gnu: openssl: Disallow references to Perl.
233e7676 1;;; GNU Guix --- Functional package management for GNU
caeadfdd 2;;; Copyright © 2012, 2013, 2014, 2015, 2016 Ludovic Courtès <ludo@gnu.org>
80cc3a0a 3;;; Copyright © 2014, 2015, 2016 Mark H Weaver <mhw@netris.org>
29a7c98a 4;;; Copyright © 2014 Ian Denhardt <ian@zenhack.net>
cc2b77df 5;;; Copyright © 2013, 2015 Andreas Enge <andreas@enge.fr>
9fd0838b 6;;; Copyright © 2015 David Thompson <davet@gnu.org>
7890e3ba 7;;; Copyright © 2015 Leo Famulari <leo@famulari.name>
3ea110b7 8;;; Copyright © 2016 Efraim Flashner <efraim@flashner.co.il>
7b150a24 9;;; Copyright © 2016 Nils Gillmann <niasterisk@grrlz.net>
7543f865 10;;;
233e7676 11;;; This file is part of GNU Guix.
7543f865 12;;;
233e7676 13;;; GNU Guix is free software; you can redistribute it and/or modify it
14;;; under the terms of the GNU General Public License as published by
15;;; the Free Software Foundation; either version 3 of the License, or (at
16;;; your option) any later version.
17;;;
233e7676 18;;; GNU Guix is distributed in the hope that it will be useful, but
19;;; WITHOUT ANY WARRANTY; without even the implied warranty of
20;;; MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
21;;; GNU General Public License for more details.
22;;;
23;;; You should have received a copy of the GNU General Public License
233e7676 24;;; along with GNU Guix. If not, see <http://www.gnu.org/licenses/>.
7543f865 25
a7fd7b68 26(define-module (gnu packages tls)
e9aa8d0c 27 #:use-module ((guix licenses) #:prefix license:)
28 #:use-module (guix packages)
29 #:use-module (guix download)
29a7c98a 30 #:use-module (guix utils)
7543f865 31 #:use-module (guix build-system gnu)
cc2b77df 32 #:use-module (guix build-system perl)
7890e3ba 33 #:use-module (guix build-system python)
f61e0e79 34 #:use-module (gnu packages compression)
013ce67b 35 #:use-module (gnu packages)
1ffa7090 36 #:use-module (gnu packages guile)
27e86bed 37 #:use-module (gnu packages libffi)
866f469e 38 #:use-module (gnu packages libidn)
7890e3ba 39 #:use-module (gnu packages ncurses)
27e86bed 40 #:use-module (gnu packages nettle)
1ffa7090 41 #:use-module (gnu packages perl)
27e86bed 42 #:use-module (gnu packages pkg-config)
7890e3ba 43 #:use-module (gnu packages python)
a31f4d35 44 #:use-module (gnu packages texinfo)
ce0614dd 45 #:use-module (gnu packages base))
46
;; GNU libtasn1: the ASN.1 encoder/decoder that GnuTLS and p11-kit (below)
;; build on.  The 4.7 tarball is what gets built; 'libtasn1/fixed' (defined
;; right after this) inherits everything here and only swaps the source for
;; the upstream release that fixes CVE-2016-4008.
(define-public libtasn1
  (package
    (name "libtasn1")
    (version "4.7")
    (home-page "http://www.gnu.org/software/libtasn1/")
    (source
     (origin
       (method url-fetch)
       (uri (string-append "mirror://gnu/libtasn1/libtasn1-" version ".tar.gz"))
       (sha256
        (base32 "1j8iixynchziw1y39lnibyl5h81m4p78w3i4f28q2vgwjgf801x4"))))
    (build-system gnu-build-system)
    ;; Perl is a build-time tool only (native input).
    (native-inputs `(("perl" ,perl)))
    ;; CVE-2016-4008 affects 4.7; see 'libtasn1/fixed' for the replacement.
    (replacement libtasn1/fixed)
    (synopsis "ASN.1 library")
    (description
     "GNU libtasn1 is a library implementing the ASN.1 notation. It is used
for transmitting machine-neutral encodings of data objects in computer
networking, allowing for formal validation of data according to some
specifications.")
    (license license:lgpl2.0+)))
7543f865 70
;; Replacement for 'libtasn1' carrying the upstream fix for CVE-2016-4008.
;; Only the source is overridden: 'name' and 'version' are inherited and
;; still read "libtasn1" / "4.7", while the tarball fetched is the 4.8
;; release.  Keep the hash in sync with the URL if this is ever bumped.
(define libtasn1/fixed
  (package
    (inherit libtasn1)
    (source
     (origin
       (method url-fetch)
       (uri "mirror://gnu/libtasn1/libtasn1-4.8.tar.gz")
       (sha256
        (base32 "04y5m29pqmvkfdbppmsdifyx89v8xclxzklpfc7a1fkr9p4jz07s"))))))
83
;; p11-kit: loader/coordinator for PKCS#11 modules.  Built with
;; '--without-trust-paths', so no system trust-anchor locations are baked in
;; (presumably leaving trust configuration to the deployment — verify
;; against p11-kit's configure help if that matters to you).
(define-public p11-kit
  (package
    (name "p11-kit")
    (version "0.23.1")
    (home-page "http://p11-glue.freedesktop.org/p11-kit.html")
    (source
     (origin
       (method url-fetch)
       (uri (string-append "https://p11-glue.freedesktop.org/releases/p11-kit-"
                           version ".tar.gz"))
       (sha256
        (base32 "1i3a1wdpagm0p3y1bwaz5x5rjhcpqbcrnhkcp10p259vkxk72wz5"))
       ;; 'substitute*' lives in (guix build utils).
       (modules '((guix build utils)))
       (snippet
        ;; 'test-module' fails both here and when built by hand, so it is
        ;; removed from the test list.  Upstream report:
        ;; https://bugs.freedesktop.org/show_bug.cgi?id=89027
        '(begin
           (substitute* "Makefile.in"
             (("test-module\\$\\(EXEEXT\\) ") ""))))))
    (build-system gnu-build-system)
    (arguments
     `(#:configure-flags '("--without-trust-paths")))
    (native-inputs `(("pkg-config" ,pkg-config)))
    (inputs
     `(("libffi" ,libffi)
       ("libtasn1" ,libtasn1)))
    (synopsis "PKCS#11 library")
    (description
     "p11-kit provides a way to load and enumerate PKCS#11 modules. It
provides a standard configuration setup for installing PKCS#11 modules
in such a way that they are discoverable. It also solves problems with
coordinating the use of PKCS#11 by different components or libraries
living in the same process.")
    (license license:bsd-3)))
27e86bed 121
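;; GnuTLS: TLS/DTLS library with Guile bindings.  Two choices in 'arguments'
;; decide what a GnuTLS client trusts at run time: the hard-coded default
;; trust store directory and the (temporarily) disabled p11-kit support.
(define-public gnutls
  (package
    (name "gnutls")
    (version "3.4.9")
    (source (origin
              (method url-fetch)
              (uri
               ;; Note: Releases are no longer on ftp.gnu.org since the
               ;; schism (after version 3.1.5).
               (string-append "mirror://gnupg/gnutls/v"
                              (version-major+minor version)
                              "/gnutls-" version ".tar.xz"))
              (sha256
               (base32
                "0gvwyl0kdp1qpzbzp46wqfdzzrmwy9n54sgcjvvm1m1kpanlyna8"))))
    (build-system gnu-build-system)
    (arguments
     '(#:configure-flags
       (list (string-append "--with-guile-site-dir="
                            (assoc-ref %outputs "out")
                            "/share/guile/site/2.0")
             ;; GnuTLS doesn't consult any environment variables to specify
             ;; the location of the system-wide trust store.  Instead it has a
             ;; configure-time option.  Unless specified, its configure script
             ;; attempts to auto-detect the location by looking for common
             ;; places in the filesystem, none of which are present in our
             ;; chroot build environment.  If not found, then no default trust
             ;; store is used, so each program has to provide its own
             ;; fallback, and users have to configure each program
             ;; independently.  This seems suboptimal.
             ;;
             ;; Security note: this path is outside the store, so the set of
             ;; trusted CAs is whatever the *host* has under /etc/ssl/certs at
             ;; run time, not something fixed at build time.
             "--with-default-trust-store-dir=/etc/ssl/certs"

             ;; FIXME: Temporarily disable p11-kit support since it is not
             ;; working on mips64el.  p11-kit is the PKCS#11 module loader
             ;; (see above), so this presumably also disables PKCS#11 token
             ;; support in GnuTLS.
             "--without-p11-kit")

       #:phases (modify-phases %standard-phases
                  (add-after 'install 'move-doc
                    (lambda* (#:key outputs #:allow-other-keys)
                      ;; Copy the 4.1 MiB of section 3 man pages to "doc".
                      (let* ((out (assoc-ref outputs "out"))
                             (doc (assoc-ref outputs "doc"))
                             (mandir (string-append doc "/share/man/man3"))
                             (oldman (string-append out "/share/man/man3")))
                        (mkdir-p mandir)
                        (copy-recursively oldman mandir)
                        (delete-file-recursively oldman)
                        #t))))))
    (outputs '("out"                    ;4.4 MiB
               "debug"
               "doc"))                  ;4.1 MiB of man pages
    (native-inputs
     `(("pkg-config" ,pkg-config)
       ("which" ,which)))
    (inputs
     `(("guile" ,guile-2.0)
       ;; NOTE(review): Perl is listed as a regular input here, whereas the
       ;; 'openssl' package below goes out of its way to keep Perl out of its
       ;; closure.  Confirm no run-time reference to Perl is retained.
       ("perl" ,perl)))
    (propagated-inputs
     ;; These are all in the 'Requires.private' field of gnutls.pc.
     `(("libtasn1" ,libtasn1)
       ("libidn" ,libidn)
       ("nettle" ,nettle)
       ("zlib" ,zlib)))
    (home-page "http://www.gnu.org/software/gnutls/")
    (synopsis "Transport layer security library")
    ;; Typo fix: "X.5009" -> "X.509".
    (description
     "GnuTLS is a secure communications library implementing the SSL, TLS
and DTLS protocols. It is provided in the form of a C library to support the
protocols, as well as to parse and write X.509, PKCS 12, OpenPGP and other
required structures.")
    (license license:lgpl2.1+)
    (properties '((ftp-server . "ftp.gnutls.org")
                  (ftp-directory . "/gcrypt/gnutls")))))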
196
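;; OpenSSL 1.0.2 series.  Security-relevant build decisions:
;;  - Perl is needed to build but must not end up in the run-time closure;
;;    '#:disallowed-references' makes the build fail if it does, and the
;;    'remove-miscellany' phase deletes the scripts that used to drag it in.
;;  - No CA bundle is part of this package; SSL_CERT_DIR / SSL_CERT_FILE
;;    (see 'native-search-paths') are expected to point at the profile's
;;    bundle.
;;  - Sources are fetched over plain FTP; integrity rests on the pinned
;;    SHA256 below, not on the transport.
(define-public openssl
  (package
    (name "openssl")
    (version "1.0.2g")
    (source (origin
              (method url-fetch)
              (uri (list (string-append "ftp://ftp.openssl.org/source/"
                                        name "-" version ".tar.gz")
                         ;; Fallback: the old/<series>/ directory where
                         ;; superseded releases are moved.
                         (string-append "ftp://ftp.openssl.org/source/old/"
                                        (string-trim-right version char-set:letter)
                                        "/" name "-" version ".tar.gz")))
              (sha256
               (base32
                "0cxajjayi859czi545ddafi24m9nwsnjsw4q82zrmqvwj2rv315p"))
              (patches (search-patches "openssl-runpath.patch"
                                       "openssl-c-rehash-in.patch"))))
    (build-system gnu-build-system)
    (native-inputs `(("perl" ,perl)))
    (arguments
     `(;; Changes to OpenSSL sometimes cause Perl to "sneak in" to the closure,
       ;; so we explicitly disallow it here.  This keyword used to appear
       ;; twice in this list — once as (,perl) and once as
       ;; (canonical-package perl) — which leaves it to keyword-argument
       ;; parsing to decide which one wins.  List both candidates in a
       ;; single entry instead; they normally denote the same package, in
       ;; which case the duplicate store item is harmless.
       #:disallowed-references ,(list perl (canonical-package perl))
       #:parallel-build? #f
       #:parallel-tests? #f
       #:test-target "test"
       #:phases
       (modify-phases %standard-phases
         (add-before 'configure 'patch-Makefile.org
           (lambda* (#:key outputs #:allow-other-keys)
             ;; The default MANDIR is some unusual place.  Fix that.
             (let ((out (assoc-ref outputs "out")))
               (patch-makefile-SHELL "Makefile.org")
               (substitute* "Makefile.org"
                 (("^MANDIR[[:blank:]]*=.*$")
                  (string-append "MANDIR = " out "/share/man\n")))
               #t)))
         (replace 'configure
           (lambda* (#:key outputs #:allow-other-keys)
             (let ((out (assoc-ref outputs "out")))
               (zero?
                (system* "./config"
                         "shared"       ;build shared libraries
                         "--libdir=lib"

                         ;; The default for this catch-all directory is
                         ;; PREFIX/ssl.  Change that to something more
                         ;; conventional.
                         (string-append "--openssldir=" out
                                        "/share/openssl-" ,version)

                         (string-append "--prefix=" out)

                         ;; XXX FIXME: Work around a code generation bug in GCC
                         ;; 4.9.3 on ARM when compiled with -mfpu=neon.  See:
                         ;; <https://gcc.gnu.org/bugzilla/show_bug.cgi?id=66917>
                         ,@(if (and (not (%current-target-system))
                                    (string-prefix? "armhf" (%current-system)))
                               '("-mfpu=vfpv3")
                               '()))))))
         (add-after 'install 'make-libraries-writable
           (lambda* (#:key outputs #:allow-other-keys)
             ;; Make libraries writable so that 'strip' does its job.
             (let ((out (assoc-ref outputs "out")))
               (for-each (lambda (file)
                           (chmod file #o644))
                         (find-files (string-append out "/lib")
                                     "\\.so"))
               #t)))
         (add-before 'patch-source-shebangs 'patch-tests
           (lambda* (#:key inputs native-inputs #:allow-other-keys)
             ;; The test scripts hard-code /bin/sh and /bin/rm, neither of
             ;; which exists in the build chroot.
             (let ((bash (assoc-ref (or native-inputs inputs) "bash")))
               (substitute* (find-files "test" ".*")
                 (("/bin/sh")
                  (string-append bash "/bin/bash"))
                 (("/bin/rm")
                  "rm"))
               #t)))
         (add-after 'install 'remove-miscellany
           (lambda* (#:key outputs #:allow-other-keys)
             ;; The 'misc' directory contains random undocumented shell and Perl
             ;; scripts.  Remove them to avoid retaining a reference on Perl.
             (let ((out (assoc-ref outputs "out")))
               (delete-file-recursively (string-append out "/share/openssl-"
                                                       ,version "/misc"))
               #t))))))
    (native-search-paths
     ;; FIXME: These two variables must designate a single file or directory
     ;; and are not actually "search paths."  In practice it works OK in user
     ;; profiles because there's always just one item that matches the
     ;; specification.
     (list (search-path-specification
            (variable "SSL_CERT_DIR")
            (files '("etc/ssl/certs")))
           (search-path-specification
            (variable "SSL_CERT_FILE")
            (files '("etc/ssl/certs/ca-certificates.crt")))))
    (synopsis "SSL/TLS implementation")
    (description
     "OpenSSL is an implementation of SSL/TLS.")
    (license license:openssl)
    (home-page "http://www.openssl.org/")))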
305
;; LibreSSL, the OpenBSD fork of OpenSSL.  As with 'openssl' above, no CA
;; bundle ships with the package; SSL_CERT_DIR / SSL_CERT_FILE are expected
;; to be set from the user's profile.
(define-public libressl
  (package
    (name "libressl")
    (version "2.3.3")
    (home-page "http://www.libressl.org/")
    (source
     (origin
       (method url-fetch)
       (uri (string-append
             "http://ftp.openbsd.org/pub/OpenBSD/LibreSSL/libressl-"
             version ".tar.gz"))
       ;; Plain-HTTP download; the pinned hash is what guarantees integrity.
       (sha256 (base32
                "1a8anm8nsfyxds03csk738m2cmzjbsb867my1rz5ij3w31k32wvn"))))
    (build-system gnu-build-system)
    (native-search-paths
     ;; FIXME: These two variables must designate a single file or directory
     ;; and are not actually "search paths."  In practice it works OK in
     ;; user profiles because there's always just one item that matches the
     ;; specification.
     (list (search-path-specification
            (variable "SSL_CERT_DIR")
            (files '("etc/ssl/certs")))
           (search-path-specification
            (variable "SSL_CERT_FILE")
            (files '("etc/ssl/certs/ca-certificates.crt")))))
    (synopsis "SSL/TLS implementation")
    (description "LibreSSL is a version of the TLS/crypto stack forked
from OpenSSL in 2014, with the goals of modernizing the codebase, improving
security, and applying best practice development processes.")
    ;; Files taken from OpenSSL keep their license, others are under various
    ;; non-copyleft licenses.
    (license (list license:openssl
                   (license:non-copyleft
                    "file://COPYING"
                    "See COPYING in the distribution.")))))
341
;; Python implementation of the ACME protocol, the library behind the
;; 'letsencrypt' client below.  Sphinx/Texinfo documentation is built and
;; installed by the extra 'docs' phase.
(define-public python-acme
  (package
    (name "python-acme")
    (version "0.5.0")
    (source (origin
              (method url-fetch)
              (uri (pypi-uri "acme" version))
              (sha256
               (base32
                "1g8scfkhs3l06588h73py81xb1gvkkdzaxanl21whcvdclycc186"))))
    (build-system python-build-system)
    (home-page "https://github.com/letsencrypt/letsencrypt")
    (synopsis "ACME protocol implementation in Python")
    (description "ACME protocol implementation in Python")
    (license license:asl2.0)
    ;; TODO: Add optional inputs for testing.
    (native-inputs
     `(("python-mock" ,python-mock)
       ;; For documentation
       ("python-sphinx" ,python-sphinx)
       ("python-sphinxcontrib-programoutput" ,python-sphinxcontrib-programoutput)
       ("python-sphinx-rtd-theme" ,python-sphinx-rtd-theme)
       ("python-setuptools" ,python-setuptools)
       ("texinfo" ,texinfo)))
    (propagated-inputs
     `(("python-ndg-httpsclient" ,python-ndg-httpsclient)
       ("python-werkzeug" ,python-werkzeug)
       ("python-six" ,python-six)
       ("python-requests" ,python-requests)
       ("python-pytz" ,python-pytz)
       ("python-pyrfc3339" ,python-pyrfc3339)
       ("python-pyasn1" ,python-pyasn1)
       ("python-cryptography" ,python-cryptography)
       ("python-pyopenssl" ,python-pyopenssl)))
    (arguments
     `(#:phases
       (modify-phases %standard-phases
         (add-before 'install 'disable-egg-compression
           (lambda _
             ;; Do not compress the egg.
             ;; See <http://bugs.gnu.org/20765>.
             (let ((cfg (open-file "setup.cfg" "a")))
               (display "\n[easy_install]\nzip_ok = 0\n" cfg)
               (close-port cfg)
               #t)))
         (add-after 'install 'docs
           (lambda* (#:key outputs #:allow-other-keys)
             (let* ((out (assoc-ref outputs "out"))
                    (man (string-append out "/share/man/man1"))
                    ;; NOTE(review): Info files go to OUT/info rather than
                    ;; OUT/share/info — confirm this is where the profile's
                    ;; Info lookup expects them.
                    (info (string-append out "/info")))
               ;; 'and' short-circuits if the documentation build exits
               ;; non-zero, failing the phase instead of installing nothing.
               (and (zero? (system* "make" "-C" "docs" "man" "info"))
                    (install-file "docs/_build/texinfo/acme-python.info" info)
                    (install-file "docs/_build/man/acme-python.1" man)
                    #t)))))))))
397
;; Python 2 build of 'python-acme'; required by the 'letsencrypt' client
;; below, which is Python 2 only at this version.
(define-public python2-acme
  (package-with-python2 python-acme))
400
;; The Let's Encrypt client.  Built for Python 2 (#:python), hence the
;; python2-* inputs and the dependency on 'python2-acme'.
(define-public letsencrypt
  (package
    (name "letsencrypt")
    (version "0.5.0")
    (source (origin
              (method url-fetch)
              (uri (pypi-uri "letsencrypt" version))
              (sha256
               (base32
                "0nnijs26kkw07yylszc97p3jw09y98j54xihjp0rprrbp1q2p2p3"))))
    (build-system python-build-system)
    (home-page "https://letsencrypt.org/")
    (synopsis "Let's Encrypt client")
    (description "Tool to automatically receive and install X.509 certificates
to enable TLS on servers. The client will interoperate with the Let’s Encrypt CA which
will be issuing browser-trusted certificates for free.")
    (license license:asl2.0)
    ;; TODO: Add optional inputs for testing.
    (native-inputs
     `(("python2-nose" ,python2-nose)
       ("python2-mock" ,python2-mock)
       ;; For documentation
       ("python2-sphinx" ,python2-sphinx)
       ("python2-sphinx-rtd-theme" ,python2-sphinx-rtd-theme)
       ("python2-sphinx-repoze-autointerface" ,python2-sphinx-repoze-autointerface)
       ("python2-sphinxcontrib-programoutput" ,python2-sphinxcontrib-programoutput)
       ("texinfo" ,texinfo)))
    (propagated-inputs
     `(("python2-acme" ,python2-acme)
       ("python2-zope-interface" ,python2-zope-interface)
       ("python2-pythondialog" ,python2-pythondialog)
       ("python2-pyrfc3339" ,python2-pyrfc3339)
       ("python2-pyopenssl" ,python2-pyopenssl)
       ("python2-configobj" ,python2-configobj)
       ("python2-configargparse" ,python2-configargparse)
       ("python2-zope-component" ,python2-zope-component)
       ("python2-parsedatetime" ,python2-parsedatetime)
       ("python2-six" ,python2-six)
       ("python2-psutil" ,python2-psutil)
       ("python2-requests" ,python2-requests)
       ("python2-pytz" ,python2-pytz)))
    (arguments
     `(#:python ,python-2
       #:phases
       (modify-phases %standard-phases
         (add-after 'install 'docs
           (lambda* (#:key outputs #:allow-other-keys)
             (let* ((out (assoc-ref outputs "out"))
                    (man1 (string-append out "/share/man/man1"))
                    (man7 (string-append out "/share/man/man7"))
                    ;; NOTE(review): Info files go to OUT/info rather than
                    ;; OUT/share/info — confirm this is where the profile's
                    ;; Info lookup expects them.
                    (info (string-append out "/info")))
               ;; Make the documented "--help all" invocation refer to the
               ;; installed binary by absolute path (presumably so the
               ;; program-output directive in the docs runs our copy).
               (substitute* "docs/man/letsencrypt.rst"
                 (("letsencrypt --help all")
                  (string-append out "/bin/letsencrypt" " --help all")))
               ;; 'and' short-circuits if the documentation build exits
               ;; non-zero, failing the phase instead of installing nothing.
               (and
                (zero? (system* "make" "-C" "docs" "man" "info"))
                (install-file "docs/_build/texinfo/LetsEncrypt.info" info)
                (install-file "docs/_build/man/letsencrypt.1" man1)
                (install-file "docs/_build/man/letsencrypt.7" man7)
                #t)))))))))
461
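;; Net::SSLeay: Perl bindings to OpenSSL.  Links against our 'openssl' via
;; OPENSSL_PREFIX and applies one local patch to the test suite.
(define-public perl-net-ssleay
  (package
    (name "perl-net-ssleay")
    (version "1.68")
    (source (origin
              (method url-fetch)
              (uri (string-append "mirror://cpan/authors/id/M/MI/MIKEM/"
                                  "Net-SSLeay-" version ".tar.gz"))
              (sha256
               (base32
                "1m2wwzhjwsg0drlhp9w12fl6bsgj69v8gdz72jqrqll3qr7f408p"))))
    (build-system perl-build-system)
    (native-inputs
     `(("patch" ,patch)
       ;; NOTE(review): this patch disables a test rather than fixing it;
       ;; check what coverage is lost before carrying it forward.
       ("patch/disable-ede-test"
        ,(search-patch "perl-net-ssleay-disable-ede-test.patch"))))
    (inputs `(("openssl" ,openssl)))
    (arguments
     `(#:phases
       (modify-phases %standard-phases
         (add-after 'unpack 'apply-patch
           (lambda* (#:key inputs #:allow-other-keys)
             ;; XXX We apply this patch here instead of in the 'origin' because
             ;; this package's build system fails badly when the source file
             ;; times are zeroed.
             ;; XXX Try removing this patch for perl-net-ssleay > 1.68
             (zero? (system* "patch" "--force" "-p1" "-i"
                             (assoc-ref inputs "patch/disable-ede-test")))))
         (add-before 'configure 'set-ssl-prefix
           (lambda* (#:key inputs #:allow-other-keys)
             ;; Point the build at our OpenSSL rather than letting it probe
             ;; the (empty) system locations.
             (setenv "OPENSSL_PREFIX" (assoc-ref inputs "openssl"))
             #t)))))
    (synopsis "Perl extension for using OpenSSL")
    (description
     "This module offers some high level convenience functions for accessing
web pages on SSL servers (for symmetry, the same API is offered for accessing
http servers, too), an sslcat() function for writing your own clients, and
finally access to the SSL api of the SSLeay/OpenSSL package so you can write
servers or clients for more complicated applications.")
    (license (package-license perl))
    ;; Use the distribution page rather than a release-specific one: the
    ;; previous URL was pinned to 1.66 and no longer matched 'version'.
    (home-page "http://search.cpan.org/dist/Net-SSLeay/")))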