openssl: 1.0.2p -> 1.0.2q

CVE-2018-0734: https://www.openssl.org/news/vulnerabilities.html#2018-0734 CVE-2018-5407: https://www.openssl.org/news/vulnerabilities.html#2018-5407 No patches can any longer be shared between 1.0.2 and 1.1, so reorganize patches into subdirectories (and remove an unused one).
NixOS · Nov 20, 2018 · ae29a9e · ae29a9e
1 parent ad17b81
commit ae29a9e
Show file tree

Hide file tree

Showing 5 changed files with 27 additions and 21 deletions.
diff --git a/pkgs/development/libraries/openssl/1.0.2/nix-ssl-cert-file.patch b/pkgs/development/libraries/openssl/1.0.2/nix-ssl-cert-file.patch
@@ -0,0 +1,16 @@
+diff --git a/crypto/x509/by_file.c b/crypto/x509/by_file.c
+index e6d0e6e1a6..b89456fd87 100644
+--- a/crypto/x509/by_file.c
++++ b/crypto/x509/by_file.c
+@@ -97,7 +97,10 @@ static int by_file_ctrl(X509_LOOKUP *ctx, int cmd, const char *argp,
+     switch (cmd) {
+     case X509_L_FILE_LOAD:
+         if (argl == X509_FILETYPE_DEFAULT) {
+-            file = ossl_safe_getenv(X509_get_default_cert_file_env());
++            file = ossl_safe_getenv("NIX_SSL_CERT_FILE");
++
++            if (!file)
++                file = ossl_safe_getenv(X509_get_default_cert_file_env());
+
+             if (file)
+                 ok = (X509_load_cert_crl_file(ctx, file,
diff --git a/...es/openssl/use-etc-ssl-certs-darwin.patch → ...nssl/1.0.2/use-etc-ssl-certs-darwin.patch b/...es/openssl/use-etc-ssl-certs-darwin.patch → ...nssl/1.0.2/use-etc-ssl-certs-darwin.patch
diff --git a/...libraries/openssl/use-etc-ssl-certs.patch → ...ies/openssl/1.0.2/use-etc-ssl-certs.patch b/...libraries/openssl/use-etc-ssl-certs.patch → ...ies/openssl/1.0.2/use-etc-ssl-certs.patch
diff --git a/pkgs/development/libraries/openssl/darwin-arch.patch b/pkgs/development/libraries/openssl/darwin-arch.patch
diff --git a/pkgs/development/libraries/openssl/default.nix b/pkgs/development/libraries/openssl/default.nix
@@ -15,13 +15,7 @@ let
       inherit sha256;
     };
 
-    patches =
-      (args.patches or [])
-      ++ [ ./nix-ssl-cert-file.patch ]
-      ++ optional (versionOlder version "1.1.0")
-          (if stdenv.hostPlatform.isDarwin then ./use-etc-ssl-certs-darwin.patch else ./use-etc-ssl-certs.patch)
-      ++ optional (versionOlder version "1.0.2" && stdenv.hostPlatform.isDarwin)
-           ./darwin-arch.patch;
+    inherit patches;
 
     postPatch = ''
       patchShebangs Configure
@@ -125,13 +119,21 @@ let
 in {
 
   openssl_1_0_2 = common {
-    version = "1.0.2p";
-    sha256 = "003xh9f898i56344vpvpxxxzmikivxig4xwlm7vbi7m8n43qxaah";
+    version = "1.0.2q";
+    sha256 = "115nisqy7kazbg6br2wrcra9nphyph1l4dgp563b9cf2rv5wyi2p";
+    patches = [
+      ./1.0.2/nix-ssl-cert-file.patch
+
+      (if stdenv.hostPlatform.isDarwin
+       then ./1.0.2/use-etc-ssl-certs-darwin.patch
+       else ./1.0.2/use-etc-ssl-certs.patch)
+    ];
   };
 
   openssl_1_1 = common {
     version = "1.1.1";
     sha256 = "0gbab2fjgms1kx5xjvqx8bxhr98k4r8l2fa8vw7kvh491xd8fdi8";
+    patches = [ ./nix-ssl-cert-file.patch ];
   };
 
 }