add gnutls 3.7.2

default.nix

@@ -9,6 +9,13 @@ self: super:
 
   gintro = super.callPackage ./pkgs/nim-packages/gintro/default.nix { };
 
+  gnutls = super.callPackage ./pkgs/gnutls/default.nix {
+    inherit (super.darwin.apple_sdk.frameworks) Security;
+    util-linux = super.utillinuxMinimal; # break the cyclic dependency
+  };
+
+  #gnutls-debug = super.enableDebugging self.gnutls;
+
   groupchat = super.callPackage ./pkgs/nim-packages/groupchat.nix { };
 
   hid = super.callPackage ./pkgs/hid/default.nix { };

pkgs/gnutls/default.nix

@@ -0,0 +1,123 @@
+{ config, lib, stdenv, fetchurl, zlib, lzo, libtasn1, nettle, pkg-config, lzip
+, perl, gmp, autoconf, automake, libidn, p11-kit, libiconv
+, unbound, dns-root-data, gettext, cacert, util-linux
+, guileBindings ? config.gnutls.guile or false, guile
+, tpmSupport ? false, trousers, which, nettools, libunistring
+, withSecurity ? false, Security  # darwin Security.framework
+}:
+
+assert guileBindings -> guile != null;
+let
+  version = "3.7.2";
+
+  # XXX: Gnulib's `test-select' fails on FreeBSD:
+  # https://hydra.nixos.org/build/2962084/nixlog/1/raw .
+  doCheck = !stdenv.isFreeBSD && !stdenv.isDarwin && lib.versionAtLeast version "3.4"
+      && stdenv.buildPlatform == stdenv.hostPlatform;
+
+  inherit (stdenv.hostPlatform) isDarwin;
+in
+
+stdenv.mkDerivation {
+  name = "gnutls-${version}";
+  inherit version;
+
+  src = fetchurl {
+    url = "mirror://gnupg/gnutls/v3.7/gnutls-${version}.tar.xz";
+    sha256 = "0li7mwjnm64mbxhacz0rpf6i9qd83f53fvbrx96alpqqk9d6qvk4";
+  };
+
+  outputs = [ "bin" "dev" "out" "man" "devdoc" ];
+  # Not normally useful docs.
+  outputInfo = "devdoc";
+  outputDoc  = "devdoc";
+
+  patches = [ ./nix-ssl-cert-file.patch ]
+    # Disable native add_system_trust.
+    ++ lib.optional (isDarwin && !withSecurity) ./no-security-framework.patch;
+
+  # Skip some tests:
+  #  - pkg-config: building against the result won't work before installing (3.5.11)
+  #  - fastopen: no idea; it broke between 3.6.2 and 3.6.3 (3437fdde6 in particular)
+  #  - trust-store: default trust store path (/etc/ssl/...) is missing in sandbox (3.5.11)
+  #  - psk-file: no idea; it broke between 3.6.3 and 3.6.4
+  # Change p11-kit test to use pkg-config to find p11-kit
+  postPatch = lib.optionalString (lib.versionAtLeast version "3.6") ''
+    sed '2iexit 77' -i tests/{pkgconfig,fastopen}.sh
+    sed '/^void doit(void)/,/^{/ s/{/{ exit(77);/' -i tests/{trust-store,psk-file}.c
+    sed 's:/usr/lib64/pkcs11/ /usr/lib/pkcs11/ /usr/lib/x86_64-linux-gnu/pkcs11/:`pkg-config --variable=p11_module_path p11-kit-1`:' -i tests/p11-kit-trust.sh
+  '' + lib.optionalString stdenv.hostPlatform.isMusl '' # See https://gitlab.com/gnutls/gnutls/-/issues/945
+    sed '2iecho "certtool tests skipped in musl build"\nexit 0' -i tests/cert-tests/certtool.sh
+  '';
+
+  hardeningDisable = [ "fortify" ];
+  dontStrip = true;
+
+  preConfigure = "patchShebangs .";
+  configureFlags =
+    lib.optional stdenv.isLinux "--with-default-trust-store-file=/etc/ssl/certs/ca-certificates.crt"
+  ++ [
+    "--disable-dependency-tracking"
+    "--enable-fast-install"
+    "--with-unbound-root-key-file=${dns-root-data}/root.key"
+  ] ++ lib.optional guileBindings [
+    "--enable-guile"
+    "--with-guile-site-dir=\${out}/share/guile/site"
+    "--with-guile-site-ccache-dir=\${out}/share/guile/site"
+    "--with-guile-extension-dir=\${out}/share/guile/site"
+  ];
+
+  enableParallelBuilding = true;
+
+  buildInputs = [ lzo lzip libtasn1 libidn p11-kit zlib gmp libunistring unbound gettext libiconv ]
+    ++ lib.optional (isDarwin && withSecurity) Security
+    ++ lib.optional (tpmSupport && stdenv.isLinux) trousers
+    ++ lib.optional guileBindings guile;
+
+  nativeBuildInputs = [ perl pkg-config ]
+    ++ lib.optionals (isDarwin && !withSecurity) [ autoconf automake ]
+    ++ lib.optionals doCheck [ which nettools util-linux ];
+
+  propagatedBuildInputs = [ nettle ];
+
+  inherit doCheck;
+  # stdenv's `NIX_SSL_CERT_FILE=/no-cert-file.crt` broke tests with:
+  #   Error setting the x509 trust file: Error while reading file.
+  checkInputs = [ cacert ];
+
+  # Fixup broken libtool and pkg-config files
+  preFixup = lib.optionalString (!isDarwin) ''
+    sed ${lib.optionalString tpmSupport "-e 's,-ltspi,-L${trousers}/lib -ltspi,'"} \
+        -e 's,-lz,-L${zlib.out}/lib -lz,' \
+        -e 's,-L${gmp.dev}/lib,-L${gmp.out}/lib,' \
+        -e 's,-lgmp,-L${gmp.out}/lib -lgmp,' \
+        -i $out/lib/*.la "$dev/lib/pkgconfig/gnutls.pc"
+  '' + ''
+    # It seems only useful for static linking but basically noone does that.
+    substituteInPlace "$out/lib/libgnutls.la" \
+      --replace "-lunistring" ""
+  '';
+
+  meta = with lib; {
+    description = "The GNU Transport Layer Security Library";
+
+    longDescription = ''
+       GnuTLS is a project that aims to develop a library which
+       provides a secure layer, over a reliable transport
+       layer. Currently the GnuTLS library implements the proposed standards by
+       the IETF's TLS working group.
+
+       Quoting from the TLS protocol specification:
+
+       "The TLS protocol provides communications privacy over the
+       Internet. The protocol allows client/server applications to
+       communicate in a way that is designed to prevent eavesdropping,
+       tampering, or message forgery."
+    '';
+
+    homepage = "https://www.gnu.org/software/gnutls/";
+    license = licenses.lgpl21Plus;
+    maintainers = with maintainers; [ eelco fpletz ];
+    platforms = platforms.all;
+  };
+}

pkgs/gnutls/fix-gnulib-tests-arm.patch

@@ -0,0 +1,45 @@
+>From 175e0bc72808d564074c4adcc72aeadb74adfcc6 Mon Sep 17 00:00:00 2001
+From: Paul Eggert <eggert@cs.ucla.edu>
+Date: Thu, 27 Aug 2020 17:52:58 -0700
+Subject: [PATCH] perror, strerror_r: remove unportable tests
+
+Problem reported by Florian Weimer in:
+https://lists.gnu.org/r/bug-gnulib/2020-08/msg00220.html
+* tests/test-perror2.c (main):
+* tests/test-strerror_r.c (main): Omit unportable tests.
+---
+ tests/test-perror2.c    | 3 ---
+ tests/test-strerror_r.c | 3 ---
+ 2 files changed, 6 deletions(-)
+
+diff --git a/gl/tests/test-perror2.c b/gl/tests/test-perror2.c
+index 1d14eda7b..c6214dd25 100644
+--- a/gl/tests/test-perror2.c
++++ b/gl/tests/test-perror2.c
+@@ -79,9 +79,6 @@ main (void)
+     errno = -5;
+     perror ("");
+     ASSERT (!ferror (stderr));
+-    ASSERT (msg1 == msg2 || msg1 == msg4 || STREQ (msg1, str1));
+-    ASSERT (msg2 == msg4 || STREQ (msg2, str2));
+-    ASSERT (msg3 == msg4 || STREQ (msg3, str3));
+     ASSERT (STREQ (msg4, str4));
+ 
+     free (str1);
+diff --git a/gl/tests/test-strerror_r.c b/gl/tests/test-strerror_r.c
+index b11d6fd9f..c1dbcf837 100644
+--- a/gl/tests/test-strerror_r.c
++++ b/gl/tests/test-strerror_r.c
+@@ -165,9 +165,6 @@ main (void)
+ 
+     strerror_r (EACCES, buf, sizeof buf);
+     strerror_r (-5, buf, sizeof buf);
+-    ASSERT (msg1 == msg2 || msg1 == msg4 || STREQ (msg1, str1));
+-    ASSERT (msg2 == msg4 || STREQ (msg2, str2));
+-    ASSERT (msg3 == msg4 || STREQ (msg3, str3));
+     ASSERT (STREQ (msg4, str4));
+ 
+     free (str1);
+-- 
+2.17.1
+

pkgs/gnutls/nix-ssl-cert-file.patch

@@ -0,0 +1,19 @@
+allow overriding system trust store location via $NIX_SSL_CERT_FILE
+
+diff --git a/lib/system/certs.c b/lib/system/certs.c
+index 611c645..6ef6edb 100644
+--- a/lib/system/certs.c
++++ b/lib/system/certs.c
+@@ -369,6 +369,11 @@ gnutls_x509_trust_list_add_system_trust(gnutls_x509_trust_list_t list,
+ 					unsigned int tl_flags,
+ 					unsigned int tl_vflags)
+ {
+-	return add_system_trust(list, tl_flags|GNUTLS_TL_NO_DUPLICATES, tl_vflags);
++	tl_flags = tl_flags|GNUTLS_TL_NO_DUPLICATES;
++	const char *file = secure_getenv("NIX_SSL_CERT_FILE");
++	return file
++		? gnutls_x509_trust_list_add_trust_file(
++			list, file, NULL/*CRL*/, GNUTLS_X509_FMT_PEM, tl_flags, tl_vflags)
++		: add_system_trust(list, tl_flags, tl_vflags);
+ }
+ 

pkgs/gnutls/no-security-framework.patch

@@ -0,0 +1,126 @@
+commit 9bcdde1ab9cdff6a4471f9a926dd488ab70c7247
+Author: Daiderd Jordan <daiderd@gmail.com>
+Date:   Mon Apr 22 16:38:27 2019 +0200
+
+    Revert "gnutls_x509_trust_list_add_system_trust: Add macOS keychain support"
+    
+    This reverts commit c0eb46d3463cd21b3f822ac377ff37f067f66b8d.
+
+diff --git a/configure.ac b/configure.ac
+index 8ad597bfd..8d14f26cd 100644
+--- a/configure.ac
++++ b/configure.ac
+@@ -781,7 +781,7 @@ dnl auto detect https://lists.gnu.org/archive/html/help-gnutls/2012-05/msg00004.
+ AC_ARG_WITH([default-trust-store-file],
+   [AS_HELP_STRING([--with-default-trust-store-file=FILE],
+     [use the given file default trust store])], with_default_trust_store_file="$withval",
+-  [if test "$build" = "$host" && test x$with_default_trust_store_pkcs11 = x && test x$with_default_trust_store_dir = x && test x$have_macosx = x;then
++  [if test "$build" = "$host" && test x$with_default_trust_store_pkcs11 = x && test x$with_default_trust_store_dir = x;then
+   for i in \
+     /etc/ssl/ca-bundle.pem \
+     /etc/ssl/certs/ca-certificates.crt \
+diff --git a/lib/Makefile.am b/lib/Makefile.am
+index fe9cf63a2..745695f7e 100644
+--- a/lib/Makefile.am
++++ b/lib/Makefile.am
+@@ -203,10 +203,6 @@ if WINDOWS
+ thirdparty_libadd += -lcrypt32
+ endif
+ 
+-if MACOSX
+-libgnutls_la_LDFLAGS += -framework Security -framework CoreFoundation
+-endif
+-
+ libgnutls_la_LIBADD += $(thirdparty_libadd)
+ 
+ # C++ library
+diff --git a/lib/system/certs.c b/lib/system/certs.c
+index 611c645e0..912b0aa5e 100644
+--- a/lib/system/certs.c
++++ b/lib/system/certs.c
+@@ -44,12 +44,6 @@
+ # endif
+ #endif
+ 
+-#ifdef __APPLE__
+-# include <CoreFoundation/CoreFoundation.h>
+-# include <Security/Security.h>
+-# include <Availability.h>
+-#endif
+-
+ /* System specific function wrappers for certificate stores.
+  */
+ 
+@@ -276,72 +270,6 @@ int add_system_trust(gnutls_x509_trust_list_t list, unsigned int tl_flags,
+ 
+ 	return r;
+ }
+-#elif defined(__APPLE__) && __MAC_OS_X_VERSION_MIN_REQUIRED >= 1070
+-static
+-int osstatus_error(status)
+-{
+-	CFStringRef err_str = SecCopyErrorMessageString(status, NULL);
+-	_gnutls_debug_log("Error loading system root certificates: %s\n",
+-			  CFStringGetCStringPtr(err_str, kCFStringEncodingUTF8));
+-	CFRelease(err_str);
+-	return GNUTLS_E_FILE_ERROR;
+-}
+-
+-static
+-int add_system_trust(gnutls_x509_trust_list_t list, unsigned int tl_flags,
+-		     unsigned int tl_vflags)
+-{
+-	int r=0;
+-
+-	SecTrustSettingsDomain domain[] = { kSecTrustSettingsDomainUser,
+-					    kSecTrustSettingsDomainAdmin,
+-					    kSecTrustSettingsDomainSystem };
+-	for (size_t d=0; d<sizeof(domain)/sizeof(*domain); d++) {
+-		CFArrayRef certs = NULL;
+-		OSStatus status = SecTrustSettingsCopyCertificates(domain[d],
+-								   &certs);
+-		if (status == errSecNoTrustSettings)
+-			continue;
+-		if (status != errSecSuccess)
+-			return osstatus_error(status);
+-
+-		int cert_count = CFArrayGetCount(certs);
+-		for (int i=0; i<cert_count; i++) {
+-			SecCertificateRef cert =
+-				(void*)CFArrayGetValueAtIndex(certs, i);
+-			CFDataRef der;
+-			status = SecItemExport(cert, kSecFormatX509Cert, 0,
+-					       NULL, &der);
+-			if (status != errSecSuccess) {
+-				CFRelease(der);
+-				CFRelease(certs);
+-				return osstatus_error(status);
+-			}
+-
+-			if (gnutls_x509_trust_list_add_trust_mem(list,
+-								 &(gnutls_datum_t) {
+-									.data = (void*)CFDataGetBytePtr(der),
+-									.size = CFDataGetLength(der),
+-								 },
+-								 NULL,
+-			                                         GNUTLS_X509_FMT_DER,
+-								 tl_flags,
+-								 tl_vflags) > 0)
+-				r++;
+-			CFRelease(der);
+-		}
+-		CFRelease(certs);
+-	}
+-
+-#ifdef DEFAULT_BLACKLIST_FILE
+-	ret = gnutls_x509_trust_list_remove_trust_file(list, DEFAULT_BLACKLIST_FILE, GNUTLS_X509_FMT_PEM);
+-	if (ret < 0) {
+-		_gnutls_debug_log("Could not load blacklist file '%s'\n", DEFAULT_BLACKLIST_FILE);
+-	}
+-#endif
+-
+-	return r;
+-}
+ #else
+ 
+ #define add_system_trust(x,y,z) GNUTLS_E_UNIMPLEMENTED_FEATURE