1 ;;; GNU Guix --- Functional package management for GNU
2 ;;; Copyright © 2012, 2013, 2014, 2015, 2016, 2017 Ludovic Courtès <ludo@gnu.org>
3 ;;; Copyright © 2014, 2015, 2016, 2017 Mark H Weaver <mhw@netris.org>
4 ;;; Copyright © 2014 Ian Denhardt <ian@zenhack.net>
5 ;;; Copyright © 2013, 2015 Andreas Enge <andreas@enge.fr>
6 ;;; Copyright © 2015 David Thompson <davet@gnu.org>
7 ;;; Copyright © 2015, 2016, 2017 Leo Famulari <leo@famulari.name>
8 ;;; Copyright © 2016, 2017 Efraim Flashner <efraim@flashner.co.il>
9 ;;; Copyright © 2016, 2017 ng0 <ng0@infotropique.org>
10 ;;; Copyright © 2016 Hartmut Goebel <h.goebel@crazy-compilers.com>
11 ;;; Copyright © 2017 Ricardo Wurmus <rekado@elephly.net>
12 ;;; Copyright © 2017 Marius Bakke <mbakke@fastmail.com>
13 ;;;
14 ;;; This file is part of GNU Guix.
15 ;;;
16 ;;; GNU Guix is free software; you can redistribute it and/or modify it
17 ;;; under the terms of the GNU General Public License as published by
18 ;;; the Free Software Foundation; either version 3 of the License, or (at
19 ;;; your option) any later version.
20 ;;;
21 ;;; GNU Guix is distributed in the hope that it will be useful, but
22 ;;; WITHOUT ANY WARRANTY; without even the implied warranty of
23 ;;; MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
24 ;;; GNU General Public License for more details.
25 ;;;
26 ;;; You should have received a copy of the GNU General Public License
27 ;;; along with GNU Guix. If not, see <http://www.gnu.org/licenses/>.
28
29 (define-module (gnu packages tls)
30 #:use-module ((guix licenses) #:prefix license:)
31 #:use-module (guix packages)
32 #:use-module (guix download)
33 #:use-module (guix utils)
34 #:use-module (guix build-system gnu)
35 #:use-module (guix build-system perl)
36 #:use-module (guix build-system python)
37 #:use-module (guix build-system cmake)
38 #:use-module (gnu packages compression)
39 #:use-module (gnu packages)
40 #:use-module (gnu packages dns)
41 #:use-module (gnu packages guile)
42 #:use-module (gnu packages libbsd)
43 #:use-module (gnu packages libffi)
44 #:use-module (gnu packages libidn)
45 #:use-module (gnu packages linux)
46 #:use-module (gnu packages ncurses)
47 #:use-module (gnu packages nettle)
48 #:use-module (gnu packages perl)
49 #:use-module (gnu packages pkg-config)
50 #:use-module (gnu packages python)
51 #:use-module (gnu packages texinfo)
52 #:use-module (gnu packages base)
53 #:use-module (srfi srfi-1))
54
(define-public libtasn1
  ;; GNU libtasn1, the ASN.1 parser/encoder that both p11-kit and GnuTLS
  ;; below depend on.  The 4.12 release is built with the CVE-2017-10790
  ;; fix applied as a patch.
  (package
    (name "libtasn1")
    (version "4.12")
    (source (origin
              (method url-fetch)
              (uri (string-append "mirror://gnu/libtasn1/libtasn1-" version
                                  ".tar.gz"))
              (patches (search-patches "libtasn1-CVE-2017-10790.patch"))
              (sha256
               (base32
                "0ls7jdq3y5fnrwg0pzhq11m21r8pshac2705bczz6mqjc8pdllv7"))))
    (build-system gnu-build-system)
    (native-inputs `(("perl" ,perl)))
    (synopsis "ASN.1 library")
    (description
     "GNU libtasn1 is a library implementing the ASN.1 notation. It is used
for transmitting machine-neutral encodings of data objects in computer
networking, allowing for formal validation of data according to some
specifications.")
    (home-page "https://www.gnu.org/software/libtasn1/")
    (license license:lgpl2.0+)))
78
(define-public asn1c
  ;; The asn1c compiler turns ASN.1 modules into C code; only Perl is needed
  ;; at build time.
  (package
    (name "asn1c")
    (version "0.9.28")
    (home-page "https://lionet.info/asn1c")
    (source (origin
              (method url-fetch)
              (uri (string-append "https://lionet.info/soft/asn1c-" version
                                  ".tar.gz"))
              (sha256
               (base32
                "1fc64g45ykmv73kdndr4zdm4wxhimhrir4rxnygxvwkych5l81w0"))))
    (build-system gnu-build-system)
    (native-inputs `(("perl" ,perl)))
    (synopsis "ASN.1 to C compiler")
    (description "The ASN.1 to C compiler takes ASN.1 module
files and generates C++ compatible C source code. That code can be
used to serialize the native C structures into compact and unambiguous
BER/XER/PER-based data files, and deserialize the files back.

Various ASN.1 based formats are widely used in the industry, such as to encode
the X.509 certificates employed in the HTTPS handshake, to exchange control
data between mobile phones and cellular networks, to car-to-car communication
in intelligent transportation networks.")
    (license license:bsd-2)))
105
(define-public p11-kit
  ;; PKCS#11 module loader.  Built on top of libffi and the libtasn1 package
  ;; defined above.
  (package
    (name "p11-kit")
    (version "0.23.9")
    (home-page "http://p11-glue.freedesktop.org/p11-kit.html")
    (source (origin
              (method url-fetch)
              (uri (string-append "https://github.com/p11-glue/p11-kit/releases/"
                                  "download/" version "/p11-kit-" version
                                  ".tar.gz"))
              (sha256
               (base32
                "0qyvnkb5hfi94wv3bn67y20hcbbvynvjwxpk7k9sh1si6ff69hg1"))))
    (build-system gnu-build-system)
    (arguments
     ;; NOTE(review): no trust-store locations are compiled in, so the
     ;; trust module presumably has no anchors unless they are supplied by
     ;; the profile -- confirm before relying on p11-kit-trust from here.
     `(#:configure-flags '("--without-trust-paths")))
    (native-inputs `(("pkg-config" ,pkg-config)))
    (inputs `(("libffi" ,libffi)
              ("libtasn1" ,libtasn1)))
    (synopsis "PKCS#11 library")
    (description
     "p11-kit provides a way to load and enumerate PKCS#11 modules. It
provides a standard configuration setup for installing PKCS#11 modules
in such a way that they are discoverable. It also solves problems with
coordinating the use of PKCS#11 by different components or libraries
living in the same process.")
    (license license:bsd-3)))
135
136
;; TODO: Add net-tools-for-tests to #:disallowed-references once we can afford
;; to rebuild GnuTLS (i.e., on core-updates).
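(define-public gnutls
  (package
    (name "gnutls")
    (version "3.5.13")
    (source (origin
              (method url-fetch)
              (uri
               ;; Note: Releases are no longer on ftp.gnu.org since the
               ;; schism (after version 3.1.5).
               (string-append "mirror://gnupg/gnutls/v"
                              (version-major+minor version)
                              "/gnutls-" version ".tar.xz"))
              (patches
               (search-patches "gnutls-skip-trust-store-test.patch"
                               "gnutls-skip-pkgconfig-test.patch"))
              (sha256
               (base32
                "15ihq6p0hnnhs8cnjrkj40dmlcaa1jjg8xg0g2ydbnlqs454ixbr"))))
    (build-system gnu-build-system)
    (arguments
     '(#:configure-flags
       (list
        ;; GnuTLS doesn't consult any environment variables to specify
        ;; the location of the system-wide trust store. Instead it has a
        ;; configure-time option. Unless specified, its configure script
        ;; attempts to auto-detect the location by looking for common
        ;; places in the file system, none of which are present in our
        ;; chroot build environment. If not found, then no default trust
        ;; store is used, so each program has to provide its own
        ;; fallback, and users have to configure each program
        ;; independently. This seems suboptimal.
        ;;
        ;; The directory below is a path on the running system, not a
        ;; store item, so the CA bundle installed there at run time is
        ;; what gets trusted.
        "--with-default-trust-store-dir=/etc/ssl/certs"

        ;; FIXME: Temporarily disable p11-kit support since it is not
        ;; working on mips64el.
        "--without-p11-kit")

       #:phases (modify-phases %standard-phases
                  (add-after
                   'install 'move-doc
                   (lambda* (#:key outputs #:allow-other-keys)
                     ;; Copy the 4.1 MiB of section 3 man pages to "doc"
                     ;; and drop them from "out" so that the main output
                     ;; stays small.
                     (let* ((out (assoc-ref outputs "out"))
                            (doc (assoc-ref outputs "doc"))
                            (mandir (string-append doc "/share/man/man3"))
                            (oldman (string-append out "/share/man/man3")))
                       (mkdir-p mandir)
                       (copy-recursively oldman mandir)
                       (delete-file-recursively oldman)
                       #t))))))
    (outputs '("out"                    ;4.4 MiB
               "debug"
               "doc"))                  ;4.1 MiB of man pages
    (native-inputs
     `(("net-tools" ,net-tools-for-tests)
       ("pkg-config" ,pkg-config)
       ("which" ,which)))
    (inputs
     `(("guile" ,guile-2.2)))
    (propagated-inputs
     ;; These are all in the 'Requires.private' field of gnutls.pc.
     `(("libtasn1" ,libtasn1)
       ("libidn2" ,libidn2)
       ("nettle" ,nettle)
       ("zlib" ,zlib)))
    (home-page "https://www.gnu.org/software/gnutls/")
    (synopsis "Transport layer security library")
    ;; "X.509" was previously misspelled "X.5009" in the user-visible text.
    (description
     "GnuTLS is a secure communications library implementing the SSL, TLS
and DTLS protocols. It is provided in the form of a C library to support the
protocols, as well as to parse and write X.509, PKCS 12, OpenPGP and other
required structures.")
    (license license:lgpl2.1+)
    (properties '((ftp-server . "ftp.gnutls.org")
                  (ftp-directory . "/gcrypt/gnutls")))))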
214
;; Kept only for backward compatibility: 'gnutls' itself is already built
;; against Guile 2.2, so this name is just a deprecated alias for it.
(define-public gnutls/guile-2.2
  (deprecated-package "guile2.2-gnutls" gnutls))
217
(define-public gnutls/guile-2.0
  ;; Same as 'gnutls', but with the Guile bindings built for Guile 2.0: the
  ;; "guile" input is swapped out and every other input is kept.
  (package
    (inherit gnutls)
    (name "guile2.0-gnutls")
    (inputs (cons `("guile" ,guile-2.0)
                  (alist-delete "guile" (package-inputs gnutls))))))
225
(define-public gnutls/dane
  ;; GnuTLS built with libgnutls-dane, which implements DNS-based
  ;; Authentication of Named Entities (DANE).  GNUnet and gnURL need it for
  ;; GNS.  It is a separate package so that users can choose between GnuTLS
  ;; with and without DANE; adding "unbound" to the inputs is what enables it.
  (package
    (inherit gnutls)
    (name "gnutls-dane")
    (inputs (cons `("unbound" ,unbound)
                  (package-inputs gnutls)))))
236
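(define-public openssl
  (package
    (name "openssl")
    (version "1.0.2m")
    (source (origin
              (method url-fetch)
              (uri (list (string-append "https://www.openssl.org/source/openssl-"
                                        version ".tar.gz")
                         (string-append "ftp://ftp.openssl.org/source/"
                                        name "-" version ".tar.gz")
                         (string-append "ftp://ftp.openssl.org/source/old/"
                                        (string-trim-right version char-set:letter)
                                        "/" name "-" version ".tar.gz")))
              (sha256
               (base32
                "03vvlfnxx4lhxc83ikfdl6jqph4h52y7lb7li03va6dkqrgg2vwc"))
              (snippet
               '(begin
                  ;; Remove ELF files. 'substitute*' can't read them.
                  (delete-file "test/ssltest_old")
                  (delete-file "test/v3ext")
                  (delete-file "test/x509aux")
                  #t))
              (patches (search-patches "openssl-runpath.patch"
                                       "openssl-c-rehash-in.patch"))))
    (build-system gnu-build-system)
    (outputs '("out"
               "doc"                    ;1.5MiB of man3 pages
               "static"))               ;6MiB of .a files
    (native-inputs `(("perl" ,perl)))
    (arguments
     `(#:parallel-build? #f
       #:parallel-tests? #f
       #:test-target "test"

       ;; Changes to OpenSSL sometimes cause Perl to "sneak in" to the closure,
       ;; so we explicitly disallow it here.
       ;;
       ;; This keyword used to be given twice in this list, once as (,perl)
       ;; and once as the canonical Perl; only one of the two could take
       ;; effect.  Both packages are now listed in a single entry so that a
       ;; reference to either variant fails the build.
       #:disallowed-references (,perl ,(canonical-package perl))
       #:phases
       (modify-phases %standard-phases
         (add-before
          'configure 'patch-Makefile.org
          (lambda* (#:key outputs #:allow-other-keys)
            ;; The default MANDIR is some unusual place. Fix that.
            (let ((out (assoc-ref outputs "out")))
              (patch-makefile-SHELL "Makefile.org")
              (substitute* "Makefile.org"
                (("^MANDIR[[:blank:]]*=.*$")
                 (string-append "MANDIR = " out "/share/man\n")))
              #t)))
         (replace
          'configure
          ;; OpenSSL's ./config is not an Autoconf script, so the standard
          ;; configure phase is replaced wholesale.
          (lambda* (#:key outputs #:allow-other-keys)
            (let ((out (assoc-ref outputs "out")))
              (zero?
               (system* "./config"
                        "shared"                 ;build shared libraries
                        "--libdir=lib"

                        ;; The default for this catch-all directory is
                        ;; PREFIX/ssl. Change that to something more
                        ;; conventional.
                        (string-append "--openssldir=" out
                                       "/share/openssl-" ,version)

                        (string-append "--prefix=" out)

                        ;; XXX FIXME: Work around a code generation bug in GCC
                        ;; 4.9.3 on ARM when compiled with -mfpu=neon. See:
                        ;; <https://gcc.gnu.org/bugzilla/show_bug.cgi?id=66917>
                        ,@(if (and (not (%current-target-system))
                                   (string-prefix? "armhf" (%current-system)))
                              '("-mfpu=vfpv3")
                              '()))))))
         (add-after
          'install 'make-libraries-writable
          (lambda* (#:key outputs #:allow-other-keys)
            ;; Make libraries writable so that 'strip' does its job.
            (let ((out (assoc-ref outputs "out")))
              (for-each (lambda (file)
                          (chmod file #o644))
                        (find-files (string-append out "/lib")
                                    "\\.so"))
              #t)))
         (add-after 'install 'move-static-libraries
           (lambda* (#:key outputs #:allow-other-keys)
             ;; Move static libraries to the "static" output.
             (let* ((out    (assoc-ref outputs "out"))
                    (lib    (string-append out "/lib"))
                    (static (assoc-ref outputs "static"))
                    (slib   (string-append static "/lib")))
               (for-each (lambda (file)
                           (install-file file slib)
                           (delete-file file))
                         (find-files lib "\\.a$"))
               #t)))
         (add-after 'install 'move-man3-pages
           (lambda* (#:key outputs #:allow-other-keys)
             ;; Move section 3 man pages to "doc".
             (let* ((out    (assoc-ref outputs "out"))
                    (man3   (string-append out "/share/man/man3"))
                    (doc    (assoc-ref outputs "doc"))
                    (target (string-append doc "/share/man/man3")))
               (mkdir-p target)
               (for-each (lambda (file)
                           (rename-file file
                                        (string-append target "/"
                                                       (basename file))))
                         (find-files man3))
               (delete-file-recursively man3)
               #t)))
         (add-before
          'patch-source-shebangs 'patch-tests
          ;; The test scripts hard-code /bin/sh and /bin/rm, neither of
          ;; which exists in the build environment.
          (lambda* (#:key inputs native-inputs #:allow-other-keys)
            (let ((bash (assoc-ref (or native-inputs inputs) "bash")))
              (substitute* (find-files "test" ".*")
                (("/bin/sh")
                 (string-append bash "/bin/sh"))
                (("/bin/rm")
                 "rm"))
              #t)))
         (add-after
          'install 'remove-miscellany
          (lambda* (#:key outputs #:allow-other-keys)
            ;; The 'misc' directory contains random undocumented shell and Perl
            ;; scripts. Remove them to avoid retaining a reference on Perl.
            (let ((out (assoc-ref outputs "out")))
              (delete-file-recursively (string-append out "/share/openssl-"
                                                      ,version "/misc"))
              #t))))))
    (native-search-paths
     ;; Both variables designate exactly one directory or file, never a
     ;; colon-separated list, hence 'separator #f'.
     (list (search-path-specification
            (variable "SSL_CERT_DIR")
            (separator #f)              ;single entry
            (files '("etc/ssl/certs")))
           (search-path-specification
            (variable "SSL_CERT_FILE")
            (file-type 'regular)
            (separator #f)              ;single entry
            (files '("etc/ssl/certs/ca-certificates.crt")))))
    (synopsis "SSL/TLS implementation")
    (description
     "OpenSSL is an implementation of SSL/TLS.")
    (license license:openssl)
    (home-page "http://www.openssl.org/")))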
383
(define-public openssl-next
  ;; OpenSSL 1.1.0.  Everything is inherited from 'openssl' except the
  ;; source, the output size notes, and the build phases that the 1.1.0
  ;; build system no longer needs or handles differently.
  (package
    (inherit openssl)
    (name "openssl")
    (version "1.1.0g")
    (source (origin
              (method url-fetch)
              (uri (list (string-append "https://www.openssl.org/source/openssl-"
                                        version ".tar.gz")
                         (string-append "ftp://ftp.openssl.org/source/"
                                        name "-" version ".tar.gz")
                         (string-append "ftp://ftp.openssl.org/source/old/"
                                        (string-trim-right version char-set:letter)
                                        "/" name "-" version ".tar.gz")))
              (patches (search-patches "openssl-1.1.0-c-rehash-in.patch"))
              (sha256
               (base32
                "1bvka2wf33w2vxv7yw578nnjqyhz2b3chvfb0l4k2ffscw950kfy"))))
    (outputs '("out"
               "doc"                    ;1.3MiB of man3 pages
               "static"))               ;5.5MiB of .a files
    (arguments
     (substitute-keyword-arguments (package-arguments openssl)
       ((#:phases phases)
        `(modify-phases ,phases
           ;; Neither the Makefile.org tweak nor the test-script patching
           ;; applies to OpenSSL 1.1.0.
           (delete 'patch-Makefile.org)
           (delete 'patch-tests)

           ;; 1.1.0 accepts -rpath as a configure option, so the configure
           ;; phase is redone to pass it explicitly.
           (replace 'configure
             (lambda* (#:key outputs #:allow-other-keys)
               (let* ((out   (assoc-ref outputs "out"))
                      (rpath (string-append "-Wl,-rpath," out "/lib")))
                 (zero?
                  (system* "./config"
                           "shared"              ;build shared libraries
                           "--libdir=lib"

                           ;; The default for this catch-all directory is
                           ;; PREFIX/ssl. Change that to something more
                           ;; conventional.
                           (string-append "--openssldir=" out
                                          "/share/openssl-" ,version)

                           (string-append "--prefix=" out)
                           rpath

                           ;; XXX FIXME: Work around a code generation bug in GCC
                           ;; 4.9.3 on ARM when compiled with -mfpu=neon. See:
                           ;; <https://gcc.gnu.org/bugzilla/show_bug.cgi?id=66917>
                           ,@(if (and (not (%current-target-system))
                                      (string-prefix? "armhf" (%current-system)))
                                 '("-mfpu=vfpv3")
                                 '()))))))

           ;; XXX: This phase is duplicated so that 'version' refers to the
           ;; 1.1.0 version string rather than the inherited one.
           (replace 'remove-miscellany
             (lambda* (#:key outputs #:allow-other-keys)
               ;; The 'misc' directory contains random undocumented shell and Perl
               ;; scripts. Remove them to avoid retaining a reference on Perl.
               (let* ((out  (assoc-ref outputs "out"))
                      (misc (string-append out "/share/openssl-" ,version
                                           "/misc")))
                 (delete-file-recursively misc)
                 #t)))))))))
449
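(define-public libressl
  (package
    (name "libressl")
    (version "2.5.5")
    (source (origin
              (method url-fetch)
              (uri (string-append "mirror://openbsd/LibreSSL/"
                                  name "-" version ".tar.gz"))
              (sha256
               (base32
                "1i77viqy1afvbr392npk9v54k9zhr9zq2vhv6pliza22b0ymwzz5"))))
    (build-system gnu-build-system)
    (arguments
     ;; Do as if 'getentropy' was missing since older Linux kernels lack it
     ;; and libc would return ENOSYS, which is not properly handled.
     ;; See <https://lists.gnu.org/archive/html/guix-devel/2017-04/msg00235.html>.
     '(#:configure-flags '("ac_cv_func_getentropy=no"
                           ;; Provide a TLS-enabled netcat.
                           "--enable-nc")))
    (native-search-paths
     ;; SSL_CERT_DIR and SSL_CERT_FILE each designate exactly one directory
     ;; or file, not a colon-separated search list.  They are therefore
     ;; declared single-entry, exactly as for 'openssl' above; previously they
     ;; used the default ":" separator and only worked because a profile
     ;; happened to contain a single match.  With several matches the joined
     ;; value would not be a valid path.
     (list (search-path-specification
            (variable "SSL_CERT_DIR")
            (separator #f)              ;single entry
            (files '("etc/ssl/certs")))
           (search-path-specification
            (variable "SSL_CERT_FILE")
            (file-type 'regular)
            (separator #f)              ;single entry
            (files '("etc/ssl/certs/ca-certificates.crt")))))
    (home-page "https://www.libressl.org/")
    (synopsis "SSL/TLS implementation")
    (description "LibreSSL is a version of the TLS/crypto stack, forked from
OpenSSL in 2014 with the goals of modernizing the codebase, improving security,
and applying best practice development processes. This package also includes a
netcat implementation that supports TLS.")
    ;; Files taken from OpenSSL keep their license, others are under various
    ;; non-copyleft licenses.
    (license (list license:openssl
                   (license:non-copyleft
                     "file://COPYING"
                     "See COPYING in the distribution.")))))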
492
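(define-public python-acme
  (package
    (name "python-acme")
    ;; Remember to update the hash of certbot when updating python-acme.
    (version "0.19.0")
    (source (origin
              (method url-fetch)
              (uri (pypi-uri "acme" version))
              (sha256
               (base32
                "08p8w50zciqlhgn3ab0wbbvi1zyg3x37r1gywq0z1allsij3v8hz"))))
    (build-system python-build-system)
    (arguments
     `(#:phases
       (modify-phases %standard-phases
         (add-after 'build 'build-documentation
           (lambda _
             ;; Build the man page and the Info manual from the Sphinx sources.
             (zero? (system* "make" "-C" "docs" "man" "info"))))
         (add-after 'install 'install-documentation
           (lambda* (#:key outputs #:allow-other-keys)
             ;; Install both manuals under share/, the location that man and
             ;; Info readers search.  The Info manual used to go to a
             ;; top-level OUT/info directory, where it was not found.
             (let* ((out (assoc-ref outputs "out"))
                    (man (string-append out "/share/man/man1"))
                    (info (string-append out "/share/info")))
               (install-file "docs/_build/texinfo/acme-python.info" info)
               (install-file "docs/_build/man/acme-python.1" man)
               #t))))))
    ;; TODO: Add optional inputs for testing.
    (native-inputs
     `(("python-mock" ,python-mock)
       ;; For documentation
       ("python-sphinx" ,python-sphinx)
       ("python-sphinxcontrib-programoutput" ,python-sphinxcontrib-programoutput)
       ("python-sphinx-rtd-theme" ,python-sphinx-rtd-theme)
       ("texinfo" ,texinfo)))
    (propagated-inputs
     `(("python-six" ,python-six)
       ("python-requests" ,python-requests)
       ("python-pytz" ,python-pytz)
       ("python-pyrfc3339" ,python-pyrfc3339)
       ("python-pyasn1" ,python-pyasn1)
       ("python-cryptography" ,python-cryptography)
       ("python-pyopenssl" ,python-pyopenssl)))
    (home-page "https://github.com/letsencrypt/letsencrypt")
    (synopsis "ACME protocol implementation in Python")
    (description "ACME protocol implementation in Python")
    (license license:asl2.0)))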
539
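(define-public certbot
  (package
    (name "certbot")
    ;; Certbot and python-acme are developed in the same repository, and their
    ;; versions should remain synchronized.
    (version (package-version python-acme))
    (source (origin
              (method url-fetch)
              (uri (pypi-uri name version))
              (sha256
               (base32
                "0lwxqz3r0fg3dy06fgba1dfs7n6ribc25z0rh5rqbl7mvy8hf8x7"))))
    (build-system python-build-system)
    (arguments
     ;; Reuse python-acme's phases (including the documentation build) and
     ;; only swap the phase that installs the resulting manuals.
     `(,@(substitute-keyword-arguments (package-arguments python-acme)
           ((#:phases phases)
            `(modify-phases ,phases
               (replace 'install-documentation
                 (lambda* (#:key outputs #:allow-other-keys)
                   ;; Install the manuals under share/, the location that man
                   ;; and Info readers search.  The Info manual used to go to
                   ;; a top-level OUT/info directory, where it was not found.
                   (let* ((out (assoc-ref outputs "out"))
                          (man1 (string-append out "/share/man/man1"))
                          (man7 (string-append out "/share/man/man7"))
                          (info (string-append out "/share/info")))
                     (install-file "docs/_build/texinfo/Certbot.info" info)
                     (install-file "docs/_build/man/certbot.1" man1)
                     (install-file "docs/_build/man/certbot.7" man7)
                     #t))))))))
    ;; TODO: Add optional inputs for testing.
    (native-inputs
     `(("python-nose" ,python-nose)
       ("python-mock" ,python-mock)
       ;; For documentation
       ("python-sphinx" ,python-sphinx)
       ("python-sphinx-rtd-theme" ,python-sphinx-rtd-theme)
       ("python-sphinx-repoze-autointerface" ,python-sphinx-repoze-autointerface)
       ("python-sphinxcontrib-programoutput" ,python-sphinxcontrib-programoutput)
       ("texinfo" ,texinfo)))
    (propagated-inputs
     `(("python-acme" ,python-acme)
       ("python-zope-interface" ,python-zope-interface)
       ("python-pyrfc3339" ,python-pyrfc3339)
       ("python-pyopenssl" ,python-pyopenssl)
       ("python-configobj" ,python-configobj)
       ("python-configargparse" ,python-configargparse)
       ("python-zope-component" ,python-zope-component)
       ("python-parsedatetime" ,python-parsedatetime)
       ("python-six" ,python-six)
       ("python-psutil" ,python-psutil)
       ("python-requests" ,python-requests)
       ("python-pytz" ,python-pytz)))
    (synopsis "Let's Encrypt client by the Electronic Frontier Foundation")
    (description "Certbot automatically receives and installs X.509 certificates
to enable Transport Layer Security (TLS) on servers. It interoperates with the
Let’s Encrypt certificate authority (CA), which issues browser-trusted
certificates for free.")
    (home-page "https://certbot.eff.org/")
    (license license:asl2.0)))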
597
;; Old name of the certbot package, kept so that existing profiles and
;; manifests keep resolving; it is marked as superseded by 'certbot'.
(define-public letsencrypt
  (package
    (inherit certbot)
    (name "letsencrypt")
    (properties `((superseded . ,certbot)))))
602
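(define-public perl-net-ssleay
  (package
    (name "perl-net-ssleay")
    (version "1.81")
    (source (origin
              (method url-fetch)
              (uri (string-append "mirror://cpan/authors/id/M/MI/MIKEM/"
                                  "Net-SSLeay-" version ".tar.gz"))
              (sha256
               (base32
                "0z8vya34g88bc41kx955sv7y4niwbbywji8liqbl52v29qbvdjq0"))))
    (build-system perl-build-system)
    (inputs `(("openssl" ,openssl)))
    (arguments
     `(#:phases
       (modify-phases %standard-phases
         (add-before
          'configure 'set-ssl-prefix
          ;; Net-SSLeay's Makefile.PL locates OpenSSL through this variable;
          ;; point it at our own OpenSSL rather than letting it probe the
          ;; (empty) build environment.
          (lambda* (#:key inputs #:allow-other-keys)
            (setenv "OPENSSL_PREFIX" (assoc-ref inputs "openssl"))
            #t)))))
    (synopsis "Perl extension for using OpenSSL")
    (description
     "This module offers some high level convenience functions for accessing
web pages on SSL servers (for symmetry, the same API is offered for accessing
http servers, too), an sslcat() function for writing your own clients, and
finally access to the SSL api of the SSLeay/OpenSSL package so you can write
servers or clients for more complicated applications.")
    (license license:perl-license)
    ;; Use the version-independent distribution page, as the other CPAN
    ;; packages in this file do; the old link was pinned to release 1.66.
    (home-page "http://search.cpan.org/dist/Net-SSLeay")))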
633
(define-public perl-crypt-openssl-rsa
  ;; Crypt::OpenSSL::RSA; links against our OpenSSL's libcrypto through the
  ;; shared 'perl-crypt-arguments' below and needs the Bignum and Random
  ;; modules at run time.
  (package
    (name "perl-crypt-openssl-rsa")
    (version "0.28")
    (home-page "http://search.cpan.org/dist/Crypt-OpenSSL-RSA")
    (source (origin
              (method url-fetch)
              (uri (string-append
                    "mirror://cpan/authors/id/P/PE/PERLER/Crypt-OpenSSL-RSA-"
                    version ".tar.gz"))
              (sha256
               (base32
                "1gnpvv09b2gpifwdzc5jnhama3d1a4c39lzj9hcaicsb8rvzjmsk"))))
    (build-system perl-build-system)
    (inputs `(("perl-crypt-openssl-bignum" ,perl-crypt-openssl-bignum)
              ("perl-crypt-openssl-random" ,perl-crypt-openssl-random)
              ("openssl" ,openssl)))
    (arguments perl-crypt-arguments)
    (synopsis "RSA encoding and decoding, using the openSSL libraries")
    (description "Crypt::OpenSSL::RSA does RSA encoding and decoding (using the
OpenSSL libraries).")
    (license license:perl-license)))
661
(define perl-crypt-arguments
  ;; Build arguments shared by the Crypt::OpenSSL::* packages: rewrite the
  ;; 'LIBS' entry of Makefile.PL so that the module links against libcrypto
  ;; from our "openssl" input instead of whatever Makefile.PL would guess.
  `(#:phases
    (modify-phases %standard-phases
      (add-before 'configure 'patch-Makefile.PL
        (lambda* (#:key inputs #:allow-other-keys)
          (let ((openssl (assoc-ref inputs "openssl")))
            (substitute* "Makefile.PL"
              (("'LIBS'.*=>.*")
               (string-append "'LIBS' => ['-L" openssl "/lib -lcrypto'],")))
            #t))))))
671
(define-public perl-crypt-openssl-bignum
  ;; Crypt::OpenSSL::Bignum, built with the shared 'perl-crypt-arguments'.
  (package
    (name "perl-crypt-openssl-bignum")
    (version "0.08")
    (home-page "http://search.cpan.org/dist/Crypt-OpenSSL-Bignum")
    (source (origin
              (method url-fetch)
              (uri (string-append
                    "mirror://cpan/authors/id/K/KM/KMX/Crypt-OpenSSL-Bignum-"
                    version ".tar.gz"))
              (sha256
               (base32
                "0gamn4dff1bz77nswacy1dlpn9fkwahzw7yvvik4nbwwy2s63hc8"))))
    (build-system perl-build-system)
    (inputs `(("openssl" ,openssl)))
    (arguments perl-crypt-arguments)
    (synopsis "OpenSSL's multiprecision integer arithmetic in Perl")
    (description "Crypt::OpenSSL::Bignum provides multiprecision integer
arithmetic in Perl.")
    ;; At your option either gpl1+ or the Artistic License
    (license license:perl-license)))
697
(define-public perl-crypt-openssl-random
  ;; Crypt::OpenSSL::Random, built with the shared 'perl-crypt-arguments'.
  (package
    (name "perl-crypt-openssl-random")
    (version "0.11")
    (home-page "http://search.cpan.org/dist/Crypt-OpenSSL-Random")
    (source (origin
              (method url-fetch)
              (uri (string-append
                    "mirror://cpan/authors/id/R/RU/RURBAN/Crypt-OpenSSL-Random-"
                    version ".tar.gz"))
              (sha256
               (base32
                "0yjcabkibrkafywvdkmd1xpi6br48skyk3l15ni176wvlg38335v"))))
    (build-system perl-build-system)
    (inputs `(("openssl" ,openssl)))
    (arguments perl-crypt-arguments)
    (synopsis "OpenSSL/LibreSSL pseudo-random number generator access")
    (description "Crypt::OpenSSL::Random is a OpenSSL/LibreSSL pseudo-random
number generator")
    (license license:perl-license)))
722
(define-public acme-client
  ;; The portable build of OpenBSD's acme-client, linked against LibreSSL.
  (package
    (name "acme-client")
    (version "0.1.16")
    (home-page "https://kristaps.bsd.lv/acme-client/")
    (source (origin
              (method url-fetch)
              (uri (string-append "https://kristaps.bsd.lv/" name "/"
                                  "snapshots/" name "-portable-" version
                                  ".tgz"))
              (sha256
               (base32
                "00q05b3b1dfnfp7sr1nbd212n0mqrycl3cr9lbs51m7ncaihbrz9"))))
    (build-system gnu-build-system)
    (arguments
     '(#:tests? #f                      ;no test suite
       #:make-flags (list "CC=gcc"
                          (string-append "PREFIX="
                                         (assoc-ref %outputs "out")))
       #:phases
       (modify-phases %standard-phases
         (delete 'configure)            ;no './configure' script
         (add-after 'unpack 'patch-paths
           ;; http.c hard-codes /etc/ssl/cert.pem as its CA bundle; point
           ;; it at the cert.pem inside the libressl store item instead.
           ;; NOTE(review): this pins the trusted CAs to whatever that
           ;; libressl build ships, so they only change when libressl is
           ;; rebuilt -- presumably acceptable for a Let's Encrypt client,
           ;; but worth confirming.
           (lambda* (#:key inputs #:allow-other-keys)
             (let ((bundle (string-append (assoc-ref inputs "libressl")
                                          "/etc/ssl/cert.pem")))
               (substitute* "http.c"
                 (("/etc/ssl/cert.pem") bundle))
               #t))))))
    (native-inputs `(("pkg-config" ,pkg-config)))
    (inputs `(("libbsd" ,libbsd)
              ("libressl" ,libressl)))
    (synopsis "Let's Encrypt client by the OpenBSD project")
    (description "acme-client is a Let's Encrypt client implemented in C. It
uses a modular design, and attempts to secure itself by dropping privileges and
operating in a chroot where possible. acme-client is developed on OpenBSD and
then ported to the GNU / Linux environment.")
    ;; acme-client is distributed under the ISC license, but the files 'jsmn.h'
    ;; and 'jsmn.c' are distributed under the Expat license.
    (license (list license:isc license:expat))))
765
;; The "-apache" variant is the one upstream prefers.  A "-gpl" variant
;; exists in addition to the "-apache" one.
(define-public mbedtls-apache
  ;; mbed TLS (Apache-licensed tarball), built with CMake; Perl is only a
  ;; build-time dependency.
  (package
    (name "mbedtls-apache")
    (version "2.6.0")
    (home-page "https://tls.mbed.org")
    (source (origin
              (method url-fetch)
              ;; XXX: The download links on the website are script redirection links
              ;; which effectively lead to the format listed in the uri here.
              (uri (string-append "https://tls.mbed.org/download/mbedtls-" version
                                  "-apache.tgz"))
              (sha256
               (base32
                "11wnj34rfqxjggmdgf042i49lr6civgbqwv2p7p8bn6k2919vg4r"))))
    (build-system cmake-build-system)
    (native-inputs `(("perl" ,perl)))
    (synopsis "Small TLS library")
    (description
     "@code{mbed TLS}, formerly known as PolarSSL, makes it trivially easy
for developers to include cryptographic and SSL/TLS capabilities in their
(embedded) products, facilitating this functionality with a minimal
coding footprint.")
    (license license:asl2.0)))