Diffstat (limited to 'nixpkgs/pkgs/development/libraries/gnutls')
3 files changed, 232 insertions, 0 deletions
diff --git a/nixpkgs/pkgs/development/libraries/gnutls/default.nix b/nixpkgs/pkgs/development/libraries/gnutls/default.nix
new file mode 100644
index 000000000000..3bef1d935564
--- /dev/null
+++ b/nixpkgs/pkgs/development/libraries/gnutls/default.nix
@@ -0,0 +1,170 @@ +{ config +, lib +, stdenv +, fetchurl +, zlib +, lzo +, libtasn1 +, nettle +, pkg-config +, lzip +, perl +, gmp +, autoconf +, automake +, libidn2 +, libiconv +, texinfo +, unbound +, dns-root-data +, gettext +, util-linux +, cxxBindings ? !stdenv.hostPlatform.isStatic # tries to link libstdc++.so +, tpmSupport ? false +, trousers +, which +, nettools +, libunistring +, withP11-kit ? !stdenv.hostPlatform.isStatic +, p11-kit +, Security # darwin Security.framework + # certificate compression - only zlib now, more possible: zstd, brotli + + # for passthru.tests +, curlWithGnuTls +, emacs +, ffmpeg +, haskellPackages +, knot-resolver +, ngtcp2-gnutls +, ocamlPackages +, python3Packages +, qemu +, rsyslog +, openconnect +, samba +}: + +let + + # XXX: Gnulib's `test-select' fails on FreeBSD: + # https://hydra.nixos.org/build/2962084/nixlog/1/raw . + doCheck = !stdenv.isFreeBSD && !stdenv.isDarwin + && stdenv.buildPlatform == stdenv.hostPlatform; + + inherit (stdenv.hostPlatform) isDarwin; +in + +stdenv.mkDerivation rec { + pname = "gnutls"; + version = "3.8.3"; + + src = fetchurl { + url = "mirror://gnupg/gnutls/v${lib.versions.majorMinor version}/gnutls-${version}.tar.xz"; + hash = "sha256-90/FlUsn1Oxt+7Ed6ph4iLWxJCiaNwOvytoO5SD0Fz4="; + }; + + outputs = [ "bin" "dev" "out" ] + ++ lib.optionals (!stdenv.hostPlatform.isMinGW) [ "man" "devdoc" ]; + + # Not normally useful docs. + outputInfo = "devdoc"; + outputDoc = "devdoc"; + + patches = [ + ./nix-ssl-cert-file.patch + ]; + + # Skip some tests: + # - pkg-config: building against the result won't work before installing (3.5.11) + # - fastopen: no idea; it broke between 3.6.2 and 3.6.3 (3437fdde6 in particular) + # - trust-store: default trust store path (/etc/ssl/...) 
is missing in sandbox (3.5.11) + # - psk-file: no idea; it broke between 3.6.3 and 3.6.4 + # Change p11-kit test to use pkg-config to find p11-kit + postPatch = '' + sed '2iexit 77' -i tests/{pkgconfig,fastopen}.sh + sed '/^void doit(void)/,/^{/ s/{/{ exit(77);/' -i tests/{trust-store,psk-file}.c + sed 's:/usr/lib64/pkcs11/ /usr/lib/pkcs11/ /usr/lib/x86_64-linux-gnu/pkcs11/:`pkg-config --variable=p11_module_path p11-kit-1`:' -i tests/p11-kit-trust.sh + '' + lib.optionalString stdenv.hostPlatform.isMusl '' # See https://gitlab.com/gnutls/gnutls/-/issues/945 + sed '2iecho "certtool tests skipped in musl build"\nexit 0' -i tests/cert-tests/certtool.sh + ''; + + preConfigure = "patchShebangs ."; + configureFlags = + lib.optionals withP11-kit [ + "--with-default-trust-store-file=/etc/ssl/certs/ca-certificates.crt" + "--with-default-trust-store-pkcs11=pkcs11:" + ] ++ [ + "--disable-dependency-tracking" + "--enable-fast-install" + "--with-unbound-root-key-file=${dns-root-data}/root.key" + (lib.withFeature withP11-kit "p11-kit") + (lib.enableFeature cxxBindings "cxx") + ] ++ lib.optionals (stdenv.hostPlatform.isMinGW) [ + "--disable-doc" + ]; + + enableParallelBuilding = true; + + hardeningDisable = [ "trivialautovarinit" ]; + + buildInputs = [ lzo lzip libtasn1 libidn2 zlib gmp libunistring unbound gettext libiconv ] + ++ lib.optional (withP11-kit) p11-kit + ++ lib.optional (tpmSupport && stdenv.isLinux) trousers; + + nativeBuildInputs = [ perl pkg-config texinfo ] + ++ lib.optionals doCheck [ which nettools util-linux ]; + + propagatedBuildInputs = [ nettle ] + # Builds dynamically linking against gnutls seem to need the framework now. + ++ lib.optional isDarwin Security; + + inherit doCheck; + # stdenv's `NIX_SSL_CERT_FILE=/no-cert-file.crt` breaks tests. 
+ # Also empty files won't work, and we want to avoid potentially impure /etc/ + preCheck = "NIX_SSL_CERT_FILE=${./dummy.crt}"; + + # Fixup broken libtool and pkg-config files + preFixup = lib.optionalString (!isDarwin) '' + sed ${lib.optionalString tpmSupport "-e 's,-ltspi,-L${trousers}/lib -ltspi,'"} \ + -e 's,-lz,-L${zlib.out}/lib -lz,' \ + -e 's,-L${gmp.dev}/lib,-L${gmp.out}/lib,' \ + -e 's,-lgmp,-L${gmp.out}/lib -lgmp,' \ + -i $out/lib/*.la "$dev/lib/pkgconfig/gnutls.pc" + '' + '' + # It seems only useful for static linking but basically noone does that. + substituteInPlace "$out/lib/libgnutls.la" \ + --replace "-lunistring" "" + ''; + + passthru.tests = { + inherit ngtcp2-gnutls curlWithGnuTls ffmpeg emacs qemu knot-resolver samba openconnect; + inherit (ocamlPackages) ocamlnet; + haskell-gnutls = haskellPackages.gnutls; + python3-gnutls = python3Packages.python3-gnutls; + rsyslog = rsyslog.override { withGnutls = true; }; + }; + + meta = with lib; { + description = "The GNU Transport Layer Security Library"; + + longDescription = '' + GnuTLS is a project that aims to develop a library which + provides a secure layer, over a reliable transport + layer. Currently the GnuTLS library implements the proposed standards by + the IETF's TLS working group. + + Quoting from the TLS protocol specification: + + "The TLS protocol provides communications privacy over the + Internet. The protocol allows client/server applications to + communicate in a way that is designed to prevent eavesdropping, + tampering, or message forgery." + ''; + + homepage = "https://gnutls.org/"; + license = licenses.lgpl21Plus; + maintainers = with maintainers; [ vcunat ]; + platforms = platforms.all; + }; +} diff --git a/nixpkgs/pkgs/development/libraries/gnutls/dummy.crt b/nixpkgs/pkgs/development/libraries/gnutls/dummy.crt new file mode 100644 index 000000000000..77300f6376b2 --- /dev/null +++ b/nixpkgs/pkgs/development/libraries/gnutls/dummy.crt 
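Review bot: `config`, `autoconf` and `automake` are accepted in the argument set at the top of the hunk but are never referenced again in the file; `nativeBuildInputs` holds only `perl pkg-config texinfo` plus the check-time tools, so the two autotools inputs are dead arguments unless a reconfigure step was intended. Either drop the three unused names from the argument set or add `autoconf automake` to `nativeBuildInputs` if the source is meant to be regenerated. Separately, `hardeningDisable = [ "trivialautovarinit" ];` carries no rationale; a one-line comment such as `# trivialautovarinit: TODO record the build or test failure that requires disabling it` would keep the next maintainer from silently re-enabling the hardening flag.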
@@ -0,0 +1,45 @@
+ACCVRAIZ1
+-----BEGIN CERTIFICATE-----
+MIIH0zCCBbugAwIBAgIIXsO3pkN/pOAwDQYJKoZIhvcNAQEFBQAwQjESMBAGA1UE
+AwwJQUNDVlJBSVoxMRAwDgYDVQQLDAdQS0lBQ0NWMQ0wCwYDVQQKDARBQ0NWMQsw
+CQYDVQQGEwJFUzAeFw0xMTA1MDUwOTM3MzdaFw0zMDEyMzEwOTM3MzdaMEIxEjAQ
+BgNVBAMMCUFDQ1ZSQUlaMTEQMA4GA1UECwwHUEtJQUNDVjENMAsGA1UECgwEQUND
+VjELMAkGA1UEBhMCRVMwggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoICAQCb
+qau/YUqXry+XZpp0X9DZlv3P4uRm7x8fRzPCRKPfmt4ftVTdFXxpNRFvu8gMjmoY
+HtiP2Ra8EEg2XPBjs5BaXCQ316PWywlxufEBcoSwfdtNgM3802/J+Nq2DoLSRYWo
+G2ioPej0RGy9ocLLA76MPhMAhN9KSMDjIgro6TenGEyxCQ0jVn8ETdkXhBilyNpA
+lHPrzg5XPAOBOp0KoVdDaaxXbXmQeOW1tDvYvEyNKKGno6e6Ak4l0Squ7a4DIrhr
+IA8wKFSVf+DuzgpmndFALW4ir50awQUZ0m/A8p/4e7MCQvtQqR0tkw8jq8bBD5L/
+0KIV9VMJcRz/RROE5iZe+OCIHAr8Fraocwa48GOEAqDGWuzndN9wrqODJerWx5eH
+k6fGioozl2A3ED6XPm4pFdahD9GILBKfb6qkxkLrQaLjlUPTAYVtjrs78yM2x/47
+4KElB0iryYl0/wiPgL/AlmXz7uxLaL2diMMxs0Dx6M/2OLuc5NF/1OVYm3z61PMO
+m3WR5LpSLhl+0fXNWhn8ugb2+1KoS5kE3fj5tItQo05iifCHJPqDQsGH+tUtKSpa
+cXpkatcnYGMN285J9Y0fkIkyF/hzQ7jSWpOGYdbhdQrqeWZ2iE9x6wQl1gpaepPl
+uUsXQA+xtrn13k/c4LOsOxFwYIRKQ26ZIMApcQrAZQIDAQABo4ICyzCCAscwfQYI
+KwYBBQUHAQEEcTBvMEwGCCsGAQUFBzAChkBodHRwOi8vd3d3LmFjY3YuZXMvZmls
+ZWFkbWluL0FyY2hpdm9zL2NlcnRpZmljYWRvcy9yYWl6YWNjdjEuY3J0MB8GCCsG
+AQUFBzABhhNodHRwOi8vb2NzcC5hY2N2LmVzMB0GA1UdDgQWBBTSh7Tj3zcnk1X2
+VuqB5TbMjB4/vTAPBgNVHRMBAf8EBTADAQH/MB8GA1UdIwQYMBaAFNKHtOPfNyeT
+VfZW6oHlNsyMHj+9MIIBcwYDVR0gBIIBajCCAWYwggFiBgRVHSAAMIIBWDCCASIG
+CCsGAQUFBwICMIIBFB6CARAAQQB1AHQAbwByAGkAZABhAGQAIABkAGUAIABDAGUA
+cgB0AGkAZgBpAGMAYQBjAGkA8wBuACAAUgBhAO0AegAgAGQAZQAgAGwAYQAgAEEA
+QwBDAFYAIAAoAEEAZwBlAG4AYwBpAGEAIABkAGUAIABUAGUAYwBuAG8AbABvAGcA
+7QBhACAAeQAgAEMAZQByAHQAaQBmAGkAYwBhAGMAaQDzAG4AIABFAGwAZQBjAHQA
+cgDzAG4AaQBjAGEALAAgAEMASQBGACAAUQA0ADYAMAAxADEANQA2AEUAKQAuACAA
+QwBQAFMAIABlAG4AIABoAHQAdABwADoALwAvAHcAdwB3AC4AYQBjAGMAdgAuAGUA
+czAwBggrBgEFBQcCARYkaHR0cDovL3d3dy5hY2N2LmVzL2xlZ2lzbGFjaW9uX2Mu
+aHRtMFUGA1UdHwROMEwwSqBIoEaGRGh0dHA6Ly93d3cuYWNjdi5lcy9maWxlYWRt
+aW4vQXJjaGl2b3MvY2VydGlmaWNhZG9zL3JhaXphY2N2MV9kZXIuY3JsMA4GA1Ud
+DwEB/wQEAwIBBjAXBgNVHREEEDAOgQxhY2N2QGFjY3YuZXMwDQYJKoZIhvcNAQEF
+BQADggIBAJcxAp/n/UNnSEQU5CmH7UwoZtCPNdpNYbdKl02125DgBS4OxnnQ8pdp
+D70ER9m+27Up2pvZrqmZ1dM8MJP1jaGo/AaNRPTKFpV8M9xii6g3+CfYCS0b78gU
+JyCpZET/LtZ1qmxNYEAZSUNUY9rizLpm5U9EelvZaoErQNV/+QEnWCzI7UiRfD+m
+AM/EKXMRNt6GGT6d7hmKG9Ww7Y49nCrADdg9ZuM8Db3VlFzi4qc1GwQA9j9ajepD
+vV+JHanBsMyZ4k0ACtrJJ1vnE5Bc5PUzolVt3OAJTS+xJlsndQAJxGJ3KQhfnlms
+tn6tn1QwIgPBHnFk/vk4CpYY3QIUrCPLBhwepH2NDd4nQeit2hW3sCPdK6jT2iWH
+7ehVRE2I9DZ+hJp4rPcOVkkO1jMl1oRQQmwgEh0q1b688nCBpHBgvgW1m54ERL5h
+I6zppSSMEYCUWqKiuUnSwdzRp+0xESyeGabu4VXhwOrPDYTkF7eifKXeVSUG7szA
+h1xA2syVP1XgNce4hL60Xc16gwFy7ofmXx2utYXGJt/mwZrpHgJHnyqobalbz+xF
+d3+YJ5oyXSrjhO7FmGYvliAd3djDJ9ew+f7Zfc3Qn48LFFhRny+Lwzgt3uiP1o2H
+pPVWQxaZLPSkVrQ0uGE3ycJYgBugl6H8WY3pEfbRD0tVNEYqi4Y7
+-----END CERTIFICATE-----
diff --git a/nixpkgs/pkgs/development/libraries/gnutls/nix-ssl-cert-file.patch b/nixpkgs/pkgs/development/libraries/gnutls/nix-ssl-cert-file.patch
new file mode 100644
index 000000000000..c0f27f7b5a45
--- /dev/null
+++ b/nixpkgs/pkgs/development/libraries/gnutls/nix-ssl-cert-file.patch
@@ -0,0 +1,17 @@
+allow overriding system trust store location via $NIX_SSL_CERT_FILE
+
+--- a/lib/system/certs.c
++++ b/lib/system/certs.c
+@@ -404,6 +404,10 @@ gnutls_x509_trust_list_add_system_trust(gnutls_x509_trust_list_t list,
+ unsigned int tl_flags,
+ unsigned int tl_vflags)
+ {
+- return add_system_trust(list, tl_flags | GNUTLS_TL_NO_DUPLICATES,
+- tl_vflags);
++ tl_flags = tl_flags|GNUTLS_TL_NO_DUPLICATES;
++ const char *file = secure_getenv("NIX_SSL_CERT_FILE");
++ return file
++ ? gnutls_x509_trust_list_add_trust_file(
++ list, file, NULL/*CRL*/, GNUTLS_X509_FMT_PEM, tl_flags, tl_vflags)
++ : add_system_trust(list, tl_flags, tl_vflags);
+ }
|
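Review bot: The one-line header of the patch does not document that `NIX_SSL_CERT_FILE` replaces the built-in trust store rather than extending it: when the variable is set, `add_system_trust` is never called, so neither the trust-store file nor the `pkcs11:` store configured in default.nix is consulted, and an unreadable or empty file leaves the list with no anchors instead of falling back (the `/no-cert-file.crt` remark in default.nix relies on exactly this). That is presumably intended, so I would extend the header to state that the variable overrides, not augments, the system store, and that an empty or missing file yields an empty trust list. The header should also record that `secure_getenv` is deliberate, since it returns NULL in set-user-ID processes and keeps the override from being honoured there; a later change to plain `getenv` would silently lose that property. The enclosing function's declaration starts above the hunk.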