diff options
author | Martin Weinelt <hexa@darmstadt.ccc.de> | 2022-07-05 22:44:41 +0200 |
---|---|---|
committer | Martin Weinelt <hexa@darmstadt.ccc.de> | 2022-07-05 23:14:10 +0200 |
commit | 1dbf7b45e26a6ef990ea72387dc1195e185c5fa0 (patch) | |
tree | 9eb8e4897e07f291e78e589455d94ebeea15b2c9 /pkgs/development/libraries/openssl | |
parent | 4a077da28ea45ebe0d06caa21c40c73846421fea (diff) |
openssl_3: 3.0.4 -> 3.0.5
https://www.openssl.org/news/secadv/20220705.txt We already acted on the first public disclosure, so this release removes the previous patch and upgrades to the release including the fix. Related: CVE-2022-2274 Fixes: CVE-2022-2097
Diffstat (limited to 'pkgs/development/libraries/openssl')
-rw-r--r-- | pkgs/development/libraries/openssl/3.0/rsa-fix-bn_reduce_once_in_place-call-for-rsaz_mod_exp_avx512_x2.patch | 34 | ||||
-rw-r--r-- | pkgs/development/libraries/openssl/default.nix | 8 |
2 files changed, 2 insertions, 40 deletions
diff --git a/pkgs/development/libraries/openssl/3.0/rsa-fix-bn_reduce_once_in_place-call-for-rsaz_mod_exp_avx512_x2.patch b/pkgs/development/libraries/openssl/3.0/rsa-fix-bn_reduce_once_in_place-call-for-rsaz_mod_exp_avx512_x2.patch deleted file mode 100644 index e144a7188897e..0000000000000 --- a/pkgs/development/libraries/openssl/3.0/rsa-fix-bn_reduce_once_in_place-call-for-rsaz_mod_exp_avx512_x2.patch +++ /dev/null @@ -1,34 +0,0 @@ -From 4d8a88c134df634ba610ff8db1eb8478ac5fd345 Mon Sep 17 00:00:00 2001 -From: Xi Ruoyao <xry111@xry111.site> -Date: Wed, 22 Jun 2022 18:07:05 +0800 -Subject: [PATCH] rsa: fix bn_reduce_once_in_place call for - rsaz_mod_exp_avx512_x2 - -bn_reduce_once_in_place expects the number of BN_ULONG, but factor_size -is moduli bit size. - -Fixes #18625. - -Signed-off-by: Xi Ruoyao <xry111@xry111.site> - -Reviewed-by: Tomas Mraz <tomas@openssl.org> -Reviewed-by: Paul Dale <pauli@openssl.org> -(Merged from https://github.com/openssl/openssl/pull/18626) ---- - crypto/bn/rsaz_exp_x2.c | 3 +++ - 1 file changed, 3 insertions(+) - -diff --git a/crypto/bn/rsaz_exp_x2.c b/crypto/bn/rsaz_exp_x2.c -index 6b04486e3f56..f979cebd6fb7 100644 ---- a/crypto/bn/rsaz_exp_x2.c -+++ b/crypto/bn/rsaz_exp_x2.c -@@ -257,6 +257,9 @@ int ossl_rsaz_mod_exp_avx512_x2(BN_ULONG *res1, - from_words52(res1, factor_size, rr1_red); - from_words52(res2, factor_size, rr2_red); - -+ /* bn_reduce_once_in_place expects number of BN_ULONG, not bit size */ -+ factor_size /= sizeof(BN_ULONG) * 8; -+ - bn_reduce_once_in_place(res1, /*carry=*/0, m1, storage, factor_size); - bn_reduce_once_in_place(res2, /*carry=*/0, m2, storage, factor_size); - diff --git a/pkgs/development/libraries/openssl/default.nix b/pkgs/development/libraries/openssl/default.nix index db6e0101fec78..0017691d0b452 100644 --- a/pkgs/development/libraries/openssl/default.nix +++ b/pkgs/development/libraries/openssl/default.nix @@ -201,8 +201,8 @@ in { }; openssl_3 = common { - version = "3.0.4"; - sha256 = "sha256-KDGEPppmigq0eOcCCtY9LWXlH3KXdHLcc+/O+6/AwA8="; + version = "3.0.5"; + sha256 = "sha256-qn2Nm+9xrWUlxVuhHl9Dl4ic5Jwsk0nc6m0+TwsCSno="; patches = [ ./3.0/nix-ssl-cert-file.patch @@ -210,10 +210,6 @@ in { # This patch disables build-time detection. ./3.0/openssl-disable-kernel-detection.patch - # https://guidovranken.com/2022/06/27/notes-on-openssl-remote-memory-corruption/ - # https://github.com/openssl/openssl/commit/4d8a88c134df634ba610ff8db1eb8478ac5fd345.patch - 3.0/rsa-fix-bn_reduce_once_in_place-call-for-rsaz_mod_exp_avx512_x2.patch - (if stdenv.hostPlatform.isDarwin then ./use-etc-ssl-certs-darwin.patch else ./use-etc-ssl-certs.patch) |