uboot: (firmwareOdroidC2/C4) don't invoke patch tool, use patches = [] instead

https://github.com/NixOS/nixpkgs/blob/master/pkgs/stdenv/generic/setup.sh#L948 this can do it nicely. Signed-off-by: Anton Arapov <anton@deadbeef.mx>
2021-04-03 12:58:10 +02:00 · 2021-04-03 12:58:10 +02:00 · 56de2bcd43
commit 56de2bcd43
30691 changed files with 3076956 additions and 0 deletions
--- a/pkgs/development/libraries/gnutls/default.nix
+++ b/pkgs/development/libraries/gnutls/default.nix
@ -0,0 +1,126 @@
+{ config, lib, stdenv, fetchurl, zlib, lzo, libtasn1, nettle, pkg-config, lzip
+, perl, gmp, autoconf, automake, libidn2, libiconv
+, unbound, dns-root-data, gettext, util-linux
+, cxxBindings ? !stdenv.hostPlatform.isStatic # tries to link libstdc++.so
+, guileBindings ? config.gnutls.guile or false, guile
+, tpmSupport ? false, trousers, which, nettools, libunistring
+, withP11-kit ? !stdenv.hostPlatform.isStatic, p11-kit
+, withSecurity ? false, Security  # darwin Security.framework
+}:
+
+assert guileBindings -> guile != null;
+let
+
+  # XXX: Gnulib's `test-select' fails on FreeBSD:
+  # https://hydra.nixos.org/build/2962084/nixlog/1/raw .
+  doCheck = !stdenv.isFreeBSD && !stdenv.isDarwin
+      && stdenv.buildPlatform == stdenv.hostPlatform;
+
+  inherit (stdenv.hostPlatform) isDarwin;
+in
+
+stdenv.mkDerivation rec {
+  pname = "gnutls";
+  version = "3.7.3";
+
+  src = fetchurl {
+    url = "mirror://gnupg/gnutls/v${lib.versions.majorMinor version}/gnutls-${version}.tar.xz";
+    sha256 = "16n4yvw3792gcdxkikjmhddr6cbs4wlk027zfxlhmchsqcxw8ngw";
+  };
+
+  outputs = [ "bin" "dev" "out" "man" "devdoc" ];
+  # Not normally useful docs.
+  outputInfo = "devdoc";
+  outputDoc  = "devdoc";
+
+  patches = [ ./nix-ssl-cert-file.patch ]
+    # Disable native add_system_trust.
+    ++ lib.optional (isDarwin && !withSecurity) ./no-security-framework.patch;
+
+  # Skip some tests:
+  #  - pkg-config: building against the result won't work before installing (3.5.11)
+  #  - fastopen: no idea; it broke between 3.6.2 and 3.6.3 (3437fdde6 in particular)
+  #  - trust-store: default trust store path (/etc/ssl/...) is missing in sandbox (3.5.11)
+  #  - psk-file: no idea; it broke between 3.6.3 and 3.6.4
+  # Change p11-kit test to use pkg-config to find p11-kit
+  postPatch = ''
+    sed '2iexit 77' -i tests/{pkgconfig,fastopen}.sh
+    sed '/^void doit(void)/,/^{/ s/{/{ exit(77);/' -i tests/{trust-store,psk-file}.c
+    sed 's:/usr/lib64/pkcs11/ /usr/lib/pkcs11/ /usr/lib/x86_64-linux-gnu/pkcs11/:`pkg-config --variable=p11_module_path p11-kit-1`:' -i tests/p11-kit-trust.sh
+  '' + lib.optionalString stdenv.hostPlatform.isMusl '' # See https://gitlab.com/gnutls/gnutls/-/issues/945
+    sed '2iecho "certtool tests skipped in musl build"\nexit 0' -i tests/cert-tests/certtool.sh
+  '';
+
+  preConfigure = "patchShebangs .";
+  configureFlags =
+    lib.optionals withP11-kit [
+    "--with-default-trust-store-file=/etc/ssl/certs/ca-certificates.crt"
+    "--with-default-trust-store-pkcs11=pkcs11:"
+  ] ++ [
+    "--disable-dependency-tracking"
+    "--enable-fast-install"
+    "--with-unbound-root-key-file=${dns-root-data}/root.key"
+    (lib.withFeature withP11-kit "p11-kit")
+    (lib.enableFeature cxxBindings "cxx")
+  ] ++ lib.optional guileBindings [
+    "--enable-guile"
+    "--with-guile-site-dir=\${out}/share/guile/site"
+    "--with-guile-site-ccache-dir=\${out}/share/guile/site"
+    "--with-guile-extension-dir=\${out}/share/guile/site"
+  ];
+
+  enableParallelBuilding = true;
+
+  buildInputs = [ lzo lzip libtasn1 libidn2 zlib gmp libunistring unbound gettext libiconv ]
+    ++ lib.optional (withP11-kit) p11-kit
+    ++ lib.optional (isDarwin && withSecurity) Security
+    ++ lib.optional (tpmSupport && stdenv.isLinux) trousers
+    ++ lib.optional guileBindings guile;
+
+  nativeBuildInputs = [ perl pkg-config ]
+    ++ lib.optionals (isDarwin && !withSecurity) [ autoconf automake ]
+    ++ lib.optionals doCheck [ which nettools util-linux ];
+
+  propagatedBuildInputs = [ nettle ];
+
+  inherit doCheck;
+  # stdenv's `NIX_SSL_CERT_FILE=/no-cert-file.crt` breaks tests.
+  # Also empty files won't work, and we want to avoid potentially impure /etc/
+  preCheck = "NIX_SSL_CERT_FILE=${./dummy.crt}";
+
+  # Fixup broken libtool and pkg-config files
+  preFixup = lib.optionalString (!isDarwin) ''
+    sed ${lib.optionalString tpmSupport "-e 's,-ltspi,-L${trousers}/lib -ltspi,'"} \
+        -e 's,-lz,-L${zlib.out}/lib -lz,' \
+        -e 's,-L${gmp.dev}/lib,-L${gmp.out}/lib,' \
+        -e 's,-lgmp,-L${gmp.out}/lib -lgmp,' \
+        -i $out/lib/*.la "$dev/lib/pkgconfig/gnutls.pc"
+  '' + ''
+    # It seems only useful for static linking but basically noone does that.
+    substituteInPlace "$out/lib/libgnutls.la" \
+      --replace "-lunistring" ""
+  '';
+
+  meta = with lib; {
+    description = "The GNU Transport Layer Security Library";
+
+    longDescription = ''
+       GnuTLS is a project that aims to develop a library which
+       provides a secure layer, over a reliable transport
+       layer. Currently the GnuTLS library implements the proposed standards by
+       the IETF's TLS working group.
+
+       Quoting from the TLS protocol specification:
+
+       "The TLS protocol provides communications privacy over the
+       Internet. The protocol allows client/server applications to
+       communicate in a way that is designed to prevent eavesdropping,
+       tampering, or message forgery."
+    '';
+
+    homepage = "https://gnutls.org/";
+    license = licenses.lgpl21Plus;
+    maintainers = with maintainers; [ eelco fpletz ];
+    platforms = platforms.all;
+  };
+}
--- a/pkgs/development/libraries/gnutls/dummy.crt
+++ b/pkgs/development/libraries/gnutls/dummy.crt
@ -0,0 +1,45 @@
+ACCVRAIZ1
+-----BEGIN CERTIFICATE-----
+MIIH0zCCBbugAwIBAgIIXsO3pkN/pOAwDQYJKoZIhvcNAQEFBQAwQjESMBAGA1UE
+AwwJQUNDVlJBSVoxMRAwDgYDVQQLDAdQS0lBQ0NWMQ0wCwYDVQQKDARBQ0NWMQsw
+CQYDVQQGEwJFUzAeFw0xMTA1MDUwOTM3MzdaFw0zMDEyMzEwOTM3MzdaMEIxEjAQ
+BgNVBAMMCUFDQ1ZSQUlaMTEQMA4GA1UECwwHUEtJQUNDVjENMAsGA1UECgwEQUND
+VjELMAkGA1UEBhMCRVMwggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoICAQCb
+qau/YUqXry+XZpp0X9DZlv3P4uRm7x8fRzPCRKPfmt4ftVTdFXxpNRFvu8gMjmoY
+HtiP2Ra8EEg2XPBjs5BaXCQ316PWywlxufEBcoSwfdtNgM3802/J+Nq2DoLSRYWo
+G2ioPej0RGy9ocLLA76MPhMAhN9KSMDjIgro6TenGEyxCQ0jVn8ETdkXhBilyNpA
+lHPrzg5XPAOBOp0KoVdDaaxXbXmQeOW1tDvYvEyNKKGno6e6Ak4l0Squ7a4DIrhr
+IA8wKFSVf+DuzgpmndFALW4ir50awQUZ0m/A8p/4e7MCQvtQqR0tkw8jq8bBD5L/
+0KIV9VMJcRz/RROE5iZe+OCIHAr8Fraocwa48GOEAqDGWuzndN9wrqODJerWx5eH
+k6fGioozl2A3ED6XPm4pFdahD9GILBKfb6qkxkLrQaLjlUPTAYVtjrs78yM2x/47
+4KElB0iryYl0/wiPgL/AlmXz7uxLaL2diMMxs0Dx6M/2OLuc5NF/1OVYm3z61PMO
+m3WR5LpSLhl+0fXNWhn8ugb2+1KoS5kE3fj5tItQo05iifCHJPqDQsGH+tUtKSpa
+cXpkatcnYGMN285J9Y0fkIkyF/hzQ7jSWpOGYdbhdQrqeWZ2iE9x6wQl1gpaepPl
+uUsXQA+xtrn13k/c4LOsOxFwYIRKQ26ZIMApcQrAZQIDAQABo4ICyzCCAscwfQYI
+KwYBBQUHAQEEcTBvMEwGCCsGAQUFBzAChkBodHRwOi8vd3d3LmFjY3YuZXMvZmls
+ZWFkbWluL0FyY2hpdm9zL2NlcnRpZmljYWRvcy9yYWl6YWNjdjEuY3J0MB8GCCsG
+AQUFBzABhhNodHRwOi8vb2NzcC5hY2N2LmVzMB0GA1UdDgQWBBTSh7Tj3zcnk1X2
+VuqB5TbMjB4/vTAPBgNVHRMBAf8EBTADAQH/MB8GA1UdIwQYMBaAFNKHtOPfNyeT
+VfZW6oHlNsyMHj+9MIIBcwYDVR0gBIIBajCCAWYwggFiBgRVHSAAMIIBWDCCASIG
+CCsGAQUFBwICMIIBFB6CARAAQQB1AHQAbwByAGkAZABhAGQAIABkAGUAIABDAGUA
+cgB0AGkAZgBpAGMAYQBjAGkA8wBuACAAUgBhAO0AegAgAGQAZQAgAGwAYQAgAEEA
+QwBDAFYAIAAoAEEAZwBlAG4AYwBpAGEAIABkAGUAIABUAGUAYwBuAG8AbABvAGcA
+7QBhACAAeQAgAEMAZQByAHQAaQBmAGkAYwBhAGMAaQDzAG4AIABFAGwAZQBjAHQA
+cgDzAG4AaQBjAGEALAAgAEMASQBGACAAUQA0ADYAMAAxADEANQA2AEUAKQAuACAA
+QwBQAFMAIABlAG4AIABoAHQAdABwADoALwAvAHcAdwB3AC4AYQBjAGMAdgAuAGUA
+czAwBggrBgEFBQcCARYkaHR0cDovL3d3dy5hY2N2LmVzL2xlZ2lzbGFjaW9uX2Mu
+aHRtMFUGA1UdHwROMEwwSqBIoEaGRGh0dHA6Ly93d3cuYWNjdi5lcy9maWxlYWRt
+aW4vQXJjaGl2b3MvY2VydGlmaWNhZG9zL3JhaXphY2N2MV9kZXIuY3JsMA4GA1Ud
+DwEB/wQEAwIBBjAXBgNVHREEEDAOgQxhY2N2QGFjY3YuZXMwDQYJKoZIhvcNAQEF
+BQADggIBAJcxAp/n/UNnSEQU5CmH7UwoZtCPNdpNYbdKl02125DgBS4OxnnQ8pdp
+D70ER9m+27Up2pvZrqmZ1dM8MJP1jaGo/AaNRPTKFpV8M9xii6g3+CfYCS0b78gU
+JyCpZET/LtZ1qmxNYEAZSUNUY9rizLpm5U9EelvZaoErQNV/+QEnWCzI7UiRfD+m
+AM/EKXMRNt6GGT6d7hmKG9Ww7Y49nCrADdg9ZuM8Db3VlFzi4qc1GwQA9j9ajepD
+vV+JHanBsMyZ4k0ACtrJJ1vnE5Bc5PUzolVt3OAJTS+xJlsndQAJxGJ3KQhfnlms
+tn6tn1QwIgPBHnFk/vk4CpYY3QIUrCPLBhwepH2NDd4nQeit2hW3sCPdK6jT2iWH
+7ehVRE2I9DZ+hJp4rPcOVkkO1jMl1oRQQmwgEh0q1b688nCBpHBgvgW1m54ERL5h
+I6zppSSMEYCUWqKiuUnSwdzRp+0xESyeGabu4VXhwOrPDYTkF7eifKXeVSUG7szA
+h1xA2syVP1XgNce4hL60Xc16gwFy7ofmXx2utYXGJt/mwZrpHgJHnyqobalbz+xF
+d3+YJ5oyXSrjhO7FmGYvliAd3djDJ9ew+f7Zfc3Qn48LFFhRny+Lwzgt3uiP1o2H
+pPVWQxaZLPSkVrQ0uGE3ycJYgBugl6H8WY3pEfbRD0tVNEYqi4Y7
+-----END CERTIFICATE-----
--- a/pkgs/development/libraries/gnutls/nix-ssl-cert-file.patch
+++ b/pkgs/development/libraries/gnutls/nix-ssl-cert-file.patch
@ -0,0 +1,19 @@
+allow overriding system trust store location via $NIX_SSL_CERT_FILE
+
+diff --git a/lib/system/certs.c b/lib/system/certs.c
+index 611c645..6ef6edb 100644
+--- a/lib/system/certs.c
+++ b/lib/system/certs.c
+@@ -369,6 +369,11 @@ gnutls_x509_trust_list_add_system_trust(gnutls_x509_trust_list_t list,
+ 					unsigned int tl_flags,
+ 					unsigned int tl_vflags)
+ {
+-	return add_system_trust(list, tl_flags|GNUTLS_TL_NO_DUPLICATES, tl_vflags);
+	tl_flags = tl_flags|GNUTLS_TL_NO_DUPLICATES;
+	const char *file = secure_getenv("NIX_SSL_CERT_FILE");
+	return file
+		? gnutls_x509_trust_list_add_trust_file(
+			list, file, NULL/*CRL*/, GNUTLS_X509_FMT_PEM, tl_flags, tl_vflags)
+		: add_system_trust(list, tl_flags, tl_vflags);
+ }
+ 
--- a/pkgs/development/libraries/gnutls/no-security-framework.patch
+++ b/pkgs/development/libraries/gnutls/no-security-framework.patch
@ -0,0 +1,126 @@
+commit 9bcdde1ab9cdff6a4471f9a926dd488ab70c7247
+Author: Daiderd Jordan <daiderd@gmail.com>
+Date:   Mon Apr 22 16:38:27 2019 +0200
+
+    Revert "gnutls_x509_trust_list_add_system_trust: Add macOS keychain support"
+    
+    This reverts commit c0eb46d3463cd21b3f822ac377ff37f067f66b8d.
+
+diff --git a/configure.ac b/configure.ac
+index 8ad597bfd..8d14f26cd 100644
+--- a/configure.ac
+++ b/configure.ac
+@@ -781,7 +781,7 @@ dnl auto detect https://lists.gnu.org/archive/html/help-gnutls/2012-05/msg00004.
+ AC_ARG_WITH([default-trust-store-file],
+   [AS_HELP_STRING([--with-default-trust-store-file=FILE],
+     [use the given file default trust store])], with_default_trust_store_file="$withval",
+-  [if test "$build" = "$host" && test x$with_default_trust_store_pkcs11 = x && test x$with_default_trust_store_dir = x && test x$have_macosx = x;then
+  [if test "$build" = "$host" && test x$with_default_trust_store_pkcs11 = x && test x$with_default_trust_store_dir = x;then
+   for i in \
+     /etc/ssl/ca-bundle.pem \
+     /etc/ssl/certs/ca-certificates.crt \
+diff --git a/lib/Makefile.am b/lib/Makefile.am
+index fe9cf63a2..745695f7e 100644
+--- a/lib/Makefile.am
+++ b/lib/Makefile.am
+@@ -203,10 +203,6 @@ if WINDOWS
+ thirdparty_libadd += -lcrypt32
+ endif
+ 
+-if MACOSX
+-libgnutls_la_LDFLAGS += -framework Security -framework CoreFoundation
+-endif
+-
+ libgnutls_la_LIBADD += $(thirdparty_libadd)
+ 
+ # C++ library
+diff --git a/lib/system/certs.c b/lib/system/certs.c
+index 611c645e0..912b0aa5e 100644
+--- a/lib/system/certs.c
+++ b/lib/system/certs.c
+@@ -44,12 +44,6 @@
+ # endif
+ #endif
+ 
+-#ifdef __APPLE__
+-# include <CoreFoundation/CoreFoundation.h>
+-# include <Security/Security.h>
+-# include <Availability.h>
+-#endif
+-
+ /* System specific function wrappers for certificate stores.
+  */
+ 
+@@ -276,72 +270,6 @@ int add_system_trust(gnutls_x509_trust_list_t list, unsigned int tl_flags,
+ 
+ 	return r;
+ }
+-#elif defined(__APPLE__) && __MAC_OS_X_VERSION_MIN_REQUIRED >= 1070
+-static
+-int osstatus_error(status)
+-{
+-	CFStringRef err_str = SecCopyErrorMessageString(status, NULL);
+-	_gnutls_debug_log("Error loading system root certificates: %s\n",
+-			  CFStringGetCStringPtr(err_str, kCFStringEncodingUTF8));
+-	CFRelease(err_str);
+-	return GNUTLS_E_FILE_ERROR;
+-}
+-
+-static
+-int add_system_trust(gnutls_x509_trust_list_t list, unsigned int tl_flags,
+-		     unsigned int tl_vflags)
+-{
+-	int r=0;
+-
+-	SecTrustSettingsDomain domain[] = { kSecTrustSettingsDomainUser,
+-					    kSecTrustSettingsDomainAdmin,
+-					    kSecTrustSettingsDomainSystem };
+-	for (size_t d=0; d<sizeof(domain)/sizeof(*domain); d++) {
+-		CFArrayRef certs = NULL;
+-		OSStatus status = SecTrustSettingsCopyCertificates(domain[d],
+-								   &certs);
+-		if (status == errSecNoTrustSettings)
+-			continue;
+-		if (status != errSecSuccess)
+-			return osstatus_error(status);
+-
+-		int cert_count = CFArrayGetCount(certs);
+-		for (int i=0; i<cert_count; i++) {
+-			SecCertificateRef cert =
+-				(void*)CFArrayGetValueAtIndex(certs, i);
+-			CFDataRef der;
+-			status = SecItemExport(cert, kSecFormatX509Cert, 0,
+-					       NULL, &der);
+-			if (status != errSecSuccess) {
+-				CFRelease(der);
+-				CFRelease(certs);
+-				return osstatus_error(status);
+-			}
+-
+-			if (gnutls_x509_trust_list_add_trust_mem(list,
+-								 &(gnutls_datum_t) {
+-									.data = (void*)CFDataGetBytePtr(der),
+-									.size = CFDataGetLength(der),
+-								 },
+-								 NULL,
+-			                                         GNUTLS_X509_FMT_DER,
+-								 tl_flags,
+-								 tl_vflags) > 0)
+-				r++;
+-			CFRelease(der);
+-		}
+-		CFRelease(certs);
+-	}
+-
+-#ifdef DEFAULT_BLACKLIST_FILE
+-	ret = gnutls_x509_trust_list_remove_trust_file(list, DEFAULT_BLACKLIST_FILE, GNUTLS_X509_FMT_PEM);
+-	if (ret < 0) {
+-		_gnutls_debug_log("Could not load blacklist file '%s'\n", DEFAULT_BLACKLIST_FILE);
+-	}
+-#endif
+-
+-	return r;
+-}
+ #else
+ 
+ #define add_system_trust(x,y,z) GNUTLS_E_UNIMPLEMENTED_FEATURE