add gnutls 3.7.2
This commit is contained in:
parent
6a5e746151
commit
4a429e60a1
|
@ -9,6 +9,13 @@ self: super:
|
||||||
|
|
||||||
gintro = super.callPackage ./pkgs/nim-packages/gintro/default.nix { };
|
gintro = super.callPackage ./pkgs/nim-packages/gintro/default.nix { };
|
||||||
|
|
||||||
|
gnutls = super.callPackage ./pkgs/gnutls/default.nix {
|
||||||
|
inherit (super.darwin.apple_sdk.frameworks) Security;
|
||||||
|
util-linux = super.utillinuxMinimal; # break the cyclic dependency
|
||||||
|
};
|
||||||
|
|
||||||
|
#gnutls-debug = super.enableDebugging self.gnutls;
|
||||||
|
|
||||||
groupchat = super.callPackage ./pkgs/nim-packages/groupchat.nix { };
|
groupchat = super.callPackage ./pkgs/nim-packages/groupchat.nix { };
|
||||||
|
|
||||||
hid = super.callPackage ./pkgs/hid/default.nix { };
|
hid = super.callPackage ./pkgs/hid/default.nix { };
|
||||||
|
|
|
@ -0,0 +1,123 @@
|
||||||
|
{ config, lib, stdenv, fetchurl, zlib, lzo, libtasn1, nettle, pkg-config, lzip
|
||||||
|
, perl, gmp, autoconf, automake, libidn, p11-kit, libiconv
|
||||||
|
, unbound, dns-root-data, gettext, cacert, util-linux
|
||||||
|
, guileBindings ? config.gnutls.guile or false, guile
|
||||||
|
, tpmSupport ? false, trousers, which, nettools, libunistring
|
||||||
|
, withSecurity ? false, Security # darwin Security.framework
|
||||||
|
}:
|
||||||
|
|
||||||
|
assert guileBindings -> guile != null;
|
||||||
|
let
|
||||||
|
version = "3.7.2";
|
||||||
|
|
||||||
|
# XXX: Gnulib's `test-select' fails on FreeBSD:
|
||||||
|
# https://hydra.nixos.org/build/2962084/nixlog/1/raw .
|
||||||
|
doCheck = !stdenv.isFreeBSD && !stdenv.isDarwin && lib.versionAtLeast version "3.4"
|
||||||
|
&& stdenv.buildPlatform == stdenv.hostPlatform;
|
||||||
|
|
||||||
|
inherit (stdenv.hostPlatform) isDarwin;
|
||||||
|
in
|
||||||
|
|
||||||
|
stdenv.mkDerivation {
|
||||||
|
name = "gnutls-${version}";
|
||||||
|
inherit version;
|
||||||
|
|
||||||
|
src = fetchurl {
|
||||||
|
url = "mirror://gnupg/gnutls/v3.7/gnutls-${version}.tar.xz";
|
||||||
|
sha256 = "0li7mwjnm64mbxhacz0rpf6i9qd83f53fvbrx96alpqqk9d6qvk4";
|
||||||
|
};
|
||||||
|
|
||||||
|
outputs = [ "bin" "dev" "out" "man" "devdoc" ];
|
||||||
|
# Not normally useful docs.
|
||||||
|
outputInfo = "devdoc";
|
||||||
|
outputDoc = "devdoc";
|
||||||
|
|
||||||
|
patches = [ ./nix-ssl-cert-file.patch ]
|
||||||
|
# Disable native add_system_trust.
|
||||||
|
++ lib.optional (isDarwin && !withSecurity) ./no-security-framework.patch;
|
||||||
|
|
||||||
|
# Skip some tests:
|
||||||
|
# - pkg-config: building against the result won't work before installing (3.5.11)
|
||||||
|
# - fastopen: no idea; it broke between 3.6.2 and 3.6.3 (3437fdde6 in particular)
|
||||||
|
# - trust-store: default trust store path (/etc/ssl/...) is missing in sandbox (3.5.11)
|
||||||
|
# - psk-file: no idea; it broke between 3.6.3 and 3.6.4
|
||||||
|
# Change p11-kit test to use pkg-config to find p11-kit
|
||||||
|
postPatch = lib.optionalString (lib.versionAtLeast version "3.6") ''
|
||||||
|
sed '2iexit 77' -i tests/{pkgconfig,fastopen}.sh
|
||||||
|
sed '/^void doit(void)/,/^{/ s/{/{ exit(77);/' -i tests/{trust-store,psk-file}.c
|
||||||
|
sed 's:/usr/lib64/pkcs11/ /usr/lib/pkcs11/ /usr/lib/x86_64-linux-gnu/pkcs11/:`pkg-config --variable=p11_module_path p11-kit-1`:' -i tests/p11-kit-trust.sh
|
||||||
|
'' + lib.optionalString stdenv.hostPlatform.isMusl '' # See https://gitlab.com/gnutls/gnutls/-/issues/945
|
||||||
|
sed '2iecho "certtool tests skipped in musl build"\nexit 0' -i tests/cert-tests/certtool.sh
|
||||||
|
'';
|
||||||
|
|
||||||
|
hardeningDisable = [ "fortify" ];
|
||||||
|
dontStrip = true;
|
||||||
|
|
||||||
|
preConfigure = "patchShebangs .";
|
||||||
|
configureFlags =
|
||||||
|
lib.optional stdenv.isLinux "--with-default-trust-store-file=/etc/ssl/certs/ca-certificates.crt"
|
||||||
|
++ [
|
||||||
|
"--disable-dependency-tracking"
|
||||||
|
"--enable-fast-install"
|
||||||
|
"--with-unbound-root-key-file=${dns-root-data}/root.key"
|
||||||
|
] ++ lib.optional guileBindings [
|
||||||
|
"--enable-guile"
|
||||||
|
"--with-guile-site-dir=\${out}/share/guile/site"
|
||||||
|
"--with-guile-site-ccache-dir=\${out}/share/guile/site"
|
||||||
|
"--with-guile-extension-dir=\${out}/share/guile/site"
|
||||||
|
];
|
||||||
|
|
||||||
|
enableParallelBuilding = true;
|
||||||
|
|
||||||
|
buildInputs = [ lzo lzip libtasn1 libidn p11-kit zlib gmp libunistring unbound gettext libiconv ]
|
||||||
|
++ lib.optional (isDarwin && withSecurity) Security
|
||||||
|
++ lib.optional (tpmSupport && stdenv.isLinux) trousers
|
||||||
|
++ lib.optional guileBindings guile;
|
||||||
|
|
||||||
|
nativeBuildInputs = [ perl pkg-config ]
|
||||||
|
++ lib.optionals (isDarwin && !withSecurity) [ autoconf automake ]
|
||||||
|
++ lib.optionals doCheck [ which nettools util-linux ];
|
||||||
|
|
||||||
|
propagatedBuildInputs = [ nettle ];
|
||||||
|
|
||||||
|
inherit doCheck;
|
||||||
|
# stdenv's `NIX_SSL_CERT_FILE=/no-cert-file.crt` broke tests with:
|
||||||
|
# Error setting the x509 trust file: Error while reading file.
|
||||||
|
checkInputs = [ cacert ];
|
||||||
|
|
||||||
|
# Fixup broken libtool and pkg-config files
|
||||||
|
preFixup = lib.optionalString (!isDarwin) ''
|
||||||
|
sed ${lib.optionalString tpmSupport "-e 's,-ltspi,-L${trousers}/lib -ltspi,'"} \
|
||||||
|
-e 's,-lz,-L${zlib.out}/lib -lz,' \
|
||||||
|
-e 's,-L${gmp.dev}/lib,-L${gmp.out}/lib,' \
|
||||||
|
-e 's,-lgmp,-L${gmp.out}/lib -lgmp,' \
|
||||||
|
-i $out/lib/*.la "$dev/lib/pkgconfig/gnutls.pc"
|
||||||
|
'' + ''
|
||||||
|
# It seems only useful for static linking but basically noone does that.
|
||||||
|
substituteInPlace "$out/lib/libgnutls.la" \
|
||||||
|
--replace "-lunistring" ""
|
||||||
|
'';
|
||||||
|
|
||||||
|
meta = with lib; {
|
||||||
|
description = "The GNU Transport Layer Security Library";
|
||||||
|
|
||||||
|
longDescription = ''
|
||||||
|
GnuTLS is a project that aims to develop a library which
|
||||||
|
provides a secure layer, over a reliable transport
|
||||||
|
layer. Currently the GnuTLS library implements the proposed standards by
|
||||||
|
the IETF's TLS working group.
|
||||||
|
|
||||||
|
Quoting from the TLS protocol specification:
|
||||||
|
|
||||||
|
"The TLS protocol provides communications privacy over the
|
||||||
|
Internet. The protocol allows client/server applications to
|
||||||
|
communicate in a way that is designed to prevent eavesdropping,
|
||||||
|
tampering, or message forgery."
|
||||||
|
'';
|
||||||
|
|
||||||
|
homepage = "https://www.gnu.org/software/gnutls/";
|
||||||
|
license = licenses.lgpl21Plus;
|
||||||
|
maintainers = with maintainers; [ eelco fpletz ];
|
||||||
|
platforms = platforms.all;
|
||||||
|
};
|
||||||
|
}
|
|
@ -0,0 +1,45 @@
|
||||||
|
>From 175e0bc72808d564074c4adcc72aeadb74adfcc6 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Paul Eggert <eggert@cs.ucla.edu>
|
||||||
|
Date: Thu, 27 Aug 2020 17:52:58 -0700
|
||||||
|
Subject: [PATCH] perror, strerror_r: remove unportable tests
|
||||||
|
|
||||||
|
Problem reported by Florian Weimer in:
|
||||||
|
https://lists.gnu.org/r/bug-gnulib/2020-08/msg00220.html
|
||||||
|
* tests/test-perror2.c (main):
|
||||||
|
* tests/test-strerror_r.c (main): Omit unportable tests.
|
||||||
|
---
|
||||||
|
tests/test-perror2.c | 3 ---
|
||||||
|
tests/test-strerror_r.c | 3 ---
|
||||||
|
2 files changed, 6 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/gl/tests/test-perror2.c b/gl/tests/test-perror2.c
|
||||||
|
index 1d14eda7b..c6214dd25 100644
|
||||||
|
--- a/gl/tests/test-perror2.c
|
||||||
|
+++ b/gl/tests/test-perror2.c
|
||||||
|
@@ -79,9 +79,6 @@ main (void)
|
||||||
|
errno = -5;
|
||||||
|
perror ("");
|
||||||
|
ASSERT (!ferror (stderr));
|
||||||
|
- ASSERT (msg1 == msg2 || msg1 == msg4 || STREQ (msg1, str1));
|
||||||
|
- ASSERT (msg2 == msg4 || STREQ (msg2, str2));
|
||||||
|
- ASSERT (msg3 == msg4 || STREQ (msg3, str3));
|
||||||
|
ASSERT (STREQ (msg4, str4));
|
||||||
|
|
||||||
|
free (str1);
|
||||||
|
diff --git a/gl/tests/test-strerror_r.c b/gl/tests/test-strerror_r.c
|
||||||
|
index b11d6fd9f..c1dbcf837 100644
|
||||||
|
--- a/gl/tests/test-strerror_r.c
|
||||||
|
+++ b/gl/tests/test-strerror_r.c
|
||||||
|
@@ -165,9 +165,6 @@ main (void)
|
||||||
|
|
||||||
|
strerror_r (EACCES, buf, sizeof buf);
|
||||||
|
strerror_r (-5, buf, sizeof buf);
|
||||||
|
- ASSERT (msg1 == msg2 || msg1 == msg4 || STREQ (msg1, str1));
|
||||||
|
- ASSERT (msg2 == msg4 || STREQ (msg2, str2));
|
||||||
|
- ASSERT (msg3 == msg4 || STREQ (msg3, str3));
|
||||||
|
ASSERT (STREQ (msg4, str4));
|
||||||
|
|
||||||
|
free (str1);
|
||||||
|
--
|
||||||
|
2.17.1
|
||||||
|
|
|
@ -0,0 +1,19 @@
|
||||||
|
allow overriding system trust store location via $NIX_SSL_CERT_FILE
|
||||||
|
|
||||||
|
diff --git a/lib/system/certs.c b/lib/system/certs.c
|
||||||
|
index 611c645..6ef6edb 100644
|
||||||
|
--- a/lib/system/certs.c
|
||||||
|
+++ b/lib/system/certs.c
|
||||||
|
@@ -369,6 +369,11 @@ gnutls_x509_trust_list_add_system_trust(gnutls_x509_trust_list_t list,
|
||||||
|
unsigned int tl_flags,
|
||||||
|
unsigned int tl_vflags)
|
||||||
|
{
|
||||||
|
- return add_system_trust(list, tl_flags|GNUTLS_TL_NO_DUPLICATES, tl_vflags);
|
||||||
|
+ tl_flags = tl_flags|GNUTLS_TL_NO_DUPLICATES;
|
||||||
|
+ const char *file = secure_getenv("NIX_SSL_CERT_FILE");
|
||||||
|
+ return file
|
||||||
|
+ ? gnutls_x509_trust_list_add_trust_file(
|
||||||
|
+ list, file, NULL/*CRL*/, GNUTLS_X509_FMT_PEM, tl_flags, tl_vflags)
|
||||||
|
+ : add_system_trust(list, tl_flags, tl_vflags);
|
||||||
|
}
|
||||||
|
|
|
@ -0,0 +1,126 @@
|
||||||
|
commit 9bcdde1ab9cdff6a4471f9a926dd488ab70c7247
|
||||||
|
Author: Daiderd Jordan <daiderd@gmail.com>
|
||||||
|
Date: Mon Apr 22 16:38:27 2019 +0200
|
||||||
|
|
||||||
|
Revert "gnutls_x509_trust_list_add_system_trust: Add macOS keychain support"
|
||||||
|
|
||||||
|
This reverts commit c0eb46d3463cd21b3f822ac377ff37f067f66b8d.
|
||||||
|
|
||||||
|
diff --git a/configure.ac b/configure.ac
|
||||||
|
index 8ad597bfd..8d14f26cd 100644
|
||||||
|
--- a/configure.ac
|
||||||
|
+++ b/configure.ac
|
||||||
|
@@ -781,7 +781,7 @@ dnl auto detect https://lists.gnu.org/archive/html/help-gnutls/2012-05/msg00004.
|
||||||
|
AC_ARG_WITH([default-trust-store-file],
|
||||||
|
[AS_HELP_STRING([--with-default-trust-store-file=FILE],
|
||||||
|
[use the given file default trust store])], with_default_trust_store_file="$withval",
|
||||||
|
- [if test "$build" = "$host" && test x$with_default_trust_store_pkcs11 = x && test x$with_default_trust_store_dir = x && test x$have_macosx = x;then
|
||||||
|
+ [if test "$build" = "$host" && test x$with_default_trust_store_pkcs11 = x && test x$with_default_trust_store_dir = x;then
|
||||||
|
for i in \
|
||||||
|
/etc/ssl/ca-bundle.pem \
|
||||||
|
/etc/ssl/certs/ca-certificates.crt \
|
||||||
|
diff --git a/lib/Makefile.am b/lib/Makefile.am
|
||||||
|
index fe9cf63a2..745695f7e 100644
|
||||||
|
--- a/lib/Makefile.am
|
||||||
|
+++ b/lib/Makefile.am
|
||||||
|
@@ -203,10 +203,6 @@ if WINDOWS
|
||||||
|
thirdparty_libadd += -lcrypt32
|
||||||
|
endif
|
||||||
|
|
||||||
|
-if MACOSX
|
||||||
|
-libgnutls_la_LDFLAGS += -framework Security -framework CoreFoundation
|
||||||
|
-endif
|
||||||
|
-
|
||||||
|
libgnutls_la_LIBADD += $(thirdparty_libadd)
|
||||||
|
|
||||||
|
# C++ library
|
||||||
|
diff --git a/lib/system/certs.c b/lib/system/certs.c
|
||||||
|
index 611c645e0..912b0aa5e 100644
|
||||||
|
--- a/lib/system/certs.c
|
||||||
|
+++ b/lib/system/certs.c
|
||||||
|
@@ -44,12 +44,6 @@
|
||||||
|
# endif
|
||||||
|
#endif
|
||||||
|
|
||||||
|
-#ifdef __APPLE__
|
||||||
|
-# include <CoreFoundation/CoreFoundation.h>
|
||||||
|
-# include <Security/Security.h>
|
||||||
|
-# include <Availability.h>
|
||||||
|
-#endif
|
||||||
|
-
|
||||||
|
/* System specific function wrappers for certificate stores.
|
||||||
|
*/
|
||||||
|
|
||||||
|
@@ -276,72 +270,6 @@ int add_system_trust(gnutls_x509_trust_list_t list, unsigned int tl_flags,
|
||||||
|
|
||||||
|
return r;
|
||||||
|
}
|
||||||
|
-#elif defined(__APPLE__) && __MAC_OS_X_VERSION_MIN_REQUIRED >= 1070
|
||||||
|
-static
|
||||||
|
-int osstatus_error(status)
|
||||||
|
-{
|
||||||
|
- CFStringRef err_str = SecCopyErrorMessageString(status, NULL);
|
||||||
|
- _gnutls_debug_log("Error loading system root certificates: %s\n",
|
||||||
|
- CFStringGetCStringPtr(err_str, kCFStringEncodingUTF8));
|
||||||
|
- CFRelease(err_str);
|
||||||
|
- return GNUTLS_E_FILE_ERROR;
|
||||||
|
-}
|
||||||
|
-
|
||||||
|
-static
|
||||||
|
-int add_system_trust(gnutls_x509_trust_list_t list, unsigned int tl_flags,
|
||||||
|
- unsigned int tl_vflags)
|
||||||
|
-{
|
||||||
|
- int r=0;
|
||||||
|
-
|
||||||
|
- SecTrustSettingsDomain domain[] = { kSecTrustSettingsDomainUser,
|
||||||
|
- kSecTrustSettingsDomainAdmin,
|
||||||
|
- kSecTrustSettingsDomainSystem };
|
||||||
|
- for (size_t d=0; d<sizeof(domain)/sizeof(*domain); d++) {
|
||||||
|
- CFArrayRef certs = NULL;
|
||||||
|
- OSStatus status = SecTrustSettingsCopyCertificates(domain[d],
|
||||||
|
- &certs);
|
||||||
|
- if (status == errSecNoTrustSettings)
|
||||||
|
- continue;
|
||||||
|
- if (status != errSecSuccess)
|
||||||
|
- return osstatus_error(status);
|
||||||
|
-
|
||||||
|
- int cert_count = CFArrayGetCount(certs);
|
||||||
|
- for (int i=0; i<cert_count; i++) {
|
||||||
|
- SecCertificateRef cert =
|
||||||
|
- (void*)CFArrayGetValueAtIndex(certs, i);
|
||||||
|
- CFDataRef der;
|
||||||
|
- status = SecItemExport(cert, kSecFormatX509Cert, 0,
|
||||||
|
- NULL, &der);
|
||||||
|
- if (status != errSecSuccess) {
|
||||||
|
- CFRelease(der);
|
||||||
|
- CFRelease(certs);
|
||||||
|
- return osstatus_error(status);
|
||||||
|
- }
|
||||||
|
-
|
||||||
|
- if (gnutls_x509_trust_list_add_trust_mem(list,
|
||||||
|
- &(gnutls_datum_t) {
|
||||||
|
- .data = (void*)CFDataGetBytePtr(der),
|
||||||
|
- .size = CFDataGetLength(der),
|
||||||
|
- },
|
||||||
|
- NULL,
|
||||||
|
- GNUTLS_X509_FMT_DER,
|
||||||
|
- tl_flags,
|
||||||
|
- tl_vflags) > 0)
|
||||||
|
- r++;
|
||||||
|
- CFRelease(der);
|
||||||
|
- }
|
||||||
|
- CFRelease(certs);
|
||||||
|
- }
|
||||||
|
-
|
||||||
|
-#ifdef DEFAULT_BLACKLIST_FILE
|
||||||
|
- ret = gnutls_x509_trust_list_remove_trust_file(list, DEFAULT_BLACKLIST_FILE, GNUTLS_X509_FMT_PEM);
|
||||||
|
- if (ret < 0) {
|
||||||
|
- _gnutls_debug_log("Could not load blacklist file '%s'\n", DEFAULT_BLACKLIST_FILE);
|
||||||
|
- }
|
||||||
|
-#endif
|
||||||
|
-
|
||||||
|
- return r;
|
||||||
|
-}
|
||||||
|
#else
|
||||||
|
|
||||||
|
#define add_system_trust(x,y,z) GNUTLS_E_UNIMPLEMENTED_FEATURE
|
Loading…
Reference in New Issue