NixOS · emilazy · Sep 16, 2024 · Aug 22, 2024 · Aug 22, 2024 · Sep 4, 2024
diff --git a/nixos/doc/manual/release-notes/rl-2411.section.md b/nixos/doc/manual/release-notes/rl-2411.section.md
@@ -447,6 +447,8 @@
   and FFmpeg 4 especially should be avoided in favour of newer versions
   as it may be removed soon.
 
+- `openssl` now defaults to the latest version line `3.3.x`, instead of `3.0.x` before. While there should be no major code incompatibilities, newer OpenSSL versions typically strengthen the default security level. This means that you may have to explicitly allow weak ciphers, hashes and key lengths if necessary. See: [OpenSSL security level documentation](https://docs.openssl.org/3.3/man3/SSL_CTX_set_security_level/).
+
 ## Other Notable Changes {#sec-release-24.11-notable-changes}
 
 <!-- To avoid merge conflicts, consider adding your item at an arbitrary place in the list instead. -->

diff --git a/pkgs/development/libraries/openssl/3.3/CVE-2024-5535.patch b/pkgs/development/libraries/openssl/3.3/CVE-2024-5535.patch
diff --git a/pkgs/development/libraries/openssl/default.nix b/pkgs/development/libraries/openssl/default.nix
@@ -25,7 +25,13 @@ let
     inherit version;
 
     src = fetchurl {
-      url = "https://www.openssl.org/source/openssl-${version}.tar.gz";
+      url = if lib.versionOlder version "3.0" then
+        let
+          versionFixed = builtins.replaceStrings ["."] ["_"] version;
+        in
+          "https://github.com/openssl/openssl/releases/download/OpenSSL_${versionFixed}/openssl-${version}.tar.gz"
+      else
+        "https://github.com/openssl/openssl/releases/download/openssl-${version}/openssl-${version}.tar.gz";
       inherit hash;
     };
 
@@ -280,8 +286,8 @@ in {
   };
 
   openssl_3 = common {
-    version = "3.0.14";
-    hash = "sha256-7soDXU3U6E/CWEbZUtpil0hK+gZQpvhMaC453zpBI8o=";
+    version = "3.0.15";
+    hash = "sha256-I8Zm0O3yDxQkmz2PA2isrumrWFsJ4d6CEHxm4fPslTM=";
 
     patches = [
       ./3.0/nix-ssl-cert-file.patch
@@ -290,8 +296,6 @@ in {
       # This patch disables build-time detection.
       ./3.0/openssl-disable-kernel-detection.patch
 
-      ./3.3/CVE-2024-5535.patch
-
       (if stdenv.hostPlatform.isDarwin
        then ./use-etc-ssl-certs-darwin.patch
        else ./use-etc-ssl-certs.patch)
@@ -305,8 +309,8 @@ in {
   };
 
   openssl_3_2 = common {
-    version = "3.2.2";
-    hash = "sha256-GXFJwY2enyksQ/BACsq6EuX1LKz+BQ89GZJ36nOOwuc=";
+    version = "3.2.3";
+    hash = "sha256-UrXxxrgCK8WGjDCMVPt3cF5wLWxvRZT5mg3yFqz0Yjk=";
 
     patches = [
       ./3.0/nix-ssl-cert-file.patch
@@ -315,8 +319,6 @@ in {
       # This patch disables build-time detection.
       ./3.0/openssl-disable-kernel-detection.patch
 
-      ./3.3/CVE-2024-5535.patch
-
       (if stdenv.hostPlatform.isDarwin
        then ./3.2/use-etc-ssl-certs-darwin.patch
        else ./3.2/use-etc-ssl-certs.patch)
@@ -330,8 +332,8 @@ in {
   };
 
   openssl_3_3 = common {
-    version = "3.3.1";
-    hash = "sha256-d3zVlihMiDN1oqehG/XSeG/FQTJV76sgxQ1v/m0CC34=";
+    version = "3.3.2";
+    hash = "sha256-LopAsBl5r+i+C7+z3l3BxnCf7bRtbInBDaEUq1/D0oE=";
 
     patches = [
       ./3.0/nix-ssl-cert-file.patch
@@ -340,8 +342,6 @@ in {
       # This patch disables build-time detection.
       ./3.0/openssl-disable-kernel-detection.patch
 
-      ./3.3/CVE-2024-5535.patch
-
       (if stdenv.hostPlatform.isDarwin
        then ./3.2/use-etc-ssl-certs-darwin.patch
        else ./3.2/use-etc-ssl-certs.patch)

diff --git a/pkgs/development/libraries/tpm2-tss/default.nix b/pkgs/development/libraries/tpm2-tss/default.nix
@@ -1,7 +1,7 @@
 { stdenv, lib, fetchFromGitHub
 , autoreconfHook, autoconf-archive, pkg-config, doxygen, perl
 , openssl, json_c, curl, libgcrypt
-, cmocka, uthash, ibm-sw-tpm2, iproute2, procps, which
+, cmocka, uthash, swtpm, iproute2, procps, which
 , libuuid
 }:
 let
@@ -40,7 +40,7 @@ stdenv.mkDerivation rec {
   ++ lib.optional doInstallCheck cmocka;
 
   nativeInstallCheckInputs = [
-    cmocka which openssl procps_pkg iproute2 ibm-sw-tpm2
+    cmocka which openssl procps_pkg iproute2 swtpm
   ];
 
   strictDeps = true;

diff --git a/pkgs/tools/security/ibm-sw-tpm2/default.nix b/pkgs/tools/security/ibm-sw-tpm2/default.nix
@@ -1,7 +1,6 @@
 { lib
 , stdenv
-, fetchurl
-, fetchpatch
+, fetchFromGitHub
 , openssl
 }:
 let
@@ -12,28 +11,18 @@ let
 in
 stdenv.mkDerivation rec {
   pname = "ibm-sw-tpm2";
-  version = "1682";
+  version = "1682-unstable-2024-08-02";
 
-  src = fetchurl {
-    url = "mirror://sourceforge/ibmswtpm2/ibmtpm${version}.tar.gz";
-    hash = "sha256-PLZC+HGheyPVCwRuX5X0ScIodBX8HnrrS9u4kg28s48=";
+  src = fetchFromGitHub {
+    owner = "kgoldman";
+    repo = "ibmswtpm2";
+    rev = "rev183-2024-08-02";
+    hash = "sha256-D2GAkiePBow2iixYMOOeJrnh5hk2lO07dV++lK4X8qE=";
   };
 
-  patches = [
-    # Backport openssl-3.1 from development branch.
-    # Can be removed with next release.
-    (fetchpatch {
-      name = "openssl-3.1.patch";
-      url = "https://github.com/kgoldman/ibmswtpm2/commit/15501bf4973d334ca9420fa2fb0f0fe1800871e0.patch";
-      includes = [ "TpmToOsslMath.h" ];
-      stripLen = 1;
-      hash = "sha256-8TwyZVy8pQwq5Fl8cy9xJWtdckwL+QK0+DL5EHDLYUY=";
-    })
-  ];
-
   buildInputs = [ openssl ];
 
-  sourceRoot = "src";
+  sourceRoot = "${src.name}/src";
 
   inherit makefile;
 

diff --git a/pkgs/top-level/all-packages.nix b/pkgs/top-level/all-packages.nix
@@ -22889,7 +22889,7 @@ with pkgs;
     inherit (darwin.apple_sdk_11_0.frameworks) Security;
   };
 
-  openssl = openssl_3;
+  openssl = openssl_3_3;
 
   openssl_legacy = openssl.override {
     conf = ../development/libraries/openssl/3.0/legacy.cnf;