From 93840b48780adc5cee3c7259a2440d756f6bf32c Mon Sep 17 00:00:00 2001
From: ajs124
Date: Mon, 11 Sep 2023 17:27:39 +0200
Subject: openssl_1_1: 1.1.1v -> 1.1.1w

https://github.com/openssl/openssl/blob/OpenSSL_1_1_1w/NEWS
---
.../libraries/openssl/1.1/CVE-2023-4807.patch | 44 ----------------------
pkgs/development/libraries/openssl/default.nix | 7 +---
pkgs/top-level/release.nix | 2 +-
3 files changed, 3 insertions(+), 50 deletions(-)
delete mode 100644 pkgs/development/libraries/openssl/1.1/CVE-2023-4807.patch
(limited to 'pkgs')
diff --git a/pkgs/development/libraries/openssl/1.1/CVE-2023-4807.patch b/pkgs/development/libraries/openssl/1.1/CVE-2023-4807.patch
deleted file mode 100644
index 7312b41fc7403..0000000000000
--- a/pkgs/development/libraries/openssl/1.1/CVE-2023-4807.patch
+++ /dev/null
@@ -1,44 +0,0 @@
-From 4bfac4471f53c4f74c8d81020beb938f92d84ca5 Mon Sep 17 00:00:00 2001
-From: Bernd Edlinger
-Date: Tue, 22 Aug 2023 16:07:30 +0200
-Subject: [PATCH] Avoid clobbering non-volatile XMM registers
-
-This affects some Poly1305 assembler functions
-which are only used for certain CPU types.
-
-Remove those functions for Windows targets,
-as a simple interim solution.
-
-Fixes #21522
-
-Reviewed-by: Tomas Mraz
-Reviewed-by: Paul Dale
-(Merged from https://github.com/openssl/openssl/pull/21808)
-
-(cherry picked from commit 7b8e27bc2e02238986d89ef0ece067ec1b48e165)
----
- crypto/poly1305/asm/poly1305-x86_64.pl | 4 ++--
- 1 file changed, 2 insertions(+), 2 deletions(-)
-
-diff --git a/crypto/poly1305/asm/poly1305-x86_64.pl b/crypto/poly1305/asm/poly1305-x86_64.pl
-index fa9bfb7a7b81..24bab9d0bcf9 100755
---- a/crypto/poly1305/asm/poly1305-x86_64.pl
-+++ b/crypto/poly1305/asm/poly1305-x86_64.pl
-@@ -195,7 +195,7 @@ sub poly1305_iteration {
- bt \$`5+32`,%r9 # AVX2?
- cmovc %rax,%r10
- ___
--$code.=<<___ if ($avx>3);
-+$code.=<<___ if ($avx>3 && !$win64);
- mov \$`(1<<31|1<<21|1<<16)`,%rax
- shr \$32,%r9
- and %rax,%r9
-@@ -2724,7 +2724,7 @@ sub poly1305_iteration {
- .cfi_endproc
- .size poly1305_blocks_avx512,.-poly1305_blocks_avx512
- ___
--if ($avx>3) {
-+if ($avx>3 && !$win64) {
- ########################################################################
- # VPMADD52 version using 2^44 radix.
- #
diff --git a/pkgs/development/libraries/openssl/default.nix b/pkgs/development/libraries/openssl/default.nix
index 93786881a5200..2318753405674 100644
--- a/pkgs/development/libraries/openssl/default.nix
+++ b/pkgs/development/libraries/openssl/default.nix
@@ -236,14 +236,11 @@ in { # the permitted insecure version to ensure it gets cached for our users # and backport this to stable release (23.05). openssl_1_1 = common { - version = "1.1.1v"; - sha256 = "sha256-1ml+KHHncjhGBALpNi1H0YOCsV758karpse9eA04prA="; + version = "1.1.1w"; + sha256 = "sha256-zzCYlQy02FOtlcCEHx+cbT3BAtzPys1SHZOSUgi3asg="; patches = [ ./1.1/nix-ssl-cert-file.patch - # https://www.openssl.org/news/secadv/20230908.txt - ./1.1/CVE-2023-4807.patch - (if stdenv.hostPlatform.isDarwin then ./use-etc-ssl-certs-darwin.patch else ./use-etc-ssl-certs.patch) diff --git a/pkgs/top-level/release.nix b/pkgs/top-level/release.nix index a34b7e1ad5484..93f7ec0e8d9d3 100644 --- a/pkgs/top-level/release.nix +++ b/pkgs/top-level/release.nix @@ -26,7 +26,7 @@ # for no real reason. # Remove them for 23.11. "nodejs-16.20.2" - "openssl-1.1.1v" + "openssl-1.1.1w" ]; }; } }: -- cgit 1.4.1
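Review bot: In the `openssl_1_1` patches list of default.nix, `./1.1/CVE-2023-4807.patch` and its advisory link are dropped with nothing on the new side recording why that is safe. Presumably 1.1.1w ships the Poly1305 XMM-register fix upstream (the linked NEWS file should confirm it), so the backport is redundant, but neither the commit message nor the file says so. A one-line comment such as `# CVE-2023-4807 is fixed upstream in 1.1.1w; backport patch dropped` would keep the audit trail for anyone backporting this to 23.05. The `openssl_1_1` attribute set continues outside the hunk.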