;;; GNU Guix --- Functional package management for GNU
;;; Copyright © 2012, 2013, 2014, 2015, 2016, 2017, 2019, 2020 Ludovic Courtès <ludo@gnu.org>
-;;; Copyright © 2014, 2015, 2016, 2017, 2018 Mark H Weaver <mhw@netris.org>
+;;; Copyright © 2014, 2015, 2016, 2017, 2018, 2021 Mark H Weaver <mhw@netris.org>
;;; Copyright © 2014 Ian Denhardt <ian@zenhack.net>
;;; Copyright © 2013, 2015 Andreas Enge <andreas@enge.fr>
;;; Copyright © 2015 David Thompson <davet@gnu.org>
;;; Copyright © 2016 Hartmut Goebel <h.goebel@crazy-compilers.com>
;;; Copyright © 2017 Ricardo Wurmus <rekado@elephly.net>
;;; Copyright © 2017, 2018, 2019, 2020 Marius Bakke <mbakke@fastmail.com>
-;;; Copyright © 2017, 2018, 2019 Tobias Geerinckx-Rice <me@tobias.gr>
+;;; Copyright © 2017–2019, 2021 Tobias Geerinckx-Rice <me@tobias.gr>
;;; Copyright © 2017 Rutger Helling <rhelling@mykolab.com>
;;; Copyright © 2018 Clément Lassieur <clement@lassieur.org>
;;; Copyright © 2019 Mathieu Othacehe <m.othacehe@gmail.com>
(define-public gnutls
(package
(name "gnutls")
- ;; XXX Unversion openconnect's "gnutls" input when ungrafting.
+ (version "3.6.15")
(replacement gnutls/fixed)
- (version "3.6.12")
(source (origin
- (method url-fetch)
- (uri
+ (method url-fetch)
;; Note: Releases are no longer on ftp.gnu.org since the
;; schism (after version 3.1.5).
- (string-append "mirror://gnupg/gnutls/v"
- (version-major+minor version)
- "/gnutls-" version ".tar.xz"))
- (patches (search-patches "gnutls-skip-trust-store-test.patch"))
- (sha256
- (base32
- "0jvca1qahn9lrwv6f5kfs95icirc15b2a8x9fzczyj996ipg3b5z"))))
+ (uri (string-append "mirror://gnupg/gnutls/v"
+ (version-major+minor version)
+ "/gnutls-" version ".tar.xz"))
+ (patches (search-patches "gnutls-skip-trust-store-test.patch"
+ "gnutls-cross.patch"))
+ (sha256
+ (base32
+ "0n0m93ymzd0q9hbknxc2ycanz49sqlkyyf73g9fk7n787llc7a0f"))))
(build-system gnu-build-system)
(arguments
`(#:tests? ,(not (or (%current-target-system)
"debug"
"doc")) ;4.1 MiB of man pages
(native-inputs
- `(,@(if (hurd-target?) '()
+ `(,@(if (%current-target-system) ;for cross-build
+ `(("guile" ,guile-3.0)) ;to create .go files
+ '())
+ ,@(if (hurd-target?)
+ '()
`(("net-tools" ,net-tools)))
("pkg-config" ,pkg-config)
("which" ,which)
(description
"GnuTLS is a secure communications library implementing the SSL, TLS
and DTLS protocols. It is provided in the form of a C library to support the
-protocols, as well as to parse and write X.5009, PKCS 12, OpenPGP and other
+protocols, as well as to parse and write X.509, PKCS #12, OpenPGP and other
required structures.")
(license license:lgpl2.1+)
(properties '((ftp-server . "ftp.gnutls.org")
(ftp-directory . "/gcrypt/gnutls")))))
-;; Replacement package to fix multiple security vulnerabilities.
-(define-public gnutls/fixed
+(define gnutls/fixed
(package
(inherit gnutls)
- (version "3.6.15")
(source (origin
- (method url-fetch)
- (uri (string-append "mirror://gnupg/gnutls/v"
- (version-major+minor version)
- "/gnutls-" version ".tar.xz"))
- (patches (search-patches "gnutls-skip-trust-store-test.patch"
- "gnutls-cross.patch"))
- (sha256
- (base32
- "0n0m93ymzd0q9hbknxc2ycanz49sqlkyyf73g9fk7n787llc7a0f"))))
- (native-inputs
- `(,@(if (%current-target-system) ;for cross-build
- `(("guile" ,guile-3.0)) ;to create .go files
- '())
- ,@(package-native-inputs gnutls)))))
+ (inherit (package-source gnutls))
+ (patches (append (search-patches "gnutls-CVE-2021-20231.patch"
+ "gnutls-CVE-2021-20232.patch")
+ (origin-patches (package-source gnutls))))))))
(define-public gnutls/guile-2.0
;; GnuTLS for Guile 2.0.
;; Authentication of Named Entities. This is required for GNS functionality
;; by GNUnet and gnURL. This is done in an extra package definition
;; to have the choice between GnuTLS with Dane and without Dane.
- (package/inherit gnutls/fixed
+ (package/inherit gnutls
(name "gnutls-dane")
(inputs `(("unbound" ,unbound)
,@(package-inputs gnutls)))))
(define-public guile2.2-gnutls
- (package
- (inherit gnutls)
+ (package/inherit gnutls
(name "guile2.2-gnutls")
(inputs `(("guile" ,guile-2.2)
,@(alist-delete "guile"
(define-public openssl
(package
(name "openssl")
- (version "1.1.1f")
- (replacement openssl-1.1.1i)
+ (replacement openssl/fixed)
+ (version "1.1.1i")
(source (origin
(method url-fetch)
(uri (list (string-append "https://www.openssl.org/source/openssl-"
(string-append "ftp://ftp.openssl.org/source/old/"
(string-trim-right version char-set:letter)
"/openssl-" version ".tar.gz")))
+ (patches (search-patches "openssl-1.1-c-rehash-in.patch"))
(sha256
(base32
- "0d9zv9srjqivs8nn099fpbjv1wyhfcb8lzy491dpmfngdvz6nv0q"))
- (patches (search-patches "openssl-1.1-c-rehash-in.patch"))))
+ "0hjj1phcwkz69lx1lrvr9grhpl4y529mwqycqc1hdla1zqsnmgp8"))))
(build-system gnu-build-system)
(outputs '("out"
"doc" ;6.8 MiB of man3 pages and full HTML documentation
;; PREFIX/ssl. Change that to something more
;; conventional.
(string-append "--openssldir=" out
- "/share/openssl-" ,version)
+ "/share/openssl-"
+ ,(package-version this-package))
(string-append "--prefix=" out)
(string-append "-Wl,-rpath," lib)
;; scripts. Remove them to avoid retaining a reference on Perl.
(let ((out (assoc-ref outputs "out")))
(delete-file-recursively (string-append out "/share/openssl-"
- ,version "/misc"))
+ ,(package-version this-package)
+ "/misc"))
#t))))))
(native-search-paths
(list (search-path-specification
(license license:openssl)
(home-page "https://www.openssl.org/")))
-(define openssl-1.1.1i
+(define-public openssl/fixed
(package
(inherit openssl)
- (version "1.1.1i")
+ (version "1.1.1k")
(source (origin
(method url-fetch)
(uri (list (string-append "https://www.openssl.org/source/openssl-"
(patches (search-patches "openssl-1.1-c-rehash-in.patch"))
(sha256
(base32
- "0hjj1phcwkz69lx1lrvr9grhpl4y529mwqycqc1hdla1zqsnmgp8"))))))
+ "1rdfzcrxy9y38wqdw5942vmdax9hjhgrprzxm42csal7p5shhal9"))))))
(define-public openssl-1.0
(package
(define-public libressl
(package
(name "libressl")
- (version "3.1.4")
+ (version "3.1.5")
(source (origin
(method url-fetch)
(uri (string-append "mirror://openbsd/LibreSSL/"
"libressl-" version ".tar.gz"))
(sha256
(base32
- "1dnbbnr43jashxivnafmh9gnn57c7ayva788ba03z633k6f18k21"))))
+ "1504a1sf43frw43j14pij0q1f48rm5q86ggrlxxhw708qp7ds4rc"))))
(build-system gnu-build-system)
(arguments
- ;; Do as if 'getentropy' was missing since older Linux kernels lack it
- ;; and libc would return ENOSYS, which is not properly handled.
+ ;; Do as if 'getentropy' were missing: Linux kernels before 3.17 lack its
+ ;; underlying 'getrandom' system call and ENOSYS isn't properly handled.
;; See <https://lists.gnu.org/archive/html/guix-devel/2017-04/msg00235.html>.
'(#:configure-flags '("ac_cv_func_getentropy=no"
;; Provide a TLS-enabled netcat.
(package
(name "python-acme")
;; Remember to update the hash of certbot when updating python-acme.
- (version "1.10.1")
+ (version "1.14.0")
(source (origin
(method url-fetch)
(uri (pypi-uri "acme" version))
(sha256
(base32
- "1n1g29f3qzy77xn06dss9nc92wndgm8phgjrvx740sy9xnd5bfzw"))))
+ "0d8wzac7qnsq1kzb67f2a8wi30i4r327y6jmraxqqqj30gxwrnk1"))))
(build-system python-build-system)
(arguments
`(#:phases
(install-file "docs/_build/texinfo/acme-python.info" info)
(install-file "docs/_build/man/acme-python.1" man)
#t))))))
- ;; TODO: Add optional inputs for testing.
(native-inputs
- `(("python-mock" ,python-mock)
- ("python-pytest" ,python-pytest)
+ `(("python-pytest" ,python-pytest)
;; For documentation
("python-sphinx" ,python-sphinx)
("python-sphinxcontrib-programoutput" ,python-sphinxcontrib-programoutput)
("texinfo" ,texinfo)))
(propagated-inputs
`(("python-josepy" ,python-josepy)
- ("python-six" ,python-six)
("python-requests" ,python-requests)
("python-requests-toolbelt" ,python-requests-toolbelt)
("python-pytz" ,python-pytz)
(uri (pypi-uri "certbot" version))
(sha256
(base32
- "1dww9m1a2p3a9vpxs5j29f8cdkqywqb4j70z3cnkpl7017yf77hd"))))
+ "1ss1d1iw7cq8xzg1apydmzv2x5s0p4n74wlpmf7a7p5qdc6ak7lm"))))
(build-system python-build-system)
(arguments
`(,@(substitute-keyword-arguments (package-arguments python-acme)
(install-file "docs/_build/man/certbot.1" man1)
(install-file "docs/_build/man/certbot.7" man7)
#t))))))))
- ;; TODO: Add optional inputs for testing.
(native-inputs
`(("python-mock" ,python-mock)
("python-pytest" ,python-pytest)
("python-distro" ,python-distro)
("python-zope-component" ,python-zope-component)
("python-parsedatetime" ,python-parsedatetime)
- ("python-six" ,python-six)
("python-psutil" ,python-psutil)
("python-requests" ,python-requests)
("python-pytz" ,python-pytz)))
derived from Mozilla's collection.")
(home-page "https://certifi.io")
(license license:mpl2.0))))
+
+(define-public s2n
+ (package
+ (name "s2n")
+ (version "1.0.0")
+ (source (origin
+ (method git-fetch)
+ (uri (git-reference
+ (url (string-append "https://github.com/awslabs/" name))
+ (commit (string-append "v" version))))
+ (file-name (git-file-name name version))
+ (sha256
+ (base32
+ "1q6kmgwb8jxmc4ijzk9pkqzz8lsbfsv9hyzqvy944w7306zx1r5h"))))
+ (build-system cmake-build-system)
+ (arguments
+ '(#:tests? #f ; tests fail to build for static library
+ #:configure-flags
+ '("-DBUILD_TESTING=OFF"
+ "-DBUILD_SHARED_LIBS=ON")))
+ (propagated-inputs
+ `(("openssl" ,openssl)
+ ("openssl:static" ,openssl "static")))
+ (synopsis "SSL/TLS implementation")
+ (description "This library provides a C99 implementation of SSL/TLS.")
+ (home-page "https://github.com/awslabs/s2n")
+ (license license:asl2.0)))