commit c5aab69eaafe229f15dc198eb8fde5f65e6c688b · pyrox.dev/nixpkgs

pyrox.dev / nixpkgs

lol

fork atom

Merge pull request #254574 from helsinki-systems/upd/openssl_1_1

openssl_1_1: 1.1.1v -> 1.1.1w

authored by Fabián Heredia Montiel and committed by GitHub 2 years ago c5aab69e fb0fd7a1

+3 -50

3 changed files

expand all

unified split

pkgs

development

libraries

openssl

1.1

CVE-2023-4807.patch

default.nix

top-level

release.nix

-44

pkgs/development/libraries/openssl/1.1/CVE-2023-4807.patch

··· 1 - From 4bfac4471f53c4f74c8d81020beb938f92d84ca5 Mon Sep 17 00:00:00 2001 2 - From: Bernd Edlinger <bernd.edlinger@hotmail.de> 3 - Date: Tue, 22 Aug 2023 16:07:30 +0200 4 - Subject: [PATCH] Avoid clobbering non-volatile XMM registers 5 - 6 - This affects some Poly1305 assembler functions 7 - which are only used for certain CPU types. 8 - 9 - Remove those functions for Windows targets, 10 - as a simple interim solution. 11 - 12 - Fixes #21522 13 - 14 - Reviewed-by: Tomas Mraz <tomas@openssl.org> 15 - Reviewed-by: Paul Dale <pauli@openssl.org> 16 - (Merged from https://github.com/openssl/openssl/pull/21808) 17 - 18 - (cherry picked from commit 7b8e27bc2e02238986d89ef0ece067ec1b48e165) 19 - --- 20 - crypto/poly1305/asm/poly1305-x86_64.pl | 4 ++-- 21 - 1 file changed, 2 insertions(+), 2 deletions(-) 22 - 23 - diff --git a/crypto/poly1305/asm/poly1305-x86_64.pl b/crypto/poly1305/asm/poly1305-x86_64.pl 24 - index fa9bfb7a7b81..24bab9d0bcf9 100755 25 - --- a/crypto/poly1305/asm/poly1305-x86_64.pl 26 - +++ b/crypto/poly1305/asm/poly1305-x86_64.pl 27 - @@ -195,7 +195,7 @@ sub poly1305_iteration { 28 - bt \$`5+32`,%r9 # AVX2? 29 - cmovc %rax,%r10 30 - ___ 31 - -$code.=<<___ if ($avx>3); 32 - +$code.=<<___ if ($avx>3 && !$win64); 33 - mov \$`(1<<31|1<<21|1<<16)`,%rax 34 - shr \$32,%r9 35 - and %rax,%r9 36 - @@ -2724,7 +2724,7 @@ sub poly1305_iteration { 37 - .cfi_endproc 38 - .size poly1305_blocks_avx512,.-poly1305_blocks_avx512 39 - ___ 40 - -if ($avx>3) { 41 - +if ($avx>3 && !$win64) { 42 - ######################################################################## 43 - # VPMADD52 version using 2^44 radix. 44 - #

···

+2 -5

pkgs/development/libraries/openssl/default.nix

··· 236 # the permitted insecure version to ensure it gets cached for our users 237 # and backport this to stable release (23.05). 238 openssl_1_1 = common { 239 - version = "1.1.1v"; 240 - sha256 = "sha256-1ml+KHHncjhGBALpNi1H0YOCsV758karpse9eA04prA="; 241 patches = [ 242 ./1.1/nix-ssl-cert-file.patch 243 - 244 - # https://www.openssl.org/news/secadv/20230908.txt 245 - ./1.1/CVE-2023-4807.patch 246 247 (if stdenv.hostPlatform.isDarwin 248 then ./use-etc-ssl-certs-darwin.patch

··· 236 # the permitted insecure version to ensure it gets cached for our users 237 # and backport this to stable release (23.05). 238 openssl_1_1 = common { 239 + version = "1.1.1w"; 240 + sha256 = "sha256-zzCYlQy02FOtlcCEHx+cbT3BAtzPys1SHZOSUgi3asg="; 241 patches = [ 242 ./1.1/nix-ssl-cert-file.patch 243 244 (if stdenv.hostPlatform.isDarwin 245 then ./use-etc-ssl-certs-darwin.patch

+1 -1

pkgs/top-level/release.nix

··· 26 # for no real reason. 27 # Remove them for 23.11. 28 "nodejs-16.20.2" 29 - "openssl-1.1.1v" 30 ]; 31 }; } 32 }:

··· 26 # for no real reason. 27 # Remove them for 23.11. 28 "nodejs-16.20.2" 29 + "openssl-1.1.1w" 30 ]; 31 }; } 32 }: