openssl: 3.0.9 -> 3.0.10 · pyrox.dev/nixpkgs@b889dfd

lol

openssl: 3.0.9 -> 3.0.10

https://github.com/openssl/openssl/blob/openssl-3.0/NEWS.md#major-changes-between-openssl-309-and-openssl-3010-1-aug-2023

ajs124 2 years ago b889dfdb 7a031b95

+2 -59

2 changed files

expand all

pkgs

development

libraries

openssl

3.0

CVE-2023-2975.patch

default.nix

-54

pkgs/development/libraries/openssl/3.0/CVE-2023-2975.patch

··· 1 - From 6a83f0c958811f07e0d11dfc6b5a6a98edfd5bdc Mon Sep 17 00:00:00 2001 2 - From: Tomas Mraz <tomas@openssl.org> 3 - Date: Tue, 4 Jul 2023 17:30:35 +0200 4 - Subject: [PATCH] Do not ignore empty associated data with AES-SIV mode 5 - 6 - The AES-SIV mode allows for multiple associated data items 7 - authenticated separately with any of these being 0 length. 8 - 9 - The provided implementation ignores such empty associated data 10 - which is incorrect in regards to the RFC 5297 and is also 11 - a security issue because such empty associated data then become 12 - unauthenticated if an application expects to authenticate them. 13 - 14 - Fixes CVE-2023-2975 15 - 16 - Reviewed-by: Matt Caswell <matt@openssl.org> 17 - Reviewed-by: Paul Dale <pauli@openssl.org> 18 - (Merged from https://github.com/openssl/openssl/pull/21384) 19 - 20 - (cherry picked from commit c426c281cfc23ab182f7d7d7a35229e7db1494d9) 21 - --- 22 - .../implementations/ciphers/cipher_aes_siv.c | 18 +++++++++++------- 23 - 1 file changed, 11 insertions(+), 7 deletions(-) 24 - 25 - diff --git a/providers/implementations/ciphers/cipher_aes_siv.c b/providers/implementations/ciphers/cipher_aes_siv.c 26 - index 45010b90db2a..b396c8651a32 100644 27 - --- a/providers/implementations/ciphers/cipher_aes_siv.c 28 - +++ b/providers/implementations/ciphers/cipher_aes_siv.c 29 - @@ -120,14 +120,18 @@ static int siv_cipher(void *vctx, unsigned char *out, size_t *outl, 30 - if (!ossl_prov_is_running()) 31 - return 0; 32 - 33 - - if (inl == 0) { 34 - - *outl = 0; 35 - - return 1; 36 - - } 37 - + /* Ignore just empty encryption/decryption call and not AAD. */ 38 - + if (out != NULL) { 39 - + if (inl == 0) { 40 - + if (outl != NULL) 41 - + *outl = 0; 42 - + return 1; 43 - + } 44 - 45 - - if (outsize < inl) { 46 - - ERR_raise(ERR_LIB_PROV, PROV_R_OUTPUT_BUFFER_TOO_SMALL); 47 - - return 0; 48 - + if (outsize < inl) { 49 - + ERR_raise(ERR_LIB_PROV, PROV_R_OUTPUT_BUFFER_TOO_SMALL); 50 - + return 0; 51 - + } 52 - } 53 - 54 - if (ctx->hw->cipher(ctx, out, in, inl) <= 0)

+2 -5

pkgs/development/libraries/openssl/default.nix

··· 254 254 }; 255 255 256 256 openssl_3 = common { 257 - version = "3.0.9"; 258 - sha256 = "sha256-6xqwR4FHQ2D3fDGKuJ2MWgOrw45j1lpgPKu/GwCh3JA="; 257 + version = "3.0.10"; 258 + sha256 = "sha256-F2HU9bE6ECi5tvPUuOF/6wztyTcPav5h1xk9LNzoMyM="; 259 259 patches = [ 260 260 ./3.0/nix-ssl-cert-file.patch 261 261 262 262 # openssl will only compile in KTLS if the current kernel supports it. 263 263 # This patch disables build-time detection. 264 264 ./3.0/openssl-disable-kernel-detection.patch 265 - 266 - # https://www.openssl.org/news/secadv/20230714.txt 267 - ./3.0/CVE-2023-2975.patch 268 265 269 266 (if stdenv.hostPlatform.isDarwin 270 267 then ./use-etc-ssl-certs-darwin.patch