From 33e7d721b6400aefacf1e138380836accc376229 Mon Sep 17 00:00:00 2001
From: Daiderd Jordan
Date: Sun, 31 Mar 2019 11:59:16 +0200
Subject: gnutls: remove 3.5.10
Nix packages are expected to honor NIX_SSL_CERT_FILE and this removes the dependency on the framework while bootstrapping the stdenv. (+ nitpick changes from vcunat) The patch is based on https://gitlab.com/gnutls/gnutls/commit/c0eb46d3463cd21b3f822ac377ff37f067f66b8d
---
 pkgs/development/libraries/gnutls/3.5.10.nix | 10 --
 pkgs/development/libraries/gnutls/3.6.nix | 22 ----
 pkgs/development/libraries/gnutls/default.nix | 110 ++++++++++++++++++
 pkgs/development/libraries/gnutls/generic.nix | 91 ---------------
 .../libraries/gnutls/no-security-framework.patch | 126 +++++++++++++++++++++
 5 files changed, 236 insertions(+), 123 deletions(-)
 delete mode 100644 pkgs/development/libraries/gnutls/3.5.10.nix
 delete mode 100644 pkgs/development/libraries/gnutls/3.6.nix
 create mode 100644 pkgs/development/libraries/gnutls/default.nix
 delete mode 100644 pkgs/development/libraries/gnutls/generic.nix
 create mode 100644 pkgs/development/libraries/gnutls/no-security-framework.patch
(limited to 'pkgs/development/libraries/gnutls')
diff --git a/pkgs/development/libraries/gnutls/3.5.10.nix b/pkgs/development/libraries/gnutls/3.5.10.nix
deleted file mode 100644
index a44e2b04ed7..00000000000
--- a/pkgs/development/libraries/gnutls/3.5.10.nix
+++ /dev/null
@@ -1,10 +0,0 @@
-{ callPackage, fetchurl, libunistring, ... } @ args:
-
-callPackage ./generic.nix (args // rec {
- version = "3.5.10";
-
- src = fetchurl {
- url = "mirror://gnupg/gnutls/v3.5/gnutls-${version}.tar.xz";
- sha256 = "17apwvdkkazh5w8z8mbanpj2yj8s2002qwy46wz4v3akpa33wi5g";
- };
-})
diff --git a/pkgs/development/libraries/gnutls/3.6.nix b/pkgs/development/libraries/gnutls/3.6.nix
deleted file mode 100644
index b05624ee0b2..00000000000
--- a/pkgs/development/libraries/gnutls/3.6.nix
+++ /dev/null
@@ -1,22 +0,0 @@
-{ callPackage, fetchurl, ... } @ args:
-
-callPackage ./generic.nix (args // rec {
- version = "3.6.7";
-
- src = fetchurl {
- url = "mirror://gnupg/gnutls/v3.6/gnutls-${version}.tar.xz";
- sha256 = "1ql8l6l5bxks2pgpwb1602zc0j6ivhpy27hdfc49h8xgbanhjd2v";
- };
-
- # Skip some tests:
- # - pkgconfig: building against the result won't work before installing (3.5.11)
- # - fastopen: no idea; it broke between 3.6.2 and 3.6.3 (3437fdde6 in particular)
- # - trust-store: default trust store path (/etc/ssl/...) is missing in sandbox (3.5.11)
- # - psk-file: no idea; it broke between 3.6.3 and 3.6.4
- # Change p11-kit test to use pkg-config to find p11-kit
- postPatch = ''
- sed '2iexit 77' -i tests/{pkgconfig,fastopen}.sh
- sed '/^void doit(void)/,/^{/ s/{/{ exit(77);/' -i tests/{trust-store,psk-file}.c
- sed 's:/usr/lib64/pkcs11/ /usr/lib/pkcs11/ /usr/lib/x86_64-linux-gnu/pkcs11/:`pkg-config --variable=p11_module_path p11-kit-1`:' -i tests/p11-kit-trust.sh
- '';
-})
diff --git a/pkgs/development/libraries/gnutls/default.nix b/pkgs/development/libraries/gnutls/default.nix
new file mode 100644
index 00000000000..b0ddbbee30c
--- /dev/null
+++ b/pkgs/development/libraries/gnutls/default.nix
@@ -0,0 +1,110 @@ +{ config, lib, stdenv, fetchurl, zlib, lzo, libtasn1, nettle, pkgconfig, lzip +, perl, gmp, autoconf, autogen, automake, libidn, p11-kit, libiconv +, unbound, dns-root-data, gettext +, guileBindings ? config.gnutls.guile or false, guile +, tpmSupport ? false, trousers, which, nettools, libunistring +, withSecurity ? false, Security # darwin Security.framework +}: + +assert guileBindings -> guile != null; +let + version = "3.6.7"; + + # XXX: Gnulib's `test-select' fails on FreeBSD: + # http://hydra.nixos.org/build/2962084/nixlog/1/raw . + doCheck = !stdenv.isFreeBSD && !stdenv.isDarwin && lib.versionAtLeast version "3.4" + && stdenv.buildPlatform == stdenv.hostPlatform; + + inherit (stdenv.hostPlatform) isDarwin; +in + +stdenv.mkDerivation { + name = "gnutls-${version}"; + inherit version; + + src = fetchurl { + url = "mirror://gnupg/gnutls/v3.6/gnutls-${version}.tar.xz"; + sha256 = "1ql8l6l5bxks2pgpwb1602zc0j6ivhpy27hdfc49h8xgbanhjd2v"; + }; + + outputs = [ "bin" "dev" "out" "man" "devdoc" ]; + outputInfo = "devdoc"; + + # Disable native add_system_trust. + patches = lib.optional (isDarwin && !withSecurity) ./no-security-framework.patch; + + # Skip some tests: + # - pkgconfig: building against the result won't work before installing (3.5.11) + # - fastopen: no idea; it broke between 3.6.2 and 3.6.3 (3437fdde6 in particular) + # - trust-store: default trust store path (/etc/ssl/...) 
is missing in sandbox (3.5.11) + # - psk-file: no idea; it broke between 3.6.3 and 3.6.4 + # Change p11-kit test to use pkg-config to find p11-kit + postPatch = lib.optionalString (lib.versionAtLeast version "3.4") '' + sed '2iecho "name constraints tests skipped due to datefudge problems"\nexit 0' -i tests/cert-tests/name-constraints + '' + lib.optionalString (lib.versionAtLeast version "3.6") '' + sed '2iexit 77' -i tests/{pkgconfig,fastopen}.sh + sed '/^void doit(void)/,/^{/ s/{/{ exit(77);/' -i tests/{trust-store,psk-file}.c + sed 's:/usr/lib64/pkcs11/ /usr/lib/pkcs11/ /usr/lib/x86_64-linux-gnu/pkcs11/:`pkg-config --variable=p11_module_path p11-kit-1`:' -i tests/p11-kit-trust.sh + ''; + + preConfigure = "patchShebangs ."; + configureFlags = + lib.optional stdenv.isLinux "--with-default-trust-store-file=/etc/ssl/certs/ca-certificates.crt" + ++ [ + "--disable-dependency-tracking" + "--enable-fast-install" + "--with-unbound-root-key-file=${dns-root-data}/root.key" + ] ++ lib.optional guileBindings + [ "--enable-guile" "--with-guile-site-dir=\${out}/share/guile/site" ]; + + enableParallelBuilding = true; + + buildInputs = [ lzo lzip libtasn1 libidn p11-kit zlib gmp autogen libunistring unbound gettext libiconv ] + ++ lib.optional (isDarwin && withSecurity) Security + ++ lib.optional (tpmSupport && stdenv.isLinux) trousers + ++ lib.optional guileBindings guile; + + nativeBuildInputs = [ perl pkgconfig ] + ++ lib.optionals (isDarwin && !withSecurity) [ autoconf automake ] + ++ lib.optionals doCheck [ which nettools ]; + + propagatedBuildInputs = [ nettle ]; + + inherit doCheck; + + # Fixup broken libtool and pkgconfig files + preFixup = lib.optionalString (!isDarwin) '' + sed ${lib.optionalString tpmSupport "-e 's,-ltspi,-L${trousers}/lib -ltspi,'"} \ + -e 's,-lz,-L${zlib.out}/lib -lz,' \ + -e 's,-L${gmp.dev}/lib,-L${gmp.out}/lib,' \ + -e 's,-lgmp,-L${gmp.out}/lib -lgmp,' \ + -i $out/lib/*.la "$dev/lib/pkgconfig/gnutls.pc" + '' + '' + # It seems only useful for 
static linking but basically noone does that. + substituteInPlace "$out/lib/libgnutls.la" \ + --replace "-lunistring" "" + ''; + + meta = with lib; { + description = "The GNU Transport Layer Security Library"; + + longDescription = '' + GnuTLS is a project that aims to develop a library which + provides a secure layer, over a reliable transport + layer. Currently the GnuTLS library implements the proposed standards by + the IETF's TLS working group. + + Quoting from the TLS protocol specification: + + "The TLS protocol provides communications privacy over the + Internet. The protocol allows client/server applications to + communicate in a way that is designed to prevent eavesdropping, + tampering, or message forgery." + ''; + + homepage = https://www.gnu.org/software/gnutls/; + license = licenses.lgpl21Plus; + maintainers = with maintainers; [ eelco fpletz ]; + platforms = platforms.all; + }; +} diff --git a/pkgs/development/libraries/gnutls/generic.nix b/pkgs/development/libraries/gnutls/generic.nix deleted file mode 100644 index 086c0560cc4..00000000000 --- a/pkgs/development/libraries/gnutls/generic.nix +++ /dev/null 
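Review bot: On Darwin the new derivation ends up with no explicitly chosen default trust store: `--with-default-trust-store-file=/etc/ssl/certs/ca-certificates.crt` in `configureFlags` is still guarded by `lib.optional stdenv.isLinux`, while the bundled no-security-framework.patch drops the `test x$have_macosx = x` condition from configure.ac, so configure's `for i in /etc/ssl/ca-bundle.pem ...` probe now runs on the Darwin build host and may bake in whatever path happens to exist there, or find nothing and leave `add_system_trust` at `GNUTLS_E_UNIMPLEMENTED_FEATURE`. The `# Disable native add_system_trust.` comment above `patches` should spell out that consequence and the expectation stated in the commit message, e.g. `# Disable native add_system_trust on Darwin (no Security.framework): gnutls then has no system trust store of its own, so consumers must honor NIX_SSL_CERT_FILE or pass a trust store explicitly.`. It is also worth considering passing the trust-store flag on Darwin as well, so the result does not depend on the builder's filesystem; the generic.nix deletion below carries the same Linux-only guard but is removed history.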
@@ -1,91 +0,0 @@ -{ config, lib, stdenv, zlib, lzo, libtasn1, nettle, pkgconfig, lzip -, perl, gmp, autogen, libidn, p11-kit, libiconv -, guileBindings ? config.gnutls.guile or false, guile -, tpmSupport ? false, trousers, which, nettools, libunistring -, unbound, dns-root-data, gettext - -# Version dependent args -, version, src, patches ? [], postPatch ? "", nativeBuildInputs ? [] -, buildInputs ? [] -, ...}: - -assert guileBindings -> guile != null; -let - # XXX: Gnulib's `test-select' fails on FreeBSD: - # http://hydra.nixos.org/build/2962084/nixlog/1/raw . - doCheck = !stdenv.isFreeBSD && !stdenv.isDarwin && lib.versionAtLeast version "3.4" - && stdenv.buildPlatform == stdenv.hostPlatform; -in -stdenv.mkDerivation { - name = "gnutls-${version}"; - - inherit src patches; - - outputs = [ "bin" "dev" "out" "man" "devdoc" ]; - outputInfo = "devdoc"; - - postPatch = lib.optionalString (lib.versionAtLeast version "3.4") '' - sed '2iecho "name constraints tests skipped due to datefudge problems"\nexit 0' \ - -i tests/cert-tests/name-constraints - '' + postPatch; - - preConfigure = "patchShebangs ."; - configureFlags = - lib.optional stdenv.isLinux "--with-default-trust-store-file=/etc/ssl/certs/ca-certificates.crt" - ++ [ - "--disable-dependency-tracking" - "--enable-fast-install" - "--with-unbound-root-key-file=${dns-root-data}/root.key" - ] ++ lib.optional guileBindings - [ "--enable-guile" "--with-guile-site-dir=\${out}/share/guile/site" ]; - - enableParallelBuilding = true; - - buildInputs = [ lzo lzip libtasn1 libidn p11-kit zlib gmp autogen libunistring unbound gettext libiconv ] - ++ lib.optional (tpmSupport && stdenv.isLinux) trousers - ++ lib.optional guileBindings guile - ++ buildInputs; - - nativeBuildInputs = [ perl pkgconfig ] ++ nativeBuildInputs - ++ lib.optionals doCheck [ which nettools ]; - - propagatedBuildInputs = [ nettle ]; - - inherit doCheck; - - # Fixup broken libtool and pkgconfig files - preFixup = lib.optionalString (!stdenv.isDarwin) '' - 
sed ${lib.optionalString tpmSupport "-e 's,-ltspi,-L${trousers}/lib -ltspi,'"} \ - -e 's,-lz,-L${zlib.out}/lib -lz,' \ - -e 's,-L${gmp.dev}/lib,-L${gmp.out}/lib,' \ - -e 's,-lgmp,-L${gmp.out}/lib -lgmp,' \ - -i $out/lib/*.la "$dev/lib/pkgconfig/gnutls.pc" - '' + '' - # It seems only useful for static linking but basically noone does that. - substituteInPlace "$out/lib/libgnutls.la" \ - --replace "-lunistring" "" - ''; - - meta = with lib; { - description = "The GNU Transport Layer Security Library"; - - longDescription = '' - GnuTLS is a project that aims to develop a library which - provides a secure layer, over a reliable transport - layer. Currently the GnuTLS library implements the proposed standards by - the IETF's TLS working group. - - Quoting from the TLS protocol specification: - - "The TLS protocol provides communications privacy over the - Internet. The protocol allows client/server applications to - communicate in a way that is designed to prevent eavesdropping, - tampering, or message forgery." - ''; - - homepage = https://www.gnu.org/software/gnutls/; - license = licenses.lgpl21Plus; - maintainers = with maintainers; [ eelco fpletz ]; - platforms = platforms.all; - }; -} diff --git a/pkgs/development/libraries/gnutls/no-security-framework.patch b/pkgs/development/libraries/gnutls/no-security-framework.patch new file mode 100644 index 00000000000..7f5808e5053 --- /dev/null +++ b/pkgs/development/libraries/gnutls/no-security-framework.patch 
@@ -0,0 +1,126 @@ +commit 9bcdde1ab9cdff6a4471f9a926dd488ab70c7247 +Author: Daiderd Jordan +Date: Mon Apr 22 16:38:27 2019 +0200 + + Revert "gnutls_x509_trust_list_add_system_trust: Add macOS keychain support" + + This reverts commit c0eb46d3463cd21b3f822ac377ff37f067f66b8d. + +diff --git a/configure.ac b/configure.ac +index 8ad597bfd..8d14f26cd 100644 +--- a/configure.ac ++++ b/configure.ac +@@ -781,7 +781,7 @@ dnl auto detect https://lists.gnu.org/archive/html/help-gnutls/2012-05/msg00004. + AC_ARG_WITH([default-trust-store-file], + [AS_HELP_STRING([--with-default-trust-store-file=FILE], + [use the given file default trust store])], with_default_trust_store_file="$withval", +- [if test "$build" = "$host" && test x$with_default_trust_store_pkcs11 = x && test x$with_default_trust_store_dir = x && test x$have_macosx = x;then ++ [if test "$build" = "$host" && test x$with_default_trust_store_pkcs11 = x && test x$with_default_trust_store_dir = x;then + for i in \ + /etc/ssl/ca-bundle.pem \ + /etc/ssl/certs/ca-certificates.crt \ +diff --git a/lib/Makefile.am b/lib/Makefile.am +index fe9cf63a2..745695f7e 100644 +--- a/lib/Makefile.am ++++ b/lib/Makefile.am +@@ -203,10 +203,6 @@ if WINDOWS + thirdparty_libadd += -lcrypt32 + endif + +-if MACOSX +-libgnutls_la_LDFLAGS += -framework Security -framework CoreFoundation +-endif +- + libgnutls_la_LIBADD += $(thirdparty_libadd) + + # C++ library +diff --git a/lib/system/certs.c b/lib/system/certs.c +index 611c645e0..912b0aa5e 100644 +--- a/lib/system/certs.c ++++ b/lib/system/certs.c +@@ -44,12 +44,6 @@ + # endif + #endif + +-#ifdef __APPLE__ +-# include +-# include +-# include +-#endif +- + /* System specific function wrappers for certificate stores. 
+ */ + +@@ -276,72 +270,6 @@ int add_system_trust(gnutls_x509_trust_list_t list, unsigned int tl_flags, + + return r; + } +-#elif defined(__APPLE__) && __MAC_OS_X_VERSION_MIN_REQUIRED >= 1070 +-static +-int osstatus_error(status) +-{ +- CFStringRef err_str = SecCopyErrorMessageString(status, NULL); +- _gnutls_debug_log("Error loading system root certificates: %s\n", +- CFStringGetCStringPtr(err_str, kCFStringEncodingUTF8)); +- CFRelease(err_str); +- return GNUTLS_E_FILE_ERROR; +-} +- +-static +-int add_system_trust(gnutls_x509_trust_list_t list, unsigned int tl_flags, +- unsigned int tl_vflags) +-{ +- int r=0; +- +- SecTrustSettingsDomain domain[] = { kSecTrustSettingsDomainUser, +- kSecTrustSettingsDomainAdmin, +- kSecTrustSettingsDomainSystem }; +- for (size_t d=0; d 0) +- r++; +- CFRelease(der); +- } +- CFRelease(certs); +- } +- +-#ifdef DEFAULT_BLACKLIST_FILE +- ret = gnutls_x509_trust_list_remove_trust_file(list, DEFAULT_BLACKLIST_FILE, GNUTLS_X509_FMT_PEM); +- if (ret < 0) { +- _gnutls_debug_log("Could not load blacklist file '%s'\n", DEFAULT_BLACKLIST_FILE); +- } +-#endif +- +- return r; +-} + #else + + #define add_system_trust(x,y,z) GNUTLS_E_UNIMPLEMENTED_FEATURE -- cgit 1.4.1
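Review bot: As shown here, the new patch file is missing text in its lib/system/certs.c hunk: the three removed `# include` lines carry no header name, and the removed loop header reads `for (size_t d=0; d 0)`, with everything between the `d` and the `0)` gone. This looks like angle-bracket content stripped by the page rendering rather than the file on disk, but since the patch is applied unconditionally on Darwin without Security, it is worth confirming that the stored file matches the upstream commit it reverts (9bcdde1ab9cdff6a4471f9a926dd488ab70c7247 reverting c0eb46d3463cd21b3f822ac377ff37f067f66b8d, per the patch header) and applies cleanly. A patch that fails to apply would surface as a build failure, whereas a truncated but applying patch could silently leave the Security-framework code path in place.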