From 8bb9fd1f3f35a2035aafcbe81c1e2a23d01a408f Mon Sep 17 00:00:00 2001 From: Christian Ulrich Date: Thu, 23 Dec 2021 18:22:55 +0100 Subject: [PATCH] remove gnutls --- default.nix | 6 -- pkgs/gnutls/default.nix | 119 ---------------------- pkgs/gnutls/fix-gnulib-tests-arm.patch | 45 --------- pkgs/gnutls/nix-ssl-cert-file.patch | 19 ---- pkgs/gnutls/no-security-framework.patch | 126 ------------------------ 5 files changed, 315 deletions(-) delete mode 100644 pkgs/gnutls/default.nix delete mode 100644 pkgs/gnutls/fix-gnulib-tests-arm.patch delete mode 100644 pkgs/gnutls/nix-ssl-cert-file.patch delete mode 100644 pkgs/gnutls/no-security-framework.patch diff --git a/default.nix b/default.nix index 1fbc8ce..f607bd2 100644 --- a/default.nix +++ b/default.nix @@ -9,12 +9,6 @@ self: super: gintro = super.callPackage ./pkgs/nim-packages/gintro/default.nix { }; - gnutls-latest = super.callPackage ./pkgs/gnutls/default.nix { - inherit (super.darwin.apple_sdk.frameworks) Security; - util-linux = super.util-linuxMinimal; # break the cyclic dependency - autoconf = super.buildPackages.autoconf269; - }; - gnutls-latest-debug = super.enableDebugging self.gnutls-latest; groupchat = super.callPackage ./pkgs/nim-packages/groupchat.nix { }; diff --git a/pkgs/gnutls/default.nix b/pkgs/gnutls/default.nix deleted file mode 100644 index 4c40949..0000000 --- a/pkgs/gnutls/default.nix +++ /dev/null 
@@ -1,119 +0,0 @@
-{ config, lib, stdenv, fetchurl, zlib, lzo, libtasn1, nettle, pkg-config, lzip
-, perl, gmp, autoconf, automake, libidn, p11-kit, libiconv
-, unbound, dns-root-data, gettext, cacert, util-linux
-, guileBindings ? config.gnutls.guile or false, guile
-, tpmSupport ? false, trousers, which, nettools, libunistring
-, withSecurity ? false, Security # darwin Security.framework
-}:
-
-assert guileBindings -> guile != null;
-let
-
- # XXX: Gnulib's `test-select' fails on FreeBSD:
- # https://hydra.nixos.org/build/2962084/nixlog/1/raw .
- doCheck = !stdenv.isFreeBSD && !stdenv.isDarwin
- && stdenv.buildPlatform == stdenv.hostPlatform;
-
- inherit (stdenv.hostPlatform) isDarwin;
-in
-
-stdenv.mkDerivation rec {
- pname = "gnutls";
- version = "3.7.2";
-
- src = fetchurl {
- url = "mirror://gnupg/gnutls/v${lib.versions.majorMinor version}/gnutls-${version}.tar.xz";
- sha256 = "646e6c5a9a185faa4cea796d378a1ba8e1148dbb197ca6605f95986a25af2752";
- };
-
- outputs = [ "bin" "dev" "out" "man" "devdoc" ];
- # Not normally useful docs.
- outputInfo = "devdoc";
- outputDoc = "devdoc";
-
- patches = [ ./nix-ssl-cert-file.patch ]
- # Disable native add_system_trust.
- ++ lib.optional (isDarwin && !withSecurity) ./no-security-framework.patch;
-
- # Skip some tests:
- # - pkg-config: building against the result won't work before installing (3.5.11)
- # - fastopen: no idea; it broke between 3.6.2 and 3.6.3 (3437fdde6 in particular)
- # - trust-store: default trust store path (/etc/ssl/...) is missing in sandbox (3.5.11)
- # - psk-file: no idea; it broke between 3.6.3 and 3.6.4
- # Change p11-kit test to use pkg-config to find p11-kit
- postPatch = ''
- sed '2iexit 77' -i tests/{pkgconfig,fastopen}.sh
- sed '/^void doit(void)/,/^{/ s/{/{ exit(77);/' -i tests/{trust-store,psk-file}.c
- sed 's:/usr/lib64/pkcs11/ /usr/lib/pkcs11/ /usr/lib/x86_64-linux-gnu/pkcs11/:`pkg-config --variable=p11_module_path p11-kit-1`:' -i tests/p11-kit-trust.sh
- '' + lib.optionalString stdenv.hostPlatform.isMusl '' # See https://gitlab.com/gnutls/gnutls/-/issues/945
- sed '2iecho "certtool tests skipped in musl build"\nexit 0' -i tests/cert-tests/certtool.sh
- '';
-
- preConfigure = "patchShebangs .";
- configureFlags =
- lib.optional stdenv.isLinux "--with-default-trust-store-file=/etc/ssl/certs/ca-certificates.crt"
- ++ [
- "--disable-dependency-tracking"
- "--enable-fast-install"
- "--with-unbound-root-key-file=${dns-root-data}/root.key"
- ] ++ lib.optional guileBindings [
- "--enable-guile"
- "--with-guile-site-dir=\${out}/share/guile/site"
- "--with-guile-site-ccache-dir=\${out}/share/guile/site"
- "--with-guile-extension-dir=\${out}/share/guile/site"
- ];
-
- enableParallelBuilding = true;
-
- buildInputs = [ lzo lzip libtasn1 libidn p11-kit zlib gmp libunistring unbound gettext libiconv ]
- ++ lib.optional (isDarwin && withSecurity) Security
- ++ lib.optional (tpmSupport && stdenv.isLinux) trousers
- ++ lib.optional guileBindings guile;
-
- nativeBuildInputs = [ perl pkg-config ]
- ++ lib.optionals (isDarwin && !withSecurity) [ autoconf automake ]
- ++ lib.optionals doCheck [ which nettools util-linux ];
-
- propagatedBuildInputs = [ nettle ];
-
- inherit doCheck;
- # stdenv's `NIX_SSL_CERT_FILE=/no-cert-file.crt` broke tests with:
- # Error setting the x509 trust file: Error while reading file.
- checkInputs = [ cacert ];
-
- # Fixup broken libtool and pkg-config files
- preFixup = lib.optionalString (!isDarwin) ''
- sed ${lib.optionalString tpmSupport "-e 's,-ltspi,-L${trousers}/lib -ltspi,'"} \
- -e 's,-lz,-L${zlib.out}/lib -lz,' \
- -e 's,-L${gmp.dev}/lib,-L${gmp.out}/lib,' \
- -e 's,-lgmp,-L${gmp.out}/lib -lgmp,' \
- -i $out/lib/*.la "$dev/lib/pkgconfig/gnutls.pc"
- '' + ''
- # It seems only useful for static linking but basically noone does that.
- substituteInPlace "$out/lib/libgnutls.la" \
- --replace "-lunistring" ""
- '';
-
- meta = with lib; {
- description = "The GNU Transport Layer Security Library";
-
- longDescription = ''
- GnuTLS is a project that aims to develop a library which
- provides a secure layer, over a reliable transport
- layer. Currently the GnuTLS library implements the proposed standards by
- the IETF's TLS working group.
-
- Quoting from the TLS protocol specification:
-
- "The TLS protocol provides communications privacy over the
- Internet. The protocol allows client/server applications to
- communicate in a way that is designed to prevent eavesdropping,
- tampering, or message forgery."
- '';
-
- homepage = "https://gnutls.org/";
- license = licenses.lgpl21Plus;
- maintainers = with maintainers; [ eelco fpletz ];
- platforms = platforms.all;
- };
-}
diff --git a/pkgs/gnutls/fix-gnulib-tests-arm.patch b/pkgs/gnutls/fix-gnulib-tests-arm.patch
deleted file mode 100644
index 5a222a9..0000000
--- a/pkgs/gnutls/fix-gnulib-tests-arm.patch
+++ /dev/null
@@ -1,45 +0,0 @@
->From 175e0bc72808d564074c4adcc72aeadb74adfcc6 Mon Sep 17 00:00:00 2001
-From: Paul Eggert
-Date: Thu, 27 Aug 2020 17:52:58 -0700
-Subject: [PATCH] perror, strerror_r: remove unportable tests
-
-Problem reported by Florian Weimer in:
-https://lists.gnu.org/r/bug-gnulib/2020-08/msg00220.html
-* tests/test-perror2.c (main):
-* tests/test-strerror_r.c (main): Omit unportable tests.
----
- tests/test-perror2.c | 3 ---
- tests/test-strerror_r.c | 3 ---
- 2 files changed, 6 deletions(-)
-
-diff --git a/gl/tests/test-perror2.c b/gl/tests/test-perror2.c
-index 1d14eda7b..c6214dd25 100644
---- a/gl/tests/test-perror2.c
-+++ b/gl/tests/test-perror2.c
-@@ -79,9 +79,6 @@ main (void)
- errno = -5;
- perror ("");
- ASSERT (!ferror (stderr));
-- ASSERT (msg1 == msg2 || msg1 == msg4 || STREQ (msg1, str1));
-- ASSERT (msg2 == msg4 || STREQ (msg2, str2));
-- ASSERT (msg3 == msg4 || STREQ (msg3, str3));
- ASSERT (STREQ (msg4, str4));
- 
- free (str1);
-diff --git a/gl/tests/test-strerror_r.c b/gl/tests/test-strerror_r.c
-index b11d6fd9f..c1dbcf837 100644
---- a/gl/tests/test-strerror_r.c
-+++ b/gl/tests/test-strerror_r.c
-@@ -165,9 +165,6 @@ main (void)
- 
- strerror_r (EACCES, buf, sizeof buf);
- strerror_r (-5, buf, sizeof buf);
-- ASSERT (msg1 == msg2 || msg1 == msg4 || STREQ (msg1, str1));
-- ASSERT (msg2 == msg4 || STREQ (msg2, str2));
-- ASSERT (msg3 == msg4 || STREQ (msg3, str3));
- ASSERT (STREQ (msg4, str4));
- 
- free (str1);
---
-2.17.1
-
diff --git a/pkgs/gnutls/nix-ssl-cert-file.patch b/pkgs/gnutls/nix-ssl-cert-file.patch
deleted file mode 100644
index 90d1e85..0000000
--- a/pkgs/gnutls/nix-ssl-cert-file.patch
+++ /dev/null
@@ -1,19 +0,0 @@
-allow overriding system trust store location via $NIX_SSL_CERT_FILE
-
-diff --git a/lib/system/certs.c b/lib/system/certs.c
-index 611c645..6ef6edb 100644
---- a/lib/system/certs.c
-+++ b/lib/system/certs.c
-@@ -369,6 +369,11 @@ gnutls_x509_trust_list_add_system_trust(gnutls_x509_trust_list_t list,
- unsigned int tl_flags,
- unsigned int tl_vflags)
- {
-- return add_system_trust(list, tl_flags|GNUTLS_TL_NO_DUPLICATES, tl_vflags);
-+ tl_flags = tl_flags|GNUTLS_TL_NO_DUPLICATES;
-+ const char *file = secure_getenv("NIX_SSL_CERT_FILE");
-+ return file
-+ ? gnutls_x509_trust_list_add_trust_file(
-+ list, file, NULL/*CRL*/, GNUTLS_X509_FMT_PEM, tl_flags, tl_vflags)
-+ : add_system_trust(list, tl_flags, tl_vflags);
- }
- 
diff --git a/pkgs/gnutls/no-security-framework.patch b/pkgs/gnutls/no-security-framework.patch
deleted file mode 100644
index 7f5808e..0000000
--- a/pkgs/gnutls/no-security-framework.patch
+++ /dev/null
@@ -1,126 +0,0 @@
-commit 9bcdde1ab9cdff6a4471f9a926dd488ab70c7247
-Author: Daiderd Jordan
-Date: Mon Apr 22 16:38:27 2019 +0200
-
- Revert "gnutls_x509_trust_list_add_system_trust: Add macOS keychain support"
-
- This reverts commit c0eb46d3463cd21b3f822ac377ff37f067f66b8d.
-
-diff --git a/configure.ac b/configure.ac
-index 8ad597bfd..8d14f26cd 100644
---- a/configure.ac
-+++ b/configure.ac
-@@ -781,7 +781,7 @@ dnl auto detect https://lists.gnu.org/archive/html/help-gnutls/2012-05/msg00004.
- AC_ARG_WITH([default-trust-store-file],
- [AS_HELP_STRING([--with-default-trust-store-file=FILE],
- [use the given file default trust store])], with_default_trust_store_file="$withval",
-- [if test "$build" = "$host" && test x$with_default_trust_store_pkcs11 = x && test x$with_default_trust_store_dir = x && test x$have_macosx = x;then
-+ [if test "$build" = "$host" && test x$with_default_trust_store_pkcs11 = x && test x$with_default_trust_store_dir = x;then
- for i in \
- /etc/ssl/ca-bundle.pem \
- /etc/ssl/certs/ca-certificates.crt \
-diff --git a/lib/Makefile.am b/lib/Makefile.am
-index fe9cf63a2..745695f7e 100644
---- a/lib/Makefile.am
-+++ b/lib/Makefile.am
-@@ -203,10 +203,6 @@ if WINDOWS
- thirdparty_libadd += -lcrypt32
- endif
- 
--if MACOSX
--libgnutls_la_LDFLAGS += -framework Security -framework CoreFoundation
--endif
--
- libgnutls_la_LIBADD += $(thirdparty_libadd)
- 
- # C++ library
-diff --git a/lib/system/certs.c b/lib/system/certs.c
-index 611c645e0..912b0aa5e 100644
---- a/lib/system/certs.c
-+++ b/lib/system/certs.c
-@@ -44,12 +44,6 @@
- # endif
- #endif
- 
--#ifdef __APPLE__
--# include
--# include
--# include
--#endif
--
- /* System specific function wrappers for certificate stores.
- */ - -@@ -276,72 +270,6 @@ int add_system_trust(gnutls_x509_trust_list_t list, unsigned int tl_flags, - - return r; - } --#elif defined(__APPLE__) && __MAC_OS_X_VERSION_MIN_REQUIRED >= 1070 --static --int osstatus_error(status) --{ -- CFStringRef err_str = SecCopyErrorMessageString(status, NULL); -- _gnutls_debug_log("Error loading system root certificates: %s\n", -- CFStringGetCStringPtr(err_str, kCFStringEncodingUTF8)); -- CFRelease(err_str); -- return GNUTLS_E_FILE_ERROR; --} -- --static --int add_system_trust(gnutls_x509_trust_list_t list, unsigned int tl_flags, -- unsigned int tl_vflags) --{ -- int r=0; -- -- SecTrustSettingsDomain domain[] = { kSecTrustSettingsDomainUser, -- kSecTrustSettingsDomainAdmin, -- kSecTrustSettingsDomainSystem }; -- for (size_t d=0; d 0) -- r++; -- CFRelease(der); -- } -- CFRelease(certs); -- } -- --#ifdef DEFAULT_BLACKLIST_FILE -- ret = gnutls_x509_trust_list_remove_trust_file(list, DEFAULT_BLACKLIST_FILE, GNUTLS_X509_FMT_PEM); -- if (ret < 0) { -- _gnutls_debug_log("Could not load blacklist file '%s'\n", DEFAULT_BLACKLIST_FILE); -- } --#endif -- -- return r; --} - #else - - #define add_system_trust(x,y,z) GNUTLS_E_UNIMPLEMENTED_FEATURE