gnu: mbedtls-apache: Update to 2.13.0 [security fixes].
;;; GNU Guix --- Functional package management for GNU
;;; Copyright © 2012, 2013, 2014, 2015, 2016, 2017 Ludovic Courtès <ludo@gnu.org>
;;; Copyright © 2014, 2015, 2016, 2017, 2018 Mark H Weaver <mhw@netris.org>
;;; Copyright © 2014 Ian Denhardt <ian@zenhack.net>
;;; Copyright © 2013, 2015 Andreas Enge <andreas@enge.fr>
;;; Copyright © 2015 David Thompson <davet@gnu.org>
;;; Copyright © 2015, 2016, 2017, 2018 Leo Famulari <leo@famulari.name>
;;; Copyright © 2016, 2017 Efraim Flashner <efraim@flashner.co.il>
;;; Copyright © 2016, 2017, 2018 Nils Gillmann <ng0@n0.is>
;;; Copyright © 2016 Hartmut Goebel <h.goebel@crazy-compilers.com>
;;; Copyright © 2017 Ricardo Wurmus <rekado@elephly.net>
;;; Copyright © 2017, 2018 Marius Bakke <mbakke@fastmail.com>
;;; Copyright © 2017, 2018 Tobias Geerinckx-Rice <me@tobias.gr>
;;; Copyright © 2017 Rutger Helling <rhelling@mykolab.com>
;;; Copyright © 2018 Clément Lassieur <clement@lassieur.org>
;;;
;;; This file is part of GNU Guix.
;;;
;;; GNU Guix is free software; you can redistribute it and/or modify it
;;; under the terms of the GNU General Public License as published by
;;; the Free Software Foundation; either version 3 of the License, or (at
;;; your option) any later version.
;;;
;;; GNU Guix is distributed in the hope that it will be useful, but
;;; WITHOUT ANY WARRANTY; without even the implied warranty of
;;; MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
;;; GNU General Public License for more details.
;;;
;;; You should have received a copy of the GNU General Public License
;;; along with GNU Guix. If not, see <http://www.gnu.org/licenses/>.

;; TLS-related packages: ASN.1 helpers, PKCS#11 plumbing, the TLS stacks
;; themselves (GnuTLS, OpenSSL, LibreSSL), ACME/Let's Encrypt clients and the
;; Perl/Python bindings built on top of them.
;;
;; (guix licenses) is imported under the "license:" prefix, so every license
;; value in this file reads as license:NAME.  The #:use-module order is kept
;; as-is on purpose: NOTE(review) — if two imported modules export the same
;; name, which binding wins may depend on import order; reorder with care.
(define-module (gnu packages tls)
  #:use-module ((guix licenses) #:prefix license:)
  #:use-module (guix packages)
  #:use-module (guix download)
  #:use-module (guix utils)
  #:use-module (guix build-system gnu)
  #:use-module (guix build-system perl)
  #:use-module (guix build-system python)
  #:use-module (guix build-system cmake)
  #:use-module (guix build-system haskell)
  #:use-module (guix build-system trivial)
  #:use-module (gnu packages compression)
  #:use-module (gnu packages)
  #:use-module (gnu packages bash)
  #:use-module (gnu packages check)
  #:use-module (gnu packages curl)
  #:use-module (gnu packages dns)
  #:use-module (gnu packages gawk)
  #:use-module (gnu packages guile)
  #:use-module (gnu packages haskell)
  #:use-module (gnu packages haskell-check)
  #:use-module (gnu packages haskell-crypto)
  #:use-module (gnu packages libbsd)
  #:use-module (gnu packages libffi)
  #:use-module (gnu packages libidn)
  #:use-module (gnu packages linux)
  #:use-module (gnu packages ncurses)
  #:use-module (gnu packages nettle)
  #:use-module (gnu packages perl)
  #:use-module (gnu packages pkg-config)
  #:use-module (gnu packages python)
  #:use-module (gnu packages python-crypto)
  #:use-module (gnu packages python-web)
  #:use-module (gnu packages texinfo)
  #:use-module (gnu packages time)
  ;; (gnu packages base) provides 'canonical-package', used by 'openssl' below.
  #:use-module (gnu packages base)
  ;; srfi-1 provides 'alist-delete', used by the gnutls variants below.
  #:use-module (srfi srfi-1))
(define-public libtasn1
  ;; GNU libtasn1: ASN.1 DER/BER encoder and decoder.  It is consumed further
  ;; down by p11-kit (as a regular input) and by gnutls (propagated, since it
  ;; appears in gnutls.pc's Requires.private).
  (package
    (name "libtasn1")
    (version "4.13")
    (home-page "https://www.gnu.org/software/libtasn1/")
    (source (origin
              (method url-fetch)
              (uri (string-append "mirror://gnu/libtasn1/libtasn1-" version
                                  ".tar.gz"))
              (sha256
               (base32
                "1jlc1iahj8k3haz28j55nzg7sgni5h41vqy461i1bpbx6668wlky"))))
    (build-system gnu-build-system)
    ;; Perl is only needed while building.
    (native-inputs `(("perl" ,perl)))
    (synopsis "ASN.1 library")
    (description
     "GNU libtasn1 is a library implementing the ASN.1 notation. It is used
for transmitting machine-neutral encodings of data objects in computer
networking, allowing for formal validation of data according to some
specifications.")
    (license license:lgpl2.0+)))
(define-public asn1c
  ;; Stand-alone ASN.1-to-C compiler (code generator), not a runtime library;
  ;; nothing else in this file depends on it.
  (package
    (name "asn1c")
    (version "0.9.28")
    (home-page "https://lionet.info/asn1c")
    (source (origin
              (method url-fetch)
              (uri (string-append "https://lionet.info/soft/asn1c-" version
                                  ".tar.gz"))
              (sha256
               (base32
                "1fc64g45ykmv73kdndr4zdm4wxhimhrir4rxnygxvwkych5l81w0"))))
    (build-system gnu-build-system)
    (native-inputs `(("perl" ,perl)))
    (synopsis "ASN.1 to C compiler")
    (description "The ASN.1 to C compiler takes ASN.1 module
files and generates C++ compatible C source code. That code can be
used to serialize the native C structures into compact and unambiguous
BER/XER/PER-based data files, and deserialize the files back.

Various ASN.1 based formats are widely used in the industry, such as to encode
the X.509 certificates employed in the HTTPS handshake, to exchange control
data between mobile phones and cellular networks, to car-to-car communication
in intelligent transportation networks.")
    (license license:bsd-2)))
(define-public p11-kit
  ;; PKCS#11 module loader/coordinator.  Built with "--without-trust-paths",
  ;; i.e. no host trust-store paths are compiled in (presumably so that no
  ;; FHS-specific locations leak into the store; confirm against p11-kit's
  ;; configure if that ever changes).
  (package
    (name "p11-kit")
    (version "0.23.14")
    (home-page "https://p11-glue.freedesktop.org/p11-kit.html")
    (source (origin
              (method url-fetch)
              (uri (string-append "https://github.com/p11-glue/p11-kit/releases/"
                                  "download/" version "/p11-kit-" version
                                  ".tar.gz"))
              (sha256
               (base32
                "0w0dkq9388grbbn4bv2p55vy1j51f7nd9hzlc9gz4fbm4dnzmf8w"))))
    (build-system gnu-build-system)
    (native-inputs `(("pkg-config" ,pkg-config)))
    (inputs `(("libffi" ,libffi)
              ("libtasn1" ,libtasn1)))
    (arguments
     `(#:configure-flags '("--without-trust-paths")
       #:phases
       (modify-phases %standard-phases
         (add-before 'check 'prepare-tests
           (lambda _
             ;; "test-runtime" expects XDG_RUNTIME_DIR to be set up
             ;; and looks for .cache and other directories (only).
             ;; For simplicity just drop it since it is irrelevant
             ;; in the build container.
             (substitute* "Makefile"
               (("test-runtime\\$\\(EXEEXT\\)") ""))
             #t)))))
    (synopsis "PKCS#11 library")
    (description
     "p11-kit provides a way to load and enumerate PKCS#11 modules. It
provides a standard configuration setup for installing PKCS#11 modules
in such a way that they are discoverable. It also solves problems with
coordinating the use of PKCS#11 by different components or libraries
living in the same process.")
    (license license:bsd-3)))
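(define-public gnutls
  ;; GnuTLS, built against Guile 2.2.  The description below previously read
  ;; "X.5009"; it is the X.509 certificate format.
  (package
    (name "gnutls")
    (version "3.5.18")
    (source (origin
              (method url-fetch)
              (uri
               ;; Note: Releases are no longer on ftp.gnu.org since the
               ;; schism (after version 3.1.5).
               (string-append "mirror://gnupg/gnutls/v"
                              (version-major+minor version)
                              "/gnutls-" version ".tar.xz"))
              (patches
               (search-patches "gnutls-skip-trust-store-test.patch"
                               "gnutls-skip-pkgconfig-test.patch"))
              (sha256
               (base32
                "0d02x28fwkkx7xzn7807nww6idchizzq3plx8sfcyiw7wzclh8mf"))))
    (build-system gnu-build-system)
    (arguments
     `(; Ensure we don't keep a reference to this buggy software.
       #:disallowed-references (,net-tools)
       #:configure-flags
       (list
        ;; GnuTLS doesn't consult any environment variables to specify
        ;; the location of the system-wide trust store. Instead it has a
        ;; configure-time option. Unless specified, its configure script
        ;; attempts to auto-detect the location by looking for common
        ;; places in the file system, none of which are present in our
        ;; chroot build environment. If not found, then no default trust
        ;; store is used, so each program has to provide its own
        ;; fallback, and users have to configure each program
        ;; independently. This seems suboptimal.
        ;;
        ;; This is the same directory the SSL_CERT_DIR search path of the
        ;; 'openssl' package below points at, so both stacks agree on where
        ;; CA certificates live.
        "--with-default-trust-store-dir=/etc/ssl/certs"

        ;; FIXME: Temporarily disable p11-kit support since it is not
        ;; working on mips64el.
        "--without-p11-kit")

       #:phases (modify-phases %standard-phases
                  (add-after
                   'install 'move-doc
                   (lambda* (#:key outputs #:allow-other-keys)
                     ;; Move the 4.1 MiB of section 3 man pages to "doc":
                     ;; copy them over, then delete the originals from "out".
                     (let* ((out (assoc-ref outputs "out"))
                            (doc (assoc-ref outputs "doc"))
                            (mandir (string-append doc "/share/man/man3"))
                            (oldman (string-append out "/share/man/man3")))
                       (mkdir-p mandir)
                       (copy-recursively oldman mandir)
                       (delete-file-recursively oldman)
                       #t))))))
    (outputs '("out"                    ;4.4 MiB
               "debug"
               "doc"))                  ;4.1 MiB of man pages
    (native-inputs
     `(("net-tools" ,net-tools)
       ("pkg-config" ,pkg-config)
       ("which" ,which)))
    (inputs
     `(("guile" ,guile-2.2)))
    (propagated-inputs
     ;; These are all in the 'Requires.private' field of gnutls.pc.
     `(("libtasn1" ,libtasn1)
       ("libidn2" ,libidn2)
       ("nettle" ,nettle)
       ("zlib" ,zlib)))
    (home-page "https://www.gnu.org/software/gnutls/")
    (synopsis "Transport layer security library")
    (description
     "GnuTLS is a secure communications library implementing the SSL, TLS
and DTLS protocols. It is provided in the form of a C library to support the
protocols, as well as to parse and write X.509, PKCS 12, OpenPGP and other
required structures.")
    (license license:lgpl2.1+)
    (properties '((ftp-server . "ftp.gnutls.org")
                  (ftp-directory . "/gcrypt/gnutls")))))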
;; Deprecated alias: 'gnutls' itself is now built with guile-2.2 (see its
;; 'inputs' above), so the old "guile2.2-gnutls" name just resolves to it.
(define-public gnutls/guile-2.2
  (deprecated-package "guile2.2-gnutls" gnutls))
(define-public gnutls/guile-2.0
  ;; GnuTLS for Guile 2.0: identical to 'gnutls' except that the "guile"
  ;; input is swapped for guile-2.0 (the original entry is dropped first so
  ;; the inputs list keeps a single "guile" key).
  (package
    (inherit gnutls)
    (name "guile2.0-gnutls")
    (inputs (cons `("guile" ,guile-2.0)
                  (alist-delete "guile" (package-inputs gnutls))))))
(define-public gnutls/dane
  ;; GnuTLS with build libgnutls-dane, implementing DNS-based
  ;; Authentication of Named Entities. This is required for GNS functionality
  ;; by GNUnet and gnURL. This is done in an extra package definition
  ;; to have the choice between GnuTLS with Dane and without Dane.
  ;;
  ;; The only difference from 'gnutls' is the extra "unbound" input;
  ;; presumably GnuTLS's configure picks it up and enables the DANE library
  ;; automatically — confirm against its configure script.
  (package
    (inherit gnutls)
    (name "gnutls-dane")
    (inputs (cons `("unbound" ,unbound)
                  (package-inputs gnutls)))))
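(define-public openssl
  ;; OpenSSL 1.0.2.  Security fixes are delivered through 'openssl/fixed'
  ;; (the 'replacement' field), which is grafted onto this package so that
  ;; dependents do not have to be rebuilt.
  (package
    (name "openssl")
    (replacement openssl/fixed)
    (version "1.0.2o")
    (source (origin
              (method url-fetch)
              ;; HTTPS URL first; the FTP URLs are fallbacks, the last one
              ;; covering releases moved to the "old/" tree.
              (uri (list (string-append "https://www.openssl.org/source/openssl-"
                                        version ".tar.gz")
                         (string-append "ftp://ftp.openssl.org/source/"
                                        name "-" version ".tar.gz")
                         (string-append "ftp://ftp.openssl.org/source/old/"
                                        (string-trim-right version char-set:letter)
                                        "/" name "-" version ".tar.gz")))
              (sha256
               (base32
                "0kcy13l701054nhpbd901mz32v1kn4g311z0nifd83xs2jbmqgzc"))
              (patches (search-patches "openssl-runpath.patch"
                                       "openssl-c-rehash-in.patch"))))
    (build-system gnu-build-system)
    (outputs '("out"
               "doc"                    ;1.5MiB of man3 pages
               "static"))               ;6MiB of .a files
    (native-inputs `(("perl" ,perl)))
    (arguments
     `(#:parallel-build? #f
       #:parallel-tests? #f
       #:test-target "test"

       ;; Changes to OpenSSL sometimes cause Perl to "sneak in" to the closure,
       ;; so we explicitly disallow it here.  This keyword used to be given
       ;; twice — once as (,perl) and once as (canonical-package perl) — and
       ;; only one value of a duplicated keyword argument can take effect, so
       ;; both packages are now listed in a single #:disallowed-references.
       #:disallowed-references ,(list perl (canonical-package perl))
       #:phases
       (modify-phases %standard-phases
         (add-before
          'configure 'patch-Makefile.org
          (lambda* (#:key outputs #:allow-other-keys)
            ;; The default MANDIR is some unusual place. Fix that.
            (let ((out (assoc-ref outputs "out")))
              (patch-makefile-SHELL "Makefile.org")
              (substitute* "Makefile.org"
                (("^MANDIR[[:blank:]]*=.*$")
                 (string-append "MANDIR = " out "/share/man\n")))
              #t)))
         (replace
          'configure
          (lambda* (#:key outputs #:allow-other-keys)
            (let ((out (assoc-ref outputs "out")))
              (invoke "./config"
                      "shared"          ;build shared libraries
                      "--libdir=lib"

                      ;; The default for this catch-all directory is
                      ;; PREFIX/ssl. Change that to something more
                      ;; conventional.
                      (string-append "--openssldir=" out
                                     "/share/openssl-" ,version)

                      (string-append "--prefix=" out)

                      ;; XXX FIXME: Work around a code generation bug in GCC
                      ;; 4.9.3 on ARM when compiled with -mfpu=neon. See:
                      ;; <https://gcc.gnu.org/bugzilla/show_bug.cgi?id=66917>
                      ,@(if (and (not (%current-target-system))
                                 (string-prefix? "armhf" (%current-system)))
                            '("-mfpu=vfpv3")
                            '())))))
         (add-after
          'install 'make-libraries-writable
          (lambda* (#:key outputs #:allow-other-keys)
            ;; Make libraries writable so that 'strip' does its job.
            (let ((out (assoc-ref outputs "out")))
              (for-each (lambda (file)
                          (chmod file #o644))
                        (find-files (string-append out "/lib")
                                    "\\.so"))
              #t)))
         (add-after 'install 'move-static-libraries
           (lambda* (#:key outputs #:allow-other-keys)
             ;; Move static libraries to the "static" output.
             (let* ((out (assoc-ref outputs "out"))
                    (lib (string-append out "/lib"))
                    (static (assoc-ref outputs "static"))
                    (slib (string-append static "/lib")))
               (for-each (lambda (file)
                           (install-file file slib)
                           (delete-file file))
                         (find-files lib "\\.a$"))
               #t)))
         (add-after 'install 'move-man3-pages
           (lambda* (#:key outputs #:allow-other-keys)
             ;; Move section 3 man pages to "doc".
             (let* ((out (assoc-ref outputs "out"))
                    (man3 (string-append out "/share/man/man3"))
                    (doc (assoc-ref outputs "doc"))
                    (target (string-append doc "/share/man/man3")))
               (mkdir-p target)
               (for-each (lambda (file)
                           (rename-file file
                                        (string-append target "/"
                                                       (basename file))))
                         (find-files man3))
               (delete-file-recursively man3)
               #t)))
         (add-before
          'patch-source-shebangs 'patch-tests
          (lambda* (#:key inputs native-inputs #:allow-other-keys)
            ;; Point the test scripts at the store's bash (native-inputs when
            ;; cross-compiling, inputs otherwise) and at 'rm' from PATH.
            (let ((bash (assoc-ref (or native-inputs inputs) "bash")))
              (substitute* (find-files "test" ".*")
                (("/bin/sh")
                 (string-append bash "/bin/sh"))
                (("/bin/rm")
                 "rm"))
              #t)))
         (add-after
          'install 'remove-miscellany
          (lambda* (#:key outputs #:allow-other-keys)
            ;; The 'misc' directory contains random undocumented shell and Perl
            ;; scripts. Remove them to avoid retaining a reference on Perl.
            (let ((out (assoc-ref outputs "out")))
              (delete-file-recursively (string-append out "/share/openssl-"
                                                      ,version "/misc"))
              #t))))))
    (native-search-paths
     ;; Both variables name a single location, hence (separator #f).
     (list (search-path-specification
            (variable "SSL_CERT_DIR")
            (separator #f)              ;single entry
            (files '("etc/ssl/certs")))
           (search-path-specification
            (variable "SSL_CERT_FILE")
            (file-type 'regular)
            (separator #f)              ;single entry
            (files '("etc/ssl/certs/ca-certificates.crt")))))
    (synopsis "SSL/TLS implementation")
    (description
     "OpenSSL is an implementation of SSL/TLS.")
    (license license:openssl)
    (home-page "https://www.openssl.org/")))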
;; Grafted replacement for 'openssl' (see its 'replacement' field): the same
;; 1.0.2o source with the two CVE patches below appended to the inherited
;; patch list.  Because it is applied as a graft, it is expected to stay
;; ABI-compatible with the package it replaces; bump 'openssl' itself for
;; anything larger than a patch.
(define openssl/fixed
  (package
    (inherit openssl)
    (source (origin
              (inherit (package-source openssl))
              (patches (append (origin-patches (package-source openssl))
                               (search-patches "openssl-1.0.2-CVE-2018-0495.patch"
                                               "openssl-1.0.2-CVE-2018-0732.patch")))))))
;; OpenSSL 1.1.1, published under the same "openssl" package name but a
;; distinct variable so that the 1.0.2 package above remains the default
;; 'openssl'.  It inherits everything from 'openssl' and then edits the
;; inherited phase list with substitute-keyword-arguments.
(define-public openssl-next
  (package
    (inherit openssl)
    (name "openssl")
    (version "1.1.1")
    (source (origin
              (method url-fetch)
              (uri (list (string-append "https://www.openssl.org/source/openssl-"
                                        version ".tar.gz")
                         (string-append "ftp://ftp.openssl.org/source/"
                                        name "-" version ".tar.gz")
                         (string-append "ftp://ftp.openssl.org/source/old/"
                                        (string-trim-right version char-set:letter)
                                        "/" name "-" version ".tar.gz")))
              (patches (search-patches "openssl-1.1-c-rehash-in.patch"))
              (sha256
               (base32
                "0gbab2fjgms1kx5xjvqx8bxhr98k4r8l2fa8vw7kvh491xd8fdi8"))))
    (outputs '("out"
               "doc" ; 6.7 MiB of man3 pages and full HTML documentation
               "static")) ; 6.4 MiB of .a files
    (arguments
     (substitute-keyword-arguments (package-arguments openssl)
       ((#:phases phases)
        `(modify-phases ,phases
           (delete 'patch-tests) ; These two phases are not needed by
           (delete 'patch-Makefile.org) ; OpenSSL 1.1.0.

           ;; Override configure phase since -rpath is now a configure option.
           (replace 'configure
             (lambda* (#:key outputs #:allow-other-keys)
               (let* ((out (assoc-ref outputs "out"))
                      (lib (string-append out "/lib")))
                 ;; It's not a shebang so patch-source-shebangs misses it.
                 ;; 'coreutils' is looked up in %build-inputs rather than
                 ;; the 'inputs' keyword, so it must be present in the
                 ;; build's inputs regardless of how this phase is called.
                 (substitute* "config"
                   (("/usr/bin/env")
                    (string-append (assoc-ref %build-inputs "coreutils")
                                   "/bin/env")))
                 (invoke "./config"
                         "shared" ;build shared libraries
                         "--libdir=lib"

                         ;; The default for this catch-all directory is
                         ;; PREFIX/ssl. Change that to something more
                         ;; conventional.
                         (string-append "--openssldir=" out
                                        "/share/openssl-" ,version)

                         (string-append "--prefix=" out)
                         ;; Replaces the openssl-runpath.patch used by 1.0.2.
                         (string-append "-Wl,-rpath," lib)

                         ;; XXX FIXME: Work around a code generation bug in GCC
                         ;; 4.9.3 on ARM when compiled with -mfpu=neon. See:
                         ;; <https://gcc.gnu.org/bugzilla/show_bug.cgi?id=66917>
                         ,@(if (and (not (%current-target-system))
                                    (string-prefix? "armhf" (%current-system)))
                               '("-mfpu=vfpv3")
                               '())))))

           ;; 1.1 ships HTML documentation as well, so the inherited
           ;; man3-only phase is replaced by one that moves both.
           (delete 'move-man3-pages)
           (add-after 'install 'move-extra-documentation
             (lambda* (#:key outputs #:allow-other-keys)
               ;; Move man3 pages and full HTML documentation to "doc".
               (let* ((out (assoc-ref outputs "out"))
                      (man3 (string-append out "/share/man/man3"))
                      (html (string-append out "/share/doc/openssl"))
                      (doc (assoc-ref outputs "doc"))
                      (man-target (string-append doc "/share/man/man3"))
                      (html-target (string-append doc "/share/doc/openssl")))
                 (copy-recursively man3 man-target)
                 (delete-file-recursively man3)
                 (copy-recursively html html-target)
                 (delete-file-recursively html)
                 #t)))
           ;; XXX: Duplicate this phase to make sure 'version' evaluates
           ;; in the current scope and not the inherited one.  (The inherited
           ;; phase has ,version spliced in at the 1.0.2o definition site, so
           ;; it would delete the wrong "share/openssl-VERSION/misc".)
           (replace 'remove-miscellany
             (lambda* (#:key outputs #:allow-other-keys)
               ;; The 'misc' directory contains random undocumented shell and Perl
               ;; scripts. Remove them to avoid retaining a reference on Perl.
               (let ((out (assoc-ref outputs "out")))
                 (delete-file-recursively (string-append out "/share/openssl-"
                                                         ,version "/misc"))
                 #t)))))))))
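(define-public libressl
  ;; LibreSSL, plus its TLS-capable netcat ("--enable-nc").
  (package
    (name "libressl")
    (version "2.7.4")
    (source (origin
              (method url-fetch)
              (uri (string-append "mirror://openbsd/LibreSSL/"
                                  name "-" version ".tar.gz"))
              (sha256
               (base32
                "19kxa5i97q7p6rrps9qm0nd8zqhdjvzx02j72400c73cl2nryfhy"))))
    (build-system gnu-build-system)
    (arguments
     ;; Do as if 'getentropy' was missing since older Linux kernels lack it
     ;; and libc would return ENOSYS, which is not properly handled.
     ;; See <https://lists.gnu.org/archive/html/guix-devel/2017-04/msg00235.html>.
     '(#:configure-flags '("ac_cv_func_getentropy=no"
                           ;; Provide a TLS-enabled netcat.
                           "--enable-nc")))
    (native-search-paths
     ;; These two variables designate a single file or directory and are not
     ;; really "search paths".  As in the 'openssl' package above they are
     ;; therefore declared with (separator #f), so that a profile sets them to
     ;; one entry instead of a colon-separated list, and SSL_CERT_FILE is
     ;; restricted to regular files.
     (list (search-path-specification
            (variable "SSL_CERT_DIR")
            (separator #f)              ;single entry
            (files '("etc/ssl/certs")))
           (search-path-specification
            (variable "SSL_CERT_FILE")
            (file-type 'regular)
            (separator #f)              ;single entry
            (files '("etc/ssl/certs/ca-certificates.crt")))))
    (home-page "https://www.libressl.org/")
    (synopsis "SSL/TLS implementation")
    (description "LibreSSL is a version of the TLS/crypto stack, forked from
OpenSSL in 2014 with the goals of modernizing the codebase, improving security,
and applying best practice development processes. This package also includes a
netcat implementation that supports TLS.")
    ;; Files taken from OpenSSL keep their license, others are under various
    ;; non-copyleft licenses.
    (license (list license:openssl
                   (license:non-copyleft
                    "file://COPYING"
                    "See COPYING in the distribution.")))))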
(define-public python-acme
  ;; ACME protocol library from the certbot repository.  'certbot' below
  ;; reuses this package's version and build arguments, so the two must be
  ;; updated together.
  (package
    (name "python-acme")
    ;; Remember to update the hash of certbot when updating python-acme.
    (version "0.27.1")
    (home-page "https://github.com/certbot/certbot")
    (source (origin
              (method url-fetch)
              (uri (pypi-uri "acme" version))
              (sha256
               (base32
                "142gynlfx7yv0sdba3gpdxlnhg9chhz7hpdxdrp630z17h1bk9ri"))))
    (build-system python-build-system)
    (arguments
     `(#:phases
       (modify-phases %standard-phases
         ;; Build the Sphinx man page and Texinfo manual after the package.
         (add-after 'build 'build-documentation
           (lambda _
             (invoke "make" "-C" "docs" "man" "info")))
         ;; ...and install both into "out".  certbot replaces this phase with
         ;; its own, so keep the phase name stable.
         (add-after 'install 'install-documentation
           (lambda* (#:key outputs #:allow-other-keys)
             (let* ((prefix (assoc-ref outputs "out"))
                    (man1-dir (string-append prefix "/share/man/man1"))
                    (info-dir (string-append prefix "/info")))
               (install-file "docs/_build/texinfo/acme-python.info" info-dir)
               (install-file "docs/_build/man/acme-python.1" man1-dir)
               #t))))))
    ;; TODO: Add optional inputs for testing.
    (native-inputs
     `(("python-mock" ,python-mock)
       ("python-pytest" ,python-pytest)
       ;; For documentation
       ("python-sphinx" ,python-sphinx)
       ("python-sphinxcontrib-programoutput" ,python-sphinxcontrib-programoutput)
       ("python-sphinx-rtd-theme" ,python-sphinx-rtd-theme)
       ("texinfo" ,texinfo)))
    (propagated-inputs
     `(("python-josepy" ,python-josepy)
       ("python-six" ,python-six)
       ("python-requests" ,python-requests)
       ("python-requests-toolbelt" ,python-requests-toolbelt)
       ("python-pytz" ,python-pytz)
       ("python-pyrfc3339" ,python-pyrfc3339)
       ("python-pyasn1" ,python-pyasn1)
       ("python-cryptography" ,python-cryptography)
       ("python-pyopenssl" ,python-pyopenssl)))
    (synopsis "ACME protocol implementation in Python")
    (description "ACME protocol implementation in Python")
    (license license:asl2.0)))
;; The Let's Encrypt client.  It borrows python-acme's build arguments
;; (spliced in via substitute-keyword-arguments), replacing only the
;; documentation-installation phase, and tracks python-acme's version.
(define-public certbot
  (package
    (name "certbot")
    ;; Certbot and python-acme are developed in the same repository, and their
    ;; versions should remain synchronized.
    (version (package-version python-acme))
    (source (origin
              (method url-fetch)
              (uri (pypi-uri name version))
              (sha256
               (base32
                "0anh3vjy9sif1bkp25nj76ii37xx8hh0igcx60ppag12xlabsw1m"))))
    (build-system python-build-system)
    (arguments
     ;; Everything from python-acme's arguments, including its
     ;; 'build-documentation' phase; only 'install-documentation' is
     ;; replaced, since certbot also ships a section 7 man page.
     `(,@(substitute-keyword-arguments (package-arguments python-acme)
           ((#:phases phases)
            `(modify-phases ,phases
               (replace 'install-documentation
                 (lambda* (#:key outputs #:allow-other-keys)
                   (let* ((out (assoc-ref outputs "out"))
                          (man1 (string-append out "/share/man/man1"))
                          (man7 (string-append out "/share/man/man7"))
                          (info (string-append out "/info")))
                     (install-file "docs/_build/texinfo/Certbot.info" info)
                     (install-file "docs/_build/man/certbot.1" man1)
                     (install-file "docs/_build/man/certbot.7" man7)
                     #t))))))))
    ;; TODO: Add optional inputs for testing.
    (native-inputs
     `(("python-nose" ,python-nose)
       ("python-mock" ,python-mock)
       ;; For documentation
       ("python-sphinx" ,python-sphinx-1.6)
       ("python-sphinx-rtd-theme" ,python-sphinx-rtd-theme)
       ("python-sphinx-repoze-autointerface" ,python-sphinx-repoze-autointerface)
       ("python-sphinxcontrib-programoutput" ,python-sphinxcontrib-programoutput)
       ("texinfo" ,texinfo)))
    (propagated-inputs
     `(("python-acme" ,python-acme)
       ("python-zope-interface" ,python-zope-interface)
       ("python-pyrfc3339" ,python-pyrfc3339)
       ("python-pyopenssl" ,python-pyopenssl)
       ("python-configobj" ,python-configobj)
       ("python-configargparse" ,python-configargparse)
       ("python-zope-component" ,python-zope-component)
       ("python-parsedatetime" ,python-parsedatetime)
       ("python-six" ,python-six)
       ("python-psutil" ,python-psutil)
       ("python-requests" ,python-requests)
       ("python-pytz" ,python-pytz)))
    (synopsis "Let's Encrypt client by the Electronic Frontier Foundation")
    (description "Certbot automatically receives and installs X.509 certificates
to enable Transport Layer Security (TLS) on servers. It interoperates with the
Let’s Encrypt certificate authority (CA), which issues browser-trusted
certificates for free.")
    (home-page "https://certbot.eff.org/")
    (license license:asl2.0)))
;; Old name of certbot, kept so existing profiles still resolve; the
;; 'superseded' property records certbot as its successor.
(define-public letsencrypt
  (package (inherit certbot)
    (name "letsencrypt")
    (properties `((superseded . ,certbot)))))
(define-public perl-net-ssleay
  ;; Perl bindings for OpenSSL, linked against the 'openssl' package above.
  (package
    (name "perl-net-ssleay")
    (version "1.85")
    (home-page "https://metacpan.org/release/Net-SSLeay")
    (source (origin
              (method url-fetch)
              (uri (string-append "mirror://cpan/authors/id/M/MI/MIKEM/"
                                  "Net-SSLeay-" version ".tar.gz"))
              (sha256
               (base32
                "1j5h4ycm8538397l204d2d5fkm9595aj174pj7bkpbhwzfwqi0cx"))))
    (build-system perl-build-system)
    (inputs `(("openssl" ,openssl)))
    (arguments
     `(#:phases
       (modify-phases %standard-phases
         ;; Tell the build where OpenSSL lives (presumably read by its
         ;; Makefile.PL) instead of letting it probe system locations.
         (add-before 'configure 'set-ssl-prefix
           (lambda* (#:key inputs #:allow-other-keys)
             (let ((openssl-prefix (assoc-ref inputs "openssl")))
               (setenv "OPENSSL_PREFIX" openssl-prefix)
               #t))))))
    (synopsis "Perl extension for using OpenSSL")
    (description
     "This module offers some high level convenience functions for accessing
web pages on SSL servers (for symmetry, the same API is offered for accessing
http servers, too), an sslcat() function for writing your own clients, and
finally access to the SSL api of the SSLeay/OpenSSL package so you can write
servers or clients for more complicated applications.")
    (license license:perl-license)))
(define-public perl-crypt-openssl-rsa
  ;; Crypt::OpenSSL::RSA.  Shares 'perl-crypt-arguments' (defined below) with
  ;; the other Crypt::OpenSSL::* packages so Makefile.PL links against our
  ;; libcrypto.
  (package
    (name "perl-crypt-openssl-rsa")
    (version "0.31")
    (home-page "https://metacpan.org/release/Crypt-OpenSSL-RSA")
    (source (origin
              (method url-fetch)
              (uri (string-append "mirror://cpan/authors/id/T/TO/TODDR/"
                                  "Crypt-OpenSSL-RSA-" version ".tar.gz"))
              (sha256
               (base32
                "0djl5i6kibl7862b6ih29q8dhg5zpwzq77q9j8hp6xngshx40ws1"))))
    (build-system perl-build-system)
    (arguments perl-crypt-arguments)
    (native-inputs
     `(("perl-crypt-openssl-guess" ,perl-crypt-openssl-guess)))
    (inputs
     `(("perl-crypt-openssl-bignum" ,perl-crypt-openssl-bignum)
       ("perl-crypt-openssl-random" ,perl-crypt-openssl-random)
       ("openssl" ,openssl)))
    (synopsis "RSA encoding and decoding, using the openSSL libraries")
    (description "Crypt::OpenSSL::RSA does RSA encoding and decoding (using the
OpenSSL libraries).")
    (license license:perl-license)))
(define perl-crypt-arguments
  ;; Build arguments shared by the Crypt::OpenSSL::* packages: rewrite the
  ;; 'LIBS' entry of Makefile.PL so the module links against libcrypto from
  ;; the "openssl" input rather than whatever the build host might provide.
  ;; (It is referenced by perl-crypt-openssl-rsa above its definition; that
  ;; works because the 'arguments' field is evaluated lazily — verify if the
  ;; package record changes.)
  `(#:phases (modify-phases %standard-phases
               (add-before 'configure 'patch-Makefile.PL
                 (lambda* (#:key inputs #:allow-other-keys)
                   (let ((libcrypto-libs
                          (string-append "'LIBS' => ['-L"
                                         (assoc-ref inputs "openssl")
                                         "/lib -lcrypto'],")))
                     (substitute* "Makefile.PL"
                       (("'LIBS'.*=>.*") libcrypto-libs))
                     #t))))))
(define-public perl-crypt-openssl-bignum
  ;; Crypt::OpenSSL::Bignum; a dependency of perl-crypt-openssl-rsa above.
  (package
    (name "perl-crypt-openssl-bignum")
    (version "0.09")
    (home-page "https://metacpan.org/release/Crypt-OpenSSL-Bignum")
    (source (origin
              (method url-fetch)
              (uri (string-append "mirror://cpan/authors/id/K/KM/KMX/"
                                  "Crypt-OpenSSL-Bignum-" version ".tar.gz"))
              (sha256
               (base32
                "1p22znbajq91lbk2k3yg12ig7hy5b4vy8igxwqkmbm4nhgxp4ki3"))))
    (build-system perl-build-system)
    (inputs `(("openssl" ,openssl)))
    ;; Same Makefile.PL fix-up as the other Crypt::OpenSSL::* packages.
    (arguments perl-crypt-arguments)
    (synopsis "OpenSSL's multiprecision integer arithmetic in Perl")
    (description "Crypt::OpenSSL::Bignum provides multiprecision integer
arithmetic in Perl.")
    ;; At your option either gpl1+ or the Artistic License
    (license license:perl-license)))
(define-public perl-crypt-openssl-guess
  ;; Build-time helper used (as a native input) by perl-crypt-openssl-rsa and
  ;; perl-crypt-openssl-random to locate OpenSSL headers.
  (package
    (name "perl-crypt-openssl-guess")
    (version "0.11")
    (home-page "https://metacpan.org/release/Crypt-OpenSSL-Guess")
    (source (origin
              (method url-fetch)
              (uri (string-append "mirror://cpan/authors/id/A/AK/AKIYM/"
                                  "Crypt-OpenSSL-Guess-" version ".tar.gz"))
              (sha256
               (base32
                "0rvi9l4ljcbhwwvspq019nfq2h2v746dk355h2nwnlmqikiihsxa"))))
    (build-system perl-build-system)
    (synopsis "Guess the OpenSSL include path")
    (description
     "The Crypt::OpenSSL::Guess Perl module provides helpers to guess the
correct OpenSSL include path. It is intended for use in your
@file{Makefile.PL}.")
    (license license:perl-license)))
(define-public perl-crypt-openssl-random
  ;; Crypt::OpenSSL::Random, exposing OpenSSL's PRNG to Perl; a dependency of
  ;; perl-crypt-openssl-rsa above.
  (package
    (name "perl-crypt-openssl-random")
    (version "0.13")
    (home-page "https://metacpan.org/release/Crypt-OpenSSL-Random")
    (source (origin
              (method url-fetch)
              (uri (string-append "mirror://cpan/authors/id/R/RU/RURBAN/"
                                  "Crypt-OpenSSL-Random-" version ".tar.gz"))
              (sha256
               (base32
                "0vmvrb3shrzjzri3qn524dzdasbq8zhhbpc1vmq8sx68n4jhizb0"))))
    (build-system perl-build-system)
    (native-inputs
     `(("perl-crypt-openssl-guess" ,perl-crypt-openssl-guess)))
    (inputs
     `(("openssl" ,openssl)))
    ;; Same Makefile.PL fix-up as the other Crypt::OpenSSL::* packages.
    (arguments perl-crypt-arguments)
    (synopsis "OpenSSL/LibreSSL pseudo-random number generator access")
    (description "Crypt::OpenSSL::Random is a OpenSSL/LibreSSL pseudo-random
number generator")
    (license license:perl-license)))
796
(define-public acme-client
  (package
    (name "acme-client")
    (version "0.1.16")
    (source (origin
              (method url-fetch)
              (uri (string-append "https://kristaps.bsd.lv/" name
                                  "/snapshots/" name "-portable-"
                                  version ".tgz"))
              (sha256
               (base32
                "00q05b3b1dfnfp7sr1nbd212n0mqrycl3cr9lbs51m7ncaihbrz9"))))
    (build-system gnu-build-system)
    (arguments
     '(#:tests? #f                      ; no test suite
       #:make-flags
       (list "CC=gcc"
             (string-append "PREFIX=" (assoc-ref %outputs "out")))
       #:phases
       (modify-phases %standard-phases
         (delete 'configure)            ; no './configure' script
         ;; http.c hard-codes "/etc/ssl/cert.pem".  Rewrite that literal to the
         ;; bundle shipped by the LibreSSL input so the path resolves inside
         ;; the store.  Consequence worth knowing: the system-wide
         ;; /etc/ssl/cert.pem is then ignored and the trust anchors are
         ;; whatever the "libressl" package ships.  (Presumably this is the
         ;; store used to verify the ACME endpoint -- confirm in http.c.)
         (add-after 'unpack 'patch-paths
           (lambda* (#:key inputs #:allow-other-keys)
             (let ((ca-bundle (string-append (assoc-ref inputs "libressl")
                                             "/etc/ssl/cert.pem")))
               (substitute* "http.c"
                 (("/etc/ssl/cert.pem") ca-bundle))
               #t))))))
    (native-inputs
     `(("pkg-config" ,pkg-config)))
    (inputs
     `(("libbsd" ,libbsd)
       ("libressl" ,libressl)))
    (home-page "https://kristaps.bsd.lv/acme-client/")
    (synopsis "Let's Encrypt client by the OpenBSD project")
    (description "acme-client is a Let's Encrypt client implemented in C. It
uses a modular design, and attempts to secure itself by dropping privileges and
operating in a chroot where possible. acme-client is developed on OpenBSD and
then ported to the GNU / Linux environment.")
    ;; acme-client is distributed under the ISC license, but the files 'jsmn.h'
    ;; and 'jsmn.c' are distributed under the Expat license.
    (license (list license:isc license:expat))))
88522738 839
;; The "-apache" variant is upstream's preferred variant.  A "-gpl"
;; variant exists in addition to the "-apache" one.
(define-public mbedtls-apache
  (package
    (name "mbedtls-apache")
    (version "2.13.0")
    (source
     (origin
       (method url-fetch)
       ;; XXX: The download links on the website are script redirection links
       ;; which effectively lead to the format listed in the uri here.
       (uri (string-append "https://tls.mbed.org/download/mbedtls-" version
                           "-apache.tgz"))
       (sha256
        (base32 "1nh6xfyxs3mnnpgc6pancvdhv6ihz9lhsxdlg90gqa8n5r6lwfsr"))))
    (build-system cmake-build-system)
    (arguments
     ;; Ask CMake for shared libraries as well; the flag name suggests the
     ;; upstream default is static-only -- confirm against CMakeLists.txt.
     `(#:configure-flags
       (list "-DUSE_SHARED_MBEDTLS_LIBRARY=ON")))
    ;; Build-time only.  Presumably needed by upstream's build/test scripts;
    ;; not verifiable from here.
    (native-inputs
     `(("perl" ,perl)
       ("python" ,python)))
    (home-page "https://tls.mbed.org")
    (synopsis "Small TLS library")
    (description
     "@code{mbed TLS}, formerly known as PolarSSL, makes it trivially easy
for developers to include cryptographic and SSL/TLS capabilities in their
(embedded) products, facilitating this functionality with a minimal
coding footprint.")
    (license license:asl2.0)))
871
(define-public ghc-tls
  (package
    (name "ghc-tls")
    (version "1.4.1")
    (source (origin
              (method url-fetch)
              (uri (string-append "https://hackage.haskell.org/package/tls/tls-"
                                  version ".tar.gz"))
              (sha256
               (base32
                "1y083724mym28n6xfaz7pcc7zqxdhjpaxpbvzxfbs25qq2px3smv"))))
    (build-system haskell-build-system)
    ;; Build-time only: test frameworks.
    (native-inputs
     `(("ghc-tasty" ,ghc-tasty)
       ("ghc-tasty-quickcheck" ,ghc-tasty-quickcheck)
       ("ghc-quickcheck" ,ghc-quickcheck)))
    ;; Order kept as-is; it is reflected in the build environment.
    (inputs
     `(("ghc-cereal" ,ghc-cereal)
       ("ghc-data-default-class" ,ghc-data-default-class)
       ("ghc-memory" ,ghc-memory)
       ("ghc-cryptonite" ,ghc-cryptonite)
       ("ghc-asn1-types" ,ghc-asn1-types)
       ("ghc-asn1-encoding" ,ghc-asn1-encoding)
       ("ghc-x509" ,ghc-x509)
       ("ghc-x509-store" ,ghc-x509-store)
       ("ghc-x509-validation" ,ghc-x509-validation)
       ("ghc-async" ,ghc-async)
       ("ghc-network" ,ghc-network)
       ("ghc-hourglass" ,ghc-hourglass)))
    (home-page "https://github.com/vincenthz/hs-tls")
    (synopsis
     "TLS/SSL protocol native implementation (Server and Client)")
    ;; NOTE(review): the description is upstream's own text and still
    ;; advertises SSL3.0; whether 1.4.1 enables it by default is not visible
    ;; from this file.
    (description
     "Native Haskell TLS and SSL protocol implementation for server and client.
This provides a high-level implementation of a sensitive security protocol,
eliminating a common set of security issues through the use of the advanced
type system, high level constructions and common Haskell features. Currently
implement the SSL3.0, TLS1.0, TLS1.1 and TLS1.2 protocol, and support RSA and
Ephemeral (Elliptic curve and regular) Diffie Hellman key exchanges, and many
extensions.")
    (license license:bsd-3)))
913
(define-public dehydrated
  (package
    (name "dehydrated")
    (version "0.6.2")
    (source (origin
              (method url-fetch/tarbomb)
              ;; NOTE(review): this is GitHub's auto-generated archive of the
              ;; tag, not a release artifact; such archives are not guaranteed
              ;; to stay byte-stable, so a hash mismatch on re-download should
              ;; be checked against upstream rather than silently re-hashed.
              (uri (string-append
                    "https://github.com/lukas2511/dehydrated/archive/v"
                    version ".tar.gz"))
              (sha256
               (base32
                "03p80yj6bnzjc6dkp5hb9wpplmlrla8n5src71cnzw4rj53q8cqn"))
              (file-name (string-append name "-" version ".tar.gz"))))
    (build-system trivial-build-system)
    (arguments
     `(#:modules ((guix build utils))
       #:builder
       (begin
         (use-modules (guix build utils))
         (let* ((unpacked (assoc-ref %build-inputs "source"))
                (out      (assoc-ref %outputs "out"))
                (bindir   (string-append out "/bin"))
                (bash-bin (in-vicinity (assoc-ref %build-inputs "bash") "bin"))
                ;; bin/ directory of every tool the script shells out to.
                (tool-bins
                 (map (lambda (input)
                        (string-append (assoc-ref %build-inputs input) "/bin"))
                      '("coreutils" "curl" "diffutils" "gawk" "grep"
                        "openssl" "sed"))))
           (mkdir-p bindir)
           (with-directory-excursion bindir
             ;; The single script is the whole package.
             (copy-file (in-vicinity unpacked
                                     ,(string-append "/dehydrated-" version
                                                     "/dehydrated"))
                        (in-vicinity bindir "dehydrated"))
             (patch-shebang "dehydrated" (list bash-bin))

             ;; Do not try to write in the store.
             (substitute* "dehydrated"
               (("SCRIPTDIR=\"\\$.*\"") "SCRIPTDIR=~/.dehydrated"))

             ;; 'wrap-program' looks up bash on PATH.
             (setenv "PATH" bash-bin)
             ;; Prepend the Guix inputs so the script runs the packaged
             ;; openssl/curl/etc. rather than whatever is first on the
             ;; caller's PATH.
             (wrap-program "dehydrated"
               `("PATH" ":" prefix ,tool-bins)))
           #t))))
    (inputs
     `(("bash" ,bash)
       ("coreutils" ,coreutils)
       ("curl" ,curl)
       ("diffutils" ,diffutils)
       ("gawk" ,gawk)
       ("grep" ,grep)
       ("openssl" ,openssl)
       ("sed" ,sed)))
    (home-page "https://dehydrated.io/")
    (synopsis "Let's Encrypt/ACME client implemented as a shell script")
    (description "Dehydrated is a client for signing certificates with an
ACME-server (currently only provided by Let's Encrypt) implemented as a
relatively simple Bash script.")
    (license license:expat)))