233e7676 1;;; GNU Guix --- Functional package management for GNU
0fffcfa4 2;;; Copyright © 2012-2017, 2019-2022 Ludovic Courtès <ludo@gnu.org>
74e2c0e0 3;;; Copyright © 2014, 2015, 2016, 2017, 2018, 2021 Mark H Weaver <mhw@netris.org>
29a7c98a 4;;; Copyright © 2014 Ian Denhardt <ian@zenhack.net>
cc2b77df 5;;; Copyright © 2013, 2015 Andreas Enge <andreas@enge.fr>
9fd0838b 6;;; Copyright © 2015 David Thompson <davet@gnu.org>
363fe99c 7;;; Copyright © 2015, 2016, 2017, 2018, 2019, 2020, 2021 Leo Famulari <leo@famulari.name>
c591bb68 8;;; Copyright © 2016, 2017, 2019, 2021, 2022 Efraim Flashner <efraim@flashner.co.il>
3c986a7d 9;;; Copyright © 2016, 2017, 2018 Nikita <nikita@n0.is>
375cef6c 10;;; Copyright © 2016 Hartmut Goebel <h.goebel@crazy-compilers.com>
ee33f9a7 11;;; Copyright © 2017 Ricardo Wurmus <rekado@elephly.net>
2932c421 12;;; Copyright © 2017-2022 Marius Bakke <marius@gnu.org>
77e2df87 13;;; Copyright © 2017–2021 Tobias Geerinckx-Rice <me@tobias.gr>
fbf5ca3c 14;;; Copyright © 2017 Rutger Helling <rhelling@mykolab.com>
e8b3a158 15;;; Copyright © 2018 Clément Lassieur <clement@lassieur.org>
bdcdd550 16;;; Copyright © 2019 Mathieu Othacehe <m.othacehe@gmail.com>
a9bcc647 17;;; Copyright © 2020 Jan (janneke) Nieuwenhuizen <janneke@gnu.org>
63858f8c 18;;; Copyright © 2020, 2021 Maxim Cournoyer <maxim.cournoyer@gmail.com>
0b70eb03 19;;; Copyright © 2021 Solene Rapenne <solene@perso.pw>
76a9bad3 20;;; Copyright © 2021 Brice Waegeneire <brice@waegenei.re>
f64a35b9 21;;; Copyright © 2021 Maxime Devos <maximedevos@telenet.be>
2bb789f6 22;;; Copyright © 2021 Matthew James Kraai <kraai@ftbfs.org>
811b62d8 23;;; Copyright © 2021 John Kehayias <john.kehayias@protonmail.com>
a5a408c3 24;;; Copyright © 2022 Greg Hogan <code@greghogan.com>
7543f865 25;;;
233e7676 26;;; This file is part of GNU Guix.
7543f865 27;;;
233e7676 28;;; GNU Guix is free software; you can redistribute it and/or modify it
29;;; under the terms of the GNU General Public License as published by
30;;; the Free Software Foundation; either version 3 of the License, or (at
31;;; your option) any later version.
32;;;
233e7676 33;;; GNU Guix is distributed in the hope that it will be useful, but
34;;; WITHOUT ANY WARRANTY; without even the implied warranty of
35;;; MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
36;;; GNU General Public License for more details.
37;;;
38;;; You should have received a copy of the GNU General Public License
233e7676 39;;; along with GNU Guix. If not, see <http://www.gnu.org/licenses/>.
7543f865 40
a7fd7b68 41(define-module (gnu packages tls)
e9aa8d0c 42 #:use-module ((guix licenses) #:prefix license:)
43 #:use-module (guix packages)
44 #:use-module (guix download)
ea22aa1f 45 #:use-module (guix git-download)
29a7c98a 46 #:use-module (guix utils)
7c0eaa1f 47 #:use-module (guix gexp)
7543f865 48 #:use-module (guix build-system gnu)
ea22aa1f 49 #:use-module (guix build-system go)
cc2b77df 50 #:use-module (guix build-system perl)
7890e3ba 51 #:use-module (guix build-system python)
88522738 52 #:use-module (guix build-system cmake)
e8b3a158 53 #:use-module (guix build-system trivial)
2200530b 54 #:use-module ((guix search-paths) #:select ($SSL_CERT_DIR $SSL_CERT_FILE))
f61e0e79 55 #:use-module (gnu packages compression)
013ce67b 56 #:use-module (gnu packages)
363fe99c 57 #:use-module (gnu packages autotools)
e8b3a158 58 #:use-module (gnu packages bash)
ac257f12 59 #:use-module (gnu packages check)
e8b3a158 60 #:use-module (gnu packages curl)
5b9aa107 61 #:use-module (gnu packages dns)
e8b3a158 62 #:use-module (gnu packages gawk)
1a244b78 63 #:use-module (gnu packages gettext)
1ffa7090 64 #:use-module (gnu packages guile)
a9bcc647 65 #:use-module (gnu packages hurd)
0581c273 66 #:use-module (gnu packages libbsd)
27e86bed 67 #:use-module (gnu packages libffi)
866f469e 68 #:use-module (gnu packages libidn)
5d4c90ae 69 #:use-module (gnu packages linux)
7890e3ba 70 #:use-module (gnu packages ncurses)
27e86bed 71 #:use-module (gnu packages nettle)
e7ab9c33 72 #:use-module (gnu packages networking)
1ffa7090 73 #:use-module (gnu packages perl)
27e86bed 74 #:use-module (gnu packages pkg-config)
7890e3ba 75 #:use-module (gnu packages python)
cc6f4912 76 #:use-module (gnu packages python-crypto)
1b2f753d 77 #:use-module (gnu packages python-web)
44d10b1f 78 #:use-module (gnu packages python-xyz)
9d0c291e 79 #:use-module (gnu packages sphinx)
a31f4d35 80 #:use-module (gnu packages texinfo)
33dc54b0 81 #:use-module (gnu packages time)
82 #:use-module (gnu packages base)
83 #:use-module (srfi srfi-1))
84
;; GNU libtasn1: the ASN.1 (DER/BER) codec that 'gnutls' and 'p11-kit' below
;; declare as an input.  Certificate parsing in those packages goes through
;; it, so its release level is security-relevant for them.
(define-public libtasn1
  (package
    (name "libtasn1")
    ;; NOTE(review): later 4.x releases exist; check the upstream advisories
    ;; for fixes that post-date 4.17.0 and, if one is needed, add a
    ;; 'replacement' graft rather than bumping this field (a bump rebuilds
    ;; every dependent).
    (version "4.17.0")
    (source
     (origin
       (method url-fetch)
       ;; GNU mirror tarball; the sha256 below is what authenticates it.
       (uri (string-append "mirror://gnu/libtasn1/libtasn1-"
                           version ".tar.gz"))
       (sha256
        (base32
         "19a53i1ajs4dd8nnlr2i6gbzvla84ay71g3y1phvh8krx8f5brzc"))))
    (build-system gnu-build-system)
    (arguments
     ;; Shared library only; no static archive is produced.
     `(#:configure-flags '("--disable-static")))
    (native-inputs (list perl))         ;build-time only
    (home-page "https://www.gnu.org/software/libtasn1/")
    (synopsis "ASN.1 library")
    (description
     "GNU libtasn1 is a library implementing the ASN.1 notation. It is used
for transmitting machine-neutral encodings of data objects in computer
networking, allowing for formal validation of data according to some
specifications.")
    (license license:lgpl2.0+)))
7543f865 109
;; asn1c: compiles ASN.1 modules into C codecs.  The generated code is what
;; later parses BER/PER/XER input in consumer packages, so the compiler
;; release used here matters for those consumers.
(define-public asn1c
  (package
    (name "asn1c")
    ;; NOTE(review): 0.9.28 is an old upstream release; check whether fixes
    ;; that consumers rely on landed in a newer one before depending on it.
    (version "0.9.28")
    (source (origin
              (method url-fetch)
              ;; Fetched from upstream's own host over HTTPS; the sha256
              ;; pins the content regardless of the transport.
              (uri (string-append "https://lionet.info/soft/asn1c-"
                                  version ".tar.gz"))
              (sha256
               (base32
                "1fc64g45ykmv73kdndr4zdm4wxhimhrir4rxnygxvwkych5l81w0"))))
    (build-system gnu-build-system)
    (native-inputs
     (list perl))                       ;build-time only
    (home-page "https://lionet.info/asn1c")
    (synopsis "ASN.1 to C compiler")
    (description "The ASN.1 to C compiler takes ASN.1 module
files and generates C++ compatible C source code. That code can be
used to serialize the native C structures into compact and unambiguous
BER/XER/PER-based data files, and deserialize the files back.

Various ASN.1 based formats are widely used in the industry, such as to encode
the X.509 certificates employed in the HTTPS handshake, to exchange control
data between mobile phones and cellular networks, to car-to-car communication
in intelligent transportation networks.")
    (license license:bsd-2)))
136
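;; p11-kit: PKCS#11 module loader and trust module.  This variant is built
;; WITHOUT any compiled-in trust path (see 'arguments'); 'p11-kit-next'
;; below is the one wired to the system CA bundle.
(define-public p11-kit
  (package
    (name "p11-kit")
    (version "0.23.22")
    (source
     (origin
       (method url-fetch)
       ;; GitHub release tarball; the sha256 below pins its content.
       (uri (string-append "https://github.com/p11-glue/p11-kit/releases/"
                           "download/" version "/p11-kit-" version ".tar.xz"))
       (sha256
        (base32 "1dn6br4v033d3gp2max9lsr3y4q0nj6iyr1yq3kzi8ym7lal13wa"))))
    (build-system gnu-build-system)
    (native-inputs
     ;; On the Hurd the tree is patched and re-bootstrapped (see the
     ;; 'apply-hurd-patch' and 'bootstrap' phases), hence the autotools.
     `(,@(if (hurd-target?)
             `(("autoconf" ,autoconf)
               ("automake" ,automake)
               ("gettext" ,gettext-minimal) ;for autopoint
               ("libtool" ,libtool))
             '())
       ("pkg-config" ,pkg-config)))
    (inputs
     `(("libffi" ,libffi)
       ,@(if (hurd-target?)
             `(("libbsd" ,libbsd)
               ;; Passed as an input (not via the origin's 'patches') so the
               ;; build phase below can locate it with 'assoc-ref'.
               ("hurd-patch" ,(search-patch "p11-kit-hurd.patch")))
             '())
       ("libtasn1" ,libtasn1)))
    (arguments
     ;; '--without-trust-paths' means the trust module has no built-in
     ;; location for CA anchors; consumers that need system certificates
     ;; through PKCS#11 should use 'p11-kit-next' instead.
     `(#:configure-flags '("--without-trust-paths")
       #:phases (modify-phases %standard-phases
                  ,@(if (hurd-target?)
                        '((add-after 'unpack 'apply-hurd-patch
                            (lambda* (#:key inputs #:allow-other-keys)
                              (let ((patch (assoc-ref inputs "hurd-patch")))
                                (invoke "patch" "-p1" "--batch" "-i"
                                        patch))))
                          (replace 'bootstrap
                            (lambda _
                              (invoke "autoreconf" "-fiv"))))
                        '())
                  (add-before 'check 'prepare-tests
                    (lambda _
                      ;; "test-runtime" expects XDG_RUNTIME_DIR to be set up
                      ;; and looks for .cache and other directories (only).
                      ;; For simplicity just drop it since it is irrelevant
                      ;; in the build container.
                      ;; (Phases no longer need to return #t; the other
                      ;; phases in this file already omit it.)
                      (substitute* "Makefile"
                        (("test-runtime\\$\\(EXEEXT\\)") "")))))))
    (home-page "https://p11-glue.github.io/p11-glue/p11-kit.html")
    (synopsis "PKCS#11 library")
    (description
     "p11-kit provides a way to load and enumerate PKCS#11 modules. It
provides a standard configuration setup for installing PKCS#11 modules
in such a way that they are discoverable. It also solves problems with
coordinating the use of PKCS#11 by different components or libraries
living in the same process.")
    (license license:bsd-3)))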
27e86bed 195
;; Newer p11-kit release, built WITH a system trust path so the PKCS#11
;; trust module can serve the CA bundle to its users.
(define-public p11-kit-next
  (package
    (inherit p11-kit)
    (version "0.24.1")
    (source
     (origin
       (method url-fetch)
       (uri (string-append "https://github.com/p11-glue/p11-kit/releases/"
                           "download/" version "/p11-kit-" version ".tar.xz"))
       (sha256
        (base32 "1y5fm9gwhkh902r26p90qf1g2h1ziqrk4hgf9i9sxm2wzlz7ignq"))))
    (arguments
     ;; Use the default certificates so that users such as flatpak find them.
     ;; See <https://issues.guix.gnu.org/49957>.
     ;;
     ;; The inherited '--without-trust-paths' flag is discarded on purpose
     ;; (FLAGS is deliberately unused) and replaced by one trust path.  That
     ;; path lives outside the store and only exists on hosts that install a
     ;; CA bundle there; where it is absent, the trust module presumably just
     ;; exposes no anchors — TODO confirm with p11-kit's behaviour.
     (substitute-keyword-arguments (package-arguments p11-kit)
       ((#:configure-flags flags ''())
        ''("--with-trust-paths=/etc/ssl/certs/ca-certificates.crt"))))))
811b62d8 213
(define-public gnutls
  (package
    (name "gnutls")
    ;; NOTE(review): 3.7.2 is several point releases behind 'gnutls-latest'
    ;; (3.7.7, below).  Check the upstream security advisories for fixes
    ;; that landed in between and add a 'replacement' graft if one applies;
    ;; no replacement is declared here.
    (version "3.7.2")
    (source (origin
              (method url-fetch)
              ;; Note: Releases are no longer on ftp.gnu.org since the
              ;; schism (after version 3.1.5).
              (uri (string-append "mirror://gnupg/gnutls/v"
                                  (version-major+minor version)
                                  "/gnutls-" version ".tar.xz"))
              ;; The first patch skips the test that expects the system
              ;; trust store to be present (it is not in the build
              ;; container).  The sha256 below pins the unpatched tarball.
              (patches (search-patches "gnutls-skip-trust-store-test.patch"
                                       "gnutls-cross.patch"
                                       "gnutls-guile-eintr-eagain.patch"))
              (sha256
               (base32
                "0li7mwjnm64mbxhacz0rpf6i9qd83f53fvbrx96alpqqk9d6qvk4"))))
    (build-system gnu-build-system)
    (arguments
     ;; The test suite is skipped when cross-compiling and on the Hurd.
     `(#:tests? ,(not (or (%current-target-system)
                          (hurd-target?)))
       ;; Ensure we don't keep a reference to the tools used for testing.
       #:disallowed-references ,(if (hurd-target?)
                                    '()
                                    (list net-tools iproute socat))
       #:configure-flags
       (cons*
        ;; GnuTLS doesn't consult any environment variables to specify
        ;; the location of the system-wide trust store. Instead it has a
        ;; configure-time option. Unless specified, its configure script
        ;; attempts to auto-detect the location by looking for common
        ;; places in the file system, none of which are present in our
        ;; chroot build environment. If not found, then no default trust
        ;; store is used, so each program has to provide its own
        ;; fallback, and users have to configure each program
        ;; independently. This seems suboptimal.
        ;;
        ;; This directory is a runtime path outside the store and, unlike
        ;; OpenSSL's SSL_CERT_DIR/SSL_CERT_FILE below, cannot be overridden
        ;; from the environment.  On a host where it is missing or empty,
        ;; programs relying on the default trust store have no anchors to
        ;; verify against.
        "--with-default-trust-store-dir=/etc/ssl/certs"

        ;; Tell the build system that we want Guile bindings installed to
        ;; the output instead of Guiles own module directory.
        (string-append "--with-guile-site-dir="
                       "$(datarootdir)/guile/site/$(GUILE_EFFECTIVE_VERSION)")
        (string-append "--with-guile-site-ccache-dir="
                       "$(libdir)/guile/$(GUILE_EFFECTIVE_VERSION)/site-ccache")
        (string-append "--with-guile-extension-dir="
                       "$(libdir)/guile/$(GUILE_EFFECTIVE_VERSION)/extensions")

        (let ((system ,(or (%current-target-system)
                           (%current-system))))
          (if (string-prefix? "mips64el" system)
              (list
               ;; FIXME: Temporarily disable p11-kit support since it is
               ;; not working on mips64el.  ('propagated-inputs' below
               ;; drops p11-kit for that system as well.)
               "--without-p11-kit")
              '())))

       #:phases (modify-phases %standard-phases
                  ;; fastopen.sh fails to connect to the server in the builder
                  ;; environment (see:
                  ;; https://gitlab.com/gnutls/gnutls/-/issues/1095).
                  (add-after 'unpack 'disable-failing-tests
                    (lambda _
                      ;; Exit status 77 is the Automake "skipped" code, so
                      ;; the test is reported as SKIP rather than PASS.
                      (substitute* "tests/fastopen.sh"
                        (("^unset RETCODE")
                         "exit 77\n")))) ;skip
                  (add-after 'install 'move-doc
                    (lambda* (#:key outputs #:allow-other-keys)
                      ;; Copy the 4.1 MiB of section 3 man pages to "doc".
                      (let* ((out (assoc-ref outputs "out"))
                             (doc (assoc-ref outputs "doc"))
                             (mandir (string-append doc "/share/man/man3"))
                             (oldman (string-append out "/share/man/man3")))
                        (mkdir-p mandir)
                        (copy-recursively oldman mandir)
                        (delete-file-recursively oldman)))))))
    (outputs '("out" ;4.4 MiB
               "debug"
               "doc")) ;4.1 MiB of man pages
    (native-inputs
     ;; Test-only tools are listed here and also in
     ;; '#:disallowed-references' above, so a leaked reference fails the
     ;; build instead of silently enlarging the closure.
     `(,@(if (%current-target-system) ;for cross-build
             `(("guile" ,guile-3.0)) ;to create .go files
             '())
       ,@(if (hurd-target?)
             '()
             `(("net-tools" ,net-tools)
               ("iproute" ,iproute) ;for 'ss'
               ("socat" ,socat))) ;several tests rely on it
       ("pkg-config" ,pkg-config)
       ("texinfo" ,texinfo)
       ("which" ,which)
       ,@(if (hurd-target?)
             '()
             `(("datefudge" ,datefudge))) ;tests rely on 'datefudge'
       ("util-linux" ,util-linux))) ;one test needs 'setsid'
    (inputs
     (list guile-3.0))
    (propagated-inputs
     ;; These are all in the 'Requires.private' field of gnutls.pc.
     `(("libtasn1" ,libtasn1)
       ("libidn2" ,libidn2)
       ("nettle" ,nettle)
       ("zlib" ,zlib)
       ,@(let ((system (or (%current-target-system)
                           (%current-system))))
           (if (string-prefix? "mips64el" system)
               '()
               `(("p11-kit" ,p11-kit))))))
    (home-page "https://www.gnu.org/software/gnutls/")
    (synopsis "Transport layer security library")
    (description
     "GnuTLS is a secure communications library implementing the SSL, TLS
and DTLS protocols. It is provided in the form of a C library to support the
protocols, as well as to parse and write X.509, PKCS #12, OpenPGP and other
required structures.")
    (license license:lgpl2.1+)
    (properties '((ftp-server . "ftp.gnutls.org")
                  (ftp-directory . "/gcrypt/gnutls")))))
cc2b77df 331
(define-public gnutls-latest
  ;; Version 3.7.7 introduces 'set-session-record-port-close!', which allows
  ;; us to get rid of the wrapper port in 'tls-wrap'.
  ;; Everything except the version, the tarball and the patch list is taken
  ;; from 'gnutls'; the EINTR/EAGAIN Guile patch is intentionally not
  ;; carried over to this release.
  (package
    (inherit gnutls)
    (version "3.7.7")
    (source (origin
              (inherit (package-source gnutls))
              (uri (string-append "mirror://gnupg/gnutls/v"
                                  (version-major+minor version)
                                  "/gnutls-" version ".tar.xz"))
              (patches (search-patches "gnutls-skip-trust-store-test.patch"
                                       "gnutls-cross.patch"))
              (sha256
               (base32
                "01i1gl15k6qwvxmxx0by1mn9nlmcmym18wdpm7dn9awfsp8474dy"))))))
348
(define-public gnutls/guile-2.0
  ;; GnuTLS for Guile 2.0: the same build as 'gnutls', with the Guile input
  ;; swapped so the bundled bindings are compiled against Guile 2.0.
  (package/inherit gnutls
    (name "guile2.0-gnutls")
    (inputs
     (let ((without-guile (alist-delete "guile" (package-inputs gnutls))))
       (cons `("guile" ,guile-2.0) without-guile)))))
079f013b 355
(define-public gnutls/dane
  ;; GnuTLS with build libgnutls-dane, implementing DNS-based
  ;; Authentication of Named Entities. This is required for GNS functionality
  ;; by GNUnet and gnURL. This is done in an extra package definition
  ;; to have the choice between GnuTLS with Dane and without Dane.
  ;; Adding 'unbound' to the inputs is what makes configure enable the
  ;; DANE library; the rest of the build is inherited unchanged.
  (package/inherit gnutls
    (name "gnutls-dane")
    (inputs
     (cons `("unbound" ,unbound)
           (package-inputs gnutls)))))
365
(define-public guile2.2-gnutls
  ;; GnuTLS with its bundled Guile bindings built against Guile 2.2 instead
  ;; of Guile 3.0; otherwise identical to 'gnutls'.
  (package/inherit gnutls
    (name "guile2.2-gnutls")
    (inputs
     (let ((without-guile (alist-delete "guile" (package-inputs gnutls))))
       (cons `("guile" ,guile-2.2) without-guile)))))
d630d781 372
(define-public guile-gnutls
  (package
    ;; This package supersedes the Guile bindings that came with GnuTLS until
    ;; version 3.7.8 included.
    (name "guile-gnutls")
    (version "3.7.9")
    (home-page "https://gitlab.com/gnutls/guile/")
    (source (origin
              (method git-fetch)
              ;; Checked out by tag.  Tags are mutable, so the sha256 below
              ;; is what actually pins the content being built.
              (uri (git-reference
                    (url home-page)
                    (commit (string-append "v" version))))
              (sha256
               (base32
                "00sfpqjmd263ka51fq4xf7nvaaxyfqsr3r8fj94jgx45q6q6n6wq"))
              (file-name (git-file-name name version))))
    (build-system gnu-build-system)
    (arguments
     '(#:configure-flags
       ;; Tell the build system that we want Guile bindings installed to
       ;; the output instead of Guiles own module directory.
       (list "--disable-static"
             (string-append "--with-guile-site-dir="
                            "$(datarootdir)/guile/site/$(GUILE_EFFECTIVE_VERSION)")
             (string-append "--with-guile-site-ccache-dir="
                            "$(libdir)/guile/$(GUILE_EFFECTIVE_VERSION)/site-ccache")
             (string-append "--with-guile-extension-dir="
                            "$(libdir)/guile/$(GUILE_EFFECTIVE_VERSION)/extensions"))))
    (native-inputs
     ;; Autotools are needed because this is a git checkout, presumably
     ;; without a pre-generated configure script (the default 'bootstrap'
     ;; phase runs them).
     (list autoconf
           automake
           libtool
           pkg-config
           texinfo
           guile-3.0))
    (inputs
     ;; Built against 'gnutls-latest' (3.7.7), not the default 'gnutls'.
     (list gnutls-latest))
    (synopsis "Guile bindings to GnuTLS")
    ;; NOTE(review): the description reads "library implementation the";
    ;; it should read "library implementing the".
    (description
     "This package provides Guile bindings to GnuTLS, a library implementation
the @acronym{TLS, Transport-Layer Security} protocol. It supersedes the Guile
bindings that were formerly provided as part of GnuTLS.")
    (license license:lgpl2.1+)))
416
(define (target->openssl-target target)
  "Return the value to set CONFIGURE_TARGET_ARCH to when cross-compiling
OpenSSL for TARGET."
  ;; Keep this code outside the build code,
  ;; such that new targets can be added
  ;; without causing rebuilds for other targets.
  (define (kernel-name)
    ;; The OS half of an OpenSSL "<os>-<arch>" target name.
    (cond ((target-hurd? target) "hurd")
          ((target-linux? target) "linux")
          (else (error "unsupported openssl target kernel"))))

  (define (arch-name)
    ;; The CPU half.  Clause order matters: ppc64le is tested before the
    ;; generic powerpc/64-bit clause, and the 64-bit catch-all comes last.
    (cond ((target-x86-32? target) "x86")
          ((target-x86-64? target) "x86_64")
          ((target-mips64el? target) "mips64")
          ((target-arm32? target) "armv4")
          ((target-aarch64? target) "aarch64")
          ((target-ppc64le? target) "ppc64le")
          ((target-ppc32? target) "ppc")
          ((and (target-powerpc? target) (target-64bit? target)) "ppc64")
          ;; linux64-riscv64 isn't recognized until 3.0.0.
          ((target-64bit? target) "generic64")
          (else (error "unsupported openssl target architecture"))))

  (cond ((target-mingw? target)
         ;; MinGW targets are plain "mingw"/"mingw64", without an OS prefix.
         (if (target-x86-64? target) "mingw64" "mingw"))
        (else
         (let ((os (kernel-name)))
           (string-append os "-" (arch-name))))))
7fabe9c8 461
(define-public openssl-1.1
  (package
    (name "openssl")
    ;; Security fixes reach users through the grafted 'openssl/fixed' below
    ;; (a later 1.1.1 point release) rather than by bumping this field,
    ;; which would rebuild every dependent.
    (version "1.1.1l")
    (replacement openssl/fixed)
    (source (origin
              (method url-fetch)
              ;; HTTPS source first, plain-FTP mirrors as fallbacks; the
              ;; sha256 below is what authenticates the tarball either way.
              (uri (list (string-append "https://www.openssl.org/source/openssl-"
                                        version ".tar.gz")
                         (string-append "ftp://ftp.openssl.org/source/"
                                        "openssl-" version ".tar.gz")
                         (string-append "ftp://ftp.openssl.org/source/old/"
                                        (string-trim-right version char-set:letter)
                                        "/openssl-" version ".tar.gz")))
              (patches (search-patches "openssl-1.1-c-rehash-in.patch"))
              (sha256
               (base32
                "1lbblxps2fhmz7bqh058iywh5wxfignbfx1s1kz2fj63b5g3wyhb"))))
    (build-system gnu-build-system)
    (outputs '("out"
               "doc" ;6.8 MiB of man3 pages and full HTML documentation
               "static")) ;6.4 MiB of .a files
    (native-inputs (list perl))
    (arguments
     `(#:parallel-tests? #f
       #:test-target "test"

       ;; Changes to OpenSSL sometimes cause Perl to "sneak in" to the closure,
       ;; so we explicitly disallow it here.
       #:disallowed-references ,(list (canonical-package perl))
       #:phases
       ,#~
       (modify-phases %standard-phases
         ;; When cross-compiling, OpenSSL's Configure needs the toolchain
         ;; prefix and an explicit target name; the latter is computed on
         ;; the host side by 'target->openssl-target' above.
         #$@(if (%current-target-system)
                #~((add-before
                    'configure 'set-cross-compile
                    (lambda* (#:key target #:allow-other-keys)
                      (setenv "CROSS_COMPILE" (string-append target "-"))
                      (setenv "CONFIGURE_TARGET_ARCH"
                              #$(target->openssl-target
                                 (%current-target-system))))))
                #~())
         ;; This test seems to be dependant on kernel features.
         ;; https://github.com/openssl/openssl/issues/12242
         ;; Only 'test_afalg' is excluded (judging by its name, the AF_ALG
         ;; engine test); the rest of the suite still runs.
         #$@(if (or (target-arm?)
                    (target-riscv64?))
                #~((replace 'check
                     (lambda* (#:key tests? test-target #:allow-other-keys)
                       (when tests?
                         (invoke "make" "TESTS=-test_afalg" test-target)))))
                #~())
         (replace 'configure
           (lambda* (#:key configure-flags #:allow-other-keys)
             (let* ((out #$output)
                    (lib (string-append out "/lib")))
               ;; It's not a shebang so patch-source-shebangs misses it.
               (substitute* "config"
                 (("/usr/bin/env")
                  (string-append (assoc-ref %build-inputs "coreutils")
                                 "/bin/env")))
               (apply
                invoke #$@(if (%current-target-system)
                              #~("./Configure")
                              #~("./config"))
                "shared" ;build shared libraries
                "--libdir=lib"

                ;; The default for this catch-all directory is
                ;; PREFIX/ssl. Change that to something more
                ;; conventional.
                ;; NOTE(review): the version is baked into this path, so
                ;; the grafted replacement (a different version) ends up
                ;; with a different openssldir — confirm nothing embeds the
                ;; 1.1.1l path at build time.
                (string-append "--openssldir=" out
                               "/share/openssl-"
                               #$(package-version this-package))

                (string-append "--prefix=" out)
                ;; Record the output's lib/ in the RUNPATH so the shared
                ;; libraries resolve without LD_LIBRARY_PATH.
                (string-append "-Wl,-rpath," lib)
                #$@(if (%current-target-system)
                       #~((getenv "CONFIGURE_TARGET_ARCH"))
                       #~())
                configure-flags)
               ;; Output the configure variables.
               (invoke "perl" "configdata.pm" "--dump"))))
         (add-after 'install 'move-static-libraries
           (lambda _
             ;; Move static libraries to the "static" output.
             (let* ((out #$output)
                    (lib (string-append out "/lib"))
                    (static #$output:static)
                    (slib (string-append static "/lib")))
               (for-each (lambda (file)
                           (install-file file slib)
                           (delete-file file))
                         (find-files
                          lib
                          ;; On MinGW the .dll.a import libraries stay with
                          ;; the DLLs; only real static archives move.
                          #$(if (target-mingw?)
                                '(lambda (filename _)
                                   (and (string-suffix? ".a" filename)
                                        (not (string-suffix? ".dll.a" filename))))
                                "\\.a$"))))))
         (add-after 'install 'move-extra-documentation
           (lambda _
             ;; Move man pages and full HTML documentation to "doc".
             (let* ((out #$output)
                    (man (string-append out "/share/man"))
                    (html (string-append out "/share/doc/openssl"))
                    (doc #$output:doc)
                    (man-target (string-append doc "/share/man"))
                    (html-target (string-append doc "/share/doc/openssl")))
               (mkdir-p (dirname man-target))
               (mkdir-p (dirname html-target))
               (rename-file man man-target)
               (rename-file html html-target))))
         (add-after
          'install 'remove-miscellany
          (lambda _
            ;; The 'misc' directory contains random undocumented shell and Perl
            ;; scripts. Remove them to avoid retaining a reference on Perl.
            (delete-file-recursively (string-append #$output "/share/openssl-"
                                                    #$(package-version this-package)
                                                    "/misc")))))))
    ;; Unlike GnuTLS above (compiled-in trust directory), OpenSSL locates
    ;; its trust store through these environment variables.
    (native-search-paths
     (list $SSL_CERT_DIR $SSL_CERT_FILE))
    (synopsis "SSL/TLS implementation")
    (description
     "OpenSSL is an implementation of SSL/TLS.")
    (license license:openssl)
    (home-page "https://www.openssl.org/")))
cc2b77df 589
;; Grafted security update for 'openssl-1.1': a later point release of the
;; same 1.1.1 series, so it is ABI-compatible and is substituted into
;; dependents without rebuilding them.  'replacement' is an innate field of
;; the package record, so it is not inherited and this package does not
;; point back at itself.  The name is restated so the graft keeps the same
;; package name as what it replaces.
(define openssl/fixed
  (package
    (inherit openssl-1.1)
    (name "openssl")
    (version "1.1.1q")
    (source (origin
              (method url-fetch)
              ;; Same source layout as 'openssl-1.1'; only the version and
              ;; hash differ.
              (uri (list (string-append "https://www.openssl.org/source/openssl-"
                                        version ".tar.gz")
                         (string-append "ftp://ftp.openssl.org/source/"
                                        "openssl-" version ".tar.gz")
                         (string-append "ftp://ftp.openssl.org/source/old/"
                                        (string-trim-right version char-set:letter)
                                        "/openssl-" version ".tar.gz")))
              (patches (search-patches "openssl-1.1-c-rehash-in.patch"))
              (sha256
               (base32
                "1jhhzp4gh6ymidxm1ckjk948l583awp0w3y2nvqdz7022kk9r4yp"))))))
1402c6ab 608
;; OpenSSL 3.0 series.  Not the default 'openssl' (see the alias below), and
;; no 'replacement' is declared, so a security update to this variant means
;; a version bump and a rebuild of its dependents.
(define-public openssl-3.0
  (package
    (inherit openssl-1.1)
    (version "3.0.5")
    (source (origin
              (method url-fetch)
              (uri (list (string-append "https://www.openssl.org/source/openssl-"
                                        version ".tar.gz")
                         (string-append "ftp://ftp.openssl.org/source/"
                                        "openssl-" version ".tar.gz")
                         (string-append "ftp://ftp.openssl.org/source/old/"
                                        (string-trim-right version char-set:letter)
                                        "/openssl-" version ".tar.gz")))
              ;; 3.0 needs its own version of the c_rehash patch.
              (patches (search-patches "openssl-3.0-c-rehash-in.patch"))
              (sha256
               (base32
                "0yja085lygkdxbf4k4rckkj9r24p8dgix8avqljnbbbixydqszda"))))
    (arguments
     (substitute-keyword-arguments (package-arguments openssl-1.1)
       ((#:phases phases '%standard-phases)
        #~(modify-phases #$phases
            ;; Judging by the variable name, HASHBANGPERL is the interpreter
            ;; written into installed Perl scripts; pointing it at the
            ;; build-time perl avoids a bare "/usr/bin/perl" shebang.  The
            ;; inherited '#:disallowed-references' on perl still applies and
            ;; 'remove-miscellany' deletes the scripts that would carry the
            ;; reference — TODO confirm the patched c_rehash does not.
            (add-before 'configure 'configure-perl
              (lambda* (#:key native-inputs inputs #:allow-other-keys)
                (setenv "HASHBANGPERL"
                        (search-input-file (or native-inputs inputs)
                                           "/bin/perl"))))))))
    ;; 3.0 is Apache-2.0 licensed, unlike the 1.1 series.
    (license license:asl2.0)))
636
;; The unversioned 'openssl' is still the 1.1 series (with its graft);
;; packages that want 3.0 must name 'openssl-3.0' explicitly.
(define-public openssl openssl-1.1)
638
(define-public bearssl
  (package
    (name "bearssl")
    (version "0.6")
    (source (origin
              (method url-fetch)
              ;; Upstream tarball over HTTPS; pinned by the sha256 below.
              (uri (string-append "https://www.bearssl.org/"
                                  "bearssl-" version ".tar.gz"))
              (sha256
               (base32
                "057zhgy9w4y8z2996r0pq5k2k39lpvmmvz4df8db8qa9f6hvn1b7"))))
    (build-system gnu-build-system)
    (arguments
     (list
      ;; Plain Makefile build; the C compiler doubles as the linker, and
      ;; 'cc-for-target' keeps that correct when cross-compiling.
      #:make-flags
      #~(list #$(string-append "CC=" (cc-for-target))
              #$(string-append "LD=" (cc-for-target))
              #$(string-append "LDDLL=" (cc-for-target)))
      #:phases
      #~(modify-phases %standard-phases
          (delete 'configure) ;no configure script
          ;; The default check phase is replaced by running the two test
          ;; binaries from the build directory (crypto primitives and
          ;; X.509, judging by their names).
          (replace 'check
            (lambda* (#:key tests? #:allow-other-keys)
              (when tests?
                (with-directory-excursion "build"
                  (invoke "./testcrypto" "all")
                  (invoke "./testx509")))))
          ;; Hand-rolled install: the CLI, headers, license text and the
          ;; shared library only.  Nothing installs a static archive or a
          ;; pkg-config file.
          (replace 'install ;no install rule
            (lambda _
              (let* ((out #$output)
                     (bin (string-append out "/bin"))
                     (doc (string-append out "/share/doc/" #$name "-" #$version))
                     (lib (string-append out "/lib"))
                     (include (string-append out "/include")))
                (install-file "build/brssl" bin)
                (for-each (lambda (f) (install-file f include))
                          (find-files "inc" "\\.h$"))
                (install-file "LICENSE.txt" doc)
                (install-file "build/libbearssl.so" lib)))))))
    (home-page "https://bearssl.org/")
    (synopsis "Small SSL/TLS library")
    (description "BearSSL is an implementation of the SSL/TLS
protocol (RFC 5246) written in C. It aims at being correct and
secure. In particular, insecure protocol versions and choices of
algorithms are not supported, by design; cryptographic algorithm
implementations are constant-time by default. It should also be
small, both in RAM and code footprint. For instance, a minimal server
implementation may fit in about 20 kilobytes of compiled code and 25
kilobytes of RAM.")
    (license license:expat)))
689
(define-public libressl
  (package
    (name "libressl")
    (version "3.3.6")
    (source (origin
              (method url-fetch)
              ;; OpenBSD mirror; the sha256 below pins the tarball.
              (uri (string-append "mirror://openbsd/LibreSSL/"
                                  "libressl-" version ".tar.gz"))
              (sha256
               (base32
                "16jbzqj9wy2z10x8ppx63idw44k0d3wly0grpar0s6g1cn9q8a1z"))))
    (build-system gnu-build-system)
    (arguments
     `(#:configure-flags
       (list
        ;; Do as if 'getentropy' were missing: Linux kernels before 3.17 lack its
        ;; underlying 'getrandom' system call and ENOSYS isn't properly handled.
        ;; See <https://lists.gnu.org/archive/html/guix-devel/2017-04/msg00235.html>.
        ;; NOTE(review): this forces LibreSSL's portable entropy fallback on
        ;; every kernel, not only pre-3.17 ones.  Re-evaluate now that
        ;; getrandom(2) is ubiquitous, and check what that fallback reads.
        "ac_cv_func_getentropy=no"
        ;; FIXME It's using it's own bundled certificate, instead it should
        ;; behave like OpenSSL by using environment variables.
        ;; Consequence: no 'native-search-paths' are declared for this
        ;; package, so SSL_CERT_DIR/SSL_CERT_FILE (honoured by 'openssl'
        ;; above) do not steer LibreSSL; it presumably trusts the bundle
        ;; shipped under the directory below.
        (string-append "--with-openssldir=" (assoc-ref %outputs "out")
                       "/share/libressl-"
                       ,(package-version this-package))
        ;; Provide a TLS-enabled netcat.
        "--enable-nc")))
    (properties
     `((release-monitoring-url . "https://ftp.openbsd.org/pub/OpenBSD/LibreSSL/")))
    (home-page "https://www.libressl.org/")
    (synopsis "SSL/TLS implementation")
    (description "LibreSSL is a version of the TLS/crypto stack, forked from
OpenSSL in 2014 with the goals of modernizing the codebase, improving security,
and applying best practice development processes. This package also includes a
netcat implementation that supports TLS.")
    ;; Files taken from OpenSSL keep their license, others are under various
    ;; non-copyleft licenses.
    (license (list license:openssl
                   (license:non-copyleft
                    "file://COPYING"
                    "See COPYING in the distribution.")))))
730
;; ACME client library, developed in the certbot repository; 'certbot' below
;; takes its version from this package and reuses its build phases.
(define-public python-acme
  (package
    (name "python-acme")
    ;; Remember to update the hash of certbot when updating python-acme.
    (version "1.28.0")
    (source (origin
              (method url-fetch)
              ;; sdist from PyPI, pinned by the sha256 below.
              (uri (pypi-uri "acme" version))
              (sha256
               (base32
                "12fmw4g63pzbrmmrkk6hgg0k5px6jyx3scv9fmn60h21387jv0hz"))))
    (build-system python-build-system)
    (arguments
     `(#:phases
       (modify-phases %standard-phases
         ;; Build the man page and Info manual with Sphinx after the Python
         ;; build.
         (add-after 'build 'build-documentation
           (lambda _
             (invoke "make" "-C" "docs" "man" "info")))
         (add-after 'install 'install-documentation
           (lambda* (#:key outputs #:allow-other-keys)
             (let* ((out (assoc-ref outputs "out"))
                    (man (string-append out "/share/man/man1"))
                    ;; NOTE(review): this is OUT/info, not OUT/share/info;
                    ;; confirm Info readers find it.  'certbot' mirrors it.
                    (info (string-append out "/info")))
               (install-file "docs/_build/texinfo/acme-python.info" info)
               (install-file "docs/_build/man/acme-python.1" man))))
         ;; Run the suite with pytest unless tests are disabled.
         (replace 'check
           (lambda* (#:key tests? #:allow-other-keys)
             (when tests?
               (invoke "pytest" "-vv")))))))
    (native-inputs
     (list python-pytest
           ;; For documentation
           python-sphinx
           python-sphinxcontrib-programoutput
           python-sphinx-rtd-theme
           texinfo))
    (propagated-inputs
     ;; Runtime dependencies (propagated, as is usual for Python packages).
     (list python-chardet
           python-josepy
           python-requests
           python-requests-toolbelt
           python-pytz
           python-pyrfc3339
           python-pyasn1
           python-cryptography
           python-pyopenssl))
    (home-page "https://github.com/certbot/certbot")
    (synopsis "ACME protocol implementation in Python")
    ;; NOTE(review): the description merely repeats the synopsis; it should
    ;; at least say this is the client library shared with certbot.
    (description "ACME protocol implementation in Python")
    (license license:asl2.0)))
781
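;; Certbot: the ACME client that obtains and installs certificates.  It is
;; built on top of 'python-acme' and shares that package's version and
;; build phases.
(define-public certbot
  (package
    (name "certbot")
    ;; Certbot and python-acme are developed in the same repository, and their
    ;; versions should remain synchronized.
    (version (package-version python-acme))
    (source (origin
              (method url-fetch)
              ;; sdist from PyPI, pinned by the sha256 below; update it
              ;; together with python-acme's.
              (uri (pypi-uri "certbot" version))
              (sha256
               (base32
                "0p4cpakx1kc8lczlgxqryr2asnyrvw6p5wmkamkjqdsf3z7xhm2b"))))
    (build-system python-build-system)
    (arguments
     ;; Reuse python-acme's phases (documentation build, pytest check) and
     ;; only swap the documentation install step: certbot ships an extra
     ;; section 7 man page and a differently named Info manual.
     ;; 'substitute-keyword-arguments' already yields the argument list, so
     ;; it is used directly instead of being spliced into a fresh list.
     (substitute-keyword-arguments (package-arguments python-acme)
       ((#:phases phases)
        `(modify-phases ,phases
           (replace 'install-documentation
             (lambda* (#:key outputs #:allow-other-keys)
               (let* ((out (assoc-ref outputs "out"))
                      (man1 (string-append out "/share/man/man1"))
                      (man7 (string-append out "/share/man/man7"))
                      ;; NOTE(review): OUT/info rather than OUT/share/info,
                      ;; mirroring python-acme; confirm Info readers find
                      ;; it before changing both.
                      (info (string-append out "/info")))
                 ;; Phases no longer need to return #t (the other phases in
                 ;; this file omit it).
                 (install-file "docs/_build/texinfo/Certbot.info" info)
                 (install-file "docs/_build/man/certbot.1" man1)
                 (install-file "docs/_build/man/certbot.7" man7)))))))
    (native-inputs
     (list python-mock
           python-pytest
           ;; For documentation
           python-sphinx
           python-sphinx-rtd-theme
           python-sphinx-repoze-autointerface
           python-sphinxcontrib-programoutput
           texinfo))
    (propagated-inputs
     ;; Runtime dependencies (propagated, as is usual for Python packages).
     (list python-acme
           python-cryptography
           python-zope-interface
           python-pyrfc3339
           python-pyopenssl
           python-configobj
           python-configargparse
           python-distro
           python-zope-component
           python-parsedatetime
           python-psutil
           python-requests
           python-pytz))
    (synopsis "Let's Encrypt client by the Electronic Frontier Foundation")
    (description "Certbot automatically receives and installs X.509 certificates
to enable Transport Layer Security (TLS) on servers. It interoperates with the
Let’s Encrypt certificate authority (CA), which issues browser-trusted
certificates for free.")
    (home-page "https://certbot.eff.org/")
    (license license:asl2.0)))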
;; Compatibility alias: ‘letsencrypt’ is presumably the historical name of
;; certbot.  Installing it yields certbot itself, and the ‘superseded’
;; property lets Guix point users at the current name.
(define-public letsencrypt
  (package
    (inherit certbot)
    (properties `((superseded . ,certbot)))
    (name "letsencrypt")))
(define-public perl-net-ssleay
  (package
    (name "perl-net-ssleay")
    (version "1.92")
    (home-page "https://metacpan.org/release/Net-SSLeay")
    (source
     (origin
       (method url-fetch)
       (uri (string-append "mirror://cpan/authors/id/C/CH/CHRISN/Net-SSLeay-"
                           version ".tar.gz"))
       (sha256
        (base32 "1acnjd5180dca26dmjq0b9ib0dbavlrzd6fnf4nidrzj02rz5hj7"))))
    (build-system perl-build-system)
    (inputs (list openssl))
    (arguments
     `(#:phases
       (modify-phases %standard-phases
         ;; Tell Makefile.PL where OpenSSL lives so the XS code is linked
         ;; against the exact library from our inputs rather than whatever
         ;; its own probing might otherwise find.
         (add-before 'configure 'set-ssl-prefix
           (lambda* (#:key inputs #:allow-other-keys)
             (let ((openssl-dir (assoc-ref inputs "openssl")))
               (setenv "OPENSSL_PREFIX" openssl-dir)
               #t))))))
    (synopsis "Perl extension for using OpenSSL")
    (description
     "This module offers some high level convenience functions for accessing
web pages on SSL servers (for symmetry, the same API is offered for accessing
http servers, too), an sslcat() function for writing your own clients, and
finally access to the SSL api of the SSLeay/OpenSSL package so you can write
servers or clients for more complicated applications.")
    (license license:perl-license)))
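(define-public perl-crypt-openssl-rsa
  (package
    (name "perl-crypt-openssl-rsa")
    (version "0.31")
    (source
     (origin
       (method url-fetch)
       (uri (string-append
             "mirror://cpan/authors/id/T/TO/TODDR/Crypt-OpenSSL-RSA-"
             version ".tar.gz"))
       (sha256
        (base32 "0djl5i6kibl7862b6ih29q8dhg5zpwzq77q9j8hp6xngshx40ws1"))))
    (build-system perl-build-system)
    ;; Crypt::OpenSSL::Guess is only used by Makefile.PL to locate the
    ;; OpenSSL include path, so it is a build-time dependency only.
    (native-inputs
     (list perl-crypt-openssl-guess))
    (inputs
     (list perl-crypt-openssl-bignum perl-crypt-openssl-random openssl))
    ;; Shared phase that pins -lcrypto to the OpenSSL from the inputs.
    (arguments perl-crypt-arguments)
    (home-page "https://metacpan.org/release/Crypt-OpenSSL-RSA")
    ;; Fixed capitalisation of the project name ("openSSL" -> "OpenSSL").
    (synopsis "RSA encoding and decoding, using the OpenSSL libraries")
    (description "Crypt::OpenSSL::RSA does RSA encoding and decoding (using the
OpenSSL libraries).")
    (license license:perl-license)))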
;; Build arguments shared by the perl-crypt-openssl-* packages.  Whatever
;; 'LIBS' entry the module's Makefile.PL carries is replaced so that
;; libcrypto is taken from the OpenSSL in the package inputs rather than
;; from a path the module would discover on its own.  This keeps the XS
;; code linked against the store's OpenSSL, i.e. the one Guix can update.
(define perl-crypt-arguments
  `(#:phases (modify-phases %standard-phases
               (add-before 'configure 'patch-Makefile.PL
                 (lambda* (#:key inputs #:allow-other-keys)
                   ;; The regexp swallows the rest of the 'LIBS' => ... line,
                   ;; so the whole entry is rewritten, not just its value.
                   (substitute* "Makefile.PL"
                     (("'LIBS'.*=>.*") (string-append "'LIBS' => ['-L"
                                                      (assoc-ref inputs "openssl")
                                                      "/lib -lcrypto'],")))
                   #t)))))
(define-public perl-crypt-openssl-bignum
  (package
    (name "perl-crypt-openssl-bignum")
    (version "0.09")
    (home-page "https://metacpan.org/release/Crypt-OpenSSL-Bignum")
    (source
     (origin
       (method url-fetch)
       (uri (string-append
             "mirror://cpan/authors/id/K/KM/KMX/Crypt-OpenSSL-Bignum-"
             version ".tar.gz"))
       (sha256
        (base32 "1p22znbajq91lbk2k3yg12ig7hy5b4vy8igxwqkmbm4nhgxp4ki3"))))
    (build-system perl-build-system)
    ;; Links against libcrypto from our OpenSSL; see perl-crypt-arguments.
    (arguments perl-crypt-arguments)
    (inputs (list openssl))
    (synopsis
     "OpenSSL's multiprecision integer arithmetic in Perl")
    (description "Crypt::OpenSSL::Bignum provides multiprecision integer
arithmetic in Perl.")
    ;; At your option either gpl1+ or the Artistic License
    (license license:perl-license)))
(define-public perl-crypt-openssl-guess
  (package
    (name "perl-crypt-openssl-guess")
    (version "0.11")
    (home-page "https://metacpan.org/release/Crypt-OpenSSL-Guess")
    (source
     (origin
       (method url-fetch)
       (uri (string-append
             "mirror://cpan/authors/id/A/AK/AKIYM/Crypt-OpenSSL-Guess-"
             version ".tar.gz"))
       (sha256
        (base32 "0rvi9l4ljcbhwwvspq019nfq2h2v746dk355h2nwnlmqikiihsxa"))))
    ;; Pure-Perl helper used at build time by the other Crypt::OpenSSL
    ;; modules; it has no OpenSSL input of its own.
    (build-system perl-build-system)
    (synopsis "Guess the OpenSSL include path")
    (description
     "The Crypt::OpenSSL::Guess Perl module provides helpers to guess the
correct OpenSSL include path.  It is intended for use in your
@file{Makefile.PL}.")
    (license license:perl-license)))
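(define-public perl-crypt-openssl-random
  (package
    (name "perl-crypt-openssl-random")
    (version "0.15")
    (source
     (origin
       (method url-fetch)
       (uri (string-append
             "mirror://cpan/authors/id/R/RU/RURBAN/Crypt-OpenSSL-Random-"
             version ".tar.gz"))
       (sha256
        (base32 "1x6ffps8q7mnawmcfq740llzy7i10g3319vap0wiw4d33fm6z1zh"))))
    (build-system perl-build-system)
    (native-inputs
     (list perl-crypt-openssl-guess))
    (inputs
     (list openssl))
    ;; The module only exposes the library's PRNG (per the description), so
    ;; its output is exactly as good as the linked libcrypto; the shared
    ;; arguments pin that libcrypto to our OpenSSL.
    (arguments perl-crypt-arguments)
    (home-page "https://metacpan.org/release/Crypt-OpenSSL-Random")
    (synopsis
     "OpenSSL/LibreSSL pseudo-random number generator access")
    ;; Fixed article ("a" -> "an") and added the missing final period.
    (description "Crypt::OpenSSL::Random is an OpenSSL/LibreSSL pseudo-random
number generator.")
    (license license:perl-license)))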
(define-public acme-client
  (package
    (name "acme-client")
    (version "0.1.16")
    (source (origin
              (method url-fetch)
              (uri (string-append "https://kristaps.bsd.lv/" name "/"
                                  "snapshots/" name "-portable-"
                                  version ".tgz"))
              (sha256
               (base32
                "00q05b3b1dfnfp7sr1nbd212n0mqrycl3cr9lbs51m7ncaihbrz9"))))
    (build-system gnu-build-system)
    (arguments
     '(#:tests? #f                      ; no test suite
       #:make-flags
       (list "CC=gcc"
             (string-append "PREFIX=" (assoc-ref %outputs "out")))
       #:phases
       (modify-phases %standard-phases
         ;; http.c refers to /etc/ssl/cert.pem, presumably the CA bundle used
         ;; to verify the ACME server's TLS certificate.  Replace it with the
         ;; cert.pem found among the inputs (presumably libressl's), which
         ;; means the trust store is a fixed store path baked in at build
         ;; time: the system-wide /etc/ssl/cert.pem is not consulted for this
         ;; reference, and updating the CA set requires rebuilding the
         ;; package.
         (add-after 'unpack 'patch-paths
           (lambda* (#:key inputs #:allow-other-keys)
             (let ((pem (search-input-file inputs "/etc/ssl/cert.pem")))
               (substitute* "http.c"
                 (("/etc/ssl/cert.pem") pem))
               #t)))
         (delete 'configure))))         ; no './configure' script
    (native-inputs
     (list pkg-config))
    (inputs
     (list libbsd libressl))
    (synopsis "Let's Encrypt client by the OpenBSD project")
    (description "acme-client is a Let's Encrypt client implemented in C.  It
uses a modular design, and attempts to secure itself by dropping privileges and
operating in a chroot where possible.  acme-client is developed on OpenBSD and
then ported to the GNU / Linux environment.")
    (home-page "https://kristaps.bsd.lv/acme-client/")
    ;; acme-client is distributed under the ISC license, but the files 'jsmn.h'
    ;; and 'jsmn.c' are distributed under the Expat license.
    (license (list license:isc license:expat))))
;; The "-apache" variant is the one preferred upstream.  A "-gpl" variant
;; exists in addition to the "-apache" one.
(define-public mbedtls-apache
  (package
    (name "mbedtls-apache")
    ;; XXX Check whether ‘-Wformat-signedness’ still breaks mbedtls-for-hiawatha
    ;; when updating.
    (version "2.26.0")
    (home-page "https://www.trustedfirmware.org/projects/mbed-tls/")
    (source
     (origin
       (method git-fetch)
       (uri (git-reference
             (url "https://github.com/ARMmbed/mbedtls")
             (commit (string-append "mbedtls-" version))))
       (file-name (git-file-name name version))
       (sha256
        (base32 "0scwpmrgvg6q7rvqkc352d2fqlsx0aylcbyibcp1f1rsn8iiif2m"))
       (modules '((guix build utils)))
       (snippet
        '(begin
           ;; Can be removed with the next version.
           ;; Reduce level of format truncation warnings due to false positives.
           ;; https://github.com/ARMmbed/mbedtls/commit/2065a8d8af27c6cb1e40c9462b5933336dca7434
           (substitute* "CMakeLists.txt"
             (("Wformat-truncation=2") "Wformat-truncation"))
           #t))))
    (build-system cmake-build-system)
    (native-inputs
     (list perl python))
    (arguments
     `(#:configure-flags
       (list "-DUSE_SHARED_MBEDTLS_LIBRARY=ON"
             "-DUSE_STATIC_MBEDTLS_LIBRARY=OFF")
       #:phases
       (modify-phases %standard-phases
         ;; Presumably the checkout arrives read-only; later steps (and the
         ;; config edits done by derived packages) need to modify it in place.
         (add-after 'unpack 'make-source-writable
           (lambda _
             (for-each make-file-writable (find-files "."))
             #t)))))
    (synopsis "Small TLS library")
    (description
     "@code{mbed TLS}, formerly known as PolarSSL, makes it trivially easy
for developers to include cryptographic and SSL/TLS capabilities in their
(embedded) products, facilitating this functionality with a minimal
coding footprint.")
    (license license:asl2.0)))
;; The Hiawatha Web server requires some specific features to be enabled.
;; Hidden variant: same source and flags as mbedtls-apache, but with the
;; pthread-based threading layer switched on via the upstream config script
;; before CMake runs.
(define-public mbedtls-for-hiawatha
  (hidden-package
   (package
     (inherit mbedtls-apache)
     (arguments
      (substitute-keyword-arguments (package-arguments mbedtls-apache)
        ((#:phases phases)
         `(modify-phases ,phases
            (add-before 'configure 'configure-extra-features
              (lambda _
                (for-each (lambda (feature)
                            (invoke "scripts/config.pl" "set" feature))
                          (list "MBEDTLS_THREADING_C"
                                "MBEDTLS_THREADING_PTHREAD"))
                ;; XXX The above enables code that breaks with -Werror…
                ;; Only the warning flag is dropped here; the build still
                ;; runs with whatever other -W flags CMakeLists.txt sets.
                (substitute* "CMakeLists.txt"
                  ((" -Wformat-signedness") ""))
                #t)))))))))
(define-public dehydrated
  (package
    (name "dehydrated")
    (version "0.7.0")
    (source (origin
              (method url-fetch)
              (uri (string-append
                    "https://github.com/dehydrated-io/dehydrated/releases/download/"
                    "v" version "/dehydrated-" version ".tar.gz"))
              (sha256
               (base32
                "1yf4kldyd5y13r6qxrkcbbk74ykngq7jzy0351vb2r3ywp114pqw"))))
    ;; Upstream is a single Bash script with no build system, so the tarball
    ;; is unpacked and installed by hand below.
    (build-system trivial-build-system)
    (arguments
     `(#:modules ((guix build utils)
                  (srfi srfi-26))
       #:builder
       (begin
         (use-modules (guix build utils)
                      (srfi srfi-26))
         (let* ((source (assoc-ref %build-inputs "source"))
                (tar (assoc-ref %build-inputs "tar"))
                (gz (assoc-ref %build-inputs "gzip"))
                (out (assoc-ref %outputs "out"))
                (bin (string-append out "/bin"))
                (doc (string-append out "/share/doc/" ,name "-" ,version))
                (man (string-append out "/share/man"))
                (bash (in-vicinity (assoc-ref %build-inputs "bash") "bin")))

           ;; tar needs gzip on PATH to decompress the release tarball.
           (setenv "PATH" (string-append gz "/bin"))
           (invoke (string-append tar "/bin/tar") "xvf" source)
           (chdir (string-append ,name "-" ,version))

           (copy-recursively "docs" doc)
           (install-file "LICENSE" doc)

           ;; The man page ships under docs/man; move it to the standard
           ;; location and compress everything there.
           (mkdir-p man)
           (rename-file (string-append doc "/man")
                        (string-append man "/man1"))
           (for-each (cut invoke "gzip" "-9" <>)
                     (find-files man ".*"))

           (install-file "dehydrated" bin)
           (with-directory-excursion bin
             (patch-shebang "dehydrated" (list bash))

             ;; Do not try to write to the store.  SCRIPTDIR is where the
             ;; script keeps its state (presumably config, account key and
             ;; issued certificates/keys — verify against the script), so it
             ;; is redirected to a per-user directory.  Private key material
             ;; therefore lives under the invoking user's home; that
             ;; directory's permissions are the only thing protecting it.
             (substitute* "dehydrated"
               (("SCRIPTDIR=\"\\$.*\"") "SCRIPTDIR=~/.dehydrated"))

             ;; wrap-program needs a shell on PATH to write the wrapper.  The
             ;; wrapper *prefixes* PATH with the store directories of every
             ;; external tool the script shells out to (including openssl and
             ;; curl), so those pinned versions win over anything earlier in
             ;; the caller's PATH.
             (setenv "PATH" bash)
             (wrap-program "dehydrated"
               `("PATH" ":" prefix
                 ,(map (lambda (dir)
                         (string-append dir "/bin"))
                       (map (lambda (input)
                              (assoc-ref %build-inputs input))
                            '("coreutils"
                              "curl"
                              "diffutils"
                              "gawk"
                              "grep"
                              "openssl"
                              "sed"))))))
           #t))))
    (inputs
     (list bash
           coreutils
           curl
           diffutils
           gawk
           grep
           openssl
           sed))
    (native-inputs
     (list gzip tar))
    ;; The following definition is copied from the cURL package to prevent a
    ;; cycle between the curl and tls modules.  It lets a CA bundle installed
    ;; in the user's profile (e.g. from nss-certs) be found by the curl calls
    ;; the script makes; without one, the ACME server's certificate
    ;; presumably cannot be verified and those calls fail.
    (native-search-paths
     (list (search-path-specification
            (variable "CURL_CA_BUNDLE")
            (file-type 'regular)
            (separator #f)
            (files '("etc/ssl/certs/ca-certificates.crt")))))
    (home-page "https://dehydrated.io/")
    (synopsis "ACME client implemented as a shell script")
    (description "Dehydrated is a client for obtaining certificates from an
ACME server (such as Let's Encrypt) implemented as a relatively simple Bash
script.")
    (license license:expat)))
(define-public go-github-com-certifi-gocertifi
  (let ((commit "a5e0173ced670013bfb649c7e806bc9529c986ec")
        (revision "1"))
    (package
      (name "go-github-com-certifi-gocertifi")
      (version (git-version "2018.01.18" revision commit))
      (home-page "https://certifi.io")
      (source
       (origin
         (method git-fetch)
         (uri (git-reference
               (url "https://github.com/certifi/gocertifi")
               (commit commit)))
         (file-name (git-file-name name version))
         (sha256
          (base32 "1n9drccl3q1rr8wg3nf60slkf1lgsmz5ahifrglbdrc6har3rryj"))))
      (build-system go-build-system)
      (arguments
       '(#:import-path "github.com/certifi/gocertifi"))
      ;; Security note: this is a point-in-time snapshot (2018-01-18) of
      ;; Mozilla's root store, compiled into any Go program that uses it.
      ;; Roots that Mozilla has added or distrusted since that date are not
      ;; reflected, so dependents carry a frozen trust-anchor set until this
      ;; commit is bumped.  Prefer the system trust store where the
      ;; application allows it.
      (synopsis "X.509 TLS root certificate bundle for Go")
      (description "This package is a Go language X.509 TLS root certificate bundle,
derived from Mozilla's collection.")
      (license license:mpl2.0))))
(define-public s2n
  (package
    (name "s2n")
    ;; Update only when updating aws-crt-cpp.
    (version "1.3.10")
    (home-page "https://github.com/aws/s2n-tls")
    (source
     (origin
       (method git-fetch)
       (uri (git-reference
             (url "https://github.com/aws/s2n-tls")
             (commit (string-append "v" version))))
       (file-name (git-file-name name version))
       (sha256
        (base32 "15fr6zwglw74x5qd090752kqn7n3cyi4gmz94ip45g3hflschxd3"))))
    (build-system cmake-build-system)
    ;; Only x86_64 is declared, presumably tied to the aws-lc backend.
    (supported-systems '("x86_64-linux"))
    ;; The cryptographic backend is aws-lc; propagated so that dependents of
    ;; s2n see it as well.
    (propagated-inputs (list aws-lc))
    (arguments
     '(#:configure-flags
       '("-DBUILD_SHARED_LIBS=ON"
         ;; Remove in next update; see https://github.com/aws/s2n-tls/pull/3108
         ;; Building with 'Werror' results in compilation error (even building
         ;; with gcc) when replacing the aws-lc input with openssl.
         "-DUNSAFE_TREAT_WARNINGS_AS_ERRORS=OFF")))
    (synopsis "SSL/TLS implementation in C99")
    (description
     "This library provides a C99 implementation of SSL/TLS.  It is designed to
be familiar to users of the widely-used POSIX I/O APIs.  It supports blocking,
non-blocking, and full-duplex I/O.  There are no locks or mutexes.

As it can be difficult to keep track of which encryption algorithms and
protocols are best to use, s2n-tls features a simple API to use the latest
default set of preferences.  Remaining on a specific version for backwards
compatibility is also supported.")
    (license license:asl2.0)))
(define-public wolfssl
  (package
    (name "wolfssl")
    (version "4.8.1")
    (home-page "https://www.wolfssl.com/")
    (source
     (origin
       (method git-fetch)
       ;; Stable releases are tagged vX.Y.Z-stable upstream.
       (uri (git-reference
             (url "https://github.com/wolfSSL/wolfssl")
             (commit (string-append "v" version "-stable"))))
       (file-name (git-file-name name version))
       (sha256
        (base32 "0w5pd40j6h4j2f0b7c2n1n979y9qk8aln3ss2gb0jfsid1hrmx5k"))))
    (build-system gnu-build-system)
    (native-inputs
     (list autoconf automake libtool))
    (arguments
     '(#:configure-flags
       '("--enable-reproducible-build")))
    (synopsis "SSL/TLS implementation")
    (description "The wolfSSL embedded SSL library (formerly CyaSSL) is an
SSL/TLS library written in ANSI C and targeted for embedded, RTOS, and
resource-constrained environments - primarily because of its small size, speed,
and feature set.  wolfSSL supports industry standards up to the current TLS 1.3
and DTLS 1.2, is up to 20 times smaller than OpenSSL, and offers progressive
ciphers such as ChaCha20, Curve25519, NTRU, and Blake2b.")
    ;; XXX The original annotation here reads only ‘Audit’: the licence
    ;; choice has apparently not been re-verified.
    (license license:gpl2+)))
(define-public aws-lc
  (package
    (name "aws-lc")
    ;; Update only when updating aws-crt-cpp.
    (version "1.0.2")
    (home-page "https://github.com/awslabs/aws-lc")
    (source
     (origin
       (method git-fetch)
       (uri (git-reference
             (url (string-append "https://github.com/awslabs/" name))
             (commit (string-append "v" version))))
       (file-name (git-file-name name version))
       (sha256
        (base32 "16y4iy2rqrmb7b1c394wyq7a5vbjb41599524my6b6q1vk1pi307"))))
    (build-system cmake-build-system)
    (arguments
     '(#:configure-flags
       '("-DBUILD_SHARED_LIBS=ON")
       ;; Only the reduced ‘run_minimal_tests’ target is exercised; the full
       ;; upstream test suite is presumably not run at build time.
       #:test-target "run_minimal_tests"))
    (synopsis "General purpose cryptographic library")
    (description "AWS libcrypto (aws-lc) contains portable C implementations
of algorithms needed for TLS and common applications, and includes optimized
assembly versions for x86 and ARM.")
    (license license:asl2.0)))