gnu: coq-coquelicot: Update to 3.0.2.
;;; GNU Guix --- Functional package management for GNU
;;; Copyright © 2012, 2013, 2014, 2015, 2016, 2017 Ludovic Courtès <ludo@gnu.org>
;;; Copyright © 2014, 2015, 2016, 2017, 2018 Mark H Weaver <mhw@netris.org>
;;; Copyright © 2014 Ian Denhardt <ian@zenhack.net>
;;; Copyright © 2013, 2015 Andreas Enge <andreas@enge.fr>
;;; Copyright © 2015 David Thompson <davet@gnu.org>
;;; Copyright © 2015, 2016, 2017, 2018 Leo Famulari <leo@famulari.name>
;;; Copyright © 2016, 2017 Efraim Flashner <efraim@flashner.co.il>
;;; Copyright © 2016, 2017, 2018 Nils Gillmann <ng0@n0.is>
;;; Copyright © 2016 Hartmut Goebel <h.goebel@crazy-compilers.com>
;;; Copyright © 2017 Ricardo Wurmus <rekado@elephly.net>
;;; Copyright © 2017, 2018 Marius Bakke <mbakke@fastmail.com>
;;; Copyright © 2017, 2018, 2019 Tobias Geerinckx-Rice <me@tobias.gr>
;;; Copyright © 2017 Rutger Helling <rhelling@mykolab.com>
;;; Copyright © 2018 Clément Lassieur <clement@lassieur.org>
;;;
;;; This file is part of GNU Guix.
;;;
;;; GNU Guix is free software; you can redistribute it and/or modify it
;;; under the terms of the GNU General Public License as published by
;;; the Free Software Foundation; either version 3 of the License, or (at
;;; your option) any later version.
;;;
;;; GNU Guix is distributed in the hope that it will be useful, but
;;; WITHOUT ANY WARRANTY; without even the implied warranty of
;;; MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
;;; GNU General Public License for more details.
;;;
;;; You should have received a copy of the GNU General Public License
;;; along with GNU Guix. If not, see <http://www.gnu.org/licenses/>.

;; Module (gnu packages tls): TLS libraries (GnuTLS, OpenSSL, LibreSSL), the
;; ASN.1 and PKCS#11 plumbing they depend on, Perl/Python bindings, and ACME
;; (Let's Encrypt) clients.  The import list is kept in its original order.
(define-module (gnu packages tls)
  #:use-module ((guix licenses) #:prefix license:)
  #:use-module (guix packages)
  #:use-module (guix download)
  #:use-module (guix utils)
  #:use-module (guix build-system gnu)
  #:use-module (guix build-system perl)
  #:use-module (guix build-system python)
  #:use-module (guix build-system cmake)
  #:use-module (guix build-system haskell)
  #:use-module (guix build-system trivial)
  #:use-module (gnu packages compression)
  #:use-module (gnu packages)
  #:use-module (gnu packages bash)
  #:use-module (gnu packages check)
  #:use-module (gnu packages curl)
  #:use-module (gnu packages dns)
  #:use-module (gnu packages gawk)
  #:use-module (gnu packages guile)
  #:use-module (gnu packages haskell)
  #:use-module (gnu packages haskell-check)
  #:use-module (gnu packages haskell-crypto)
  #:use-module (gnu packages libbsd)
  #:use-module (gnu packages libffi)
  #:use-module (gnu packages libidn)
  #:use-module (gnu packages linux)
  #:use-module (gnu packages ncurses)
  #:use-module (gnu packages nettle)
  #:use-module (gnu packages perl)
  #:use-module (gnu packages pkg-config)
  #:use-module (gnu packages python)
  #:use-module (gnu packages python-crypto)
  #:use-module (gnu packages python-web)
  #:use-module (gnu packages python-xyz)
  #:use-module (gnu packages texinfo)
  #:use-module (gnu packages time)
  #:use-module (gnu packages base)
  #:use-module (srfi srfi-1))
(define-public libtasn1
  ;; GNU libtasn1: ASN.1 library, a dependency of p11-kit and gnutls below.
  ;; Only the shared library is built (--disable-static).
  (package
    (name "libtasn1")
    (version "4.13")
    (home-page "https://www.gnu.org/software/libtasn1/")
    (build-system gnu-build-system)
    (source (origin
              (method url-fetch)
              (uri (string-append "mirror://gnu/libtasn1/libtasn1-" version
                                  ".tar.gz"))
              (sha256
               (base32
                "1jlc1iahj8k3haz28j55nzg7sgni5h41vqy461i1bpbx6668wlky"))))
    ;; No static archives: dependents link the shared library.
    (arguments '(#:configure-flags '("--disable-static")))
    ;; Perl is a build-time-only (native) dependency.
    (native-inputs `(("perl" ,perl)))
    (synopsis "ASN.1 library")
    (description
     "GNU libtasn1 is a library implementing the ASN.1 notation. It is used
for transmitting machine-neutral encodings of data objects in computer
networking, allowing for formal validation of data according to some
specifications.")
    (license license:lgpl2.0+)))
(define-public asn1c
  ;; Compiler from ASN.1 module definitions to C; only Perl is needed at
  ;; build time.
  (package
    (name "asn1c")
    (version "0.9.28")
    (home-page "https://lionet.info/asn1c")
    (build-system gnu-build-system)
    (native-inputs `(("perl" ,perl)))
    (source
     (origin
       (method url-fetch)
       (uri (string-append "https://lionet.info/soft/asn1c-" version
                           ".tar.gz"))
       (sha256
        (base32
         "1fc64g45ykmv73kdndr4zdm4wxhimhrir4rxnygxvwkych5l81w0"))))
    (synopsis "ASN.1 to C compiler")
    (description "The ASN.1 to C compiler takes ASN.1 module
files and generates C++ compatible C source code. That code can be
used to serialize the native C structures into compact and unambiguous
BER/XER/PER-based data files, and deserialize the files back.

Various ASN.1 based formats are widely used in the industry, such as to encode
the X.509 certificates employed in the HTTPS handshake, to exchange control
data between mobile phones and cellular networks, to car-to-car communication
in intelligent transportation networks.")
    (license license:bsd-2)))
;; p11-kit: loader and coordinator for PKCS#11 modules.  Depends on libtasn1
;; (defined above) and libffi.
(define-public p11-kit
  (package
    (name "p11-kit")
    (version "0.23.15")
    (source
     (origin
       (method url-fetch)
       (uri (string-append "https://github.com/p11-glue/p11-kit/releases/"
                           "download/" version "/p11-kit-" version ".tar.gz"))
       (patches (search-patches "p11-kit-jks-timestamps.patch"))
       (sha256
        (base32
         "166pwj00cffv4qq4dvx0k53zka0b0r1fa0whc49007vsqyh3khgp"))))
    (build-system gnu-build-system)
    (native-inputs
     `(("pkg-config" ,pkg-config)))
    (inputs
     `(("libffi" ,libffi)
       ("libtasn1" ,libtasn1)))
    (arguments
     ;; --without-trust-paths: no trust-anchor locations are compiled in.
     ;; NOTE(review): presumably this means consumers of the trust module
     ;; must supply their own certificate paths -- confirm against p11-kit's
     ;; configure script.
     `(#:configure-flags '("--without-trust-paths")
       #:phases (modify-phases %standard-phases
                  (add-before 'check 'prepare-tests
                    (lambda _
                      ;; "test-runtime" expects XDG_RUNTIME_DIR to be set up
                      ;; and looks for .cache and other directories (only).
                      ;; For simplicity just drop it since it is irrelevant
                      ;; in the build container.
                      ;; Only that one test binary is removed from the
                      ;; Makefile; the rest of the suite still runs.
                      (substitute* "Makefile"
                        (("test-runtime\\$\\(EXEEXT\\)") ""))
                      #t)))))
    (home-page "https://p11-glue.freedesktop.org/p11-kit.html")
    (synopsis "PKCS#11 library")
    (description
     "p11-kit provides a way to load and enumerate PKCS#11 modules. It
provides a standard configuration setup for installing PKCS#11 modules
in such a way that they are discoverable. It also solves problems with
coordinating the use of PKCS#11 by different components or libraries
living in the same process.")
    (license license:bsd-3)))
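;; GnuTLS 3.6.5.  Certificate verification defaults to the host's
;; /etc/ssl/certs (see #:configure-flags): a path outside the store, so the
;; trust anchors are whatever the running system provides.  PKCS#11 support
;; is disabled (--without-p11-kit).
(define-public gnutls
  (package
    (name "gnutls")
    (version "3.6.5")
    (source (origin
             (method url-fetch)
             (uri
              ;; Note: Releases are no longer on ftp.gnu.org since the
              ;; schism (after version 3.1.5).
              (string-append "mirror://gnupg/gnutls/v"
                             (version-major+minor version)
                             "/gnutls-" version ".tar.xz"))
             (patches (search-patches "gnutls-skip-trust-store-test.patch"))
             (sha256
              (base32
               "0ddvg97dyrh8dkffv1mdc0knxx5my3qdbzv97s4a6jggmk9wwgh7"))
             (modules '((guix build utils)))
             ;; Source snippet: edit the shipped configure script before the
             ;; build so it also probes for Guile 2.2.
             (snippet
              '(begin
                 ;; XXX: The generated configure script in GnuTLS 3.6.5
                 ;; apparently does not know about Guile 2.2.
                 (substitute* "configure"
                   (("guile_versions_to_search=\"2\\.0 1\\.8\"")
                    "guile_versions_to_search=\"2.2 2.0 1.8\""))
                 #t))))
    (build-system gnu-build-system)
    (arguments
     `(; Ensure we don't keep a reference to this buggy software.
       #:disallowed-references (,net-tools)
       #:configure-flags
       (list
             ;; GnuTLS doesn't consult any environment variables to specify
             ;; the location of the system-wide trust store. Instead it has a
             ;; configure-time option. Unless specified, its configure script
             ;; attempts to auto-detect the location by looking for common
             ;; places in the file system, none of which are present in our
             ;; chroot build environment. If not found, then no default trust
             ;; store is used, so each program has to provide its own
             ;; fallback, and users have to configure each program
             ;; independently. This seems suboptimal.
             "--with-default-trust-store-dir=/etc/ssl/certs"

             ;; FIXME: Temporarily disable p11-kit support since it is not
             ;; working on mips64el.
             "--without-p11-kit")

       #:phases (modify-phases %standard-phases
                  (add-after
                   'install 'move-doc
                   (lambda* (#:key outputs #:allow-other-keys)
                     ;; Copy the 4.1 MiB of section 3 man pages to "doc".
                     ;; The copy in "out" is deleted afterwards.
                     (let* ((out    (assoc-ref outputs "out"))
                            (doc    (assoc-ref outputs "doc"))
                            (mandir (string-append doc "/share/man/man3"))
                            (oldman (string-append out "/share/man/man3")))
                       (mkdir-p mandir)
                       (copy-recursively oldman mandir)
                       (delete-file-recursively oldman)
                       #t))))))
    (outputs '("out"                               ;4.4 MiB
               "debug"
               "doc"))                             ;4.1 MiB of man pages
    (native-inputs
     `(("net-tools" ,net-tools)
       ("pkg-config" ,pkg-config)
       ("which" ,which)))
    (inputs
     `(("guile" ,guile-2.2)))
    (propagated-inputs
     ;; These are all in the 'Requires.private' field of gnutls.pc.
     `(("libtasn1" ,libtasn1)
       ("libidn2" ,libidn2)
       ("nettle" ,nettle)
       ("zlib" ,zlib)))
    (home-page "https://www.gnu.org/software/gnutls/")
    (synopsis "Transport layer security library")
    ;; Description text: "X.509" was previously misspelt "X.5009".
    (description
     "GnuTLS is a secure communications library implementing the SSL, TLS
and DTLS protocols. It is provided in the form of a C library to support the
protocols, as well as to parse and write X.509, PKCS 12, OpenPGP and other
required structures.")
    (license license:lgpl2.1+)
    (properties '((ftp-server . "ftp.gnutls.org")
                  (ftp-directory . "/gcrypt/gnutls")))))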
;; Deprecated alias: the plain 'gnutls' package already takes guile-2.2 as
;; its Guile input, so this name simply resolves to it.
(define-public gnutls/guile-2.2
  (deprecated-package "guile2.2-gnutls" gnutls))
(define-public gnutls/guile-2.0
  ;; GnuTLS for Guile 2.0: the 'gnutls' package with its "guile" input
  ;; swapped for guile-2.0; every other input is carried over unchanged.
  (package
    (inherit gnutls)
    (name "guile2.0-gnutls")
    (inputs (cons `("guile" ,guile-2.0)
                  (alist-delete "guile" (package-inputs gnutls))))))
(define-public gnutls/dane
  ;; GnuTLS with build libgnutls-dane, implementing DNS-based
  ;; Authentication of Named Entities. This is required for GNS functionality
  ;; by GNUnet and gnURL. This is done in an extra package definition
  ;; to have the choice between GnuTLS with Dane and without Dane.
  ;; The only difference from 'gnutls' is the extra "unbound" input, which
  ;; presumably provides the resolver library DANE lookups need.
  (package
    (inherit gnutls)
    (name "gnutls-dane")
    (inputs (cons `("unbound" ,unbound)
                  (package-inputs gnutls)))))
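;; OpenSSL 1.0.2p.  'replacement' names the grafted build openssl/fixed
;; (defined below) that carries a security patch; keep the two definitions
;; in step when bumping this version.
(define-public openssl
  (package
    (name "openssl")
    (replacement openssl/fixed)
    (version "1.0.2p")
    (source (origin
              (method url-fetch)
              ;; Primary HTTPS URL first, FTP mirrors as fallbacks; the "old/"
              ;; directory is keyed by the version with its letter suffix
              ;; stripped.
              (uri (list (string-append "https://www.openssl.org/source/openssl-"
                                        version ".tar.gz")
                         (string-append "ftp://ftp.openssl.org/source/"
                                        "openssl-" version ".tar.gz")
                         (string-append "ftp://ftp.openssl.org/source/old/"
                                        (string-trim-right version char-set:letter)
                                        "/openssl-" version ".tar.gz")))
              (sha256
               (base32
                "003xh9f898i56344vpvpxxxzmikivxig4xwlm7vbi7m8n43qxaah"))
              (patches (search-patches "openssl-runpath.patch"
                                       "openssl-c-rehash-in.patch"))))
    (build-system gnu-build-system)
    (outputs '("out"
               "doc"                               ;1.5MiB of man3 pages
               "static"))                          ;6MiB of .a files
    (native-inputs `(("perl" ,perl)))
    (arguments
     `(#:parallel-build? #f
       #:parallel-tests? #f
       #:test-target "test"

       ;; Changes to OpenSSL sometimes cause Perl to "sneak in" to the closure,
       ;; so we explicitly disallow it here.  The 'perl' native input and its
       ;; canonical package are listed in ONE #:disallowed-references argument:
       ;; previously the keyword was given twice, so only one of the two lists
       ;; could take effect.
       #:disallowed-references ,(list perl (canonical-package perl))
       #:phases
       (modify-phases %standard-phases
         (add-before
          'configure 'patch-Makefile.org
          (lambda* (#:key outputs #:allow-other-keys)
            ;; The default MANDIR is some unusual place. Fix that.
            (let ((out (assoc-ref outputs "out")))
              (patch-makefile-SHELL "Makefile.org")
              (substitute* "Makefile.org"
                (("^MANDIR[[:blank:]]*=.*$")
                 (string-append "MANDIR = " out "/share/man\n")))
              #t)))
         (replace
          'configure
          (lambda* (#:key outputs #:allow-other-keys)
            ;; OpenSSL's own "./config" script replaces the standard
            ;; configure phase.
            (let ((out (assoc-ref outputs "out")))
              (invoke "./config"
                      "shared"                 ;build shared libraries
                      "--libdir=lib"

                      ;; The default for this catch-all directory is
                      ;; PREFIX/ssl. Change that to something more
                      ;; conventional.
                      (string-append "--openssldir=" out
                                     "/share/openssl-" ,version)

                      (string-append "--prefix=" out)))))
         (add-after
          'install 'make-libraries-writable
          (lambda* (#:key outputs #:allow-other-keys)
            ;; Make libraries writable so that 'strip' does its job.
            (let ((out (assoc-ref outputs "out")))
              (for-each (lambda (file)
                          (chmod file #o644))
                        (find-files (string-append out "/lib")
                                    "\\.so"))
              #t)))
         (add-after 'install 'move-static-libraries
           (lambda* (#:key outputs #:allow-other-keys)
             ;; Move static libraries to the "static" output.
             (let* ((out    (assoc-ref outputs "out"))
                    (lib    (string-append out "/lib"))
                    (static (assoc-ref outputs "static"))
                    (slib   (string-append static "/lib")))
               (for-each (lambda (file)
                           (install-file file slib)
                           (delete-file file))
                         (find-files lib "\\.a$"))
               #t)))
         (add-after 'install 'move-man3-pages
           (lambda* (#:key outputs #:allow-other-keys)
             ;; Move section 3 man pages to "doc".
             (let* ((out    (assoc-ref outputs "out"))
                    (man3   (string-append out "/share/man/man3"))
                    (doc    (assoc-ref outputs "doc"))
                    (target (string-append doc "/share/man/man3")))
               (mkdir-p target)
               (for-each (lambda (file)
                           (rename-file file
                                        (string-append target "/"
                                                       (basename file))))
                         (find-files man3))
               (delete-file-recursively man3)
               #t)))
         (add-before
          'patch-source-shebangs 'patch-tests
          (lambda* (#:key inputs native-inputs #:allow-other-keys)
            ;; Rewrite absolute /bin/sh and /bin/rm in the test scripts,
            ;; which 'patch-source-shebangs' would not touch.
            ;; NOTE(review): the (or native-inputs inputs) fallback suggests
            ;; native-inputs can be #f here -- presumably outside
            ;; cross-compilation; confirm.
            (let ((bash (assoc-ref (or native-inputs inputs) "bash")))
              (substitute* (find-files "test" ".*")
                (("/bin/sh")
                 (string-append bash "/bin/sh"))
                (("/bin/rm")
                 "rm"))
              #t)))
         (add-after
          'install 'remove-miscellany
          (lambda* (#:key outputs #:allow-other-keys)
            ;; The 'misc' directory contains random undocumented shell and Perl
            ;; scripts. Remove them to avoid retaining a reference on Perl.
            (let ((out (assoc-ref outputs "out")))
              (delete-file-recursively (string-append out "/share/openssl-"
                                                      ,version "/misc"))
              #t))))))
    ;; Trust-store locations exported to users of this package.  Both are a
    ;; single path, not a colon-separated list, hence (separator #f).
    (native-search-paths
     (list (search-path-specification
            (variable "SSL_CERT_DIR")
            (separator #f)                        ;single entry
            (files '("etc/ssl/certs")))
           (search-path-specification
            (variable "SSL_CERT_FILE")
            (file-type 'regular)
            (separator #f)                        ;single entry
            (files '("etc/ssl/certs/ca-certificates.crt")))))
    (synopsis "SSL/TLS implementation")
    (description
     "OpenSSL is an implementation of SSL/TLS.")
    (license license:openssl)
    (home-page "https://www.openssl.org/")))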
;; Replacement (graft) for 'openssl', referenced from its 'replacement'
;; field: the same source with the CVE-2019-1559 patch appended to the
;; existing patch list.  Hidden so it is reached through the graft rather
;; than installed by name.
(define-public openssl/fixed
  (hidden-package
   (package
     (inherit openssl)
     (source (origin
               (inherit (package-source openssl))
               (patches (append (origin-patches (package-source openssl))
                                (search-patches "openssl-CVE-2019-1559.patch"))))))))
412(define-public openssl-next
413 (package
a215c938 414 (inherit openssl)
763899f0 415 (name "openssl")
28337566 416 (version "1.1.1b")
763899f0
LF
417 (source (origin
418 (method url-fetch)
77576be4
MB
419 (uri (list (string-append "https://www.openssl.org/source/openssl-"
420 version ".tar.gz")
421 (string-append "ftp://ftp.openssl.org/source/"
c7f5c3ea 422 "openssl-" version ".tar.gz")
763899f0
LF
423 (string-append "ftp://ftp.openssl.org/source/old/"
424 (string-trim-right version char-set:letter)
c7f5c3ea 425 "/openssl-" version ".tar.gz")))
9e9e5d5a 426 (patches (search-patches "openssl-1.1-c-rehash-in.patch"))
763899f0
LF
427 (sha256
428 (base32
28337566 429 "0jza8cmznnyiia43056dij1jdmz62dx17wsn0zxksh9h6817nmaw"))))
763899f0 430 (outputs '("out"
6ec43b0d 431 "doc" ; 6.8 MiB of man3 pages and full HTML documentation
9e9e5d5a 432 "static")) ; 6.4 MiB of .a files
763899f0
LF
433 (arguments
434 (substitute-keyword-arguments (package-arguments openssl)
435 ((#:phases phases)
436 `(modify-phases ,phases
437 (delete 'patch-tests) ; These two phases are not needed by
6ec43b0d 438 (delete 'patch-Makefile.org) ; OpenSSL 1.1.
763899f0 439
fc184fe2
MB
440 ;; Override configure phase since -rpath is now a configure option.
441 (replace 'configure
763899f0 442 (lambda* (#:key outputs #:allow-other-keys)
fc184fe2
MB
443 (let* ((out (assoc-ref outputs "out"))
444 (lib (string-append out "/lib")))
9e9e5d5a
LF
445 ;; It's not a shebang so patch-source-shebangs misses it.
446 (substitute* "config"
447 (("/usr/bin/env")
448 (string-append (assoc-ref %build-inputs "coreutils")
449 "/bin/env")))
0d98cb9a 450 (invoke "./config"
5011d3f4
SB
451 "shared" ;build shared libraries
452 "--libdir=lib"
fc184fe2 453
5011d3f4
SB
454 ;; The default for this catch-all directory is
455 ;; PREFIX/ssl. Change that to something more
456 ;; conventional.
457 (string-append "--openssldir=" out
458 "/share/openssl-" ,version)
fc184fe2 459
5011d3f4 460 (string-append "--prefix=" out)
799de468 461 (string-append "-Wl,-rpath," lib)))))
fc184fe2 462
9e9e5d5a
LF
463 (delete 'move-man3-pages)
464 (add-after 'install 'move-extra-documentation
465 (lambda* (#:key outputs #:allow-other-keys)
466 ;; Move man3 pages and full HTML documentation to "doc".
467 (let* ((out (assoc-ref outputs "out"))
468 (man3 (string-append out "/share/man/man3"))
469 (html (string-append out "/share/doc/openssl"))
470 (doc (assoc-ref outputs "doc"))
471 (man-target (string-append doc "/share/man/man3"))
472 (html-target (string-append doc "/share/doc/openssl")))
473 (copy-recursively man3 man-target)
474 (delete-file-recursively man3)
475 (copy-recursively html html-target)
476 (delete-file-recursively html)
477 #t)))
fc184fe2
MB
478 ;; XXX: Duplicate this phase to make sure 'version' evaluates
479 ;; in the current scope and not the inherited one.
480 (replace 'remove-miscellany
481 (lambda* (#:key outputs #:allow-other-keys)
482 ;; The 'misc' directory contains random undocumented shell and Perl
483 ;; scripts. Remove them to avoid retaining a reference on Perl.
484 (let ((out (assoc-ref outputs "out")))
485 (delete-file-recursively (string-append out "/share/openssl-"
486 ,version "/misc"))
763899f0
LF
487 #t)))))))))
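;; LibreSSL 2.7.4, built with its TLS-capable netcat.  The exported
;; SSL_CERT_DIR / SSL_CERT_FILE variables are declared single-entry, matching
;; the 'openssl' package above.
(define-public libressl
  (package
    (name "libressl")
    (version "2.7.4")
    (source (origin
              (method url-fetch)
              (uri (string-append "mirror://openbsd/LibreSSL/"
                                  name "-" version ".tar.gz"))
              (sha256
               (base32
                "19kxa5i97q7p6rrps9qm0nd8zqhdjvzx02j72400c73cl2nryfhy"))))
    (build-system gnu-build-system)
    (arguments
     ;; Do as if 'getentropy' was missing since older Linux kernels lack it
     ;; and libc would return ENOSYS, which is not properly handled.
     ;; See <https://lists.gnu.org/archive/html/guix-devel/2017-04/msg00235.html>.
     '(#:configure-flags '("ac_cv_func_getentropy=no"
                           ;; Provide a TLS-enabled netcat.
                           "--enable-nc")))
    (native-search-paths
     ;; These two variables each designate a single file or directory and are
     ;; not search paths, so they are declared with (separator #f) -- and
     ;; SSL_CERT_FILE as a regular file -- exactly as the 'openssl' package
     ;; above does, instead of relying on there being only one match.
     (list (search-path-specification
            (variable "SSL_CERT_DIR")
            (separator #f)                        ;single entry
            (files '("etc/ssl/certs")))
           (search-path-specification
            (variable "SSL_CERT_FILE")
            (file-type 'regular)
            (separator #f)                        ;single entry
            (files '("etc/ssl/certs/ca-certificates.crt")))))
    (home-page "https://www.libressl.org/")
    (synopsis "SSL/TLS implementation")
    (description "LibreSSL is a version of the TLS/crypto stack, forked from
OpenSSL in 2014 with the goals of modernizing the codebase, improving security,
and applying best practice development processes. This package also includes a
netcat implementation that supports TLS.")
    ;; Files taken from OpenSSL keep their license, others are under various
    ;; non-copyleft licenses.
    (license (list license:openssl
                   (license:non-copyleft
                    "file://COPYING"
                    "See COPYING in the distribution.")))))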
;; python-acme: the ACME client library that certbot (below) is built on.
;; Its version is reused by certbot, so both must be bumped together.
(define-public python-acme
  (package
    (name "python-acme")
    ;; Remember to update the hash of certbot when updating python-acme.
    (version "0.31.0")
    (source (origin
              (method url-fetch)
              (uri (pypi-uri "acme" version))
              (sha256
               (base32
                "1gxjv09c695lj8swspa390nch117i60qkrgy135383vfk00jsp3y"))))
    (build-system python-build-system)
    (arguments
     `(#:phases
       (modify-phases %standard-phases
         ;; Build the Sphinx man page and Texinfo manual after the Python
         ;; build; they are installed by the phase below.
         (add-after 'build 'build-documentation
           (lambda _
             (invoke "make" "-C" "docs" "man" "info")))
         (add-after 'install 'install-documentation
           (lambda* (#:key outputs #:allow-other-keys)
             (let* ((out (assoc-ref outputs "out"))
                    (man (string-append out "/share/man/man1"))
                    ;; NOTE(review): the info file goes to OUT/info while the
                    ;; man page goes to OUT/share/man; confirm OUT/info is the
                    ;; intended location (certbot below mirrors it).
                    (info (string-append out "/info")))
               (install-file "docs/_build/texinfo/acme-python.info" info)
               (install-file "docs/_build/man/acme-python.1" man)
               #t))))))
    ;; TODO: Add optional inputs for testing.
    (native-inputs
     `(("python-mock" ,python-mock)
       ("python-pytest" ,python-pytest)
       ;; For documentation
       ("python-sphinx" ,python-sphinx)
       ("python-sphinxcontrib-programoutput" ,python-sphinxcontrib-programoutput)
       ("python-sphinx-rtd-theme" ,python-sphinx-rtd-theme)
       ("texinfo" ,texinfo)))
    (propagated-inputs
     `(("python-josepy" ,python-josepy)
       ("python-six" ,python-six)
       ("python-requests" ,python-requests)
       ("python-requests-toolbelt" ,python-requests-toolbelt)
       ("python-pytz" ,python-pytz)
       ("python-pyrfc3339" ,python-pyrfc3339)
       ("python-pyasn1" ,python-pyasn1)
       ("python-cryptography" ,python-cryptography)
       ("python-pyopenssl" ,python-pyopenssl)))
    (home-page "https://github.com/certbot/certbot")
    (synopsis "ACME protocol implementation in Python")
    (description "ACME protocol implementation in Python")
    (license license:asl2.0)))
;; certbot: Let's Encrypt client.  Its version is taken from python-acme, but
;; its source hash is its own, so a python-acme bump must update the hash
;; below in the same change or this package's fetch fails on hash mismatch.
(define-public certbot
  (package
    (name "certbot")
    ;; Certbot and python-acme are developed in the same repository, and their
    ;; versions should remain synchronized.
    (version (package-version python-acme))
    (source (origin
              (method url-fetch)
              (uri (pypi-uri name version))
              (sha256
               (base32
                "0wq4jgyzli684h154w26xplp0fzyks2vlrnmhafhyb0h1bw9cc8c"))))
    (build-system python-build-system)
    (arguments
     ;; Reuse python-acme's phases (including its 'build-documentation'),
     ;; replacing only the install step to add the section-7 man page.
     `(,@(substitute-keyword-arguments (package-arguments python-acme)
           ((#:phases phases)
            `(modify-phases ,phases
               (replace 'install-documentation
                 (lambda* (#:key outputs #:allow-other-keys)
                   (let* ((out (assoc-ref outputs "out"))
                          (man1 (string-append out "/share/man/man1"))
                          (man7 (string-append out "/share/man/man7"))
                          ;; NOTE(review): OUT/info, as in python-acme;
                          ;; confirm this is the intended info location.
                          (info (string-append out "/info")))
                     (install-file "docs/_build/texinfo/Certbot.info" info)
                     (install-file "docs/_build/man/certbot.1" man1)
                     (install-file "docs/_build/man/certbot.7" man7)
                     #t))))))))
    ;; TODO: Add optional inputs for testing.
    (native-inputs
     `(("python-nose" ,python-nose)
       ("python-mock" ,python-mock)
       ;; For documentation
       ("python-sphinx" ,python-sphinx)
       ("python-sphinx-rtd-theme" ,python-sphinx-rtd-theme)
       ("python-sphinx-repoze-autointerface" ,python-sphinx-repoze-autointerface)
       ("python-sphinxcontrib-programoutput" ,python-sphinxcontrib-programoutput)
       ("texinfo" ,texinfo)))
    (propagated-inputs
     `(("python-acme" ,python-acme)
       ("python-zope-interface" ,python-zope-interface)
       ("python-pyrfc3339" ,python-pyrfc3339)
       ("python-pyopenssl" ,python-pyopenssl)
       ("python-configobj" ,python-configobj)
       ("python-configargparse" ,python-configargparse)
       ("python-zope-component" ,python-zope-component)
       ("python-parsedatetime" ,python-parsedatetime)
       ("python-six" ,python-six)
       ("python-psutil" ,python-psutil)
       ("python-requests" ,python-requests)
       ("python-pytz" ,python-pytz)))
    (synopsis "Let's Encrypt client by the Electronic Frontier Foundation")
    (description "Certbot automatically receives and installs X.509 certificates
to enable Transport Layer Security (TLS) on servers. It interoperates with the
Let’s Encrypt certificate authority (CA), which issues browser-trusted
certificates for free.")
    (home-page "https://certbot.eff.org/")
    (license license:asl2.0)))
;; Legacy name for 'certbot': the same package under its old name, with the
;; 'superseded' property pointing at certbot.
(define-public letsencrypt
  (package (inherit certbot)
    (name "letsencrypt")
    (properties `((superseded . ,certbot)))))
(define-public perl-net-ssleay
  ;; Perl bindings to OpenSSL.  The build is pointed at the 'openssl' input
  ;; through the OPENSSL_PREFIX environment variable before 'configure'.
  (package
    (name "perl-net-ssleay")
    (version "1.85")
    (home-page "https://metacpan.org/release/Net-SSLeay")
    (build-system perl-build-system)
    (inputs `(("openssl" ,openssl)))
    (source
     (origin
       (method url-fetch)
       (uri (string-append "mirror://cpan/authors/id/M/MI/MIKEM/Net-SSLeay-"
                           version ".tar.gz"))
       (sha256
        (base32 "1j5h4ycm8538397l204d2d5fkm9595aj174pj7bkpbhwzfwqi0cx"))))
    (arguments
     '(#:phases
       (modify-phases %standard-phases
         (add-before 'configure 'set-ssl-prefix
           (lambda* (#:key inputs #:allow-other-keys)
             ;; Tell the module's build where the OpenSSL input is.
             (let ((ssl-root (assoc-ref inputs "openssl")))
               (setenv "OPENSSL_PREFIX" ssl-root)
               #t))))))
    (synopsis "Perl extension for using OpenSSL")
    (description
     "This module offers some high level convenience functions for accessing
web pages on SSL servers (for symmetry, the same API is offered for accessing
http servers, too), an sslcat() function for writing your own clients, and
finally access to the SSL api of the SSLeay/OpenSSL package so you can write
servers or clients for more complicated applications.")
    (license license:perl-license)))
(define-public perl-crypt-openssl-rsa
  ;; Crypt::OpenSSL::RSA, linked against the 'openssl' input via the shared
  ;; 'perl-crypt-arguments' Makefile.PL patch.
  (package
    (name "perl-crypt-openssl-rsa")
    (version "0.31")
    (home-page "https://metacpan.org/release/Crypt-OpenSSL-RSA")
    (build-system perl-build-system)
    (source
     (origin
       (method url-fetch)
       (uri (string-append
             "mirror://cpan/authors/id/T/TO/TODDR/Crypt-OpenSSL-RSA-" version
             ".tar.gz"))
       (sha256
        (base32 "0djl5i6kibl7862b6ih29q8dhg5zpwzq77q9j8hp6xngshx40ws1"))))
    ;; Build-time only: locates the OpenSSL headers.
    (native-inputs
     `(("perl-crypt-openssl-guess" ,perl-crypt-openssl-guess)))
    (inputs
     `(("openssl" ,openssl)
       ("perl-crypt-openssl-bignum" ,perl-crypt-openssl-bignum)
       ("perl-crypt-openssl-random" ,perl-crypt-openssl-random)))
    (arguments perl-crypt-arguments)
    (synopsis "RSA encoding and decoding, using the openSSL libraries")
    (description "Crypt::OpenSSL::RSA does RSA encoding and decoding (using the
OpenSSL libraries).")
    (license license:perl-license)))
;; Build arguments shared by the Crypt::OpenSSL::* packages in this file:
;; rewrite the 'LIBS' line of Makefile.PL so the module links against the
;; libcrypto of the "openssl" input rather than whatever the default probes
;; would find.  Note it is referenced by packages defined above it.
(define perl-crypt-arguments
  '(#:phases (modify-phases %standard-phases
               (add-before 'configure 'patch-Makefile.PL
                 (lambda* (#:key inputs #:allow-other-keys)
                   (let* ((ssl-root (assoc-ref inputs "openssl"))
                          (libs-line (string-append "'LIBS' => ['-L" ssl-root
                                                    "/lib -lcrypto'],")))
                     (substitute* "Makefile.PL"
                       (("'LIBS'.*=>.*") libs-line))
                     #t))))))
(define-public perl-crypt-openssl-bignum
  ;; Crypt::OpenSSL::Bignum: OpenSSL bignum arithmetic from Perl, built with
  ;; the shared 'perl-crypt-arguments'.
  (package
    (name "perl-crypt-openssl-bignum")
    (version "0.09")
    (home-page "https://metacpan.org/release/Crypt-OpenSSL-Bignum")
    (build-system perl-build-system)
    (inputs `(("openssl" ,openssl)))
    (arguments perl-crypt-arguments)
    (source
     (origin
       (method url-fetch)
       (uri (string-append
             "mirror://cpan/authors/id/K/KM/KMX/Crypt-OpenSSL-Bignum-" version
             ".tar.gz"))
       (sha256
        (base32 "1p22znbajq91lbk2k3yg12ig7hy5b4vy8igxwqkmbm4nhgxp4ki3"))))
    (synopsis "OpenSSL's multiprecision integer arithmetic in Perl")
    (description "Crypt::OpenSSL::Bignum provides multiprecision integer
arithmetic in Perl.")
    ;; At your option either gpl1+ or the Artistic License
    (license license:perl-license)))
(define-public perl-crypt-openssl-guess
  ;; Build-time helper used as a native input by the other Crypt::OpenSSL::*
  ;; packages; pure Perl, no OpenSSL input of its own.
  (package
    (name "perl-crypt-openssl-guess")
    (version "0.11")
    (home-page "https://metacpan.org/release/Crypt-OpenSSL-Guess")
    (build-system perl-build-system)
    (source
     (origin
       (method url-fetch)
       (uri (string-append
             "mirror://cpan/authors/id/A/AK/AKIYM/Crypt-OpenSSL-Guess-" version
             ".tar.gz"))
       (sha256
        (base32 "0rvi9l4ljcbhwwvspq019nfq2h2v746dk355h2nwnlmqikiihsxa"))))
    (synopsis "Guess the OpenSSL include path")
    (description
     "The Crypt::OpenSSL::Guess Perl module provides helpers to guess the
correct OpenSSL include path. It is intended for use in your
@file{Makefile.PL}.")
    (license license:perl-license)))
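;; Crypt::OpenSSL::Random: Perl access to the OpenSSL/LibreSSL PRNG, linked
;; against the 'openssl' input through the shared 'perl-crypt-arguments'.
(define-public perl-crypt-openssl-random
  (package
    (name "perl-crypt-openssl-random")
    (version "0.13")
    (source
     (origin
       (method url-fetch)
       (uri (string-append
             "mirror://cpan/authors/id/R/RU/RURBAN/Crypt-OpenSSL-Random-"
             version
             ".tar.gz"))
       (sha256
        (base32
         "0vmvrb3shrzjzri3qn524dzdasbq8zhhbpc1vmq8sx68n4jhizb0"))))
    (build-system perl-build-system)
    ;; Build-time only: locates the OpenSSL headers.
    (native-inputs
     `(("perl-crypt-openssl-guess" ,perl-crypt-openssl-guess)))
    (inputs
     `(("openssl" ,openssl)))
    (arguments perl-crypt-arguments)
    (home-page
     "https://metacpan.org/release/Crypt-OpenSSL-Random")
    (synopsis
     "OpenSSL/LibreSSL pseudo-random number generator access")
    ;; Description: article and terminating period fixed ("is an ...").
    (description "Crypt::OpenSSL::Random is an OpenSSL/LibreSSL pseudo-random
number generator.")
    (license license:perl-license)))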
791
(define-public acme-client
  (package
    (name "acme-client")
    (version "0.1.16")
    (source (origin
              (method url-fetch)
              (uri (string-append "https://kristaps.bsd.lv/" name "/snapshots/"
                                  name "-portable-" version ".tgz"))
              (sha256
               (base32
                "00q05b3b1dfnfp7sr1nbd212n0mqrycl3cr9lbs51m7ncaihbrz9"))))
    (build-system gnu-build-system)
    (arguments
     '(#:tests? #f                      ; no test suite
       #:make-flags
       (list "CC=gcc"
             (string-append "PREFIX=" (assoc-ref %outputs "out")))
       #:phases
       (modify-phases %standard-phases
         (add-after 'unpack 'patch-paths
           ;; http.c hard-codes /etc/ssl/cert.pem; redirect it to the bundle
           ;; shipped by our LibreSSL input.  Security note: this pins the
           ;; trust store used by the binary to that store item, which only
           ;; changes when the LibreSSL package does, rather than to whatever
           ;; lives at /etc/ssl/cert.pem on the running system.
           (lambda* (#:key inputs #:allow-other-keys)
             (let* ((libressl (assoc-ref inputs "libressl"))
                    (bundle   (string-append libressl "/etc/ssl/cert.pem")))
               (substitute* "http.c"
                 (("/etc/ssl/cert.pem") bundle))
               #t)))
         (delete 'configure))))         ; no './configure' script
    (native-inputs
     `(("pkg-config" ,pkg-config)))
    (inputs
     `(("libbsd" ,libbsd)
       ("libressl" ,libressl)))
    (home-page "https://kristaps.bsd.lv/acme-client/")
    (synopsis "Let's Encrypt client by the OpenBSD project")
    (description "acme-client is a Let's Encrypt client implemented in C. It
uses a modular design, and attempts to secure itself by dropping privileges and
operating in a chroot where possible. acme-client is developed on OpenBSD and
then ported to the GNU / Linux environment.")
    ;; acme-client is distributed under the ISC license, but the files 'jsmn.h'
    ;; and 'jsmn.c' are distributed under the Expat license.
    (license (list license:isc license:expat))))
88522738 834
;; The "-apache" variant is the one upstream prefers.  A "-gpl" variant
;; exists in addition to the "-apache" one.
(define-public mbedtls-apache
  (package
    (name "mbedtls-apache")
    (version "2.16.0")
    (source
     (origin
       (method url-fetch)
       ;; XXX: The download links on the website are script redirection links
       ;; which effectively lead to the format listed in the uri here.
       (uri (string-append "https://tls.mbed.org/download/"
                           "mbedtls-" version "-apache.tgz"))
       (sha256
        (base32 "1qlscr0m97favkqmrlj90rlgw40h8lcypxz0snvr1iwkj1pbbnp3"))))
    (build-system cmake-build-system)
    (arguments
     ;; Ask for the shared library as well; judging by the flag's name the
     ;; default build would only produce the static archive (confirm upstream).
     `(#:configure-flags (list "-DUSE_SHARED_MBEDTLS_LIBRARY=ON")))
    ;; Build-time only.  Perl and Python are presumably needed by the
    ;; project's build scripts and test suite; neither is a run-time
    ;; dependency of the library.
    (native-inputs
     `(("perl" ,perl)
       ("python" ,python)))
    (home-page "https://tls.mbed.org")
    (synopsis "Small TLS library")
    (description
     "@code{mbed TLS}, formerly known as PolarSSL, makes it trivially easy
for developers to include cryptographic and SSL/TLS capabilities in their
(embedded) products, facilitating this functionality with a minimal
coding footprint.")
    (license license:asl2.0)))
587d1752 866
867;; The Hiawatha Web server requires some specific features to be enabled.
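(define-public mbedtls-for-hiawatha
  (hidden-package
   (package
     (inherit mbedtls-apache)
     ;; Same source and configure flags as MBEDTLS-APACHE, plus a phase that
     ;; enables the pthread-based threading layer in the build configuration.
     ;; The phase runs BEFORE 'configure: cmake-build-system configures and
     ;; builds out of source by default, so once 'configure has run the
     ;; working directory is the build tree and the relative path
     ;; "scripts/config.pl" no longer resolves.  Editing the configuration
     ;; before configuring also avoids any stale configure-time results.
     (arguments
      `(#:phases
        (modify-phases %standard-phases
          (add-before 'configure 'configure-extra-features
            (lambda _
              (for-each (lambda (option)
                          (invoke "scripts/config.pl" "set" option))
                        '("MBEDTLS_THREADING_C"
                          "MBEDTLS_THREADING_PTHREAD"))
              #t)))
        ,@(package-arguments mbedtls-apache))))))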
884
(define-public ghc-tls
  (package
    (name "ghc-tls")
    (version "1.4.1")
    (source (origin
              (method url-fetch)
              (uri (string-append "https://hackage.haskell.org/package/tls/"
                                  "tls-" version ".tar.gz"))
              (sha256
               (base32
                "1y083724mym28n6xfaz7pcc7zqxdhjpaxpbvzxfbs25qq2px3smv"))))
    (build-system haskell-build-system)
    ;; Run-time library dependencies.  Judging by the names, the crypto
    ;; primitives come from ghc-cryptonite and certificate parsing/validation
    ;; from the ghc-x509* packages.
    (inputs
     `(("ghc-cereal" ,ghc-cereal)
       ("ghc-data-default-class" ,ghc-data-default-class)
       ("ghc-memory" ,ghc-memory)
       ("ghc-cryptonite" ,ghc-cryptonite)
       ("ghc-asn1-types" ,ghc-asn1-types)
       ("ghc-asn1-encoding" ,ghc-asn1-encoding)
       ("ghc-x509" ,ghc-x509)
       ("ghc-x509-store" ,ghc-x509-store)
       ("ghc-x509-validation" ,ghc-x509-validation)
       ("ghc-async" ,ghc-async)
       ("ghc-network" ,ghc-network)
       ("ghc-hourglass" ,ghc-hourglass)))
    ;; Test-suite dependencies only.
    (native-inputs
     `(("ghc-tasty" ,ghc-tasty)
       ("ghc-tasty-quickcheck" ,ghc-tasty-quickcheck)
       ("ghc-quickcheck" ,ghc-quickcheck)))
    (synopsis "TLS/SSL protocol native implementation (Server and Client)")
    ;; NOTE(review): the upstream description below lists SSL 3.0 among the
    ;; supported protocol versions.  SSL 3.0 is long deprecated; whether it
    ;; is disabled in the library's default parameters is not visible from
    ;; here and should be checked by anyone relying on this package.
    (description
     "Native Haskell TLS and SSL protocol implementation for server and client.
This provides a high-level implementation of a sensitive security protocol,
eliminating a common set of security issues through the use of the advanced
type system, high level constructions and common Haskell features. Currently
implement the SSL3.0, TLS1.0, TLS1.1 and TLS1.2 protocol, and support RSA and
Ephemeral (Elliptic curve and regular) Diffie Hellman key exchanges, and many
extensions.")
    (home-page "https://github.com/vincenthz/hs-tls")
    (license license:bsd-3)))
926
(define-public dehydrated
  (package
    (name "dehydrated")
    (version "0.6.2")
    (source (origin
              ;; XXX: This is GitHub's auto-generated archive for the tag,
              ;; not a release asset; the sha256 below is what pins its
              ;; contents.
              (method url-fetch/tarbomb)
              (uri (string-append
                    "https://github.com/lukas2511/dehydrated/archive/v"
                    version ".tar.gz"))
              (file-name (string-append name "-" version ".tar.gz"))
              (sha256
               (base32
                "03p80yj6bnzjc6dkp5hb9wpplmlrla8n5src71cnzw4rj53q8cqn"))))
    (build-system trivial-build-system)
    (arguments
     `(#:modules ((guix build utils))
       #:builder
       (begin
         (use-modules (guix build utils))
         (let* ((source (assoc-ref %build-inputs "source"))
                (out    (assoc-ref %outputs "out"))
                (bin    (string-append out "/bin"))
                (bash   (in-vicinity (assoc-ref %build-inputs "bash") "bin"))
                (script (in-vicinity bin "dehydrated"))
                ;; Inputs whose bin/ directories the wrapped script gets on
                ;; its PATH (presumably the helpers it invokes).
                (tools  '("coreutils" "curl" "diffutils" "gawk" "grep"
                          "openssl" "sed")))
           (mkdir-p bin)
           ;; The only installed artifact is the script itself.
           (copy-file (in-vicinity source
                                   (string-append "/dehydrated-" ,version
                                                  "/dehydrated"))
                      script)
           (with-directory-excursion bin
             (patch-shebang "dehydrated" (list bash))

             ;; Do not try to write in the store.
             (substitute* "dehydrated"
               (("SCRIPTDIR=\"\\$.*\"") "SCRIPTDIR=~/.dehydrated"))

             ;; Prefix PATH with store items so the script's helper commands
             ;; (openssl, curl, ...) resolve to our inputs rather than to
             ;; whatever happens to be on the user's PATH.  wrap-program
             ;; itself needs a shell, hence the PATH set just before.
             (setenv "PATH" bash)
             (wrap-program "dehydrated"
               `("PATH" ":" prefix
                 ,(map (lambda (tool)
                         (string-append (assoc-ref %build-inputs tool) "/bin"))
                       tools))))
           #t))))
    (inputs
     `(("bash" ,bash)
       ("coreutils" ,coreutils)
       ("curl" ,curl)
       ("diffutils" ,diffutils)
       ("gawk" ,gawk)
       ("grep" ,grep)
       ("openssl" ,openssl)
       ("sed" ,sed)))
    (synopsis "Let's Encrypt/ACME client implemented as a shell script")
    (description "Dehydrated is a client for signing certificates with an
ACME-server (currently only provided by Let's Encrypt) implemented as a
relatively simple Bash script.")
    (home-page "https://dehydrated.io/")
    (license license:expat)))