net-misc/curl: Sync with Gentoo

It's from Gentoo commit 26e17dadf436afe670d21bb964780f28d8af7ea1.
2026-05-05 12:16:41 +02:00 · 2025-04-28 07:17:47 +00:00 · 2025-04-28 07:17:47 +00:00 · 3573228984
commit 3573228984
parent fe94fac1bf
9 changed files with 744 additions and 67 deletions
--- a/sdk_container/src/third_party/portage-stable/net-misc/curl/curl-8.13.0-r1.ebuild
+++ b/sdk_container/src/third_party/portage-stable/net-misc/curl/curl-8.13.0-r1.ebuild
@ -0,0 +1,442 @@
+# Copyright 1999-2025 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=8
+
+# Maintainers should subscribe to the 'curl-distros' ML for backports etc
+# https://daniel.haxx.se/blog/2024/03/25/curl-distro-report/
+# https://lists.haxx.se/listinfo/curl-distros
+
+VERIFY_SIG_OPENPGP_KEY_PATH=/usr/share/openpgp-keys/danielstenberg.asc
+inherit autotools multilib-minimal multiprocessing prefix toolchain-funcs verify-sig
+
+DESCRIPTION="A Client that groks URLs"
+HOMEPAGE="https://curl.se/"
+
+if [[ ${PV} == 9999 ]]; then
+	inherit git-r3
+	EGIT_REPO_URI="https://github.com/curl/curl.git"
+else
+	if [[ ${P} == *rc* ]]; then
+		CURL_URI="https://curl.se/rc/"
+		S="${WORKDIR}/${P//_/-}"
+	else
+		CURL_URI="https://curl.se/download/"
+		KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~loong ~m68k ~mips ~ppc ~ppc64 ~riscv ~s390 ~sparc ~x86 ~amd64-linux ~x86-linux ~arm64-macos ~ppc-macos ~x64-macos ~x64-solaris"
+	fi
+	SRC_URI="
+		${CURL_URI}${P//_/-}.tar.xz
+		verify-sig? ( ${CURL_URI}${P//_/-}.tar.xz.asc )
+	"
+fi
+
+LICENSE="BSD curl ISC test? ( BSD-4 )"
+SLOT="0"
+IUSE="+adns +alt-svc brotli debug ech +ftp gnutls gopher +hsts +http2 +http3 +httpsrr idn +imap kerberos ldap"
+IUSE+=" mbedtls +openssl +pop3 +psl +quic rtmp rustls samba sasl-scram +smtp ssh ssl static-libs test"
+IUSE+=" telnet +tftp +websockets zstd"
+# These select the default tls implementation / which quic impl to use
+IUSE+=" +curl_quic_openssl curl_quic_ngtcp2 curl_ssl_gnutls curl_ssl_mbedtls +curl_ssl_openssl curl_ssl_rustls"
+RESTRICT="!test? ( test )"
+
+# HTTPS RR is technically usable with the threaded resolver, but it still uses c-ares to
+# ask for the HTTPS RR record type; if DoH is in use the HTTPS record will be requested
+# in addition to A and AAAA records.
+
+# To simplify dependency management in the ebuild we'll require c-ares for HTTPS RR (for now?).
+# HTTPS RR in cURL is a dependency for:
+# - ECH (requires patched openssl or gnutls currently, enabled with rustls)
+# - Fetching the ALPN list which should provide a better HTTP/3 experience.
+
+# Only one default ssl / quic provider can be enabled
+# The default provider needs its USE satisfied
+# HTTP/3 and MultiSSL are mutually exclusive; it's not clear if MultiSSL offers any benefit at all in the modern day.
+# https://github.com/curl/curl/commit/65ece771f4602107d9cdd339dff4b420280a2c2e
+REQUIRED_USE="
+	ech? ( rustls )
+	httpsrr? ( adns )
+	quic? (
+		^^ (
+			curl_quic_openssl
+			curl_quic_ngtcp2
+		)
+		http3
+		ssl
+	)
+	ssl? (
+		^^ (
+			curl_ssl_gnutls
+			curl_ssl_mbedtls
+			curl_ssl_openssl
+			curl_ssl_rustls
+		)
+	)
+	curl_quic_openssl? (
+		curl_ssl_openssl
+		quic
+		!gnutls
+		!mbedtls
+		!rustls
+	)
+	curl_quic_ngtcp2? (
+		curl_ssl_gnutls
+		quic
+		!mbedtls
+		!openssl
+		!rustls
+	)
+	curl_ssl_gnutls? ( gnutls )
+	curl_ssl_mbedtls? ( mbedtls )
+	curl_ssl_openssl? ( openssl )
+	curl_ssl_rustls? ( rustls )
+	http3? ( alt-svc httpsrr quic )
+"
+
+# cURL's docs and CI/CD are great resources for confirming supported versions
+# particulary for fast-moving targets like HTTP/2 and TCP/2 e.g.:
+# - https://github.com/curl/curl/blob/master/docs/INTERNALS.md (core dependencies + minimum versions)
+# - https://github.com/curl/curl/blob/master/docs/HTTP3.md (example of a feature that moves quickly)
+# - https://github.com/curl/curl/blob/master/.github/workflows/http3-linux.yml (CI/CD for TCP/2)
+# However 'supported' vs 'works' are two entirely different things; be sane but
+# don't be afraid to require a later version.
+# ngtcp2 = https://bugs.gentoo.org/912029 - can only build with one tls backend at a time.
+RDEPEND="
+	>=sys-libs/zlib-1.2.5[${MULTILIB_USEDEP}]
+	adns? ( >=net-dns/c-ares-1.16.0:=[${MULTILIB_USEDEP}] )
+	brotli? ( app-arch/brotli:=[${MULTILIB_USEDEP}] )
+	http2? ( >=net-libs/nghttp2-1.15.0:=[${MULTILIB_USEDEP}] )
+	http3? ( >=net-libs/nghttp3-1.1.0[${MULTILIB_USEDEP}] )
+	idn? ( >=net-dns/libidn2-2.0.0:=[static-libs?,${MULTILIB_USEDEP}] )
+	kerberos? ( >=virtual/krb5-0-r1[${MULTILIB_USEDEP}] )
+	ldap? ( >=net-nds/openldap-2.0.0:=[static-libs?,${MULTILIB_USEDEP}] )
+	psl? ( net-libs/libpsl[${MULTILIB_USEDEP}] )
+	quic? (
+		curl_quic_openssl? ( >=dev-libs/openssl-3.3.0:=[quic,${MULTILIB_USEDEP}] )
+		curl_quic_ngtcp2? ( >=net-libs/ngtcp2-1.2.0[gnutls,ssl,-openssl,${MULTILIB_USEDEP}] )
+	)
+	rtmp? ( media-video/rtmpdump[${MULTILIB_USEDEP}] )
+	ssh? ( >=net-libs/libssh2-1.2.8[${MULTILIB_USEDEP}] )
+	sasl-scram? ( >=net-misc/gsasl-2.2.0[static-libs?,${MULTILIB_USEDEP}] )
+	ssl? (
+		gnutls? (
+			app-misc/ca-certificates
+			>=net-libs/gnutls-3.1.10:=[static-libs?,${MULTILIB_USEDEP}]
+			dev-libs/nettle:=[${MULTILIB_USEDEP}]
+		)
+		mbedtls? (
+			app-misc/ca-certificates
+			net-libs/mbedtls:0=[${MULTILIB_USEDEP}]
+		)
+		openssl? (
+			>=dev-libs/openssl-1.0.2:=[static-libs?,${MULTILIB_USEDEP}]
+		)
+		rustls? (
+			>=net-libs/rustls-ffi-0.15.0:=[${MULTILIB_USEDEP}]
+		)
+	)
+	zstd? ( app-arch/zstd:=[${MULTILIB_USEDEP}] )
+"
+
+DEPEND="${RDEPEND}"
+
+BDEPEND="
+	dev-lang/perl
+	virtual/pkgconfig
+	test? (
+		sys-apps/diffutils
+		http2? ( >=net-libs/nghttp2-1.15.0:=[utils,${MULTILIB_USEDEP}] )
+		http3? ( net-libs/nghttp2:=[utils,${MULTILIB_USEDEP}] )
+	)
+	verify-sig? ( sec-keys/openpgp-keys-danielstenberg )
+"
+
+DOCS=( README docs/{FEATURES.md,INTERNALS.md,FAQ,BUGS.md,CONTRIBUTE.md} )
+
+MULTILIB_WRAPPED_HEADERS=(
+	/usr/include/curl/curlbuild.h
+)
+
+MULTILIB_CHOST_TOOLS=(
+	/usr/bin/curl-config
+)
+
+QA_CONFIG_IMPL_DECL_SKIP=(
+	__builtin_available
+	closesocket
+	CloseSocket
+	getpass_r
+	ioctlsocket
+	IoctlSocket
+	mach_absolute_time
+	setmode
+	_fseeki64
+	# custom AC_LINK_IFELSE code fails to link even without -Werror
+	OSSL_QUIC_client_method
+)
+
+PATCHES=(
+	"${FILESDIR}/${PN}-prefix-4.patch"
+	"${FILESDIR}/${PN}-respect-cflags-3.patch"
+	"${FILESDIR}/${P}-gssapi-non-ssl-build.patch"
+	"${FILESDIR}/${P}-hostip-correct-proxy-name.patch"
+	"${FILESDIR}/${P}-http2-stream-window-size.patch"
+	"${FILESDIR}/${P}-httpsrr-target-check.patch"
+	"${FILESDIR}/${P}-krb5-ftp.patch"
+	"${FILESDIR}/${P}-openssl-quic-stream-shutdown.patch"
+)
+
+src_prepare() {
+	default
+
+	eprefixify curl-config.in
+	eautoreconf
+}
+
+# Generates TLS-related configure options based on USE flags.
+# Outputs options suitable for appending to a configure options array.
+_get_curl_tls_configure_opts() {
+	local tls_opts=()
+
+	local backend flag_name
+	for backend in gnutls mbedtls openssl rustls; do
+		if [[ "$backend" == "openssl" ]]; then
+			flag_name="ssl"
+			tls_opts+=( "--with-ca-path=${EPREFIX}/etc/ssl/certs")
+		else
+			flag_name="$backend"
+		fi
+
+		if use "$backend"; then
+			tls_opts+=( "--with-${flag_name}" )
+		else
+			# If a single backend is enabled, 'ssl' is required, openssl is the default / fallback
+			if ! [[ "$backend" == "openssl" ]]; then
+				tls_opts+=( "--without-${flag_name}" )
+			fi
+		fi
+	done
+
+	if use curl_ssl_gnutls; then
+		multilib_is_native_abi && einfo "Default TLS backend: gnutls"
+		tls_opts+=( "--with-default-ssl-backend=gnutls" )
+	elif use curl_ssl_mbedtls; then
+		multilib_is_native_abi && einfo "Default TLS backend: mbedtls"
+		tls_opts+=( "--with-default-ssl-backend=mbedtls" )
+	elif use curl_ssl_openssl; then
+		multilib_is_native_abi && einfo "Default TLS backend: openssl"
+		tls_opts+=( "--with-default-ssl-backend=openssl" )
+	elif use curl_ssl_rustls; then
+		multilib_is_native_abi && einfo "Default TLS backend: rustls"
+		tls_opts+=( "--with-default-ssl-backend=rustls" )
+	else
+		eerror "We can't be here because of REQUIRED_USE."
+		die "Please file a bug, hit impossible condition w/ USE=ssl handling."
+	fi
+
+	# Explicitly Disable unimplemented b
+	tls_opts+=(
+		--without-amissl
+		--without-bearssl
+		--without-wolfssl
+	)
+
+	printf "%s\n" "${tls_opts[@]}"
+}
+
+multilib_src_configure() {
+	# We make use of the fact that later flags override earlier ones
+	# So start with all ssl providers off until proven otherwise
+	# TODO: in the future, we may want to add wolfssl (https://www.wolfssl.com/)
+	local myconf=()
+
+	myconf+=( --without-ca-fallback --with-ca-bundle="${EPREFIX}"/etc/ssl/certs/ca-certificates.crt  )
+	if use ssl; then
+		local -a tls_backend_opts
+		readarray -t tls_backend_opts < <(_get_curl_tls_configure_opts)
+		myconf+=("${tls_backend_opts[@]}")
+	else
+		myconf+=( --without-ssl )
+		einfo "SSL disabled"
+	fi
+
+	# These configuration options are organised alphabetically by category/type
+
+	# Protocols
+	# `grep SUPPORT_PROTOCOLS=\" configure.ac | awk '{ print substr($2, 1, length($2)-1)}' | sort`
+	# Assume that anything omitted (that is not new!) is enabled by default with no deps
+	myconf+=(
+		--enable-file
+		$(use_enable ftp)
+		$(use_enable gopher)
+		--enable-http
+		$(use_enable imap) # Automatic IMAPS if TLS is enabled
+		$(use_enable ldap ldaps)
+		$(use_enable ldap)
+		$(use_enable pop3)
+		$(use_enable samba smb)
+		$(use_with ssh libssh2) # enables scp/sftp
+		$(use_with rtmp librtmp)
+		--enable-rtsp
+		$(use_enable smtp)
+		$(use_enable telnet)
+		$(use_enable tftp)
+		$(use_enable websockets)
+	)
+
+	# Keep various 'HTTP-flavoured' options together
+	myconf+=(
+		$(use_enable alt-svc)
+		$(use_enable hsts)
+		$(use_enable httpsrr)
+		$(use_with http2 nghttp2)
+		$(use_with http3 nghttp3)
+		$(use_with curl_quic_ngtcp2 ngtcp2)
+		$(use_with curl_quic_openssl openssl-quic)
+	)
+
+	# --enable/disable options
+	# `grep -- --enable configure | grep Check | awk '{ print $4 }' | sort`
+	myconf+=(
+		$(use_enable adns ares)
+		--enable-aws
+		--enable-basic-auth
+		--enable-bearer-auth
+		--enable-cookies
+		--enable-dateparse
+		--enable-dict
+		--enable-digest-auth
+		--enable-dnsshuffle
+		--enable-doh
+		$(use_enable ech)
+		--enable-http-auth
+		--enable-ipv6
+		--enable-kerberos-auth
+		--enable-largefile
+		--enable-manual
+		--enable-mime
+		--enable-negotiate-auth
+		--enable-netrc
+		--enable-ntlm
+		--enable-progress-meter
+		--enable-proxy
+		--enable-rt
+		--enable-socketpair
+		--disable-sspi
+		$(use_enable static-libs static)
+		--enable-symbol-hiding
+		--enable-tls-srp
+		--disable-versioned-symbols
+	)
+
+	# --with/without options
+	# `grep -- --with configure | grep Check | awk '{ print $4 }' | sort`
+	myconf+=(
+		$(use_with brotli)
+		--with-fish-functions-dir="${EPREFIX}"/usr/share/fish/vendor_completions.d
+		$(use_with idn libidn2)
+		$(use_with kerberos gssapi "${EPREFIX}"/usr)
+		$(use_with sasl-scram libgsasl)
+		$(use_with psl libpsl)
+		--without-msh3
+		--without-quiche
+		--without-schannel
+		--without-secure-transport
+		--without-winidn
+		--with-zlib
+		--with-zsh-functions-dir="${EPREFIX}"/usr/share/zsh/site-functions
+		$(use_with zstd)
+	)
+
+	# Test deps (disabled)
+	myconf+=(
+		--without-test-caddy
+		--without-test-httpd
+		--without-test-nghttpx
+	)
+
+	if use debug; then
+		myconf+=(
+			--enable-debug
+		)
+	fi
+
+	if use test && multilib_is_native_abi && ( use http2 || use http3 ); then
+		myconf+=(
+			--with-test-nghttpx="${BROOT}/usr/bin/nghttpx"
+		)
+	fi
+
+	# Since 8.12.0 adns/c-ares and the threaded resolver are mutually exclusive
+	# This is in support of some work to enable `httpsrr` to use adns and the rest
+	# of curl to use the threaded resolver; for us `httpsrr` is conditional on adns.
+	if use adns; then
+		myconf+=(
+			--disable-threaded-resolver
+		)
+	else
+		myconf+=(
+			--enable-threaded-resolver
+		)
+	fi
+
+	ECONF_SOURCE="${S}" econf "${myconf[@]}"
+
+	if ! multilib_is_native_abi; then
+		# Avoid building the client (we just want libcurl for multilib)
+		sed -i -e '/SUBDIRS/s:src::' Makefile || die
+		sed -i -e '/SUBDIRS/s:scripts::' Makefile || die
+	fi
+
+}
+
+multilib_src_compile() {
+	default
+
+	if multilib_is_native_abi; then
+		# Shell completions
+		! tc-is-cross-compiler && emake -C scripts
+	fi
+}
+
+# There is also a pytest harness that tests for bugs in some very specific
+# situations; we can rely on upstream for this rather than adding additional test deps.
+multilib_src_test() {
+	# See https://github.com/curl/curl/blob/master/tests/runtests.pl#L5721
+	# -n: no valgrind (unreliable in sandbox and doesn't work correctly on all arches)
+	# -v: verbose
+	# -a: keep going on failure (so we see everything that breaks, not just 1st test)
+	# -k: keep test files after completion
+	# -am: automake style TAP output
+	# -p: print logs if test fails
+	# Note: if needed, we can skip specific tests. See e.g. Fedora's packaging
+	# or just read https://github.com/curl/curl/tree/master/tests#run.
+	# Note: we don't run the testsuite for cross-compilation.
+	# Upstream recommend 7*nproc as a starting point for parallel tests, but
+	# this ends up breaking when nproc is huge (like -j80).
+	# The network sandbox causes tests 241 and 1083 to fail; these are typically skipped
+	# as most gentoo users don't have an 'ip6-localhost'
+	multilib_is_native_abi && emake test TFLAGS="-n -v -a -k -am -p -j$((2*$(makeopts_jobs))) !241 !1083"
+}
+
+multilib_src_install() {
+	emake DESTDIR="${D}" install
+
+	if multilib_is_native_abi; then
+		# Shell completions
+		! tc-is-cross-compiler && emake -C scripts DESTDIR="${D}" install
+	fi
+}
+
+multilib_src_install_all() {
+	einstalldocs
+	find "${ED}" -type f -name '*.la' -delete || die
+	rm -rf "${ED}"/etc/ || die
+}
+
+pkg_postinst() {
+	if use debug; then
+		ewarn "USE=debug has been selected, enabling debug codepaths and making cURL extra verbose."
+		ewarn "Use this _only_ for testing. Debug builds should _not_ be used in anger."
+		ewarn "hic sunt dracones; you have been warned."
+	fi
+}
--- a/sdk_container/src/third_party/portage-stable/net-misc/curl/files/curl-8.11.1-async-thread-close-eventfd.patch
+++ b/sdk_container/src/third_party/portage-stable/net-misc/curl/files/curl-8.11.1-async-thread-close-eventfd.patch
@ -1,33 +0,0 @@
-https://github.com/curl/curl/commit/ff5091aa9f73802e894b1cbdf24ab84e103200e2
-From: Andy Pan <i@andypan.me>
-Date: Thu, 12 Dec 2024 12:48:56 +0000
-Subject: [PATCH] async-thread: avoid closing eventfd twice
-
-When employing eventfd for socketpair, there is only one file
-descriptor. Closing that fd twice might result in fd corruption.
-Thus, we should avoid closing the eventfd twice, following the
-pattern in lib/multi.c.
-
-Fixes #15725
-Closes #15727
-Reported-by: Christian Heusel
---
- lib/asyn-thread.c | 2 ++
- 1 file changed, 2 insertions(+)
-
-diff --git a/lib/asyn-thread.c b/lib/asyn-thread.c
-index a58e4b790494ab..32d496b107cb0a 100644
--- a/lib/asyn-thread.c
-+++ b/lib/asyn-thread.c
-@@ -195,9 +195,11 @@ void destroy_thread_sync_data(struct thread_sync_data *tsd)
-    * close one end of the socket pair (may be done in resolver thread);
-    * the other end (for reading) is always closed in the parent thread.
-    */
-+#ifndef USE_EVENTFD
-   if(tsd->sock_pair[1] != CURL_SOCKET_BAD) {
-     wakeup_close(tsd->sock_pair[1]);
-   }
-+#endif
- #endif
-   memset(tsd, 0, sizeof(*tsd));
- }
--- a/sdk_container/src/third_party/portage-stable/net-misc/curl/files/curl-8.13.0-gssapi-non-ssl-build.patch
+++ b/sdk_container/src/third_party/portage-stable/net-misc/curl/files/curl-8.13.0-gssapi-non-ssl-build.patch
@ -0,0 +1,28 @@
+https://github.com/curl/curl/commit/fe5f435b42a6c928b57c61db5d57f96b5c5a39be
+From: Andrew <akirillo@uk.ibm.com>
+Date: Wed, 2 Apr 2025 13:45:21 +0100
+Subject: [PATCH] http_negotiate: fix non-SSL build with GSSAPI
+
+Fixes #16919
+Closes #16921
+--- a/lib/http_negotiate.c
+++ b/lib/http_negotiate.c
+@@ -110,8 +110,8 @@ CURLcode Curl_input_negotiate(struct Curl_easy *data, struct connectdata *conn,
+ #endif
+   /* Check if the connection is using SSL and get the channel binding data */
+ #ifdef HAVE_GSSAPI
+-  Curl_dyn_init(&neg_ctx->channel_binding_data, SSL_CB_MAX_SIZE + 1);
+ #ifdef USE_SSL
+  Curl_dyn_init(&neg_ctx->channel_binding_data, SSL_CB_MAX_SIZE + 1);
+   if(Curl_conn_is_ssl(conn, FIRSTSOCKET)) {
+     result = Curl_ssl_get_channel_binding(
+       data, FIRSTSOCKET, &neg_ctx->channel_binding_data);
+@@ -120,6 +120,8 @@ CURLcode Curl_input_negotiate(struct Curl_easy *data, struct connectdata *conn,
+       return result;
+     }
+   }
+#else
+  Curl_dyn_init(&neg_ctx->channel_binding_data, 1);
+ #endif /* USE_SSL */
+ #endif /* HAVE_GSSAPI */
+ 
--- a/sdk_container/src/third_party/portage-stable/net-misc/curl/files/curl-8.13.0-hostip-correct-proxy-name.patch
+++ b/sdk_container/src/third_party/portage-stable/net-misc/curl/files/curl-8.13.0-hostip-correct-proxy-name.patch
@ -0,0 +1,46 @@
+https://github.com/curl/curl/commit/db3e7a24b5339860fb91cf0d932e8ae13a01e472
+From: Daniel Stenberg <daniel@haxx.se>
+Date: Fri, 4 Apr 2025 12:34:09 +0200
+Subject: [PATCH] hostip: show the correct name on proxy resolve error
+
+Regression, probably from 8ded8e5f3f4b6586399 (#16451)
+
+Fixes #16958
+Reported-by: Jean-Christophe Amiel
+Closes #16961
+--- a/lib/hostip.c
+++ b/lib/hostip.c
+@@ -1494,25 +1494,21 @@ CURLcode Curl_once_resolved(struct Curl_easy *data, bool *protocol_done)
+ #ifdef USE_CURL_ASYNC
+ CURLcode Curl_resolver_error(struct Curl_easy *data)
+ {
+-  const char *host_or_proxy;
+-  CURLcode result;
+  struct connectdata *conn = data->conn;
+  const char *host_or_proxy = "host";
+  const char *name = conn->host.dispname;
+  CURLcode result = CURLE_COULDNT_RESOLVE_HOST;
+ 
+ #ifndef CURL_DISABLE_PROXY
+-  struct connectdata *conn = data->conn;
+-  if(conn->bits.httpproxy) {
+  if(conn->bits.proxy) {
+     host_or_proxy = "proxy";
+     result = CURLE_COULDNT_RESOLVE_PROXY;
+    name = conn->socks_proxy.host.name ? conn->socks_proxy.host.dispname :
+      conn->http_proxy.host.dispname;
+   }
+-  else
+ #endif
+-  {
+-    host_or_proxy = "host";
+-    result = CURLE_COULDNT_RESOLVE_HOST;
+-  }
+-
+-  failf(data, "Could not resolve %s: %s", host_or_proxy,
+-        data->conn->host.dispname);
+ 
+  failf(data, "Could not resolve %s: %s", host_or_proxy, name);
+   return result;
+ }
+ #endif /* USE_CURL_ASYNC */
--- a/sdk_container/src/third_party/portage-stable/net-misc/curl/files/curl-8.13.0-http2-stream-window-size.patch
+++ b/sdk_container/src/third_party/portage-stable/net-misc/curl/files/curl-8.13.0-http2-stream-window-size.patch
@ -0,0 +1,143 @@
+https://github.com/curl/curl/commit/5fbd78eb2dc4afbd8884e8eed27147fc3d4318f6
+From: Stefan Eissing <stefan@eissing.org>
+Date: Fri, 4 Apr 2025 10:43:13 +0200
+Subject: [PATCH] http2: fix stream window size after unpausing
+
+When pausing a HTTP/2 transfer, the stream's local window size
+is reduced to 0 to prevent the server from sending further data
+which curl cannot write out to the application.
+
+When unpausing again, the stream's window size was not correctly
+increased again. The attempt to trigger a window update was
+ignored by nghttp2, the server never received it and the transfer
+stalled.
+
+Add a debug feature to allow use of small window sizes which
+reproduces this bug in test_02_21.
+
+Fixes #16955
+Closes #16960
+--- a/docs/libcurl/libcurl-env-dbg.md
+++ b/docs/libcurl/libcurl-env-dbg.md
+@@ -147,3 +147,8 @@ Make a blocking, graceful shutdown of all remaining connections when
+ a multi handle is destroyed. This implicitly triggers for easy handles
+ that are run via easy_perform. The value of the environment variable
+ gives the shutdown timeout in milliseconds.
+
+## `CURL_H2_STREAM_WIN_MAX`
+
+Set to a positive 32-bit number to override the HTTP/2 stream window's
+default of 10MB. Used in testing to verify correct window update handling.
+--- a/lib/http2.c
+++ b/lib/http2.c
+@@ -44,6 +44,7 @@
+ #include "connect.h"
+ #include "rand.h"
+ #include "strdup.h"
+#include "strparse.h"
+ #include "transfer.h"
+ #include "dynbuf.h"
+ #include "headers.h"
+@@ -141,6 +142,9 @@ struct cf_h2_ctx {
+   uint32_t goaway_error;        /* goaway error code from server */
+   int32_t remote_max_sid;       /* max id processed by server */
+   int32_t local_max_sid;        /* max id processed by us */
+#ifdef DEBUGBUILD
+  int32_t stream_win_max;       /* max h2 stream window size */
+#endif
+   BIT(initialized);
+   BIT(via_h1_upgrade);
+   BIT(conn_closed);
+@@ -166,6 +170,18 @@ static void cf_h2_ctx_init(struct cf_h2_ctx *ctx, bool via_h1_upgrade)
+   Curl_hash_offt_init(&ctx->streams, 63, h2_stream_hash_free);
+   ctx->remote_max_sid = 2147483647;
+   ctx->via_h1_upgrade = via_h1_upgrade;
+#ifdef DEBUGBUILD
+  {
+    const char *p = getenv("CURL_H2_STREAM_WIN_MAX");
+
+    ctx->stream_win_max = H2_STREAM_WINDOW_SIZE_MAX;
+    if(p) {
+      curl_off_t l;
+      if(!Curl_str_number(&p, &l, INT_MAX))
+        ctx->stream_win_max = (int32_t)l;
+    }
+  }
+#endif
+   ctx->initialized = TRUE;
+ }
+ 
+@@ -285,7 +301,15 @@ static int32_t cf_h2_get_desired_local_win(struct Curl_cfilter *cf,
+      * This gets less precise the higher the latency. */
+     return (int32_t)data->set.max_recv_speed;
+   }
+#ifdef DEBUGBUILD
+  else {
+    struct cf_h2_ctx *ctx = cf->ctx;
+    CURL_TRC_CF(data, cf, "stream_win_max=%d", ctx->stream_win_max);
+    return ctx->stream_win_max;
+  }
+#else
+   return H2_STREAM_WINDOW_SIZE_MAX;
+#endif
+ }
+ 
+ static CURLcode cf_h2_update_local_win(struct Curl_cfilter *cf,
+@@ -302,6 +326,13 @@ static CURLcode cf_h2_update_local_win(struct Curl_cfilter *cf,
+     int32_t wsize = nghttp2_session_get_stream_effective_local_window_size(
+                       ctx->h2, stream->id);
+     if(dwsize > wsize) {
+      rv = nghttp2_session_set_local_window_size(ctx->h2, NGHTTP2_FLAG_NONE,
+                                                 stream->id, dwsize);
+      if(rv) {
+        failf(data, "[%d] nghttp2 set_local_window_size(%d) failed: "
+              "%s(%d)", stream->id, dwsize, nghttp2_strerror(rv), rv);
+        return CURLE_HTTP2;
+      }
+       rv = nghttp2_submit_window_update(ctx->h2, NGHTTP2_FLAG_NONE,
+                                         stream->id, dwsize - wsize);
+       if(rv) {
+--- a/tests/http/test_02_download.py
+++ b/tests/http/test_02_download.py
+@@ -313,9 +313,9 @@ def test_02_20_h2_small_frames(self, env: Env, httpd):
+         assert httpd.stop()
+         assert httpd.start()
+ 
+-    # download via lib client, 1 at a time, pause/resume at different offsets
+    # download serial via lib client, pause/resume at different offsets
+     @pytest.mark.parametrize("pause_offset", [0, 10*1024, 100*1023, 640000])
+-    @pytest.mark.parametrize("proto", ['http/1.1', 'h2', 'h3'])
+    @pytest.mark.parametrize("proto", ['http/1.1', 'h3'])
+     def test_02_21_lib_serial(self, env: Env, httpd, nghttpx, proto, pause_offset):
+         if proto == 'h3' and not env.have_h3():
+             pytest.skip("h3 not supported")
+@@ -332,6 +332,29 @@ def test_02_21_lib_serial(self, env: Env, httpd, nghttpx, proto, pause_offset):
+         srcfile = os.path.join(httpd.docs_dir, docname)
+         self.check_downloads(client, srcfile, count)
+ 
+    # h2 download parallel via lib client, pause/resume at different offsets
+    # debug-override stream window size to reproduce #16955
+    @pytest.mark.parametrize("pause_offset", [0, 10*1024, 100*1023, 640000])
+    @pytest.mark.parametrize("swin_max", [0, 10*1024])
+    def test_02_21_h2_lib_serial(self, env: Env, httpd, pause_offset, swin_max):
+        proto = 'h2'
+        count = 2
+        docname = 'data-10m'
+        url = f'https://localhost:{env.https_port}/{docname}'
+        run_env = os.environ.copy()
+        run_env['CURL_DEBUG'] = 'multi,http/2'
+        if swin_max > 0:
+            run_env['CURL_H2_STREAM_WIN_MAX'] = f'{swin_max}'
+        client = LocalClient(name='hx-download', env=env, run_env=run_env)
+        if not client.exists():
+            pytest.skip(f'example client not built: {client.name}')
+        r = client.run(args=[
+             '-n', f'{count}', '-P', f'{pause_offset}', '-V', proto, url
+        ])
+        r.check_exit_code(0)
+        srcfile = os.path.join(httpd.docs_dir, docname)
+        self.check_downloads(client, srcfile, count)
+
+     # download via lib client, several at a time, pause/resume
+     @pytest.mark.parametrize("pause_offset", [100*1023])
+     @pytest.mark.parametrize("proto", ['http/1.1', 'h2', 'h3'])
--- a/sdk_container/src/third_party/portage-stable/net-misc/curl/files/curl-8.13.0-httpsrr-target-check.patch
+++ b/sdk_container/src/third_party/portage-stable/net-misc/curl/files/curl-8.13.0-httpsrr-target-check.patch
@ -0,0 +1,22 @@
+https://github.com/curl/curl/commit/4f3c22d77d752fea6ff9ab2706f70d58882ea466
+From: Stefan Eissing <stefan@eissing.org>
+Date: Fri, 4 Apr 2025 18:10:28 +0200
+Subject: [PATCH] https-connect, fix httpsrr target check
+
+The HTTPSRR check on the record's target was not working as it used the
+wrong index on the NUL byte if the target was not NULL.
+
+Fixes #16966
+Reported-by: Pavel Kropachev
+Closes #16968
+--- a/lib/cf-https-connect.c
+++ b/lib/cf-https-connect.c
+@@ -673,7 +673,7 @@ CURLcode Curl_cf_https_setup(struct Curl_easy *data,
+        (!conn->dns_entry->hinfo->target ||      /* for same host */
+         !conn->dns_entry->hinfo->target[0] ||
+         (conn->dns_entry->hinfo->target[0] == '.' &&
+-         !conn->dns_entry->hinfo->target[0])) &&
+         !conn->dns_entry->hinfo->target[1])) &&
+        (conn->dns_entry->hinfo->port < 0 ||    /* for same port */
+         conn->dns_entry->hinfo->port == conn->remote_port)) {
+       size_t i;
--- a/sdk_container/src/third_party/portage-stable/net-misc/curl/files/curl-8.13.0-krb5-ftp.patch
+++ b/sdk_container/src/third_party/portage-stable/net-misc/curl/files/curl-8.13.0-krb5-ftp.patch
@ -0,0 +1,19 @@
+https://github.com/curl/curl/commit/5caba3bd97a14b64d906ece77bc0e2b339161a1f
+From: Daniel Stenberg <daniel@haxx.se>
+Date: Thu, 3 Apr 2025 08:49:20 +0200
+Subject: [PATCH] curl_krb5: only use functions if FTP is still enabled
+
+Reported-by: x1sc0 on github
+Fixes #16925
+Closes #16931
+--- a/lib/curl_krb5.h
+++ b/lib/curl_krb5.h
+@@ -39,7 +39,7 @@ struct Curl_sec_client_mech {
+ #define AUTH_CONTINUE   1
+ #define AUTH_ERROR      2
+ 
+-#ifdef HAVE_GSSAPI
+#if defined(HAVE_GSSAPI) && !defined(CURL_DISABLE_FTP)
+ void Curl_sec_conn_init(struct connectdata *);
+ void Curl_sec_conn_destroy(struct connectdata *);
+ int Curl_sec_read_msg(struct Curl_easy *data, struct connectdata *conn, char *,
--- a/sdk_container/src/third_party/portage-stable/net-misc/curl/files/curl-8.13.0-openssl-quic-stream-shutdown.patch
+++ b/sdk_container/src/third_party/portage-stable/net-misc/curl/files/curl-8.13.0-openssl-quic-stream-shutdown.patch
@ -0,0 +1,44 @@
+https://github.com/curl/curl/commit/219302b4e64e2337c50d86056e9af2103b281e7e
+From: Stefan Eissing <stefan@eissing.org>
+Date: Wed, 9 Apr 2025 11:01:54 +0200
+Subject: [PATCH] openssl-quic: fix shutdown when stream not open
+
+Check that h3 stream had been opened before telling nghttp3 to
+shut it down.
+
+Fixes #16998
+Reported-by: Demi Marie Obenour
+Closes #17003
+--- a/lib/vquic/curl_osslq.c
+++ b/lib/vquic/curl_osslq.c
+@@ -654,7 +654,7 @@ static void h3_data_done(struct Curl_cfilter *cf, struct Curl_easy *data)
+   if(stream) {
+     CURL_TRC_CF(data, cf, "[%"FMT_PRId64"] easy handle is done",
+                 stream->s.id);
+-    if(ctx->h3.conn && !stream->closed) {
+    if(ctx->h3.conn && (stream->s.id >= 0) && !stream->closed) {
+       nghttp3_conn_shutdown_stream_read(ctx->h3.conn, stream->s.id);
+       nghttp3_conn_close_stream(ctx->h3.conn, stream->s.id,
+                                 NGHTTP3_H3_REQUEST_CANCELLED);
+--- a/tests/http/test_01_basic.py
+++ b/tests/http/test_01_basic.py
+@@ -242,3 +242,19 @@ def test_01_15_gigalarge_resp_headers(self, env: Env, httpd, proto):
+             r.check_exit_code(16)  # CURLE_HTTP2
+         else:
+             r.check_exit_code(100)  # CURLE_TOO_LARGE
+
+    # http: invalid request headers, GET, issue #16998
+    @pytest.mark.parametrize("proto", ['http/1.1', 'h2', 'h3'])
+    def test_01_16_inv_req_get(self, env: Env, httpd, proto):
+        if proto == 'h3' and not env.have_h3():
+            pytest.skip("h3 not supported")
+        curl = CurlClient(env=env)
+        url = f'https://{env.authority_for(env.domain1, proto)}/curltest/echo'
+        r = curl.http_get(url=url, alpn_proto=proto, extra_args=[
+            '-H', "a: a\x0ab"
+        ])
+        # on h1, request is sent, h2/h3 reject
+        if proto == 'http/1.1':
+            r.check_exit_code(0)
+        else:
+            r.check_exit_code(43)
--- a/sdk_container/src/third_party/portage-stable/net-misc/curl/files/curl-prefix-3.patch
+++ b/sdk_container/src/third_party/portage-stable/net-misc/curl/files/curl-prefix-3.patch
@ -1,34 +0,0 @@
-From 6927ecf38cf3372d539c88479e97707d855de07e Mon Sep 17 00:00:00 2001
-From: Matt Jolly <kangie@gentoo.org>
-Date: Sun, 10 Nov 2024 08:51:02 +1000
-Subject: [PATCH] Update prefix patch for 8.11.0
-
---
- curl-config.in | 4 ++--
- 1 file changed, 2 insertions(+), 2 deletions(-)
-
-diff --git a/curl-config.in b/curl-config.in
-index 2dc40ed..1876d6c 100644
--- a/curl-config.in
-+++ b/curl-config.in
-@@ -147,7 +147,7 @@ while test "$#" -gt 0; do
-     else
-       CPPFLAG_CURL_STATICLIB=''
-     fi
-    if test "X@includedir@" = 'X/usr/include'; then
-+    if test "X@includedir@" = "X@GENTOO_PORTAGE_EPREFIX@/usr/include"; then
-       echo "${CPPFLAG_CURL_STATICLIB}"
-     else
-       echo "${CPPFLAG_CURL_STATICLIB}-I@includedir@"
-@@ -155,7 +155,7 @@ while test "$#" -gt 0; do
-     ;;
- 
-   --libs)
-    if test "X@libdir@" != 'X/usr/lib' -a "X@libdir@" != 'X/usr/lib64'; then
-+    if test "X@libdir@" != "X@GENTOO_PORTAGE_EPREFIX@/usr/lib" -a "X@libdir@" != "X@GENTOO_PORTAGE_EPREFIX@/usr/lib64"; then
-       CURLLIBDIR="-L@libdir@ "
-     else
-       CURLLIBDIR=''
-- 
-2.47.0
-