X-Git-Url: https://git.hcoop.net/jackhill/guix/guix.git/blobdiff_plain/5a2f019c7d35d539036825a7d0cc184f0c7dc60a..5d904d63f4d43e3f0e4be38c5f5404e029c00a22:/gnu/packages/tls.scm diff --git a/gnu/packages/tls.scm b/gnu/packages/tls.scm index d8cc1ccbc2..60e29bfe82 100644 --- a/gnu/packages/tls.scm +++ b/gnu/packages/tls.scm @@ -6,10 +6,11 @@ ;;; Copyright © 2015 David Thompson ;;; Copyright © 2015, 2016, 2017 Leo Famulari ;;; Copyright © 2016, 2017 Efraim Flashner -;;; Copyright © 2016, 2017 ng0 +;;; Copyright © 2016, 2017, 2018 Nils Gillmann ;;; Copyright © 2016 Hartmut Goebel ;;; Copyright © 2017 Ricardo Wurmus ;;; Copyright © 2017 Marius Bakke +;;; Copyright © 2017 Tobias Geerinckx-Rice ;;; Copyright © 2017 Rutger Helling ;;; ;;; This file is part of GNU Guix. @@ -73,7 +74,8 @@ version ".tar.gz")) (sha256 (base32 - "0ls7jdq3y5fnrwg0pzhq11m21r8pshac2705bczz6mqjc8pdllv7")))) + "0ls7jdq3y5fnrwg0pzhq11m21r8pshac2705bczz6mqjc8pdllv7")) + (patches (search-patches "libtasn1-CVE-2017-10790.patch")))) (build-system gnu-build-system) (native-inputs `(("perl" ,perl))) (home-page "https://www.gnu.org/software/libtasn1/") @@ -90,7 +92,8 @@ specifications.") (inherit libtasn1) (source (origin (inherit (package-source libtasn1)) - (patches (search-patches "libtasn1-CVE-2017-10790.patch")))))) + (patches (search-patches "libtasn1-CVE-2017-10790.patch" + "libtasn1-CVE-2018-6003.patch")))))) (define-public asn1c (package @@ -122,7 +125,7 @@ in intelligent transportation networks.") (define-public p11-kit (package (name "p11-kit") - (version "0.23.9") + (version "0.23.10") (source (origin (method url-fetch) @@ -130,7 +133,7 @@ in intelligent transportation networks.") "download/" version "/p11-kit-" version ".tar.gz")) (sha256 (base32 - "0qyvnkb5hfi94wv3bn67y20hcbbvynvjwxpk7k9sh1si6ff69hg1")))) + "0hxfwnyb5yllvlsh0cj6favcph36gm94b6df7zhl7xay48zjl8gr")))) (build-system gnu-build-system) (native-inputs `(("pkg-config" ,pkg-config))) 
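Review bot: In the hunk at -90 the inheriting origin lists both `libtasn1-CVE-2017-10790.patch` and `libtasn1-CVE-2018-6003.patch`, while the base `libtasn1` origin in the hunk at -73 gets only the first, so the CVE-2018-6003 fix appears to reach users only if this variant is applied as a replacement. The variant's opening line and any `replacement` field on `libtasn1` are outside both hunks, so that link cannot be confirmed from here. Because a `patches` field in an inheriting origin overrides the inherited list rather than extending it, the repeated first patch is required and is easy to delete by mistake. A comment above the field would record both facts, for example `;; 'patches' replaces the inherited list, so keep CVE-2017-10790 here; fold CVE-2018-6003 into libtasn1 at the next full rebuild.`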
@@ -139,7 +142,7 @@ in intelligent transportation networks.") ("libtasn1" ,libtasn1))) (arguments `(#:configure-flags '("--without-trust-paths"))) - (home-page "http://p11-glue.freedesktop.org/p11-kit.html") + (home-page "https://p11-glue.freedesktop.org/p11-kit.html") (synopsis "PKCS#11 library") (description "p11-kit provides a way to load and enumerate PKCS#11 modules. It @@ -149,9 +152,6 @@ coordinating the use of PKCS#11 by different components or libraries living in the same process.") (license license:bsd-3))) - -;; TODO Add net-tools-for-tests to #:disallowed-references when we can afford -;; rebuild GnuTLS (i.e. core-updates). (define-public gnutls (package (name "gnutls") @@ -172,7 +172,9 @@ living in the same process.") "15ihq6p0hnnhs8cnjrkj40dmlcaa1jjg8xg0g2ydbnlqs454ixbr")))) (build-system gnu-build-system) (arguments - '(#:configure-flags + `(; Ensure we don't keep a reference to this buggy software. + #:disallowed-references (,net-tools) + #:configure-flags (list ;; GnuTLS doesn't consult any environment variables to specify ;; the location of the system-wide trust store. Instead it has a @@ -206,7 +208,7 @@ living in the same process.") "debug" "doc")) ;4.1 MiB of man pages (native-inputs - `(("net-tools" ,net-tools-for-tests) + `(("net-tools" ,net-tools) ("pkg-config" ,pkg-config) ("which" ,which))) (inputs 
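Review bot: The comment added in the hunk at -172, `; Ensure we don't keep a reference to this buggy software.`, names neither the package nor the property being enforced, so a later reader cannot tell what the `#:disallowed-references (,net-tools)` entry protects. The hunk at -206 shows `net-tools` only under `native-inputs`, so a wording such as `;; net-tools is a build-time-only input; fail the build if any output retains a reference to it.` would state the intent. The same hunk changes the argument list from quoted to quasiquoted, which is what lets `,net-tools` evaluate to the package; a short remark on that would stop a later edit from reverting the quote and silently turning the entry into a symbol. The `arguments` form continues outside the hunk.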
@@ -253,18 +255,20 @@ required structures.") (define-public openssl (package (name "openssl") - (version "1.0.2l") - (replacement openssl-1.0.2m) + (replacement openssl-1.0.2o) + (version "1.0.2n") (source (origin (method url-fetch) - (uri (list (string-append "ftp://ftp.openssl.org/source/" + (uri (list (string-append "https://www.openssl.org/source/openssl-" + version ".tar.gz") + (string-append "ftp://ftp.openssl.org/source/" name "-" version ".tar.gz") (string-append "ftp://ftp.openssl.org/source/old/" (string-trim-right version char-set:letter) "/" name "-" version ".tar.gz"))) (sha256 (base32 - "037kvpisc6qh5dkppcwbm5bg2q800xh2hma3vghz8xcycmdij1yf")) + "1zm82pyq5a9jm10q6iv7d3dih3xwjds4x30fqph3k317byvsn2rp")) (snippet '(begin ;; Remove ELF files. 'substitute*' can't read them. 
@@ -381,46 +385,47 @@ required structures.") ,version "/misc")) #t)))))) (native-search-paths - ;; FIXME: These two variables must designate a single file or directory - ;; and are not actually "search paths." In practice it works OK in user - ;; profiles because there's always just one item that matches the - ;; specification. (list (search-path-specification (variable "SSL_CERT_DIR") + (separator #f) ;single entry (files '("etc/ssl/certs"))) (search-path-specification (variable "SSL_CERT_FILE") + (file-type 'regular) + (separator #f) ;single entry (files '("etc/ssl/certs/ca-certificates.crt"))))) (synopsis "SSL/TLS implementation") (description "OpenSSL is an implementation of SSL/TLS.") (license license:openssl) - (home-page "http://www.openssl.org/"))) + (home-page "https://www.openssl.org/"))) -;; Fixes CVE-2017-3735 and CVE-2017-3736. -;; See . -(define-public openssl-1.0.2m +(define openssl-1.0.2o (package (inherit openssl) - (version "1.0.2m") + (name "openssl") + (version "1.0.2o") (source (origin (inherit (package-source openssl)) (uri (list (string-append "https://www.openssl.org/source/openssl-" version ".tar.gz") - (string-append "ftp://ftp.openssl.org/source/openssl-" - version ".tar.gz") + (string-append "ftp://ftp.openssl.org/source/" + name "-" version ".tar.gz") (string-append "ftp://ftp.openssl.org/source/old/" (string-trim-right version char-set:letter) - "/openssl-" version ".tar.gz"))) + "/" name "-" version ".tar.gz"))) (sha256 (base32 - "03vvlfnxx4lhxc83ikfdl6jqph4h52y7lb7li03va6dkqrgg2vwc")))))) + "0kcy13l701054nhpbd901mz32v1kn4g311z0nifd83xs2jbmqgzc")) + ;; Erase the inherited snippet, which isn't applicable to + ;; OpenSSL 1.0.2o. + (snippet #f))))) (define-public openssl-next (package (inherit openssl) (name "openssl") - (version "1.1.0g") + (version "1.1.0h") (source (origin (method url-fetch) (uri (list (string-append "https://www.openssl.org/source/openssl-" 
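Review bot: The definition of `openssl-1.0.2o` no longer states which advisories the replacement addresses, because this hunk removes the `;; Fixes CVE-2017-3735 and CVE-2017-3736.` comment (and its already empty `See .` reference) and adds nothing in its place. Since `openssl` at 1.0.2n points at this variable through `replacement` in the hunk at -253, anyone auditing exposure has to go to the upstream release notes to learn what an ungrafted 1.0.2n is missing. A comment above the definition would fix that, of the form `;; Graft for <CVE-ID>; see <advisory URL>.`, with the identifiers taken from the upstream advisory. The new comment on `(snippet #f)` could likewise say why the inherited snippet does not apply to this tarball, rather than only that it does not.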
@@ -433,7 +438,7 @@ required structures.") (patches (search-patches "openssl-1.1.0-c-rehash-in.patch")) (sha256 (base32 - "1bvka2wf33w2vxv7yw578nnjqyhz2b3chvfb0l4k2ffscw950kfy")))) + "05x509lccqjscgyi935z809pwfm708islypwhmjnb6cyvrn64daq")))) (outputs '("out" "doc" ;1.3MiB of man3 pages "static")) ; 5.5MiB of .a files @@ -485,14 +490,14 @@ required structures.") (define-public libressl (package (name "libressl") - (version "2.6.3") + (version "2.7.2") (source (origin (method url-fetch) (uri (string-append "mirror://openbsd/LibreSSL/" name "-" version ".tar.gz")) (sha256 (base32 - "162wgzmg4zzqj5cxrsrmkfv1623dc4g8h3fsf1lvjw9i4sc6bbdf")))) + "1589f0kg7kj51j9hid542s4isb96s1azjaqsfprpy5s2qdwqfyli")))) (build-system gnu-build-system) (arguments ;; Do as if 'getentropy' was missing since older Linux kernels lack it @@ -529,13 +534,13 @@ netcat implementation that supports TLS.") (package (name "python-acme") ;; Remember to update the hash of certbot when updating python-acme. - (version "0.19.0") + (version "0.23.0") (source (origin (method url-fetch) (uri (pypi-uri "acme" version)) (sha256 (base32 - "08p8w50zciqlhgn3ab0wbbvi1zyg3x37r1gywq0z1allsij3v8hz")))) + "0l257dq1i2gka6ynldidpwaz1aa726643crqqckga1w5awsndh88")))) (build-system python-build-system) (arguments `(#:phases 
@@ -553,21 +558,22 @@ netcat implementation that supports TLS.") #t)))))) ;; TODO: Add optional inputs for testing. (native-inputs - `(("python-mock" ,python-mock-2) + `(("python-mock" ,python-mock) ;; For documentation ("python-sphinx" ,python-sphinx) ("python-sphinxcontrib-programoutput" ,python-sphinxcontrib-programoutput) ("python-sphinx-rtd-theme" ,python-sphinx-rtd-theme) ("texinfo" ,texinfo))) (propagated-inputs - `(("python-six" ,python-six) + `(("python-josepy" ,python-josepy) + ("python-six" ,python-six) ("python-requests" ,python-requests) ("python-pytz" ,python-pytz) ("python-pyrfc3339" ,python-pyrfc3339) ("python-pyasn1" ,python-pyasn1) ("python-cryptography" ,python-cryptography) ("python-pyopenssl" ,python-pyopenssl))) - (home-page "https://github.com/letsencrypt/letsencrypt") + (home-page "https://github.com/certbot/certbot") (synopsis "ACME protocol implementation in Python") (description "ACME protocol implementation in Python") (license license:asl2.0))) @@ -583,7 +589,7 @@ netcat implementation that supports TLS.") (uri (pypi-uri name version)) (sha256 (base32 - "0lwxqz3r0fg3dy06fgba1dfs7n6ribc25z0rh5rqbl7mvy8hf8x7")))) + "0gh5fr61c3mj5vdkn68k17wcvri9rdj506cmmz6631i2l5flrzvc")))) (build-system python-build-system) (arguments `(,@(substitute-keyword-arguments (package-arguments python-acme) @@ -602,7 +608,7 @@ netcat implementation that supports TLS.") ;; TODO: Add optional inputs for testing. (native-inputs `(("python-nose" ,python-nose) - ("python-mock" ,python-mock-2) + ("python-mock" ,python-mock) ;; For documentation ("python-sphinx" ,python-sphinx) ("python-sphinx-rtd-theme" ,python-sphinx-rtd-theme) 
@@ -638,14 +644,14 @@ certificates for free.") (define-public perl-net-ssleay (package (name "perl-net-ssleay") - (version "1.81") + (version "1.82") (source (origin (method url-fetch) (uri (string-append "mirror://cpan/authors/id/M/MI/MIKEM/" "Net-SSLeay-" version ".tar.gz")) (sha256 (base32 - "0z8vya34g88bc41kx955sv7y4niwbbywji8liqbl52v29qbvdjq0")))) + "1rf78z1macgmp6mwd7c2xq4yfw6wpf28hfwfz1d5wslqr4cwb5aq")))) (build-system perl-build-system) (inputs `(("openssl" ,openssl))) (arguments @@ -707,7 +713,7 @@ OpenSSL libraries).") (define-public perl-crypt-openssl-bignum (package (name "perl-crypt-openssl-bignum") - (version "0.08") + (version "0.09") (source (origin (method url-fetch) @@ -717,7 +723,7 @@ OpenSSL libraries).") ".tar.gz")) (sha256 (base32 - "0gamn4dff1bz77nswacy1dlpn9fkwahzw7yvvik4nbwwy2s63hc8")))) + "1p22znbajq91lbk2k3yg12ig7hy5b4vy8igxwqkmbm4nhgxp4ki3")))) (build-system perl-build-system) (inputs `(("openssl" ,openssl))) (arguments perl-crypt-arguments) @@ -803,7 +809,7 @@ then ported to the GNU / Linux environment.") (define-public mbedtls-apache (package (name "mbedtls-apache") - (version "2.6.0") + (version "2.7.2") (source (origin (method url-fetch) @@ -813,7 +819,7 @@ then ported to the GNU / Linux environment.") version "-apache.tgz")) (sha256 (base32 - "11wnj34rfqxjggmdgf042i49lr6civgbqwv2p7p8bn6k2919vg4r")))) + "1mvkqlxxvl6yp1g5g9dk4l7h3wl6149p3pfwgwzgs7xybyxw4f7x")))) (build-system cmake-build-system) (arguments `(#:configure-flags