gnu: Move testing packages from python.scm to check.scm.
233e7676 1;;; GNU Guix --- Functional package management for GNU
3c0f7910 2;;; Copyright © 2012, 2013, 2014, 2015, 2016, 2017 Ludovic Courtès <ludo@gnu.org>
e3df6938 3;;; Copyright © 2014, 2015, 2016, 2017 Mark H Weaver <mhw@netris.org>
29a7c98a 4;;; Copyright © 2014 Ian Denhardt <ian@zenhack.net>
cc2b77df 5;;; Copyright © 2013, 2015 Andreas Enge <andreas@enge.fr>
9fd0838b 6;;; Copyright © 2015 David Thompson <davet@gnu.org>
df0625ab 7;;; Copyright © 2015, 2016, 2017 Leo Famulari <leo@famulari.name>
2ed12d3f 8;;; Copyright © 2016, 2017 Efraim Flashner <efraim@flashner.co.il>
5b9aa107 9;;; Copyright © 2016, 2017 ng0 <ng0@infotropique.org>
375cef6c 10;;; Copyright © 2016 Hartmut Goebel <h.goebel@crazy-compilers.com>
ee33f9a7 11;;; Copyright © 2017 Ricardo Wurmus <rekado@elephly.net>
88e2511e 12;;; Copyright © 2017 Marius Bakke <mbakke@fastmail.com>
7543f865 13;;;
233e7676 14;;; This file is part of GNU Guix.
7543f865 15;;;
233e7676 16;;; GNU Guix is free software; you can redistribute it and/or modify it
17;;; under the terms of the GNU General Public License as published by
18;;; the Free Software Foundation; either version 3 of the License, or (at
19;;; your option) any later version.
20;;;
233e7676 21;;; GNU Guix is distributed in the hope that it will be useful, but
22;;; WITHOUT ANY WARRANTY; without even the implied warranty of
23;;; MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
24;;; GNU General Public License for more details.
25;;;
26;;; You should have received a copy of the GNU General Public License
233e7676 27;;; along with GNU Guix. If not, see <http://www.gnu.org/licenses/>.
7543f865 28
;; Package definitions for TLS/SSL libraries, ASN.1 tooling, PKCS#11 support
;; and ACME (Let's Encrypt) clients.  (guix licenses) is imported with the
;; 'license:' prefix, so license values below are written as license:NAME.
(define-module (gnu packages tls)
  #:use-module ((guix licenses) #:prefix license:)
  #:use-module (guix packages)
  #:use-module (guix download)
  #:use-module (guix utils)
  #:use-module (guix build-system gnu)
  #:use-module (guix build-system perl)
  #:use-module (guix build-system python)
  #:use-module (guix build-system cmake)
  #:use-module (guix build-system haskell)
  #:use-module (gnu packages compression)
  #:use-module (gnu packages)
  #:use-module (gnu packages check)
  #:use-module (gnu packages dns)
  #:use-module (gnu packages guile)
  #:use-module (gnu packages haskell)
  #:use-module (gnu packages haskell-check)
  #:use-module (gnu packages haskell-crypto)
  #:use-module (gnu packages libbsd)
  #:use-module (gnu packages libffi)
  #:use-module (gnu packages libidn)
  #:use-module (gnu packages linux)
  #:use-module (gnu packages ncurses)
  #:use-module (gnu packages nettle)
  #:use-module (gnu packages perl)
  #:use-module (gnu packages pkg-config)
  #:use-module (gnu packages python)
  #:use-module (gnu packages python-crypto)
  #:use-module (gnu packages python-web)
  #:use-module (gnu packages texinfo)
  #:use-module (gnu packages base)
  #:use-module (srfi srfi-1))

(define-public libtasn1
  (package
    (name "libtasn1")
    (version "4.12")
    ;; Grafted replacement carrying the CVE-2017-10790 patch; see
    ;; 'libtasn1/fixed' right below.
    (replacement libtasn1/fixed)
    (source
     (origin
       (method url-fetch)
       (uri (string-append "mirror://gnu/libtasn1/libtasn1-"
                           version ".tar.gz"))
       ;; The tarball is pinned by this hash; the mirror is not trusted.
       (sha256
        (base32
         "0ls7jdq3y5fnrwg0pzhq11m21r8pshac2705bczz6mqjc8pdllv7"))))
    (build-system gnu-build-system)
    ;; Perl is only needed at build time.
    (native-inputs `(("perl" ,perl)))
    (home-page "https://www.gnu.org/software/libtasn1/")
    (synopsis "ASN.1 library")
    (description
     "GNU libtasn1 is a library implementing the ASN.1 notation. It is used
for transmitting machine-neutral encodings of data objects in computer
networking, allowing for formal validation of data according to some
specifications.")
    (license license:lgpl2.0+)))

;; 'libtasn1' with the CVE-2017-10790 fix applied on top of the same source.
;; Not exported: it is only reached through the 'replacement' field of
;; 'libtasn1' above.
(define libtasn1/fixed
  (package
    (inherit libtasn1)
    (source (origin
              (inherit (package-source libtasn1))
              (patches (search-patches "libtasn1-CVE-2017-10790.patch"))))))

(define-public asn1c
  (package
    (name "asn1c")
    (version "0.9.28")
    (source (origin
              (method url-fetch)
              (uri (string-append "https://lionet.info/soft/asn1c-"
                                  version ".tar.gz"))
              (sha256
               (base32
                "1fc64g45ykmv73kdndr4zdm4wxhimhrir4rxnygxvwkych5l81w0"))))
    (build-system gnu-build-system)
    ;; Build-time only (native input).
    (native-inputs
     `(("perl" ,perl)))
    (home-page "https://lionet.info/asn1c")
    (synopsis "ASN.1 to C compiler")
    (description "The ASN.1 to C compiler takes ASN.1 module
files and generates C++ compatible C source code. That code can be
used to serialize the native C structures into compact and unambiguous
BER/XER/PER-based data files, and deserialize the files back.

Various ASN.1 based formats are widely used in the industry, such as to encode
the X.509 certificates employed in the HTTPS handshake, to exchange control
data between mobile phones and cellular networks, to car-to-car communication
in intelligent transportation networks.")
    (license license:bsd-2)))

(define-public p11-kit
  (package
    (name "p11-kit")
    (version "0.23.9")
    (source
     (origin
       (method url-fetch)
       (uri (string-append "https://github.com/p11-glue/p11-kit/releases/"
                           "download/" version "/p11-kit-" version ".tar.gz"))
       (sha256
        (base32
         "0qyvnkb5hfi94wv3bn67y20hcbbvynvjwxpk7k9sh1si6ff69hg1"))))
    (build-system gnu-build-system)
    (native-inputs
     `(("pkg-config" ,pkg-config)))
    (inputs
     `(("libffi" ,libffi)
       ("libtasn1" ,libtasn1)))
    ;; NOTE(review): '--without-trust-paths' means no default trust-anchor
    ;; paths are compiled in, so consumers have to configure them; compare
    ;; the trust-store discussion in 'gnutls' below.
    (arguments
     `(#:configure-flags '("--without-trust-paths")))
    (home-page "http://p11-glue.freedesktop.org/p11-kit.html")
    (synopsis "PKCS#11 library")
    (description
     "p11-kit provides a way to load and enumerate PKCS#11 modules. It
provides a standard configuration setup for installing PKCS#11 modules
in such a way that they are discoverable. It also solves problems with
coordinating the use of PKCS#11 by different components or libraries
living in the same process.")
    (license license:bsd-3)))


;; TODO Add net-tools-for-tests to #:disallowed-references when we can afford
;; to rebuild GnuTLS (i.e. core-updates).
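(define-public gnutls
  (package
    (name "gnutls")
    (version "3.5.13")
    (source (origin
              (method url-fetch)
              (uri
               ;; Note: Releases are no longer on ftp.gnu.org since the
               ;; schism (after version 3.1.5).
               (string-append "mirror://gnupg/gnutls/v"
                              (version-major+minor version)
                              "/gnutls-" version ".tar.xz"))
              ;; Two tests are skipped: one needs a system trust store, the
              ;; other a pkg-config setup, neither available at build time.
              (patches
               (search-patches "gnutls-skip-trust-store-test.patch"
                               "gnutls-skip-pkgconfig-test.patch"))
              (sha256
               (base32
                "15ihq6p0hnnhs8cnjrkj40dmlcaa1jjg8xg0g2ydbnlqs454ixbr"))))
    (build-system gnu-build-system)
    (arguments
     '(#:configure-flags
       (list
        ;; GnuTLS doesn't consult any environment variables to specify
        ;; the location of the system-wide trust store. Instead it has a
        ;; configure-time option. Unless specified, its configure script
        ;; attempts to auto-detect the location by looking for common
        ;; places in the file system, none of which are present in our
        ;; chroot build environment. If not found, then no default trust
        ;; store is used, so each program has to provide its own
        ;; fallback, and users have to configure each program
        ;; independently. This seems suboptimal.
        "--with-default-trust-store-dir=/etc/ssl/certs"

        ;; FIXME: Temporarily disable p11-kit support since it is not
        ;; working on mips64el.
        ;; NOTE(review): without p11-kit the directory above is the only
        ;; system-wide trust source this build can use -- confirm when
        ;; re-enabling.
        "--without-p11-kit")

       #:phases (modify-phases %standard-phases
                  (add-after
                   'install 'move-doc
                   (lambda* (#:key outputs #:allow-other-keys)
                     ;; Copy the 4.1 MiB of section 3 man pages to "doc".
                     (let* ((out (assoc-ref outputs "out"))
                            (doc (assoc-ref outputs "doc"))
                            (mandir (string-append doc "/share/man/man3"))
                            (oldman (string-append out "/share/man/man3")))
                       (mkdir-p mandir)
                       (copy-recursively oldman mandir)
                       (delete-file-recursively oldman)
                       #t))))))
    (outputs '("out" ;4.4 MiB
               "debug"
               "doc")) ;4.1 MiB of man pages
    (native-inputs
     `(("net-tools" ,net-tools-for-tests)
       ("pkg-config" ,pkg-config)
       ("which" ,which)))
    (inputs
     `(("guile" ,guile-2.2)))
    (propagated-inputs
     ;; These are all in the 'Requires.private' field of gnutls.pc.
     `(("libtasn1" ,libtasn1)
       ("libidn2" ,libidn2)
       ("nettle" ,nettle)
       ("zlib" ,zlib)))
    (home-page "https://www.gnu.org/software/gnutls/")
    (synopsis "Transport layer security library")
    ;; "X.5009" was a typo for the X.509 certificate format.
    (description
     "GnuTLS is a secure communications library implementing the SSL, TLS
and DTLS protocols. It is provided in the form of a C library to support the
protocols, as well as to parse and write X.509, PKCS 12, OpenPGP and other
required structures.")
    (license license:lgpl2.1+)
    ;; Used by 'guix refresh' to look for new releases.
    (properties '((ftp-server . "ftp.gnutls.org")
                  (ftp-directory . "/gcrypt/gnutls")))))
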
(define-public gnutls/guile-2.2
  ;; Kept for backward compatibility only: 'gnutls' itself already takes
  ;; Guile 2.2 as input, so the old "guile2.2-gnutls" name is deprecated in
  ;; favour of it.
  (deprecated-package "guile2.2-gnutls" gnutls))

(define-public gnutls/guile-2.0
  ;; GnuTLS for Guile 2.0: same package as 'gnutls', with the "guile" input
  ;; swapped for guile-2.0 and every other input kept.
  (package
    (inherit gnutls)
    (name "guile2.0-gnutls")
    (inputs (cons (list "guile" guile-2.0)
                  (alist-delete "guile" (package-inputs gnutls))))))

(define-public gnutls/dane
  ;; GnuTLS built with libgnutls-dane, which implements DNS-based
  ;; Authentication of Named Entities (DANE).  GNUnet and gnURL need it for
  ;; GNS.  It is a separate package so that users can choose between GnuTLS
  ;; with and without DANE support.
  (package
    (inherit gnutls)
    (name "gnutls-dane")
    ;; Prepend unbound (a DNS resolver library, presumably what
    ;; libgnutls-dane links against) to the regular GnuTLS inputs.
    (inputs (cons (list "unbound" unbound)
                  (package-inputs gnutls)))))

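(define-public openssl
  (package
    (name "openssl")
    (version "1.0.2l")
    ;; Grafted with the 1.0.2m security release defined below.
    (replacement openssl-1.0.2m)
    (source (origin
              (method url-fetch)
              ;; Plain FTP; integrity rests on the sha256 below, not on the
              ;; transport.
              (uri (list (string-append "ftp://ftp.openssl.org/source/"
                                        name "-" version ".tar.gz")
                         (string-append "ftp://ftp.openssl.org/source/old/"
                                        (string-trim-right version char-set:letter)
                                        "/" name "-" version ".tar.gz")))
              (sha256
               (base32
                "037kvpisc6qh5dkppcwbm5bg2q800xh2hma3vghz8xcycmdij1yf"))
              (snippet
               '(begin
                  ;; Remove ELF files. 'substitute*' can't read them.
                  (delete-file "test/ssltest_old")
                  (delete-file "test/v3ext")
                  (delete-file "test/x509aux")
                  #t))
              (patches (search-patches "openssl-runpath.patch"
                                       "openssl-c-rehash-in.patch"))))
    (build-system gnu-build-system)
    (outputs '("out"
               "doc" ;1.5MiB of man3 pages
               "static")) ;6MiB of .a files
    (native-inputs `(("perl" ,perl)))
    (arguments
     `(#:parallel-build? #f
       #:parallel-tests? #f
       #:test-target "test"

       ;; Changes to OpenSSL sometimes cause Perl to "sneak in" to the closure,
       ;; so we explicitly disallow it here.  This keyword used to be passed
       ;; twice (once as (,perl), once as the canonical package); with a
       ;; duplicate keyword argument one of the two silently wins, so both
       ;; are now listed under a single keyword, which can only make the
       ;; closure check stricter, never weaker.
       #:disallowed-references ,(list perl (canonical-package perl))
       #:phases
       (modify-phases %standard-phases
         (add-before
          'configure 'patch-Makefile.org
          (lambda* (#:key outputs #:allow-other-keys)
            ;; The default MANDIR is some unusual place. Fix that.
            (let ((out (assoc-ref outputs "out")))
              (patch-makefile-SHELL "Makefile.org")
              (substitute* "Makefile.org"
                (("^MANDIR[[:blank:]]*=.*$")
                 (string-append "MANDIR = " out "/share/man\n")))
              #t)))
         (replace
          'configure
          (lambda* (#:key outputs #:allow-other-keys)
            (let ((out (assoc-ref outputs "out")))
              ;; OpenSSL's own './config' script, not GNU configure; the
              ;; phase fails if it exits non-zero.
              (zero?
               (system* "./config"
                        "shared" ;build shared libraries
                        "--libdir=lib"

                        ;; The default for this catch-all directory is
                        ;; PREFIX/ssl. Change that to something more
                        ;; conventional.
                        (string-append "--openssldir=" out
                                       "/share/openssl-" ,version)

                        (string-append "--prefix=" out)

                        ;; XXX FIXME: Work around a code generation bug in GCC
                        ;; 4.9.3 on ARM when compiled with -mfpu=neon. See:
                        ;; <https://gcc.gnu.org/bugzilla/show_bug.cgi?id=66917>
                        ,@(if (and (not (%current-target-system))
                                   (string-prefix? "armhf" (%current-system)))
                              '("-mfpu=vfpv3")
                              '()))))))
         (add-after
          'install 'make-libraries-writable
          (lambda* (#:key outputs #:allow-other-keys)
            ;; Make libraries writable so that 'strip' does its job.
            (let ((out (assoc-ref outputs "out")))
              (for-each (lambda (file)
                          (chmod file #o644))
                        (find-files (string-append out "/lib")
                                    "\\.so"))
              #t)))
         (add-after 'install 'move-static-libraries
           (lambda* (#:key outputs #:allow-other-keys)
             ;; Move static libraries to the "static" output.
             (let* ((out (assoc-ref outputs "out"))
                    (lib (string-append out "/lib"))
                    (static (assoc-ref outputs "static"))
                    (slib (string-append static "/lib")))
               (for-each (lambda (file)
                           (install-file file slib)
                           (delete-file file))
                         (find-files lib "\\.a$"))
               #t)))
         (add-after 'install 'move-man3-pages
           (lambda* (#:key outputs #:allow-other-keys)
             ;; Move section 3 man pages to "doc".
             (let* ((out (assoc-ref outputs "out"))
                    (man3 (string-append out "/share/man/man3"))
                    (doc (assoc-ref outputs "doc"))
                    (target (string-append doc "/share/man/man3")))
               (mkdir-p target)
               (for-each (lambda (file)
                           (rename-file file
                                        (string-append target "/"
                                                       (basename file))))
                         (find-files man3))
               (delete-file-recursively man3)
               #t)))
         (add-before
          'patch-source-shebangs 'patch-tests
          (lambda* (#:key inputs native-inputs #:allow-other-keys)
            ;; The test scripts hard-code /bin/sh and /bin/rm, neither of
            ;; which exists in the build environment.
            (let ((bash (assoc-ref (or native-inputs inputs) "bash")))
              (substitute* (find-files "test" ".*")
                (("/bin/sh")
                 (string-append bash "/bin/sh"))
                (("/bin/rm")
                 "rm"))
              #t)))
         (add-after
          'install 'remove-miscellany
          (lambda* (#:key outputs #:allow-other-keys)
            ;; The 'misc' directory contains random undocumented shell and Perl
            ;; scripts. Remove them to avoid retaining a reference on Perl.
            (let ((out (assoc-ref outputs "out")))
              (delete-file-recursively (string-append out "/share/openssl-"
                                                      ,version "/misc"))
              #t))))))
    (native-search-paths
     ;; FIXME: These two variables must designate a single file or directory
     ;; and are not actually "search paths." In practice it works OK in user
     ;; profiles because there's always just one item that matches the
     ;; specification.
     (list (search-path-specification
            (variable "SSL_CERT_DIR")
            (files '("etc/ssl/certs")))
           (search-path-specification
            (variable "SSL_CERT_FILE")
            (files '("etc/ssl/certs/ca-certificates.crt")))))
    (synopsis "SSL/TLS implementation")
    (description
     "OpenSSL is an implementation of SSL/TLS.")
    (license license:openssl)
    (home-page "http://www.openssl.org/")))
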
398;; Fixes CVE-2017-3735 and CVE-2017-3736.
399;; See <https://www.openssl.org/news/cl102.txt>.
(define-public openssl-1.0.2m
  ;; Grafted in place of 'openssl' through its 'replacement' field.  The
  ;; origin inherits the snippet and patches of the 1.0.2l source; only the
  ;; URIs (HTTPS first) and the hash differ.
  (package
    (inherit openssl)
    (version "1.0.2m")
    (source (origin
              (inherit (package-source openssl))
              (uri (list (string-append "https://www.openssl.org/source/openssl-"
                                        version ".tar.gz")
                         (string-append "ftp://ftp.openssl.org/source/openssl-"
                                        version ".tar.gz")
                         (string-append "ftp://ftp.openssl.org/source/old/"
                                        (string-trim-right version char-set:letter)
                                        "/openssl-" version ".tar.gz")))
              (sha256
               (base32
                "03vvlfnxx4lhxc83ikfdl6jqph4h52y7lb7li03va6dkqrgg2vwc"))))))

(define-public openssl-next
  ;; OpenSSL 1.1.0, sharing everything with 'openssl' except source,
  ;; outputs and the configure/remove-miscellany phases.  NOTE(review):
  ;; 'replacement' is an innate package field in Guix and is not copied by
  ;; 'inherit', so this package is not grafted with openssl-1.0.2m -- verify
  ;; if the graft machinery changes.
  (package
    (inherit openssl)
    (name "openssl")
    (version "1.1.0g")
    ;; A fresh origin: the 1.0.2 snippet that deletes ELF test files is
    ;; deliberately not inherited here.
    (source (origin
              (method url-fetch)
              (uri (list (string-append "https://www.openssl.org/source/openssl-"
                                        version ".tar.gz")
                         (string-append "ftp://ftp.openssl.org/source/"
                                        name "-" version ".tar.gz")
                         (string-append "ftp://ftp.openssl.org/source/old/"
                                        (string-trim-right version char-set:letter)
                                        "/" name "-" version ".tar.gz")))
              (patches (search-patches "openssl-1.1.0-c-rehash-in.patch"))
              (sha256
               (base32
                "1bvka2wf33w2vxv7yw578nnjqyhz2b3chvfb0l4k2ffscw950kfy"))))
    (outputs '("out"
               "doc" ;1.3MiB of man3 pages
               "static")) ; 5.5MiB of .a files
    (arguments
     (substitute-keyword-arguments (package-arguments openssl)
       ((#:phases phases)
        `(modify-phases ,phases
           (delete 'patch-tests) ; These two phases are not needed by
           (delete 'patch-Makefile.org) ; OpenSSL 1.1.0.

           ;; Override configure phase since -rpath is now a configure option.
           (replace 'configure
             (lambda* (#:key outputs #:allow-other-keys)
               (let* ((out (assoc-ref outputs "out"))
                      (lib (string-append out "/lib")))
                 (zero?
                  (system* "./config"
                           "shared" ;build shared libraries
                           "--libdir=lib"

                           ;; The default for this catch-all directory is
                           ;; PREFIX/ssl. Change that to something more
                           ;; conventional.
                           (string-append "--openssldir=" out
                                          "/share/openssl-" ,version)

                           (string-append "--prefix=" out)
                           ;; Replaces what openssl-runpath.patch does for 1.0.2.
                           (string-append "-Wl,-rpath," lib)

                           ;; XXX FIXME: Work around a code generation bug in GCC
                           ;; 4.9.3 on ARM when compiled with -mfpu=neon. See:
                           ;; <https://gcc.gnu.org/bugzilla/show_bug.cgi?id=66917>
                           ,@(if (and (not (%current-target-system))
                                      (string-prefix? "armhf" (%current-system)))
                                 '("-mfpu=vfpv3")
                                 '()))))))

           ;; XXX: Duplicate this phase to make sure 'version' evaluates
           ;; in the current scope and not the inherited one.
           (replace 'remove-miscellany
             (lambda* (#:key outputs #:allow-other-keys)
               ;; The 'misc' directory contains random undocumented shell and Perl
               ;; scripts. Remove them to avoid retaining a reference on Perl.
               (let ((out (assoc-ref outputs "out")))
                 (delete-file-recursively (string-append out "/share/openssl-"
                                                         ,version "/misc"))
                 #t)))))))))

(define-public libressl
  (package
    (name "libressl")
    (version "2.5.5")
    (source (origin
              (method url-fetch)
              (uri (string-append "mirror://openbsd/LibreSSL/"
                                  name "-" version ".tar.gz"))
              (sha256
               (base32
                "1i77viqy1afvbr392npk9v54k9zhr9zq2vhv6pliza22b0ymwzz5"))))
    (build-system gnu-build-system)
    (arguments
     ;; Do as if 'getentropy' was missing since older Linux kernels lack it
     ;; and libc would return ENOSYS, which is not properly handled.
     ;; See <https://lists.gnu.org/archive/html/guix-devel/2017-04/msg00235.html>.
     ;; NOTE(review): with getentropy disabled, RNG seeding relies on
     ;; LibreSSL's other Linux entropy paths -- re-check this when bumping
     ;; the version.
     '(#:configure-flags '("ac_cv_func_getentropy=no"
                           ;; Provide a TLS-enabled netcat.
                           "--enable-nc")))
    (native-search-paths
     ;; FIXME: These two variables must designate a single file or directory
     ;; and are not actually "search paths." In practice it works OK in
     ;; user profiles because there's always just one item that matches the
     ;; specification.
     (list (search-path-specification
            (variable "SSL_CERT_DIR")
            (files '("etc/ssl/certs")))
           (search-path-specification
            (variable "SSL_CERT_FILE")
            (files '("etc/ssl/certs/ca-certificates.crt")))))
    (home-page "https://www.libressl.org/")
    (synopsis "SSL/TLS implementation")
    (description "LibreSSL is a version of the TLS/crypto stack, forked from
OpenSSL in 2014 with the goals of modernizing the codebase, improving security,
and applying best practice development processes. This package also includes a
netcat implementation that supports TLS.")
    ;; Files taken from OpenSSL keep their license, others are under various
    ;; non-copyleft licenses.
    (license (list license:openssl
                   (license:non-copyleft
                    "file://COPYING"
                    "See COPYING in the distribution.")))))

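(define-public python-acme
  (package
    (name "python-acme")
    ;; Remember to update the hash of certbot when updating python-acme.
    (version "0.19.0")
    (source (origin
              (method url-fetch)
              (uri (pypi-uri "acme" version))
              (sha256
               (base32
                "08p8w50zciqlhgn3ab0wbbvi1zyg3x37r1gywq0z1allsij3v8hz"))))
    (build-system python-build-system)
    (arguments
     `(#:phases
       (modify-phases %standard-phases
         ;; The manual is built with Sphinx from the 'docs' directory.
         (add-after 'build 'build-documentation
           (lambda _
             (zero? (system* "make" "-C" "docs" "man" "info"))))
         (add-after 'install 'install-documentation
           (lambda* (#:key outputs #:allow-other-keys)
             (let* ((out (assoc-ref outputs "out"))
                    (man (string-append out "/share/man/man1"))
                    ;; Info manuals are looked up under share/info (that is
                    ;; where INFOPATH and the profile's 'dir' file point), not
                    ;; in a top-level 'info' directory.
                    (info (string-append out "/share/info")))
               (install-file "docs/_build/texinfo/acme-python.info" info)
               (install-file "docs/_build/man/acme-python.1" man)
               #t))))))
    ;; TODO: Add optional inputs for testing.
    (native-inputs
     `(("python-mock" ,python-mock-2)
       ;; For documentation
       ("python-sphinx" ,python-sphinx)
       ("python-sphinxcontrib-programoutput" ,python-sphinxcontrib-programoutput)
       ("python-sphinx-rtd-theme" ,python-sphinx-rtd-theme)
       ("texinfo" ,texinfo)))
    (propagated-inputs
     `(("python-six" ,python-six)
       ("python-requests" ,python-requests)
       ("python-pytz" ,python-pytz)
       ("python-pyrfc3339" ,python-pyrfc3339)
       ("python-pyasn1" ,python-pyasn1)
       ("python-cryptography" ,python-cryptography)
       ("python-pyopenssl" ,python-pyopenssl)))
    (home-page "https://github.com/letsencrypt/letsencrypt")
    (synopsis "ACME protocol implementation in Python")
    (description "ACME protocol implementation in Python")
    (license license:asl2.0)))
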
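(define-public certbot
  (package
    (name "certbot")
    ;; Certbot and python-acme are developed in the same repository, and their
    ;; versions should remain synchronized.
    (version (package-version python-acme))
    (source (origin
              (method url-fetch)
              (uri (pypi-uri name version))
              (sha256
               (base32
                "0lwxqz3r0fg3dy06fgba1dfs7n6ribc25z0rh5rqbl7mvy8hf8x7"))))
    (build-system python-build-system)
    ;; Reuse python-acme's phases (including its documentation build) and
    ;; only swap the installation step, since certbot ships man1, man7 and
    ;; a differently named info file.
    (arguments
     `(,@(substitute-keyword-arguments (package-arguments python-acme)
           ((#:phases phases)
            `(modify-phases ,phases
               (replace 'install-documentation
                 (lambda* (#:key outputs #:allow-other-keys)
                   (let* ((out (assoc-ref outputs "out"))
                          (man1 (string-append out "/share/man/man1"))
                          (man7 (string-append out "/share/man/man7"))
                          ;; Info manuals are looked up under share/info (that
                          ;; is where INFOPATH and the profile's 'dir' file
                          ;; point), not in a top-level 'info' directory.
                          (info (string-append out "/share/info")))
                     (install-file "docs/_build/texinfo/Certbot.info" info)
                     (install-file "docs/_build/man/certbot.1" man1)
                     (install-file "docs/_build/man/certbot.7" man7)
                     #t))))))))
    ;; TODO: Add optional inputs for testing.
    (native-inputs
     `(("python-nose" ,python-nose)
       ("python-mock" ,python-mock-2)
       ;; For documentation
       ("python-sphinx" ,python-sphinx)
       ("python-sphinx-rtd-theme" ,python-sphinx-rtd-theme)
       ("python-sphinx-repoze-autointerface" ,python-sphinx-repoze-autointerface)
       ("python-sphinxcontrib-programoutput" ,python-sphinxcontrib-programoutput)
       ("texinfo" ,texinfo)))
    (propagated-inputs
     `(("python-acme" ,python-acme)
       ("python-zope-interface" ,python-zope-interface)
       ("python-pyrfc3339" ,python-pyrfc3339)
       ("python-pyopenssl" ,python-pyopenssl)
       ("python-configobj" ,python-configobj)
       ("python-configargparse" ,python-configargparse)
       ("python-zope-component" ,python-zope-component)
       ("python-parsedatetime" ,python-parsedatetime)
       ("python-six" ,python-six)
       ("python-psutil" ,python-psutil)
       ("python-requests" ,python-requests)
       ("python-pytz" ,python-pytz)))
    (synopsis "Let's Encrypt client by the Electronic Frontier Foundation")
    (description "Certbot automatically receives and installs X.509 certificates
to enable Transport Layer Security (TLS) on servers. It interoperates with the
Let’s Encrypt certificate authority (CA), which issues browser-trusted
certificates for free.")
    (home-page "https://certbot.eff.org/")
    (license license:asl2.0)))
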
(define-public letsencrypt
  ;; Transitional name for 'certbot'.  The 'superseded' property is how Guix
  ;; marks a package that has been replaced by another one.
  (package
    (inherit certbot)
    (name "letsencrypt")
    (properties (list (cons 'superseded certbot)))))

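(define-public perl-net-ssleay
  (package
    (name "perl-net-ssleay")
    (version "1.81")
    (source (origin
              (method url-fetch)
              (uri (string-append "mirror://cpan/authors/id/M/MI/MIKEM/"
                                  "Net-SSLeay-" version ".tar.gz"))
              (sha256
               (base32
                "0z8vya34g88bc41kx955sv7y4niwbbywji8liqbl52v29qbvdjq0"))))
    (build-system perl-build-system)
    (inputs `(("openssl" ,openssl)))
    (arguments
     `(#:phases
       (modify-phases %standard-phases
         ;; Tell Makefile.PL where the OpenSSL headers and libraries are.
         (add-before
          'configure 'set-ssl-prefix
          (lambda* (#:key inputs #:allow-other-keys)
            (setenv "OPENSSL_PREFIX" (assoc-ref inputs "openssl"))
            #t)))))
    (synopsis "Perl extension for using OpenSSL")
    (description
     "This module offers some high level convenience functions for accessing
web pages on SSL servers (for symmetry, the same API is offered for accessing
http servers, too), an sslcat() function for writing your own clients, and
finally access to the SSL api of the SSLeay/OpenSSL package so you can write
servers or clients for more complicated applications.")
    (license license:perl-license)
    ;; Point at the distribution page rather than a release-specific URL
    ;; (the previous one named 1.66 while the package is at 1.81).
    (home-page "http://search.cpan.org/dist/Net-SSLeay")))
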
(define-public perl-crypt-openssl-rsa
  (package
    (name "perl-crypt-openssl-rsa")
    (version "0.28")
    (source
     (origin
       (method url-fetch)
       (uri (string-append
             "mirror://cpan/authors/id/P/PE/PERLER/Crypt-OpenSSL-RSA-"
             version
             ".tar.gz"))
       (sha256
        (base32
         "1gnpvv09b2gpifwdzc5jnhama3d1a4c39lzj9hcaicsb8rvzjmsk"))))
    (build-system perl-build-system)
    (inputs
     `(("perl-crypt-openssl-bignum" ,perl-crypt-openssl-bignum)
       ("perl-crypt-openssl-random" ,perl-crypt-openssl-random)
       ("openssl" ,openssl)))
    ;; Shared with the other Crypt::OpenSSL::* packages; defined further
    ;; down in this file (the reference is resolved lazily).
    (arguments perl-crypt-arguments)
    (home-page
     "http://search.cpan.org/dist/Crypt-OpenSSL-RSA")
    (synopsis
     "RSA encoding and decoding, using the openSSL libraries")
    (description "Crypt::OpenSSL::RSA does RSA encoding and decoding (using the
OpenSSL libraries).")
    (license license:perl-license)))

;; Build arguments shared by the Crypt::OpenSSL::* packages below: rewrite
;; the LIBS entry of Makefile.PL so that libcrypto is taken from the
;; "openssl" input.
;; NOTE(review): 'perl-crypt-openssl-rsa' above refers to this variable
;; before its definition; that works because package 'arguments' are
;; evaluated lazily (thunked field) -- keep that in mind when reordering.
(define perl-crypt-arguments
  `(#:phases (modify-phases %standard-phases
               (add-before 'configure 'patch-Makefile.PL
                 (lambda* (#:key inputs #:allow-other-keys)
                   (substitute* "Makefile.PL"
                     (("'LIBS'.*=>.*") (string-append "'LIBS' => ['-L"
                                                      (assoc-ref inputs "openssl")
                                                      "/lib -lcrypto'],")))
                   #t)))))

(define-public perl-crypt-openssl-bignum
  (package
    (name "perl-crypt-openssl-bignum")
    (version "0.08")
    (source
     (origin
       (method url-fetch)
       (uri (string-append
             "mirror://cpan/authors/id/K/KM/KMX/Crypt-OpenSSL-Bignum-"
             version
             ".tar.gz"))
       (sha256
        (base32
         "0gamn4dff1bz77nswacy1dlpn9fkwahzw7yvvik4nbwwy2s63hc8"))))
    (build-system perl-build-system)
    (inputs `(("openssl" ,openssl)))
    ;; See 'perl-crypt-arguments' above.
    (arguments perl-crypt-arguments)
    (home-page
     "http://search.cpan.org/dist/Crypt-OpenSSL-Bignum")
    (synopsis
     "OpenSSL's multiprecision integer arithmetic in Perl")
    (description "Crypt::OpenSSL::Bignum provides multiprecision integer
arithmetic in Perl.")
    ;; At your option either gpl1+ or the Artistic License
    (license license:perl-license)))

(define-public perl-crypt-openssl-random
  (package
    (name "perl-crypt-openssl-random")
    (version "0.11")
    (source
     (origin
       (method url-fetch)
       (uri (string-append
             "mirror://cpan/authors/id/R/RU/RURBAN/Crypt-OpenSSL-Random-"
             version
             ".tar.gz"))
       (sha256
        (base32
         "0yjcabkibrkafywvdkmd1xpi6br48skyk3l15ni176wvlg38335v"))))
    (build-system perl-build-system)
    (inputs `(("openssl" ,openssl)))
    ;; See 'perl-crypt-arguments' above.
    (arguments perl-crypt-arguments)
    (home-page
     "http://search.cpan.org/dist/Crypt-OpenSSL-Random")
    (synopsis
     "OpenSSL/LibreSSL pseudo-random number generator access")
    (description "Crypt::OpenSSL::Random is a OpenSSL/LibreSSL pseudo-random
number generator")
    (license license:perl-license)))

(define-public acme-client
  (package
    (name "acme-client")
    (version "0.1.16")
    (source (origin
              (method url-fetch)
              (uri (string-append "https://kristaps.bsd.lv/" name "/"
                                  "snapshots/" name "-portable-"
                                  version ".tgz"))
              (sha256
               (base32
                "00q05b3b1dfnfp7sr1nbd212n0mqrycl3cr9lbs51m7ncaihbrz9"))))
    (build-system gnu-build-system)
    (arguments
     '(#:tests? #f ; no test suite
       #:make-flags
       (list "CC=gcc"
             (string-append "PREFIX=" (assoc-ref %outputs "out")))
       #:phases
       (modify-phases %standard-phases
         ;; http.c hard-codes /etc/ssl/cert.pem as the CA bundle used to
         ;; verify the ACME server; point it at the bundle in the libressl
         ;; input instead.  NOTE(review): this pins the trust anchors to
         ;; whatever that libressl build ships at that path rather than the
         ;; system's SSL_CERT_DIR -- confirm the file exists in the libressl
         ;; output, otherwise TLS verification would fail outright.
         (add-after 'unpack 'patch-paths
           (lambda* (#:key inputs #:allow-other-keys)
             (let ((pem (string-append (assoc-ref inputs "libressl")
                                       "/etc/ssl/cert.pem")))
               (substitute* "http.c"
                 (("/etc/ssl/cert.pem") pem))
               #t)))
         (delete 'configure)))) ; no './configure' script
    (native-inputs
     `(("pkg-config" ,pkg-config)))
    (inputs
     `(("libbsd" ,libbsd)
       ("libressl" ,libressl)))
    (synopsis "Let's Encrypt client by the OpenBSD project")
    (description "acme-client is a Let's Encrypt client implemented in C. It
uses a modular design, and attempts to secure itself by dropping privileges and
operating in a chroot where possible. acme-client is developed on OpenBSD and
then ported to the GNU / Linux environment.")
    (home-page "https://kristaps.bsd.lv/acme-client/")
    ;; acme-client is distributed under the ISC license, but the files 'jsmn.h'
    ;; and 'jsmn.c' are distributed under the Expat license.
    (license (list license:isc license:expat))))

;; The "-apache" variant is the variant preferred upstream.  A "-gpl"
;; variant exists in addition to the "-apache" one.
(define-public mbedtls-apache
  (package
    (name "mbedtls-apache")
    (version "2.6.0")
    (source
     (origin
       (method url-fetch)
       ;; XXX: The download links on the website are script redirection links
       ;; which effectively lead to the format listed in the uri here.
       (uri (string-append "https://tls.mbed.org/download/mbedtls-"
                           version "-apache.tgz"))
       (sha256
        (base32
         "11wnj34rfqxjggmdgf042i49lr6civgbqwv2p7p8bn6k2919vg4r"))))
    (build-system cmake-build-system)
    ;; Build-time only (native input).
    (native-inputs
     `(("perl" ,perl)))
    (synopsis "Small TLS library")
    (description
     "@code{mbed TLS}, formerly known as PolarSSL, makes it trivially easy
for developers to include cryptographic and SSL/TLS capabilities in their
(embedded) products, facilitating this functionality with a minimal
coding footprint.")
    (home-page "https://tls.mbed.org")
    (license license:asl2.0)))

(define-public ghc-tls
  (package
    (name "ghc-tls")
    (version "1.3.8")
    (source (origin
              (method url-fetch)
              (uri (string-append "https://hackage.haskell.org/package/"
                                  "tls/tls-" version ".tar.gz"))
              (sha256
               (base32
                "1rdidf18i781c0vdvy9yn79yh08hmcacf6fp3sgghyiy3h0wyh5l"))))
    (build-system haskell-build-system)
    ;; Run-time library dependencies, including the X.509 parsing, store
    ;; and validation packages and the cryptonite primitives.
    (inputs
     `(("ghc-mtl" ,ghc-mtl)
       ("ghc-cereal" ,ghc-cereal)
       ("ghc-data-default-class" ,ghc-data-default-class)
       ("ghc-memory" ,ghc-memory)
       ("ghc-cryptonite" ,ghc-cryptonite)
       ("ghc-asn1-types" ,ghc-asn1-types)
       ("ghc-asn1-encoding" ,ghc-asn1-encoding)
       ("ghc-x509" ,ghc-x509)
       ("ghc-x509-store" ,ghc-x509-store)
       ("ghc-x509-validation" ,ghc-x509-validation)
       ("ghc-async" ,ghc-async)
       ("ghc-network" ,ghc-network)
       ("ghc-hourglass" ,ghc-hourglass)))
    ;; Test frameworks: build-time only.
    (native-inputs
     `(("ghc-tasty" ,ghc-tasty)
       ("ghc-tasty-quickcheck" ,ghc-tasty-quickcheck)
       ("ghc-quickcheck" ,ghc-quickcheck)))
    (home-page "https://github.com/vincenthz/hs-tls")
    (synopsis
     "TLS/SSL protocol native implementation (Server and Client)")
    (description
     "Native Haskell TLS and SSL protocol implementation for server and client.
This provides a high-level implementation of a sensitive security protocol,
eliminating a common set of security issues through the use of the advanced
type system, high level constructions and common Haskell features. Currently
implement the SSL3.0, TLS1.0, TLS1.1 and TLS1.2 protocol, and support RSA and
Ephemeral (Elliptic curve and regular) Diffie Hellman key exchanges, and many
extensions.")
    (license license:bsd-3)))