From c5edd9926d07a1de54d743dbce645778dead7b13 Mon Sep 17 00:00:00 2001
From: Izorkin
Date: Wed, 11 May 2022 17:49:38 +0300
Subject: [PATCH] curl: 7.83.0 -> 7.83.1
---
 .../7.83.1-quiche-support-ca-fallback.patch | 51 +++++++++++++++++++
 pkgs/tools/networking/curl/default.nix | 10 ++--
 2 files changed, 57 insertions(+), 4 deletions(-)
 create mode 100644 pkgs/tools/networking/curl/7.83.1-quiche-support-ca-fallback.patch
diff --git a/pkgs/tools/networking/curl/7.83.1-quiche-support-ca-fallback.patch b/pkgs/tools/networking/curl/7.83.1-quiche-support-ca-fallback.patch
new file mode 100644
index 00000000000..c68f9f1d84d
--- /dev/null
+++ b/pkgs/tools/networking/curl/7.83.1-quiche-support-ca-fallback.patch
@@ -0,0 +1,51 @@
+diff --git a/lib/vquic/quiche.c b/lib/vquic/quiche.c
+index bfdc966a85ea..e4bea4d677be 100644
+--- a/lib/vquic/quiche.c
++++ b/lib/vquic/quiche.c
+@@ -201,23 +201,31 @@ static SSL_CTX *quic_ssl_ctx(struct Curl_easy *data)
+ 
+ {
+ struct connectdata *conn = data->conn;
+- const char * const ssl_cafile = conn->ssl_config.CAfile;
+- const char * const ssl_capath = conn->ssl_config.CApath;
+-
+ if(conn->ssl_config.verifypeer) {
+- SSL_CTX_set_verify(ssl_ctx, SSL_VERIFY_PEER, NULL);
+- /* tell OpenSSL where to find CA certificates that are used to verify
+- the server's certificate. */
+- if(!SSL_CTX_load_verify_locations(ssl_ctx, ssl_cafile, ssl_capath)) {
+- /* Fail if we insist on successfully verifying the server. */
+- failf(data, "error setting certificate verify locations:"
+- " CAfile: %s CApath: %s",
+- ssl_cafile ? ssl_cafile : "none",
+- ssl_capath ? ssl_capath : "none");
+- return NULL;
++ const char * const ssl_cafile = conn->ssl_config.CAfile;
++ const char * const ssl_capath = conn->ssl_config.CApath;
++ if(ssl_cafile || ssl_capath) {
++ SSL_CTX_set_verify(ssl_ctx, SSL_VERIFY_PEER, NULL);
++ /* tell OpenSSL where to find CA certificates that are used to verify
++ the server's certificate. */
++ if(!SSL_CTX_load_verify_locations(ssl_ctx, ssl_cafile, ssl_capath)) {
++ /* Fail if we insist on successfully verifying the server. */
++ failf(data, "error setting certificate verify locations:"
++ " CAfile: %s CApath: %s",
++ ssl_cafile ? ssl_cafile : "none",
++ ssl_capath ? ssl_capath : "none");
++ return NULL;
++ }
++ infof(data, " CAfile: %s", ssl_cafile ? ssl_cafile : "none");
++ infof(data, " CApath: %s", ssl_capath ? ssl_capath : "none");
+ }
+- infof(data, " CAfile: %s", ssl_cafile ? ssl_cafile : "none");
+- infof(data, " CApath: %s", ssl_capath ? 
ssl_capath : "none");
++#ifdef CURL_CA_FALLBACK
++ else {
++ /* verifying the peer without any CA certificates won't work so
++ use openssl's built-in default as fallback */
++ SSL_CTX_set_default_verify_paths(ssl_ctx);
++ }
++#endif
+ }
+ }
+ return ssl_ctx;
diff --git a/pkgs/tools/networking/curl/default.nix b/pkgs/tools/networking/curl/default.nix
index 934253c737a..134ae716705 100644
--- a/pkgs/tools/networking/curl/default.nix
+++ b/pkgs/tools/networking/curl/default.nix
@@ -62,18 +62,21 @@ assert zstdSupport -> zstd != null;
 
 stdenv.mkDerivation rec {
 pname = "curl";
- version = "7.83.0";
+ version = "7.83.1";
 
 src = fetchurl {
 urls = [
 "https://curl.haxx.se/download/${pname}-${version}.tar.bz2"
 "https://github.com/curl/curl/releases/download/${lib.replaceStrings ["."] ["_"] pname}-${version}/${pname}-${version}.tar.bz2"
 ];
- sha256 = "sha256-JHx+x1IcQljmVjTlKScNIU/jKWmXHMy3KEXnqkaDH5Y=";
+ sha256 = "sha256-9Tmjb7RKgmDsXZd+Tg290u7intkPztqpvDyfeKETv/A=";
 };
 
 patches = [
 ./7.79.1-darwin-no-systemconfiguration.patch
+ # quiche: support ca-fallback
+ # https://github.com/curl/curl/commit/fdb5e21b4dd171a96cf7c002ee77bb08f8e58021
+ ./7.83.1-quiche-support-ca-fallback.patch
 ];
 
 outputs = [ "bin" "dev" "out" "man" "devdoc" ];
@@ -141,8 +144,7 @@ stdenv.mkDerivation rec {
 ] ++ lib.optionals stdenv.isDarwin [
 # Disable default CA bundle, use NIX_SSL_CERT_FILE or fallback to nss-cacert from the default profile.
 # Without this curl might detect /etc/ssl/cert.pem at build time on macOS, causing curl to ignore NIX_SSL_CERT_FILE.
- # https://github.com/curl/curl/issues/8696 - fallback is not supported by HTTP3
- (if http3Support then "--with-ca-bundle=/etc/ssl/certs/ca-certificates.crt" else "--without-ca-bundle")
+ "--without-ca-bundle"
 "--without-ca-path"
 ];
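Review bot: In the new fallback branch (`else` under `#ifdef CURL_CA_FALLBACK`) only `SSL_CTX_set_default_verify_paths(ssl_ctx)` is called, while `SSL_CTX_set_verify(ssl_ctx, SSL_VERIFY_PEER, NULL)` has moved inside `if(ssl_cafile || ssl_capath)`, so a connection with verifypeer set but no CAfile/CApath gets default CA paths without the verify mode being switched on, unless quiche enforces peer verification somewhere this hunk does not show. Hoisting that single call to directly after `if(conn->ssl_config.verifypeer) {` makes both branches verify. The restructuring also changes the build without CURL_CA_FALLBACK: the old code failed with "error setting certificate verify locations" when both locations were NULL, whereas the new code silently continues with no CA configured, so a non-fallback `else` that calls `failf` and returns NULL would keep that fail-closed behaviour. `quic_ssl_ctx` begins before this hunk and the `SSL_CTX` it returns is created outside it.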
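Review bot: The unconditional `"--without-ca-bundle"` makes HTTP/3 builds on Darwin depend on the vendored quiche patch taking its `#ifdef CURL_CA_FALLBACK` branch, which only compiles in when curl is configured with `--with-ca-fallback`; that flag is outside this hunk, so please confirm it is in `configureFlags` for every configuration where `http3Support` is set, otherwise verifypeer connections over HTTP/3 are left with no CA locations at all. The deleted comment was the only pointer to why this used to be conditional, so keep a trace next to the new line: `# HTTP3 (quiche) only honours the CA fallback via ./7.83.1-quiche-support-ca-fallback.patch and --with-ca-fallback, see https://github.com/curl/curl/issues/8696`.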