curl+hyper+crustls fails to build on macOS due to Security.framework linkage #127

Closed
tgeoghegan opened this issue Jul 1, 2021 · 4 comments

@tgeoghegan
Collaborator

tgeoghegan commented Jul 1, 2021

@kevinburke reports a failure building curl:

autoreconf -fi && ./configure --with-hyper=/Users/<pii>/src/github.com/hyperium/hyper --with-rustls=/Users/<pii>/src/github.com/rustls/rustls-ffi/target --without-ssl --without-secure-transport --without-nghttp2 --enable-debug --prefix=/Users/<pii>curl && make && make install && rehash && ~/curl/bin/curl --version
configure:27602: gcc -o conftest -Werror-implicit-function-declaration -g -O0 -pedantic -Wall -W -Wpointer-arith -Wwrite-strings -Wunused -Wshadow -Winline -Wnested-externs -Wmissing-declarations -Wmissing-prototypes -Wno-long-long -Wbad-function-cast -Wfloat-equal -Wno-multichar -Wsign-compare -Wundef -Wno-format-nonliteral -Wendif-labels -Wstrict-prototypes -Wdeclaration-after-statement -Wold-style-definition -Wstrict-aliasing=3 -Wcast-align -Wtype-limits -Wold-style-declaration -Wmissing-parameter-type -Wempty-body -Wclobbered -Wignored-qualifiers -Wconversion -Wno-sign-conversion -Wvla -ftree-vrp -Wdouble-promotion -Wformat=2 -Warray-bounds=2 -Wshift-negative-value -Wshift-overflow=2 -Wnull-dereference -fdelete-null-pointer-checks -Wduplicated-cond -Wunused-const-variable -Wduplicated-branches -Wrestrict -Walloc-zero -Wformat-overflow=2 -Wformat-truncation=2 -Wimplicit-fallthrough=4 -Wno-system-headers -Wenum-conversion  -I/Users/<pii>/src/github.com/hyperium/hyper/capi/include  -I/Users/<pii>/src/github.com/rustls/rustls-ffi/target/include  -framework CoreFoundation -framework SystemConfiguration -L/Users/<pii>/src/github.com/hyperium/hyper/target/debug  -L/Users/<pii>/src/github.com/rustls/rustls-ffi/target/lib conftest.c -lcrustls -lpthread -ldl -lldap -lz -lhyper -ldl -lpthread -lm  >&5
conftest.c:46:1: warning: function declaration isn't a prototype [-Wstrict-prototypes]
   46 | char rustls_connection_read ();
      | ^~~~
Undefined symbols for architecture x86_64:
  "_SecRandomCopyBytes", referenced from:
      __ZN4ring4rand6darwin4fill17hef096156cdbb5e22E in libcrustls.a(ring-059d35c0cff8849f.ring.4rb6t1i9-cgu.13.rcgu.o)
      __ZN4ring2ec7suite_b5ecdsa7signing12EcdsaKeyPair3new17h59971278221fac36E in libcrustls.a(ring-059d35c0cff8849f.ring.4rb6t1i9-cgu.14.rcgu.o)
  "_kSecRandomDefault", referenced from:
      __ZN4ring4rand6darwin4fill17hef096156cdbb5e22E in libcrustls.a(ring-059d35c0cff8849f.ring.4rb6t1i9-cgu.13.rcgu.o)
      __ZN4ring2ec7suite_b5ecdsa7signing12EcdsaKeyPair3new17h59971278221fac36E in libcrustls.a(ring-059d35c0cff8849f.ring.4rb6t1i9-cgu.14.rcgu.o)
ld: symbol(s) not found for architecture x86_64

I believe the problem here is that the gcc invocation is missing -framework Security, needed to resolve SecRandomCopyBytes. That symbol is needed by ring::rand::SecureRandom on macOS (see also briansmith/ring#149). However, building curl with --without-secure-transport causes it to not link Security.framework when building on Darwin.
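
An added example, not part of the original report and not code from curl or rustls-ffi: a shell helper that reads a macOS linker failure like the one quoted above, lists each undefined symbol with the archive that references it, and names the framework to add. The function names and the rule that `_Sec`/`_kSec` symbols come from Security.framework are assumptions of this example; the sample input is constructed from the log above with the symbol hashes replaced by placeholders.

```shell
# Added example: triage macOS ld "Undefined symbols" output (e.g. from config.log).
# Assumption: symbols starting with _Sec or _kSec live in Security.framework,
# which holds for SecRandomCopyBytes and kSecRandomDefault named in this issue.

# Print "symbol<TAB>archive" for every undefined-symbol reference on stdin.
undefined_refs() {
  awk '
    /^Undefined symbols for architecture/ { in_block = 1; next }
    /^ld: /                               { in_block = 0 }
    !in_block                             { next }
    /^  "[^"]+", referenced from:/ {
      sym = $0
      sub(/^  "/, "", sym); sub(/", referenced from:.*$/, "", sym)
      next
    }
    / in [^ (]+\(/ {
      lib = $0
      sub(/^.* in /, "", lib); sub(/\(.*$/, "", lib)
      print sym "\t" lib
    }
  ' | sort -u
}

# Print the -framework flags implied by the undefined symbols on stdin.
suggest_frameworks() {
  undefined_refs | awk -F '\t' '
    $1 ~ /^_k?Sec[A-Z]/ { need["Security"] = 1 }
    END { for (f in need) print "-framework " f }
  '
}

# Constructed sample: the linker errors from the issue, hashes replaced.
sample_ld_output() {
  cat <<'EOF'
conftest.c:46:1: warning: function declaration isn't a prototype [-Wstrict-prototypes]
Undefined symbols for architecture x86_64:
  "_SecRandomCopyBytes", referenced from:
      __ZN4ring4rand6darwin4fill17hEXAMPLEE in libcrustls.a(ring-EXAMPLE.rcgu.o)
      __ZN4ring2ec7suite_b5ecdsa7signing12EcdsaKeyPair3new17hEXAMPLEE in libcrustls.a(ring-EXAMPLE.rcgu.o)
  "_kSecRandomDefault", referenced from:
      __ZN4ring4rand6darwin4fill17hEXAMPLEE in libcrustls.a(ring-EXAMPLE.rcgu.o)
ld: symbol(s) not found for architecture x86_64
EOF
}

sample_ld_output | suggest_frameworks
```

The archive column shows that the references come from `libcrustls.a` (the ring objects bundled into it), which is why the flag has to be supplied by whatever links that static library.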

@tgeoghegan
Collaborator Author

tgeoghegan commented Jul 1, 2021

There's a couple ways to resolve this, off the top of my head. ring could introduce a feature that makes it use arc4random(3) or CCRandomGenerateBytes (both of which are in Darwin libc/libsystem) buuuuut since Darwin curl builds already suffer the indignity of linking CoreFoundation.framework and SystemConfiguration.framework, it might be better to make curl bring Security.framework back in if either or both of --with-hyper or --with-rustls are set (depending on which one uses ring:random::SystemRandom, and I bet it's both), especially since I think a lot of care went into ring's decision to use SecRandomCopyBytes on macOS.

I filed this issue in rustls-ffi just so we don't lose track of the problem, but I don't think this project is where a fix will be made, since crustls doesn't directly depend on ring.

@kevinburke
Contributor

Thank you @tgeoghegan !

@kevinburke
Contributor

I'm able to work around this during curl compilation by manually setting CPPFLAGS="-framework Security" in the environment. So now I'm running into the UnknownIssuer cert issue instead :)

@cpu
Member

cpu commented Oct 4, 2024

I don't believe this issue is relevant with tip-of-main. If I'm mistaken and someone can reproduce with tip, or the 0.14.0 release, please comment and we can revisit.

@cpu closed this as not planned (won't fix, can't repro, duplicate, stale) on Oct 4, 2024