233e7676 1;;; GNU Guix --- Functional package management for GNU
3c0f7910 2;;; Copyright © 2012, 2013, 2014, 2015, 2016, 2017 Ludovic Courtès <ludo@gnu.org>
e3df6938 3;;; Copyright © 2014, 2015, 2016, 2017 Mark H Weaver <mhw@netris.org>
29a7c98a 4;;; Copyright © 2014 Ian Denhardt <ian@zenhack.net>
cc2b77df 5;;; Copyright © 2013, 2015 Andreas Enge <andreas@enge.fr>
9fd0838b 6;;; Copyright © 2015 David Thompson <davet@gnu.org>
df0625ab 7;;; Copyright © 2015, 2016, 2017 Leo Famulari <leo@famulari.name>
2ed12d3f 8;;; Copyright © 2016, 2017 Efraim Flashner <efraim@flashner.co.il>
0741932b 9;;; Copyright © 2016, 2017, 2018 Nils Gillmann <ng0@n0.is>
375cef6c 10;;; Copyright © 2016 Hartmut Goebel <h.goebel@crazy-compilers.com>
ee33f9a7 11;;; Copyright © 2017 Ricardo Wurmus <rekado@elephly.net>
88e2511e 12;;; Copyright © 2017 Marius Bakke <mbakke@fastmail.com>
c80590f6 13;;; Copyright © 2017, 2018 Tobias Geerinckx-Rice <me@tobias.gr>
fbf5ca3c 14;;; Copyright © 2017 Rutger Helling <rhelling@mykolab.com>
7543f865 15;;;
233e7676 16;;; This file is part of GNU Guix.
7543f865 17;;;
233e7676 18;;; GNU Guix is free software; you can redistribute it and/or modify it
19;;; under the terms of the GNU General Public License as published by
20;;; the Free Software Foundation; either version 3 of the License, or (at
21;;; your option) any later version.
22;;;
233e7676 23;;; GNU Guix is distributed in the hope that it will be useful, but
24;;; WITHOUT ANY WARRANTY; without even the implied warranty of
25;;; MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
26;;; GNU General Public License for more details.
27;;;
28;;; You should have received a copy of the GNU General Public License
233e7676 29;;; along with GNU Guix. If not, see <http://www.gnu.org/licenses/>.
7543f865 30
a7fd7b68 31(define-module (gnu packages tls)
e9aa8d0c 32 #:use-module ((guix licenses) #:prefix license:)
33 #:use-module (guix packages)
34 #:use-module (guix download)
29a7c98a 35 #:use-module (guix utils)
7543f865 36 #:use-module (guix build-system gnu)
cc2b77df 37 #:use-module (guix build-system perl)
7890e3ba 38 #:use-module (guix build-system python)
88522738 39 #:use-module (guix build-system cmake)
587d1752 40 #:use-module (guix build-system haskell)
f61e0e79 41 #:use-module (gnu packages compression)
013ce67b 42 #:use-module (gnu packages)
ac257f12 43 #:use-module (gnu packages check)
5b9aa107 44 #:use-module (gnu packages dns)
1ffa7090 45 #:use-module (gnu packages guile)
46 #:use-module (gnu packages haskell)
47 #:use-module (gnu packages haskell-check)
48 #:use-module (gnu packages haskell-crypto)
0581c273 49 #:use-module (gnu packages libbsd)
27e86bed 50 #:use-module (gnu packages libffi)
866f469e 51 #:use-module (gnu packages libidn)
5d4c90ae 52 #:use-module (gnu packages linux)
7890e3ba 53 #:use-module (gnu packages ncurses)
27e86bed 54 #:use-module (gnu packages nettle)
1ffa7090 55 #:use-module (gnu packages perl)
27e86bed 56 #:use-module (gnu packages pkg-config)
7890e3ba 57 #:use-module (gnu packages python)
cc6f4912 58 #:use-module (gnu packages python-crypto)
1b2f753d 59 #:use-module (gnu packages python-web)
a31f4d35 60 #:use-module (gnu packages texinfo)
33dc54b0 61 #:use-module (gnu packages time)
62 #:use-module (gnu packages base)
63 #:use-module (srfi srfi-1))
64
(define-public libtasn1
  ;; ASN.1 parser used directly by 'p11-kit' and propagated by 'gnutls'
  ;; further down in this file.  Security fixes are delivered as a graft:
  ;; the 'replacement' package is substituted for this one in dependents
  ;; without rebuilding them.
  (package
    (name "libtasn1")
    (version "4.12")
    (source
     (origin
       (method url-fetch)
       (uri (string-append "mirror://gnu/libtasn1/libtasn1-" version
                           ".tar.gz"))
       ;; The CVE-2017-10790 fix is applied directly to the source.
       (patches (search-patches "libtasn1-CVE-2017-10790.patch"))
       (sha256
        (base32
         "0ls7jdq3y5fnrwg0pzhq11m21r8pshac2705bczz6mqjc8pdllv7"))))
    ;; Graft carrying the later CVE fix; defined right below.
    (replacement libtasn1/fixed)
    (build-system gnu-build-system)
    (native-inputs `(("perl" ,perl)))
    (synopsis "ASN.1 library")
    (description
     "GNU libtasn1 is a library implementing the ASN.1 notation. It is used
for transmitting machine-neutral encodings of data objects in computer
networking, allowing for formal validation of data according to some
specifications.")
    (home-page "https://www.gnu.org/software/libtasn1/")
    (license license:lgpl2.0+)))
7543f865 89
(define libtasn1/fixed
  ;; Graft for 'libtasn1' adding the CVE-2018-6003 fix on top of the
  ;; CVE-2017-10790 patch the base package already carries.  A graft must stay
  ;; ABI-compatible with what it replaces; this one only adds a patch.
  ;;
  ;; 'inherit' on an origin keeps every field not restated, but a restated
  ;; 'patches' field replaces the inherited list rather than extending it, so
  ;; both patches are listed here.
  (let ((base-source (package-source libtasn1)))
    (package
      (inherit libtasn1)
      (source
       (origin
         (inherit base-source)
         (patches (search-patches "libtasn1-CVE-2017-10790.patch"
                                  "libtasn1-CVE-2018-6003.patch")))))))
e3df6938 97
(define-public asn1c
  ;; Standalone ASN.1 compiler; unrelated to libtasn1 at build time.
  (package
    (name "asn1c")
    (version "0.9.28")
    (source
     (origin
       (method url-fetch)
       (uri (string-append "https://lionet.info/soft/asn1c-" version
                           ".tar.gz"))
       (sha256
        (base32
         "1fc64g45ykmv73kdndr4zdm4wxhimhrir4rxnygxvwkych5l81w0"))))
    (build-system gnu-build-system)
    (native-inputs `(("perl" ,perl)))
    (synopsis "ASN.1 to C compiler")
    (description "The ASN.1 to C compiler takes ASN.1 module
files and generates C++ compatible C source code. That code can be
used to serialize the native C structures into compact and unambiguous
BER/XER/PER-based data files, and deserialize the files back.

Various ASN.1 based formats are widely used in the industry, such as to encode
the X.509 certificates employed in the HTTPS handshake, to exchange control
data between mobile phones and cellular networks, to car-to-car communication
in intelligent transportation networks.")
    (home-page "https://lionet.info/asn1c")
    (license license:bsd-2)))
124
(define-public p11-kit
  (package
    (name "p11-kit")
    (version "0.23.10")
    (source
     (origin
       (method url-fetch)
       (uri (string-append "https://github.com/p11-glue/p11-kit/releases/"
                           "download/" version "/p11-kit-" version ".tar.gz"))
       (sha256
        (base32
         "0hxfwnyb5yllvlsh0cj6favcph36gm94b6df7zhl7xay48zjl8gr"))))
    (build-system gnu-build-system)
    (arguments
     ;; Build with no compiled-in default trust-anchor paths: the usual system
     ;; locations do not exist in the build chroot.  Any consumer that relies
     ;; on the p11-kit trust module therefore has to be told explicitly where
     ;; its anchors live.  Worth revisiting if PKCS#11 support is re-enabled
     ;; in 'gnutls' below.
     `(#:configure-flags '("--without-trust-paths")))
    (native-inputs
     `(("pkg-config" ,pkg-config)))
    (inputs
     `(("libffi" ,libffi)
       ("libtasn1" ,libtasn1)))
    (synopsis "PKCS#11 library")
    (description
     "p11-kit provides a way to load and enumerate PKCS#11 modules. It
provides a standard configuration setup for installing PKCS#11 modules
in such a way that they are discoverable. It also solves problems with
coordinating the use of PKCS#11 by different components or libraries
living in the same process.")
    (home-page "https://p11-glue.freedesktop.org/p11-kit.html")
    (license license:bsd-3)))
27e86bed 154
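(define-public gnutls
  (package
    (name "gnutls")
    (version "3.5.13")
    (source (origin
              (method url-fetch)
              (uri
               ;; Note: Releases are no longer on ftp.gnu.org since the
               ;; schism (after version 3.1.5).
               (string-append "mirror://gnupg/gnutls/v"
                              (version-major+minor version)
                              "/gnutls-" version ".tar.xz"))
              (patches
               (search-patches "gnutls-skip-trust-store-test.patch"
                               "gnutls-skip-pkgconfig-test.patch"))
              (sha256
               (base32
                "15ihq6p0hnnhs8cnjrkj40dmlcaa1jjg8xg0g2ydbnlqs454ixbr"))))
    (build-system gnu-build-system)
    (arguments
     `(;; Ensure we don't keep a reference to this buggy software.
       #:disallowed-references (,net-tools)
       #:configure-flags
       (list
        ;; GnuTLS doesn't consult any environment variables to specify
        ;; the location of the system-wide trust store.  Instead it has a
        ;; configure-time option.  Unless specified, its configure script
        ;; attempts to auto-detect the location by looking for common
        ;; places in the file system, none of which are present in our
        ;; chroot build environment.  If not found, then no default trust
        ;; store is used, so each program has to provide its own
        ;; fallback, and users have to configure each program
        ;; independently.  This seems suboptimal.
        ;;
        ;; /etc/ssl/certs lives outside the store, so the set of trusted
        ;; CAs is whatever the running system installs there rather than
        ;; something frozen into this package at build time.
        "--with-default-trust-store-dir=/etc/ssl/certs"

        ;; FIXME: Temporarily disable p11-kit support since it is not
        ;; working on mips64el.  Consequence: this build cannot load
        ;; PKCS#11 modules through p11-kit (e.g. smart cards, HSMs or the
        ;; p11-kit trust module); users needing that must build a
        ;; differently configured GnuTLS.
        "--without-p11-kit")

       #:phases (modify-phases %standard-phases
                  (add-after 'install 'move-doc
                    (lambda* (#:key outputs #:allow-other-keys)
                      ;; Move the 4.1 MiB of section 3 man pages to "doc".
                      (let* ((out    (assoc-ref outputs "out"))
                             (doc    (assoc-ref outputs "doc"))
                             (mandir (string-append doc "/share/man/man3"))
                             (oldman (string-append out "/share/man/man3")))
                        (mkdir-p mandir)
                        (copy-recursively oldman mandir)
                        (delete-file-recursively oldman)
                        #t))))))
    (outputs '("out"                    ;4.4 MiB
               "debug"
               "doc"))                  ;4.1 MiB of man pages
    (native-inputs
     `(("net-tools" ,net-tools)
       ("pkg-config" ,pkg-config)
       ("which" ,which)))
    (inputs
     `(("guile" ,guile-2.2)))
    (propagated-inputs
     ;; These are all in the 'Requires.private' field of gnutls.pc.
     `(("libtasn1" ,libtasn1)
       ("libidn2" ,libidn2)
       ("nettle" ,nettle)
       ("zlib" ,zlib)))
    (home-page "https://www.gnu.org/software/gnutls/")
    (synopsis "Transport layer security library")
    ;; The description previously read "X.5009"; the standard is X.509.
    (description
     "GnuTLS is a secure communications library implementing the SSL, TLS
and DTLS protocols. It is provided in the form of a C library to support the
protocols, as well as to parse and write X.509, PKCS 12, OpenPGP and other
required structures.")
    (license license:lgpl2.1+)
    (properties '((ftp-server . "ftp.gnutls.org")
                  (ftp-directory . "/gcrypt/gnutls")))))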
cc2b77df 232
(define-public gnutls/guile-2.2
  ;; Deprecation alias only: 'gnutls' itself is already built against
  ;; Guile 2.2 (see its 'inputs'), so the old "guile2.2-gnutls" name simply
  ;; resolves to it.
  (deprecated-package "guile2.2-gnutls" gnutls))
235
(define-public gnutls/guile-2.0
  ;; The same GnuTLS build, with its Guile bindings compiled against
  ;; Guile 2.0 instead of the 2.2 used by 'gnutls'.  Every input other than
  ;; "guile" is taken over unchanged.
  (package
    (inherit gnutls)
    (name "guile2.0-gnutls")
    (inputs
     (let ((without-guile (alist-delete "guile" (package-inputs gnutls))))
       (cons `("guile" ,guile-2.0) without-guile)))))
079f013b 243
(define-public gnutls/dane
  ;; GnuTLS with libgnutls-dane, which implements DNS-based Authentication of
  ;; Named Entities (DANE).  GNUnet's GNS support and gnURL need it.  It is a
  ;; separate package so that users can choose between GnuTLS with and
  ;; without DANE.
  ;;
  ;; Adding "unbound" to the inputs is what lets GnuTLS' configure script
  ;; pick up libunbound and build the DANE library.
  (package
    (inherit gnutls)
    (name "gnutls-dane")
    (inputs (cons `("unbound" ,unbound)
                  (package-inputs gnutls)))))
254
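(define-public openssl
  (package
    (name "openssl")
    ;; Security update delivered as a graft; see 'openssl-1.0.2o' below.
    (replacement openssl-1.0.2o)
    (version "1.0.2n")
    (source (origin
              (method url-fetch)
              (uri (list (string-append "https://www.openssl.org/source/openssl-"
                                        version ".tar.gz")
                         (string-append "ftp://ftp.openssl.org/source/"
                                        name "-" version ".tar.gz")
                         (string-append "ftp://ftp.openssl.org/source/old/"
                                        (string-trim-right version char-set:letter)
                                        "/" name "-" version ".tar.gz")))
              (sha256
               (base32
                "1zm82pyq5a9jm10q6iv7d3dih3xwjds4x30fqph3k317byvsn2rp"))
              (snippet
               '(begin
                  ;; Remove ELF files.  'substitute*' can't read them.
                  (delete-file "test/ssltest_old")
                  (delete-file "test/v3ext")
                  (delete-file "test/x509aux")
                  #t))
              (patches (search-patches "openssl-runpath.patch"
                                       "openssl-c-rehash-in.patch"))))
    (build-system gnu-build-system)
    (outputs '("out"
               "doc"                    ;1.5MiB of man3 pages
               "static"))               ;6MiB of .a files
    (native-inputs `(("perl" ,perl)))
    (arguments
     `(;; Changes to OpenSSL sometimes cause Perl to "sneak in" to the closure,
       ;; so we explicitly disallow it here.  This used to be passed as two
       ;; separate #:disallowed-references keywords (one with ,perl, one with
       ;; the canonical Perl); keyword-argument parsing honours only one
       ;; occurrence of a keyword, so the two lists are merged into one.
       #:disallowed-references (,perl ,(canonical-package perl))
       #:parallel-build? #f
       #:parallel-tests? #f
       #:test-target "test"
       #:phases
       (modify-phases %standard-phases
         (add-before 'configure 'patch-Makefile.org
           (lambda* (#:key outputs #:allow-other-keys)
             ;; The default MANDIR is some unusual place.  Fix that.
             (let ((out (assoc-ref outputs "out")))
               (patch-makefile-SHELL "Makefile.org")
               (substitute* "Makefile.org"
                 (("^MANDIR[[:blank:]]*=.*$")
                  (string-append "MANDIR = " out "/share/man\n")))
               #t)))
         (replace 'configure
           (lambda* (#:key outputs #:allow-other-keys)
             (let ((out (assoc-ref outputs "out")))
               (zero?
                (system* "./config"
                         "shared"       ;build shared libraries
                         "--libdir=lib"

                         ;; The default for this catch-all directory is
                         ;; PREFIX/ssl.  Change that to something more
                         ;; conventional.
                         (string-append "--openssldir=" out
                                        "/share/openssl-" ,version)

                         (string-append "--prefix=" out)

                         ;; XXX FIXME: Work around a code generation bug in GCC
                         ;; 4.9.3 on ARM when compiled with -mfpu=neon.  See:
                         ;; <https://gcc.gnu.org/bugzilla/show_bug.cgi?id=66917>
                         ,@(if (and (not (%current-target-system))
                                    (string-prefix? "armhf" (%current-system)))
                               '("-mfpu=vfpv3")
                               '()))))))
         (add-after 'install 'make-libraries-writable
           (lambda* (#:key outputs #:allow-other-keys)
             ;; Make libraries writable so that 'strip' does its job.
             (let ((out (assoc-ref outputs "out")))
               (for-each (lambda (file)
                           (chmod file #o644))
                         (find-files (string-append out "/lib")
                                     "\\.so"))
               #t)))
         (add-after 'install 'move-static-libraries
           (lambda* (#:key outputs #:allow-other-keys)
             ;; Move static libraries to the "static" output.
             (let* ((out    (assoc-ref outputs "out"))
                    (lib    (string-append out "/lib"))
                    (static (assoc-ref outputs "static"))
                    (slib   (string-append static "/lib")))
               (for-each (lambda (file)
                           (install-file file slib)
                           (delete-file file))
                         (find-files lib "\\.a$"))
               #t)))
         (add-after 'install 'move-man3-pages
           (lambda* (#:key outputs #:allow-other-keys)
             ;; Move section 3 man pages to "doc".
             (let* ((out    (assoc-ref outputs "out"))
                    (man3   (string-append out "/share/man/man3"))
                    (doc    (assoc-ref outputs "doc"))
                    (target (string-append doc "/share/man/man3")))
               (mkdir-p target)
               (for-each (lambda (file)
                           (rename-file file
                                        (string-append target "/"
                                                       (basename file))))
                         (find-files man3))
               (delete-file-recursively man3)
               #t)))
         (add-before 'patch-source-shebangs 'patch-tests
           (lambda* (#:key inputs native-inputs #:allow-other-keys)
             ;; The test scripts hard-code /bin/sh and /bin/rm, neither of
             ;; which exists in the build chroot.
             (let ((bash (assoc-ref (or native-inputs inputs) "bash")))
               (substitute* (find-files "test" ".*")
                 (("/bin/sh")
                  (string-append bash "/bin/sh"))
                 (("/bin/rm")
                  "rm"))
               #t)))
         (add-after 'install 'remove-miscellany
           (lambda* (#:key outputs #:allow-other-keys)
             ;; The 'misc' directory contains random undocumented shell and Perl
             ;; scripts.  Remove them to avoid retaining a reference on Perl.
             (let ((out (assoc-ref outputs "out")))
               (delete-file-recursively (string-append out "/share/openssl-"
                                                       ,version "/misc"))
               #t))))))
    (native-search-paths
     ;; Both variables designate a single location, hence 'separator #f'.
     (list (search-path-specification
            (variable "SSL_CERT_DIR")
            (separator #f)              ;single entry
            (files '("etc/ssl/certs")))
           (search-path-specification
            (variable "SSL_CERT_FILE")
            (file-type 'regular)
            (separator #f)              ;single entry
            (files '("etc/ssl/certs/ca-certificates.crt")))))
    (synopsis "SSL/TLS implementation")
    (description
     "OpenSSL is an implementation of SSL/TLS.")
    (license license:openssl)
    (home-page "https://www.openssl.org/")))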
cc2b77df 402
(define openssl-1.0.2o
  ;; Graft replacing the 'openssl' 1.0.2n package above.  Grafts must stay
  ;; ABI-compatible with what they replace, which holds for a patch release
  ;; within the 1.0.2 series.  'name' is restated so that the 'uri'
  ;; expressions can refer to it.
  (package
    (inherit openssl)
    (name "openssl")
    (version "1.0.2o")
    (source
     (origin
       (inherit (package-source openssl))
       (uri (list (string-append "https://www.openssl.org/source/openssl-"
                                 version ".tar.gz")
                  (string-append "ftp://ftp.openssl.org/source/"
                                 name "-" version ".tar.gz")
                  (string-append "ftp://ftp.openssl.org/source/old/"
                                 (string-trim-right version char-set:letter)
                                 "/" name "-" version ".tar.gz")))
       (sha256
        (base32
         "0kcy13l701054nhpbd901mz32v1kn4g311z0nifd83xs2jbmqgzc"))
       ;; The inherited snippet deletes ELF test files that do not exist in
       ;; 1.0.2o; drop it.  The inherited patches still apply.
       (snippet #f)))))
423
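(define-public openssl-next
  (package
    (inherit openssl)
    (name "openssl")
    (version "1.1.0h")
    ;; 'openssl' above carries a graft ('replacement') pointing at a 1.0.2
    ;; release, and a plain 'inherit' copies that field.  Left in place it
    ;; would graft the 1.0.2 libraries over this 1.1.0 build, a different
    ;; major series.  Reset it: this package has no replacement of its own.
    (replacement #f)
    (source (origin
              (method url-fetch)
              (uri (list (string-append "https://www.openssl.org/source/openssl-"
                                        version ".tar.gz")
                         (string-append "ftp://ftp.openssl.org/source/"
                                        name "-" version ".tar.gz")
                         (string-append "ftp://ftp.openssl.org/source/old/"
                                        (string-trim-right version char-set:letter)
                                        "/" name "-" version ".tar.gz")))
              (patches (search-patches "openssl-1.1.0-c-rehash-in.patch"))
              (sha256
               (base32
                "05x509lccqjscgyi935z809pwfm708islypwhmjnb6cyvrn64daq"))))
    (outputs '("out"
               "doc"                    ;1.3MiB of man3 pages
               "static"))               ;5.5MiB of .a files
    (arguments
     (substitute-keyword-arguments (package-arguments openssl)
       ((#:phases phases)
        `(modify-phases ,phases
           (delete 'patch-tests)          ;These two phases are not needed by
           (delete 'patch-Makefile.org)   ;OpenSSL 1.1.0.

           ;; Override configure phase since -rpath is now a configure option.
           (replace 'configure
             (lambda* (#:key outputs #:allow-other-keys)
               (let* ((out (assoc-ref outputs "out"))
                      (lib (string-append out "/lib")))
                 (zero?
                  (system* "./config"
                           "shared"     ;build shared libraries
                           "--libdir=lib"

                           ;; The default for this catch-all directory is
                           ;; PREFIX/ssl.  Change that to something more
                           ;; conventional.
                           (string-append "--openssldir=" out
                                          "/share/openssl-" ,version)

                           (string-append "--prefix=" out)
                           (string-append "-Wl,-rpath," lib)

                           ;; XXX FIXME: Work around a code generation bug in GCC
                           ;; 4.9.3 on ARM when compiled with -mfpu=neon.  See:
                           ;; <https://gcc.gnu.org/bugzilla/show_bug.cgi?id=66917>
                           ,@(if (and (not (%current-target-system))
                                      (string-prefix? "armhf" (%current-system)))
                                 '("-mfpu=vfpv3")
                                 '())))))))

           ;; XXX: Duplicate this phase to make sure 'version' evaluates
           ;; in the current scope and not the inherited one.
           (replace 'remove-miscellany
             (lambda* (#:key outputs #:allow-other-keys)
               ;; The 'misc' directory contains random undocumented shell and Perl
               ;; scripts.  Remove them to avoid retaining a reference on Perl.
               (let ((out (assoc-ref outputs "out")))
                 (delete-file-recursively (string-append out "/share/openssl-"
                                                         ,version "/misc"))
                 #t)))))))))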
489
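(define-public libressl
  (package
    (name "libressl")
    (version "2.7.2")
    (source (origin
              (method url-fetch)
              (uri (string-append "mirror://openbsd/LibreSSL/"
                                  name "-" version ".tar.gz"))
              (sha256
               (base32
                "1589f0kg7kj51j9hid542s4isb96s1azjaqsfprpy5s2qdwqfyli"))))
    (build-system gnu-build-system)
    (arguments
     ;; Do as if 'getentropy' was missing since older Linux kernels lack it
     ;; and libc would return ENOSYS, which is not properly handled.
     ;; See <https://lists.gnu.org/archive/html/guix-devel/2017-04/msg00235.html>.
     ;;
     ;; NOTE(review): this routes LibreSSL's entropy collection through its
     ;; portable fallback instead of the getentropy(2) syscall.  Confirm that
     ;; fallback is acceptable for sandboxed consumers ('acme-client' below
     ;; runs in a chroot) before relying on it there.
     '(#:configure-flags '("ac_cv_func_getentropy=no"
                           ;; Provide a TLS-enabled netcat.
                           "--enable-nc")))
    (native-search-paths
     ;; SSL_CERT_DIR and SSL_CERT_FILE each designate a single directory or
     ;; file, not a colon-separated search path.  'separator #f' makes the
     ;; profile export exactly one entry, matching the 'openssl' package
     ;; above (which previously differed from this one).
     (list (search-path-specification
            (variable "SSL_CERT_DIR")
            (separator #f)              ;single entry
            (files '("etc/ssl/certs")))
           (search-path-specification
            (variable "SSL_CERT_FILE")
            (file-type 'regular)
            (separator #f)              ;single entry
            (files '("etc/ssl/certs/ca-certificates.crt")))))
    (home-page "https://www.libressl.org/")
    (synopsis "SSL/TLS implementation")
    (description "LibreSSL is a version of the TLS/crypto stack, forked from
OpenSSL in 2014 with the goals of modernizing the codebase, improving security,
and applying best practice development processes. This package also includes a
netcat implementation that supports TLS.")
    ;; Files taken from OpenSSL keep their license, others are under various
    ;; non-copyleft licenses.
    (license (list license:openssl
                   (license:non-copyleft
                    "file://COPYING"
                    "See COPYING in the distribution.")))))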
532
(define-public python-acme
  ;; ACME client library shared with 'certbot' below, which pins its own
  ;; version to this one.
  (package
    (name "python-acme")
    ;; Remember to update the hash of certbot when updating python-acme.
    (version "0.23.0")
    (source
     (origin
       (method url-fetch)
       (uri (pypi-uri "acme" version))
       (sha256
        (base32
         "0l257dq1i2gka6ynldidpwaz1aa726643crqqckga1w5awsndh88"))))
    (build-system python-build-system)
    (arguments
     `(#:phases
       (modify-phases %standard-phases
         ;; Sphinx-generated man page and Info manual.
         (add-after 'build 'build-documentation
           (lambda _
             (zero? (system* "make" "-C" "docs" "man" "info"))))
         (add-after 'install 'install-documentation
           (lambda* (#:key outputs #:allow-other-keys)
             ;; The Info manual goes to PREFIX/info (not share/info); kept
             ;; as-is, presumably intentional.
             (let* ((out      (assoc-ref outputs "out"))
                    (man1-dir (string-append out "/share/man/man1"))
                    (info-dir (string-append out "/info")))
               (install-file "docs/_build/texinfo/acme-python.info" info-dir)
               (install-file "docs/_build/man/acme-python.1" man1-dir)
               #t))))))
    ;; TODO: Add optional inputs for testing.
    (native-inputs
     `(("python-mock" ,python-mock)
       ;; For documentation
       ("python-sphinx" ,python-sphinx)
       ("python-sphinxcontrib-programoutput" ,python-sphinxcontrib-programoutput)
       ("python-sphinx-rtd-theme" ,python-sphinx-rtd-theme)
       ("texinfo" ,texinfo)))
    (propagated-inputs
     `(("python-josepy" ,python-josepy)
       ("python-six" ,python-six)
       ("python-requests" ,python-requests)
       ("python-pytz" ,python-pytz)
       ("python-pyrfc3339" ,python-pyrfc3339)
       ("python-pyasn1" ,python-pyasn1)
       ("python-cryptography" ,python-cryptography)
       ("python-pyopenssl" ,python-pyopenssl)))
    (synopsis "ACME protocol implementation in Python")
    (description "ACME protocol implementation in Python")
    (home-page "https://github.com/certbot/certbot")
    (license license:asl2.0)))
580
(define-public certbot
  (package
    (name "certbot")
    ;; Certbot and python-acme are developed in the same repository, and their
    ;; versions should remain synchronized.
    (version (package-version python-acme))
    (source
     (origin
       (method url-fetch)
       (uri (pypi-uri name version))
       (sha256
        (base32
         "0gh5fr61c3mj5vdkn68k17wcvri9rdj506cmmz6631i2l5flrzvc"))))
    (build-system python-build-system)
    ;; Reuse python-acme's build phases; only the documentation install step
    ;; differs (different file names, plus a section 7 man page).
    (arguments
     (substitute-keyword-arguments (package-arguments python-acme)
       ((#:phases phases)
        `(modify-phases ,phases
           (replace 'install-documentation
             (lambda* (#:key outputs #:allow-other-keys)
               (let* ((out      (assoc-ref outputs "out"))
                      (man1-dir (string-append out "/share/man/man1"))
                      (man7-dir (string-append out "/share/man/man7"))
                      (info-dir (string-append out "/info")))
                 (install-file "docs/_build/texinfo/Certbot.info" info-dir)
                 (install-file "docs/_build/man/certbot.1" man1-dir)
                 (install-file "docs/_build/man/certbot.7" man7-dir)
                 #t)))))))
    ;; TODO: Add optional inputs for testing.
    (native-inputs
     `(("python-nose" ,python-nose)
       ("python-mock" ,python-mock)
       ;; For documentation
       ("python-sphinx" ,python-sphinx)
       ("python-sphinx-rtd-theme" ,python-sphinx-rtd-theme)
       ("python-sphinx-repoze-autointerface" ,python-sphinx-repoze-autointerface)
       ("python-sphinxcontrib-programoutput" ,python-sphinxcontrib-programoutput)
       ("texinfo" ,texinfo)))
    (propagated-inputs
     `(("python-acme" ,python-acme)
       ("python-zope-interface" ,python-zope-interface)
       ("python-pyrfc3339" ,python-pyrfc3339)
       ("python-pyopenssl" ,python-pyopenssl)
       ("python-configobj" ,python-configobj)
       ("python-configargparse" ,python-configargparse)
       ("python-zope-component" ,python-zope-component)
       ("python-parsedatetime" ,python-parsedatetime)
       ("python-six" ,python-six)
       ("python-psutil" ,python-psutil)
       ("python-requests" ,python-requests)
       ("python-pytz" ,python-pytz)))
    (home-page "https://certbot.eff.org/")
    (synopsis "Let's Encrypt client by the Electronic Frontier Foundation")
    (description "Certbot automatically receives and installs X.509 certificates
to enable Transport Layer Security (TLS) on servers. It interoperates with the
Let’s Encrypt certificate authority (CA), which issues browser-trusted
certificates for free.")
    (license license:asl2.0)))
638
(define-public letsencrypt
  ;; Former name of 'certbot'.  The 'superseded' property marks it as
  ;; replaced by 'certbot'; everything else is inherited unchanged.
  (package
    (inherit certbot)
    (name "letsencrypt")
    (properties `((superseded . ,certbot)))))
9495cf9a 643
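(define-public perl-net-ssleay
  (package
    (name "perl-net-ssleay")
    (version "1.82")
    (source (origin
              (method url-fetch)
              (uri (string-append "mirror://cpan/authors/id/M/MI/MIKEM/"
                                  "Net-SSLeay-" version ".tar.gz"))
              (sha256
               (base32
                "1rf78z1macgmp6mwd7c2xq4yfw6wpf28hfwfz1d5wslqr4cwb5aq"))))
    (build-system perl-build-system)
    (inputs `(("openssl" ,openssl)))
    (arguments
     `(#:phases
       (modify-phases %standard-phases
         (add-before 'configure 'set-ssl-prefix
           (lambda* (#:key inputs #:allow-other-keys)
             ;; Point Makefile.PL at our OpenSSL rather than letting it probe
             ;; system locations that do not exist in the build chroot.
             (setenv "OPENSSL_PREFIX" (assoc-ref inputs "openssl"))
             #t)))))
    (synopsis "Perl extension for using OpenSSL")
    (description
     "This module offers some high level convenience functions for accessing
web pages on SSL servers (for symmetry, the same API is offered for accessing
http servers, too), an sslcat() function for writing your own clients, and
finally access to the SSL api of the SSLeay/OpenSSL package so you can write
servers or clients for more complicated applications.")
    (license license:perl-license)
    ;; Previously pinned to the 1.66 release page, which had fallen out of
    ;; step with 'version'; use the version-independent dist page, as the
    ;; other CPAN packages in this file do.
    (home-page "http://search.cpan.org/dist/Net-SSLeay")))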
674
(define-public perl-crypt-openssl-rsa
  (package
    (name "perl-crypt-openssl-rsa")
    (version "0.28")
    (source
     (origin
       (method url-fetch)
       (uri (string-append
             "mirror://cpan/authors/id/P/PE/PERLER/Crypt-OpenSSL-RSA-"
             version ".tar.gz"))
       (sha256
        (base32
         "1gnpvv09b2gpifwdzc5jnhama3d1a4c39lzj9hcaicsb8rvzjmsk"))))
    (build-system perl-build-system)
    ;; Shared Makefile.PL fix-up for the Crypt::OpenSSL::* modules; defined
    ;; below this package.
    (arguments perl-crypt-arguments)
    (inputs
     `(("perl-crypt-openssl-bignum" ,perl-crypt-openssl-bignum)
       ("perl-crypt-openssl-random" ,perl-crypt-openssl-random)
       ("openssl" ,openssl)))
    (synopsis
     "RSA encoding and decoding, using the openSSL libraries")
    (description "Crypt::OpenSSL::RSA does RSA encoding and decoding (using the
OpenSSL libraries).")
    (home-page
     "http://search.cpan.org/dist/Crypt-OpenSSL-RSA")
    (license license:perl-license)))
702
(define perl-crypt-arguments
  ;; Build arguments shared by the Crypt::OpenSSL::* modules in this file.
  ;; Their Makefile.PL carries a 'LIBS' entry that would not otherwise point
  ;; at our openssl input; rewrite it to link libcrypto from that input.
  `(#:phases
    (modify-phases %standard-phases
      (add-before 'configure 'patch-Makefile.PL
        (lambda* (#:key inputs #:allow-other-keys)
          (let ((libdir (string-append (assoc-ref inputs "openssl") "/lib")))
            (substitute* "Makefile.PL"
              (("'LIBS'.*=>.*")
               (string-append "'LIBS' => ['-L" libdir " -lcrypto'],")))
            #t))))))
712
(define-public perl-crypt-openssl-bignum
  (package
    (name "perl-crypt-openssl-bignum")
    (version "0.09")
    (source
     (origin
       (method url-fetch)
       (uri (string-append
             "mirror://cpan/authors/id/K/KM/KMX/Crypt-OpenSSL-Bignum-"
             version ".tar.gz"))
       (sha256
        (base32
         "1p22znbajq91lbk2k3yg12ig7hy5b4vy8igxwqkmbm4nhgxp4ki3"))))
    (build-system perl-build-system)
    ;; Same Makefile.PL fix-up as the other Crypt::OpenSSL::* modules.
    (arguments perl-crypt-arguments)
    (inputs `(("openssl" ,openssl)))
    (synopsis
     "OpenSSL's multiprecision integer arithmetic in Perl")
    (description "Crypt::OpenSSL::Bignum provides multiprecision integer
arithmetic in Perl.")
    (home-page
     "http://search.cpan.org/dist/Crypt-OpenSSL-Bignum")
    ;; At your option either gpl1+ or the Artistic License
    (license license:perl-license)))
cccb4d26 738
(define-public perl-crypt-openssl-guess
  ;; Pure-Perl helper; needs no OpenSSL at build time, so it takes neither
  ;; the openssl input nor 'perl-crypt-arguments'.
  (package
    (name "perl-crypt-openssl-guess")
    (version "0.11")
    (source
     (origin
       (method url-fetch)
       (uri (string-append
             "mirror://cpan/authors/id/A/AK/AKIYM/Crypt-OpenSSL-Guess-"
             version ".tar.gz"))
       (sha256
        (base32
         "0rvi9l4ljcbhwwvspq019nfq2h2v746dk355h2nwnlmqikiihsxa"))))
    (build-system perl-build-system)
    (synopsis "Guess the OpenSSL include path")
    (description
     "The Crypt::OpenSSL::Guess Perl module provides helpers to guess the
correct OpenSSL include path. It is intended for use in your
@file{Makefile.PL}.")
    (home-page "http://search.cpan.org/dist/Crypt-OpenSSL-Guess/")
    (license license:perl-license)))
760
(define-public perl-crypt-openssl-random
  (package
    (name "perl-crypt-openssl-random")
    (version "0.13")
    (source
     (origin
       (method url-fetch)
       (uri (string-append
             "mirror://cpan/authors/id/R/RU/RURBAN/Crypt-OpenSSL-Random-"
             version ".tar.gz"))
       (sha256
        (base32
         "0vmvrb3shrzjzri3qn524dzdasbq8zhhbpc1vmq8sx68n4jhizb0"))))
    (build-system perl-build-system)
    ;; Same Makefile.PL fix-up as the other Crypt::OpenSSL::* modules.
    (arguments perl-crypt-arguments)
    ;; Crypt::OpenSSL::Guess is only consulted by Makefile.PL at build time.
    (native-inputs
     `(("perl-crypt-openssl-guess" ,perl-crypt-openssl-guess)))
    (inputs
     `(("openssl" ,openssl)))
    (synopsis
     "OpenSSL/LibreSSL pseudo-random number generator access")
    (description "Crypt::OpenSSL::Random is a OpenSSL/LibreSSL pseudo-random
number generator")
    (home-page
     "http://search.cpan.org/dist/Crypt-OpenSSL-Random")
    (license license:perl-license)))
788
(define-public acme-client
  (package
    (name "acme-client")
    (version "0.1.16")
    (source
     (origin
       (method url-fetch)
       (uri (string-append "https://kristaps.bsd.lv/" name "/"
                           "snapshots/" name "-portable-"
                           version ".tgz"))
       (sha256
        (base32
         "00q05b3b1dfnfp7sr1nbd212n0mqrycl3cr9lbs51m7ncaihbrz9"))))
    (build-system gnu-build-system)
    (native-inputs
     `(("pkg-config" ,pkg-config)))
    (inputs
     `(("libbsd" ,libbsd)
       ("libressl" ,libressl)))
    (arguments
     '(#:tests? #f                      ;no test suite
       #:make-flags
       (list "CC=gcc"
             (string-append "PREFIX=" (assoc-ref %outputs "out")))
       #:phases
       (modify-phases %standard-phases
         ;; There is no './configure' script.
         (delete 'configure)
         (add-after 'unpack 'patch-paths
           (lambda* (#:key inputs #:allow-other-keys)
             ;; http.c hard-codes /etc/ssl/cert.pem as its CA bundle; point
             ;; it at the cert.pem shipped by the libressl input instead.
             ;; Caveat: that bundle lives in the store, so the set of CAs
             ;; trusted for the client's HTTPS connections is fixed at build
             ;; time and does not follow the system's /etc/ssl/certs;
             ;; refreshing it means rebuilding against a newer libressl.
             (let ((ca-bundle (string-append (assoc-ref inputs "libressl")
                                             "/etc/ssl/cert.pem")))
               (substitute* "http.c"
                 (("/etc/ssl/cert.pem") ca-bundle))
               #t))))))
    (synopsis "Let's Encrypt client by the OpenBSD project")
    (description "acme-client is a Let's Encrypt client implemented in C. It
uses a modular design, and attempts to secure itself by dropping privileges and
operating in a chroot where possible. acme-client is developed on OpenBSD and
then ported to the GNU / Linux environment.")
    (home-page "https://kristaps.bsd.lv/acme-client/")
    ;; acme-client is distributed under the ISC license, but the files 'jsmn.h'
    ;; and 'jsmn.c' are distributed under the Expat license.
    (license (list license:isc license:expat))))
;; The "-apache" variant is the one upstream prefers.  A "-gpl"
;; variant exists in addition to the "-apache" one.
(define-public mbedtls-apache
  (package
    (name "mbedtls-apache")
    (version "2.7.2")
    (home-page "https://tls.mbed.org")
    (source
     (origin
       (method url-fetch)
       ;; XXX: The download links on the website are script redirection links
       ;; which effectively lead to the format listed in the uri here.
       (uri (string-append "https://tls.mbed.org/download/mbedtls-" version
                           "-apache.tgz"))
       (sha256
        (base32 "1mvkqlxxvl6yp1g5g9dk4l7h3wl6149p3pfwgwzgs7xybyxw4f7x"))))
    (build-system cmake-build-system)
    (native-inputs
     `(("perl" ,perl)))
    ;; Request shared libraries so dependents link dynamically and can pick
    ;; up library updates without being rebuilt themselves.
    (arguments
     '(#:configure-flags
       (list "-DUSE_SHARED_MBEDTLS_LIBRARY=ON")))
    (synopsis "Small TLS library")
    (description
     "@code{mbed TLS}, formerly known as PolarSSL, makes it trivially easy
for developers to include cryptographic and SSL/TLS capabilities in their
(embedded) products, facilitating this functionality with a minimal
coding footprint.")
    (license license:asl2.0)))
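(define-public ghc-tls
  (package
    (name "ghc-tls")
    (version "1.3.8")
    (source (origin
              (method url-fetch)
              (uri (string-append "https://hackage.haskell.org/package/"
                                  "tls/tls-" version ".tar.gz"))
              (sha256
               (base32
                "1rdidf18i781c0vdvy9yn79yh08hmcacf6fp3sgghyiy3h0wyh5l"))))
    (build-system haskell-build-system)
    (inputs
     `(("ghc-mtl" ,ghc-mtl)
       ("ghc-cereal" ,ghc-cereal)
       ("ghc-data-default-class" ,ghc-data-default-class)
       ("ghc-memory" ,ghc-memory)
       ("ghc-cryptonite" ,ghc-cryptonite)
       ("ghc-asn1-types" ,ghc-asn1-types)
       ("ghc-asn1-encoding" ,ghc-asn1-encoding)
       ("ghc-x509" ,ghc-x509)
       ("ghc-x509-store" ,ghc-x509-store)
       ("ghc-x509-validation" ,ghc-x509-validation)
       ("ghc-async" ,ghc-async)
       ("ghc-network" ,ghc-network)
       ("ghc-hourglass" ,ghc-hourglass)))
    ;; Test-only dependencies.
    (native-inputs
     `(("ghc-tasty" ,ghc-tasty)
       ("ghc-tasty-quickcheck" ,ghc-tasty-quickcheck)
       ("ghc-quickcheck" ,ghc-quickcheck)))
    (home-page "https://github.com/vincenthz/hs-tls")
    (synopsis
     "TLS/SSL protocol native implementation (Server and Client)")
    ;; Grammar of the upstream description corrected; the list of protocol
    ;; versions is upstream's claim for this release.
    ;; NOTE(review): SSL 3.0 is advertised as supported.  That protocol
    ;; version is obsolete (RFC 7568); whether it is enabled by default in
    ;; this build is not visible from this definition.
    (description
     "Native Haskell TLS and SSL protocol implementation for server and client.
This provides a high-level implementation of a sensitive security protocol,
eliminating a common set of security issues through the use of the advanced
type system, high level constructions and common Haskell features. It
currently implements the SSL3.0, TLS1.0, TLS1.1 and TLS1.2 protocols, and
supports RSA and Ephemeral (Elliptic curve and regular) Diffie-Hellman key
exchanges, and many extensions.")
    (license license:bsd-3)))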