authorVladimír Čunát <vcunat@gmail.com>2016-01-19 09:55:31 +0100
committerVladimír Čunát <vcunat@gmail.com>2016-01-19 09:55:31 +0100
commit716aac2519a7571e7f5fd984a886d579a4a051c5 (patch)
tree53cf89cf764d787f4dc8f08474479892b9733177 /pkgs/tools/security
parentf8472457a440de3c44f6f604142d678b6ae2a762 (diff)
parent53b389327e34de319dc0dbda2b6bcab1a69db69d (diff)
Merge branch 'staging' into closure-size
Diffstat (limited to 'pkgs/tools/security')
-rw-r--r--pkgs/tools/security/eid-mw/default.nix4
-rw-r--r--pkgs/tools/security/muscleframework/default.nix31
-rw-r--r--pkgs/tools/security/muscletool/default.nix20
-rw-r--r--pkgs/tools/security/opensc-dnie-wrapper/default.nix67
-rw-r--r--pkgs/tools/security/pamtester/default.nix20
-rw-r--r--pkgs/tools/security/pass/default.nix2
-rw-r--r--pkgs/tools/security/pinentry-mac/default.nix26
-rw-r--r--pkgs/tools/security/sshuttle/default.nix58
-rw-r--r--pkgs/tools/security/sshuttle/sudo.patch13
-rw-r--r--pkgs/tools/security/sudo/default.nix1
-rw-r--r--pkgs/tools/security/tor/torbrowser.nix17
11 files changed, 88 insertions, 171 deletions
diff --git a/pkgs/tools/security/eid-mw/default.nix b/pkgs/tools/security/eid-mw/default.nix
index eba1bef1870..72524291441 100644
--- a/pkgs/tools/security/eid-mw/default.nix
+++ b/pkgs/tools/security/eid-mw/default.nix
@@ -1,12 +1,12 @@
 { stdenv, fetchFromGitHub, autoreconfHook, gtk3, nssTools, pcsclite
 , pkgconfig }:
 
-let version = "4.1.11"; in
+let version = "4.1.12"; in
 stdenv.mkDerivation {
   name = "eid-mw-${version}";
 
   src = fetchFromGitHub {
-    sha256 = "09rp4x1vg0j4rb2dl74f8a7szqx73saacjz09jkih1sz6vwi0j0w";
+    sha256 = "12nnzh3idnl5bdjqmm8si5nj7yr42mkxhzq70s760bnfmvbqgbmc";
     rev = "v${version}";
     repo = "eid-mw";
     owner = "Fedict";
diff --git a/pkgs/tools/security/muscleframework/default.nix b/pkgs/tools/security/muscleframework/default.nix
deleted file mode 100644
index c1b9dad91ff..00000000000
--- a/pkgs/tools/security/muscleframework/default.nix
+++ /dev/null
@@ -1,31 +0,0 @@
-# The tarball has different plugins in it, and as I don't need all of them,
-# I only build one of those in this derivation
-# This is an arbitrary decision, and this simplicity fit my needs.
-# Anyone can extend the extension to build all the plugins, or to make
-# different derivations for each plugin.
-
-{stdenv, fetchurl, libmusclecard, pkgconfig, pcsclite}:
-stdenv.mkDerivation {
-  name = "muscleframework-mcardplugin-1.1.7";
-
-  src = fetchurl {
-    url = https://alioth.debian.org/frs/download.php/3056/muscleframework-1.1.7.tar.gz;
-    sha256 = "081sq25fa3k1gz0asq2995krx7pzxbfq5vx1ahsd5sbmwnplv94v";
-  };
-
-  preConfigure = ''
-    cd MCardPlugin
-    configureFlags="$configureFlags --enable-muscledropdir=$out/pcsc/services"
-  '';
-
-  buildInputs = [ libmusclecard pkgconfig pcsclite];
-
-  meta = with stdenv.lib; {
-    description = "MUSCLE smart card framework - mcard plugin";
-    homepage = http://muscleplugins.alioth.debian.org/;
-    license = licenses.bsd3;
-    maintainers = with maintainers; [viric];
-    # XXX: don't build before libmusclecard is fixed
-    # platforms = with stdenv.lib.platforms; linux;
-  };
-}
diff --git a/pkgs/tools/security/muscletool/default.nix b/pkgs/tools/security/muscletool/default.nix
deleted file mode 100644
index 34f75609e4f..00000000000
--- a/pkgs/tools/security/muscletool/default.nix
+++ /dev/null
@@ -1,20 +0,0 @@
-{stdenv, fetchurl, libmusclecard, pcsclite, pkgconfig }:
-stdenv.mkDerivation {
-  name = "muscletool-2.1.1";
-
-  src = fetchurl {
-    url = https://alioth.debian.org/frs/download.php/3180/muscletool-2.1.1.tar.bz2;
-    sha256 = "11d812ijvhsaxwkr05hzxfl0n6ji9hwl5j1kv56f9gv8kyy3b9kw";
-  };
-
-  buildInputs = [ libmusclecard pcsclite pkgconfig ];
-
-  meta = with stdenv.lib; {
-    description = "Smart card applications for use with MUSCLE plugins";
-    homepage = http://muscleapps.alioth.debian.org/;
-    license = licenses.bsd3;
-    maintainers = with maintainers; [viric];
-    # XXX: don't build before libmusclecard is fixed
-    # platforms = with stdenv.lib.platforms; linux;
-  };
-}
diff --git a/pkgs/tools/security/opensc-dnie-wrapper/default.nix b/pkgs/tools/security/opensc-dnie-wrapper/default.nix
deleted file mode 100644
index 8003073159a..00000000000
--- a/pkgs/tools/security/opensc-dnie-wrapper/default.nix
+++ /dev/null
@@ -1,67 +0,0 @@
-{stdenv, makeWrapper, ed, libopensc_dnie}:
-
-let
-   opensc = libopensc_dnie.opensc;
-in
-stdenv.mkDerivation rec {
-  name = "${opensc.name}-dnie-wrapper";
-
-  buildInputs = [ makeWrapper ];
-  
-  phases = [ "installPhase" ];
-
-  installPhase = ''
-    mkdir -p $out/etc
-    cp ${opensc}/etc/opensc.conf $out/etc
-    chmod +w $out/etc/opensc.conf
-
-    # NOTE: The libopensc-dnie.so driver requires /usr/bin/pinentry available, to sign
-
-    ${ed}/bin/ed $out/etc/opensc.conf << EOF
-    /card_drivers
-    a
-    card_drivers = dnie;
-    card_driver dnie {
-      module = ${libopensc_dnie}/lib/libopensc-dnie.so;
-    }
-    .
-    w
-    q
-    EOF
-
-    # Disable pkcs15 file caching, otherwise the card does not work
-    sed -i 's/use_caching = true/use_caching = false/' $out/etc/opensc.conf
-
-    for a in ${opensc}/bin/*; do
-      makeWrapper $a $out/bin/`basename $a` \
-        --set OPENSC_CONF $out/etc/opensc.conf
-    done
-
-    # Special wrapper for pkcs11-tool, which needs an additional parameter
-    rm $out/bin/pkcs11-tool
-    makeWrapper ${opensc}/bin/pkcs11-tool $out/bin/pkcs11-tool \
-      --set OPENSC_CONF $out/etc/opensc.conf \
-      --add-flags "--module ${opensc}/lib/opensc-pkcs11.so"
-
-    # Add, as bonus, a wrapper for the firefox in the PATH, that loads the
-    # proper opensc configuration.
-    cat > $out/bin/firefox-dnie << EOF
-    #!${stdenv.shell}
-    export OPENSC_CONF=$out/etc/opensc.conf
-    exec firefox
-    EOF
-    chmod +x $out/bin/firefox-dnie
-  '';
-
-  meta = {
-    description = "Access to the opensc tools and firefox using the Spanish national ID SmartCard";
-    longDescription = ''
-      Opensc needs a special configuration and special drivers to use the SmartCard
-      the Spanish government provides to the citizens as ID card.
-      Some wrapper scripts take care for the proper opensc configuration to be used, in order
-      to access the certificates in the SmartCard through the opensc tools or firefox.
-      Opensc will require a pcscd daemon running, managing the access to the card reader.
-    '';
-    maintainers = with stdenv.lib.maintainers; [viric];
-  };
-}
diff --git a/pkgs/tools/security/pamtester/default.nix b/pkgs/tools/security/pamtester/default.nix
new file mode 100644
index 00000000000..cdafed53408
--- /dev/null
+++ b/pkgs/tools/security/pamtester/default.nix
@@ -0,0 +1,20 @@
+{ stdenv, fetchurl, pam }:
+
+stdenv.mkDerivation rec {
+  name = "pamtester-0.1.2";
+
+  src = fetchurl {
+    url = "mirror://sourceforge/pamtester/${name}.tar.gz";
+    sha256 = "1mdj1wj0adcnx354fs17928yn2xfr1hj5mfraq282dagi873sqw3";
+  };
+
+  buildInputs = [ pam ];
+
+  meta = with stdenv.lib; {
+    description = "Utility program to test the PAM facility.";
+    homepage = http://pamtester.sourceforge.net/;
+    license = licenses.bsd3;
+    platforms = platforms.linux;
+    maintainers = with maintainers; [ abbradar ];
+  };
+}
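Review bot: The `description` in `meta` ends with a period, which the nixpkgs convention for package descriptions asks to leave out: `description = "Utility program to test the PAM facility";`. The source URL is derived from `name`, so a version bump has to update `name` and `sha256` together; a separate `version` attribute would make that clearer.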
diff --git a/pkgs/tools/security/pass/default.nix b/pkgs/tools/security/pass/default.nix
index 3315683967c..03720d6abe1 100644
--- a/pkgs/tools/security/pass/default.nix
+++ b/pkgs/tools/security/pass/default.nix
@@ -25,7 +25,7 @@ stdenv.mkDerivation rec {
 
   meta = with stdenv.lib; {
     description = "Stores, retrieves, generates, and synchronizes passwords securely";
-    homepage    = http://zx2c4.com/projects/password-store/;
+    homepage    = http://www.passwordstore.org/;
     license     = licenses.gpl2Plus;
     maintainers = with maintainers; [ lovek323 the-kenny ];
     platforms   = platforms.unix;
diff --git a/pkgs/tools/security/pinentry-mac/default.nix b/pkgs/tools/security/pinentry-mac/default.nix
new file mode 100644
index 00000000000..faf8c613ea8
--- /dev/null
+++ b/pkgs/tools/security/pinentry-mac/default.nix
@@ -0,0 +1,26 @@
+{ fetchurl, stdenv }:
+
+stdenv.mkDerivation rec {
+  name = "pinentry-mac-0.9.4";
+
+  src = fetchurl {
+    url = "https://github.com/GPGTools/pinentry-mac/archive/v0.9.4.tar.gz";
+    sha256 = "037ebb010377d3a3879ae2a832cefc4513f5c397d7d887d7b86b4e5d9a628271";
+  };
+
+  postPatch = ''
+    substituteInPlace ./Makefile --replace "xcodebuild" "/usr/bin/xcodebuild"
+  '';
+
+  installPhase = ''
+    mkdir -p $out/Applications
+    mv build/Release/pinentry-mac.app $out/Applications
+  '';
+
+  meta = {
+    description = "Pinentry for GPG on Mac";
+    license = stdenv.lib.licenses.gpl2Plus;
+    homepage = "https://github.com/GPGTools/pinentry-mac";
+    platforms = stdenv.lib.platforms.darwin;
+  };
+}
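Review bot: The `postPatch` substitution makes the build run `/usr/bin/xcodebuild` from the host, so the result depends on whatever Xcode toolchain is installed outside the Nix store, and the pinned `sha256` of the source no longer determines the output on its own. That impurity should be stated in the file, for example `# Impure: relies on the host's /usr/bin/xcodebuild, which is outside the Nix store` above `postPatch`. The version string `0.9.4` is also repeated in `name` and `url`; a single `version` attribute would keep the two from drifting apart on an update.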
diff --git a/pkgs/tools/security/sshuttle/default.nix b/pkgs/tools/security/sshuttle/default.nix
index e085bfaaa91..62d3d2613cc 100644
--- a/pkgs/tools/security/sshuttle/default.nix
+++ b/pkgs/tools/security/sshuttle/default.nix
@@ -1,59 +1,33 @@
-{ stdenv, fetchFromGitHub, fetchpatch, makeWrapper, pandoc
-, coreutils, iptables, nettools, openssh, procps,  pythonPackages }:
+{ stdenv, pythonPackages, fetchurl, makeWrapper, pandoc
+, coreutils, iptables, nettools, openssh, procps }:
   
-let version = "0.71"; in
-stdenv.mkDerivation rec {
+pythonPackages.buildPythonPackage rec {
+  version = "0.76";
   name = "sshuttle-${version}";
 
-  src = fetchFromGitHub {
-    sha256 = "0yr8nih97jg6azfj3k7064lfbh3g36l6vwyjlngl4ph6mgcki1cm";
-    rev = name;
-    repo = "sshuttle";
-    owner = "sshuttle";
+  src = fetchurl {
+    sha256 = "1q0hr0vhdvv23cw5dqndsmf61283mvs6b14662ci00xj6zp5v48b";
+    url = "https://pypi.python.org/packages/source/s/sshuttle/${name}.tar.gz";
   };
 
-  patches = [
-    (fetchpatch {
-      sha256 = "1yrjyvdz6k6zk020dmbagf8w49w8vhfbzgfpsq9jqdh2hbykv3m3";
-      url = https://github.com/sshuttle/sshuttle/commit/3cf5002b62650c26a50e18af8d8c5c91d754bab9.patch;
-    })
-    (fetchpatch {
-      sha256 = "091gg28cnmx200q46bcnxpp9ih9p5qlq0r3bxfm0f4qalg8rmp2g";
-      url = https://github.com/sshuttle/sshuttle/commit/d70b5f2b89e593506834cf8ea10785d96c801dfc.patch;
-    })
-    (fetchpatch {
-      sha256 = "17l9h8clqlbyxdkssavxqpb902j7b3yabrrdalybfpkhj69x8ghk";
-      url = https://github.com/sshuttle/sshuttle/commit/a38963301e9c29fbe3232f0a41ea080b642c5ad2.patch;
-    })
-  ];
+  patches = [ ./sudo.patch ];
 
-  nativeBuildInputs = [ makeWrapper pandoc ];
+  propagatedBuildInputs = with pythonPackages; [ PyXAPI mock pytest ];
+  nativeBuildInputs = [ makeWrapper pandoc pythonPackages.setuptools_scm ];
   buildInputs =
-    [ coreutils iptables nettools openssh procps pythonPackages.python ];
-  pythonPaths = with pythonPackages; [ PyXAPI ];
+    [ coreutils openssh ] ++
+    stdenv.lib.optionals stdenv.isLinux [ iptables nettools procps ];
 
-  preConfigure = ''
-    cd src
-  '';
-
-  installPhase = let
+  postInstall = let
     mapPath = f: x: stdenv.lib.concatStringsSep ":" (map f x);
   in ''
-    mkdir -p $out/share/sshuttle
-    cp -R sshuttle *.py compat $out/share/sshuttle
-
-    mkdir -p $out/bin
-    ln -s $out/share/sshuttle/sshuttle $out/bin
-    wrapProgram $out/bin/sshuttle \
-      --prefix PATH : "${mapPath (x: "${x}/bin") buildInputs}" \
-      --prefix PYTHONPATH : "${mapPath (x: "$(toPythonPath ${x})") pythonPaths}"
-
-    install -Dm644 sshuttle.8 $out/share/man/man8/sshuttle.8
+  wrapProgram $out/bin/sshuttle \
+    --prefix PATH : "${mapPath (x: "${x}/bin") buildInputs}" \
   '';
   
   meta = with stdenv.lib; {
     inherit version;
-    inherit (src.meta) homepage;
+    homepage = https://github.com/sshuttle/sshuttle/;
     description = "Transparent proxy server that works as a poor man's VPN";
     longDescription = ''
       Forward connections over SSH, without requiring administrator access to the
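Review bot: `propagatedBuildInputs` now lists `mock` and `pytest` next to `PyXAPI`, which puts what look like test-only packages into the runtime closure of a tool whose firewall helper runs with elevated privileges. If they are only needed by the test suite, the runtime list should be `propagatedBuildInputs = with pythonPackages; [ PyXAPI ];` with the test packages kept as build-time inputs. Since `buildInputs` is also what `mapPath` turns into the wrapper's `PATH`, they would need to stay out of that particular list, e.g. by binding the PATH packages to their own name. The `wrapProgram` call in `postInstall` also ends with a dangling `\` before the closing `''`, which should be dropped. The `meta` block continues outside the hunk.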
diff --git a/pkgs/tools/security/sshuttle/sudo.patch b/pkgs/tools/security/sshuttle/sudo.patch
new file mode 100644
index 00000000000..761bfaef852
--- /dev/null
+++ b/pkgs/tools/security/sshuttle/sudo.patch
@@ -0,0 +1,13 @@
+diff --git a/sshuttle/client.py b/sshuttle/client.py
+index 7a7b6d7..8dde615 100644
+--- a/sshuttle/client.py
++++ b/sshuttle/client.py
+@@ -158,7 +158,7 @@ class FirewallClient:
+     def __init__(self, method_name):
+         self.auto_nets = []
+         python_path = os.path.dirname(os.path.dirname(__file__))
+-        argvbase = ([sys.executable, sys.argv[0]] +
++        argvbase = ([sys.argv[0]] +
+                     ['-v'] * (helpers.verbose or 0) +
+                     ['--method', method_name] +
+                     ['--firewall'])
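Review bot: The patch carries no description of why `sys.executable` is dropped from `argvbase`, and the reason cannot be read from the hunk; presumably the installed `sshuttle` is a wrapper script that the Python interpreter cannot run directly. A header line in the patch such as `Re-execute the wrapped entry point itself instead of passing it to the Python interpreter` would record that. With this change the helper command starts from `sys.argv[0]`, which is whatever path or name the program was invoked with; if that command is later run with elevated privileges (the file name suggests sudo), a relative value would be resolved again at that point, so an absolute path such as `os.path.abspath(sys.argv[0])` is worth considering. `__init__` continues outside the hunk.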
diff --git a/pkgs/tools/security/sudo/default.nix b/pkgs/tools/security/sudo/default.nix
index 6720c737866..df8024e040e 100644
--- a/pkgs/tools/security/sudo/default.nix
+++ b/pkgs/tools/security/sudo/default.nix
@@ -20,6 +20,7 @@ stdenv.mkDerivation rec {
     "--with-rundir=/run/sudo"
     "--with-vardir=/var/db/sudo"
     "--with-logpath=/var/log/sudo.log"
+    "--with-iologdir=/var/log/sudo-io"
     "--with-sendmail=${sendmailPath}"
   ] ++ stdenv.lib.optional withInsults [
     "--with-insults"
diff --git a/pkgs/tools/security/tor/torbrowser.nix b/pkgs/tools/security/tor/torbrowser.nix
index e6ce333cc91..ccfd4ae044d 100644
--- a/pkgs/tools/security/tor/torbrowser.nix
+++ b/pkgs/tools/security/tor/torbrowser.nix
@@ -46,14 +46,15 @@ in stdenv.mkDerivation rec {
     cp -R * $out/share/tor-browser
 
     cat > "$out/bin/tor-browser" << EOF
-      export HOME="\$HOME/.torbrowser4"
-      if [ ! -d \$HOME ]; then
-        mkdir -p \$HOME && cp -R $out/share/tor-browser/Browser/TorBrowser/Data \$HOME/ && chmod -R +w \$HOME
-        echo "pref(\"extensions.torlauncher.tordatadir_path\", \"\$HOME/Data/Tor/\");" >> \
-          ~/Data/Browser/profile.default/preferences/extension-overrides.js
-      fi
-      export LD_LIBRARY_PATH=${ldLibraryPath}:$out/share/tor-browser/Browser/TorBrowser/Tor
-      $out/share/tor-browser/Browser/firefox -no-remote -profile ~/Data/Browser/profile.default "$@"
+    #!${stdenv.shell}
+    export HOME="\$HOME/.torbrowser4"
+    if [ ! -d \$HOME ]; then
+      mkdir -p \$HOME && cp -R $out/share/tor-browser/Browser/TorBrowser/Data \$HOME/ && chmod -R +w \$HOME
+      echo "pref(\"extensions.torlauncher.tordatadir_path\", \"\$HOME/Data/Tor/\");" >> \
+        ~/Data/Browser/profile.default/preferences/extension-overrides.js
+    fi
+    export LD_LIBRARY_PATH=${ldLibraryPath}:$out/share/tor-browser/Browser/TorBrowser/Tor
+    $out/share/tor-browser/Browser/firefox -no-remote -profile ~/Data/Browser/profile.default "$@"
     EOF
     chmod +x $out/bin/tor-browser
   '';
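Review bot: The last line of the generated launcher passes `"$@"` unescaped, while the other runtime variables in the here-document are written as `\$HOME`. Because the delimiter `EOF` is unquoted, the build shell expands `$@` when the file is written, so the installed script most likely never forwards the user's arguments; the line should end in `-profile ~/Data/Browser/profile.default "\$@"`. The `\$HOME` uses in `[ ! -d \$HOME ]` and `mkdir -p \$HOME` also end up unquoted in the generated script and would break on a home directory containing spaces. `installPhase` starts outside the hunk.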