net-misc/curl: Sync with Gentoo

It's from Gentoo commit 8053e78f154e174b5a1b8192fa7b3182a36b1534.

Signed-off-by: Flatcar Buildbot <buildbot@flatcar-linux.org>
Flatcar Buildbot 2025-09-22 07:10:51 +00:00 committed by Krzesimir Nowak
parent 5f207e5b93
commit ad48f6712a
13 changed files with 464 additions and 1142 deletions

@ -1,7 +1,3 @@
DIST curl-8.12.1.tar.xz 2768160 BLAKE2B 2b3e3d91041881c0951ad470736266105d3b9720440b808fe382baa493a30075aba52eb1d329fb1f148e27cd76290d82e121e7f4abf695f215456a10e26ade3e SHA512 88915468fa1bb7256e3dd6c9d058ada6894faa1e3e7800c7d9bfee3e8be4081ae57e7f2bf260c5342b709499fc4302ddc2d7864e25bfa3300fa07f118a3de603
DIST curl-8.12.1.tar.xz.asc 488 BLAKE2B 2a6563609c9f7ada84ca2c7048ad9406809eef4cc958760d2ab3d1b7be58d26247e579bd025870609e80ebb00295026aae30614b84e3a81bdf3ed3dbd0f5ed70 SHA512 41fc5582935090d13940d86974fdea3ea901dd5dab156c16029a87f811d2535172c59dc8dc366f2ffc37bcf85accbecb5aa765bc7b83c2991a3ef402bf25af69
DIST curl-8.13.0.tar.xz 2773628 BLAKE2B 6869634ad50f015d5c7526699034d5a3f27d9588bc32eacc8080dbd6c690f63b1f25cee40d3fdf8fd9dd8535c305ea9c5edf1d5a02bc6d9ce60fd8c88230aca0 SHA512 d266e460f162ee455b56726e5b7247b2d1aa5265ae12081513fc0c5c79e785a594097bc71d505dc9bcd2c2f6f1ff6f4bab9dbd9d120bb76d06c5be8521a8ca7d
DIST curl-8.13.0.tar.xz.asc 488 BLAKE2B bd568ec32a44ef7c14c38e4830bcc7711dac726e950325292f1e5de76e619839685300c5afac32330127324327e71ce0d6e574f6e95bcc4a48957345152bc86a SHA512 07f79c7fd7c305c96e10a5f52797254aed7d2a1f3577c8626b8d617855ceb82634ac6787bfa0b7130a4ed72c3a9945d3c9ba5b7be54df8bafa07ded1c62ef2be
DIST curl-8.14.1.tar.xz 2817248 BLAKE2B 4ce2277d143084823855b714e86047a94d4c52a686b8d16d9ab76c31168f1a74d63dfa7608cff36706a8a0b9bf9cc611a9b99860b176a227bca580cd95e9cff2 SHA512 7f6eae04cc23c50fc41d448aa28dfa59141018009e42c5b1e3f4e0d40c0633460b4e6eec05dfc290f7953671096abfa70a8b5443fccdd3f1be6be32ac10b31d9
DIST curl-8.14.1.tar.xz.asc 488 BLAKE2B f664f526dbffa0a1af2b28f51982445f7d9064b3c3b3e6dd04322003db22da2acde5d493c80204b36a9219d42959543c5a0aee47f2365eb713490ff2fc5f475f SHA512 663b1652bb27338310d1475a8b0422f04e68fca74be11a4b7120de948af4fc0c2b08b75ce5372d657aa89504a27b36b937b5091cb2d932297a7490d5e390d99f
DIST curl-8.15.0.tar.xz 2773156 BLAKE2B ae809be87f34d079413129c27e618a6d15c2bf9087fd7e679cefe9b6d8645f0dd092e8c3e1f62b7bd0dffdd0b77e0bc5ac031ffce4e50060ec20b280618c8e68 SHA512 d27e316d70973906ac4b8d2c280f7e99b7528966aa1220c13a38ed45fca2ed6bbde54b8a9d7bed9e283171b92edb621f7b95162ef7d392e6383b0ee469de3191

@ -1,386 +0,0 @@
# Copyright 1999-2025 Gentoo Authors
# Distributed under the terms of the GNU General Public License v2
EAPI=8
# Maintainers should subscribe to the 'curl-distros' ML for backports etc
# https://daniel.haxx.se/blog/2024/03/25/curl-distro-report/
# https://lists.haxx.se/listinfo/curl-distros
VERIFY_SIG_OPENPGP_KEY_PATH=/usr/share/openpgp-keys/danielstenberg.asc
inherit autotools multilib-minimal multiprocessing prefix toolchain-funcs verify-sig
DESCRIPTION="A Client that groks URLs"
HOMEPAGE="https://curl.se/"
if [[ ${PV} == 9999 ]]; then
inherit git-r3
EGIT_REPO_URI="https://github.com/curl/curl.git"
else
SRC_URI="
https://curl.se/download/${P}.tar.xz
verify-sig? ( https://curl.se/download/${P}.tar.xz.asc )
"
KEYWORDS="~alpha amd64 arm arm64 ~hppa ~loong ~m68k ~mips ppc ppc64 ~riscv ~s390 ~sparc x86 ~amd64-linux ~x86-linux ~arm64-macos ~ppc-macos ~x64-macos ~x64-solaris"
fi
LICENSE="BSD curl ISC test? ( BSD-4 )"
SLOT="0"
IUSE="+adns +alt-svc brotli debug +ftp gnutls gopher +hsts +http2 +http3 idn +imap kerberos ldap mbedtls +openssl +pop3"
IUSE+=" +psl +progress-meter +quic rtmp rustls samba +smtp ssh ssl sslv3 static-libs test telnet +tftp +websockets zstd"
# These select the default tls implementation / which quic impl to use
IUSE+=" +curl_quic_openssl curl_quic_ngtcp2 curl_ssl_gnutls curl_ssl_mbedtls +curl_ssl_openssl curl_ssl_rustls"
RESTRICT="!test? ( test )"
# Only one default ssl / quic provider can be enabled
# The default provider needs its USE satisfied
# HTTP/3 and MultiSSL are mutually exclusive; it's not clear if MultiSSL offers any benefit at all in the modern day.
# https://github.com/curl/curl/commit/65ece771f4602107d9cdd339dff4b420280a2c2e
REQUIRED_USE="
quic? (
^^ (
curl_quic_openssl
curl_quic_ngtcp2
)
http3
ssl
)
ssl? (
^^ (
curl_ssl_gnutls
curl_ssl_mbedtls
curl_ssl_openssl
curl_ssl_rustls
)
)
curl_quic_openssl? (
curl_ssl_openssl
!gnutls
!mbedtls
!rustls
)
curl_quic_ngtcp2? (
curl_ssl_gnutls
!mbedtls
!openssl
!rustls
)
curl_ssl_gnutls? ( gnutls )
curl_ssl_mbedtls? ( mbedtls )
curl_ssl_openssl? ( openssl )
curl_ssl_rustls? ( rustls )
http3? ( alt-svc quic )
"
# cURL's docs and CI/CD are great resources for confirming supported versions
# particulary for fast-moving targets like HTTP/2 and TCP/2 e.g.:
# - https://github.com/curl/curl/blob/master/docs/INTERNALS.md (core dependencies + minimum versions)
# - https://github.com/curl/curl/blob/master/docs/HTTP3.md (example of a feature that moves quickly)
# - https://github.com/curl/curl/blob/master/.github/workflows/http3-linux.yml (CI/CD for TCP/2)
# However 'supported' vs 'works' are two entirely different things; be sane but
# don't be afraid to require a later version.
# ngtcp2 = https://bugs.gentoo.org/912029 - can only build with one tls backend at a time.
RDEPEND="
>=sys-libs/zlib-1.1.4[${MULTILIB_USEDEP}]
adns? ( >=net-dns/c-ares-1.16.0:=[${MULTILIB_USEDEP}] )
brotli? ( app-arch/brotli:=[${MULTILIB_USEDEP}] )
http2? ( >=net-libs/nghttp2-1.15.0:=[${MULTILIB_USEDEP}] )
http3? ( >=net-libs/nghttp3-1.1.0[${MULTILIB_USEDEP}] )
idn? ( >=net-dns/libidn2-2.0.0:=[static-libs?,${MULTILIB_USEDEP}] )
kerberos? ( >=virtual/krb5-0-r1[${MULTILIB_USEDEP}] )
ldap? ( >=net-nds/openldap-2.0.0:=[static-libs?,${MULTILIB_USEDEP}] )
psl? ( net-libs/libpsl[${MULTILIB_USEDEP}] )
quic? (
curl_quic_openssl? ( >=dev-libs/openssl-3.3.0:=[quic,${MULTILIB_USEDEP}] )
curl_quic_ngtcp2? ( >=net-libs/ngtcp2-1.2.0[gnutls,ssl,-openssl,${MULTILIB_USEDEP}] )
)
rtmp? ( media-video/rtmpdump[${MULTILIB_USEDEP}] )
ssh? ( >=net-libs/libssh2-1.0.0[${MULTILIB_USEDEP}] )
ssl? (
gnutls? (
app-misc/ca-certificates
>=net-libs/gnutls-3.1.10:=[static-libs?,${MULTILIB_USEDEP}]
dev-libs/nettle:=[${MULTILIB_USEDEP}]
)
mbedtls? (
app-misc/ca-certificates
net-libs/mbedtls:0=[${MULTILIB_USEDEP}]
)
openssl? (
>=dev-libs/openssl-0.9.7:=[sslv3(-)=,static-libs?,${MULTILIB_USEDEP}]
)
rustls? (
>=net-libs/rustls-ffi-0.14.0:=[${MULTILIB_USEDEP}]
)
)
zstd? ( app-arch/zstd:=[${MULTILIB_USEDEP}] )
"
DEPEND="${RDEPEND}"
BDEPEND="
dev-lang/perl
virtual/pkgconfig
test? (
sys-apps/diffutils
http2? ( >=net-libs/nghttp2-1.15.0:=[utils,${MULTILIB_USEDEP}] )
http3? ( net-libs/nghttp2:=[utils,${MULTILIB_USEDEP}] )
)
verify-sig? ( sec-keys/openpgp-keys-danielstenberg )
"
DOCS=( README docs/{FEATURES.md,INTERNALS.md,FAQ,BUGS.md,CONTRIBUTE.md} )
MULTILIB_WRAPPED_HEADERS=(
/usr/include/curl/curlbuild.h
)
MULTILIB_CHOST_TOOLS=(
/usr/bin/curl-config
)
QA_CONFIG_IMPL_DECL_SKIP=(
__builtin_available
closesocket
CloseSocket
getpass_r
ioctlsocket
IoctlSocket
mach_absolute_time
setmode
_fseeki64
# custom AC_LINK_IFELSE code fails to link even without -Werror
OSSL_QUIC_client_method
)
PATCHES=(
"${FILESDIR}/${PN}-prefix-4.patch"
"${FILESDIR}/${PN}-respect-cflags-3.patch"
)
src_prepare() {
default
eprefixify curl-config.in
eautoreconf
}
multilib_src_configure() {
# We make use of the fact that later flags override earlier ones
# So start with all ssl providers off until proven otherwise
# TODO: in the future, we may want to add wolfssl (https://www.wolfssl.com/)
local myconf=()
myconf+=( --without-ca-fallback --with-ca-bundle="${EPREFIX}"/etc/ssl/certs/ca-certificates.crt )
if use ssl; then
myconf+=( --without-gnutls --without-mbedtls --without-rustls )
if use gnutls; then
multilib_is_native_abi && einfo "SSL provided by gnutls"
myconf+=( --with-gnutls )
fi
if use mbedtls; then
multilib_is_native_abi && einfo "SSL provided by mbedtls"
myconf+=( --with-mbedtls )
fi
if use openssl; then
multilib_is_native_abi && einfo "SSL provided by openssl"
myconf+=( --with-ssl --with-ca-path="${EPREFIX}"/etc/ssl/certs )
fi
if use rustls; then
multilib_is_native_abi && einfo "SSL provided by rustls"
myconf+=( --with-rustls )
fi
if use curl_ssl_gnutls; then
multilib_is_native_abi && einfo "Default SSL provided by gnutls"
myconf+=( --with-default-ssl-backend=gnutls )
elif use curl_ssl_mbedtls; then
multilib_is_native_abi && einfo "Default SSL provided by mbedtls"
myconf+=( --with-default-ssl-backend=mbedtls )
elif use curl_ssl_openssl; then
multilib_is_native_abi && einfo "Default SSL provided by openssl"
myconf+=( --with-default-ssl-backend=openssl )
elif use curl_ssl_rustls; then
multilib_is_native_abi && einfo "Default SSL provided by rustls"
myconf+=( --with-default-ssl-backend=rustls )
else
eerror "We can't be here because of REQUIRED_USE."
die "Please file a bug, hit impossible condition w/ USE=ssl handling."
fi
else
myconf+=( --without-ssl )
einfo "SSL disabled"
fi
# These configuration options are organized alphabetically
# within each category. This should make it easier if we
# ever decide to make any of them contingent on USE flags:
# 1) protocols first. To see them all do
# 'grep SUPPORT_PROTOCOLS configure.ac'
# 2) --enable/disable options second.
# 'grep -- --enable configure | grep Check | awk '{ print $4 }' | sort
# 3) --with/without options third.
# grep -- --with configure | grep Check | awk '{ print $4 }' | sort
myconf+=(
$(use_enable alt-svc)
--enable-basic-auth
--enable-bearer-auth
--enable-digest-auth
--enable-kerberos-auth
--enable-negotiate-auth
--enable-aws
--enable-dict
--disable-ech
--enable-file
$(use_enable ftp)
$(use_enable gopher)
$(use_enable hsts)
--enable-http
$(use_enable imap)
$(use_enable ldap)
$(use_enable ldap ldaps)
--enable-ntlm
$(use_enable pop3)
--enable-rt
--enable-rtsp
$(use_enable samba smb)
$(use_with ssh libssh2)
$(use_enable smtp)
$(use_enable telnet)
$(use_enable tftp)
--enable-tls-srp
$(use_enable adns ares)
--enable-cookies
--enable-dateparse
--enable-dnsshuffle
--enable-doh
--enable-symbol-hiding
--enable-http-auth
--enable-ipv6
--enable-largefile
--enable-manual
--enable-mime
--enable-netrc
$(use_enable progress-meter)
--enable-proxy
--enable-socketpair
--disable-sspi
$(use_enable static-libs static)
--disable-versioned-symbols
--without-amissl
--without-bearssl
$(use_with brotli)
--with-fish-functions-dir="${EPREFIX}"/usr/share/fish/vendor_completions.d
$(use_with http2 nghttp2)
$(use_with idn libidn2)
$(use_with kerberos gssapi "${EPREFIX}"/usr)
--without-libgsasl
$(use_with psl libpsl)
--without-msh3
$(use_with http3 nghttp3)
$(use_with curl_quic_ngtcp2 ngtcp2)
$(use_with curl_quic_openssl openssl-quic)
--without-quiche
$(use_with rtmp librtmp)
--without-schannel
--without-secure-transport
--without-test-caddy
--without-test-httpd
--without-test-nghttpx
$(use_enable websockets)
--without-winidn
--without-wolfssl
--with-zlib
$(use_with zstd)
--with-zsh-functions-dir="${EPREFIX}"/usr/share/zsh/site-functions
)
if use debug; then
myconf+=(
--enable-debug
)
fi
if use test && multilib_is_native_abi && ( use http2 || use http3 ); then
myconf+=(
--with-test-nghttpx="${BROOT}/usr/bin/nghttpx"
)
fi
# Since 8.12.0 adns/c-ares and the threaded resolver are mutually exclusive
# This is in support of some work to enable `httpsrr` to use adns and the rest
# of curl to use the threaded resolver; we'll just make `httpsrr` conditional on adns
# when the time comes.
if use adns; then
myconf+=(
--disable-threaded-resolver
)
else
myconf+=(
--enable-threaded-resolver
)
fi
ECONF_SOURCE="${S}" econf "${myconf[@]}"
if ! multilib_is_native_abi; then
# Avoid building the client (we just want libcurl for multilib)
sed -i -e '/SUBDIRS/s:src::' Makefile || die
sed -i -e '/SUBDIRS/s:scripts::' Makefile || die
fi
}
multilib_src_compile() {
default
if multilib_is_native_abi; then
# Shell completions
! tc-is-cross-compiler && emake -C scripts
fi
}
# There is also a pytest harness that tests for bugs in some very specific
# situations; we can rely on upstream for this rather than adding additional test deps.
multilib_src_test() {
# See https://github.com/curl/curl/blob/master/tests/runtests.pl#L5721
# -n: no valgrind (unreliable in sandbox and doesn't work correctly on all arches)
# -v: verbose
# -a: keep going on failure (so we see everything that breaks, not just 1st test)
# -k: keep test files after completion
# -am: automake style TAP output
# -p: print logs if test fails
# Note: if needed, we can skip specific tests. See e.g. Fedora's packaging
# or just read https://github.com/curl/curl/tree/master/tests#run.
# Note: we don't run the testsuite for cross-compilation.
# Upstream recommend 7*nproc as a starting point for parallel tests, but
# this ends up breaking when nproc is huge (like -j80).
# The network sandbox causes tests 241 and 1083 to fail; these are typically skipped
# as most gentoo users don't have an 'ip6-localhost'
multilib_is_native_abi && emake test TFLAGS="-n -v -a -k -am -p -j$((2*$(makeopts_jobs))) !241 !1083"
}
multilib_src_install() {
emake DESTDIR="${D}" install
if multilib_is_native_abi; then
# Shell completions
! tc-is-cross-compiler && emake -C scripts DESTDIR="${D}" install
fi
}
multilib_src_install_all() {
einstalldocs
find "${ED}" -type f -name '*.la' -delete || die
rm -rf "${ED}"/etc/ || die
}
pkg_postinst() {
if use debug; then
ewarn "USE=debug has been selected, enabling debug codepaths and making cURL extra verbose."
ewarn "Use this _only_ for testing. Debug builds should _not_ be used in anger."
ewarn "hic sunt dracones; you have been warned."
fi
}

@ -1,448 +0,0 @@
# Copyright 1999-2025 Gentoo Authors
# Distributed under the terms of the GNU General Public License v2
EAPI=8
# Maintainers should subscribe to the 'curl-distros' ML for backports etc
# https://daniel.haxx.se/blog/2024/03/25/curl-distro-report/
# https://lists.haxx.se/listinfo/curl-distros
VERIFY_SIG_OPENPGP_KEY_PATH=/usr/share/openpgp-keys/danielstenberg.asc
inherit autotools multilib-minimal multiprocessing prefix toolchain-funcs verify-sig
DESCRIPTION="A Client that groks URLs"
HOMEPAGE="https://curl.se/"
if [[ ${PV} == 9999 ]]; then
inherit git-r3
EGIT_REPO_URI="https://github.com/curl/curl.git"
else
if [[ ${P} == *rc* ]]; then
CURL_URI="https://curl.se/rc/"
S="${WORKDIR}/${P//_/-}"
else
CURL_URI="https://curl.se/download/"
KEYWORDS="~alpha amd64 arm arm64 ~hppa ~loong ~m68k ~mips ppc ppc64 ~riscv ~s390 ~sparc x86 ~amd64-linux ~x86-linux ~arm64-macos ~ppc-macos ~x64-macos ~x64-solaris"
fi
SRC_URI="
${CURL_URI}${P//_/-}.tar.xz
verify-sig? ( ${CURL_URI}${P//_/-}.tar.xz.asc )
"
fi
LICENSE="BSD curl ISC test? ( BSD-4 )"
SLOT="0"
IUSE="+adns +alt-svc brotli debug ech +ftp gnutls gopher +hsts +http2 +http3 +httpsrr idn +imap kerberos ldap"
IUSE+=" mbedtls +openssl +pop3 +psl +quic rtmp rustls samba sasl-scram +smtp ssh ssl static-libs test"
IUSE+=" telnet +tftp +websockets zstd"
# These select the default tls implementation / which quic impl to use
IUSE+=" +curl_quic_openssl curl_quic_ngtcp2 curl_ssl_gnutls curl_ssl_mbedtls +curl_ssl_openssl curl_ssl_rustls"
RESTRICT="!test? ( test )"
# HTTPS RR is technically usable with the threaded resolver, but it still uses c-ares to
# ask for the HTTPS RR record type; if DoH is in use the HTTPS record will be requested
# in addition to A and AAAA records.
# To simplify dependency management in the ebuild we'll require c-ares for HTTPS RR (for now?).
# HTTPS RR in cURL is a dependency for:
# - ECH (requires patched openssl or gnutls currently, enabled with rustls)
# - Fetching the ALPN list which should provide a better HTTP/3 experience.
# Only one default ssl / quic provider can be enabled
# The default provider needs its USE satisfied
# HTTP/3 and MultiSSL are mutually exclusive; it's not clear if MultiSSL offers any benefit at all in the modern day.
# https://github.com/curl/curl/commit/65ece771f4602107d9cdd339dff4b420280a2c2e
REQUIRED_USE="
ech? ( rustls )
httpsrr? ( adns )
quic? (
^^ (
curl_quic_openssl
curl_quic_ngtcp2
)
http3
ssl
)
ssl? (
^^ (
curl_ssl_gnutls
curl_ssl_mbedtls
curl_ssl_openssl
curl_ssl_rustls
)
)
curl_quic_openssl? (
curl_ssl_openssl
!gnutls
!mbedtls
!rustls
)
curl_quic_ngtcp2? (
curl_ssl_gnutls
!mbedtls
!openssl
!rustls
)
curl_ssl_gnutls? ( gnutls )
curl_ssl_mbedtls? ( mbedtls )
curl_ssl_openssl? ( openssl )
curl_ssl_rustls? ( rustls )
http3? ( alt-svc httpsrr quic )
"
# cURL's docs and CI/CD are great resources for confirming supported versions
# particulary for fast-moving targets like HTTP/2 and TCP/2 e.g.:
# - https://github.com/curl/curl/blob/master/docs/INTERNALS.md (core dependencies + minimum versions)
# - https://github.com/curl/curl/blob/master/docs/HTTP3.md (example of a feature that moves quickly)
# - https://github.com/curl/curl/blob/master/.github/workflows/http3-linux.yml (CI/CD for TCP/2)
# However 'supported' vs 'works' are two entirely different things; be sane but
# don't be afraid to require a later version.
# ngtcp2 = https://bugs.gentoo.org/912029 - can only build with one tls backend at a time.
RDEPEND="
>=sys-libs/zlib-1.2.5[${MULTILIB_USEDEP}]
adns? ( >=net-dns/c-ares-1.16.0:=[${MULTILIB_USEDEP}] )
brotli? ( app-arch/brotli:=[${MULTILIB_USEDEP}] )
http2? ( >=net-libs/nghttp2-1.15.0:=[${MULTILIB_USEDEP}] )
http3? ( >=net-libs/nghttp3-1.1.0[${MULTILIB_USEDEP}] )
idn? ( >=net-dns/libidn2-2.0.0:=[static-libs?,${MULTILIB_USEDEP}] )
kerberos? ( >=virtual/krb5-0-r1[${MULTILIB_USEDEP}] )
ldap? ( >=net-nds/openldap-2.0.0:=[static-libs?,${MULTILIB_USEDEP}] )
psl? ( net-libs/libpsl[${MULTILIB_USEDEP}] )
quic? (
curl_quic_openssl? ( >=dev-libs/openssl-3.3.0:=[quic,${MULTILIB_USEDEP}] )
curl_quic_ngtcp2? ( >=net-libs/ngtcp2-1.2.0[gnutls,ssl,-openssl,${MULTILIB_USEDEP}] )
)
rtmp? ( media-video/rtmpdump[${MULTILIB_USEDEP}] )
ssh? ( >=net-libs/libssh2-1.2.8[${MULTILIB_USEDEP}] )
sasl-scram? ( >=net-misc/gsasl-2.2.0[static-libs?,${MULTILIB_USEDEP}] )
ssl? (
gnutls? (
app-misc/ca-certificates
>=net-libs/gnutls-3.1.10:=[static-libs?,${MULTILIB_USEDEP}]
dev-libs/nettle:=[${MULTILIB_USEDEP}]
)
mbedtls? (
app-misc/ca-certificates
net-libs/mbedtls:0=[${MULTILIB_USEDEP}]
)
openssl? (
>=dev-libs/openssl-1.0.2:=[static-libs?,${MULTILIB_USEDEP}]
)
rustls? (
>=net-libs/rustls-ffi-0.15.0:=[${MULTILIB_USEDEP}]
)
)
zstd? ( app-arch/zstd:=[${MULTILIB_USEDEP}] )
"
DEPEND="${RDEPEND}"
BDEPEND="
dev-lang/perl
virtual/pkgconfig
test? (
sys-apps/diffutils
http2? ( >=net-libs/nghttp2-1.15.0:=[utils,${MULTILIB_USEDEP}] )
http3? ( net-libs/nghttp2:=[utils,${MULTILIB_USEDEP}] )
)
verify-sig? ( sec-keys/openpgp-keys-danielstenberg )
"
DOCS=( README docs/{FEATURES.md,INTERNALS.md,FAQ,BUGS.md,CONTRIBUTE.md} )
MULTILIB_WRAPPED_HEADERS=(
/usr/include/curl/curlbuild.h
)
MULTILIB_CHOST_TOOLS=(
/usr/bin/curl-config
)
QA_CONFIG_IMPL_DECL_SKIP=(
__builtin_available
closesocket
CloseSocket
getpass_r
ioctlsocket
IoctlSocket
mach_absolute_time
setmode
_fseeki64
# custom AC_LINK_IFELSE code fails to link even without -Werror
OSSL_QUIC_client_method
)
PATCHES=(
"${FILESDIR}/${PN}-prefix-4.patch"
"${FILESDIR}/${PN}-respect-cflags-3.patch"
"${FILESDIR}/${P}-gssapi-non-ssl-build.patch"
"${FILESDIR}/${P}-hostip-correct-proxy-name.patch"
"${FILESDIR}/${P}-http2-stream-window-size.patch"
"${FILESDIR}/${P}-httpsrr-target-check.patch"
"${FILESDIR}/${P}-krb5-ftp.patch"
"${FILESDIR}/${P}-openssl-quic-stream-shutdown.patch"
)
src_prepare() {
default
eprefixify curl-config.in
eautoreconf
}
# Generates TLS-related configure options based on USE flags.
# Outputs options suitable for appending to a configure options array.
_get_curl_tls_configure_opts() {
local tls_opts=()
local backend flag_name
for backend in gnutls mbedtls openssl rustls; do
if [[ "$backend" == "openssl" ]]; then
flag_name="ssl"
tls_opts+=( "--with-ca-path=${EPREFIX}/etc/ssl/certs")
else
flag_name="$backend"
fi
if use "$backend"; then
tls_opts+=( "--with-${flag_name}" )
else
# If a single backend is enabled, 'ssl' is required, openssl is the default / fallback
if ! [[ "$backend" == "openssl" ]]; then
tls_opts+=( "--without-${flag_name}" )
fi
fi
done
if use curl_ssl_gnutls; then
multilib_is_native_abi && einfo "Default TLS backend: gnutls"
tls_opts+=( "--with-default-ssl-backend=gnutls" )
elif use curl_ssl_mbedtls; then
multilib_is_native_abi && einfo "Default TLS backend: mbedtls"
tls_opts+=( "--with-default-ssl-backend=mbedtls" )
elif use curl_ssl_openssl; then
multilib_is_native_abi && einfo "Default TLS backend: openssl"
tls_opts+=( "--with-default-ssl-backend=openssl" )
elif use curl_ssl_rustls; then
multilib_is_native_abi && einfo "Default TLS backend: rustls"
tls_opts+=( "--with-default-ssl-backend=rustls" )
else
eerror "We can't be here because of REQUIRED_USE."
die "Please file a bug, hit impossible condition w/ USE=ssl handling."
fi
# Explicitly Disable unimplemented b
tls_opts+=(
--without-amissl
--without-bearssl
--without-wolfssl
)
printf "%s\n" "${tls_opts[@]}"
}
multilib_src_configure() {
# We make use of the fact that later flags override earlier ones
# So start with all ssl providers off until proven otherwise
# TODO: in the future, we may want to add wolfssl (https://www.wolfssl.com/)
local myconf=()
myconf+=( --without-ca-fallback --with-ca-bundle="${EPREFIX}"/etc/ssl/certs/ca-certificates.crt )
if use ssl; then
local -a tls_backend_opts
readarray -t tls_backend_opts < <(_get_curl_tls_configure_opts)
myconf+=("${tls_backend_opts[@]}")
if use quic; then
myconf+=(
$(use_with curl_quic_ngtcp2 ngtcp2)
$(use_with curl_quic_openssl openssl-quic)
)
else
# Without a REQUIRED_USE to ensure that QUIC was requested when at least one default backend is
# enabled we need ensure that we don't try to build QUIC support
myconf+=( --without-ngtcp2 --without-openssl-quic )
fi
else
myconf+=( --without-ssl )
einfo "SSL disabled"
fi
# These configuration options are organised alphabetically by category/type
# Protocols
# `grep SUPPORT_PROTOCOLS=\" configure.ac | awk '{ print substr($2, 1, length($2)-1)}' | sort`
# Assume that anything omitted (that is not new!) is enabled by default with no deps
myconf+=(
--enable-file
$(use_enable ftp)
$(use_enable gopher)
--enable-http
$(use_enable imap) # Automatic IMAPS if TLS is enabled
$(use_enable ldap ldaps)
$(use_enable ldap)
$(use_enable pop3)
$(use_enable samba smb)
$(use_with ssh libssh2) # enables scp/sftp
$(use_with rtmp librtmp)
--enable-rtsp
$(use_enable smtp)
$(use_enable telnet)
$(use_enable tftp)
$(use_enable websockets)
)
# Keep various 'HTTP-flavoured' options together
myconf+=(
$(use_enable alt-svc)
$(use_enable hsts)
$(use_enable httpsrr)
$(use_with http2 nghttp2)
$(use_with http3 nghttp3)
)
# --enable/disable options
# `grep -- --enable configure | grep Check | awk '{ print $4 }' | sort`
myconf+=(
$(use_enable adns ares)
--enable-aws
--enable-basic-auth
--enable-bearer-auth
--enable-cookies
--enable-dateparse
--enable-dict
--enable-digest-auth
--enable-dnsshuffle
--enable-doh
$(use_enable ech)
--enable-http-auth
--enable-ipv6
--enable-kerberos-auth
--enable-largefile
--enable-manual
--enable-mime
--enable-negotiate-auth
--enable-netrc
--enable-ntlm
--enable-progress-meter
--enable-proxy
--enable-rt
--enable-socketpair
--disable-sspi
$(use_enable static-libs static)
--enable-symbol-hiding
--enable-tls-srp
--disable-versioned-symbols
)
# --with/without options
# `grep -- --with configure | grep Check | awk '{ print $4 }' | sort`
myconf+=(
$(use_with brotli)
--with-fish-functions-dir="${EPREFIX}"/usr/share/fish/vendor_completions.d
$(use_with idn libidn2)
$(use_with kerberos gssapi "${EPREFIX}"/usr)
$(use_with sasl-scram libgsasl)
$(use_with psl libpsl)
--without-msh3
--without-quiche
--without-schannel
--without-secure-transport
--without-winidn
--with-zlib
--with-zsh-functions-dir="${EPREFIX}"/usr/share/zsh/site-functions
$(use_with zstd)
)
# Test deps (disabled)
myconf+=(
--without-test-caddy
--without-test-httpd
--without-test-nghttpx
)
if use debug; then
myconf+=(
--enable-debug
)
fi
if use test && multilib_is_native_abi && ( use http2 || use http3 ); then
myconf+=(
--with-test-nghttpx="${BROOT}/usr/bin/nghttpx"
)
fi
# Since 8.12.0 adns/c-ares and the threaded resolver are mutually exclusive
# This is in support of some work to enable `httpsrr` to use adns and the rest
# of curl to use the threaded resolver; for us `httpsrr` is conditional on adns.
if use adns; then
myconf+=(
--disable-threaded-resolver
)
else
myconf+=(
--enable-threaded-resolver
)
fi
ECONF_SOURCE="${S}" econf "${myconf[@]}"
if ! multilib_is_native_abi; then
# Avoid building the client (we just want libcurl for multilib)
sed -i -e '/SUBDIRS/s:src::' Makefile || die
sed -i -e '/SUBDIRS/s:scripts::' Makefile || die
fi
}
multilib_src_compile() {
default
if multilib_is_native_abi; then
# Shell completions
! tc-is-cross-compiler && emake -C scripts
fi
}
# There is also a pytest harness that tests for bugs in some very specific
# situations; we can rely on upstream for this rather than adding additional test deps.
multilib_src_test() {
# See https://github.com/curl/curl/blob/master/tests/runtests.pl#L5721
# -n: no valgrind (unreliable in sandbox and doesn't work correctly on all arches)
# -v: verbose
# -a: keep going on failure (so we see everything that breaks, not just 1st test)
# -k: keep test files after completion
# -am: automake style TAP output
# -p: print logs if test fails
# Note: if needed, we can skip specific tests. See e.g. Fedora's packaging
# or just read https://github.com/curl/curl/tree/master/tests#run.
# Note: we don't run the testsuite for cross-compilation.
# Upstream recommend 7*nproc as a starting point for parallel tests, but
# this ends up breaking when nproc is huge (like -j80).
# The network sandbox causes tests 241 and 1083 to fail; these are typically skipped
# as most gentoo users don't have an 'ip6-localhost'
multilib_is_native_abi && emake test TFLAGS="-n -v -a -k -am -p -j$((2*$(makeopts_jobs))) !241 !1083"
}
multilib_src_install() {
emake DESTDIR="${D}" install
if multilib_is_native_abi; then
# Shell completions
! tc-is-cross-compiler && emake -C scripts DESTDIR="${D}" install
fi
}
multilib_src_install_all() {
einstalldocs
find "${ED}" -type f -name '*.la' -delete || die
rm -rf "${ED}"/etc/ || die
}
pkg_postinst() {
if use debug; then
ewarn "USE=debug has been selected, enabling debug codepaths and making cURL extra verbose."
ewarn "Use this _only_ for testing. Debug builds should _not_ be used in anger."
ewarn "hic sunt dracones; you have been warned."
fi
}

@ -175,6 +175,8 @@ QA_CONFIG_IMPL_DECL_SKIP=(
PATCHES=(
"${FILESDIR}/${PN}-prefix-5.patch"
"${FILESDIR}/${PN}-respect-cflags-3.patch"
"${FILESDIR}/${P}-ssl_verifyhost.patch"
"${FILESDIR}/${P}-pthread_cancel.patch"
)
src_prepare() {
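Review bot: The two `${P}`-prefixed entries in PATCHES, `${P}-ssl_verifyhost.patch` and `${P}-pthread_cancel.patch`, carry no hint of which upstream commit or bug each one backports. They are presumably the lines this hunk adds, although the +/- markers did not survive rendering. Judging by its name, the first one touches TLS host verification, so a one-line comment above them such as `# upstream backports; drop on the next version bump`, with the upstream commit reference for each, would let a reviewer confirm provenance from the ebuild alone. The patch files themselves are not visible in this part of the page. PATCHES is complete within the hunk, but the body of src_prepare continues outside it.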

@ -1,28 +0,0 @@
https://github.com/curl/curl/commit/fe5f435b42a6c928b57c61db5d57f96b5c5a39be
From: Andrew <akirillo@uk.ibm.com>
Date: Wed, 2 Apr 2025 13:45:21 +0100
Subject: [PATCH] http_negotiate: fix non-SSL build with GSSAPI
Fixes #16919
Closes #16921
--- a/lib/http_negotiate.c
+++ b/lib/http_negotiate.c
@@ -110,8 +110,8 @@ CURLcode Curl_input_negotiate(struct Curl_easy *data, struct connectdata *conn,
#endif
/* Check if the connection is using SSL and get the channel binding data */
#ifdef HAVE_GSSAPI
- Curl_dyn_init(&neg_ctx->channel_binding_data, SSL_CB_MAX_SIZE + 1);
#ifdef USE_SSL
+ Curl_dyn_init(&neg_ctx->channel_binding_data, SSL_CB_MAX_SIZE + 1);
if(Curl_conn_is_ssl(conn, FIRSTSOCKET)) {
result = Curl_ssl_get_channel_binding(
data, FIRSTSOCKET, &neg_ctx->channel_binding_data);
@@ -120,6 +120,8 @@ CURLcode Curl_input_negotiate(struct Curl_easy *data, struct connectdata *conn,
return result;
}
}
+#else
+ Curl_dyn_init(&neg_ctx->channel_binding_data, 1);
#endif /* USE_SSL */
#endif /* HAVE_GSSAPI */

@ -1,46 +0,0 @@
https://github.com/curl/curl/commit/db3e7a24b5339860fb91cf0d932e8ae13a01e472
From: Daniel Stenberg <daniel@haxx.se>
Date: Fri, 4 Apr 2025 12:34:09 +0200
Subject: [PATCH] hostip: show the correct name on proxy resolve error
Regression, probably from 8ded8e5f3f4b6586399 (#16451)
Fixes #16958
Reported-by: Jean-Christophe Amiel
Closes #16961
--- a/lib/hostip.c
+++ b/lib/hostip.c
@@ -1494,25 +1494,21 @@ CURLcode Curl_once_resolved(struct Curl_easy *data, bool *protocol_done)
#ifdef USE_CURL_ASYNC
CURLcode Curl_resolver_error(struct Curl_easy *data)
{
- const char *host_or_proxy;
- CURLcode result;
+ struct connectdata *conn = data->conn;
+ const char *host_or_proxy = "host";
+ const char *name = conn->host.dispname;
+ CURLcode result = CURLE_COULDNT_RESOLVE_HOST;
#ifndef CURL_DISABLE_PROXY
- struct connectdata *conn = data->conn;
- if(conn->bits.httpproxy) {
+ if(conn->bits.proxy) {
host_or_proxy = "proxy";
result = CURLE_COULDNT_RESOLVE_PROXY;
+ name = conn->socks_proxy.host.name ? conn->socks_proxy.host.dispname :
+ conn->http_proxy.host.dispname;
}
- else
#endif
- {
- host_or_proxy = "host";
- result = CURLE_COULDNT_RESOLVE_HOST;
- }
-
- failf(data, "Could not resolve %s: %s", host_or_proxy,
- data->conn->host.dispname);
+ failf(data, "Could not resolve %s: %s", host_or_proxy, name);
return result;
}
#endif /* USE_CURL_ASYNC */

@ -1,143 +0,0 @@
https://github.com/curl/curl/commit/5fbd78eb2dc4afbd8884e8eed27147fc3d4318f6
From: Stefan Eissing <stefan@eissing.org>
Date: Fri, 4 Apr 2025 10:43:13 +0200
Subject: [PATCH] http2: fix stream window size after unpausing
When pausing a HTTP/2 transfer, the stream's local window size
is reduced to 0 to prevent the server from sending further data
which curl cannot write out to the application.
When unpausing again, the stream's window size was not correctly
increased again. The attempt to trigger a window update was
ignored by nghttp2, the server never received it and the transfer
stalled.
Add a debug feature to allow use of small window sizes which
reproduces this bug in test_02_21.
Fixes #16955
Closes #16960
--- a/docs/libcurl/libcurl-env-dbg.md
+++ b/docs/libcurl/libcurl-env-dbg.md
@@ -147,3 +147,8 @@ Make a blocking, graceful shutdown of all remaining connections when
a multi handle is destroyed. This implicitly triggers for easy handles
that are run via easy_perform. The value of the environment variable
gives the shutdown timeout in milliseconds.
+
+## `CURL_H2_STREAM_WIN_MAX`
+
+Set to a positive 32-bit number to override the HTTP/2 stream window's
+default of 10MB. Used in testing to verify correct window update handling.
--- a/lib/http2.c
+++ b/lib/http2.c
@@ -44,6 +44,7 @@
#include "connect.h"
#include "rand.h"
#include "strdup.h"
+#include "strparse.h"
#include "transfer.h"
#include "dynbuf.h"
#include "headers.h"
@@ -141,6 +142,9 @@ struct cf_h2_ctx {
uint32_t goaway_error; /* goaway error code from server */
int32_t remote_max_sid; /* max id processed by server */
int32_t local_max_sid; /* max id processed by us */
+#ifdef DEBUGBUILD
+ int32_t stream_win_max; /* max h2 stream window size */
+#endif
BIT(initialized);
BIT(via_h1_upgrade);
BIT(conn_closed);
@@ -166,6 +170,18 @@ static void cf_h2_ctx_init(struct cf_h2_ctx *ctx, bool via_h1_upgrade)
Curl_hash_offt_init(&ctx->streams, 63, h2_stream_hash_free);
ctx->remote_max_sid = 2147483647;
ctx->via_h1_upgrade = via_h1_upgrade;
+#ifdef DEBUGBUILD
+ {
+ const char *p = getenv("CURL_H2_STREAM_WIN_MAX");
+
+ ctx->stream_win_max = H2_STREAM_WINDOW_SIZE_MAX;
+ if(p) {
+ curl_off_t l;
+ if(!Curl_str_number(&p, &l, INT_MAX))
+ ctx->stream_win_max = (int32_t)l;
+ }
+ }
+#endif
ctx->initialized = TRUE;
}
@@ -285,7 +301,15 @@ static int32_t cf_h2_get_desired_local_win(struct Curl_cfilter *cf,
* This gets less precise the higher the latency. */
return (int32_t)data->set.max_recv_speed;
}
+#ifdef DEBUGBUILD
+ else {
+ struct cf_h2_ctx *ctx = cf->ctx;
+ CURL_TRC_CF(data, cf, "stream_win_max=%d", ctx->stream_win_max);
+ return ctx->stream_win_max;
+ }
+#else
return H2_STREAM_WINDOW_SIZE_MAX;
+#endif
}
static CURLcode cf_h2_update_local_win(struct Curl_cfilter *cf,
@@ -302,6 +326,13 @@ static CURLcode cf_h2_update_local_win(struct Curl_cfilter *cf,
int32_t wsize = nghttp2_session_get_stream_effective_local_window_size(
ctx->h2, stream->id);
if(dwsize > wsize) {
+ rv = nghttp2_session_set_local_window_size(ctx->h2, NGHTTP2_FLAG_NONE,
+ stream->id, dwsize);
+ if(rv) {
+ failf(data, "[%d] nghttp2 set_local_window_size(%d) failed: "
+ "%s(%d)", stream->id, dwsize, nghttp2_strerror(rv), rv);
+ return CURLE_HTTP2;
+ }
rv = nghttp2_submit_window_update(ctx->h2, NGHTTP2_FLAG_NONE,
stream->id, dwsize - wsize);
if(rv) {
--- a/tests/http/test_02_download.py
+++ b/tests/http/test_02_download.py
@@ -313,9 +313,9 @@ def test_02_20_h2_small_frames(self, env: Env, httpd):
assert httpd.stop()
assert httpd.start()
- # download via lib client, 1 at a time, pause/resume at different offsets
+ # download serial via lib client, pause/resume at different offsets
@pytest.mark.parametrize("pause_offset", [0, 10*1024, 100*1023, 640000])
- @pytest.mark.parametrize("proto", ['http/1.1', 'h2', 'h3'])
+ @pytest.mark.parametrize("proto", ['http/1.1', 'h3'])
def test_02_21_lib_serial(self, env: Env, httpd, nghttpx, proto, pause_offset):
if proto == 'h3' and not env.have_h3():
pytest.skip("h3 not supported")
@@ -332,6 +332,29 @@ def test_02_21_lib_serial(self, env: Env, httpd, nghttpx, proto, pause_offset):
srcfile = os.path.join(httpd.docs_dir, docname)
self.check_downloads(client, srcfile, count)
+ # h2 download parallel via lib client, pause/resume at different offsets
+ # debug-override stream window size to reproduce #16955
+ @pytest.mark.parametrize("pause_offset", [0, 10*1024, 100*1023, 640000])
+ @pytest.mark.parametrize("swin_max", [0, 10*1024])
+ def test_02_21_h2_lib_serial(self, env: Env, httpd, pause_offset, swin_max):
+ proto = 'h2'
+ count = 2
+ docname = 'data-10m'
+ url = f'https://localhost:{env.https_port}/{docname}'
+ run_env = os.environ.copy()
+ run_env['CURL_DEBUG'] = 'multi,http/2'
+ if swin_max > 0:
+ run_env['CURL_H2_STREAM_WIN_MAX'] = f'{swin_max}'
+ client = LocalClient(name='hx-download', env=env, run_env=run_env)
+ if not client.exists():
+ pytest.skip(f'example client not built: {client.name}')
+ r = client.run(args=[
+ '-n', f'{count}', '-P', f'{pause_offset}', '-V', proto, url
+ ])
+ r.check_exit_code(0)
+ srcfile = os.path.join(httpd.docs_dir, docname)
+ self.check_downloads(client, srcfile, count)
+
# download via lib client, several at a time, pause/resume
@pytest.mark.parametrize("pause_offset", [100*1023])
@pytest.mark.parametrize("proto", ['http/1.1', 'h2', 'h3'])


@ -1,22 +0,0 @@
https://github.com/curl/curl/commit/4f3c22d77d752fea6ff9ab2706f70d58882ea466
From: Stefan Eissing <stefan@eissing.org>
Date: Fri, 4 Apr 2025 18:10:28 +0200
Subject: [PATCH] https-connect, fix httpsrr target check
The HTTPSRR check on the record's target was not working as it used the
wrong index on the NUL byte if the target was not NULL.
Fixes #16966
Reported-by: Pavel Kropachev
Closes #16968
--- a/lib/cf-https-connect.c
+++ b/lib/cf-https-connect.c
@@ -673,7 +673,7 @@ CURLcode Curl_cf_https_setup(struct Curl_easy *data,
(!conn->dns_entry->hinfo->target || /* for same host */
!conn->dns_entry->hinfo->target[0] ||
(conn->dns_entry->hinfo->target[0] == '.' &&
- !conn->dns_entry->hinfo->target[0])) &&
+ !conn->dns_entry->hinfo->target[1])) &&
(conn->dns_entry->hinfo->port < 0 || /* for same port */
conn->dns_entry->hinfo->port == conn->remote_port)) {
size_t i;


@ -1,19 +0,0 @@
https://github.com/curl/curl/commit/5caba3bd97a14b64d906ece77bc0e2b339161a1f
From: Daniel Stenberg <daniel@haxx.se>
Date: Thu, 3 Apr 2025 08:49:20 +0200
Subject: [PATCH] curl_krb5: only use functions if FTP is still enabled
Reported-by: x1sc0 on github
Fixes #16925
Closes #16931
--- a/lib/curl_krb5.h
+++ b/lib/curl_krb5.h
@@ -39,7 +39,7 @@ struct Curl_sec_client_mech {
#define AUTH_CONTINUE 1
#define AUTH_ERROR 2
-#ifdef HAVE_GSSAPI
+#if defined(HAVE_GSSAPI) && !defined(CURL_DISABLE_FTP)
void Curl_sec_conn_init(struct connectdata *);
void Curl_sec_conn_destroy(struct connectdata *);
int Curl_sec_read_msg(struct Curl_easy *data, struct connectdata *conn, char *,


@ -1,44 +0,0 @@
https://github.com/curl/curl/commit/219302b4e64e2337c50d86056e9af2103b281e7e
From: Stefan Eissing <stefan@eissing.org>
Date: Wed, 9 Apr 2025 11:01:54 +0200
Subject: [PATCH] openssl-quic: fix shutdown when stream not open
Check that h3 stream had been opened before telling nghttp3 to
shut it down.
Fixes #16998
Reported-by: Demi Marie Obenour
Closes #17003
--- a/lib/vquic/curl_osslq.c
+++ b/lib/vquic/curl_osslq.c
@@ -654,7 +654,7 @@ static void h3_data_done(struct Curl_cfilter *cf, struct Curl_easy *data)
if(stream) {
CURL_TRC_CF(data, cf, "[%"FMT_PRId64"] easy handle is done",
stream->s.id);
- if(ctx->h3.conn && !stream->closed) {
+ if(ctx->h3.conn && (stream->s.id >= 0) && !stream->closed) {
nghttp3_conn_shutdown_stream_read(ctx->h3.conn, stream->s.id);
nghttp3_conn_close_stream(ctx->h3.conn, stream->s.id,
NGHTTP3_H3_REQUEST_CANCELLED);
--- a/tests/http/test_01_basic.py
+++ b/tests/http/test_01_basic.py
@@ -242,3 +242,19 @@ def test_01_15_gigalarge_resp_headers(self, env: Env, httpd, proto):
r.check_exit_code(16) # CURLE_HTTP2
else:
r.check_exit_code(100) # CURLE_TOO_LARGE
+
+ # http: invalid request headers, GET, issue #16998
+ @pytest.mark.parametrize("proto", ['http/1.1', 'h2', 'h3'])
+ def test_01_16_inv_req_get(self, env: Env, httpd, proto):
+ if proto == 'h3' and not env.have_h3():
+ pytest.skip("h3 not supported")
+ curl = CurlClient(env=env)
+ url = f'https://{env.authority_for(env.domain1, proto)}/curltest/echo'
+ r = curl.http_get(url=url, alpn_proto=proto, extra_args=[
+ '-H', "a: a\x0ab"
+ ])
+ # on h1, request is sent, h2/h3 reject
+ if proto == 'http/1.1':
+ r.check_exit_code(0)
+ else:
+ r.check_exit_code(43)


@ -0,0 +1,399 @@
https://github.com/curl/curl/commit/de3fc1d7adb78c078e4cc7ccc48e550758094ad3
From: Stefan Eissing <stefan@eissing.org>
Date: Sat, 13 Sep 2025 15:25:53 +0200
Subject: [PATCH] asyn-thrdd: drop pthread_cancel
Remove use of pthread_cancel in asnyc threaded resolving. While there
are system where this works, others might leak to resource leakage
(memory, files, etc.). The popular nsswitch is one example where resolve
code can be dragged in that is not prepared.
The overall promise and mechanism of pthread_cancel() is just too
brittle and the historcal design of getaddrinfo() continues to haunt us.
Fixes #18532
Reported-by: Javier Blazquez
Closes #18540
--- a/docs/libcurl/libcurl-env-dbg.md
+++ b/docs/libcurl/libcurl-env-dbg.md
@@ -83,11 +83,6 @@ When built with c-ares for name resolving, setting this environment variable
to `[IP:port]` makes libcurl use that DNS server instead of the system
default. This is used by the curl test suite.
-## `CURL_DNS_DELAY_MS`
-
-Delay the DNS resolve by this many milliseconds. This is used in the test
-suite to check proper handling of CURLOPT_CONNECTTIMEOUT(3).
-
## `CURL_FTP_PWD_STOP`
When set, the first transfer - when using ftp: - returns before sending
--- a/lib/asyn-thrdd.c
+++ b/lib/asyn-thrdd.c
@@ -199,14 +199,6 @@ addr_ctx_create(struct Curl_easy *data,
return NULL;
}
-static void async_thrd_cleanup(void *arg)
-{
- struct async_thrdd_addr_ctx *addr_ctx = arg;
-
- Curl_thread_disable_cancel();
- addr_ctx_unlink(&addr_ctx, NULL);
-}
-
#ifdef HAVE_GETADDRINFO
/*
@@ -220,15 +212,6 @@ static CURL_THREAD_RETURN_T CURL_STDCALL getaddrinfo_thread(void *arg)
struct async_thrdd_addr_ctx *addr_ctx = arg;
bool do_abort;
-/* clang complains about empty statements and the pthread_cleanup* macros
- * are pretty ill defined. */
-#if defined(__clang__)
-#pragma clang diagnostic push
-#pragma clang diagnostic ignored "-Wextra-semi-stmt"
-#endif
-
- Curl_thread_push_cleanup(async_thrd_cleanup, addr_ctx);
-
Curl_mutex_acquire(&addr_ctx->mutx);
do_abort = addr_ctx->do_abort;
Curl_mutex_release(&addr_ctx->mutx);
@@ -237,9 +220,6 @@ static CURL_THREAD_RETURN_T CURL_STDCALL getaddrinfo_thread(void *arg)
char service[12];
int rc;
-#ifdef DEBUGBUILD
- Curl_resolve_test_delay();
-#endif
msnprintf(service, sizeof(service), "%d", addr_ctx->port);
rc = Curl_getaddrinfo_ex(addr_ctx->hostname, service,
@@ -274,11 +254,6 @@ static CURL_THREAD_RETURN_T CURL_STDCALL getaddrinfo_thread(void *arg)
}
- Curl_thread_pop_cleanup();
-#if defined(__clang__)
-#pragma clang diagnostic pop
-#endif
-
addr_ctx_unlink(&addr_ctx, NULL);
return 0;
}
@@ -293,24 +268,11 @@ static CURL_THREAD_RETURN_T CURL_STDCALL gethostbyname_thread(void *arg)
struct async_thrdd_addr_ctx *addr_ctx = arg;
bool do_abort;
-/* clang complains about empty statements and the pthread_cleanup* macros
- * are pretty ill defined. */
-#if defined(__clang__)
-#pragma clang diagnostic push
-#pragma clang diagnostic ignored "-Wextra-semi-stmt"
-#endif
-
- Curl_thread_push_cleanup(async_thrd_cleanup, addr_ctx);
-
Curl_mutex_acquire(&addr_ctx->mutx);
do_abort = addr_ctx->do_abort;
Curl_mutex_release(&addr_ctx->mutx);
if(!do_abort) {
-#ifdef DEBUGBUILD
- Curl_resolve_test_delay();
-#endif
-
addr_ctx->res = Curl_ipv4_resolve_r(addr_ctx->hostname, addr_ctx->port);
if(!addr_ctx->res) {
addr_ctx->sock_error = SOCKERRNO;
@@ -337,12 +299,7 @@ static CURL_THREAD_RETURN_T CURL_STDCALL gethostbyname_thread(void *arg)
#endif
}
- Curl_thread_pop_cleanup();
-#if defined(__clang__)
-#pragma clang diagnostic pop
-#endif
-
- async_thrd_cleanup(addr_ctx);
+ addr_ctx_unlink(&addr_ctx, NULL);
return 0;
}
@@ -381,12 +338,12 @@ static void async_thrdd_destroy(struct Curl_easy *data)
CURL_TRC_DNS(data, "async_thrdd_destroy, thread joined");
}
else {
- /* thread is still running. Detach the thread while mutexed, it will
- * trigger the cleanup when it releases its reference. */
+ /* thread is still running. Detach it. */
Curl_thread_destroy(&addr->thread_hnd);
CURL_TRC_DNS(data, "async_thrdd_destroy, thread detached");
}
}
+ /* release our reference to the shared context */
addr_ctx_unlink(&thrdd->addr, data);
}
@@ -532,10 +489,12 @@ static void async_thrdd_shutdown(struct Curl_easy *data)
done = addr_ctx->thrd_done;
Curl_mutex_release(&addr_ctx->mutx);
- DEBUGASSERT(addr_ctx->thread_hnd != curl_thread_t_null);
- if(!done && (addr_ctx->thread_hnd != curl_thread_t_null)) {
- CURL_TRC_DNS(data, "cancelling resolve thread");
- (void)Curl_thread_cancel(&addr_ctx->thread_hnd);
+ /* Wait for the thread to terminate if it is already marked done. If it is
+ not done yet we cannot do anything here. We had tried pthread_cancel but
+ it caused hanging and resource leaks (#18532). */
+ if(done && (addr_ctx->thread_hnd != curl_thread_t_null)) {
+ Curl_thread_join(&addr_ctx->thread_hnd);
+ CURL_TRC_DNS(data, "async_thrdd_shutdown, thread joined");
}
}
@@ -553,9 +512,11 @@ static CURLcode asyn_thrdd_await(struct Curl_easy *data,
if(!entry)
async_thrdd_shutdown(data);
- CURL_TRC_DNS(data, "resolve, wait for thread to finish");
- if(!Curl_thread_join(&addr_ctx->thread_hnd)) {
- DEBUGASSERT(0);
+ if(addr_ctx->thread_hnd != curl_thread_t_null) {
+ CURL_TRC_DNS(data, "resolve, wait for thread to finish");
+ if(!Curl_thread_join(&addr_ctx->thread_hnd)) {
+ DEBUGASSERT(0);
+ }
}
if(entry)
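Review bot: The join added in asyn_thrdd_await now waits for the resolver thread with nothing left to interrupt it, because async_thrdd_shutdown (the previous hunk) no longer acts on a thread that is not yet done. Presumably Curl_thread_join blocks until the thread exits, so a slow or unresponsive name server can hold the caller for as long as the system resolver takes. The commit message accepts that trade-off, but the call site does not record it; a comment above the join such as `/* blocks until the resolver returns; the thread can no longer be cancelled (#18532) */` would. The same patch also removes CURL_DNS_DELAY_MS and test795, the one test on this page that exercised --connect-timeout against a delayed resolve, so this path is left without visible regression coverage. asyn_thrdd_await starts and ends outside the hunk.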
--- a/lib/curl_threads.c
+++ b/lib/curl_threads.c
@@ -100,34 +100,6 @@ int Curl_thread_join(curl_thread_t *hnd)
return ret;
}
-/* do not use pthread_cancel if:
- * - pthread_cancel seems to be absent
- * - on FreeBSD, as we see hangers in CI testing
- * - this is a -fsanitize=thread build
- * (clang sanitizer reports false positive when functions to not return)
- */
-#if defined(PTHREAD_CANCEL_ENABLE) && !defined(__FreeBSD__)
-#if defined(__has_feature)
-# if !__has_feature(thread_sanitizer)
-#define USE_PTHREAD_CANCEL
-# endif
-#else /* __has_feature */
-#define USE_PTHREAD_CANCEL
-#endif /* !__has_feature */
-#endif /* PTHREAD_CANCEL_ENABLE && !__FreeBSD__ */
-
-int Curl_thread_cancel(curl_thread_t *hnd)
-{
- (void)hnd;
- if(*hnd != curl_thread_t_null)
-#ifdef USE_PTHREAD_CANCEL
- return pthread_cancel(**hnd);
-#else
- return 1; /* not supported */
-#endif
- return 0;
-}
-
#elif defined(USE_THREADS_WIN32)
curl_thread_t Curl_thread_create(CURL_THREAD_RETURN_T
@@ -182,12 +154,4 @@ int Curl_thread_join(curl_thread_t *hnd)
return ret;
}
-int Curl_thread_cancel(curl_thread_t *hnd)
-{
- if(*hnd != curl_thread_t_null) {
- return 1; /* not supported */
- }
- return 0;
-}
-
#endif /* USE_THREADS_* */
--- a/lib/curl_threads.h
+++ b/lib/curl_threads.h
@@ -66,22 +66,6 @@ void Curl_thread_destroy(curl_thread_t *hnd);
int Curl_thread_join(curl_thread_t *hnd);
-int Curl_thread_cancel(curl_thread_t *hnd);
-
-#if defined(USE_THREADS_POSIX) && defined(PTHREAD_CANCEL_ENABLE)
-#define Curl_thread_push_cleanup(a,b) pthread_cleanup_push(a,b)
-#define Curl_thread_pop_cleanup() pthread_cleanup_pop(0)
-#define Curl_thread_enable_cancel() \
- pthread_setcancelstate(PTHREAD_CANCEL_ENABLE, NULL)
-#define Curl_thread_disable_cancel() \
- pthread_setcancelstate(PTHREAD_CANCEL_DISABLE, NULL)
-#else
-#define Curl_thread_push_cleanup(a,b) ((void)a,(void)b)
-#define Curl_thread_pop_cleanup() Curl_nop_stmt
-#define Curl_thread_enable_cancel() Curl_nop_stmt
-#define Curl_thread_disable_cancel() Curl_nop_stmt
-#endif
-
#endif /* USE_THREADS_POSIX || USE_THREADS_WIN32 */
#endif /* HEADER_CURL_THREADS_H */
--- a/lib/hostip.c
+++ b/lib/hostip.c
@@ -1132,10 +1132,6 @@ CURLcode Curl_resolv_timeout(struct Curl_easy *data,
prev_alarm = alarm(curlx_sltoui(timeout/1000L));
}
-#ifdef DEBUGBUILD
- Curl_resolve_test_delay();
-#endif
-
#else /* !USE_ALARM_TIMEOUT */
#ifndef CURLRES_ASYNCH
if(timeoutms)
@@ -1639,18 +1635,3 @@ CURLcode Curl_resolver_error(struct Curl_easy *data, const char *detail)
return result;
}
#endif /* USE_CURL_ASYNC */
-
-#ifdef DEBUGBUILD
-#include "curlx/wait.h"
-
-void Curl_resolve_test_delay(void)
-{
- const char *p = getenv("CURL_DNS_DELAY_MS");
- if(p) {
- curl_off_t l;
- if(!curlx_str_number(&p, &l, TIME_T_MAX) && l) {
- curlx_wait_ms((timediff_t)l);
- }
- }
-}
-#endif
--- a/lib/hostip.h
+++ b/lib/hostip.h
@@ -216,8 +216,4 @@ struct Curl_addrinfo *Curl_sync_getaddrinfo(struct Curl_easy *data,
#endif
-#ifdef DEBUGBUILD
-void Curl_resolve_test_delay(void);
-#endif
-
#endif /* HEADER_CURL_HOSTIP_H */
--- a/tests/data/Makefile.am
+++ b/tests/data/Makefile.am
@@ -112,7 +112,7 @@ test754 test755 test756 test757 test758 test759 test760 test761 test762 \
test763 \
\
test780 test781 test782 test783 test784 test785 test786 test787 test788 \
-test789 test790 test791 test792 test793 test794 test795 test796 test797 \
+test789 test790 test791 test792 test793 test794 test796 test797 \
\
test799 test800 test801 test802 test803 test804 test805 test806 test807 \
test808 test809 test810 test811 test812 test813 test814 test815 test816 \
--- a/tests/data/test795
+++ /dev/null
@@ -1,36 +0,0 @@
-<testcase>
-<info>
-<keywords>
-DNS
-</keywords>
-</info>
-
-# Client-side
-<client>
-<features>
-http
-Debug
-!c-ares
-!win32
-</features>
-<name>
-Delayed resolve --connect-timeout check
-</name>
-<setenv>
-CURL_DNS_DELAY_MS=5000
-</setenv>
-<command>
-http://test.invalid -v --no-progress-meter --trace-config dns --connect-timeout 1 -w \%{time_total}
-</command>
-</client>
-
-# Verify data after the test has been "shot"
-<verify>
-<errorcode>
-28
-</errorcode>
-<postcheck>
-%SRCDIR/libtest/test795.pl %LOGDIR/stdout%TESTNUMBER 2 >> %LOGDIR/stderr%TESTNUMBER
-</postcheck>
-</verify>
-</testcase>
--- a/tests/libtest/Makefile.am
+++ b/tests/libtest/Makefile.am
@@ -42,7 +42,7 @@ AM_CPPFLAGS = -I$(top_srcdir)/include \
include Makefile.inc
EXTRA_DIST = CMakeLists.txt $(FIRST_C) $(FIRST_H) $(UTILS_C) $(UTILS_H) $(TESTS_C) \
- test307.pl test610.pl test613.pl test795.pl test1013.pl test1022.pl mk-lib1521.pl
+ test307.pl test610.pl test613.pl test1013.pl test1022.pl mk-lib1521.pl
CFLAGS += @CURL_CFLAG_EXTRAS@
--- a/tests/libtest/test795.pl
+++ /dev/null
@@ -1,46 +0,0 @@
-#!/usr/bin/env perl
-#***************************************************************************
-# _ _ ____ _
-# Project ___| | | | _ \| |
-# / __| | | | |_) | |
-# | (__| |_| | _ <| |___
-# \___|\___/|_| \_\_____|
-#
-# Copyright (C) Daniel Stenberg, <daniel@haxx.se>, et al.
-#
-# This software is licensed as described in the file COPYING, which
-# you should have received as part of this distribution. The terms
-# are also available at https://curl.se/docs/copyright.html.
-#
-# You may opt to use, copy, modify, merge, publish, distribute and/or sell
-# copies of the Software, and permit persons to whom the Software is
-# furnished to do so, under the terms of the COPYING file.
-#
-# This software is distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY
-# KIND, either express or implied.
-#
-# SPDX-License-Identifier: curl
-#
-###########################################################################
-use strict;
-use warnings;
-
-my $ok = 1;
-my $exp_duration = $ARGV[1] + 0.0;
-
-# Read the output of curl --version
-open(F, $ARGV[0]) || die "Can't open test result from $ARGV[0]\n";
-$_ = <F>;
-chomp;
-/\s*([\.\d]+)\s*/;
-my $duration = $1 + 0.0;
-close F;
-
-if ($duration <= $exp_duration) {
- print "OK: duration of $duration in expected range\n";
- $ok = 0;
-}
-else {
- print "FAILED: duration of $duration is larger than $exp_duration\n";
-}
-exit $ok;


@ -0,0 +1,63 @@
https://github.com/curl/curl/commit/f7cac7cc07a45481b246c875e8113d741ba2a6e1
From: Daniel Stenberg <daniel@haxx.se>
Date: Sun, 14 Sep 2025 23:28:03 +0200
Subject: [PATCH] setopt: accept *_SSL_VERIFYHOST set to 2L
... without outputing a verbose message about it. In the early days we
had 2L and 1L have different functionalities.
Reported-by: Jicea
Bug: https://curl.se/mail/lib-2025-09/0031.html
Closes #18547
--- a/lib/setopt.c
+++ b/lib/setopt.c
@@ -443,6 +443,7 @@ static CURLcode setopt_bool(struct Curl_easy *data, CURLoption option,
long arg, bool *set)
{
bool enabled = !!arg;
+ int ok = 1;
struct UserDefined *s = &data->set;
switch(option) {
case CURLOPT_FORBID_REUSE:
@@ -619,7 +620,7 @@ static CURLcode setopt_bool(struct Curl_easy *data, CURLoption option,
* Enable verification of the hostname in the peer certificate for proxy
*/
s->proxy_ssl.primary.verifyhost = enabled;
-
+ ok = 2;
/* Update the current connection proxy_ssl_config. */
Curl_ssl_conn_config_update(data, TRUE);
break;
@@ -723,6 +724,7 @@ static CURLcode setopt_bool(struct Curl_easy *data, CURLoption option,
* Enable verification of the hostname in the peer certificate for DoH
*/
s->doh_verifyhost = enabled;
+ ok = 2;
break;
case CURLOPT_DOH_SSL_VERIFYSTATUS:
/*
@@ -732,6 +734,7 @@ static CURLcode setopt_bool(struct Curl_easy *data, CURLoption option,
return CURLE_NOT_BUILT_IN;
s->doh_verifystatus = enabled;
+ ok = 2;
break;
#endif /* ! CURL_DISABLE_DOH */
case CURLOPT_SSL_VERIFYHOST:
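Review bot: The `ok = 2;` added after `s->doh_verifystatus = enabled;` falls under CURLOPT_DOH_SSL_VERIFYSTATUS (its case label is the last context line of the previous hunk), which is not one of the *_SSL_VERIFYHOST options the subject names. As written, 2L for that option is also accepted without the "unsupported argument" infof. If that is unintended the line should be dropped; if it is intended, a comment such as `/* 2L accepted silently, same as the VERIFYHOST options */` would make it explicit. On style, `ok` holds the largest argument accepted without a message, so a name like `max_ok` would read more clearly at the final `if((arg > ok) || (arg < 0))` check. setopt_bool starts and ends outside this hunk.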
@@ -743,6 +746,7 @@ static CURLcode setopt_bool(struct Curl_easy *data, CURLoption option,
this argument took a boolean when it was not and misused it.
Treat 1 and 2 the same */
s->ssl.primary.verifyhost = enabled;
+ ok = 2;
/* Update the current connection ssl_config. */
Curl_ssl_conn_config_update(data, FALSE);
@@ -844,7 +848,7 @@ static CURLcode setopt_bool(struct Curl_easy *data, CURLoption option,
default:
return CURLE_OK;
}
- if((arg > 1) || (arg < 0))
+ if((arg > ok) || (arg < 0))
/* reserve other values for future use */
infof(data, "boolean setopt(%d) got unsupported argument %ld,"
" treated as %d", option, arg, enabled);


@ -22,7 +22,6 @@
<flag name="mbedtls">Enable mbedtls ssl backend</flag>
<flag name="openssl">Enable openssl ssl backend</flag>
<flag name="pop3">Enable Post Office Protocol 3 support</flag>
<flag name="progress-meter">Enable the progress meter</flag>
<flag name="psl">Enable Public Suffix List (PSL) support. See https://daniel.haxx.se/blog/2024/01/10/psl-in-curl/.</flag>
<flag name="quic">Enable support for QUIC (RFC 9000); a UDP-based protocol intended to replace TCP</flag>
<flag name="rtmp">Enable RTMP Streaming Media support</flag>
@ -31,7 +30,6 @@
<flag name="smtp">Enable Simple Mail Transfer Protocol support</flag>
<flag name="ssh">Enable SSH urls in curl using libssh2</flag>
<flag name="ssl">Enable crypto engine support (via openssl if USE='-gnutls -nss')</flag>
<flag name="sslv3">Support for the old/insecure SSLv3 protocol</flag>
<flag name="telnet">Enable Telnet protocol support</flag>
<flag name="tftp">Enable TFTP support</flag>
<flag name="websockets">Enable websockets support</flag>