233e7676 1;;; GNU Guix --- Functional package management for GNU
4604d43c 2;;; Copyright © 2012, 2013, 2014, 2015, 2016, 2017, 2019, 2020, 2021 Ludovic Courtès <ludo@gnu.org>
74e2c0e0 3;;; Copyright © 2014, 2015, 2016, 2017, 2018, 2021 Mark H Weaver <mhw@netris.org>
29a7c98a 4;;; Copyright © 2014 Ian Denhardt <ian@zenhack.net>
cc2b77df 5;;; Copyright © 2013, 2015 Andreas Enge <andreas@enge.fr>
9fd0838b 6;;; Copyright © 2015 David Thompson <davet@gnu.org>
363fe99c 7;;; Copyright © 2015, 2016, 2017, 2018, 2019, 2020, 2021 Leo Famulari <leo@famulari.name>
ce98de1f 8;;; Copyright © 2016, 2017, 2019, 2021 Efraim Flashner <efraim@flashner.co.il>
3c986a7d 9;;; Copyright © 2016, 2017, 2018 Nikita <nikita@n0.is>
375cef6c 10;;; Copyright © 2016 Hartmut Goebel <h.goebel@crazy-compilers.com>
ee33f9a7 11;;; Copyright © 2017 Ricardo Wurmus <rekado@elephly.net>
250a216c 12;;; Copyright © 2017, 2018, 2019, 2020, 2021 Marius Bakke <marius@gnu.org>
77e2df87 13;;; Copyright © 2017–2021 Tobias Geerinckx-Rice <me@tobias.gr>
fbf5ca3c 14;;; Copyright © 2017 Rutger Helling <rhelling@mykolab.com>
e8b3a158 15;;; Copyright © 2018 Clément Lassieur <clement@lassieur.org>
bdcdd550 16;;; Copyright © 2019 Mathieu Othacehe <m.othacehe@gmail.com>
a9bcc647 17;;; Copyright © 2020 Jan (janneke) Nieuwenhuizen <janneke@gnu.org>
63858f8c 18;;; Copyright © 2020, 2021 Maxim Cournoyer <maxim.cournoyer@gmail.com>
0b70eb03 19;;; Copyright © 2021 Solene Rapenne <solene@perso.pw>
76a9bad3 20;;; Copyright © 2021 Brice Waegeneire <brice@waegenei.re>
f64a35b9 21;;; Copyright © 2021 Maxime Devos <maximedevos@telenet.be>
2bb789f6 22;;; Copyright © 2021 Matthew James Kraai <kraai@ftbfs.org>
811b62d8 23;;; Copyright © 2021 John Kehayias <john.kehayias@protonmail.com>
7543f865 24;;;
233e7676 25;;; This file is part of GNU Guix.
7543f865 26;;;
233e7676 27;;; GNU Guix is free software; you can redistribute it and/or modify it
28;;; under the terms of the GNU General Public License as published by
29;;; the Free Software Foundation; either version 3 of the License, or (at
30;;; your option) any later version.
31;;;
233e7676 32;;; GNU Guix is distributed in the hope that it will be useful, but
33;;; WITHOUT ANY WARRANTY; without even the implied warranty of
34;;; MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
35;;; GNU General Public License for more details.
36;;;
37;;; You should have received a copy of the GNU General Public License
233e7676 38;;; along with GNU Guix. If not, see <http://www.gnu.org/licenses/>.
7543f865 39
a7fd7b68 40(define-module (gnu packages tls)
e9aa8d0c 41 #:use-module ((guix licenses) #:prefix license:)
42 #:use-module (guix packages)
43 #:use-module (guix download)
ea22aa1f 44 #:use-module (guix git-download)
29a7c98a 45 #:use-module (guix utils)
7c0eaa1f 46 #:use-module (guix gexp)
7543f865 47 #:use-module (guix build-system gnu)
ea22aa1f 48 #:use-module (guix build-system go)
cc2b77df 49 #:use-module (guix build-system perl)
7890e3ba 50 #:use-module (guix build-system python)
88522738 51 #:use-module (guix build-system cmake)
e8b3a158 52 #:use-module (guix build-system trivial)
f61e0e79 53 #:use-module (gnu packages compression)
013ce67b 54 #:use-module (gnu packages)
363fe99c 55 #:use-module (gnu packages autotools)
e8b3a158 56 #:use-module (gnu packages bash)
ac257f12 57 #:use-module (gnu packages check)
e8b3a158 58 #:use-module (gnu packages curl)
5b9aa107 59 #:use-module (gnu packages dns)
e8b3a158 60 #:use-module (gnu packages gawk)
1a244b78 61 #:use-module (gnu packages gettext)
1ffa7090 62 #:use-module (gnu packages guile)
a9bcc647 63 #:use-module (gnu packages hurd)
0581c273 64 #:use-module (gnu packages libbsd)
27e86bed 65 #:use-module (gnu packages libffi)
866f469e 66 #:use-module (gnu packages libidn)
5d4c90ae 67 #:use-module (gnu packages linux)
7890e3ba 68 #:use-module (gnu packages ncurses)
27e86bed 69 #:use-module (gnu packages nettle)
e7ab9c33 70 #:use-module (gnu packages networking)
1ffa7090 71 #:use-module (gnu packages perl)
27e86bed 72 #:use-module (gnu packages pkg-config)
7890e3ba 73 #:use-module (gnu packages python)
cc6f4912 74 #:use-module (gnu packages python-crypto)
1b2f753d 75 #:use-module (gnu packages python-web)
44d10b1f 76 #:use-module (gnu packages python-xyz)
9d0c291e 77 #:use-module (gnu packages sphinx)
a31f4d35 78 #:use-module (gnu packages texinfo)
33dc54b0 79 #:use-module (gnu packages time)
80 #:use-module (gnu packages base)
81 #:use-module (srfi srfi-1))
82
;; GNU libtasn1: ASN.1 parser/encoder, used below by both p11-kit and GnuTLS.
(define-public libtasn1
  (package
    (name "libtasn1")
    (version "4.17.0")
    (source
     (origin
       (method url-fetch)
       (uri (string-append "mirror://gnu/libtasn1/libtasn1-"
                           version ".tar.gz"))
       (sha256
        (base32
         "19a53i1ajs4dd8nnlr2i6gbzvla84ay71g3y1phvh8krx8f5brzc"))))
    (build-system gnu-build-system)
    (arguments
     ;; Don't build static archives.
     `(#:configure-flags '("--disable-static")))
    (native-inputs `(("perl" ,perl)))
    (home-page "https://www.gnu.org/software/libtasn1/")
    (synopsis "ASN.1 library")
    (description
     "GNU libtasn1 is a library implementing the ASN.1 notation. It is used
for transmitting machine-neutral encodings of data objects in computer
networking, allowing for formal validation of data according to some
specifications.")
    (license license:lgpl2.0+)))
7543f865 107
;; ASN.1-to-C compiler; Perl is needed at build time only (native-inputs).
(define-public asn1c
  (package
    (name "asn1c")
    (version "0.9.28")
    (source (origin
              (method url-fetch)
              (uri (string-append "https://lionet.info/soft/asn1c-"
                                  version ".tar.gz"))
              (sha256
               (base32
                "1fc64g45ykmv73kdndr4zdm4wxhimhrir4rxnygxvwkych5l81w0"))))
    (build-system gnu-build-system)
    (native-inputs
     `(("perl" ,perl)))
    (home-page "https://lionet.info/asn1c")
    (synopsis "ASN.1 to C compiler")
    (description "The ASN.1 to C compiler takes ASN.1 module
files and generates C++ compatible C source code. That code can be
used to serialize the native C structures into compact and unambiguous
BER/XER/PER-based data files, and deserialize the files back.

Various ASN.1 based formats are widely used in the industry, such as to encode
the X.509 certificates employed in the HTTPS handshake, to exchange control
data between mobile phones and cellular networks, to car-to-car communication
in intelligent transportation networks.")
    (license license:bsd-2)))
134
;; PKCS#11 module loader.  This variant is configured without a compiled-in
;; trust path; see 'p11-kit-next' below for the variant that has one.
(define-public p11-kit
  (package
    (name "p11-kit")
    (version "0.23.22")
    (source
     (origin
       (method url-fetch)
       (uri (string-append "https://github.com/p11-glue/p11-kit/releases/"
                           "download/" version "/p11-kit-" version ".tar.xz"))
       (sha256
        (base32 "1dn6br4v033d3gp2max9lsr3y4q0nj6iyr1yq3kzi8ym7lal13wa"))))
    (build-system gnu-build-system)
    (native-inputs
     ;; On the Hurd the build system is regenerated ('bootstrap' is replaced
     ;; below), so the autotools are needed there at build time.
     `(,@(if (hurd-target?)
             `(("autoconf" ,autoconf)
               ("automake" ,automake)
               ("gettext" ,gettext-minimal) ;for autopoint
               ("libtool" ,libtool))
             '())
       ("pkg-config" ,pkg-config)))
    (inputs
     `(("libffi" ,libffi)
       ;; The Hurd patch is an input rather than an 'origin' patch so that
       ;; it is applied only when (hurd-target?) holds, in the phase below.
       ,@(if (hurd-target?)
             `(("libbsd" ,libbsd)
               ("hurd-patch" ,(search-patch "p11-kit-hurd.patch")))
             '())
       ("libtasn1" ,libtasn1)))
    (arguments
     ;; No default trust path is compiled in.  Compare 'p11-kit-next' below,
     ;; which points the trust module at the system CA bundle so that clients
     ;; such as flatpak find it.
     `(#:configure-flags '("--without-trust-paths")
       #:phases (modify-phases %standard-phases
                  ,@(if (hurd-target?)
                        '((add-after 'unpack 'apply-hurd-patch
                            (lambda* (#:key inputs #:allow-other-keys)
                              (let ((patch (assoc-ref inputs "hurd-patch")))
                                (invoke "patch" "-p1" "--batch" "-i"
                                        patch))))
                          (replace 'bootstrap
                            (lambda _
                              (invoke "autoreconf" "-fiv"))))
                        '())
                  (add-before 'check 'prepare-tests
                    (lambda _
                      ;; "test-runtime" expects XDG_RUNTIME_DIR to be set up
                      ;; and looks for .cache and other directories (only).
                      ;; For simplicity just drop it since it is irrelevant
                      ;; in the build container.
                      (substitute* "Makefile"
                        (("test-runtime\\$\\(EXEEXT\\)") ""))
                      #t)))))
    (home-page "https://p11-glue.github.io/p11-glue/p11-kit.html")
    (synopsis "PKCS#11 library")
    (description
     "p11-kit provides a way to load and enumerate PKCS#11 modules. It
provides a standard configuration setup for installing PKCS#11 modules
in such a way that they are discoverable. It also solves problems with
coordinating the use of PKCS#11 by different components or libraries
living in the same process.")
    (license license:bsd-3)))
27e86bed 193
;; Newer p11-kit which, unlike 'p11-kit' above, has a trust path compiled in.
(define-public p11-kit-next
  (package
    (inherit p11-kit)
    (version "0.24.0")
    (source
     (origin
       (method url-fetch)
       (uri (string-append "https://github.com/p11-glue/p11-kit/releases/"
                           "download/" version "/p11-kit-" version ".tar.xz"))
       (sha256
        (base32 "11f6saclxsclc1f3lbavzw8kikws4cr3mfd1avly8dgnhh2i9rl1"))))
    (arguments
     ;; Use the default certificates so that users such as flatpak find them.
     ;; See <https://issues.guix.gnu.org/49957>.
     ;; FLAGS is bound but deliberately unused: the inherited
     ;; '--without-trust-paths' is replaced, not extended.
     (substitute-keyword-arguments (package-arguments p11-kit)
       ((#:configure-flags flags ''())
        ''("--with-trust-paths=/etc/ssl/certs/ca-certificates.crt"))))))
811b62d8 211
;; GnuTLS with Guile bindings.  The trust-store location is fixed at configure
;; time (see '--with-default-trust-store-dir' below); unlike 'openssl' further
;; down, no search-path environment variables are declared here.
(define-public gnutls
  (package
    (name "gnutls")
    (version "3.7.2")
    (source (origin
              (method url-fetch)
              ;; Note: Releases are no longer on ftp.gnu.org since the
              ;; schism (after version 3.1.5).
              (uri (string-append "mirror://gnupg/gnutls/v"
                                  (version-major+minor version)
                                  "/gnutls-" version ".tar.xz"))
              (patches (search-patches "gnutls-skip-trust-store-test.patch"
                                       "gnutls-cross.patch"
                                       "gnutls-guile-eintr-eagain.patch"))
              (sha256
               (base32
                "0li7mwjnm64mbxhacz0rpf6i9qd83f53fvbrx96alpqqk9d6qvk4"))))
    (build-system gnu-build-system)
    (arguments
     ;; Tests are skipped when cross-compiling and when targeting the Hurd.
     `(#:tests? ,(not (or (%current-target-system)
                          (hurd-target?)))
       ;; Ensure we don't keep a reference to the tools used for testing.
       #:disallowed-references ,(if (hurd-target?)
                                    '()
                                    (list net-tools iproute socat))
       #:configure-flags
       (cons*
        ;; GnuTLS doesn't consult any environment variables to specify
        ;; the location of the system-wide trust store. Instead it has a
        ;; configure-time option. Unless specified, its configure script
        ;; attempts to auto-detect the location by looking for common
        ;; places in the file system, none of which are present in our
        ;; chroot build environment. If not found, then no default trust
        ;; store is used, so each program has to provide its own
        ;; fallback, and users have to configure each program
        ;; independently. This seems suboptimal.
        "--with-default-trust-store-dir=/etc/ssl/certs"

        ;; Tell the build system that we want Guile bindings installed to
        ;; the output instead of Guiles own module directory.
        (string-append "--with-guile-site-dir="
                       "$(datarootdir)/guile/site/$(GUILE_EFFECTIVE_VERSION)")
        (string-append "--with-guile-site-ccache-dir="
                       "$(libdir)/guile/$(GUILE_EFFECTIVE_VERSION)/site-ccache")
        (string-append "--with-guile-extension-dir="
                       "$(libdir)/guile/$(GUILE_EFFECTIVE_VERSION)/extensions")

        ;; Keep this condition in sync with the 'p11-kit' propagated input
        ;; below, which is dropped for the same systems.
        (let ((system ,(or (%current-target-system)
                           (%current-system))))
          (if (string-prefix? "mips64el" system)
              (list
               ;; FIXME: Temporarily disable p11-kit support since it is
               ;; not working on mips64el.
               "--without-p11-kit")
              '())))

       #:phases (modify-phases %standard-phases
                  ;; fastopen.sh fails to connect to the server in the builder
                  ;; environment (see:
                  ;; https://gitlab.com/gnutls/gnutls/-/issues/1095).
                  (add-after 'unpack 'disable-failing-tests
                    (lambda _
                      (substitute* "tests/fastopen.sh"
                        (("^unset RETCODE")
                         "exit 77\n")))) ;skip
                  (add-after 'install 'move-doc
                    (lambda* (#:key outputs #:allow-other-keys)
                      ;; Copy the 4.1 MiB of section 3 man pages to "doc".
                      (let* ((out (assoc-ref outputs "out"))
                             (doc (assoc-ref outputs "doc"))
                             (mandir (string-append doc "/share/man/man3"))
                             (oldman (string-append out "/share/man/man3")))
                        (mkdir-p mandir)
                        (copy-recursively oldman mandir)
                        (delete-file-recursively oldman)))))))
    (outputs '("out" ;4.4 MiB
               "debug"
               "doc")) ;4.1 MiB of man pages
    (native-inputs
     `(,@(if (%current-target-system) ;for cross-build
             `(("guile" ,guile-3.0)) ;to create .go files
             '())
       ,@(if (hurd-target?)
             '()
             `(("net-tools" ,net-tools)
               ("iproute" ,iproute) ;for 'ss'
               ("socat" ,socat))) ;several tests rely on it
       ("pkg-config" ,pkg-config)
       ("texinfo" ,texinfo)
       ("which" ,which)
       ,@(if (hurd-target?)
             '()
             `(("datefudge" ,datefudge))) ;tests rely on 'datefudge'
       ("util-linux" ,util-linux))) ;one test needs 'setsid'
    (inputs
     `(("guile" ,guile-3.0)))
    (propagated-inputs
     ;; These are all in the 'Requires.private' field of gnutls.pc.
     `(("libtasn1" ,libtasn1)
       ("libidn2" ,libidn2)
       ("nettle" ,nettle)
       ("zlib" ,zlib)
       ;; Mirrors the '--without-p11-kit' configure flag above.
       ,@(let ((system (or (%current-target-system)
                           (%current-system))))
           (if (string-prefix? "mips64el" system)
               '()
               `(("p11-kit" ,p11-kit))))))
    (home-page "https://www.gnu.org/software/gnutls/")
    (synopsis "Transport layer security library")
    (description
     "GnuTLS is a secure communications library implementing the SSL, TLS
and DTLS protocols. It is provided in the form of a C library to support the
protocols, as well as to parse and write X.509, PKCS #12, OpenPGP and other
required structures.")
    (license license:lgpl2.1+)
    (properties '((ftp-server . "ftp.gnutls.org")
                  (ftp-directory . "/gcrypt/gnutls")))))
cc2b77df 329
;; GnuTLS built against Guile 2.0 instead of the Guile 3.0 used by 'gnutls'.
(define-public gnutls/guile-2.0
  ;; GnuTLS for Guile 2.0.
  (package/inherit gnutls
    (name "guile2.0-gnutls")
    ;; Only the "guile" input is swapped; the rest is inherited as-is.
    (inputs `(("guile" ,guile-2.0)
              ,@(alist-delete "guile" (package-inputs gnutls))))))
079f013b 336
(define-public gnutls/dane
  ;; GnuTLS built with libgnutls-dane, implementing DNS-based
  ;; Authentication of Named Entities. This is required for GNS functionality
  ;; by GNUnet and gnURL. This is done in an extra package definition
  ;; to have the choice between GnuTLS with Dane and without Dane.
  (package/inherit gnutls
    (name "gnutls-dane")
    ;; Adding 'unbound' is the only change; no configure flag is passed, so
    ;; presumably the DANE library is enabled by auto-detection -- verify
    ;; against the GnuTLS configure script when bumping versions.
    (inputs `(("unbound" ,unbound)
              ,@(package-inputs gnutls)))))
346
;; GnuTLS built against Guile 2.2 instead of the Guile 3.0 used by 'gnutls'.
(define-public guile2.2-gnutls
  (package/inherit gnutls
    (name "guile2.2-gnutls")
    ;; Only the "guile" input is swapped; the rest is inherited as-is.
    (inputs `(("guile" ,guile-2.2)
              ,@(alist-delete "guile"
                              (package-inputs gnutls))))))
d630d781 353
;; 'gnutls' itself already uses Guile 3.0, so this name is only a deprecated
;; alias for it.
(define-public guile3.0-gnutls
  (deprecated-package "guile3.0-gnutls" gnutls))
67a3c8ed 356
(define (target->openssl-target target)
  "Return the value to set CONFIGURE_TARGET_ARCH to when cross-compiling
OpenSSL for TARGET.  The result is unspecified for targets not listed."
  ;; Keep this code outside the build code,
  ;; such that new targets can be added
  ;; without causing rebuilds for other targets.
  ;;
  ;; Entries are tried in order, so a prefix that extends another one
  ;; ("powerpc64le", "powerpc64") must come before the shorter prefix
  ;; ("powerpc").
  (define prefix->target
    '(("i586" . "hurd-x86")
      ("i686" . "linux-x86")
      ("x86_64" . "linux-x86_64")
      ("mips64el" . "linux-mips64")
      ("arm" . "linux-armv4")
      ("aarch64" . "linux-aarch64")
      ("powerpc64le" . "linux-ppc64le")
      ("powerpc64" . "linux-ppc64")
      ("powerpc" . "linux-ppc")
      ;; linux64-riscv64 isn't recognized until 3.0.0.
      ("riscv64" . "linux-generic64")))

  (cond ((find (lambda (entry)
                 (string-prefix? (car entry) target))
               prefix->target)
         => cdr)))
7fabe9c8 384
;; OpenSSL 1.1.  Security fixes are delivered through the 'replacement' field:
;; Guix grafts 'openssl-1.1.1l' (defined below) onto dependents instead of
;; rebuilding them.
(define-public openssl
  (package
    (name "openssl")
    (version "1.1.1k")
    (replacement openssl-1.1.1l)
    (source (origin
              (method url-fetch)
              ;; Three locations are tried in order; the last one is the "old"
              ;; directory that superseded releases move to, whose path drops
              ;; the trailing patch letter of the version.
              (uri (list (string-append "https://www.openssl.org/source/openssl-"
                                        version ".tar.gz")
                         (string-append "ftp://ftp.openssl.org/source/"
                                        "openssl-" version ".tar.gz")
                         (string-append "ftp://ftp.openssl.org/source/old/"
                                        (string-trim-right version char-set:letter)
                                        "/openssl-" version ".tar.gz")))
              (patches (search-patches "openssl-1.1-c-rehash-in.patch"))
              (sha256
               (base32
                "1rdfzcrxy9y38wqdw5942vmdax9hjhgrprzxm42csal7p5shhal9"))))
    (build-system gnu-build-system)
    (outputs '("out"
               "doc"      ;6.8 MiB of man3 pages and full HTML documentation
               "static")) ;6.4 MiB of .a files
    (native-inputs `(("perl" ,perl)))
    (arguments
     `(#:parallel-tests? #f
       #:test-target "test"

       ;; Changes to OpenSSL sometimes cause Perl to "sneak in" to the closure,
       ;; so we explicitly disallow it here.
       #:disallowed-references ,(list (canonical-package perl))
       #:phases
       ,#~
       (modify-phases %standard-phases
         ;; When cross-compiling, derive OpenSSL's own target name from the
         ;; Guix triplet via 'target->openssl-target' above; 'configure'
         ;; below reads it back from the environment.
         #$@(if (%current-target-system)
                #~((add-before
                       'configure 'set-cross-compile
                     (lambda* (#:key target #:allow-other-keys)
                       (setenv "CROSS_COMPILE" (string-append target "-"))
                       (setenv "CONFIGURE_TARGET_ARCH"
                               #$(target->openssl-target
                                  (%current-target-system))))))
                #~())
         ;; This test seems to be dependant on kernel features.
         ;; https://github.com/openssl/openssl/issues/12242
         #$@(if (or (target-arm?)
                    (target-riscv64?))
                #~((replace 'check
                     (lambda* (#:key tests? test-target #:allow-other-keys)
                       (when tests?
                         (invoke "make" "TESTS=-test_afalg" test-target)))))
                #~())
         (replace 'configure
           (lambda* (#:key configure-flags #:allow-other-keys)
             (let* ((out #$output)
                    (lib (string-append out "/lib")))
               ;; It's not a shebang so patch-source-shebangs misses it.
               (substitute* "config"
                 (("/usr/bin/env")
                  (string-append (assoc-ref %build-inputs "coreutils")
                                 "/bin/env")))
               (apply
                ;; Cross builds call './Configure' with the target passed
                ;; explicitly (CONFIGURE_TARGET_ARCH, appended below); native
                ;; builds let './config' detect it.
                invoke #$@(if (%current-target-system)
                              #~("./Configure")
                              #~("./config"))
                "shared" ;build shared libraries
                "--libdir=lib"

                ;; The default for this catch-all directory is
                ;; PREFIX/ssl. Change that to something more
                ;; conventional.
                (string-append "--openssldir=" out
                               "/share/openssl-"
                               #$(package-version this-package))

                (string-append "--prefix=" out)
                (string-append "-Wl,-rpath," lib)
                #$@(if (%current-target-system)
                       #~((getenv "CONFIGURE_TARGET_ARCH"))
                       #~())
                configure-flags)
               ;; Output the configure variables.
               (invoke "perl" "configdata.pm" "--dump"))))
         (add-after 'install 'move-static-libraries
           (lambda _
             ;; Move static libraries to the "static" output.
             (let* ((out #$output)
                    (lib (string-append out "/lib"))
                    (static #$output:static)
                    (slib (string-append static "/lib")))
               (for-each (lambda (file)
                           (install-file file slib)
                           (delete-file file))
                         (find-files lib "\\.a$")))))
         (add-after 'install 'move-extra-documentation
           (lambda _
             ;; Move man pages and full HTML documentation to "doc".
             (let* ((out #$output)
                    (man (string-append out "/share/man"))
                    (html (string-append out "/share/doc/openssl"))
                    (doc #$output:doc)
                    (man-target (string-append doc "/share/man"))
                    (html-target (string-append doc "/share/doc/openssl")))
               (mkdir-p (dirname man-target))
               (mkdir-p (dirname html-target))
               (rename-file man man-target)
               (rename-file html html-target))))
         (add-after
             'install 'remove-miscellany
           (lambda _
             ;; The 'misc' directory contains random undocumented shell and Perl
             ;; scripts. Remove them to avoid retaining a reference on Perl.
             (delete-file-recursively (string-append #$output "/share/openssl-"
                                                     #$(package-version this-package)
                                                     "/misc")))))))
    ;; Unlike GnuTLS above, OpenSSL takes the CA bundle location from the
    ;; environment.  These search paths get set when a package providing
    ;; etc/ssl/certs is in the same profile, so programs linked against this
    ;; OpenSSL find a trust store without any path being compiled in.
    (native-search-paths
     (list (search-path-specification
            (variable "SSL_CERT_DIR")
            (separator #f) ;single entry
            (files '("etc/ssl/certs")))
           (search-path-specification
            (variable "SSL_CERT_FILE")
            (file-type 'regular)
            (separator #f) ;single entry
            (files '("etc/ssl/certs/ca-certificates.crt")))))
    (synopsis "SSL/TLS implementation")
    (description
     "OpenSSL is an implementation of SSL/TLS.")
    (license license:openssl)
    (home-page "https://www.openssl.org/")))
cc2b77df 514
515;; Replacement package to fix multiple CVEs.
(define openssl-1.1.1l
  (package
    (inherit openssl)
    (version "1.1.1l")
    ;; Only the version, source and hash differ from 'openssl'; the build
    ;; recipe is inherited unchanged since this package is grafted in place
    ;; of 'openssl' (see its 'replacement' field).
    (source (origin
              (method url-fetch)
              (uri (list (string-append "https://www.openssl.org/source/openssl-"
                                        version ".tar.gz")
                         (string-append "ftp://ftp.openssl.org/source/"
                                        "openssl-" version ".tar.gz")
                         (string-append "ftp://ftp.openssl.org/source/old/"
                                        (string-trim-right version char-set:letter)
                                        "/openssl-" version ".tar.gz")))
              (patches (search-patches "openssl-1.1-c-rehash-in.patch"))
              (sha256
               (base32
                "1lbblxps2fhmz7bqh058iywh5wxfignbfx1s1kz2fj63b5g3wyhb"))))))
250a216c 533
534;; We will not add any new uses of this package. If you add new code that uses
535;; this package, your change will be reverted!
536;;
537;; The only acceptable use for this package is to bootstrap Rust, in
538;; ((gnu packages rust) rust-1.19).
539;;
540;;; OpenSSL 1.0 is no longer supported upstream [0] and has several security
541;; vulnerabilities that will not be fixed [1].
542;;
543;; For more information from the Guix point of view, see
544;; <https://bugs.gnu.org/46602>.
545;;
546;; [0] https://www.openssl.org/policies/releasestrat.html
547;; [1] https://www.openssl.org/news/vulnerabilities.html
(define-public openssl-1.0
  ;; 'hidden-package' keeps this out of user-facing package listings; see the
  ;; comment above for why it exists at all.
  (hidden-package
   (package
     (inherit openssl)
     (name "openssl")
     (version "1.0.2u")
     (source (origin
               (method url-fetch)
               (uri (list (string-append "https://www.openssl.org/source/openssl-"
                                         version ".tar.gz")
                          (string-append "ftp://ftp.openssl.org/source/"
                                         "openssl-" version ".tar.gz")
                          (string-append "ftp://ftp.openssl.org/source/old/"
                                         (string-trim-right version char-set:letter)
                                         "/openssl-" version ".tar.gz")))
               (sha256
                (base32
                 "05lxcs4hzyfqd5jn0d9p0fvqna62v2s4pc9qgmq0dpcknkzwdl7c"))
               (patches (search-patches "openssl-runpath.patch"
                                        "openssl-c-rehash-in.patch"))))
     (outputs '("out"
                "doc"      ;1.5MiB of man3 pages
                "static")) ;6MiB of .a files
     (arguments
      ;; Start from the 1.1 recipe and adjust the phases that 1.0.x cannot
      ;; run as-is.
      (substitute-keyword-arguments (package-arguments openssl)
        ;; Parallel build is not supported in 1.0.x.
        ((#:parallel-build? _ #f) #f)
        ((#:phases phases)
         #~(modify-phases #$phases
             (add-before 'patch-source-shebangs 'patch-tests
               (lambda* (#:key inputs native-inputs #:allow-other-keys)
                 (let ((bash (assoc-ref (or native-inputs inputs) "bash")))
                   (substitute* (find-files "test" ".*")
                     (("/bin/sh")
                      (string-append bash "/bin/sh"))
                     (("/bin/rm")
                      "rm"))
                   #t)))
             (add-before 'configure 'patch-Makefile.org
               (lambda* (#:key outputs #:allow-other-keys)
                 ;; The default MANDIR is some unusual place. Fix that.
                 (let ((out (assoc-ref outputs "out")))
                   (patch-makefile-SHELL "Makefile.org")
                   (substitute* "Makefile.org"
                     (("^MANDIR[[:blank:]]*=.*$")
                      (string-append "MANDIR = " out "/share/man\n")))
                   #t)))
             (replace 'configure
               ;; Override this phase because OpenSSL 1.0 does not understand -rpath.
               (lambda* (#:key outputs #:allow-other-keys)
                 (let ((out (assoc-ref outputs "out")))
                   (invoke #$@(if (%current-target-system)
                                  #~("./Configure")
                                  #~("./config"))
                           "shared" ;build shared libraries
                           "--libdir=lib"

                           ;; The default for this catch-all directory is
                           ;; PREFIX/ssl. Change that to something more
                           ;; conventional.
                           (string-append "--openssldir=" out
                                          "/share/openssl-" #$version)

                           (string-append "--prefix=" out)
                           #$@(if (%current-target-system)
                                  '((getenv "CONFIGURE_TARGET_ARCH"))
                                  '())))))
             (delete 'move-extra-documentation)
             (add-after 'install 'move-man3-pages
               (lambda* (#:key outputs #:allow-other-keys)
                 ;; Move section 3 man pages to "doc".
                 (let* ((out (assoc-ref outputs "out"))
                        (man3 (string-append out "/share/man/man3"))
                        (doc (assoc-ref outputs "doc"))
                        (target (string-append doc "/share/man/man3")))
                   (mkdir-p target)
                   (for-each (lambda (file)
                               (rename-file file
                                            (string-append target "/"
                                                           (basename file))))
                             (find-files man3))
                   (delete-file-recursively man3)
                   #t)))
             ;; XXX: Duplicate this phase to make sure 'version' evaluates
             ;; in the current scope and not the inherited one.
             (replace 'remove-miscellany
               (lambda* (#:key outputs #:allow-other-keys)
                 ;; The 'misc' directory contains random undocumented shell and Perl
                 ;; scripts. Remove them to avoid retaining a reference on Perl.
                 (let ((out (assoc-ref outputs "out")))
                   (delete-file-recursively (string-append out "/share/openssl-"
                                                           #$version "/misc"))
                   #t))))))))))
763899f0 641
;; LibreSSL, including its TLS-enabled 'nc'.  Unlike 'openssl' above, no
;; SSL_CERT_* search paths are declared here (see the FIXME below).
(define-public libressl
  (package
    (name "libressl")
    (version "3.3.3")
    (source (origin
              (method url-fetch)
              (uri (string-append "mirror://openbsd/LibreSSL/"
                                  "libressl-" version ".tar.gz"))
              (sha256
               (base32
                "0rihprcgxsydsbcqgd1952k2cfn4jmp7rlyp1c6sglfc6rdmcwd4"))))
    (build-system gnu-build-system)
    (arguments
     `(#:configure-flags
       (list
        ;; Do as if 'getentropy' were missing: Linux kernels before 3.17 lack its
        ;; underlying 'getrandom' system call and ENOSYS isn't properly handled.
        ;; See <https://lists.gnu.org/archive/html/guix-devel/2017-04/msg00235.html>.
        "ac_cv_func_getentropy=no"
        ;; FIXME It's using its own bundled certificate, instead it should
        ;; behave like OpenSSL by using environment variables.
        (string-append "--with-openssldir=" %output
                       "/share/libressl-"
                       ,(package-version this-package))
        ;; Provide a TLS-enabled netcat.
        "--enable-nc")))
    (home-page "https://www.libressl.org/")
    (synopsis "SSL/TLS implementation")
    (description "LibreSSL is a version of the TLS/crypto stack, forked from
OpenSSL in 2014 with the goals of modernizing the codebase, improving security,
and applying best practice development processes. This package also includes a
netcat implementation that supports TLS.")
    ;; Files taken from OpenSSL keep their license, others are under various
    ;; non-copyleft licenses.
    (license (list license:openssl
                   (license:non-copyleft
                    "file://COPYING"
                    "See COPYING in the distribution.")))))
680
;; ACME client library; 'certbot' below takes its version from this package.
(define-public python-acme
  (package
    (name "python-acme")
    ;; Remember to update the hash of certbot when updating python-acme.
    (version "1.17.0")
    (source (origin
              (method url-fetch)
              (uri (pypi-uri "acme" version))
              (sha256
               (base32
                "03ij1wp7jwvppv70qbjkgdg7w824yh6j4gfb68jj20wicx08xx1a"))))
    (build-system python-build-system)
    (arguments
     `(#:phases
       (modify-phases %standard-phases
         ;; Build the man and Info pages from docs/; the Sphinx and texinfo
         ;; native inputs below serve this step.
         (add-after 'build 'build-documentation
           (lambda _
             (invoke "make" "-C" "docs" "man" "info")))
         (add-after 'install 'install-documentation
           (lambda* (#:key outputs #:allow-other-keys)
             (let* ((out (assoc-ref outputs "out"))
                    (man (string-append out "/share/man/man1"))
                    (info (string-append out "/info")))
               (install-file "docs/_build/texinfo/acme-python.info" info)
               (install-file "docs/_build/man/acme-python.1" man)
               #t))))))
    (native-inputs
     `(("python-pytest" ,python-pytest)
       ;; For documentation
       ("python-sphinx" ,python-sphinx)
       ("python-sphinxcontrib-programoutput" ,python-sphinxcontrib-programoutput)
       ("python-sphinx-rtd-theme" ,python-sphinx-rtd-theme)
       ("texinfo" ,texinfo)))
    (propagated-inputs
     `(("python-josepy" ,python-josepy)
       ("python-requests" ,python-requests)
       ("python-requests-toolbelt" ,python-requests-toolbelt)
       ("python-pytz" ,python-pytz)
       ("python-pyrfc3339" ,python-pyrfc3339)
       ("python-pyasn1" ,python-pyasn1)
       ("python-cryptography" ,python-cryptography)
       ("python-pyopenssl" ,python-pyopenssl)))
    (home-page "https://github.com/certbot/certbot")
    (synopsis "ACME protocol implementation in Python")
    (description "ACME protocol implementation in Python")
    (license license:asl2.0)))
727
(define-public certbot
  (package
    (name "certbot")
    ;; Certbot and python-acme are developed in the same repository, and their
    ;; versions should remain synchronized.
    (version (package-version python-acme))
    (source (origin
              (method url-fetch)
              (uri (pypi-uri "certbot" version))
              (sha256
               (base32
                "0wyipx6q78fmvngf1i6g50s01qpjqh07qlk1b5vyxwgl3080lhgg"))))
    (build-system python-build-system)
    (arguments
     ;; Reuse python-acme's phases, replacing only the documentation install
     ;; step so that certbot's own man pages (sections 1 and 7) and Info
     ;; manual are installed.
     `(,@(substitute-keyword-arguments (package-arguments python-acme)
           ((#:phases phases)
            `(modify-phases ,phases
               (replace 'install-documentation
                 (lambda* (#:key outputs #:allow-other-keys)
                   (let* ((out (assoc-ref outputs "out"))
                          (man1 (string-append out "/share/man/man1"))
                          (man7 (string-append out "/share/man/man7"))
                          (info (string-append out "/info")))
                     (install-file "docs/_build/texinfo/Certbot.info" info)
                     (install-file "docs/_build/man/certbot.1" man1)
                     (install-file "docs/_build/man/certbot.7" man7)
                     #t))))))))
    (native-inputs
     `(("python-mock" ,python-mock)
       ("python-pytest" ,python-pytest)
       ;; For documentation
       ("python-sphinx" ,python-sphinx)
       ("python-sphinx-rtd-theme" ,python-sphinx-rtd-theme)
       ("python-sphinx-repoze-autointerface" ,python-sphinx-repoze-autointerface)
       ("python-sphinxcontrib-programoutput" ,python-sphinxcontrib-programoutput)
       ("texinfo" ,texinfo)))
    (propagated-inputs
     `(("python-acme" ,python-acme)
       ("python-cryptography" ,python-cryptography)
       ("python-zope-interface" ,python-zope-interface)
       ("python-pyrfc3339" ,python-pyrfc3339)
       ("python-pyopenssl" ,python-pyopenssl)
       ("python-configobj" ,python-configobj)
       ("python-configargparse" ,python-configargparse)
       ("python-distro" ,python-distro)
       ("python-zope-component" ,python-zope-component)
       ("python-parsedatetime" ,python-parsedatetime)
       ("python-psutil" ,python-psutil)
       ("python-requests" ,python-requests)
       ("python-pytz" ,python-pytz)))
    (synopsis "Let's Encrypt client by the Electronic Frontier Foundation")
    (description "Certbot automatically receives and installs X.509 certificates
to enable Transport Layer Security (TLS) on servers. It interoperates with the
Let’s Encrypt certificate authority (CA), which issues browser-trusted
certificates for free.")
    (home-page "https://certbot.eff.org/")
    (license license:asl2.0)))
785
9495cf9a
LF
;; Alias that is superseded by certbot: the record inherits everything from
;; certbot and only carries the old name plus the superseded marker.
(define-public letsencrypt
  (package
    (inherit certbot)
    (properties `((superseded . ,certbot)))
    (name "letsencrypt")))

(define-public perl-net-ssleay
  (package
    (name "perl-net-ssleay")
    (version "1.88")
    (home-page "https://metacpan.org/release/Net-SSLeay")
    (source
     (origin
       (method url-fetch)
       (uri (string-append "mirror://cpan/authors/id/C/CH/CHRISN/Net-SSLeay-"
                           version ".tar.gz"))
       (sha256
        (base32 "1pfgh4h3szcpvqlcimc60pjbk9zwls99x5863sva0wc47i4dl010"))))
    (build-system perl-build-system)
    (inputs
     `(("openssl" ,openssl)))
    (arguments
     `(#:phases
       (modify-phases %standard-phases
         ;; Tell the module's build where OpenSSL lives via OPENSSL_PREFIX so it
         ;; builds against the openssl input.
         (add-before 'configure 'set-ssl-prefix
           (lambda* (#:key inputs #:allow-other-keys)
             (setenv "OPENSSL_PREFIX" (assoc-ref inputs "openssl"))
             #t)))))
    (synopsis "Perl extension for using OpenSSL")
    (description
     "This module offers some high level convenience functions for accessing
web pages on SSL servers (for symmetry, the same API is offered for accessing
http servers, too), an sslcat() function for writing your own clients, and
finally access to the SSL api of the SSLeay/OpenSSL package so you can write
servers or clients for more complicated applications.")
    (license license:perl-license)))

(define-public perl-crypt-openssl-rsa
  (package
    (name "perl-crypt-openssl-rsa")
    (version "0.31")
    (home-page "https://metacpan.org/release/Crypt-OpenSSL-RSA")
    (source (origin
              (method url-fetch)
              (uri (string-append "mirror://cpan/authors/id/T/TO/TODDR/"
                                  "Crypt-OpenSSL-RSA-" version ".tar.gz"))
              (sha256
               (base32
                "0djl5i6kibl7862b6ih29q8dhg5zpwzq77q9j8hp6xngshx40ws1"))))
    (build-system perl-build-system)
    (native-inputs
     `(("perl-crypt-openssl-guess" ,perl-crypt-openssl-guess)))
    (inputs
     `(("perl-crypt-openssl-bignum" ,perl-crypt-openssl-bignum)
       ("perl-crypt-openssl-random" ,perl-crypt-openssl-random)
       ("openssl" ,openssl)))
    ;; Shared Makefile.PL fix-up (see perl-crypt-arguments): links the
    ;; extension against libcrypto from the openssl input.
    (arguments perl-crypt-arguments)
    (synopsis "RSA encoding and decoding, using the openSSL libraries")
    (description "Crypt::OpenSSL::RSA does RSA encoding and decoding (using the
OpenSSL libraries).")
    (license license:perl-license)))

;; Build arguments shared by the Crypt::OpenSSL::* modules: rewrite the LIBS
;; entry of Makefile.PL so the extension links against libcrypto from the
;; openssl input (its store path is spliced into the -L flag).
(define perl-crypt-arguments
  `(#:phases
    (modify-phases %standard-phases
      (add-before 'configure 'patch-Makefile.PL
        (lambda* (#:key inputs #:allow-other-keys)
          (substitute* "Makefile.PL"
            (("'LIBS'.*=>.*")
             (string-append "'LIBS' => ['-L"
                            (assoc-ref inputs "openssl")
                            "/lib -lcrypto'],")))
          #t)))))

(define-public perl-crypt-openssl-bignum
  (package
    (name "perl-crypt-openssl-bignum")
    (version "0.09")
    (home-page "https://metacpan.org/release/Crypt-OpenSSL-Bignum")
    (source (origin
              (method url-fetch)
              (uri (string-append
                    "mirror://cpan/authors/id/K/KM/KMX/Crypt-OpenSSL-Bignum-"
                    version ".tar.gz"))
              (sha256
               (base32
                "1p22znbajq91lbk2k3yg12ig7hy5b4vy8igxwqkmbm4nhgxp4ki3"))))
    (build-system perl-build-system)
    (inputs `(("openssl" ,openssl)))
    ;; Same Makefile.PL fix-up as the other Crypt::OpenSSL modules.
    (arguments perl-crypt-arguments)
    (synopsis "OpenSSL's multiprecision integer arithmetic in Perl")
    (description "Crypt::OpenSSL::Bignum provides multiprecision integer
arithmetic in Perl.")
    ;; At your option either gpl1+ or the Artistic License
    (license license:perl-license)))

(define-public perl-crypt-openssl-guess
  (package
    (name "perl-crypt-openssl-guess")
    (version "0.11")
    (home-page "https://metacpan.org/release/Crypt-OpenSSL-Guess")
    (source (origin
              (method url-fetch)
              (uri (string-append
                    "mirror://cpan/authors/id/A/AK/AKIYM/Crypt-OpenSSL-Guess-"
                    version ".tar.gz"))
              (sha256
               (base32
                "0rvi9l4ljcbhwwvspq019nfq2h2v746dk355h2nwnlmqikiihsxa"))))
    ;; Pure-Perl helper; it has no openssl input of its own and is only used
    ;; at build time by the other Crypt::OpenSSL modules.
    (build-system perl-build-system)
    (synopsis "Guess the OpenSSL include path")
    (description
     "The Crypt::OpenSSL::Guess Perl module provides helpers to guess the
correct OpenSSL include path. It is intended for use in your
@file{Makefile.PL}.")
    (license license:perl-license)))

(define-public perl-crypt-openssl-random
  (package
    (name "perl-crypt-openssl-random")
    (version "0.15")
    (home-page "https://metacpan.org/release/Crypt-OpenSSL-Random")
    (source (origin
              (method url-fetch)
              (uri (string-append
                    "mirror://cpan/authors/id/R/RU/RURBAN/Crypt-OpenSSL-Random-"
                    version ".tar.gz"))
              (sha256
               (base32
                "1x6ffps8q7mnawmcfq740llzy7i10g3319vap0wiw4d33fm6z1zh"))))
    (build-system perl-build-system)
    (native-inputs
     `(("perl-crypt-openssl-guess" ,perl-crypt-openssl-guess)))
    (inputs
     `(("openssl" ,openssl)))
    ;; Same Makefile.PL fix-up as the other Crypt::OpenSSL modules.
    (arguments perl-crypt-arguments)
    (synopsis "OpenSSL/LibreSSL pseudo-random number generator access")
    (description "Crypt::OpenSSL::Random is a OpenSSL/LibreSSL pseudo-random
number generator")
    (license license:perl-license)))

(define-public acme-client
  (package
    (name "acme-client")
    (version "0.1.16")
    (home-page "https://kristaps.bsd.lv/acme-client/")
    (source (origin
              (method url-fetch)
              (uri (string-append "https://kristaps.bsd.lv/" name "/snapshots/"
                                  name "-portable-" version ".tgz"))
              (sha256
               (base32
                "00q05b3b1dfnfp7sr1nbd212n0mqrycl3cr9lbs51m7ncaihbrz9"))))
    (build-system gnu-build-system)
    (arguments
     '(#:tests? #f                      ; no test suite
       #:make-flags
       (list "CC=gcc"
             (string-append "PREFIX=" (assoc-ref %outputs "out")))
       #:phases
       (modify-phases %standard-phases
         ;; http.c hard-codes /etc/ssl/cert.pem as its CA bundle.  Rewrite it
         ;; to the cert.pem found among the build inputs so the trust store is
         ;; part of this package's closure rather than the host's /etc/ssl.
         ;; NOTE(review): presumably the one shipped by the libressl input —
         ;; confirm; that bundle only changes when this package is rebuilt.
         (add-after 'unpack 'patch-paths
           (lambda* (#:key inputs #:allow-other-keys)
             (let ((pem (search-input-file inputs "/etc/ssl/cert.pem")))
               (substitute* "http.c"
                 (("/etc/ssl/cert.pem") pem))
               #t)))
         (delete 'configure))))         ; no './configure' script
    (native-inputs
     `(("pkg-config" ,pkg-config)))
    (inputs
     `(("libbsd" ,libbsd)
       ("libressl" ,libressl)))
    (synopsis "Let's Encrypt client by the OpenBSD project")
    (description "acme-client is a Let's Encrypt client implemented in C. It
uses a modular design, and attempts to secure itself by dropping privileges and
operating in a chroot where possible. acme-client is developed on OpenBSD and
then ported to the GNU / Linux environment.")
    ;; acme-client is distributed under the ISC license, but the files 'jsmn.h'
    ;; and 'jsmn.c' are distributed under the Expat license.
    (license (list license:isc license:expat))))

;; The "-apache" variant is the one preferred upstream.  A "-gpl"
;; variant exists in addition to the "-apache" one.
(define-public mbedtls-apache
  (package
    (name "mbedtls-apache")
    ;; XXX Check whether ‘-Wformat-signedness’ still breaks mbedtls-for-hiawatha
    ;; when updating.
    (version "2.26.0")
    (home-page "https://www.trustedfirmware.org/projects/mbed-tls/")
    (source (origin
              (method git-fetch)
              (uri (git-reference
                    (url "https://github.com/ARMmbed/mbedtls")
                    (commit (string-append "mbedtls-" version))))
              (file-name (git-file-name name version))
              (sha256
               (base32 "0scwpmrgvg6q7rvqkc352d2fqlsx0aylcbyibcp1f1rsn8iiif2m"))
              (modules '((guix build utils)))
              (snippet
               '(begin
                  ;; Can be removed with the next version.
                  ;; Reduce level of format truncation warnings due to false positives.
                  ;; https://github.com/ARMmbed/mbedtls/commit/2065a8d8af27c6cb1e40c9462b5933336dca7434
                  (substitute* "CMakeLists.txt"
                    (("Wformat-truncation=2") "Wformat-truncation"))
                  #t))))
    (build-system cmake-build-system)
    (native-inputs
     `(("perl" ,perl)
       ("python" ,python)))
    (arguments
     `(#:configure-flags
       ;; Ship the shared library only; the static archive is not built.
       (list "-DUSE_SHARED_MBEDTLS_LIBRARY=ON"
             "-DUSE_STATIC_MBEDTLS_LIBRARY=OFF")
       #:phases
       (modify-phases %standard-phases
         ;; The checkout's files are read-only; later phases need to edit them.
         (add-after 'unpack 'make-source-writable
           (lambda _
             (for-each make-file-writable (find-files "."))
             #t)))))
    (synopsis "Small TLS library")
    (description
     "@code{mbed TLS}, formerly known as PolarSSL, makes it trivially easy
for developers to include cryptographic and SSL/TLS capabilities in their
(embedded) products, facilitating this functionality with a minimal
coding footprint.")
    (license license:asl2.0)))

1028;; The Hiawatha Web server requires some specific features to be enabled.
(define-public mbedtls-for-hiawatha
  (hidden-package
   (package
     (inherit mbedtls-apache)
     (arguments
      (substitute-keyword-arguments (package-arguments mbedtls-apache)
        ((#:phases phases)
         `(modify-phases ,phases
            ;; Turn on the threading options via the upstream config script,
            ;; then drop the warning flag that the newly enabled code trips.
            (add-before 'configure 'configure-extra-features
              (lambda _
                (for-each (lambda (feature)
                            (invoke "scripts/config.pl" "set" feature))
                          (list "MBEDTLS_THREADING_C"
                                "MBEDTLS_THREADING_PTHREAD"))
                ;; XXX The above enables code that breaks with -Werror…
                (substitute* "CMakeLists.txt"
                  ((" -Wformat-signedness") ""))
                #t)))))))))

(define-public dehydrated
  (package
    (name "dehydrated")
    (version "0.7.0")
    (source (origin
              (method url-fetch)
              (uri (string-append
                    "https://github.com/dehydrated-io/dehydrated/releases/download/"
                    "v" version "/dehydrated-" version ".tar.gz"))
              (sha256
               (base32
                "1yf4kldyd5y13r6qxrkcbbk74ykngq7jzy0351vb2r3ywp114pqw"))))
    ;; Hand-written builder: the tarball only holds a shell script plus docs,
    ;; so unpacking, installing and wrapping are done directly here.  The
    ;; steps below are order-dependent (PATH and cwd are changed as we go).
    (build-system trivial-build-system)
    (arguments
     `(#:modules ((guix build utils)
                  (srfi srfi-26))
       #:builder
       (begin
         (use-modules (guix build utils)
                      (srfi srfi-26))
         (let* ((source (assoc-ref %build-inputs "source"))
                (tar (assoc-ref %build-inputs "tar"))
                (gz (assoc-ref %build-inputs "gzip"))
                (out (assoc-ref %outputs "out"))
                (bin (string-append out "/bin"))
                (doc (string-append out "/share/doc/" ,name "-" ,version))
                (man (string-append out "/share/man"))
                (bash (in-vicinity (assoc-ref %build-inputs "bash") "bin")))

           ;; Only gzip is on PATH while unpacking; tar is called by full path.
           (setenv "PATH" (string-append gz "/bin"))
           (invoke (string-append tar "/bin/tar") "xvf" source)
           (chdir (string-append ,name "-" ,version))

           (copy-recursively "docs" doc)
           (install-file "LICENSE" doc)

           ;; Move the man pages out of the doc tree and compress everything
           ;; under share/man.
           (mkdir-p man)
           (rename-file (string-append doc "/man")
                        (string-append man "/man1"))
           (for-each (cut invoke "gzip" "-9" <>)
                     (find-files man ".*"))

           (install-file "dehydrated" bin)
           (with-directory-excursion bin
             (patch-shebang "dehydrated" (list bash))

             ;; Do not try to write to the store.
             ;; NOTE(review): this makes the script use ~/.dehydrated instead
             ;; of its own (read-only) directory; presumably that is where it
             ;; then reads its config and hooks from — confirm against the
             ;; script.
             (substitute* "dehydrated"
               (("SCRIPTDIR=\"\\$.*\"") "SCRIPTDIR=~/.dehydrated"))

             ;; PATH now holds only bash's bin directory (presumably so that
             ;; wrap-program can find bash — verify).  The wrapper prefixes
             ;; PATH with the bin directories of the listed inputs so the
             ;; script finds exactly these tools at run time.
             (setenv "PATH" bash)
             (wrap-program "dehydrated"
               `("PATH" ":" prefix
                 ,(map (lambda (dir)
                         (string-append dir "/bin"))
                       (map (lambda (input)
                              (assoc-ref %build-inputs input))
                            '("coreutils"
                              "curl"
                              "diffutils"
                              "gawk"
                              "grep"
                              "openssl"
                              "sed"))))))
           #t))))
    (inputs
     `(("bash" ,bash)
       ("coreutils" ,coreutils)
       ("curl" ,curl)
       ("diffutils" ,diffutils)
       ("gawk" ,gawk)
       ("grep" ,grep)
       ("openssl" ,openssl)
       ("sed" ,sed)))
    (native-inputs
     `(("gzip" ,gzip)
       ("tar" ,tar)))
    ;; The following definition is copied from the cURL package to prevent a
    ;; cycle between the curl and tls modules.
    ;; It lets the profile point CURL_CA_BUNDLE at a CA bundle so the wrapped
    ;; curl has a trust store for the ACME server connection.
    (native-search-paths
     (list (search-path-specification
            (variable "CURL_CA_BUNDLE")
            (file-type 'regular)
            (separator #f)
            (files '("etc/ssl/certs/ca-certificates.crt")))))
    (home-page "https://dehydrated.io/")
    (synopsis "ACME client implemented as a shell script")
    (description "Dehydrated is a client for obtaining certificates from an
ACME server (such as Let's Encrypt) implemented as a relatively simple Bash
script.")
    (license license:expat)))

(define-public go-github-com-certifi-gocertifi
  (let ((commit "a5e0173ced670013bfb649c7e806bc9529c986ec")
        (revision "1"))
    (package
      (name "go-github-com-certifi-gocertifi")
      (version (git-version "2018.01.18" revision commit))
      (home-page "https://certifi.io")
      (source
       (origin
         (method git-fetch)
         (uri (git-reference
               (url "https://github.com/certifi/gocertifi")
               (commit commit)))
         (file-name (git-file-name name version))
         (sha256
          (base32 "1n9drccl3q1rr8wg3nf60slkf1lgsmz5ahifrglbdrc6har3rryj"))))
      (build-system go-build-system)
      (arguments
       '(#:import-path "github.com/certifi/gocertifi"))
      (synopsis "X.509 TLS root certificate bundle for Go")
      ;; NOTE(review): the root set is frozen at the commit pinned above.
      ;; Programs built against this package presumably embed that snapshot,
      ;; so CA additions or withdrawals only reach them when the commit is
      ;; bumped here.
      (description "This package is a Go language X.509 TLS root certificate bundle,
derived from Mozilla's collection.")
      (license license:mpl2.0))))

(define-public s2n
  (let ((commit "7f43b102def1d52422f6c3e48d5cb3e6dd26c646")
        (revision "1"))
    (package
      (name "s2n")
      (version (git-version "1.0.10" revision commit))
      (home-page "https://github.com/aws/s2n-tls")
      (source
       (origin
         (method git-fetch)
         (uri (git-reference
               (url "https://github.com/aws/s2n-tls")
               (commit commit)))
         (file-name (git-file-name name version))
         (sha256
          (base32 "06rqg0vcispi63cmcza9j7ix80l0w6wmbw81qlg4fq8l1lg9nyvl"))))
      (build-system cmake-build-system)
      (arguments
       '(#:configure-flags
         '("-DBUILD_SHARED_LIBS=ON")))
      ;; Both the shared and the static OpenSSL output are propagated, so
      ;; dependants see the same libcrypto this build linked against.
      (propagated-inputs
       `(("openssl" ,openssl)
         ("openssl:static" ,openssl "static")))
      (synopsis "SSL/TLS implementation in C99")
      (description
       "This library provides a C99 implementation of SSL/TLS. It is designed
to be familiar to users of the widely-used POSIX I/O APIs. It supports
blocking, non-blocking, and full-duplex I/O. There are no locks or mutexes.

As it can be difficult to keep track of which encryption algorithms and
protocols are best to use, s2n-tls features a simple API to use the latest
default set of preferences. Remaining on a specific version for backwards
compatibility is also supported.")
      (license license:asl2.0))))

(define-public wolfssl
  (package
    (name "wolfssl")
    (version "4.8.1")
    (home-page "https://www.wolfssl.com/")
    (source
     (origin
       (method git-fetch)
       (uri (git-reference
             (url "https://github.com/wolfSSL/wolfssl")
             (commit (string-append "v" version "-stable"))))
       (file-name (git-file-name name version))
       (sha256
        (base32 "0w5pd40j6h4j2f0b7c2n1n979y9qk8aln3ss2gb0jfsid1hrmx5k"))))
    (build-system gnu-build-system)
    (native-inputs
     `(("autoconf" ,autoconf)
       ("automake" ,automake)
       ("libtool" ,libtool)))
    (arguments
     ;; Ask upstream's build for a reproducible library image.
     '(#:configure-flags
       '("--enable-reproducible-build")))
    (synopsis "SSL/TLS implementation")
    (description "The wolfSSL embedded SSL library (formerly CyaSSL) is an
SSL/TLS library written in ANSI C and targeted for embedded, RTOS, and
resource-constrained environments - primarily because of its small size, speed,
and feature set. wolfSSL supports industry standards up to the current TLS 1.3
and DTLS 1.2, is up to 20 times smaller than OpenSSL, and offers progressive
ciphers such as ChaCha20, Curve25519, NTRU, and Blake2b.")
    (license license:gpl2+)))             ; Audit

(define-public aws-lc
  (let ((commit "d0a5455417d80e68581e197d95720c3fb25e3926")
        (revision "0"))
    (package
      (name "aws-lc")
      (version (git-version "0.0.0" revision commit))
      (home-page "https://github.com/awslabs/aws-lc")
      (source
       (origin
         (method git-fetch)
         (uri (git-reference
               (url (string-append "https://github.com/awslabs/" name))
               (commit commit)))
         (file-name (git-file-name name version))
         (sha256
          (base32 "1ysj3x1f2lcdvwzyb9x3waykz1j7r21viv5z5vgc0ja9xv7znm9g"))))
      (build-system cmake-build-system)
      (arguments
       ;; NOTE(review): with tests off, none of the library's own test suite
       ;; runs at build time; for a cryptographic library the re-enable plan
       ;; below is worth prioritising.
       '(#:tests? #f                    ; re-enable but with go and perl dependencies
         #:configure-flags
         '("-DBUILD_SHARED_LIBS=ON")))
      (synopsis "General purpose cryptographic library")
      (description "AWS libcrypto (aws-lc) contains portable C implementations
of algorithms needed for TLS and common applications, and includes optimized
assembly versions for x86 and ARM.")
      (license license:asl2.0))))