Unverified Commit c5aab69e authored by Fabián Heredia Montiel's avatar Fabián Heredia Montiel Committed by GitHub
Browse files

Merge pull request #254574 from helsinki-systems/upd/openssl_1_1 

openssl_1_1: 1.1.1v -> 1.1.1w
parents fb0fd7a1 93840b48

pkgs/development/libraries/openssl/1.1/CVE-2023-4807.patch

deleted100644 → 0
+0 −44
Original line number Diff line number Diff line 
From 4bfac4471f53c4f74c8d81020beb938f92d84ca5 Mon Sep 17 00:00:00 2001

From: Bernd Edlinger <bernd.edlinger@hotmail.de>

Date: Tue, 22 Aug 2023 16:07:30 +0200

Subject: [PATCH] Avoid clobbering non-volatile XMM registers



This affects some Poly1305 assembler functions

which are only used for certain CPU types.



Remove those functions for Windows targets,

as a simple interim solution.



Fixes #21522



Reviewed-by: Tomas Mraz <tomas@openssl.org>

Reviewed-by: Paul Dale <pauli@openssl.org>

(Merged from https://github.com/openssl/openssl/pull/21808)



(cherry picked from commit 7b8e27bc2e02238986d89ef0ece067ec1b48e165)

---

 crypto/poly1305/asm/poly1305-x86_64.pl | 4 ++--

 1 file changed, 2 insertions(+), 2 deletions(-)



diff --git a/crypto/poly1305/asm/poly1305-x86_64.pl b/crypto/poly1305/asm/poly1305-x86_64.pl

index fa9bfb7a7b81..24bab9d0bcf9 100755

--- a/crypto/poly1305/asm/poly1305-x86_64.pl

+++ b/crypto/poly1305/asm/poly1305-x86_64.pl

@@ -195,7 +195,7 @@ sub poly1305_iteration {

 	bt	\$`5+32`,%r9		# AVX2?

 	cmovc	%rax,%r10

 ___

-$code.=<<___	if ($avx>3);

+$code.=<<___	if ($avx>3 && !$win64);

 	mov	\$`(1<<31|1<<21|1<<16)`,%rax

 	shr	\$32,%r9

 	and	%rax,%r9

@@ -2724,7 +2724,7 @@ sub poly1305_iteration {

 .cfi_endproc

 .size	poly1305_blocks_avx512,.-poly1305_blocks_avx512

 ___

-if ($avx>3) {

+if ($avx>3 && !$win64) {

 ########################################################################

 # VPMADD52 version using 2^44 radix.

 #

pkgs/development/libraries/openssl/default.nix

+2 −5
Original line number Diff line number Diff line
@@ -236,14 +236,11 @@ in { 
  # the permitted insecure version to ensure it gets cached for our users

  # and backport this to stable release (23.05).

  openssl_1_1 = common {

    version = "1.1.1v";

    sha256 = "sha256-1ml+KHHncjhGBALpNi1H0YOCsV758karpse9eA04prA=";

    version = "1.1.1w";

    sha256 = "sha256-zzCYlQy02FOtlcCEHx+cbT3BAtzPys1SHZOSUgi3asg=";

    patches = [

      ./1.1/nix-ssl-cert-file.patch



      # https://www.openssl.org/news/secadv/20230908.txt

      ./1.1/CVE-2023-4807.patch



      (if stdenv.hostPlatform.isDarwin

       then ./use-etc-ssl-certs-darwin.patch

       else ./use-etc-ssl-certs.patch)

pkgs/top-level/release.nix

+1 −1
Original line number Diff line number Diff line
@@ -26,7 +26,7 @@ 
      # for no real reason.

      # Remove them for 23.11.

      "nodejs-16.20.2"

      "openssl-1.1.1v"

      "openssl-1.1.1w"

    ];

  }; }

}: