authorDaiderd Jordan <daiderd@gmail.com>2019-03-31 11:59:16 +0200
committerDaiderd Jordan <daiderd@gmail.com>2019-04-22 16:43:28 +0200
commit33e7d721b6400aefacf1e138380836accc376229 (patch)
tree6ca4b867d47e8c7f0bf15c39c67a41b82145e71d /pkgs/development/libraries/gnutls
parenta6a88bffd58ca40ac528dd4886110a20acae3967 (diff)
gnutls: remove 3.5.10
Nix packages are expected to honor NIX_SSL_CERT_FILE and this removes the
dependency on the framework while bootstrapping the stdenv.
(+ nitpick changes from vcunat)

The patch is based on https://gitlab.com/gnutls/gnutls/commit/c0eb46d3463cd21b3f822ac377ff37f067f66b8d
Diffstat (limited to 'pkgs/development/libraries/gnutls')
-rw-r--r--pkgs/development/libraries/gnutls/3.5.10.nix10
-rw-r--r--pkgs/development/libraries/gnutls/3.6.nix22
-rw-r--r--pkgs/development/libraries/gnutls/default.nix (renamed from pkgs/development/libraries/gnutls/generic.nix)51
-rw-r--r--pkgs/development/libraries/gnutls/no-security-framework.patch126
4 files changed, 161 insertions, 48 deletions
diff --git a/pkgs/development/libraries/gnutls/3.5.10.nix b/pkgs/development/libraries/gnutls/3.5.10.nix
deleted file mode 100644
index a44e2b04ed7..00000000000
--- a/pkgs/development/libraries/gnutls/3.5.10.nix
+++ /dev/null
@@ -1,10 +0,0 @@
-{ callPackage, fetchurl, libunistring, ... } @ args:
-
-callPackage ./generic.nix (args // rec {
-  version = "3.5.10";
-
-  src = fetchurl {
-    url = "mirror://gnupg/gnutls/v3.5/gnutls-${version}.tar.xz";
-    sha256 = "17apwvdkkazh5w8z8mbanpj2yj8s2002qwy46wz4v3akpa33wi5g";
-  };
-})
diff --git a/pkgs/development/libraries/gnutls/3.6.nix b/pkgs/development/libraries/gnutls/3.6.nix
deleted file mode 100644
index b05624ee0b2..00000000000
--- a/pkgs/development/libraries/gnutls/3.6.nix
+++ /dev/null
@@ -1,22 +0,0 @@
-{ callPackage, fetchurl, ... } @ args:
-
-callPackage ./generic.nix (args // rec {
-  version = "3.6.7";
-
-  src = fetchurl {
-    url = "mirror://gnupg/gnutls/v3.6/gnutls-${version}.tar.xz";
-    sha256 = "1ql8l6l5bxks2pgpwb1602zc0j6ivhpy27hdfc49h8xgbanhjd2v";
-  };
-
-  # Skip some tests:
-  #  - pkgconfig: building against the result won't work before installing (3.5.11)
-  #  - fastopen: no idea; it broke between 3.6.2 and 3.6.3 (3437fdde6 in particular)
-  #  - trust-store: default trust store path (/etc/ssl/...) is missing in sandbox (3.5.11)
-  #  - psk-file: no idea; it broke between 3.6.3 and 3.6.4
-  # Change p11-kit test to use pkg-config to find p11-kit
-  postPatch = ''
-    sed '2iexit 77' -i tests/{pkgconfig,fastopen}.sh
-    sed '/^void doit(void)/,/^{/ s/{/{ exit(77);/' -i tests/{trust-store,psk-file}.c
-    sed 's:/usr/lib64/pkcs11/ /usr/lib/pkcs11/ /usr/lib/x86_64-linux-gnu/pkcs11/:`pkg-config --variable=p11_module_path p11-kit-1`:' -i tests/p11-kit-trust.sh
-  '';
-})
diff --git a/pkgs/development/libraries/gnutls/generic.nix b/pkgs/development/libraries/gnutls/default.nix
index 086c0560cc4..b0ddbbee30c 100644
--- a/pkgs/development/libraries/gnutls/generic.nix
+++ b/pkgs/development/libraries/gnutls/default.nix
@@ -1,33 +1,51 @@
-{ config, lib, stdenv, zlib, lzo, libtasn1, nettle, pkgconfig, lzip
-, perl, gmp, autogen, libidn, p11-kit, libiconv
+{ config, lib, stdenv, fetchurl, zlib, lzo, libtasn1, nettle, pkgconfig, lzip
+, perl, gmp, autoconf, autogen, automake, libidn, p11-kit, libiconv
+, unbound, dns-root-data, gettext
 , guileBindings ? config.gnutls.guile or false, guile
 , tpmSupport ? false, trousers, which, nettools, libunistring
-, unbound, dns-root-data, gettext
-
-# Version dependent args
-, version, src, patches ? [], postPatch ? "", nativeBuildInputs ? []
-, buildInputs ? []
-, ...}:
+, withSecurity ? false, Security  # darwin Security.framework
+}:
 
 assert guileBindings -> guile != null;
 let
+  version = "3.6.7";
+
   # XXX: Gnulib's `test-select' fails on FreeBSD:
   # http://hydra.nixos.org/build/2962084/nixlog/1/raw .
   doCheck = !stdenv.isFreeBSD && !stdenv.isDarwin && lib.versionAtLeast version "3.4"
       && stdenv.buildPlatform == stdenv.hostPlatform;
+
+  inherit (stdenv.hostPlatform) isDarwin;
 in
+
 stdenv.mkDerivation {
   name = "gnutls-${version}";
+  inherit version;
 
-  inherit src patches;
+  src = fetchurl {
+    url = "mirror://gnupg/gnutls/v3.6/gnutls-${version}.tar.xz";
+    sha256 = "1ql8l6l5bxks2pgpwb1602zc0j6ivhpy27hdfc49h8xgbanhjd2v";
+  };
 
   outputs = [ "bin" "dev" "out" "man" "devdoc" ];
   outputInfo = "devdoc";
 
+  # Disable native add_system_trust.
+  patches = lib.optional (isDarwin && !withSecurity) ./no-security-framework.patch;
+
+  # Skip some tests:
+  #  - pkgconfig: building against the result won't work before installing (3.5.11)
+  #  - fastopen: no idea; it broke between 3.6.2 and 3.6.3 (3437fdde6 in particular)
+  #  - trust-store: default trust store path (/etc/ssl/...) is missing in sandbox (3.5.11)
+  #  - psk-file: no idea; it broke between 3.6.3 and 3.6.4
+  # Change p11-kit test to use pkg-config to find p11-kit
   postPatch = lib.optionalString (lib.versionAtLeast version "3.4") ''
-    sed '2iecho "name constraints tests skipped due to datefudge problems"\nexit 0' \
-      -i tests/cert-tests/name-constraints
-  '' + postPatch;
+    sed '2iecho "name constraints tests skipped due to datefudge problems"\nexit 0' -i tests/cert-tests/name-constraints
+  '' + lib.optionalString (lib.versionAtLeast version "3.6") ''
+    sed '2iexit 77' -i tests/{pkgconfig,fastopen}.sh
+    sed '/^void doit(void)/,/^{/ s/{/{ exit(77);/' -i tests/{trust-store,psk-file}.c
+    sed 's:/usr/lib64/pkcs11/ /usr/lib/pkcs11/ /usr/lib/x86_64-linux-gnu/pkcs11/:`pkg-config --variable=p11_module_path p11-kit-1`:' -i tests/p11-kit-trust.sh
+  '';
 
   preConfigure = "patchShebangs .";
   configureFlags =
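Review bot: The comment on the new `patches` line (`# Disable native add_system_trust.`) understates what the default `withSecurity ? false` means for trust on Darwin: with the keychain backend reverted, `gnutls_x509_trust_list_add_system_trust` falls through to whichever file/PKCS#11 backend configure selects, or to `GNUTLS_E_UNIMPLEMENTED_FEATURE` if none, so a Nix-built gnutls on macOS has no system CA source unless a default trust store is configured and callers must supply CAs themselves (the NIX_SSL_CERT_FILE convention the commit message refers to). Suggest expanding it to `# Drop the macOS keychain backend of add_system_trust: without Security.framework the only` / `# system trust source is the configured default trust store, so consumers must supply a CA bundle.` Whether `configureFlags` passes `--with-default-trust-store-file` cannot be seen here, since its definition starts at the end of the hunk. Separately, now that `version` is fixed to "3.6.7" in this file, the `lib.versionAtLeast version "3.4"` and `"3.6"` guards on `doCheck` and `postPatch` are always true and could be dropped, and `doCheck` still spells `stdenv.isDarwin` while the newly introduced `isDarwin` binding is used elsewhere.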
@@ -42,11 +60,12 @@ stdenv.mkDerivation {
   enableParallelBuilding = true;
 
   buildInputs = [ lzo lzip libtasn1 libidn p11-kit zlib gmp autogen libunistring unbound gettext libiconv ]
+    ++ lib.optional (isDarwin && withSecurity) Security
     ++ lib.optional (tpmSupport && stdenv.isLinux) trousers
-    ++ lib.optional guileBindings guile
-    ++ buildInputs;
+    ++ lib.optional guileBindings guile;
 
-  nativeBuildInputs = [ perl pkgconfig ] ++ nativeBuildInputs
+  nativeBuildInputs = [ perl pkgconfig ]
+    ++ lib.optionals (isDarwin && !withSecurity) [ autoconf automake ]
     ++ lib.optionals doCheck [ which nettools ];
 
   propagatedBuildInputs = [ nettle ];
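Review bot: The `autoconf`/`automake` addition on the `nativeBuildInputs` line carries no explanation, and nothing in view runs them: the Darwin patch edits `configure.ac` and `lib/Makefile.am`, but `preConfigure` is only `patchShebangs .` and no `autoreconfHook` is listed. Presumably the build relies on automake's rebuild rules regenerating `configure` and `Makefile.in` because they are older than the patched sources, which hinges on file timestamps after patching; if so that is worth stating, e.g. `# no-security-framework.patch touches configure.ac/Makefile.am; make's rebuild rules regenerate them, so the autotools must be on PATH`. If regeneration does not happen, the patch's build-system hunks are silently ignored and `-framework Security` is still linked, so a check that the produced libgnutls does not reference Security.framework (e.g. an `otool -L` assertion in an install-check step) would make the intent verifiable rather than assumed. The `stdenv.mkDerivation` attribute set continues outside the hunk.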
@@ -54,7 +73,7 @@ stdenv.mkDerivation {
   inherit doCheck;
 
   # Fixup broken libtool and pkgconfig files
-  preFixup = lib.optionalString (!stdenv.isDarwin) ''
+  preFixup = lib.optionalString (!isDarwin) ''
     sed ${lib.optionalString tpmSupport "-e 's,-ltspi,-L${trousers}/lib -ltspi,'"} \
         -e 's,-lz,-L${zlib.out}/lib -lz,' \
         -e 's,-L${gmp.dev}/lib,-L${gmp.out}/lib,' \
diff --git a/pkgs/development/libraries/gnutls/no-security-framework.patch b/pkgs/development/libraries/gnutls/no-security-framework.patch
new file mode 100644
index 00000000000..7f5808e5053
--- /dev/null
+++ b/pkgs/development/libraries/gnutls/no-security-framework.patch
@@ -0,0 +1,126 @@
+commit 9bcdde1ab9cdff6a4471f9a926dd488ab70c7247
+Author: Daiderd Jordan <daiderd@gmail.com>
+Date:   Mon Apr 22 16:38:27 2019 +0200
+
+    Revert "gnutls_x509_trust_list_add_system_trust: Add macOS keychain support"
+    
+    This reverts commit c0eb46d3463cd21b3f822ac377ff37f067f66b8d.
+
+diff --git a/configure.ac b/configure.ac
+index 8ad597bfd..8d14f26cd 100644
+--- a/configure.ac
++++ b/configure.ac
+@@ -781,7 +781,7 @@ dnl auto detect https://lists.gnu.org/archive/html/help-gnutls/2012-05/msg00004.
+ AC_ARG_WITH([default-trust-store-file],
+   [AS_HELP_STRING([--with-default-trust-store-file=FILE],
+     [use the given file default trust store])], with_default_trust_store_file="$withval",
+-  [if test "$build" = "$host" && test x$with_default_trust_store_pkcs11 = x && test x$with_default_trust_store_dir = x && test x$have_macosx = x;then
++  [if test "$build" = "$host" && test x$with_default_trust_store_pkcs11 = x && test x$with_default_trust_store_dir = x;then
+   for i in \
+     /etc/ssl/ca-bundle.pem \
+     /etc/ssl/certs/ca-certificates.crt \
+diff --git a/lib/Makefile.am b/lib/Makefile.am
+index fe9cf63a2..745695f7e 100644
+--- a/lib/Makefile.am
++++ b/lib/Makefile.am
+@@ -203,10 +203,6 @@ if WINDOWS
+ thirdparty_libadd += -lcrypt32
+ endif
+ 
+-if MACOSX
+-libgnutls_la_LDFLAGS += -framework Security -framework CoreFoundation
+-endif
+-
+ libgnutls_la_LIBADD += $(thirdparty_libadd)
+ 
+ # C++ library
+diff --git a/lib/system/certs.c b/lib/system/certs.c
+index 611c645e0..912b0aa5e 100644
+--- a/lib/system/certs.c
++++ b/lib/system/certs.c
+@@ -44,12 +44,6 @@
+ # endif
+ #endif
+ 
+-#ifdef __APPLE__
+-# include <CoreFoundation/CoreFoundation.h>
+-# include <Security/Security.h>
+-# include <Availability.h>
+-#endif
+-
+ /* System specific function wrappers for certificate stores.
+  */
+ 
+@@ -276,72 +270,6 @@ int add_system_trust(gnutls_x509_trust_list_t list, unsigned int tl_flags,
+ 
+ 	return r;
+ }
+-#elif defined(__APPLE__) && __MAC_OS_X_VERSION_MIN_REQUIRED >= 1070
+-static
+-int osstatus_error(status)
+-{
+-	CFStringRef err_str = SecCopyErrorMessageString(status, NULL);
+-	_gnutls_debug_log("Error loading system root certificates: %s\n",
+-			  CFStringGetCStringPtr(err_str, kCFStringEncodingUTF8));
+-	CFRelease(err_str);
+-	return GNUTLS_E_FILE_ERROR;
+-}
+-
+-static
+-int add_system_trust(gnutls_x509_trust_list_t list, unsigned int tl_flags,
+-		     unsigned int tl_vflags)
+-{
+-	int r=0;
+-
+-	SecTrustSettingsDomain domain[] = { kSecTrustSettingsDomainUser,
+-					    kSecTrustSettingsDomainAdmin,
+-					    kSecTrustSettingsDomainSystem };
+-	for (size_t d=0; d<sizeof(domain)/sizeof(*domain); d++) {
+-		CFArrayRef certs = NULL;
+-		OSStatus status = SecTrustSettingsCopyCertificates(domain[d],
+-								   &certs);
+-		if (status == errSecNoTrustSettings)
+-			continue;
+-		if (status != errSecSuccess)
+-			return osstatus_error(status);
+-
+-		int cert_count = CFArrayGetCount(certs);
+-		for (int i=0; i<cert_count; i++) {
+-			SecCertificateRef cert =
+-				(void*)CFArrayGetValueAtIndex(certs, i);
+-			CFDataRef der;
+-			status = SecItemExport(cert, kSecFormatX509Cert, 0,
+-					       NULL, &der);
+-			if (status != errSecSuccess) {
+-				CFRelease(der);
+-				CFRelease(certs);
+-				return osstatus_error(status);
+-			}
+-
+-			if (gnutls_x509_trust_list_add_trust_mem(list,
+-								 &(gnutls_datum_t) {
+-									.data = (void*)CFDataGetBytePtr(der),
+-									.size = CFDataGetLength(der),
+-								 },
+-								 NULL,
+-			                                         GNUTLS_X509_FMT_DER,
+-								 tl_flags,
+-								 tl_vflags) > 0)
+-				r++;
+-			CFRelease(der);
+-		}
+-		CFRelease(certs);
+-	}
+-
+-#ifdef DEFAULT_BLACKLIST_FILE
+-	ret = gnutls_x509_trust_list_remove_trust_file(list, DEFAULT_BLACKLIST_FILE, GNUTLS_X509_FMT_PEM);
+-	if (ret < 0) {
+-		_gnutls_debug_log("Could not load blacklist file '%s'\n", DEFAULT_BLACKLIST_FILE);
+-	}
+-#endif
+-
+-	return r;
+-}
+ #else
+ 
+ #define add_system_trust(x,y,z) GNUTLS_E_UNIMPLEMENTED_FEATURE