;;; Copyright © 2014 Ian Denhardt <ian@zenhack.net>
;;; Copyright © 2013, 2015 Andreas Enge <andreas@enge.fr>
;;; Copyright © 2015 David Thompson <davet@gnu.org>
-;;; Copyright © 2015, 2016 Leo Famulari <leo@famulari.name>
;;; Copyright © 2015, 2016, 2017 Leo Famulari <leo@famulari.name>
-;;; Copyright © 2016 Efraim Flashner <efraim@flashner.co.il>
-;;; Copyright © 2016 ng0 <ng0@we.make.ritual.n0.is>
+;;; Copyright © 2016, 2017 Efraim Flashner <efraim@flashner.co.il>
+;;; Copyright © 2016, 2017 ng0 <contact.ng0@cryptolab.net>
;;; Copyright © 2016 Hartmut Goebel <h.goebel@crazy-compilers.com>
;;;
;;; This file is part of GNU Guix.
#:use-module (guix build-system gnu)
#:use-module (guix build-system perl)
#:use-module (guix build-system python)
+ #:use-module (guix build-system cmake)
#:use-module (gnu packages compression)
#:use-module (gnu packages)
#:use-module (gnu packages guile)
(define-public libtasn1
(package
(name "libtasn1")
- (version "4.9")
+ (version "4.10")
(source
(origin
(method url-fetch)
(uri (string-append "mirror://gnu/libtasn1/libtasn1-"
version ".tar.gz"))
+ (patches (search-patches "libtasn1-CVE-2017-6891.patch"))
(sha256
(base32
- "0869cp6jx7cajgv6cnddsh3vc7bimmdkdjn80y1jpb4iss7plvsg"))))
+ "00jsix5hny0g768zv4hk78dib7w0qmk5fbizf4jj37r51nd4s6k8"))))
(build-system gnu-build-system)
(native-inputs `(("perl" ,perl)))
- (home-page "http://www.gnu.org/software/libtasn1/")
+ (home-page "https://www.gnu.org/software/libtasn1/")
(synopsis "ASN.1 library")
(description
"GNU libtasn1 is a library implementing the ASN.1 notation. It is used
(define-public asn1c
(package
(name "asn1c")
- (version "0.9.27")
+ (version "0.9.28")
(source (origin
(method url-fetch)
(uri (string-append "https://lionet.info/soft/asn1c-"
version ".tar.gz"))
(sha256
(base32
- "17nvn2kzvlryasr9dzqg6gs27b9lvqpval0k31pb64bjqbhn8pq2"))))
+ "1fc64g45ykmv73kdndr4zdm4wxhimhrir4rxnygxvwkych5l81w0"))))
(build-system gnu-build-system)
(native-inputs
`(("perl" ,perl)))
(define-public gnutls
(package
(name "gnutls")
- (version "3.5.4")
- (replacement gnutls-3.5.8)
+ (version "3.5.10")
(source (origin
(method url-fetch)
(uri
"/gnutls-" version ".tar.xz"))
(sha256
(base32
- "1sx8p7v452s9m854r2c5pvcd1k15a3caiv5h35fhrxz0691h2f2f"))))
+ "17apwvdkkazh5w8z8mbanpj2yj8s2002qwy46wz4v3akpa33wi5g"))))
(build-system gnu-build-system)
(arguments
'(#:configure-flags
- (list (string-append "--with-guile-site-dir="
- (assoc-ref %outputs "out")
- "/share/guile/site/2.0")
+ (list
;; GnuTLS doesn't consult any environment variables to specify
;; the location of the system-wide trust store. Instead it has a
;; configure-time option. Unless specified, its configure script
("pkg-config" ,pkg-config)
("which" ,which)))
(inputs
- `(("guile" ,guile-2.0)
- ("perl" ,perl)))
+ `(("guile" ,guile-2.2)))
(propagated-inputs
;; These are all in the 'Requires.private' field of gnutls.pc.
`(("libtasn1" ,libtasn1)
- ("libidn" ,libidn)
+ ("libidn2" ,libidn2)
("nettle" ,nettle)
("zlib" ,zlib)))
(home-page "https://www.gnu.org/software/gnutls/")
(properties '((ftp-server . "ftp.gnutls.org")
(ftp-directory . "/gcrypt/gnutls")))))
-(define gnutls-3.5.8 ;fixes GNUTLS-SA-2017-{1,2}
- (package
- (inherit gnutls)
- (version "3.5.8")
- (source (origin
- (method url-fetch)
- (uri (string-append "mirror://gnupg/gnutls/v"
- (version-major+minor version)
- "/gnutls-" version ".tar.xz"))
- (sha256
- (base32
- "1zyl2z63s68hx1dpxqx0lykmlf3rwrzlrf44sq3h7dvjmr1z55qf"))))
- (replacement #f)))
-
(define-public gnutls/guile-2.2
- ;; GnuTLS for Guile 2.2. This is supported by GnuTLS >= 3.5.5.
+ (deprecated-package "guile2.2-gnutls" gnutls))
+
+(define-public gnutls/guile-2.0
+ ;; GnuTLS for Guile 2.0.
(package
- (inherit gnutls-3.5.8)
- (name "guile2.2-gnutls")
- (arguments
- ;; Remove '--with-guile-site-dir=…/2.0'.
- (substitute-keyword-arguments (package-arguments gnutls-3.5.8)
- ((#:configure-flags flags)
- `(cdr ,flags))))
- (inputs `(("guile" ,guile-next)
- ,@(alist-delete "guile" (package-inputs gnutls-3.5.8))))))
+ (inherit gnutls)
+ (name "guile2.0-gnutls")
+ (inputs `(("guile" ,guile-2.0)
+ ,@(alist-delete "guile" (package-inputs gnutls))))))
(define-public openssl
(package
(name "openssl")
- (version "1.0.2j")
+ (version "1.0.2k")
(source (origin
(method url-fetch)
(uri (list (string-append "ftp://ftp.openssl.org/source/"
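Review bot: The new gnutls/guile-2.0 variant swaps its "guile" input back to guile-2.0 but inherits gnutls's #:configure-flags unchanged, and the `--with-guile-site-dir=…/2.0` flag that the Guile 2.0 build previously passed is dropped from that list earlier in this change. Whether GnuTLS's configure script computes the right site directory for Guile 2.0 on its own is not visible here; confirm it, or override `#:configure-flags` in the guile-2.0 variant with `substitute-keyword-arguments` as the removed guile2.2-gnutls definition did. The gnutls `arguments` form itself continues outside the hunk, so the remaining flags are not visible.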
"/" name "-" version ".tar.gz")))
(sha256
(base32
- "0cf4ar97ijfc7mg35zdgpad6x8ivkdx9qii6mz35khi1ps9g5bz7"))
+ "1h6qi35w6hv6rd73p4cdgdzg732pdrfgpp37cgwz1v9a3z37ffbb"))
(patches (search-patches "openssl-runpath.patch"
"openssl-c-rehash-in.patch"))))
(build-system gnu-build-system)
(lib (string-append out "/lib"))
(static (assoc-ref outputs "static"))
(slib (string-append static "/lib")))
- (mkdir-p slib)
(for-each (lambda (file)
(install-file file slib)
(delete-file file))
(let ((bash (assoc-ref (or native-inputs inputs) "bash")))
(substitute* (find-files "test" ".*")
(("/bin/sh")
- (string-append bash "/bin/bash"))
+ (string-append bash "/bin/sh"))
(("/bin/rm")
"rm"))
#t)))
(package
(inherit openssl)
(name "openssl")
- (version "1.1.0c")
+ (version "1.1.0e")
(source (origin
(method url-fetch)
(uri (list (string-append "ftp://ftp.openssl.org/source/"
(patches (search-patches "openssl-1.1.0-c-rehash-in.patch"))
(sha256
(base32
- "1xfn5ydl14myd9wgxm4nxy5a42cpp1g12ijf3g9m4mz0l90n8hzw"))))
+ "0k47sdd9gs6yxfv6ldlgpld2lyzrkcv9kz4cf88ck04xjwc8dgjp"))))
(outputs '("out"
"doc" ;1.3MiB of man3 pages
"static")) ; 5.5MiB of .a files
(define-public libressl
(package
(name "libressl")
- (version "2.5.0")
+ (version "2.5.4")
(source
(origin
(method url-fetch)
version ".tar.gz"))
(sha256
(base32
- "1bkfvapi4z826slycmicvs7hwgk4l82gd8w6nqvznldbammvyll6"))))
+ "1ykf6dqlbafafhbdfmcj19pjj1z6wmsq0rmyqga1i0xv5x95nyhh"))))
(build-system gnu-build-system)
+ (arguments
+ ;; Do as if 'getentropy' was missing since older Linux kernels lack it
+ ;; and libc would return ENOSYS, which is not properly handled.
+ ;; See <https://lists.gnu.org/archive/html/guix-devel/2017-04/msg00235.html>.
+ '(#:configure-flags '("ac_cv_func_getentropy=no")))
(native-search-paths
;; FIXME: These two variables must designate a single file or directory
;; and are not actually "search paths." In practice it works OK in
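Review bot: The new `ac_cv_func_getentropy=no` override in libressl's arguments changes which entropy routine the library is built with, so the comment should also say what LibreSSL uses instead, not only why the libc symbol is avoided, e.g. `;; LibreSSL then builds its own getentropy replacement; on each update verify it still draws from the kernel (getrandom/urandom) rather than a last-resort fallback.` The ENOSYS rationale is tied to older kernels, so a sentence on when the override can be dropped would help future updaters. As far as I recall LibreSSL's bundled Linux getentropy tries the getrandom syscall and then /dev/urandom before anything weaker, but that should be confirmed against the 2.5.4 source rather than assumed.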
(search-path-specification
(variable "SSL_CERT_FILE")
(files '("etc/ssl/certs/ca-certificates.crt")))))
- (home-page "http://www.libressl.org/")
+ (home-page "https://www.libressl.org/")
(synopsis "SSL/TLS implementation")
(description "LibreSSL is a version of the TLS/crypto stack forked
from OpenSSL in 2014, with the goals of modernizing the codebase, improving
(define-public python-acme
(package
(name "python-acme")
- (version "0.10.1")
+ ;; Remember to update the hash of certbot when updating python-acme.
+ (version "0.14.1")
(source (origin
(method url-fetch)
(uri (pypi-uri "acme" version))
(sha256
(base32
- "04d2464klbhvrsrlmca10qxyd968qz7xizdppr53cihnlfq2y77m"))))
+ "0asmkfkzbswnkrvbj5m01xgy4f6g1fjbj2nir1hhrn3ipcdrsv8f"))))
(build-system python-build-system)
(arguments
`(#:phases
(modify-phases %standard-phases
- (add-after 'install 'docs
+ (add-after 'unpack 'patch-dependency
+ ;; This module is part of the Python standard library, so we don't
+ ;; need to use an external package.
+ ;; https://github.com/certbot/certbot/pull/2249
+ (lambda _
+ (substitute* "setup.py"
+ (("'argparse',") ""))
+ #t))
+ (add-after 'build 'build-documentation
+ (lambda _
+ (zero? (system* "make" "-C" "docs" "man" "info"))))
+ (add-after 'install 'install-documentation
(lambda* (#:key outputs #:allow-other-keys)
(let* ((out (assoc-ref outputs "out"))
(man (string-append out "/share/man/man1"))
(info (string-append out "/info")))
- (and (zero? (system* "make" "-C" "docs" "man" "info"))
- (install-file "docs/_build/texinfo/acme-python.info" info)
- (install-file "docs/_build/man/acme-python.1" man)
- #t)))))))
+ (install-file "docs/_build/texinfo/acme-python.info" info)
+ (install-file "docs/_build/man/acme-python.1" man)
+ #t))))))
;; TODO: Add optional inputs for testing.
(native-inputs
`(("python-mock" ,python-mock)
("python-sphinx-rtd-theme" ,python-sphinx-rtd-theme)
("texinfo" ,texinfo)))
(propagated-inputs
- `(("python-ndg-httpsclient" ,python-ndg-httpsclient)
- ("python-werkzeug" ,python-werkzeug)
- ("python-six" ,python-six)
+ `(("python-six" ,python-six)
("python-requests" ,python-requests)
("python-pytz" ,python-pytz)
("python-pyrfc3339" ,python-pyrfc3339)
(define-public certbot
(package
(name "certbot")
- (version "0.10.1")
+ ;; Certbot and python-acme are developed in the same repository, and their
+ ;; versions should remain synchronized.
+ (version (package-version python-acme))
(source (origin
(method url-fetch)
(uri (pypi-uri name version))
(sha256
(base32
- "0hx71ba7w8kf8hpg1wy5zf8ggczb57g3kcsdg83kxjpqnfnrkmp0"))))
+ "0rdby57hw35qdrbl7kigscphnz4kqb608bqzrcb73nb99092i6si"))))
(build-system python-build-system)
(arguments
`(#:python ,python-2
- #:phases
- (modify-phases %standard-phases
- (add-after 'build 'docs
- (lambda* (#:key outputs #:allow-other-keys)
- (let* ((out (assoc-ref outputs "out"))
- (man1 (string-append out "/share/man/man1"))
- (man7 (string-append out "/share/man/man7"))
- (info (string-append out "/info")))
- (and
- (zero? (system* "make" "-C" "docs" "man" "info"))
- (install-file "docs/_build/texinfo/Certbot.info" info)
- (install-file "docs/_build/man/certbot.1" man1)
- (install-file "docs/_build/man/certbot.7" man7)
- #t)))))))
+ ,@(substitute-keyword-arguments (package-arguments python-acme)
+ ((#:phases phases)
+ `(modify-phases ,phases
+ (replace 'install-documentation
+ (lambda* (#:key outputs #:allow-other-keys)
+ (let* ((out (assoc-ref outputs "out"))
+ (man1 (string-append out "/share/man/man1"))
+ (man7 (string-append out "/share/man/man7"))
+ (info (string-append out "/info")))
+ (install-file "docs/_build/texinfo/Certbot.info" info)
+ (install-file "docs/_build/man/certbot.1" man1)
+ (install-file "docs/_build/man/certbot.7" man7)
+ #t))))))))
;; TODO: Add optional inputs for testing.
(native-inputs
`(("python2-nose" ,python2-nose)
(propagated-inputs
`(("python2-acme" ,python2-acme)
("python2-zope-interface" ,python2-zope-interface)
- ("python2-pythondialog" ,python2-pythondialog)
("python2-pyrfc3339" ,python2-pyrfc3339)
("python2-pyopenssl" ,python2-pyopenssl)
("python2-configobj" ,python2-configobj)
("python2-requests" ,python2-requests)
("python2-pytz" ,python2-pytz)))
(synopsis "Let's Encrypt client by the Electronic Frontier Foundation")
- (description "Tool to automatically receive and install X.509 certificates
-to enable TLS on servers. The client will interoperate with the Let’s Encrypt CA which
-will be issuing browser-trusted certificates for free.")
+ (description "Certbot automatically receives and installs X.509 certificates
+to enable Transport Layer Security (TLS) on servers. It interoperates with the
+Let’s Encrypt certificate authority (CA), which issues browser-trusted
+certificates for free.")
(home-page "https://certbot.eff.org/")
(license license:asl2.0)))
http servers, too), an sslcat() function for writing your own clients, and
finally access to the SSL api of the SSLeay/OpenSSL package so you can write
servers or clients for more complicated applications.")
- (license (package-license perl))
+ (license license:perl-license)
(home-page "http://search.cpan.org/~mikem/Net-SSLeay-1.66/")))
(define-public perl-crypt-openssl-rsa
"RSA encoding and decoding, using the openSSL libraries")
(description "Crypt::OpenSSL::RSA does RSA encoding and decoding (using the
OpenSSL libraries).")
- (license (package-license perl))))
+ (license license:perl-license)))
(define perl-crypt-arguments
`(#:phases (modify-phases %standard-phases
(description "Crypt::OpenSSL::Bignum provides multiprecision integer
arithmetic in Perl.")
;; At your option either gpl1+ or the Artistic License
- (license (package-license perl))))
+ (license license:perl-license)))
(define-public perl-crypt-openssl-random
(package
"OpenSSL/LibreSSL pseudo-random number generator access")
(description "Crypt::OpenSSL::Random is a OpenSSL/LibreSSL pseudo-random
number generator")
- (license (package-license perl))))
+ (license license:perl-license)))
(define-public acme-client
(package
(name "acme-client")
- (version "0.1.15")
+ (version "0.1.16")
(source (origin
(method url-fetch)
(uri (string-append "https://kristaps.bsd.lv/" name "/"
version ".tgz"))
(sha256
(base32
- "07p723391whrswl4rir0l1k03l457sjscnj0cfaxr8mfnkx4y3wi"))))
+ "00q05b3b1dfnfp7sr1nbd212n0mqrycl3cr9lbs51m7ncaihbrz9"))))
(build-system gnu-build-system)
(arguments
'(#:tests? #f ; no test suite
;; acme-client is distributed under the ISC license, but the files 'jsmn.h'
;; and 'jsmn.c' are distributed under the Expat license.
(license (list license:isc license:expat))))
+
+;; The "-apache" variant is the upstreamed prefered variant. A "-gpl"
+;; variant exists in addition to the "-apache" one.
+(define-public mbedtls-apache
+ (package
+ (name "mbedtls-apache")
+ (version "2.4.2")
+ (source
+ (origin
+ (method url-fetch)
+ ;; XXX: The download links on the website are script redirection links
+ ;; which effectively lead to the format listed in the uri here.
+ (uri (string-append "https://tls.mbed.org/download/mbedtls-"
+ version "-apache.tgz"))
+ (sha256
+ (base32
+ "065hn5zibzflivabdh9p41dknda7wicl2zhc936dmakqfjprip8p"))))
+ (build-system cmake-build-system)
+ (native-inputs
+ `(("perl" ,perl)))
+ (synopsis "Small TLS library")
+ (description
+ "@code{mbed TLS}, formerly known as PolarSSL, makes it trivially easy
+for developers to include cryptographic and SSL/TLS capabilities in their
+(embedded) products, facilitating this functionality with a minimal
+coding footprint.")
+ (home-page "https://tls.mbed.org")
+ (license license:asl2.0)))
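Review bot: The comment introducing mbedtls-apache has a typo and an awkward phrase: `prefered` should be `preferred`, and `the upstreamed prefered variant` reads better as `the variant preferred upstream`. The package passes no configure flags to cmake-build-system; if mbed TLS's CMake build defaults to static archives only (its `USE_SHARED_MBEDTLS_LIBRARY` option, which I believe is OFF by default in this series), dependents would link the TLS code statically and would not pick up fixes delivered through grafts, so it is worth confirming what the build produces and enabling the shared library explicitly if needed. A short comment stating that decision next to `(build-system cmake-build-system)` would save the next updater the same check.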