Commit | Line | Data |
---|---|---|
233e7676 | 1 | ;;; GNU Guix --- Functional package management for GNU |
4604d43c | 2 | ;;; Copyright © 2012, 2013, 2014, 2015, 2016, 2017, 2019, 2020, 2021 Ludovic Courtès <ludo@gnu.org> |
74e2c0e0 | 3 | ;;; Copyright © 2014, 2015, 2016, 2017, 2018, 2021 Mark H Weaver <mhw@netris.org> |
29a7c98a | 4 | ;;; Copyright © 2014 Ian Denhardt <ian@zenhack.net> |
cc2b77df | 5 | ;;; Copyright © 2013, 2015 Andreas Enge <andreas@enge.fr> |
9fd0838b | 6 | ;;; Copyright © 2015 David Thompson <davet@gnu.org> |
ad67d208 | 7 | ;;; Copyright © 2015, 2016, 2017, 2018, 2019, 2020 Leo Famulari <leo@famulari.name> |
db388401 | 8 | ;;; Copyright © 2016, 2017, 2019 Efraim Flashner <efraim@flashner.co.il> |
3c986a7d | 9 | ;;; Copyright © 2016, 2017, 2018 Nikita <nikita@n0.is> |
375cef6c | 10 | ;;; Copyright © 2016 Hartmut Goebel <h.goebel@crazy-compilers.com> |
ee33f9a7 | 11 | ;;; Copyright © 2017 Ricardo Wurmus <rekado@elephly.net> |
250a216c | 12 | ;;; Copyright © 2017, 2018, 2019, 2020, 2021 Marius Bakke <marius@gnu.org> |
db201657 | 13 | ;;; Copyright © 2017–2019, 2021 Tobias Geerinckx-Rice <me@tobias.gr> |
fbf5ca3c | 14 | ;;; Copyright © 2017 Rutger Helling <rhelling@mykolab.com> |
e8b3a158 | 15 | ;;; Copyright © 2018 Clément Lassieur <clement@lassieur.org> |
bdcdd550 | 16 | ;;; Copyright © 2019 Mathieu Othacehe <m.othacehe@gmail.com> |
a9bcc647 | 17 | ;;; Copyright © 2020 Jan (janneke) Nieuwenhuizen <janneke@gnu.org> |
0b70eb03 | 18 | ;;; Copyright © 2021 Solene Rapenne <solene@perso.pw> |
76a9bad3 | 19 | ;;; Copyright © 2021 Brice Waegeneire <brice@waegenei.re> |
2bb789f6 | 20 | ;;; Copyright © 2021 Matthew James Kraai <kraai@ftbfs.org> |
7543f865 | 21 | ;;; |
233e7676 | 22 | ;;; This file is part of GNU Guix. |
7543f865 | 23 | ;;; |
233e7676 | 24 | ;;; GNU Guix is free software; you can redistribute it and/or modify it |
7543f865 LC |
25 | ;;; under the terms of the GNU General Public License as published by |
26 | ;;; the Free Software Foundation; either version 3 of the License, or (at | |
27 | ;;; your option) any later version. | |
28 | ;;; | |
233e7676 | 29 | ;;; GNU Guix is distributed in the hope that it will be useful, but |
7543f865 LC |
30 | ;;; WITHOUT ANY WARRANTY; without even the implied warranty of |
31 | ;;; MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the | |
32 | ;;; GNU General Public License for more details. | |
33 | ;;; | |
34 | ;;; You should have received a copy of the GNU General Public License | |
233e7676 | 35 | ;;; along with GNU Guix. If not, see <http://www.gnu.org/licenses/>. |
7543f865 | 36 | |
a7fd7b68 | 37 | (define-module (gnu packages tls) |
e9aa8d0c | 38 | #:use-module ((guix licenses) #:prefix license:) |
7543f865 LC |
39 | #:use-module (guix packages) |
40 | #:use-module (guix download) | |
ea22aa1f | 41 | #:use-module (guix git-download) |
29a7c98a | 42 | #:use-module (guix utils) |
7543f865 | 43 | #:use-module (guix build-system gnu) |
ea22aa1f | 44 | #:use-module (guix build-system go) |
cc2b77df | 45 | #:use-module (guix build-system perl) |
7890e3ba | 46 | #:use-module (guix build-system python) |
88522738 | 47 | #:use-module (guix build-system cmake) |
e8b3a158 | 48 | #:use-module (guix build-system trivial) |
f61e0e79 | 49 | #:use-module (gnu packages compression) |
013ce67b | 50 | #:use-module (gnu packages) |
e8b3a158 | 51 | #:use-module (gnu packages bash) |
ac257f12 | 52 | #:use-module (gnu packages check) |
e8b3a158 | 53 | #:use-module (gnu packages curl) |
5b9aa107 | 54 | #:use-module (gnu packages dns) |
e8b3a158 | 55 | #:use-module (gnu packages gawk) |
1ffa7090 | 56 | #:use-module (gnu packages guile) |
a9bcc647 | 57 | #:use-module (gnu packages hurd) |
0581c273 | 58 | #:use-module (gnu packages libbsd) |
27e86bed | 59 | #:use-module (gnu packages libffi) |
866f469e | 60 | #:use-module (gnu packages libidn) |
5d4c90ae | 61 | #:use-module (gnu packages linux) |
7890e3ba | 62 | #:use-module (gnu packages ncurses) |
27e86bed | 63 | #:use-module (gnu packages nettle) |
1ffa7090 | 64 | #:use-module (gnu packages perl) |
27e86bed | 65 | #:use-module (gnu packages pkg-config) |
7890e3ba | 66 | #:use-module (gnu packages python) |
cc6f4912 | 67 | #:use-module (gnu packages python-crypto) |
1b2f753d | 68 | #:use-module (gnu packages python-web) |
44d10b1f | 69 | #:use-module (gnu packages python-xyz) |
9d0c291e | 70 | #:use-module (gnu packages sphinx) |
a31f4d35 | 71 | #:use-module (gnu packages texinfo) |
33dc54b0 | 72 | #:use-module (gnu packages time) |
079f013b LC |
73 | #:use-module (gnu packages base) |
74 | #:use-module (srfi srfi-1)) | |
7543f865 LC |
75 | |
76 | (define-public libtasn1 | |
77 | (package | |
78 | (name "libtasn1") | |
3a22f04a | 79 | (version "4.16.0") |
7543f865 LC |
80 | (source |
81 | (origin | |
82 | (method url-fetch) | |
83 | (uri (string-append "mirror://gnu/libtasn1/libtasn1-" | |
84 | version ".tar.gz")) | |
85 | (sha256 | |
86 | (base32 | |
3a22f04a | 87 | "179jskl7dmfp1rd2khkzmlibzgki4wi6hvmmwfv7q49r728b03qf")))) |
7543f865 | 88 | (build-system gnu-build-system) |
d9f84612 MB |
89 | (arguments |
90 | `(#:configure-flags '("--disable-static"))) | |
3ea110b7 | 91 | (native-inputs `(("perl" ,perl))) |
6fd52309 | 92 | (home-page "https://www.gnu.org/software/libtasn1/") |
f50d2669 | 93 | (synopsis "ASN.1 library") |
7543f865 | 94 | (description |
79c311b8 LC |
95 | "GNU libtasn1 is a library implementing the ASN.1 notation. It is used |
96 | for transmitting machine-neutral encodings of data objects in computer | |
a22dc0c4 LC |
97 | networking, allowing for formal validation of data according to some |
98 | specifications.") | |
e9aa8d0c | 99 | (license license:lgpl2.0+))) |
7543f865 | 100 | |
375cef6c HG |
101 | (define-public asn1c |
102 | (package | |
103 | (name "asn1c") | |
ff7da7e0 | 104 | (version "0.9.28") |
375cef6c HG |
105 | (source (origin |
106 | (method url-fetch) | |
107 | (uri (string-append "https://lionet.info/soft/asn1c-" | |
108 | version ".tar.gz")) | |
109 | (sha256 | |
110 | (base32 | |
ff7da7e0 | 111 | "1fc64g45ykmv73kdndr4zdm4wxhimhrir4rxnygxvwkych5l81w0")))) |
375cef6c HG |
112 | (build-system gnu-build-system) |
113 | (native-inputs | |
114 | `(("perl" ,perl))) | |
115 | (home-page "https://lionet.info/asn1c") | |
116 | (synopsis "ASN.1 to C compiler") | |
117 | (description "The ASN.1 to C compiler takes ASN.1 module | |
118 | files and generates C++ compatible C source code. That code can be | |
119 | used to serialize the native C structures into compact and unambiguous | |
120 | BER/XER/PER-based data files, and deserialize the files back. | |
121 | ||
122 | Various ASN.1 based formats are widely used in the industry, such as to encode | |
123 | the X.509 certificates employed in the HTTPS handshake, to exchange control | |
124 | data between mobile phones and cellular networks, to car-to-car communication | |
125 | in intelligent transportation networks.") | |
126 | (license license:bsd-2))) | |
127 | ||
27e86bed AE |
128 | (define-public p11-kit |
129 | (package | |
130 | (name "p11-kit") | |
c84c0dbc | 131 | (version "0.23.22") |
27e86bed AE |
132 | (source |
133 | (origin | |
134 | (method url-fetch) | |
e6ad9bda | 135 | (uri (string-append "https://github.com/p11-glue/p11-kit/releases/" |
eae94df6 | 136 | "download/" version "/p11-kit-" version ".tar.xz")) |
27e86bed | 137 | (sha256 |
9ed46007 | 138 | (base32 "1dn6br4v033d3gp2max9lsr3y4q0nj6iyr1yq3kzi8ym7lal13wa")))) |
27e86bed AE |
139 | (build-system gnu-build-system) |
140 | (native-inputs | |
141 | `(("pkg-config" ,pkg-config))) | |
142 | (inputs | |
143 | `(("libffi" ,libffi) | |
144 | ("libtasn1" ,libtasn1))) | |
145 | (arguments | |
d5c472a2 MB |
146 | `(#:configure-flags '("--without-trust-paths") |
147 | #:phases (modify-phases %standard-phases | |
148 | (add-before 'check 'prepare-tests | |
149 | (lambda _ | |
150 | ;; "test-runtime" expects XDG_RUNTIME_DIR to be set up | |
151 | ;; and looks for .cache and other directories (only). | |
152 | ;; For simplicity just drop it since it is irrelevant | |
153 | ;; in the build container. | |
154 | (substitute* "Makefile" | |
155 | (("test-runtime\\$\\(EXEEXT\\)") "")) | |
156 | #t))))) | |
4631e6c9 | 157 | (home-page "https://p11-glue.freedesktop.org/p11-kit.html") |
27e86bed AE |
158 | (synopsis "PKCS#11 library") |
159 | (description | |
160 | "p11-kit provides a way to load and enumerate PKCS#11 modules. It | |
161 | provides a standard configuration setup for installing PKCS#11 modules | |
162 | in such a way that they are discoverable. It also solves problems with | |
163 | coordinating the use of PKCS#11 by different components or libraries | |
164 | living in the same process.") | |
e9aa8d0c | 165 | (license license:bsd-3))) |
27e86bed | 166 | |
7543f865 LC |
167 | (define-public gnutls |
168 | (package | |
169 | (name "gnutls") | |
51a365c1 | 170 | (version "3.6.15") |
0b70eb03 | 171 | (replacement gnutls-3.6.16) |
d7d408d5 | 172 | (source (origin |
51a365c1 | 173 | (method url-fetch) |
d7d408d5 LC |
174 | ;; Note: Releases are no longer on ftp.gnu.org since the |
175 | ;; schism (after version 3.1.5). | |
51a365c1 LC |
176 | (uri (string-append "mirror://gnupg/gnutls/v" |
177 | (version-major+minor version) | |
178 | "/gnutls-" version ".tar.xz")) | |
179 | (patches (search-patches "gnutls-skip-trust-store-test.patch" | |
e12210dc LF |
180 | "gnutls-cross.patch" |
181 | "gnutls-CVE-2021-20231.patch" | |
182 | "gnutls-CVE-2021-20232.patch")) | |
51a365c1 LC |
183 | (sha256 |
184 | (base32 | |
185 | "0n0m93ymzd0q9hbknxc2ycanz49sqlkyyf73g9fk7n787llc7a0f")))) | |
7543f865 | 186 | (build-system gnu-build-system) |
b94ae0b8 | 187 | (arguments |
525a351e MO |
188 | `(#:tests? ,(not (or (%current-target-system) |
189 | (hurd-target?))) | |
9015ed66 | 190 | ;; Ensure we don't keep a reference to net-tools. |
9ee8b41f | 191 | #:disallowed-references ,(if (hurd-target?) '() (list net-tools)) |
76b21274 | 192 | #:configure-flags |
a0700787 | 193 | (list |
aa7c7f21 MW |
194 | ;; GnuTLS doesn't consult any environment variables to specify |
195 | ;; the location of the system-wide trust store. Instead it has a | |
196 | ;; configure-time option. Unless specified, its configure script | |
197 | ;; attempts to auto-detect the location by looking for common | |
8f65585b | 198 | ;; places in the file system, none of which are present in our |
aa7c7f21 MW |
199 | ;; chroot build environment. If not found, then no default trust |
200 | ;; store is used, so each program has to provide its own | |
201 | ;; fallback, and users have to configure each program | |
202 | ;; independently. This seems suboptimal. | |
866f469e MW |
203 | "--with-default-trust-store-dir=/etc/ssl/certs" |
204 | ||
7892edc2 MB |
205 | ;; Tell the build system that we want Guile bindings installed to |
206 | ;; the output instead of Guiles own module directory. | |
207 | (string-append "--with-guile-site-dir=" | |
208 | "$(datarootdir)/guile/site/$(GUILE_EFFECTIVE_VERSION)") | |
209 | (string-append "--with-guile-site-ccache-dir=" | |
210 | "$(libdir)/guile/$(GUILE_EFFECTIVE_VERSION)/site-ccache") | |
211 | (string-append "--with-guile-extension-dir=" | |
212 | "$(libdir)/guile/$(GUILE_EFFECTIVE_VERSION)/extensions") | |
213 | ||
866f469e MW |
214 | ;; FIXME: Temporarily disable p11-kit support since it is not |
215 | ;; working on mips64el. | |
606c6380 LC |
216 | "--without-p11-kit") |
217 | ||
218 | #:phases (modify-phases %standard-phases | |
219 | (add-after | |
220 | 'install 'move-doc | |
221 | (lambda* (#:key outputs #:allow-other-keys) | |
222 | ;; Copy the 4.1 MiB of section 3 man pages to "doc". | |
223 | (let* ((out (assoc-ref outputs "out")) | |
224 | (doc (assoc-ref outputs "doc")) | |
9cdce047 | 225 | (mandir (string-append doc "/share/man/man3")) |
606c6380 LC |
226 | (oldman (string-append out "/share/man/man3"))) |
227 | (mkdir-p mandir) | |
228 | (copy-recursively oldman mandir) | |
229 | (delete-file-recursively oldman) | |
230 | #t)))))) | |
231 | (outputs '("out" ;4.4 MiB | |
232 | "debug" | |
233 | "doc")) ;4.1 MiB of man pages | |
a1db0975 | 234 | (native-inputs |
51a365c1 LC |
235 | `(,@(if (%current-target-system) ;for cross-build |
236 | `(("guile" ,guile-3.0)) ;to create .go files | |
237 | '()) | |
238 | ,@(if (hurd-target?) | |
239 | '() | |
a9bcc647 | 240 | `(("net-tools" ,net-tools))) |
5d4c90ae | 241 | ("pkg-config" ,pkg-config) |
ac83dc82 | 242 | ("which" ,which) |
2d49f175 JN |
243 | ,@(if (hurd-target?) '() |
244 | `(("datefudge" ,datefudge))) ;tests rely on 'datefudge' | |
971c8bb0 | 245 | ("util-linux" ,util-linux))) ;one test needs 'setsid' |
7543f865 | 246 | (inputs |
67a3c8ed | 247 | `(("guile" ,guile-3.0))) |
7543f865 | 248 | (propagated-inputs |
d2fcfd3d | 249 | ;; These are all in the 'Requires.private' field of gnutls.pc. |
7543f865 | 250 | `(("libtasn1" ,libtasn1) |
55e61c4d | 251 | ("libidn2" ,libidn2) |
866f469e | 252 | ("nettle" ,nettle) |
f61e0e79 | 253 | ("zlib" ,zlib))) |
c19700c3 | 254 | (home-page "https://www.gnu.org/software/gnutls/") |
f50d2669 | 255 | (synopsis "Transport layer security library") |
7543f865 | 256 | (description |
a22dc0c4 | 257 | "GnuTLS is a secure communications library implementing the SSL, TLS |
79c311b8 | 258 | and DTLS protocols. It is provided in the form of a C library to support the |
b30407b8 | 259 | protocols, as well as to parse and write X.509, PKCS #12, OpenPGP and other |
a22dc0c4 | 260 | required structures.") |
63e8bb12 LC |
261 | (license license:lgpl2.1+) |
262 | (properties '((ftp-server . "ftp.gnutls.org") | |
263 | (ftp-directory . "/gcrypt/gnutls"))))) | |
74e2c0e0 | 264 | |
0b70eb03 SR |
265 | ;; Replacement package to fix CVE-2021-20305. |
266 | (define gnutls-3.6.16 | |
267 | (package | |
268 | (inherit gnutls) | |
269 | (version "3.6.16") | |
270 | (source (origin | |
271 | (method url-fetch) | |
272 | (uri (string-append "mirror://gnupg/gnutls/v" | |
273 | (version-major+minor version) | |
274 | "/gnutls-" version ".tar.xz")) | |
275 | (patches (search-patches "gnutls-skip-trust-store-test.patch" | |
276 | "gnutls-cross.patch")) | |
277 | (sha256 | |
278 | (base32 | |
4604d43c LC |
279 | "1czk511pslz367shf32f2jvvkp7y1323bcv88c2qng98mj0v6y8v")))) |
280 | (arguments | |
281 | (if (%current-target-system) | |
282 | (substitute-keyword-arguments (package-arguments gnutls) | |
283 | ((#:phases phases '%standard-phases) | |
284 | `(modify-phases ,phases | |
285 | (add-before 'configure 'build-eccdata-headers | |
286 | (lambda* (#:key configure-flags #:allow-other-keys) | |
287 | ;; Build the 'ecc/eccdata' program using the native | |
288 | ;; compiler, not the cross-compiler as happens by default, | |
289 | ;; and use it to build lib/nettle/ecc/ecc-*.h. In GnuTLS | |
290 | ;; 3.6.15, this was not necessary because the tarball | |
291 | ;; contained pre-generated lib/nettle/ecc/ecc-*.h files as | |
292 | ;; well as 'ecc/eccdata.stamp'. | |
293 | (let ((jobs (number->string (parallel-job-count))) | |
294 | (patch (assoc-ref %standard-phases | |
295 | 'patch-generated-file-shebangs))) | |
296 | (mkdir "+native-build") | |
297 | (with-directory-excursion "+native-build" | |
298 | ;; Build natively, with the native compiler, GMP, etc. | |
299 | (invoke "../configure" | |
300 | (string-append "SHELL=" (which "sh")) | |
301 | (string-append "CONFIG_SHELL=" (which "sh")) | |
302 | "NETTLE_CFLAGS= " "NETTLE_LIBS= " | |
303 | "HOGWEED_CFLAGS= " "HOGWEED_LIBS= " | |
304 | "LIBTASN1_CFLAGS= " "LIBTASN1_LIBS= " | |
305 | "ac_cv_func_nettle_rsa_sec_decrypt=yes" | |
306 | "--without-p11-kit" "--disable-guile") | |
307 | (patch) | |
308 | (invoke "make" "-C" "gl" "-j" jobs) | |
309 | (invoke "make" "-C" "lib/nettle" "V=1" "-j" jobs)) | |
310 | ||
311 | ;; Copy the files we obtained during native build. | |
312 | (for-each (lambda (file) | |
313 | (install-file file "lib/nettle/ecc")) | |
314 | (find-files | |
315 | "+native-build/lib/nettle/ecc" | |
316 | "^(eccdata\\.stamp|ecc-.*\\.h)$")))))))) | |
317 | (package-arguments gnutls))) | |
318 | (native-inputs | |
319 | (if (%current-target-system) | |
320 | `(("libtasn1" ,libtasn1) ;for 'ecc/eccdata' | |
321 | ("libidn2" ,libidn2) | |
322 | ("nettle" ,nettle) | |
323 | ("zlib" ,zlib) | |
324 | ,@(package-native-inputs gnutls)) | |
325 | (package-native-inputs gnutls))))) | |
0b70eb03 | 326 | |
a270af31 LF |
327 | (define-public gnutls/guile-2.0 |
328 | ;; GnuTLS for Guile 2.0. | |
329 | (package/inherit gnutls | |
a0700787 LC |
330 | (name "guile2.0-gnutls") |
331 | (inputs `(("guile" ,guile-2.0) | |
58ea4d40 | 332 | ,@(alist-delete "guile" (package-inputs gnutls)))))) |
079f013b | 333 | |
5b9aa107 | 334 | (define-public gnutls/dane |
335 | ;; GnuTLS with build libgnutls-dane, implementing DNS-based | |
336 | ;; Authentication of Named Entities. This is required for GNS functionality | |
337 | ;; by GNUnet and gnURL. This is done in an extra package definition | |
338 | ;; to have the choice between GnuTLS with Dane and without Dane. | |
51a365c1 | 339 | (package/inherit gnutls |
5b9aa107 | 340 | (name "gnutls-dane") |
341 | (inputs `(("unbound" ,unbound) | |
342 | ,@(package-inputs gnutls))))) | |
343 | ||
67a3c8ed | 344 | (define-public guile2.2-gnutls |
74e2c0e0 | 345 | (package/inherit gnutls |
67a3c8ed MB |
346 | (name "guile2.2-gnutls") |
347 | (inputs `(("guile" ,guile-2.2) | |
d630d781 | 348 | ,@(alist-delete "guile" |
5f9f034e | 349 | (package-inputs gnutls)))))) |
d630d781 | 350 | |
4e6c9f56 LC |
351 | (define-public guile3.0-gnutls |
352 | (deprecated-package "guile3.0-gnutls" gnutls)) | |
67a3c8ed | 353 | |
cc2b77df AE |
354 | (define-public openssl |
355 | (package | |
356 | (name "openssl") | |
0cb4032f | 357 | (version "1.1.1j") |
250a216c | 358 | (replacement openssl-1.1.1k) |
cc2b77df | 359 | (source (origin |
4cff124b | 360 | (method url-fetch) |
bdf0b6fc MB |
361 | (uri (list (string-append "https://www.openssl.org/source/openssl-" |
362 | version ".tar.gz") | |
363 | (string-append "ftp://ftp.openssl.org/source/" | |
c7f5c3ea | 364 | "openssl-" version ".tar.gz") |
4cff124b LC |
365 | (string-append "ftp://ftp.openssl.org/source/old/" |
366 | (string-trim-right version char-set:letter) | |
c7f5c3ea | 367 | "/openssl-" version ".tar.gz"))) |
c4868e38 | 368 | (patches (search-patches "openssl-1.1-c-rehash-in.patch")) |
4cff124b LC |
369 | (sha256 |
370 | (base32 | |
0cb4032f | 371 | "1gw17520vh13izy1xf5q0a2fqgcayymjjj5bk0dlkxndfnszrwma")))) |
cc2b77df | 372 | (build-system gnu-build-system) |
8c78aeb7 | 373 | (outputs '("out" |
e74f153a MB |
374 | "doc" ;6.8 MiB of man3 pages and full HTML documentation |
375 | "static")) ;6.4 MiB of .a files | |
cc2b77df AE |
376 | (native-inputs `(("perl" ,perl))) |
377 | (arguments | |
88b52527 | 378 | `(#:parallel-tests? #f |
cc2b77df | 379 | #:test-target "test" |
8c9ec203 LF |
380 | |
381 | ;; Changes to OpenSSL sometimes cause Perl to "sneak in" to the closure, | |
382 | ;; so we explicitly disallow it here. | |
383 | #:disallowed-references ,(list (canonical-package perl)) | |
cc2b77df | 384 | #:phases |
b6cb1358 | 385 | (modify-phases %standard-phases |
d4dbcb81 EF |
386 | ,@(if (%current-target-system) |
387 | '((add-before | |
388 | 'configure 'set-cross-compile | |
389 | (lambda* (#:key target outputs #:allow-other-keys) | |
390 | (setenv "CROSS_COMPILE" (string-append target "-")) | |
391 | (setenv "CONFIGURE_TARGET_ARCH" | |
392 | (cond | |
393 | ((string-prefix? "i586" target) | |
394 | "hurd-x86") | |
395 | ((string-prefix? "i686" target) | |
396 | "linux-x86") | |
397 | ((string-prefix? "x86_64" target) | |
398 | "linux-x86_64") | |
399 | ((string-prefix? "mips64el" target) | |
400 | "linux-mips64") | |
401 | ((string-prefix? "arm" target) | |
402 | "linux-armv4") | |
403 | ((string-prefix? "aarch64" target) | |
c8535c25 EF |
404 | "linux-aarch64") |
405 | ((string-prefix? "powerpc64le" target) | |
406 | "linux-ppc64le") | |
407 | ((string-prefix? "powerpc64" target) | |
408 | "linux-ppc64") | |
409 | ((string-prefix? "powerpc" target) | |
410 | "linux-ppc"))) | |
d4dbcb81 EF |
411 | #t))) |
412 | '()) | |
e74f153a MB |
413 | (replace 'configure |
414 | (lambda* (#:key outputs #:allow-other-keys) | |
415 | (let* ((out (assoc-ref outputs "out")) | |
416 | (lib (string-append out "/lib"))) | |
417 | ;; It's not a shebang so patch-source-shebangs misses it. | |
418 | (substitute* "config" | |
419 | (("/usr/bin/env") | |
420 | (string-append (assoc-ref %build-inputs "coreutils") | |
421 | "/bin/env"))) | |
bdcdd550 | 422 | (invoke ,@(if (%current-target-system) |
d4dbcb81 EF |
423 | '("./Configure") |
424 | '("./config")) | |
e74f153a MB |
425 | "shared" ;build shared libraries |
426 | "--libdir=lib" | |
4fb254a3 | 427 | |
e74f153a MB |
428 | ;; The default for this catch-all directory is |
429 | ;; PREFIX/ssl. Change that to something more | |
430 | ;; conventional. | |
431 | (string-append "--openssldir=" out | |
b082ea94 LF |
432 | "/share/openssl-" |
433 | ,(package-version this-package)) | |
4fb254a3 | 434 | |
e74f153a | 435 | (string-append "--prefix=" out) |
bdcdd550 | 436 | (string-append "-Wl,-rpath," lib) |
d4dbcb81 EF |
437 | ,@(if (%current-target-system) |
438 | '((getenv "CONFIGURE_TARGET_ARCH")) | |
439 | '()))))) | |
8c78aeb7 LC |
440 | (add-after 'install 'move-static-libraries |
441 | (lambda* (#:key outputs #:allow-other-keys) | |
442 | ;; Move static libraries to the "static" output. | |
443 | (let* ((out (assoc-ref outputs "out")) | |
444 | (lib (string-append out "/lib")) | |
445 | (static (assoc-ref outputs "static")) | |
446 | (slib (string-append static "/lib"))) | |
8c78aeb7 LC |
447 | (for-each (lambda (file) |
448 | (install-file file slib) | |
449 | (delete-file file)) | |
450 | (find-files lib "\\.a$")) | |
451 | #t))) | |
e74f153a | 452 | (add-after 'install 'move-extra-documentation |
a909b576 | 453 | (lambda* (#:key outputs #:allow-other-keys) |
e74f153a MB |
454 | ;; Move man3 pages and full HTML documentation to "doc". |
455 | (let* ((out (assoc-ref outputs "out")) | |
456 | (man3 (string-append out "/share/man/man3")) | |
457 | (html (string-append out "/share/doc/openssl")) | |
458 | (doc (assoc-ref outputs "doc")) | |
459 | (man-target (string-append doc "/share/man/man3")) | |
460 | (html-target (string-append doc "/share/doc/openssl"))) | |
461 | (copy-recursively man3 man-target) | |
462 | (delete-file-recursively man3) | |
463 | (copy-recursively html html-target) | |
464 | (delete-file-recursively html) | |
465 | #t))) | |
784d6e91 LC |
466 | (add-after |
467 | 'install 'remove-miscellany | |
468 | (lambda* (#:key outputs #:allow-other-keys) | |
469 | ;; The 'misc' directory contains random undocumented shell and Perl | |
470 | ;; scripts. Remove them to avoid retaining a reference on Perl. | |
471 | (let ((out (assoc-ref outputs "out"))) | |
472 | (delete-file-recursively (string-append out "/share/openssl-" | |
b082ea94 LF |
473 | ,(package-version this-package) |
474 | "/misc")) | |
784d6e91 | 475 | #t)))))) |
cc2b77df | 476 | (native-search-paths |
cc2b77df AE |
477 | (list (search-path-specification |
478 | (variable "SSL_CERT_DIR") | |
5d7a47cc | 479 | (separator #f) ;single entry |
cc2b77df AE |
480 | (files '("etc/ssl/certs"))) |
481 | (search-path-specification | |
482 | (variable "SSL_CERT_FILE") | |
5d7a47cc MB |
483 | (file-type 'regular) |
484 | (separator #f) ;single entry | |
cc2b77df AE |
485 | (files '("etc/ssl/certs/ca-certificates.crt"))))) |
486 | (synopsis "SSL/TLS implementation") | |
487 | (description | |
e881752c | 488 | "OpenSSL is an implementation of SSL/TLS.") |
e9aa8d0c | 489 | (license license:openssl) |
4631e6c9 | 490 | (home-page "https://www.openssl.org/"))) |
cc2b77df | 491 | |
250a216c MB |
492 | ;; Replacement package to fix CVE-2021-3449 and CVE-2021-3450. |
493 | (define openssl-1.1.1k | |
494 | (package | |
495 | (inherit openssl) | |
496 | (version "1.1.1k") | |
497 | (source (origin | |
498 | (method url-fetch) | |
499 | (uri (list (string-append "https://www.openssl.org/source/openssl-" | |
500 | version ".tar.gz") | |
501 | (string-append "ftp://ftp.openssl.org/source/" | |
502 | "openssl-" version ".tar.gz") | |
503 | (string-append "ftp://ftp.openssl.org/source/old/" | |
504 | (string-trim-right version char-set:letter) | |
505 | "/openssl-" version ".tar.gz"))) | |
506 | (patches (search-patches "openssl-1.1-c-rehash-in.patch")) | |
507 | (sha256 | |
508 | (base32 | |
509 | "1rdfzcrxy9y38wqdw5942vmdax9hjhgrprzxm42csal7p5shhal9")))))) | |
510 | ||
e74f153a | 511 | (define-public openssl-1.0 |
763899f0 LF |
512 | (package |
513 | (inherit openssl) | |
514 | (name "openssl") | |
b0b79542 | 515 | (version "1.0.2u") |
763899f0 | 516 | (source (origin |
e74f153a MB |
517 | (method url-fetch) |
518 | (uri (list (string-append "https://www.openssl.org/source/openssl-" | |
519 | version ".tar.gz") | |
520 | (string-append "ftp://ftp.openssl.org/source/" | |
521 | "openssl-" version ".tar.gz") | |
522 | (string-append "ftp://ftp.openssl.org/source/old/" | |
523 | (string-trim-right version char-set:letter) | |
524 | "/openssl-" version ".tar.gz"))) | |
763899f0 LF |
525 | (sha256 |
526 | (base32 | |
b0b79542 | 527 | "05lxcs4hzyfqd5jn0d9p0fvqna62v2s4pc9qgmq0dpcknkzwdl7c")) |
e74f153a MB |
528 | (patches (search-patches "openssl-runpath.patch" |
529 | "openssl-c-rehash-in.patch")))) | |
763899f0 | 530 | (outputs '("out" |
e74f153a MB |
531 | "doc" ;1.5MiB of man3 pages |
532 | "static")) ;6MiB of .a files | |
763899f0 LF |
533 | (arguments |
534 | (substitute-keyword-arguments (package-arguments openssl) | |
8fc24f30 MB |
535 | ;; Parallel build is not supported in 1.0.x. |
536 | ((#:parallel-build? _ #f) #f) | |
763899f0 LF |
537 | ((#:phases phases) |
538 | `(modify-phases ,phases | |
e74f153a MB |
539 | (add-before 'patch-source-shebangs 'patch-tests |
540 | (lambda* (#:key inputs native-inputs #:allow-other-keys) | |
541 | (let ((bash (assoc-ref (or native-inputs inputs) "bash"))) | |
542 | (substitute* (find-files "test" ".*") | |
543 | (("/bin/sh") | |
544 | (string-append bash "/bin/sh")) | |
545 | (("/bin/rm") | |
546 | "rm")) | |
547 | #t))) | |
548 | (add-before 'configure 'patch-Makefile.org | |
763899f0 | 549 | (lambda* (#:key outputs #:allow-other-keys) |
e74f153a MB |
550 | ;; The default MANDIR is some unusual place. Fix that. |
551 | (let ((out (assoc-ref outputs "out"))) | |
552 | (patch-makefile-SHELL "Makefile.org") | |
553 | (substitute* "Makefile.org" | |
554 | (("^MANDIR[[:blank:]]*=.*$") | |
555 | (string-append "MANDIR = " out "/share/man\n"))) | |
556 | #t))) | |
bdcdd550 MO |
557 | (replace 'configure |
558 | ;; Override this phase because OpenSSL 1.0 does not understand -rpath. | |
559 | (lambda* (#:key outputs #:allow-other-keys) | |
560 | (let ((out (assoc-ref outputs "out"))) | |
561 | (invoke ,@(if (%current-target-system) | |
562 | '("./Configure") | |
563 | '("./config")) | |
564 | "shared" ;build shared libraries | |
565 | "--libdir=lib" | |
fc184fe2 | 566 | |
bdcdd550 MO |
567 | ;; The default for this catch-all directory is |
568 | ;; PREFIX/ssl. Change that to something more | |
569 | ;; conventional. | |
570 | (string-append "--openssldir=" out | |
571 | "/share/openssl-" ,version) | |
fc184fe2 | 572 | |
bdcdd550 MO |
573 | (string-append "--prefix=" out) |
574 | ,@(if (%current-target-system) | |
575 | '((getenv "CONFIGURE_TARGET_ARCH")) | |
576 | '()))))) | |
e74f153a MB |
577 | (delete 'move-extra-documentation) |
578 | (add-after 'install 'move-man3-pages | |
579 | (lambda* (#:key outputs #:allow-other-keys) | |
580 | ;; Move section 3 man pages to "doc". | |
581 | (let* ((out (assoc-ref outputs "out")) | |
582 | (man3 (string-append out "/share/man/man3")) | |
583 | (doc (assoc-ref outputs "doc")) | |
584 | (target (string-append doc "/share/man/man3"))) | |
585 | (mkdir-p target) | |
586 | (for-each (lambda (file) | |
587 | (rename-file file | |
588 | (string-append target "/" | |
589 | (basename file)))) | |
590 | (find-files man3)) | |
591 | (delete-file-recursively man3) | |
592 | #t))) | |
fc184fe2 MB |
593 | ;; XXX: Duplicate this phase to make sure 'version' evaluates |
594 | ;; in the current scope and not the inherited one. | |
595 | (replace 'remove-miscellany | |
596 | (lambda* (#:key outputs #:allow-other-keys) | |
597 | ;; The 'misc' directory contains random undocumented shell and Perl | |
598 | ;; scripts. Remove them to avoid retaining a reference on Perl. | |
599 | (let ((out (assoc-ref outputs "out"))) | |
600 | (delete-file-recursively (string-append out "/share/openssl-" | |
601 | ,version "/misc")) | |
763899f0 LF |
602 | #t))))))))) |
603 | ||
cb6a802c AE |
604 | (define-public libressl |
605 | (package | |
606 | (name "libressl") | |
618dbc14 | 607 | (version "3.3.3") |
644e5f17 TGR |
608 | (source (origin |
609 | (method url-fetch) | |
610 | (uri (string-append "mirror://openbsd/LibreSSL/" | |
ce1178d5 | 611 | "libressl-" version ".tar.gz")) |
644e5f17 TGR |
612 | (sha256 |
613 | (base32 | |
618dbc14 | 614 | "0rihprcgxsydsbcqgd1952k2cfn4jmp7rlyp1c6sglfc6rdmcwd4")))) |
cb6a802c | 615 | (build-system gnu-build-system) |
a2d64899 | 616 | (arguments |
76a9bad3 BW |
617 | `(#:configure-flags |
618 | (list | |
619 | ;; Do as if 'getentropy' were missing: Linux kernels before 3.17 lack its | |
620 | ;; underlying 'getrandom' system call and ENOSYS isn't properly handled. | |
621 | ;; See <https://lists.gnu.org/archive/html/guix-devel/2017-04/msg00235.html>. | |
622 | "ac_cv_func_getentropy=no" | |
623 | ;; FIXME It's using it's own bundled certificate, instead it should | |
624 | ;; behave like OpenSSL by using environment variables. | |
625 | (string-append "--with-openssldir=" %output | |
626 | "/share/libressl-" | |
627 | ,(package-version this-package)) | |
628 | ;; Provide a TLS-enabled netcat. | |
629 | "--enable-nc"))) | |
2ed12d3f | 630 | (home-page "https://www.libressl.org/") |
cb6a802c | 631 | (synopsis "SSL/TLS implementation") |
df08f385 LF |
632 | (description "LibreSSL is a version of the TLS/crypto stack, forked from |
633 | OpenSSL in 2014 with the goals of modernizing the codebase, improving security, | |
634 | and applying best practice development processes. This package also includes a | |
635 | netcat implementation that supports TLS.") | |
cb6a802c AE |
636 | ;; Files taken from OpenSSL keep their license, others are under various |
637 | ;; non-copyleft licenses. | |
638 | (license (list license:openssl | |
639 | (license:non-copyleft | |
640 | "file://COPYING" | |
641 | "See COPYING in the distribution."))))) | |
642 | ||
6cefd53d | 643 | (define-public python-acme |
7890e3ba | 644 | (package |
6cefd53d | 645 | (name "python-acme") |
686d4259 | 646 | ;; Remember to update the hash of certbot when updating python-acme. |
2bb789f6 | 647 | (version "1.16.0") |
7890e3ba | 648 | (source (origin |
9495cf9a | 649 | (method url-fetch) |
f349d36e | 650 | (uri (pypi-uri "acme" version)) |
881006b6 MB |
651 | (sha256 |
652 | (base32 | |
2bb789f6 | 653 | "0mvqc8z30sxgr1m4p3yi3rm76sndnvl5khv4ybwx6zyq42403y51")))) |
7890e3ba LF |
654 | (build-system python-build-system) |
655 | (arguments | |
6cefd53d | 656 | `(#:phases |
9bee9d87 | 657 | (modify-phases %standard-phases |
1fc8476d MB |
658 | (add-after 'build 'build-documentation |
659 | (lambda _ | |
d4bd2453 | 660 | (invoke "make" "-C" "docs" "man" "info"))) |
1fc8476d | 661 | (add-after 'install 'install-documentation |
50a7963a LF |
662 | (lambda* (#:key outputs #:allow-other-keys) |
663 | (let* ((out (assoc-ref outputs "out")) | |
664 | (man (string-append out "/share/man/man1")) | |
665 | (info (string-append out "/info"))) | |
1fc8476d MB |
666 | (install-file "docs/_build/texinfo/acme-python.info" info) |
667 | (install-file "docs/_build/man/acme-python.1" man) | |
668 | #t)))))) | |
7890e3ba | 669 | (native-inputs |
c3a75373 | 670 | `(("python-pytest" ,python-pytest) |
50a7963a LF |
671 | ;; For documentation |
672 | ("python-sphinx" ,python-sphinx) | |
673 | ("python-sphinxcontrib-programoutput" ,python-sphinxcontrib-programoutput) | |
674 | ("python-sphinx-rtd-theme" ,python-sphinx-rtd-theme) | |
50a7963a | 675 | ("texinfo" ,texinfo))) |
7890e3ba | 676 | (propagated-inputs |
92572184 | 677 | `(("python-josepy" ,python-josepy) |
6cefd53d | 678 | ("python-requests" ,python-requests) |
b494bbe4 | 679 | ("python-requests-toolbelt" ,python-requests-toolbelt) |
6cefd53d LF |
680 | ("python-pytz" ,python-pytz) |
681 | ("python-pyrfc3339" ,python-pyrfc3339) | |
682 | ("python-pyasn1" ,python-pyasn1) | |
683 | ("python-cryptography" ,python-cryptography) | |
684 | ("python-pyopenssl" ,python-pyopenssl))) | |
4631e6c9 | 685 | (home-page "https://github.com/certbot/certbot") |
7890e3ba LF |
686 | (synopsis "ACME protocol implementation in Python") |
687 | (description "ACME protocol implementation in Python") | |
688 | (license license:asl2.0))) | |
689 | ||
9495cf9a | 690 | (define-public certbot |
9fd0838b | 691 | (package |
9495cf9a | 692 | (name "certbot") |
686d4259 LF |
693 | ;; Certbot and python-acme are developed in the same repository, and their |
694 | ;; versions should remain synchronized. | |
695 | (version (package-version python-acme)) | |
9fd0838b DT |
696 | (source (origin |
697 | (method url-fetch) | |
b380463b | 698 | (uri (pypi-uri "certbot" version)) |
9fd0838b DT |
699 | (sha256 |
700 | (base32 | |
2bb789f6 | 701 | "0z90pcndbks8f62f47m5nkqcmkabb8r526by29lp30x4gjc0xs04")))) |
9fd0838b DT |
702 | (build-system python-build-system) |
703 | (arguments | |
fed1898d | 704 | `(,@(substitute-keyword-arguments (package-arguments python-acme) |
f26d6e4e LF |
705 | ((#:phases phases) |
706 | `(modify-phases ,phases | |
1fc8476d | 707 | (replace 'install-documentation |
f26d6e4e LF |
708 | (lambda* (#:key outputs #:allow-other-keys) |
709 | (let* ((out (assoc-ref outputs "out")) | |
710 | (man1 (string-append out "/share/man/man1")) | |
711 | (man7 (string-append out "/share/man/man7")) | |
712 | (info (string-append out "/info"))) | |
1fc8476d MB |
713 | (install-file "docs/_build/texinfo/Certbot.info" info) |
714 | (install-file "docs/_build/man/certbot.1" man1) | |
715 | (install-file "docs/_build/man/certbot.7" man7) | |
716 | #t)))))))) | |
9fd0838b | 717 | (native-inputs |
d05c14df TGR |
718 | `(("python-mock" ,python-mock) |
719 | ("python-pytest" ,python-pytest) | |
f9263d9a | 720 | ;; For documentation |
fed1898d LF |
721 | ("python-sphinx" ,python-sphinx) |
722 | ("python-sphinx-rtd-theme" ,python-sphinx-rtd-theme) | |
723 | ("python-sphinx-repoze-autointerface" ,python-sphinx-repoze-autointerface) | |
724 | ("python-sphinxcontrib-programoutput" ,python-sphinxcontrib-programoutput) | |
f9263d9a | 725 | ("texinfo" ,texinfo))) |
9fd0838b | 726 | (propagated-inputs |
fed1898d | 727 | `(("python-acme" ,python-acme) |
d05c14df | 728 | ("python-cryptography" ,python-cryptography) |
fed1898d LF |
729 | ("python-zope-interface" ,python-zope-interface) |
730 | ("python-pyrfc3339" ,python-pyrfc3339) | |
731 | ("python-pyopenssl" ,python-pyopenssl) | |
732 | ("python-configobj" ,python-configobj) | |
733 | ("python-configargparse" ,python-configargparse) | |
b977d900 | 734 | ("python-distro" ,python-distro) |
fed1898d LF |
735 | ("python-zope-component" ,python-zope-component) |
736 | ("python-parsedatetime" ,python-parsedatetime) | |
fed1898d LF |
737 | ("python-psutil" ,python-psutil) |
738 | ("python-requests" ,python-requests) | |
739 | ("python-pytz" ,python-pytz))) | |
d8a1be63 | 740 | (synopsis "Let's Encrypt client by the Electronic Frontier Foundation") |
80968df0 TGR |
741 | (description "Certbot automatically receives and installs X.509 certificates |
742 | to enable Transport Layer Security (TLS) on servers. It interoperates with the | |
743 | Let’s Encrypt certificate authority (CA), which issues browser-trusted | |
744 | certificates for free.") | |
24778368 | 745 | (home-page "https://certbot.eff.org/") |
9fd0838b DT |
746 | (license license:asl2.0))) |
747 | ||
9495cf9a LF |
748 | (define-public letsencrypt |
749 | (package (inherit certbot) | |
56ab55d1 LF |
750 | (name "letsencrypt") |
751 | (properties `((superseded . ,certbot))))) | |
9495cf9a | 752 | |
cc2b77df AE |
753 | (define-public perl-net-ssleay |
754 | (package | |
755 | (name "perl-net-ssleay") | |
966e4bea | 756 | (version "1.88") |
cc2b77df AE |
757 | (source (origin |
758 | (method url-fetch) | |
c50f15d6 | 759 | (uri (string-append "mirror://cpan/authors/id/C/CH/CHRISN/" |
cc2b77df AE |
760 | "Net-SSLeay-" version ".tar.gz")) |
761 | (sha256 | |
762 | (base32 | |
966e4bea | 763 | "1pfgh4h3szcpvqlcimc60pjbk9zwls99x5863sva0wc47i4dl010")))) |
cc2b77df AE |
764 | (build-system perl-build-system) |
765 | (inputs `(("openssl" ,openssl))) | |
766 | (arguments | |
1084ec08 MW |
767 | `(#:phases |
768 | (modify-phases %standard-phases | |
1084ec08 MW |
769 | (add-before |
770 | 'configure 'set-ssl-prefix | |
771 | (lambda* (#:key inputs #:allow-other-keys) | |
772 | (setenv "OPENSSL_PREFIX" (assoc-ref inputs "openssl")) | |
773 | #t))))) | |
cc2b77df AE |
774 | (synopsis "Perl extension for using OpenSSL") |
775 | (description | |
776 | "This module offers some high level convenience functions for accessing | |
777 | web pages on SSL servers (for symmetry, the same API is offered for accessing | |
778 | http servers, too), an sslcat() function for writing your own clients, and | |
779 | finally access to the SSL api of the SSLeay/OpenSSL package so you can write | |
780 | servers or clients for more complicated applications.") | |
2f3108ad | 781 | (license license:perl-license) |
9aba9b12 | 782 | (home-page "https://metacpan.org/release/Net-SSLeay"))) |
4532c0c0 DM |
783 | |
784 | (define-public perl-crypt-openssl-rsa | |
785 | (package | |
786 | (name "perl-crypt-openssl-rsa") | |
a9994b27 | 787 | (version "0.31") |
4532c0c0 DM |
788 | (source |
789 | (origin | |
790 | (method url-fetch) | |
791 | (uri (string-append | |
683b8d47 | 792 | "mirror://cpan/authors/id/T/TO/TODDR/Crypt-OpenSSL-RSA-" |
4532c0c0 DM |
793 | version |
794 | ".tar.gz")) | |
795 | (sha256 | |
796 | (base32 | |
a9994b27 | 797 | "0djl5i6kibl7862b6ih29q8dhg5zpwzq77q9j8hp6xngshx40ws1")))) |
4532c0c0 | 798 | (build-system perl-build-system) |
683b8d47 TGR |
799 | (native-inputs |
800 | `(("perl-crypt-openssl-guess" ,perl-crypt-openssl-guess))) | |
4532c0c0 DM |
801 | (inputs |
802 | `(("perl-crypt-openssl-bignum" ,perl-crypt-openssl-bignum) | |
803 | ("perl-crypt-openssl-random" ,perl-crypt-openssl-random) | |
804 | ("openssl" ,openssl))) | |
805 | (arguments perl-crypt-arguments) | |
806 | (home-page | |
9aba9b12 | 807 | "https://metacpan.org/release/Crypt-OpenSSL-RSA") |
4532c0c0 DM |
808 | (synopsis |
809 | "RSA encoding and decoding, using the openSSL libraries") | |
810 | (description "Crypt::OpenSSL::RSA does RSA encoding and decoding (using the | |
811 | OpenSSL libraries).") | |
2f3108ad | 812 | (license license:perl-license))) |
adff71ca DM |
813 | |
814 | (define perl-crypt-arguments | |
815 | `(#:phases (modify-phases %standard-phases | |
816 | (add-before 'configure 'patch-Makefile.PL | |
817 | (lambda* (#:key inputs #:allow-other-keys) | |
818 | (substitute* "Makefile.PL" | |
819 | (("'LIBS'.*=>.*") (string-append "'LIBS' => ['-L" | |
820 | (assoc-ref inputs "openssl") | |
821 | "/lib -lcrypto'],"))) | |
822 | #t))))) | |
823 | ||
824 | (define-public perl-crypt-openssl-bignum | |
825 | (package | |
826 | (name "perl-crypt-openssl-bignum") | |
7e8aac18 | 827 | (version "0.09") |
adff71ca DM |
828 | (source |
829 | (origin | |
830 | (method url-fetch) | |
831 | (uri (string-append | |
832 | "mirror://cpan/authors/id/K/KM/KMX/Crypt-OpenSSL-Bignum-" | |
833 | version | |
834 | ".tar.gz")) | |
835 | (sha256 | |
836 | (base32 | |
7e8aac18 | 837 | "1p22znbajq91lbk2k3yg12ig7hy5b4vy8igxwqkmbm4nhgxp4ki3")))) |
adff71ca DM |
838 | (build-system perl-build-system) |
839 | (inputs `(("openssl" ,openssl))) | |
840 | (arguments perl-crypt-arguments) | |
841 | (home-page | |
9aba9b12 | 842 | "https://metacpan.org/release/Crypt-OpenSSL-Bignum") |
adff71ca DM |
843 | (synopsis |
844 | "OpenSSL's multiprecision integer arithmetic in Perl") | |
845 | (description "Crypt::OpenSSL::Bignum provides multiprecision integer | |
846 | arithmetic in Perl.") | |
847 | ;; At your option either gpl1+ or the Artistic License | |
2f3108ad | 848 | (license license:perl-license))) |
cccb4d26 | 849 | |
c80590f6 TGR |
850 | (define-public perl-crypt-openssl-guess |
851 | (package | |
852 | (name "perl-crypt-openssl-guess") | |
853 | (version "0.11") | |
854 | (source | |
855 | (origin | |
856 | (method url-fetch) | |
857 | (uri (string-append | |
858 | "mirror://cpan/authors/id/A/AK/AKIYM/Crypt-OpenSSL-Guess-" | |
859 | version ".tar.gz")) | |
860 | (sha256 | |
861 | (base32 | |
862 | "0rvi9l4ljcbhwwvspq019nfq2h2v746dk355h2nwnlmqikiihsxa")))) | |
863 | (build-system perl-build-system) | |
9aba9b12 | 864 | (home-page "https://metacpan.org/release/Crypt-OpenSSL-Guess") |
c80590f6 TGR |
865 | (synopsis "Guess the OpenSSL include path") |
866 | (description | |
867 | "The Crypt::OpenSSL::Guess Perl module provides helpers to guess the | |
868 | correct OpenSSL include path. It is intended for use in your | |
869 | @file{Makefile.PL}.") | |
870 | (license license:perl-license))) | |
871 | ||
cccb4d26 DM |
872 | (define-public perl-crypt-openssl-random |
873 | (package | |
874 | (name "perl-crypt-openssl-random") | |
fa2d19cc | 875 | (version "0.15") |
cccb4d26 DM |
876 | (source |
877 | (origin | |
878 | (method url-fetch) | |
879 | (uri (string-append | |
880 | "mirror://cpan/authors/id/R/RU/RURBAN/Crypt-OpenSSL-Random-" | |
881 | version | |
882 | ".tar.gz")) | |
883 | (sha256 | |
fa2d19cc | 884 | (base32 "1x6ffps8q7mnawmcfq740llzy7i10g3319vap0wiw4d33fm6z1zh")))) |
cccb4d26 | 885 | (build-system perl-build-system) |
b30c23c4 TGR |
886 | (native-inputs |
887 | `(("perl-crypt-openssl-guess" ,perl-crypt-openssl-guess))) | |
888 | (inputs | |
889 | `(("openssl" ,openssl))) | |
cccb4d26 DM |
890 | (arguments perl-crypt-arguments) |
891 | (home-page | |
9aba9b12 | 892 | "https://metacpan.org/release/Crypt-OpenSSL-Random") |
cccb4d26 DM |
893 | (synopsis |
894 | "OpenSSL/LibreSSL pseudo-random number generator access") | |
895 | (description "Crypt::OpenSSL::Random is a OpenSSL/LibreSSL pseudo-random | |
896 | number generator") | |
2f3108ad | 897 | (license license:perl-license))) |
0581c273 LF |
898 | |
899 | (define-public acme-client | |
900 | (package | |
901 | (name "acme-client") | |
4a6b2a21 | 902 | (version "0.1.16") |
0581c273 LF |
903 | (source (origin |
904 | (method url-fetch) | |
905 | (uri (string-append "https://kristaps.bsd.lv/" name "/" | |
906 | "snapshots/" name "-portable-" | |
907 | version ".tgz")) | |
908 | (sha256 | |
909 | (base32 | |
4a6b2a21 | 910 | "00q05b3b1dfnfp7sr1nbd212n0mqrycl3cr9lbs51m7ncaihbrz9")))) |
0581c273 LF |
911 | (build-system gnu-build-system) |
912 | (arguments | |
913 | '(#:tests? #f ; no test suite | |
914 | #:make-flags | |
915 | (list "CC=gcc" | |
916 | (string-append "PREFIX=" (assoc-ref %outputs "out"))) | |
917 | #:phases | |
918 | (modify-phases %standard-phases | |
7c1a7bf4 LF |
919 | (add-after 'unpack 'patch-paths |
920 | (lambda* (#:key inputs #:allow-other-keys) | |
921 | (let ((pem (string-append (assoc-ref inputs "libressl") | |
922 | "/etc/ssl/cert.pem"))) | |
923 | (substitute* "http.c" | |
924 | (("/etc/ssl/cert.pem") pem)) | |
925 | #t))) | |
0581c273 | 926 | (delete 'configure)))) ; no './configure' script |
4b569a4f LF |
927 | (native-inputs |
928 | `(("pkg-config" ,pkg-config))) | |
0581c273 LF |
929 | (inputs |
930 | `(("libbsd" ,libbsd) | |
931 | ("libressl" ,libressl))) | |
932 | (synopsis "Let's Encrypt client by the OpenBSD project") | |
933 | (description "acme-client is a Let's Encrypt client implemented in C. It | |
934 | uses a modular design, and attempts to secure itself by dropping privileges and | |
935 | operating in a chroot where possible. acme-client is developed on OpenBSD and | |
936 | then ported to the GNU / Linux environment.") | |
937 | (home-page "https://kristaps.bsd.lv/acme-client/") | |
938 | ;; acme-client is distributed under the ISC license, but the files 'jsmn.h' | |
939 | ;; and 'jsmn.c' are distributed under the Expat license. | |
940 | (license (list license:isc license:expat)))) | |
88522738 | 941 | |
942 | ;; The "-apache" variant is the upstreamed prefered variant. A "-gpl" | |
943 | ;; variant exists in addition to the "-apache" one. | |
944 | (define-public mbedtls-apache | |
945 | (package | |
946 | (name "mbedtls-apache") | |
5cdb25c6 TGR |
947 | ;; XXX Check whether ‘-Wformat-signedness’ still breaks mbedtls-for-hiawatha |
948 | ;; when updating. | |
927ecd4e | 949 | (version "2.23.0") |
88522738 | 950 | (source |
951 | (origin | |
927ecd4e TGR |
952 | (method git-fetch) |
953 | (uri (git-reference | |
954 | (url "https://github.com/ARMmbed/mbedtls") | |
955 | (commit (string-append "mbedtls-" version)))) | |
88522738 | 956 | (sha256 |
927ecd4e TGR |
957 | (base32 "13fa9h2i989cbf8n8c0j019mshv6wg213va18my1s787lhcq2d62")) |
958 | (file-name (git-file-name name version)))) | |
88522738 | 959 | (build-system cmake-build-system) |
a64d9d56 RW |
960 | (arguments |
961 | `(#:configure-flags | |
92ebd8ed | 962 | (list "-DUSE_SHARED_MBEDTLS_LIBRARY=ON" |
927ecd4e TGR |
963 | "-DUSE_STATIC_MBEDTLS_LIBRARY=OFF") |
964 | #:phases | |
965 | (modify-phases %standard-phases | |
966 | (add-after 'unpack 'make-source-writable | |
967 | (lambda _ | |
968 | (for-each make-file-writable (find-files ".")) | |
927ecd4e | 969 | #t))))) |
88522738 | 970 | (native-inputs |
38a9bf80 TGR |
971 | `(("perl" ,perl) |
972 | ("python" ,python))) | |
88522738 | 973 | (synopsis "Small TLS library") |
974 | (description | |
975 | "@code{mbed TLS}, formerly known as PolarSSL, makes it trivially easy | |
976 | for developers to include cryptographic and SSL/TLS capabilities in their | |
977 | (embedded) products, facilitating this functionality with a minimal | |
978 | coding footprint.") | |
d4febc56 | 979 | (home-page "https://www.trustedfirmware.org/projects/mbed-tls/") |
88522738 | 980 | (license license:asl2.0))) |
587d1752 | 981 | |
8e87aa04 TGR |
982 | ;; The Hiawatha Web server requires some specific features to be enabled. |
983 | (define-public mbedtls-for-hiawatha | |
984 | (hidden-package | |
985 | (package | |
986 | (inherit mbedtls-apache) | |
987 | (arguments | |
5cdb25c6 TGR |
988 | (substitute-keyword-arguments (package-arguments mbedtls-apache) |
989 | ((#:phases phases) | |
990 | `(modify-phases ,phases | |
991 | (add-before 'configure 'configure-extra-features | |
992 | (lambda _ | |
993 | (for-each (lambda (feature) | |
994 | (invoke "scripts/config.pl" "set" feature)) | |
995 | (list "MBEDTLS_THREADING_C" | |
996 | "MBEDTLS_THREADING_PTHREAD")) | |
997 | ;; XXX The above enables code that breaks with -Werror… | |
998 | (substitute* "CMakeLists.txt" | |
999 | ((" -Wformat-signedness") "")) | |
1000 | #t))))))))) | |
8e87aa04 | 1001 | |
e8b3a158 CL |
1002 | (define-public dehydrated |
1003 | (package | |
1004 | (name "dehydrated") | |
69b98261 | 1005 | (version "0.7.0") |
e8b3a158 | 1006 | (source (origin |
2850d877 | 1007 | (method url-fetch) |
e8b3a158 | 1008 | (uri (string-append |
bb5ab9bf | 1009 | "https://github.com/dehydrated-io/dehydrated/releases/download/" |
2850d877 | 1010 | "v" version "/dehydrated-" version ".tar.gz")) |
e8b3a158 CL |
1011 | (sha256 |
1012 | (base32 | |
69b98261 | 1013 | "1yf4kldyd5y13r6qxrkcbbk74ykngq7jzy0351vb2r3ywp114pqw")))) |
e8b3a158 CL |
1014 | (build-system trivial-build-system) |
1015 | (arguments | |
c150d637 TGR |
1016 | `(#:modules ((guix build utils) |
1017 | (srfi srfi-26)) | |
e8b3a158 CL |
1018 | #:builder |
1019 | (begin | |
c150d637 TGR |
1020 | (use-modules (guix build utils) |
1021 | (srfi srfi-26)) | |
e8b3a158 | 1022 | (let* ((source (assoc-ref %build-inputs "source")) |
2850d877 EF |
1023 | (tar (assoc-ref %build-inputs "tar")) |
1024 | (gz (assoc-ref %build-inputs "gzip")) | |
e8b3a158 CL |
1025 | (out (assoc-ref %outputs "out")) |
1026 | (bin (string-append out "/bin")) | |
c150d637 TGR |
1027 | (doc (string-append out "/share/doc/" ,name "-" ,version)) |
1028 | (man (string-append out "/share/man")) | |
e8b3a158 | 1029 | (bash (in-vicinity (assoc-ref %build-inputs "bash") "bin"))) |
2850d877 EF |
1030 | |
1031 | (setenv "PATH" (string-append gz "/bin")) | |
1032 | (invoke (string-append tar "/bin/tar") "xvf" source) | |
1033 | (chdir (string-append ,name "-" ,version)) | |
1034 | ||
c150d637 TGR |
1035 | (copy-recursively "docs" doc) |
1036 | (install-file "LICENSE" doc) | |
1037 | ||
1038 | (mkdir-p man) | |
1039 | (rename-file (string-append doc "/man") | |
1040 | (string-append man "/man1")) | |
1041 | (for-each (cut invoke "gzip" "-9" <>) | |
1042 | (find-files man ".*")) | |
1043 | ||
2850d877 | 1044 | (install-file "dehydrated" bin) |
e8b3a158 | 1045 | (with-directory-excursion bin |
e8b3a158 CL |
1046 | (patch-shebang "dehydrated" (list bash)) |
1047 | ||
c150d637 | 1048 | ;; Do not try to write to the store. |
e8b3a158 CL |
1049 | (substitute* "dehydrated" |
1050 | (("SCRIPTDIR=\"\\$.*\"") "SCRIPTDIR=~/.dehydrated")) | |
1051 | ||
1052 | (setenv "PATH" bash) | |
1053 | (wrap-program "dehydrated" | |
1054 | `("PATH" ":" prefix | |
1055 | ,(map (lambda (dir) | |
1056 | (string-append dir "/bin")) | |
1057 | (map (lambda (input) | |
1058 | (assoc-ref %build-inputs input)) | |
1059 | '("coreutils" | |
1060 | "curl" | |
1061 | "diffutils" | |
1062 | "gawk" | |
1063 | "grep" | |
1064 | "openssl" | |
1065 | "sed")))))) | |
1066 | #t)))) | |
1067 | (inputs | |
1068 | `(("bash" ,bash) | |
1069 | ("coreutils" ,coreutils) | |
1070 | ("curl" ,curl) | |
1071 | ("diffutils" ,diffutils) | |
1072 | ("gawk" ,gawk) | |
1073 | ("grep" ,grep) | |
1074 | ("openssl" ,openssl) | |
1075 | ("sed" ,sed))) | |
2850d877 EF |
1076 | (native-inputs |
1077 | `(("gzip" ,gzip) | |
1078 | ("tar" ,tar))) | |
e8b3a158 CL |
1079 | (home-page "https://dehydrated.io/") |
1080 | (synopsis "Let's Encrypt/ACME client implemented as a shell script") | |
1081 | (description "Dehydrated is a client for signing certificates with an | |
1082 | ACME-server (currently only provided by Let's Encrypt) implemented as a | |
1083 | relatively simple Bash script.") | |
1084 | (license license:expat))) | |
ea22aa1f LF |
1085 | |
1086 | (define-public go-github-com-certifi-gocertifi | |
db388401 LF |
1087 | (let ((commit "a5e0173ced670013bfb649c7e806bc9529c986ec") |
1088 | (revision "1")) | |
1089 | (package | |
1090 | (name "go-github-com-certifi-gocertifi") | |
1091 | (version (git-version "2018.01.18" revision commit)) | |
1092 | (source (origin | |
1093 | (method git-fetch) | |
1094 | (uri (git-reference | |
1095 | (url "https://github.com/certifi/gocertifi") | |
1096 | (commit commit))) | |
1097 | (file-name (git-file-name name version)) | |
1098 | (sha256 | |
1099 | (base32 | |
1100 | "1n9drccl3q1rr8wg3nf60slkf1lgsmz5ahifrglbdrc6har3rryj")))) | |
1101 | (build-system go-build-system) | |
1102 | (arguments | |
1103 | '(#:import-path "github.com/certifi/gocertifi")) | |
1104 | (synopsis "X.509 TLS root certificate bundle for Go") | |
1105 | (description "This package is a Go language X.509 TLS root certificate bundle, | |
ea22aa1f | 1106 | derived from Mozilla's collection.") |
db388401 LF |
1107 | (home-page "https://certifi.io") |
1108 | (license license:mpl2.0)))) | |
1b518888 GH |
1109 | |
1110 | (define-public s2n | |
1111 | (package | |
1112 | (name "s2n") | |
08c579ed | 1113 | (version "1.0.10") |
1b518888 GH |
1114 | (source (origin |
1115 | (method git-fetch) | |
1116 | (uri (git-reference | |
1117 | (url (string-append "https://github.com/awslabs/" name)) | |
1118 | (commit (string-append "v" version)))) | |
1119 | (file-name (git-file-name name version)) | |
1120 | (sha256 | |
1121 | (base32 | |
08c579ed | 1122 | "0ampvh2n235hhd9nabgjjvja7d5r5kj45q56ass1k8g52a6xg0jq")))) |
1b518888 GH |
1123 | (build-system cmake-build-system) |
1124 | (arguments | |
1125 | '(#:tests? #f ; tests fail to build for static library | |
1126 | #:configure-flags | |
1127 | '("-DBUILD_TESTING=OFF" | |
1128 | "-DBUILD_SHARED_LIBS=ON"))) | |
1129 | (propagated-inputs | |
1130 | `(("openssl" ,openssl) | |
1131 | ("openssl:static" ,openssl "static"))) | |
9f9118bd TGR |
1132 | (synopsis "SSL/TLS implementation in C99") |
1133 | (description | |
1134 | "This library provides a C99 implementation of SSL/TLS. It is designed to | |
1135 | be familiar to users of the widely-used POSIX I/O APIs. It supports blocking, | |
1136 | non-blocking, and full-duplex I/O. There are no locks or mutexes. | |
1137 | ||
1138 | As it can be difficult to keep track of which encryption algorithms and | |
1139 | protocols are best to use, s2n-tls features a simple API to use the latest | |
1140 | default set of preferences. Remaining on a specific version for backwards | |
1141 | compatibility is also supported.") | |
1b518888 GH |
1142 | (home-page "https://github.com/awslabs/s2n") |
1143 | (license license:asl2.0))) |