pkgs/development/libraries/gnutls/default.nix at devShellTools-shell · tjh.dev/nixpkgs

tjh.dev / nixpkgs
Clone of https://github.com/NixOS/nixpkgs.git (to stress-test knotserver)
nixpkgs / pkgs / development / libraries / gnutls / default.nix
at devShellTools-shell 6.4 kB view raw
  1{
  2  lib,
  3  stdenv,
  4  fetchurl,
  5  zlib,
  6  libtasn1,
  7  nettle,
  8  pkg-config,
  9  perl,
 10  gmp,
 11  autoconf,
 12  automake,
 13  libidn2,
 14  libiconv,
 15  texinfo,
 16  unbound,
 17  dns-root-data,
 18  gettext,
 19  util-linux,
 20  cxxBindings ? !stdenv.hostPlatform.isStatic, # tries to link libstdc++.so
 21  tpmSupport ? false,
 22  trousers,
 23  which,
 24  net-tools,
 25  libunistring,
 26  withP11-kit ? !stdenv.hostPlatform.isStatic,
 27  p11-kit,
 28  # certificate compression - only zlib now, more possible: zstd, brotli
 29
 30  # for passthru.tests
 31  curlWithGnuTls,
 32  emacs,
 33  ffmpeg,
 34  haskellPackages,
 35  knot-resolver,
 36  ngtcp2-gnutls,
 37  ocamlPackages,
 38  pkgsStatic,
 39  python3Packages,
 40  qemu,
 41  rsyslog,
 42  openconnect,
 43  samba,
 44
 45  gitUpdater,
 46}:
 47
 48let
 49
 50  # XXX: Gnulib's `test-select' fails on FreeBSD:
 51  # https://hydra.nixos.org/build/2962084/nixlog/1/raw .
 52  doCheck =
 53    !stdenv.hostPlatform.isFreeBSD
 54    && !stdenv.hostPlatform.isDarwin
 55    && stdenv.buildPlatform == stdenv.hostPlatform;
 56
 57  inherit (stdenv.hostPlatform) isDarwin;
 58in
 59
 60stdenv.mkDerivation rec {
 61  pname = "gnutls";
 62  version = "3.8.10";
 63
 64  src = fetchurl {
 65    url = "mirror://gnupg/gnutls/v${lib.versions.majorMinor version}/gnutls-${version}.tar.xz";
 66    hash = "sha256-23+rfM55Hncn677yM0MByCHXmlUOxVye8Ja2ELA+trc=";
 67  };
 68
 69  outputs = [
 70    "bin"
 71    "dev"
 72    "out"
 73  ]
 74  ++ lib.optionals (!stdenv.hostPlatform.isMinGW) [
 75    "man"
 76    "devdoc"
 77  ];
 78
 79  # Not normally useful docs.
 80  outputInfo = "devdoc";
 81  outputDoc = "devdoc";
 82
 83  patches = [
 84    ./nix-ssl-cert-file.patch
 85  ];
 86
 87  # Skip some tests:
 88  #  - pkg-config: building against the result won't work before installing (3.5.11)
 89  #  - fastopen: no idea; it broke between 3.6.2 and 3.6.3 (3437fdde6 in particular)
 90  #  - trust-store: default trust store path (/etc/ssl/...) is missing in sandbox (3.5.11)
 91  #  - psk-file: no idea; it broke between 3.6.3 and 3.6.4
 92  #  - ktls: requires tls module loaded into kernel and ktls-utils which depends on gnutls
 93  # Change p11-kit test to use pkg-config to find p11-kit
 94  postPatch = ''
 95    sed '2iexit 77' -i tests/{pkgconfig,fastopen}.sh
 96    sed '/^void doit(void)/,/^{/ s/{/{ exit(77);/' -i tests/{trust-store,psk-file}.c
 97    sed 's:/usr/lib64/pkcs11/ /usr/lib/pkcs11/ /usr/lib/x86_64-linux-gnu/pkcs11/:`pkg-config --variable=p11_module_path p11-kit-1`:' -i tests/p11-kit-trust.sh
 98  ''
 99  + lib.optionalString stdenv.hostPlatform.isMusl ''
100    # See https://gitlab.com/gnutls/gnutls/-/issues/945
101    sed '2iecho "certtool tests skipped in musl build"\nexit 0' -i tests/cert-tests/certtool.sh
102  ''
103  + lib.optionalString stdenv.hostPlatform.isLinux ''
104    sed '2iexit 77' -i tests/{ktls,ktls_keyupdate}.sh
105    sed '/-DUSE_KTLS/d' -i tests/Makefile.{am,in}
106    sed '/gnutls_ktls/d' -i tests/Makefile.am
107    sed '/ENABLE_KTLS_TRUE/d' -i tests/Makefile.in
108  ''
109  # https://gitlab.com/gnutls/gnutls/-/issues/1721
110  + ''
111    sed '2iexit 77' -i tests/system-override-compress-cert.sh
112  '';
113
114  preConfigure = "patchShebangs .";
115  configureFlags =
116    lib.optionals withP11-kit [
117      "--with-default-trust-store-file=/etc/ssl/certs/ca-certificates.crt"
118      "--with-default-trust-store-pkcs11=pkcs11:"
119    ]
120    ++ [
121      "--disable-dependency-tracking"
122      "--enable-fast-install"
123      "--with-unbound-root-key-file=${dns-root-data}/root.key"
124      (lib.withFeature withP11-kit "p11-kit")
125      (lib.enableFeature cxxBindings "cxx")
126    ]
127    ++ lib.optionals stdenv.hostPlatform.isLinux [
128      "--enable-ktls"
129    ]
130    ++ lib.optionals (stdenv.hostPlatform.isMinGW) [
131      "--disable-doc"
132    ]
133    ++ lib.optionals (stdenv.hostPlatform.isLinux && tpmSupport) [
134      "--with-trousers-lib=${trousers}/lib/libtspi.so"
135    ]
136    ++ [
137      # do not dlopen in nixpkgs
138      "--with-zlib=link"
139    ];
140
141  enableParallelBuilding = true;
142
143  hardeningDisable = [ "trivialautovarinit" ];
144
145  buildInputs = [
146    libtasn1
147    libidn2
148    zlib
149    gmp
150    libunistring
151    unbound
152    gettext
153    libiconv
154  ]
155  ++ lib.optional withP11-kit p11-kit
156  ++ lib.optional (tpmSupport && stdenv.hostPlatform.isLinux) trousers;
157
158  nativeBuildInputs = [
159    perl
160    pkg-config
161    texinfo
162  ]
163  ++ [
164    autoconf
165    automake
166  ]
167  ++ lib.optionals doCheck [
168    which
169    net-tools
170    util-linux
171  ];
172
173  propagatedBuildInputs = [ nettle ];
174
175  inherit doCheck;
176  # stdenv's `NIX_SSL_CERT_FILE=/no-cert-file.crt` breaks tests.
177  # Also empty files won't work, and we want to avoid potentially impure /etc/
178  preCheck = "NIX_SSL_CERT_FILE=${./dummy.crt}";
179
180  # Fixup broken libtool and pkg-config files
181  preFixup =
182    lib.optionalString (!isDarwin) ''
183      sed ${lib.optionalString tpmSupport "-e 's,-ltspi,-L${trousers}/lib -ltspi,'"} \
184          -e 's,-lz,-L${zlib.out}/lib -lz,' \
185          -e 's,-L${gmp.dev}/lib,-L${gmp.out}/lib,' \
186          -e 's,-lgmp,-L${gmp.out}/lib -lgmp,' \
187          -i $out/lib/*.la "$dev/lib/pkgconfig/gnutls.pc"
188    ''
189    + ''
190      # It seems only useful for static linking but basically noone does that.
191      substituteInPlace "$out/lib/libgnutls.la" \
192        --replace "-lunistring" ""
193    '';
194
195  passthru.updateScript = gitUpdater {
196    url = "https://gitlab.com/gnutls/gnutls.git";
197  };
198
199  passthru.tests = {
200    inherit
201      ngtcp2-gnutls
202      curlWithGnuTls
203      ffmpeg
204      emacs
205      qemu
206      knot-resolver
207      samba
208      openconnect
209      ;
210    #inherit (ocamlPackages) ocamlnet;
211    #haskell-gnutls = haskellPackages.gnutls;
212    python3-gnutls = python3Packages.python3-gnutls;
213    rsyslog = rsyslog.override { withGnutls = true; };
214    static = pkgsStatic.gnutls;
215  };
216
217  meta = with lib; {
218    description = "GNU Transport Layer Security Library";
219
220    longDescription = ''
221      GnuTLS is a project that aims to develop a library which
222      provides a secure layer, over a reliable transport
223      layer. Currently the GnuTLS library implements the proposed standards by
224      the IETF's TLS working group.
225
226      Quoting from the TLS protocol specification:
227
228      "The TLS protocol provides communications privacy over the
229      Internet. The protocol allows client/server applications to
230      communicate in a way that is designed to prevent eavesdropping,
231      tampering, or message forgery."
232    '';
233
234    homepage = "https://gnutls.org/";
235    license = licenses.lgpl21Plus;
236    maintainers = with maintainers; [ vcunat ];
237    platforms = platforms.all;
238  };
239}