1 ;;; GNU Guix --- Functional package management for GNU
2 ;;; Copyright © 2012, 2013, 2014, 2015, 2016, 2017 Ludovic Courtès <ludo@gnu.org>
3 ;;; Copyright © 2014, 2015, 2016, 2017 Mark H Weaver <mhw@netris.org>
4 ;;; Copyright © 2014 Ian Denhardt <ian@zenhack.net>
5 ;;; Copyright © 2013, 2015 Andreas Enge <andreas@enge.fr>
6 ;;; Copyright © 2015 David Thompson <davet@gnu.org>
7 ;;; Copyright © 2015, 2016, 2017 Leo Famulari <leo@famulari.name>
8 ;;; Copyright © 2016, 2017 Efraim Flashner <efraim@flashner.co.il>
9 ;;; Copyright © 2016, 2017 ng0 <ng0@infotropique.org>
10 ;;; Copyright © 2016 Hartmut Goebel <h.goebel@crazy-compilers.com>
11 ;;; Copyright © 2017 Ricardo Wurmus <rekado@elephly.net>
12 ;;; Copyright © 2017 Marius Bakke <mbakke@fastmail.com>
14 ;;; This file is part of GNU Guix.
16 ;;; GNU Guix is free software; you can redistribute it and/or modify it
17 ;;; under the terms of the GNU General Public License as published by
18 ;;; the Free Software Foundation; either version 3 of the License, or (at
19 ;;; your option) any later version.
21 ;;; GNU Guix is distributed in the hope that it will be useful, but
22 ;;; WITHOUT ANY WARRANTY; without even the implied warranty of
23 ;;; MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
24 ;;; GNU General Public License for more details.
26 ;;; You should have received a copy of the GNU General Public License
27 ;;; along with GNU Guix. If not, see <http://www.gnu.org/licenses/>.
29 (define-module (gnu packages tls)
30 #:use-module ((guix licenses) #:prefix license:)
31 #:use-module (guix packages)
32 #:use-module (guix download)
33 #:use-module (guix utils)
34 #:use-module (guix build-system gnu)
35 #:use-module (guix build-system perl)
36 #:use-module (guix build-system python)
37 #:use-module (guix build-system cmake)
38 #:use-module (guix build-system haskell)
39 #:use-module (gnu packages compression)
40 #:use-module (gnu packages)
41 #:use-module (gnu packages check)
42 #:use-module (gnu packages dns)
43 #:use-module (gnu packages guile)
44 #:use-module (gnu packages haskell)
45 #:use-module (gnu packages haskell-check)
46 #:use-module (gnu packages haskell-crypto)
47 #:use-module (gnu packages libbsd)
48 #:use-module (gnu packages libffi)
49 #:use-module (gnu packages libidn)
50 #:use-module (gnu packages linux)
51 #:use-module (gnu packages ncurses)
52 #:use-module (gnu packages nettle)
53 #:use-module (gnu packages perl)
54 #:use-module (gnu packages pkg-config)
55 #:use-module (gnu packages python)
56 #:use-module (gnu packages python-crypto)
57 #:use-module (gnu packages python-web)
58 #:use-module (gnu packages texinfo)
59 #:use-module (gnu packages base)
60 #:use-module (srfi srfi-1))
62 (define-public libtasn1
66 (replacement libtasn1/fixed)
70 (uri (string-append "mirror://gnu/libtasn1/libtasn1-"
74 "0ls7jdq3y5fnrwg0pzhq11m21r8pshac2705bczz6mqjc8pdllv7"))))
75 (build-system gnu-build-system)
76 (native-inputs `(("perl" ,perl)))
77 (home-page "https://www.gnu.org/software/libtasn1/")
78 (synopsis "ASN.1 library")
80 "GNU libtasn1 is a library implementing the ASN.1 notation. It is used
81 for transmitting machine-neutral encodings of data objects in computer
82 networking, allowing for formal validation of data according to some
84 (license license:lgpl2.0+)))
86 (define libtasn1/fixed
90 (inherit (package-source libtasn1))
91 (patches (search-patches "libtasn1-CVE-2017-10790.patch"))))))
99 (uri (string-append "https://lionet.info/soft/asn1c-"
103 "1fc64g45ykmv73kdndr4zdm4wxhimhrir4rxnygxvwkych5l81w0"))))
104 (build-system gnu-build-system)
107 (home-page "https://lionet.info/asn1c")
108 (synopsis "ASN.1 to C compiler")
109 (description "The ASN.1 to C compiler takes ASN.1 module
110 files and generates C++ compatible C source code. That code can be
111 used to serialize the native C structures into compact and unambiguous
112 BER/XER/PER-based data files, and deserialize the files back.
114 Various ASN.1 based formats are widely used in the industry, such as to encode
115 the X.509 certificates employed in the HTTPS handshake, to exchange control
116 data between mobile phones and cellular networks, to car-to-car communication
117 in intelligent transportation networks.")
118 (license license:bsd-2)))
120 (define-public p11-kit
127 (uri (string-append "https://github.com/p11-glue/p11-kit/releases/"
128 "download/" version "/p11-kit-" version ".tar.gz"))
131 "0qyvnkb5hfi94wv3bn67y20hcbbvynvjwxpk7k9sh1si6ff69hg1"))))
132 (build-system gnu-build-system)
134 `(("pkg-config" ,pkg-config)))
137 ("libtasn1" ,libtasn1)))
139 `(#:configure-flags '("--without-trust-paths")))
140 (home-page "http://p11-glue.freedesktop.org/p11-kit.html")
141 (synopsis "PKCS#11 library")
143 "p11-kit provides a way to load and enumerate PKCS#11 modules. It
144 provides a standard configuration setup for installing PKCS#11 modules
145 in such a way that they are discoverable. It also solves problems with
146 coordinating the use of PKCS#11 by different components or libraries
147 living in the same process.")
148 (license license:bsd-3)))
151 ;; TODO Add net-tools-for-tests to #:disallowed-references when we can afford
152 ;; rebuild GnuTLS (i.e. core-updates).
153 (define-public gnutls
160 ;; Note: Releases are no longer on ftp.gnu.org since the
161 ;; schism (after version 3.1.5).
162 (string-append "mirror://gnupg/gnutls/v"
163 (version-major+minor version)
164 "/gnutls-" version ".tar.xz"))
166 (search-patches "gnutls-skip-trust-store-test.patch"
167 "gnutls-skip-pkgconfig-test.patch"))
170 "15ihq6p0hnnhs8cnjrkj40dmlcaa1jjg8xg0g2ydbnlqs454ixbr"))))
171 (build-system gnu-build-system)
175 ;; GnuTLS doesn't consult any environment variables to specify
176 ;; the location of the system-wide trust store. Instead it has a
177 ;; configure-time option. Unless specified, its configure script
178 ;; attempts to auto-detect the location by looking for common
179 ;; places in the file system, none of which are present in our
180 ;; chroot build environment. If not found, then no default trust
181 ;; store is used, so each program has to provide its own
182 ;; fallback, and users have to configure each program
183 ;; independently. This seems suboptimal.
184 "--with-default-trust-store-dir=/etc/ssl/certs"
186 ;; FIXME: Temporarily disable p11-kit support since it is not
187 ;; working on mips64el.
190 #:phases (modify-phases %standard-phases
193 (lambda* (#:key outputs #:allow-other-keys)
194 ;; Copy the 4.1 MiB of section 3 man pages to "doc".
195 (let* ((out (assoc-ref outputs "out"))
196 (doc (assoc-ref outputs "doc"))
197 (mandir (string-append doc "/share/man/man3"))
198 (oldman (string-append out "/share/man/man3")))
200 (copy-recursively oldman mandir)
201 (delete-file-recursively oldman)
203 (outputs '("out" ;4.4 MiB
205 "doc")) ;4.1 MiB of man pages
207 `(("net-tools" ,net-tools-for-tests)
208 ("pkg-config" ,pkg-config)
211 `(("guile" ,guile-2.2)))
213 ;; These are all in the 'Requires.private' field of gnutls.pc.
214 `(("libtasn1" ,libtasn1)
218 (home-page "https://www.gnu.org/software/gnutls/")
219 (synopsis "Transport layer security library")
221 "GnuTLS is a secure communications library implementing the SSL, TLS
222 and DTLS protocols. It is provided in the form of a C library to support the
223 protocols, as well as to parse and write X.5009, PKCS 12, OpenPGP and other
224 required structures.")
225 (license license:lgpl2.1+)
226 (properties '((ftp-server . "ftp.gnutls.org")
227 (ftp-directory . "/gcrypt/gnutls")))))
229 (define-public gnutls/guile-2.2
230 (deprecated-package "guile2.2-gnutls" gnutls))
232 (define-public gnutls/guile-2.0
233 ;; GnuTLS for Guile 2.0.
236 (name "guile2.0-gnutls")
237 (inputs `(("guile" ,guile-2.0)
238 ,@(alist-delete "guile" (package-inputs gnutls))))))
240 (define-public gnutls/dane
241 ;; GnuTLS with build libgnutls-dane, implementing DNS-based
242 ;; Authentication of Named Entities. This is required for GNS functionality
243 ;; by GNUnet and gnURL. This is done in an extra package definition
244 ;; to have the choice between GnuTLS with Dane and without Dane.
248 (inputs `(("unbound" ,unbound)
249 ,@(package-inputs gnutls)))))
251 (define-public openssl
255 (replacement openssl-1.0.2m)
258 (uri (list (string-append "ftp://ftp.openssl.org/source/"
259 name "-" version ".tar.gz")
260 (string-append "ftp://ftp.openssl.org/source/old/"
261 (string-trim-right version char-set:letter)
262 "/" name "-" version ".tar.gz")))
265 "037kvpisc6qh5dkppcwbm5bg2q800xh2hma3vghz8xcycmdij1yf"))
268 ;; Remove ELF files. 'substitute*' can't read them.
269 (delete-file "test/ssltest_old")
270 (delete-file "test/v3ext")
271 (delete-file "test/x509aux")
273 (patches (search-patches "openssl-runpath.patch"
274 "openssl-c-rehash-in.patch"))))
275 (build-system gnu-build-system)
277 "doc" ;1.5MiB of man3 pages
278 "static")) ;6MiB of .a files
279 (native-inputs `(("perl" ,perl)))
281 `(#:disallowed-references (,perl)
286 ;; Changes to OpenSSL sometimes cause Perl to "sneak in" to the closure,
287 ;; so we explicitly disallow it here.
288 #:disallowed-references ,(list (canonical-package perl))
290 (modify-phases %standard-phases
292 'configure 'patch-Makefile.org
293 (lambda* (#:key outputs #:allow-other-keys)
294 ;; The default MANDIR is some unusual place. Fix that.
295 (let ((out (assoc-ref outputs "out")))
296 (patch-makefile-SHELL "Makefile.org")
297 (substitute* "Makefile.org"
298 (("^MANDIR[[:blank:]]*=.*$")
299 (string-append "MANDIR = " out "/share/man\n")))
303 (lambda* (#:key outputs #:allow-other-keys)
304 (let ((out (assoc-ref outputs "out")))
307 "shared" ;build shared libraries
310 ;; The default for this catch-all directory is
311 ;; PREFIX/ssl. Change that to something more
313 (string-append "--openssldir=" out
314 "/share/openssl-" ,version)
316 (string-append "--prefix=" out)
318 ;; XXX FIXME: Work around a code generation bug in GCC
319 ;; 4.9.3 on ARM when compiled with -mfpu=neon. See:
320 ;; <https://gcc.gnu.org/bugzilla/show_bug.cgi?id=66917>
321 ,@(if (and (not (%current-target-system))
322 (string-prefix? "armhf" (%current-system)))
326 'install 'make-libraries-writable
327 (lambda* (#:key outputs #:allow-other-keys)
328 ;; Make libraries writable so that 'strip' does its job.
329 (let ((out (assoc-ref outputs "out")))
330 (for-each (lambda (file)
332 (find-files (string-append out "/lib")
335 (add-after 'install 'move-static-libraries
336 (lambda* (#:key outputs #:allow-other-keys)
337 ;; Move static libraries to the "static" output.
338 (let* ((out (assoc-ref outputs "out"))
339 (lib (string-append out "/lib"))
340 (static (assoc-ref outputs "static"))
341 (slib (string-append static "/lib")))
342 (for-each (lambda (file)
343 (install-file file slib)
345 (find-files lib "\\.a$"))
347 (add-after 'install 'move-man3-pages
348 (lambda* (#:key outputs #:allow-other-keys)
349 ;; Move section 3 man pages to "doc".
350 (let* ((out (assoc-ref outputs "out"))
351 (man3 (string-append out "/share/man/man3"))
352 (doc (assoc-ref outputs "doc"))
353 (target (string-append doc "/share/man/man3")))
355 (for-each (lambda (file)
357 (string-append target "/"
360 (delete-file-recursively man3)
363 'patch-source-shebangs 'patch-tests
364 (lambda* (#:key inputs native-inputs #:allow-other-keys)
365 (let ((bash (assoc-ref (or native-inputs inputs) "bash")))
366 (substitute* (find-files "test" ".*")
368 (string-append bash "/bin/sh"))
373 'install 'remove-miscellany
374 (lambda* (#:key outputs #:allow-other-keys)
375 ;; The 'misc' directory contains random undocumented shell and Perl
376 ;; scripts. Remove them to avoid retaining a reference on Perl.
377 (let ((out (assoc-ref outputs "out")))
378 (delete-file-recursively (string-append out "/share/openssl-"
382 ;; FIXME: These two variables must designate a single file or directory
383 ;; and are not actually "search paths." In practice it works OK in user
384 ;; profiles because there's always just one item that matches the
386 (list (search-path-specification
387 (variable "SSL_CERT_DIR")
388 (files '("etc/ssl/certs")))
389 (search-path-specification
390 (variable "SSL_CERT_FILE")
391 (files '("etc/ssl/certs/ca-certificates.crt")))))
392 (synopsis "SSL/TLS implementation")
394 "OpenSSL is an implementation of SSL/TLS.")
395 (license license:openssl)
396 (home-page "http://www.openssl.org/")))
398 ;; Fixes CVE-2017-3735 and CVE-2017-3736.
399 ;; See <https://www.openssl.org/news/cl102.txt>.
400 (define-public openssl-1.0.2m
405 (inherit (package-source openssl))
406 (uri (list (string-append "https://www.openssl.org/source/openssl-"
408 (string-append "ftp://ftp.openssl.org/source/openssl-"
410 (string-append "ftp://ftp.openssl.org/source/old/"
411 (string-trim-right version char-set:letter)
412 "/openssl-" version ".tar.gz")))
415 "03vvlfnxx4lhxc83ikfdl6jqph4h52y7lb7li03va6dkqrgg2vwc"))))))
417 (define-public openssl-next
424 (uri (list (string-append "https://www.openssl.org/source/openssl-"
426 (string-append "ftp://ftp.openssl.org/source/"
427 name "-" version ".tar.gz")
428 (string-append "ftp://ftp.openssl.org/source/old/"
429 (string-trim-right version char-set:letter)
430 "/" name "-" version ".tar.gz")))
431 (patches (search-patches "openssl-1.1.0-c-rehash-in.patch"))
434 "1bvka2wf33w2vxv7yw578nnjqyhz2b3chvfb0l4k2ffscw950kfy"))))
436 "doc" ;1.3MiB of man3 pages
437 "static")) ; 5.5MiB of .a files
439 (substitute-keyword-arguments (package-arguments openssl)
441 `(modify-phases ,phases
442 (delete 'patch-tests) ; These two phases are not needed by
443 (delete 'patch-Makefile.org) ; OpenSSL 1.1.0.
445 ;; Override configure phase since -rpath is now a configure option.
447 (lambda* (#:key outputs #:allow-other-keys)
448 (let* ((out (assoc-ref outputs "out"))
449 (lib (string-append out "/lib")))
452 "shared" ;build shared libraries
455 ;; The default for this catch-all directory is
456 ;; PREFIX/ssl. Change that to something more
458 (string-append "--openssldir=" out
459 "/share/openssl-" ,version)
461 (string-append "--prefix=" out)
462 (string-append "-Wl,-rpath," lib)
464 ;; XXX FIXME: Work around a code generation bug in GCC
465 ;; 4.9.3 on ARM when compiled with -mfpu=neon. See:
466 ;; <https://gcc.gnu.org/bugzilla/show_bug.cgi?id=66917>
467 ,@(if (and (not (%current-target-system))
468 (string-prefix? "armhf" (%current-system)))
472 ;; XXX: Duplicate this phase to make sure 'version' evaluates
473 ;; in the current scope and not the inherited one.
474 (replace 'remove-miscellany
475 (lambda* (#:key outputs #:allow-other-keys)
476 ;; The 'misc' directory contains random undocumented shell and Perl
477 ;; scripts. Remove them to avoid retaining a reference on Perl.
478 (let ((out (assoc-ref outputs "out")))
479 (delete-file-recursively (string-append out "/share/openssl-"
483 (define-public libressl
489 (uri (string-append "mirror://openbsd/LibreSSL/"
490 name "-" version ".tar.gz"))
493 "1i77viqy1afvbr392npk9v54k9zhr9zq2vhv6pliza22b0ymwzz5"))))
494 (build-system gnu-build-system)
496 ;; Do as if 'getentropy' was missing since older Linux kernels lack it
497 ;; and libc would return ENOSYS, which is not properly handled.
498 ;; See <https://lists.gnu.org/archive/html/guix-devel/2017-04/msg00235.html>.
499 '(#:configure-flags '("ac_cv_func_getentropy=no"
500 ;; Provide a TLS-enabled netcat.
503 ;; FIXME: These two variables must designate a single file or directory
504 ;; and are not actually "search paths." In practice it works OK in
505 ;; user profiles because there's always just one item that matches the
507 (list (search-path-specification
508 (variable "SSL_CERT_DIR")
509 (files '("etc/ssl/certs")))
510 (search-path-specification
511 (variable "SSL_CERT_FILE")
512 (files '("etc/ssl/certs/ca-certificates.crt")))))
513 (home-page "https://www.libressl.org/")
514 (synopsis "SSL/TLS implementation")
515 (description "LibreSSL is a version of the TLS/crypto stack, forked from
516 OpenSSL in 2014 with the goals of modernizing the codebase, improving security,
517 and applying best practice development processes. This package also includes a
518 netcat implementation that supports TLS.")
519 ;; Files taken from OpenSSL keep their license, others are under various
520 ;; non-copyleft licenses.
521 (license (list license:openssl
522 (license:non-copyleft
524 "See COPYING in the distribution.")))))
526 (define-public python-acme
529 ;; Remember to update the hash of certbot when updating python-acme.
533 (uri (pypi-uri "acme" version))
536 "08p8w50zciqlhgn3ab0wbbvi1zyg3x37r1gywq0z1allsij3v8hz"))))
537 (build-system python-build-system)
540 (modify-phases %standard-phases
541 (add-after 'build 'build-documentation
543 (zero? (system* "make" "-C" "docs" "man" "info"))))
544 (add-after 'install 'install-documentation
545 (lambda* (#:key outputs #:allow-other-keys)
546 (let* ((out (assoc-ref outputs "out"))
547 (man (string-append out "/share/man/man1"))
548 (info (string-append out "/info")))
549 (install-file "docs/_build/texinfo/acme-python.info" info)
550 (install-file "docs/_build/man/acme-python.1" man)
552 ;; TODO: Add optional inputs for testing.
554 `(("python-mock" ,python-mock-2)
556 ("python-sphinx" ,python-sphinx)
557 ("python-sphinxcontrib-programoutput" ,python-sphinxcontrib-programoutput)
558 ("python-sphinx-rtd-theme" ,python-sphinx-rtd-theme)
559 ("texinfo" ,texinfo)))
561 `(("python-six" ,python-six)
562 ("python-requests" ,python-requests)
563 ("python-pytz" ,python-pytz)
564 ("python-pyrfc3339" ,python-pyrfc3339)
565 ("python-pyasn1" ,python-pyasn1)
566 ("python-cryptography" ,python-cryptography)
567 ("python-pyopenssl" ,python-pyopenssl)))
568 (home-page "https://github.com/letsencrypt/letsencrypt")
569 (synopsis "ACME protocol implementation in Python")
570 (description "ACME protocol implementation in Python")
571 (license license:asl2.0)))
573 (define-public certbot
576 ;; Certbot and python-acme are developed in the same repository, and their
577 ;; versions should remain synchronized.
578 (version (package-version python-acme))
581 (uri (pypi-uri name version))
584 "0lwxqz3r0fg3dy06fgba1dfs7n6ribc25z0rh5rqbl7mvy8hf8x7"))))
585 (build-system python-build-system)
587 `(,@(substitute-keyword-arguments (package-arguments python-acme)
589 `(modify-phases ,phases
590 (replace 'install-documentation
591 (lambda* (#:key outputs #:allow-other-keys)
592 (let* ((out (assoc-ref outputs "out"))
593 (man1 (string-append out "/share/man/man1"))
594 (man7 (string-append out "/share/man/man7"))
595 (info (string-append out "/info")))
596 (install-file "docs/_build/texinfo/Certbot.info" info)
597 (install-file "docs/_build/man/certbot.1" man1)
598 (install-file "docs/_build/man/certbot.7" man7)
600 ;; TODO: Add optional inputs for testing.
602 `(("python-nose" ,python-nose)
603 ("python-mock" ,python-mock-2)
605 ("python-sphinx" ,python-sphinx)
606 ("python-sphinx-rtd-theme" ,python-sphinx-rtd-theme)
607 ("python-sphinx-repoze-autointerface" ,python-sphinx-repoze-autointerface)
608 ("python-sphinxcontrib-programoutput" ,python-sphinxcontrib-programoutput)
609 ("texinfo" ,texinfo)))
611 `(("python-acme" ,python-acme)
612 ("python-zope-interface" ,python-zope-interface)
613 ("python-pyrfc3339" ,python-pyrfc3339)
614 ("python-pyopenssl" ,python-pyopenssl)
615 ("python-configobj" ,python-configobj)
616 ("python-configargparse" ,python-configargparse)
617 ("python-zope-component" ,python-zope-component)
618 ("python-parsedatetime" ,python-parsedatetime)
619 ("python-six" ,python-six)
620 ("python-psutil" ,python-psutil)
621 ("python-requests" ,python-requests)
622 ("python-pytz" ,python-pytz)))
623 (synopsis "Let's Encrypt client by the Electronic Frontier Foundation")
624 (description "Certbot automatically receives and installs X.509 certificates
625 to enable Transport Layer Security (TLS) on servers. It interoperates with the
626 Let’s Encrypt certificate authority (CA), which issues browser-trusted
627 certificates for free.")
628 (home-page "https://certbot.eff.org/")
629 (license license:asl2.0)))
631 (define-public letsencrypt
632 (package (inherit certbot)
634 (properties `((superseded . ,certbot)))))
636 (define-public perl-net-ssleay
638 (name "perl-net-ssleay")
642 (uri (string-append "mirror://cpan/authors/id/M/MI/MIKEM/"
643 "Net-SSLeay-" version ".tar.gz"))
646 "0z8vya34g88bc41kx955sv7y4niwbbywji8liqbl52v29qbvdjq0"))))
647 (build-system perl-build-system)
648 (inputs `(("openssl" ,openssl)))
651 (modify-phases %standard-phases
653 'configure 'set-ssl-prefix
654 (lambda* (#:key inputs #:allow-other-keys)
655 (setenv "OPENSSL_PREFIX" (assoc-ref inputs "openssl"))
657 (synopsis "Perl extension for using OpenSSL")
659 "This module offers some high level convenience functions for accessing
660 web pages on SSL servers (for symmetry, the same API is offered for accessing
661 http servers, too), an sslcat() function for writing your own clients, and
662 finally access to the SSL api of the SSLeay/OpenSSL package so you can write
663 servers or clients for more complicated applications.")
664 (license license:perl-license)
665 (home-page "http://search.cpan.org/~mikem/Net-SSLeay-1.66/")))
667 (define-public perl-crypt-openssl-rsa
669 (name "perl-crypt-openssl-rsa")
675 "mirror://cpan/authors/id/P/PE/PERLER/Crypt-OpenSSL-RSA-"
680 "1gnpvv09b2gpifwdzc5jnhama3d1a4c39lzj9hcaicsb8rvzjmsk"))))
681 (build-system perl-build-system)
683 `(("perl-crypt-openssl-bignum" ,perl-crypt-openssl-bignum)
684 ("perl-crypt-openssl-random" ,perl-crypt-openssl-random)
685 ("openssl" ,openssl)))
686 (arguments perl-crypt-arguments)
688 "http://search.cpan.org/dist/Crypt-OpenSSL-RSA")
690 "RSA encoding and decoding, using the openSSL libraries")
691 (description "Crypt::OpenSSL::RSA does RSA encoding and decoding (using the
692 OpenSSL libraries).")
693 (license license:perl-license)))
695 (define perl-crypt-arguments
696 `(#:phases (modify-phases %standard-phases
697 (add-before 'configure 'patch-Makefile.PL
698 (lambda* (#:key inputs #:allow-other-keys)
699 (substitute* "Makefile.PL"
700 (("'LIBS'.*=>.*") (string-append "'LIBS' => ['-L"
701 (assoc-ref inputs "openssl")
702 "/lib -lcrypto'],")))
705 (define-public perl-crypt-openssl-bignum
707 (name "perl-crypt-openssl-bignum")
713 "mirror://cpan/authors/id/K/KM/KMX/Crypt-OpenSSL-Bignum-"
718 "0gamn4dff1bz77nswacy1dlpn9fkwahzw7yvvik4nbwwy2s63hc8"))))
719 (build-system perl-build-system)
720 (inputs `(("openssl" ,openssl)))
721 (arguments perl-crypt-arguments)
723 "http://search.cpan.org/dist/Crypt-OpenSSL-Bignum")
725 "OpenSSL's multiprecision integer arithmetic in Perl")
726 (description "Crypt::OpenSSL::Bignum provides multiprecision integer
727 arithmetic in Perl.")
728 ;; At your option either gpl1+ or the Artistic License
729 (license license:perl-license)))
731 (define-public perl-crypt-openssl-random
733 (name "perl-crypt-openssl-random")
739 "mirror://cpan/authors/id/R/RU/RURBAN/Crypt-OpenSSL-Random-"
744 "0yjcabkibrkafywvdkmd1xpi6br48skyk3l15ni176wvlg38335v"))))
745 (build-system perl-build-system)
746 (inputs `(("openssl" ,openssl)))
747 (arguments perl-crypt-arguments)
749 "http://search.cpan.org/dist/Crypt-OpenSSL-Random")
751 "OpenSSL/LibreSSL pseudo-random number generator access")
752 (description "Crypt::OpenSSL::Random is a OpenSSL/LibreSSL pseudo-random
754 (license license:perl-license)))
756 (define-public acme-client
762 (uri (string-append "https://kristaps.bsd.lv/" name "/"
763 "snapshots/" name "-portable-"
767 "00q05b3b1dfnfp7sr1nbd212n0mqrycl3cr9lbs51m7ncaihbrz9"))))
768 (build-system gnu-build-system)
770 '(#:tests? #f ; no test suite
773 (string-append "PREFIX=" (assoc-ref %outputs "out")))
775 (modify-phases %standard-phases
776 (add-after 'unpack 'patch-paths
777 (lambda* (#:key inputs #:allow-other-keys)
778 (let ((pem (string-append (assoc-ref inputs "libressl")
779 "/etc/ssl/cert.pem")))
780 (substitute* "http.c"
781 (("/etc/ssl/cert.pem") pem))
783 (delete 'configure)))) ; no './configure' script
785 `(("pkg-config" ,pkg-config)))
788 ("libressl" ,libressl)))
789 (synopsis "Let's Encrypt client by the OpenBSD project")
790 (description "acme-client is a Let's Encrypt client implemented in C. It
791 uses a modular design, and attempts to secure itself by dropping privileges and
792 operating in a chroot where possible. acme-client is developed on OpenBSD and
793 then ported to the GNU / Linux environment.")
794 (home-page "https://kristaps.bsd.lv/acme-client/")
795 ;; acme-client is distributed under the ISC license, but the files 'jsmn.h'
796 ;; and 'jsmn.c' are distributed under the Expat license.
797 (license (list license:isc license:expat))))
799 ;; The "-apache" variant is the upstreamed prefered variant. A "-gpl"
800 ;; variant exists in addition to the "-apache" one.
801 (define-public mbedtls-apache
803 (name "mbedtls-apache")
808 ;; XXX: The download links on the website are script redirection links
809 ;; which effectively lead to the format listed in the uri here.
810 (uri (string-append "https://tls.mbed.org/download/mbedtls-"
811 version "-apache.tgz"))
814 "11wnj34rfqxjggmdgf042i49lr6civgbqwv2p7p8bn6k2919vg4r"))))
815 (build-system cmake-build-system)
818 (synopsis "Small TLS library")
820 "@code{mbed TLS}, formerly known as PolarSSL, makes it trivially easy
821 for developers to include cryptographic and SSL/TLS capabilities in their
822 (embedded) products, facilitating this functionality with a minimal
824 (home-page "https://tls.mbed.org")
825 (license license:asl2.0)))
827 (define-public ghc-tls
833 (uri (string-append "https://hackage.haskell.org/package/"
834 "tls/tls-" version ".tar.gz"))
837 "1rdidf18i781c0vdvy9yn79yh08hmcacf6fp3sgghyiy3h0wyh5l"))))
838 (build-system haskell-build-system)
840 `(("ghc-mtl" ,ghc-mtl)
841 ("ghc-cereal" ,ghc-cereal)
842 ("ghc-data-default-class" ,ghc-data-default-class)
843 ("ghc-memory" ,ghc-memory)
844 ("ghc-cryptonite" ,ghc-cryptonite)
845 ("ghc-asn1-types" ,ghc-asn1-types)
846 ("ghc-asn1-encoding" ,ghc-asn1-encoding)
847 ("ghc-x509" ,ghc-x509)
848 ("ghc-x509-store" ,ghc-x509-store)
849 ("ghc-x509-validation" ,ghc-x509-validation)
850 ("ghc-async" ,ghc-async)
851 ("ghc-network" ,ghc-network)
852 ("ghc-hourglass" ,ghc-hourglass)))
854 `(("ghc-tasty" ,ghc-tasty)
855 ("ghc-tasty-quickcheck" ,ghc-tasty-quickcheck)
856 ("ghc-quickcheck" ,ghc-quickcheck)))
857 (home-page "https://github.com/vincenthz/hs-tls")
859 "TLS/SSL protocol native implementation (Server and Client)")
861 "Native Haskell TLS and SSL protocol implementation for server and client.
862 This provides a high-level implementation of a sensitive security protocol,
863 eliminating a common set of security issues through the use of the advanced
864 type system, high level constructions and common Haskell features. Currently
865 implement the SSL3.0, TLS1.0, TLS1.1 and TLS1.2 protocol, and support RSA and
866 Ephemeral (Elliptic curve and regular) Diffie Hellman key exchanges, and many
868 (license license:bsd-3)))