;;; GNU Guix --- Functional package management for GNU
-;;; Copyright © 2012, 2013, 2014, 2015, 2016 Ludovic Courtès <ludo@gnu.org>
+;;; Copyright © 2012, 2013, 2014, 2015, 2016, 2017 Ludovic Courtès <ludo@gnu.org>
;;; Copyright © 2014, 2015, 2016 Mark H Weaver <mhw@netris.org>
;;; Copyright © 2014 Ian Denhardt <ian@zenhack.net>
;;; Copyright © 2013, 2015 Andreas Enge <andreas@enge.fr>
;;; Copyright © 2015 David Thompson <davet@gnu.org>
-;;; Copyright © 2015, 2016 Leo Famulari <leo@famulari.name>
+;;; Copyright © 2015, 2016, 2017 Leo Famulari <leo@famulari.name>
;;; Copyright © 2016 Efraim Flashner <efraim@flashner.co.il>
-;;; Copyright © 2016 ng0 <ng0@we.make.ritual.n0.is>
+;;; Copyright © 2016, 2017 ng0 <contact.ng0@cryptolab.net>
+;;; Copyright © 2016 Hartmut Goebel <h.goebel@crazy-compilers.com>
;;;
;;; This file is part of GNU Guix.
;;;
#:use-module (guix build-system gnu)
#:use-module (guix build-system perl)
#:use-module (guix build-system python)
+ #:use-module (guix build-system cmake)
#:use-module (gnu packages compression)
#:use-module (gnu packages)
#:use-module (gnu packages guile)
+ #:use-module (gnu packages libbsd)
#:use-module (gnu packages libffi)
#:use-module (gnu packages libidn)
#:use-module (gnu packages linux)
#:use-module (gnu packages pkg-config)
#:use-module (gnu packages python)
#:use-module (gnu packages texinfo)
- #:use-module (gnu packages base))
+ #:use-module (gnu packages base)
+ #:use-module (srfi srfi-1))
(define-public libtasn1
(package
specifications.")
(license license:lgpl2.0+)))
+(define-public asn1c
+ (package
+ (name "asn1c")
+ (version "0.9.27")
+ (source (origin
+ (method url-fetch)
+ (uri (string-append "https://lionet.info/soft/asn1c-"
+ version ".tar.gz"))
+ (sha256
+ (base32
+ "17nvn2kzvlryasr9dzqg6gs27b9lvqpval0k31pb64bjqbhn8pq2"))))
+ (build-system gnu-build-system)
+ (native-inputs
+ `(("perl" ,perl)))
+ (home-page "https://lionet.info/asn1c")
+ (synopsis "ASN.1 to C compiler")
+ (description "The ASN.1 to C compiler takes ASN.1 module
+files and generates C++ compatible C source code. That code can be
+used to serialize the native C structures into compact and unambiguous
+BER/XER/PER-based data files, and deserialize the files back.
+
+Various ASN.1 based formats are widely used in the industry, such as to encode
+the X.509 certificates employed in the HTTPS handshake, to exchange control
+data between mobile phones and cellular networks, to car-to-car communication
+in intelligent transportation networks.")
+ (license license:bsd-2)))
+
(define-public p11-kit
(package
(name "p11-kit")
(define-public gnutls
(package
(name "gnutls")
- (version "3.5.3")
+ (version "3.5.4")
+ (replacement gnutls-3.5.8)
(source (origin
(method url-fetch)
(uri
"/gnutls-" version ".tar.xz"))
(sha256
(base32
- "1vqzvcdqhx5fbrds6myrk259vw9khgmaxvzbk59bk88hkacvri4j"))))
+ "1sx8p7v452s9m854r2c5pvcd1k15a3caiv5h35fhrxz0691h2f2f"))))
(build-system gnu-build-system)
(arguments
'(#:configure-flags
;; the location of the system-wide trust store. Instead it has a
;; configure-time option. Unless specified, its configure script
;; attempts to auto-detect the location by looking for common
- ;; places in the filesystem, none of which are present in our
+ ;; places in the file system, none of which are present in our
;; chroot build environment. If not found, then no default trust
;; store is used, so each program has to provide its own
;; fallback, and users have to configure each program
(properties '((ftp-server . "ftp.gnutls.org")
(ftp-directory . "/gcrypt/gnutls")))))
+(define gnutls-3.5.8 ;fixes GNUTLS-SA-2017-{1,2}
+ (package
+ (inherit gnutls)
+ (version "3.5.8")
+ (source (origin
+ (method url-fetch)
+ (uri (string-append "mirror://gnupg/gnutls/v"
+ (version-major+minor version)
+ "/gnutls-" version ".tar.xz"))
+ (sha256
+ (base32
+ "1zyl2z63s68hx1dpxqx0lykmlf3rwrzlrf44sq3h7dvjmr1z55qf"))))
+ (replacement #f)))
+
+(define-public gnutls/guile-2.2
+ ;; GnuTLS for Guile 2.2. This is supported by GnuTLS >= 3.5.5.
+ (package
+ (inherit gnutls-3.5.8)
+ (name "guile2.2-gnutls")
+ (arguments
+ ;; Remove '--with-guile-site-dir=…/2.0'.
+ (substitute-keyword-arguments (package-arguments gnutls-3.5.8)
+ ((#:configure-flags flags)
+ `(cdr ,flags))))
+ (inputs `(("guile" ,guile-next)
+ ,@(alist-delete "guile" (package-inputs gnutls-3.5.8))))))
+
(define-public openssl
(package
(name "openssl")
- (version "1.0.2h")
+ (replacement openssl-1.0.2k)
+ (version "1.0.2j")
(source (origin
(method url-fetch)
(uri (list (string-append "ftp://ftp.openssl.org/source/"
"/" name "-" version ".tar.gz")))
(sha256
(base32
- "06996ds1rk8xhnyb5y273a7xkcxhggp4bq1g02rab55d7bjhfh0x"))
+ "0cf4ar97ijfc7mg35zdgpad6x8ivkdx9qii6mz35khi1ps9g5bz7"))
(patches (search-patches "openssl-runpath.patch"
- "openssl-c-rehash-in.patch"
- "openssl-CVE-2016-2177.patch"
- "openssl-CVE-2016-2178.patch"))))
+ "openssl-c-rehash-in.patch"))))
(build-system gnu-build-system)
(outputs '("out"
"doc" ;1.5MiB of man3 pages
(string-append target "/"
(basename file))))
(find-files man3))
+ (delete-file-recursively man3)
#t)))
(add-before
'patch-source-shebangs 'patch-tests
(license license:openssl)
(home-page "http://www.openssl.org/")))
+(define openssl-1.0.2k
+ (package
+ (inherit openssl)
+ (name "openssl")
+ (version "1.0.2k")
+ (source
+ (origin
+ (method url-fetch)
+ (uri (list (string-append "ftp://ftp.openssl.org/source/"
+ name "-" version ".tar.gz")
+ (string-append "ftp://ftp.openssl.org/source/old/"
+ (string-trim-right version char-set:letter)
+ "/" name "-" version ".tar.gz")))
+ (sha256
+ (base32
+ "1h6qi35w6hv6rd73p4cdgdzg732pdrfgpp37cgwz1v9a3z37ffbb"))
+ (patches (search-patches "openssl-runpath.patch"
+ "openssl-c-rehash-in.patch"))))))
+
+(define-public openssl-next
+ (package
+ (inherit openssl)
+ (replacement #f)
+ (name "openssl")
+ (version "1.1.0e")
+ (source (origin
+ (method url-fetch)
+ (uri (list (string-append "ftp://ftp.openssl.org/source/"
+ name "-" version ".tar.gz")
+ (string-append "ftp://ftp.openssl.org/source/old/"
+ (string-trim-right version char-set:letter)
+ "/" name "-" version ".tar.gz")))
+ (patches (search-patches "openssl-1.1.0-c-rehash-in.patch"))
+ (sha256
+ (base32
+ "0k47sdd9gs6yxfv6ldlgpld2lyzrkcv9kz4cf88ck04xjwc8dgjp"))))
+ (outputs '("out"
+ "doc" ;1.3MiB of man3 pages
+ "static")) ; 5.5MiB of .a files
+ (arguments
+ (substitute-keyword-arguments (package-arguments openssl)
+ ((#:phases phases)
+ `(modify-phases ,phases
+ (delete 'patch-tests) ; These two phases are not needed by
+ (delete 'patch-Makefile.org) ; OpenSSL 1.1.0.
+
+ ;; Override configure phase since -rpath is now a configure option.
+ (replace 'configure
+ (lambda* (#:key outputs #:allow-other-keys)
+ (let* ((out (assoc-ref outputs "out"))
+ (lib (string-append out "/lib")))
+ (zero?
+ (system* "./config"
+ "shared" ;build shared libraries
+ "--libdir=lib"
+
+ ;; The default for this catch-all directory is
+ ;; PREFIX/ssl. Change that to something more
+ ;; conventional.
+ (string-append "--openssldir=" out
+ "/share/openssl-" ,version)
+
+ (string-append "--prefix=" out)
+ (string-append "-Wl,-rpath," lib)
+
+ ;; XXX FIXME: Work around a code generation bug in GCC
+ ;; 4.9.3 on ARM when compiled with -mfpu=neon. See:
+ ;; <https://gcc.gnu.org/bugzilla/show_bug.cgi?id=66917>
+ ,@(if (and (not (%current-target-system))
+ (string-prefix? "armhf" (%current-system)))
+ '("-mfpu=vfpv3")
+ '()))))))
+
+ ;; XXX: Duplicate this phase to make sure 'version' evaluates
+ ;; in the current scope and not the inherited one.
+ (replace 'remove-miscellany
+ (lambda* (#:key outputs #:allow-other-keys)
+ ;; The 'misc' directory contains random undocumented shell and Perl
+ ;; scripts. Remove them to avoid retaining a reference on Perl.
+ (let ((out (assoc-ref outputs "out")))
+ (delete-file-recursively (string-append out "/share/openssl-"
+ ,version "/misc"))
+ #t)))))))))
+
(define-public libressl
(package
(name "libressl")
- (version "2.4.2")
+ (version "2.5.1")
(source
(origin
(method url-fetch)
version ".tar.gz"))
(sha256
(base32
- "1qyrcyzrrn6r9cqvm66ib72qyr65q4hrdyiq1vb24a6nwmwdg1sz"))))
+ "1kc709scgd76vk7fld4jnb4wb5lxdv1cj8zsgyjb33xp4jlf06pp"))))
(build-system gnu-build-system)
(native-search-paths
;; FIXME: These two variables must designate a single file or directory
(define-public python-acme
(package
(name "python-acme")
- (version "0.8.1")
+ ;; Remember to update the hash of certbot when updating python-acme.
+ (version "0.12.0")
(source (origin
(method url-fetch)
- (uri (string-append
- "https://pypi.python.org/packages/"
- "f5/7a/11a99b5d1d1c692f6eed27cfab69e6ba4d2f0c2a461d2607e6a930ff2c68/"
- "acme-" version ".tar.gz"))
+ (uri (pypi-uri "acme" version))
(sha256
- (base32
- "17vx2miczpd8ww4xizmc0nca2c7jf04wnhfnswx2bxhb537lmsnk"))))
+ (base32
+ "1pzv8fcfwdqzvvpyhgjz412is0b98yj9495k8sidzzqgbdmvlp50"))))
(build-system python-build-system)
(arguments
`(#:phases
(modify-phases %standard-phases
- (add-before 'install 'disable-egg-compression
- (lambda _
- ;; Do not compress the egg.
- ;; See <http://bugs.gnu.org/20765>.
- (let ((port (open-file "setup.cfg" "a")))
- (display "\n[easy_install]\nzip_ok = 0\n"
- port)
- (close-port port)
- #t)))
(add-after 'install 'docs
(lambda* (#:key outputs #:allow-other-keys)
(let* ((out (assoc-ref outputs "out"))
("python-sphinx" ,python-sphinx)
("python-sphinxcontrib-programoutput" ,python-sphinxcontrib-programoutput)
("python-sphinx-rtd-theme" ,python-sphinx-rtd-theme)
- ("python-setuptools" ,python-setuptools)
("texinfo" ,texinfo)))
(propagated-inputs
`(("python-ndg-httpsclient" ,python-ndg-httpsclient)
(define-public certbot
(package
(name "certbot")
- (version "0.8.1")
+ ;; Certbot and python-acme are developed in the same repository, and their
+ ;; versions should remain synchronized.
+ (version (package-version python-acme))
(source (origin
(method url-fetch)
- (uri (string-append
- "https://pypi.python.org/packages/"
- "a2/3b/4756e6a0ceb14e084042a2a65c615d68d25621c6fd446d0fc10d14c4ce7d/"
- name "-" version ".tar.gz"))
+ (uri (pypi-uri name version))
(sha256
(base32
- "0w972cf2mk74aji5d8dylg3jw6wczg01gb4asf3ndv8c64yxza3c"))))
+ "1dw86gb8lyap5ckjawmli1hxgbchw2g62g1lqfvxyqjv0df94waa"))))
(build-system python-build-system)
(arguments
`(#:python ,python-2
("python2-psutil" ,python2-psutil)
("python2-requests" ,python2-requests)
("python2-pytz" ,python2-pytz)))
- (synopsis "Let's Encrypt client")
- (description "Tool to automatically receive and install X.509 certificates
-to enable TLS on servers. The client will interoperate with the Let’s Encrypt CA which
-will be issuing browser-trusted certificates for free.")
+ (synopsis "Let's Encrypt client by the Electronic Frontier Foundation")
+ (description "Certbot automatically receives and installs X.509 certificates
+to enable Transport Layer Security (TLS) on servers. It interoperates with the
+Let’s Encrypt certificate authority (CA), which issues browser-trusted
+certificates for free.")
(home-page "https://certbot.eff.org/")
(license license:asl2.0)))
(define-public letsencrypt
(package (inherit certbot)
- (name "letsencrypt")))
+ (name "letsencrypt")
+ (properties `((superseded . ,certbot)))))
(define-public perl-net-ssleay
(package
(description "Crypt::OpenSSL::Random is a OpenSSL/LibreSSL pseudo-random
number generator")
(license (package-license perl))))
+
+(define-public acme-client
+ (package
+ (name "acme-client")
+ (version "0.1.16")
+ (source (origin
+ (method url-fetch)
+ (uri (string-append "https://kristaps.bsd.lv/" name "/"
+ "snapshots/" name "-portable-"
+ version ".tgz"))
+ (sha256
+ (base32
+ "00q05b3b1dfnfp7sr1nbd212n0mqrycl3cr9lbs51m7ncaihbrz9"))))
+ (build-system gnu-build-system)
+ (arguments
+ '(#:tests? #f ; no test suite
+ #:make-flags
+ (list "CC=gcc"
+ (string-append "PREFIX=" (assoc-ref %outputs "out")))
+ #:phases
+ (modify-phases %standard-phases
+ (add-after 'unpack 'patch-paths
+ (lambda* (#:key inputs #:allow-other-keys)
+ (let ((pem (string-append (assoc-ref inputs "libressl")
+ "/etc/ssl/cert.pem")))
+ (substitute* "http.c"
+ (("/etc/ssl/cert.pem") pem))
+ #t)))
+ (delete 'configure)))) ; no './configure' script
+ (native-inputs
+ `(("pkg-config" ,pkg-config)))
+ (inputs
+ `(("libbsd" ,libbsd)
+ ("libressl" ,libressl)))
+ (synopsis "Let's Encrypt client by the OpenBSD project")
+ (description "acme-client is a Let's Encrypt client implemented in C. It
+uses a modular design, and attempts to secure itself by dropping privileges and
+operating in a chroot where possible. acme-client is developed on OpenBSD and
+then ported to the GNU / Linux environment.")
+ (home-page "https://kristaps.bsd.lv/acme-client/")
+ ;; acme-client is distributed under the ISC license, but the files 'jsmn.h'
+ ;; and 'jsmn.c' are distributed under the Expat license.
+ (license (list license:isc license:expat))))
+
+;; The "-apache" variant is the upstreamed prefered variant. A "-gpl"
+;; variant exists in addition to the "-apache" one.
+(define-public mbedtls-apache
+ (package
+ (name "mbedtls-apache")
+ (version "2.4.0")
+ (source
+ (origin
+ (method url-fetch)
+ ;; XXX: The download links on the website are script redirection links
+ ;; which effectively lead to the format listed in the uri here.
+ (uri (string-append "https://tls.mbed.org/download/mbedtls-"
+ version "-apache.tgz"))
+ (sha256
+ (base32
+ "03bzbfidigljva6xj49k38q3kwlbj75lrky4a0ainylzsfg5bhy1"))))
+ (build-system cmake-build-system)
+ (native-inputs
+ `(("perl" ,perl)))
+ (synopsis "Small TLS library")
+ (description
+ "@code{mbed TLS}, formerly known as PolarSSL, makes it trivially easy
+for developers to include cryptographic and SSL/TLS capabilities in their
+(embedded) products, facilitating this functionality with a minimal
+coding footprint.")
+ (home-page "https://tls.mbed.org")
+ (license license:asl2.0)))