gnutls: respect NIX_SSL_CERT_FILE, remove 3.5.10 on darwin

pkgs/development/libraries/gnutls/generic.nix → pkgs/development/libraries/gnutls/default.nix

@@ -1,33 +1,52 @@
-{ config, lib, stdenv, zlib, lzo, libtasn1, nettle, pkgconfig, lzip
-, perl, gmp, autogen, libidn, p11-kit, libiconv
+{ config, lib, stdenv, fetchurl, zlib, lzo, libtasn1, nettle, pkgconfig, lzip
+, perl, gmp, autoconf, autogen, automake, libidn, p11-kit, libiconv
+, unbound, dns-root-data, gettext
 , guileBindings ? config.gnutls.guile or false, guile
 , tpmSupport ? false, trousers, which, nettools, libunistring
-, unbound, dns-root-data, gettext
-
-# Version dependent args
-, version, src, patches ? [], postPatch ? "", nativeBuildInputs ? []
-, buildInputs ? []
-, ...}:
+, withSecurity ? false, Security  # darwin Security.framework
+}:
 
 assert guileBindings -> guile != null;
 let
+  version = "3.6.7";
+
   # XXX: Gnulib's `test-select' fails on FreeBSD:
   # http://hydra.nixos.org/build/2962084/nixlog/1/raw .
   doCheck = !stdenv.isFreeBSD && !stdenv.isDarwin && lib.versionAtLeast version "3.4"
       && stdenv.buildPlatform == stdenv.hostPlatform;
+
+  inherit (stdenv.hostPlatform) isDarwin;
 in
+
 stdenv.mkDerivation {
   name = "gnutls-${version}";
+  inherit version;
 
-  inherit src patches;
+  src = fetchurl {
+    url = "mirror://gnupg/gnutls/v3.6/gnutls-${version}.tar.xz";
+    sha256 = "1ql8l6l5bxks2pgpwb1602zc0j6ivhpy27hdfc49h8xgbanhjd2v";
+  };
 
   outputs = [ "bin" "dev" "out" "man" "devdoc" ];
   outputInfo = "devdoc";
 
+  patches = [ ./nix-ssl-cert-file.patch ]
+    # Disable native add_system_trust.
+    ++ lib.optional (isDarwin && !withSecurity) ./no-security-framework.patch;
+
+  # Skip some tests:
+  #  - pkgconfig: building against the result won't work before installing (3.5.11)
+  #  - fastopen: no idea; it broke between 3.6.2 and 3.6.3 (3437fdde6 in particular)
+  #  - trust-store: default trust store path (/etc/ssl/...) is missing in sandbox (3.5.11)
+  #  - psk-file: no idea; it broke between 3.6.3 and 3.6.4
+  # Change p11-kit test to use pkg-config to find p11-kit
   postPatch = lib.optionalString (lib.versionAtLeast version "3.4") ''
-    sed '2iecho "name constraints tests skipped due to datefudge problems"\nexit 0' \
-      -i tests/cert-tests/name-constraints
-  '' + postPatch;
+    sed '2iecho "name constraints tests skipped due to datefudge problems"\nexit 0' -i tests/cert-tests/name-constraints
+  '' + lib.optionalString (lib.versionAtLeast version "3.6") ''
+    sed '2iexit 77' -i tests/{pkgconfig,fastopen}.sh
+    sed '/^void doit(void)/,/^{/ s/{/{ exit(77);/' -i tests/{trust-store,psk-file}.c
+    sed 's:/usr/lib64/pkcs11/ /usr/lib/pkcs11/ /usr/lib/x86_64-linux-gnu/pkcs11/:`pkg-config --variable=p11_module_path p11-kit-1`:' -i tests/p11-kit-trust.sh
+  '';
 
   preConfigure = "patchShebangs .";
   configureFlags =
@@ -42,19 +61,20 @@ stdenv.mkDerivation {
   enableParallelBuilding = true;
 
   buildInputs = [ lzo lzip libtasn1 libidn p11-kit zlib gmp autogen libunistring unbound gettext libiconv ]
+    ++ lib.optional (isDarwin && withSecurity) Security
     ++ lib.optional (tpmSupport && stdenv.isLinux) trousers
-    ++ lib.optional guileBindings guile
-    ++ buildInputs;
+    ++ lib.optional guileBindings guile;
 
-  nativeBuildInputs = [ perl pkgconfig ] ++ nativeBuildInputs
+  nativeBuildInputs = [ perl pkgconfig ]
+    ++ lib.optionals (isDarwin && !withSecurity) [ autoconf automake ]
     ++ lib.optionals doCheck [ which nettools ];
 
   propagatedBuildInputs = [ nettle ];
 
   inherit doCheck;
 
   # Fixup broken libtool and pkgconfig files
-  preFixup = lib.optionalString (!stdenv.isDarwin) ''
+  preFixup = lib.optionalString (!isDarwin) ''
     sed ${lib.optionalString tpmSupport "-e 's,-ltspi,-L${trousers}/lib -ltspi,'"} \
         -e 's,-lz,-L${zlib.out}/lib -lz,' \
         -e 's,-L${gmp.dev}/lib,-L${gmp.out}/lib,' \

pkgs/development/libraries/gnutls/nix-ssl-cert-file.patch

@@ -0,0 +1,19 @@
+allow overriding system trust store location via $NIX_SSL_CERT_FILE
+
+diff --git a/lib/system/certs.c b/lib/system/certs.c
+index 611c645..6ef6edb 100644
+--- a/lib/system/certs.c
++++ b/lib/system/certs.c
+@@ -369,6 +369,11 @@ gnutls_x509_trust_list_add_system_trust(gnutls_x509_trust_list_t list,
+ 					unsigned int tl_flags,
+ 					unsigned int tl_vflags)
+ {
+-	return add_system_trust(list, tl_flags|GNUTLS_TL_NO_DUPLICATES, tl_vflags);
++	tl_flags = tl_flags|GNUTLS_TL_NO_DUPLICATES;
++	const char *file = secure_getenv("NIX_SSL_CERT_FILE");
++	return file
++		? gnutls_x509_trust_list_add_trust_file(
++			list, file, NULL/*CRL*/, GNUTLS_X509_FMT_PEM, tl_flags, tl_vflags)
++		: add_system_trust(list, tl_flags, tl_vflags);
+ }
+

pkgs/development/libraries/gnutls/no-security-framework.patch

@@ -0,0 +1,126 @@
+commit 9bcdde1ab9cdff6a4471f9a926dd488ab70c7247
+Author: Daiderd Jordan <daiderd@gmail.com>
+Date:   Mon Apr 22 16:38:27 2019 +0200
+
+    Revert "gnutls_x509_trust_list_add_system_trust: Add macOS keychain support"
+
+    This reverts commit c0eb46d3463cd21b3f822ac377ff37f067f66b8d.
+
+diff --git a/configure.ac b/configure.ac
+index 8ad597bfd..8d14f26cd 100644
+--- a/configure.ac
++++ b/configure.ac
+@@ -781,7 +781,7 @@ dnl auto detect https://lists.gnu.org/archive/html/help-gnutls/2012-05/msg00004.
+ AC_ARG_WITH([default-trust-store-file],
+   [AS_HELP_STRING([--with-default-trust-store-file=FILE],
+     [use the given file default trust store])], with_default_trust_store_file="$withval",
+-  [if test "$build" = "$host" && test x$with_default_trust_store_pkcs11 = x && test x$with_default_trust_store_dir = x && test x$have_macosx = x;then
++  [if test "$build" = "$host" && test x$with_default_trust_store_pkcs11 = x && test x$with_default_trust_store_dir = x;then
+   for i in \
+     /etc/ssl/ca-bundle.pem \
+     /etc/ssl/certs/ca-certificates.crt \
+diff --git a/lib/Makefile.am b/lib/Makefile.am
+index fe9cf63a2..745695f7e 100644
+--- a/lib/Makefile.am
++++ b/lib/Makefile.am
+@@ -203,10 +203,6 @@ if WINDOWS
+ thirdparty_libadd += -lcrypt32
+ endif
+
+-if MACOSX
+-libgnutls_la_LDFLAGS += -framework Security -framework CoreFoundation
+-endif
+-
+ libgnutls_la_LIBADD += $(thirdparty_libadd)
+
+ # C++ library
+diff --git a/lib/system/certs.c b/lib/system/certs.c
+index 611c645e0..912b0aa5e 100644
+--- a/lib/system/certs.c
++++ b/lib/system/certs.c
+@@ -44,12 +44,6 @@
+ # endif
+ #endif
+
+-#ifdef __APPLE__
+-# include <CoreFoundation/CoreFoundation.h>
+-# include <Security/Security.h>
+-# include <Availability.h>
+-#endif
+-
+ /* System specific function wrappers for certificate stores.
+  */
+
+@@ -276,72 +270,6 @@ int add_system_trust(gnutls_x509_trust_list_t list, unsigned int tl_flags,
+
+ 	return r;
+ }
+-#elif defined(__APPLE__) && __MAC_OS_X_VERSION_MIN_REQUIRED >= 1070
+-static
+-int osstatus_error(status)
+-{
+-	CFStringRef err_str = SecCopyErrorMessageString(status, NULL);
+-	_gnutls_debug_log("Error loading system root certificates: %s\n",
+-			  CFStringGetCStringPtr(err_str, kCFStringEncodingUTF8));
+-	CFRelease(err_str);
+-	return GNUTLS_E_FILE_ERROR;
+-}
+-
+-static
+-int add_system_trust(gnutls_x509_trust_list_t list, unsigned int tl_flags,
+-		     unsigned int tl_vflags)
+-{
+-	int r=0;
+-
+-	SecTrustSettingsDomain domain[] = { kSecTrustSettingsDomainUser,
+-					    kSecTrustSettingsDomainAdmin,
+-					    kSecTrustSettingsDomainSystem };
+-	for (size_t d=0; d<sizeof(domain)/sizeof(*domain); d++) {
+-		CFArrayRef certs = NULL;
+-		OSStatus status = SecTrustSettingsCopyCertificates(domain[d],
+-								   &certs);
+-		if (status == errSecNoTrustSettings)
+-			continue;
+-		if (status != errSecSuccess)
+-			return osstatus_error(status);
+-
+-		int cert_count = CFArrayGetCount(certs);
+-		for (int i=0; i<cert_count; i++) {
+-			SecCertificateRef cert =
+-				(void*)CFArrayGetValueAtIndex(certs, i);
+-			CFDataRef der;
+-			status = SecItemExport(cert, kSecFormatX509Cert, 0,
+-					       NULL, &der);
+-			if (status != errSecSuccess) {
+-				CFRelease(der);
+-				CFRelease(certs);
+-				return osstatus_error(status);
+-			}
+-
+-			if (gnutls_x509_trust_list_add_trust_mem(list,
+-								 &(gnutls_datum_t) {
+-									.data = (void*)CFDataGetBytePtr(der),
+-									.size = CFDataGetLength(der),
+-								 },
+-								 NULL,
+-			                                         GNUTLS_X509_FMT_DER,
+-								 tl_flags,
+-								 tl_vflags) > 0)
+-				r++;
+-			CFRelease(der);
+-		}
+-		CFRelease(certs);
+-	}
+-
+-#ifdef DEFAULT_BLACKLIST_FILE
+-	ret = gnutls_x509_trust_list_remove_trust_file(list, DEFAULT_BLACKLIST_FILE, GNUTLS_X509_FMT_PEM);
+-	if (ret < 0) {
+-		_gnutls_debug_log("Could not load blacklist file '%s'\n", DEFAULT_BLACKLIST_FILE);
+-	}
+-#endif
+-
+-	return r;
+-}
+ #else
+
+ #define add_system_trust(x,y,z) GNUTLS_E_UNIMPLEMENTED_FEATURE

pkgs/top-level/all-packages.nix

@@ -10402,13 +10402,9 @@ in
               then callPackage ../development/libraries/gnu-efi { }
             else null;
 
-  gnutls = callPackage
-    (if stdenv.isDarwin
-      # Avoid > 3.5.10 due to frameworks for now; see discussion on:
-      # https://github.com/NixOS/nixpkgs/commit/d6454e6a1
-      then ../development/libraries/gnutls/3.5.10.nix
-      else ../development/libraries/gnutls/3.6.nix)
-    { };
+  gnutls = callPackage ../development/libraries/gnutls/default.nix {
+    inherit (darwin.apple_sdk.frameworks) Security;
+  };
 
   gnutls-kdh = callPackage ../development/libraries/gnutls-kdh/3.5.nix {
     gperf = gperf_3_0;