curl: add support for Rustls backend

No functional changes for the other TLS backends, but it is now possible
to build curl with `rustls-ffi`.

```
> ./result-bin/bin/curl --version
curl 8.0.1 (x86_64-pc-linux-gnu) libcurl/8.0.1 rustls-ffi/0.9.2/rustls/0.20.8 zlib/1.2.13 brotli/1.0.9 zstd/1.5.4 libidn2/2.3.2 libssh2/1.10.0 nghttp2/1.51.0
Release-Date: 2023-03-20
Protocols: dict file ftp ftps gopher gophers http https imap imaps mqtt pop3 pop3s rtsp scp sftp smtp smtps telnet tftp
Features: alt-svc AsynchDNS brotli GSS-API HSTS HTTP2 HTTPS-proxy IDN IPv6 Kerberos Largefile libz SPNEGO SSL threadsafe UnixSockets zstd
```
Thomas Gerbet 2023-04-01 18:35:18 +02:00
parent 7f0e9a3d13
commit 74207b79f0
2 changed files with 9 additions and 7 deletions


@ -1,4 +1,4 @@
{ lib, stdenv, fetchFromGitHub, rustPlatform, Security, apacheHttpd }:
{ lib, stdenv, fetchFromGitHub, rustPlatform, Security, apacheHttpd, curl }:
rustPlatform.buildRustPackage rec {
pname = "rustls-ffi";
@ -28,6 +28,7 @@ rustPlatform.buildRustPackage rec {
passthru.tests = {
apacheHttpd = apacheHttpd.override { modTlsSupport = true; };
curl = curl.override { opensslSupport = false; rustlsSupport = true; };
};
meta = with lib; {


@ -22,6 +22,7 @@
, rtmpSupport ? false, rtmpdump
, scpSupport ? zlibSupport && !stdenv.isSunOS && !stdenv.isCygwin, libssh2
, wolfsslSupport ? false, wolfssl
, rustlsSupport ? false, rustls-ffi
, zlibSupport ? true, zlib
, zstdSupport ? false, zstd
@ -42,9 +43,7 @@
# cgit) that are needed here should be included directly in Nixpkgs as
# files.
assert !(gnutlsSupport && opensslSupport);
assert !(gnutlsSupport && wolfsslSupport);
assert !(opensslSupport && wolfsslSupport);
assert !((lib.count (x: x) [ gnutlsSupport opensslSupport wolfsslSupport rustlsSupport ]) > 1);
stdenv.mkDerivation (finalAttrs: {
pname = "curl";
@ -89,6 +88,7 @@ stdenv.mkDerivation (finalAttrs: {
optional rtmpSupport rtmpdump ++
optional scpSupport libssh2 ++
optional wolfsslSupport wolfssl ++
optional rustlsSupport rustls-ffi ++
optional zlibSupport zlib ++
optional zstdSupport zstd;
@ -104,11 +104,12 @@ stdenv.mkDerivation (finalAttrs: {
(lib.enableFeature c-aresSupport "ares")
(lib.enableFeature ldapSupport "ldap")
(lib.enableFeature ldapSupport "ldaps")
# The build fails when using wolfssl with --with-ca-fallback
(lib.withFeature (!wolfsslSupport) "ca-fallback")
# --with-ca-fallback is only supported for openssl and gnutls https://github.com/curl/curl/blame/curl-8_0_1/acinclude.m4#L1640
(lib.withFeature (opensslSupport || gnutlsSupport) "ca-fallback")
(lib.withFeature http3Support "nghttp3")
(lib.withFeature http3Support "ngtcp2")
(lib.withFeature rtmpSupport "librtmp")
(lib.withFeature rustlsSupport "rustls")
(lib.withFeature zstdSupport "zstd")
(lib.withFeatureAs brotliSupport "brotli" (lib.getDev brotli))
(lib.withFeatureAs gnutlsSupport "gnutls" (lib.getDev gnutls))
@ -129,7 +130,7 @@ stdenv.mkDerivation (finalAttrs: {
# Without this curl might detect /etc/ssl/cert.pem at build time on macOS, causing curl to ignore NIX_SSL_CERT_FILE.
"--without-ca-bundle"
"--without-ca-path"
] ++ lib.optionals (!gnutlsSupport && !opensslSupport && !wolfsslSupport) [
] ++ lib.optionals (!gnutlsSupport && !opensslSupport && !wolfsslSupport && !rustlsSupport) [
"--without-ssl"
];
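Review bot: With `rustlsSupport = true` the configure flags leave curl without any default trust store: `ca-fallback` is now enabled only for `opensslSupport || gnutlsSupport`, while `--without-ca-bundle` and `--without-ca-path` stay unconditional. Nothing in this section shows how a rustls build would pick up `NIX_SSL_CERT_FILE`, so certificate verification presumably fails until the caller supplies a CA file, and that kind of friction tends to end in verification being switched off. I would state this next to the `ca-fallback` line, e.g. `# rustls: no default CA store is configured here; callers must supply a CA file explicitly`, and confirm the behaviour with an HTTPS request against the rustls build. Separately, the bare `assert` over the backend list gives no hint which options conflict; wrapping the condition in `lib.assertMsg` with a short message would help anyone who sets `rustlsSupport` without turning `opensslSupport` off.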