From caeadfddb01d2cda19d2f761ba9906ef8f162173 Mon Sep 17 00:00:00 2001 From: Ludovic Courtès Date: Tue, 1 Mar 2016 15:57:37 +0100 Subject: gnu: openssl: Replace with 1.0.2g [fixes CVE-2016-{0800,0705,0798,0797,0799,0702,0703,0704}]. See . Also fixes . * gnu/packages/patches/openssl-c-rehash-in.patch: New file. * gnu/packages/tls.scm (openssl)[replacement]: New field. (openssl-1.0.2g): New variable. --- gnu/packages/tls.scm | 23 ++++++++++++++++++++++- 1 file changed, 22 insertions(+), 1 deletion(-) (limited to 'gnu/packages/tls.scm') diff --git a/gnu/packages/tls.scm b/gnu/packages/tls.scm index 57f0ca1114..dc27366448 100644 --- a/gnu/packages/tls.scm +++ b/gnu/packages/tls.scm @@ -1,5 +1,5 @@ ;;; GNU Guix --- Functional package management for GNU -;;; Copyright © 2012, 2013, 2014, 2015 Ludovic Courtès +;;; Copyright © 2012, 2013, 2014, 2015, 2016 Ludovic Courtès ;;; Copyright © 2014, 2015, 2016 Mark H Weaver ;;; Copyright © 2014 Ian Denhardt ;;; Copyright © 2013, 2015 Andreas Enge @@ -179,6 +179,7 @@ required structures.") (define-public openssl (package + (replacement openssl-1.0.2g) (name "openssl") (version "1.0.2f") (source (origin @@ -282,6 +283,26 @@ required structures.") (license license:openssl) (home-page "http://www.openssl.org/"))) +(define openssl-1.0.2g + (package + (inherit openssl) + (replacement #f) + (source + (let ((name "openssl") (version "1.0.2g")) + (origin + (method url-fetch) + (uri (list (string-append "ftp://ftp.openssl.org/source/" + name "-" version ".tar.gz") + (string-append "ftp://ftp.openssl.org/source/old/" + (string-trim-right version char-set:letter) + "/" name "-" version ".tar.gz"))) + (sha256 + (base32 + "0cxajjayi859czi545ddafi24m9nwsnjsw4q82zrmqvwj2rv315p")) + (patches (map search-patch + '("openssl-runpath.patch" + "openssl-c-rehash-in.patch")))))))) + (define-public libressl (package (name "libressl") -- cgit 1.4.1 From 599860d2b9dbe4b9f60871a79edfabfdfecb4129 Mon Sep 17 00:00:00 2001 
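Review bot: The new `openssl-1.0.2g` definition (hunk `@@ -282,6 +283,26 @@` of commit caeadfdd) overrides only `source`, so the `version` field it inherits from `openssl` still reads "1.0.2f", as the context line of the preceding hunk shows, and nothing in the definition says so. Anyone auditing installed versions against the CVE list in the subject could mistake the grafted package for the unfixed release. The unchanged version is presumably intentional for the graft, but that is not visible here. I would add a comment above the definition, e.g. `;; Security graft for 'openssl': only 'source' changes; the inherited 'version' field still reads "1.0.2f".` The source URIs are plain `ftp://`, so the pinned `sha256` is the only integrity check on the tarball visible in this hunk.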
From: Leo Famulari Date: Tue, 1 Mar 2016 16:30:13 -0500 Subject: gnu: libressl: Update to 2.2.6. * gnu/packages/tls.scm (libressl): Update to 2.2.6. --- gnu/packages/tls.scm | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'gnu/packages/tls.scm') diff --git a/gnu/packages/tls.scm b/gnu/packages/tls.scm index dc27366448..11a59db95e 100644 --- a/gnu/packages/tls.scm +++ b/gnu/packages/tls.scm @@ -306,7 +306,7 @@ required structures.") (define-public libressl (package (name "libressl") - (version "2.2.5") + (version "2.2.6") (source (origin (method url-fetch) @@ -314,7 +314,7 @@ required structures.") "http://ftp.openbsd.org/pub/OpenBSD/LibreSSL/libressl-" version ".tar.gz")) (sha256 (base32 - "0jwidi7fafcdh5qml72dx0ad0kfsk94qxzm29i7wd3cx8v8dxjp3")))) + "0kynb15l5gq1qgp3p4ncn20sc65sbl8lk89vyr07s17xrya9kq8y")))) (build-system gnu-build-system) (native-search-paths ;; FIXME: These two variables must designate a single file or directory -- cgit 1.4.1 From ed742bc4b4f25e5baff80c1f8529c20b6d98b513 Mon Sep 17 00:00:00 2001 From: Mark H Weaver Date: Wed, 2 Mar 2016 01:51:47 -0500 Subject: gnu: openssl: Enable ssl2 at build time to ensure ABI compatible graft. Fixes Reported by Christopher Allan Webber . * gnu/packages/tls.scm (openssl-1.0.2g)[arguments]: Override the inherited 'configure' phase to add "enable-ssl2" as an argument to ./config. --- gnu/packages/tls.scm | 36 +++++++++++++++++++++++++++++++++++- 1 file changed, 35 insertions(+), 1 deletion(-) (limited to 'gnu/packages/tls.scm') diff --git a/gnu/packages/tls.scm b/gnu/packages/tls.scm index 11a59db95e..e942bb30bc 100644 --- a/gnu/packages/tls.scm +++ b/gnu/packages/tls.scm 
@@ -301,7 +301,41 @@ required structures.") "0cxajjayi859czi545ddafi24m9nwsnjsw4q82zrmqvwj2rv315p")) (patches (map search-patch '("openssl-runpath.patch" - "openssl-c-rehash-in.patch")))))))) + "openssl-c-rehash-in.patch")))))) + (arguments + (substitute-keyword-arguments (package-arguments openssl) + ((#:phases phases) + `(modify-phases ,phases + (replace 'configure + (lambda* (#:key outputs #:allow-other-keys) + (let ((out (assoc-ref outputs "out"))) + (zero? + (system* + "./config" + + ;; XXX TEMPORARY, FOR GRAFTING ONLY + ;; Enable ssl2 code to preserve + ;; ABI compatibility with 1.0.2f + "enable-ssl2" + + "shared" ;build shared libraries + "--libdir=lib" + + ;; The default for this catch-all directory is + ;; PREFIX/ssl. Change that to something more + ;; conventional. + (string-append "--openssldir=" out + "/share/openssl-" ,(package-version openssl)) + + (string-append "--prefix=" out) + + ;; XXX FIXME: Work around a code generation bug in GCC + ;; 4.9.3 on ARM when compiled with -mfpu=neon. See: + ;; + ,@(if (and (not (%current-target-system)) + (string-prefix? "armhf" (%current-system))) + '("-mfpu=vfpv3") + '())))))))))))) (define-public libressl (package -- cgit 1.4.1 From eda0522aabbda8415b1266fd9a8fab8a5e02cf50 Mon Sep 17 00:00:00 2001 From: Leo Famulari Date: Wed, 2 Mar 2016 04:19:43 -0500 Subject: gnu: letsencrypt, python-acme: Update to 0.4.2. These packages should be updated together. * gnu/packages/tls.scm (letsencrypt): Update to 0.4.2. (python-acme, python2-acme): Update to 0.4.2. --- gnu/packages/tls.scm | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) (limited to 'gnu/packages/tls.scm') diff --git a/gnu/packages/tls.scm b/gnu/packages/tls.scm index e942bb30bc..b6bf2578ea 100644 --- a/gnu/packages/tls.scm +++ b/gnu/packages/tls.scm 
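Review bot: The `"enable-ssl2"` argument in the replaced `configure` phase (commit ed742bc4) compiles the SSLv2 code back into a build whose graft was introduced to fix, among others, CVE-2016-0800, and the `XXX TEMPORARY, FOR GRAFTING ONLY` comment gives no condition for removing it. As far as I know, 1.0.2g still keeps SSLv2 off at run time unless an application clears `SSL_OP_NO_SSLv2` or uses the SSLv2-specific methods, but the comment should state that rather than leave it assumed. I would extend the comment, e.g. `;; Remove "enable-ssl2" once 'openssl' itself is updated to 1.0.2g and this graft is dropped.` The phase also appears to restate the inherited `configure` phase in full (the parent's phase is outside the hunk), so the two can drift apart; a one-line comment saying which argument is the only intended difference would help.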
@@ -376,13 +376,13 @@ security, and applying best practice development processes.") (define-public python-acme (package (name "python-acme") - (version "0.4.0") + (version "0.4.2") (source (origin (method url-fetch) (uri (pypi-uri "acme" version)) (sha256 (base32 - "173j2zkslh43fzf3wkl1jdzfjry361m0mhlc3jpwp7hk7lrclzjg")))) + "1dh0qlsi309b37wa0nw0h2gvs94yk12lc4mhr3rb9c4h46m0hn8a")))) (build-system python-build-system) (arguments `(#:phases @@ -435,13 +435,13 @@ security, and applying best practice development processes.") (define-public letsencrypt (package (name "letsencrypt") - (version "0.4.0") + (version "0.4.2") (source (origin (method url-fetch) (uri (pypi-uri "letsencrypt" version)) (sha256 (base32 - "1wwq8yvfdybf4d0gv4yfddkrg865s7rhng5xg563kks4wza1a2wp")))) + "1rjbblj60w7jwc5y04sy6fbxcynvakvazikg1pdmhyic5jmj9bg3")))) (build-system python-build-system) (arguments `(#:python ,python-2 -- cgit 1.4.1