core/pkgs/by-name/gn/gnutls/default.nix

170 lines
6.1 KiB
Nix
Raw Normal View History

2024-05-13 21:24:10 +00:00
{ lib, stdenv, fetchurl, fetchpatch2, zlib, lzo, libtasn1, nettle, pkg-config
, lzip, perl, gmp, autoconf, automake, libidn2, libiconv, texinfo, unbound
, dns-root-data, gettext, util-linux
2024-05-02 00:46:19 +00:00
, cxxBindings ? !stdenv.hostPlatform.isStatic # tries to link libstdc++.so
2024-05-13 21:24:10 +00:00
, tpmSupport ? false, trousers, which, nettools, libunistring
, withP11-kit ? !stdenv.hostPlatform.isStatic, p11-kit
, Security # darwin Security.framework
# certificate compression - only zlib now, more possible: zstd, brotli
# for passthru.tests
2024-05-02 00:46:19 +00:00
# , curlWithGnuTls
# , emacs
# , ffmpeg
# , haskellPackages
# , knot-resolver
# , ngtcp2-gnutls
# , ocamlPackages
# , pkgsStatic
# , python3Packages
# , qemu
# , rsyslog
# , openconnect
# , samba
}:
let
# XXX: Gnulib's `test-select' fails on FreeBSD:
# https://hydra.nixos.org/build/2962084/nixlog/1/raw .
2024-05-13 21:24:10 +00:00
doCheck = !stdenv.isFreeBSD && !stdenv.isDarwin && stdenv.buildPlatform
== stdenv.hostPlatform;
2024-05-02 00:46:19 +00:00
inherit (stdenv.hostPlatform) isDarwin;
2024-05-13 21:24:10 +00:00
in stdenv.mkDerivation rec {
2024-05-02 00:46:19 +00:00
pname = "gnutls";
version = "3.8.4";
src = fetchurl {
2024-05-13 21:24:10 +00:00
url = "mirror://gnupg/gnutls/v${
lib.versions.majorMinor version
}/gnutls-${version}.tar.xz";
2024-05-02 00:46:19 +00:00
hash = "sha256-K+pOFUeU8/ABgPoqXFH+iwBax6Mc1YvUTN+n8268Ops=";
};
outputs = [ "bin" "dev" "out" ]
++ lib.optionals (!stdenv.hostPlatform.isMinGW) [ "man" "devdoc" ];
# Not normally useful docs.
outputInfo = "devdoc";
outputDoc = "devdoc";
patches = [
./nix-ssl-cert-file.patch
# Revert https://gitlab.com/gnutls/gnutls/-/merge_requests/1800
# dlopen isn't as easy in NixPkgs, as noticed in tests broken by this.
# Without getting the libs into RPATH they won't be found.
(fetchpatch2 {
name = "revert-dlopen-compression.patch";
2024-05-13 21:24:10 +00:00
url =
"https://gitlab.com/gnutls/gnutls/-/commit/8584908d6b679cd4e7676de437117a793e18347c.diff";
2024-05-02 00:46:19 +00:00
revert = true;
hash = "sha256-r/+Gmwqy0Yc1LHL/PdPLXlErUBC5JxquLzCBAN3LuRM=";
})
];
# Skip some tests:
# - pkg-config: building against the result won't work before installing (3.5.11)
# - fastopen: no idea; it broke between 3.6.2 and 3.6.3 (3437fdde6 in particular)
# - trust-store: default trust store path (/etc/ssl/...) is missing in sandbox (3.5.11)
# - psk-file: no idea; it broke between 3.6.3 and 3.6.4
# Change p11-kit test to use pkg-config to find p11-kit
postPatch = ''
sed '2iexit 77' -i tests/{pkgconfig,fastopen}.sh
sed '/^void doit(void)/,/^{/ s/{/{ exit(77);/' -i tests/{trust-store,psk-file}.c
sed 's:/usr/lib64/pkcs11/ /usr/lib/pkcs11/ /usr/lib/x86_64-linux-gnu/pkcs11/:`pkg-config --variable=p11_module_path p11-kit-1`:' -i tests/p11-kit-trust.sh
2024-05-13 21:24:10 +00:00
'' + lib.optionalString stdenv.hostPlatform.isMusl ''
# See https://gitlab.com/gnutls/gnutls/-/issues/945
sed '2iecho "certtool tests skipped in musl build"\nexit 0' -i tests/cert-tests/certtool.sh
2024-05-02 00:46:19 +00:00
'' + lib.optionalString stdenv.hostPlatform.isStatic ''
# Adapted from https://gitlab.com/gnutls/gnutls/-/commit/d214cd4570fb1559a20e941bb7ceac7df52e96d3
# Can be removed with 3.8.5+.
sed -i lib/nettle/backport/rsa-sign-tr.c -e \
'/^#include <nettle\/rsa\.h>/i\
#define nettle_rsa_compute_root_tr _gnutls_nettle_backport_rsa_compute_root_tr'
'';
preConfigure = "patchShebangs .";
2024-05-13 21:24:10 +00:00
configureFlags = lib.optionals withP11-kit [
"--with-default-trust-store-file=/etc/ssl/certs/ca-certificates.crt"
"--with-default-trust-store-pkcs11=pkcs11:"
] ++ [
"--disable-dependency-tracking"
"--enable-fast-install"
"--with-unbound-root-key-file=${dns-root-data}/root.key"
(lib.withFeature withP11-kit "p11-kit")
(lib.enableFeature cxxBindings "cxx")
] ++ lib.optionals (stdenv.hostPlatform.isMinGW) [ "--disable-doc" ];
2024-05-02 00:46:19 +00:00
enableParallelBuilding = true;
hardeningDisable = [ "trivialautovarinit" ];
2024-05-13 21:24:10 +00:00
buildInputs =
[ lzo lzip libtasn1 libidn2 zlib gmp libunistring unbound gettext libiconv ]
2024-05-02 00:46:19 +00:00
++ lib.optional (withP11-kit) p11-kit
++ lib.optional (tpmSupport && stdenv.isLinux) trousers;
nativeBuildInputs = [ perl pkg-config texinfo ] ++ [ autoconf automake ]
++ lib.optionals doCheck [ which nettools util-linux ];
2024-05-13 21:24:10 +00:00
propagatedBuildInputs = [
nettle
]
# Builds dynamically linking against gnutls seem to need the framework now.
2024-05-02 00:46:19 +00:00
++ lib.optional isDarwin Security;
inherit doCheck;
# stdenv's `NIX_SSL_CERT_FILE=/no-cert-file.crt` breaks tests.
# Also empty files won't work, and we want to avoid potentially impure /etc/
preCheck = "NIX_SSL_CERT_FILE=${./dummy.crt}";
# Fixup broken libtool and pkg-config files
preFixup = lib.optionalString (!isDarwin) ''
2024-05-13 21:24:10 +00:00
sed ${
lib.optionalString tpmSupport "-e 's,-ltspi,-L${trousers}/lib -ltspi,'"
} \
2024-05-02 00:46:19 +00:00
-e 's,-lz,-L${zlib.out}/lib -lz,' \
-e 's,-L${gmp.dev}/lib,-L${gmp.out}/lib,' \
-e 's,-lgmp,-L${gmp.out}/lib -lgmp,' \
-i $out/lib/*.la "$dev/lib/pkgconfig/gnutls.pc"
'' + ''
# It seems only useful for static linking but basically noone does that.
substituteInPlace "$out/lib/libgnutls.la" \
--replace "-lunistring" ""
'';
# passthru.tests = {
# inherit ngtcp2-gnutls curlWithGnuTls ffmpeg emacs qemu knot-resolver samba openconnect;
# inherit (ocamlPackages) ocamlnet;
# haskell-gnutls = haskellPackages.gnutls;
# python3-gnutls = python3Packages.python3-gnutls;
# rsyslog = rsyslog.override { withGnutls = true; };
# static = pkgsStatic.gnutls;
# };
meta = with lib; {
description = "The GNU Transport Layer Security Library";
longDescription = ''
GnuTLS is a project that aims to develop a library which
provides a secure layer, over a reliable transport
layer. Currently the GnuTLS library implements the proposed standards by
the IETF's TLS working group.
Quoting from the TLS protocol specification:
"The TLS protocol provides communications privacy over the
Internet. The protocol allows client/server applications to
communicate in a way that is designed to prevent eavesdropping,
tampering, or message forgery."
'';
homepage = "https://gnutls.org/";
license = licenses.lgpl21Plus;
maintainers = with maintainers; [ vcunat ];
platforms = platforms.all;
};
}