From 2fe351c7e31f47400d752a59ab7b1e2e89acf392 Mon Sep 17 00:00:00 2001 From: Eelco Dolstra Date: Thu, 19 Mar 2015 15:57:17 +0100 Subject: [PATCH] openssl: Update to 1.0.1m Fixes various "Moderate" / "Low" CVEs: http://openssl.org/news/secadv_20150319.txt --- .../libraries/openssl/cert-file.patch | 42 +++++++++---------- .../development/libraries/openssl/default.nix | 6 ++- 2 files changed, 24 insertions(+), 24 deletions(-) diff --git a/pkgs/development/libraries/openssl/cert-file.patch b/pkgs/development/libraries/openssl/cert-file.patch index 26b51c0295e..e6e66111201 100644 --- a/pkgs/development/libraries/openssl/cert-file.patch +++ b/pkgs/development/libraries/openssl/cert-file.patch @@ -1,6 +1,6 @@ -diff -ru -x '*~' openssl-1.0.0e-orig/crypto/x509/x509_def.c openssl-1.0.0e/crypto/x509/x509_def.c ---- openssl-1.0.0e-orig/crypto/x509/x509_def.c 1999-09-11 19:54:11.000000000 +0200 -+++ openssl-1.0.0e/crypto/x509/x509_def.c 2011-09-12 18:30:59.386501609 +0200 +diff -ru openssl-1.0.1m-orig/crypto/x509/x509_def.c openssl-1.0.1m/crypto/x509/x509_def.c +--- openssl-1.0.1m-orig/crypto/x509/x509_def.c 2015-03-19 14:19:00.000000000 +0100 ++++ openssl-1.0.1m/crypto/x509/x509_def.c 2015-03-19 15:50:44.676683616 +0100 @@ -57,6 +57,10 @@ */ 
@@ -12,30 +12,28 @@ diff -ru -x '*~' openssl-1.0.0e-orig/crypto/x509/x509_def.c openssl-1.0.0e/crypt #include "cryptlib.h" #include #include -@@ -71,7 +75,25 @@ - { return(X509_CERT_DIR); } +@@ -78,7 +82,23 @@ const char *X509_get_default_cert_file(void) -- { return(X509_CERT_FILE); } -+ { -+ static char buf[PATH_MAX] = X509_CERT_FILE; -+ static int init = 0; -+ if (!init) { -+ init = 1; -+ char * s = getenv("OPENSSL_X509_CERT_FILE"); -+ if (s) { + { +- return (X509_CERT_FILE); ++ static char buf[PATH_MAX] = X509_CERT_FILE; ++ static int init = 0; ++ if (!init) { ++ init = 1; ++ char * s = getenv("OPENSSL_X509_CERT_FILE"); ++ if (s) { +#ifndef OPENSSL_SYS_WINDOWS -+ if (getuid() == geteuid()) { ++ if (getuid() == geteuid()) { +#endif -+ strncpy(buf, s, sizeof(buf)); -+ buf[sizeof(buf) - 1] = 0; ++ strncpy(buf, s, sizeof(buf)); ++ buf[sizeof(buf) - 1] = 0; +#ifndef OPENSSL_SYS_WINDOWS -+ } ++ } +#endif -+ } -+ } -+ return buf; -+ } ++ } ++ } ++ return buf; + } const char *X509_get_default_cert_dir_env(void) - { return(X509_CERT_DIR_EVP); } diff --git a/pkgs/development/libraries/openssl/default.nix b/pkgs/development/libraries/openssl/default.nix index 9a1df52d3f7..7255e91f282 100644 --- a/pkgs/development/libraries/openssl/default.nix +++ b/pkgs/development/libraries/openssl/default.nix @@ -2,7 +2,7 @@ , withCryptodev ? false, cryptodevHeaders }: let - name = "openssl-1.0.1l"; + name = "openssl-1.0.1m"; opensslCrossSystem = stdenv.lib.attrByPath [ "openssl" "system" ] (throw "openssl needs its platform name cross building" null) @@ -18,6 +18,8 @@ let # hardcoding something like /etc/ssl/cert.pem is impure and # cannot be overriden per-process. For security, the # environment variable is ignored for setuid binaries. + # FIXME: drop this patch; it really isn't necessary, because + # OpenSSL already supports a ‘SSL_CERT_FILE’ variable. ./cert-file.patch ] 
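Review bot: The privilege guard in the new X509_get_default_cert_file body, `if (getuid() == geteuid())`, only recognises a setuid transition, so a setgid program (or one that gained privilege some other way) still honours OPENSSL_X509_CERT_FILE and lets the process's CA trust file be pointed elsewhere; at minimum the condition should be `if (getuid() == geteuid() && getgid() == getegid()) {`, and where the platform offers them `secure_getenv()` (glibc) or `issetugid()` (BSD) cover the remaining cases. The `static int init` flag and `buf` are written with no synchronization, so two threads making the first call race on `buf`; whether OpenSSL is reached from several threads here is not visible in the hunk, but the function is a library entry point. `strncpy(buf, s, sizeof(buf))` silently truncates a value longer than PATH_MAX-1 into a different path rather than rejecting it, so checking `strlen(s) < sizeof(buf)` and otherwise leaving the compiled-in X509_CERT_FILE would be the safer failure mode. The function is complete within this hunk.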
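Review bot: The added FIXME says the patch can be dropped because OpenSSL already reads SSL_CERT_FILE, but the comment directly above it gives the patch's purpose as ignoring the variable for setuid binaries, and upstream's SSL_CERT_FILE lookup in this release series does not appear to apply such a check — worth confirming against the upstream source before removing the patch. Suggest recording that caveat so the privilege check is not lost silently, e.g. `# FIXME: drop this patch once upstream's SSL_CERT_FILE handling is confirmed to ignore the variable in setuid/setgid programs.`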
@@ -43,7 +45,7 @@ stdenv.mkDerivation { "http://www.openssl.org/source/${name}.tar.gz" "http://openssl.linux-mirror.org/source/${name}.tar.gz" ]; - sha256 = "1m6i80y9c9g7h4303bqbxnsk5wm6jd0n57hwqr0g4jaxzr44vkxj"; + sha256 = "0x7gvyybmqm4lv62mlhlm80f1rn7il2qh8224rahqv0i15xhnpq9"; }; patches = patchesCross false;