authorVladimír Čunát <v@cunat.cz>2023-02-11 09:26:51 +0100
committerAlyssa Ross <hi@alyssa.is>2023-02-14 20:39:48 +0000
commit0cedc3dedfacb410783ed767961356616bed9fa1 (patch)
tree767fd94bdc25f2aa3d885e5be2bdb6b01c0641f2 /pkgs/development/libraries/gnutls
parent0442267e821a573737ec9a858ad3551bb144fb93 (diff)
gnutls: drop the withSecurity option
The patch for `withSecurity = false` no longer applies cleanly,
and it had already been insufficient for several months.
No one has shown interest in fixing it.
Diffstat (limited to 'pkgs/development/libraries/gnutls')
-rw-r--r--pkgs/development/libraries/gnutls/default.nix11
-rw-r--r--pkgs/development/libraries/gnutls/no-security-framework.patch126
2 files changed, 3 insertions, 134 deletions
diff --git a/pkgs/development/libraries/gnutls/default.nix b/pkgs/development/libraries/gnutls/default.nix
index adb25f8f8a9de..2c6e74d0fa1af 100644
--- a/pkgs/development/libraries/gnutls/default.nix
+++ b/pkgs/development/libraries/gnutls/default.nix
@@ -5,7 +5,7 @@
 , guileBindings ? config.gnutls.guile or false, guile
 , tpmSupport ? false, trousers, which, nettools, libunistring
 , withP11-kit ? !stdenv.hostPlatform.isStatic, p11-kit
-, withSecurity ? true, Security  # darwin Security.framework
+, Security  # darwin Security.framework
 # certificate compression - only zlib now, more possible: zstd, brotli
 
 # for passthru.tests
@@ -47,11 +47,7 @@ stdenv.mkDerivation rec {
   outputInfo = "devdoc";
   outputDoc  = "devdoc";
 
-  patches = [ ./nix-ssl-cert-file.patch ]
-    # Disable native add_system_trust.
-    # FIXME: apparently it's not enough to drop the framework anymore; maybe related to
-    # https://gitlab.com/gnutls/gnutls/-/commit/c19cb93d492e45141bfef9b926dfeba36003261c
-    ++ lib.optional (isDarwin && !withSecurity) ./no-security-framework.patch;
+  patches = [ ./nix-ssl-cert-file.patch ];
 
   # Skip some tests:
   #  - pkg-config: building against the result won't work before installing (3.5.11)
@@ -93,12 +89,11 @@ stdenv.mkDerivation rec {
     ++ lib.optional guileBindings guile;
 
   nativeBuildInputs = [ perl pkg-config ]
-    ++ lib.optionals (isDarwin && !withSecurity) [ autoconf automake ]
     ++ lib.optionals doCheck [ which nettools util-linux ];
 
   propagatedBuildInputs = [ nettle ]
     # Builds dynamically linking against gnutls seem to need the framework now.
-    ++ lib.optional (isDarwin && withSecurity) Security;
+    ++ lib.optional isDarwin Security;
 
   inherit doCheck;
   # stdenv's `NIX_SSL_CERT_FILE=/no-cert-file.crt` breaks tests.
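Review bot: The `propagatedBuildInputs` change makes Security.framework unconditional on Darwin, but the only explanation of what that framework does to the trust store was the FIXME dropped in the previous hunk, so the remaining comment ("seem to need the framework now") no longer tells a reader why it matters. The deleted no-security-framework.patch shows the upstream code it reverted building the default trust list from the macOS keychain trust settings (the user, admin and system `SecTrustSettings` domains) rather than from a CA bundle file; with the framework always linked, that is presumably what every Darwin build now does, subject to whatever `nix-ssl-cert-file.patch` overrides, which this diff does not show. I would replace the hedged comment above `lib.optional isDarwin Security` with `# Darwin: Security.framework is always linked; gnutls then seeds its default trust list from the macOS keychain trust settings (user/admin/system), not from a CA bundle file.` so that the security-relevant consequence — keychain-installed CAs are honoured by every Darwin gnutls consumer — is documented where the dependency is declared.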
diff --git a/pkgs/development/libraries/gnutls/no-security-framework.patch b/pkgs/development/libraries/gnutls/no-security-framework.patch
deleted file mode 100644
index 7f5808e50535e..0000000000000
--- a/pkgs/development/libraries/gnutls/no-security-framework.patch
+++ /dev/null
@@ -1,126 +0,0 @@
-commit 9bcdde1ab9cdff6a4471f9a926dd488ab70c7247
-Author: Daiderd Jordan <daiderd@gmail.com>
-Date:   Mon Apr 22 16:38:27 2019 +0200
-
-    Revert "gnutls_x509_trust_list_add_system_trust: Add macOS keychain support"
-    
-    This reverts commit c0eb46d3463cd21b3f822ac377ff37f067f66b8d.
-
-diff --git a/configure.ac b/configure.ac
-index 8ad597bfd..8d14f26cd 100644
---- a/configure.ac
-+++ b/configure.ac
-@@ -781,7 +781,7 @@ dnl auto detect https://lists.gnu.org/archive/html/help-gnutls/2012-05/msg00004.
- AC_ARG_WITH([default-trust-store-file],
-   [AS_HELP_STRING([--with-default-trust-store-file=FILE],
-     [use the given file default trust store])], with_default_trust_store_file="$withval",
--  [if test "$build" = "$host" && test x$with_default_trust_store_pkcs11 = x && test x$with_default_trust_store_dir = x && test x$have_macosx = x;then
-+  [if test "$build" = "$host" && test x$with_default_trust_store_pkcs11 = x && test x$with_default_trust_store_dir = x;then
-   for i in \
-     /etc/ssl/ca-bundle.pem \
-     /etc/ssl/certs/ca-certificates.crt \
-diff --git a/lib/Makefile.am b/lib/Makefile.am
-index fe9cf63a2..745695f7e 100644
---- a/lib/Makefile.am
-+++ b/lib/Makefile.am
-@@ -203,10 +203,6 @@ if WINDOWS
- thirdparty_libadd += -lcrypt32
- endif
- 
--if MACOSX
--libgnutls_la_LDFLAGS += -framework Security -framework CoreFoundation
--endif
--
- libgnutls_la_LIBADD += $(thirdparty_libadd)
- 
- # C++ library
-diff --git a/lib/system/certs.c b/lib/system/certs.c
-index 611c645e0..912b0aa5e 100644
---- a/lib/system/certs.c
-+++ b/lib/system/certs.c
-@@ -44,12 +44,6 @@
- # endif
- #endif
- 
--#ifdef __APPLE__
--# include <CoreFoundation/CoreFoundation.h>
--# include <Security/Security.h>
--# include <Availability.h>
--#endif
--
- /* System specific function wrappers for certificate stores.
-  */
- 
-@@ -276,72 +270,6 @@ int add_system_trust(gnutls_x509_trust_list_t list, unsigned int tl_flags,
- 
- 	return r;
- }
--#elif defined(__APPLE__) && __MAC_OS_X_VERSION_MIN_REQUIRED >= 1070
--static
--int osstatus_error(status)
--{
--	CFStringRef err_str = SecCopyErrorMessageString(status, NULL);
--	_gnutls_debug_log("Error loading system root certificates: %s\n",
--			  CFStringGetCStringPtr(err_str, kCFStringEncodingUTF8));
--	CFRelease(err_str);
--	return GNUTLS_E_FILE_ERROR;
--}
--
--static
--int add_system_trust(gnutls_x509_trust_list_t list, unsigned int tl_flags,
--		     unsigned int tl_vflags)
--{
--	int r=0;
--
--	SecTrustSettingsDomain domain[] = { kSecTrustSettingsDomainUser,
--					    kSecTrustSettingsDomainAdmin,
--					    kSecTrustSettingsDomainSystem };
--	for (size_t d=0; d<sizeof(domain)/sizeof(*domain); d++) {
--		CFArrayRef certs = NULL;
--		OSStatus status = SecTrustSettingsCopyCertificates(domain[d],
--								   &certs);
--		if (status == errSecNoTrustSettings)
--			continue;
--		if (status != errSecSuccess)
--			return osstatus_error(status);
--
--		int cert_count = CFArrayGetCount(certs);
--		for (int i=0; i<cert_count; i++) {
--			SecCertificateRef cert =
--				(void*)CFArrayGetValueAtIndex(certs, i);
--			CFDataRef der;
--			status = SecItemExport(cert, kSecFormatX509Cert, 0,
--					       NULL, &der);
--			if (status != errSecSuccess) {
--				CFRelease(der);
--				CFRelease(certs);
--				return osstatus_error(status);
--			}
--
--			if (gnutls_x509_trust_list_add_trust_mem(list,
--								 &(gnutls_datum_t) {
--									.data = (void*)CFDataGetBytePtr(der),
--									.size = CFDataGetLength(der),
--								 },
--								 NULL,
--			                                         GNUTLS_X509_FMT_DER,
--								 tl_flags,
--								 tl_vflags) > 0)
--				r++;
--			CFRelease(der);
--		}
--		CFRelease(certs);
--	}
--
--#ifdef DEFAULT_BLACKLIST_FILE
--	ret = gnutls_x509_trust_list_remove_trust_file(list, DEFAULT_BLACKLIST_FILE, GNUTLS_X509_FMT_PEM);
--	if (ret < 0) {
--		_gnutls_debug_log("Could not load blacklist file '%s'\n", DEFAULT_BLACKLIST_FILE);
--	}
--#endif
--
--	return r;
--}
- #else
- 
- #define add_system_trust(x,y,z) GNUTLS_E_UNIMPLEMENTED_FEATURE