From 74207b79f05fe0f067528c7fd3c7c8fd60128939 Mon Sep 17 00:00:00 2001 From: Thomas Gerbet Date: Sat, 1 Apr 2023 18:35:18 +0200 Subject: [PATCH] curl: add support for Rustls backend No functional changes for the other TLS backend but it is now possible to build curl with `rustls-ffi`. ``` > ./result-bin/bin/curl --version curl 8.0.1 (x86_64-pc-linux-gnu) libcurl/8.0.1 rustls-ffi/0.9.2/rustls/0.20.8 zlib/1.2.13 brotli/1.0.9 zstd/1.5.4 libidn2/2.3.2 libssh2/1.10.0 nghttp2/1.51.0 Release-Date: 2023-03-20 Protocols: dict file ftp ftps gopher gophers http https imap imaps mqtt pop3 pop3s rtsp scp sftp smtp smtps telnet tftp Features: alt-svc AsynchDNS brotli GSS-API HSTS HTTP2 HTTPS-proxy IDN IPv6 Kerberos Largefile libz SPNEGO SSL threadsafe UnixSockets zstd ``` --- pkgs/development/libraries/rustls-ffi/default.nix | 3 ++- pkgs/tools/networking/curl/default.nix | 13 +++++++------ 2 files changed, 9 insertions(+), 7 deletions(-) diff --git a/pkgs/development/libraries/rustls-ffi/default.nix b/pkgs/development/libraries/rustls-ffi/default.nix index cf82505f714..824e84e9510 100644 --- a/pkgs/development/libraries/rustls-ffi/default.nix +++ b/pkgs/development/libraries/rustls-ffi/default.nix @@ -1,4 +1,4 @@ -{ lib, stdenv, fetchFromGitHub, rustPlatform, Security, apacheHttpd }: +{ lib, stdenv, fetchFromGitHub, rustPlatform, Security, apacheHttpd, curl }: rustPlatform.buildRustPackage rec { pname = "rustls-ffi"; @@ -28,6 +28,7 @@ rustPlatform.buildRustPackage rec { passthru.tests = { apacheHttpd = apacheHttpd.override { modTlsSupport = true; }; + curl = curl.override { opensslSupport = false; rustlsSupport = true; }; }; meta = with lib; { diff --git a/pkgs/tools/networking/curl/default.nix b/pkgs/tools/networking/curl/default.nix index 16136296879..c0b488627ef 100644 --- a/pkgs/tools/networking/curl/default.nix +++ b/pkgs/tools/networking/curl/default.nix @@ -22,6 +22,7 @@ , rtmpSupport ? false, rtmpdump , scpSupport ? zlibSupport && !stdenv.isSunOS && !stdenv.isCygwin, libssh2 , wolfsslSupport ? false, wolfssl +, rustlsSupport ? false, rustls-ffi , zlibSupport ? true, zlib , zstdSupport ? false, zstd @@ -42,9 +43,7 @@ # cgit) that are needed here should be included directly in Nixpkgs as # files. -assert !(gnutlsSupport && opensslSupport); -assert !(gnutlsSupport && wolfsslSupport); -assert !(opensslSupport && wolfsslSupport); +assert !((lib.count (x: x) [ gnutlsSupport opensslSupport wolfsslSupport rustlsSupport ]) > 1); stdenv.mkDerivation (finalAttrs: { pname = "curl"; @@ -89,6 +88,7 @@ stdenv.mkDerivation (finalAttrs: { optional rtmpSupport rtmpdump ++ optional scpSupport libssh2 ++ optional wolfsslSupport wolfssl ++ + optional rustlsSupport rustls-ffi ++ optional zlibSupport zlib ++ optional zstdSupport zstd; @@ -104,11 +104,12 @@ stdenv.mkDerivation (finalAttrs: { (lib.enableFeature c-aresSupport "ares") (lib.enableFeature ldapSupport "ldap") (lib.enableFeature ldapSupport "ldaps") - # The build fails when using wolfssl with --with-ca-fallback - (lib.withFeature (!wolfsslSupport) "ca-fallback") + # --with-ca-fallback is only supported for openssl and gnutls https://github.com/curl/curl/blame/curl-8_0_1/acinclude.m4#L1640 + (lib.withFeature (opensslSupport || gnutlsSupport) "ca-fallback") (lib.withFeature http3Support "nghttp3") (lib.withFeature http3Support "ngtcp2") (lib.withFeature rtmpSupport "librtmp") + (lib.withFeature rustlsSupport "rustls") (lib.withFeature zstdSupport "zstd") (lib.withFeatureAs brotliSupport "brotli" (lib.getDev brotli)) (lib.withFeatureAs gnutlsSupport "gnutls" (lib.getDev gnutls)) @@ -129,7 +130,7 @@ stdenv.mkDerivation (finalAttrs: { # Without this curl might detect /etc/ssl/cert.pem at build time on macOS, causing curl to ignore NIX_SSL_CERT_FILE. "--without-ca-bundle" "--without-ca-path" - ] ++ lib.optionals (!gnutlsSupport && !opensslSupport && !wolfsslSupport) [ + ] ++ lib.optionals (!gnutlsSupport && !opensslSupport && !wolfsslSupport && !rustlsSupport) [ "--without-ssl" ];