Commit | Line | Data |
---|---|---|
233e7676 | 1 | ;;; GNU Guix --- Functional package management for GNU |
3c0f7910 | 2 | ;;; Copyright © 2012, 2013, 2014, 2015, 2016, 2017 Ludovic Courtès <ludo@gnu.org> |
e3df6938 | 3 | ;;; Copyright © 2014, 2015, 2016, 2017 Mark H Weaver <mhw@netris.org> |
29a7c98a | 4 | ;;; Copyright © 2014 Ian Denhardt <ian@zenhack.net> |
cc2b77df | 5 | ;;; Copyright © 2013, 2015 Andreas Enge <andreas@enge.fr> |
9fd0838b | 6 | ;;; Copyright © 2015 David Thompson <davet@gnu.org> |
df0625ab | 7 | ;;; Copyright © 2015, 2016, 2017 Leo Famulari <leo@famulari.name> |
2ed12d3f | 8 | ;;; Copyright © 2016, 2017 Efraim Flashner <efraim@flashner.co.il> |
5b9aa107 | 9 | ;;; Copyright © 2016, 2017 ng0 <ng0@infotropique.org> |
375cef6c | 10 | ;;; Copyright © 2016 Hartmut Goebel <h.goebel@crazy-compilers.com> |
ee33f9a7 | 11 | ;;; Copyright © 2017 Ricardo Wurmus <rekado@elephly.net> |
88e2511e | 12 | ;;; Copyright © 2017 Marius Bakke <mbakke@fastmail.com> |
7543f865 | 13 | ;;; |
233e7676 | 14 | ;;; This file is part of GNU Guix. |
7543f865 | 15 | ;;; |
233e7676 | 16 | ;;; GNU Guix is free software; you can redistribute it and/or modify it |
7543f865 LC |
17 | ;;; under the terms of the GNU General Public License as published by |
18 | ;;; the Free Software Foundation; either version 3 of the License, or (at | |
19 | ;;; your option) any later version. | |
20 | ;;; | |
233e7676 | 21 | ;;; GNU Guix is distributed in the hope that it will be useful, but |
7543f865 LC |
22 | ;;; WITHOUT ANY WARRANTY; without even the implied warranty of |
23 | ;;; MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the | |
24 | ;;; GNU General Public License for more details. | |
25 | ;;; | |
26 | ;;; You should have received a copy of the GNU General Public License | |
233e7676 | 27 | ;;; along with GNU Guix. If not, see <http://www.gnu.org/licenses/>. |
7543f865 | 28 | |
a7fd7b68 | 29 | (define-module (gnu packages tls) |
e9aa8d0c | 30 | #:use-module ((guix licenses) #:prefix license:) |
7543f865 LC |
31 | #:use-module (guix packages) |
32 | #:use-module (guix download) | |
29a7c98a | 33 | #:use-module (guix utils) |
7543f865 | 34 | #:use-module (guix build-system gnu) |
cc2b77df | 35 | #:use-module (guix build-system perl) |
7890e3ba | 36 | #:use-module (guix build-system python) |
88522738 | 37 | #:use-module (guix build-system cmake) |
f61e0e79 | 38 | #:use-module (gnu packages compression) |
013ce67b | 39 | #:use-module (gnu packages) |
5b9aa107 | 40 | #:use-module (gnu packages dns) |
1ffa7090 | 41 | #:use-module (gnu packages guile) |
0581c273 | 42 | #:use-module (gnu packages libbsd) |
27e86bed | 43 | #:use-module (gnu packages libffi) |
866f469e | 44 | #:use-module (gnu packages libidn) |
5d4c90ae | 45 | #:use-module (gnu packages linux) |
7890e3ba | 46 | #:use-module (gnu packages ncurses) |
27e86bed | 47 | #:use-module (gnu packages nettle) |
1ffa7090 | 48 | #:use-module (gnu packages perl) |
27e86bed | 49 | #:use-module (gnu packages pkg-config) |
7890e3ba | 50 | #:use-module (gnu packages python) |
a31f4d35 | 51 | #:use-module (gnu packages texinfo) |
079f013b LC |
52 | #:use-module (gnu packages base) |
53 | #:use-module (srfi srfi-1)) | |
7543f865 LC |
54 | |
55 | (define-public libtasn1 | |
56 | (package | |
57 | (name "libtasn1") | |
ee33f9a7 | 58 | (version "4.12") |
7543f865 LC |
59 | (source |
60 | (origin | |
61 | (method url-fetch) | |
62 | (uri (string-append "mirror://gnu/libtasn1/libtasn1-" | |
63 | version ".tar.gz")) | |
64 | (sha256 | |
65 | (base32 | |
3651c471 EF |
66 | "0ls7jdq3y5fnrwg0pzhq11m21r8pshac2705bczz6mqjc8pdllv7")) |
67 | (patches (search-patches "libtasn1-CVE-2017-10790.patch")))) | |
7543f865 | 68 | (build-system gnu-build-system) |
3ea110b7 | 69 | (native-inputs `(("perl" ,perl))) |
6fd52309 | 70 | (home-page "https://www.gnu.org/software/libtasn1/") |
f50d2669 | 71 | (synopsis "ASN.1 library") |
7543f865 | 72 | (description |
79c311b8 LC |
73 | "GNU libtasn1 is a library implementing the ASN.1 notation. It is used |
74 | for transmitting machine-neutral encodings of data objects in computer | |
a22dc0c4 LC |
75 | networking, allowing for formal validation of data according to some |
76 | specifications.") | |
e9aa8d0c | 77 | (license license:lgpl2.0+))) |
7543f865 | 78 | |
375cef6c HG |
79 | (define-public asn1c |
80 | (package | |
81 | (name "asn1c") | |
ff7da7e0 | 82 | (version "0.9.28") |
375cef6c HG |
83 | (source (origin |
84 | (method url-fetch) | |
85 | (uri (string-append "https://lionet.info/soft/asn1c-" | |
86 | version ".tar.gz")) | |
87 | (sha256 | |
88 | (base32 | |
ff7da7e0 | 89 | "1fc64g45ykmv73kdndr4zdm4wxhimhrir4rxnygxvwkych5l81w0")))) |
375cef6c HG |
90 | (build-system gnu-build-system) |
91 | (native-inputs | |
92 | `(("perl" ,perl))) | |
93 | (home-page "https://lionet.info/asn1c") | |
94 | (synopsis "ASN.1 to C compiler") | |
95 | (description "The ASN.1 to C compiler takes ASN.1 module | |
96 | files and generates C++ compatible C source code. That code can be | |
97 | used to serialize the native C structures into compact and unambiguous | |
98 | BER/XER/PER-based data files, and deserialize the files back. | |
99 | ||
100 | Various ASN.1 based formats are widely used in the industry, such as to encode | |
101 | the X.509 certificates employed in the HTTPS handshake, to exchange control | |
102 | data between mobile phones and cellular networks, to car-to-car communication | |
103 | in intelligent transportation networks.") | |
104 | (license license:bsd-2))) | |
105 | ||
27e86bed AE |
106 | (define-public p11-kit |
107 | (package | |
108 | (name "p11-kit") | |
2a6e049a | 109 | (version "0.23.9") |
27e86bed AE |
110 | (source |
111 | (origin | |
112 | (method url-fetch) | |
e6ad9bda MB |
113 | (uri (string-append "https://github.com/p11-glue/p11-kit/releases/" |
114 | "download/" version "/p11-kit-" version ".tar.gz")) | |
27e86bed AE |
115 | (sha256 |
116 | (base32 | |
2a6e049a | 117 | "0qyvnkb5hfi94wv3bn67y20hcbbvynvjwxpk7k9sh1si6ff69hg1")))) |
27e86bed AE |
118 | (build-system gnu-build-system) |
119 | (native-inputs | |
120 | `(("pkg-config" ,pkg-config))) | |
121 | (inputs | |
122 | `(("libffi" ,libffi) | |
123 | ("libtasn1" ,libtasn1))) | |
124 | (arguments | |
125 | `(#:configure-flags '("--without-trust-paths"))) | |
126 | (home-page "http://p11-glue.freedesktop.org/p11-kit.html") | |
127 | (synopsis "PKCS#11 library") | |
128 | (description | |
129 | "p11-kit provides a way to load and enumerate PKCS#11 modules. It | |
130 | provides a standard configuration setup for installing PKCS#11 modules | |
131 | in such a way that they are discoverable. It also solves problems with | |
132 | coordinating the use of PKCS#11 by different components or libraries | |
133 | living in the same process.") | |
e9aa8d0c | 134 | (license license:bsd-3))) |
27e86bed | 135 | |
f96dbf6b LF |
136 | |
137 | ;; TODO Add net-tools-for-tests to #:disallowed-references when we can afford | |
138 | ;; rebuild GnuTLS (i.e. core-updates). | |
7543f865 LC |
139 | (define-public gnutls |
140 | (package | |
141 | (name "gnutls") | |
5bace4c8 | 142 | (version "3.5.13") |
d7d408d5 LC |
143 | (source (origin |
144 | (method url-fetch) | |
145 | (uri | |
146 | ;; Note: Releases are no longer on ftp.gnu.org since the | |
147 | ;; schism (after version 3.1.5). | |
d93627e4 | 148 | (string-append "mirror://gnupg/gnutls/v" |
29a7c98a | 149 | (version-major+minor version) |
d93627e4 | 150 | "/gnutls-" version ".tar.xz")) |
5bace4c8 MB |
151 | (patches |
152 | (search-patches "gnutls-skip-trust-store-test.patch" | |
153 | "gnutls-skip-pkgconfig-test.patch")) | |
d7d408d5 LC |
154 | (sha256 |
155 | (base32 | |
5bace4c8 | 156 | "15ihq6p0hnnhs8cnjrkj40dmlcaa1jjg8xg0g2ydbnlqs454ixbr")))) |
7543f865 | 157 | (build-system gnu-build-system) |
b94ae0b8 AK |
158 | (arguments |
159 | '(#:configure-flags | |
a0700787 | 160 | (list |
aa7c7f21 MW |
161 | ;; GnuTLS doesn't consult any environment variables to specify |
162 | ;; the location of the system-wide trust store. Instead it has a | |
163 | ;; configure-time option. Unless specified, its configure script | |
164 | ;; attempts to auto-detect the location by looking for common | |
8f65585b | 165 | ;; places in the file system, none of which are present in our |
aa7c7f21 MW |
166 | ;; chroot build environment. If not found, then no default trust |
167 | ;; store is used, so each program has to provide its own | |
168 | ;; fallback, and users have to configure each program | |
169 | ;; independently. This seems suboptimal. | |
866f469e MW |
170 | "--with-default-trust-store-dir=/etc/ssl/certs" |
171 | ||
172 | ;; FIXME: Temporarily disable p11-kit support since it is not | |
173 | ;; working on mips64el. | |
606c6380 LC |
174 | "--without-p11-kit") |
175 | ||
176 | #:phases (modify-phases %standard-phases | |
177 | (add-after | |
178 | 'install 'move-doc | |
179 | (lambda* (#:key outputs #:allow-other-keys) | |
180 | ;; Copy the 4.1 MiB of section 3 man pages to "doc". | |
181 | (let* ((out (assoc-ref outputs "out")) | |
182 | (doc (assoc-ref outputs "doc")) | |
9cdce047 | 183 | (mandir (string-append doc "/share/man/man3")) |
606c6380 LC |
184 | (oldman (string-append out "/share/man/man3"))) |
185 | (mkdir-p mandir) | |
186 | (copy-recursively oldman mandir) | |
187 | (delete-file-recursively oldman) | |
188 | #t)))))) | |
189 | (outputs '("out" ;4.4 MiB | |
190 | "debug" | |
191 | "doc")) ;4.1 MiB of man pages | |
a1db0975 | 192 | (native-inputs |
f96dbf6b | 193 | `(("net-tools" ,net-tools-for-tests) |
5d4c90ae | 194 | ("pkg-config" ,pkg-config) |
d2fcfd3d | 195 | ("which" ,which))) |
7543f865 | 196 | (inputs |
a0700787 | 197 | `(("guile" ,guile-2.2))) |
7543f865 | 198 | (propagated-inputs |
d2fcfd3d | 199 | ;; These are all in the 'Requires.private' field of gnutls.pc. |
7543f865 | 200 | `(("libtasn1" ,libtasn1) |
55e61c4d | 201 | ("libidn2" ,libidn2) |
866f469e | 202 | ("nettle" ,nettle) |
f61e0e79 | 203 | ("zlib" ,zlib))) |
c19700c3 | 204 | (home-page "https://www.gnu.org/software/gnutls/") |
f50d2669 | 205 | (synopsis "Transport layer security library") |
7543f865 | 206 | (description |
a22dc0c4 | 207 | "GnuTLS is a secure communications library implementing the SSL, TLS |
79c311b8 | 208 | and DTLS protocols. It is provided in the form of a C library to support the |
a22dc0c4 LC |
209 | protocols, as well as to parse and write X.5009, PKCS 12, OpenPGP and other |
210 | required structures.") | |
63e8bb12 LC |
211 | (license license:lgpl2.1+) |
212 | (properties '((ftp-server . "ftp.gnutls.org") | |
213 | (ftp-directory . "/gcrypt/gnutls"))))) | |
cc2b77df | 214 | |
079f013b | 215 | (define-public gnutls/guile-2.2 |
a0700787 LC |
216 | (deprecated-package "guile2.2-gnutls" gnutls)) |
217 | ||
218 | (define-public gnutls/guile-2.0 | |
219 | ;; GnuTLS for Guile 2.0. | |
079f013b | 220 | (package |
58ea4d40 | 221 | (inherit gnutls) |
a0700787 LC |
222 | (name "guile2.0-gnutls") |
223 | (inputs `(("guile" ,guile-2.0) | |
58ea4d40 | 224 | ,@(alist-delete "guile" (package-inputs gnutls)))))) |
079f013b | 225 | |
5b9aa107 | 226 | (define-public gnutls/dane |
227 | ;; GnuTLS with build libgnutls-dane, implementing DNS-based | |
228 | ;; Authentication of Named Entities. This is required for GNS functionality | |
229 | ;; by GNUnet and gnURL. This is done in an extra package definition | |
230 | ;; to have the choice between GnuTLS with Dane and without Dane. | |
231 | (package | |
232 | (inherit gnutls) | |
233 | (name "gnutls-dane") | |
234 | (inputs `(("unbound" ,unbound) | |
235 | ,@(package-inputs gnutls))))) | |
236 | ||
cc2b77df AE |
237 | (define-public openssl |
238 | (package | |
239 | (name "openssl") | |
bdf0b6fc | 240 | (version "1.0.2m") |
cc2b77df | 241 | (source (origin |
4cff124b | 242 | (method url-fetch) |
bdf0b6fc MB |
243 | (uri (list (string-append "https://www.openssl.org/source/openssl-" |
244 | version ".tar.gz") | |
245 | (string-append "ftp://ftp.openssl.org/source/" | |
4cff124b LC |
246 | name "-" version ".tar.gz") |
247 | (string-append "ftp://ftp.openssl.org/source/old/" | |
248 | (string-trim-right version char-set:letter) | |
249 | "/" name "-" version ".tar.gz"))) | |
250 | (sha256 | |
251 | (base32 | |
bdf0b6fc | 252 | "03vvlfnxx4lhxc83ikfdl6jqph4h52y7lb7li03va6dkqrgg2vwc")) |
8a9b08b5 ST |
253 | (snippet |
254 | '(begin | |
255 | ;; Remove ELF files. 'substitute*' can't read them. | |
256 | (delete-file "test/ssltest_old") | |
257 | (delete-file "test/v3ext") | |
258 | (delete-file "test/x509aux") | |
259 | #t)) | |
fc1adab1 | 260 | (patches (search-patches "openssl-runpath.patch" |
1d8de185 | 261 | "openssl-c-rehash-in.patch")))) |
cc2b77df | 262 | (build-system gnu-build-system) |
8c78aeb7 | 263 | (outputs '("out" |
a909b576 | 264 | "doc" ;1.5MiB of man3 pages |
8c78aeb7 | 265 | "static")) ;6MiB of .a files |
cc2b77df AE |
266 | (native-inputs `(("perl" ,perl))) |
267 | (arguments | |
d03781c3 LC |
268 | `(#:disallowed-references (,perl) |
269 | #:parallel-build? #f | |
cc2b77df AE |
270 | #:parallel-tests? #f |
271 | #:test-target "test" | |
8c9ec203 LF |
272 | |
273 | ;; Changes to OpenSSL sometimes cause Perl to "sneak in" to the closure, | |
274 | ;; so we explicitly disallow it here. | |
275 | #:disallowed-references ,(list (canonical-package perl)) | |
cc2b77df | 276 | #:phases |
b6cb1358 | 277 | (modify-phases %standard-phases |
4fb254a3 | 278 | (add-before |
86c8f1da | 279 | 'configure 'patch-Makefile.org |
4fb254a3 LC |
280 | (lambda* (#:key outputs #:allow-other-keys) |
281 | ;; The default MANDIR is some unusual place. Fix that. | |
282 | (let ((out (assoc-ref outputs "out"))) | |
86c8f1da | 283 | (patch-makefile-SHELL "Makefile.org") |
4fb254a3 LC |
284 | (substitute* "Makefile.org" |
285 | (("^MANDIR[[:blank:]]*=.*$") | |
286 | (string-append "MANDIR = " out "/share/man\n"))) | |
287 | #t))) | |
b6cb1358 LC |
288 | (replace |
289 | 'configure | |
290 | (lambda* (#:key outputs #:allow-other-keys) | |
291 | (let ((out (assoc-ref outputs "out"))) | |
292 | (zero? | |
293 | (system* "./config" | |
294 | "shared" ;build shared libraries | |
295 | "--libdir=lib" | |
4fb254a3 LC |
296 | |
297 | ;; The default for this catch-all directory is | |
298 | ;; PREFIX/ssl. Change that to something more | |
299 | ;; conventional. | |
300 | (string-append "--openssldir=" out | |
301 | "/share/openssl-" ,version) | |
302 | ||
b6cb1358 LC |
303 | (string-append "--prefix=" out) |
304 | ||
305 | ;; XXX FIXME: Work around a code generation bug in GCC | |
306 | ;; 4.9.3 on ARM when compiled with -mfpu=neon. See: | |
307 | ;; <https://gcc.gnu.org/bugzilla/show_bug.cgi?id=66917> | |
308 | ,@(if (and (not (%current-target-system)) | |
309 | (string-prefix? "armhf" (%current-system))) | |
310 | '("-mfpu=vfpv3") | |
311 | '())))))) | |
fe8199a8 LC |
312 | (add-after |
313 | 'install 'make-libraries-writable | |
314 | (lambda* (#:key outputs #:allow-other-keys) | |
315 | ;; Make libraries writable so that 'strip' does its job. | |
316 | (let ((out (assoc-ref outputs "out"))) | |
317 | (for-each (lambda (file) | |
318 | (chmod file #o644)) | |
319 | (find-files (string-append out "/lib") | |
320 | "\\.so")) | |
321 | #t))) | |
8c78aeb7 LC |
322 | (add-after 'install 'move-static-libraries |
323 | (lambda* (#:key outputs #:allow-other-keys) | |
324 | ;; Move static libraries to the "static" output. | |
325 | (let* ((out (assoc-ref outputs "out")) | |
326 | (lib (string-append out "/lib")) | |
327 | (static (assoc-ref outputs "static")) | |
328 | (slib (string-append static "/lib"))) | |
8c78aeb7 LC |
329 | (for-each (lambda (file) |
330 | (install-file file slib) | |
331 | (delete-file file)) | |
332 | (find-files lib "\\.a$")) | |
333 | #t))) | |
a909b576 LC |
334 | (add-after 'install 'move-man3-pages |
335 | (lambda* (#:key outputs #:allow-other-keys) | |
336 | ;; Move section 3 man pages to "doc". | |
337 | (let* ((out (assoc-ref outputs "out")) | |
338 | (man3 (string-append out "/share/man/man3")) | |
339 | (doc (assoc-ref outputs "doc")) | |
340 | (target (string-append doc "/share/man/man3"))) | |
341 | (mkdir-p target) | |
342 | (for-each (lambda (file) | |
343 | (rename-file file | |
344 | (string-append target "/" | |
345 | (basename file)))) | |
346 | (find-files man3)) | |
5c838ec9 | 347 | (delete-file-recursively man3) |
a909b576 | 348 | #t))) |
b6cb1358 LC |
349 | (add-before |
350 | 'patch-source-shebangs 'patch-tests | |
351 | (lambda* (#:key inputs native-inputs #:allow-other-keys) | |
352 | (let ((bash (assoc-ref (or native-inputs inputs) "bash"))) | |
353 | (substitute* (find-files "test" ".*") | |
354 | (("/bin/sh") | |
08a78c2f | 355 | (string-append bash "/bin/sh")) |
b6cb1358 | 356 | (("/bin/rm") |
86c8f1da MW |
357 | "rm")) |
358 | #t))) | |
784d6e91 LC |
359 | (add-after |
360 | 'install 'remove-miscellany | |
361 | (lambda* (#:key outputs #:allow-other-keys) | |
362 | ;; The 'misc' directory contains random undocumented shell and Perl | |
363 | ;; scripts. Remove them to avoid retaining a reference on Perl. | |
364 | (let ((out (assoc-ref outputs "out"))) | |
365 | (delete-file-recursively (string-append out "/share/openssl-" | |
366 | ,version "/misc")) | |
367 | #t)))))) | |
cc2b77df AE |
368 | (native-search-paths |
369 | ;; FIXME: These two variables must designate a single file or directory | |
370 | ;; and are not actually "search paths." In practice it works OK in user | |
371 | ;; profiles because there's always just one item that matches the | |
372 | ;; specification. | |
373 | (list (search-path-specification | |
374 | (variable "SSL_CERT_DIR") | |
375 | (files '("etc/ssl/certs"))) | |
376 | (search-path-specification | |
377 | (variable "SSL_CERT_FILE") | |
378 | (files '("etc/ssl/certs/ca-certificates.crt"))))) | |
379 | (synopsis "SSL/TLS implementation") | |
380 | (description | |
e881752c | 381 | "OpenSSL is an implementation of SSL/TLS.") |
e9aa8d0c | 382 | (license license:openssl) |
cc2b77df AE |
383 | (home-page "http://www.openssl.org/"))) |
384 | ||
763899f0 LF |
385 | (define-public openssl-next |
386 | (package | |
387 | (inherit openssl) | |
388 | (name "openssl") | |
77576be4 | 389 | (version "1.1.0g") |
763899f0 LF |
390 | (source (origin |
391 | (method url-fetch) | |
77576be4 MB |
392 | (uri (list (string-append "https://www.openssl.org/source/openssl-" |
393 | version ".tar.gz") | |
394 | (string-append "ftp://ftp.openssl.org/source/" | |
763899f0 LF |
395 | name "-" version ".tar.gz") |
396 | (string-append "ftp://ftp.openssl.org/source/old/" | |
397 | (string-trim-right version char-set:letter) | |
398 | "/" name "-" version ".tar.gz"))) | |
399 | (patches (search-patches "openssl-1.1.0-c-rehash-in.patch")) | |
400 | (sha256 | |
401 | (base32 | |
77576be4 | 402 | "1bvka2wf33w2vxv7yw578nnjqyhz2b3chvfb0l4k2ffscw950kfy")))) |
763899f0 LF |
403 | (outputs '("out" |
404 | "doc" ;1.3MiB of man3 pages | |
405 | "static")) ; 5.5MiB of .a files | |
406 | (arguments | |
407 | (substitute-keyword-arguments (package-arguments openssl) | |
408 | ((#:phases phases) | |
409 | `(modify-phases ,phases | |
410 | (delete 'patch-tests) ; These two phases are not needed by | |
411 | (delete 'patch-Makefile.org) ; OpenSSL 1.1.0. | |
412 | ||
fc184fe2 MB |
413 | ;; Override configure phase since -rpath is now a configure option. |
414 | (replace 'configure | |
763899f0 | 415 | (lambda* (#:key outputs #:allow-other-keys) |
fc184fe2 MB |
416 | (let* ((out (assoc-ref outputs "out")) |
417 | (lib (string-append out "/lib"))) | |
418 | (zero? | |
419 | (system* "./config" | |
420 | "shared" ;build shared libraries | |
421 | "--libdir=lib" | |
422 | ||
423 | ;; The default for this catch-all directory is | |
424 | ;; PREFIX/ssl. Change that to something more | |
425 | ;; conventional. | |
426 | (string-append "--openssldir=" out | |
427 | "/share/openssl-" ,version) | |
428 | ||
429 | (string-append "--prefix=" out) | |
430 | (string-append "-Wl,-rpath," lib) | |
431 | ||
432 | ;; XXX FIXME: Work around a code generation bug in GCC | |
433 | ;; 4.9.3 on ARM when compiled with -mfpu=neon. See: | |
434 | ;; <https://gcc.gnu.org/bugzilla/show_bug.cgi?id=66917> | |
435 | ,@(if (and (not (%current-target-system)) | |
436 | (string-prefix? "armhf" (%current-system))) | |
437 | '("-mfpu=vfpv3") | |
438 | '())))))) | |
439 | ||
440 | ;; XXX: Duplicate this phase to make sure 'version' evaluates | |
441 | ;; in the current scope and not the inherited one. | |
442 | (replace 'remove-miscellany | |
443 | (lambda* (#:key outputs #:allow-other-keys) | |
444 | ;; The 'misc' directory contains random undocumented shell and Perl | |
445 | ;; scripts. Remove them to avoid retaining a reference on Perl. | |
446 | (let ((out (assoc-ref outputs "out"))) | |
447 | (delete-file-recursively (string-append out "/share/openssl-" | |
448 | ,version "/misc")) | |
763899f0 LF |
449 | #t))))))))) |
450 | ||
cb6a802c AE |
451 | (define-public libressl |
452 | (package | |
453 | (name "libressl") | |
1d919d32 | 454 | (version "2.5.5") |
644e5f17 TGR |
455 | (source (origin |
456 | (method url-fetch) | |
457 | (uri (string-append "mirror://openbsd/LibreSSL/" | |
458 | name "-" version ".tar.gz")) | |
459 | (sha256 | |
460 | (base32 | |
461 | "1i77viqy1afvbr392npk9v54k9zhr9zq2vhv6pliza22b0ymwzz5")))) | |
cb6a802c | 462 | (build-system gnu-build-system) |
a2d64899 LC |
463 | (arguments |
464 | ;; Do as if 'getentropy' was missing since older Linux kernels lack it | |
465 | ;; and libc would return ENOSYS, which is not properly handled. | |
466 | ;; See <https://lists.gnu.org/archive/html/guix-devel/2017-04/msg00235.html>. | |
df08f385 LF |
467 | '(#:configure-flags '("ac_cv_func_getentropy=no" |
468 | ;; Provide a TLS-enabled netcat. | |
469 | "--enable-nc"))) | |
cb6a802c AE |
470 | (native-search-paths |
471 | ;; FIXME: These two variables must designate a single file or directory | |
472 | ;; and are not actually "search paths." In practice it works OK in | |
473 | ;; user profiles because there's always just one item that matches the | |
474 | ;; specification. | |
475 | (list (search-path-specification | |
476 | (variable "SSL_CERT_DIR") | |
477 | (files '("etc/ssl/certs"))) | |
478 | (search-path-specification | |
479 | (variable "SSL_CERT_FILE") | |
480 | (files '("etc/ssl/certs/ca-certificates.crt"))))) | |
2ed12d3f | 481 | (home-page "https://www.libressl.org/") |
cb6a802c | 482 | (synopsis "SSL/TLS implementation") |
df08f385 LF |
483 | (description "LibreSSL is a version of the TLS/crypto stack, forked from |
484 | OpenSSL in 2014 with the goals of modernizing the codebase, improving security, | |
485 | and applying best practice development processes. This package also includes a | |
486 | netcat implementation that supports TLS.") | |
cb6a802c AE |
487 | ;; Files taken from OpenSSL keep their license, others are under various |
488 | ;; non-copyleft licenses. | |
489 | (license (list license:openssl | |
490 | (license:non-copyleft | |
491 | "file://COPYING" | |
492 | "See COPYING in the distribution."))))) | |
493 | ||
6cefd53d | 494 | (define-public python-acme |
7890e3ba | 495 | (package |
6cefd53d | 496 | (name "python-acme") |
686d4259 | 497 | ;; Remember to update the hash of certbot when updating python-acme. |
eb93f1c9 | 498 | (version "0.19.0") |
7890e3ba | 499 | (source (origin |
9495cf9a | 500 | (method url-fetch) |
f349d36e | 501 | (uri (pypi-uri "acme" version)) |
881006b6 MB |
502 | (sha256 |
503 | (base32 | |
eb93f1c9 | 504 | "08p8w50zciqlhgn3ab0wbbvi1zyg3x37r1gywq0z1allsij3v8hz")))) |
7890e3ba LF |
505 | (build-system python-build-system) |
506 | (arguments | |
6cefd53d | 507 | `(#:phases |
9bee9d87 | 508 | (modify-phases %standard-phases |
1fc8476d MB |
509 | (add-after 'build 'build-documentation |
510 | (lambda _ | |
511 | (zero? (system* "make" "-C" "docs" "man" "info")))) | |
512 | (add-after 'install 'install-documentation | |
50a7963a LF |
513 | (lambda* (#:key outputs #:allow-other-keys) |
514 | (let* ((out (assoc-ref outputs "out")) | |
515 | (man (string-append out "/share/man/man1")) | |
516 | (info (string-append out "/info"))) | |
1fc8476d MB |
517 | (install-file "docs/_build/texinfo/acme-python.info" info) |
518 | (install-file "docs/_build/man/acme-python.1" man) | |
519 | #t)))))) | |
50a7963a | 520 | ;; TODO: Add optional inputs for testing. |
7890e3ba | 521 | (native-inputs |
4ae65558 | 522 | `(("python-mock" ,python-mock) |
50a7963a LF |
523 | ;; For documentation |
524 | ("python-sphinx" ,python-sphinx) | |
525 | ("python-sphinxcontrib-programoutput" ,python-sphinxcontrib-programoutput) | |
526 | ("python-sphinx-rtd-theme" ,python-sphinx-rtd-theme) | |
50a7963a | 527 | ("texinfo" ,texinfo))) |
7890e3ba | 528 | (propagated-inputs |
57fe07db | 529 | `(("python-six" ,python-six) |
6cefd53d LF |
530 | ("python-requests" ,python-requests) |
531 | ("python-pytz" ,python-pytz) | |
532 | ("python-pyrfc3339" ,python-pyrfc3339) | |
533 | ("python-pyasn1" ,python-pyasn1) | |
534 | ("python-cryptography" ,python-cryptography) | |
535 | ("python-pyopenssl" ,python-pyopenssl))) | |
7890e3ba LF |
536 | (home-page "https://github.com/letsencrypt/letsencrypt") |
537 | (synopsis "ACME protocol implementation in Python") | |
538 | (description "ACME protocol implementation in Python") | |
539 | (license license:asl2.0))) | |
540 | ||
9495cf9a | 541 | (define-public certbot |
9fd0838b | 542 | (package |
9495cf9a | 543 | (name "certbot") |
686d4259 LF |
544 | ;; Certbot and python-acme are developed in the same repository, and their |
545 | ;; versions should remain synchronized. | |
546 | (version (package-version python-acme)) | |
9fd0838b DT |
547 | (source (origin |
548 | (method url-fetch) | |
f349d36e | 549 | (uri (pypi-uri name version)) |
9fd0838b DT |
550 | (sha256 |
551 | (base32 | |
eb93f1c9 | 552 | "0lwxqz3r0fg3dy06fgba1dfs7n6ribc25z0rh5rqbl7mvy8hf8x7")))) |
9fd0838b DT |
553 | (build-system python-build-system) |
554 | (arguments | |
fed1898d | 555 | `(,@(substitute-keyword-arguments (package-arguments python-acme) |
f26d6e4e LF |
556 | ((#:phases phases) |
557 | `(modify-phases ,phases | |
1fc8476d | 558 | (replace 'install-documentation |
f26d6e4e LF |
559 | (lambda* (#:key outputs #:allow-other-keys) |
560 | (let* ((out (assoc-ref outputs "out")) | |
561 | (man1 (string-append out "/share/man/man1")) | |
562 | (man7 (string-append out "/share/man/man7")) | |
563 | (info (string-append out "/info"))) | |
1fc8476d MB |
564 | (install-file "docs/_build/texinfo/Certbot.info" info) |
565 | (install-file "docs/_build/man/certbot.1" man1) | |
566 | (install-file "docs/_build/man/certbot.7" man7) | |
567 | #t)))))))) | |
f9263d9a | 568 | ;; TODO: Add optional inputs for testing. |
9fd0838b | 569 | (native-inputs |
fed1898d | 570 | `(("python-nose" ,python-nose) |
4ae65558 | 571 | ("python-mock" ,python-mock) |
f9263d9a | 572 | ;; For documentation |
fed1898d LF |
573 | ("python-sphinx" ,python-sphinx) |
574 | ("python-sphinx-rtd-theme" ,python-sphinx-rtd-theme) | |
575 | ("python-sphinx-repoze-autointerface" ,python-sphinx-repoze-autointerface) | |
576 | ("python-sphinxcontrib-programoutput" ,python-sphinxcontrib-programoutput) | |
f9263d9a | 577 | ("texinfo" ,texinfo))) |
9fd0838b | 578 | (propagated-inputs |
fed1898d LF |
579 | `(("python-acme" ,python-acme) |
580 | ("python-zope-interface" ,python-zope-interface) | |
581 | ("python-pyrfc3339" ,python-pyrfc3339) | |
582 | ("python-pyopenssl" ,python-pyopenssl) | |
583 | ("python-configobj" ,python-configobj) | |
584 | ("python-configargparse" ,python-configargparse) | |
585 | ("python-zope-component" ,python-zope-component) | |
586 | ("python-parsedatetime" ,python-parsedatetime) | |
587 | ("python-six" ,python-six) | |
588 | ("python-psutil" ,python-psutil) | |
589 | ("python-requests" ,python-requests) | |
590 | ("python-pytz" ,python-pytz))) | |
d8a1be63 | 591 | (synopsis "Let's Encrypt client by the Electronic Frontier Foundation") |
80968df0 TGR |
592 | (description "Certbot automatically receives and installs X.509 certificates |
593 | to enable Transport Layer Security (TLS) on servers. It interoperates with the | |
594 | Let’s Encrypt certificate authority (CA), which issues browser-trusted | |
595 | certificates for free.") | |
24778368 | 596 | (home-page "https://certbot.eff.org/") |
9fd0838b DT |
597 | (license license:asl2.0))) |
598 | ||
9495cf9a LF |
599 | (define-public letsencrypt |
600 | (package (inherit certbot) | |
56ab55d1 LF |
601 | (name "letsencrypt") |
602 | (properties `((superseded . ,certbot))))) | |
9495cf9a | 603 | |
cc2b77df AE |
604 | (define-public perl-net-ssleay |
605 | (package | |
606 | (name "perl-net-ssleay") | |
76cb9060 | 607 | (version "1.81") |
cc2b77df AE |
608 | (source (origin |
609 | (method url-fetch) | |
610 | (uri (string-append "mirror://cpan/authors/id/M/MI/MIKEM/" | |
611 | "Net-SSLeay-" version ".tar.gz")) | |
612 | (sha256 | |
613 | (base32 | |
76cb9060 | 614 | "0z8vya34g88bc41kx955sv7y4niwbbywji8liqbl52v29qbvdjq0")))) |
cc2b77df AE |
615 | (build-system perl-build-system) |
616 | (inputs `(("openssl" ,openssl))) | |
617 | (arguments | |
1084ec08 MW |
618 | `(#:phases |
619 | (modify-phases %standard-phases | |
1084ec08 MW |
620 | (add-before |
621 | 'configure 'set-ssl-prefix | |
622 | (lambda* (#:key inputs #:allow-other-keys) | |
623 | (setenv "OPENSSL_PREFIX" (assoc-ref inputs "openssl")) | |
624 | #t))))) | |
cc2b77df AE |
625 | (synopsis "Perl extension for using OpenSSL") |
626 | (description | |
627 | "This module offers some high level convenience functions for accessing | |
628 | web pages on SSL servers (for symmetry, the same API is offered for accessing | |
629 | http servers, too), an sslcat() function for writing your own clients, and | |
630 | finally access to the SSL api of the SSLeay/OpenSSL package so you can write | |
631 | servers or clients for more complicated applications.") | |
2f3108ad | 632 | (license license:perl-license) |
cc2b77df | 633 | (home-page "http://search.cpan.org/~mikem/Net-SSLeay-1.66/"))) |
4532c0c0 DM |
634 | |
635 | (define-public perl-crypt-openssl-rsa | |
636 | (package | |
637 | (name "perl-crypt-openssl-rsa") | |
638 | (version "0.28") | |
639 | (source | |
640 | (origin | |
641 | (method url-fetch) | |
642 | (uri (string-append | |
643 | "mirror://cpan/authors/id/P/PE/PERLER/Crypt-OpenSSL-RSA-" | |
644 | version | |
645 | ".tar.gz")) | |
646 | (sha256 | |
647 | (base32 | |
648 | "1gnpvv09b2gpifwdzc5jnhama3d1a4c39lzj9hcaicsb8rvzjmsk")))) | |
649 | (build-system perl-build-system) | |
650 | (inputs | |
651 | `(("perl-crypt-openssl-bignum" ,perl-crypt-openssl-bignum) | |
652 | ("perl-crypt-openssl-random" ,perl-crypt-openssl-random) | |
653 | ("openssl" ,openssl))) | |
654 | (arguments perl-crypt-arguments) | |
655 | (home-page | |
656 | "http://search.cpan.org/dist/Crypt-OpenSSL-RSA") | |
657 | (synopsis | |
658 | "RSA encoding and decoding, using the openSSL libraries") | |
659 | (description "Crypt::OpenSSL::RSA does RSA encoding and decoding (using the | |
660 | OpenSSL libraries).") | |
2f3108ad | 661 | (license license:perl-license))) |
adff71ca DM |
662 | |
663 | (define perl-crypt-arguments | |
664 | `(#:phases (modify-phases %standard-phases | |
665 | (add-before 'configure 'patch-Makefile.PL | |
666 | (lambda* (#:key inputs #:allow-other-keys) | |
667 | (substitute* "Makefile.PL" | |
668 | (("'LIBS'.*=>.*") (string-append "'LIBS' => ['-L" | |
669 | (assoc-ref inputs "openssl") | |
670 | "/lib -lcrypto'],"))) | |
671 | #t))))) | |
672 | ||
673 | (define-public perl-crypt-openssl-bignum | |
674 | (package | |
675 | (name "perl-crypt-openssl-bignum") | |
94793c1d | 676 | (version "0.08") |
adff71ca DM |
677 | (source |
678 | (origin | |
679 | (method url-fetch) | |
680 | (uri (string-append | |
681 | "mirror://cpan/authors/id/K/KM/KMX/Crypt-OpenSSL-Bignum-" | |
682 | version | |
683 | ".tar.gz")) | |
684 | (sha256 | |
685 | (base32 | |
94793c1d | 686 | "0gamn4dff1bz77nswacy1dlpn9fkwahzw7yvvik4nbwwy2s63hc8")))) |
adff71ca DM |
687 | (build-system perl-build-system) |
688 | (inputs `(("openssl" ,openssl))) | |
689 | (arguments perl-crypt-arguments) | |
690 | (home-page | |
691 | "http://search.cpan.org/dist/Crypt-OpenSSL-Bignum") | |
692 | (synopsis | |
693 | "OpenSSL's multiprecision integer arithmetic in Perl") | |
694 | (description "Crypt::OpenSSL::Bignum provides multiprecision integer | |
695 | arithmetic in Perl.") | |
696 | ;; At your option either gpl1+ or the Artistic License | |
2f3108ad | 697 | (license license:perl-license))) |
cccb4d26 DM |
698 | |
699 | (define-public perl-crypt-openssl-random | |
700 | (package | |
701 | (name "perl-crypt-openssl-random") | |
702 | (version "0.11") | |
703 | (source | |
704 | (origin | |
705 | (method url-fetch) | |
706 | (uri (string-append | |
707 | "mirror://cpan/authors/id/R/RU/RURBAN/Crypt-OpenSSL-Random-" | |
708 | version | |
709 | ".tar.gz")) | |
710 | (sha256 | |
711 | (base32 | |
712 | "0yjcabkibrkafywvdkmd1xpi6br48skyk3l15ni176wvlg38335v")))) | |
713 | (build-system perl-build-system) | |
714 | (inputs `(("openssl" ,openssl))) | |
715 | (arguments perl-crypt-arguments) | |
716 | (home-page | |
717 | "http://search.cpan.org/dist/Crypt-OpenSSL-Random") | |
718 | (synopsis | |
719 | "OpenSSL/LibreSSL pseudo-random number generator access") | |
720 | (description "Crypt::OpenSSL::Random is a OpenSSL/LibreSSL pseudo-random | |
721 | number generator") | |
2f3108ad | 722 | (license license:perl-license))) |
0581c273 LF |
723 | |
724 | (define-public acme-client | |
725 | (package | |
726 | (name "acme-client") | |
4a6b2a21 | 727 | (version "0.1.16") |
0581c273 LF |
728 | (source (origin |
729 | (method url-fetch) | |
730 | (uri (string-append "https://kristaps.bsd.lv/" name "/" | |
731 | "snapshots/" name "-portable-" | |
732 | version ".tgz")) | |
733 | (sha256 | |
734 | (base32 | |
4a6b2a21 | 735 | "00q05b3b1dfnfp7sr1nbd212n0mqrycl3cr9lbs51m7ncaihbrz9")))) |
0581c273 LF |
736 | (build-system gnu-build-system) |
737 | (arguments | |
738 | '(#:tests? #f ; no test suite | |
739 | #:make-flags | |
740 | (list "CC=gcc" | |
741 | (string-append "PREFIX=" (assoc-ref %outputs "out"))) | |
742 | #:phases | |
743 | (modify-phases %standard-phases | |
7c1a7bf4 LF |
744 | (add-after 'unpack 'patch-paths |
745 | (lambda* (#:key inputs #:allow-other-keys) | |
746 | (let ((pem (string-append (assoc-ref inputs "libressl") | |
747 | "/etc/ssl/cert.pem"))) | |
748 | (substitute* "http.c" | |
749 | (("/etc/ssl/cert.pem") pem)) | |
750 | #t))) | |
0581c273 | 751 | (delete 'configure)))) ; no './configure' script |
4b569a4f LF |
752 | (native-inputs |
753 | `(("pkg-config" ,pkg-config))) | |
0581c273 LF |
754 | (inputs |
755 | `(("libbsd" ,libbsd) | |
756 | ("libressl" ,libressl))) | |
757 | (synopsis "Let's Encrypt client by the OpenBSD project") | |
758 | (description "acme-client is a Let's Encrypt client implemented in C. It | |
759 | uses a modular design, and attempts to secure itself by dropping privileges and | |
760 | operating in a chroot where possible. acme-client is developed on OpenBSD and | |
761 | then ported to the GNU / Linux environment.") | |
762 | (home-page "https://kristaps.bsd.lv/acme-client/") | |
763 | ;; acme-client is distributed under the ISC license, but the files 'jsmn.h' | |
764 | ;; and 'jsmn.c' are distributed under the Expat license. | |
765 | (license (list license:isc license:expat)))) | |
88522738 | 766 | |
767 | ;; The "-apache" variant is the upstreamed prefered variant. A "-gpl" | |
768 | ;; variant exists in addition to the "-apache" one. | |
769 | (define-public mbedtls-apache | |
770 | (package | |
771 | (name "mbedtls-apache") | |
97497465 | 772 | (version "2.6.0") |
88522738 | 773 | (source |
774 | (origin | |
775 | (method url-fetch) | |
776 | ;; XXX: The download links on the website are script redirection links | |
777 | ;; which effectively lead to the format listed in the uri here. | |
778 | (uri (string-append "https://tls.mbed.org/download/mbedtls-" | |
779 | version "-apache.tgz")) | |
780 | (sha256 | |
781 | (base32 | |
97497465 | 782 | "11wnj34rfqxjggmdgf042i49lr6civgbqwv2p7p8bn6k2919vg4r")))) |
88522738 | 783 | (build-system cmake-build-system) |
784 | (native-inputs | |
785 | `(("perl" ,perl))) | |
786 | (synopsis "Small TLS library") | |
787 | (description | |
788 | "@code{mbed TLS}, formerly known as PolarSSL, makes it trivially easy | |
789 | for developers to include cryptographic and SSL/TLS capabilities in their | |
790 | (embedded) products, facilitating this functionality with a minimal | |
791 | coding footprint.") | |
792 | (home-page "https://tls.mbed.org") | |
793 | (license license:asl2.0))) |