From 0c743ca36f22e962e9b7ab85cc10b1339c0a3e1a Mon Sep 17 00:00:00 2001
From: ajs124
Date: Tue, 11 Oct 2022 16:53:28 +0200
Subject: [PATCH] openssl: 3.0.5 -> 3.0.6

fixes CVE-2022-3358
https://www.openssl.org/news/secadv/20221011.txt
---
.../openssl-disable-kernel-detection.patch | 33 ++++++++++---------
.../development/libraries/openssl/default.nix | 10 +++---
2 files changed, 23 insertions(+), 20 deletions(-)

diff --git a/pkgs/development/libraries/openssl/3.0/openssl-disable-kernel-detection.patch b/pkgs/development/libraries/openssl/3.0/openssl-disable-kernel-detection.patch
index baf162e88d09f..04585565a331a 100644
--- a/pkgs/development/libraries/openssl/3.0/openssl-disable-kernel-detection.patch
+++ b/pkgs/development/libraries/openssl/3.0/openssl-disable-kernel-detection.patch
@@ -1,22 +1,25 @@
diff --git a/Configure b/Configure
-index f0ad787bc4..a48d2008c6 100755
+index a558e5ab1a..9a884f0b0f 100755
--- a/Configure
+++ b/Configure
-@@ -1688,17 +1688,6 @@ unless ($disabled{devcryptoeng}) {
+@@ -1714,20 +1714,6 @@ unless ($disabled{devcryptoeng}) {
+ unless ($disabled{ktls}) {
$config{ktls}="";
- if ($target =~ m/^linux/) {
-- my $usr = "/usr/$config{cross_compile_prefix}";
-- chop($usr);
-- if ($config{cross_compile_prefix} eq "") {
-- $usr = "/usr";
-- }
-- my $minver = (4 << 16) + (13 << 8) + 0;
-- my @verstr = split(" ",`cat $usr/include/linux/version.h | grep LINUX_VERSION_CODE`);
--
-- if ($verstr[2] < $minver) {
+- my $cc = $config{CROSS_COMPILE}.$config{CC};
+- if ($target =~ m/^linux/) {
+- system("printf '#include \n#include ' | $cc -E - >/dev/null 2>&1");
+- if ($? != 0) {
- disable('too-old-kernel', 'ktls');
- }
- } elsif ($target =~ m/^BSD/) {
- my $cc = $config{CROSS_COMPILE}.$config{CC};
- system("printf '#include \n#include ' | $cc -E - >/dev/null 2>&1");
+- } elsif ($target =~ m/^BSD/) {
+- system("printf '#include \n#include ' | $cc -E - >/dev/null 2>&1");
+- if ($? != 0) {
+- disable('too-old-freebsd', 'ktls');
+- }
+- } else {
+- disable('not-linux-or-freebsd', 'ktls');
+- }
+ }
+
+ push @{$config{openssl_other_defines}}, "OPENSSL_NO_KTLS" if ($disabled{ktls});
diff --git a/pkgs/development/libraries/openssl/default.nix b/pkgs/development/libraries/openssl/default.nix
index 78cc680c7be50..af1250af7807a 100644
--- a/pkgs/development/libraries/openssl/default.nix
+++ b/pkgs/development/libraries/openssl/default.nix
@@ -16,14 +16,14 @@ # files.
let
- common = { version, sha256, patches ? [], withDocs ? false, extraMeta ? {} }:
+ common = { version, hash, patches ? [], withDocs ? false, extraMeta ? {} }:
stdenv.mkDerivation rec {
pname = "openssl";
inherit version;
src = fetchurl {
url = "https://www.openssl.org/source/${pname}-${version}.tar.gz";
- inherit sha256;
+ inherit hash;
};
inherit patches;
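Review bot: The new side of the patch also deletes upstream's `} else { disable('not-linux-or-freebsd', 'ktls'); }` fallback (the `+- } else {` and `+- disable('not-linux-or-freebsd', 'ktls');` lines), a branch the old version of the patch shows no trace of, so on a target that is neither Linux nor BSD kTLS is no longer switched off automatically and stays enabled unless it is disabled explicitly at configure time. That widening is recorded nowhere, and the patch file carries no commentary at all; a line before the first `diff --git`, which `git apply` and `patch` treat as free text, such as `Drop upstream's kTLS platform detection (now a $cc -E header probe, previously a read of /usr/include/linux/version.h); nixpkgs decides kTLS support itself, so the Linux, BSD and fallback branches are all removed.`, would give the next updater the reasoning. Note too that the probe being removed has changed shape: 3.0.6 preprocesses the headers with the configured `$cc` instead of running the old `cat $usr/include/linux/version.h | grep` shell pipeline against the host `/usr`, so the original motivation for carrying this patch appears weaker and is worth re-confirming rather than forwarding the patch out of habit.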
@@ -214,7 +214,7 @@ in {
openssl_1_1 = common rec {
version = "1.1.1q";
- sha256 = "sha256-15Oc5hQCnN/wtsIPDi5XAxWKSJpyslB7i9Ub+Mj9EMo=";
+ hash = "sha256-15Oc5hQCnN/wtsIPDi5XAxWKSJpyslB7i9Ub+Mj9EMo=";
patches = [
./1.1/nix-ssl-cert-file.patch
@@ -228,8 +228,8 @@ in {
};
openssl_3 = common {
- version = "3.0.5";
- sha256 = "sha256-qn2Nm+9xrWUlxVuhHl9Dl4ic5Jwsk0nc6m0+TwsCSno=";
+ version = "3.0.6";
+ hash = "sha256-5KEKKYaUXj8aHy69aKx4BEmhdzuWtqF0/fZQ1ryWEfE=";
patches = [
./3.0/nix-ssl-cert-file.patch