authorJohn Kehayias <john.kehayias@protonmail.com>2024-03-31 20:46:45 -0400
committerJohn Kehayias <john.kehayias@protonmail.com>2024-03-31 20:46:45 -0400
commit155f23a52e626e8ac60f818937d5bb1a3ebe3184 (patch)
treea19317812471db31ae2a97844d6cf74e45057466 /gnu/packages/tls.scm
parentd9dee5ea2f564fa6979ae552fd9bd5ac22f86ecc (diff)
parent1cba1f8ce6f84c4737650401c0eb0473a45f9ff7 (diff)
Merge branch 'master' into mesa-updates
Change-Id: I4cd94a58b62d8c3987e4a60c76b37894ad851e35
Diffstat (limited to 'gnu/packages/tls.scm')
-rw-r--r--gnu/packages/tls.scm108
1 files changed, 49 insertions, 59 deletions
diff --git a/gnu/packages/tls.scm b/gnu/packages/tls.scm
index 806a761d9b..2f212e9f90 100644
--- a/gnu/packages/tls.scm
+++ b/gnu/packages/tls.scm
@@ -200,7 +200,7 @@ living in the same process.")
(package
(name "gnutls")
(version "3.7.7")
- (replacement gnutls-3.8.2)
+ (replacement gnutls/fixed)
(source (origin
(method url-fetch)
;; Note: Releases are no longer on ftp.gnu.org since the
@@ -305,11 +305,12 @@ required structures.")
(define-deprecated/public-alias gnutls-latest gnutls)
;; Replacement for gnutls@3.7.7 to address GNUTLS-SA-2020-07-14 /
-;; CVE-2023-0361 and GNUTLS-SA-2023-10-23 / CVE-2023-5981.
-(define gnutls-3.8.2
+;; CVE-2023-0361, GNUTLS-SA-2023-10-23 / CVE-2023-5981, GNUTLS-SA-2024-01-14 /
+;; CVE-2024-0553, and GNUTLS-SA-2024-01-09 / CVE-2024-0567
+(define gnutls/fixed
(package
(inherit gnutls)
- (version "3.8.2")
+ (version "3.8.3")
(source (origin
(method url-fetch)
(uri (string-append "mirror://gnupg/gnutls/v"
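Review bot: The comment above `gnutls/fixed` lists the advisories but does not say why a jump from 3.7.7 to 3.8.3 is acceptable as a graft. Because `replacement` swaps the library underneath dependents that are not rebuilt, the fix rests on 3.8.3 staying ABI-compatible with 3.7.7, and that assumption should be written down. I would add a line such as `;; Grafted onto 3.7.7 dependents: 3.8.3 must stay ABI-compatible; re-check on every bump.` The added comment sentence also lacks its closing period, and the two 2024 advisories are listed out of date order. The package form continues past this hunk; its hash is in the next one.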
@@ -318,7 +319,7 @@ required structures.")
(patches (search-patches "gnutls-skip-trust-store-test.patch"))
(sha256
(base32
- "0xzgmp1ck5ifvdki4jg29r278w2p1m3a0qz38g99v6zsdw0yarg7"))))))
+ "0ghpyhhfa3nsraph6dws50jb3dc8g2cfl7dizdnyrm179fawakzp"))))))
(define-public gnutls/dane
;; GnuTLS with build libgnutls-dane, implementing DNS-based
@@ -335,7 +336,7 @@ required structures.")
;; This package supersedes the Guile bindings that came with GnuTLS until
;; version 3.7.8 included.
(name "guile-gnutls")
- (version "3.7.12")
+ (version "3.7.14")
(home-page "https://gitlab.com/gnutls/guile/")
(source (origin
;; url-fetch is used here to avoid a circular dependency with
@@ -343,12 +344,11 @@ required structures.")
(method url-fetch)
(uri (string-append
"https://gitlab.com/gnutls/guile/uploads/"
- "3fe12c208bdc6155c5116cf5eac7a2ad"
+ "1fdc941351d54cd7affda1bb912b9ca5"
"/guile-gnutls-" version ".tar.gz"))
(sha256
(base32
- "0dp3zsbnwgb4q4p8n6i5vnlwq52v5hp8f5c44ngyag89fcaz2fjx"))
- (patches (search-patches "gnutls-cross.patch"))))
+ "0ldnxq5qxzy92jd8w5c717bgx4038x9qmi43bzl6kmlkzpagqayy"))))
(build-system gnu-build-system)
(arguments
(list
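Review bot: Dropping `(patches (search-patches "gnutls-cross.patch"))` leaves no record of why the cross-compilation patch is no longer needed. Presumably 3.7.14 carries the fix upstream, but nothing in the hunk says so. If no other package references the patch, the file and its registration should be removed in the same change; this view is limited to tls.scm, so that cannot be confirmed here. A short comment next to the opaque upload id in the URL, for example `;; upload id changes with each release; copy it from the release page`, would also help whoever does the next update.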
@@ -973,14 +973,10 @@ correct OpenSSL include path. It is intended for use in your
number generator")
(license license:perl-license)))
-;; The "-apache" variant is the upstreamed prefered variant. A "-gpl"
-;; variant exists in addition to the "-apache" one.
-(define-public mbedtls-apache
+(define-public mbedtls-lts
(package
- (name "mbedtls-apache")
- ;; XXX Check whether ‘-Wformat-signedness’ still breaks mbedtls-for-hiawatha
- ;; when updating.
- (version "2.28.5")
+ (name "mbedtls")
+ (version "2.28.7")
(source
(origin
(method git-fetch)
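Review bot: `mbedtls-lts` is introduced with no comment, while the explanatory comments that sat above `mbedtls-apache` are deleted, so nothing says which upstream branch this variable tracks or why it is kept beside the 3.x package. Both definitions carry `(name "mbedtls")`, so the variable name is the only distinction a reader of this file has. I would add something like `;; 2.28 long-term-support branch, kept for dependents not yet ported to the 3.x API.` above the definition, assuming that is the intent, plus a note to drop it once upstream stops shipping security fixes for that branch. The package body continues outside this hunk.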
@@ -989,17 +985,17 @@ number generator")
(commit (string-append "mbedtls-" version))))
(file-name (git-file-name name version))
(sha256
- (base32 "1jlkvvyigpjvv404b8vmx68f1v6g1h2zr6rd78dhc0xgqi018phs"))))
+ (base32 "070i5pxciw04swfqk1rmdprhsafn4cias3dlmkm467pqpjnhb394"))))
(build-system cmake-build-system)
(arguments
- `(#:configure-flags
- (list "-DUSE_SHARED_MBEDTLS_LIBRARY=ON"
- "-DUSE_STATIC_MBEDTLS_LIBRARY=OFF")
- #:phases
- (modify-phases %standard-phases
- (add-after 'unpack 'make-source-writable
- (lambda _
- (for-each make-file-writable (find-files ".")))))))
+ (list #:configure-flags
+ #~(list "-DUSE_SHARED_MBEDTLS_LIBRARY=ON"
+ "-DUSE_STATIC_MBEDTLS_LIBRARY=OFF")
+ #:phases
+ #~(modify-phases %standard-phases
+ (add-after 'unpack 'make-source-writable
+ (lambda _
+ (for-each make-file-writable (find-files ".")))))))
(native-inputs
(list perl python))
(synopsis "Small TLS library")
@@ -1009,47 +1005,41 @@ for developers to include cryptographic and SSL/TLS capabilities in their
(embedded) products, facilitating this functionality with a minimal
coding footprint.")
(home-page "https://www.trustedfirmware.org/projects/mbed-tls/")
- (license license:asl2.0)))
+ (license (list license:asl2.0 license:gpl2+)))) ;dual licensed
+
+(define-public mbedtls
+ (package
+ (inherit mbedtls-lts)
+ (name "mbedtls")
+ (version "3.5.2")
+ (source (origin
+ (method git-fetch)
+ (uri (git-reference
+ (url "https://github.com/ARMmbed/mbedtls")
+ (commit (string-append "mbedtls-" version))))
+ (file-name (git-file-name name version))
+ (sha256
+ (base32
+ "1wsjrx98h74q0q4zqwsghiqvjz4aqgvigpxb9f8xjw0w4sfsclcm"))))))
+
+(define-public mbedtls-apache
+ (deprecated-package "mbedtls-apache" mbedtls-lts))
;; The Hiawatha Web server requires some specific features to be enabled.
(define-public mbedtls-for-hiawatha
(hidden-package
(package
- (inherit mbedtls-apache)
- (name "mbedtls-apache")
- (version "2.26.0")
- (source
- (origin
- (method git-fetch)
- (uri (git-reference
- (url "https://github.com/ARMmbed/mbedtls")
- (commit (string-append "mbedtls-" version))))
- (sha256
- (base32 "0scwpmrgvg6q7rvqkc352d2fqlsx0aylcbyibcp1f1rsn8iiif2m"))
- (file-name (git-file-name name version))
- (modules '((guix build utils)))
- (snippet
- '(begin
- ;; Can be removed with the next version.
- ;; Reduce level of format truncation warnings due to false positives.
- ;; https://github.com/ARMmbed/mbedtls/commit/2065a8d8af27c6cb1e40c9462b5933336dca7434
- (substitute* "CMakeLists.txt"
- (("Wformat-truncation=2") "Wformat-truncation"))
- #t))))
+ (inherit mbedtls-lts)
(arguments
- (substitute-keyword-arguments (package-arguments mbedtls-apache)
+ (substitute-keyword-arguments (package-arguments mbedtls-lts)
((#:phases phases)
- `(modify-phases ,phases
- (add-before 'configure 'configure-extra-features
- (lambda _
- (for-each (lambda (feature)
- (invoke "scripts/config.pl" "set" feature))
- (list "MBEDTLS_THREADING_C"
- "MBEDTLS_THREADING_PTHREAD"))
- ;; XXX The above enables code that breaks with -Werror…
- (substitute* "CMakeLists.txt"
- ((" -Wformat-signedness") ""))
- #t)))))))))
+ #~(modify-phases #$phases
+ (add-before 'configure 'configure-extra-features
+ (lambda _
+ (for-each (lambda (feature)
+ (invoke "scripts/config.pl" "set" feature))
+ (list "MBEDTLS_THREADING_C"
+ "MBEDTLS_THREADING_PTHREAD")))))))))))
(define-public dehydrated
(package
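Review bot: In `mbedtls-for-hiawatha` the `configure-extra-features` phase still turns on `MBEDTLS_THREADING_C` and `MBEDTLS_THREADING_PTHREAD`, but the `substitute*` that stripped ` -Wformat-signedness` is gone. The removed XXX comments said the threading code breaks under -Werror and asked for exactly this to be re-checked on update. The variant also moves silently from the pinned 2.26.0 source to the inherited 2.28.7 one. If the build has been verified, record it in the phase, e.g. `;; -Wformat-signedness workaround no longer needed as of 2.28.7.`; otherwise the workaround should stay. Separately, `(name "mbedtls")` in the new `mbedtls` package is redundant because it is inherited from `mbedtls-lts`.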