Diffstat (limited to 'gnu/packages/tls.scm')
-rw-r--r--gnu/packages/tls.scm151
1 files changed, 45 insertions, 106 deletions
diff --git a/gnu/packages/tls.scm b/gnu/packages/tls.scm
index 28fe820aa3..297e16dd70 100644
--- a/gnu/packages/tls.scm
+++ b/gnu/packages/tls.scm
@@ -5,7 +5,7 @@
;;; Copyright © 2013, 2015 Andreas Enge <andreas@enge.fr>
;;; Copyright © 2015 David Thompson <davet@gnu.org>
;;; Copyright © 2015, 2016, 2017, 2018, 2019, 2020 Leo Famulari <leo@famulari.name>
-;;; Copyright © 2016, 2017, 2019 Efraim Flashner <efraim@flashner.co.il>
+;;; Copyright © 2016, 2017, 2019, 2021 Efraim Flashner <efraim@flashner.co.il>
;;; Copyright © 2016, 2017, 2018 Nikita <nikita@n0.is>
;;; Copyright © 2016 Hartmut Goebel <h.goebel@crazy-compilers.com>
;;; Copyright © 2017 Ricardo Wurmus <rekado@elephly.net>
@@ -15,6 +15,7 @@
;;; Copyright © 2018 Clément Lassieur <clement@lassieur.org>
;;; Copyright © 2019 Mathieu Othacehe <m.othacehe@gmail.com>
;;; Copyright © 2020 Jan (janneke) Nieuwenhuizen <janneke@gnu.org>
+;;; Copyright © 2020, 2021 Maxim Cournoyer <maxim.cournoyer@gmail.com>
;;; Copyright © 2021 Solene Rapenne <solene@perso.pw>
;;; Copyright © 2021 Brice Waegeneire <brice@waegenei.re>
;;;
@@ -60,6 +61,7 @@
#:use-module (gnu packages linux)
#:use-module (gnu packages ncurses)
#:use-module (gnu packages nettle)
+ #:use-module (gnu packages networking)
#:use-module (gnu packages perl)
#:use-module (gnu packages pkg-config)
#:use-module (gnu packages python)
@@ -75,7 +77,7 @@
(define-public libtasn1
(package
(name "libtasn1")
- (version "4.16.0")
+ (version "4.17.0")
(source
(origin
(method url-fetch)
@@ -83,7 +85,7 @@
version ".tar.gz"))
(sha256
(base32
- "179jskl7dmfp1rd2khkzmlibzgki4wi6hvmmwfv7q49r728b03qf"))))
+ "19a53i1ajs4dd8nnlr2i6gbzvla84ay71g3y1phvh8krx8f5brzc"))))
(build-system gnu-build-system)
(arguments
`(#:configure-flags '("--disable-static")))
@@ -166,8 +168,7 @@ living in the same process.")
(define-public gnutls
(package
(name "gnutls")
- (version "3.6.15")
- (replacement gnutls-3.6.16)
+ (version "3.7.2")
(source (origin
(method url-fetch)
;; Note: Releases are no longer on ftp.gnu.org since the
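Review bot: Dropping `(replacement gnutls-3.6.16)` also retires that package's `build-eccdata-headers` phase (deleted further down in this diff), which existed because the 3.6.16 tarball no longer shipped pre-generated `lib/nettle/ecc/ecc-*.h` and `eccdata.stamp`, so cross builds had to generate them with a native compiler. Nothing equivalent is added to the 3.7.2 definition, so unless the 3.7.2 tarball again includes those files, cross-compilation presumably regresses; worth confirming with a cross build before the workaround is lost. The `gnutls` package form continues beyond this hunk.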
@@ -176,20 +177,20 @@ living in the same process.")
(version-major+minor version)
"/gnutls-" version ".tar.xz"))
(patches (search-patches "gnutls-skip-trust-store-test.patch"
- "gnutls-cross.patch"
- "gnutls-CVE-2021-20231.patch"
- "gnutls-CVE-2021-20232.patch"))
+ "gnutls-cross.patch"))
(sha256
(base32
- "0n0m93ymzd0q9hbknxc2ycanz49sqlkyyf73g9fk7n787llc7a0f"))))
+ "0li7mwjnm64mbxhacz0rpf6i9qd83f53fvbrx96alpqqk9d6qvk4"))))
(build-system gnu-build-system)
(arguments
`(#:tests? ,(not (or (%current-target-system)
(hurd-target?)))
- ;; Ensure we don't keep a reference to net-tools.
- #:disallowed-references ,(if (hurd-target?) '() (list net-tools))
+ ;; Ensure we don't keep a reference to the tools used for testing.
+ #:disallowed-references ,(if (hurd-target?)
+ '()
+ (list net-tools iproute socat))
#:configure-flags
- (list
+ (cons*
;; GnuTLS doesn't consult any environment variables to specify
;; the location of the system-wide trust store. Instead it has a
;; configure-time option. Unless specified, its configure script
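Review bot: The `gnutls-CVE-2021-20231.patch` and `gnutls-CVE-2021-20232.patch` entries are removed here, and the `gnutls-3.6.16` replacement that carried the CVE-2021-20305 fix is deleted elsewhere in this diff, yet nothing in the new code records that 3.7.2 ships those fixes upstream. Presumably it does, but a security-motivated patch removal should be auditable from where the next reader looks; a one-line comment next to the patches, `;; CVE-2021-20231, CVE-2021-20232 and CVE-2021-20305 are fixed upstream in this release.`, or the same sentence in the commit message, would do. The `arguments` form continues past the end of this hunk.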
@@ -210,13 +211,25 @@ living in the same process.")
(string-append "--with-guile-extension-dir="
"$(libdir)/guile/$(GUILE_EFFECTIVE_VERSION)/extensions")
- ;; FIXME: Temporarily disable p11-kit support since it is not
- ;; working on mips64el.
- "--without-p11-kit")
+ (let ((system ,(or (%current-target-system)
+ (%current-system))))
+ (if (string-prefix? "mips64el" system)
+ (list
+ ;; FIXME: Temporarily disable p11-kit support since it is
+ ;; not working on mips64el.
+ "--without-p11-kit")
+ '())))
#:phases (modify-phases %standard-phases
- (add-after
- 'install 'move-doc
+ ;; fastopen.sh fails to connect to the server in the builder
+ ;; environment (see:
+ ;; https://gitlab.com/gnutls/gnutls/-/issues/1095).
+ (add-after 'unpack 'disable-failing-tests
+ (lambda _
+ (substitute* "tests/fastopen.sh"
+ (("^unset RETCODE")
+ "exit 77\n")))) ;skip
+ (add-after 'install 'move-doc
(lambda* (#:key outputs #:allow-other-keys)
;; Copy the 4.1 MiB of section 3 man pages to "doc".
(let* ((out (assoc-ref outputs "out"))
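Review bot: The mips64el branch of the configure flags is decided on the build side — a `let` wrapping a host-side `,(or …)` value followed by a build-time `if` — which is what forced `list` to become `cons*`, while the matching decision for the inputs (later in this diff) is taken on the host side. Splicing on the host side keeps `list` and removes the `let`: `,@(if (string-prefix? "mips64el" (or (%current-target-system) (%current-system))) '("--without-p11-kit") '())`. Separately, `substitute*` does not, to my knowledge, complain when `^unset RETCODE` matches nothing, so if a later fastopen.sh drops that line the skip quietly lapses; a short comment noting that the skip depends on that line would help whoever updates next. The `arguments` form and the `move-doc` phase both continue past this hunk.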
@@ -225,8 +238,7 @@ living in the same process.")
(oldman (string-append out "/share/man/man3")))
(mkdir-p mandir)
(copy-recursively oldman mandir)
- (delete-file-recursively oldman)
- #t))))))
+ (delete-file-recursively oldman)))))))
(outputs '("out" ;4.4 MiB
"debug"
"doc")) ;4.1 MiB of man pages
@@ -236,10 +248,14 @@ living in the same process.")
'())
,@(if (hurd-target?)
'()
- `(("net-tools" ,net-tools)))
+ `(("net-tools" ,net-tools)
+ ("iproute" ,iproute) ;for 'ss'
+ ("socat" ,socat))) ;several tests rely on it
("pkg-config" ,pkg-config)
+ ("texinfo" ,texinfo)
("which" ,which)
- ,@(if (hurd-target?) '()
+ ,@(if (hurd-target?)
+ '()
`(("datefudge" ,datefudge))) ;tests rely on 'datefudge'
("util-linux" ,util-linux))) ;one test needs 'setsid'
(inputs
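Review bot: `texinfo` is the only new native input here without a rationale comment, whereas `iproute`, `socat` and `datefudge` each say what needs them. Presumably it is there for `makeinfo`, but that is not visible from the hunk; `("texinfo" ,texinfo) ;for 'makeinfo'` keeps the list self-explanatory. The `native-inputs` form begins before this hunk.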
@@ -249,7 +265,12 @@ living in the same process.")
`(("libtasn1" ,libtasn1)
("libidn2" ,libidn2)
("nettle" ,nettle)
- ("zlib" ,zlib)))
+ ("zlib" ,zlib)
+ ,@(let ((system (or (%current-target-system)
+ (%current-system))))
+ (if (string-prefix? "mips64el" system)
+ '()
+ `(("p11-kit" ,p11-kit))))))
(home-page "https://www.gnu.org/software/gnutls/")
(synopsis "Transport layer security library")
(description
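Review bot: The mips64el test here must stay exactly in step with the one in `#:configure-flags` earlier in this diff — p11-kit omitted from the inputs precisely when `--without-p11-kit` is passed — yet the predicate is spelled out twice and nothing ties the two together. A small file-level helper, `(define (mips64el-system?) (string-prefix? "mips64el" (or (%current-target-system) (%current-system))))`, used in both places would make the coupling explicit and give the FIXME a single place to be removed from. The `inputs` form begins before this hunk.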
@@ -261,68 +282,6 @@ required structures.")
(properties '((ftp-server . "ftp.gnutls.org")
(ftp-directory . "/gcrypt/gnutls")))))
-;; Replacement package to fix CVE-2021-20305.
-(define gnutls-3.6.16
- (package
- (inherit gnutls)
- (version "3.6.16")
- (source (origin
- (method url-fetch)
- (uri (string-append "mirror://gnupg/gnutls/v"
- (version-major+minor version)
- "/gnutls-" version ".tar.xz"))
- (patches (search-patches "gnutls-skip-trust-store-test.patch"
- "gnutls-cross.patch"))
- (sha256
- (base32
- "1czk511pslz367shf32f2jvvkp7y1323bcv88c2qng98mj0v6y8v"))))
- (arguments
- (if (%current-target-system)
- (substitute-keyword-arguments (package-arguments gnutls)
- ((#:phases phases '%standard-phases)
- `(modify-phases ,phases
- (add-before 'configure 'build-eccdata-headers
- (lambda* (#:key configure-flags #:allow-other-keys)
- ;; Build the 'ecc/eccdata' program using the native
- ;; compiler, not the cross-compiler as happens by default,
- ;; and use it to build lib/nettle/ecc/ecc-*.h. In GnuTLS
- ;; 3.6.15, this was not necessary because the tarball
- ;; contained pre-generated lib/nettle/ecc/ecc-*.h files as
- ;; well as 'ecc/eccdata.stamp'.
- (let ((jobs (number->string (parallel-job-count)))
- (patch (assoc-ref %standard-phases
- 'patch-generated-file-shebangs)))
- (mkdir "+native-build")
- (with-directory-excursion "+native-build"
- ;; Build natively, with the native compiler, GMP, etc.
- (invoke "../configure"
- (string-append "SHELL=" (which "sh"))
- (string-append "CONFIG_SHELL=" (which "sh"))
- "NETTLE_CFLAGS= " "NETTLE_LIBS= "
- "HOGWEED_CFLAGS= " "HOGWEED_LIBS= "
- "LIBTASN1_CFLAGS= " "LIBTASN1_LIBS= "
- "ac_cv_func_nettle_rsa_sec_decrypt=yes"
- "--without-p11-kit" "--disable-guile")
- (patch)
- (invoke "make" "-C" "gl" "-j" jobs)
- (invoke "make" "-C" "lib/nettle" "V=1" "-j" jobs))
-
- ;; Copy the files we obtained during native build.
- (for-each (lambda (file)
- (install-file file "lib/nettle/ecc"))
- (find-files
- "+native-build/lib/nettle/ecc"
- "^(eccdata\\.stamp|ecc-.*\\.h)$"))))))))
- (package-arguments gnutls)))
- (native-inputs
- (if (%current-target-system)
- `(("libtasn1" ,libtasn1) ;for 'ecc/eccdata'
- ("libidn2" ,libidn2)
- ("nettle" ,nettle)
- ("zlib" ,zlib)
- ,@(package-native-inputs gnutls))
- (package-native-inputs gnutls)))))
-
(define-public gnutls/guile-2.0
;; GnuTLS for Guile 2.0.
(package/inherit gnutls
@@ -353,8 +312,7 @@ required structures.")
(define-public openssl
(package
(name "openssl")
- (version "1.1.1j")
- (replacement openssl-1.1.1k)
+ (version "1.1.1k")
(source (origin
(method url-fetch)
(uri (list (string-append "https://www.openssl.org/source/openssl-"
@@ -367,7 +325,7 @@ required structures.")
(patches (search-patches "openssl-1.1-c-rehash-in.patch"))
(sha256
(base32
- "1gw17520vh13izy1xf5q0a2fqgcayymjjj5bk0dlkxndfnszrwma"))))
+ "1rdfzcrxy9y38wqdw5942vmdax9hjhgrprzxm42csal7p5shhal9"))))
(build-system gnu-build-system)
(outputs '("out"
"doc" ;6.8 MiB of man3 pages and full HTML documentation
@@ -488,25 +446,6 @@ required structures.")
(license license:openssl)
(home-page "https://www.openssl.org/")))
-;; Replacement package to fix CVE-2021-3449 and CVE-2021-3450.
-(define openssl-1.1.1k
- (package
- (inherit openssl)
- (version "1.1.1k")
- (source (origin
- (method url-fetch)
- (uri (list (string-append "https://www.openssl.org/source/openssl-"
- version ".tar.gz")
- (string-append "ftp://ftp.openssl.org/source/"
- "openssl-" version ".tar.gz")
- (string-append "ftp://ftp.openssl.org/source/old/"
- (string-trim-right version char-set:letter)
- "/openssl-" version ".tar.gz")))
- (patches (search-patches "openssl-1.1-c-rehash-in.patch"))
- (sha256
- (base32
- "1rdfzcrxy9y38wqdw5942vmdax9hjhgrprzxm42csal7p5shhal9"))))))
-
(define-public openssl-1.0
(package
(inherit openssl)