1 ;;; GNU Guix --- Functional package management for GNU
2 ;;; Copyright © 2012, 2013, 2014, 2015, 2016, 2017 Ludovic Courtès <ludo@gnu.org>
3 ;;; Copyright © 2014, 2015, 2016, 2017, 2018 Mark H Weaver <mhw@netris.org>
4 ;;; Copyright © 2014 Ian Denhardt <ian@zenhack.net>
5 ;;; Copyright © 2013, 2015 Andreas Enge <andreas@enge.fr>
6 ;;; Copyright © 2015 David Thompson <davet@gnu.org>
7 ;;; Copyright © 2015, 2016, 2017, 2018 Leo Famulari <leo@famulari.name>
8 ;;; Copyright © 2016, 2017 Efraim Flashner <efraim@flashner.co.il>
9 ;;; Copyright © 2016, 2017, 2018 Nils Gillmann <ng0@n0.is>
10 ;;; Copyright © 2016 Hartmut Goebel <h.goebel@crazy-compilers.com>
11 ;;; Copyright © 2017 Ricardo Wurmus <rekado@elephly.net>
12 ;;; Copyright © 2017, 2018 Marius Bakke <mbakke@fastmail.com>
13 ;;; Copyright © 2017, 2018 Tobias Geerinckx-Rice <me@tobias.gr>
14 ;;; Copyright © 2017 Rutger Helling <rhelling@mykolab.com>
15 ;;; Copyright © 2018 Clément Lassieur <clement@lassieur.org>
17 ;;; This file is part of GNU Guix.
19 ;;; GNU Guix is free software; you can redistribute it and/or modify it
20 ;;; under the terms of the GNU General Public License as published by
21 ;;; the Free Software Foundation; either version 3 of the License, or (at
22 ;;; your option) any later version.
24 ;;; GNU Guix is distributed in the hope that it will be useful, but
25 ;;; WITHOUT ANY WARRANTY; without even the implied warranty of
26 ;;; MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
27 ;;; GNU General Public License for more details.
29 ;;; You should have received a copy of the GNU General Public License
30 ;;; along with GNU Guix. If not, see <http://www.gnu.org/licenses/>.
32 (define-module (gnu packages tls)
33 #:use-module ((guix licenses) #:prefix license:)
34 #:use-module (guix packages)
35 #:use-module (guix download)
36 #:use-module (guix utils)
37 #:use-module (guix build-system gnu)
38 #:use-module (guix build-system perl)
39 #:use-module (guix build-system python)
40 #:use-module (guix build-system cmake)
41 #:use-module (guix build-system haskell)
42 #:use-module (guix build-system trivial)
43 #:use-module (gnu packages compression)
44 #:use-module (gnu packages)
45 #:use-module (gnu packages bash)
46 #:use-module (gnu packages check)
47 #:use-module (gnu packages curl)
48 #:use-module (gnu packages dns)
49 #:use-module (gnu packages gawk)
50 #:use-module (gnu packages guile)
51 #:use-module (gnu packages haskell)
52 #:use-module (gnu packages haskell-check)
53 #:use-module (gnu packages haskell-crypto)
54 #:use-module (gnu packages libbsd)
55 #:use-module (gnu packages libffi)
56 #:use-module (gnu packages libidn)
57 #:use-module (gnu packages linux)
58 #:use-module (gnu packages ncurses)
59 #:use-module (gnu packages nettle)
60 #:use-module (gnu packages perl)
61 #:use-module (gnu packages pkg-config)
62 #:use-module (gnu packages python)
63 #:use-module (gnu packages python-crypto)
64 #:use-module (gnu packages python-web)
65 #:use-module (gnu packages python-xyz)
66 #:use-module (gnu packages texinfo)
67 #:use-module (gnu packages time)
68 #:use-module (gnu packages base)
69 #:use-module (srfi srfi-1))
71 (define-public libtasn1
78 (uri (string-append "mirror://gnu/libtasn1/libtasn1-"
82 "1jlc1iahj8k3haz28j55nzg7sgni5h41vqy461i1bpbx6668wlky"))))
83 (build-system gnu-build-system)
85 `(#:configure-flags '("--disable-static")))
86 (native-inputs `(("perl" ,perl)))
87 (home-page "https://www.gnu.org/software/libtasn1/")
88 (synopsis "ASN.1 library")
90 "GNU libtasn1 is a library implementing the ASN.1 notation. It is used
91 for transmitting machine-neutral encodings of data objects in computer
92 networking, allowing for formal validation of data according to some
94 (license license:lgpl2.0+)))
102 (uri (string-append "https://lionet.info/soft/asn1c-"
106 "1fc64g45ykmv73kdndr4zdm4wxhimhrir4rxnygxvwkych5l81w0"))))
107 (build-system gnu-build-system)
110 (home-page "https://lionet.info/asn1c")
111 (synopsis "ASN.1 to C compiler")
112 (description "The ASN.1 to C compiler takes ASN.1 module
113 files and generates C++ compatible C source code. That code can be
114 used to serialize the native C structures into compact and unambiguous
115 BER/XER/PER-based data files, and deserialize the files back.
117 Various ASN.1 based formats are widely used in the industry, such as to encode
118 the X.509 certificates employed in the HTTPS handshake, to exchange control
119 data between mobile phones and cellular networks, to car-to-car communication
120 in intelligent transportation networks.")
121 (license license:bsd-2)))
123 (define-public p11-kit
130 (uri (string-append "https://github.com/p11-glue/p11-kit/releases/"
131 "download/" version "/p11-kit-" version ".tar.gz"))
134 "0w0dkq9388grbbn4bv2p55vy1j51f7nd9hzlc9gz4fbm4dnzmf8w"))))
135 (build-system gnu-build-system)
137 `(("pkg-config" ,pkg-config)))
140 ("libtasn1" ,libtasn1)))
142 `(#:configure-flags '("--without-trust-paths")
143 #:phases (modify-phases %standard-phases
144 (add-before 'check 'prepare-tests
146 ;; "test-runtime" expects XDG_RUNTIME_DIR to be set up
147 ;; and looks for .cache and other directories (only).
148 ;; For simplicity just drop it since it is irrelevant
149 ;; in the build container.
150 (substitute* "Makefile"
151 (("test-runtime\\$\\(EXEEXT\\)") ""))
153 (home-page "https://p11-glue.freedesktop.org/p11-kit.html")
154 (synopsis "PKCS#11 library")
156 "p11-kit provides a way to load and enumerate PKCS#11 modules. It
157 provides a standard configuration setup for installing PKCS#11 modules
158 in such a way that they are discoverable. It also solves problems with
159 coordinating the use of PKCS#11 by different components or libraries
160 living in the same process.")
161 (license license:bsd-3)))
163 (define-public gnutls
170 ;; Note: Releases are no longer on ftp.gnu.org since the
171 ;; schism (after version 3.1.5).
172 (string-append "mirror://gnupg/gnutls/v"
173 (version-major+minor version)
174 "/gnutls-" version ".tar.xz"))
175 (patches (search-patches "gnutls-skip-trust-store-test.patch"))
178 "0ddvg97dyrh8dkffv1mdc0knxx5my3qdbzv97s4a6jggmk9wwgh7"))
179 (modules '((guix build utils)))
182 ;; XXX: The generated configure script in GnuTLS 3.6.5
183 ;; apparently does not know about Guile 2.2.
184 (substitute* "configure"
185 (("guile_versions_to_search=\"2\\.0 1\\.8\"")
186 "guile_versions_to_search=\"2.2 2.0 1.8\""))
188 (build-system gnu-build-system)
190 `(; Ensure we don't keep a reference to this buggy software.
191 #:disallowed-references (,net-tools)
194 ;; GnuTLS doesn't consult any environment variables to specify
195 ;; the location of the system-wide trust store. Instead it has a
196 ;; configure-time option. Unless specified, its configure script
197 ;; attempts to auto-detect the location by looking for common
198 ;; places in the file system, none of which are present in our
199 ;; chroot build environment. If not found, then no default trust
200 ;; store is used, so each program has to provide its own
201 ;; fallback, and users have to configure each program
202 ;; independently. This seems suboptimal.
203 "--with-default-trust-store-dir=/etc/ssl/certs"
205 ;; FIXME: Temporarily disable p11-kit support since it is not
206 ;; working on mips64el.
209 #:phases (modify-phases %standard-phases
212 (lambda* (#:key outputs #:allow-other-keys)
213 ;; Copy the 4.1 MiB of section 3 man pages to "doc".
214 (let* ((out (assoc-ref outputs "out"))
215 (doc (assoc-ref outputs "doc"))
216 (mandir (string-append doc "/share/man/man3"))
217 (oldman (string-append out "/share/man/man3")))
219 (copy-recursively oldman mandir)
220 (delete-file-recursively oldman)
222 (outputs '("out" ;4.4 MiB
224 "doc")) ;4.1 MiB of man pages
226 `(("net-tools" ,net-tools)
227 ("pkg-config" ,pkg-config)
230 `(("guile" ,guile-2.2)))
232 ;; These are all in the 'Requires.private' field of gnutls.pc.
233 `(("libtasn1" ,libtasn1)
237 (home-page "https://www.gnu.org/software/gnutls/")
238 (synopsis "Transport layer security library")
240 "GnuTLS is a secure communications library implementing the SSL, TLS
241 and DTLS protocols. It is provided in the form of a C library to support the
242 protocols, as well as to parse and write X.5009, PKCS 12, OpenPGP and other
243 required structures.")
244 (license license:lgpl2.1+)
245 (properties '((ftp-server . "ftp.gnutls.org")
246 (ftp-directory . "/gcrypt/gnutls")))))
248 (define-public gnutls/guile-2.2
249 (deprecated-package "guile2.2-gnutls" gnutls))
251 (define-public gnutls/guile-2.0
252 ;; GnuTLS for Guile 2.0.
255 (name "guile2.0-gnutls")
256 (inputs `(("guile" ,guile-2.0)
257 ,@(alist-delete "guile" (package-inputs gnutls))))))
259 (define-public gnutls/dane
260 ;; GnuTLS with build libgnutls-dane, implementing DNS-based
261 ;; Authentication of Named Entities. This is required for GNS functionality
262 ;; by GNUnet and gnURL. This is done in an extra package definition
263 ;; to have the choice between GnuTLS with Dane and without Dane.
267 (inputs `(("unbound" ,unbound)
268 ,@(package-inputs gnutls)))))
270 (define-public openssl
276 (uri (list (string-append "https://www.openssl.org/source/openssl-"
278 (string-append "ftp://ftp.openssl.org/source/"
279 name "-" version ".tar.gz")
280 (string-append "ftp://ftp.openssl.org/source/old/"
281 (string-trim-right version char-set:letter)
282 "/" name "-" version ".tar.gz")))
285 "003xh9f898i56344vpvpxxxzmikivxig4xwlm7vbi7m8n43qxaah"))
286 (patches (search-patches "openssl-runpath.patch"
287 "openssl-c-rehash-in.patch"))))
288 (build-system gnu-build-system)
290 "doc" ;1.5MiB of man3 pages
291 "static")) ;6MiB of .a files
292 (native-inputs `(("perl" ,perl)))
294 `(#:disallowed-references (,perl)
299 ;; Changes to OpenSSL sometimes cause Perl to "sneak in" to the closure,
300 ;; so we explicitly disallow it here.
301 #:disallowed-references ,(list (canonical-package perl))
303 (modify-phases %standard-phases
305 'configure 'patch-Makefile.org
306 (lambda* (#:key outputs #:allow-other-keys)
307 ;; The default MANDIR is some unusual place. Fix that.
308 (let ((out (assoc-ref outputs "out")))
309 (patch-makefile-SHELL "Makefile.org")
310 (substitute* "Makefile.org"
311 (("^MANDIR[[:blank:]]*=.*$")
312 (string-append "MANDIR = " out "/share/man\n")))
316 (lambda* (#:key outputs #:allow-other-keys)
317 (let ((out (assoc-ref outputs "out")))
319 "shared" ;build shared libraries
322 ;; The default for this catch-all directory is
323 ;; PREFIX/ssl. Change that to something more
325 (string-append "--openssldir=" out
326 "/share/openssl-" ,version)
328 (string-append "--prefix=" out)))))
330 'install 'make-libraries-writable
331 (lambda* (#:key outputs #:allow-other-keys)
332 ;; Make libraries writable so that 'strip' does its job.
333 (let ((out (assoc-ref outputs "out")))
334 (for-each (lambda (file)
336 (find-files (string-append out "/lib")
339 (add-after 'install 'move-static-libraries
340 (lambda* (#:key outputs #:allow-other-keys)
341 ;; Move static libraries to the "static" output.
342 (let* ((out (assoc-ref outputs "out"))
343 (lib (string-append out "/lib"))
344 (static (assoc-ref outputs "static"))
345 (slib (string-append static "/lib")))
346 (for-each (lambda (file)
347 (install-file file slib)
349 (find-files lib "\\.a$"))
351 (add-after 'install 'move-man3-pages
352 (lambda* (#:key outputs #:allow-other-keys)
353 ;; Move section 3 man pages to "doc".
354 (let* ((out (assoc-ref outputs "out"))
355 (man3 (string-append out "/share/man/man3"))
356 (doc (assoc-ref outputs "doc"))
357 (target (string-append doc "/share/man/man3")))
359 (for-each (lambda (file)
361 (string-append target "/"
364 (delete-file-recursively man3)
367 'patch-source-shebangs 'patch-tests
368 (lambda* (#:key inputs native-inputs #:allow-other-keys)
369 (let ((bash (assoc-ref (or native-inputs inputs) "bash")))
370 (substitute* (find-files "test" ".*")
372 (string-append bash "/bin/sh"))
377 'install 'remove-miscellany
378 (lambda* (#:key outputs #:allow-other-keys)
379 ;; The 'misc' directory contains random undocumented shell and Perl
380 ;; scripts. Remove them to avoid retaining a reference on Perl.
381 (let ((out (assoc-ref outputs "out")))
382 (delete-file-recursively (string-append out "/share/openssl-"
386 (list (search-path-specification
387 (variable "SSL_CERT_DIR")
388 (separator #f) ;single entry
389 (files '("etc/ssl/certs")))
390 (search-path-specification
391 (variable "SSL_CERT_FILE")
393 (separator #f) ;single entry
394 (files '("etc/ssl/certs/ca-certificates.crt")))))
395 (synopsis "SSL/TLS implementation")
397 "OpenSSL is an implementation of SSL/TLS.")
398 (license license:openssl)
399 (home-page "https://www.openssl.org/")))
401 (define-public openssl-next
408 (uri (list (string-append "https://www.openssl.org/source/openssl-"
410 (string-append "ftp://ftp.openssl.org/source/"
411 name "-" version ".tar.gz")
412 (string-append "ftp://ftp.openssl.org/source/old/"
413 (string-trim-right version char-set:letter)
414 "/" name "-" version ".tar.gz")))
415 (patches (search-patches "openssl-1.1-c-rehash-in.patch"))
418 "0hcz7znzznbibpy3iyyhvlqrq44y88plxwdj32wjzgbwic7i687w"))))
420 "doc" ; 6.8 MiB of man3 pages and full HTML documentation
421 "static")) ; 6.4 MiB of .a files
423 (substitute-keyword-arguments (package-arguments openssl)
425 `(modify-phases ,phases
426 (delete 'patch-tests) ; These two phases are not needed by
427 (delete 'patch-Makefile.org) ; OpenSSL 1.1.
429 ;; Override configure phase since -rpath is now a configure option.
431 (lambda* (#:key outputs #:allow-other-keys)
432 (let* ((out (assoc-ref outputs "out"))
433 (lib (string-append out "/lib")))
434 ;; It's not a shebang so patch-source-shebangs misses it.
435 (substitute* "config"
437 (string-append (assoc-ref %build-inputs "coreutils")
440 "shared" ;build shared libraries
443 ;; The default for this catch-all directory is
444 ;; PREFIX/ssl. Change that to something more
446 (string-append "--openssldir=" out
447 "/share/openssl-" ,version)
449 (string-append "--prefix=" out)
450 (string-append "-Wl,-rpath," lib)
452 ;; XXX FIXME: Work around a code generation bug in GCC
453 ;; 4.9.3 on ARM when compiled with -mfpu=neon. See:
454 ;; <https://gcc.gnu.org/bugzilla/show_bug.cgi?id=66917>
455 ,@(if (and (not (%current-target-system))
456 (string-prefix? "armhf" (%current-system)))
460 (delete 'move-man3-pages)
461 (add-after 'install 'move-extra-documentation
462 (lambda* (#:key outputs #:allow-other-keys)
463 ;; Move man3 pages and full HTML documentation to "doc".
464 (let* ((out (assoc-ref outputs "out"))
465 (man3 (string-append out "/share/man/man3"))
466 (html (string-append out "/share/doc/openssl"))
467 (doc (assoc-ref outputs "doc"))
468 (man-target (string-append doc "/share/man/man3"))
469 (html-target (string-append doc "/share/doc/openssl")))
470 (copy-recursively man3 man-target)
471 (delete-file-recursively man3)
472 (copy-recursively html html-target)
473 (delete-file-recursively html)
475 ;; XXX: Duplicate this phase to make sure 'version' evaluates
476 ;; in the current scope and not the inherited one.
477 (replace 'remove-miscellany
478 (lambda* (#:key outputs #:allow-other-keys)
479 ;; The 'misc' directory contains random undocumented shell and Perl
480 ;; scripts. Remove them to avoid retaining a reference on Perl.
481 (let ((out (assoc-ref outputs "out")))
482 (delete-file-recursively (string-append out "/share/openssl-"
486 (define-public libressl
492 (uri (string-append "mirror://openbsd/LibreSSL/"
493 name "-" version ".tar.gz"))
496 "19kxa5i97q7p6rrps9qm0nd8zqhdjvzx02j72400c73cl2nryfhy"))))
497 (build-system gnu-build-system)
499 ;; Do as if 'getentropy' was missing since older Linux kernels lack it
500 ;; and libc would return ENOSYS, which is not properly handled.
501 ;; See <https://lists.gnu.org/archive/html/guix-devel/2017-04/msg00235.html>.
502 '(#:configure-flags '("ac_cv_func_getentropy=no"
503 ;; Provide a TLS-enabled netcat.
506 ;; FIXME: These two variables must designate a single file or directory
507 ;; and are not actually "search paths." In practice it works OK in
508 ;; user profiles because there's always just one item that matches the
510 (list (search-path-specification
511 (variable "SSL_CERT_DIR")
512 (files '("etc/ssl/certs")))
513 (search-path-specification
514 (variable "SSL_CERT_FILE")
515 (files '("etc/ssl/certs/ca-certificates.crt")))))
516 (home-page "https://www.libressl.org/")
517 (synopsis "SSL/TLS implementation")
518 (description "LibreSSL is a version of the TLS/crypto stack, forked from
519 OpenSSL in 2014 with the goals of modernizing the codebase, improving security,
520 and applying best practice development processes. This package also includes a
521 netcat implementation that supports TLS.")
522 ;; Files taken from OpenSSL keep their license, others are under various
523 ;; non-copyleft licenses.
524 (license (list license:openssl
525 (license:non-copyleft
527 "See COPYING in the distribution.")))))
529 (define-public python-acme
532 ;; Remember to update the hash of certbot when updating python-acme.
536 (uri (pypi-uri "acme" version))
539 "0z5l966b1asbcdzl77bmywf22c1q0xill00jj7qyml9wx2nh7qm2"))))
540 (build-system python-build-system)
543 (modify-phases %standard-phases
544 (add-after 'build 'build-documentation
546 (invoke "make" "-C" "docs" "man" "info")))
547 (add-after 'install 'install-documentation
548 (lambda* (#:key outputs #:allow-other-keys)
549 (let* ((out (assoc-ref outputs "out"))
550 (man (string-append out "/share/man/man1"))
551 (info (string-append out "/info")))
552 (install-file "docs/_build/texinfo/acme-python.info" info)
553 (install-file "docs/_build/man/acme-python.1" man)
555 ;; TODO: Add optional inputs for testing.
557 `(("python-mock" ,python-mock)
558 ("python-pytest" ,python-pytest)
560 ("python-sphinx" ,python-sphinx)
561 ("python-sphinxcontrib-programoutput" ,python-sphinxcontrib-programoutput)
562 ("python-sphinx-rtd-theme" ,python-sphinx-rtd-theme)
563 ("texinfo" ,texinfo)))
565 `(("python-josepy" ,python-josepy)
566 ("python-six" ,python-six)
567 ("python-requests" ,python-requests)
568 ("python-requests-toolbelt" ,python-requests-toolbelt)
569 ("python-pytz" ,python-pytz)
570 ("python-pyrfc3339" ,python-pyrfc3339)
571 ("python-pyasn1" ,python-pyasn1)
572 ("python-cryptography" ,python-cryptography)
573 ("python-pyopenssl" ,python-pyopenssl)))
574 (home-page "https://github.com/certbot/certbot")
575 (synopsis "ACME protocol implementation in Python")
576 (description "ACME protocol implementation in Python")
577 (license license:asl2.0)))
579 (define-public certbot
582 ;; Certbot and python-acme are developed in the same repository, and their
583 ;; versions should remain synchronized.
584 (version (package-version python-acme))
587 (uri (pypi-uri name version))
590 "14i6yrcb9s7ygy99gccfc8jscymi24xb72s5lgg9b2y40z909ikg"))))
591 (build-system python-build-system)
593 `(,@(substitute-keyword-arguments (package-arguments python-acme)
595 `(modify-phases ,phases
596 (replace 'install-documentation
597 (lambda* (#:key outputs #:allow-other-keys)
598 (let* ((out (assoc-ref outputs "out"))
599 (man1 (string-append out "/share/man/man1"))
600 (man7 (string-append out "/share/man/man7"))
601 (info (string-append out "/info")))
602 (install-file "docs/_build/texinfo/Certbot.info" info)
603 (install-file "docs/_build/man/certbot.1" man1)
604 (install-file "docs/_build/man/certbot.7" man7)
606 ;; TODO: Add optional inputs for testing.
608 `(("python-nose" ,python-nose)
609 ("python-mock" ,python-mock)
611 ("python-sphinx" ,python-sphinx)
612 ("python-sphinx-rtd-theme" ,python-sphinx-rtd-theme)
613 ("python-sphinx-repoze-autointerface" ,python-sphinx-repoze-autointerface)
614 ("python-sphinxcontrib-programoutput" ,python-sphinxcontrib-programoutput)
615 ("texinfo" ,texinfo)))
617 `(("python-acme" ,python-acme)
618 ("python-zope-interface" ,python-zope-interface)
619 ("python-pyrfc3339" ,python-pyrfc3339)
620 ("python-pyopenssl" ,python-pyopenssl)
621 ("python-configobj" ,python-configobj)
622 ("python-configargparse" ,python-configargparse)
623 ("python-zope-component" ,python-zope-component)
624 ("python-parsedatetime" ,python-parsedatetime)
625 ("python-six" ,python-six)
626 ("python-psutil" ,python-psutil)
627 ("python-requests" ,python-requests)
628 ("python-pytz" ,python-pytz)))
629 (synopsis "Let's Encrypt client by the Electronic Frontier Foundation")
630 (description "Certbot automatically receives and installs X.509 certificates
631 to enable Transport Layer Security (TLS) on servers. It interoperates with the
632 Let’s Encrypt certificate authority (CA), which issues browser-trusted
633 certificates for free.")
634 (home-page "https://certbot.eff.org/")
635 (license license:asl2.0)))
637 (define-public letsencrypt
638 (package (inherit certbot)
640 (properties `((superseded . ,certbot)))))
642 (define-public perl-net-ssleay
644 (name "perl-net-ssleay")
648 (uri (string-append "mirror://cpan/authors/id/M/MI/MIKEM/"
649 "Net-SSLeay-" version ".tar.gz"))
652 "1j5h4ycm8538397l204d2d5fkm9595aj174pj7bkpbhwzfwqi0cx"))))
653 (build-system perl-build-system)
654 (inputs `(("openssl" ,openssl)))
657 (modify-phases %standard-phases
659 'configure 'set-ssl-prefix
660 (lambda* (#:key inputs #:allow-other-keys)
661 (setenv "OPENSSL_PREFIX" (assoc-ref inputs "openssl"))
663 (synopsis "Perl extension for using OpenSSL")
665 "This module offers some high level convenience functions for accessing
666 web pages on SSL servers (for symmetry, the same API is offered for accessing
667 http servers, too), an sslcat() function for writing your own clients, and
668 finally access to the SSL api of the SSLeay/OpenSSL package so you can write
669 servers or clients for more complicated applications.")
670 (license license:perl-license)
671 (home-page "https://metacpan.org/release/Net-SSLeay")))
673 (define-public perl-crypt-openssl-rsa
675 (name "perl-crypt-openssl-rsa")
681 "mirror://cpan/authors/id/T/TO/TODDR/Crypt-OpenSSL-RSA-"
686 "0djl5i6kibl7862b6ih29q8dhg5zpwzq77q9j8hp6xngshx40ws1"))))
687 (build-system perl-build-system)
689 `(("perl-crypt-openssl-guess" ,perl-crypt-openssl-guess)))
691 `(("perl-crypt-openssl-bignum" ,perl-crypt-openssl-bignum)
692 ("perl-crypt-openssl-random" ,perl-crypt-openssl-random)
693 ("openssl" ,openssl)))
694 (arguments perl-crypt-arguments)
696 "https://metacpan.org/release/Crypt-OpenSSL-RSA")
698 "RSA encoding and decoding, using the openSSL libraries")
699 (description "Crypt::OpenSSL::RSA does RSA encoding and decoding (using the
700 OpenSSL libraries).")
701 (license license:perl-license)))
703 (define perl-crypt-arguments
704 `(#:phases (modify-phases %standard-phases
705 (add-before 'configure 'patch-Makefile.PL
706 (lambda* (#:key inputs #:allow-other-keys)
707 (substitute* "Makefile.PL"
708 (("'LIBS'.*=>.*") (string-append "'LIBS' => ['-L"
709 (assoc-ref inputs "openssl")
710 "/lib -lcrypto'],")))
713 (define-public perl-crypt-openssl-bignum
715 (name "perl-crypt-openssl-bignum")
721 "mirror://cpan/authors/id/K/KM/KMX/Crypt-OpenSSL-Bignum-"
726 "1p22znbajq91lbk2k3yg12ig7hy5b4vy8igxwqkmbm4nhgxp4ki3"))))
727 (build-system perl-build-system)
728 (inputs `(("openssl" ,openssl)))
729 (arguments perl-crypt-arguments)
731 "https://metacpan.org/release/Crypt-OpenSSL-Bignum")
733 "OpenSSL's multiprecision integer arithmetic in Perl")
734 (description "Crypt::OpenSSL::Bignum provides multiprecision integer
735 arithmetic in Perl.")
736 ;; At your option either gpl1+ or the Artistic License
737 (license license:perl-license)))
739 (define-public perl-crypt-openssl-guess
741 (name "perl-crypt-openssl-guess")
747 "mirror://cpan/authors/id/A/AK/AKIYM/Crypt-OpenSSL-Guess-"
751 "0rvi9l4ljcbhwwvspq019nfq2h2v746dk355h2nwnlmqikiihsxa"))))
752 (build-system perl-build-system)
753 (home-page "https://metacpan.org/release/Crypt-OpenSSL-Guess")
754 (synopsis "Guess the OpenSSL include path")
756 "The Crypt::OpenSSL::Guess Perl module provides helpers to guess the
757 correct OpenSSL include path. It is intended for use in your
758 @file{Makefile.PL}.")
759 (license license:perl-license)))
761 (define-public perl-crypt-openssl-random
763 (name "perl-crypt-openssl-random")
769 "mirror://cpan/authors/id/R/RU/RURBAN/Crypt-OpenSSL-Random-"
774 "0vmvrb3shrzjzri3qn524dzdasbq8zhhbpc1vmq8sx68n4jhizb0"))))
775 (build-system perl-build-system)
777 `(("perl-crypt-openssl-guess" ,perl-crypt-openssl-guess)))
779 `(("openssl" ,openssl)))
780 (arguments perl-crypt-arguments)
782 "https://metacpan.org/release/Crypt-OpenSSL-Random")
784 "OpenSSL/LibreSSL pseudo-random number generator access")
785 (description "Crypt::OpenSSL::Random is a OpenSSL/LibreSSL pseudo-random
787 (license license:perl-license)))
789 (define-public acme-client
795 (uri (string-append "https://kristaps.bsd.lv/" name "/"
796 "snapshots/" name "-portable-"
800 "00q05b3b1dfnfp7sr1nbd212n0mqrycl3cr9lbs51m7ncaihbrz9"))))
801 (build-system gnu-build-system)
803 '(#:tests? #f ; no test suite
806 (string-append "PREFIX=" (assoc-ref %outputs "out")))
808 (modify-phases %standard-phases
809 (add-after 'unpack 'patch-paths
810 (lambda* (#:key inputs #:allow-other-keys)
811 (let ((pem (string-append (assoc-ref inputs "libressl")
812 "/etc/ssl/cert.pem")))
813 (substitute* "http.c"
814 (("/etc/ssl/cert.pem") pem))
816 (delete 'configure)))) ; no './configure' script
818 `(("pkg-config" ,pkg-config)))
821 ("libressl" ,libressl)))
822 (synopsis "Let's Encrypt client by the OpenBSD project")
823 (description "acme-client is a Let's Encrypt client implemented in C. It
824 uses a modular design, and attempts to secure itself by dropping privileges and
825 operating in a chroot where possible. acme-client is developed on OpenBSD and
826 then ported to the GNU / Linux environment.")
827 (home-page "https://kristaps.bsd.lv/acme-client/")
828 ;; acme-client is distributed under the ISC license, but the files 'jsmn.h'
829 ;; and 'jsmn.c' are distributed under the Expat license.
830 (license (list license:isc license:expat))))
832 ;; The "-apache" variant is the upstreamed prefered variant. A "-gpl"
833 ;; variant exists in addition to the "-apache" one.
834 (define-public mbedtls-apache
836 (name "mbedtls-apache")
841 ;; XXX: The download links on the website are script redirection links
842 ;; which effectively lead to the format listed in the uri here.
843 (uri (string-append "https://tls.mbed.org/download/mbedtls-"
844 version "-apache.tgz"))
847 "1qlscr0m97favkqmrlj90rlgw40h8lcypxz0snvr1iwkj1pbbnp3"))))
848 (build-system cmake-build-system)
851 (list "-DUSE_SHARED_MBEDTLS_LIBRARY=ON")))
855 (synopsis "Small TLS library")
857 "@code{mbed TLS}, formerly known as PolarSSL, makes it trivially easy
858 for developers to include cryptographic and SSL/TLS capabilities in their
859 (embedded) products, facilitating this functionality with a minimal
861 (home-page "https://tls.mbed.org")
862 (license license:asl2.0)))
864 ;; The Hiawatha Web server requires some specific features to be enabled.
865 (define-public mbedtls-for-hiawatha
868 (inherit mbedtls-apache)
870 (substitute-keyword-arguments
872 (modify-phases %standard-phases
873 (add-after 'configure 'configure-extra-features
875 (for-each (lambda (feature)
876 (invoke "scripts/config.pl" "set" feature))
877 (list "MBEDTLS_THREADING_C"
878 "MBEDTLS_THREADING_PTHREAD"))
880 ,@(package-arguments mbedtls-apache)))))))
882 (define-public ghc-tls
888 (uri (string-append "https://hackage.haskell.org/package/"
889 "tls/tls-" version ".tar.gz"))
892 "1y083724mym28n6xfaz7pcc7zqxdhjpaxpbvzxfbs25qq2px3smv"))))
893 (build-system haskell-build-system)
895 `(("ghc-cereal" ,ghc-cereal)
896 ("ghc-data-default-class" ,ghc-data-default-class)
897 ("ghc-memory" ,ghc-memory)
898 ("ghc-cryptonite" ,ghc-cryptonite)
899 ("ghc-asn1-types" ,ghc-asn1-types)
900 ("ghc-asn1-encoding" ,ghc-asn1-encoding)
901 ("ghc-x509" ,ghc-x509)
902 ("ghc-x509-store" ,ghc-x509-store)
903 ("ghc-x509-validation" ,ghc-x509-validation)
904 ("ghc-async" ,ghc-async)
905 ("ghc-network" ,ghc-network)
906 ("ghc-hourglass" ,ghc-hourglass)))
908 `(("ghc-tasty" ,ghc-tasty)
909 ("ghc-tasty-quickcheck" ,ghc-tasty-quickcheck)
910 ("ghc-quickcheck" ,ghc-quickcheck)))
911 (home-page "https://github.com/vincenthz/hs-tls")
913 "TLS/SSL protocol native implementation (Server and Client)")
915 "Native Haskell TLS and SSL protocol implementation for server and client.
916 This provides a high-level implementation of a sensitive security protocol,
917 eliminating a common set of security issues through the use of the advanced
918 type system, high level constructions and common Haskell features. Currently
919 implement the SSL3.0, TLS1.0, TLS1.1 and TLS1.2 protocol, and support RSA and
920 Ephemeral (Elliptic curve and regular) Diffie Hellman key exchanges, and many
922 (license license:bsd-3)))
924 (define-public dehydrated
929 (method url-fetch/tarbomb)
931 "https://github.com/lukas2511/dehydrated/archive/v"
935 "03p80yj6bnzjc6dkp5hb9wpplmlrla8n5src71cnzw4rj53q8cqn"))
936 (file-name (string-append name "-" version ".tar.gz"))))
937 (build-system trivial-build-system)
939 `(#:modules ((guix build utils))
942 (use-modules (guix build utils))
943 (let* ((source (assoc-ref %build-inputs "source"))
944 (out (assoc-ref %outputs "out"))
945 (bin (string-append out "/bin"))
946 (bash (in-vicinity (assoc-ref %build-inputs "bash") "bin")))
948 (with-directory-excursion bin
950 (in-vicinity source (string-append "/dehydrated-" ,version
952 (in-vicinity bin "dehydrated"))
953 (patch-shebang "dehydrated" (list bash))
955 ;; Do not try to write in the store.
956 (substitute* "dehydrated"
957 (("SCRIPTDIR=\"\\$.*\"") "SCRIPTDIR=~/.dehydrated"))
960 (wrap-program "dehydrated"
963 (string-append dir "/bin"))
965 (assoc-ref %build-inputs input))
976 ("coreutils" ,coreutils)
978 ("diffutils" ,diffutils)
983 (home-page "https://dehydrated.io/")
984 (synopsis "Let's Encrypt/ACME client implemented as a shell script")
985 (description "Dehydrated is a client for signing certificates with an
986 ACME-server (currently only provided by Let's Encrypt) implemented as a
987 relatively simple Bash script.")
988 (license license:expat)))