b12f/nixpkgs
1
0
Fork 0
Code Issues Pull requests Packages Projects Releases Wiki Activity

Merge pull request #254574 from helsinki-systems/upd/openssl_1_1

Browse source 
openssl_1_1: 1.1.1v -> 1.1.1w
This commit is contained in:
Fabián Heredia Montiel 2023-09-14 11:35:26 -06:00 committed by GitHub
parent fb0fd7a13f 93840b4878
commit c5aab69eaa
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
3 changed files with 3 additions and 50 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

44
pkgs/development/libraries/openssl/1.1/CVE-2023-4807.patch
View file

@ -1,44 +0,0 @@
From 4bfac4471f53c4f74c8d81020beb938f92d84ca5 Mon Sep 17 00:00:00 2001
From: Bernd Edlinger <bernd.edlinger@hotmail.de>
Date: Tue, 22 Aug 2023 16:07:30 +0200
Subject: [PATCH] Avoid clobbering non-volatile XMM registers
This affects some Poly1305 assembler functions
which are only used for certain CPU types.
Remove those functions for Windows targets,
as a simple interim solution.
Fixes #21522
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/21808)
(cherry picked from commit 7b8e27bc2e02238986d89ef0ece067ec1b48e165)
---
crypto/poly1305/asm/poly1305-x86_64.pl | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/crypto/poly1305/asm/poly1305-x86_64.pl b/crypto/poly1305/asm/poly1305-x86_64.pl
index fa9bfb7a7b81..24bab9d0bcf9 100755
--- a/crypto/poly1305/asm/poly1305-x86_64.pl
+++ b/crypto/poly1305/asm/poly1305-x86_64.pl
@@ -195,7 +195,7 @@ sub poly1305_iteration {
bt \$`5+32`,%r9 # AVX2?
cmovc %rax,%r10
___
-$code.=<<___ if ($avx>3);
+$code.=<<___ if ($avx>3 && !$win64);
mov \$`(1<<31|1<<21|1<<16)`,%rax
shr \$32,%r9
and %rax,%r9
@@ -2724,7 +2724,7 @@ sub poly1305_iteration {
.cfi_endproc
.size poly1305_blocks_avx512,.-poly1305_blocks_avx512
___
-if ($avx>3) {
+if ($avx>3 && !$win64) {
########################################################################
# VPMADD52 version using 2^44 radix.
#

7
pkgs/development/libraries/openssl/default.nix
View file

@ -236,14 +236,11 @@ in {
# the permitted insecure version to ensure it gets cached for our users
# and backport this to stable release (23.05).
openssl_1_1 = common {
version = "1.1.1v";
sha256 = "sha256-1ml+KHHncjhGBALpNi1H0YOCsV758karpse9eA04prA=";
version = "1.1.1w";
sha256 = "sha256-zzCYlQy02FOtlcCEHx+cbT3BAtzPys1SHZOSUgi3asg=";
patches = [
./1.1/nix-ssl-cert-file.patch
# https://www.openssl.org/news/secadv/20230908.txt
./1.1/CVE-2023-4807.patch
(if stdenv.hostPlatform.isDarwin
then ./use-etc-ssl-certs-darwin.patch
else ./use-etc-ssl-certs.patch)

2
pkgs/top-level/release.nix
View file

@ -26,7 +26,7 @@
# for no real reason.
# Remove them for 23.11.
"nodejs-16.20.2"
"openssl-1.1.1v"
"openssl-1.1.1w"
];
}; }
}: