233e7676 1;;; GNU Guix --- Functional package management for GNU
3c0f7910 2;;; Copyright © 2012, 2013, 2014, 2015, 2016, 2017 Ludovic Courtès <ludo@gnu.org>
05f6e601 3;;; Copyright © 2014, 2015, 2016, 2017, 2018 Mark H Weaver <mhw@netris.org>
29a7c98a 4;;; Copyright © 2014 Ian Denhardt <ian@zenhack.net>
cc2b77df 5;;; Copyright © 2013, 2015 Andreas Enge <andreas@enge.fr>
9fd0838b 6;;; Copyright © 2015 David Thompson <davet@gnu.org>
2a5b5bfd 7;;; Copyright © 2015, 2016, 2017, 2018 Leo Famulari <leo@famulari.name>
2ed12d3f 8;;; Copyright © 2016, 2017 Efraim Flashner <efraim@flashner.co.il>
0741932b 9;;; Copyright © 2016, 2017, 2018 Nils Gillmann <ng0@n0.is>
375cef6c 10;;; Copyright © 2016 Hartmut Goebel <h.goebel@crazy-compilers.com>
ee33f9a7 11;;; Copyright © 2017 Ricardo Wurmus <rekado@elephly.net>
d5c472a2 12;;; Copyright © 2017, 2018 Marius Bakke <mbakke@fastmail.com>
fe15613c 13;;; Copyright © 2017, 2018 Tobias Geerinckx-Rice <me@tobias.gr>
fbf5ca3c 14;;; Copyright © 2017 Rutger Helling <rhelling@mykolab.com>
e8b3a158 15;;; Copyright © 2018 Clément Lassieur <clement@lassieur.org>
7543f865 16;;;
233e7676 17;;; This file is part of GNU Guix.
7543f865 18;;;
233e7676 19;;; GNU Guix is free software; you can redistribute it and/or modify it
20;;; under the terms of the GNU General Public License as published by
21;;; the Free Software Foundation; either version 3 of the License, or (at
22;;; your option) any later version.
23;;;
233e7676 24;;; GNU Guix is distributed in the hope that it will be useful, but
25;;; WITHOUT ANY WARRANTY; without even the implied warranty of
26;;; MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
27;;; GNU General Public License for more details.
28;;;
29;;; You should have received a copy of the GNU General Public License
233e7676 30;;; along with GNU Guix. If not, see <http://www.gnu.org/licenses/>.
7543f865 31
a7fd7b68 32(define-module (gnu packages tls)
e9aa8d0c 33 #:use-module ((guix licenses) #:prefix license:)
34 #:use-module (guix packages)
35 #:use-module (guix download)
29a7c98a 36 #:use-module (guix utils)
7543f865 37 #:use-module (guix build-system gnu)
cc2b77df 38 #:use-module (guix build-system perl)
7890e3ba 39 #:use-module (guix build-system python)
88522738 40 #:use-module (guix build-system cmake)
587d1752 41 #:use-module (guix build-system haskell)
e8b3a158 42 #:use-module (guix build-system trivial)
f61e0e79 43 #:use-module (gnu packages compression)
013ce67b 44 #:use-module (gnu packages)
e8b3a158 45 #:use-module (gnu packages bash)
ac257f12 46 #:use-module (gnu packages check)
e8b3a158 47 #:use-module (gnu packages curl)
5b9aa107 48 #:use-module (gnu packages dns)
e8b3a158 49 #:use-module (gnu packages gawk)
1ffa7090 50 #:use-module (gnu packages guile)
51 #:use-module (gnu packages haskell)
52 #:use-module (gnu packages haskell-check)
53 #:use-module (gnu packages haskell-crypto)
0581c273 54 #:use-module (gnu packages libbsd)
27e86bed 55 #:use-module (gnu packages libffi)
866f469e 56 #:use-module (gnu packages libidn)
5d4c90ae 57 #:use-module (gnu packages linux)
7890e3ba 58 #:use-module (gnu packages ncurses)
27e86bed 59 #:use-module (gnu packages nettle)
1ffa7090 60 #:use-module (gnu packages perl)
27e86bed 61 #:use-module (gnu packages pkg-config)
7890e3ba 62 #:use-module (gnu packages python)
cc6f4912 63 #:use-module (gnu packages python-crypto)
1b2f753d 64 #:use-module (gnu packages python-web)
a31f4d35 65 #:use-module (gnu packages texinfo)
33dc54b0 66 #:use-module (gnu packages time)
67 #:use-module (gnu packages base)
68 #:use-module (srfi srfi-1))
69
(define-public libtasn1
  ;; GNU libtasn1, the ASN.1 (DER/BER) encoder/decoder.  It is an input of
  ;; p11-kit and a propagated input of gnutls further down this file, i.e. it
  ;; ends up decoding data those libraries receive from the network, so keep
  ;; it on the current upstream release.
  (package
    (name "libtasn1")
    (version "4.13")
    (build-system gnu-build-system)
    ;; Shared library only; no unquoting is needed here, so a plain quote does.
    (arguments
     '(#:configure-flags '("--disable-static")))
    ;; Perl is a build-time-only dependency.
    (native-inputs `(("perl" ,perl)))
    (source
     (origin
       (method url-fetch)
       (uri (string-append "mirror://gnu/libtasn1/libtasn1-" version ".tar.gz"))
       ;; The tarball's integrity is pinned here whichever mirror served it.
       (sha256
        (base32 "1jlc1iahj8k3haz28j55nzg7sgni5h41vqy461i1bpbx6668wlky"))))
    (home-page "https://www.gnu.org/software/libtasn1/")
    (synopsis "ASN.1 library")
    (description
     "GNU libtasn1 is a library implementing the ASN.1 notation. It is used
for transmitting machine-neutral encodings of data objects in computer
networking, allowing for formal validation of data according to some
specifications.")
    (license license:lgpl2.0+)))
7543f865 94
(define-public asn1c
  ;; Compiler from ASN.1 modules to C.  Note that it is the *generated* code,
  ;; not this package, that decodes BER/XER/PER input in downstream programs;
  ;; updating asn1c only affects sources regenerated afterwards.
  (package
    (name "asn1c")
    (version "0.9.28")
    (build-system gnu-build-system)
    (native-inputs `(("perl" ,perl)))
    (source (origin
              (method url-fetch)
              ;; Fetched over HTTPS; the hash below remains the integrity check.
              (uri (string-append "https://lionet.info/soft/asn1c-" version
                                  ".tar.gz"))
              (sha256
               (base32
                "1fc64g45ykmv73kdndr4zdm4wxhimhrir4rxnygxvwkych5l81w0"))))
    (home-page "https://lionet.info/asn1c")
    (synopsis "ASN.1 to C compiler")
    (description "The ASN.1 to C compiler takes ASN.1 module
files and generates C++ compatible C source code. That code can be
used to serialize the native C structures into compact and unambiguous
BER/XER/PER-based data files, and deserialize the files back.

Various ASN.1 based formats are widely used in the industry, such as to encode
the X.509 certificates employed in the HTTPS handshake, to exchange control
data between mobile phones and cellular networks, to car-to-car communication
in intelligent transportation networks.")
    (license license:bsd-2)))
121
(define-public p11-kit
  (package
    (name "p11-kit")
    (version "0.23.14")
    (source
     (origin
       (method url-fetch)
       (uri (string-append "https://github.com/p11-glue/p11-kit/releases/download/"
                           version "/p11-kit-" version ".tar.gz"))
       (sha256
        (base32 "0w0dkq9388grbbn4bv2p55vy1j51f7nd9hzlc9gz4fbm4dnzmf8w"))))
    (build-system gnu-build-system)
    (arguments
     ;; Nothing in this argument list is unquoted, so a plain quote suffices.
     '(#:configure-flags
       ;; NOTE(review): with no trust paths compiled in, p11-kit's trust module
       ;; has no default location for system CA certificates; consumers must
       ;; configure that themselves.  (gnutls below is currently built
       ;; --without-p11-kit and points at /etc/ssl/certs directly.)  Confirm
       ;; this is still the intended setup before re-enabling p11-kit in gnutls.
       '("--without-trust-paths")
       #:phases
       (modify-phases %standard-phases
         (add-before 'check 'prepare-tests
           (lambda _
             ;; Drop "test-runtime" from the test list: it wants an
             ;; XDG_RUNTIME_DIR containing .cache and similar directories,
             ;; none of which exist (or matter) inside the build container.
             (substitute* "Makefile"
               (("test-runtime\\$\\(EXEEXT\\)") ""))
             #t)))))
    (native-inputs `(("pkg-config" ,pkg-config)))
    (inputs
     `(("libffi" ,libffi)
       ("libtasn1" ,libtasn1)))
    (home-page "https://p11-glue.freedesktop.org/p11-kit.html")
    (synopsis "PKCS#11 library")
    (description
     "p11-kit provides a way to load and enumerate PKCS#11 modules. It
provides a standard configuration setup for installing PKCS#11 modules
in such a way that they are discoverable. It also solves problems with
coordinating the use of PKCS#11 by different components or libraries
living in the same process.")
    (license license:bsd-3)))
27e86bed 161
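(define-public gnutls
  (package
    (name "gnutls")
    (version "3.5.18")
    (source (origin
              (method url-fetch)
              (uri
               ;; Note: Releases are no longer on ftp.gnu.org since the
               ;; schism (after version 3.1.5).
               (string-append "mirror://gnupg/gnutls/v"
                              (version-major+minor version)
                              "/gnutls-" version ".tar.xz"))
              ;; Both patches only skip tests that cannot run in the build
              ;; container; neither touches library code.
              (patches
               (search-patches "gnutls-skip-trust-store-test.patch"
                               "gnutls-skip-pkgconfig-test.patch"))
              (sha256
               (base32
                "0d02x28fwkkx7xzn7807nww6idchizzq3plx8sfcyiw7wzclh8mf"))))
    (build-system gnu-build-system)
    (arguments
     `(;; Ensure we don't keep a reference to this buggy software.  net-tools
       ;; is a build-time-only dependency (see native-inputs), so a store
       ;; reference to it in the output would be a packaging error.
       #:disallowed-references (,net-tools)
       #:configure-flags
       (list
        ;; GnuTLS doesn't consult any environment variables to specify
        ;; the location of the system-wide trust store.  Instead it has a
        ;; configure-time option.  Unless specified, its configure script
        ;; attempts to auto-detect the location by looking for common
        ;; places in the file system, none of which are present in our
        ;; chroot build environment.  If not found, then no default trust
        ;; store is used, so each program has to provide its own
        ;; fallback, and users have to configure each program
        ;; independently.  This seems suboptimal.
        ;;
        ;; Security note: this path lives outside the store, so what GnuTLS
        ;; trusts by default is whatever the running system places in
        ;; /etc/ssl/certs.  Where that directory is absent (a bare container,
        ;; say) the default trust store is empty, so verification should fail
        ;; closed rather than open -- confirm when relying on it.
        "--with-default-trust-store-dir=/etc/ssl/certs"

        ;; FIXME: Temporarily disable p11-kit support since it is not
        ;; working on mips64el.  Consequence: this build cannot load PKCS#11
        ;; modules (tokens, HSMs, the p11-kit trust module); only the
        ;; file-based trust store above is available.
        "--without-p11-kit")

       #:phases (modify-phases %standard-phases
                  (add-after
                   'install 'move-doc
                   (lambda* (#:key outputs #:allow-other-keys)
                     ;; Copy the 4.1 MiB of section 3 man pages to "doc".
                     (let* ((out    (assoc-ref outputs "out"))
                            (doc    (assoc-ref outputs "doc"))
                            (mandir (string-append doc "/share/man/man3"))
                            (oldman (string-append out "/share/man/man3")))
                       (mkdir-p mandir)
                       (copy-recursively oldman mandir)
                       (delete-file-recursively oldman)
                       #t))))))
    (outputs '("out"                              ;4.4 MiB
               "debug"
               "doc"))                            ;4.1 MiB of man pages
    (native-inputs
     `(("net-tools" ,net-tools)
       ("pkg-config" ,pkg-config)
       ("which" ,which)))
    (inputs
     `(("guile" ,guile-2.2)))
    (propagated-inputs
     ;; These are all in the 'Requires.private' field of gnutls.pc.
     ;; Nettle supplies the cipher/hash primitives, so a security update to
     ;; nettle implies rebuilding gnutls and everything above it.
     `(("libtasn1" ,libtasn1)
       ("libidn2" ,libidn2)
       ("nettle" ,nettle)
       ("zlib" ,zlib)))
    (home-page "https://www.gnu.org/software/gnutls/")
    (synopsis "Transport layer security library")
    ;; Typo fixed: the certificate format is X.509, not "X.5009".
    (description
     "GnuTLS is a secure communications library implementing the SSL, TLS
and DTLS protocols. It is provided in the form of a C library to support the
protocols, as well as to parse and write X.509, PKCS 12, OpenPGP and other
required structures.")
    (license license:lgpl2.1+)
    (properties '((ftp-server . "ftp.gnutls.org")
                  (ftp-directory . "/gcrypt/gnutls")))))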
cc2b77df 239
079f013b 240(define-public gnutls/guile-2.2
a0700787
LC
241 (deprecated-package "guile2.2-gnutls" gnutls))
242
(define-public gnutls/guile-2.0
  ;; GnuTLS for Guile 2.0: identical to gnutls except that the "guile" input
  ;; is swapped for the 2.0 series.
  (package
    (inherit gnutls)
    (name "guile2.0-gnutls")
    (inputs (cons (list "guile" guile-2.0)
                  (alist-delete "guile" (package-inputs gnutls))))))
079f013b 250
5b9aa107 251(define-public gnutls/dane
252 ;; GnuTLS with build libgnutls-dane, implementing DNS-based
253 ;; Authentication of Named Entities. This is required for GNS functionality
254 ;; by GNUnet and gnURL. This is done in an extra package definition
255 ;; to have the choice between GnuTLS with Dane and without Dane.
256 (package
257 (inherit gnutls)
258 (name "gnutls-dane")
259 (inputs `(("unbound" ,unbound)
260 ,@(package-inputs gnutls)))))
261
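(define-public openssl
  ;; OpenSSL 1.0.2: still the default `openssl' that the perl-net-ssleay and
  ;; perl-crypt-* packages in this file link against.  1.0.2 is upstream's
  ;; legacy branch; openssl-next below carries 1.1.1.
  (package
    (name "openssl")
    (version "1.0.2p")
    (source (origin
              (method url-fetch)
              ;; Only the first URI is HTTPS; the ftp:// entries are fallbacks
              ;; with no transport integrity.  The sha256 below is what
              ;; actually authenticates the tarball whichever mirror served it.
              (uri (list (string-append "https://www.openssl.org/source/openssl-"
                                        version ".tar.gz")
                         (string-append "ftp://ftp.openssl.org/source/"
                                        name "-" version ".tar.gz")
                         (string-append "ftp://ftp.openssl.org/source/old/"
                                        (string-trim-right version char-set:letter)
                                        "/" name "-" version ".tar.gz")))
              (sha256
               (base32
                "003xh9f898i56344vpvpxxxzmikivxig4xwlm7vbi7m8n43qxaah"))
              (patches (search-patches "openssl-runpath.patch"
                                       "openssl-c-rehash-in.patch"))))
    (build-system gnu-build-system)
    (outputs '("out"
               "doc"                               ;1.5MiB of man3 pages
               "static"))                          ;6MiB of .a files
    (native-inputs `(("perl" ,perl)))
    (arguments
     `(#:parallel-build? #f
       #:parallel-tests? #f
       #:test-target "test"

       ;; Changes to OpenSSL sometimes cause Perl to "sneak in" to the closure,
       ;; so we explicitly disallow it here.  This keyword used to be given
       ;; twice (once with PERL, once with its canonical package), which let
       ;; one of the two values be silently ignored; list both in one place.
       #:disallowed-references ,(list perl (canonical-package perl))
       #:phases
       (modify-phases %standard-phases
         (add-before 'configure 'patch-Makefile.org
           (lambda* (#:key outputs #:allow-other-keys)
             ;; The default MANDIR is some unusual place.  Fix that.
             (let ((out (assoc-ref outputs "out")))
               (patch-makefile-SHELL "Makefile.org")
               (substitute* "Makefile.org"
                 (("^MANDIR[[:blank:]]*=.*$")
                  (string-append "MANDIR = " out "/share/man\n")))
               #t)))
         (replace 'configure
           (lambda* (#:key outputs #:allow-other-keys)
             (let ((out (assoc-ref outputs "out")))
               (invoke "./config"
                       "shared"                   ;build shared libraries
                       "--libdir=lib"

                       ;; The default for this catch-all directory is
                       ;; PREFIX/ssl.  Change that to something more
                       ;; conventional.  Its 'misc' subdirectory is removed
                       ;; again by 'remove-miscellany below.
                       (string-append "--openssldir=" out
                                      "/share/openssl-" ,version)

                       (string-append "--prefix=" out)))))
         (add-after 'install 'make-libraries-writable
           (lambda* (#:key outputs #:allow-other-keys)
             ;; Make libraries writable so that 'strip' does its job.
             (let ((out (assoc-ref outputs "out")))
               (for-each (lambda (file)
                           (chmod file #o644))
                         (find-files (string-append out "/lib")
                                     "\\.so"))
               #t)))
         (add-after 'install 'move-static-libraries
           (lambda* (#:key outputs #:allow-other-keys)
             ;; Move static libraries to the "static" output.
             (let* ((out    (assoc-ref outputs "out"))
                    (lib    (string-append out "/lib"))
                    (static (assoc-ref outputs "static"))
                    (slib   (string-append static "/lib")))
               (for-each (lambda (file)
                           (install-file file slib)
                           (delete-file file))
                         (find-files lib "\\.a$"))
               #t)))
         (add-after 'install 'move-man3-pages
           (lambda* (#:key outputs #:allow-other-keys)
             ;; Move section 3 man pages to "doc".
             (let* ((out    (assoc-ref outputs "out"))
                    (man3   (string-append out "/share/man/man3"))
                    (doc    (assoc-ref outputs "doc"))
                    (target (string-append doc "/share/man/man3")))
               (mkdir-p target)
               (for-each (lambda (file)
                           (rename-file file
                                        (string-append target "/"
                                                       (basename file))))
                         (find-files man3))
               (delete-file-recursively man3)
               #t)))
         (add-before 'patch-source-shebangs 'patch-tests
           (lambda* (#:key inputs native-inputs #:allow-other-keys)
             ;; The test scripts reference /bin/sh and /bin/rm, neither of
             ;; which exists in the build container.
             (let ((bash (assoc-ref (or native-inputs inputs) "bash")))
               (substitute* (find-files "test" ".*")
                 (("/bin/sh")
                  (string-append bash "/bin/sh"))
                 (("/bin/rm")
                  "rm"))
               #t)))
         (add-after 'install 'remove-miscellany
           (lambda* (#:key outputs #:allow-other-keys)
             ;; The 'misc' directory contains random undocumented shell and Perl
             ;; scripts.  Remove them to avoid retaining a reference on Perl.
             (let ((out (assoc-ref outputs "out")))
               (delete-file-recursively (string-append out "/share/openssl-"
                                                       ,version "/misc"))
               #t))))))
    ;; Not search paths in the usual sense: each variable names exactly one
    ;; directory (SSL_CERT_DIR) or one regular file (SSL_CERT_FILE), hence
    ;; (separator #f) so the profile machinery never joins several matches.
    (native-search-paths
     (list (search-path-specification
            (variable "SSL_CERT_DIR")
            (separator #f)                        ;single entry
            (files '("etc/ssl/certs")))
           (search-path-specification
            (variable "SSL_CERT_FILE")
            (file-type 'regular)
            (separator #f)                        ;single entry
            (files '("etc/ssl/certs/ca-certificates.crt")))))
    (synopsis "SSL/TLS implementation")
    (description
     "OpenSSL is an implementation of SSL/TLS.")
    (license license:openssl)
    (home-page "https://www.openssl.org/")))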
cc2b77df 392
(define-public openssl-next
  ;; OpenSSL 1.1.1, published under the same package name "openssl" so that it
  ;; is a drop-in replacement for users; the Scheme variable name is what
  ;; tells the two apart.  Everything not overridden here is inherited from
  ;; the 1.0.2 package above, including the Perl disallowed-references check
  ;; and the SSL_CERT_DIR/SSL_CERT_FILE search-path specifications.
  (package
    (inherit openssl)
    (name "openssl")
    (version "1.1.1a")
    (source (origin
              (method url-fetch)
              ;; As for openssl above: the ftp:// mirrors are fallbacks with
              ;; no transport integrity; the sha256 is the real check.
              (uri (list (string-append "https://www.openssl.org/source/openssl-"
                                        version ".tar.gz")
                         (string-append "ftp://ftp.openssl.org/source/"
                                        name "-" version ".tar.gz")
                         (string-append "ftp://ftp.openssl.org/source/old/"
                                        (string-trim-right version char-set:letter)
                                        "/" name "-" version ".tar.gz")))
              ;; No runpath patch here: 1.1 accepts -rpath as a configure
              ;; argument (see the 'configure phase below).
              (patches (search-patches "openssl-1.1-c-rehash-in.patch"))
              (sha256
               (base32
                "0hcz7znzznbibpy3iyyhvlqrq44y88plxwdj32wjzgbwic7i687w"))))
    (outputs '("out"
               "doc"        ; 6.8 MiB of man3 pages and full HTML documentation
               "static"))   ; 6.4 MiB of .a files
    (arguments
     ;; Start from the 1.0.2 arguments and rewrite only the phase list.
     (substitute-keyword-arguments (package-arguments openssl)
       ((#:phases phases)
        `(modify-phases ,phases
           (delete 'patch-tests)          ; These two phases are not needed by
           (delete 'patch-Makefile.org)   ; OpenSSL 1.1.

           ;; Override configure phase since -rpath is now a configure option.
           (replace 'configure
             (lambda* (#:key outputs #:allow-other-keys)
               (let* ((out (assoc-ref outputs "out"))
                      (lib (string-append out "/lib")))
                 ;; It's not a shebang so patch-source-shebangs misses it.
                 ;; "coreutils" comes from gnu-build-system's implicit inputs.
                 (substitute* "config"
                   (("/usr/bin/env")
                    (string-append (assoc-ref %build-inputs "coreutils")
                                   "/bin/env")))
                 (invoke "./config"
                         "shared"       ;build shared libraries
                         "--libdir=lib"

                         ;; The default for this catch-all directory is
                         ;; PREFIX/ssl.  Change that to something more
                         ;; conventional.
                         (string-append "--openssldir=" out
                                        "/share/openssl-" ,version)

                         (string-append "--prefix=" out)
                         ;; Embed this output's lib directory in the RUNPATH
                         ;; of what gets linked, so libssl/libcrypto resolve
                         ;; without LD_LIBRARY_PATH (1.0.2 relies on
                         ;; openssl-runpath.patch for the same effect).
                         (string-append "-Wl,-rpath," lib)

                         ;; XXX FIXME: Work around a code generation bug in GCC
                         ;; 4.9.3 on ARM when compiled with -mfpu=neon.  See:
                         ;; <https://gcc.gnu.org/bugzilla/show_bug.cgi?id=66917>
                         ,@(if (and (not (%current-target-system))
                                    (string-prefix? "armhf" (%current-system)))
                               '("-mfpu=vfpv3")
                               '())))))

           (delete 'move-man3-pages)
           (add-after 'install 'move-extra-documentation
             (lambda* (#:key outputs #:allow-other-keys)
               ;; Move man3 pages and full HTML documentation to "doc".
               (let* ((out    (assoc-ref outputs "out"))
                      (man3   (string-append out "/share/man/man3"))
                      (html (string-append out "/share/doc/openssl"))
                      (doc    (assoc-ref outputs "doc"))
                      (man-target (string-append doc "/share/man/man3"))
                      (html-target (string-append doc "/share/doc/openssl")))
                 (copy-recursively man3 man-target)
                 (delete-file-recursively man3)
                 (copy-recursively html html-target)
                 (delete-file-recursively html)
                 #t)))
           ;; XXX: Duplicate this phase to make sure 'version' evaluates
           ;; in the current scope and not the inherited one.  The inherited
           ;; phase has 1.0.2p's version baked into its path, so it would
           ;; look in the wrong share/openssl-* directory and leave 1.1.1's
           ;; 'misc' scripts (and their Perl reference) in place.
           (replace 'remove-miscellany
             (lambda* (#:key outputs #:allow-other-keys)
               ;; The 'misc' directory contains random undocumented shell and Perl
               ;; scripts.  Remove them to avoid retaining a reference on Perl.
               (let ((out (assoc-ref outputs "out")))
                 (delete-file-recursively (string-append out "/share/openssl-"
                                                         ,version "/misc"))
                 #t)))))))))
477
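(define-public libressl
  (package
    (name "libressl")
    (version "2.7.4")
    (source (origin
              (method url-fetch)
              (uri (string-append "mirror://openbsd/LibreSSL/"
                                  name "-" version ".tar.gz"))
              (sha256
               (base32
                "19kxa5i97q7p6rrps9qm0nd8zqhdjvzx02j72400c73cl2nryfhy"))))
    (build-system gnu-build-system)
    (arguments
     ;; Do as if 'getentropy' was missing since older Linux kernels lack it
     ;; and libc would return ENOSYS, which is not properly handled.
     ;; See <https://lists.gnu.org/archive/html/guix-devel/2017-04/msg00235.html>.
     ;;
     ;; NOTE(review): with getentropy forced off, LibreSSL falls back to its
     ;; own portable entropy code.  Which kernel interface that ends up using
     ;; on the kernels we support is not visible from here -- confirm it still
     ;; reaches a kernel CSPRNG before relying on this build for key
     ;; generation.
     '(#:configure-flags '("ac_cv_func_getentropy=no"
                           ;; Provide a TLS-enabled netcat.
                           "--enable-nc")))
    ;; Same specification as the openssl package above: each variable names
    ;; exactly one directory or one regular file, and (separator #f) tells the
    ;; profile machinery never to join several matches with ':' (a
    ;; colon-separated list is not what these variables mean).  This replaces
    ;; the earlier FIXME that relied on profiles happening to contain a single
    ;; match.
    (native-search-paths
     (list (search-path-specification
            (variable "SSL_CERT_DIR")
            (separator #f)                        ;single entry
            (files '("etc/ssl/certs")))
           (search-path-specification
            (variable "SSL_CERT_FILE")
            (file-type 'regular)
            (separator #f)                        ;single entry
            (files '("etc/ssl/certs/ca-certificates.crt")))))
    (home-page "https://www.libressl.org/")
    (synopsis "SSL/TLS implementation")
    (description "LibreSSL is a version of the TLS/crypto stack, forked from
OpenSSL in 2014 with the goals of modernizing the codebase, improving security,
and applying best practice development processes. This package also includes a
netcat implementation that supports TLS.")
    ;; Files taken from OpenSSL keep their license, others are under various
    ;; non-copyleft licenses.
    (license (list license:openssl
                   (license:non-copyleft
                    "file://COPYING"
                    "See COPYING in the distribution.")))))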
520
6cefd53d 521(define-public python-acme
7890e3ba 522 (package
6cefd53d 523 (name "python-acme")
686d4259 524 ;; Remember to update the hash of certbot when updating python-acme.
59c9d4f1 525 (version "0.29.1")
7890e3ba 526 (source (origin
9495cf9a 527 (method url-fetch)
f349d36e 528 (uri (pypi-uri "acme" version))
881006b6
MB
529 (sha256
530 (base32
59c9d4f1 531 "0z5l966b1asbcdzl77bmywf22c1q0xill00jj7qyml9wx2nh7qm2"))))
7890e3ba
LF
532 (build-system python-build-system)
533 (arguments
6cefd53d 534 `(#:phases
9bee9d87 535 (modify-phases %standard-phases
1fc8476d
MB
536 (add-after 'build 'build-documentation
537 (lambda _
d4bd2453 538 (invoke "make" "-C" "docs" "man" "info")))
1fc8476d 539 (add-after 'install 'install-documentation
50a7963a
LF
540 (lambda* (#:key outputs #:allow-other-keys)
541 (let* ((out (assoc-ref outputs "out"))
542 (man (string-append out "/share/man/man1"))
543 (info (string-append out "/info")))
1fc8476d
MB
544 (install-file "docs/_build/texinfo/acme-python.info" info)
545 (install-file "docs/_build/man/acme-python.1" man)
546 #t))))))
50a7963a 547 ;; TODO: Add optional inputs for testing.
7890e3ba 548 (native-inputs
4ae65558 549 `(("python-mock" ,python-mock)
b494bbe4 550 ("python-pytest" ,python-pytest)
50a7963a
LF
551 ;; For documentation
552 ("python-sphinx" ,python-sphinx)
553 ("python-sphinxcontrib-programoutput" ,python-sphinxcontrib-programoutput)
554 ("python-sphinx-rtd-theme" ,python-sphinx-rtd-theme)
50a7963a 555 ("texinfo" ,texinfo)))
7890e3ba 556 (propagated-inputs
92572184
LF
557 `(("python-josepy" ,python-josepy)
558 ("python-six" ,python-six)
6cefd53d 559 ("python-requests" ,python-requests)
b494bbe4 560 ("python-requests-toolbelt" ,python-requests-toolbelt)
6cefd53d
LF
561 ("python-pytz" ,python-pytz)
562 ("python-pyrfc3339" ,python-pyrfc3339)
563 ("python-pyasn1" ,python-pyasn1)
564 ("python-cryptography" ,python-cryptography)
565 ("python-pyopenssl" ,python-pyopenssl)))
4631e6c9 566 (home-page "https://github.com/certbot/certbot")
7890e3ba
LF
567 (synopsis "ACME protocol implementation in Python")
568 (description "ACME protocol implementation in Python")
569 (license license:asl2.0)))
570
9495cf9a 571(define-public certbot
9fd0838b 572 (package
9495cf9a 573 (name "certbot")
686d4259
LF
574 ;; Certbot and python-acme are developed in the same repository, and their
575 ;; versions should remain synchronized.
576 (version (package-version python-acme))
9fd0838b
DT
577 (source (origin
578 (method url-fetch)
f349d36e 579 (uri (pypi-uri name version))
9fd0838b
DT
580 (sha256
581 (base32
59c9d4f1 582 "14i6yrcb9s7ygy99gccfc8jscymi24xb72s5lgg9b2y40z909ikg"))))
9fd0838b
DT
583 (build-system python-build-system)
584 (arguments
fed1898d 585 `(,@(substitute-keyword-arguments (package-arguments python-acme)
f26d6e4e
LF
586 ((#:phases phases)
587 `(modify-phases ,phases
1fc8476d 588 (replace 'install-documentation
f26d6e4e
LF
589 (lambda* (#:key outputs #:allow-other-keys)
590 (let* ((out (assoc-ref outputs "out"))
591 (man1 (string-append out "/share/man/man1"))
592 (man7 (string-append out "/share/man/man7"))
593 (info (string-append out "/info")))
1fc8476d
MB
594 (install-file "docs/_build/texinfo/Certbot.info" info)
595 (install-file "docs/_build/man/certbot.1" man1)
596 (install-file "docs/_build/man/certbot.7" man7)
597 #t))))))))
f9263d9a 598 ;; TODO: Add optional inputs for testing.
9fd0838b 599 (native-inputs
fed1898d 600 `(("python-nose" ,python-nose)
4ae65558 601 ("python-mock" ,python-mock)
f9263d9a 602 ;; For documentation
fed1898d
LF
603 ("python-sphinx" ,python-sphinx)
604 ("python-sphinx-rtd-theme" ,python-sphinx-rtd-theme)
605 ("python-sphinx-repoze-autointerface" ,python-sphinx-repoze-autointerface)
606 ("python-sphinxcontrib-programoutput" ,python-sphinxcontrib-programoutput)
f9263d9a 607 ("texinfo" ,texinfo)))
9fd0838b 608 (propagated-inputs
fed1898d
LF
609 `(("python-acme" ,python-acme)
610 ("python-zope-interface" ,python-zope-interface)
611 ("python-pyrfc3339" ,python-pyrfc3339)
612 ("python-pyopenssl" ,python-pyopenssl)
613 ("python-configobj" ,python-configobj)
614 ("python-configargparse" ,python-configargparse)
615 ("python-zope-component" ,python-zope-component)
616 ("python-parsedatetime" ,python-parsedatetime)
617 ("python-six" ,python-six)
618 ("python-psutil" ,python-psutil)
619 ("python-requests" ,python-requests)
620 ("python-pytz" ,python-pytz)))
d8a1be63 621 (synopsis "Let's Encrypt client by the Electronic Frontier Foundation")
80968df0
TGR
622 (description "Certbot automatically receives and installs X.509 certificates
623to enable Transport Layer Security (TLS) on servers. It interoperates with the
624Let’s Encrypt certificate authority (CA), which issues browser-trusted
625certificates for free.")
24778368 626 (home-page "https://certbot.eff.org/")
9fd0838b
DT
627 (license license:asl2.0)))
628
(define-public letsencrypt
  ;; Historical name of certbot, kept so that existing references keep
  ;; resolving; the 'superseded property marks it as replaced by certbot.
  (package
    (inherit certbot)
    (name "letsencrypt")
    (properties (list (cons 'superseded certbot)))))
9495cf9a 633
(define-public perl-net-ssleay
  (package
    (name "perl-net-ssleay")
    (version "1.85")
    (source (origin
              (method url-fetch)
              (uri (string-append "mirror://cpan/authors/id/M/MI/MIKEM/Net-SSLeay-"
                                  version ".tar.gz"))
              (sha256
               (base32
                "1j5h4ycm8538397l204d2d5fkm9595aj174pj7bkpbhwzfwqi0cx"))))
    (build-system perl-build-system)
    ;; Links against the default `openssl' (1.0.2 above), not openssl-next.
    (inputs `(("openssl" ,openssl)))
    (arguments
     '(#:phases
       (modify-phases %standard-phases
         ;; Tell Net-SSLeay's Makefile.PL where OpenSSL lives by pointing
         ;; OPENSSL_PREFIX at our openssl input.
         (add-before 'configure 'set-ssl-prefix
           (lambda* (#:key inputs #:allow-other-keys)
             (setenv "OPENSSL_PREFIX" (assoc-ref inputs "openssl"))
             #t)))))
    (home-page "https://metacpan.org/release/Net-SSLeay")
    (synopsis "Perl extension for using OpenSSL")
    (description
     "This module offers some high level convenience functions for accessing
web pages on SSL servers (for symmetry, the same API is offered for accessing
http servers, too), an sslcat() function for writing your own clients, and
finally access to the SSL api of the SSLeay/OpenSSL package so you can write
servers or clients for more complicated applications.")
    (license license:perl-license)))
664
(define-public perl-crypt-openssl-rsa
  (package
    (name "perl-crypt-openssl-rsa")
    (version "0.31")
    (source
     (origin
       (method url-fetch)
       (uri (string-append "mirror://cpan/authors/id/T/TO/TODDR/"
                           "Crypt-OpenSSL-RSA-" version ".tar.gz"))
       (sha256
        (base32 "0djl5i6kibl7862b6ih29q8dhg5zpwzq77q9j8hp6xngshx40ws1"))))
    (build-system perl-build-system)
    ;; Shares the Makefile.PL patch with the other Crypt::OpenSSL modules.
    ;; PERL-CRYPT-ARGUMENTS is defined further down; that works because the
    ;; 'arguments' field is not evaluated until the package is used.
    (arguments perl-crypt-arguments)
    (native-inputs
     `(("perl-crypt-openssl-guess" ,perl-crypt-openssl-guess)))
    (inputs
     `(("perl-crypt-openssl-bignum" ,perl-crypt-openssl-bignum)
       ("perl-crypt-openssl-random" ,perl-crypt-openssl-random)
       ("openssl" ,openssl)))
    (home-page "https://metacpan.org/release/Crypt-OpenSSL-RSA")
    (synopsis "RSA encoding and decoding, using the openSSL libraries")
    (description "Crypt::OpenSSL::RSA does RSA encoding and decoding (using the
OpenSSL libraries).")
    (license license:perl-license)))
694
;; Build arguments shared by the Crypt::OpenSSL::* packages in this file:
;; rewrite the 'LIBS' entry of Makefile.PL so that the module links against
;; libcrypto from our openssl input rather than whatever the build host has.
(define perl-crypt-arguments
  '(#:phases
    (modify-phases %standard-phases
      (add-before 'configure 'patch-Makefile.PL
        (lambda* (#:key inputs #:allow-other-keys)
          (let ((ssl-lib (string-append (assoc-ref inputs "openssl") "/lib")))
            (substitute* "Makefile.PL"
              (("'LIBS'.*=>.*")
               (string-append "'LIBS' => ['-L" ssl-lib " -lcrypto'],")))
            #t))))))
704
(define-public perl-crypt-openssl-bignum
  (package
    (name "perl-crypt-openssl-bignum")
    (version "0.09")
    (source
     (origin
       (method url-fetch)
       (uri (string-append "mirror://cpan/authors/id/K/KM/KMX/"
                           "Crypt-OpenSSL-Bignum-" version ".tar.gz"))
       (sha256
        (base32 "1p22znbajq91lbk2k3yg12ig7hy5b4vy8igxwqkmbm4nhgxp4ki3"))))
    (build-system perl-build-system)
    (inputs `(("openssl" ,openssl)))
    ;; Same Makefile.PL 'LIBS' rewrite as the other Crypt::OpenSSL modules.
    (arguments perl-crypt-arguments)
    (home-page "https://metacpan.org/release/Crypt-OpenSSL-Bignum")
    (synopsis "OpenSSL's multiprecision integer arithmetic in Perl")
    (description "Crypt::OpenSSL::Bignum provides multiprecision integer
arithmetic in Perl.")
    ;; At your option either gpl1+ or the Artistic License
    (license license:perl-license)))
cccb4d26 730
(define-public perl-crypt-open_ssl-guess-placeholder-never-used
  #f)
752
(define-public perl-crypt-openssl-random
  (package
    (name "perl-crypt-openssl-random")
    (version "0.13")
    (source
     (origin
       (method url-fetch)
       (uri (string-append "mirror://cpan/authors/id/R/RU/RURBAN/"
                           "Crypt-OpenSSL-Random-" version ".tar.gz"))
       (sha256
        (base32 "0vmvrb3shrzjzri3qn524dzdasbq8zhhbpc1vmq8sx68n4jhizb0"))))
    (build-system perl-build-system)
    (native-inputs
     `(("perl-crypt-openssl-guess" ,perl-crypt-openssl-guess)))
    ;; The PRNG exposed to Perl is the one in libcrypto from this input, so
    ;; its quality follows the default `openssl' package above.
    (inputs
     `(("openssl" ,openssl)))
    ;; Same Makefile.PL 'LIBS' rewrite as the other Crypt::OpenSSL modules.
    (arguments perl-crypt-arguments)
    (home-page "https://metacpan.org/release/Crypt-OpenSSL-Random")
    (synopsis "OpenSSL/LibreSSL pseudo-random number generator access")
    (description "Crypt::OpenSSL::Random is a OpenSSL/LibreSSL pseudo-random
number generator")
    (license license:perl-license)))
(define-public acme-client
  (package
    (name "acme-client")
    (version "0.1.16")
    (source
     (origin
       (method url-fetch)
       (uri (string-append "https://kristaps.bsd.lv/" name "/"
                           "snapshots/" name "-portable-"
                           version ".tgz"))
       ;; Pins the exact upstream tarball contents.
       (sha256
        (base32 "00q05b3b1dfnfp7sr1nbd212n0mqrycl3cr9lbs51m7ncaihbrz9"))))
    (build-system gnu-build-system)
    (native-inputs
     `(("pkg-config" ,pkg-config)))
    (inputs
     `(("libbsd" ,libbsd)
       ("libressl" ,libressl)))
    (arguments
     `(#:tests? #f                      ; no test suite
       #:make-flags
       (list "CC=gcc"
             (string-append "PREFIX=" (assoc-ref %outputs "out")))
       #:phases
       (modify-phases %standard-phases
         (delete 'configure)            ; no './configure' script
         ;; http.c hard-codes "/etc/ssl/cert.pem" (presumably the CA bundle
         ;; it trusts when talking to the ACME server).  Rewrite it to the
         ;; cert.pem shipped in the libressl input, so the trust store comes
         ;; from the store rather than from whatever the host has installed.
         (add-after 'unpack 'patch-paths
           (lambda* (#:key inputs #:allow-other-keys)
             (let* ((libressl (assoc-ref inputs "libressl"))
                    (pem (string-append libressl "/etc/ssl/cert.pem")))
               (substitute* "http.c"
                 (("/etc/ssl/cert.pem") pem))
               #t))))))
    (home-page "https://kristaps.bsd.lv/acme-client/")
    (synopsis "Let's Encrypt client by the OpenBSD project")
    (description "acme-client is a Let's Encrypt client implemented in C. It
uses a modular design, and attempts to secure itself by dropping privileges and
operating in a chroot where possible. acme-client is developed on OpenBSD and
then ported to the GNU / Linux environment.")
    ;; acme-client is distributed under the ISC license, but the files 'jsmn.h'
    ;; and 'jsmn.c' are distributed under the Expat license.
    (license (list license:isc license:expat))))
;; The "-apache" variant is the upstream-preferred variant.  A "-gpl"
;; variant exists in addition to the "-apache" one.
(define-public mbedtls-apache
  (package
    (name "mbedtls-apache")
    (version "2.16.0")
    (source
     (origin
       (method url-fetch)
       ;; XXX: The download links on the website are script redirection links
       ;; which effectively lead to the format listed in the uri here.
       (uri (string-append "https://tls.mbed.org/download/mbedtls-"
                           version "-apache.tgz"))
       ;; Pins the exact upstream tarball contents.
       (sha256
        (base32 "1qlscr0m97favkqmrlj90rlgw40h8lcypxz0snvr1iwkj1pbbnp3"))))
    (build-system cmake-build-system)
    ;; Build-time only dependencies.
    (native-inputs
     `(("perl" ,perl)
       ("python" ,python)))
    ;; Ask the CMake build for a shared libmbedtls.
    (arguments
     '(#:configure-flags (list "-DUSE_SHARED_MBEDTLS_LIBRARY=ON")))
    (home-page "https://tls.mbed.org")
    (synopsis "Small TLS library")
    (description
     "@code{mbed TLS}, formerly known as PolarSSL, makes it trivially easy
for developers to include cryptographic and SSL/TLS capabilities in their
(embedded) products, facilitating this functionality with a minimal
coding footprint.")
    (license license:asl2.0)))
856;; The Hiawatha Web server requires some specific features to be enabled.
(define-public mbedtls-for-hiawatha
  (let ((base mbedtls-apache))
    (hidden-package
     (package
       (inherit base)
       (arguments
        ;; Prepend an extra phase to the inherited arguments.  No replacement
        ;; clauses are given to substitute-keyword-arguments here, so the
        ;; inherited #:configure-flags pass through as they are.
        (substitute-keyword-arguments
            `(#:phases
              (modify-phases %standard-phases
                ;; Turn on the MBEDTLS_THREADING_C / MBEDTLS_THREADING_PTHREAD
                ;; options via upstream's config.pl script (a Perl script,
                ;; hence perl among the inherited native inputs).
                (add-after 'configure 'configure-extra-features
                  (lambda _
                    (invoke "scripts/config.pl" "set" "MBEDTLS_THREADING_C")
                    (invoke "scripts/config.pl" "set" "MBEDTLS_THREADING_PTHREAD")
                    #t)))
              ,@(package-arguments base))))))))
(define-public ghc-tls
  (package
    (name "ghc-tls")
    (version "1.4.1")
    (source
     (origin
       (method url-fetch)
       (uri (string-append "https://hackage.haskell.org/package/"
                           "tls/tls-" version ".tar.gz"))
       ;; Pins the exact upstream tarball contents.
       (sha256
        (base32 "1y083724mym28n6xfaz7pcc7zqxdhjpaxpbvzxfbs25qq2px3smv"))))
    (build-system haskell-build-system)
    ;; Build/test-time only: tasty and QuickCheck are test frameworks.
    (native-inputs
     `(("ghc-tasty" ,ghc-tasty)
       ("ghc-tasty-quickcheck" ,ghc-tasty-quickcheck)
       ("ghc-quickcheck" ,ghc-quickcheck)))
    ;; Library dependencies; crypto primitives come from ghc-cryptonite and
    ;; certificate handling from the ghc-x509* packages.
    (inputs
     `(("ghc-cereal" ,ghc-cereal)
       ("ghc-data-default-class" ,ghc-data-default-class)
       ("ghc-memory" ,ghc-memory)
       ("ghc-cryptonite" ,ghc-cryptonite)
       ("ghc-asn1-types" ,ghc-asn1-types)
       ("ghc-asn1-encoding" ,ghc-asn1-encoding)
       ("ghc-x509" ,ghc-x509)
       ("ghc-x509-store" ,ghc-x509-store)
       ("ghc-x509-validation" ,ghc-x509-validation)
       ("ghc-async" ,ghc-async)
       ("ghc-network" ,ghc-network)
       ("ghc-hourglass" ,ghc-hourglass)))
    (home-page "https://github.com/vincenthz/hs-tls")
    (synopsis
     "TLS/SSL protocol native implementation (Server and Client)")
    ;; NOTE(review): the description lists SSL3.0 among the implemented
    ;; protocols; whether it is enabled by default is not visible from here.
    (description
     "Native Haskell TLS and SSL protocol implementation for server and client.
This provides a high-level implementation of a sensitive security protocol,
eliminating a common set of security issues through the use of the advanced
type system, high level constructions and common Haskell features. Currently
implement the SSL3.0, TLS1.0, TLS1.1 and TLS1.2 protocol, and support RSA and
Ephemeral (Elliptic curve and regular) Diffie Hellman key exchanges, and many
extensions.")
    (license license:bsd-3)))
(define-public dehydrated
  (package
    (name "dehydrated")
    (version "0.6.2")
    (source
     (origin
       (method url-fetch/tarbomb)
       (uri (string-append
             "https://github.com/lukas2511/dehydrated/archive/v"
             version ".tar.gz"))
       ;; Pins the exact upstream tarball contents.
       (sha256
        (base32 "03p80yj6bnzjc6dkp5hb9wpplmlrla8n5src71cnzw4rj53q8cqn"))
       (file-name (string-append name "-" version ".tar.gz"))))
    (build-system trivial-build-system)
    ;; bash runs the script; the rest are the tools it is given on PATH.
    (inputs
     `(("bash" ,bash)
       ("coreutils" ,coreutils)
       ("curl" ,curl)
       ("diffutils" ,diffutils)
       ("gawk" ,gawk)
       ("grep" ,grep)
       ("openssl" ,openssl)
       ("sed" ,sed)))
    (arguments
     `(#:modules ((guix build utils))
       #:builder
       (begin
         (use-modules (guix build utils))
         (let* ((source (assoc-ref %build-inputs "source"))
                (out    (assoc-ref %outputs "out"))
                (bin    (string-append out "/bin"))
                (bash   (in-vicinity (assoc-ref %build-inputs "bash") "bin"))
                ;; The tarbomb unpacks into a versioned directory.
                (script (string-append source "/dehydrated-" ,version
                                       "/dehydrated")))
           (mkdir-p bin)
           (with-directory-excursion bin
             ;; Install the single script and give it a store bash shebang.
             (copy-file script "dehydrated")
             (patch-shebang "dehydrated" (list bash))

             ;; The script sets SCRIPTDIR from a "$..." expression; in the
             ;; read-only store that is unusable, so point it at the user's
             ;; home instead.
             (substitute* "dehydrated"
               (("SCRIPTDIR=\"\\$.*\"") "SCRIPTDIR=~/.dehydrated"))

             ;; PATH is set to the store bash first, presumably so that
             ;; wrap-program can find a shell to write its wrapper with.
             (setenv "PATH" bash)
             ;; Prefix PATH with the store bin directories of the tools the
             ;; script relies on, so they take precedence over the caller's.
             (wrap-program "dehydrated"
               `("PATH" ":" prefix
                 ,(map (lambda (input)
                         (string-append (assoc-ref %build-inputs input)
                                        "/bin"))
                       '("coreutils" "curl" "diffutils" "gawk"
                         "grep" "openssl" "sed"))))))
         #t)))
    (home-page "https://dehydrated.io/")
    (synopsis "Let's Encrypt/ACME client implemented as a shell script")
    (description "Dehydrated is a client for signing certificates with an
ACME-server (currently only provided by Let's Encrypt) implemented as a
relatively simple Bash script.")
    (license license:expat)))