diff --git a/_modules/rust.py b/_modules/rust.py
new file mode 100644
--- /dev/null
+++ b/_modules/rust.py
@@ -0,0 +1,33 @@
+# -*- coding: utf-8 -*-
+
+# -------------------------------------------------------------
+# Salt — Rust module
+# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+# Project: Nasqueron
+# Description: Provide support for Rust properties
+# License: BSD-2-Clause
+# -------------------------------------------------------------
+
+
+from salt.utils.path import which as path_which
+
+
+def __virtual__():
+ """
+ Only load if the Rust compiler is available
+ """
+ return path_which('rustc') is not None,\
+ "The Rust execution module cannot be loaded: rustc not installed."
+
+
+def get_rustc_triplet():
+ """
+ A function to get a node triplet for Rust toolchains.
+
+ CLI Example:
+
+ salt * rust.get_rustc_triplet
+ """
+
+ # Thanks to @semarie for that tip.
+ return __salt__['cmd.shell']("rustc -vV | sed -ne 's/^host: //p'")
diff --git a/_tests/modules/test_rust.py b/_tests/modules/test_rust.py
new file mode 100644
--- /dev/null
+++ b/_tests/modules/test_rust.py
@@ -0,0 +1,14 @@
+from importlib.machinery import SourceFileLoader
+import unittest
+
+
+salt_test_case = SourceFileLoader('salt_test_case', "salt_test_case.py").load_module()
+rust = SourceFileLoader('rust', "../_modules/rust.py").load_module()
+
+
+class Testinstance(unittest.TestCase, salt_test_case.SaltTestCase):
+
+ def test_get_rustc_triplet(self):
+ triplet = rust.get_rustc_triplet()
+
+ self.assertTrue(len(triplet.split("-")) > 2)
diff --git a/pillar/core/users.sls b/pillar/core/users.sls
--- a/pillar/core/users.sls
+++ b/pillar/core/users.sls
@@ -117,6 +117,7 @@
devserver_tasks:
- deploy_dotfiles
- deploy_nanotab
+ - install_rustup
uid: 5001
erol:
diff --git a/roles/devserver/userland-home/homefiles.sls b/roles/devserver/userland-home/homefiles.sls
--- a/roles/devserver/userland-home/homefiles.sls
+++ b/roles/devserver/userland-home/homefiles.sls
@@ -7,6 +7,7 @@
# -------------------------------------------------------------
{% from "map.jinja" import dirs with context %}
+{% set triplet = salt['rust.get_rustc_triplet']() %}
{% for username, user in salt['forest.get_users']().items() %}
{% set tasks = user.get('devserver_tasks', []) %}
@@ -37,4 +38,20 @@
- unset tabstospaces
{% endif %}
+{% if 'install_rustup' in tasks %}
+devserver_rustup_{{ username }}:
+ cmd.run:
+ - name: rustup-init -y
+ - runas: {{ username }}
+ - creates: /home/{{ username }}/.cargo/bin/rustup
+
+{% for toolchain in ['stable', 'nightly'] %}
+devserver_rustup_{{toolchain}}_{{username}}:
+ cmd.run:
+ - name: rustup install {{ toolchain }}
+ - runas: {{ username }}
+ - creates: /home/{{ username }}/.rustup/toolchains/{{ toolchain }}-{{ triplet }}
+{% endfor %}
+{% endif %}
+
{% endfor %}
diff --git a/roles/devserver/userland-software/dev.sls b/roles/devserver/userland-software/dev.sls
--- a/roles/devserver/userland-software/dev.sls
+++ b/roles/devserver/userland-software/dev.sls
@@ -6,7 +6,7 @@
# License: Trivial work, not eligible to copyright
# -------------------------------------------------------------
-{% from "map.jinja" import packages, packages_prefixes with context %}
+{% from "map.jinja" import dirs, packages, packages_prefixes with context %}
# -------------------------------------------------------------
# C/C++
@@ -108,6 +108,11 @@
- pkgs:
- rust
+{{ dirs.bin }}/rustup-init:
+ file.managed:
+ - source: salt://roles/devserver/userland-software/files/rustup-init.sh
+ - mode: 0755
+
# -------------------------------------------------------------
# Shell
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
diff --git a/roles/devserver/userland-software/files/rustup-init.sh b/roles/devserver/userland-software/files/rustup-init.sh
new file mode 100755
--- /dev/null
+++ b/roles/devserver/userland-software/files/rustup-init.sh
@@ -0,0 +1,662 @@
+#!/bin/sh
+# shellcheck shell=dash
+
+# This is just a little script that can be downloaded from the internet to
+# install rustup. It just does platform detection, downloads the installer
+# and runs it.
+
+# It runs on Unix shells like {a,ba,da,k,z}sh. It uses the common `local`
+# extension. Note: Most shells limit `local` to 1 var per line, contra bash.
+
+if [ "$KSH_VERSION" = 'Version JM 93t+ 2010-03-05' ]; then
+ # The version of ksh93 that ships with many illumos systems does not
+ # support the "local" extension. Print a message rather than fail in
+ # subtle ways later on:
+ echo 'rustup does not work with this ksh93 version; please try bash!' >&2
+ exit 1
+fi
+
+
+set -u
+
+# If RUSTUP_UPDATE_ROOT is unset or empty, default it.
+RUSTUP_UPDATE_ROOT="${RUSTUP_UPDATE_ROOT:-https://static.rust-lang.org/rustup}"
+
+#XXX: If you change anything here, please make the same changes in setup_mode.rs
+usage() {
+ cat 1>&2 <<EOF
+rustup-init 1.24.3 (c1c769109 2021-05-31)
+The installer for rustup
+
+USAGE:
+ rustup-init [FLAGS] [OPTIONS]
+
+FLAGS:
+ -v, --verbose Enable verbose output
+ -q, --quiet Disable progress output
+ -y Disable confirmation prompt.
+ --no-modify-path Don't configure the PATH environment variable
+ -h, --help Prints help information
+ -V, --version Prints version information
+
+OPTIONS:
+ --default-host <default-host> Choose a default host triple
+ --default-toolchain <default-toolchain> Choose a default toolchain to install
+ --default-toolchain none Do not install any toolchains
+ --profile [minimal|default|complete] Choose a profile
+ -c, --component <components>... Component name to also install
+ -t, --target <targets>... Target name to also install
+EOF
+}
+
+main() {
+ downloader --check
+ need_cmd uname
+ need_cmd mktemp
+ need_cmd chmod
+ need_cmd mkdir
+ need_cmd rm
+ need_cmd rmdir
+
+ get_architecture || return 1
+ local _arch="$RETVAL"
+ assert_nz "$_arch" "arch"
+
+ local _ext=""
+ case "$_arch" in
+ *windows*)
+ _ext=".exe"
+ ;;
+ esac
+
+ local _url="${RUSTUP_UPDATE_ROOT}/dist/${_arch}/rustup-init${_ext}"
+
+ local _dir
+ _dir="$(ensure mktemp -d)"
+ local _file="${_dir}/rustup-init${_ext}"
+
+ local _ansi_escapes_are_valid=false
+ if [ -t 2 ]; then
+ if [ "${TERM+set}" = 'set' ]; then
+ case "$TERM" in
+ xterm*|rxvt*|urxvt*|linux*|vt*)
+ _ansi_escapes_are_valid=true
+ ;;
+ esac
+ fi
+ fi
+
+ # check if we have to use /dev/tty to prompt the user
+ local need_tty=yes
+ for arg in "$@"; do
+ case "$arg" in
+ -h|--help)
+ usage
+ exit 0
+ ;;
+ -y)
+ # user wants to skip the prompt -- we don't need /dev/tty
+ need_tty=no
+ ;;
+ *)
+ ;;
+ esac
+ done
+
+ if $_ansi_escapes_are_valid; then
+ printf "\33[1minfo:\33[0m downloading installer\n" 1>&2
+ else
+ printf '%s\n' 'info: downloading installer' 1>&2
+ fi
+
+ ensure mkdir -p "$_dir"
+ ensure downloader "$_url" "$_file" "$_arch"
+ ensure chmod u+x "$_file"
+ if [ ! -x "$_file" ]; then
+ printf '%s\n' "Cannot execute $_file (likely because of mounting /tmp as noexec)." 1>&2
+ printf '%s\n' "Please copy the file to a location where you can execute binaries and run ./rustup-init${_ext}." 1>&2
+ exit 1
+ fi
+
+ if [ "$need_tty" = "yes" ]; then
+ # The installer is going to want to ask for confirmation by
+ # reading stdin. This script was piped into `sh` though and
+ # doesn't have stdin to pass to its children. Instead we're going
+ # to explicitly connect /dev/tty to the installer's stdin.
+ if [ ! -t 1 ]; then
+ err "Unable to run interactively. Run with -y to accept defaults, --help for additional options"
+ fi
+
+ ignore "$_file" "$@" < /dev/tty
+ else
+ ignore "$_file" "$@"
+ fi
+
+ local _retval=$?
+
+ ignore rm "$_file"
+ ignore rmdir "$_dir"
+
+ return "$_retval"
+}
+
+check_proc() {
+ # Check for /proc by looking for the /proc/self/exe link
+ # This is only run on Linux
+ if ! test -L /proc/self/exe ; then
+ err "fatal: Unable to find /proc/self/exe. Is /proc mounted? Installation cannot proceed without /proc."
+ fi
+}
+
+get_bitness() {
+ need_cmd head
+ # Architecture detection without dependencies beyond coreutils.
+ # ELF files start out "\x7fELF", and the following byte is
+ # 0x01 for 32-bit and
+ # 0x02 for 64-bit.
+ # The printf builtin on some shells like dash only supports octal
+ # escape sequences, so we use those.
+ local _current_exe_head
+ _current_exe_head=$(head -c 5 /proc/self/exe )
+ if [ "$_current_exe_head" = "$(printf '\177ELF\001')" ]; then
+ echo 32
+ elif [ "$_current_exe_head" = "$(printf '\177ELF\002')" ]; then
+ echo 64
+ else
+ err "unknown platform bitness"
+ fi
+}
+
+is_host_amd64_elf() {
+ need_cmd head
+ need_cmd tail
+ # ELF e_machine detection without dependencies beyond coreutils.
+ # Two-byte field at offset 0x12 indicates the CPU,
+ # but we're interested in it being 0x3E to indicate amd64, or not that.
+ local _current_exe_machine
+ _current_exe_machine=$(head -c 19 /proc/self/exe | tail -c 1)
+ [ "$_current_exe_machine" = "$(printf '\076')" ]
+}
+
+get_endianness() {
+ local cputype=$1
+ local suffix_eb=$2
+ local suffix_el=$3
+
+ # detect endianness without od/hexdump, like get_bitness() does.
+ need_cmd head
+ need_cmd tail
+
+ local _current_exe_endianness
+ _current_exe_endianness="$(head -c 6 /proc/self/exe | tail -c 1)"
+ if [ "$_current_exe_endianness" = "$(printf '\001')" ]; then
+ echo "${cputype}${suffix_el}"
+ elif [ "$_current_exe_endianness" = "$(printf '\002')" ]; then
+ echo "${cputype}${suffix_eb}"
+ else
+ err "unknown platform endianness"
+ fi
+}
+
+get_architecture() {
+ local _ostype _cputype _bitness _arch _clibtype
+ _ostype="$(uname -s)"
+ _cputype="$(uname -m)"
+ _clibtype="gnu"
+
+ if [ "$_ostype" = Linux ]; then
+ if [ "$(uname -o)" = Android ]; then
+ _ostype=Android
+ fi
+ if ldd --version 2>&1 | grep -q 'musl'; then
+ _clibtype="musl"
+ fi
+ fi
+
+ if [ "$_ostype" = Darwin ] && [ "$_cputype" = i386 ]; then
+ # Darwin `uname -m` lies
+ if sysctl hw.optional.x86_64 | grep -q ': 1'; then
+ _cputype=x86_64
+ fi
+ fi
+
+ if [ "$_ostype" = SunOS ]; then
+ # Both Solaris and illumos presently announce as "SunOS" in "uname -s"
+ # so use "uname -o" to disambiguate. We use the full path to the
+ # system uname in case the user has coreutils uname first in PATH,
+ # which has historically sometimes printed the wrong value here.
+ if [ "$(/usr/bin/uname -o)" = illumos ]; then
+ _ostype=illumos
+ fi
+
+ # illumos systems have multi-arch userlands, and "uname -m" reports the
+ # machine hardware name; e.g., "i86pc" on both 32- and 64-bit x86
+ # systems. Check for the native (widest) instruction set on the
+ # running kernel:
+ if [ "$_cputype" = i86pc ]; then
+ _cputype="$(isainfo -n)"
+ fi
+ fi
+
+ case "$_ostype" in
+
+ Android)
+ _ostype=linux-android
+ ;;
+
+ Linux)
+ check_proc
+ _ostype=unknown-linux-$_clibtype
+ _bitness=$(get_bitness)
+ ;;
+
+ FreeBSD)
+ _ostype=unknown-freebsd
+ ;;
+
+ NetBSD)
+ _ostype=unknown-netbsd
+ ;;
+
+ DragonFly)
+ _ostype=unknown-dragonfly
+ ;;
+
+ Darwin)
+ _ostype=apple-darwin
+ ;;
+
+ illumos)
+ _ostype=unknown-illumos
+ ;;
+
+ MINGW* | MSYS* | CYGWIN*)
+ _ostype=pc-windows-gnu
+ ;;
+
+ *)
+ err "unrecognized OS type: $_ostype"
+ ;;
+
+ esac
+
+ case "$_cputype" in
+
+ i386 | i486 | i686 | i786 | x86)
+ _cputype=i686
+ ;;
+
+ xscale | arm)
+ _cputype=arm
+ if [ "$_ostype" = "linux-android" ]; then
+ _ostype=linux-androideabi
+ fi
+ ;;
+
+ armv6l)
+ _cputype=arm
+ if [ "$_ostype" = "linux-android" ]; then
+ _ostype=linux-androideabi
+ else
+ _ostype="${_ostype}eabihf"
+ fi
+ ;;
+
+ armv7l | armv8l)
+ _cputype=armv7
+ if [ "$_ostype" = "linux-android" ]; then
+ _ostype=linux-androideabi
+ else
+ _ostype="${_ostype}eabihf"
+ fi
+ ;;
+
+ aarch64 | arm64)
+ _cputype=aarch64
+ ;;
+
+ x86_64 | x86-64 | x64 | amd64)
+ _cputype=x86_64
+ ;;
+
+ mips)
+ _cputype=$(get_endianness mips '' el)
+ ;;
+
+ mips64)
+ if [ "$_bitness" -eq 64 ]; then
+ # only n64 ABI is supported for now
+ _ostype="${_ostype}abi64"
+ _cputype=$(get_endianness mips64 '' el)
+ fi
+ ;;
+
+ ppc)
+ _cputype=powerpc
+ ;;
+
+ ppc64)
+ _cputype=powerpc64
+ ;;
+
+ ppc64le)
+ _cputype=powerpc64le
+ ;;
+
+ s390x)
+ _cputype=s390x
+ ;;
+ riscv64)
+ _cputype=riscv64gc
+ ;;
+ *)
+ err "unknown CPU type: $_cputype"
+
+ esac
+
+ # Detect 64-bit linux with 32-bit userland
+ if [ "${_ostype}" = unknown-linux-gnu ] && [ "${_bitness}" -eq 32 ]; then
+ case $_cputype in
+ x86_64)
+ if [ -n "${RUSTUP_CPUTYPE:-}" ]; then
+ _cputype="$RUSTUP_CPUTYPE"
+ else {
+ # 32-bit executable for amd64 = x32
+ if is_host_amd64_elf; then {
+ echo "This host is running an x32 userland; as it stands, x32 support is poor," 1>&2
+ echo "and there isn't a native toolchain -- you will have to install" 1>&2
+ echo "multiarch compatibility with i686 and/or amd64, then select one" 1>&2
+ echo "by re-running this script with the RUSTUP_CPUTYPE environment variable" 1>&2
+ echo "set to i686 or x86_64, respectively." 1>&2
+ echo 1>&2
+ echo "You will be able to add an x32 target after installation by running" 1>&2
+ echo " rustup target add x86_64-unknown-linux-gnux32" 1>&2
+ exit 1
+ }; else
+ _cputype=i686
+ fi
+ }; fi
+ ;;
+ mips64)
+ _cputype=$(get_endianness mips '' el)
+ ;;
+ powerpc64)
+ _cputype=powerpc
+ ;;
+ aarch64)
+ _cputype=armv7
+ if [ "$_ostype" = "linux-android" ]; then
+ _ostype=linux-androideabi
+ else
+ _ostype="${_ostype}eabihf"
+ fi
+ ;;
+ riscv64gc)
+ err "riscv64 with 32-bit userland unsupported"
+ ;;
+ esac
+ fi
+
+ # Detect armv7 but without the CPU features Rust needs in that build,
+ # and fall back to arm.
+ # See https://github.com/rust-lang/rustup.rs/issues/587.
+ if [ "$_ostype" = "unknown-linux-gnueabihf" ] && [ "$_cputype" = armv7 ]; then
+ if ensure grep '^Features' /proc/cpuinfo | grep -q -v neon; then
+ # At least one processor does not have NEON.
+ _cputype=arm
+ fi
+ fi
+
+ _arch="${_cputype}-${_ostype}"
+
+ RETVAL="$_arch"
+}
+
+say() {
+ printf 'rustup: %s\n' "$1"
+}
+
+err() {
+ say "$1" >&2
+ exit 1
+}
+
+need_cmd() {
+ if ! check_cmd "$1"; then
+ err "need '$1' (command not found)"
+ fi
+}
+
+check_cmd() {
+ command -v "$1" > /dev/null 2>&1
+}
+
+assert_nz() {
+ if [ -z "$1" ]; then err "assert_nz $2"; fi
+}
+
+# Run a command that should never fail. If the command fails execution
+# will immediately terminate with an error showing the failing
+# command.
+ensure() {
+ if ! "$@"; then err "command failed: $*"; fi
+}
+
+# This is just for indicating that commands' results are being
+# intentionally ignored. Usually, because it's being executed
+# as part of error handling.
+ignore() {
+ "$@"
+}
+
+# This wraps curl or wget. Try curl first, if not installed,
+# use wget instead.
+downloader() {
+ local _dld
+ local _ciphersuites
+ local _err
+ local _status
+ if check_cmd curl; then
+ _dld=curl
+ elif check_cmd wget; then
+ _dld=wget
+ else
+ _dld='curl or wget' # to be used in error message of need_cmd
+ fi
+
+ if [ "$1" = --check ]; then
+ need_cmd "$_dld"
+ elif [ "$_dld" = curl ]; then
+ get_ciphersuites_for_curl
+ _ciphersuites="$RETVAL"
+ if [ -n "$_ciphersuites" ]; then
+ _err=$(curl --proto '=https' --tlsv1.2 --ciphers "$_ciphersuites" --silent --show-error --fail --location "$1" --output "$2" 2>&1)
+ _status=$?
+ else
+ echo "Warning: Not enforcing strong cipher suites for TLS, this is potentially less secure"
+ if ! check_help_for "$3" curl --proto --tlsv1.2; then
+ echo "Warning: Not enforcing TLS v1.2, this is potentially less secure"
+ _err=$(curl --silent --show-error --fail --location "$1" --output "$2" 2>&1)
+ _status=$?
+ else
+ _err=$(curl --proto '=https' --tlsv1.2 --silent --show-error --fail --location "$1" --output "$2" 2>&1)
+ _status=$?
+ fi
+ fi
+ if [ -n "$_err" ]; then
+ echo "$_err" >&2
+ if echo "$_err" | grep -q 404$; then
+ err "installer for platform '$3' not found, this may be unsupported"
+ fi
+ fi
+ return $_status
+ elif [ "$_dld" = wget ]; then
+ get_ciphersuites_for_wget
+ _ciphersuites="$RETVAL"
+ if [ -n "$_ciphersuites" ]; then
+ _err=$(wget --https-only --secure-protocol=TLSv1_2 --ciphers "$_ciphersuites" "$1" -O "$2" 2>&1)
+ _status=$?
+ else
+ echo "Warning: Not enforcing strong cipher suites for TLS, this is potentially less secure"
+ if ! check_help_for "$3" wget --https-only --secure-protocol; then
+ echo "Warning: Not enforcing TLS v1.2, this is potentially less secure"
+ _err=$(wget "$1" -O "$2" 2>&1)
+ _status=$?
+ else
+ _err=$(wget --https-only --secure-protocol=TLSv1_2 "$1" -O "$2" 2>&1)
+ _status=$?
+ fi
+ fi
+ if [ -n "$_err" ]; then
+ echo "$_err" >&2
+ if echo "$_err" | grep -q ' 404 Not Found$'; then
+ err "installer for platform '$3' not found, this may be unsupported"
+ fi
+ fi
+ return $_status
+ else
+ err "Unknown downloader" # should not reach here
+ fi
+}
+
+check_help_for() {
+ local _arch
+ local _cmd
+ local _arg
+ _arch="$1"
+ shift
+ _cmd="$1"
+ shift
+
+ local _category
+ if "$_cmd" --help | grep -q 'For all options use the manual or "--help all".'; then
+ _category="all"
+ else
+ _category=""
+ fi
+
+ case "$_arch" in
+
+ *darwin*)
+ if check_cmd sw_vers; then
+ case $(sw_vers -productVersion) in
+ 10.*)
+ # If we're running on macOS, older than 10.13, then we always
+ # fail to find these options to force fallback
+ if [ "$(sw_vers -productVersion | cut -d. -f2)" -lt 13 ]; then
+ # Older than 10.13
+ echo "Warning: Detected macOS platform older than 10.13"
+ return 1
+ fi
+ ;;
+ 11.*)
+ # We assume Big Sur will be OK for now
+ ;;
+ *)
+ # Unknown product version, warn and continue
+ echo "Warning: Detected unknown macOS major version: $(sw_vers -productVersion)"
+ echo "Warning TLS capabilities detection may fail"
+ ;;
+ esac
+ fi
+ ;;
+
+ esac
+
+ for _arg in "$@"; do
+ if ! "$_cmd" --help $_category | grep -q -- "$_arg"; then
+ return 1
+ fi
+ done
+
+ true # not strictly needed
+}
+
+# Return cipher suite string specified by user, otherwise return strong TLS 1.2-1.3 cipher suites
+# if support by local tools is detected. Detection currently supports these curl backends:
+# GnuTLS and OpenSSL (possibly also LibreSSL and BoringSSL). Return value can be empty.
+get_ciphersuites_for_curl() {
+ if [ -n "${RUSTUP_TLS_CIPHERSUITES-}" ]; then
+ # user specified custom cipher suites, assume they know what they're doing
+ RETVAL="$RUSTUP_TLS_CIPHERSUITES"
+ return
+ fi
+
+ local _openssl_syntax="no"
+ local _gnutls_syntax="no"
+ local _backend_supported="yes"
+ if curl -V | grep -q ' OpenSSL/'; then
+ _openssl_syntax="yes"
+ elif curl -V | grep -iq ' LibreSSL/'; then
+ _openssl_syntax="yes"
+ elif curl -V | grep -iq ' BoringSSL/'; then
+ _openssl_syntax="yes"
+ elif curl -V | grep -iq ' GnuTLS/'; then
+ _gnutls_syntax="yes"
+ else
+ _backend_supported="no"
+ fi
+
+ local _args_supported="no"
+ if [ "$_backend_supported" = "yes" ]; then
+ # "unspecified" is for arch, allows for possibility old OS using macports, homebrew, etc.
+ if check_help_for "notspecified" "curl" "--tlsv1.2" "--ciphers" "--proto"; then
+ _args_supported="yes"
+ fi
+ fi
+
+ local _cs=""
+ if [ "$_args_supported" = "yes" ]; then
+ if [ "$_openssl_syntax" = "yes" ]; then
+ _cs=$(get_strong_ciphersuites_for "openssl")
+ elif [ "$_gnutls_syntax" = "yes" ]; then
+ _cs=$(get_strong_ciphersuites_for "gnutls")
+ fi
+ fi
+
+ RETVAL="$_cs"
+}
+
+# Return cipher suite string specified by user, otherwise return strong TLS 1.2-1.3 cipher suites
+# if support by local tools is detected. Detection currently supports these wget backends:
+# GnuTLS and OpenSSL (possibly also LibreSSL and BoringSSL). Return value can be empty.
+get_ciphersuites_for_wget() {
+ if [ -n "${RUSTUP_TLS_CIPHERSUITES-}" ]; then
+ # user specified custom cipher suites, assume they know what they're doing
+ RETVAL="$RUSTUP_TLS_CIPHERSUITES"
+ return
+ fi
+
+ local _cs=""
+ if wget -V | grep -q '\-DHAVE_LIBSSL'; then
+ # "unspecified" is for arch, allows for possibility old OS using macports, homebrew, etc.
+ if check_help_for "notspecified" "wget" "TLSv1_2" "--ciphers" "--https-only" "--secure-protocol"; then
+ _cs=$(get_strong_ciphersuites_for "openssl")
+ fi
+ elif wget -V | grep -q '\-DHAVE_LIBGNUTLS'; then
+ # "unspecified" is for arch, allows for possibility old OS using macports, homebrew, etc.
+ if check_help_for "notspecified" "wget" "TLSv1_2" "--ciphers" "--https-only" "--secure-protocol"; then
+ _cs=$(get_strong_ciphersuites_for "gnutls")
+ fi
+ fi
+
+ RETVAL="$_cs"
+}
+
+# Return strong TLS 1.2-1.3 cipher suites in OpenSSL or GnuTLS syntax. TLS 1.2
+# excludes non-ECDHE and non-AEAD cipher suites. DHE is excluded due to bad
+# DH params often found on servers (see RFC 7919). Sequence matches or is
+# similar to Firefox 68 ESR with weak cipher suites disabled via about:config.
+# $1 must be openssl or gnutls.
+get_strong_ciphersuites_for() {
+ if [ "$1" = "openssl" ]; then
+ # OpenSSL is forgiving of unknown values, no problems with TLS 1.3 values on versions that don't support it yet.
+ echo "TLS_AES_128_GCM_SHA256:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_256_GCM_SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384"
+ elif [ "$1" = "gnutls" ]; then
+ # GnuTLS isn't forgiving of unknown values, so this may require a GnuTLS version that supports TLS 1.3 even if wget doesn't.
+ # Begin with SECURE128 (and higher) then remove/add to build cipher suites. Produces same 9 cipher suites as OpenSSL but in slightly different order.
+ echo "SECURE128:-VERS-SSL3.0:-VERS-TLS1.0:-VERS-TLS1.1:-VERS-DTLS-ALL:-CIPHER-ALL:-MAC-ALL:-KX-ALL:+AEAD:+ECDHE-ECDSA:+ECDHE-RSA:+AES-128-GCM:+CHACHA20-POLY1305:+AES-256-GCM"
+ fi
+}
+
+main "$@" || exit 1