authorJan Tojnar <jtojnar@gmail.com>2018-12-24 15:02:29 +0100
committerJan Tojnar <jtojnar@gmail.com>2018-12-24 15:02:29 +0100
commitef935fa1016ba6209a8882f4ccd776c5272a4359 (patch)
tree8d4c66fda8f30dc3bb2a1c5ce5da5b7fca999dd8 /pkgs/tools/security
parentd5d15828b51a7d4fd7eee82c6e9a1b261aa49115 (diff)
parentdd3eea4b476552cbdf95388179bfdd668d04b8b7 (diff)
Merge branch 'master' into staging
Diffstat (limited to 'pkgs/tools/security')
-rw-r--r--pkgs/tools/security/b2sum/default.nix3
-rw-r--r--pkgs/tools/security/monkeysphere/default.nix32
-rw-r--r--pkgs/tools/security/monkeysphere/openssh-nixos-sandbox.patch17
-rw-r--r--pkgs/tools/security/neopg/default.nix4
-rw-r--r--pkgs/tools/security/vault/default.nix4
5 files changed, 46 insertions, 14 deletions
diff --git a/pkgs/tools/security/b2sum/default.nix b/pkgs/tools/security/b2sum/default.nix
index 1679b7fddd072..f9d2855e739fc 100644
--- a/pkgs/tools/security/b2sum/default.nix
+++ b/pkgs/tools/security/b2sum/default.nix
@@ -23,6 +23,7 @@ stdenv.mkDerivation rec {
     homepage = "https://blake2.net";
     license = with licenses; [ asl20 cc0 openssl ];
     maintainers = with maintainers; [ kirelagin ];
-    platforms = platforms.all;
+    # "This code requires at least SSE2."
+    platforms = with platforms; [ "x86_64-linux" "i686-linux" ] ++ darwin;
   };
 }
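Review bot: The comment added above `platforms` quotes a sentence without saying where it comes from, so a later maintainer cannot check whether the SSE2 restriction still holds for a new release. Naming the source in the comment, for example `# Upstream states: "This code requires at least SSE2." (see <UPSTREAM-DOC-PLACEHOLDER>)`, would make the platform list auditable. The `darwin` set is taken as-is; whether every member of it satisfies the SSE2 requirement is not visible from this hunk.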
diff --git a/pkgs/tools/security/monkeysphere/default.nix b/pkgs/tools/security/monkeysphere/default.nix
index 0ce44b11acc54..114ba57e17005 100644
--- a/pkgs/tools/security/monkeysphere/default.nix
+++ b/pkgs/tools/security/monkeysphere/default.nix
@@ -2,13 +2,23 @@
 , perl, libassuan, libgcrypt
 , perlPackages, lockfileProgs, gnupg, coreutils
 # For the tests:
-, bash, openssh, which, socat, cpio, hexdump
+, bash, openssh, which, socat, cpio, hexdump, openssl
 }:
 
-stdenv.mkDerivation rec {
+let
+  # A patch is needed to run the tests inside the Nix sandbox:
+  # /etc/passwd: "nixbld:x:1000:100:Nix build user:/build:/noshell"
+  # sshd: "User nixbld not allowed because shell /noshell does not exist"
+  opensshUnsafe = openssh.overrideAttrs (oldAttrs: {
+    patches = oldAttrs.patches ++ [ ./openssh-nixos-sandbox.patch ];
+  });
+in stdenv.mkDerivation rec {
   name = "monkeysphere-${version}";
   version = "0.42";
 
+  # The patched OpenSSH binary MUST NOT be used (except in the check phase):
+  disallowedRequisites = [ opensshUnsafe ];
+
   src = fetchurl {
     url = "http://archive.monkeysphere.info/debian/pool/monkeysphere/m/monkeysphere/monkeysphere_${version}.orig.tar.gz";
     sha256 = "1haqgjxm8v2xnhc652lx79p2cqggb9gxgaf19w9l9akar2qmdjf1";
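Review bot: `opensshUnsafe` appends to `oldAttrs.patches` without a fallback, so the override will fail to evaluate if the `openssh` attribute set ever stops declaring `patches`; `patches = (oldAttrs.patches or []) ++ [ ./openssh-nixos-sandbox.patch ];` keeps it working in both cases. The `disallowedRequisites` guard on the patched sshd is the right containment for a build that relaxes the login-shell check, and it appears to cover the output closure only, so the comment above it might also state that the check phase is the sole permitted consumer and that `preCheck` must stay wrapped in `optionalString doCheck` for the guard to hold (the third hunk of this file does that). The `mkDerivation` body continues past this hunk.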
@@ -23,7 +33,7 @@ stdenv.mkDerivation rec {
   nativeBuildInputs = [ makeWrapper ];
   buildInputs = [ perl libassuan libgcrypt ]
     ++ stdenv.lib.optional doCheck
-      ([ gnupg openssh which socat cpio hexdump lockfileProgs ] ++
+      ([ gnupg opensshUnsafe which socat cpio hexdump lockfileProgs ] ++
       (with perlPackages; [ CryptOpenSSLRSA CryptOpenSSLBignum ]));
 
   makeFlags = ''
@@ -31,15 +41,19 @@ stdenv.mkDerivation rec {
     DESTDIR=$(out)
   '';
 
-  # The tests "drain" entropy (GnuPG still uses /dev/random) and they don't run
-  # inside of the sandbox, because nixbld isn't allowed to login via SSH
-  # (/etc/passwd: "nixbld:x:1000:100:Nix build user:/build:/noshell",
-  # sshd: "User nixbld not allowed because shell /noshell does not exist").
+  # The tests should be run (and succeed) when making changes to this package
+  # but they aren't enabled by default because they "drain" entropy (GnuPG
+  # still uses /dev/random).
   doCheck = false;
-  preCheck = ''
+  preCheck = stdenv.lib.optionalString doCheck ''
     patchShebangs tests/
     patchShebangs src/
-    sed -i "s,/usr/sbin/sshd,${openssh}/bin/sshd," tests/basic
+    sed -i \
+      -e "s,/usr/sbin/sshd,${opensshUnsafe}/bin/sshd," \
+      -e "s,/bin/true,${coreutils}/bin/true," \
+      -e "s,/bin/false,${coreutils}/bin/false," \
+      -e "s,openssl\ req,${openssl}/bin/openssl req," \
+      tests/basic
     sed -i "s/<(hd/<(hexdump/" tests/keytrans
   '';
 
diff --git a/pkgs/tools/security/monkeysphere/openssh-nixos-sandbox.patch b/pkgs/tools/security/monkeysphere/openssh-nixos-sandbox.patch
new file mode 100644
index 0000000000000..2a9a1fc8dfa94
--- /dev/null
+++ b/pkgs/tools/security/monkeysphere/openssh-nixos-sandbox.patch
@@ -0,0 +1,17 @@
+diff --git a/auth.c b/auth.c
+index d2a8cd65..811a129f 100644
+--- a/auth.c
++++ b/auth.c
+@@ -580,6 +580,12 @@ getpwnamallow(const char *user)
+ #endif
+ 
+ 	pw = getpwnam(user);
++        if (pw != NULL) {
++		// This is only for testing purposes,
++		// DO NOT USE THIS PATCH IN PRODUCTION!
++		char *shell = "/bin/sh";
++		pw->pw_shell = shell;
++        }
+ 
+ #if defined(_AIX) && defined(HAVE_SETAUTHDB)
+ 	aix_restoreauthdb();
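Review bot: The added block in `getpwnamallow` overrides `pw_shell` for every user the daemon resolves, not only the sandbox build user, and it does so with `//` comments and mixed space/tab indentation in a file that otherwise uses tabs and `/* */` comments, which will make the patch harder to rebase on the next OpenSSH update. A narrower and more self-describing form would be to restrict the override to the build user and keep the existing style, for example `/* Nix sandbox only: nixbld has /noshell, so pretend it has a shell. */` followed by `if (pw != NULL && strcmp(pw->pw_name, "nixbld") == 0) pw->pw_shell = "/bin/sh";`. Recording which OpenSSH version the hunk offsets were taken against, e.g. `# written against openssh <VERSION-PLACEHOLDER>` next to the override in default.nix, would also help whoever has to regenerate it.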
diff --git a/pkgs/tools/security/neopg/default.nix b/pkgs/tools/security/neopg/default.nix
index 7cb442bdf6273..cf5f760cda47e 100644
--- a/pkgs/tools/security/neopg/default.nix
+++ b/pkgs/tools/security/neopg/default.nix
@@ -12,13 +12,13 @@
 
 stdenv.mkDerivation rec {
   name = "neopg-${version}";
-  version = "0.0.5";
+  version = "0.0.4";
 
   src = fetchFromGitHub {
     owner = "das-labor";
     repo = "neopg";
     rev = "v${version}";
-    sha256 = "1ky3pwg6w8kyaa9iksfx6rryva87mbj1h3yi2mrzp2h7jhrfffpp";
+    sha256 = "0hhkl326ff6f76k8pwggpzmivbm13fz497nlyy6ybn5bmi9xfblm";
     fetchSubmodules = true;
   };
 
diff --git a/pkgs/tools/security/vault/default.nix b/pkgs/tools/security/vault/default.nix
index ac79fc8d464cc..4d646cfd332f7 100644
--- a/pkgs/tools/security/vault/default.nix
+++ b/pkgs/tools/security/vault/default.nix
@@ -2,13 +2,13 @@
 
 stdenv.mkDerivation rec {
   name = "vault-${version}";
-  version = "1.0.0";
+  version = "1.0.1";
 
   src = fetchFromGitHub {
     owner = "hashicorp";
     repo = "vault";
     rev = "v${version}";
-    sha256 = "0wqqf9mif6icfl888w2izvml7vqs4hkd5hrq4dhzcyig5w1bp0if";
+    sha256 = "17gyl8hb72gwb3vy7nrp3cj9lrj0zgb8xja0bgwqpv511hg1qwwf";
   };
 
   nativeBuildInputs = [ go gox removeReferencesTo ];