Commit | Line | Data |
---|---|---|
233e7676 | 1 | ;;; GNU Guix --- Functional package management for GNU |
0fffcfa4 | 2 | ;;; Copyright © 2012-2017, 2019-2022 Ludovic Courtès <ludo@gnu.org> |
74e2c0e0 | 3 | ;;; Copyright © 2014, 2015, 2016, 2017, 2018, 2021 Mark H Weaver <mhw@netris.org> |
29a7c98a | 4 | ;;; Copyright © 2014 Ian Denhardt <ian@zenhack.net> |
cc2b77df | 5 | ;;; Copyright © 2013, 2015 Andreas Enge <andreas@enge.fr> |
9fd0838b | 6 | ;;; Copyright © 2015 David Thompson <davet@gnu.org> |
363fe99c | 7 | ;;; Copyright © 2015, 2016, 2017, 2018, 2019, 2020, 2021 Leo Famulari <leo@famulari.name> |
c591bb68 | 8 | ;;; Copyright © 2016, 2017, 2019, 2021, 2022 Efraim Flashner <efraim@flashner.co.il> |
3c986a7d | 9 | ;;; Copyright © 2016, 2017, 2018 Nikita <nikita@n0.is> |
375cef6c | 10 | ;;; Copyright © 2016 Hartmut Goebel <h.goebel@crazy-compilers.com> |
ee33f9a7 | 11 | ;;; Copyright © 2017 Ricardo Wurmus <rekado@elephly.net> |
2932c421 | 12 | ;;; Copyright © 2017-2022 Marius Bakke <marius@gnu.org> |
77e2df87 | 13 | ;;; Copyright © 2017–2021 Tobias Geerinckx-Rice <me@tobias.gr> |
fbf5ca3c | 14 | ;;; Copyright © 2017 Rutger Helling <rhelling@mykolab.com> |
e8b3a158 | 15 | ;;; Copyright © 2018 Clément Lassieur <clement@lassieur.org> |
bdcdd550 | 16 | ;;; Copyright © 2019 Mathieu Othacehe <m.othacehe@gmail.com> |
a9bcc647 | 17 | ;;; Copyright © 2020 Jan (janneke) Nieuwenhuizen <janneke@gnu.org> |
63858f8c | 18 | ;;; Copyright © 2020, 2021 Maxim Cournoyer <maxim.cournoyer@gmail.com> |
0b70eb03 | 19 | ;;; Copyright © 2021 Solene Rapenne <solene@perso.pw> |
76a9bad3 | 20 | ;;; Copyright © 2021 Brice Waegeneire <brice@waegenei.re> |
f64a35b9 | 21 | ;;; Copyright © 2021 Maxime Devos <maximedevos@telenet.be> |
2bb789f6 | 22 | ;;; Copyright © 2021 Matthew James Kraai <kraai@ftbfs.org> |
811b62d8 | 23 | ;;; Copyright © 2021 John Kehayias <john.kehayias@protonmail.com> |
a5a408c3 | 24 | ;;; Copyright © 2022 Greg Hogan <code@greghogan.com> |
7543f865 | 25 | ;;; |
233e7676 | 26 | ;;; This file is part of GNU Guix. |
7543f865 | 27 | ;;; |
233e7676 | 28 | ;;; GNU Guix is free software; you can redistribute it and/or modify it |
7543f865 LC |
29 | ;;; under the terms of the GNU General Public License as published by |
30 | ;;; the Free Software Foundation; either version 3 of the License, or (at | |
31 | ;;; your option) any later version. | |
32 | ;;; | |
233e7676 | 33 | ;;; GNU Guix is distributed in the hope that it will be useful, but |
7543f865 LC |
34 | ;;; WITHOUT ANY WARRANTY; without even the implied warranty of |
35 | ;;; MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the | |
36 | ;;; GNU General Public License for more details. | |
37 | ;;; | |
38 | ;;; You should have received a copy of the GNU General Public License | |
233e7676 | 39 | ;;; along with GNU Guix. If not, see <http://www.gnu.org/licenses/>. |
7543f865 | 40 | |
a7fd7b68 | 41 | (define-module (gnu packages tls) |
e9aa8d0c | 42 | #:use-module ((guix licenses) #:prefix license:) |
7543f865 LC |
43 | #:use-module (guix packages) |
44 | #:use-module (guix download) | |
ea22aa1f | 45 | #:use-module (guix git-download) |
29a7c98a | 46 | #:use-module (guix utils) |
7c0eaa1f | 47 | #:use-module (guix gexp) |
7543f865 | 48 | #:use-module (guix build-system gnu) |
ea22aa1f | 49 | #:use-module (guix build-system go) |
cc2b77df | 50 | #:use-module (guix build-system perl) |
7890e3ba | 51 | #:use-module (guix build-system python) |
88522738 | 52 | #:use-module (guix build-system cmake) |
e8b3a158 | 53 | #:use-module (guix build-system trivial) |
2200530b | 54 | #:use-module ((guix search-paths) #:select ($SSL_CERT_DIR $SSL_CERT_FILE)) |
f61e0e79 | 55 | #:use-module (gnu packages compression) |
013ce67b | 56 | #:use-module (gnu packages) |
363fe99c | 57 | #:use-module (gnu packages autotools) |
e8b3a158 | 58 | #:use-module (gnu packages bash) |
ac257f12 | 59 | #:use-module (gnu packages check) |
e8b3a158 | 60 | #:use-module (gnu packages curl) |
5b9aa107 | 61 | #:use-module (gnu packages dns) |
e8b3a158 | 62 | #:use-module (gnu packages gawk) |
1a244b78 | 63 | #:use-module (gnu packages gettext) |
1ffa7090 | 64 | #:use-module (gnu packages guile) |
a9bcc647 | 65 | #:use-module (gnu packages hurd) |
0581c273 | 66 | #:use-module (gnu packages libbsd) |
27e86bed | 67 | #:use-module (gnu packages libffi) |
866f469e | 68 | #:use-module (gnu packages libidn) |
5d4c90ae | 69 | #:use-module (gnu packages linux) |
7890e3ba | 70 | #:use-module (gnu packages ncurses) |
27e86bed | 71 | #:use-module (gnu packages nettle) |
e7ab9c33 | 72 | #:use-module (gnu packages networking) |
1ffa7090 | 73 | #:use-module (gnu packages perl) |
27e86bed | 74 | #:use-module (gnu packages pkg-config) |
7890e3ba | 75 | #:use-module (gnu packages python) |
cc6f4912 | 76 | #:use-module (gnu packages python-crypto) |
1b2f753d | 77 | #:use-module (gnu packages python-web) |
44d10b1f | 78 | #:use-module (gnu packages python-xyz) |
9d0c291e | 79 | #:use-module (gnu packages sphinx) |
a31f4d35 | 80 | #:use-module (gnu packages texinfo) |
33dc54b0 | 81 | #:use-module (gnu packages time) |
079f013b LC |
82 | #:use-module (gnu packages base) |
83 | #:use-module (srfi srfi-1)) | |
7543f865 LC |
84 | |
85 | (define-public libtasn1 | |
86 | (package | |
87 | (name "libtasn1") | |
ce98de1f | 88 | (version "4.17.0") |
7543f865 LC |
89 | (source |
90 | (origin | |
91 | (method url-fetch) | |
92 | (uri (string-append "mirror://gnu/libtasn1/libtasn1-" | |
93 | version ".tar.gz")) | |
94 | (sha256 | |
95 | (base32 | |
ce98de1f | 96 | "19a53i1ajs4dd8nnlr2i6gbzvla84ay71g3y1phvh8krx8f5brzc")))) |
7543f865 | 97 | (build-system gnu-build-system) |
d9f84612 MB |
98 | (arguments |
99 | `(#:configure-flags '("--disable-static"))) | |
8394619b | 100 | (native-inputs (list perl)) |
6fd52309 | 101 | (home-page "https://www.gnu.org/software/libtasn1/") |
f50d2669 | 102 | (synopsis "ASN.1 library") |
7543f865 | 103 | (description |
79c311b8 LC |
104 | "GNU libtasn1 is a library implementing the ASN.1 notation. It is used |
105 | for transmitting machine-neutral encodings of data objects in computer | |
a22dc0c4 LC |
106 | networking, allowing for formal validation of data according to some |
107 | specifications.") | |
e9aa8d0c | 108 | (license license:lgpl2.0+))) |
7543f865 | 109 | |
375cef6c HG |
110 | (define-public asn1c |
111 | (package | |
112 | (name "asn1c") | |
ff7da7e0 | 113 | (version "0.9.28") |
375cef6c HG |
114 | (source (origin |
115 | (method url-fetch) | |
116 | (uri (string-append "https://lionet.info/soft/asn1c-" | |
117 | version ".tar.gz")) | |
118 | (sha256 | |
119 | (base32 | |
ff7da7e0 | 120 | "1fc64g45ykmv73kdndr4zdm4wxhimhrir4rxnygxvwkych5l81w0")))) |
375cef6c HG |
121 | (build-system gnu-build-system) |
122 | (native-inputs | |
8394619b | 123 | (list perl)) |
375cef6c HG |
124 | (home-page "https://lionet.info/asn1c") |
125 | (synopsis "ASN.1 to C compiler") | |
126 | (description "The ASN.1 to C compiler takes ASN.1 module | |
127 | files and generates C++ compatible C source code. That code can be | |
128 | used to serialize the native C structures into compact and unambiguous | |
129 | BER/XER/PER-based data files, and deserialize the files back. | |
130 | ||
131 | Various ASN.1 based formats are widely used in the industry, such as to encode | |
132 | the X.509 certificates employed in the HTTPS handshake, to exchange control | |
133 | data between mobile phones and cellular networks, to car-to-car communication | |
134 | in intelligent transportation networks.") | |
135 | (license license:bsd-2))) | |
136 | ||
27e86bed AE |
137 | (define-public p11-kit |
138 | (package | |
139 | (name "p11-kit") | |
c84c0dbc | 140 | (version "0.23.22") |
27e86bed AE |
141 | (source |
142 | (origin | |
143 | (method url-fetch) | |
e6ad9bda | 144 | (uri (string-append "https://github.com/p11-glue/p11-kit/releases/" |
eae94df6 | 145 | "download/" version "/p11-kit-" version ".tar.xz")) |
27e86bed | 146 | (sha256 |
9ed46007 | 147 | (base32 "1dn6br4v033d3gp2max9lsr3y4q0nj6iyr1yq3kzi8ym7lal13wa")))) |
27e86bed AE |
148 | (build-system gnu-build-system) |
149 | (native-inputs | |
1a244b78 MO |
150 | `(,@(if (hurd-target?) |
151 | `(("autoconf" ,autoconf) | |
152 | ("automake" ,automake) | |
153 | ("gettext" ,gettext-minimal) ;for autopoint | |
154 | ("libtool" ,libtool)) | |
155 | '()) | |
156 | ("pkg-config" ,pkg-config))) | |
27e86bed AE |
157 | (inputs |
158 | `(("libffi" ,libffi) | |
1a244b78 MO |
159 | ,@(if (hurd-target?) |
160 | `(("libbsd" ,libbsd) | |
161 | ("hurd-patch" ,(search-patch "p11-kit-hurd.patch"))) | |
162 | '()) | |
27e86bed AE |
163 | ("libtasn1" ,libtasn1))) |
164 | (arguments | |
d5c472a2 MB |
165 | `(#:configure-flags '("--without-trust-paths") |
166 | #:phases (modify-phases %standard-phases | |
1a244b78 MO |
167 | ,@(if (hurd-target?) |
168 | '((add-after 'unpack 'apply-hurd-patch | |
169 | (lambda* (#:key inputs #:allow-other-keys) | |
170 | (let ((patch (assoc-ref inputs "hurd-patch"))) | |
171 | (invoke "patch" "-p1" "--batch" "-i" | |
172 | patch)))) | |
173 | (replace 'bootstrap | |
174 | (lambda _ | |
175 | (invoke "autoreconf" "-fiv")))) | |
176 | '()) | |
d5c472a2 MB |
177 | (add-before 'check 'prepare-tests |
178 | (lambda _ | |
179 | ;; "test-runtime" expects XDG_RUNTIME_DIR to be set up | |
180 | ;; and looks for .cache and other directories (only). | |
181 | ;; For simplicity just drop it since it is irrelevant | |
182 | ;; in the build container. | |
183 | (substitute* "Makefile" | |
184 | (("test-runtime\\$\\(EXEEXT\\)") "")) | |
185 | #t))))) | |
b0735c79 | 186 | (home-page "https://p11-glue.github.io/p11-glue/p11-kit.html") |
27e86bed AE |
187 | (synopsis "PKCS#11 library") |
188 | (description | |
189 | "p11-kit provides a way to load and enumerate PKCS#11 modules. It | |
190 | provides a standard configuration setup for installing PKCS#11 modules | |
191 | in such a way that they are discoverable. It also solves problems with | |
192 | coordinating the use of PKCS#11 by different components or libraries | |
193 | living in the same process.") | |
e9aa8d0c | 194 | (license license:bsd-3))) |
27e86bed | 195 | |
811b62d8 JK |
196 | (define-public p11-kit-next |
197 | (package | |
198 | (inherit p11-kit) | |
12fd5a86 | 199 | (version "0.24.1") |
811b62d8 JK |
200 | (source |
201 | (origin | |
202 | (method url-fetch) | |
203 | (uri (string-append "https://github.com/p11-glue/p11-kit/releases/" | |
204 | "download/" version "/p11-kit-" version ".tar.xz")) | |
205 | (sha256 | |
12fd5a86 | 206 | (base32 "1y5fm9gwhkh902r26p90qf1g2h1ziqrk4hgf9i9sxm2wzlz7ignq")))) |
b4d29851 LC |
207 | (arguments |
208 | ;; Use the default certificates so that users such as flatpak find them. | |
209 | ;; See <https://issues.guix.gnu.org/49957>. | |
210 | (substitute-keyword-arguments (package-arguments p11-kit) | |
211 | ((#:configure-flags flags ''()) | |
212 | ''("--with-trust-paths=/etc/ssl/certs/ca-certificates.crt")))))) | |
811b62d8 | 213 | |
7543f865 LC |
214 | (define-public gnutls |
215 | (package | |
216 | (name "gnutls") | |
63858f8c | 217 | (version "3.7.2") |
d7d408d5 | 218 | (source (origin |
51a365c1 | 219 | (method url-fetch) |
d7d408d5 LC |
220 | ;; Note: Releases are no longer on ftp.gnu.org since the |
221 | ;; schism (after version 3.1.5). | |
51a365c1 LC |
222 | (uri (string-append "mirror://gnupg/gnutls/v" |
223 | (version-major+minor version) | |
224 | "/gnutls-" version ".tar.xz")) | |
225 | (patches (search-patches "gnutls-skip-trust-store-test.patch" | |
69dde4e3 LC |
226 | "gnutls-cross.patch" |
227 | "gnutls-guile-eintr-eagain.patch")) | |
51a365c1 LC |
228 | (sha256 |
229 | (base32 | |
63858f8c | 230 | "0li7mwjnm64mbxhacz0rpf6i9qd83f53fvbrx96alpqqk9d6qvk4")))) |
7543f865 | 231 | (build-system gnu-build-system) |
b94ae0b8 | 232 | (arguments |
525a351e MO |
233 | `(#:tests? ,(not (or (%current-target-system) |
234 | (hurd-target?))) | |
e7ab9c33 LC |
235 | ;; Ensure we don't keep a reference to the tools used for testing. |
236 | #:disallowed-references ,(if (hurd-target?) | |
237 | '() | |
238 | (list net-tools iproute socat)) | |
76b21274 | 239 | #:configure-flags |
28a13226 | 240 | (cons* |
aa7c7f21 MW |
241 | ;; GnuTLS doesn't consult any environment variables to specify |
242 | ;; the location of the system-wide trust store. Instead it has a | |
243 | ;; configure-time option. Unless specified, its configure script | |
244 | ;; attempts to auto-detect the location by looking for common | |
8f65585b | 245 | ;; places in the file system, none of which are present in our |
aa7c7f21 MW |
246 | ;; chroot build environment. If not found, then no default trust |
247 | ;; store is used, so each program has to provide its own | |
248 | ;; fallback, and users have to configure each program | |
249 | ;; independently. This seems suboptimal. | |
866f469e MW |
250 | "--with-default-trust-store-dir=/etc/ssl/certs" |
251 | ||
7892edc2 MB |
252 | ;; Tell the build system that we want Guile bindings installed to |
253 | ;; the output instead of Guiles own module directory. | |
254 | (string-append "--with-guile-site-dir=" | |
255 | "$(datarootdir)/guile/site/$(GUILE_EFFECTIVE_VERSION)") | |
256 | (string-append "--with-guile-site-ccache-dir=" | |
257 | "$(libdir)/guile/$(GUILE_EFFECTIVE_VERSION)/site-ccache") | |
258 | (string-append "--with-guile-extension-dir=" | |
259 | "$(libdir)/guile/$(GUILE_EFFECTIVE_VERSION)/extensions") | |
260 | ||
28a13226 CB |
261 | (let ((system ,(or (%current-target-system) |
262 | (%current-system)))) | |
263 | (if (string-prefix? "mips64el" system) | |
264 | (list | |
265 | ;; FIXME: Temporarily disable p11-kit support since it is | |
266 | ;; not working on mips64el. | |
267 | "--without-p11-kit") | |
268 | '()))) | |
606c6380 LC |
269 | |
270 | #:phases (modify-phases %standard-phases | |
5cf6f6fe MC |
271 | ;; fastopen.sh fails to connect to the server in the builder |
272 | ;; environment (see: | |
273 | ;; https://gitlab.com/gnutls/gnutls/-/issues/1095). | |
274 | (add-after 'unpack 'disable-failing-tests | |
275 | (lambda _ | |
0b40d1a3 LC |
276 | (substitute* "tests/fastopen.sh" |
277 | (("^unset RETCODE") | |
63858f8c | 278 | "exit 77\n")))) ;skip |
5cf6f6fe | 279 | (add-after 'install 'move-doc |
606c6380 LC |
280 | (lambda* (#:key outputs #:allow-other-keys) |
281 | ;; Copy the 4.1 MiB of section 3 man pages to "doc". | |
282 | (let* ((out (assoc-ref outputs "out")) | |
283 | (doc (assoc-ref outputs "doc")) | |
9cdce047 | 284 | (mandir (string-append doc "/share/man/man3")) |
606c6380 LC |
285 | (oldman (string-append out "/share/man/man3"))) |
286 | (mkdir-p mandir) | |
287 | (copy-recursively oldman mandir) | |
63858f8c | 288 | (delete-file-recursively oldman))))))) |
606c6380 LC |
289 | (outputs '("out" ;4.4 MiB |
290 | "debug" | |
291 | "doc")) ;4.1 MiB of man pages | |
a1db0975 | 292 | (native-inputs |
51a365c1 LC |
293 | `(,@(if (%current-target-system) ;for cross-build |
294 | `(("guile" ,guile-3.0)) ;to create .go files | |
295 | '()) | |
296 | ,@(if (hurd-target?) | |
e7ab9c33 LC |
297 | '() |
298 | `(("net-tools" ,net-tools) | |
299 | ("iproute" ,iproute) ;for 'ss' | |
300 | ("socat" ,socat))) ;several tests rely on it | |
5d4c90ae | 301 | ("pkg-config" ,pkg-config) |
5cf6f6fe | 302 | ("texinfo" ,texinfo) |
ac83dc82 | 303 | ("which" ,which) |
01f07072 MC |
304 | ,@(if (hurd-target?) |
305 | '() | |
2d49f175 | 306 | `(("datefudge" ,datefudge))) ;tests rely on 'datefudge' |
971c8bb0 | 307 | ("util-linux" ,util-linux))) ;one test needs 'setsid' |
7543f865 | 308 | (inputs |
8394619b | 309 | (list guile-3.0)) |
7543f865 | 310 | (propagated-inputs |
d2fcfd3d | 311 | ;; These are all in the 'Requires.private' field of gnutls.pc. |
7543f865 | 312 | `(("libtasn1" ,libtasn1) |
55e61c4d | 313 | ("libidn2" ,libidn2) |
866f469e | 314 | ("nettle" ,nettle) |
8a594487 CB |
315 | ("zlib" ,zlib) |
316 | ,@(let ((system (or (%current-target-system) | |
317 | (%current-system)))) | |
318 | (if (string-prefix? "mips64el" system) | |
319 | '() | |
320 | `(("p11-kit" ,p11-kit)))))) | |
c19700c3 | 321 | (home-page "https://www.gnu.org/software/gnutls/") |
f50d2669 | 322 | (synopsis "Transport layer security library") |
7543f865 | 323 | (description |
a22dc0c4 | 324 | "GnuTLS is a secure communications library implementing the SSL, TLS |
79c311b8 | 325 | and DTLS protocols. It is provided in the form of a C library to support the |
b30407b8 | 326 | protocols, as well as to parse and write X.509, PKCS #12, OpenPGP and other |
a22dc0c4 | 327 | required structures.") |
63e8bb12 LC |
328 | (license license:lgpl2.1+) |
329 | (properties '((ftp-server . "ftp.gnutls.org") | |
330 | (ftp-directory . "/gcrypt/gnutls"))))) | |
cc2b77df | 331 | |
5a96748a LC |
332 | (define-public gnutls-latest |
333 | ;; Version 3.7.7 introduces 'set-session-record-port-close!', which allows | |
334 | ;; us to get rid of the wrapper port in 'tls-wrap'. | |
335 | (package | |
336 | (inherit gnutls) | |
337 | (version "3.7.7") | |
338 | (source (origin | |
339 | (method url-fetch) | |
340 | (uri (string-append "mirror://gnupg/gnutls/v" | |
341 | (version-major+minor version) | |
342 | "/gnutls-" version ".tar.xz")) | |
343 | (patches (search-patches "gnutls-skip-trust-store-test.patch" | |
344 | "gnutls-cross.patch")) | |
345 | (sha256 | |
346 | (base32 | |
347 | "01i1gl15k6qwvxmxx0by1mn9nlmcmym18wdpm7dn9awfsp8474dy")))))) | |
348 | ||
a270af31 LF |
349 | (define-public gnutls/guile-2.0 |
350 | ;; GnuTLS for Guile 2.0. | |
351 | (package/inherit gnutls | |
a0700787 LC |
352 | (name "guile2.0-gnutls") |
353 | (inputs `(("guile" ,guile-2.0) | |
58ea4d40 | 354 | ,@(alist-delete "guile" (package-inputs gnutls)))))) |
079f013b | 355 | |
5b9aa107 | 356 | (define-public gnutls/dane |
357 | ;; GnuTLS with build libgnutls-dane, implementing DNS-based | |
358 | ;; Authentication of Named Entities. This is required for GNS functionality | |
359 | ;; by GNUnet and gnURL. This is done in an extra package definition | |
360 | ;; to have the choice between GnuTLS with Dane and without Dane. | |
a270af31 | 361 | (package/inherit gnutls |
5b9aa107 | 362 | (name "gnutls-dane") |
363 | (inputs `(("unbound" ,unbound) | |
364 | ,@(package-inputs gnutls))))) | |
365 | ||
67a3c8ed | 366 | (define-public guile2.2-gnutls |
74e2c0e0 | 367 | (package/inherit gnutls |
67a3c8ed MB |
368 | (name "guile2.2-gnutls") |
369 | (inputs `(("guile" ,guile-2.2) | |
d630d781 | 370 | ,@(alist-delete "guile" |
5f9f034e | 371 | (package-inputs gnutls)))))) |
d630d781 | 372 | |
a1cd9308 LC |
373 | (define-public guile-gnutls |
374 | (package | |
375 | ;; This package supersedes the Guile bindings that came with GnuTLS until | |
376 | ;; version 3.7.8 included. | |
377 | (name "guile-gnutls") | |
378 | (version "3.7.9") | |
379 | (home-page "https://gitlab.com/gnutls/guile/") | |
380 | (source (origin | |
381 | (method git-fetch) | |
382 | (uri (git-reference | |
383 | (url home-page) | |
384 | (commit (string-append "v" version)))) | |
385 | (sha256 | |
386 | (base32 | |
387 | "00sfpqjmd263ka51fq4xf7nvaaxyfqsr3r8fj94jgx45q6q6n6wq")) | |
388 | (file-name (git-file-name name version)))) | |
389 | (build-system gnu-build-system) | |
390 | (arguments | |
391 | '(#:configure-flags | |
392 | ;; Tell the build system that we want Guile bindings installed to | |
393 | ;; the output instead of Guiles own module directory. | |
394 | (list "--disable-static" | |
395 | (string-append "--with-guile-site-dir=" | |
396 | "$(datarootdir)/guile/site/$(GUILE_EFFECTIVE_VERSION)") | |
397 | (string-append "--with-guile-site-ccache-dir=" | |
398 | "$(libdir)/guile/$(GUILE_EFFECTIVE_VERSION)/site-ccache") | |
399 | (string-append "--with-guile-extension-dir=" | |
400 | "$(libdir)/guile/$(GUILE_EFFECTIVE_VERSION)/extensions")))) | |
401 | (native-inputs | |
402 | (list autoconf | |
403 | automake | |
404 | libtool | |
405 | pkg-config | |
406 | texinfo | |
407 | guile-3.0)) | |
408 | (inputs | |
409 | (list gnutls-latest)) | |
410 | (synopsis "Guile bindings to GnuTLS") | |
411 | (description | |
412 | "This package provides Guile bindings to GnuTLS, a library implementation | |
413 | the @acronym{TLS, Transport-Layer Security} protocol. It supersedes the Guile | |
414 | bindings that were formerly provided as part of GnuTLS.") | |
415 | (license license:lgpl2.1+))) | |
416 | ||
7fabe9c8 MD |
417 | (define (target->openssl-target target) |
418 | "Return the value to set CONFIGURE_TARGET_ARCH to when cross-compiling | |
419 | OpenSSL for TARGET." | |
420 | ;; Keep this code outside the build code, | |
421 | ;; such that new targets can be added | |
422 | ;; without causing rebuilds for other targets. | |
a5a88b02 VK |
423 | (if (target-mingw? target) |
424 | (string-append | |
425 | "mingw" | |
426 | (if (target-x86-64? target) | |
427 | "64" | |
428 | "")) | |
429 | (let ((kernel | |
430 | (cond ((target-hurd? target) | |
431 | "hurd") | |
432 | ((target-linux? target) | |
433 | "linux") | |
434 | (else | |
435 | (error "unsupported openssl target kernel")))) | |
436 | (arch | |
437 | (cond | |
438 | ((target-x86-32? target) | |
439 | "x86") | |
440 | ((target-x86-64? target) | |
441 | "x86_64") | |
442 | ((target-mips64el? target) | |
443 | "mips64") | |
444 | ((target-arm32? target) | |
445 | "armv4") | |
446 | ((target-aarch64? target) | |
447 | "aarch64") | |
448 | ((target-ppc64le? target) | |
449 | "ppc64le") | |
450 | ((target-ppc32? target) | |
451 | "ppc") | |
452 | ((and (target-powerpc? target) | |
453 | (target-64bit? target)) | |
454 | "ppc64") | |
455 | ((target-64bit? target) | |
456 | ;; linux64-riscv64 isn't recognized until 3.0.0. | |
457 | "generic64") | |
458 | (else | |
459 | (error "unsupported openssl target architecture"))))) | |
460 | (string-append kernel "-" arch)))) | |
7fabe9c8 | 461 | |
db2444ad | 462 | (define-public openssl-1.1 |
cc2b77df | 463 | (package |
b4ccf3df | 464 | (name "openssl") |
a095d983 | 465 | (version "1.1.1l") |
1402c6ab | 466 | (replacement openssl/fixed) |
b4ccf3df MO |
467 | (source (origin |
468 | (method url-fetch) | |
469 | (uri (list (string-append "https://www.openssl.org/source/openssl-" | |
470 | version ".tar.gz") | |
471 | (string-append "ftp://ftp.openssl.org/source/" | |
472 | "openssl-" version ".tar.gz") | |
473 | (string-append "ftp://ftp.openssl.org/source/old/" | |
474 | (string-trim-right version char-set:letter) | |
475 | "/openssl-" version ".tar.gz"))) | |
476 | (patches (search-patches "openssl-1.1-c-rehash-in.patch")) | |
477 | (sha256 | |
478 | (base32 | |
a095d983 | 479 | "1lbblxps2fhmz7bqh058iywh5wxfignbfx1s1kz2fj63b5g3wyhb")))) |
b4ccf3df MO |
480 | (build-system gnu-build-system) |
481 | (outputs '("out" | |
a095d983 MC |
482 | "doc" ;6.8 MiB of man3 pages and full HTML documentation |
483 | "static")) ;6.4 MiB of .a files | |
8394619b | 484 | (native-inputs (list perl)) |
b4ccf3df MO |
485 | (arguments |
486 | `(#:parallel-tests? #f | |
487 | #:test-target "test" | |
8c9ec203 | 488 | |
b4ccf3df MO |
489 | ;; Changes to OpenSSL sometimes cause Perl to "sneak in" to the closure, |
490 | ;; so we explicitly disallow it here. | |
491 | #:disallowed-references ,(list (canonical-package perl)) | |
492 | #:phases | |
7c0eaa1f | 493 | ,#~ |
b4ccf3df | 494 | (modify-phases %standard-phases |
7c0eaa1f MD |
495 | #$@(if (%current-target-system) |
496 | #~((add-before | |
497 | 'configure 'set-cross-compile | |
f64a35b9 | 498 | (lambda* (#:key target #:allow-other-keys) |
7c0eaa1f MD |
499 | (setenv "CROSS_COMPILE" (string-append target "-")) |
500 | (setenv "CONFIGURE_TARGET_ARCH" | |
7fabe9c8 MD |
501 | #$(target->openssl-target |
502 | (%current-target-system)))))) | |
7c0eaa1f | 503 | #~()) |
199a1235 EF |
504 | ;; This test seems to be dependant on kernel features. |
505 | ;; https://github.com/openssl/openssl/issues/12242 | |
3a73399e EF |
506 | #$@(if (or (target-arm?) |
507 | (target-riscv64?)) | |
a095d983 MC |
508 | #~((replace 'check |
509 | (lambda* (#:key tests? test-target #:allow-other-keys) | |
510 | (when tests? | |
511 | (invoke "make" "TESTS=-test_afalg" test-target))))) | |
512 | #~()) | |
b4ccf3df | 513 | (replace 'configure |
f64a35b9 MD |
514 | (lambda* (#:key configure-flags #:allow-other-keys) |
515 | (let* ((out #$output) | |
b4ccf3df MO |
516 | (lib (string-append out "/lib"))) |
517 | ;; It's not a shebang so patch-source-shebangs misses it. | |
518 | (substitute* "config" | |
519 | (("/usr/bin/env") | |
520 | (string-append (assoc-ref %build-inputs "coreutils") | |
521 | "/bin/env"))) | |
522 | (apply | |
7c0eaa1f MD |
523 | invoke #$@(if (%current-target-system) |
524 | #~("./Configure") | |
525 | #~("./config")) | |
a095d983 | 526 | "shared" ;build shared libraries |
919d687a | 527 | "--libdir=lib" |
4fb254a3 | 528 | |
919d687a EF |
529 | ;; The default for this catch-all directory is |
530 | ;; PREFIX/ssl. Change that to something more | |
531 | ;; conventional. | |
532 | (string-append "--openssldir=" out | |
533 | "/share/openssl-" | |
7c0eaa1f | 534 | #$(package-version this-package)) |
4fb254a3 | 535 | |
919d687a EF |
536 | (string-append "--prefix=" out) |
537 | (string-append "-Wl,-rpath," lib) | |
7c0eaa1f MD |
538 | #$@(if (%current-target-system) |
539 | #~((getenv "CONFIGURE_TARGET_ARCH")) | |
540 | #~()) | |
c2dd2552 | 541 | configure-flags) |
b4ccf3df MO |
542 | ;; Output the configure variables. |
543 | (invoke "perl" "configdata.pm" "--dump")))) | |
544 | (add-after 'install 'move-static-libraries | |
f64a35b9 | 545 | (lambda _ |
b4ccf3df | 546 | ;; Move static libraries to the "static" output. |
f64a35b9 | 547 | (let* ((out #$output) |
b4ccf3df | 548 | (lib (string-append out "/lib")) |
f64a35b9 | 549 | (static #$output:static) |
b4ccf3df MO |
550 | (slib (string-append static "/lib"))) |
551 | (for-each (lambda (file) | |
552 | (install-file file slib) | |
553 | (delete-file file)) | |
e167044f VK |
554 | (find-files |
555 | lib | |
556 | #$(if (target-mingw?) | |
557 | '(lambda (filename _) | |
558 | (and (string-suffix? ".a" filename) | |
559 | (not (string-suffix? ".dll.a" filename)))) | |
560 | "\\.a$")))))) | |
b4ccf3df | 561 | (add-after 'install 'move-extra-documentation |
f64a35b9 | 562 | (lambda _ |
3e42c2bf | 563 | ;; Move man pages and full HTML documentation to "doc". |
f64a35b9 | 564 | (let* ((out #$output) |
3e42c2bf MD |
565 | (man (string-append out "/share/man")) |
566 | (html (string-append out "/share/doc/openssl")) | |
f64a35b9 | 567 | (doc #$output:doc) |
3e42c2bf | 568 | (man-target (string-append doc "/share/man")) |
b4ccf3df | 569 | (html-target (string-append doc "/share/doc/openssl"))) |
3e42c2bf | 570 | (mkdir-p (dirname man-target)) |
0196b866 | 571 | (mkdir-p (dirname html-target)) |
3e42c2bf | 572 | (rename-file man man-target) |
0196b866 | 573 | (rename-file html html-target)))) |
b4ccf3df MO |
574 | (add-after |
575 | 'install 'remove-miscellany | |
f64a35b9 | 576 | (lambda _ |
b4ccf3df MO |
577 | ;; The 'misc' directory contains random undocumented shell and Perl |
578 | ;; scripts. Remove them to avoid retaining a reference on Perl. | |
f64a35b9 MD |
579 | (delete-file-recursively (string-append #$output "/share/openssl-" |
580 | #$(package-version this-package) | |
581 | "/misc"))))))) | |
b4ccf3df | 582 | (native-search-paths |
2200530b | 583 | (list $SSL_CERT_DIR $SSL_CERT_FILE)) |
b4ccf3df MO |
584 | (synopsis "SSL/TLS implementation") |
585 | (description | |
586 | "OpenSSL is an implementation of SSL/TLS.") | |
587 | (license license:openssl) | |
588 | (home-page "https://www.openssl.org/"))) | |
cc2b77df | 589 | |
1402c6ab EF |
590 | (define openssl/fixed |
591 | (package | |
db2444ad | 592 | (inherit openssl-1.1) |
1402c6ab | 593 | (name "openssl") |
39dcbc7f | 594 | (version "1.1.1q") |
1402c6ab EF |
595 | (source (origin |
596 | (method url-fetch) | |
597 | (uri (list (string-append "https://www.openssl.org/source/openssl-" | |
598 | version ".tar.gz") | |
599 | (string-append "ftp://ftp.openssl.org/source/" | |
600 | "openssl-" version ".tar.gz") | |
601 | (string-append "ftp://ftp.openssl.org/source/old/" | |
602 | (string-trim-right version char-set:letter) | |
603 | "/openssl-" version ".tar.gz"))) | |
604 | (patches (search-patches "openssl-1.1-c-rehash-in.patch")) | |
605 | (sha256 | |
606 | (base32 | |
39dcbc7f | 607 | "1jhhzp4gh6ymidxm1ckjk948l583awp0w3y2nvqdz7022kk9r4yp")))))) |
1402c6ab | 608 | |
2932c421 MB |
609 | (define-public openssl-3.0 |
610 | (package | |
db2444ad | 611 | (inherit openssl-1.1) |
fe24e0c2 | 612 | (version "3.0.5") |
2932c421 MB |
613 | (source (origin |
614 | (method url-fetch) | |
615 | (uri (list (string-append "https://www.openssl.org/source/openssl-" | |
616 | version ".tar.gz") | |
617 | (string-append "ftp://ftp.openssl.org/source/" | |
618 | "openssl-" version ".tar.gz") | |
619 | (string-append "ftp://ftp.openssl.org/source/old/" | |
620 | (string-trim-right version char-set:letter) | |
621 | "/openssl-" version ".tar.gz"))) | |
622 | (patches (search-patches "openssl-3.0-c-rehash-in.patch")) | |
623 | (sha256 | |
624 | (base32 | |
fe24e0c2 | 625 | "0yja085lygkdxbf4k4rckkj9r24p8dgix8avqljnbbbixydqszda")))) |
2932c421 | 626 | (arguments |
db2444ad | 627 | (substitute-keyword-arguments (package-arguments openssl-1.1) |
2932c421 MB |
628 | ((#:phases phases '%standard-phases) |
629 | #~(modify-phases #$phases | |
630 | (add-before 'configure 'configure-perl | |
631 | (lambda* (#:key native-inputs inputs #:allow-other-keys) | |
632 | (setenv "HASHBANGPERL" | |
633 | (search-input-file (or native-inputs inputs) | |
634 | "/bin/perl")))))))) | |
635 | (license license:asl2.0))) | |
636 | ||
db2444ad MB |
637 | (define-public openssl openssl-1.1) |
638 | ||
f73c2aba NG |
639 | (define-public bearssl |
640 | (package | |
641 | (name "bearssl") | |
642 | (version "0.6") | |
643 | (source (origin | |
644 | (method url-fetch) | |
645 | (uri (string-append "https://www.bearssl.org/" | |
646 | "bearssl-" version ".tar.gz")) | |
647 | (sha256 | |
648 | (base32 | |
649 | "057zhgy9w4y8z2996r0pq5k2k39lpvmmvz4df8db8qa9f6hvn1b7")))) | |
650 | (build-system gnu-build-system) | |
651 | (arguments | |
652 | (list | |
653 | #:make-flags | |
654 | #~(list #$(string-append "CC=" (cc-for-target)) | |
655 | #$(string-append "LD=" (cc-for-target)) | |
656 | #$(string-append "LDDLL=" (cc-for-target))) | |
657 | #:phases | |
658 | #~(modify-phases %standard-phases | |
659 | (delete 'configure) ;no configure script | |
660 | (replace 'check | |
661 | (lambda* (#:key tests? #:allow-other-keys) | |
662 | (when tests? | |
663 | (with-directory-excursion "build" | |
664 | (invoke "./testcrypto" "all") | |
665 | (invoke "./testx509"))))) | |
666 | (replace 'install ;no install rule | |
667 | (lambda _ | |
668 | (let* ((out #$output) | |
669 | (bin (string-append out "/bin")) | |
670 | (doc (string-append out "/share/doc/" #$name "-" #$version)) | |
671 | (lib (string-append out "/lib")) | |
672 | (include (string-append out "/include"))) | |
673 | (install-file "build/brssl" bin) | |
674 | (for-each (lambda (f) (install-file f include)) | |
675 | (find-files "inc" "\\.h$")) | |
676 | (install-file "LICENSE.txt" doc) | |
677 | (install-file "build/libbearssl.so" lib))))))) | |
678 | (home-page "https://bearssl.org/") | |
679 | (synopsis "Small SSL/TLS library") | |
680 | (description "BearSSL is an implementation of the SSL/TLS | |
681 | protocol (RFC 5246) written in C. It aims at being correct and | |
682 | secure. In particular, insecure protocol versions and choices of | |
683 | algorithms are not supported, by design; cryptographic algorithm | |
684 | implementations are constant-time by default. It should also be | |
685 | small, both in RAM and code footprint. For instance, a minimal server | |
686 | implementation may fit in about 20 kilobytes of compiled code and 25 | |
687 | kilobytes of RAM.") | |
688 | (license license:expat))) | |
689 | ||
cb6a802c AE |
690 | (define-public libressl |
691 | (package | |
692 | (name "libressl") | |
1be7f437 | 693 | (version "3.3.6") |
644e5f17 TGR |
694 | (source (origin |
695 | (method url-fetch) | |
696 | (uri (string-append "mirror://openbsd/LibreSSL/" | |
ce1178d5 | 697 | "libressl-" version ".tar.gz")) |
644e5f17 TGR |
698 | (sha256 |
699 | (base32 | |
1be7f437 | 700 | "16jbzqj9wy2z10x8ppx63idw44k0d3wly0grpar0s6g1cn9q8a1z")))) |
cb6a802c | 701 | (build-system gnu-build-system) |
a2d64899 | 702 | (arguments |
76a9bad3 BW |
703 | `(#:configure-flags |
704 | (list | |
705 | ;; Do as if 'getentropy' were missing: Linux kernels before 3.17 lack its | |
706 | ;; underlying 'getrandom' system call and ENOSYS isn't properly handled. | |
707 | ;; See <https://lists.gnu.org/archive/html/guix-devel/2017-04/msg00235.html>. | |
708 | "ac_cv_func_getentropy=no" | |
709 | ;; FIXME It's using it's own bundled certificate, instead it should | |
710 | ;; behave like OpenSSL by using environment variables. | |
dac4fd03 | 711 | (string-append "--with-openssldir=" (assoc-ref %outputs "out") |
76a9bad3 BW |
712 | "/share/libressl-" |
713 | ,(package-version this-package)) | |
714 | ;; Provide a TLS-enabled netcat. | |
715 | "--enable-nc"))) | |
0fffcfa4 LC |
716 | (properties |
717 | `((release-monitoring-url . "https://ftp.openbsd.org/pub/OpenBSD/LibreSSL/"))) | |
2ed12d3f | 718 | (home-page "https://www.libressl.org/") |
cb6a802c | 719 | (synopsis "SSL/TLS implementation") |
df08f385 LF |
720 | (description "LibreSSL is a version of the TLS/crypto stack, forked from |
721 | OpenSSL in 2014 with the goals of modernizing the codebase, improving security, | |
722 | and applying best practice development processes. This package also includes a | |
723 | netcat implementation that supports TLS.") | |
cb6a802c AE |
724 | ;; Files taken from OpenSSL keep their license, others are under various |
725 | ;; non-copyleft licenses. | |
726 | (license (list license:openssl | |
727 | (license:non-copyleft | |
728 | "file://COPYING" | |
729 | "See COPYING in the distribution."))))) | |
730 | ||
6cefd53d | 731 | (define-public python-acme |
7890e3ba | 732 | (package |
6cefd53d | 733 | (name "python-acme") |
686d4259 | 734 | ;; Remember to update the hash of certbot when updating python-acme. |
334c849b | 735 | (version "1.28.0") |
7890e3ba | 736 | (source (origin |
9495cf9a | 737 | (method url-fetch) |
f349d36e | 738 | (uri (pypi-uri "acme" version)) |
881006b6 MB |
739 | (sha256 |
740 | (base32 | |
334c849b | 741 | "12fmw4g63pzbrmmrkk6hgg0k5px6jyx3scv9fmn60h21387jv0hz")))) |
7890e3ba LF |
742 | (build-system python-build-system) |
743 | (arguments | |
6cefd53d | 744 | `(#:phases |
9bee9d87 | 745 | (modify-phases %standard-phases |
1fc8476d MB |
746 | (add-after 'build 'build-documentation |
747 | (lambda _ | |
d4bd2453 | 748 | (invoke "make" "-C" "docs" "man" "info"))) |
1fc8476d | 749 | (add-after 'install 'install-documentation |
50a7963a LF |
750 | (lambda* (#:key outputs #:allow-other-keys) |
751 | (let* ((out (assoc-ref outputs "out")) | |
752 | (man (string-append out "/share/man/man1")) | |
753 | (info (string-append out "/info"))) | |
1fc8476d | 754 | (install-file "docs/_build/texinfo/acme-python.info" info) |
334c849b MB |
755 | (install-file "docs/_build/man/acme-python.1" man)))) |
756 | (replace 'check | |
757 | (lambda* (#:key tests? #:allow-other-keys) | |
758 | (when tests? | |
759 | (invoke "pytest" "-vv"))))))) | |
7890e3ba | 760 | (native-inputs |
8394619b LC |
761 | (list python-pytest |
762 | ;; For documentation | |
763 | python-sphinx | |
764 | python-sphinxcontrib-programoutput | |
765 | python-sphinx-rtd-theme | |
766 | texinfo)) | |
7890e3ba | 767 | (propagated-inputs |
2ec85ed4 JP |
768 | (list python-chardet |
769 | python-josepy | |
8394619b LC |
770 | python-requests |
771 | python-requests-toolbelt | |
772 | python-pytz | |
773 | python-pyrfc3339 | |
774 | python-pyasn1 | |
775 | python-cryptography | |
776 | python-pyopenssl)) | |
4631e6c9 | 777 | (home-page "https://github.com/certbot/certbot") |
7890e3ba LF |
778 | (synopsis "ACME protocol implementation in Python") |
779 | (description "ACME protocol implementation in Python") | |
780 | (license license:asl2.0))) | |
781 | ||
9495cf9a | 782 | (define-public certbot |
9fd0838b | 783 | (package |
9495cf9a | 784 | (name "certbot") |
686d4259 LF |
785 | ;; Certbot and python-acme are developed in the same repository, and their |
786 | ;; versions should remain synchronized. | |
787 | (version (package-version python-acme)) | |
9fd0838b DT |
788 | (source (origin |
789 | (method url-fetch) | |
b380463b | 790 | (uri (pypi-uri "certbot" version)) |
9fd0838b DT |
791 | (sha256 |
792 | (base32 | |
334c849b | 793 | "0p4cpakx1kc8lczlgxqryr2asnyrvw6p5wmkamkjqdsf3z7xhm2b")))) |
9fd0838b DT |
794 | (build-system python-build-system) |
795 | (arguments | |
fed1898d | 796 | `(,@(substitute-keyword-arguments (package-arguments python-acme) |
f26d6e4e LF |
797 | ((#:phases phases) |
798 | `(modify-phases ,phases | |
1fc8476d | 799 | (replace 'install-documentation |
f26d6e4e LF |
800 | (lambda* (#:key outputs #:allow-other-keys) |
801 | (let* ((out (assoc-ref outputs "out")) | |
802 | (man1 (string-append out "/share/man/man1")) | |
803 | (man7 (string-append out "/share/man/man7")) | |
804 | (info (string-append out "/info"))) | |
1fc8476d MB |
805 | (install-file "docs/_build/texinfo/Certbot.info" info) |
806 | (install-file "docs/_build/man/certbot.1" man1) | |
807 | (install-file "docs/_build/man/certbot.7" man7) | |
808 | #t)))))))) | |
9fd0838b | 809 | (native-inputs |
8394619b LC |
810 | (list python-mock |
811 | python-pytest | |
812 | ;; For documentation | |
813 | python-sphinx | |
814 | python-sphinx-rtd-theme | |
815 | python-sphinx-repoze-autointerface | |
816 | python-sphinxcontrib-programoutput | |
817 | texinfo)) | |
9fd0838b | 818 | (propagated-inputs |
8394619b LC |
819 | (list python-acme |
820 | python-cryptography | |
821 | python-zope-interface | |
822 | python-pyrfc3339 | |
823 | python-pyopenssl | |
824 | python-configobj | |
825 | python-configargparse | |
826 | python-distro | |
827 | python-zope-component | |
828 | python-parsedatetime | |
829 | python-psutil | |
830 | python-requests | |
831 | python-pytz)) | |
d8a1be63 | 832 | (synopsis "Let's Encrypt client by the Electronic Frontier Foundation") |
80968df0 TGR |
833 | (description "Certbot automatically receives and installs X.509 certificates |
834 | to enable Transport Layer Security (TLS) on servers. It interoperates with the | |
835 | Let’s Encrypt certificate authority (CA), which issues browser-trusted | |
836 | certificates for free.") | |
24778368 | 837 | (home-page "https://certbot.eff.org/") |
9fd0838b DT |
838 | (license license:asl2.0))) |
839 | ||
9495cf9a LF |
840 | (define-public letsencrypt |
841 | (package (inherit certbot) | |
56ab55d1 LF |
842 | (name "letsencrypt") |
843 | (properties `((superseded . ,certbot))))) | |
9495cf9a | 844 | |
cc2b77df AE |
845 | (define-public perl-net-ssleay |
846 | (package | |
847 | (name "perl-net-ssleay") | |
c591bb68 | 848 | (version "1.92") |
cc2b77df AE |
849 | (source (origin |
850 | (method url-fetch) | |
c50f15d6 | 851 | (uri (string-append "mirror://cpan/authors/id/C/CH/CHRISN/" |
cc2b77df AE |
852 | "Net-SSLeay-" version ".tar.gz")) |
853 | (sha256 | |
854 | (base32 | |
c591bb68 | 855 | "1acnjd5180dca26dmjq0b9ib0dbavlrzd6fnf4nidrzj02rz5hj7")))) |
cc2b77df | 856 | (build-system perl-build-system) |
8394619b | 857 | (inputs (list openssl)) |
cc2b77df | 858 | (arguments |
1084ec08 MW |
859 | `(#:phases |
860 | (modify-phases %standard-phases | |
1084ec08 MW |
861 | (add-before |
862 | 'configure 'set-ssl-prefix | |
863 | (lambda* (#:key inputs #:allow-other-keys) | |
864 | (setenv "OPENSSL_PREFIX" (assoc-ref inputs "openssl")) | |
865 | #t))))) | |
cc2b77df AE |
866 | (synopsis "Perl extension for using OpenSSL") |
867 | (description | |
868 | "This module offers some high level convenience functions for accessing | |
869 | web pages on SSL servers (for symmetry, the same API is offered for accessing | |
870 | http servers, too), an sslcat() function for writing your own clients, and | |
871 | finally access to the SSL api of the SSLeay/OpenSSL package so you can write | |
872 | servers or clients for more complicated applications.") | |
2f3108ad | 873 | (license license:perl-license) |
9aba9b12 | 874 | (home-page "https://metacpan.org/release/Net-SSLeay"))) |
4532c0c0 DM |
875 | |
876 | (define-public perl-crypt-openssl-rsa | |
877 | (package | |
878 | (name "perl-crypt-openssl-rsa") | |
a9994b27 | 879 | (version "0.31") |
4532c0c0 DM |
880 | (source |
881 | (origin | |
882 | (method url-fetch) | |
883 | (uri (string-append | |
683b8d47 | 884 | "mirror://cpan/authors/id/T/TO/TODDR/Crypt-OpenSSL-RSA-" |
4532c0c0 DM |
885 | version |
886 | ".tar.gz")) | |
887 | (sha256 | |
888 | (base32 | |
a9994b27 | 889 | "0djl5i6kibl7862b6ih29q8dhg5zpwzq77q9j8hp6xngshx40ws1")))) |
4532c0c0 | 890 | (build-system perl-build-system) |
683b8d47 | 891 | (native-inputs |
8394619b | 892 | (list perl-crypt-openssl-guess)) |
4532c0c0 | 893 | (inputs |
8394619b | 894 | (list perl-crypt-openssl-bignum perl-crypt-openssl-random openssl)) |
4532c0c0 DM |
895 | (arguments perl-crypt-arguments) |
896 | (home-page | |
9aba9b12 | 897 | "https://metacpan.org/release/Crypt-OpenSSL-RSA") |
4532c0c0 DM |
898 | (synopsis |
899 | "RSA encoding and decoding, using the openSSL libraries") | |
900 | (description "Crypt::OpenSSL::RSA does RSA encoding and decoding (using the | |
901 | OpenSSL libraries).") | |
2f3108ad | 902 | (license license:perl-license))) |
adff71ca DM |
903 | |
904 | (define perl-crypt-arguments | |
905 | `(#:phases (modify-phases %standard-phases | |
906 | (add-before 'configure 'patch-Makefile.PL | |
907 | (lambda* (#:key inputs #:allow-other-keys) | |
908 | (substitute* "Makefile.PL" | |
909 | (("'LIBS'.*=>.*") (string-append "'LIBS' => ['-L" | |
910 | (assoc-ref inputs "openssl") | |
911 | "/lib -lcrypto'],"))) | |
912 | #t))))) | |
913 | ||
914 | (define-public perl-crypt-openssl-bignum | |
915 | (package | |
916 | (name "perl-crypt-openssl-bignum") | |
7e8aac18 | 917 | (version "0.09") |
adff71ca DM |
918 | (source |
919 | (origin | |
920 | (method url-fetch) | |
921 | (uri (string-append | |
922 | "mirror://cpan/authors/id/K/KM/KMX/Crypt-OpenSSL-Bignum-" | |
923 | version | |
924 | ".tar.gz")) | |
925 | (sha256 | |
926 | (base32 | |
7e8aac18 | 927 | "1p22znbajq91lbk2k3yg12ig7hy5b4vy8igxwqkmbm4nhgxp4ki3")))) |
adff71ca | 928 | (build-system perl-build-system) |
8394619b | 929 | (inputs (list openssl)) |
adff71ca DM |
930 | (arguments perl-crypt-arguments) |
931 | (home-page | |
9aba9b12 | 932 | "https://metacpan.org/release/Crypt-OpenSSL-Bignum") |
adff71ca DM |
933 | (synopsis |
934 | "OpenSSL's multiprecision integer arithmetic in Perl") | |
935 | (description "Crypt::OpenSSL::Bignum provides multiprecision integer | |
936 | arithmetic in Perl.") | |
937 | ;; At your option either gpl1+ or the Artistic License | |
2f3108ad | 938 | (license license:perl-license))) |
cccb4d26 | 939 | |
c80590f6 TGR |
940 | (define-public perl-crypt-openssl-guess |
941 | (package | |
942 | (name "perl-crypt-openssl-guess") | |
943 | (version "0.11") | |
944 | (source | |
945 | (origin | |
946 | (method url-fetch) | |
947 | (uri (string-append | |
948 | "mirror://cpan/authors/id/A/AK/AKIYM/Crypt-OpenSSL-Guess-" | |
949 | version ".tar.gz")) | |
950 | (sha256 | |
951 | (base32 | |
952 | "0rvi9l4ljcbhwwvspq019nfq2h2v746dk355h2nwnlmqikiihsxa")))) | |
953 | (build-system perl-build-system) | |
9aba9b12 | 954 | (home-page "https://metacpan.org/release/Crypt-OpenSSL-Guess") |
c80590f6 TGR |
955 | (synopsis "Guess the OpenSSL include path") |
956 | (description | |
957 | "The Crypt::OpenSSL::Guess Perl module provides helpers to guess the | |
958 | correct OpenSSL include path. It is intended for use in your | |
959 | @file{Makefile.PL}.") | |
960 | (license license:perl-license))) | |
961 | ||
cccb4d26 DM |
962 | (define-public perl-crypt-openssl-random |
963 | (package | |
964 | (name "perl-crypt-openssl-random") | |
fa2d19cc | 965 | (version "0.15") |
cccb4d26 DM |
966 | (source |
967 | (origin | |
968 | (method url-fetch) | |
969 | (uri (string-append | |
970 | "mirror://cpan/authors/id/R/RU/RURBAN/Crypt-OpenSSL-Random-" | |
971 | version | |
972 | ".tar.gz")) | |
973 | (sha256 | |
fa2d19cc | 974 | (base32 "1x6ffps8q7mnawmcfq740llzy7i10g3319vap0wiw4d33fm6z1zh")))) |
cccb4d26 | 975 | (build-system perl-build-system) |
b30c23c4 | 976 | (native-inputs |
8394619b | 977 | (list perl-crypt-openssl-guess)) |
b30c23c4 | 978 | (inputs |
8394619b | 979 | (list openssl)) |
cccb4d26 DM |
980 | (arguments perl-crypt-arguments) |
981 | (home-page | |
9aba9b12 | 982 | "https://metacpan.org/release/Crypt-OpenSSL-Random") |
cccb4d26 DM |
983 | (synopsis |
984 | "OpenSSL/LibreSSL pseudo-random number generator access") | |
985 | (description "Crypt::OpenSSL::Random is a OpenSSL/LibreSSL pseudo-random | |
986 | number generator") | |
2f3108ad | 987 | (license license:perl-license))) |
0581c273 LF |
988 | |
989 | (define-public acme-client | |
990 | (package | |
991 | (name "acme-client") | |
4a6b2a21 | 992 | (version "0.1.16") |
0581c273 LF |
993 | (source (origin |
994 | (method url-fetch) | |
995 | (uri (string-append "https://kristaps.bsd.lv/" name "/" | |
996 | "snapshots/" name "-portable-" | |
997 | version ".tgz")) | |
998 | (sha256 | |
999 | (base32 | |
4a6b2a21 | 1000 | "00q05b3b1dfnfp7sr1nbd212n0mqrycl3cr9lbs51m7ncaihbrz9")))) |
0581c273 LF |
1001 | (build-system gnu-build-system) |
1002 | (arguments | |
1003 | '(#:tests? #f ; no test suite | |
1004 | #:make-flags | |
1005 | (list "CC=gcc" | |
1006 | (string-append "PREFIX=" (assoc-ref %outputs "out"))) | |
1007 | #:phases | |
1008 | (modify-phases %standard-phases | |
7c1a7bf4 LF |
1009 | (add-after 'unpack 'patch-paths |
1010 | (lambda* (#:key inputs #:allow-other-keys) | |
d468a03a | 1011 | (let ((pem (search-input-file inputs "/etc/ssl/cert.pem"))) |
7c1a7bf4 LF |
1012 | (substitute* "http.c" |
1013 | (("/etc/ssl/cert.pem") pem)) | |
1014 | #t))) | |
0581c273 | 1015 | (delete 'configure)))) ; no './configure' script |
4b569a4f | 1016 | (native-inputs |
8394619b | 1017 | (list pkg-config)) |
0581c273 | 1018 | (inputs |
8394619b | 1019 | (list libbsd libressl)) |
0581c273 LF |
1020 | (synopsis "Let's Encrypt client by the OpenBSD project") |
1021 | (description "acme-client is a Let's Encrypt client implemented in C. It | |
1022 | uses a modular design, and attempts to secure itself by dropping privileges and | |
1023 | operating in a chroot where possible. acme-client is developed on OpenBSD and | |
1024 | then ported to the GNU / Linux environment.") | |
1025 | (home-page "https://kristaps.bsd.lv/acme-client/") | |
1026 | ;; acme-client is distributed under the ISC license, but the files 'jsmn.h' | |
1027 | ;; and 'jsmn.c' are distributed under the Expat license. | |
1028 | (license (list license:isc license:expat)))) | |
88522738 | 1029 | |
1030 | ;; The "-apache" variant is the upstreamed prefered variant. A "-gpl" | |
1031 | ;; variant exists in addition to the "-apache" one. | |
1032 | (define-public mbedtls-apache | |
1033 | (package | |
1034 | (name "mbedtls-apache") | |
5cdb25c6 TGR |
1035 | ;; XXX Check whether ‘-Wformat-signedness’ still breaks mbedtls-for-hiawatha |
1036 | ;; when updating. | |
0ec75598 | 1037 | (version "2.26.0") |
88522738 | 1038 | (source |
1039 | (origin | |
927ecd4e TGR |
1040 | (method git-fetch) |
1041 | (uri (git-reference | |
1042 | (url "https://github.com/ARMmbed/mbedtls") | |
1043 | (commit (string-append "mbedtls-" version)))) | |
88522738 | 1044 | (sha256 |
0ec75598 MJK |
1045 | (base32 "0scwpmrgvg6q7rvqkc352d2fqlsx0aylcbyibcp1f1rsn8iiif2m")) |
1046 | (file-name (git-file-name name version)) | |
1047 | (modules '((guix build utils))) | |
1048 | (snippet | |
1049 | '(begin | |
1050 | ;; Can be removed with the next version. | |
1051 | ;; Reduce level of format truncation warnings due to false positives. | |
1052 | ;; https://github.com/ARMmbed/mbedtls/commit/2065a8d8af27c6cb1e40c9462b5933336dca7434 | |
1053 | (substitute* "CMakeLists.txt" | |
1054 | (("Wformat-truncation=2") "Wformat-truncation")) | |
1055 | #t)))) | |
88522738 | 1056 | (build-system cmake-build-system) |
a64d9d56 RW |
1057 | (arguments |
1058 | `(#:configure-flags | |
92ebd8ed | 1059 | (list "-DUSE_SHARED_MBEDTLS_LIBRARY=ON" |
927ecd4e TGR |
1060 | "-DUSE_STATIC_MBEDTLS_LIBRARY=OFF") |
1061 | #:phases | |
1062 | (modify-phases %standard-phases | |
1063 | (add-after 'unpack 'make-source-writable | |
1064 | (lambda _ | |
1065 | (for-each make-file-writable (find-files ".")) | |
927ecd4e | 1066 | #t))))) |
88522738 | 1067 | (native-inputs |
8394619b | 1068 | (list perl python)) |
88522738 | 1069 | (synopsis "Small TLS library") |
1070 | (description | |
1071 | "@code{mbed TLS}, formerly known as PolarSSL, makes it trivially easy | |
1072 | for developers to include cryptographic and SSL/TLS capabilities in their | |
1073 | (embedded) products, facilitating this functionality with a minimal | |
1074 | coding footprint.") | |
d4febc56 | 1075 | (home-page "https://www.trustedfirmware.org/projects/mbed-tls/") |
88522738 | 1076 | (license license:asl2.0))) |
587d1752 | 1077 | |
8e87aa04 TGR |
1078 | ;; The Hiawatha Web server requires some specific features to be enabled. |
1079 | (define-public mbedtls-for-hiawatha | |
1080 | (hidden-package | |
1081 | (package | |
1082 | (inherit mbedtls-apache) | |
1083 | (arguments | |
5cdb25c6 TGR |
1084 | (substitute-keyword-arguments (package-arguments mbedtls-apache) |
1085 | ((#:phases phases) | |
1086 | `(modify-phases ,phases | |
1087 | (add-before 'configure 'configure-extra-features | |
1088 | (lambda _ | |
1089 | (for-each (lambda (feature) | |
1090 | (invoke "scripts/config.pl" "set" feature)) | |
1091 | (list "MBEDTLS_THREADING_C" | |
1092 | "MBEDTLS_THREADING_PTHREAD")) | |
1093 | ;; XXX The above enables code that breaks with -Werror… | |
1094 | (substitute* "CMakeLists.txt" | |
1095 | ((" -Wformat-signedness") "")) | |
1096 | #t))))))))) | |
8e87aa04 | 1097 | |
e8b3a158 CL |
1098 | (define-public dehydrated |
1099 | (package | |
1100 | (name "dehydrated") | |
69b98261 | 1101 | (version "0.7.0") |
e8b3a158 | 1102 | (source (origin |
2850d877 | 1103 | (method url-fetch) |
e8b3a158 | 1104 | (uri (string-append |
bb5ab9bf | 1105 | "https://github.com/dehydrated-io/dehydrated/releases/download/" |
2850d877 | 1106 | "v" version "/dehydrated-" version ".tar.gz")) |
e8b3a158 CL |
1107 | (sha256 |
1108 | (base32 | |
69b98261 | 1109 | "1yf4kldyd5y13r6qxrkcbbk74ykngq7jzy0351vb2r3ywp114pqw")))) |
e8b3a158 CL |
1110 | (build-system trivial-build-system) |
1111 | (arguments | |
c150d637 TGR |
1112 | `(#:modules ((guix build utils) |
1113 | (srfi srfi-26)) | |
e8b3a158 CL |
1114 | #:builder |
1115 | (begin | |
c150d637 TGR |
1116 | (use-modules (guix build utils) |
1117 | (srfi srfi-26)) | |
e8b3a158 | 1118 | (let* ((source (assoc-ref %build-inputs "source")) |
2850d877 EF |
1119 | (tar (assoc-ref %build-inputs "tar")) |
1120 | (gz (assoc-ref %build-inputs "gzip")) | |
e8b3a158 CL |
1121 | (out (assoc-ref %outputs "out")) |
1122 | (bin (string-append out "/bin")) | |
c150d637 TGR |
1123 | (doc (string-append out "/share/doc/" ,name "-" ,version)) |
1124 | (man (string-append out "/share/man")) | |
e8b3a158 | 1125 | (bash (in-vicinity (assoc-ref %build-inputs "bash") "bin"))) |
2850d877 EF |
1126 | |
1127 | (setenv "PATH" (string-append gz "/bin")) | |
1128 | (invoke (string-append tar "/bin/tar") "xvf" source) | |
1129 | (chdir (string-append ,name "-" ,version)) | |
1130 | ||
c150d637 TGR |
1131 | (copy-recursively "docs" doc) |
1132 | (install-file "LICENSE" doc) | |
1133 | ||
1134 | (mkdir-p man) | |
1135 | (rename-file (string-append doc "/man") | |
1136 | (string-append man "/man1")) | |
1137 | (for-each (cut invoke "gzip" "-9" <>) | |
1138 | (find-files man ".*")) | |
1139 | ||
2850d877 | 1140 | (install-file "dehydrated" bin) |
e8b3a158 | 1141 | (with-directory-excursion bin |
e8b3a158 CL |
1142 | (patch-shebang "dehydrated" (list bash)) |
1143 | ||
c150d637 | 1144 | ;; Do not try to write to the store. |
e8b3a158 CL |
1145 | (substitute* "dehydrated" |
1146 | (("SCRIPTDIR=\"\\$.*\"") "SCRIPTDIR=~/.dehydrated")) | |
1147 | ||
1148 | (setenv "PATH" bash) | |
1149 | (wrap-program "dehydrated" | |
1150 | `("PATH" ":" prefix | |
1151 | ,(map (lambda (dir) | |
1152 | (string-append dir "/bin")) | |
1153 | (map (lambda (input) | |
1154 | (assoc-ref %build-inputs input)) | |
1155 | '("coreutils" | |
1156 | "curl" | |
1157 | "diffutils" | |
1158 | "gawk" | |
1159 | "grep" | |
1160 | "openssl" | |
1161 | "sed")))))) | |
1162 | #t)))) | |
1163 | (inputs | |
8394619b LC |
1164 | (list bash |
1165 | coreutils | |
1166 | curl | |
1167 | diffutils | |
1168 | gawk | |
1169 | grep | |
1170 | openssl | |
1171 | sed)) | |
2850d877 | 1172 | (native-inputs |
8394619b | 1173 | (list gzip tar)) |
d0cc63cc MC |
1174 | ;; The following definition is copied from the cURL package to prevent a |
1175 | ;; cycle between the curl and tls modules. | |
77e2df87 | 1176 | (native-search-paths |
d0cc63cc MC |
1177 | (list (search-path-specification |
1178 | (variable "CURL_CA_BUNDLE") | |
1179 | (file-type 'regular) | |
1180 | (separator #f) | |
1181 | (files '("etc/ssl/certs/ca-certificates.crt"))))) | |
e8b3a158 | 1182 | (home-page "https://dehydrated.io/") |
bc5152a2 TGR |
1183 | (synopsis "ACME client implemented as a shell script") |
1184 | (description "Dehydrated is a client for obtaining certificates from an | |
1185 | ACME server (such as Let's Encrypt) implemented as a relatively simple Bash | |
1186 | script.") | |
e8b3a158 | 1187 | (license license:expat))) |
ea22aa1f LF |
1188 | |
1189 | (define-public go-github-com-certifi-gocertifi | |
db388401 LF |
1190 | (let ((commit "a5e0173ced670013bfb649c7e806bc9529c986ec") |
1191 | (revision "1")) | |
1192 | (package | |
1193 | (name "go-github-com-certifi-gocertifi") | |
1194 | (version (git-version "2018.01.18" revision commit)) | |
1195 | (source (origin | |
1196 | (method git-fetch) | |
1197 | (uri (git-reference | |
1198 | (url "https://github.com/certifi/gocertifi") | |
1199 | (commit commit))) | |
1200 | (file-name (git-file-name name version)) | |
1201 | (sha256 | |
1202 | (base32 | |
1203 | "1n9drccl3q1rr8wg3nf60slkf1lgsmz5ahifrglbdrc6har3rryj")))) | |
1204 | (build-system go-build-system) | |
1205 | (arguments | |
1206 | '(#:import-path "github.com/certifi/gocertifi")) | |
1207 | (synopsis "X.509 TLS root certificate bundle for Go") | |
1208 | (description "This package is a Go language X.509 TLS root certificate bundle, | |
ea22aa1f | 1209 | derived from Mozilla's collection.") |
db388401 LF |
1210 | (home-page "https://certifi.io") |
1211 | (license license:mpl2.0)))) | |
1b518888 GH |
1212 | |
1213 | (define-public s2n | |
cf48bf86 GH |
1214 | (package |
1215 | (name "s2n") | |
af856afb | 1216 | ;; Update only when updating aws-crt-cpp. |
bc3e3245 | 1217 | (version "1.3.10") |
cf48bf86 GH |
1218 | (source (origin |
1219 | (method git-fetch) | |
1220 | (uri (git-reference | |
1221 | (url "https://github.com/aws/s2n-tls") | |
1222 | (commit (string-append "v" version)))) | |
1223 | (file-name (git-file-name name version)) | |
1224 | (sha256 | |
1225 | (base32 | |
bc3e3245 | 1226 | "15fr6zwglw74x5qd090752kqn7n3cyi4gmz94ip45g3hflschxd3")))) |
cf48bf86 GH |
1227 | (build-system cmake-build-system) |
1228 | (arguments | |
1229 | '(#:configure-flags | |
af856afb GH |
1230 | '("-DBUILD_SHARED_LIBS=ON" |
1231 | ;; Remove in next update; see https://github.com/aws/s2n-tls/pull/3108 | |
1232 | ;; Building with 'Werror' results in compilation error (even building | |
1233 | ;; with gcc) when replacing the aws-lc input with openssl. | |
1234 | "-DUNSAFE_TREAT_WARNINGS_AS_ERRORS=OFF"))) | |
1235 | (propagated-inputs (list aws-lc)) | |
1236 | (supported-systems '("x86_64-linux")) | |
cf48bf86 GH |
1237 | (synopsis "SSL/TLS implementation in C99") |
1238 | (description | |
1239 | "This library provides a C99 implementation of SSL/TLS. It is designed to | |
1240 | be familiar to users of the widely-used POSIX I/O APIs. It supports blocking, | |
1241 | non-blocking, and full-duplex I/O. There are no locks or mutexes. | |
9f9118bd TGR |
1242 | |
1243 | As it can be difficult to keep track of which encryption algorithms and | |
1244 | protocols are best to use, s2n-tls features a simple API to use the latest | |
1245 | default set of preferences. Remaining on a specific version for backwards | |
1246 | compatibility is also supported.") | |
02f849ad | 1247 | (home-page "https://github.com/aws/s2n-tls") |
cf48bf86 | 1248 | (license license:asl2.0))) |
363fe99c LF |
1249 | |
1250 | (define-public wolfssl | |
1251 | (package | |
1252 | (name "wolfssl") | |
1eaf8eb7 | 1253 | (version "4.8.1") |
363fe99c LF |
1254 | (source (origin |
1255 | (method git-fetch) | |
1256 | (uri (git-reference | |
1257 | (url "https://github.com/wolfSSL/wolfssl") | |
1258 | (commit (string-append "v" version "-stable")))) | |
1259 | (file-name (git-file-name name version)) | |
1260 | (sha256 | |
1261 | (base32 | |
1eaf8eb7 | 1262 | "0w5pd40j6h4j2f0b7c2n1n979y9qk8aln3ss2gb0jfsid1hrmx5k")))) |
363fe99c LF |
1263 | (build-system gnu-build-system) |
1264 | (arguments | |
1265 | '(#:configure-flags | |
1266 | '("--enable-reproducible-build"))) | |
1267 | (native-inputs | |
8394619b | 1268 | (list autoconf automake libtool)) |
363fe99c LF |
1269 | (synopsis "SSL/TLS implementation") |
1270 | (description "The wolfSSL embedded SSL library (formerly CyaSSL) is an | |
1271 | SSL/TLS library written in ANSI C and targeted for embedded, RTOS, and | |
1272 | resource-constrained environments - primarily because of its small size, speed, | |
1273 | and feature set. wolfSSL supports industry standards up to the current TLS 1.3 | |
1274 | and DTLS 1.2, is up to 20 times smaller than OpenSSL, and offers progressive | |
1275 | ciphers such as ChaCha20, Curve25519, NTRU, and Blake2b.") | |
1276 | (home-page "https://www.wolfssl.com/") | |
1277 | (license license:gpl2+))) ; Audit | |
da9272fa GH |
1278 | |
1279 | (define-public aws-lc | |
25a1c60b GH |
1280 | (package |
1281 | (name "aws-lc") | |
a5a408c3 | 1282 | ;; Update only when updating aws-crt-cpp. |
25a1c60b GH |
1283 | (version "1.0.2") |
1284 | (source (origin | |
1285 | (method git-fetch) | |
1286 | (uri (git-reference | |
1287 | (url (string-append "https://github.com/awslabs/" name)) | |
1288 | (commit (string-append "v" version)))) | |
1289 | (file-name (git-file-name name version)) | |
1290 | (sha256 | |
1291 | (base32 | |
a5a408c3 | 1292 | "16y4iy2rqrmb7b1c394wyq7a5vbjb41599524my6b6q1vk1pi307")))) |
25a1c60b GH |
1293 | (build-system cmake-build-system) |
1294 | (arguments | |
a5a408c3 | 1295 | '(#:test-target "run_minimal_tests" |
25a1c60b GH |
1296 | #:configure-flags |
1297 | '("-DBUILD_SHARED_LIBS=ON"))) | |
1298 | (synopsis "General purpose cryptographic library") | |
1299 | (description "AWS libcrypto (aws-lc) contains portable C implementations | |
da9272fa GH |
1300 | of algorithms needed for TLS and common applications, and includes optimized |
1301 | assembly versions for x86 and ARM.") | |
25a1c60b GH |
1302 | (home-page "https://github.com/awslabs/aws-lc") |
1303 | (license license:asl2.0))) |