;;; GNU Guix --- Functional package management for GNU
;;; Copyright © 2012, 2013, 2014, 2015, 2016, 2017 Ludovic Courtès <ludo@gnu.org>
;;; Copyright © 2014, 2015, 2016, 2017 Mark H Weaver <mhw@netris.org>
;;; Copyright © 2014 Ian Denhardt <ian@zenhack.net>
;;; Copyright © 2013, 2015 Andreas Enge <andreas@enge.fr>
;;; Copyright © 2015 David Thompson <davet@gnu.org>
;;; Copyright © 2015, 2016, 2017 Leo Famulari <leo@famulari.name>
;;; Copyright © 2016, 2017 Efraim Flashner <efraim@flashner.co.il>
;;; Copyright © 2016, 2017 ng0 <ng0@infotropique.org>
;;; Copyright © 2016 Hartmut Goebel <h.goebel@crazy-compilers.com>
;;; Copyright © 2017 Ricardo Wurmus <rekado@elephly.net>
;;; Copyright © 2017 Marius Bakke <mbakke@fastmail.com>
;;;
;;; This file is part of GNU Guix.
;;;
;;; GNU Guix is free software; you can redistribute it and/or modify it
;;; under the terms of the GNU General Public License as published by
;;; the Free Software Foundation; either version 3 of the License, or (at
;;; your option) any later version.
;;;
;;; GNU Guix is distributed in the hope that it will be useful, but
;;; WITHOUT ANY WARRANTY; without even the implied warranty of
;;; MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
;;; GNU General Public License for more details.
;;;
;;; You should have received a copy of the GNU General Public License
;;; along with GNU Guix.  If not, see <http://www.gnu.org/licenses/>.

;; Module for TLS/SSL stacks and the pieces around them: ASN.1 tooling,
;; PKCS#11 loading, ACME clients and language bindings.  The (guix licenses)
;; bindings are imported under the `license:' prefix so that license names
;; cannot collide with package field names such as `openssl'.
(define-module (gnu packages tls)
  #:use-module ((guix licenses) #:prefix license:)
  #:use-module (guix packages)
  #:use-module (guix download)
  #:use-module (guix utils)
  ;; Build systems used by the packages below.
  #:use-module (guix build-system gnu)
  #:use-module (guix build-system perl)
  #:use-module (guix build-system python)
  #:use-module (guix build-system cmake)
  #:use-module (guix build-system haskell)
  #:use-module (gnu packages compression)
  ;; (gnu packages) provides `search-patches' for the CVE and build patches.
  #:use-module (gnu packages)
  #:use-module (gnu packages dns)
  #:use-module (gnu packages guile)
  #:use-module (gnu packages haskell)
  #:use-module (gnu packages haskell-check)
  #:use-module (gnu packages haskell-crypto)
  #:use-module (gnu packages libbsd)
  #:use-module (gnu packages libffi)
  #:use-module (gnu packages libidn)
  #:use-module (gnu packages linux)
  #:use-module (gnu packages ncurses)
  #:use-module (gnu packages nettle)
  #:use-module (gnu packages perl)
  #:use-module (gnu packages pkg-config)
  #:use-module (gnu packages python)
  #:use-module (gnu packages python-crypto)
  #:use-module (gnu packages python-web)
  #:use-module (gnu packages texinfo)
  #:use-module (gnu packages base)
  ;; srfi-1 supplies `alist-delete', used when swapping Guile versions.
  #:use-module (srfi srfi-1))
;; GNU libtasn1: ASN.1 encoding/decoding used by GnuTLS and p11-kit below.
;; The `replacement' field names a graft: dependents keep building against
;; this package but are rewritten to use `libtasn1/fixed' (the same source
;; plus a CVE patch) without a full rebuild.
(define-public libtasn1
  (package
    (name "libtasn1")
    (version "4.12")
    (replacement libtasn1/fixed)
    (source
     (origin
       (method url-fetch)
       (uri (string-append "mirror://gnu/libtasn1/libtasn1-"
                           version ".tar.gz"))
       (sha256
        (base32
         "0ls7jdq3y5fnrwg0pzhq11m21r8pshac2705bczz6mqjc8pdllv7"))))
    (build-system gnu-build-system)
    ;; Perl is only needed at build time.
    (native-inputs `(("perl" ,perl)))
    (home-page "https://www.gnu.org/software/libtasn1/")
    (synopsis "ASN.1 library")
    (description
     "GNU libtasn1 is a library implementing the ASN.1 notation. It is used
for transmitting machine-neutral encodings of data objects in computer
networking, allowing for formal validation of data according to some
specifications.")
    (license license:lgpl2.0+)))
;; Graft target for `libtasn1': identical package, same tarball and hash,
;; with the CVE-2017-10790 patch applied on top.  Not exported, since users
;; should reach it only through the replacement mechanism.
(define libtasn1/fixed
  (package
    (inherit libtasn1)
    (source (origin
              (inherit (package-source libtasn1))
              (patches (search-patches "libtasn1-CVE-2017-10790.patch"))))))
;; asn1c: compiler turning ASN.1 modules into C codecs (BER/XER/PER).
(define-public asn1c
  (package
    (name "asn1c")
    (version "0.9.28")
    (source (origin
              (method url-fetch)
              (uri (string-append "https://lionet.info/soft/asn1c-"
                                  version ".tar.gz"))
              (sha256
               (base32
                "1fc64g45ykmv73kdndr4zdm4wxhimhrir4rxnygxvwkych5l81w0"))))
    (build-system gnu-build-system)
    ;; Perl is a build-time dependency only.
    (native-inputs
     `(("perl" ,perl)))
    (home-page "https://lionet.info/asn1c")
    (synopsis "ASN.1 to C compiler")
    (description "The ASN.1 to C compiler takes ASN.1 module
files and generates C++ compatible C source code. That code can be
used to serialize the native C structures into compact and unambiguous
BER/XER/PER-based data files, and deserialize the files back.

Various ASN.1 based formats are widely used in the industry, such as to encode
the X.509 certificates employed in the HTTPS handshake, to exchange control
data between mobile phones and cellular networks, to car-to-car communication
in intelligent transportation networks.")
    (license license:bsd-2)))
;; p11-kit: loads and coordinates PKCS#11 modules within a process.
;; `--without-trust-paths' builds it without a compiled-in list of system
;; trust paths; any trust anchors have to be supplied by configuration.
(define-public p11-kit
  (package
    (name "p11-kit")
    (version "0.23.9")
    (source
     (origin
       (method url-fetch)
       (uri (string-append "https://github.com/p11-glue/p11-kit/releases/"
                           "download/" version "/p11-kit-" version ".tar.gz"))
       (sha256
        (base32
         "0qyvnkb5hfi94wv3bn67y20hcbbvynvjwxpk7k9sh1si6ff69hg1"))))
    (build-system gnu-build-system)
    (native-inputs
     `(("pkg-config" ,pkg-config)))
    ;; libtasn1 here is the grafted package defined above.
    (inputs
     `(("libffi" ,libffi)
       ("libtasn1" ,libtasn1)))
    (arguments
     `(#:configure-flags '("--without-trust-paths")))
    (home-page "http://p11-glue.freedesktop.org/p11-kit.html")
    (synopsis "PKCS#11 library")
    (description
     "p11-kit provides a way to load and enumerate PKCS#11 modules. It
provides a standard configuration setup for installing PKCS#11 modules
in such a way that they are discoverable. It also solves problems with
coordinating the use of PKCS#11 by different components or libraries
living in the same process.")
    (license license:bsd-3)))
;; TODO: Add net-tools-for-tests to #:disallowed-references when we can afford
;; to rebuild GnuTLS (i.e. core-updates).
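;; GnuTLS: TLS/DTLS library with Guile bindings.  Fix: the description read
;; "X.5009" where the standard is X.509.
;;
;; The default trust store is a configure-time absolute path, so the library
;; trusts whatever the running system places under /etc/ssl/certs; nothing in
;; the store pins that set of anchors.
(define-public gnutls
  (package
    (name "gnutls")
    (version "3.5.13")
    (source (origin
              (method url-fetch)
              (uri
               ;; Note: Releases are no longer on ftp.gnu.org since the
               ;; schism (after version 3.1.5).
               (string-append "mirror://gnupg/gnutls/v"
                              (version-major+minor version)
                              "/gnutls-" version ".tar.xz"))
              ;; Both patches skip tests that cannot pass in the build chroot.
              (patches
               (search-patches "gnutls-skip-trust-store-test.patch"
                               "gnutls-skip-pkgconfig-test.patch"))
              (sha256
               (base32
                "15ihq6p0hnnhs8cnjrkj40dmlcaa1jjg8xg0g2ydbnlqs454ixbr"))))
    (build-system gnu-build-system)
    (arguments
     '(#:configure-flags
       (list
        ;; GnuTLS doesn't consult any environment variables to specify
        ;; the location of the system-wide trust store.  Instead it has a
        ;; configure-time option.  Unless specified, its configure script
        ;; attempts to auto-detect the location by looking for common
        ;; places in the file system, none of which are present in our
        ;; chroot build environment.  If not found, then no default trust
        ;; store is used, so each program has to provide its own
        ;; fallback, and users have to configure each program
        ;; independently.  This seems suboptimal.
        "--with-default-trust-store-dir=/etc/ssl/certs"

        ;; FIXME: Temporarily disable p11-kit support since it is not
        ;; working on mips64el.
        "--without-p11-kit")

       #:phases (modify-phases %standard-phases
                  (add-after
                   'install 'move-doc
                   (lambda* (#:key outputs #:allow-other-keys)
                     ;; Copy the 4.1 MiB of section 3 man pages to "doc",
                     ;; then drop them from "out" so it stays small.
                     (let* ((out    (assoc-ref outputs "out"))
                            (doc    (assoc-ref outputs "doc"))
                            (mandir (string-append doc "/share/man/man3"))
                            (oldman (string-append out "/share/man/man3")))
                       (mkdir-p mandir)
                       (copy-recursively oldman mandir)
                       (delete-file-recursively oldman)
                       #t))))))
    (outputs '("out"                    ;4.4 MiB
               "debug"
               "doc"))                  ;4.1 MiB of man pages
    ;; net-tools is only exercised by the test suite (see the TODO above).
    (native-inputs
     `(("net-tools" ,net-tools-for-tests)
       ("pkg-config" ,pkg-config)
       ("which" ,which)))
    (inputs
     `(("guile" ,guile-2.2)))
    (propagated-inputs
     ;; These are all in the 'Requires.private' field of gnutls.pc.
     `(("libtasn1" ,libtasn1)
       ("libidn2" ,libidn2)
       ("nettle" ,nettle)
       ("zlib" ,zlib)))
    (home-page "https://www.gnu.org/software/gnutls/")
    (synopsis "Transport layer security library")
    (description
     "GnuTLS is a secure communications library implementing the SSL, TLS
and DTLS protocols. It is provided in the form of a C library to support the
protocols, as well as to parse and write X.509, PKCS 12, OpenPGP and other
required structures.")
    (license license:lgpl2.1+)
    ;; Used by the updater to find new releases.
    (properties '((ftp-server . "ftp.gnutls.org")
                  (ftp-directory . "/gcrypt/gnutls")))))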
;; Former name of the Guile 2.2 variant; `gnutls' itself now builds against
;; Guile 2.2, so this is only a deprecation alias.
(define-public gnutls/guile-2.2
  (deprecated-package "guile2.2-gnutls" gnutls))
(define-public gnutls/guile-2.0
  ;; GnuTLS for Guile 2.0.  Everything is inherited from `gnutls'; only the
  ;; "guile" input is swapped, the remaining inputs are kept via
  ;; `alist-delete'.
  (package
    (inherit gnutls)
    (name "guile2.0-gnutls")
    (inputs `(("guile" ,guile-2.0)
              ,@(alist-delete "guile" (package-inputs gnutls))))))
(define-public gnutls/dane
  ;; GnuTLS with build libgnutls-dane, implementing DNS-based
  ;; Authentication of Named Entities.  This is required for GNS functionality
  ;; by GNUnet and gnURL.  This is done in an extra package definition
  ;; to have the choice between GnuTLS with Dane and without Dane.
  ;;
  ;; Adding `unbound' as an input is what enables the DANE library; no
  ;; configure flag is passed here, so enablement relies on configure
  ;; auto-detecting unbound.
  (package
    (inherit gnutls)
    (name "gnutls-dane")
    (inputs `(("unbound" ,unbound)
              ,@(package-inputs gnutls)))))
;; OpenSSL 1.0.2.  `replacement' makes `openssl-1.0.2m' a graft so that the
;; security fixes listed there reach dependents without a world rebuild.
;;
;; Both source URIs use FTP, an unauthenticated transport; the integrity of
;; the download rests entirely on the sha256 below.
(define-public openssl
  (package
    (name "openssl")
    (version "1.0.2l")
    (replacement openssl-1.0.2m)
    (source (origin
              (method url-fetch)
              ;; Second URI covers tarballs that upstream has moved to old/.
              (uri (list (string-append "ftp://ftp.openssl.org/source/"
                                        name "-" version ".tar.gz")
                         (string-append "ftp://ftp.openssl.org/source/old/"
                                        (string-trim-right version char-set:letter)
                                        "/" name "-" version ".tar.gz")))
              (sha256
               (base32
                "037kvpisc6qh5dkppcwbm5bg2q800xh2hma3vghz8xcycmdij1yf"))
              (snippet
               '(begin
                  ;; Remove ELF files.  'substitute*' can't read them.
                  (delete-file "test/ssltest_old")
                  (delete-file "test/v3ext")
                  (delete-file "test/x509aux")
                  #t))
              (patches (search-patches "openssl-runpath.patch"
                                       "openssl-c-rehash-in.patch"))))
    (build-system gnu-build-system)
    (outputs '("out"
               "doc"                    ;1.5MiB of man3 pages
               "static"))               ;6MiB of .a files
    (native-inputs `(("perl" ,perl)))
    (arguments
     ;; NOTE(review): #:disallowed-references appears twice in this argument
     ;; list (here and a few lines below); only one of the two entries can
     ;; take effect — confirm which one Guile keeps and merge them.
     `(#:disallowed-references (,perl)
       #:parallel-build? #f
       #:parallel-tests? #f
       #:test-target "test"

       ;; Changes to OpenSSL sometimes cause Perl to "sneak in" to the closure,
       ;; so we explicitly disallow it here.
       #:disallowed-references ,(list (canonical-package perl))
       #:phases
       (modify-phases %standard-phases
         (add-before
          'configure 'patch-Makefile.org
          (lambda* (#:key outputs #:allow-other-keys)
            ;; The default MANDIR is some unusual place.  Fix that.
            (let ((out (assoc-ref outputs "out")))
              (patch-makefile-SHELL "Makefile.org")
              (substitute* "Makefile.org"
                (("^MANDIR[[:blank:]]*=.*$")
                 (string-append "MANDIR = " out "/share/man\n")))
              #t)))
         (replace
          'configure
          ;; OpenSSL ships its own ./config script rather than autoconf,
          ;; hence the custom phase.  Returns #f (failing the build) when
          ;; the script exits non-zero.
          (lambda* (#:key outputs #:allow-other-keys)
            (let ((out (assoc-ref outputs "out")))
              (zero?
               (system* "./config"
                        "shared"                 ;build shared libraries
                        "--libdir=lib"

                        ;; The default for this catch-all directory is
                        ;; PREFIX/ssl.  Change that to something more
                        ;; conventional.
                        (string-append "--openssldir=" out
                                       "/share/openssl-" ,version)

                        (string-append "--prefix=" out)

                        ;; XXX FIXME: Work around a code generation bug in GCC
                        ;; 4.9.3 on ARM when compiled with -mfpu=neon.  See:
                        ;; <https://gcc.gnu.org/bugzilla/show_bug.cgi?id=66917>
                        ,@(if (and (not (%current-target-system))
                                   (string-prefix? "armhf" (%current-system)))
                              '("-mfpu=vfpv3")
                              '()))))))
         (add-after
          'install 'make-libraries-writable
          (lambda* (#:key outputs #:allow-other-keys)
            ;; Make libraries writable so that 'strip' does its job.
            (let ((out (assoc-ref outputs "out")))
              (for-each (lambda (file)
                          (chmod file #o644))
                        (find-files (string-append out "/lib")
                                    "\\.so"))
              #t)))
         (add-after 'install 'move-static-libraries
           (lambda* (#:key outputs #:allow-other-keys)
             ;; Move static libraries to the "static" output.
             (let* ((out    (assoc-ref outputs "out"))
                    (lib    (string-append out "/lib"))
                    (static (assoc-ref outputs "static"))
                    (slib   (string-append static "/lib")))
               (for-each (lambda (file)
                           (install-file file slib)
                           (delete-file file))
                         (find-files lib "\\.a$"))
               #t)))
         (add-after 'install 'move-man3-pages
           (lambda* (#:key outputs #:allow-other-keys)
             ;; Move section 3 man pages to "doc".
             (let* ((out    (assoc-ref outputs "out"))
                    (man3   (string-append out "/share/man/man3"))
                    (doc    (assoc-ref outputs "doc"))
                    (target (string-append doc "/share/man/man3")))
               (mkdir-p target)
               (for-each (lambda (file)
                           (rename-file file
                                        (string-append target "/"
                                                       (basename file))))
                         (find-files man3))
               (delete-file-recursively man3)
               #t)))
         (add-before
          'patch-source-shebangs 'patch-tests
          ;; Point the test scripts at the build's bash and at plain "rm"
          ;; instead of absolute /bin paths that do not exist in the chroot.
          (lambda* (#:key inputs native-inputs #:allow-other-keys)
            (let ((bash (assoc-ref (or native-inputs inputs) "bash")))
              (substitute* (find-files "test" ".*")
                (("/bin/sh")
                 (string-append bash "/bin/sh"))
                (("/bin/rm")
                 "rm"))
              #t)))
         (add-after
          'install 'remove-miscellany
          (lambda* (#:key outputs #:allow-other-keys)
            ;; The 'misc' directory contains random undocumented shell and Perl
            ;; scripts.  Remove them to avoid retaining a reference on Perl.
            (let ((out (assoc-ref outputs "out")))
              (delete-file-recursively (string-append out "/share/openssl-"
                                                      ,version "/misc"))
              #t))))))
    (native-search-paths
     ;; FIXME: These two variables must designate a single file or directory
     ;; and are not actually "search paths."  In practice it works OK in user
     ;; profiles because there's always just one item that matches the
     ;; specification.
     ;;
     ;; These point OpenSSL at the CA bundle installed in the profile.
     (list (search-path-specification
            (variable "SSL_CERT_DIR")
            (files '("etc/ssl/certs")))
           (search-path-specification
            (variable "SSL_CERT_FILE")
            (files '("etc/ssl/certs/ca-certificates.crt")))))
    (synopsis "SSL/TLS implementation")
    (description
     "OpenSSL is an implementation of SSL/TLS.")
    (license license:openssl)
    (home-page "http://www.openssl.org/")))
;; Fixes CVE-2017-3735 and CVE-2017-3736.
;; See <https://www.openssl.org/news/cl102.txt>.
;; Graft target for `openssl': same recipe, newer patch release.  The URI
;; list is spelled out (rather than inherited) so that the HTTPS mirror is
;; tried before the FTP ones; the inherited origin only had FTP URIs.
(define-public openssl-1.0.2m
  (package
    (inherit openssl)
    (version "1.0.2m")
    (source (origin
              (inherit (package-source openssl))
              (uri (list (string-append "https://www.openssl.org/source/openssl-"
                                        version ".tar.gz")
                         (string-append "ftp://ftp.openssl.org/source/openssl-"
                                        version ".tar.gz")
                         (string-append "ftp://ftp.openssl.org/source/old/"
                                        (string-trim-right version char-set:letter)
                                        "/openssl-" version ".tar.gz")))
              (sha256
               (base32
                "03vvlfnxx4lhxc83ikfdl6jqph4h52y7lb7li03va6dkqrgg2vwc"))))))
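;; OpenSSL 1.1.0, sharing the 1.0.2 recipe where possible.
;;
;; Fix: `inherit' copies every field of `openssl', including its
;; `replacement' (openssl-1.0.2m).  A 1.1.0 build must never be grafted with
;; a 1.0.2 build, so the replacement is explicitly cleared here.
(define-public openssl-next
  (package
    (inherit openssl)
    (name "openssl")
    (version "1.1.0g")
    (replacement #f)
    (source (origin
              (method url-fetch)
              ;; HTTPS first; the FTP URIs are unauthenticated fallbacks and
              ;; the sha256 below is what actually pins the tarball.
              (uri (list (string-append "https://www.openssl.org/source/openssl-"
                                        version ".tar.gz")
                         (string-append "ftp://ftp.openssl.org/source/"
                                        name "-" version ".tar.gz")
                         (string-append "ftp://ftp.openssl.org/source/old/"
                                        (string-trim-right version char-set:letter)
                                        "/" name "-" version ".tar.gz")))
              (patches (search-patches "openssl-1.1.0-c-rehash-in.patch"))
              (sha256
               (base32
                "1bvka2wf33w2vxv7yw578nnjqyhz2b3chvfb0l4k2ffscw950kfy"))))
    (outputs '("out"
               "doc"                    ;1.3MiB of man3 pages
               "static"))               ; 5.5MiB of .a files
    (arguments
     (substitute-keyword-arguments (package-arguments openssl)
       ((#:phases phases)
        `(modify-phases ,phases
           (delete 'patch-tests)         ; These two phases are not needed by
           (delete 'patch-Makefile.org)  ; OpenSSL 1.1.0.

           ;; Override configure phase since -rpath is now a configure option.
           (replace 'configure
             (lambda* (#:key outputs #:allow-other-keys)
               (let* ((out (assoc-ref outputs "out"))
                      (lib (string-append out "/lib")))
                 (zero?
                  (system* "./config"
                           "shared"             ;build shared libraries
                           "--libdir=lib"

                           ;; The default for this catch-all directory is
                           ;; PREFIX/ssl.  Change that to something more
                           ;; conventional.
                           (string-append "--openssldir=" out
                                          "/share/openssl-" ,version)

                           (string-append "--prefix=" out)
                           ;; Embed the RUNPATH so the libraries resolve each
                           ;; other without the 1.0.2 runpath patch.
                           (string-append "-Wl,-rpath," lib)

                           ;; XXX FIXME: Work around a code generation bug in GCC
                           ;; 4.9.3 on ARM when compiled with -mfpu=neon.  See:
                           ;; <https://gcc.gnu.org/bugzilla/show_bug.cgi?id=66917>
                           ,@(if (and (not (%current-target-system))
                                      (string-prefix? "armhf" (%current-system)))
                                 '("-mfpu=vfpv3")
                                 '()))))))

           ;; XXX: Duplicate this phase to make sure 'version' evaluates
           ;; in the current scope and not the inherited one.
           (replace 'remove-miscellany
             (lambda* (#:key outputs #:allow-other-keys)
               ;; The 'misc' directory contains random undocumented shell and Perl
               ;; scripts.  Remove them to avoid retaining a reference on Perl.
               (let ((out (assoc-ref outputs "out")))
                 (delete-file-recursively (string-append out "/share/openssl-"
                                                         ,version "/misc"))
                 #t)))))))))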
;; LibreSSL, including its TLS-capable `nc'.  Shares the SSL_CERT_DIR /
;; SSL_CERT_FILE search paths with `openssl' so both find the same CA bundle.
(define-public libressl
  (package
    (name "libressl")
    (version "2.5.5")
    (source (origin
              (method url-fetch)
              (uri (string-append "mirror://openbsd/LibreSSL/"
                                  name "-" version ".tar.gz"))
              (sha256
               (base32
                "1i77viqy1afvbr392npk9v54k9zhr9zq2vhv6pliza22b0ymwzz5"))))
    (build-system gnu-build-system)
    (arguments
     ;; Do as if 'getentropy' was missing since older Linux kernels lack it
     ;; and libc would return ENOSYS, which is not properly handled.
     ;; See <https://lists.gnu.org/archive/html/guix-devel/2017-04/msg00235.html>.
     ;;
     ;; This overrides an autoconf cache variable, so the library presumably
     ;; falls back to its other entropy sources on every kernel — confirm
     ;; against LibreSSL's arc4random backend if that matters to you.
     '(#:configure-flags '("ac_cv_func_getentropy=no"
                           ;; Provide a TLS-enabled netcat.
                           "--enable-nc")))
    (native-search-paths
     ;; FIXME: These two variables must designate a single file or directory
     ;; and are not actually "search paths."  In practice it works OK in
     ;; user profiles because there's always just one item that matches the
     ;; specification.
     (list (search-path-specification
            (variable "SSL_CERT_DIR")
            (files '("etc/ssl/certs")))
           (search-path-specification
            (variable "SSL_CERT_FILE")
            (files '("etc/ssl/certs/ca-certificates.crt")))))
    (home-page "https://www.libressl.org/")
    (synopsis "SSL/TLS implementation")
    (description "LibreSSL is a version of the TLS/crypto stack, forked from
OpenSSL in 2014 with the goals of modernizing the codebase, improving security,
and applying best practice development processes. This package also includes a
netcat implementation that supports TLS.")
    ;; Files taken from OpenSSL keep their license, others are under various
    ;; non-copyleft licenses.
    (license (list license:openssl
                   (license:non-copyleft
                    "file://COPYING"
                    "See COPYING in the distribution.")))))
;; python-acme: the ACME protocol library that `certbot' builds on.  Its
;; version also drives certbot's version (see `certbot' below), so the two
;; hashes must be bumped together.
(define-public python-acme
  (package
    (name "python-acme")
    ;; Remember to update the hash of certbot when updating python-acme.
    (version "0.19.0")
    (source (origin
              (method url-fetch)
              (uri (pypi-uri "acme" version))
              (sha256
               (base32
                "08p8w50zciqlhgn3ab0wbbvi1zyg3x37r1gywq0z1allsij3v8hz"))))
    (build-system python-build-system)
    (arguments
     `(#:phases
       (modify-phases %standard-phases
         ;; Sphinx builds the man and info pages; the phase fails the build
         ;; when make exits non-zero.
         (add-after 'build 'build-documentation
           (lambda _
             (zero? (system* "make" "-C" "docs" "man" "info"))))
         (add-after 'install 'install-documentation
           (lambda* (#:key outputs #:allow-other-keys)
             (let* ((out  (assoc-ref outputs "out"))
                    (man  (string-append out "/share/man/man1"))
                    (info (string-append out "/info")))
               (install-file "docs/_build/texinfo/acme-python.info" info)
               (install-file "docs/_build/man/acme-python.1" man)
               #t))))))
    ;; TODO: Add optional inputs for testing.
    (native-inputs
     `(("python-mock" ,python-mock-2)
       ;; For documentation
       ("python-sphinx" ,python-sphinx)
       ("python-sphinxcontrib-programoutput" ,python-sphinxcontrib-programoutput)
       ("python-sphinx-rtd-theme" ,python-sphinx-rtd-theme)
       ("texinfo" ,texinfo)))
    ;; Run-time dependencies; propagated so that `certbot' sees them too.
    (propagated-inputs
     `(("python-six" ,python-six)
       ("python-requests" ,python-requests)
       ("python-pytz" ,python-pytz)
       ("python-pyrfc3339" ,python-pyrfc3339)
       ("python-pyasn1" ,python-pyasn1)
       ("python-cryptography" ,python-cryptography)
       ("python-pyopenssl" ,python-pyopenssl)))
    (home-page "https://github.com/letsencrypt/letsencrypt")
    (synopsis "ACME protocol implementation in Python")
    (description "ACME protocol implementation in Python")
    (license license:asl2.0)))
;; Certbot, the EFF's ACME client.  Reuses python-acme's build arguments and
;; only swaps the documentation-install phase for the certbot-specific pages.
(define-public certbot
  (package
    (name "certbot")
    ;; Certbot and python-acme are developed in the same repository, and their
    ;; versions should remain synchronized.
    (version (package-version python-acme))
    (source (origin
              (method url-fetch)
              (uri (pypi-uri name version))
              (sha256
               (base32
                "0lwxqz3r0fg3dy06fgba1dfs7n6ribc25z0rh5rqbl7mvy8hf8x7"))))
    (build-system python-build-system)
    (arguments
     `(,@(substitute-keyword-arguments (package-arguments python-acme)
           ((#:phases phases)
            `(modify-phases ,phases
               (replace 'install-documentation
                 (lambda* (#:key outputs #:allow-other-keys)
                   (let* ((out  (assoc-ref outputs "out"))
                          (man1 (string-append out "/share/man/man1"))
                          (man7 (string-append out "/share/man/man7"))
                          (info (string-append out "/info")))
                     (install-file "docs/_build/texinfo/Certbot.info" info)
                     (install-file "docs/_build/man/certbot.1" man1)
                     (install-file "docs/_build/man/certbot.7" man7)
                     #t))))))))
    ;; TODO: Add optional inputs for testing.
    (native-inputs
     `(("python-nose" ,python-nose)
       ("python-mock" ,python-mock-2)
       ;; For documentation
       ("python-sphinx" ,python-sphinx)
       ("python-sphinx-rtd-theme" ,python-sphinx-rtd-theme)
       ("python-sphinx-repoze-autointerface" ,python-sphinx-repoze-autointerface)
       ("python-sphinxcontrib-programoutput" ,python-sphinxcontrib-programoutput)
       ("texinfo" ,texinfo)))
    (propagated-inputs
     `(("python-acme" ,python-acme)
       ("python-zope-interface" ,python-zope-interface)
       ("python-pyrfc3339" ,python-pyrfc3339)
       ("python-pyopenssl" ,python-pyopenssl)
       ("python-configobj" ,python-configobj)
       ("python-configargparse" ,python-configargparse)
       ("python-zope-component" ,python-zope-component)
       ("python-parsedatetime" ,python-parsedatetime)
       ("python-six" ,python-six)
       ("python-psutil" ,python-psutil)
       ("python-requests" ,python-requests)
       ("python-pytz" ,python-pytz)))
    (synopsis "Let's Encrypt client by the Electronic Frontier Foundation")
    (description "Certbot automatically receives and installs X.509 certificates
to enable Transport Layer Security (TLS) on servers. It interoperates with the
Let’s Encrypt certificate authority (CA), which issues browser-trusted
certificates for free.")
    (home-page "https://certbot.eff.org/")
    (license license:asl2.0)))
;; Old name of certbot, kept so existing profiles keep resolving; the
;; `superseded' property steers `guix package -u' to `certbot'.
(define-public letsencrypt
  (package (inherit certbot)
    (name "letsencrypt")
    (properties `((superseded . ,certbot)))))
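;; Net::SSLeay, the Perl binding to OpenSSL's libssl/libcrypto.
;; Fix: the home page pointed at a per-release URL for 1.66 while the package
;; is at 1.81; use the dist page, following the other CPAN packages in this
;; file, so the link no longer goes stale on each update.
(define-public perl-net-ssleay
  (package
    (name "perl-net-ssleay")
    (version "1.81")
    (source (origin
              (method url-fetch)
              (uri (string-append "mirror://cpan/authors/id/M/MI/MIKEM/"
                                  "Net-SSLeay-" version ".tar.gz"))
              (sha256
               (base32
                "0z8vya34g88bc41kx955sv7y4niwbbywji8liqbl52v29qbvdjq0"))))
    (build-system perl-build-system)
    (inputs `(("openssl" ,openssl)))
    (arguments
     `(#:phases
       (modify-phases %standard-phases
         ;; Makefile.PL reads OPENSSL_PREFIX to locate headers and libraries;
         ;; point it at our openssl input instead of letting it probe /usr.
         (add-before
          'configure 'set-ssl-prefix
          (lambda* (#:key inputs #:allow-other-keys)
            (setenv "OPENSSL_PREFIX" (assoc-ref inputs "openssl"))
            #t)))))
    (synopsis "Perl extension for using OpenSSL")
    (description
     "This module offers some high level convenience functions for accessing
web pages on SSL servers (for symmetry, the same API is offered for accessing
http servers, too), an sslcat() function for writing your own clients, and
finally access to the SSL api of the SSLeay/OpenSSL package so you can write
servers or clients for more complicated applications.")
    (license license:perl-license)
    (home-page "http://search.cpan.org/dist/Net-SSLeay")))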
;; Crypt::OpenSSL::RSA.  Uses `perl-crypt-arguments' (defined further down)
;; to make Makefile.PL link against our openssl; the forward reference works
;; because package fields are not evaluated until the package is built.
(define-public perl-crypt-openssl-rsa
  (package
    (name "perl-crypt-openssl-rsa")
    (version "0.28")
    (source
     (origin
       (method url-fetch)
       (uri (string-append
             "mirror://cpan/authors/id/P/PE/PERLER/Crypt-OpenSSL-RSA-"
             version
             ".tar.gz"))
       (sha256
        (base32
         "1gnpvv09b2gpifwdzc5jnhama3d1a4c39lzj9hcaicsb8rvzjmsk"))))
    (build-system perl-build-system)
    (inputs
     `(("perl-crypt-openssl-bignum" ,perl-crypt-openssl-bignum)
       ("perl-crypt-openssl-random" ,perl-crypt-openssl-random)
       ("openssl" ,openssl)))
    (arguments perl-crypt-arguments)
    (home-page
     "http://search.cpan.org/dist/Crypt-OpenSSL-RSA")
    (synopsis
     "RSA encoding and decoding, using the openSSL libraries")
    (description "Crypt::OpenSSL::RSA does RSA encoding and decoding (using the
OpenSSL libraries).")
    (license license:perl-license)))
;; Build arguments shared by the Crypt::OpenSSL::* packages.  Their
;; Makefile.PL hard-codes the 'LIBS' entry; rewrite it so libcrypto is taken
;; from the "openssl" input rather than from the host.
(define perl-crypt-arguments
  `(#:phases (modify-phases %standard-phases
               (add-before 'configure 'patch-Makefile.PL
                 (lambda* (#:key inputs #:allow-other-keys)
                   (substitute* "Makefile.PL"
                     ;; Replace the whole 'LIBS' => ... line, whatever its
                     ;; original value.
                     (("'LIBS'.*=>.*") (string-append "'LIBS' => ['-L"
                                                      (assoc-ref inputs "openssl")
                                                      "/lib -lcrypto'],")))
                   #t)))))
;; Crypt::OpenSSL::Bignum, OpenSSL's BIGNUM arithmetic from Perl.
(define-public perl-crypt-openssl-bignum
  (package
    (name "perl-crypt-openssl-bignum")
    (version "0.08")
    (source
     (origin
       (method url-fetch)
       (uri (string-append
             "mirror://cpan/authors/id/K/KM/KMX/Crypt-OpenSSL-Bignum-"
             version
             ".tar.gz"))
       (sha256
        (base32
         "0gamn4dff1bz77nswacy1dlpn9fkwahzw7yvvik4nbwwy2s63hc8"))))
    (build-system perl-build-system)
    (inputs `(("openssl" ,openssl)))
    ;; Same Makefile.PL 'LIBS' rewrite as the other Crypt::OpenSSL packages.
    (arguments perl-crypt-arguments)
    (home-page
     "http://search.cpan.org/dist/Crypt-OpenSSL-Bignum")
    (synopsis
     "OpenSSL's multiprecision integer arithmetic in Perl")
    (description "Crypt::OpenSSL::Bignum provides multiprecision integer
arithmetic in Perl.")
    ;; At your option either gpl1+ or the Artistic License
    (license license:perl-license)))
;; Crypt::OpenSSL::Random, access to libcrypto's PRNG from Perl.
(define-public perl-crypt-openssl-random
  (package
    (name "perl-crypt-openssl-random")
    (version "0.11")
    (source
     (origin
       (method url-fetch)
       (uri (string-append
             "mirror://cpan/authors/id/R/RU/RURBAN/Crypt-OpenSSL-Random-"
             version
             ".tar.gz"))
       (sha256
        (base32
         "0yjcabkibrkafywvdkmd1xpi6br48skyk3l15ni176wvlg38335v"))))
    (build-system perl-build-system)
    (inputs `(("openssl" ,openssl)))
    ;; Same Makefile.PL 'LIBS' rewrite as the other Crypt::OpenSSL packages.
    (arguments perl-crypt-arguments)
    (home-page
     "http://search.cpan.org/dist/Crypt-OpenSSL-Random")
    (synopsis
     "OpenSSL/LibreSSL pseudo-random number generator access")
    (description "Crypt::OpenSSL::Random is a OpenSSL/LibreSSL pseudo-random
number generator")
    (license license:perl-license)))
;; acme-client: OpenBSD's privilege-separated ACME client, portable build.
;; The CA bundle path it uses for talking to the ACME server is rewritten to
;; live inside the libressl input, so the trust anchors are fixed by that
;; store item rather than by the host's /etc/ssl (presumably LibreSSL ships
;; a cert.pem there — confirm).
(define-public acme-client
  (package
    (name "acme-client")
    (version "0.1.16")
    (source (origin
              (method url-fetch)
              (uri (string-append "https://kristaps.bsd.lv/" name "/"
                                  "snapshots/" name "-portable-"
                                  version ".tgz"))
              (sha256
               (base32
                "00q05b3b1dfnfp7sr1nbd212n0mqrycl3cr9lbs51m7ncaihbrz9"))))
    (build-system gnu-build-system)
    (arguments
     '(#:tests? #f                      ; no test suite
       #:make-flags
       (list "CC=gcc"
             (string-append "PREFIX=" (assoc-ref %outputs "out")))
       #:phases
       (modify-phases %standard-phases
         (add-after 'unpack 'patch-paths
           (lambda* (#:key inputs #:allow-other-keys)
             (let ((pem (string-append (assoc-ref inputs "libressl")
                                       "/etc/ssl/cert.pem")))
               (substitute* "http.c"
                 (("/etc/ssl/cert.pem") pem))
               #t)))
         (delete 'configure))))         ; no './configure' script
    (native-inputs
     `(("pkg-config" ,pkg-config)))
    (inputs
     `(("libbsd" ,libbsd)
       ("libressl" ,libressl)))
    (synopsis "Let's Encrypt client by the OpenBSD project")
    (description "acme-client is a Let's Encrypt client implemented in C. It
uses a modular design, and attempts to secure itself by dropping privileges and
operating in a chroot where possible. acme-client is developed on OpenBSD and
then ported to the GNU / Linux environment.")
    (home-page "https://kristaps.bsd.lv/acme-client/")
    ;; acme-client is distributed under the ISC license, but the files 'jsmn.h'
    ;; and 'jsmn.c' are distributed under the Expat license.
    (license (list license:isc license:expat))))
;; The "-apache" variant is upstream's preferred variant.  A "-gpl"
;; variant exists in addition to the "-apache" one.
;; mbed TLS (Apache-licensed tarball), built with CMake.
(define-public mbedtls-apache
  (package
    (name "mbedtls-apache")
    (version "2.6.0")
    (source
     (origin
       (method url-fetch)
       ;; XXX: The download links on the website are script redirection links
       ;; which effectively lead to the format listed in the uri here.
       (uri (string-append "https://tls.mbed.org/download/mbedtls-"
                           version "-apache.tgz"))
       (sha256
        (base32
         "11wnj34rfqxjggmdgf042i49lr6civgbqwv2p7p8bn6k2919vg4r"))))
    (build-system cmake-build-system)
    ;; Perl is used at build time only.
    (native-inputs
     `(("perl" ,perl)))
    (synopsis "Small TLS library")
    (description
     "@code{mbed TLS}, formerly known as PolarSSL, makes it trivially easy
for developers to include cryptographic and SSL/TLS capabilities in their
(embedded) products, facilitating this functionality with a minimal
coding footprint.")
    (home-page "https://tls.mbed.org")
    (license license:asl2.0)))
;; hs-tls: the native Haskell TLS implementation.  Inputs are its Hackage
;; build dependencies; the tasty/QuickCheck packages are only for tests.
(define-public ghc-tls
  (package
    (name "ghc-tls")
    (version "1.3.8")
    (source (origin
              (method url-fetch)
              (uri (string-append "https://hackage.haskell.org/package/"
                                  "tls/tls-" version ".tar.gz"))
              (sha256
               (base32
                "1rdidf18i781c0vdvy9yn79yh08hmcacf6fp3sgghyiy3h0wyh5l"))))
    (build-system haskell-build-system)
    (inputs
     `(("ghc-mtl" ,ghc-mtl)
       ("ghc-cereal" ,ghc-cereal)
       ("ghc-data-default-class" ,ghc-data-default-class)
       ("ghc-memory" ,ghc-memory)
       ("ghc-cryptonite" ,ghc-cryptonite)
       ("ghc-asn1-types" ,ghc-asn1-types)
       ("ghc-asn1-encoding" ,ghc-asn1-encoding)
       ("ghc-x509" ,ghc-x509)
       ("ghc-x509-store" ,ghc-x509-store)
       ("ghc-x509-validation" ,ghc-x509-validation)
       ("ghc-async" ,ghc-async)
       ("ghc-network" ,ghc-network)
       ("ghc-hourglass" ,ghc-hourglass)))
    (native-inputs
     `(("ghc-tasty" ,ghc-tasty)
       ("ghc-tasty-quickcheck" ,ghc-tasty-quickcheck)
       ("ghc-quickcheck" ,ghc-quickcheck)))
    (home-page "https://github.com/vincenthz/hs-tls")
    (synopsis
     "TLS/SSL protocol native implementation (Server and Client)")
    (description
     "Native Haskell TLS and SSL protocol implementation for server and client.
This provides a high-level implementation of a sensitive security protocol,
eliminating a common set of security issues through the use of the advanced
type system, high level constructions and common Haskell features. Currently
implement the SSL3.0, TLS1.0, TLS1.1 and TLS1.2 protocol, and support RSA and
Ephemeral (Elliptic curve and regular) Diffie Hellman key exchanges, and many
extensions.")
    (license license:bsd-3)))