nixpkgs/pkgs/development/libraries/gnutls/no-security-framework.patch

commit 9bcdde1ab9cdff6a4471f9a926dd488ab70c7247
Author: Daiderd Jordan <daiderd@gmail.com>
Date:   Mon Apr 22 16:38:27 2019 +0200

    Revert "gnutls_x509_trust_list_add_system_trust: Add macOS keychain support"
    
    This reverts commit c0eb46d3463cd21b3f822ac377ff37f067f66b8d.

diff --git a/configure.ac b/configure.ac
index 8ad597bfd..8d14f26cd 100644
--- a/configure.ac
+++ b/configure.ac
@@ -781,7 +781,7 @@ dnl auto detect https://lists.gnu.org/archive/html/help-gnutls/2012-05/msg00004.
 AC_ARG_WITH([default-trust-store-file],
   [AS_HELP_STRING([--with-default-trust-store-file=FILE],
     [use the given file default trust store])], with_default_trust_store_file="$withval",
-  [if test "$build" = "$host" && test x$with_default_trust_store_pkcs11 = x && test x$with_default_trust_store_dir = x && test x$have_macosx = x;then
+  [if test "$build" = "$host" && test x$with_default_trust_store_pkcs11 = x && test x$with_default_trust_store_dir = x;then
   for i in \
     /etc/ssl/ca-bundle.pem \
     /etc/ssl/certs/ca-certificates.crt \
diff --git a/lib/Makefile.am b/lib/Makefile.am
index fe9cf63a2..745695f7e 100644
--- a/lib/Makefile.am
+++ b/lib/Makefile.am
@@ -203,10 +203,6 @@ if WINDOWS
 thirdparty_libadd += -lcrypt32
 endif
 
-if MACOSX
-libgnutls_la_LDFLAGS += -framework Security -framework CoreFoundation
-endif
-
 libgnutls_la_LIBADD += $(thirdparty_libadd)
 
 # C++ library
diff --git a/lib/system/certs.c b/lib/system/certs.c
index 611c645e0..912b0aa5e 100644
--- a/lib/system/certs.c
+++ b/lib/system/certs.c
@@ -44,12 +44,6 @@
 # endif
 #endif
 
-#ifdef __APPLE__
-# include <CoreFoundation/CoreFoundation.h>
-# include <Security/Security.h>
-# include <Availability.h>
-#endif
-
 /* System specific function wrappers for certificate stores.
  */
 
@@ -276,72 +270,6 @@ int add_system_trust(gnutls_x509_trust_list_t list, unsigned int tl_flags,
 
 	return r;
 }
-#elif defined(__APPLE__) && __MAC_OS_X_VERSION_MIN_REQUIRED >= 1070
-static
-int osstatus_error(status)
-{
-	CFStringRef err_str = SecCopyErrorMessageString(status, NULL);
-	_gnutls_debug_log("Error loading system root certificates: %s\n",
-			  CFStringGetCStringPtr(err_str, kCFStringEncodingUTF8));
-	CFRelease(err_str);
-	return GNUTLS_E_FILE_ERROR;
-}
-
-static
-int add_system_trust(gnutls_x509_trust_list_t list, unsigned int tl_flags,
-		     unsigned int tl_vflags)
-{
-	int r=0;
-
-	SecTrustSettingsDomain domain[] = { kSecTrustSettingsDomainUser,
-					    kSecTrustSettingsDomainAdmin,
-					    kSecTrustSettingsDomainSystem };
-	for (size_t d=0; d<sizeof(domain)/sizeof(*domain); d++) {
-		CFArrayRef certs = NULL;
-		OSStatus status = SecTrustSettingsCopyCertificates(domain[d],
-								   &certs);
-		if (status == errSecNoTrustSettings)
-			continue;
-		if (status != errSecSuccess)
-			return osstatus_error(status);
-
-		int cert_count = CFArrayGetCount(certs);
-		for (int i=0; i<cert_count; i++) {
-			SecCertificateRef cert =
-				(void*)CFArrayGetValueAtIndex(certs, i);
-			CFDataRef der;
-			status = SecItemExport(cert, kSecFormatX509Cert, 0,
-					       NULL, &der);
-			if (status != errSecSuccess) {
-				CFRelease(der);
-				CFRelease(certs);
-				return osstatus_error(status);
-			}
-
-			if (gnutls_x509_trust_list_add_trust_mem(list,
-								 &(gnutls_datum_t) {
-									.data = (void*)CFDataGetBytePtr(der),
-									.size = CFDataGetLength(der),
-								 },
-								 NULL,
-			                                         GNUTLS_X509_FMT_DER,
-								 tl_flags,
-								 tl_vflags) > 0)
-				r++;
-			CFRelease(der);
-		}
-		CFRelease(certs);
-	}
-
-#ifdef DEFAULT_BLACKLIST_FILE
-	ret = gnutls_x509_trust_list_remove_trust_file(list, DEFAULT_BLACKLIST_FILE, GNUTLS_X509_FMT_PEM);
-	if (ret < 0) {
-		_gnutls_debug_log("Could not load blacklist file '%s'\n", DEFAULT_BLACKLIST_FILE);
-	}
-#endif
-
-	return r;
-}
 #else
 
 #define add_system_trust(x,y,z) GNUTLS_E_UNIMPLEMENTED_FEATURE