
openssl_1_1: 1.1.1l -> 1.1.1m #150733

Merged (1 commit, Dec 21, 2021)

Conversation

mweinelt (Member)

Motivation for this change

Major changes between OpenSSL 1.1.1l and OpenSSL 1.1.1m [14 Dec 2021]

  • None

https://www.openssl.org/news/openssl-1.1.1-notes.html

Things done
  • Built on platform(s)
    • x86_64-linux
    • aarch64-linux
    • x86_64-darwin
    • aarch64-darwin
  • For non-Linux: Is sandbox = true set in nix.conf? (See Nix manual)
  • Tested, as applicable:
  • Tested compilation of all packages that depend on this change using nix-shell -p nixpkgs-review --run "nixpkgs-review rev HEAD". Note: all changes have to be committed, also see nixpkgs-review usage
  • Tested basic functionality of all binary files (usually in ./result/bin/)
  • 22.05 Release Notes (or backporting 21.11 Release notes)
    • (Package updates) Added a release notes entry if the change is major or breaking
    • (Module updates) Added a release notes entry if the change is significant
    • (Module addition) Added a release notes entry if adding a new NixOS module
    • (Release notes changes) Ran nixos/doc/manual/md-to-db.sh to update generated release notes
  • Fits CONTRIBUTING.md.

@mweinelt mweinelt changed the title openssl_1_1: 1.1.1l -> 1.1.1m openssl_1_1: 1.1.1l -> 1.1.1m; openssl_3_0: 3.0.0 -> 3.0.1 Dec 14, 2021
mweinelt (Member, Author) commented Dec 14, 2021

 Changes between 1.1.1l and 1.1.1m [14 Dec 2021]

  *) Avoid loading of a dynamic engine twice.

     [Bernd Edlinger]

  *) Fixed building on Debian with kfreebsd kernels

     [Mattias Ellert]

  *) Prioritise DANE TLSA issuer certs over peer certs

     [Viktor Dukhovni]

  *) Fixed random API for MacOS prior to 10.12

     These MacOS versions don't support the CommonCrypto APIs

     [Lenny Primak]

https://www.openssl.org/news/cl111.txt

@mweinelt mweinelt requested a review from dasJ December 14, 2021 17:55
@mweinelt mweinelt added the 1.severity: security Issues which raise a security issue, or PRs that fix one label Dec 14, 2021
@mweinelt mweinelt requested a review from grahamc December 14, 2021 23:54
@mweinelt mweinelt mentioned this pull request Dec 15, 2021
@mweinelt mweinelt changed the title openssl_1_1: 1.1.1l -> 1.1.1m; openssl_3_0: 3.0.0 -> 3.0.1 openssl_1_1: 1.1.1l -> 1.1.1m Dec 15, 2021
@mweinelt mweinelt removed the 1.severity: security Issues which raise a security issue, or PRs that fix one label Dec 15, 2021
risicle (Contributor) commented Dec 18, 2021

On macos 10.15:

builder for '/nix/store/1i3y3irby62hapfa0ljasld2l12bp40d-openssl-1.1.1m.drv' failed with exit code 1; last 10 log lines:
  applying patch /nix/store/2cqnhs2ds0gn7xrq0zcwbj7gsv6l5xr7-use-etc-ssl-certs-darwin.patch
  patching file include/internal/cryptlib.h
  applying patch /nix/store/zj80b7imvm8s8dsnnnnyyyxmm7bfk0z4-macos-yosemite-compat.patch
  patching file crypto/rand/rand_unix.c
  Reversed (or previously applied) patch detected!  Assume -R? [n]
  Apply anyway? [n]
  Skipping patch.
  2 out of 2 hunks ignored -- saving rejects to file crypto/rand/rand_unix.c.rej
  patching file include/crypto/rand.h
  Hunk #1 succeeded at 30 with fuzz 2 (offset 10 lines).
cannot build derivation '/nix/store/4rjcnjfhj0dgw2rci6m6xz6ckkrd49kk-libkrb5-1.18.drv': 1 dependencies couldn't be built
cannot build derivation '/nix/store/36nnvhpvlxl1n9dp4m6v3biv0ipzq65k-libssh2-1.10.0.drv': 1 dependencies couldn't be built
cannot build derivation '/nix/store/h4lyvmysvf23gj42scxqx0940vdic9rc-nghttp2-1.43.0.drv': 1 dependencies couldn't be built

ofborg appears to have same issue.

risicle (Contributor) commented Dec 18, 2021

☝️ and of course, this corresponds to the entry in the release notes "Fixed random API for MacOS prior to 10.12". Suspect we can drop that patch.

(perhaps conditionally if version >= m? am considering overridden versions...)

patches = [
  ./1.1/nix-ssl-cert-file.patch

  (if stdenv.hostPlatform.isDarwin
   then ./use-etc-ssl-certs-darwin.patch
   else ./use-etc-ssl-certs.patch)
] ++ lib.optionals (stdenv.isDarwin) [
] ++ lib.optionals (stdenv.isDarwin && (builtins.substring 5 5 version) < "m") [
mweinelt (Member, Author):

@risicle PTAL.

Contributor:

Early-stage openssl certainly builds now. Still building the full loop though.

Contributor:

This doesn't take effect without rec after common.

applying patch /nix/store/zj80b7imvm8s8dsnnnnyyyxmm7bfk0z4-macos-yosemite-compat.patch
patching file crypto/rand/rand_unix.c
Reversed (or previously applied) patch detected!  Assume -R? [n] 
Apply anyway? [n] 
Skipping patch.

Just out of curiosity, what does the version here without rec refer to?

Contributor:

It refers to lib.version. with lib; (or with itself) considered harmful.

Contributor:

Created a PR #155079.
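The scoping problem behind the "without rec" remark above, as an added illustration that is not the nixpkgs openssl expression itself: `common` is a hypothetical stand-in for the helper the thread refers to, and the patch path is a placeholder.

```nix
# Added illustration of the `with lib;` / `rec` scoping issue discussed in
# the review thread. `common` is a hypothetical stand-in, not nixpkgs' own.
{ lib }:

# Brings every attribute of lib into scope, including lib.version, the
# nixpkgs release string. Lexical bindings still win over `with`, but an
# attrset without `rec` introduces no lexical bindings for its own names.
with lib;

let
  common = { version, patches ? [ ] }: { inherit version patches; };

  # Without `rec`, `version` inside `patches` does not refer to the sibling
  # attribute "1.1.1m": it falls through to the enclosing scope, where
  # `with lib;` resolves it to lib.version. The condition is then evaluated
  # against whatever nixpkgs release string that happens to hold.
  broken = common {
    version = "1.1.1m";
    patches = lib.optionals ((builtins.substring 5 5 version) < "m") [
      ./macos-yosemite-compat.patch   # placeholder path
    ];
  };

  # With `rec`, `version` is the attrset's own "1.1.1m"; substring 5 5 gives
  # "m", the comparison is false, and the patch is omitted as intended.
  fixed = common rec {
    version = "1.1.1m";
    patches = lib.optionals ((builtins.substring 5 5 version) < "m") [
      ./macos-yosemite-compat.patch   # placeholder path
    ];
  };
in
{
  inherit broken fixed;
}
```

Evaluating `.fixed.patches` with `nix-instantiate --eval --strict` yields an empty list for 1.1.1m, whereas `.broken.patches` depends on lib.version rather than on the package version.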

risicle (Contributor) commented Dec 21, 2021

Have managed to build both the full openssl and the one overridden in nassl on macos 10.15 👍 (cherry-picked to master)

mweinelt (Member, Author):

Okay, let's stage this bad boy!

github-actions (Contributor):

Successfully created backport PR #151497 for staging-21.11.

github-actions (Contributor):

The process '/usr/bin/git' failed with exit code 1
