# Nixpkgs recipe for GnuTLS (pkgs/development/libraries/gnutls/default.nix).
#
# Security-relevant knobs are concentrated in three places: `src` (hash-pinned
# tarball), `configureFlags` (default trust store, PKCS#11 trust, DNSSEC root
# key) and `hardeningDisable`. Notes on each are inline below.
{ lib
, stdenv
, fetchurl
, fetchpatch2
, zlib
, lzo
, libtasn1
, nettle
, pkg-config
, lzip
, perl
, gmp
, autoconf
, automake
, libidn2
, libiconv
, texinfo
, unbound
, dns-root-data
, gettext
, util-linux
, cxxBindings ? !stdenv.hostPlatform.isStatic # tries to link libstdc++.so
, tpmSupport ? false # TPM 1.2 via TrouSerS (libtspi); off by default and Linux-only, see buildInputs
, trousers
, which
, nettools
, libunistring
, withP11-kit ? !stdenv.hostPlatform.isStatic # also gates the default-trust-store configure flags below
, p11-kit
, Security  # darwin Security.framework
  # certificate compression - only zlib now, more possible: zstd, brotli
  # (compression libraries are linked directly, not dlopen'd; see the reverted
  # upstream commit in `patches`)

  # for passthru.tests
, curlWithGnuTls
, emacs
, ffmpeg
, haskellPackages
, knot-resolver
, ngtcp2-gnutls
, ocamlPackages
, pkgsStatic
, python3Packages
, qemu
, rsyslog
, openconnect
, samba

, gitUpdater
}:

let

  # XXX: Gnulib's `test-select' fails on FreeBSD:
  # https://hydra.nixos.org/build/2962084/nixlog/1/raw .
  # The test suite also only runs for native builds (build == host), so
  # cross-compiled outputs ship untested.
  doCheck = !stdenv.isFreeBSD && !stdenv.isDarwin
    && stdenv.buildPlatform == stdenv.hostPlatform;

  inherit (stdenv.hostPlatform) isDarwin;
in

stdenv.mkDerivation rec {
  pname = "gnutls";
  version = "3.8.6";

  # Tarball integrity is pinned by the SRI hash alone; this derivation does not
  # check the upstream GPG signature. When bumping `version`, verify the new
  # tarball against the upstream signature out of band before updating `hash`.
  src = fetchurl {
    url = "mirror://gnupg/gnutls/v${lib.versions.majorMinor version}/gnutls-${version}.tar.xz";
    hash = "sha256-LhWIquU8sy1Dk38fTsoo/r2cDHqhc0/F3WGn6B4OvN0=";
  };

  outputs = [ "bin" "dev" "out" ]
    ++ lib.optionals (!stdenv.hostPlatform.isMinGW) [ "man" "devdoc" ];

  # Not normally useful docs.
  outputInfo = "devdoc";
  outputDoc = "devdoc";

  patches = [
    # Local patch. Presumably makes GnuTLS honour NIX_SSL_CERT_FILE for the
    # default trust store (cf. the NIX_SSL_CERT_FILE handling in preCheck) —
    # confirm against the patch itself.
    ./nix-ssl-cert-file.patch
    # Revert https://gitlab.com/gnutls/gnutls/-/merge_requests/1800
    # dlopen isn't as easy in NixPkgs, as noticed in tests broken by this.
    # Without getting the libs into RPATH they won't be found.
    # Consequence: compression libraries (zlib here) remain ordinary link-time
    # dependencies instead of being loaded at runtime. `revert = true` applies
    # the upstream commit backwards; `hash` pins the resulting reverted patch.
    (fetchpatch2 {
      name = "revert-dlopen-compression.patch";
      url = "https://gitlab.com/gnutls/gnutls/-/commit/8584908d6b679cd4e7676de437117a793e18347c.diff";
      revert = true;
      hash = "sha256-r/+Gmwqy0Yc1LHL/PdPLXlErUBC5JxquLzCBAN3LuRM=";
    })
  ];

  # Skip some tests:
  #  - pkg-config: building against the result won't work before installing (3.5.11)
  #  - fastopen: no idea; it broke between 3.6.2 and 3.6.3 (3437fdde6 in particular)
  #  - trust-store: default trust store path (/etc/ssl/...) is missing in sandbox (3.5.11)
  #  - psk-file: no idea; it broke between 3.6.3 and 3.6.4
  # Change p11-kit test to use pkg-config to find p11-kit
  # Exit code 77 is the automake "skipped" status, so these show up as SKIP,
  # not PASS. Note that skipping trust-store means the default-trust-store
  # settings in configureFlags are not exercised by the test suite.
  postPatch = ''
    sed '2iexit 77' -i tests/{pkgconfig,fastopen}.sh
    sed '/^void doit(void)/,/^{/ s/{/{ exit(77);/' -i tests/{trust-store,psk-file}.c
    sed 's:/usr/lib64/pkcs11/ /usr/lib/pkcs11/ /usr/lib/x86_64-linux-gnu/pkcs11/:`pkg-config --variable=p11_module_path p11-kit-1`:' -i tests/p11-kit-trust.sh
  '' + lib.optionalString stdenv.hostPlatform.isMusl '' # See https://gitlab.com/gnutls/gnutls/-/issues/945
    sed '2iecho "certtool tests skipped in musl build"\nexit 0' -i tests/cert-tests/certtool.sh
  '';

  preConfigure = "patchShebangs .";
  # Trust-store defaults are only compiled in together with p11-kit. Without it
  # (e.g. the static build, where withP11-kit defaults to false) no CA bundle
  # path is built in, so consumers presumably have to supply one themselves
  # (e.g. via NIX_SSL_CERT_FILE) for certificate verification to trust anything
  # — confirm how the nix-ssl-cert-file patch behaves in that configuration.
  configureFlags =
    lib.optionals withP11-kit [
      # system CA bundle as provided by NixOS
      "--with-default-trust-store-file=/etc/ssl/certs/ca-certificates.crt"
      # additionally consult PKCS#11 trust modules; the bare "pkcs11:" URI
      # presumably matches any token — verify against GnuTLS docs
      "--with-default-trust-store-pkcs11=pkcs11:"
    ] ++ [
      "--disable-dependency-tracking"
      "--enable-fast-install"
      # DNSSEC root trust anchor for the unbound-backed (DANE) lookups; taken
      # from the dns-root-data package rather than the impure system copy
      "--with-unbound-root-key-file=${dns-root-data}/root.key"
      (lib.withFeature withP11-kit "p11-kit")
      (lib.enableFeature cxxBindings "cxx")
    ] ++ lib.optionals (stdenv.hostPlatform.isMinGW) [
      "--disable-doc"
    ];

  enableParallelBuilding = true;

  # Opts out of the trivialautovarinit hardening flag (automatic initialisation
  # of trivial stack variables). No reason is recorded here.
  # NOTE(review): document why (build or test breakage?) and re-evaluate on
  # each version bump, since this weakens the default hardening set.
  hardeningDisable = [ "trivialautovarinit" ];

  # trousers (TPM 1.2) only on Linux, and only when explicitly requested.
  buildInputs = [ lzo lzip libtasn1 libidn2 zlib gmp libunistring unbound gettext libiconv ]
    ++ lib.optional (withP11-kit) p11-kit
    ++ lib.optional (tpmSupport && stdenv.isLinux) trousers;

  # which/nettools/util-linux are only needed by the test suite.
  nativeBuildInputs = [ perl pkg-config texinfo ] ++ [ autoconf automake ]
    ++ lib.optionals doCheck [ which nettools util-linux ];

  # nettle is GnuTLS's crypto backend and is needed by dependents as well,
  # hence propagated rather than a plain buildInput.
  propagatedBuildInputs = [ nettle ]
    # Builds dynamically linking against gnutls seem to need the framework now.
    ++ lib.optional isDarwin Security;

  inherit doCheck;
  # stdenv's `NIX_SSL_CERT_FILE=/no-cert-file.crt` breaks tests.
  # Also empty files won't work, and we want to avoid potentially impure /etc/
  # dummy.crt is a placeholder bundle shipped next to this file; it only has to
  # exist and be non-empty for the tests.
  preCheck = "NIX_SSL_CERT_FILE=${./dummy.crt}";

  # Fixup broken libtool and pkg-config files
  # Rewrites bare `-l<lib>` flags into `-L<store path>/lib -l<lib>` so that
  # dependents link against the exact store outputs used here.
  preFixup = lib.optionalString (!isDarwin) ''
    sed ${lib.optionalString tpmSupport "-e 's,-ltspi,-L${trousers}/lib -ltspi,'"} \
        -e 's,-lz,-L${zlib.out}/lib -lz,' \
        -e 's,-L${gmp.dev}/lib,-L${gmp.out}/lib,' \
        -e 's,-lgmp,-L${gmp.out}/lib -lgmp,' \
        -i $out/lib/*.la "$dev/lib/pkgconfig/gnutls.pc"
  '' + ''
    # It seems only useful for static linking but basically noone does that.
    substituteInPlace "$out/lib/libgnutls.la" \
      --replace "-lunistring" ""
  '';


  # Version bumps track upstream git tags; the tarball hash above still has to
  # be updated (and ideally cross-checked against upstream's signature) by hand.
  passthru.updateScript = gitUpdater {
    url = "https://gitlab.com/gnutls/gnutls.git";
  };

  # Downstream consumers rebuilt as regression tests for this package.
  passthru.tests = {
    inherit ngtcp2-gnutls curlWithGnuTls ffmpeg emacs qemu knot-resolver samba openconnect;
    inherit (ocamlPackages) ocamlnet;
    haskell-gnutls = haskellPackages.gnutls;
    python3-gnutls = python3Packages.python3-gnutls;
    rsyslog = rsyslog.override { withGnutls = true; };
    # static build: exercises the withP11-kit = false / cxxBindings = false path
    static = pkgsStatic.gnutls;
  };

  meta = with lib; {
    description = "GNU Transport Layer Security Library";

    longDescription = ''
      GnuTLS is a project that aims to develop a library which
      provides a secure layer, over a reliable transport
      layer. Currently the GnuTLS library implements the proposed standards by
      the IETF's TLS working group.

      Quoting from the TLS protocol specification:

      "The TLS protocol provides communications privacy over the
      Internet. The protocol allows client/server applications to
      communicate in a way that is designed to prevent eavesdropping,
      tampering, or message forgery."
    '';

    homepage = "https://gnutls.org/";
    license = licenses.lgpl21Plus;
    maintainers = with maintainers; [ vcunat ];
    platforms = platforms.all;
  };
}