[jackhill/guix/guix.git] / gnu / packages / tls.scm

;;; GNU Guix --- Functional package management for GNU
;;; Copyright © 2012, 2013, 2014, 2015 Ludovic Courtès <ludo@gnu.org>
;;; Copyright © 2014, 2015, 2016 Mark H Weaver <mhw@netris.org>
;;; Copyright © 2014 Ian Denhardt <ian@zenhack.net>
;;; Copyright © 2013, 2015 Andreas Enge <andreas@enge.fr>
;;; Copyright © 2015 David Thompson <davet@gnu.org>
;;; Copyright © 2015 Leo Famulari <leo@famulari.name>
;;; Copyright © 2016 Efraim Flashner <efraim@flashner.co.il>
;;;
;;; This file is part of GNU Guix.
;;;
;;; GNU Guix is free software; you can redistribute it and/or modify it
;;; under the terms of the GNU General Public License as published by
;;; the Free Software Foundation; either version 3 of the License, or (at
;;; your option) any later version.
;;;
;;; GNU Guix is distributed in the hope that it will be useful, but
;;; WITHOUT ANY WARRANTY; without even the implied warranty of
;;; MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
;;; GNU General Public License for more details.
;;;
;;; You should have received a copy of the GNU General Public License
;;; along with GNU Guix.  If not, see <http://www.gnu.org/licenses/>.

(define-module (gnu packages tls)
  #:use-module ((guix licenses) #:prefix license:)
  #:use-module (guix packages)
  #:use-module (guix download)
  #:use-module (guix utils)
  #:use-module (guix build-system gnu)
  #:use-module (guix build-system perl)
  #:use-module (guix build-system python)
  #:use-module (gnu packages compression)
  #:use-module (gnu packages)
  #:use-module (gnu packages guile)
  #:use-module (gnu packages libffi)
  #:use-module (gnu packages libidn)
  #:use-module (gnu packages ncurses)
  #:use-module (gnu packages nettle)
  #:use-module (gnu packages perl)
  #:use-module (gnu packages pkg-config)
  #:use-module (gnu packages python)
  #:use-module (gnu packages texinfo)
  #:use-module (gnu packages base))

(define-public libtasn1
  (package
    (name "libtasn1")
    (version "4.7")
    (source
     (origin
      (method url-fetch)
      (uri (string-append "mirror://gnu/libtasn1/libtasn1-"
                          version ".tar.gz"))
      (sha256
       (base32
        "1j8iixynchziw1y39lnibyl5h81m4p78w3i4f28q2vgwjgf801x4"))))
    (build-system gnu-build-system)
    (native-inputs `(("perl" ,perl)))
    (home-page "http://www.gnu.org/software/libtasn1/")
    (synopsis "ASN.1 library")
    (description
     "GNU libtasn1 is a library implementing the ASN.1 notation.  It is used
for transmitting machine-neutral encodings of data objects in computer
networking, allowing for formal validation of data according to some
specifications.")
    (license license:lgpl2.0+)))

(define-public p11-kit
  (package
    (name "p11-kit")
    (version "0.23.1")
    (source
     (origin
      (method url-fetch)
      (uri (string-append "https://p11-glue.freedesktop.org/releases/p11-kit-"
                          version ".tar.gz"))
      (sha256
       (base32
        "1i3a1wdpagm0p3y1bwaz5x5rjhcpqbcrnhkcp10p259vkxk72wz5"))
      (modules '((guix build utils))) ; for substitute*
      (snippet
        '(begin
           ;; Drop one test that fails, also when trying to compile manually.
           ;; Reported upstream at
           ;; https://bugs.freedesktop.org/show_bug.cgi?id=89027
           (substitute* "Makefile.in"
             (("test-module\\$\\(EXEEXT\\) ") ""))))))
    (build-system gnu-build-system)
    (native-inputs
     `(("pkg-config" ,pkg-config)))
    (inputs
     `(("libffi" ,libffi)
       ("libtasn1" ,libtasn1)))
    (arguments
     `(#:configure-flags '("--without-trust-paths")))
    (home-page "http://p11-glue.freedesktop.org/p11-kit.html")
    (synopsis "PKCS#11 library")
    (description
     "p11-kit provides a way to load and enumerate PKCS#11 modules.  It
provides a standard configuration setup for installing PKCS#11 modules
in such a way that they are discoverable.  It also solves problems with
coordinating the use of PKCS#11 by different components or libraries
living in the same process.")
    (license license:bsd-3)))

(define-public gnutls
  (package
    (name "gnutls")
    (version "3.4.7")
    (source (origin
             (method url-fetch)
             (uri
              ;; Note: Releases are no longer on ftp.gnu.org since the
              ;; schism (after version 3.1.5).
              (string-append "mirror://gnupg/gnutls/v"
                             (version-major+minor version)
                             "/gnutls-" version ".tar.xz"))
             (sha256
              (base32
               "0nifi3mr5jhz608pidkp8cjs4vwfj1m2qczsjrgpnp99615rxgn1"))))
    (build-system gnu-build-system)
    (arguments
     '(#:configure-flags
       (list (string-append "--with-guile-site-dir="
                            (assoc-ref %outputs "out")
                            "/share/guile/site/2.0")
             ;; GnuTLS doesn't consult any environment variables to specify
             ;; the location of the system-wide trust store.  Instead it has a
             ;; configure-time option.  Unless specified, its configure script
             ;; attempts to auto-detect the location by looking for common
             ;; places in the filesystem, none of which are present in our
             ;; chroot build environment.  If not found, then no default trust
             ;; store is used, so each program has to provide its own
             ;; fallback, and users have to configure each program
             ;; independently.  This seems suboptimal.
             "--with-default-trust-store-dir=/etc/ssl/certs"

             ;; FIXME: Temporarily disable p11-kit support since it is not
             ;; working on mips64el.
             "--without-p11-kit")

       #:phases (modify-phases %standard-phases
                  (add-after
                   'install 'move-doc
                   (lambda* (#:key outputs #:allow-other-keys)
                     ;; Copy the 4.1 MiB of section 3 man pages to "doc".
                     (let* ((out    (assoc-ref outputs "out"))
                            (doc    (assoc-ref outputs "doc"))
                            (mandir (string-append doc "/share/man/man3"))
                            (oldman (string-append out "/share/man/man3")))
                       (mkdir-p mandir)
                       (copy-recursively oldman mandir)
                       (delete-file-recursively oldman)
                       #t))))))
    (outputs '("out"                              ;4.4 MiB
               "debug"
               "doc"))                            ;4.1 MiB of man pages
    (native-inputs
     `(("pkg-config" ,pkg-config)
       ("which" ,which)))
    (inputs
     `(("guile" ,guile-2.0)
       ("perl" ,perl)))
    (propagated-inputs
     ;; These are all in the 'Requires.private' field of gnutls.pc.
     `(("libtasn1" ,libtasn1)
       ("libidn" ,libidn)
       ("nettle" ,nettle)
       ("zlib" ,zlib)))
    (home-page "http://www.gnu.org/software/gnutls/")
    (synopsis "Transport layer security library")
    (description
     "GnuTLS is a secure communications library implementing the SSL, TLS
and DTLS protocols.  It is provided in the form of a C library to support the
protocols, as well as to parse and write X.5009, PKCS 12, OpenPGP and other
required structures.")
    (license license:lgpl2.1+)))

(define-public openssl
  (package
   (name "openssl")
   (version "1.0.2f")
   (source (origin
            (method url-fetch)
            (uri (list (string-append "ftp://ftp.openssl.org/source/"
                                      name "-" version ".tar.gz")
                       (string-append "ftp://ftp.openssl.org/source/old/"
                                      (string-trim-right version char-set:letter)
                                      "/" name "-" version ".tar.gz")))
            (sha256
             (base32
              "171fkdg9v6j29d962nh6kb79kfm8kkhy7n9makw39d7jvvj4wawk"))
            (patches (map search-patch
                          '("openssl-runpath.patch"
                            "openssl-c-rehash.patch")))))
   (build-system gnu-build-system)
   (native-inputs `(("perl" ,perl)))
   (arguments
    `(#:parallel-build? #f
      #:parallel-tests? #f
      #:test-target "test"
      #:phases
      (modify-phases %standard-phases
        (add-before
         'configure 'patch-Makefile.org
         (lambda* (#:key outputs #:allow-other-keys)
           ;; The default MANDIR is some unusual place.  Fix that.
           (let ((out (assoc-ref outputs "out")))
             (patch-makefile-SHELL "Makefile.org")
             (substitute* "Makefile.org"
               (("^MANDIR[[:blank:]]*=.*$")
                (string-append "MANDIR = " out "/share/man\n")))
             #t)))
        (replace
         'configure
         (lambda* (#:key outputs #:allow-other-keys)
           (let ((out (assoc-ref outputs "out")))
             (zero?
              (system* "./config"
                       "shared"                   ;build shared libraries
                       "--libdir=lib"

                       ;; The default for this catch-all directory is
                       ;; PREFIX/ssl.  Change that to something more
                       ;; conventional.
                       (string-append "--openssldir=" out
                                      "/share/openssl-" ,version)

                       (string-append "--prefix=" out)

                       ;; XXX FIXME: Work around a code generation bug in GCC
                       ;; 4.9.3 on ARM when compiled with -mfpu=neon.  See:
                       ;; <https://gcc.gnu.org/bugzilla/show_bug.cgi?id=66917>
                       ,@(if (and (not (%current-target-system))
                                  (string-prefix? "armhf" (%current-system)))
                             '("-mfpu=vfpv3")
                             '()))))))
        (add-after
         'install 'make-libraries-writable
         (lambda* (#:key outputs #:allow-other-keys)
           ;; Make libraries writable so that 'strip' does its job.
           (let ((out (assoc-ref outputs "out")))
             (for-each (lambda (file)
                         (chmod file #o644))
                       (find-files (string-append out "/lib")
                                   "\\.so"))
             #t)))
        (add-before
         'patch-source-shebangs 'patch-tests
         (lambda* (#:key inputs native-inputs #:allow-other-keys)
           (let ((bash (assoc-ref (or native-inputs inputs) "bash")))
             (substitute* (find-files "test" ".*")
               (("/bin/sh")
                (string-append bash "/bin/bash"))
               (("/bin/rm")
                "rm"))
             #t)))
        (add-after
         'install 'remove-miscellany
         (lambda* (#:key outputs #:allow-other-keys)
           ;; The 'misc' directory contains random undocumented shell and Perl
           ;; scripts.  Remove them to avoid retaining a reference on Perl.
           (let ((out (assoc-ref outputs "out")))
             (delete-file-recursively (string-append out "/share/openssl-"
                                                     ,version "/misc"))
             #t))))))
   (native-search-paths
    ;; FIXME: These two variables must designate a single file or directory
    ;; and are not actually "search paths."  In practice it works OK in user
    ;; profiles because there's always just one item that matches the
    ;; specification.
    (list (search-path-specification
           (variable "SSL_CERT_DIR")
           (files '("etc/ssl/certs")))
          (search-path-specification
           (variable "SSL_CERT_FILE")
           (files '("etc/ssl/certs/ca-certificates.crt")))))
   (synopsis "SSL/TLS implementation")
   (description
    "OpenSSL is an implementation of SSL/TLS.")
   (license license:openssl)
   (home-page "http://www.openssl.org/")))

(define-public libressl
  (package
    (name "libressl")
    (version "2.2.5")
    (source
     (origin
      (method url-fetch)
      (uri (string-append
             "http://ftp.openbsd.org/pub/OpenBSD/LibreSSL/libressl-"
             version ".tar.gz"))
      (sha256 (base32
               "0jwidi7fafcdh5qml72dx0ad0kfsk94qxzm29i7wd3cx8v8dxjp3"))))
    (build-system gnu-build-system)
    (native-search-paths
      ;; FIXME: These two variables must designate a single file or directory
      ;; and are not actually "search paths."  In practice it works OK in
      ;; user profiles because there's always just one item that matches the
      ;; specification.
     (list (search-path-specification
            (variable "SSL_CERT_DIR")
            (files '("etc/ssl/certs")))
           (search-path-specification
            (variable "SSL_CERT_FILE")
            (files '("etc/ssl/certs/ca-certificates.crt")))))
    (home-page "http://www.libressl.org/")
    (synopsis "SSL/TLS implementation")
    (description "LibreSSL is a version of the TLS/crypto stack forked
from OpenSSL in 2014, with the goals of modernizing the codebase, improving
security, and applying best practice development processes.")
    ;; Files taken from OpenSSL keep their license, others are under various
    ;; non-copyleft licenses.
    (license (list license:openssl
                   (license:non-copyleft
                     "file://COPYING"
                     "See COPYING in the distribution.")))))

(define-public python-acme
  (package
    (name "python-acme")
    (version "0.4.0")
    (source (origin
      (method url-fetch)
      (uri (pypi-uri "acme" version))
      (sha256
        (base32
         "173j2zkslh43fzf3wkl1jdzfjry361m0mhlc3jpwp7hk7lrclzjg"))))
    (build-system python-build-system)
    (arguments
     `(#:phases
       (modify-phases %standard-phases
         (add-before 'install 'disable-egg-compression
           (lambda _
             ;; Do not compress the egg.
             ;; See <http://bugs.gnu.org/20765>.
             (let ((port (open-file "setup.cfg" "a")))
               (display "\n[easy_install]\nzip_ok = 0\n"
                        port)
               (close-port port)
               #t))))))
    ;; TODO: Add optional inputs for testing and building documentation.
    (native-inputs
     `(("python-mock" ,python-mock)
       ("python-setuptools" ,python-setuptools)))
    (propagated-inputs
     `(("python-ndg-httpsclient" ,python-ndg-httpsclient)
       ("python-werkzeug" ,python-werkzeug)
       ("python-six" ,python-six)
       ("python-requests" ,python-requests)
       ("python-pytz" ,python-pytz)
       ("python-pyrfc3339" ,python-pyrfc3339)
       ("python-pyasn1" ,python-pyasn1)
       ("python-cryptography" ,python-cryptography)
       ("python-pyopenssl" ,python-pyopenssl)))
    (home-page "https://github.com/letsencrypt/letsencrypt")
    (synopsis "ACME protocol implementation in Python")
    (description "ACME protocol implementation in Python")
    (license license:asl2.0)))

(define-public python2-acme
  (package-with-python2 python-acme))

(define-public letsencrypt
  (package
    (name "letsencrypt")
    (version "0.4.0")
    (source (origin
              (method url-fetch)
              (uri (pypi-uri "letsencrypt" version))
              (sha256
               (base32
                "1wwq8yvfdybf4d0gv4yfddkrg865s7rhng5xg563kks4wza1a2wp"))))
    (build-system python-build-system)
    (arguments
     `(#:python ,python-2
       #:phases
       (modify-phases %standard-phases
         (add-after 'install 'docs
           (lambda* (#:key outputs #:allow-other-keys)
             (let* ((out (assoc-ref outputs "out"))
                    (man1 (string-append out "/share/man/man1"))
                    (man7 (string-append out "/share/man/man7"))
                    (info (string-append out "/info")))
               (substitute* "docs/man/letsencrypt.rst"
                 (("letsencrypt --help all")
                  (string-append out "/bin/letsencrypt" " --help all")))
               (and
                 (zero? (system* "make" "-C" "docs" "man" "info"))
                 (install-file "docs/_build/texinfo/LetsEncrypt.info" info)
                 (install-file "docs/_build/man/letsencrypt.1" man1)
                 (install-file "docs/_build/man/letsencrypt.7" man7)
                 #t)))))))
    ;; TODO: Add optional inputs for testing.
    (native-inputs
     `(("python2-nose" ,python2-nose)
       ("python2-mock" ,python2-mock)
       ;; For documentation
       ("python2-sphinx" ,python2-sphinx)
       ("python2-sphinx-rtd-theme" ,python2-sphinx-rtd-theme)
       ("python2-sphinx-repoze-autointerface" ,python2-sphinx-repoze-autointerface)
       ("python2-sphinxcontrib-programoutput" ,python2-sphinxcontrib-programoutput)
       ("texinfo" ,texinfo)))
    (propagated-inputs
     `(("python2-acme" ,python2-acme)
       ("python2-zope-interface" ,python2-zope-interface)
       ("python2-pythondialog" ,python2-pythondialog)
       ("python2-pyrfc3339" ,python2-pyrfc3339)
       ("python2-pyopenssl" ,python2-pyopenssl)
       ("python2-configobj" ,python2-configobj)
       ("python2-configargparse" ,python2-configargparse)
       ("python2-zope-component" ,python2-zope-component)
       ("python2-parsedatetime" ,python2-parsedatetime)
       ("python2-six" ,python2-six)
       ("python2-psutil" ,python2-psutil)
       ("python2-requests" ,python2-requests)
       ("python2-pytz" ,python2-pytz)))
    (synopsis "Let's Encrypt client")
    (description "Tool to automatically receive and install X.509 certificates
to enable TLS on servers.  The client will interoperate with the Let’s Encrypt CA which
will be issuing browser-trusted certificates for free.")
    (home-page "https://letsencrypt.org/")
    (license license:asl2.0)))

(define-public perl-net-ssleay
  (package
    (name "perl-net-ssleay")
    (version "1.68")
    (source (origin
              (method url-fetch)
              (uri (string-append "mirror://cpan/authors/id/M/MI/MIKEM/"
                                  "Net-SSLeay-" version ".tar.gz"))
              (sha256
               (base32
                "1m2wwzhjwsg0drlhp9w12fl6bsgj69v8gdz72jqrqll3qr7f408p"))))
    (build-system perl-build-system)
    (native-inputs
     `(("patch" ,patch)
       ("patch/disable-ede-test"
        ,(search-patch "perl-net-ssleay-disable-ede-test.patch"))))
    (inputs `(("openssl" ,openssl)))
    (arguments
     `(#:phases
       (modify-phases %standard-phases
         (add-after
          'unpack 'apply-patch
          (lambda* (#:key inputs #:allow-other-keys)
            ;; XXX We apply this patch here instead of in the 'origin' because
            ;; this package's build system fails badly when the source file
            ;; times are zeroed.
            ;; XXX Try removing this patch for perl-net-ssleay > 1.68
            (zero? (system* "patch" "--force" "-p1" "-i"
                            (assoc-ref inputs "patch/disable-ede-test")))))
         (add-before
          'configure 'set-ssl-prefix
          (lambda* (#:key inputs #:allow-other-keys)
            (setenv "OPENSSL_PREFIX" (assoc-ref inputs "openssl"))
            #t)))))
    (synopsis "Perl extension for using OpenSSL")
    (description
     "This module offers some high level convenience functions for accessing
web pages on SSL servers (for symmetry, the same API is offered for accessing
http servers, too), an sslcat() function for writing your own clients, and
finally access to the SSL api of the SSLeay/OpenSSL package so you can write
servers or clients for more complicated applications.")
    (license (package-license perl))
    (home-page "http://search.cpan.org/~mikem/Net-SSLeay-1.66/")))
Commit	Line	Data
233e7676	1	;;; GNU Guix --- Functional package management for GNU
ce0614dd	2	;;; Copyright © 2012, 2013, 2014, 2015 Ludovic Courtès <ludo@gnu.org>
80cc3a0a	3	;;; Copyright © 2014, 2015, 2016 Mark H Weaver <mhw@netris.org>
29a7c98a	4	;;; Copyright © 2014 Ian Denhardt <ian@zenhack.net>
cc2b77df	5	;;; Copyright © 2013, 2015 Andreas Enge <andreas@enge.fr>
9fd0838b	6	;;; Copyright © 2015 David Thompson <davet@gnu.org>
7890e3ba	7	;;; Copyright © 2015 Leo Famulari <leo@famulari.name>
3ea110b7	8	;;; Copyright © 2016 Efraim Flashner <efraim@flashner.co.il>
7543f865	9	;;;
233e7676	10	;;; This file is part of GNU Guix.
7543f865	11	;;;
233e7676	12	;;; GNU Guix is free software; you can redistribute it and/or modify it
7543f865 LC	13	;;; under the terms of the GNU General Public License as published by
	14	;;; the Free Software Foundation; either version 3 of the License, or (at
	15	;;; your option) any later version.
	16	;;;
233e7676	17	;;; GNU Guix is distributed in the hope that it will be useful, but
7543f865 LC	18	;;; WITHOUT ANY WARRANTY; without even the implied warranty of
	19	;;; MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
	20	;;; GNU General Public License for more details.
	21	;;;
	22	;;; You should have received a copy of the GNU General Public License
233e7676	23	;;; along with GNU Guix. If not, see <http://www.gnu.org/licenses/>.
7543f865	24
a7fd7b68	25	(define-module (gnu packages tls)
e9aa8d0c	26	#:use-module ((guix licenses) #:prefix license:)
7543f865 LC	27	#:use-module (guix packages)
7543f865 LC	28	#:use-module (guix download)
29a7c98a	29	#:use-module (guix utils)
7543f865	30	#:use-module (guix build-system gnu)
cc2b77df	31	#:use-module (guix build-system perl)
7890e3ba	32	#:use-module (guix build-system python)
f61e0e79	33	#:use-module (gnu packages compression)
013ce67b	34	#:use-module (gnu packages)
1ffa7090	35	#:use-module (gnu packages guile)
27e86bed	36	#:use-module (gnu packages libffi)
866f469e	37	#:use-module (gnu packages libidn)
7890e3ba	38	#:use-module (gnu packages ncurses)
27e86bed	39	#:use-module (gnu packages nettle)
1ffa7090	40	#:use-module (gnu packages perl)
27e86bed	41	#:use-module (gnu packages pkg-config)
7890e3ba	42	#:use-module (gnu packages python)
a31f4d35	43	#:use-module (gnu packages texinfo)
ce0614dd	44	#:use-module (gnu packages base))
7543f865 LC	45
	46	(define-public libtasn1
	47	(package
	48	(name "libtasn1")
3ea110b7	49	(version "4.7")
7543f865 LC	50	(source
	51	(origin
	52	(method url-fetch)
	53	(uri (string-append "mirror://gnu/libtasn1/libtasn1-"
	54	version ".tar.gz"))
	55	(sha256
	56	(base32
3ea110b7	57	"1j8iixynchziw1y39lnibyl5h81m4p78w3i4f28q2vgwjgf801x4"))))
7543f865	58	(build-system gnu-build-system)
3ea110b7	59	(native-inputs `(("perl" ,perl)))
7543f865	60	(home-page "http://www.gnu.org/software/libtasn1/")
f50d2669	61	(synopsis "ASN.1 library")
7543f865	62	(description
79c311b8 LC	63	"GNU libtasn1 is a library implementing the ASN.1 notation. It is used
79c311b8 LC	64	for transmitting machine-neutral encodings of data objects in computer
a22dc0c4 LC	65	networking, allowing for formal validation of data according to some
a22dc0c4 LC	66	specifications.")
e9aa8d0c	67	(license license:lgpl2.0+)))
7543f865	68
27e86bed AE	69	(define-public p11-kit
	70	(package
	71	(name "p11-kit")
14fe9488	72	(version "0.23.1")
27e86bed AE	73	(source
	74	(origin
	75	(method url-fetch)
5cc3096c	76	(uri (string-append "https://p11-glue.freedesktop.org/releases/p11-kit-"
27e86bed AE	77	version ".tar.gz"))
	78	(sha256
	79	(base32
14fe9488	80	"1i3a1wdpagm0p3y1bwaz5x5rjhcpqbcrnhkcp10p259vkxk72wz5"))
27e86bed AE	81	(modules '((guix build utils))) ; for substitute*
	82	(snippet
	83	'(begin
	84	;; Drop one test that fails, also when trying to compile manually.
	85	;; Reported upstream at
	86	;; https://bugs.freedesktop.org/show_bug.cgi?id=89027
	87	(substitute* "Makefile.in"
	88	(("test-module\\$\\(EXEEXT\\) ") ""))))))
	89	(build-system gnu-build-system)
	90	(native-inputs
	91	`(("pkg-config" ,pkg-config)))
	92	(inputs
	93	`(("libffi" ,libffi)
	94	("libtasn1" ,libtasn1)))
	95	(arguments
	96	`(#:configure-flags '("--without-trust-paths")))
	97	(home-page "http://p11-glue.freedesktop.org/p11-kit.html")
	98	(synopsis "PKCS#11 library")
	99	(description
	100	"p11-kit provides a way to load and enumerate PKCS#11 modules. It
	101	provides a standard configuration setup for installing PKCS#11 modules
	102	in such a way that they are discoverable. It also solves problems with
	103	coordinating the use of PKCS#11 by different components or libraries
	104	living in the same process.")
e9aa8d0c	105	(license license:bsd-3)))
27e86bed	106
7543f865 LC	107	(define-public gnutls
	108	(package
	109	(name "gnutls")
5a75865f	110	(version "3.4.7")
d7d408d5 LC	111	(source (origin
	112	(method url-fetch)
	113	(uri
	114	;; Note: Releases are no longer on ftp.gnu.org since the
	115	;; schism (after version 3.1.5).
d93627e4	116	(string-append "mirror://gnupg/gnutls/v"
29a7c98a	117	(version-major+minor version)
d93627e4	118	"/gnutls-" version ".tar.xz"))
d7d408d5 LC	119	(sha256
d7d408d5 LC	120	(base32
5a75865f	121	"0nifi3mr5jhz608pidkp8cjs4vwfj1m2qczsjrgpnp99615rxgn1"))))
7543f865	122	(build-system gnu-build-system)
b94ae0b8 AK	123	(arguments
	124	'(#:configure-flags
	125	(list (string-append "--with-guile-site-dir="
	126	(assoc-ref %outputs "out")
aa7c7f21 MW	127	"/share/guile/site/2.0")
	128	;; GnuTLS doesn't consult any environment variables to specify
	129	;; the location of the system-wide trust store. Instead it has a
	130	;; configure-time option. Unless specified, its configure script
	131	;; attempts to auto-detect the location by looking for common
	132	;; places in the filesystem, none of which are present in our
	133	;; chroot build environment. If not found, then no default trust
	134	;; store is used, so each program has to provide its own
	135	;; fallback, and users have to configure each program
	136	;; independently. This seems suboptimal.
866f469e MW	137	"--with-default-trust-store-dir=/etc/ssl/certs"
	138
	139	;; FIXME: Temporarily disable p11-kit support since it is not
	140	;; working on mips64el.
606c6380 LC	141	"--without-p11-kit")
	142
	143	#:phases (modify-phases %standard-phases
	144	(add-after
	145	'install 'move-doc
	146	(lambda* (#:key outputs #:allow-other-keys)
	147	;; Copy the 4.1 MiB of section 3 man pages to "doc".
	148	(let* ((out (assoc-ref outputs "out"))
	149	(doc (assoc-ref outputs "doc"))
9cdce047	150	(mandir (string-append doc "/share/man/man3"))
606c6380 LC	151	(oldman (string-append out "/share/man/man3")))
	152	(mkdir-p mandir)
	153	(copy-recursively oldman mandir)
	154	(delete-file-recursively oldman)
	155	#t))))))
	156	(outputs '("out" ;4.4 MiB
	157	"debug"
	158	"doc")) ;4.1 MiB of man pages
a1db0975	159	(native-inputs
d2fcfd3d SB	160	`(("pkg-config" ,pkg-config)
d2fcfd3d SB	161	("which" ,which)))
7543f865 LC	162	(inputs
7543f865 LC	163	`(("guile" ,guile-2.0)
0cb9b456	164	("perl" ,perl)))
7543f865	165	(propagated-inputs
d2fcfd3d	166	;; These are all in the 'Requires.private' field of gnutls.pc.
7543f865	167	`(("libtasn1" ,libtasn1)
866f469e MW	168	("libidn" ,libidn)
866f469e MW	169	("nettle" ,nettle)
f61e0e79	170	("zlib" ,zlib)))
7543f865	171	(home-page "http://www.gnu.org/software/gnutls/")
f50d2669	172	(synopsis "Transport layer security library")
7543f865	173	(description
a22dc0c4	174	"GnuTLS is a secure communications library implementing the SSL, TLS
79c311b8	175	and DTLS protocols. It is provided in the form of a C library to support the
a22dc0c4 LC	176	protocols, as well as to parse and write X.5009, PKCS 12, OpenPGP and other
a22dc0c4 LC	177	required structures.")
e9aa8d0c	178	(license license:lgpl2.1+)))
cc2b77df AE	179
	180	(define-public openssl
	181	(package
	182	(name "openssl")
19f33952	183	(version "1.0.2f")
cc2b77df AE	184	(source (origin
cc2b77df AE	185	(method url-fetch)
e81e5fa5 EF	186	(uri (list (string-append "ftp://ftp.openssl.org/source/"
	187	name "-" version ".tar.gz")
	188	(string-append "ftp://ftp.openssl.org/source/old/"
80cc3a0a MW	189	(string-trim-right version char-set:letter)
80cc3a0a MW	190	"/" name "-" version ".tar.gz")))
cc2b77df AE	191	(sha256
cc2b77df AE	192	(base32
19f33952	193	"171fkdg9v6j29d962nh6kb79kfm8kkhy7n9makw39d7jvvj4wawk"))
784d6e91 LC	194	(patches (map search-patch
	195	'("openssl-runpath.patch"
	196	"openssl-c-rehash.patch")))))
cc2b77df AE	197	(build-system gnu-build-system)
	198	(native-inputs `(("perl" ,perl)))
	199	(arguments
e1202717	200	`(#:parallel-build? #f
cc2b77df AE	201	#:parallel-tests? #f
	202	#:test-target "test"
	203	#:phases
b6cb1358	204	(modify-phases %standard-phases
4fb254a3	205	(add-before
86c8f1da	206	'configure 'patch-Makefile.org
4fb254a3 LC	207	(lambda* (#:key outputs #:allow-other-keys)
	208	;; The default MANDIR is some unusual place. Fix that.
	209	(let ((out (assoc-ref outputs "out")))
86c8f1da	210	(patch-makefile-SHELL "Makefile.org")
4fb254a3 LC	211	(substitute* "Makefile.org"
	212	(("^MANDIR[[:blank:]]=.$")
	213	(string-append "MANDIR = " out "/share/man\n")))
	214	#t)))
b6cb1358 LC	215	(replace
	216	'configure
	217	(lambda* (#:key outputs #:allow-other-keys)
	218	(let ((out (assoc-ref outputs "out")))
	219	(zero?
	220	(system* "./config"
	221	"shared" ;build shared libraries
	222	"--libdir=lib"
4fb254a3 LC	223
	224	;; The default for this catch-all directory is
	225	;; PREFIX/ssl. Change that to something more
	226	;; conventional.
	227	(string-append "--openssldir=" out
	228	"/share/openssl-" ,version)
	229
b6cb1358 LC	230	(string-append "--prefix=" out)
	231
	232	;; XXX FIXME: Work around a code generation bug in GCC
	233	;; 4.9.3 on ARM when compiled with -mfpu=neon. See:
	234	;; <https://gcc.gnu.org/bugzilla/show_bug.cgi?id=66917>
	235	,@(if (and (not (%current-target-system))
	236	(string-prefix? "armhf" (%current-system)))
	237	'("-mfpu=vfpv3")
	238	'()))))))
fe8199a8 LC	239	(add-after
	240	'install 'make-libraries-writable
	241	(lambda* (#:key outputs #:allow-other-keys)
	242	;; Make libraries writable so that 'strip' does its job.
	243	(let ((out (assoc-ref outputs "out")))
	244	(for-each (lambda (file)
	245	(chmod file #o644))
	246	(find-files (string-append out "/lib")
	247	"\\.so"))
	248	#t)))
b6cb1358 LC	249	(add-before
	250	'patch-source-shebangs 'patch-tests
	251	(lambda* (#:key inputs native-inputs #:allow-other-keys)
	252	(let ((bash (assoc-ref (or native-inputs inputs) "bash")))
	253	(substitute* (find-files "test" ".*")
	254	(("/bin/sh")
	255	(string-append bash "/bin/bash"))
	256	(("/bin/rm")
86c8f1da MW	257	"rm"))
86c8f1da MW	258	#t)))
784d6e91 LC	259	(add-after
	260	'install 'remove-miscellany
	261	(lambda* (#:key outputs #:allow-other-keys)
	262	;; The 'misc' directory contains random undocumented shell and Perl
	263	;; scripts. Remove them to avoid retaining a reference on Perl.
	264	(let ((out (assoc-ref outputs "out")))
	265	(delete-file-recursively (string-append out "/share/openssl-"
	266	,version "/misc"))
	267	#t))))))
cc2b77df AE	268	(native-search-paths
	269	;; FIXME: These two variables must designate a single file or directory
	270	;; and are not actually "search paths." In practice it works OK in user
	271	;; profiles because there's always just one item that matches the
	272	;; specification.
	273	(list (search-path-specification
	274	(variable "SSL_CERT_DIR")
	275	(files '("etc/ssl/certs")))
	276	(search-path-specification
	277	(variable "SSL_CERT_FILE")
	278	(files '("etc/ssl/certs/ca-certificates.crt")))))
	279	(synopsis "SSL/TLS implementation")
	280	(description
e881752c	281	"OpenSSL is an implementation of SSL/TLS.")
e9aa8d0c	282	(license license:openssl)
cc2b77df AE	283	(home-page "http://www.openssl.org/")))
cc2b77df AE	284
cb6a802c AE	285	(define-public libressl
	286	(package
	287	(name "libressl")
bb2120cd	288	(version "2.2.5")
cb6a802c AE	289	(source
	290	(origin
	291	(method url-fetch)
	292	(uri (string-append
	293	"http://ftp.openbsd.org/pub/OpenBSD/LibreSSL/libressl-"
	294	version ".tar.gz"))
	295	(sha256 (base32
bb2120cd	296	"0jwidi7fafcdh5qml72dx0ad0kfsk94qxzm29i7wd3cx8v8dxjp3"))))
cb6a802c AE	297	(build-system gnu-build-system)
	298	(native-search-paths
	299	;; FIXME: These two variables must designate a single file or directory
	300	;; and are not actually "search paths." In practice it works OK in
	301	;; user profiles because there's always just one item that matches the
	302	;; specification.
	303	(list (search-path-specification
	304	(variable "SSL_CERT_DIR")
	305	(files '("etc/ssl/certs")))
	306	(search-path-specification
	307	(variable "SSL_CERT_FILE")
	308	(files '("etc/ssl/certs/ca-certificates.crt")))))
	309	(home-page "http://www.libressl.org/")
	310	(synopsis "SSL/TLS implementation")
	311	(description "LibreSSL is a version of the TLS/crypto stack forked
	312	from OpenSSL in 2014, with the goals of modernizing the codebase, improving
	313	security, and applying best practice development processes.")
	314	;; Files taken from OpenSSL keep their license, others are under various
	315	;; non-copyleft licenses.
	316	(license (list license:openssl
	317	(license:non-copyleft
	318	"file://COPYING"
	319	"See COPYING in the distribution.")))))
	320
6cefd53d	321	(define-public python-acme
7890e3ba	322	(package
6cefd53d	323	(name "python-acme")
42e92e06	324	(version "0.4.0")
7890e3ba LF	325	(source (origin
7890e3ba LF	326	(method url-fetch)
ef900645	327	(uri (pypi-uri "acme" version))
7890e3ba LF	328	(sha256
7890e3ba LF	329	(base32
42e92e06	330	"173j2zkslh43fzf3wkl1jdzfjry361m0mhlc3jpwp7hk7lrclzjg"))))
7890e3ba LF	331	(build-system python-build-system)
7890e3ba LF	332	(arguments
6cefd53d	333	`(#:phases
9bee9d87 LF	334	(modify-phases %standard-phases
	335	(add-before 'install 'disable-egg-compression
	336	(lambda _
	337	;; Do not compress the egg.
	338	;; See <http://bugs.gnu.org/20765>.
	339	(let ((port (open-file "setup.cfg" "a")))
	340	(display "\n[easy_install]\nzip_ok = 0\n"
	341	port)
	342	(close-port port)
	343	#t))))))
7890e3ba LF	344	;; TODO: Add optional inputs for testing and building documentation.
7890e3ba LF	345	(native-inputs
6cefd53d LF	346	`(("python-mock" ,python-mock)
6cefd53d LF	347	("python-setuptools" ,python-setuptools)))
7890e3ba	348	(propagated-inputs
6cefd53d LF	349	`(("python-ndg-httpsclient" ,python-ndg-httpsclient)
	350	("python-werkzeug" ,python-werkzeug)
	351	("python-six" ,python-six)
	352	("python-requests" ,python-requests)
	353	("python-pytz" ,python-pytz)
	354	("python-pyrfc3339" ,python-pyrfc3339)
	355	("python-pyasn1" ,python-pyasn1)
	356	("python-cryptography" ,python-cryptography)
	357	("python-pyopenssl" ,python-pyopenssl)))
7890e3ba LF	358	(home-page "https://github.com/letsencrypt/letsencrypt")
	359	(synopsis "ACME protocol implementation in Python")
	360	(description "ACME protocol implementation in Python")
	361	(license license:asl2.0)))
	362
6cefd53d LF	363	(define-public python2-acme
	364	(package-with-python2 python-acme))
	365
9fd0838b DT	366	(define-public letsencrypt
	367	(package
	368	(name "letsencrypt")
42e92e06	369	(version "0.4.0")
9fd0838b DT	370	(source (origin
9fd0838b DT	371	(method url-fetch)
ef900645	372	(uri (pypi-uri "letsencrypt" version))
9fd0838b DT	373	(sha256
9fd0838b DT	374	(base32
42e92e06	375	"1wwq8yvfdybf4d0gv4yfddkrg865s7rhng5xg563kks4wza1a2wp"))))
9fd0838b DT	376	(build-system python-build-system)
9fd0838b DT	377	(arguments
f9263d9a LF	378	`(#:python ,python-2
	379	#:phases
	380	(modify-phases %standard-phases
	381	(add-after 'install 'docs
	382	(lambda* (#:key outputs #:allow-other-keys)
	383	(let* ((out (assoc-ref outputs "out"))
	384	(man1 (string-append out "/share/man/man1"))
	385	(man7 (string-append out "/share/man/man7"))
	386	(info (string-append out "/info")))
	387	(substitute* "docs/man/letsencrypt.rst"
	388	(("letsencrypt --help all")
	389	(string-append out "/bin/letsencrypt" " --help all")))
	390	(and
	391	(zero? (system* "make" "-C" "docs" "man" "info"))
	392	(install-file "docs/_build/texinfo/LetsEncrypt.info" info)
	393	(install-file "docs/_build/man/letsencrypt.1" man1)
	394	(install-file "docs/_build/man/letsencrypt.7" man7)
	395	#t)))))))
	396	;; TODO: Add optional inputs for testing.
9fd0838b DT	397	(native-inputs
9fd0838b DT	398	`(("python2-nose" ,python2-nose)
f9263d9a LF	399	("python2-mock" ,python2-mock)
	400	;; For documentation
	401	("python2-sphinx" ,python2-sphinx)
	402	("python2-sphinx-rtd-theme" ,python2-sphinx-rtd-theme)
	403	("python2-sphinx-repoze-autointerface" ,python2-sphinx-repoze-autointerface)
	404	("python2-sphinxcontrib-programoutput" ,python2-sphinxcontrib-programoutput)
	405	("texinfo" ,texinfo)))
9fd0838b	406	(propagated-inputs
6cefd53d	407	`(("python2-acme" ,python2-acme)
9fd0838b DT	408	("python2-zope-interface" ,python2-zope-interface)
	409	("python2-pythondialog" ,python2-pythondialog)
	410	("python2-pyrfc3339" ,python2-pyrfc3339)
	411	("python2-pyopenssl" ,python2-pyopenssl)
	412	("python2-configobj" ,python2-configobj)
	413	("python2-configargparse" ,python2-configargparse)
	414	("python2-zope-component" ,python2-zope-component)
	415	("python2-parsedatetime" ,python2-parsedatetime)
	416	("python2-six" ,python2-six)
	417	("python2-psutil" ,python2-psutil)
	418	("python2-requests" ,python2-requests)
	419	("python2-pytz" ,python2-pytz)))
	420	(synopsis "Let's Encrypt client")
	421	(description "Tool to automatically receive and install X.509 certificates
	422	to enable TLS on servers. The client will interoperate with the Let’s Encrypt CA which
	423	will be issuing browser-trusted certificates for free.")
	424	(home-page "https://letsencrypt.org/")
	425	(license license:asl2.0)))
	426
cc2b77df AE	427	(define-public perl-net-ssleay
	428	(package
	429	(name "perl-net-ssleay")
	430	(version "1.68")
	431	(source (origin
	432	(method url-fetch)
	433	(uri (string-append "mirror://cpan/authors/id/M/MI/MIKEM/"
	434	"Net-SSLeay-" version ".tar.gz"))
	435	(sha256
	436	(base32
1084ec08	437	"1m2wwzhjwsg0drlhp9w12fl6bsgj69v8gdz72jqrqll3qr7f408p"))))
cc2b77df	438	(build-system perl-build-system)
1084ec08 MW	439	(native-inputs
	440	`(("patch" ,patch)
	441	("patch/disable-ede-test"
	442	,(search-patch "perl-net-ssleay-disable-ede-test.patch"))))
cc2b77df AE	443	(inputs `(("openssl" ,openssl)))
cc2b77df AE	444	(arguments
1084ec08 MW	445	`(#:phases
	446	(modify-phases %standard-phases
	447	(add-after
	448	'unpack 'apply-patch
	449	(lambda* (#:key inputs #:allow-other-keys)
	450	;; XXX We apply this patch here instead of in the 'origin' because
	451	;; this package's build system fails badly when the source file
	452	;; times are zeroed.
	453	;; XXX Try removing this patch for perl-net-ssleay > 1.68
	454	(zero? (system* "patch" "--force" "-p1" "-i"
	455	(assoc-ref inputs "patch/disable-ede-test")))))
	456	(add-before
	457	'configure 'set-ssl-prefix
	458	(lambda* (#:key inputs #:allow-other-keys)
	459	(setenv "OPENSSL_PREFIX" (assoc-ref inputs "openssl"))
	460	#t)))))
cc2b77df AE	461	(synopsis "Perl extension for using OpenSSL")
	462	(description
	463	"This module offers some high level convenience functions for accessing
	464	web pages on SSL servers (for symmetry, the same API is offered for accessing
	465	http servers, too), an sslcat() function for writing your own clients, and
	466	finally access to the SSL api of the SSLeay/OpenSSL package so you can write
	467	servers or clients for more complicated applications.")
	468	(license (package-license perl))
	469	(home-page "http://search.cpan.org/~mikem/Net-SSLeay-1.66/")))