1 ;;; GNU Guix --- Functional package management for GNU
2 ;;; Copyright © 2012, 2013, 2014, 2015, 2016, 2017 Ludovic Courtès <ludo@gnu.org>
3 ;;; Copyright © 2014, 2015, 2016, 2017 Mark H Weaver <mhw@netris.org>
4 ;;; Copyright © 2014 Ian Denhardt <ian@zenhack.net>
5 ;;; Copyright © 2013, 2015 Andreas Enge <andreas@enge.fr>
6 ;;; Copyright © 2015 David Thompson <davet@gnu.org>
7 ;;; Copyright © 2015, 2016, 2017 Leo Famulari <leo@famulari.name>
8 ;;; Copyright © 2016, 2017 Efraim Flashner <efraim@flashner.co.il>
9 ;;; Copyright © 2016, 2017 ng0 <ng0@infotropique.org>
10 ;;; Copyright © 2016 Hartmut Goebel <h.goebel@crazy-compilers.com>
11 ;;; Copyright © 2017 Ricardo Wurmus <rekado@elephly.net>
12 ;;; Copyright © 2017 Marius Bakke <mbakke@fastmail.com>
13 ;;;
14 ;;; This file is part of GNU Guix.
15 ;;;
16 ;;; GNU Guix is free software; you can redistribute it and/or modify it
17 ;;; under the terms of the GNU General Public License as published by
18 ;;; the Free Software Foundation; either version 3 of the License, or (at
19 ;;; your option) any later version.
20 ;;;
21 ;;; GNU Guix is distributed in the hope that it will be useful, but
22 ;;; WITHOUT ANY WARRANTY; without even the implied warranty of
23 ;;; MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
24 ;;; GNU General Public License for more details.
25 ;;;
26 ;;; You should have received a copy of the GNU General Public License
27 ;;; along with GNU Guix. If not, see <http://www.gnu.org/licenses/>.
28
29 (define-module (gnu packages tls)
30 #:use-module ((guix licenses) #:prefix license:)
31 #:use-module (guix packages)
32 #:use-module (guix download)
33 #:use-module (guix utils)
34 #:use-module (guix build-system gnu)
35 #:use-module (guix build-system perl)
36 #:use-module (guix build-system python)
37 #:use-module (guix build-system cmake)
38 #:use-module (gnu packages compression)
39 #:use-module (gnu packages)
40 #:use-module (gnu packages dns)
41 #:use-module (gnu packages guile)
42 #:use-module (gnu packages libbsd)
43 #:use-module (gnu packages libffi)
44 #:use-module (gnu packages libidn)
45 #:use-module (gnu packages linux)
46 #:use-module (gnu packages ncurses)
47 #:use-module (gnu packages nettle)
48 #:use-module (gnu packages perl)
49 #:use-module (gnu packages pkg-config)
50 #:use-module (gnu packages python)
51 #:use-module (gnu packages texinfo)
52 #:use-module (gnu packages base)
53 #:use-module (srfi srfi-1))
54
(define-public libtasn1
  (package
    (name "libtasn1")
    (version "4.12")
    (source
     (origin
       (method url-fetch)
       (uri (string-append "mirror://gnu/libtasn1/libtasn1-"
                           version ".tar.gz"))
       ;; Local patch for CVE-2017-10790, applied on top of the 4.12 tarball.
       (patches (search-patches "libtasn1-CVE-2017-10790.patch"))
       (sha256
        (base32
         "0ls7jdq3y5fnrwg0pzhq11m21r8pshac2705bczz6mqjc8pdllv7"))))
    (build-system gnu-build-system)
    (native-inputs `(("perl" ,perl)))
    (synopsis "ASN.1 library")
    (description
     "GNU libtasn1 is a library implementing the ASN.1 notation. It is used
for transmitting machine-neutral encodings of data objects in computer
networking, allowing for formal validation of data according to some
specifications.")
    (home-page "https://www.gnu.org/software/libtasn1/")
    (license license:lgpl2.0+)))
78
(define-public asn1c
  (package
    (name "asn1c")
    (version "0.9.28")
    (source (origin
              (method url-fetch)
              (uri (string-append "https://lionet.info/soft/asn1c-"
                                  version ".tar.gz"))
              (sha256
               (base32
                "1fc64g45ykmv73kdndr4zdm4wxhimhrir4rxnygxvwkych5l81w0"))))
    (build-system gnu-build-system)
    ;; Perl is listed as a native (build-side) input only.
    (native-inputs `(("perl" ,perl)))
    (synopsis "ASN.1 to C compiler")
    (description "The ASN.1 to C compiler takes ASN.1 module
files and generates C++ compatible C source code. That code can be
used to serialize the native C structures into compact and unambiguous
BER/XER/PER-based data files, and deserialize the files back.

Various ASN.1 based formats are widely used in the industry, such as to encode
the X.509 certificates employed in the HTTPS handshake, to exchange control
data between mobile phones and cellular networks, to car-to-car communication
in intelligent transportation networks.")
    (home-page "https://lionet.info/asn1c")
    (license license:bsd-2)))
105
(define-public p11-kit
  (package
    (name "p11-kit")
    (version "0.23.9")
    (source
     (origin
       (method url-fetch)
       (uri (string-append "https://github.com/p11-glue/p11-kit/releases/"
                           "download/" version "/p11-kit-" version ".tar.gz"))
       (sha256
        (base32
         "0qyvnkb5hfi94wv3bn67y20hcbbvynvjwxpk7k9sh1si6ff69hg1"))))
    (build-system gnu-build-system)
    (arguments
     ;; NOTE(review): '--without-trust-paths' presumably leaves p11-kit with
     ;; no built-in default trust store location, so consumers have to supply
     ;; their own trust configuration -- confirm against p11-kit's configure.
     `(#:configure-flags '("--without-trust-paths")))
    (native-inputs `(("pkg-config" ,pkg-config)))
    (inputs
     `(("libffi" ,libffi)
       ("libtasn1" ,libtasn1)))
    (synopsis "PKCS#11 library")
    (description
     "p11-kit provides a way to load and enumerate PKCS#11 modules. It
provides a standard configuration setup for installing PKCS#11 modules
in such a way that they are discoverable. It also solves problems with
coordinating the use of PKCS#11 by different components or libraries
living in the same process.")
    (home-page "http://p11-glue.freedesktop.org/p11-kit.html")
    (license license:bsd-3)))
135
136
137 ;; TODO Add net-tools-for-tests to #:disallowed-references when we can afford
138 ;; to rebuild GnuTLS (i.e. core-updates).
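(define-public gnutls
  (package
    (name "gnutls")
    (version "3.5.13")
    (source (origin
              (method url-fetch)
              (uri
               ;; Note: Releases are no longer on ftp.gnu.org since the
               ;; schism (after version 3.1.5).
               (string-append "mirror://gnupg/gnutls/v"
                              (version-major+minor version)
                              "/gnutls-" version ".tar.xz"))
              (patches
               (search-patches "gnutls-skip-trust-store-test.patch"
                               "gnutls-skip-pkgconfig-test.patch"))
              (sha256
               (base32
                "15ihq6p0hnnhs8cnjrkj40dmlcaa1jjg8xg0g2ydbnlqs454ixbr"))))
    (build-system gnu-build-system)
    (arguments
     '(#:configure-flags
       (list
        ;; GnuTLS doesn't consult any environment variables to specify
        ;; the location of the system-wide trust store.  Instead it has a
        ;; configure-time option.  Unless specified, its configure script
        ;; attempts to auto-detect the location by looking for common
        ;; places in the file system, none of which are present in our
        ;; chroot build environment.  If not found, then no default trust
        ;; store is used, so each program has to provide its own
        ;; fallback, and users have to configure each program
        ;; independently.  This seems suboptimal.
        ;;
        ;; The resulting trust store path is outside the store, so the set
        ;; of trusted CAs is whatever the running system has installed at
        ;; /etc/ssl/certs at run time.
        "--with-default-trust-store-dir=/etc/ssl/certs"

        ;; FIXME: Temporarily disable p11-kit support since it is not
        ;; working on mips64el.
        "--without-p11-kit")

       #:phases (modify-phases %standard-phases
                  (add-after 'install 'move-doc
                    (lambda* (#:key outputs #:allow-other-keys)
                      ;; Copy the 4.1 MiB of section 3 man pages to "doc",
                      ;; then drop them from "out".
                      (let* ((out (assoc-ref outputs "out"))
                             (doc (assoc-ref outputs "doc"))
                             (mandir (string-append doc "/share/man/man3"))
                             (oldman (string-append out "/share/man/man3")))
                        (mkdir-p mandir)
                        (copy-recursively oldman mandir)
                        (delete-file-recursively oldman)
                        #t))))))
    (outputs '("out"                    ;4.4 MiB
               "debug"
               "doc"))                  ;4.1 MiB of man pages
    (native-inputs
     `(("net-tools" ,net-tools-for-tests)
       ("pkg-config" ,pkg-config)
       ("which" ,which)))
    (inputs
     `(("guile" ,guile-2.2)))
    (propagated-inputs
     ;; These are all in the 'Requires.private' field of gnutls.pc.
     `(("libtasn1" ,libtasn1)
       ("libidn2" ,libidn2)
       ("nettle" ,nettle)
       ("zlib" ,zlib)))
    (home-page "https://www.gnu.org/software/gnutls/")
    (synopsis "Transport layer security library")
    ;; "X.5009" in the previous description was a typo for X.509.
    (description
     "GnuTLS is a secure communications library implementing the SSL, TLS
and DTLS protocols. It is provided in the form of a C library to support the
protocols, as well as to parse and write X.509, PKCS 12, OpenPGP and other
required structures.")
    (license license:lgpl2.1+)
    (properties '((ftp-server . "ftp.gnutls.org")
                  (ftp-directory . "/gcrypt/gnutls")))))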
214
(define-public gnutls/guile-2.2
  ;; Deprecated alias: 'gnutls' above is already built against Guile 2.2
  ;; (see its 'inputs'), so "guile2.2-gnutls" simply resolves to it.
  (deprecated-package "guile2.2-gnutls" gnutls))
217
(define-public gnutls/guile-2.0
  ;; Same as 'gnutls' but with the "guile" input swapped for Guile 2.0.
  (package
    (inherit gnutls)
    (name "guile2.0-gnutls")
    (inputs (cons `("guile" ,guile-2.0)
                  (alist-delete "guile" (package-inputs gnutls))))))
225
(define-public gnutls/dane
  ;; GnuTLS with libgnutls-dane built, implementing DNS-based
  ;; Authentication of Named Entities.  This is required for GNS functionality
  ;; by GNUnet and gnURL.  It is a separate package definition so that users
  ;; can choose between GnuTLS with and without DANE.  The only difference
  ;; from 'gnutls' is the additional "unbound" input.
  (package
    (inherit gnutls)
    (name "gnutls-dane")
    (inputs (cons `("unbound" ,unbound)
                  (package-inputs gnutls)))))
236
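(define-public openssl
  (package
    (name "openssl")
    (version "1.0.2l")
    (source (origin
              (method url-fetch)
              ;; Plain FTP gives no transport authentication; the integrity of
              ;; the tarball rests entirely on the sha256 below.
              (uri (list (string-append "ftp://ftp.openssl.org/source/"
                                        name "-" version ".tar.gz")
                         (string-append "ftp://ftp.openssl.org/source/old/"
                                        (string-trim-right version char-set:letter)
                                        "/" name "-" version ".tar.gz")))
              (sha256
               (base32
                "037kvpisc6qh5dkppcwbm5bg2q800xh2hma3vghz8xcycmdij1yf"))
              (snippet
               '(begin
                  ;; Remove ELF files.  'substitute*' can't read them.
                  (delete-file "test/ssltest_old")
                  (delete-file "test/v3ext")
                  (delete-file "test/x509aux")
                  #t))
              (patches (search-patches "openssl-runpath.patch"
                                       "openssl-c-rehash-in.patch"))))
    (build-system gnu-build-system)
    (outputs '("out"
               "doc"                    ;1.5MiB of man3 pages
               "static"))               ;6MiB of .a files
    (native-inputs `(("perl" ,perl)))
    (arguments
     `(#:parallel-build? #f
       #:parallel-tests? #f
       #:test-target "test"

       ;; Changes to OpenSSL sometimes cause Perl to "sneak in" to the closure,
       ;; so we explicitly disallow it here.  This keyword used to be given
       ;; twice (once with 'perl', once with its canonical counterpart), which
       ;; left it to keyword-argument resolution to pick one; list both in a
       ;; single entry instead so neither can end up in the closure.
       #:disallowed-references (,perl ,(canonical-package perl))
       #:phases
       (modify-phases %standard-phases
         (add-before 'configure 'patch-Makefile.org
           (lambda* (#:key outputs #:allow-other-keys)
             ;; The default MANDIR is some unusual place.  Fix that.
             (let ((out (assoc-ref outputs "out")))
               (patch-makefile-SHELL "Makefile.org")
               (substitute* "Makefile.org"
                 (("^MANDIR[[:blank:]]*=.*$")
                  (string-append "MANDIR = " out "/share/man\n")))
               #t)))
         (replace 'configure
           (lambda* (#:key outputs #:allow-other-keys)
             (let ((out (assoc-ref outputs "out")))
               (zero?
                (system* "./config"
                         "shared"       ;build shared libraries
                         "--libdir=lib"

                         ;; The default for this catch-all directory is
                         ;; PREFIX/ssl.  Change that to something more
                         ;; conventional.
                         (string-append "--openssldir=" out
                                        "/share/openssl-" ,version)

                         (string-append "--prefix=" out)

                         ;; XXX FIXME: Work around a code generation bug in GCC
                         ;; 4.9.3 on ARM when compiled with -mfpu=neon.  See:
                         ;; <https://gcc.gnu.org/bugzilla/show_bug.cgi?id=66917>
                         ,@(if (and (not (%current-target-system))
                                    (string-prefix? "armhf" (%current-system)))
                               '("-mfpu=vfpv3")
                               '()))))))
         (add-after 'install 'make-libraries-writable
           (lambda* (#:key outputs #:allow-other-keys)
             ;; Make libraries writable so that 'strip' does its job.
             (let ((out (assoc-ref outputs "out")))
               (for-each (lambda (file)
                           (chmod file #o644))
                         (find-files (string-append out "/lib")
                                     "\\.so"))
               #t)))
         (add-after 'install 'move-static-libraries
           (lambda* (#:key outputs #:allow-other-keys)
             ;; Move static libraries to the "static" output.
             (let* ((out (assoc-ref outputs "out"))
                    (lib (string-append out "/lib"))
                    (static (assoc-ref outputs "static"))
                    (slib (string-append static "/lib")))
               (for-each (lambda (file)
                           (install-file file slib)
                           (delete-file file))
                         (find-files lib "\\.a$"))
               #t)))
         (add-after 'install 'move-man3-pages
           (lambda* (#:key outputs #:allow-other-keys)
             ;; Move section 3 man pages to "doc".
             (let* ((out (assoc-ref outputs "out"))
                    (man3 (string-append out "/share/man/man3"))
                    (doc (assoc-ref outputs "doc"))
                    (target (string-append doc "/share/man/man3")))
               (mkdir-p target)
               (for-each (lambda (file)
                           (rename-file file
                                        (string-append target "/"
                                                       (basename file))))
                         (find-files man3))
               (delete-file-recursively man3)
               #t)))
         (add-before 'patch-source-shebangs 'patch-tests
           (lambda* (#:key inputs native-inputs #:allow-other-keys)
             ;; Point the test scripts at the build's bash and at 'rm' from
             ;; PATH instead of the absolute /bin paths.
             (let ((bash (assoc-ref (or native-inputs inputs) "bash")))
               (substitute* (find-files "test" ".*")
                 (("/bin/sh")
                  (string-append bash "/bin/sh"))
                 (("/bin/rm")
                  "rm"))
               #t)))
         (add-after 'install 'remove-miscellany
           (lambda* (#:key outputs #:allow-other-keys)
             ;; The 'misc' directory contains random undocumented shell and Perl
             ;; scripts.  Remove them to avoid retaining a reference on Perl.
             (let ((out (assoc-ref outputs "out")))
               (delete-file-recursively (string-append out "/share/openssl-"
                                                       ,version "/misc"))
               #t))))))
    (native-search-paths
     ;; FIXME: These two variables must designate a single file or directory
     ;; and are not actually "search paths."  In practice it works OK in user
     ;; profiles because there's always just one item that matches the
     ;; specification.
     (list (search-path-specification
            (variable "SSL_CERT_DIR")
            (files '("etc/ssl/certs")))
           (search-path-specification
            (variable "SSL_CERT_FILE")
            (files '("etc/ssl/certs/ca-certificates.crt")))))
    (synopsis "SSL/TLS implementation")
    (description
     "OpenSSL is an implementation of SSL/TLS.")
    (license license:openssl)
    (home-page "http://www.openssl.org/")))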
382
(define-public openssl-next
  (package
    (inherit openssl)
    (name "openssl")
    (version "1.1.0f")
    (source (origin
              (method url-fetch)
              ;; Same FTP mirrors as 'openssl'; integrity comes from sha256.
              (uri (list (string-append "ftp://ftp.openssl.org/source/"
                                        name "-" version ".tar.gz")
                         (string-append "ftp://ftp.openssl.org/source/old/"
                                        (string-trim-right version char-set:letter)
                                        "/" name "-" version ".tar.gz")))
              (patches (search-patches "openssl-1.1.0-c-rehash-in.patch"))
              (sha256
               (base32
                "0r97n4n552ns571diz54qsgarihrxvbn7kvyv8wjyfs9ybrldxqj"))))
    (outputs '("out"
               "doc"                    ;1.3MiB of man3 pages
               "static"))               ; 5.5MiB of .a files
    (arguments
     (substitute-keyword-arguments (package-arguments openssl)
       ((#:phases phases)
        `(modify-phases ,phases
           ;; Neither of these inherited phases applies to OpenSSL 1.1.0.
           (delete 'patch-Makefile.org)
           (delete 'patch-tests)

           ;; XXX: Duplicate this phase to make sure 'version' evaluates
           ;; in the current scope and not the inherited one.
           (replace 'remove-miscellany
             (lambda* (#:key outputs #:allow-other-keys)
               ;; The 'misc' directory contains random undocumented shell and Perl
               ;; scripts.  Remove them to avoid retaining a reference on Perl.
               (let ((out (assoc-ref outputs "out")))
                 (delete-file-recursively (string-append out "/share/openssl-"
                                                         ,version "/misc"))
                 #t)))

           ;; Override configure phase since -rpath is now a configure option.
           (replace 'configure
             (lambda* (#:key outputs #:allow-other-keys)
               (let* ((out (assoc-ref outputs "out"))
                      (libdir (string-append out "/lib")))
                 (zero?
                  (system* "./config"
                           "shared"     ;build shared libraries
                           "--libdir=lib"

                           ;; The default for this catch-all directory is
                           ;; PREFIX/ssl.  Change that to something more
                           ;; conventional.
                           (string-append "--openssldir=" out
                                          "/share/openssl-" ,version)

                           (string-append "--prefix=" out)
                           (string-append "-Wl,-rpath," libdir)

                           ;; XXX FIXME: Work around a code generation bug in GCC
                           ;; 4.9.3 on ARM when compiled with -mfpu=neon.  See:
                           ;; <https://gcc.gnu.org/bugzilla/show_bug.cgi?id=66917>
                           ,@(if (and (not (%current-target-system))
                                      (string-prefix? "armhf" (%current-system)))
                                 '("-mfpu=vfpv3")
                                 '()))))))))))))
446
(define-public libressl
  (package
    (name "libressl")
    (version "2.5.5")
    (source (origin
              (method url-fetch)
              (uri (string-append "mirror://openbsd/LibreSSL/"
                                  name "-" version ".tar.gz"))
              (sha256
               (base32
                "1i77viqy1afvbr392npk9v54k9zhr9zq2vhv6pliza22b0ymwzz5"))))
    (build-system gnu-build-system)
    (arguments
     ;; Do as if 'getentropy' was missing since older Linux kernels lack it
     ;; and libc would return ENOSYS, which is not properly handled.
     ;; See <https://lists.gnu.org/archive/html/guix-devel/2017-04/msg00235.html>.
     '(#:configure-flags '("ac_cv_func_getentropy=no"
                           ;; Provide a TLS-enabled netcat.
                           "--enable-nc")))
    (native-search-paths
     ;; FIXME: These two variables must designate a single file or directory
     ;; and are not actually "search paths."  In practice it works OK in
     ;; user profiles because there's always just one item that matches the
     ;; specification.
     (list (search-path-specification
            (variable "SSL_CERT_DIR")
            (files '("etc/ssl/certs")))
           (search-path-specification
            (variable "SSL_CERT_FILE")
            (files '("etc/ssl/certs/ca-certificates.crt")))))
    (synopsis "SSL/TLS implementation")
    (description "LibreSSL is a version of the TLS/crypto stack, forked from
OpenSSL in 2014 with the goals of modernizing the codebase, improving security,
and applying best practice development processes. This package also includes a
netcat implementation that supports TLS.")
    (home-page "https://www.libressl.org/")
    ;; Files taken from OpenSSL keep their license, others are under various
    ;; non-copyleft licenses.
    (license (list license:openssl
                   (license:non-copyleft
                    "file://COPYING"
                    "See COPYING in the distribution.")))))
489
(define-public python-acme
  (package
    (name "python-acme")
    ;; Remember to update the hash of certbot when updating python-acme.
    (version "0.19.0")
    (source (origin
              (method url-fetch)
              (uri (pypi-uri "acme" version))
              (sha256
               (base32
                "08p8w50zciqlhgn3ab0wbbvi1zyg3x37r1gywq0z1allsij3v8hz"))))
    (build-system python-build-system)
    (arguments
     `(#:phases
       (modify-phases %standard-phases
         ;; Build the man and info pages from the Sphinx sources.
         (add-after 'build 'build-documentation
           (lambda _
             (zero? (system* "make" "-C" "docs" "man" "info"))))
         ;; Install the pages built above into "out".
         (add-after 'install 'install-documentation
           (lambda* (#:key outputs #:allow-other-keys)
             (let* ((out (assoc-ref outputs "out"))
                    (infodir (string-append out "/info"))
                    (man1dir (string-append out "/share/man/man1")))
               (install-file "docs/_build/man/acme-python.1" man1dir)
               (install-file "docs/_build/texinfo/acme-python.info" infodir)
               #t))))))
    ;; TODO: Add optional inputs for testing.
    (native-inputs
     `(("python-mock" ,python-mock-2)
       ;; For documentation
       ("python-sphinx" ,python-sphinx)
       ("python-sphinxcontrib-programoutput" ,python-sphinxcontrib-programoutput)
       ("python-sphinx-rtd-theme" ,python-sphinx-rtd-theme)
       ("texinfo" ,texinfo)))
    (propagated-inputs
     `(("python-six" ,python-six)
       ("python-requests" ,python-requests)
       ("python-pytz" ,python-pytz)
       ("python-pyrfc3339" ,python-pyrfc3339)
       ("python-pyasn1" ,python-pyasn1)
       ("python-cryptography" ,python-cryptography)
       ("python-pyopenssl" ,python-pyopenssl)))
    (synopsis "ACME protocol implementation in Python")
    (description "ACME protocol implementation in Python")
    (home-page "https://github.com/letsencrypt/letsencrypt")
    (license license:asl2.0)))
536
(define-public certbot
  (package
    (name "certbot")
    ;; Certbot and python-acme are developed in the same repository, and their
    ;; versions should remain synchronized.
    (version (package-version python-acme))
    (source (origin
              (method url-fetch)
              (uri (pypi-uri name version))
              (sha256
               (base32
                "0lwxqz3r0fg3dy06fgba1dfs7n6ribc25z0rh5rqbl7mvy8hf8x7"))))
    (build-system python-build-system)
    (arguments
     ;; Reuse python-acme's phases, swapping in certbot's own documentation
     ;; files (which also include a section 7 page).
     (substitute-keyword-arguments (package-arguments python-acme)
       ((#:phases phases)
        `(modify-phases ,phases
           (replace 'install-documentation
             (lambda* (#:key outputs #:allow-other-keys)
               (let* ((out (assoc-ref outputs "out"))
                      (infodir (string-append out "/info"))
                      (man1dir (string-append out "/share/man/man1"))
                      (man7dir (string-append out "/share/man/man7")))
                 (install-file "docs/_build/texinfo/Certbot.info" infodir)
                 (install-file "docs/_build/man/certbot.1" man1dir)
                 (install-file "docs/_build/man/certbot.7" man7dir)
                 #t)))))))
    ;; TODO: Add optional inputs for testing.
    (native-inputs
     `(("python-nose" ,python-nose)
       ("python-mock" ,python-mock-2)
       ;; For documentation
       ("python-sphinx" ,python-sphinx)
       ("python-sphinx-rtd-theme" ,python-sphinx-rtd-theme)
       ("python-sphinx-repoze-autointerface" ,python-sphinx-repoze-autointerface)
       ("python-sphinxcontrib-programoutput" ,python-sphinxcontrib-programoutput)
       ("texinfo" ,texinfo)))
    (propagated-inputs
     `(("python-acme" ,python-acme)
       ("python-zope-interface" ,python-zope-interface)
       ("python-pyrfc3339" ,python-pyrfc3339)
       ("python-pyopenssl" ,python-pyopenssl)
       ("python-configobj" ,python-configobj)
       ("python-configargparse" ,python-configargparse)
       ("python-zope-component" ,python-zope-component)
       ("python-parsedatetime" ,python-parsedatetime)
       ("python-six" ,python-six)
       ("python-psutil" ,python-psutil)
       ("python-requests" ,python-requests)
       ("python-pytz" ,python-pytz)))
    (home-page "https://certbot.eff.org/")
    (synopsis "Let's Encrypt client by the Electronic Frontier Foundation")
    (description "Certbot automatically receives and installs X.509 certificates
to enable Transport Layer Security (TLS) on servers. It interoperates with the
Let’s Encrypt certificate authority (CA), which issues browser-trusted
certificates for free.")
    (license license:asl2.0)))
594
(define-public letsencrypt
  ;; Alias of 'certbot' under the old name, marked as superseded by it.
  (package
    (inherit certbot)
    (name "letsencrypt")
    (properties `((superseded . ,certbot)))))
599
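(define-public perl-net-ssleay
  (package
    (name "perl-net-ssleay")
    (version "1.81")
    (source (origin
              (method url-fetch)
              (uri (string-append "mirror://cpan/authors/id/M/MI/MIKEM/"
                                  "Net-SSLeay-" version ".tar.gz"))
              (sha256
               (base32
                "0z8vya34g88bc41kx955sv7y4niwbbywji8liqbl52v29qbvdjq0"))))
    (build-system perl-build-system)
    (inputs `(("openssl" ,openssl)))
    (arguments
     `(#:phases
       (modify-phases %standard-phases
         (add-before 'configure 'set-ssl-prefix
           (lambda* (#:key inputs #:allow-other-keys)
             ;; Tell Makefile.PL which OpenSSL to link against.
             (setenv "OPENSSL_PREFIX" (assoc-ref inputs "openssl"))
             #t)))))
    (synopsis "Perl extension for using OpenSSL")
    (description
     "This module offers some high level convenience functions for accessing
web pages on SSL servers (for symmetry, the same API is offered for accessing
http servers, too), an sslcat() function for writing your own clients, and
finally access to the SSL api of the SSLeay/OpenSSL package so you can write
servers or clients for more complicated applications.")
    (license license:perl-license)
    ;; Use the version-independent distribution page (the previous link was
    ;; pinned to the 1.66 release), matching the other CPAN packages here.
    (home-page "http://search.cpan.org/dist/Net-SSLeay")))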
630
(define-public perl-crypt-openssl-rsa
  (package
    (name "perl-crypt-openssl-rsa")
    (version "0.28")
    (source
     (origin
       (method url-fetch)
       (uri (string-append
             "mirror://cpan/authors/id/P/PE/PERLER/Crypt-OpenSSL-RSA-"
             version
             ".tar.gz"))
       (sha256
        (base32
         "1gnpvv09b2gpifwdzc5jnhama3d1a4c39lzj9hcaicsb8rvzjmsk"))))
    (build-system perl-build-system)
    ;; NOTE(review): 'perl-crypt-arguments' is defined further down in this
    ;; file; this presumably works because the 'arguments' field is evaluated
    ;; lazily -- confirm before reordering definitions.
    (arguments perl-crypt-arguments)
    (inputs
     `(("perl-crypt-openssl-bignum" ,perl-crypt-openssl-bignum)
       ("perl-crypt-openssl-random" ,perl-crypt-openssl-random)
       ("openssl" ,openssl)))
    (synopsis
     "RSA encoding and decoding, using the openSSL libraries")
    (description "Crypt::OpenSSL::RSA does RSA encoding and decoding (using the
OpenSSL libraries).")
    (home-page
     "http://search.cpan.org/dist/Crypt-OpenSSL-RSA")
    (license license:perl-license)))
658
(define perl-crypt-arguments
  ;; Build arguments shared by the Crypt::OpenSSL::* packages: rewrite the
  ;; 'LIBS' entry of Makefile.PL so that it links against libcrypto from the
  ;; "openssl" input rather than whatever the default search path finds.
  `(#:phases
    (modify-phases %standard-phases
      (add-before 'configure 'patch-Makefile.PL
        (lambda* (#:key inputs #:allow-other-keys)
          (let ((openssl (assoc-ref inputs "openssl")))
            (substitute* "Makefile.PL"
              (("'LIBS'.*=>.*")
               (string-append "'LIBS' => ['-L" openssl "/lib -lcrypto'],")))
            #t))))))
668
(define-public perl-crypt-openssl-bignum
  (package
    (name "perl-crypt-openssl-bignum")
    (version "0.08")
    (source
     (origin
       (method url-fetch)
       (uri (string-append
             "mirror://cpan/authors/id/K/KM/KMX/Crypt-OpenSSL-Bignum-"
             version
             ".tar.gz"))
       (sha256
        (base32
         "0gamn4dff1bz77nswacy1dlpn9fkwahzw7yvvik4nbwwy2s63hc8"))))
    (build-system perl-build-system)
    ;; Shares the Makefile.PL 'LIBS' patching with the other Crypt::OpenSSL
    ;; packages.
    (arguments perl-crypt-arguments)
    (inputs `(("openssl" ,openssl)))
    (synopsis
     "OpenSSL's multiprecision integer arithmetic in Perl")
    (description "Crypt::OpenSSL::Bignum provides multiprecision integer
arithmetic in Perl.")
    (home-page
     "http://search.cpan.org/dist/Crypt-OpenSSL-Bignum")
    ;; At your option either gpl1+ or the Artistic License
    (license license:perl-license)))
694
(define-public perl-crypt-openssl-random
  (package
    (name "perl-crypt-openssl-random")
    (version "0.11")
    (source
     (origin
       (method url-fetch)
       (uri (string-append
             "mirror://cpan/authors/id/R/RU/RURBAN/Crypt-OpenSSL-Random-"
             version
             ".tar.gz"))
       (sha256
        (base32
         "0yjcabkibrkafywvdkmd1xpi6br48skyk3l15ni176wvlg38335v"))))
    (build-system perl-build-system)
    ;; Shares the Makefile.PL 'LIBS' patching with the other Crypt::OpenSSL
    ;; packages.
    (arguments perl-crypt-arguments)
    (inputs `(("openssl" ,openssl)))
    (synopsis
     "OpenSSL/LibreSSL pseudo-random number generator access")
    (description "Crypt::OpenSSL::Random is a OpenSSL/LibreSSL pseudo-random
number generator")
    (home-page
     "http://search.cpan.org/dist/Crypt-OpenSSL-Random")
    (license license:perl-license)))
719
(define-public acme-client
  (package
    (name "acme-client")
    (version "0.1.16")
    (source (origin
              (method url-fetch)
              (uri (string-append "https://kristaps.bsd.lv/" name "/"
                                  "snapshots/" name "-portable-"
                                  version ".tgz"))
              (sha256
               (base32
                "00q05b3b1dfnfp7sr1nbd212n0mqrycl3cr9lbs51m7ncaihbrz9"))))
    (build-system gnu-build-system)
    (arguments
     '(#:tests? #f                      ; no test suite
       #:make-flags
       (list "CC=gcc"
             (string-append "PREFIX=" (assoc-ref %outputs "out")))
       #:phases
       (modify-phases %standard-phases
         (delete 'configure)            ; no './configure' script
         (add-after 'unpack 'patch-paths
           (lambda* (#:key inputs #:allow-other-keys)
             ;; http.c hard-codes /etc/ssl/cert.pem as the CA bundle; point it
             ;; at the bundle shipped by the "libressl" input instead.
             ;; NOTE(review): the ACME server's certificate is therefore
             ;; verified against libressl's bundle, not the host's -- confirm
             ;; this is the intended trust anchor.
             (let ((ca-bundle (string-append (assoc-ref inputs "libressl")
                                             "/etc/ssl/cert.pem")))
               (substitute* "http.c"
                 (("/etc/ssl/cert.pem") ca-bundle))
               #t))))))
    (native-inputs
     `(("pkg-config" ,pkg-config)))
    (inputs
     `(("libbsd" ,libbsd)
       ("libressl" ,libressl)))
    (home-page "https://kristaps.bsd.lv/acme-client/")
    (synopsis "Let's Encrypt client by the OpenBSD project")
    (description "acme-client is a Let's Encrypt client implemented in C. It
uses a modular design, and attempts to secure itself by dropping privileges and
operating in a chroot where possible. acme-client is developed on OpenBSD and
then ported to the GNU / Linux environment.")
    ;; acme-client is distributed under the ISC license, but the files 'jsmn.h'
    ;; and 'jsmn.c' are distributed under the Expat license.
    (license (list license:isc license:expat))))
762
763 ;; The "-apache" variant is the variant preferred upstream. A "-gpl"
764 ;; variant exists in addition to the "-apache" one.
(define-public mbedtls-apache
  (package
    (name "mbedtls-apache")
    (version "2.6.0")
    (source
     (origin
       (method url-fetch)
       ;; XXX: The download links on the website are script redirection links
       ;; which effectively lead to the format listed in the uri here.
       (uri (string-append "https://tls.mbed.org/download/mbedtls-"
                           version "-apache.tgz"))
       (sha256
        (base32
         "11wnj34rfqxjggmdgf042i49lr6civgbqwv2p7p8bn6k2919vg4r"))))
    (build-system cmake-build-system)
    ;; Perl is a build-side (native) input only.
    (native-inputs `(("perl" ,perl)))
    (home-page "https://tls.mbed.org")
    (synopsis "Small TLS library")
    (description
     "@code{mbed TLS}, formerly known as PolarSSL, makes it trivially easy
for developers to include cryptographic and SSL/TLS capabilities in their
(embedded) products, facilitating this functionality with a minimal
coding footprint.")
    (license license:asl2.0)))