net-misc/curl: Sync with Gentoo

Synced from Gentoo commit 254013c1a16b6c9e994752bc7aaae53ba8dbe876.

Signed-off-by: Flatcar Buildbot <buildbot@flatcar-linux.org>
Flatcar Buildbot 2026-03-23 07:36:29 +00:00 committed by Krzesimir Nowak
parent 68738c1f66
commit 29b3af38a8
16 changed files with 196 additions and 2686 deletions


@ -1,10 +1,4 @@
DIST curl-8.15.0.tar.xz 2773156 BLAKE2B ae809be87f34d079413129c27e618a6d15c2bf9087fd7e679cefe9b6d8645f0dd092e8c3e1f62b7bd0dffdd0b77e0bc5ac031ffce4e50060ec20b280618c8e68 SHA512 d27e316d70973906ac4b8d2c280f7e99b7528966aa1220c13a38ed45fca2ed6bbde54b8a9d7bed9e283171b92edb621f7b95162ef7d392e6383b0ee469de3191
DIST curl-8.15.0.tar.xz.asc 488 BLAKE2B 4b0bab065a1d2d5b7e5d49989bd4953344d844cafd3036b4cb2ed2dec82e59031832f05c06dc6a801e4668d92c936df74aeff7a5f2c15ff614da4b1673a67501 SHA512 b6aef1c6a1f32c60401494df565a748fa96c1d5098138772c22f6208bafeb8e61402f3077cbc274ea2c05f35ff376d8f736c58554520f8d20fded36d876499a5
DIST curl-8.16.0.tar.xz 2788632 BLAKE2B 573d56779481abf0b7d20225bba4f068cb726f23f69ce10076438e32cc6c16d1229c211aee05fc5e3e9cb9d78bbfdc5da0d8b73e730c0865879000eb90accf6a SHA512 8262c3dc113cfd5744ef1b82dbccaa69448a9395ad5c094c22df5cf537a047a927d3332db2cb3be12a31a68a60d8d0fa8485b916e975eda36a4ebd860da4f621
DIST curl-8.16.0.tar.xz.asc 488 BLAKE2B d213bd447c668118b49b7356dc99e710de927b93f81325802bae5e286b61481da6ed30f23c7f4f3cfb0f01222db88602ff4e510f4a1401e98511eb0c72ac6abb SHA512 591568e997c0d955a00152ce5bdfb4586d84b42f5c1e15df503514fb4eb4bf289a98b1ebdad23913119c67c27d51a6e6f4065ee6f7657b971c3a581c928a0d82
DIST curl-8.17.0.tar.xz 2797000 BLAKE2B a7a804afe058f323b40177bcb4ffc523decde92da3da0a051f2dc1b566131250a96afe1ebf2bebc071993c893bddeef883ef33ddc0a9bee86d4e54402a546fba SHA512 fc6349def40c3c259de2a568631507df17dff83e78a2edbb93f069586dce594439fdc88bef7ce2bed7491f35800b8c0c181c8c88e6ef656cc3c18f9834681eca
DIST curl-8.17.0.tar.xz.asc 488 BLAKE2B 88b72cb9c0acd8a06956eca31047dfadfe110dc07290adbe50b9451a71d4282acaa05c8a149787d71cf13cf1b42e8df9594d0e8a2b1cadbfca5eb50550f32609 SHA512 e77d4cb1f4961aa0df3d76f1a8c55a0b9005ed557adf745f3ab24d33cee2d0e4bd06cecb9d911e76409852e7755129873cc7d24936c846ff1b854903c0f086b2
DIST curl-8.18.0.tar.xz 2801444 BLAKE2B 16e1539616c1800dfa08a5bd3e38ff75d2906a4a574b1541509c69200aebe680b0a5efdf1b1e0c89f3cccb6001bfe1c1459b9fd815053c964e1a1434be1e2e0e SHA512 50c7a7b0528e0019697b0c59b3e56abb2578c71d77e4c085b56797276094b5611718c0a9cb2b14db7f8ab502fcf8f42a364297a3387fae3870a4d281484ba21c
DIST curl-8.18.0.tar.xz.asc 488 BLAKE2B 68c2ce9777ba51962139e70e48c4b24d404682a6ad530843791cc188b2656dc26a19f0757f97ead2ff492f7b8a4e4116707df901e81bf8efb28658ff4df99ae0 SHA512 07e08d1bb3f8bf20b3d22f37fbc19c49c0d9ee4ea9d92da76fa8a9de343023e1b5d416ccc6535a4ff98b08b30eb9334fd856227e37564f6bcd542aa81bced152
DIST curl-8.19.0-rc2.tar.xz 2782276 BLAKE2B 28ca64b9c42ba14b6ae73260822e2c7b59b16f6a1bf186ec8ee696a2f7f4d6f23d6a18ba580092f8d9e513b8b7eb5523f22cf03a414441a7dcb4932b8b77c252 SHA512 ad3fff8477dbf3487d7978ac1bef9622203a477ab30592923c18009a5292e9df83d8653c84cc4b1a0448891e9b9c9135e60a7524982809da7dd656272ecc76b7
DIST curl-8.19.0-rc2.tar.xz.asc 488 BLAKE2B cc8e16325a3ecbd5ce95df0df4a8f73d2622daa6e3162ba3bd2cec044ac1d38b392d8bccb1be017d0ae494e278a7b974130663af7d670f01e89946034c5500f0 SHA512 593109ecad8e420416e7debec254ee3e29eaffaaefdbd5aa63f90e960eb479ac424b28e82075344744517560f4e74bb7a45d991c15363972b57e4634693ebac3
DIST curl-8.19.0.tar.xz 2787584 BLAKE2B d4a943af9a109893112876784dbe106276317e6cd5a2663f4de143c93abb4e266945fa65b4a5fa842f99240c961b027a1b2492e3e32f5247a91c394895e2b8b0 SHA512 ee97faaf588b255428000599293c47a2f648af11d1a0b7b823db6aec151e2090f5c7b921745ddb2c3818d92b16e0a4c15d7a9b3d1ff45df1f35438504bd16574
DIST curl-8.19.0.tar.xz.asc 488 BLAKE2B 0031029301586546bf2a50e00fdf16042da14ac26c2294d033274ed9cd9303c81c3997935b17b3b4202356c972eeed2b354cb623c790fa3983481587ed2ecf35 SHA512 ea3d4f2f42ec6571340e982868c5a35836eed2b76109b08b90b98023474293ad33a7218da511f153d01de607b735fc039a0733fa09fddd984fd7e2c61ee0446a


@ -1,442 +0,0 @@
# Copyright 1999-2025 Gentoo Authors
# Distributed under the terms of the GNU General Public License v2
EAPI=8
# Maintainers should subscribe to the 'curl-distros' ML for backports etc
# https://daniel.haxx.se/blog/2024/03/25/curl-distro-report/
# https://lists.haxx.se/listinfo/curl-distros
VERIFY_SIG_OPENPGP_KEY_PATH=/usr/share/openpgp-keys/danielstenberg.asc
inherit autotools multilib-minimal multiprocessing prefix toolchain-funcs verify-sig
DESCRIPTION="A Client that groks URLs"
HOMEPAGE="https://curl.se/"
if [[ ${PV} == 9999 ]]; then
inherit git-r3
EGIT_REPO_URI="https://github.com/curl/curl.git"
else
if [[ ${P} == *rc* ]]; then
CURL_URI="https://curl.se/rc/"
S="${WORKDIR}/${P//_/-}"
else
CURL_URI="https://curl.se/download/"
KEYWORDS="~alpha amd64 arm arm64 ~hppa ~loong ~m68k ~mips ppc ppc64 ~riscv ~s390 ~sparc x86 ~arm64-macos ~x64-macos ~x64-solaris"
fi
SRC_URI="
${CURL_URI}${P//_/-}.tar.xz
verify-sig? ( ${CURL_URI}${P//_/-}.tar.xz.asc )
"
fi
LICENSE="BSD curl ISC test? ( BSD-4 )"
SLOT="0"
IUSE="+adns +alt-svc brotli debug ech +ftp gnutls gopher +hsts +http2 +http3 +httpsrr idn +imap kerberos ldap"
IUSE+=" mbedtls +openssl +pop3 +psl +quic rtmp rustls samba sasl-scram +smtp ssh ssl static-libs test"
IUSE+=" telnet +tftp +websockets zstd"
# These select the default tls implementation / which quic impl to use
IUSE+=" +curl_quic_openssl curl_quic_ngtcp2 curl_ssl_gnutls curl_ssl_mbedtls +curl_ssl_openssl curl_ssl_rustls"
RESTRICT="!test? ( test )"
# HTTPS RR is technically usable with the threaded resolver, but it still uses c-ares to
# ask for the HTTPS RR record type; if DoH is in use the HTTPS record will be requested
# in addition to A and AAAA records.
# To simplify dependency management in the ebuild we'll require c-ares for HTTPS RR (for now?).
# HTTPS RR in cURL is a dependency for:
# - ECH (requires patched openssl or gnutls currently, enabled with rustls)
# - Fetching the ALPN list which should provide a better HTTP/3 experience.
# Only one default ssl / quic provider can be enabled
# The default provider needs its USE satisfied
# HTTP/3 and MultiSSL are mutually exclusive; it's not clear if MultiSSL offers any benefit at all in the modern day.
# https://github.com/curl/curl/commit/65ece771f4602107d9cdd339dff4b420280a2c2e
REQUIRED_USE="
ech? ( rustls )
httpsrr? ( adns )
quic? (
^^ (
curl_quic_openssl
curl_quic_ngtcp2
)
http3
ssl
)
ssl? (
^^ (
curl_ssl_gnutls
curl_ssl_mbedtls
curl_ssl_openssl
curl_ssl_rustls
)
)
curl_quic_openssl? (
curl_ssl_openssl
quic
!gnutls
!mbedtls
!rustls
)
curl_quic_ngtcp2? (
curl_ssl_gnutls
quic
!mbedtls
!openssl
!rustls
)
curl_ssl_gnutls? ( gnutls )
curl_ssl_mbedtls? ( mbedtls )
curl_ssl_openssl? ( openssl )
curl_ssl_rustls? ( rustls )
http3? ( alt-svc httpsrr quic )
"
# cURL's docs and CI/CD are great resources for confirming supported versions
# particulary for fast-moving targets like HTTP/2 and TCP/2 e.g.:
# - https://github.com/curl/curl/blob/master/docs/INTERNALS.md (core dependencies + minimum versions)
# - https://github.com/curl/curl/blob/master/docs/HTTP3.md (example of a feature that moves quickly)
# - https://github.com/curl/curl/blob/master/.github/workflows/http3-linux.yml (CI/CD for TCP/2)
# However 'supported' vs 'works' are two entirely different things; be sane but
# don't be afraid to require a later version.
# ngtcp2 = https://bugs.gentoo.org/912029 - can only build with one tls backend at a time.
RDEPEND="
>=virtual/zlib-1.2.5:=[${MULTILIB_USEDEP}]
adns? ( >=net-dns/c-ares-1.16.0:=[${MULTILIB_USEDEP}] )
brotli? ( app-arch/brotli:=[${MULTILIB_USEDEP}] )
http2? ( >=net-libs/nghttp2-1.15.0:=[${MULTILIB_USEDEP}] )
http3? ( >=net-libs/nghttp3-1.1.0[${MULTILIB_USEDEP}] )
idn? ( >=net-dns/libidn2-2.0.0:=[static-libs?,${MULTILIB_USEDEP}] )
kerberos? ( >=virtual/krb5-0-r1[${MULTILIB_USEDEP}] )
ldap? ( >=net-nds/openldap-2.0.0:=[static-libs?,${MULTILIB_USEDEP}] )
psl? ( net-libs/libpsl[${MULTILIB_USEDEP}] )
quic? (
curl_quic_openssl? ( >=dev-libs/openssl-3.3.0:=[quic,${MULTILIB_USEDEP}] )
curl_quic_ngtcp2? ( >=net-libs/ngtcp2-1.2.0[gnutls,ssl,-openssl,${MULTILIB_USEDEP}] )
)
rtmp? ( media-video/rtmpdump[${MULTILIB_USEDEP}] )
ssh? ( >=net-libs/libssh2-1.2.8[${MULTILIB_USEDEP}] )
sasl-scram? ( >=net-misc/gsasl-2.2.0[static-libs?,${MULTILIB_USEDEP}] )
ssl? (
gnutls? (
app-misc/ca-certificates
>=net-libs/gnutls-3.1.10:=[static-libs?,${MULTILIB_USEDEP}]
dev-libs/nettle:=[${MULTILIB_USEDEP}]
)
mbedtls? (
app-misc/ca-certificates
net-libs/mbedtls:0=[${MULTILIB_USEDEP}]
)
openssl? (
>=dev-libs/openssl-1.0.2:=[static-libs?,${MULTILIB_USEDEP}]
)
rustls? (
>=net-libs/rustls-ffi-0.15.0:=[${MULTILIB_USEDEP}]
)
)
zstd? ( app-arch/zstd:=[${MULTILIB_USEDEP}] )
"
DEPEND="${RDEPEND}"
BDEPEND="
dev-lang/perl
virtual/pkgconfig
test? (
sys-apps/diffutils
http2? ( >=net-libs/nghttp2-1.15.0:=[utils,${MULTILIB_USEDEP}] )
http3? ( net-libs/nghttp2:=[utils,${MULTILIB_USEDEP}] )
)
verify-sig? ( sec-keys/openpgp-keys-danielstenberg )
"
DOCS=( README docs/{FEATURES.md,INTERNALS.md,FAQ,BUGS.md,CONTRIBUTE.md} )
MULTILIB_WRAPPED_HEADERS=(
/usr/include/curl/curlbuild.h
)
MULTILIB_CHOST_TOOLS=(
/usr/bin/curl-config
)
QA_CONFIG_IMPL_DECL_SKIP=(
__builtin_available
closesocket
CloseSocket
getpass_r
ioctlsocket
IoctlSocket
mach_absolute_time
setmode
_fseeki64
# custom AC_LINK_IFELSE code fails to link even without -Werror
OSSL_QUIC_client_method
)
PATCHES=(
"${FILESDIR}/${PN}-prefix-4.patch"
"${FILESDIR}/${PN}-respect-cflags-3.patch"
)
src_prepare() {
default
eprefixify curl-config.in
eautoreconf
}
# Generates TLS-related configure options based on USE flags.
# Outputs options suitable for appending to a configure options array.
_get_curl_tls_configure_opts() {
local tls_opts=()
local backend flag_name
for backend in gnutls mbedtls openssl rustls; do
if [[ "$backend" == "openssl" ]]; then
flag_name="ssl"
tls_opts+=( "--with-ca-path=${EPREFIX}/etc/ssl/certs")
else
flag_name="$backend"
fi
if use "$backend"; then
tls_opts+=( "--with-${flag_name}" )
else
# If a single backend is enabled, 'ssl' is required, openssl is the default / fallback
if ! [[ "$backend" == "openssl" ]]; then
tls_opts+=( "--without-${flag_name}" )
fi
fi
done
if use curl_ssl_gnutls; then
multilib_is_native_abi && einfo "Default TLS backend: gnutls"
tls_opts+=( "--with-default-ssl-backend=gnutls" )
elif use curl_ssl_mbedtls; then
multilib_is_native_abi && einfo "Default TLS backend: mbedtls"
tls_opts+=( "--with-default-ssl-backend=mbedtls" )
elif use curl_ssl_openssl; then
multilib_is_native_abi && einfo "Default TLS backend: openssl"
tls_opts+=( "--with-default-ssl-backend=openssl" )
elif use curl_ssl_rustls; then
multilib_is_native_abi && einfo "Default TLS backend: rustls"
tls_opts+=( "--with-default-ssl-backend=rustls" )
else
eerror "We can't be here because of REQUIRED_USE."
die "Please file a bug, hit impossible condition w/ USE=ssl handling."
fi
# Explicitly Disable unimplemented backends
tls_opts+=(
--without-amissl
--without-wolfssl
)
printf "%s\n" "${tls_opts[@]}"
}
multilib_src_configure() {
# We make use of the fact that later flags override earlier ones
# So start with all ssl providers off until proven otherwise
# TODO: in the future, we may want to add wolfssl (https://www.wolfssl.com/)
local myconf=()
myconf+=( --without-ca-fallback --with-ca-bundle="${EPREFIX}"/etc/ssl/certs/ca-certificates.crt )
if use ssl; then
local -a tls_backend_opts
readarray -t tls_backend_opts < <(_get_curl_tls_configure_opts)
myconf+=("${tls_backend_opts[@]}")
if use quic; then
myconf+=(
$(use_with curl_quic_ngtcp2 ngtcp2)
$(use_with curl_quic_openssl openssl-quic)
)
else
# Without a REQUIRED_USE to ensure that QUIC was requested when at least one default backend is
# enabled we need ensure that we don't try to build QUIC support
myconf+=( --without-ngtcp2 --without-openssl-quic )
fi
else
myconf+=( --without-ssl )
einfo "SSL disabled"
fi
# These configuration options are organised alphabetically by category/type
# Protocols
# `grep SUPPORT_PROTOCOLS=\" configure.ac | awk '{ print substr($2, 1, length($2)-1)}' | sort`
# Assume that anything omitted (that is not new!) is enabled by default with no deps
myconf+=(
--enable-file
$(use_enable ftp)
$(use_enable gopher)
--enable-http
$(use_enable imap) # Automatic IMAPS if TLS is enabled
$(use_enable ldap ldaps)
$(use_enable ldap)
$(use_enable pop3)
$(use_enable samba smb)
$(use_with ssh libssh2) # enables scp/sftp
$(use_with rtmp librtmp)
--enable-rtsp
$(use_enable smtp)
$(use_enable telnet)
$(use_enable tftp)
$(use_enable websockets)
)
# Keep various 'HTTP-flavoured' options together
myconf+=(
$(use_enable alt-svc)
$(use_enable hsts)
$(use_enable httpsrr)
$(use_with http2 nghttp2)
$(use_with http3 nghttp3)
)
# --enable/disable options
# `grep -- --enable configure | grep Check | awk '{ print $4 }' | sort`
myconf+=(
$(use_enable adns ares)
--enable-aws
--enable-basic-auth
--enable-bearer-auth
--enable-cookies
--enable-dateparse
--enable-dict
--enable-digest-auth
--enable-dnsshuffle
--enable-doh
$(use_enable ech)
--enable-http-auth
--enable-ipv6
--enable-kerberos-auth
--enable-largefile
--enable-manual
--enable-mime
--enable-negotiate-auth
--enable-netrc
--enable-ntlm
--enable-progress-meter
--enable-proxy
--enable-rt
--enable-socketpair
--disable-sspi
$(use_enable static-libs static)
--enable-symbol-hiding
--enable-tls-srp
--disable-versioned-symbols
)
# --with/without options
# `grep -- --with configure | grep Check | awk '{ print $4 }' | sort`
myconf+=(
$(use_with brotli)
--with-fish-functions-dir="${EPREFIX}"/usr/share/fish/vendor_completions.d
$(use_with idn libidn2)
$(use_with kerberos gssapi "${EPREFIX}"/usr)
$(use_with sasl-scram libgsasl)
$(use_with psl libpsl)
--without-msh3
--without-quiche
--without-schannel
--without-winidn
--with-zlib
--with-zsh-functions-dir="${EPREFIX}"/usr/share/zsh/site-functions
$(use_with zstd)
)
# Test deps (disabled)
myconf+=(
--without-test-caddy
--without-test-httpd
--without-test-nghttpx
)
if use debug; then
myconf+=(
--enable-debug
)
fi
if use test && multilib_is_native_abi && ( use http2 || use http3 ); then
myconf+=(
--with-test-nghttpx="${BROOT}/usr/bin/nghttpx"
)
fi
# Since 8.12.0 adns/c-ares and the threaded resolver are mutually exclusive
# This is in support of some work to enable `httpsrr` to use adns and the rest
# of curl to use the threaded resolver; for us `httpsrr` is conditional on adns.
if use adns; then
myconf+=(
--disable-threaded-resolver
)
else
myconf+=(
--enable-threaded-resolver
)
fi
ECONF_SOURCE="${S}" econf "${myconf[@]}"
if ! multilib_is_native_abi; then
# Avoid building the client (we just want libcurl for multilib)
sed -i -e '/SUBDIRS/s:src::' Makefile || die
sed -i -e '/SUBDIRS/s:scripts::' Makefile || die
fi
}
multilib_src_compile() {
default
if multilib_is_native_abi; then
# Shell completions
! tc-is-cross-compiler && emake -C scripts
fi
}
# There is also a pytest harness that tests for bugs in some very specific
# situations; we can rely on upstream for this rather than adding additional test deps.
multilib_src_test() {
# See https://github.com/curl/curl/blob/master/tests/runtests.pl#L5721
# -n: no valgrind (unreliable in sandbox and doesn't work correctly on all arches)
# -v: verbose
# -a: keep going on failure (so we see everything that breaks, not just 1st test)
# -k: keep test files after completion
# -am: automake style TAP output
# -p: print logs if test fails
# Note: if needed, we can skip specific tests. See e.g. Fedora's packaging
# or just read https://github.com/curl/curl/tree/master/tests#run.
# Note: we don't run the testsuite for cross-compilation.
# Upstream recommend 7*nproc as a starting point for parallel tests, but
# this ends up breaking when nproc is huge (like -j80).
# The network sandbox causes tests 241 and 1083 to fail; these are typically skipped
# as most gentoo users don't have an 'ip6-localhost'
multilib_is_native_abi && emake test TFLAGS="-n -v -a -k -am -p -j$((2*$(makeopts_jobs))) !241 !1083"
}
multilib_src_install() {
emake DESTDIR="${D}" install
if multilib_is_native_abi; then
# Shell completions
! tc-is-cross-compiler && emake -C scripts DESTDIR="${D}" install
fi
}
multilib_src_install_all() {
einstalldocs
find "${ED}" -type f -name '*.la' -delete || die
rm -rf "${ED}"/etc/ || die
}
pkg_postinst() {
if use debug; then
ewarn "USE=debug has been selected, enabling debug codepaths and making cURL extra verbose."
ewarn "Use this _only_ for testing. Debug builds should _not_ be used in anger."
ewarn "hic sunt dracones; you have been warned."
fi
}


@ -1,445 +0,0 @@
# Copyright 1999-2026 Gentoo Authors
# Distributed under the terms of the GNU General Public License v2
EAPI=8
# Maintainers should subscribe to the 'curl-distros' ML for backports etc
# https://daniel.haxx.se/blog/2024/03/25/curl-distro-report/
# https://lists.haxx.se/listinfo/curl-distros
VERIFY_SIG_OPENPGP_KEY_PATH=/usr/share/openpgp-keys/danielstenberg.asc
inherit dot-a autotools multilib-minimal multiprocessing prefix toolchain-funcs verify-sig
DESCRIPTION="A Client that groks URLs"
HOMEPAGE="https://curl.se/"
if [[ ${PV} == 9999 ]]; then
inherit git-r3
EGIT_REPO_URI="https://github.com/curl/curl.git"
else
if [[ ${P} == *rc* ]]; then
CURL_URI="https://curl.se/rc/"
S="${WORKDIR}/${P//_/-}"
else
CURL_URI="https://curl.se/download/"
KEYWORDS="~alpha amd64 arm arm64 ~hppa ~loong ~m68k ~mips ppc ppc64 ~riscv ~s390 ~sparc x86 ~arm64-macos ~x64-macos ~x64-solaris"
fi
SRC_URI="
${CURL_URI}${P//_/-}.tar.xz
verify-sig? ( ${CURL_URI}${P//_/-}.tar.xz.asc )
"
fi
LICENSE="BSD curl ISC test? ( BSD-4 )"
SLOT="0"
IUSE="+adns +alt-svc brotli debug ech +ftp gnutls gopher +hsts +http2 +http3 +httpsrr idn +imap kerberos ldap"
IUSE+=" mbedtls +openssl +pop3 +psl +quic rtmp rustls samba sasl-scram +smtp ssh ssl static-libs test"
IUSE+=" telnet +tftp +websockets zstd"
# These select the default tls implementation / which quic impl to use
IUSE+=" +curl_quic_openssl curl_quic_ngtcp2 curl_ssl_gnutls curl_ssl_mbedtls +curl_ssl_openssl curl_ssl_rustls"
RESTRICT="!test? ( test )"
# HTTPS RR is technically usable with the threaded resolver, but it still uses c-ares to
# ask for the HTTPS RR record type; if DoH is in use the HTTPS record will be requested
# in addition to A and AAAA records.
# To simplify dependency management in the ebuild we'll require c-ares for HTTPS RR (for now?).
# HTTPS RR in cURL is a dependency for:
# - ECH (requires patched openssl or gnutls currently, enabled with rustls)
# - Fetching the ALPN list which should provide a better HTTP/3 experience.
# Only one default ssl / quic provider can be enabled
# The default provider needs its USE satisfied
# HTTP/3 and MultiSSL are mutually exclusive; it's not clear if MultiSSL offers any benefit at all in the modern day.
# https://github.com/curl/curl/commit/65ece771f4602107d9cdd339dff4b420280a2c2e
REQUIRED_USE="
ech? ( rustls )
httpsrr? ( adns )
quic? (
^^ (
curl_quic_openssl
curl_quic_ngtcp2
)
http3
ssl
)
ssl? (
^^ (
curl_ssl_gnutls
curl_ssl_mbedtls
curl_ssl_openssl
curl_ssl_rustls
)
)
curl_quic_openssl? (
curl_ssl_openssl
!gnutls
!mbedtls
!rustls
)
curl_quic_ngtcp2? (
curl_ssl_gnutls
!mbedtls
!openssl
!rustls
)
curl_ssl_gnutls? ( gnutls )
curl_ssl_mbedtls? ( mbedtls )
curl_ssl_openssl? ( openssl )
curl_ssl_rustls? ( rustls )
http3? ( alt-svc httpsrr quic )
"
# cURL's docs and CI/CD are great resources for confirming supported versions
# particulary for fast-moving targets like HTTP/2 and TCP/2 e.g.:
# - https://github.com/curl/curl/blob/master/docs/INTERNALS.md (core dependencies + minimum versions)
# - https://github.com/curl/curl/blob/master/docs/HTTP3.md (example of a feature that moves quickly)
# - https://github.com/curl/curl/blob/master/.github/workflows/http3-linux.yml (CI/CD for TCP/2)
# However 'supported' vs 'works' are two entirely different things; be sane but
# don't be afraid to require a later version.
# ngtcp2 = https://bugs.gentoo.org/912029 - can only build with one tls backend at a time.
RDEPEND="
>=virtual/zlib-1.2.5:=[${MULTILIB_USEDEP}]
adns? ( >=net-dns/c-ares-1.16.0:=[${MULTILIB_USEDEP}] )
brotli? ( app-arch/brotli:=[${MULTILIB_USEDEP}] )
http2? ( >=net-libs/nghttp2-1.15.0:=[${MULTILIB_USEDEP}] )
http3? ( >=net-libs/nghttp3-1.1.0[${MULTILIB_USEDEP}] )
idn? ( >=net-dns/libidn2-2.0.0:=[static-libs?,${MULTILIB_USEDEP}] )
kerberos? ( >=virtual/krb5-0-r1[${MULTILIB_USEDEP}] )
ldap? ( >=net-nds/openldap-2.0.0:=[static-libs?,${MULTILIB_USEDEP}] )
psl? ( net-libs/libpsl[${MULTILIB_USEDEP}] )
quic? (
curl_quic_openssl? ( >=dev-libs/openssl-3.3.0:=[quic,${MULTILIB_USEDEP}] )
curl_quic_ngtcp2? ( >=net-libs/ngtcp2-1.2.0[gnutls,ssl,-openssl,${MULTILIB_USEDEP}] )
)
rtmp? ( media-video/rtmpdump[${MULTILIB_USEDEP}] )
ssh? ( >=net-libs/libssh2-1.2.8[${MULTILIB_USEDEP}] )
sasl-scram? ( >=net-misc/gsasl-2.2.0[static-libs?,${MULTILIB_USEDEP}] )
ssl? (
gnutls? (
app-misc/ca-certificates
>=net-libs/gnutls-3.1.10:=[static-libs?,${MULTILIB_USEDEP}]
dev-libs/nettle:=[${MULTILIB_USEDEP}]
)
mbedtls? (
app-misc/ca-certificates
net-libs/mbedtls:3=[${MULTILIB_USEDEP}]
)
openssl? (
>=dev-libs/openssl-1.0.2:=[static-libs?,${MULTILIB_USEDEP}]
)
rustls? (
>=net-libs/rustls-ffi-0.15.0:=[${MULTILIB_USEDEP}]
)
)
zstd? ( app-arch/zstd:=[${MULTILIB_USEDEP}] )
"
DEPEND="${RDEPEND}"
BDEPEND="
dev-lang/perl
virtual/pkgconfig
test? (
sys-apps/diffutils
http2? ( >=net-libs/nghttp2-1.15.0:=[utils,${MULTILIB_USEDEP}] )
http3? ( net-libs/nghttp2:=[utils,${MULTILIB_USEDEP}] )
)
verify-sig? ( sec-keys/openpgp-keys-danielstenberg )
"
DOCS=( README docs/{FEATURES.md,INTERNALS.md,FAQ,BUGS.md,CONTRIBUTE.md} )
MULTILIB_WRAPPED_HEADERS=(
/usr/include/curl/curlbuild.h
)
MULTILIB_CHOST_TOOLS=(
/usr/bin/curl-config
)
QA_CONFIG_IMPL_DECL_SKIP=(
__builtin_available
closesocket
CloseSocket
getpass_r
ioctlsocket
IoctlSocket
mach_absolute_time
setmode
_fseeki64
# custom AC_LINK_IFELSE code fails to link even without -Werror
OSSL_QUIC_client_method
)
PATCHES=(
"${FILESDIR}/${PN}-prefix-5.patch"
"${FILESDIR}/${PN}-respect-cflags-3.patch"
"${FILESDIR}/${P}-ssl_verifyhost.patch"
"${FILESDIR}/${P}-pthread_cancel.patch"
)
src_prepare() {
default
eprefixify curl-config.in
eautoreconf
}
# Generates TLS-related configure options based on USE flags.
# Outputs options suitable for appending to a configure options array.
_get_curl_tls_configure_opts() {
local tls_opts=()
local backend flag_name
for backend in gnutls mbedtls openssl rustls; do
if [[ "$backend" == "openssl" ]]; then
flag_name="ssl"
tls_opts+=( "--with-ca-path=${EPREFIX}/etc/ssl/certs")
else
flag_name="$backend"
fi
if use "$backend"; then
tls_opts+=( "--with-${flag_name}" )
else
# If a single backend is enabled, 'ssl' is required, openssl is the default / fallback
if ! [[ "$backend" == "openssl" ]]; then
tls_opts+=( "--without-${flag_name}" )
fi
fi
done
if use curl_ssl_gnutls; then
multilib_is_native_abi && einfo "Default TLS backend: gnutls"
tls_opts+=( "--with-default-ssl-backend=gnutls" )
elif use curl_ssl_mbedtls; then
multilib_is_native_abi && einfo "Default TLS backend: mbedtls"
tls_opts+=( "--with-default-ssl-backend=mbedtls" )
elif use curl_ssl_openssl; then
multilib_is_native_abi && einfo "Default TLS backend: openssl"
tls_opts+=( "--with-default-ssl-backend=openssl" )
elif use curl_ssl_rustls; then
multilib_is_native_abi && einfo "Default TLS backend: rustls"
tls_opts+=( "--with-default-ssl-backend=rustls" )
else
eerror "We can't be here because of REQUIRED_USE."
die "Please file a bug, hit impossible condition w/ USE=ssl handling."
fi
# Explicitly Disable unimplemented backends
tls_opts+=(
--without-amissl
--without-wolfssl
)
printf "%s\n" "${tls_opts[@]}"
}
multilib_src_configure() {
use static-libs && lto-guarantee-fat
# We make use of the fact that later flags override earlier ones
# So start with all ssl providers off until proven otherwise
# TODO: in the future, we may want to add wolfssl (https://www.wolfssl.com/)
local myconf=()
myconf+=( --without-ca-fallback --with-ca-bundle="${EPREFIX}"/etc/ssl/certs/ca-certificates.crt )
if use ssl; then
local -a tls_backend_opts
readarray -t tls_backend_opts < <(_get_curl_tls_configure_opts)
myconf+=("${tls_backend_opts[@]}")
if use quic; then
myconf+=(
$(use_with curl_quic_ngtcp2 ngtcp2)
$(use_with curl_quic_openssl openssl-quic)
)
else
# Without a REQUIRED_USE to ensure that QUIC was requested when at least one default backend is
# enabled we need ensure that we don't try to build QUIC support
myconf+=( --without-ngtcp2 --without-openssl-quic )
fi
else
myconf+=( --without-ssl )
einfo "SSL disabled"
fi
# These configuration options are organised alphabetically by category/type
# Protocols
# `grep SUPPORT_PROTOCOLS=\" configure.ac | awk '{ print substr($2, 1, length($2)-1)}' | sort`
# Assume that anything omitted (that is not new!) is enabled by default with no deps
myconf+=(
--enable-file
$(use_enable ftp)
$(use_enable gopher)
--enable-http
$(use_enable imap) # Automatic IMAPS if TLS is enabled
$(use_enable ldap ldaps)
$(use_enable ldap)
$(use_enable pop3)
$(use_enable samba smb)
$(use_with ssh libssh2) # enables scp/sftp
$(use_with rtmp librtmp)
--enable-rtsp
$(use_enable smtp)
$(use_enable telnet)
$(use_enable tftp)
$(use_enable websockets)
)
# Keep various 'HTTP-flavoured' options together
myconf+=(
$(use_enable alt-svc)
$(use_enable hsts)
$(use_enable httpsrr)
$(use_with http2 nghttp2)
$(use_with http3 nghttp3)
)
# --enable/disable options
# `grep -- --enable configure | grep Check | awk '{ print $4 }' | sort`
myconf+=(
$(use_enable adns ares)
--enable-aws
--enable-basic-auth
--enable-bearer-auth
--enable-cookies
--enable-dateparse
--enable-dict
--enable-digest-auth
--enable-dnsshuffle
--enable-doh
$(use_enable ech)
--enable-http-auth
--enable-ipv6
--enable-kerberos-auth
--enable-largefile
--enable-manual
--enable-mime
--enable-negotiate-auth
--enable-netrc
--enable-ntlm
--enable-progress-meter
--enable-proxy
--enable-rt
--enable-socketpair
--disable-sspi
$(use_enable static-libs static)
--enable-symbol-hiding
--enable-tls-srp
--disable-versioned-symbols
)
# --with/without options
# `grep -- --with configure | grep Check | awk '{ print $4 }' | sort`
myconf+=(
$(use_with brotli)
--with-fish-functions-dir="${EPREFIX}"/usr/share/fish/vendor_completions.d
$(use_with idn libidn2)
$(use_with kerberos gssapi "${EPREFIX}"/usr)
$(use_with sasl-scram libgsasl)
$(use_with psl libpsl)
--without-quiche
--without-schannel
--without-winidn
--with-zlib
--with-zsh-functions-dir="${EPREFIX}"/usr/share/zsh/site-functions
$(use_with zstd)
)
# Test deps (disabled)
myconf+=(
--without-test-caddy
--without-test-httpd
--without-test-nghttpx
)
if use debug; then
myconf+=(
--enable-debug
)
fi
if use test && multilib_is_native_abi && ( use http2 || use http3 ); then
myconf+=(
--with-test-nghttpx="${BROOT}/usr/bin/nghttpx"
)
fi
# Since 8.12.0 adns/c-ares and the threaded resolver are mutually exclusive
# This is in support of some work to enable `httpsrr` to use adns and the rest
# of curl to use the threaded resolver; for us `httpsrr` is conditional on adns.
if use adns; then
myconf+=(
--disable-threaded-resolver
)
else
myconf+=(
--enable-threaded-resolver
)
fi
ECONF_SOURCE="${S}" econf "${myconf[@]}"
if ! multilib_is_native_abi; then
# Avoid building the client (we just want libcurl for multilib)
sed -i -e '/SUBDIRS/s:src::' Makefile || die
sed -i -e '/SUBDIRS/s:scripts::' Makefile || die
fi
}
multilib_src_compile() {
default
if multilib_is_native_abi; then
# Shell completions
! tc-is-cross-compiler && emake -C scripts
fi
}
# There is also a pytest harness that tests for bugs in some very specific
# situations; we can rely on upstream for this rather than adding additional test deps.
multilib_src_test() {
# See https://github.com/curl/curl/blob/master/tests/runtests.pl#L5721
# -n: no valgrind (unreliable in sandbox and doesn't work correctly on all arches)
# -v: verbose
# -a: keep going on failure (so we see everything that breaks, not just 1st test)
# -k: keep test files after completion
# -am: automake style TAP output
# -p: print logs if test fails
# Note: if needed, we can skip specific tests. See e.g. Fedora's packaging
# or just read https://github.com/curl/curl/tree/master/tests#run.
# Note: we don't run the testsuite for cross-compilation.
# Upstream recommend 7*nproc as a starting point for parallel tests, but
# this ends up breaking when nproc is huge (like -j80).
# The network sandbox causes tests 241 and 1083 to fail; these are typically skipped
# as most gentoo users don't have an 'ip6-localhost'
multilib_is_native_abi && emake test TFLAGS="-n -v -a -k -am -p -j$((2*$(makeopts_jobs))) !241 !1083"
}
multilib_src_install() {
emake DESTDIR="${D}" install
if multilib_is_native_abi; then
# Shell completions
! tc-is-cross-compiler && emake -C scripts DESTDIR="${D}" install
fi
}
multilib_src_install_all() {
einstalldocs
find "${ED}" -type f -name '*.la' -delete || die
use static-libs && strip-lto-bytecode
rm -rf "${ED}"/etc/ || die
}
pkg_postinst() {
if use debug; then
ewarn "USE=debug has been selected, enabling debug codepaths and making cURL extra verbose."
ewarn "Use this _only_ for testing. Debug builds should _not_ be used in anger."
ewarn "hic sunt dracones; you have been warned."
fi
}


@ -1,450 +0,0 @@
# Copyright 1999-2026 Gentoo Authors
# Distributed under the terms of the GNU General Public License v2
EAPI=8
# Maintainers should subscribe to the 'curl-distros' ML for backports etc
# https://daniel.haxx.se/blog/2024/03/25/curl-distro-report/
# https://lists.haxx.se/listinfo/curl-distros
VERIFY_SIG_OPENPGP_KEY_PATH=/usr/share/openpgp-keys/danielstenberg.asc
inherit dot-a autotools multilib-minimal multiprocessing prefix toolchain-funcs verify-sig
DESCRIPTION="A Client that groks URLs"
HOMEPAGE="https://curl.se/"
if [[ ${PV} == 9999 ]]; then
inherit git-r3
EGIT_REPO_URI="https://github.com/curl/curl.git"
else
if [[ ${P} == *rc* ]]; then
CURL_URI="https://curl.se/rc/"
S="${WORKDIR}/${P//_/-}"
else
CURL_URI="https://curl.se/download/"
KEYWORDS="~alpha amd64 arm arm64 ~hppa ~loong ~m68k ~mips ppc ppc64 ~riscv ~s390 ~sparc x86 ~arm64-macos ~x64-macos ~x64-solaris"
fi
SRC_URI="
${CURL_URI}${P//_/-}.tar.xz
verify-sig? ( ${CURL_URI}${P//_/-}.tar.xz.asc )
"
fi
LICENSE="BSD curl ISC test? ( BSD-4 )"
SLOT="0"
IUSE="+adns +alt-svc brotli debug ech +ftp gnutls gopher +hsts +http2 +http3 +httpsrr idn +imap kerberos ldap"
IUSE+=" mbedtls +openssl +pop3 +psl +quic rtmp rustls samba sasl-scram +smtp ssh ssl static-libs test"
IUSE+=" telnet +tftp +websockets zstd"
# These select the default tls implementation / which quic impl to use
IUSE+=" +curl_quic_openssl curl_quic_ngtcp2 curl_ssl_gnutls curl_ssl_mbedtls +curl_ssl_openssl curl_ssl_rustls"
RESTRICT="!test? ( test )"
# HTTPS RR is technically usable with the threaded resolver, but it still uses c-ares to
# ask for the HTTPS RR record type; if DoH is in use the HTTPS record will be requested
# in addition to A and AAAA records.
# To simplify dependency management in the ebuild we'll require c-ares for HTTPS RR (for now?).
# HTTPS RR in cURL is a dependency for:
# - ECH (requires patched openssl or gnutls currently, enabled with rustls)
# - Fetching the ALPN list which should provide a better HTTP/3 experience.
# Only one default ssl / quic provider can be enabled
# The default provider needs its USE satisfied
# HTTP/3 and MultiSSL are mutually exclusive; it's not clear if MultiSSL offers any benefit at all in the modern day.
# https://github.com/curl/curl/commit/65ece771f4602107d9cdd339dff4b420280a2c2e
REQUIRED_USE="
ech? ( rustls )
httpsrr? ( adns )
quic? (
^^ (
curl_quic_openssl
curl_quic_ngtcp2
)
http3
ssl
)
ssl? (
^^ (
curl_ssl_gnutls
curl_ssl_mbedtls
curl_ssl_openssl
curl_ssl_rustls
)
)
curl_quic_openssl? (
curl_ssl_openssl
!gnutls
!mbedtls
!rustls
)
curl_quic_ngtcp2? (
curl_ssl_gnutls
!mbedtls
!openssl
!rustls
)
curl_ssl_gnutls? ( gnutls )
curl_ssl_mbedtls? ( mbedtls )
curl_ssl_openssl? ( openssl )
curl_ssl_rustls? ( rustls )
http3? ( alt-svc httpsrr quic )
"
# cURL's docs and CI/CD are great resources for confirming supported versions
# particulary for fast-moving targets like HTTP/2 and TCP/2 e.g.:
# - https://github.com/curl/curl/blob/master/docs/INTERNALS.md (core dependencies + minimum versions)
# - https://github.com/curl/curl/blob/master/docs/HTTP3.md (example of a feature that moves quickly)
# - https://github.com/curl/curl/blob/master/.github/workflows/http3-linux.yml (CI/CD for TCP/2)
# However 'supported' vs 'works' are two entirely different things; be sane but
# don't be afraid to require a later version.
# ngtcp2 = https://bugs.gentoo.org/912029 - can only build with one tls backend at a time.
# TODO: OpenSSL-QUIC support is going to be removed in 2026; depend on ngtcp2[{gnutls,openssl}] before that point.
# - https://github.com/curl/curl/pull/18820 (Deprecate OpenSSL QUIC support)
# - https://github.com/curl/curl/issues/18336 (curl w/ OpenSSL QUIC fails to fetch Google.com)
RDEPEND="
>=virtual/zlib-1.2.5:=[${MULTILIB_USEDEP}]
adns? ( >=net-dns/c-ares-1.16.0:=[${MULTILIB_USEDEP}] )
brotli? ( app-arch/brotli:=[${MULTILIB_USEDEP}] )
http2? ( >=net-libs/nghttp2-1.15.0:=[${MULTILIB_USEDEP}] )
http3? ( >=net-libs/nghttp3-1.1.0[${MULTILIB_USEDEP}] )
idn? ( >=net-dns/libidn2-2.0.0:=[static-libs?,${MULTILIB_USEDEP}] )
kerberos? ( >=virtual/krb5-0-r1[${MULTILIB_USEDEP}] )
ldap? ( >=net-nds/openldap-2.0.0:=[static-libs?,${MULTILIB_USEDEP}] )
psl? ( net-libs/libpsl[${MULTILIB_USEDEP}] )
quic? (
curl_quic_openssl? ( >=dev-libs/openssl-3.3.0:=[quic,${MULTILIB_USEDEP}] )
curl_quic_ngtcp2? ( >=net-libs/ngtcp2-1.2.0[gnutls,ssl,-openssl,${MULTILIB_USEDEP}] )
)
rtmp? ( media-video/rtmpdump[${MULTILIB_USEDEP}] )
ssh? ( >=net-libs/libssh2-1.2.8[${MULTILIB_USEDEP}] )
sasl-scram? ( >=net-misc/gsasl-2.2.0[static-libs?,${MULTILIB_USEDEP}] )
ssl? (
gnutls? (
app-misc/ca-certificates
>=net-libs/gnutls-3.1.10:=[static-libs?,${MULTILIB_USEDEP}]
dev-libs/nettle:=[${MULTILIB_USEDEP}]
)
mbedtls? (
app-misc/ca-certificates
net-libs/mbedtls:3=[${MULTILIB_USEDEP}]
)
openssl? (
>=dev-libs/openssl-1.0.2:=[static-libs?,${MULTILIB_USEDEP}]
)
rustls? (
>=net-libs/rustls-ffi-0.15.0:=[${MULTILIB_USEDEP}]
)
)
zstd? ( app-arch/zstd:=[${MULTILIB_USEDEP}] )
"
DEPEND="${RDEPEND}"
BDEPEND="
dev-lang/perl
virtual/pkgconfig
test? (
sys-apps/diffutils
http2? ( >=net-libs/nghttp2-1.15.0:=[utils,${MULTILIB_USEDEP}] )
http3? ( net-libs/nghttp2:=[utils,${MULTILIB_USEDEP}] )
)
verify-sig? ( sec-keys/openpgp-keys-danielstenberg )
"
DOCS=( README docs/{FEATURES.md,INTERNALS.md,FAQ,BUGS.md,CONTRIBUTE.md} )
MULTILIB_WRAPPED_HEADERS=(
/usr/include/curl/curlbuild.h
)
MULTILIB_CHOST_TOOLS=(
/usr/bin/curl-config
)
QA_CONFIG_IMPL_DECL_SKIP=(
__builtin_available
closesocket
CloseSocket
getpass_r
ioctlsocket
IoctlSocket
mach_absolute_time
setmode
_fseeki64
# custom AC_LINK_IFELSE code fails to link even without -Werror
OSSL_QUIC_client_method
)
PATCHES=(
"${FILESDIR}/${PN}-prefix-5.patch"
"${FILESDIR}/${PN}-respect-cflags-3.patch"
"${FILESDIR}/${P}-progress-parallel.patch"
"${FILESDIR}/${P}-curlopt-capath.patch"
"${FILESDIR}/${P}-wcurl-CVE-2025-11563.patch"
)
src_prepare() {
default
eprefixify curl-config.in
eautoreconf
}
# Generates TLS-related configure options based on USE flags.
# Outputs options suitable for appending to a configure options array.
_get_curl_tls_configure_opts() {
local tls_opts=()
local backend flag_name
for backend in gnutls mbedtls openssl rustls; do
if [[ "$backend" == "openssl" ]]; then
flag_name="ssl"
tls_opts+=( "--with-ca-path=${EPREFIX}/etc/ssl/certs")
else
flag_name="$backend"
fi
if use "$backend"; then
tls_opts+=( "--with-${flag_name}" )
else
# If a single backend is enabled, 'ssl' is required, openssl is the default / fallback
if ! [[ "$backend" == "openssl" ]]; then
tls_opts+=( "--without-${flag_name}" )
fi
fi
done
if use curl_ssl_gnutls; then
multilib_is_native_abi && einfo "Default TLS backend: gnutls"
tls_opts+=( "--with-default-ssl-backend=gnutls" )
elif use curl_ssl_mbedtls; then
multilib_is_native_abi && einfo "Default TLS backend: mbedtls"
tls_opts+=( "--with-default-ssl-backend=mbedtls" )
elif use curl_ssl_openssl; then
multilib_is_native_abi && einfo "Default TLS backend: openssl"
tls_opts+=( "--with-default-ssl-backend=openssl" )
elif use curl_ssl_rustls; then
multilib_is_native_abi && einfo "Default TLS backend: rustls"
tls_opts+=( "--with-default-ssl-backend=rustls" )
else
eerror "We can't be here because of REQUIRED_USE."
die "Please file a bug, hit impossible condition w/ USE=ssl handling."
fi
# Explicitly Disable unimplemented backends
tls_opts+=(
--without-amissl
--without-wolfssl
)
printf "%s\n" "${tls_opts[@]}"
}
multilib_src_configure() {
use static-libs && lto-guarantee-fat
# We make use of the fact that later flags override earlier ones
# So start with all ssl providers off until proven otherwise
# TODO: in the future, we may want to add wolfssl (https://www.wolfssl.com/)
local myconf=()
myconf+=( --without-ca-fallback --with-ca-bundle="${EPREFIX}"/etc/ssl/certs/ca-certificates.crt )
if use ssl; then
local -a tls_backend_opts
readarray -t tls_backend_opts < <(_get_curl_tls_configure_opts)
myconf+=("${tls_backend_opts[@]}")
if use quic; then
myconf+=(
$(use_with curl_quic_ngtcp2 ngtcp2)
$(use_with curl_quic_openssl openssl-quic)
)
else
# Without a REQUIRED_USE to ensure that QUIC was requested when at least one default backend is
# enabled we need ensure that we don't try to build QUIC support
myconf+=( --without-ngtcp2 --without-openssl-quic )
fi
else
myconf+=( --without-ssl )
einfo "SSL disabled"
fi
# These configuration options are organised alphabetically by category/type
# Protocols
# `grep SUPPORT_PROTOCOLS=\" configure.ac | awk '{ print substr($2, 1, length($2)-1)}' | sort`
# Assume that anything omitted (that is not new!) is enabled by default with no deps
myconf+=(
--enable-file
$(use_enable ftp)
$(use_enable gopher)
--enable-http
$(use_enable imap) # Automatic IMAPS if TLS is enabled
$(use_enable ldap ldaps)
$(use_enable ldap)
$(use_enable pop3)
$(use_enable samba smb)
$(use_with ssh libssh2) # enables scp/sftp
$(use_with rtmp librtmp)
--enable-rtsp
$(use_enable smtp)
$(use_enable telnet)
$(use_enable tftp)
$(use_enable websockets)
)
# Keep various 'HTTP-flavoured' options together
myconf+=(
$(use_enable alt-svc)
$(use_enable hsts)
$(use_enable httpsrr)
$(use_with http2 nghttp2)
$(use_with http3 nghttp3)
)
# --enable/disable options
# `grep -- --enable configure | grep Check | awk '{ print $4 }' | sort`
myconf+=(
$(use_enable adns ares)
--enable-aws
--enable-basic-auth
--enable-bearer-auth
--enable-cookies
--enable-dateparse
--enable-dict
--enable-digest-auth
--enable-dnsshuffle
--enable-doh
$(use_enable ech)
--enable-http-auth
--enable-ipv6
--enable-kerberos-auth
--enable-largefile
--enable-manual
--enable-mime
--enable-negotiate-auth
--enable-netrc
--enable-ntlm
--enable-progress-meter
--enable-proxy
--enable-rt
--enable-socketpair
--disable-sspi
$(use_enable static-libs static)
--enable-symbol-hiding
--enable-tls-srp
--disable-versioned-symbols
)
# --with/without options
# `grep -- --with configure | grep Check | awk '{ print $4 }' | sort`
myconf+=(
$(use_with brotli)
--with-fish-functions-dir="${EPREFIX}"/usr/share/fish/vendor_completions.d
$(use_with idn libidn2)
$(use_with kerberos gssapi "${EPREFIX}"/usr)
$(use_with sasl-scram libgsasl)
$(use_with psl libpsl)
--without-quiche
--without-schannel
--without-winidn
--with-zlib
--with-zsh-functions-dir="${EPREFIX}"/usr/share/zsh/site-functions
$(use_with zstd)
)
# Test deps (disabled)
myconf+=(
--without-test-caddy
--without-test-httpd
--without-test-nghttpx
)
if use debug; then
myconf+=(
--enable-debug
)
fi
if use test && multilib_is_native_abi && ( use http2 || use http3 ); then
myconf+=(
--with-test-nghttpx="${BROOT}/usr/bin/nghttpx"
)
fi
# Since 8.12.0 adns/c-ares and the threaded resolver are mutually exclusive
# This is in support of some work to enable `httpsrr` to use adns and the rest
# of curl to use the threaded resolver; for us `httpsrr` is conditional on adns.
if use adns; then
myconf+=(
--disable-threaded-resolver
)
else
myconf+=(
--enable-threaded-resolver
)
fi
ECONF_SOURCE="${S}" econf "${myconf[@]}"
if ! multilib_is_native_abi; then
# Avoid building the client (we just want libcurl for multilib)
sed -i -e '/SUBDIRS/s:src::' Makefile || die
sed -i -e '/SUBDIRS/s:scripts::' Makefile || die
fi
}
multilib_src_compile() {
default
if multilib_is_native_abi; then
# Shell completions
! tc-is-cross-compiler && emake -C scripts
fi
}
# There is also a pytest harness that tests for bugs in some very specific
# situations; we can rely on upstream for this rather than adding additional test deps.
multilib_src_test() {
# See https://github.com/curl/curl/blob/master/tests/runtests.pl#L5721
# -n: no valgrind (unreliable in sandbox and doesn't work correctly on all arches)
# -v: verbose
# -a: keep going on failure (so we see everything that breaks, not just 1st test)
# -k: keep test files after completion
# -am: automake style TAP output
# -p: print logs if test fails
# Note: if needed, we can skip specific tests. See e.g. Fedora's packaging
# or just read https://github.com/curl/curl/tree/master/tests#run.
# Note: we don't run the testsuite for cross-compilation.
# Upstream recommend 7*nproc as a starting point for parallel tests, but
# this ends up breaking when nproc is huge (like -j80).
# The network sandbox causes tests 241 and 1083 to fail; these are typically skipped
# as most gentoo users don't have an 'ip6-localhost'
multilib_is_native_abi && emake test TFLAGS="-n -v -a -k -am -p -j$((2*$(makeopts_jobs))) !241 !1083"
}
multilib_src_install() {
emake DESTDIR="${D}" install
if multilib_is_native_abi; then
# Shell completions
! tc-is-cross-compiler && emake -C scripts DESTDIR="${D}" install
fi
}
multilib_src_install_all() {
einstalldocs
find "${ED}" -type f -name '*.la' -delete || die
use static-libs && strip-lto-bytecode
rm -rf "${ED}"/etc/ || die
}
pkg_postinst() {
if use debug; then
ewarn "USE=debug has been selected, enabling debug codepaths and making cURL extra verbose."
ewarn "Use this _only_ for testing. Debug builds should _not_ be used in anger."
ewarn "hic sunt dracones; you have been warned."
fi
}


@ -1,442 +0,0 @@
# Copyright 1999-2025 Gentoo Authors
# Distributed under the terms of the GNU General Public License v2
EAPI=8
# Maintainers should subscribe to the 'curl-distros' ML for backports etc
# https://daniel.haxx.se/blog/2024/03/25/curl-distro-report/
# https://lists.haxx.se/listinfo/curl-distros
VERIFY_SIG_OPENPGP_KEY_PATH=/usr/share/openpgp-keys/danielstenberg.asc
inherit autotools multilib-minimal multiprocessing prefix toolchain-funcs verify-sig
DESCRIPTION="A Client that groks URLs"
HOMEPAGE="https://curl.se/"
if [[ ${PV} == 9999 ]]; then
inherit git-r3
EGIT_REPO_URI="https://github.com/curl/curl.git"
else
if [[ ${P} == *rc* ]]; then
CURL_URI="https://curl.se/rc/"
S="${WORKDIR}/${P//_/-}"
else
CURL_URI="https://curl.se/download/"
KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~loong ~m68k ~mips ~ppc ~ppc64 ~riscv ~s390 ~sparc ~x86 ~arm64-macos ~x64-macos ~x64-solaris"
fi
SRC_URI="
${CURL_URI}${P//_/-}.tar.xz
verify-sig? ( ${CURL_URI}${P//_/-}.tar.xz.asc )
"
fi
LICENSE="BSD curl ISC test? ( BSD-4 )"
SLOT="0"
IUSE="+adns +alt-svc brotli debug ech +ftp gnutls gopher +hsts +http2 +http3 +httpsrr idn +imap kerberos ldap"
IUSE+=" mbedtls +openssl +pop3 +psl +quic rtmp rustls samba sasl-scram +smtp ssh ssl static-libs test"
IUSE+=" telnet +tftp +websockets zstd"
# These select the default tls implementation / which quic impl to use
IUSE+=" +curl_quic_openssl curl_quic_ngtcp2 curl_ssl_gnutls curl_ssl_mbedtls +curl_ssl_openssl curl_ssl_rustls"
RESTRICT="!test? ( test )"
# HTTPS RR is technically usable with the threaded resolver, but it still uses c-ares to
# ask for the HTTPS RR record type; if DoH is in use the HTTPS record will be requested
# in addition to A and AAAA records.
# To simplify dependency management in the ebuild we'll require c-ares for HTTPS RR (for now?).
# HTTPS RR in cURL is a dependency for:
# - ECH (requires patched openssl or gnutls currently, enabled with rustls)
# - Fetching the ALPN list which should provide a better HTTP/3 experience.
# Only one default ssl / quic provider can be enabled
# The default provider needs its USE satisfied
# HTTP/3 and MultiSSL are mutually exclusive; it's not clear if MultiSSL offers any benefit at all in the modern day.
# https://github.com/curl/curl/commit/65ece771f4602107d9cdd339dff4b420280a2c2e
REQUIRED_USE="
ech? ( rustls )
httpsrr? ( adns )
quic? (
^^ (
curl_quic_openssl
curl_quic_ngtcp2
)
http3
ssl
)
ssl? (
^^ (
curl_ssl_gnutls
curl_ssl_mbedtls
curl_ssl_openssl
curl_ssl_rustls
)
)
curl_quic_openssl? (
curl_ssl_openssl
!gnutls
!mbedtls
!rustls
)
curl_quic_ngtcp2? (
curl_ssl_gnutls
!mbedtls
!openssl
!rustls
)
curl_ssl_gnutls? ( gnutls )
curl_ssl_mbedtls? ( mbedtls )
curl_ssl_openssl? ( openssl )
curl_ssl_rustls? ( rustls )
http3? ( alt-svc httpsrr quic )
"
# cURL's docs and CI/CD are great resources for confirming supported versions
# particulary for fast-moving targets like HTTP/2 and TCP/2 e.g.:
# - https://github.com/curl/curl/blob/master/docs/INTERNALS.md (core dependencies + minimum versions)
# - https://github.com/curl/curl/blob/master/docs/HTTP3.md (example of a feature that moves quickly)
# - https://github.com/curl/curl/blob/master/.github/workflows/http3-linux.yml (CI/CD for TCP/2)
# However 'supported' vs 'works' are two entirely different things; be sane but
# don't be afraid to require a later version.
# ngtcp2 = https://bugs.gentoo.org/912029 - can only build with one tls backend at a time.
# TODO: OpenSSL-QUIC support is going to be removed in 2026; depend on ngtcp2[{gnutls,openssl}] before that point.
# - https://github.com/curl/curl/pull/18820 (Deprecate OpenSSL QUIC support)
# - https://github.com/curl/curl/issues/18336 (curl w/ OpenSSL QUIC fails to fetch Google.com)
RDEPEND="
>=virtual/zlib-1.2.5:=[${MULTILIB_USEDEP}]
adns? ( >=net-dns/c-ares-1.16.0:=[${MULTILIB_USEDEP}] )
brotli? ( app-arch/brotli:=[${MULTILIB_USEDEP}] )
http2? ( >=net-libs/nghttp2-1.15.0:=[${MULTILIB_USEDEP}] )
http3? ( >=net-libs/nghttp3-1.1.0[${MULTILIB_USEDEP}] )
idn? ( >=net-dns/libidn2-2.0.0:=[static-libs?,${MULTILIB_USEDEP}] )
kerberos? ( >=virtual/krb5-0-r1[${MULTILIB_USEDEP}] )
ldap? ( >=net-nds/openldap-2.0.0:=[static-libs?,${MULTILIB_USEDEP}] )
psl? ( net-libs/libpsl[${MULTILIB_USEDEP}] )
quic? (
curl_quic_openssl? ( >=dev-libs/openssl-3.3.0:=[quic,${MULTILIB_USEDEP}] )
curl_quic_ngtcp2? ( >=net-libs/ngtcp2-1.2.0[gnutls,ssl,-openssl,${MULTILIB_USEDEP}] )
)
rtmp? ( media-video/rtmpdump[${MULTILIB_USEDEP}] )
ssh? ( >=net-libs/libssh2-1.2.8[${MULTILIB_USEDEP}] )
sasl-scram? ( >=net-misc/gsasl-2.2.0[static-libs?,${MULTILIB_USEDEP}] )
ssl? (
gnutls? (
app-misc/ca-certificates
>=net-libs/gnutls-3.1.10:=[static-libs?,${MULTILIB_USEDEP}]
dev-libs/nettle:=[${MULTILIB_USEDEP}]
)
mbedtls? (
app-misc/ca-certificates
net-libs/mbedtls:3=[${MULTILIB_USEDEP}]
)
openssl? (
>=dev-libs/openssl-1.0.2:=[static-libs?,${MULTILIB_USEDEP}]
)
rustls? (
>=net-libs/rustls-ffi-0.15.0:=[${MULTILIB_USEDEP}]
)
)
zstd? ( app-arch/zstd:=[${MULTILIB_USEDEP}] )
"
DEPEND="${RDEPEND}"
BDEPEND="
dev-lang/perl
virtual/pkgconfig
test? (
sys-apps/diffutils
http2? ( >=net-libs/nghttp2-1.15.0:=[utils,${MULTILIB_USEDEP}] )
http3? ( net-libs/nghttp2:=[utils,${MULTILIB_USEDEP}] )
)
verify-sig? ( sec-keys/openpgp-keys-danielstenberg )
"
DOCS=( README docs/{FEATURES.md,INTERNALS.md,FAQ,BUGS.md,CONTRIBUTE.md} )
MULTILIB_WRAPPED_HEADERS=(
/usr/include/curl/curlbuild.h
)
MULTILIB_CHOST_TOOLS=(
/usr/bin/curl-config
)
QA_CONFIG_IMPL_DECL_SKIP=(
__builtin_available
closesocket
CloseSocket
getpass_r
ioctlsocket
IoctlSocket
mach_absolute_time
setmode
_fseeki64
# custom AC_LINK_IFELSE code fails to link even without -Werror
OSSL_QUIC_client_method
)
PATCHES=(
"${FILESDIR}/${PN}-prefix-5.patch"
"${FILESDIR}/${PN}-respect-cflags-3.patch"
)
src_prepare() {
default
eprefixify curl-config.in
eautoreconf
}
# Generates TLS-related configure options based on USE flags.
# Outputs options suitable for appending to a configure options array.
_get_curl_tls_configure_opts() {
local tls_opts=()
local backend flag_name
for backend in gnutls mbedtls openssl rustls; do
if [[ "$backend" == "openssl" ]]; then
flag_name="ssl"
tls_opts+=( "--with-ca-path=${EPREFIX}/etc/ssl/certs")
else
flag_name="$backend"
fi
if use "$backend"; then
tls_opts+=( "--with-${flag_name}" )
else
# If a single backend is enabled, 'ssl' is required, openssl is the default / fallback
if ! [[ "$backend" == "openssl" ]]; then
tls_opts+=( "--without-${flag_name}" )
fi
fi
done
if use curl_ssl_gnutls; then
multilib_is_native_abi && einfo "Default TLS backend: gnutls"
tls_opts+=( "--with-default-ssl-backend=gnutls" )
elif use curl_ssl_mbedtls; then
multilib_is_native_abi && einfo "Default TLS backend: mbedtls"
tls_opts+=( "--with-default-ssl-backend=mbedtls" )
elif use curl_ssl_openssl; then
multilib_is_native_abi && einfo "Default TLS backend: openssl"
tls_opts+=( "--with-default-ssl-backend=openssl" )
elif use curl_ssl_rustls; then
multilib_is_native_abi && einfo "Default TLS backend: rustls"
tls_opts+=( "--with-default-ssl-backend=rustls" )
else
eerror "We can't be here because of REQUIRED_USE."
die "Please file a bug, hit impossible condition w/ USE=ssl handling."
fi
# Explicitly Disable unimplemented backends
tls_opts+=(
--without-amissl
--without-wolfssl
)
printf "%s\n" "${tls_opts[@]}"
}
multilib_src_configure() {
# We make use of the fact that later flags override earlier ones
# So start with all ssl providers off until proven otherwise
# TODO: in the future, we may want to add wolfssl (https://www.wolfssl.com/)
local myconf=()
myconf+=( --without-ca-fallback --with-ca-bundle="${EPREFIX}"/etc/ssl/certs/ca-certificates.crt )
if use ssl; then
local -a tls_backend_opts
readarray -t tls_backend_opts < <(_get_curl_tls_configure_opts)
myconf+=("${tls_backend_opts[@]}")
if use quic; then
myconf+=(
$(use_with curl_quic_ngtcp2 ngtcp2)
$(use_with curl_quic_openssl openssl-quic)
)
else
# Without a REQUIRED_USE to ensure that QUIC was requested when at least one default backend is
# enabled we need ensure that we don't try to build QUIC support
myconf+=( --without-ngtcp2 --without-openssl-quic )
fi
else
myconf+=( --without-ssl )
einfo "SSL disabled"
fi
# These configuration options are organised alphabetically by category/type
# Protocols
# `grep SUPPORT_PROTOCOLS=\" configure.ac | awk '{ print substr($2, 1, length($2)-1)}' | sort`
# Assume that anything omitted (that is not new!) is enabled by default with no deps
myconf+=(
--enable-file
$(use_enable ftp)
$(use_enable gopher)
--enable-http
$(use_enable imap) # Automatic IMAPS if TLS is enabled
$(use_enable ldap ldaps)
$(use_enable ldap)
$(use_enable pop3)
$(use_enable samba smb)
$(use_with ssh libssh2) # enables scp/sftp
$(use_with rtmp librtmp)
--enable-rtsp
$(use_enable smtp)
$(use_enable telnet)
$(use_enable tftp)
$(use_enable websockets)
)
# Keep various 'HTTP-flavoured' options together
myconf+=(
$(use_enable alt-svc)
$(use_enable hsts)
$(use_enable httpsrr)
$(use_with http2 nghttp2)
$(use_with http3 nghttp3)
)
# --enable/disable options
# `grep -- --enable configure | grep Check | awk '{ print $4 }' | sort`
myconf+=(
$(use_enable adns ares)
--enable-aws
--enable-basic-auth
--enable-bearer-auth
--enable-cookies
--enable-dateparse
--enable-dict
--enable-digest-auth
--enable-dnsshuffle
--enable-doh
$(use_enable ech)
--enable-http-auth
--enable-ipv6
--enable-kerberos-auth
--enable-largefile
--enable-manual
--enable-mime
--enable-negotiate-auth
--enable-netrc
--enable-ntlm
--enable-progress-meter
--enable-proxy
--enable-rt
--enable-socketpair
--disable-sspi
$(use_enable static-libs static)
--enable-symbol-hiding
--enable-tls-srp
--disable-versioned-symbols
)
# --with/without options
# `grep -- --with configure | grep Check | awk '{ print $4 }' | sort`
myconf+=(
$(use_with brotli)
--with-fish-functions-dir="${EPREFIX}"/usr/share/fish/vendor_completions.d
$(use_with idn libidn2)
$(use_with kerberos gssapi "${EPREFIX}"/usr)
$(use_with sasl-scram libgsasl)
$(use_with psl libpsl)
--without-quiche
--without-schannel
--without-winidn
--with-zlib
--with-zsh-functions-dir="${EPREFIX}"/usr/share/zsh/site-functions
$(use_with zstd)
)
# Test deps (disabled)
myconf+=(
--without-test-caddy
--without-test-httpd
--without-test-nghttpx
)
if use debug; then
myconf+=(
--enable-debug
)
fi
if use test && multilib_is_native_abi && ( use http2 || use http3 ); then
myconf+=(
--with-test-nghttpx="${BROOT}/usr/bin/nghttpx"
)
fi
# Since 8.12.0 adns/c-ares and the threaded resolver are mutually exclusive
# This is in support of some work to enable `httpsrr` to use adns and the rest
# of curl to use the threaded resolver; for us `httpsrr` is conditional on adns.
if use adns; then
myconf+=(
--disable-threaded-resolver
)
else
myconf+=(
--enable-threaded-resolver
)
fi
ECONF_SOURCE="${S}" econf "${myconf[@]}"
if ! multilib_is_native_abi; then
# Avoid building the client (we just want libcurl for multilib)
sed -i -e '/SUBDIRS/s:src::' Makefile || die
sed -i -e '/SUBDIRS/s:scripts::' Makefile || die
fi
}
multilib_src_compile() {
default
if multilib_is_native_abi; then
# Shell completions
! tc-is-cross-compiler && emake -C scripts
fi
}
# There is also a pytest harness that tests for bugs in some very specific
# situations; we can rely on upstream for this rather than adding additional test deps.
multilib_src_test() {
# See https://github.com/curl/curl/blob/master/tests/runtests.pl#L5721
# -n: no valgrind (unreliable in sandbox and doesn't work correctly on all arches)
# -v: verbose
# -a: keep going on failure (so we see everything that breaks, not just 1st test)
# -k: keep test files after completion
# -am: automake style TAP output
# -p: print logs if test fails
# Note: if needed, we can skip specific tests. See e.g. Fedora's packaging
# or just read https://github.com/curl/curl/tree/master/tests#run.
# Note: we don't run the testsuite for cross-compilation.
# Upstream recommend 7*nproc as a starting point for parallel tests, but
# this ends up breaking when nproc is huge (like -j80).
# The network sandbox causes tests 241 and 1083 to fail; these are typically skipped
# as most gentoo users don't have an 'ip6-localhost'
multilib_is_native_abi && emake test TFLAGS="-n -v -a -k -am -p -j$((2*$(makeopts_jobs))) !241 !1083"
}
multilib_src_install() {
emake DESTDIR="${D}" install
if multilib_is_native_abi; then
# Shell completions
! tc-is-cross-compiler && emake -C scripts DESTDIR="${D}" install
fi
}
multilib_src_install_all() {
einstalldocs
find "${ED}" -type f -name '*.la' -delete || die
rm -rf "${ED}"/etc/ || die
}
pkg_postinst() {
if use debug; then
ewarn "USE=debug has been selected, enabling debug codepaths and making cURL extra verbose."
ewarn "Use this _only_ for testing. Debug builds should _not_ be used in anger."
ewarn "hic sunt dracones; you have been warned."
fi
}


@ -178,6 +178,7 @@ QA_CONFIG_IMPL_DECL_SKIP=(
PATCHES=(
"${FILESDIR}/${PN}-prefix-6.patch"
"${FILESDIR}/${PN}-respect-cflags-3.patch"
"${FILESDIR}/${P}-restore-heimdal.patch"
)
src_prepare() {
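Review bot: The patch added to PATCHES here is spelled `"${FILESDIR}/${P}-restore-heimdal.patch"`, while the next file section adds what appears to be the same fix as `"${FILESDIR}/${PN}-8.18.0-restore-heimdal.patch"`. If both ebuilds are meant to apply one shared file under files/, using the explicit-version spelling in both places makes the sharing visible and keeps a straight version bump of this ebuild from dying on a missing patch; if this ebuild is not the 8.18.0 one, the two names refer to two different files and the diffstat should show both being added. The PATCHES array itself is fully inside the hunk, but the rest of the ebuild is not.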


@ -166,6 +166,7 @@ QA_CONFIG_IMPL_DECL_SKIP=(
PATCHES=(
"${FILESDIR}/${PN}-prefix-6.patch"
"${FILESDIR}/${PN}-respect-cflags-3.patch"
"${FILESDIR}/${PN}-8.18.0-restore-heimdal.patch"
)
src_prepare() {


@ -33,7 +33,7 @@ fi
LICENSE="BSD curl ISC test? ( BSD-4 )"
SLOT="0"
IUSE="+adns +alt-svc brotli debug ech +ftp gnutls gopher +hsts +http2 +http3 +httpsrr idn +imap kerberos ldap"
IUSE+=" mbedtls +openssl +pop3 +psl +quic rtmp rustls samba sasl-scram +smtp ssh ssl static-libs test"
IUSE+=" mbedtls +openssl +pop3 +psl +quic rustls samba sasl-scram +smtp ssh ssl static-libs test"
IUSE+=" telnet +tftp +websockets zstd"
# These select the default tls implementation / which quic impl to use
IUSE+=" curl_ssl_gnutls curl_ssl_mbedtls +curl_ssl_openssl curl_ssl_rustls"
@ -103,7 +103,6 @@ RDEPEND="
gnutls? ( >=net-libs/ngtcp2-1.20.0-r1[gnutls,ssl,${MULTILIB_USEDEP}] )
openssl? ( >=net-libs/ngtcp2-1.20.0-r1[openssl,ssl,${MULTILIB_USEDEP}] )
)
rtmp? ( media-video/rtmpdump[${MULTILIB_USEDEP}] )
ssh? ( >=net-libs/libssh2-1.2.8[${MULTILIB_USEDEP}] )
sasl-scram? ( >=net-misc/gsasl-2.2.0[static-libs?,${MULTILIB_USEDEP}] )
ssl? (
@ -261,7 +260,6 @@ multilib_src_configure() {
$(use_enable pop3)
$(use_enable samba smb)
$(use_with ssh libssh2) # enables scp/sftp
$(use_with rtmp librtmp)
--enable-rtsp
$(use_enable smtp)
$(use_enable telnet)
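Review bot: Removing `$(use_with rtmp librtmp)` from the protocols block (last hunk) also removes the explicit `--without-librtmp` that the unset flag used to emit, so if this curl release's configure still probes for librtmp when no option is given, a host-installed librtmp becomes an automagic dependency with no RDEPEND behind it now that the `rtmp?` entry is gone from the second hunk. If upstream has dropped RTMP support entirely in this version, which the removal of the IUSE flag in the first hunk suggests, nothing further is needed; otherwise keep a literal `--without-librtmp` in that array. Either way a short comment next to the IUSE line stating why the flag went away, e.g. `# rtmp: dropped, see upstream's librtmp deprecation` if that is the reason, would spare the next maintainer the archaeology. The enclosing multilib_src_configure() starts and ends outside this hunk.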


@ -1,399 +0,0 @@
https://github.com/curl/curl/commit/de3fc1d7adb78c078e4cc7ccc48e550758094ad3
From: Stefan Eissing <stefan@eissing.org>
Date: Sat, 13 Sep 2025 15:25:53 +0200
Subject: [PATCH] asyn-thrdd: drop pthread_cancel
Remove use of pthread_cancel in asnyc threaded resolving. While there
are system where this works, others might leak to resource leakage
(memory, files, etc.). The popular nsswitch is one example where resolve
code can be dragged in that is not prepared.
The overall promise and mechanism of pthread_cancel() is just too
brittle and the historcal design of getaddrinfo() continues to haunt us.
Fixes #18532
Reported-by: Javier Blazquez
Closes #18540
--- a/docs/libcurl/libcurl-env-dbg.md
+++ b/docs/libcurl/libcurl-env-dbg.md
@@ -83,11 +83,6 @@ When built with c-ares for name resolving, setting this environment variable
to `[IP:port]` makes libcurl use that DNS server instead of the system
default. This is used by the curl test suite.
-## `CURL_DNS_DELAY_MS`
-
-Delay the DNS resolve by this many milliseconds. This is used in the test
-suite to check proper handling of CURLOPT_CONNECTTIMEOUT(3).
-
## `CURL_FTP_PWD_STOP`
When set, the first transfer - when using ftp: - returns before sending
--- a/lib/asyn-thrdd.c
+++ b/lib/asyn-thrdd.c
@@ -199,14 +199,6 @@ addr_ctx_create(struct Curl_easy *data,
return NULL;
}
-static void async_thrd_cleanup(void *arg)
-{
- struct async_thrdd_addr_ctx *addr_ctx = arg;
-
- Curl_thread_disable_cancel();
- addr_ctx_unlink(&addr_ctx, NULL);
-}
-
#ifdef HAVE_GETADDRINFO
/*
@@ -220,15 +212,6 @@ static CURL_THREAD_RETURN_T CURL_STDCALL getaddrinfo_thread(void *arg)
struct async_thrdd_addr_ctx *addr_ctx = arg;
bool do_abort;
-/* clang complains about empty statements and the pthread_cleanup* macros
- * are pretty ill defined. */
-#if defined(__clang__)
-#pragma clang diagnostic push
-#pragma clang diagnostic ignored "-Wextra-semi-stmt"
-#endif
-
- Curl_thread_push_cleanup(async_thrd_cleanup, addr_ctx);
-
Curl_mutex_acquire(&addr_ctx->mutx);
do_abort = addr_ctx->do_abort;
Curl_mutex_release(&addr_ctx->mutx);
@@ -237,9 +220,6 @@ static CURL_THREAD_RETURN_T CURL_STDCALL getaddrinfo_thread(void *arg)
char service[12];
int rc;
-#ifdef DEBUGBUILD
- Curl_resolve_test_delay();
-#endif
msnprintf(service, sizeof(service), "%d", addr_ctx->port);
rc = Curl_getaddrinfo_ex(addr_ctx->hostname, service,
@@ -274,11 +254,6 @@ static CURL_THREAD_RETURN_T CURL_STDCALL getaddrinfo_thread(void *arg)
}
- Curl_thread_pop_cleanup();
-#if defined(__clang__)
-#pragma clang diagnostic pop
-#endif
-
addr_ctx_unlink(&addr_ctx, NULL);
return 0;
}
@@ -293,24 +268,11 @@ static CURL_THREAD_RETURN_T CURL_STDCALL gethostbyname_thread(void *arg)
struct async_thrdd_addr_ctx *addr_ctx = arg;
bool do_abort;
-/* clang complains about empty statements and the pthread_cleanup* macros
- * are pretty ill defined. */
-#if defined(__clang__)
-#pragma clang diagnostic push
-#pragma clang diagnostic ignored "-Wextra-semi-stmt"
-#endif
-
- Curl_thread_push_cleanup(async_thrd_cleanup, addr_ctx);
-
Curl_mutex_acquire(&addr_ctx->mutx);
do_abort = addr_ctx->do_abort;
Curl_mutex_release(&addr_ctx->mutx);
if(!do_abort) {
-#ifdef DEBUGBUILD
- Curl_resolve_test_delay();
-#endif
-
addr_ctx->res = Curl_ipv4_resolve_r(addr_ctx->hostname, addr_ctx->port);
if(!addr_ctx->res) {
addr_ctx->sock_error = SOCKERRNO;
@@ -337,12 +299,7 @@ static CURL_THREAD_RETURN_T CURL_STDCALL gethostbyname_thread(void *arg)
#endif
}
- Curl_thread_pop_cleanup();
-#if defined(__clang__)
-#pragma clang diagnostic pop
-#endif
-
- async_thrd_cleanup(addr_ctx);
+ addr_ctx_unlink(&addr_ctx, NULL);
return 0;
}
@@ -381,12 +338,12 @@ static void async_thrdd_destroy(struct Curl_easy *data)
CURL_TRC_DNS(data, "async_thrdd_destroy, thread joined");
}
else {
- /* thread is still running. Detach the thread while mutexed, it will
- * trigger the cleanup when it releases its reference. */
+ /* thread is still running. Detach it. */
Curl_thread_destroy(&addr->thread_hnd);
CURL_TRC_DNS(data, "async_thrdd_destroy, thread detached");
}
}
+ /* release our reference to the shared context */
addr_ctx_unlink(&thrdd->addr, data);
}
@@ -532,10 +489,12 @@ static void async_thrdd_shutdown(struct Curl_easy *data)
done = addr_ctx->thrd_done;
Curl_mutex_release(&addr_ctx->mutx);
- DEBUGASSERT(addr_ctx->thread_hnd != curl_thread_t_null);
- if(!done && (addr_ctx->thread_hnd != curl_thread_t_null)) {
- CURL_TRC_DNS(data, "cancelling resolve thread");
- (void)Curl_thread_cancel(&addr_ctx->thread_hnd);
+ /* Wait for the thread to terminate if it is already marked done. If it is
+ not done yet we cannot do anything here. We had tried pthread_cancel but
+ it caused hanging and resource leaks (#18532). */
+ if(done && (addr_ctx->thread_hnd != curl_thread_t_null)) {
+ Curl_thread_join(&addr_ctx->thread_hnd);
+ CURL_TRC_DNS(data, "async_thrdd_shutdown, thread joined");
}
}
@@ -553,9 +512,11 @@ static CURLcode asyn_thrdd_await(struct Curl_easy *data,
if(!entry)
async_thrdd_shutdown(data);
- CURL_TRC_DNS(data, "resolve, wait for thread to finish");
- if(!Curl_thread_join(&addr_ctx->thread_hnd)) {
- DEBUGASSERT(0);
+ if(addr_ctx->thread_hnd != curl_thread_t_null) {
+ CURL_TRC_DNS(data, "resolve, wait for thread to finish");
+ if(!Curl_thread_join(&addr_ctx->thread_hnd)) {
+ DEBUGASSERT(0);
+ }
}
if(entry)
--- a/lib/curl_threads.c
+++ b/lib/curl_threads.c
@@ -100,34 +100,6 @@ int Curl_thread_join(curl_thread_t *hnd)
return ret;
}
-/* do not use pthread_cancel if:
- * - pthread_cancel seems to be absent
- * - on FreeBSD, as we see hangers in CI testing
- * - this is a -fsanitize=thread build
- * (clang sanitizer reports false positive when functions to not return)
- */
-#if defined(PTHREAD_CANCEL_ENABLE) && !defined(__FreeBSD__)
-#if defined(__has_feature)
-# if !__has_feature(thread_sanitizer)
-#define USE_PTHREAD_CANCEL
-# endif
-#else /* __has_feature */
-#define USE_PTHREAD_CANCEL
-#endif /* !__has_feature */
-#endif /* PTHREAD_CANCEL_ENABLE && !__FreeBSD__ */
-
-int Curl_thread_cancel(curl_thread_t *hnd)
-{
- (void)hnd;
- if(*hnd != curl_thread_t_null)
-#ifdef USE_PTHREAD_CANCEL
- return pthread_cancel(**hnd);
-#else
- return 1; /* not supported */
-#endif
- return 0;
-}
-
#elif defined(USE_THREADS_WIN32)
curl_thread_t Curl_thread_create(CURL_THREAD_RETURN_T
@@ -182,12 +154,4 @@ int Curl_thread_join(curl_thread_t *hnd)
return ret;
}
-int Curl_thread_cancel(curl_thread_t *hnd)
-{
- if(*hnd != curl_thread_t_null) {
- return 1; /* not supported */
- }
- return 0;
-}
-
#endif /* USE_THREADS_* */
--- a/lib/curl_threads.h
+++ b/lib/curl_threads.h
@@ -66,22 +66,6 @@ void Curl_thread_destroy(curl_thread_t *hnd);
int Curl_thread_join(curl_thread_t *hnd);
-int Curl_thread_cancel(curl_thread_t *hnd);
-
-#if defined(USE_THREADS_POSIX) && defined(PTHREAD_CANCEL_ENABLE)
-#define Curl_thread_push_cleanup(a,b) pthread_cleanup_push(a,b)
-#define Curl_thread_pop_cleanup() pthread_cleanup_pop(0)
-#define Curl_thread_enable_cancel() \
- pthread_setcancelstate(PTHREAD_CANCEL_ENABLE, NULL)
-#define Curl_thread_disable_cancel() \
- pthread_setcancelstate(PTHREAD_CANCEL_DISABLE, NULL)
-#else
-#define Curl_thread_push_cleanup(a,b) ((void)a,(void)b)
-#define Curl_thread_pop_cleanup() Curl_nop_stmt
-#define Curl_thread_enable_cancel() Curl_nop_stmt
-#define Curl_thread_disable_cancel() Curl_nop_stmt
-#endif
-
#endif /* USE_THREADS_POSIX || USE_THREADS_WIN32 */
#endif /* HEADER_CURL_THREADS_H */
--- a/lib/hostip.c
+++ b/lib/hostip.c
@@ -1132,10 +1132,6 @@ CURLcode Curl_resolv_timeout(struct Curl_easy *data,
prev_alarm = alarm(curlx_sltoui(timeout/1000L));
}
-#ifdef DEBUGBUILD
- Curl_resolve_test_delay();
-#endif
-
#else /* !USE_ALARM_TIMEOUT */
#ifndef CURLRES_ASYNCH
if(timeoutms)
@@ -1639,18 +1635,3 @@ CURLcode Curl_resolver_error(struct Curl_easy *data, const char *detail)
return result;
}
#endif /* USE_CURL_ASYNC */
-
-#ifdef DEBUGBUILD
-#include "curlx/wait.h"
-
-void Curl_resolve_test_delay(void)
-{
- const char *p = getenv("CURL_DNS_DELAY_MS");
- if(p) {
- curl_off_t l;
- if(!curlx_str_number(&p, &l, TIME_T_MAX) && l) {
- curlx_wait_ms((timediff_t)l);
- }
- }
-}
-#endif
--- a/lib/hostip.h
+++ b/lib/hostip.h
@@ -216,8 +216,4 @@ struct Curl_addrinfo *Curl_sync_getaddrinfo(struct Curl_easy *data,
#endif
-#ifdef DEBUGBUILD
-void Curl_resolve_test_delay(void);
-#endif
-
#endif /* HEADER_CURL_HOSTIP_H */
--- a/tests/data/Makefile.am
+++ b/tests/data/Makefile.am
@@ -112,7 +112,7 @@ test754 test755 test756 test757 test758 test759 test760 test761 test762 \
test763 \
\
test780 test781 test782 test783 test784 test785 test786 test787 test788 \
-test789 test790 test791 test792 test793 test794 test795 test796 test797 \
+test789 test790 test791 test792 test793 test794 test796 test797 \
\
test799 test800 test801 test802 test803 test804 test805 test806 test807 \
test808 test809 test810 test811 test812 test813 test814 test815 test816 \
--- a/tests/data/test795
+++ /dev/null
@@ -1,36 +0,0 @@
-<testcase>
-<info>
-<keywords>
-DNS
-</keywords>
-</info>
-
-# Client-side
-<client>
-<features>
-http
-Debug
-!c-ares
-!win32
-</features>
-<name>
-Delayed resolve --connect-timeout check
-</name>
-<setenv>
-CURL_DNS_DELAY_MS=5000
-</setenv>
-<command>
-http://test.invalid -v --no-progress-meter --trace-config dns --connect-timeout 1 -w \%{time_total}
-</command>
-</client>
-
-# Verify data after the test has been "shot"
-<verify>
-<errorcode>
-28
-</errorcode>
-<postcheck>
-%SRCDIR/libtest/test795.pl %LOGDIR/stdout%TESTNUMBER 2 >> %LOGDIR/stderr%TESTNUMBER
-</postcheck>
-</verify>
-</testcase>
--- a/tests/libtest/Makefile.am
+++ b/tests/libtest/Makefile.am
@@ -42,7 +42,7 @@ AM_CPPFLAGS = -I$(top_srcdir)/include \
include Makefile.inc
EXTRA_DIST = CMakeLists.txt $(FIRST_C) $(FIRST_H) $(UTILS_C) $(UTILS_H) $(TESTS_C) \
- test307.pl test610.pl test613.pl test795.pl test1013.pl test1022.pl mk-lib1521.pl
+ test307.pl test610.pl test613.pl test1013.pl test1022.pl mk-lib1521.pl
CFLAGS += @CURL_CFLAG_EXTRAS@
--- a/tests/libtest/test795.pl
+++ /dev/null
@@ -1,46 +0,0 @@
-#!/usr/bin/env perl
-#***************************************************************************
-# _ _ ____ _
-# Project ___| | | | _ \| |
-# / __| | | | |_) | |
-# | (__| |_| | _ <| |___
-# \___|\___/|_| \_\_____|
-#
-# Copyright (C) Daniel Stenberg, <daniel@haxx.se>, et al.
-#
-# This software is licensed as described in the file COPYING, which
-# you should have received as part of this distribution. The terms
-# are also available at https://curl.se/docs/copyright.html.
-#
-# You may opt to use, copy, modify, merge, publish, distribute and/or sell
-# copies of the Software, and permit persons to whom the Software is
-# furnished to do so, under the terms of the COPYING file.
-#
-# This software is distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY
-# KIND, either express or implied.
-#
-# SPDX-License-Identifier: curl
-#
-###########################################################################
-use strict;
-use warnings;
-
-my $ok = 1;
-my $exp_duration = $ARGV[1] + 0.0;
-
-# Read the output of curl --version
-open(F, $ARGV[0]) || die "Can't open test result from $ARGV[0]\n";
-$_ = <F>;
-chomp;
-/\s*([\.\d]+)\s*/;
-my $duration = $1 + 0.0;
-close F;
-
-if ($duration <= $exp_duration) {
- print "OK: duration of $duration in expected range\n";
- $ok = 0;
-}
-else {
- print "FAILED: duration of $duration is larger than $exp_duration\n";
-}
-exit $ok;


@ -1,63 +0,0 @@
https://github.com/curl/curl/commit/f7cac7cc07a45481b246c875e8113d741ba2a6e1
From: Daniel Stenberg <daniel@haxx.se>
Date: Sun, 14 Sep 2025 23:28:03 +0200
Subject: [PATCH] setopt: accept *_SSL_VERIFYHOST set to 2L
... without outputing a verbose message about it. In the early days we
had 2L and 1L have different functionalities.
Reported-by: Jicea
Bug: https://curl.se/mail/lib-2025-09/0031.html
Closes #18547
--- a/lib/setopt.c
+++ b/lib/setopt.c
@@ -443,6 +443,7 @@ static CURLcode setopt_bool(struct Curl_easy *data, CURLoption option,
long arg, bool *set)
{
bool enabled = !!arg;
+ int ok = 1;
struct UserDefined *s = &data->set;
switch(option) {
case CURLOPT_FORBID_REUSE:
@@ -619,7 +620,7 @@ static CURLcode setopt_bool(struct Curl_easy *data, CURLoption option,
* Enable verification of the hostname in the peer certificate for proxy
*/
s->proxy_ssl.primary.verifyhost = enabled;
-
+ ok = 2;
/* Update the current connection proxy_ssl_config. */
Curl_ssl_conn_config_update(data, TRUE);
break;
@@ -723,6 +724,7 @@ static CURLcode setopt_bool(struct Curl_easy *data, CURLoption option,
* Enable verification of the hostname in the peer certificate for DoH
*/
s->doh_verifyhost = enabled;
+ ok = 2;
break;
case CURLOPT_DOH_SSL_VERIFYSTATUS:
/*
@@ -732,6 +734,7 @@ static CURLcode setopt_bool(struct Curl_easy *data, CURLoption option,
return CURLE_NOT_BUILT_IN;
s->doh_verifystatus = enabled;
+ ok = 2;
break;
#endif /* ! CURL_DISABLE_DOH */
case CURLOPT_SSL_VERIFYHOST:
@@ -743,6 +746,7 @@ static CURLcode setopt_bool(struct Curl_easy *data, CURLoption option,
this argument took a boolean when it was not and misused it.
Treat 1 and 2 the same */
s->ssl.primary.verifyhost = enabled;
+ ok = 2;
/* Update the current connection ssl_config. */
Curl_ssl_conn_config_update(data, FALSE);
@@ -844,7 +848,7 @@ static CURLcode setopt_bool(struct Curl_easy *data, CURLoption option,
default:
return CURLE_OK;
}
- if((arg > 1) || (arg < 0))
+ if((arg > ok) || (arg < 0))
/* reserve other values for future use */
infof(data, "boolean setopt(%d) got unsupported argument %ld,"
" treated as %d", option, arg, enabled);


@ -1,289 +0,0 @@
https://github.com/curl/curl/pull/19408
From f36ab2dd6f33b9a9c069a034cf4f1451006d0f21 Mon Sep 17 00:00:00 2001
From: Stefan Eissing <stefan@eissing.org>
Date: Sat, 8 Nov 2025 14:28:38 +0100
Subject: [PATCH 1/4] fix --capath use
A regression in curl 8.17.0 led to a customer CAPATH set by the application
(or the curl command) to be ignored unless licurl was built with a default
CAPATH.
Add test cases using `--capath` on the custom pytest CA, generated with
the help of the openssl command when available.
refs #19401
---
lib/vtls/vtls.c | 4 ++--
tests/http/test_17_ssl_use.py | 23 +++++++++++++++++++++++
tests/http/testenv/certs.py | 16 ++++++++++++++++
tests/http/testenv/curl.py | 3 ++-
tests/http/testenv/env.py | 20 ++++++++++++++++++++
5 files changed, 63 insertions(+), 3 deletions(-)
diff --git a/lib/vtls/vtls.c b/lib/vtls/vtls.c
index 3b7a095c8b75..3858cad98312 100644
--- a/lib/vtls/vtls.c
+++ b/lib/vtls/vtls.c
@@ -310,7 +310,6 @@ CURLcode Curl_ssl_easy_config_complete(struct Curl_easy *data)
if(result)
return result;
}
- sslc->primary.CApath = data->set.str[STRING_SSL_CAPATH];
#endif
#ifdef CURL_CA_BUNDLE
if(!sslc->custom_cafile && !set->str[STRING_SSL_CAFILE]) {
@@ -322,6 +321,7 @@ CURLcode Curl_ssl_easy_config_complete(struct Curl_easy *data)
}
sslc->primary.CAfile = data->set.str[STRING_SSL_CAFILE];
sslc->primary.CRLfile = data->set.str[STRING_SSL_CRLFILE];
+ sslc->primary.CApath = data->set.str[STRING_SSL_CAPATH];
sslc->primary.issuercert = data->set.str[STRING_SSL_ISSUERCERT];
sslc->primary.issuercert_blob = data->set.blobs[BLOB_SSL_ISSUERCERT];
sslc->primary.cipher_list = data->set.str[STRING_SSL_CIPHER_LIST];
@@ -358,7 +358,6 @@ CURLcode Curl_ssl_easy_config_complete(struct Curl_easy *data)
if(result)
return result;
}
- sslc->primary.CApath = data->set.str[STRING_SSL_CAPATH_PROXY];
#endif
#ifdef CURL_CA_BUNDLE
if(!sslc->custom_cafile && !set->str[STRING_SSL_CAFILE_PROXY]) {
@@ -370,6 +369,7 @@ CURLcode Curl_ssl_easy_config_complete(struct Curl_easy *data)
#endif
}
sslc->primary.CAfile = data->set.str[STRING_SSL_CAFILE_PROXY];
+ sslc->primary.CApath = data->set.str[STRING_SSL_CAPATH_PROXY];
sslc->primary.cipher_list = data->set.str[STRING_SSL_CIPHER_LIST_PROXY];
sslc->primary.cipher_list13 = data->set.str[STRING_SSL_CIPHER13_LIST_PROXY];
sslc->primary.pinned_key = data->set.str[STRING_SSL_PINNEDPUBLICKEY_PROXY];
diff --git a/tests/http/test_17_ssl_use.py b/tests/http/test_17_ssl_use.py
index 57e1c014042b..20b6fdaef18b 100644
--- a/tests/http/test_17_ssl_use.py
+++ b/tests/http/test_17_ssl_use.py
@@ -597,3 +597,26 @@ def test_17_20_correct_pin(self, env: Env, proto, httpd):
])
# expect NOT_IMPLEMENTED or OK
assert r.exit_code in [0, 2], f'{r.dump_logs()}'
+
+ @pytest.mark.skipif(condition=not Env.have_openssl(), reason="needs openssl command")
+ def test_17_21_capath_valid(self, env: Env, httpd):
+ proto = 'http/1.1'
+ curl = CurlClient(env=env)
+ url = f'https://{env.authority_for(env.domain1, proto)}/curltest/sslinfo'
+ r = curl.http_get(url=url, alpn_proto=proto, extra_args=[
+ '--capath', os.path.join(env.gen_dir, 'ca/hashdir')
+ ])
+ assert r.exit_code == 0, f'{r.dump_logs()}'
+ assert r.json['HTTPS'] == 'on', f'{r.json}'
+
+ @pytest.mark.skipif(condition=not Env.have_openssl(), reason="needs openssl command")
+ def test_17_22_capath_invalid(self, env: Env, httpd):
+ proto = 'http/1.1'
+ curl = CurlClient(env=env)
+ url = f'https://{env.authority_for(env.domain1, proto)}/curltest/sslinfo'
+ r = curl.http_get(url=url, alpn_proto=proto, extra_args=[
+ '--capath', os.path.join(env.gen_dir, 'ca/invalid')
+ ])
+ # CURLE_PEER_FAILED_VERIFICATION
+ assert r.exit_code == 60, f'{r.dump_logs()}'
+
diff --git a/tests/http/testenv/certs.py b/tests/http/testenv/certs.py
index e59b1ea147e1..c9a30aaac065 100644
--- a/tests/http/testenv/certs.py
+++ b/tests/http/testenv/certs.py
@@ -28,6 +28,8 @@
import ipaddress
import os
import re
+import shutil
+import subprocess
from datetime import timedelta, datetime, timezone
from typing import List, Any, Optional
@@ -200,6 +202,10 @@ def pkey_file(self) -> Optional[str]:
def combined_file(self) -> Optional[str]:
return self._combined_file
+ @property
+ def hashdir(self) -> Optional[str]:
+ return os.path.join(self._store.path, 'hashdir')
+
def get_first(self, name) -> Optional['Credentials']:
creds = self._store.get_credentials_for_name(name) if self._store else []
return creds[0] if len(creds) else None
@@ -236,6 +242,16 @@ def issue_cert(self, spec: CertificateSpec,
creds.issue_certs(spec.sub_specs, chain=subchain)
return creds
+ def create_hashdir(self, openssl):
+ os.makedirs(self.hashdir, exist_ok=True)
+ p = subprocess.run(args=[
+ openssl, 'x509', '-hash', '-noout', '-in', self.cert_file
+ ], capture_output=True, text=True)
+ if p.returncode != 0:
+ raise Exception(f'openssl failed to compute cert hash: {p}')
+ cert_hname = f'{p.stdout.strip()}.0'
+ shutil.copy(self.cert_file, os.path.join(self.hashdir, cert_hname))
+
class CertStore:
diff --git a/tests/http/testenv/curl.py b/tests/http/testenv/curl.py
index dc885ab8cba9..a92e4f681f34 100644
--- a/tests/http/testenv/curl.py
+++ b/tests/http/testenv/curl.py
@@ -987,7 +987,8 @@ def _complete_args(self, urls, timeout=None, options=None,
pass
elif insecure:
args.append('--insecure')
- elif active_options and "--cacert" in active_options:
+ elif active_options and ("--cacert" in active_options or \
+ "--capath" in active_options):
pass
elif u.hostname:
args.extend(["--cacert", self.env.ca.cert_file])
diff --git a/tests/http/testenv/env.py b/tests/http/testenv/env.py
index ff8741530b70..859b704a35a3 100644
--- a/tests/http/testenv/env.py
+++ b/tests/http/testenv/env.py
@@ -199,6 +199,16 @@ def __init__(self, pytestconfig: Optional[pytest.Config] = None,
]),
]
+ self.openssl = 'openssl'
+ p = subprocess.run(args=[self.openssl, 'version'],
+ capture_output=True, text=True)
+ if p.returncode != 0:
+ # no openssl in path
+ self.openssl = None
+ self.openssl_version = None
+ else:
+ self.openssl_version = p.stdout.strip()
+
self.nghttpx = self.config['nghttpx']['nghttpx']
if len(self.nghttpx.strip()) == 0:
self.nghttpx = None
@@ -372,6 +382,10 @@ def setup_incomplete() -> bool:
def incomplete_reason() -> Optional[str]:
return Env.CONFIG.get_incomplete_reason()
+ @staticmethod
+ def have_openssl() -> bool:
+ return Env.CONFIG.openssl is not None
+
@staticmethod
def have_nghttpx() -> bool:
return Env.CONFIG.nghttpx is not None
@@ -548,6 +562,8 @@ def issue_certs(self):
store_dir=ca_dir,
key_type="rsa2048")
self._ca.issue_certs(self.CONFIG.cert_specs)
+ if self.have_openssl():
+ self._ca.create_hashdir(self.openssl)
def setup(self):
os.makedirs(self.gen_dir, exist_ok=True)
@@ -703,6 +719,10 @@ def ws_port(self) -> int:
def curl(self) -> str:
return self.CONFIG.curl
+ @property
+ def openssl(self) -> Optional[str]:
+ return self.CONFIG.openssl
+
@property
def httpd(self) -> str:
return self.CONFIG.httpd
From 02a595146a0bd3036f653ec48d5bfc9a0187ab75 Mon Sep 17 00:00:00 2001
From: Stefan Eissing <stefan@eissing.org>
Date: Sat, 8 Nov 2025 14:37:22 +0100
Subject: [PATCH 2/4] use correct hashdir
---
tests/http/test_17_ssl_use.py | 3 +--
1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/tests/http/test_17_ssl_use.py b/tests/http/test_17_ssl_use.py
index 20b6fdaef18b..0019bb1239d2 100644
--- a/tests/http/test_17_ssl_use.py
+++ b/tests/http/test_17_ssl_use.py
@@ -604,7 +604,7 @@ def test_17_21_capath_valid(self, env: Env, httpd):
curl = CurlClient(env=env)
url = f'https://{env.authority_for(env.domain1, proto)}/curltest/sslinfo'
r = curl.http_get(url=url, alpn_proto=proto, extra_args=[
- '--capath', os.path.join(env.gen_dir, 'ca/hashdir')
+ '--capath', env.ca.hashdir
])
assert r.exit_code == 0, f'{r.dump_logs()}'
assert r.json['HTTPS'] == 'on', f'{r.json}'
@@ -619,4 +619,3 @@ def test_17_22_capath_invalid(self, env: Env, httpd):
])
# CURLE_PEER_FAILED_VERIFICATION
assert r.exit_code == 60, f'{r.dump_logs()}'
-
From 5a952c670b0cf6e5735c2178014600af062390c4 Mon Sep 17 00:00:00 2001
From: Stefan Eissing <stefan@eissing.org>
Date: Sat, 8 Nov 2025 14:50:23 +0100
Subject: [PATCH 3/4] test_17_21 skip for rustls test_17_22 accept error 77 as
well
---
tests/http/test_17_ssl_use.py | 8 ++++++--
1 file changed, 6 insertions(+), 2 deletions(-)
diff --git a/tests/http/test_17_ssl_use.py b/tests/http/test_17_ssl_use.py
index 0019bb1239d2..76f20080b3d6 100644
--- a/tests/http/test_17_ssl_use.py
+++ b/tests/http/test_17_ssl_use.py
@@ -600,6 +600,8 @@ def test_17_20_correct_pin(self, env: Env, proto, httpd):
@pytest.mark.skipif(condition=not Env.have_openssl(), reason="needs openssl command")
def test_17_21_capath_valid(self, env: Env, httpd):
+ if env.curl_uses_lib('rustls'):
+ pytest.skip('rustls does not support CURLOPT_CAPATH')
proto = 'http/1.1'
curl = CurlClient(env=env)
url = f'https://{env.authority_for(env.domain1, proto)}/curltest/sslinfo'
@@ -611,11 +613,13 @@ def test_17_21_capath_valid(self, env: Env, httpd):
@pytest.mark.skipif(condition=not Env.have_openssl(), reason="needs openssl command")
def test_17_22_capath_invalid(self, env: Env, httpd):
+ # we can test all TLS backends here. the ones not supporting CAPATH
+ # need to fail as well as the ones which do, but get an invalid path.
proto = 'http/1.1'
curl = CurlClient(env=env)
url = f'https://{env.authority_for(env.domain1, proto)}/curltest/sslinfo'
r = curl.http_get(url=url, alpn_proto=proto, extra_args=[
'--capath', os.path.join(env.gen_dir, 'ca/invalid')
])
- # CURLE_PEER_FAILED_VERIFICATION
- assert r.exit_code == 60, f'{r.dump_logs()}'
+ # CURLE_PEER_FAILED_VERIFICATION or CURLE_SSL_CACERT_BADFILE
+ assert r.exit_code in [60, 77], f'{r.dump_logs()}'
From 10d57fbbe4c1036780d36feed6f55a87307c6e25 Mon Sep 17 00:00:00 2001
From: Stefan Eissing <stefan@eissing.org>
Date: Sat, 8 Nov 2025 14:58:25 +0100
Subject: [PATCH 4/4] use 'rustls-ffi' to check for rustsls backend
---
tests/http/test_17_ssl_use.py | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/tests/http/test_17_ssl_use.py b/tests/http/test_17_ssl_use.py
index 76f20080b3d6..615658f06c01 100644
--- a/tests/http/test_17_ssl_use.py
+++ b/tests/http/test_17_ssl_use.py
@@ -600,7 +600,7 @@ def test_17_20_correct_pin(self, env: Env, proto, httpd):
@pytest.mark.skipif(condition=not Env.have_openssl(), reason="needs openssl command")
def test_17_21_capath_valid(self, env: Env, httpd):
- if env.curl_uses_lib('rustls'):
+ if env.curl_uses_lib('rustls-ffi'):
pytest.skip('rustls does not support CURLOPT_CAPATH')
proto = 'http/1.1'
curl = CurlClient(env=env)


@ -1,54 +0,0 @@
https://github.com/curl/curl/pull/19383
From a5038ff41f83907c896a41716f4f78a80a144cd1 Mon Sep 17 00:00:00 2001
From: Stefan Eissing <stefan@eissing.org>
Date: Thu, 6 Nov 2025 12:47:33 +0100
Subject: [PATCH] curl: fix progress meter in parallel mode
With `check_finished()` triggered by notifications now, the
`progress_meter()` was no longer called at regular intervals.
Move `progress_meter()` out of `check_finishe()` into the perform
loop and event callbacks.
---
src/tool_operate.c | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/src/tool_operate.c b/src/tool_operate.c
index 74f5da5fa915..e1f61a2ba519 100644
--- a/src/tool_operate.c
+++ b/src/tool_operate.c
@@ -1549,6 +1549,7 @@ static void on_uv_socket(uv_poll_t *req, int status, int events)
curl_multi_socket_action(c->uv->s->multi, c->sockfd, flags,
&c->uv->s->still_running);
+ progress_meter(c->uv->s->multi, &c->uv->s->start, FALSE);
}
/* callback from libuv when timeout expires */
@@ -1561,6 +1562,7 @@ static void on_uv_timeout(uv_timer_t *req)
if(uv && uv->s) {
curl_multi_socket_action(uv->s->multi, CURL_SOCKET_TIMEOUT, 0,
&uv->s->still_running);
+ progress_meter(uv->s->multi, &uv->s->start, FALSE);
}
}
@@ -1733,7 +1735,6 @@ static CURLcode check_finished(struct parastate *s)
int rc;
CURLMsg *msg;
bool checkmore = FALSE;
- progress_meter(s->multi, &s->start, FALSE);
do {
msg = curl_multi_info_read(s->multi, &rc);
if(msg) {
@@ -1875,6 +1876,8 @@ static CURLcode parallel_transfers(CURLSH *share)
s->mcode = curl_multi_poll(s->multi, NULL, 0, 1000, NULL);
if(!s->mcode)
s->mcode = curl_multi_perform(s->multi, &s->still_running);
+
+ progress_meter(s->multi, &s->start, FALSE);
}
(void)progress_meter(s->multi, &s->start, TRUE);


@ -1,27 +0,0 @@
https://bugs.gentoo.org/966140
https://github.com/curl/wcurl/commit/65546bae0164a97d89d42176e366d9c7c7796261
From 65546bae0164a97d89d42176e366d9c7c7796261 Mon Sep 17 00:00:00 2001
From: Xi Ruoyao <xry111@xry111.site>
Date: Sun, 9 Nov 2025 14:30:34 +0800
Subject: [PATCH] wcurl: Really fix CVE-2025-11563
When we pass a string to is_safe_percent_encode, it always begins with
"%'. But the lookup table UNSAFE_PERCENT_ENCODE does not contain "%" so
nothing can be matched.
Also update the test suite to fix the false positive.
Signed-off-by: Xi Ruoyao <xry111@xry111.site>
--- a/scripts/wcurl
+++ b/scripts/wcurl
@@ -118,7 +118,7 @@ readonly PER_URL_PARAMETERS="\
# characters.
# 2F = /
# 5C = \
-readonly UNSAFE_PERCENT_ENCODE="2F 5C"
+readonly UNSAFE_PERCENT_ENCODE="%2F %5C"
# Whether to invoke curl or not.
DRY_RUN="false"


@ -0,0 +1,191 @@
diff -Naurp curl-8.16.0/CMake/FindGSS.cmake curl-8.16.0_orig/CMake/FindGSS.cmake
--- curl-8.16.0/CMake/FindGSS.cmake 2025-11-11 10:04:08.786293188 +0000
+++ curl-8.16.0/CMake/FindGSS.cmake 2025-11-11 09:54:12.223957480 +0000
@@ -37,6 +37,7 @@
set(_gnu_modname "gss")
set(_mit_modname "mit-krb5-gssapi")
+set(_heimdal_modname "heimdal-gssapi")
include(CheckIncludeFile)
include(CheckIncludeFiles)
@@ -51,7 +52,7 @@ set(_gss_LIBRARY_DIRS "")
if(NOT GSS_ROOT_DIR AND NOT "$ENV{GSS_ROOT_DIR}")
if(CURL_USE_PKGCONFIG)
find_package(PkgConfig QUIET)
- pkg_search_module(_gss ${_gnu_modname} ${_mit_modname})
+ pkg_search_module(_gss ${_gnu_modname} ${_mit_modname} ${_heimdal_modname})
list(APPEND _gss_root_hints "${_gss_PREFIX}")
set(_gss_version "${_gss_VERSION}")
endif()
@@ -139,8 +140,14 @@ if(NOT _gss_FOUND) # Not found by pkg-c
OUTPUT_STRIP_TRAILING_WHITESPACE)
# Older versions may not have the "--vendor" parameter. In this case we just do not care.
- if(NOT _gss_configure_failed AND NOT _gss_vendor MATCHES "Heimdal|heimdal")
- set(_gss_flavour "MIT") # assume a default, should not really matter
+ if(_gss_configure_failed)
+ set(_gss_flavour "Heimdal") # most probably, should not really matter
+ else()
+ if(_gss_vendor MATCHES "Heimdal|heimdal")
+ set(_gss_flavour "Heimdal")
+ else()
+ set(_gss_flavour "MIT")
+ endif()
endif()
else() # Either there is no config script or we are on a platform that does not provide one (Windows?)
@@ -149,30 +156,46 @@ if(NOT _gss_FOUND) # Not found by pkg-c
cmake_push_check_state()
list(APPEND CMAKE_REQUIRED_INCLUDES "${_gss_INCLUDE_DIRS}")
check_include_files("gssapi/gssapi_generic.h;gssapi/gssapi_krb5.h" _gss_have_mit_headers)
- cmake_pop_check_state()
if(_gss_have_mit_headers)
set(_gss_flavour "MIT")
if(WIN32)
if(CMAKE_SIZEOF_VOID_P EQUAL 8)
list(APPEND _gss_libdir_suffixes "lib/AMD64")
set(_gss_libname "gssapi64")
else()
list(APPEND _gss_libdir_suffixes "lib/i386")
set(_gss_libname "gssapi32")
endif()
else()
list(APPEND _gss_libdir_suffixes "lib" "lib64") # those suffixes are not checked for HINTS
set(_gss_libname "gssapi_krb5")
endif()
+ else()
+ # Prevent compiling the header - just check if we can include it
+ list(APPEND CMAKE_REQUIRED_DEFINITIONS "-D__ROKEN_H__")
+ check_include_file("roken.h" _gss_have_roken_h)
+
+ check_include_file("heimdal/roken.h" _gss_have_heimdal_roken_h)
+ if(_gss_have_roken_h OR _gss_have_heimdal_roken_h)
+ set(_gss_flavour "Heimdal")
+ endif()
endif()
+ cmake_pop_check_state()
else()
- find_path(_gss_INCLUDE_DIRS NAMES "gss.h" HINTS ${_gss_root_hints} PATH_SUFFIXES "include")
if(_gss_INCLUDE_DIRS)
- set(_gss_flavour "GNU")
- set(_gss_pc_requires ${_gnu_modname})
- set(_gss_libname "gss")
+ set(_gss_flavour "Heimdal")
+ set(_gss_pc_requires ${_heimdal_modname})
+ set(_gss_libname "libgssapi")
+ else()
+ find_path(_gss_INCLUDE_DIRS NAMES "gss.h" HINTS ${_gss_root_hints} PATH_SUFFIXES "include")
+
+ if(_gss_INCLUDE_DIRS)
+ set(_gss_flavour "GNU")
+ set(_gss_pc_requires ${_gnu_modname})
+ set(_gss_libname "gss")
+ endif()
endif()
endif()
@@ -189,9 +210,6 @@ if(NOT _gss_FOUND) # Not found by pkg-c
find_library(_gss_LIBRARIES NAMES ${_gss_libname} HINTS ${_gss_libdir_hints} PATH_SUFFIXES ${_gss_libdir_suffixes})
endif()
endif()
- if(NOT _gss_flavour)
- message(FATAL_ERROR "GNU or MIT GSS is required")
- endif()
else()
# _gss_MODULE_NAME set since CMake 3.16.
# _pkg_check_modules_pkg_name is undocumented and used as a fallback for CMake <3.16 versions.
@@ -202,15 +226,33 @@ else()
set(_gss_flavour "MIT")
set(_gss_pc_requires ${_mit_modname})
else()
- message(FATAL_ERROR "GNU or MIT GSS is required")
+ set(_gss_flavour "Heimdal")
+ set(_gss_pc_requires ${_heimdal_modname})
endif()
message(STATUS "Found GSS/${_gss_flavour} (via pkg-config): ${_gss_INCLUDE_DIRS} (found version \"${_gss_version}\")")
endif()
set(GSS_VERSION ${_gss_version})
-if(NOT GSS_VERSION)
- if(_gss_flavour STREQUAL "MIT")
+if(_gss_flavour)
+ if(NOT GSS_VERSION AND _gss_flavour STREQUAL "Heimdal")
+ if(CMAKE_SIZEOF_VOID_P EQUAL 8)
+ set(_heimdal_manifest_file "Heimdal.Application.amd64.manifest")
+ else()
+ set(_heimdal_manifest_file "Heimdal.Application.x86.manifest")
+ endif()
+
+ if(EXISTS "${_gss_INCLUDE_DIRS}/${_heimdal_manifest_file}")
+ file(STRINGS "${_gss_INCLUDE_DIRS}/${_heimdal_manifest_file}" _heimdal_version_str
+ REGEX "^.*version=\"[0-9]\\.[^\"]+\".*$")
+
+ string(REGEX MATCH "[0-9]\\.[^\"]+" GSS_VERSION "${_heimdal_version_str}")
+ endif()
+
+ if(NOT GSS_VERSION)
+ set(GSS_VERSION "Heimdal Unknown")
+ endif()
+ elseif(NOT GSS_VERSION AND _gss_flavour STREQUAL "MIT")
if(CMAKE_VERSION VERSION_GREATER_EQUAL 3.24)
cmake_host_system_information(RESULT _mit_version QUERY WINDOWS_REGISTRY
"HKLM/SOFTWARE/MIT/Kerberos/SDK/CurrentVersion" VALUE "VersionString")
@@ -223,7 +339,7 @@ if(NOT GSS_VERSION)
else()
set(GSS_VERSION "MIT Unknown")
endif()
- else() # GNU
+ elseif(NOT GSS_VERSION AND _gss_flavour STREQUAL "GNU")
if(_gss_INCLUDE_DIRS AND EXISTS "${_gss_INCLUDE_DIRS}/gss.h")
set(_version_regex "#[\t ]*define[\t ]+GSS_VERSION[\t ]+\"([^\"]*)\"")
file(STRINGS "${_gss_INCLUDE_DIRS}/gss.h" _version_str REGEX "${_version_regex}")
diff -Naurp curl-8.16.0/configure.ac curl-8.16.0_orig/configure.ac
--- curl-8.16.0/configure.ac 2025-11-11 08:59:46.795915379 +0000
+++ curl-8.16.0/configure.ac 2025-11-11 08:57:58.852575571 +0000
@@ -1860,14 +1860,21 @@ if test x"$want_gss" = xyes; then
gnu_gss=yes
],
[
- dnl not found, check for MIT
+ dnl not found, check Heimdal or MIT
AC_CHECK_HEADERS(
[gssapi/gssapi.h gssapi/gssapi_generic.h gssapi/gssapi_krb5.h],
[],
[not_mit=1])
if test "$not_mit" = "1"; then
- dnl MIT not found
- AC_MSG_ERROR([MIT or GNU GSS library required, but not found])
+ dnl MIT not found, check for Heimdal
+ AC_CHECK_HEADER(gssapi.h,
+ [],
+ [
+ dnl no header found, disabling GSS
+ want_gss=no
+ AC_MSG_WARN(disabling GSS-API support since no header files were found)
+ ]
+ )
fi
]
)
@@ -1877,7 +1884,7 @@ fi
if test "$want_gss" = "yes"; then
AC_DEFINE(HAVE_GSSAPI, 1, [if you have GSS-API libraries])
HAVE_GSSAPI=1
- curl_gss_msg="enabled (MIT Kerberos)"
+ curl_gss_msg="enabled (MIT Kerberos/Heimdal)"
link_pkgconfig=''
if test -n "$gnu_gss"; then
@@ -1956,6 +1963,8 @@ if test x"$want_gss" = xyes; then
if test -n "$link_pkgconfig"; then
if test -n "$gnu_gss"; then
LIBCURL_PC_REQUIRES_PRIVATE="$LIBCURL_PC_REQUIRES_PRIVATE gss"
+ elif test "x$not_mit" = "x1"; then
+ LIBCURL_PC_REQUIRES_PRIVATE="$LIBCURL_PC_REQUIRES_PRIVATE heimdal-gssapi"
else
LIBCURL_PC_REQUIRES_PRIVATE="$LIBCURL_PC_REQUIRES_PRIVATE mit-krb5-gssapi"
fi
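Review bot: In the configure.ac hunk of the added patch, the branch taken when neither the MIT nor the Heimdal `gssapi.h` header is found replaces `AC_MSG_ERROR([MIT or GNU GSS library required, but not found])` with `want_gss=no` and an `AC_MSG_WARN`, so a build that explicitly requested GSS-API can now finish without Kerberos support instead of failing; the FindGSS.cmake hunk removes the corresponding `message(FATAL_ERROR "GNU or MIT GSS is required")` in the same way. For an ebuild that wires this to a USE flag, a silently dropped feature is much harder to notice than a configure failure, so either keep the `AC_MSG_ERROR` in that fallback branch or have the ebuild verify after configure that the feature actually ended up enabled. The patch also carries no provenance header (upstream PR/commit URL or bug reference), unlike the other patches in this commit, and its `diff -Naurp` header places the modified tree as `curl-8.16.0_orig` on the `+++` side, which reads as reversed; a one-line header such as `# Heimdal GSS-API detection for CMake and autoconf; upstream status: <UPSTREAM-REFERENCE-PLACEHOLDER>` would help the next maintainer.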


@ -1,35 +0,0 @@
From f18f4362d7ca60fb12248a559dab26aea330771c Mon Sep 17 00:00:00 2001
From: Matt Jolly <kangie@gentoo.org>
Date: Wed, 5 Feb 2025 17:27:11 +1000
Subject: [PATCH] Update prefix patch for 8.12.0
Signed-off-by: Matt Jolly <kangie@gentoo.org>
---
curl-config.in | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/curl-config.in b/curl-config.in
index 55184167b..df31fdb46 100644
--- a/curl-config.in
+++ b/curl-config.in
@@ -141,7 +141,7 @@ while test "$#" -gt 0; do
;;
--cflags)
- if test "X@includedir@" = 'X/usr/include'; then
+ if test "X@includedir@" = "X@GENTOO_PORTAGE_EPREFIX@/usr/include"; then
echo '@LIBCURL_PC_CFLAGS@'
else
echo "@LIBCURL_PC_CFLAGS@ -I@includedir@"
@@ -149,7 +149,7 @@ while test "$#" -gt 0; do
;;
--libs)
- if test "X@libdir@" != 'X/usr/lib' -a "X@libdir@" != 'X/usr/lib64'; then
+ if test "X@libdir@" != "X@GENTOO_PORTAGE_EPREFIX@/usr/lib" -a "X@libdir@" != "X@GENTOO_PORTAGE_EPREFIX@/usr/lib64"; then
curllibdir="-L@libdir@ "
else
curllibdir=''
--
2.48.0


@ -1,29 +0,0 @@
From 05d97da1f669a1486489897128c2374b562ab176 Mon Sep 17 00:00:00 2001
From: Matt Jolly <kangie@gentoo.org>
Date: Tue, 2 Sep 2025 08:41:51 +1000
Subject: [PATCH] Update prefix patch for 8.16.0
Signed-off-by: Matt Jolly <kangie@gentoo.org>
--- a/curl-config.in
+++ b/curl-config.in
@@ -141,7 +141,7 @@ while test "$#" -gt 0; do
;;
--cflags)
- if test "@includedir@" = '/usr/include'; then
+ if test "@includedir@" = "GENTOO_PORTAGE_EPREFIX@/usr/include"; then
echo '@LIBCURL_PC_CFLAGS@'
else
echo "@LIBCURL_PC_CFLAGS@ -I@includedir@"
@@ -149,7 +149,7 @@ while test "$#" -gt 0; do
;;
--libs)
- if test "@libdir@" != '/usr/lib' -a "@libdir@" != '/usr/lib64'; then
+ if test "@libdir@" != "@GENTOO_PORTAGE_EPREFIX@/usr/lib" -a "@libdir@" != "@GENTOO_PORTAGE_EPREFIX@/usr/lib64"; then
curllibdir="-L@libdir@ "
else
curllibdir=''
--
2.50.1