1 ;;; GNU Guix --- Functional package management for GNU
2 ;;; Copyright © 2012, 2013, 2014, 2015, 2016, 2017 Ludovic Courtès <ludo@gnu.org>
3 ;;; Copyright © 2014, 2015, 2016, 2017, 2018 Mark H Weaver <mhw@netris.org>
4 ;;; Copyright © 2014 Ian Denhardt <ian@zenhack.net>
5 ;;; Copyright © 2013, 2015 Andreas Enge <andreas@enge.fr>
6 ;;; Copyright © 2015 David Thompson <davet@gnu.org>
7 ;;; Copyright © 2015, 2016, 2017, 2018 Leo Famulari <leo@famulari.name>
8 ;;; Copyright © 2016, 2017 Efraim Flashner <efraim@flashner.co.il>
9 ;;; Copyright © 2016, 2017, 2018 Nils Gillmann <ng0@n0.is>
10 ;;; Copyright © 2016 Hartmut Goebel <h.goebel@crazy-compilers.com>
11 ;;; Copyright © 2017 Ricardo Wurmus <rekado@elephly.net>
12 ;;; Copyright © 2017, 2018 Marius Bakke <mbakke@fastmail.com>
13 ;;; Copyright © 2017, 2018 Tobias Geerinckx-Rice <me@tobias.gr>
14 ;;; Copyright © 2017 Rutger Helling <rhelling@mykolab.com>
15 ;;; Copyright © 2018 Clément Lassieur <clement@lassieur.org>
16 ;;;
17 ;;; This file is part of GNU Guix.
18 ;;;
19 ;;; GNU Guix is free software; you can redistribute it and/or modify it
20 ;;; under the terms of the GNU General Public License as published by
21 ;;; the Free Software Foundation; either version 3 of the License, or (at
22 ;;; your option) any later version.
23 ;;;
24 ;;; GNU Guix is distributed in the hope that it will be useful, but
25 ;;; WITHOUT ANY WARRANTY; without even the implied warranty of
26 ;;; MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
27 ;;; GNU General Public License for more details.
28 ;;;
29 ;;; You should have received a copy of the GNU General Public License
30 ;;; along with GNU Guix. If not, see <http://www.gnu.org/licenses/>.
31
32 (define-module (gnu packages tls)
33 #:use-module ((guix licenses) #:prefix license:)
34 #:use-module (guix packages)
35 #:use-module (guix download)
36 #:use-module (guix utils)
37 #:use-module (guix build-system gnu)
38 #:use-module (guix build-system perl)
39 #:use-module (guix build-system python)
40 #:use-module (guix build-system cmake)
41 #:use-module (guix build-system haskell)
42 #:use-module (guix build-system trivial)
43 #:use-module (gnu packages compression)
44 #:use-module (gnu packages)
45 #:use-module (gnu packages bash)
46 #:use-module (gnu packages check)
47 #:use-module (gnu packages curl)
48 #:use-module (gnu packages dns)
49 #:use-module (gnu packages gawk)
50 #:use-module (gnu packages guile)
51 #:use-module (gnu packages haskell)
52 #:use-module (gnu packages haskell-check)
53 #:use-module (gnu packages haskell-crypto)
54 #:use-module (gnu packages libbsd)
55 #:use-module (gnu packages libffi)
56 #:use-module (gnu packages libidn)
57 #:use-module (gnu packages linux)
58 #:use-module (gnu packages ncurses)
59 #:use-module (gnu packages nettle)
60 #:use-module (gnu packages perl)
61 #:use-module (gnu packages pkg-config)
62 #:use-module (gnu packages python)
63 #:use-module (gnu packages python-crypto)
64 #:use-module (gnu packages python-web)
65 #:use-module (gnu packages python-xyz)
66 #:use-module (gnu packages texinfo)
67 #:use-module (gnu packages time)
68 #:use-module (gnu packages base)
69 #:use-module (srfi srfi-1))
70
(define-public libtasn1
  ;; ASN.1 parsing library; it is an input of p11-kit and a propagated input
  ;; of gnutls further down in this file.
  (package
    (name "libtasn1")
    (version "4.13")
    (home-page "https://www.gnu.org/software/libtasn1/")
    (source
     (origin
       (method url-fetch)
       (uri (string-append "mirror://gnu/libtasn1/libtasn1-" version
                           ".tar.gz"))
       (sha256
        (base32 "1jlc1iahj8k3haz28j55nzg7sgni5h41vqy461i1bpbx6668wlky"))))
    (build-system gnu-build-system)
    ;; Only the shared library is built.
    (arguments '(#:configure-flags '("--disable-static")))
    (native-inputs `(("perl" ,perl)))
    (synopsis "ASN.1 library")
    (description
     "GNU libtasn1 is a library implementing the ASN.1 notation. It is used
for transmitting machine-neutral encodings of data objects in computer
networking, allowing for formal validation of data according to some
specifications.")
    (license license:lgpl2.0+)))
95
(define-public asn1c
  ;; Compiler from ASN.1 modules to C; not a TLS implementation itself but
  ;; kept here with the other ASN.1 tooling.
  (package
    (name "asn1c")
    (version "0.9.28")
    (home-page "https://lionet.info/asn1c")
    (source
     (origin
       (method url-fetch)
       (uri (string-append "https://lionet.info/soft/asn1c-" version
                           ".tar.gz"))
       (sha256
        (base32 "1fc64g45ykmv73kdndr4zdm4wxhimhrir4rxnygxvwkych5l81w0"))))
    (build-system gnu-build-system)
    ;; Perl is only needed at build time.
    (native-inputs `(("perl" ,perl)))
    (synopsis "ASN.1 to C compiler")
    (description "The ASN.1 to C compiler takes ASN.1 module
files and generates C++ compatible C source code. That code can be
used to serialize the native C structures into compact and unambiguous
BER/XER/PER-based data files, and deserialize the files back.

Various ASN.1 based formats are widely used in the industry, such as to encode
the X.509 certificates employed in the HTTPS handshake, to exchange control
data between mobile phones and cellular networks, to car-to-car communication
in intelligent transportation networks.")
    (license license:bsd-2)))
122
(define-public p11-kit
  (package
    (name "p11-kit")
    (version "0.23.14")
    (home-page "https://p11-glue.freedesktop.org/p11-kit.html")
    (source
     (origin
       (method url-fetch)
       (uri (string-append "https://github.com/p11-glue/p11-kit/releases/"
                           "download/" version "/p11-kit-" version ".tar.gz"))
       (sha256
        (base32 "0w0dkq9388grbbn4bv2p55vy1j51f7nd9hzlc9gz4fbm4dnzmf8w"))))
    (build-system gnu-build-system)
    (native-inputs `(("pkg-config" ,pkg-config)))
    (inputs
     `(("libffi" ,libffi)
       ("libtasn1" ,libtasn1)))
    (arguments
     `(;; No trust-store paths are compiled in; presumably consumers are
       ;; expected to configure their own trust anchors -- confirm against
       ;; the p11-kit configure script.
       #:configure-flags '("--without-trust-paths")
       #:phases
       (modify-phases %standard-phases
         (add-before 'check 'prepare-tests
           (lambda _
             ;; "test-runtime" wants XDG_RUNTIME_DIR plus a .cache directory
             ;; and friends, none of which matter in the build container, so
             ;; simply take it out of the Makefile's test list.
             (substitute* "Makefile"
               (("test-runtime\\$\\(EXEEXT\\)") ""))
             #t)))))
    (synopsis "PKCS#11 library")
    (description
     "p11-kit provides a way to load and enumerate PKCS#11 modules. It
provides a standard configuration setup for installing PKCS#11 modules
in such a way that they are discoverable. It also solves problems with
coordinating the use of PKCS#11 by different components or libraries
living in the same process.")
    (license license:bsd-3)))
162
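(define-public gnutls
  ;; The main TLS library of the distribution.  Guile bindings are built
  ;; against Guile 2.2; see gnutls/guile-2.0 below for the 2.0 variant.
  (package
    (name "gnutls")
    (version "3.6.5")
    (source (origin
              (method url-fetch)
              (uri
               ;; Note: Releases are no longer on ftp.gnu.org since the
               ;; schism (after version 3.1.5).
               (string-append "mirror://gnupg/gnutls/v"
                              (version-major+minor version)
                              "/gnutls-" version ".tar.xz"))
              (patches (search-patches "gnutls-skip-trust-store-test.patch"))
              (sha256
               (base32
                "0ddvg97dyrh8dkffv1mdc0knxx5my3qdbzv97s4a6jggmk9wwgh7"))
              (modules '((guix build utils)))
              (snippet
               '(begin
                  ;; XXX: The generated configure script in GnuTLS 3.6.5
                  ;; apparently does not know about Guile 2.2.
                  (substitute* "configure"
                    (("guile_versions_to_search=\"2\\.0 1\\.8\"")
                     "guile_versions_to_search=\"2.2 2.0 1.8\""))
                  #t))))
    (build-system gnu-build-system)
    (arguments
     `(;; Ensure we don't keep a reference to this buggy software.
       #:disallowed-references (,net-tools)
       #:configure-flags
       (list
        ;; GnuTLS doesn't consult any environment variables to specify
        ;; the location of the system-wide trust store.  Instead it has a
        ;; configure-time option.  Unless specified, its configure script
        ;; attempts to auto-detect the location by looking for common
        ;; places in the file system, none of which are present in our
        ;; chroot build environment.  If not found, then no default trust
        ;; store is used, so each program has to provide its own
        ;; fallback, and users have to configure each program
        ;; independently.  This seems suboptimal.
        ;;
        ;; /etc/ssl/certs is the same directory the openssl and libressl
        ;; packages below export through SSL_CERT_DIR, so all three TLS
        ;; stacks agree on where the trust anchors live.
        "--with-default-trust-store-dir=/etc/ssl/certs"

        ;; FIXME: Temporarily disable p11-kit support since it is not
        ;; working on mips64el.
        "--without-p11-kit")

       #:phases (modify-phases %standard-phases
                  (add-after 'install 'move-doc
                    (lambda* (#:key outputs #:allow-other-keys)
                      ;; Copy the 4.1 MiB of section 3 man pages to "doc".
                      (let* ((out    (assoc-ref outputs "out"))
                             (doc    (assoc-ref outputs "doc"))
                             (mandir (string-append doc "/share/man/man3"))
                             (oldman (string-append out "/share/man/man3")))
                        (mkdir-p mandir)
                        (copy-recursively oldman mandir)
                        (delete-file-recursively oldman)
                        #t))))))
    (outputs '("out"                    ;4.4 MiB
               "debug"
               "doc"))                  ;4.1 MiB of man pages
    (native-inputs
     `(("net-tools" ,net-tools)
       ("pkg-config" ,pkg-config)
       ("which" ,which)))
    (inputs
     `(("guile" ,guile-2.2)))
    (propagated-inputs
     ;; These are all in the 'Requires.private' field of gnutls.pc.
     `(("libtasn1" ,libtasn1)
       ("libidn2" ,libidn2)
       ("nettle" ,nettle)
       ("zlib" ,zlib)))
    (home-page "https://www.gnu.org/software/gnutls/")
    (synopsis "Transport layer security library")
    ;; "X.5009" in the description was a typo for the X.509 certificate
    ;; format.
    (description
     "GnuTLS is a secure communications library implementing the SSL, TLS
and DTLS protocols. It is provided in the form of a C library to support the
protocols, as well as to parse and write X.509, PKCS 12, OpenPGP and other
required structures.")
    (license license:lgpl2.1+)
    (properties '((ftp-server . "ftp.gnutls.org")
                  (ftp-directory . "/gcrypt/gnutls")))))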
247
(define-public gnutls/guile-2.2
  ;; Deprecated alias: the 'gnutls' package above is already built with
  ;; Guile 2.2 as its "guile" input, so this name only survives for
  ;; backward compatibility.
  (deprecated-package "guile2.2-gnutls" gnutls))
250
(define-public gnutls/guile-2.0
  ;; Same as 'gnutls', with the bindings built for Guile 2.0 instead of 2.2.
  (package
    (inherit gnutls)
    (name "guile2.0-gnutls")
    ;; Swap the "guile" entry of the parent's inputs; keep everything else.
    (inputs (cons `("guile" ,guile-2.0)
                  (alist-delete "guile" (package-inputs gnutls))))))
258
(define-public gnutls/dane
  ;; GnuTLS built together with libgnutls-dane, the DNS-based Authentication
  ;; of Named Entities library.  GNUnet's GNS functionality and gnURL need
  ;; it.  It is a separate package so that users can choose GnuTLS with or
  ;; without DANE.
  (package
    (inherit gnutls)
    (name "gnutls-dane")
    ;; Adding unbound is presumably what lets configure enable libgnutls-dane
    ;; (no extra configure flag is passed) -- confirm against the build log.
    (inputs (cons `("unbound" ,unbound)
                  (package-inputs gnutls)))))
269
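(define-public openssl
  ;; OpenSSL 1.0.2; the 1.1 series is 'openssl-next' below, which inherits
  ;; from this definition and overrides some phases.
  (package
    (name "openssl")
    (version "1.0.2p")
    (source (origin
              (method url-fetch)
              ;; Current release directory first, then the two FTP locations.
              ;; The "old/" one is keyed on the version with its letter suffix
              ;; stripped ("1.0.2" for "1.0.2p").
              (uri (list (string-append "https://www.openssl.org/source/openssl-"
                                        version ".tar.gz")
                         (string-append "ftp://ftp.openssl.org/source/"
                                        name "-" version ".tar.gz")
                         (string-append "ftp://ftp.openssl.org/source/old/"
                                        (string-trim-right version char-set:letter)
                                        "/" name "-" version ".tar.gz")))
              (sha256
               (base32
                "003xh9f898i56344vpvpxxxzmikivxig4xwlm7vbi7m8n43qxaah"))
              (patches (search-patches "openssl-runpath.patch"
                                       "openssl-c-rehash-in.patch"))))
    (build-system gnu-build-system)
    (outputs '("out"
               "doc"                    ;1.5MiB of man3 pages
               "static"))               ;6MiB of .a files
    (native-inputs `(("perl" ,perl)))
    (arguments
     `(;; Changes to OpenSSL sometimes cause Perl to "sneak in" to the
       ;; closure, so we explicitly disallow it here.  Both the Perl used as
       ;; a native input and the one from the bootstrap set are listed.
       ;; This keyword used to appear twice in this list (once with each of
       ;; the two Perls); a keyword argument can only carry one value, so
       ;; one of the two lists was silently ignored.
       #:disallowed-references (,perl ,(canonical-package perl))
       #:parallel-build? #f
       #:parallel-tests? #f
       #:test-target "test"
       #:phases
       (modify-phases %standard-phases
         (add-before 'configure 'patch-Makefile.org
           (lambda* (#:key outputs #:allow-other-keys)
             ;; The default MANDIR is some unusual place.  Fix that.
             (let ((out (assoc-ref outputs "out")))
               (patch-makefile-SHELL "Makefile.org")
               (substitute* "Makefile.org"
                 (("^MANDIR[[:blank:]]*=.*$")
                  (string-append "MANDIR = " out "/share/man\n")))
               #t)))
         (replace 'configure
           (lambda* (#:key outputs #:allow-other-keys)
             ;; OpenSSL uses its own './config' script rather than autoconf,
             ;; hence the replacement phase.
             (let ((out (assoc-ref outputs "out")))
               (invoke "./config"
                       "shared"         ;build shared libraries
                       "--libdir=lib"

                       ;; The default for this catch-all directory is
                       ;; PREFIX/ssl.  Change that to something more
                       ;; conventional.
                       (string-append "--openssldir=" out
                                      "/share/openssl-" ,version)

                       (string-append "--prefix=" out)))))
         (add-after 'install 'make-libraries-writable
           (lambda* (#:key outputs #:allow-other-keys)
             ;; Make libraries writable so that 'strip' does its job.
             (let ((out (assoc-ref outputs "out")))
               (for-each (lambda (file)
                           (chmod file #o644))
                         (find-files (string-append out "/lib")
                                     "\\.so"))
               #t)))
         (add-after 'install 'move-static-libraries
           (lambda* (#:key outputs #:allow-other-keys)
             ;; Move static libraries to the "static" output.
             (let* ((out    (assoc-ref outputs "out"))
                    (lib    (string-append out "/lib"))
                    (static (assoc-ref outputs "static"))
                    (slib   (string-append static "/lib")))
               (for-each (lambda (file)
                           (install-file file slib)
                           (delete-file file))
                         (find-files lib "\\.a$"))
               #t)))
         (add-after 'install 'move-man3-pages
           (lambda* (#:key outputs #:allow-other-keys)
             ;; Move section 3 man pages to "doc".
             (let* ((out    (assoc-ref outputs "out"))
                    (man3   (string-append out "/share/man/man3"))
                    (doc    (assoc-ref outputs "doc"))
                    (target (string-append doc "/share/man/man3")))
               (mkdir-p target)
               (for-each (lambda (file)
                           (rename-file file
                                        (string-append target "/"
                                                       (basename file))))
                         (find-files man3))
               (delete-file-recursively man3)
               #t)))
         (add-before 'patch-source-shebangs 'patch-tests
           (lambda* (#:key inputs native-inputs #:allow-other-keys)
             ;; The test scripts hard-code /bin/sh and /bin/rm, neither of
             ;; which exists in the build container.  "bash" is presumably
             ;; provided implicitly by gnu-build-system -- it is not listed
             ;; in this package's inputs.
             (let ((bash (assoc-ref (or native-inputs inputs) "bash")))
               (substitute* (find-files "test" ".*")
                 (("/bin/sh")
                  (string-append bash "/bin/sh"))
                 (("/bin/rm")
                  "rm"))
               #t)))
         (add-after 'install 'remove-miscellany
           (lambda* (#:key outputs #:allow-other-keys)
             ;; The 'misc' directory contains random undocumented shell and
             ;; Perl scripts.  Remove them to avoid retaining a reference on
             ;; Perl.
             (let ((out (assoc-ref outputs "out")))
               (delete-file-recursively (string-append out "/share/openssl-"
                                                       ,version "/misc"))
               #t))))))
    (native-search-paths
     ;; Both variables name exactly one file or directory, hence the #f
     ;; separator: they are not colon-separated search lists.
     (list (search-path-specification
            (variable "SSL_CERT_DIR")
            (separator #f)              ;single entry
            (files '("etc/ssl/certs")))
           (search-path-specification
            (variable "SSL_CERT_FILE")
            (file-type 'regular)
            (separator #f)              ;single entry
            (files '("etc/ssl/certs/ca-certificates.crt")))))
    (synopsis "SSL/TLS implementation")
    (description
     "OpenSSL is an implementation of SSL/TLS.")
    (license license:openssl)
    (home-page "https://www.openssl.org/")))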
400
(define-public openssl-next
  ;; OpenSSL 1.1 variant of the 'openssl' package above: same package name,
  ;; newer version, and the phases that only made sense for 1.0 are dropped
  ;; or replaced.
  (package
    (inherit openssl)
    (name "openssl")
    (version "1.1.1a")
    (source (origin
              (method url-fetch)
              ;; Same three download locations as the 1.0 package.
              (uri (list (string-append "https://www.openssl.org/source/openssl-"
                                        version ".tar.gz")
                         (string-append "ftp://ftp.openssl.org/source/"
                                        name "-" version ".tar.gz")
                         (string-append "ftp://ftp.openssl.org/source/old/"
                                        (string-trim-right version char-set:letter)
                                        "/" name "-" version ".tar.gz")))
              (patches (search-patches "openssl-1.1-c-rehash-in.patch"))
              (sha256
               (base32
                "0hcz7znzznbibpy3iyyhvlqrq44y88plxwdj32wjzgbwic7i687w"))))
    (outputs '("out"
               "doc"        ; 6.8 MiB of man3 pages and full HTML documentation
               "static"))   ; 6.4 MiB of .a files
    (arguments
     ;; Everything except #:phases is inherited verbatim from 'openssl'
     ;; (including its #:disallowed-references and test settings).
     (substitute-keyword-arguments (package-arguments openssl)
       ((#:phases phases)
        `(modify-phases ,phases
           (delete 'patch-tests)          ; These two phases are not needed by
           (delete 'patch-Makefile.org)   ; OpenSSL 1.1.

           ;; Override configure phase since -rpath is now a configure option.
           (replace 'configure
             (lambda* (#:key outputs #:allow-other-keys)
               (let* ((out (assoc-ref outputs "out"))
                      (lib (string-append out "/lib")))
                 ;; It's not a shebang so patch-source-shebangs misses it.
                 ;; %build-inputs is the complete input alist; "coreutils" is
                 ;; presumably an implicit input of gnu-build-system since
                 ;; it is not listed by this package.
                 (substitute* "config"
                   (("/usr/bin/env")
                    (string-append (assoc-ref %build-inputs "coreutils")
                                   "/bin/env")))
                 (invoke "./config"
                         "shared"       ;build shared libraries
                         "--libdir=lib"

                         ;; The default for this catch-all directory is
                         ;; PREFIX/ssl.  Change that to something more
                         ;; conventional.
                         (string-append "--openssldir=" out
                                        "/share/openssl-" ,version)

                         (string-append "--prefix=" out)
                         ;; Embed the output's lib directory as RUNPATH; the
                         ;; 1.0 package achieved this with a patch instead.
                         (string-append "-Wl,-rpath," lib)

                         ;; XXX FIXME: Work around a code generation bug in GCC
                         ;; 4.9.3 on ARM when compiled with -mfpu=neon.  See:
                         ;; <https://gcc.gnu.org/bugzilla/show_bug.cgi?id=66917>
                         ;; This is spliced at package-definition time, so the
                         ;; flag is only present on native armhf builds.
                         ,@(if (and (not (%current-target-system))
                                    (string-prefix? "armhf" (%current-system)))
                               '("-mfpu=vfpv3")
                               '())))))

           ;; 1.1 also ships HTML documentation, so the man-page-only phase
           ;; of the parent is replaced by one that moves both.
           (delete 'move-man3-pages)
           (add-after 'install 'move-extra-documentation
             (lambda* (#:key outputs #:allow-other-keys)
               ;; Move man3 pages and full HTML documentation to "doc".
               (let* ((out (assoc-ref outputs "out"))
                      (man3 (string-append out "/share/man/man3"))
                      (html (string-append out "/share/doc/openssl"))
                      (doc (assoc-ref outputs "doc"))
                      (man-target (string-append doc "/share/man/man3"))
                      (html-target (string-append doc "/share/doc/openssl")))
                 (copy-recursively man3 man-target)
                 (delete-file-recursively man3)
                 (copy-recursively html html-target)
                 (delete-file-recursively html)
                 #t)))
           ;; XXX: Duplicate this phase to make sure 'version' evaluates
           ;; in the current scope and not the inherited one.  The ,version
           ;; below sits inside this package's quasiquote, so it expands to
           ;; "1.1.1a", not the 1.0.2 version baked into the parent's phase.
           (replace 'remove-miscellany
             (lambda* (#:key outputs #:allow-other-keys)
               ;; The 'misc' directory contains random undocumented shell and Perl
               ;; scripts.  Remove them to avoid retaining a reference on Perl.
               (let ((out (assoc-ref outputs "out")))
                 (delete-file-recursively (string-append out "/share/openssl-"
                                                         ,version "/misc"))
                 #t)))))))))
485
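(define-public libressl
  ;; OpenBSD's fork of OpenSSL.  Also provides the TLS-capable 'nc' used by
  ;; acme-client below.
  (package
    (name "libressl")
    (version "2.7.4")
    (source (origin
              (method url-fetch)
              (uri (string-append "mirror://openbsd/LibreSSL/"
                                  name "-" version ".tar.gz"))
              (sha256
               (base32
                "19kxa5i97q7p6rrps9qm0nd8zqhdjvzx02j72400c73cl2nryfhy"))))
    (build-system gnu-build-system)
    (arguments
     ;; Do as if 'getentropy' was missing since older Linux kernels lack it
     ;; and libc would return ENOSYS, which is not properly handled.
     ;; See <https://lists.gnu.org/archive/html/guix-devel/2017-04/msg00235.html>.
     '(#:configure-flags '("ac_cv_func_getentropy=no"
                           ;; Provide a TLS-enabled netcat.
                           "--enable-nc")))
    (native-search-paths
     ;; These two variables designate a single file or directory and are not
     ;; colon-separated search lists, so declare them as single-entry with a
     ;; #f separator -- the same specification the 'openssl' package above
     ;; uses.  Without this, a profile holding two matches would have
     ;; produced a colon-joined value that the library cannot interpret.
     (list (search-path-specification
            (variable "SSL_CERT_DIR")
            (separator #f)              ;single entry
            (files '("etc/ssl/certs")))
           (search-path-specification
            (variable "SSL_CERT_FILE")
            (file-type 'regular)
            (separator #f)              ;single entry
            (files '("etc/ssl/certs/ca-certificates.crt")))))
    (home-page "https://www.libressl.org/")
    (synopsis "SSL/TLS implementation")
    (description "LibreSSL is a version of the TLS/crypto stack, forked from
OpenSSL in 2014 with the goals of modernizing the codebase, improving security,
and applying best practice development processes. This package also includes a
netcat implementation that supports TLS.")
    ;; Files taken from OpenSSL keep their license, others are under various
    ;; non-copyleft licenses.
    (license (list license:openssl
                   (license:non-copyleft
                    "file://COPYING"
                    "See COPYING in the distribution.")))))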
528
(define-public python-acme
  ;; Python implementation of the ACME protocol; certbot below is built from
  ;; the same repository and follows this package's version.
  (package
    (name "python-acme")
    ;; Remember to update the hash of certbot when updating python-acme.
    (version "0.29.1")
    (home-page "https://github.com/certbot/certbot")
    (source (origin
              (method url-fetch)
              (uri (pypi-uri "acme" version))
              (sha256
               (base32
                "0z5l966b1asbcdzl77bmywf22c1q0xill00jj7qyml9wx2nh7qm2"))))
    (build-system python-build-system)
    (arguments
     `(#:phases
       (modify-phases %standard-phases
         ;; Generate the man page and Info manual from the Sphinx sources...
         (add-after 'build 'build-documentation
           (lambda _
             (invoke "make" "-C" "docs" "man" "info")))
         ;; ...and copy them into the output next to the Python package.
         (add-after 'install 'install-documentation
           (lambda* (#:key outputs #:allow-other-keys)
             (let ((prefix (assoc-ref outputs "out")))
               (install-file "docs/_build/texinfo/acme-python.info"
                             (string-append prefix "/info"))
               (install-file "docs/_build/man/acme-python.1"
                             (string-append prefix "/share/man/man1"))
               #t))))))
    ;; TODO: Add optional inputs for testing.
    (native-inputs
     `(("python-mock" ,python-mock)
       ("python-pytest" ,python-pytest)
       ;; For documentation
       ("python-sphinx" ,python-sphinx)
       ("python-sphinxcontrib-programoutput" ,python-sphinxcontrib-programoutput)
       ("python-sphinx-rtd-theme" ,python-sphinx-rtd-theme)
       ("texinfo" ,texinfo)))
    (propagated-inputs
     `(("python-josepy" ,python-josepy)
       ("python-six" ,python-six)
       ("python-requests" ,python-requests)
       ("python-requests-toolbelt" ,python-requests-toolbelt)
       ("python-pytz" ,python-pytz)
       ("python-pyrfc3339" ,python-pyrfc3339)
       ("python-pyasn1" ,python-pyasn1)
       ("python-cryptography" ,python-cryptography)
       ("python-pyopenssl" ,python-pyopenssl)))
    (synopsis "ACME protocol implementation in Python")
    (description "ACME protocol implementation in Python")
    (license license:asl2.0)))
578
(define-public certbot
  ;; The Let's Encrypt client.  Shares its phases with python-acme, whose
  ;; documentation build is reused; only the install-documentation phase
  ;; differs (different file names, plus a section 7 man page).
  (package
    (name "certbot")
    ;; Certbot and python-acme are developed in the same repository, and their
    ;; versions should remain synchronized.
    (version (package-version python-acme))
    (home-page "https://certbot.eff.org/")
    (source (origin
              (method url-fetch)
              (uri (pypi-uri name version))
              (sha256
               (base32
                "14i6yrcb9s7ygy99gccfc8jscymi24xb72s5lgg9b2y40z909ikg"))))
    (build-system python-build-system)
    (arguments
     (substitute-keyword-arguments (package-arguments python-acme)
       ((#:phases phases)
        `(modify-phases ,phases
           (replace 'install-documentation
             (lambda* (#:key outputs #:allow-other-keys)
               (let ((prefix (assoc-ref outputs "out")))
                 (install-file "docs/_build/texinfo/Certbot.info"
                               (string-append prefix "/info"))
                 (install-file "docs/_build/man/certbot.1"
                               (string-append prefix "/share/man/man1"))
                 (install-file "docs/_build/man/certbot.7"
                               (string-append prefix "/share/man/man7"))
                 #t)))))))
    ;; TODO: Add optional inputs for testing.
    (native-inputs
     `(("python-nose" ,python-nose)
       ("python-mock" ,python-mock)
       ;; For documentation
       ("python-sphinx" ,python-sphinx)
       ("python-sphinx-rtd-theme" ,python-sphinx-rtd-theme)
       ("python-sphinx-repoze-autointerface" ,python-sphinx-repoze-autointerface)
       ("python-sphinxcontrib-programoutput" ,python-sphinxcontrib-programoutput)
       ("texinfo" ,texinfo)))
    (propagated-inputs
     `(("python-acme" ,python-acme)
       ("python-zope-interface" ,python-zope-interface)
       ("python-pyrfc3339" ,python-pyrfc3339)
       ("python-pyopenssl" ,python-pyopenssl)
       ("python-configobj" ,python-configobj)
       ("python-configargparse" ,python-configargparse)
       ("python-zope-component" ,python-zope-component)
       ("python-parsedatetime" ,python-parsedatetime)
       ("python-six" ,python-six)
       ("python-psutil" ,python-psutil)
       ("python-requests" ,python-requests)
       ("python-pytz" ,python-pytz)))
    (synopsis "Let's Encrypt client by the Electronic Frontier Foundation")
    (description "Certbot automatically receives and installs X.509 certificates
to enable Transport Layer Security (TLS) on servers. It interoperates with the
Let’s Encrypt certificate authority (CA), which issues browser-trusted
certificates for free.")
    (license license:asl2.0)))
636
(define-public letsencrypt
  ;; Former name of certbot.  Kept as a package so existing references still
  ;; resolve; the 'superseded' property marks certbot as its replacement.
  (package
    (inherit certbot)
    (name "letsencrypt")
    (properties `((superseded . ,certbot)))))
641
(define-public perl-net-ssleay
  (package
    (name "perl-net-ssleay")
    (version "1.85")
    (home-page "https://metacpan.org/release/Net-SSLeay")
    (source (origin
              (method url-fetch)
              (uri (string-append "mirror://cpan/authors/id/M/MI/MIKEM/"
                                  "Net-SSLeay-" version ".tar.gz"))
              (sha256
               (base32
                "1j5h4ycm8538397l204d2d5fkm9595aj174pj7bkpbhwzfwqi0cx"))))
    (build-system perl-build-system)
    (inputs `(("openssl" ,openssl)))
    (arguments
     `(#:phases
       (modify-phases %standard-phases
         ;; Tell the build where OpenSSL lives via OPENSSL_PREFIX before
         ;; Makefile.PL runs.
         (add-before 'configure 'set-ssl-prefix
           (lambda* (#:key inputs #:allow-other-keys)
             (setenv "OPENSSL_PREFIX" (assoc-ref inputs "openssl"))
             #t)))))
    (synopsis "Perl extension for using OpenSSL")
    (description
     "This module offers some high level convenience functions for accessing
web pages on SSL servers (for symmetry, the same API is offered for accessing
http servers, too), an sslcat() function for writing your own clients, and
finally access to the SSL api of the SSLeay/OpenSSL package so you can write
servers or clients for more complicated applications.")
    (license license:perl-license)))
672
(define-public perl-crypt-openssl-rsa
  ;; Perl RSA bindings on top of libcrypto.  Builds with the shared
  ;; 'perl-crypt-arguments' defined below, which points Makefile.PL at our
  ;; libcrypto.
  (package
    (name "perl-crypt-openssl-rsa")
    (version "0.31")
    (home-page "https://metacpan.org/release/Crypt-OpenSSL-RSA")
    (source
     (origin
       (method url-fetch)
       (uri (string-append
             "mirror://cpan/authors/id/T/TO/TODDR/Crypt-OpenSSL-RSA-"
             version ".tar.gz"))
       (sha256
        (base32 "0djl5i6kibl7862b6ih29q8dhg5zpwzq77q9j8hp6xngshx40ws1"))))
    (build-system perl-build-system)
    (arguments perl-crypt-arguments)
    (native-inputs
     `(("perl-crypt-openssl-guess" ,perl-crypt-openssl-guess)))
    (inputs
     `(("perl-crypt-openssl-bignum" ,perl-crypt-openssl-bignum)
       ("perl-crypt-openssl-random" ,perl-crypt-openssl-random)
       ("openssl" ,openssl)))
    (synopsis "RSA encoding and decoding, using the openSSL libraries")
    (description "Crypt::OpenSSL::RSA does RSA encoding and decoding (using the
OpenSSL libraries).")
    (license license:perl-license)))
702
(define perl-crypt-arguments
  ;; Build arguments shared by the Crypt::OpenSSL::* packages in this file:
  ;; rewrite the 'LIBS' entry of Makefile.PL so the extension links against
  ;; the libcrypto of our "openssl" input rather than whatever it guesses.
  ;; This variable is referenced by package definitions that appear above
  ;; it; that presumably works because the 'arguments' field is evaluated
  ;; lazily -- confirm before moving it.
  `(#:phases
    (modify-phases %standard-phases
      (add-before 'configure 'patch-Makefile.PL
        (lambda* (#:key inputs #:allow-other-keys)
          (let ((ssl-prefix (assoc-ref inputs "openssl")))
            (substitute* "Makefile.PL"
              (("'LIBS'.*=>.*")
               (string-append "'LIBS' => ['-L" ssl-prefix
                              "/lib -lcrypto'],")))
            #t)))))
712
(define-public perl-crypt-openssl-bignum
  (package
    (name "perl-crypt-openssl-bignum")
    (version "0.09")
    (home-page "https://metacpan.org/release/Crypt-OpenSSL-Bignum")
    (source
     (origin
       (method url-fetch)
       (uri (string-append
             "mirror://cpan/authors/id/K/KM/KMX/Crypt-OpenSSL-Bignum-"
             version ".tar.gz"))
       (sha256
        (base32 "1p22znbajq91lbk2k3yg12ig7hy5b4vy8igxwqkmbm4nhgxp4ki3"))))
    (build-system perl-build-system)
    ;; Same Makefile.PL fix-up as the other Crypt::OpenSSL::* packages.
    (arguments perl-crypt-arguments)
    (inputs `(("openssl" ,openssl)))
    (synopsis "OpenSSL's multiprecision integer arithmetic in Perl")
    (description "Crypt::OpenSSL::Bignum provides multiprecision integer
arithmetic in Perl.")
    ;; At your option either gpl1+ or the Artistic License
    (license license:perl-license)))
738
(define-public perl-crypt-openssl-guess
  ;; Build-time helper used (as a native input) by the RSA and Random
  ;; bindings above and below to locate the OpenSSL headers.
  (package
    (name "perl-crypt-openssl-guess")
    (version "0.11")
    (home-page "https://metacpan.org/release/Crypt-OpenSSL-Guess")
    (source
     (origin
       (method url-fetch)
       (uri (string-append
             "mirror://cpan/authors/id/A/AK/AKIYM/Crypt-OpenSSL-Guess-"
             version ".tar.gz"))
       (sha256
        (base32 "0rvi9l4ljcbhwwvspq019nfq2h2v746dk355h2nwnlmqikiihsxa"))))
    (build-system perl-build-system)
    (synopsis "Guess the OpenSSL include path")
    (description
     "The Crypt::OpenSSL::Guess Perl module provides helpers to guess the
correct OpenSSL include path. It is intended for use in your
@file{Makefile.PL}.")
    (license license:perl-license)))
760
(define-public perl-crypt-openssl-random
  (package
    (name "perl-crypt-openssl-random")
    (version "0.13")
    (home-page "https://metacpan.org/release/Crypt-OpenSSL-Random")
    (source
     (origin
       (method url-fetch)
       (uri (string-append
             "mirror://cpan/authors/id/R/RU/RURBAN/Crypt-OpenSSL-Random-"
             version ".tar.gz"))
       (sha256
        (base32 "0vmvrb3shrzjzri3qn524dzdasbq8zhhbpc1vmq8sx68n4jhizb0"))))
    (build-system perl-build-system)
    ;; Same Makefile.PL fix-up as the other Crypt::OpenSSL::* packages.
    (arguments perl-crypt-arguments)
    (native-inputs
     `(("perl-crypt-openssl-guess" ,perl-crypt-openssl-guess)))
    (inputs
     `(("openssl" ,openssl)))
    (synopsis "OpenSSL/LibreSSL pseudo-random number generator access")
    (description "Crypt::OpenSSL::Random is a OpenSSL/LibreSSL pseudo-random
number generator")
    (license license:perl-license)))
788
(define-public acme-client
  ;; OpenBSD's C implementation of an ACME client, built against LibreSSL.
  (package
    (name "acme-client")
    (version "0.1.16")
    (home-page "https://kristaps.bsd.lv/acme-client/")
    (source (origin
              (method url-fetch)
              (uri (string-append "https://kristaps.bsd.lv/" name "/"
                                  "snapshots/" name "-portable-"
                                  version ".tgz"))
              (sha256
               (base32
                "00q05b3b1dfnfp7sr1nbd212n0mqrycl3cr9lbs51m7ncaihbrz9"))))
    (build-system gnu-build-system)
    (arguments
     '(#:tests? #f                      ;no test suite
       #:make-flags
       (list "CC=gcc"
             (string-append "PREFIX=" (assoc-ref %outputs "out")))
       #:phases
       (modify-phases %standard-phases
         (add-after 'unpack 'patch-paths
           (lambda* (#:key inputs #:allow-other-keys)
             ;; http.c hard-codes the CA bundle as /etc/ssl/cert.pem.  Point
             ;; it at the file under the libressl input instead (presumably
             ;; the bundle LibreSSL ships -- confirm).  Note that this fixes
             ;; the trust anchors used to talk to the ACME server at build
             ;; time, from the store, rather than taking the system's
             ;; /etc/ssl at run time.
             (substitute* "http.c"
               (("/etc/ssl/cert.pem")
                (string-append (assoc-ref inputs "libressl")
                               "/etc/ssl/cert.pem")))
             #t))
         (delete 'configure))))         ;no './configure' script
    (native-inputs
     `(("pkg-config" ,pkg-config)))
    (inputs
     `(("libbsd" ,libbsd)
       ("libressl" ,libressl)))
    (synopsis "Let's Encrypt client by the OpenBSD project")
    (description "acme-client is a Let's Encrypt client implemented in C. It
uses a modular design, and attempts to secure itself by dropping privileges and
operating in a chroot where possible. acme-client is developed on OpenBSD and
then ported to the GNU / Linux environment.")
    ;; acme-client is distributed under the ISC license, but the files 'jsmn.h'
    ;; and 'jsmn.c' are distributed under the Expat license.
    (license (list license:isc license:expat))))
831
;; The "-apache" variant is the one upstream prefers.  A "-gpl" variant
;; exists in addition to the "-apache" one.
(define-public mbedtls-apache
  (package
    (name "mbedtls-apache")
    (version "2.16.0")
    (home-page "https://tls.mbed.org")
    (source
     (origin
       (method url-fetch)
       ;; XXX: The download links on the website are script redirection links
       ;; which effectively lead to the format listed in the uri here.
       (uri (string-append "https://tls.mbed.org/download/mbedtls-" version
                           "-apache.tgz"))
       (sha256
        (base32 "1qlscr0m97favkqmrlj90rlgw40h8lcypxz0snvr1iwkj1pbbnp3"))))
    (build-system cmake-build-system)
    ;; Ask CMake for a shared libmbedtls.
    (arguments
     '(#:configure-flags (list "-DUSE_SHARED_MBEDTLS_LIBRARY=ON")))
    (native-inputs
     `(("perl" ,perl)
       ("python" ,python)))
    (synopsis "Small TLS library")
    (description
     "@code{mbed TLS}, formerly known as PolarSSL, makes it trivially easy
for developers to include cryptographic and SSL/TLS capabilities in their
(embedded) products, facilitating this functionality with a minimal
coding footprint.")
    (license license:asl2.0)))
863
;; The Hiawatha Web server requires some specific features to be enabled.
(define-public mbedtls-for-hiawatha
  (hidden-package
   (package
     (inherit mbedtls-apache)
     (arguments
      ;; Prepend a phase that switches on the pthread threading options via
      ;; the upstream config script, then append mbedtls-apache's own
      ;; arguments (which hold only #:configure-flags, so there is no second
      ;; #:phases to clash with).  'substitute-keyword-arguments' is called
      ;; with no substitution clauses here, so it presumably just copies the
      ;; list -- confirm.
      (substitute-keyword-arguments
          `(#:phases
            (modify-phases %standard-phases
              (add-after 'configure 'configure-extra-features
                (lambda _
                  (for-each (lambda (option)
                              (invoke "scripts/config.pl" "set" option))
                            '("MBEDTLS_THREADING_C"
                              "MBEDTLS_THREADING_PTHREAD"))
                  #t)))
            ,@(package-arguments mbedtls-apache)))))))
881
(define-public ghc-tls
  (package
    (name "ghc-tls")
    (version "1.4.1")
    (home-page "https://github.com/vincenthz/hs-tls")
    (source
     (origin
       (method url-fetch)
       (uri (string-append "https://hackage.haskell.org/package/"
                           "tls/tls-" version ".tar.gz"))
       (sha256
        (base32 "1y083724mym28n6xfaz7pcc7zqxdhjpaxpbvzxfbs25qq2px3smv"))))
    (build-system haskell-build-system)
    ;; Runtime library dependencies.
    (inputs
     `(("ghc-cereal" ,ghc-cereal)
       ("ghc-data-default-class" ,ghc-data-default-class)
       ("ghc-memory" ,ghc-memory)
       ("ghc-cryptonite" ,ghc-cryptonite)
       ("ghc-asn1-types" ,ghc-asn1-types)
       ("ghc-asn1-encoding" ,ghc-asn1-encoding)
       ("ghc-x509" ,ghc-x509)
       ("ghc-x509-store" ,ghc-x509-store)
       ("ghc-x509-validation" ,ghc-x509-validation)
       ("ghc-async" ,ghc-async)
       ("ghc-network" ,ghc-network)
       ("ghc-hourglass" ,ghc-hourglass)))
    ;; Build-time only: the test frameworks used by the package's test suite.
    (native-inputs
     `(("ghc-tasty" ,ghc-tasty)
       ("ghc-tasty-quickcheck" ,ghc-tasty-quickcheck)
       ("ghc-quickcheck" ,ghc-quickcheck)))
    (synopsis "TLS/SSL protocol native implementation (Server and Client)")
    (description
     "Native Haskell TLS and SSL protocol implementation for server and client.
This provides a high-level implementation of a sensitive security protocol,
eliminating a common set of security issues through the use of the advanced
type system, high level constructions and common Haskell features. Currently
implement the SSL3.0, TLS1.0, TLS1.1 and TLS1.2 protocol, and support RSA and
Ephemeral (Elliptic curve and regular) Diffie Hellman key exchanges, and many
extensions.")
    (license license:bsd-3)))
923
(define-public dehydrated
  (package
    (name "dehydrated")
    (version "0.6.2")
    (source
     (origin
       (method url-fetch/tarbomb)
       (uri (string-append
             "https://github.com/lukas2511/dehydrated/archive/v"
             version ".tar.gz"))
       (sha256
        (base32 "03p80yj6bnzjc6dkp5hb9wpplmlrla8n5src71cnzw4rj53q8cqn"))
       (file-name (string-append name "-" version ".tar.gz"))))
    (build-system trivial-build-system)
    (arguments
     `(#:modules ((guix build utils))
       #:builder
       (begin
         (use-modules (guix build utils))
         (let* ((source (assoc-ref %build-inputs "source"))
                (out    (assoc-ref %outputs "out"))
                (bin    (string-append out "/bin"))
                (bash   (in-vicinity (assoc-ref %build-inputs "bash") "bin"))
                ;; Inputs whose bin/ directories the wrapper prepends to PATH,
                ;; so the script runs the store's tools rather than whatever
                ;; happens to be on the user's PATH.
                (tools  '("coreutils" "curl" "diffutils" "gawk" "grep"
                          "openssl" "sed")))
           (mkdir-p bin)
           (with-directory-excursion bin
             ;; The script is the only file installed; it sits below the
             ;; versioned top-level directory of the unpacked archive.
             (copy-file (in-vicinity source
                                     (string-append "/dehydrated-" ,version
                                                    "/dehydrated"))
                        (in-vicinity bin "dehydrated"))
             (patch-shebang "dehydrated" (list bash))

             ;; Do not try to write in the store.
             (substitute* "dehydrated"
               (("SCRIPTDIR=\"\\$.*\"") "SCRIPTDIR=~/.dehydrated"))

             ;; NOTE(review): presumably so wrap-program can locate bash for
             ;; the wrapper it writes -- confirm.
             (setenv "PATH" bash)
             (wrap-program "dehydrated"
               `("PATH" ":" prefix
                 ,(map (lambda (input)
                         (string-append (assoc-ref %build-inputs input)
                                        "/bin"))
                       tools))))
           #t))))
    (inputs
     `(("bash" ,bash)
       ("coreutils" ,coreutils)
       ("curl" ,curl)
       ("diffutils" ,diffutils)
       ("gawk" ,gawk)
       ("grep" ,grep)
       ("openssl" ,openssl)
       ("sed" ,sed)))
    (home-page "https://dehydrated.io/")
    (synopsis "Let's Encrypt/ACME client implemented as a shell script")
    (description "Dehydrated is a client for signing certificates with an
ACME-server (currently only provided by Let's Encrypt) implemented as a
relatively simple Bash script.")
    (license license:expat)))