gnu: certbot, python-acme: Update to 0.33.0.
1 ;;; GNU Guix --- Functional package management for GNU
2 ;;; Copyright © 2012, 2013, 2014, 2015, 2016, 2017 Ludovic Courtès <ludo@gnu.org>
3 ;;; Copyright © 2014, 2015, 2016, 2017, 2018 Mark H Weaver <mhw@netris.org>
4 ;;; Copyright © 2014 Ian Denhardt <ian@zenhack.net>
5 ;;; Copyright © 2013, 2015 Andreas Enge <andreas@enge.fr>
6 ;;; Copyright © 2015 David Thompson <davet@gnu.org>
7 ;;; Copyright © 2015, 2016, 2017, 2018 Leo Famulari <leo@famulari.name>
8 ;;; Copyright © 2016, 2017, 2019 Efraim Flashner <efraim@flashner.co.il>
9 ;;; Copyright © 2016, 2017, 2018 ng0 <ng0@n0.is>
10 ;;; Copyright © 2016 Hartmut Goebel <h.goebel@crazy-compilers.com>
11 ;;; Copyright © 2017 Ricardo Wurmus <rekado@elephly.net>
12 ;;; Copyright © 2017, 2018 Marius Bakke <mbakke@fastmail.com>
13 ;;; Copyright © 2017, 2018, 2019 Tobias Geerinckx-Rice <me@tobias.gr>
14 ;;; Copyright © 2017 Rutger Helling <rhelling@mykolab.com>
15 ;;; Copyright © 2018 Clément Lassieur <clement@lassieur.org>
16 ;;;
17 ;;; This file is part of GNU Guix.
18 ;;;
19 ;;; GNU Guix is free software; you can redistribute it and/or modify it
20 ;;; under the terms of the GNU General Public License as published by
21 ;;; the Free Software Foundation; either version 3 of the License, or (at
22 ;;; your option) any later version.
23 ;;;
24 ;;; GNU Guix is distributed in the hope that it will be useful, but
25 ;;; WITHOUT ANY WARRANTY; without even the implied warranty of
26 ;;; MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
27 ;;; GNU General Public License for more details.
28 ;;;
29 ;;; You should have received a copy of the GNU General Public License
30 ;;; along with GNU Guix. If not, see <http://www.gnu.org/licenses/>.
31
32 (define-module (gnu packages tls)
33 #:use-module ((guix licenses) #:prefix license:)
34 #:use-module (guix packages)
35 #:use-module (guix download)
36 #:use-module (guix utils)
37 #:use-module (guix build-system gnu)
38 #:use-module (guix build-system perl)
39 #:use-module (guix build-system python)
40 #:use-module (guix build-system cmake)
41 #:use-module (guix build-system trivial)
42 #:use-module (gnu packages compression)
43 #:use-module (gnu packages)
44 #:use-module (gnu packages bash)
45 #:use-module (gnu packages check)
46 #:use-module (gnu packages curl)
47 #:use-module (gnu packages dns)
48 #:use-module (gnu packages gawk)
49 #:use-module (gnu packages guile)
50 #:use-module (gnu packages libbsd)
51 #:use-module (gnu packages libffi)
52 #:use-module (gnu packages libidn)
53 #:use-module (gnu packages linux)
54 #:use-module (gnu packages ncurses)
55 #:use-module (gnu packages nettle)
56 #:use-module (gnu packages perl)
57 #:use-module (gnu packages pkg-config)
58 #:use-module (gnu packages python)
59 #:use-module (gnu packages python-crypto)
60 #:use-module (gnu packages python-web)
61 #:use-module (gnu packages python-xyz)
62 #:use-module (gnu packages texinfo)
63 #:use-module (gnu packages time)
64 #:use-module (gnu packages base)
65 #:use-module (srfi srfi-1))
66
(define-public libtasn1
  ;; ASN.1 encoder/decoder; it is an input of p11-kit and a propagated input
  ;; of gnutls further down this file.
  (package
    (name "libtasn1")
    (version "4.13")
    (source
     (origin
       (method url-fetch)
       (uri (string-append "mirror://gnu/libtasn1/libtasn1-"
                           version ".tar.gz"))
       (sha256
        (base32
         "1jlc1iahj8k3haz28j55nzg7sgni5h41vqy461i1bpbx6668wlky"))))
    (home-page "https://www.gnu.org/software/libtasn1/")
    (synopsis "ASN.1 library")
    (description
     "GNU libtasn1 is a library implementing the ASN.1 notation. It is used
for transmitting machine-neutral encodings of data objects in computer
networking, allowing for formal validation of data according to some
specifications.")
    (license license:lgpl2.0+)
    (build-system gnu-build-system)
    ;; Only the shared library is installed.
    (arguments
     `(#:configure-flags '("--disable-static")))
    ;; Perl is needed at build time only.
    (native-inputs (list (list "perl" perl)))))
91
(define-public asn1c
  (package
    (name "asn1c")
    (version "0.9.28")
    (source (origin
              (method url-fetch)
              (uri (string-append "https://lionet.info/soft/asn1c-"
                                  version ".tar.gz"))
              (sha256
               (base32
                "1fc64g45ykmv73kdndr4zdm4wxhimhrir4rxnygxvwkych5l81w0"))))
    (home-page "https://lionet.info/asn1c")
    (synopsis "ASN.1 to C compiler")
    (description "The ASN.1 to C compiler takes ASN.1 module
files and generates C++ compatible C source code. That code can be
used to serialize the native C structures into compact and unambiguous
BER/XER/PER-based data files, and deserialize the files back.

Various ASN.1 based formats are widely used in the industry, such as to encode
the X.509 certificates employed in the HTTPS handshake, to exchange control
data between mobile phones and cellular networks, to car-to-car communication
in intelligent transportation networks.")
    (license license:bsd-2)
    (build-system gnu-build-system)
    ;; Perl is a build-time dependency only.
    (native-inputs (list (list "perl" perl)))))
118
(define-public p11-kit
  (package
    (name "p11-kit")
    (version "0.23.15")
    (source
     (origin
       (method url-fetch)
       (uri (string-append "https://github.com/p11-glue/p11-kit/releases/"
                           "download/" version "/p11-kit-" version ".tar.gz"))
       (patches (search-patches "p11-kit-jks-timestamps.patch"))
       (sha256
        (base32
         "166pwj00cffv4qq4dvx0k53zka0b0r1fa0whc49007vsqyh3khgp"))))
    (build-system gnu-build-system)
    (native-inputs
     `(("pkg-config" ,pkg-config)))
    ;; libtasn1 (defined above) is what p11-kit uses to handle the ASN.1
    ;; structures of certificates.
    (inputs
     `(("libffi" ,libffi)
       ("libtasn1" ,libtasn1)))
    (arguments
     ;; "--without-trust-paths" builds the trust module with no compiled-in
     ;; anchor locations; trust anchors then have to come from configuration
     ;; outside this store item (confirm against p11-kit's documentation).
     `(#:configure-flags '("--without-trust-paths")
       #:phases (modify-phases %standard-phases
                  (add-before 'check 'prepare-tests
                    (lambda _
                      ;; "test-runtime" expects XDG_RUNTIME_DIR to be set up
                      ;; and looks for .cache and other directories (only).
                      ;; For simplicity just drop it since it is irrelevant
                      ;; in the build container.
                      (substitute* "Makefile"
                        (("test-runtime\\$\\(EXEEXT\\)") ""))
                      #t)))))
    (home-page "https://p11-glue.freedesktop.org/p11-kit.html")
    (synopsis "PKCS#11 library")
    (description
     "p11-kit provides a way to load and enumerate PKCS#11 modules. It
provides a standard configuration setup for installing PKCS#11 modules
in such a way that they are discoverable. It also solves problems with
coordinating the use of PKCS#11 by different components or libraries
living in the same process.")
    (license license:bsd-3)))
159
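(define-public gnutls
  (package
    (name "gnutls")
    (version "3.6.5")
    (source (origin
              (method url-fetch)
              (uri
               ;; Note: Releases are no longer on ftp.gnu.org since the
               ;; schism (after version 3.1.5).
               (string-append "mirror://gnupg/gnutls/v"
                              (version-major+minor version)
                              "/gnutls-" version ".tar.xz"))
              ;; The skipped test would otherwise look for a system trust
              ;; store, which does not exist in the build container.
              (patches (search-patches "gnutls-skip-trust-store-test.patch"))
              (sha256
               (base32
                "0ddvg97dyrh8dkffv1mdc0knxx5my3qdbzv97s4a6jggmk9wwgh7"))
              (modules '((guix build utils)))
              (snippet
               '(begin
                  ;; XXX: The generated configure script in GnuTLS 3.6.5
                  ;; apparently does not know about Guile 2.2.
                  (substitute* "configure"
                    (("guile_versions_to_search=\"2\\.0 1\\.8\"")
                     "guile_versions_to_search=\"2.2 2.0 1.8\""))
                  #t))))
    (build-system gnu-build-system)
    (arguments
     `(; Ensure we don't keep a reference to this buggy software.
       #:disallowed-references (,net-tools)
       #:configure-flags
       (list
        ;; GnuTLS doesn't consult any environment variables to specify
        ;; the location of the system-wide trust store. Instead it has a
        ;; configure-time option. Unless specified, its configure script
        ;; attempts to auto-detect the location by looking for common
        ;; places in the file system, none of which are present in our
        ;; chroot build environment. If not found, then no default trust
        ;; store is used, so each program has to provide its own
        ;; fallback, and users have to configure each program
        ;; independently. This seems suboptimal.
        "--with-default-trust-store-dir=/etc/ssl/certs"

        ;; FIXME: Temporarily disable p11-kit support since it is not
        ;; working on mips64el.  Without it, GnuTLS cannot load trust
        ;; anchors or keys through PKCS#11 modules.
        "--without-p11-kit")

       #:phases (modify-phases %standard-phases
                  (add-after
                   'install 'move-doc
                   (lambda* (#:key outputs #:allow-other-keys)
                     ;; Copy the 4.1 MiB of section 3 man pages to "doc".
                     (let* ((out    (assoc-ref outputs "out"))
                            (doc    (assoc-ref outputs "doc"))
                            (mandir (string-append doc "/share/man/man3"))
                            (oldman (string-append out "/share/man/man3")))
                       (mkdir-p mandir)
                       (copy-recursively oldman mandir)
                       (delete-file-recursively oldman)
                       #t))))))
    (outputs '("out"                    ;4.4 MiB
               "debug"
               "doc"))                  ;4.1 MiB of man pages
    (native-inputs
     `(("net-tools" ,net-tools)
       ("pkg-config" ,pkg-config)
       ("which" ,which)))
    (inputs
     `(("guile" ,guile-2.2)))
    (propagated-inputs
     ;; These are all in the 'Requires.private' field of gnutls.pc.
     `(("libtasn1" ,libtasn1)
       ("libidn2" ,libidn2)
       ("nettle" ,nettle)
       ("zlib" ,zlib)))
    (home-page "https://www.gnu.org/software/gnutls/")
    (synopsis "Transport layer security library")
    ;; "X.509" was previously misspelled "X.5009" in this description.
    (description
     "GnuTLS is a secure communications library implementing the SSL, TLS
and DTLS protocols. It is provided in the form of a C library to support the
protocols, as well as to parse and write X.509, PKCS 12, OpenPGP and other
required structures.")
    (license license:lgpl2.1+)
    (properties '((ftp-server . "ftp.gnutls.org")
                  (ftp-directory . "/gcrypt/gnutls")))))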
244
(define-public gnutls/guile-2.2
  ;; Compatibility alias: 'gnutls' itself is now built against Guile 2.2
  ;; (see its inputs above), so the separate "guile2.2-gnutls" package is
  ;; deprecated in favour of it.
  (deprecated-package "guile2.2-gnutls" gnutls))
247
(define-public gnutls/guile-2.0
  ;; Same build as 'gnutls', with the Guile 2.2 input swapped for Guile 2.0.
  (package
    (inherit gnutls)
    (name "guile2.0-gnutls")
    (inputs (cons (list "guile" guile-2.0)
                  (alist-delete "guile" (package-inputs gnutls))))))
255
(define-public gnutls/dane
  ;; GnuTLS with libgnutls-dane built as well, implementing DNS-based
  ;; Authentication of Named Entities.  GNUnet and gnURL need it for GNS.
  ;; It is a separate package so that users can pick GnuTLS with or without
  ;; DANE support.
  (package
    (inherit gnutls)
    (name "gnutls-dane")
    ;; Adding 'unbound' to the inputs is what enables the DANE library
    ;; (presumably through libunbound detection at configure time).
    (inputs (cons (list "unbound" unbound)
                  (package-inputs gnutls)))))
266
(define-public openssl
  (package
   (name "openssl")
   ;; Security fixes are delivered as a graft: 'openssl/fixed' (below) is
   ;; this same 1.0.2p source plus the CVE-2019-1559 patch, and dependents
   ;; pick it up without being rebuilt.
   (replacement openssl/fixed)
   (version "1.0.2p")
   (source (origin
             (method url-fetch)
             (uri (list (string-append "https://www.openssl.org/source/openssl-"
                                       version ".tar.gz")
                        (string-append "ftp://ftp.openssl.org/source/"
                                       "openssl-" version ".tar.gz")
                        ;; The "old" directory keeps superseded releases of
                        ;; the same series (letter suffix stripped).
                        (string-append "ftp://ftp.openssl.org/source/old/"
                                       (string-trim-right version char-set:letter)
                                       "/openssl-" version ".tar.gz")))
             (sha256
              (base32
               "003xh9f898i56344vpvpxxxzmikivxig4xwlm7vbi7m8n43qxaah"))
             (patches (search-patches "openssl-runpath.patch"
                                      "openssl-c-rehash-in.patch"))))
   (build-system gnu-build-system)
   (outputs '("out"
              "doc"                     ;1.5MiB of man3 pages
              "static"))                ;6MiB of .a files
   (native-inputs `(("perl" ,perl)))
   (arguments
    `(#:disallowed-references (,perl)
      #:parallel-build? #f
      #:parallel-tests? #f
      #:test-target "test"

      ;; Changes to OpenSSL sometimes cause Perl to "sneak in" to the closure,
      ;; so we explicitly disallow it here.
      ;; NOTE(review): #:disallowed-references is also given at the top of
      ;; this list with (,perl).  A keyword can only bind one value, so one
      ;; of the two lists is silently ignored; they should be merged into a
      ;; single keyword once it is confirmed which one is currently active.
      #:disallowed-references ,(list (canonical-package perl))
      #:phases
      (modify-phases %standard-phases
        (add-before
         'configure 'patch-Makefile.org
         (lambda* (#:key outputs #:allow-other-keys)
           ;; The default MANDIR is some unusual place. Fix that.
           (let ((out (assoc-ref outputs "out")))
             (patch-makefile-SHELL "Makefile.org")
             (substitute* "Makefile.org"
               (("^MANDIR[[:blank:]]*=.*$")
                (string-append "MANDIR = " out "/share/man\n")))
             #t)))
        (replace
         'configure
         (lambda* (#:key outputs #:allow-other-keys)
           (let ((out (assoc-ref outputs "out")))
             (invoke "./config"
                     "shared"                   ;build shared libraries
                     "--libdir=lib"

                     ;; The default for this catch-all directory is
                     ;; PREFIX/ssl. Change that to something more
                     ;; conventional.  Note that it lives in the
                     ;; (read-only) store, so the CA bundle cannot be
                     ;; placed there; see 'native-search-paths' below.
                     (string-append "--openssldir=" out
                                    "/share/openssl-" ,version)

                     (string-append "--prefix=" out)))))
        (add-after
         'install 'make-libraries-writable
         (lambda* (#:key outputs #:allow-other-keys)
           ;; Make libraries writable so that 'strip' does its job.
           (let ((out (assoc-ref outputs "out")))
             (for-each (lambda (file)
                         (chmod file #o644))
                       (find-files (string-append out "/lib")
                                   "\\.so"))
             #t)))
        (add-after 'install 'move-static-libraries
          (lambda* (#:key outputs #:allow-other-keys)
            ;; Move static libraries to the "static" output.
            (let* ((out    (assoc-ref outputs "out"))
                   (lib    (string-append out "/lib"))
                   (static (assoc-ref outputs "static"))
                   (slib   (string-append static "/lib")))
              (for-each (lambda (file)
                          (install-file file slib)
                          (delete-file file))
                        (find-files lib "\\.a$"))
              #t)))
        (add-after 'install 'move-man3-pages
          (lambda* (#:key outputs #:allow-other-keys)
            ;; Move section 3 man pages to "doc".
            (let* ((out    (assoc-ref outputs "out"))
                   (man3   (string-append out "/share/man/man3"))
                   (doc    (assoc-ref outputs "doc"))
                   (target (string-append doc "/share/man/man3")))
              (mkdir-p target)
              (for-each (lambda (file)
                          (rename-file file
                                       (string-append target "/"
                                                      (basename file))))
                        (find-files man3))
              (delete-file-recursively man3)
              #t)))
        (add-before
         'patch-source-shebangs 'patch-tests
         (lambda* (#:key inputs native-inputs #:allow-other-keys)
           ;; The test scripts reference /bin/sh and /bin/rm, neither of
           ;; which exists in the build container.
           (let ((bash (assoc-ref (or native-inputs inputs) "bash")))
             (substitute* (find-files "test" ".*")
               (("/bin/sh")
                (string-append bash "/bin/sh"))
               (("/bin/rm")
                "rm"))
             #t)))
        (add-after
         'install 'remove-miscellany
         (lambda* (#:key outputs #:allow-other-keys)
           ;; The 'misc' directory contains random undocumented shell and Perl
           ;; scripts. Remove them to avoid retaining a reference on Perl.
           (let ((out (assoc-ref outputs "out")))
             (delete-file-recursively (string-append out "/share/openssl-"
                                                     ,version "/misc"))
             #t))))))
   ;; Trust anchors are not part of this package: programs find the CA
   ;; bundle through these variables, pointing at a certificate package
   ;; installed in the same profile.  Each designates a single entry, hence
   ;; (separator #f).
   (native-search-paths
    (list (search-path-specification
           (variable "SSL_CERT_DIR")
           (separator #f)               ;single entry
           (files '("etc/ssl/certs")))
          (search-path-specification
           (variable "SSL_CERT_FILE")
           (file-type 'regular)
           (separator #f)               ;single entry
           (files '("etc/ssl/certs/ca-certificates.crt")))))
   (synopsis "SSL/TLS implementation")
   (description
    "OpenSSL is an implementation of SSL/TLS.")
   (license license:openssl)
   (home-page "https://www.openssl.org/")))
398
(define-public openssl/fixed
  ;; Graft target of 'openssl': identical 1.0.2p source with the
  ;; CVE-2019-1559 patch appended.  Hidden because it is meant to reach
  ;; users through the 'replacement' field of 'openssl', not by name.
  (let ((base (package-source openssl)))
    (hidden-package
     (package
       (inherit openssl)
       (source (origin
                 (inherit base)
                 (patches (append (origin-patches base)
                                  (search-patches "openssl-CVE-2019-1559.patch")))))))))
407
(define-public openssl-next
  ;; OpenSSL 1.1 series, sharing phases and search paths with 'openssl'
  ;; above.  The CVE-2019-1559 graft defined for 'openssl' targets the
  ;; 1.0.2p build only; this package relies on the upstream 1.1.1b release
  ;; for its fixes (the 'replacement' field is not expected to carry over
  ;; through 'inherit' -- confirm if in doubt).
  (package
    (inherit openssl)
    (name "openssl")
    (version "1.1.1b")
    (source (origin
              (method url-fetch)
              (uri (list (string-append "https://www.openssl.org/source/openssl-"
                                        version ".tar.gz")
                         (string-append "ftp://ftp.openssl.org/source/"
                                        "openssl-" version ".tar.gz")
                         (string-append "ftp://ftp.openssl.org/source/old/"
                                        (string-trim-right version char-set:letter)
                                        "/openssl-" version ".tar.gz")))
              ;; Only the c_rehash patch applies to 1.1; the runpath patch
              ;; used for 1.0.2 is replaced by the -rpath flag below.
              (patches (search-patches "openssl-1.1-c-rehash-in.patch"))
              (sha256
               (base32
                "0jza8cmznnyiia43056dij1jdmz62dx17wsn0zxksh9h6817nmaw"))))
    (outputs '("out"
               "doc"        ; 6.8 MiB of man3 pages and full HTML documentation
               "static"))   ; 6.4 MiB of .a files
    (arguments
     (substitute-keyword-arguments (package-arguments openssl)
       ((#:phases phases)
        `(modify-phases ,phases
           (delete 'patch-tests)        ; These two phases are not needed by
           (delete 'patch-Makefile.org) ; OpenSSL 1.1.

           ;; Override configure phase since -rpath is now a configure option.
           (replace 'configure
             (lambda* (#:key outputs #:allow-other-keys)
               (let* ((out (assoc-ref outputs "out"))
                      (lib (string-append out "/lib")))
                 ;; It's not a shebang so patch-source-shebangs misses it.
                 (substitute* "config"
                   (("/usr/bin/env")
                    (string-append (assoc-ref %build-inputs "coreutils")
                                   "/bin/env")))
                 (invoke "./config"
                         "shared"       ;build shared libraries
                         "--libdir=lib"

                         ;; The default for this catch-all directory is
                         ;; PREFIX/ssl. Change that to something more
                         ;; conventional.
                         (string-append "--openssldir=" out
                                        "/share/openssl-" ,version)

                         (string-append "--prefix=" out)
                         (string-append "-Wl,-rpath," lib)))))

           (delete 'move-man3-pages)
           (add-after 'install 'move-extra-documentation
             (lambda* (#:key outputs #:allow-other-keys)
               ;; Move man3 pages and full HTML documentation to "doc".
               (let* ((out    (assoc-ref outputs "out"))
                      (man3   (string-append out "/share/man/man3"))
                      (html (string-append out "/share/doc/openssl"))
                      (doc    (assoc-ref outputs "doc"))
                      (man-target (string-append doc "/share/man/man3"))
                      (html-target (string-append doc "/share/doc/openssl")))
                 (copy-recursively man3 man-target)
                 (delete-file-recursively man3)
                 (copy-recursively html html-target)
                 (delete-file-recursively html)
                 #t)))
           ;; XXX: Duplicate this phase to make sure 'version' evaluates
           ;; in the current scope and not the inherited one.
           (replace 'remove-miscellany
             (lambda* (#:key outputs #:allow-other-keys)
               ;; The 'misc' directory contains random undocumented shell and Perl
               ;; scripts. Remove them to avoid retaining a reference on Perl.
               (let ((out (assoc-ref outputs "out")))
                 (delete-file-recursively (string-append out "/share/openssl-"
                                                         ,version "/misc"))
                 #t)))))))))
484
(define-public libressl
  (package
    (name "libressl")
    (version "2.7.4")
    (source (origin
              (method url-fetch)
              (uri (string-append "mirror://openbsd/LibreSSL/"
                                  name "-" version ".tar.gz"))
              (sha256
               (base32
                "19kxa5i97q7p6rrps9qm0nd8zqhdjvzx02j72400c73cl2nryfhy"))))
    (home-page "https://www.libressl.org/")
    (synopsis "SSL/TLS implementation")
    (description "LibreSSL is a version of the TLS/crypto stack, forked from
OpenSSL in 2014 with the goals of modernizing the codebase, improving security,
and applying best practice development processes. This package also includes a
netcat implementation that supports TLS.")
    ;; Files taken from OpenSSL keep their license, others are under various
    ;; non-copyleft licenses.
    (license (list license:openssl
                   (license:non-copyleft
                    "file://COPYING"
                    "See COPYING in the distribution.")))
    (build-system gnu-build-system)
    (arguments
     ;; Do as if 'getentropy' was missing since older Linux kernels lack it
     ;; and libc would return ENOSYS, which is not properly handled.
     ;; See <https://lists.gnu.org/archive/html/guix-devel/2017-04/msg00235.html>.
     '(#:configure-flags '("ac_cv_func_getentropy=no"
                           ;; Provide a TLS-enabled netcat.
                           "--enable-nc")))
    ;; Same two variables as 'openssl' above, but without (separator #f):
    ;; several matching profile entries would be joined rather than
    ;; rejected, which is what the FIXME below is about.
    (native-search-paths
     ;; FIXME: These two variables must designate a single file or directory
     ;; and are not actually "search paths." In practice it works OK in
     ;; user profiles because there's always just one item that matches the
     ;; specification.
     (list (search-path-specification
            (variable "SSL_CERT_DIR")
            (files '("etc/ssl/certs")))
           (search-path-specification
            (variable "SSL_CERT_FILE")
            (files '("etc/ssl/certs/ca-certificates.crt")))))))
527
(define-public python-acme
  (package
    (name "python-acme")
    ;; Remember to update the hash of certbot when updating python-acme.
    ;; ('certbot' below takes its version from this package.)
    (version "0.33.0")
    (source (origin
              (method url-fetch)
              (uri (pypi-uri "acme" version))
              (sha256
               (base32
                "0gmnbjanv8dl8035n2b30wisqn4w9rr6fxzxrbrbnhhd40pnlplx"))))
    (build-system python-build-system)
    (arguments
     `(#:phases
       (modify-phases %standard-phases
         ;; Sphinx-generated man and Info pages; the Sphinx inputs are
         ;; listed under native-inputs for this purpose.
         (add-after 'build 'build-documentation
           (lambda _
             (invoke "make" "-C" "docs" "man" "info")))
         (add-after 'install 'install-documentation
           (lambda* (#:key outputs #:allow-other-keys)
             ;; NOTE(review): the Info manual goes to OUT/info rather than
             ;; the usual OUT/share/info; confirm this is intentional.
             (let* ((out  (assoc-ref outputs "out"))
                    (man  (string-append out "/share/man/man1"))
                    (info (string-append out "/info")))
               (install-file "docs/_build/texinfo/acme-python.info" info)
               (install-file "docs/_build/man/acme-python.1" man)
               #t))))))
    ;; TODO: Add optional inputs for testing.
    (native-inputs
     `(("python-mock" ,python-mock)
       ("python-pytest" ,python-pytest)
       ;; For documentation
       ("python-sphinx" ,python-sphinx)
       ("python-sphinxcontrib-programoutput" ,python-sphinxcontrib-programoutput)
       ("python-sphinx-rtd-theme" ,python-sphinx-rtd-theme)
       ("texinfo" ,texinfo)))
    ;; Runtime dependencies, propagated so that 'certbot' and other users
    ;; of the library see them in the same profile.
    (propagated-inputs
     `(("python-josepy" ,python-josepy)
       ("python-six" ,python-six)
       ("python-requests" ,python-requests)
       ("python-requests-toolbelt" ,python-requests-toolbelt)
       ("python-pytz" ,python-pytz)
       ("python-pyrfc3339" ,python-pyrfc3339)
       ("python-pyasn1" ,python-pyasn1)
       ("python-cryptography" ,python-cryptography)
       ("python-pyopenssl" ,python-pyopenssl)))
    (home-page "https://github.com/certbot/certbot")
    (synopsis "ACME protocol implementation in Python")
    (description "ACME protocol implementation in Python")
    (license license:asl2.0)))
577
(define-public certbot
  (package
    (name "certbot")
    ;; Certbot and python-acme are developed in the same repository, and their
    ;; versions should remain synchronized.
    (version (package-version python-acme))
    (source (origin
              (method url-fetch)
              (uri (pypi-uri name version))
              ;; Hash of the certbot sdist for the version taken from
              ;; python-acme; it must change whenever python-acme is updated.
              (sha256
               (base32
                "0iiqr306zy56y8wpxsvzw1izs184pzps72kxhssmznqlgz5ngni5"))))
    (build-system python-build-system)
    (arguments
     ;; Reuse python-acme's phases (including its documentation build) and
     ;; only replace the install step with one for certbot's own manuals.
     `(,@(substitute-keyword-arguments (package-arguments python-acme)
           ((#:phases phases)
            `(modify-phases ,phases
               (replace 'install-documentation
                 (lambda* (#:key outputs #:allow-other-keys)
                   ;; NOTE(review): as in python-acme, the Info manual is
                   ;; installed to OUT/info, not OUT/share/info; confirm.
                   (let* ((out  (assoc-ref outputs "out"))
                          (man1 (string-append out "/share/man/man1"))
                          (man7 (string-append out "/share/man/man7"))
                          (info (string-append out "/info")))
                     (install-file "docs/_build/texinfo/Certbot.info" info)
                     (install-file "docs/_build/man/certbot.1" man1)
                     (install-file "docs/_build/man/certbot.7" man7)
                     #t))))))))
    ;; TODO: Add optional inputs for testing.
    (native-inputs
     `(("python-mock" ,python-mock)
       ("python-pytest" ,python-pytest)
       ;; For documentation
       ("python-sphinx" ,python-sphinx)
       ("python-sphinx-rtd-theme" ,python-sphinx-rtd-theme)
       ("python-sphinx-repoze-autointerface" ,python-sphinx-repoze-autointerface)
       ("python-sphinxcontrib-programoutput" ,python-sphinxcontrib-programoutput)
       ("texinfo" ,texinfo)))
    (propagated-inputs
     `(("python-acme" ,python-acme)
       ("python-cryptography" ,python-cryptography)
       ("python-zope-interface" ,python-zope-interface)
       ("python-pyrfc3339" ,python-pyrfc3339)
       ("python-pyopenssl" ,python-pyopenssl)
       ("python-configobj" ,python-configobj)
       ("python-configargparse" ,python-configargparse)
       ("python-zope-component" ,python-zope-component)
       ("python-parsedatetime" ,python-parsedatetime)
       ("python-six" ,python-six)
       ("python-psutil" ,python-psutil)
       ("python-requests" ,python-requests)
       ("python-pytz" ,python-pytz)))
    (synopsis "Let's Encrypt client by the Electronic Frontier Foundation")
    (description "Certbot automatically receives and installs X.509 certificates
to enable Transport Layer Security (TLS) on servers. It interoperates with the
Let’s Encrypt certificate authority (CA), which issues browser-trusted
certificates for free.")
    (home-page "https://certbot.eff.org/")
    (license license:asl2.0)))
636
(define-public letsencrypt
  ;; Former name of certbot.  The 'superseded' property records that
  ;; 'certbot' replaces it (presumably consulted by upgrade tooling).
  (package (inherit certbot)
    (name "letsencrypt")
    (properties `((superseded . ,certbot)))))
641
(define-public perl-net-ssleay
  (package
    (name "perl-net-ssleay")
    (version "1.85")
    (source (origin
              (method url-fetch)
              (uri (string-append "mirror://cpan/authors/id/M/MI/MIKEM/"
                                  "Net-SSLeay-" version ".tar.gz"))
              (sha256
               (base32
                "1j5h4ycm8538397l204d2d5fkm9595aj174pj7bkpbhwzfwqi0cx"))))
    (build-system perl-build-system)
    ;; Links against the 1.0.2 series 'openssl' defined above.
    (inputs `(("openssl" ,openssl)))
    (arguments
     `(#:phases
       (modify-phases %standard-phases
         (add-before
          'configure 'set-ssl-prefix
          (lambda* (#:key inputs #:allow-other-keys)
            ;; Tell Makefile.PL where OpenSSL lives so it does not probe
            ;; system locations that do not exist in the build container.
            (setenv "OPENSSL_PREFIX" (assoc-ref inputs "openssl"))
            #t)))))
    (synopsis "Perl extension for using OpenSSL")
    (description
     "This module offers some high level convenience functions for accessing
web pages on SSL servers (for symmetry, the same API is offered for accessing
http servers, too), an sslcat() function for writing your own clients, and
finally access to the SSL api of the SSLeay/OpenSSL package so you can write
servers or clients for more complicated applications.")
    (license license:perl-license)
    (home-page "https://metacpan.org/release/Net-SSLeay")))
672
(define-public perl-crypt-openssl-rsa
  (package
    (name "perl-crypt-openssl-rsa")
    (version "0.31")
    (source
     (origin
       (method url-fetch)
       (uri (string-append
             "mirror://cpan/authors/id/T/TO/TODDR/Crypt-OpenSSL-RSA-"
             version
             ".tar.gz"))
       (sha256
        (base32
         "0djl5i6kibl7862b6ih29q8dhg5zpwzq77q9j8hp6xngshx40ws1"))))
    (home-page
     "https://metacpan.org/release/Crypt-OpenSSL-RSA")
    (synopsis
     "RSA encoding and decoding, using the openSSL libraries")
    (description "Crypt::OpenSSL::RSA does RSA encoding and decoding (using the
OpenSSL libraries).")
    (license license:perl-license)
    (build-system perl-build-system)
    ;; Shared Makefile.PL fix-up that points 'LIBS' at the openssl input
    ;; (defined below as 'perl-crypt-arguments').
    (arguments perl-crypt-arguments)
    ;; Needed only while Makefile.PL runs.
    (native-inputs
     (list (list "perl-crypt-openssl-guess" perl-crypt-openssl-guess)))
    (inputs
     (list (list "perl-crypt-openssl-bignum" perl-crypt-openssl-bignum)
           (list "perl-crypt-openssl-random" perl-crypt-openssl-random)
           (list "openssl" openssl)))))
702
;; Build arguments shared by the Crypt::OpenSSL::* packages in this file.
;; Their Makefile.PL otherwise guesses where OpenSSL is; the phase below
;; rewrites the 'LIBS' entry to the "openssl" input's lib directory.
;; (It is referenced by packages defined above this point; that relies on
;; the 'arguments' field being evaluated lazily -- presumably the case.)
(define perl-crypt-arguments
  `(#:phases (modify-phases %standard-phases
               (add-before 'configure 'patch-Makefile.PL
                 (lambda* (#:key inputs #:allow-other-keys)
                   ;; Replace the whole 'LIBS' line, whatever it contained.
                   (substitute* "Makefile.PL"
                     (("'LIBS'.*=>.*") (string-append "'LIBS' => ['-L"
                                                      (assoc-ref inputs "openssl")
                                                      "/lib -lcrypto'],")))
                   #t)))))
712
(define-public perl-crypt-openssl-bignum
  (package
    (name "perl-crypt-openssl-bignum")
    (version "0.09")
    (source
     (origin
       (method url-fetch)
       (uri (string-append
             "mirror://cpan/authors/id/K/KM/KMX/Crypt-OpenSSL-Bignum-"
             version
             ".tar.gz"))
       (sha256
        (base32
         "1p22znbajq91lbk2k3yg12ig7hy5b4vy8igxwqkmbm4nhgxp4ki3"))))
    (home-page
     "https://metacpan.org/release/Crypt-OpenSSL-Bignum")
    (synopsis
     "OpenSSL's multiprecision integer arithmetic in Perl")
    (description "Crypt::OpenSSL::Bignum provides multiprecision integer
arithmetic in Perl.")
    ;; At your option either gpl1+ or the Artistic License
    (license license:perl-license)
    (build-system perl-build-system)
    ;; Same 'LIBS' fix-up as the other Crypt::OpenSSL::* modules.
    (arguments perl-crypt-arguments)
    (inputs (list (list "openssl" openssl)))))
738
(define-public perl-crypt-openssl-guess
  ;; Build-time helper for the Crypt::OpenSSL::* modules above and below;
  ;; it has no inputs of its own.
  (package
    (name "perl-crypt-openssl-guess")
    (version "0.11")
    (source
     (origin
       (method url-fetch)
       (uri (string-append
             "mirror://cpan/authors/id/A/AK/AKIYM/Crypt-OpenSSL-Guess-"
             version ".tar.gz"))
       (sha256
        (base32
         "0rvi9l4ljcbhwwvspq019nfq2h2v746dk355h2nwnlmqikiihsxa"))))
    (home-page "https://metacpan.org/release/Crypt-OpenSSL-Guess")
    (synopsis "Guess the OpenSSL include path")
    (description
     "The Crypt::OpenSSL::Guess Perl module provides helpers to guess the
correct OpenSSL include path. It is intended for use in your
@file{Makefile.PL}.")
    (license license:perl-license)
    (build-system perl-build-system)))
760
(define-public perl-crypt-openssl-random
  (package
    (name "perl-crypt-openssl-random")
    (version "0.15")
    (source
     (origin
       (method url-fetch)
       (uri (string-append
             "mirror://cpan/authors/id/R/RU/RURBAN/Crypt-OpenSSL-Random-"
             version
             ".tar.gz"))
       (sha256
        (base32 "1x6ffps8q7mnawmcfq740llzy7i10g3319vap0wiw4d33fm6z1zh"))))
    (home-page
     "https://metacpan.org/release/Crypt-OpenSSL-Random")
    (synopsis
     "OpenSSL/LibreSSL pseudo-random number generator access")
    (description "Crypt::OpenSSL::Random is a OpenSSL/LibreSSL pseudo-random
number generator")
    (license license:perl-license)
    (build-system perl-build-system)
    ;; Same 'LIBS' fix-up as the other Crypt::OpenSSL::* modules.
    (arguments perl-crypt-arguments)
    (native-inputs
     (list (list "perl-crypt-openssl-guess" perl-crypt-openssl-guess)))
    ;; Randomness comes from the 1.0.2 series 'openssl' defined above.
    (inputs (list (list "openssl" openssl)))))
787
(define-public acme-client
  (package
    (name "acme-client")
    (version "0.1.16")
    (source (origin
              (method url-fetch)
              (uri (string-append "https://kristaps.bsd.lv/" name "/"
                                  "snapshots/" name "-portable-"
                                  version ".tgz"))
              (sha256
               (base32
                "00q05b3b1dfnfp7sr1nbd212n0mqrycl3cr9lbs51m7ncaihbrz9"))))
    (build-system gnu-build-system)
    (arguments
     '(#:tests? #f                      ; no test suite
       #:make-flags
       (list "CC=gcc"
             (string-append "PREFIX=" (assoc-ref %outputs "out")))
       #:phases
       (modify-phases %standard-phases
         (add-after 'unpack 'patch-paths
           (lambda* (#:key inputs #:allow-other-keys)
             ;; http.c hard-codes /etc/ssl/cert.pem (presumably the CA
             ;; bundle used to verify the ACME server -- check http.c).
             ;; Point it at the bundle shipped with the libressl input,
             ;; so the trust anchors are the ones in that store item and
             ;; change only when libressl does, not with the host system.
             (let ((pem (string-append (assoc-ref inputs "libressl")
                                       "/etc/ssl/cert.pem")))
               (substitute* "http.c"
                 (("/etc/ssl/cert.pem") pem))
               #t)))
         (delete 'configure))))           ; no './configure' script
    (native-inputs
     `(("pkg-config" ,pkg-config)))
    ;; Built against LibreSSL rather than OpenSSL, matching upstream.
    (inputs
     `(("libbsd" ,libbsd)
       ("libressl" ,libressl)))
    (synopsis "Let's Encrypt client by the OpenBSD project")
    (description "acme-client is a Let's Encrypt client implemented in C. It
uses a modular design, and attempts to secure itself by dropping privileges and
operating in a chroot where possible. acme-client is developed on OpenBSD and
then ported to the GNU / Linux environment.")
    (home-page "https://kristaps.bsd.lv/acme-client/")
    ;; acme-client is distributed under the ISC license, but the files 'jsmn.h'
    ;; and 'jsmn.c' are distributed under the Expat license.
    (license (list license:isc license:expat))))
830
;; The "-apache" variant is the one upstream prefers. A "-gpl" variant
;; exists in addition to the "-apache" one.
(define-public mbedtls-apache
  (package
    (name "mbedtls-apache")
    (version "2.16.1")
    (source
     (origin
       (method url-fetch)
       ;; XXX: The download links on the website are script redirection links
       ;; which effectively lead to the format listed in the uri here.
       (uri (string-append "https://tls.mbed.org/download/mbedtls-"
                           version "-apache.tgz"))
       (sha256
        (base32
         "08zz88gcb2jmpfsgy5b6qc3li6l39yw1dbimd18aziyd889nvl7b"))))
    (home-page "https://tls.mbed.org")
    (synopsis "Small TLS library")
    (description
     "@code{mbed TLS}, formerly known as PolarSSL, makes it trivially easy
for developers to include cryptographic and SSL/TLS capabilities in their
(embedded) products, facilitating this functionality with a minimal
coding footprint.")
    (license license:asl2.0)
    (build-system cmake-build-system)
    ;; Build the shared library in addition to the static one.
    (arguments
     `(#:configure-flags
       (list "-DUSE_SHARED_MBEDTLS_LIBRARY=ON")))
    ;; Both are build-time only (tests and helper scripts).
    (native-inputs
     (list (list "perl" perl)
           (list "python" python)))))
862
863 ;; The Hiawatha Web server requires some specific features to be enabled.
(define-public mbedtls-for-hiawatha
  (hidden-package
   (package
     (inherit mbedtls-apache)
     ;; Called with no substitution clauses, 'substitute-keyword-arguments'
     ;; returns the list as is; the effect is simply to prepend a #:phases
     ;; entry to mbedtls-apache's arguments (which only carry
     ;; #:configure-flags, so nothing is shadowed).
     (arguments
      (substitute-keyword-arguments
        `(#:phases
          (modify-phases %standard-phases
            ;; Turn on the pthread-based threading layer in mbed TLS's
            ;; config.h via the upstream helper script, after CMake has
            ;; configured the tree.
            (add-after 'configure 'configure-extra-features
              (lambda _
                (for-each (lambda (feature)
                            (invoke "scripts/config.pl" "set" feature))
                          (list "MBEDTLS_THREADING_C"
                                "MBEDTLS_THREADING_PTHREAD"))
                #t)))
          ,@(package-arguments mbedtls-apache)))))))
880
(define-public dehydrated
  (package
    (name "dehydrated")
    (version "0.6.2")
    (source (origin
              (method url-fetch)
              (uri (string-append
                    "https://github.com/lukas2511/dehydrated/releases/download/"
                    "v" version "/dehydrated-" version ".tar.gz"))
              (sha256
               (base32
                "03p80yj6bnzjc6dkp5hb9wpplmlrla8n5src71cnzw4rj53q8cqn"))))
    ;; Upstream is a single shell script with no build system, so the
    ;; builder below unpacks, installs and wraps it by hand.
    (build-system trivial-build-system)
    (arguments
     `(#:modules ((guix build utils))
       #:builder
       (begin
         (use-modules (guix build utils))
         (let* ((source (assoc-ref %build-inputs "source"))
                (tar    (assoc-ref %build-inputs "tar"))
                (gz     (assoc-ref %build-inputs "gzip"))
                (out    (assoc-ref %outputs "out"))
                (bin    (string-append out "/bin"))
                (doc    (string-append out "/share/doc/"))
                (bash   (in-vicinity (assoc-ref %build-inputs "bash") "bin")))

           ;; 'tar' needs to find gzip on PATH to decompress the tarball.
           (setenv "PATH" (string-append gz "/bin"))
           (invoke (string-append tar "/bin/tar") "xvf" source)
           (chdir (string-append ,name "-" ,version))

           (install-file "dehydrated" bin)
           (install-file "LICENSE" (string-append doc ,name "-" ,version))
           (with-directory-excursion bin
             (patch-shebang "dehydrated" (list bash))

             ;; Do not try to write in the store.
             (substitute* "dehydrated"
               (("SCRIPTDIR=\"\\$.*\"") "SCRIPTDIR=~/.dehydrated"))

             ;; 'wrap-program' itself runs bash.  The wrapper pins the
             ;; tools the script shells out to -- including the 'openssl'
             ;; CLI from the 1.0.2 series package above -- to the exact
             ;; inputs listed below, instead of whatever is on the user's
             ;; PATH at run time.
             (setenv "PATH" bash)
             (wrap-program "dehydrated"
               `("PATH" ":" prefix
                 ,(map (lambda (dir)
                         (string-append dir "/bin"))
                       (map (lambda (input)
                              (assoc-ref %build-inputs input))
                            '("coreutils"
                              "curl"
                              "diffutils"
                              "gawk"
                              "grep"
                              "openssl"
                              "sed"))))))
           #t))))
    (inputs
     `(("bash" ,bash)
       ("coreutils" ,coreutils)
       ("curl" ,curl)
       ("diffutils" ,diffutils)
       ("gawk" ,gawk)
       ("grep" ,grep)
       ("openssl" ,openssl)
       ("sed" ,sed)))
    ;; Only used by the builder to unpack the source.
    (native-inputs
     `(("gzip" ,gzip)
       ("tar" ,tar)))
    (home-page "https://dehydrated.io/")
    (synopsis "Let's Encrypt/ACME client implemented as a shell script")
    (description "Dehydrated is a client for signing certificates with an
ACME-server (currently only provided by Let's Encrypt) implemented as a
relatively simple Bash script.")
    (license license:expat)))