mirrors/flatcar-scripts
1
0
Fork 0
mirror of https://github.com/flatcar/scripts.git synced 2025-12-22 17:52:12 +01:00
Code Issues Packages Projects Releases Wiki Activity

net-misc/curl: Sync with Gentoo

Browse Source 
It's from Gentoo commit 222904ab419f93feddbb6581ec812d4f747a1234.

Signed-off-by: Flatcar Buildbot <buildbot@flatcar-linux.org>
This commit is contained in:
Flatcar Buildbot 2025-11-17 07:12:19 +00:00 committed by Krzesimir Nowak
parent e46ab6d67c
commit e1c16951df
9 changed files with 822 additions and 7 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
sdk_container/src/third_party/portage-stable/net-misc/curl/Manifest vendored
View File

@ -2,5 +2,5 @@ DIST curl-8.15.0.tar.xz 2773156 BLAKE2B ae809be87f34d079413129c27e618a6d15c2bf90
DIST curl-8.15.0.tar.xz.asc 488 BLAKE2B 4b0bab065a1d2d5b7e5d49989bd4953344d844cafd3036b4cb2ed2dec82e59031832f05c06dc6a801e4668d92c936df74aeff7a5f2c15ff614da4b1673a67501 SHA512 b6aef1c6a1f32c60401494df565a748fa96c1d5098138772c22f6208bafeb8e61402f3077cbc274ea2c05f35ff376d8f736c58554520f8d20fded36d876499a5
DIST curl-8.16.0.tar.xz 2788632 BLAKE2B 573d56779481abf0b7d20225bba4f068cb726f23f69ce10076438e32cc6c16d1229c211aee05fc5e3e9cb9d78bbfdc5da0d8b73e730c0865879000eb90accf6a SHA512 8262c3dc113cfd5744ef1b82dbccaa69448a9395ad5c094c22df5cf537a047a927d3332db2cb3be12a31a68a60d8d0fa8485b916e975eda36a4ebd860da4f621
DIST curl-8.16.0.tar.xz.asc 488 BLAKE2B d213bd447c668118b49b7356dc99e710de927b93f81325802bae5e286b61481da6ed30f23c7f4f3cfb0f01222db88602ff4e510f4a1401e98511eb0c72ac6abb SHA512 591568e997c0d955a00152ce5bdfb4586d84b42f5c1e15df503514fb4eb4bf289a98b1ebdad23913119c67c27d51a6e6f4065ee6f7657b971c3a581c928a0d82
DIST curl-8.17.0-rc1.tar.xz 2789224 BLAKE2B f741f2385666a5f5902c9137e49c8131680903b61b3d52d4d48ec385cb69a9135ed40cfba9ac7e1bf4e24fe70a03b81336f54ee1e9cb464c88cfa6fe1c5d24c4 SHA512 bbaa3c97860f51c069dfc448d212a0d2149abfe76429bd4e7e3b005f44851e609008b90f5ed5caad048b5815043433248b495c41edf04d4bb5b76a8af41ede02
DIST curl-8.17.0-rc1.tar.xz.asc 488 BLAKE2B 2e753849bdb0ab224953cf56d03e0dbfc69152ad36c0783db688e808ce46e290d0ddbc3d7ce86b9bb4ad7e13ca20107b02ec6227c4a0ffc14470a1c257f90d99 SHA512 e86f7c9000ee5e8ee775947e720a17cf327b1f3053d6a6d92d3d1d27ed8dacefe1934ce3ee67b1efd59a601e0312bcffd1fb0900b760fda15e0fe7ba1a892c8f
DIST curl-8.17.0.tar.xz 2797000 BLAKE2B a7a804afe058f323b40177bcb4ffc523decde92da3da0a051f2dc1b566131250a96afe1ebf2bebc071993c893bddeef883ef33ddc0a9bee86d4e54402a546fba SHA512 fc6349def40c3c259de2a568631507df17dff83e78a2edbb93f069586dce594439fdc88bef7ce2bed7491f35800b8c0c181c8c88e6ef656cc3c18f9834681eca
DIST curl-8.17.0.tar.xz.asc 488 BLAKE2B 88b72cb9c0acd8a06956eca31047dfadfe110dc07290adbe50b9451a71d4282acaa05c8a149787d71cf13cf1b42e8df9594d0e8a2b1cadbfca5eb50550f32609 SHA512 e77d4cb1f4961aa0df3d76f1a8c55a0b9005ed557adf745f3ab24d33cee2d0e4bd06cecb9d911e76409852e7755129873cc7d24936c846ff1b854903c0f086b2

2
sdk_container/src/third_party/portage-stable/net-misc/curl/curl-8.15.0.ebuild vendored
View File

@ -101,7 +101,7 @@ REQUIRED_USE="
# don't be afraid to require a later version.
# ngtcp2 = https://bugs.gentoo.org/912029 - can only build with one tls backend at a time.
RDEPEND="
>=sys-libs/zlib-1.2.5[${MULTILIB_USEDEP}]
>=virtual/zlib-1.2.5:=[${MULTILIB_USEDEP}]
adns? ( >=net-dns/c-ares-1.16.0:=[${MULTILIB_USEDEP}] )
brotli? ( app-arch/brotli:=[${MULTILIB_USEDEP}] )
http2? ( >=net-libs/nghttp2-1.15.0:=[${MULTILIB_USEDEP}] )

4
sdk_container/src/third_party/portage-stable/net-misc/curl/curl-8.16.0-r1.ebuild vendored
View File

@ -22,7 +22,7 @@ else
S="${WORKDIR}/${P//_/-}"
else
CURL_URI="https://curl.se/download/"
KEYWORDS="~alpha amd64 arm ~arm64 ~hppa ~loong ~m68k ~mips ppc ppc64 ~riscv ~s390 ~sparc x86 ~amd64-linux ~x86-linux ~arm64-macos ~ppc-macos ~x64-macos ~x64-solaris"
KEYWORDS="~alpha amd64 arm arm64 ~hppa ~loong ~m68k ~mips ppc ppc64 ~riscv ~s390 ~sparc x86 ~amd64-linux ~x86-linux ~arm64-macos ~ppc-macos ~x64-macos ~x64-solaris"
fi
SRC_URI="
${CURL_URI}${P//_/-}.tar.xz
@ -99,7 +99,7 @@ REQUIRED_USE="
# don't be afraid to require a later version.
# ngtcp2 = https://bugs.gentoo.org/912029 - can only build with one tls backend at a time.
RDEPEND="
>=sys-libs/zlib-1.2.5[${MULTILIB_USEDEP}]
>=virtual/zlib-1.2.5:=[${MULTILIB_USEDEP}]
adns? ( >=net-dns/c-ares-1.16.0:=[${MULTILIB_USEDEP}] )
brotli? ( app-arch/brotli:=[${MULTILIB_USEDEP}] )
http2? ( >=net-libs/nghttp2-1.15.0:=[${MULTILIB_USEDEP}] )

445
sdk_container/src/third_party/portage-stable/net-misc/curl/curl-8.17.0-r1.ebuild vendored Normal file
View File

@ -0,0 +1,445 @@
# Copyright 1999-2025 Gentoo Authors
# Distributed under the terms of the GNU General Public License v2
EAPI=8
# Maintainers should subscribe to the 'curl-distros' ML for backports etc
# https://daniel.haxx.se/blog/2024/03/25/curl-distro-report/
# https://lists.haxx.se/listinfo/curl-distros
VERIFY_SIG_OPENPGP_KEY_PATH=/usr/share/openpgp-keys/danielstenberg.asc
inherit autotools multilib-minimal multiprocessing prefix toolchain-funcs verify-sig
DESCRIPTION="A Client that groks URLs"
HOMEPAGE="https://curl.se/"
if [[ ${PV} == 9999 ]]; then
inherit git-r3
EGIT_REPO_URI="https://github.com/curl/curl.git"
else
if [[ ${P} == *rc* ]]; then
CURL_URI="https://curl.se/rc/"
S="${WORKDIR}/${P//_/-}"
else
CURL_URI="https://curl.se/download/"
KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~loong ~m68k ~mips ~ppc ~ppc64 ~riscv ~s390 ~sparc ~x86 ~amd64-linux ~x86-linux ~arm64-macos ~ppc-macos ~x64-macos ~x64-solaris"
fi
SRC_URI="
${CURL_URI}${P//_/-}.tar.xz
verify-sig? ( ${CURL_URI}${P//_/-}.tar.xz.asc )
"
fi
LICENSE="BSD curl ISC test? ( BSD-4 )"
SLOT="0"
IUSE="+adns +alt-svc brotli debug ech +ftp gnutls gopher +hsts +http2 +http3 +httpsrr idn +imap kerberos ldap"
IUSE+=" mbedtls +openssl +pop3 +psl +quic rtmp rustls samba sasl-scram +smtp ssh ssl static-libs test"
IUSE+=" telnet +tftp +websockets zstd"
# These select the default tls implementation / which quic impl to use
IUSE+=" +curl_quic_openssl curl_quic_ngtcp2 curl_ssl_gnutls curl_ssl_mbedtls +curl_ssl_openssl curl_ssl_rustls"
RESTRICT="!test? ( test )"
# HTTPS RR is technically usable with the threaded resolver, but it still uses c-ares to
# ask for the HTTPS RR record type; if DoH is in use the HTTPS record will be requested
# in addition to A and AAAA records.
# To simplify dependency management in the ebuild we'll require c-ares for HTTPS RR (for now?).
# HTTPS RR in cURL is a dependency for:
# - ECH (requires patched openssl or gnutls currently, enabled with rustls)
# - Fetching the ALPN list which should provide a better HTTP/3 experience.
# Only one default ssl / quic provider can be enabled
# The default provider needs its USE satisfied
# HTTP/3 and MultiSSL are mutually exclusive; it's not clear if MultiSSL offers any benefit at all in the modern day.
# https://github.com/curl/curl/commit/65ece771f4602107d9cdd339dff4b420280a2c2e
REQUIRED_USE="
ech? ( rustls )
httpsrr? ( adns )
quic? (
^^ (
curl_quic_openssl
curl_quic_ngtcp2
)
http3
ssl
)
ssl? (
^^ (
curl_ssl_gnutls
curl_ssl_mbedtls
curl_ssl_openssl
curl_ssl_rustls
)
)
curl_quic_openssl? (
curl_ssl_openssl
!gnutls
!mbedtls
!rustls
)
curl_quic_ngtcp2? (
curl_ssl_gnutls
!mbedtls
!openssl
!rustls
)
curl_ssl_gnutls? ( gnutls )
curl_ssl_mbedtls? ( mbedtls )
curl_ssl_openssl? ( openssl )
curl_ssl_rustls? ( rustls )
http3? ( alt-svc httpsrr quic )
"
# cURL's docs and CI/CD are great resources for confirming supported versions
# particulary for fast-moving targets like HTTP/2 and TCP/2 e.g.:
# - https://github.com/curl/curl/blob/master/docs/INTERNALS.md (core dependencies + minimum versions)
# - https://github.com/curl/curl/blob/master/docs/HTTP3.md (example of a feature that moves quickly)
# - https://github.com/curl/curl/blob/master/.github/workflows/http3-linux.yml (CI/CD for TCP/2)
# However 'supported' vs 'works' are two entirely different things; be sane but
# don't be afraid to require a later version.
# ngtcp2 = https://bugs.gentoo.org/912029 - can only build with one tls backend at a time.
# TODO: OpenSSL-QUIC support is going to be removed in 2026; depend on ngtcp2[{gnutls,openssl}] before that point.
# - https://github.com/curl/curl/pull/18820 (Deprecate OpenSSL QUIC support)
# - https://github.com/curl/curl/issues/18336 (curl w/ OpenSSL QUIC fails to fetch Google.com)
RDEPEND="
>=virtual/zlib-1.2.5:=[${MULTILIB_USEDEP}]
adns? ( >=net-dns/c-ares-1.16.0:=[${MULTILIB_USEDEP}] )
brotli? ( app-arch/brotli:=[${MULTILIB_USEDEP}] )
http2? ( >=net-libs/nghttp2-1.15.0:=[${MULTILIB_USEDEP}] )
http3? ( >=net-libs/nghttp3-1.1.0[${MULTILIB_USEDEP}] )
idn? ( >=net-dns/libidn2-2.0.0:=[static-libs?,${MULTILIB_USEDEP}] )
kerberos? ( >=virtual/krb5-0-r1[${MULTILIB_USEDEP}] )
ldap? ( >=net-nds/openldap-2.0.0:=[static-libs?,${MULTILIB_USEDEP}] )
psl? ( net-libs/libpsl[${MULTILIB_USEDEP}] )
quic? (
curl_quic_openssl? ( >=dev-libs/openssl-3.3.0:=[quic,${MULTILIB_USEDEP}] )
curl_quic_ngtcp2? ( >=net-libs/ngtcp2-1.2.0[gnutls,ssl,-openssl,${MULTILIB_USEDEP}] )
)
rtmp? ( media-video/rtmpdump[${MULTILIB_USEDEP}] )
ssh? ( >=net-libs/libssh2-1.2.8[${MULTILIB_USEDEP}] )
sasl-scram? ( >=net-misc/gsasl-2.2.0[static-libs?,${MULTILIB_USEDEP}] )
ssl? (
gnutls? (
app-misc/ca-certificates
>=net-libs/gnutls-3.1.10:=[static-libs?,${MULTILIB_USEDEP}]
dev-libs/nettle:=[${MULTILIB_USEDEP}]
)
mbedtls? (
app-misc/ca-certificates
net-libs/mbedtls:3=[${MULTILIB_USEDEP}]
)
openssl? (
>=dev-libs/openssl-1.0.2:=[static-libs?,${MULTILIB_USEDEP}]
)
rustls? (
>=net-libs/rustls-ffi-0.15.0:=[${MULTILIB_USEDEP}]
)
)
zstd? ( app-arch/zstd:=[${MULTILIB_USEDEP}] )
"
DEPEND="${RDEPEND}"
BDEPEND="
dev-lang/perl
virtual/pkgconfig
test? (
sys-apps/diffutils
http2? ( >=net-libs/nghttp2-1.15.0:=[utils,${MULTILIB_USEDEP}] )
http3? ( net-libs/nghttp2:=[utils,${MULTILIB_USEDEP}] )
)
verify-sig? ( sec-keys/openpgp-keys-danielstenberg )
"
DOCS=( README docs/{FEATURES.md,INTERNALS.md,FAQ,BUGS.md,CONTRIBUTE.md} )
MULTILIB_WRAPPED_HEADERS=(
/usr/include/curl/curlbuild.h
)
MULTILIB_CHOST_TOOLS=(
/usr/bin/curl-config
)
QA_CONFIG_IMPL_DECL_SKIP=(
__builtin_available
closesocket
CloseSocket
getpass_r
ioctlsocket
IoctlSocket
mach_absolute_time
setmode
_fseeki64
# custom AC_LINK_IFELSE code fails to link even without -Werror
OSSL_QUIC_client_method
)
PATCHES=(
"${FILESDIR}/${PN}-prefix-5.patch"
"${FILESDIR}/${PN}-respect-cflags-3.patch"
"${FILESDIR}/${P}-progress-parallel.patch"
"${FILESDIR}/${P}-curlopt-capath.patch"
"${FILESDIR}/${P}-wcurl-CVE-2025-11563.patch"
)
src_prepare() {
default
eprefixify curl-config.in
eautoreconf
}
# Generates TLS-related configure options based on USE flags.
# Outputs options suitable for appending to a configure options array.
_get_curl_tls_configure_opts() {
local tls_opts=()
local backend flag_name
for backend in gnutls mbedtls openssl rustls; do
if [[ "$backend" == "openssl" ]]; then
flag_name="ssl"
tls_opts+=( "--with-ca-path=${EPREFIX}/etc/ssl/certs")
else
flag_name="$backend"
fi
if use "$backend"; then
tls_opts+=( "--with-${flag_name}" )
else
# If a single backend is enabled, 'ssl' is required, openssl is the default / fallback
if ! [[ "$backend" == "openssl" ]]; then
tls_opts+=( "--without-${flag_name}" )
fi
fi
done
if use curl_ssl_gnutls; then
multilib_is_native_abi && einfo "Default TLS backend: gnutls"
tls_opts+=( "--with-default-ssl-backend=gnutls" )
elif use curl_ssl_mbedtls; then
multilib_is_native_abi && einfo "Default TLS backend: mbedtls"
tls_opts+=( "--with-default-ssl-backend=mbedtls" )
elif use curl_ssl_openssl; then
multilib_is_native_abi && einfo "Default TLS backend: openssl"
tls_opts+=( "--with-default-ssl-backend=openssl" )
elif use curl_ssl_rustls; then
multilib_is_native_abi && einfo "Default TLS backend: rustls"
tls_opts+=( "--with-default-ssl-backend=rustls" )
else
eerror "We can't be here because of REQUIRED_USE."
die "Please file a bug, hit impossible condition w/ USE=ssl handling."
fi
# Explicitly Disable unimplemented backends
tls_opts+=(
--without-amissl
--without-wolfssl
)
printf "%s\n" "${tls_opts[@]}"
}
multilib_src_configure() {
# We make use of the fact that later flags override earlier ones
# So start with all ssl providers off until proven otherwise
# TODO: in the future, we may want to add wolfssl (https://www.wolfssl.com/)
local myconf=()
myconf+=( --without-ca-fallback --with-ca-bundle="${EPREFIX}"/etc/ssl/certs/ca-certificates.crt )
if use ssl; then
local -a tls_backend_opts
readarray -t tls_backend_opts < <(_get_curl_tls_configure_opts)
myconf+=("${tls_backend_opts[@]}")
if use quic; then
myconf+=(
$(use_with curl_quic_ngtcp2 ngtcp2)
$(use_with curl_quic_openssl openssl-quic)
)
else
# Without a REQUIRED_USE to ensure that QUIC was requested when at least one default backend is
# enabled we need ensure that we don't try to build QUIC support
myconf+=( --without-ngtcp2 --without-openssl-quic )
fi
else
myconf+=( --without-ssl )
einfo "SSL disabled"
fi
# These configuration options are organised alphabetically by category/type
# Protocols
# `grep SUPPORT_PROTOCOLS=\" configure.ac | awk '{ print substr($2, 1, length($2)-1)}' | sort`
# Assume that anything omitted (that is not new!) is enabled by default with no deps
myconf+=(
--enable-file
$(use_enable ftp)
$(use_enable gopher)
--enable-http
$(use_enable imap) # Automatic IMAPS if TLS is enabled
$(use_enable ldap ldaps)
$(use_enable ldap)
$(use_enable pop3)
$(use_enable samba smb)
$(use_with ssh libssh2) # enables scp/sftp
$(use_with rtmp librtmp)
--enable-rtsp
$(use_enable smtp)
$(use_enable telnet)
$(use_enable tftp)
$(use_enable websockets)
)
# Keep various 'HTTP-flavoured' options together
myconf+=(
$(use_enable alt-svc)
$(use_enable hsts)
$(use_enable httpsrr)
$(use_with http2 nghttp2)
$(use_with http3 nghttp3)
)
# --enable/disable options
# `grep -- --enable configure | grep Check | awk '{ print $4 }' | sort`
myconf+=(
$(use_enable adns ares)
--enable-aws
--enable-basic-auth
--enable-bearer-auth
--enable-cookies
--enable-dateparse
--enable-dict
--enable-digest-auth
--enable-dnsshuffle
--enable-doh
$(use_enable ech)
--enable-http-auth
--enable-ipv6
--enable-kerberos-auth
--enable-largefile
--enable-manual
--enable-mime
--enable-negotiate-auth
--enable-netrc
--enable-ntlm
--enable-progress-meter
--enable-proxy
--enable-rt
--enable-socketpair
--disable-sspi
$(use_enable static-libs static)
--enable-symbol-hiding
--enable-tls-srp
--disable-versioned-symbols
)
# --with/without options
# `grep -- --with configure | grep Check | awk '{ print $4 }' | sort`
myconf+=(
$(use_with brotli)
--with-fish-functions-dir="${EPREFIX}"/usr/share/fish/vendor_completions.d
$(use_with idn libidn2)
$(use_with kerberos gssapi "${EPREFIX}"/usr)
$(use_with sasl-scram libgsasl)
$(use_with psl libpsl)
--without-quiche
--without-schannel
--without-winidn
--with-zlib
--with-zsh-functions-dir="${EPREFIX}"/usr/share/zsh/site-functions
$(use_with zstd)
)
# Test deps (disabled)
myconf+=(
--without-test-caddy
--without-test-httpd
--without-test-nghttpx
)
if use debug; then
myconf+=(
--enable-debug
)
fi
if use test && multilib_is_native_abi && ( use http2 || use http3 ); then
myconf+=(
--with-test-nghttpx="${BROOT}/usr/bin/nghttpx"
)
fi
# Since 8.12.0 adns/c-ares and the threaded resolver are mutually exclusive
# This is in support of some work to enable `httpsrr` to use adns and the rest
# of curl to use the threaded resolver; for us `httpsrr` is conditional on adns.
if use adns; then
myconf+=(
--disable-threaded-resolver
)
else
myconf+=(
--enable-threaded-resolver
)
fi
ECONF_SOURCE="${S}" econf "${myconf[@]}"
if ! multilib_is_native_abi; then
# Avoid building the client (we just want libcurl for multilib)
sed -i -e '/SUBDIRS/s:src::' Makefile || die
sed -i -e '/SUBDIRS/s:scripts::' Makefile || die
fi
}
multilib_src_compile() {
default
if multilib_is_native_abi; then
# Shell completions
! tc-is-cross-compiler && emake -C scripts
fi
}
# There is also a pytest harness that tests for bugs in some very specific
# situations; we can rely on upstream for this rather than adding additional test deps.
multilib_src_test() {
# See https://github.com/curl/curl/blob/master/tests/runtests.pl#L5721
# -n: no valgrind (unreliable in sandbox and doesn't work correctly on all arches)
# -v: verbose
# -a: keep going on failure (so we see everything that breaks, not just 1st test)
# -k: keep test files after completion
# -am: automake style TAP output
# -p: print logs if test fails
# Note: if needed, we can skip specific tests. See e.g. Fedora's packaging
# or just read https://github.com/curl/curl/tree/master/tests#run.
# Note: we don't run the testsuite for cross-compilation.
# Upstream recommend 7*nproc as a starting point for parallel tests, but
# this ends up breaking when nproc is huge (like -j80).
# The network sandbox causes tests 241 and 1083 to fail; these are typically skipped
# as most gentoo users don't have an 'ip6-localhost'
multilib_is_native_abi && emake test TFLAGS="-n -v -a -k -am -p -j$((2*$(makeopts_jobs))) !241 !1083"
}
multilib_src_install() {
emake DESTDIR="${D}" install
if multilib_is_native_abi; then
# Shell completions
! tc-is-cross-compiler && emake -C scripts DESTDIR="${D}" install
fi
}
multilib_src_install_all() {
einstalldocs
find "${ED}" -type f -name '*.la' -delete || die
rm -rf "${ED}"/etc/ || die
}
pkg_postinst() {
if use debug; then
ewarn "USE=debug has been selected, enabling debug codepaths and making cURL extra verbose."
ewarn "Use this _only_ for testing. Debug builds should _not_ be used in anger."
ewarn "hic sunt dracones; you have been warned."
fi
}

2
sdk_container/src/third_party/portage-stable/net-misc/curl/curl-8.17.0_rc1.ebuild → sdk_container/src/third_party/portage-stable/net-misc/curl/curl-8.17.0.ebuild vendored
View File

@ -102,7 +102,7 @@ REQUIRED_USE="
# - https://github.com/curl/curl/pull/18820 (Deprecate OpenSSL QUIC support)
# - https://github.com/curl/curl/issues/18336 (curl w/ OpenSSL QUIC fails to fetch Google.com)
RDEPEND="
>=sys-libs/zlib-1.2.5[${MULTILIB_USEDEP}]
>=virtual/zlib-1.2.5:=[${MULTILIB_USEDEP}]
adns? ( >=net-dns/c-ares-1.16.0:=[${MULTILIB_USEDEP}] )
brotli? ( app-arch/brotli:=[${MULTILIB_USEDEP}] )
http2? ( >=net-libs/nghttp2-1.15.0:=[${MULTILIB_USEDEP}] )

2
sdk_container/src/third_party/portage-stable/net-misc/curl/curl-9999.ebuild vendored
View File

@ -102,7 +102,7 @@ REQUIRED_USE="
# - https://github.com/curl/curl/pull/18820 (Deprecate OpenSSL QUIC support)
# - https://github.com/curl/curl/issues/18336 (curl w/ OpenSSL QUIC fails to fetch Google.com)
RDEPEND="
>=sys-libs/zlib-1.2.5[${MULTILIB_USEDEP}]
>=virtual/zlib-1.2.5:=[${MULTILIB_USEDEP}]
adns? ( >=net-dns/c-ares-1.16.0:=[${MULTILIB_USEDEP}] )
brotli? ( app-arch/brotli:=[${MULTILIB_USEDEP}] )
http2? ( >=net-libs/nghttp2-1.15.0:=[${MULTILIB_USEDEP}] )

289
sdk_container/src/third_party/portage-stable/net-misc/curl/files/curl-8.17.0-curlopt-capath.patch vendored Normal file
View File

@ -0,0 +1,289 @@
https://github.com/curl/curl/pull/19408
From f36ab2dd6f33b9a9c069a034cf4f1451006d0f21 Mon Sep 17 00:00:00 2001
From: Stefan Eissing <stefan@eissing.org>
Date: Sat, 8 Nov 2025 14:28:38 +0100
Subject: [PATCH 1/4] fix --capath use
A regression in curl 8.17.0 led to a customer CAPATH set by the application
(or the curl command) to be ignored unless licurl was built with a default
CAPATH.
Add test cases using `--capath` on the custom pytest CA, generated with
the help of the openssl command when available.
refs #19401
---
lib/vtls/vtls.c | 4 ++--
tests/http/test_17_ssl_use.py | 23 +++++++++++++++++++++++
tests/http/testenv/certs.py | 16 ++++++++++++++++
tests/http/testenv/curl.py | 3 ++-
tests/http/testenv/env.py | 20 ++++++++++++++++++++
5 files changed, 63 insertions(+), 3 deletions(-)
diff --git a/lib/vtls/vtls.c b/lib/vtls/vtls.c
index 3b7a095c8b75..3858cad98312 100644
--- a/lib/vtls/vtls.c
+++ b/lib/vtls/vtls.c
@@ -310,7 +310,6 @@ CURLcode Curl_ssl_easy_config_complete(struct Curl_easy *data)
if(result)
return result;
}
- sslc->primary.CApath = data->set.str[STRING_SSL_CAPATH];
#endif
#ifdef CURL_CA_BUNDLE
if(!sslc->custom_cafile && !set->str[STRING_SSL_CAFILE]) {
@@ -322,6 +321,7 @@ CURLcode Curl_ssl_easy_config_complete(struct Curl_easy *data)
}
sslc->primary.CAfile = data->set.str[STRING_SSL_CAFILE];
sslc->primary.CRLfile = data->set.str[STRING_SSL_CRLFILE];
+ sslc->primary.CApath = data->set.str[STRING_SSL_CAPATH];
sslc->primary.issuercert = data->set.str[STRING_SSL_ISSUERCERT];
sslc->primary.issuercert_blob = data->set.blobs[BLOB_SSL_ISSUERCERT];
sslc->primary.cipher_list = data->set.str[STRING_SSL_CIPHER_LIST];
@@ -358,7 +358,6 @@ CURLcode Curl_ssl_easy_config_complete(struct Curl_easy *data)
if(result)
return result;
}
- sslc->primary.CApath = data->set.str[STRING_SSL_CAPATH_PROXY];
#endif
#ifdef CURL_CA_BUNDLE
if(!sslc->custom_cafile && !set->str[STRING_SSL_CAFILE_PROXY]) {
@@ -370,6 +369,7 @@ CURLcode Curl_ssl_easy_config_complete(struct Curl_easy *data)
#endif
}
sslc->primary.CAfile = data->set.str[STRING_SSL_CAFILE_PROXY];
+ sslc->primary.CApath = data->set.str[STRING_SSL_CAPATH_PROXY];
sslc->primary.cipher_list = data->set.str[STRING_SSL_CIPHER_LIST_PROXY];
sslc->primary.cipher_list13 = data->set.str[STRING_SSL_CIPHER13_LIST_PROXY];
sslc->primary.pinned_key = data->set.str[STRING_SSL_PINNEDPUBLICKEY_PROXY];
diff --git a/tests/http/test_17_ssl_use.py b/tests/http/test_17_ssl_use.py
index 57e1c014042b..20b6fdaef18b 100644
--- a/tests/http/test_17_ssl_use.py
+++ b/tests/http/test_17_ssl_use.py
@@ -597,3 +597,26 @@ def test_17_20_correct_pin(self, env: Env, proto, httpd):
])
# expect NOT_IMPLEMENTED or OK
assert r.exit_code in [0, 2], f'{r.dump_logs()}'
+
+ @pytest.mark.skipif(condition=not Env.have_openssl(), reason="needs openssl command")
+ def test_17_21_capath_valid(self, env: Env, httpd):
+ proto = 'http/1.1'
+ curl = CurlClient(env=env)
+ url = f'https://{env.authority_for(env.domain1, proto)}/curltest/sslinfo'
+ r = curl.http_get(url=url, alpn_proto=proto, extra_args=[
+ '--capath', os.path.join(env.gen_dir, 'ca/hashdir')
+ ])
+ assert r.exit_code == 0, f'{r.dump_logs()}'
+ assert r.json['HTTPS'] == 'on', f'{r.json}'
+
+ @pytest.mark.skipif(condition=not Env.have_openssl(), reason="needs openssl command")
+ def test_17_22_capath_invalid(self, env: Env, httpd):
+ proto = 'http/1.1'
+ curl = CurlClient(env=env)
+ url = f'https://{env.authority_for(env.domain1, proto)}/curltest/sslinfo'
+ r = curl.http_get(url=url, alpn_proto=proto, extra_args=[
+ '--capath', os.path.join(env.gen_dir, 'ca/invalid')
+ ])
+ # CURLE_PEER_FAILED_VERIFICATION
+ assert r.exit_code == 60, f'{r.dump_logs()}'
+
diff --git a/tests/http/testenv/certs.py b/tests/http/testenv/certs.py
index e59b1ea147e1..c9a30aaac065 100644
--- a/tests/http/testenv/certs.py
+++ b/tests/http/testenv/certs.py
@@ -28,6 +28,8 @@
import ipaddress
import os
import re
+import shutil
+import subprocess
from datetime import timedelta, datetime, timezone
from typing import List, Any, Optional
@@ -200,6 +202,10 @@ def pkey_file(self) -> Optional[str]:
def combined_file(self) -> Optional[str]:
return self._combined_file
+ @property
+ def hashdir(self) -> Optional[str]:
+ return os.path.join(self._store.path, 'hashdir')
+
def get_first(self, name) -> Optional['Credentials']:
creds = self._store.get_credentials_for_name(name) if self._store else []
return creds[0] if len(creds) else None
@@ -236,6 +242,16 @@ def issue_cert(self, spec: CertificateSpec,
creds.issue_certs(spec.sub_specs, chain=subchain)
return creds
+ def create_hashdir(self, openssl):
+ os.makedirs(self.hashdir, exist_ok=True)
+ p = subprocess.run(args=[
+ openssl, 'x509', '-hash', '-noout', '-in', self.cert_file
+ ], capture_output=True, text=True)
+ if p.returncode != 0:
+ raise Exception(f'openssl failed to compute cert hash: {p}')
+ cert_hname = f'{p.stdout.strip()}.0'
+ shutil.copy(self.cert_file, os.path.join(self.hashdir, cert_hname))
+
class CertStore:
diff --git a/tests/http/testenv/curl.py b/tests/http/testenv/curl.py
index dc885ab8cba9..a92e4f681f34 100644
--- a/tests/http/testenv/curl.py
+++ b/tests/http/testenv/curl.py
@@ -987,7 +987,8 @@ def _complete_args(self, urls, timeout=None, options=None,
pass
elif insecure:
args.append('--insecure')
- elif active_options and "--cacert" in active_options:
+ elif active_options and ("--cacert" in active_options or \
+ "--capath" in active_options):
pass
elif u.hostname:
args.extend(["--cacert", self.env.ca.cert_file])
diff --git a/tests/http/testenv/env.py b/tests/http/testenv/env.py
index ff8741530b70..859b704a35a3 100644
--- a/tests/http/testenv/env.py
+++ b/tests/http/testenv/env.py
@@ -199,6 +199,16 @@ def __init__(self, pytestconfig: Optional[pytest.Config] = None,
]),
]
+ self.openssl = 'openssl'
+ p = subprocess.run(args=[self.openssl, 'version'],
+ capture_output=True, text=True)
+ if p.returncode != 0:
+ # no openssl in path
+ self.openssl = None
+ self.openssl_version = None
+ else:
+ self.openssl_version = p.stdout.strip()
+
self.nghttpx = self.config['nghttpx']['nghttpx']
if len(self.nghttpx.strip()) == 0:
self.nghttpx = None
@@ -372,6 +382,10 @@ def setup_incomplete() -> bool:
def incomplete_reason() -> Optional[str]:
return Env.CONFIG.get_incomplete_reason()
+ @staticmethod
+ def have_openssl() -> bool:
+ return Env.CONFIG.openssl is not None
+
@staticmethod
def have_nghttpx() -> bool:
return Env.CONFIG.nghttpx is not None
@@ -548,6 +562,8 @@ def issue_certs(self):
store_dir=ca_dir,
key_type="rsa2048")
self._ca.issue_certs(self.CONFIG.cert_specs)
+ if self.have_openssl():
+ self._ca.create_hashdir(self.openssl)
def setup(self):
os.makedirs(self.gen_dir, exist_ok=True)
@@ -703,6 +719,10 @@ def ws_port(self) -> int:
def curl(self) -> str:
return self.CONFIG.curl
+ @property
+ def openssl(self) -> Optional[str]:
+ return self.CONFIG.openssl
+
@property
def httpd(self) -> str:
return self.CONFIG.httpd
From 02a595146a0bd3036f653ec48d5bfc9a0187ab75 Mon Sep 17 00:00:00 2001
From: Stefan Eissing <stefan@eissing.org>
Date: Sat, 8 Nov 2025 14:37:22 +0100
Subject: [PATCH 2/4] use correct hashdir
---
tests/http/test_17_ssl_use.py | 3 +--
1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/tests/http/test_17_ssl_use.py b/tests/http/test_17_ssl_use.py
index 20b6fdaef18b..0019bb1239d2 100644
--- a/tests/http/test_17_ssl_use.py
+++ b/tests/http/test_17_ssl_use.py
@@ -604,7 +604,7 @@ def test_17_21_capath_valid(self, env: Env, httpd):
curl = CurlClient(env=env)
url = f'https://{env.authority_for(env.domain1, proto)}/curltest/sslinfo'
r = curl.http_get(url=url, alpn_proto=proto, extra_args=[
- '--capath', os.path.join(env.gen_dir, 'ca/hashdir')
+ '--capath', env.ca.hashdir
])
assert r.exit_code == 0, f'{r.dump_logs()}'
assert r.json['HTTPS'] == 'on', f'{r.json}'
@@ -619,4 +619,3 @@ def test_17_22_capath_invalid(self, env: Env, httpd):
])
# CURLE_PEER_FAILED_VERIFICATION
assert r.exit_code == 60, f'{r.dump_logs()}'
-
From 5a952c670b0cf6e5735c2178014600af062390c4 Mon Sep 17 00:00:00 2001
From: Stefan Eissing <stefan@eissing.org>
Date: Sat, 8 Nov 2025 14:50:23 +0100
Subject: [PATCH 3/4] test_17_21 skip for rustls test_17_22 accept error 77 as
well
---
tests/http/test_17_ssl_use.py | 8 ++++++--
1 file changed, 6 insertions(+), 2 deletions(-)
diff --git a/tests/http/test_17_ssl_use.py b/tests/http/test_17_ssl_use.py
index 0019bb1239d2..76f20080b3d6 100644
--- a/tests/http/test_17_ssl_use.py
+++ b/tests/http/test_17_ssl_use.py
@@ -600,6 +600,8 @@ def test_17_20_correct_pin(self, env: Env, proto, httpd):
@pytest.mark.skipif(condition=not Env.have_openssl(), reason="needs openssl command")
def test_17_21_capath_valid(self, env: Env, httpd):
+ if env.curl_uses_lib('rustls'):
+ pytest.skip('rustls does not support CURLOPT_CAPATH')
proto = 'http/1.1'
curl = CurlClient(env=env)
url = f'https://{env.authority_for(env.domain1, proto)}/curltest/sslinfo'
@@ -611,11 +613,13 @@ def test_17_21_capath_valid(self, env: Env, httpd):
@pytest.mark.skipif(condition=not Env.have_openssl(), reason="needs openssl command")
def test_17_22_capath_invalid(self, env: Env, httpd):
+ # we can test all TLS backends here. the ones not supporting CAPATH
+ # need to fail as well as the ones which do, but get an invalid path.
proto = 'http/1.1'
curl = CurlClient(env=env)
url = f'https://{env.authority_for(env.domain1, proto)}/curltest/sslinfo'
r = curl.http_get(url=url, alpn_proto=proto, extra_args=[
'--capath', os.path.join(env.gen_dir, 'ca/invalid')
])
- # CURLE_PEER_FAILED_VERIFICATION
- assert r.exit_code == 60, f'{r.dump_logs()}'
+ # CURLE_PEER_FAILED_VERIFICATION or CURLE_SSL_CACERT_BADFILE
+ assert r.exit_code in [60, 77], f'{r.dump_logs()}'
From 10d57fbbe4c1036780d36feed6f55a87307c6e25 Mon Sep 17 00:00:00 2001
From: Stefan Eissing <stefan@eissing.org>
Date: Sat, 8 Nov 2025 14:58:25 +0100
Subject: [PATCH 4/4] use 'rustls-ffi' to check for rustsls backend
---
tests/http/test_17_ssl_use.py | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/tests/http/test_17_ssl_use.py b/tests/http/test_17_ssl_use.py
index 76f20080b3d6..615658f06c01 100644
--- a/tests/http/test_17_ssl_use.py
+++ b/tests/http/test_17_ssl_use.py
@@ -600,7 +600,7 @@ def test_17_20_correct_pin(self, env: Env, proto, httpd):
@pytest.mark.skipif(condition=not Env.have_openssl(), reason="needs openssl command")
def test_17_21_capath_valid(self, env: Env, httpd):
- if env.curl_uses_lib('rustls'):
+ if env.curl_uses_lib('rustls-ffi'):
pytest.skip('rustls does not support CURLOPT_CAPATH')
proto = 'http/1.1'
curl = CurlClient(env=env)

54
sdk_container/src/third_party/portage-stable/net-misc/curl/files/curl-8.17.0-progress-parallel.patch vendored Normal file
View File

@ -0,0 +1,54 @@
https://github.com/curl/curl/pull/19383
From a5038ff41f83907c896a41716f4f78a80a144cd1 Mon Sep 17 00:00:00 2001
From: Stefan Eissing <stefan@eissing.org>
Date: Thu, 6 Nov 2025 12:47:33 +0100
Subject: [PATCH] curl: fix progress meter in parallel mode
With `check_finished()` triggered by notifications now, the
`progress_meter()` was no longer called at regular intervals.
Move `progress_meter()` out of `check_finishe()` into the perform
loop and event callbacks.
---
src/tool_operate.c | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/src/tool_operate.c b/src/tool_operate.c
index 74f5da5fa915..e1f61a2ba519 100644
--- a/src/tool_operate.c
+++ b/src/tool_operate.c
@@ -1549,6 +1549,7 @@ static void on_uv_socket(uv_poll_t *req, int status, int events)
curl_multi_socket_action(c->uv->s->multi, c->sockfd, flags,
&c->uv->s->still_running);
+ progress_meter(c->uv->s->multi, &c->uv->s->start, FALSE);
}
/* callback from libuv when timeout expires */
@@ -1561,6 +1562,7 @@ static void on_uv_timeout(uv_timer_t *req)
if(uv && uv->s) {
curl_multi_socket_action(uv->s->multi, CURL_SOCKET_TIMEOUT, 0,
&uv->s->still_running);
+ progress_meter(uv->s->multi, &uv->s->start, FALSE);
}
}
@@ -1733,7 +1735,6 @@ static CURLcode check_finished(struct parastate *s)
int rc;
CURLMsg *msg;
bool checkmore = FALSE;
- progress_meter(s->multi, &s->start, FALSE);
do {
msg = curl_multi_info_read(s->multi, &rc);
if(msg) {
@@ -1875,6 +1876,8 @@ static CURLcode parallel_transfers(CURLSH *share)
s->mcode = curl_multi_poll(s->multi, NULL, 0, 1000, NULL);
if(!s->mcode)
s->mcode = curl_multi_perform(s->multi, &s->still_running);
+
+ progress_meter(s->multi, &s->start, FALSE);
}
(void)progress_meter(s->multi, &s->start, TRUE);

27
sdk_container/src/third_party/portage-stable/net-misc/curl/files/curl-8.17.0-wcurl-CVE-2025-11563.patch vendored Normal file
View File

@ -0,0 +1,27 @@
https://bugs.gentoo.org/966140
https://github.com/curl/wcurl/commit/65546bae0164a97d89d42176e366d9c7c7796261
From 65546bae0164a97d89d42176e366d9c7c7796261 Mon Sep 17 00:00:00 2001
From: Xi Ruoyao <xry111@xry111.site>
Date: Sun, 9 Nov 2025 14:30:34 +0800
Subject: [PATCH] wcurl: Really fix CVE-2025-11563
When we pass a string to is_safe_percent_encode, it always begins with
"%'. But the lookup table UNSAFE_PERCENT_ENCODE does not contain "%" so
nothing can be matched.
Also update the test suite to fix the false positive.
Signed-off-by: Xi Ruoyao <xry111@xry111.site>
--- a/scripts/wcurl
+++ b/scripts/wcurl
@@ -118,7 +118,7 @@ readonly PER_URL_PARAMETERS="\
# characters.
# 2F = /
# 5C = \
-readonly UNSAFE_PERCENT_ENCODE="2F 5C"
+readonly UNSAFE_PERCENT_ENCODE="%2F %5C"
# Whether to invoke curl or not.
DRY_RUN="false"