openssl: 1.0.2p -> 1.0.2q

CVE-2018-0734: https://www.openssl.org/news/vulnerabilities.html#2018-0734
CVE-2018-5407: https://www.openssl.org/news/vulnerabilities.html#2018-5407

No patches can any longer be shared between 1.0.2 and 1.1, so reorganize
patches into subdirectories (and remove an unused one).

5 files changed, 27 insertions, 21 deletions

diff --git a/pkgs/development/libraries/openssl/1.0.2/nix-ssl-cert-file.patch b/pkgs/development/libraries/openssl/1.0.2/nix-ssl-cert-file.patch
new file mode 100644
index 00000000000..5765409fdd5
--- /dev/null
+++ b/pkgs/development/libraries/openssl/1.0.2/nix-ssl-cert-file.patch
@@ -0,0 +1,16 @@
+diff --git a/crypto/x509/by_file.c b/crypto/x509/by_file.c
+index e6d0e6e1a6..b89456fd87 100644
+--- a/crypto/x509/by_file.c
++++ b/crypto/x509/by_file.c
+@@ -97,7 +97,10 @@ static int by_file_ctrl(X509_LOOKUP *ctx, int cmd, const char *argp,
+     switch (cmd) {
+     case X509_L_FILE_LOAD:
+         if (argl == X509_FILETYPE_DEFAULT) {
+-            file = ossl_safe_getenv(X509_get_default_cert_file_env());
++            file = ossl_safe_getenv("NIX_SSL_CERT_FILE");
++
++            if (!file)
++                file = ossl_safe_getenv(X509_get_default_cert_file_env());
+ 
+             if (file)
+                 ok = (X509_load_cert_crl_file(ctx, file,
diff --git a/pkgs/development/libraries/openssl/use-etc-ssl-certs-darwin.patch b/pkgs/development/libraries/openssl/1.0.2/use-etc-ssl-certs-darwin.patch
index 3d9ee7e6a82..3d9ee7e6a82 100644
--- a/pkgs/development/libraries/openssl/use-etc-ssl-certs-darwin.patch
+++ b/pkgs/development/libraries/openssl/1.0.2/use-etc-ssl-certs-darwin.patch
diff --git a/pkgs/development/libraries/openssl/use-etc-ssl-certs.patch b/pkgs/development/libraries/openssl/1.0.2/use-etc-ssl-certs.patch
index 813c6bdf44a..813c6bdf44a 100644
--- a/pkgs/development/libraries/openssl/use-etc-ssl-certs.patch
+++ b/pkgs/development/libraries/openssl/1.0.2/use-etc-ssl-certs.patch
diff --git a/pkgs/development/libraries/openssl/darwin-arch.patch b/pkgs/development/libraries/openssl/darwin-arch.patch
deleted file mode 100644
index 63db3efc084..00000000000
--- a/pkgs/development/libraries/openssl/darwin-arch.patch
+++ /dev/null
@@ -1,12 +0,0 @@
-diff -ru -x '*~' openssl-1.0.1c-orig/Configure openssl-1.0.1c/Configure
---- openssl-1.0.1c-orig/Configure	2012-03-14 23:20:40.000000000 +0100
-+++ openssl-1.0.1c/Configure	2012-12-18 17:29:30.268090633 +0100
-@@ -579,7 +579,7 @@
- "darwin64-ppc-cc","cc:-arch ppc64 -O3 -DB_ENDIAN::-D_REENTRANT:MACOSX:-Wl,-search_paths_first%:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR:${ppc64_asm}:osx64:dlfcn:darwin-shared:-fPIC -fno-common:-arch ppc64 -dynamiclib:.\$(SHLIB_MAJOR).\$(SHLIB_MINOR).dylib",
- "darwin-i386-cc","cc:-arch i386 -O3 -fomit-frame-pointer -DL_ENDIAN::-D_REENTRANT:MACOSX:-Wl,-search_paths_first%:BN_LLONG RC4_INT RC4_CHUNK DES_UNROLL BF_PTR:".eval{my $asm=$x86_asm;$asm=~s/cast\-586\.o//;$asm}.":macosx:dlfcn:darwin-shared:-fPIC -fno-common:-arch i386 -dynamiclib:.\$(SHLIB_MAJOR).\$(SHLIB_MINOR).dylib",
- "debug-darwin-i386-cc","cc:-arch i386 -g3 -DL_ENDIAN::-D_REENTRANT:MACOSX:-Wl,-search_paths_first%:BN_LLONG RC4_INT RC4_CHUNK DES_UNROLL BF_PTR:${x86_asm}:macosx:dlfcn:darwin-shared:-fPIC -fno-common:-arch i386 -dynamiclib:.\$(SHLIB_MAJOR).\$(SHLIB_MINOR).dylib",
--"darwin64-x86_64-cc","cc:-arch x86_64 -O3 -DL_ENDIAN -Wall::-D_REENTRANT:MACOSX:-Wl,-search_paths_first%:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL:".eval{my $asm=$x86_64_asm;$asm=~s/rc4\-[^:]+//;$asm}.":macosx:dlfcn:darwin-shared:-fPIC -fno-common:-arch x86_64 -dynamiclib:.\$(SHLIB_MAJOR).\$(SHLIB_MINOR).dylib",
-+"darwin64-x86_64-cc","cc:-O3 -DL_ENDIAN -Wall::-D_REENTRANT:MACOSX:-Wl,-search_paths_first%:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL:".eval{my $asm=$x86_64_asm;$asm=~s/rc4\-[^:]+//;$asm}.":macosx:dlfcn:darwin-shared:-fPIC -fno-common:-dynamiclib:.\$(SHLIB_MAJOR).\$(SHLIB_MINOR).dylib",
- "debug-darwin-ppc-cc","cc:-DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DCRYPTO_MDEBUG -DB_ENDIAN -g -Wall -O::-D_REENTRANT:MACOSX::BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR:${ppc32_asm}:osx32:dlfcn:darwin-shared:-fPIC:-dynamiclib:.\$(SHLIB_MAJOR).\$(SHLIB_MINOR).dylib",
- # iPhoneOS/iOS
- "iphoneos-cross","llvm-gcc:-O3 -isysroot \$(CROSS_TOP)/SDKs/\$(CROSS_SDK) -fomit-frame-pointer -fno-common::-D_REENTRANT:iOS:-Wl,-search_paths_first%:BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR:${no_asm}:dlfcn:darwin-shared:-fPIC -fno-common:-dynamiclib:.\$(SHLIB_MAJOR).\$(SHLIB_MINOR).dylib",
diff --git a/pkgs/development/libraries/openssl/default.nix b/pkgs/development/libraries/openssl/default.nix
index 2ad4b8d904b..3e643807f1c 100644
--- a/pkgs/development/libraries/openssl/default.nix
+++ b/pkgs/development/libraries/openssl/default.nix
@@ -15,13 +15,7 @@ let
       inherit sha256;
     };
 
-    patches =
-      (args.patches or [])
-      ++ [ ./nix-ssl-cert-file.patch ]
-      ++ optional (versionOlder version "1.1.0")
-          (if stdenv.hostPlatform.isDarwin then ./use-etc-ssl-certs-darwin.patch else ./use-etc-ssl-certs.patch)
-      ++ optional (versionOlder version "1.0.2" && stdenv.hostPlatform.isDarwin)
-           ./darwin-arch.patch;
+    inherit patches;
 
     postPatch = ''
       patchShebangs Configure
@@ -125,13 +119,21 @@ let
 in {
 
   openssl_1_0_2 = common {
-    version = "1.0.2p";
-    sha256 = "003xh9f898i56344vpvpxxxzmikivxig4xwlm7vbi7m8n43qxaah";
+    version = "1.0.2q";
+    sha256 = "115nisqy7kazbg6br2wrcra9nphyph1l4dgp563b9cf2rv5wyi2p";
+    patches = [
+      ./1.0.2/nix-ssl-cert-file.patch
+
+      (if stdenv.hostPlatform.isDarwin
+       then ./1.0.2/use-etc-ssl-certs-darwin.patch
+       else ./1.0.2/use-etc-ssl-certs.patch)
+    ];
   };
 
   openssl_1_1 = common {
     version = "1.1.1";
     sha256 = "0gbab2fjgms1kx5xjvqx8bxhr98k4r8l2fa8vw7kvh491xd8fdi8";
+    patches = [ ./nix-ssl-cert-file.patch ];
   };
 
 }