From ad48f6712a297ef8a9dafe00339f2c7c9f9be5e0 Mon Sep 17 00:00:00 2001 From: Flatcar Buildbot Date: Mon, 22 Sep 2025 07:10:51 +0000 Subject: [PATCH] net-misc/curl: Sync with Gentoo It's from Gentoo commit 8053e78f154e174b5a1b8192fa7b3182a36b1534. 
Signed-off-by: Flatcar Buildbot --- .../portage-stable/net-misc/curl/Manifest | 4 - .../net-misc/curl/curl-8.12.1.ebuild | 386 --------------- .../net-misc/curl/curl-8.13.0-r1.ebuild | 448 ------------------ ...rl-8.16.0.ebuild => curl-8.16.0-r1.ebuild} | 2 + .../curl-8.13.0-gssapi-non-ssl-build.patch | 28 -- ...url-8.13.0-hostip-correct-proxy-name.patch | 46 -- ...curl-8.13.0-http2-stream-window-size.patch | 143 ------ .../curl-8.13.0-httpsrr-target-check.patch | 22 - .../curl/files/curl-8.13.0-krb5-ftp.patch | 19 - ...-8.13.0-openssl-quic-stream-shutdown.patch | 44 -- .../files/curl-8.16.0-pthread_cancel.patch | 399 ++++++++++++++++ .../files/curl-8.16.0-ssl_verifyhost.patch | 63 +++ .../portage-stable/net-misc/curl/metadata.xml | 2 - 13 files changed, 464 insertions(+), 1142 deletions(-) delete mode 100644 sdk_container/src/third_party/portage-stable/net-misc/curl/curl-8.12.1.ebuild delete mode 100644 sdk_container/src/third_party/portage-stable/net-misc/curl/curl-8.13.0-r1.ebuild rename sdk_container/src/third_party/portage-stable/net-misc/curl/{curl-8.16.0.ebuild => curl-8.16.0-r1.ebuild} (99%) delete mode 100644 sdk_container/src/third_party/portage-stable/net-misc/curl/files/curl-8.13.0-gssapi-non-ssl-build.patch delete mode 100644 sdk_container/src/third_party/portage-stable/net-misc/curl/files/curl-8.13.0-hostip-correct-proxy-name.patch delete mode 100644 sdk_container/src/third_party/portage-stable/net-misc/curl/files/curl-8.13.0-http2-stream-window-size.patch delete mode 100644 sdk_container/src/third_party/portage-stable/net-misc/curl/files/curl-8.13.0-httpsrr-target-check.patch delete mode 100644 sdk_container/src/third_party/portage-stable/net-misc/curl/files/curl-8.13.0-krb5-ftp.patch delete mode 100644 sdk_container/src/third_party/portage-stable/net-misc/curl/files/curl-8.13.0-openssl-quic-stream-shutdown.patch create mode 100644 sdk_container/src/third_party/portage-stable/net-misc/curl/files/curl-8.16.0-pthread_cancel.patch create mode 100644 
sdk_container/src/third_party/portage-stable/net-misc/curl/files/curl-8.16.0-ssl_verifyhost.patch
diff --git a/sdk_container/src/third_party/portage-stable/net-misc/curl/Manifest b/sdk_container/src/third_party/portage-stable/net-misc/curl/Manifest
index 4b4076cb26..7ce5cf5037 100644
--- a/sdk_container/src/third_party/portage-stable/net-misc/curl/Manifest
+++ b/sdk_container/src/third_party/portage-stable/net-misc/curl/Manifest
@@ -1,7 +1,3 @@
-DIST curl-8.12.1.tar.xz 2768160 BLAKE2B 2b3e3d91041881c0951ad470736266105d3b9720440b808fe382baa493a30075aba52eb1d329fb1f148e27cd76290d82e121e7f4abf695f215456a10e26ade3e SHA512 88915468fa1bb7256e3dd6c9d058ada6894faa1e3e7800c7d9bfee3e8be4081ae57e7f2bf260c5342b709499fc4302ddc2d7864e25bfa3300fa07f118a3de603
-DIST curl-8.12.1.tar.xz.asc 488 BLAKE2B 2a6563609c9f7ada84ca2c7048ad9406809eef4cc958760d2ab3d1b7be58d26247e579bd025870609e80ebb00295026aae30614b84e3a81bdf3ed3dbd0f5ed70 SHA512 41fc5582935090d13940d86974fdea3ea901dd5dab156c16029a87f811d2535172c59dc8dc366f2ffc37bcf85accbecb5aa765bc7b83c2991a3ef402bf25af69
-DIST curl-8.13.0.tar.xz 2773628 BLAKE2B 6869634ad50f015d5c7526699034d5a3f27d9588bc32eacc8080dbd6c690f63b1f25cee40d3fdf8fd9dd8535c305ea9c5edf1d5a02bc6d9ce60fd8c88230aca0 SHA512 d266e460f162ee455b56726e5b7247b2d1aa5265ae12081513fc0c5c79e785a594097bc71d505dc9bcd2c2f6f1ff6f4bab9dbd9d120bb76d06c5be8521a8ca7d
-DIST curl-8.13.0.tar.xz.asc 488 BLAKE2B bd568ec32a44ef7c14c38e4830bcc7711dac726e950325292f1e5de76e619839685300c5afac32330127324327e71ce0d6e574f6e95bcc4a48957345152bc86a SHA512 07f79c7fd7c305c96e10a5f52797254aed7d2a1f3577c8626b8d617855ceb82634ac6787bfa0b7130a4ed72c3a9945d3c9ba5b7be54df8bafa07ded1c62ef2be
 DIST curl-8.14.1.tar.xz 2817248 BLAKE2B 4ce2277d143084823855b714e86047a94d4c52a686b8d16d9ab76c31168f1a74d63dfa7608cff36706a8a0b9bf9cc611a9b99860b176a227bca580cd95e9cff2 SHA512 7f6eae04cc23c50fc41d448aa28dfa59141018009e42c5b1e3f4e0d40c0633460b4e6eec05dfc290f7953671096abfa70a8b5443fccdd3f1be6be32ac10b31d9
 DIST curl-8.14.1.tar.xz.asc 488 BLAKE2B f664f526dbffa0a1af2b28f51982445f7d9064b3c3b3e6dd04322003db22da2acde5d493c80204b36a9219d42959543c5a0aee47f2365eb713490ff2fc5f475f SHA512 663b1652bb27338310d1475a8b0422f04e68fca74be11a4b7120de948af4fc0c2b08b75ce5372d657aa89504a27b36b937b5091cb2d932297a7490d5e390d99f
 DIST curl-8.15.0.tar.xz 2773156 BLAKE2B ae809be87f34d079413129c27e618a6d15c2bf9087fd7e679cefe9b6d8645f0dd092e8c3e1f62b7bd0dffdd0b77e0bc5ac031ffce4e50060ec20b280618c8e68 SHA512 d27e316d70973906ac4b8d2c280f7e99b7528966aa1220c13a38ed45fca2ed6bbde54b8a9d7bed9e283171b92edb621f7b95162ef7d392e6383b0ee469de3191
diff --git a/sdk_container/src/third_party/portage-stable/net-misc/curl/curl-8.12.1.ebuild b/sdk_container/src/third_party/portage-stable/net-misc/curl/curl-8.12.1.ebuild
deleted file mode 100644
index 0fd4d01a66..0000000000
--- a/sdk_container/src/third_party/portage-stable/net-misc/curl/curl-8.12.1.ebuild
+++ /dev/null
@@ -1,386 +0,0 @@ -# Copyright 1999-2025 Gentoo Authors -# Distributed under the terms of the GNU General Public License v2 - -EAPI=8 - -# Maintainers should subscribe to the 'curl-distros' ML for backports etc -# https://daniel.haxx.se/blog/2024/03/25/curl-distro-report/ -# https://lists.haxx.se/listinfo/curl-distros - -VERIFY_SIG_OPENPGP_KEY_PATH=/usr/share/openpgp-keys/danielstenberg.asc -inherit autotools multilib-minimal multiprocessing prefix toolchain-funcs verify-sig - -DESCRIPTION="A Client that groks URLs" -HOMEPAGE="https://curl.se/" - -if [[ ${PV} == 9999 ]]; then - inherit git-r3 - EGIT_REPO_URI="https://github.com/curl/curl.git" -else - SRC_URI=" - https://curl.se/download/${P}.tar.xz - verify-sig? ( https://curl.se/download/${P}.tar.xz.asc ) - " - KEYWORDS="~alpha amd64 arm arm64 ~hppa ~loong ~m68k ~mips ppc ppc64 ~riscv ~s390 ~sparc x86 ~amd64-linux ~x86-linux ~arm64-macos ~ppc-macos ~x64-macos ~x64-solaris" -fi - -LICENSE="BSD curl ISC test? ( BSD-4 )" -SLOT="0" -IUSE="+adns +alt-svc brotli debug +ftp gnutls gopher +hsts +http2 +http3 idn +imap kerberos ldap mbedtls +openssl +pop3" -IUSE+=" +psl +progress-meter +quic rtmp rustls samba +smtp ssh ssl sslv3 static-libs test telnet +tftp +websockets zstd" -# These select the default tls implementation / which quic impl to use -IUSE+=" +curl_quic_openssl curl_quic_ngtcp2 curl_ssl_gnutls curl_ssl_mbedtls +curl_ssl_openssl curl_ssl_rustls" -RESTRICT="!test? ( test )" - -# Only one default ssl / quic provider can be enabled -# The default provider needs its USE satisfied -# HTTP/3 and MultiSSL are mutually exclusive; it's not clear if MultiSSL offers any benefit at all in the modern day. -# https://github.com/curl/curl/commit/65ece771f4602107d9cdd339dff4b420280a2c2e -REQUIRED_USE=" - quic? ( - ^^ ( - curl_quic_openssl - curl_quic_ngtcp2 - ) - http3 - ssl - ) - ssl? ( - ^^ ( - curl_ssl_gnutls - curl_ssl_mbedtls - curl_ssl_openssl - curl_ssl_rustls - ) - ) - curl_quic_openssl? 
( - curl_ssl_openssl - !gnutls - !mbedtls - !rustls - ) - curl_quic_ngtcp2? ( - curl_ssl_gnutls - !mbedtls - !openssl - !rustls - ) - curl_ssl_gnutls? ( gnutls ) - curl_ssl_mbedtls? ( mbedtls ) - curl_ssl_openssl? ( openssl ) - curl_ssl_rustls? ( rustls ) - http3? ( alt-svc quic ) -" - -# cURL's docs and CI/CD are great resources for confirming supported versions -# particulary for fast-moving targets like HTTP/2 and TCP/2 e.g.: -# - https://github.com/curl/curl/blob/master/docs/INTERNALS.md (core dependencies + minimum versions) -# - https://github.com/curl/curl/blob/master/docs/HTTP3.md (example of a feature that moves quickly) -# - https://github.com/curl/curl/blob/master/.github/workflows/http3-linux.yml (CI/CD for TCP/2) -# However 'supported' vs 'works' are two entirely different things; be sane but -# don't be afraid to require a later version. -# ngtcp2 = https://bugs.gentoo.org/912029 - can only build with one tls backend at a time. -RDEPEND=" - >=sys-libs/zlib-1.1.4[${MULTILIB_USEDEP}] - adns? ( >=net-dns/c-ares-1.16.0:=[${MULTILIB_USEDEP}] ) - brotli? ( app-arch/brotli:=[${MULTILIB_USEDEP}] ) - http2? ( >=net-libs/nghttp2-1.15.0:=[${MULTILIB_USEDEP}] ) - http3? ( >=net-libs/nghttp3-1.1.0[${MULTILIB_USEDEP}] ) - idn? ( >=net-dns/libidn2-2.0.0:=[static-libs?,${MULTILIB_USEDEP}] ) - kerberos? ( >=virtual/krb5-0-r1[${MULTILIB_USEDEP}] ) - ldap? ( >=net-nds/openldap-2.0.0:=[static-libs?,${MULTILIB_USEDEP}] ) - psl? ( net-libs/libpsl[${MULTILIB_USEDEP}] ) - quic? ( - curl_quic_openssl? ( >=dev-libs/openssl-3.3.0:=[quic,${MULTILIB_USEDEP}] ) - curl_quic_ngtcp2? ( >=net-libs/ngtcp2-1.2.0[gnutls,ssl,-openssl,${MULTILIB_USEDEP}] ) - ) - rtmp? ( media-video/rtmpdump[${MULTILIB_USEDEP}] ) - ssh? ( >=net-libs/libssh2-1.0.0[${MULTILIB_USEDEP}] ) - ssl? ( - gnutls? ( - app-misc/ca-certificates - >=net-libs/gnutls-3.1.10:=[static-libs?,${MULTILIB_USEDEP}] - dev-libs/nettle:=[${MULTILIB_USEDEP}] - ) - mbedtls? 
( - app-misc/ca-certificates - net-libs/mbedtls:0=[${MULTILIB_USEDEP}] - ) - openssl? ( - >=dev-libs/openssl-0.9.7:=[sslv3(-)=,static-libs?,${MULTILIB_USEDEP}] - ) - rustls? ( - >=net-libs/rustls-ffi-0.14.0:=[${MULTILIB_USEDEP}] - ) - ) - zstd? ( app-arch/zstd:=[${MULTILIB_USEDEP}] ) -" - -DEPEND="${RDEPEND}" - -BDEPEND=" - dev-lang/perl - virtual/pkgconfig - test? ( - sys-apps/diffutils - http2? ( >=net-libs/nghttp2-1.15.0:=[utils,${MULTILIB_USEDEP}] ) - http3? ( net-libs/nghttp2:=[utils,${MULTILIB_USEDEP}] ) - ) - verify-sig? ( sec-keys/openpgp-keys-danielstenberg ) -" - -DOCS=( README docs/{FEATURES.md,INTERNALS.md,FAQ,BUGS.md,CONTRIBUTE.md} ) - -MULTILIB_WRAPPED_HEADERS=( - /usr/include/curl/curlbuild.h -) - -MULTILIB_CHOST_TOOLS=( - /usr/bin/curl-config -) - -QA_CONFIG_IMPL_DECL_SKIP=( - __builtin_available - closesocket - CloseSocket - getpass_r - ioctlsocket - IoctlSocket - mach_absolute_time - setmode - _fseeki64 - # custom AC_LINK_IFELSE code fails to link even without -Werror - OSSL_QUIC_client_method -) - -PATCHES=( - "${FILESDIR}/${PN}-prefix-4.patch" - "${FILESDIR}/${PN}-respect-cflags-3.patch" -) - -src_prepare() { - default - - eprefixify curl-config.in - eautoreconf -} - -multilib_src_configure() { - # We make use of the fact that later flags override earlier ones - # So start with all ssl providers off until proven otherwise - # TODO: in the future, we may want to add wolfssl (https://www.wolfssl.com/) - local myconf=() - - myconf+=( --without-ca-fallback --with-ca-bundle="${EPREFIX}"/etc/ssl/certs/ca-certificates.crt ) - if use ssl; then - myconf+=( --without-gnutls --without-mbedtls --without-rustls ) - - if use gnutls; then - multilib_is_native_abi && einfo "SSL provided by gnutls" - myconf+=( --with-gnutls ) - fi - if use mbedtls; then - multilib_is_native_abi && einfo "SSL provided by mbedtls" - myconf+=( --with-mbedtls ) - fi - if use openssl; then - multilib_is_native_abi && einfo "SSL provided by openssl" - myconf+=( --with-ssl 
--with-ca-path="${EPREFIX}"/etc/ssl/certs ) - fi - if use rustls; then - multilib_is_native_abi && einfo "SSL provided by rustls" - myconf+=( --with-rustls ) - fi - if use curl_ssl_gnutls; then - multilib_is_native_abi && einfo "Default SSL provided by gnutls" - myconf+=( --with-default-ssl-backend=gnutls ) - elif use curl_ssl_mbedtls; then - multilib_is_native_abi && einfo "Default SSL provided by mbedtls" - myconf+=( --with-default-ssl-backend=mbedtls ) - elif use curl_ssl_openssl; then - multilib_is_native_abi && einfo "Default SSL provided by openssl" - myconf+=( --with-default-ssl-backend=openssl ) - elif use curl_ssl_rustls; then - multilib_is_native_abi && einfo "Default SSL provided by rustls" - myconf+=( --with-default-ssl-backend=rustls ) - else - eerror "We can't be here because of REQUIRED_USE." - die "Please file a bug, hit impossible condition w/ USE=ssl handling." - fi - - else - myconf+=( --without-ssl ) - einfo "SSL disabled" - fi - - # These configuration options are organized alphabetically - # within each category. This should make it easier if we - # ever decide to make any of them contingent on USE flags: - # 1) protocols first. To see them all do - # 'grep SUPPORT_PROTOCOLS configure.ac' - # 2) --enable/disable options second. - # 'grep -- --enable configure | grep Check | awk '{ print $4 }' | sort - # 3) --with/without options third. 
- # grep -- --with configure | grep Check | awk '{ print $4 }' | sort - - myconf+=( - $(use_enable alt-svc) - --enable-basic-auth - --enable-bearer-auth - --enable-digest-auth - --enable-kerberos-auth - --enable-negotiate-auth - --enable-aws - --enable-dict - --disable-ech - --enable-file - $(use_enable ftp) - $(use_enable gopher) - $(use_enable hsts) - --enable-http - $(use_enable imap) - $(use_enable ldap) - $(use_enable ldap ldaps) - --enable-ntlm - $(use_enable pop3) - --enable-rt - --enable-rtsp - $(use_enable samba smb) - $(use_with ssh libssh2) - $(use_enable smtp) - $(use_enable telnet) - $(use_enable tftp) - --enable-tls-srp - $(use_enable adns ares) - --enable-cookies - --enable-dateparse - --enable-dnsshuffle - --enable-doh - --enable-symbol-hiding - --enable-http-auth - --enable-ipv6 - --enable-largefile - --enable-manual - --enable-mime - --enable-netrc - $(use_enable progress-meter) - --enable-proxy - --enable-socketpair - --disable-sspi - $(use_enable static-libs static) - --disable-versioned-symbols - --without-amissl - --without-bearssl - $(use_with brotli) - --with-fish-functions-dir="${EPREFIX}"/usr/share/fish/vendor_completions.d - $(use_with http2 nghttp2) - $(use_with idn libidn2) - $(use_with kerberos gssapi "${EPREFIX}"/usr) - --without-libgsasl - $(use_with psl libpsl) - --without-msh3 - $(use_with http3 nghttp3) - $(use_with curl_quic_ngtcp2 ngtcp2) - $(use_with curl_quic_openssl openssl-quic) - --without-quiche - $(use_with rtmp librtmp) - --without-schannel - --without-secure-transport - --without-test-caddy - --without-test-httpd - --without-test-nghttpx - $(use_enable websockets) - --without-winidn - --without-wolfssl - --with-zlib - $(use_with zstd) - --with-zsh-functions-dir="${EPREFIX}"/usr/share/zsh/site-functions - ) - - if use debug; then - myconf+=( - --enable-debug - ) - fi - - if use test && multilib_is_native_abi && ( use http2 || use http3 ); then - myconf+=( - --with-test-nghttpx="${BROOT}/usr/bin/nghttpx" - ) - fi - - # 
Since 8.12.0 adns/c-ares and the threaded resolver are mutually exclusive - # This is in support of some work to enable `httpsrr` to use adns and the rest - # of curl to use the threaded resolver; we'll just make `httpsrr` conditional on adns - # when the time comes. - if use adns; then - myconf+=( - --disable-threaded-resolver - ) - else - myconf+=( - --enable-threaded-resolver - ) - fi - - ECONF_SOURCE="${S}" econf "${myconf[@]}" - - if ! multilib_is_native_abi; then - # Avoid building the client (we just want libcurl for multilib) - sed -i -e '/SUBDIRS/s:src::' Makefile || die - sed -i -e '/SUBDIRS/s:scripts::' Makefile || die - fi - -} - -multilib_src_compile() { - default - - if multilib_is_native_abi; then - # Shell completions - ! tc-is-cross-compiler && emake -C scripts - fi -} - -# There is also a pytest harness that tests for bugs in some very specific -# situations; we can rely on upstream for this rather than adding additional test deps. -multilib_src_test() { - # See https://github.com/curl/curl/blob/master/tests/runtests.pl#L5721 - # -n: no valgrind (unreliable in sandbox and doesn't work correctly on all arches) - # -v: verbose - # -a: keep going on failure (so we see everything that breaks, not just 1st test) - # -k: keep test files after completion - # -am: automake style TAP output - # -p: print logs if test fails - # Note: if needed, we can skip specific tests. See e.g. Fedora's packaging - # or just read https://github.com/curl/curl/tree/master/tests#run. - # Note: we don't run the testsuite for cross-compilation. - # Upstream recommend 7*nproc as a starting point for parallel tests, but - # this ends up breaking when nproc is huge (like -j80). 
- # The network sandbox causes tests 241 and 1083 to fail; these are typically skipped - # as most gentoo users don't have an 'ip6-localhost' - multilib_is_native_abi && emake test TFLAGS="-n -v -a -k -am -p -j$((2*$(makeopts_jobs))) !241 !1083" -} - -multilib_src_install() { - emake DESTDIR="${D}" install - - if multilib_is_native_abi; then - # Shell completions - ! tc-is-cross-compiler && emake -C scripts DESTDIR="${D}" install - fi -} - -multilib_src_install_all() { - einstalldocs - find "${ED}" -type f -name '*.la' -delete || die - rm -rf "${ED}"/etc/ || die -} - -pkg_postinst() { - if use debug; then - ewarn "USE=debug has been selected, enabling debug codepaths and making cURL extra verbose." - ewarn "Use this _only_ for testing. Debug builds should _not_ be used in anger." - ewarn "hic sunt dracones; you have been warned." - fi -} diff --git a/sdk_container/src/third_party/portage-stable/net-misc/curl/curl-8.13.0-r1.ebuild b/sdk_container/src/third_party/portage-stable/net-misc/curl/curl-8.13.0-r1.ebuild deleted file mode 100644 index d5551349f3..0000000000 --- a/sdk_container/src/third_party/portage-stable/net-misc/curl/curl-8.13.0-r1.ebuild +++ /dev/null 
@@ -1,448 +0,0 @@ -# Copyright 1999-2025 Gentoo Authors -# Distributed under the terms of the GNU General Public License v2 - -EAPI=8 - -# Maintainers should subscribe to the 'curl-distros' ML for backports etc -# https://daniel.haxx.se/blog/2024/03/25/curl-distro-report/ -# https://lists.haxx.se/listinfo/curl-distros - -VERIFY_SIG_OPENPGP_KEY_PATH=/usr/share/openpgp-keys/danielstenberg.asc -inherit autotools multilib-minimal multiprocessing prefix toolchain-funcs verify-sig - -DESCRIPTION="A Client that groks URLs" -HOMEPAGE="https://curl.se/" - -if [[ ${PV} == 9999 ]]; then - inherit git-r3 - EGIT_REPO_URI="https://github.com/curl/curl.git" -else - if [[ ${P} == *rc* ]]; then - CURL_URI="https://curl.se/rc/" - S="${WORKDIR}/${P//_/-}" - else - CURL_URI="https://curl.se/download/" - KEYWORDS="~alpha amd64 arm arm64 ~hppa ~loong ~m68k ~mips ppc ppc64 ~riscv ~s390 ~sparc x86 ~amd64-linux ~x86-linux ~arm64-macos ~ppc-macos ~x64-macos ~x64-solaris" - fi - SRC_URI=" - ${CURL_URI}${P//_/-}.tar.xz - verify-sig? ( ${CURL_URI}${P//_/-}.tar.xz.asc ) - " -fi - -LICENSE="BSD curl ISC test? ( BSD-4 )" -SLOT="0" -IUSE="+adns +alt-svc brotli debug ech +ftp gnutls gopher +hsts +http2 +http3 +httpsrr idn +imap kerberos ldap" -IUSE+=" mbedtls +openssl +pop3 +psl +quic rtmp rustls samba sasl-scram +smtp ssh ssl static-libs test" -IUSE+=" telnet +tftp +websockets zstd" -# These select the default tls implementation / which quic impl to use -IUSE+=" +curl_quic_openssl curl_quic_ngtcp2 curl_ssl_gnutls curl_ssl_mbedtls +curl_ssl_openssl curl_ssl_rustls" -RESTRICT="!test? ( test )" - -# HTTPS RR is technically usable with the threaded resolver, but it still uses c-ares to -# ask for the HTTPS RR record type; if DoH is in use the HTTPS record will be requested -# in addition to A and AAAA records. - -# To simplify dependency management in the ebuild we'll require c-ares for HTTPS RR (for now?). 
-# HTTPS RR in cURL is a dependency for: -# - ECH (requires patched openssl or gnutls currently, enabled with rustls) -# - Fetching the ALPN list which should provide a better HTTP/3 experience. - -# Only one default ssl / quic provider can be enabled -# The default provider needs its USE satisfied -# HTTP/3 and MultiSSL are mutually exclusive; it's not clear if MultiSSL offers any benefit at all in the modern day. -# https://github.com/curl/curl/commit/65ece771f4602107d9cdd339dff4b420280a2c2e -REQUIRED_USE=" - ech? ( rustls ) - httpsrr? ( adns ) - quic? ( - ^^ ( - curl_quic_openssl - curl_quic_ngtcp2 - ) - http3 - ssl - ) - ssl? ( - ^^ ( - curl_ssl_gnutls - curl_ssl_mbedtls - curl_ssl_openssl - curl_ssl_rustls - ) - ) - curl_quic_openssl? ( - curl_ssl_openssl - !gnutls - !mbedtls - !rustls - ) - curl_quic_ngtcp2? ( - curl_ssl_gnutls - !mbedtls - !openssl - !rustls - ) - curl_ssl_gnutls? ( gnutls ) - curl_ssl_mbedtls? ( mbedtls ) - curl_ssl_openssl? ( openssl ) - curl_ssl_rustls? ( rustls ) - http3? ( alt-svc httpsrr quic ) -" - -# cURL's docs and CI/CD are great resources for confirming supported versions -# particulary for fast-moving targets like HTTP/2 and TCP/2 e.g.: -# - https://github.com/curl/curl/blob/master/docs/INTERNALS.md (core dependencies + minimum versions) -# - https://github.com/curl/curl/blob/master/docs/HTTP3.md (example of a feature that moves quickly) -# - https://github.com/curl/curl/blob/master/.github/workflows/http3-linux.yml (CI/CD for TCP/2) -# However 'supported' vs 'works' are two entirely different things; be sane but -# don't be afraid to require a later version. -# ngtcp2 = https://bugs.gentoo.org/912029 - can only build with one tls backend at a time. -RDEPEND=" - >=sys-libs/zlib-1.2.5[${MULTILIB_USEDEP}] - adns? ( >=net-dns/c-ares-1.16.0:=[${MULTILIB_USEDEP}] ) - brotli? ( app-arch/brotli:=[${MULTILIB_USEDEP}] ) - http2? ( >=net-libs/nghttp2-1.15.0:=[${MULTILIB_USEDEP}] ) - http3? 
( >=net-libs/nghttp3-1.1.0[${MULTILIB_USEDEP}] ) - idn? ( >=net-dns/libidn2-2.0.0:=[static-libs?,${MULTILIB_USEDEP}] ) - kerberos? ( >=virtual/krb5-0-r1[${MULTILIB_USEDEP}] ) - ldap? ( >=net-nds/openldap-2.0.0:=[static-libs?,${MULTILIB_USEDEP}] ) - psl? ( net-libs/libpsl[${MULTILIB_USEDEP}] ) - quic? ( - curl_quic_openssl? ( >=dev-libs/openssl-3.3.0:=[quic,${MULTILIB_USEDEP}] ) - curl_quic_ngtcp2? ( >=net-libs/ngtcp2-1.2.0[gnutls,ssl,-openssl,${MULTILIB_USEDEP}] ) - ) - rtmp? ( media-video/rtmpdump[${MULTILIB_USEDEP}] ) - ssh? ( >=net-libs/libssh2-1.2.8[${MULTILIB_USEDEP}] ) - sasl-scram? ( >=net-misc/gsasl-2.2.0[static-libs?,${MULTILIB_USEDEP}] ) - ssl? ( - gnutls? ( - app-misc/ca-certificates - >=net-libs/gnutls-3.1.10:=[static-libs?,${MULTILIB_USEDEP}] - dev-libs/nettle:=[${MULTILIB_USEDEP}] - ) - mbedtls? ( - app-misc/ca-certificates - net-libs/mbedtls:0=[${MULTILIB_USEDEP}] - ) - openssl? ( - >=dev-libs/openssl-1.0.2:=[static-libs?,${MULTILIB_USEDEP}] - ) - rustls? ( - >=net-libs/rustls-ffi-0.15.0:=[${MULTILIB_USEDEP}] - ) - ) - zstd? ( app-arch/zstd:=[${MULTILIB_USEDEP}] ) -" - -DEPEND="${RDEPEND}" - -BDEPEND=" - dev-lang/perl - virtual/pkgconfig - test? ( - sys-apps/diffutils - http2? ( >=net-libs/nghttp2-1.15.0:=[utils,${MULTILIB_USEDEP}] ) - http3? ( net-libs/nghttp2:=[utils,${MULTILIB_USEDEP}] ) - ) - verify-sig? 
( sec-keys/openpgp-keys-danielstenberg ) -" - -DOCS=( README docs/{FEATURES.md,INTERNALS.md,FAQ,BUGS.md,CONTRIBUTE.md} ) - -MULTILIB_WRAPPED_HEADERS=( - /usr/include/curl/curlbuild.h -) - -MULTILIB_CHOST_TOOLS=( - /usr/bin/curl-config -) - -QA_CONFIG_IMPL_DECL_SKIP=( - __builtin_available - closesocket - CloseSocket - getpass_r - ioctlsocket - IoctlSocket - mach_absolute_time - setmode - _fseeki64 - # custom AC_LINK_IFELSE code fails to link even without -Werror - OSSL_QUIC_client_method -) - -PATCHES=( - "${FILESDIR}/${PN}-prefix-4.patch" - "${FILESDIR}/${PN}-respect-cflags-3.patch" - "${FILESDIR}/${P}-gssapi-non-ssl-build.patch" - "${FILESDIR}/${P}-hostip-correct-proxy-name.patch" - "${FILESDIR}/${P}-http2-stream-window-size.patch" - "${FILESDIR}/${P}-httpsrr-target-check.patch" - "${FILESDIR}/${P}-krb5-ftp.patch" - "${FILESDIR}/${P}-openssl-quic-stream-shutdown.patch" -) - -src_prepare() { - default - - eprefixify curl-config.in - eautoreconf -} - -# Generates TLS-related configure options based on USE flags. -# Outputs options suitable for appending to a configure options array. -_get_curl_tls_configure_opts() { - local tls_opts=() - - local backend flag_name - for backend in gnutls mbedtls openssl rustls; do - if [[ "$backend" == "openssl" ]]; then - flag_name="ssl" - tls_opts+=( "--with-ca-path=${EPREFIX}/etc/ssl/certs") - else - flag_name="$backend" - fi - - if use "$backend"; then - tls_opts+=( "--with-${flag_name}" ) - else - # If a single backend is enabled, 'ssl' is required, openssl is the default / fallback - if ! 
[[ "$backend" == "openssl" ]]; then - tls_opts+=( "--without-${flag_name}" ) - fi - fi - done - - if use curl_ssl_gnutls; then - multilib_is_native_abi && einfo "Default TLS backend: gnutls" - tls_opts+=( "--with-default-ssl-backend=gnutls" ) - elif use curl_ssl_mbedtls; then - multilib_is_native_abi && einfo "Default TLS backend: mbedtls" - tls_opts+=( "--with-default-ssl-backend=mbedtls" ) - elif use curl_ssl_openssl; then - multilib_is_native_abi && einfo "Default TLS backend: openssl" - tls_opts+=( "--with-default-ssl-backend=openssl" ) - elif use curl_ssl_rustls; then - multilib_is_native_abi && einfo "Default TLS backend: rustls" - tls_opts+=( "--with-default-ssl-backend=rustls" ) - else - eerror "We can't be here because of REQUIRED_USE." - die "Please file a bug, hit impossible condition w/ USE=ssl handling." - fi - - # Explicitly Disable unimplemented b - tls_opts+=( - --without-amissl - --without-bearssl - --without-wolfssl - ) - - printf "%s\n" "${tls_opts[@]}" -} - -multilib_src_configure() { - # We make use of the fact that later flags override earlier ones - # So start with all ssl providers off until proven otherwise - # TODO: in the future, we may want to add wolfssl (https://www.wolfssl.com/) - local myconf=() - - myconf+=( --without-ca-fallback --with-ca-bundle="${EPREFIX}"/etc/ssl/certs/ca-certificates.crt ) - if use ssl; then - local -a tls_backend_opts - readarray -t tls_backend_opts < <(_get_curl_tls_configure_opts) - myconf+=("${tls_backend_opts[@]}") - if use quic; then - myconf+=( - $(use_with curl_quic_ngtcp2 ngtcp2) - $(use_with curl_quic_openssl openssl-quic) - ) - else - # Without a REQUIRED_USE to ensure that QUIC was requested when at least one default backend is - # enabled we need ensure that we don't try to build QUIC support - myconf+=( --without-ngtcp2 --without-openssl-quic ) - fi - else - myconf+=( --without-ssl ) - einfo "SSL disabled" - fi - - # These configuration options are organised alphabetically by category/type - - # 
Protocols - # `grep SUPPORT_PROTOCOLS=\" configure.ac | awk '{ print substr($2, 1, length($2)-1)}' | sort` - # Assume that anything omitted (that is not new!) is enabled by default with no deps - myconf+=( - --enable-file - $(use_enable ftp) - $(use_enable gopher) - --enable-http - $(use_enable imap) # Automatic IMAPS if TLS is enabled - $(use_enable ldap ldaps) - $(use_enable ldap) - $(use_enable pop3) - $(use_enable samba smb) - $(use_with ssh libssh2) # enables scp/sftp - $(use_with rtmp librtmp) - --enable-rtsp - $(use_enable smtp) - $(use_enable telnet) - $(use_enable tftp) - $(use_enable websockets) - ) - - # Keep various 'HTTP-flavoured' options together - myconf+=( - $(use_enable alt-svc) - $(use_enable hsts) - $(use_enable httpsrr) - $(use_with http2 nghttp2) - $(use_with http3 nghttp3) - ) - - # --enable/disable options - # `grep -- --enable configure | grep Check | awk '{ print $4 }' | sort` - myconf+=( - $(use_enable adns ares) - --enable-aws - --enable-basic-auth - --enable-bearer-auth - --enable-cookies - --enable-dateparse - --enable-dict - --enable-digest-auth - --enable-dnsshuffle - --enable-doh - $(use_enable ech) - --enable-http-auth - --enable-ipv6 - --enable-kerberos-auth - --enable-largefile - --enable-manual - --enable-mime - --enable-negotiate-auth - --enable-netrc - --enable-ntlm - --enable-progress-meter - --enable-proxy - --enable-rt - --enable-socketpair - --disable-sspi - $(use_enable static-libs static) - --enable-symbol-hiding - --enable-tls-srp - --disable-versioned-symbols - ) - - # --with/without options - # `grep -- --with configure | grep Check | awk '{ print $4 }' | sort` - myconf+=( - $(use_with brotli) - --with-fish-functions-dir="${EPREFIX}"/usr/share/fish/vendor_completions.d - $(use_with idn libidn2) - $(use_with kerberos gssapi "${EPREFIX}"/usr) - $(use_with sasl-scram libgsasl) - $(use_with psl libpsl) - --without-msh3 - --without-quiche - --without-schannel - --without-secure-transport - --without-winidn - --with-zlib - 
--with-zsh-functions-dir="${EPREFIX}"/usr/share/zsh/site-functions - $(use_with zstd) - ) - - # Test deps (disabled) - myconf+=( - --without-test-caddy - --without-test-httpd - --without-test-nghttpx - ) - - if use debug; then - myconf+=( - --enable-debug - ) - fi - - if use test && multilib_is_native_abi && ( use http2 || use http3 ); then - myconf+=( - --with-test-nghttpx="${BROOT}/usr/bin/nghttpx" - ) - fi - - # Since 8.12.0 adns/c-ares and the threaded resolver are mutually exclusive - # This is in support of some work to enable `httpsrr` to use adns and the rest - # of curl to use the threaded resolver; for us `httpsrr` is conditional on adns. - if use adns; then - myconf+=( - --disable-threaded-resolver - ) - else - myconf+=( - --enable-threaded-resolver - ) - fi - - ECONF_SOURCE="${S}" econf "${myconf[@]}" - - if ! multilib_is_native_abi; then - # Avoid building the client (we just want libcurl for multilib) - sed -i -e '/SUBDIRS/s:src::' Makefile || die - sed -i -e '/SUBDIRS/s:scripts::' Makefile || die - fi - -} - -multilib_src_compile() { - default - - if multilib_is_native_abi; then - # Shell completions - ! tc-is-cross-compiler && emake -C scripts - fi -} - -# There is also a pytest harness that tests for bugs in some very specific -# situations; we can rely on upstream for this rather than adding additional test deps. -multilib_src_test() { - # See https://github.com/curl/curl/blob/master/tests/runtests.pl#L5721 - # -n: no valgrind (unreliable in sandbox and doesn't work correctly on all arches) - # -v: verbose - # -a: keep going on failure (so we see everything that breaks, not just 1st test) - # -k: keep test files after completion - # -am: automake style TAP output - # -p: print logs if test fails - # Note: if needed, we can skip specific tests. See e.g. Fedora's packaging - # or just read https://github.com/curl/curl/tree/master/tests#run. - # Note: we don't run the testsuite for cross-compilation. 
- # Upstream recommend 7*nproc as a starting point for parallel tests, but
- # this ends up breaking when nproc is huge (like -j80).
- # The network sandbox causes tests 241 and 1083 to fail; these are typically skipped
- # as most gentoo users don't have an 'ip6-localhost'
- multilib_is_native_abi && emake test TFLAGS="-n -v -a -k -am -p -j$((2*$(makeopts_jobs))) !241 !1083"
-}
-
-multilib_src_install() {
- emake DESTDIR="${D}" install
-
- if multilib_is_native_abi; then
- # Shell completions
- ! tc-is-cross-compiler && emake -C scripts DESTDIR="${D}" install
- fi
-}
-
-multilib_src_install_all() {
- einstalldocs
- find "${ED}" -type f -name '*.la' -delete || die
- rm -rf "${ED}"/etc/ || die
-}
-
-pkg_postinst() {
- if use debug; then
- ewarn "USE=debug has been selected, enabling debug codepaths and making cURL extra verbose."
- ewarn "Use this _only_ for testing. Debug builds should _not_ be used in anger."
- ewarn "hic sunt dracones; you have been warned."
- fi
-}
diff --git a/sdk_container/src/third_party/portage-stable/net-misc/curl/curl-8.16.0.ebuild b/sdk_container/src/third_party/portage-stable/net-misc/curl/curl-8.16.0-r1.ebuild
similarity index 99%
rename from sdk_container/src/third_party/portage-stable/net-misc/curl/curl-8.16.0.ebuild
rename to sdk_container/src/third_party/portage-stable/net-misc/curl/curl-8.16.0-r1.ebuild
index f9ed048bec..5e1eb5151c 100644
--- a/sdk_container/src/third_party/portage-stable/net-misc/curl/curl-8.16.0.ebuild
+++ b/sdk_container/src/third_party/portage-stable/net-misc/curl/curl-8.16.0-r1.ebuild
@@ -175,6 +175,8 @@ QA_CONFIG_IMPL_DECL_SKIP=(
 PATCHES=(
 "${FILESDIR}/${PN}-prefix-5.patch"
 "${FILESDIR}/${PN}-respect-cflags-3.patch"
+ "${FILESDIR}/${P}-ssl_verifyhost.patch"
+ "${FILESDIR}/${P}-pthread_cancel.patch"
 )

 src_prepare() {
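Review bot: The two `PATCHES` entries added for -r1 carry no comment saying what they backport, and `ssl_verifyhost` by its name appears to touch TLS host verification, so anyone auditing this revision has to open each patch file to learn why it exists. A one-line comment above the new entries, for example `# 8.16.0 backports; upstream commit is in each patch header, drop on the next bump`, would record that. This assumes the new patch files open with the upstream commit URL the way the removed 8.13.0 patches do. `src_prepare()` begins on the hunk's last line and continues outside it.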
diff --git a/sdk_container/src/third_party/portage-stable/net-misc/curl/files/curl-8.13.0-gssapi-non-ssl-build.patch b/sdk_container/src/third_party/portage-stable/net-misc/curl/files/curl-8.13.0-gssapi-non-ssl-build.patch
deleted file mode 100644
index cd9bde14de..0000000000
--- a/sdk_container/src/third_party/portage-stable/net-misc/curl/files/curl-8.13.0-gssapi-non-ssl-build.patch
+++ /dev/null
@@ -1,28 +0,0 @@
-https://github.com/curl/curl/commit/fe5f435b42a6c928b57c61db5d57f96b5c5a39be
-From: Andrew
-Date: Wed, 2 Apr 2025 13:45:21 +0100
-Subject: [PATCH] http_negotiate: fix non-SSL build with GSSAPI
-
-Fixes #16919
-Closes #16921
---- a/lib/http_negotiate.c
-+++ b/lib/http_negotiate.c
-@@ -110,8 +110,8 @@ CURLcode Curl_input_negotiate(struct Curl_easy *data, struct connectdata *conn,
- #endif
- /* Check if the connection is using SSL and get the channel binding data */
- #ifdef HAVE_GSSAPI
-- Curl_dyn_init(&neg_ctx->channel_binding_data, SSL_CB_MAX_SIZE + 1);
- #ifdef USE_SSL
-+ Curl_dyn_init(&neg_ctx->channel_binding_data, SSL_CB_MAX_SIZE + 1);
- if(Curl_conn_is_ssl(conn, FIRSTSOCKET)) {
- result = Curl_ssl_get_channel_binding(
- data, FIRSTSOCKET, &neg_ctx->channel_binding_data);
-@@ -120,6 +120,8 @@ CURLcode Curl_input_negotiate(struct Curl_easy *data, struct connectdata *conn,
- return result;
- }
- }
-+#else
-+ Curl_dyn_init(&neg_ctx->channel_binding_data, 1);
- #endif /* USE_SSL */
- #endif /* HAVE_GSSAPI */
-
diff --git a/sdk_container/src/third_party/portage-stable/net-misc/curl/files/curl-8.13.0-hostip-correct-proxy-name.patch b/sdk_container/src/third_party/portage-stable/net-misc/curl/files/curl-8.13.0-hostip-correct-proxy-name.patch
deleted file mode 100644
index 18965c9b94..0000000000
--- a/sdk_container/src/third_party/portage-stable/net-misc/curl/files/curl-8.13.0-hostip-correct-proxy-name.patch
+++ /dev/null
@@ -1,46 +0,0 @@ -https://github.com/curl/curl/commit/db3e7a24b5339860fb91cf0d932e8ae13a01e472 -From: Daniel Stenberg -Date: Fri, 4 Apr 2025 12:34:09 +0200 -Subject: [PATCH] hostip: show the correct name on proxy resolve error - -Regression, probably from 8ded8e5f3f4b6586399 (#16451) - -Fixes #16958 -Reported-by: Jean-Christophe Amiel -Closes #16961 ---- a/lib/hostip.c -+++ b/lib/hostip.c -@@ -1494,25 +1494,21 @@ CURLcode Curl_once_resolved(struct Curl_easy *data, bool *protocol_done) - #ifdef USE_CURL_ASYNC - CURLcode Curl_resolver_error(struct Curl_easy *data) - { -- const char *host_or_proxy; -- CURLcode result; -+ struct connectdata *conn = data->conn; -+ const char *host_or_proxy = "host"; -+ const char *name = conn->host.dispname; -+ CURLcode result = CURLE_COULDNT_RESOLVE_HOST; - - #ifndef CURL_DISABLE_PROXY -- struct connectdata *conn = data->conn; -- if(conn->bits.httpproxy) { -+ if(conn->bits.proxy) { - host_or_proxy = "proxy"; - result = CURLE_COULDNT_RESOLVE_PROXY; -+ name = conn->socks_proxy.host.name ? conn->socks_proxy.host.dispname : -+ conn->http_proxy.host.dispname; - } -- else - #endif -- { -- host_or_proxy = "host"; -- result = CURLE_COULDNT_RESOLVE_HOST; -- } -- -- failf(data, "Could not resolve %s: %s", host_or_proxy, -- data->conn->host.dispname); - -+ failf(data, "Could not resolve %s: %s", host_or_proxy, name); - return result; - } - #endif /* USE_CURL_ASYNC */ diff --git a/sdk_container/src/third_party/portage-stable/net-misc/curl/files/curl-8.13.0-http2-stream-window-size.patch b/sdk_container/src/third_party/portage-stable/net-misc/curl/files/curl-8.13.0-http2-stream-window-size.patch deleted file mode 100644 index f16c13738a..0000000000 --- a/sdk_container/src/third_party/portage-stable/net-misc/curl/files/curl-8.13.0-http2-stream-window-size.patch +++ /dev/null 
@@ -1,143 +0,0 @@ -https://github.com/curl/curl/commit/5fbd78eb2dc4afbd8884e8eed27147fc3d4318f6 -From: Stefan Eissing -Date: Fri, 4 Apr 2025 10:43:13 +0200 -Subject: [PATCH] http2: fix stream window size after unpausing - -When pausing a HTTP/2 transfer, the stream's local window size -is reduced to 0 to prevent the server from sending further data -which curl cannot write out to the application. - -When unpausing again, the stream's window size was not correctly -increased again. The attempt to trigger a window update was -ignored by nghttp2, the server never received it and the transfer -stalled. - -Add a debug feature to allow use of small window sizes which -reproduces this bug in test_02_21. - -Fixes #16955 -Closes #16960 ---- a/docs/libcurl/libcurl-env-dbg.md -+++ b/docs/libcurl/libcurl-env-dbg.md -@@ -147,3 +147,8 @@ Make a blocking, graceful shutdown of all remaining connections when - a multi handle is destroyed. This implicitly triggers for easy handles - that are run via easy_perform. The value of the environment variable - gives the shutdown timeout in milliseconds. -+ -+## `CURL_H2_STREAM_WIN_MAX` -+ -+Set to a positive 32-bit number to override the HTTP/2 stream window's -+default of 10MB. Used in testing to verify correct window update handling. 
---- a/lib/http2.c -+++ b/lib/http2.c -@@ -44,6 +44,7 @@ - #include "connect.h" - #include "rand.h" - #include "strdup.h" -+#include "strparse.h" - #include "transfer.h" - #include "dynbuf.h" - #include "headers.h" -@@ -141,6 +142,9 @@ struct cf_h2_ctx { - uint32_t goaway_error; /* goaway error code from server */ - int32_t remote_max_sid; /* max id processed by server */ - int32_t local_max_sid; /* max id processed by us */ -+#ifdef DEBUGBUILD -+ int32_t stream_win_max; /* max h2 stream window size */ -+#endif - BIT(initialized); - BIT(via_h1_upgrade); - BIT(conn_closed); -@@ -166,6 +170,18 @@ static void cf_h2_ctx_init(struct cf_h2_ctx *ctx, bool via_h1_upgrade) - Curl_hash_offt_init(&ctx->streams, 63, h2_stream_hash_free); - ctx->remote_max_sid = 2147483647; - ctx->via_h1_upgrade = via_h1_upgrade; -+#ifdef DEBUGBUILD -+ { -+ const char *p = getenv("CURL_H2_STREAM_WIN_MAX"); -+ -+ ctx->stream_win_max = H2_STREAM_WINDOW_SIZE_MAX; -+ if(p) { -+ curl_off_t l; -+ if(!Curl_str_number(&p, &l, INT_MAX)) -+ ctx->stream_win_max = (int32_t)l; -+ } -+ } -+#endif - ctx->initialized = TRUE; - } - -@@ -285,7 +301,15 @@ static int32_t cf_h2_get_desired_local_win(struct Curl_cfilter *cf, - * This gets less precise the higher the latency. 
*/ - return (int32_t)data->set.max_recv_speed; - } -+#ifdef DEBUGBUILD -+ else { -+ struct cf_h2_ctx *ctx = cf->ctx; -+ CURL_TRC_CF(data, cf, "stream_win_max=%d", ctx->stream_win_max); -+ return ctx->stream_win_max; -+ } -+#else - return H2_STREAM_WINDOW_SIZE_MAX; -+#endif - } - - static CURLcode cf_h2_update_local_win(struct Curl_cfilter *cf, -@@ -302,6 +326,13 @@ static CURLcode cf_h2_update_local_win(struct Curl_cfilter *cf, - int32_t wsize = nghttp2_session_get_stream_effective_local_window_size( - ctx->h2, stream->id); - if(dwsize > wsize) { -+ rv = nghttp2_session_set_local_window_size(ctx->h2, NGHTTP2_FLAG_NONE, -+ stream->id, dwsize); -+ if(rv) { -+ failf(data, "[%d] nghttp2 set_local_window_size(%d) failed: " -+ "%s(%d)", stream->id, dwsize, nghttp2_strerror(rv), rv); -+ return CURLE_HTTP2; -+ } - rv = nghttp2_submit_window_update(ctx->h2, NGHTTP2_FLAG_NONE, - stream->id, dwsize - wsize); - if(rv) { ---- a/tests/http/test_02_download.py -+++ b/tests/http/test_02_download.py -@@ -313,9 +313,9 @@ def test_02_20_h2_small_frames(self, env: Env, httpd): - assert httpd.stop() - assert httpd.start() - -- # download via lib client, 1 at a time, pause/resume at different offsets -+ # download serial via lib client, pause/resume at different offsets - @pytest.mark.parametrize("pause_offset", [0, 10*1024, 100*1023, 640000]) -- @pytest.mark.parametrize("proto", ['http/1.1', 'h2', 'h3']) -+ @pytest.mark.parametrize("proto", ['http/1.1', 'h3']) - def test_02_21_lib_serial(self, env: Env, httpd, nghttpx, proto, pause_offset): - if proto == 'h3' and not env.have_h3(): - pytest.skip("h3 not supported") -@@ -332,6 +332,29 @@ def test_02_21_lib_serial(self, env: Env, httpd, nghttpx, proto, pause_offset): - srcfile = os.path.join(httpd.docs_dir, docname) - self.check_downloads(client, srcfile, count) - -+ # h2 download parallel via lib client, pause/resume at different offsets -+ # debug-override stream window size to reproduce #16955 -+ 
@pytest.mark.parametrize("pause_offset", [0, 10*1024, 100*1023, 640000]) -+ @pytest.mark.parametrize("swin_max", [0, 10*1024]) -+ def test_02_21_h2_lib_serial(self, env: Env, httpd, pause_offset, swin_max): -+ proto = 'h2' -+ count = 2 -+ docname = 'data-10m' -+ url = f'https://localhost:{env.https_port}/{docname}' -+ run_env = os.environ.copy() -+ run_env['CURL_DEBUG'] = 'multi,http/2' -+ if swin_max > 0: -+ run_env['CURL_H2_STREAM_WIN_MAX'] = f'{swin_max}' -+ client = LocalClient(name='hx-download', env=env, run_env=run_env) -+ if not client.exists(): -+ pytest.skip(f'example client not built: {client.name}') -+ r = client.run(args=[ -+ '-n', f'{count}', '-P', f'{pause_offset}', '-V', proto, url -+ ]) -+ r.check_exit_code(0) -+ srcfile = os.path.join(httpd.docs_dir, docname) -+ self.check_downloads(client, srcfile, count) -+ - # download via lib client, several at a time, pause/resume - @pytest.mark.parametrize("pause_offset", [100*1023]) - @pytest.mark.parametrize("proto", ['http/1.1', 'h2', 'h3']) diff --git a/sdk_container/src/third_party/portage-stable/net-misc/curl/files/curl-8.13.0-httpsrr-target-check.patch b/sdk_container/src/third_party/portage-stable/net-misc/curl/files/curl-8.13.0-httpsrr-target-check.patch deleted file mode 100644 index 880a676ea8..0000000000 --- a/sdk_container/src/third_party/portage-stable/net-misc/curl/files/curl-8.13.0-httpsrr-target-check.patch +++ /dev/null 
@@ -1,22 +0,0 @@ -https://github.com/curl/curl/commit/4f3c22d77d752fea6ff9ab2706f70d58882ea466 -From: Stefan Eissing -Date: Fri, 4 Apr 2025 18:10:28 +0200 -Subject: [PATCH] https-connect, fix httpsrr target check - -The HTTPSRR check on the record's target was not working as it used the -wrong index on the NUL byte if the target was not NULL. - -Fixes #16966 -Reported-by: Pavel Kropachev -Closes #16968 ---- a/lib/cf-https-connect.c -+++ b/lib/cf-https-connect.c -@@ -673,7 +673,7 @@ CURLcode Curl_cf_https_setup(struct Curl_easy *data, - (!conn->dns_entry->hinfo->target || /* for same host */ - !conn->dns_entry->hinfo->target[0] || - (conn->dns_entry->hinfo->target[0] == '.' && -- !conn->dns_entry->hinfo->target[0])) && -+ !conn->dns_entry->hinfo->target[1])) && - (conn->dns_entry->hinfo->port < 0 || /* for same port */ - conn->dns_entry->hinfo->port == conn->remote_port)) { - size_t i; diff --git a/sdk_container/src/third_party/portage-stable/net-misc/curl/files/curl-8.13.0-krb5-ftp.patch b/sdk_container/src/third_party/portage-stable/net-misc/curl/files/curl-8.13.0-krb5-ftp.patch deleted file mode 100644 index 5d59ed9a9c..0000000000 --- a/sdk_container/src/third_party/portage-stable/net-misc/curl/files/curl-8.13.0-krb5-ftp.patch +++ /dev/null @@ -1,19 +0,0 @@ -https://github.com/curl/curl/commit/5caba3bd97a14b64d906ece77bc0e2b339161a1f -From: Daniel Stenberg -Date: Thu, 3 Apr 2025 08:49:20 +0200 -Subject: [PATCH] curl_krb5: only use functions if FTP is still enabled - -Reported-by: x1sc0 on github -Fixes #16925 -Closes #16931 ---- a/lib/curl_krb5.h -+++ b/lib/curl_krb5.h -@@ -39,7 +39,7 @@ struct Curl_sec_client_mech { - #define AUTH_CONTINUE 1 - #define AUTH_ERROR 2 - --#ifdef HAVE_GSSAPI -+#if defined(HAVE_GSSAPI) && !defined(CURL_DISABLE_FTP) - void Curl_sec_conn_init(struct connectdata *); - void Curl_sec_conn_destroy(struct connectdata *); - int Curl_sec_read_msg(struct Curl_easy *data, struct connectdata *conn, char *, 
diff --git a/sdk_container/src/third_party/portage-stable/net-misc/curl/files/curl-8.13.0-openssl-quic-stream-shutdown.patch b/sdk_container/src/third_party/portage-stable/net-misc/curl/files/curl-8.13.0-openssl-quic-stream-shutdown.patch deleted file mode 100644 index acb8fa9b10..0000000000 --- a/sdk_container/src/third_party/portage-stable/net-misc/curl/files/curl-8.13.0-openssl-quic-stream-shutdown.patch +++ /dev/null 
@@ -1,44 +0,0 @@ -https://github.com/curl/curl/commit/219302b4e64e2337c50d86056e9af2103b281e7e -From: Stefan Eissing -Date: Wed, 9 Apr 2025 11:01:54 +0200 -Subject: [PATCH] openssl-quic: fix shutdown when stream not open - -Check that h3 stream had been opened before telling nghttp3 to -shut it down. - -Fixes #16998 -Reported-by: Demi Marie Obenour -Closes #17003 ---- a/lib/vquic/curl_osslq.c -+++ b/lib/vquic/curl_osslq.c -@@ -654,7 +654,7 @@ static void h3_data_done(struct Curl_cfilter *cf, struct Curl_easy *data) - if(stream) { - CURL_TRC_CF(data, cf, "[%"FMT_PRId64"] easy handle is done", - stream->s.id); -- if(ctx->h3.conn && !stream->closed) { -+ if(ctx->h3.conn && (stream->s.id >= 0) && !stream->closed) { - nghttp3_conn_shutdown_stream_read(ctx->h3.conn, stream->s.id); - nghttp3_conn_close_stream(ctx->h3.conn, stream->s.id, - NGHTTP3_H3_REQUEST_CANCELLED); ---- a/tests/http/test_01_basic.py -+++ b/tests/http/test_01_basic.py -@@ -242,3 +242,19 @@ def test_01_15_gigalarge_resp_headers(self, env: Env, httpd, proto): - r.check_exit_code(16) # CURLE_HTTP2 - else: - r.check_exit_code(100) # CURLE_TOO_LARGE -+ -+ # http: invalid request headers, GET, issue #16998 -+ @pytest.mark.parametrize("proto", ['http/1.1', 'h2', 'h3']) -+ def test_01_16_inv_req_get(self, env: Env, httpd, proto): -+ if proto == 'h3' and not env.have_h3(): -+ pytest.skip("h3 not supported") -+ curl = CurlClient(env=env) -+ url = f'https://{env.authority_for(env.domain1, proto)}/curltest/echo' -+ r = curl.http_get(url=url, alpn_proto=proto, extra_args=[ -+ '-H', "a: a\x0ab" -+ ]) -+ # on h1, request is sent, h2/h3 reject -+ if proto == 'http/1.1': -+ r.check_exit_code(0) -+ else: -+ r.check_exit_code(43) diff --git a/sdk_container/src/third_party/portage-stable/net-misc/curl/files/curl-8.16.0-pthread_cancel.patch b/sdk_container/src/third_party/portage-stable/net-misc/curl/files/curl-8.16.0-pthread_cancel.patch new file mode 100644 index 0000000000..1cc185c2e4 --- /dev/null 
+++ b/sdk_container/src/third_party/portage-stable/net-misc/curl/files/curl-8.16.0-pthread_cancel.patch 
@@ -0,0 +1,399 @@ +https://github.com/curl/curl/commit/de3fc1d7adb78c078e4cc7ccc48e550758094ad3 +From: Stefan Eissing +Date: Sat, 13 Sep 2025 15:25:53 +0200 +Subject: [PATCH] asyn-thrdd: drop pthread_cancel + +Remove use of pthread_cancel in asnyc threaded resolving. While there +are system where this works, others might leak to resource leakage +(memory, files, etc.). The popular nsswitch is one example where resolve +code can be dragged in that is not prepared. + +The overall promise and mechanism of pthread_cancel() is just too +brittle and the historcal design of getaddrinfo() continues to haunt us. + +Fixes #18532 +Reported-by: Javier Blazquez +Closes #18540 +--- a/docs/libcurl/libcurl-env-dbg.md ++++ b/docs/libcurl/libcurl-env-dbg.md +@@ -83,11 +83,6 @@ When built with c-ares for name resolving, setting this environment variable + to `[IP:port]` makes libcurl use that DNS server instead of the system + default. This is used by the curl test suite. + +-## `CURL_DNS_DELAY_MS` +- +-Delay the DNS resolve by this many milliseconds. This is used in the test +-suite to check proper handling of CURLOPT_CONNECTTIMEOUT(3). +- + ## `CURL_FTP_PWD_STOP` + + When set, the first transfer - when using ftp: - returns before sending +--- a/lib/asyn-thrdd.c ++++ b/lib/asyn-thrdd.c +@@ -199,14 +199,6 @@ addr_ctx_create(struct Curl_easy *data, + return NULL; + } + +-static void async_thrd_cleanup(void *arg) +-{ +- struct async_thrdd_addr_ctx *addr_ctx = arg; +- +- Curl_thread_disable_cancel(); +- addr_ctx_unlink(&addr_ctx, NULL); +-} +- + #ifdef HAVE_GETADDRINFO + + /* +@@ -220,15 +212,6 @@ static CURL_THREAD_RETURN_T CURL_STDCALL getaddrinfo_thread(void *arg) + struct async_thrdd_addr_ctx *addr_ctx = arg; + bool do_abort; + +-/* clang complains about empty statements and the pthread_cleanup* macros +- * are pretty ill defined. 
*/ +-#if defined(__clang__) +-#pragma clang diagnostic push +-#pragma clang diagnostic ignored "-Wextra-semi-stmt" +-#endif +- +- Curl_thread_push_cleanup(async_thrd_cleanup, addr_ctx); +- + Curl_mutex_acquire(&addr_ctx->mutx); + do_abort = addr_ctx->do_abort; + Curl_mutex_release(&addr_ctx->mutx); +@@ -237,9 +220,6 @@ static CURL_THREAD_RETURN_T CURL_STDCALL getaddrinfo_thread(void *arg) + char service[12]; + int rc; + +-#ifdef DEBUGBUILD +- Curl_resolve_test_delay(); +-#endif + msnprintf(service, sizeof(service), "%d", addr_ctx->port); + + rc = Curl_getaddrinfo_ex(addr_ctx->hostname, service, +@@ -274,11 +254,6 @@ static CURL_THREAD_RETURN_T CURL_STDCALL getaddrinfo_thread(void *arg) + + } + +- Curl_thread_pop_cleanup(); +-#if defined(__clang__) +-#pragma clang diagnostic pop +-#endif +- + addr_ctx_unlink(&addr_ctx, NULL); + return 0; + } +@@ -293,24 +268,11 @@ static CURL_THREAD_RETURN_T CURL_STDCALL gethostbyname_thread(void *arg) + struct async_thrdd_addr_ctx *addr_ctx = arg; + bool do_abort; + +-/* clang complains about empty statements and the pthread_cleanup* macros +- * are pretty ill defined. 
*/ +-#if defined(__clang__) +-#pragma clang diagnostic push +-#pragma clang diagnostic ignored "-Wextra-semi-stmt" +-#endif +- +- Curl_thread_push_cleanup(async_thrd_cleanup, addr_ctx); +- + Curl_mutex_acquire(&addr_ctx->mutx); + do_abort = addr_ctx->do_abort; + Curl_mutex_release(&addr_ctx->mutx); + + if(!do_abort) { +-#ifdef DEBUGBUILD +- Curl_resolve_test_delay(); +-#endif +- + addr_ctx->res = Curl_ipv4_resolve_r(addr_ctx->hostname, addr_ctx->port); + if(!addr_ctx->res) { + addr_ctx->sock_error = SOCKERRNO; +@@ -337,12 +299,7 @@ static CURL_THREAD_RETURN_T CURL_STDCALL gethostbyname_thread(void *arg) + #endif + } + +- Curl_thread_pop_cleanup(); +-#if defined(__clang__) +-#pragma clang diagnostic pop +-#endif +- +- async_thrd_cleanup(addr_ctx); ++ addr_ctx_unlink(&addr_ctx, NULL); + return 0; + } + +@@ -381,12 +338,12 @@ static void async_thrdd_destroy(struct Curl_easy *data) + CURL_TRC_DNS(data, "async_thrdd_destroy, thread joined"); + } + else { +- /* thread is still running. Detach the thread while mutexed, it will +- * trigger the cleanup when it releases its reference. */ ++ /* thread is still running. Detach it. */ + Curl_thread_destroy(&addr->thread_hnd); + CURL_TRC_DNS(data, "async_thrdd_destroy, thread detached"); + } + } ++ /* release our reference to the shared context */ + addr_ctx_unlink(&thrdd->addr, data); + } + +@@ -532,10 +489,12 @@ static void async_thrdd_shutdown(struct Curl_easy *data) + done = addr_ctx->thrd_done; + Curl_mutex_release(&addr_ctx->mutx); + +- DEBUGASSERT(addr_ctx->thread_hnd != curl_thread_t_null); +- if(!done && (addr_ctx->thread_hnd != curl_thread_t_null)) { +- CURL_TRC_DNS(data, "cancelling resolve thread"); +- (void)Curl_thread_cancel(&addr_ctx->thread_hnd); ++ /* Wait for the thread to terminate if it is already marked done. If it is ++ not done yet we cannot do anything here. We had tried pthread_cancel but ++ it caused hanging and resource leaks (#18532). 
*/ ++ if(done && (addr_ctx->thread_hnd != curl_thread_t_null)) { ++ Curl_thread_join(&addr_ctx->thread_hnd); ++ CURL_TRC_DNS(data, "async_thrdd_shutdown, thread joined"); + } + } + +@@ -553,9 +512,11 @@ static CURLcode asyn_thrdd_await(struct Curl_easy *data, + if(!entry) + async_thrdd_shutdown(data); + +- CURL_TRC_DNS(data, "resolve, wait for thread to finish"); +- if(!Curl_thread_join(&addr_ctx->thread_hnd)) { +- DEBUGASSERT(0); ++ if(addr_ctx->thread_hnd != curl_thread_t_null) { ++ CURL_TRC_DNS(data, "resolve, wait for thread to finish"); ++ if(!Curl_thread_join(&addr_ctx->thread_hnd)) { ++ DEBUGASSERT(0); ++ } + } + + if(entry) +--- a/lib/curl_threads.c ++++ b/lib/curl_threads.c +@@ -100,34 +100,6 @@ int Curl_thread_join(curl_thread_t *hnd) + return ret; + } + +-/* do not use pthread_cancel if: +- * - pthread_cancel seems to be absent +- * - on FreeBSD, as we see hangers in CI testing +- * - this is a -fsanitize=thread build +- * (clang sanitizer reports false positive when functions to not return) +- */ +-#if defined(PTHREAD_CANCEL_ENABLE) && !defined(__FreeBSD__) +-#if defined(__has_feature) +-# if !__has_feature(thread_sanitizer) +-#define USE_PTHREAD_CANCEL +-# endif +-#else /* __has_feature */ +-#define USE_PTHREAD_CANCEL +-#endif /* !__has_feature */ +-#endif /* PTHREAD_CANCEL_ENABLE && !__FreeBSD__ */ +- +-int Curl_thread_cancel(curl_thread_t *hnd) +-{ +- (void)hnd; +- if(*hnd != curl_thread_t_null) +-#ifdef USE_PTHREAD_CANCEL +- return pthread_cancel(**hnd); +-#else +- return 1; /* not supported */ +-#endif +- return 0; +-} +- + #elif defined(USE_THREADS_WIN32) + + curl_thread_t Curl_thread_create(CURL_THREAD_RETURN_T +@@ -182,12 +154,4 @@ int Curl_thread_join(curl_thread_t *hnd) + return ret; + } + +-int Curl_thread_cancel(curl_thread_t *hnd) +-{ +- if(*hnd != curl_thread_t_null) { +- return 1; /* not supported */ +- } +- return 0; +-} +- + #endif /* USE_THREADS_* */ +--- a/lib/curl_threads.h ++++ b/lib/curl_threads.h +@@ -66,22 +66,6 @@ void 
Curl_thread_destroy(curl_thread_t *hnd); + + int Curl_thread_join(curl_thread_t *hnd); + +-int Curl_thread_cancel(curl_thread_t *hnd); +- +-#if defined(USE_THREADS_POSIX) && defined(PTHREAD_CANCEL_ENABLE) +-#define Curl_thread_push_cleanup(a,b) pthread_cleanup_push(a,b) +-#define Curl_thread_pop_cleanup() pthread_cleanup_pop(0) +-#define Curl_thread_enable_cancel() \ +- pthread_setcancelstate(PTHREAD_CANCEL_ENABLE, NULL) +-#define Curl_thread_disable_cancel() \ +- pthread_setcancelstate(PTHREAD_CANCEL_DISABLE, NULL) +-#else +-#define Curl_thread_push_cleanup(a,b) ((void)a,(void)b) +-#define Curl_thread_pop_cleanup() Curl_nop_stmt +-#define Curl_thread_enable_cancel() Curl_nop_stmt +-#define Curl_thread_disable_cancel() Curl_nop_stmt +-#endif +- + #endif /* USE_THREADS_POSIX || USE_THREADS_WIN32 */ + + #endif /* HEADER_CURL_THREADS_H */ +--- a/lib/hostip.c ++++ b/lib/hostip.c +@@ -1132,10 +1132,6 @@ CURLcode Curl_resolv_timeout(struct Curl_easy *data, + prev_alarm = alarm(curlx_sltoui(timeout/1000L)); + } + +-#ifdef DEBUGBUILD +- Curl_resolve_test_delay(); +-#endif +- + #else /* !USE_ALARM_TIMEOUT */ + #ifndef CURLRES_ASYNCH + if(timeoutms) +@@ -1639,18 +1635,3 @@ CURLcode Curl_resolver_error(struct Curl_easy *data, const char *detail) + return result; + } + #endif /* USE_CURL_ASYNC */ +- +-#ifdef DEBUGBUILD +-#include "curlx/wait.h" +- +-void Curl_resolve_test_delay(void) +-{ +- const char *p = getenv("CURL_DNS_DELAY_MS"); +- if(p) { +- curl_off_t l; +- if(!curlx_str_number(&p, &l, TIME_T_MAX) && l) { +- curlx_wait_ms((timediff_t)l); +- } +- } +-} +-#endif +--- a/lib/hostip.h ++++ b/lib/hostip.h +@@ -216,8 +216,4 @@ struct Curl_addrinfo *Curl_sync_getaddrinfo(struct Curl_easy *data, + + #endif + +-#ifdef DEBUGBUILD +-void Curl_resolve_test_delay(void); +-#endif +- + #endif /* HEADER_CURL_HOSTIP_H */ +--- a/tests/data/Makefile.am ++++ b/tests/data/Makefile.am +@@ -112,7 +112,7 @@ test754 test755 test756 test757 test758 test759 test760 test761 test762 \ + test763 \ + 
\ + test780 test781 test782 test783 test784 test785 test786 test787 test788 \ +-test789 test790 test791 test792 test793 test794 test795 test796 test797 \ ++test789 test790 test791 test792 test793 test794 test796 test797 \ + \ + test799 test800 test801 test802 test803 test804 test805 test806 test807 \ + test808 test809 test810 test811 test812 test813 test814 test815 test816 \ +--- a/tests/data/test795 ++++ /dev/null +@@ -1,36 +0,0 @@ +- +- +- +-DNS +- +- +- +-# Client-side +- +- +-http +-Debug +-!c-ares +-!win32 +- +- +-Delayed resolve --connect-timeout check +- +- +-CURL_DNS_DELAY_MS=5000 +- +- +-http://test.invalid -v --no-progress-meter --trace-config dns --connect-timeout 1 -w \%{time_total} +- +- +- +-# Verify data after the test has been "shot" +- +- +-28 +- +- +-%SRCDIR/libtest/test795.pl %LOGDIR/stdout%TESTNUMBER 2 >> %LOGDIR/stderr%TESTNUMBER +- +- +- +--- a/tests/libtest/Makefile.am ++++ b/tests/libtest/Makefile.am +@@ -42,7 +42,7 @@ AM_CPPFLAGS = -I$(top_srcdir)/include \ + include Makefile.inc + + EXTRA_DIST = CMakeLists.txt $(FIRST_C) $(FIRST_H) $(UTILS_C) $(UTILS_H) $(TESTS_C) \ +- test307.pl test610.pl test613.pl test795.pl test1013.pl test1022.pl mk-lib1521.pl ++ test307.pl test610.pl test613.pl test1013.pl test1022.pl mk-lib1521.pl + + CFLAGS += @CURL_CFLAG_EXTRAS@ + +--- a/tests/libtest/test795.pl ++++ /dev/null +@@ -1,46 +0,0 @@ +-#!/usr/bin/env perl +-#*************************************************************************** +-# _ _ ____ _ +-# Project ___| | | | _ \| | +-# / __| | | | |_) | | +-# | (__| |_| | _ <| |___ +-# \___|\___/|_| \_\_____| +-# +-# Copyright (C) Daniel Stenberg, , et al. +-# +-# This software is licensed as described in the file COPYING, which +-# you should have received as part of this distribution. The terms +-# are also available at https://curl.se/docs/copyright.html. 
+-# +-# You may opt to use, copy, modify, merge, publish, distribute and/or sell +-# copies of the Software, and permit persons to whom the Software is +-# furnished to do so, under the terms of the COPYING file. +-# +-# This software is distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY +-# KIND, either express or implied. +-# +-# SPDX-License-Identifier: curl +-# +-########################################################################### +-use strict; +-use warnings; +- +-my $ok = 1; +-my $exp_duration = $ARGV[1] + 0.0; +- +-# Read the output of curl --version +-open(F, $ARGV[0]) || die "Can't open test result from $ARGV[0]\n"; +-$_ = ; +-chomp; +-/\s*([\.\d]+)\s*/; +-my $duration = $1 + 0.0; +-close F; +- +-if ($duration <= $exp_duration) { +- print "OK: duration of $duration in expected range\n"; +- $ok = 0; +-} +-else { +- print "FAILED: duration of $duration is larger than $exp_duration\n"; +-} +-exit $ok; diff --git a/sdk_container/src/third_party/portage-stable/net-misc/curl/files/curl-8.16.0-ssl_verifyhost.patch b/sdk_container/src/third_party/portage-stable/net-misc/curl/files/curl-8.16.0-ssl_verifyhost.patch new file mode 100644 index 0000000000..4d08f7f796 --- /dev/null +++ b/sdk_container/src/third_party/portage-stable/net-misc/curl/files/curl-8.16.0-ssl_verifyhost.patch 
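Review bot: On the `if(!entry)` path of `asyn_thrdd_await` in lib/asyn-thrdd.c, `async_thrdd_shutdown` used to cancel a running resolver thread before the join; it now does nothing for a thread that is not marked done, so the following `Curl_thread_join` waits until the lookup itself returns. The same patch removes `CURL_DNS_DELAY_MS`, `Curl_resolve_test_delay()` and test795 (the delayed-resolve `--connect-timeout` check), so no test visible here still covers how long a slow resolver can hold the caller. I would document this at the join, e.g. `/* blocks until the resolver thread returns; it can no longer be cancelled (#18532) */`, and ask upstream whether a replacement timing test is planned. In `async_thrdd_shutdown` the new `Curl_thread_join(&addr_ctx->thread_hnd);` also drops the return value that `asyn_thrdd_await` checks; `(void)Curl_thread_join(...)` would make that explicit. Both functions start and end outside the quoted hunks, so a bound on the wait may exist in code not shown.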
@@ -0,0 +1,63 @@ +https://github.com/curl/curl/commit/f7cac7cc07a45481b246c875e8113d741ba2a6e1 +From: Daniel Stenberg +Date: Sun, 14 Sep 2025 23:28:03 +0200 +Subject: [PATCH] setopt: accept *_SSL_VERIFYHOST set to 2L + +... without outputing a verbose message about it. In the early days we +had 2L and 1L have different functionalities. + +Reported-by: Jicea +Bug: https://curl.se/mail/lib-2025-09/0031.html +Closes #18547 +--- a/lib/setopt.c ++++ b/lib/setopt.c +@@ -443,6 +443,7 @@ static CURLcode setopt_bool(struct Curl_easy *data, CURLoption option, + long arg, bool *set) + { + bool enabled = !!arg; ++ int ok = 1; + struct UserDefined *s = &data->set; + switch(option) { + case CURLOPT_FORBID_REUSE: +@@ -619,7 +620,7 @@ static CURLcode setopt_bool(struct Curl_easy *data, CURLoption option, + * Enable verification of the hostname in the peer certificate for proxy + */ + s->proxy_ssl.primary.verifyhost = enabled; +- ++ ok = 2; + /* Update the current connection proxy_ssl_config. */ + Curl_ssl_conn_config_update(data, TRUE); + break; +@@ -723,6 +724,7 @@ static CURLcode setopt_bool(struct Curl_easy *data, CURLoption option, + * Enable verification of the hostname in the peer certificate for DoH + */ + s->doh_verifyhost = enabled; ++ ok = 2; + break; + case CURLOPT_DOH_SSL_VERIFYSTATUS: + /* +@@ -732,6 +734,7 @@ static CURLcode setopt_bool(struct Curl_easy *data, CURLoption option, + return CURLE_NOT_BUILT_IN; + + s->doh_verifystatus = enabled; ++ ok = 2; + break; + #endif /* ! CURL_DISABLE_DOH */ + case CURLOPT_SSL_VERIFYHOST: +@@ -743,6 +746,7 @@ static CURLcode setopt_bool(struct Curl_easy *data, CURLoption option, + this argument took a boolean when it was not and misused it. + Treat 1 and 2 the same */ + s->ssl.primary.verifyhost = enabled; ++ ok = 2; + + /* Update the current connection ssl_config. 
*/ + Curl_ssl_conn_config_update(data, FALSE); +@@ -844,7 +848,7 @@ static CURLcode setopt_bool(struct Curl_easy *data, CURLoption option, + default: + return CURLE_OK; + } +- if((arg > 1) || (arg < 0)) ++ if((arg > ok) || (arg < 0)) + /* reserve other values for future use */ + infof(data, "boolean setopt(%d) got unsupported argument %ld," + " treated as %d", option, arg, enabled); diff --git a/sdk_container/src/third_party/portage-stable/net-misc/curl/metadata.xml b/sdk_container/src/third_party/portage-stable/net-misc/curl/metadata.xml index 2fa671c41f..48bc5a58dd 100644 --- a/sdk_container/src/third_party/portage-stable/net-misc/curl/metadata.xml +++ b/sdk_container/src/third_party/portage-stable/net-misc/curl/metadata.xml @@ -22,7 +22,6 @@ Enable mbedtls ssl backend Enable openssl ssl backend Enable Post Office Protocol 3 support - Enable the progress meter Enable Public Suffix List (PSL) support. See https://daniel.haxx.se/blog/2024/01/10/psl-in-curl/. Enable support for QUIC (RFC 9000); a UDP-based protocol intended to replace TCP Enable RTMP Streaming Media support @@ -31,7 +30,6 @@ Enable Simple Mail Transfer Protocol support Enable SSH urls in curl using libssh2 Enable crypto engine support (via openssl if USE='-gnutls -nss') - Support for the old/insecure SSLv3 protocol Enable Telnet protocol support Enable TFTP support Enable websockets support
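Review bot: The `ok = 2;` added under `case CURLOPT_DOH_SSL_VERIFYSTATUS:` (after `s->doh_verifystatus = enabled;`) widens the accepted range for an option that is not a VERIFYHOST option, while the subject only covers `*_SSL_VERIFYHOST`. Because `enabled` is `!!arg`, the stored setting is unchanged and only the `infof()` notice about an unsupported argument is suppressed, but a 2 passed to the status-check option is then no longer reported to the caller. Either drop that one line or name the option in the description. The new local would also read better with a comment, e.g. `int ok = 1; /* highest arg accepted without the infof() notice */`. `setopt_bool` starts and ends outside the quoted hunks.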