From c5edd9926d07a1de54d743dbce645778dead7b13 Mon Sep 17 00:00:00 2001 From: Izorkin Date: Wed, 11 May 2022 17:49:38 +0300 Subject: [PATCH] curl: 7.83.0 -> 7.83.1 --- .../7.83.1-quiche-support-ca-fallback.patch | 51 +++++++++++++++++++ pkgs/tools/networking/curl/default.nix | 10 ++-- 2 files changed, 57 insertions(+), 4 deletions(-) create mode 100644 pkgs/tools/networking/curl/7.83.1-quiche-support-ca-fallback.patch diff --git a/pkgs/tools/networking/curl/7.83.1-quiche-support-ca-fallback.patch b/pkgs/tools/networking/curl/7.83.1-quiche-support-ca-fallback.patch new file mode 100644 index 000000000000..c68f9f1d84df --- /dev/null +++ b/pkgs/tools/networking/curl/7.83.1-quiche-support-ca-fallback.patch @@ -0,0 +1,51 @@ +diff --git a/lib/vquic/quiche.c b/lib/vquic/quiche.c +index bfdc966a85ea..e4bea4d677be 100644 +--- a/lib/vquic/quiche.c ++++ b/lib/vquic/quiche.c +@@ -201,23 +201,31 @@ static SSL_CTX *quic_ssl_ctx(struct Curl_easy *data) + + { + struct connectdata *conn = data->conn; +- const char * const ssl_cafile = conn->ssl_config.CAfile; +- const char * const ssl_capath = conn->ssl_config.CApath; +- + if(conn->ssl_config.verifypeer) { +- SSL_CTX_set_verify(ssl_ctx, SSL_VERIFY_PEER, NULL); +- /* tell OpenSSL where to find CA certificates that are used to verify +- the server's certificate. */ +- if(!SSL_CTX_load_verify_locations(ssl_ctx, ssl_cafile, ssl_capath)) { +- /* Fail if we insist on successfully verifying the server. */ +- failf(data, "error setting certificate verify locations:" +- " CAfile: %s CApath: %s", +- ssl_cafile ? ssl_cafile : "none", +- ssl_capath ? ssl_capath : "none"); +- return NULL; ++ const char * const ssl_cafile = conn->ssl_config.CAfile; ++ const char * const ssl_capath = conn->ssl_config.CApath; ++ if(ssl_cafile || ssl_capath) { ++ SSL_CTX_set_verify(ssl_ctx, SSL_VERIFY_PEER, NULL); ++ /* tell OpenSSL where to find CA certificates that are used to verify ++ the server's certificate. */ ++ if(!SSL_CTX_load_verify_locations(ssl_ctx, ssl_cafile, ssl_capath)) { ++ /* Fail if we insist on successfully verifying the server. */ ++ failf(data, "error setting certificate verify locations:" ++ " CAfile: %s CApath: %s", ++ ssl_cafile ? ssl_cafile : "none", ++ ssl_capath ? ssl_capath : "none"); ++ return NULL; ++ } ++ infof(data, " CAfile: %s", ssl_cafile ? ssl_cafile : "none"); ++ infof(data, " CApath: %s", ssl_capath ? ssl_capath : "none"); + } +- infof(data, " CAfile: %s", ssl_cafile ? ssl_cafile : "none"); +- infof(data, " CApath: %s", ssl_capath ? ssl_capath : "none"); ++#ifdef CURL_CA_FALLBACK ++ else { ++ /* verifying the peer without any CA certificates won't work so ++ use openssl's built-in default as fallback */ ++ SSL_CTX_set_default_verify_paths(ssl_ctx); ++ } ++#endif + } + } + return ssl_ctx; diff --git a/pkgs/tools/networking/curl/default.nix b/pkgs/tools/networking/curl/default.nix index 934253c737aa..134ae716705e 100644 --- a/pkgs/tools/networking/curl/default.nix +++ b/pkgs/tools/networking/curl/default.nix @@ -62,18 +62,21 @@ assert zstdSupport -> zstd != null; stdenv.mkDerivation rec { pname = "curl"; - version = "7.83.0"; + version = "7.83.1"; src = fetchurl { urls = [ "https://curl.haxx.se/download/${pname}-${version}.tar.bz2" "https://github.com/curl/curl/releases/download/${lib.replaceStrings ["."] ["_"] pname}-${version}/${pname}-${version}.tar.bz2" ]; - sha256 = "sha256-JHx+x1IcQljmVjTlKScNIU/jKWmXHMy3KEXnqkaDH5Y="; + sha256 = "sha256-9Tmjb7RKgmDsXZd+Tg290u7intkPztqpvDyfeKETv/A="; }; patches = [ ./7.79.1-darwin-no-systemconfiguration.patch + # quiche: support ca-fallback + # https://github.com/curl/curl/commit/fdb5e21b4dd171a96cf7c002ee77bb08f8e58021 + ./7.83.1-quiche-support-ca-fallback.patch ]; outputs = [ "bin" "dev" "out" "man" "devdoc" ]; @@ -141,8 +144,7 @@ stdenv.mkDerivation rec { ] ++ lib.optionals stdenv.isDarwin [ # Disable default CA bundle, use NIX_SSL_CERT_FILE or fallback to nss-cacert from the default profile. # Without this curl might detect /etc/ssl/cert.pem at build time on macOS, causing curl to ignore NIX_SSL_CERT_FILE. - # https://github.com/curl/curl/issues/8696 - fallback is not supported by HTTP3 - (if http3Support then "--with-ca-bundle=/etc/ssl/certs/ca-certificates.crt" else "--without-ca-bundle") + "--without-ca-bundle" "--without-ca-path" ];