlder version "1.1.0")
-          (if stdenv.hostPlatform.isDarwin then ./use-etc-ssl-certs-darwin.patch else ./use-etc-ssl-certs.patch)
-      ++ optional (versionOlder version "1.0.2" && stdenv.hostPlatform.isDarwin)
-           ./darwin-arch.patch;
+    inherit patches;

    postPatch = ''
      patchShebangs Configure
@ -125,13 +119,21 @@ let
 in {

  openssl_1_0_2 = common {
-    version = "1.0.2p";
-    sha256 = "003xh9f898i56344vpvpxxxzmikivxig4xwlm7vbi7m8n43qxaah";
+    version = "1.0.2q";
+    sha256 = "115nisqy7kazbg6br2wrcra9nphyph1l4dgp563b9cf2rv5wyi2p";
+    patches = [
+      ./1.0.2/nix-ssl-cert-file.patch
+
+      (if stdenv.hostPlatform.isDarwin
+       then ./1.0.2/use-etc-ssl-certs-darwin.patch
+       else ./1.0.2/use-etc-ssl-certs.patch)
+    ];
  };

  openssl_1_1 = common {
    version = "1.1.1";
    sha256 = "0gbab2fjgms1kx5xjvqx8bxhr98k4r8l2fa8vw7kvh491xd8fdi8";
+    patches = [ ./nix-ssl-cert-file.patch ];
  };

 }