;;; GNU Guix --- Functional package management for GNU
;;; Copyright © 2012, 2013, 2014, 2015, 2016, 2017, 2019 Ludovic Courtès <ludo@gnu.org>
;;; Copyright © 2014, 2015, 2016, 2017, 2018 Mark H Weaver <mhw@netris.org>
;;; Copyright © 2014 Ian Denhardt <ian@zenhack.net>
;;; Copyright © 2013, 2015 Andreas Enge <andreas@enge.fr>
;;; Copyright © 2015 David Thompson <davet@gnu.org>
;;; Copyright © 2015, 2016, 2017, 2018, 2019 Leo Famulari <leo@famulari.name>
;;; Copyright © 2016, 2017, 2019 Efraim Flashner <efraim@flashner.co.il>
;;; Copyright © 2016, 2017, 2018 ng0 <ng0@n0.is>
;;; Copyright © 2016 Hartmut Goebel <h.goebel@crazy-compilers.com>
;;; Copyright © 2017 Ricardo Wurmus <rekado@elephly.net>
;;; Copyright © 2017, 2018, 2019 Marius Bakke <mbakke@fastmail.com>
;;; Copyright © 2017, 2018, 2019 Tobias Geerinckx-Rice <me@tobias.gr>
;;; Copyright © 2017 Rutger Helling <rhelling@mykolab.com>
;;; Copyright © 2018 Clément Lassieur <clement@lassieur.org>
;;;
;;; This file is part of GNU Guix.
;;;
;;; GNU Guix is free software; you can redistribute it and/or modify it
;;; under the terms of the GNU General Public License as published by
;;; the Free Software Foundation; either version 3 of the License, or (at
;;; your option) any later version.
;;;
;;; GNU Guix is distributed in the hope that it will be useful, but
;;; WITHOUT ANY WARRANTY; without even the implied warranty of
;;; MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
;;; GNU General Public License for more details.
;;;
;;; You should have received a copy of the GNU General Public License
;;; along with GNU Guix. If not, see <http://www.gnu.org/licenses/>.

;;; Commentary:
;;;
;;; TLS/PKI building blocks: ASN.1 library and compiler, p11-kit, GnuTLS,
;;; OpenSSL (1.1 and the legacy 1.0 series) and LibreSSL, ACME clients
;;; (python-acme, certbot, acme-client) and the Perl Net::SSLeay and
;;; Crypt::OpenSSL bindings.  Newer OpenSSL point releases are delivered to
;;; dependents as grafts through the 'replacement' field.
;;;
;;; Code:

(define-module (gnu packages tls)
  #:use-module ((guix licenses) #:prefix license:)
  #:use-module (guix packages)
  #:use-module (guix download)
  #:use-module (guix git-download)
  #:use-module (guix utils)
  #:use-module (guix build-system gnu)
  #:use-module (guix build-system go)
  #:use-module (guix build-system perl)
  #:use-module (guix build-system python)
  #:use-module (guix build-system cmake)
  #:use-module (guix build-system trivial)
  #:use-module (gnu packages compression)
  #:use-module (gnu packages)
  #:use-module (gnu packages bash)
  #:use-module (gnu packages check)
  #:use-module (gnu packages curl)
  #:use-module (gnu packages dns)
  #:use-module (gnu packages gawk)
  #:use-module (gnu packages guile)
  #:use-module (gnu packages libbsd)
  #:use-module (gnu packages libffi)
  #:use-module (gnu packages libidn)
  #:use-module (gnu packages linux)
  #:use-module (gnu packages ncurses)
  #:use-module (gnu packages nettle)
  #:use-module (gnu packages perl)
  #:use-module (gnu packages pkg-config)
  #:use-module (gnu packages python)
  #:use-module (gnu packages python-crypto)
  #:use-module (gnu packages python-web)
  #:use-module (gnu packages python-xyz)
  #:use-module (gnu packages sphinx)
  #:use-module (gnu packages texinfo)
  #:use-module (gnu packages time)
  #:use-module (gnu packages base)
  #:use-module (srfi srfi-1))

(define-public libtasn1
  ;; ASN.1 encoder/decoder; a dependency of both p11-kit and gnutls below.
  (package
    (name "libtasn1")
    (version "4.14")
    (source (origin
              (method url-fetch)
              (uri (string-append "mirror://gnu/libtasn1/libtasn1-" version
                                  ".tar.gz"))
              (sha256
               (base32
                "025sqnlzji78ss2fi78dajc0v0h5fi02wp39hws41sn8qnjlnq4y"))))
    (build-system gnu-build-system)
    ;; --disable-static: do not build or install the static archive.
    (arguments '(#:configure-flags '("--disable-static")))
    (native-inputs (list (list "perl" perl)))  ;build-time only
    (home-page "https://www.gnu.org/software/libtasn1/")
    (synopsis "ASN.1 library")
    (description
     "GNU libtasn1 is a library implementing the ASN.1 notation. It is used
for transmitting machine-neutral encodings of data objects in computer
networking, allowing for formal validation of data according to some
specifications.")
    (license license:lgpl2.0+)))

(define-public asn1c
  ;; Compiler from ASN.1 modules to C; see the description for the encodings
  ;; it targets.
  (package
    (name "asn1c")
    (version "0.9.28")
    (source (origin
              (method url-fetch)
              (uri (string-append "https://lionet.info/soft/asn1c-" version
                                  ".tar.gz"))
              (sha256
               (base32
                "1fc64g45ykmv73kdndr4zdm4wxhimhrir4rxnygxvwkych5l81w0"))))
    (build-system gnu-build-system)
    (native-inputs (list (list "perl" perl)))
    (home-page "https://lionet.info/asn1c")
    (synopsis "ASN.1 to C compiler")
    (description "The ASN.1 to C compiler takes ASN.1 module
files and generates C++ compatible C source code. That code can be
used to serialize the native C structures into compact and unambiguous
BER/XER/PER-based data files, and deserialize the files back.

Various ASN.1 based formats are widely used in the industry, such as to encode
the X.509 certificates employed in the HTTPS handshake, to exchange control
data between mobile phones and cellular networks, to car-to-car communication
in intelligent transportation networks.")
    (license license:bsd-2)))

(define-public p11-kit
  ;; PKCS#11 module loader/coordinator.  Built without any trust-store paths;
  ;; note that gnutls below is currently configured --without-p11-kit, so this
  ;; package is not the trust source for GnuTLS here.
  (package
    (name "p11-kit")
    (version "0.23.18.1")
    (source
     (origin
       (method url-fetch)
       (uri (string-append "https://github.com/p11-glue/p11-kit/releases/"
                           "download/" version "/p11-kit-" version ".tar.gz"))
       (sha256
        (base32
         "0vrwab1082f7l5sbzpb28nrs3q4d2q7wzbi8c977rpah026bvhrl"))))
    (build-system gnu-build-system)
    (native-inputs
     `(("pkg-config" ,pkg-config)))
    (inputs
     `(("libffi" ,libffi)
       ("libtasn1" ,libtasn1)))
    (arguments
     ;; --without-trust-paths: presumably so that no host-specific
     ;; trust-store locations get compiled in -- confirm before changing.
     `(#:configure-flags '("--without-trust-paths")
       #:phases (modify-phases %standard-phases
                  (add-before 'check 'prepare-tests
                    (lambda _
                      ;; "test-runtime" expects XDG_RUNTIME_DIR to be set up
                      ;; and looks for .cache and other directories (only).
                      ;; For simplicity just drop it since it is irrelevant
                      ;; in the build container.
                      (substitute* "Makefile"
                        (("test-runtime\\$\\(EXEEXT\\)") ""))
                      #t)))))
    (home-page "https://p11-glue.freedesktop.org/p11-kit.html")
    (synopsis "PKCS#11 library")
    (description
     "p11-kit provides a way to load and enumerate PKCS#11 modules. It
provides a standard configuration setup for installing PKCS#11 modules
in such a way that they are discoverable. It also solves problems with
coordinating the use of PKCS#11 by different components or libraries
living in the same process.")
    (license license:bsd-3)))

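(define-public gnutls
  ;; Fix: the description previously read "X.5009" for the X.509 certificate
  ;; format; corrected to "X.509".
  (package
    (name "gnutls")
    (version "3.6.9")
    (source (origin
              (method url-fetch)
              (uri
               ;; Note: Releases are no longer on ftp.gnu.org since the
               ;; schism (after version 3.1.5).
               (string-append "mirror://gnupg/gnutls/v"
                              (version-major+minor version)
                              "/gnutls-" version ".tar.xz"))
              (patches (search-patches "gnutls-skip-trust-store-test.patch"))
              (sha256
               (base32
                "1jqz5s3lv8sa53348cfi9nr5pw5l55n8m40b8msdvv0pb2jzqca3"))))
    (build-system gnu-build-system)
    (arguments
     `(; Ensure we don't keep a reference to this buggy software.
       #:disallowed-references (,net-tools)
       #:configure-flags
       (list
        ;; GnuTLS doesn't consult any environment variables to specify
        ;; the location of the system-wide trust store. Instead it has a
        ;; configure-time option. Unless specified, its configure script
        ;; attempts to auto-detect the location by looking for common
        ;; places in the file system, none of which are present in our
        ;; chroot build environment. If not found, then no default trust
        ;; store is used, so each program has to provide its own
        ;; fallback, and users have to configure each program
        ;; independently. This seems suboptimal.
        "--with-default-trust-store-dir=/etc/ssl/certs"

        ;; Tell the build system that we want Guile bindings installed to
        ;; the output instead of Guiles own module directory.
        (string-append "--with-guile-site-dir="
                       "$(datarootdir)/guile/site/$(GUILE_EFFECTIVE_VERSION)")
        (string-append "--with-guile-site-ccache-dir="
                       "$(libdir)/guile/$(GUILE_EFFECTIVE_VERSION)/site-ccache")
        (string-append "--with-guile-extension-dir="
                       "$(libdir)/guile/$(GUILE_EFFECTIVE_VERSION)/extensions")

        ;; FIXME: Temporarily disable p11-kit support since it is not
        ;; working on mips64el.
        ;; NOTE(review): while this flag is present, the trust-store
        ;; directory above is the only default certificate source -- confirm
        ;; when re-enabling p11-kit.
        "--without-p11-kit")

       #:phases (modify-phases %standard-phases
                  (add-after
                   'install 'move-doc
                   (lambda* (#:key outputs #:allow-other-keys)
                     ;; Copy the 4.1 MiB of section 3 man pages to "doc".
                     (let* ((out    (assoc-ref outputs "out"))
                            (doc    (assoc-ref outputs "doc"))
                            (mandir (string-append doc "/share/man/man3"))
                            (oldman (string-append out "/share/man/man3")))
                       (mkdir-p mandir)
                       (copy-recursively oldman mandir)
                       (delete-file-recursively oldman)
                       #t))))))
    (outputs '("out"                    ;4.4 MiB
               "debug"
               "doc"))                  ;4.1 MiB of man pages
    (native-inputs
     `(("net-tools" ,net-tools)
       ("pkg-config" ,pkg-config)
       ("which" ,which)))
    (inputs
     `(("guile" ,guile-2.2)))
    (propagated-inputs
     ;; These are all in the 'Requires.private' field of gnutls.pc.
     `(("libtasn1" ,libtasn1)
       ("libidn2" ,libidn2)
       ("nettle" ,nettle)
       ("zlib" ,zlib)))
    (home-page "https://www.gnu.org/software/gnutls/")
    (synopsis "Transport layer security library")
    (description
     "GnuTLS is a secure communications library implementing the SSL, TLS
and DTLS protocols. It is provided in the form of a C library to support the
protocols, as well as to parse and write X.509, PKCS 12, OpenPGP and other
required structures.")
    (license license:lgpl2.1+)
    (properties '((ftp-server . "ftp.gnutls.org")
                  (ftp-directory . "/gcrypt/gnutls")))))
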
(define-public gnutls/guile-2.0
  ;; The same GnuTLS recipe, built against Guile 2.0 instead of 2.2 so its
  ;; bindings can be used from that series.
  (package
    (inherit gnutls)
    (name "guile2.0-gnutls")
    (inputs (cons (list "guile" guile-2.0)
                  (alist-delete "guile" (package-inputs gnutls))))))

(define-public gnutls/dane
  ;; GnuTLS with build libgnutls-dane, implementing DNS-based
  ;; Authentication of Named Entities. This is required for GNS functionality
  ;; by GNUnet and gnURL. This is done in an extra package definition
  ;; to have the choice between GnuTLS with Dane and without Dane.
  ;; Adding "unbound" to the inputs is what turns the DANE support on.
  (package
    (inherit gnutls)
    (name "gnutls-dane")
    (inputs (cons (list "unbound" unbound)
                  (package-inputs gnutls)))))

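(define-public openssl
  ;; Fix: '#:disallowed-references' was passed twice in the build arguments
  ;; (once as (,perl), once as the canonical perl); which of two identical
  ;; keywords wins is an implementation detail of keyword parsing, so the
  ;; check is now expressed once.
  (package
    (name "openssl")
    (version "1.1.1c")
    ;; Grafted replacement: dependents pick up 1.1.1d's libraries without a
    ;; rebuild (see 'openssl-1.1.1d' below).  Keep the two 'source' fields in
    ;; sync when updating.
    (replacement openssl-1.1.1d)
    (source (origin
              (method url-fetch)
              (uri (list (string-append "https://www.openssl.org/source/openssl-"
                                        version ".tar.gz")
                         (string-append "ftp://ftp.openssl.org/source/"
                                        "openssl-" version ".tar.gz")
                         (string-append "ftp://ftp.openssl.org/source/old/"
                                        (string-trim-right version char-set:letter)
                                        "/openssl-" version ".tar.gz")))
              (sha256
               (base32
                "142c7zdlz06hjrrvinb9f276czc78bnkyhd9xma621qmmmwk1yzn"))
              (patches (search-patches "openssl-1.1-c-rehash-in.patch"))))
    (build-system gnu-build-system)
    (outputs '("out"
               "doc"      ;6.8 MiB of man3 pages and full HTML documentation
               "static")) ;6.4 MiB of .a files
    (native-inputs `(("perl" ,perl)))
    (arguments
     `(#:parallel-build? #f
       #:parallel-tests? #f
       #:test-target "test"

       ;; Changes to OpenSSL sometimes cause Perl to "sneak in" to the closure,
       ;; so we explicitly disallow it here.  This keyword must appear exactly
       ;; once in this list.
       #:disallowed-references ,(list (canonical-package perl))
       #:phases
       (modify-phases %standard-phases
         (replace 'configure
           (lambda* (#:key outputs #:allow-other-keys)
             (let* ((out (assoc-ref outputs "out"))
                    (lib (string-append out "/lib")))
               ;; It's not a shebang so patch-source-shebangs misses it.
               (substitute* "config"
                 (("/usr/bin/env")
                  (string-append (assoc-ref %build-inputs "coreutils")
                                 "/bin/env")))
               (invoke "./config"
                       "shared"       ;build shared libraries
                       "--libdir=lib"

                       ;; The default for this catch-all directory is
                       ;; PREFIX/ssl. Change that to something more
                       ;; conventional.
                       (string-append "--openssldir=" out
                                      "/share/openssl-" ,version)

                       (string-append "--prefix=" out)
                       (string-append "-Wl,-rpath," lib)))))
         (add-after 'install 'move-static-libraries
           (lambda* (#:key outputs #:allow-other-keys)
             ;; Move static libraries to the "static" output.
             (let* ((out    (assoc-ref outputs "out"))
                    (lib    (string-append out "/lib"))
                    (static (assoc-ref outputs "static"))
                    (slib   (string-append static "/lib")))
               (for-each (lambda (file)
                           (install-file file slib)
                           (delete-file file))
                         (find-files lib "\\.a$"))
               #t)))
         (add-after 'install 'move-extra-documentation
           (lambda* (#:key outputs #:allow-other-keys)
             ;; Move man3 pages and full HTML documentation to "doc".
             (let* ((out         (assoc-ref outputs "out"))
                    (man3        (string-append out "/share/man/man3"))
                    (html        (string-append out "/share/doc/openssl"))
                    (doc         (assoc-ref outputs "doc"))
                    (man-target  (string-append doc "/share/man/man3"))
                    (html-target (string-append doc "/share/doc/openssl")))
               (copy-recursively man3 man-target)
               (delete-file-recursively man3)
               (copy-recursively html html-target)
               (delete-file-recursively html)
               #t)))
         (add-after
          'install 'remove-miscellany
          (lambda* (#:key outputs #:allow-other-keys)
            ;; The 'misc' directory contains random undocumented shell and Perl
            ;; scripts. Remove them to avoid retaining a reference on Perl.
            (let ((out (assoc-ref outputs "out")))
              (delete-file-recursively (string-append out "/share/openssl-"
                                                      ,version "/misc"))
              #t))))))
    (native-search-paths
     ;; Both variables designate a single directory or file, not a
     ;; PATH-style list, hence 'separator #f'.
     (list (search-path-specification
            (variable "SSL_CERT_DIR")
            (separator #f)              ;single entry
            (files '("etc/ssl/certs")))
           (search-path-specification
            (variable "SSL_CERT_FILE")
            (file-type 'regular)
            (separator #f)              ;single entry
            (files '("etc/ssl/certs/ca-certificates.crt")))))
    (synopsis "SSL/TLS implementation")
    (description
     "OpenSSL is an implementation of SSL/TLS.")
    (license license:openssl)
    (home-page "https://www.openssl.org/")))
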
(define openssl-1.1.1d
  ;; Graft target for 'openssl' (its 'replacement' field): identical recipe,
  ;; newer point release.  Deliberately not exported ('define', not
  ;; 'define-public'); presumably it is only meant to be reached through the
  ;; graft.  The 'uri' and 'patches' mirror those of 'openssl' exactly.
  (package/inherit
   openssl
   (version "1.1.1d")
   (source (origin
             (method url-fetch)
             (uri (list (string-append "https://www.openssl.org/source/openssl-"
                                       version ".tar.gz")
                        (string-append "ftp://ftp.openssl.org/source/"
                                       "openssl-" version ".tar.gz")
                        (string-append "ftp://ftp.openssl.org/source/old/"
                                       (string-trim-right version char-set:letter)
                                       "/openssl-" version ".tar.gz")))
             (patches (search-patches "openssl-1.1-c-rehash-in.patch"))
             (sha256
              (base32
               "1whinyw402z3b9xlb3qaxv4b9sk4w1bgh9k0y8df1z4x3yy92fhy"))))))

(define-public openssl-1.0
  ;; Legacy 1.0.2 series.  It keeps the name "openssl" and is told apart from
  ;; the package above by its version only.  Like 'openssl', it is grafted
  ;; onto a newer point release through 'replacement'.  Check upstream
  ;; support status before relying on this branch for new dependents.
  (package
    (inherit openssl)
    (name "openssl")
    (version "1.0.2s")
    (replacement openssl-1.0.2t)
    (source (origin
              (method url-fetch)
              (uri (list (string-append "https://www.openssl.org/source/openssl-"
                                        version ".tar.gz")
                         (string-append "ftp://ftp.openssl.org/source/"
                                        "openssl-" version ".tar.gz")
                         (string-append "ftp://ftp.openssl.org/source/old/"
                                        (string-trim-right version char-set:letter)
                                        "/openssl-" version ".tar.gz")))
              (sha256
               (base32
                "15mbmg8hf7s12vr3v2bdc0pi9y4pdbnsxhzk4fyyap42jaa5rgfa"))
              ;; Different patch set from the 1.1 package above.
              (patches (search-patches "openssl-runpath.patch"
                                       "openssl-c-rehash-in.patch"))))
    (outputs '("out"
               "doc"      ;1.5MiB of man3 pages
               "static")) ;6MiB of .a files
    (arguments
     ;; Start from the 1.1 phases and adjust them for the 1.0 source tree.
     (substitute-keyword-arguments (package-arguments openssl)
       ((#:phases phases)
        `(modify-phases ,phases
           ;; The test scripts refer to /bin/sh and /bin/rm by absolute path;
           ;; point them at the bash input and at plain "rm" instead.
           (add-before 'patch-source-shebangs 'patch-tests
             (lambda* (#:key inputs native-inputs #:allow-other-keys)
               (let ((bash (assoc-ref (or native-inputs inputs) "bash")))
                 (substitute* (find-files "test" ".*")
                   (("/bin/sh")
                    (string-append bash "/bin/sh"))
                   (("/bin/rm")
                    "rm"))
                 #t)))
           (add-before 'configure 'patch-Makefile.org
             (lambda* (#:key outputs #:allow-other-keys)
               ;; The default MANDIR is some unusual place. Fix that.
               (let ((out (assoc-ref outputs "out")))
                 (patch-makefile-SHELL "Makefile.org")
                 (substitute* "Makefile.org"
                   (("^MANDIR[[:blank:]]*=.*$")
                    (string-append "MANDIR = " out "/share/man\n")))
                 #t)))
           (replace 'configure
             ;; Override this phase because OpenSSL 1.0 does not understand -rpath.
             (lambda* (#:key outputs #:allow-other-keys)
               (let ((out (assoc-ref outputs "out")))
                 (invoke "./config"
                         "shared"       ;build shared libraries
                         "--libdir=lib"

                         ;; The default for this catch-all directory is
                         ;; PREFIX/ssl. Change that to something more
                         ;; conventional.
                         (string-append "--openssldir=" out
                                        "/share/openssl-" ,version)

                         (string-append "--prefix=" out)))))
           ;; 1.0 ships no HTML documentation, so the 1.1 phase does not
           ;; apply; only the man3 pages are moved, below.
           (delete 'move-extra-documentation)
           (add-after 'install 'move-man3-pages
             (lambda* (#:key outputs #:allow-other-keys)
               ;; Move section 3 man pages to "doc".
               (let* ((out    (assoc-ref outputs "out"))
                      (man3   (string-append out "/share/man/man3"))
                      (doc    (assoc-ref outputs "doc"))
                      (target (string-append doc "/share/man/man3")))
                 (mkdir-p target)
                 (for-each (lambda (file)
                             (rename-file file
                                          (string-append target "/"
                                                         (basename file))))
                           (find-files man3))
                 (delete-file-recursively man3)
                 #t)))
           ;; XXX: Duplicate this phase to make sure 'version' evaluates
           ;; in the current scope and not the inherited one.
           (replace 'remove-miscellany
             (lambda* (#:key outputs #:allow-other-keys)
               ;; The 'misc' directory contains random undocumented shell and Perl
               ;; scripts. Remove them to avoid retaining a reference on Perl.
               (let ((out (assoc-ref outputs "out")))
                 (delete-file-recursively (string-append out "/share/openssl-"
                                                         ,version "/misc"))
                 #t)))))))))

(define openssl-1.0.2t
  ;; Graft target for 'openssl-1.0'.  It inherits from 'openssl' rather than
  ;; from 'openssl-1.0' -- presumably to avoid copying openssl-1.0's
  ;; 'replacement' field, which would point back at this package -- and
  ;; instead takes openssl-1.0's source (patches) and build arguments
  ;; explicitly.  Not exported.
  (package
    (inherit openssl)
    (version "1.0.2t")
    (source (origin
              (inherit (package-source openssl-1.0))
              (uri (list (string-append "https://www.openssl.org/source/openssl-"
                                        version ".tar.gz")
                         (string-append "ftp://ftp.openssl.org/source/"
                                        "openssl-" version ".tar.gz")
                         (string-append "ftp://ftp.openssl.org/source/old/"
                                        (string-trim-right version char-set:letter)
                                        "/openssl-" version ".tar.gz")))
              (sha256
               (base32
                "1g67ra0ph7gpz6fgvv1i96d792jmd6ymci5kk53vbikszr74djql"))))
    (arguments
     (substitute-keyword-arguments (package-arguments openssl-1.0)
       ;; Parallel build is not supported in 1.0.x.
       ;; ('openssl' already passes #:parallel-build? #f; restated here.)
       ((#:parallel-build? _ #f) #f)))))

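(define-public libressl
  ;; Fix: the SSL_CERT_DIR/SSL_CERT_FILE search-path specifications now match
  ;; those of 'openssl' above -- 'separator #f' so a single entry is
  ;; produced, and 'file-type 'regular' for SSL_CERT_FILE, since the
  ;; specification's default file type is a directory and the certificate
  ;; bundle is a regular file.
  (package
    (name "libressl")
    (version "2.7.4")
    (source (origin
              (method url-fetch)
              (uri (string-append "mirror://openbsd/LibreSSL/"
                                  name "-" version ".tar.gz"))
              (sha256
               (base32
                "19kxa5i97q7p6rrps9qm0nd8zqhdjvzx02j72400c73cl2nryfhy"))))
    (build-system gnu-build-system)
    (arguments
     ;; Do as if 'getentropy' was missing since older Linux kernels lack it
     ;; and libc would return ENOSYS, which is not properly handled.
     ;; See <https://lists.gnu.org/archive/html/guix-devel/2017-04/msg00235.html>.
     '(#:configure-flags '("ac_cv_func_getentropy=no"
                           ;; Provide a TLS-enabled netcat.
                           "--enable-nc")))
    (native-search-paths
     ;; These two variables designate a single file or directory and are not
     ;; "search paths" in the PATH sense; declare them exactly as 'openssl'
     ;; does so that profiles set them to one entry.
     (list (search-path-specification
            (variable "SSL_CERT_DIR")
            (separator #f)              ;single entry
            (files '("etc/ssl/certs")))
           (search-path-specification
            (variable "SSL_CERT_FILE")
            (file-type 'regular)
            (separator #f)              ;single entry
            (files '("etc/ssl/certs/ca-certificates.crt")))))
    (home-page "https://www.libressl.org/")
    (synopsis "SSL/TLS implementation")
    (description "LibreSSL is a version of the TLS/crypto stack, forked from
OpenSSL in 2014 with the goals of modernizing the codebase, improving security,
and applying best practice development processes. This package also includes a
netcat implementation that supports TLS.")
    ;; Files taken from OpenSSL keep their license, others are under various
    ;; non-copyleft licenses.
    (license (list license:openssl
                   (license:non-copyleft
                    "file://COPYING"
                    "See COPYING in the distribution.")))))
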
(define-public python-acme
  ;; ACME protocol library that 'certbot' (below) is built on.  certbot's
  ;; version is derived from this package, so the two are bumped together.
  (package
    (name "python-acme")
    ;; Remember to update the hash of certbot when updating python-acme.
    (version "0.37.2")
    (source (origin
              (method url-fetch)
              (uri (pypi-uri "acme" version))
              (sha256
               (base32
                "0p3zqhna9p8iy5i9mfhzdf5bmjigs05r6rlwnxykk4n67fp8yyc8"))))
    (build-system python-build-system)
    (arguments
     `(#:phases
       (modify-phases %standard-phases
         ;; Build the man page and Info manual from the Sphinx sources once
         ;; the Python build is done...
         (add-after 'build 'build-documentation
           (lambda _
             (invoke "make" "-C" "docs" "man" "info")))
         ;; ...and install both into "out".
         (add-after 'install 'install-documentation
           (lambda* (#:key outputs #:allow-other-keys)
             (let* ((out  (assoc-ref outputs "out"))
                    (man  (string-append out "/share/man/man1"))
                    (info (string-append out "/info")))
               (install-file "docs/_build/texinfo/acme-python.info" info)
               (install-file "docs/_build/man/acme-python.1" man)
               #t))))))
    ;; TODO: Add optional inputs for testing.
    (native-inputs
     `(("python-mock" ,python-mock)
       ("python-pytest" ,python-pytest)
       ;; For documentation
       ("python-sphinx" ,python-sphinx)
       ("python-sphinxcontrib-programoutput" ,python-sphinxcontrib-programoutput)
       ("python-sphinx-rtd-theme" ,python-sphinx-rtd-theme)
       ("texinfo" ,texinfo)))
    (propagated-inputs
     `(("python-josepy" ,python-josepy)
       ("python-six" ,python-six)
       ("python-requests" ,python-requests)
       ("python-requests-toolbelt" ,python-requests-toolbelt)
       ("python-pytz" ,python-pytz)
       ("python-pyrfc3339" ,python-pyrfc3339)
       ("python-pyasn1" ,python-pyasn1)
       ("python-cryptography" ,python-cryptography)
       ("python-pyopenssl" ,python-pyopenssl)))
    (home-page "https://github.com/certbot/certbot")
    (synopsis "ACME protocol implementation in Python")
    (description "ACME protocol implementation in Python")
    (license license:asl2.0)))

(define-public certbot
  (package
    (name "certbot")
    ;; Certbot and python-acme are developed in the same repository, and their
    ;; versions should remain synchronized.
    (version (package-version python-acme))
    (source (origin
              (method url-fetch)
              (uri (pypi-uri "certbot" version))
              (sha256
               (base32
                "1xbfv4fwkgfp9qqzlk8wxbhchc61349m26q9fg35j9fnm253cm74"))))
    (build-system python-build-system)
    (arguments
     ;; Reuse python-acme's phases (including its documentation build) and
     ;; only swap the install step, since certbot ships a different set of
     ;; manual pages (man1 and man7).
     `(,@(substitute-keyword-arguments (package-arguments python-acme)
           ((#:phases phases)
            `(modify-phases ,phases
               (replace 'install-documentation
                 (lambda* (#:key outputs #:allow-other-keys)
                   (let* ((out  (assoc-ref outputs "out"))
                          (man1 (string-append out "/share/man/man1"))
                          (man7 (string-append out "/share/man/man7"))
                          (info (string-append out "/info")))
                     (install-file "docs/_build/texinfo/Certbot.info" info)
                     (install-file "docs/_build/man/certbot.1" man1)
                     (install-file "docs/_build/man/certbot.7" man7)
                     #t))))))))
    ;; TODO: Add optional inputs for testing.
    (native-inputs
     `(("python-mock" ,python-mock)
       ("python-pytest" ,python-pytest)
       ;; For documentation
       ("python-sphinx" ,python-sphinx)
       ("python-sphinx-rtd-theme" ,python-sphinx-rtd-theme)
       ("python-sphinx-repoze-autointerface" ,python-sphinx-repoze-autointerface)
       ("python-sphinxcontrib-programoutput" ,python-sphinxcontrib-programoutput)
       ("texinfo" ,texinfo)))
    (propagated-inputs
     `(("python-acme" ,python-acme)
       ("python-cryptography" ,python-cryptography)
       ("python-zope-interface" ,python-zope-interface)
       ("python-pyrfc3339" ,python-pyrfc3339)
       ("python-pyopenssl" ,python-pyopenssl)
       ("python-configobj" ,python-configobj)
       ("python-configargparse" ,python-configargparse)
       ("python-zope-component" ,python-zope-component)
       ("python-parsedatetime" ,python-parsedatetime)
       ("python-six" ,python-six)
       ("python-psutil" ,python-psutil)
       ("python-requests" ,python-requests)
       ("python-pytz" ,python-pytz)))
    (synopsis "Let's Encrypt client by the Electronic Frontier Foundation")
    (description "Certbot automatically receives and installs X.509 certificates
to enable Transport Layer Security (TLS) on servers. It interoperates with the
Let’s Encrypt certificate authority (CA), which issues browser-trusted
certificates for free.")
    (home-page "https://certbot.eff.org/")
    (license license:asl2.0)))

(define-public letsencrypt
  ;; Former name of certbot, kept as an alias that points users at the
  ;; superseding package.
  (package
    (inherit certbot)
    (name "letsencrypt")
    (properties (list (cons 'superseded certbot)))))

(define-public perl-net-ssleay
  (package
    (name "perl-net-ssleay")
    (version "1.88")
    (source (origin
              (method url-fetch)
              (uri (string-append "mirror://cpan/authors/id/C/CH/CHRISN/"
                                  "Net-SSLeay-" version ".tar.gz"))
              (sha256
               (base32
                "1pfgh4h3szcpvqlcimc60pjbk9zwls99x5863sva0wc47i4dl010"))))
    (build-system perl-build-system)
    (inputs (list (list "openssl" openssl)))
    (arguments
     ;; Point the build at our OpenSSL through OPENSSL_PREFIX before
     ;; 'configure' runs (presumably read by the module's Makefile.PL).
     '(#:phases
       (modify-phases %standard-phases
         (add-before 'configure 'set-ssl-prefix
           (lambda* (#:key inputs #:allow-other-keys)
             (setenv "OPENSSL_PREFIX" (assoc-ref inputs "openssl"))
             #t)))))
    (synopsis "Perl extension for using OpenSSL")
    (description
     "This module offers some high level convenience functions for accessing
web pages on SSL servers (for symmetry, the same API is offered for accessing
http servers, too), an sslcat() function for writing your own clients, and
finally access to the SSL api of the SSLeay/OpenSSL package so you can write
servers or clients for more complicated applications.")
    (license license:perl-license)
    (home-page "https://metacpan.org/release/Net-SSLeay")))

(define-public perl-crypt-openssl-rsa
  (package
    (name "perl-crypt-openssl-rsa")
    (version "0.31")
    (source (origin
              (method url-fetch)
              (uri (string-append "mirror://cpan/authors/id/T/TO/TODDR/"
                                  "Crypt-OpenSSL-RSA-" version ".tar.gz"))
              (sha256
               (base32
                "0djl5i6kibl7862b6ih29q8dhg5zpwzq77q9j8hp6xngshx40ws1"))))
    (build-system perl-build-system)
    (native-inputs
     (list (list "perl-crypt-openssl-guess" perl-crypt-openssl-guess)))
    (inputs
     (list (list "perl-crypt-openssl-bignum" perl-crypt-openssl-bignum)
           (list "perl-crypt-openssl-random" perl-crypt-openssl-random)
           (list "openssl" openssl)))
    ;; Shared Crypt::OpenSSL::* build arguments: link against our libcrypto.
    (arguments perl-crypt-arguments)
    (home-page "https://metacpan.org/release/Crypt-OpenSSL-RSA")
    (synopsis "RSA encoding and decoding, using the openSSL libraries")
    (description "Crypt::OpenSSL::RSA does RSA encoding and decoding (using the
OpenSSL libraries).")
    (license license:perl-license)))

(define perl-crypt-arguments
  ;; Build arguments shared by the Crypt::OpenSSL::* packages: rewrite the
  ;; 'LIBS' entry of Makefile.PL so the XS code links against libcrypto from
  ;; the "openssl" input.
  '(#:phases
    (modify-phases %standard-phases
      (add-before 'configure 'patch-Makefile.PL
        (lambda* (#:key inputs #:allow-other-keys)
          (substitute* "Makefile.PL"
            (("'LIBS'.*=>.*")
             (string-append "'LIBS' => ['-L"
                            (assoc-ref inputs "openssl")
                            "/lib -lcrypto'],")))
          #t)))))

(define-public perl-crypt-openssl-bignum
  (package
    (name "perl-crypt-openssl-bignum")
    (version "0.09")
    (source (origin
              (method url-fetch)
              (uri (string-append "mirror://cpan/authors/id/K/KM/KMX/"
                                  "Crypt-OpenSSL-Bignum-" version ".tar.gz"))
              (sha256
               (base32
                "1p22znbajq91lbk2k3yg12ig7hy5b4vy8igxwqkmbm4nhgxp4ki3"))))
    (build-system perl-build-system)
    (inputs (list (list "openssl" openssl)))
    ;; Shared Crypt::OpenSSL::* build arguments: link against our libcrypto.
    (arguments perl-crypt-arguments)
    (home-page "https://metacpan.org/release/Crypt-OpenSSL-Bignum")
    (synopsis "OpenSSL's multiprecision integer arithmetic in Perl")
    (description "Crypt::OpenSSL::Bignum provides multiprecision integer
arithmetic in Perl.")
    ;; At your option either gpl1+ or the Artistic License
    (license license:perl-license)))

(define-public perl-crypt-openssl-guess
  (package
    (name "perl-crypt-openssl-guess")
    (version "0.11")
    (source
     (origin
       (method url-fetch)
       (uri (string-append "mirror://cpan/authors/id/A/AK/AKIYM/"
                           "Crypt-OpenSSL-Guess-" version ".tar.gz"))
       (sha256
        (base32 "0rvi9l4ljcbhwwvspq019nfq2h2v746dk355h2nwnlmqikiihsxa"))))
    (build-system perl-build-system)
    ;; Build-time helper only: it declares no inputs of its own and is pulled
    ;; in as a native input by the bindings below.
    (synopsis "Guess the OpenSSL include path")
    (description
     "The Crypt::OpenSSL::Guess Perl module provides helpers to guess the
correct OpenSSL include path. It is intended for use in your
@file{Makefile.PL}.")
    (home-page "https://metacpan.org/release/Crypt-OpenSSL-Guess")
    (license license:perl-license)))
(define-public perl-crypt-openssl-random
  (package
    (name "perl-crypt-openssl-random")
    (version "0.15")
    (source
     (origin
       (method url-fetch)
       (uri (string-append "mirror://cpan/authors/id/R/RU/RURBAN/"
                           "Crypt-OpenSSL-Random-" version ".tar.gz"))
       (sha256
        (base32 "1x6ffps8q7mnawmcfq740llzy7i10g3319vap0wiw4d33fm6z1zh"))))
    (build-system perl-build-system)
    (arguments perl-crypt-arguments)
    ;; Crypt::OpenSSL::Guess is needed only while building, to locate the
    ;; OpenSSL headers; libcrypto itself comes from the 'openssl' input.
    (native-inputs
     `(("perl-crypt-openssl-guess" ,perl-crypt-openssl-guess)))
    (inputs
     `(("openssl" ,openssl)))
    (synopsis "OpenSSL/LibreSSL pseudo-random number generator access")
    (description "Crypt::OpenSSL::Random is a OpenSSL/LibreSSL pseudo-random
number generator")
    (home-page "https://metacpan.org/release/Crypt-OpenSSL-Random")
    (license license:perl-license)))
(define-public acme-client
  (package
    (name "acme-client")
    (version "0.1.16")
    (source (origin
              (method url-fetch)
              (uri (string-append "https://kristaps.bsd.lv/" name
                                  "/snapshots/" name "-portable-" version
                                  ".tgz"))
              (sha256
               (base32
                "00q05b3b1dfnfp7sr1nbd212n0mqrycl3cr9lbs51m7ncaihbrz9"))))
    (build-system gnu-build-system)
    (arguments
     '(#:tests? #f                      ; no test suite
       #:make-flags
       (list "CC=gcc"
             (string-append "PREFIX=" (assoc-ref %outputs "out")))
       #:phases
       (modify-phases %standard-phases
         (delete 'configure)            ; no './configure' script
         (add-after 'unpack 'patch-paths
           (lambda* (#:key inputs #:allow-other-keys)
             ;; http.c refers to /etc/ssl/cert.pem.  Point it at the cert.pem
             ;; shipped by the 'libressl' input instead, so the file (presumably
             ;; the CA bundle used to verify the ACME server -- confirm in
             ;; http.c) is fixed at build time and does not depend on the
             ;; host's /etc/ssl.  Consequence: updating trust anchors means
             ;; rebuilding against a newer libressl, not editing /etc/ssl.
             (let ((cert-bundle (string-append (assoc-ref inputs "libressl")
                                               "/etc/ssl/cert.pem")))
               (substitute* "http.c"
                 (("/etc/ssl/cert.pem") cert-bundle))
               #t))))))
    (native-inputs
     `(("pkg-config" ,pkg-config)))
    (inputs
     `(("libbsd" ,libbsd)
       ("libressl" ,libressl)))
    (home-page "https://kristaps.bsd.lv/acme-client/")
    (synopsis "Let's Encrypt client by the OpenBSD project")
    (description "acme-client is a Let's Encrypt client implemented in C. It
uses a modular design, and attempts to secure itself by dropping privileges and
operating in a chroot where possible. acme-client is developed on OpenBSD and
then ported to the GNU / Linux environment.")
    ;; acme-client is distributed under the ISC license, but the files 'jsmn.h'
    ;; and 'jsmn.c' are distributed under the Expat license.
    (license (list license:isc license:expat))))
;; The "-apache" variant is the one upstream prefers.  A "-gpl" variant
;; exists in addition to the "-apache" one.
(define-public mbedtls-apache
  (package
    (name "mbedtls-apache")
    (version "2.16.3")
    (source
     (origin
       (method url-fetch)
       ;; XXX: The download links on the website are script redirection links
       ;; which effectively lead to the format listed in the uri here.
       (uri (string-append "https://tls.mbed.org/download/mbedtls-" version
                           "-apache.tgz"))
       (sha256
        (base32 "0qd65lnr63vmx2gxla6lcmm5gawlnaj4wy4h4vmdc3h9h9nyw6zc"))))
    (build-system cmake-build-system)
    (arguments
     ;; Ask the CMake build for the shared library as well.
     `(#:configure-flags
       (list "-DUSE_SHARED_MBEDTLS_LIBRARY=ON")))
    ;; Both are build-time only (upstream's test and generator scripts).
    (native-inputs
     `(("perl" ,perl)
       ("python" ,python)))
    (home-page "https://tls.mbed.org")
    (synopsis "Small TLS library")
    (description
     "@code{mbed TLS}, formerly known as PolarSSL, makes it trivially easy
for developers to include cryptographic and SSL/TLS capabilities in their
(embedded) products, facilitating this functionality with a minimal
coding footprint.")
    (license license:asl2.0)))
;; The Hiawatha Web server requires some specific features to be enabled.
;; Wrapped in 'hidden-package' so it does not show up in the user-facing
;; package list; presumably it is consumed only by the hiawatha package.
(define-public mbedtls-for-hiawatha
  (hidden-package
   (package
     (inherit mbedtls-apache)
     (arguments
      ;; No keyword clauses are given here, so this form only prepends the
      ;; extra #:phases to the argument list inherited from mbedtls-apache
      ;; (which carries the #:configure-flags).
      (substitute-keyword-arguments
          `(#:phases
            (modify-phases %standard-phases
              ;; Run after 'configure and flip the build options through
              ;; upstream's own config script rather than by editing headers.
              (add-after 'configure 'configure-extra-features
                (lambda _
                  (for-each (lambda (feature)
                              (invoke "scripts/config.pl" "set" feature))
                            ;; Threading support, backed by pthreads.
                            (list "MBEDTLS_THREADING_C"
                                  "MBEDTLS_THREADING_PTHREAD"))
                  #t)))
            ,@(package-arguments mbedtls-apache)))))))
(define-public dehydrated
  (package
    (name "dehydrated")
    (version "0.6.5")
    (source (origin
              (method url-fetch)
              (uri (string-append
                    "https://github.com/lukas2511/dehydrated/releases/download/"
                    "v" version "/dehydrated-" version ".tar.gz"))
              (sha256
               (base32
                "0dgskgbdd95p13jx6s13p77y15wngb5cm6p4305cf2s54w0bvahh"))))
    ;; Nothing to compile: the builder below unpacks the tarball, installs the
    ;; script and wraps it by hand.
    (build-system trivial-build-system)
    (arguments
     `(#:modules ((guix build utils))
       #:builder
       (begin
         (use-modules (guix build utils))
         (let* ((tarball (assoc-ref %build-inputs "source"))
                (tar-dir (assoc-ref %build-inputs "tar"))
                (gzip-dir (assoc-ref %build-inputs "gzip"))
                (bash-bin (in-vicinity (assoc-ref %build-inputs "bash") "bin"))
                (out (assoc-ref %outputs "out"))
                (bin (string-append out "/bin"))
                (docdir (string-append out "/share/doc/" ,name "-" ,version))
                ;; Map an input name to its bin/ directory in the store.
                (bin-of (lambda (input)
                          (string-append (assoc-ref %build-inputs input)
                                         "/bin"))))
           ;; tar is invoked by absolute path; gzip goes on PATH so the .tar.gz
           ;; can be decompressed.
           (setenv "PATH" (string-append gzip-dir "/bin"))
           (invoke (string-append tar-dir "/bin/tar") "xvf" tarball)
           (chdir (string-append ,name "-" ,version))

           (install-file "dehydrated" bin)
           (install-file "LICENSE" docdir)

           (with-directory-excursion bin
             (patch-shebang "dehydrated" (list bash-bin))

             ;; Do not try to write in the store.  ~/.dehydrated becomes the
             ;; script's working directory; presumably that is where it keeps
             ;; its account and certificate keys (confirm against upstream
             ;; docs), so it lives in the user's home, not the read-only store.
             (substitute* "dehydrated"
               (("SCRIPTDIR=\"\\$.*\"") "SCRIPTDIR=~/.dehydrated"))

             ;; Only bash on PATH while wrapping.  The wrapper then prefixes
             ;; PATH with the bin/ directory of every runtime input, so the
             ;; script uses the store's curl and openssl rather than whatever
             ;; is on the caller's PATH.
             (setenv "PATH" bash-bin)
             (wrap-program "dehydrated"
               `("PATH" ":" prefix
                 ,(map bin-of '("coreutils" "curl" "diffutils" "gawk"
                                "grep" "openssl" "sed")))))
           #t))))
    (inputs
     `(("bash" ,bash)
       ("coreutils" ,coreutils)
       ("curl" ,curl)
       ("diffutils" ,diffutils)
       ("gawk" ,gawk)
       ("grep" ,grep)
       ("openssl" ,openssl)
       ("sed" ,sed)))
    (native-inputs
     `(("gzip" ,gzip)
       ("tar" ,tar)))
    (home-page "https://dehydrated.io/")
    (synopsis "Let's Encrypt/ACME client implemented as a shell script")
    (description "Dehydrated is a client for signing certificates with an
ACME-server (currently only provided by Let's Encrypt) implemented as a
relatively simple Bash script.")
    (license license:expat)))
(define-public go-github-com-certifi-gocertifi
  ;; Pinned to an exact upstream commit (rather than a release tag); the
  ;; version string is derived from it.  Since this is a root-certificate
  ;; bundle, the trust anchors Go programs get from it are frozen at this
  ;; commit until the package is bumped.
  (let ((commit "d2eda712971317d7dd278bc2a52acda7e945f97e")
        (revision "0"))
    (package
      (name "go-github-com-certifi-gocertifi")
      (version (git-version "2018.01.18" revision commit))
      (source (origin
                (method git-fetch)
                (uri (git-reference
                      (url "https://github.com/certifi/gocertifi")
                      (commit commit)))
                (file-name (git-file-name name version))
                (sha256
                 (base32
                  "0f3v26xps7gadw4qfmh1kxbpgp0cgqdd61a257xnnvnd7ll6k8dh"))))
      (build-system go-build-system)
      (arguments
       '(#:import-path "github.com/certifi/gocertifi"))
      (home-page "https://certifi.io")
      (synopsis "X.509 TLS root certificate bundle for Go")
      (description "This package is a Go language X.509 TLS root certificate bundle,
derived from Mozilla's collection.")
      (license license:mpl2.0))))