diff options
Diffstat (limited to 'nixpkgs/pkgs/development/libraries/gnutls')
4 files changed, 320 insertions, 0 deletions
diff --git a/nixpkgs/pkgs/development/libraries/gnutls/default.nix b/nixpkgs/pkgs/development/libraries/gnutls/default.nix new file mode 100644 index 000000000000..21e818de8675 --- /dev/null +++ b/nixpkgs/pkgs/development/libraries/gnutls/default.nix @@ -0,0 +1,130 @@ +{ config, lib, stdenv, fetchurl, zlib, lzo, libtasn1, nettle, pkg-config, lzip +, perl, gmp, autoconf, automake, libidn2, libiconv +, unbound, dns-root-data, gettext, util-linux +, cxxBindings ? !stdenv.hostPlatform.isStatic # tries to link libstdc++.so +, guileBindings ? config.gnutls.guile or false, guile +, tpmSupport ? false, trousers, which, nettools, libunistring +, withP11-kit ? !stdenv.hostPlatform.isStatic, p11-kit +, withSecurity ? true, Security # darwin Security.framework +# certificate compression - only zlib now, more possible: zstd, brotli +}: + +assert guileBindings -> guile != null; +let + + # XXX: Gnulib's `test-select' fails on FreeBSD: + # https://hydra.nixos.org/build/2962084/nixlog/1/raw . + doCheck = !stdenv.isFreeBSD && !stdenv.isDarwin + && stdenv.buildPlatform == stdenv.hostPlatform; + + inherit (stdenv.hostPlatform) isDarwin; +in + +stdenv.mkDerivation rec { + pname = "gnutls"; + version = "3.7.6"; + + src = fetchurl { + url = "mirror://gnupg/gnutls/v${lib.versions.majorMinor version}/gnutls-${version}.tar.xz"; + sha256 = "1zv2097v9f6f4c66q7yn3c6gggjk9jz38095ma7v3gs5lccmf1kp"; + }; + + outputs = [ "bin" "dev" "out" "man" "devdoc" ]; + # Not normally useful docs. + outputInfo = "devdoc"; + outputDoc = "devdoc"; + + patches = [ ./nix-ssl-cert-file.patch ] + # Disable native add_system_trust. + # FIXME: apparently it's not enough to drop the framework anymore; maybe related to + # https://gitlab.com/gnutls/gnutls/-/commit/c19cb93d492e45141bfef9b926dfeba36003261c + ++ lib.optional (isDarwin && !withSecurity) ./no-security-framework.patch; + + # Skip some tests: + # - pkg-config: building against the result won't work before installing (3.5.11) + # - fastopen: no idea; it broke between 3.6.2 and 3.6.3 (3437fdde6 in particular) + # - trust-store: default trust store path (/etc/ssl/...) is missing in sandbox (3.5.11) + # - psk-file: no idea; it broke between 3.6.3 and 3.6.4 + # Change p11-kit test to use pkg-config to find p11-kit + postPatch = '' + sed '2iexit 77' -i tests/{pkgconfig,fastopen}.sh + sed '/^void doit(void)/,/^{/ s/{/{ exit(77);/' -i tests/{trust-store,psk-file}.c + sed 's:/usr/lib64/pkcs11/ /usr/lib/pkcs11/ /usr/lib/x86_64-linux-gnu/pkcs11/:`pkg-config --variable=p11_module_path p11-kit-1`:' -i tests/p11-kit-trust.sh + '' + lib.optionalString stdenv.hostPlatform.isMusl '' # See https://gitlab.com/gnutls/gnutls/-/issues/945 + sed '2iecho "certtool tests skipped in musl build"\nexit 0' -i tests/cert-tests/certtool.sh + ''; + + preConfigure = "patchShebangs ."; + configureFlags = + lib.optionals withP11-kit [ + "--with-default-trust-store-file=/etc/ssl/certs/ca-certificates.crt" + "--with-default-trust-store-pkcs11=pkcs11:" + ] ++ [ + "--disable-dependency-tracking" + "--enable-fast-install" + "--with-unbound-root-key-file=${dns-root-data}/root.key" + (lib.withFeature withP11-kit "p11-kit") + (lib.enableFeature cxxBindings "cxx") + ] ++ lib.optional guileBindings [ + "--enable-guile" + "--with-guile-site-dir=\${out}/share/guile/site" + "--with-guile-site-ccache-dir=\${out}/share/guile/site" + "--with-guile-extension-dir=\${out}/share/guile/site" + ]; + + enableParallelBuilding = true; + + buildInputs = [ lzo lzip libtasn1 libidn2 zlib gmp libunistring unbound gettext libiconv ] + ++ lib.optional (withP11-kit) p11-kit + ++ lib.optional (tpmSupport && stdenv.isLinux) trousers + ++ lib.optional guileBindings guile; + + nativeBuildInputs = [ perl pkg-config ] + ++ lib.optionals (isDarwin && !withSecurity) [ autoconf automake ] + ++ lib.optionals doCheck [ which nettools util-linux ]; + + propagatedBuildInputs = [ nettle ] + # Builds dynamically linking against gnutls seem to need the framework now. + ++ lib.optional (isDarwin && withSecurity) Security; + + inherit doCheck; + # stdenv's `NIX_SSL_CERT_FILE=/no-cert-file.crt` breaks tests. + # Also empty files won't work, and we want to avoid potentially impure /etc/ + preCheck = "NIX_SSL_CERT_FILE=${./dummy.crt}"; + + # Fixup broken libtool and pkg-config files + preFixup = lib.optionalString (!isDarwin) '' + sed ${lib.optionalString tpmSupport "-e 's,-ltspi,-L${trousers}/lib -ltspi,'"} \ + -e 's,-lz,-L${zlib.out}/lib -lz,' \ + -e 's,-L${gmp.dev}/lib,-L${gmp.out}/lib,' \ + -e 's,-lgmp,-L${gmp.out}/lib -lgmp,' \ + -i $out/lib/*.la "$dev/lib/pkgconfig/gnutls.pc" + '' + '' + # It seems only useful for static linking but basically noone does that. + substituteInPlace "$out/lib/libgnutls.la" \ + --replace "-lunistring" "" + ''; + + meta = with lib; { + description = "The GNU Transport Layer Security Library"; + + longDescription = '' + GnuTLS is a project that aims to develop a library which + provides a secure layer, over a reliable transport + layer. Currently the GnuTLS library implements the proposed standards by + the IETF's TLS working group. + + Quoting from the TLS protocol specification: + + "The TLS protocol provides communications privacy over the + Internet. The protocol allows client/server applications to + communicate in a way that is designed to prevent eavesdropping, + tampering, or message forgery." + ''; + + homepage = "https://gnutls.org/"; + license = licenses.lgpl21Plus; + maintainers = with maintainers; [ vcunat ]; + platforms = platforms.all; + }; +} diff --git a/nixpkgs/pkgs/development/libraries/gnutls/dummy.crt b/nixpkgs/pkgs/development/libraries/gnutls/dummy.crt new file mode 100644 index 000000000000..77300f6376b2 --- /dev/null +++ b/nixpkgs/pkgs/development/libraries/gnutls/dummy.crt @@ -0,0 +1,45 @@ +ACCVRAIZ1 +-----BEGIN CERTIFICATE----- +MIIH0zCCBbugAwIBAgIIXsO3pkN/pOAwDQYJKoZIhvcNAQEFBQAwQjESMBAGA1UE +AwwJQUNDVlJBSVoxMRAwDgYDVQQLDAdQS0lBQ0NWMQ0wCwYDVQQKDARBQ0NWMQsw +CQYDVQQGEwJFUzAeFw0xMTA1MDUwOTM3MzdaFw0zMDEyMzEwOTM3MzdaMEIxEjAQ +BgNVBAMMCUFDQ1ZSQUlaMTEQMA4GA1UECwwHUEtJQUNDVjENMAsGA1UECgwEQUND +VjELMAkGA1UEBhMCRVMwggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoICAQCb +qau/YUqXry+XZpp0X9DZlv3P4uRm7x8fRzPCRKPfmt4ftVTdFXxpNRFvu8gMjmoY +HtiP2Ra8EEg2XPBjs5BaXCQ316PWywlxufEBcoSwfdtNgM3802/J+Nq2DoLSRYWo +G2ioPej0RGy9ocLLA76MPhMAhN9KSMDjIgro6TenGEyxCQ0jVn8ETdkXhBilyNpA +lHPrzg5XPAOBOp0KoVdDaaxXbXmQeOW1tDvYvEyNKKGno6e6Ak4l0Squ7a4DIrhr +IA8wKFSVf+DuzgpmndFALW4ir50awQUZ0m/A8p/4e7MCQvtQqR0tkw8jq8bBD5L/ +0KIV9VMJcRz/RROE5iZe+OCIHAr8Fraocwa48GOEAqDGWuzndN9wrqODJerWx5eH +k6fGioozl2A3ED6XPm4pFdahD9GILBKfb6qkxkLrQaLjlUPTAYVtjrs78yM2x/47 +4KElB0iryYl0/wiPgL/AlmXz7uxLaL2diMMxs0Dx6M/2OLuc5NF/1OVYm3z61PMO +m3WR5LpSLhl+0fXNWhn8ugb2+1KoS5kE3fj5tItQo05iifCHJPqDQsGH+tUtKSpa +cXpkatcnYGMN285J9Y0fkIkyF/hzQ7jSWpOGYdbhdQrqeWZ2iE9x6wQl1gpaepPl +uUsXQA+xtrn13k/c4LOsOxFwYIRKQ26ZIMApcQrAZQIDAQABo4ICyzCCAscwfQYI +KwYBBQUHAQEEcTBvMEwGCCsGAQUFBzAChkBodHRwOi8vd3d3LmFjY3YuZXMvZmls +ZWFkbWluL0FyY2hpdm9zL2NlcnRpZmljYWRvcy9yYWl6YWNjdjEuY3J0MB8GCCsG +AQUFBzABhhNodHRwOi8vb2NzcC5hY2N2LmVzMB0GA1UdDgQWBBTSh7Tj3zcnk1X2 +VuqB5TbMjB4/vTAPBgNVHRMBAf8EBTADAQH/MB8GA1UdIwQYMBaAFNKHtOPfNyeT +VfZW6oHlNsyMHj+9MIIBcwYDVR0gBIIBajCCAWYwggFiBgRVHSAAMIIBWDCCASIG +CCsGAQUFBwICMIIBFB6CARAAQQB1AHQAbwByAGkAZABhAGQAIABkAGUAIABDAGUA +cgB0AGkAZgBpAGMAYQBjAGkA8wBuACAAUgBhAO0AegAgAGQAZQAgAGwAYQAgAEEA +QwBDAFYAIAAoAEEAZwBlAG4AYwBpAGEAIABkAGUAIABUAGUAYwBuAG8AbABvAGcA +7QBhACAAeQAgAEMAZQByAHQAaQBmAGkAYwBhAGMAaQDzAG4AIABFAGwAZQBjAHQA +cgDzAG4AaQBjAGEALAAgAEMASQBGACAAUQA0ADYAMAAxADEANQA2AEUAKQAuACAA +QwBQAFMAIABlAG4AIABoAHQAdABwADoALwAvAHcAdwB3AC4AYQBjAGMAdgAuAGUA +czAwBggrBgEFBQcCARYkaHR0cDovL3d3dy5hY2N2LmVzL2xlZ2lzbGFjaW9uX2Mu +aHRtMFUGA1UdHwROMEwwSqBIoEaGRGh0dHA6Ly93d3cuYWNjdi5lcy9maWxlYWRt +aW4vQXJjaGl2b3MvY2VydGlmaWNhZG9zL3JhaXphY2N2MV9kZXIuY3JsMA4GA1Ud +DwEB/wQEAwIBBjAXBgNVHREEEDAOgQxhY2N2QGFjY3YuZXMwDQYJKoZIhvcNAQEF +BQADggIBAJcxAp/n/UNnSEQU5CmH7UwoZtCPNdpNYbdKl02125DgBS4OxnnQ8pdp +D70ER9m+27Up2pvZrqmZ1dM8MJP1jaGo/AaNRPTKFpV8M9xii6g3+CfYCS0b78gU +JyCpZET/LtZ1qmxNYEAZSUNUY9rizLpm5U9EelvZaoErQNV/+QEnWCzI7UiRfD+m +AM/EKXMRNt6GGT6d7hmKG9Ww7Y49nCrADdg9ZuM8Db3VlFzi4qc1GwQA9j9ajepD +vV+JHanBsMyZ4k0ACtrJJ1vnE5Bc5PUzolVt3OAJTS+xJlsndQAJxGJ3KQhfnlms +tn6tn1QwIgPBHnFk/vk4CpYY3QIUrCPLBhwepH2NDd4nQeit2hW3sCPdK6jT2iWH +7ehVRE2I9DZ+hJp4rPcOVkkO1jMl1oRQQmwgEh0q1b688nCBpHBgvgW1m54ERL5h +I6zppSSMEYCUWqKiuUnSwdzRp+0xESyeGabu4VXhwOrPDYTkF7eifKXeVSUG7szA +h1xA2syVP1XgNce4hL60Xc16gwFy7ofmXx2utYXGJt/mwZrpHgJHnyqobalbz+xF +d3+YJ5oyXSrjhO7FmGYvliAd3djDJ9ew+f7Zfc3Qn48LFFhRny+Lwzgt3uiP1o2H +pPVWQxaZLPSkVrQ0uGE3ycJYgBugl6H8WY3pEfbRD0tVNEYqi4Y7 +-----END CERTIFICATE----- diff --git a/nixpkgs/pkgs/development/libraries/gnutls/nix-ssl-cert-file.patch b/nixpkgs/pkgs/development/libraries/gnutls/nix-ssl-cert-file.patch new file mode 100644 index 000000000000..90d1e85ee8c0 --- /dev/null +++ b/nixpkgs/pkgs/development/libraries/gnutls/nix-ssl-cert-file.patch @@ -0,0 +1,19 @@ +allow overriding system trust store location via $NIX_SSL_CERT_FILE + +diff --git a/lib/system/certs.c b/lib/system/certs.c +index 611c645..6ef6edb 100644 +--- a/lib/system/certs.c ++++ b/lib/system/certs.c +@@ -369,6 +369,11 @@ gnutls_x509_trust_list_add_system_trust(gnutls_x509_trust_list_t list, + unsigned int tl_flags, + unsigned int tl_vflags) + { +- return add_system_trust(list, tl_flags|GNUTLS_TL_NO_DUPLICATES, tl_vflags); ++ tl_flags = tl_flags|GNUTLS_TL_NO_DUPLICATES; ++ const char *file = secure_getenv("NIX_SSL_CERT_FILE"); ++ return file ++ ? gnutls_x509_trust_list_add_trust_file( ++ list, file, NULL/*CRL*/, GNUTLS_X509_FMT_PEM, tl_flags, tl_vflags) ++ : add_system_trust(list, tl_flags, tl_vflags); + } + diff --git a/nixpkgs/pkgs/development/libraries/gnutls/no-security-framework.patch b/nixpkgs/pkgs/development/libraries/gnutls/no-security-framework.patch new file mode 100644 index 000000000000..7f5808e50535 --- /dev/null +++ b/nixpkgs/pkgs/development/libraries/gnutls/no-security-framework.patch @@ -0,0 +1,126 @@ +commit 9bcdde1ab9cdff6a4471f9a926dd488ab70c7247 +Author: Daiderd Jordan <daiderd@gmail.com> +Date: Mon Apr 22 16:38:27 2019 +0200 + + Revert "gnutls_x509_trust_list_add_system_trust: Add macOS keychain support" + + This reverts commit c0eb46d3463cd21b3f822ac377ff37f067f66b8d. + +diff --git a/configure.ac b/configure.ac +index 8ad597bfd..8d14f26cd 100644 +--- a/configure.ac ++++ b/configure.ac +@@ -781,7 +781,7 @@ dnl auto detect https://lists.gnu.org/archive/html/help-gnutls/2012-05/msg00004. + AC_ARG_WITH([default-trust-store-file], + [AS_HELP_STRING([--with-default-trust-store-file=FILE], + [use the given file default trust store])], with_default_trust_store_file="$withval", +- [if test "$build" = "$host" && test x$with_default_trust_store_pkcs11 = x && test x$with_default_trust_store_dir = x && test x$have_macosx = x;then ++ [if test "$build" = "$host" && test x$with_default_trust_store_pkcs11 = x && test x$with_default_trust_store_dir = x;then + for i in \ + /etc/ssl/ca-bundle.pem \ + /etc/ssl/certs/ca-certificates.crt \ +diff --git a/lib/Makefile.am b/lib/Makefile.am +index fe9cf63a2..745695f7e 100644 +--- a/lib/Makefile.am ++++ b/lib/Makefile.am +@@ -203,10 +203,6 @@ if WINDOWS + thirdparty_libadd += -lcrypt32 + endif + +-if MACOSX +-libgnutls_la_LDFLAGS += -framework Security -framework CoreFoundation +-endif +- + libgnutls_la_LIBADD += $(thirdparty_libadd) + + # C++ library +diff --git a/lib/system/certs.c b/lib/system/certs.c +index 611c645e0..912b0aa5e 100644 +--- a/lib/system/certs.c ++++ b/lib/system/certs.c +@@ -44,12 +44,6 @@ + # endif + #endif + +-#ifdef __APPLE__ +-# include <CoreFoundation/CoreFoundation.h> +-# include <Security/Security.h> +-# include <Availability.h> +-#endif +- + /* System specific function wrappers for certificate stores. + */ + +@@ -276,72 +270,6 @@ int add_system_trust(gnutls_x509_trust_list_t list, unsigned int tl_flags, + + return r; + } +-#elif defined(__APPLE__) && __MAC_OS_X_VERSION_MIN_REQUIRED >= 1070 +-static +-int osstatus_error(status) +-{ +- CFStringRef err_str = SecCopyErrorMessageString(status, NULL); +- _gnutls_debug_log("Error loading system root certificates: %s\n", +- CFStringGetCStringPtr(err_str, kCFStringEncodingUTF8)); +- CFRelease(err_str); +- return GNUTLS_E_FILE_ERROR; +-} +- +-static +-int add_system_trust(gnutls_x509_trust_list_t list, unsigned int tl_flags, +- unsigned int tl_vflags) +-{ +- int r=0; +- +- SecTrustSettingsDomain domain[] = { kSecTrustSettingsDomainUser, +- kSecTrustSettingsDomainAdmin, +- kSecTrustSettingsDomainSystem }; +- for (size_t d=0; d<sizeof(domain)/sizeof(*domain); d++) { +- CFArrayRef certs = NULL; +- OSStatus status = SecTrustSettingsCopyCertificates(domain[d], +- &certs); +- if (status == errSecNoTrustSettings) +- continue; +- if (status != errSecSuccess) +- return osstatus_error(status); +- +- int cert_count = CFArrayGetCount(certs); +- for (int i=0; i<cert_count; i++) { +- SecCertificateRef cert = +- (void*)CFArrayGetValueAtIndex(certs, i); +- CFDataRef der; +- status = SecItemExport(cert, kSecFormatX509Cert, 0, +- NULL, &der); +- if (status != errSecSuccess) { +- CFRelease(der); +- CFRelease(certs); +- return osstatus_error(status); +- } +- +- if (gnutls_x509_trust_list_add_trust_mem(list, +- &(gnutls_datum_t) { +- .data = (void*)CFDataGetBytePtr(der), +- .size = CFDataGetLength(der), +- }, +- NULL, +- GNUTLS_X509_FMT_DER, +- tl_flags, +- tl_vflags) > 0) +- r++; +- CFRelease(der); +- } +- CFRelease(certs); +- } +- +-#ifdef DEFAULT_BLACKLIST_FILE +- ret = gnutls_x509_trust_list_remove_trust_file(list, DEFAULT_BLACKLIST_FILE, GNUTLS_X509_FMT_PEM); +- if (ret < 0) { +- _gnutls_debug_log("Could not load blacklist file '%s'\n", DEFAULT_BLACKLIST_FILE); +- } +-#endif +- +- return r; +-} + #else + + #define add_system_trust(x,y,z) GNUTLS_E_UNIMPLEMENTED_FEATURE |