ghostfox/nixpkgs
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

push sheeet
Some checks failed
Periodic Merges (6h) / master → staging-nixos (push) Failing after 12m50s
Details
Periodic Merges (6h) / master → staging-next (push) Failing after 12m54s
Details
Periodic Merges (24h) / merge-base(master,staging) → haskell-updates (push) Failing after 11m54s
Details
Periodic Merges (6h) / staging-next → staging (push) Failing after 12m13s
Details
Periodic Merges (24h) / staging-next-25.05 → staging-25.05 (push) Failing after 13m24s
Details
Periodic Merges (24h) / release-25.05 → staging-next-25.05 (push) Failing after 14m28s
Details

Browse Source
This commit is contained in:
Dark Steveneq
2025-10-09 14:15:47 +02:00
commit 646b892680
49168 changed files with 5897842 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

239
pkgs/development/libraries/gnutls/default.nix Normal file
View File

@@ -0,0 +1,239 @@
{
lib,
stdenv,
fetchurl,
zlib,
libtasn1,
nettle,
pkg-config,
perl,
gmp,
autoconf,
automake,
libidn2,
libiconv,
texinfo,
unbound,
dns-root-data,
gettext,
util-linux,
cxxBindings ? !stdenv.hostPlatform.isStatic, # tries to link libstdc++.so
tpmSupport ? false,
trousers,
which,
net-tools,
libunistring,
withP11-kit ? !stdenv.hostPlatform.isStatic,
p11-kit,
# certificate compression - only zlib now, more possible: zstd, brotli
# for passthru.tests
curlWithGnuTls,
emacs,
ffmpeg,
haskellPackages,
knot-resolver,
ngtcp2-gnutls,
ocamlPackages,
pkgsStatic,
python3Packages,
qemu,
rsyslog,
openconnect,
samba,
gitUpdater,
}:
let
# XXX: Gnulib's `test-select' fails on FreeBSD:
# https://hydra.nixos.org/build/2962084/nixlog/1/raw .
doCheck =
!stdenv.hostPlatform.isFreeBSD
&& !stdenv.hostPlatform.isDarwin
&& stdenv.buildPlatform == stdenv.hostPlatform;
inherit (stdenv.hostPlatform) isDarwin;
in
stdenv.mkDerivation rec {
pname = "gnutls";
version = "3.8.10";
src = fetchurl {
url = "mirror://gnupg/gnutls/v${lib.versions.majorMinor version}/gnutls-${version}.tar.xz";
hash = "sha256-23+rfM55Hncn677yM0MByCHXmlUOxVye8Ja2ELA+trc=";
};
outputs = [
"bin"
"dev"
"out"
]
++ lib.optionals (!stdenv.hostPlatform.isMinGW) [
"man"
"devdoc"
];
# Not normally useful docs.
outputInfo = "devdoc";
outputDoc = "devdoc";
patches = [
./nix-ssl-cert-file.patch
];
# Skip some tests:
# - pkg-config: building against the result won't work before installing (3.5.11)
# - fastopen: no idea; it broke between 3.6.2 and 3.6.3 (3437fdde6 in particular)
# - trust-store: default trust store path (/etc/ssl/...) is missing in sandbox (3.5.11)
# - psk-file: no idea; it broke between 3.6.3 and 3.6.4
# - ktls: requires tls module loaded into kernel and ktls-utils which depends on gnutls
# Change p11-kit test to use pkg-config to find p11-kit
postPatch = ''
sed '2iexit 77' -i tests/{pkgconfig,fastopen}.sh
sed '/^void doit(void)/,/^{/ s/{/{ exit(77);/' -i tests/{trust-store,psk-file}.c
sed 's:/usr/lib64/pkcs11/ /usr/lib/pkcs11/ /usr/lib/x86_64-linux-gnu/pkcs11/:`pkg-config --variable=p11_module_path p11-kit-1`:' -i tests/p11-kit-trust.sh
''
+ lib.optionalString stdenv.hostPlatform.isMusl ''
# See https://gitlab.com/gnutls/gnutls/-/issues/945
sed '2iecho "certtool tests skipped in musl build"\nexit 0' -i tests/cert-tests/certtool.sh
''
+ lib.optionalString stdenv.hostPlatform.isLinux ''
sed '2iexit 77' -i tests/{ktls,ktls_keyupdate}.sh
sed '/-DUSE_KTLS/d' -i tests/Makefile.{am,in}
sed '/gnutls_ktls/d' -i tests/Makefile.am
sed '/ENABLE_KTLS_TRUE/d' -i tests/Makefile.in
''
# https://gitlab.com/gnutls/gnutls/-/issues/1721
+ ''
sed '2iexit 77' -i tests/system-override-compress-cert.sh
'';
preConfigure = "patchShebangs .";
configureFlags =
lib.optionals withP11-kit [
"--with-default-trust-store-file=/etc/ssl/certs/ca-certificates.crt"
"--with-default-trust-store-pkcs11=pkcs11:"
]
++ [
"--disable-dependency-tracking"
"--enable-fast-install"
"--with-unbound-root-key-file=${dns-root-data}/root.key"
(lib.withFeature withP11-kit "p11-kit")
(lib.enableFeature cxxBindings "cxx")
]
++ lib.optionals stdenv.hostPlatform.isLinux [
"--enable-ktls"
]
++ lib.optionals (stdenv.hostPlatform.isMinGW) [
"--disable-doc"
]
++ lib.optionals (stdenv.hostPlatform.isLinux && tpmSupport) [
"--with-trousers-lib=${trousers}/lib/libtspi.so"
]
++ [
# do not dlopen in nixpkgs
"--with-zlib=link"
];
enableParallelBuilding = true;
hardeningDisable = [ "trivialautovarinit" ];
buildInputs = [
libtasn1
libidn2
zlib
gmp
libunistring
unbound
gettext
libiconv
]
++ lib.optional withP11-kit p11-kit
++ lib.optional (tpmSupport && stdenv.hostPlatform.isLinux) trousers;
nativeBuildInputs = [
perl
pkg-config
texinfo
]
++ [
autoconf
automake
]
++ lib.optionals doCheck [
which
net-tools
util-linux
];
propagatedBuildInputs = [ nettle ];
inherit doCheck;
# stdenv's `NIX_SSL_CERT_FILE=/no-cert-file.crt` breaks tests.
# Also empty files won't work, and we want to avoid potentially impure /etc/
preCheck = "NIX_SSL_CERT_FILE=${./dummy.crt}";
# Fixup broken libtool and pkg-config files
preFixup =
lib.optionalString (!isDarwin) ''
sed ${lib.optionalString tpmSupport "-e 's,-ltspi,-L${trousers}/lib -ltspi,'"} \
-e 's,-lz,-L${zlib.out}/lib -lz,' \
-e 's,-L${gmp.dev}/lib,-L${gmp.out}/lib,' \
-e 's,-lgmp,-L${gmp.out}/lib -lgmp,' \
-i $out/lib/*.la "$dev/lib/pkgconfig/gnutls.pc"
''
+ ''
# It seems only useful for static linking but basically noone does that.
substituteInPlace "$out/lib/libgnutls.la" \
--replace "-lunistring" ""
'';
passthru.updateScript = gitUpdater {
url = "https://gitlab.com/gnutls/gnutls.git";
};
passthru.tests = {
inherit
ngtcp2-gnutls
curlWithGnuTls
ffmpeg
emacs
qemu
knot-resolver
samba
openconnect
;
#inherit (ocamlPackages) ocamlnet;
#haskell-gnutls = haskellPackages.gnutls;
python3-gnutls = python3Packages.python3-gnutls;
rsyslog = rsyslog.override { withGnutls = true; };
static = pkgsStatic.gnutls;
};
meta = with lib; {
description = "GNU Transport Layer Security Library";
longDescription = ''
GnuTLS is a project that aims to develop a library which
provides a secure layer, over a reliable transport
layer. Currently the GnuTLS library implements the proposed standards by
the IETF's TLS working group.
Quoting from the TLS protocol specification:
"The TLS protocol provides communications privacy over the
Internet. The protocol allows client/server applications to
communicate in a way that is designed to prevent eavesdropping,
tampering, or message forgery."
'';
homepage = "https://gnutls.org/";
license = licenses.lgpl21Plus;
maintainers = with maintainers; [ vcunat ];
platforms = platforms.all;
};
}

45
pkgs/development/libraries/gnutls/dummy.crt Normal file
View File

@@ -0,0 +1,45 @@
ACCVRAIZ1
-----BEGIN CERTIFICATE-----
MIIH0zCCBbugAwIBAgIIXsO3pkN/pOAwDQYJKoZIhvcNAQEFBQAwQjESMBAGA1UE
AwwJQUNDVlJBSVoxMRAwDgYDVQQLDAdQS0lBQ0NWMQ0wCwYDVQQKDARBQ0NWMQsw
CQYDVQQGEwJFUzAeFw0xMTA1MDUwOTM3MzdaFw0zMDEyMzEwOTM3MzdaMEIxEjAQ
BgNVBAMMCUFDQ1ZSQUlaMTEQMA4GA1UECwwHUEtJQUNDVjENMAsGA1UECgwEQUND
VjELMAkGA1UEBhMCRVMwggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoICAQCb
qau/YUqXry+XZpp0X9DZlv3P4uRm7x8fRzPCRKPfmt4ftVTdFXxpNRFvu8gMjmoY
HtiP2Ra8EEg2XPBjs5BaXCQ316PWywlxufEBcoSwfdtNgM3802/J+Nq2DoLSRYWo
G2ioPej0RGy9ocLLA76MPhMAhN9KSMDjIgro6TenGEyxCQ0jVn8ETdkXhBilyNpA
lHPrzg5XPAOBOp0KoVdDaaxXbXmQeOW1tDvYvEyNKKGno6e6Ak4l0Squ7a4DIrhr
IA8wKFSVf+DuzgpmndFALW4ir50awQUZ0m/A8p/4e7MCQvtQqR0tkw8jq8bBD5L/
0KIV9VMJcRz/RROE5iZe+OCIHAr8Fraocwa48GOEAqDGWuzndN9wrqODJerWx5eH
k6fGioozl2A3ED6XPm4pFdahD9GILBKfb6qkxkLrQaLjlUPTAYVtjrs78yM2x/47
4KElB0iryYl0/wiPgL/AlmXz7uxLaL2diMMxs0Dx6M/2OLuc5NF/1OVYm3z61PMO
m3WR5LpSLhl+0fXNWhn8ugb2+1KoS5kE3fj5tItQo05iifCHJPqDQsGH+tUtKSpa
cXpkatcnYGMN285J9Y0fkIkyF/hzQ7jSWpOGYdbhdQrqeWZ2iE9x6wQl1gpaepPl
uUsXQA+xtrn13k/c4LOsOxFwYIRKQ26ZIMApcQrAZQIDAQABo4ICyzCCAscwfQYI
KwYBBQUHAQEEcTBvMEwGCCsGAQUFBzAChkBodHRwOi8vd3d3LmFjY3YuZXMvZmls
ZWFkbWluL0FyY2hpdm9zL2NlcnRpZmljYWRvcy9yYWl6YWNjdjEuY3J0MB8GCCsG
AQUFBzABhhNodHRwOi8vb2NzcC5hY2N2LmVzMB0GA1UdDgQWBBTSh7Tj3zcnk1X2
VuqB5TbMjB4/vTAPBgNVHRMBAf8EBTADAQH/MB8GA1UdIwQYMBaAFNKHtOPfNyeT
VfZW6oHlNsyMHj+9MIIBcwYDVR0gBIIBajCCAWYwggFiBgRVHSAAMIIBWDCCASIG
CCsGAQUFBwICMIIBFB6CARAAQQB1AHQAbwByAGkAZABhAGQAIABkAGUAIABDAGUA
cgB0AGkAZgBpAGMAYQBjAGkA8wBuACAAUgBhAO0AegAgAGQAZQAgAGwAYQAgAEEA
QwBDAFYAIAAoAEEAZwBlAG4AYwBpAGEAIABkAGUAIABUAGUAYwBuAG8AbABvAGcA
7QBhACAAeQAgAEMAZQByAHQAaQBmAGkAYwBhAGMAaQDzAG4AIABFAGwAZQBjAHQA
cgDzAG4AaQBjAGEALAAgAEMASQBGACAAUQA0ADYAMAAxADEANQA2AEUAKQAuACAA
QwBQAFMAIABlAG4AIABoAHQAdABwADoALwAvAHcAdwB3AC4AYQBjAGMAdgAuAGUA
czAwBggrBgEFBQcCARYkaHR0cDovL3d3dy5hY2N2LmVzL2xlZ2lzbGFjaW9uX2Mu
aHRtMFUGA1UdHwROMEwwSqBIoEaGRGh0dHA6Ly93d3cuYWNjdi5lcy9maWxlYWRt
aW4vQXJjaGl2b3MvY2VydGlmaWNhZG9zL3JhaXphY2N2MV9kZXIuY3JsMA4GA1Ud
DwEB/wQEAwIBBjAXBgNVHREEEDAOgQxhY2N2QGFjY3YuZXMwDQYJKoZIhvcNAQEF
BQADggIBAJcxAp/n/UNnSEQU5CmH7UwoZtCPNdpNYbdKl02125DgBS4OxnnQ8pdp
D70ER9m+27Up2pvZrqmZ1dM8MJP1jaGo/AaNRPTKFpV8M9xii6g3+CfYCS0b78gU
JyCpZET/LtZ1qmxNYEAZSUNUY9rizLpm5U9EelvZaoErQNV/+QEnWCzI7UiRfD+m
AM/EKXMRNt6GGT6d7hmKG9Ww7Y49nCrADdg9ZuM8Db3VlFzi4qc1GwQA9j9ajepD
vV+JHanBsMyZ4k0ACtrJJ1vnE5Bc5PUzolVt3OAJTS+xJlsndQAJxGJ3KQhfnlms
tn6tn1QwIgPBHnFk/vk4CpYY3QIUrCPLBhwepH2NDd4nQeit2hW3sCPdK6jT2iWH
7ehVRE2I9DZ+hJp4rPcOVkkO1jMl1oRQQmwgEh0q1b688nCBpHBgvgW1m54ERL5h
I6zppSSMEYCUWqKiuUnSwdzRp+0xESyeGabu4VXhwOrPDYTkF7eifKXeVSUG7szA
h1xA2syVP1XgNce4hL60Xc16gwFy7ofmXx2utYXGJt/mwZrpHgJHnyqobalbz+xF
d3+YJ5oyXSrjhO7FmGYvliAd3djDJ9ew+f7Zfc3Qn48LFFhRny+Lwzgt3uiP1o2H
pPVWQxaZLPSkVrQ0uGE3ycJYgBugl6H8WY3pEfbRD0tVNEYqi4Y7
-----END CERTIFICATE-----

17
pkgs/development/libraries/gnutls/nix-ssl-cert-file.patch Normal file
View File

@@ -0,0 +1,17 @@
allow overriding system trust store location via $NIX_SSL_CERT_FILE
--- a/lib/system/certs.c
+++ b/lib/system/certs.c
@@ -381,6 +381,10 @@ int gnutls_x509_trust_list_add_system_trust(gnutls_x509_trust_list_t list,
unsigned int tl_flags,
unsigned int tl_vflags)
{
- return add_system_trust(list, tl_flags | GNUTLS_TL_NO_DUPLICATES,
- tl_vflags);
+ tl_flags = tl_flags|GNUTLS_TL_NO_DUPLICATES;
+ const char *file = secure_getenv("NIX_SSL_CERT_FILE");
+ return file
+ ? gnutls_x509_trust_list_add_trust_file(
+ list, file, NULL/*CRL*/, GNUTLS_X509_FMT_PEM, tl_flags, tl_vflags)
+ : add_system_trust(list, tl_flags, tl_vflags);
}