{
  lib,
  stdenv,
  fetchurl,
  zlib,
  libtasn1,
  nettle,
  pkg-config,
  perl,
  gmp,
  autoconf,
  automake,
  libidn2,
  libiconv,
  texinfo,
  unbound,
  dns-root-data,
  gettext,
  util-linux,
  # The C++ bindings link libstdc++.so, hence off by default for static hosts.
  cxxBindings ? !stdenv.hostPlatform.isStatic,
  tpmSupport ? false,
  trousers,
  which,
  nettools,
  libunistring,
  withP11-kit ? !stdenv.hostPlatform.isStatic,
  p11-kit,
  # Certificate compression: only zlib is wired up; zstd and brotli would also be possible.

  # Consumers exercised by passthru.tests
  curlWithGnuTls,
  emacs,
  ffmpeg,
  haskellPackages,
  knot-resolver,
  ngtcp2-gnutls,
  ocamlPackages,
  pkgsStatic,
  python3Packages,
  qemu,
  rsyslog,
  openconnect,
  samba,

  gitUpdater,
}:

let
  hostPlatform = stdenv.hostPlatform;

  # The test suite only runs for native builds on platforms where it is
  # known to pass.  XXX: Gnulib's `test-select' fails on FreeBSD:
  # https://hydra.nixos.org/build/2962084/nixlog/1/raw .
  runTestSuite =
    !hostPlatform.isFreeBSD
    && !hostPlatform.isDarwin
    && stdenv.buildPlatform == hostPlatform;
in

stdenv.mkDerivation rec {
  pname = "gnutls";
  version = "3.8.9";

  src = fetchurl {
    url = "mirror://gnupg/gnutls/v${lib.versions.majorMinor version}/gnutls-${version}.tar.xz";
    hash = "sha256-aeET2ALRZwxNWsG5kECx8tXHwF2uxQA4E8BJtRhIIO0=";
  };

  # MinGW builds are configured with --disable-doc below, so they get no doc outputs.
  outputs = [ "bin" "dev" "out" ] ++ lib.optionals (!hostPlatform.isMinGW) [ "man" "devdoc" ];

  # The info/doc material is rarely wanted; keep it out of the default outputs.
  outputInfo = "devdoc";
  outputDoc = "devdoc";

  patches = [ ./nix-ssl-cert-file.patch ];

  # Tests disabled with `exit 77` (skip) or `exit(77)`:
  # - pkgconfig: building against the result cannot work before installation (3.5.11)
  # - fastopen: cause unknown; broke between 3.6.2 and 3.6.3 (3437fdde6 in particular)
  # - trust-store: the default trust store path (/etc/ssl/...) does not exist in the sandbox (3.5.11)
  # - psk-file: cause unknown; broke between 3.6.3 and 3.6.4
  # - ktls, ktls_keyupdate: need the tls module loaded in the kernel
  # The p11-kit trust test is pointed at pkg-config's p11_module_path instead of
  # hard-coded /usr paths.
  postPatch = ''
    sed '2iexit 77' -i tests/{pkgconfig,fastopen}.sh
    sed '/^void doit(void)/,/^{/ s/{/{ exit(77);/' -i tests/{trust-store,psk-file}.c
    sed 's:/usr/lib64/pkcs11/ /usr/lib/pkcs11/ /usr/lib/x86_64-linux-gnu/pkcs11/:`pkg-config --variable=p11_module_path p11-kit-1`:' -i tests/p11-kit-trust.sh
  ''
  + lib.optionalString hostPlatform.isMusl ''
    # See https://gitlab.com/gnutls/gnutls/-/issues/945
    sed '2iecho "certtool tests skipped in musl build"\nexit 0' -i tests/cert-tests/certtool.sh
  ''
  + lib.optionalString hostPlatform.isLinux ''
    sed '2iexit 77' -i tests/{ktls,ktls_keyupdate}.sh
  '';

  preConfigure = "patchShebangs .";

  configureFlags =
    # With p11-kit the system CA bundle and the PKCS#11 trust module become
    # the default trust store; without it GnuTLS has no default trust store.
    lib.optionals withP11-kit [
      "--with-default-trust-store-file=/etc/ssl/certs/ca-certificates.crt"
      "--with-default-trust-store-pkcs11=pkcs11:"
    ]
    ++ [
      "--disable-dependency-tracking"
      "--enable-fast-install"
      # DNSSEC root trust anchor used by the unbound-backed DANE support.
      "--with-unbound-root-key-file=${dns-root-data}/root.key"
      (lib.withFeature withP11-kit "p11-kit")
      (lib.enableFeature cxxBindings "cxx")
    ]
    ++ lib.optional hostPlatform.isLinux "--enable-ktls"
    ++ lib.optional hostPlatform.isMinGW "--disable-doc"
    ++ lib.optional (hostPlatform.isLinux && tpmSupport) "--with-trousers-lib=${trousers}/lib/libtspi.so"
    # Link zlib directly: nixpkgs does not want a runtime dlopen() lookup.
    ++ [ "--with-zlib=link" ];

  enableParallelBuilding = true;

  # NOTE(review): the reason for opting out of this hardening flag is not
  # recorded here; confirm it is still needed before carrying it forward.
  hardeningDisable = [ "trivialautovarinit" ];

  buildInputs = [
    libtasn1
    libidn2
    zlib
    gmp
    libunistring
    unbound
    gettext
    libiconv
  ]
  ++ lib.optionals withP11-kit [ p11-kit ]
  ++ lib.optionals (tpmSupport && hostPlatform.isLinux) [ trousers ];

  nativeBuildInputs = [
    perl
    pkg-config
    texinfo
    autoconf
    automake
  ]
  # Only the test suite needs these tools.
  ++ lib.optionals runTestSuite [
    which
    nettools
    util-linux
  ];

  propagatedBuildInputs = [ nettle ];

  doCheck = runTestSuite;
  # stdenv sets `NIX_SSL_CERT_FILE=/no-cert-file.crt`, which breaks the tests.
  # An empty file does not work either, and reading /etc/ would be impure,
  # so point it at a bundled dummy certificate.
  preCheck = "NIX_SSL_CERT_FILE=${./dummy.crt}";

  # Repair the libtool and pkg-config files so consumers get absolute -L paths
  # for the transitive libraries.
  preFixup =
    lib.optionalString (!hostPlatform.isDarwin) ''
      sed ${lib.optionalString tpmSupport "-e 's,-ltspi,-L${trousers}/lib -ltspi,'"} \
        -e 's,-lz,-L${zlib.out}/lib -lz,' \
        -e 's,-L${gmp.dev}/lib,-L${gmp.out}/lib,' \
        -e 's,-lgmp,-L${gmp.out}/lib -lgmp,' \
        -i $out/lib/*.la "$dev/lib/pkgconfig/gnutls.pc"
    ''
    # NOTE(review): `--replace` is the deprecated spelling; `--replace-fail`
    # would turn a missing `-lunistring` into an explicit build failure —
    # confirm the .la always carries it before switching.
    + ''
      # It seems only useful for static linking but basically noone does that.
      substituteInPlace "$out/lib/libgnutls.la" \
        --replace "-lunistring" ""
    '';

  passthru = {
    updateScript = gitUpdater {
      url = "https://gitlab.com/gnutls/gnutls.git";
    };

    # Downstream packages that are rebuilt to catch regressions.
    tests = {
      inherit ngtcp2-gnutls curlWithGnuTls ffmpeg emacs qemu knot-resolver samba openconnect;
      #inherit (ocamlPackages) ocamlnet;
      #haskell-gnutls = haskellPackages.gnutls;
      python3-gnutls = python3Packages.python3-gnutls;
      rsyslog = rsyslog.override { withGnutls = true; };
      static = pkgsStatic.gnutls;
    };
  };

  meta = {
    description = "GNU Transport Layer Security Library";

    longDescription = ''
      GnuTLS is a project that aims to develop a library which
      provides a secure layer, over a reliable transport
      layer. Currently the GnuTLS library implements the proposed standards by
      the IETF's TLS working group.

      Quoting from the TLS protocol specification:

        "The TLS protocol provides communications privacy over the
        Internet. The protocol allows client/server applications to
        communicate in a way that is designed to prevent eavesdropping,
        tampering, or message forgery."
    '';

    homepage = "https://gnutls.org/";
    license = lib.licenses.lgpl21Plus;
    maintainers = [ lib.maintainers.vcunat ];
    platforms = lib.platforms.all;
  };
}