Merge remote-tracking branch 'origin/master' into wip-texlive
;;; GNU Guix --- Functional package management for GNU
;;; Copyright © 2012, 2013, 2014, 2015, 2016, 2017 Ludovic Courtès <ludo@gnu.org>
;;; Copyright © 2014, 2015, 2016, 2017, 2018 Mark H Weaver <mhw@netris.org>
;;; Copyright © 2014 Ian Denhardt <ian@zenhack.net>
;;; Copyright © 2013, 2015 Andreas Enge <andreas@enge.fr>
;;; Copyright © 2015 David Thompson <davet@gnu.org>
;;; Copyright © 2015, 2016, 2017, 2018, 2019 Leo Famulari <leo@famulari.name>
;;; Copyright © 2016, 2017, 2019 Efraim Flashner <efraim@flashner.co.il>
;;; Copyright © 2016, 2017, 2018 ng0 <ng0@n0.is>
;;; Copyright © 2016 Hartmut Goebel <h.goebel@crazy-compilers.com>
;;; Copyright © 2017 Ricardo Wurmus <rekado@elephly.net>
;;; Copyright © 2017, 2018 Marius Bakke <mbakke@fastmail.com>
;;; Copyright © 2017, 2018, 2019 Tobias Geerinckx-Rice <me@tobias.gr>
;;; Copyright © 2017 Rutger Helling <rhelling@mykolab.com>
;;; Copyright © 2018 Clément Lassieur <clement@lassieur.org>
;;;
;;; This file is part of GNU Guix.
;;;
;;; GNU Guix is free software; you can redistribute it and/or modify it
;;; under the terms of the GNU General Public License as published by
;;; the Free Software Foundation; either version 3 of the License, or (at
;;; your option) any later version.
;;;
;;; GNU Guix is distributed in the hope that it will be useful, but
;;; WITHOUT ANY WARRANTY; without even the implied warranty of
;;; MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
;;; GNU General Public License for more details.
;;;
;;; You should have received a copy of the GNU General Public License
;;; along with GNU Guix. If not, see <http://www.gnu.org/licenses/>.

(define-module (gnu packages tls)
  ;; Licenses are imported with the 'license:' prefix so that names such as
  ;; 'license:openssl' do not clash with the packages defined in this file.
  #:use-module ((guix licenses) #:prefix license:)
  #:use-module (guix packages)
  #:use-module (guix download)
  #:use-module (guix git-download)
  #:use-module (guix utils)
  ;; Build systems used by the packages of this module.
  #:use-module (guix build-system gnu)
  #:use-module (guix build-system go)
  #:use-module (guix build-system perl)
  #:use-module (guix build-system python)
  #:use-module (guix build-system cmake)
  #:use-module (guix build-system trivial)
  ;; Package modules providing inputs.  NOTE(review): keep this order as is;
  ;; when two modules export the same name, which binding wins may depend on
  ;; the import order.
  #:use-module (gnu packages compression)
  #:use-module (gnu packages)
  #:use-module (gnu packages bash)
  #:use-module (gnu packages check)
  #:use-module (gnu packages curl)
  #:use-module (gnu packages dns)
  #:use-module (gnu packages gawk)
  #:use-module (gnu packages guile)
  #:use-module (gnu packages libbsd)
  #:use-module (gnu packages libffi)
  #:use-module (gnu packages libidn)
  #:use-module (gnu packages linux)
  #:use-module (gnu packages ncurses)
  #:use-module (gnu packages nettle)
  #:use-module (gnu packages perl)
  #:use-module (gnu packages pkg-config)
  #:use-module (gnu packages python)
  #:use-module (gnu packages python-crypto)
  #:use-module (gnu packages python-web)
  #:use-module (gnu packages python-xyz)
  #:use-module (gnu packages sphinx)
  #:use-module (gnu packages texinfo)
  #:use-module (gnu packages time)
  #:use-module (gnu packages base)
  ;; For 'alist-delete', used by gnutls/guile-2.0 below.
  #:use-module (srfi srfi-1))
(define-public libtasn1
  ;; ASN.1 encoder/decoder; it is an input of p11-kit and a propagated input
  ;; of gnutls further down in this file.
  (package
    (name "libtasn1")
    (version "4.13")
    (source (origin
              (method url-fetch)
              (uri (string-append "mirror://gnu/libtasn1/libtasn1-"
                                  version ".tar.gz"))
              (sha256
               (base32
                "1jlc1iahj8k3haz28j55nzg7sgni5h41vqy461i1bpbx6668wlky"))))
    (build-system gnu-build-system)
    ;; Only the shared library is built; no static archive is installed.
    (arguments '(#:configure-flags '("--disable-static")))
    (native-inputs (list (list "perl" perl)))
    (synopsis "ASN.1 library")
    (description
     "GNU libtasn1 is a library implementing the ASN.1 notation. It is used
for transmitting machine-neutral encodings of data objects in computer
networking, allowing for formal validation of data according to some
specifications.")
    (home-page "https://www.gnu.org/software/libtasn1/")
    (license license:lgpl2.0+)))
(define-public asn1c
  ;; Compiler from ASN.1 module definitions to C; only perl is needed at
  ;; build time.
  (package
    (name "asn1c")
    (version "0.9.28")
    (source (origin
              (method url-fetch)
              (uri (string-append "https://lionet.info/soft/asn1c-"
                                  version ".tar.gz"))
              (sha256
               (base32
                "1fc64g45ykmv73kdndr4zdm4wxhimhrir4rxnygxvwkych5l81w0"))))
    (build-system gnu-build-system)
    (native-inputs (list (list "perl" perl)))
    (synopsis "ASN.1 to C compiler")
    (description "The ASN.1 to C compiler takes ASN.1 module
files and generates C++ compatible C source code. That code can be
used to serialize the native C structures into compact and unambiguous
BER/XER/PER-based data files, and deserialize the files back.

Various ASN.1 based formats are widely used in the industry, such as to encode
the X.509 certificates employed in the HTTPS handshake, to exchange control
data between mobile phones and cellular networks, to car-to-car communication
in intelligent transportation networks.")
    (home-page "https://lionet.info/asn1c")
    (license license:bsd-2)))
(define-public p11-kit
  (package
    (name "p11-kit")
    (version "0.23.15")
    (source (origin
              (method url-fetch)
              (uri (string-append "https://github.com/p11-glue/p11-kit/releases/"
                                  "download/" version "/p11-kit-" version ".tar.gz"))
              (patches (search-patches "p11-kit-jks-timestamps.patch"))
              (sha256
               (base32
                "166pwj00cffv4qq4dvx0k53zka0b0r1fa0whc49007vsqyh3khgp"))))
    (build-system gnu-build-system)
    (arguments
     `(;; Do not compile in any default trust-store paths: none of the usual
       ;; locations exist in the build container.
       #:configure-flags '("--without-trust-paths")
       #:phases (modify-phases %standard-phases
                  (add-before 'check 'prepare-tests
                    (lambda _
                      ;; "test-runtime" expects XDG_RUNTIME_DIR to be set up
                      ;; and looks for .cache and other directories (only).
                      ;; For simplicity just drop it since it is irrelevant
                      ;; in the build container.
                      (substitute* "Makefile"
                        (("test-runtime\\$\\(EXEEXT\\)") ""))
                      #t)))))
    (native-inputs `(("pkg-config" ,pkg-config)))
    (inputs `(("libffi" ,libffi)
              ("libtasn1" ,libtasn1)))
    (synopsis "PKCS#11 library")
    (description
     "p11-kit provides a way to load and enumerate PKCS#11 modules. It
provides a standard configuration setup for installing PKCS#11 modules
in such a way that they are discoverable. It also solves problems with
coordinating the use of PKCS#11 by different components or libraries
living in the same process.")
    (home-page "https://p11-glue.freedesktop.org/p11-kit.html")
    (license license:bsd-3)))
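(define-public gnutls
  (package
    (name "gnutls")
    (version "3.6.5")
    (source (origin
             (method url-fetch)
             (uri
              ;; Note: Releases are no longer on ftp.gnu.org since the
              ;; schism (after version 3.1.5).
              (string-append "mirror://gnupg/gnutls/v"
                             (version-major+minor version)
                             "/gnutls-" version ".tar.xz"))
             ;; Presumably skips the test that needs a populated system trust
             ;; store, which the build container does not have.
             (patches (search-patches "gnutls-skip-trust-store-test.patch"))
             (sha256
              (base32
               "0ddvg97dyrh8dkffv1mdc0knxx5my3qdbzv97s4a6jggmk9wwgh7"))
             (modules '((guix build utils)))
             (snippet
              '(begin
                 ;; XXX: The generated configure script in GnuTLS 3.6.5
                 ;; apparently does not know about Guile 2.2.
                 (substitute* "configure"
                   (("guile_versions_to_search=\"2\\.0 1\\.8\"")
                    "guile_versions_to_search=\"2.2 2.0 1.8\""))
                 #t))))
    (build-system gnu-build-system)
    (arguments
     `(; Ensure we don't keep a reference to this buggy software.
       ; (net-tools is a native input, i.e. needed at build time only.)
       #:disallowed-references (,net-tools)
       #:configure-flags
       (list
        ;; GnuTLS doesn't consult any environment variables to specify
        ;; the location of the system-wide trust store. Instead it has a
        ;; configure-time option. Unless specified, its configure script
        ;; attempts to auto-detect the location by looking for common
        ;; places in the file system, none of which are present in our
        ;; chroot build environment. If not found, then no default trust
        ;; store is used, so each program has to provide its own
        ;; fallback, and users have to configure each program
        ;; independently. This seems suboptimal.
        ;;
        ;; The directory below matches the "etc/ssl/certs" search path
        ;; declared on the openssl package further down, so both libraries
        ;; look at the same CA store.
        "--with-default-trust-store-dir=/etc/ssl/certs"

        ;; FIXME: Temporarily disable p11-kit support since it is not
        ;; working on mips64el.
        "--without-p11-kit")

       #:phases (modify-phases %standard-phases
                  (add-after
                   'install 'move-doc
                   (lambda* (#:key outputs #:allow-other-keys)
                     ;; Copy the 4.1 MiB of section 3 man pages to "doc".
                     (let* ((out (assoc-ref outputs "out"))
                            (doc (assoc-ref outputs "doc"))
                            (mandir (string-append doc "/share/man/man3"))
                            (oldman (string-append out "/share/man/man3")))
                       (mkdir-p mandir)
                       (copy-recursively oldman mandir)
                       (delete-file-recursively oldman)
                       #t))))))
    (outputs '("out" ;4.4 MiB
               "debug"
               "doc")) ;4.1 MiB of man pages
    (native-inputs
     `(("net-tools" ,net-tools)
       ("pkg-config" ,pkg-config)
       ("which" ,which)))
    (inputs
     `(("guile" ,guile-2.2)))
    (propagated-inputs
     ;; These are all in the 'Requires.private' field of gnutls.pc.
     `(("libtasn1" ,libtasn1)
       ("libidn2" ,libidn2)
       ("nettle" ,nettle)
       ("zlib" ,zlib)))
    (home-page "https://www.gnu.org/software/gnutls/")
    (synopsis "Transport layer security library")
    ;; Fixed: the description previously read "X.5009"; the certificate
    ;; format is X.509.
    (description
     "GnuTLS is a secure communications library implementing the SSL, TLS
and DTLS protocols. It is provided in the form of a C library to support the
protocols, as well as to parse and write X.509, PKCS 12, OpenPGP and other
required structures.")
    (license license:lgpl2.1+)
    (properties '((ftp-server . "ftp.gnutls.org")
                  (ftp-directory . "/gcrypt/gnutls")))))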
(define-public gnutls/guile-2.2
  ;; Deprecation alias: 'gnutls' itself is built against guile-2.2 (see its
  ;; inputs), so the former "guile2.2-gnutls" variant is just 'gnutls'.
  (deprecated-package "guile2.2-gnutls" gnutls))
(define-public gnutls/guile-2.0
  ;; GnuTLS for Guile 2.0.
  (package
    (inherit gnutls)
    (name "guile2.0-gnutls")
    ;; Replace the "guile" entry of gnutls' inputs with Guile 2.0; every
    ;; other input is carried over unchanged.
    (inputs (cons (list "guile" guile-2.0)
                  (alist-delete "guile" (package-inputs gnutls))))))
(define-public gnutls/dane
  ;; GnuTLS with build libgnutls-dane, implementing DNS-based
  ;; Authentication of Named Entities. This is required for GNS functionality
  ;; by GNUnet and gnURL. This is done in an extra package definition
  ;; to have the choice between GnuTLS with Dane and without Dane.
  (package
    (inherit gnutls)
    (name "gnutls-dane")
    ;; The only difference from 'gnutls' is the extra "unbound" input,
    ;; presumably the DNS resolver library libgnutls-dane is built against.
    (inputs (cons (list "unbound" unbound)
                  (package-inputs gnutls)))))
(define-public openssl
  (package
    (name "openssl")
    ;; Grafted security update: 'openssl/fixed' (defined below, carrying the
    ;; CVE-2019-1559 patch) is substituted into dependents without rebuilding
    ;; them.
    (replacement openssl/fixed)
    (version "1.0.2p")
    (source (origin
             (method url-fetch)
             ;; The ftp:// fallbacks are unauthenticated transports; the
             ;; integrity of whatever is downloaded rests on the sha256 below.
             (uri (list (string-append "https://www.openssl.org/source/openssl-"
                                       version ".tar.gz")
                        (string-append "ftp://ftp.openssl.org/source/"
                                       "openssl-" version ".tar.gz")
                        (string-append "ftp://ftp.openssl.org/source/old/"
                                       (string-trim-right version char-set:letter)
                                       "/openssl-" version ".tar.gz")))
             (sha256
              (base32
               "003xh9f898i56344vpvpxxxzmikivxig4xwlm7vbi7m8n43qxaah"))
             (patches (search-patches "openssl-runpath.patch"
                                      "openssl-c-rehash-in.patch"))))
    (build-system gnu-build-system)
    (outputs '("out"
               "doc"        ;1.5MiB of man3 pages
               "static"))   ;6MiB of .a files
    (native-inputs `(("perl" ,perl)))
    (arguments
     `(#:disallowed-references (,perl)
       #:parallel-build? #f
       #:parallel-tests? #f
       #:test-target "test"

       ;; Changes to OpenSSL sometimes cause Perl to "sneak in" to the closure,
       ;; so we explicitly disallow it here.
       ;; NOTE(review): #:disallowed-references is given twice in this list
       ;; (see the first entry above).  Only one of the two values can take
       ;; effect, and which one depends on how duplicate keyword arguments are
       ;; bound on the build side; merging them into a single entry would
       ;; remove the ambiguity -- verify before changing.
       #:disallowed-references ,(list (canonical-package perl))
       #:phases
       (modify-phases %standard-phases
         (add-before
          'configure 'patch-Makefile.org
          (lambda* (#:key outputs #:allow-other-keys)
            ;; The default MANDIR is some unusual place. Fix that.
            (let ((out (assoc-ref outputs "out")))
              (patch-makefile-SHELL "Makefile.org")
              (substitute* "Makefile.org"
                (("^MANDIR[[:blank:]]*=.*$")
                 (string-append "MANDIR = " out "/share/man\n")))
              #t)))
         (replace
          'configure
          (lambda* (#:key outputs #:allow-other-keys)
            (let ((out (assoc-ref outputs "out")))
              (invoke "./config"
                      "shared"                   ;build shared libraries
                      "--libdir=lib"

                      ;; The default for this catch-all directory is
                      ;; PREFIX/ssl. Change that to something more
                      ;; conventional.
                      (string-append "--openssldir=" out
                                     "/share/openssl-" ,version)

                      (string-append "--prefix=" out)))))
         (add-after
          'install 'make-libraries-writable
          (lambda* (#:key outputs #:allow-other-keys)
            ;; Make libraries writable so that 'strip' does its job.
            (let ((out (assoc-ref outputs "out")))
              (for-each (lambda (file)
                          (chmod file #o644))
                        (find-files (string-append out "/lib")
                                    "\\.so"))
              #t)))
         (add-after 'install 'move-static-libraries
           (lambda* (#:key outputs #:allow-other-keys)
             ;; Move static libraries to the "static" output.
             (let* ((out (assoc-ref outputs "out"))
                    (lib (string-append out "/lib"))
                    (static (assoc-ref outputs "static"))
                    (slib (string-append static "/lib")))
               (for-each (lambda (file)
                           (install-file file slib)
                           (delete-file file))
                         (find-files lib "\\.a$"))
               #t)))
         (add-after 'install 'move-man3-pages
           (lambda* (#:key outputs #:allow-other-keys)
             ;; Move section 3 man pages to "doc".
             (let* ((out (assoc-ref outputs "out"))
                    (man3 (string-append out "/share/man/man3"))
                    (doc (assoc-ref outputs "doc"))
                    (target (string-append doc "/share/man/man3")))
               (mkdir-p target)
               (for-each (lambda (file)
                           (rename-file file
                                        (string-append target "/"
                                                       (basename file))))
                         (find-files man3))
               (delete-file-recursively man3)
               #t)))
         (add-before
          'patch-source-shebangs 'patch-tests
          (lambda* (#:key inputs native-inputs #:allow-other-keys)
            ;; 'native-inputs' is consulted first, presumably so that the
            ;; build-side shell is used when cross-compiling -- TODO confirm.
            (let ((bash (assoc-ref (or native-inputs inputs) "bash")))
              (substitute* (find-files "test" ".*")
                (("/bin/sh")
                 (string-append bash "/bin/sh"))
                (("/bin/rm")
                 "rm"))
              #t)))
         (add-after
          'install 'remove-miscellany
          (lambda* (#:key outputs #:allow-other-keys)
            ;; The 'misc' directory contains random undocumented shell and Perl
            ;; scripts. Remove them to avoid retaining a reference on Perl.
            (let ((out (assoc-ref outputs "out")))
              (delete-file-recursively (string-append out "/share/openssl-"
                                                      ,version "/misc"))
              #t))))))
    (native-search-paths
     ;; Both variables designate exactly one directory or file, hence
     ;; '(separator #f)'.
     (list (search-path-specification
            (variable "SSL_CERT_DIR")
            (separator #f)              ;single entry
            (files '("etc/ssl/certs")))
           (search-path-specification
            (variable "SSL_CERT_FILE")
            (file-type 'regular)
            (separator #f)              ;single entry
            (files '("etc/ssl/certs/ca-certificates.crt")))))
    (synopsis "SSL/TLS implementation")
    (description
     "OpenSSL is an implementation of SSL/TLS.")
    (license license:openssl)
    (home-page "https://www.openssl.org/")))
(define-public openssl/fixed
  ;; Replacement for 'openssl' (see its 'replacement' field): the same
  ;; source with the CVE-2019-1559 patch appended.  Hidden so that users only
  ;; ever see 'openssl'.
  (let ((base-source (package-source openssl)))
    (hidden-package
     (package
       (inherit openssl)
       (source
        (origin
          (inherit base-source)
          (patches
           (append (origin-patches base-source)
                   (search-patches "openssl-CVE-2019-1559.patch")))))))))
(define-public openssl-next
  ;; OpenSSL 1.1.x, derived from the 1.0.2 definition above.
  ;; NOTE(review): 'inherit' copies every field of 'openssl', including its
  ;; 'replacement' (the 1.0.2p-based 'openssl/fixed').  Unless the grafting
  ;; code ignores it, this 1.1.1c package would be grafted with a 1.0.2
  ;; library; adding '(replacement #f)' here would rule that out -- verify.
  (package
    (inherit openssl)
    (name "openssl")
    (version "1.1.1c")
    (source (origin
             (method url-fetch)
             (uri (list (string-append "https://www.openssl.org/source/openssl-"
                                       version ".tar.gz")
                        (string-append "ftp://ftp.openssl.org/source/"
                                       "openssl-" version ".tar.gz")
                        (string-append "ftp://ftp.openssl.org/source/old/"
                                       (string-trim-right version char-set:letter)
                                       "/openssl-" version ".tar.gz")))
             (patches (search-patches "openssl-1.1-c-rehash-in.patch"))
             (sha256
              (base32
               "142c7zdlz06hjrrvinb9f276czc78bnkyhd9xma621qmmmwk1yzn"))))
    (outputs '("out"
               "doc"        ; 6.8 MiB of man3 pages and full HTML documentation
               "static"))   ; 6.4 MiB of .a files
    (arguments
     ;; Keep every keyword argument of 'openssl' and only rework the phases.
     (substitute-keyword-arguments (package-arguments openssl)
       ((#:phases phases)
        `(modify-phases ,phases
           (delete 'patch-tests)          ; These two phases are not needed by
           (delete 'patch-Makefile.org)   ; OpenSSL 1.1.

           ;; Override configure phase since -rpath is now a configure option.
           (replace 'configure
             (lambda* (#:key outputs #:allow-other-keys)
               (let* ((out (assoc-ref outputs "out"))
                      (lib (string-append out "/lib")))
                 ;; It's not a shebang so patch-source-shebangs misses it.
                 ;; ("coreutils" is an implicit input of gnu-build-system.)
                 (substitute* "config"
                   (("/usr/bin/env")
                    (string-append (assoc-ref %build-inputs "coreutils")
                                   "/bin/env")))
                 (invoke "./config"
                         "shared"                   ;build shared libraries
                         "--libdir=lib"

                         ;; The default for this catch-all directory is
                         ;; PREFIX/ssl. Change that to something more
                         ;; conventional.
                         (string-append "--openssldir=" out
                                        "/share/openssl-" ,version)

                         (string-append "--prefix=" out)
                         ;; Embed the library directory as RUNPATH so the
                         ;; installed binaries find their own libssl/libcrypto.
                         (string-append "-Wl,-rpath," lib)))))

           (delete 'move-man3-pages)
           (add-after 'install 'move-extra-documentation
             (lambda* (#:key outputs #:allow-other-keys)
               ;; Move man3 pages and full HTML documentation to "doc".
               (let* ((out (assoc-ref outputs "out"))
                      (man3 (string-append out "/share/man/man3"))
                      (html (string-append out "/share/doc/openssl"))
                      (doc (assoc-ref outputs "doc"))
                      (man-target (string-append doc "/share/man/man3"))
                      (html-target (string-append doc "/share/doc/openssl")))
                 (copy-recursively man3 man-target)
                 (delete-file-recursively man3)
                 (copy-recursively html html-target)
                 (delete-file-recursively html)
                 #t)))
           ;; XXX: Duplicate this phase to make sure 'version' evaluates
           ;; in the current scope and not the inherited one.
           (replace 'remove-miscellany
             (lambda* (#:key outputs #:allow-other-keys)
               ;; The 'misc' directory contains random undocumented shell and Perl
               ;; scripts. Remove them to avoid retaining a reference on Perl.
               (let ((out (assoc-ref outputs "out")))
                 (delete-file-recursively (string-append out "/share/openssl-"
                                                         ,version "/misc"))
                 #t)))))))))
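(define-public libressl
  (package
    (name "libressl")
    (version "2.7.4")
    (source (origin
              (method url-fetch)
              (uri (string-append "mirror://openbsd/LibreSSL/"
                                  name "-" version ".tar.gz"))
              (sha256
               (base32
                "19kxa5i97q7p6rrps9qm0nd8zqhdjvzx02j72400c73cl2nryfhy"))))
    (build-system gnu-build-system)
    (arguments
     ;; Do as if 'getentropy' was missing since older Linux kernels lack it
     ;; and libc would return ENOSYS, which is not properly handled.
     ;; See <https://lists.gnu.org/archive/html/guix-devel/2017-04/msg00235.html>.
     '(#:configure-flags '("ac_cv_func_getentropy=no"
                           ;; Provide a TLS-enabled netcat.
                           "--enable-nc")))
    (native-search-paths
     ;; SSL_CERT_DIR and SSL_CERT_FILE each designate a single directory or
     ;; file, not a search path, so they are declared with '(separator #f)'
     ;; exactly like on the 'openssl' package above; SSL_CERT_FILE must in
     ;; addition resolve to a regular file.  Previously both were declared
     ;; as plain search paths and only worked because a profile happened to
     ;; contain a single match.
     (list (search-path-specification
            (variable "SSL_CERT_DIR")
            (separator #f)              ;single entry
            (files '("etc/ssl/certs")))
           (search-path-specification
            (variable "SSL_CERT_FILE")
            (file-type 'regular)
            (separator #f)              ;single entry
            (files '("etc/ssl/certs/ca-certificates.crt")))))
    (home-page "https://www.libressl.org/")
    (synopsis "SSL/TLS implementation")
    (description "LibreSSL is a version of the TLS/crypto stack, forked from
OpenSSL in 2014 with the goals of modernizing the codebase, improving security,
and applying best practice development processes. This package also includes a
netcat implementation that supports TLS.")
    ;; Files taken from OpenSSL keep their license, others are under various
    ;; non-copyleft licenses.
    (license (list license:openssl
                   (license:non-copyleft
                    "file://COPYING"
                    "See COPYING in the distribution.")))))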
(define-public python-acme
  ;; Python implementation of the ACME protocol; 'certbot' below inherits
  ;; its version and build arguments.
  (package
    (name "python-acme")
    ;; Remember to update the hash of certbot when updating python-acme.
    (version "0.35.1")
    (source (origin
              (method url-fetch)
              (uri (pypi-uri "acme" version))
              (sha256
               (base32
                "08y4ankn0di34c9d1c3pqd9by9n0ckzz7b5ld1g0fx6c32sbi259"))))
    (build-system python-build-system)
    (arguments
     '(#:phases
       (modify-phases %standard-phases
         ;; The man and Info pages are generated from the Sphinx sources;
         ;; see the "For documentation" native inputs below.
         (add-after 'build 'build-documentation
           (lambda _
             (invoke "make" "-C" "docs" "man" "info")))
         (add-after 'install 'install-documentation
           (lambda* (#:key outputs #:allow-other-keys)
             (let* ((out (assoc-ref outputs "out"))
                    (man (string-append out "/share/man/man1"))
                    (info (string-append out "/info")))
               (install-file "docs/_build/texinfo/acme-python.info" info)
               (install-file "docs/_build/man/acme-python.1" man)
               #t))))))
    ;; TODO: Add optional inputs for testing.
    (native-inputs
     `(("python-mock" ,python-mock)
       ("python-pytest" ,python-pytest)
       ;; For documentation
       ("python-sphinx" ,python-sphinx)
       ("python-sphinxcontrib-programoutput" ,python-sphinxcontrib-programoutput)
       ("python-sphinx-rtd-theme" ,python-sphinx-rtd-theme)
       ("texinfo" ,texinfo)))
    (propagated-inputs
     `(("python-josepy" ,python-josepy)
       ("python-six" ,python-six)
       ("python-requests" ,python-requests)
       ("python-requests-toolbelt" ,python-requests-toolbelt)
       ("python-pytz" ,python-pytz)
       ("python-pyrfc3339" ,python-pyrfc3339)
       ("python-pyasn1" ,python-pyasn1)
       ("python-cryptography" ,python-cryptography)
       ("python-pyopenssl" ,python-pyopenssl)))
    (synopsis "ACME protocol implementation in Python")
    (description "ACME protocol implementation in Python")
    (license license:asl2.0)
    (home-page "https://github.com/certbot/certbot")))
(define-public certbot
  (package
    (name "certbot")
    ;; Certbot and python-acme are developed in the same repository, and their
    ;; versions should remain synchronized.
    (version (package-version python-acme))
    (source (origin
             (method url-fetch)
             (uri (pypi-uri name version))
             (sha256
              (base32
               "0q0855qvsvs4mgglss5iim7f1p22rv4rn1n6j731vv869v0yrs6p"))))
    (build-system python-build-system)
    (arguments
     ;; Reuse python-acme's arguments, including its 'build-documentation'
     ;; phase, and only swap the phase installing the built documentation:
     ;; certbot additionally ships a section 7 man page.
     `(,@(substitute-keyword-arguments (package-arguments python-acme)
         ((#:phases phases)
          `(modify-phases ,phases
             (replace 'install-documentation
               (lambda* (#:key outputs #:allow-other-keys)
                 (let* ((out (assoc-ref outputs "out"))
                        (man1 (string-append out "/share/man/man1"))
                        (man7 (string-append out "/share/man/man7"))
                        (info (string-append out "/info")))
                   (install-file "docs/_build/texinfo/Certbot.info" info)
                   (install-file "docs/_build/man/certbot.1" man1)
                   (install-file "docs/_build/man/certbot.7" man7)
                   #t))))))))
    ;; TODO: Add optional inputs for testing.
    (native-inputs
     `(("python-mock" ,python-mock)
       ("python-pytest" ,python-pytest)
       ;; For documentation
       ("python-sphinx" ,python-sphinx)
       ("python-sphinx-rtd-theme" ,python-sphinx-rtd-theme)
       ("python-sphinx-repoze-autointerface" ,python-sphinx-repoze-autointerface)
       ("python-sphinxcontrib-programoutput" ,python-sphinxcontrib-programoutput)
       ("texinfo" ,texinfo)))
    (propagated-inputs
     `(("python-acme" ,python-acme)
       ("python-cryptography" ,python-cryptography)
       ("python-zope-interface" ,python-zope-interface)
       ("python-pyrfc3339" ,python-pyrfc3339)
       ("python-pyopenssl" ,python-pyopenssl)
       ("python-configobj" ,python-configobj)
       ("python-configargparse" ,python-configargparse)
       ("python-zope-component" ,python-zope-component)
       ("python-parsedatetime" ,python-parsedatetime)
       ("python-six" ,python-six)
       ("python-psutil" ,python-psutil)
       ("python-requests" ,python-requests)
       ("python-pytz" ,python-pytz)))
    (synopsis "Let's Encrypt client by the Electronic Frontier Foundation")
    (description "Certbot automatically receives and installs X.509 certificates
to enable Transport Layer Security (TLS) on servers. It interoperates with the
Let’s Encrypt certificate authority (CA), which issues browser-trusted
certificates for free.")
    (home-page "https://certbot.eff.org/")
    (license license:asl2.0)))
(define-public letsencrypt
  ;; Old name of the client, kept as an alias marked superseded by 'certbot'.
  (package
    (inherit certbot)
    (name "letsencrypt")
    (properties (list (cons 'superseded certbot)))))
(define-public perl-net-ssleay
  (package
    (name "perl-net-ssleay")
    (version "1.88")
    (source (origin
              (method url-fetch)
              (uri (string-append "mirror://cpan/authors/id/C/CH/CHRISN/"
                                  "Net-SSLeay-" version ".tar.gz"))
              (sha256
               (base32
                "1pfgh4h3szcpvqlcimc60pjbk9zwls99x5863sva0wc47i4dl010"))))
    (build-system perl-build-system)
    (arguments
     '(#:phases
       (modify-phases %standard-phases
         ;; Point the build at our "openssl" input through OPENSSL_PREFIX
         ;; instead of letting it locate OpenSSL on its own.
         (add-before 'configure 'set-ssl-prefix
           (lambda* (#:key inputs #:allow-other-keys)
             (setenv "OPENSSL_PREFIX" (assoc-ref inputs "openssl"))
             #t)))))
    (inputs (list (list "openssl" openssl)))
    (home-page "https://metacpan.org/release/Net-SSLeay")
    (synopsis "Perl extension for using OpenSSL")
    (description
     "This module offers some high level convenience functions for accessing
web pages on SSL servers (for symmetry, the same API is offered for accessing
http servers, too), an sslcat() function for writing your own clients, and
finally access to the SSL api of the SSLeay/OpenSSL package so you can write
servers or clients for more complicated applications.")
    (license license:perl-license)))
(define-public perl-crypt-openssl-rsa
  (package
    (name "perl-crypt-openssl-rsa")
    (version "0.31")
    (source (origin
              (method url-fetch)
              (uri (string-append "mirror://cpan/authors/id/T/TO/TODDR/"
                                  "Crypt-OpenSSL-RSA-" version ".tar.gz"))
              (sha256
               (base32
                "0djl5i6kibl7862b6ih29q8dhg5zpwzq77q9j8hp6xngshx40ws1"))))
    (build-system perl-build-system)
    ;; Shared Makefile.PL fix-up linking against our OpenSSL's libcrypto;
    ;; defined further down in this file.
    (arguments perl-crypt-arguments)
    (native-inputs
     `(("perl-crypt-openssl-guess" ,perl-crypt-openssl-guess)))
    (inputs
     `(("perl-crypt-openssl-bignum" ,perl-crypt-openssl-bignum)
       ("perl-crypt-openssl-random" ,perl-crypt-openssl-random)
       ("openssl" ,openssl)))
    (synopsis "RSA encoding and decoding, using the openSSL libraries")
    (description "Crypt::OpenSSL::RSA does RSA encoding and decoding (using the
OpenSSL libraries).")
    (home-page "https://metacpan.org/release/Crypt-OpenSSL-RSA")
    (license license:perl-license)))
;; Build arguments shared by perl-crypt-openssl-rsa, -bignum and -random:
;; rewrite the 'LIBS' setting of Makefile.PL so the XS code links against the
;; libcrypto of the "openssl" input rather than whatever Makefile.PL defaults
;; to.  The packages above reference this variable before it is defined; that
;; works because a package's 'arguments' field is thunked, i.e. evaluated
;; when the package is used.
(define perl-crypt-arguments
  `(#:phases (modify-phases %standard-phases
               (add-before 'configure 'patch-Makefile.PL
                 (lambda* (#:key inputs #:allow-other-keys)
                   (substitute* "Makefile.PL"
                     (("'LIBS'.*=>.*") (string-append "'LIBS' => ['-L"
                                                      (assoc-ref inputs "openssl")
                                                      "/lib -lcrypto'],")))
                   #t)))))
(define-public perl-crypt-openssl-bignum
  (package
    (name "perl-crypt-openssl-bignum")
    (version "0.09")
    (source (origin
              (method url-fetch)
              (uri (string-append "mirror://cpan/authors/id/K/KM/KMX/"
                                  "Crypt-OpenSSL-Bignum-" version ".tar.gz"))
              (sha256
               (base32
                "1p22znbajq91lbk2k3yg12ig7hy5b4vy8igxwqkmbm4nhgxp4ki3"))))
    (build-system perl-build-system)
    ;; Link against the libcrypto of our "openssl" input (see
    ;; 'perl-crypt-arguments').
    (arguments perl-crypt-arguments)
    (inputs (list (list "openssl" openssl)))
    (synopsis "OpenSSL's multiprecision integer arithmetic in Perl")
    (description "Crypt::OpenSSL::Bignum provides multiprecision integer
arithmetic in Perl.")
    (home-page "https://metacpan.org/release/Crypt-OpenSSL-Bignum")
    ;; At your option either gpl1+ or the Artistic License
    (license license:perl-license)))
(define-public perl-crypt-openssl-guess
  ;; Build-time helper only: used as a native input by perl-crypt-openssl-rsa
  ;; and perl-crypt-openssl-random.
  (package
    (name "perl-crypt-openssl-guess")
    (version "0.11")
    (source (origin
              (method url-fetch)
              (uri (string-append "mirror://cpan/authors/id/A/AK/AKIYM/"
                                  "Crypt-OpenSSL-Guess-" version ".tar.gz"))
              (sha256
               (base32
                "0rvi9l4ljcbhwwvspq019nfq2h2v746dk355h2nwnlmqikiihsxa"))))
    (build-system perl-build-system)
    (synopsis "Guess the OpenSSL include path")
    (description
     "The Crypt::OpenSSL::Guess Perl module provides helpers to guess the
correct OpenSSL include path. It is intended for use in your
@file{Makefile.PL}.")
    (home-page "https://metacpan.org/release/Crypt-OpenSSL-Guess")
    (license license:perl-license)))
(define-public perl-crypt-openssl-random
  (package
    (name "perl-crypt-openssl-random")
    (version "0.15")
    (source (origin
              (method url-fetch)
              (uri (string-append "mirror://cpan/authors/id/R/RU/RURBAN/"
                                  "Crypt-OpenSSL-Random-" version ".tar.gz"))
              (sha256
               (base32
                "1x6ffps8q7mnawmcfq740llzy7i10g3319vap0wiw4d33fm6z1zh"))))
    (build-system perl-build-system)
    ;; Link against the libcrypto of our "openssl" input (see
    ;; 'perl-crypt-arguments').
    (arguments perl-crypt-arguments)
    (native-inputs
     `(("perl-crypt-openssl-guess" ,perl-crypt-openssl-guess)))
    (inputs (list (list "openssl" openssl)))
    (synopsis "OpenSSL/LibreSSL pseudo-random number generator access")
    (description "Crypt::OpenSSL::Random is a OpenSSL/LibreSSL pseudo-random
number generator")
    (home-page "https://metacpan.org/release/Crypt-OpenSSL-Random")
    (license license:perl-license)))
790
(define-public acme-client
  (package
    (name "acme-client")
    (version "0.1.16")
    (source (origin
              (method url-fetch)
              (uri (string-append "https://kristaps.bsd.lv/" name "/snapshots/"
                                  name "-portable-" version ".tgz"))
              (sha256
               (base32
                "00q05b3b1dfnfp7sr1nbd212n0mqrycl3cr9lbs51m7ncaihbrz9"))))
    (build-system gnu-build-system)
    (arguments
     '(#:tests? #f                      ; no test suite
       #:make-flags
       (list "CC=gcc"
             (string-append "PREFIX=" (assoc-ref %outputs "out")))
       #:phases
       (modify-phases %standard-phases
         (delete 'configure)            ; no './configure' script
         (add-after 'unpack 'patch-paths
           ;; http.c hard-codes the CA bundle as /etc/ssl/cert.pem.  Point it
           ;; at the bundle shipped by the libressl input instead, so that the
           ;; certificate verification done from http.c (presumably of the
           ;; ACME server) relies on a store path rather than on whatever the
           ;; host has under /etc/ssl.
           (lambda* (#:key inputs #:allow-other-keys)
             (substitute* "http.c"
               (("/etc/ssl/cert.pem")
                (string-append (assoc-ref inputs "libressl")
                               "/etc/ssl/cert.pem")))
             #t)))))
    (native-inputs
     `(("pkg-config" ,pkg-config)))
    ;; LibreSSL, not OpenSSL, is the TLS backend for this package.
    (inputs
     `(("libbsd" ,libbsd)
       ("libressl" ,libressl)))
    (synopsis "Let's Encrypt client by the OpenBSD project")
    (description "acme-client is a Let's Encrypt client implemented in C. It
uses a modular design, and attempts to secure itself by dropping privileges and
operating in a chroot where possible. acme-client is developed on OpenBSD and
then ported to the GNU / Linux environment.")
    (home-page "https://kristaps.bsd.lv/acme-client/")
    ;; acme-client is distributed under the ISC license, but the files 'jsmn.h'
    ;; and 'jsmn.c' are distributed under the Expat license.
    (license (list license:isc license:expat))))
88522738 833
;; The "-apache" variant is the one preferred upstream.  A "-gpl" variant
;; exists in addition to the "-apache" one.
(define-public mbedtls-apache
  (package
    (name "mbedtls-apache")
    (version "2.16.2")
    (source (origin
              (method url-fetch)
              ;; XXX: The download links on the website are script redirection
              ;; links which effectively lead to the format used here.
              (uri (string-append "https://tls.mbed.org/download/mbedtls-"
                                  version "-apache.tgz"))
              (sha256
               (base32
                "1906hbwlkq32075hca4vjad03dcc36aycvmaz8yvhr3ygg6lz0x6"))))
    (build-system cmake-build-system)
    (native-inputs
     `(("perl" ,perl)
       ("python" ,python)))
    (arguments
     ;; Ask the CMake build for a shared mbed TLS library.
     `(#:configure-flags
       (list "-DUSE_SHARED_MBEDTLS_LIBRARY=ON")))
    (home-page "https://tls.mbed.org")
    (synopsis "Small TLS library")
    (description
     "@code{mbed TLS}, formerly known as PolarSSL, makes it trivially easy
for developers to include cryptographic and SSL/TLS capabilities in their
(embedded) products, facilitating this functionality with a minimal
coding footprint.")
    (license license:asl2.0)))
587d1752 865
866;; The Hiawatha Web server requires some specific features to be enabled.
(define-public mbedtls-for-hiawatha
  ;; Variant of mbedtls-apache with the threading abstraction enabled.
  ;; 'hidden-package' marks it as hidden from user-facing package listings, so
  ;; only the Hiawatha package is expected to refer to it.
  (hidden-package
   (package
     (inherit mbedtls-apache)
     (arguments
      ;; No substitution clauses are given, so this form appears to be a
      ;; pass-through: the new #:phases entry is simply prepended to
      ;; mbedtls-apache's own arguments (which carry only #:configure-flags
      ;; and no #:phases of their own).
      (substitute-keyword-arguments
        `(#:phases
          (modify-phases %standard-phases
            (add-after 'configure 'configure-extra-features
              ;; Turn on the pthread-based threading layer in mbed TLS's
              ;; compile-time configuration through upstream's config.pl.
              ;; NOTE(review): this runs after 'configure; if cmake-build-system
              ;; has moved into an out-of-source build directory by then, the
              ;; relative path "scripts/config.pl" would not resolve -- confirm
              ;; the phase really finds the script.
              (lambda _
                (for-each (lambda (feature)
                            (invoke "scripts/config.pl" "set" feature))
                          (list "MBEDTLS_THREADING_C"
                                "MBEDTLS_THREADING_PTHREAD"))
                #t)))
          ,@(package-arguments mbedtls-apache)))))))
883
(define-public dehydrated
  (package
    (name "dehydrated")
    (version "0.6.2")
    (source (origin
              (method url-fetch)
              (uri (string-append
                    "https://github.com/lukas2511/dehydrated/releases/download/"
                    "v" version "/dehydrated-" version ".tar.gz"))
              (sha256
               (base32
                "03p80yj6bnzjc6dkp5hb9wpplmlrla8n5src71cnzw4rj53q8cqn"))))
    (build-system trivial-build-system)
    (arguments
     `(#:modules ((guix build utils))
       #:builder
       (begin
         (use-modules (guix build utils))
         (let* ((tarball  (assoc-ref %build-inputs "source"))
                (tar-bin  (string-append (assoc-ref %build-inputs "tar")
                                         "/bin/tar"))
                (gzip-bin (string-append (assoc-ref %build-inputs "gzip")
                                         "/bin"))
                (bash-bin (in-vicinity (assoc-ref %build-inputs "bash") "bin"))
                (out      (assoc-ref %outputs "out"))
                (bin      (string-append out "/bin"))
                (doc      (string-append out "/share/doc/" ,name "-" ,version))
                ;; Map an input label to that input's bin/ directory.
                (input-bin-dir
                 (lambda (input)
                   (string-append (assoc-ref %build-inputs input) "/bin"))))
           ;; tar needs gzip on PATH to unpack the .tar.gz.
           (setenv "PATH" gzip-bin)
           (invoke tar-bin "xvf" tarball)
           (chdir (string-append ,name "-" ,version))

           (install-file "dehydrated" bin)
           (install-file "LICENSE" doc)
           (with-directory-excursion bin
             (patch-shebang "dehydrated" (list bash-bin))

             ;; The script would otherwise keep its state next to itself,
             ;; i.e. in the read-only store; use a per-user directory instead.
             (substitute* "dehydrated"
               (("SCRIPTDIR=\"\\$.*\"") "SCRIPTDIR=~/.dehydrated"))

             ;; Make bash findable for 'wrap-program', then pin the tools the
             ;; script shells out to (openssl, curl, ...) to the store inputs
             ;; by prefixing PATH, rather than trusting the caller's PATH.
             (setenv "PATH" bash-bin)
             (wrap-program "dehydrated"
               `("PATH" ":" prefix
                 ,(map input-bin-dir
                       '("coreutils"
                         "curl"
                         "diffutils"
                         "gawk"
                         "grep"
                         "openssl"
                         "sed")))))
           #t))))
    (inputs
     `(("bash" ,bash)
       ("coreutils" ,coreutils)
       ("curl" ,curl)
       ("diffutils" ,diffutils)
       ("gawk" ,gawk)
       ("grep" ,grep)
       ("openssl" ,openssl)
       ("sed" ,sed)))
    (native-inputs
     `(("gzip" ,gzip)
       ("tar" ,tar)))
    (home-page "https://dehydrated.io/")
    (synopsis "Let's Encrypt/ACME client implemented as a shell script")
    (description "Dehydrated is a client for signing certificates with an
ACME-server (currently only provided by Let's Encrypt) implemented as a
relatively simple Bash script.")
    (license license:expat)))
956
(define-public go-github-com-certifi-gocertifi
  (let ((revision "0")
        (commit "d2eda712971317d7dd278bc2a52acda7e945f97e"))
    (package
      (name "go-github-com-certifi-gocertifi")
      ;; The source is pinned to COMMIT, so the set of root certificates this
      ;; bundle ships is frozen at that snapshot; it only changes when COMMIT
      ;; (and the hash below) are updated.
      (version (git-version "2018.01.18" revision commit))
      (source (origin
                (method git-fetch)
                (uri (git-reference
                      (url "https://github.com/certifi/gocertifi")
                      (commit commit)))
                (file-name (git-file-name name version))
                (sha256
                 (base32
                  "0f3v26xps7gadw4qfmh1kxbpgp0cgqdd61a257xnnvnd7ll6k8dh"))))
      (build-system go-build-system)
      (arguments
       '(#:import-path "github.com/certifi/gocertifi"))
      (home-page "https://certifi.io")
      (synopsis "X.509 TLS root certificate bundle for Go")
      (description "This package is a Go language X.509 TLS root certificate bundle,
derived from Mozilla's collection.")
      (license license:mpl2.0))))