From: "Matt Jolly"
To: gentoo-commits@lists.gentoo.org
Reply-To: gentoo-dev@lists.gentoo.org, "Matt Jolly"
Message-ID: <1743550404.2f3c72a25bcd49865dde5a9ccbc8fc4d01bce123.kangie@gentoo>
Subject: [gentoo-commits] repo/gentoo:master commit in: net-misc/curl/
X-VCS-Repository: repo/gentoo
X-VCS-Files: net-misc/curl/curl-8.13.0_rc3-r1.ebuild net-misc/curl/curl-8.13.0_rc3.ebuild net-misc/curl/curl-9999.ebuild net-misc/curl/metadata.xml
X-VCS-Directories: net-misc/curl/
X-VCS-Committer: kangie
X-VCS-Committer-Name: Matt Jolly
X-VCS-Revision: 2f3c72a25bcd49865dde5a9ccbc8fc4d01bce123
X-VCS-Branch: master
Date: Tue, 01 Apr 2025 23:38:31 +0000 (UTC)

commit: 2f3c72a25bcd49865dde5a9ccbc8fc4d01bce123
Author: Matt Jolly gentoo org>
AuthorDate: Tue Apr 1 11:21:06 2025 +0000
Commit: Matt Jolly gentoo org>
CommitDate: Tue Apr 1 23:33:24 2025 +0000
URL: https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=2f3c72a2

net-misc/curl: add ECH and HTTPSRR USE flags; prepare for 8.13.0

HTTPS Resource Records are a type of DNS record that delivers configuration information and parameters for how to access a service via HTTPS. This should make QUIC in particular faster to establish connections due to being able to retrieve the h3 endpoint without bouncing off an alt-svc first.

These may be fetched via DNS over HTTPS or via the cURL ADNS resolver (c-ares); the threaded resolver is disabled in Gentoo if HTTP RR is enabled as a request will need to be made via c-ares to fetch the records anyway.

Encrypted Client Hello is now available via Rustls.
ECH is a protocol extension to Transport Layer Security (TLS) which encrypts part of the handshake and masks the Server Name Indication (SNI) that is used to negotiate a TLS session. ECH info may be served via HTTPS RR or DoH.

This commit also refactors the TLS configure option handling in the ebuild to avoid passing `--without` entries for enabled backends.

Additionally USE=`sasl-scram` is added, using libgsasl (net-misc/gsasl) to extend SASL SCRAM-SHA support, and USE=`sslv3` is dropped.

Signed-off-by: Matt Jolly gentoo.org>

 ...8.13.0_rc3.ebuild => curl-8.13.0_rc3-r1.ebuild} | 212 ++++++++++++---------
 net-misc/curl/curl-8.13.0_rc3.ebuild | 1 -
 net-misc/curl/curl-9999.ebuild | 210 ++++++++++++--------
 net-misc/curl/metadata.xml | 3 +
 4 files changed, 256 insertions(+), 170 deletions(-)

diff --git a/net-misc/curl/curl-8.13.0_rc3.ebuild b/net-misc/curl/curl-8.13.0_rc3-r1.ebuild similarity index 72% copy from net-misc/curl/curl-8.13.0_rc3.ebuild copy to net-misc/curl/curl-8.13.0_rc3-r1.ebuild index 5af80a37e9b1..7c358f28d7a5 100644 --- a/net-misc/curl/curl-8.13.0_rc3.ebuild +++ b/net-misc/curl/curl-8.13.0_rc3-r1.ebuild 
@@ -32,17 +32,28 @@ fi LICENSE="BSD curl ISC test? ( BSD-4 )" SLOT="0" -IUSE="+adns +alt-svc brotli debug +ftp gnutls gopher +hsts +http2 +http3 idn +imap kerberos ldap mbedtls +openssl +pop3" -IUSE+=" +psl +progress-meter +quic rtmp rustls samba +smtp ssh ssl sslv3 static-libs test telnet +tftp +websockets zstd" +IUSE="+adns +alt-svc brotli debug +ftp gnutls gopher +hsts +http2 +http3 +httpsrr idn +imap kerberos ldap" +IUSE+=" mbedtls +openssl +pop3 +psl +quic rtmp rustls samba sasl-scram +smtp ssh ssl static-libs test" +IUSE+=" telnet +tftp +websockets zstd" # These select the default tls implementation / which quic impl to use IUSE+=" +curl_quic_openssl curl_quic_ngtcp2 curl_ssl_gnutls curl_ssl_mbedtls +curl_ssl_openssl curl_ssl_rustls" RESTRICT="!test? ( test )" +# HTTPS RR is technically usable with the threaded resolver, but it still uses c-ares to +# ask for the HTTPS RR record type; if DoH is in use the HTTPS record will be requested +# in addition to A and AAAA records. + +# To simplify dependency management in the ebuild we'll require c-ares for HTTPS RR (for now?). +# HTTPS RR in cURL is a dependency for: +# - ECH (requires patched openssl or gnutls currently, enabled with rustls) +# - Fetching the ALPN list which should provide a better HTTP/3 experience. + # Only one default ssl / quic provider can be enabled # The default provider needs its USE satisfied # HTTP/3 and MultiSSL are mutually exclusive; it's not clear if MultiSSL offers any benefit at all in the modern day. # https://github.com/curl/curl/commit/65ece771f4602107d9cdd339dff4b420280a2c2e REQUIRED_USE=" + httpsrr? ( adns ) quic? ( ^^ ( curl_quic_openssl @@ -77,7 +88,7 @@ REQUIRED_USE=" curl_ssl_mbedtls? ( mbedtls ) curl_ssl_openssl? ( openssl ) curl_ssl_rustls? ( rustls ) - http3? ( alt-svc quic ) + http3? ( alt-svc httpsrr quic ) " # cURL's docs and CI/CD are great resources for confirming supported versions 
@@ -104,6 +115,7 @@ RDEPEND=" ) rtmp? ( media-video/rtmpdump[${MULTILIB_USEDEP}] ) ssh? ( >=net-libs/libssh2-1.2.8[${MULTILIB_USEDEP}] ) + sasl-scram? ( >=net-misc/gsasl-2.2.0[static-libs?,${MULTILIB_USEDEP}] ) ssl? ( gnutls? ( app-misc/ca-certificates @@ -115,10 +127,10 @@ RDEPEND=" net-libs/mbedtls:0=[${MULTILIB_USEDEP}] ) openssl? ( - >=dev-libs/openssl-1.0.2:=[sslv3(-)=,static-libs?,${MULTILIB_USEDEP}] + >=dev-libs/openssl-1.0.2:=[static-libs?,${MULTILIB_USEDEP}] ) rustls? ( - >=net-libs/rustls-ffi-0.14.0:=[${MULTILIB_USEDEP}] + >=net-libs/rustls-ffi-0.15.0:=[${MULTILIB_USEDEP}] ) ) zstd? ( app-arch/zstd:=[${MULTILIB_USEDEP}] ) 
@@ -173,6 +185,57 @@ src_prepare() { eautoreconf } +# Generates TLS-related configure options based on USE flags. +# Outputs options suitable for appending to a configure options array. +_get_curl_tls_configure_opts() { + local tls_opts=() + + local backend flag_name + for backend in gnutls mbedtls openssl rustls; do + if [[ "$backend" == "openssl" ]]; then + flag_name="ssl" + tls_opts+=( "--with-ca-path=${EPREFIX}/etc/ssl/certs") + else + flag_name="$backend" + fi + + if use "$backend"; then + tls_opts+=( "--with-${flag_name}" ) + else + # If a single backend is enabled, 'ssl' is required, openssl is the default / fallback + if ! [[ "$backend" == "openssl" ]]; then + tls_opts+=( "--without-${flag_name}" ) + fi + fi + done + + if use curl_ssl_gnutls; then + multilib_is_native_abi && einfo "Default TLS backend: gnutls" + tls_opts+=( "--with-default-ssl-backend=gnutls" ) + elif use curl_ssl_mbedtls; then + multilib_is_native_abi && einfo "Default TLS backend: mbedtls" + tls_opts+=( "--with-default-ssl-backend=mbedtls" ) + elif use curl_ssl_openssl; then + multilib_is_native_abi && einfo "Default TLS backend: openssl" + tls_opts+=( "--with-default-ssl-backend=openssl" ) + elif use curl_ssl_rustls; then + multilib_is_native_abi && einfo "Default TLS backend: rustls" + tls_opts+=( "--with-default-ssl-backend=rustls" ) + else + eerror "We can't be here because of REQUIRED_USE." + die "Please file a bug, hit impossible condition w/ USE=ssl handling." + fi + + # Explicitly Disable unimplemented b + tls_opts+=( + --without-amissl + --without-bearssl + --without-wolfssl + ) + + printf "%s\n" "${tls_opts[@]}" +} + multilib_src_configure() { # We make use of the fact that later flags override earlier ones # So start with all ssl providers off until proven otherwise 
@@ -181,128 +244,107 @@ multilib_src_configure() { myconf+=( --without-ca-fallback --with-ca-bundle="${EPREFIX}"/etc/ssl/certs/ca-certificates.crt ) if use ssl; then - myconf+=( --without-gnutls --without-mbedtls --without-rustls ) - - if use gnutls; then - multilib_is_native_abi && einfo "SSL provided by gnutls" - myconf+=( --with-gnutls ) - fi - if use mbedtls; then - multilib_is_native_abi && einfo "SSL provided by mbedtls" - myconf+=( --with-mbedtls ) - fi - if use openssl; then - multilib_is_native_abi && einfo "SSL provided by openssl" - myconf+=( --with-ssl --with-ca-path="${EPREFIX}"/etc/ssl/certs ) - fi - if use rustls; then - multilib_is_native_abi && einfo "SSL provided by rustls" - myconf+=( --with-rustls ) - fi - if use curl_ssl_gnutls; then - multilib_is_native_abi && einfo "Default SSL provided by gnutls" - myconf+=( --with-default-ssl-backend=gnutls ) - elif use curl_ssl_mbedtls; then - multilib_is_native_abi && einfo "Default SSL provided by mbedtls" - myconf+=( --with-default-ssl-backend=mbedtls ) - elif use curl_ssl_openssl; then - multilib_is_native_abi && einfo "Default SSL provided by openssl" - myconf+=( --with-default-ssl-backend=openssl ) - elif use curl_ssl_rustls; then - multilib_is_native_abi && einfo "Default SSL provided by rustls" - myconf+=( --with-default-ssl-backend=rustls ) - else - eerror "We can't be here because of REQUIRED_USE." - die "Please file a bug, hit impossible condition w/ USE=ssl handling." - fi - + local -a tls_backend_opts + readarray -t tls_backend_opts < <(_get_curl_tls_configure_opts) + myconf+=("${tls_backend_opts[@]}") else myconf+=( --without-ssl ) einfo "SSL disabled" fi - # These configuration options are organized alphabetically - # within each category. This should make it easier if we - # ever decide to make any of them contingent on USE flags: - # 1) protocols first. To see them all do - # 'grep SUPPORT_PROTOCOLS configure.ac' - # 2) --enable/disable options second. 
- # 'grep -- --enable configure | grep Check | awk '{ print $4 }' | sort - # 3) --with/without options third. - # grep -- --with configure | grep Check | awk '{ print $4 }' | sort + # These configuration options are organised alphabetically by category/type + # Protocols + # `grep SUPPORT_PROTOCOLS=\" configure.ac | awk '{ print substr($2, 1, length($2)-1)}' | sort` + # Assume that anything omitted (that is not new!) is enabled by default with no deps myconf+=( - $(use_enable alt-svc) - --enable-basic-auth - --enable-bearer-auth - --enable-digest-auth - --enable-kerberos-auth - --enable-negotiate-auth - --enable-aws - --enable-dict - --disable-ech --enable-file $(use_enable ftp) $(use_enable gopher) - $(use_enable hsts) --enable-http - $(use_enable imap) - $(use_enable ldap) + $(use_enable imap) # Automatic IMAPS if TLS is enabled $(use_enable ldap ldaps) - --enable-ntlm + $(use_enable ldap) $(use_enable pop3) - --enable-rt - --enable-rtsp $(use_enable samba smb) - $(use_with ssh libssh2) + $(use_with ssh libssh2) # enables scp/sftp + $(use_with rtmp librtmp) + --enable-rtsp $(use_enable smtp) $(use_enable telnet) $(use_enable tftp) - --enable-tls-srp + $(use_enable websockets) + ) + + # Keep various 'HTTP-flavoured' options together + myconf+=( + $(use_enable alt-svc) + $(use_enable hsts) + $(use_enable httpsrr) + $(use_with http2 nghttp2) + $(use_with http3 nghttp3) + $(use_with curl_quic_ngtcp2 ngtcp2) + $(use_with curl_quic_openssl openssl-quic) + ) + + # --enable/disable options + # `grep -- --enable configure | grep Check | awk '{ print $4 }' | sort` + myconf+=( $(use_enable adns ares) + --enable-aws + --enable-basic-auth + --enable-bearer-auth --enable-cookies --enable-dateparse + --enable-dict + --enable-digest-auth --enable-dnsshuffle --enable-doh - --enable-symbol-hiding + --disable-ech --enable-http-auth --enable-ipv6 + --enable-kerberos-auth --enable-largefile --enable-manual --enable-mime + --enable-negotiate-auth --enable-netrc - $(use_enable 
progress-meter) + --enable-ntlm + --enable-progress-meter --enable-proxy + --enable-rt --enable-socketpair --disable-sspi $(use_enable static-libs static) + --enable-symbol-hiding + --enable-tls-srp --disable-versioned-symbols - --without-amissl - --without-bearssl + ) + + # --with/without options + # `grep -- --with configure | grep Check | awk '{ print $4 }' | sort` + myconf+=( $(use_with brotli) --with-fish-functions-dir="${EPREFIX}"/usr/share/fish/vendor_completions.d - $(use_with http2 nghttp2) $(use_with idn libidn2) $(use_with kerberos gssapi "${EPREFIX}"/usr) - --without-libgsasl + $(use_with sasl-scram libgsasl) $(use_with psl libpsl) --without-msh3 - $(use_with http3 nghttp3) - $(use_with curl_quic_ngtcp2 ngtcp2) - $(use_with curl_quic_openssl openssl-quic) --without-quiche - $(use_with rtmp librtmp) --without-schannel --without-secure-transport - --without-test-caddy - --without-test-httpd - --without-test-nghttpx - $(use_enable websockets) --without-winidn - --without-wolfssl --with-zlib - $(use_with zstd) --with-zsh-functions-dir="${EPREFIX}"/usr/share/zsh/site-functions + $(use_with zstd) + ) + + # Test deps (disabled) + myconf+=( + --without-test-caddy + --without-test-httpd + --without-test-nghttpx ) if use debug; then @@ -319,8 +361,7 @@ multilib_src_configure() { # Since 8.12.0 adns/c-ares and the threaded resolver are mutually exclusive # This is in support of some work to enable `httpsrr` to use adns and the rest - # of curl to use the threaded resolver; we'll just make `httpsrr` conditional on adns - # when the time comes. + # of curl to use the threaded resolver; for us `httpsrr` is conditional on adns. if use adns; then myconf+=( --disable-threaded-resolver 
@@ -367,7 +408,8 @@ multilib_src_test() { # this ends up breaking when nproc is huge (like -j80). # The network sandbox causes tests 241 and 1083 to fail; these are typically skipped # as most gentoo users don't have an 'ip6-localhost' - multilib_is_native_abi && emake test TFLAGS="-n -v -a -k -am -p -j$((2*$(makeopts_jobs))) !241 !1083" + # 1308: https://github.com/curl/curl/issues/16890 + multilib_is_native_abi && emake test TFLAGS="-n -v -a -k -am -p -j$((2*$(makeopts_jobs))) !241 !1083 $(usex rustls "!1308")" } multilib_src_install() { diff --git a/net-misc/curl/curl-8.13.0_rc3.ebuild b/net-misc/curl/curl-8.13.0_rc3.ebuild index 5af80a37e9b1..6f599a99ce67 100644 --- a/net-misc/curl/curl-8.13.0_rc3.ebuild +++ b/net-misc/curl/curl-8.13.0_rc3.ebuild @@ -215,7 +215,6 @@ multilib_src_configure() { eerror "We can't be here because of REQUIRED_USE." die "Please file a bug, hit impossible condition w/ USE=ssl handling." fi - else myconf+=( --without-ssl ) einfo "SSL disabled" diff --git a/net-misc/curl/curl-9999.ebuild b/net-misc/curl/curl-9999.ebuild index 5af80a37e9b1..bdceb348fcc7 100644 --- a/net-misc/curl/curl-9999.ebuild +++ b/net-misc/curl/curl-9999.ebuild 
@@ -32,17 +32,29 @@ fi LICENSE="BSD curl ISC test? ( BSD-4 )" SLOT="0" -IUSE="+adns +alt-svc brotli debug +ftp gnutls gopher +hsts +http2 +http3 idn +imap kerberos ldap mbedtls +openssl +pop3" -IUSE+=" +psl +progress-meter +quic rtmp rustls samba +smtp ssh ssl sslv3 static-libs test telnet +tftp +websockets zstd" +IUSE="+adns +alt-svc brotli debug ech +ftp gnutls gopher +hsts +http2 +http3 +httpsrr idn +imap kerberos ldap" +IUSE+=" mbedtls +openssl +pop3 +psl +quic rtmp rustls samba sasl-scram +smtp ssh ssl static-libs test" +IUSE+=" telnet +tftp +websockets zstd" # These select the default tls implementation / which quic impl to use IUSE+=" +curl_quic_openssl curl_quic_ngtcp2 curl_ssl_gnutls curl_ssl_mbedtls +curl_ssl_openssl curl_ssl_rustls" RESTRICT="!test? ( test )" +# HTTPS RR is technically usable with the threaded resolver, but it still uses c-ares to +# ask for the HTTPS RR record type; if DoH is in use the HTTPS record will be requested +# in addition to A and AAAA records. + +# To simplify dependency management in the ebuild we'll require c-ares for HTTPS RR (for now?). +# HTTPS RR in cURL is a dependency for: +# - ECH (requires patched openssl or gnutls currently, enabled with rustls) +# - Fetching the ALPN list which should provide a better HTTP/3 experience. + # Only one default ssl / quic provider can be enabled # The default provider needs its USE satisfied # HTTP/3 and MultiSSL are mutually exclusive; it's not clear if MultiSSL offers any benefit at all in the modern day. # https://github.com/curl/curl/commit/65ece771f4602107d9cdd339dff4b420280a2c2e REQUIRED_USE=" + ech? ( rustls ) + httpsrr? ( adns ) quic? ( ^^ ( curl_quic_openssl @@ -77,7 +89,7 @@ REQUIRED_USE=" curl_ssl_mbedtls? ( mbedtls ) curl_ssl_openssl? ( openssl ) curl_ssl_rustls? ( rustls ) - http3? ( alt-svc quic ) + http3? ( alt-svc httpsrr quic ) " # cURL's docs and CI/CD are great resources for confirming supported versions 
@@ -104,6 +116,7 @@ RDEPEND=" ) rtmp? ( media-video/rtmpdump[${MULTILIB_USEDEP}] ) ssh? ( >=net-libs/libssh2-1.2.8[${MULTILIB_USEDEP}] ) + sasl-scram? ( >=net-misc/gsasl-2.2.0[static-libs?,${MULTILIB_USEDEP}] ) ssl? ( gnutls? ( app-misc/ca-certificates @@ -115,10 +128,10 @@ RDEPEND=" net-libs/mbedtls:0=[${MULTILIB_USEDEP}] ) openssl? ( - >=dev-libs/openssl-1.0.2:=[sslv3(-)=,static-libs?,${MULTILIB_USEDEP}] + >=dev-libs/openssl-1.0.2:=[static-libs?,${MULTILIB_USEDEP}] ) rustls? ( - >=net-libs/rustls-ffi-0.14.0:=[${MULTILIB_USEDEP}] + >=net-libs/rustls-ffi-0.15.0:=[${MULTILIB_USEDEP}] ) ) zstd? ( app-arch/zstd:=[${MULTILIB_USEDEP}] ) 
@@ -173,6 +186,57 @@ src_prepare() { eautoreconf } +# Generates TLS-related configure options based on USE flags. +# Outputs options suitable for appending to a configure options array. +_get_curl_tls_configure_opts() { + local tls_opts=() + + local backend flag_name + for backend in gnutls mbedtls openssl rustls; do + if [[ "$backend" == "openssl" ]]; then + flag_name="ssl" + tls_opts+=( "--with-ca-path=${EPREFIX}/etc/ssl/certs") + else + flag_name="$backend" + fi + + if use "$backend"; then + tls_opts+=( "--with-${flag_name}" ) + else + # If a single backend is enabled, 'ssl' is required, openssl is the default / fallback + if ! [[ "$backend" == "openssl" ]]; then + tls_opts+=( "--without-${flag_name}" ) + fi + fi + done + + if use curl_ssl_gnutls; then + multilib_is_native_abi && einfo "Default TLS backend: gnutls" + tls_opts+=( "--with-default-ssl-backend=gnutls" ) + elif use curl_ssl_mbedtls; then + multilib_is_native_abi && einfo "Default TLS backend: mbedtls" + tls_opts+=( "--with-default-ssl-backend=mbedtls" ) + elif use curl_ssl_openssl; then + multilib_is_native_abi && einfo "Default TLS backend: openssl" + tls_opts+=( "--with-default-ssl-backend=openssl" ) + elif use curl_ssl_rustls; then + multilib_is_native_abi && einfo "Default TLS backend: rustls" + tls_opts+=( "--with-default-ssl-backend=rustls" ) + else + eerror "We can't be here because of REQUIRED_USE." + die "Please file a bug, hit impossible condition w/ USE=ssl handling." + fi + + # Explicitly Disable unimplemented b + tls_opts+=( + --without-amissl + --without-bearssl + --without-wolfssl + ) + + printf "%s\n" "${tls_opts[@]}" +} + multilib_src_configure() { # We make use of the fact that later flags override earlier ones # So start with all ssl providers off until proven otherwise 
@@ -181,128 +245,107 @@ multilib_src_configure() { myconf+=( --without-ca-fallback --with-ca-bundle="${EPREFIX}"/etc/ssl/certs/ca-certificates.crt ) if use ssl; then - myconf+=( --without-gnutls --without-mbedtls --without-rustls ) - - if use gnutls; then - multilib_is_native_abi && einfo "SSL provided by gnutls" - myconf+=( --with-gnutls ) - fi - if use mbedtls; then - multilib_is_native_abi && einfo "SSL provided by mbedtls" - myconf+=( --with-mbedtls ) - fi - if use openssl; then - multilib_is_native_abi && einfo "SSL provided by openssl" - myconf+=( --with-ssl --with-ca-path="${EPREFIX}"/etc/ssl/certs ) - fi - if use rustls; then - multilib_is_native_abi && einfo "SSL provided by rustls" - myconf+=( --with-rustls ) - fi - if use curl_ssl_gnutls; then - multilib_is_native_abi && einfo "Default SSL provided by gnutls" - myconf+=( --with-default-ssl-backend=gnutls ) - elif use curl_ssl_mbedtls; then - multilib_is_native_abi && einfo "Default SSL provided by mbedtls" - myconf+=( --with-default-ssl-backend=mbedtls ) - elif use curl_ssl_openssl; then - multilib_is_native_abi && einfo "Default SSL provided by openssl" - myconf+=( --with-default-ssl-backend=openssl ) - elif use curl_ssl_rustls; then - multilib_is_native_abi && einfo "Default SSL provided by rustls" - myconf+=( --with-default-ssl-backend=rustls ) - else - eerror "We can't be here because of REQUIRED_USE." - die "Please file a bug, hit impossible condition w/ USE=ssl handling." - fi - + local -a tls_backend_opts + readarray -t tls_backend_opts < <(_get_curl_tls_configure_opts) + myconf+=("${tls_backend_opts[@]}") else myconf+=( --without-ssl ) einfo "SSL disabled" fi - # These configuration options are organized alphabetically - # within each category. This should make it easier if we - # ever decide to make any of them contingent on USE flags: - # 1) protocols first. To see them all do - # 'grep SUPPORT_PROTOCOLS configure.ac' - # 2) --enable/disable options second. 
- # 'grep -- --enable configure | grep Check | awk '{ print $4 }' | sort - # 3) --with/without options third. - # grep -- --with configure | grep Check | awk '{ print $4 }' | sort + # These configuration options are organised alphabetically by category/type + # Protocols + # `grep SUPPORT_PROTOCOLS=\" configure.ac | awk '{ print substr($2, 1, length($2)-1)}' | sort` + # Assume that anything omitted (that is not new!) is enabled by default with no deps myconf+=( - $(use_enable alt-svc) - --enable-basic-auth - --enable-bearer-auth - --enable-digest-auth - --enable-kerberos-auth - --enable-negotiate-auth - --enable-aws - --enable-dict - --disable-ech --enable-file $(use_enable ftp) $(use_enable gopher) - $(use_enable hsts) --enable-http - $(use_enable imap) - $(use_enable ldap) + $(use_enable imap) # Automatic IMAPS if TLS is enabled $(use_enable ldap ldaps) - --enable-ntlm + $(use_enable ldap) $(use_enable pop3) - --enable-rt - --enable-rtsp $(use_enable samba smb) - $(use_with ssh libssh2) + $(use_with ssh libssh2) # enables scp/sftp + $(use_with rtmp librtmp) + --enable-rtsp $(use_enable smtp) $(use_enable telnet) $(use_enable tftp) - --enable-tls-srp + $(use_enable websockets) + ) + + # Keep various 'HTTP-flavoured' options together + myconf+=( + $(use_enable alt-svc) + $(use_enable hsts) + $(use_enable httpsrr) + $(use_with http2 nghttp2) + $(use_with http3 nghttp3) + $(use_with curl_quic_ngtcp2 ngtcp2) + $(use_with curl_quic_openssl openssl-quic) + ) + + # --enable/disable options + # `grep -- --enable configure | grep Check | awk '{ print $4 }' | sort` + myconf+=( $(use_enable adns ares) + --enable-aws + --enable-basic-auth + --enable-bearer-auth --enable-cookies --enable-dateparse + --enable-dict + --enable-digest-auth --enable-dnsshuffle --enable-doh - --enable-symbol-hiding + $(use_enable ech) --enable-http-auth --enable-ipv6 + --enable-kerberos-auth --enable-largefile --enable-manual --enable-mime + --enable-negotiate-auth --enable-netrc - $(use_enable 
progress-meter) + --enable-ntlm + --enable-progress-meter --enable-proxy + --enable-rt --enable-socketpair --disable-sspi $(use_enable static-libs static) + --enable-symbol-hiding + --enable-tls-srp --disable-versioned-symbols - --without-amissl - --without-bearssl + ) + + # --with/without options + # `grep -- --with configure | grep Check | awk '{ print $4 }' | sort` + myconf+=( $(use_with brotli) --with-fish-functions-dir="${EPREFIX}"/usr/share/fish/vendor_completions.d - $(use_with http2 nghttp2) $(use_with idn libidn2) $(use_with kerberos gssapi "${EPREFIX}"/usr) - --without-libgsasl + $(use_with sasl-scram libgsasl) $(use_with psl libpsl) --without-msh3 - $(use_with http3 nghttp3) - $(use_with curl_quic_ngtcp2 ngtcp2) - $(use_with curl_quic_openssl openssl-quic) --without-quiche - $(use_with rtmp librtmp) --without-schannel --without-secure-transport - --without-test-caddy - --without-test-httpd - --without-test-nghttpx - $(use_enable websockets) --without-winidn - --without-wolfssl --with-zlib - $(use_with zstd) --with-zsh-functions-dir="${EPREFIX}"/usr/share/zsh/site-functions + $(use_with zstd) + ) + + # Test deps (disabled) + myconf+=( + --without-test-caddy + --without-test-httpd + --without-test-nghttpx ) if use debug; then @@ -319,8 +362,7 @@ multilib_src_configure() { # Since 8.12.0 adns/c-ares and the threaded resolver are mutually exclusive # This is in support of some work to enable `httpsrr` to use adns and the rest - # of curl to use the threaded resolver; we'll just make `httpsrr` conditional on adns - # when the time comes. + # of curl to use the threaded resolver; for us `httpsrr` is conditional on adns. if use adns; then myconf+=( --disable-threaded-resolver diff --git a/net-misc/curl/metadata.xml b/net-misc/curl/metadata.xml index b3581ad82856..497d1d0d69db 100644 --- a/net-misc/curl/metadata.xml +++ b/net-misc/curl/metadata.xml 
@@ -11,6 +11,7 @@ Enable alt-svc support + Enable Encrypted Client Hello support Enable FTP support Enable gnutls ssl backend Enable Gopher protocol support @@ -18,6 +19,7 @@ Enable Internet Message Access Protocol support Enable mbedtls ssl backend Enable HTTP/3 support + Enable HTTPS Resource Record support Enable openssl ssl backend Enable Post Office Protocol 3 support Enable the progress meter @@ -25,6 +27,7 @@ Enable support for QUIC (RFC 9000); a UDP-based protocol intended to replace TCP Enable RTMP Streaming Media support Enable Rustls ssl backend + Enable snupport for additional SASL SCRAM-SHA authentication methods via net-misc/gsasl Enable Simple Mail Transfer Protocol support Enable SSH urls in curl using libssh2 Enable crypto engine support (via openssl if USE='-gnutls -nss')
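
Review bot: in the multilib_src_test hunk of curl-8.13.0_rc3-r1.ebuild, `$(usex rustls "!1308")` supplies no false value, and usex falls back to "no" when its third argument is omitted, so with USE=-rustls the TFLAGS string ends in a literal `no`. Pass an explicit empty string, `$(usex rustls "!1308" "")`, so that the exclusion is only appended for rustls builds and nothing is appended otherwise.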
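
Review bot: in _get_curl_tls_configure_opts (added identically to curl-8.13.0_rc3-r1.ebuild and curl-9999.ebuild), `--with-ca-path` is appended in the `[[ "$backend" == "openssl" ]]` branch before `use "$backend"` is tested, so it is now passed even with USE=-openssl, whereas the removed code only added it inside `if use openssl`. Move it into the `use "$backend"` branch for openssl, or state in the comment that the CA path is meant to apply to every backend. The comment `# Explicitly Disable unimplemented b` in the same function is cut off mid-word.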
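
Review bot: in the multilib_src_configure hunk, `readarray -t tls_backend_opts < <(_get_curl_tls_configure_opts)` runs the helper in a process substitution, so readarray never sees its exit status and the helper's `eerror`/`die` branch for the impossible default-backend case now fires in a child process instead of in the configure phase itself. Either keep that check in multilib_src_configure, or have the helper fill an array in the caller's scope (for example through a nameref) rather than printing one option per line. The unchanged comment above the call, "start with all ssl providers off until proven otherwise", also no longer describes what the refactored code does.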
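
Review bot: in the curl-9999.ebuild REQUIRED_USE hunk, `ech? ( rustls )` does not pull in `httpsrr`, although the comment added a few lines above states that HTTPS RR is a dependency for ECH; `ech? ( httpsrr rustls )` would make the constraint match the comment. The same comment block is copied into curl-8.13.0_rc3-r1.ebuild, which has no `ech` flag in IUSE and still passes `--disable-ech`, so "enabled with rustls" is misleading in that file.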
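
Review bot: the IUSE hunk in both new ebuilds removes `+progress-meter`, and the configure hunk replaces `$(use_enable progress-meter)` with an unconditional `--enable-progress-meter`, but the commit message only mentions `sslv3` being dropped. Mention the `progress-meter` removal in the commit message as well, so that users who had the flag disabled can see why it disappeared.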
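
Review bot: the sasl-scram description added in the last metadata.xml hunk reads "Enable snupport for additional SASL SCRAM-SHA authentication methods"; "snupport" should be "support".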