Openssl assumes that CFLAGS contains all of the flags that will be
passed to the compiler. This assumption fails for nixpkgs due to
our cc-wrapper.
On mips platforms, openssl scans CFLAGS to see if the user passed a
-march flag; if not, it adds its own:
    if ($target =~ /linux.*-mips/ && !$disabled{asm}
        && !grep { $_ =~ /-m(ips|arch=)/ } (@{$config{CFLAGS}})) {
        # minimally required architecture flags for assembly modules
        my $value;
        $value = '-mips2' if ($target =~ /mips32/);
        $value = '-mips3' if ($target =~ /mips64/);
        unshift @{$config{cflags}}, $value;
        unshift @{$config{cxxflags}}, $value if $config{CXX};
    }
Unfortunately, since nixpkgs adds `-march=` in the wrapper rather
than in CFLAGS, openssl can't see it. The result is two
conflicting `-march=` flags and a build failure when the user has
customized `hostPlatform.gcc.arch`:
    openssl-mips64el-unknown-linux-gnuabin32> mips64el-unknown-linux-gnuabin32-gcc -I. -Iinclude -Iapps/include -fPIC -pthread -mabi=n32 -mips3 -Wa,--noexecstack -Wall -O3 -DOPENSSL_USE_NODELETE -DOPENSSL_PIC -DOPENSSLDIR="\"/nix/store/8kwvrgwdk56ml6sz5swr71fv9mv4592w-openssl-mips64el-unknown-linux-gnuabin32-3.0.9/etc/ssl\"" -DENGINESDIR="\"/nix/store/8kwvrgwdk56ml6sz5swr71fv9mv4592w-openssl-mips64el-unknown-linux-gnuabin32-3.0.9/lib/engines-3\"" -DMODULESDIR="\"/nix/store/8kwvrgwdk56ml6sz5swr71fv9mv4592w-openssl-mips64el-unknown-linux-gnuabin32-3.0.9/lib/ossl-modules\"" -DOPENSSL_BUILDING_OPENSSL -DNDEBUG -MMD -MF apps/lib/libapps-lib-engine.d.tmp -MT apps/lib/libapps-lib-engine.o -c -o apps/lib/libapps-lib-engine.o apps/lib/engine.c
    cc1: error: '-mips3' conflicts with the other architecture options, which specify a mips64r2 processor
    cc1: error: '-mips3' conflicts with the other architecture options, which specify a mips64r2 processor
    make[1]: *** [Makefile:4254: apps/lib/libapps-lib-app_libctx.o] Error 1
    make[1]: *** Waiting for unfinished jobs....
    make[1]: *** [Makefile:4262: apps/lib/libapps-lib-app_params.o] Error 1
    make[1]: *** [Makefile:4270: apps/lib/libapps-lib-app_provider.o] Error 1
This commit defeats the perl code above by passing `CFLAGS=-march`
to openssl's `./Configure` script.
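An added model of the mechanism this commit message describes (example code, not nixpkgs' or OpenSSL's own): it mirrors the Perl check quoted above, assembles the compiler command line the way the commit describes it (wrapper-injected flags invisible to Configure, but still reaching cc1), and shows why passing the full `-march=<arch>` string in CFLAGS stops Configure from adding `-mips3`. The target names, the `mips64r2` value and the wrapper flag list are constructed; treating any two distinct ISA-selecting flags as a conflict is a simplification of what cc1 actually checks.

```python
import re

# Same pattern Configure greps CFLAGS for: -mips* or -march=
CONFIGURE_ARCH_PATTERN = re.compile(r"-m(ips|arch=)")


def openssl_mips_arch_flags(target, configure_cflags, asm_disabled=False):
    """Flags Configure would prepend for this target (model of the Perl block).

    Only linux*-mips targets with assembly enabled are affected, and only when
    no -mips*/-march= flag is visible in the CFLAGS Configure was given.
    """
    if asm_disabled or not re.search(r"linux.*-mips", target):
        return []
    if any(CONFIGURE_ARCH_PATTERN.search(f) for f in configure_cflags):
        return []  # user already chose an architecture; Configure leaves it alone
    value = None
    if re.search(r"mips32", target):
        value = "-mips2"
    if re.search(r"mips64", target):
        value = "-mips3"
    return [value] if value else []


def compiler_argv(target, wrapper_flags, configure_cflags):
    """Model of the final command line reaching cc1.

    Assumption from the commit message: the cc-wrapper injects its own flags
    outside CFLAGS, so Configure never sees them, yet they are still passed
    to the compiler together with whatever Configure decided to add.
    """
    return (list(wrapper_flags)
            + openssl_mips_arch_flags(target, configure_cflags)
            + list(configure_cflags))


def isa_flags(argv):
    """Flags that each pin an ISA level (-mipsN or -march=...)."""
    return [f for f in argv if re.fullmatch(r"-mips\d+|-march=\S+", f)]


def has_isa_conflict(argv):
    """Simplification: two *different* ISA selections is what cc1 rejects;
    the same -march= value repeated is accepted."""
    return len(set(isa_flags(argv))) > 1


def build_argv(target, arch, fixed):
    """Constructed scenario: the wrapper always injects -march=<arch>;
    with fixed=True the same value is also passed as CFLAGS to ./Configure,
    which is what this commit does."""
    wrapper_flags = [f"-march={arch}", "-mabi=n32"]   # constructed wrapper output
    configure_cflags = [f"-march={arch}"] if fixed else []
    return compiler_argv(target, wrapper_flags, configure_cflags)


if __name__ == "__main__":
    for fixed in (False, True):
        argv = build_argv("linux64-mips64", "mips64r2", fixed)
        state = "CONFLICT" if has_isa_conflict(argv) else "ok"
        print(f"fixed={fixed}: {' '.join(argv)} -> {state}")
```

Running it prints the unfixed line carrying both `-march=mips64r2` and `-mips3` (the pair cc1 rejects in the log above), and the fixed line where Configure saw `-march=` in CFLAGS and added nothing.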
We were caching this insecure package as part of a decision during 23.05; we will now cache
openssl-1.1.1u too, as this is now the de-facto OpenSSL package on 23.05, which is EOL.
Replaces the Perl-based c_rehash script with a shell script wrapping `openssl rehash`
with the same functionality.
Fixes: #19965
Supersedes: #156776, #83446
Possibly related to: #157093, #82924
openssl_3, but with an openssl.cnf that enables legacy ciphers.
This way we can migrate away from openssl_1_1 while not breaking
applications relying on deprecated stuff.
https://www.openssl.org/news/secadv/20220705.txt
We already acted on the first public disclosure, so this release removes
the previous patch and upgrades to the release including the fix.
Related: CVE-2022-2274
Fixes: CVE-2022-2097
With their new versioning scheme, OpenSSL have committed[1] to API and
ABI compatibility for the whole 3.x.x release series, so we shouldn't
be overly specific in our attribute name.
[1]: https://www.openssl.org/blog/blog/2018/11/28/version/