commit: 20b82121b5a956b2a7051629d7532abc7188027a Author: orbea <orbea <AT> riseup <DOT> net> AuthorDate: Tue Apr 15 14:17:55 2025 +0000 Commit: orbea <orbea <AT> riseup <DOT> net> CommitDate: Tue Apr 15 14:17:55 2025 +0000 URL: https://gitweb.gentoo.org/repo/proj/libressl.git/commit/?id=20b82121
net-misc/curl: add 8.13.0-r1 Signed-off-by: orbea <orbea <AT> riseup.net> net-misc/curl/curl-8.13.0-r1.ebuild | 438 +++++++++++++++++++++ .../curl-8.11.1-async-thread-close-eventfd.patch | 33 -- .../files/curl-8.13.0-gssapi-non-ssl-build.patch | 28 ++ .../curl-8.13.0-hostip-correct-proxy-name.patch | 46 +++ .../curl-8.13.0-http2-stream-window-size.patch | 143 +++++++ .../files/curl-8.13.0-httpsrr-target-check.patch | 22 ++ net-misc/curl/files/curl-8.13.0-krb5-ftp.patch | 19 + .../curl-8.13.0-openssl-quic-stream-shutdown.patch | 44 +++ net-misc/curl/files/curl-prefix-3.patch | 34 -- 9 files changed, 740 insertions(+), 67 deletions(-) diff --git a/net-misc/curl/curl-8.13.0-r1.ebuild b/net-misc/curl/curl-8.13.0-r1.ebuild new file mode 100644 index 0000000..c6aeba5 --- /dev/null +++ b/net-misc/curl/curl-8.13.0-r1.ebuild @@ -0,0 +1,438 @@ +# Copyright 1999-2025 Gentoo Authors +# Distributed under the terms of the GNU General Public License v2 + +EAPI=8 + +# Maintainers should subscribe to the 'curl-distros' ML for backports etc +# https://daniel.haxx.se/blog/2024/03/25/curl-distro-report/ +# https://lists.haxx.se/listinfo/curl-distros + +VERIFY_SIG_OPENPGP_KEY_PATH=/usr/share/openpgp-keys/danielstenberg.asc +inherit autotools multilib-minimal multiprocessing prefix toolchain-funcs verify-sig + +DESCRIPTION="A Client that groks URLs" +HOMEPAGE="https://curl.se/"; + +if [[ ${PV} == 9999 ]]; then + inherit git-r3 + EGIT_REPO_URI="https://github.com/curl/curl.git"; +else + if [[ ${P} == *rc* ]]; then + CURL_URI="https://curl.se/rc/"; + S="${WORKDIR}/${P//_/-}" + else + CURL_URI="https://curl.se/download/"; + KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~loong ~m68k ~mips ~ppc ~ppc64 ~riscv ~s390 ~sparc ~x86 ~amd64-linux ~x86-linux ~arm64-macos ~ppc-macos ~x64-macos ~x64-solaris" + fi + SRC_URI=" + ${CURL_URI}${P//_/-}.tar.xz + verify-sig? ( ${CURL_URI}${P//_/-}.tar.xz.asc ) + " +fi + +LICENSE="BSD curl ISC test? ( BSD-4 )" +SLOT="0" +IUSE="+adns +alt-svc brotli debug ech +ftp gnutls gopher +hsts +http2 +http3 +httpsrr idn +imap kerberos ldap" +IUSE+=" mbedtls +openssl +pop3 +psl +quic rtmp rustls samba sasl-scram +smtp ssh ssl static-libs test" +IUSE+=" telnet +tftp +websockets zstd" +# These select the default tls implementation / which quic impl to use +IUSE+=" curl_quic_openssl +curl_quic_ngtcp2 curl_ssl_gnutls curl_ssl_mbedtls +curl_ssl_openssl curl_ssl_rustls" +RESTRICT="!test? ( test )" + +# HTTPS RR is technically usable with the threaded resolver, but it still uses c-ares to +# ask for the HTTPS RR record type; if DoH is in use the HTTPS record will be requested +# in addition to A and AAAA records. + +# To simplify dependency management in the ebuild we'll require c-ares for HTTPS RR (for now?). +# HTTPS RR in cURL is a dependency for: +# - ECH (requires patched openssl or gnutls currently, enabled with rustls) +# - Fetching the ALPN list which should provide a better HTTP/3 experience. + +# Only one default ssl / quic provider can be enabled +# The default provider needs its USE satisfied +# HTTP/3 and MultiSSL are mutually exclusive; it's not clear if MultiSSL offers any benefit at all in the modern day. +# https://github.com/curl/curl/commit/65ece771f4602107d9cdd339dff4b420280a2c2e +REQUIRED_USE=" + ech? ( rustls ) + httpsrr? ( adns ) + quic? ( + !curl_quic_openssl + curl_quic_ngtcp2 + http3 + ssl + ) + ssl? ( + ^^ ( + curl_ssl_gnutls + curl_ssl_mbedtls + curl_ssl_openssl + curl_ssl_rustls + ) + ) + curl_quic_openssl? ( + curl_ssl_openssl + quic + !gnutls + !mbedtls + !rustls + ) + curl_quic_ngtcp2? ( + quic + !mbedtls + !rustls + ) + curl_ssl_gnutls? ( gnutls ) + curl_ssl_mbedtls? ( mbedtls ) + curl_ssl_openssl? ( openssl ) + curl_ssl_rustls? ( rustls ) + http3? ( alt-svc httpsrr quic ) +" + +# cURL's docs and CI/CD are great resources for confirming supported versions +# particulary for fast-moving targets like HTTP/2 and TCP/2 e.g.: +# - https://github.com/curl/curl/blob/master/docs/INTERNALS.md (core dependencies + minimum versions) +# - https://github.com/curl/curl/blob/master/docs/HTTP3.md (example of a feature that moves quickly) +# - https://github.com/curl/curl/blob/master/.github/workflows/http3-linux.yml (CI/CD for TCP/2) +# However 'supported' vs 'works' are two entirely different things; be sane but +# don't be afraid to require a later version. +# ngtcp2 = https://bugs.gentoo.org/912029 - can only build with one tls backend at a time. +RDEPEND=" + >=sys-libs/zlib-1.2.5[${MULTILIB_USEDEP}] + adns? ( >=net-dns/c-ares-1.16.0:=[${MULTILIB_USEDEP}] ) + brotli? ( app-arch/brotli:=[${MULTILIB_USEDEP}] ) + http2? ( >=net-libs/nghttp2-1.15.0:=[${MULTILIB_USEDEP}] ) + http3? ( >=net-libs/nghttp3-1.1.0[${MULTILIB_USEDEP}] ) + idn? ( >=net-dns/libidn2-2.0.0:=[static-libs?,${MULTILIB_USEDEP}] ) + kerberos? ( >=virtual/krb5-0-r1[${MULTILIB_USEDEP}] ) + ldap? ( >=net-nds/openldap-2.0.0:=[static-libs?,${MULTILIB_USEDEP}] ) + psl? ( net-libs/libpsl[${MULTILIB_USEDEP}] ) + quic? ( + curl_quic_openssl? ( >=dev-libs/openssl-3.3.0:=[quic,${MULTILIB_USEDEP}] ) + curl_quic_ngtcp2? ( >=net-libs/ngtcp2-1.2.0[ssl,openssl,${MULTILIB_USEDEP}] ) + ) + rtmp? ( media-video/rtmpdump[${MULTILIB_USEDEP}] ) + ssh? ( >=net-libs/libssh2-1.2.8[${MULTILIB_USEDEP}] ) + sasl-scram? ( >=net-misc/gsasl-2.2.0[static-libs?,${MULTILIB_USEDEP}] ) + ssl? ( + gnutls? ( + app-misc/ca-certificates + >=net-libs/gnutls-3.1.10:=[static-libs?,${MULTILIB_USEDEP}] + dev-libs/nettle:=[${MULTILIB_USEDEP}] + ) + mbedtls? ( + app-misc/ca-certificates + net-libs/mbedtls:0=[${MULTILIB_USEDEP}] + ) + openssl? ( + >=dev-libs/openssl-1.0.2:=[static-libs?,${MULTILIB_USEDEP}] + ) + rustls? ( + >=net-libs/rustls-ffi-0.15.0:=[${MULTILIB_USEDEP}] + ) + ) + zstd? ( app-arch/zstd:=[${MULTILIB_USEDEP}] ) +" + +DEPEND="${RDEPEND}" + +BDEPEND=" + dev-lang/perl + virtual/pkgconfig + test? ( + sys-apps/diffutils + http2? ( >=net-libs/nghttp2-1.15.0:=[utils,${MULTILIB_USEDEP}] ) + http3? ( net-libs/nghttp2:=[utils,${MULTILIB_USEDEP}] ) + ) + verify-sig? ( sec-keys/openpgp-keys-danielstenberg ) +" + +DOCS=( README docs/{FEATURES.md,INTERNALS.md,FAQ,BUGS.md,CONTRIBUTE.md} ) + +MULTILIB_WRAPPED_HEADERS=( + /usr/include/curl/curlbuild.h +) + +MULTILIB_CHOST_TOOLS=( + /usr/bin/curl-config +) + +QA_CONFIG_IMPL_DECL_SKIP=( + __builtin_available + closesocket + CloseSocket + getpass_r + ioctlsocket + IoctlSocket + mach_absolute_time + setmode + _fseeki64 + # custom AC_LINK_IFELSE code fails to link even without -Werror + OSSL_QUIC_client_method +) + +PATCHES=( + "${FILESDIR}/${PN}-prefix-4.patch" + "${FILESDIR}/${PN}-respect-cflags-3.patch" + "${FILESDIR}/${P}-gssapi-non-ssl-build.patch" + "${FILESDIR}/${P}-hostip-correct-proxy-name.patch" + "${FILESDIR}/${P}-http2-stream-window-size.patch" + "${FILESDIR}/${P}-httpsrr-target-check.patch" + "${FILESDIR}/${P}-krb5-ftp.patch" + "${FILESDIR}/${P}-openssl-quic-stream-shutdown.patch" +) + +src_prepare() { + default + + eprefixify curl-config.in + eautoreconf +} + +# Generates TLS-related configure options based on USE flags. +# Outputs options suitable for appending to a configure options array. +_get_curl_tls_configure_opts() { + local tls_opts=() + + local backend flag_name + for backend in gnutls mbedtls openssl rustls; do + if [[ "$backend" == "openssl" ]]; then + flag_name="ssl" + tls_opts+=( "--with-ca-path=${EPREFIX}/etc/ssl/certs") + else + flag_name="$backend" + fi + + if use "$backend"; then + tls_opts+=( "--with-${flag_name}" ) + else + # If a single backend is enabled, 'ssl' is required, openssl is the default / fallback + if ! [[ "$backend" == "openssl" ]]; then + tls_opts+=( "--without-${flag_name}" ) + fi + fi + done + + if use curl_ssl_gnutls; then + multilib_is_native_abi && einfo "Default TLS backend: gnutls" + tls_opts+=( "--with-default-ssl-backend=gnutls" ) + elif use curl_ssl_mbedtls; then + multilib_is_native_abi && einfo "Default TLS backend: mbedtls" + tls_opts+=( "--with-default-ssl-backend=mbedtls" ) + elif use curl_ssl_openssl; then + multilib_is_native_abi && einfo "Default TLS backend: openssl" + tls_opts+=( "--with-default-ssl-backend=openssl" ) + elif use curl_ssl_rustls; then + multilib_is_native_abi && einfo "Default TLS backend: rustls" + tls_opts+=( "--with-default-ssl-backend=rustls" ) + else + eerror "We can't be here because of REQUIRED_USE." + die "Please file a bug, hit impossible condition w/ USE=ssl handling." + fi + + # Explicitly Disable unimplemented b + tls_opts+=( + --without-amissl + --without-bearssl + --without-wolfssl + ) + + printf "%s\n" "${tls_opts[@]}" +} + +multilib_src_configure() { + # We make use of the fact that later flags override earlier ones + # So start with all ssl providers off until proven otherwise + # TODO: in the future, we may want to add wolfssl (https://www.wolfssl.com/) + local myconf=() + + myconf+=( --without-ca-fallback --with-ca-bundle="${EPREFIX}"/etc/ssl/certs/ca-certificates.crt ) + if use ssl; then + local -a tls_backend_opts + readarray -t tls_backend_opts < <(_get_curl_tls_configure_opts) + myconf+=("${tls_backend_opts[@]}") + else + myconf+=( --without-ssl ) + einfo "SSL disabled" + fi + + # These configuration options are organised alphabetically by category/type + + # Protocols + # `grep SUPPORT_PROTOCOLS=\" configure.ac | awk '{ print substr($2, 1, length($2)-1)}' | sort` + # Assume that anything omitted (that is not new!) is enabled by default with no deps + myconf+=( + --enable-file + $(use_enable ftp) + $(use_enable gopher) + --enable-http + $(use_enable imap) # Automatic IMAPS if TLS is enabled + $(use_enable ldap ldaps) + $(use_enable ldap) + $(use_enable pop3) + $(use_enable samba smb) + $(use_with ssh libssh2) # enables scp/sftp + $(use_with rtmp librtmp) + --enable-rtsp + $(use_enable smtp) + $(use_enable telnet) + $(use_enable tftp) + $(use_enable websockets) + ) + + # Keep various 'HTTP-flavoured' options together + myconf+=( + $(use_enable alt-svc) + $(use_enable hsts) + $(use_enable httpsrr) + $(use_with http2 nghttp2) + $(use_with http3 nghttp3) + $(use_with curl_quic_ngtcp2 ngtcp2) + $(use_with curl_quic_openssl openssl-quic) + ) + + # --enable/disable options + # `grep -- --enable configure | grep Check | awk '{ print $4 }' | sort` + myconf+=( + $(use_enable adns ares) + --enable-aws + --enable-basic-auth + --enable-bearer-auth + --enable-cookies + --enable-dateparse + --enable-dict + --enable-digest-auth + --enable-dnsshuffle + --enable-doh + $(use_enable ech) + --enable-http-auth + --enable-ipv6 + --enable-kerberos-auth + --enable-largefile + --enable-manual + --enable-mime + --enable-negotiate-auth + --enable-netrc + --enable-ntlm + --enable-progress-meter + --enable-proxy + --enable-rt + --enable-socketpair + --disable-sspi + $(use_enable static-libs static) + --enable-symbol-hiding + --enable-tls-srp + --disable-versioned-symbols + ) + + # --with/without options + # `grep -- --with configure | grep Check | awk '{ print $4 }' | sort` + myconf+=( + $(use_with brotli) + --with-fish-functions-dir="${EPREFIX}"/usr/share/fish/vendor_completions.d + $(use_with idn libidn2) + $(use_with kerberos gssapi "${EPREFIX}"/usr) + $(use_with sasl-scram libgsasl) + $(use_with psl libpsl) + --without-msh3 + --without-quiche + --without-schannel + --without-secure-transport + --without-winidn + --with-zlib + --with-zsh-functions-dir="${EPREFIX}"/usr/share/zsh/site-functions + $(use_with zstd) + ) + + # Test deps (disabled) + myconf+=( + --without-test-caddy + --without-test-httpd + --without-test-nghttpx + ) + + if use debug; then + myconf+=( + --enable-debug + ) + fi + + if use test && multilib_is_native_abi && ( use http2 || use http3 ); then + myconf+=( + --with-test-nghttpx="${BROOT}/usr/bin/nghttpx" + ) + fi + + # Since 8.12.0 adns/c-ares and the threaded resolver are mutually exclusive + # This is in support of some work to enable `httpsrr` to use adns and the rest + # of curl to use the threaded resolver; for us `httpsrr` is conditional on adns. + if use adns; then + myconf+=( + --disable-threaded-resolver + ) + else + myconf+=( + --enable-threaded-resolver + ) + fi + + ECONF_SOURCE="${S}" econf "${myconf[@]}" + + if ! multilib_is_native_abi; then + # Avoid building the client (we just want libcurl for multilib) + sed -i -e '/SUBDIRS/s:src::' Makefile || die + sed -i -e '/SUBDIRS/s:scripts::' Makefile || die + fi + +} + +multilib_src_compile() { + default + + if multilib_is_native_abi; then + # Shell completions + ! tc-is-cross-compiler && emake -C scripts + fi +} + +# There is also a pytest harness that tests for bugs in some very specific +# situations; we can rely on upstream for this rather than adding additional test deps. +multilib_src_test() { + # See https://github.com/curl/curl/blob/master/tests/runtests.pl#L5721 + # -n: no valgrind (unreliable in sandbox and doesn't work correctly on all arches) + # -v: verbose + # -a: keep going on failure (so we see everything that breaks, not just 1st test) + # -k: keep test files after completion + # -am: automake style TAP output + # -p: print logs if test fails + # Note: if needed, we can skip specific tests. See e.g. Fedora's packaging + # or just read https://github.com/curl/curl/tree/master/tests#run. + # Note: we don't run the testsuite for cross-compilation. + # Upstream recommend 7*nproc as a starting point for parallel tests, but + # this ends up breaking when nproc is huge (like -j80). + # The network sandbox causes tests 241 and 1083 to fail; these are typically skipped + # as most gentoo users don't have an 'ip6-localhost' + multilib_is_native_abi && emake test TFLAGS="-n -v -a -k -am -p -j$((2*$(makeopts_jobs))) !241 !1083" +} + +multilib_src_install() { + emake DESTDIR="${D}" install + + if multilib_is_native_abi; then + # Shell completions + ! tc-is-cross-compiler && emake -C scripts DESTDIR="${D}" install + fi +} + +multilib_src_install_all() { + einstalldocs + find "${ED}" -type f -name '*.la' -delete || die + rm -rf "${ED}"/etc/ || die +} + +pkg_postinst() { + if use debug; then + ewarn "USE=debug has been selected, enabling debug codepaths and making cURL extra verbose." + ewarn "Use this _only_ for testing. Debug builds should _not_ be used in anger." + ewarn "hic sunt dracones; you have been warned." + fi +} diff --git a/net-misc/curl/files/curl-8.11.1-async-thread-close-eventfd.patch b/net-misc/curl/files/curl-8.11.1-async-thread-close-eventfd.patch deleted file mode 100644 index 2bdfc51..0000000 --- a/net-misc/curl/files/curl-8.11.1-async-thread-close-eventfd.patch +++ /dev/null @@ -1,33 +0,0 @@ -https://github.com/curl/curl/commit/ff5091aa9f73802e894b1cbdf24ab84e103200e2 -From: Andy Pan <[email protected]> -Date: Thu, 12 Dec 2024 12:48:56 +0000 -Subject: [PATCH] async-thread: avoid closing eventfd twice - -When employing eventfd for socketpair, there is only one file -descriptor. Closing that fd twice might result in fd corruption. -Thus, we should avoid closing the eventfd twice, following the -pattern in lib/multi.c. - -Fixes #15725 -Closes #15727 -Reported-by: Christian Heusel ---- - lib/asyn-thread.c | 2 ++ - 1 file changed, 2 insertions(+) - -diff --git a/lib/asyn-thread.c b/lib/asyn-thread.c -index a58e4b790494ab..32d496b107cb0a 100644 ---- a/lib/asyn-thread.c -+++ b/lib/asyn-thread.c -@@ -195,9 +195,11 @@ void destroy_thread_sync_data(struct thread_sync_data *tsd) - * close one end of the socket pair (may be done in resolver thread); - * the other end (for reading) is always closed in the parent thread. - */ -+#ifndef USE_EVENTFD - if(tsd->sock_pair[1] != CURL_SOCKET_BAD) { - wakeup_close(tsd->sock_pair[1]); - } -+#endif - #endif - memset(tsd, 0, sizeof(*tsd)); - } diff --git a/net-misc/curl/files/curl-8.13.0-gssapi-non-ssl-build.patch b/net-misc/curl/files/curl-8.13.0-gssapi-non-ssl-build.patch new file mode 100644 index 0000000..cd9bde1 --- /dev/null +++ b/net-misc/curl/files/curl-8.13.0-gssapi-non-ssl-build.patch @@ -0,0 +1,28 @@ +https://github.com/curl/curl/commit/fe5f435b42a6c928b57c61db5d57f96b5c5a39be +From: Andrew <[email protected]> +Date: Wed, 2 Apr 2025 13:45:21 +0100 +Subject: [PATCH] http_negotiate: fix non-SSL build with GSSAPI + +Fixes #16919 +Closes #16921 +--- a/lib/http_negotiate.c ++++ b/lib/http_negotiate.c +@@ -110,8 +110,8 @@ CURLcode Curl_input_negotiate(struct Curl_easy *data, struct connectdata *conn, + #endif + /* Check if the connection is using SSL and get the channel binding data */ + #ifdef HAVE_GSSAPI +- Curl_dyn_init(&neg_ctx->channel_binding_data, SSL_CB_MAX_SIZE + 1); + #ifdef USE_SSL ++ Curl_dyn_init(&neg_ctx->channel_binding_data, SSL_CB_MAX_SIZE + 1); + if(Curl_conn_is_ssl(conn, FIRSTSOCKET)) { + result = Curl_ssl_get_channel_binding( + data, FIRSTSOCKET, &neg_ctx->channel_binding_data); +@@ -120,6 +120,8 @@ CURLcode Curl_input_negotiate(struct Curl_easy *data, struct connectdata *conn, + return result; + } + } ++#else ++ Curl_dyn_init(&neg_ctx->channel_binding_data, 1); + #endif /* USE_SSL */ + #endif /* HAVE_GSSAPI */ + diff --git a/net-misc/curl/files/curl-8.13.0-hostip-correct-proxy-name.patch b/net-misc/curl/files/curl-8.13.0-hostip-correct-proxy-name.patch new file mode 100644 index 0000000..18965c9 --- /dev/null +++ b/net-misc/curl/files/curl-8.13.0-hostip-correct-proxy-name.patch @@ -0,0 +1,46 @@ +https://github.com/curl/curl/commit/db3e7a24b5339860fb91cf0d932e8ae13a01e472 +From: Daniel Stenberg <[email protected]> +Date: Fri, 4 Apr 2025 12:34:09 +0200 +Subject: [PATCH] hostip: show the correct name on proxy resolve error + +Regression, probably from 8ded8e5f3f4b6586399 (#16451) + +Fixes #16958 +Reported-by: Jean-Christophe Amiel +Closes #16961 +--- a/lib/hostip.c ++++ b/lib/hostip.c +@@ -1494,25 +1494,21 @@ CURLcode Curl_once_resolved(struct Curl_easy *data, bool *protocol_done) + #ifdef USE_CURL_ASYNC + CURLcode Curl_resolver_error(struct Curl_easy *data) + { +- const char *host_or_proxy; +- CURLcode result; ++ struct connectdata *conn = data->conn; ++ const char *host_or_proxy = "host"; ++ const char *name = conn->host.dispname; ++ CURLcode result = CURLE_COULDNT_RESOLVE_HOST; + + #ifndef CURL_DISABLE_PROXY +- struct connectdata *conn = data->conn; +- if(conn->bits.httpproxy) { ++ if(conn->bits.proxy) { + host_or_proxy = "proxy"; + result = CURLE_COULDNT_RESOLVE_PROXY; ++ name = conn->socks_proxy.host.name ? conn->socks_proxy.host.dispname : ++ conn->http_proxy.host.dispname; + } +- else + #endif +- { +- host_or_proxy = "host"; +- result = CURLE_COULDNT_RESOLVE_HOST; +- } +- +- failf(data, "Could not resolve %s: %s", host_or_proxy, +- data->conn->host.dispname); + ++ failf(data, "Could not resolve %s: %s", host_or_proxy, name); + return result; + } + #endif /* USE_CURL_ASYNC */ diff --git a/net-misc/curl/files/curl-8.13.0-http2-stream-window-size.patch b/net-misc/curl/files/curl-8.13.0-http2-stream-window-size.patch new file mode 100644 index 0000000..f16c137 --- /dev/null +++ b/net-misc/curl/files/curl-8.13.0-http2-stream-window-size.patch @@ -0,0 +1,143 @@ +https://github.com/curl/curl/commit/5fbd78eb2dc4afbd8884e8eed27147fc3d4318f6 +From: Stefan Eissing <[email protected]> +Date: Fri, 4 Apr 2025 10:43:13 +0200 +Subject: [PATCH] http2: fix stream window size after unpausing + +When pausing a HTTP/2 transfer, the stream's local window size +is reduced to 0 to prevent the server from sending further data +which curl cannot write out to the application. + +When unpausing again, the stream's window size was not correctly +increased again. The attempt to trigger a window update was +ignored by nghttp2, the server never received it and the transfer +stalled. + +Add a debug feature to allow use of small window sizes which +reproduces this bug in test_02_21. + +Fixes #16955 +Closes #16960 +--- a/docs/libcurl/libcurl-env-dbg.md ++++ b/docs/libcurl/libcurl-env-dbg.md +@@ -147,3 +147,8 @@ Make a blocking, graceful shutdown of all remaining connections when + a multi handle is destroyed. This implicitly triggers for easy handles + that are run via easy_perform. The value of the environment variable + gives the shutdown timeout in milliseconds. ++ ++## `CURL_H2_STREAM_WIN_MAX` ++ ++Set to a positive 32-bit number to override the HTTP/2 stream window's ++default of 10MB. Used in testing to verify correct window update handling. +--- a/lib/http2.c ++++ b/lib/http2.c +@@ -44,6 +44,7 @@ + #include "connect.h" + #include "rand.h" + #include "strdup.h" ++#include "strparse.h" + #include "transfer.h" + #include "dynbuf.h" + #include "headers.h" +@@ -141,6 +142,9 @@ struct cf_h2_ctx { + uint32_t goaway_error; /* goaway error code from server */ + int32_t remote_max_sid; /* max id processed by server */ + int32_t local_max_sid; /* max id processed by us */ ++#ifdef DEBUGBUILD ++ int32_t stream_win_max; /* max h2 stream window size */ ++#endif + BIT(initialized); + BIT(via_h1_upgrade); + BIT(conn_closed); +@@ -166,6 +170,18 @@ static void cf_h2_ctx_init(struct cf_h2_ctx *ctx, bool via_h1_upgrade) + Curl_hash_offt_init(&ctx->streams, 63, h2_stream_hash_free); + ctx->remote_max_sid = 2147483647; + ctx->via_h1_upgrade = via_h1_upgrade; ++#ifdef DEBUGBUILD ++ { ++ const char *p = getenv("CURL_H2_STREAM_WIN_MAX"); ++ ++ ctx->stream_win_max = H2_STREAM_WINDOW_SIZE_MAX; ++ if(p) { ++ curl_off_t l; ++ if(!Curl_str_number(&p, &l, INT_MAX)) ++ ctx->stream_win_max = (int32_t)l; ++ } ++ } ++#endif + ctx->initialized = TRUE; + } + +@@ -285,7 +301,15 @@ static int32_t cf_h2_get_desired_local_win(struct Curl_cfilter *cf, + * This gets less precise the higher the latency. */ + return (int32_t)data->set.max_recv_speed; + } ++#ifdef DEBUGBUILD ++ else { ++ struct cf_h2_ctx *ctx = cf->ctx; ++ CURL_TRC_CF(data, cf, "stream_win_max=%d", ctx->stream_win_max); ++ return ctx->stream_win_max; ++ } ++#else + return H2_STREAM_WINDOW_SIZE_MAX; ++#endif + } + + static CURLcode cf_h2_update_local_win(struct Curl_cfilter *cf, +@@ -302,6 +326,13 @@ static CURLcode cf_h2_update_local_win(struct Curl_cfilter *cf, + int32_t wsize = nghttp2_session_get_stream_effective_local_window_size( + ctx->h2, stream->id); + if(dwsize > wsize) { ++ rv = nghttp2_session_set_local_window_size(ctx->h2, NGHTTP2_FLAG_NONE, ++ stream->id, dwsize); ++ if(rv) { ++ failf(data, "[%d] nghttp2 set_local_window_size(%d) failed: " ++ "%s(%d)", stream->id, dwsize, nghttp2_strerror(rv), rv); ++ return CURLE_HTTP2; ++ } + rv = nghttp2_submit_window_update(ctx->h2, NGHTTP2_FLAG_NONE, + stream->id, dwsize - wsize); + if(rv) { +--- a/tests/http/test_02_download.py ++++ b/tests/http/test_02_download.py +@@ -313,9 +313,9 @@ def test_02_20_h2_small_frames(self, env: Env, httpd): + assert httpd.stop() + assert httpd.start() + +- # download via lib client, 1 at a time, pause/resume at different offsets ++ # download serial via lib client, pause/resume at different offsets + @pytest.mark.parametrize("pause_offset", [0, 10*1024, 100*1023, 640000]) +- @pytest.mark.parametrize("proto", ['http/1.1', 'h2', 'h3']) ++ @pytest.mark.parametrize("proto", ['http/1.1', 'h3']) + def test_02_21_lib_serial(self, env: Env, httpd, nghttpx, proto, pause_offset): + if proto == 'h3' and not env.have_h3(): + pytest.skip("h3 not supported") +@@ -332,6 +332,29 @@ def test_02_21_lib_serial(self, env: Env, httpd, nghttpx, proto, pause_offset): + srcfile = os.path.join(httpd.docs_dir, docname) + self.check_downloads(client, srcfile, count) + ++ # h2 download parallel via lib client, pause/resume at different offsets ++ # debug-override stream window size to reproduce #16955 ++ @pytest.mark.parametrize("pause_offset", [0, 10*1024, 100*1023, 640000]) ++ @pytest.mark.parametrize("swin_max", [0, 10*1024]) ++ def test_02_21_h2_lib_serial(self, env: Env, httpd, pause_offset, swin_max): ++ proto = 'h2' ++ count = 2 ++ docname = 'data-10m' ++ url = f'https://localhost:{env.https_port}/{docname}' ++ run_env = os.environ.copy() ++ run_env['CURL_DEBUG'] = 'multi,http/2' ++ if swin_max > 0: ++ run_env['CURL_H2_STREAM_WIN_MAX'] = f'{swin_max}' ++ client = LocalClient(name='hx-download', env=env, run_env=run_env) ++ if not client.exists(): ++ pytest.skip(f'example client not built: {client.name}') ++ r = client.run(args=[ ++ '-n', f'{count}', '-P', f'{pause_offset}', '-V', proto, url ++ ]) ++ r.check_exit_code(0) ++ srcfile = os.path.join(httpd.docs_dir, docname) ++ self.check_downloads(client, srcfile, count) ++ + # download via lib client, several at a time, pause/resume + @pytest.mark.parametrize("pause_offset", [100*1023]) + @pytest.mark.parametrize("proto", ['http/1.1', 'h2', 'h3']) diff --git a/net-misc/curl/files/curl-8.13.0-httpsrr-target-check.patch b/net-misc/curl/files/curl-8.13.0-httpsrr-target-check.patch new file mode 100644 index 0000000..880a676 --- /dev/null +++ b/net-misc/curl/files/curl-8.13.0-httpsrr-target-check.patch @@ -0,0 +1,22 @@ +https://github.com/curl/curl/commit/4f3c22d77d752fea6ff9ab2706f70d58882ea466 +From: Stefan Eissing <[email protected]> +Date: Fri, 4 Apr 2025 18:10:28 +0200 +Subject: [PATCH] https-connect, fix httpsrr target check + +The HTTPSRR check on the record's target was not working as it used the +wrong index on the NUL byte if the target was not NULL. + +Fixes #16966 +Reported-by: Pavel Kropachev +Closes #16968 +--- a/lib/cf-https-connect.c ++++ b/lib/cf-https-connect.c +@@ -673,7 +673,7 @@ CURLcode Curl_cf_https_setup(struct Curl_easy *data, + (!conn->dns_entry->hinfo->target || /* for same host */ + !conn->dns_entry->hinfo->target[0] || + (conn->dns_entry->hinfo->target[0] == '.' && +- !conn->dns_entry->hinfo->target[0])) && ++ !conn->dns_entry->hinfo->target[1])) && + (conn->dns_entry->hinfo->port < 0 || /* for same port */ + conn->dns_entry->hinfo->port == conn->remote_port)) { + size_t i; diff --git a/net-misc/curl/files/curl-8.13.0-krb5-ftp.patch b/net-misc/curl/files/curl-8.13.0-krb5-ftp.patch new file mode 100644 index 0000000..5d59ed9 --- /dev/null +++ b/net-misc/curl/files/curl-8.13.0-krb5-ftp.patch @@ -0,0 +1,19 @@ +https://github.com/curl/curl/commit/5caba3bd97a14b64d906ece77bc0e2b339161a1f +From: Daniel Stenberg <[email protected]> +Date: Thu, 3 Apr 2025 08:49:20 +0200 +Subject: [PATCH] curl_krb5: only use functions if FTP is still enabled + +Reported-by: x1sc0 on github +Fixes #16925 +Closes #16931 +--- a/lib/curl_krb5.h ++++ b/lib/curl_krb5.h +@@ -39,7 +39,7 @@ struct Curl_sec_client_mech { + #define AUTH_CONTINUE 1 + #define AUTH_ERROR 2 + +-#ifdef HAVE_GSSAPI ++#if defined(HAVE_GSSAPI) && !defined(CURL_DISABLE_FTP) + void Curl_sec_conn_init(struct connectdata *); + void Curl_sec_conn_destroy(struct connectdata *); + int Curl_sec_read_msg(struct Curl_easy *data, struct connectdata *conn, char *, diff --git a/net-misc/curl/files/curl-8.13.0-openssl-quic-stream-shutdown.patch b/net-misc/curl/files/curl-8.13.0-openssl-quic-stream-shutdown.patch new file mode 100644 index 0000000..acb8fa9 --- /dev/null +++ b/net-misc/curl/files/curl-8.13.0-openssl-quic-stream-shutdown.patch @@ -0,0 +1,44 @@ +https://github.com/curl/curl/commit/219302b4e64e2337c50d86056e9af2103b281e7e +From: Stefan Eissing <[email protected]> +Date: Wed, 9 Apr 2025 11:01:54 +0200 +Subject: [PATCH] openssl-quic: fix shutdown when stream not open + +Check that h3 stream had been opened before telling nghttp3 to +shut it down. + +Fixes #16998 +Reported-by: Demi Marie Obenour +Closes #17003 +--- a/lib/vquic/curl_osslq.c ++++ b/lib/vquic/curl_osslq.c +@@ -654,7 +654,7 @@ static void h3_data_done(struct Curl_cfilter *cf, struct Curl_easy *data) + if(stream) { + CURL_TRC_CF(data, cf, "[%"FMT_PRId64"] easy handle is done", + stream->s.id); +- if(ctx->h3.conn && !stream->closed) { ++ if(ctx->h3.conn && (stream->s.id >= 0) && !stream->closed) { + nghttp3_conn_shutdown_stream_read(ctx->h3.conn, stream->s.id); + nghttp3_conn_close_stream(ctx->h3.conn, stream->s.id, + NGHTTP3_H3_REQUEST_CANCELLED); +--- a/tests/http/test_01_basic.py ++++ b/tests/http/test_01_basic.py +@@ -242,3 +242,19 @@ def test_01_15_gigalarge_resp_headers(self, env: Env, httpd, proto): + r.check_exit_code(16) # CURLE_HTTP2 + else: + r.check_exit_code(100) # CURLE_TOO_LARGE ++ ++ # http: invalid request headers, GET, issue #16998 ++ @pytest.mark.parametrize("proto", ['http/1.1', 'h2', 'h3']) ++ def test_01_16_inv_req_get(self, env: Env, httpd, proto): ++ if proto == 'h3' and not env.have_h3(): ++ pytest.skip("h3 not supported") ++ curl = CurlClient(env=env) ++ url = f'https://{env.authority_for(env.domain1, proto)}/curltest/echo' ++ r = curl.http_get(url=url, alpn_proto=proto, extra_args=[ ++ '-H', "a: a\x0ab" ++ ]) ++ # on h1, request is sent, h2/h3 reject ++ if proto == 'http/1.1': ++ r.check_exit_code(0) ++ else: ++ r.check_exit_code(43) diff --git a/net-misc/curl/files/curl-prefix-3.patch b/net-misc/curl/files/curl-prefix-3.patch deleted file mode 100644 index cebca0b..0000000 --- a/net-misc/curl/files/curl-prefix-3.patch +++ /dev/null @@ -1,34 +0,0 @@ -From 6927ecf38cf3372d539c88479e97707d855de07e Mon Sep 17 00:00:00 2001 -From: Matt Jolly <[email protected]> -Date: Sun, 10 Nov 2024 08:51:02 +1000 -Subject: [PATCH] Update prefix patch for 8.11.0 - ---- - curl-config.in | 4 ++-- - 1 file changed, 2 insertions(+), 2 deletions(-) - -diff --git a/curl-config.in b/curl-config.in -index 2dc40ed..1876d6c 100644 ---- a/curl-config.in -+++ b/curl-config.in -@@ -147,7 +147,7 @@ while test "$#" -gt 0; do - else - CPPFLAG_CURL_STATICLIB='' - fi -- if test "X@includedir@" = 'X/usr/include'; then -+ if test "X@includedir@" = "X@GENTOO_PORTAGE_EPREFIX@/usr/include"; then - echo "${CPPFLAG_CURL_STATICLIB}" - else - echo "${CPPFLAG_CURL_STATICLIB}-I@includedir@" -@@ -155,7 +155,7 @@ while test "$#" -gt 0; do - ;; - - --libs) -- if test "X@libdir@" != 'X/usr/lib' -a "X@libdir@" != 'X/usr/lib64'; then -+ if test "X@libdir@" != "X@GENTOO_PORTAGE_EPREFIX@/usr/lib" -a "X@libdir@" != "X@GENTOO_PORTAGE_EPREFIX@/usr/lib64"; then - CURLLIBDIR="-L@libdir@ " - else - CURLLIBDIR='' --- -2.47.0 -
