Merge #139545: libressl: 3.2.5 -> 3.4.0, enable tests

2021-10-17 19:34:59 +02:00 · 2021-10-17 19:34:59 +02:00 · 53eab6a258
parent 96e897e2ae 01cc988d96
commit 53eab6a258
3 changed files with 85 additions and 3 deletions
--- a/pkgs/development/libraries/libressl/CVE-2021-41581.patch
+++ b/pkgs/development/libraries/libressl/CVE-2021-41581.patch
@ -0,0 +1,53 @@
+Based on upstream https://github.com/openbsd/src/commit/62ceddea5b1d64a1a362bbb7071d9e15adcde6b1
+with paths switched to apply to libressl-portable and CVS header
+hunk removed.
+
+--- a/crypto/x509/x509_constraints.c
+++ b/crypto/x509/x509_constraints.c
+@@ -339,16 +339,16 @@
+ 			if (c == '.')
+ 				goto bad;
+ 		}
+-		if (wi > DOMAIN_PART_MAX_LEN)
+-			goto bad;
+ 		if (accept) {
+			if (wi >= DOMAIN_PART_MAX_LEN)
+				goto bad;
+ 			working[wi++] = c;
+ 			accept = 0;
+ 			continue;
+ 		}
+ 		if (candidate_local != NULL) {
+ 			/* We are looking for the domain part */
+-			if (wi > DOMAIN_PART_MAX_LEN)
+			if (wi >= DOMAIN_PART_MAX_LEN)
+ 				goto bad;
+ 			working[wi++] = c;
+ 			if (i == len - 1) {
+@@ -363,7 +363,7 @@
+ 			continue;
+ 		}
+ 		/* We are looking for the local part */
+-		if (wi > LOCAL_PART_MAX_LEN)
+		if (wi >= LOCAL_PART_MAX_LEN)
+ 			break;
+ 
+ 		if (quoted) {
+@@ -383,6 +383,8 @@
+ 			 */
+ 			if (c == 9)
+ 				goto bad;
+			if (wi >= LOCAL_PART_MAX_LEN)
+				goto bad;
+ 			working[wi++] = c;
+ 			continue; /* all's good inside our quoted string */
+ 		}
+@@ -412,6 +414,8 @@
+ 		}
+ 		if (!local_part_ok(c))
+ 			goto bad;
+		if (wi >= LOCAL_PART_MAX_LEN)
+			goto bad;
+ 		working[wi++] = c;
+ 	}
+ 	if (candidate_local == NULL || candidate_domain == NULL)
--- a/pkgs/development/libraries/libressl/default.nix
+++ b/pkgs/development/libraries/libressl/default.nix
@ -1,8 +1,16 @@
-{ stdenv, fetchurl, lib, cmake, cacert, fetchpatch
+{ stdenv
+, fetchurl
+, lib
+, cmake
+, cacert
+, fetchpatch
 , buildShared ? !stdenv.hostPlatform.isStatic
 }:

 let
+  ldLibPathEnvName = if stdenv.isDarwin
+    then "DYLD_LIBRARY_PATH"
+    else "LD_LIBRARY_PATH";

  generic = { version, sha256, patches ? [] }: stdenv.mkDerivation rec {
    pname = "libressl";
@ -42,6 +50,15 @@ let
      substituteInPlace ./tls/tls_config.c --replace '"/etc/ssl/cert.pem"' '"${cacert}/etc/ssl/certs/ca-bundle.crt"'
    '';

+    doCheck = true;
+    preCheck = ''
+      export PREVIOUS_${ldLibPathEnvName}=$${ldLibPathEnvName}
+      export ${ldLibPathEnvName}="$${ldLibPathEnvName}:$(realpath tls/):$(realpath ssl/):$(realpath crypto/)"
+    '';
+    postCheck = ''
+      export ${ldLibPathEnvName}=$PREVIOUS_${ldLibPathEnvName}
+    '';
+
    outputs = [ "bin" "dev" "out" "man" "nc" ];

    postFixup = ''
@ -66,5 +83,15 @@ in {
  libressl_3_2 = generic {
    version = "3.2.5";
    sha256 = "1zkwrs3b19s1ybz4q9hrb7pqsbsi8vxcs44qanfy11fkc7ynb2kr";
+    patches = [
+      ./CVE-2021-41581.patch
+    ];
+  };
+  libressl_3_4 = generic {
+    version = "3.4.0";
+    sha256 = "1lhn76nd59p1dfd27b4636zj6wh3f5xsi8b3sxqnl820imsswbp5";
+    patches = [
+      ./CVE-2021-41581.patch
+    ];
  };
 }
--- a/pkgs/top-level/all-packages.nix
+++ b/pkgs/top-level/all-packages.nix
@ -18689,11 +18689,12 @@ with pkgs;
  openvdb = callPackage ../development/libraries/openvdb {};

  inherit (callPackages ../development/libraries/libressl { })
-    libressl_3_2;
+    libressl_3_2
+    libressl_3_4;

  # Please keep this pointed to the latest version. See also
  # https://discourse.nixos.org/t/nixpkgs-policy-regarding-libraries-available-in-multiple-versions/7026/2
-  libressl = libressl_3_2;
+  libressl = libressl_3_4;

  boringssl = callPackage ../development/libraries/boringssl { };

@ -32755,6 +32756,7 @@ with pkgs;

  wasm-pack = callPackage ../development/tools/wasm-pack {
    inherit (darwin.apple_sdk.frameworks) Security;
+    libressl = libressl_3_2;
  };

  wavegain = callPackage ../applications/audio/wavegain { };