From 4a429e60a13188d628925fc9f96c9c858657b110 Mon Sep 17 00:00:00 2001 From: Christian Ulrich Date: Fri, 16 Jul 2021 00:57:04 +0200 Subject: [PATCH] add gnutls 3.7.2 --- default.nix | 7 ++ pkgs/gnutls/default.nix | 123 +++++++++++++++++++++++ pkgs/gnutls/fix-gnulib-tests-arm.patch | 45 +++++++++ pkgs/gnutls/nix-ssl-cert-file.patch | 19 ++++ pkgs/gnutls/no-security-framework.patch | 126 ++++++++++++++++++++++++ 5 files changed, 320 insertions(+) create mode 100644 pkgs/gnutls/default.nix create mode 100644 pkgs/gnutls/fix-gnulib-tests-arm.patch create mode 100644 pkgs/gnutls/nix-ssl-cert-file.patch create mode 100644 pkgs/gnutls/no-security-framework.patch diff --git a/default.nix b/default.nix index 4c9c7fc..113ec16 100644 --- a/default.nix +++ b/default.nix @@ -9,6 +9,13 @@ self: super: gintro = super.callPackage ./pkgs/nim-packages/gintro/default.nix { }; + gnutls = super.callPackage ./pkgs/gnutls/default.nix { + inherit (super.darwin.apple_sdk.frameworks) Security; + util-linux = super.utillinuxMinimal; # break the cyclic dependency + }; + + #gnutls-debug = super.enableDebugging self.gnutls; + groupchat = super.callPackage ./pkgs/nim-packages/groupchat.nix { }; hid = super.callPackage ./pkgs/hid/default.nix { }; diff --git a/pkgs/gnutls/default.nix b/pkgs/gnutls/default.nix new file mode 100644 index 0000000..d3000be --- /dev/null +++ b/pkgs/gnutls/default.nix @@ -0,0 +1,123 @@ +{ config, lib, stdenv, fetchurl, zlib, lzo, libtasn1, nettle, pkg-config, lzip +, perl, gmp, autoconf, automake, libidn, p11-kit, libiconv +, unbound, dns-root-data, gettext, cacert, util-linux +, guileBindings ? config.gnutls.guile or false, guile +, tpmSupport ? false, trousers, which, nettools, libunistring +, withSecurity ? false, Security # darwin Security.framework +}: + +assert guileBindings -> guile != null; +let + version = "3.7.2"; + + # XXX: Gnulib's `test-select' fails on FreeBSD: + # https://hydra.nixos.org/build/2962084/nixlog/1/raw . + doCheck = !stdenv.isFreeBSD && !stdenv.isDarwin && lib.versionAtLeast version "3.4" + && stdenv.buildPlatform == stdenv.hostPlatform; + + inherit (stdenv.hostPlatform) isDarwin; +in + +stdenv.mkDerivation { + name = "gnutls-${version}"; + inherit version; + + src = fetchurl { + url = "mirror://gnupg/gnutls/v3.7/gnutls-${version}.tar.xz"; + sha256 = "0li7mwjnm64mbxhacz0rpf6i9qd83f53fvbrx96alpqqk9d6qvk4"; + }; + + outputs = [ "bin" "dev" "out" "man" "devdoc" ]; + # Not normally useful docs. + outputInfo = "devdoc"; + outputDoc = "devdoc"; + + patches = [ ./nix-ssl-cert-file.patch ] + # Disable native add_system_trust. + ++ lib.optional (isDarwin && !withSecurity) ./no-security-framework.patch; + + # Skip some tests: + # - pkg-config: building against the result won't work before installing (3.5.11) + # - fastopen: no idea; it broke between 3.6.2 and 3.6.3 (3437fdde6 in particular) + # - trust-store: default trust store path (/etc/ssl/...) is missing in sandbox (3.5.11) + # - psk-file: no idea; it broke between 3.6.3 and 3.6.4 + # Change p11-kit test to use pkg-config to find p11-kit + postPatch = lib.optionalString (lib.versionAtLeast version "3.6") '' + sed '2iexit 77' -i tests/{pkgconfig,fastopen}.sh + sed '/^void doit(void)/,/^{/ s/{/{ exit(77);/' -i tests/{trust-store,psk-file}.c + sed 's:/usr/lib64/pkcs11/ /usr/lib/pkcs11/ /usr/lib/x86_64-linux-gnu/pkcs11/:`pkg-config --variable=p11_module_path p11-kit-1`:' -i tests/p11-kit-trust.sh + '' + lib.optionalString stdenv.hostPlatform.isMusl '' # See https://gitlab.com/gnutls/gnutls/-/issues/945 + sed '2iecho "certtool tests skipped in musl build"\nexit 0' -i tests/cert-tests/certtool.sh + ''; + + hardeningDisable = [ "fortify" ]; + dontStrip = true; + + preConfigure = "patchShebangs ."; + configureFlags = + lib.optional stdenv.isLinux "--with-default-trust-store-file=/etc/ssl/certs/ca-certificates.crt" + ++ [ + "--disable-dependency-tracking" + "--enable-fast-install" + "--with-unbound-root-key-file=${dns-root-data}/root.key" + ] ++ lib.optional guileBindings [ + "--enable-guile" + "--with-guile-site-dir=\${out}/share/guile/site" + "--with-guile-site-ccache-dir=\${out}/share/guile/site" + "--with-guile-extension-dir=\${out}/share/guile/site" + ]; + + enableParallelBuilding = true; + + buildInputs = [ lzo lzip libtasn1 libidn p11-kit zlib gmp libunistring unbound gettext libiconv ] + ++ lib.optional (isDarwin && withSecurity) Security + ++ lib.optional (tpmSupport && stdenv.isLinux) trousers + ++ lib.optional guileBindings guile; + + nativeBuildInputs = [ perl pkg-config ] + ++ lib.optionals (isDarwin && !withSecurity) [ autoconf automake ] + ++ lib.optionals doCheck [ which nettools util-linux ]; + + propagatedBuildInputs = [ nettle ]; + + inherit doCheck; + # stdenv's `NIX_SSL_CERT_FILE=/no-cert-file.crt` broke tests with: + # Error setting the x509 trust file: Error while reading file. + checkInputs = [ cacert ]; + + # Fixup broken libtool and pkg-config files + preFixup = lib.optionalString (!isDarwin) '' + sed ${lib.optionalString tpmSupport "-e 's,-ltspi,-L${trousers}/lib -ltspi,'"} \ + -e 's,-lz,-L${zlib.out}/lib -lz,' \ + -e 's,-L${gmp.dev}/lib,-L${gmp.out}/lib,' \ + -e 's,-lgmp,-L${gmp.out}/lib -lgmp,' \ + -i $out/lib/*.la "$dev/lib/pkgconfig/gnutls.pc" + '' + '' + # It seems only useful for static linking but basically noone does that. + substituteInPlace "$out/lib/libgnutls.la" \ + --replace "-lunistring" "" + ''; + + meta = with lib; { + description = "The GNU Transport Layer Security Library"; + + longDescription = '' + GnuTLS is a project that aims to develop a library which + provides a secure layer, over a reliable transport + layer. Currently the GnuTLS library implements the proposed standards by + the IETF's TLS working group. + + Quoting from the TLS protocol specification: + + "The TLS protocol provides communications privacy over the + Internet. The protocol allows client/server applications to + communicate in a way that is designed to prevent eavesdropping, + tampering, or message forgery." + ''; + + homepage = "https://www.gnu.org/software/gnutls/"; + license = licenses.lgpl21Plus; + maintainers = with maintainers; [ eelco fpletz ]; + platforms = platforms.all; + }; +} diff --git a/pkgs/gnutls/fix-gnulib-tests-arm.patch b/pkgs/gnutls/fix-gnulib-tests-arm.patch new file mode 100644 index 0000000..5a222a9 --- /dev/null +++ b/pkgs/gnutls/fix-gnulib-tests-arm.patch @@ -0,0 +1,45 @@ +>From 175e0bc72808d564074c4adcc72aeadb74adfcc6 Mon Sep 17 00:00:00 2001 +From: Paul Eggert +Date: Thu, 27 Aug 2020 17:52:58 -0700 +Subject: [PATCH] perror, strerror_r: remove unportable tests + +Problem reported by Florian Weimer in: +https://lists.gnu.org/r/bug-gnulib/2020-08/msg00220.html +* tests/test-perror2.c (main): +* tests/test-strerror_r.c (main): Omit unportable tests. +--- + tests/test-perror2.c | 3 --- + tests/test-strerror_r.c | 3 --- + 2 files changed, 6 deletions(-) + +diff --git a/gl/tests/test-perror2.c b/gl/tests/test-perror2.c +index 1d14eda7b..c6214dd25 100644 +--- a/gl/tests/test-perror2.c ++++ b/gl/tests/test-perror2.c +@@ -79,9 +79,6 @@ main (void) + errno = -5; + perror (""); + ASSERT (!ferror (stderr)); +- ASSERT (msg1 == msg2 || msg1 == msg4 || STREQ (msg1, str1)); +- ASSERT (msg2 == msg4 || STREQ (msg2, str2)); +- ASSERT (msg3 == msg4 || STREQ (msg3, str3)); + ASSERT (STREQ (msg4, str4)); + + free (str1); +diff --git a/gl/tests/test-strerror_r.c b/gl/tests/test-strerror_r.c +index b11d6fd9f..c1dbcf837 100644 +--- a/gl/tests/test-strerror_r.c ++++ b/gl/tests/test-strerror_r.c +@@ -165,9 +165,6 @@ main (void) + + strerror_r (EACCES, buf, sizeof buf); + strerror_r (-5, buf, sizeof buf); +- ASSERT (msg1 == msg2 || msg1 == msg4 || STREQ (msg1, str1)); +- ASSERT (msg2 == msg4 || STREQ (msg2, str2)); +- ASSERT (msg3 == msg4 || STREQ (msg3, str3)); + ASSERT (STREQ (msg4, str4)); + + free (str1); +-- +2.17.1 + diff --git a/pkgs/gnutls/nix-ssl-cert-file.patch b/pkgs/gnutls/nix-ssl-cert-file.patch new file mode 100644 index 0000000..90d1e85 --- /dev/null +++ b/pkgs/gnutls/nix-ssl-cert-file.patch @@ -0,0 +1,19 @@ +allow overriding system trust store location via $NIX_SSL_CERT_FILE + +diff --git a/lib/system/certs.c b/lib/system/certs.c +index 611c645..6ef6edb 100644 +--- a/lib/system/certs.c ++++ b/lib/system/certs.c +@@ -369,6 +369,11 @@ gnutls_x509_trust_list_add_system_trust(gnutls_x509_trust_list_t list, + unsigned int tl_flags, + unsigned int tl_vflags) + { +- return add_system_trust(list, tl_flags|GNUTLS_TL_NO_DUPLICATES, tl_vflags); ++ tl_flags = tl_flags|GNUTLS_TL_NO_DUPLICATES; ++ const char *file = secure_getenv("NIX_SSL_CERT_FILE"); ++ return file ++ ? gnutls_x509_trust_list_add_trust_file( ++ list, file, NULL/*CRL*/, GNUTLS_X509_FMT_PEM, tl_flags, tl_vflags) ++ : add_system_trust(list, tl_flags, tl_vflags); + } + diff --git a/pkgs/gnutls/no-security-framework.patch b/pkgs/gnutls/no-security-framework.patch new file mode 100644 index 0000000..7f5808e --- /dev/null +++ b/pkgs/gnutls/no-security-framework.patch @@ -0,0 +1,126 @@ +commit 9bcdde1ab9cdff6a4471f9a926dd488ab70c7247 +Author: Daiderd Jordan +Date: Mon Apr 22 16:38:27 2019 +0200 + + Revert "gnutls_x509_trust_list_add_system_trust: Add macOS keychain support" + + This reverts commit c0eb46d3463cd21b3f822ac377ff37f067f66b8d. + +diff --git a/configure.ac b/configure.ac +index 8ad597bfd..8d14f26cd 100644 +--- a/configure.ac ++++ b/configure.ac +@@ -781,7 +781,7 @@ dnl auto detect https://lists.gnu.org/archive/html/help-gnutls/2012-05/msg00004. + AC_ARG_WITH([default-trust-store-file], + [AS_HELP_STRING([--with-default-trust-store-file=FILE], + [use the given file default trust store])], with_default_trust_store_file="$withval", +- [if test "$build" = "$host" && test x$with_default_trust_store_pkcs11 = x && test x$with_default_trust_store_dir = x && test x$have_macosx = x;then ++ [if test "$build" = "$host" && test x$with_default_trust_store_pkcs11 = x && test x$with_default_trust_store_dir = x;then + for i in \ + /etc/ssl/ca-bundle.pem \ + /etc/ssl/certs/ca-certificates.crt \ +diff --git a/lib/Makefile.am b/lib/Makefile.am +index fe9cf63a2..745695f7e 100644 +--- a/lib/Makefile.am ++++ b/lib/Makefile.am +@@ -203,10 +203,6 @@ if WINDOWS + thirdparty_libadd += -lcrypt32 + endif + +-if MACOSX +-libgnutls_la_LDFLAGS += -framework Security -framework CoreFoundation +-endif +- + libgnutls_la_LIBADD += $(thirdparty_libadd) + + # C++ library +diff --git a/lib/system/certs.c b/lib/system/certs.c +index 611c645e0..912b0aa5e 100644 +--- a/lib/system/certs.c ++++ b/lib/system/certs.c +@@ -44,12 +44,6 @@ + # endif + #endif + +-#ifdef __APPLE__ +-# include +-# include +-# include +-#endif +- + /* System specific function wrappers for certificate stores. + */ + +@@ -276,72 +270,6 @@ int add_system_trust(gnutls_x509_trust_list_t list, unsigned int tl_flags, + + return r; + } +-#elif defined(__APPLE__) && __MAC_OS_X_VERSION_MIN_REQUIRED >= 1070 +-static +-int osstatus_error(status) +-{ +- CFStringRef err_str = SecCopyErrorMessageString(status, NULL); +- _gnutls_debug_log("Error loading system root certificates: %s\n", +- CFStringGetCStringPtr(err_str, kCFStringEncodingUTF8)); +- CFRelease(err_str); +- return GNUTLS_E_FILE_ERROR; +-} +- +-static +-int add_system_trust(gnutls_x509_trust_list_t list, unsigned int tl_flags, +- unsigned int tl_vflags) +-{ +- int r=0; +- +- SecTrustSettingsDomain domain[] = { kSecTrustSettingsDomainUser, +- kSecTrustSettingsDomainAdmin, +- kSecTrustSettingsDomainSystem }; +- for (size_t d=0; d 0) +- r++; +- CFRelease(der); +- } +- CFRelease(certs); +- } +- +-#ifdef DEFAULT_BLACKLIST_FILE +- ret = gnutls_x509_trust_list_remove_trust_file(list, DEFAULT_BLACKLIST_FILE, GNUTLS_X509_FMT_PEM); +- if (ret < 0) { +- _gnutls_debug_log("Could not load blacklist file '%s'\n", DEFAULT_BLACKLIST_FILE); +- } +-#endif +- +- return r; +-} + #else + + #define add_system_trust(x,y,z) GNUTLS_E_UNIMPLEMENTED_FEATURE