diff --git a/nixos/doc/manual/release-notes/rl-2411.section.md b/nixos/doc/manual/release-notes/rl-2411.section.md index 82cadca537f04..d46f2ba112f62 100644 --- a/nixos/doc/manual/release-notes/rl-2411.section.md +++ b/nixos/doc/manual/release-notes/rl-2411.section.md @@ -447,6 +447,8 @@ and FFmpeg 4 especially should be avoided in favour of newer versions as it may be removed soon. +- `openssl` now defaults to the latest version line `3.3.x`, instead of `3.0.x` before. While there should be no major code incompatibilities, newer OpenSSL versions typically strengthen the default security level. This means that you may have to explicitly allow weak ciphers, hashes and key lengths if necessary. See: [OpenSSL security level documentation](https://docs.openssl.org/3.3/man3/SSL_CTX_set_security_level/). + ## Other Notable Changes {#sec-release-24.11-notable-changes} diff --git a/pkgs/development/libraries/openssl/3.3/CVE-2024-5535.patch b/pkgs/development/libraries/openssl/3.3/CVE-2024-5535.patch deleted file mode 100644 index 2d0f822b25eea..0000000000000 --- a/pkgs/development/libraries/openssl/3.3/CVE-2024-5535.patch +++ /dev/null 
@@ -1,108 +0,0 @@ -From e86ac436f0bd54d4517745483e2315650fae7b2c Mon Sep 17 00:00:00 2001 -From: Matt Caswell -Date: Fri, 31 May 2024 11:14:33 +0100 -Subject: [PATCH] Fix SSL_select_next_proto - -Ensure that the provided client list is non-NULL and starts with a valid -entry. When called from the ALPN callback the client list should already -have been validated by OpenSSL so this should not cause a problem. When -called from the NPN callback the client list is locally configured and -will not have already been validated. Therefore SSL_select_next_proto -should not assume that it is correctly formatted. - -We implement stricter checking of the client protocol list. We also do the -same for the server list while we are about it. - -CVE-2024-5535 - -Reviewed-by: Tomas Mraz -Reviewed-by: Neil Horman -(Merged from https://github.com/openssl/openssl/pull/24716) - -(cherry picked from commit 2ebbe2d7ca8551c4cb5fbb391ab9af411708090e) ---- - ssl/ssl_lib.c | 63 ++++++++++++++++++++++++++++++++------------------- - 1 file changed, 40 insertions(+), 23 deletions(-) - -diff --git a/ssl/ssl_lib.c b/ssl/ssl_lib.c -index 5ec6ac4b63dc5..4c20ac4bf1fe7 100644 ---- a/ssl/ssl_lib.c -+++ b/ssl/ssl_lib.c -@@ -3530,37 +3530,54 @@ int SSL_select_next_proto(unsigned char **out, unsigned char *outlen, - unsigned int server_len, - const unsigned char *client, unsigned int client_len) - { -- unsigned int i, j; -- const unsigned char *result; -- int status = OPENSSL_NPN_UNSUPPORTED; -+ PACKET cpkt, csubpkt, spkt, ssubpkt; -+ -+ if (!PACKET_buf_init(&cpkt, client, client_len) -+ || !PACKET_get_length_prefixed_1(&cpkt, &csubpkt) -+ || PACKET_remaining(&csubpkt) == 0) { -+ *out = NULL; -+ *outlen = 0; -+ return OPENSSL_NPN_NO_OVERLAP; -+ } -+ -+ /* -+ * Set the default opportunistic protocol. Will be overwritten if we find -+ * a match. 
-+ */ -+ *out = (unsigned char *)PACKET_data(&csubpkt); -+ *outlen = (unsigned char)PACKET_remaining(&csubpkt); - - /* - * For each protocol in server preference order, see if we support it. - */ -- for (i = 0; i < server_len;) { -- for (j = 0; j < client_len;) { -- if (server[i] == client[j] && -- memcmp(&server[i + 1], &client[j + 1], server[i]) == 0) { -- /* We found a match */ -- result = &server[i]; -- status = OPENSSL_NPN_NEGOTIATED; -- goto found; -+ if (PACKET_buf_init(&spkt, server, server_len)) { -+ while (PACKET_get_length_prefixed_1(&spkt, &ssubpkt)) { -+ if (PACKET_remaining(&ssubpkt) == 0) -+ continue; /* Invalid - ignore it */ -+ if (PACKET_buf_init(&cpkt, client, client_len)) { -+ while (PACKET_get_length_prefixed_1(&cpkt, &csubpkt)) { -+ if (PACKET_equal(&csubpkt, PACKET_data(&ssubpkt), -+ PACKET_remaining(&ssubpkt))) { -+ /* We found a match */ -+ *out = (unsigned char *)PACKET_data(&ssubpkt); -+ *outlen = (unsigned char)PACKET_remaining(&ssubpkt); -+ return OPENSSL_NPN_NEGOTIATED; -+ } -+ } -+ /* Ignore spurious trailing bytes in the client list */ -+ } else { -+ /* This should never happen */ -+ return OPENSSL_NPN_NO_OVERLAP; - } -- j += client[j]; -- j++; - } -- i += server[i]; -- i++; -+ /* Ignore spurious trailing bytes in the server list */ - } - -- /* There's no overlap between our protocols and the server's list. */ -- result = client; -- status = OPENSSL_NPN_NO_OVERLAP; -- -- found: -- *out = (unsigned char *)result + 1; -- *outlen = result[0]; -- return status; -+ /* -+ * There's no overlap between our protocols and the server's list. We use -+ * the default opportunistic protocol selected earlier -+ */ -+ return OPENSSL_NPN_NO_OVERLAP; - } - - #ifndef OPENSSL_NO_NEXTPROTONEG diff --git a/pkgs/development/libraries/openssl/default.nix b/pkgs/development/libraries/openssl/default.nix index 0f1749b2389bd..0313841dce302 100644 --- a/pkgs/development/libraries/openssl/default.nix +++ b/pkgs/development/libraries/openssl/default.nix 
@@ -25,7 +25,13 @@ let inherit version; src = fetchurl { - url = "https://www.openssl.org/source/openssl-${version}.tar.gz"; + url = if lib.versionOlder version "3.0" then + let + versionFixed = builtins.replaceStrings ["."] ["_"] version; + in + "https://github.com/openssl/openssl/releases/download/OpenSSL_${versionFixed}/openssl-${version}.tar.gz" + else + "https://github.com/openssl/openssl/releases/download/openssl-${version}/openssl-${version}.tar.gz"; inherit hash; }; @@ -280,8 +286,8 @@ in { }; openssl_3 = common { - version = "3.0.14"; - hash = "sha256-7soDXU3U6E/CWEbZUtpil0hK+gZQpvhMaC453zpBI8o="; + version = "3.0.15"; + hash = "sha256-I8Zm0O3yDxQkmz2PA2isrumrWFsJ4d6CEHxm4fPslTM="; patches = [ ./3.0/nix-ssl-cert-file.patch @@ -290,8 +296,6 @@ in { # This patch disables build-time detection. ./3.0/openssl-disable-kernel-detection.patch - ./3.3/CVE-2024-5535.patch - (if stdenv.hostPlatform.isDarwin then ./use-etc-ssl-certs-darwin.patch else ./use-etc-ssl-certs.patch) @@ -305,8 +309,8 @@ in { }; openssl_3_2 = common { - version = "3.2.2"; - hash = "sha256-GXFJwY2enyksQ/BACsq6EuX1LKz+BQ89GZJ36nOOwuc="; + version = "3.2.3"; + hash = "sha256-UrXxxrgCK8WGjDCMVPt3cF5wLWxvRZT5mg3yFqz0Yjk="; patches = [ ./3.0/nix-ssl-cert-file.patch @@ -315,8 +319,6 @@ in { # This patch disables build-time detection. ./3.0/openssl-disable-kernel-detection.patch - ./3.3/CVE-2024-5535.patch - (if stdenv.hostPlatform.isDarwin then ./3.2/use-etc-ssl-certs-darwin.patch else ./3.2/use-etc-ssl-certs.patch) @@ -330,8 +332,8 @@ in { }; openssl_3_3 = common { - version = "3.3.1"; - hash = "sha256-d3zVlihMiDN1oqehG/XSeG/FQTJV76sgxQ1v/m0CC34="; + version = "3.3.2"; + hash = "sha256-LopAsBl5r+i+C7+z3l3BxnCf7bRtbInBDaEUq1/D0oE="; patches = [ ./3.0/nix-ssl-cert-file.patch 
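Review bot: In `pkgs/development/libraries/openssl/default.nix`, the new `url` expression switches between two tag schemes without a comment, and its pre-3.0 branch is the one least likely to be exercised by a normal build. Because `fetchurl` is pinned by `hash`, a tarball already in the store or a binary cache is not fetched again, so a wrong `OpenSSL_${versionFixed}` URL would probably only surface on a clean fetch; it is worth fetching one pre-3.0 source that way. I would add above the `if`: `# Releases before 3.0 are tagged OpenSSL_<version, dots as underscores>; 3.x releases are tagged openssl-<version>.` With the download now coming from GitHub release assets instead of www.openssl.org, the pinned `hash` is the only integrity check, so the three new hashes in the later hunks should be compared against the checksums upstream publishes. The enclosing `common` function starts and ends outside this hunk.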
@@ -340,8 +342,6 @@ in { # This patch disables build-time detection. ./3.0/openssl-disable-kernel-detection.patch - ./3.3/CVE-2024-5535.patch - (if stdenv.hostPlatform.isDarwin then ./3.2/use-etc-ssl-certs-darwin.patch else ./3.2/use-etc-ssl-certs.patch) diff --git a/pkgs/development/libraries/tpm2-tss/default.nix b/pkgs/development/libraries/tpm2-tss/default.nix index 6d3a29c28ba79..e0962119da5b6 100644 --- a/pkgs/development/libraries/tpm2-tss/default.nix +++ b/pkgs/development/libraries/tpm2-tss/default.nix @@ -1,7 +1,7 @@ { stdenv, lib, fetchFromGitHub , autoreconfHook, autoconf-archive, pkg-config, doxygen, perl , openssl, json_c, curl, libgcrypt -, cmocka, uthash, ibm-sw-tpm2, iproute2, procps, which +, cmocka, uthash, swtpm, iproute2, procps, which , libuuid }: let @@ -40,7 +40,7 @@ stdenv.mkDerivation rec { ++ lib.optional doInstallCheck cmocka; nativeInstallCheckInputs = [ - cmocka which openssl procps_pkg iproute2 ibm-sw-tpm2 + cmocka which openssl procps_pkg iproute2 swtpm ]; strictDeps = true; diff --git a/pkgs/tools/security/ibm-sw-tpm2/default.nix b/pkgs/tools/security/ibm-sw-tpm2/default.nix index 76123a7c893fb..8030b5ba15650 100644 --- a/pkgs/tools/security/ibm-sw-tpm2/default.nix +++ b/pkgs/tools/security/ibm-sw-tpm2/default.nix @@ -1,7 +1,6 @@ { lib , stdenv -, fetchurl -, fetchpatch +, fetchFromGitHub , openssl }: let 
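Review bot: In `pkgs/development/libraries/tpm2-tss/default.nix`, `nativeInstallCheckInputs` swaps `ibm-sw-tpm2` for `swtpm` without a comment, so a reader cannot tell whether the simulator-backed install checks still run against the new simulator. The rest of the derivation is outside the hunk; if a configure flag or check script there names the IBM simulator's binary, it would need the same change, otherwise the checks may be skipped without any failure. I would add a comment above the list, for example `# swtpm is the TPM simulator used by the install checks`, and state the reason for the switch next to it.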
@@ -12,28 +11,18 @@ let in stdenv.mkDerivation rec { pname = "ibm-sw-tpm2"; - version = "1682"; + version = "1682-unstable-2024-08-02"; - src = fetchurl { - url = "mirror://sourceforge/ibmswtpm2/ibmtpm${version}.tar.gz"; - hash = "sha256-PLZC+HGheyPVCwRuX5X0ScIodBX8HnrrS9u4kg28s48="; + src = fetchFromGitHub { + owner = "kgoldman"; + repo = "ibmswtpm2"; + rev = "rev183-2024-08-02"; + hash = "sha256-D2GAkiePBow2iixYMOOeJrnh5hk2lO07dV++lK4X8qE="; }; - patches = [ - # Backport openssl-3.1 from development branch. - # Can be removed with next release. - (fetchpatch { - name = "openssl-3.1.patch"; - url = "https://github.com/kgoldman/ibmswtpm2/commit/15501bf4973d334ca9420fa2fb0f0fe1800871e0.patch"; - includes = [ "TpmToOsslMath.h" ]; - stripLen = 1; - hash = "sha256-8TwyZVy8pQwq5Fl8cy9xJWtdckwL+QK0+DL5EHDLYUY="; - }) - ]; - buildInputs = [ openssl ]; - sourceRoot = "src"; + sourceRoot = "${src.name}/src"; inherit makefile; diff --git a/pkgs/top-level/all-packages.nix b/pkgs/top-level/all-packages.nix index c04d093c616a3..8fe90d0d8c5f0 100644 --- a/pkgs/top-level/all-packages.nix +++ b/pkgs/top-level/all-packages.nix @@ -22889,7 +22889,7 @@ with pkgs; inherit (darwin.apple_sdk_11_0.frameworks) Security; }; - openssl = openssl_3; + openssl = openssl_3_3; openssl_legacy = openssl.override { conf = ../development/libraries/openssl/3.0/legacy.cnf;
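Review bot: In `pkgs/tools/security/ibm-sw-tpm2/default.nix`, `rev = "rev183-2024-08-02";` names a tag while `version` is `1682-unstable-2024-08-02`, so the file does not show which commit is built or how `1682` relates to `rev183`. The `hash` still pins the fetched content, so a moved tag would fail the build rather than change it, but a commit id makes the source auditable without trusting the tag. I would write `rev = "<full commit sha of the rev183-2024-08-02 tag>"; # tag: rev183-2024-08-02` and add a one-line comment on the version scheme. The derivation continues outside the hunk.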
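Review bot: In `pkgs/top-level/all-packages.nix`, `openssl_legacy` directly below the changed line still loads `../development/libraries/openssl/3.0/legacy.cnf`, and through `openssl.override` it now applies that file to a 3.3 build. That is probably fine, since the 3.3 package also reuses patches from the `3.0` directory, but the legacy provider should be confirmed to load under 3.3 and the shared path noted in a comment. Separately, 3.0 is an upstream LTS line and 3.3 is not, so the default now follows a shorter support window; I would add `# not an upstream LTS line: move this default before 3.3 reaches end of support` above `openssl = openssl_3_3;`. The `openssl_legacy` definition continues outside the hunk.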