;;; GNU Guix --- Functional package management for GNU
;;; Copyright © 2012, 2013, 2014, 2015, 2016, 2017 Ludovic Courtès <ludo@gnu.org>
-;;; Copyright © 2014, 2015, 2016, 2017 Mark H Weaver <mhw@netris.org>
+;;; Copyright © 2014, 2015, 2016, 2017, 2018 Mark H Weaver <mhw@netris.org>
;;; Copyright © 2014 Ian Denhardt <ian@zenhack.net>
;;; Copyright © 2013, 2015 Andreas Enge <andreas@enge.fr>
;;; Copyright © 2015 David Thompson <davet@gnu.org>
-;;; Copyright © 2015, 2016, 2017 Leo Famulari <leo@famulari.name>
+;;; Copyright © 2015, 2016, 2017, 2018 Leo Famulari <leo@famulari.name>
;;; Copyright © 2016, 2017 Efraim Flashner <efraim@flashner.co.il>
-;;; Copyright © 2016, 2017 ng0 <contact.ng0@cryptolab.net>
+;;; Copyright © 2016, 2017 ng0 <ng0@infotropique.org>
;;; Copyright © 2016 Hartmut Goebel <h.goebel@crazy-compilers.com>
;;; Copyright © 2017 Ricardo Wurmus <rekado@elephly.net>
;;; Copyright © 2017 Marius Bakke <mbakke@fastmail.com>
+;;; Copyright © 2017 Tobias Geerinckx-Rice <me@tobias.gr>
+;;; Copyright © 2017 Rutger Helling <rhelling@mykolab.com>
;;;
;;; This file is part of GNU Guix.
;;;
#:use-module (guix build-system perl)
#:use-module (guix build-system python)
#:use-module (guix build-system cmake)
+ #:use-module (guix build-system haskell)
#:use-module (gnu packages compression)
#:use-module (gnu packages)
+ #:use-module (gnu packages check)
+ #:use-module (gnu packages dns)
#:use-module (gnu packages guile)
+ #:use-module (gnu packages haskell)
+ #:use-module (gnu packages haskell-check)
+ #:use-module (gnu packages haskell-crypto)
#:use-module (gnu packages libbsd)
#:use-module (gnu packages libffi)
#:use-module (gnu packages libidn)
#:use-module (gnu packages perl)
#:use-module (gnu packages pkg-config)
#:use-module (gnu packages python)
+ #:use-module (gnu packages python-crypto)
+ #:use-module (gnu packages python-web)
#:use-module (gnu packages texinfo)
+ #:use-module (gnu packages time)
#:use-module (gnu packages base)
#:use-module (srfi srfi-1))
(define-public libtasn1
(package
(name "libtasn1")
- (version "4.12")
- (replacement libtasn1/fixed)
+ (version "4.13")
(source
(origin
(method url-fetch)
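Review bot: Dropping `(replacement libtasn1/fixed)` here, together with the `libtasn1/fixed` definition removed further down, means `libtasn1-CVE-2017-10790.patch` is no longer applied anywhere in this file; that is only safe if 4.13 already carries the upstream fix, which cannot be confirmed from the diff, so the commit message should say so explicitly. If the patch is now unused it should also be dropped from the patch list and the patch file deleted, otherwise it lingers as dead weight that a later reader may assume is still in effect. Since libtasn1 is no longer grafted, every dependent (p11-kit, gnutls, and so on) is rebuilt rather than patched in place; presumably that is intended for this branch.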
version ".tar.gz"))
(sha256
(base32
- "0ls7jdq3y5fnrwg0pzhq11m21r8pshac2705bczz6mqjc8pdllv7"))))
+ "1jlc1iahj8k3haz28j55nzg7sgni5h41vqy461i1bpbx6668wlky"))))
(build-system gnu-build-system)
(native-inputs `(("perl" ,perl)))
(home-page "https://www.gnu.org/software/libtasn1/")
specifications.")
(license license:lgpl2.0+)))
-(define libtasn1/fixed
- (package
- (inherit libtasn1)
- (source (origin
- (inherit (package-source libtasn1))
- (patches (search-patches "libtasn1-CVE-2017-10790.patch"))))))
-
(define-public asn1c
(package
(name "asn1c")
(define-public p11-kit
(package
(name "p11-kit")
- (version "0.23.7")
+ (version "0.23.10")
(source
(origin
(method url-fetch)
"download/" version "/p11-kit-" version ".tar.gz"))
(sha256
(base32
- "0hdy4h8byvcvd4av504xqfqyd1h6xy914j034mq3c6v4ya37r3lq"))))
+ "0hxfwnyb5yllvlsh0cj6favcph36gm94b6df7zhl7xay48zjl8gr"))))
(build-system gnu-build-system)
(native-inputs
`(("pkg-config" ,pkg-config)))
("libtasn1" ,libtasn1)))
(arguments
`(#:configure-flags '("--without-trust-paths")))
- (home-page "http://p11-glue.freedesktop.org/p11-kit.html")
+ (home-page "https://p11-glue.freedesktop.org/p11-kit.html")
(synopsis "PKCS#11 library")
(description
"p11-kit provides a way to load and enumerate PKCS#11 modules. It
living in the same process.")
(license license:bsd-3)))
-
-;; TODO Add net-tools-for-tests to #:disallowed-references when we can afford
-;; rebuild GnuTLS (i.e. core-updates).
(define-public gnutls
(package
(name "gnutls")
- (version "3.5.13")
+ (version "3.5.18")
(source (origin
(method url-fetch)
(uri
"gnutls-skip-pkgconfig-test.patch"))
(sha256
(base32
- "15ihq6p0hnnhs8cnjrkj40dmlcaa1jjg8xg0g2ydbnlqs454ixbr"))))
+ "0d02x28fwkkx7xzn7807nww6idchizzq3plx8sfcyiw7wzclh8mf"))))
(build-system gnu-build-system)
(arguments
- '(#:configure-flags
+ `(; Ensure we don't keep a reference to this buggy software.
+ #:disallowed-references (,net-tools)
+ #:configure-flags
(list
;; GnuTLS doesn't consult any environment variables to specify
;; the location of the system-wide trust store. Instead it has a
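Review bot: The new `; Ensure we don't keep a reference to this buggy software.` comment uses a single `;`, which this file otherwise reserves for margin comments, and does not say why net-tools could end up referenced at all. A full-line `;;` comment stating the reason reads better, e.g. `;; net-tools is only needed by the test suite; make sure no output keeps a reference to it.` Note that `#:disallowed-references` is a build-time check on the outputs, not a change to what is available during the build, so the test suite still sees net-tools. The `arguments` form continues outside the hunk.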
"debug"
"doc")) ;4.1 MiB of man pages
(native-inputs
- `(("net-tools" ,net-tools-for-tests)
+ `(("net-tools" ,net-tools)
("pkg-config" ,pkg-config)
("which" ,which)))
(inputs
(inputs `(("guile" ,guile-2.0)
,@(alist-delete "guile" (package-inputs gnutls))))))
+(define-public gnutls/dane
+ ;; GnuTLS with build libgnutls-dane, implementing DNS-based
+ ;; Authentication of Named Entities. This is required for GNS functionality
+ ;; by GNUnet and gnURL. This is done in an extra package definition
+ ;; to have the choice between GnuTLS with Dane and without Dane.
+ (package
+ (inherit gnutls)
+ (name "gnutls-dane")
+ (inputs `(("unbound" ,unbound)
+ ,@(package-inputs gnutls)))))
+
(define-public openssl
(package
(name "openssl")
- (version "1.0.2l")
+ (version "1.0.2n")
(source (origin
(method url-fetch)
- (uri (list (string-append "ftp://ftp.openssl.org/source/"
+ (uri (list (string-append "https://www.openssl.org/source/openssl-"
+ version ".tar.gz")
+ (string-append "ftp://ftp.openssl.org/source/"
name "-" version ".tar.gz")
(string-append "ftp://ftp.openssl.org/source/old/"
(string-trim-right version char-set:letter)
"/" name "-" version ".tar.gz")))
(sha256
(base32
- "037kvpisc6qh5dkppcwbm5bg2q800xh2hma3vghz8xcycmdij1yf"))
+ "1zm82pyq5a9jm10q6iv7d3dih3xwjds4x30fqph3k317byvsn2rp"))
(snippet
'(begin
;; Remove ELF files. 'substitute*' can't read them.
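Review bot: `gnutls/dane` inherits `synopsis` and `description` unchanged from `gnutls`, so package searches will show two entries with identical text; a one-line `(synopsis "GnuTLS with DANE (libgnutls-dane) support")` would distinguish them. The leading comment is hard to parse (`GnuTLS with build libgnutls-dane`); I would rewrite it as `;; GnuTLS built with libgnutls-dane, which implements DANE (DNS-based Authentication of Named Entities) on top of libunbound; kept as a separate package so users can choose GnuTLS with or without the unbound dependency.` Adding unbound to `inputs` is presumably enough for configure to detect libunbound and build the DANE library, but nothing in the diff passes an explicit configure flag, so that should be verified against the build log before relying on it. The openssl part of this hunk raises nothing: the https URL is now tried first and the sha256 pins the tarball whichever mirror serves it.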
'configure
(lambda* (#:key outputs #:allow-other-keys)
(let ((out (assoc-ref outputs "out")))
- (zero?
- (system* "./config"
- "shared" ;build shared libraries
- "--libdir=lib"
-
- ;; The default for this catch-all directory is
- ;; PREFIX/ssl. Change that to something more
- ;; conventional.
- (string-append "--openssldir=" out
- "/share/openssl-" ,version)
-
- (string-append "--prefix=" out)
-
- ;; XXX FIXME: Work around a code generation bug in GCC
- ;; 4.9.3 on ARM when compiled with -mfpu=neon. See:
- ;; <https://gcc.gnu.org/bugzilla/show_bug.cgi?id=66917>
- ,@(if (and (not (%current-target-system))
- (string-prefix? "armhf" (%current-system)))
- '("-mfpu=vfpv3")
- '()))))))
+ (invoke "./config"
+ "shared" ;build shared libraries
+ "--libdir=lib"
+
+ ;; The default for this catch-all directory is
+ ;; PREFIX/ssl. Change that to something more
+ ;; conventional.
+ (string-append "--openssldir=" out
+ "/share/openssl-" ,version)
+
+ (string-append "--prefix=" out)
+
+ ;; XXX FIXME: Work around a code generation bug in GCC
+ ;; 4.9.3 on ARM when compiled with -mfpu=neon. See:
+ ;; <https://gcc.gnu.org/bugzilla/show_bug.cgi?id=66917>
+ ,@(if (and (not (%current-target-system))
+ (string-prefix? "armhf" (%current-system)))
+ '("-mfpu=vfpv3")
+ '())))))
(add-after
'install 'make-libraries-writable
(lambda* (#:key outputs #:allow-other-keys)
,version "/misc"))
#t))))))
(native-search-paths
- ;; FIXME: These two variables must designate a single file or directory
- ;; and are not actually "search paths." In practice it works OK in user
- ;; profiles because there's always just one item that matches the
- ;; specification.
(list (search-path-specification
(variable "SSL_CERT_DIR")
+ (separator #f) ;single entry
(files '("etc/ssl/certs")))
(search-path-specification
(variable "SSL_CERT_FILE")
+ (file-type 'regular)
+ (separator #f) ;single entry
(files '("etc/ssl/certs/ca-certificates.crt")))))
(synopsis "SSL/TLS implementation")
(description
"OpenSSL is an implementation of SSL/TLS.")
(license license:openssl)
- (home-page "http://www.openssl.org/")))
+ (home-page "https://www.openssl.org/")))
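Review bot: The four-line FIXME explaining why `SSL_CERT_DIR` and `SSL_CERT_FILE` are not real search paths is dropped, and the `;single entry` margin notes are the only hint left for the next reader; a short lead-in such as `;; Both variables designate exactly one file or directory, hence separator #f.` before the list would preserve the rationale. `SSL_CERT_DIR` gets no explicit `(file-type 'directory)` while `SSL_CERT_FILE` gets `(file-type 'regular)`; presumably directory is the default, but stating it would make the pair symmetric and the intent obvious.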
(define-public openssl-next
(package
(inherit openssl)
(name "openssl")
- (version "1.1.0f")
+ (version "1.1.0g")
(source (origin
(method url-fetch)
- (uri (list (string-append "ftp://ftp.openssl.org/source/"
+ (uri (list (string-append "https://www.openssl.org/source/openssl-"
+ version ".tar.gz")
+ (string-append "ftp://ftp.openssl.org/source/"
name "-" version ".tar.gz")
(string-append "ftp://ftp.openssl.org/source/old/"
(string-trim-right version char-set:letter)
(patches (search-patches "openssl-1.1.0-c-rehash-in.patch"))
(sha256
(base32
- "0r97n4n552ns571diz54qsgarihrxvbn7kvyv8wjyfs9ybrldxqj"))))
+ "1bvka2wf33w2vxv7yw578nnjqyhz2b3chvfb0l4k2ffscw950kfy"))))
(outputs '("out"
"doc" ;1.3MiB of man3 pages
"static")) ; 5.5MiB of .a files
(lambda* (#:key outputs #:allow-other-keys)
(let* ((out (assoc-ref outputs "out"))
(lib (string-append out "/lib")))
- (zero?
- (system* "./config"
- "shared" ;build shared libraries
- "--libdir=lib"
-
- ;; The default for this catch-all directory is
- ;; PREFIX/ssl. Change that to something more
- ;; conventional.
- (string-append "--openssldir=" out
- "/share/openssl-" ,version)
-
- (string-append "--prefix=" out)
- (string-append "-Wl,-rpath," lib)
-
- ;; XXX FIXME: Work around a code generation bug in GCC
- ;; 4.9.3 on ARM when compiled with -mfpu=neon. See:
- ;; <https://gcc.gnu.org/bugzilla/show_bug.cgi?id=66917>
- ,@(if (and (not (%current-target-system))
- (string-prefix? "armhf" (%current-system)))
- '("-mfpu=vfpv3")
- '()))))))
+ (invoke "./config"
+ "shared" ;build shared libraries
+ "--libdir=lib"
+
+ ;; The default for this catch-all directory is
+ ;; PREFIX/ssl. Change that to something more
+ ;; conventional.
+ (string-append "--openssldir=" out
+ "/share/openssl-" ,version)
+
+ (string-append "--prefix=" out)
+ (string-append "-Wl,-rpath," lib)
+
+ ;; XXX FIXME: Work around a code generation bug in GCC
+ ;; 4.9.3 on ARM when compiled with -mfpu=neon. See:
+ ;; <https://gcc.gnu.org/bugzilla/show_bug.cgi?id=66917>
+ ,@(if (and (not (%current-target-system))
+ (string-prefix? "armhf" (%current-system)))
+ '("-mfpu=vfpv3")
+ '())))))
;; XXX: Duplicate this phase to make sure 'version' evaluates
;; in the current scope and not the inherited one.
(define-public libressl
(package
(name "libressl")
- (version "2.5.5")
+ (version "2.6.4")
(source (origin
(method url-fetch)
(uri (string-append "mirror://openbsd/LibreSSL/"
name "-" version ".tar.gz"))
(sha256
(base32
- "1i77viqy1afvbr392npk9v54k9zhr9zq2vhv6pliza22b0ymwzz5"))))
+ "07yi37a2ghsgj2b4w30q1s4d2inqnix7ika1m21y57p9z71212k3"))))
(build-system gnu-build-system)
(arguments
;; Do as if 'getentropy' was missing since older Linux kernels lack it
(package
(name "python-acme")
;; Remember to update the hash of certbot when updating python-acme.
- (version "0.16.0")
+ (version "0.22.0")
(source (origin
(method url-fetch)
(uri (pypi-uri "acme" version))
- (sha256
- (base32
- "1kg9bnwywsr18hgvqyhxqqi90l2qa7449f41q3fdq2y59h9nk2sk"))))
+ (sha256
+ (base32
+ "1s2zamyb99zdyga3c75xxgnj0z2hixw8wv24v1l4p49fncnxab2a"))))
(build-system python-build-system)
(arguments
`(#:phases
#t))))))
;; TODO: Add optional inputs for testing.
(native-inputs
- `(("python-mock" ,python-mock-2)
+ `(("python-mock" ,python-mock)
;; For documentation
("python-sphinx" ,python-sphinx)
("python-sphinxcontrib-programoutput" ,python-sphinxcontrib-programoutput)
("python-sphinx-rtd-theme" ,python-sphinx-rtd-theme)
("texinfo" ,texinfo)))
(propagated-inputs
- `(("python-six" ,python-six)
+ `(("python-josepy" ,python-josepy)
+ ("python-six" ,python-six)
("python-requests" ,python-requests)
("python-pytz" ,python-pytz)
("python-pyrfc3339" ,python-pyrfc3339)
("python-pyasn1" ,python-pyasn1)
("python-cryptography" ,python-cryptography)
("python-pyopenssl" ,python-pyopenssl)))
- (home-page "https://github.com/letsencrypt/letsencrypt")
+ (home-page "https://github.com/certbot/certbot")
(synopsis "ACME protocol implementation in Python")
(description "ACME protocol implementation in Python")
(license license:asl2.0)))
-(define-public python2-acme
- (package-with-python2 python-acme))
-
(define-public certbot
(package
(name "certbot")
(uri (pypi-uri name version))
(sha256
(base32
- "11p1vsps5rbpha3k5jnmf9i6rcp6299h9b34wdh21cq6dgyh2n3r"))))
+ "1cyb3lhxrw7ghyhrl2wc95vqhdaxz6n4pai66c573gcly7c7sc7f"))))
(build-system python-build-system)
(arguments
`(,@(substitute-keyword-arguments (package-arguments python-acme)
;; TODO: Add optional inputs for testing.
(native-inputs
`(("python-nose" ,python-nose)
- ("python-mock" ,python-mock-2)
+ ("python-mock" ,python-mock)
;; For documentation
("python-sphinx" ,python-sphinx)
("python-sphinx-rtd-theme" ,python-sphinx-rtd-theme)
(define-public perl-net-ssleay
(package
(name "perl-net-ssleay")
- (version "1.81")
+ (version "1.82")
(source (origin
(method url-fetch)
(uri (string-append "mirror://cpan/authors/id/M/MI/MIKEM/"
"Net-SSLeay-" version ".tar.gz"))
(sha256
(base32
- "0z8vya34g88bc41kx955sv7y4niwbbywji8liqbl52v29qbvdjq0"))))
+ "1rf78z1macgmp6mwd7c2xq4yfw6wpf28hfwfz1d5wslqr4cwb5aq"))))
(build-system perl-build-system)
(inputs `(("openssl" ,openssl)))
(arguments
(define-public perl-crypt-openssl-bignum
(package
(name "perl-crypt-openssl-bignum")
- (version "0.06")
+ (version "0.09")
(source
(origin
(method url-fetch)
".tar.gz"))
(sha256
(base32
- "05yzrdglrrzp191krf77zrwfkmzrfwrsrx1vyskbj94522lszk67"))))
+ "1p22znbajq91lbk2k3yg12ig7hy5b4vy8igxwqkmbm4nhgxp4ki3"))))
(build-system perl-build-system)
(inputs `(("openssl" ,openssl)))
(arguments perl-crypt-arguments)
(define-public mbedtls-apache
(package
(name "mbedtls-apache")
- (version "2.5.1")
+ (version "2.7.0")
(source
(origin
(method url-fetch)
version "-apache.tgz"))
(sha256
(base32
- "1yc1rj0izjihj9hbzvskpa4gjzqf4dm2i84nmmm2s9j1i66fp6jm"))))
+ "1vsmgxnw7dpvma51896n63yaf9sncmf885ax2jfcg89ssin6vdmf"))
+ ;; An RFC 5114 constant was accidentally renamed in version 2.7.0.
+ ;; See https://github.com/ARMmbed/mbedtls/pull/1362.
+ (modules '((guix build utils)))
+ (snippet
+ '(begin
+ (substitute* "include/mbedtls/dhm.h"
+ (("#define MBEDTLS_DHM_RFC5114_MODP_P")
+ "#define MBEDTLS_DHM_RFC5114_MODP_2048_P"))
+ #t))))
(build-system cmake-build-system)
+ (arguments
+ `(#:configure-flags
+ (list "-DUSE_SHARED_MBEDTLS_LIBRARY=ON")))
(native-inputs
`(("perl" ,perl)))
(synopsis "Small TLS library")
coding footprint.")
(home-page "https://tls.mbed.org")
(license license:asl2.0)))
+
+(define-public ghc-tls
+ (package
+ (name "ghc-tls")
+ (version "1.3.8")
+ (source (origin
+ (method url-fetch)
+ (uri (string-append "https://hackage.haskell.org/package/"
+ "tls/tls-" version ".tar.gz"))
+ (sha256
+ (base32
+ "1rdidf18i781c0vdvy9yn79yh08hmcacf6fp3sgghyiy3h0wyh5l"))))
+ (build-system haskell-build-system)
+ (inputs
+ `(("ghc-mtl" ,ghc-mtl)
+ ("ghc-cereal" ,ghc-cereal)
+ ("ghc-data-default-class" ,ghc-data-default-class)
+ ("ghc-memory" ,ghc-memory)
+ ("ghc-cryptonite" ,ghc-cryptonite)
+ ("ghc-asn1-types" ,ghc-asn1-types)
+ ("ghc-asn1-encoding" ,ghc-asn1-encoding)
+ ("ghc-x509" ,ghc-x509)
+ ("ghc-x509-store" ,ghc-x509-store)
+ ("ghc-x509-validation" ,ghc-x509-validation)
+ ("ghc-async" ,ghc-async)
+ ("ghc-network" ,ghc-network)
+ ("ghc-hourglass" ,ghc-hourglass)))
+ (native-inputs
+ `(("ghc-tasty" ,ghc-tasty)
+ ("ghc-tasty-quickcheck" ,ghc-tasty-quickcheck)
+ ("ghc-quickcheck" ,ghc-quickcheck)))
+ (home-page "https://github.com/vincenthz/hs-tls")
+ (synopsis
+ "TLS/SSL protocol native implementation (Server and Client)")
+ (description
+ "Native Haskell TLS and SSL protocol implementation for server and client.
+This provides a high-level implementation of a sensitive security protocol,
+eliminating a common set of security issues through the use of the advanced
+type system, high level constructions and common Haskell features. Currently
+implement the SSL3.0, TLS1.0, TLS1.1 and TLS1.2 protocol, and support RSA and
+Ephemeral (Elliptic curve and regular) Diffie Hellman key exchanges, and many
+extensions.")
+ (license license:bsd-3)))
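Review bot: The description's last sentence does not parse (`Currently implement the SSL3.0, TLS1.0, TLS1.1 and TLS1.2 protocol, and support RSA ...`); I would write `It currently implements the SSL 3.0, TLS 1.0, TLS 1.1 and TLS 1.2 protocols and supports RSA and ephemeral (elliptic-curve and finite-field) Diffie-Hellman key exchanges, plus many extensions.` Listing SSL 3.0 as a feature is also dated, since the protocol has been deprecated by RFC 7568; the description should not read as a recommendation, and whether this release enables it by default cannot be told from the package definition. The synopsis would read more naturally as `Native Haskell TLS/SSL implementation (server and client)`, in line with the short synopses elsewhere in this file.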