commit: 8ae84d93c58bd34634e7b674278452f141a38065 Author: orbea <orbea <AT> riseup <DOT> net> AuthorDate: Mon Nov 17 13:39:22 2025 +0000 Commit: orbea <orbea <AT> riseup <DOT> net> CommitDate: Mon Nov 17 13:39:22 2025 +0000 URL: https://gitweb.gentoo.org/repo/proj/libressl.git/commit/?id=8ae84d93
net-misc/curl: add 0.17.0-r1 Signed-off-by: orbea <orbea <AT> riseup.net> net-misc/curl/curl-8.17.0-r1.ebuild | 441 +++++++++++++++++++++ .../curl/files/curl-8.17.0-curlopt-capath.patch | 289 ++++++++++++++ .../curl/files/curl-8.17.0-progress-parallel.patch | 54 +++ .../files/curl-8.17.0-wcurl-CVE-2025-11563.patch | 27 ++ 4 files changed, 811 insertions(+) diff --git a/net-misc/curl/curl-8.17.0-r1.ebuild b/net-misc/curl/curl-8.17.0-r1.ebuild new file mode 100644 index 0000000..b8cc634 --- /dev/null +++ b/net-misc/curl/curl-8.17.0-r1.ebuild @@ -0,0 +1,441 @@ +# Copyright 1999-2025 Gentoo Authors +# Distributed under the terms of the GNU General Public License v2 + +EAPI=8 + +# Maintainers should subscribe to the 'curl-distros' ML for backports etc +# https://daniel.haxx.se/blog/2024/03/25/curl-distro-report/ +# https://lists.haxx.se/listinfo/curl-distros + +VERIFY_SIG_OPENPGP_KEY_PATH=/usr/share/openpgp-keys/danielstenberg.asc +inherit autotools multilib-minimal multiprocessing prefix toolchain-funcs verify-sig + +DESCRIPTION="A Client that groks URLs" +HOMEPAGE="https://curl.se/"; + +if [[ ${PV} == 9999 ]]; then + inherit git-r3 + EGIT_REPO_URI="https://github.com/curl/curl.git"; +else + if [[ ${P} == *rc* ]]; then + CURL_URI="https://curl.se/rc/"; + S="${WORKDIR}/${P//_/-}" + else + CURL_URI="https://curl.se/download/"; + KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~loong ~m68k ~mips ~ppc ~ppc64 ~riscv ~s390 ~sparc ~x86 ~amd64-linux ~x86-linux ~arm64-macos ~ppc-macos ~x64-macos ~x64-solaris" + fi + SRC_URI=" + ${CURL_URI}${P//_/-}.tar.xz + verify-sig? ( ${CURL_URI}${P//_/-}.tar.xz.asc ) + " +fi + +LICENSE="BSD curl ISC test? ( BSD-4 )" +SLOT="0" +IUSE="+adns +alt-svc brotli debug ech +ftp gnutls gopher +hsts +http2 +http3 +httpsrr idn +imap kerberos ldap" +IUSE+=" mbedtls +openssl +pop3 +psl +quic rtmp rustls samba sasl-scram +smtp ssh ssl static-libs test" +IUSE+=" telnet +tftp +websockets zstd" +# These select the default tls implementation / which quic impl to use +IUSE+=" curl_quic_openssl +curl_quic_ngtcp2 curl_ssl_gnutls curl_ssl_mbedtls +curl_ssl_openssl curl_ssl_rustls" +RESTRICT="!test? ( test )" + +# HTTPS RR is technically usable with the threaded resolver, but it still uses c-ares to +# ask for the HTTPS RR record type; if DoH is in use the HTTPS record will be requested +# in addition to A and AAAA records. + +# To simplify dependency management in the ebuild we'll require c-ares for HTTPS RR (for now?). +# HTTPS RR in cURL is a dependency for: +# - ECH (requires patched openssl or gnutls currently, enabled with rustls) +# - Fetching the ALPN list which should provide a better HTTP/3 experience. + +# Only one default ssl / quic provider can be enabled +# The default provider needs its USE satisfied +# HTTP/3 and MultiSSL are mutually exclusive; it's not clear if MultiSSL offers any benefit at all in the modern day. +# https://github.com/curl/curl/commit/65ece771f4602107d9cdd339dff4b420280a2c2e +REQUIRED_USE=" + ech? ( rustls ) + httpsrr? ( adns ) + quic? ( + !curl_quic_openssl + curl_quic_ngtcp2 + http3 + ssl + ) + ssl? ( + ^^ ( + curl_ssl_gnutls + curl_ssl_mbedtls + curl_ssl_openssl + curl_ssl_rustls + ) + ) + curl_quic_openssl? ( + curl_ssl_openssl + !gnutls + !mbedtls + !rustls + ) + curl_quic_ngtcp2? ( + !mbedtls + !rustls + ) + curl_ssl_gnutls? ( gnutls ) + curl_ssl_mbedtls? ( mbedtls ) + curl_ssl_openssl? ( openssl ) + curl_ssl_rustls? ( rustls ) + http3? ( alt-svc httpsrr quic ) +" + +# cURL's docs and CI/CD are great resources for confirming supported versions +# particulary for fast-moving targets like HTTP/2 and TCP/2 e.g.: +# - https://github.com/curl/curl/blob/master/docs/INTERNALS.md (core dependencies + minimum versions) +# - https://github.com/curl/curl/blob/master/docs/HTTP3.md (example of a feature that moves quickly) +# - https://github.com/curl/curl/blob/master/.github/workflows/http3-linux.yml (CI/CD for TCP/2) +# However 'supported' vs 'works' are two entirely different things; be sane but +# don't be afraid to require a later version. +# ngtcp2 = https://bugs.gentoo.org/912029 - can only build with one tls backend at a time. +# TODO: OpenSSL-QUIC support is going to be removed in 2026; depend on ngtcp2[{gnutls,openssl}] before that point. +# - https://github.com/curl/curl/pull/18820 (Deprecate OpenSSL QUIC support) +# - https://github.com/curl/curl/issues/18336 (curl w/ OpenSSL QUIC fails to fetch Google.com) +RDEPEND=" + >=virtual/zlib-1.2.5:=[${MULTILIB_USEDEP}] + adns? ( >=net-dns/c-ares-1.16.0:=[${MULTILIB_USEDEP}] ) + brotli? ( app-arch/brotli:=[${MULTILIB_USEDEP}] ) + http2? ( >=net-libs/nghttp2-1.15.0:=[${MULTILIB_USEDEP}] ) + http3? ( >=net-libs/nghttp3-1.1.0[${MULTILIB_USEDEP}] ) + idn? ( >=net-dns/libidn2-2.0.0:=[static-libs?,${MULTILIB_USEDEP}] ) + kerberos? ( >=virtual/krb5-0-r1[${MULTILIB_USEDEP}] ) + ldap? ( >=net-nds/openldap-2.0.0:=[static-libs?,${MULTILIB_USEDEP}] ) + psl? ( net-libs/libpsl[${MULTILIB_USEDEP}] ) + quic? ( + curl_quic_openssl? ( >=dev-libs/openssl-3.3.0:=[quic,${MULTILIB_USEDEP}] ) + curl_quic_ngtcp2? ( >=net-libs/ngtcp2-1.2.0[ssl,openssl,${MULTILIB_USEDEP}] ) + ) + rtmp? ( media-video/rtmpdump[${MULTILIB_USEDEP}] ) + ssh? ( >=net-libs/libssh2-1.2.8[${MULTILIB_USEDEP}] ) + sasl-scram? ( >=net-misc/gsasl-2.2.0[static-libs?,${MULTILIB_USEDEP}] ) + ssl? ( + gnutls? ( + app-misc/ca-certificates + >=net-libs/gnutls-3.1.10:=[static-libs?,${MULTILIB_USEDEP}] + dev-libs/nettle:=[${MULTILIB_USEDEP}] + ) + mbedtls? ( + app-misc/ca-certificates + net-libs/mbedtls:3=[${MULTILIB_USEDEP}] + ) + openssl? ( + >=dev-libs/openssl-1.0.2:=[static-libs?,${MULTILIB_USEDEP}] + ) + rustls? ( + >=net-libs/rustls-ffi-0.15.0:=[${MULTILIB_USEDEP}] + ) + ) + zstd? ( app-arch/zstd:=[${MULTILIB_USEDEP}] ) +" + +DEPEND="${RDEPEND}" + +BDEPEND=" + dev-lang/perl + virtual/pkgconfig + test? ( + sys-apps/diffutils + http2? ( >=net-libs/nghttp2-1.15.0:=[utils,${MULTILIB_USEDEP}] ) + http3? ( net-libs/nghttp2:=[utils,${MULTILIB_USEDEP}] ) + ) + verify-sig? ( sec-keys/openpgp-keys-danielstenberg ) +" + +DOCS=( README docs/{FEATURES.md,INTERNALS.md,FAQ,BUGS.md,CONTRIBUTE.md} ) + +MULTILIB_WRAPPED_HEADERS=( + /usr/include/curl/curlbuild.h +) + +MULTILIB_CHOST_TOOLS=( + /usr/bin/curl-config +) + +QA_CONFIG_IMPL_DECL_SKIP=( + __builtin_available + closesocket + CloseSocket + getpass_r + ioctlsocket + IoctlSocket + mach_absolute_time + setmode + _fseeki64 + # custom AC_LINK_IFELSE code fails to link even without -Werror + OSSL_QUIC_client_method +) + +PATCHES=( + "${FILESDIR}/${PN}-prefix-5.patch" + "${FILESDIR}/${PN}-respect-cflags-3.patch" + "${FILESDIR}/${P}-progress-parallel.patch" + "${FILESDIR}/${P}-curlopt-capath.patch" + "${FILESDIR}/${P}-wcurl-CVE-2025-11563.patch" +) + +src_prepare() { + default + + eprefixify curl-config.in + eautoreconf +} + +# Generates TLS-related configure options based on USE flags. +# Outputs options suitable for appending to a configure options array. +_get_curl_tls_configure_opts() { + local tls_opts=() + + local backend flag_name + for backend in gnutls mbedtls openssl rustls; do + if [[ "$backend" == "openssl" ]]; then + flag_name="ssl" + tls_opts+=( "--with-ca-path=${EPREFIX}/etc/ssl/certs") + else + flag_name="$backend" + fi + + if use "$backend"; then + tls_opts+=( "--with-${flag_name}" ) + else + # If a single backend is enabled, 'ssl' is required, openssl is the default / fallback + if ! [[ "$backend" == "openssl" ]]; then + tls_opts+=( "--without-${flag_name}" ) + fi + fi + done + + if use curl_ssl_gnutls; then + multilib_is_native_abi && einfo "Default TLS backend: gnutls" + tls_opts+=( "--with-default-ssl-backend=gnutls" ) + elif use curl_ssl_mbedtls; then + multilib_is_native_abi && einfo "Default TLS backend: mbedtls" + tls_opts+=( "--with-default-ssl-backend=mbedtls" ) + elif use curl_ssl_openssl; then + multilib_is_native_abi && einfo "Default TLS backend: openssl" + tls_opts+=( "--with-default-ssl-backend=openssl" ) + elif use curl_ssl_rustls; then + multilib_is_native_abi && einfo "Default TLS backend: rustls" + tls_opts+=( "--with-default-ssl-backend=rustls" ) + else + eerror "We can't be here because of REQUIRED_USE." + die "Please file a bug, hit impossible condition w/ USE=ssl handling." + fi + + # Explicitly Disable unimplemented backends + tls_opts+=( + --without-amissl + --without-wolfssl + ) + + printf "%s\n" "${tls_opts[@]}" +} + +multilib_src_configure() { + # We make use of the fact that later flags override earlier ones + # So start with all ssl providers off until proven otherwise + # TODO: in the future, we may want to add wolfssl (https://www.wolfssl.com/) + local myconf=() + + myconf+=( --without-ca-fallback --with-ca-bundle="${EPREFIX}"/etc/ssl/certs/ca-certificates.crt ) + if use ssl; then + local -a tls_backend_opts + readarray -t tls_backend_opts < <(_get_curl_tls_configure_opts) + myconf+=("${tls_backend_opts[@]}") + if use quic; then + myconf+=( + $(use_with curl_quic_ngtcp2 ngtcp2) + $(use_with curl_quic_openssl openssl-quic) + ) + else + # Without a REQUIRED_USE to ensure that QUIC was requested when at least one default backend is + # enabled we need ensure that we don't try to build QUIC support + myconf+=( --without-ngtcp2 --without-openssl-quic ) + fi + else + myconf+=( --without-ssl ) + einfo "SSL disabled" + fi + + # These configuration options are organised alphabetically by category/type + + # Protocols + # `grep SUPPORT_PROTOCOLS=\" configure.ac | awk '{ print substr($2, 1, length($2)-1)}' | sort` + # Assume that anything omitted (that is not new!) is enabled by default with no deps + myconf+=( + --enable-file + $(use_enable ftp) + $(use_enable gopher) + --enable-http + $(use_enable imap) # Automatic IMAPS if TLS is enabled + $(use_enable ldap ldaps) + $(use_enable ldap) + $(use_enable pop3) + $(use_enable samba smb) + $(use_with ssh libssh2) # enables scp/sftp + $(use_with rtmp librtmp) + --enable-rtsp + $(use_enable smtp) + $(use_enable telnet) + $(use_enable tftp) + $(use_enable websockets) + ) + + # Keep various 'HTTP-flavoured' options together + myconf+=( + $(use_enable alt-svc) + $(use_enable hsts) + $(use_enable httpsrr) + $(use_with http2 nghttp2) + $(use_with http3 nghttp3) + ) + + # --enable/disable options + # `grep -- --enable configure | grep Check | awk '{ print $4 }' | sort` + myconf+=( + $(use_enable adns ares) + --enable-aws + --enable-basic-auth + --enable-bearer-auth + --enable-cookies + --enable-dateparse + --enable-dict + --enable-digest-auth + --enable-dnsshuffle + --enable-doh + $(use_enable ech) + --enable-http-auth + --enable-ipv6 + --enable-kerberos-auth + --enable-largefile + --enable-manual + --enable-mime + --enable-negotiate-auth + --enable-netrc + --enable-ntlm + --enable-progress-meter + --enable-proxy + --enable-rt + --enable-socketpair + --disable-sspi + $(use_enable static-libs static) + --enable-symbol-hiding + --enable-tls-srp + --disable-versioned-symbols + ) + + # --with/without options + # `grep -- --with configure | grep Check | awk '{ print $4 }' | sort` + myconf+=( + $(use_with brotli) + --with-fish-functions-dir="${EPREFIX}"/usr/share/fish/vendor_completions.d + $(use_with idn libidn2) + $(use_with kerberos gssapi "${EPREFIX}"/usr) + $(use_with sasl-scram libgsasl) + $(use_with psl libpsl) + --without-quiche + --without-schannel + --without-winidn + --with-zlib + --with-zsh-functions-dir="${EPREFIX}"/usr/share/zsh/site-functions + $(use_with zstd) + ) + + # Test deps (disabled) + myconf+=( + --without-test-caddy + --without-test-httpd + --without-test-nghttpx + ) + + if use debug; then + myconf+=( + --enable-debug + ) + fi + + if use test && multilib_is_native_abi && ( use http2 || use http3 ); then + myconf+=( + --with-test-nghttpx="${BROOT}/usr/bin/nghttpx" + ) + fi + + # Since 8.12.0 adns/c-ares and the threaded resolver are mutually exclusive + # This is in support of some work to enable `httpsrr` to use adns and the rest + # of curl to use the threaded resolver; for us `httpsrr` is conditional on adns. + if use adns; then + myconf+=( + --disable-threaded-resolver + ) + else + myconf+=( + --enable-threaded-resolver + ) + fi + + ECONF_SOURCE="${S}" econf "${myconf[@]}" + + if ! multilib_is_native_abi; then + # Avoid building the client (we just want libcurl for multilib) + sed -i -e '/SUBDIRS/s:src::' Makefile || die + sed -i -e '/SUBDIRS/s:scripts::' Makefile || die + fi + +} + +multilib_src_compile() { + default + + if multilib_is_native_abi; then + # Shell completions + ! tc-is-cross-compiler && emake -C scripts + fi +} + +# There is also a pytest harness that tests for bugs in some very specific +# situations; we can rely on upstream for this rather than adding additional test deps. +multilib_src_test() { + # See https://github.com/curl/curl/blob/master/tests/runtests.pl#L5721 + # -n: no valgrind (unreliable in sandbox and doesn't work correctly on all arches) + # -v: verbose + # -a: keep going on failure (so we see everything that breaks, not just 1st test) + # -k: keep test files after completion + # -am: automake style TAP output + # -p: print logs if test fails + # Note: if needed, we can skip specific tests. See e.g. Fedora's packaging + # or just read https://github.com/curl/curl/tree/master/tests#run. + # Note: we don't run the testsuite for cross-compilation. + # Upstream recommend 7*nproc as a starting point for parallel tests, but + # this ends up breaking when nproc is huge (like -j80). + # The network sandbox causes tests 241 and 1083 to fail; these are typically skipped + # as most gentoo users don't have an 'ip6-localhost' + multilib_is_native_abi && emake test TFLAGS="-n -v -a -k -am -p -j$((2*$(makeopts_jobs))) !241 !1083" +} + +multilib_src_install() { + emake DESTDIR="${D}" install + + if multilib_is_native_abi; then + # Shell completions + ! tc-is-cross-compiler && emake -C scripts DESTDIR="${D}" install + fi +} + +multilib_src_install_all() { + einstalldocs + find "${ED}" -type f -name '*.la' -delete || die + rm -rf "${ED}"/etc/ || die +} + +pkg_postinst() { + if use debug; then + ewarn "USE=debug has been selected, enabling debug codepaths and making cURL extra verbose." + ewarn "Use this _only_ for testing. Debug builds should _not_ be used in anger." + ewarn "hic sunt dracones; you have been warned." + fi +} diff --git a/net-misc/curl/files/curl-8.17.0-curlopt-capath.patch b/net-misc/curl/files/curl-8.17.0-curlopt-capath.patch new file mode 100644 index 0000000..32e96f3 --- /dev/null +++ b/net-misc/curl/files/curl-8.17.0-curlopt-capath.patch @@ -0,0 +1,289 @@ +https://github.com/curl/curl/pull/19408 + +From f36ab2dd6f33b9a9c069a034cf4f1451006d0f21 Mon Sep 17 00:00:00 2001 +From: Stefan Eissing <[email protected]> +Date: Sat, 8 Nov 2025 14:28:38 +0100 +Subject: [PATCH 1/4] fix --capath use + +A regression in curl 8.17.0 led to a customer CAPATH set by the application +(or the curl command) to be ignored unless licurl was built with a default +CAPATH. + +Add test cases using `--capath` on the custom pytest CA, generated with +the help of the openssl command when available. + +refs #19401 +--- + lib/vtls/vtls.c | 4 ++-- + tests/http/test_17_ssl_use.py | 23 +++++++++++++++++++++++ + tests/http/testenv/certs.py | 16 ++++++++++++++++ + tests/http/testenv/curl.py | 3 ++- + tests/http/testenv/env.py | 20 ++++++++++++++++++++ + 5 files changed, 63 insertions(+), 3 deletions(-) + +diff --git a/lib/vtls/vtls.c b/lib/vtls/vtls.c +index 3b7a095c8b75..3858cad98312 100644 +--- a/lib/vtls/vtls.c ++++ b/lib/vtls/vtls.c +@@ -310,7 +310,6 @@ CURLcode Curl_ssl_easy_config_complete(struct Curl_easy *data) + if(result) + return result; + } +- sslc->primary.CApath = data->set.str[STRING_SSL_CAPATH]; + #endif + #ifdef CURL_CA_BUNDLE + if(!sslc->custom_cafile && !set->str[STRING_SSL_CAFILE]) { +@@ -322,6 +321,7 @@ CURLcode Curl_ssl_easy_config_complete(struct Curl_easy *data) + } + sslc->primary.CAfile = data->set.str[STRING_SSL_CAFILE]; + sslc->primary.CRLfile = data->set.str[STRING_SSL_CRLFILE]; ++ sslc->primary.CApath = data->set.str[STRING_SSL_CAPATH]; + sslc->primary.issuercert = data->set.str[STRING_SSL_ISSUERCERT]; + sslc->primary.issuercert_blob = data->set.blobs[BLOB_SSL_ISSUERCERT]; + sslc->primary.cipher_list = data->set.str[STRING_SSL_CIPHER_LIST]; +@@ -358,7 +358,6 @@ CURLcode Curl_ssl_easy_config_complete(struct Curl_easy *data) + if(result) + return result; + } +- sslc->primary.CApath = data->set.str[STRING_SSL_CAPATH_PROXY]; + #endif + #ifdef CURL_CA_BUNDLE + if(!sslc->custom_cafile && !set->str[STRING_SSL_CAFILE_PROXY]) { +@@ -370,6 +369,7 @@ CURLcode Curl_ssl_easy_config_complete(struct Curl_easy *data) + #endif + } + sslc->primary.CAfile = data->set.str[STRING_SSL_CAFILE_PROXY]; ++ sslc->primary.CApath = data->set.str[STRING_SSL_CAPATH_PROXY]; + sslc->primary.cipher_list = data->set.str[STRING_SSL_CIPHER_LIST_PROXY]; + sslc->primary.cipher_list13 = data->set.str[STRING_SSL_CIPHER13_LIST_PROXY]; + sslc->primary.pinned_key = data->set.str[STRING_SSL_PINNEDPUBLICKEY_PROXY]; +diff --git a/tests/http/test_17_ssl_use.py b/tests/http/test_17_ssl_use.py +index 57e1c014042b..20b6fdaef18b 100644 +--- a/tests/http/test_17_ssl_use.py ++++ b/tests/http/test_17_ssl_use.py +@@ -597,3 +597,26 @@ def test_17_20_correct_pin(self, env: Env, proto, httpd): + ]) + # expect NOT_IMPLEMENTED or OK + assert r.exit_code in [0, 2], f'{r.dump_logs()}' ++ ++ @pytest.mark.skipif(condition=not Env.have_openssl(), reason="needs openssl command") ++ def test_17_21_capath_valid(self, env: Env, httpd): ++ proto = 'http/1.1' ++ curl = CurlClient(env=env) ++ url = f'https://{env.authority_for(env.domain1, proto)}/curltest/sslinfo' ++ r = curl.http_get(url=url, alpn_proto=proto, extra_args=[ ++ '--capath', os.path.join(env.gen_dir, 'ca/hashdir') ++ ]) ++ assert r.exit_code == 0, f'{r.dump_logs()}' ++ assert r.json['HTTPS'] == 'on', f'{r.json}' ++ ++ @pytest.mark.skipif(condition=not Env.have_openssl(), reason="needs openssl command") ++ def test_17_22_capath_invalid(self, env: Env, httpd): ++ proto = 'http/1.1' ++ curl = CurlClient(env=env) ++ url = f'https://{env.authority_for(env.domain1, proto)}/curltest/sslinfo' ++ r = curl.http_get(url=url, alpn_proto=proto, extra_args=[ ++ '--capath', os.path.join(env.gen_dir, 'ca/invalid') ++ ]) ++ # CURLE_PEER_FAILED_VERIFICATION ++ assert r.exit_code == 60, f'{r.dump_logs()}' ++ +diff --git a/tests/http/testenv/certs.py b/tests/http/testenv/certs.py +index e59b1ea147e1..c9a30aaac065 100644 +--- a/tests/http/testenv/certs.py ++++ b/tests/http/testenv/certs.py +@@ -28,6 +28,8 @@ + import ipaddress + import os + import re ++import shutil ++import subprocess + from datetime import timedelta, datetime, timezone + from typing import List, Any, Optional + +@@ -200,6 +202,10 @@ def pkey_file(self) -> Optional[str]: + def combined_file(self) -> Optional[str]: + return self._combined_file + ++ @property ++ def hashdir(self) -> Optional[str]: ++ return os.path.join(self._store.path, 'hashdir') ++ + def get_first(self, name) -> Optional['Credentials']: + creds = self._store.get_credentials_for_name(name) if self._store else [] + return creds[0] if len(creds) else None +@@ -236,6 +242,16 @@ def issue_cert(self, spec: CertificateSpec, + creds.issue_certs(spec.sub_specs, chain=subchain) + return creds + ++ def create_hashdir(self, openssl): ++ os.makedirs(self.hashdir, exist_ok=True) ++ p = subprocess.run(args=[ ++ openssl, 'x509', '-hash', '-noout', '-in', self.cert_file ++ ], capture_output=True, text=True) ++ if p.returncode != 0: ++ raise Exception(f'openssl failed to compute cert hash: {p}') ++ cert_hname = f'{p.stdout.strip()}.0' ++ shutil.copy(self.cert_file, os.path.join(self.hashdir, cert_hname)) ++ + + class CertStore: + +diff --git a/tests/http/testenv/curl.py b/tests/http/testenv/curl.py +index dc885ab8cba9..a92e4f681f34 100644 +--- a/tests/http/testenv/curl.py ++++ b/tests/http/testenv/curl.py +@@ -987,7 +987,8 @@ def _complete_args(self, urls, timeout=None, options=None, + pass + elif insecure: + args.append('--insecure') +- elif active_options and "--cacert" in active_options: ++ elif active_options and ("--cacert" in active_options or \ ++ "--capath" in active_options): + pass + elif u.hostname: + args.extend(["--cacert", self.env.ca.cert_file]) +diff --git a/tests/http/testenv/env.py b/tests/http/testenv/env.py +index ff8741530b70..859b704a35a3 100644 +--- a/tests/http/testenv/env.py ++++ b/tests/http/testenv/env.py +@@ -199,6 +199,16 @@ def __init__(self, pytestconfig: Optional[pytest.Config] = None, + ]), + ] + ++ self.openssl = 'openssl' ++ p = subprocess.run(args=[self.openssl, 'version'], ++ capture_output=True, text=True) ++ if p.returncode != 0: ++ # no openssl in path ++ self.openssl = None ++ self.openssl_version = None ++ else: ++ self.openssl_version = p.stdout.strip() ++ + self.nghttpx = self.config['nghttpx']['nghttpx'] + if len(self.nghttpx.strip()) == 0: + self.nghttpx = None +@@ -372,6 +382,10 @@ def setup_incomplete() -> bool: + def incomplete_reason() -> Optional[str]: + return Env.CONFIG.get_incomplete_reason() + ++ @staticmethod ++ def have_openssl() -> bool: ++ return Env.CONFIG.openssl is not None ++ + @staticmethod + def have_nghttpx() -> bool: + return Env.CONFIG.nghttpx is not None +@@ -548,6 +562,8 @@ def issue_certs(self): + store_dir=ca_dir, + key_type="rsa2048") + self._ca.issue_certs(self.CONFIG.cert_specs) ++ if self.have_openssl(): ++ self._ca.create_hashdir(self.openssl) + + def setup(self): + os.makedirs(self.gen_dir, exist_ok=True) +@@ -703,6 +719,10 @@ def ws_port(self) -> int: + def curl(self) -> str: + return self.CONFIG.curl + ++ @property ++ def openssl(self) -> Optional[str]: ++ return self.CONFIG.openssl ++ + @property + def httpd(self) -> str: + return self.CONFIG.httpd + +From 02a595146a0bd3036f653ec48d5bfc9a0187ab75 Mon Sep 17 00:00:00 2001 +From: Stefan Eissing <[email protected]> +Date: Sat, 8 Nov 2025 14:37:22 +0100 +Subject: [PATCH 2/4] use correct hashdir + +--- + tests/http/test_17_ssl_use.py | 3 +-- + 1 file changed, 1 insertion(+), 2 deletions(-) + +diff --git a/tests/http/test_17_ssl_use.py b/tests/http/test_17_ssl_use.py +index 20b6fdaef18b..0019bb1239d2 100644 +--- a/tests/http/test_17_ssl_use.py ++++ b/tests/http/test_17_ssl_use.py +@@ -604,7 +604,7 @@ def test_17_21_capath_valid(self, env: Env, httpd): + curl = CurlClient(env=env) + url = f'https://{env.authority_for(env.domain1, proto)}/curltest/sslinfo' + r = curl.http_get(url=url, alpn_proto=proto, extra_args=[ +- '--capath', os.path.join(env.gen_dir, 'ca/hashdir') ++ '--capath', env.ca.hashdir + ]) + assert r.exit_code == 0, f'{r.dump_logs()}' + assert r.json['HTTPS'] == 'on', f'{r.json}' +@@ -619,4 +619,3 @@ def test_17_22_capath_invalid(self, env: Env, httpd): + ]) + # CURLE_PEER_FAILED_VERIFICATION + assert r.exit_code == 60, f'{r.dump_logs()}' +- + +From 5a952c670b0cf6e5735c2178014600af062390c4 Mon Sep 17 00:00:00 2001 +From: Stefan Eissing <[email protected]> +Date: Sat, 8 Nov 2025 14:50:23 +0100 +Subject: [PATCH 3/4] test_17_21 skip for rustls test_17_22 accept error 77 as + well + +--- + tests/http/test_17_ssl_use.py | 8 ++++++-- + 1 file changed, 6 insertions(+), 2 deletions(-) + +diff --git a/tests/http/test_17_ssl_use.py b/tests/http/test_17_ssl_use.py +index 0019bb1239d2..76f20080b3d6 100644 +--- a/tests/http/test_17_ssl_use.py ++++ b/tests/http/test_17_ssl_use.py +@@ -600,6 +600,8 @@ def test_17_20_correct_pin(self, env: Env, proto, httpd): + + @pytest.mark.skipif(condition=not Env.have_openssl(), reason="needs openssl command") + def test_17_21_capath_valid(self, env: Env, httpd): ++ if env.curl_uses_lib('rustls'): ++ pytest.skip('rustls does not support CURLOPT_CAPATH') + proto = 'http/1.1' + curl = CurlClient(env=env) + url = f'https://{env.authority_for(env.domain1, proto)}/curltest/sslinfo' +@@ -611,11 +613,13 @@ def test_17_21_capath_valid(self, env: Env, httpd): + + @pytest.mark.skipif(condition=not Env.have_openssl(), reason="needs openssl command") + def test_17_22_capath_invalid(self, env: Env, httpd): ++ # we can test all TLS backends here. the ones not supporting CAPATH ++ # need to fail as well as the ones which do, but get an invalid path. + proto = 'http/1.1' + curl = CurlClient(env=env) + url = f'https://{env.authority_for(env.domain1, proto)}/curltest/sslinfo' + r = curl.http_get(url=url, alpn_proto=proto, extra_args=[ + '--capath', os.path.join(env.gen_dir, 'ca/invalid') + ]) +- # CURLE_PEER_FAILED_VERIFICATION +- assert r.exit_code == 60, f'{r.dump_logs()}' ++ # CURLE_PEER_FAILED_VERIFICATION or CURLE_SSL_CACERT_BADFILE ++ assert r.exit_code in [60, 77], f'{r.dump_logs()}' + +From 10d57fbbe4c1036780d36feed6f55a87307c6e25 Mon Sep 17 00:00:00 2001 +From: Stefan Eissing <[email protected]> +Date: Sat, 8 Nov 2025 14:58:25 +0100 +Subject: [PATCH 4/4] use 'rustls-ffi' to check for rustsls backend + +--- + tests/http/test_17_ssl_use.py | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/tests/http/test_17_ssl_use.py b/tests/http/test_17_ssl_use.py +index 76f20080b3d6..615658f06c01 100644 +--- a/tests/http/test_17_ssl_use.py ++++ b/tests/http/test_17_ssl_use.py +@@ -600,7 +600,7 @@ def test_17_20_correct_pin(self, env: Env, proto, httpd): + + @pytest.mark.skipif(condition=not Env.have_openssl(), reason="needs openssl command") + def test_17_21_capath_valid(self, env: Env, httpd): +- if env.curl_uses_lib('rustls'): ++ if env.curl_uses_lib('rustls-ffi'): + pytest.skip('rustls does not support CURLOPT_CAPATH') + proto = 'http/1.1' + curl = CurlClient(env=env) + diff --git a/net-misc/curl/files/curl-8.17.0-progress-parallel.patch b/net-misc/curl/files/curl-8.17.0-progress-parallel.patch new file mode 100644 index 0000000..8bfd90e --- /dev/null +++ b/net-misc/curl/files/curl-8.17.0-progress-parallel.patch @@ -0,0 +1,54 @@ +https://github.com/curl/curl/pull/19383 + +From a5038ff41f83907c896a41716f4f78a80a144cd1 Mon Sep 17 00:00:00 2001 +From: Stefan Eissing <[email protected]> +Date: Thu, 6 Nov 2025 12:47:33 +0100 +Subject: [PATCH] curl: fix progress meter in parallel mode + +With `check_finished()` triggered by notifications now, the +`progress_meter()` was no longer called at regular intervals. + +Move `progress_meter()` out of `check_finishe()` into the perform +loop and event callbacks. +--- + src/tool_operate.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +diff --git a/src/tool_operate.c b/src/tool_operate.c +index 74f5da5fa915..e1f61a2ba519 100644 +--- a/src/tool_operate.c ++++ b/src/tool_operate.c +@@ -1549,6 +1549,7 @@ static void on_uv_socket(uv_poll_t *req, int status, int events) + + curl_multi_socket_action(c->uv->s->multi, c->sockfd, flags, + &c->uv->s->still_running); ++ progress_meter(c->uv->s->multi, &c->uv->s->start, FALSE); + } + + /* callback from libuv when timeout expires */ +@@ -1561,6 +1562,7 @@ static void on_uv_timeout(uv_timer_t *req) + if(uv && uv->s) { + curl_multi_socket_action(uv->s->multi, CURL_SOCKET_TIMEOUT, 0, + &uv->s->still_running); ++ progress_meter(uv->s->multi, &uv->s->start, FALSE); + } + } + +@@ -1733,7 +1735,6 @@ static CURLcode check_finished(struct parastate *s) + int rc; + CURLMsg *msg; + bool checkmore = FALSE; +- progress_meter(s->multi, &s->start, FALSE); + do { + msg = curl_multi_info_read(s->multi, &rc); + if(msg) { +@@ -1875,6 +1876,8 @@ static CURLcode parallel_transfers(CURLSH *share) + s->mcode = curl_multi_poll(s->multi, NULL, 0, 1000, NULL); + if(!s->mcode) + s->mcode = curl_multi_perform(s->multi, &s->still_running); ++ ++ progress_meter(s->multi, &s->start, FALSE); + } + + (void)progress_meter(s->multi, &s->start, TRUE); + diff --git a/net-misc/curl/files/curl-8.17.0-wcurl-CVE-2025-11563.patch b/net-misc/curl/files/curl-8.17.0-wcurl-CVE-2025-11563.patch new file mode 100644 index 0000000..a5cc6fa --- /dev/null +++ b/net-misc/curl/files/curl-8.17.0-wcurl-CVE-2025-11563.patch @@ -0,0 +1,27 @@ +https://bugs.gentoo.org/966140 +https://github.com/curl/wcurl/commit/65546bae0164a97d89d42176e366d9c7c7796261 + +From 65546bae0164a97d89d42176e366d9c7c7796261 Mon Sep 17 00:00:00 2001 +From: Xi Ruoyao <[email protected]> +Date: Sun, 9 Nov 2025 14:30:34 +0800 +Subject: [PATCH] wcurl: Really fix CVE-2025-11563 + +When we pass a string to is_safe_percent_encode, it always begins with +"%'. But the lookup table UNSAFE_PERCENT_ENCODE does not contain "%" so +nothing can be matched. + +Also update the test suite to fix the false positive. + +Signed-off-by: Xi Ruoyao <[email protected]> + +--- a/scripts/wcurl ++++ b/scripts/wcurl +@@ -118,7 +118,7 @@ readonly PER_URL_PARAMETERS="\ + # characters. + # 2F = / + # 5C = \ +-readonly UNSAFE_PERCENT_ENCODE="2F 5C" ++readonly UNSAFE_PERCENT_ENCODE="%2F %5C" + + # Whether to invoke curl or not. + DRY_RUN="false"
