;;; GNU Guix --- Functional package management for GNU
;;; Copyright © 2012, 2013, 2014, 2015, 2016, 2017 Ludovic Courtès <ludo@gnu.org>
;;; Copyright © 2014, 2015, 2016, 2017 Mark H Weaver <mhw@netris.org>
;;; Copyright © 2014 Ian Denhardt <ian@zenhack.net>
;;; Copyright © 2013, 2015 Andreas Enge <andreas@enge.fr>
;;; Copyright © 2015 David Thompson <davet@gnu.org>
;;; Copyright © 2015, 2016, 2017 Leo Famulari <leo@famulari.name>
;;; Copyright © 2016, 2017 Efraim Flashner <efraim@flashner.co.il>
;;; Copyright © 2016, 2017 ng0 <ng0@infotropique.org>
;;; Copyright © 2016 Hartmut Goebel <h.goebel@crazy-compilers.com>
;;; Copyright © 2017 Ricardo Wurmus <rekado@elephly.net>
;;; Copyright © 2017 Marius Bakke <mbakke@fastmail.com>
;;;
;;; This file is part of GNU Guix.
;;;
;;; GNU Guix is free software; you can redistribute it and/or modify it
;;; under the terms of the GNU General Public License as published by
;;; the Free Software Foundation; either version 3 of the License, or (at
;;; your option) any later version.
;;;
;;; GNU Guix is distributed in the hope that it will be useful, but
;;; WITHOUT ANY WARRANTY; without even the implied warranty of
;;; MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
;;; GNU General Public License for more details.
;;;
;;; You should have received a copy of the GNU General Public License
;;; along with GNU Guix. If not, see <http://www.gnu.org/licenses/>.

;; Package definitions for TLS/SSL stacks and the tooling around them: ASN.1
;; libraries and compilers, PKCS#11 plumbing, ACME clients and language
;; bindings.  The (srfi srfi-1) import is what provides 'alist-delete' used by
;; the GnuTLS variants below.
(define-module (gnu packages tls)
  #:use-module ((guix licenses) #:prefix license:)
  #:use-module (guix packages)
  #:use-module (guix download)
  #:use-module (guix utils)
  #:use-module (guix build-system gnu)
  #:use-module (guix build-system perl)
  #:use-module (guix build-system python)
  #:use-module (guix build-system cmake)
  #:use-module (guix build-system haskell)
  #:use-module (gnu packages compression)
  #:use-module (gnu packages)
  #:use-module (gnu packages check)
  #:use-module (gnu packages dns)
  #:use-module (gnu packages guile)
  #:use-module (gnu packages haskell)
  #:use-module (gnu packages haskell-check)
  #:use-module (gnu packages haskell-crypto)
  #:use-module (gnu packages libbsd)
  #:use-module (gnu packages libffi)
  #:use-module (gnu packages libidn)
  #:use-module (gnu packages linux)
  #:use-module (gnu packages ncurses)
  #:use-module (gnu packages nettle)
  #:use-module (gnu packages perl)
  #:use-module (gnu packages pkg-config)
  #:use-module (gnu packages python)
  #:use-module (gnu packages python-crypto)
  #:use-module (gnu packages python-web)
  #:use-module (gnu packages texinfo)
  #:use-module (gnu packages time)
  #:use-module (gnu packages base)
  #:use-module (srfi srfi-1))

;; ASN.1 encoding/decoding library; consumed by GnuTLS and p11-kit below.
(define-public libtasn1
  (package
    (name "libtasn1")
    (version "4.12")
    ;; Security update delivered as a graft: the replacement (defined right
    ;; below) is the same 4.12 tarball plus the CVE-2017-10790 patch.
    (replacement libtasn1/fixed)
    (source
     (origin
       (method url-fetch)
       (uri (string-append "mirror://gnu/libtasn1/libtasn1-"
                           version ".tar.gz"))
       (sha256
        (base32
         "0ls7jdq3y5fnrwg0pzhq11m21r8pshac2705bczz6mqjc8pdllv7"))))
    (build-system gnu-build-system)
    ;; Perl is a build-time-only dependency.
    (native-inputs `(("perl" ,perl)))
    (home-page "https://www.gnu.org/software/libtasn1/")
    (synopsis "ASN.1 library")
    (description
     "GNU libtasn1 is a library implementing the ASN.1 notation. It is used
for transmitting machine-neutral encodings of data objects in computer
networking, allowing for formal validation of data according to some
specifications.")
    (license license:lgpl2.0+)))

;; 'libtasn1' with the CVE-2017-10790 fix applied.  Only used as the graft
;; 'replacement' of 'libtasn1' above, hence not exported; everything except
;; the patch list is inherited from the original source.
(define libtasn1/fixed
  (package
    (inherit libtasn1)
    (source (origin
              (inherit (package-source libtasn1))
              (patches (search-patches "libtasn1-CVE-2017-10790.patch"))))))

;; Compiler from ASN.1 modules to C source; a stand-alone tool, unrelated to
;; the libtasn1 runtime library above.
(define-public asn1c
  (package
    (name "asn1c")
    (version "0.9.28")
    (source (origin
              (method url-fetch)
              (uri (string-append "https://lionet.info/soft/asn1c-"
                                  version ".tar.gz"))
              (sha256
               (base32
                "1fc64g45ykmv73kdndr4zdm4wxhimhrir4rxnygxvwkych5l81w0"))))
    (build-system gnu-build-system)
    ;; Perl is a build-time-only dependency.
    (native-inputs
     `(("perl" ,perl)))
    (home-page "https://lionet.info/asn1c")
    (synopsis "ASN.1 to C compiler")
    (description "The ASN.1 to C compiler takes ASN.1 module
files and generates C++ compatible C source code. That code can be
used to serialize the native C structures into compact and unambiguous
BER/XER/PER-based data files, and deserialize the files back.

Various ASN.1 based formats are widely used in the industry, such as to encode
the X.509 certificates employed in the HTTPS handshake, to exchange control
data between mobile phones and cellular networks, to car-to-car communication
in intelligent transportation networks.")
    (license license:bsd-2)))

;; PKCS#11 module loader/coordinator.  Note that GnuTLS below is currently
;; built with "--without-p11-kit", so this package is not wired into it.
(define-public p11-kit
  (package
    (name "p11-kit")
    (version "0.23.9")
    (source
     (origin
       (method url-fetch)
       (uri (string-append "https://github.com/p11-glue/p11-kit/releases/"
                           "download/" version "/p11-kit-" version ".tar.gz"))
       (sha256
        (base32
         "0qyvnkb5hfi94wv3bn67y20hcbbvynvjwxpk7k9sh1si6ff69hg1"))))
    (build-system gnu-build-system)
    (native-inputs
     `(("pkg-config" ,pkg-config)))
    (inputs
     `(("libffi" ,libffi)
       ("libtasn1" ,libtasn1)))
    (arguments
     ;; NOTE(review): "--without-trust-paths" builds p11-kit with no default
     ;; system trust paths compiled in, so trust anchors have to be configured
     ;; explicitly by the user or the consuming application — confirm against
     ;; p11-kit's configure script when bumping the version.
     `(#:configure-flags '("--without-trust-paths")))
    (home-page "http://p11-glue.freedesktop.org/p11-kit.html")
    (synopsis "PKCS#11 library")
    (description
     "p11-kit provides a way to load and enumerate PKCS#11 modules. It
provides a standard configuration setup for installing PKCS#11 modules
in such a way that they are discoverable. It also solves problems with
coordinating the use of PKCS#11 by different components or libraries
living in the same process.")
    (license license:bsd-3)))

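;; TODO Add net-tools-for-tests to #:disallowed-references when we can afford
;; rebuild GnuTLS (i.e. core-updates).
(define-public gnutls
  (package
    (name "gnutls")
    (version "3.5.13")
    (source (origin
              (method url-fetch)
              (uri
               ;; Note: Releases are no longer on ftp.gnu.org since the
               ;; schism (after version 3.1.5).
               (string-append "mirror://gnupg/gnutls/v"
                              (version-major+minor version)
                              "/gnutls-" version ".tar.xz"))
              ;; Judging by their names, these patches skip two tests that
              ;; depend on the host environment (system trust store and
              ;; pkg-config) rather than on GnuTLS itself.
              (patches
               (search-patches "gnutls-skip-trust-store-test.patch"
                               "gnutls-skip-pkgconfig-test.patch"))
              (sha256
               (base32
                "15ihq6p0hnnhs8cnjrkj40dmlcaa1jjg8xg0g2ydbnlqs454ixbr"))))
    (build-system gnu-build-system)
    (arguments
     '(#:configure-flags
       (list
        ;; GnuTLS doesn't consult any environment variables to specify
        ;; the location of the system-wide trust store. Instead it has a
        ;; configure-time option. Unless specified, its configure script
        ;; attempts to auto-detect the location by looking for common
        ;; places in the file system, none of which are present in our
        ;; chroot build environment. If not found, then no default trust
        ;; store is used, so each program has to provide its own
        ;; fallback, and users have to configure each program
        ;; independently. This seems suboptimal.
        "--with-default-trust-store-dir=/etc/ssl/certs"

        ;; FIXME: Temporarily disable p11-kit support since it is not
        ;; working on mips64el.
        ;; Consequence: GnuTLS cannot load PKCS#11 modules (hardware
        ;; tokens, p11-kit trust modules), so certificate trust comes solely
        ;; from the static directory configured above.
        "--without-p11-kit")

       #:phases (modify-phases %standard-phases
                  (add-after
                   'install 'move-doc
                   (lambda* (#:key outputs #:allow-other-keys)
                     ;; Copy the 4.1 MiB of section 3 man pages to "doc".
                     (let* ((out (assoc-ref outputs "out"))
                            (doc (assoc-ref outputs "doc"))
                            (mandir (string-append doc "/share/man/man3"))
                            (oldman (string-append out "/share/man/man3")))
                       (mkdir-p mandir)
                       (copy-recursively oldman mandir)
                       (delete-file-recursively oldman)
                       #t))))))
    (outputs '("out" ;4.4 MiB
               "debug"
               "doc")) ;4.1 MiB of man pages
    (native-inputs
     `(("net-tools" ,net-tools-for-tests)
       ("pkg-config" ,pkg-config)
       ("which" ,which)))
    (inputs
     `(("guile" ,guile-2.2)))
    (propagated-inputs
     ;; These are all in the 'Requires.private' field of gnutls.pc.
     `(("libtasn1" ,libtasn1)
       ("libidn2" ,libidn2)
       ("nettle" ,nettle)
       ("zlib" ,zlib)))
    (home-page "https://www.gnu.org/software/gnutls/")
    (synopsis "Transport layer security library")
    ;; "X.509" was previously misspelt "X.5009" in this user-facing text.
    (description
     "GnuTLS is a secure communications library implementing the SSL, TLS
and DTLS protocols. It is provided in the form of a C library to support the
protocols, as well as to parse and write X.509, PKCS 12, OpenPGP and other
required structures.")
    (license license:lgpl2.1+)
    (properties '((ftp-server . "ftp.gnutls.org")
                  (ftp-directory . "/gcrypt/gnutls")))))
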
;; Deprecation alias: 'gnutls' itself is now built against Guile 2.2 (see its
;; inputs), so the former "guile2.2-gnutls" name simply resolves to it.
(define-public gnutls/guile-2.2
  (deprecated-package "guile2.2-gnutls" gnutls))

(define-public gnutls/guile-2.0
  ;; GnuTLS for Guile 2.0.
  ;; Identical to 'gnutls' except that the "guile" input is swapped:
  ;; 'alist-delete' (SRFI-1) removes the inherited guile-2.2 entry so the
  ;; list does not end up with two "guile" keys.
  (package
    (inherit gnutls)
    (name "guile2.0-gnutls")
    (inputs `(("guile" ,guile-2.0)
              ,@(alist-delete "guile" (package-inputs gnutls))))))

(define-public gnutls/dane
  ;; GnuTLS with build libgnutls-dane, implementing DNS-based
  ;; Authentication of Named Entities. This is required for GNS functionality
  ;; by GNUnet and gnURL. This is done in an extra package definition
  ;; to have the choice between GnuTLS with Dane and without Dane.
  ;; No configure flag is passed for DANE; presumably adding 'unbound' as an
  ;; input is enough for configure to detect libunbound and build
  ;; libgnutls-dane — verify in the build log when updating.
  (package
    (inherit gnutls)
    (name "gnutls-dane")
    (inputs `(("unbound" ,unbound)
              ,@(package-inputs gnutls)))))

(define-public openssl
  (package
    (name "openssl")
    (version "1.0.2l")
    ;; Security update delivered as a graft; 'openssl-1.0.2m' below lists the
    ;; CVEs it addresses.
    (replacement openssl-1.0.2m)
    (source (origin
              (method url-fetch)
              ;; Both URIs are plain FTP: integrity of the download rests
              ;; entirely on the sha256 below, not on the transport.
              (uri (list (string-append "ftp://ftp.openssl.org/source/"
                                        name "-" version ".tar.gz")
                         ;; Superseded releases move under "old/<x.y.z>/";
                         ;; trimming the trailing letter yields that directory.
                         (string-append "ftp://ftp.openssl.org/source/old/"
                                        (string-trim-right version char-set:letter)
                                        "/" name "-" version ".tar.gz")))
              (sha256
               (base32
                "037kvpisc6qh5dkppcwbm5bg2q800xh2hma3vghz8xcycmdij1yf"))
              (snippet
               '(begin
                  ;; Remove ELF files. 'substitute*' can't read them.
                  ;; (The 'patch-tests' phase below runs 'substitute*' over
                  ;; every file in test/.)
                  (delete-file "test/ssltest_old")
                  (delete-file "test/v3ext")
                  (delete-file "test/x509aux")
                  #t))
              (patches (search-patches "openssl-runpath.patch"
                                       "openssl-c-rehash-in.patch"))))
    (build-system gnu-build-system)
    (outputs '("out"
               "doc" ;1.5MiB of man3 pages
               "static")) ;6MiB of .a files
    (native-inputs `(("perl" ,perl)))
    (arguments
     ;; NOTE(review): #:disallowed-references is given twice in this list
     ;; (here and below, with different values); only one can take effect and
     ;; which one depends on how Guile resolves duplicate keyword arguments —
     ;; worth collapsing into a single entry.
     `(#:disallowed-references (,perl)
       #:parallel-build? #f
       #:parallel-tests? #f
       #:test-target "test"

       ;; Changes to OpenSSL sometimes cause Perl to "sneak in" to the closure,
       ;; so we explicitly disallow it here.
       #:disallowed-references ,(list (canonical-package perl))
       #:phases
       (modify-phases %standard-phases
         (add-before
          'configure 'patch-Makefile.org
          (lambda* (#:key outputs #:allow-other-keys)
            ;; The default MANDIR is some unusual place. Fix that.
            (let ((out (assoc-ref outputs "out")))
              (patch-makefile-SHELL "Makefile.org")
              (substitute* "Makefile.org"
                (("^MANDIR[[:blank:]]*=.*$")
                 (string-append "MANDIR = " out "/share/man\n")))
              #t)))
         (replace
          'configure
          (lambda* (#:key outputs #:allow-other-keys)
            (let ((out (assoc-ref outputs "out")))
              ;; The phase succeeds only if ./config exits with status 0.
              (zero?
               (system* "./config"
                        "shared" ;build shared libraries
                        "--libdir=lib"

                        ;; The default for this catch-all directory is
                        ;; PREFIX/ssl. Change that to something more
                        ;; conventional.
                        (string-append "--openssldir=" out
                                       "/share/openssl-" ,version)

                        (string-append "--prefix=" out)

                        ;; XXX FIXME: Work around a code generation bug in GCC
                        ;; 4.9.3 on ARM when compiled with -mfpu=neon. See:
                        ;; <https://gcc.gnu.org/bugzilla/show_bug.cgi?id=66917>
                        ,@(if (and (not (%current-target-system))
                                   (string-prefix? "armhf" (%current-system)))
                              '("-mfpu=vfpv3")
                              '()))))))
         (add-after
          'install 'make-libraries-writable
          (lambda* (#:key outputs #:allow-other-keys)
            ;; Make libraries writable so that 'strip' does its job.
            (let ((out (assoc-ref outputs "out")))
              (for-each (lambda (file)
                          (chmod file #o644))
                        (find-files (string-append out "/lib")
                                    "\\.so"))
              #t)))
         (add-after 'install 'move-static-libraries
           (lambda* (#:key outputs #:allow-other-keys)
             ;; Move static libraries to the "static" output.
             (let* ((out (assoc-ref outputs "out"))
                    (lib (string-append out "/lib"))
                    (static (assoc-ref outputs "static"))
                    (slib (string-append static "/lib")))
               (for-each (lambda (file)
                           (install-file file slib)
                           (delete-file file))
                         (find-files lib "\\.a$"))
               #t)))
         (add-after 'install 'move-man3-pages
           (lambda* (#:key outputs #:allow-other-keys)
             ;; Move section 3 man pages to "doc".
             (let* ((out (assoc-ref outputs "out"))
                    (man3 (string-append out "/share/man/man3"))
                    (doc (assoc-ref outputs "doc"))
                    (target (string-append doc "/share/man/man3")))
               (mkdir-p target)
               (for-each (lambda (file)
                           (rename-file file
                                        (string-append target "/"
                                                       (basename file))))
                         (find-files man3))
               (delete-file-recursively man3)
               #t)))
         (add-before
          'patch-source-shebangs 'patch-tests
          (lambda* (#:key inputs native-inputs #:allow-other-keys)
            ;; Rewrite the hard-coded /bin/sh and /bin/rm in the test
            ;; scripts (presumably absent from the build chroot): /bin/sh is
            ;; pointed at bash from the (native) inputs, /bin/rm at plain
            ;; 'rm' resolved through PATH.
            (let ((bash (assoc-ref (or native-inputs inputs) "bash")))
              (substitute* (find-files "test" ".*")
                (("/bin/sh")
                 (string-append bash "/bin/sh"))
                (("/bin/rm")
                 "rm"))
              #t)))
         (add-after
          'install 'remove-miscellany
          (lambda* (#:key outputs #:allow-other-keys)
            ;; The 'misc' directory contains random undocumented shell and Perl
            ;; scripts. Remove them to avoid retaining a reference on Perl.
            (let ((out (assoc-ref outputs "out")))
              (delete-file-recursively (string-append out "/share/openssl-"
                                                      ,version "/misc"))
              #t))))))
    (native-search-paths
     ;; FIXME: These two variables must designate a single file or directory
     ;; and are not actually "search paths." In practice it works OK in user
     ;; profiles because there's always just one item that matches the
     ;; specification.
     (list (search-path-specification
            (variable "SSL_CERT_DIR")
            (files '("etc/ssl/certs")))
           (search-path-specification
            (variable "SSL_CERT_FILE")
            (files '("etc/ssl/certs/ca-certificates.crt")))))
    (synopsis "SSL/TLS implementation")
    (description
     "OpenSSL is an implementation of SSL/TLS.")
    (license license:openssl)
    (home-page "http://www.openssl.org/")))

;; Fixes CVE-2017-3735 and CVE-2017-3736.
;; See <https://www.openssl.org/news/cl102.txt>.
;; Graft 'replacement' for 'openssl' above: the source inherits its patches
;; and snippet, and the build phases are inherited via the package, so only
;; the version, the download URIs and the hash differ.  Unlike 'openssl',
;; an HTTPS URI is tried first here.
(define-public openssl-1.0.2m
  (package
    (inherit openssl)
    (version "1.0.2m")
    (source (origin
              (inherit (package-source openssl))
              (uri (list (string-append "https://www.openssl.org/source/openssl-"
                                        version ".tar.gz")
                         (string-append "ftp://ftp.openssl.org/source/openssl-"
                                        version ".tar.gz")
                         (string-append "ftp://ftp.openssl.org/source/old/"
                                        (string-trim-right version char-set:letter)
                                        "/openssl-" version ".tar.gz")))
              (sha256
               (base32
                "03vvlfnxx4lhxc83ikfdl6jqph4h52y7lb7li03va6dkqrgg2vwc"))))))

;; OpenSSL 1.1.x line.  It keeps the package name "openssl" but lives in a
;; separate variable, so nothing resolves to it unless referenced explicitly.
;; The origin is written from scratch (no 'inherit'), so neither the snippet
;; nor the patches of 'openssl' apply here.
(define-public openssl-next
  (package
    (inherit openssl)
    (name "openssl")
    (version "1.1.0g")
    (source (origin
              (method url-fetch)
              (uri (list (string-append "https://www.openssl.org/source/openssl-"
                                        version ".tar.gz")
                         (string-append "ftp://ftp.openssl.org/source/"
                                        name "-" version ".tar.gz")
                         (string-append "ftp://ftp.openssl.org/source/old/"
                                        (string-trim-right version char-set:letter)
                                        "/" name "-" version ".tar.gz")))
              ;; Only the c-rehash patch is carried over; per the comment in
              ;; the configure phase below, -rpath is passed to ./config
              ;; directly, which is what 'openssl-runpath.patch' did for 1.0.2.
              (patches (search-patches "openssl-1.1.0-c-rehash-in.patch"))
              (sha256
               (base32
                "1bvka2wf33w2vxv7yw578nnjqyhz2b3chvfb0l4k2ffscw950kfy"))))
    (outputs '("out"
               "doc" ;1.3MiB of man3 pages
               "static")) ; 5.5MiB of .a files
    (arguments
     (substitute-keyword-arguments (package-arguments openssl)
       ((#:phases phases)
        `(modify-phases ,phases
           (delete 'patch-tests) ; These two phases are not needed by
           (delete 'patch-Makefile.org) ; OpenSSL 1.1.0.

           ;; Override configure phase since -rpath is now a configure option.
           (replace 'configure
             (lambda* (#:key outputs #:allow-other-keys)
               (let* ((out (assoc-ref outputs "out"))
                      (lib (string-append out "/lib")))
                 ;; The phase succeeds only if ./config exits with status 0.
                 (zero?
                  (system* "./config"
                           "shared" ;build shared libraries
                           "--libdir=lib"

                           ;; The default for this catch-all directory is
                           ;; PREFIX/ssl. Change that to something more
                           ;; conventional.
                           (string-append "--openssldir=" out
                                          "/share/openssl-" ,version)

                           (string-append "--prefix=" out)
                           (string-append "-Wl,-rpath," lib)

                           ;; XXX FIXME: Work around a code generation bug in GCC
                           ;; 4.9.3 on ARM when compiled with -mfpu=neon. See:
                           ;; <https://gcc.gnu.org/bugzilla/show_bug.cgi?id=66917>
                           ,@(if (and (not (%current-target-system))
                                      (string-prefix? "armhf" (%current-system)))
                                 '("-mfpu=vfpv3")
                                 '()))))))

           ;; XXX: Duplicate this phase to make sure 'version' evaluates
           ;; in the current scope and not the inherited one.
           (replace 'remove-miscellany
             (lambda* (#:key outputs #:allow-other-keys)
               ;; The 'misc' directory contains random undocumented shell and Perl
               ;; scripts. Remove them to avoid retaining a reference on Perl.
               (let ((out (assoc-ref outputs "out")))
                 (delete-file-recursively (string-append out "/share/openssl-"
                                                         ,version "/misc"))
                 #t)))))))))

(define-public libressl
  (package
    (name "libressl")
    (version "2.5.5")
    (source (origin
              (method url-fetch)
              (uri (string-append "mirror://openbsd/LibreSSL/"
                                  name "-" version ".tar.gz"))
              (sha256
               (base32
                "1i77viqy1afvbr392npk9v54k9zhr9zq2vhv6pliza22b0ymwzz5"))))
    (build-system gnu-build-system)
    (arguments
     ;; Do as if 'getentropy' was missing since older Linux kernels lack it
     ;; and libc would return ENOSYS, which is not properly handled.
     ;; See <https://lists.gnu.org/archive/html/guix-devel/2017-04/msg00235.html>.
     ;; NOTE(review): this forces LibreSSL onto its own fallback entropy
     ;; path instead of libc's getentropy(); since it affects how the CSPRNG
     ;; is seeded, re-evaluate the workaround when the kernel/glibc baseline
     ;; moves.
     '(#:configure-flags '("ac_cv_func_getentropy=no"
                           ;; Provide a TLS-enabled netcat.
                           "--enable-nc")))
    (native-search-paths
     ;; FIXME: These two variables must designate a single file or directory
     ;; and are not actually "search paths." In practice it works OK in
     ;; user profiles because there's always just one item that matches the
     ;; specification.
     (list (search-path-specification
            (variable "SSL_CERT_DIR")
            (files '("etc/ssl/certs")))
           (search-path-specification
            (variable "SSL_CERT_FILE")
            (files '("etc/ssl/certs/ca-certificates.crt")))))
    (home-page "https://www.libressl.org/")
    (synopsis "SSL/TLS implementation")
    (description "LibreSSL is a version of the TLS/crypto stack, forked from
OpenSSL in 2014 with the goals of modernizing the codebase, improving security,
and applying best practice development processes. This package also includes a
netcat implementation that supports TLS.")
    ;; Files taken from OpenSSL keep their license, others are under various
    ;; non-copyleft licenses.
    (license (list license:openssl
                   (license:non-copyleft
                    "file://COPYING"
                    "See COPYING in the distribution.")))))

;; ACME client library; 'certbot' below takes its version and build phases
;; from this package.
(define-public python-acme
  (package
    (name "python-acme")
    ;; Remember to update the hash of certbot when updating python-acme.
    (version "0.19.0")
    (source (origin
              (method url-fetch)
              (uri (pypi-uri "acme" version))
              (sha256
               (base32
                "08p8w50zciqlhgn3ab0wbbvi1zyg3x37r1gywq0z1allsij3v8hz"))))
    (build-system python-build-system)
    (arguments
     `(#:phases
       (modify-phases %standard-phases
         ;; Build the man and Info pages (Sphinx and texinfo are in
         ;; native-inputs for this); the phase fails if 'make' exits non-zero.
         (add-after 'build 'build-documentation
           (lambda _
             (zero? (system* "make" "-C" "docs" "man" "info"))))
         (add-after 'install 'install-documentation
           (lambda* (#:key outputs #:allow-other-keys)
             (let* ((out (assoc-ref outputs "out"))
                    (man (string-append out "/share/man/man1"))
                    (info (string-append out "/info")))
               (install-file "docs/_build/texinfo/acme-python.info" info)
               (install-file "docs/_build/man/acme-python.1" man)
               #t))))))
    ;; TODO: Add optional inputs for testing.
    (native-inputs
     `(("python-mock" ,python-mock-2)
       ;; For documentation
       ("python-sphinx" ,python-sphinx)
       ("python-sphinxcontrib-programoutput" ,python-sphinxcontrib-programoutput)
       ("python-sphinx-rtd-theme" ,python-sphinx-rtd-theme)
       ("texinfo" ,texinfo)))
    (propagated-inputs
     `(("python-six" ,python-six)
       ("python-requests" ,python-requests)
       ("python-pytz" ,python-pytz)
       ("python-pyrfc3339" ,python-pyrfc3339)
       ("python-pyasn1" ,python-pyasn1)
       ("python-cryptography" ,python-cryptography)
       ("python-pyopenssl" ,python-pyopenssl)))
    (home-page "https://github.com/letsencrypt/letsencrypt")
    (synopsis "ACME protocol implementation in Python")
    (description "ACME protocol implementation in Python")
    (license license:asl2.0)))

(define-public certbot
  (package
    (name "certbot")
    ;; Certbot and python-acme are developed in the same repository, and their
    ;; versions should remain synchronized.
    (version (package-version python-acme))
    (source (origin
              (method url-fetch)
              (uri (pypi-uri name version))
              ;; Hash of the certbot tarball; because the version above is
              ;; derived from python-acme, this must be refreshed in the same
              ;; change that bumps python-acme.
              (sha256
               (base32
                "0lwxqz3r0fg3dy06fgba1dfs7n6ribc25z0rh5rqbl7mvy8hf8x7"))))
    (build-system python-build-system)
    (arguments
     ;; Reuse python-acme's phases wholesale, replacing only the documentation
     ;; install step: Certbot ships man1 and man7 pages and a differently
     ;; named Info file.
     `(,@(substitute-keyword-arguments (package-arguments python-acme)
           ((#:phases phases)
            `(modify-phases ,phases
               (replace 'install-documentation
                 (lambda* (#:key outputs #:allow-other-keys)
                   (let* ((out (assoc-ref outputs "out"))
                          (man1 (string-append out "/share/man/man1"))
                          (man7 (string-append out "/share/man/man7"))
                          (info (string-append out "/info")))
                     (install-file "docs/_build/texinfo/Certbot.info" info)
                     (install-file "docs/_build/man/certbot.1" man1)
                     (install-file "docs/_build/man/certbot.7" man7)
                     #t))))))))
    ;; TODO: Add optional inputs for testing.
    (native-inputs
     `(("python-nose" ,python-nose)
       ("python-mock" ,python-mock-2)
       ;; For documentation
       ("python-sphinx" ,python-sphinx)
       ("python-sphinx-rtd-theme" ,python-sphinx-rtd-theme)
       ("python-sphinx-repoze-autointerface" ,python-sphinx-repoze-autointerface)
       ("python-sphinxcontrib-programoutput" ,python-sphinxcontrib-programoutput)
       ("texinfo" ,texinfo)))
    (propagated-inputs
     `(("python-acme" ,python-acme)
       ("python-zope-interface" ,python-zope-interface)
       ("python-pyrfc3339" ,python-pyrfc3339)
       ("python-pyopenssl" ,python-pyopenssl)
       ("python-configobj" ,python-configobj)
       ("python-configargparse" ,python-configargparse)
       ("python-zope-component" ,python-zope-component)
       ("python-parsedatetime" ,python-parsedatetime)
       ("python-six" ,python-six)
       ("python-psutil" ,python-psutil)
       ("python-requests" ,python-requests)
       ("python-pytz" ,python-pytz)))
    (synopsis "Let's Encrypt client by the Electronic Frontier Foundation")
    (description "Certbot automatically receives and installs X.509 certificates
to enable Transport Layer Security (TLS) on servers. It interoperates with the
Let’s Encrypt certificate authority (CA), which issues browser-trusted
certificates for free.")
    (home-page "https://certbot.eff.org/")
    (license license:asl2.0)))

;; Former name of 'certbot'.  The 'superseded' property tells Guix that
;; 'certbot' replaces this package, so existing users are steered to it.
(define-public letsencrypt
  (package (inherit certbot)
    (name "letsencrypt")
    (properties `((superseded . ,certbot)))))

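;; Perl bindings for OpenSSL; links against the 'openssl' package above.
(define-public perl-net-ssleay
  (package
    (name "perl-net-ssleay")
    (version "1.81")
    (source (origin
              (method url-fetch)
              (uri (string-append "mirror://cpan/authors/id/M/MI/MIKEM/"
                                  "Net-SSLeay-" version ".tar.gz"))
              (sha256
               (base32
                "0z8vya34g88bc41kx955sv7y4niwbbywji8liqbl52v29qbvdjq0"))))
    (build-system perl-build-system)
    (inputs `(("openssl" ,openssl)))
    (arguments
     `(#:phases
       (modify-phases %standard-phases
         (add-before
          'configure 'set-ssl-prefix
          (lambda* (#:key inputs #:allow-other-keys)
            ;; Tell the build where OpenSSL lives (presumably consumed by
            ;; Makefile.PL to find headers and libraries).
            (setenv "OPENSSL_PREFIX" (assoc-ref inputs "openssl"))
            #t)))))
    (synopsis "Perl extension for using OpenSSL")
    (description
     "This module offers some high level convenience functions for accessing
web pages on SSL servers (for symmetry, the same API is offered for accessing
http servers, too), an sslcat() function for writing your own clients, and
finally access to the SSL api of the SSLeay/OpenSSL package so you can write
servers or clients for more complicated applications.")
    (license license:perl-license)
    ;; Use the unversioned distribution page, as the other CPAN packages in
    ;; this file do, rather than a page pinned to the old 1.66 release.
    (home-page "http://search.cpan.org/dist/Net-SSLeay")))
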
;; The inputs and arguments below refer to 'perl-crypt-openssl-bignum',
;; 'perl-crypt-openssl-random' and 'perl-crypt-arguments', all defined later
;; in this file; this works because those package fields are evaluated
;; lazily, not at definition time.
(define-public perl-crypt-openssl-rsa
  (package
    (name "perl-crypt-openssl-rsa")
    (version "0.28")
    (source
     (origin
       (method url-fetch)
       (uri (string-append
             "mirror://cpan/authors/id/P/PE/PERLER/Crypt-OpenSSL-RSA-"
             version
             ".tar.gz"))
       (sha256
        (base32
         "1gnpvv09b2gpifwdzc5jnhama3d1a4c39lzj9hcaicsb8rvzjmsk"))))
    (build-system perl-build-system)
    (inputs
     `(("perl-crypt-openssl-bignum" ,perl-crypt-openssl-bignum)
       ("perl-crypt-openssl-random" ,perl-crypt-openssl-random)
       ("openssl" ,openssl)))
    ;; Shared Makefile.PL fix-up for the Crypt::OpenSSL::* modules.
    (arguments perl-crypt-arguments)
    (home-page
     "http://search.cpan.org/dist/Crypt-OpenSSL-RSA")
    (synopsis
     "RSA encoding and decoding, using the openSSL libraries")
    (description "Crypt::OpenSSL::RSA does RSA encoding and decoding (using the
OpenSSL libraries).")
    (license license:perl-license)))

;; Build arguments shared by the three Crypt::OpenSSL::* packages: rewrite the
;; 'LIBS' entry of Makefile.PL so libcrypto is linked from the 'openssl'
;; input's lib directory rather than from wherever the build host has it.
(define perl-crypt-arguments
  `(#:phases (modify-phases %standard-phases
               (add-before 'configure 'patch-Makefile.PL
                 (lambda* (#:key inputs #:allow-other-keys)
                   (substitute* "Makefile.PL"
                     (("'LIBS'.*=>.*") (string-append "'LIBS' => ['-L"
                                                      (assoc-ref inputs "openssl")
                                                      "/lib -lcrypto'],")))
                   #t)))))

(define-public perl-crypt-openssl-bignum
  (package
    (name "perl-crypt-openssl-bignum")
    (version "0.08")
    (source
     (origin
       (method url-fetch)
       (uri (string-append
             "mirror://cpan/authors/id/K/KM/KMX/Crypt-OpenSSL-Bignum-"
             version
             ".tar.gz"))
       (sha256
        (base32
         "0gamn4dff1bz77nswacy1dlpn9fkwahzw7yvvik4nbwwy2s63hc8"))))
    (build-system perl-build-system)
    (inputs `(("openssl" ,openssl)))
    ;; Shared Makefile.PL fix-up for the Crypt::OpenSSL::* modules.
    (arguments perl-crypt-arguments)
    (home-page
     "http://search.cpan.org/dist/Crypt-OpenSSL-Bignum")
    (synopsis
     "OpenSSL's multiprecision integer arithmetic in Perl")
    (description "Crypt::OpenSSL::Bignum provides multiprecision integer
arithmetic in Perl.")
    ;; At your option either gpl1+ or the Artistic License
    (license license:perl-license)))

(define-public perl-crypt-openssl-random
  (package
    (name "perl-crypt-openssl-random")
    (version "0.11")
    (source
     (origin
       (method url-fetch)
       (uri (string-append
             "mirror://cpan/authors/id/R/RU/RURBAN/Crypt-OpenSSL-Random-"
             version
             ".tar.gz"))
       (sha256
        (base32
         "0yjcabkibrkafywvdkmd1xpi6br48skyk3l15ni176wvlg38335v"))))
    (build-system perl-build-system)
    (inputs `(("openssl" ,openssl)))
    ;; Shared Makefile.PL fix-up for the Crypt::OpenSSL::* modules.
    (arguments perl-crypt-arguments)
    (home-page
     "http://search.cpan.org/dist/Crypt-OpenSSL-Random")
    (synopsis
     "OpenSSL/LibreSSL pseudo-random number generator access")
    (description "Crypt::OpenSSL::Random is a OpenSSL/LibreSSL pseudo-random
number generator")
    (license license:perl-license)))

;; ACME client written in C; built against LibreSSL rather than OpenSSL.
(define-public acme-client
  (package
    (name "acme-client")
    (version "0.1.16")
    (source (origin
              (method url-fetch)
              (uri (string-append "https://kristaps.bsd.lv/" name "/"
                                  "snapshots/" name "-portable-"
                                  version ".tgz"))
              (sha256
               (base32
                "00q05b3b1dfnfp7sr1nbd212n0mqrycl3cr9lbs51m7ncaihbrz9"))))
    (build-system gnu-build-system)
    (arguments
     '(#:tests? #f ; no test suite
       #:make-flags
       (list "CC=gcc"
             (string-append "PREFIX=" (assoc-ref %outputs "out")))
       #:phases
       (modify-phases %standard-phases
         (add-after 'unpack 'patch-paths
           (lambda* (#:key inputs #:allow-other-keys)
             ;; http.c hard-codes /etc/ssl/cert.pem as its CA bundle
             ;; (presumably for verifying the ACME server); redirect it to
             ;; the bundle shipped in the libressl input.
             ;; NOTE(review): this pins acme-client's trust anchors to the
             ;; file inside the libressl store item rather than to the
             ;; host's /etc/ssl/certs (SSL_CERT_DIR/SSL_CERT_FILE); confirm
             ;; the libressl package actually provides etc/ssl/cert.pem and
             ;; that this is the intended trust source.
             (let ((pem (string-append (assoc-ref inputs "libressl")
                                       "/etc/ssl/cert.pem")))
               (substitute* "http.c"
                 (("/etc/ssl/cert.pem") pem))
               #t)))
         (delete 'configure)))) ; no './configure' script
    (native-inputs
     `(("pkg-config" ,pkg-config)))
    (inputs
     `(("libbsd" ,libbsd)
       ("libressl" ,libressl)))
    (synopsis "Let's Encrypt client by the OpenBSD project")
    (description "acme-client is a Let's Encrypt client implemented in C. It
uses a modular design, and attempts to secure itself by dropping privileges and
operating in a chroot where possible. acme-client is developed on OpenBSD and
then ported to the GNU / Linux environment.")
    (home-page "https://kristaps.bsd.lv/acme-client/")
    ;; acme-client is distributed under the ISC license, but the files 'jsmn.h'
    ;; and 'jsmn.c' are distributed under the Expat license.
    (license (list license:isc license:expat))))

;; The "-apache" variant is upstream's preferred variant.  A "-gpl"
;; variant exists in addition to the "-apache" one.
(define-public mbedtls-apache
  (package
    (name "mbedtls-apache")
    (version "2.6.0")
    (source
     (origin
       (method url-fetch)
       ;; XXX: The download links on the website are script redirection links
       ;; which effectively lead to the format listed in the uri here.
       (uri (string-append "https://tls.mbed.org/download/mbedtls-"
                           version "-apache.tgz"))
       (sha256
        (base32
         "11wnj34rfqxjggmdgf042i49lr6civgbqwv2p7p8bn6k2919vg4r"))))
    (build-system cmake-build-system)
    ;; Perl is a build-time-only dependency.
    (native-inputs
     `(("perl" ,perl)))
    (synopsis "Small TLS library")
    (description
     "@code{mbed TLS}, formerly known as PolarSSL, makes it trivially easy
for developers to include cryptographic and SSL/TLS capabilities in their
(embedded) products, facilitating this functionality with a minimal
coding footprint.")
    (home-page "https://tls.mbed.org")
    (license license:asl2.0)))

;; Native Haskell TLS implementation.  Its inputs contain no OpenSSL or
;; GnuTLS, so it is unaffected by the grafts applied to those packages above.
(define-public ghc-tls
  (package
    (name "ghc-tls")
    (version "1.3.8")
    (source (origin
              (method url-fetch)
              (uri (string-append "https://hackage.haskell.org/package/"
                                  "tls/tls-" version ".tar.gz"))
              (sha256
               (base32
                "1rdidf18i781c0vdvy9yn79yh08hmcacf6fp3sgghyiy3h0wyh5l"))))
    (build-system haskell-build-system)
    (inputs
     `(("ghc-mtl" ,ghc-mtl)
       ("ghc-cereal" ,ghc-cereal)
       ("ghc-data-default-class" ,ghc-data-default-class)
       ("ghc-memory" ,ghc-memory)
       ("ghc-cryptonite" ,ghc-cryptonite)
       ("ghc-asn1-types" ,ghc-asn1-types)
       ("ghc-asn1-encoding" ,ghc-asn1-encoding)
       ("ghc-x509" ,ghc-x509)
       ("ghc-x509-store" ,ghc-x509-store)
       ("ghc-x509-validation" ,ghc-x509-validation)
       ("ghc-async" ,ghc-async)
       ("ghc-network" ,ghc-network)
       ("ghc-hourglass" ,ghc-hourglass)))
    ;; Test-only dependencies.
    (native-inputs
     `(("ghc-tasty" ,ghc-tasty)
       ("ghc-tasty-quickcheck" ,ghc-tasty-quickcheck)
       ("ghc-quickcheck" ,ghc-quickcheck)))
    (home-page "https://github.com/vincenthz/hs-tls")
    (synopsis
     "TLS/SSL protocol native implementation (Server and Client)")
    (description
     "Native Haskell TLS and SSL protocol implementation for server and client.
This provides a high-level implementation of a sensitive security protocol,
eliminating a common set of security issues through the use of the advanced
type system, high level constructions and common Haskell features. Currently
implement the SSL3.0, TLS1.0, TLS1.1 and TLS1.2 protocol, and support RSA and
Ephemeral (Elliptic curve and regular) Diffie Hellman key exchanges, and many
extensions.")
    (license license:bsd-3)))