From 525a6631747597cd108bed21c26286637038b6a6 Mon Sep 17 00:00:00 2001
From: Guillaume Maudoux <guillaume.maudoux@uclouvain.be>
Date: Tue, 21 Mar 2017 10:28:44 +0100
Subject: [PATCH 1/3] curl, git: Fix curl default CA, let git use it

Improve patching of curl to use NIX_SSL_CERT_FILE as default CA
Remove patches from git, as git uses curl and passes its environment
variables to curl.
---
 .../git-and-tools/git/default.nix             |  1 -
 .../git-and-tools/git/ssl-cert-file.patch     | 14 ---------
 .../networking/curl/nix-ssl-cert-file.patch   | 31 ++++++++++++++++---
 3 files changed, 27 insertions(+), 19 deletions(-)
 delete mode 100644 pkgs/applications/version-management/git-and-tools/git/ssl-cert-file.patch

diff --git a/pkgs/applications/version-management/git-and-tools/git/default.nix b/pkgs/applications/version-management/git-and-tools/git/default.nix
index af5fc8a8be4..d6cc205bbae 100644
--- a/pkgs/applications/version-management/git-and-tools/git/default.nix
+++ b/pkgs/applications/version-management/git-and-tools/git/default.nix
@@ -30,7 +30,6 @@ stdenv.mkDerivation {
     ./symlinks-in-bin.patch
     ./git-sh-i18n.patch
     ./ssh-path.patch
-    ./ssl-cert-file.patch
   ];
 
   postPatch = ''
diff --git a/pkgs/applications/version-management/git-and-tools/git/ssl-cert-file.patch b/pkgs/applications/version-management/git-and-tools/git/ssl-cert-file.patch
deleted file mode 100644
index 0e0697dfb21..00000000000
--- a/pkgs/applications/version-management/git-and-tools/git/ssl-cert-file.patch
+++ /dev/null
@@ -1,14 +0,0 @@
-diff -ru git-2.7.4-orig/http.c git-2.7.4/http.c
---- git-2.7.4-orig/http.c	2016-03-17 21:47:59.000000000 +0100
-+++ git-2.7.4/http.c	2016-04-12 11:38:33.187070848 +0200
-@@ -544,6 +544,10 @@
- #if LIBCURL_VERSION_NUM >= 0x070908
- 	set_from_env(&ssl_capath, "GIT_SSL_CAPATH");
- #endif
-+	if (getenv("NIX_SSL_CERT_FILE"))
-+	  set_from_env(&ssl_cainfo, "NIX_SSL_CERT_FILE");
-+	else
-+	  set_from_env(&ssl_cainfo, "SSL_CERT_FILE");
- 	set_from_env(&ssl_cainfo, "GIT_SSL_CAINFO");
- 
- 	set_from_env(&user_agent, "GIT_HTTP_USER_AGENT");
diff --git a/pkgs/tools/networking/curl/nix-ssl-cert-file.patch b/pkgs/tools/networking/curl/nix-ssl-cert-file.patch
index 20c408bfae2..14eaea7071b 100644
--- a/pkgs/tools/networking/curl/nix-ssl-cert-file.patch
+++ b/pkgs/tools/networking/curl/nix-ssl-cert-file.patch
@@ -1,7 +1,30 @@
-diff -ru -x '*~' curl-7.50.3-orig/src/tool_operate.c curl-7.50.3/src/tool_operate.c
---- curl-7.50.3-orig/src/tool_operate.c	2016-09-06 23:25:06.000000000 +0200
-+++ curl-7.50.3/src/tool_operate.c	2016-10-14 11:51:48.999943142 +0200
-@@ -269,7 +269,9 @@
+diff --git a/lib/url.c b/lib/url.c
+index 03feaa20f..43d3baa80 100644
+--- a/lib/url.c
++++ b/lib/url.c
+@@ -574,11 +574,15 @@ CURLcode Curl_init_userdefined(struct UserDefined *set)
+ 
+   /* This is our preferred CA cert bundle/path since install time */
+ #if defined(CURL_CA_BUNDLE)
+-  result = setstropt(&set->str[STRING_SSL_CAFILE_ORIG], CURL_CA_BUNDLE);
++  char* env = curl_getenv("NIX_SSL_CERT_FILE");
++  if (!env)
++      env = CURL_CA_BUNDLE;
++
++  result = setstropt(&set->str[STRING_SSL_CAFILE_ORIG], env);
+   if(result)
+     return result;
+ 
+-  result = setstropt(&set->str[STRING_SSL_CAFILE_PROXY], CURL_CA_BUNDLE);
++  result = setstropt(&set->str[STRING_SSL_CAFILE_PROXY], env);
+   if(result)
+     return result;
+ #endif
+diff --git a/src/tool_operate.c b/src/tool_operate.c
+index 572c8d0cc..ca4fb31cb 100644
+--- a/src/tool_operate.c
++++ b/src/tool_operate.c
+@@ -265,7 +265,9 @@ static CURLcode operate_do(struct GlobalConfig *global,
          capath_from_env = true;
        }
        else {

From 8ecb94bb97842f95ca3fb780fc2977ee43b7d554 Mon Sep 17 00:00:00 2001
From: Guillaume Maudoux <guillaume.maudoux@uclouvain.be>
Date: Wed, 22 Mar 2017 11:48:06 +0100
Subject: [PATCH 2/3] curl: Use default trust store of TLS backend

Having curl fall back to openssl's CA means that we need not patch curl
to respect NIX_SSL_CERT_FILE. It will work in all the cases.

This reverts commit fb4c43dd8adbd7a10d1c52539b36e2da269f3f7f "curl: Use CA bundle in nix default profile by default"
If we want to reintroduce that feature, this needs to go inside openssl
---
 pkgs/tools/networking/curl/default.nix        |  6 +--
 .../networking/curl/nix-ssl-cert-file.patch   | 37 -------------------
 2 files changed, 1 insertion(+), 42 deletions(-)
 delete mode 100644 pkgs/tools/networking/curl/nix-ssl-cert-file.patch

diff --git a/pkgs/tools/networking/curl/default.nix b/pkgs/tools/networking/curl/default.nix
index f8d1506cca3..4f8daf38d46 100644
--- a/pkgs/tools/networking/curl/default.nix
+++ b/pkgs/tools/networking/curl/default.nix
@@ -28,8 +28,6 @@ stdenv.mkDerivation rec {
     sha256 = "1s1hyndva0yp62xy96pcp4anzrvw6cl0abjajim17sbmdp00fwhw";
   };
 
-  patches = [ ./nix-ssl-cert-file.patch ];
-
   outputs = [ "bin" "dev" "out" "man" "devdoc" ];
 
   enableParallelBuilding = true;
@@ -57,9 +55,7 @@ stdenv.mkDerivation rec {
   '';
 
   configureFlags = [
-      # OS X does not have a default system bundle, so we assume cacerts is installed in the default nix-env profile
-      # This sucks. We should probably just include the latest cacerts in the darwin bootstrap.
-      "--with-ca-bundle=${if stdenv.isDarwin then "/nix/var/nix/profiles/default" else ""}/etc/ssl/certs/ca-${if stdenv.isDarwin then "bundle" else "certificates"}.crt"
+      "--with-ca-fallback"
       "--disable-manual"
       ( if sslSupport then "--with-ssl=${openssl.dev}" else "--without-ssl" )
       ( if gnutlsSupport then "--with-gnutls=${gnutls.dev}" else "--without-gnutls" )
diff --git a/pkgs/tools/networking/curl/nix-ssl-cert-file.patch b/pkgs/tools/networking/curl/nix-ssl-cert-file.patch
deleted file mode 100644
index 14eaea7071b..00000000000
--- a/pkgs/tools/networking/curl/nix-ssl-cert-file.patch
+++ /dev/null
@@ -1,37 +0,0 @@
-diff --git a/lib/url.c b/lib/url.c
-index 03feaa20f..43d3baa80 100644
---- a/lib/url.c
-+++ b/lib/url.c
-@@ -574,11 +574,15 @@ CURLcode Curl_init_userdefined(struct UserDefined *set)
- 
-   /* This is our preferred CA cert bundle/path since install time */
- #if defined(CURL_CA_BUNDLE)
--  result = setstropt(&set->str[STRING_SSL_CAFILE_ORIG], CURL_CA_BUNDLE);
-+  char* env = curl_getenv("NIX_SSL_CERT_FILE");
-+  if (!env)
-+      env = CURL_CA_BUNDLE;
-+
-+  result = setstropt(&set->str[STRING_SSL_CAFILE_ORIG], env);
-   if(result)
-     return result;
- 
--  result = setstropt(&set->str[STRING_SSL_CAFILE_PROXY], CURL_CA_BUNDLE);
-+  result = setstropt(&set->str[STRING_SSL_CAFILE_PROXY], env);
-   if(result)
-     return result;
- #endif
-diff --git a/src/tool_operate.c b/src/tool_operate.c
-index 572c8d0cc..ca4fb31cb 100644
---- a/src/tool_operate.c
-+++ b/src/tool_operate.c
-@@ -265,7 +265,9 @@ static CURLcode operate_do(struct GlobalConfig *global,
-         capath_from_env = true;
-       }
-       else {
--        env = curlx_getenv("SSL_CERT_FILE");
-+        env = curlx_getenv("NIX_SSL_CERT_FILE");
-+        if(!env)
-+          env = curlx_getenv("SSL_CERT_FILE");
-         if(env) {
-           config->cacert = strdup(env);
-           if(!config->cacert) {

From c86f05e7ce13e64238960ebf3ee9706142db961b Mon Sep 17 00:00:00 2001
From: Guillaume Maudoux <guillaume.maudoux@uclouvain.be>
Date: Wed, 22 Mar 2017 12:09:09 +0100
Subject: [PATCH 3/3] openssl: default to default profile CA on darwin

---
 pkgs/development/libraries/openssl/default.nix      |  3 ++-
 .../openssl/use-etc-ssl-certs-darwin.patch          | 13 +++++++++++++
 2 files changed, 15 insertions(+), 1 deletion(-)
 create mode 100644 pkgs/development/libraries/openssl/use-etc-ssl-certs-darwin.patch

diff --git a/pkgs/development/libraries/openssl/default.nix b/pkgs/development/libraries/openssl/default.nix
index 947c0e30f99..a9f8c32dde9 100644
--- a/pkgs/development/libraries/openssl/default.nix
+++ b/pkgs/development/libraries/openssl/default.nix
@@ -20,7 +20,8 @@ let
     patches =
       (args.patches or [])
       ++ [ ./nix-ssl-cert-file.patch ]
-      ++ optional (versionOlder version "1.1.0") ./use-etc-ssl-certs.patch
+      ++ optional (versionOlder version "1.1.0")
+          (if stdenv.isDarwin then ./use-etc-ssl-certs-darwin.patch else ./use-etc-ssl-certs.patch)
       ++ optional stdenv.isCygwin ./1.0.1-cygwin64.patch
       ++ optional
            (versionOlder version "1.0.2" && (stdenv.isDarwin || (stdenv ? cross && stdenv.cross.libc == "libSystem")))
diff --git a/pkgs/development/libraries/openssl/use-etc-ssl-certs-darwin.patch b/pkgs/development/libraries/openssl/use-etc-ssl-certs-darwin.patch
new file mode 100644
index 00000000000..3d9ee7e6a82
--- /dev/null
+++ b/pkgs/development/libraries/openssl/use-etc-ssl-certs-darwin.patch
@@ -0,0 +1,13 @@
+diff -ru -x '*~' openssl-1.0.1r-orig/crypto/cryptlib.h openssl-1.0.1r/crypto/cryptlib.h
+--- openssl-1.0.1r-orig/crypto/cryptlib.h	2016-01-28 14:38:30.000000000 +0100
++++ openssl-1.0.1r/crypto/cryptlib.h	2016-02-03 12:54:29.193165176 +0100
+@@ -81,8 +81,8 @@
+ 
+ # ifndef OPENSSL_SYS_VMS
+ #  define X509_CERT_AREA          OPENSSLDIR
+ #  define X509_CERT_DIR           OPENSSLDIR "/certs"
+-#  define X509_CERT_FILE          OPENSSLDIR "/cert.pem"
++#  define X509_CERT_FILE          "/nix/var/nix/profiles/default/etc/ssl/certs/ca-bundle.crt"
+ #  define X509_PRIVATE_DIR        OPENSSLDIR "/private"
+ # else
+ #  define X509_CERT_AREA          "SSLROOT:[000000]"