From 525a6631747597cd108bed21c26286637038b6a6 Mon Sep 17 00:00:00 2001
From: Guillaume Maudoux
Date: Tue, 21 Mar 2017 10:28:44 +0100
Subject: [PATCH 1/3] curl, git: Fix curl default CA, let git use it

Improve patching of curl to use NIX_SSL_CERT_FILE as default CA
Remove patches from git, as git uses curl and passes its environment variables to curl.
---
 .../git-and-tools/git/default.nix | 1 -
 .../git-and-tools/git/ssl-cert-file.patch | 14 ---------
 .../networking/curl/nix-ssl-cert-file.patch | 31 ++++++++++++++++---
 3 files changed, 27 insertions(+), 19 deletions(-)
 delete mode 100644 pkgs/applications/version-management/git-and-tools/git/ssl-cert-file.patch
diff --git a/pkgs/applications/version-management/git-and-tools/git/default.nix b/pkgs/applications/version-management/git-and-tools/git/default.nix
index af5fc8a8be4..d6cc205bbae 100644
--- a/pkgs/applications/version-management/git-and-tools/git/default.nix
+++ b/pkgs/applications/version-management/git-and-tools/git/default.nix
@@ -30,7 +30,6 @@ stdenv.mkDerivation {
 ./symlinks-in-bin.patch
 ./git-sh-i18n.patch
 ./ssh-path.patch
- ./ssl-cert-file.patch
 ];
 
 postPatch = ''
diff --git a/pkgs/applications/version-management/git-and-tools/git/ssl-cert-file.patch b/pkgs/applications/version-management/git-and-tools/git/ssl-cert-file.patch
deleted file mode 100644
index 0e0697dfb21..00000000000
--- a/pkgs/applications/version-management/git-and-tools/git/ssl-cert-file.patch
+++ /dev/null
@@ -1,14 +0,0 @@
-diff -ru git-2.7.4-orig/http.c git-2.7.4/http.c
---- git-2.7.4-orig/http.c 2016-03-17 21:47:59.000000000 +0100
-+++ git-2.7.4/http.c 2016-04-12 11:38:33.187070848 +0200
-@@ -544,6 +544,10 @@
- #if LIBCURL_VERSION_NUM >= 0x070908
- set_from_env(&ssl_capath, "GIT_SSL_CAPATH");
- #endif
-+ if (getenv("NIX_SSL_CERT_FILE"))
-+ set_from_env(&ssl_cainfo, "NIX_SSL_CERT_FILE");
-+ else
-+ set_from_env(&ssl_cainfo, "SSL_CERT_FILE");
- set_from_env(&ssl_cainfo, "GIT_SSL_CAINFO");
- 
- set_from_env(&user_agent, "GIT_HTTP_USER_AGENT");
diff --git a/pkgs/tools/networking/curl/nix-ssl-cert-file.patch b/pkgs/tools/networking/curl/nix-ssl-cert-file.patch
index 20c408bfae2..14eaea7071b 100644
--- a/pkgs/tools/networking/curl/nix-ssl-cert-file.patch
+++ b/pkgs/tools/networking/curl/nix-ssl-cert-file.patch
@@ -1,7 +1,30 @@
-diff -ru -x '*~' curl-7.50.3-orig/src/tool_operate.c curl-7.50.3/src/tool_operate.c
---- curl-7.50.3-orig/src/tool_operate.c 2016-09-06 23:25:06.000000000 +0200
-+++ curl-7.50.3/src/tool_operate.c 2016-10-14 11:51:48.999943142 +0200
-@@ -269,7 +269,9 @@
+diff --git a/lib/url.c b/lib/url.c
+index 03feaa20f..43d3baa80 100644
+--- a/lib/url.c
++++ b/lib/url.c
+@@ -574,11 +574,15 @@ CURLcode Curl_init_userdefined(struct UserDefined *set)
+ 
+ /* This is our preferred CA cert bundle/path since install time */
+ #if defined(CURL_CA_BUNDLE)
+- result = setstropt(&set->str[STRING_SSL_CAFILE_ORIG], CURL_CA_BUNDLE);
++ char* env = curl_getenv("NIX_SSL_CERT_FILE");
++ if (!env)
++ env = CURL_CA_BUNDLE;
++ 
++ result = setstropt(&set->str[STRING_SSL_CAFILE_ORIG], env);
+ if(result)
+ return result;
+ 
+- result = setstropt(&set->str[STRING_SSL_CAFILE_PROXY], CURL_CA_BUNDLE);
++ result = setstropt(&set->str[STRING_SSL_CAFILE_PROXY], env);
+ if(result)
+ return result;
+ #endif
+diff --git a/src/tool_operate.c b/src/tool_operate.c
+index 572c8d0cc..ca4fb31cb 100644
+--- a/src/tool_operate.c
++++ b/src/tool_operate.c
+@@ -265,7 +265,9 @@ static CURLcode operate_do(struct GlobalConfig *global,
  capath_from_env = true;
  }
  else {

From 8ecb94bb97842f95ca3fb780fc2977ee43b7d554 Mon Sep 17 00:00:00 2001
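Review bot: In the new lib/url.c hunk, `char* env = curl_getenv("NIX_SSL_CERT_FILE");` takes ownership of a heap copy that is never freed, and the fallback `env = CURL_CA_BUNDLE;` makes `env` alias a string literal, so a plain `free(env)` after the two `setstropt()` calls would be wrong in that branch; keep the owned copy in its own variable, e.g. `char *nix_cafile = curl_getenv("NIX_SSL_CERT_FILE"); const char *cafile = nix_cafile ? nix_cafile : CURL_CA_BUNDLE;`, pass `cafile` to both `setstropt()` calls and free `nix_cafile` on every exit path, including the two early `return result;` lines. A second point is where the lookup now lives: the old patch only touched src/tool_operate.c, i.e. the command-line tool, whereas this version moves the environment lookup into libcurl's `Curl_init_userdefined()`, so every libcurl consumer, presumably including privileged ones, lets the caller's environment pick the trust anchors; the tool-only SSL_CERT_FILE handling in the tool_operate.c part suggests upstream keeps that split deliberately, so the patch should at least carry a comment stating that NIX_SSL_CERT_FILE is honoured library-wide and why that is acceptable here. `Curl_init_userdefined()` starts and ends outside the hunk, and the tool_operate.c part of the new patch ends at its `@@` line here with the remaining lines being shared context. Patch 2/3 of this series deletes this file again, so these points only matter if 1/3 is applied on its own.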
From: Guillaume Maudoux
Date: Wed, 22 Mar 2017 11:48:06 +0100
Subject: [PATCH 2/3] curl: Use default trust store of TLS backend

Having curl fall back to openssl's CA means that we need not patch curl to respect NIX_SSL_CERT_FILE. It will work in all the cases.

This reverts commit fb4c43dd8adbd7a10d1c52539b36e2da269f3f7f "curl: Use CA bundle in nix default profile by default"

If we want to reintroduce that feature, this needs to go inside openssl
---
 pkgs/tools/networking/curl/default.nix | 6 +--
 .../networking/curl/nix-ssl-cert-file.patch | 37 -------------------
 2 files changed, 1 insertion(+), 42 deletions(-)
 delete mode 100644 pkgs/tools/networking/curl/nix-ssl-cert-file.patch
diff --git a/pkgs/tools/networking/curl/default.nix b/pkgs/tools/networking/curl/default.nix
index f8d1506cca3..4f8daf38d46 100644
--- a/pkgs/tools/networking/curl/default.nix
+++ b/pkgs/tools/networking/curl/default.nix
@@ -28,8 +28,6 @@ stdenv.mkDerivation rec {
 sha256 = "1s1hyndva0yp62xy96pcp4anzrvw6cl0abjajim17sbmdp00fwhw";
 };
 
- patches = [ ./nix-ssl-cert-file.patch ];
-
 outputs = [ "bin" "dev" "out" "man" "devdoc" ];
 
 enableParallelBuilding = true;
@@ -57,9 +55,7 @@ stdenv.mkDerivation rec {
 '';
 
 configureFlags = [
- # OS X does not have a default system bundle, so we assume cacerts is installed in the default nix-env profile
- # This sucks. We should probably just include the latest cacerts in the darwin bootstrap.
- "--with-ca-bundle=${if stdenv.isDarwin then "/nix/var/nix/profiles/default" else ""}/etc/ssl/certs/ca-${if stdenv.isDarwin then "bundle" else "certificates"}.crt"
+ "--with-ca-fallback"
 "--disable-manual"
 ( if sslSupport then "--with-ssl=${openssl.dev}" else "--without-ssl" )
 ( if gnutlsSupport then "--with-gnutls=${gnutls.dev}" else "--without-gnutls" )
diff --git a/pkgs/tools/networking/curl/nix-ssl-cert-file.patch b/pkgs/tools/networking/curl/nix-ssl-cert-file.patch
deleted file mode 100644
index 14eaea7071b..00000000000
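Review bot: The `"--with-ca-fallback"` line replaces both the explicit bundle path and the two comment lines that explained why darwin pointed at the default profile, so the new default is undocumented; a comment such as `# No baked-in CA bundle: defer to the TLS backend's default trust store (nixpkgs' openssl carries nix-ssl-cert-file.patch, so NIX_SSL_CERT_FILE still works), which makes the bundle a run-time rather than build-time choice` above it would keep the rationale. As far as I know the configure fallback is only implemented for the OpenSSL and GnuTLS backends, so a build with neither `sslSupport` nor `gnutlsSupport`, or with another backend, would have no CA source at all; that should be confirmed to fail verification closed rather than assumed. The `patches = [ ./nix-ssl-cert-file.patch ];` removal in the first hunk of this file makes the fallback the only remaining CA source for the curl tool, which the comment should state.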
--- a/pkgs/tools/networking/curl/nix-ssl-cert-file.patch
+++ /dev/null
@@ -1,37 +0,0 @@
-diff --git a/lib/url.c b/lib/url.c
-index 03feaa20f..43d3baa80 100644
---- a/lib/url.c
-+++ b/lib/url.c
-@@ -574,11 +574,15 @@ CURLcode Curl_init_userdefined(struct UserDefined *set)
- 
- /* This is our preferred CA cert bundle/path since install time */
- #if defined(CURL_CA_BUNDLE)
-- result = setstropt(&set->str[STRING_SSL_CAFILE_ORIG], CURL_CA_BUNDLE);
-+ char* env = curl_getenv("NIX_SSL_CERT_FILE");
-+ if (!env)
-+ env = CURL_CA_BUNDLE;
-+ 
-+ result = setstropt(&set->str[STRING_SSL_CAFILE_ORIG], env);
- if(result)
- return result;
- 
-- result = setstropt(&set->str[STRING_SSL_CAFILE_PROXY], CURL_CA_BUNDLE);
-+ result = setstropt(&set->str[STRING_SSL_CAFILE_PROXY], env);
- if(result)
- return result;
- #endif
-diff --git a/src/tool_operate.c b/src/tool_operate.c
-index 572c8d0cc..ca4fb31cb 100644
---- a/src/tool_operate.c
-+++ b/src/tool_operate.c
-@@ -265,7 +265,9 @@ static CURLcode operate_do(struct GlobalConfig *global,
- capath_from_env = true;
- }
- else {
-- env = curlx_getenv("SSL_CERT_FILE");
-+ env = curlx_getenv("NIX_SSL_CERT_FILE");
-+ if(!env)
-+ env = curlx_getenv("SSL_CERT_FILE");
- if(env) {
- config->cacert = strdup(env);
- if(!config->cacert) {

From c86f05e7ce13e64238960ebf3ee9706142db961b Mon Sep 17 00:00:00 2001
From: Guillaume Maudoux
Date: Wed, 22 Mar 2017 12:09:09 +0100
Subject: [PATCH 3/3] openssl: default to default profile CA on darwin

---
 pkgs/development/libraries/openssl/default.nix | 3 ++-
 .../openssl/use-etc-ssl-certs-darwin.patch | 13 +++++++++++++
 2 files changed, 15 insertions(+), 1 deletion(-)
 create mode 100644 pkgs/development/libraries/openssl/use-etc-ssl-certs-darwin.patch
diff --git a/pkgs/development/libraries/openssl/default.nix b/pkgs/development/libraries/openssl/default.nix
index 947c0e30f99..a9f8c32dde9 100644
--- a/pkgs/development/libraries/openssl/default.nix
+++ b/pkgs/development/libraries/openssl/default.nix
@@ -20,7 +20,8 @@ let patches = (args.patches or []) ++ [ ./nix-ssl-cert-file.patch ] - ++ optional (versionOlder version "1.1.0") ./use-etc-ssl-certs.patch + ++ optional (versionOlder version "1.1.0") + (if stdenv.isDarwin then ./use-etc-ssl-certs-darwin.patch else ./use-etc-ssl-certs.patch) ++ optional stdenv.isCygwin ./1.0.1-cygwin64.patch ++ optional (versionOlder version "1.0.2" && (stdenv.isDarwin || (stdenv ? cross && stdenv.cross.libc == "libSystem")))
diff --git a/pkgs/development/libraries/openssl/use-etc-ssl-certs-darwin.patch b/pkgs/development/libraries/openssl/use-etc-ssl-certs-darwin.patch
new file mode 100644
index 00000000000..3d9ee7e6a82
--- /dev/null
+++ b/pkgs/development/libraries/openssl/use-etc-ssl-certs-darwin.patch
@@ -0,0 +1,13 @@
+diff -ru -x '*~' openssl-1.0.1r-orig/crypto/cryptlib.h openssl-1.0.1r/crypto/cryptlib.h
+--- openssl-1.0.1r-orig/crypto/cryptlib.h 2016-01-28 14:38:30.000000000 +0100
++++ openssl-1.0.1r/crypto/cryptlib.h 2016-02-03 12:54:29.193165176 +0100
+@@ -81,8 +81,8 @@
+ 
+ # ifndef OPENSSL_SYS_VMS
+ # define X509_CERT_AREA OPENSSLDIR
+ # define X509_CERT_DIR OPENSSLDIR "/certs"
+-# define X509_CERT_FILE OPENSSLDIR "/cert.pem"
++# define X509_CERT_FILE "/nix/var/nix/profiles/default/etc/ssl/certs/ca-bundle.crt"
+ # define X509_PRIVATE_DIR OPENSSLDIR "/private"
+ # else
+ # define X509_CERT_AREA "SSLROOT:[000000]"
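Review bot: The new `(if stdenv.isDarwin then ./use-etc-ssl-certs-darwin.patch else ./use-etc-ssl-certs.patch)` line is still gated by `versionOlder version "1.1.0"`, so on darwin only 1.0.x builds get the profile-based default CA file while 1.1.x presumably keeps upstream's `OPENSSLDIR`-relative default; if that split is intended it deserves a comment, e.g. `# 1.0.x only: darwin has no system bundle, so point the built-in default at the nix default profile; 1.1.x is left unpatched`. The `patches =` expression continues past the hunk on both sides, so whether 1.1.x is handled elsewhere is not visible here.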
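Review bot: The new `X509_CERT_FILE` value `/nix/var/nix/profiles/default/etc/ssl/certs/ca-bundle.crt` bakes a mutable run-time location into libcrypto's compiled-in default, so the trust anchors of every OpenSSL consumer built against this darwin openssl are whatever that profile currently contains, and nothing in the patch records which package is expected to provide the file. A header comment above the `diff -ru` line should state that assumption and what happens when the file is absent; as far as I can tell OpenSSL discards the error when the default file cannot be loaded and verification then fails closed against an empty store, but that should be confirmed on a darwin build rather than assumed. The patch is written against `openssl-1.0.1r` headers while default.nix applies it to every version older than 1.1.0, so its applicability to other 1.0.x releases rests on fuzz matching in `cryptlib.h`. Only `X509_CERT_FILE` changes and `X509_CERT_DIR` still points at `OPENSSLDIR "/certs"`, so a directory-based lookup does not consult the profile, which the comment should also say.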