This is the hash for the GitHub snapshot of the 3.4.1 tag, not the
official tarball we're using. When the PR doing this update was
updated after the tarballs came out, updating the hash was forgotten.
I've checked the hashes of the other OpenSSL versions and they're
fine.
Fixes: c05c515eff ("openssl_3_4: init at 3.4.1; openssl_3_3: remove")
Updates OpenSSL 3.x latest to 3.4.1
Security Fixes in 3.4.1:
* Fixed RFC7250 handshakes with unauthenticated servers don't abort as expected. ([CVE-2024-12797])
* Fixed timing side-channel in ECDSA signature computation. ([CVE-2024-13176](https://www.openssl.org/news/vulnerabilities.html#CVE-2024-13176))
Release notes:
https://github.com/openssl/openssl/blob/openssl-3.4.0/NEWS.md#openssl-34
Some significant changes:
* Deprecation of TS_VERIFY_CTX_set_* functions and addition of replacement TS_VERIFY_CTX_set0_*
functions with improved semantics
* SHAKE-128 and SHAKE-256 implementations have no default digest length anymore.
That means these algorithms cannot be used with EVP_DigestFinal/_ex() unless the xoflen param is set before.
* An empty renegotiate extension will be used in TLS client hellos instead of the empty renegotiation SCSV, for
all connections with a minimum TLS version > 1.0.
* Deprecation of SSL_SESSION_get_time(), SSL_SESSION_set_time() and SSL_CTX_flush_sessions() functions in favor
of their respective _ex functions which are Y2038-safe on platforms with Y2038-safe time_t
Some new features:
* Support for directly fetched composite signature algorithms such as RSA-SHA2-256 including new API functions
* New options -not_before and -not_after for explicit setting start and end dates of certificates created with
the req and x509 apps
* Support for attribute certificates
* Support for pkeyutl in combination with key encapsulation (e.q.
PQC-KEMs): -encap/-decap
Signed-off-by: Markus Theil <theil.markus@gmail.com>
After final improvements to the official formatter implementation,
this commit now performs the first treewide reformat of Nix files using it.
This is part of the implementation of RFC 166.
Only "inactive" files are reformatted, meaning only files that
aren't being touched by any PR with activity in the past 2 months.
This is to avoid conflicts for PRs that might soon be merged.
Later we can do a full treewide reformat to get the rest,
which should not cause as many conflicts.
A CI check has already been running for some time to ensure that new and
already-formatted files are formatted, so the files being reformatted here
should also stay formatted.
This commit was automatically created and can be verified using
nix-build a08b3a4d19.tar.gz \
--argstr baseRev 57b193d8dd
result/bin/apply-formatting $NIXPKGS_PATH
In preparation for the deprecation of `stdenv.isX`.
These shorthands are not conducive to cross-compilation because they
hide the platforms.
Darwin might get cross-compilation for which the continued usage of `stdenv.isDarwin` will get in the way
One example of why this is bad and especially affects compiler packages
https://www.github.com/NixOS/nixpkgs/pull/343059
There are too many files to go through manually but a treewide should
get users thinking when they see a `hostPlatform.isX` in a place where it
doesn't make sense.
```
fd --type f "\.nix" | xargs sd --fixed-strings "stdenv.is" "stdenv.hostPlatform.is"
fd --type f "\.nix" | xargs sd --fixed-strings "stdenv'.is" "stdenv'.hostPlatform.is"
fd --type f "\.nix" | xargs sd --fixed-strings "clangStdenv.is" "clangStdenv.hostPlatform.is"
fd --type f "\.nix" | xargs sd --fixed-strings "gccStdenv.is" "gccStdenv.hostPlatform.is"
fd --type f "\.nix" | xargs sd --fixed-strings "stdenvNoCC.is" "stdenvNoCC.hostPlatform.is"
fd --type f "\.nix" | xargs sd --fixed-strings "inherit (stdenv) is" "inherit (stdenv.hostPlatform) is"
fd --type f "\.nix" | xargs sd --fixed-strings "buildStdenv.is" "buildStdenv.hostPlatform.is"
fd --type f "\.nix" | xargs sd --fixed-strings "effectiveStdenv.is" "effectiveStdenv.hostPlatform.is"
fd --type f "\.nix" | xargs sd --fixed-strings "originalStdenv.is" "originalStdenv.hostPlatform.is"
```
OpenSSL used to provide their software downloads on openssl.org.
Now they use links to Github releases.
OpenSSL 1.1.1w is also available at Github, but with a small
difference in the URL scheme.
Signed-off-by: Markus Theil <theil.markus@gmail.com>
This changes openssl to use makeBinaryWrapper since makeWrapper uses
non-overridable runtimeShell that causes infinite recursion. That is,
fetchurl in pkgs/top-level/all-packages.nix is bootstrapped by
overriding dependencies to use stdenv.fetchurlBoot.
Upstream commit: e86ac436f0
This patch fixes the ALPN negotiation in OpenSSL.
It applies to all used versions >= 3.0, but was taken
from the 3.3 branch. Therefore I added it to the 3.3
directory.
Signed-off-by: Markus Theil <theil.markus@gmail.com>
Changelog: https://github.com/openssl/openssl/blob/openssl-3.2/CHANGES.md#changes-between-321-and-322-4-jun-2024
CVEs fixed:
- Fixed potential use after free after SSL_free_buffers() is called.
(CVE-2024-4741)
- Fixed an issue where checking excessively long DSA keys or parameters may be very slow.
(CVE-2024-4603)
- Fixed an issue where some non-default TLS server configurations can cause unbounded memory
growth when processing TLSv1.3 sessions. An attacker may exploit certain server configurations
to trigger unbounded memory growth that would lead to a Denial of Service.
(CVE-2024-2511)
Signed-off-by: Markus Theil <theil.markus@gmail.com>
Changelog: https://github.com/openssl/openssl/blob/openssl-3.0/CHANGES.md#changes-between-3013-and-3014-4-jun-2024
CVEs fixed:
- Fixed potential use after free after SSL_free_buffers() is called.
(CVE-2024-4741)
- Fixed an issue where checking excessively long DSA keys or parameters may be very slow.
(CVE-2024-4603)
- Fixed an issue where some non-default TLS server configurations can cause unbounded
memory growth when processing TLSv1.3 sessions. An attacker may exploit certain
server configurations to trigger unbounded memory growth that would lead to a
Denial of Service.
(CVE-2024-2511)
Signed-off-by: Markus Theil <theil.markus@gmail.com>
