;;; GNU Guix --- Functional package management for GNU
-;;; Copyright © 2012, 2013, 2014, 2015, 2016 Ludovic Courtès <ludo@gnu.org>
+;;; Copyright © 2012, 2013, 2014, 2015, 2016, 2017 Ludovic Courtès <ludo@gnu.org>
;;; Copyright © 2014, 2015, 2016 Mark H Weaver <mhw@netris.org>
;;; Copyright © 2014 Ian Denhardt <ian@zenhack.net>
;;; Copyright © 2013, 2015 Andreas Enge <andreas@enge.fr>
;;; Copyright © 2015 David Thompson <davet@gnu.org>
-;;; Copyright © 2015, 2016 Leo Famulari <leo@famulari.name>
+;;; Copyright © 2015, 2016, 2017 Leo Famulari <leo@famulari.name>
;;; Copyright © 2016 Efraim Flashner <efraim@flashner.co.il>
-;;; Copyright © 2016 ng0 <ng0@we.make.ritual.n0.is>
+;;; Copyright © 2016, 2017 ng0 <contact.ng0@cryptolab.net>
;;; Copyright © 2016 Hartmut Goebel <h.goebel@crazy-compilers.com>
;;;
;;; This file is part of GNU Guix.
#:use-module (guix build-system gnu)
#:use-module (guix build-system perl)
#:use-module (guix build-system python)
+ #:use-module (guix build-system cmake)
#:use-module (gnu packages compression)
#:use-module (gnu packages)
#:use-module (gnu packages guile)
#:use-module (gnu packages pkg-config)
#:use-module (gnu packages python)
#:use-module (gnu packages texinfo)
- #:use-module (gnu packages base))
+ #:use-module (gnu packages base)
+ #:use-module (srfi srfi-1))
(define-public libtasn1
(package
(package
(name "gnutls")
(version "3.5.4")
+ (replacement gnutls-3.5.8)
(source (origin
(method url-fetch)
(uri
(properties '((ftp-server . "ftp.gnutls.org")
(ftp-directory . "/gcrypt/gnutls")))))
+(define gnutls-3.5.8 ;fixes GNUTLS-SA-2017-{1,2}
+ (package
+ (inherit gnutls)
+ (version "3.5.8")
+ (source (origin
+ (method url-fetch)
+ (uri (string-append "mirror://gnupg/gnutls/v"
+ (version-major+minor version)
+ "/gnutls-" version ".tar.xz"))
+ (sha256
+ (base32
+ "1zyl2z63s68hx1dpxqx0lykmlf3rwrzlrf44sq3h7dvjmr1z55qf"))))
+ (replacement #f)))
+
+(define-public gnutls/guile-2.2
+ ;; GnuTLS for Guile 2.2. This is supported by GnuTLS >= 3.5.5.
+ (package
+ (inherit gnutls-3.5.8)
+ (name "guile2.2-gnutls")
+ (arguments
+ ;; Remove '--with-guile-site-dir=…/2.0'.
+ (substitute-keyword-arguments (package-arguments gnutls-3.5.8)
+ ((#:configure-flags flags)
+ `(cdr ,flags))))
+ (inputs `(("guile" ,guile-next)
+ ,@(alist-delete "guile" (package-inputs gnutls-3.5.8))))))
+
(define-public openssl
(package
(name "openssl")
+ (replacement openssl-1.0.2k)
(version "1.0.2j")
(source (origin
(method url-fetch)
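Review bot: In gnutls/guile-2.2 the `(cdr ,flags)` rewrite drops whichever configure flag happens to be first, relying on '--with-guile-site-dir=…/2.0' staying at the head of the inherited list. If the flags in gnutls are ever reordered or one is prepended, this variant would silently lose a different option and keep the 2.0 site dir, with no build error to signal it. Selecting by name is sturdier, for example `(filter (lambda (flag) (not (string-prefix? "--with-guile-site-dir" flag))) ,flags)` inside the existing quasiquote. The inherited flag list is outside this hunk, so its current order cannot be confirmed from here.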
(license license:openssl)
(home-page "http://www.openssl.org/")))
+(define openssl-1.0.2k
+ (package
+ (inherit openssl)
+ (name "openssl")
+ (version "1.0.2k")
+ (source
+ (origin
+ (method url-fetch)
+ (uri (list (string-append "ftp://ftp.openssl.org/source/"
+ name "-" version ".tar.gz")
+ (string-append "ftp://ftp.openssl.org/source/old/"
+ (string-trim-right version char-set:letter)
+ "/" name "-" version ".tar.gz")))
+ (sha256
+ (base32
+ "1h6qi35w6hv6rd73p4cdgdzg732pdrfgpp37cgwz1v9a3z37ffbb"))
+ (patches (search-patches "openssl-runpath.patch"
+ "openssl-c-rehash-in.patch"))))))
+
(define-public openssl-next
(package
(inherit openssl)
+ (replacement #f)
(name "openssl")
- (version "1.1.0b")
+ (version "1.1.0e")
(source (origin
(method url-fetch)
(uri (list (string-append "ftp://ftp.openssl.org/source/"
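Review bot: openssl-1.0.2k inherits from openssl without resetting `replacement`, unlike gnutls-3.5.8 and openssl-next in this same change, which both set `(replacement #f)`. Since openssl now carries `(replacement openssl-1.0.2k)`, the fixed package appears to inherit a replacement that points at itself; adding `(replacement #f)` after `(version "1.0.2k")` would match the other two definitions. A short trailing comment naming the advisories this graft addresses, as done on gnutls-3.5.8, would also help whoever later decides whether the graft can be dropped. The openssl-next definition continues past the end of this hunk.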
(patches (search-patches "openssl-1.1.0-c-rehash-in.patch"))
(sha256
(base32
- "1xznrqvb1dbngv2k2nb6da6fdw00c01sy2i36yjdxr4vpxrf0pd4"))))
+ "0k47sdd9gs6yxfv6ldlgpld2lyzrkcv9kz4cf88ck04xjwc8dgjp"))))
(outputs '("out"
"doc" ;1.3MiB of man3 pages
"static")) ; 5.5MiB of .a files
(delete 'patch-tests) ; These two phases are not needed by
(delete 'patch-Makefile.org) ; OpenSSL 1.1.0.
- (add-after 'configure 'patch-runpath
+ ;; Override configure phase since -rpath is now a configure option.
+ (replace 'configure
+ (lambda* (#:key outputs #:allow-other-keys)
+ (let* ((out (assoc-ref outputs "out"))
+ (lib (string-append out "/lib")))
+ (zero?
+ (system* "./config"
+ "shared" ;build shared libraries
+ "--libdir=lib"
+
+ ;; The default for this catch-all directory is
+ ;; PREFIX/ssl. Change that to something more
+ ;; conventional.
+ (string-append "--openssldir=" out
+ "/share/openssl-" ,version)
+
+ (string-append "--prefix=" out)
+ (string-append "-Wl,-rpath," lib)
+
+ ;; XXX FIXME: Work around a code generation bug in GCC
+ ;; 4.9.3 on ARM when compiled with -mfpu=neon. See:
+ ;; <https://gcc.gnu.org/bugzilla/show_bug.cgi?id=66917>
+ ,@(if (and (not (%current-target-system))
+ (string-prefix? "armhf" (%current-system)))
+ '("-mfpu=vfpv3")
+ '()))))))
+
+ ;; XXX: Duplicate this phase to make sure 'version' evaluates
+ ;; in the current scope and not the inherited one.
+ (replace 'remove-miscellany
(lambda* (#:key outputs #:allow-other-keys)
- (let ((lib (string-append (assoc-ref outputs "out") "/lib")))
- (substitute* "Makefile.shared"
- (("\\$\\$\\{SHAREDCMD\\} \\$\\$\\{SHAREDFLAGS\\}")
- (string-append "$${SHAREDCMD} $${SHAREDFLAGS}"
- " -Wl,-rpath," lib)))
+ ;; The 'misc' directory contains random undocumented shell and Perl
+ ;; scripts. Remove them to avoid retaining a reference on Perl.
+ (let ((out (assoc-ref outputs "out")))
+ (delete-file-recursively (string-append out "/share/openssl-"
+ ,version "/misc"))
#t)))))))))
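Review bot: The replacement 'configure phase takes only `outputs`, so any `#:configure-flags` supplied by this package or by one that inherits from it are never passed to ./config. For a TLS library that is an easy way for a hardening or feature-disabling option to be dropped without any build failure. Accepting the keyword and appending it would keep the override compatible with the usual mechanism, e.g. `(lambda* (#:key outputs (configure-flags '()) #:allow-other-keys)` together with `(apply system* "./config" … configure-flags)`. The enclosing modify-phases form starts outside this hunk, so whether flags are set elsewhere for openssl-next is not visible here.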
(define-public libressl
(package
(name "libressl")
- (version "2.5.0")
+ (version "2.5.1")
(source
(origin
(method url-fetch)
version ".tar.gz"))
(sha256
(base32
- "1bkfvapi4z826slycmicvs7hwgk4l82gd8w6nqvznldbammvyll6"))))
+ "1kc709scgd76vk7fld4jnb4wb5lxdv1cj8zsgyjb33xp4jlf06pp"))))
(build-system gnu-build-system)
(native-search-paths
;; FIXME: These two variables must designate a single file or directory
(define-public python-acme
(package
(name "python-acme")
- (version "0.9.3")
+ ;; Remember to update the hash of certbot when updating python-acme.
+ (version "0.12.0")
(source (origin
(method url-fetch)
(uri (pypi-uri "acme" version))
(sha256
- (base32
- "16a02bb0apnk1bm68bcabdmmwd6rnvnjzanrmcb46bpbapwz3vx6"))))
+ (base32
+ "1pzv8fcfwdqzvvpyhgjz412is0b98yj9495k8sidzzqgbdmvlp50"))))
(build-system python-build-system)
(arguments
`(#:phases
(define-public certbot
(package
(name "certbot")
- (version "0.9.3")
+ ;; Certbot and python-acme are developed in the same repository, and their
+ ;; versions should remain synchronized.
+ (version (package-version python-acme))
(source (origin
(method url-fetch)
(uri (pypi-uri name version))
(sha256
(base32
- "1c7k4lfq5j78d1rvrwrb9082ngwibz92cwkf4kazaa9b76w9q538"))))
+ "1dw86gb8lyap5ckjawmli1hxgbchw2g62g1lqfvxyqjv0df94waa"))))
(build-system python-build-system)
(arguments
`(#:python ,python-2
("python2-requests" ,python2-requests)
("python2-pytz" ,python2-pytz)))
(synopsis "Let's Encrypt client by the Electronic Frontier Foundation")
- (description "Tool to automatically receive and install X.509 certificates
-to enable TLS on servers. The client will interoperate with the Let’s Encrypt CA which
-will be issuing browser-trusted certificates for free.")
+ (description "Certbot automatically receives and installs X.509 certificates
+to enable Transport Layer Security (TLS) on servers. It interoperates with the
+Let’s Encrypt certificate authority (CA), which issues browser-trusted
+certificates for free.")
(home-page "https://certbot.eff.org/")
(license license:asl2.0)))
(define-public acme-client
(package
(name "acme-client")
- (version "0.1.14")
+ (version "0.1.16")
(source (origin
(method url-fetch)
(uri (string-append "https://kristaps.bsd.lv/" name "/"
version ".tgz"))
(sha256
(base32
- "1qq4xk41pn65m3v7nnvkmxg96pr06vz6hzdrm0vcmlp3clzpbahl"))))
+ "00q05b3b1dfnfp7sr1nbd212n0mqrycl3cr9lbs51m7ncaihbrz9"))))
(build-system gnu-build-system)
(arguments
'(#:tests? #f ; no test suite
(string-append "PREFIX=" (assoc-ref %outputs "out")))
#:phases
(modify-phases %standard-phases
+ (add-after 'unpack 'patch-paths
+ (lambda* (#:key inputs #:allow-other-keys)
+ (let ((pem (string-append (assoc-ref inputs "libressl")
+ "/etc/ssl/cert.pem")))
+ (substitute* "http.c"
+ (("/etc/ssl/cert.pem") pem))
+ #t)))
(delete 'configure)))) ; no './configure' script
+ (native-inputs
+ `(("pkg-config" ,pkg-config)))
(inputs
`(("libbsd" ,libbsd)
("libressl" ,libressl)))
;; acme-client is distributed under the ISC license, but the files 'jsmn.h'
;; and 'jsmn.c' are distributed under the Expat license.
(license (list license:isc license:expat))))
+
+;; The "-apache" variant is the upstreamed prefered variant. A "-gpl"
+;; variant exists in addition to the "-apache" one.
+(define-public mbedtls-apache
+ (package
+ (name "mbedtls-apache")
+ (version "2.4.0")
+ (source
+ (origin
+ (method url-fetch)
+ ;; XXX: The download links on the website are script redirection links
+ ;; which effectively lead to the format listed in the uri here.
+ (uri (string-append "https://tls.mbed.org/download/mbedtls-"
+ version "-apache.tgz"))
+ (sha256
+ (base32
+ "03bzbfidigljva6xj49k38q3kwlbj75lrky4a0ainylzsfg5bhy1"))))
+ (build-system cmake-build-system)
+ (native-inputs
+ `(("perl" ,perl)))
+ (synopsis "Small TLS library")
+ (description
+ "@code{mbed TLS}, formerly known as PolarSSL, makes it trivially easy
+for developers to include cryptographic and SSL/TLS capabilities in their
+(embedded) products, facilitating this functionality with a minimal
+coding footprint.")
+ (home-page "https://tls.mbed.org")
+ (license license:asl2.0)))
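Review bot: The 'patch-paths phase in acme-client hard-codes the certificate bundle from the libressl input into http.c, and nothing in the recipe says why. That presumably makes the client trust exactly the CA set frozen into that LibreSSL build, so certificate-store updates on the system do not reach it until the package is rebuilt. A comment above the phase would record the trade-off, e.g. `;; Verify peers against the CA bundle shipped with LibreSSL; it is fixed at build time.` Note also that `substitute*` does not fail when the pattern stops matching, so a future acme-client release that moves the path would silently fall back to /etc/ssl/cert.pem.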