nixpkgs/pkgs/development/libraries/gnutls/default.nix
rnhmjoj 6f3b6a2fea
gnutls: enable p11-kit by default
GnuTLS has a single hard-coded location for the system trust store,
currently set to the path used by NixOS, Debian, Arch, Gentoo, etc.
Since not all distributions use the same path, notably Fedora and RHEL,
the certificate validation will break on some non-NixOS system.

This can be solved by enabling the p11-kit integration, so that by
default p11-kit (properly configured for all major distros) will provide
GnuTLS with the CA roots through the PKCS #11 API.
2021-11-18 22:38:22 +01:00


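# GnuTLS derivation.
#
# The security-relevant part is trust-store configuration: on Linux both the
# file-based store (the path used by NixOS, Debian, Arch, Gentoo, ...) and a
# PKCS #11 URI are configured, so that p11-kit can supply the CA roots on
# systems whose trust store lives elsewhere (e.g. Fedora/RHEL).  Tests that
# depend on a host trust store are disabled because the sandbox has none.
{ config, lib, stdenv, fetchurl, zlib, lzo, libtasn1, nettle, pkg-config, lzip
, perl, gmp, autoconf, automake, libidn, p11-kit, libiconv
, unbound, dns-root-data, gettext, util-linux
, guileBindings ? config.gnutls.guile or false, guile
, tpmSupport ? false, trousers, which, nettools, libunistring
, withSecurity ? false, Security # darwin Security.framework
}:

# The guile bindings cannot be built without a guile to link against.
assert guileBindings -> guile != null;

let
  # XXX: Gnulib's `test-select' fails on FreeBSD:
  # https://hydra.nixos.org/build/2962084/nixlog/1/raw .
  # The test suite is also skipped when cross-compiling, since the built test
  # binaries could not be executed on the build platform.
  doCheck = !stdenv.isFreeBSD && !stdenv.isDarwin
    && stdenv.buildPlatform == stdenv.hostPlatform;

  inherit (stdenv.hostPlatform) isDarwin;
in

stdenv.mkDerivation rec {
  pname = "gnutls";
  version = "3.7.2";

  src = fetchurl {
    url = "mirror://gnupg/gnutls/v${lib.versions.majorMinor version}/gnutls-${version}.tar.xz";
    sha256 = "646e6c5a9a185faa4cea796d378a1ba8e1148dbb197ca6605f95986a25af2752";
  };

  outputs = [ "bin" "dev" "out" "man" "devdoc" ];
  # Not normally useful docs.
  outputInfo = "devdoc";
  outputDoc = "devdoc";

  patches = [ ./nix-ssl-cert-file.patch ]
    # Disable native add_system_trust.
    ++ lib.optional (isDarwin && !withSecurity) ./no-security-framework.patch;

  # Skip some tests:
  # - pkg-config: building against the result won't work before installing (3.5.11)
  # - fastopen: no idea; it broke between 3.6.2 and 3.6.3 (3437fdde6 in particular)
  # - trust-store: default trust store path (/etc/ssl/...) is missing in sandbox (3.5.11)
  # - psk-file: no idea; it broke between 3.6.3 and 3.6.4
  # Change p11-kit test to use pkg-config to find p11-kit: the upstream test
  # hard-codes FHS pkcs11 module directories that do not exist in the sandbox.
  postPatch = ''
    sed '2iexit 77' -i tests/{pkgconfig,fastopen}.sh
    sed '/^void doit(void)/,/^{/ s/{/{ exit(77);/' -i tests/{trust-store,psk-file}.c
    sed 's:/usr/lib64/pkcs11/ /usr/lib/pkcs11/ /usr/lib/x86_64-linux-gnu/pkcs11/:`pkg-config --variable=p11_module_path p11-kit-1`:' -i tests/p11-kit-trust.sh
  '' + lib.optionalString stdenv.hostPlatform.isMusl '' # See https://gitlab.com/gnutls/gnutls/-/issues/945
    sed '2iecho "certtool tests skipped in musl build"\nexit 0' -i tests/cert-tests/certtool.sh
  '';

  preConfigure = "patchShebangs .";

  configureFlags =
    lib.optionals stdenv.isLinux [
      # File-based default store, plus a PKCS #11 URI so that p11-kit can
      # provide the CA roots where that file path is not the distribution's
      # trust store.
      "--with-default-trust-store-file=/etc/ssl/certs/ca-certificates.crt"
      "--with-default-trust-store-pkcs11=pkcs11:"
    ] ++ [
      "--disable-dependency-tracking"
      "--enable-fast-install"
      # DNSSEC root key file handed to the unbound integration.
      "--with-unbound-root-key-file=${dns-root-data}/root.key"
    ] ++ lib.optionals guileBindings [
      # `optionals` (plural): this is a list of flags, not a single flag;
      # `optional` would nest the list inside configureFlags.
      "--enable-guile"
      # `\${out}` is left for the shell to expand at configure time.
      "--with-guile-site-dir=\${out}/share/guile/site"
      "--with-guile-site-ccache-dir=\${out}/share/guile/site"
      "--with-guile-extension-dir=\${out}/share/guile/site"
    ];

  enableParallelBuilding = true;

  buildInputs = [ lzo lzip libtasn1 libidn p11-kit zlib gmp libunistring unbound gettext libiconv ]
    ++ lib.optional (isDarwin && withSecurity) Security
    ++ lib.optional (tpmSupport && stdenv.isLinux) trousers
    ++ lib.optional guileBindings guile;

  nativeBuildInputs = [ perl pkg-config ]
    ++ lib.optionals (isDarwin && !withSecurity) [ autoconf automake ]
    ++ lib.optionals doCheck [ which nettools util-linux ];

  propagatedBuildInputs = [ nettle ];

  inherit doCheck;
  # stdenv's `NIX_SSL_CERT_FILE=/no-cert-file.crt` breaks tests.
  # Also empty files won't work, and we want to avoid potentially impure /etc/
  preCheck = "NIX_SSL_CERT_FILE=${./dummy.crt}";

  # Fixup broken libtool and pkg-config files: add explicit -L paths for the
  # libraries these files reference only by -l name.
  preFixup = lib.optionalString (!isDarwin) ''
    sed ${lib.optionalString tpmSupport "-e 's,-ltspi,-L${trousers}/lib -ltspi,'"} \
        -e 's,-lz,-L${zlib.out}/lib -lz,' \
        -e 's,-L${gmp.dev}/lib,-L${gmp.out}/lib,' \
        -e 's,-lgmp,-L${gmp.out}/lib -lgmp,' \
        -i $out/lib/*.la "$dev/lib/pkgconfig/gnutls.pc"
  '' + ''
    # It seems only useful for static linking but basically noone does that.
    substituteInPlace "$out/lib/libgnutls.la" \
      --replace "-lunistring" ""
  '';

  meta = with lib; {
    description = "The GNU Transport Layer Security Library";

    longDescription = ''
      GnuTLS is a project that aims to develop a library which
      provides a secure layer, over a reliable transport
      layer. Currently the GnuTLS library implements the proposed standards by
      the IETF's TLS working group.

      Quoting from the TLS protocol specification:

      "The TLS protocol provides communications privacy over the
      Internet. The protocol allows client/server applications to
      communicate in a way that is designed to prevent eavesdropping,
      tampering, or message forgery."
    '';

    homepage = "https://gnutls.org/";
    license = licenses.lgpl21Plus;
    maintainers = with maintainers; [ eelco fpletz ];
    platforms = platforms.all;
  };
}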