gnu: Remove acme-client.
[jackhill/guix/guix.git] / gnu / packages / tls.scm
;;; GNU Guix --- Functional package management for GNU
;;; Copyright © 2012-2017, 2019-2022 Ludovic Courtès <ludo@gnu.org>
;;; Copyright © 2014, 2015, 2016, 2017, 2018, 2021 Mark H Weaver <mhw@netris.org>
;;; Copyright © 2014 Ian Denhardt <ian@zenhack.net>
;;; Copyright © 2013, 2015 Andreas Enge <andreas@enge.fr>
;;; Copyright © 2015 David Thompson <davet@gnu.org>
;;; Copyright © 2015, 2016, 2017, 2018, 2019, 2020, 2021 Leo Famulari <leo@famulari.name>
;;; Copyright © 2016, 2017, 2019, 2021, 2022 Efraim Flashner <efraim@flashner.co.il>
;;; Copyright © 2016, 2017, 2018 Nikita <nikita@n0.is>
;;; Copyright © 2016 Hartmut Goebel <h.goebel@crazy-compilers.com>
;;; Copyright © 2017 Ricardo Wurmus <rekado@elephly.net>
;;; Copyright © 2017-2022 Marius Bakke <marius@gnu.org>
;;; Copyright © 2017–2021 Tobias Geerinckx-Rice <me@tobias.gr>
;;; Copyright © 2017 Rutger Helling <rhelling@mykolab.com>
;;; Copyright © 2018 Clément Lassieur <clement@lassieur.org>
;;; Copyright © 2019 Mathieu Othacehe <m.othacehe@gmail.com>
;;; Copyright © 2020 Jan (janneke) Nieuwenhuizen <janneke@gnu.org>
;;; Copyright © 2020, 2021 Maxim Cournoyer <maxim.cournoyer@gmail.com>
;;; Copyright © 2021 Solene Rapenne <solene@perso.pw>
;;; Copyright © 2021 Brice Waegeneire <brice@waegenei.re>
;;; Copyright © 2021 Maxime Devos <maximedevos@telenet.be>
;;; Copyright © 2021 Matthew James Kraai <kraai@ftbfs.org>
;;; Copyright © 2021 John Kehayias <john.kehayias@protonmail.com>
;;; Copyright © 2022 Greg Hogan <code@greghogan.com>
;;;
;;; This file is part of GNU Guix.
;;;
;;; GNU Guix is free software; you can redistribute it and/or modify it
;;; under the terms of the GNU General Public License as published by
;;; the Free Software Foundation; either version 3 of the License, or (at
;;; your option) any later version.
;;;
;;; GNU Guix is distributed in the hope that it will be useful, but
;;; WITHOUT ANY WARRANTY; without even the implied warranty of
;;; MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
;;; GNU General Public License for more details.
;;;
;;; You should have received a copy of the GNU General Public License
;;; along with GNU Guix. If not, see <http://www.gnu.org/licenses/>.

;;; Packages for TLS/SSL libraries, ASN.1 tooling and ACME clients.
(define-module (gnu packages tls)
  #:use-module ((guix licenses) #:prefix license:)
  #:use-module (guix packages)
  #:use-module (guix download)
  #:use-module (guix git-download)
  #:use-module (guix utils)
  #:use-module (guix gexp)
  #:use-module (guix build-system gnu)
  #:use-module (guix build-system go)
  #:use-module (guix build-system perl)
  #:use-module (guix build-system python)
  #:use-module (guix build-system cmake)
  #:use-module (guix build-system trivial)
  ;; $SSL_CERT_DIR and $SSL_CERT_FILE are exported by 'openssl-1.1' below as
  ;; native search paths so that dependents can locate the system trust
  ;; store through the environment.
  #:use-module ((guix search-paths) #:select ($SSL_CERT_DIR $SSL_CERT_FILE))
  #:use-module (gnu packages compression)
  #:use-module (gnu packages)
  #:use-module (gnu packages autotools)
  #:use-module (gnu packages bash)
  #:use-module (gnu packages check)
  #:use-module (gnu packages curl)
  #:use-module (gnu packages dns)
  #:use-module (gnu packages gawk)
  #:use-module (gnu packages gettext)
  #:use-module (gnu packages guile)
  #:use-module (gnu packages hurd)
  #:use-module (gnu packages libbsd)
  #:use-module (gnu packages libffi)
  #:use-module (gnu packages libidn)
  #:use-module (gnu packages libunistring)
  #:use-module (gnu packages linux)
  #:use-module (gnu packages ncurses)
  #:use-module (gnu packages nettle)
  #:use-module (gnu packages networking)
  #:use-module (gnu packages perl)
  #:use-module (gnu packages pkg-config)
  #:use-module (gnu packages python)
  #:use-module (gnu packages python-crypto)
  #:use-module (gnu packages python-web)
  #:use-module (gnu packages python-xyz)
  #:use-module (gnu packages sphinx)
  #:use-module (gnu packages texinfo)
  #:use-module (gnu packages time)
  #:use-module (gnu packages base)
  #:use-module (srfi srfi-1))

;; ASN.1 parser shared by 'p11-kit' and 'gnutls' below (GnuTLS propagates it
;; through gnutls.pc), so an update here reaches the whole TLS stack.
(define-public libtasn1
  (package
    (name "libtasn1")
    (version "4.17.0")
    (source
     (origin
       (method url-fetch)
       (uri (string-append "mirror://gnu/libtasn1/libtasn1-"
                           version ".tar.gz"))
       (sha256
        (base32
         "19a53i1ajs4dd8nnlr2i6gbzvla84ay71g3y1phvh8krx8f5brzc"))))
    (build-system gnu-build-system)
    (arguments
     ;; Only the shared library is built.
     `(#:configure-flags '("--disable-static")))
    (native-inputs (list perl))
    (home-page "https://www.gnu.org/software/libtasn1/")
    (synopsis "ASN.1 library")
    (description
     "GNU libtasn1 is a library implementing the ASN.1 notation. It is used
for transmitting machine-neutral encodings of data objects in computer
networking, allowing for formal validation of data according to some
specifications.")
    (license license:lgpl2.0+)))

;; Compiler from ASN.1 modules to C; unrelated to libtasn1 above, which is a
;; runtime library.
(define-public asn1c
  (package
    (name "asn1c")
    (version "0.9.28")
    (source (origin
              (method url-fetch)
              (uri (string-append "https://lionet.info/soft/asn1c-"
                                  version ".tar.gz"))
              (sha256
               (base32
                "1fc64g45ykmv73kdndr4zdm4wxhimhrir4rxnygxvwkych5l81w0"))))
    (build-system gnu-build-system)
    (native-inputs
     (list perl))
    (home-page "https://lionet.info/asn1c")
    (synopsis "ASN.1 to C compiler")
    (description "The ASN.1 to C compiler takes ASN.1 module
files and generates C++ compatible C source code. That code can be
used to serialize the native C structures into compact and unambiguous
BER/XER/PER-based data files, and deserialize the files back.

Various ASN.1 based formats are widely used in the industry, such as to encode
the X.509 certificates employed in the HTTPS handshake, to exchange control
data between mobile phones and cellular networks, to car-to-car communication
in intelligent transportation networks.")
    (license license:bsd-2)))

;; PKCS#11 module loader.  This variant is built without any trust paths;
;; see 'p11-kit-next' below for the one that points at the system CA bundle.
(define-public p11-kit
  (package
    (name "p11-kit")
    (version "0.23.22")
    (source
     (origin
       (method url-fetch)
       (uri (string-append "https://github.com/p11-glue/p11-kit/releases/"
                           "download/" version "/p11-kit-" version ".tar.xz"))
       (sha256
        (base32 "1dn6br4v033d3gp2max9lsr3y4q0nj6iyr1yq3kzi8ym7lal13wa"))))
    (build-system gnu-build-system)
    (native-inputs
     ;; The autotools are only needed on the Hurd, where the build is
     ;; re-bootstrapped after applying the patch below.
     `(,@(if (hurd-target?)
             `(("autoconf" ,autoconf)
               ("automake" ,automake)
               ("gettext" ,gettext-minimal) ;for autopoint
               ("libtool" ,libtool))
             '())
       ("pkg-config" ,pkg-config)))
    (inputs
     `(("libffi" ,libffi)
       ,@(if (hurd-target?)
             `(("libbsd" ,libbsd)
               ("hurd-patch" ,(search-patch "p11-kit-hurd.patch")))
             '())
       ("libtasn1" ,libtasn1)))
    (arguments
     ;; No system trust anchors are compiled in; 'p11-kit-next' replaces this
     ;; flag with an explicit trust path.
     `(#:configure-flags '("--without-trust-paths")
       #:phases (modify-phases %standard-phases
                  ,@(if (hurd-target?)
                        '((add-after 'unpack 'apply-hurd-patch
                            (lambda* (#:key inputs #:allow-other-keys)
                              (let ((patch (assoc-ref inputs "hurd-patch")))
                                (invoke "patch" "-p1" "--batch" "-i"
                                        patch))))
                          (replace 'bootstrap
                            (lambda _
                              (invoke "autoreconf" "-fiv"))))
                        '())
                  (add-before 'check 'prepare-tests
                    (lambda _
                      ;; "test-runtime" expects XDG_RUNTIME_DIR to be set up
                      ;; and looks for .cache and other directories (only).
                      ;; For simplicity just drop it since it is irrelevant
                      ;; in the build container.
                      (substitute* "Makefile"
                        (("test-runtime\\$\\(EXEEXT\\)") ""))
                      #t)))))
    (home-page "https://p11-glue.github.io/p11-glue/p11-kit.html")
    (synopsis "PKCS#11 library")
    (description
     "p11-kit provides a way to load and enumerate PKCS#11 modules. It
provides a standard configuration setup for installing PKCS#11 modules
in such a way that they are discoverable. It also solves problems with
coordinating the use of PKCS#11 by different components or libraries
living in the same process.")
    (license license:bsd-3)))

;; Newer p11-kit whose trust module is pointed at the system CA bundle.
(define-public p11-kit-next
  (package
    (inherit p11-kit)
    (version "0.24.1")
    (source
     (origin
       (method url-fetch)
       (uri (string-append "https://github.com/p11-glue/p11-kit/releases/"
                           "download/" version "/p11-kit-" version ".tar.xz"))
       (sha256
        (base32 "1y5fm9gwhkh902r26p90qf1g2h1ziqrk4hgf9i9sxm2wzlz7ignq"))))
    (arguments
     ;; Use the default certificates so that users such as flatpak find them.
     ;; See <https://issues.guix.gnu.org/49957>.
     ;; FLAGS is bound but not spliced back in: the new list replaces
     ;; '--without-trust-paths' from 'p11-kit' entirely.
     ;; NOTE(review): the trust path is an absolute path outside the store,
     ;; so it only resolves on systems that actually provide that file.
     (substitute-keyword-arguments (package-arguments p11-kit)
       ((#:configure-flags flags ''())
        ''("--with-trust-paths=/etc/ssl/certs/ca-certificates.crt"))))))

;; The default GnuTLS, with Guile bindings built in.  'gnutls-latest' below
;; is the newer release without bindings.
;; NOTE(review): unlike 'openssl-1.1', no 'replacement' field is set here, so
;; 'gnutls-latest' (3.7.7) is not grafted onto this 3.7.2 package; whether
;; that is intended cannot be told from this file.
(define-public gnutls
  (package
    (name "gnutls")
    (version "3.7.2")
    (source (origin
              (method url-fetch)
              ;; Note: Releases are no longer on ftp.gnu.org since the
              ;; schism (after version 3.1.5).
              (uri (string-append "mirror://gnupg/gnutls/v"
                                  (version-major+minor version)
                                  "/gnutls-" version ".tar.xz"))
              ;; The trust-store test is skipped, presumably because the
              ;; directory configured below does not exist in the build
              ;; container -- confirm against the patch.
              (patches (search-patches "gnutls-skip-trust-store-test.patch"
                                       "gnutls-cross.patch"
                                       "gnutls-guile-eintr-eagain.patch"))
              (sha256
               (base32
                "0li7mwjnm64mbxhacz0rpf6i9qd83f53fvbrx96alpqqk9d6qvk4"))))
    (build-system gnu-build-system)
    (arguments
     ;; The test suite is not run when cross-compiling or targeting the Hurd.
     `(#:tests? ,(not (or (%current-target-system)
                          (hurd-target?)))
       ;; Ensure we don't keep a reference to the tools used for testing.
       #:disallowed-references ,(if (hurd-target?)
                                    '()
                                    (list net-tools iproute socat))
       #:configure-flags
       (cons*
        ;; GnuTLS doesn't consult any environment variables to specify
        ;; the location of the system-wide trust store. Instead it has a
        ;; configure-time option. Unless specified, its configure script
        ;; attempts to auto-detect the location by looking for common
        ;; places in the file system, none of which are present in our
        ;; chroot build environment. If not found, then no default trust
        ;; store is used, so each program has to provide its own
        ;; fallback, and users have to configure each program
        ;; independently. This seems suboptimal.
        "--with-default-trust-store-dir=/etc/ssl/certs"

        ;; Tell the build system that we want Guile bindings installed to
        ;; the output instead of Guile's own module directory.
        (string-append "--with-guile-site-dir="
                       "$(datarootdir)/guile/site/$(GUILE_EFFECTIVE_VERSION)")
        (string-append "--with-guile-site-ccache-dir="
                       "$(libdir)/guile/$(GUILE_EFFECTIVE_VERSION)/site-ccache")
        (string-append "--with-guile-extension-dir="
                       "$(libdir)/guile/$(GUILE_EFFECTIVE_VERSION)/extensions")

        ;; SYSTEM is resolved at package-definition time (note the unquote).
        (let ((system ,(or (%current-target-system)
                           (%current-system))))
          (if (string-prefix? "mips64el" system)
              (list
               ;; FIXME: Temporarily disable p11-kit support since it is
               ;; not working on mips64el.
               "--without-p11-kit")
              '())))

       #:phases (modify-phases %standard-phases
                  ;; fastopen.sh fails to connect to the server in the builder
                  ;; environment (see:
                  ;; https://gitlab.com/gnutls/gnutls/-/issues/1095).
                  (add-after 'unpack 'disable-failing-tests
                    (lambda _
                      ;; Exit status 77 marks the test as skipped.
                      (substitute* "tests/fastopen.sh"
                        (("^unset RETCODE")
                         "exit 77\n"))))    ;skip
                  (add-after 'install 'move-doc
                    (lambda* (#:key outputs #:allow-other-keys)
                      ;; Copy the 4.1 MiB of section 3 man pages to "doc".
                      (let* ((out (assoc-ref outputs "out"))
                             (doc (assoc-ref outputs "doc"))
                             (mandir (string-append doc "/share/man/man3"))
                             (oldman (string-append out "/share/man/man3")))
                        (mkdir-p mandir)
                        (copy-recursively oldman mandir)
                        (delete-file-recursively oldman)))))))
    (outputs '("out"                    ;4.4 MiB
               "debug"
               "doc"))                  ;4.1 MiB of man pages
    (native-inputs
     ;; The test-only tools below are also listed in #:disallowed-references
     ;; so that none of them leak into the result.
     `(,@(if (%current-target-system)             ;for cross-build
             `(("guile" ,guile-3.0))              ;to create .go files
             '())
       ,@(if (hurd-target?)
             '()
             `(("net-tools" ,net-tools)
               ("iproute" ,iproute)               ;for 'ss'
               ("socat" ,socat)))                 ;several tests rely on it
       ("pkg-config" ,pkg-config)
       ("texinfo" ,texinfo)
       ("which" ,which)
       ,@(if (hurd-target?)
             '()
             `(("datefudge" ,datefudge)))         ;tests rely on 'datefudge'
       ("util-linux" ,util-linux)))               ;one test needs 'setsid'
    (inputs
     (list guile-3.0))
    (propagated-inputs
     ;; These are all in the 'Requires.private' field of gnutls.pc.
     `(("libtasn1" ,libtasn1)
       ("libidn2" ,libidn2)
       ("nettle" ,nettle)
       ("zlib" ,zlib)
       ;; Mirrors the "--without-p11-kit" flag above: no PKCS#11 provider on
       ;; mips64el.
       ,@(let ((system (or (%current-target-system)
                           (%current-system))))
           (if (string-prefix? "mips64el" system)
               '()
               `(("p11-kit" ,p11-kit))))))
    (home-page "https://www.gnu.org/software/gnutls/")
    (synopsis "Transport layer security library")
    (description
     "GnuTLS is a secure communications library implementing the SSL, TLS
and DTLS protocols. It is provided in the form of a C library to support the
protocols, as well as to parse and write X.509, PKCS #12, OpenPGP and other
required structures.")
    (license license:lgpl2.1+)
    (properties '((ftp-server . "ftp.gnutls.org")
                  (ftp-directory . "/gcrypt/gnutls")))))

;; Newer GnuTLS without the bundled Guile bindings (see 'guile-gnutls').
;; 'arguments' -- including the --with-guile-* configure flags and the
;; trust-store directory -- are inherited unchanged from 'gnutls'.
(define-public gnutls-latest
  (package
    (inherit gnutls)
    (version "3.7.7")
    (source (origin
              (method url-fetch)
              (uri (string-append "mirror://gnupg/gnutls/v"
                                  (version-major+minor version)
                                  "/gnutls-" version ".tar.xz"))
              ;; One patch fewer than 'gnutls': the EINTR/EAGAIN fix is
              ;; no longer carried here.
              (patches (search-patches "gnutls-skip-trust-store-test.patch"
                                       "gnutls-cross.patch"))
              (sha256
               (base32
                "01i1gl15k6qwvxmxx0by1mn9nlmcmym18wdpm7dn9awfsp8474dy"))))

    ;; Disable Guile bindings: they are now provided by Guile-GnuTLS.
    (inputs (modify-inputs (package-inputs gnutls)
              (delete "guile")
              (append libunistring)))   ;GnuTLS depends on it
    ;; "guile" only appears in 'gnutls' native inputs when cross-compiling.
    (native-inputs (modify-inputs (package-native-inputs gnutls)
                     (delete "guile")))))

(define-public gnutls/guile-2.0
  ;; GnuTLS for Guile 2.0.
  ;; Swaps the Guile input of 'gnutls' for guile-2.0 and keeps everything
  ;; else.  Note the variable name differs from the 'guile2.2-gnutls'
  ;; convention used below.
  (package/inherit gnutls
    (name "guile2.0-gnutls")
    (inputs `(("guile" ,guile-2.0)
              ,@(alist-delete "guile" (package-inputs gnutls))))))

(define-public gnutls/dane
  ;; GnuTLS built with libgnutls-dane, implementing DNS-based
  ;; Authentication of Named Entities.  This is required for GNS functionality
  ;; by GNUnet and gnURL.  This is done in an extra package definition
  ;; to have the choice between GnuTLS with DANE and without DANE.
  ;; The only change is the extra 'unbound' input; presumably GnuTLS's
  ;; configure picks libunbound up automatically -- confirm, since no
  ;; explicit --enable flag is passed.
  (package/inherit gnutls
    (name "gnutls-dane")
    (inputs `(("unbound" ,unbound)
              ,@(package-inputs gnutls)))))

;; GnuTLS for Guile 2.2; same shape as 'gnutls/guile-2.0' above.
(define-public guile2.2-gnutls
  (package/inherit gnutls
    (name "guile2.2-gnutls")
    (inputs `(("guile" ,guile-2.2)
              ,@(alist-delete "guile"
                              (package-inputs gnutls))))))

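;; Stand-alone Guile bindings for GnuTLS, built against 'gnutls-latest'.
(define-public guile-gnutls
  (package
    ;; This package supersedes the Guile bindings that came with GnuTLS until
    ;; version 3.7.8 included.
    (name "guile-gnutls")
    (version "3.7.9")
    (home-page "https://gitlab.com/gnutls/guile/")
    (source (origin
              (method git-fetch)
              ;; Fetched by tag; the checkout is still pinned by the sha256
              ;; below, so a moved tag fails the build instead of silently
              ;; changing the source.
              (uri (git-reference
                    (url home-page)
                    (commit (string-append "v" version))))
              (sha256
               (base32
                "00sfpqjmd263ka51fq4xf7nvaaxyfqsr3r8fj94jgx45q6q6n6wq"))
              (file-name (git-file-name name version))
              (patches (search-patches "gnutls-cross.patch"))))
    (build-system gnu-build-system)
    (arguments
     '(#:configure-flags
       ;; Tell the build system that we want Guile bindings installed to
       ;; the output instead of Guile's own module directory.
       (list "--disable-static"
             (string-append "--with-guile-site-dir="
                            "$(datarootdir)/guile/site/$(GUILE_EFFECTIVE_VERSION)")
             (string-append "--with-guile-site-ccache-dir="
                            "$(libdir)/guile/$(GUILE_EFFECTIVE_VERSION)/site-ccache")
             (string-append "--with-guile-extension-dir="
                            "$(libdir)/guile/$(GUILE_EFFECTIVE_VERSION)/extensions"))))
    (native-inputs
     (list autoconf
           automake
           libtool
           pkg-config
           texinfo
           ;; Note this is 'gnutls' (3.7.2), not 'gnutls-latest': it is only
           ;; needed build-side.
           gnutls ;XXX: 'guile-snarf' invokes the native 'cpp'
           guile-3.0))
    (inputs
     (list gnutls-latest
           guile-3.0))
    (synopsis "Guile bindings to GnuTLS")
    ;; Description wording fixed: "implementation the" -> "implementing the".
    (description
     "This package provides Guile bindings to GnuTLS, a library implementing
the @acronym{TLS, Transport-Layer Security} protocol. It supersedes the Guile
bindings that were formerly provided as part of GnuTLS.")
    (license license:lgpl2.1+)))
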
(define (target->openssl-target target)
  "Return the value to set CONFIGURE_TARGET_ARCH to when cross-compiling
OpenSSL for TARGET."
  ;; Keep this code outside the build code,
  ;; such that new targets can be added
  ;; without causing rebuilds for other targets.
  (define (kernel-name)
    ;; The OS half of the OpenSSL target name.
    (cond ((target-hurd? target) "hurd")
          ((target-linux? target) "linux")
          (else (error "unsupported openssl target kernel"))))

  (define (arch-name)
    ;; The CPU half.  Order matters: the generic 64-bit fallback comes last.
    (cond ((target-x86-32? target) "x86")
          ((target-x86-64? target) "x86_64")
          ((target-mips64el? target) "mips64")
          ((target-arm32? target) "armv4")
          ((target-aarch64? target) "aarch64")
          ((target-ppc64le? target) "ppc64le")
          ((target-ppc32? target) "ppc")
          ((and (target-powerpc? target)
                (target-64bit? target))
           "ppc64")
          ;; linux64-riscv64 isn't recognized until 3.0.0.
          ((target-64bit? target) "generic64")
          (else (error "unsupported openssl target architecture"))))

  (cond ((target-mingw? target)
         ;; MinGW targets use a single token rather than KERNEL-ARCH.
         (string-append "mingw"
                        (if (target-x86-64? target) "64" "")))
        (else
         ;; Resolve the kernel before the architecture so that an unsupported
         ;; kernel is reported first.
         (let* ((kernel (kernel-name))
                (arch (arch-name)))
           (string-append kernel "-" arch)))))

;; OpenSSL 1.1 series; this is what the plain 'openssl' variable resolves to.
(define-public openssl-1.1
  (package
    (name "openssl")
    (version "1.1.1l")
    ;; Security fixes land in 'openssl/fixed' below and are grafted onto
    ;; this package, so the replacement must stay ABI-compatible with it.
    (replacement openssl/fixed)
    (source (origin
              (method url-fetch)
              ;; The ftp:// fallbacks are plaintext transports; integrity
              ;; rests on the sha256 below, not on the channel.
              (uri (list (string-append "https://www.openssl.org/source/openssl-"
                                        version ".tar.gz")
                         (string-append "ftp://ftp.openssl.org/source/"
                                        "openssl-" version ".tar.gz")
                         (string-append "ftp://ftp.openssl.org/source/old/"
                                        (string-trim-right version char-set:letter)
                                        "/openssl-" version ".tar.gz")))
              (patches (search-patches "openssl-1.1-c-rehash-in.patch"))
              (sha256
               (base32
                "1lbblxps2fhmz7bqh058iywh5wxfignbfx1s1kz2fj63b5g3wyhb"))))
    (build-system gnu-build-system)
    (outputs '("out"
               "doc"        ;6.8 MiB of man3 pages and full HTML documentation
               "static"))   ;6.4 MiB of .a files
    (native-inputs (list perl))
    (arguments
     `(#:parallel-tests? #f
       #:test-target "test"

       ;; Changes to OpenSSL sometimes cause Perl to "sneak in" to the closure,
       ;; so we explicitly disallow it here.
       #:disallowed-references ,(list (canonical-package perl))
       #:phases
       ,#~
       (modify-phases %standard-phases
         ;; When cross-compiling, tell OpenSSL's Configure about the target
         ;; (see 'target->openssl-target' above).
         #$@(if (%current-target-system)
                #~((add-before
                       'configure 'set-cross-compile
                     (lambda* (#:key target #:allow-other-keys)
                       (setenv "CROSS_COMPILE" (string-append target "-"))
                       (setenv "CONFIGURE_TARGET_ARCH"
                               #$(target->openssl-target
                                  (%current-target-system))))))
                #~())
         ;; This test seems to be dependant on kernel features.
         ;; https://github.com/openssl/openssl/issues/12242
         #$@(if (or (target-arm?)
                    (target-riscv64?))
                #~((replace 'check
                     (lambda* (#:key tests? test-target #:allow-other-keys)
                       (when tests?
                         (invoke "make" "TESTS=-test_afalg" test-target)))))
                #~())
         (replace 'configure
           (lambda* (#:key configure-flags #:allow-other-keys)
             (let* ((out #$output)
                    (lib (string-append out "/lib")))
               ;; It's not a shebang so patch-source-shebangs misses it.
               (substitute* "config"
                 (("/usr/bin/env")
                  (string-append (assoc-ref %build-inputs "coreutils")
                                 "/bin/env")))
               (apply
                invoke #$@(if (%current-target-system)
                              #~("./Configure")
                              #~("./config"))
                "shared"                 ;build shared libraries
                "--libdir=lib"

                ;; The default for this catch-all directory is
                ;; PREFIX/ssl.  Change that to something more
                ;; conventional.
                (string-append "--openssldir=" out
                               "/share/openssl-"
                               #$(package-version this-package))

                (string-append "--prefix=" out)
                (string-append "-Wl,-rpath," lib)
                #$@(if (%current-target-system)
                       #~((getenv "CONFIGURE_TARGET_ARCH"))
                       #~())
                configure-flags)
               ;; Output the configure variables.
               (invoke "perl" "configdata.pm" "--dump"))))
         (add-after 'install 'move-static-libraries
           (lambda _
             ;; Move static libraries to the "static" output.
             (let* ((out #$output)
                    (lib (string-append out "/lib"))
                    (static #$output:static)
                    (slib (string-append static "/lib")))
               (for-each (lambda (file)
                           (install-file file slib)
                           (delete-file file))
                         (find-files
                          lib
                          ;; On MinGW, ".dll.a" import libraries must stay
                          ;; next to the DLLs.
                          #$(if (target-mingw?)
                                '(lambda (filename _)
                                   (and (string-suffix? ".a" filename)
                                        (not (string-suffix? ".dll.a" filename))))
                                "\\.a$"))))))
         (add-after 'install 'move-extra-documentation
           (lambda _
             ;; Move man pages and full HTML documentation to "doc".
             (let* ((out #$output)
                    (man (string-append out "/share/man"))
                    (html (string-append out "/share/doc/openssl"))
                    (doc #$output:doc)
                    (man-target (string-append doc "/share/man"))
                    (html-target (string-append doc "/share/doc/openssl")))
               (mkdir-p (dirname man-target))
               (mkdir-p (dirname html-target))
               (rename-file man man-target)
               (rename-file html html-target))))
         (add-after
             'install 'remove-miscellany
           (lambda _
             ;; The 'misc' directory contains random undocumented shell and Perl
             ;; scripts.  Remove them to avoid retaining a reference on Perl.
             (delete-file-recursively (string-append #$output "/share/openssl-"
                                                     #$(package-version this-package)
                                                     "/misc")))))))
    ;; Let dependents locate the system trust store through the environment.
    (native-search-paths
     (list $SSL_CERT_DIR $SSL_CERT_FILE))
    (synopsis "SSL/TLS implementation")
    (description
     "OpenSSL is an implementation of SSL/TLS.")
    (license license:openssl)
    (home-page "https://www.openssl.org/")))

;; Graft target for 'openssl-1.1' (see its 'replacement' field).  Not
;; exported: users of 'openssl' receive it transparently.  It stays within
;; the 1.1.1 series, presumably so the ABI matches the package it replaces.
(define openssl/fixed
  (package
    (inherit openssl-1.1)
    (name "openssl")
    (version "1.1.1s")
    (source (origin
              (method url-fetch)
              (uri (list (string-append "https://www.openssl.org/source/openssl-"
                                        version ".tar.gz")
                         (string-append "ftp://ftp.openssl.org/source/"
                                        "openssl-" version ".tar.gz")
                         (string-append "ftp://ftp.openssl.org/source/old/"
                                        (string-trim-right version char-set:letter)
                                        "/openssl-" version ".tar.gz")))
              (patches (search-patches "openssl-1.1-c-rehash-in.patch"))
              (sha256
               (base32
                "1amnwis6z2piqs022cpbcg828rql62yjnsqxnvdg0vzfc3kh3b65"))))))

;; OpenSSL 3.0 series, sharing the 1.1 build recipe.  Not the default
;; 'openssl'; dependents must name it explicitly.
(define-public openssl-3.0
  (package
    (inherit openssl-1.1)
    (version "3.0.7")
    (source (origin
              (method url-fetch)
              (uri (list (string-append "https://www.openssl.org/source/openssl-"
                                        version ".tar.gz")
                         (string-append "ftp://ftp.openssl.org/source/"
                                        "openssl-" version ".tar.gz")
                         (string-append "ftp://ftp.openssl.org/source/old/"
                                        (string-trim-right version char-set:letter)
                                        "/openssl-" version ".tar.gz")))
              (patches (search-patches "openssl-3.0-c-rehash-in.patch"))
              (sha256
               (base32
                "0virbkcrw7nn3gr5r51z722gs1ppig0casj0c9pnj3i65829s143"))))
    (arguments
     (substitute-keyword-arguments (package-arguments openssl-1.1)
       ((#:phases phases '%standard-phases)
        #~(modify-phases #$phases
            ;; Point generated scripts at the Perl from the inputs.
            ;; NOTE(review): #:disallowed-references on perl is inherited
            ;; from 'openssl-1.1'; presumably the inherited 'remove-miscellany
            ;; phase drops the scripts that would carry this shebang.
            (add-before 'configure 'configure-perl
              (lambda* (#:key native-inputs inputs #:allow-other-keys)
                (setenv "HASHBANGPERL"
                        (search-input-file (or native-inputs inputs)
                                           "/bin/perl"))))))))
    ;; OpenSSL 3 is distributed under the Apache License 2.0.
    (license license:asl2.0)))

;; The unversioned 'openssl' still resolves to the 1.1 series (and therefore
;; to the 'openssl/fixed' graft); see 'openssl-3.0' for the newer series.
(define-public openssl openssl-1.1)

;; BearSSL has neither a configure script nor an install rule, so both are
;; hand-written below.
(define-public bearssl
  (package
    (name "bearssl")
    (version "0.6")
    (source (origin
              (method url-fetch)
              (uri (string-append "https://www.bearssl.org/"
                                  "bearssl-" version ".tar.gz"))
              (sha256
               (base32
                "057zhgy9w4y8z2996r0pq5k2k39lpvmmvz4df8db8qa9f6hvn1b7"))))
    (build-system gnu-build-system)
    (arguments
     (list
      #:make-flags
      #~(list #$(string-append "CC=" (cc-for-target))
              #$(string-append "LD=" (cc-for-target))
              #$(string-append "LDDLL=" (cc-for-target)))
      #:phases
      #~(modify-phases %standard-phases
          (delete 'configure)           ;no configure script
          ;; The upstream test binaries cover the crypto primitives and the
          ;; X.509 validation engine.
          (replace 'check
            (lambda* (#:key tests? #:allow-other-keys)
              (when tests?
                (with-directory-excursion "build"
                  (invoke "./testcrypto" "all")
                  (invoke "./testx509")))))
          (replace 'install             ;no install rule
            (lambda _
              ;; Only the shared library is installed; any static archive
              ;; produced in "build" is left behind.
              (let* ((out #$output)
                     (bin (string-append out "/bin"))
                     (doc (string-append out "/share/doc/" #$name "-" #$version))
                     (lib (string-append out "/lib"))
                     (include (string-append out "/include")))
                (install-file "build/brssl" bin)
                (for-each (lambda (f) (install-file f include))
                          (find-files "inc" "\\.h$"))
                (install-file "LICENSE.txt" doc)
                (install-file "build/libbearssl.so" lib)))))))
    (home-page "https://bearssl.org/")
    (synopsis "Small SSL/TLS library")
    (description "BearSSL is an implementation of the SSL/TLS
protocol (RFC 5246) written in C. It aims at being correct and
secure. In particular, insecure protocol versions and choices of
algorithms are not supported, by design; cryptographic algorithm
implementations are constant-time by default. It should also be
small, both in RAM and code footprint. For instance, a minimal server
implementation may fit in about 20 kilobytes of compiled code and 25
kilobytes of RAM.")
    (license license:expat)))

;; Unlike 'openssl-1.1', this package exports no SSL_CERT_* search paths;
;; see the FIXME on the trust store below.
(define-public libressl
  (package
    (name "libressl")
    (version "3.6.1")
    (source (origin
              (method url-fetch)
              (uri (string-append "mirror://openbsd/LibreSSL/"
                                  "libressl-" version ".tar.gz"))
              (sha256
               (base32
                "0x37037rb0zx34zp0kbbqj2xwd57gh1m6bfn52f92fz92q9wdymc"))))
    (build-system gnu-build-system)
    (arguments
     `(#:configure-flags
       (list
        ;; Do as if 'getentropy' were missing: Linux kernels before 3.17 lack its
        ;; underlying 'getrandom' system call and ENOSYS isn't properly handled.
        ;; See <https://lists.gnu.org/archive/html/guix-devel/2017-04/msg00235.html>.
        ;; NOTE(review): this disables the getentropy path on every kernel,
        ;; not only pre-3.17 ones; which entropy fallback LibreSSL then uses
        ;; is not visible from here.
        "ac_cv_func_getentropy=no"
        ;; FIXME It's using its own bundled certificate, instead it should
        ;; behave like OpenSSL by using environment variables.
        (string-append "--with-openssldir=" (assoc-ref %outputs "out")
                       "/share/libressl-"
                       ,(package-version this-package))
        ;; Provide a TLS-enabled netcat.
        "--enable-nc")))
    (properties
     `((release-monitoring-url . "https://ftp.openbsd.org/pub/OpenBSD/LibreSSL/")))
    (home-page "https://www.libressl.org/")
    (synopsis "SSL/TLS implementation")
    (description "LibreSSL is a version of the TLS/crypto stack, forked from
OpenSSL in 2014 with the goals of modernizing the codebase, improving security,
and applying best practice development processes. This package also includes a
netcat implementation that supports TLS.")
    ;; Files taken from OpenSSL keep their license, others are under various
    ;; non-copyleft licenses.
    (license (list license:openssl
                   (license:non-copyleft
                    "file://COPYING"
                    "See COPYING in the distribution.")))))

;; ACME client library; 'certbot' below reuses its version and build phases.
(define-public python-acme
  (package
    (name "python-acme")
    ;; Remember to update the hash of certbot when updating python-acme.
    (version "1.28.0")
    (source (origin
              (method url-fetch)
              (uri (pypi-uri "acme" version))
              (sha256
               (base32
                "12fmw4g63pzbrmmrkk6hgg0k5px6jyx3scv9fmn60h21387jv0hz"))))
    (build-system python-build-system)
    (arguments
     `(#:phases
       (modify-phases %standard-phases
         (add-after 'build 'build-documentation
           (lambda _
             (invoke "make" "-C" "docs" "man" "info")))
         ;; 'certbot' replaces this phase with its own variant.
         (add-after 'install 'install-documentation
           (lambda* (#:key outputs #:allow-other-keys)
             (let* ((out (assoc-ref outputs "out"))
                    (man (string-append out "/share/man/man1"))
                    ;; NOTE(review): OUT/info rather than OUT/share/info --
                    ;; presumably intentional, but the latter is the usual
                    ;; Texinfo location; confirm.
                    (info (string-append out "/info")))
               (install-file "docs/_build/texinfo/acme-python.info" info)
               (install-file "docs/_build/man/acme-python.1" man))))
         (replace 'check
           (lambda* (#:key tests? #:allow-other-keys)
             (when tests?
               (invoke "pytest" "-vv")))))))
    (native-inputs
     (list python-pytest
           ;; For documentation
           python-sphinx
           python-sphinxcontrib-programoutput
           python-sphinx-rtd-theme
           texinfo))
    (propagated-inputs
     (list python-chardet
           python-josepy
           python-requests
           python-requests-toolbelt
           python-pytz
           python-pyrfc3339
           python-pyasn1
           python-cryptography
           python-pyopenssl))
    (home-page "https://github.com/certbot/certbot")
    (synopsis "ACME protocol implementation in Python")
    (description "ACME protocol implementation in Python")
    (license license:asl2.0)))

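;; The Certbot ACME client.  Version and build phases are taken from
;; python-acme (same upstream repository); only the documentation phase is
;; replaced, since Certbot ships a different set of manuals.
(define-public certbot
  (package
    (name "certbot")
    ;; Certbot and python-acme are developed in the same repository, and their
    ;; versions should remain synchronized.
    (version (package-version python-acme))
    (source (origin
              (method url-fetch)
              (uri (pypi-uri "certbot" version))
              (sha256
               (base32
                "0p4cpakx1kc8lczlgxqryr2asnyrvw6p5wmkamkjqdsf3z7xhm2b"))))
    (build-system python-build-system)
    (arguments
     ;; Splice in python-acme's arguments (documentation build, pytest check
     ;; phase) and swap the install-documentation phase for Certbot's own.
     `(,@(substitute-keyword-arguments (package-arguments python-acme)
           ((#:phases phases)
            `(modify-phases ,phases
               (replace 'install-documentation
                 (lambda* (#:key outputs #:allow-other-keys)
                   (let* ((out (assoc-ref outputs "out"))
                          (man1 (string-append out "/share/man/man1"))
                          (man7 (string-append out "/share/man/man7"))
                          ;; NOTE(review): <out>/info rather than share/info,
                          ;; mirroring python-acme — confirm it is indexed.
                          (info (string-append out "/info")))
                     (install-file "docs/_build/texinfo/Certbot.info" info)
                     (install-file "docs/_build/man/certbot.1" man1)
                     ;; Phase return values are not used; the trailing #t that
                     ;; used to follow is dropped, matching python-acme's phase.
                     (install-file "docs/_build/man/certbot.7" man7)))))))))
    (native-inputs
     (list python-mock
           python-pytest
           ;; For documentation
           python-sphinx
           python-sphinx-rtd-theme
           python-sphinx-repoze-autointerface
           python-sphinxcontrib-programoutput
           texinfo))
    (propagated-inputs
     (list python-acme
           python-cryptography
           python-zope-interface
           python-pyrfc3339
           python-pyopenssl
           python-configobj
           python-configargparse
           python-distro
           python-zope-component
           python-parsedatetime
           python-psutil
           python-requests
           python-pytz))
    (synopsis "Let's Encrypt client by the Electronic Frontier Foundation")
    (description "Certbot automatically receives and installs X.509 certificates
to enable Transport Layer Security (TLS) on servers. It interoperates with the
Let’s Encrypt certificate authority (CA), which issues browser-trusted
certificates for free.")
    (home-page "https://certbot.eff.org/")
    (license license:asl2.0)))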
;; Former name of Certbot.  Kept as an alias that inherits everything from
;; certbot and carries the 'superseded property pointing at it.
(define-public letsencrypt
  (package
    (inherit certbot)
    (properties (list (cons 'superseded certbot)))
    (name "letsencrypt")))
;; Perl bindings to OpenSSL.  The only customisation is telling the build
;; where Guix's openssl lives before the configure step runs.
(define-public perl-net-ssleay
  (package
    (name "perl-net-ssleay")
    (version "1.92")
    (source (origin
              (method url-fetch)
              (uri (string-append "mirror://cpan/authors/id/C/CH/CHRISN/"
                                  "Net-SSLeay-" version ".tar.gz"))
              (sha256
               (base32
                "1acnjd5180dca26dmjq0b9ib0dbavlrzd6fnf4nidrzj02rz5hj7"))))
    (build-system perl-build-system)
    (inputs (list openssl))
    (arguments
     `(#:phases
       (modify-phases %standard-phases
         (add-before
          'configure 'set-ssl-prefix
          (lambda* (#:key inputs #:allow-other-keys)
            ;; Point the build at the store's openssl (presumably consumed by
            ;; Makefile.PL — confirm) so it links against that copy and not
            ;; whatever might be found on the host.
            (setenv "OPENSSL_PREFIX" (assoc-ref inputs "openssl"))
            ;; Trailing #t is the old phase convention; harmless.
            #t)))))
    (synopsis "Perl extension for using OpenSSL")
    (description
     "This module offers some high level convenience functions for accessing
web pages on SSL servers (for symmetry, the same API is offered for accessing
http servers, too), an sslcat() function for writing your own clients, and
finally access to the SSL api of the SSLeay/OpenSSL package so you can write
servers or clients for more complicated applications.")
    (license license:perl-license)
    (home-page "https://metacpan.org/release/Net-SSLeay")))
;; Crypt::OpenSSL::RSA — RSA via OpenSSL's libcrypto.  Shares the Makefile.PL
;; patch (perl-crypt-arguments) with the other Crypt::OpenSSL::* packages so
;; that libcrypto is taken from the openssl input.
(define-public perl-crypt-openssl-rsa
  (package
    (name "perl-crypt-openssl-rsa")
    (version "0.31")
    (source
     (origin
       (method url-fetch)
       (uri (string-append "mirror://cpan/authors/id/T/TO/TODDR/Crypt-OpenSSL-RSA-"
                           version ".tar.gz"))
       (sha256
        (base32 "0djl5i6kibl7862b6ih29q8dhg5zpwzq77q9j8hp6xngshx40ws1"))))
    (build-system perl-build-system)
    (arguments perl-crypt-arguments)
    (native-inputs (list perl-crypt-openssl-guess))
    (inputs (list perl-crypt-openssl-bignum perl-crypt-openssl-random openssl))
    (home-page "https://metacpan.org/release/Crypt-OpenSSL-RSA")
    (synopsis "RSA encoding and decoding, using the openSSL libraries")
    (description "Crypt::OpenSSL::RSA does RSA encoding and decoding (using the
OpenSSL libraries).")
    (license license:perl-license)))
;; Build arguments shared by the Crypt::OpenSSL::* packages above and below.
;; Rewrites the 'LIBS' entry of Makefile.PL so that libcrypto is resolved
;; from the openssl input in the store rather than from the host.
;;
;; NOTE(review): substitute* is a silent no-op when the pattern does not
;; match, so an upstream change to the 'LIBS' line format would not fail
;; here; it would surface later as a link error (or a link against the wrong
;; library) — worth re-checking on each Crypt::OpenSSL::* update.
(define perl-crypt-arguments
  `(#:phases (modify-phases %standard-phases
               (add-before 'configure 'patch-Makefile.PL
                 (lambda* (#:key inputs #:allow-other-keys)
                   (substitute* "Makefile.PL"
                     ;; ".*" stops at end of line, so the whole LIBS line is
                     ;; replaced with "-L<openssl>/lib -lcrypto".
                     (("'LIBS'.*=>.*") (string-append "'LIBS' => ['-L"
                                                       (assoc-ref inputs "openssl")
                                                       "/lib -lcrypto'],")))
                   ;; Old-style phase return value; not significant.
                   #t)))))
;; Crypt::OpenSSL::Bignum — OpenSSL's multiprecision integers for Perl.
;; Uses the shared perl-crypt-arguments so libcrypto comes from the openssl
;; input.
(define-public perl-crypt-openssl-bignum
  (package
    (name "perl-crypt-openssl-bignum")
    (version "0.09")
    (source
     (origin
       (method url-fetch)
       (uri (string-append "mirror://cpan/authors/id/K/KM/KMX/Crypt-OpenSSL-Bignum-"
                           version ".tar.gz"))
       (sha256
        (base32 "1p22znbajq91lbk2k3yg12ig7hy5b4vy8igxwqkmbm4nhgxp4ki3"))))
    (build-system perl-build-system)
    (arguments perl-crypt-arguments)
    (inputs (list openssl))
    (home-page "https://metacpan.org/release/Crypt-OpenSSL-Bignum")
    (synopsis "OpenSSL's multiprecision integer arithmetic in Perl")
    (description "Crypt::OpenSSL::Bignum provides multiprecision integer
arithmetic in Perl.")
    ;; At your option either gpl1+ or the Artistic License
    (license license:perl-license)))
;; Crypt::OpenSSL::Guess — build-time helper used (as a native input) by the
;; other Crypt::OpenSSL::* packages to locate OpenSSL headers.
(define-public perl-crypt-openssl-guess
  (package
    (name "perl-crypt-openssl-guess")
    (version "0.11")
    (source
     (origin
       (method url-fetch)
       (uri (string-append "mirror://cpan/authors/id/A/AK/AKIYM/Crypt-OpenSSL-Guess-"
                           version ".tar.gz"))
       (sha256
        (base32 "0rvi9l4ljcbhwwvspq019nfq2h2v746dk355h2nwnlmqikiihsxa"))))
    (build-system perl-build-system)
    (home-page "https://metacpan.org/release/Crypt-OpenSSL-Guess")
    (synopsis "Guess the OpenSSL include path")
    (description
     "The Crypt::OpenSSL::Guess Perl module provides helpers to guess the
correct OpenSSL include path.  It is intended for use in your
@file{Makefile.PL}.")
    (license license:perl-license)))
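;; Crypt::OpenSSL::Random — Perl access to OpenSSL's PRNG.  Built with the
;; shared perl-crypt-arguments so that libcrypto comes from the openssl
;; input.
(define-public perl-crypt-openssl-random
  (package
    (name "perl-crypt-openssl-random")
    (version "0.15")
    (source
     (origin
       (method url-fetch)
       (uri (string-append
             "mirror://cpan/authors/id/R/RU/RURBAN/Crypt-OpenSSL-Random-"
             version
             ".tar.gz"))
       (sha256
        (base32 "1x6ffps8q7mnawmcfq740llzy7i10g3319vap0wiw4d33fm6z1zh"))))
    (build-system perl-build-system)
    (native-inputs
     (list perl-crypt-openssl-guess))
    (inputs
     (list openssl))
    (arguments perl-crypt-arguments)
    (home-page
     "https://metacpan.org/release/Crypt-OpenSSL-Random")
    (synopsis
     "OpenSSL/LibreSSL pseudo-random number generator access")
    ;; Description fixed: it previously read "is a OpenSSL/LibreSSL
    ;; pseudo-random number generator" with no final period; the module gives
    ;; access to that generator (see synopsis) rather than being one.
    (description "Crypt::OpenSSL::Random provides access to the OpenSSL/LibreSSL
pseudo-random number generator.")
    (license license:perl-license)))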
;; The "-apache" variant is the one preferred upstream.  A "-gpl" variant
;; exists in addition to the "-apache" one.
;;
;; NOTE(review): this is a TLS implementation pinned to one release; both the
;; XXX below and the source snippet record work that is due at the next
;; update, so keep an eye on upstream security releases for this branch.
(define-public mbedtls-apache
  (package
    (name "mbedtls-apache")
    ;; XXX Check whether ‘-Wformat-signedness’ still breaks mbedtls-for-hiawatha
    ;; when updating.
    (version "2.26.0")
    (source
     (origin
       (method git-fetch)
       (uri (git-reference
             (url "https://github.com/ARMmbed/mbedtls")
             (commit (string-append "mbedtls-" version))))
       (sha256
        (base32 "0scwpmrgvg6q7rvqkc352d2fqlsx0aylcbyibcp1f1rsn8iiif2m"))
       (file-name (git-file-name name version))
       (modules '((guix build utils)))
       (snippet
        '(begin
           ;; Can be removed with the next version.
           ;; Reduce level of format truncation warnings due to false positives.
           ;; https://github.com/ARMmbed/mbedtls/commit/2065a8d8af27c6cb1e40c9462b5933336dca7434
           ;; Only the warning level changes; no checks are disabled.
           (substitute* "CMakeLists.txt"
             (("Wformat-truncation=2") "Wformat-truncation"))
           #t))))
    (build-system cmake-build-system)
    (arguments
     `(#:configure-flags
       ;; Build only the shared library; dependants link dynamically.
       (list "-DUSE_SHARED_MBEDTLS_LIBRARY=ON"
             "-DUSE_STATIC_MBEDTLS_LIBRARY=OFF")
       #:phases
       (modify-phases %standard-phases
         ;; The git checkout is read-only; later phases (and the for-hiawatha
         ;; variant's config.pl edits) need to modify files in place.
         (add-after 'unpack 'make-source-writable
           (lambda _
             (for-each make-file-writable (find-files "."))
             #t)))))
    (native-inputs
     (list perl python))
    (synopsis "Small TLS library")
    (description
     "@code{mbed TLS}, formerly known as PolarSSL, makes it trivially easy
for developers to include cryptographic and SSL/TLS capabilities in their
(embedded) products, facilitating this functionality with a minimal
coding footprint.")
    (home-page "https://www.trustedfirmware.org/projects/mbed-tls/")
    (license license:asl2.0)))
;; The Hiawatha Web server requires some specific features to be enabled.
;; Hidden variant of mbedtls-apache: same source and flags, plus a phase that
;; switches on the threading options (presumably the pthread-backed threading
;; layer Hiawatha needs — confirm against Hiawatha's build docs) via
;; scripts/config.pl before configuring.
(define-public mbedtls-for-hiawatha
  (hidden-package
   (package
     (inherit mbedtls-apache)
     (arguments
      (substitute-keyword-arguments (package-arguments mbedtls-apache)
        ((#:phases phases)
         `(modify-phases ,phases
            (add-before 'configure 'configure-extra-features
              (lambda _
                (for-each (lambda (feature)
                            (invoke "scripts/config.pl" "set" feature))
                          (list "MBEDTLS_THREADING_C"
                                "MBEDTLS_THREADING_PTHREAD"))
                ;; XXX The above enables code that breaks with -Werror…
                ;; Dropping only -Wformat-signedness keeps -Werror and the
                ;; rest of the warning set in force.
                (substitute* "CMakeLists.txt"
                  ((" -Wformat-signedness") ""))
                #t)))))))))
;; Dehydrated is a single Bash script, so the output is assembled by hand
;; with the trivial build system: docs and man pages are copied, and the
;; script is installed with a patched shebang and a PATH wrapper listing the
;; tools it calls at run time.
(define-public dehydrated
  (package
    (name "dehydrated")
    (version "0.7.1")
    (source
     (origin
       (method git-fetch)
       (uri (git-reference
             (url "https://github.com/dehydrated-io/dehydrated")
             (commit (string-append "v" version))))
       (file-name (git-file-name name version))
       (sha256
        (base32 "1mhf3v9ynwrxrkqawqpxnwfn5dmrlkqcvkxdrk59nkxjpdx1wkrb"))))
    (build-system trivial-build-system)
    (arguments
     (list
      #:modules '((guix build utils)
                  (srfi srfi-26))
      #:builder
      #~(begin
          (use-modules (guix build utils)
                       (srfi srfi-26))
          (let* ((source (assoc-ref %build-inputs "source"))
                 (gzip (search-input-file %build-inputs "bin/gzip"))
                 (bin (string-append #$output "/bin"))
                 (doc (string-append #$output "/share/doc/"
                                     #$name "-" #$version))
                 (man (string-append #$output "/share/man"))
                 ;; bin/ directory of the bash input: used for the shebang
                 ;; and as PATH while wrapping.
                 (bash (in-vicinity (assoc-ref %build-inputs "bash") "bin")))

            (chdir source)

            (copy-recursively "docs" doc)
            (install-file "LICENSE" doc)

            ;; Move the man pages out of the docs tree into share/man/man1
            ;; and compress them; -n drops the gzip timestamp so the result is
            ;; reproducible.
            (mkdir-p man)
            (rename-file (string-append doc "/man")
                         (string-append man "/man1"))
            (for-each (cut invoke gzip "-9n" <>)
                      (find-files man ".*"))

            (install-file "dehydrated" bin)
            (with-directory-excursion bin
              (patch-shebang "dehydrated" (list bash))

              ;; Do not try to write to the store.
              ;; Upstream derives SCRIPTDIR from the script's own location;
              ;; here that is the read-only store, so its writable working
              ;; directory is moved under $HOME instead.
              (substitute* "dehydrated"
                (("SCRIPTDIR=\"\\$.*\"") "SCRIPTDIR=~/.dehydrated"))

              ;; Presumably needed so wrap-program can find a shell during the
              ;; build — the bash input is the only one available.
              (setenv "PATH" bash)
              ;; Prefix PATH with the bin/ directory of each tool the script
              ;; depends on, so it works outside a profile containing them.
              (wrap-program "dehydrated"
                `("PATH" ":" prefix
                  ,(map (lambda (file)
                          (dirname (search-input-file %build-inputs file)))
                        (list
                         ;; From check_dependencies() — keep them in sync.
                         "bin/grep"
                         "bin/diff"
                         "bin/sed"
                         "bin/awk"
                         "bin/curl"
                         "bin/cut" ; also mktemp, head, tail
                         "bin/hexdump"
                         ;; Additional requirements.
                         "bin/openssl")))))))))
    (inputs
     (list bash
           coreutils
           curl
           diffutils
           gawk
           grep
           openssl
           sed
           util-linux+udev))
    (native-inputs
     (list gzip))
    ;; The following definition is copied from the cURL package to prevent a
    ;; cycle between the curl and tls modules.
    ;; It lets the bundled curl find the profile's CA bundle when the script
    ;; contacts the ACME server over TLS.
    (native-search-paths
     (list (search-path-specification
            (variable "CURL_CA_BUNDLE")
            (file-type 'regular)
            (separator #f)
            (files '("etc/ssl/certs/ca-certificates.crt")))))
    (home-page "https://dehydrated.io/")
    (synopsis "ACME client implemented as a shell script")
    (description "Dehydrated is a client for obtaining certificates from an
ACME server (such as Let's Encrypt) implemented as a relatively simple Bash
script.")
    (license license:expat)))
;; gocertifi: Mozilla's root CA bundle compiled into a Go package.
;;
;; NOTE(review): the bundle is a snapshot pinned by the commit below (the
;; version string dates it to January 2018); programs that use it instead of
;; the system CA bundle will not follow later root-store additions or
;; removals — worth considering when adding dependants.
(define-public go-github-com-certifi-gocertifi
  (let* ((commit "a5e0173ced670013bfb649c7e806bc9529c986ec")
         (revision "1")
         (version (git-version "2018.01.18" revision commit)))
    (package
      (name "go-github-com-certifi-gocertifi")
      (version version)
      (home-page "https://certifi.io")
      (license license:mpl2.0)
      (source
       (origin
         (method git-fetch)
         (uri (git-reference
               (url "https://github.com/certifi/gocertifi")
               (commit commit)))
         (file-name (git-file-name name version))
         (sha256
          (base32 "1n9drccl3q1rr8wg3nf60slkf1lgsmz5ahifrglbdrc6har3rryj"))))
      (build-system go-build-system)
      (arguments
       (list #:import-path "github.com/certifi/gocertifi"))
      (synopsis "X.509 TLS root certificate bundle for Go")
      (description "This package is a Go language X.509 TLS root certificate bundle,
derived from Mozilla's collection."))))
;; s2n-tls, AWS's TLS implementation.  Built as a shared library against
;; aws-lc (propagated below); x86_64 only.
(define-public s2n
  (package
    (name "s2n")
    ;; Update only when updating aws-crt-cpp.
    (version "1.3.10")
    (supported-systems '("x86_64-linux"))
    (home-page "https://github.com/aws/s2n-tls")
    (license license:asl2.0)
    (source
     (origin
       (method git-fetch)
       (uri (git-reference
             (url "https://github.com/aws/s2n-tls")
             (commit (string-append "v" version))))
       (file-name (git-file-name name version))
       (sha256
        (base32 "15fr6zwglw74x5qd090752kqn7n3cyi4gmz94ip45g3hflschxd3"))))
    (build-system cmake-build-system)
    (propagated-inputs (list aws-lc))
    (arguments
     `(#:configure-flags
       (list "-DBUILD_SHARED_LIBS=ON"
             ;; Remove in next update; see https://github.com/aws/s2n-tls/pull/3108
             ;; Building with 'Werror' results in compilation error (even building
             ;; with gcc) when replacing the aws-lc input with openssl.
             ;; Only warnings-as-errors is relaxed; the warnings still print.
             "-DUNSAFE_TREAT_WARNINGS_AS_ERRORS=OFF")))
    (synopsis "SSL/TLS implementation in C99")
    (description
     "This library provides a C99 implementation of SSL/TLS. It is designed to
be familiar to users of the widely-used POSIX I/O APIs. It supports blocking,
non-blocking, and full-duplex I/O. There are no locks or mutexes.

As it can be difficult to keep track of which encryption algorithms and
protocols are best to use, s2n-tls features a simple API to use the latest
default set of preferences. Remaining on a specific version for backwards
compatibility is also supported.")))
;; wolfSSL (formerly CyaSSL), built from the "-stable" tag of each release
;; with the autotools regenerated at build time.
(define-public wolfssl
  (package
    (name "wolfssl")
    (version "5.5.1")
    (home-page "https://www.wolfssl.com/")
    (source
     (origin
       (method git-fetch)
       (uri (git-reference
             (url "https://github.com/wolfSSL/wolfssl")
             (commit (string-append "v" version "-stable"))))
       (file-name (git-file-name name version))
       (sha256
        (base32 "0pz25acm842cl6l51vqr8pgxci6rda8sznms757p7rnm9fw3jdl0"))))
    (build-system gnu-build-system)
    (native-inputs
     (list autoconf automake libtool))
    (arguments
     `(#:configure-flags
       ;; --enable-distro: distribution build profile (presumably a broader
       ;; feature set than the default — confirm against upstream docs).
       ;; --enable-pkcs11: PKCS#11 support.
       (list "--enable-distro"
             "--enable-pkcs11"
             "--disable-examples"
             "--enable-jobserver=no")))
    (synopsis "SSL/TLS implementation")
    (description "The wolfSSL embedded SSL library (formerly CyaSSL) is an
SSL/TLS library written in ANSI C and targeted for embedded, RTOS, and
resource-constrained environments - primarily because of its small size, speed,
and feature set. wolfSSL supports industry standards up to the current TLS 1.3
and DTLS 1.2, is up to 20 times smaller than OpenSSL, and offers progressive
ciphers such as ChaCha20, Curve25519, NTRU, and Blake2b.")
    (license license:gpl2+))) ; Audit
;; AWS libcrypto, the crypto backend propagated by s2n above.  Only the
;; "run_minimal_tests" target is run at build time, not the full suite.
(define-public aws-lc
  (package
    (name "aws-lc")
    ;; Update only when updating aws-crt-cpp.
    (version "1.0.2")
    (home-page "https://github.com/awslabs/aws-lc")
    (license license:asl2.0)
    (source
     (origin
       (method git-fetch)
       (uri (git-reference
             (url (string-append "https://github.com/awslabs/" name))
             (commit (string-append "v" version))))
       (file-name (git-file-name name version))
       (sha256
        (base32 "16y4iy2rqrmb7b1c394wyq7a5vbjb41599524my6b6q1vk1pi307"))))
    (build-system cmake-build-system)
    (arguments
     `(#:configure-flags (list "-DBUILD_SHARED_LIBS=ON")
       #:test-target "run_minimal_tests"))
    (synopsis "General purpose cryptographic library")
    (description "AWS libcrypto (aws-lc) contains portable C implementations
of algorithms needed for TLS and common applications, and includes optimized
assembly versions for x86 and ARM.")))