pyrox.dev / nixpkgs
lol
fork atom

Merge pull request #24203 from layus/nix-ssl-cert-file

git, curl, openssl: Refactor $NIX_SSL_CERT_FILE handling

Eelco Dolstra f0875982 8143413e

options
unified split
Changed files
+16 -35
pkgs
applications
version-management
git-and-tools
git
default.nix
ssl-cert-file.patch
development
libraries
openssl
default.nix
use-etc-ssl-certs-darwin.patch
tools
networking
curl
default.nix
nix-ssl-cert-file.patch
-1
pkgs/applications/version-management/git-and-tools/git/default.nix 
···

       
30

       
30

       
 

       
    ./symlinks-in-bin.patch


     

       
31

       
31

       
 

       
    ./git-sh-i18n.patch


     

       
32

       
32

       
 

       
    ./ssh-path.patch


     

       
33

       

       
-

       
    ./ssl-cert-file.patch


     

       
34

       
33

       
 

       
  ];


     

       
35

       
34

       
 

       



     

       
36

       
35

       
 

       
  postPatch = ''
-14
pkgs/applications/version-management/git-and-tools/git/ssl-cert-file.patch 
···

       
1

       

       
-

       
diff -ru git-2.7.4-orig/http.c git-2.7.4/http.c


     

       
2

       

       
-

       
--- git-2.7.4-orig/http.c	2016-03-17 21:47:59.000000000 +0100


     

       
3

       

       
-

       
+++ git-2.7.4/http.c	2016-04-12 11:38:33.187070848 +0200


     

       
4

       

       
-

       
@@ -544,6 +544,10 @@


     

       
5

       

       
-

       
 #if LIBCURL_VERSION_NUM >= 0x070908


     

       
6

       

       
-

       
 	set_from_env(&ssl_capath, "GIT_SSL_CAPATH");


     

       
7

       

       
-

       
 #endif


     

       
8

       

       
-

       
+	if (getenv("NIX_SSL_CERT_FILE"))


     

       
9

       

       
-

       
+	  set_from_env(&ssl_cainfo, "NIX_SSL_CERT_FILE");


     

       
10

       

       
-

       
+	else


     

       
11

       

       
-

       
+	  set_from_env(&ssl_cainfo, "SSL_CERT_FILE");


     

       
12

       

       
-

       
 	set_from_env(&ssl_cainfo, "GIT_SSL_CAINFO");


     

       
13

       

       
-

       
 


     

       
14

       

       
-

       
 	set_from_env(&user_agent, "GIT_HTTP_USER_AGENT");
+2 -1
pkgs/development/libraries/openssl/default.nix 
···

       
20

       
20

       
 

       
    patches =


     

       
21

       
21

       
 

       
      (args.patches or [])


     

       
22

       
22

       
 

       
      ++ [ ./nix-ssl-cert-file.patch ]


     

       
23

       

       
-

       
      ++ optional (versionOlder version "1.1.0") ./use-etc-ssl-certs.patch


     

       

       
23

       
+

       
      ++ optional (versionOlder version "1.1.0")


     

       

       
24

       
+

       
          (if stdenv.isDarwin then ./use-etc-ssl-certs-darwin.patch else ./use-etc-ssl-certs.patch)


     

       
24

       
25

       
 

       
      ++ optional stdenv.isCygwin ./1.0.1-cygwin64.patch


     

       
25

       
26

       
 

       
      ++ optional


     

       
26

       
27

       
 

       
           (versionOlder version "1.0.2" && (stdenv.isDarwin || (stdenv ? cross && stdenv.cross.libc == "libSystem")))
+13
pkgs/development/libraries/openssl/use-etc-ssl-certs-darwin.patch 
···

       

       
1

       
+

       
diff -ru -x '*~' openssl-1.0.1r-orig/crypto/cryptlib.h openssl-1.0.1r/crypto/cryptlib.h


     

       

       
2

       
+

       
--- openssl-1.0.1r-orig/crypto/cryptlib.h	2016-01-28 14:38:30.000000000 +0100


     

       

       
3

       
+

       
+++ openssl-1.0.1r/crypto/cryptlib.h	2016-02-03 12:54:29.193165176 +0100


     

       

       
4

       
+

       
@@ -81,8 +81,8 @@


     

       

       
5

       
+

       
 


     

       

       
6

       
+

       
 # ifndef OPENSSL_SYS_VMS


     

       

       
7

       
+

       
 #  define X509_CERT_AREA          OPENSSLDIR


     

       

       
8

       
+

       
 #  define X509_CERT_DIR           OPENSSLDIR "/certs"


     

       

       
9

       
+

       
-#  define X509_CERT_FILE          OPENSSLDIR "/cert.pem"


     

       

       
10

       
+

       
+#  define X509_CERT_FILE          "/nix/var/nix/profiles/default/etc/ssl/certs/ca-bundle.crt"


     

       

       
11

       
+

       
 #  define X509_PRIVATE_DIR        OPENSSLDIR "/private"


     

       

       
12

       
+

       
 # else


     

       

       
13

       
+

       
 #  define X509_CERT_AREA          "SSLROOT:[000000]"
+1 -5
pkgs/tools/networking/curl/default.nix 
···

       
28

       
28

       
 

       
    sha256 = "1s1hyndva0yp62xy96pcp4anzrvw6cl0abjajim17sbmdp00fwhw";


     

       
29

       
29

       
 

       
  };


     

       
30

       
30

       
 

       



     

       
31

       

       
-

       
  patches = [ ./nix-ssl-cert-file.patch ];


     

       
32

       

       
-

       



     

       
33

       
31

       
 

       
  outputs = [ "bin" "dev" "out" "man" "devdoc" ];


     

       
34

       
32

       
 

       



     

       
35

       
33

       
 

       
  enableParallelBuilding = true;


     
···

       
57

       
55

       
 

       
  '';


     

       
58

       
56

       
 

       



     

       
59

       
57

       
 

       
  configureFlags = [


     

       
60

       

       
-

       
      # OS X does not have a default system bundle, so we assume cacerts is installed in the default nix-env profile


     

       
61

       

       
-

       
      # This sucks. We should probably just include the latest cacerts in the darwin bootstrap.


     

       
62

       

       
-

       
      "--with-ca-bundle=${if stdenv.isDarwin then "/nix/var/nix/profiles/default" else ""}/etc/ssl/certs/ca-${if stdenv.isDarwin then "bundle" else "certificates"}.crt"


     

       

       
58

       
+

       
      "--with-ca-fallback"


     

       
63

       
59

       
 

       
      "--disable-manual"


     

       
64

       
60

       
 

       
      ( if sslSupport then "--with-ssl=${openssl.dev}" else "--without-ssl" )


     

       
65

       
61

       
 

       
      ( if gnutlsSupport then "--with-gnutls=${gnutls.dev}" else "--without-gnutls" )
-14
pkgs/tools/networking/curl/nix-ssl-cert-file.patch 
···

       
1

       

       
-

       
diff -ru -x '*~' curl-7.50.3-orig/src/tool_operate.c curl-7.50.3/src/tool_operate.c


     

       
2

       

       
-

       
--- curl-7.50.3-orig/src/tool_operate.c	2016-09-06 23:25:06.000000000 +0200


     

       
3

       

       
-

       
+++ curl-7.50.3/src/tool_operate.c	2016-10-14 11:51:48.999943142 +0200


     

       
4

       

       
-

       
@@ -269,7 +269,9 @@


     

       
5

       

       
-

       
         capath_from_env = true;


     

       
6

       

       
-

       
       }


     

       
7

       

       
-

       
       else {


     

       
8

       

       
-

       
-        env = curlx_getenv("SSL_CERT_FILE");


     

       
9

       

       
-

       
+        env = curlx_getenv("NIX_SSL_CERT_FILE");


     

       
10

       

       
-

       
+        if(!env)


     

       
11

       

       
-

       
+          env = curlx_getenv("SSL_CERT_FILE");


     

       
12

       

       
-

       
         if(env) {


     

       
13

       

       
-

       
           config->cacert = strdup(env);


     

       
14

       

       
-

       
           if(!config->cacert) {