net-misc/curl: add 8.6.0-r2

Revbump to fix some runtime issues resulting from a
subtle order-of-operations error in rustls detection via
pkgconfig.

Bug: https://bugs.gentoo.org/928236
Signed-off-by: Matt Jolly <kangie@gentoo.org>

2 files changed, 619 insertions, 0 deletions

diff --git a/net-misc/curl/curl-8.6.0-r2.ebuild b/net-misc/curl/curl-8.6.0-r2.ebuild
new file mode 100644
index 000000000000..c31bf46b91d8
--- /dev/null
+++ b/net-misc/curl/curl-8.6.0-r2.ebuild
@@ -0,0 +1,367 @@
+# Copyright 1999-2024 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=8
+
+VERIFY_SIG_OPENPGP_KEY_PATH=/usr/share/openpgp-keys/danielstenberg.asc
+inherit autotools multilib-minimal multiprocessing prefix toolchain-funcs verify-sig
+
+DESCRIPTION="A Client that groks URLs"
+HOMEPAGE="https://curl.se/"
+
+if [[ ${PV} == 9999 ]]; then
+	inherit git-r3
+	EGIT_REPO_URI="https://github.com/curl/curl.git"
+else
+	SRC_URI="
+		https://curl.se/download/${P}.tar.xz
+		verify-sig? ( https://curl.se/download/${P}.tar.xz.asc )
+	"
+	KEYWORDS="~alpha amd64 arm arm64 ~hppa ~ia64 ~loong ~m68k ~mips ppc ppc64 ~riscv ~s390 sparc x86 ~amd64-linux ~x86-linux ~arm64-macos ~ppc-macos ~x64-macos ~x64-solaris"
+fi
+
+LICENSE="BSD curl ISC test? ( BSD-4 )"
+SLOT="0"
+IUSE="+adns +alt-svc brotli +ftp gnutls gopher +hsts +http2 idn +imap kerberos ldap mbedtls nghttp3 +openssl +pop3"
+IUSE+=" +psl +progress-meter rtmp rustls samba +smtp ssh ssl sslv3 static-libs test telnet +tftp websockets zstd"
+# These select the default SSL implementation
+IUSE+=" curl_ssl_gnutls curl_ssl_mbedtls +curl_ssl_openssl curl_ssl_rustls"
+RESTRICT="!test? ( test )"
+
+# Only one default ssl provider can be enabled
+# The default ssl provider needs its USE satisfied
+# nghttp3 = https://bugs.gentoo.org/912029
+REQUIRED_USE="
+	ssl? (
+		^^ (
+			curl_ssl_gnutls
+			curl_ssl_mbedtls
+			curl_ssl_openssl
+			curl_ssl_rustls
+		)
+	)
+	curl_ssl_gnutls? ( gnutls )
+	curl_ssl_mbedtls? ( mbedtls )
+	curl_ssl_openssl? ( openssl )
+	curl_ssl_rustls? ( rustls )
+	nghttp3? (
+		!openssl
+		alt-svc )
+"
+
+# cURL's docs and CI/CD are great resources for confirming supported versions
+# particulary for fast-moving targets like HTTP/2 and TCP/2 e.g.:
+# - https://github.com/curl/curl/blob/master/docs/INTERNALS.md (core dependencies + minimum versions)
+# - https://github.com/curl/curl/blob/master/docs/HTTP3.md (example of a feature that moves quickly)
+# - https://github.com/curl/curl/blob/master/.github/workflows/quiche-linux.yml (CI/CD for TCP/2)
+# However 'supported' vs 'works' are two entirely different things; be sane but
+# don't be afraid to require a later version.
+
+RDEPEND="
+	>=sys-libs/zlib-1.1.4[${MULTILIB_USEDEP}]
+	adns? ( net-dns/c-ares:=[${MULTILIB_USEDEP}] )
+	brotli? ( app-arch/brotli:=[${MULTILIB_USEDEP}] )
+	http2? ( >=net-libs/nghttp2-1.12.0:=[${MULTILIB_USEDEP}] )
+	idn? ( net-dns/libidn2:=[static-libs?,${MULTILIB_USEDEP}] )
+	kerberos? ( >=virtual/krb5-0-r1[${MULTILIB_USEDEP}] )
+	ldap? ( >=net-nds/openldap-2.0.0:=[static-libs?,${MULTILIB_USEDEP}] )
+	nghttp3? (
+		>=net-libs/nghttp3-0.15.0[${MULTILIB_USEDEP}]
+		>=net-libs/ngtcp2-0.19.1[gnutls,ssl,-openssl,${MULTILIB_USEDEP}]
+	)
+	psl? ( net-libs/libpsl[${MULTILIB_USEDEP}] )
+	rtmp? ( media-video/rtmpdump[${MULTILIB_USEDEP}] )
+	ssh? ( >=net-libs/libssh2-1.0.0[${MULTILIB_USEDEP}] )
+	ssl? (
+		gnutls? (
+			app-misc/ca-certificates
+			>=net-libs/gnutls-3.1.10:=[static-libs?,${MULTILIB_USEDEP}]
+			dev-libs/nettle:=[${MULTILIB_USEDEP}]
+		)
+		mbedtls? (
+			app-misc/ca-certificates
+			net-libs/mbedtls:=[${MULTILIB_USEDEP}]
+		)
+		openssl? (
+			>=dev-libs/openssl-0.9.7:=[sslv3(-)=,static-libs?,${MULTILIB_USEDEP}]
+		)
+		rustls? (
+			~net-libs/rustls-ffi-0.10.0:=[${MULTILIB_USEDEP}]
+		)
+	)
+	zstd? ( app-arch/zstd:=[${MULTILIB_USEDEP}] )
+"
+
+DEPEND="${RDEPEND}"
+
+BDEPEND="
+	dev-lang/perl
+	virtual/pkgconfig
+	test? (
+		sys-apps/diffutils
+		http2? ( >=net-libs/nghttp2-1.15.0:=[utils,${MULTILIB_USEDEP}] )
+		nghttp3? ( net-libs/nghttp2:=[utils,${MULTILIB_USEDEP}] )
+	)
+	verify-sig? ( sec-keys/openpgp-keys-danielstenberg )
+"
+
+DOCS=( CHANGES README docs/{FEATURES.md,INTERNALS.md,FAQ,BUGS.md,CONTRIBUTE.md} )
+
+MULTILIB_WRAPPED_HEADERS=(
+	/usr/include/curl/curlbuild.h
+)
+
+MULTILIB_CHOST_TOOLS=(
+	/usr/bin/curl-config
+)
+
+QA_CONFIG_IMPL_DECL_SKIP=(
+	__builtin_available
+	closesocket
+	CloseSocket
+	getpass_r
+	ioctlsocket
+	IoctlSocket
+	mach_absolute_time
+	setmode
+	_fseeki64
+)
+
+PATCHES=(
+	"${FILESDIR}"/${PN}-prefix.patch
+	"${FILESDIR}"/${PN}-respect-cflags-3.patch
+	"${FILESDIR}"/${P}-vtls-revert-receive-max-buffer-add-test-case.patch
+	"${FILESDIR}"/${P}-rustls-fixes.patch
+)
+
+src_prepare() {
+	default
+
+	eprefixify curl-config.in
+	eautoreconf
+}
+
+multilib_src_configure() {
+	# We make use of the fact that later flags override earlier ones
+	# So start with all ssl providers off until proven otherwise
+	# TODO: in the future, we may want to add wolfssl (https://www.wolfssl.com/)
+	local myconf=()
+
+	myconf+=( --without-ca-fallback --with-ca-bundle="${EPREFIX}"/etc/ssl/certs/ca-certificates.crt  )
+	if use ssl; then
+		myconf+=( --without-gnutls --without-mbedtls --without-rustls )
+
+		if use gnutls; then
+			multilib_is_native_abi && einfo "SSL provided by gnutls"
+			myconf+=( --with-gnutls )
+		fi
+		if use mbedtls; then
+			multilib_is_native_abi && einfo "SSL provided by mbedtls"
+			myconf+=( --with-mbedtls )
+		fi
+		if use openssl; then
+			multilib_is_native_abi && einfo "SSL provided by openssl"
+			myconf+=( --with-ssl --with-ca-path="${EPREFIX}"/etc/ssl/certs )
+		fi
+		if use rustls; then
+			multilib_is_native_abi && einfo "SSL provided by rustls"
+			myconf+=( --with-rustls )
+		fi
+		if use curl_ssl_gnutls; then
+			multilib_is_native_abi && einfo "Default SSL provided by gnutls"
+			myconf+=( --with-default-ssl-backend=gnutls )
+		elif use curl_ssl_mbedtls; then
+			multilib_is_native_abi && einfo "Default SSL provided by mbedtls"
+			myconf+=( --with-default-ssl-backend=mbedtls )
+		elif use curl_ssl_openssl; then
+			multilib_is_native_abi && einfo "Default SSL provided by openssl"
+			myconf+=( --with-default-ssl-backend=openssl )
+		elif use curl_ssl_rustls; then
+			multilib_is_native_abi && einfo "Default SSL provided by rustls"
+			myconf+=( --with-default-ssl-backend=rustls )
+		else
+			eerror "We can't be here because of REQUIRED_USE."
+			die "Please file a bug, hit impossible condition w/ USE=ssl handling."
+		fi
+
+	else
+		myconf+=( --without-ssl )
+		einfo "SSL disabled"
+	fi
+
+	# These configuration options are organized alphabetically
+	# within each category.  This should make it easier if we
+	# ever decide to make any of them contingent on USE flags:
+	# 1) protocols first.  To see them all do
+	# 'grep SUPPORT_PROTOCOLS configure.ac'
+	# 2) --enable/disable options second.
+	# 'grep -- --enable configure | grep Check | awk '{ print $4 }' | sort
+	# 3) --with/without options third.
+	# grep -- --with configure | grep Check | awk '{ print $4 }' | sort
+
+	myconf+=(
+		$(use_enable alt-svc)
+		--enable-basic-auth
+		--enable-bearer-auth
+		--enable-digest-auth
+		--enable-kerberos-auth
+		--enable-negotiate-auth
+		--enable-aws
+		--enable-dict
+		--disable-ech
+		--enable-file
+		$(use_enable ftp)
+		$(use_enable gopher)
+		$(use_enable hsts)
+		--enable-http
+		$(use_enable imap)
+		$(use_enable ldap)
+		$(use_enable ldap ldaps)
+		--enable-ntlm
+		--disable-ntlm-wb
+		$(use_enable pop3)
+		--enable-rt
+		--enable-rtsp
+		$(use_enable samba smb)
+		$(use_with ssh libssh2)
+		$(use_enable smtp)
+		$(use_enable telnet)
+		$(use_enable tftp)
+		--enable-tls-srp
+		$(use_enable adns ares)
+		--enable-cookies
+		--enable-dateparse
+		--enable-dnsshuffle
+		--enable-doh
+		--enable-symbol-hiding
+		--enable-http-auth
+		--enable-ipv6
+		--enable-largefile
+		--enable-manual
+		--enable-mime
+		--enable-netrc
+		$(use_enable progress-meter)
+		--enable-proxy
+		--enable-socketpair
+		--disable-sspi
+		$(use_enable static-libs static)
+		--enable-pthreads
+		--enable-threaded-resolver
+		--disable-versioned-symbols
+		--without-amissl
+		--without-bearssl
+		$(use_with brotli)
+		--with-fish-functions-dir="${EPREFIX}"/usr/share/fish/vendor_completions.d
+		$(use_with http2 nghttp2)
+		--without-hyper
+		$(use_with idn libidn2)
+		$(use_with kerberos gssapi "${EPREFIX}"/usr)
+		--without-libgsasl
+		$(use_with psl libpsl)
+		--without-msh3
+		$(use_with nghttp3)
+		$(use_with nghttp3 ngtcp2)
+		--without-quiche
+		$(use_with rtmp librtmp)
+		--without-schannel
+		--without-secure-transport
+		--without-test-caddy
+		--without-test-httpd
+		--without-test-nghttpx
+		$(use_enable websockets)
+		--without-winidn
+		--without-wolfssl
+		--with-zlib
+		$(use_with zstd)
+		--with-zsh-functions-dir="${EPREFIX}"/usr/share/zsh/site-functions
+	)
+
+	if use test && multilib_is_native_abi && ( use http2 || use nghttp3 ); then
+		myconf+=(
+			--with-test-nghttpx="${BROOT}/usr/bin/nghttpx"
+		)
+	fi
+
+	if [[ ${CHOST} == *mingw* ]] ; then
+		myconf+=(
+			--disable-pthreads
+		)
+	fi
+
+	ECONF_SOURCE="${S}" econf "${myconf[@]}"
+
+	if ! multilib_is_native_abi; then
+		# Avoid building the client (we just want libcurl for multilib)
+		sed -i -e '/SUBDIRS/s:src::' Makefile || die
+		sed -i -e '/SUBDIRS/s:scripts::' Makefile || die
+	fi
+
+	# Fix up the pkg-config file to be more robust.
+	# https://github.com/curl/curl/issues/864
+	local priv=() libs=()
+	# We always enable zlib.
+	libs+=( "-lz" )
+	priv+=( "zlib" )
+	if use http2; then
+		libs+=( "-lnghttp2" )
+		priv+=( "libnghttp2" )
+	fi
+	if use nghttp3; then
+		libs+=( "-lnghttp3" "-lngtcp2" )
+		priv+=( "libnghttp3" "libngtcp2" )
+	fi
+	if use ssl && use curl_ssl_openssl; then
+		libs+=( "-lssl" "-lcrypto" )
+		priv+=( "openssl" )
+	fi
+	grep -q Requires.private libcurl.pc && die "need to update ebuild"
+	libs=$(printf '|%s' "${libs[@]}")
+	sed -i -r \
+		-e "/^Libs.private/s:(${libs#|})( |$)::g" \
+		libcurl.pc || die
+	echo "Requires.private: ${priv[*]}" >> libcurl.pc || die
+}
+
+multilib_src_compile() {
+	default
+
+	if multilib_is_native_abi; then
+		# Shell completions
+		! tc-is-cross-compiler && emake -C scripts
+	fi
+}
+
+# There is also a pytest harness that tests for bugs in some very specific
+# situations; we can rely on upstream for this rather than adding additional test deps.
+multilib_src_test() {
+	# See https://github.com/curl/curl/blob/master/tests/runtests.pl#L5721
+	# -n: no valgrind (unreliable in sandbox and doesn't work correctly on all arches)
+	# -v: verbose
+	# -a: keep going on failure (so we see everything which breaks, not just 1st test)
+	# -k: keep test files after completion
+	# -am: automake style TAP output
+	# -p: print logs if test fails
+	# Note: if needed, we can skip specific tests. See e.g. Fedora's packaging
+	# or just read https://github.com/curl/curl/tree/master/tests#run.
+	# Note: we don't run the testsuite for cross-compilation.
+	# Upstream recommend 7*nproc as a starting point for parallel tests, but
+	# this ends up breaking when nproc is huge (like -j80).
+	# The network sandbox causes tests 241 and 1083 to fail; these are typically skipped
+	# as most gentoo users don't have an 'ip6-localhost'
+	multilib_is_native_abi && emake test TFLAGS="-n -v -a -k -am -p -j$((2*$(makeopts_jobs))) !241 !1083"
+}
+
+multilib_src_install() {
+	emake DESTDIR="${D}" install
+
+	if multilib_is_native_abi; then
+		# Shell completions
+		! tc-is-cross-compiler && emake -C scripts DESTDIR="${D}" install
+	fi
+}
+
+multilib_src_install_all() {
+	einstalldocs
+	find "${ED}" -type f -name '*.la' -delete || die
+	rm -rf "${ED}"/etc/ || die
+}
diff --git a/net-misc/curl/files/curl-8.6.0-rustls-fixes.patch b/net-misc/curl/files/curl-8.6.0-rustls-fixes.patch
new file mode 100644
index 000000000000..4f713668fd35
--- /dev/null
+++ b/net-misc/curl/files/curl-8.6.0-rustls-fixes.patch
@@ -0,0 +1,252 @@
+From a59683a3607bc0167ff702352d15eee1c0d658a6 Mon Sep 17 00:00:00 2001
+From: Matt Jolly <Matt.Jolly@footclan.ninja>
+Date: Mon, 1 Apr 2024 08:49:27 +1000
+Subject: [PATCH] m4: fix rustls builds
+
+This patch consolidates the following commits to do with rustls
+detection using pkg-config:
+
+- https://github.com/curl/curl/commit/9c4209837094781d5eef69ae6bcad0e86b64bf99
+- https://github.com/curl/curl/commit/5a50cb5a18a141a463148562dab83fa3be1a3b90
+---
+ m4/curl-rustls.m4 | 210 ++++++++++++++++++++++++++++++++--------------
+ 1 file changed, 146 insertions(+), 64 deletions(-)
+
+diff --git a/m4/curl-rustls.m4 b/m4/curl-rustls.m4
+index 75542e4..8082cf9 100644
+--- a/m4/curl-rustls.m4
++++ b/m4/curl-rustls.m4
+@@ -28,84 +28,166 @@ dnl check for rustls
+ dnl ----------------------------------------------------
+ 
+ if test "x$OPT_RUSTLS" != xno; then
+-  _cppflags=$CPPFLAGS
+-  _ldflags=$LDFLAGS
+   ssl_msg=
+ 
+-  if test X"$OPT_RUSTLS" != Xno; then
++  dnl backup the pre-ssl variables
++  CLEANLDFLAGS="$LDFLAGS"
++  CLEANCPPFLAGS="$CPPFLAGS"
+ 
+-    if test "$OPT_RUSTLS" = "yes"; then
+-      OPT_RUSTLS=""
+-    fi
++  case $host_os in
++    darwin*)
++      LDFLAGS="$LDFLAGS -framework Security"
++      ;;
++    *)
++      ;;
++  esac
++  ## NEW CODE
+ 
+-    case $host_os in
+-      darwin*)
+-        LDFLAGS="$LDFLAGS -framework Security"
+-        ;;
+-      *)
+-        ;;
+-    esac
+-
+-    if test -z "$OPT_RUSTLS" ; then
+-      dnl check for lib first without setting any new path
+-
+-      AC_CHECK_LIB(rustls, rustls_client_session_read,
+-      dnl librustls found, set the variable
+-       [
+-         AC_DEFINE(USE_RUSTLS, 1, [if rustls is enabled])
+-         AC_SUBST(USE_RUSTLS, [1])
+-         RUSTLS_ENABLED=1
+-         USE_RUSTLS="yes"
+-         ssl_msg="rustls"
+-         test rustls != "$DEFAULT_SSL_BACKEND" || VALID_DEFAULT_SSL_BACKEND=yes
+-        ], [], -lpthread -ldl -lm)
+-    fi
++  dnl use pkg-config unless we have been given a path
++  dnl even then, try pkg-config first
+ 
+-    if test "x$USE_RUSTLS" != "xyes"; then
+-      dnl add the path and test again
+-      addld=-L$OPT_RUSTLS/lib$libsuff
+-      addcflags=-I$OPT_RUSTLS/include
+-      rustlslib=$OPT_RUSTLS/lib$libsuff
++  case "$OPT_RUSTLS" in
++    yes)
++      dnl --with-rustls (without path) used
++      PKGTEST="yes"
++      PREFIX_RUSTLS=
++      ;;
++    *)
++      dnl check the provided --with-rustls path
++      PKGTEST="no"
++      PREFIX_RUSTLS=$OPT_RUSTLS
+ 
+-      LDFLAGS="$LDFLAGS $addld"
+-      if test "$addcflags" != "-I/usr/include"; then
+-         CPPFLAGS="$CPPFLAGS $addcflags"
++      dnl Try pkg-config even when cross-compiling.  Since we
++      dnl specify PKG_CONFIG_LIBDIR we are only looking where
++      dnl the user told us to look
++
++      RUSTLS_PCDIR="$PREFIX_RUSTLS/lib/pkgconfig"
++      if test -f "$RUSTLS_PCDIR/rustls.pc"; then
++        AC_MSG_NOTICE([PKG_CONFIG_LIBDIR will be set to "$RUSTLS_PCDIR"])
++        PKGTEST="yes"
+       fi
+ 
+-      AC_CHECK_LIB(rustls, rustls_connection_read,
+-       [
+-       AC_DEFINE(USE_RUSTLS, 1, [if rustls is enabled])
+-       AC_SUBST(USE_RUSTLS, [1])
+-       RUSTLS_ENABLED=1
+-       USE_RUSTLS="yes"
+-       ssl_msg="rustls"
+-       test rustls != "$DEFAULT_SSL_BACKEND" || VALID_DEFAULT_SSL_BACKEND=yes
+-       ],
+-       AC_MSG_ERROR([--with-rustls was specified but could not find rustls.]),
+-       -lpthread -ldl -lm)
+-    fi
++      if test "$PKGTEST" != "yes"; then
++        # try lib64 instead
++        RUSTLS_PCDIR="$PREFIX_RUSTLS/lib64/pkgconfig"
++        if test -f "$RUSTLS_PCDIR/rustls.pc"; then
++          AC_MSG_NOTICE([PKG_CONFIG_LIBDIR will be set to "$RUSTLS_PCDIR"])
++          PKGTEST="yes"
++        fi
++      fi
++
++      if test "$PKGTEST" != "yes"; then
++        dnl pkg-config came up empty, use what we got
++        dnl via --with-rustls
+ 
+-    if test "x$USE_RUSTLS" = "xyes"; then
+-      AC_MSG_NOTICE([detected rustls])
+-      check_for_ca_bundle=1
+-
+-      LIBS="-lrustls -lpthread -ldl -lm $LIBS"
+-
+-      if test -n "$rustlslib"; then
+-        dnl when shared libs were found in a path that the run-time
+-        dnl linker doesn't search through, we need to add it to
+-        dnl CURL_LIBRARY_PATH to prevent further configure tests to fail
+-        dnl due to this
+-        if test "x$cross_compiling" != "xyes"; then
+-          CURL_LIBRARY_PATH="$CURL_LIBRARY_PATH:$rustlslib"
+-          export CURL_LIBRARY_PATH
+-          AC_MSG_NOTICE([Added $rustlslib to CURL_LIBRARY_PATH])
++        addld=-L$PREFIX_RUSTLS/lib$libsuff
++        addcflags=-I$PREFIX_RUSTLS/include
++
++        LDFLAGS="$LDFLAGS $addld"
++        if test "$addcflags" != "-I/usr/include"; then
++            CPPFLAGS="$CPPFLAGS $addcflags"
++        fi
++
++        AC_CHECK_LIB(rustls, rustls_connection_read,
++          [
++          AC_DEFINE(USE_RUSTLS, 1, [if rustls is enabled])
++          AC_SUBST(USE_RUSTLS, [1])
++          RUSTLS_ENABLED=1
++          USE_RUSTLS="yes"
++          ssl_msg="rustls"
++          test rustls != "$DEFAULT_SSL_BACKEND" || VALID_DEFAULT_SSL_BACKEND=yes
++          ],
++          AC_MSG_ERROR([--with-rustls was specified but could not find rustls.]),
++          -lpthread -ldl -lm)
++
++        USE_RUSTLS="yes"
++        ssl_msg="rustls"
++
++        LIB_RUSTLS="$PREFIX_RUSTLS/lib$libsuff"
++        if test "$PREFIX_RUSTLS" != "/usr" ; then
++          SSL_LDFLAGS="-L$LIB_RUSTLS"
++          SSL_CPPFLAGS="-I$PREFIX_RUSTLS/include"
+         fi
+       fi
++      ;;
++  esac
++
++  if test "$PKGTEST" = "yes"; then
++
++    CURL_CHECK_PKGCONFIG(rustls, [$RUSTLS_PCDIR])
++
++    if test "$PKGCONFIG" != "no" ; then
++      SSL_LIBS=`CURL_EXPORT_PCDIR([$RUSTLS_PCDIR]) dnl
++        $PKGCONFIG --libs-only-l --libs-only-other rustls 2>/dev/null`
++
++      SSL_LDFLAGS=`CURL_EXPORT_PCDIR([$RUSTLS_PCDIR]) dnl
++        $PKGCONFIG --libs-only-L rustls 2>/dev/null`
++
++      SSL_CPPFLAGS=`CURL_EXPORT_PCDIR([$RUSTLS_PCDIR]) dnl
++        $PKGCONFIG --cflags-only-I rustls 2>/dev/null`
++
++      AC_SUBST(SSL_LIBS)
++      AC_MSG_NOTICE([pkg-config: SSL_LIBS: "$SSL_LIBS"])
++      AC_MSG_NOTICE([pkg-config: SSL_LDFLAGS: "$SSL_LDFLAGS"])
++      AC_MSG_NOTICE([pkg-config: SSL_CPPFLAGS: "$SSL_CPPFLAGS"])
++
++      LIB_RUSTLS=`echo $SSL_LDFLAGS | sed -e 's/^-L//'`
++
++      dnl use the values pkg-config reported.  This is here
++      dnl instead of below with CPPFLAGS and LDFLAGS because we only
++      dnl learn about this via pkg-config.  If we only have
++      dnl the argument to --with-rustls we don't know what
++      dnl additional libs may be necessary.  Hope that we
++      dnl don't need any.
++      LIBS="$SSL_LIBS $LIBS"
++      USE_RUSTLS="yes"
++      ssl_msg="rustls"
++      AC_DEFINE(USE_RUSTLS, 1, [if rustls is enabled])
++      AC_SUBST(USE_RUSTLS, [1])
++      USE_RUSTLS="yes"
++      RUSTLS_ENABLED=1
++      test rustls != "$DEFAULT_SSL_BACKEND" || VALID_DEFAULT_SSL_BACKEND=yes
++    else
++      AC_MSG_ERROR([pkg-config: Could not find rustls])
+     fi
+ 
+-  fi dnl rustls not disabled
++  else
++    dnl we did not use pkg-config, so we need to add the
++    dnl rustls lib to LIBS
++    LIBS="-lrustls -lpthread -ldl -lm $LIBS"
++  fi
++
++  dnl finally, set flags to use this TLS backend
++  CPPFLAGS="$CLEAN_CPPFLAGS $SSL_CPPFLAGS"
++  LDFLAGS="$CLAN_LDFLAGS $SSL_LDFLAGS"
++
++  if test "x$USE_RUSTLS" = "xyes"; then
++    AC_MSG_NOTICE([detected rustls])
++    check_for_ca_bundle=1
++
++    if test -n "$LIB_RUSTLS"; then
++      dnl when shared libs were found in a path that the run-time
++      dnl linker does not search through, we need to add it to
++      dnl CURL_LIBRARY_PATH so that further configure tests do not
++      dnl fail due to this
++      if test "x$cross_compiling" != "xyes"; then
++        CURL_LIBRARY_PATH="$CURL_LIBRARY_PATH:$LIB_RUSTLS"
++        export CURL_LIBRARY_PATH
++        AC_MSG_NOTICE([Added $LIB_RUSTLS to CURL_LIBRARY_PATH])
++      fi
++    fi
++  fi
+ 
+   test -z "$ssl_msg" || ssl_backends="${ssl_backends:+$ssl_backends, }$ssl_msg"
++
++  if test X"$OPT_RUSTLS" != Xno &&
++    test "$RUSTLS_ENABLED" != "1"; then
++    AC_MSG_NOTICE([OPT_RUSTLS: $OPT_RUSTLS])
++    AC_MSG_NOTICE([RUSTLS_ENABLED: $RUSTLS_ENABLED])
++    AC_MSG_ERROR([--with-rustls was given but Rustls could not be detected])
++  fi
+ fi
+ ])
++
++
++RUSTLS_ENABLED
+-- 
+2.44.0
+