gnu: perl-net-ssleay: Update to 1.88.
233e7676 1;;; GNU Guix --- Functional package management for GNU
3c0f7910 2;;; Copyright © 2012, 2013, 2014, 2015, 2016, 2017 Ludovic Courtès <ludo@gnu.org>
05f6e601 3;;; Copyright © 2014, 2015, 2016, 2017, 2018 Mark H Weaver <mhw@netris.org>
29a7c98a 4;;; Copyright © 2014 Ian Denhardt <ian@zenhack.net>
cc2b77df 5;;; Copyright © 2013, 2015 Andreas Enge <andreas@enge.fr>
9fd0838b 6;;; Copyright © 2015 David Thompson <davet@gnu.org>
2a5b5bfd 7;;; Copyright © 2015, 2016, 2017, 2018 Leo Famulari <leo@famulari.name>
2850d877 8;;; Copyright © 2016, 2017, 2019 Efraim Flashner <efraim@flashner.co.il>
47956fa0 9;;; Copyright © 2016, 2017, 2018 ng0 <ng0@n0.is>
375cef6c 10;;; Copyright © 2016 Hartmut Goebel <h.goebel@crazy-compilers.com>
ee33f9a7 11;;; Copyright © 2017 Ricardo Wurmus <rekado@elephly.net>
d5c472a2 12;;; Copyright © 2017, 2018 Marius Bakke <mbakke@fastmail.com>
a92c6b1a 13;;; Copyright © 2017, 2018, 2019 Tobias Geerinckx-Rice <me@tobias.gr>
fbf5ca3c 14;;; Copyright © 2017 Rutger Helling <rhelling@mykolab.com>
e8b3a158 15;;; Copyright © 2018 Clément Lassieur <clement@lassieur.org>
7543f865 16;;;
233e7676 17;;; This file is part of GNU Guix.
7543f865 18;;;
233e7676 19;;; GNU Guix is free software; you can redistribute it and/or modify it
20;;; under the terms of the GNU General Public License as published by
21;;; the Free Software Foundation; either version 3 of the License, or (at
22;;; your option) any later version.
23;;;
233e7676 24;;; GNU Guix is distributed in the hope that it will be useful, but
25;;; WITHOUT ANY WARRANTY; without even the implied warranty of
26;;; MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
27;;; GNU General Public License for more details.
28;;;
29;;; You should have received a copy of the GNU General Public License
233e7676 30;;; along with GNU Guix. If not, see <http://www.gnu.org/licenses/>.
7543f865 31
;;; Package definitions for TLS/SSL stacks and the things around them:
;;; ASN.1 tooling, PKCS#11 (p11-kit), GnuTLS, OpenSSL/LibreSSL, ACME clients
;;; and the Perl OpenSSL bindings.
;;;
;;; NOTE(review): the #:use-module order is kept exactly as the author wrote
;;; it.  Guile's handling of duplicate exported names may depend on import
;;; order, so reordering these lines is not a no-op -- confirm before touching.
(define-module (gnu packages tls)
  #:use-module ((guix licenses) #:prefix license:)
  #:use-module (guix packages)
  #:use-module (guix download)
  #:use-module (guix utils)
  #:use-module (guix build-system gnu)
  #:use-module (guix build-system perl)
  #:use-module (guix build-system python)
  #:use-module (guix build-system cmake)
  #:use-module (guix build-system trivial)
  #:use-module (gnu packages compression)
  #:use-module (gnu packages)
  #:use-module (gnu packages bash)
  #:use-module (gnu packages check)
  #:use-module (gnu packages curl)
  #:use-module (gnu packages dns)
  #:use-module (gnu packages gawk)
  #:use-module (gnu packages guile)
  #:use-module (gnu packages libbsd)
  #:use-module (gnu packages libffi)
  #:use-module (gnu packages libidn)
  #:use-module (gnu packages linux)
  #:use-module (gnu packages ncurses)
  #:use-module (gnu packages nettle)
  #:use-module (gnu packages perl)
  #:use-module (gnu packages pkg-config)
  #:use-module (gnu packages python)
  #:use-module (gnu packages python-crypto)
  #:use-module (gnu packages python-web)
  #:use-module (gnu packages python-xyz)
  #:use-module (gnu packages sphinx)
  #:use-module (gnu packages texinfo)
  #:use-module (gnu packages time)
  #:use-module (gnu packages base)
  #:use-module (srfi srfi-1))

(define-public libtasn1
  ;; GNU ASN.1 parser library.  It is a propagated input of 'gnutls' and an
  ;; input of 'p11-kit' further down in this file.
  (package
    (name "libtasn1")
    (version "4.13")
    (source
     (origin
       (method url-fetch)
       (uri (string-append "mirror://gnu/libtasn1/libtasn1-" version ".tar.gz"))
       (sha256
        (base32 "1jlc1iahj8k3haz28j55nzg7sgni5h41vqy461i1bpbx6668wlky"))))
    (build-system gnu-build-system)
    ;; Pass --disable-static to configure; there are no unquoted values here,
    ;; so a plain quote is enough.
    (arguments '(#:configure-flags '("--disable-static")))
    (native-inputs `(("perl" ,perl)))
    (synopsis "ASN.1 library")
    (description
     "GNU libtasn1 is a library implementing the ASN.1 notation. It is used
for transmitting machine-neutral encodings of data objects in computer
networking, allowing for formal validation of data according to some
specifications.")
    (home-page "https://www.gnu.org/software/libtasn1/")
    (license license:lgpl2.0+)))

(define-public asn1c
  ;; Compiler that turns ASN.1 modules into C encoders/decoders.
  (package
    (name "asn1c")
    (version "0.9.28")
    (source
     (origin
       (method url-fetch)
       (uri (string-append "https://lionet.info/soft/asn1c-" version ".tar.gz"))
       (sha256
        (base32 "1fc64g45ykmv73kdndr4zdm4wxhimhrir4rxnygxvwkych5l81w0"))))
    (build-system gnu-build-system)
    (native-inputs `(("perl" ,perl)))
    (synopsis "ASN.1 to C compiler")
    (description "The ASN.1 to C compiler takes ASN.1 module
files and generates C++ compatible C source code. That code can be
used to serialize the native C structures into compact and unambiguous
BER/XER/PER-based data files, and deserialize the files back.

Various ASN.1 based formats are widely used in the industry, such as to encode
the X.509 certificates employed in the HTTPS handshake, to exchange control
data between mobile phones and cellular networks, to car-to-car communication
in intelligent transportation networks.")
    (home-page "https://lionet.info/asn1c")
    (license license:bsd-2)))

(define-public p11-kit
  ;; Loader and coordinator for PKCS#11 modules.
  (package
    (name "p11-kit")
    (version "0.23.15")
    (source
     (origin
       (method url-fetch)
       (uri (string-append "https://github.com/p11-glue/p11-kit/releases/"
                           "download/" version "/p11-kit-" version ".tar.gz"))
       (patches (search-patches "p11-kit-jks-timestamps.patch"))
       (sha256
        (base32 "166pwj00cffv4qq4dvx0k53zka0b0r1fa0whc49007vsqyh3khgp"))))
    (build-system gnu-build-system)
    (native-inputs `(("pkg-config" ,pkg-config)))
    (inputs `(("libffi" ,libffi)
              ("libtasn1" ,libtasn1)))
    (arguments
     ;; No unquoted values below, so a plain quote is sufficient.
     ;; --without-trust-paths: presumably no built-in trust-anchor
     ;; locations are compiled in (see 'gnutls', which is built
     ;; --without-p11-kit anyway) -- confirm against the p11-kit docs.
     '(#:configure-flags '("--without-trust-paths")
       #:phases
       (modify-phases %standard-phases
         (add-before 'check 'prepare-tests
           (lambda _
             ;; "test-runtime" expects XDG_RUNTIME_DIR to be set up
             ;; and looks for .cache and other directories (only).
             ;; For simplicity just drop it since it is irrelevant
             ;; in the build container.
             (substitute* "Makefile"
               (("test-runtime\\$\\(EXEEXT\\)") ""))
             #t)))))
    (synopsis "PKCS#11 library")
    (description
     "p11-kit provides a way to load and enumerate PKCS#11 modules. It
provides a standard configuration setup for installing PKCS#11 modules
in such a way that they are discoverable. It also solves problems with
coordinating the use of PKCS#11 by different components or libraries
living in the same process.")
    (home-page "https://p11-glue.freedesktop.org/p11-kit.html")
    (license license:bsd-3)))

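(define-public gnutls
  ;; GnuTLS with Guile 2.2 bindings.  The description's standards name was
  ;; misspelt "X.5009"; it now reads "X.509".
  (package
    (name "gnutls")
    (version "3.6.5")
    (source (origin
              (method url-fetch)
              (uri
               ;; Note: Releases are no longer on ftp.gnu.org since the
               ;; schism (after version 3.1.5).
               (string-append "mirror://gnupg/gnutls/v"
                              (version-major+minor version)
                              "/gnutls-" version ".tar.xz"))
              (patches (search-patches "gnutls-skip-trust-store-test.patch"))
              (sha256
               (base32
                "0ddvg97dyrh8dkffv1mdc0knxx5my3qdbzv97s4a6jggmk9wwgh7"))
              (modules '((guix build utils)))
              (snippet
               '(begin
                  ;; XXX: The generated configure script in GnuTLS 3.6.5
                  ;; apparently does not know about Guile 2.2.
                  (substitute* "configure"
                    (("guile_versions_to_search=\"2\\.0 1\\.8\"")
                     "guile_versions_to_search=\"2.2 2.0 1.8\""))
                  #t))))
    (build-system gnu-build-system)
    (arguments
     `(; Ensure we don't keep a reference to this buggy software.
       #:disallowed-references (,net-tools)
       #:configure-flags
       (list
        ;; GnuTLS doesn't consult any environment variables to specify
        ;; the location of the system-wide trust store.  Instead it has a
        ;; configure-time option.  Unless specified, its configure script
        ;; attempts to auto-detect the location by looking for common
        ;; places in the file system, none of which are present in our
        ;; chroot build environment.  If not found, then no default trust
        ;; store is used, so each program has to provide its own
        ;; fallback, and users have to configure each program
        ;; independently.  This seems suboptimal.
        ;;
        ;; Note that this path lives outside the store: the set of trusted
        ;; CAs is therefore whatever the running system puts there, not
        ;; something fixed at build time.
        "--with-default-trust-store-dir=/etc/ssl/certs"

        ;; FIXME: Temporarily disable p11-kit support since it is not
        ;; working on mips64el.
        "--without-p11-kit")

       #:phases (modify-phases %standard-phases
                  (add-after 'install 'move-doc
                    (lambda* (#:key outputs #:allow-other-keys)
                      ;; Copy the 4.1 MiB of section 3 man pages to "doc".
                      (let* ((out    (assoc-ref outputs "out"))
                             (doc    (assoc-ref outputs "doc"))
                             (mandir (string-append doc "/share/man/man3"))
                             (oldman (string-append out "/share/man/man3")))
                        (mkdir-p mandir)
                        (copy-recursively oldman mandir)
                        (delete-file-recursively oldman)
                        #t))))))
    (outputs '("out"                    ;4.4 MiB
               "debug"
               "doc"))                  ;4.1 MiB of man pages
    (native-inputs
     `(("net-tools" ,net-tools)
       ("pkg-config" ,pkg-config)
       ("which" ,which)))
    (inputs
     `(("guile" ,guile-2.2)))
    (propagated-inputs
     ;; These are all in the 'Requires.private' field of gnutls.pc.
     `(("libtasn1" ,libtasn1)
       ("libidn2" ,libidn2)
       ("nettle" ,nettle)
       ("zlib" ,zlib)))
    (home-page "https://www.gnu.org/software/gnutls/")
    (synopsis "Transport layer security library")
    (description
     "GnuTLS is a secure communications library implementing the SSL, TLS
and DTLS protocols. It is provided in the form of a C library to support the
protocols, as well as to parse and write X.509, PKCS 12, OpenPGP and other
required structures.")
    (license license:lgpl2.1+)
    (properties '((ftp-server . "ftp.gnutls.org")
                  (ftp-directory . "/gcrypt/gnutls")))))
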
;; Old name kept for compatibility; 'gnutls' itself is now built against
;; Guile 2.2, so this just forwards to it under the deprecated name.
(define-public gnutls/guile-2.2
  (deprecated-package "guile2.2-gnutls" gnutls))

(define-public gnutls/guile-2.0
  ;; GnuTLS for Guile 2.0: identical to 'gnutls' except that the "guile"
  ;; input is replaced by guile-2.0.
  (package
    (inherit gnutls)
    (name "guile2.0-gnutls")
    (inputs (cons `("guile" ,guile-2.0)
                  (alist-delete "guile" (package-inputs gnutls))))))

(define-public gnutls/dane
  ;; GnuTLS with build libgnutls-dane, implementing DNS-based
  ;; Authentication of Named Entities.  This is required for GNS functionality
  ;; by GNUnet and gnURL.  This is done in an extra package definition
  ;; to have the choice between GnuTLS with Dane and without Dane.
  ;; The only difference from 'gnutls' is the additional "unbound" input.
  (package
    (inherit gnutls)
    (name "gnutls-dane")
    (inputs (cons `("unbound" ,unbound)
                  (package-inputs gnutls)))))

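(define-public openssl
  ;; OpenSSL 1.0.2 series.  The 'replacement' field points at openssl/fixed
  ;; (defined below), which adds the CVE-2019-1559 patch on top of this
  ;; definition.
  ;;
  ;; Fix: #:disallowed-references used to be given twice in 'arguments'
  ;; (once as (,perl), once as ,(list (canonical-package perl))).  A keyword
  ;; argument that appears twice leaves it unclear which value is honoured,
  ;; so both Perls are now listed under a single keyword.
  (package
    (name "openssl")
    (replacement openssl/fixed)
    (version "1.0.2p")
    (source (origin
              (method url-fetch)
              (uri (list (string-append "https://www.openssl.org/source/openssl-"
                                        version ".tar.gz")
                         (string-append "ftp://ftp.openssl.org/source/"
                                        "openssl-" version ".tar.gz")
                         (string-append "ftp://ftp.openssl.org/source/old/"
                                        (string-trim-right version char-set:letter)
                                        "/openssl-" version ".tar.gz")))
              (sha256
               (base32
                "003xh9f898i56344vpvpxxxzmikivxig4xwlm7vbi7m8n43qxaah"))
              (patches (search-patches "openssl-runpath.patch"
                                       "openssl-c-rehash-in.patch"))))
    (build-system gnu-build-system)
    (outputs '("out"
               "doc"                            ;1.5MiB of man3 pages
               "static"))                       ;6MiB of .a files
    (native-inputs `(("perl" ,perl)))
    (arguments
     `(#:parallel-build? #f
       #:parallel-tests? #f
       #:test-target "test"

       ;; Changes to OpenSSL sometimes cause Perl to "sneak in" to the closure,
       ;; so we explicitly disallow it here.  Both the Perl from
       ;; 'native-inputs' and the build system's canonical Perl are listed,
       ;; so the check holds whichever of the two ends up referenced.
       #:disallowed-references ,(list perl (canonical-package perl))
       #:phases
       (modify-phases %standard-phases
         (add-before 'configure 'patch-Makefile.org
           (lambda* (#:key outputs #:allow-other-keys)
             ;; The default MANDIR is some unusual place.  Fix that.
             (let ((out (assoc-ref outputs "out")))
               (patch-makefile-SHELL "Makefile.org")
               (substitute* "Makefile.org"
                 (("^MANDIR[[:blank:]]*=.*$")
                  (string-append "MANDIR = " out "/share/man\n")))
               #t)))
         (replace 'configure
           (lambda* (#:key outputs #:allow-other-keys)
             (let ((out (assoc-ref outputs "out")))
               (invoke "./config"
                       "shared"                 ;build shared libraries
                       "--libdir=lib"

                       ;; The default for this catch-all directory is
                       ;; PREFIX/ssl.  Change that to something more
                       ;; conventional.
                       (string-append "--openssldir=" out
                                      "/share/openssl-" ,version)

                       (string-append "--prefix=" out)))))
         (add-after 'install 'make-libraries-writable
           (lambda* (#:key outputs #:allow-other-keys)
             ;; Make libraries writable so that 'strip' does its job.
             (let ((out (assoc-ref outputs "out")))
               (for-each (lambda (file)
                           (chmod file #o644))
                         (find-files (string-append out "/lib")
                                     "\\.so"))
               #t)))
         (add-after 'install 'move-static-libraries
           (lambda* (#:key outputs #:allow-other-keys)
             ;; Move static libraries to the "static" output.
             (let* ((out    (assoc-ref outputs "out"))
                    (lib    (string-append out "/lib"))
                    (static (assoc-ref outputs "static"))
                    (slib   (string-append static "/lib")))
               (for-each (lambda (file)
                           (install-file file slib)
                           (delete-file file))
                         (find-files lib "\\.a$"))
               #t)))
         (add-after 'install 'move-man3-pages
           (lambda* (#:key outputs #:allow-other-keys)
             ;; Move section 3 man pages to "doc".
             (let* ((out    (assoc-ref outputs "out"))
                    (man3   (string-append out "/share/man/man3"))
                    (doc    (assoc-ref outputs "doc"))
                    (target (string-append doc "/share/man/man3")))
               (mkdir-p target)
               (for-each (lambda (file)
                           (rename-file file
                                        (string-append target "/"
                                                       (basename file))))
                         (find-files man3))
               (delete-file-recursively man3)
               #t)))
         (add-before 'patch-source-shebangs 'patch-tests
           (lambda* (#:key inputs native-inputs #:allow-other-keys)
             ;; The test scripts hard-code /bin/sh and /bin/rm, neither of
             ;; which exists in the build container.
             (let ((bash (assoc-ref (or native-inputs inputs) "bash")))
               (substitute* (find-files "test" ".*")
                 (("/bin/sh")
                  (string-append bash "/bin/sh"))
                 (("/bin/rm")
                  "rm"))
               #t)))
         (add-after 'install 'remove-miscellany
           (lambda* (#:key outputs #:allow-other-keys)
             ;; The 'misc' directory contains random undocumented shell and Perl
             ;; scripts.  Remove them to avoid retaining a reference on Perl.
             (let ((out (assoc-ref outputs "out")))
               (delete-file-recursively (string-append out "/share/openssl-"
                                                       ,version "/misc"))
               #t))))))
    (native-search-paths
     ;; Both variables designate one item, not a colon-separated list,
     ;; hence (separator #f).
     (list (search-path-specification
            (variable "SSL_CERT_DIR")
            (separator #f)                      ;single entry
            (files '("etc/ssl/certs")))
           (search-path-specification
            (variable "SSL_CERT_FILE")
            (file-type 'regular)
            (separator #f)                      ;single entry
            (files '("etc/ssl/certs/ca-certificates.crt")))))
    (synopsis "SSL/TLS implementation")
    (description
     "OpenSSL is an implementation of SSL/TLS.")
    (license license:openssl)
    (home-page "https://www.openssl.org/")))
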
(define-public openssl/fixed
  ;; Security replacement for 'openssl': the same package with the
  ;; CVE-2019-1559 patch appended to its patch list.  'openssl' names this
  ;; as its 'replacement', and it is hidden so it is not offered on its own.
  (let ((base (package-source openssl)))
    (hidden-package
     (package
       (inherit openssl)
       (source (origin
                 (inherit base)
                 (patches (append (origin-patches base)
                                  (search-patches
                                   "openssl-CVE-2019-1559.patch")))))))))

(define-public openssl-next
  ;; The OpenSSL 1.1 series.  Inherits everything from 'openssl' (1.0.2) and
  ;; then edits the inherited phases: two phases are dropped, 'configure'
  ;; and 'remove-miscellany' are replaced, and the documentation move is
  ;; redone to also cover the HTML docs.  Note that it does NOT set a
  ;; 'replacement', so nothing grafted onto 'openssl' applies here.
  (package
    (inherit openssl)
    (name "openssl")
    (version "1.1.1c")
    (source (origin
              (method url-fetch)
              (uri (list (string-append "https://www.openssl.org/source/openssl-"
                                        version ".tar.gz")
                         (string-append "ftp://ftp.openssl.org/source/"
                                        "openssl-" version ".tar.gz")
                         (string-append "ftp://ftp.openssl.org/source/old/"
                                        (string-trim-right version char-set:letter)
                                        "/openssl-" version ".tar.gz")))
              (patches (search-patches "openssl-1.1-c-rehash-in.patch"))
              (sha256
               (base32
                "142c7zdlz06hjrrvinb9f276czc78bnkyhd9xma621qmmmwk1yzn"))))
    (outputs '("out"
               "doc"        ; 6.8 MiB of man3 pages and full HTML documentation
               "static"))   ; 6.4 MiB of .a files
    (arguments
     (substitute-keyword-arguments (package-arguments openssl)
       ((#:phases phases)
        `(modify-phases ,phases
           (delete 'patch-tests)          ; These two phases are not needed by
           (delete 'patch-Makefile.org)   ; OpenSSL 1.1.

           ;; Override configure phase since -rpath is now a configure option.
           (replace 'configure
             (lambda* (#:key outputs #:allow-other-keys)
               (let* ((out (assoc-ref outputs "out"))
                      (lib (string-append out "/lib")))
                 ;; It's not a shebang so patch-source-shebangs misses it.
                 (substitute* "config"
                   (("/usr/bin/env")
                    (string-append (assoc-ref %build-inputs "coreutils")
                                   "/bin/env")))
                 (invoke "./config"
                         "shared"       ;build shared libraries
                         "--libdir=lib"

                         ;; The default for this catch-all directory is
                         ;; PREFIX/ssl.  Change that to something more
                         ;; conventional.
                         (string-append "--openssldir=" out
                                        "/share/openssl-" ,version)

                         (string-append "--prefix=" out)
                         ;; Bake the library directory into the RUNPATH so
                         ;; the installed binaries find their own libssl.
                         (string-append "-Wl,-rpath," lib)))))

           (delete 'move-man3-pages)
           (add-after 'install 'move-extra-documentation
             (lambda* (#:key outputs #:allow-other-keys)
               ;; Move man3 pages and full HTML documentation to "doc".
               (let* ((out (assoc-ref outputs "out"))
                      (man3 (string-append out "/share/man/man3"))
                      (html (string-append out "/share/doc/openssl"))
                      (doc (assoc-ref outputs "doc"))
                      (man-target (string-append doc "/share/man/man3"))
                      (html-target (string-append doc "/share/doc/openssl")))
                 (copy-recursively man3 man-target)
                 (delete-file-recursively man3)
                 (copy-recursively html html-target)
                 (delete-file-recursively html)
                 #t)))
           ;; XXX: Duplicate this phase to make sure 'version' evaluates
           ;; in the current scope and not the inherited one.
           (replace 'remove-miscellany
             (lambda* (#:key outputs #:allow-other-keys)
               ;; The 'misc' directory contains random undocumented shell and Perl
               ;; scripts.  Remove them to avoid retaining a reference on Perl.
               (let ((out (assoc-ref outputs "out")))
                 (delete-file-recursively (string-append out "/share/openssl-"
                                                         ,version "/misc"))
                 #t)))))))))

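(define-public libressl
  ;; LibreSSL, plus its TLS-capable netcat.
  ;;
  ;; Fix: the SSL_CERT_DIR / SSL_CERT_FILE search-path specifications now
  ;; carry the same (separator #f) and (file-type 'regular) settings as the
  ;; 'openssl' package in this file, so the two packages declare the same
  ;; variables the same way instead of relying on the old FIXME behaviour.
  (package
    (name "libressl")
    (version "2.7.4")
    (source (origin
              (method url-fetch)
              (uri (string-append "mirror://openbsd/LibreSSL/"
                                  name "-" version ".tar.gz"))
              (sha256
               (base32
                "19kxa5i97q7p6rrps9qm0nd8zqhdjvzx02j72400c73cl2nryfhy"))))
    (build-system gnu-build-system)
    (arguments
     ;; Do as if 'getentropy' was missing since older Linux kernels lack it
     ;; and libc would return ENOSYS, which is not properly handled.
     ;; See <https://lists.gnu.org/archive/html/guix-devel/2017-04/msg00235.html>.
     '(#:configure-flags '("ac_cv_func_getentropy=no"
                           ;; Provide a TLS-enabled netcat.
                           "--enable-nc")))
    (native-search-paths
     ;; These two variables each designate a single file or directory and
     ;; are not actually "search paths"; declare them as single entries,
     ;; exactly as 'openssl' does above.
     (list (search-path-specification
            (variable "SSL_CERT_DIR")
            (separator #f)                      ;single entry
            (files '("etc/ssl/certs")))
           (search-path-specification
            (variable "SSL_CERT_FILE")
            (file-type 'regular)
            (separator #f)                      ;single entry
            (files '("etc/ssl/certs/ca-certificates.crt")))))
    (home-page "https://www.libressl.org/")
    (synopsis "SSL/TLS implementation")
    (description "LibreSSL is a version of the TLS/crypto stack, forked from
OpenSSL in 2014 with the goals of modernizing the codebase, improving security,
and applying best practice development processes. This package also includes a
netcat implementation that supports TLS.")
    ;; Files taken from OpenSSL keep their license, others are under various
    ;; non-copyleft licenses.
    (license (list license:openssl
                   (license:non-copyleft
                    "file://COPYING"
                    "See COPYING in the distribution.")))))
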
(define-public python-acme
  ;; ACME client library; 'certbot' below takes its version from this package.
  (package
    (name "python-acme")
    ;; Remember to update the hash of certbot when updating python-acme.
    (version "0.34.2")
    (source
     (origin
       (method url-fetch)
       (uri (pypi-uri "acme" version))
       (sha256
        (base32 "0anwc102fmlva6x2k1bxrgdb7mi1jy9wgrqjzvk2nam8pky0snxx"))))
    (build-system python-build-system)
    (arguments
     ;; Nothing is unquoted below, so a plain quote is enough.
     '(#:phases
       (modify-phases %standard-phases
         ;; Run the "man" and "info" targets of the docs/ Makefile after the
         ;; regular build.
         (add-after 'build 'build-documentation
           (lambda _
             (invoke "make" "-C" "docs" "man" "info")))
         ;; Copy the generated Info manual and man page into the output.
         (add-after 'install 'install-documentation
           (lambda* (#:key outputs #:allow-other-keys)
             (let ((out (assoc-ref outputs "out")))
               (install-file "docs/_build/texinfo/acme-python.info"
                             (string-append out "/info"))
               (install-file "docs/_build/man/acme-python.1"
                             (string-append out "/share/man/man1"))
               #t))))))
    ;; TODO: Add optional inputs for testing.
    (native-inputs
     `(("python-mock" ,python-mock)
       ("python-pytest" ,python-pytest)
       ;; For documentation
       ("python-sphinx" ,python-sphinx)
       ("python-sphinxcontrib-programoutput" ,python-sphinxcontrib-programoutput)
       ("python-sphinx-rtd-theme" ,python-sphinx-rtd-theme)
       ("texinfo" ,texinfo)))
    (propagated-inputs
     `(("python-josepy" ,python-josepy)
       ("python-six" ,python-six)
       ("python-requests" ,python-requests)
       ("python-requests-toolbelt" ,python-requests-toolbelt)
       ("python-pytz" ,python-pytz)
       ("python-pyrfc3339" ,python-pyrfc3339)
       ("python-pyasn1" ,python-pyasn1)
       ("python-cryptography" ,python-cryptography)
       ("python-pyopenssl" ,python-pyopenssl)))
    (synopsis "ACME protocol implementation in Python")
    (description "ACME protocol implementation in Python")
    (home-page "https://github.com/certbot/certbot")
    (license license:asl2.0)))

(define-public certbot
  ;; The EFF's ACME client.  Reuses python-acme's build phases, swapping only
  ;; the documentation-install step for one that knows certbot's own files.
  (package
    (name "certbot")
    ;; Certbot and python-acme are developed in the same repository, and their
    ;; versions should remain synchronized.
    (version (package-version python-acme))
    (source
     (origin
       (method url-fetch)
       (uri (pypi-uri name version))
       (sha256
        (base32 "1fy91rnq4wwblp5gi2qb2c3xk6j2w1maf5f52228pk8cn7f2swrh"))))
    (build-system python-build-system)
    (arguments
     ;; The result of substitute-keyword-arguments is already the argument
     ;; list, so it is used directly rather than spliced into a fresh list.
     (substitute-keyword-arguments (package-arguments python-acme)
       ((#:phases phases)
        `(modify-phases ,phases
           (replace 'install-documentation
             (lambda* (#:key outputs #:allow-other-keys)
               (let ((out (assoc-ref outputs "out")))
                 (install-file "docs/_build/texinfo/Certbot.info"
                               (string-append out "/info"))
                 (install-file "docs/_build/man/certbot.1"
                               (string-append out "/share/man/man1"))
                 (install-file "docs/_build/man/certbot.7"
                               (string-append out "/share/man/man7"))
                 #t)))))))
    ;; TODO: Add optional inputs for testing.
    (native-inputs
     `(("python-mock" ,python-mock)
       ("python-pytest" ,python-pytest)
       ;; For documentation
       ("python-sphinx" ,python-sphinx)
       ("python-sphinx-rtd-theme" ,python-sphinx-rtd-theme)
       ("python-sphinx-repoze-autointerface" ,python-sphinx-repoze-autointerface)
       ("python-sphinxcontrib-programoutput" ,python-sphinxcontrib-programoutput)
       ("texinfo" ,texinfo)))
    (propagated-inputs
     `(("python-acme" ,python-acme)
       ("python-cryptography" ,python-cryptography)
       ("python-zope-interface" ,python-zope-interface)
       ("python-pyrfc3339" ,python-pyrfc3339)
       ("python-pyopenssl" ,python-pyopenssl)
       ("python-configobj" ,python-configobj)
       ("python-configargparse" ,python-configargparse)
       ("python-zope-component" ,python-zope-component)
       ("python-parsedatetime" ,python-parsedatetime)
       ("python-six" ,python-six)
       ("python-psutil" ,python-psutil)
       ("python-requests" ,python-requests)
       ("python-pytz" ,python-pytz)))
    (home-page "https://certbot.eff.org/")
    (synopsis "Let's Encrypt client by the Electronic Frontier Foundation")
    (description "Certbot automatically receives and installs X.509 certificates
to enable Transport Layer Security (TLS) on servers. It interoperates with the
Let’s Encrypt certificate authority (CA), which issues browser-trusted
certificates for free.")
    (license license:asl2.0)))

(define-public letsencrypt
  ;; Former name of certbot; kept only so that 'superseded' can redirect
  ;; users to 'certbot'.
  (package
    (inherit certbot)
    (name "letsencrypt")
    (properties (list (cons 'superseded certbot)))))

(define-public perl-net-ssleay
  ;; Perl bindings for OpenSSL.  Links against the 'openssl' package defined
  ;; earlier in this file (currently the 1.0.2 series).
  (package
    (name "perl-net-ssleay")
    (version "1.88")
    (source
     (origin
       (method url-fetch)
       (uri (string-append "mirror://cpan/authors/id/M/MI/MIKEM/"
                           "Net-SSLeay-" version ".tar.gz"))
       (sha256
        (base32 "1pfgh4h3szcpvqlcimc60pjbk9zwls99x5863sva0wc47i4dl010"))))
    (build-system perl-build-system)
    (inputs `(("openssl" ,openssl)))
    (arguments
     ;; Nothing is unquoted below, so a plain quote is enough.
     '(#:phases
       (modify-phases %standard-phases
         ;; Tell the Makefile.PL where the OpenSSL input lives.
         (add-before 'configure 'set-ssl-prefix
           (lambda* (#:key inputs #:allow-other-keys)
             (setenv "OPENSSL_PREFIX" (assoc-ref inputs "openssl"))
             #t)))))
    (home-page "https://metacpan.org/release/Net-SSLeay")
    (synopsis "Perl extension for using OpenSSL")
    (description
     "This module offers some high level convenience functions for accessing
web pages on SSL servers (for symmetry, the same API is offered for accessing
http servers, too), an sslcat() function for writing your own clients, and
finally access to the SSL api of the SSLeay/OpenSSL package so you can write
servers or clients for more complicated applications.")
    (license license:perl-license)))

(define-public perl-crypt-openssl-rsa
  ;; Crypt::OpenSSL::RSA.  Shares 'perl-crypt-arguments' with the other
  ;; Crypt::OpenSSL::* packages so they all link libcrypto the same way.
  (package
    (name "perl-crypt-openssl-rsa")
    (version "0.31")
    (source
     (origin
       (method url-fetch)
       (uri (string-append
             "mirror://cpan/authors/id/T/TO/TODDR/Crypt-OpenSSL-RSA-"
             version ".tar.gz"))
       (sha256
        (base32 "0djl5i6kibl7862b6ih29q8dhg5zpwzq77q9j8hp6xngshx40ws1"))))
    (build-system perl-build-system)
    (arguments perl-crypt-arguments)
    (native-inputs
     `(("perl-crypt-openssl-guess" ,perl-crypt-openssl-guess)))
    (inputs
     `(("perl-crypt-openssl-bignum" ,perl-crypt-openssl-bignum)
       ("perl-crypt-openssl-random" ,perl-crypt-openssl-random)
       ("openssl" ,openssl)))
    (synopsis "RSA encoding and decoding, using the openSSL libraries")
    (description "Crypt::OpenSSL::RSA does RSA encoding and decoding (using the
OpenSSL libraries).")
    (home-page "https://metacpan.org/release/Crypt-OpenSSL-RSA")
    (license license:perl-license)))

(define perl-crypt-arguments
  ;; Build arguments shared by the Crypt::OpenSSL::* packages in this file.
  ;; Before 'configure, the 'LIBS' line of Makefile.PL is rewritten to point
  ;; the linker at the OpenSSL input's lib directory and link libcrypto.
  ;; There is nothing to unquote, so this is plain quoted data.
  '(#:phases
    (modify-phases %standard-phases
      (add-before 'configure 'patch-Makefile.PL
        (lambda* (#:key inputs #:allow-other-keys)
          (let ((openssl (assoc-ref inputs "openssl")))
            (substitute* "Makefile.PL"
              (("'LIBS'.*=>.*")
               (string-append "'LIBS' => ['-L" openssl "/lib -lcrypto'],")))
            #t))))))

(define-public perl-crypt-openssl-bignum
  ;; Crypt::OpenSSL::Bignum, built with the shared 'perl-crypt-arguments'.
  (package
    (name "perl-crypt-openssl-bignum")
    (version "0.09")
    (source
     (origin
       (method url-fetch)
       (uri (string-append
             "mirror://cpan/authors/id/K/KM/KMX/Crypt-OpenSSL-Bignum-"
             version ".tar.gz"))
       (sha256
        (base32 "1p22znbajq91lbk2k3yg12ig7hy5b4vy8igxwqkmbm4nhgxp4ki3"))))
    (build-system perl-build-system)
    (arguments perl-crypt-arguments)
    (inputs `(("openssl" ,openssl)))
    (synopsis "OpenSSL's multiprecision integer arithmetic in Perl")
    (description "Crypt::OpenSSL::Bignum provides multiprecision integer
arithmetic in Perl.")
    (home-page "https://metacpan.org/release/Crypt-OpenSSL-Bignum")
    ;; At your option either gpl1+ or the Artistic License
    (license license:perl-license)))

(define-public perl-crypt-openssl-guess
  ;; Build-time helper used (as a native input) by the Crypt::OpenSSL::RSA and
  ;; Crypt::OpenSSL::Random packages to locate OpenSSL headers.
  (package
    (name "perl-crypt-openssl-guess")
    (version "0.11")
    (source
     (origin
       (method url-fetch)
       (uri (string-append
             "mirror://cpan/authors/id/A/AK/AKIYM/Crypt-OpenSSL-Guess-"
             version ".tar.gz"))
       (sha256
        (base32 "0rvi9l4ljcbhwwvspq019nfq2h2v746dk355h2nwnlmqikiihsxa"))))
    (build-system perl-build-system)
    (synopsis "Guess the OpenSSL include path")
    (description
     "The Crypt::OpenSSL::Guess Perl module provides helpers to guess the
correct OpenSSL include path. It is intended for use in your
@file{Makefile.PL}.")
    (home-page "https://metacpan.org/release/Crypt-OpenSSL-Guess")
    (license license:perl-license)))

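;; Perl binding to the OpenSSL/LibreSSL pseudo-random number generator.
(define-public perl-crypt-openssl-random
  (package
    (name "perl-crypt-openssl-random")
    (version "0.15")
    (source
     (origin
       (method url-fetch)
       (uri (string-append
             "mirror://cpan/authors/id/R/RU/RURBAN/Crypt-OpenSSL-Random-"
             version ".tar.gz"))
       (sha256
        (base32 "1x6ffps8q7mnawmcfq740llzy7i10g3319vap0wiw4d33fm6z1zh"))))
    (build-system perl-build-system)
    (native-inputs
     ;; Finds the OpenSSL include path for Makefile.PL; build time only.
     `(("perl-crypt-openssl-guess" ,perl-crypt-openssl-guess)))
    (inputs
     `(("openssl" ,openssl)))
    ;; Build arguments shared with the other Crypt::OpenSSL::* packages in this
    ;; file (perl-crypt-openssl-bignum above uses the same value).
    (arguments perl-crypt-arguments)
    (home-page "https://metacpan.org/release/Crypt-OpenSSL-Random")
    (synopsis "OpenSSL/LibreSSL pseudo-random number generator access")
    ;; Fixed article ("an OpenSSL") and added the closing period; this is the
    ;; text shown to users by 'guix show'.
    (description "Crypt::OpenSSL::Random is an OpenSSL/LibreSSL pseudo-random
number generator.")
    (license license:perl-license)))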
(define-public acme-client
  (package
    (name "acme-client")
    (version "0.1.16")
    (source
     (origin
       (method url-fetch)
       ;; NAME and VERSION are the package fields defined above.
       (uri (string-append "https://kristaps.bsd.lv/" name "/snapshots/"
                           name "-portable-" version ".tgz"))
       (sha256
        (base32 "00q05b3b1dfnfp7sr1nbd212n0mqrycl3cr9lbs51m7ncaihbrz9"))))
    (build-system gnu-build-system)
    (native-inputs
     `(("pkg-config" ,pkg-config)))
    (inputs
     `(("libbsd" ,libbsd)
       ("libressl" ,libressl)))
    (arguments
     `(#:tests? #f                      ; the tarball ships no test suite
       #:make-flags
       (list "CC=gcc"
             (string-append "PREFIX=" (assoc-ref %outputs "out")))
       #:phases
       (modify-phases %standard-phases
         ;; There is no './configure' script; the Makefile is used directly.
         (delete 'configure)
         ;; http.c hard-codes /etc/ssl/cert.pem (presumably the CA bundle used
         ;; to verify TLS peers).  Point it at the copy shipped by the libressl
         ;; input so the binary does not depend on a system-wide file.
         (add-after 'unpack 'patch-paths
           (lambda* (#:key inputs #:allow-other-keys)
             (substitute* "http.c"
               (("/etc/ssl/cert.pem")
                (string-append (assoc-ref inputs "libressl")
                               "/etc/ssl/cert.pem")))
             #t)))))
    (home-page "https://kristaps.bsd.lv/acme-client/")
    (synopsis "Let's Encrypt client by the OpenBSD project")
    (description "acme-client is a Let's Encrypt client implemented in C. It
uses a modular design, and attempts to secure itself by dropping privileges and
operating in a chroot where possible. acme-client is developed on OpenBSD and
then ported to the GNU / Linux environment.")
    ;; Most of the code is under the ISC license; the bundled 'jsmn.h' and
    ;; 'jsmn.c' are under the Expat license.
    (license (list license:isc license:expat))))
;; Upstream publishes two tarballs with different licenses; the "-apache" one
;; is the variant upstream prefers.  A "-gpl" variant also exists.
(define-public mbedtls-apache
  (package
    (name "mbedtls-apache")
    (version "2.16.1")
    (source
     (origin
       (method url-fetch)
       ;; XXX: The download links on the website are script redirection links
       ;; which effectively lead to the format listed in the uri here.
       (uri (string-append "https://tls.mbed.org/download/mbedtls-"
                           version "-apache.tgz"))
       (sha256
        (base32 "08zz88gcb2jmpfsgy5b6qc3li6l39yw1dbimd18aziyd889nvl7b"))))
    (build-system cmake-build-system)
    ;; Needed at build time only.
    (native-inputs
     `(("perl" ,perl)
       ("python" ,python)))
    ;; Ask CMake for shared libraries (presumably in addition to the static
    ;; ones it builds by default).
    (arguments
     '(#:configure-flags '("-DUSE_SHARED_MBEDTLS_LIBRARY=ON")))
    (home-page "https://tls.mbed.org")
    (synopsis "Small TLS library")
    (description
     "@code{mbed TLS}, formerly known as PolarSSL, makes it trivially easy
for developers to include cryptographic and SSL/TLS capabilities in their
(embedded) products, facilitating this functionality with a minimal
coding footprint.")
    (license license:asl2.0)))
;; The Hiawatha Web server requires some specific features to be enabled.
;; This is a hidden variant of mbedtls-apache: it is meant to be consumed as
;; an input by Hiawatha rather than installed by users.
(define-public mbedtls-for-hiawatha
  (hidden-package
   (package
     (inherit mbedtls-apache)
     (arguments
      ;; NOTE(review): no substitution clauses are given, so this appears to
      ;; just return the quasiquoted list below; plain quasiquote would do.
      (substitute-keyword-arguments
          `(#:phases
            (modify-phases %standard-phases
              ;; Enable the extra options in the mbed TLS configuration header
              ;; after CMake has configured the tree and before it is built.
              (add-after 'configure 'configure-extra-features
                (lambda _
                  (for-each (lambda (feature)
                              (invoke "scripts/config.pl" "set" feature))
                            (list "MBEDTLS_THREADING_C"
                                  "MBEDTLS_THREADING_PTHREAD"))
                  #t)))
            ;; Everything else (e.g. #:configure-flags) comes from the parent.
            ,@(package-arguments mbedtls-apache)))))))
(define-public dehydrated
  (package
    (name "dehydrated")
    (version "0.6.2")
    (source
     (origin
       (method url-fetch)
       (uri (string-append "https://github.com/lukas2511/dehydrated/"
                           "releases/download/v" version
                           "/dehydrated-" version ".tar.gz"))
       (sha256
        (base32 "03p80yj6bnzjc6dkp5hb9wpplmlrla8n5src71cnzw4rj53q8cqn"))))
    (build-system trivial-build-system)
    ;; Run-time dependencies of the script: bash is its interpreter, the rest
    ;; are put on PATH by the wrapper created in the builder below.
    (inputs
     `(("bash" ,bash)
       ("coreutils" ,coreutils)
       ("curl" ,curl)
       ("diffutils" ,diffutils)
       ("gawk" ,gawk)
       ("grep" ,grep)
       ("openssl" ,openssl)
       ("sed" ,sed)))
    ;; Only needed to unpack the release tarball.
    (native-inputs
     `(("gzip" ,gzip)
       ("tar" ,tar)))
    (arguments
     `(#:modules ((guix build utils))
       #:builder
       (begin
         (use-modules (guix build utils))
         (let* ((tarball  (assoc-ref %build-inputs "source"))
                (tar-bin  (string-append (assoc-ref %build-inputs "tar")
                                         "/bin/tar"))
                (gzip-bin (string-append (assoc-ref %build-inputs "gzip")
                                         "/bin"))
                (bash-bin (in-vicinity (assoc-ref %build-inputs "bash") "bin"))
                (out      (assoc-ref %outputs "out"))
                (bin      (string-append out "/bin"))
                (doc      (string-append out "/share/doc/" ,name "-" ,version)))
           ;; tar must be able to find gzip to decompress the tarball.
           (setenv "PATH" gzip-bin)
           (invoke tar-bin "xvf" tarball)
           (chdir (string-append ,name "-" ,version))
           (install-file "dehydrated" bin)
           (install-file "LICENSE" doc)
           (with-directory-excursion bin
             (patch-shebang "dehydrated" (list bash-bin))
             ;; By default the script keeps its state next to itself, which
             ;; would be the read-only store; keep it under $HOME instead.
             (substitute* "dehydrated"
               (("SCRIPTDIR=\"\\$.*\"") "SCRIPTDIR=~/.dehydrated"))
             ;; wrap-program presumably needs bash on PATH for the wrapper's
             ;; shebang.
             (setenv "PATH" bash-bin)
             ;; The inner quasiquote is evaluated on the build side, where
             ;; %build-inputs is bound.
             (wrap-program "dehydrated"
               `("PATH" ":" prefix
                 ,(map (lambda (input)
                         (string-append (assoc-ref %build-inputs input) "/bin"))
                       '("coreutils" "curl" "diffutils" "gawk" "grep"
                         "openssl" "sed")))))
           #t))))
    (home-page "https://dehydrated.io/")
    (synopsis "Let's Encrypt/ACME client implemented as a shell script")
    (description "Dehydrated is a client for signing certificates with an
ACME-server (currently only provided by Let's Encrypt) implemented as a
relatively simple Bash script.")
    (license license:expat)))