gnutls: drop the withSecurity option
The patch for `withSecurity = false` wouldn't apply anymore, and it didn't seem sufficient for several months already. Noone's shown interest in fixing that.
This commit is contained in:
parent
0442267e82
commit
0cedc3dedf
|
@ -5,7 +5,7 @@
|
||||||
, guileBindings ? config.gnutls.guile or false, guile
|
, guileBindings ? config.gnutls.guile or false, guile
|
||||||
, tpmSupport ? false, trousers, which, nettools, libunistring
|
, tpmSupport ? false, trousers, which, nettools, libunistring
|
||||||
, withP11-kit ? !stdenv.hostPlatform.isStatic, p11-kit
|
, withP11-kit ? !stdenv.hostPlatform.isStatic, p11-kit
|
||||||
, withSecurity ? true, Security # darwin Security.framework
|
, Security # darwin Security.framework
|
||||||
# certificate compression - only zlib now, more possible: zstd, brotli
|
# certificate compression - only zlib now, more possible: zstd, brotli
|
||||||
|
|
||||||
# for passthru.tests
|
# for passthru.tests
|
||||||
|
@ -47,11 +47,7 @@ stdenv.mkDerivation rec {
|
||||||
outputInfo = "devdoc";
|
outputInfo = "devdoc";
|
||||||
outputDoc = "devdoc";
|
outputDoc = "devdoc";
|
||||||
|
|
||||||
patches = [ ./nix-ssl-cert-file.patch ]
|
patches = [ ./nix-ssl-cert-file.patch ];
|
||||||
# Disable native add_system_trust.
|
|
||||||
# FIXME: apparently it's not enough to drop the framework anymore; maybe related to
|
|
||||||
# https://gitlab.com/gnutls/gnutls/-/commit/c19cb93d492e45141bfef9b926dfeba36003261c
|
|
||||||
++ lib.optional (isDarwin && !withSecurity) ./no-security-framework.patch;
|
|
||||||
|
|
||||||
# Skip some tests:
|
# Skip some tests:
|
||||||
# - pkg-config: building against the result won't work before installing (3.5.11)
|
# - pkg-config: building against the result won't work before installing (3.5.11)
|
||||||
|
@ -93,12 +89,11 @@ stdenv.mkDerivation rec {
|
||||||
++ lib.optional guileBindings guile;
|
++ lib.optional guileBindings guile;
|
||||||
|
|
||||||
nativeBuildInputs = [ perl pkg-config ]
|
nativeBuildInputs = [ perl pkg-config ]
|
||||||
++ lib.optionals (isDarwin && !withSecurity) [ autoconf automake ]
|
|
||||||
++ lib.optionals doCheck [ which nettools util-linux ];
|
++ lib.optionals doCheck [ which nettools util-linux ];
|
||||||
|
|
||||||
propagatedBuildInputs = [ nettle ]
|
propagatedBuildInputs = [ nettle ]
|
||||||
# Builds dynamically linking against gnutls seem to need the framework now.
|
# Builds dynamically linking against gnutls seem to need the framework now.
|
||||||
++ lib.optional (isDarwin && withSecurity) Security;
|
++ lib.optional isDarwin Security;
|
||||||
|
|
||||||
inherit doCheck;
|
inherit doCheck;
|
||||||
# stdenv's `NIX_SSL_CERT_FILE=/no-cert-file.crt` breaks tests.
|
# stdenv's `NIX_SSL_CERT_FILE=/no-cert-file.crt` breaks tests.
|
||||||
|
|
|
@ -1,126 +0,0 @@
|
||||||
commit 9bcdde1ab9cdff6a4471f9a926dd488ab70c7247
|
|
||||||
Author: Daiderd Jordan <daiderd@gmail.com>
|
|
||||||
Date: Mon Apr 22 16:38:27 2019 +0200
|
|
||||||
|
|
||||||
Revert "gnutls_x509_trust_list_add_system_trust: Add macOS keychain support"
|
|
||||||
|
|
||||||
This reverts commit c0eb46d3463cd21b3f822ac377ff37f067f66b8d.
|
|
||||||
|
|
||||||
diff --git a/configure.ac b/configure.ac
|
|
||||||
index 8ad597bfd..8d14f26cd 100644
|
|
||||||
--- a/configure.ac
|
|
||||||
+++ b/configure.ac
|
|
||||||
@@ -781,7 +781,7 @@ dnl auto detect https://lists.gnu.org/archive/html/help-gnutls/2012-05/msg00004.
|
|
||||||
AC_ARG_WITH([default-trust-store-file],
|
|
||||||
[AS_HELP_STRING([--with-default-trust-store-file=FILE],
|
|
||||||
[use the given file default trust store])], with_default_trust_store_file="$withval",
|
|
||||||
- [if test "$build" = "$host" && test x$with_default_trust_store_pkcs11 = x && test x$with_default_trust_store_dir = x && test x$have_macosx = x;then
|
|
||||||
+ [if test "$build" = "$host" && test x$with_default_trust_store_pkcs11 = x && test x$with_default_trust_store_dir = x;then
|
|
||||||
for i in \
|
|
||||||
/etc/ssl/ca-bundle.pem \
|
|
||||||
/etc/ssl/certs/ca-certificates.crt \
|
|
||||||
diff --git a/lib/Makefile.am b/lib/Makefile.am
|
|
||||||
index fe9cf63a2..745695f7e 100644
|
|
||||||
--- a/lib/Makefile.am
|
|
||||||
+++ b/lib/Makefile.am
|
|
||||||
@@ -203,10 +203,6 @@ if WINDOWS
|
|
||||||
thirdparty_libadd += -lcrypt32
|
|
||||||
endif
|
|
||||||
|
|
||||||
-if MACOSX
|
|
||||||
-libgnutls_la_LDFLAGS += -framework Security -framework CoreFoundation
|
|
||||||
-endif
|
|
||||||
-
|
|
||||||
libgnutls_la_LIBADD += $(thirdparty_libadd)
|
|
||||||
|
|
||||||
# C++ library
|
|
||||||
diff --git a/lib/system/certs.c b/lib/system/certs.c
|
|
||||||
index 611c645e0..912b0aa5e 100644
|
|
||||||
--- a/lib/system/certs.c
|
|
||||||
+++ b/lib/system/certs.c
|
|
||||||
@@ -44,12 +44,6 @@
|
|
||||||
# endif
|
|
||||||
#endif
|
|
||||||
|
|
||||||
-#ifdef __APPLE__
|
|
||||||
-# include <CoreFoundation/CoreFoundation.h>
|
|
||||||
-# include <Security/Security.h>
|
|
||||||
-# include <Availability.h>
|
|
||||||
-#endif
|
|
||||||
-
|
|
||||||
/* System specific function wrappers for certificate stores.
|
|
||||||
*/
|
|
||||||
|
|
||||||
@@ -276,72 +270,6 @@ int add_system_trust(gnutls_x509_trust_list_t list, unsigned int tl_flags,
|
|
||||||
|
|
||||||
return r;
|
|
||||||
}
|
|
||||||
-#elif defined(__APPLE__) && __MAC_OS_X_VERSION_MIN_REQUIRED >= 1070
|
|
||||||
-static
|
|
||||||
-int osstatus_error(status)
|
|
||||||
-{
|
|
||||||
- CFStringRef err_str = SecCopyErrorMessageString(status, NULL);
|
|
||||||
- _gnutls_debug_log("Error loading system root certificates: %s\n",
|
|
||||||
- CFStringGetCStringPtr(err_str, kCFStringEncodingUTF8));
|
|
||||||
- CFRelease(err_str);
|
|
||||||
- return GNUTLS_E_FILE_ERROR;
|
|
||||||
-}
|
|
||||||
-
|
|
||||||
-static
|
|
||||||
-int add_system_trust(gnutls_x509_trust_list_t list, unsigned int tl_flags,
|
|
||||||
- unsigned int tl_vflags)
|
|
||||||
-{
|
|
||||||
- int r=0;
|
|
||||||
-
|
|
||||||
- SecTrustSettingsDomain domain[] = { kSecTrustSettingsDomainUser,
|
|
||||||
- kSecTrustSettingsDomainAdmin,
|
|
||||||
- kSecTrustSettingsDomainSystem };
|
|
||||||
- for (size_t d=0; d<sizeof(domain)/sizeof(*domain); d++) {
|
|
||||||
- CFArrayRef certs = NULL;
|
|
||||||
- OSStatus status = SecTrustSettingsCopyCertificates(domain[d],
|
|
||||||
- &certs);
|
|
||||||
- if (status == errSecNoTrustSettings)
|
|
||||||
- continue;
|
|
||||||
- if (status != errSecSuccess)
|
|
||||||
- return osstatus_error(status);
|
|
||||||
-
|
|
||||||
- int cert_count = CFArrayGetCount(certs);
|
|
||||||
- for (int i=0; i<cert_count; i++) {
|
|
||||||
- SecCertificateRef cert =
|
|
||||||
- (void*)CFArrayGetValueAtIndex(certs, i);
|
|
||||||
- CFDataRef der;
|
|
||||||
- status = SecItemExport(cert, kSecFormatX509Cert, 0,
|
|
||||||
- NULL, &der);
|
|
||||||
- if (status != errSecSuccess) {
|
|
||||||
- CFRelease(der);
|
|
||||||
- CFRelease(certs);
|
|
||||||
- return osstatus_error(status);
|
|
||||||
- }
|
|
||||||
-
|
|
||||||
- if (gnutls_x509_trust_list_add_trust_mem(list,
|
|
||||||
- &(gnutls_datum_t) {
|
|
||||||
- .data = (void*)CFDataGetBytePtr(der),
|
|
||||||
- .size = CFDataGetLength(der),
|
|
||||||
- },
|
|
||||||
- NULL,
|
|
||||||
- GNUTLS_X509_FMT_DER,
|
|
||||||
- tl_flags,
|
|
||||||
- tl_vflags) > 0)
|
|
||||||
- r++;
|
|
||||||
- CFRelease(der);
|
|
||||||
- }
|
|
||||||
- CFRelease(certs);
|
|
||||||
- }
|
|
||||||
-
|
|
||||||
-#ifdef DEFAULT_BLACKLIST_FILE
|
|
||||||
- ret = gnutls_x509_trust_list_remove_trust_file(list, DEFAULT_BLACKLIST_FILE, GNUTLS_X509_FMT_PEM);
|
|
||||||
- if (ret < 0) {
|
|
||||||
- _gnutls_debug_log("Could not load blacklist file '%s'\n", DEFAULT_BLACKLIST_FILE);
|
|
||||||
- }
|
|
||||||
-#endif
|
|
||||||
-
|
|
||||||
- return r;
|
|
||||||
-}
|
|
||||||
#else
|
|
||||||
|
|
||||||
#define add_system_trust(x,y,z) GNUTLS_E_UNIMPLEMENTED_FEATURE
|
|
Loading…
Reference in a new issue