1 ;;; GNU Guix --- Functional package management for GNU
2 ;;; Copyright © 2012, 2013, 2014, 2015, 2016, 2017, 2019, 2020 Ludovic Courtès <ludo@gnu.org>
3 ;;; Copyright © 2014, 2015, 2016, 2017, 2018 Mark H Weaver <mhw@netris.org>
4 ;;; Copyright © 2014 Ian Denhardt <ian@zenhack.net>
5 ;;; Copyright © 2013, 2015 Andreas Enge <andreas@enge.fr>
6 ;;; Copyright © 2015 David Thompson <davet@gnu.org>
7 ;;; Copyright © 2015, 2016, 2017, 2018, 2019 Leo Famulari <leo@famulari.name>
8 ;;; Copyright © 2016, 2017, 2019 Efraim Flashner <efraim@flashner.co.il>
9 ;;; Copyright © 2016, 2017, 2018 ng0 <ng0@n0.is>
10 ;;; Copyright © 2016 Hartmut Goebel <h.goebel@crazy-compilers.com>
11 ;;; Copyright © 2017 Ricardo Wurmus <rekado@elephly.net>
12 ;;; Copyright © 2017, 2018, 2019, 2020 Marius Bakke <mbakke@fastmail.com>
13 ;;; Copyright © 2017, 2018, 2019 Tobias Geerinckx-Rice <me@tobias.gr>
14 ;;; Copyright © 2017 Rutger Helling <rhelling@mykolab.com>
15 ;;; Copyright © 2018 Clément Lassieur <clement@lassieur.org>
16 ;;; Copyright © 2019 Mathieu Othacehe <m.othacehe@gmail.com>
17 ;;; Copyright © 2020 Jan (janneke) Nieuwenhuizen <janneke@gnu.org>
18 ;;;
19 ;;; This file is part of GNU Guix.
20 ;;;
21 ;;; GNU Guix is free software; you can redistribute it and/or modify it
22 ;;; under the terms of the GNU General Public License as published by
23 ;;; the Free Software Foundation; either version 3 of the License, or (at
24 ;;; your option) any later version.
25 ;;;
26 ;;; GNU Guix is distributed in the hope that it will be useful, but
27 ;;; WITHOUT ANY WARRANTY; without even the implied warranty of
28 ;;; MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
29 ;;; GNU General Public License for more details.
30 ;;;
31 ;;; You should have received a copy of the GNU General Public License
32 ;;; along with GNU Guix. If not, see <http://www.gnu.org/licenses/>.
33
34 (define-module (gnu packages tls)
35 #:use-module ((guix licenses) #:prefix license:)
36 #:use-module (guix packages)
37 #:use-module (guix download)
38 #:use-module (guix git-download)
39 #:use-module (guix utils)
40 #:use-module (guix build-system gnu)
41 #:use-module (guix build-system go)
42 #:use-module (guix build-system perl)
43 #:use-module (guix build-system python)
44 #:use-module (guix build-system cmake)
45 #:use-module (guix build-system trivial)
46 #:use-module (gnu packages compression)
47 #:use-module (gnu packages)
48 #:use-module (gnu packages bash)
49 #:use-module (gnu packages check)
50 #:use-module (gnu packages curl)
51 #:use-module (gnu packages dns)
52 #:use-module (gnu packages gawk)
53 #:use-module (gnu packages guile)
54 #:use-module (gnu packages hurd)
55 #:use-module (gnu packages libbsd)
56 #:use-module (gnu packages libffi)
57 #:use-module (gnu packages libidn)
58 #:use-module (gnu packages linux)
59 #:use-module (gnu packages ncurses)
60 #:use-module (gnu packages nettle)
61 #:use-module (gnu packages perl)
62 #:use-module (gnu packages pkg-config)
63 #:use-module (gnu packages python)
64 #:use-module (gnu packages python-crypto)
65 #:use-module (gnu packages python-web)
66 #:use-module (gnu packages python-xyz)
67 #:use-module (gnu packages sphinx)
68 #:use-module (gnu packages texinfo)
69 #:use-module (gnu packages time)
70 #:use-module (gnu packages base)
71 #:use-module (srfi srfi-1))
72
;; GNU libtasn1: ASN.1 encoder/decoder.  Consumed below by p11-kit (as an
;; input) and by gnutls (as a propagated input).
(define-public libtasn1
  (package
    (name "libtasn1")
    (version "4.16.0")
    (source
     (origin
       (method url-fetch)
       (uri (string-append "mirror://gnu/libtasn1/libtasn1-"
                           version ".tar.gz"))
       (sha256
        (base32
         "179jskl7dmfp1rd2khkzmlibzgki4wi6hvmmwfv7q49r728b03qf"))))
    (build-system gnu-build-system)
    (arguments
     ;; Only the shared library is built and installed.
     `(#:configure-flags '("--disable-static")))
    (native-inputs `(("perl" ,perl)))   ;build-time only
    (home-page "https://www.gnu.org/software/libtasn1/")
    (synopsis "ASN.1 library")
    (description
     "GNU libtasn1 is a library implementing the ASN.1 notation. It is used
for transmitting machine-neutral encodings of data objects in computer
networking, allowing for formal validation of data according to some
specifications.")
    (license license:lgpl2.0+)))
97
;; asn1c: compiles ASN.1 module definitions into C source code.
(define-public asn1c
  (package
    (name "asn1c")
    (version "0.9.28")
    (home-page "https://lionet.info/asn1c")
    (synopsis "ASN.1 to C compiler")
    (license license:bsd-2)
    (build-system gnu-build-system)
    ;; Perl is only needed at build time.
    (native-inputs (list (list "perl" perl)))
    (source
     (origin
       (method url-fetch)
       (uri (string-append "https://lionet.info/soft/"
                           "asn1c-" version ".tar.gz"))
       (sha256
        (base32 "1fc64g45ykmv73kdndr4zdm4wxhimhrir4rxnygxvwkych5l81w0"))))
    (description "The ASN.1 to C compiler takes ASN.1 module
files and generates C++ compatible C source code. That code can be
used to serialize the native C structures into compact and unambiguous
BER/XER/PER-based data files, and deserialize the files back.

Various ASN.1 based formats are widely used in the industry, such as to encode
the X.509 certificates employed in the HTTPS handshake, to exchange control
data between mobile phones and cellular networks, to car-to-car communication
in intelligent transportation networks.")))
124
;; p11-kit: PKCS#11 module loader and trust-policy glue.
(define-public p11-kit
  (package
    (name "p11-kit")
    (version "0.23.20")
    (source
     (origin
       (method url-fetch)
       (uri (string-append "https://github.com/p11-glue/p11-kit/releases/"
                           "download/" version "/p11-kit-" version ".tar.xz"))
       (sha256
        (base32
         "0131maw666ha4d6iyj13fkz18c4pnb3lw2xwv5kvkmnzqcj61n0l"))))
    (build-system gnu-build-system)
    (native-inputs
     `(("pkg-config" ,pkg-config)))
    (inputs
     `(("libffi" ,libffi)
       ("libtasn1" ,libtasn1)))
    (arguments
     ;; No default trust-anchor locations are compiled in.
     ;; NOTE(review): anything using p11-kit's trust module therefore depends
     ;; on run-time configuration to find its CA certificates — confirm how
     ;; consumers (e.g. GnuTLS, currently built '--without-p11-kit') cope.
     `(#:configure-flags '("--without-trust-paths")
       #:phases (modify-phases %standard-phases
                  (add-before 'check 'prepare-tests
                    (lambda _
                      ;; "test-runtime" expects XDG_RUNTIME_DIR to be set up
                      ;; and looks for .cache and other directories (only).
                      ;; For simplicity just drop it since it is irrelevant
                      ;; in the build container.
                      (substitute* "Makefile"
                        (("test-runtime\\$\\(EXEEXT\\)") ""))
                      #t)))))
    (home-page "https://p11-glue.freedesktop.org/p11-kit.html")
    (synopsis "PKCS#11 library")
    (description
     "p11-kit provides a way to load and enumerate PKCS#11 modules. It
provides a standard configuration setup for installing PKCS#11 modules
in such a way that they are discoverable. It also solves problems with
coordinating the use of PKCS#11 by different components or libraries
living in the same process.")
    (license license:bsd-3)))
164
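;; GnuTLS 3.6.12 with Guile 3.0 bindings.  The 'replacement' below is applied
;; as a graft: dependents are built against this package and then have their
;; references rewritten to 'gnutls-3.6.13' (defined further down; the field
;; is evaluated lazily, so the forward reference is fine).
(define-public gnutls
  (package
    (name "gnutls")
    (replacement gnutls-3.6.13)
    (version "3.6.12")
    (source (origin
              (method url-fetch)
              (uri
               ;; Note: Releases are no longer on ftp.gnu.org since the
               ;; schism (after version 3.1.5).
               (string-append "mirror://gnupg/gnutls/v"
                              (version-major+minor version)
                              "/gnutls-" version ".tar.xz"))
              (patches (search-patches "gnutls-skip-trust-store-test.patch"))
              (sha256
               (base32
                "0jvca1qahn9lrwv6f5kfs95icirc15b2a8x9fzczyj996ipg3b5z"))))
    (build-system gnu-build-system)
    (arguments
     `(;; Ensure we don't keep a reference to this buggy software.  The build
       ;; fails if any output still refers to the net-tools store path.
       #:disallowed-references (,net-tools)
       #:configure-flags
       (list
        ;; GnuTLS doesn't consult any environment variables to specify
        ;; the location of the system-wide trust store. Instead it has a
        ;; configure-time option. Unless specified, its configure script
        ;; attempts to auto-detect the location by looking for common
        ;; places in the file system, none of which are present in our
        ;; chroot build environment. If not found, then no default trust
        ;; store is used, so each program has to provide its own
        ;; fallback, and users have to configure each program
        ;; independently. This seems suboptimal.
        "--with-default-trust-store-dir=/etc/ssl/certs"

        ;; Tell the build system that we want Guile bindings installed to
        ;; the output instead of Guiles own module directory.
        (string-append "--with-guile-site-dir="
                       "$(datarootdir)/guile/site/$(GUILE_EFFECTIVE_VERSION)")
        (string-append "--with-guile-site-ccache-dir="
                       "$(libdir)/guile/$(GUILE_EFFECTIVE_VERSION)/site-ccache")
        (string-append "--with-guile-extension-dir="
                       "$(libdir)/guile/$(GUILE_EFFECTIVE_VERSION)/extensions")

        ;; FIXME: Temporarily disable p11-kit support since it is not
        ;; working on mips64el.
        ;; NOTE(review): without p11-kit, PKCS#11 tokens and p11-kit trust
        ;; policy are unavailable to GnuTLS users; the trust store above is
        ;; the only default source of CA certificates — confirm this is
        ;; still the intended trade-off.
        "--without-p11-kit")

       #:phases (modify-phases %standard-phases
                  (add-after
                   'install 'move-doc
                   (lambda* (#:key outputs #:allow-other-keys)
                     ;; Copy the 4.1 MiB of section 3 man pages to "doc".
                     (let* ((out (assoc-ref outputs "out"))
                            (doc (assoc-ref outputs "doc"))
                            (mandir (string-append doc "/share/man/man3"))
                            (oldman (string-append out "/share/man/man3")))
                       (mkdir-p mandir)
                       (copy-recursively oldman mandir)
                       (delete-file-recursively oldman)
                       #t))))))
    (outputs '("out"                    ;4.4 MiB
               "debug"
               "doc"))                  ;4.1 MiB of man pages
    (native-inputs
     ;; net-tools is only needed by the test suite and is not available when
     ;; targeting the Hurd.
     `(,@(if (hurd-target?) '()
             `(("net-tools" ,net-tools)))
       ("pkg-config" ,pkg-config)
       ("which" ,which)
       ("datefudge" ,datefudge)         ;tests rely on 'datefudge'
       ("util-linux" ,util-linux)))     ;one test needs 'setsid'
    (inputs
     `(("guile" ,guile-3.0)))
    (propagated-inputs
     ;; These are all in the 'Requires.private' field of gnutls.pc.
     `(("libtasn1" ,libtasn1)
       ("libidn2" ,libidn2)
       ("nettle" ,nettle)
       ("zlib" ,zlib)))
    (home-page "https://www.gnu.org/software/gnutls/")
    (synopsis "Transport layer security library")
    ;; Fixed "X.5009" -> "X.509" in the description.
    (description
     "GnuTLS is a secure communications library implementing the SSL, TLS
and DTLS protocols. It is provided in the form of a C library to support the
protocols, as well as to parse and write X.509, PKCS 12, OpenPGP and other
required structures.")
    (license license:lgpl2.1+)
    ;; Presumably consumed by the GNU updater of 'guix refresh'.
    (properties '((ftp-server . "ftp.gnutls.org")
                  (ftp-directory . "/gcrypt/gnutls")))))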
253
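;; Graft replacement for 'gnutls' above.  Dependents are NOT rebuilt against
;; this package; their references to 3.6.12 are rewritten in place, so this
;; definition must stay ABI-compatible with the original (same inputs, same
;; configure flags — everything but source and version is inherited).
(define-public gnutls-3.6.13
  (package
    (inherit gnutls)
    (version "3.6.13")
    (source (origin
              (method url-fetch)
              ;; Same URI layout as the parent; derive the file name from
              ;; VERSION instead of repeating the number so the two cannot
              ;; silently drift apart on the next bump.
              (uri (string-append "mirror://gnupg/gnutls/v"
                                  (version-major+minor version)
                                  "/gnutls-" version ".tar.xz"))
              (patches (search-patches "gnutls-skip-trust-store-test.patch"))
              (sha256
               (base32
                "0f1gnm0756qms5cpx6yn6xb8d3imc2gkqmygf12n9x6r8zs1s11j"))))))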
267
(define-public gnutls/guile-2.0
  ;; Same as 'gnutls', with the bindings built against Guile 2.0 instead of
  ;; Guile 3.0; 'package/inherit' also carries the graft replacement over.
  (package/inherit gnutls
    (name "guile2.0-gnutls")
    (inputs (cons (list "guile" guile-2.0)
                  (alist-delete "guile" (package-inputs gnutls))))))
274
(define-public gnutls/dane
  ;; GnuTLS built with libgnutls-dane, i.e. DNS-based Authentication of Named
  ;; Entities, which GNUnet and gnURL need for GNS.  Adding 'unbound' to the
  ;; inputs is what enables it; it lives in a separate package so that users
  ;; can pick GnuTLS with or without DANE.
  (package/inherit gnutls
    (name "gnutls-dane")
    (inputs (cons (list "unbound" unbound)
                  (package-inputs gnutls)))))
284
;; GnuTLS with bindings for Guile 2.2.  Plain 'inherit' here: the graft
;; replacement is not carried over to this variant.
(define-public guile2.2-gnutls
  (package
    (inherit gnutls)
    (name "guile2.2-gnutls")
    (inputs (cons (list "guile" guile-2.2)
                  (alist-delete "guile" (package-inputs gnutls))))))
292
;; 'gnutls' itself is now built against Guile 3.0, so this name only survives
;; as a deprecated alias for it.
(define-public guile3.0-gnutls
  (deprecated-package "guile3.0-gnutls" gnutls))
295
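;; OpenSSL 1.1.1.  Supports cross-compilation, including to the Hurd, via the
;; 'set-cross-compile' phase below.
(define-public openssl
  (package
    (name "openssl")
    (version "1.1.1f")
    (source (origin
              (method url-fetch)
              ;; The FTP fallbacks are plain-text transports, but every
              ;; download is checked against the SHA-256 below, so a tampered
              ;; tarball is rejected whichever mirror served it.
              (uri (list (string-append "https://www.openssl.org/source/openssl-"
                                        version ".tar.gz")
                         (string-append "ftp://ftp.openssl.org/source/"
                                        "openssl-" version ".tar.gz")
                         (string-append "ftp://ftp.openssl.org/source/old/"
                                        (string-trim-right version char-set:letter)
                                        "/openssl-" version ".tar.gz")))
              (sha256
               (base32
                "0d9zv9srjqivs8nn099fpbjv1wyhfcb8lzy491dpmfngdvz6nv0q"))
              (patches (search-patches "openssl-1.1-c-rehash-in.patch"))))
    (build-system gnu-build-system)
    (outputs '("out"
               "doc"        ;6.8 MiB of man3 pages and full HTML documentation
               "static"))   ;6.4 MiB of .a files
    (native-inputs `(("perl" ,perl)))
    (arguments
     `(#:parallel-tests? #f
       #:test-target "test"

       ;; Changes to OpenSSL sometimes cause Perl to "sneak in" to the closure,
       ;; so we explicitly disallow it here.
       #:disallowed-references ,(list (canonical-package perl))
       #:phases
       (modify-phases %standard-phases
         ,@(if (%current-target-system)
               '((add-before
                  'configure 'set-cross-compile
                  (lambda* (#:key target outputs #:allow-other-keys)
                    ;; CROSS_COMPILE is the toolchain prefix OpenSSL's build
                    ;; prepends to 'gcc', 'ar', etc.; CONFIGURE_TARGET_ARCH
                    ;; is read back by the 'configure' phase below and passed
                    ;; to ./Configure as the explicit target.
                    (setenv "CROSS_COMPILE" (string-append target "-"))
                    (setenv "CONFIGURE_TARGET_ARCH"
                            (cond
                             ;; The Hurd is the only i586 triplet handled
                             ;; here — revisit if other i586 targets appear.
                             ((string-prefix? "i586" target)
                              "hurd-x86")
                             ((string-prefix? "i686" target)
                              "linux-x86")
                             ((string-prefix? "x86_64" target)
                              "linux-x86_64")
                             ((string-prefix? "arm" target)
                              "linux-armv4")
                             ((string-prefix? "aarch64" target)
                              "linux-aarch64")
                             ;; Fail here with a readable message rather than
                             ;; letting 'setenv' reject an unspecified value
                             ;; (a 'cond' with no match returns no string).
                             (else
                              (error "unsupported cross-compilation target for OpenSSL"
                                     target))))
                    #t)))
               '())
         (replace 'configure
           (lambda* (#:key outputs #:allow-other-keys)
             (let* ((out (assoc-ref outputs "out"))
                    (lib (string-append out "/lib")))
               ;; It's not a shebang so patch-source-shebangs misses it.
               (substitute* "config"
                 (("/usr/bin/env")
                  (string-append (assoc-ref %build-inputs "coreutils")
                                 "/bin/env")))
               ;; Native builds let './config' detect the platform; cross
               ;; builds call './Configure' with the explicit target name
               ;; from CONFIGURE_TARGET_ARCH appended as the last argument.
               (invoke ,@(if (%current-target-system)
                             '("./Configure")
                             '("./config"))
                       "shared"         ;build shared libraries
                       "--libdir=lib"

                       ;; The default for this catch-all directory is
                       ;; PREFIX/ssl. Change that to something more
                       ;; conventional.
                       (string-append "--openssldir=" out
                                      "/share/openssl-" ,version)

                       (string-append "--prefix=" out)
                       (string-append "-Wl,-rpath," lib)
                       ,@(if (%current-target-system)
                             '((getenv "CONFIGURE_TARGET_ARCH"))
                             '())))))
         (add-after 'install 'move-static-libraries
           (lambda* (#:key outputs #:allow-other-keys)
             ;; Move static libraries to the "static" output.
             (let* ((out (assoc-ref outputs "out"))
                    (lib (string-append out "/lib"))
                    (static (assoc-ref outputs "static"))
                    (slib (string-append static "/lib")))
               (for-each (lambda (file)
                           (install-file file slib)
                           (delete-file file))
                         (find-files lib "\\.a$"))
               #t)))
         (add-after 'install 'move-extra-documentation
           (lambda* (#:key outputs #:allow-other-keys)
             ;; Move man3 pages and full HTML documentation to "doc".
             (let* ((out (assoc-ref outputs "out"))
                    (man3 (string-append out "/share/man/man3"))
                    (html (string-append out "/share/doc/openssl"))
                    (doc (assoc-ref outputs "doc"))
                    (man-target (string-append doc "/share/man/man3"))
                    (html-target (string-append doc "/share/doc/openssl")))
               (copy-recursively man3 man-target)
               (delete-file-recursively man3)
               (copy-recursively html html-target)
               (delete-file-recursively html)
               #t)))
         (add-after
          'install 'remove-miscellany
          (lambda* (#:key outputs #:allow-other-keys)
            ;; The 'misc' directory contains random undocumented shell and Perl
            ;; scripts. Remove them to avoid retaining a reference on Perl.
            (let ((out (assoc-ref outputs "out")))
              (delete-file-recursively (string-append out "/share/openssl-"
                                                      ,version "/misc"))
              #t))))))
    ;; OpenSSL consults SSL_CERT_DIR / SSL_CERT_FILE for its trust anchors;
    ;; these specs let profiles containing a CA bundle set them.
    (native-search-paths
     (list (search-path-specification
            (variable "SSL_CERT_DIR")
            (separator #f)              ;single entry
            (files '("etc/ssl/certs")))
           (search-path-specification
            (variable "SSL_CERT_FILE")
            (file-type 'regular)        ;must match a file, not a directory
            (separator #f)              ;single entry
            (files '("etc/ssl/certs/ca-certificates.crt")))))
    (synopsis "SSL/TLS implementation")
    (description
     "OpenSSL is an implementation of SSL/TLS.")
    (license license:openssl)
    (home-page "https://www.openssl.org/")))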
422
;; OpenSSL 1.0.2, kept for software not yet ported to the 1.1 API.
;; NOTE(review): upstream no longer publishes updates for the 1.0.2 branch, so
;; anything still depending on this should move to 'openssl' above.
(define-public openssl-1.0
  (package
    (inherit openssl)
    (name "openssl")
    (version "1.0.2u")
    (source (origin
              (method url-fetch)
              (uri (list (string-append "https://www.openssl.org/source/openssl-"
                                        version ".tar.gz")
                         (string-append "ftp://ftp.openssl.org/source/"
                                        "openssl-" version ".tar.gz")
                         (string-append "ftp://ftp.openssl.org/source/old/"
                                        (string-trim-right version char-set:letter)
                                        "/openssl-" version ".tar.gz")))
              (sha256
               (base32
                "05lxcs4hzyfqd5jn0d9p0fvqna62v2s4pc9qgmq0dpcknkzwdl7c"))
              (patches (search-patches "openssl-runpath.patch"
                                       "openssl-c-rehash-in.patch"))))
    (outputs '("out"
               "doc"                    ;1.5MiB of man3 pages
               "static"))               ;6MiB of .a files
    (arguments
     ;; Start from the 1.1 arguments and adjust the phases that differ.
     (substitute-keyword-arguments (package-arguments openssl)
       ;; Parallel build is not supported in 1.0.x.
       ((#:parallel-build? _ #f) #f)
       ((#:phases phases)
        `(modify-phases ,phases
           ;; The test scripts hard-code /bin/sh and /bin/rm, which do not
           ;; exist in the build container.
           (add-before 'patch-source-shebangs 'patch-tests
             (lambda* (#:key inputs native-inputs #:allow-other-keys)
               ;; '(or native-inputs inputs)' covers both the cross and the
               ;; native case; bash comes from the build system's implicit
               ;; inputs.
               (let ((bash (assoc-ref (or native-inputs inputs) "bash")))
                 (substitute* (find-files "test" ".*")
                   (("/bin/sh")
                    (string-append bash "/bin/sh"))
                   (("/bin/rm")
                    "rm"))
                 #t)))
           (add-before 'configure 'patch-Makefile.org
             (lambda* (#:key outputs #:allow-other-keys)
               ;; The default MANDIR is some unusual place. Fix that.
               (let ((out (assoc-ref outputs "out")))
                 (patch-makefile-SHELL "Makefile.org")
                 (substitute* "Makefile.org"
                   (("^MANDIR[[:blank:]]*=.*$")
                    (string-append "MANDIR = " out "/share/man\n")))
                 #t)))
           (replace 'configure
             ;; Override this phase because OpenSSL 1.0 does not understand -rpath.
             ;; (RUNPATH handling comes from 'openssl-runpath.patch' instead.)
             (lambda* (#:key outputs #:allow-other-keys)
               (let ((out (assoc-ref outputs "out")))
                 (invoke ,@(if (%current-target-system)
                               '("./Configure")
                               '("./config"))
                         "shared"       ;build shared libraries
                         "--libdir=lib"

                         ;; The default for this catch-all directory is
                         ;; PREFIX/ssl. Change that to something more
                         ;; conventional.
                         (string-append "--openssldir=" out
                                        "/share/openssl-" ,version)

                         (string-append "--prefix=" out)
                         ;; Set by the inherited 'set-cross-compile' phase.
                         ,@(if (%current-target-system)
                               '((getenv "CONFIGURE_TARGET_ARCH"))
                               '())))))
           ;; 1.0.x ships no HTML documentation, only man pages.
           (delete 'move-extra-documentation)
           (add-after 'install 'move-man3-pages
             (lambda* (#:key outputs #:allow-other-keys)
               ;; Move section 3 man pages to "doc".
               (let* ((out (assoc-ref outputs "out"))
                      (man3 (string-append out "/share/man/man3"))
                      (doc (assoc-ref outputs "doc"))
                      (target (string-append doc "/share/man/man3")))
                 (mkdir-p target)
                 (for-each (lambda (file)
                             (rename-file file
                                          (string-append target "/"
                                                         (basename file))))
                           (find-files man3))
                 (delete-file-recursively man3)
                 #t)))
           ;; XXX: Duplicate this phase to make sure 'version' evaluates
           ;; in the current scope and not the inherited one.
           (replace 'remove-miscellany
             (lambda* (#:key outputs #:allow-other-keys)
               ;; The 'misc' directory contains random undocumented shell and Perl
               ;; scripts. Remove them to avoid retaining a reference on Perl.
               (let ((out (assoc-ref outputs "out")))
                 (delete-file-recursively (string-append out "/share/openssl-"
                                                         ,version "/misc"))
                 #t)))))))))
515
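;; LibreSSL, the OpenBSD fork of OpenSSL, plus its TLS-capable 'nc'.
(define-public libressl
  (package
    (name "libressl")
    (version "3.0.2")
    (source (origin
              (method url-fetch)
              (uri (string-append "mirror://openbsd/LibreSSL/"
                                  "libressl-" version ".tar.gz"))
              (sha256
               (base32
                "13ir2lpxz8y1m151k7lrx306498nzfhwlvgkgv97v5cvywmifyyz"))))
    (build-system gnu-build-system)
    (arguments
     ;; Do as if 'getentropy' was missing since older Linux kernels lack it
     ;; and libc would return ENOSYS, which is not properly handled.
     ;; See <https://lists.gnu.org/archive/html/guix-devel/2017-04/msg00235.html>.
     ;; NOTE(review): this presumably forces LibreSSL onto its fallback
     ;; entropy path on every kernel, not only old ones — worth revisiting
     ;; once all supported kernels provide getentropy.
     '(#:configure-flags '("ac_cv_func_getentropy=no"
                           ;; Provide a TLS-enabled netcat.
                           "--enable-nc")))
    ;; Same variables as the 'openssl' package, so both can pick up the same
    ;; CA bundle from a profile.
    (native-search-paths
     (list (search-path-specification
            (variable "SSL_CERT_DIR")
            (separator #f)              ;single entry
            (files '("etc/ssl/certs")))
           (search-path-specification
            (variable "SSL_CERT_FILE")
            ;; The search path must match a regular file; without this the
            ;; default ('directory) applies and the bundle is never found,
            ;; leaving SSL_CERT_FILE unset.  Matches the 'openssl' spec.
            (file-type 'regular)
            (separator #f)              ;single entry
            (files '("etc/ssl/certs/ca-certificates.crt")))))
    (home-page "https://www.libressl.org/")
    (synopsis "SSL/TLS implementation")
    (description "LibreSSL is a version of the TLS/crypto stack, forked from
OpenSSL in 2014 with the goals of modernizing the codebase, improving security,
and applying best practice development processes. This package also includes a
netcat implementation that supports TLS.")
    ;; Files taken from OpenSSL keep their license, others are under various
    ;; non-copyleft licenses.
    (license (list license:openssl
                   (license:non-copyleft
                    "file://COPYING"
                    "See COPYING in the distribution.")))))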
556
;; The ACME client library that certbot is built on.  'certbot' below reuses
;; this package's version and build phases.
(define-public python-acme
  (package
    (name "python-acme")
    ;; Remember to update the hash of certbot when updating python-acme.
    (version "1.3.0")
    (source (origin
              (method url-fetch)
              (uri (pypi-uri "acme" version))
              (sha256
               (base32
                "03fjmg0fgfy7xfn3i8rzn9i0i4amajmijkash84qb8mlphgrxpn0"))))
    (build-system python-build-system)
    (arguments
     `(#:phases
       (modify-phases %standard-phases
         ;; Build the Sphinx man page and Texinfo manual after the Python
         ;; build; the next phase installs them.
         (add-after 'build 'build-documentation
           (lambda _
             (invoke "make" "-C" "docs" "man" "info")))
         (add-after 'install 'install-documentation
           (lambda* (#:key outputs #:allow-other-keys)
             ;; NOTE(review): the Info file goes to OUT/info rather than
             ;; OUT/share/info — confirm that is where it is expected.
             (let* ((out (assoc-ref outputs "out"))
                    (man (string-append out "/share/man/man1"))
                    (info (string-append out "/info")))
               (install-file "docs/_build/texinfo/acme-python.info" info)
               (install-file "docs/_build/man/acme-python.1" man)
               #t))))))
    ;; TODO: Add optional inputs for testing.
    (native-inputs
     `(("python-mock" ,python-mock)
       ("python-pytest" ,python-pytest)
       ;; For documentation
       ("python-sphinx" ,python-sphinx)
       ("python-sphinxcontrib-programoutput" ,python-sphinxcontrib-programoutput)
       ("python-sphinx-rtd-theme" ,python-sphinx-rtd-theme)
       ("texinfo" ,texinfo)))
    (propagated-inputs
     `(("python-josepy" ,python-josepy)
       ("python-six" ,python-six)
       ("python-requests" ,python-requests)
       ("python-requests-toolbelt" ,python-requests-toolbelt)
       ("python-pytz" ,python-pytz)
       ("python-pyrfc3339" ,python-pyrfc3339)
       ("python-pyasn1" ,python-pyasn1)
       ("python-cryptography" ,python-cryptography)
       ("python-pyopenssl" ,python-pyopenssl)))
    (home-page "https://github.com/certbot/certbot")
    (synopsis "ACME protocol implementation in Python")
    (description "ACME protocol implementation in Python")
    (license license:asl2.0)))
606
;; Certbot, the EFF's Let's Encrypt client; built on top of 'python-acme'.
(define-public certbot
  (package
    (name "certbot")
    ;; Certbot and python-acme are developed in the same repository, and their
    ;; versions should remain synchronized.
    (version (package-version python-acme))
    (source (origin
              (method url-fetch)
              (uri (pypi-uri "certbot" version))
              ;; Tied to the python-acme version above: bumping python-acme
              ;; without refreshing this hash makes the download fail.
              (sha256
               (base32
                "1n5i0k6kwmd6wvivshfl3k4djwcpwx390c39xmr2hhrgpk5r285w"))))
    (build-system python-build-system)
    (arguments
     ;; Reuse python-acme's phases (including 'build-documentation') and
     ;; replace only the install step, since certbot ships different files.
     `(,@(substitute-keyword-arguments (package-arguments python-acme)
           ((#:phases phases)
            `(modify-phases ,phases
               (replace 'install-documentation
                 (lambda* (#:key outputs #:allow-other-keys)
                   (let* ((out (assoc-ref outputs "out"))
                          (man1 (string-append out "/share/man/man1"))
                          (man7 (string-append out "/share/man/man7"))
                          (info (string-append out "/info")))
                     (install-file "docs/_build/texinfo/Certbot.info" info)
                     (install-file "docs/_build/man/certbot.1" man1)
                     (install-file "docs/_build/man/certbot.7" man7)
                     #t))))))))
    ;; TODO: Add optional inputs for testing.
    (native-inputs
     `(("python-mock" ,python-mock)
       ("python-pytest" ,python-pytest)
       ;; For documentation
       ("python-sphinx" ,python-sphinx)
       ("python-sphinx-rtd-theme" ,python-sphinx-rtd-theme)
       ("python-sphinx-repoze-autointerface" ,python-sphinx-repoze-autointerface)
       ("python-sphinxcontrib-programoutput" ,python-sphinxcontrib-programoutput)
       ("texinfo" ,texinfo)))
    (propagated-inputs
     `(("python-acme" ,python-acme)
       ("python-cryptography" ,python-cryptography)
       ("python-zope-interface" ,python-zope-interface)
       ("python-pyrfc3339" ,python-pyrfc3339)
       ("python-pyopenssl" ,python-pyopenssl)
       ("python-configobj" ,python-configobj)
       ("python-configargparse" ,python-configargparse)
       ("python-distro" ,python-distro)
       ("python-zope-component" ,python-zope-component)
       ("python-parsedatetime" ,python-parsedatetime)
       ("python-six" ,python-six)
       ("python-psutil" ,python-psutil)
       ("python-requests" ,python-requests)
       ("python-pytz" ,python-pytz)))
    (synopsis "Let's Encrypt client by the Electronic Frontier Foundation")
    (description "Certbot automatically receives and installs X.509 certificates
to enable Transport Layer Security (TLS) on servers. It interoperates with the
Let’s Encrypt certificate authority (CA), which issues browser-trusted
certificates for free.")
    (home-page "https://certbot.eff.org/")
    (license license:asl2.0)))
666
;; Former name of 'certbot'; the 'superseded' property points at the package
;; that replaces it.
(define-public letsencrypt
  (package
    (inherit certbot)
    (name "letsencrypt")
    (properties (list (cons 'superseded certbot)))))
671
;; Net::SSLeay: Perl bindings to OpenSSL.
(define-public perl-net-ssleay
  (package
    (name "perl-net-ssleay")
    (version "1.88")
    (source (origin
              (method url-fetch)
              (uri (string-append "mirror://cpan/authors/id/C/CH/CHRISN/"
                                  "Net-SSLeay-" version ".tar.gz"))
              (sha256
               (base32
                "1pfgh4h3szcpvqlcimc60pjbk9zwls99x5863sva0wc47i4dl010"))))
    (build-system perl-build-system)
    (inputs `(("openssl" ,openssl)))
    (arguments
     `(#:phases
       (modify-phases %standard-phases
         (add-before
          'configure 'set-ssl-prefix
          (lambda* (#:key inputs #:allow-other-keys)
            ;; Point the build at our OpenSSL (presumably read by
            ;; Makefile.PL) instead of letting it probe the system.
            (setenv "OPENSSL_PREFIX" (assoc-ref inputs "openssl"))
            #t)))))
    (synopsis "Perl extension for using OpenSSL")
    (description
     "This module offers some high level convenience functions for accessing
web pages on SSL servers (for symmetry, the same API is offered for accessing
http servers, too), an sslcat() function for writing your own clients, and
finally access to the SSL api of the SSLeay/OpenSSL package so you can write
servers or clients for more complicated applications.")
    (license license:perl-license)
    (home-page "https://metacpan.org/release/Net-SSLeay")))
702
;; Crypt::OpenSSL::RSA: RSA operations on top of OpenSSL's libcrypto.
(define-public perl-crypt-openssl-rsa
  (package
    (name "perl-crypt-openssl-rsa")
    (version "0.31")
    (home-page "https://metacpan.org/release/Crypt-OpenSSL-RSA")
    (synopsis "RSA encoding and decoding, using the openSSL libraries")
    (license license:perl-license)
    (build-system perl-build-system)
    ;; Build-time helper that guesses the OpenSSL include path.
    (native-inputs
     (list (list "perl-crypt-openssl-guess" perl-crypt-openssl-guess)))
    (inputs
     (list (list "perl-crypt-openssl-bignum" perl-crypt-openssl-bignum)
           (list "perl-crypt-openssl-random" perl-crypt-openssl-random)
           (list "openssl" openssl)))
    ;; Shared Makefile.PL patching, defined further down in this file.
    (arguments perl-crypt-arguments)
    (source
     (origin
       (method url-fetch)
       (uri (string-append "mirror://cpan/authors/id/T/TO/TODDR/"
                           "Crypt-OpenSSL-RSA-" version ".tar.gz"))
       (sha256
        (base32 "0djl5i6kibl7862b6ih29q8dhg5zpwzq77q9j8hp6xngshx40ws1"))))
    (description "Crypt::OpenSSL::RSA does RSA encoding and decoding (using the
OpenSSL libraries).")))
732
;; Build arguments shared by the Crypt::OpenSSL::* packages: rewrite the
;; 'LIBS' entry of Makefile.PL so the module links against the libcrypto of
;; the 'openssl' input (by its store path) rather than whatever the linker
;; would find on its own.  Referenced from packages defined above; this
;; works because the 'arguments' field is evaluated lazily.
(define perl-crypt-arguments
  `(#:phases (modify-phases %standard-phases
               (add-before 'configure 'patch-Makefile.PL
                 (lambda* (#:key inputs #:allow-other-keys)
                   (substitute* "Makefile.PL"
                     ;; Replace the whole 'LIBS' => ... line.
                     (("'LIBS'.*=>.*") (string-append "'LIBS' => ['-L"
                                                      (assoc-ref inputs "openssl")
                                                      "/lib -lcrypto'],")))
                   #t)))))
742
;; Crypt::OpenSSL::Bignum: OpenSSL BIGNUM arithmetic from Perl.
(define-public perl-crypt-openssl-bignum
  (package
    (name "perl-crypt-openssl-bignum")
    (version "0.09")
    (home-page "https://metacpan.org/release/Crypt-OpenSSL-Bignum")
    (synopsis "OpenSSL's multiprecision integer arithmetic in Perl")
    (build-system perl-build-system)
    (inputs (list (list "openssl" openssl)))
    ;; Shared Makefile.PL patching, defined earlier in this file.
    (arguments perl-crypt-arguments)
    (source
     (origin
       (method url-fetch)
       (uri (string-append "mirror://cpan/authors/id/K/KM/KMX/"
                           "Crypt-OpenSSL-Bignum-" version ".tar.gz"))
       (sha256
        (base32 "1p22znbajq91lbk2k3yg12ig7hy5b4vy8igxwqkmbm4nhgxp4ki3"))))
    (description "Crypt::OpenSSL::Bignum provides multiprecision integer
arithmetic in Perl.")
    ;; At your option either gpl1+ or the Artistic License
    (license license:perl-license)))
768
;; Crypt::OpenSSL::Guess: build-time helper used (as a native input) by the
;; other Crypt::OpenSSL::* packages to locate OpenSSL headers.
(define-public perl-crypt-openssl-guess
  (package
    (name "perl-crypt-openssl-guess")
    (version "0.11")
    (home-page "https://metacpan.org/release/Crypt-OpenSSL-Guess")
    (synopsis "Guess the OpenSSL include path")
    (license license:perl-license)
    (build-system perl-build-system)
    (source
     (origin
       (method url-fetch)
       (uri (string-append "mirror://cpan/authors/id/A/AK/AKIYM/"
                           "Crypt-OpenSSL-Guess-" version ".tar.gz"))
       (sha256
        (base32 "0rvi9l4ljcbhwwvspq019nfq2h2v746dk355h2nwnlmqikiihsxa"))))
    (description
     "The Crypt::OpenSSL::Guess Perl module provides helpers to guess the
correct OpenSSL include path. It is intended for use in your
@file{Makefile.PL}.")))
790
;; Crypt::OpenSSL::Random: access to the OpenSSL/LibreSSL PRNG from Perl.
(define-public perl-crypt-openssl-random
  (package
    (name "perl-crypt-openssl-random")
    (version "0.15")
    (home-page "https://metacpan.org/release/Crypt-OpenSSL-Random")
    (synopsis "OpenSSL/LibreSSL pseudo-random number generator access")
    (license license:perl-license)
    (build-system perl-build-system)
    ;; Build-time helper that guesses the OpenSSL include path.
    (native-inputs
     (list (list "perl-crypt-openssl-guess" perl-crypt-openssl-guess)))
    (inputs (list (list "openssl" openssl)))
    ;; Shared Makefile.PL patching, defined earlier in this file.
    (arguments perl-crypt-arguments)
    (source
     (origin
       (method url-fetch)
       (uri (string-append "mirror://cpan/authors/id/R/RU/RURBAN/"
                           "Crypt-OpenSSL-Random-" version ".tar.gz"))
       (sha256
        (base32 "1x6ffps8q7mnawmcfq740llzy7i10g3319vap0wiw4d33fm6z1zh"))))
    (description "Crypt::OpenSSL::Random is a OpenSSL/LibreSSL pseudo-random
number generator")))
817
;; acme-client: OpenBSD's privilege-separated Let's Encrypt client, portable
;; build, linked against LibreSSL.
(define-public acme-client
  (package
    (name "acme-client")
    (version "0.1.16")
    (source (origin
              (method url-fetch)
              ;; NAME is the package name field above.
              (uri (string-append "https://kristaps.bsd.lv/" name "/"
                                  "snapshots/" name "-portable-"
                                  version ".tgz"))
              (sha256
               (base32
                "00q05b3b1dfnfp7sr1nbd212n0mqrycl3cr9lbs51m7ncaihbrz9"))))
    (build-system gnu-build-system)
    (arguments
     '(#:tests? #f                      ; no test suite
       #:make-flags
       (list "CC=gcc"
             (string-append "PREFIX=" (assoc-ref %outputs "out")))
       #:phases
       (modify-phases %standard-phases
         (add-after 'unpack 'patch-paths
           (lambda* (#:key inputs #:allow-other-keys)
             ;; http.c hard-codes the CA bundle path; point it at the one
             ;; inside our LibreSSL so TLS verification of the ACME server
             ;; has a trust anchor.
             ;; NOTE(review): confirm the libressl output really ships
             ;; etc/ssl/cert.pem; the search paths elsewhere in this file
             ;; use etc/ssl/certs/ca-certificates.crt instead.
             (let ((pem (string-append (assoc-ref inputs "libressl")
                                       "/etc/ssl/cert.pem")))
               (substitute* "http.c"
                 (("/etc/ssl/cert.pem") pem))
               #t)))
         (delete 'configure))))         ; no './configure' script
    (native-inputs
     `(("pkg-config" ,pkg-config)))
    (inputs
     `(("libbsd" ,libbsd)
       ("libressl" ,libressl)))
    (synopsis "Let's Encrypt client by the OpenBSD project")
    (description "acme-client is a Let's Encrypt client implemented in C. It
uses a modular design, and attempts to secure itself by dropping privileges and
operating in a chroot where possible. acme-client is developed on OpenBSD and
then ported to the GNU / Linux environment.")
    (home-page "https://kristaps.bsd.lv/acme-client/")
    ;; acme-client is distributed under the ISC license, but the files 'jsmn.h'
    ;; and 'jsmn.c' are distributed under the Expat license.
    (license (list license:isc license:expat))))
860
;; The "-apache" variant is the one upstream prefers; a "-gpl" variant
;; exists in addition to it.
(define-public mbedtls-apache
  (package
    (name "mbedtls-apache")
    (version "2.16.5")
    (source
     (origin
       (method url-fetch)
       ;; XXX: The download links on the website are script redirection links
       ;; which effectively lead to the format listed in the uri here.
       (uri (string-append "https://tls.mbed.org/download/mbedtls-"
                           version "-apache.tgz"))
       (sha256
        (base32
         "0kdhwy241xsk4isbadqx6z80m8sf76da5sbmqv8qy11yr37cdd35"))))
    (build-system cmake-build-system)
    (arguments
     ;; Shared library only; the static archives are not built.
     `(#:configure-flags
       (list "-DUSE_SHARED_MBEDTLS_LIBRARY=ON"
             "-DUSE_STATIC_MBEDTLS_LIBRARY=OFF")))
    ;; Build-time only (native inputs); nothing here ends up in the closure.
    (native-inputs
     `(("perl" ,perl)
       ("python" ,python)))
    (synopsis "Small TLS library")
    (description
     "@code{mbed TLS}, formerly known as PolarSSL, makes it trivially easy
for developers to include cryptographic and SSL/TLS capabilities in their
(embedded) products, facilitating this functionality with a minimal
coding footprint.")
    (home-page "https://tls.mbed.org")
    (license license:asl2.0)))
893
894 ;; The Hiawatha Web server requires some specific features to be enabled.
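(define-public mbedtls-for-hiawatha
  (hidden-package
   (package
     (inherit mbedtls-apache)
     (arguments
      ;; Extend the inherited argument list instead of prepending a second
      ;; #:phases entry: the previous form wrapped the whole list in
      ;; 'substitute-keyword-arguments' with no clauses, which is a no-op.
      (substitute-keyword-arguments (package-arguments mbedtls-apache)
        ((#:phases phases '%standard-phases)
         `(modify-phases ,phases
            ;; Turn on the threading options Hiawatha needs through upstream's
            ;; own config helper.  This runs before 'configure, while the
            ;; working directory is still the source tree: by default
            ;; cmake-build-system configures out of source and changes into
            ;; ../build, where the relative "scripts/config.pl" path would not
            ;; resolve.
            (add-before 'configure 'configure-extra-features
              (lambda _
                (for-each (lambda (feature)
                            (invoke "scripts/config.pl" "set" feature))
                          (list "MBEDTLS_THREADING_C"
                                "MBEDTLS_THREADING_PTHREAD"))
                #t)))))))))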
911
(define-public dehydrated
  (package
    (name "dehydrated")
    (version "0.6.5")
    (source (origin
              (method url-fetch)
              (uri (string-append
                    "https://github.com/dehydrated-io/dehydrated/releases/download/"
                    "v" version "/dehydrated-" version ".tar.gz"))
              (sha256
               (base32
                "0dgskgbdd95p13jx6s13p77y15wngb5cm6p4305cf2s54w0bvahh"))))
    (build-system trivial-build-system)
    ;; Only needed to unpack the tarball during the build.
    (native-inputs
     `(("gzip" ,gzip)
       ("tar" ,tar)))
    ;; Runtime tools the script shells out to; see the wrapper below.
    (inputs
     `(("bash" ,bash)
       ("coreutils" ,coreutils)
       ("curl" ,curl)
       ("diffutils" ,diffutils)
       ("gawk" ,gawk)
       ("grep" ,grep)
       ("openssl" ,openssl)
       ("sed" ,sed)))
    (arguments
     `(#:modules ((guix build utils)
                  (srfi srfi-26))
       #:builder
       (begin
         (use-modules (guix build utils)
                      (srfi srfi-26))
         (let* ((tarball   (assoc-ref %build-inputs "source"))
                (tar-bin   (string-append (assoc-ref %build-inputs "tar")
                                          "/bin/tar"))
                (gzip-dir  (string-append (assoc-ref %build-inputs "gzip")
                                          "/bin"))
                (bash-dir  (in-vicinity (assoc-ref %build-inputs "bash") "bin"))
                (out       (assoc-ref %outputs "out"))
                (bin       (string-append out "/bin"))
                (doc       (string-append out "/share/doc/" ,name "-" ,version))
                (man       (string-append out "/share/man"))
                (unpacked  (string-append ,name "-" ,version))
                ;; Inputs whose bin/ directories get pinned on the script's
                ;; PATH, so it never picks up tools from the user's PATH.
                (tool-inputs '("coreutils" "curl" "diffutils" "gawk" "grep"
                               "openssl" "sed")))
           ;; tar needs gzip on PATH to decompress the .tar.gz.
           (setenv "PATH" gzip-dir)
           (invoke tar-bin "xvf" tarball)
           (chdir unpacked)

           ;; Documentation: the docs/ tree, the license and the manual page
           ;; (shipped inside docs/man, moved to the standard man1 location).
           (copy-recursively "docs" doc)
           (install-file "LICENSE" doc)
           (mkdir-p man)
           (rename-file (string-append doc "/man")
                        (string-append man "/man1"))
           (for-each (lambda (page) (invoke "gzip" "-9" page))
                     (find-files man ".*"))

           ;; The program is a single Bash script.
           (install-file "dehydrated" bin)
           (with-directory-excursion bin
             (patch-shebang "dehydrated" (list bash-dir))

             ;; The script derives SCRIPTDIR from its own location, which in
             ;; the store is read-only; point it at a per-user directory so it
             ;; never tries to write next to itself.
             (substitute* "dehydrated"
               (("SCRIPTDIR=\"\\$.*\"") "SCRIPTDIR=~/.dehydrated"))

             ;; bash on PATH here: wrap-program presumably locates it that way.
             (setenv "PATH" bash-dir)
             (wrap-program "dehydrated"
               `("PATH" ":" prefix
                 ,(map (lambda (input)
                         (string-append (assoc-ref %build-inputs input)
                                        "/bin"))
                       tool-inputs))))
           #t))))
    (home-page "https://dehydrated.io/")
    (synopsis "Let's Encrypt/ACME client implemented as a shell script")
    (description "Dehydrated is a client for signing certificates with an
ACME-server (currently only provided by Let's Encrypt) implemented as a
relatively simple Bash script.")
    (license license:expat)))
995
(define-public go-github-com-certifi-gocertifi
  ;; Pinned to a commit; 'git-version' builds the version string from the
  ;; base version, the Guix revision and the commit.  Because this is a root
  ;; CA bundle, the pinned commit decides which roots dependents trust, so a
  ;; trust-store update reaches them only through a bump here.
  (let ((changeset "a5e0173ced670013bfb649c7e806bc9529c986ec")
        (revision "1"))
    (package
      (name "go-github-com-certifi-gocertifi")
      (version (git-version "2018.01.18" revision changeset))
      (source (origin
                (method git-fetch)
                (uri (git-reference
                      (url "https://github.com/certifi/gocertifi")
                      (commit changeset)))
                (file-name (git-file-name name version))
                (sha256
                 (base32
                  "1n9drccl3q1rr8wg3nf60slkf1lgsmz5ahifrglbdrc6har3rryj"))))
      (build-system go-build-system)
      (arguments
       '(#:import-path "github.com/certifi/gocertifi"))
      (home-page "https://certifi.io")
      (synopsis "X.509 TLS root certificate bundle for Go")
      (description "This package is a Go language X.509 TLS root certificate bundle,
derived from Mozilla's collection.")
      (license license:mpl2.0))))