233e7676 1;;; GNU Guix --- Functional package management for GNU
3c0f7910 2;;; Copyright © 2012, 2013, 2014, 2015, 2016, 2017 Ludovic Courtès <ludo@gnu.org>
05f6e601 3;;; Copyright © 2014, 2015, 2016, 2017, 2018 Mark H Weaver <mhw@netris.org>
29a7c98a 4;;; Copyright © 2014 Ian Denhardt <ian@zenhack.net>
cc2b77df 5;;; Copyright © 2013, 2015 Andreas Enge <andreas@enge.fr>
9fd0838b 6;;; Copyright © 2015 David Thompson <davet@gnu.org>
2a5b5bfd 7;;; Copyright © 2015, 2016, 2017, 2018 Leo Famulari <leo@famulari.name>
2850d877 8;;; Copyright © 2016, 2017, 2019 Efraim Flashner <efraim@flashner.co.il>
0741932b 9;;; Copyright © 2016, 2017, 2018 Nils Gillmann <ng0@n0.is>
375cef6c 10;;; Copyright © 2016 Hartmut Goebel <h.goebel@crazy-compilers.com>
ee33f9a7 11;;; Copyright © 2017 Ricardo Wurmus <rekado@elephly.net>
d5c472a2 12;;; Copyright © 2017, 2018 Marius Bakke <mbakke@fastmail.com>
a92c6b1a 13;;; Copyright © 2017, 2018, 2019 Tobias Geerinckx-Rice <me@tobias.gr>
fbf5ca3c 14;;; Copyright © 2017 Rutger Helling <rhelling@mykolab.com>
e8b3a158 15;;; Copyright © 2018 Clément Lassieur <clement@lassieur.org>
7543f865 16;;;
233e7676 17;;; This file is part of GNU Guix.
7543f865 18;;;
233e7676 19;;; GNU Guix is free software; you can redistribute it and/or modify it
20;;; under the terms of the GNU General Public License as published by
21;;; the Free Software Foundation; either version 3 of the License, or (at
22;;; your option) any later version.
23;;;
233e7676 24;;; GNU Guix is distributed in the hope that it will be useful, but
25;;; WITHOUT ANY WARRANTY; without even the implied warranty of
26;;; MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
27;;; GNU General Public License for more details.
28;;;
29;;; You should have received a copy of the GNU General Public License
233e7676 30;;; along with GNU Guix. If not, see <http://www.gnu.org/licenses/>.
7543f865 31
a7fd7b68 32(define-module (gnu packages tls)
e9aa8d0c 33 #:use-module ((guix licenses) #:prefix license:)
34 #:use-module (guix packages)
35 #:use-module (guix download)
29a7c98a 36 #:use-module (guix utils)
7543f865 37 #:use-module (guix build-system gnu)
cc2b77df 38 #:use-module (guix build-system perl)
7890e3ba 39 #:use-module (guix build-system python)
88522738 40 #:use-module (guix build-system cmake)
587d1752 41 #:use-module (guix build-system haskell)
e8b3a158 42 #:use-module (guix build-system trivial)
f61e0e79 43 #:use-module (gnu packages compression)
013ce67b 44 #:use-module (gnu packages)
e8b3a158 45 #:use-module (gnu packages bash)
ac257f12 46 #:use-module (gnu packages check)
e8b3a158 47 #:use-module (gnu packages curl)
5b9aa107 48 #:use-module (gnu packages dns)
e8b3a158 49 #:use-module (gnu packages gawk)
1ffa7090 50 #:use-module (gnu packages guile)
51 #:use-module (gnu packages haskell)
52 #:use-module (gnu packages haskell-check)
53 #:use-module (gnu packages haskell-crypto)
0581c273 54 #:use-module (gnu packages libbsd)
27e86bed 55 #:use-module (gnu packages libffi)
866f469e 56 #:use-module (gnu packages libidn)
5d4c90ae 57 #:use-module (gnu packages linux)
7890e3ba 58 #:use-module (gnu packages ncurses)
27e86bed 59 #:use-module (gnu packages nettle)
1ffa7090 60 #:use-module (gnu packages perl)
27e86bed 61 #:use-module (gnu packages pkg-config)
7890e3ba 62 #:use-module (gnu packages python)
cc6f4912 63 #:use-module (gnu packages python-crypto)
1b2f753d 64 #:use-module (gnu packages python-web)
44d10b1f 65 #:use-module (gnu packages python-xyz)
a31f4d35 66 #:use-module (gnu packages texinfo)
33dc54b0 67 #:use-module (gnu packages time)
68 #:use-module (gnu packages base)
69 #:use-module (srfi srfi-1))
(define-public libtasn1
  ;; ASN.1 library used by 'gnutls' (propagated: it is listed in gnutls.pc's
  ;; Requires.private) and by 'p11-kit' below.
  (package
    (name "libtasn1")
    (version "4.13")
    (home-page "https://www.gnu.org/software/libtasn1/")
    (synopsis "ASN.1 library")
    (description
     "GNU libtasn1 is a library implementing the ASN.1 notation. It is used
for transmitting machine-neutral encodings of data objects in computer
networking, allowing for formal validation of data according to some
specifications.")
    (license license:lgpl2.0+)
    (source
     (origin
       (method url-fetch)
       (uri (string-append "mirror://gnu/libtasn1/libtasn1-" version
                           ".tar.gz"))
       (sha256
        (base32 "1jlc1iahj8k3haz28j55nzg7sgni5h41vqy461i1bpbx6668wlky"))))
    (build-system gnu-build-system)
    ;; Perl is a build-time-only dependency.
    (native-inputs (list (list "perl" perl)))
    ;; Only the shared library is wanted; skip building the static archive.
    (arguments `(#:configure-flags '("--disable-static")))))
(define-public asn1c
  ;; Stand-alone ASN.1 compiler (a tool, not a library): emits C from ASN.1
  ;; module definitions.
  (package
    (name "asn1c")
    (version "0.9.28")
    (home-page "https://lionet.info/asn1c")
    (synopsis "ASN.1 to C compiler")
    (description "The ASN.1 to C compiler takes ASN.1 module
files and generates C++ compatible C source code. That code can be
used to serialize the native C structures into compact and unambiguous
BER/XER/PER-based data files, and deserialize the files back.

Various ASN.1 based formats are widely used in the industry, such as to encode
the X.509 certificates employed in the HTTPS handshake, to exchange control
data between mobile phones and cellular networks, to car-to-car communication
in intelligent transportation networks.")
    (license license:bsd-2)
    (build-system gnu-build-system)
    ;; Perl is a build-time-only dependency.
    (native-inputs (list (list "perl" perl)))
    (source
     (origin
       (method url-fetch)
       (sha256
        (base32 "1fc64g45ykmv73kdndr4zdm4wxhimhrir4rxnygxvwkych5l81w0"))
       (uri (string-append "https://lionet.info/soft/asn1c-" version
                           ".tar.gz"))))))
(define-public p11-kit
  ;; Loader/multiplexer for PKCS#11 modules.  Note that 'gnutls' below is
  ;; currently built with --without-p11-kit, so it does not consume this.
  (package
    (name "p11-kit")
    (version "0.23.15")
    (source
     (origin
      (method url-fetch)
      (uri (string-append "https://github.com/p11-glue/p11-kit/releases/"
                          "download/" version "/p11-kit-" version ".tar.gz"))
      ;; Presumably pins the timestamps written into generated Java keystore
      ;; (JKS) files so the build is reproducible -- see the patch itself.
      (patches (search-patches "p11-kit-jks-timestamps.patch"))
      (sha256
       (base32
        "166pwj00cffv4qq4dvx0k53zka0b0r1fa0whc49007vsqyh3khgp"))))
    (build-system gnu-build-system)
    (native-inputs
     `(("pkg-config" ,pkg-config)))
    (inputs
     `(("libffi" ,libffi)
       ("libtasn1" ,libtasn1)))
    (arguments
     ;; Compile in no default trust-anchor paths, presumably because none of
     ;; the usual system locations exist in the build container.
     ;; NOTE(review): as a consequence the trust module has no anchors unless
     ;; a consumer configures them explicitly -- confirm this matches how
     ;; dependents expect to locate CA certificates.
     `(#:configure-flags '("--without-trust-paths")
       #:phases (modify-phases %standard-phases
                  (add-before 'check 'prepare-tests
                    (lambda _
                      ;; "test-runtime" expects XDG_RUNTIME_DIR to be set up
                      ;; and looks for .cache and other directories (only).
                      ;; For simplicity just drop it since it is irrelevant
                      ;; in the build container.
                      (substitute* "Makefile"
                        (("test-runtime\\$\\(EXEEXT\\)") ""))
                      #t)))))
    (home-page "https://p11-glue.freedesktop.org/p11-kit.html")
    (synopsis "PKCS#11 library")
    (description
     "p11-kit provides a way to load and enumerate PKCS#11 modules. It
provides a standard configuration setup for installing PKCS#11 modules
in such a way that they are discoverable. It also solves problems with
coordinating the use of PKCS#11 by different components or libraries
living in the same process.")
    (license license:bsd-3)))
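(define-public gnutls
  (package
    (name "gnutls")
    (version "3.6.6")
    (source (origin
             (method url-fetch)
             (uri
              ;; Note: Releases are no longer on ftp.gnu.org since the
              ;; schism (after version 3.1.5).
              (string-append "mirror://gnupg/gnutls/v"
                             (version-major+minor version)
                             "/gnutls-" version ".tar.xz"))
             ;; Presumably skips the test that exercises the system trust
             ;; store, which does not exist in the build container (see the
             ;; trust-store configure flag below).
             (patches (search-patches "gnutls-skip-trust-store-test.patch"))
             (sha256
              (base32
               "19rcfgsfxb01cyz8jxmmgkjqc7y5s97amajzyknk1i1amywcm6mv"))))
    (build-system gnu-build-system)
    (arguments
     `(;; Ensure we don't keep a reference to this buggy software.  It is a
       ;; native input only (presumably for the test suite), so a retained
       ;; reference would mean something leaked into the installed files.
       #:disallowed-references (,net-tools)
       #:configure-flags
       (list
             ;; GnuTLS doesn't consult any environment variables to specify
             ;; the location of the system-wide trust store.  Instead it has a
             ;; configure-time option.  Unless specified, its configure script
             ;; attempts to auto-detect the location by looking for common
             ;; places in the file system, none of which are present in our
             ;; chroot build environment.  If not found, then no default trust
             ;; store is used, so each program has to provide its own
             ;; fallback, and users have to configure each program
             ;; independently.  This seems suboptimal.
             ;;
             ;; Security note: whatever the running system places under
             ;; /etc/ssl/certs is trusted by every GnuTLS client by default.
             "--with-default-trust-store-dir=/etc/ssl/certs"

             ;; FIXME: Temporarily disable p11-kit support since it is not
             ;; working on mips64el.  Consequence: no PKCS#11 tokens and no
             ;; p11-kit trust module; trust comes only from the directory
             ;; above.
             "--without-p11-kit")

       #:phases (modify-phases %standard-phases
                  (add-after
                   'install 'move-doc
                   (lambda* (#:key outputs #:allow-other-keys)
                     ;; Copy the 4.1 MiB of section 3 man pages to "doc".
                     (let* ((out    (assoc-ref outputs "out"))
                            (doc    (assoc-ref outputs "doc"))
                            (mandir (string-append doc "/share/man/man3"))
                            (oldman (string-append out "/share/man/man3")))
                       (mkdir-p mandir)
                       (copy-recursively oldman mandir)
                       (delete-file-recursively oldman)
                       #t))))))
    (outputs '("out"                                  ;4.4 MiB
               "debug"
               "doc"))                                ;4.1 MiB of man pages
    (native-inputs
     `(("net-tools" ,net-tools)
       ("pkg-config" ,pkg-config)
       ("which" ,which)))
    (inputs
     `(("guile" ,guile-2.2)))
    (propagated-inputs
     ;; These are all in the 'Requires.private' field of gnutls.pc.
     `(("libtasn1" ,libtasn1)
       ("libidn2" ,libidn2)
       ("nettle" ,nettle)
       ("zlib" ,zlib)))
    (home-page "https://www.gnu.org/software/gnutls/")
    (synopsis "Transport layer security library")
    ;; The description used to say "X.5009"; the standard is X.509.
    (description
     "GnuTLS is a secure communications library implementing the SSL, TLS
and DTLS protocols. It is provided in the form of a C library to support the
protocols, as well as to parse and write X.509, PKCS 12, OpenPGP and other
required structures.")
    (license license:lgpl2.1+)
    (properties '((ftp-server . "ftp.gnutls.org")
                  (ftp-directory . "/gcrypt/gnutls")))))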
079f013b 240(define-public gnutls/guile-2.2
a0700787
LC
241 (deprecated-package "guile2.2-gnutls" gnutls))
(define-public gnutls/guile-2.0
  ;; Variant whose Guile bindings are built against Guile 2.0: identical to
  ;; 'gnutls' except that the "guile" input is swapped out.
  (package
    (inherit gnutls)
    (name "guile2.0-gnutls")
    (inputs
     (let ((rest (alist-delete "guile" (package-inputs gnutls))))
       (cons `("guile" ,guile-2.0) rest)))))
5b9aa107 251(define-public gnutls/dane
252 ;; GnuTLS with build libgnutls-dane, implementing DNS-based
253 ;; Authentication of Named Entities. This is required for GNS functionality
254 ;; by GNUnet and gnURL. This is done in an extra package definition
255 ;; to have the choice between GnuTLS with Dane and without Dane.
256 (package
257 (inherit gnutls)
258 (name "gnutls-dane")
259 (inputs `(("unbound" ,unbound)
260 ,@(package-inputs gnutls)))))
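(define-public openssl
  ;; OpenSSL 1.0.2; 'openssl-next' below tracks the 1.1.1 series and
  ;; inherits most of this definition.
  (package
    (name "openssl")
    (version "1.0.2r")
    (source (origin
              (method url-fetch)
              ;; The FTP mirrors are unauthenticated transports; that is
              ;; acceptable only because the tarball is pinned by the sha256
              ;; below.  The "old/" path is where upstream moves a release once
              ;; a newer letter release supersedes it.
              (uri (list (string-append "https://www.openssl.org/source/openssl-"
                                        version ".tar.gz")
                         (string-append "ftp://ftp.openssl.org/source/"
                                        "openssl-" version ".tar.gz")
                         (string-append "ftp://ftp.openssl.org/source/old/"
                                        (string-trim-right version char-set:letter)
                                        "/openssl-" version ".tar.gz")))
              (sha256
               (base32
                "1mnh27zf6r1bhm5d9fxqq9slv2gz0d9z2ij9i679b0wapa5x0ldf"))
              (patches (search-patches "openssl-runpath.patch"
                                       "openssl-c-rehash-in.patch"))))
    (build-system gnu-build-system)
    (outputs '("out"
               "doc"        ;1.5MiB of man3 pages
               "static"))   ;6MiB of .a files
    (native-inputs `(("perl" ,perl)))
    (arguments
     `(;; Changes to OpenSSL sometimes cause Perl to "sneak in" to the closure,
       ;; so we explicitly disallow it here.  Give the keyword exactly once:
       ;; a single list naming both the 'perl' used as native input and the
       ;; canonical perl, so the check is unambiguous whichever of the two a
       ;; stray reference points to.  (Listing the keyword twice in one
       ;; argument list leaves it to Guile's keyword handling to pick one.)
       #:disallowed-references (,perl ,(canonical-package perl))
       #:parallel-build? #f
       #:parallel-tests? #f
       #:test-target "test"
       #:phases
       (modify-phases %standard-phases
         (add-before
          'configure 'patch-Makefile.org
          (lambda* (#:key outputs #:allow-other-keys)
            ;; The default MANDIR is some unusual place.  Fix that.
            (let ((out (assoc-ref outputs "out")))
              (patch-makefile-SHELL "Makefile.org")
              (substitute* "Makefile.org"
                (("^MANDIR[[:blank:]]*=.*$")
                 (string-append "MANDIR = " out "/share/man\n")))
              #t)))
         (replace
          'configure
          (lambda* (#:key outputs #:allow-other-keys)
            (let ((out (assoc-ref outputs "out")))
              (invoke "./config"
                      "shared"                 ;build shared libraries
                      "--libdir=lib"

                      ;; The default for this catch-all directory is
                      ;; PREFIX/ssl.  Change that to something more
                      ;; conventional.
                      (string-append "--openssldir=" out
                                     "/share/openssl-" ,version)

                      (string-append "--prefix=" out)))))
         (add-after 'install 'move-static-libraries
           (lambda* (#:key outputs #:allow-other-keys)
             ;; Move static libraries to the "static" output.
             (let* ((out    (assoc-ref outputs "out"))
                    (lib    (string-append out "/lib"))
                    (static (assoc-ref outputs "static"))
                    (slib   (string-append static "/lib")))
               (for-each (lambda (file)
                           (install-file file slib)
                           (delete-file file))
                         (find-files lib "\\.a$"))
               #t)))
         (add-after 'install 'move-man3-pages
           (lambda* (#:key outputs #:allow-other-keys)
             ;; Move section 3 man pages to "doc".
             (let* ((out    (assoc-ref outputs "out"))
                    (man3   (string-append out "/share/man/man3"))
                    (doc    (assoc-ref outputs "doc"))
                    (target (string-append doc "/share/man/man3")))
               (mkdir-p target)
               (for-each (lambda (file)
                           (rename-file file
                                        (string-append target "/"
                                                       (basename file))))
                         (find-files man3))
               (delete-file-recursively man3)
               #t)))
         (add-before
          'patch-source-shebangs 'patch-tests
          (lambda* (#:key inputs native-inputs #:allow-other-keys)
            ;; The test scripts hard-code /bin/sh and /bin/rm, which are not
            ;; available in the build container.
            (let ((bash (assoc-ref (or native-inputs inputs) "bash")))
              (substitute* (find-files "test" ".*")
                (("/bin/sh")
                 (string-append bash "/bin/sh"))
                (("/bin/rm")
                 "rm"))
              #t)))
         (add-after
          'install 'remove-miscellany
          (lambda* (#:key outputs #:allow-other-keys)
            ;; The 'misc' directory contains random undocumented shell and Perl
            ;; scripts.  Remove them to avoid retaining a reference on Perl.
            (let ((out (assoc-ref outputs "out")))
              (delete-file-recursively (string-append out "/share/openssl-"
                                                      ,version "/misc"))
              #t))))))
    (native-search-paths
     ;; Both variables designate exactly one directory/file, hence
     ;; 'separator' #f: a ":"-joined list would not be a usable path.
     (list (search-path-specification
            (variable "SSL_CERT_DIR")
            (separator #f)              ;single entry
            (files '("etc/ssl/certs")))
           (search-path-specification
            (variable "SSL_CERT_FILE")
            (file-type 'regular)
            (separator #f)              ;single entry
            (files '("etc/ssl/certs/ca-certificates.crt")))))
    (synopsis "SSL/TLS implementation")
    (description
     "OpenSSL is an implementation of SSL/TLS.")
    (license license:openssl)
    (home-page "https://www.openssl.org/")))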
(define-public openssl-next
  ;; OpenSSL 1.1.1, deliberately kept under the same package name as
  ;; 'openssl' (presumably so it can be selected by version).  Everything not
  ;; overridden below -- build system, native inputs, the SSL_CERT_* search
  ;; paths, the disallowed Perl reference -- is inherited from 'openssl'.
  (package
    (inherit openssl)
    (name "openssl")
    (version "1.1.1b")
    (source (origin
              (method url-fetch)
              (uri (list (string-append "https://www.openssl.org/source/openssl-"
                                        version ".tar.gz")
                         (string-append "ftp://ftp.openssl.org/source/"
                                        "openssl-" version ".tar.gz")
                         (string-append "ftp://ftp.openssl.org/source/old/"
                                        (string-trim-right version char-set:letter)
                                        "/openssl-" version ".tar.gz")))
              ;; 1.1 has its own c_rehash patch; the 1.0.2 'openssl-runpath'
              ;; patch is presumably unnecessary because -rpath is passed to
              ;; ./config below.
              (patches (search-patches "openssl-1.1-c-rehash-in.patch"))
              (sha256
               (base32
                "0jza8cmznnyiia43056dij1jdmz62dx17wsn0zxksh9h6817nmaw"))))
    (outputs '("out"
               "doc"        ; 6.8 MiB of man3 pages and full HTML documentation
               "static"))   ; 6.4 MiB of .a files
    (arguments
     (substitute-keyword-arguments (package-arguments openssl)
       ((#:phases phases)
        `(modify-phases ,phases
           (delete 'patch-tests)          ; These two phases are not needed by
           (delete 'patch-Makefile.org)   ; OpenSSL 1.1.

           ;; Override configure phase since -rpath is now a configure option.
           (replace 'configure
             (lambda* (#:key outputs #:allow-other-keys)
               (let* ((out (assoc-ref outputs "out"))
                      (lib (string-append out "/lib")))
                 ;; It's not a shebang so patch-source-shebangs misses it.
                 (substitute* "config"
                   (("/usr/bin/env")
                    (string-append (assoc-ref %build-inputs "coreutils")
                                   "/bin/env")))
                 (invoke "./config"
                         "shared"       ;build shared libraries
                         "--libdir=lib"

                         ;; The default for this catch-all directory is
                         ;; PREFIX/ssl.  Change that to something more
                         ;; conventional.
                         (string-append "--openssldir=" out
                                        "/share/openssl-" ,version)

                         (string-append "--prefix=" out)
                         ;; Bake OUT/lib into the binaries' RUNPATH so the
                         ;; openssl tool finds its own libssl/libcrypto.
                         (string-append "-Wl,-rpath," lib)))))

           (delete 'move-man3-pages)
           (add-after 'install 'move-extra-documentation
             (lambda* (#:key outputs #:allow-other-keys)
               ;; Move man3 pages and full HTML documentation to "doc".
               (let* ((out    (assoc-ref outputs "out"))
                      (man3   (string-append out "/share/man/man3"))
                      (html (string-append out "/share/doc/openssl"))
                      (doc    (assoc-ref outputs "doc"))
                      (man-target (string-append doc "/share/man/man3"))
                      (html-target (string-append doc "/share/doc/openssl")))
                 (copy-recursively man3 man-target)
                 (delete-file-recursively man3)
                 (copy-recursively html html-target)
                 (delete-file-recursively html)
                 #t)))
           ;; XXX: Duplicate this phase to make sure 'version' evaluates
           ;; in the current scope and not the inherited one.  (The inherited
           ;; phase would delete OUT/share/openssl-1.0.2r/misc, which does
           ;; not exist here, and leave the 1.1.1b 'misc' scripts in place.)
           (replace 'remove-miscellany
             (lambda* (#:key outputs #:allow-other-keys)
               ;; The 'misc' directory contains random undocumented shell and Perl
               ;; scripts.  Remove them to avoid retaining a reference on Perl.
               (let ((out (assoc-ref outputs "out")))
                 (delete-file-recursively (string-append out "/share/openssl-"
                                                         ,version "/misc"))
                 #t)))))))))
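(define-public libressl
  (package
    (name "libressl")
    (version "2.7.4")
    (source (origin
              (method url-fetch)
              (uri (string-append "mirror://openbsd/LibreSSL/"
                                  name "-" version ".tar.gz"))
              (sha256
               (base32
                "19kxa5i97q7p6rrps9qm0nd8zqhdjvzx02j72400c73cl2nryfhy"))))
    (build-system gnu-build-system)
    (arguments
     ;; Do as if 'getentropy' was missing since older Linux kernels lack it
     ;; and libc would return ENOSYS, which is not properly handled.
     ;; See <https://lists.gnu.org/archive/html/guix-devel/2017-04/msg00235.html>.
     ;; NOTE(review): this makes LibreSSL's portable layer use its fallback
     ;; entropy source instead; review that fallback if old kernels matter.
     '(#:configure-flags '("ac_cv_func_getentropy=no"
                           ;; Provide a TLS-enabled netcat.
                           "--enable-nc")))
    (native-search-paths
     ;; These two variables designate a single file or directory, not a
     ;; colon-separated list, so they are declared with 'separator' #f
     ;; exactly as for 'openssl' above.  Without it, several profile entries
     ;; providing the file would be joined with ":" into a path LibreSSL
     ;; cannot open, presumably leaving it without any trust store.
     (list (search-path-specification
            (variable "SSL_CERT_DIR")
            (separator #f)              ;single entry
            (files '("etc/ssl/certs")))
           (search-path-specification
            (variable "SSL_CERT_FILE")
            (file-type 'regular)
            (separator #f)              ;single entry
            (files '("etc/ssl/certs/ca-certificates.crt")))))
    (home-page "https://www.libressl.org/")
    (synopsis "SSL/TLS implementation")
    (description "LibreSSL is a version of the TLS/crypto stack, forked from
OpenSSL in 2014 with the goals of modernizing the codebase, improving security,
and applying best practice development processes. This package also includes a
netcat implementation that supports TLS.")
    ;; Files taken from OpenSSL keep their license, others are under various
    ;; non-copyleft licenses.
    (license (list license:openssl
                   (license:non-copyleft
                     "file://COPYING"
                     "See COPYING in the distribution.")))))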
6cefd53d 503(define-public python-acme
7890e3ba 504 (package
6cefd53d 505 (name "python-acme")
686d4259 506 ;; Remember to update the hash of certbot when updating python-acme.
ed362d16 507 (version "0.31.0")
7890e3ba 508 (source (origin
9495cf9a 509 (method url-fetch)
f349d36e 510 (uri (pypi-uri "acme" version))
881006b6
MB
511 (sha256
512 (base32
ed362d16 513 "1gxjv09c695lj8swspa390nch117i60qkrgy135383vfk00jsp3y"))))
7890e3ba
LF
514 (build-system python-build-system)
515 (arguments
6cefd53d 516 `(#:phases
9bee9d87 517 (modify-phases %standard-phases
1fc8476d
MB
518 (add-after 'build 'build-documentation
519 (lambda _
d4bd2453 520 (invoke "make" "-C" "docs" "man" "info")))
1fc8476d 521 (add-after 'install 'install-documentation
50a7963a
LF
522 (lambda* (#:key outputs #:allow-other-keys)
523 (let* ((out (assoc-ref outputs "out"))
524 (man (string-append out "/share/man/man1"))
525 (info (string-append out "/info")))
1fc8476d
MB
526 (install-file "docs/_build/texinfo/acme-python.info" info)
527 (install-file "docs/_build/man/acme-python.1" man)
528 #t))))))
50a7963a 529 ;; TODO: Add optional inputs for testing.
7890e3ba 530 (native-inputs
4ae65558 531 `(("python-mock" ,python-mock)
b494bbe4 532 ("python-pytest" ,python-pytest)
50a7963a
LF
533 ;; For documentation
534 ("python-sphinx" ,python-sphinx)
535 ("python-sphinxcontrib-programoutput" ,python-sphinxcontrib-programoutput)
536 ("python-sphinx-rtd-theme" ,python-sphinx-rtd-theme)
50a7963a 537 ("texinfo" ,texinfo)))
7890e3ba 538 (propagated-inputs
92572184
LF
539 `(("python-josepy" ,python-josepy)
540 ("python-six" ,python-six)
6cefd53d 541 ("python-requests" ,python-requests)
b494bbe4 542 ("python-requests-toolbelt" ,python-requests-toolbelt)
6cefd53d
LF
543 ("python-pytz" ,python-pytz)
544 ("python-pyrfc3339" ,python-pyrfc3339)
545 ("python-pyasn1" ,python-pyasn1)
546 ("python-cryptography" ,python-cryptography)
547 ("python-pyopenssl" ,python-pyopenssl)))
4631e6c9 548 (home-page "https://github.com/certbot/certbot")
7890e3ba
LF
549 (synopsis "ACME protocol implementation in Python")
550 (description "ACME protocol implementation in Python")
551 (license license:asl2.0)))
9495cf9a 553(define-public certbot
9fd0838b 554 (package
9495cf9a 555 (name "certbot")
686d4259
LF
556 ;; Certbot and python-acme are developed in the same repository, and their
557 ;; versions should remain synchronized.
558 (version (package-version python-acme))
9fd0838b
DT
559 (source (origin
560 (method url-fetch)
f349d36e 561 (uri (pypi-uri name version))
9fd0838b
DT
562 (sha256
563 (base32
ed362d16 564 "0wq4jgyzli684h154w26xplp0fzyks2vlrnmhafhyb0h1bw9cc8c"))))
9fd0838b
DT
565 (build-system python-build-system)
566 (arguments
fed1898d 567 `(,@(substitute-keyword-arguments (package-arguments python-acme)
f26d6e4e
LF
568 ((#:phases phases)
569 `(modify-phases ,phases
1fc8476d 570 (replace 'install-documentation
f26d6e4e
LF
571 (lambda* (#:key outputs #:allow-other-keys)
572 (let* ((out (assoc-ref outputs "out"))
573 (man1 (string-append out "/share/man/man1"))
574 (man7 (string-append out "/share/man/man7"))
575 (info (string-append out "/info")))
1fc8476d
MB
576 (install-file "docs/_build/texinfo/Certbot.info" info)
577 (install-file "docs/_build/man/certbot.1" man1)
578 (install-file "docs/_build/man/certbot.7" man7)
579 #t))))))))
f9263d9a 580 ;; TODO: Add optional inputs for testing.
9fd0838b 581 (native-inputs
fed1898d 582 `(("python-nose" ,python-nose)
4ae65558 583 ("python-mock" ,python-mock)
f9263d9a 584 ;; For documentation
fed1898d
LF
585 ("python-sphinx" ,python-sphinx)
586 ("python-sphinx-rtd-theme" ,python-sphinx-rtd-theme)
587 ("python-sphinx-repoze-autointerface" ,python-sphinx-repoze-autointerface)
588 ("python-sphinxcontrib-programoutput" ,python-sphinxcontrib-programoutput)
f9263d9a 589 ("texinfo" ,texinfo)))
9fd0838b 590 (propagated-inputs
fed1898d
LF
591 `(("python-acme" ,python-acme)
592 ("python-zope-interface" ,python-zope-interface)
593 ("python-pyrfc3339" ,python-pyrfc3339)
594 ("python-pyopenssl" ,python-pyopenssl)
595 ("python-configobj" ,python-configobj)
596 ("python-configargparse" ,python-configargparse)
597 ("python-zope-component" ,python-zope-component)
598 ("python-parsedatetime" ,python-parsedatetime)
599 ("python-six" ,python-six)
600 ("python-psutil" ,python-psutil)
601 ("python-requests" ,python-requests)
602 ("python-pytz" ,python-pytz)))
d8a1be63 603 (synopsis "Let's Encrypt client by the Electronic Frontier Foundation")
80968df0
TGR
604 (description "Certbot automatically receives and installs X.509 certificates
605to enable Transport Layer Security (TLS) on servers. It interoperates with the
606Let’s Encrypt certificate authority (CA), which issues browser-trusted
607certificates for free.")
24778368 608 (home-page "https://certbot.eff.org/")
9fd0838b
DT
609 (license license:asl2.0)))
(define-public letsencrypt
  ;; Old name of 'certbot', kept so the name still resolves; the 'superseded'
  ;; property presumably lets 'guix package' steer users to certbot.
  (package
    (inherit certbot)
    (properties `((superseded . ,certbot)))
    (name "letsencrypt")))
(define-public perl-net-ssleay
  ;; Perl bindings to libssl/libcrypto, linked against the 1.0.2 'openssl'
  ;; above, which the build locates through OPENSSL_PREFIX.
  (package
    (name "perl-net-ssleay")
    (version "1.85")
    (home-page "https://metacpan.org/release/Net-SSLeay")
    (synopsis "Perl extension for using OpenSSL")
    (description
     "This module offers some high level convenience functions for accessing
web pages on SSL servers (for symmetry, the same API is offered for accessing
http servers, too), an sslcat() function for writing your own clients, and
finally access to the SSL api of the SSLeay/OpenSSL package so you can write
servers or clients for more complicated applications.")
    (license license:perl-license)
    (source
     (origin
       (method url-fetch)
       (sha256
        (base32 "1j5h4ycm8538397l204d2d5fkm9595aj174pj7bkpbhwzfwqi0cx"))
       (uri (string-append "mirror://cpan/authors/id/M/MI/MIKEM/Net-SSLeay-"
                           version ".tar.gz"))))
    (build-system perl-build-system)
    (inputs (list (list "openssl" openssl)))
    (arguments
     `(#:phases
       (modify-phases %standard-phases
         ;; Makefile.PL presumably honours OPENSSL_PREFIX when looking for
         ;; headers and libraries; point it at our OpenSSL rather than
         ;; letting it probe the (empty) system locations.
         (add-before 'configure 'set-ssl-prefix
           (lambda* (#:key inputs #:allow-other-keys)
             (let ((openssl (assoc-ref inputs "openssl")))
               (setenv "OPENSSL_PREFIX" openssl)
               #t))))))))
(define-public perl-crypt-openssl-rsa
  ;; RSA via libcrypto.  'perl-crypt-arguments' is defined further down; the
  ;; forward reference works because the 'arguments' field is evaluated
  ;; lazily (TODO confirm), and it makes Makefile.PL link against our OpenSSL.
  (package
    (name "perl-crypt-openssl-rsa")
    (version "0.31")
    (home-page "https://metacpan.org/release/Crypt-OpenSSL-RSA")
    (synopsis "RSA encoding and decoding, using the openSSL libraries")
    (description "Crypt::OpenSSL::RSA does RSA encoding and decoding (using the
OpenSSL libraries).")
    (license license:perl-license)
    (build-system perl-build-system)
    (arguments perl-crypt-arguments)
    ;; Build-time only: helps Makefile.PL locate the OpenSSL headers.
    (native-inputs
     (list (list "perl-crypt-openssl-guess" perl-crypt-openssl-guess)))
    (inputs
     (list (list "perl-crypt-openssl-bignum" perl-crypt-openssl-bignum)
           (list "perl-crypt-openssl-random" perl-crypt-openssl-random)
           (list "openssl" openssl)))
    (source
     (origin
       (method url-fetch)
       (sha256
        (base32 "0djl5i6kibl7862b6ih29q8dhg5zpwzq77q9j8hp6xngshx40ws1"))
       (uri (string-append
             "mirror://cpan/authors/id/T/TO/TODDR/Crypt-OpenSSL-RSA-"
             version ".tar.gz"))))))
(define perl-crypt-arguments
  ;; Build arguments shared by the Crypt::OpenSSL::* modules in this file.
  ;; Their Makefile.PL hard-codes a 'LIBS' entry; rewrite it so the XS code
  ;; links against libcrypto from the "openssl" input rather than whatever
  ;; the module would otherwise guess.
  `(#:phases
    (modify-phases %standard-phases
      (add-before 'configure 'patch-Makefile.PL
        (lambda* (#:key inputs #:allow-other-keys)
          (let ((openssl (assoc-ref inputs "openssl")))
            (substitute* "Makefile.PL"
              (("'LIBS'.*=>.*")
               (string-append "'LIBS' => ['-L" openssl "/lib -lcrypto'],")))
            #t))))))
(define-public perl-crypt-openssl-bignum
  ;; Wrapper over OpenSSL's multiprecision integers; shares
  ;; 'perl-crypt-arguments' so the build links against the 'openssl' input.
  (package
    (name "perl-crypt-openssl-bignum")
    (version "0.09")
    (home-page "https://metacpan.org/release/Crypt-OpenSSL-Bignum")
    (synopsis "OpenSSL's multiprecision integer arithmetic in Perl")
    (description "Crypt::OpenSSL::Bignum provides multiprecision integer
arithmetic in Perl.")
    ;; At your option either gpl1+ or the Artistic License
    (license license:perl-license)
    (build-system perl-build-system)
    (arguments perl-crypt-arguments)
    (inputs (list (list "openssl" openssl)))
    (source
     (origin
       (method url-fetch)
       (sha256
        (base32 "1p22znbajq91lbk2k3yg12ig7hy5b4vy8igxwqkmbm4nhgxp4ki3"))
       (uri (string-append
             "mirror://cpan/authors/id/K/KM/KMX/Crypt-OpenSSL-Bignum-"
             version ".tar.gz"))))))
(define-public perl-crypt-openssl-guess
  ;; Build-time helper used by the Crypt::OpenSSL::* modules in this file to
  ;; locate OpenSSL.  It has no "openssl" input of its own and does not use
  ;; 'perl-crypt-arguments'.
  (package
    (name "perl-crypt-openssl-guess")
    (version "0.11")
    (home-page "https://metacpan.org/release/Crypt-OpenSSL-Guess")
    (synopsis "Guess the OpenSSL include path")
    (description
     "The Crypt::OpenSSL::Guess Perl module provides helpers to guess the
correct OpenSSL include path. It is intended for use in your
@file{Makefile.PL}.")
    (license license:perl-license)
    (build-system perl-build-system)
    (source
     (origin
       (method url-fetch)
       (sha256
        (base32 "0rvi9l4ljcbhwwvspq019nfq2h2v746dk355h2nwnlmqikiihsxa"))
       (uri (string-append
             "mirror://cpan/authors/id/A/AK/AKIYM/Crypt-OpenSSL-Guess-"
             version ".tar.gz"))))))
(define-public perl-crypt-openssl-random
  ;; Perl access to the OpenSSL/LibreSSL random number generator; linked
  ;; against the 'openssl' input through 'perl-crypt-arguments'.
  (package
    (name "perl-crypt-openssl-random")
    (version "0.13")
    (home-page "https://metacpan.org/release/Crypt-OpenSSL-Random")
    (synopsis "OpenSSL/LibreSSL pseudo-random number generator access")
    (description "Crypt::OpenSSL::Random is a OpenSSL/LibreSSL pseudo-random
number generator")
    (license license:perl-license)
    (build-system perl-build-system)
    (arguments perl-crypt-arguments)
    ;; Build-time only: helps Makefile.PL locate the OpenSSL headers.
    (native-inputs
     (list (list "perl-crypt-openssl-guess" perl-crypt-openssl-guess)))
    (inputs (list (list "openssl" openssl)))
    (source
     (origin
       (method url-fetch)
       (sha256
        (base32 "0vmvrb3shrzjzri3qn524dzdasbq8zhhbpc1vmq8sx68n4jhizb0"))
       (uri (string-append
             "mirror://cpan/authors/id/R/RU/RURBAN/Crypt-OpenSSL-Random-"
             version ".tar.gz"))))))
(define-public acme-client
  ;; C ACME client built against LibreSSL (not the 'openssl' packages above).
  (package
    (name "acme-client")
    (version "0.1.16")
    (source (origin
              (method url-fetch)
              (uri (string-append "https://kristaps.bsd.lv/" name "/"
                                  "snapshots/" name "-portable-"
                                  version ".tgz"))
              (sha256
               (base32
                "00q05b3b1dfnfp7sr1nbd212n0mqrycl3cr9lbs51m7ncaihbrz9"))))
    (build-system gnu-build-system)
    (arguments
     '(#:tests? #f                      ; no test suite
       #:make-flags
       (list "CC=gcc"
             (string-append "PREFIX=" (assoc-ref %outputs "out")))
       #:phases
       (modify-phases %standard-phases
         (add-after 'unpack 'patch-paths
           (lambda* (#:key inputs #:allow-other-keys)
             ;; http.c hard-codes "/etc/ssl/cert.pem" (presumably the CA
             ;; bundle used to verify the ACME server's HTTPS endpoint).
             ;; Point it at the bundle shipped inside the libressl input,
             ;; which is a store path the binary can rely on at run time.
             ;; NOTE(review): this pins trust to LibreSSL's bundled cert.pem
             ;; rather than the profile's SSL_CERT_FILE / /etc/ssl/certs used
             ;; by the other TLS stacks in this file -- confirm this is
             ;; intended and that the bundle is refreshed with libressl.
             (let ((pem (string-append (assoc-ref inputs "libressl")
                                       "/etc/ssl/cert.pem")))
               (substitute* "http.c"
                 (("/etc/ssl/cert.pem") pem))
               #t)))
         (delete 'configure))))         ; no './configure' script
    (native-inputs
     `(("pkg-config" ,pkg-config)))
    (inputs
     `(("libbsd" ,libbsd)
       ("libressl" ,libressl)))
    (synopsis "Let's Encrypt client by the OpenBSD project")
    (description "acme-client is a Let's Encrypt client implemented in C. It
uses a modular design, and attempts to secure itself by dropping privileges and
operating in a chroot where possible. acme-client is developed on OpenBSD and
then ported to the GNU / Linux environment.")
    (home-page "https://kristaps.bsd.lv/acme-client/")
    ;; acme-client is distributed under the ISC license, but the files 'jsmn.h'
    ;; and 'jsmn.c' are distributed under the Expat license.
    (license (list license:isc license:expat))))
;; The "-apache" variant is the one upstream prefers.  A "-gpl" variant of
;; the same release exists in addition to the "-apache" one.
(define-public mbedtls-apache
  (package
    (name "mbedtls-apache")
    (version "2.16.0")
    (source
     (origin
       (method url-fetch)
       ;; The download buttons on tls.mbed.org are script redirects; this is
       ;; the direct URL they ultimately resolve to.  The hash pins the exact
       ;; "-apache" tarball, so a changed redirect target cannot go unnoticed.
       (uri (string-append "https://tls.mbed.org/download/mbedtls-" version
                           "-apache.tgz"))
       (sha256
        (base32 "1qlscr0m97favkqmrlj90rlgw40h8lcypxz0snvr1iwkj1pbbnp3"))))
    (build-system cmake-build-system)
    ;; Build the shared library as well as the static one.  No #:tests?
    ;; override is given, so the build system's default test handling applies.
    (arguments
     '(#:configure-flags (list "-DUSE_SHARED_MBEDTLS_LIBRARY=ON")))
    ;; Build-time only; presumably used by the project's helper scripts
    ;; (scripts/config.pl is one of them, see mbedtls-for-hiawatha).
    (native-inputs
     `(("perl" ,perl)
       ("python" ,python)))
    (home-page "https://tls.mbed.org")
    (synopsis "Small TLS library")
    (description
     "@code{mbed TLS}, formerly known as PolarSSL, makes it trivially easy
for developers to include cryptographic and SSL/TLS capabilities in their
(embedded) products, facilitating this functionality with a minimal
coding footprint.")
    (license license:asl2.0)))
;; The Hiawatha web server requires mbed TLS to be built with its threading
;; layer (MBEDTLS_THREADING_C and MBEDTLS_THREADING_PTHREAD) enabled.
(define-public mbedtls-for-hiawatha
  ;; mbedtls-apache with the pthread-based threading layer compiled in, for
  ;; the Hiawatha web server.  Hidden so that it is not picked up by accident
  ;; in place of mbedtls-apache.
  (hidden-package
   (package
     (inherit mbedtls-apache)
     (arguments
      ;; NOTE(review): no substitution clauses are passed here, so this call
      ;; appears to hand the quasiquoted list through unchanged: the #:phases
      ;; entry is simply placed in front of the parent's arguments.  Should
      ;; mbedtls-apache ever gain its own #:phases, that entry would come
      ;; second and be shadowed -- confirm before relying on it.
      (substitute-keyword-arguments
          `(#:phases
            (modify-phases %standard-phases
              ;; Runs after 'configure; scripts/config.pl presumably edits
              ;; the mbed TLS configuration header, which is only read when
              ;; the sources are compiled (not shown here -- see upstream).
              (add-after 'configure 'configure-extra-features
                (lambda _
                  (invoke "scripts/config.pl" "set" "MBEDTLS_THREADING_C")
                  (invoke "scripts/config.pl" "set" "MBEDTLS_THREADING_PTHREAD")
                  #t)))
            ,@(package-arguments mbedtls-apache)))))))
(define-public ghc-tls
  (package
    (name "ghc-tls")
    (version "1.4.1")
    (source
     (origin
       (method url-fetch)
       (uri (string-append "https://hackage.haskell.org/package/tls/tls-"
                           version ".tar.gz"))
       (sha256
        (base32 "1y083724mym28n6xfaz7pcc7zqxdhjpaxpbvzxfbs25qq2px3smv"))))
    (build-system haskell-build-system)
    ;; Run-time dependencies.  cryptonite presumably supplies the primitives
    ;; and the x509-* packages the certificate parsing/validation; neither
    ;; is determined by this recipe alone.
    (inputs
     `(("ghc-cereal" ,ghc-cereal)
       ("ghc-data-default-class" ,ghc-data-default-class)
       ("ghc-memory" ,ghc-memory)
       ("ghc-cryptonite" ,ghc-cryptonite)
       ("ghc-asn1-types" ,ghc-asn1-types)
       ("ghc-asn1-encoding" ,ghc-asn1-encoding)
       ("ghc-x509" ,ghc-x509)
       ("ghc-x509-store" ,ghc-x509-store)
       ("ghc-x509-validation" ,ghc-x509-validation)
       ("ghc-async" ,ghc-async)
       ("ghc-network" ,ghc-network)
       ("ghc-hourglass" ,ghc-hourglass)))
    ;; Test-suite dependencies only.
    (native-inputs
     `(("ghc-tasty" ,ghc-tasty)
       ("ghc-tasty-quickcheck" ,ghc-tasty-quickcheck)
       ("ghc-quickcheck" ,ghc-quickcheck)))
    (home-page "https://github.com/vincenthz/hs-tls")
    (synopsis "TLS/SSL protocol native implementation (Server and Client)")
    ;; NOTE(review): upstream's description still lists SSL 3.0 among the
    ;; implemented protocol versions.  SSL 3.0 is deprecated (RFC 7568);
    ;; whether this library enables it by default is not determined here, so
    ;; dependants should check the defaults of their client/server parameters.
    (description
     "Native Haskell TLS and SSL protocol implementation for server and client.
This provides a high-level implementation of a sensitive security protocol,
eliminating a common set of security issues through the use of the advanced
type system, high level constructions and common Haskell features. Currently
implement the SSL3.0, TLS1.0, TLS1.1 and TLS1.2 protocol, and support RSA and
Ephemeral (Elliptic curve and regular) Diffie Hellman key exchanges, and many
extensions.")
    (license license:bsd-3)))
(define-public dehydrated
  (package
    (name "dehydrated")
    (version "0.6.2")
    (source
     (origin
       (method url-fetch)
       (uri (string-append
             "https://github.com/lukas2511/dehydrated/releases/download/v"
             version "/dehydrated-" version ".tar.gz"))
       (sha256
        (base32 "03p80yj6bnzjc6dkp5hb9wpplmlrla8n5src71cnzw4rj53q8cqn"))))
    ;; Upstream is a single Bash script, so nothing is compiled: the builder
    ;; unpacks the tarball, installs the script and wraps it.
    (build-system trivial-build-system)
    (arguments
     `(#:modules ((guix build utils))
       #:builder
       (begin
         (use-modules (guix build utils))
         (let* ((tarball (assoc-ref %build-inputs "source"))
                (tar-bin (string-append (assoc-ref %build-inputs "tar")
                                        "/bin/tar"))
                (gzip-bin (string-append (assoc-ref %build-inputs "gzip")
                                         "/bin"))
                (bash-bin (in-vicinity (assoc-ref %build-inputs "bash") "bin"))
                (out (assoc-ref %outputs "out"))
                (bin (string-append out "/bin"))
                (doc (string-append out "/share/doc/" ,name "-" ,version))
                ;; Every tool the script calls at run time is put on its
                ;; PATH, so it does not pick up a different curl or openssl
                ;; from the user's environment.  Note that only PATH is set:
                ;; which CA bundle curl trusts when talking to the ACME
                ;; server is left to the run-time environment, not pinned
                ;; by this package.
                (runtime-path
                 (map (lambda (input)
                        (string-append (assoc-ref %build-inputs input)
                                       "/bin"))
                      '("coreutils" "curl" "diffutils" "gawk" "grep"
                        "openssl" "sed"))))
           ;; tar needs gzip on PATH to decompress the archive.
           (setenv "PATH" gzip-bin)
           (invoke tar-bin "xvf" tarball)
           (chdir (string-append ,name "-" ,version))

           (install-file "dehydrated" bin)
           (install-file "LICENSE" doc)
           (with-directory-excursion bin
             (patch-shebang "dehydrated" (list bash-bin))

             ;; By default the script keeps its state (accounts, keys,
             ;; certificates) next to itself, which here would be the
             ;; read-only store; point it at a per-user directory instead.
             ;; Only a SCRIPTDIR="$..." assignment matches this pattern.
             (substitute* "dehydrated"
               (("SCRIPTDIR=\"\\$.*\"") "SCRIPTDIR=~/.dehydrated"))

             ;; wrap-program presumably needs a bash on PATH to write the
             ;; wrapper; nothing else is needed on PATH at this point.
             (setenv "PATH" bash-bin)
             (wrap-program "dehydrated"
               `("PATH" ":" prefix ,runtime-path))))
         #t)))
    (inputs
     `(("bash" ,bash)
       ("coreutils" ,coreutils)
       ("curl" ,curl)
       ("diffutils" ,diffutils)
       ("gawk" ,gawk)
       ("grep" ,grep)
       ("openssl" ,openssl)
       ("sed" ,sed)))
    ;; Only needed to unpack the source.
    (native-inputs
     `(("gzip" ,gzip)
       ("tar" ,tar)))
    (home-page "https://dehydrated.io/")
    (synopsis "Let's Encrypt/ACME client implemented as a shell script")
    (description "Dehydrated is a client for signing certificates with an
ACME-server (currently only provided by Let's Encrypt) implemented as a
relatively simple Bash script.")
    (license license:expat)))