gnutls: remove 3.5.10

Nix packages are expected to honor NIX_SSL_CERT_FILE and this removes the
dependency on the framework while bootstrapping the stdenv.
(+ nitpick changes from vcunat)

The patch is based on https://gitlab.com/gnutls/gnutls/commit/c0eb46d3463cd21b3f822ac377ff37f067f66b8d

+164 -55
-10
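--- a/pkgs/development/libraries/gnutls/3.5.10.nix
+++ /dev/null
@@ -1,10 +0,0 @@
-{ callPackage, fetchurl, libunistring, ... } @ args:
-
-callPackage ./generic.nix (args // rec {
-version = "3.5.10";
-
-src = fetchurl {
-url = "mirror://gnupg/gnutls/v3.5/gnutls-${version}.tar.xz";
-sha256 = "17apwvdkkazh5w8z8mbanpj2yj8s2002qwy46wz4v3akpa33wi5g";
-};
-})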
-22
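--- a/pkgs/development/libraries/gnutls/3.6.nix
+++ /dev/null
@@ -1,22 +0,0 @@
-{ callPackage, fetchurl, ... } @ args:
-
-callPackage ./generic.nix (args // rec {
-version = "3.6.7";
-
-src = fetchurl {
-url = "mirror://gnupg/gnutls/v3.6/gnutls-${version}.tar.xz";
-sha256 = "1ql8l6l5bxks2pgpwb1602zc0j6ivhpy27hdfc49h8xgbanhjd2v";
-};
-
-# Skip some tests:
-# - pkgconfig: building against the result won't work before installing (3.5.11)
-# - fastopen: no idea; it broke between 3.6.2 and 3.6.3 (3437fdde6 in particular)
-# - trust-store: default trust store path (/etc/ssl/...) is missing in sandbox (3.5.11)
-# - psk-file: no idea; it broke between 3.6.3 and 3.6.4
-# Change p11-kit test to use pkg-config to find p11-kit
-postPatch = ''
-sed '2iexit 77' -i tests/{pkgconfig,fastopen}.sh
-sed '/^void doit(void)/,/^{/ s/{/{ exit(77);/' -i tests/{trust-store,psk-file}.c
-sed 's:/usr/lib64/pkcs11/ /usr/lib/pkcs11/ /usr/lib/x86_64-linux-gnu/pkcs11/:`pkg-config --variable=p11_module_path p11-kit-1`:' -i tests/p11-kit-trust.sh
-'';
-})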
+35 -16
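--- a/pkgs/development/libraries/gnutls/generic.nix
+++ b/pkgs/development/libraries/gnutls/default.nix
@@ -1,33 +1,51 @@
-{ config, lib, stdenv, zlib, lzo, libtasn1, nettle, pkgconfig, lzip
-, perl, gmp, autogen, libidn, p11-kit, libiconv
+{ config, lib, stdenv, fetchurl, zlib, lzo, libtasn1, nettle, pkgconfig, lzip
+, perl, gmp, autoconf, autogen, automake, libidn, p11-kit, libiconv
+, unbound, dns-root-data, gettext
 , guileBindings ? config.gnutls.guile or false, guile
 , tpmSupport ? false, trousers, which, nettools, libunistring
-, unbound, dns-root-data, gettext
-
-# Version dependent args
-, version, src, patches ? [], postPatch ? "", nativeBuildInputs ? []
-, buildInputs ? []
-, ...}:
+, withSecurity ? false, Security # darwin Security.framework
+}:
 
 assert guileBindings -> guile != null;
 let
+version = "3.6.7";
+
 # XXX: Gnulib's `test-select' fails on FreeBSD:
 # http://hydra.nixos.org/build/2962084/nixlog/1/raw .
 doCheck = !stdenv.isFreeBSD && !stdenv.isDarwin && lib.versionAtLeast version "3.4"
 && stdenv.buildPlatform == stdenv.hostPlatform;
+
+inherit (stdenv.hostPlatform) isDarwin;
 in
+
 stdenv.mkDerivation {
 name = "gnutls-${version}";
+inherit version;
 
-inherit src patches;
+src = fetchurl {
+url = "mirror://gnupg/gnutls/v3.6/gnutls-${version}.tar.xz";
+sha256 = "1ql8l6l5bxks2pgpwb1602zc0j6ivhpy27hdfc49h8xgbanhjd2v";
+};
 
 outputs = [ "bin" "dev" "out" "man" "devdoc" ];
 outputInfo = "devdoc";
 
+# Disable native add_system_trust.
+patches = lib.optional (isDarwin && !withSecurity) ./no-security-framework.patch;
+
+# Skip some tests:
+# - pkgconfig: building against the result won't work before installing (3.5.11)
+# - fastopen: no idea; it broke between 3.6.2 and 3.6.3 (3437fdde6 in particular)
+# - trust-store: default trust store path (/etc/ssl/...) is missing in sandbox (3.5.11)
+# - psk-file: no idea; it broke between 3.6.3 and 3.6.4
+# Change p11-kit test to use pkg-config to find p11-kit
 postPatch = lib.optionalString (lib.versionAtLeast version "3.4") ''
-sed '2iecho "name constraints tests skipped due to datefudge problems"\nexit 0' \
--i tests/cert-tests/name-constraints
-'' + postPatch;
+sed '2iecho "name constraints tests skipped due to datefudge problems"\nexit 0' -i tests/cert-tests/name-constraints
+'' + lib.optionalString (lib.versionAtLeast version "3.6") ''
+sed '2iexit 77' -i tests/{pkgconfig,fastopen}.sh
+sed '/^void doit(void)/,/^{/ s/{/{ exit(77);/' -i tests/{trust-store,psk-file}.c
+sed 's:/usr/lib64/pkcs11/ /usr/lib/pkcs11/ /usr/lib/x86_64-linux-gnu/pkcs11/:`pkg-config --variable=p11_module_path p11-kit-1`:' -i tests/p11-kit-trust.sh
+'';
 
 preConfigure = "patchShebangs .";
 configureFlags =
@@ -42,11 +60,12 @@
 enableParallelBuilding = true;
 
 buildInputs = [ lzo lzip libtasn1 libidn p11-kit zlib gmp autogen libunistring unbound gettext libiconv ]
+++ lib.optional (isDarwin && withSecurity) Security
 ++ lib.optional (tpmSupport && stdenv.isLinux) trousers
-++ lib.optional guileBindings guile
-++ buildInputs;
+++ lib.optional guileBindings guile;
 
-nativeBuildInputs = [ perl pkgconfig ] ++ nativeBuildInputs
+nativeBuildInputs = [ perl pkgconfig ]
+++ lib.optionals (isDarwin && !withSecurity) [ autoconf automake ]
 ++ lib.optionals doCheck [ which nettools ];
 
 propagatedBuildInputs = [ nettle ];
@@ -54,7 +73,7 @@
 inherit doCheck;
 
 # Fixup broken libtool and pkgconfig files
-preFixup = lib.optionalString (!stdenv.isDarwin) ''
+preFixup = lib.optionalString (!isDarwin) ''
 sed ${lib.optionalString tpmSupport "-e 's,-ltspi,-L${trousers}/lib -ltspi,'"} \
 -e 's,-lz,-L${zlib.out}/lib -lz,' \
 -e 's,-L${gmp.dev}/lib,-L${gmp.out}/lib,' \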
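Review bot: The `# Disable native add_system_trust.` comment above the new `patches` line (new lines 33–34) understates the effect: with `./no-security-framework.patch` applied the `#elif defined(__APPLE__)` branch of `add_system_trust` is removed, so a darwin build with the default `withSecurity = false` falls through to whatever configure selected, which in the sandbox looks like the `#else` stub `GNUTLS_E_UNIMPLEMENTED_FEATURE` unless `configureFlags` (outside the shown hunks) sets a default trust store file. Suggest `# Disable native add_system_trust: without Security.framework no macOS keychain roots are loaded, so trust must come from the configured default trust store file / NIX_SSL_CERT_FILE.` Since `version` is now the fixed `"3.6.7"` in the let-block (new line 11), the `lib.versionAtLeast version "3.4"` and `"3.6"` guards on `doCheck` (new line 15) and `postPatch` (new lines 42 and 44) are always true and can be dropped. The patch also edits configure.ac and lib/Makefile.am, and `autoconf automake` are added on new line 68, but nothing in the shown hunks runs autoreconf (`preConfigure` is still just `patchShebangs .`), so presumably automake's rebuild rules regenerate configure — worth confirming, or stating in a comment next to that line.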
+126
pkgs/development/libraries/gnutls/no-security-framework.patch
··· 1 + commit 9bcdde1ab9cdff6a4471f9a926dd488ab70c7247 2 + Author: Daiderd Jordan <daiderd@gmail.com> 3 + Date: Mon Apr 22 16:38:27 2019 +0200 4 + 5 + Revert "gnutls_x509_trust_list_add_system_trust: Add macOS keychain support" 6 + 7 + This reverts commit c0eb46d3463cd21b3f822ac377ff37f067f66b8d. 8 + 9 + diff --git a/configure.ac b/configure.ac 10 + index 8ad597bfd..8d14f26cd 100644 11 + --- a/configure.ac 12 + +++ b/configure.ac 13 + @@ -781,7 +781,7 @@ dnl auto detect https://lists.gnu.org/archive/html/help-gnutls/2012-05/msg00004. 14 + AC_ARG_WITH([default-trust-store-file], 15 + [AS_HELP_STRING([--with-default-trust-store-file=FILE], 16 + [use the given file default trust store])], with_default_trust_store_file="$withval", 17 + - [if test "$build" = "$host" && test x$with_default_trust_store_pkcs11 = x && test x$with_default_trust_store_dir = x && test x$have_macosx = x;then 18 + + [if test "$build" = "$host" && test x$with_default_trust_store_pkcs11 = x && test x$with_default_trust_store_dir = x;then 19 + for i in \ 20 + /etc/ssl/ca-bundle.pem \ 21 + /etc/ssl/certs/ca-certificates.crt \ 22 + diff --git a/lib/Makefile.am b/lib/Makefile.am 23 + index fe9cf63a2..745695f7e 100644 24 + --- a/lib/Makefile.am 25 + +++ b/lib/Makefile.am 26 + @@ -203,10 +203,6 @@ if WINDOWS 27 + thirdparty_libadd += -lcrypt32 28 + endif 29 + 30 + -if MACOSX 31 + -libgnutls_la_LDFLAGS += -framework Security -framework CoreFoundation 32 + -endif 33 + - 34 + libgnutls_la_LIBADD += $(thirdparty_libadd) 35 + 36 + # C++ library 37 + diff --git a/lib/system/certs.c b/lib/system/certs.c 38 + index 611c645e0..912b0aa5e 100644 39 + --- a/lib/system/certs.c 40 + +++ b/lib/system/certs.c 41 + @@ -44,12 +44,6 @@ 42 + # endif 43 + #endif 44 + 45 + -#ifdef __APPLE__ 46 + -# include <CoreFoundation/CoreFoundation.h> 47 + -# include <Security/Security.h> 48 + -# include <Availability.h> 49 + -#endif 50 + - 51 + /* System specific function wrappers for certificate stores. 52 + */ 53 + 54 + 
@@ -276,72 +270,6 @@ int add_system_trust(gnutls_x509_trust_list_t list, unsigned int tl_flags, 55 + 56 + return r; 57 + } 58 + -#elif defined(__APPLE__) && __MAC_OS_X_VERSION_MIN_REQUIRED >= 1070 59 + -static 60 + -int osstatus_error(status) 61 + -{ 62 + - CFStringRef err_str = SecCopyErrorMessageString(status, NULL); 63 + - _gnutls_debug_log("Error loading system root certificates: %s\n", 64 + - CFStringGetCStringPtr(err_str, kCFStringEncodingUTF8)); 65 + - CFRelease(err_str); 66 + - return GNUTLS_E_FILE_ERROR; 67 + -} 68 + - 69 + -static 70 + -int add_system_trust(gnutls_x509_trust_list_t list, unsigned int tl_flags, 71 + - unsigned int tl_vflags) 72 + -{ 73 + - int r=0; 74 + - 75 + - SecTrustSettingsDomain domain[] = { kSecTrustSettingsDomainUser, 76 + - kSecTrustSettingsDomainAdmin, 77 + - kSecTrustSettingsDomainSystem }; 78 + - for (size_t d=0; d<sizeof(domain)/sizeof(*domain); d++) { 79 + - CFArrayRef certs = NULL; 80 + - OSStatus status = SecTrustSettingsCopyCertificates(domain[d], 81 + - &certs); 82 + - if (status == errSecNoTrustSettings) 83 + - continue; 84 + - if (status != errSecSuccess) 85 + - return osstatus_error(status); 86 + - 87 + - int cert_count = CFArrayGetCount(certs); 88 + - for (int i=0; i<cert_count; i++) { 89 + - SecCertificateRef cert = 90 + - (void*)CFArrayGetValueAtIndex(certs, i); 91 + - CFDataRef der; 92 + - status = SecItemExport(cert, kSecFormatX509Cert, 0, 93 + - NULL, &der); 94 + - if (status != errSecSuccess) { 95 + - CFRelease(der); 96 + - CFRelease(certs); 97 + - return osstatus_error(status); 98 + - } 99 + - 100 + - if (gnutls_x509_trust_list_add_trust_mem(list, 101 + - &(gnutls_datum_t) { 102 + - .data = (void*)CFDataGetBytePtr(der), 103 + - .size = CFDataGetLength(der), 104 + - }, 105 + - NULL, 106 + - GNUTLS_X509_FMT_DER, 107 + - tl_flags, 108 + - tl_vflags) > 0) 109 + - r++; 110 + - CFRelease(der); 111 + - } 112 + - CFRelease(certs); 113 + - } 114 + - 115 + -#ifdef DEFAULT_BLACKLIST_FILE 116 + - ret = 
gnutls_x509_trust_list_remove_trust_file(list, DEFAULT_BLACKLIST_FILE, GNUTLS_X509_FMT_PEM); 117 + - if (ret < 0) { 118 + - _gnutls_debug_log("Could not load blacklist file '%s'\n", DEFAULT_BLACKLIST_FILE); 119 + - } 120 + -#endif 121 + - 122 + - return r; 123 + -} 124 + #else 125 + 126 + #define add_system_trust(x,y,z) GNUTLS_E_UNIMPLEMENTED_FEATURE
+3 -7
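--- a/pkgs/top-level/all-packages.nix
+++ b/pkgs/top-level/all-packages.nix
@@ -10402,13 +10402,9 @@
 then callPackage ../development/libraries/gnu-efi { }
 else null;
 
-gnutls = callPackage
-(if stdenv.isDarwin
-# Avoid > 3.5.10 due to frameworks for now; see discussion on:
-# https://github.com/NixOS/nixpkgs/commit/d6454e6a1
-then ../development/libraries/gnutls/3.5.10.nix
-else ../development/libraries/gnutls/3.6.nix)
-{ };
+gnutls = callPackage ../development/libraries/gnutls/default.nix {
+inherit (darwin.apple_sdk.frameworks) Security;
+};
 
 gnutls-kdh = callPackage ../development/libraries/gnutls-kdh/3.5.nix {
 gperf = gperf_3_0;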
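Review bot: The new call site (new lines 10405–10407) leaves `withSecurity` at the `false` default declared in default.nix, so on darwin this is the build without keychain roots, and the removed comment that explained why the framework was being avoided has no replacement here. A one-line comment would keep that context next to the call, e.g. `# withSecurity is left false so the stdenv bootstrap does not pull in Security.framework; trust comes from NIX_SSL_CERT_FILE`.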