2 files changed, 129 insertions, 6 deletions

diff --git a/CMakeLists.txt b/CMakeLists.txt
index 5893baa28b..89d50309da 100644
--- a/CMakeLists.txt
+++ b/CMakeLists.txt
@@ -1236,11 +1236,11 @@ add_custom_target(dist
 )
 
 if(GNUTLS_FOUND AND NOT GNUTLS_VERSION VERSION_LESS "3.4.0")
-	# While all Linux and Windows builds have PKCS #11 support enabled,
-	# macos-setup.sh explicitly disables it using --without-p11-kit.
+	# Calculating public keys from PKCS #11 private keys requires GnuTLS
+	# 3.4.0 or greater.
 	#
-	# Require at least GnuTLS 3.4.0 such that public keys can be calculated
-	# from PKCS #11 private keys.
+	# Check that the support is present in case GnuTLS was compiled
+	# --without-p11-kit as macos-setup.sh did until recently.
 	include(CheckSymbolExists)
 	cmake_push_check_state()
 	if(WIN32)
diff --git a/tools/macos-setup.sh b/tools/macos-setup.sh
index 9493622c30..937cf6d76f 100755
--- a/tools/macos-setup.sh
+++ b/tools/macos-setup.sh
@@ -150,6 +150,13 @@ if [ "$GNUTLS_VERSION" ]; then
     # And, in turn, Nettle requires GMP.
     #
     GMP_VERSION=6.2.1
+
+    #
+    # And p11-kit
+    P11KIT_VERSION=0.23.21
+
+    # Which requires libtasn1
+    LIBTASN1_VERSION=4.16.0
 fi
 # Use 5.2.4, not 5.3, for now; lua_bitop.c hasn't been ported to 5.3
 # yet, and we need to check for compatibility issues (we'd want Lua
@@ -1120,6 +1127,90 @@ uninstall_gmp() {
     fi
 }
 
+install_libtasn1() {
+    if [ "$LIBTASN1_VERSION" -a ! -f libtasn1-$LIBTASN1_VERSION-done ] ; then
+        echo "Downloading, building, and installing libtasn1:"
+        [ -f libtasn1-$LIBTASN1_VERSION.tar.gz ] || curl -L -O https://ftpmirror.gnu.org/libtasn1/libtasn1-$LIBTASN1_VERSION.tar.gz || exit 1
+        $no_build && echo "Skipping installation" && return
+        gzcat libtasn1-$LIBTASN1_VERSION.tar.gz | tar xf - || exit 1
+        cd libtasn1-$LIBTASN1_VERSION
+        CFLAGS="$CFLAGS $VERSION_MIN_FLAGS $SDKFLAGS" CXXFLAGS="$CXXFLAGS $VERSION_MIN_FLAGS $SDKFLAGS" LDFLAGS="$LDFLAGS $VERSION_MIN_FLAGS $SDKFLAGS" ./configure || exit 1
+        make $MAKE_BUILD_OPTS || exit 1
+        $DO_MAKE_INSTALL || exit 1
+        cd ..
+        touch libtasn1-$LIBTASN1_VERSION-done
+    fi
+}
+
+uninstall_libtasn1() {
+    if [ ! -z "$installed_libtasn1_version" ] ; then
+        #
+        # p11-kit depends on this, so uninstall it.
+        #
+        uninstall_p11_kit "$@"
+
+        echo "Uninstalling libtasn1:"
+        cd nettle-$installed_libtasn1_version
+        $DO_MAKE_UNINSTALL || exit 1
+        make distclean || exit 1
+        cd ..
+        rm libtasn1-$installed_libtasn1_version-done
+
+        if [ "$#" -eq 1 -a "$1" = "-r" ] ; then
+            #
+            # Get rid of the previously downloaded and unpacked version.
+            #
+            rm -rf libtasn1-$installed_libtasn1_version
+            rm -rf libtasn1-$installed_libtasn1_version.tar.gz
+        fi
+
+        installed_libtasn1_version=""
+    fi
+}
+
+install_p11_kit() {
+    if [ "$P11KIT_VERSION" -a ! -f p11-kit-$P11KIT_VERSION-done ] ; then
+        echo "Downloading, building, and installing p11-kit:"
+        [ -f p11-kit-$P11KIT_VERSION.tar.xz ] || curl -L -O https://github.com/p11-glue/p11-kit/releases/download/$P11KIT_VERSION/p11-kit-$P11KIT_VERSION.tar.xz || exit 1
+        $no_build && echo "Skipping installation" && return
+        xzcat p11-kit-$P11KIT_VERSION.tar.xz | tar xf - || exit 1
+        cd p11-kit-$P11KIT_VERSION
+        # Same hack for libffi missing pkg-config files as GLib
+        includedir=`xcrun --show-sdk-path 2>/dev/null`/usr/include
+        LIBFFI_CFLAGS="-I $includedir/ffi" LIBFFI_LIBS="-lffi" CFLAGS="$CFLAGS $VERSION_MIN_FLAGS $SDKFLAGS" CXXFLAGS="$CXXFLAGS $VERSION_MIN_FLAGS $SDKFLAGS" LDFLAGS="$LDFLAGS $VERSION_MIN_FLAGS $SDKFLAGS" ./configure --without-trust-paths || exit 1
+        make $MAKE_BUILD_OPTS || exit 1
+        $DO_MAKE_INSTALL || exit 1
+        cd ..
+        touch p11-kit-$P11KIT_VERSION-done
+    fi
+}
+
+uninstall_p11_kit() {
+    if [ ! -z "$installed_p11_kit_version" ] ; then
+        #
+        # Nettle depends on this, so uninstall it.
+        #
+        uninstall_nettle "$@"
+
+        echo "Uninstalling p11-kit:"
+        cd p11-kit-$installed_p11_kit_version
+        $DO_MAKE_UNINSTALL || exit 1
+        make distclean || exit 1
+        cd ..
+        rm p11-kit-$installed_p11_kit_version-done
+
+        if [ "$#" -eq 1 -a "$1" = "-r" ] ; then
+            #
+            # Get rid of the previously downloaded and unpacked version.
+            #
+            rm -rf p11-kit-$installed_p11_kit_version
+            rm -rf p11-kit-$installed_p11_kit_version.tar.xz
+        fi
+
+        installed_p11_kit_version=""
+    fi
+}
+
 install_nettle() {
     if [ "$NETTLE_VERSION" -a ! -f nettle-$NETTLE_VERSION-done ] ; then
         echo "Downloading, building, and installing Nettle:"
@@ -1127,7 +1218,7 @@ install_nettle() {
         $no_build && echo "Skipping installation" && return
         gzcat nettle-$NETTLE_VERSION.tar.gz | tar xf - || exit 1
         cd nettle-$NETTLE_VERSION
-        CFLAGS="$CFLAGS $VERSION_MIN_FLAGS $SDKFLAGS" CXXFLAGS="$CXXFLAGS $VERSION_MIN_FLAGS $SDKFLAGS" LDFLAGS="$LDFLAGS $VERSION_MIN_FLAGS $SDKFLAGS" ./configure --with-libgcrypt --without-p11-kit || exit 1
+        CFLAGS="$CFLAGS $VERSION_MIN_FLAGS $SDKFLAGS" CXXFLAGS="$CXXFLAGS $VERSION_MIN_FLAGS $SDKFLAGS" LDFLAGS="$LDFLAGS $VERSION_MIN_FLAGS $SDKFLAGS" ./configure || exit 1
         make $MAKE_BUILD_OPTS || exit 1
         $DO_MAKE_INSTALL || exit 1
         cd ..
@@ -1188,7 +1279,7 @@ install_gnutls() {
             bzcat gnutls-$GNUTLS_VERSION.tar.bz2 | tar xf - || exit 1
         fi
         cd gnutls-$GNUTLS_VERSION
-        CFLAGS="$CFLAGS $VERSION_MIN_FLAGS $SDKFLAGS" CXXFLAGS="$CXXFLAGS $VERSION_MIN_FLAGS $SDKFLAGS" LDFLAGS="$LDFLAGS $VERSION_MIN_FLAGS $SDKFLAGS" ./configure --with-included-libtasn1 --with-included-unistring --without-p11-kit --disable-guile || exit 1
+        CFLAGS="$CFLAGS $VERSION_MIN_FLAGS $SDKFLAGS" CXXFLAGS="$CXXFLAGS $VERSION_MIN_FLAGS $SDKFLAGS" LDFLAGS="$LDFLAGS $VERSION_MIN_FLAGS $SDKFLAGS" ./configure --with-included-unistring --disable-guile || exit 1
         make $MAKE_BUILD_OPTS || exit 1
         $DO_MAKE_INSTALL || exit 1
         cd ..
@@ -2249,6 +2340,28 @@ install_all() {
         uninstall_gmp -r
     fi
 
+    if [ ! -z "$installed_p11_kit_version" -a \
+              "$installed_p11_kit_version" != "$P11KIT_VERSION" ] ; then
+        echo "Installed p11-kit version is $installed_p11_kit_version"
+        if [ -z "$P11KIT_VERSION" ] ; then
+            echo "p11-kit is not requested"
+        else
+            echo "Requested p11-kit version is $P11KIT_VERSION"
+        fi
+        uninstall_p11_kit -r
+    fi
+
+    if [ ! -z "$installed_libtasn1_version" -a \
+              "$installed_libtasn1_version" != "$LIBTASN1_VERSION" ] ; then
+        echo "Installed libtasn1 version is $installed_libtasn1_version"
+        if [ -z "$LIBTASN1_VERSION" ] ; then
+            echo "libtasn1 is not requested"
+        else
+            echo "Requested libtasn1 version is $LIBTASN1_VERSION"
+        fi
+        uninstall_libtasn1 -r
+    fi
+
     if [ ! -z "$installed_libgcrypt_version" -a \
               "$installed_libgcrypt_version" != "$LIBGCRYPT_VERSION" ] ; then
         echo "Installed libgcrypt version is $installed_libgcrypt_version"
@@ -2551,6 +2664,10 @@ install_all() {
 
     install_gmp
 
+    install_libtasn1
+
+    install_p11_kit
+
     install_nettle
 
     install_gnutls
@@ -2654,6 +2771,10 @@ uninstall_all() {
 
         uninstall_nettle
 
+        uninstall_p11_kit
+
+        uninstall_libtasn1
+
         uninstall_gmp
 
         uninstall_libgcrypt
@@ -2814,6 +2935,8 @@ then
     installed_libgpg_error_version=`ls libgpg-error-*-done 2>/dev/null | sed 's/libgpg-error-\(.*\)-done/\1/'`
     installed_libgcrypt_version=`ls libgcrypt-*-done 2>/dev/null | sed 's/libgcrypt-\(.*\)-done/\1/'`
     installed_gmp_version=`ls gmp-*-done 2>/dev/null | sed 's/gmp-\(.*\)-done/\1/'`
+    installed_libtasn1_version=`ls libtasn1-*-done 2>/dev/null | sed 's/libtasn1-\(.*\)-done/\1/'`
+    installed_p11_kit_version=`ls p11-kit-*-done 2>/dev/null | sed 's/p11-kit-\(.*\)-done/\1/'`
     installed_nettle_version=`ls nettle-*-done 2>/dev/null | sed 's/nettle-\(.*\)-done/\1/'`
     installed_gnutls_version=`ls gnutls-*-done 2>/dev/null | sed 's/gnutls-\(.*\)-done/\1/'`
     installed_lua_version=`ls lua-*-done 2>/dev/null | sed 's/lua-\(.*\)-done/\1/'`