Diffstat (limited to 'gnu/packages/tls.scm')
-rw-r--r--gnu/packages/tls.scm303
1 files changed, 183 insertions, 120 deletions
diff --git a/gnu/packages/tls.scm b/gnu/packages/tls.scm
index f58bc9396e..9b2669e095 100644
--- a/gnu/packages/tls.scm
+++ b/gnu/packages/tls.scm
@@ -56,6 +56,7 @@
#:use-module (gnu packages)
#:use-module (gnu packages autotools)
#:use-module (gnu packages bash)
+ #:use-module (gnu packages build-tools)
#:use-module (gnu packages check)
#:use-module (gnu packages curl)
#:use-module (gnu packages dns)
@@ -66,6 +67,7 @@
#:use-module (gnu packages libbsd)
#:use-module (gnu packages libffi)
#:use-module (gnu packages libidn)
+ #:use-module (gnu packages libunistring)
#:use-module (gnu packages linux)
#:use-module (gnu packages ncurses)
#:use-module (gnu packages nettle)
@@ -79,6 +81,7 @@
#:use-module (gnu packages sphinx)
#:use-module (gnu packages texinfo)
#:use-module (gnu packages time)
+ #:use-module (gnu packages version-control)
#:use-module (gnu packages base)
#:use-module (srfi srfi-1))
@@ -304,8 +307,6 @@ required structures.")
(ftp-directory . "/gcrypt/gnutls")))))
(define-public gnutls-latest
- ;; Version 3.7.7 introduces 'set-session-record-port-close!', which allows
- ;; us to get rid of the wrapper port in 'tls-wrap'.
(package
(inherit gnutls)
(version "3.7.7")
@@ -318,7 +319,14 @@ required structures.")
"gnutls-cross.patch"))
(sha256
(base32
- "01i1gl15k6qwvxmxx0by1mn9nlmcmym18wdpm7dn9awfsp8474dy"))))))
+ "01i1gl15k6qwvxmxx0by1mn9nlmcmym18wdpm7dn9awfsp8474dy"))))
+
+ ;; Disable Guile bindings: they are now provided by Guile-GnuTLS.
+ (inputs (modify-inputs (package-inputs gnutls)
+ (delete "guile")
+ (append libunistring))) ;GnuTLS depends on it
+ (native-inputs (modify-inputs (package-native-inputs gnutls)
+ (delete "guile")))))
(define-public gnutls/dane
;; GnuTLS with build libgnutls-dane, implementing DNS-based
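Review bot: The Guile bindings in `gnutls-latest` are switched off only indirectly, by deleting the `guile` entry from `inputs` and `native-inputs`; nothing in the hunk tells the configure script not to build them. The `arguments` inherited from `gnutls` are not visible in this diff, so any Guile-related configure flags they contain would still be passed, and the result then rests on configure's auto-detection. Passing GnuTLS's `--disable-guile` explicitly through the inherited configure flags would make the intent verifiable in the build log. The definition of `gnutls-latest` starts above this hunk.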
@@ -336,6 +344,69 @@ required structures.")
(inputs (modify-inputs (package-inputs gnutls)
(replace "guile" guile-2.2)))))
+(define-public guile-gnutls
+ (package
+ ;; This package supersedes the Guile bindings that came with GnuTLS until
+ ;; version 3.7.8 included.
+ (name "guile-gnutls")
+ (version "3.7.11")
+ (home-page "https://gitlab.com/gnutls/guile/")
+ (source (origin
+ (method git-fetch)
+ (uri (git-reference
+ (url home-page)
+ (commit (string-append "v" version))))
+ (sha256
+ (base32
+ "06d7v3i0d9ayp7zqk1rsy4z0wfpq69n0r54f1xrppb9gn7q9iva6"))
+ (file-name (git-file-name name version))
+ (patches (search-patches "gnutls-cross.patch"))))
+ (build-system gnu-build-system)
+ (arguments
+ (list
+ #:configure-flags
+ ;; Tell the build system that we want Guile bindings installed to the
+ ;; output instead of Guiles own module directory.
+ #~(list "--disable-static"
+ (string-append "--with-guile-site-dir="
+ "$(datarootdir)/guile/site/$(GUILE_EFFECTIVE_VERSION)")
+ (string-append "--with-guile-site-ccache-dir="
+ "$(libdir)/guile/$(GUILE_EFFECTIVE_VERSION)/site-ccache")
+ (string-append "--with-guile-extension-dir="
+ "$(libdir)/guile/$(GUILE_EFFECTIVE_VERSION)/extensions"))
+ #:phases
+ #~(modify-phases %standard-phases
+ (add-after 'unpack 'patch-more-shebangs
+ (lambda _
+ (for-each patch-shebang
+ '("autopull.sh" "autogen.sh"))))
+ (replace 'bootstrap
+ (lambda _
+ (invoke "bash" "./bootstrap" "--no-git"))))))
+ (native-inputs
+ (list autoconf
+ automake
+ libtool
+ pkg-config
+ texinfo
+ gnutls-latest ;XXX: 'guile-snarf' invokes the native 'cpp'
+ guile-3.0
+ (gnulib-checkout
+ #:version "2022-12-06"
+ #:commit "440b528b1d81dd31b2a2e4dde20d5c837c147811"
+ #:hash (base32 "15mq43abbnkbamchc9lynrvrd5ql8qacgyx2ph4kkngxf1bz3pqy"))))
+ (inputs
+ (list gnutls-latest
+ guile-3.0))
+ (properties '((release-tag-prefix . "v")
+ (release-tag-version-delimiter . ".")))
+ (synopsis "Guile bindings to GnuTLS")
+ (description
+ "This package provides Guile bindings to GnuTLS, a library implementation
+the @acronym{TLS, Transport-Layer Security} protocol. It supersedes the Guile
+bindings that were formerly provided as part of GnuTLS.")
+ (license license:lgpl2.1+)))
+
(define (target->openssl-target target)
"Return the value to set CONFIGURE_TARGET_ARCH to when cross-compiling
OpenSSL for TARGET."
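Review bot: The description of the new `guile-gnutls` package reads "a library implementation the @acronym{TLS, Transport-Layer Security} protocol"; the word "of" is missing, and this text is what package search shows to users. It should read `GnuTLS, a library implementation of the`. The comment above `#:configure-flags` has a similar slip: `Guiles own module directory` should be `Guile's own module directory`. Separately, `gnutls-cross.patch` is reused here on a different source tree than the one `gnutls-latest` patches, so a one-line comment saying that it is meant to apply to this repository too would help whoever next updates either package.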
@@ -513,10 +584,29 @@ OpenSSL for TARGET."
(license license:openssl)
(home-page "https://www.openssl.org/")))
+(define openssl/fixed
+ (package
+ (inherit openssl-1.1)
+ (name "openssl")
+ (version "1.1.1s")
+ (source (origin
+ (method url-fetch)
+ (uri (list (string-append "https://www.openssl.org/source/openssl-"
+ version ".tar.gz")
+ (string-append "ftp://ftp.openssl.org/source/"
+ "openssl-" version ".tar.gz")
+ (string-append "ftp://ftp.openssl.org/source/old/"
+ (string-trim-right version char-set:letter)
+ "/openssl-" version ".tar.gz")))
+ (patches (search-patches "openssl-1.1-c-rehash-in.patch"))
+ (sha256
+ (base32
+ "1amnwis6z2piqs022cpbcg828rql62yjnsqxnvdg0vzfc3kh3b65"))))))
+
(define-public openssl-3.0
(package
(inherit openssl-1.1)
- (version "3.0.5")
+ (version "3.0.7")
(source (origin
(method url-fetch)
(uri (list (string-append "https://www.openssl.org/source/openssl-"
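Review bot: `openssl/fixed` is defined at 1.1.1s, but nothing in this hunk or the other visible hunks refers to it: no `(replacement openssl/fixed)` field is added to `openssl-1.1`, and the variable is not exported. Unless `openssl-1.1` already carries that field outside the diff, the newer 1.1.1 release is never grafted and dependents keep building against the older one. If a graft is intended, `openssl-1.1` needs `(replacement openssl/fixed)`. A comment above the definition, such as `;; Graft for openssl-1.1; fold into the base package on the next rebuild.`, would record why the variable exists.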
@@ -529,7 +619,7 @@ OpenSSL for TARGET."
(patches (search-patches "openssl-3.0-c-rehash-in.patch"))
(sha256
(base32
- "0yja085lygkdxbf4k4rckkj9r24p8dgix8avqljnbbbixydqszda"))))
+ "0virbkcrw7nn3gr5r51z722gs1ppig0casj0c9pnj3i65829s143"))))
(arguments
(substitute-keyword-arguments (package-arguments openssl-1.1)
((#:phases phases '%standard-phases)
@@ -597,14 +687,14 @@ kilobytes of RAM.")
(define-public libressl
(package
(name "libressl")
- (version "3.3.6")
+ (version "3.6.1")
(source (origin
(method url-fetch)
(uri (string-append "mirror://openbsd/LibreSSL/"
"libressl-" version ".tar.gz"))
(sha256
(base32
- "16jbzqj9wy2z10x8ppx63idw44k0d3wly0grpar0s6g1cn9q8a1z"))))
+ "0x37037rb0zx34zp0kbbqj2xwd57gh1m6bfn52f92fz92q9wdymc"))))
(build-system gnu-build-system)
(arguments
`(#:configure-flags
@@ -893,47 +983,6 @@ correct OpenSSL include path. It is intended for use in your
number generator")
(license license:perl-license)))
-(define-public acme-client
- (package
- (name "acme-client")
- (version "0.1.16")
- (source (origin
- (method url-fetch)
- (uri (string-append "https://kristaps.bsd.lv/" name "/"
- "snapshots/" name "-portable-"
- version ".tgz"))
- (sha256
- (base32
- "00q05b3b1dfnfp7sr1nbd212n0mqrycl3cr9lbs51m7ncaihbrz9"))))
- (build-system gnu-build-system)
- (arguments
- '(#:tests? #f ; no test suite
- #:make-flags
- (list "CC=gcc"
- (string-append "PREFIX=" (assoc-ref %outputs "out")))
- #:phases
- (modify-phases %standard-phases
- (add-after 'unpack 'patch-paths
- (lambda* (#:key inputs #:allow-other-keys)
- (let ((pem (search-input-file inputs "/etc/ssl/cert.pem")))
- (substitute* "http.c"
- (("/etc/ssl/cert.pem") pem))
- #t)))
- (delete 'configure)))) ; no './configure' script
- (native-inputs
- (list pkg-config))
- (inputs
- (list libbsd libressl))
- (synopsis "Let's Encrypt client by the OpenBSD project")
- (description "acme-client is a Let's Encrypt client implemented in C. It
-uses a modular design, and attempts to secure itself by dropping privileges and
-operating in a chroot where possible. acme-client is developed on OpenBSD and
-then ported to the GNU / Linux environment.")
- (home-page "https://kristaps.bsd.lv/acme-client/")
- ;; acme-client is distributed under the ISC license, but the files 'jsmn.h'
- ;; and 'jsmn.c' are distributed under the Expat license.
- (license (list license:isc license:expat))))
-
;; The "-apache" variant is the upstreamed prefered variant. A "-gpl"
;; variant exists in addition to the "-apache" one.
(define-public mbedtls-apache
@@ -941,25 +990,16 @@ then ported to the GNU / Linux environment.")
(name "mbedtls-apache")
;; XXX Check whether ‘-Wformat-signedness’ still breaks mbedtls-for-hiawatha
;; when updating.
- (version "2.26.0")
+ (version "2.28.0")
(source
(origin
(method git-fetch)
(uri (git-reference
(url "https://github.com/ARMmbed/mbedtls")
(commit (string-append "mbedtls-" version))))
- (sha256
- (base32 "0scwpmrgvg6q7rvqkc352d2fqlsx0aylcbyibcp1f1rsn8iiif2m"))
(file-name (git-file-name name version))
- (modules '((guix build utils)))
- (snippet
- '(begin
- ;; Can be removed with the next version.
- ;; Reduce level of format truncation warnings due to false positives.
- ;; https://github.com/ARMmbed/mbedtls/commit/2065a8d8af27c6cb1e40c9462b5933336dca7434
- (substitute* "CMakeLists.txt"
- (("Wformat-truncation=2") "Wformat-truncation"))
- #t))))
+ (sha256
+ (base32 "0s37dsi29v7146fi9k4frvx5rz2snxdm6c3rwq2fvnca2r80hfjl"))))
(build-system cmake-build-system)
(arguments
`(#:configure-flags
@@ -969,8 +1009,7 @@ then ported to the GNU / Linux environment.")
(modify-phases %standard-phases
(add-after 'unpack 'make-source-writable
(lambda _
- (for-each make-file-writable (find-files "."))
- #t)))))
+ (for-each make-file-writable (find-files ".")))))))
(native-inputs
(list perl python))
(synopsis "Small TLS library")
@@ -987,6 +1026,26 @@ coding footprint.")
(hidden-package
(package
(inherit mbedtls-apache)
+ (name "mbedtls-apache")
+ (version "2.26.0")
+ (source
+ (origin
+ (method git-fetch)
+ (uri (git-reference
+ (url "https://github.com/ARMmbed/mbedtls")
+ (commit (string-append "mbedtls-" version))))
+ (sha256
+ (base32 "0scwpmrgvg6q7rvqkc352d2fqlsx0aylcbyibcp1f1rsn8iiif2m"))
+ (file-name (git-file-name name version))
+ (modules '((guix build utils)))
+ (snippet
+ '(begin
+ ;; Can be removed with the next version.
+ ;; Reduce level of format truncation warnings due to false positives.
+ ;; https://github.com/ARMmbed/mbedtls/commit/2065a8d8af27c6cb1e40c9462b5933336dca7434
+ (substitute* "CMakeLists.txt"
+ (("Wformat-truncation=2") "Wformat-truncation"))
+ #t))))
(arguments
(substitute-keyword-arguments (package-arguments mbedtls-apache)
((#:phases phases)
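Review bot: The hidden variant now pins mbedtls 2.26.0 while the public `mbedtls-apache` moves to 2.28.0, and the hunk gives no reason for holding a TLS library back; the `XXX` remark about `-Wformat-signedness` sits on the parent package, not here. A pinned copy does not pick up whatever fixes went into the newer release, so the override should say why it exists and when it can go, for example `;; Held at 2.26.0 because of the -Wformat-signedness breakage noted on mbedtls-apache; drop once that is resolved.` (I am inferring the reason, so please confirm it). The copied snippet comment `Can be removed with the next version` is stale now that the version is fixed here. `(name "mbedtls-apache")` repeats the inherited name and can be dropped. The enclosing definition starts above the hunk and its `#:phases` continue below it.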
@@ -1005,68 +1064,68 @@ coding footprint.")
(define-public dehydrated
(package
(name "dehydrated")
- (version "0.7.0")
- (source (origin
- (method url-fetch)
- (uri (string-append
- "https://github.com/dehydrated-io/dehydrated/releases/download/"
- "v" version "/dehydrated-" version ".tar.gz"))
- (sha256
- (base32
- "1yf4kldyd5y13r6qxrkcbbk74ykngq7jzy0351vb2r3ywp114pqw"))))
+ (version "0.7.1")
+ (source
+ (origin
+ (method git-fetch)
+ (uri (git-reference
+ (url "https://github.com/dehydrated-io/dehydrated")
+ (commit (string-append "v" version))))
+ (file-name (git-file-name name version))
+ (sha256
+ (base32 "1mhf3v9ynwrxrkqawqpxnwfn5dmrlkqcvkxdrk59nkxjpdx1wkrb"))))
(build-system trivial-build-system)
(arguments
- `(#:modules ((guix build utils)
+ (list
+ #:modules '((guix build utils)
(srfi srfi-26))
- #:builder
- (begin
- (use-modules (guix build utils)
- (srfi srfi-26))
- (let* ((source (assoc-ref %build-inputs "source"))
- (tar (assoc-ref %build-inputs "tar"))
- (gz (assoc-ref %build-inputs "gzip"))
- (out (assoc-ref %outputs "out"))
- (bin (string-append out "/bin"))
- (doc (string-append out "/share/doc/" ,name "-" ,version))
- (man (string-append out "/share/man"))
- (bash (in-vicinity (assoc-ref %build-inputs "bash") "bin")))
+ #:builder
+ #~(begin
+ (use-modules (guix build utils)
+ (srfi srfi-26))
+ (let* ((source (assoc-ref %build-inputs "source"))
+ (gzip (search-input-file %build-inputs "bin/gzip"))
+ (bin (string-append #$output "/bin"))
+ (doc (string-append #$output "/share/doc/"
+ #$name "-" #$version))
+ (man (string-append #$output "/share/man"))
+ (bash (in-vicinity (assoc-ref %build-inputs "bash") "bin")))
- (setenv "PATH" (string-append gz "/bin"))
- (invoke (string-append tar "/bin/tar") "xvf" source)
- (chdir (string-append ,name "-" ,version))
+ (chdir source)
- (copy-recursively "docs" doc)
- (install-file "LICENSE" doc)
+ (copy-recursively "docs" doc)
+ (install-file "LICENSE" doc)
- (mkdir-p man)
- (rename-file (string-append doc "/man")
- (string-append man "/man1"))
- (for-each (cut invoke "gzip" "-9" <>)
- (find-files man ".*"))
+ (mkdir-p man)
+ (rename-file (string-append doc "/man")
+ (string-append man "/man1"))
+ (for-each (cut invoke gzip "-9n" <>)
+ (find-files man ".*"))
- (install-file "dehydrated" bin)
- (with-directory-excursion bin
- (patch-shebang "dehydrated" (list bash))
+ (install-file "dehydrated" bin)
+ (with-directory-excursion bin
+ (patch-shebang "dehydrated" (list bash))
- ;; Do not try to write to the store.
- (substitute* "dehydrated"
- (("SCRIPTDIR=\"\\$.*\"") "SCRIPTDIR=~/.dehydrated"))
+ ;; Do not try to write to the store.
+ (substitute* "dehydrated"
+ (("SCRIPTDIR=\"\\$.*\"") "SCRIPTDIR=~/.dehydrated"))
- (setenv "PATH" bash)
- (wrap-program "dehydrated"
- `("PATH" ":" prefix
- ,(map (lambda (dir)
- (string-append dir "/bin"))
- (map (lambda (input)
- (assoc-ref %build-inputs input))
- '("coreutils"
- "curl"
- "diffutils"
- "gawk"
- "grep"
- "openssl"
- "sed"))))))
- #t))))
+ (setenv "PATH" bash)
+ (wrap-program "dehydrated"
+ `("PATH" ":" prefix
+ ,(map (lambda (file)
+ (dirname (search-input-file %build-inputs file)))
+ (list
+ ;; From check_dependencies() — keep them in sync.
+ "bin/grep"
+ "bin/diff"
+ "bin/sed"
+ "bin/awk"
+ "bin/curl"
+ "bin/cut" ; also mktemp, head, tail
+ "bin/hexdump"
+ ;; Additional requirements.
+ "bin/openssl")))))))))
(inputs
(list bash
coreutils
@@ -1075,9 +1134,10 @@ coding footprint.")
gawk
grep
openssl
- sed))
+ sed
+ util-linux+udev))
(native-inputs
- (list gzip tar))
+ (list gzip))
;; The following definition is copied from the cURL package to prevent a
;; cycle between the curl and tls modules.
(native-search-paths
@@ -1157,7 +1217,7 @@ compatibility is also supported.")
(define-public wolfssl
(package
(name "wolfssl")
- (version "4.8.1")
+ (version "5.5.1")
(source (origin
(method git-fetch)
(uri (git-reference
@@ -1166,11 +1226,14 @@ compatibility is also supported.")
(file-name (git-file-name name version))
(sha256
(base32
- "0w5pd40j6h4j2f0b7c2n1n979y9qk8aln3ss2gb0jfsid1hrmx5k"))))
+ "0pz25acm842cl6l51vqr8pgxci6rda8sznms757p7rnm9fw3jdl0"))))
(build-system gnu-build-system)
(arguments
'(#:configure-flags
- '("--enable-reproducible-build")))
+ '("--enable-distro"
+ "--enable-pkcs11"
+ "--disable-examples"
+ "--enable-jobserver=no")))
(native-inputs
(list autoconf automake libtool))
(synopsis "SSL/TLS implementation")
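Review bot: The new `#:configure-flags` list drops `--enable-reproducible-build` without saying why. If the 5.5.1 build still embeds build-time data, the output stops being bit-for-bit reproducible, and that property is what lets independent builders check a substitute. Either keep the flag alongside the new ones or add a comment stating that it is no longer needed. `--enable-distro` and `--enable-pkcs11` also widen the feature set compiled into a TLS library, so a short comment naming what needs them would help, e.g. `;; --enable-distro, --enable-pkcs11: needed by <dependent package>`.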