Merge branch 'master' into staging
1 ;;; GNU Guix --- Functional package management for GNU
2 ;;; Copyright © 2012, 2013, 2014, 2015, 2016, 2017 Ludovic Courtès <ludo@gnu.org>
3 ;;; Copyright © 2014, 2015, 2016, 2017 Mark H Weaver <mhw@netris.org>
4 ;;; Copyright © 2014 Ian Denhardt <ian@zenhack.net>
5 ;;; Copyright © 2013, 2015 Andreas Enge <andreas@enge.fr>
6 ;;; Copyright © 2015 David Thompson <davet@gnu.org>
7 ;;; Copyright © 2015, 2016, 2017 Leo Famulari <leo@famulari.name>
8 ;;; Copyright © 2016, 2017 Efraim Flashner <efraim@flashner.co.il>
9 ;;; Copyright © 2016, 2017, 2018 Nils Gillmann <ng0@n0.is>
10 ;;; Copyright © 2016 Hartmut Goebel <h.goebel@crazy-compilers.com>
11 ;;; Copyright © 2017 Ricardo Wurmus <rekado@elephly.net>
12 ;;; Copyright © 2017 Marius Bakke <mbakke@fastmail.com>
13 ;;; Copyright © 2017 Tobias Geerinckx-Rice <me@tobias.gr>
14 ;;; Copyright © 2017 Rutger Helling <rhelling@mykolab.com>
15 ;;;
16 ;;; This file is part of GNU Guix.
17 ;;;
18 ;;; GNU Guix is free software; you can redistribute it and/or modify it
19 ;;; under the terms of the GNU General Public License as published by
20 ;;; the Free Software Foundation; either version 3 of the License, or (at
21 ;;; your option) any later version.
22 ;;;
23 ;;; GNU Guix is distributed in the hope that it will be useful, but
24 ;;; WITHOUT ANY WARRANTY; without even the implied warranty of
25 ;;; MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
26 ;;; GNU General Public License for more details.
27 ;;;
28 ;;; You should have received a copy of the GNU General Public License
29 ;;; along with GNU Guix. If not, see <http://www.gnu.org/licenses/>.
30
;; TLS/SSL stack packages: ASN.1 libraries, GnuTLS and its Guile/DANE
;; variants, OpenSSL/LibreSSL, mbed TLS, ACME clients and the Perl, Python
;; and Haskell bindings defined in this file.
(define-module (gnu packages tls)
  #:use-module ((guix licenses) #:prefix license:)
  #:use-module (guix packages)
  #:use-module (guix download)
  #:use-module (guix utils)
  #:use-module (guix build-system gnu)
  #:use-module (guix build-system perl)
  #:use-module (guix build-system python)
  #:use-module (guix build-system cmake)
  #:use-module (guix build-system haskell)
  #:use-module (gnu packages compression)
  #:use-module (gnu packages)
  #:use-module (gnu packages check)
  #:use-module (gnu packages dns)
  #:use-module (gnu packages guile)
  #:use-module (gnu packages haskell)
  #:use-module (gnu packages haskell-check)
  #:use-module (gnu packages haskell-crypto)
  #:use-module (gnu packages libbsd)
  #:use-module (gnu packages libffi)
  #:use-module (gnu packages libidn)
  #:use-module (gnu packages linux)
  #:use-module (gnu packages ncurses)
  #:use-module (gnu packages nettle)
  #:use-module (gnu packages perl)
  #:use-module (gnu packages pkg-config)
  #:use-module (gnu packages python)
  #:use-module (gnu packages python-crypto)
  #:use-module (gnu packages python-web)
  #:use-module (gnu packages texinfo)
  #:use-module (gnu packages time)
  #:use-module (gnu packages base)
  ;; 'alist-delete', used when swapping the Guile input of the gnutls variants.
  #:use-module (srfi srfi-1))
64
(define-public libtasn1
  ;; ASN.1 encoder/decoder consumed by p11-kit and GnuTLS below.  The
  ;; 'replacement' field grafts libtasn1/fixed over this package, which
  ;; adds the CVE-2018-6003 patch to the CVE-2017-10790 one applied here.
  (package
    (name "libtasn1")
    (version "4.12")
    (replacement libtasn1/fixed)
    (source (origin
              (method url-fetch)
              (uri (string-append "mirror://gnu/libtasn1/libtasn1-"
                                  version ".tar.gz"))
              (sha256
               (base32 "0ls7jdq3y5fnrwg0pzhq11m21r8pshac2705bczz6mqjc8pdllv7"))
              (patches (search-patches "libtasn1-CVE-2017-10790.patch"))))
    (build-system gnu-build-system)
    (native-inputs (list (list "perl" perl)))
    (synopsis "ASN.1 library")
    (description
     "GNU libtasn1 is a library implementing the ASN.1 notation. It is used
for transmitting machine-neutral encodings of data objects in computer
networking, allowing for formal validation of data according to some
specifications.")
    (home-page "https://www.gnu.org/software/libtasn1/")
    (license license:lgpl2.0+)))
89
;; Graft target for 'libtasn1': identical source, with the CVE-2018-6003
;; fix appended to the patch list.  Not exported; reached only through
;; the 'replacement' field of libtasn1.
(define libtasn1/fixed
  (let ((base libtasn1))
    (package
      (inherit base)
      (source (origin
                (inherit (package-source base))
                (patches (search-patches "libtasn1-CVE-2017-10790.patch"
                                         "libtasn1-CVE-2018-6003.patch")))))))
97
(define-public asn1c
  ;; ASN.1 module compiler producing C sources; a build-time tool, so Perl
  ;; is only a native input.
  (package
    (name "asn1c")
    (version "0.9.28")
    (source
     (origin
       (method url-fetch)
       (uri (string-append "https://lionet.info/soft/asn1c-"
                           version ".tar.gz"))
       (sha256
        (base32 "1fc64g45ykmv73kdndr4zdm4wxhimhrir4rxnygxvwkych5l81w0"))))
    (build-system gnu-build-system)
    (native-inputs (list (list "perl" perl)))
    (synopsis "ASN.1 to C compiler")
    (description "The ASN.1 to C compiler takes ASN.1 module
files and generates C++ compatible C source code. That code can be
used to serialize the native C structures into compact and unambiguous
BER/XER/PER-based data files, and deserialize the files back.

Various ASN.1 based formats are widely used in the industry, such as to encode
the X.509 certificates employed in the HTTPS handshake, to exchange control
data between mobile phones and cellular networks, to car-to-car communication
in intelligent transportation networks.")
    (home-page "https://lionet.info/asn1c")
    (license license:bsd-2)))
124
(define-public p11-kit
  (package
    (name "p11-kit")
    (version "0.23.10")
    (source
     (origin
       (method url-fetch)
       (uri (string-append "https://github.com/p11-glue/p11-kit/releases/"
                           "download/" version "/p11-kit-" version ".tar.gz"))
       (sha256
        (base32 "0hxfwnyb5yllvlsh0cj6favcph36gm94b6df7zhl7xay48zjl8gr"))))
    (build-system gnu-build-system)
    (arguments
     ;; NOTE(review): no system trust-store paths are compiled in, so any
     ;; consumer relying on p11-kit for CA trust must be pointed at a trust
     ;; store explicitly -- confirm this is the intended default.
     '(#:configure-flags '("--without-trust-paths")))
    (native-inputs (list (list "pkg-config" pkg-config)))
    (inputs (list (list "libffi" libffi)
                  (list "libtasn1" libtasn1)))
    (synopsis "PKCS#11 library")
    (description
     "p11-kit provides a way to load and enumerate PKCS#11 modules. It
provides a standard configuration setup for installing PKCS#11 modules
in such a way that they are discoverable. It also solves problems with
coordinating the use of PKCS#11 by different components or libraries
living in the same process.")
    (home-page "https://p11-glue.freedesktop.org/p11-kit.html")
    (license license:bsd-3)))
154
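(define-public gnutls
  (package
    (name "gnutls")
    (version "3.5.13")
    (source (origin
              (method url-fetch)
              (uri
               ;; Note: Releases are no longer on ftp.gnu.org since the
               ;; schism (after version 3.1.5).
               (string-append "mirror://gnupg/gnutls/v"
                              (version-major+minor version)
                              "/gnutls-" version ".tar.xz"))
              (patches
               (search-patches "gnutls-skip-trust-store-test.patch"
                               "gnutls-skip-pkgconfig-test.patch"))
              (sha256
               (base32
                "15ihq6p0hnnhs8cnjrkj40dmlcaa1jjg8xg0g2ydbnlqs454ixbr"))))
    (build-system gnu-build-system)
    (arguments
     `(; Ensure we don't keep a reference to this buggy software.
       #:disallowed-references (,net-tools)
       #:configure-flags
       (list
        ;; GnuTLS doesn't consult any environment variables to specify
        ;; the location of the system-wide trust store.  Instead it has a
        ;; configure-time option.  Unless specified, its configure script
        ;; attempts to auto-detect the location by looking for common
        ;; places in the file system, none of which are present in our
        ;; chroot build environment.  If not found, then no default trust
        ;; store is used, so each program has to provide its own
        ;; fallback, and users have to configure each program
        ;; independently.  This seems suboptimal.
        ;;
        ;; Consequently /etc/ssl/certs is the CA trust root for every
        ;; program linked against this library unless it overrides it.
        "--with-default-trust-store-dir=/etc/ssl/certs"

        ;; FIXME: Temporarily disable p11-kit support since it is not
        ;; working on mips64el.
        "--without-p11-kit")

       #:phases (modify-phases %standard-phases
                  (add-after
                   'install 'move-doc
                   (lambda* (#:key outputs #:allow-other-keys)
                     ;; Copy the 4.1 MiB of section 3 man pages to "doc".
                     (let* ((out    (assoc-ref outputs "out"))
                            (doc    (assoc-ref outputs "doc"))
                            (mandir (string-append doc "/share/man/man3"))
                            (oldman (string-append out "/share/man/man3")))
                       (mkdir-p mandir)
                       (copy-recursively oldman mandir)
                       (delete-file-recursively oldman)
                       #t))))))
    (outputs '("out"                    ;4.4 MiB
               "debug"
               "doc"))                  ;4.1 MiB of man pages
    (native-inputs
     `(("net-tools" ,net-tools)
       ("pkg-config" ,pkg-config)
       ("which" ,which)))
    (inputs
     `(("guile" ,guile-2.2)))
    (propagated-inputs
     ;; These are all in the 'Requires.private' field of gnutls.pc.
     `(("libtasn1" ,libtasn1)
       ("libidn2" ,libidn2)
       ("nettle" ,nettle)
       ("zlib" ,zlib)))
    (home-page "https://www.gnu.org/software/gnutls/")
    (synopsis "Transport layer security library")
    ;; "X.509" was misspelt "X.5009" in the user-facing description.
    (description
     "GnuTLS is a secure communications library implementing the SSL, TLS
and DTLS protocols. It is provided in the form of a C library to support the
protocols, as well as to parse and write X.509, PKCS 12, OpenPGP and other
required structures.")
    (license license:lgpl2.1+)
    (properties '((ftp-server . "ftp.gnutls.org")
                  (ftp-directory . "/gcrypt/gnutls")))))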
232
;; Deprecated alias kept for users of the old "guile2.2-gnutls" name; plain
;; 'gnutls' already builds against guile-2.2.
(define-public gnutls/guile-2.2
  (deprecated-package "guile2.2-gnutls" gnutls))
235
(define-public gnutls/guile-2.0
  ;; GnuTLS built against Guile 2.0: only the "guile" input is swapped,
  ;; every other input of 'gnutls' is carried over unchanged.
  (package
    (inherit gnutls)
    (name "guile2.0-gnutls")
    (inputs (cons (list "guile" guile-2.0)
                  (alist-delete "guile" (package-inputs gnutls))))))
243
(define-public gnutls/dane
  ;; GnuTLS with libgnutls-dane, implementing DNS-based Authentication of
  ;; Named Entities; required for GNS functionality by GNUnet and gnURL.
  ;; A separate package so users can choose GnuTLS with or without DANE.
  ;; The only difference from 'gnutls' is the extra "unbound" input.
  (package
    (inherit gnutls)
    (name "gnutls-dane")
    (inputs (cons (list "unbound" unbound)
                  (package-inputs gnutls)))))
254
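(define-public openssl
  ;; OpenSSL 1.0.2.  The 'replacement' field grafts openssl-1.0.2o over
  ;; this definition; 'openssl-next' (1.1.0) inherits these arguments and
  ;; overrides the phases that embed ',version'.
  (package
    (name "openssl")
    (replacement openssl-1.0.2o)
    (version "1.0.2n")
    (source (origin
              (method url-fetch)
              ;; Primary HTTPS site first, then the FTP "current" and "old"
              ;; release directories as fallbacks.
              (uri (list (string-append "https://www.openssl.org/source/openssl-"
                                        version ".tar.gz")
                         (string-append "ftp://ftp.openssl.org/source/"
                                        name "-" version ".tar.gz")
                         (string-append "ftp://ftp.openssl.org/source/old/"
                                        (string-trim-right version char-set:letter)
                                        "/" name "-" version ".tar.gz")))
              (sha256
               (base32
                "1zm82pyq5a9jm10q6iv7d3dih3xwjds4x30fqph3k317byvsn2rp"))
              (snippet
               '(begin
                  ;; Remove ELF files.  'substitute*' can't read them.
                  (delete-file "test/ssltest_old")
                  (delete-file "test/v3ext")
                  (delete-file "test/x509aux")
                  #t))
              (patches (search-patches "openssl-runpath.patch"
                                       "openssl-c-rehash-in.patch"))))
    (build-system gnu-build-system)
    (outputs '("out"
               "doc"                    ;1.5MiB of man3 pages
               "static"))               ;6MiB of .a files
    (native-inputs `(("perl" ,perl)))
    (arguments
     `(#:parallel-build? #f
       #:parallel-tests? #f
       #:test-target "test"

       ;; Changes to OpenSSL sometimes cause Perl to "sneak in" to the closure,
       ;; so we explicitly disallow it here.  This keyword used to be given
       ;; twice (once as (,perl), once as the canonical package); with a
       ;; duplicated keyword argument only one of the two lists is honoured,
       ;; so both packages are now listed in a single entry.
       #:disallowed-references ,(list perl (canonical-package perl))
       #:phases
       (modify-phases %standard-phases
         (add-before
          'configure 'patch-Makefile.org
          (lambda* (#:key outputs #:allow-other-keys)
            ;; The default MANDIR is some unusual place.  Fix that.
            (let ((out (assoc-ref outputs "out")))
              (patch-makefile-SHELL "Makefile.org")
              (substitute* "Makefile.org"
                (("^MANDIR[[:blank:]]*=.*$")
                 (string-append "MANDIR = " out "/share/man\n")))
              #t)))
         (replace
          'configure
          (lambda* (#:key outputs #:allow-other-keys)
            (let ((out (assoc-ref outputs "out")))
              (zero?
               (system* "./config"
                        "shared"                   ;build shared libraries
                        "--libdir=lib"

                        ;; The default for this catch-all directory is
                        ;; PREFIX/ssl.  Change that to something more
                        ;; conventional.
                        ;;
                        ;; ',version' is captured from this package at
                        ;; definition time, which is why inheriting packages
                        ;; must redefine this phase (see openssl-next).
                        (string-append "--openssldir=" out
                                       "/share/openssl-" ,version)

                        (string-append "--prefix=" out)

                        ;; XXX FIXME: Work around a code generation bug in GCC
                        ;; 4.9.3 on ARM when compiled with -mfpu=neon.  See:
                        ;; <https://gcc.gnu.org/bugzilla/show_bug.cgi?id=66917>
                        ,@(if (and (not (%current-target-system))
                                   (string-prefix? "armhf" (%current-system)))
                              '("-mfpu=vfpv3")
                              '()))))))
         (add-after
          'install 'make-libraries-writable
          (lambda* (#:key outputs #:allow-other-keys)
            ;; Make libraries writable so that 'strip' does its job.
            (let ((out (assoc-ref outputs "out")))
              (for-each (lambda (file)
                          (chmod file #o644))
                        (find-files (string-append out "/lib")
                                    "\\.so"))
              #t)))
         (add-after 'install 'move-static-libraries
           (lambda* (#:key outputs #:allow-other-keys)
             ;; Move static libraries to the "static" output.
             (let* ((out    (assoc-ref outputs "out"))
                    (lib    (string-append out "/lib"))
                    (static (assoc-ref outputs "static"))
                    (slib   (string-append static "/lib")))
               (for-each (lambda (file)
                           (install-file file slib)
                           (delete-file file))
                         (find-files lib "\\.a$"))
               #t)))
         (add-after 'install 'move-man3-pages
           (lambda* (#:key outputs #:allow-other-keys)
             ;; Move section 3 man pages to "doc".
             (let* ((out    (assoc-ref outputs "out"))
                    (man3   (string-append out "/share/man/man3"))
                    (doc    (assoc-ref outputs "doc"))
                    (target (string-append doc "/share/man/man3")))
               (mkdir-p target)
               (for-each (lambda (file)
                           (rename-file file
                                        (string-append target "/"
                                                       (basename file))))
                         (find-files man3))
               (delete-file-recursively man3)
               #t)))
         (add-before
          'patch-source-shebangs 'patch-tests
          (lambda* (#:key inputs native-inputs #:allow-other-keys)
            ;; The test scripts must run on the build machine, so prefer the
            ;; bash from native-inputs when one is available.
            (let ((bash (assoc-ref (or native-inputs inputs) "bash")))
              (substitute* (find-files "test" ".*")
                (("/bin/sh")
                 (string-append bash "/bin/sh"))
                (("/bin/rm")
                 "rm"))
              #t)))
         (add-after
          'install 'remove-miscellany
          (lambda* (#:key outputs #:allow-other-keys)
            ;; The 'misc' directory contains random undocumented shell and Perl
            ;; scripts.  Remove them to avoid retaining a reference on Perl.
            ;; Like 'configure', this phase embeds ',version'.
            (let ((out (assoc-ref outputs "out")))
              (delete-file-recursively (string-append out "/share/openssl-"
                                                      ,version "/misc"))
              #t))))))
    (native-search-paths
     ;; Both variables name a single file or directory, hence 'separator #f'.
     (list (search-path-specification
            (variable "SSL_CERT_DIR")
            (separator #f)              ;single entry
            (files '("etc/ssl/certs")))
           (search-path-specification
            (variable "SSL_CERT_FILE")
            (file-type 'regular)
            (separator #f)              ;single entry
            (files '("etc/ssl/certs/ca-certificates.crt")))))
    (synopsis "SSL/TLS implementation")
    (description
     "OpenSSL is an implementation of SSL/TLS.")
    (license license:openssl)
    (home-page "https://www.openssl.org/")))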
402
;; Graft target for 'openssl' (see its 'replacement' field): the 1.0.2o
;; tarball fetched from the same three mirrors, with the inherited origin's
;; patches kept and its source snippet dropped.
(define openssl-1.0.2o
  (let ((base openssl))
    (package
      (inherit base)
      (name "openssl")
      (version "1.0.2o")
      (source
       (origin
         (inherit (package-source base))
         (sha256
          (base32 "0kcy13l701054nhpbd901mz32v1kn4g311z0nifd83xs2jbmqgzc"))
         (uri (list (string-append "https://www.openssl.org/source/openssl-"
                                   version ".tar.gz")
                    (string-append "ftp://ftp.openssl.org/source/"
                                   name "-" version ".tar.gz")
                    (string-append "ftp://ftp.openssl.org/source/old/"
                                   (string-trim-right version char-set:letter)
                                   "/" name "-" version ".tar.gz")))
         ;; Erase the inherited snippet, which isn't applicable to
         ;; OpenSSL 1.0.2o.
         (snippet #f))))))
423
(define-public openssl-next
  ;; OpenSSL 1.1.0, derived from the 1.0.2 'openssl' package above: same
  ;; download mirrors and build phases, minus the two 1.0.2-only patch
  ;; phases, with 'configure' and 'remove-miscellany' redefined here.
  (package
    (inherit openssl)
    (name "openssl")
    (version "1.1.0h")
    (source (origin
              (method url-fetch)
              (uri (list (string-append "https://www.openssl.org/source/openssl-"
                                        version ".tar.gz")
                         (string-append "ftp://ftp.openssl.org/source/"
                                        name "-" version ".tar.gz")
                         (string-append "ftp://ftp.openssl.org/source/old/"
                                        (string-trim-right version char-set:letter)
                                        "/" name "-" version ".tar.gz")))
              ;; Only the c-rehash patch is carried over; presumably the
              ;; 1.0.2 "runpath" patch is superseded by the -Wl,-rpath
              ;; configure flag below.
              (patches (search-patches "openssl-1.1.0-c-rehash-in.patch"))
              (sha256
               (base32
                "05x509lccqjscgyi935z809pwfm708islypwhmjnb6cyvrn64daq"))))
    (outputs '("out"
               "doc"                    ;1.3MiB of man3 pages
               "static"))               ; 5.5MiB of .a files
    (arguments
     (substitute-keyword-arguments (package-arguments openssl)
       ((#:phases phases)
        `(modify-phases ,phases
           (delete 'patch-tests)        ; These two phases are not needed by
           (delete 'patch-Makefile.org) ; OpenSSL 1.1.0.

           ;; Override configure phase since -rpath is now a configure option.
           (replace 'configure
             (lambda* (#:key outputs #:allow-other-keys)
               (let* ((out (assoc-ref outputs "out"))
                      (lib (string-append out "/lib")))
                 (zero?
                  (system* "./config"
                           "shared"                ;build shared libraries
                           "--libdir=lib"

                           ;; The default for this catch-all directory is
                           ;; PREFIX/ssl.  Change that to something more
                           ;; conventional.
                           (string-append "--openssldir=" out
                                          "/share/openssl-" ,version)

                           (string-append "--prefix=" out)
                           (string-append "-Wl,-rpath," lib)

                           ;; XXX FIXME: Work around a code generation bug in GCC
                           ;; 4.9.3 on ARM when compiled with -mfpu=neon.  See:
                           ;; <https://gcc.gnu.org/bugzilla/show_bug.cgi?id=66917>
                           ,@(if (and (not (%current-target-system))
                                      (string-prefix? "armhf" (%current-system)))
                                 '("-mfpu=vfpv3")
                                 '()))))))

           ;; XXX: Duplicate this phase to make sure 'version' evaluates
           ;; in the current scope and not the inherited one.
           (replace 'remove-miscellany
             (lambda* (#:key outputs #:allow-other-keys)
               ;; The 'misc' directory contains random undocumented shell and Perl
               ;; scripts.  Remove them to avoid retaining a reference on Perl.
               (let ((out (assoc-ref outputs "out")))
                 (delete-file-recursively (string-append out "/share/openssl-"
                                                         ,version "/misc"))
                 #t)))))))))
489
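(define-public libressl
  (package
    (name "libressl")
    (version "2.7.2")
    (source (origin
              (method url-fetch)
              (uri (string-append "mirror://openbsd/LibreSSL/"
                                  name "-" version ".tar.gz"))
              (sha256
               (base32
                "1589f0kg7kj51j9hid542s4isb96s1azjaqsfprpy5s2qdwqfyli"))))
    (build-system gnu-build-system)
    (arguments
     ;; Do as if 'getentropy' was missing since older Linux kernels lack it
     ;; and libc would return ENOSYS, which is not properly handled.
     ;; See <https://lists.gnu.org/archive/html/guix-devel/2017-04/msg00235.html>.
     '(#:configure-flags '("ac_cv_func_getentropy=no"
                           ;; Provide a TLS-enabled netcat.
                           "--enable-nc")))
    (native-search-paths
     ;; These two variables designate a single file or directory and are not
     ;; actually "search paths".  'separator #f' tells the profile hook to
     ;; emit a single entry instead of a colon-joined list, and 'file-type
     ;; regular' limits SSL_CERT_FILE to a file -- the same specification the
     ;; 'openssl' package uses, so both packages agree in a shared profile.
     (list (search-path-specification
            (variable "SSL_CERT_DIR")
            (separator #f)              ;single entry
            (files '("etc/ssl/certs")))
           (search-path-specification
            (variable "SSL_CERT_FILE")
            (file-type 'regular)
            (separator #f)              ;single entry
            (files '("etc/ssl/certs/ca-certificates.crt")))))
    (home-page "https://www.libressl.org/")
    (synopsis "SSL/TLS implementation")
    (description "LibreSSL is a version of the TLS/crypto stack, forked from
OpenSSL in 2014 with the goals of modernizing the codebase, improving security,
and applying best practice development processes. This package also includes a
netcat implementation that supports TLS.")
    ;; Files taken from OpenSSL keep their license, others are under various
    ;; non-copyleft licenses.
    (license (list license:openssl
                   (license:non-copyleft
                    "file://COPYING"
                    "See COPYING in the distribution.")))))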
532
(define-public python-acme
  ;; ACME client library shared with 'certbot' below, which reuses this
  ;; package's version and build phases.
  (package
    (name "python-acme")
    ;; Remember to update the hash of certbot when updating python-acme.
    (version "0.23.0")
    (source
     (origin
       (method url-fetch)
       (uri (pypi-uri "acme" version))
       (sha256
        (base32 "0l257dq1i2gka6ynldidpwaz1aa726643crqqckga1w5awsndh88"))))
    (build-system python-build-system)
    (arguments
     `(#:phases
       (modify-phases %standard-phases
         ;; Build the man page and Info manual from the Sphinx sources.
         (add-after 'build 'build-documentation
           (lambda* (#:key #:allow-other-keys)
             (zero? (system* "make" "-C" "docs" "man" "info"))))
         (add-after 'install 'install-documentation
           (lambda* (#:key outputs #:allow-other-keys)
             (let ((out (assoc-ref outputs "out")))
               (install-file "docs/_build/texinfo/acme-python.info"
                             (string-append out "/info"))
               (install-file "docs/_build/man/acme-python.1"
                             (string-append out "/share/man/man1"))
               #t))))))
    ;; TODO: Add optional inputs for testing.
    (native-inputs
     `(("python-mock" ,python-mock)
       ;; For documentation
       ("python-sphinx" ,python-sphinx)
       ("python-sphinxcontrib-programoutput" ,python-sphinxcontrib-programoutput)
       ("python-sphinx-rtd-theme" ,python-sphinx-rtd-theme)
       ("texinfo" ,texinfo)))
    (propagated-inputs
     `(("python-josepy" ,python-josepy)
       ("python-six" ,python-six)
       ("python-requests" ,python-requests)
       ("python-pytz" ,python-pytz)
       ("python-pyrfc3339" ,python-pyrfc3339)
       ("python-pyasn1" ,python-pyasn1)
       ("python-cryptography" ,python-cryptography)
       ("python-pyopenssl" ,python-pyopenssl)))
    (synopsis "ACME protocol implementation in Python")
    (description "ACME protocol implementation in Python")
    (home-page "https://github.com/certbot/certbot")
    (license license:asl2.0)))
580
(define-public certbot
  (package
    (name "certbot")
    ;; Certbot and python-acme are developed in the same repository, and their
    ;; versions should remain synchronized.
    (version (package-version python-acme))
    (source
     (origin
       (method url-fetch)
       (uri (pypi-uri name version))
       (sha256
        (base32 "0gh5fr61c3mj5vdkn68k17wcvri9rdj506cmmz6631i2l5flrzvc"))))
    (build-system python-build-system)
    ;; Reuse python-acme's phases; only the installed documentation differs
    ;; (certbot ships an extra section-7 man page).
    (arguments
     (substitute-keyword-arguments (package-arguments python-acme)
       ((#:phases phases)
        `(modify-phases ,phases
           (replace 'install-documentation
             (lambda* (#:key outputs #:allow-other-keys)
               (let ((out (assoc-ref outputs "out")))
                 (install-file "docs/_build/texinfo/Certbot.info"
                               (string-append out "/info"))
                 (install-file "docs/_build/man/certbot.1"
                               (string-append out "/share/man/man1"))
                 (install-file "docs/_build/man/certbot.7"
                               (string-append out "/share/man/man7"))
                 #t)))))))
    ;; TODO: Add optional inputs for testing.
    (native-inputs
     `(("python-nose" ,python-nose)
       ("python-mock" ,python-mock)
       ;; For documentation
       ("python-sphinx" ,python-sphinx)
       ("python-sphinx-rtd-theme" ,python-sphinx-rtd-theme)
       ("python-sphinx-repoze-autointerface" ,python-sphinx-repoze-autointerface)
       ("python-sphinxcontrib-programoutput" ,python-sphinxcontrib-programoutput)
       ("texinfo" ,texinfo)))
    (propagated-inputs
     `(("python-acme" ,python-acme)
       ("python-zope-interface" ,python-zope-interface)
       ("python-pyrfc3339" ,python-pyrfc3339)
       ("python-pyopenssl" ,python-pyopenssl)
       ("python-configobj" ,python-configobj)
       ("python-configargparse" ,python-configargparse)
       ("python-zope-component" ,python-zope-component)
       ("python-parsedatetime" ,python-parsedatetime)
       ("python-six" ,python-six)
       ("python-psutil" ,python-psutil)
       ("python-requests" ,python-requests)
       ("python-pytz" ,python-pytz)))
    (home-page "https://certbot.eff.org/")
    (synopsis "Let's Encrypt client by the Electronic Frontier Foundation")
    (description "Certbot automatically receives and installs X.509 certificates
to enable Transport Layer Security (TLS) on servers. It interoperates with the
Let’s Encrypt certificate authority (CA), which issues browser-trusted
certificates for free.")
    (license license:asl2.0)))
638
;; Former name of 'certbot'; marked as superseded so users are pointed at
;; the current package.
(define-public letsencrypt
  (package
    (inherit certbot)
    (name "letsencrypt")
    (properties (list (cons 'superseded certbot)))))
643
(define-public perl-net-ssleay
  (package
    (name "perl-net-ssleay")
    (version "1.82")
    (source
     (origin
       (method url-fetch)
       (uri (string-append "mirror://cpan/authors/id/M/MI/MIKEM/"
                           "Net-SSLeay-" version ".tar.gz"))
       (sha256
        (base32 "1rf78z1macgmp6mwd7c2xq4yfw6wpf28hfwfz1d5wslqr4cwb5aq"))))
    (build-system perl-build-system)
    (inputs (list (list "openssl" openssl)))
    (arguments
     `(#:phases
       (modify-phases %standard-phases
         ;; Tell Makefile.PL where the OpenSSL input lives.
         (add-before 'configure 'set-ssl-prefix
           (lambda* (#:key inputs #:allow-other-keys)
             (let ((openssl (assoc-ref inputs "openssl")))
               (setenv "OPENSSL_PREFIX" openssl)
               #t))))))
    (synopsis "Perl extension for using OpenSSL")
    (description
     "This module offers some high level convenience functions for accessing
web pages on SSL servers (for symmetry, the same API is offered for accessing
http servers, too), an sslcat() function for writing your own clients, and
finally access to the SSL api of the SSLeay/OpenSSL package so you can write
servers or clients for more complicated applications.")
    ;; NOTE(review): the home page URL is pinned to Net-SSLeay-1.66 while the
    ;; package is at 1.82 -- confirm whether it should track 'version'.
    (home-page "http://search.cpan.org/~mikem/Net-SSLeay-1.66/")
    (license license:perl-license)))
674
(define-public perl-crypt-openssl-rsa
  (package
    (name "perl-crypt-openssl-rsa")
    (version "0.28")
    (source (origin
              (method url-fetch)
              (uri (string-append
                    "mirror://cpan/authors/id/P/PE/PERLER/Crypt-OpenSSL-RSA-"
                    version
                    ".tar.gz"))
              (sha256
               (base32
                "1gnpvv09b2gpifwdzc5jnhama3d1a4c39lzj9hcaicsb8rvzjmsk"))))
    (build-system perl-build-system)
    (inputs
     (list (list "perl-crypt-openssl-bignum" perl-crypt-openssl-bignum)
           (list "perl-crypt-openssl-random" perl-crypt-openssl-random)
           (list "openssl" openssl)))
    ;; Shared with the other perl-crypt-openssl-* packages; defined further
    ;; down in this file.
    (arguments perl-crypt-arguments)
    (synopsis
     "RSA encoding and decoding, using the openSSL libraries")
    (description "Crypt::OpenSSL::RSA does RSA encoding and decoding (using the
OpenSSL libraries).")
    (home-page
     "http://search.cpan.org/dist/Crypt-OpenSSL-RSA")
    (license license:perl-license)))
702
;; Build arguments shared by the perl-crypt-openssl-* packages: rewrite the
;; 'LIBS' entry of Makefile.PL so the XS code links against the libcrypto of
;; the "openssl" input.  The Scheme code below runs on the build side.
(define perl-crypt-arguments
  '(#:phases
    (modify-phases %standard-phases
      (add-before 'configure 'patch-Makefile.PL
        (lambda* (#:key inputs #:allow-other-keys)
          (let ((openssl (assoc-ref inputs "openssl")))
            (substitute* "Makefile.PL"
              (("'LIBS'.*=>.*")
               (string-append "'LIBS' => ['-L" openssl "/lib -lcrypto'],")))
            #t))))))
712
(define-public perl-crypt-openssl-bignum
  (package
    (name "perl-crypt-openssl-bignum")
    (version "0.09")
    (source (origin
              (method url-fetch)
              (uri (string-append
                    "mirror://cpan/authors/id/K/KM/KMX/Crypt-OpenSSL-Bignum-"
                    version
                    ".tar.gz"))
              (sha256
               (base32
                "1p22znbajq91lbk2k3yg12ig7hy5b4vy8igxwqkmbm4nhgxp4ki3"))))
    (build-system perl-build-system)
    (inputs (list (list "openssl" openssl)))
    ;; Same Makefile.PL fix-up as the other perl-crypt-openssl-* packages.
    (arguments perl-crypt-arguments)
    (synopsis
     "OpenSSL's multiprecision integer arithmetic in Perl")
    (description "Crypt::OpenSSL::Bignum provides multiprecision integer
arithmetic in Perl.")
    (home-page
     "http://search.cpan.org/dist/Crypt-OpenSSL-Bignum")
    ;; At your option either gpl1+ or the Artistic License
    (license license:perl-license)))
738
(define-public perl-crypt-openssl-random
  (package
    (name "perl-crypt-openssl-random")
    (version "0.11")
    (source (origin
              (method url-fetch)
              (uri (string-append
                    "mirror://cpan/authors/id/R/RU/RURBAN/Crypt-OpenSSL-Random-"
                    version
                    ".tar.gz"))
              (sha256
               (base32
                "0yjcabkibrkafywvdkmd1xpi6br48skyk3l15ni176wvlg38335v"))))
    (build-system perl-build-system)
    (inputs (list (list "openssl" openssl)))
    ;; Same Makefile.PL fix-up as the other perl-crypt-openssl-* packages.
    (arguments perl-crypt-arguments)
    (synopsis
     "OpenSSL/LibreSSL pseudo-random number generator access")
    (description "Crypt::OpenSSL::Random is a OpenSSL/LibreSSL pseudo-random
number generator")
    (home-page
     "http://search.cpan.org/dist/Crypt-OpenSSL-Random")
    (license license:perl-license)))
763
(define-public acme-client
  (package
    (name "acme-client")
    (version "0.1.16")
    (source
     (origin
       (method url-fetch)
       (uri (string-append "https://kristaps.bsd.lv/" name "/"
                           "snapshots/" name "-portable-"
                           version ".tgz"))
       (sha256
        (base32 "00q05b3b1dfnfp7sr1nbd212n0mqrycl3cr9lbs51m7ncaihbrz9"))))
    (build-system gnu-build-system)
    (arguments
     '(#:tests? #f                      ; no test suite
       #:make-flags
       (list "CC=gcc"
             (string-append "PREFIX=" (assoc-ref %outputs "out")))
       #:phases
       (modify-phases %standard-phases
         (delete 'configure)            ; no './configure' script
         ;; http.c hard-codes /etc/ssl/cert.pem, which does not exist in the
         ;; build or run-time environment; point it at the CA bundle shipped
         ;; by the "libressl" input instead (presumably the bundle used to
         ;; verify the ACME server's certificate).
         (add-after 'unpack 'patch-paths
           (lambda* (#:key inputs #:allow-other-keys)
             (let ((cert-bundle (string-append (assoc-ref inputs "libressl")
                                               "/etc/ssl/cert.pem")))
               (substitute* "http.c"
                 (("/etc/ssl/cert.pem") cert-bundle))
               #t))))))
    (native-inputs (list (list "pkg-config" pkg-config)))
    (inputs (list (list "libbsd" libbsd)
                  (list "libressl" libressl)))
    (home-page "https://kristaps.bsd.lv/acme-client/")
    (synopsis "Let's Encrypt client by the OpenBSD project")
    (description "acme-client is a Let's Encrypt client implemented in C. It
uses a modular design, and attempts to secure itself by dropping privileges and
operating in a chroot where possible. acme-client is developed on OpenBSD and
then ported to the GNU / Linux environment.")
    ;; acme-client is distributed under the ISC license, but the files 'jsmn.h'
    ;; and 'jsmn.c' are distributed under the Expat license.
    (license (list license:isc license:expat))))
806
;; The "-apache" variant is the one upstream prefers.  A "-gpl" variant
;; exists in addition to the "-apache" one.
(define-public mbedtls-apache
  (package
    (name "mbedtls-apache")
    (version "2.7.2")
    (source (origin
              (method url-fetch)
              ;; XXX: The download links on the website are script redirection links
              ;; which effectively lead to the format listed in the uri here.
              (uri (string-append "https://tls.mbed.org/download/mbedtls-"
                                  version "-apache.tgz"))
              (sha256
               (base32
                "1mvkqlxxvl6yp1g5g9dk4l7h3wl6149p3pfwgwzgs7xybyxw4f7x"))))
    (build-system cmake-build-system)
    ;; Upstream builds static archives by default; ask for the shared
    ;; library as well.
    (arguments
     '(#:configure-flags '("-DUSE_SHARED_MBEDTLS_LIBRARY=ON")))
    (native-inputs (list (list "perl" perl)))
    (home-page "https://tls.mbed.org")
    (synopsis "Small TLS library")
    (description
     "@code{mbed TLS}, formerly known as PolarSSL, makes it trivially easy
for developers to include cryptographic and SSL/TLS capabilities in their
(embedded) products, facilitating this functionality with a minimal
coding footprint.")
    (license license:asl2.0)))
837
(define-public ghc-tls
  (package
    (name "ghc-tls")
    (version "1.3.8")
    (source
     (origin
       (method url-fetch)
       (uri (string-append "https://hackage.haskell.org/package/"
                           "tls/tls-" version ".tar.gz"))
       (sha256
        (base32 "1rdidf18i781c0vdvy9yn79yh08hmcacf6fp3sgghyiy3h0wyh5l"))))
    (build-system haskell-build-system)
    ;; Input order is kept as upstream listed it.
    (inputs
     `(("ghc-mtl" ,ghc-mtl)
       ("ghc-cereal" ,ghc-cereal)
       ("ghc-data-default-class" ,ghc-data-default-class)
       ("ghc-memory" ,ghc-memory)
       ("ghc-cryptonite" ,ghc-cryptonite)
       ("ghc-asn1-types" ,ghc-asn1-types)
       ("ghc-asn1-encoding" ,ghc-asn1-encoding)
       ("ghc-x509" ,ghc-x509)
       ("ghc-x509-store" ,ghc-x509-store)
       ("ghc-x509-validation" ,ghc-x509-validation)
       ("ghc-async" ,ghc-async)
       ("ghc-network" ,ghc-network)
       ("ghc-hourglass" ,ghc-hourglass)))
    ;; Test-suite dependencies only.
    (native-inputs
     `(("ghc-tasty" ,ghc-tasty)
       ("ghc-tasty-quickcheck" ,ghc-tasty-quickcheck)
       ("ghc-quickcheck" ,ghc-quickcheck)))
    (synopsis
     "TLS/SSL protocol native implementation (Server and Client)")
    ;; NOTE(review): the upstream description lists SSL3.0 among the
    ;; implemented protocols; whether it is enabled by default is not
    ;; visible from this package definition.
    (description
     "Native Haskell TLS and SSL protocol implementation for server and client.
This provides a high-level implementation of a sensitive security protocol,
eliminating a common set of security issues through the use of the advanced
type system, high level constructions and common Haskell features. Currently
implement the SSL3.0, TLS1.0, TLS1.1 and TLS1.2 protocol, and support RSA and
Ephemeral (Elliptic curve and regular) Diffie Hellman key exchanges, and many
extensions.")
    (home-page "https://github.com/vincenthz/hs-tls")
    (license license:bsd-3)))