1 ;;; GNU Guix --- Functional package management for GNU
2 ;;; Copyright © 2012, 2013, 2014, 2015, 2016, 2017, 2019, 2020 Ludovic Courtès <ludo@gnu.org>
3 ;;; Copyright © 2014, 2015, 2016, 2017, 2018, 2021 Mark H Weaver <mhw@netris.org>
4 ;;; Copyright © 2014 Ian Denhardt <ian@zenhack.net>
5 ;;; Copyright © 2013, 2015 Andreas Enge <andreas@enge.fr>
6 ;;; Copyright © 2015 David Thompson <davet@gnu.org>
7 ;;; Copyright © 2015, 2016, 2017, 2018, 2019, 2020 Leo Famulari <leo@famulari.name>
8 ;;; Copyright © 2016, 2017, 2019 Efraim Flashner <efraim@flashner.co.il>
9 ;;; Copyright © 2016, 2017, 2018 Nikita <nikita@n0.is>
10 ;;; Copyright © 2016 Hartmut Goebel <h.goebel@crazy-compilers.com>
11 ;;; Copyright © 2017 Ricardo Wurmus <rekado@elephly.net>
12 ;;; Copyright © 2017, 2018, 2019, 2020 Marius Bakke <mbakke@fastmail.com>
13 ;;; Copyright © 2017–2019, 2021 Tobias Geerinckx-Rice <me@tobias.gr>
14 ;;; Copyright © 2017 Rutger Helling <rhelling@mykolab.com>
15 ;;; Copyright © 2018 Clément Lassieur <clement@lassieur.org>
16 ;;; Copyright © 2019 Mathieu Othacehe <m.othacehe@gmail.com>
17 ;;; Copyright © 2020 Jan (janneke) Nieuwenhuizen <janneke@gnu.org>
18 ;;;
19 ;;; This file is part of GNU Guix.
20 ;;;
21 ;;; GNU Guix is free software; you can redistribute it and/or modify it
22 ;;; under the terms of the GNU General Public License as published by
23 ;;; the Free Software Foundation; either version 3 of the License, or (at
24 ;;; your option) any later version.
25 ;;;
26 ;;; GNU Guix is distributed in the hope that it will be useful, but
27 ;;; WITHOUT ANY WARRANTY; without even the implied warranty of
28 ;;; MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
29 ;;; GNU General Public License for more details.
30 ;;;
31 ;;; You should have received a copy of the GNU General Public License
32 ;;; along with GNU Guix. If not, see <http://www.gnu.org/licenses/>.
33
;;; Package definitions for the TLS stack: ASN.1 tooling (libtasn1, asn1c),
;;; PKCS#11 glue (p11-kit), the TLS libraries themselves (GnuTLS, OpenSSL,
;;; LibreSSL), ACME clients (certbot, acme-client) and the Perl bindings to
;;; OpenSSL.
(define-module (gnu packages tls)
  #:use-module ((guix licenses) #:prefix license:)
  #:use-module (guix packages)
  #:use-module (guix download)
  #:use-module (guix git-download)
  #:use-module (guix utils)
  #:use-module (guix build-system gnu)
  #:use-module (guix build-system go)
  #:use-module (guix build-system perl)
  #:use-module (guix build-system python)
  #:use-module (guix build-system cmake)
  #:use-module (guix build-system trivial)
  #:use-module (gnu packages compression)
  #:use-module (gnu packages)
  #:use-module (gnu packages bash)
  #:use-module (gnu packages check)
  #:use-module (gnu packages curl)
  #:use-module (gnu packages dns)
  #:use-module (gnu packages gawk)
  #:use-module (gnu packages guile)
  #:use-module (gnu packages hurd)
  #:use-module (gnu packages libbsd)
  #:use-module (gnu packages libffi)
  #:use-module (gnu packages libidn)
  #:use-module (gnu packages linux)
  #:use-module (gnu packages ncurses)
  #:use-module (gnu packages nettle)
  #:use-module (gnu packages perl)
  #:use-module (gnu packages pkg-config)
  #:use-module (gnu packages python)
  #:use-module (gnu packages python-crypto)
  #:use-module (gnu packages python-web)
  #:use-module (gnu packages python-xyz)
  #:use-module (gnu packages sphinx)
  #:use-module (gnu packages texinfo)
  #:use-module (gnu packages time)
  #:use-module (gnu packages base)
  #:use-module (srfi srfi-1))
72
(define-public libtasn1
  ;; GNU libtasn1: ASN.1 structure parsing and DER/BER encoding.
  (package
    (name "libtasn1")
    (version "4.16.0")
    (source (origin
              (method url-fetch)
              (uri (string-append "mirror://gnu/libtasn1/libtasn1-" version
                                  ".tar.gz"))
              (sha256
               (base32
                "179jskl7dmfp1rd2khkzmlibzgki4wi6hvmmwfv7q49r728b03qf"))))
    (build-system gnu-build-system)
    ;; Only the shared library is wanted; skip building the static archive.
    (arguments `(#:configure-flags '("--disable-static")))
    (native-inputs `(("perl" ,perl)))
    (synopsis "ASN.1 library")
    (description
     "GNU libtasn1 is a library implementing the ASN.1 notation. It is used
for transmitting machine-neutral encodings of data objects in computer
networking, allowing for formal validation of data according to some
specifications.")
    (home-page "https://www.gnu.org/software/libtasn1/")
    (license license:lgpl2.0+)))
97
(define-public asn1c
  ;; The asn1c compiler: turns ASN.1 modules into C source code.
  (package
    (name "asn1c")
    (version "0.9.28")
    (source
     (origin
       (method url-fetch)
       (uri (string-append "https://lionet.info/soft/asn1c-" version
                           ".tar.gz"))
       (sha256
        (base32
         "1fc64g45ykmv73kdndr4zdm4wxhimhrir4rxnygxvwkych5l81w0"))))
    (build-system gnu-build-system)
    (native-inputs `(("perl" ,perl)))
    (synopsis "ASN.1 to C compiler")
    (description "The ASN.1 to C compiler takes ASN.1 module
files and generates C++ compatible C source code. That code can be
used to serialize the native C structures into compact and unambiguous
BER/XER/PER-based data files, and deserialize the files back.

Various ASN.1 based formats are widely used in the industry, such as to encode
the X.509 certificates employed in the HTTPS handshake, to exchange control
data between mobile phones and cellular networks, to car-to-car communication
in intelligent transportation networks.")
    (home-page "https://lionet.info/asn1c")
    (license license:bsd-2)))
124
(define-public p11-kit
  ;; p11-kit: loading, enumeration and coordination of PKCS#11 modules.
  (package
    (name "p11-kit")
    (version "0.23.22")
    (source
     (origin
       (method url-fetch)
       (uri (string-append "https://github.com/p11-glue/p11-kit/releases/"
                           "download/" version "/p11-kit-" version ".tar.xz"))
       (sha256
        (base32 "1dn6br4v033d3gp2max9lsr3y4q0nj6iyr1yq3kzi8ym7lal13wa"))))
    (build-system gnu-build-system)
    (arguments
     ;; No default trust paths are compiled into the library.
     `(#:configure-flags '("--without-trust-paths")
       #:phases
       (modify-phases %standard-phases
         (add-before 'check 'prepare-tests
           (lambda _
             ;; test-runtime needs XDG_RUNTIME_DIR and looks for .cache and
             ;; similar directories, none of which exist in the build
             ;; container.  Drop it from the test list instead of faking them.
             (substitute* "Makefile"
               (("test-runtime\\$\\(EXEEXT\\)") ""))
             #t)))))
    (inputs
     `(("libffi" ,libffi)
       ("libtasn1" ,libtasn1)))
    (native-inputs
     `(("pkg-config" ,pkg-config)))
    (synopsis "PKCS#11 library")
    (description
     "p11-kit provides a way to load and enumerate PKCS#11 modules. It
provides a standard configuration setup for installing PKCS#11 modules
in such a way that they are discoverable. It also solves problems with
coordinating the use of PKCS#11 by different components or libraries
living in the same process.")
    (home-page "https://p11-glue.freedesktop.org/p11-kit.html")
    (license license:bsd-3)))
163
;; GnuTLS 3.6.  Security fixes are delivered as a graft through the
;; 'replacement' field; see GNUTLS/FIXED below.
(define-public gnutls
  (package
    (name "gnutls")
    (version "3.6.15")
    (replacement gnutls/fixed)
    (source (origin
              (method url-fetch)
              ;; Note: Releases are no longer on ftp.gnu.org since the
              ;; schism (after version 3.1.5).
              (uri (string-append "mirror://gnupg/gnutls/v"
                                  (version-major+minor version)
                                  "/gnutls-" version ".tar.xz"))
              (patches (search-patches "gnutls-skip-trust-store-test.patch"
                                       "gnutls-cross.patch"))
              (sha256
               (base32
                "0n0m93ymzd0q9hbknxc2ycanz49sqlkyyf73g9fk7n787llc7a0f"))))
    (build-system gnu-build-system)
    (arguments
     ;; The test suite is skipped when cross-compiling or targeting the Hurd.
     `(#:tests? ,(not (or (%current-target-system)
                          (hurd-target?)))
       ;; Ensure we don't keep a reference to net-tools.
       #:disallowed-references ,(if (hurd-target?) '() (list net-tools))
       #:configure-flags
       (list
        ;; GnuTLS doesn't consult any environment variables to specify
        ;; the location of the system-wide trust store. Instead it has a
        ;; configure-time option. Unless specified, its configure script
        ;; attempts to auto-detect the location by looking for common
        ;; places in the file system, none of which are present in our
        ;; chroot build environment. If not found, then no default trust
        ;; store is used, so each program has to provide its own
        ;; fallback, and users have to configure each program
        ;; independently. This seems suboptimal.
        ;; NOTE(review): nothing in this package populates that directory;
        ;; it has to be provided by the running system.
        "--with-default-trust-store-dir=/etc/ssl/certs"

        ;; Tell the build system that we want Guile bindings installed to
        ;; the output instead of Guile's own module directory.
        (string-append "--with-guile-site-dir="
                       "$(datarootdir)/guile/site/$(GUILE_EFFECTIVE_VERSION)")
        (string-append "--with-guile-site-ccache-dir="
                       "$(libdir)/guile/$(GUILE_EFFECTIVE_VERSION)/site-ccache")
        (string-append "--with-guile-extension-dir="
                       "$(libdir)/guile/$(GUILE_EFFECTIVE_VERSION)/extensions")

        ;; FIXME: Temporarily disable p11-kit support since it is not
        ;; working on mips64el.
        ;; NOTE(review): without p11-kit, the directory-based trust store
        ;; configured above is the only trust source -- confirm this is
        ;; still intended.
        "--without-p11-kit")

       #:phases (modify-phases %standard-phases
                  (add-after
                   'install 'move-doc
                   (lambda* (#:key outputs #:allow-other-keys)
                     ;; Copy the 4.1 MiB of section 3 man pages to "doc".
                     (let* ((out (assoc-ref outputs "out"))
                            (doc (assoc-ref outputs "doc"))
                            (mandir (string-append doc "/share/man/man3"))
                            (oldman (string-append out "/share/man/man3")))
                       (mkdir-p mandir)
                       (copy-recursively oldman mandir)
                       (delete-file-recursively oldman)
                       #t))))))
    (outputs '("out"                    ;4.4 MiB
               "debug"
               "doc"))                  ;4.1 MiB of man pages
    (native-inputs
     `(,@(if (%current-target-system)   ;for cross-build
             `(("guile" ,guile-3.0))    ;to create .go files
             '())
       ,@(if (hurd-target?)
             '()
             `(("net-tools" ,net-tools)))
       ("pkg-config" ,pkg-config)
       ("which" ,which)
       ,@(if (hurd-target?) '()
             `(("datefudge" ,datefudge))) ;tests rely on 'datefudge'
       ("util-linux" ,util-linux)))     ;one test needs 'setsid'
    (inputs
     `(("guile" ,guile-3.0)))
    (propagated-inputs
     ;; These are all in the 'Requires.private' field of gnutls.pc.
     `(("libtasn1" ,libtasn1)
       ("libidn2" ,libidn2)
       ("nettle" ,nettle)
       ("zlib" ,zlib)))
    (home-page "https://www.gnu.org/software/gnutls/")
    (synopsis "Transport layer security library")
    (description
     "GnuTLS is a secure communications library implementing the SSL, TLS
and DTLS protocols. It is provided in the form of a C library to support the
protocols, as well as to parse and write X.509, PKCS #12, OpenPGP and other
required structures.")
    (license license:lgpl2.1+)
    ;; Used by the updater to locate new releases.
    (properties '((ftp-server . "ftp.gnutls.org")
                  (ftp-directory . "/gcrypt/gnutls")))))
259
(define gnutls/fixed
  ;; Grafted replacement for GNUTLS: the same source with the
  ;; CVE-2021-20231 and CVE-2021-20232 patches applied ahead of the
  ;; inherited ones.
  (let ((base (package-source gnutls)))
    (package
      (inherit gnutls)
      (source (origin
                (inherit base)
                (patches (append (search-patches "gnutls-CVE-2021-20231.patch"
                                                 "gnutls-CVE-2021-20232.patch")
                                 (origin-patches base))))))))
268
(define-public gnutls/guile-2.0
  ;; GnuTLS with its Guile bindings built against Guile 2.0 instead of 3.0.
  (package/inherit gnutls
    (name "guile2.0-gnutls")
    (inputs `(("guile" ,guile-2.0)
              ,@(alist-delete "guile" (package-inputs gnutls))))))
275
(define-public gnutls/dane
  ;; GnuTLS built together with libgnutls-dane, which implements DNS-based
  ;; Authentication of Named Entities (DANE).  GNUnet and gnURL need it for
  ;; GNS.  It is a separate package so that users can pick GnuTLS with or
  ;; without DANE support.
  (package/inherit gnutls
    (name "gnutls-dane")
    (inputs `(("unbound" ,unbound)
              ,@(package-inputs gnutls)))))
285
(define-public guile2.2-gnutls
  ;; GnuTLS with its Guile bindings built against Guile 2.2 instead of 3.0.
  (package/inherit gnutls
    (name "guile2.2-gnutls")
    (inputs `(("guile" ,guile-2.2)
              ,@(alist-delete "guile" (package-inputs gnutls))))))
292
(define-public guile3.0-gnutls
  ;; Deprecated alias: GNUTLS itself is now built with Guile 3.0 bindings.
  (deprecated-package "guile3.0-gnutls" gnutls))
295
;; OpenSSL 1.1.  Security updates are delivered as a graft through the
;; 'replacement' field; see OPENSSL/FIXED below.
(define-public openssl
  (package
    (name "openssl")
    (replacement openssl/fixed)
    (version "1.1.1i")
    (source (origin
              (method url-fetch)
              ;; Three mirrors: current release, FTP copy and the "old"
              ;; FTP directory that keeps releases after they are superseded.
              (uri (list (string-append "https://www.openssl.org/source/openssl-"
                                        version ".tar.gz")
                         (string-append "ftp://ftp.openssl.org/source/"
                                        "openssl-" version ".tar.gz")
                         (string-append "ftp://ftp.openssl.org/source/old/"
                                        (string-trim-right version char-set:letter)
                                        "/openssl-" version ".tar.gz")))
              (patches (search-patches "openssl-1.1-c-rehash-in.patch"))
              (sha256
               (base32
                "0hjj1phcwkz69lx1lrvr9grhpl4y529mwqycqc1hdla1zqsnmgp8"))))
    (build-system gnu-build-system)
    (outputs '("out"
               "doc"        ;6.8 MiB of man3 pages and full HTML documentation
               "static"))   ;6.4 MiB of .a files
    (native-inputs `(("perl" ,perl)))
    (arguments
     `(#:parallel-tests? #f
       #:test-target "test"

       ;; Changes to OpenSSL sometimes cause Perl to "sneak in" to the closure,
       ;; so we explicitly disallow it here.
       #:disallowed-references ,(list (canonical-package perl))
       #:phases
       (modify-phases %standard-phases
         ,@(if (%current-target-system)
               '((add-before
                  'configure 'set-cross-compile
                  (lambda* (#:key target outputs #:allow-other-keys)
                    ;; Map the GNU target triplet onto the OpenSSL target
                    ;; name expected by ./Configure.
                    ;; NOTE(review): the 'cond' below has no fall-through
                    ;; clause, so a triplet outside this list makes 'setenv'
                    ;; fail with a type error rather than a clear message.
                    (setenv "CROSS_COMPILE" (string-append target "-"))
                    (setenv "CONFIGURE_TARGET_ARCH"
                            (cond
                             ((string-prefix? "i586" target)
                              "hurd-x86")
                             ((string-prefix? "i686" target)
                              "linux-x86")
                             ((string-prefix? "x86_64" target)
                              "linux-x86_64")
                             ((string-prefix? "mips64el" target)
                              "linux-mips64")
                             ((string-prefix? "arm" target)
                              "linux-armv4")
                             ((string-prefix? "aarch64" target)
                              "linux-aarch64")
                             ((string-prefix? "powerpc64le" target)
                              "linux-ppc64le")
                             ((string-prefix? "powerpc64" target)
                              "linux-ppc64")
                             ((string-prefix? "powerpc" target)
                              "linux-ppc")))
                    #t)))
               '())
         (replace 'configure
           (lambda* (#:key outputs #:allow-other-keys)
             (let* ((out (assoc-ref outputs "out"))
                    (lib (string-append out "/lib")))
               ;; It's not a shebang so patch-source-shebangs misses it.
               (substitute* "config"
                 (("/usr/bin/env")
                  (string-append (assoc-ref %build-inputs "coreutils")
                                 "/bin/env")))
               ;; Native builds use the auto-detecting ./config wrapper;
               ;; cross builds call ./Configure with the explicit target
               ;; computed in 'set-cross-compile'.
               (invoke ,@(if (%current-target-system)
                             '("./Configure")
                             '("./config"))
                       "shared"         ;build shared libraries
                       "--libdir=lib"

                       ;; The default for this catch-all directory is
                       ;; PREFIX/ssl. Change that to something more
                       ;; conventional.
                       (string-append "--openssldir=" out
                                      "/share/openssl-"
                                      ,(package-version this-package))

                       (string-append "--prefix=" out)
                       ;; Record the library directory in the run-time
                       ;; search path of the binaries so the shared objects
                       ;; resolve without any loader configuration.
                       (string-append "-Wl,-rpath," lib)
                       ,@(if (%current-target-system)
                             '((getenv "CONFIGURE_TARGET_ARCH"))
                             '())))))
         (add-after 'install 'move-static-libraries
           (lambda* (#:key outputs #:allow-other-keys)
             ;; Move static libraries to the "static" output.
             (let* ((out (assoc-ref outputs "out"))
                    (lib (string-append out "/lib"))
                    (static (assoc-ref outputs "static"))
                    (slib (string-append static "/lib")))
               (for-each (lambda (file)
                           (install-file file slib)
                           (delete-file file))
                         (find-files lib "\\.a$"))
               #t)))
         (add-after 'install 'move-extra-documentation
           (lambda* (#:key outputs #:allow-other-keys)
             ;; Move man3 pages and full HTML documentation to "doc".
             (let* ((out (assoc-ref outputs "out"))
                    (man3 (string-append out "/share/man/man3"))
                    (html (string-append out "/share/doc/openssl"))
                    (doc (assoc-ref outputs "doc"))
                    (man-target (string-append doc "/share/man/man3"))
                    (html-target (string-append doc "/share/doc/openssl")))
               (copy-recursively man3 man-target)
               (delete-file-recursively man3)
               (copy-recursively html html-target)
               (delete-file-recursively html)
               #t)))
         (add-after
          'install 'remove-miscellany
          (lambda* (#:key outputs #:allow-other-keys)
            ;; The 'misc' directory contains random undocumented shell and Perl
            ;; scripts. Remove them to avoid retaining a reference on Perl.
            (let ((out (assoc-ref outputs "out")))
              (delete-file-recursively (string-append out "/share/openssl-"
                                                      ,(package-version this-package)
                                                      "/misc"))
              #t))))))
    ;; Let programs linked against OpenSSL find the system CA bundle through
    ;; the environment variables OpenSSL itself honours.
    (native-search-paths
     (list (search-path-specification
            (variable "SSL_CERT_DIR")
            (separator #f)              ;single entry
            (files '("etc/ssl/certs")))
           (search-path-specification
            (variable "SSL_CERT_FILE")
            ;; The default file type is a directory; the bundle is a file.
            (file-type 'regular)
            (separator #f)              ;single entry
            (files '("etc/ssl/certs/ca-certificates.crt")))))
    (synopsis "SSL/TLS implementation")
    (description
     "OpenSSL is an implementation of SSL/TLS.")
    (license license:openssl)
    (home-page "https://www.openssl.org/")))
433
(define-public openssl/fixed
  ;; Grafted replacement for OPENSSL: identical recipe, newer upstream
  ;; release.  Only the version and the source hash differ.
  (package
    (inherit openssl)
    (version "1.1.1k")
    (source
     (origin
       (method url-fetch)
       (uri (list (string-append "https://www.openssl.org/source/openssl-"
                                 version ".tar.gz")
                  (string-append "ftp://ftp.openssl.org/source/"
                                 "openssl-" version ".tar.gz")
                  (string-append "ftp://ftp.openssl.org/source/old/"
                                 (string-trim-right version char-set:letter)
                                 "/openssl-" version ".tar.gz")))
       (patches (search-patches "openssl-1.1-c-rehash-in.patch"))
       (sha256
        (base32 "1rdfzcrxy9y38wqdw5942vmdax9hjhgrprzxm42csal7p5shhal9"))))))
451
;; The legacy 1.0 series, kept for packages that still require it.
;; NOTE(review): the 1.0.x branch is no longer maintained upstream and this
;; definition carries no backported fixes -- confirm which dependents still
;; need it.
(define-public openssl-1.0
  (package
    (inherit openssl)
    (name "openssl")
    (version "1.0.2u")
    (source (origin
              (method url-fetch)
              (uri (list (string-append "https://www.openssl.org/source/openssl-"
                                        version ".tar.gz")
                         (string-append "ftp://ftp.openssl.org/source/"
                                        "openssl-" version ".tar.gz")
                         (string-append "ftp://ftp.openssl.org/source/old/"
                                        (string-trim-right version char-set:letter)
                                        "/openssl-" version ".tar.gz")))
              (sha256
               (base32
                "05lxcs4hzyfqd5jn0d9p0fvqna62v2s4pc9qgmq0dpcknkzwdl7c"))
              (patches (search-patches "openssl-runpath.patch"
                                       "openssl-c-rehash-in.patch"))))
    (outputs '("out"
               "doc"                    ;1.5MiB of man3 pages
               "static"))               ;6MiB of .a files
    (arguments
     ;; Start from the 1.1 recipe and adjust the phases that differ.
     (substitute-keyword-arguments (package-arguments openssl)
       ;; Parallel build is not supported in 1.0.x.
       ((#:parallel-build? _ #f) #f)
       ((#:phases phases)
        `(modify-phases ,phases
           (add-before 'patch-source-shebangs 'patch-tests
             (lambda* (#:key inputs native-inputs #:allow-other-keys)
               ;; The test scripts hard-code /bin/sh and /bin/rm, which are
               ;; not available in the build environment.
               (let ((bash (assoc-ref (or native-inputs inputs) "bash")))
                 (substitute* (find-files "test" ".*")
                   (("/bin/sh")
                    (string-append bash "/bin/sh"))
                   (("/bin/rm")
                    "rm"))
                 #t)))
           (add-before 'configure 'patch-Makefile.org
             (lambda* (#:key outputs #:allow-other-keys)
               ;; The default MANDIR is some unusual place. Fix that.
               (let ((out (assoc-ref outputs "out")))
                 (patch-makefile-SHELL "Makefile.org")
                 (substitute* "Makefile.org"
                   (("^MANDIR[[:blank:]]*=.*$")
                    (string-append "MANDIR = " out "/share/man\n")))
                 #t)))
           (replace 'configure
             ;; Override this phase because OpenSSL 1.0 does not understand -rpath.
             (lambda* (#:key outputs #:allow-other-keys)
               (let ((out (assoc-ref outputs "out")))
                 (invoke ,@(if (%current-target-system)
                               '("./Configure")
                               '("./config"))
                         "shared"       ;build shared libraries
                         "--libdir=lib"

                         ;; The default for this catch-all directory is
                         ;; PREFIX/ssl. Change that to something more
                         ;; conventional.
                         (string-append "--openssldir=" out
                                        "/share/openssl-" ,version)

                         (string-append "--prefix=" out)
                         ,@(if (%current-target-system)
                               '((getenv "CONFIGURE_TARGET_ARCH"))
                               '())))))
           ;; The inherited phase also relocates HTML documentation, which
           ;; this release presumably does not ship; only the man3 pages are
           ;; moved below.
           (delete 'move-extra-documentation)
           (add-after 'install 'move-man3-pages
             (lambda* (#:key outputs #:allow-other-keys)
               ;; Move section 3 man pages to "doc".
               (let* ((out (assoc-ref outputs "out"))
                      (man3 (string-append out "/share/man/man3"))
                      (doc (assoc-ref outputs "doc"))
                      (target (string-append doc "/share/man/man3")))
                 (mkdir-p target)
                 (for-each (lambda (file)
                             (rename-file file
                                          (string-append target "/"
                                                         (basename file))))
                           (find-files man3))
                 (delete-file-recursively man3)
                 #t)))
           ;; XXX: Duplicate this phase to make sure 'version' evaluates
           ;; in the current scope and not the inherited one.
           (replace 'remove-miscellany
             (lambda* (#:key outputs #:allow-other-keys)
               ;; The 'misc' directory contains random undocumented shell and Perl
               ;; scripts. Remove them to avoid retaining a reference on Perl.
               (let ((out (assoc-ref outputs "out")))
                 (delete-file-recursively (string-append out "/share/openssl-"
                                                         ,version "/misc"))
                 #t)))))))))
544
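(define-public libressl
  ;; LibreSSL: OpenBSD's fork of OpenSSL, plus its TLS-capable netcat.
  (package
    (name "libressl")
    (version "3.1.5")
    (source (origin
              (method url-fetch)
              (uri (string-append "mirror://openbsd/LibreSSL/"
                                  "libressl-" version ".tar.gz"))
              (sha256
               (base32
                "1504a1sf43frw43j14pij0q1f48rm5q86ggrlxxhw708qp7ds4rc"))))
    (build-system gnu-build-system)
    (arguments
     ;; Do as if 'getentropy' were missing: Linux kernels before 3.17 lack its
     ;; underlying 'getrandom' system call and ENOSYS isn't properly handled.
     ;; See <https://lists.gnu.org/archive/html/guix-devel/2017-04/msg00235.html>.
     '(#:configure-flags '("ac_cv_func_getentropy=no"
                           ;; Provide a TLS-enabled netcat.
                           "--enable-nc")))
    ;; Same search paths as OPENSSL above, so programs linked against
    ;; LibreSSL locate the system CA bundle the same way.
    (native-search-paths
     (list (search-path-specification
            (variable "SSL_CERT_DIR")
            (separator #f)              ;single entry
            (files '("etc/ssl/certs")))
           (search-path-specification
            (variable "SSL_CERT_FILE")
            ;; A search-path-specification matches directories by default,
            ;; so without an explicit 'regular file type this entry never
            ;; matches the CA bundle and SSL_CERT_FILE is never set.  Keep
            ;; in sync with the OPENSSL definition.
            (file-type 'regular)
            (separator #f)              ;single entry
            (files '("etc/ssl/certs/ca-certificates.crt")))))
    (home-page "https://www.libressl.org/")
    (synopsis "SSL/TLS implementation")
    (description "LibreSSL is a version of the TLS/crypto stack, forked from
OpenSSL in 2014 with the goals of modernizing the codebase, improving security,
and applying best practice development processes. This package also includes a
netcat implementation that supports TLS.")
    ;; Files taken from OpenSSL keep their license, others are under various
    ;; non-copyleft licenses.
    (license (list license:openssl
                   (license:non-copyleft
                    "file://COPYING"
                    "See COPYING in the distribution.")))))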
585
(define-public python-acme
  ;; The ACME protocol library shared by certbot and its plugins.
  (package
    (name "python-acme")
    ;; Remember to update the hash of certbot when updating python-acme.
    (version "1.14.0")
    (source (origin
              (method url-fetch)
              (uri (pypi-uri "acme" version))
              (sha256
               (base32
                "0d8wzac7qnsq1kzb67f2a8wi30i4r327y6jmraxqqqj30gxwrnk1"))))
    (build-system python-build-system)
    (arguments
     `(#:phases
       (modify-phases %standard-phases
         ;; Build the Sphinx manual page and Info manual once the Python
         ;; package itself has been built.
         (add-after 'build 'build-documentation
           (lambda _
             (invoke "make" "-C" "docs" "man" "info")))
         (add-after 'install 'install-documentation
           (lambda* (#:key outputs #:allow-other-keys)
             (let ((out (assoc-ref outputs "out")))
               (install-file "docs/_build/texinfo/acme-python.info"
                             (string-append out "/info"))
               (install-file "docs/_build/man/acme-python.1"
                             (string-append out "/share/man/man1"))
               #t))))))
    (native-inputs
     `(("python-pytest" ,python-pytest)
       ;; For documentation
       ("python-sphinx" ,python-sphinx)
       ("python-sphinxcontrib-programoutput" ,python-sphinxcontrib-programoutput)
       ("python-sphinx-rtd-theme" ,python-sphinx-rtd-theme)
       ("texinfo" ,texinfo)))
    (propagated-inputs
     `(("python-josepy" ,python-josepy)
       ("python-requests" ,python-requests)
       ("python-requests-toolbelt" ,python-requests-toolbelt)
       ("python-pytz" ,python-pytz)
       ("python-pyrfc3339" ,python-pyrfc3339)
       ("python-pyasn1" ,python-pyasn1)
       ("python-cryptography" ,python-cryptography)
       ("python-pyopenssl" ,python-pyopenssl)))
    (synopsis "ACME protocol implementation in Python")
    (description "ACME protocol implementation in Python")
    (home-page "https://github.com/certbot/certbot")
    (license license:asl2.0)))
632
(define-public certbot
  ;; The EFF's Let's Encrypt client, built on PYTHON-ACME.
  (package
    (name "certbot")
    ;; Certbot and python-acme are developed in one repository and released
    ;; in lock-step, so the version is taken from PYTHON-ACME.
    (version (package-version python-acme))
    (source (origin
              (method url-fetch)
              (uri (pypi-uri "certbot" version))
              (sha256
               (base32
                "1ss1d1iw7cq8xzg1apydmzv2x5s0p4n74wlpmf7a7p5qdc6ak7lm"))))
    (build-system python-build-system)
    (arguments
     ;; Reuse the python-acme recipe, swapping in certbot's own
     ;; documentation files (which add a section 7 manual page).
     (substitute-keyword-arguments (package-arguments python-acme)
       ((#:phases phases)
        `(modify-phases ,phases
           (replace 'install-documentation
             (lambda* (#:key outputs #:allow-other-keys)
               (let ((out (assoc-ref outputs "out")))
                 (install-file "docs/_build/texinfo/Certbot.info"
                               (string-append out "/info"))
                 (install-file "docs/_build/man/certbot.1"
                               (string-append out "/share/man/man1"))
                 (install-file "docs/_build/man/certbot.7"
                               (string-append out "/share/man/man7"))
                 #t)))))))
    (native-inputs
     `(("python-mock" ,python-mock)
       ("python-pytest" ,python-pytest)
       ;; For documentation
       ("python-sphinx" ,python-sphinx)
       ("python-sphinx-rtd-theme" ,python-sphinx-rtd-theme)
       ("python-sphinx-repoze-autointerface" ,python-sphinx-repoze-autointerface)
       ("python-sphinxcontrib-programoutput" ,python-sphinxcontrib-programoutput)
       ("texinfo" ,texinfo)))
    (propagated-inputs
     `(("python-acme" ,python-acme)
       ("python-cryptography" ,python-cryptography)
       ("python-zope-interface" ,python-zope-interface)
       ("python-pyrfc3339" ,python-pyrfc3339)
       ("python-pyopenssl" ,python-pyopenssl)
       ("python-configobj" ,python-configobj)
       ("python-configargparse" ,python-configargparse)
       ("python-distro" ,python-distro)
       ("python-zope-component" ,python-zope-component)
       ("python-parsedatetime" ,python-parsedatetime)
       ("python-psutil" ,python-psutil)
       ("python-requests" ,python-requests)
       ("python-pytz" ,python-pytz)))
    (home-page "https://certbot.eff.org/")
    (synopsis "Let's Encrypt client by the Electronic Frontier Foundation")
    (description "Certbot automatically receives and installs X.509 certificates
to enable Transport Layer Security (TLS) on servers. It interoperates with the
Let’s Encrypt certificate authority (CA), which issues browser-trusted
certificates for free.")
    (license license:asl2.0)))
690
(define-public letsencrypt
  ;; Superseded alias that resolves to CERTBOT.
  (package
    (inherit certbot)
    (name "letsencrypt")
    (properties `((superseded . ,certbot)))))
695
(define-public perl-net-ssleay
  ;; Net::SSLeay: Perl bindings to the OpenSSL library.
  (package
    (name "perl-net-ssleay")
    (version "1.88")
    (source
     (origin
       (method url-fetch)
       (uri (string-append "mirror://cpan/authors/id/C/CH/CHRISN/"
                           "Net-SSLeay-" version ".tar.gz"))
       (sha256
        (base32
         "1pfgh4h3szcpvqlcimc60pjbk9zwls99x5863sva0wc47i4dl010"))))
    (build-system perl-build-system)
    (arguments
     `(#:phases
       (modify-phases %standard-phases
         (add-before 'configure 'set-ssl-prefix
           ;; Tell Makefile.PL where the OpenSSL headers and libraries live.
           (lambda* (#:key inputs #:allow-other-keys)
             (setenv "OPENSSL_PREFIX" (assoc-ref inputs "openssl"))
             #t)))))
    (inputs `(("openssl" ,openssl)))
    (home-page "https://metacpan.org/release/Net-SSLeay")
    (synopsis "Perl extension for using OpenSSL")
    (description
     "This module offers some high level convenience functions for accessing
web pages on SSL servers (for symmetry, the same API is offered for accessing
http servers, too), an sslcat() function for writing your own clients, and
finally access to the SSL api of the SSLeay/OpenSSL package so you can write
servers or clients for more complicated applications.")
    (license license:perl-license)))
726
(define-public perl-crypt-openssl-rsa
  ;; Crypt::OpenSSL::RSA: RSA operations backed by OpenSSL's libcrypto.
  (package
    (name "perl-crypt-openssl-rsa")
    (version "0.31")
    (source (origin
              (method url-fetch)
              (uri (string-append
                    "mirror://cpan/authors/id/T/TO/TODDR/Crypt-OpenSSL-RSA-"
                    version ".tar.gz"))
              (sha256
               (base32
                "0djl5i6kibl7862b6ih29q8dhg5zpwzq77q9j8hp6xngshx40ws1"))))
    (build-system perl-build-system)
    ;; Shared with the other Crypt::OpenSSL::* modules; see PERL-CRYPT-ARGUMENTS.
    (arguments perl-crypt-arguments)
    (native-inputs
     `(("perl-crypt-openssl-guess" ,perl-crypt-openssl-guess)))
    (inputs
     `(("perl-crypt-openssl-bignum" ,perl-crypt-openssl-bignum)
       ("perl-crypt-openssl-random" ,perl-crypt-openssl-random)
       ("openssl" ,openssl)))
    (synopsis
     "RSA encoding and decoding, using the openSSL libraries")
    (description "Crypt::OpenSSL::RSA does RSA encoding and decoding (using the
OpenSSL libraries).")
    (home-page
     "https://metacpan.org/release/Crypt-OpenSSL-RSA")
    (license license:perl-license)))
756
(define perl-crypt-arguments
  ;; Build arguments shared by the Crypt::OpenSSL::* modules: their
  ;; Makefile.PL hard-codes the linker flags, so rewrite the 'LIBS' entry to
  ;; point at our OpenSSL library directory.
  `(#:phases
    (modify-phases %standard-phases
      (add-before 'configure 'patch-Makefile.PL
        (lambda* (#:key inputs #:allow-other-keys)
          (let ((libdir (string-append (assoc-ref inputs "openssl") "/lib")))
            (substitute* "Makefile.PL"
              (("'LIBS'.*=>.*")
               (string-append "'LIBS' => ['-L" libdir " -lcrypto'],"))))
          #t)))))
766
(define-public perl-crypt-openssl-bignum
  ;; Crypt::OpenSSL::Bignum: OpenSSL BIGNUM arithmetic from Perl.
  (package
    (name "perl-crypt-openssl-bignum")
    (version "0.09")
    (source (origin
              (method url-fetch)
              (uri (string-append
                    "mirror://cpan/authors/id/K/KM/KMX/Crypt-OpenSSL-Bignum-"
                    version ".tar.gz"))
              (sha256
               (base32
                "1p22znbajq91lbk2k3yg12ig7hy5b4vy8igxwqkmbm4nhgxp4ki3"))))
    (build-system perl-build-system)
    ;; Shared with the other Crypt::OpenSSL::* modules; see PERL-CRYPT-ARGUMENTS.
    (arguments perl-crypt-arguments)
    (inputs `(("openssl" ,openssl)))
    (synopsis
     "OpenSSL's multiprecision integer arithmetic in Perl")
    (description "Crypt::OpenSSL::Bignum provides multiprecision integer
arithmetic in Perl.")
    (home-page
     "https://metacpan.org/release/Crypt-OpenSSL-Bignum")
    ;; At your option either gpl1+ or the Artistic License
    (license license:perl-license)))
792
(define-public perl-crypt-openssl-guess
  ;; Crypt::OpenSSL::Guess: build-time helper used by the other
  ;; Crypt::OpenSSL::* modules to locate the OpenSSL headers.
  (package
    (name "perl-crypt-openssl-guess")
    (version "0.11")
    (source (origin
              (method url-fetch)
              (uri (string-append
                    "mirror://cpan/authors/id/A/AK/AKIYM/Crypt-OpenSSL-Guess-"
                    version ".tar.gz"))
              (sha256
               (base32
                "0rvi9l4ljcbhwwvspq019nfq2h2v746dk355h2nwnlmqikiihsxa"))))
    (build-system perl-build-system)
    (synopsis "Guess the OpenSSL include path")
    (description
     "The Crypt::OpenSSL::Guess Perl module provides helpers to guess the
correct OpenSSL include path. It is intended for use in your
@file{Makefile.PL}.")
    (home-page "https://metacpan.org/release/Crypt-OpenSSL-Guess")
    (license license:perl-license)))
814
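(define-public perl-crypt-openssl-random
  ;; Crypt::OpenSSL::Random: access to the OpenSSL/LibreSSL PRNG from Perl.
  (package
    (name "perl-crypt-openssl-random")
    (version "0.15")
    (source
     (origin
       (method url-fetch)
       (uri (string-append
             "mirror://cpan/authors/id/R/RU/RURBAN/Crypt-OpenSSL-Random-"
             version
             ".tar.gz"))
       (sha256
        (base32 "1x6ffps8q7mnawmcfq740llzy7i10g3319vap0wiw4d33fm6z1zh"))))
    (build-system perl-build-system)
    (native-inputs
     `(("perl-crypt-openssl-guess" ,perl-crypt-openssl-guess)))
    (inputs
     `(("openssl" ,openssl)))
    ;; Shared with the other Crypt::OpenSSL::* modules; see PERL-CRYPT-ARGUMENTS.
    (arguments perl-crypt-arguments)
    (home-page
     "https://metacpan.org/release/Crypt-OpenSSL-Random")
    (synopsis
     "OpenSSL/LibreSSL pseudo-random number generator access")
    ;; Grammar fix in the user-facing text: "a OpenSSL" -> "an OpenSSL",
    ;; and the sentence now ends with a full stop.
    (description "Crypt::OpenSSL::Random is an OpenSSL/LibreSSL pseudo-random
number generator.")
    (license license:perl-license)))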
841
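(define-public acme-client
  ;; OpenBSD's acme-client (portable variant), built against LibreSSL.
  (package
    (name "acme-client")
    (version "0.1.16")
    (source (origin
              (method url-fetch)
              (uri (string-append "https://kristaps.bsd.lv/" name "/"
                                  "snapshots/" name "-portable-"
                                  version ".tgz"))
              (sha256
               (base32
                "00q05b3b1dfnfp7sr1nbd212n0mqrycl3cr9lbs51m7ncaihbrz9"))))
    (build-system gnu-build-system)
    (arguments
     `(#:tests? #f                      ; no test suite
       #:make-flags
       ;; Use the compiler for the target system instead of a hard-coded
       ;; "gcc", so that the package also cross-compiles.
       (list ,(string-append "CC=" (cc-for-target))
             (string-append "PREFIX=" (assoc-ref %outputs "out")))
       #:phases
       (modify-phases %standard-phases
         (add-after 'unpack 'patch-paths
           (lambda* (#:key inputs #:allow-other-keys)
             ;; http.c refers to the CA bundle by the fixed FHS path; point
             ;; it at the bundle under the LibreSSL input instead.
             (let ((pem (string-append (assoc-ref inputs "libressl")
                                       "/etc/ssl/cert.pem")))
               (substitute* "http.c"
                 (("/etc/ssl/cert.pem") pem))
               #t)))
         (delete 'configure))))         ; no './configure' script
    (native-inputs
     `(("pkg-config" ,pkg-config)))
    (inputs
     `(("libbsd" ,libbsd)
       ("libressl" ,libressl)))
    (synopsis "Let's Encrypt client by the OpenBSD project")
    (description "acme-client is a Let's Encrypt client implemented in C. It
uses a modular design, and attempts to secure itself by dropping privileges and
operating in a chroot where possible. acme-client is developed on OpenBSD and
then ported to the GNU / Linux environment.")
    (home-page "https://kristaps.bsd.lv/acme-client/")
    ;; acme-client is distributed under the ISC license, but the files 'jsmn.h'
    ;; and 'jsmn.c' are distributed under the Expat license.
    (license (list license:isc license:expat))))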
884
;; The "-apache" variant is the variant preferred upstream.  A "-gpl"
;; variant exists in addition to the "-apache" one.
;; Apache-licensed build of mbed TLS, shared library only.  Sources come from
;; the upstream release tag, pinned by content hash.
(define-public mbedtls-apache
  (package
    (name "mbedtls-apache")
    ;; XXX Check whether ‘-Wformat-signedness’ still breaks mbedtls-for-hiawatha
    ;; when updating.
    (version "2.23.0")
    (source
     (origin
       (method git-fetch)
       (uri (git-reference
             (url "https://github.com/ARMmbed/mbedtls")
             (commit (string-append "mbedtls-" version))))
       (file-name (git-file-name name version))
       (sha256
        (base32 "13fa9h2i989cbf8n8c0j019mshv6wg213va18my1s787lhcq2d62"))))
    (build-system cmake-build-system)
    (arguments
     `(#:configure-flags
       ;; Build and install the shared library, not the static one.
       (list "-DUSE_SHARED_MBEDTLS_LIBRARY=ON"
             "-DUSE_STATIC_MBEDTLS_LIBRARY=OFF")
       #:phases
       (modify-phases %standard-phases
         ;; Make every file in the tree writable before building —
         ;; presumably because the fetched checkout is read-only; derived
         ;; packages (mbedtls-for-hiawatha) edit the sources in place.
         (add-after 'unpack 'make-source-writable
           (lambda _
             (for-each (lambda (file) (make-file-writable file))
                       (find-files "."))
             #t)))))
    (native-inputs
     `(("perl" ,perl)
       ("python" ,python)))
    (home-page "https://tls.mbed.org")
    (synopsis "Small TLS library")
    (description
     "@code{mbed TLS}, formerly known as PolarSSL, makes it trivially easy
for developers to include cryptographic and SSL/TLS capabilities in their
(embedded) products, facilitating this functionality with a minimal
coding footprint.")
    (license license:asl2.0)))
924
925 ;; The Hiawatha Web server requires some specific features to be enabled.
;; Variant of mbedtls-apache with pthread-based threading compiled in.
;; Hidden: it exists as a build input for Hiawatha, not for end users.
(define-public mbedtls-for-hiawatha
  (hidden-package
   (package
     (inherit mbedtls-apache)
     (arguments
      ;; Keep every argument of the parent; only the phase list is extended.
      (substitute-keyword-arguments (package-arguments mbedtls-apache)
        ((#:phases phases)
         `(modify-phases ,phases
            (add-before 'configure 'configure-extra-features
              (lambda _
                ;; Flip the build-time options through upstream's own
                ;; config script instead of editing the headers by hand.
                (for-each (lambda (feature)
                            (invoke "scripts/config.pl" "set" feature))
                          (list "MBEDTLS_THREADING_C"
                                "MBEDTLS_THREADING_PTHREAD"))
                ;; XXX The above enables code that breaks with -Werror…
                ;; -Wformat-signedness is a diagnostic flag, not a hardening
                ;; flag, so dropping it only silences the warning.
                (substitute* "CMakeLists.txt"
                  ((" -Wformat-signedness") ""))
                #t)))))))))
944
;; ACME client written in Bash.  No build system: the builder below unpacks
;; the release tarball, installs the script, docs and man pages, and wraps
;; the script so it runs with the store-provided tools (including openssl)
;; rather than whatever is on the user's PATH.
(define-public dehydrated
  (package
    (name "dehydrated")
    (version "0.7.0")
    (source (origin
              (method url-fetch)
              (uri (string-append
                    "https://github.com/dehydrated-io/dehydrated/releases/download/"
                    "v" version "/dehydrated-" version ".tar.gz"))
              (sha256
               (base32
                "1yf4kldyd5y13r6qxrkcbbk74ykngq7jzy0351vb2r3ywp114pqw"))))
    (build-system trivial-build-system)
    (arguments
     `(#:modules ((guix build utils)
                  (srfi srfi-26))
       #:builder
       (begin
         (use-modules (guix build utils)
                      (srfi srfi-26))
         (let* ((source (assoc-ref %build-inputs "source"))
                (tar (assoc-ref %build-inputs "tar"))
                (gz (assoc-ref %build-inputs "gzip"))
                (out (assoc-ref %outputs "out"))
                (bin (string-append out "/bin"))
                (doc (string-append out "/share/doc/" ,name "-" ,version))
                (man (string-append out "/share/man"))
                (bash (in-vicinity (assoc-ref %build-inputs "bash") "bin")))

           ;; tar needs gzip on PATH to decompress; nothing else yet.
           (setenv "PATH" (string-append gz "/bin"))
           (invoke (string-append tar "/bin/tar") "xvf" source)
           (chdir (string-append ,name "-" ,version))

           (copy-recursively "docs" doc)
           (install-file "LICENSE" doc)

           ;; The man page ships under docs/; move it to the standard
           ;; location and compress it (gzip still on PATH).
           (mkdir-p man)
           (rename-file (string-append doc "/man")
                        (string-append man "/man1"))
           (for-each (cut invoke "gzip" "-9" <>)
                     (find-files man ".*"))

           (install-file "dehydrated" bin)
           (with-directory-excursion bin
             (patch-shebang "dehydrated" (list bash))

             ;; Do not try to write to the store.
             ;; Config and hooks are looked up relative to SCRIPTDIR, so it
             ;; is moved from the (read-only) install dir to the user's home.
             (substitute* "dehydrated"
               (("SCRIPTDIR=\"\\$.*\"") "SCRIPTDIR=~/.dehydrated"))

             ;; Pin the tools the script calls to the store inputs; the
             ;; wrapper prefixes PATH with each input's bin/ directory.
             (setenv "PATH" bash)
             (wrap-program "dehydrated"
               `("PATH" ":" prefix
                 ,(map (lambda (dir)
                         (string-append dir "/bin"))
                       (map (lambda (input)
                              (assoc-ref %build-inputs input))
                            '("coreutils"
                              "curl"
                              "diffutils"
                              "gawk"
                              "grep"
                              "openssl"
                              "sed"))))))
           #t))))
    (inputs
     `(("bash" ,bash)
       ("coreutils" ,coreutils)
       ("curl" ,curl)
       ("diffutils" ,diffutils)
       ("gawk" ,gawk)
       ("grep" ,grep)
       ("openssl" ,openssl)
       ("sed" ,sed)))
    (native-inputs
     `(("gzip" ,gzip)
       ("tar" ,tar)))
    (home-page "https://dehydrated.io/")
    (synopsis "Let's Encrypt/ACME client implemented as a shell script")
    (description "Dehydrated is a client for signing certificates with an
ACME-server (currently only provided by Let's Encrypt) implemented as a
relatively simple Bash script.")
    (license license:expat)))
1028
;; Mozilla-derived X.509 root CA bundle for Go programs.  The bundle content
;; is frozen at the pinned COMMIT (version 2018.01.18): it does not follow
;; later root-store changes unless this definition is updated.
(define-public go-github-com-certifi-gocertifi
  (let* ((revision "1")
         (commit "a5e0173ced670013bfb649c7e806bc9529c986ec"))
    (package
      (name "go-github-com-certifi-gocertifi")
      (version (git-version "2018.01.18" revision commit))
      (source (origin
                (method git-fetch)
                (uri (git-reference
                      (url "https://github.com/certifi/gocertifi")
                      (commit commit)))
                (sha256
                 (base32
                  "1n9drccl3q1rr8wg3nf60slkf1lgsmz5ahifrglbdrc6har3rryj"))
                (file-name (git-file-name name version))))
      (build-system go-build-system)
      (arguments
       '(#:import-path "github.com/certifi/gocertifi"))
      (home-page "https://certifi.io")
      (synopsis "X.509 TLS root certificate bundle for Go")
      (description "This package is a Go language X.509 TLS root certificate bundle,
derived from Mozilla's collection.")
      (license license:mpl2.0))))
1052
;; AWS's s2n TLS library, built as a shared library from the upstream release
;; tag.  OpenSSL (both outputs) is propagated so dependents get the same
;; headers and libraries this package was built against.
(define-public s2n
  (package
    (name "s2n")
    (version "1.0.0")
    (source (origin
              (method git-fetch)
              (uri (git-reference
                    (url (string-append "https://github.com/awslabs/" name))
                    (commit (string-append "v" version))))
              (sha256
               (base32
                "1q6kmgwb8jxmc4ijzk9pkqzz8lsbfsv9hyzqvy944w7306zx1r5h"))
              (file-name (git-file-name name version))))
    (build-system cmake-build-system)
    (arguments
     '(#:configure-flags
       '("-DBUILD_TESTING=OFF"
         "-DBUILD_SHARED_LIBS=ON")
       ;; The test suite fails to build for the static library, so skip it.
       #:tests? #f))
    (propagated-inputs
     `(("openssl" ,openssl)
       ("openssl:static" ,openssl "static")))
    (home-page "https://github.com/awslabs/s2n")
    (synopsis "SSL/TLS implementation")
    (description "This library provides a C99 implementation of SSL/TLS.")
    (license license:asl2.0)))