;;; GNU Guix --- Functional package management for GNU
;;; Copyright © 2012, 2013, 2014, 2015, 2016, 2017, 2019, 2020, 2021 Ludovic Courtès <ludo@gnu.org>
;;; Copyright © 2014, 2015, 2016, 2017, 2018, 2021 Mark H Weaver <mhw@netris.org>
;;; Copyright © 2014 Ian Denhardt <ian@zenhack.net>
;;; Copyright © 2013, 2015 Andreas Enge <andreas@enge.fr>
;;; Copyright © 2015 David Thompson <davet@gnu.org>
;;; Copyright © 2015, 2016, 2017, 2018, 2019, 2020 Leo Famulari <leo@famulari.name>
;;; Copyright © 2016, 2017, 2019 Efraim Flashner <efraim@flashner.co.il>
;;; Copyright © 2016, 2017, 2018 Nikita <nikita@n0.is>
;;; Copyright © 2016 Hartmut Goebel <h.goebel@crazy-compilers.com>
;;; Copyright © 2017 Ricardo Wurmus <rekado@elephly.net>
;;; Copyright © 2017, 2018, 2019, 2020, 2021 Marius Bakke <marius@gnu.org>
;;; Copyright © 2017–2019, 2021 Tobias Geerinckx-Rice <me@tobias.gr>
;;; Copyright © 2017 Rutger Helling <rhelling@mykolab.com>
;;; Copyright © 2018 Clément Lassieur <clement@lassieur.org>
;;; Copyright © 2019 Mathieu Othacehe <m.othacehe@gmail.com>
;;; Copyright © 2020 Jan (janneke) Nieuwenhuizen <janneke@gnu.org>
;;; Copyright © 2021 Solene Rapenne <solene@perso.pw>
;;;
;;; This file is part of GNU Guix.
;;;
;;; GNU Guix is free software; you can redistribute it and/or modify it
;;; under the terms of the GNU General Public License as published by
;;; the Free Software Foundation; either version 3 of the License, or (at
;;; your option) any later version.
;;;
;;; GNU Guix is distributed in the hope that it will be useful, but
;;; WITHOUT ANY WARRANTY; without even the implied warranty of
;;; MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
;;; GNU General Public License for more details.
;;;
;;; You should have received a copy of the GNU General Public License
;;; along with GNU Guix.  If not, see <http://www.gnu.org/licenses/>.

;;; TLS stacks (GnuTLS, OpenSSL, LibreSSL), ASN.1 tooling, PKCS#11 support
;;; and ACME clients.
(define-module (gnu packages tls)
  #:use-module ((guix licenses) #:prefix license:)
  #:use-module (guix packages)
  #:use-module (guix download)
  #:use-module (guix git-download)
  #:use-module (guix utils)
  #:use-module (guix build-system gnu)
  #:use-module (guix build-system go)
  #:use-module (guix build-system perl)
  #:use-module (guix build-system python)
  #:use-module (guix build-system cmake)
  #:use-module (guix build-system trivial)
  #:use-module (gnu packages compression)
  #:use-module (gnu packages)
  #:use-module (gnu packages bash)
  #:use-module (gnu packages check)
  #:use-module (gnu packages curl)
  #:use-module (gnu packages dns)
  #:use-module (gnu packages gawk)
  #:use-module (gnu packages guile)
  #:use-module (gnu packages hurd)
  #:use-module (gnu packages libbsd)
  #:use-module (gnu packages libffi)
  #:use-module (gnu packages libidn)
  #:use-module (gnu packages linux)
  #:use-module (gnu packages ncurses)
  #:use-module (gnu packages nettle)
  #:use-module (gnu packages perl)
  #:use-module (gnu packages pkg-config)
  #:use-module (gnu packages python)
  #:use-module (gnu packages python-crypto)
  #:use-module (gnu packages python-web)
  #:use-module (gnu packages python-xyz)
  #:use-module (gnu packages sphinx)
  #:use-module (gnu packages texinfo)
  #:use-module (gnu packages time)
  #:use-module (gnu packages base)
  #:use-module (srfi srfi-1))
(define-public libtasn1
  ;; ASN.1 parser used by gnutls and p11-kit below.
  (package
    (name "libtasn1")
    (version "4.16.0")
    (source
     (origin
       (method url-fetch)
       (uri (string-append "mirror://gnu/libtasn1/libtasn1-"
                           version ".tar.gz"))
       (sha256
        (base32
         "179jskl7dmfp1rd2khkzmlibzgki4wi6hvmmwfv7q49r728b03qf"))))
    (build-system gnu-build-system)
    (arguments
     ;; Shared library only; no .a files are produced.
     `(#:configure-flags '("--disable-static")))
    (native-inputs `(("perl" ,perl)))
    (home-page "https://www.gnu.org/software/libtasn1/")
    (synopsis "ASN.1 library")
    (description
     "GNU libtasn1 is a library implementing the ASN.1 notation. It is used
for transmitting machine-neutral encodings of data objects in computer
networking, allowing for formal validation of data according to some
specifications.")
    (license license:lgpl2.0+)))
(define-public asn1c
  ;; Stand-alone ASN.1 compiler; fetched directly from the author's site
  ;; (not a GNU mirror).
  (package
    (name "asn1c")
    (version "0.9.28")
    (source (origin
              (method url-fetch)
              (uri (string-append "https://lionet.info/soft/asn1c-"
                                  version ".tar.gz"))
              (sha256
               (base32
                "1fc64g45ykmv73kdndr4zdm4wxhimhrir4rxnygxvwkych5l81w0"))))
    (build-system gnu-build-system)
    (native-inputs
     `(("perl" ,perl)))
    (home-page "https://lionet.info/asn1c")
    (synopsis "ASN.1 to C compiler")
    (description "The ASN.1 to C compiler takes ASN.1 module
files and generates C++ compatible C source code. That code can be
used to serialize the native C structures into compact and unambiguous
BER/XER/PER-based data files, and deserialize the files back.

Various ASN.1 based formats are widely used in the industry, such as to encode
the X.509 certificates employed in the HTTPS handshake, to exchange control
data between mobile phones and cellular networks, to car-to-car communication
in intelligent transportation networks.")
    (license license:bsd-2)))
(define-public p11-kit
  (package
    (name "p11-kit")
    (version "0.23.22")
    (source
     (origin
       (method url-fetch)
       (uri (string-append "https://github.com/p11-glue/p11-kit/releases/"
                           "download/" version "/p11-kit-" version ".tar.xz"))
       (sha256
        (base32 "1dn6br4v033d3gp2max9lsr3y4q0nj6iyr1yq3kzi8ym7lal13wa"))))
    (build-system gnu-build-system)
    (native-inputs
     `(("pkg-config" ,pkg-config)))
    (inputs
     `(("libffi" ,libffi)
       ("libtasn1" ,libtasn1)))
    (arguments
     ;; NOTE(review): no trust-anchor paths are compiled in
     ;; ('--without-trust-paths'), so the trust module has to be told at run
     ;; time where system CA anchors live -- confirm this is what dependents
     ;; expect.
     `(#:configure-flags '("--without-trust-paths")
       #:phases (modify-phases %standard-phases
                  (add-before 'check 'prepare-tests
                    (lambda _
                      ;; "test-runtime" expects XDG_RUNTIME_DIR to be set up
                      ;; and looks for .cache and other directories (only).
                      ;; For simplicity just drop it since it is irrelevant
                      ;; in the build container.
                      (substitute* "Makefile"
                        (("test-runtime\\$\\(EXEEXT\\)") ""))
                      #t)))))
    (home-page "https://p11-glue.freedesktop.org/p11-kit.html")
    (synopsis "PKCS#11 library")
    (description
     "p11-kit provides a way to load and enumerate PKCS#11 modules. It
provides a standard configuration setup for installing PKCS#11 modules
in such a way that they are discoverable. It also solves problems with
coordinating the use of PKCS#11 by different components or libraries
living in the same process.")
    (license license:bsd-3)))
(define-public gnutls
  (package
    (name "gnutls")
    (version "3.6.15")
    ;; Grafted replacement carrying the CVE-2021-20305 fix; see
    ;; 'gnutls-3.6.16' below.
    (replacement gnutls-3.6.16)
    (source (origin
              (method url-fetch)
              ;; Note: Releases are no longer on ftp.gnu.org since the
              ;; schism (after version 3.1.5).
              (uri (string-append "mirror://gnupg/gnutls/v"
                                  (version-major+minor version)
                                  "/gnutls-" version ".tar.xz"))
              ;; The two CVE-named patches are security fixes for this
              ;; release (see the identifiers in their file names).
              (patches (search-patches "gnutls-skip-trust-store-test.patch"
                                       "gnutls-cross.patch"
                                       "gnutls-CVE-2021-20231.patch"
                                       "gnutls-CVE-2021-20232.patch"))
              (sha256
               (base32
                "0n0m93ymzd0q9hbknxc2ycanz49sqlkyyf73g9fk7n787llc7a0f"))))
    (build-system gnu-build-system)
    (arguments
     ;; The test suite is skipped when cross-compiling or targeting the Hurd.
     `(#:tests? ,(not (or (%current-target-system)
                          (hurd-target?)))
       ;; Ensure we don't keep a reference to net-tools.
       #:disallowed-references ,(if (hurd-target?) '() (list net-tools))
       #:configure-flags
       (list
        ;; GnuTLS doesn't consult any environment variables to specify
        ;; the location of the system-wide trust store.  Instead it has a
        ;; configure-time option.  Unless specified, its configure script
        ;; attempts to auto-detect the location by looking for common
        ;; places in the file system, none of which are present in our
        ;; chroot build environment.  If not found, then no default trust
        ;; store is used, so each program has to provide its own
        ;; fallback, and users have to configure each program
        ;; independently.  This seems suboptimal.
        ;;
        ;; Certificate verification therefore depends on /etc/ssl/certs
        ;; being populated on the running system; this package itself
        ;; ships no trust anchors.
        "--with-default-trust-store-dir=/etc/ssl/certs"

        ;; Tell the build system that we want Guile bindings installed to
        ;; the output instead of Guiles own module directory.
        (string-append "--with-guile-site-dir="
                       "$(datarootdir)/guile/site/$(GUILE_EFFECTIVE_VERSION)")
        (string-append "--with-guile-site-ccache-dir="
                       "$(libdir)/guile/$(GUILE_EFFECTIVE_VERSION)/site-ccache")
        (string-append "--with-guile-extension-dir="
                       "$(libdir)/guile/$(GUILE_EFFECTIVE_VERSION)/extensions")

        ;; FIXME: Temporarily disable p11-kit support since it is not
        ;; working on mips64el.  Without it GnuTLS has no PKCS#11 support,
        ;; so the directory above is its only source of trust anchors.
        "--without-p11-kit")

       #:phases (modify-phases %standard-phases
                  (add-after
                   'install 'move-doc
                   (lambda* (#:key outputs #:allow-other-keys)
                     ;; Copy the 4.1 MiB of section 3 man pages to "doc".
                     (let* ((out    (assoc-ref outputs "out"))
                            (doc    (assoc-ref outputs "doc"))
                            (mandir (string-append doc "/share/man/man3"))
                            (oldman (string-append out "/share/man/man3")))
                       (mkdir-p mandir)
                       (copy-recursively oldman mandir)
                       (delete-file-recursively oldman)
                       #t))))))
    (outputs '("out"                            ;4.4 MiB
               "debug"
               "doc"))                          ;4.1 MiB of man pages
    (native-inputs
     `(,@(if (%current-target-system)           ;for cross-build
             `(("guile" ,guile-3.0))            ;to create .go files
             '())
       ,@(if (hurd-target?)
             '()
             `(("net-tools" ,net-tools)))
       ("pkg-config" ,pkg-config)
       ("which" ,which)
       ,@(if (hurd-target?) '()
             `(("datefudge" ,datefudge)))       ;tests rely on 'datefudge'
       ("util-linux" ,util-linux)))             ;one test needs 'setsid'
    (inputs
     `(("guile" ,guile-3.0)))
    (propagated-inputs
     ;; These are all in the 'Requires.private' field of gnutls.pc.
     `(("libtasn1" ,libtasn1)
       ("libidn2" ,libidn2)
       ("nettle" ,nettle)
       ("zlib" ,zlib)))
    (home-page "https://www.gnu.org/software/gnutls/")
    (synopsis "Transport layer security library")
    (description
     "GnuTLS is a secure communications library implementing the SSL, TLS
and DTLS protocols. It is provided in the form of a C library to support the
protocols, as well as to parse and write X.509, PKCS #12, OpenPGP and other
required structures.")
    (license license:lgpl2.1+)
    (properties '((ftp-server . "ftp.gnutls.org")
                  (ftp-directory . "/gcrypt/gnutls")))))
;; Replacement package to fix CVE-2021-20305.
;; It is applied to 'gnutls' as a graft, so it has to stay ABI-compatible
;; with 3.6.15 and provide the same outputs.
(define gnutls-3.6.16
  (package
    (inherit gnutls)
    (version "3.6.16")
    (source (origin
              (method url-fetch)
              (uri (string-append "mirror://gnupg/gnutls/v"
                                  (version-major+minor version)
                                  "/gnutls-" version ".tar.xz"))
              ;; NOTE(review): the CVE-2021-20231/20232 patches applied to
              ;; 3.6.15 are not carried here; presumably they are part of
              ;; the 3.6.16 release -- confirm before relying on the graft.
              (patches (search-patches "gnutls-skip-trust-store-test.patch"
                                       "gnutls-cross.patch"))
              (sha256
               (base32
                "1czk511pslz367shf32f2jvvkp7y1323bcv88c2qng98mj0v6y8v"))))
    (arguments
     (if (%current-target-system)
         (substitute-keyword-arguments (package-arguments gnutls)
           ((#:phases phases '%standard-phases)
            `(modify-phases ,phases
               (add-before 'configure 'build-eccdata-headers
                 ;; 'configure-flags' is accepted but not used below.
                 (lambda* (#:key configure-flags #:allow-other-keys)
                   ;; Build the 'ecc/eccdata' program using the native
                   ;; compiler, not the cross-compiler as happens by default,
                   ;; and use it to build lib/nettle/ecc/ecc-*.h.  In GnuTLS
                   ;; 3.6.15, this was not necessary because the tarball
                   ;; contained pre-generated lib/nettle/ecc/ecc-*.h files as
                   ;; well as 'ecc/eccdata.stamp'.
                   (let ((jobs (number->string (parallel-job-count)))
                         (patch (assoc-ref %standard-phases
                                           'patch-generated-file-shebangs)))
                     (mkdir "+native-build")
                     (with-directory-excursion "+native-build"
                       ;; Build natively, with the native compiler, GMP, etc.
                       (invoke "../configure"
                               (string-append "SHELL=" (which "sh"))
                               (string-append "CONFIG_SHELL=" (which "sh"))
                               "NETTLE_CFLAGS= " "NETTLE_LIBS= "
                               "HOGWEED_CFLAGS= " "HOGWEED_LIBS= "
                               "LIBTASN1_CFLAGS= " "LIBTASN1_LIBS= "
                               "ac_cv_func_nettle_rsa_sec_decrypt=yes"
                               "--without-p11-kit" "--disable-guile")
                       (patch)
                       (invoke "make" "-C" "gl" "-j" jobs)
                       (invoke "make" "-C" "lib/nettle" "V=1" "-j" jobs))

                     ;; Copy the files we obtained during native build.
                     (for-each (lambda (file)
                                 (install-file file "lib/nettle/ecc"))
                               (find-files
                                "+native-build/lib/nettle/ecc"
                                "^(eccdata\\.stamp|ecc-.*\\.h)$"))))))))
         (package-arguments gnutls)))
    (native-inputs
     (if (%current-target-system)
         ;; Native copies of the libraries needed by the native 'eccdata'
         ;; build above.
         `(("libtasn1" ,libtasn1)                ;for 'ecc/eccdata'
           ("libidn2" ,libidn2)
           ("nettle" ,nettle)
           ("zlib" ,zlib)
           ,@(package-native-inputs gnutls))
         (package-native-inputs gnutls)))))
(define-public gnutls/guile-2.0
  ;; GnuTLS for Guile 2.0.
  ;; 'package/inherit' is meant to carry the parent's replacement along, so
  ;; the CVE-2021-20305 graft should apply to this variant too.
  (package/inherit gnutls
    (name "guile2.0-gnutls")
    (inputs `(("guile" ,guile-2.0)
              ,@(alist-delete "guile" (package-inputs gnutls))))))
(define-public gnutls/dane
  ;; GnuTLS built with libgnutls-dane, implementing DNS-based
  ;; Authentication of Named Entities.  This is required for GNS functionality
  ;; by GNUnet and gnURL.  This is done in an extra package definition
  ;; to have the choice between GnuTLS with DANE and without DANE.
  ;; The only difference from 'gnutls' is the added 'unbound' input.
  (package/inherit gnutls
    (name "gnutls-dane")
    (inputs `(("unbound" ,unbound)
              ,@(package-inputs gnutls)))))
(define-public guile2.2-gnutls
  ;; GnuTLS for Guile 2.2: same as 'gnutls' with the Guile input swapped.
  (package/inherit gnutls
    (name "guile2.2-gnutls")
    (inputs `(("guile" ,guile-2.2)
              ,@(alist-delete "guile"
                              (package-inputs gnutls))))))
;; 'gnutls' is already built against Guile 3.0; keep the old name as an alias.
(define-public guile3.0-gnutls
  (deprecated-package "guile3.0-gnutls" gnutls))
(define-public openssl
  (package
    (name "openssl")
    (version "1.1.1j")
    ;; Grafted replacement with the CVE-2021-3449 and CVE-2021-3450 fixes;
    ;; see 'openssl-1.1.1k' below.
    (replacement openssl-1.1.1k)
    (source (origin
              (method url-fetch)
              (uri (list (string-append "https://www.openssl.org/source/openssl-"
                                        version ".tar.gz")
                         (string-append "ftp://ftp.openssl.org/source/"
                                        "openssl-" version ".tar.gz")
                         ;; Older releases move to the "old/<series>" tree;
                         ;; strip the letter suffix to get the series.
                         (string-append "ftp://ftp.openssl.org/source/old/"
                                        (string-trim-right version char-set:letter)
                                        "/openssl-" version ".tar.gz")))
              (patches (search-patches "openssl-1.1-c-rehash-in.patch"))
              (sha256
               (base32
                "1gw17520vh13izy1xf5q0a2fqgcayymjjj5bk0dlkxndfnszrwma"))))
    (build-system gnu-build-system)
    (outputs '("out"
               "doc"        ;6.8 MiB of man3 pages and full HTML documentation
               "static"))   ;6.4 MiB of .a files
    (native-inputs `(("perl" ,perl)))
    (arguments
     `(#:parallel-tests? #f
       #:test-target "test"

       ;; Changes to OpenSSL sometimes cause Perl to "sneak in" to the closure,
       ;; so we explicitly disallow it here.
       #:disallowed-references ,(list (canonical-package perl))
       #:phases
       (modify-phases %standard-phases
         ,@(if (%current-target-system)
               '((add-before
                  'configure 'set-cross-compile
                  (lambda* (#:key target outputs #:allow-other-keys)
                    (setenv "CROSS_COMPILE" (string-append target "-"))
                    ;; NOTE(review): the 'cond' has no fallback clause, so an
                    ;; unlisted target yields an unspecified value and
                    ;; 'setenv' presumably fails -- i.e. unsupported targets
                    ;; abort here rather than misconfigure.
                    (setenv "CONFIGURE_TARGET_ARCH"
                            (cond
                             ((string-prefix? "i586" target)
                              "hurd-x86")
                             ((string-prefix? "i686" target)
                              "linux-x86")
                             ((string-prefix? "x86_64" target)
                              "linux-x86_64")
                             ((string-prefix? "mips64el" target)
                              "linux-mips64")
                             ((string-prefix? "arm" target)
                              "linux-armv4")
                             ((string-prefix? "aarch64" target)
                              "linux-aarch64")
                             ((string-prefix? "powerpc64le" target)
                              "linux-ppc64le")
                             ((string-prefix? "powerpc64" target)
                              "linux-ppc64")
                             ((string-prefix? "powerpc" target)
                              "linux-ppc")))
                    #t)))
               '())
         (replace 'configure
           (lambda* (#:key outputs #:allow-other-keys)
             (let* ((out (assoc-ref outputs "out"))
                    (lib (string-append out "/lib")))
               ;; It's not a shebang so patch-source-shebangs misses it.
               (substitute* "config"
                 (("/usr/bin/env")
                  (string-append (assoc-ref %build-inputs "coreutils")
                                 "/bin/env")))
               ;; "./Configure" takes an explicit target; "./config" guesses.
               (invoke ,@(if (%current-target-system)
                             '("./Configure")
                             '("./config"))
                       "shared"       ;build shared libraries
                       "--libdir=lib"

                       ;; The default for this catch-all directory is
                       ;; PREFIX/ssl.  Change that to something more
                       ;; conventional.
                       (string-append "--openssldir=" out
                                      "/share/openssl-"
                                      ,(package-version this-package))

                       (string-append "--prefix=" out)
                       ;; Embed the runpath so dependents find libcrypto/libssl
                       ;; without LD_LIBRARY_PATH.
                       (string-append "-Wl,-rpath," lib)
                       ,@(if (%current-target-system)
                             '((getenv "CONFIGURE_TARGET_ARCH"))
                             '())))))
         (add-after 'install 'move-static-libraries
           (lambda* (#:key outputs #:allow-other-keys)
             ;; Move static libraries to the "static" output.
             (let* ((out    (assoc-ref outputs "out"))
                    (lib    (string-append out "/lib"))
                    (static (assoc-ref outputs "static"))
                    (slib   (string-append static "/lib")))
               (for-each (lambda (file)
                           (install-file file slib)
                           (delete-file file))
                         (find-files lib "\\.a$"))
               #t)))
         (add-after 'install 'move-extra-documentation
           (lambda* (#:key outputs #:allow-other-keys)
             ;; Move man3 pages and full HTML documentation to "doc".
             (let* ((out         (assoc-ref outputs "out"))
                    (man3        (string-append out "/share/man/man3"))
                    (html        (string-append out "/share/doc/openssl"))
                    (doc         (assoc-ref outputs "doc"))
                    (man-target  (string-append doc "/share/man/man3"))
                    (html-target (string-append doc "/share/doc/openssl")))
               (copy-recursively man3 man-target)
               (delete-file-recursively man3)
               (copy-recursively html html-target)
               (delete-file-recursively html)
               #t)))
         (add-after
          'install 'remove-miscellany
          (lambda* (#:key outputs #:allow-other-keys)
            ;; The 'misc' directory contains random undocumented shell and Perl
            ;; scripts.  Remove them to avoid retaining a reference on Perl.
            (let ((out (assoc-ref outputs "out")))
              (delete-file-recursively (string-append out "/share/openssl-"
                                                      ,(package-version this-package)
                                                      "/misc"))
              #t))))))
    ;; Where OpenSSL-based programs look for CA certificates at run time.
    ;; The anchors themselves come from the user's profile or system, not
    ;; from this package.
    (native-search-paths
     (list (search-path-specification
            (variable "SSL_CERT_DIR")
            (separator #f)              ;single entry
            (files '("etc/ssl/certs")))
           (search-path-specification
            (variable "SSL_CERT_FILE")
            (file-type 'regular)        ;a file, not a directory
            (separator #f)              ;single entry
            (files '("etc/ssl/certs/ca-certificates.crt")))))
    (synopsis "SSL/TLS implementation")
    (description
     "OpenSSL is an implementation of SSL/TLS.")
    (license license:openssl)
    (home-page "https://www.openssl.org/")))
;; Replacement package to fix CVE-2021-3449 and CVE-2021-3450.
;; Applied to 'openssl' as a graft: same name and outputs, a point release
;; within the same 1.1.1 series.
(define openssl-1.1.1k
  (package
    (inherit openssl)
    (version "1.1.1k")
    (source (origin
              (method url-fetch)
              (uri (list (string-append "https://www.openssl.org/source/openssl-"
                                        version ".tar.gz")
                         (string-append "ftp://ftp.openssl.org/source/"
                                        "openssl-" version ".tar.gz")
                         (string-append "ftp://ftp.openssl.org/source/old/"
                                        (string-trim-right version char-set:letter)
                                        "/openssl-" version ".tar.gz")))
              (patches (search-patches "openssl-1.1-c-rehash-in.patch"))
              (sha256
               (base32
                "1rdfzcrxy9y38wqdw5942vmdax9hjhgrprzxm42csal7p5shhal9"))))))
(define-public openssl-1.0
  ;; NOTE(review): upstream support for the OpenSSL 1.0.2 series has ended,
  ;; so this package receives no further security fixes; it should only be
  ;; kept for dependents that cannot build against 1.1.
  (package
    (inherit openssl)
    (name "openssl")
    (version "1.0.2u")
    (source (origin
              (method url-fetch)
              (uri (list (string-append "https://www.openssl.org/source/openssl-"
                                        version ".tar.gz")
                         (string-append "ftp://ftp.openssl.org/source/"
                                        "openssl-" version ".tar.gz")
                         (string-append "ftp://ftp.openssl.org/source/old/"
                                        (string-trim-right version char-set:letter)
                                        "/openssl-" version ".tar.gz")))
              (sha256
               (base32
                "05lxcs4hzyfqd5jn0d9p0fvqna62v2s4pc9qgmq0dpcknkzwdl7c"))
              ;; 1.0-specific patches; the inherited 1.1 patch is replaced.
              (patches (search-patches "openssl-runpath.patch"
                                       "openssl-c-rehash-in.patch"))))
    (outputs '("out"
               "doc"                    ;1.5MiB of man3 pages
               "static"))               ;6MiB of .a files
    (arguments
     (substitute-keyword-arguments (package-arguments openssl)
       ;; Parallel build is not supported in 1.0.x.
       ((#:parallel-build? _ #f) #f)
       ((#:phases phases)
        `(modify-phases ,phases
           (add-before 'patch-source-shebangs 'patch-tests
             ;; The test scripts hard-code /bin/sh and /bin/rm, which do not
             ;; exist in the build container.
             (lambda* (#:key inputs native-inputs #:allow-other-keys)
               (let ((bash (assoc-ref (or native-inputs inputs) "bash")))
                 (substitute* (find-files "test" ".*")
                   (("/bin/sh")
                    (string-append bash "/bin/sh"))
                   (("/bin/rm")
                    "rm"))
                 #t)))
           (add-before 'configure 'patch-Makefile.org
             (lambda* (#:key outputs #:allow-other-keys)
               ;; The default MANDIR is some unusual place.  Fix that.
               (let ((out (assoc-ref outputs "out")))
                 (patch-makefile-SHELL "Makefile.org")
                 (substitute* "Makefile.org"
                   (("^MANDIR[[:blank:]]*=.*$")
                    (string-append "MANDIR = " out "/share/man\n")))
                 #t)))
           (replace 'configure
             ;; Override this phase because OpenSSL 1.0 does not understand -rpath.
             (lambda* (#:key outputs #:allow-other-keys)
               (let ((out (assoc-ref outputs "out")))
                 (invoke ,@(if (%current-target-system)
                               '("./Configure")
                               '("./config"))
                         "shared"       ;build shared libraries
                         "--libdir=lib"

                         ;; The default for this catch-all directory is
                         ;; PREFIX/ssl.  Change that to something more
                         ;; conventional.
                         (string-append "--openssldir=" out
                                        "/share/openssl-" ,version)

                         (string-append "--prefix=" out)
                         ,@(if (%current-target-system)
                               '((getenv "CONFIGURE_TARGET_ARCH"))
                               '())))))
           ;; 1.0 ships no HTML documentation; only man3 pages are moved.
           (delete 'move-extra-documentation)
           (add-after 'install 'move-man3-pages
             (lambda* (#:key outputs #:allow-other-keys)
               ;; Move section 3 man pages to "doc".
               (let* ((out    (assoc-ref outputs "out"))
                      (man3   (string-append out "/share/man/man3"))
                      (doc    (assoc-ref outputs "doc"))
                      (target (string-append doc "/share/man/man3")))
                 (mkdir-p target)
                 (for-each (lambda (file)
                             (rename-file file
                                          (string-append target "/"
                                                         (basename file))))
                           (find-files man3))
                 (delete-file-recursively man3)
                 #t)))
           ;; XXX: Duplicate this phase to make sure 'version' evaluates
           ;; in the current scope and not the inherited one.
           (replace 'remove-miscellany
             (lambda* (#:key outputs #:allow-other-keys)
               ;; The 'misc' directory contains random undocumented shell and Perl
               ;; scripts.  Remove them to avoid retaining a reference on Perl.
               (let ((out (assoc-ref outputs "out")))
                 (delete-file-recursively (string-append out "/share/openssl-"
                                                         ,version "/misc"))
                 #t)))))))))
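(define-public libressl
  (package
    (name "libressl")
    (version "3.3.3")
    (source (origin
              (method url-fetch)
              (uri (string-append "mirror://openbsd/LibreSSL/"
                                  "libressl-" version ".tar.gz"))
              (sha256
               (base32
                "0rihprcgxsydsbcqgd1952k2cfn4jmp7rlyp1c6sglfc6rdmcwd4"))))
    (build-system gnu-build-system)
    (arguments
     ;; Do as if 'getentropy' were missing: Linux kernels before 3.17 lack its
     ;; underlying 'getrandom' system call and ENOSYS isn't properly handled.
     ;; See <https://lists.gnu.org/archive/html/guix-devel/2017-04/msg00235.html>.
     ;; NOTE(review): this sends every entropy request through LibreSSL's own
     ;; fallback path even on kernels that do have getrandom; worth checking
     ;; whether the workaround is still needed.
     '(#:configure-flags '("ac_cv_func_getentropy=no"
                           ;; Provide a TLS-enabled netcat.
                           "--enable-nc")))
    ;; Where LibreSSL-based programs look for CA certificates at run time;
    ;; kept in step with the 'openssl' package above.
    (native-search-paths
     (list (search-path-specification
            (variable "SSL_CERT_DIR")
            (separator #f)              ;single entry
            (files '("etc/ssl/certs")))
           (search-path-specification
            (variable "SSL_CERT_FILE")
            ;; The target is a regular file, so the search path must match
            ;; files rather than (the default) directories, as 'openssl' does.
            (file-type 'regular)
            (separator #f)              ;single entry
            (files '("etc/ssl/certs/ca-certificates.crt")))))
    (home-page "https://www.libressl.org/")
    (synopsis "SSL/TLS implementation")
    (description "LibreSSL is a version of the TLS/crypto stack, forked from
OpenSSL in 2014 with the goals of modernizing the codebase, improving security,
and applying best practice development processes. This package also includes a
netcat implementation that supports TLS.")
    ;; Files taken from OpenSSL keep their license, others are under various
    ;; non-copyleft licenses.
    (license (list license:openssl
                   (license:non-copyleft
                    "file://COPYING"
                    "See COPYING in the distribution.")))))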
(define-public python-acme
  (package
    (name "python-acme")
    ;; Remember to update the hash of certbot when updating python-acme.
    (version "1.15.0")
    (source (origin
              (method url-fetch)
              (uri (pypi-uri "acme" version))
              (sha256
               (base32
                "0kgf1d3gl7dg1rz3q4093kf8g0p2d0m40c7qmn96ihz2224wa307"))))
    (build-system python-build-system)
    (arguments
     `(#:phases
       (modify-phases %standard-phases
         ;; Build the Sphinx man page and Info manual after the Python build.
         (add-after 'build 'build-documentation
           (lambda _
             (invoke "make" "-C" "docs" "man" "info")))
         ;; 'certbot' below replaces this phase with its own file names.
         (add-after 'install 'install-documentation
           (lambda* (#:key outputs #:allow-other-keys)
             (let* ((out  (assoc-ref outputs "out"))
                    (man  (string-append out "/share/man/man1"))
                    (info (string-append out "/info")))
               (install-file "docs/_build/texinfo/acme-python.info" info)
               (install-file "docs/_build/man/acme-python.1" man)
               #t))))))
    (native-inputs
     `(("python-pytest" ,python-pytest)
       ;; For documentation
       ("python-sphinx" ,python-sphinx)
       ("python-sphinxcontrib-programoutput" ,python-sphinxcontrib-programoutput)
       ("python-sphinx-rtd-theme" ,python-sphinx-rtd-theme)
       ("texinfo" ,texinfo)))
    (propagated-inputs
     `(("python-josepy" ,python-josepy)
       ("python-requests" ,python-requests)
       ("python-requests-toolbelt" ,python-requests-toolbelt)
       ("python-pytz" ,python-pytz)
       ("python-pyrfc3339" ,python-pyrfc3339)
       ("python-pyasn1" ,python-pyasn1)
       ("python-cryptography" ,python-cryptography)
       ("python-pyopenssl" ,python-pyopenssl)))
    (home-page "https://github.com/certbot/certbot")
    (synopsis "ACME protocol implementation in Python")
    ;; XXX: The description merely repeats the synopsis.
    (description "ACME protocol implementation in Python")
    (license license:asl2.0)))
(define-public certbot
  (package
    (name "certbot")
    ;; Certbot and python-acme are developed in the same repository, and their
    ;; versions should remain synchronized.
    (version (package-version python-acme))
    (source (origin
              (method url-fetch)
              (uri (pypi-uri "certbot" version))
              (sha256
               (base32
                "1qcznszgqdgx1nhk4vdi896gknvx8rg4w8iw15lwqg6byhiyazyv"))))
    (build-system python-build-system)
    (arguments
     ;; Reuse python-acme's phases (including 'build-documentation'), only
     ;; swapping the documentation file names.
     `(,@(substitute-keyword-arguments (package-arguments python-acme)
           ((#:phases phases)
            `(modify-phases ,phases
               (replace 'install-documentation
                 (lambda* (#:key outputs #:allow-other-keys)
                   (let* ((out  (assoc-ref outputs "out"))
                          (man1 (string-append out "/share/man/man1"))
                          (man7 (string-append out "/share/man/man7"))
                          (info (string-append out "/info")))
                     (install-file "docs/_build/texinfo/Certbot.info" info)
                     (install-file "docs/_build/man/certbot.1" man1)
                     (install-file "docs/_build/man/certbot.7" man7)
                     #t))))))))
    (native-inputs
     `(("python-mock" ,python-mock)
       ("python-pytest" ,python-pytest)
       ;; For documentation
       ("python-sphinx" ,python-sphinx)
       ("python-sphinx-rtd-theme" ,python-sphinx-rtd-theme)
       ("python-sphinx-repoze-autointerface" ,python-sphinx-repoze-autointerface)
       ("python-sphinxcontrib-programoutput" ,python-sphinxcontrib-programoutput)
       ("texinfo" ,texinfo)))
    (propagated-inputs
     `(("python-acme" ,python-acme)
       ("python-cryptography" ,python-cryptography)
       ("python-zope-interface" ,python-zope-interface)
       ("python-pyrfc3339" ,python-pyrfc3339)
       ("python-pyopenssl" ,python-pyopenssl)
       ("python-configobj" ,python-configobj)
       ("python-configargparse" ,python-configargparse)
       ("python-distro" ,python-distro)
       ("python-zope-component" ,python-zope-component)
       ("python-parsedatetime" ,python-parsedatetime)
       ("python-psutil" ,python-psutil)
       ("python-requests" ,python-requests)
       ("python-pytz" ,python-pytz)))
    (synopsis "Let's Encrypt client by the Electronic Frontier Foundation")
    (description "Certbot automatically receives and installs X.509 certificates
to enable Transport Layer Security (TLS) on servers. It interoperates with the
Let’s Encrypt certificate authority (CA), which issues browser-trusted
certificates for free.")
    (home-page "https://certbot.eff.org/")
    (license license:asl2.0)))
;; Old name of the client; kept only so existing profiles resolve, and marked
;; as superseded by 'certbot'.
(define-public letsencrypt
  (package (inherit certbot)
    (name "letsencrypt")
    (properties `((superseded . ,certbot)))))
(define-public perl-net-ssleay
  (package
    (name "perl-net-ssleay")
    (version "1.88")
    (source (origin
              (method url-fetch)
              (uri (string-append "mirror://cpan/authors/id/C/CH/CHRISN/"
                                  "Net-SSLeay-" version ".tar.gz"))
              (sha256
               (base32
                "1pfgh4h3szcpvqlcimc60pjbk9zwls99x5863sva0wc47i4dl010"))))
    (build-system perl-build-system)
    (inputs `(("openssl" ,openssl)))
    (arguments
     `(#:phases
       (modify-phases %standard-phases
         (add-before
          'configure 'set-ssl-prefix
          (lambda* (#:key inputs #:allow-other-keys)
            ;; Tell the CPAN build which OpenSSL to link against.
            (setenv "OPENSSL_PREFIX" (assoc-ref inputs "openssl"))
            #t)))))
    (synopsis "Perl extension for using OpenSSL")
    (description
     "This module offers some high level convenience functions for accessing
web pages on SSL servers (for symmetry, the same API is offered for accessing
http servers, too), an sslcat() function for writing your own clients, and
finally access to the SSL api of the SSLeay/OpenSSL package so you can write
servers or clients for more complicated applications.")
    (license license:perl-license)
    (home-page "https://metacpan.org/release/Net-SSLeay")))
783
;; RSA via OpenSSL's libcrypto.  Like the other Crypt::OpenSSL::* modules in
;; this file it uses PERL-CRYPT-ARGUMENTS, which rewrites Makefile.PL so the
;; XS code links against the libcrypto of the "openssl" input rather than any
;; other copy the linker might find.
(define-public perl-crypt-openssl-rsa
  (package
    (name "perl-crypt-openssl-rsa")
    (version "0.31")
    (home-page "https://metacpan.org/release/Crypt-OpenSSL-RSA")
    (source
     (origin
       (method url-fetch)
       (uri (string-append "mirror://cpan/authors/id/T/TO/TODDR/"
                           "Crypt-OpenSSL-RSA-" version ".tar.gz"))
       (sha256
        (base32 "0djl5i6kibl7862b6ih29q8dhg5zpwzq77q9j8hp6xngshx40ws1"))))
    (build-system perl-build-system)
    ;; Only consulted while Makefile.PL runs, hence a native input.
    (native-inputs
     `(("perl-crypt-openssl-guess" ,perl-crypt-openssl-guess)))
    (inputs
     `(("perl-crypt-openssl-bignum" ,perl-crypt-openssl-bignum)
       ("perl-crypt-openssl-random" ,perl-crypt-openssl-random)
       ("openssl" ,openssl)))
    (arguments perl-crypt-arguments)
    (synopsis "RSA encoding and decoding, using the openSSL libraries")
    (description "Crypt::OpenSSL::RSA does RSA encoding and decoding (using the
OpenSSL libraries).")
    (license license:perl-license)))
813
;; Build arguments shared by the Crypt::OpenSSL::* packages in this file.
;; Before 'configure (i.e. before Makefile.PL runs), the module's 'LIBS' line
;; is replaced wholesale with one that links against libcrypto from the
;; "openssl" input.  This pins the binding to Guix's OpenSSL instead of
;; letting the build guess a library path on its own.
(define perl-crypt-arguments
  `(#:phases
    (modify-phases %standard-phases
      (add-before 'configure 'patch-Makefile.PL
        (lambda* (#:key inputs #:allow-other-keys)
          (let* ((openssl (assoc-ref inputs "openssl"))
                 (libs    (string-append "'LIBS' => ['-L" openssl
                                         "/lib -lcrypto'],")))
            ;; The pattern matches the rest of the 'LIBS' line, whatever its
            ;; original value.
            (substitute* "Makefile.PL"
              (("'LIBS'.*=>.*") libs))
            #t))))))
823
;; Perl access to OpenSSL's BIGNUM arithmetic.  Linked against the store
;; libcrypto through PERL-CRYPT-ARGUMENTS, like its sibling modules.
(define-public perl-crypt-openssl-bignum
  (package
    (name "perl-crypt-openssl-bignum")
    (version "0.09")
    (home-page "https://metacpan.org/release/Crypt-OpenSSL-Bignum")
    (source
     (origin
       (method url-fetch)
       (uri (string-append "mirror://cpan/authors/id/K/KM/KMX/"
                           "Crypt-OpenSSL-Bignum-" version ".tar.gz"))
       (sha256
        (base32 "1p22znbajq91lbk2k3yg12ig7hy5b4vy8igxwqkmbm4nhgxp4ki3"))))
    (build-system perl-build-system)
    (inputs
     `(("openssl" ,openssl)))
    (arguments perl-crypt-arguments)
    (synopsis "OpenSSL's multiprecision integer arithmetic in Perl")
    (description "Crypt::OpenSSL::Bignum provides multiprecision integer
arithmetic in Perl.")
    ;; At your option either gpl1+ or the Artistic License
    (license license:perl-license)))
cccb4d26 849
;; Build-time helper for the Crypt::OpenSSL::* modules.  It takes no OpenSSL
;; input of its own here and is only listed as a native input by the packages
;; that use it, i.e. it is consulted while their Makefile.PL runs, not at
;; run time.
(define-public perl-crypt-openssl-guess
  (package
    (name "perl-crypt-openssl-guess")
    (version "0.11")
    (home-page "https://metacpan.org/release/Crypt-OpenSSL-Guess")
    (source
     (origin
       (method url-fetch)
       (uri (string-append "mirror://cpan/authors/id/A/AK/AKIYM/"
                           "Crypt-OpenSSL-Guess-" version ".tar.gz"))
       (sha256
        (base32 "0rvi9l4ljcbhwwvspq019nfq2h2v746dk355h2nwnlmqikiihsxa"))))
    (build-system perl-build-system)
    (synopsis "Guess the OpenSSL include path")
    (description
     "The Crypt::OpenSSL::Guess Perl module provides helpers to guess the
correct OpenSSL include path. It is intended for use in your
@file{Makefile.PL}.")
    (license license:perl-license)))
871
;; Perl access to the OpenSSL/LibreSSL PRNG.  Per its synopsis the randomness
;; comes from the libcrypto it is linked against, which PERL-CRYPT-ARGUMENTS
;; pins to the "openssl" input below -- not from Perl's own rand().
(define-public perl-crypt-openssl-random
  (package
    (name "perl-crypt-openssl-random")
    (version "0.15")
    (home-page "https://metacpan.org/release/Crypt-OpenSSL-Random")
    (source
     (origin
       (method url-fetch)
       (uri (string-append "mirror://cpan/authors/id/R/RU/RURBAN/"
                           "Crypt-OpenSSL-Random-" version ".tar.gz"))
       (sha256
        (base32 "1x6ffps8q7mnawmcfq740llzy7i10g3319vap0wiw4d33fm6z1zh"))))
    (build-system perl-build-system)
    ;; Only consulted while Makefile.PL runs, hence a native input.
    (native-inputs
     `(("perl-crypt-openssl-guess" ,perl-crypt-openssl-guess)))
    (inputs
     `(("openssl" ,openssl)))
    (arguments perl-crypt-arguments)
    (synopsis "OpenSSL/LibreSSL pseudo-random number generator access")
    (description "Crypt::OpenSSL::Random is a OpenSSL/LibreSSL pseudo-random
number generator")
    (license license:perl-license)))
898
;; Portable snapshot of OpenBSD's acme-client, built against LibreSSL.
;;
;; Trust anchors: http.c hard-codes the OpenBSD CA bundle path
;; /etc/ssl/cert.pem.  The 'patch-paths phase redirects it to the cert.pem
;; shipped inside the libressl store item, so the roots used (presumably to
;; authenticate the ACME server over HTTPS) come from the LibreSSL package,
;; not from the host's /etc/ssl.  Keep this in mind when auditing which CAs
;; the client trusts, and when libressl is updated.
(define-public acme-client
  (package
    (name "acme-client")
    (version "0.1.16")
    (home-page "https://kristaps.bsd.lv/acme-client/")
    (source
     (origin
       (method url-fetch)
       (uri (string-append "https://kristaps.bsd.lv/acme-client/snapshots/"
                           "acme-client-portable-" version ".tgz"))
       (sha256
        (base32 "00q05b3b1dfnfp7sr1nbd212n0mqrycl3cr9lbs51m7ncaihbrz9"))))
    (build-system gnu-build-system)
    (native-inputs
     `(("pkg-config" ,pkg-config)))
    (inputs
     `(("libbsd" ,libbsd)
       ("libressl" ,libressl)))
    (arguments
     '(#:tests? #f                      ; no test suite
       #:make-flags
       (list "CC=gcc"
             (string-append "PREFIX=" (assoc-ref %outputs "out")))
       #:phases
       (modify-phases %standard-phases
         ;; Upstream ships a plain Makefile; there is no './configure'.
         (delete 'configure)
         (add-after 'unpack 'patch-paths
           (lambda* (#:key inputs #:allow-other-keys)
             (let* ((libressl (assoc-ref inputs "libressl"))
                    (cert-pem (string-append libressl "/etc/ssl/cert.pem")))
               (substitute* "http.c"
                 (("/etc/ssl/cert.pem") cert-pem))
               #t))))))
    (synopsis "Let's Encrypt client by the OpenBSD project")
    (description "acme-client is a Let's Encrypt client implemented in C. It
uses a modular design, and attempts to secure itself by dropping privileges and
operating in a chroot where possible. acme-client is developed on OpenBSD and
then ported to the GNU / Linux environment.")
    ;; acme-client is distributed under the ISC license, but the files 'jsmn.h'
    ;; and 'jsmn.c' are distributed under the Expat license.
    (license (list license:isc license:expat))))
88522738 941
;; The "-apache" variant is the one upstream prefers.  A "-gpl" variant exists
;; in addition to the "-apache" one.
(define-public mbedtls-apache
  (package
    (name "mbedtls-apache")
    ;; XXX Check whether ‘-Wformat-signedness’ still breaks mbedtls-for-hiawatha
    ;; when updating.
    (version "2.23.0")
    (home-page "https://tls.mbed.org")
    (source
     (origin
       (method git-fetch)
       ;; The commit is a release tag, which upstream could in principle move;
       ;; the sha256 below is what actually pins the checkout.
       (uri (git-reference
             (url "https://github.com/ARMmbed/mbedtls")
             (commit (string-append "mbedtls-" version))))
       (file-name (git-file-name name version))
       (sha256
        (base32 "13fa9h2i989cbf8n8c0j019mshv6wg213va18my1s787lhcq2d62"))))
    (build-system cmake-build-system)
    ;; Build-time only (presumably for upstream's generation and test
    ;; scripts); neither ends up in the runtime closure.
    (native-inputs
     `(("perl" ,perl)
       ("python" ,python)))
    (arguments
     `(;; Ship the shared libraries only.
       #:configure-flags '("-DUSE_SHARED_MBEDTLS_LIBRARY=ON"
                           "-DUSE_STATIC_MBEDTLS_LIBRARY=OFF")
       #:phases
       (modify-phases %standard-phases
         ;; The phase name suggests the build writes to checked-out files in
         ;; place; git-fetch sources are read-only, so open them up first.
         (add-after 'unpack 'make-source-writable
           (lambda _
             (for-each make-file-writable (find-files "."))
             #t)))))
    (synopsis "Small TLS library")
    (description
     "@code{mbed TLS}, formerly known as PolarSSL, makes it trivially easy
for developers to include cryptographic and SSL/TLS capabilities in their
(embedded) products, facilitating this functionality with a minimal
coding footprint.")
    (license license:asl2.0)))
587d1752 981
982;; The Hiawatha Web server requires some specific features to be enabled.
(define-public mbedtls-for-hiawatha
  (hidden-package
   (package
     (inherit mbedtls-apache)
     ;; Same build as MBEDTLS-APACHE, plus one extra phase that enables the
     ;; pthread-backed threading layer via upstream's config script.
     (arguments
      (substitute-keyword-arguments (package-arguments mbedtls-apache)
        ((#:phases phases)
         `(modify-phases ,phases
            ;; Runs after the inherited 'make-source-writable phase, which
            ;; presumably matters since config.pl edits the config in place.
            (add-before 'configure 'configure-extra-features
              (lambda _
                (invoke "scripts/config.pl" "set" "MBEDTLS_THREADING_C")
                (invoke "scripts/config.pl" "set" "MBEDTLS_THREADING_PTHREAD")
                ;; XXX The above enables code that breaks with -Werror…
                (substitute* "CMakeLists.txt"
                  ((" -Wformat-signedness") ""))
                #t)))))))))
8e87aa04 1001
;; Dehydrated is a single Bash script plus documentation, so it is installed
;; by hand with the trivial build system: unpack, copy docs and man pages,
;; install the script, then fix its shebang and wrap it with a PATH pointing
;; at the store tools it shells out to.
(define-public dehydrated
  (package
    (name "dehydrated")
    (version "0.7.0")
    (source (origin
              (method url-fetch)
              (uri (string-append
                    "https://github.com/dehydrated-io/dehydrated/releases/download/"
                    "v" version "/dehydrated-" version ".tar.gz"))
              (sha256
               (base32
                "1yf4kldyd5y13r6qxrkcbbk74ykngq7jzy0351vb2r3ywp114pqw"))))
    (build-system trivial-build-system)
    (arguments
     `(#:modules ((guix build utils)
                  (srfi srfi-26))
       #:builder
       (begin
         (use-modules (guix build utils)
                      (srfi srfi-26))
         (let* ((source (assoc-ref %build-inputs "source"))
                (tar (assoc-ref %build-inputs "tar"))
                (gz (assoc-ref %build-inputs "gzip"))
                (out (assoc-ref %outputs "out"))
                (bin (string-append out "/bin"))
                (doc (string-append out "/share/doc/" ,name "-" ,version))
                (man (string-append out "/share/man"))
                ;; Directory holding the bash executable; used both for the
                ;; shebang and as PATH while the wrapper is generated.
                (bash (in-vicinity (assoc-ref %build-inputs "bash") "bin")))

           ;; gzip must be on PATH for tar to unpack the .tar.gz, and for the
           ;; explicit "gzip" calls on the man pages below.
           (setenv "PATH" (string-append gz "/bin"))
           (invoke (string-append tar "/bin/tar") "xvf" source)
           (chdir (string-append ,name "-" ,version))

           (copy-recursively "docs" doc)
           (install-file "LICENSE" doc)

           ;; The man page ships under docs/; move it to the standard
           ;; location and compress it as Guix expects.
           (mkdir-p man)
           (rename-file (string-append doc "/man")
                        (string-append man "/man1"))
           (for-each (cut invoke "gzip" "-9" <>)
                     (find-files man ".*"))

           (install-file "dehydrated" bin)
           (with-directory-excursion bin
             (patch-shebang "dehydrated" (list bash))

             ;; Do not try to write to the store.
             ;; Upstream derives SCRIPTDIR from the script's own location
             ;; ("$..."), which here would be the read-only store; point it
             ;; at a per-user directory instead.
             (substitute* "dehydrated"
               (("SCRIPTDIR=\"\\$.*\"") "SCRIPTDIR=~/.dehydrated"))

             ;; wrap-program presumably needs bash on PATH to emit the
             ;; wrapper; PATH is otherwise just gzip's bin at this point.
             (setenv "PATH" bash)
             ;; Pin every external tool the script calls (notably openssl
             ;; and curl, presumably for key handling and ACME traffic) to
             ;; the store inputs, so the script does not pick up whatever
             ;; versions happen to be on the user's PATH.
             (wrap-program "dehydrated"
               `("PATH" ":" prefix
                 ,(map (lambda (dir)
                         (string-append dir "/bin"))
                       (map (lambda (input)
                              (assoc-ref %build-inputs input))
                            '("coreutils"
                              "curl"
                              "diffutils"
                              "gawk"
                              "grep"
                              "openssl"
                              "sed"))))))
           #t)))
    ;; Runtime dependencies; all but bash are referenced through the PATH
    ;; wrapper above rather than by absolute path in the script.
    (inputs
     `(("bash" ,bash)
       ("coreutils" ,coreutils)
       ("curl" ,curl)
       ("diffutils" ,diffutils)
       ("gawk" ,gawk)
       ("grep" ,grep)
       ("openssl" ,openssl)
       ("sed" ,sed)))
    ;; Only needed to unpack the tarball and compress the man page.
    (native-inputs
     `(("gzip" ,gzip)
       ("tar" ,tar)))
    (home-page "https://dehydrated.io/")
    (synopsis "Let's Encrypt/ACME client implemented as a shell script")
    (description "Dehydrated is a client for signing certificates with an
ACME-server (currently only provided by Let's Encrypt) implemented as a
relatively simple Bash script.")
    (license license:expat)))
1085
;; Mozilla-derived root CA bundle for Go programs.
;;
;; This is a git snapshot, and the date embedded in the version string
;; (2018.01.18) is presumably the age of the bundled root store.  Roots that
;; Mozilla has added or distrusted since then are not reflected until COMMIT
;; is bumped, so anything that relies on this bundle for TLS verification is
;; only as current as this package definition.
(define-public go-github-com-certifi-gocertifi
  (let ((commit "a5e0173ced670013bfb649c7e806bc9529c986ec")
        (revision "1"))
    (package
      (name "go-github-com-certifi-gocertifi")
      (version (git-version "2018.01.18" revision commit))
      (home-page "https://certifi.io")
      (source
       (origin
         (method git-fetch)
         (uri (git-reference
               (url "https://github.com/certifi/gocertifi")
               (commit commit)))
         (sha256
          (base32 "1n9drccl3q1rr8wg3nf60slkf1lgsmz5ahifrglbdrc6har3rryj"))
         (file-name (git-file-name name version))))
      (build-system go-build-system)
      (arguments
       `(#:import-path "github.com/certifi/gocertifi"))
      (synopsis "X.509 TLS root certificate bundle for Go")
      (description "This package is a Go language X.509 TLS root certificate bundle,
derived from Mozilla's collection.")
      (license license:mpl2.0))))
1109
;; AWS's TLS implementation, built as a shared library on top of OpenSSL.
(define-public s2n
  (package
    (name "s2n")
    (version "1.0.0")
    (home-page "https://github.com/awslabs/s2n")
    (source
     (origin
       (method git-fetch)
       ;; A release tag; the sha256 is what pins the content.
       (uri (git-reference
             (url "https://github.com/awslabs/s2n")
             (commit (string-append "v" version))))
       (file-name (git-file-name name version))
       (sha256
        (base32 "1q6kmgwb8jxmc4ijzk9pkqzz8lsbfsv9hyzqvy944w7306zx1r5h"))))
    (build-system cmake-build-system)
    ;; Both the shared and the static libcrypto are propagated, presumably
    ;; because s2n's link interface exposes OpenSSL to its own users.
    (propagated-inputs
     `(("openssl" ,openssl)
       ("openssl:static" ,openssl "static")))
    (arguments
     `(;; Tests are neither built nor run, so nothing exercises the TLS
       ;; code at build time; check upstream's CI when updating.
       #:tests? #f ; tests fail to build for static library
       #:configure-flags (list "-DBUILD_TESTING=OFF"
                               "-DBUILD_SHARED_LIBS=ON")))
    (synopsis "SSL/TLS implementation")
    (description "This library provides a C99 implementation of SSL/TLS.")
    (license license:asl2.0)))