1 ;;; GNU Guix --- Functional package management for GNU
2 ;;; Copyright © 2012, 2013, 2014, 2015, 2016, 2017 Ludovic Courtès <ludo@gnu.org>
3 ;;; Copyright © 2014, 2015, 2016, 2017 Mark H Weaver <mhw@netris.org>
4 ;;; Copyright © 2014 Ian Denhardt <ian@zenhack.net>
5 ;;; Copyright © 2013, 2015 Andreas Enge <andreas@enge.fr>
6 ;;; Copyright © 2015 David Thompson <davet@gnu.org>
7 ;;; Copyright © 2015, 2016, 2017 Leo Famulari <leo@famulari.name>
8 ;;; Copyright © 2016, 2017 Efraim Flashner <efraim@flashner.co.il>
9 ;;; Copyright © 2016, 2017 ng0 <ng0@infotropique.org>
10 ;;; Copyright © 2016 Hartmut Goebel <h.goebel@crazy-compilers.com>
11 ;;; Copyright © 2017 Ricardo Wurmus <rekado@elephly.net>
12 ;;; Copyright © 2017 Marius Bakke <mbakke@fastmail.com>
13 ;;; Copyright © 2017 Tobias Geerinckx-Rice <me@tobias.gr>
14 ;;; Copyright © 2017 Rutger Helling <rhelling@mykolab.com>
15 ;;;
16 ;;; This file is part of GNU Guix.
17 ;;;
18 ;;; GNU Guix is free software; you can redistribute it and/or modify it
19 ;;; under the terms of the GNU General Public License as published by
20 ;;; the Free Software Foundation; either version 3 of the License, or (at
21 ;;; your option) any later version.
22 ;;;
23 ;;; GNU Guix is distributed in the hope that it will be useful, but
24 ;;; WITHOUT ANY WARRANTY; without even the implied warranty of
25 ;;; MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
26 ;;; GNU General Public License for more details.
27 ;;;
28 ;;; You should have received a copy of the GNU General Public License
29 ;;; along with GNU Guix. If not, see <http://www.gnu.org/licenses/>.
30
31 (define-module (gnu packages tls)
32 #:use-module ((guix licenses) #:prefix license:)
33 #:use-module (guix packages)
34 #:use-module (guix download)
35 #:use-module (guix utils)
36 #:use-module (guix build-system gnu)
37 #:use-module (guix build-system perl)
38 #:use-module (guix build-system python)
39 #:use-module (guix build-system cmake)
40 #:use-module (guix build-system haskell)
41 #:use-module (gnu packages compression)
42 #:use-module (gnu packages)
43 #:use-module (gnu packages check)
44 #:use-module (gnu packages dns)
45 #:use-module (gnu packages guile)
46 #:use-module (gnu packages haskell)
47 #:use-module (gnu packages haskell-check)
48 #:use-module (gnu packages haskell-crypto)
49 #:use-module (gnu packages libbsd)
50 #:use-module (gnu packages libffi)
51 #:use-module (gnu packages libidn)
52 #:use-module (gnu packages linux)
53 #:use-module (gnu packages ncurses)
54 #:use-module (gnu packages nettle)
55 #:use-module (gnu packages perl)
56 #:use-module (gnu packages pkg-config)
57 #:use-module (gnu packages python)
58 #:use-module (gnu packages python-crypto)
59 #:use-module (gnu packages python-web)
60 #:use-module (gnu packages texinfo)
61 #:use-module (gnu packages time)
62 #:use-module (gnu packages base)
63 #:use-module (srfi srfi-1))
64
(define-public libtasn1
  ;; ASN.1 (DER/BER) library; it is a dependency of GnuTLS and p11-kit
  ;; further down in this file.  The 'replacement' field points at a grafted
  ;; variant carrying a security patch, so dependents pick up the fix without
  ;; being rebuilt.
  (package
    (name "libtasn1")
    (version "4.12")
    ;; Graft target: see 'libtasn1/fixed' below (same recipe, patched source).
    (replacement libtasn1/fixed)
    (source
     (origin
       (method url-fetch)
       (uri (string-append "mirror://gnu/libtasn1/"
                           "libtasn1-" version ".tar.gz"))
       (sha256
        (base32 "0ls7jdq3y5fnrwg0pzhq11m21r8pshac2705bczz6mqjc8pdllv7"))))
    (build-system gnu-build-system)
    ;; Perl is a build-time (native) input only.
    (native-inputs `(("perl" ,perl)))
    (synopsis "ASN.1 library")
    (description
     "GNU libtasn1 is a library implementing the ASN.1 notation. It is used
for transmitting machine-neutral encodings of data objects in computer
networking, allowing for formal validation of data according to some
specifications.")
    (home-page "https://www.gnu.org/software/libtasn1/")
    (license license:lgpl2.0+)))
88
(define libtasn1/fixed
  ;; Grafted replacement for 'libtasn1': the same package, except that the
  ;; CVE-2017-10790 patch is applied to the upstream tarball after download.
  ;; The origin is inherited, so the sha256 still covers the unpatched
  ;; tarball; the patch itself ships with the Guix tree.
  (let ((upstream (package-source libtasn1)))
    (package
      (inherit libtasn1)
      (source
       (origin
         (inherit upstream)
         (patches (search-patches "libtasn1-CVE-2017-10790.patch")))))))
95
(define-public asn1c
  ;; Compiler from ASN.1 module definitions to C; not a TLS library itself,
  ;; but the formats it handles (BER/XER/PER, X.509) are what TLS stacks parse.
  (package
    (name "asn1c")
    (version "0.9.28")
    (source (origin
              (method url-fetch)
              (uri (string-append "https://lionet.info/soft/"
                                  "asn1c-" version ".tar.gz"))
              (sha256
               (base32
                "1fc64g45ykmv73kdndr4zdm4wxhimhrir4rxnygxvwkych5l81w0"))))
    (build-system gnu-build-system)
    ;; Perl is a build-time (native) input only.
    (native-inputs `(("perl" ,perl)))
    (synopsis "ASN.1 to C compiler")
    (description "The ASN.1 to C compiler takes ASN.1 module
files and generates C++ compatible C source code. That code can be
used to serialize the native C structures into compact and unambiguous
BER/XER/PER-based data files, and deserialize the files back.

Various ASN.1 based formats are widely used in the industry, such as to encode
the X.509 certificates employed in the HTTPS handshake, to exchange control
data between mobile phones and cellular networks, to car-to-car communication
in intelligent transportation networks.")
    (home-page "https://lionet.info/asn1c")
    (license license:bsd-2)))
122
(define-public p11-kit
  ;; Loader and coordinator for PKCS#11 modules.
  (package
    (name "p11-kit")
    (version "0.23.9")
    (source
     (origin
       (method url-fetch)
       (uri (string-append "https://github.com/p11-glue/p11-kit/releases/download/"
                           version "/p11-kit-" version ".tar.gz"))
       (sha256
        (base32 "0qyvnkb5hfi94wv3bn67y20hcbbvynvjwxpk7k9sh1si6ff69hg1"))))
    (build-system gnu-build-system)
    (native-inputs `(("pkg-config" ,pkg-config)))
    ;; libtasn1 is the grafted package from above, so the CVE fix reaches
    ;; p11-kit as well.
    (inputs
     `(("libffi" ,libffi)
       ("libtasn1" ,libtasn1)))
    ;; '--without-trust-paths' keeps host trust-anchor locations out of the
    ;; build.  NOTE(review): the usual system certificate directories do not
    ;; exist in the build chroot anyway (see the GnuTLS recipe below), but
    ;; this presumably also leaves the trust module without default anchors
    ;; until configured -- confirm against p11-kit's configure options.
    (arguments
     '(#:configure-flags (list "--without-trust-paths")))
    (synopsis "PKCS#11 library")
    (description
     "p11-kit provides a way to load and enumerate PKCS#11 modules. It
provides a standard configuration setup for installing PKCS#11 modules
in such a way that they are discoverable. It also solves problems with
coordinating the use of PKCS#11 by different components or libraries
living in the same process.")
    (home-page "https://p11-glue.freedesktop.org/p11-kit.html")
    (license license:bsd-3)))
152
153
;; TODO: Add net-tools-for-tests to #:disallowed-references when we can afford
;; to rebuild GnuTLS (i.e. on core-updates).
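(define-public gnutls
  ;; GnuTLS with its Guile 2.2 bindings.  Fix: the description said "X.5009"
  ;; where the certificate format is X.509.
  (package
    (name "gnutls")
    (version "3.5.13")
    (source (origin
              (method url-fetch)
              (uri
               ;; Note: Releases are no longer on ftp.gnu.org since the
               ;; schism (after version 3.1.5).
               (string-append "mirror://gnupg/gnutls/v"
                              (version-major+minor version)
                              "/gnutls-" version ".tar.xz"))
              (patches
               (search-patches "gnutls-skip-trust-store-test.patch"
                               "gnutls-skip-pkgconfig-test.patch"))
              (sha256
               (base32
                "15ihq6p0hnnhs8cnjrkj40dmlcaa1jjg8xg0g2ydbnlqs454ixbr"))))
    (build-system gnu-build-system)
    (arguments
     '(#:configure-flags
       (list
        ;; GnuTLS doesn't consult any environment variables to specify
        ;; the location of the system-wide trust store.  Instead it has a
        ;; configure-time option.  Unless specified, its configure script
        ;; attempts to auto-detect the location by looking for common
        ;; places in the file system, none of which are present in our
        ;; chroot build environment.  If not found, then no default trust
        ;; store is used, so each program has to provide its own
        ;; fallback, and users have to configure each program
        ;; independently.  This seems suboptimal.
        "--with-default-trust-store-dir=/etc/ssl/certs"

        ;; FIXME: Temporarily disable p11-kit support since it is not
        ;; working on mips64el.
        ;; NOTE(review): without p11-kit there is no PKCS#11 trust source;
        ;; the directory above is the only system trust store this build
        ;; knows about.
        "--without-p11-kit")

       #:phases (modify-phases %standard-phases
                  (add-after 'install 'move-doc
                    (lambda* (#:key outputs #:allow-other-keys)
                      ;; Copy the 4.1 MiB of section 3 man pages to "doc".
                      (let* ((out (assoc-ref outputs "out"))
                             (doc (assoc-ref outputs "doc"))
                             (mandir (string-append doc "/share/man/man3"))
                             (oldman (string-append out "/share/man/man3")))
                        (mkdir-p mandir)
                        (copy-recursively oldman mandir)
                        (delete-file-recursively oldman)
                        #t))))))
    (outputs '("out"                    ;4.4 MiB
               "debug"
               "doc"))                  ;4.1 MiB of man pages
    (native-inputs
     `(("net-tools" ,net-tools-for-tests)
       ("pkg-config" ,pkg-config)
       ("which" ,which)))
    (inputs
     `(("guile" ,guile-2.2)))
    (propagated-inputs
     ;; These are all in the 'Requires.private' field of gnutls.pc.
     ;; 'libtasn1' is the grafted package defined above (CVE-2017-10790).
     `(("libtasn1" ,libtasn1)
       ("libidn2" ,libidn2)
       ("nettle" ,nettle)
       ("zlib" ,zlib)))
    (home-page "https://www.gnu.org/software/gnutls/")
    (synopsis "Transport layer security library")
    (description
     "GnuTLS is a secure communications library implementing the SSL, TLS
and DTLS protocols. It is provided in the form of a C library to support the
protocols, as well as to parse and write X.509, PKCS 12, OpenPGP and other
required structures.")
    (license license:lgpl2.1+)
    (properties '((ftp-server . "ftp.gnutls.org")
                  (ftp-directory . "/gcrypt/gnutls")))))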
231
(define-public gnutls/guile-2.2
  ;; Deprecated alias: the main 'gnutls' package is already built against
  ;; Guile 2.2 (see its 'inputs'), so "guile2.2-gnutls" just resolves to it.
  (deprecated-package "guile2.2-gnutls" gnutls))
234
(define-public gnutls/guile-2.0
  ;; The same GnuTLS, with its Guile bindings built against Guile 2.0 instead
  ;; of 2.2: replace the "guile" input and keep everything else as-is.
  (package
    (inherit gnutls)
    (name "guile2.0-gnutls")
    (inputs (cons `("guile" ,guile-2.0)
                  (alist-delete "guile" (package-inputs gnutls))))))
242
(define-public gnutls/dane
  ;; GnuTLS built with libgnutls-dane, which implements DNS-based
  ;; Authentication of Named Entities (DANE); this pulls in the Unbound
  ;; resolver.  GNUnet and gnURL need it for GNS.  It is a separate package so
  ;; that users can choose between GnuTLS with and without DANE support.
  (package
    (inherit gnutls)
    (name "gnutls-dane")
    (inputs (cons `("unbound" ,unbound)
                  (package-inputs gnutls)))))
253
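(define-public openssl
  (package
    (name "openssl")
    (version "1.0.2l")
    ;; Grafted onto the 1.0.2n security release defined below: dependents
    ;; keep referring to this recipe and get the patched library substituted
    ;; in without a rebuild.
    (replacement openssl-1.0.2n)
    (source (origin
              (method url-fetch)
              ;; Try the HTTPS download first, as 'openssl-1.0.2n' and
              ;; 'openssl-next' below already do; the plain-FTP locations are
              ;; kept as fallbacks.  The sha256 below guarantees integrity
              ;; either way, so this only avoids a cleartext transport.
              (uri (list (string-append "https://www.openssl.org/source/"
                                        name "-" version ".tar.gz")
                         (string-append "https://www.openssl.org/source/old/"
                                        (string-trim-right version char-set:letter)
                                        "/" name "-" version ".tar.gz")
                         (string-append "ftp://ftp.openssl.org/source/"
                                        name "-" version ".tar.gz")
                         (string-append "ftp://ftp.openssl.org/source/old/"
                                        (string-trim-right version char-set:letter)
                                        "/" name "-" version ".tar.gz")))
              (sha256
               (base32
                "037kvpisc6qh5dkppcwbm5bg2q800xh2hma3vghz8xcycmdij1yf"))
              (snippet
               '(begin
                  ;; Remove ELF files.  'substitute*' can't read them.
                  (delete-file "test/ssltest_old")
                  (delete-file "test/v3ext")
                  (delete-file "test/x509aux")
                  #t))
              (patches (search-patches "openssl-runpath.patch"
                                       "openssl-c-rehash-in.patch"))))
    (build-system gnu-build-system)
    (outputs '("out"
               "doc"                    ;1.5MiB of man3 pages
               "static"))               ;6MiB of .a files
    (native-inputs `(("perl" ,perl)))
    (arguments
     `(#:parallel-build? #f
       #:parallel-tests? #f
       #:test-target "test"

       ;; Changes to OpenSSL sometimes cause Perl to "sneak in" to the closure,
       ;; so we explicitly disallow it here.  This keyword used to be given
       ;; twice -- once as (,perl) and once via 'canonical-package' -- which
       ;; left it to Guile's keyword handling to decide which list applied.
       ;; Name both spellings once so the closure check is unambiguous; they
       ;; normally resolve to the same package.
       #:disallowed-references ,(list perl (canonical-package perl))
       #:phases
       (modify-phases %standard-phases
         (add-before 'configure 'patch-Makefile.org
           (lambda* (#:key outputs #:allow-other-keys)
             ;; The default MANDIR is some unusual place.  Fix that.
             (let ((out (assoc-ref outputs "out")))
               (patch-makefile-SHELL "Makefile.org")
               (substitute* "Makefile.org"
                 (("^MANDIR[[:blank:]]*=.*$")
                  (string-append "MANDIR = " out "/share/man\n")))
               #t)))
         (replace 'configure
           (lambda* (#:key outputs #:allow-other-keys)
             (let ((out (assoc-ref outputs "out")))
               (zero?
                (system* "./config"
                         "shared"       ;build shared libraries
                         "--libdir=lib"

                         ;; The default for this catch-all directory is
                         ;; PREFIX/ssl.  Change that to something more
                         ;; conventional.
                         (string-append "--openssldir=" out
                                        "/share/openssl-" ,version)

                         (string-append "--prefix=" out)

                         ;; XXX FIXME: Work around a code generation bug in GCC
                         ;; 4.9.3 on ARM when compiled with -mfpu=neon.  See:
                         ;; <https://gcc.gnu.org/bugzilla/show_bug.cgi?id=66917>
                         ,@(if (and (not (%current-target-system))
                                    (string-prefix? "armhf" (%current-system)))
                               '("-mfpu=vfpv3")
                               '()))))))
         (add-after 'install 'make-libraries-writable
           (lambda* (#:key outputs #:allow-other-keys)
             ;; Make libraries writable so that 'strip' does its job.
             (let ((out (assoc-ref outputs "out")))
               (for-each (lambda (file)
                           (chmod file #o644))
                         (find-files (string-append out "/lib")
                                     "\\.so"))
               #t)))
         (add-after 'install 'move-static-libraries
           (lambda* (#:key outputs #:allow-other-keys)
             ;; Move static libraries to the "static" output.
             (let* ((out    (assoc-ref outputs "out"))
                    (lib    (string-append out "/lib"))
                    (static (assoc-ref outputs "static"))
                    (slib   (string-append static "/lib")))
               (for-each (lambda (file)
                           (install-file file slib)
                           (delete-file file))
                         (find-files lib "\\.a$"))
               #t)))
         (add-after 'install 'move-man3-pages
           (lambda* (#:key outputs #:allow-other-keys)
             ;; Move section 3 man pages to "doc".
             (let* ((out    (assoc-ref outputs "out"))
                    (man3   (string-append out "/share/man/man3"))
                    (doc    (assoc-ref outputs "doc"))
                    (target (string-append doc "/share/man/man3")))
               (mkdir-p target)
               (for-each (lambda (file)
                           (rename-file file
                                        (string-append target "/"
                                                       (basename file))))
                         (find-files man3))
               (delete-file-recursively man3)
               #t)))
         (add-before 'patch-source-shebangs 'patch-tests
           (lambda* (#:key inputs native-inputs #:allow-other-keys)
             ;; The test scripts hard-code /bin/sh and /bin/rm, which are not
             ;; present in the build environment.
             (let ((bash (assoc-ref (or native-inputs inputs) "bash")))
               (substitute* (find-files "test" ".*")
                 (("/bin/sh")
                  (string-append bash "/bin/sh"))
                 (("/bin/rm")
                  "rm"))
               #t)))
         (add-after 'install 'remove-miscellany
           (lambda* (#:key outputs #:allow-other-keys)
             ;; The 'misc' directory contains random undocumented shell and Perl
             ;; scripts.  Remove them to avoid retaining a reference on Perl.
             (let ((out (assoc-ref outputs "out")))
               (delete-file-recursively (string-append out "/share/openssl-"
                                                       ,version "/misc"))
               #t))))))
    (native-search-paths
     ;; FIXME: These two variables must designate a single file or directory
     ;; and are not actually "search paths."  In practice it works OK in user
     ;; profiles because there's always just one item that matches the
     ;; specification.
     (list (search-path-specification
            (variable "SSL_CERT_DIR")
            (files '("etc/ssl/certs")))
           (search-path-specification
            (variable "SSL_CERT_FILE")
            (files '("etc/ssl/certs/ca-certificates.crt")))))
    (synopsis "SSL/TLS implementation")
    (description
     "OpenSSL is an implementation of SSL/TLS.")
    (license license:openssl)
    (home-page "https://www.openssl.org/")))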
400
401 ;; Fixes CVE-2017-3735, CVE-2017-3736, CVE-2017-3737, and CVE-2017-3738.
402 ;; See <https://www.openssl.org/news/cl102.txt>.
(define-public openssl-1.0.2n
  ;; Graft target for 'openssl' above: same recipe, only the version, the
  ;; download URIs and the tarball hash differ.  Grafting rewrites store
  ;; references in place, so this replacement has to keep the same outputs and
  ;; ABI as 1.0.2l, which a patch-level OpenSSL release does.
  (package
    (inherit openssl)
    (version "1.0.2n")
    (source
     (let ((tarball (string-append "openssl-" version ".tar.gz"))
           (series  (string-trim-right version char-set:letter)))
       (origin
         (inherit (package-source openssl))
         ;; HTTPS first; the FTP mirrors are fallbacks.
         (uri (list (string-append "https://www.openssl.org/source/" tarball)
                    (string-append "ftp://ftp.openssl.org/source/" tarball)
                    (string-append "ftp://ftp.openssl.org/source/old/"
                                   series "/" tarball)))
         (sha256
          (base32
           "1zm82pyq5a9jm10q6iv7d3dih3xwjds4x30fqph3k317byvsn2rp")))))))
419
(define-public openssl-next
  ;; OpenSSL 1.1.0, published under the same "openssl" name.  It reuses the
  ;; 1.0.2 recipe above, drops the two phases 1.1.0 no longer needs and
  ;; replaces the configure and 'remove-miscellany' phases.  Only #:phases is
  ;; substituted, so the inherited #:disallowed-references check (no Perl in
  ;; the closure) still applies.  The 1.0.2 'replacement' graft is presumably
  ;; not inherited (innate field) -- confirm if relying on it.
  (package
    (inherit openssl)
    (name "openssl")
    (version "1.1.0g")
    (source (origin
              (method url-fetch)
              ;; HTTPS first, FTP mirrors as fallbacks; the sha256 pins the
              ;; tarball whichever mirror served it.
              (uri (list (string-append "https://www.openssl.org/source/openssl-"
                                        version ".tar.gz")
                         (string-append "ftp://ftp.openssl.org/source/"
                                        name "-" version ".tar.gz")
                         (string-append "ftp://ftp.openssl.org/source/old/"
                                        (string-trim-right version char-set:letter)
                                        "/" name "-" version ".tar.gz")))
              (patches (search-patches "openssl-1.1.0-c-rehash-in.patch"))
              (sha256
               (base32
                "1bvka2wf33w2vxv7yw578nnjqyhz2b3chvfb0l4k2ffscw950kfy"))))
    (outputs '("out"
               "doc"                    ;1.3MiB of man3 pages
               "static"))               ; 5.5MiB of .a files
    (arguments
     (substitute-keyword-arguments (package-arguments openssl)
       ((#:phases phases)
        `(modify-phases ,phases
           (delete 'patch-tests)        ; These two phases are not needed by
           (delete 'patch-Makefile.org) ; OpenSSL 1.1.0.

           ;; Override configure phase since -rpath is now a configure option.
           (replace 'configure
             (lambda* (#:key outputs #:allow-other-keys)
               (let* ((out (assoc-ref outputs "out"))
                      (lib (string-append out "/lib")))
                 (zero?
                  (system* "./config"
                           "shared"     ;build shared libraries
                           "--libdir=lib"

                           ;; The default for this catch-all directory is
                           ;; PREFIX/ssl.  Change that to something more
                           ;; conventional.
                           (string-append "--openssldir=" out
                                          "/share/openssl-" ,version)

                           (string-append "--prefix=" out)
                           ;; Record the library directory as the run path,
                           ;; presumably standing in for what
                           ;; openssl-runpath.patch does for 1.0.2.
                           (string-append "-Wl,-rpath," lib)

                           ;; XXX FIXME: Work around a code generation bug in GCC
                           ;; 4.9.3 on ARM when compiled with -mfpu=neon.  See:
                           ;; <https://gcc.gnu.org/bugzilla/show_bug.cgi?id=66917>
                           ,@(if (and (not (%current-target-system))
                                      (string-prefix? "armhf" (%current-system)))
                                 '("-mfpu=vfpv3")
                                 '()))))))

           ;; XXX: Duplicate this phase to make sure 'version' evaluates
           ;; in the current scope and not the inherited one.
           (replace 'remove-miscellany
             (lambda* (#:key outputs #:allow-other-keys)
               ;; The 'misc' directory contains random undocumented shell and Perl
               ;; scripts.  Remove them to avoid retaining a reference on Perl.
               (let ((out (assoc-ref outputs "out")))
                 (delete-file-recursively (string-append out "/share/openssl-"
                                                         ,version "/misc"))
                 #t)))))))))
485
(define-public libressl
  (package
    (name "libressl")
    (version "2.6.4")
    (source (origin
              (method url-fetch)
              (uri (string-append "mirror://openbsd/LibreSSL/" name "-"
                                  version ".tar.gz"))
              (sha256
               (base32
                "07yi37a2ghsgj2b4w30q1s4d2inqnix7ika1m21y57p9z71212k3"))))
    (build-system gnu-build-system)
    (arguments
     ;; Do as if 'getentropy' was missing since older Linux kernels lack it
     ;; and libc would return ENOSYS, which is not properly handled.
     ;; See <https://lists.gnu.org/archive/html/guix-devel/2017-04/msg00235.html>.
     ;; NOTE(review): this applies on every kernel, not only old ones, so
     ;; LibreSSL always takes whichever entropy path it uses when getentropy()
     ;; is absent -- revisit once the ENOSYS case is handled.
     '(#:configure-flags
       (list "ac_cv_func_getentropy=no"
             ;; Provide a TLS-enabled netcat.
             "--enable-nc")))
    (native-search-paths
     ;; FIXME: These two variables must designate a single file or directory
     ;; and are not actually "search paths."  In practice it works OK in
     ;; user profiles because there's always just one item that matches the
     ;; specification.
     (list (search-path-specification
            (variable "SSL_CERT_DIR")
            (files '("etc/ssl/certs")))
           (search-path-specification
            (variable "SSL_CERT_FILE")
            (files '("etc/ssl/certs/ca-certificates.crt")))))
    (synopsis "SSL/TLS implementation")
    (description "LibreSSL is a version of the TLS/crypto stack, forked from
OpenSSL in 2014 with the goals of modernizing the codebase, improving security,
and applying best practice development processes. This package also includes a
netcat implementation that supports TLS.")
    (home-page "https://www.libressl.org/")
    ;; Files taken from OpenSSL keep their license, others are under various
    ;; non-copyleft licenses.
    (license (list license:openssl
                   (license:non-copyleft
                    "file://COPYING"
                    "See COPYING in the distribution.")))))
528
(define-public python-acme
  ;; ACME protocol library; 'certbot' below is built on top of it and reuses
  ;; these build arguments.
  (package
    (name "python-acme")
    ;; Remember to update the hash of certbot when updating python-acme.
    (version "0.20.0")
    (source (origin
              (method url-fetch)
              (uri (pypi-uri "acme" version))
              (sha256
               (base32
                "1md3llp6640dviv9bzyy7qzn3szxil38645cjqcg7hlcdknil4j5"))))
    (build-system python-build-system)
    (arguments
     `(#:phases
       (modify-phases %standard-phases
         (add-after 'build 'build-documentation
           ;; Build the man page and Info manual; a non-zero exit from make
           ;; fails the phase.
           (lambda _
             (zero? (system* "make" "-C" "docs" "man" "info"))))
         (add-after 'install 'install-documentation
           (lambda* (#:key outputs #:allow-other-keys)
             (let* ((out (assoc-ref outputs "out"))
                    (man (string-append out "/share/man/man1"))
                    ;; NOTE(review): this is $out/info, not the conventional
                    ;; $out/share/info -- confirm that profiles' Info
                    ;; directory handling picks it up.
                    (info (string-append out "/info")))
               (install-file "docs/_build/texinfo/acme-python.info" info)
               (install-file "docs/_build/man/acme-python.1" man)
               #t))))))
    ;; TODO: Add optional inputs for testing.
    (native-inputs
     `(("python-mock" ,python-mock-2)
       ;; For documentation
       ("python-sphinx" ,python-sphinx)
       ("python-sphinxcontrib-programoutput" ,python-sphinxcontrib-programoutput)
       ("python-sphinx-rtd-theme" ,python-sphinx-rtd-theme)
       ("texinfo" ,texinfo)))
    ;; Run-time dependencies, propagated so that importing 'acme' works from
    ;; a profile.
    (propagated-inputs
     `(("python-six" ,python-six)
       ("python-requests" ,python-requests)
       ("python-pytz" ,python-pytz)
       ("python-pyrfc3339" ,python-pyrfc3339)
       ("python-pyasn1" ,python-pyasn1)
       ("python-cryptography" ,python-cryptography)
       ("python-pyopenssl" ,python-pyopenssl)))
    (home-page "https://github.com/certbot/certbot")
    (synopsis "ACME protocol implementation in Python")
    ;; NOTE(review): the description merely repeats the synopsis.
    (description "ACME protocol implementation in Python")
    (license license:asl2.0)))
575
(define-public certbot
  ;; The Let's Encrypt command-line client, built on 'python-acme' above.
  (package
    (name "certbot")
    ;; Certbot and python-acme are developed in the same repository, and their
    ;; versions should remain synchronized.
    (version (package-version python-acme))
    (source (origin
              (method url-fetch)
              (uri (pypi-uri name version))
              (sha256
               (base32
                "126y6jg1nyd8js2jchl4dbmpg507hawaxnyw7510qh7vcidm1gya"))))
    (build-system python-build-system)
    ;; Reuse python-acme's phases (including the documentation build) and
    ;; swap in only the install step, which installs certbot's own man pages
    ;; and Info manual.
    (arguments
     `(,@(substitute-keyword-arguments (package-arguments python-acme)
           ((#:phases phases)
            `(modify-phases ,phases
               (replace 'install-documentation
                 (lambda* (#:key outputs #:allow-other-keys)
                   (let* ((out (assoc-ref outputs "out"))
                          (man1 (string-append out "/share/man/man1"))
                          (man7 (string-append out "/share/man/man7"))
                          ;; NOTE(review): $out/info rather than
                          ;; $out/share/info, same as python-acme -- confirm.
                          (info (string-append out "/info")))
                     (install-file "docs/_build/texinfo/Certbot.info" info)
                     (install-file "docs/_build/man/certbot.1" man1)
                     (install-file "docs/_build/man/certbot.7" man7)
                     #t))))))))
    ;; TODO: Add optional inputs for testing.
    (native-inputs
     `(("python-nose" ,python-nose)
       ("python-mock" ,python-mock-2)
       ;; For documentation
       ("python-sphinx" ,python-sphinx)
       ("python-sphinx-rtd-theme" ,python-sphinx-rtd-theme)
       ("python-sphinx-repoze-autointerface" ,python-sphinx-repoze-autointerface)
       ("python-sphinxcontrib-programoutput" ,python-sphinxcontrib-programoutput)
       ("texinfo" ,texinfo)))
    ;; Run-time dependencies; 'python-acme' is the grafted-free library above.
    (propagated-inputs
     `(("python-acme" ,python-acme)
       ("python-zope-interface" ,python-zope-interface)
       ("python-pyrfc3339" ,python-pyrfc3339)
       ("python-pyopenssl" ,python-pyopenssl)
       ("python-configobj" ,python-configobj)
       ("python-configargparse" ,python-configargparse)
       ("python-zope-component" ,python-zope-component)
       ("python-parsedatetime" ,python-parsedatetime)
       ("python-six" ,python-six)
       ("python-psutil" ,python-psutil)
       ("python-requests" ,python-requests)
       ("python-pytz" ,python-pytz)))
    (synopsis "Let's Encrypt client by the Electronic Frontier Foundation")
    (description "Certbot automatically receives and installs X.509 certificates
to enable Transport Layer Security (TLS) on servers. It interoperates with the
Let’s Encrypt certificate authority (CA), which issues browser-trusted
certificates for free.")
    (home-page "https://certbot.eff.org/")
    (license license:asl2.0)))
633
(define-public letsencrypt
  ;; Former name of certbot, kept so existing references keep resolving; the
  ;; 'superseded' property points users at 'certbot'.
  (package
    (inherit certbot)
    (name "letsencrypt")
    (properties (list (cons 'superseded certbot)))))
638
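(define-public perl-net-ssleay
  ;; Perl bindings for OpenSSL.  Fix: the home page was pinned to the
  ;; Net-SSLeay 1.66 release page, which had fallen behind the packaged
  ;; version; use the distribution page, as the other CPAN packages in this
  ;; file do.
  (package
    (name "perl-net-ssleay")
    (version "1.81")
    (source (origin
              (method url-fetch)
              (uri (string-append "mirror://cpan/authors/id/M/MI/MIKEM/"
                                  "Net-SSLeay-" version ".tar.gz"))
              (sha256
               (base32
                "0z8vya34g88bc41kx955sv7y4niwbbywji8liqbl52v29qbvdjq0"))))
    (build-system perl-build-system)
    ;; Run-time input: the bindings link against 'openssl' (grafted to the
    ;; 1.0.2n security release above).
    (inputs `(("openssl" ,openssl)))
    (arguments
     `(#:phases
       (modify-phases %standard-phases
         (add-before 'configure 'set-ssl-prefix
           ;; Point the build at our OpenSSL via OPENSSL_PREFIX, presumably
           ;; read by Makefile.PL, rather than letting it probe host paths.
           (lambda* (#:key inputs #:allow-other-keys)
             (setenv "OPENSSL_PREFIX" (assoc-ref inputs "openssl"))
             #t)))))
    (synopsis "Perl extension for using OpenSSL")
    (description
     "This module offers some high level convenience functions for accessing
web pages on SSL servers (for symmetry, the same API is offered for accessing
http servers, too), an sslcat() function for writing your own clients, and
finally access to the SSL api of the SSLeay/OpenSSL package so you can write
servers or clients for more complicated applications.")
    (license license:perl-license)
    (home-page "http://search.cpan.org/dist/Net-SSLeay")))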
669
(define-public perl-crypt-openssl-rsa
  ;; Crypt::OpenSSL::RSA; links against libcrypto via the shared
  ;; 'perl-crypt-arguments' defined below (the forward reference is fine
  ;; because package 'arguments' are evaluated lazily).
  (package
    (name "perl-crypt-openssl-rsa")
    (version "0.28")
    (source
     (origin
       (method url-fetch)
       (uri (string-append "mirror://cpan/authors/id/P/PE/PERLER/"
                           "Crypt-OpenSSL-RSA-" version ".tar.gz"))
       (sha256
        (base32 "1gnpvv09b2gpifwdzc5jnhama3d1a4c39lzj9hcaicsb8rvzjmsk"))))
    (build-system perl-build-system)
    ;; The Bignum and Random modules are companions from the same
    ;; Crypt::OpenSSL family, defined further down.
    (inputs
     `(("perl-crypt-openssl-bignum" ,perl-crypt-openssl-bignum)
       ("perl-crypt-openssl-random" ,perl-crypt-openssl-random)
       ("openssl" ,openssl)))
    (arguments perl-crypt-arguments)
    (synopsis "RSA encoding and decoding, using the openSSL libraries")
    (description "Crypt::OpenSSL::RSA does RSA encoding and decoding (using the
OpenSSL libraries).")
    (home-page "http://search.cpan.org/dist/Crypt-OpenSSL-RSA")
    (license license:perl-license)))
697
(define perl-crypt-arguments
  ;; Build arguments shared by the Crypt::OpenSSL::* packages in this file.
  ;; Their Makefile.PL hard-codes a 'LIBS' line; rewrite it so the XS code
  ;; links against libcrypto from the "openssl" input instead of whatever the
  ;; host would provide.
  `(#:phases
    (modify-phases %standard-phases
      (add-before 'configure 'patch-Makefile.PL
        (lambda* (#:key inputs #:allow-other-keys)
          (let ((openssl (assoc-ref inputs "openssl")))
            (substitute* "Makefile.PL"
              (("'LIBS'.*=>.*")
               (string-append "'LIBS' => ['-L" openssl "/lib -lcrypto'],")))
            #t))))))
707
(define-public perl-crypt-openssl-bignum
  ;; Crypt::OpenSSL::Bignum, built with the shared 'perl-crypt-arguments'.
  (package
    (name "perl-crypt-openssl-bignum")
    (version "0.09")
    (source
     (origin
       (method url-fetch)
       (uri (string-append "mirror://cpan/authors/id/K/KM/KMX/"
                           "Crypt-OpenSSL-Bignum-" version ".tar.gz"))
       (sha256
        (base32 "1p22znbajq91lbk2k3yg12ig7hy5b4vy8igxwqkmbm4nhgxp4ki3"))))
    (build-system perl-build-system)
    (inputs `(("openssl" ,openssl)))
    (arguments perl-crypt-arguments)
    (synopsis "OpenSSL's multiprecision integer arithmetic in Perl")
    (description "Crypt::OpenSSL::Bignum provides multiprecision integer
arithmetic in Perl.")
    (home-page "http://search.cpan.org/dist/Crypt-OpenSSL-Bignum")
    ;; At your option either gpl1+ or the Artistic License
    (license license:perl-license)))
733
(define-public perl-crypt-openssl-random
  ;; Crypt::OpenSSL::Random, built with the shared 'perl-crypt-arguments'.
  (package
    (name "perl-crypt-openssl-random")
    (version "0.11")
    (source
     (origin
       (method url-fetch)
       (uri (string-append "mirror://cpan/authors/id/R/RU/RURBAN/"
                           "Crypt-OpenSSL-Random-" version ".tar.gz"))
       (sha256
        (base32 "0yjcabkibrkafywvdkmd1xpi6br48skyk3l15ni176wvlg38335v"))))
    (build-system perl-build-system)
    (inputs `(("openssl" ,openssl)))
    (arguments perl-crypt-arguments)
    (synopsis "OpenSSL/LibreSSL pseudo-random number generator access")
    (description "Crypt::OpenSSL::Random is a OpenSSL/LibreSSL pseudo-random
number generator")
    (home-page "http://search.cpan.org/dist/Crypt-OpenSSL-Random")
    (license license:perl-license)))
758
(define-public acme-client
  ;; Portable build of OpenBSD's privilege-separating Let's Encrypt client,
  ;; linked against LibreSSL.
  (package
    (name "acme-client")
    (version "0.1.16")
    (source (origin
              (method url-fetch)
              (uri (string-append "https://kristaps.bsd.lv/" name "/"
                                  "snapshots/" name "-portable-"
                                  version ".tgz"))
              (sha256
               (base32
                "00q05b3b1dfnfp7sr1nbd212n0mqrycl3cr9lbs51m7ncaihbrz9"))))
    (build-system gnu-build-system)
    (arguments
     '(#:tests? #f ; no test suite
       #:make-flags
       (list "CC=gcc"
             (string-append "PREFIX=" (assoc-ref %outputs "out")))
       #:phases
       (modify-phases %standard-phases
         (add-after 'unpack 'patch-paths
           ;; http.c hard-codes /etc/ssl/cert.pem as its CA bundle; point it
           ;; at the copy shipped inside our LibreSSL input instead.
           ;; NOTE(review): that bundle is whatever LibreSSL 2.6.4 shipped
           ;; and appears not to be influenced by SSL_CERT_FILE/SSL_CERT_DIR;
           ;; confirm this is the intended trust root for reaching the ACME
           ;; server.
           (lambda* (#:key inputs #:allow-other-keys)
             (let ((pem (string-append (assoc-ref inputs "libressl")
                                       "/etc/ssl/cert.pem")))
               (substitute* "http.c"
                 (("/etc/ssl/cert.pem") pem))
               #t)))
         (delete 'configure)))) ; no './configure' script
    (native-inputs
     `(("pkg-config" ,pkg-config)))
    (inputs
     `(("libbsd" ,libbsd)
       ("libressl" ,libressl)))
    (synopsis "Let's Encrypt client by the OpenBSD project")
    (description "acme-client is a Let's Encrypt client implemented in C. It
uses a modular design, and attempts to secure itself by dropping privileges and
operating in a chroot where possible. acme-client is developed on OpenBSD and
then ported to the GNU / Linux environment.")
    (home-page "https://kristaps.bsd.lv/acme-client/")
    ;; acme-client is distributed under the ISC license, but the files 'jsmn.h'
    ;; and 'jsmn.c' are distributed under the Expat license.
    (license (list license:isc license:expat))))
801
;; The "-apache" variant is the one upstream prefers.  A "-gpl" variant
;; exists in addition to the "-apache" one.
(define-public mbedtls-apache
  ;; mbed TLS (formerly PolarSSL), Apache-licensed variant.
  (package
    (name "mbedtls-apache")
    (version "2.6.0")
    (source
     (origin
       (method url-fetch)
       ;; XXX: The download links on the website are script redirection links
       ;; which effectively lead to the format listed in the uri here.
       (uri (string-append "https://tls.mbed.org/download/"
                           "mbedtls-" version "-apache.tgz"))
       (sha256
        (base32 "11wnj34rfqxjggmdgf042i49lr6civgbqwv2p7p8bn6k2919vg4r"))))
    (build-system cmake-build-system)
    ;; Ask CMake for the shared library as well (presumably off by default).
    (arguments
     '(#:configure-flags (list "-DUSE_SHARED_MBEDTLS_LIBRARY=ON")))
    ;; Perl is a build-time (native) input only.
    (native-inputs `(("perl" ,perl)))
    (synopsis "Small TLS library")
    (description
     "@code{mbed TLS}, formerly known as PolarSSL, makes it trivially easy
for developers to include cryptographic and SSL/TLS capabilities in their
(embedded) products, facilitating this functionality with a minimal
coding footprint.")
    (home-page "https://tls.mbed.org")
    (license license:asl2.0)))
832
(define-public ghc-tls
  ;; Pure-Haskell TLS implementation.  NOTE(review): the description lists
  ;; SSL 3.0 among the supported protocols; whether it is enabled by default
  ;; is not visible from this recipe.
  (package
    (name "ghc-tls")
    (version "1.3.8")
    (source (origin
              (method url-fetch)
              (uri (string-append "https://hackage.haskell.org/package/tls/"
                                  "tls-" version ".tar.gz"))
              (sha256
               (base32
                "1rdidf18i781c0vdvy9yn79yh08hmcacf6fp3sgghyiy3h0wyh5l"))))
    (build-system haskell-build-system)
    ;; cryptonite supplies the primitives; the x509, x509-store and
    ;; x509-validation packages cover certificate handling.
    (inputs
     `(("ghc-mtl" ,ghc-mtl)
       ("ghc-cereal" ,ghc-cereal)
       ("ghc-data-default-class" ,ghc-data-default-class)
       ("ghc-memory" ,ghc-memory)
       ("ghc-cryptonite" ,ghc-cryptonite)
       ("ghc-asn1-types" ,ghc-asn1-types)
       ("ghc-asn1-encoding" ,ghc-asn1-encoding)
       ("ghc-x509" ,ghc-x509)
       ("ghc-x509-store" ,ghc-x509-store)
       ("ghc-x509-validation" ,ghc-x509-validation)
       ("ghc-async" ,ghc-async)
       ("ghc-network" ,ghc-network)
       ("ghc-hourglass" ,ghc-hourglass)))
    ;; Test-suite dependencies only.
    (native-inputs
     `(("ghc-tasty" ,ghc-tasty)
       ("ghc-tasty-quickcheck" ,ghc-tasty-quickcheck)
       ("ghc-quickcheck" ,ghc-quickcheck)))
    (synopsis "TLS/SSL protocol native implementation (Server and Client)")
    (description
     "Native Haskell TLS and SSL protocol implementation for server and client.
This provides a high-level implementation of a sensitive security protocol,
eliminating a common set of security issues through the use of the advanced
type system, high level constructions and common Haskell features. Currently
implement the SSL3.0, TLS1.0, TLS1.1 and TLS1.2 protocol, and support RSA and
Ephemeral (Elliptic curve and regular) Diffie Hellman key exchanges, and many
extensions.")
    (home-page "https://github.com/vincenthz/hs-tls")
    (license license:bsd-3)))