gnu: tarlz: Update to 0.21.
;;; GNU Guix --- Functional package management for GNU
;;; Copyright © 2012, 2013, 2014, 2015, 2016, 2017, 2019, 2020, 2021 Ludovic Courtès <ludo@gnu.org>
;;; Copyright © 2014, 2015, 2016, 2017, 2018, 2021 Mark H Weaver <mhw@netris.org>
;;; Copyright © 2014 Ian Denhardt <ian@zenhack.net>
;;; Copyright © 2013, 2015 Andreas Enge <andreas@enge.fr>
;;; Copyright © 2015 David Thompson <davet@gnu.org>
;;; Copyright © 2015, 2016, 2017, 2018, 2019, 2020 Leo Famulari <leo@famulari.name>
;;; Copyright © 2016, 2017, 2019 Efraim Flashner <efraim@flashner.co.il>
;;; Copyright © 2016, 2017, 2018 Nikita <nikita@n0.is>
;;; Copyright © 2016 Hartmut Goebel <h.goebel@crazy-compilers.com>
;;; Copyright © 2017 Ricardo Wurmus <rekado@elephly.net>
;;; Copyright © 2017, 2018, 2019, 2020, 2021 Marius Bakke <marius@gnu.org>
;;; Copyright © 2017–2019, 2021 Tobias Geerinckx-Rice <me@tobias.gr>
;;; Copyright © 2017 Rutger Helling <rhelling@mykolab.com>
;;; Copyright © 2018 Clément Lassieur <clement@lassieur.org>
;;; Copyright © 2019 Mathieu Othacehe <m.othacehe@gmail.com>
;;; Copyright © 2020 Jan (janneke) Nieuwenhuizen <janneke@gnu.org>
;;; Copyright © 2021 Solene Rapenne <solene@perso.pw>
;;; Copyright © 2021 Brice Waegeneire <brice@waegenei.re>
;;; Copyright © 2021 Matthew James Kraai <kraai@ftbfs.org>
;;;
;;; This file is part of GNU Guix.
;;;
;;; GNU Guix is free software; you can redistribute it and/or modify it
;;; under the terms of the GNU General Public License as published by
;;; the Free Software Foundation; either version 3 of the License, or (at
;;; your option) any later version.
;;;
;;; GNU Guix is distributed in the hope that it will be useful, but
;;; WITHOUT ANY WARRANTY; without even the implied warranty of
;;; MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
;;; GNU General Public License for more details.
;;;
;;; You should have received a copy of the GNU General Public License
;;; along with GNU Guix. If not, see <http://www.gnu.org/licenses/>.

a7fd7b68 37(define-module (gnu packages tls)
e9aa8d0c 38 #:use-module ((guix licenses) #:prefix license:)
7543f865
LC
39 #:use-module (guix packages)
40 #:use-module (guix download)
ea22aa1f 41 #:use-module (guix git-download)
29a7c98a 42 #:use-module (guix utils)
7543f865 43 #:use-module (guix build-system gnu)
ea22aa1f 44 #:use-module (guix build-system go)
cc2b77df 45 #:use-module (guix build-system perl)
7890e3ba 46 #:use-module (guix build-system python)
88522738 47 #:use-module (guix build-system cmake)
e8b3a158 48 #:use-module (guix build-system trivial)
f61e0e79 49 #:use-module (gnu packages compression)
013ce67b 50 #:use-module (gnu packages)
e8b3a158 51 #:use-module (gnu packages bash)
ac257f12 52 #:use-module (gnu packages check)
e8b3a158 53 #:use-module (gnu packages curl)
5b9aa107 54 #:use-module (gnu packages dns)
e8b3a158 55 #:use-module (gnu packages gawk)
1ffa7090 56 #:use-module (gnu packages guile)
a9bcc647 57 #:use-module (gnu packages hurd)
0581c273 58 #:use-module (gnu packages libbsd)
27e86bed 59 #:use-module (gnu packages libffi)
866f469e 60 #:use-module (gnu packages libidn)
5d4c90ae 61 #:use-module (gnu packages linux)
7890e3ba 62 #:use-module (gnu packages ncurses)
27e86bed 63 #:use-module (gnu packages nettle)
1ffa7090 64 #:use-module (gnu packages perl)
27e86bed 65 #:use-module (gnu packages pkg-config)
7890e3ba 66 #:use-module (gnu packages python)
cc6f4912 67 #:use-module (gnu packages python-crypto)
1b2f753d 68 #:use-module (gnu packages python-web)
44d10b1f 69 #:use-module (gnu packages python-xyz)
9d0c291e 70 #:use-module (gnu packages sphinx)
a31f4d35 71 #:use-module (gnu packages texinfo)
33dc54b0 72 #:use-module (gnu packages time)
079f013b
LC
73 #:use-module (gnu packages base)
74 #:use-module (srfi srfi-1))
7543f865
LC
75
76(define-public libtasn1
77 (package
78 (name "libtasn1")
3a22f04a 79 (version "4.16.0")
7543f865
LC
80 (source
81 (origin
82 (method url-fetch)
83 (uri (string-append "mirror://gnu/libtasn1/libtasn1-"
84 version ".tar.gz"))
85 (sha256
86 (base32
3a22f04a 87 "179jskl7dmfp1rd2khkzmlibzgki4wi6hvmmwfv7q49r728b03qf"))))
7543f865 88 (build-system gnu-build-system)
d9f84612
MB
89 (arguments
90 `(#:configure-flags '("--disable-static")))
3ea110b7 91 (native-inputs `(("perl" ,perl)))
6fd52309 92 (home-page "https://www.gnu.org/software/libtasn1/")
f50d2669 93 (synopsis "ASN.1 library")
7543f865 94 (description
79c311b8
LC
95 "GNU libtasn1 is a library implementing the ASN.1 notation. It is used
96for transmitting machine-neutral encodings of data objects in computer
a22dc0c4
LC
97networking, allowing for formal validation of data according to some
98specifications.")
e9aa8d0c 99 (license license:lgpl2.0+)))
7543f865 100
101(define-public asn1c
102 (package
103 (name "asn1c")
ff7da7e0 104 (version "0.9.28")
375cef6c
HG
105 (source (origin
106 (method url-fetch)
107 (uri (string-append "https://lionet.info/soft/asn1c-"
108 version ".tar.gz"))
109 (sha256
110 (base32
ff7da7e0 111 "1fc64g45ykmv73kdndr4zdm4wxhimhrir4rxnygxvwkych5l81w0"))))
375cef6c
HG
112 (build-system gnu-build-system)
113 (native-inputs
114 `(("perl" ,perl)))
115 (home-page "https://lionet.info/asn1c")
116 (synopsis "ASN.1 to C compiler")
117 (description "The ASN.1 to C compiler takes ASN.1 module
118files and generates C++ compatible C source code. That code can be
119used to serialize the native C structures into compact and unambiguous
120BER/XER/PER-based data files, and deserialize the files back.
121
122Various ASN.1 based formats are widely used in the industry, such as to encode
123the X.509 certificates employed in the HTTPS handshake, to exchange control
124data between mobile phones and cellular networks, to car-to-car communication
125in intelligent transportation networks.")
126 (license license:bsd-2)))
127
128(define-public p11-kit
129 (package
130 (name "p11-kit")
c84c0dbc 131 (version "0.23.22")
27e86bed
AE
132 (source
133 (origin
134 (method url-fetch)
e6ad9bda 135 (uri (string-append "https://github.com/p11-glue/p11-kit/releases/"
eae94df6 136 "download/" version "/p11-kit-" version ".tar.xz"))
27e86bed 137 (sha256
9ed46007 138 (base32 "1dn6br4v033d3gp2max9lsr3y4q0nj6iyr1yq3kzi8ym7lal13wa"))))
27e86bed
AE
139 (build-system gnu-build-system)
140 (native-inputs
141 `(("pkg-config" ,pkg-config)))
142 (inputs
143 `(("libffi" ,libffi)
144 ("libtasn1" ,libtasn1)))
145 (arguments
d5c472a2
MB
146 `(#:configure-flags '("--without-trust-paths")
147 #:phases (modify-phases %standard-phases
148 (add-before 'check 'prepare-tests
149 (lambda _
150 ;; "test-runtime" expects XDG_RUNTIME_DIR to be set up
151 ;; and looks for .cache and other directories (only).
152 ;; For simplicity just drop it since it is irrelevant
153 ;; in the build container.
154 (substitute* "Makefile"
155 (("test-runtime\\$\\(EXEEXT\\)") ""))
156 #t)))))
4631e6c9 157 (home-page "https://p11-glue.freedesktop.org/p11-kit.html")
27e86bed
AE
158 (synopsis "PKCS#11 library")
159 (description
160 "p11-kit provides a way to load and enumerate PKCS#11 modules. It
161provides a standard configuration setup for installing PKCS#11 modules
162in such a way that they are discoverable. It also solves problems with
163coordinating the use of PKCS#11 by different components or libraries
164living in the same process.")
e9aa8d0c 165 (license license:bsd-3)))
27e86bed 166
167(define-public gnutls
168 (package
169 (name "gnutls")
51a365c1 170 (version "3.6.15")
0b70eb03 171 (replacement gnutls-3.6.16)
d7d408d5 172 (source (origin
51a365c1 173 (method url-fetch)
d7d408d5
LC
174 ;; Note: Releases are no longer on ftp.gnu.org since the
175 ;; schism (after version 3.1.5).
51a365c1
LC
176 (uri (string-append "mirror://gnupg/gnutls/v"
177 (version-major+minor version)
178 "/gnutls-" version ".tar.xz"))
179 (patches (search-patches "gnutls-skip-trust-store-test.patch"
e12210dc
LF
180 "gnutls-cross.patch"
181 "gnutls-CVE-2021-20231.patch"
182 "gnutls-CVE-2021-20232.patch"))
51a365c1
LC
183 (sha256
184 (base32
185 "0n0m93ymzd0q9hbknxc2ycanz49sqlkyyf73g9fk7n787llc7a0f"))))
7543f865 186 (build-system gnu-build-system)
b94ae0b8 187 (arguments
525a351e
MO
188 `(#:tests? ,(not (or (%current-target-system)
189 (hurd-target?)))
9015ed66 190 ;; Ensure we don't keep a reference to net-tools.
9ee8b41f 191 #:disallowed-references ,(if (hurd-target?) '() (list net-tools))
76b21274 192 #:configure-flags
a0700787 193 (list
aa7c7f21
MW
194 ;; GnuTLS doesn't consult any environment variables to specify
195 ;; the location of the system-wide trust store. Instead it has a
196 ;; configure-time option. Unless specified, its configure script
197 ;; attempts to auto-detect the location by looking for common
8f65585b 198 ;; places in the file system, none of which are present in our
aa7c7f21
MW
199 ;; chroot build environment. If not found, then no default trust
200 ;; store is used, so each program has to provide its own
201 ;; fallback, and users have to configure each program
202 ;; independently. This seems suboptimal.
866f469e
MW
203 "--with-default-trust-store-dir=/etc/ssl/certs"
204
7892edc2
MB
205 ;; Tell the build system that we want Guile bindings installed to
206 ;; the output instead of Guiles own module directory.
207 (string-append "--with-guile-site-dir="
208 "$(datarootdir)/guile/site/$(GUILE_EFFECTIVE_VERSION)")
209 (string-append "--with-guile-site-ccache-dir="
210 "$(libdir)/guile/$(GUILE_EFFECTIVE_VERSION)/site-ccache")
211 (string-append "--with-guile-extension-dir="
212 "$(libdir)/guile/$(GUILE_EFFECTIVE_VERSION)/extensions")
213
866f469e
MW
214 ;; FIXME: Temporarily disable p11-kit support since it is not
215 ;; working on mips64el.
606c6380
LC
216 "--without-p11-kit")
217
218 #:phases (modify-phases %standard-phases
219 (add-after
220 'install 'move-doc
221 (lambda* (#:key outputs #:allow-other-keys)
222 ;; Copy the 4.1 MiB of section 3 man pages to "doc".
223 (let* ((out (assoc-ref outputs "out"))
224 (doc (assoc-ref outputs "doc"))
9cdce047 225 (mandir (string-append doc "/share/man/man3"))
606c6380
LC
226 (oldman (string-append out "/share/man/man3")))
227 (mkdir-p mandir)
228 (copy-recursively oldman mandir)
229 (delete-file-recursively oldman)
230 #t))))))
231 (outputs '("out" ;4.4 MiB
232 "debug"
233 "doc")) ;4.1 MiB of man pages
a1db0975 234 (native-inputs
51a365c1
LC
235 `(,@(if (%current-target-system) ;for cross-build
236 `(("guile" ,guile-3.0)) ;to create .go files
237 '())
238 ,@(if (hurd-target?)
239 '()
a9bcc647 240 `(("net-tools" ,net-tools)))
5d4c90ae 241 ("pkg-config" ,pkg-config)
ac83dc82 242 ("which" ,which)
2d49f175
JN
243 ,@(if (hurd-target?) '()
244 `(("datefudge" ,datefudge))) ;tests rely on 'datefudge'
971c8bb0 245 ("util-linux" ,util-linux))) ;one test needs 'setsid'
7543f865 246 (inputs
67a3c8ed 247 `(("guile" ,guile-3.0)))
7543f865 248 (propagated-inputs
d2fcfd3d 249 ;; These are all in the 'Requires.private' field of gnutls.pc.
7543f865 250 `(("libtasn1" ,libtasn1)
55e61c4d 251 ("libidn2" ,libidn2)
866f469e 252 ("nettle" ,nettle)
f61e0e79 253 ("zlib" ,zlib)))
c19700c3 254 (home-page "https://www.gnu.org/software/gnutls/")
f50d2669 255 (synopsis "Transport layer security library")
7543f865 256 (description
a22dc0c4 257 "GnuTLS is a secure communications library implementing the SSL, TLS
79c311b8 258and DTLS protocols. It is provided in the form of a C library to support the
b30407b8 259protocols, as well as to parse and write X.509, PKCS #12, OpenPGP and other
a22dc0c4 260required structures.")
63e8bb12
LC
261 (license license:lgpl2.1+)
262 (properties '((ftp-server . "ftp.gnutls.org")
263 (ftp-directory . "/gcrypt/gnutls")))))
74e2c0e0 264
265;; Replacement package to fix CVE-2021-20305.
266(define gnutls-3.6.16
267 (package
268 (inherit gnutls)
269 (version "3.6.16")
270 (source (origin
271 (method url-fetch)
272 (uri (string-append "mirror://gnupg/gnutls/v"
273 (version-major+minor version)
274 "/gnutls-" version ".tar.xz"))
275 (patches (search-patches "gnutls-skip-trust-store-test.patch"
276 "gnutls-cross.patch"))
277 (sha256
278 (base32
4604d43c
LC
279 "1czk511pslz367shf32f2jvvkp7y1323bcv88c2qng98mj0v6y8v"))))
280 (arguments
281 (if (%current-target-system)
282 (substitute-keyword-arguments (package-arguments gnutls)
283 ((#:phases phases '%standard-phases)
284 `(modify-phases ,phases
285 (add-before 'configure 'build-eccdata-headers
286 (lambda* (#:key configure-flags #:allow-other-keys)
287 ;; Build the 'ecc/eccdata' program using the native
288 ;; compiler, not the cross-compiler as happens by default,
289 ;; and use it to build lib/nettle/ecc/ecc-*.h. In GnuTLS
290 ;; 3.6.15, this was not necessary because the tarball
291 ;; contained pre-generated lib/nettle/ecc/ecc-*.h files as
292 ;; well as 'ecc/eccdata.stamp'.
293 (let ((jobs (number->string (parallel-job-count)))
294 (patch (assoc-ref %standard-phases
295 'patch-generated-file-shebangs)))
296 (mkdir "+native-build")
297 (with-directory-excursion "+native-build"
298 ;; Build natively, with the native compiler, GMP, etc.
299 (invoke "../configure"
300 (string-append "SHELL=" (which "sh"))
301 (string-append "CONFIG_SHELL=" (which "sh"))
302 "NETTLE_CFLAGS= " "NETTLE_LIBS= "
303 "HOGWEED_CFLAGS= " "HOGWEED_LIBS= "
304 "LIBTASN1_CFLAGS= " "LIBTASN1_LIBS= "
305 "ac_cv_func_nettle_rsa_sec_decrypt=yes"
306 "--without-p11-kit" "--disable-guile")
307 (patch)
308 (invoke "make" "-C" "gl" "-j" jobs)
309 (invoke "make" "-C" "lib/nettle" "V=1" "-j" jobs))
310
311 ;; Copy the files we obtained during native build.
312 (for-each (lambda (file)
313 (install-file file "lib/nettle/ecc"))
314 (find-files
315 "+native-build/lib/nettle/ecc"
316 "^(eccdata\\.stamp|ecc-.*\\.h)$"))))))))
317 (package-arguments gnutls)))
318 (native-inputs
319 (if (%current-target-system)
320 `(("libtasn1" ,libtasn1) ;for 'ecc/eccdata'
321 ("libidn2" ,libidn2)
322 ("nettle" ,nettle)
323 ("zlib" ,zlib)
324 ,@(package-native-inputs gnutls))
325 (package-native-inputs gnutls)))))
0b70eb03 326
327(define-public gnutls/guile-2.0
328 ;; GnuTLS for Guile 2.0.
329 (package/inherit gnutls
a0700787
LC
330 (name "guile2.0-gnutls")
331 (inputs `(("guile" ,guile-2.0)
58ea4d40 332 ,@(alist-delete "guile" (package-inputs gnutls))))))
079f013b 333
5b9aa107 334(define-public gnutls/dane
335 ;; GnuTLS with build libgnutls-dane, implementing DNS-based
336 ;; Authentication of Named Entities. This is required for GNS functionality
337 ;; by GNUnet and gnURL. This is done in an extra package definition
338 ;; to have the choice between GnuTLS with Dane and without Dane.
51a365c1 339 (package/inherit gnutls
5b9aa107 340 (name "gnutls-dane")
341 (inputs `(("unbound" ,unbound)
342 ,@(package-inputs gnutls)))))
343
67a3c8ed 344(define-public guile2.2-gnutls
74e2c0e0 345 (package/inherit gnutls
67a3c8ed
MB
346 (name "guile2.2-gnutls")
347 (inputs `(("guile" ,guile-2.2)
d630d781 348 ,@(alist-delete "guile"
5f9f034e 349 (package-inputs gnutls))))))
d630d781 350
351(define-public guile3.0-gnutls
352 (deprecated-package "guile3.0-gnutls" gnutls))
67a3c8ed 353
354(define-public openssl
355 (package
356 (name "openssl")
0cb4032f 357 (version "1.1.1j")
250a216c 358 (replacement openssl-1.1.1k)
cc2b77df 359 (source (origin
4cff124b 360 (method url-fetch)
bdf0b6fc
MB
361 (uri (list (string-append "https://www.openssl.org/source/openssl-"
362 version ".tar.gz")
363 (string-append "ftp://ftp.openssl.org/source/"
c7f5c3ea 364 "openssl-" version ".tar.gz")
4cff124b
LC
365 (string-append "ftp://ftp.openssl.org/source/old/"
366 (string-trim-right version char-set:letter)
c7f5c3ea 367 "/openssl-" version ".tar.gz")))
c4868e38 368 (patches (search-patches "openssl-1.1-c-rehash-in.patch"))
4cff124b
LC
369 (sha256
370 (base32
0cb4032f 371 "1gw17520vh13izy1xf5q0a2fqgcayymjjj5bk0dlkxndfnszrwma"))))
cc2b77df 372 (build-system gnu-build-system)
8c78aeb7 373 (outputs '("out"
e74f153a
MB
374 "doc" ;6.8 MiB of man3 pages and full HTML documentation
375 "static")) ;6.4 MiB of .a files
cc2b77df
AE
376 (native-inputs `(("perl" ,perl)))
377 (arguments
88b52527 378 `(#:parallel-tests? #f
cc2b77df 379 #:test-target "test"
8c9ec203
LF
380
381 ;; Changes to OpenSSL sometimes cause Perl to "sneak in" to the closure,
382 ;; so we explicitly disallow it here.
383 #:disallowed-references ,(list (canonical-package perl))
cc2b77df 384 #:phases
b6cb1358 385 (modify-phases %standard-phases
d4dbcb81
EF
386 ,@(if (%current-target-system)
387 '((add-before
388 'configure 'set-cross-compile
389 (lambda* (#:key target outputs #:allow-other-keys)
390 (setenv "CROSS_COMPILE" (string-append target "-"))
391 (setenv "CONFIGURE_TARGET_ARCH"
392 (cond
393 ((string-prefix? "i586" target)
394 "hurd-x86")
395 ((string-prefix? "i686" target)
396 "linux-x86")
397 ((string-prefix? "x86_64" target)
398 "linux-x86_64")
399 ((string-prefix? "mips64el" target)
400 "linux-mips64")
401 ((string-prefix? "arm" target)
402 "linux-armv4")
403 ((string-prefix? "aarch64" target)
c8535c25
EF
404 "linux-aarch64")
405 ((string-prefix? "powerpc64le" target)
406 "linux-ppc64le")
407 ((string-prefix? "powerpc64" target)
408 "linux-ppc64")
409 ((string-prefix? "powerpc" target)
410 "linux-ppc")))
d4dbcb81
EF
411 #t)))
412 '())
e74f153a
MB
413 (replace 'configure
414 (lambda* (#:key outputs #:allow-other-keys)
415 (let* ((out (assoc-ref outputs "out"))
416 (lib (string-append out "/lib")))
417 ;; It's not a shebang so patch-source-shebangs misses it.
418 (substitute* "config"
419 (("/usr/bin/env")
420 (string-append (assoc-ref %build-inputs "coreutils")
421 "/bin/env")))
bdcdd550 422 (invoke ,@(if (%current-target-system)
d4dbcb81
EF
423 '("./Configure")
424 '("./config"))
e74f153a
MB
425 "shared" ;build shared libraries
426 "--libdir=lib"
4fb254a3 427
e74f153a
MB
428 ;; The default for this catch-all directory is
429 ;; PREFIX/ssl. Change that to something more
430 ;; conventional.
431 (string-append "--openssldir=" out
b082ea94
LF
432 "/share/openssl-"
433 ,(package-version this-package))
4fb254a3 434
e74f153a 435 (string-append "--prefix=" out)
bdcdd550 436 (string-append "-Wl,-rpath," lib)
d4dbcb81
EF
437 ,@(if (%current-target-system)
438 '((getenv "CONFIGURE_TARGET_ARCH"))
439 '())))))
8c78aeb7
LC
440 (add-after 'install 'move-static-libraries
441 (lambda* (#:key outputs #:allow-other-keys)
442 ;; Move static libraries to the "static" output.
443 (let* ((out (assoc-ref outputs "out"))
444 (lib (string-append out "/lib"))
445 (static (assoc-ref outputs "static"))
446 (slib (string-append static "/lib")))
8c78aeb7
LC
447 (for-each (lambda (file)
448 (install-file file slib)
449 (delete-file file))
450 (find-files lib "\\.a$"))
451 #t)))
e74f153a 452 (add-after 'install 'move-extra-documentation
a909b576 453 (lambda* (#:key outputs #:allow-other-keys)
e74f153a
MB
454 ;; Move man3 pages and full HTML documentation to "doc".
455 (let* ((out (assoc-ref outputs "out"))
456 (man3 (string-append out "/share/man/man3"))
457 (html (string-append out "/share/doc/openssl"))
458 (doc (assoc-ref outputs "doc"))
459 (man-target (string-append doc "/share/man/man3"))
460 (html-target (string-append doc "/share/doc/openssl")))
461 (copy-recursively man3 man-target)
462 (delete-file-recursively man3)
463 (copy-recursively html html-target)
464 (delete-file-recursively html)
465 #t)))
784d6e91
LC
466 (add-after
467 'install 'remove-miscellany
468 (lambda* (#:key outputs #:allow-other-keys)
469 ;; The 'misc' directory contains random undocumented shell and Perl
470 ;; scripts. Remove them to avoid retaining a reference on Perl.
471 (let ((out (assoc-ref outputs "out")))
472 (delete-file-recursively (string-append out "/share/openssl-"
b082ea94
LF
473 ,(package-version this-package)
474 "/misc"))
784d6e91 475 #t))))))
cc2b77df 476 (native-search-paths
cc2b77df
AE
477 (list (search-path-specification
478 (variable "SSL_CERT_DIR")
5d7a47cc 479 (separator #f) ;single entry
cc2b77df
AE
480 (files '("etc/ssl/certs")))
481 (search-path-specification
482 (variable "SSL_CERT_FILE")
5d7a47cc
MB
483 (file-type 'regular)
484 (separator #f) ;single entry
cc2b77df
AE
485 (files '("etc/ssl/certs/ca-certificates.crt")))))
486 (synopsis "SSL/TLS implementation")
487 (description
e881752c 488 "OpenSSL is an implementation of SSL/TLS.")
e9aa8d0c 489 (license license:openssl)
4631e6c9 490 (home-page "https://www.openssl.org/")))
cc2b77df 491
492;; Replacement package to fix CVE-2021-3449 and CVE-2021-3450.
493(define openssl-1.1.1k
494 (package
495 (inherit openssl)
496 (version "1.1.1k")
497 (source (origin
498 (method url-fetch)
499 (uri (list (string-append "https://www.openssl.org/source/openssl-"
500 version ".tar.gz")
501 (string-append "ftp://ftp.openssl.org/source/"
502 "openssl-" version ".tar.gz")
503 (string-append "ftp://ftp.openssl.org/source/old/"
504 (string-trim-right version char-set:letter)
505 "/openssl-" version ".tar.gz")))
506 (patches (search-patches "openssl-1.1-c-rehash-in.patch"))
507 (sha256
508 (base32
509 "1rdfzcrxy9y38wqdw5942vmdax9hjhgrprzxm42csal7p5shhal9"))))))
510
e74f153a 511(define-public openssl-1.0
763899f0
LF
512 (package
513 (inherit openssl)
514 (name "openssl")
b0b79542 515 (version "1.0.2u")
763899f0 516 (source (origin
e74f153a
MB
517 (method url-fetch)
518 (uri (list (string-append "https://www.openssl.org/source/openssl-"
519 version ".tar.gz")
520 (string-append "ftp://ftp.openssl.org/source/"
521 "openssl-" version ".tar.gz")
522 (string-append "ftp://ftp.openssl.org/source/old/"
523 (string-trim-right version char-set:letter)
524 "/openssl-" version ".tar.gz")))
763899f0
LF
525 (sha256
526 (base32
b0b79542 527 "05lxcs4hzyfqd5jn0d9p0fvqna62v2s4pc9qgmq0dpcknkzwdl7c"))
e74f153a
MB
528 (patches (search-patches "openssl-runpath.patch"
529 "openssl-c-rehash-in.patch"))))
763899f0 530 (outputs '("out"
e74f153a
MB
531 "doc" ;1.5MiB of man3 pages
532 "static")) ;6MiB of .a files
763899f0
LF
533 (arguments
534 (substitute-keyword-arguments (package-arguments openssl)
8fc24f30
MB
535 ;; Parallel build is not supported in 1.0.x.
536 ((#:parallel-build? _ #f) #f)
763899f0
LF
537 ((#:phases phases)
538 `(modify-phases ,phases
e74f153a
MB
539 (add-before 'patch-source-shebangs 'patch-tests
540 (lambda* (#:key inputs native-inputs #:allow-other-keys)
541 (let ((bash (assoc-ref (or native-inputs inputs) "bash")))
542 (substitute* (find-files "test" ".*")
543 (("/bin/sh")
544 (string-append bash "/bin/sh"))
545 (("/bin/rm")
546 "rm"))
547 #t)))
548 (add-before 'configure 'patch-Makefile.org
763899f0 549 (lambda* (#:key outputs #:allow-other-keys)
e74f153a
MB
550 ;; The default MANDIR is some unusual place. Fix that.
551 (let ((out (assoc-ref outputs "out")))
552 (patch-makefile-SHELL "Makefile.org")
553 (substitute* "Makefile.org"
554 (("^MANDIR[[:blank:]]*=.*$")
555 (string-append "MANDIR = " out "/share/man\n")))
556 #t)))
bdcdd550
MO
557 (replace 'configure
558 ;; Override this phase because OpenSSL 1.0 does not understand -rpath.
559 (lambda* (#:key outputs #:allow-other-keys)
560 (let ((out (assoc-ref outputs "out")))
561 (invoke ,@(if (%current-target-system)
562 '("./Configure")
563 '("./config"))
564 "shared" ;build shared libraries
565 "--libdir=lib"
fc184fe2 566
bdcdd550
MO
567 ;; The default for this catch-all directory is
568 ;; PREFIX/ssl. Change that to something more
569 ;; conventional.
570 (string-append "--openssldir=" out
571 "/share/openssl-" ,version)
fc184fe2 572
bdcdd550
MO
573 (string-append "--prefix=" out)
574 ,@(if (%current-target-system)
575 '((getenv "CONFIGURE_TARGET_ARCH"))
576 '())))))
e74f153a
MB
577 (delete 'move-extra-documentation)
578 (add-after 'install 'move-man3-pages
579 (lambda* (#:key outputs #:allow-other-keys)
580 ;; Move section 3 man pages to "doc".
581 (let* ((out (assoc-ref outputs "out"))
582 (man3 (string-append out "/share/man/man3"))
583 (doc (assoc-ref outputs "doc"))
584 (target (string-append doc "/share/man/man3")))
585 (mkdir-p target)
586 (for-each (lambda (file)
587 (rename-file file
588 (string-append target "/"
589 (basename file))))
590 (find-files man3))
591 (delete-file-recursively man3)
592 #t)))
fc184fe2
MB
593 ;; XXX: Duplicate this phase to make sure 'version' evaluates
594 ;; in the current scope and not the inherited one.
595 (replace 'remove-miscellany
596 (lambda* (#:key outputs #:allow-other-keys)
597 ;; The 'misc' directory contains random undocumented shell and Perl
598 ;; scripts. Remove them to avoid retaining a reference on Perl.
599 (let ((out (assoc-ref outputs "out")))
600 (delete-file-recursively (string-append out "/share/openssl-"
601 ,version "/misc"))
763899f0
LF
602 #t)))))))))
603
604(define-public libressl
605 (package
606 (name "libressl")
618dbc14 607 (version "3.3.3")
644e5f17
TGR
608 (source (origin
609 (method url-fetch)
610 (uri (string-append "mirror://openbsd/LibreSSL/"
ce1178d5 611 "libressl-" version ".tar.gz"))
644e5f17
TGR
612 (sha256
613 (base32
618dbc14 614 "0rihprcgxsydsbcqgd1952k2cfn4jmp7rlyp1c6sglfc6rdmcwd4"))))
cb6a802c 615 (build-system gnu-build-system)
a2d64899 616 (arguments
76a9bad3
BW
617 `(#:configure-flags
618 (list
619 ;; Do as if 'getentropy' were missing: Linux kernels before 3.17 lack its
620 ;; underlying 'getrandom' system call and ENOSYS isn't properly handled.
621 ;; See <https://lists.gnu.org/archive/html/guix-devel/2017-04/msg00235.html>.
622 "ac_cv_func_getentropy=no"
623 ;; FIXME It's using it's own bundled certificate, instead it should
624 ;; behave like OpenSSL by using environment variables.
625 (string-append "--with-openssldir=" %output
626 "/share/libressl-"
627 ,(package-version this-package))
628 ;; Provide a TLS-enabled netcat.
629 "--enable-nc")))
2ed12d3f 630 (home-page "https://www.libressl.org/")
cb6a802c 631 (synopsis "SSL/TLS implementation")
df08f385
LF
632 (description "LibreSSL is a version of the TLS/crypto stack, forked from
633OpenSSL in 2014 with the goals of modernizing the codebase, improving security,
634and applying best practice development processes. This package also includes a
635netcat implementation that supports TLS.")
cb6a802c
AE
636 ;; Files taken from OpenSSL keep their license, others are under various
637 ;; non-copyleft licenses.
638 (license (list license:openssl
639 (license:non-copyleft
640 "file://COPYING"
641 "See COPYING in the distribution.")))))
642
6cefd53d 643(define-public python-acme
7890e3ba 644 (package
6cefd53d 645 (name "python-acme")
686d4259 646 ;; Remember to update the hash of certbot when updating python-acme.
2bb789f6 647 (version "1.16.0")
7890e3ba 648 (source (origin
9495cf9a 649 (method url-fetch)
f349d36e 650 (uri (pypi-uri "acme" version))
881006b6
MB
651 (sha256
652 (base32
2bb789f6 653 "0mvqc8z30sxgr1m4p3yi3rm76sndnvl5khv4ybwx6zyq42403y51"))))
7890e3ba
LF
654 (build-system python-build-system)
655 (arguments
6cefd53d 656 `(#:phases
9bee9d87 657 (modify-phases %standard-phases
1fc8476d
MB
658 (add-after 'build 'build-documentation
659 (lambda _
d4bd2453 660 (invoke "make" "-C" "docs" "man" "info")))
1fc8476d 661 (add-after 'install 'install-documentation
50a7963a
LF
662 (lambda* (#:key outputs #:allow-other-keys)
663 (let* ((out (assoc-ref outputs "out"))
664 (man (string-append out "/share/man/man1"))
665 (info (string-append out "/info")))
1fc8476d
MB
666 (install-file "docs/_build/texinfo/acme-python.info" info)
667 (install-file "docs/_build/man/acme-python.1" man)
668 #t))))))
7890e3ba 669 (native-inputs
c3a75373 670 `(("python-pytest" ,python-pytest)
50a7963a
LF
671 ;; For documentation
672 ("python-sphinx" ,python-sphinx)
673 ("python-sphinxcontrib-programoutput" ,python-sphinxcontrib-programoutput)
674 ("python-sphinx-rtd-theme" ,python-sphinx-rtd-theme)
50a7963a 675 ("texinfo" ,texinfo)))
7890e3ba 676 (propagated-inputs
92572184 677 `(("python-josepy" ,python-josepy)
6cefd53d 678 ("python-requests" ,python-requests)
b494bbe4 679 ("python-requests-toolbelt" ,python-requests-toolbelt)
6cefd53d
LF
680 ("python-pytz" ,python-pytz)
681 ("python-pyrfc3339" ,python-pyrfc3339)
682 ("python-pyasn1" ,python-pyasn1)
683 ("python-cryptography" ,python-cryptography)
684 ("python-pyopenssl" ,python-pyopenssl)))
4631e6c9 685 (home-page "https://github.com/certbot/certbot")
7890e3ba
LF
686 (synopsis "ACME protocol implementation in Python")
687 (description "ACME protocol implementation in Python")
688 (license license:asl2.0)))
689
9495cf9a 690(define-public certbot
9fd0838b 691 (package
9495cf9a 692 (name "certbot")
686d4259
LF
693 ;; Certbot and python-acme are developed in the same repository, and their
694 ;; versions should remain synchronized.
695 (version (package-version python-acme))
9fd0838b
DT
696 (source (origin
697 (method url-fetch)
b380463b 698 (uri (pypi-uri "certbot" version))
9fd0838b
DT
699 (sha256
700 (base32
2bb789f6 701 "0z90pcndbks8f62f47m5nkqcmkabb8r526by29lp30x4gjc0xs04"))))
9fd0838b
DT
702 (build-system python-build-system)
703 (arguments
fed1898d 704 `(,@(substitute-keyword-arguments (package-arguments python-acme)
f26d6e4e
LF
705 ((#:phases phases)
706 `(modify-phases ,phases
1fc8476d 707 (replace 'install-documentation
f26d6e4e
LF
708 (lambda* (#:key outputs #:allow-other-keys)
709 (let* ((out (assoc-ref outputs "out"))
710 (man1 (string-append out "/share/man/man1"))
711 (man7 (string-append out "/share/man/man7"))
712 (info (string-append out "/info")))
1fc8476d
MB
713 (install-file "docs/_build/texinfo/Certbot.info" info)
714 (install-file "docs/_build/man/certbot.1" man1)
715 (install-file "docs/_build/man/certbot.7" man7)
716 #t))))))))
9fd0838b 717 (native-inputs
d05c14df
TGR
718 `(("python-mock" ,python-mock)
719 ("python-pytest" ,python-pytest)
f9263d9a 720 ;; For documentation
fed1898d
LF
721 ("python-sphinx" ,python-sphinx)
722 ("python-sphinx-rtd-theme" ,python-sphinx-rtd-theme)
723 ("python-sphinx-repoze-autointerface" ,python-sphinx-repoze-autointerface)
724 ("python-sphinxcontrib-programoutput" ,python-sphinxcontrib-programoutput)
f9263d9a 725 ("texinfo" ,texinfo)))
9fd0838b 726 (propagated-inputs
fed1898d 727 `(("python-acme" ,python-acme)
d05c14df 728 ("python-cryptography" ,python-cryptography)
fed1898d
LF
729 ("python-zope-interface" ,python-zope-interface)
730 ("python-pyrfc3339" ,python-pyrfc3339)
731 ("python-pyopenssl" ,python-pyopenssl)
732 ("python-configobj" ,python-configobj)
733 ("python-configargparse" ,python-configargparse)
b977d900 734 ("python-distro" ,python-distro)
fed1898d
LF
735 ("python-zope-component" ,python-zope-component)
736 ("python-parsedatetime" ,python-parsedatetime)
fed1898d
LF
737 ("python-psutil" ,python-psutil)
738 ("python-requests" ,python-requests)
739 ("python-pytz" ,python-pytz)))
d8a1be63 740 (synopsis "Let's Encrypt client by the Electronic Frontier Foundation")
80968df0
TGR
741 (description "Certbot automatically receives and installs X.509 certificates
742to enable Transport Layer Security (TLS) on servers. It interoperates with the
743Let’s Encrypt certificate authority (CA), which issues browser-trusted
744certificates for free.")
24778368 745 (home-page "https://certbot.eff.org/")
9fd0838b
DT
746 (license license:asl2.0)))
747
748(define-public letsencrypt
749 (package (inherit certbot)
56ab55d1
LF
750 (name "letsencrypt")
751 (properties `((superseded . ,certbot)))))
9495cf9a 752
(define-public perl-net-ssleay
  (package
    (name "perl-net-ssleay")
    (version "1.88")
    (source
     (origin
       (method url-fetch)
       (uri (string-append "mirror://cpan/authors/id/C/CH/CHRISN/Net-SSLeay-"
                           version ".tar.gz"))
       (sha256
        (base32 "1pfgh4h3szcpvqlcimc60pjbk9zwls99x5863sva0wc47i4dl010"))))
    (build-system perl-build-system)
    (inputs
     `(("openssl" ,openssl)))
    (arguments
     ;; Nothing is unquoted below, so a plain quote suffices.
     '(#:phases
       (modify-phases %standard-phases
         (add-before 'configure 'set-ssl-prefix
           ;; Net-SSLeay's Makefile.PL honours OPENSSL_PREFIX; point it at
           ;; the "openssl" input so the module is built and linked against
           ;; that copy rather than whatever it would otherwise detect.
           (lambda* (#:key inputs #:allow-other-keys)
             (setenv "OPENSSL_PREFIX" (assoc-ref inputs "openssl"))
             #t)))))
    (home-page "https://metacpan.org/release/Net-SSLeay")
    (synopsis "Perl extension for using OpenSSL")
    (description
     "This module offers some high level convenience functions for accessing
web pages on SSL servers (for symmetry, the same API is offered for accessing
http servers, too), an sslcat() function for writing your own clients, and
finally access to the SSL api of the SSLeay/OpenSSL package so you can write
servers or clients for more complicated applications.")
    (license license:perl-license)))
(define-public perl-crypt-openssl-rsa
  (package
    (name "perl-crypt-openssl-rsa")
    (version "0.31")
    (source
     (origin
       (method url-fetch)
       (uri (string-append "mirror://cpan/authors/id/T/TO/TODDR/"
                           "Crypt-OpenSSL-RSA-" version ".tar.gz"))
       (sha256
        (base32 "0djl5i6kibl7862b6ih29q8dhg5zpwzq77q9j8hp6xngshx40ws1"))))
    (build-system perl-build-system)
    ;; Build-time only: used to locate the OpenSSL include path.
    (native-inputs
     `(("perl-crypt-openssl-guess" ,perl-crypt-openssl-guess)))
    (inputs
     `(("perl-crypt-openssl-bignum" ,perl-crypt-openssl-bignum)
       ("perl-crypt-openssl-random" ,perl-crypt-openssl-random)
       ("openssl" ,openssl)))
    ;; Shared phases that make Makefile.PL link against our libcrypto.
    (arguments perl-crypt-arguments)
    (home-page "https://metacpan.org/release/Crypt-OpenSSL-RSA")
    (synopsis "RSA encoding and decoding, using the openSSL libraries")
    (description "Crypt::OpenSSL::RSA does RSA encoding and decoding (using the
OpenSSL libraries).")
    (license license:perl-license)))
;; Build arguments shared by the Crypt::OpenSSL::* packages in this file.
;; Whatever 'LIBS' entry Makefile.PL carries is rewritten so that -lcrypto
;; is resolved from the "openssl" input's lib directory, not from the host.
;; Packages defined above this point may reference it because the
;; 'arguments' field of <package> is thunked, i.e. evaluated lazily.
(define perl-crypt-arguments
  '(#:phases
    (modify-phases %standard-phases
      (add-before 'configure 'patch-Makefile.PL
        (lambda* (#:key inputs #:allow-other-keys)
          (let ((openssl (assoc-ref inputs "openssl")))
            (substitute* "Makefile.PL"
              (("'LIBS'.*=>.*")
               (string-append "'LIBS' => ['-L" openssl "/lib -lcrypto'],"))))
          #t)))))
(define-public perl-crypt-openssl-bignum
  (package
    (name "perl-crypt-openssl-bignum")
    (version "0.09")
    (source
     (origin
       (method url-fetch)
       (uri (string-append "mirror://cpan/authors/id/K/KM/KMX/"
                           "Crypt-OpenSSL-Bignum-" version ".tar.gz"))
       (sha256
        (base32 "1p22znbajq91lbk2k3yg12ig7hy5b4vy8igxwqkmbm4nhgxp4ki3"))))
    (build-system perl-build-system)
    (inputs
     `(("openssl" ,openssl)))
    ;; Shared phases that make Makefile.PL link against our libcrypto.
    (arguments perl-crypt-arguments)
    (home-page "https://metacpan.org/release/Crypt-OpenSSL-Bignum")
    (synopsis "OpenSSL's multiprecision integer arithmetic in Perl")
    (description "Crypt::OpenSSL::Bignum provides multiprecision integer
arithmetic in Perl.")
    ;; At your option either gpl1+ or the Artistic License.
    (license license:perl-license)))
(define-public perl-crypt-openssl-guess
  (package
    (name "perl-crypt-openssl-guess")
    (version "0.11")
    (source
     (origin
       (method url-fetch)
       (uri (string-append "mirror://cpan/authors/id/A/AK/AKIYM/"
                           "Crypt-OpenSSL-Guess-" version ".tar.gz"))
       (sha256
        (base32 "0rvi9l4ljcbhwwvspq019nfq2h2v746dk355h2nwnlmqikiihsxa"))))
    ;; Unlike the other Crypt::OpenSSL::* packages here, this one has no
    ;; "openssl" input and does not use PERL-CRYPT-ARGUMENTS.
    (build-system perl-build-system)
    (home-page "https://metacpan.org/release/Crypt-OpenSSL-Guess")
    (synopsis "Guess the OpenSSL include path")
    (description
     "The Crypt::OpenSSL::Guess Perl module provides helpers to guess the
correct OpenSSL include path. It is intended for use in your
@file{Makefile.PL}.")
    (license license:perl-license)))
(define-public perl-crypt-openssl-random
  (package
    (name "perl-crypt-openssl-random")
    (version "0.15")
    (source
     (origin
       (method url-fetch)
       (uri (string-append "mirror://cpan/authors/id/R/RU/RURBAN/"
                           "Crypt-OpenSSL-Random-" version ".tar.gz"))
       (sha256
        (base32 "1x6ffps8q7mnawmcfq740llzy7i10g3319vap0wiw4d33fm6z1zh"))))
    (build-system perl-build-system)
    ;; Build-time only: used to locate the OpenSSL include path.
    (native-inputs
     `(("perl-crypt-openssl-guess" ,perl-crypt-openssl-guess)))
    ;; The randomness this module exposes comes from the libcrypto it is
    ;; linked against, so the "openssl" input is what actually matters.
    (inputs
     `(("openssl" ,openssl)))
    ;; Shared phases that make Makefile.PL link against our libcrypto.
    (arguments perl-crypt-arguments)
    (home-page "https://metacpan.org/release/Crypt-OpenSSL-Random")
    (synopsis "OpenSSL/LibreSSL pseudo-random number generator access")
    ;; TODO: the description should read "an OpenSSL/LibreSSL …" and end
    ;; with a full stop.
    (description "Crypt::OpenSSL::Random is a OpenSSL/LibreSSL pseudo-random
number generator")
    (license license:perl-license)))
(define-public acme-client
  (package
    (name "acme-client")
    (version "0.1.16")
    (source
     (origin
       (method url-fetch)
       (uri (string-append "https://kristaps.bsd.lv/" name "/snapshots/"
                           name "-portable-" version ".tgz"))
       (sha256
        (base32 "00q05b3b1dfnfp7sr1nbd212n0mqrycl3cr9lbs51m7ncaihbrz9"))))
    (build-system gnu-build-system)
    (arguments
     '(#:tests? #f                      ;no test suite
       ;; XXX "CC=gcc" is hard-coded, so this will not cross-compile.
       #:make-flags
       (list "CC=gcc"
             (string-append "PREFIX=" (assoc-ref %outputs "out")))
       #:phases
       (modify-phases %standard-phases
         ;; http.c hard-codes /etc/ssl/cert.pem (presumably the CA bundle
         ;; used to verify the ACME server).  Point it at the cert.pem
         ;; shipped by the "libressl" input, so the built program does not
         ;; depend on a file outside the store.
         (add-after 'unpack 'patch-paths
           (lambda* (#:key inputs #:allow-other-keys)
             (let ((pem (string-append (assoc-ref inputs "libressl")
                                       "/etc/ssl/cert.pem")))
               (substitute* "http.c"
                 (("/etc/ssl/cert.pem") pem))
               #t)))
         ;; There is no './configure' script.
         (delete 'configure))))
    (native-inputs
     `(("pkg-config" ,pkg-config)))
    (inputs
     `(("libbsd" ,libbsd)
       ("libressl" ,libressl)))
    (home-page "https://kristaps.bsd.lv/acme-client/")
    (synopsis "Let's Encrypt client by the OpenBSD project")
    (description "acme-client is a Let's Encrypt client implemented in C. It
uses a modular design, and attempts to secure itself by dropping privileges and
operating in a chroot where possible. acme-client is developed on OpenBSD and
then ported to the GNU / Linux environment.")
    ;; acme-client is distributed under the ISC license, but the files 'jsmn.h'
    ;; and 'jsmn.c' are distributed under the Expat license.
    (license (list license:isc license:expat))))
;; The "-apache" variant is the one preferred upstream.  A "-gpl" variant
;; exists in addition to it.
(define-public mbedtls-apache
  (package
    (name "mbedtls-apache")
    ;; XXX Check whether ‘-Wformat-signedness’ still breaks mbedtls-for-hiawatha
    ;; when updating.
    (version "2.23.0")
    (source
     (origin
       (method git-fetch)
       (uri (git-reference
             (url "https://github.com/ARMmbed/mbedtls")
             (commit (string-append "mbedtls-" version))))
       (file-name (git-file-name name version))
       (sha256
        (base32 "13fa9h2i989cbf8n8c0j019mshv6wg213va18my1s787lhcq2d62"))))
    (build-system cmake-build-system)
    (arguments
     `(#:configure-flags
       ;; Build the shared library only; no static archive is installed.
       (list "-DUSE_SHARED_MBEDTLS_LIBRARY=ON"
             "-DUSE_STATIC_MBEDTLS_LIBRARY=OFF")
       #:phases
       (modify-phases %standard-phases
         ;; Make every file of the checkout writable before configuring.
         (add-after 'unpack 'make-source-writable
           (lambda _
             (for-each make-file-writable (find-files "."))
             #t)))))
    (native-inputs
     `(("perl" ,perl)
       ("python" ,python)))
    (home-page "https://www.trustedfirmware.org/projects/mbed-tls/")
    (synopsis "Small TLS library")
    (description
     "@code{mbed TLS}, formerly known as PolarSSL, makes it trivially easy
for developers to include cryptographic and SSL/TLS capabilities in their
(embedded) products, facilitating this functionality with a minimal
coding footprint.")
    (license license:asl2.0)))
;; The Hiawatha Web server requires some specific features to be enabled.
;; Hidden because it differs from MBEDTLS-APACHE only in build configuration.
(define-public mbedtls-for-hiawatha
  (hidden-package
   (package
     (inherit mbedtls-apache)
     (arguments
      (substitute-keyword-arguments (package-arguments mbedtls-apache)
        ((#:phases phases)
         `(modify-phases ,phases
            (add-before 'configure 'configure-extra-features
              (lambda _
                ;; Switch on the threading options Hiawatha needs.
                (let ((features (list "MBEDTLS_THREADING_C"
                                      "MBEDTLS_THREADING_PTHREAD")))
                  (for-each (lambda (feature)
                              (invoke "scripts/config.pl" "set" feature))
                            features))
                ;; XXX The above enables code that breaks with -Werror…
                (substitute* "CMakeLists.txt"
                  ((" -Wformat-signedness") ""))
                #t)))))))))
(define-public dehydrated
  (package
    (name "dehydrated")
    (version "0.7.0")
    (source
     (origin
       (method url-fetch)
       (uri (string-append
             "https://github.com/dehydrated-io/dehydrated/releases/download/"
             "v" version "/dehydrated-" version ".tar.gz"))
       (sha256
        (base32 "1yf4kldyd5y13r6qxrkcbbk74ykngq7jzy0351vb2r3ywp114pqw"))))
    ;; A single shell script: unpack, install and wrap it by hand.
    (build-system trivial-build-system)
    (arguments
     `(#:modules ((guix build utils)
                  (srfi srfi-26))
       #:builder
       (begin
         (use-modules (guix build utils)
                      (srfi srfi-26))
         (let* ((tarball (assoc-ref %build-inputs "source"))
                (tar-bin (string-append (assoc-ref %build-inputs "tar")
                                        "/bin/tar"))
                (gzip-dir (assoc-ref %build-inputs "gzip"))
                (bash (in-vicinity (assoc-ref %build-inputs "bash") "bin"))
                (out (assoc-ref %outputs "out"))
                (bin (string-append out "/bin"))
                (man (string-append out "/share/man"))
                (doc (string-append out "/share/doc/" ,name "-" ,version))
                ;; Inputs whose bin/ directories the wrapper prepends to PATH.
                (runtime-inputs '("coreutils" "curl" "diffutils" "gawk"
                                  "grep" "openssl" "sed")))
           ;; Unpack; gzip has to be on PATH for tar to read the .tar.gz.
           (setenv "PATH" (string-append gzip-dir "/bin"))
           (invoke tar-bin "xvf" tarball)
           (chdir (string-append ,name "-" ,version))

           ;; Documentation and license, with the manual pages moved to the
           ;; conventional man1 location and compressed.
           (copy-recursively "docs" doc)
           (install-file "LICENSE" doc)
           (mkdir-p man)
           (rename-file (string-append doc "/man")
                        (string-append man "/man1"))
           (for-each (cut invoke "gzip" "-9" <>)
                     (find-files man ".*"))

           ;; The script itself.
           (install-file "dehydrated" bin)
           (with-directory-excursion bin
             (patch-shebang "dehydrated" (list bash))

             ;; Do not try to write to the store: the script apparently
             ;; derives its working directory from SCRIPTDIR, so point that
             ;; at a per-user directory instead of the script's own location.
             (substitute* "dehydrated"
               (("SCRIPTDIR=\"\\$.*\"") "SCRIPTDIR=~/.dehydrated"))

             ;; wrap-program presumably looks bash up on PATH.
             (setenv "PATH" bash)
             (wrap-program "dehydrated"
               `("PATH" ":" prefix
                 ,(map (lambda (input)
                         (string-append (assoc-ref %build-inputs input)
                                        "/bin"))
                       runtime-inputs))))
           #t))))
    (inputs
     `(("bash" ,bash)
       ("coreutils" ,coreutils)
       ("curl" ,curl)
       ("diffutils" ,diffutils)
       ("gawk" ,gawk)
       ("grep" ,grep)
       ("openssl" ,openssl)
       ("sed" ,sed)))
    (native-inputs
     `(("gzip" ,gzip)
       ("tar" ,tar)))
    (home-page "https://dehydrated.io/")
    (synopsis "Let's Encrypt/ACME client implemented as a shell script")
    (description "Dehydrated is a client for signing certificates with an
ACME-server (currently only provided by Let's Encrypt) implemented as a
relatively simple Bash script.")
    (license license:expat)))
(define-public go-github-com-certifi-gocertifi
  ;; NOTE(review): this is a pinned snapshot of a root-certificate bundle,
  ;; dated 2018.01.18 per the version string.  Anything built against it
  ;; inherits the CA additions and removals only as of that date, so the
  ;; commit is worth keeping current.
  (let ((commit "a5e0173ced670013bfb649c7e806bc9529c986ec")
        (revision "1"))
    (package
      (name "go-github-com-certifi-gocertifi")
      (version (git-version "2018.01.18" revision commit))
      (source
       (origin
         (method git-fetch)
         (uri (git-reference
               (url "https://github.com/certifi/gocertifi")
               (commit commit)))
         (file-name (git-file-name name version))
         (sha256
          (base32 "1n9drccl3q1rr8wg3nf60slkf1lgsmz5ahifrglbdrc6har3rryj"))))
      (build-system go-build-system)
      (arguments
       '(#:import-path "github.com/certifi/gocertifi"))
      (home-page "https://certifi.io")
      (synopsis "X.509 TLS root certificate bundle for Go")
      (description "This package is a Go language X.509 TLS root certificate bundle,
derived from Mozilla's collection.")
      (license license:mpl2.0))))
(define-public s2n
  (package
    (name "s2n")
    (version "1.0.10")
    (source
     (origin
       (method git-fetch)
       (uri (git-reference
             (url (string-append "https://github.com/awslabs/" name))
             (commit (string-append "v" version))))
       (file-name (git-file-name name version))
       (sha256
        (base32 "0ampvh2n235hhd9nabgjjvja7d5r5kj45q56ass1k8g52a6xg0jq"))))
    (build-system cmake-build-system)
    ;; NOTE(review): the reason given for skipping tests mentions a static
    ;; library, yet the build below is shared (-DBUILD_SHARED_LIBS=ON); it is
    ;; worth re-checking whether the test suite can be enabled now.
    (arguments
     '(#:tests? #f                      ;tests fail to build for static library
       #:configure-flags
       '("-DBUILD_TESTING=OFF"
         "-DBUILD_SHARED_LIBS=ON")))
    ;; Both OpenSSL outputs are propagated, presumably so that dependents can
    ;; link libcrypto either dynamically or statically.
    (propagated-inputs
     `(("openssl" ,openssl)
       ("openssl:static" ,openssl "static")))
    (home-page "https://github.com/awslabs/s2n")
    (synopsis "SSL/TLS implementation in C99")
    (description
     "This library provides a C99 implementation of SSL/TLS. It is designed to
be familiar to users of the widely-used POSIX I/O APIs. It supports blocking,
non-blocking, and full-duplex I/O. There are no locks or mutexes.

As it can be difficult to keep track of which encryption algorithms and
protocols are best to use, s2n-tls features a simple API to use the latest
default set of preferences. Remaining on a specific version for backwards
compatibility is also supported.")
    (license license:asl2.0)))