gnu: Add python-josepy.
[jackhill/guix/guix.git] / gnu / packages / tls.scm
;;; GNU Guix --- Functional package management for GNU
;;; Copyright © 2012, 2013, 2014, 2015, 2016, 2017 Ludovic Courtès <ludo@gnu.org>
;;; Copyright © 2014, 2015, 2016, 2017 Mark H Weaver <mhw@netris.org>
;;; Copyright © 2014 Ian Denhardt <ian@zenhack.net>
;;; Copyright © 2013, 2015 Andreas Enge <andreas@enge.fr>
;;; Copyright © 2015 David Thompson <davet@gnu.org>
;;; Copyright © 2015, 2016, 2017 Leo Famulari <leo@famulari.name>
;;; Copyright © 2016, 2017 Efraim Flashner <efraim@flashner.co.il>
;;; Copyright © 2016, 2017 ng0 <ng0@infotropique.org>
;;; Copyright © 2016 Hartmut Goebel <h.goebel@crazy-compilers.com>
;;; Copyright © 2017 Ricardo Wurmus <rekado@elephly.net>
;;; Copyright © 2017 Marius Bakke <mbakke@fastmail.com>
;;; Copyright © 2017 Tobias Geerinckx-Rice <me@tobias.gr>
;;; Copyright © 2017 Rutger Helling <rhelling@mykolab.com>
;;;
;;; This file is part of GNU Guix.
;;;
;;; GNU Guix is free software; you can redistribute it and/or modify it
;;; under the terms of the GNU General Public License as published by
;;; the Free Software Foundation; either version 3 of the License, or (at
;;; your option) any later version.
;;;
;;; GNU Guix is distributed in the hope that it will be useful, but
;;; WITHOUT ANY WARRANTY; without even the implied warranty of
;;; MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
;;; GNU General Public License for more details.
;;;
;;; You should have received a copy of the GNU General Public License
;;; along with GNU Guix. If not, see <http://www.gnu.org/licenses/>.

;;; Module (gnu packages tls): TLS/SSL libraries, ASN.1 tooling, ACME clients
;;; and the Perl/Python/Haskell bindings defined in this file.
(define-module (gnu packages tls)
  ;; Licenses are imported under the 'license:' prefix so that names such as
  ;; 'openssl' can be used both for the package and for license:openssl.
  #:use-module ((guix licenses) #:prefix license:)
  #:use-module (guix packages)
  #:use-module (guix download)
  #:use-module (guix utils)
  ;; Build systems used by the packages below.
  #:use-module (guix build-system gnu)
  #:use-module (guix build-system perl)
  #:use-module (guix build-system python)
  #:use-module (guix build-system cmake)
  #:use-module (guix build-system haskell)
  #:use-module (gnu packages compression)
  #:use-module (gnu packages)
  #:use-module (gnu packages check)
  #:use-module (gnu packages dns)
  #:use-module (gnu packages guile)
  #:use-module (gnu packages haskell)
  #:use-module (gnu packages haskell-check)
  #:use-module (gnu packages haskell-crypto)
  #:use-module (gnu packages libbsd)
  #:use-module (gnu packages libffi)
  #:use-module (gnu packages libidn)
  #:use-module (gnu packages linux)
  #:use-module (gnu packages ncurses)
  #:use-module (gnu packages nettle)
  #:use-module (gnu packages perl)
  #:use-module (gnu packages pkg-config)
  #:use-module (gnu packages python)
  #:use-module (gnu packages python-crypto)
  #:use-module (gnu packages python-web)
  #:use-module (gnu packages texinfo)
  #:use-module (gnu packages time)
  #:use-module (gnu packages base)
  ;; srfi-1 provides 'alist-delete', used by gnutls/guile-2.0.
  #:use-module (srfi srfi-1))
;; GNU libtasn1: ASN.1 DER/BER encoder and decoder, a dependency of GnuTLS
;; and p11-kit below.
(define-public libtasn1
  (package
    (name "libtasn1")
    (version "4.12")
    ;; 'replacement' points at the patched variant defined right below; Guix
    ;; applies it as a graft so dependents pick up the fix without a rebuild.
    (replacement libtasn1/fixed)
    (source
     (origin
      (method url-fetch)
      (uri (string-append "mirror://gnu/libtasn1/libtasn1-"
                          version ".tar.gz"))
      ;; Integrity of the download rests on this hash, not on the mirror.
      (sha256
       (base32
        "0ls7jdq3y5fnrwg0pzhq11m21r8pshac2705bczz6mqjc8pdllv7"))))
    (build-system gnu-build-system)
    (native-inputs `(("perl" ,perl)))
    (home-page "https://www.gnu.org/software/libtasn1/")
    (synopsis "ASN.1 library")
    (description
     "GNU libtasn1 is a library implementing the ASN.1 notation. It is used
for transmitting machine-neutral encodings of data objects in computer
networking, allowing for formal validation of data according to some
specifications.")
    (license license:lgpl2.0+)))
;; Security-patched libtasn1, used as the graft target of 'libtasn1'.  It
;; differs from the parent only by the CVE-2017-10790 patch on its source.
(define libtasn1/fixed
  (let ((parent libtasn1))
    (package
      (inherit parent)
      (source (origin
                (inherit (package-source parent))
                (patches (list (search-patch "libtasn1-CVE-2017-10790.patch"))))))))
;; asn1c: compiles ASN.1 module definitions into C encoders/decoders.
(define-public asn1c
  (package
    (name "asn1c")
    (version "0.9.28")
    (source (origin
              (method url-fetch)
              (uri (string-append "https://lionet.info/soft/asn1c-"
                                  version ".tar.gz"))
              (sha256
               (base32
                "1fc64g45ykmv73kdndr4zdm4wxhimhrir4rxnygxvwkych5l81w0"))))
    (build-system gnu-build-system)
    ;; Perl is only needed at build time (it is not propagated).
    (native-inputs
     `(("perl" ,perl)))
    (home-page "https://lionet.info/asn1c")
    (synopsis "ASN.1 to C compiler")
    (description "The ASN.1 to C compiler takes ASN.1 module
files and generates C++ compatible C source code. That code can be
used to serialize the native C structures into compact and unambiguous
BER/XER/PER-based data files, and deserialize the files back.

Various ASN.1 based formats are widely used in the industry, such as to encode
the X.509 certificates employed in the HTTPS handshake, to exchange control
data between mobile phones and cellular networks, to car-to-car communication
in intelligent transportation networks.")
    (license license:bsd-2)))
;; p11-kit: loader and coordinator for PKCS#11 modules.
(define-public p11-kit
  (package
    (name "p11-kit")
    (version "0.23.9")
    (source
     (origin
      (method url-fetch)
      (uri (string-append "https://github.com/p11-glue/p11-kit/releases/"
                          "download/" version "/p11-kit-" version ".tar.gz"))
      (sha256
       (base32
        "0qyvnkb5hfi94wv3bn67y20hcbbvynvjwxpk7k9sh1si6ff69hg1"))))
    (build-system gnu-build-system)
    (native-inputs
     `(("pkg-config" ,pkg-config)))
    (inputs
     `(("libffi" ,libffi)
       ("libtasn1" ,libtasn1)))
    (arguments
     ;; No trust-store paths are compiled in; presumably the trust module
     ;; then relies entirely on run-time configuration -- confirm against
     ;; the p11-kit configure documentation before changing this.
     `(#:configure-flags '("--without-trust-paths")))
    (home-page "https://p11-glue.freedesktop.org/p11-kit.html")
    (synopsis "PKCS#11 library")
    (description
     "p11-kit provides a way to load and enumerate PKCS#11 modules. It
provides a standard configuration setup for installing PKCS#11 modules
in such a way that they are discoverable. It also solves problems with
coordinating the use of PKCS#11 by different components or libraries
living in the same process.")
    (license license:bsd-3)))
;; TODO Add net-tools-for-tests to #:disallowed-references when we can afford
;; to rebuild GnuTLS (i.e. core-updates).
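;; GnuTLS built against Guile 2.2.  The description below names the
;; structures GnuTLS parses; "X.509" was previously misspelled "X.5009".
(define-public gnutls
  (package
    (name "gnutls")
    (version "3.5.13")
    (source (origin
             (method url-fetch)
             (uri
              ;; Note: Releases are no longer on ftp.gnu.org since the
              ;; schism (after version 3.1.5).
              (string-append "mirror://gnupg/gnutls/v"
                             (version-major+minor version)
                             "/gnutls-" version ".tar.xz"))
             ;; Two tests are skipped: they need a system trust store and a
             ;; pkg-config setup that the build chroot does not provide.
             (patches
              (search-patches "gnutls-skip-trust-store-test.patch"
                              "gnutls-skip-pkgconfig-test.patch"))
             (sha256
              (base32
               "15ihq6p0hnnhs8cnjrkj40dmlcaa1jjg8xg0g2ydbnlqs454ixbr"))))
    (build-system gnu-build-system)
    (arguments
     '(#:configure-flags
       (list
        ;; GnuTLS doesn't consult any environment variables to specify
        ;; the location of the system-wide trust store. Instead it has a
        ;; configure-time option. Unless specified, its configure script
        ;; attempts to auto-detect the location by looking for common
        ;; places in the file system, none of which are present in our
        ;; chroot build environment. If not found, then no default trust
        ;; store is used, so each program has to provide its own
        ;; fallback, and users have to configure each program
        ;; independently. This seems suboptimal.
        "--with-default-trust-store-dir=/etc/ssl/certs"

        ;; FIXME: Temporarily disable p11-kit support since it is not
        ;; working on mips64el.
        "--without-p11-kit")

       #:phases (modify-phases %standard-phases
                  (add-after
                   'install 'move-doc
                   (lambda* (#:key outputs #:allow-other-keys)
                     ;; Copy the 4.1 MiB of section 3 man pages to "doc",
                     ;; then drop them from "out" so the main output stays
                     ;; small.
                     (let* ((out    (assoc-ref outputs "out"))
                            (doc    (assoc-ref outputs "doc"))
                            (mandir (string-append doc "/share/man/man3"))
                            (oldman (string-append out "/share/man/man3")))
                       (mkdir-p mandir)
                       (copy-recursively oldman mandir)
                       (delete-file-recursively oldman)
                       #t))))))
    (outputs '("out"                    ;4.4 MiB
               "debug"
               "doc"))                  ;4.1 MiB of man pages
    (native-inputs
     `(("net-tools" ,net-tools-for-tests)
       ("pkg-config" ,pkg-config)
       ("which" ,which)))
    (inputs
     `(("guile" ,guile-2.2)))
    (propagated-inputs
     ;; These are all in the 'Requires.private' field of gnutls.pc.
     `(("libtasn1" ,libtasn1)
       ("libidn2" ,libidn2)
       ("nettle" ,nettle)
       ("zlib" ,zlib)))
    (home-page "https://www.gnu.org/software/gnutls/")
    (synopsis "Transport layer security library")
    (description
     "GnuTLS is a secure communications library implementing the SSL, TLS
and DTLS protocols. It is provided in the form of a C library to support the
protocols, as well as to parse and write X.509, PKCS 12, OpenPGP and other
required structures.")
    (license license:lgpl2.1+)
    ;; Used by the updater to locate new releases.
    (properties '((ftp-server . "ftp.gnutls.org")
                  (ftp-directory . "/gcrypt/gnutls")))))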
;; Old name of the Guile 2.2 GnuTLS build; kept as a deprecated alias that
;; resolves to the plain 'gnutls' package.
(define-public gnutls/guile-2.2
  (let ((old-name "guile2.2-gnutls"))
    (deprecated-package old-name gnutls)))
;; GnuTLS for Guile 2.0: same package as 'gnutls' with the "guile" input
;; swapped for guile-2.0.
(define-public gnutls/guile-2.0
  (package
    (inherit gnutls)
    (name "guile2.0-gnutls")
    (inputs (cons (list "guile" guile-2.0)
                  (alist-delete "guile" (package-inputs gnutls))))))
;; GnuTLS with build libgnutls-dane, implementing DNS-based
;; Authentication of Named Entities. This is required for GNS functionality
;; by GNUnet and gnURL. This is done in an extra package definition
;; to have the choice between GnuTLS with Dane and without Dane.
;; Adding 'unbound' to the inputs is what makes configure enable DANE.
(define-public gnutls/dane
  (package
    (inherit gnutls)
    (name "gnutls-dane")
    (inputs (cons (list "unbound" unbound)
                  (package-inputs gnutls)))))
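;; OpenSSL 1.0.2.  '#:disallowed-references' was previously given twice in
;; the argument list (once as (,perl), once via 'canonical-package'); only
;; the 'canonical-package' form is kept so the keyword is unambiguous.
(define-public openssl
  (package
    (name "openssl")
    (version "1.0.2l")
    ;; Security fixes are delivered as a graft of the package below.
    (replacement openssl-1.0.2n)
    (source (origin
              (method url-fetch)
              ;; FTP carries no transport authentication; the sha256 below is
              ;; what guarantees the integrity of the tarball.
              (uri (list (string-append "ftp://ftp.openssl.org/source/"
                                        name "-" version ".tar.gz")
                         (string-append "ftp://ftp.openssl.org/source/old/"
                                        (string-trim-right version char-set:letter)
                                        "/" name "-" version ".tar.gz")))
              (sha256
               (base32
                "037kvpisc6qh5dkppcwbm5bg2q800xh2hma3vghz8xcycmdij1yf"))
              (snippet
               '(begin
                  ;; Remove ELF files. 'substitute*' can't read them.
                  (delete-file "test/ssltest_old")
                  (delete-file "test/v3ext")
                  (delete-file "test/x509aux")
                  #t))
              (patches (search-patches "openssl-runpath.patch"
                                       "openssl-c-rehash-in.patch"))))
    (build-system gnu-build-system)
    (outputs '("out"
               "doc"                    ;1.5MiB of man3 pages
               "static"))               ;6MiB of .a files
    (native-inputs `(("perl" ,perl)))
    (arguments
     `(#:parallel-build? #f
       #:parallel-tests? #f
       #:test-target "test"

       ;; Changes to OpenSSL sometimes cause Perl to "sneak in" to the closure,
       ;; so we explicitly disallow it here.
       #:disallowed-references ,(list (canonical-package perl))
       #:phases
       (modify-phases %standard-phases
         (add-before
          'configure 'patch-Makefile.org
          (lambda* (#:key outputs #:allow-other-keys)
            ;; The default MANDIR is some unusual place. Fix that.
            (let ((out (assoc-ref outputs "out")))
              (patch-makefile-SHELL "Makefile.org")
              (substitute* "Makefile.org"
                (("^MANDIR[[:blank:]]*=.*$")
                 (string-append "MANDIR = " out "/share/man\n")))
              #t)))
         (replace
          'configure
          (lambda* (#:key outputs #:allow-other-keys)
            (let ((out (assoc-ref outputs "out")))
              (zero?
               (system* "./config"
                        "shared"        ;build shared libraries
                        "--libdir=lib"

                        ;; The default for this catch-all directory is
                        ;; PREFIX/ssl. Change that to something more
                        ;; conventional.
                        (string-append "--openssldir=" out
                                       "/share/openssl-" ,version)

                        (string-append "--prefix=" out)

                        ;; XXX FIXME: Work around a code generation bug in GCC
                        ;; 4.9.3 on ARM when compiled with -mfpu=neon. See:
                        ;; <https://gcc.gnu.org/bugzilla/show_bug.cgi?id=66917>
                        ,@(if (and (not (%current-target-system))
                                   (string-prefix? "armhf" (%current-system)))
                              '("-mfpu=vfpv3")
                              '()))))))
         (add-after
          'install 'make-libraries-writable
          (lambda* (#:key outputs #:allow-other-keys)
            ;; Make libraries writable so that 'strip' does its job.
            (let ((out (assoc-ref outputs "out")))
              (for-each (lambda (file)
                          (chmod file #o644))
                        (find-files (string-append out "/lib")
                                    "\\.so"))
              #t)))
         (add-after 'install 'move-static-libraries
           (lambda* (#:key outputs #:allow-other-keys)
             ;; Move static libraries to the "static" output.
             (let* ((out    (assoc-ref outputs "out"))
                    (lib    (string-append out "/lib"))
                    (static (assoc-ref outputs "static"))
                    (slib   (string-append static "/lib")))
               (for-each (lambda (file)
                           (install-file file slib)
                           (delete-file file))
                         (find-files lib "\\.a$"))
               #t)))
         (add-after 'install 'move-man3-pages
           (lambda* (#:key outputs #:allow-other-keys)
             ;; Move section 3 man pages to "doc".
             (let* ((out    (assoc-ref outputs "out"))
                    (man3   (string-append out "/share/man/man3"))
                    (doc    (assoc-ref outputs "doc"))
                    (target (string-append doc "/share/man/man3")))
               (mkdir-p target)
               (for-each (lambda (file)
                           (rename-file file
                                        (string-append target "/"
                                                       (basename file))))
                         (find-files man3))
               (delete-file-recursively man3)
               #t)))
         (add-before
          'patch-source-shebangs 'patch-tests
          (lambda* (#:key inputs native-inputs #:allow-other-keys)
            ;; Point the test scripts at the store's bash and at the 'rm'
            ;; found on PATH instead of absolute host paths.
            (let ((bash (assoc-ref (or native-inputs inputs) "bash")))
              (substitute* (find-files "test" ".*")
                (("/bin/sh")
                 (string-append bash "/bin/sh"))
                (("/bin/rm")
                 "rm"))
              #t)))
         (add-after
          'install 'remove-miscellany
          (lambda* (#:key outputs #:allow-other-keys)
            ;; The 'misc' directory contains random undocumented shell and Perl
            ;; scripts. Remove them to avoid retaining a reference on Perl.
            (let ((out (assoc-ref outputs "out")))
              (delete-file-recursively (string-append out "/share/openssl-"
                                                      ,version "/misc"))
              #t))))))
    (native-search-paths
     ;; FIXME: These two variables must designate a single file or directory
     ;; and are not actually "search paths." In practice it works OK in user
     ;; profiles because there's always just one item that matches the
     ;; specification.
     (list (search-path-specification
            (variable "SSL_CERT_DIR")
            (files '("etc/ssl/certs")))
           (search-path-specification
            (variable "SSL_CERT_FILE")
            (files '("etc/ssl/certs/ca-certificates.crt")))))
    (synopsis "SSL/TLS implementation")
    (description
     "OpenSSL is an implementation of SSL/TLS.")
    (license license:openssl)
    (home-page "https://www.openssl.org/")))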
;; Fixes CVE-2017-3735, CVE-2017-3736, CVE-2017-3737, and CVE-2017-3738.
;; See <https://www.openssl.org/news/cl102.txt>.
;; This is the graft target named in the 'replacement' field of 'openssl';
;; it must therefore stay ABI-compatible with 1.0.2l.
(define-public openssl-1.0.2n
  (package
    (inherit openssl)
    (version "1.0.2n")
    (source (origin
              (inherit (package-source openssl))
              ;; HTTPS first, then the FTP locations used by the parent.
              (uri (list (string-append "https://www.openssl.org/source/openssl-"
                                        version ".tar.gz")
                         (string-append "ftp://ftp.openssl.org/source/openssl-"
                                        version ".tar.gz")
                         (string-append "ftp://ftp.openssl.org/source/old/"
                                        (string-trim-right version char-set:letter)
                                        "/openssl-" version ".tar.gz")))
              (sha256
               (base32
                "1zm82pyq5a9jm10q6iv7d3dih3xwjds4x30fqph3k317byvsn2rp"))))))
;; OpenSSL 1.1.0, kept separate from 'openssl' because the 1.0.2 -> 1.1.0 API
;; change would break dependents.  It inherits most of the parent's arguments
;; and overrides only the phases that differ.
(define-public openssl-next
  (package
    (inherit openssl)
    (name "openssl")
    (version "1.1.0g")
    (source (origin
             (method url-fetch)
             (uri (list (string-append "https://www.openssl.org/source/openssl-"
                                       version ".tar.gz")
                        (string-append "ftp://ftp.openssl.org/source/"
                                       name "-" version ".tar.gz")
                        (string-append "ftp://ftp.openssl.org/source/old/"
                                       (string-trim-right version char-set:letter)
                                       "/" name "-" version ".tar.gz")))
             (patches (search-patches "openssl-1.1.0-c-rehash-in.patch"))
             (sha256
              (base32
               "1bvka2wf33w2vxv7yw578nnjqyhz2b3chvfb0l4k2ffscw950kfy"))))
    (outputs '("out"
               "doc"                    ;1.3MiB of man3 pages
               "static"))               ; 5.5MiB of .a files
    (arguments
     (substitute-keyword-arguments (package-arguments openssl)
       ((#:phases phases)
        `(modify-phases ,phases
           (delete 'patch-tests)        ; These two phases are not needed by
           (delete 'patch-Makefile.org) ; OpenSSL 1.1.0.

           ;; Override configure phase since -rpath is now a configure option.
           (replace 'configure
             (lambda* (#:key outputs #:allow-other-keys)
               (let* ((out (assoc-ref outputs "out"))
                      (lib (string-append out "/lib")))
                 (zero?
                  (system* "./config"
                           "shared"     ;build shared libraries
                           "--libdir=lib"

                           ;; The default for this catch-all directory is
                           ;; PREFIX/ssl. Change that to something more
                           ;; conventional.
                           (string-append "--openssldir=" out
                                          "/share/openssl-" ,version)

                           (string-append "--prefix=" out)
                           ;; Replaces the 'openssl-runpath.patch' of 1.0.2.
                           (string-append "-Wl,-rpath," lib)

                           ;; XXX FIXME: Work around a code generation bug in GCC
                           ;; 4.9.3 on ARM when compiled with -mfpu=neon. See:
                           ;; <https://gcc.gnu.org/bugzilla/show_bug.cgi?id=66917>
                           ,@(if (and (not (%current-target-system))
                                      (string-prefix? "armhf" (%current-system)))
                                 '("-mfpu=vfpv3")
                                 '()))))))

           ;; XXX: Duplicate this phase to make sure 'version' evaluates
           ;; in the current scope and not the inherited one.
           (replace 'remove-miscellany
             (lambda* (#:key outputs #:allow-other-keys)
               ;; The 'misc' directory contains random undocumented shell and Perl
               ;; scripts. Remove them to avoid retaining a reference on Perl.
               (let ((out (assoc-ref outputs "out")))
                 (delete-file-recursively (string-append out "/share/openssl-"
                                                         ,version "/misc"))
                 #t)))))))))
;; LibreSSL: OpenSSL fork from OpenBSD; also provides the TLS-capable 'nc'.
(define-public libressl
  (package
    (name "libressl")
    (version "2.6.4")
    (source (origin
              (method url-fetch)
              (uri (string-append "mirror://openbsd/LibreSSL/"
                                  name "-" version ".tar.gz"))
              (sha256
               (base32
                "07yi37a2ghsgj2b4w30q1s4d2inqnix7ika1m21y57p9z71212k3"))))
    (build-system gnu-build-system)
    (arguments
     ;; Do as if 'getentropy' was missing since older Linux kernels lack it
     ;; and libc would return ENOSYS, which is not properly handled.
     ;; See <https://lists.gnu.org/archive/html/guix-devel/2017-04/msg00235.html>.
     '(#:configure-flags '("ac_cv_func_getentropy=no"
                           ;; Provide a TLS-enabled netcat.
                           "--enable-nc")))
    (native-search-paths
     ;; FIXME: These two variables must designate a single file or directory
     ;; and are not actually "search paths." In practice it works OK in
     ;; user profiles because there's always just one item that matches the
     ;; specification.
     ;; Same two variables as 'openssl' so both libraries find one trust store.
     (list (search-path-specification
            (variable "SSL_CERT_DIR")
            (files '("etc/ssl/certs")))
           (search-path-specification
            (variable "SSL_CERT_FILE")
            (files '("etc/ssl/certs/ca-certificates.crt")))))
    (home-page "https://www.libressl.org/")
    (synopsis "SSL/TLS implementation")
    (description "LibreSSL is a version of the TLS/crypto stack, forked from
OpenSSL in 2014 with the goals of modernizing the codebase, improving security,
and applying best practice development processes. This package also includes a
netcat implementation that supports TLS.")
    ;; Files taken from OpenSSL keep their license, others are under various
    ;; non-copyleft licenses.
    (license (list license:openssl
                   (license:non-copyleft
                    "file://COPYING"
                    "See COPYING in the distribution.")))))
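;; python-acme: the ACME protocol library that certbot is built on.  The
;; description is now a full sentence rather than a copy of the synopsis.
(define-public python-acme
  (package
    (name "python-acme")
    ;; Remember to update the hash of certbot when updating python-acme.
    (version "0.20.0")
    (source (origin
              (method url-fetch)
              (uri (pypi-uri "acme" version))
              (sha256
               (base32
                "1md3llp6640dviv9bzyy7qzn3szxil38645cjqcg7hlcdknil4j5"))))
    (build-system python-build-system)
    (arguments
     `(#:phases
       (modify-phases %standard-phases
         ;; Build the man page and Info manual from the Sphinx sources.
         (add-after 'build 'build-documentation
           (lambda _
             (zero? (system* "make" "-C" "docs" "man" "info"))))
         (add-after 'install 'install-documentation
           (lambda* (#:key outputs #:allow-other-keys)
             (let* ((out  (assoc-ref outputs "out"))
                    (man  (string-append out "/share/man/man1"))
                    (info (string-append out "/info")))
               (install-file "docs/_build/texinfo/acme-python.info" info)
               (install-file "docs/_build/man/acme-python.1" man)
               #t))))))
    ;; TODO: Add optional inputs for testing.
    (native-inputs
     `(("python-mock" ,python-mock-2)
       ;; For documentation
       ("python-sphinx" ,python-sphinx)
       ("python-sphinxcontrib-programoutput" ,python-sphinxcontrib-programoutput)
       ("python-sphinx-rtd-theme" ,python-sphinx-rtd-theme)
       ("texinfo" ,texinfo)))
    (propagated-inputs
     `(("python-six" ,python-six)
       ("python-requests" ,python-requests)
       ("python-pytz" ,python-pytz)
       ("python-pyrfc3339" ,python-pyrfc3339)
       ("python-pyasn1" ,python-pyasn1)
       ("python-cryptography" ,python-cryptography)
       ("python-pyopenssl" ,python-pyopenssl)))
    (home-page "https://github.com/certbot/certbot")
    (synopsis "ACME protocol implementation in Python")
    (description "This package provides an implementation of the ACME protocol
in Python.")
    (license license:asl2.0)))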
;; certbot: Let's Encrypt client; shares version and build phases with
;; python-acme and only swaps the documentation-install phase.
(define-public certbot
  (package
    (name "certbot")
    ;; Certbot and python-acme are developed in the same repository, and their
    ;; versions should remain synchronized.
    (version (package-version python-acme))
    (source (origin
              (method url-fetch)
              (uri (pypi-uri name version))
              (sha256
               (base32
                "126y6jg1nyd8js2jchl4dbmpg507hawaxnyw7510qh7vcidm1gya"))))
    (build-system python-build-system)
    (arguments
     ;; Reuse python-acme's phases (including 'build-documentation') and
     ;; replace only the install step, since certbot ships a section 7 page.
     `(,@(substitute-keyword-arguments (package-arguments python-acme)
           ((#:phases phases)
            `(modify-phases ,phases
               (replace 'install-documentation
                 (lambda* (#:key outputs #:allow-other-keys)
                   (let* ((out  (assoc-ref outputs "out"))
                          (man1 (string-append out "/share/man/man1"))
                          (man7 (string-append out "/share/man/man7"))
                          (info (string-append out "/info")))
                     (install-file "docs/_build/texinfo/Certbot.info" info)
                     (install-file "docs/_build/man/certbot.1" man1)
                     (install-file "docs/_build/man/certbot.7" man7)
                     #t))))))))
    ;; TODO: Add optional inputs for testing.
    (native-inputs
     `(("python-nose" ,python-nose)
       ("python-mock" ,python-mock-2)
       ;; For documentation
       ("python-sphinx" ,python-sphinx)
       ("python-sphinx-rtd-theme" ,python-sphinx-rtd-theme)
       ("python-sphinx-repoze-autointerface" ,python-sphinx-repoze-autointerface)
       ("python-sphinxcontrib-programoutput" ,python-sphinxcontrib-programoutput)
       ("texinfo" ,texinfo)))
    (propagated-inputs
     `(("python-acme" ,python-acme)
       ("python-zope-interface" ,python-zope-interface)
       ("python-pyrfc3339" ,python-pyrfc3339)
       ("python-pyopenssl" ,python-pyopenssl)
       ("python-configobj" ,python-configobj)
       ("python-configargparse" ,python-configargparse)
       ("python-zope-component" ,python-zope-component)
       ("python-parsedatetime" ,python-parsedatetime)
       ("python-six" ,python-six)
       ("python-psutil" ,python-psutil)
       ("python-requests" ,python-requests)
       ("python-pytz" ,python-pytz)))
    (synopsis "Let's Encrypt client by the Electronic Frontier Foundation")
    (description "Certbot automatically receives and installs X.509 certificates
to enable Transport Layer Security (TLS) on servers. It interoperates with the
Let’s Encrypt certificate authority (CA), which issues browser-trusted
certificates for free.")
    (home-page "https://certbot.eff.org/")
    (license license:asl2.0)))
;; Former name of certbot, kept so that existing profiles keep resolving; the
;; 'superseded' property tells the tooling which package replaces it.
(define-public letsencrypt
  (package
    (inherit certbot)
    (name "letsencrypt")
    (properties (list (cons 'superseded certbot)))))
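;; Net::SSLeay Perl bindings for OpenSSL.  The home page now uses the
;; version-independent CPAN distribution URL, matching the other Perl
;; packages in this file, instead of a link hard-wired to release 1.66.
(define-public perl-net-ssleay
  (package
    (name "perl-net-ssleay")
    (version "1.81")
    (source (origin
              (method url-fetch)
              (uri (string-append "mirror://cpan/authors/id/M/MI/MIKEM/"
                                  "Net-SSLeay-" version ".tar.gz"))
              (sha256
               (base32
                "0z8vya34g88bc41kx955sv7y4niwbbywji8liqbl52v29qbvdjq0"))))
    (build-system perl-build-system)
    (inputs `(("openssl" ,openssl)))
    (arguments
     `(#:phases
       (modify-phases %standard-phases
         (add-before
          'configure 'set-ssl-prefix
          (lambda* (#:key inputs #:allow-other-keys)
            ;; Makefile.PL reads OPENSSL_PREFIX to locate the library.
            (setenv "OPENSSL_PREFIX" (assoc-ref inputs "openssl"))
            #t)))))
    (synopsis "Perl extension for using OpenSSL")
    (description
     "This module offers some high level convenience functions for accessing
web pages on SSL servers (for symmetry, the same API is offered for accessing
http servers, too), an sslcat() function for writing your own clients, and
finally access to the SSL api of the SSLeay/OpenSSL package so you can write
servers or clients for more complicated applications.")
    (license license:perl-license)
    (home-page "http://search.cpan.org/dist/Net-SSLeay")))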
;; Crypt::OpenSSL::RSA.  Shares its build tweak with the Bignum and Random
;; modules through 'perl-crypt-arguments', defined further down; the
;; 'arguments' field is resolved lazily, so the forward reference is fine.
(define-public perl-crypt-openssl-rsa
  (package
    (name "perl-crypt-openssl-rsa")
    (version "0.28")
    (source
     (origin
       (method url-fetch)
       (uri (string-append
             "mirror://cpan/authors/id/P/PE/PERLER/Crypt-OpenSSL-RSA-"
             version
             ".tar.gz"))
       (sha256
        (base32
         "1gnpvv09b2gpifwdzc5jnhama3d1a4c39lzj9hcaicsb8rvzjmsk"))))
    (build-system perl-build-system)
    (inputs
     `(("perl-crypt-openssl-bignum" ,perl-crypt-openssl-bignum)
       ("perl-crypt-openssl-random" ,perl-crypt-openssl-random)
       ("openssl" ,openssl)))
    (arguments perl-crypt-arguments)
    (home-page
     "http://search.cpan.org/dist/Crypt-OpenSSL-RSA")
    (synopsis
     "RSA encoding and decoding, using the openSSL libraries")
    (description "Crypt::OpenSSL::RSA does RSA encoding and decoding (using the
OpenSSL libraries).")
    (license license:perl-license)))
;; Build arguments shared by the Crypt::OpenSSL::* packages: rewrite the
;; 'LIBS' line of Makefile.PL so libcrypto is taken from the "openssl" input
;; rather than from whatever the build environment happens to provide.
(define perl-crypt-arguments
  `(#:phases (modify-phases %standard-phases
               (add-before 'configure 'patch-Makefile.PL
                 (lambda* (#:key inputs #:allow-other-keys)
                   (let ((openssl (assoc-ref inputs "openssl")))
                     (substitute* "Makefile.PL"
                       (("'LIBS'.*=>.*")
                        (string-append "'LIBS' => ['-L"
                                       openssl
                                       "/lib -lcrypto'],"))))
                   #t)))))
;; Crypt::OpenSSL::Bignum: Perl access to OpenSSL's BIGNUM arithmetic.
(define-public perl-crypt-openssl-bignum
  (package
    (name "perl-crypt-openssl-bignum")
    (version "0.09")
    (source
     (origin
       (method url-fetch)
       (uri (string-append
             "mirror://cpan/authors/id/K/KM/KMX/Crypt-OpenSSL-Bignum-"
             version
             ".tar.gz"))
       (sha256
        (base32
         "1p22znbajq91lbk2k3yg12ig7hy5b4vy8igxwqkmbm4nhgxp4ki3"))))
    (build-system perl-build-system)
    (inputs `(("openssl" ,openssl)))
    ;; Same Makefile.PL fix-up as the other Crypt::OpenSSL::* packages.
    (arguments perl-crypt-arguments)
    (home-page
     "http://search.cpan.org/dist/Crypt-OpenSSL-Bignum")
    (synopsis
     "OpenSSL's multiprecision integer arithmetic in Perl")
    (description "Crypt::OpenSSL::Bignum provides multiprecision integer
arithmetic in Perl.")
    ;; At your option either gpl1+ or the Artistic License
    (license license:perl-license)))
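;; Crypt::OpenSSL::Random.  The description was fixed to be a grammatical
;; sentence ("an OpenSSL/LibreSSL ... generator.").
(define-public perl-crypt-openssl-random
  (package
    (name "perl-crypt-openssl-random")
    (version "0.11")
    (source
     (origin
       (method url-fetch)
       (uri (string-append
             "mirror://cpan/authors/id/R/RU/RURBAN/Crypt-OpenSSL-Random-"
             version
             ".tar.gz"))
       (sha256
        (base32
         "0yjcabkibrkafywvdkmd1xpi6br48skyk3l15ni176wvlg38335v"))))
    (build-system perl-build-system)
    (inputs `(("openssl" ,openssl)))
    ;; Same Makefile.PL fix-up as the other Crypt::OpenSSL::* packages.
    (arguments perl-crypt-arguments)
    (home-page
     "http://search.cpan.org/dist/Crypt-OpenSSL-Random")
    (synopsis
     "OpenSSL/LibreSSL pseudo-random number generator access")
    (description "Crypt::OpenSSL::Random is an OpenSSL/LibreSSL pseudo-random
number generator.")
    (license license:perl-license)))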
;; acme-client: OpenBSD's privilege-separated Let's Encrypt client, portable
;; build linked against LibreSSL.
(define-public acme-client
  (package
    (name "acme-client")
    (version "0.1.16")
    (source (origin
              (method url-fetch)
              (uri (string-append "https://kristaps.bsd.lv/" name "/"
                                  "snapshots/" name "-portable-"
                                  version ".tgz"))
              (sha256
               (base32
                "00q05b3b1dfnfp7sr1nbd212n0mqrycl3cr9lbs51m7ncaihbrz9"))))
    (build-system gnu-build-system)
    (arguments
     '(#:tests? #f                      ; no test suite
       #:make-flags
       (list "CC=gcc"
             (string-append "PREFIX=" (assoc-ref %outputs "out")))
       #:phases
       (modify-phases %standard-phases
         (add-after 'unpack 'patch-paths
           (lambda* (#:key inputs #:allow-other-keys)
             ;; http.c hard-codes /etc/ssl/cert.pem as its CA bundle; point
             ;; it at the cert.pem shipped by the "libressl" input instead.
             ;; Note that this pins the trust anchors used to talk to the
             ;; CA to that file rather than to the system-wide store.
             (let ((pem (string-append (assoc-ref inputs "libressl")
                                       "/etc/ssl/cert.pem")))
               (substitute* "http.c"
                 (("/etc/ssl/cert.pem") pem))
               #t)))
         (delete 'configure))))         ; no './configure' script
    (native-inputs
     `(("pkg-config" ,pkg-config)))
    (inputs
     `(("libbsd" ,libbsd)
       ("libressl" ,libressl)))
    (synopsis "Let's Encrypt client by the OpenBSD project")
    (description "acme-client is a Let's Encrypt client implemented in C. It
uses a modular design, and attempts to secure itself by dropping privileges and
operating in a chroot where possible. acme-client is developed on OpenBSD and
then ported to the GNU / Linux environment.")
    (home-page "https://kristaps.bsd.lv/acme-client/")
    ;; acme-client is distributed under the ISC license, but the files 'jsmn.h'
    ;; and 'jsmn.c' are distributed under the Expat license.
    (license (list license:isc license:expat))))
;; The "-apache" variant is upstream's preferred variant. A "-gpl"
;; variant exists in addition to the "-apache" one.
(define-public mbedtls-apache
  (package
    (name "mbedtls-apache")
    (version "2.6.0")
    (source
     (origin
       (method url-fetch)
       ;; XXX: The download links on the website are script redirection links
       ;; which effectively lead to the format listed in the uri here.
       (uri (string-append "https://tls.mbed.org/download/mbedtls-"
                           version "-apache.tgz"))
       (sha256
        (base32
         "11wnj34rfqxjggmdgf042i49lr6civgbqwv2p7p8bn6k2919vg4r"))))
    (build-system cmake-build-system)
    (arguments
     ;; Build the shared libraries in addition to the static ones.
     `(#:configure-flags
       (list "-DUSE_SHARED_MBEDTLS_LIBRARY=ON")))
    ;; Perl is only used at build time (test generation scripts).
    (native-inputs
     `(("perl" ,perl)))
    (synopsis "Small TLS library")
    (description
     "@code{mbed TLS}, formerly known as PolarSSL, makes it trivially easy
for developers to include cryptographic and SSL/TLS capabilities in their
(embedded) products, facilitating this functionality with a minimal
coding footprint.")
    (home-page "https://tls.mbed.org")
    (license license:asl2.0)))
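;; Haskell 'tls' package.  The description's last sentence was reworded into
;; grammatical English ("It currently implements ... and supports ...").
(define-public ghc-tls
  (package
    (name "ghc-tls")
    (version "1.3.8")
    (source (origin
              (method url-fetch)
              (uri (string-append "https://hackage.haskell.org/package/"
                                  "tls/tls-" version ".tar.gz"))
              (sha256
               (base32
                "1rdidf18i781c0vdvy9yn79yh08hmcacf6fp3sgghyiy3h0wyh5l"))))
    (build-system haskell-build-system)
    (inputs
     `(("ghc-mtl" ,ghc-mtl)
       ("ghc-cereal" ,ghc-cereal)
       ("ghc-data-default-class" ,ghc-data-default-class)
       ("ghc-memory" ,ghc-memory)
       ("ghc-cryptonite" ,ghc-cryptonite)
       ("ghc-asn1-types" ,ghc-asn1-types)
       ("ghc-asn1-encoding" ,ghc-asn1-encoding)
       ("ghc-x509" ,ghc-x509)
       ("ghc-x509-store" ,ghc-x509-store)
       ("ghc-x509-validation" ,ghc-x509-validation)
       ("ghc-async" ,ghc-async)
       ("ghc-network" ,ghc-network)
       ("ghc-hourglass" ,ghc-hourglass)))
    ;; Test-suite only.
    (native-inputs
     `(("ghc-tasty" ,ghc-tasty)
       ("ghc-tasty-quickcheck" ,ghc-tasty-quickcheck)
       ("ghc-quickcheck" ,ghc-quickcheck)))
    (home-page "https://github.com/vincenthz/hs-tls")
    (synopsis
     "TLS/SSL protocol native implementation (Server and Client)")
    (description
     "Native Haskell TLS and SSL protocol implementation for server and client.
This provides a high-level implementation of a sensitive security protocol,
eliminating a common set of security issues through the use of the advanced
type system, high level constructions and common Haskell features. It currently
implements the SSL3.0, TLS1.0, TLS1.1 and TLS1.2 protocols, and supports RSA and
Ephemeral (Elliptic curve and regular) Diffie Hellman key exchanges, and many
extensions.")
    (license license:bsd-3)))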