In preparation for the deprecation of `stdenv.isX`.
These shorthands are not conducive to cross-compilation because they
hide the platforms.
Darwin might get cross-compilation, for which the continued usage of `stdenv.isDarwin` will get in the way.
One example of why this is bad and especially affects compiler packages:
https://www.github.com/NixOS/nixpkgs/pull/343059
There are too many files to go through manually but a treewide should
get users thinking when they see a `hostPlatform.isX` in a place where it
doesn't make sense.
```shell
fd --type f "\.nix" | xargs sd --fixed-strings "stdenv.is" "stdenv.hostPlatform.is"
fd --type f "\.nix" | xargs sd --fixed-strings "stdenv'.is" "stdenv'.hostPlatform.is"
fd --type f "\.nix" | xargs sd --fixed-strings "clangStdenv.is" "clangStdenv.hostPlatform.is"
fd --type f "\.nix" | xargs sd --fixed-strings "gccStdenv.is" "gccStdenv.hostPlatform.is"
fd --type f "\.nix" | xargs sd --fixed-strings "stdenvNoCC.is" "stdenvNoCC.hostPlatform.is"
fd --type f "\.nix" | xargs sd --fixed-strings "inherit (stdenv) is" "inherit (stdenv.hostPlatform) is"
fd --type f "\.nix" | xargs sd --fixed-strings "buildStdenv.is" "buildStdenv.hostPlatform.is"
fd --type f "\.nix" | xargs sd --fixed-strings "effectiveStdenv.is" "effectiveStdenv.hostPlatform.is"
fd --type f "\.nix" | xargs sd --fixed-strings "originalStdenv.is" "originalStdenv.hostPlatform.is"
```
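As an added example (not part of the nixpkgs commit above), the same treewide rewrite expressed with `sed -E` for machines without `sd`, together with the check a reviewer wants afterwards: a scan for shorthand uses the rewrite did not touch. The list of stdenv variant names is the one from the commands above; the sample Nix input is constructed, and the helper names `rewrite_stdenv_is` and `find_leftovers` are this example's own.

```shell
#!/bin/sh
# Added example, not part of the nixpkgs commit: a sed -E version of the
# sd-based treewide, plus a check for `stdenv.isX` uses it missed.
# The variant list is the one from the commit; the rest is assumed.
set -eu

# Stdenv variants the treewide rewrites, as an ERE alternation.
STDENV_NAMES="stdenv'?|clangStdenv|gccStdenv|stdenvNoCC|buildStdenv|effectiveStdenv|originalStdenv"

# Read Nix source on stdin, write the rewritten source on stdout.
# The preceding non-identifier character (or line start) is captured so the
# match never lands inside a longer identifier such as `mystdenv`, and since
# `.is` must follow the stdenv name directly, the already-rewritten form
# `stdenv.hostPlatform.isX` is not matched again: running it twice is safe.
rewrite_stdenv_is() {
  sed -E \
    -e "s/(^|[^A-Za-z0-9_'])($STDENV_NAMES)\.is/\1\2.hostPlatform.is/g" \
    -e "s/inherit \(stdenv\) is/inherit (stdenv.hostPlatform) is/g"
}

# Print any remaining shorthand uses (with line numbers) from stdin and
# return 1 if there were any, so the check can gate a CI job; 0 when clean.
find_leftovers() {
  if grep -nE "($STDENV_NAMES)\.is[A-Z]|inherit \(stdenv\) is"; then
    return 1
  fi
  return 0
}

# Constructed sample input (not taken from nixpkgs).
SAMPLE='buildInputs = lib.optionals stdenv.isDarwin [ libiconv ];
inherit (stdenv) isLinux isAarch64;
nativeBuildInputs = lib.optionals stdenvNoCC.isLinux [ patchelf ];
alreadyFixed = stdenv.hostPlatform.isLinux;'

# Rewrite the sample, show the result, then verify nothing was left behind.
demo() {
  rewritten=$(printf '%s\n' "$SAMPLE" | rewrite_stdenv_is)
  printf '%s\n' "$rewritten"
  printf '%s\n' "$rewritten" | find_leftovers
}
demo
```

To apply it to a checkout, pipe each file through `rewrite_stdenv_is` (for example from the same `fd --type f "\.nix"` listing) and run `find_leftovers` over the result; a non-zero exit means a shorthand use survived and should be inspected by hand, which is exactly where `hostPlatform` versus `buildPlatform` needs a human decision.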
OpenSSL used to provide their software downloads on openssl.org.
Now they use links to Github releases.
OpenSSL 1.1.1w is also available at Github, but with a small
difference in the URL scheme.
Signed-off-by: Markus Theil <theil.markus@gmail.com>
This changes openssl to use makeBinaryWrapper since makeWrapper uses a
non-overridable runtimeShell, which causes infinite recursion. That is,
fetchurl in pkgs/top-level/all-packages.nix is bootstrapped by
overriding dependencies to use stdenv.fetchurlBoot.
Upstream commit: https://github.com/openssl/openssl/commit/e86ac436f0
This patch fixes the ALPN negotiation in OpenSSL.
It applies to all used versions >= 3.0, but was taken
from the 3.3 branch. Therefore I added it to the 3.3
directory.
Signed-off-by: Markus Theil <theil.markus@gmail.com>
Changelog: https://github.com/openssl/openssl/blob/openssl-3.2/CHANGES.md#changes-between-321-and-322-4-jun-2024
CVEs fixed:
- Fixed potential use after free after SSL_free_buffers() is called. (CVE-2024-4741)
- Fixed an issue where checking excessively long DSA keys or parameters may be very slow. (CVE-2024-4603)
- Fixed an issue where some non-default TLS server configurations can cause unbounded memory growth when processing TLSv1.3 sessions. An attacker may exploit certain server configurations to trigger unbounded memory growth that would lead to a Denial of Service. (CVE-2024-2511)
Signed-off-by: Markus Theil <theil.markus@gmail.com>
Changelog: https://github.com/openssl/openssl/blob/openssl-3.0/CHANGES.md#changes-between-3013-and-3014-4-jun-2024
CVEs fixed:
- Fixed potential use after free after SSL_free_buffers() is called. (CVE-2024-4741)
- Fixed an issue where checking excessively long DSA keys or parameters may be very slow. (CVE-2024-4603)
- Fixed an issue where some non-default TLS server configurations can cause unbounded memory growth when processing TLSv1.3 sessions. An attacker may exploit certain server configurations to trigger unbounded memory growth that would lead to a Denial of Service. (CVE-2024-2511)
Signed-off-by: Markus Theil <theil.markus@gmail.com>
OpenSSL 3.1 is the most recent release to develop against,
while OpenSSL 3.0 is an LTS release that most developers should
probably choose now (see:
https://github.com/openssl/openssl/issues/20722).
Add OpenSSL 3.1.1 in order to allow development against this
version with Nix.
Currently OpenSSL 3.0 and 3.1 are independent release lines.
Signed-off-by: Markus Theil <theil.markus@gmail.com>