77 lines
3 KiB
Nix
77 lines
3 KiB
Nix
{ lib, stdenv, fetchFromGitLab, cmake }:
|
||
|
||
stdenv.mkDerivation rec {
|
||
pname = "olm";
|
||
version = "3.2.16";
|
||
|
||
src = fetchFromGitLab {
|
||
domain = "gitlab.matrix.org";
|
||
owner = "matrix-org";
|
||
repo = pname;
|
||
rev = version;
|
||
sha256 = "sha256-JX20mpuLO+UoNc8iQlXEHAbH9sfblkBbM1gE27Ve0ac=";
|
||
};
|
||
|
||
nativeBuildInputs = [ cmake ];
|
||
|
||
doCheck = true;
|
||
|
||
postPatch = ''
|
||
substituteInPlace olm.pc.in \
|
||
--replace '$'{exec_prefix}/@CMAKE_INSTALL_LIBDIR@ @CMAKE_INSTALL_FULL_LIBDIR@ \
|
||
--replace '$'{prefix}/@CMAKE_INSTALL_INCLUDEDIR@ @CMAKE_INSTALL_FULL_INCLUDEDIR@
|
||
'';
|
||
|
||
meta = with lib; {
|
||
description = "Implements double cryptographic ratchet and Megolm ratchet";
|
||
homepage = "https://gitlab.matrix.org/matrix-org/olm";
|
||
license = licenses.asl20;
|
||
maintainers = with maintainers; [ tilpner oxzi ];
|
||
knownVulnerabilities = [ ''
|
||
The libolm end‐to‐end encryption library used in many Matrix
|
||
clients and Jitsi Meet has been deprecated upstream, and relies
|
||
on a cryptography library that has known side‐channel issues and
|
||
disclaims that its implementations are not cryptographically secure
|
||
and should not be used when cryptographic security is required.
|
||
|
||
It is not known if the issues can be exploited over the network in
|
||
practical conditions. Upstream does not believe such an attack is
|
||
feasible, but has stated that the library should not be used going
|
||
forward, and there are no plans to move to another cryptography
|
||
implementation or otherwise further maintain the library at all.
|
||
|
||
You should make an informed decision about whether to override this
|
||
security warning, especially if you critically rely on end‐to‐end
|
||
encryption. If you don’t care about that, or don’t use the Matrix
|
||
functionality of a multi‐protocol client depending on libolm,
|
||
then there should be no additional risk.
|
||
|
||
Some clients are investigating migrating away from libolm to maintained
|
||
libraries without known vulnerabilities.
|
||
|
||
For further information, see:
|
||
|
||
* The CVE records for the known vulnerabilities:
|
||
|
||
* CVE-2024-45191
|
||
* CVE-2024-45192
|
||
* CVE-2024-45193
|
||
|
||
* The libolm deprecation notice:
|
||
<https://gitlab.matrix.org/matrix-org/olm/-/blob/6d4b5b07887821a95b144091c8497d09d377f985/README.md#important-libolm-is-now-deprecated>
|
||
|
||
* The warning from the cryptography code used by libolm:
|
||
<https://gitlab.matrix.org/matrix-org/olm/-/blob/6d4b5b07887821a95b144091c8497d09d377f985/lib/crypto-algorithms/README.md>
|
||
|
||
* The blog post disclosing the details of the known vulnerabilities:
|
||
<https://soatok.blog/2024/08/14/security-issues-in-matrixs-olm-library/>
|
||
|
||
* The statement about the deprecation and vulnerabilities from the
|
||
Matrix.org Foundation:
|
||
<https://matrix.org/blog/2024/08/libolm-deprecation/>
|
||
|
||
* A (likely incomplete) aggregation of client tracking issue links:
|
||
<https://github.com/NixOS/nixpkgs/pull/334638#issuecomment-2289025802>
|
||
'' ];
|
||
};
|
||
}
|