Diffstat (limited to 'gnu/packages/tls.scm')
-rw-r--r--gnu/packages/tls.scm299
1 files changed, 135 insertions, 164 deletions
diff --git a/gnu/packages/tls.scm b/gnu/packages/tls.scm
index 9e52225d52..7b2f43d993 100644
--- a/gnu/packages/tls.scm
+++ b/gnu/packages/tls.scm
@@ -85,7 +85,7 @@
 (define-public libtasn1
   (package
     (name "libtasn1")
-    (version "4.17.0")
+    (version "4.18.0")
     (source
      (origin
       (method url-fetch)
@@ -93,7 +93,7 @@
                           version ".tar.gz"))
       (sha256
        (base32
-        "19a53i1ajs4dd8nnlr2i6gbzvla84ay71g3y1phvh8krx8f5brzc"))))
+        "160qrlsa707a15bzdl70fvdwcxgfs43vc950cx6dcqrmjmac2ra3"))))
     (build-system gnu-build-system)
     (arguments
      `(#:configure-flags '("--disable-static")))
@@ -137,52 +137,51 @@ in intelligent transportation networks.")
 (define-public p11-kit
   (package
     (name "p11-kit")
-    (version "0.23.22")
+    (version "0.24.1")
     (source
      (origin
-      (method url-fetch)
-      (uri (string-append "https://github.com/p11-glue/p11-kit/releases/"
-                          "download/" version "/p11-kit-" version ".tar.xz"))
-      (sha256
-       (base32 "1dn6br4v033d3gp2max9lsr3y4q0nj6iyr1yq3kzi8ym7lal13wa"))))
+       (method url-fetch)
+       (uri (string-append "https://github.com/p11-glue/p11-kit/releases/"
+                           "download/" version "/p11-kit-" version ".tar.xz"))
+       (sha256
+        (base32 "1y5fm9gwhkh902r26p90qf1g2h1ziqrk4hgf9i9sxm2wzlz7ignq"))))
     (build-system gnu-build-system)
     (native-inputs
-     `(,@(if (hurd-target?)
-             `(("autoconf" ,autoconf)
-               ("automake" ,automake)
-               ("gettext" ,gettext-minimal) ;for autopoint
-               ("libtool" ,libtool))
-             '())
-       ("pkg-config" ,pkg-config)))
+     (append (list pkg-config)
+             (if (hurd-target?)
+                 (list autoconf automake gettext-minimal libtool)
+                 '())))
     (inputs
-     `(("libffi" ,libffi)
-       ,@(if (hurd-target?)
-             `(("libbsd" ,libbsd)
-               ("hurd-patch" ,(search-patch "p11-kit-hurd.patch")))
-             '())
-       ("libtasn1" ,libtasn1)))
+     (append (list libffi libtasn1)
+             (if (hurd-target?)
+                 (list libbsd)
+                 '())))
     (arguments
-     `(#:configure-flags '("--without-trust-paths")
-       #:phases (modify-phases %standard-phases
-                  ,@(if (hurd-target?)
-                        '((add-after 'unpack 'apply-hurd-patch
-                            (lambda* (#:key inputs #:allow-other-keys)
-                              (let ((patch (assoc-ref inputs "hurd-patch")))
-                                (invoke "patch" "-p1" "--batch" "-i"
-                                        patch))))
-                          (replace 'bootstrap
-                            (lambda _
-                              (invoke "autoreconf" "-fiv"))))
-                        '())
-                  (add-before 'check 'prepare-tests
-                    (lambda _
-                      ;; "test-runtime" expects XDG_RUNTIME_DIR to be set up
-                      ;; and looks for .cache and other directories (only).
-                      ;; For simplicity just drop it since it is irrelevant
-                      ;; in the build container.
-                      (substitute* "Makefile"
-                        (("test-runtime\\$\\(EXEEXT\\)") ""))
-                      #t)))))
+     (list #:configure-flags
+           ;; Use the default certificates so that users such as flatpak
+           ;; find them.  See <https://issues.guix.gnu.org/49957>.
+           #~'("--with-trust-paths=/etc/ssl/certs/ca-certificates.crt")
+           #:phases #~(modify-phases %standard-phases
+                        #$@(if (hurd-target?)
+                               #~((add-after 'unpack 'apply-hurd-patch
+                                    (lambda* (#:key inputs #:allow-other-keys)
+                                      (define patch
+                                        #$(local-file
+                                           (search-patch "p11-kit-hurd.patch")))
+                                      (invoke "patch" "-p1" "--batch" "-i"
+                                              patch)))
+                                  (replace 'bootstrap
+                                    (lambda _
+                                      (invoke "autoreconf" "-fiv"))))
+                               #~())
+                        (add-before 'check 'prepare-tests
+                          (lambda _
+                            ;; "test-runtime" expects XDG_RUNTIME_DIR to be set up
+                            ;; and looks for .cache and other directories (only).
+                            ;; For simplicity just drop it since it is irrelevant
+                            ;; in the build container.
+                            (substitute* "Makefile"
+                              (("test-runtime\\$\\(EXEEXT\\)") "")))))))
     (home-page "https://p11-glue.github.io/p11-glue/p11-kit.html")
     (synopsis "PKCS#11 library")
     (description
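Review bot: The `#:configure-flags` line now bakes `/etc/ssl/certs/ca-certificates.crt`, a path outside the store, into the trust module, but the comment above it only says who benefits from the flag, not what the build depends on at run time. A sentence such as `;; The trust module reads this bundle at run time; if the file is absent (e.g. a foreign distribution that keeps its bundle elsewhere) p11-kit presumably has no trust anchors — TODO confirm.` would tell the next maintainer what the flag costs. This also reverses the previous `--without-trust-paths`, so any package that relied on p11-kit having no system trust path changes behavior; nothing in the hunk shows whether such dependents exist.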
@@ -193,28 +192,10 @@ coordinating the use of PKCS#11 by different components or libraries
 living in the same process.")
     (license license:bsd-3)))
 
-(define-public p11-kit-next
-  (package
-    (inherit p11-kit)
-    (version "0.24.1")
-    (source
-     (origin
-       (method url-fetch)
-       (uri (string-append "https://github.com/p11-glue/p11-kit/releases/"
-                           "download/" version "/p11-kit-" version ".tar.xz"))
-       (sha256
-        (base32 "1y5fm9gwhkh902r26p90qf1g2h1ziqrk4hgf9i9sxm2wzlz7ignq"))))
-    (arguments
-     ;; Use the default certificates so that users such as flatpak find them.
-     ;; See <https://issues.guix.gnu.org/49957>.
-     (substitute-keyword-arguments (package-arguments p11-kit)
-       ((#:configure-flags flags ''())
-        ''("--with-trust-paths=/etc/ssl/certs/ca-certificates.crt"))))))
-
 (define-public gnutls
   (package
     (name "gnutls")
-    (version "3.7.2")
+    (version "3.7.6")
     (source (origin
               (method url-fetch)
               ;; Note: Releases are no longer on ftp.gnu.org since the
@@ -223,101 +204,94 @@ living in the same process.")
                                   (version-major+minor version)
                                   "/gnutls-" version ".tar.xz"))
               (patches (search-patches "gnutls-skip-trust-store-test.patch"
-                                       "gnutls-cross.patch"
-                                       "gnutls-guile-eintr-eagain.patch"))
+                                       "gnutls-cross.patch"))
               (sha256
                (base32
-                "0li7mwjnm64mbxhacz0rpf6i9qd83f53fvbrx96alpqqk9d6qvk4"))))
+                "1zv2097v9f6f4c66q7yn3c6gggjk9jz38095ma7v3gs5lccmf1kp"))))
     (build-system gnu-build-system)
     (arguments
-     `(#:tests? ,(not (or (%current-target-system)
-                          (hurd-target?)))
-       ;; Ensure we don't keep a reference to the tools used for testing.
-       #:disallowed-references ,(if (hurd-target?)
-                                    '()
-                                    (list net-tools iproute socat))
-       #:configure-flags
-       (cons*
-             ;; GnuTLS doesn't consult any environment variables to specify
-             ;; the location of the system-wide trust store.  Instead it has a
-             ;; configure-time option.  Unless specified, its configure script
-             ;; attempts to auto-detect the location by looking for common
-             ;; places in the file system, none of which are present in our
-             ;; chroot build environment.  If not found, then no default trust
-             ;; store is used, so each program has to provide its own
-             ;; fallback, and users have to configure each program
-             ;; independently.  This seems suboptimal.
-             "--with-default-trust-store-dir=/etc/ssl/certs"
+     (list #:tests? (not (or (%current-target-system)
+                             (hurd-target?)))
+           ;; Ensure we don't keep a reference to the tools used for testing.
+           #:disallowed-references (if (hurd-target?)
+                                       '()
+                                       (list net-tools iproute socat))
+           #:configure-flags
+           #~(cons*
+              ;; GnuTLS doesn't consult any environment variables to specify
+              ;; the location of the system-wide trust store.  Instead it has a
+              ;; configure-time option.  Unless specified, its configure script
+              ;; attempts to auto-detect the location by looking for common
+              ;; places in the file system, none of which are present in our
+              ;; chroot build environment.  If not found, then no default trust
+              ;; store is used, so each program has to provide its own
+              ;; fallback, and users have to configure each program
+              ;; independently.  This seems suboptimal.
+              "--with-default-trust-store-dir=/etc/ssl/certs"
 
-             ;; Tell the build system that we want Guile bindings installed to
-             ;; the output instead of Guiles own module directory.
-             (string-append "--with-guile-site-dir="
-                            "$(datarootdir)/guile/site/$(GUILE_EFFECTIVE_VERSION)")
-             (string-append "--with-guile-site-ccache-dir="
-                            "$(libdir)/guile/$(GUILE_EFFECTIVE_VERSION)/site-ccache")
-             (string-append "--with-guile-extension-dir="
-                            "$(libdir)/guile/$(GUILE_EFFECTIVE_VERSION)/extensions")
+              ;; Tell the build system that we want Guile bindings installed to
+              ;; the output instead of Guiles own module directory.
+              (string-append "--with-guile-site-dir="
+                             "$(datarootdir)/guile/site/$(GUILE_EFFECTIVE_VERSION)")
+              (string-append "--with-guile-site-ccache-dir="
+                             "$(libdir)/guile/$(GUILE_EFFECTIVE_VERSION)/site-ccache")
+              (string-append "--with-guile-extension-dir="
+                             "$(libdir)/guile/$(GUILE_EFFECTIVE_VERSION)/extensions")
 
-             (let ((system ,(or (%current-target-system)
-                                (%current-system))))
-               (if (string-prefix? "mips64el" system)
-                   (list
-                    ;; FIXME: Temporarily disable p11-kit support since it is
-                    ;; not working on mips64el.
-                    "--without-p11-kit")
-                   '())))
+              (let ((system #$(or (%current-target-system)
+                                  (%current-system))))
+                (if (string-prefix? "mips64el" system)
+                    (list
+                     ;; FIXME: Temporarily disable p11-kit support since it is
+                     ;; not working on mips64el.
+                     "--without-p11-kit")
+                    '())))
 
-       #:phases (modify-phases %standard-phases
-                  ;; fastopen.sh fails to connect to the server in the builder
-                  ;; environment (see:
-                  ;; https://gitlab.com/gnutls/gnutls/-/issues/1095).
-                  (add-after 'unpack 'disable-failing-tests
-                    (lambda _
-                      (substitute* "tests/fastopen.sh"
-                        (("^unset RETCODE")
-                         "exit 77\n")))) ;skip
-                  (add-after 'install 'move-doc
-                   (lambda* (#:key outputs #:allow-other-keys)
-                     ;; Copy the 4.1 MiB of section 3 man pages to "doc".
-                     (let* ((out    (assoc-ref outputs "out"))
-                            (doc    (assoc-ref outputs "doc"))
-                            (mandir (string-append doc "/share/man/man3"))
-                            (oldman (string-append out "/share/man/man3")))
-                       (mkdir-p mandir)
-                       (copy-recursively oldman mandir)
-                       (delete-file-recursively oldman)))))))
+           #:phases
+           #~(modify-phases %standard-phases
+               ;; fastopen.sh fails to connect to the server in the builder
+               ;; environment (see:
+               ;; https://gitlab.com/gnutls/gnutls/-/issues/1095).
+               (add-after 'unpack 'disable-failing-tests
+                 (lambda _
+                   (substitute* "tests/fastopen.sh"
+                     (("^unset RETCODE")
+                      "exit 77\n"))))      ;skip
+               (add-after 'install 'move-doc
+                 (lambda* (#:key outputs #:allow-other-keys)
+                   ;; Copy the 4.1 MiB of section 3 man pages to "doc".
+                   (let* ((out    (assoc-ref outputs "out"))
+                          (doc    (assoc-ref outputs "doc"))
+                          (mandir (string-append doc "/share/man/man3"))
+                          (oldman (string-append out "/share/man/man3")))
+                     (mkdir-p mandir)
+                     (copy-recursively oldman mandir)
+                     (delete-file-recursively oldman)))))))
     (outputs '("out"                              ;4.4 MiB
                "debug"
                "doc"))                            ;4.1 MiB of man pages
     (native-inputs
-     `(,@(if (%current-target-system)             ;for cross-build
-             `(("guile" ,guile-3.0))              ;to create .go files
-             '())
-       ,@(if (hurd-target?)
-             '()
-             `(("net-tools" ,net-tools)
-               ("iproute" ,iproute)               ;for 'ss'
-               ("socat" ,socat)))                 ;several tests rely on it
-       ("pkg-config" ,pkg-config)
-       ("texinfo" ,texinfo)
-       ("which" ,which)
-       ,@(if (hurd-target?)
-             '()
-             `(("datefudge" ,datefudge)))         ;tests rely on 'datefudge'
-       ("util-linux" ,util-linux)))               ;one test needs 'setsid'
+     (append (list pkg-config texinfo which
+                   util-linux)                    ;one test needs 'setsid'
+             (if (%current-target-system)         ;for cross-build
+                 (list guile-3.0)                 ;to create .go files
+                 '())
+             (if (hurd-target?)
+                 '()
+                 (list net-tools
+                       iproute                    ;for 'ss'
+                       socat                      ;several tests rely on it
+                       datefudge))))              ;tests rely on 'datefudge'
     (inputs
      (list guile-3.0))
     (propagated-inputs
      ;; These are all in the 'Requires.private' field of gnutls.pc.
-     `(("libtasn1" ,libtasn1)
-       ("libidn2" ,libidn2)
-       ("nettle" ,nettle)
-       ("zlib" ,zlib)
-       ,@(let ((system (or (%current-target-system)
-                           (%current-system))))
-           (if (string-prefix? "mips64el" system)
-               '()
-               `(("p11-kit" ,p11-kit))))))
+     (append (list libtasn1 libidn2 nettle zlib)
+             (let ((system (or (%current-target-system)
+                               (%current-system))))
+               (if (string-prefix? "mips64el" system)
+                   '()
+                   (list p11-kit)))))
     (home-page "https://www.gnu.org/software/gnutls/")
     (synopsis "Transport layer security library")
     (description
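Review bot: The rewritten `move-doc` phase keeps `(lambda* (#:key outputs #:allow-other-keys)` with `assoc-ref outputs`, while the openssl `configure` phase at the end of this diff already uses `#$output` inside its gexp; since `#:phases` is now a gexp here too, the keyword argument is no longer needed. Replacing the binding lines with `(lambda _`, `(let* ((out #$output)` and `(doc #$output:doc)` keeps the two packages in the same style. The dropped `gnutls-guile-eintr-eagain.patch` is presumably folded into 3.7.6, but the hunk does not say so; a one-line note in the commit or next to `patches` would save the next reader a check.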
@@ -329,13 +303,6 @@ required structures.")
     (properties '((ftp-server . "ftp.gnutls.org")
                   (ftp-directory . "/gcrypt/gnutls")))))
 
-(define-public gnutls/guile-2.0
-  ;; GnuTLS for Guile 2.0.
-  (package/inherit gnutls
-    (name "guile2.0-gnutls")
-    (inputs `(("guile" ,guile-2.0)
-              ,@(alist-delete "guile" (package-inputs gnutls))))))
-
 (define-public gnutls/dane
   ;; GnuTLS with build libgnutls-dane, implementing DNS-based
   ;; Authentication of Named Entities.  This is required for GNS functionality
@@ -343,15 +310,14 @@ required structures.")
   ;; to have the choice between GnuTLS with Dane and without Dane.
   (package/inherit gnutls
     (name "gnutls-dane")
-    (inputs `(("unbound" ,unbound)
-              ,@(package-inputs gnutls)))))
+    (inputs (modify-inputs (package-inputs gnutls)
+              (prepend unbound)))))
 
 (define-public guile2.2-gnutls
   (package/inherit gnutls
     (name "guile2.2-gnutls")
-    (inputs `(("guile" ,guile-2.2)
-              ,@(alist-delete "guile"
-                              (package-inputs gnutls))))))
+    (inputs (modify-inputs (package-inputs gnutls)
+              (replace "guile" guile-2.2)))))
 
 (define (target->openssl-target target)
   "Return the value to set CONFIGURE_TARGET_ARCH to when cross-compiling
@@ -384,7 +350,7 @@ OpenSSL for TARGET."
 (define-public openssl
   (package
     (name "openssl")
-    (version "1.1.1l")
+    (version "1.1.1n")
     (replacement openssl/fixed)
     (source (origin
               (method url-fetch)
@@ -398,7 +364,7 @@ OpenSSL for TARGET."
               (patches (search-patches "openssl-1.1-c-rehash-in.patch"))
               (sha256
                (base32
-                "1lbblxps2fhmz7bqh058iywh5wxfignbfx1s1kz2fj63b5g3wyhb"))))
+                "0ymif8rlc5cf5qp5bh2pxlrgq6xryh7g4sqfvrdjg9gnli8ypp20"))))
     (build-system gnu-build-system)
     (outputs '("out"
                "doc"        ;6.8 MiB of man3 pages and full HTML documentation
@@ -423,15 +389,20 @@ OpenSSL for TARGET."
                                #$(target->openssl-target
                                   (%current-target-system))))))
                 #~())
-         ;; This test seems to be dependant on kernel features.
-         ;; https://github.com/openssl/openssl/issues/12242
-         #$@(if (or (target-arm?)
-                    (target-riscv64?))
-                #~((replace 'check
-                     (lambda* (#:key tests? test-target #:allow-other-keys)
-                       (when tests?
-                         (invoke "make" "TESTS=-test_afalg" test-target)))))
-                #~())
+         (replace 'check
+           (lambda* (#:key tests? test-target #:allow-other-keys)
+             (when tests?
+               ;; 'test_ssl_new.t' in 1.1.1n and 3.0.3 fails due to an expired
+               ;; certificate:
+               ;; <https://github.com/openssl/openssl/issues/18441>.
+               ;; Skip it.
+               ;;
+               ;; 'test_afalg' seems to be dependent on kernel features:
+               ;; <https://github.com/openssl/openssl/issues/12242>.
+               (invoke "make" test-target
+                       #$(if (or (target-arm?) (target-riscv64?))
+                             "TESTS=-test_afalg -tls_ssl_new"
+                             "TESTS=-test_ssl_new")))))
          (replace 'configure
            (lambda* (#:key configure-flags #:allow-other-keys)
              (let* ((out #$output)
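Review bot: The two `TESTS=` strings in the new `check` phase disagree: the non-ARM branch excludes `test_ssl_new`, matching the comment, but the ARM/RISC-V branch spells it `-tls_ssl_new`, which does not name the test described in the comment, so on those targets the expired-certificate test would presumably still run and fail. The line should read `"TESTS=-test_afalg -test_ssl_new"`. Excluding the whole `test_ssl_new` suite also silences every TLS-negotiation check it contains rather than only the expired-certificate case, so the comment should state that this is deliberate until upstream issue 18441 is resolved and the exclusion can be dropped.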