1 ;;; GNU Guix --- Functional package management for GNU
2 ;;; Copyright © 2012, 2013, 2014, 2015, 2016, 2017 Ludovic Courtès <ludo@gnu.org>
3 ;;; Copyright © 2014, 2015, 2016, 2017, 2018 Mark H Weaver <mhw@netris.org>
4 ;;; Copyright © 2014 Ian Denhardt <ian@zenhack.net>
5 ;;; Copyright © 2013, 2015 Andreas Enge <andreas@enge.fr>
6 ;;; Copyright © 2015 David Thompson <davet@gnu.org>
7 ;;; Copyright © 2015, 2016, 2017, 2018 Leo Famulari <leo@famulari.name>
8 ;;; Copyright © 2016, 2017, 2019 Efraim Flashner <efraim@flashner.co.il>
9 ;;; Copyright © 2016, 2017, 2018 ng0 <ng0@n0.is>
10 ;;; Copyright © 2016 Hartmut Goebel <h.goebel@crazy-compilers.com>
11 ;;; Copyright © 2017 Ricardo Wurmus <rekado@elephly.net>
12 ;;; Copyright © 2017, 2018 Marius Bakke <mbakke@fastmail.com>
13 ;;; Copyright © 2017, 2018, 2019 Tobias Geerinckx-Rice <me@tobias.gr>
14 ;;; Copyright © 2017 Rutger Helling <rhelling@mykolab.com>
15 ;;; Copyright © 2018 Clément Lassieur <clement@lassieur.org>
16 ;;;
17 ;;; This file is part of GNU Guix.
18 ;;;
19 ;;; GNU Guix is free software; you can redistribute it and/or modify it
20 ;;; under the terms of the GNU General Public License as published by
21 ;;; the Free Software Foundation; either version 3 of the License, or (at
22 ;;; your option) any later version.
23 ;;;
24 ;;; GNU Guix is distributed in the hope that it will be useful, but
25 ;;; WITHOUT ANY WARRANTY; without even the implied warranty of
26 ;;; MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
27 ;;; GNU General Public License for more details.
28 ;;;
29 ;;; You should have received a copy of the GNU General Public License
30 ;;; along with GNU Guix. If not, see <http://www.gnu.org/licenses/>.
31
32 (define-module (gnu packages tls)
33 #:use-module ((guix licenses) #:prefix license:)
34 #:use-module (guix packages)
35 #:use-module (guix download)
36 #:use-module (guix utils)
37 #:use-module (guix build-system gnu)
38 #:use-module (guix build-system perl)
39 #:use-module (guix build-system python)
40 #:use-module (guix build-system cmake)
41 #:use-module (guix build-system trivial)
42 #:use-module (gnu packages compression)
43 #:use-module (gnu packages)
44 #:use-module (gnu packages bash)
45 #:use-module (gnu packages check)
46 #:use-module (gnu packages curl)
47 #:use-module (gnu packages dns)
48 #:use-module (gnu packages gawk)
49 #:use-module (gnu packages guile)
50 #:use-module (gnu packages libbsd)
51 #:use-module (gnu packages libffi)
52 #:use-module (gnu packages libidn)
53 #:use-module (gnu packages linux)
54 #:use-module (gnu packages ncurses)
55 #:use-module (gnu packages nettle)
56 #:use-module (gnu packages perl)
57 #:use-module (gnu packages pkg-config)
58 #:use-module (gnu packages python)
59 #:use-module (gnu packages python-crypto)
60 #:use-module (gnu packages python-web)
61 #:use-module (gnu packages python-xyz)
62 #:use-module (gnu packages sphinx)
63 #:use-module (gnu packages texinfo)
64 #:use-module (gnu packages time)
65 #:use-module (gnu packages base)
66 #:use-module (srfi srfi-1))
67
(define-public libtasn1
  (package
    (name "libtasn1")
    (version "4.13")
    (home-page "https://www.gnu.org/software/libtasn1/")
    (source
     (origin
       (method url-fetch)
       (uri (string-append "mirror://gnu/libtasn1/libtasn1-" version
                           ".tar.gz"))
       (sha256
        (base32
         "1jlc1iahj8k3haz28j55nzg7sgni5h41vqy461i1bpbx6668wlky"))))
    (build-system gnu-build-system)
    ;; Only the shared library is built; '--disable-static' skips the .a file.
    (arguments
     '(#:configure-flags '("--disable-static")))
    (native-inputs `(("perl" ,perl)))
    (synopsis "ASN.1 library")
    (description
     "GNU libtasn1 is a library implementing the ASN.1 notation. It is used
for transmitting machine-neutral encodings of data objects in computer
networking, allowing for formal validation of data according to some
specifications.")
    (license license:lgpl2.0+)))
92
(define-public asn1c
  (package
    (name "asn1c")
    (version "0.9.28")
    (home-page "https://lionet.info/asn1c")
    (source
     (origin
       (method url-fetch)
       (uri (string-append "https://lionet.info/soft/asn1c-" version
                           ".tar.gz"))
       (sha256
        (base32
         "1fc64g45ykmv73kdndr4zdm4wxhimhrir4rxnygxvwkych5l81w0"))))
    (build-system gnu-build-system)
    ;; Perl is only needed at build time.
    (native-inputs `(("perl" ,perl)))
    (synopsis "ASN.1 to C compiler")
    (description "The ASN.1 to C compiler takes ASN.1 module
files and generates C++ compatible C source code. That code can be
used to serialize the native C structures into compact and unambiguous
BER/XER/PER-based data files, and deserialize the files back.

Various ASN.1 based formats are widely used in the industry, such as to encode
the X.509 certificates employed in the HTTPS handshake, to exchange control
data between mobile phones and cellular networks, to car-to-car communication
in intelligent transportation networks.")
    (license license:bsd-2)))
119
(define-public p11-kit
  (package
    (name "p11-kit")
    (version "0.23.15")
    (source
     (origin
       (method url-fetch)
       (uri (string-append "https://github.com/p11-glue/p11-kit/releases/"
                           "download/" version "/p11-kit-" version
                           ".tar.gz"))
       (patches (search-patches "p11-kit-jks-timestamps.patch"))
       (sha256
        (base32
         "166pwj00cffv4qq4dvx0k53zka0b0r1fa0whc49007vsqyh3khgp"))))
    (build-system gnu-build-system)
    (native-inputs
     `(("pkg-config" ,pkg-config)))
    (inputs
     `(("libffi" ,libffi)
       ("libtasn1" ,libtasn1)))
    (arguments
     `(#:configure-flags
       ;; NOTE(review): presumably this means no system trust-anchor paths
       ;; are compiled in, so trust is configured by consumers; verify
       ;; against the configure script before relying on it.
       '("--without-trust-paths")
       #:phases
       (modify-phases %standard-phases
         (add-before 'check 'prepare-tests
           (lambda _
             ;; "test-runtime" wants XDG_RUNTIME_DIR and a set of
             ;; directories (.cache and friends) that do not exist in the
             ;; build container, so it is simply removed from the Makefile.
             (substitute* "Makefile"
               (("test-runtime\\$\\(EXEEXT\\)") ""))
             #t)))))
    (home-page "https://p11-glue.freedesktop.org/p11-kit.html")
    (synopsis "PKCS#11 library")
    (description
     "p11-kit provides a way to load and enumerate PKCS#11 modules. It
provides a standard configuration setup for installing PKCS#11 modules
in such a way that they are discoverable. It also solves problems with
coordinating the use of PKCS#11 by different components or libraries
living in the same process.")
    (license license:bsd-3)))
160
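(define-public gnutls
  (package
    (name "gnutls")
    (version "3.6.5")
    (source (origin
              (method url-fetch)
              (uri
               ;; Note: Releases are no longer on ftp.gnu.org since the
               ;; schism (after version 3.1.5).
               (string-append "mirror://gnupg/gnutls/v"
                              (version-major+minor version)
                              "/gnutls-" version ".tar.xz"))
              (patches (search-patches "gnutls-skip-trust-store-test.patch"))
              (sha256
               (base32
                "0ddvg97dyrh8dkffv1mdc0knxx5my3qdbzv97s4a6jggmk9wwgh7"))
              (modules '((guix build utils)))
              (snippet
               '(begin
                  ;; XXX: The generated configure script in GnuTLS 3.6.5
                  ;; apparently does not know about Guile 2.2.
                  (substitute* "configure"
                    (("guile_versions_to_search=\"2\\.0 1\\.8\"")
                     "guile_versions_to_search=\"2.2 2.0 1.8\""))
                  #t))))
    (build-system gnu-build-system)
    (arguments
     `(; Ensure we don't keep a reference to this buggy software.
       #:disallowed-references (,net-tools)
       #:configure-flags
       (list
        ;; GnuTLS doesn't consult any environment variables to specify
        ;; the location of the system-wide trust store. Instead it has a
        ;; configure-time option. Unless specified, its configure script
        ;; attempts to auto-detect the location by looking for common
        ;; places in the file system, none of which are present in our
        ;; chroot build environment. If not found, then no default trust
        ;; store is used, so each program has to provide its own
        ;; fallback, and users have to configure each program
        ;; independently. This seems suboptimal.
        ;;
        ;; Trust anchors are therefore read from the system directory at
        ;; run time, not baked into the store.
        "--with-default-trust-store-dir=/etc/ssl/certs"

        ;; FIXME: Temporarily disable p11-kit support since it is not
        ;; working on mips64el.
        "--without-p11-kit")

       #:phases (modify-phases %standard-phases
                  (add-after
                   'install 'move-doc
                   (lambda* (#:key outputs #:allow-other-keys)
                     ;; Copy the 4.1 MiB of section 3 man pages to "doc".
                     (let* ((out (assoc-ref outputs "out"))
                            (doc (assoc-ref outputs "doc"))
                            (mandir (string-append doc "/share/man/man3"))
                            (oldman (string-append out "/share/man/man3")))
                       (mkdir-p mandir)
                       (copy-recursively oldman mandir)
                       (delete-file-recursively oldman)
                       #t))))))
    (outputs '("out"                    ;4.4 MiB
               "debug"
               "doc"))                  ;4.1 MiB of man pages
    (native-inputs
     `(("net-tools" ,net-tools)
       ("pkg-config" ,pkg-config)
       ("which" ,which)))
    (inputs
     `(("guile" ,guile-2.2)))
    (propagated-inputs
     ;; These are all in the 'Requires.private' field of gnutls.pc.
     `(("libtasn1" ,libtasn1)
       ("libidn2" ,libidn2)
       ("nettle" ,nettle)
       ("zlib" ,zlib)))
    (home-page "https://www.gnu.org/software/gnutls/")
    (synopsis "Transport layer security library")
    ;; "X.5009" in the previous description was a typo for X.509.
    (description
     "GnuTLS is a secure communications library implementing the SSL, TLS
and DTLS protocols. It is provided in the form of a C library to support the
protocols, as well as to parse and write X.509, PKCS 12, OpenPGP and other
required structures.")
    (license license:lgpl2.1+)
    (properties '((ftp-server . "ftp.gnutls.org")
                  (ftp-directory . "/gcrypt/gnutls")))))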
245
;; Kept for backward compatibility: the plain 'gnutls' package already
;; builds against Guile 2.2, so this name only emits a deprecation.
(define-public gnutls/guile-2.2
  (deprecated-package "guile2.2-gnutls" gnutls))
248
;; GnuTLS built against Guile 2.0 instead of Guile 2.2.
(define-public gnutls/guile-2.0
  (package
    (inherit gnutls)
    (name "guile2.0-gnutls")
    ;; Swap the "guile" entry of the inherited inputs for Guile 2.0.
    (inputs (cons `("guile" ,guile-2.0)
                  (alist-delete "guile" (package-inputs gnutls))))))
256
;; GnuTLS built with libgnutls-dane, which implements DNS-based
;; Authentication of Named Entities (DANE).  GNUnet and gnURL need it for
;; GNS.  It is a separate package so that users can choose between GnuTLS
;; with and without DANE support.
(define-public gnutls/dane
  (package
    (inherit gnutls)
    (name "gnutls-dane")
    ;; Adding unbound as an input is what turns on the DANE library.
    (inputs (cons `("unbound" ,unbound)
                  (package-inputs gnutls)))))
267
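(define-public openssl
  (package
    (name "openssl")
    ;; Security fixes are delivered as a graft; see 'openssl/fixed'.
    (replacement openssl/fixed)
    (version "1.0.2p")
    (source (origin
              (method url-fetch)
              (uri (list (string-append "https://www.openssl.org/source/openssl-"
                                        version ".tar.gz")
                         (string-append "ftp://ftp.openssl.org/source/"
                                        "openssl-" version ".tar.gz")
                         (string-append "ftp://ftp.openssl.org/source/old/"
                                        (string-trim-right version char-set:letter)
                                        "/openssl-" version ".tar.gz")))
              (sha256
               (base32
                "003xh9f898i56344vpvpxxxzmikivxig4xwlm7vbi7m8n43qxaah"))
              (patches (search-patches "openssl-runpath.patch"
                                       "openssl-c-rehash-in.patch"))))
    (build-system gnu-build-system)
    (outputs '("out"
               "doc"                    ;1.5MiB of man3 pages
               "static"))               ;6MiB of .a files
    (native-inputs `(("perl" ,perl)))
    (arguments
     `(#:parallel-build? #f
       #:parallel-tests? #f
       #:test-target "test"

       ;; Changes to OpenSSL sometimes cause Perl to "sneak in" to the closure,
       ;; so we explicitly disallow it here.  Previously this keyword appeared
       ;; twice in the list (once with PERL, once with the canonical Perl);
       ;; only one occurrence of a keyword takes effect, so both packages are
       ;; now listed in a single argument.
       #:disallowed-references ,(list perl (canonical-package perl))
       #:phases
       (modify-phases %standard-phases
         (add-before
          'configure 'patch-Makefile.org
          (lambda* (#:key outputs #:allow-other-keys)
            ;; The default MANDIR is some unusual place. Fix that.
            (let ((out (assoc-ref outputs "out")))
              (patch-makefile-SHELL "Makefile.org")
              (substitute* "Makefile.org"
                (("^MANDIR[[:blank:]]*=.*$")
                 (string-append "MANDIR = " out "/share/man\n")))
              #t)))
         (replace
          'configure
          (lambda* (#:key outputs #:allow-other-keys)
            (let ((out (assoc-ref outputs "out")))
              (invoke "./config"
                      "shared"          ;build shared libraries
                      "--libdir=lib"

                      ;; The default for this catch-all directory is
                      ;; PREFIX/ssl. Change that to something more
                      ;; conventional.
                      (string-append "--openssldir=" out
                                     "/share/openssl-" ,version)

                      (string-append "--prefix=" out)))))
         (add-after
          'install 'make-libraries-writable
          (lambda* (#:key outputs #:allow-other-keys)
            ;; Make libraries writable so that 'strip' does its job.
            (let ((out (assoc-ref outputs "out")))
              (for-each (lambda (file)
                          (chmod file #o644))
                        (find-files (string-append out "/lib")
                                    "\\.so"))
              #t)))
         (add-after 'install 'move-static-libraries
           (lambda* (#:key outputs #:allow-other-keys)
             ;; Move static libraries to the "static" output.
             (let* ((out (assoc-ref outputs "out"))
                    (lib (string-append out "/lib"))
                    (static (assoc-ref outputs "static"))
                    (slib (string-append static "/lib")))
               (for-each (lambda (file)
                           (install-file file slib)
                           (delete-file file))
                         (find-files lib "\\.a$"))
               #t)))
         (add-after 'install 'move-man3-pages
           (lambda* (#:key outputs #:allow-other-keys)
             ;; Move section 3 man pages to "doc".
             (let* ((out (assoc-ref outputs "out"))
                    (man3 (string-append out "/share/man/man3"))
                    (doc (assoc-ref outputs "doc"))
                    (target (string-append doc "/share/man/man3")))
               (mkdir-p target)
               (for-each (lambda (file)
                           (rename-file file
                                        (string-append target "/"
                                                       (basename file))))
                         (find-files man3))
               (delete-file-recursively man3)
               #t)))
         (add-before
          'patch-source-shebangs 'patch-tests
          (lambda* (#:key inputs native-inputs #:allow-other-keys)
            ;; The test scripts hard-code /bin/sh and /bin/rm, neither of
            ;; which exists in the build container.
            (let ((bash (assoc-ref (or native-inputs inputs) "bash")))
              (substitute* (find-files "test" ".*")
                (("/bin/sh")
                 (string-append bash "/bin/sh"))
                (("/bin/rm")
                 "rm"))
              #t)))
         (add-after
          'install 'remove-miscellany
          (lambda* (#:key outputs #:allow-other-keys)
            ;; The 'misc' directory contains random undocumented shell and Perl
            ;; scripts. Remove them to avoid retaining a reference on Perl.
            (let ((out (assoc-ref outputs "out")))
              (delete-file-recursively (string-append out "/share/openssl-"
                                                      ,version "/misc"))
              #t))))))
    ;; Both variables name a single location (no ':'-separated list), which
    ;; is what OpenSSL expects for its CA directory and CA bundle.
    (native-search-paths
     (list (search-path-specification
            (variable "SSL_CERT_DIR")
            (separator #f)              ;single entry
            (files '("etc/ssl/certs")))
           (search-path-specification
            (variable "SSL_CERT_FILE")
            (file-type 'regular)
            (separator #f)              ;single entry
            (files '("etc/ssl/certs/ca-certificates.crt")))))
    (synopsis "SSL/TLS implementation")
    (description
     "OpenSSL is an implementation of SSL/TLS.")
    (license license:openssl)
    (home-page "https://www.openssl.org/")))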
399
;; Grafted replacement for 'openssl': the same source plus the patch for
;; CVE-2019-1559.  Hidden so that only the graft mechanism refers to it.
(define-public openssl/fixed
  (hidden-package
   (package
     (inherit openssl)
     (source
      (let ((base (package-source openssl)))
        (origin
          (inherit base)
          (patches (append (origin-patches base)
                           (search-patches "openssl-CVE-2019-1559.patch")))))))))
408
;; OpenSSL 1.1.x, built from the 1.0.2 definition above with the phases that
;; no longer apply removed and a configure phase that passes -rpath directly.
(define-public openssl-next
  (package
    (inherit openssl)
    (name "openssl")
    (version "1.1.1c")
    (source (origin
              (method url-fetch)
              (uri (list (string-append "https://www.openssl.org/source/openssl-"
                                        version ".tar.gz")
                         (string-append "ftp://ftp.openssl.org/source/"
                                        "openssl-" version ".tar.gz")
                         (string-append "ftp://ftp.openssl.org/source/old/"
                                        (string-trim-right version char-set:letter)
                                        "/openssl-" version ".tar.gz")))
              ;; Only the c_rehash patch; the runpath patch is replaced by the
              ;; -Wl,-rpath argument given to ./config below.
              (patches (search-patches "openssl-1.1-c-rehash-in.patch"))
              (sha256
               (base32
                "142c7zdlz06hjrrvinb9f276czc78bnkyhd9xma621qmmmwk1yzn"))))
    (outputs '("out"
               "doc"        ; 6.8 MiB of man3 pages and full HTML documentation
               "static"))   ; 6.4 MiB of .a files
    (arguments
     (substitute-keyword-arguments (package-arguments openssl)
       ((#:phases phases)
        `(modify-phases ,phases
           (delete 'patch-tests)        ; These two phases are not needed by
           (delete 'patch-Makefile.org) ; OpenSSL 1.1.

           ;; Override configure phase since -rpath is now a configure option.
           (replace 'configure
             (lambda* (#:key outputs #:allow-other-keys)
               (let* ((out (assoc-ref outputs "out"))
                      (lib (string-append out "/lib")))
                 ;; It's not a shebang so patch-source-shebangs misses it.
                 (substitute* "config"
                   (("/usr/bin/env")
                    (string-append (assoc-ref %build-inputs "coreutils")
                                   "/bin/env")))
                 (invoke "./config"
                         "shared"       ;build shared libraries
                         "--libdir=lib"

                         ;; The default for this catch-all directory is
                         ;; PREFIX/ssl. Change that to something more
                         ;; conventional.
                         (string-append "--openssldir=" out
                                        "/share/openssl-" ,version)

                         (string-append "--prefix=" out)
                         ;; Embed the library directory so the shared
                         ;; objects are found without LD_LIBRARY_PATH.
                         (string-append "-Wl,-rpath," lib)))))

           ;; The inherited phase only moves man3; this one also moves the
           ;; HTML manual, so it replaces it.
           (delete 'move-man3-pages)
           (add-after 'install 'move-extra-documentation
             (lambda* (#:key outputs #:allow-other-keys)
               ;; Move man3 pages and full HTML documentation to "doc".
               (let* ((out (assoc-ref outputs "out"))
                      (man3 (string-append out "/share/man/man3"))
                      (html (string-append out "/share/doc/openssl"))
                      (doc (assoc-ref outputs "doc"))
                      (man-target (string-append doc "/share/man/man3"))
                      (html-target (string-append doc "/share/doc/openssl")))
                 (copy-recursively man3 man-target)
                 (delete-file-recursively man3)
                 (copy-recursively html html-target)
                 (delete-file-recursively html)
                 #t)))
           ;; XXX: Duplicate this phase to make sure 'version' evaluates
           ;; in the current scope and not the inherited one.
           (replace 'remove-miscellany
             (lambda* (#:key outputs #:allow-other-keys)
               ;; The 'misc' directory contains random undocumented shell and Perl
               ;; scripts. Remove them to avoid retaining a reference on Perl.
               (let ((out (assoc-ref outputs "out")))
                 (delete-file-recursively (string-append out "/share/openssl-"
                                                         ,version "/misc"))
                 #t)))))))))
485
(define-public libressl
  (package
    (name "libressl")
    (version "2.7.4")
    (home-page "https://www.libressl.org/")
    (source (origin
              (method url-fetch)
              (uri (string-append "mirror://openbsd/LibreSSL/" name "-"
                                  version ".tar.gz"))
              (sha256
               (base32
                "19kxa5i97q7p6rrps9qm0nd8zqhdjvzx02j72400c73cl2nryfhy"))))
    (build-system gnu-build-system)
    (arguments
     `(#:configure-flags
       (list
        ;; Pretend 'getentropy' is missing: older Linux kernels lack it and
        ;; libc then returns ENOSYS, which is not handled properly.  See
        ;; <https://lists.gnu.org/archive/html/guix-devel/2017-04/msg00235.html>.
        "ac_cv_func_getentropy=no"
        ;; Provide a TLS-enabled netcat.
        "--enable-nc")))
    (native-search-paths
     ;; FIXME: These two variables must designate a single file or directory
     ;; and are not actually "search paths." In practice it works OK in
     ;; user profiles because there's always just one item that matches the
     ;; specification.
     (list (search-path-specification
            (variable "SSL_CERT_DIR")
            (files '("etc/ssl/certs")))
           (search-path-specification
            (variable "SSL_CERT_FILE")
            (files '("etc/ssl/certs/ca-certificates.crt")))))
    (synopsis "SSL/TLS implementation")
    (description "LibreSSL is a version of the TLS/crypto stack, forked from
OpenSSL in 2014 with the goals of modernizing the codebase, improving security,
and applying best practice development processes. This package also includes a
netcat implementation that supports TLS.")
    ;; Files taken from OpenSSL keep their license, others are under various
    ;; non-copyleft licenses.
    (license (list license:openssl
                   (license:non-copyleft
                    "file://COPYING"
                    "See COPYING in the distribution.")))))
528
(define-public python-acme
  (package
    (name "python-acme")
    ;; Remember to update the hash of certbot when updating python-acme.
    (version "0.34.2")
    (source (origin
              (method url-fetch)
              (uri (pypi-uri "acme" version))
              (sha256
               (base32
                "0anwc102fmlva6x2k1bxrgdb7mi1jy9wgrqjzvk2nam8pky0snxx"))))
    (build-system python-build-system)
    (arguments
     `(#:phases
       (modify-phases %standard-phases
         (add-after 'build 'build-documentation
           (lambda _
             ;; Build the man page and Texinfo manual from the Sphinx sources.
             (invoke "make" "-C" "docs" "man" "info")))
         (add-after 'install 'install-documentation
           (lambda* (#:key outputs #:allow-other-keys)
             (let ((out (assoc-ref outputs "out")))
               ;; NOTE(review): the Info file goes to $out/info rather than
               ;; the usual $out/share/info; confirm that is intended.
               (install-file "docs/_build/texinfo/acme-python.info"
                             (string-append out "/info"))
               (install-file "docs/_build/man/acme-python.1"
                             (string-append out "/share/man/man1"))
               #t))))))
    ;; TODO: Add optional inputs for testing.
    (native-inputs
     `(("python-mock" ,python-mock)
       ("python-pytest" ,python-pytest)
       ;; For documentation
       ("python-sphinx" ,python-sphinx)
       ("python-sphinxcontrib-programoutput" ,python-sphinxcontrib-programoutput)
       ("python-sphinx-rtd-theme" ,python-sphinx-rtd-theme)
       ("texinfo" ,texinfo)))
    (propagated-inputs
     `(("python-josepy" ,python-josepy)
       ("python-six" ,python-six)
       ("python-requests" ,python-requests)
       ("python-requests-toolbelt" ,python-requests-toolbelt)
       ("python-pytz" ,python-pytz)
       ("python-pyrfc3339" ,python-pyrfc3339)
       ("python-pyasn1" ,python-pyasn1)
       ("python-cryptography" ,python-cryptography)
       ("python-pyopenssl" ,python-pyopenssl)))
    (home-page "https://github.com/certbot/certbot")
    (synopsis "ACME protocol implementation in Python")
    (description "ACME protocol implementation in Python")
    (license license:asl2.0)))
578
(define-public certbot
  (package
    (name "certbot")
    ;; Certbot and python-acme are developed in the same repository, and their
    ;; versions should remain synchronized.
    (version (package-version python-acme))
    (source (origin
              (method url-fetch)
              (uri (pypi-uri name version))
              (sha256
               (base32
                "1fy91rnq4wwblp5gi2qb2c3xk6j2w1maf5f52228pk8cn7f2swrh"))))
    (build-system python-build-system)
    (arguments
     ;; Reuse python-acme's build, swapping in certbot's own documentation
     ;; installation step.
     (substitute-keyword-arguments (package-arguments python-acme)
       ((#:phases phases)
        `(modify-phases ,phases
           (replace 'install-documentation
             (lambda* (#:key outputs #:allow-other-keys)
               (let ((out (assoc-ref outputs "out")))
                 ;; NOTE(review): the Info file goes to $out/info rather
                 ;; than the usual $out/share/info; confirm that is intended.
                 (install-file "docs/_build/texinfo/Certbot.info"
                               (string-append out "/info"))
                 (install-file "docs/_build/man/certbot.1"
                               (string-append out "/share/man/man1"))
                 (install-file "docs/_build/man/certbot.7"
                               (string-append out "/share/man/man7"))
                 #t)))))))
    ;; TODO: Add optional inputs for testing.
    (native-inputs
     `(("python-mock" ,python-mock)
       ("python-pytest" ,python-pytest)
       ;; For documentation
       ("python-sphinx" ,python-sphinx)
       ("python-sphinx-rtd-theme" ,python-sphinx-rtd-theme)
       ("python-sphinx-repoze-autointerface" ,python-sphinx-repoze-autointerface)
       ("python-sphinxcontrib-programoutput" ,python-sphinxcontrib-programoutput)
       ("texinfo" ,texinfo)))
    (propagated-inputs
     `(("python-acme" ,python-acme)
       ("python-cryptography" ,python-cryptography)
       ("python-zope-interface" ,python-zope-interface)
       ("python-pyrfc3339" ,python-pyrfc3339)
       ("python-pyopenssl" ,python-pyopenssl)
       ("python-configobj" ,python-configobj)
       ("python-configargparse" ,python-configargparse)
       ("python-zope-component" ,python-zope-component)
       ("python-parsedatetime" ,python-parsedatetime)
       ("python-six" ,python-six)
       ("python-psutil" ,python-psutil)
       ("python-requests" ,python-requests)
       ("python-pytz" ,python-pytz)))
    (home-page "https://certbot.eff.org/")
    (synopsis "Let's Encrypt client by the Electronic Frontier Foundation")
    (description "Certbot automatically receives and installs X.509 certificates
to enable Transport Layer Security (TLS) on servers. It interoperates with the
Let’s Encrypt certificate authority (CA), which issues browser-trusted
certificates for free.")
    (license license:asl2.0)))
637
;; Old name of the client; the 'superseded' property makes 'guix package'
;; steer users to 'certbot'.
(define-public letsencrypt
  (package (inherit certbot)
    (name "letsencrypt")
    (properties `((superseded . ,certbot)))))
642
(define-public perl-net-ssleay
  (package
    (name "perl-net-ssleay")
    (version "1.85")
    (home-page "https://metacpan.org/release/Net-SSLeay")
    (source (origin
              (method url-fetch)
              (uri (string-append "mirror://cpan/authors/id/M/MI/MIKEM/"
                                  "Net-SSLeay-" version ".tar.gz"))
              (sha256
               (base32
                "1j5h4ycm8538397l204d2d5fkm9595aj174pj7bkpbhwzfwqi0cx"))))
    (build-system perl-build-system)
    (inputs `(("openssl" ,openssl)))
    (arguments
     `(#:phases
       (modify-phases %standard-phases
         (add-before 'configure 'set-ssl-prefix
           (lambda* (#:key inputs #:allow-other-keys)
             ;; Makefile.PL reads OPENSSL_PREFIX to locate the OpenSSL it
             ;; links against.
             (let ((openssl (assoc-ref inputs "openssl")))
               (setenv "OPENSSL_PREFIX" openssl)
               #t))))))
    (synopsis "Perl extension for using OpenSSL")
    (description
     "This module offers some high level convenience functions for accessing
web pages on SSL servers (for symmetry, the same API is offered for accessing
http servers, too), an sslcat() function for writing your own clients, and
finally access to the SSL api of the SSLeay/OpenSSL package so you can write
servers or clients for more complicated applications.")
    (license license:perl-license)))
673
(define-public perl-crypt-openssl-rsa
  (package
    (name "perl-crypt-openssl-rsa")
    (version "0.31")
    (home-page "https://metacpan.org/release/Crypt-OpenSSL-RSA")
    (source
     (origin
       (method url-fetch)
       (uri (string-append "mirror://cpan/authors/id/T/TO/TODDR/"
                           "Crypt-OpenSSL-RSA-" version ".tar.gz"))
       (sha256
        (base32
         "0djl5i6kibl7862b6ih29q8dhg5zpwzq77q9j8hp6xngshx40ws1"))))
    (build-system perl-build-system)
    (native-inputs
     `(("perl-crypt-openssl-guess" ,perl-crypt-openssl-guess)))
    (inputs
     `(("perl-crypt-openssl-bignum" ,perl-crypt-openssl-bignum)
       ("perl-crypt-openssl-random" ,perl-crypt-openssl-random)
       ("openssl" ,openssl)))
    ;; Shared Makefile.PL fix-up used by all the Crypt::OpenSSL modules.
    (arguments perl-crypt-arguments)
    (synopsis "RSA encoding and decoding, using the openSSL libraries")
    (description "Crypt::OpenSSL::RSA does RSA encoding and decoding (using the
OpenSSL libraries).")
    (license license:perl-license)))
703
;; Build arguments shared by the Crypt::OpenSSL::* packages: rewrite the
;; 'LIBS' entry of Makefile.PL so libcrypto is taken from the "openssl"
;; input instead of whatever the module's own heuristics find.
(define perl-crypt-arguments
  `(#:phases
    (modify-phases %standard-phases
      (add-before 'configure 'patch-Makefile.PL
        (lambda* (#:key inputs #:allow-other-keys)
          (let ((openssl (assoc-ref inputs "openssl")))
            (substitute* "Makefile.PL"
              (("'LIBS'.*=>.*")
               (string-append "'LIBS' => ['-L" openssl "/lib -lcrypto'],")))
            #t))))))
713
(define-public perl-crypt-openssl-bignum
  (package
    (name "perl-crypt-openssl-bignum")
    (version "0.09")
    (home-page "https://metacpan.org/release/Crypt-OpenSSL-Bignum")
    (source
     (origin
       (method url-fetch)
       (uri (string-append "mirror://cpan/authors/id/K/KM/KMX/"
                           "Crypt-OpenSSL-Bignum-" version ".tar.gz"))
       (sha256
        (base32
         "1p22znbajq91lbk2k3yg12ig7hy5b4vy8igxwqkmbm4nhgxp4ki3"))))
    (build-system perl-build-system)
    (inputs `(("openssl" ,openssl)))
    ;; Shared Makefile.PL fix-up used by all the Crypt::OpenSSL modules.
    (arguments perl-crypt-arguments)
    (synopsis "OpenSSL's multiprecision integer arithmetic in Perl")
    (description "Crypt::OpenSSL::Bignum provides multiprecision integer
arithmetic in Perl.")
    ;; At your option either gpl1+ or the Artistic License
    (license license:perl-license)))
739
(define-public perl-crypt-openssl-guess
  (package
    (name "perl-crypt-openssl-guess")
    (version "0.11")
    (home-page "https://metacpan.org/release/Crypt-OpenSSL-Guess")
    (source
     (origin
       (method url-fetch)
       (uri (string-append "mirror://cpan/authors/id/A/AK/AKIYM/"
                           "Crypt-OpenSSL-Guess-" version ".tar.gz"))
       (sha256
        (base32
         "0rvi9l4ljcbhwwvspq019nfq2h2v746dk355h2nwnlmqikiihsxa"))))
    ;; Pure Perl; no OpenSSL input is needed to build it.
    (build-system perl-build-system)
    (synopsis "Guess the OpenSSL include path")
    (description
     "The Crypt::OpenSSL::Guess Perl module provides helpers to guess the
correct OpenSSL include path. It is intended for use in your
@file{Makefile.PL}.")
    (license license:perl-license)))
761
(define-public perl-crypt-openssl-random
  (package
    (name "perl-crypt-openssl-random")
    (version "0.15")
    (home-page "https://metacpan.org/release/Crypt-OpenSSL-Random")
    (source
     (origin
       (method url-fetch)
       (uri (string-append "mirror://cpan/authors/id/R/RU/RURBAN/"
                           "Crypt-OpenSSL-Random-" version ".tar.gz"))
       (sha256
        (base32 "1x6ffps8q7mnawmcfq740llzy7i10g3319vap0wiw4d33fm6z1zh"))))
    (build-system perl-build-system)
    (native-inputs
     `(("perl-crypt-openssl-guess" ,perl-crypt-openssl-guess)))
    (inputs
     `(("openssl" ,openssl)))
    ;; Shared Makefile.PL fix-up used by all the Crypt::OpenSSL modules.
    (arguments perl-crypt-arguments)
    (synopsis "OpenSSL/LibreSSL pseudo-random number generator access")
    (description "Crypt::OpenSSL::Random is a OpenSSL/LibreSSL pseudo-random
number generator")
    (license license:perl-license)))
788
(define-public acme-client
  (package
    (name "acme-client")
    (version "0.1.16")
    (home-page "https://kristaps.bsd.lv/acme-client/")
    (source (origin
              (method url-fetch)
              (uri (string-append "https://kristaps.bsd.lv/" name
                                  "/snapshots/" name "-portable-" version
                                  ".tgz"))
              (sha256
               (base32
                "00q05b3b1dfnfp7sr1nbd212n0mqrycl3cr9lbs51m7ncaihbrz9"))))
    (build-system gnu-build-system)
    (arguments
     '(#:tests? #f                      ; no test suite
       #:make-flags
       (list "CC=gcc"
             (string-append "PREFIX=" (assoc-ref %outputs "out")))
       #:phases
       (modify-phases %standard-phases
         (delete 'configure)            ; no './configure' script
         (add-after 'unpack 'patch-paths
           (lambda* (#:key inputs #:allow-other-keys)
             ;; The CA bundle used to verify the ACME server is the cert.pem
             ;; shipped by the libressl input, not the system /etc/ssl one,
             ;; so it is updated by rebuilding rather than by the host.
             (substitute* "http.c"
               (("/etc/ssl/cert.pem")
                (string-append (assoc-ref inputs "libressl")
                               "/etc/ssl/cert.pem")))
             #t)))))
    (native-inputs
     `(("pkg-config" ,pkg-config)))
    (inputs
     `(("libbsd" ,libbsd)
       ("libressl" ,libressl)))
    (synopsis "Let's Encrypt client by the OpenBSD project")
    (description "acme-client is a Let's Encrypt client implemented in C. It
uses a modular design, and attempts to secure itself by dropping privileges and
operating in a chroot where possible. acme-client is developed on OpenBSD and
then ported to the GNU / Linux environment.")
    ;; acme-client is distributed under the ISC license, but the files 'jsmn.h'
    ;; and 'jsmn.c' are distributed under the Expat license.
    (license (list license:isc license:expat))))
831
;; The "-apache" variant is the one preferred upstream.  A "-gpl" variant
;; exists in addition to the "-apache" one.
(define-public mbedtls-apache
  (package
    (name "mbedtls-apache")
    (version "2.16.1")
    (home-page "https://tls.mbed.org")
    (source
     (origin
       (method url-fetch)
       ;; XXX: The download links on the website are script redirection links
       ;; which effectively lead to the format listed in the uri here.
       (uri (string-append "https://tls.mbed.org/download/mbedtls-" version
                           "-apache.tgz"))
       (sha256
        (base32
         "08zz88gcb2jmpfsgy5b6qc3li6l39yw1dbimd18aziyd889nvl7b"))))
    (build-system cmake-build-system)
    ;; Build the shared library in addition to the static one.
    (arguments
     '(#:configure-flags
       (list "-DUSE_SHARED_MBEDTLS_LIBRARY=ON")))
    (native-inputs
     `(("perl" ,perl)
       ("python" ,python)))
    (synopsis "Small TLS library")
    (description
     "@code{mbed TLS}, formerly known as PolarSSL, makes it trivially easy
for developers to include cryptographic and SSL/TLS capabilities in their
(embedded) products, facilitating this functionality with a minimal
coding footprint.")
    (license license:asl2.0)))
863
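;; The Hiawatha Web server requires some specific features to be enabled.
(define-public mbedtls-for-hiawatha
  (hidden-package
   (package
     (inherit mbedtls-apache)
     (arguments
      ;; The former 'substitute-keyword-arguments' wrapper had no clauses and
      ;; so returned this list unchanged; build it directly instead.  The
      ;; inherited arguments are spliced in after the extra phase and must
      ;; not themselves carry a #:phases entry.
      `(#:phases
        (modify-phases %standard-phases
          (add-after 'configure 'configure-extra-features
            (lambda _
              ;; Turn on the threading feature flags via upstream's
              ;; config script.
              (for-each (lambda (feature)
                          (invoke "scripts/config.pl" "set" feature))
                        (list "MBEDTLS_THREADING_C"
                              "MBEDTLS_THREADING_PTHREAD"))
              #t)))
        ,@(package-arguments mbedtls-apache))))))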
881
;; Dehydrated is a single Bash script, so it is unpacked and installed by a
;; trivial builder rather than a full build system.
(define-public dehydrated
  (package
    (name "dehydrated")
    (version "0.6.2")
    (source (origin
              (method url-fetch)
              (uri (string-append
                    "https://github.com/lukas2511/dehydrated/releases/download/"
                    "v" version "/dehydrated-" version ".tar.gz"))
              (sha256
               (base32
                "03p80yj6bnzjc6dkp5hb9wpplmlrla8n5src71cnzw4rj53q8cqn"))))
    (build-system trivial-build-system)
    (arguments
     `(#:modules ((guix build utils))
       #:builder
       (begin
         (use-modules (guix build utils))
         (let* ((source (assoc-ref %build-inputs "source"))
                (tar (assoc-ref %build-inputs "tar"))
                (gz (assoc-ref %build-inputs "gzip"))
                (out (assoc-ref %outputs "out"))
                (bin (string-append out "/bin"))
                (doc (string-append out "/share/doc/"))
                (bash (in-vicinity (assoc-ref %build-inputs "bash") "bin")))

           ;; tar needs gzip on PATH to unpack the .tar.gz.
           (setenv "PATH" (string-append gz "/bin"))
           (invoke (string-append tar "/bin/tar") "xvf" source)
           ;; ,name and ,version are unquoted at package-definition time.
           (chdir (string-append ,name "-" ,version))

           (install-file "dehydrated" bin)
           (install-file "LICENSE" (string-append doc ,name "-" ,version))
           (with-directory-excursion bin
             (patch-shebang "dehydrated" (list bash))

             ;; Do not try to write in the store.
             (substitute* "dehydrated"
               (("SCRIPTDIR=\"\\$.*\"") "SCRIPTDIR=~/.dehydrated"))

             ;; wrap-program needs a shell; restrict PATH to bash's bin.
             (setenv "PATH" bash)
             ;; The wrapper pins the tools the script calls (including
             ;; openssl) to the build inputs, ahead of anything on the
             ;; user's PATH.  The inner quasiquote is evaluated in the
             ;; build environment, where %build-inputs is available.
             (wrap-program "dehydrated"
               `("PATH" ":" prefix
                 ,(map (lambda (dir)
                         (string-append dir "/bin"))
                       (map (lambda (input)
                              (assoc-ref %build-inputs input))
                            '("coreutils"
                              "curl"
                              "diffutils"
                              "gawk"
                              "grep"
                              "openssl"
                              "sed"))))))
           #t))))
    (inputs
     `(("bash" ,bash)
       ("coreutils" ,coreutils)
       ("curl" ,curl)
       ("diffutils" ,diffutils)
       ("gawk" ,gawk)
       ("grep" ,grep)
       ("openssl" ,openssl)
       ("sed" ,sed)))
    (native-inputs
     `(("gzip" ,gzip)
       ("tar" ,tar)))
    (home-page "https://dehydrated.io/")
    (synopsis "Let's Encrypt/ACME client implemented as a shell script")
    (description "Dehydrated is a client for signing certificates with an
ACME-server (currently only provided by Let's Encrypt) implemented as a
relatively simple Bash script.")
    (license license:expat)))