Diffstat (limited to 'gnu/packages/tls.scm')
-rw-r--r--gnu/packages/tls.scm420
1 files changed, 184 insertions, 236 deletions
diff --git a/gnu/packages/tls.scm b/gnu/packages/tls.scm
index 3e202a901b..04271ce16f 100644
--- a/gnu/packages/tls.scm
+++ b/gnu/packages/tls.scm
@@ -5,7 +5,7 @@
 ;;; Copyright © 2013, 2015 Andreas Enge <andreas@enge.fr>
 ;;; Copyright © 2015 David Thompson <davet@gnu.org>
 ;;; Copyright © 2015, 2016, 2017, 2018, 2019, 2020 Leo Famulari <leo@famulari.name>
-;;; Copyright © 2016, 2017, 2019 Efraim Flashner <efraim@flashner.co.il>
+;;; Copyright © 2016, 2017, 2019, 2021 Efraim Flashner <efraim@flashner.co.il>
 ;;; Copyright © 2016, 2017, 2018 Nikita <nikita@n0.is>
 ;;; Copyright © 2016 Hartmut Goebel <h.goebel@crazy-compilers.com>
 ;;; Copyright © 2017 Ricardo Wurmus <rekado@elephly.net>
@@ -15,8 +15,10 @@
 ;;; Copyright © 2018 Clément Lassieur <clement@lassieur.org>
 ;;; Copyright © 2019 Mathieu Othacehe <m.othacehe@gmail.com>
 ;;; Copyright © 2020 Jan (janneke) Nieuwenhuizen <janneke@gnu.org>
+;;; Copyright © 2020, 2021 Maxim Cournoyer <maxim.cournoyer@gmail.com>
 ;;; Copyright © 2021 Solene Rapenne <solene@perso.pw>
 ;;; Copyright © 2021 Brice Waegeneire <brice@waegenei.re>
+;;; Copyright © 2021 Maxime Devos <maximedevos@telenet.be>
 ;;; Copyright © 2021 Matthew James Kraai <kraai@ftbfs.org>
 ;;;
 ;;; This file is part of GNU Guix.
@@ -40,6 +42,7 @@
   #:use-module (guix download)
   #:use-module (guix git-download)
   #:use-module (guix utils)
+  #:use-module (guix gexp)
   #:use-module (guix build-system gnu)
   #:use-module (guix build-system go)
   #:use-module (guix build-system perl)
@@ -61,6 +64,7 @@
   #:use-module (gnu packages linux)
   #:use-module (gnu packages ncurses)
   #:use-module (gnu packages nettle)
+  #:use-module (gnu packages networking)
   #:use-module (gnu packages perl)
   #:use-module (gnu packages pkg-config)
   #:use-module (gnu packages python)
@@ -76,7 +80,7 @@
 (define-public libtasn1
   (package
     (name "libtasn1")
-    (version "4.16.0")
+    (version "4.17.0")
     (source
      (origin
       (method url-fetch)
@@ -84,7 +88,7 @@
                           version ".tar.gz"))
       (sha256
        (base32
-        "179jskl7dmfp1rd2khkzmlibzgki4wi6hvmmwfv7q49r728b03qf"))))
+        "19a53i1ajs4dd8nnlr2i6gbzvla84ay71g3y1phvh8krx8f5brzc"))))
     (build-system gnu-build-system)
     (arguments
      `(#:configure-flags '("--disable-static")))
@@ -167,8 +171,7 @@ living in the same process.")
 (define-public gnutls
   (package
     (name "gnutls")
-    (version "3.6.15")
-    (replacement gnutls-3.6.16)
+    (version "3.7.2")
     (source (origin
               (method url-fetch)
               ;; Note: Releases are no longer on ftp.gnu.org since the
@@ -177,20 +180,20 @@ living in the same process.")
                                   (version-major+minor version)
                                   "/gnutls-" version ".tar.xz"))
               (patches (search-patches "gnutls-skip-trust-store-test.patch"
-                                       "gnutls-cross.patch"
-                                       "gnutls-CVE-2021-20231.patch"
-                                       "gnutls-CVE-2021-20232.patch"))
+                                       "gnutls-cross.patch"))
               (sha256
                (base32
-                "0n0m93ymzd0q9hbknxc2ycanz49sqlkyyf73g9fk7n787llc7a0f"))))
+                "0li7mwjnm64mbxhacz0rpf6i9qd83f53fvbrx96alpqqk9d6qvk4"))))
     (build-system gnu-build-system)
     (arguments
      `(#:tests? ,(not (or (%current-target-system)
                           (hurd-target?)))
-       ;; Ensure we don't keep a reference to net-tools.
-       #:disallowed-references ,(if (hurd-target?) '() (list net-tools))
+       ;; Ensure we don't keep a reference to the tools used for testing.
+       #:disallowed-references ,(if (hurd-target?)
+                                    '()
+                                    (list net-tools iproute socat))
        #:configure-flags
-       (list
+       (cons*
              ;; GnuTLS doesn't consult any environment variables to specify
              ;; the location of the system-wide trust store.  Instead it has a
              ;; configure-time option.  Unless specified, its configure script
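Review bot: Dropping `"gnutls-CVE-2021-20231.patch"` and `"gnutls-CVE-2021-20232.patch"` from `patches`, together with the `(replacement gnutls-3.6.16)` graft in the previous hunk, is only safe if the 3.7.2 tarball already carries those fixes and the CVE-2021-20305 fix the graft provided. That is presumably the case for a newer upstream release, but nothing on this page states it, so the commit message should say so explicitly. This view is limited to `gnu/packages/tls.scm`, so it cannot be seen whether the two patch files and their registration in the patch list were removed in the same commit; that is worth checking so no stale security patches linger. The `gnutls` definition continues beyond this hunk.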
@@ -211,13 +214,25 @@ living in the same process.")
              (string-append "--with-guile-extension-dir="
                             "$(libdir)/guile/$(GUILE_EFFECTIVE_VERSION)/extensions")
 
-             ;; FIXME: Temporarily disable p11-kit support since it is not
-             ;; working on mips64el.
-             "--without-p11-kit")
+             (let ((system ,(or (%current-target-system)
+                                (%current-system))))
+               (if (string-prefix? "mips64el" system)
+                   (list
+                    ;; FIXME: Temporarily disable p11-kit support since it is
+                    ;; not working on mips64el.
+                    "--without-p11-kit")
+                   '())))
 
        #:phases (modify-phases %standard-phases
-                  (add-after
-                   'install 'move-doc
+                  ;; fastopen.sh fails to connect to the server in the builder
+                  ;; environment (see:
+                  ;; https://gitlab.com/gnutls/gnutls/-/issues/1095).
+                  (add-after 'unpack 'disable-failing-tests
+                    (lambda _
+                      (substitute* "tests/fastopen.sh"
+                        (("^unset RETCODE")
+                         "exit 77\n")))) ;skip
+                  (add-after 'install 'move-doc
                    (lambda* (#:key outputs #:allow-other-keys)
                      ;; Copy the 4.1 MiB of section 3 man pages to "doc".
                      (let* ((out    (assoc-ref outputs "out"))
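Review bot: The `(string-prefix? "mips64el" system)` test is written out here for `--without-p11-kit` and again in the `inputs` hunk further down for the `p11-kit` entry, and the two copies must always agree: the flag has to be passed exactly when the input is left out. A comment on each copy such as `;; Keep in sync with the p11-kit entry in 'inputs'.` (or a single shared predicate) would make that coupling visible to whoever lifts the mips64el restriction. The FIXME would also be easier to act on with a bug reference, as the `disable-failing-tests` phase below has. The `gnutls` package form starts and ends outside this hunk.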
@@ -226,8 +241,7 @@ living in the same process.")
                             (oldman (string-append out "/share/man/man3")))
                        (mkdir-p mandir)
                        (copy-recursively oldman mandir)
-                       (delete-file-recursively oldman)
-                       #t))))))
+                       (delete-file-recursively oldman)))))))
     (outputs '("out"                              ;4.4 MiB
                "debug"
                "doc"))                            ;4.1 MiB of man pages
@@ -237,10 +251,14 @@ living in the same process.")
              '())
        ,@(if (hurd-target?)
              '()
-             `(("net-tools" ,net-tools)))
+             `(("net-tools" ,net-tools)
+               ("iproute" ,iproute)               ;for 'ss'
+               ("socat" ,socat)))                 ;several tests rely on it
        ("pkg-config" ,pkg-config)
+       ("texinfo" ,texinfo)
        ("which" ,which)
-       ,@(if (hurd-target?) '()
+       ,@(if (hurd-target?)
+             '()
              `(("datefudge" ,datefudge)))         ;tests rely on 'datefudge'
        ("util-linux" ,util-linux)))               ;one test needs 'setsid'
     (inputs
@@ -250,7 +268,12 @@ living in the same process.")
      `(("libtasn1" ,libtasn1)
        ("libidn2" ,libidn2)
        ("nettle" ,nettle)
-       ("zlib" ,zlib)))
+       ("zlib" ,zlib)
+       ,@(let ((system (or (%current-target-system)
+                           (%current-system))))
+           (if (string-prefix? "mips64el" system)
+               '()
+               `(("p11-kit" ,p11-kit))))))
     (home-page "https://www.gnu.org/software/gnutls/")
     (synopsis "Transport layer security library")
     (description
@@ -262,68 +285,6 @@ required structures.")
     (properties '((ftp-server . "ftp.gnutls.org")
                   (ftp-directory . "/gcrypt/gnutls")))))
 
-;; Replacement package to fix CVE-2021-20305.
-(define gnutls-3.6.16
-  (package
-    (inherit gnutls)
-    (version "3.6.16")
-    (source (origin
-              (method url-fetch)
-              (uri (string-append "mirror://gnupg/gnutls/v"
-                                  (version-major+minor version)
-                                  "/gnutls-" version ".tar.xz"))
-              (patches (search-patches "gnutls-skip-trust-store-test.patch"
-                                       "gnutls-cross.patch"))
-              (sha256
-               (base32
-                "1czk511pslz367shf32f2jvvkp7y1323bcv88c2qng98mj0v6y8v"))))
-    (arguments
-     (if (%current-target-system)
-         (substitute-keyword-arguments (package-arguments gnutls)
-           ((#:phases phases '%standard-phases)
-            `(modify-phases ,phases
-               (add-before 'configure 'build-eccdata-headers
-                 (lambda* (#:key configure-flags #:allow-other-keys)
-                   ;; Build the 'ecc/eccdata' program using the native
-                   ;; compiler, not the cross-compiler as happens by default,
-                   ;; and use it to build lib/nettle/ecc/ecc-*.h.  In GnuTLS
-                   ;; 3.6.15, this was not necessary because the tarball
-                   ;; contained pre-generated lib/nettle/ecc/ecc-*.h files as
-                   ;; well as 'ecc/eccdata.stamp'.
-                   (let ((jobs  (number->string (parallel-job-count)))
-                         (patch (assoc-ref %standard-phases
-                                           'patch-generated-file-shebangs)))
-                     (mkdir "+native-build")
-                     (with-directory-excursion "+native-build"
-                       ;; Build natively, with the native compiler, GMP, etc.
-                       (invoke "../configure"
-                               (string-append "SHELL=" (which "sh"))
-                               (string-append "CONFIG_SHELL=" (which "sh"))
-                               "NETTLE_CFLAGS=   " "NETTLE_LIBS=   "
-                               "HOGWEED_CFLAGS=   " "HOGWEED_LIBS=   "
-                               "LIBTASN1_CFLAGS=   " "LIBTASN1_LIBS=   "
-                               "ac_cv_func_nettle_rsa_sec_decrypt=yes"
-                               "--without-p11-kit" "--disable-guile")
-                       (patch)
-                       (invoke "make" "-C" "gl" "-j" jobs)
-                       (invoke "make" "-C" "lib/nettle" "V=1" "-j" jobs))
-
-                     ;; Copy the files we obtained during native build.
-                     (for-each (lambda (file)
-                                 (install-file file "lib/nettle/ecc"))
-                               (find-files
-                                "+native-build/lib/nettle/ecc"
-                                "^(eccdata\\.stamp|ecc-.*\\.h)$"))))))))
-         (package-arguments gnutls)))
-    (native-inputs
-     (if (%current-target-system)
-         `(("libtasn1" ,libtasn1)                 ;for 'ecc/eccdata'
-           ("libidn2" ,libidn2)
-           ("nettle" ,nettle)
-           ("zlib" ,zlib)
-           ,@(package-native-inputs gnutls))
-         (package-native-inputs gnutls)))))
-
 (define-public gnutls/guile-2.0
   ;; GnuTLS for Guile 2.0.
   (package/inherit gnutls
@@ -351,148 +312,34 @@ required structures.")
 (define-public guile3.0-gnutls
   (deprecated-package "guile3.0-gnutls" gnutls))
 
-(define-public openssl
-  (package
-   (name "openssl")
-   (version "1.1.1j")
-   (replacement openssl-1.1.1k)
-   (source (origin
-             (method url-fetch)
-             (uri (list (string-append "https://www.openssl.org/source/openssl-"
-                                       version ".tar.gz")
-                        (string-append "ftp://ftp.openssl.org/source/"
-                                       "openssl-" version ".tar.gz")
-                        (string-append "ftp://ftp.openssl.org/source/old/"
-                                       (string-trim-right version char-set:letter)
-                                       "/openssl-" version ".tar.gz")))
-             (patches (search-patches "openssl-1.1-c-rehash-in.patch"))
-             (sha256
-              (base32
-               "1gw17520vh13izy1xf5q0a2fqgcayymjjj5bk0dlkxndfnszrwma"))))
-   (build-system gnu-build-system)
-   (outputs '("out"
-              "doc"         ;6.8 MiB of man3 pages and full HTML documentation
-              "static"))    ;6.4 MiB of .a files
-   (native-inputs `(("perl" ,perl)))
-   (arguments
-    `(#:parallel-tests? #f
-      #:test-target "test"
-
-      ;; Changes to OpenSSL sometimes cause Perl to "sneak in" to the closure,
-      ;; so we explicitly disallow it here.
-      #:disallowed-references ,(list (canonical-package perl))
-      #:phases
-      (modify-phases %standard-phases
-       ,@(if (%current-target-system)
-           '((add-before
-               'configure 'set-cross-compile
-               (lambda* (#:key target outputs #:allow-other-keys)
-                 (setenv "CROSS_COMPILE" (string-append target "-"))
-                 (setenv "CONFIGURE_TARGET_ARCH"
-                         (cond
-                           ((string-prefix? "i586" target)
-                            "hurd-x86")
-                           ((string-prefix? "i686" target)
-                            "linux-x86")
-                           ((string-prefix? "x86_64" target)
-                            "linux-x86_64")
-                           ((string-prefix? "mips64el" target)
-                            "linux-mips64")
-                           ((string-prefix? "arm" target)
-                            "linux-armv4")
-                           ((string-prefix? "aarch64" target)
-                            "linux-aarch64")
-                           ((string-prefix? "powerpc64le" target)
-                            "linux-ppc64le")
-                           ((string-prefix? "powerpc64" target)
-                            "linux-ppc64")
-                           ((string-prefix? "powerpc" target)
-                            "linux-ppc")))
-                 #t)))
-           '())
-        (replace 'configure
-          (lambda* (#:key outputs #:allow-other-keys)
-            (let* ((out (assoc-ref outputs "out"))
-                   (lib (string-append out "/lib")))
-              ;; It's not a shebang so patch-source-shebangs misses it.
-              (substitute* "config"
-                (("/usr/bin/env")
-                 (string-append (assoc-ref %build-inputs "coreutils")
-                                "/bin/env")))
-              (invoke ,@(if (%current-target-system)
-                          '("./Configure")
-                          '("./config"))
-                      "shared"       ;build shared libraries
-                      "--libdir=lib"
-
-                      ;; The default for this catch-all directory is
-                      ;; PREFIX/ssl.  Change that to something more
-                      ;; conventional.
-                      (string-append "--openssldir=" out
-                                     "/share/openssl-"
-                                     ,(package-version this-package))
+(define (target->openssl-target target)
+  "Return the value to set CONFIGURE_TARGET_ARCH to when cross-compiling
+OpenSSL for TARGET."
+  ;; Keep this code outside the build code,
+  ;; such that new targets can be added
+  ;; without causing rebuilds for other targets.
+  (cond ((string-prefix? "i586" target)
+         "hurd-x86")
+        ((string-prefix? "i686" target)
+         "linux-x86")
+        ((string-prefix? "x86_64" target)
+         "linux-x86_64")
+        ((string-prefix? "mips64el" target)
+         "linux-mips64")
+        ((string-prefix? "arm" target)
+         "linux-armv4")
+        ((string-prefix? "aarch64" target)
+         "linux-aarch64")
+        ((string-prefix? "powerpc64le" target)
+         "linux-ppc64le")
+        ((string-prefix? "powerpc64" target)
+         "linux-ppc64")
+        ((string-prefix? "powerpc" target)
+         "linux-ppc")))
 
-                      (string-append "--prefix=" out)
-                      (string-append "-Wl,-rpath," lib)
-                      ,@(if (%current-target-system)
-                          '((getenv "CONFIGURE_TARGET_ARCH"))
-                          '())))))
-        (add-after 'install 'move-static-libraries
-          (lambda* (#:key outputs #:allow-other-keys)
-            ;; Move static libraries to the "static" output.
-            (let* ((out    (assoc-ref outputs "out"))
-                   (lib    (string-append out "/lib"))
-                   (static (assoc-ref outputs "static"))
-                   (slib   (string-append static "/lib")))
-              (for-each (lambda (file)
-                          (install-file file slib)
-                          (delete-file file))
-                        (find-files lib "\\.a$"))
-              #t)))
-        (add-after 'install 'move-extra-documentation
-          (lambda* (#:key outputs #:allow-other-keys)
-               ;; Move man3 pages and full HTML documentation to "doc".
-               (let* ((out    (assoc-ref outputs "out"))
-                      (man3   (string-append out "/share/man/man3"))
-                      (html (string-append out "/share/doc/openssl"))
-                      (doc    (assoc-ref outputs "doc"))
-                      (man-target (string-append doc "/share/man/man3"))
-                      (html-target (string-append doc "/share/doc/openssl")))
-                 (copy-recursively man3 man-target)
-                 (delete-file-recursively man3)
-                 (copy-recursively html html-target)
-                 (delete-file-recursively html)
-                 #t)))
-        (add-after
-         'install 'remove-miscellany
-         (lambda* (#:key outputs #:allow-other-keys)
-           ;; The 'misc' directory contains random undocumented shell and Perl
-           ;; scripts.  Remove them to avoid retaining a reference on Perl.
-           (let ((out (assoc-ref outputs "out")))
-             (delete-file-recursively (string-append out "/share/openssl-"
-                                                     ,(package-version this-package)
-                                                     "/misc"))
-             #t))))))
-   (native-search-paths
-    (list (search-path-specification
-           (variable "SSL_CERT_DIR")
-           (separator #f)                        ;single entry
-           (files '("etc/ssl/certs")))
-          (search-path-specification
-           (variable "SSL_CERT_FILE")
-           (file-type 'regular)
-           (separator #f)                        ;single entry
-           (files '("etc/ssl/certs/ca-certificates.crt")))))
-   (synopsis "SSL/TLS implementation")
-   (description
-    "OpenSSL is an implementation of SSL/TLS.")
-   (license license:openssl)
-   (home-page "https://www.openssl.org/")))
-
-;; Replacement package to fix CVE-2021-3449 and CVE-2021-3450.
-(define openssl-1.1.1k
+(define-public openssl
   (package
-    (inherit openssl)
+    (name "openssl")
     (version "1.1.1k")
     (source (origin
               (method url-fetch)
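Review bot: `target->openssl-target` has no fallback clause, so a triplet that matches none of the prefixes falls out of the `cond` with an unspecified value, which the `set-cross-compile` phase in the next hunk then splices via `#$(target->openssl-target (%current-target-system))`. Since this now runs on the host side, a final clause along the lines of `(else (error "unsupported OpenSSL target" target))`, in whatever error-reporting form the project prefers, would give a clear message at evaluation time instead of an obscure failure later. The docstring could also mention that matching is by triplet prefix and order-sensitive (`powerpc64le` must precede `powerpc64`, which must precede `powerpc`). The `openssl` package form that follows continues outside this hunk.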
@@ -506,7 +353,109 @@ required structures.")
               (patches (search-patches "openssl-1.1-c-rehash-in.patch"))
               (sha256
                (base32
-                "1rdfzcrxy9y38wqdw5942vmdax9hjhgrprzxm42csal7p5shhal9"))))))
+                "1rdfzcrxy9y38wqdw5942vmdax9hjhgrprzxm42csal7p5shhal9"))))
+    (build-system gnu-build-system)
+    (outputs '("out"
+               "doc"         ;6.8 MiB of man3 pages and full HTML documentation
+               "static"))    ;6.4 MiB of .a files
+    (native-inputs `(("perl" ,perl)))
+    (arguments
+     `(#:parallel-tests? #f
+       #:test-target "test"
+
+       ;; Changes to OpenSSL sometimes cause Perl to "sneak in" to the closure,
+       ;; so we explicitly disallow it here.
+       #:disallowed-references ,(list (canonical-package perl))
+       #:phases
+       ,#~
+       (modify-phases %standard-phases
+         #$@(if (%current-target-system)
+                #~((add-before
+                       'configure 'set-cross-compile
+                     (lambda* (#:key target #:allow-other-keys)
+                       (setenv "CROSS_COMPILE" (string-append target "-"))
+                       (setenv "CONFIGURE_TARGET_ARCH"
+                               #$(target->openssl-target
+                                  (%current-target-system))))))
+                #~())
+         (replace 'configure
+           (lambda* (#:key configure-flags #:allow-other-keys)
+             (let* ((out #$output)
+                    (lib (string-append out "/lib")))
+               ;; It's not a shebang so patch-source-shebangs misses it.
+               (substitute* "config"
+                 (("/usr/bin/env")
+                  (string-append (assoc-ref %build-inputs "coreutils")
+                                 "/bin/env")))
+               (apply
+                invoke #$@(if (%current-target-system)
+                              #~("./Configure")
+                              #~("./config"))
+                "shared"    ;build shared libraries
+                "--libdir=lib"
+
+                ;; The default for this catch-all directory is
+                ;; PREFIX/ssl.  Change that to something more
+                ;; conventional.
+                (string-append "--openssldir=" out
+                               "/share/openssl-"
+                               #$(package-version this-package))
+
+                (string-append "--prefix=" out)
+                (string-append "-Wl,-rpath," lib)
+                #$@(if (%current-target-system)
+                       #~((getenv "CONFIGURE_TARGET_ARCH"))
+                       #~())
+                configure-flags)
+               ;; Output the configure variables.
+               (invoke "perl" "configdata.pm" "--dump"))))
+         (add-after 'install 'move-static-libraries
+           (lambda _
+             ;; Move static libraries to the "static" output.
+             (let* ((out    #$output)
+                    (lib    (string-append out "/lib"))
+                    (static #$output:static)
+                    (slib   (string-append static "/lib")))
+               (for-each (lambda (file)
+                           (install-file file slib)
+                           (delete-file file))
+                         (find-files lib "\\.a$")))))
+         (add-after 'install 'move-extra-documentation
+           (lambda _
+             ;; Move man pages and full HTML documentation to "doc".
+             (let* ((out    #$output)
+                    (man    (string-append out "/share/man"))
+                    (html   (string-append out "/share/doc/openssl"))
+                    (doc    #$output:doc)
+                    (man-target (string-append doc "/share/man"))
+                    (html-target (string-append doc "/share/doc/openssl")))
+               (mkdir-p (dirname man-target))
+               (mkdir-p (dirname html-target))
+               (rename-file man man-target)
+               (rename-file html html-target))))
+         (add-after
+             'install 'remove-miscellany
+           (lambda _
+             ;; The 'misc' directory contains random undocumented shell and Perl
+             ;; scripts.  Remove them to avoid retaining a reference on Perl.
+             (delete-file-recursively (string-append #$output "/share/openssl-"
+                                                     #$(package-version this-package)
+                                                     "/misc")))))))
+    (native-search-paths
+     (list (search-path-specification
+            (variable "SSL_CERT_DIR")
+            (separator #f)                        ;single entry
+            (files '("etc/ssl/certs")))
+           (search-path-specification
+            (variable "SSL_CERT_FILE")
+            (file-type 'regular)
+            (separator #f)                        ;single entry
+            (files '("etc/ssl/certs/ca-certificates.crt")))))
+    (synopsis "SSL/TLS implementation")
+    (description
+     "OpenSSL is an implementation of SSL/TLS.")
+    (license license:openssl)
+    (home-page "https://www.openssl.org/")))
 
 (define-public openssl-1.0
   (package
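Review bot: The output comment `"doc" ;6.8 MiB of man3 pages and full HTML documentation` is stale: `move-extra-documentation` now renames the whole `share/man` directory into `doc`, not just `man3`. I would change it to something like `"doc" ;man pages and full HTML documentation` with a re-measured size. The commit message should also state whether moving the section 1 pages out of `out` is intended, since that is a user-visible change. Separately, the `configure` phase now appends `configure-flags` and dumps `configdata.pm`, which is useful for auditing the build options, but it still looks up coreutils through `(assoc-ref %build-inputs "coreutils")` while the rest of the phases moved to `#$output`; a short comment on why that lookup stays label-based would help.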
@@ -535,7 +484,7 @@ required structures.")
        ;; Parallel build is not supported in 1.0.x.
        ((#:parallel-build? _ #f) #f)
        ((#:phases phases)
-        `(modify-phases ,phases
+       #~(modify-phases #$phases
            (add-before 'patch-source-shebangs 'patch-tests
              (lambda* (#:key inputs native-inputs #:allow-other-keys)
                (let ((bash (assoc-ref (or native-inputs inputs) "bash")))
@@ -558,9 +507,9 @@ required structures.")
 	     ;; Override this phase because OpenSSL 1.0 does not understand -rpath.
 	     (lambda* (#:key outputs #:allow-other-keys)
 	       (let ((out (assoc-ref outputs "out")))
-		 (invoke ,@(if (%current-target-system)
-			       '("./Configure")
-			       '("./config"))
+		 (invoke #$@(if (%current-target-system)
+			        #~("./Configure")
+			        #~("./config"))
 			 "shared"                 ;build shared libraries
 			 "--libdir=lib"
 
@@ -568,12 +517,12 @@ required structures.")
 			 ;; PREFIX/ssl.  Change that to something more
 			 ;; conventional.
 			 (string-append "--openssldir=" out
-					"/share/openssl-" ,version)
+					"/share/openssl-" #$version)
 
 			 (string-append "--prefix=" out)
-			 ,@(if (%current-target-system)
-			       '((getenv "CONFIGURE_TARGET_ARCH"))
-			       '())))))
+			 #$@(if (%current-target-system)
+			        '((getenv "CONFIGURE_TARGET_ARCH"))
+			        '())))))
         (delete 'move-extra-documentation)
         (add-after 'install 'move-man3-pages
           (lambda* (#:key outputs #:allow-other-keys)
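Review bot: The second splice in this `configure` override still uses quoted lists, `'((getenv "CONFIGURE_TARGET_ARCH"))` and `'()`, while the `./Configure`/`./config` splice in the previous hunk and the same expression in the `openssl` definition use `#~(...)`. Under `#$@` both forms presumably lower to the same build code, but the mix reads as an oversight; I would write `#~((getenv "CONFIGURE_TARGET_ARCH"))` and `#~()` here as well. The changed lines in this hunk and the previous one are also tab-indented, unlike the rest of the file. The phase's lambda begins outside this hunk.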
@@ -598,7 +547,7 @@ required structures.")
                ;; scripts.  Remove them to avoid retaining a reference on Perl.
                (let ((out (assoc-ref outputs "out")))
                  (delete-file-recursively (string-append out "/share/openssl-"
-                                                         ,version "/misc"))
+                                                         #$version "/misc"))
                  #t)))))))))
 
 (define-public libressl
@@ -918,8 +867,7 @@ number generator")
        (modify-phases %standard-phases
          (add-after 'unpack 'patch-paths
            (lambda* (#:key inputs #:allow-other-keys)
-             (let ((pem (string-append (assoc-ref inputs "libressl")
-                                       "/etc/ssl/cert.pem")))
+             (let ((pem (search-input-file inputs "/etc/ssl/cert.pem")))
                (substitute* "http.c"
                  (("/etc/ssl/cert.pem") pem))
                #t)))
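Review bot: `(search-input-file inputs "/etc/ssl/cert.pem")` no longer ties the CA bundle baked into `http.c` to the `libressl` input; it takes the file from whichever input provides that path. That is fine while only one input ships `etc/ssl/cert.pem`, but since this is the trust anchor file, a comment such as `;; cert.pem is expected to come from libressl` would record the assumption for anyone who later adds inputs. The leftover `#t` at the end of the phase can go too, as was done for the other phases in this commit. The enclosing package definition starts outside this hunk.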