{ config, lib, stdenv, fetchurl, zlib, lzo, libtasn1, nettle, pkg-config, lzip
, perl, gmp, autoconf, automake, libidn2, libiconv
, fetchpatch, texinfo
, unbound, dns-root-data, gettext, util-linux
, cxxBindings ? !stdenv.hostPlatform.isStatic # tries to link libstdc++.so
, tpmSupport ? false, trousers, which, nettools, libunistring
, withP11-kit ? !stdenv.hostPlatform.isStatic, p11-kit
, Security # darwin Security.framework
# certificate compression: only zlib is wired in for now; zstd and brotli
# would be further candidates

# for passthru.tests
, curlWithGnuTls
, emacs
, ffmpeg
, haskellPackages
, knot-resolver
, ngtcp2-gnutls
, ocamlPackages
, python3Packages
, qemu
, rsyslog
, openconnect
, samba
}:

let
  inherit (stdenv) buildPlatform hostPlatform;
  inherit (hostPlatform) isDarwin;

  # The test suite is only run for native builds, and never on FreeBSD or
  # Darwin.  XXX: Gnulib's `test-select' fails on FreeBSD, see
  # https://hydra.nixos.org/build/2962084/nixlog/1/raw .
  canRunTests = buildPlatform == hostPlatform
    && !hostPlatform.isFreeBSD
    && !isDarwin;
in

stdenv.mkDerivation rec {
  pname = "gnutls";
  version = "3.8.1";

  # The tarball is pinned by content hash; bumping `version` without
  # updating `hash` fails the fetch rather than silently building
  # something else.
  src = fetchurl {
    url = "mirror://gnupg/gnutls/v${lib.versions.majorMinor version}/gnutls-${version}.tar.xz";
    hash = "sha256-uoueFa4gq6iPRGYZePW1hjSUMW/n5yLt6dBp/mKUgpw=";
  };

  outputs = [ "bin" "dev" "out" "man" "devdoc" ];
  # The info and HTML docs are rarely useful, so route both into `devdoc`.
  outputInfo = "devdoc";
  outputDoc = "devdoc";

  patches = [
    # Upstream commit fetched by content hash.
    # TODO: when updating, drop this patch and the texinfo dependency.
    (fetchpatch {
      name = "GNUTLS_NO_EXTENSIONS.patch";
      url = "https://gitlab.com/gnutls/gnutls/-/commit/abfa8634db940115a11a07596ce53c8f9c4f87d2.diff";
      hash = "sha256-3M5WdNoVx9gUwTUPgu/sXmsaNg+j5d6liXs0UZz8fGU=";
    })
    ./nix-ssl-cert-file.patch
  ];

  # Tests that are turned into skips (exit status 77) before the build:
  # - pkg-config: building against the result won't work before installing (3.5.11)
  # - fastopen: no idea; it broke between 3.6.2 and 3.6.3 (3437fdde6 in particular)
  # - trust-store: default trust store path (/etc/ssl/...) is missing in sandbox (3.5.11)
  # - psk-file: no idea; it broke between 3.6.3 and 3.6.4
  # The p11-kit trust test is additionally pointed at pkg-config to locate
  # the p11-kit module directory instead of hard-coded /usr paths.
  postPatch = ''
    sed '2iexit 77' -i tests/{pkgconfig,fastopen}.sh
    sed '/^void doit(void)/,/^{/ s/{/{ exit(77);/' -i tests/{trust-store,psk-file}.c
    sed 's:/usr/lib64/pkcs11/ /usr/lib/pkcs11/ /usr/lib/x86_64-linux-gnu/pkcs11/:`pkg-config --variable=p11_module_path p11-kit-1`:' -i tests/p11-kit-trust.sh
  '' + lib.optionalString hostPlatform.isMusl '' # See https://gitlab.com/gnutls/gnutls/-/issues/945
    sed '2iecho "certtool tests skipped in musl build"\nexit 0' -i tests/cert-tests/certtool.sh
  '';

  preConfigure = "patchShebangs .";

  configureFlags =
    # With p11-kit the library's default trust store is the system CA bundle
    # plus whatever the PKCS#11 trust modules expose.
    (lib.optionals withP11-kit [
      "--with-default-trust-store-file=/etc/ssl/certs/ca-certificates.crt"
      "--with-default-trust-store-pkcs11=pkcs11:"
    ]) ++ [
      "--disable-dependency-tracking"
      "--enable-fast-install"
      # DNS root trust anchor handed to unbound, taken from the store rather
      # than from the build host.
      "--with-unbound-root-key-file=${dns-root-data}/root.key"
      (lib.withFeature withP11-kit "p11-kit")
      (lib.enableFeature cxxBindings "cxx")
    ];

  enableParallelBuilding = true;

  buildInputs = [ lzo lzip libtasn1 libidn2 zlib gmp libunistring unbound gettext libiconv ]
    ++ lib.optionals withP11-kit [ p11-kit ]
    ++ lib.optionals (tpmSupport && hostPlatform.isLinux) [ trousers ];

  nativeBuildInputs = [ perl pkg-config texinfo ]
    # Only the test suite needs these tools.
    ++ lib.optionals doCheck [ which nettools util-linux ];

  propagatedBuildInputs = [ nettle ]
    # Consumers linking dynamically against gnutls seem to need the framework now.
    ++ lib.optionals isDarwin [ Security ];

  doCheck = canRunTests;
  # stdenv exports `NIX_SSL_CERT_FILE=/no-cert-file.crt`, which breaks the
  # tests.  An empty file does not work either, and reading /etc/ would be
  # impure, so a dummy certificate shipped next to this file is used instead.
  preCheck = "NIX_SSL_CERT_FILE=${./dummy.crt}";

  # Repair the libtool archives and the pkg-config file so that consumers
  # get explicit -L paths for zlib, gmp and (optionally) trousers; this
  # step is skipped on Darwin.
  preFixup = lib.optionalString (!isDarwin) ''
    sed ${lib.optionalString tpmSupport "-e 's,-ltspi,-L${trousers}/lib -ltspi,'"} \
      -e 's,-lz,-L${zlib.out}/lib -lz,' \
      -e 's,-L${gmp.dev}/lib,-L${gmp.out}/lib,' \
      -e 's,-lgmp,-L${gmp.out}/lib -lgmp,' \
      -i $out/lib/*.la "$dev/lib/pkgconfig/gnutls.pc"
  '' + ''
    # It seems only useful for static linking but basically noone does that.
    substituteInPlace "$out/lib/libgnutls.la" \
      --replace "-lunistring" ""
  '';

  # Downstream packages whose builds exercise this library.
  passthru = {
    tests = {
      inherit ngtcp2-gnutls curlWithGnuTls ffmpeg emacs;
      inherit qemu knot-resolver samba openconnect;
      inherit (ocamlPackages) ocamlnet;
      haskell-gnutls = haskellPackages.gnutls;
      python3-gnutls = python3Packages.python3-gnutls;
      rsyslog = rsyslog.override { withGnutls = true; };
    };
  };

  meta = {
    description = "The GNU Transport Layer Security Library";

    longDescription = ''
      GnuTLS is a project that aims to develop a library which
      provides a secure layer, over a reliable transport
      layer. Currently the GnuTLS library implements the proposed standards by
      the IETF's TLS working group.

      Quoting from the TLS protocol specification:

        "The TLS protocol provides communications privacy over the
        Internet. The protocol allows client/server applications to
        communicate in a way that is designed to prevent eavesdropping,
        tampering, or message forgery."
    '';

    homepage = "https://gnutls.org/";
    license = lib.licenses.lgpl21Plus;
    maintainers = [ lib.maintainers.vcunat ];
    platforms = lib.platforms.all;
  };
}