commit:     c84fcde0a58d2aff96e756ee4bc1941659bbd913
Author:     Brett A C Sheffield <bacs <AT> librecast <DOT> net>
AuthorDate: Tue Mar 10 21:04:38 2026 +0000
Commit:     Sam James <sam <AT> gentoo <DOT> org>
CommitDate: Wed Mar 11 13:14:09 2026 +0000
URL:        https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=c84fcde0

net-misc/curl: drop 8.15.0, 8.16.0-r1, 8.17.0, 8.17.0-r1

Bug: https://bugs.gentoo.org/962682
Bug: https://bugs.gentoo.org/966140
Bug: https://bugs.gentoo.org/969430
Signed-off-by: Brett A C Sheffield <bacs <AT> librecast.net>
Part-of: https://codeberg.org/gentoo/gentoo/pulls/284
Signed-off-by: Sam James <sam <AT> gentoo.org>

 net-misc/curl/Manifest                             |   6 -
 net-misc/curl/curl-8.15.0.ebuild                   | 442 --------------------
 net-misc/curl/curl-8.16.0-r1.ebuild                | 445 --------------------
 net-misc/curl/curl-8.17.0-r1.ebuild                | 450 ---------------------
 net-misc/curl/curl-8.17.0.ebuild                   | 442 --------------------
 .../curl/files/curl-8.16.0-pthread_cancel.patch    | 399 ------------------
 .../curl/files/curl-8.16.0-ssl_verifyhost.patch    |  63 ---
 .../curl/files/curl-8.17.0-curlopt-capath.patch    | 289 -------------
 .../curl/files/curl-8.17.0-progress-parallel.patch |  54 ---
 .../files/curl-8.17.0-wcurl-CVE-2025-11563.patch   |  27 --
 net-misc/curl/files/curl-prefix-4.patch            |  35 --
 net-misc/curl/files/curl-prefix-5.patch            |  29 --
 12 files changed, 2681 deletions(-)

diff --git a/net-misc/curl/Manifest b/net-misc/curl/Manifest
index 9999334047d1..3aa6193c8cef 100644
--- a/net-misc/curl/Manifest
+++ b/net-misc/curl/Manifest
@@ -1,9 +1,3 @@
-DIST curl-8.15.0.tar.xz 2773156 BLAKE2B 
ae809be87f34d079413129c27e618a6d15c2bf9087fd7e679cefe9b6d8645f0dd092e8c3e1f62b7bd0dffdd0b77e0bc5ac031ffce4e50060ec20b280618c8e68
 SHA512 
d27e316d70973906ac4b8d2c280f7e99b7528966aa1220c13a38ed45fca2ed6bbde54b8a9d7bed9e283171b92edb621f7b95162ef7d392e6383b0ee469de3191
-DIST curl-8.15.0.tar.xz.asc 488 BLAKE2B 
4b0bab065a1d2d5b7e5d49989bd4953344d844cafd3036b4cb2ed2dec82e59031832f05c06dc6a801e4668d92c936df74aeff7a5f2c15ff614da4b1673a67501
 SHA512 
b6aef1c6a1f32c60401494df565a748fa96c1d5098138772c22f6208bafeb8e61402f3077cbc274ea2c05f35ff376d8f736c58554520f8d20fded36d876499a5
-DIST curl-8.16.0.tar.xz 2788632 BLAKE2B 
573d56779481abf0b7d20225bba4f068cb726f23f69ce10076438e32cc6c16d1229c211aee05fc5e3e9cb9d78bbfdc5da0d8b73e730c0865879000eb90accf6a
 SHA512 
8262c3dc113cfd5744ef1b82dbccaa69448a9395ad5c094c22df5cf537a047a927d3332db2cb3be12a31a68a60d8d0fa8485b916e975eda36a4ebd860da4f621
-DIST curl-8.16.0.tar.xz.asc 488 BLAKE2B 
d213bd447c668118b49b7356dc99e710de927b93f81325802bae5e286b61481da6ed30f23c7f4f3cfb0f01222db88602ff4e510f4a1401e98511eb0c72ac6abb
 SHA512 
591568e997c0d955a00152ce5bdfb4586d84b42f5c1e15df503514fb4eb4bf289a98b1ebdad23913119c67c27d51a6e6f4065ee6f7657b971c3a581c928a0d82
-DIST curl-8.17.0.tar.xz 2797000 BLAKE2B 
a7a804afe058f323b40177bcb4ffc523decde92da3da0a051f2dc1b566131250a96afe1ebf2bebc071993c893bddeef883ef33ddc0a9bee86d4e54402a546fba
 SHA512 
fc6349def40c3c259de2a568631507df17dff83e78a2edbb93f069586dce594439fdc88bef7ce2bed7491f35800b8c0c181c8c88e6ef656cc3c18f9834681eca
-DIST curl-8.17.0.tar.xz.asc 488 BLAKE2B 
88b72cb9c0acd8a06956eca31047dfadfe110dc07290adbe50b9451a71d4282acaa05c8a149787d71cf13cf1b42e8df9594d0e8a2b1cadbfca5eb50550f32609
 SHA512 
e77d4cb1f4961aa0df3d76f1a8c55a0b9005ed557adf745f3ab24d33cee2d0e4bd06cecb9d911e76409852e7755129873cc7d24936c846ff1b854903c0f086b2
 DIST curl-8.18.0.tar.xz 2801444 BLAKE2B 
16e1539616c1800dfa08a5bd3e38ff75d2906a4a574b1541509c69200aebe680b0a5efdf1b1e0c89f3cccb6001bfe1c1459b9fd815053c964e1a1434be1e2e0e
 SHA512 
50c7a7b0528e0019697b0c59b3e56abb2578c71d77e4c085b56797276094b5611718c0a9cb2b14db7f8ab502fcf8f42a364297a3387fae3870a4d281484ba21c
 DIST curl-8.18.0.tar.xz.asc 488 BLAKE2B 
68c2ce9777ba51962139e70e48c4b24d404682a6ad530843791cc188b2656dc26a19f0757f97ead2ff492f7b8a4e4116707df901e81bf8efb28658ff4df99ae0
 SHA512 
07e08d1bb3f8bf20b3d22f37fbc19c49c0d9ee4ea9d92da76fa8a9de343023e1b5d416ccc6535a4ff98b08b30eb9334fd856227e37564f6bcd542aa81bced152
 DIST curl-8.19.0.tar.xz 2787584 BLAKE2B 
d4a943af9a109893112876784dbe106276317e6cd5a2663f4de143c93abb4e266945fa65b4a5fa842f99240c961b027a1b2492e3e32f5247a91c394895e2b8b0
 SHA512 
ee97faaf588b255428000599293c47a2f648af11d1a0b7b823db6aec151e2090f5c7b921745ddb2c3818d92b16e0a4c15d7a9b3d1ff45df1f35438504bd16574

diff --git a/net-misc/curl/curl-8.15.0.ebuild b/net-misc/curl/curl-8.15.0.ebuild
deleted file mode 100644
index 4715d49e9e95..000000000000
--- a/net-misc/curl/curl-8.15.0.ebuild
+++ /dev/null
@@ -1,442 +0,0 @@
-# Copyright 1999-2025 Gentoo Authors
-# Distributed under the terms of the GNU General Public License v2
-
-EAPI=8
-
-# Maintainers should subscribe to the 'curl-distros' ML for backports etc
-# https://daniel.haxx.se/blog/2024/03/25/curl-distro-report/
-# https://lists.haxx.se/listinfo/curl-distros
-
-VERIFY_SIG_OPENPGP_KEY_PATH=/usr/share/openpgp-keys/danielstenberg.asc
-inherit autotools multilib-minimal multiprocessing prefix toolchain-funcs 
verify-sig
-
-DESCRIPTION="A Client that groks URLs"
-HOMEPAGE="https://curl.se/";
-
-if [[ ${PV} == 9999 ]]; then
-       inherit git-r3
-       EGIT_REPO_URI="https://github.com/curl/curl.git";
-else
-       if [[ ${P} == *rc* ]]; then
-               CURL_URI="https://curl.se/rc/";
-               S="${WORKDIR}/${P//_/-}"
-       else
-               CURL_URI="https://curl.se/download/";
-               KEYWORDS="~alpha amd64 arm arm64 ~hppa ~loong ~m68k ~mips ppc 
ppc64 ~riscv ~s390 ~sparc x86 ~arm64-macos ~x64-macos ~x64-solaris"
-       fi
-       SRC_URI="
-               ${CURL_URI}${P//_/-}.tar.xz
-               verify-sig? ( ${CURL_URI}${P//_/-}.tar.xz.asc )
-       "
-fi
-
-LICENSE="BSD curl ISC test? ( BSD-4 )"
-SLOT="0"
-IUSE="+adns +alt-svc brotli debug ech +ftp gnutls gopher +hsts +http2 +http3 
+httpsrr idn +imap kerberos ldap"
-IUSE+=" mbedtls +openssl +pop3 +psl +quic rtmp rustls samba sasl-scram +smtp 
ssh ssl static-libs test"
-IUSE+=" telnet +tftp +websockets zstd"
-# These select the default tls implementation / which quic impl to use
-IUSE+=" +curl_quic_openssl curl_quic_ngtcp2 curl_ssl_gnutls curl_ssl_mbedtls 
+curl_ssl_openssl curl_ssl_rustls"
-RESTRICT="!test? ( test )"
-
-# HTTPS RR is technically usable with the threaded resolver, but it still uses 
c-ares to
-# ask for the HTTPS RR record type; if DoH is in use the HTTPS record will be 
requested
-# in addition to A and AAAA records.
-
-# To simplify dependency management in the ebuild we'll require c-ares for 
HTTPS RR (for now?).
-# HTTPS RR in cURL is a dependency for:
-# - ECH (requires patched openssl or gnutls currently, enabled with rustls)
-# - Fetching the ALPN list which should provide a better HTTP/3 experience.
-
-# Only one default ssl / quic provider can be enabled
-# The default provider needs its USE satisfied
-# HTTP/3 and MultiSSL are mutually exclusive; it's not clear if MultiSSL 
offers any benefit at all in the modern day.
-# https://github.com/curl/curl/commit/65ece771f4602107d9cdd339dff4b420280a2c2e
-REQUIRED_USE="
-       ech? ( rustls )
-       httpsrr? ( adns )
-       quic? (
-               ^^ (
-                       curl_quic_openssl
-                       curl_quic_ngtcp2
-               )
-               http3
-               ssl
-       )
-       ssl? (
-               ^^ (
-                       curl_ssl_gnutls
-                       curl_ssl_mbedtls
-                       curl_ssl_openssl
-                       curl_ssl_rustls
-               )
-       )
-       curl_quic_openssl? (
-               curl_ssl_openssl
-               quic
-               !gnutls
-               !mbedtls
-               !rustls
-       )
-       curl_quic_ngtcp2? (
-               curl_ssl_gnutls
-               quic
-               !mbedtls
-               !openssl
-               !rustls
-       )
-       curl_ssl_gnutls? ( gnutls )
-       curl_ssl_mbedtls? ( mbedtls )
-       curl_ssl_openssl? ( openssl )
-       curl_ssl_rustls? ( rustls )
-       http3? ( alt-svc httpsrr quic )
-"
-
-# cURL's docs and CI/CD are great resources for confirming supported versions
-# particulary for fast-moving targets like HTTP/2 and TCP/2 e.g.:
-# - https://github.com/curl/curl/blob/master/docs/INTERNALS.md (core 
dependencies + minimum versions)
-# - https://github.com/curl/curl/blob/master/docs/HTTP3.md (example of a 
feature that moves quickly)
-# - https://github.com/curl/curl/blob/master/.github/workflows/http3-linux.yml 
(CI/CD for TCP/2)
-# However 'supported' vs 'works' are two entirely different things; be sane but
-# don't be afraid to require a later version.
-# ngtcp2 = https://bugs.gentoo.org/912029 - can only build with one tls 
backend at a time.
-RDEPEND="
-       >=virtual/zlib-1.2.5:=[${MULTILIB_USEDEP}]
-       adns? ( >=net-dns/c-ares-1.16.0:=[${MULTILIB_USEDEP}] )
-       brotli? ( app-arch/brotli:=[${MULTILIB_USEDEP}] )
-       http2? ( >=net-libs/nghttp2-1.15.0:=[${MULTILIB_USEDEP}] )
-       http3? ( >=net-libs/nghttp3-1.1.0[${MULTILIB_USEDEP}] )
-       idn? ( >=net-dns/libidn2-2.0.0:=[static-libs?,${MULTILIB_USEDEP}] )
-       kerberos? ( >=virtual/krb5-0-r1[${MULTILIB_USEDEP}] )
-       ldap? ( >=net-nds/openldap-2.0.0:=[static-libs?,${MULTILIB_USEDEP}] )
-       psl? ( net-libs/libpsl[${MULTILIB_USEDEP}] )
-       quic? (
-               curl_quic_openssl? ( 
>=dev-libs/openssl-3.3.0:=[quic,${MULTILIB_USEDEP}] )
-               curl_quic_ngtcp2? ( 
>=net-libs/ngtcp2-1.2.0[gnutls,ssl,-openssl,${MULTILIB_USEDEP}] )
-       )
-       rtmp? ( media-video/rtmpdump[${MULTILIB_USEDEP}] )
-       ssh? ( >=net-libs/libssh2-1.2.8[${MULTILIB_USEDEP}] )
-       sasl-scram? ( >=net-misc/gsasl-2.2.0[static-libs?,${MULTILIB_USEDEP}] )
-       ssl? (
-               gnutls? (
-                       app-misc/ca-certificates
-                       
>=net-libs/gnutls-3.1.10:=[static-libs?,${MULTILIB_USEDEP}]
-                       dev-libs/nettle:=[${MULTILIB_USEDEP}]
-               )
-               mbedtls? (
-                       app-misc/ca-certificates
-                       net-libs/mbedtls:0=[${MULTILIB_USEDEP}]
-               )
-               openssl? (
-                       
>=dev-libs/openssl-1.0.2:=[static-libs?,${MULTILIB_USEDEP}]
-               )
-               rustls? (
-                       >=net-libs/rustls-ffi-0.15.0:=[${MULTILIB_USEDEP}]
-               )
-       )
-       zstd? ( app-arch/zstd:=[${MULTILIB_USEDEP}] )
-"
-
-DEPEND="${RDEPEND}"
-
-BDEPEND="
-       dev-lang/perl
-       virtual/pkgconfig
-       test? (
-               sys-apps/diffutils
-               http2? ( >=net-libs/nghttp2-1.15.0:=[utils,${MULTILIB_USEDEP}] )
-               http3? ( net-libs/nghttp2:=[utils,${MULTILIB_USEDEP}] )
-       )
-       verify-sig? ( sec-keys/openpgp-keys-danielstenberg )
-"
-
-DOCS=( README docs/{FEATURES.md,INTERNALS.md,FAQ,BUGS.md,CONTRIBUTE.md} )
-
-MULTILIB_WRAPPED_HEADERS=(
-       /usr/include/curl/curlbuild.h
-)
-
-MULTILIB_CHOST_TOOLS=(
-       /usr/bin/curl-config
-)
-
-QA_CONFIG_IMPL_DECL_SKIP=(
-       __builtin_available
-       closesocket
-       CloseSocket
-       getpass_r
-       ioctlsocket
-       IoctlSocket
-       mach_absolute_time
-       setmode
-       _fseeki64
-       # custom AC_LINK_IFELSE code fails to link even without -Werror
-       OSSL_QUIC_client_method
-)
-
-PATCHES=(
-       "${FILESDIR}/${PN}-prefix-4.patch"
-       "${FILESDIR}/${PN}-respect-cflags-3.patch"
-)
-
-src_prepare() {
-       default
-
-       eprefixify curl-config.in
-       eautoreconf
-}
-
-# Generates TLS-related configure options based on USE flags.
-# Outputs options suitable for appending to a configure options array.
-_get_curl_tls_configure_opts() {
-       local tls_opts=()
-
-       local backend flag_name
-       for backend in gnutls mbedtls openssl rustls; do
-               if [[ "$backend" == "openssl" ]]; then
-                       flag_name="ssl"
-                       tls_opts+=( "--with-ca-path=${EPREFIX}/etc/ssl/certs")
-               else
-                       flag_name="$backend"
-               fi
-
-               if use "$backend"; then
-                       tls_opts+=( "--with-${flag_name}" )
-               else
-                       # If a single backend is enabled, 'ssl' is required, 
openssl is the default / fallback
-                       if ! [[ "$backend" == "openssl" ]]; then
-                               tls_opts+=( "--without-${flag_name}" )
-                       fi
-               fi
-       done
-
-       if use curl_ssl_gnutls; then
-               multilib_is_native_abi && einfo "Default TLS backend: gnutls"
-               tls_opts+=( "--with-default-ssl-backend=gnutls" )
-       elif use curl_ssl_mbedtls; then
-               multilib_is_native_abi && einfo "Default TLS backend: mbedtls"
-               tls_opts+=( "--with-default-ssl-backend=mbedtls" )
-       elif use curl_ssl_openssl; then
-               multilib_is_native_abi && einfo "Default TLS backend: openssl"
-               tls_opts+=( "--with-default-ssl-backend=openssl" )
-       elif use curl_ssl_rustls; then
-               multilib_is_native_abi && einfo "Default TLS backend: rustls"
-               tls_opts+=( "--with-default-ssl-backend=rustls" )
-       else
-               eerror "We can't be here because of REQUIRED_USE."
-               die "Please file a bug, hit impossible condition w/ USE=ssl 
handling."
-       fi
-
-       # Explicitly Disable unimplemented backends
-       tls_opts+=(
-               --without-amissl
-               --without-wolfssl
-       )
-
-       printf "%s\n" "${tls_opts[@]}"
-}
-
-multilib_src_configure() {
-       # We make use of the fact that later flags override earlier ones
-       # So start with all ssl providers off until proven otherwise
-       # TODO: in the future, we may want to add wolfssl 
(https://www.wolfssl.com/)
-       local myconf=()
-
-       myconf+=( --without-ca-fallback 
--with-ca-bundle="${EPREFIX}"/etc/ssl/certs/ca-certificates.crt  )
-       if use ssl; then
-               local -a tls_backend_opts
-               readarray -t tls_backend_opts < <(_get_curl_tls_configure_opts)
-               myconf+=("${tls_backend_opts[@]}")
-               if use quic; then
-                       myconf+=(
-                               $(use_with curl_quic_ngtcp2 ngtcp2)
-                               $(use_with curl_quic_openssl openssl-quic)
-                       )
-               else
-                       # Without a REQUIRED_USE to ensure that QUIC was 
requested when at least one default backend is
-                       # enabled we need ensure that we don't try to build 
QUIC support
-                       myconf+=( --without-ngtcp2 --without-openssl-quic )
-               fi
-       else
-               myconf+=( --without-ssl )
-               einfo "SSL disabled"
-       fi
-
-       # These configuration options are organised alphabetically by 
category/type
-
-       # Protocols
-       # `grep SUPPORT_PROTOCOLS=\" configure.ac | awk '{ print substr($2, 1, 
length($2)-1)}' | sort`
-       # Assume that anything omitted (that is not new!) is enabled by default 
with no deps
-       myconf+=(
-               --enable-file
-               $(use_enable ftp)
-               $(use_enable gopher)
-               --enable-http
-               $(use_enable imap) # Automatic IMAPS if TLS is enabled
-               $(use_enable ldap ldaps)
-               $(use_enable ldap)
-               $(use_enable pop3)
-               $(use_enable samba smb)
-               $(use_with ssh libssh2) # enables scp/sftp
-               $(use_with rtmp librtmp)
-               --enable-rtsp
-               $(use_enable smtp)
-               $(use_enable telnet)
-               $(use_enable tftp)
-               $(use_enable websockets)
-       )
-
-       # Keep various 'HTTP-flavoured' options together
-       myconf+=(
-               $(use_enable alt-svc)
-               $(use_enable hsts)
-               $(use_enable httpsrr)
-               $(use_with http2 nghttp2)
-               $(use_with http3 nghttp3)
-       )
-
-       # --enable/disable options
-       # `grep -- --enable configure | grep Check | awk '{ print $4 }' | sort`
-       myconf+=(
-               $(use_enable adns ares)
-               --enable-aws
-               --enable-basic-auth
-               --enable-bearer-auth
-               --enable-cookies
-               --enable-dateparse
-               --enable-dict
-               --enable-digest-auth
-               --enable-dnsshuffle
-               --enable-doh
-               $(use_enable ech)
-               --enable-http-auth
-               --enable-ipv6
-               --enable-kerberos-auth
-               --enable-largefile
-               --enable-manual
-               --enable-mime
-               --enable-negotiate-auth
-               --enable-netrc
-               --enable-ntlm
-               --enable-progress-meter
-               --enable-proxy
-               --enable-rt
-               --enable-socketpair
-               --disable-sspi
-               $(use_enable static-libs static)
-               --enable-symbol-hiding
-               --enable-tls-srp
-               --disable-versioned-symbols
-       )
-
-       # --with/without options
-       # `grep -- --with configure | grep Check | awk '{ print $4 }' | sort`
-       myconf+=(
-               $(use_with brotli)
-               
--with-fish-functions-dir="${EPREFIX}"/usr/share/fish/vendor_completions.d
-               $(use_with idn libidn2)
-               $(use_with kerberos gssapi "${EPREFIX}"/usr)
-               $(use_with sasl-scram libgsasl)
-               $(use_with psl libpsl)
-               --without-msh3
-               --without-quiche
-               --without-schannel
-               --without-winidn
-               --with-zlib
-               
--with-zsh-functions-dir="${EPREFIX}"/usr/share/zsh/site-functions
-               $(use_with zstd)
-       )
-
-       # Test deps (disabled)
-       myconf+=(
-               --without-test-caddy
-               --without-test-httpd
-               --without-test-nghttpx
-       )
-
-       if use debug; then
-               myconf+=(
-                       --enable-debug
-               )
-       fi
-
-       if use test && multilib_is_native_abi && ( use http2 || use http3 ); 
then
-               myconf+=(
-                       --with-test-nghttpx="${BROOT}/usr/bin/nghttpx"
-               )
-       fi
-
-       # Since 8.12.0 adns/c-ares and the threaded resolver are mutually 
exclusive
-       # This is in support of some work to enable `httpsrr` to use adns and 
the rest
-       # of curl to use the threaded resolver; for us `httpsrr` is conditional 
on adns.
-       if use adns; then
-               myconf+=(
-                       --disable-threaded-resolver
-               )
-       else
-               myconf+=(
-                       --enable-threaded-resolver
-               )
-       fi
-
-       ECONF_SOURCE="${S}" econf "${myconf[@]}"
-
-       if ! multilib_is_native_abi; then
-               # Avoid building the client (we just want libcurl for multilib)
-               sed -i -e '/SUBDIRS/s:src::' Makefile || die
-               sed -i -e '/SUBDIRS/s:scripts::' Makefile || die
-       fi
-
-}
-
-multilib_src_compile() {
-       default
-
-       if multilib_is_native_abi; then
-               # Shell completions
-               ! tc-is-cross-compiler && emake -C scripts
-       fi
-}
-
-# There is also a pytest harness that tests for bugs in some very specific
-# situations; we can rely on upstream for this rather than adding additional 
test deps.
-multilib_src_test() {
-       # See https://github.com/curl/curl/blob/master/tests/runtests.pl#L5721
-       # -n: no valgrind (unreliable in sandbox and doesn't work correctly on 
all arches)
-       # -v: verbose
-       # -a: keep going on failure (so we see everything that breaks, not just 
1st test)
-       # -k: keep test files after completion
-       # -am: automake style TAP output
-       # -p: print logs if test fails
-       # Note: if needed, we can skip specific tests. See e.g. Fedora's 
packaging
-       # or just read https://github.com/curl/curl/tree/master/tests#run.
-       # Note: we don't run the testsuite for cross-compilation.
-       # Upstream recommend 7*nproc as a starting point for parallel tests, but
-       # this ends up breaking when nproc is huge (like -j80).
-       # The network sandbox causes tests 241 and 1083 to fail; these are 
typically skipped
-       # as most gentoo users don't have an 'ip6-localhost'
-       multilib_is_native_abi && emake test TFLAGS="-n -v -a -k -am -p 
-j$((2*$(makeopts_jobs))) !241 !1083"
-}
-
-multilib_src_install() {
-       emake DESTDIR="${D}" install
-
-       if multilib_is_native_abi; then
-               # Shell completions
-               ! tc-is-cross-compiler && emake -C scripts DESTDIR="${D}" 
install
-       fi
-}
-
-multilib_src_install_all() {
-       einstalldocs
-       find "${ED}" -type f -name '*.la' -delete || die
-       rm -rf "${ED}"/etc/ || die
-}
-
-pkg_postinst() {
-       if use debug; then
-               ewarn "USE=debug has been selected, enabling debug codepaths 
and making cURL extra verbose."
-               ewarn "Use this _only_ for testing. Debug builds should _not_ 
be used in anger."
-               ewarn "hic sunt dracones; you have been warned."
-       fi
-}

diff --git a/net-misc/curl/curl-8.16.0-r1.ebuild 
b/net-misc/curl/curl-8.16.0-r1.ebuild
deleted file mode 100644
index e598370a739f..000000000000
--- a/net-misc/curl/curl-8.16.0-r1.ebuild
+++ /dev/null
@@ -1,445 +0,0 @@
-# Copyright 1999-2026 Gentoo Authors
-# Distributed under the terms of the GNU General Public License v2
-
-EAPI=8
-
-# Maintainers should subscribe to the 'curl-distros' ML for backports etc
-# https://daniel.haxx.se/blog/2024/03/25/curl-distro-report/
-# https://lists.haxx.se/listinfo/curl-distros
-
-VERIFY_SIG_OPENPGP_KEY_PATH=/usr/share/openpgp-keys/danielstenberg.asc
-inherit dot-a autotools multilib-minimal multiprocessing prefix 
toolchain-funcs verify-sig
-
-DESCRIPTION="A Client that groks URLs"
-HOMEPAGE="https://curl.se/";
-
-if [[ ${PV} == 9999 ]]; then
-       inherit git-r3
-       EGIT_REPO_URI="https://github.com/curl/curl.git";
-else
-       if [[ ${P} == *rc* ]]; then
-               CURL_URI="https://curl.se/rc/";
-               S="${WORKDIR}/${P//_/-}"
-       else
-               CURL_URI="https://curl.se/download/";
-               KEYWORDS="~alpha amd64 arm arm64 ~hppa ~loong ~m68k ~mips ppc 
ppc64 ~riscv ~s390 ~sparc x86 ~arm64-macos ~x64-macos ~x64-solaris"
-       fi
-       SRC_URI="
-               ${CURL_URI}${P//_/-}.tar.xz
-               verify-sig? ( ${CURL_URI}${P//_/-}.tar.xz.asc )
-       "
-fi
-
-LICENSE="BSD curl ISC test? ( BSD-4 )"
-SLOT="0"
-IUSE="+adns +alt-svc brotli debug ech +ftp gnutls gopher +hsts +http2 +http3 
+httpsrr idn +imap kerberos ldap"
-IUSE+=" mbedtls +openssl +pop3 +psl +quic rtmp rustls samba sasl-scram +smtp 
ssh ssl static-libs test"
-IUSE+=" telnet +tftp +websockets zstd"
-# These select the default tls implementation / which quic impl to use
-IUSE+=" +curl_quic_openssl curl_quic_ngtcp2 curl_ssl_gnutls curl_ssl_mbedtls 
+curl_ssl_openssl curl_ssl_rustls"
-RESTRICT="!test? ( test )"
-
-# HTTPS RR is technically usable with the threaded resolver, but it still uses 
c-ares to
-# ask for the HTTPS RR record type; if DoH is in use the HTTPS record will be 
requested
-# in addition to A and AAAA records.
-
-# To simplify dependency management in the ebuild we'll require c-ares for 
HTTPS RR (for now?).
-# HTTPS RR in cURL is a dependency for:
-# - ECH (requires patched openssl or gnutls currently, enabled with rustls)
-# - Fetching the ALPN list which should provide a better HTTP/3 experience.
-
-# Only one default ssl / quic provider can be enabled
-# The default provider needs its USE satisfied
-# HTTP/3 and MultiSSL are mutually exclusive; it's not clear if MultiSSL 
offers any benefit at all in the modern day.
-# https://github.com/curl/curl/commit/65ece771f4602107d9cdd339dff4b420280a2c2e
-REQUIRED_USE="
-       ech? ( rustls )
-       httpsrr? ( adns )
-       quic? (
-               ^^ (
-                       curl_quic_openssl
-                       curl_quic_ngtcp2
-               )
-               http3
-               ssl
-       )
-       ssl? (
-               ^^ (
-                       curl_ssl_gnutls
-                       curl_ssl_mbedtls
-                       curl_ssl_openssl
-                       curl_ssl_rustls
-               )
-       )
-       curl_quic_openssl? (
-               curl_ssl_openssl
-               !gnutls
-               !mbedtls
-               !rustls
-       )
-       curl_quic_ngtcp2? (
-               curl_ssl_gnutls
-               !mbedtls
-               !openssl
-               !rustls
-       )
-       curl_ssl_gnutls? ( gnutls )
-       curl_ssl_mbedtls? ( mbedtls )
-       curl_ssl_openssl? ( openssl )
-       curl_ssl_rustls? ( rustls )
-       http3? ( alt-svc httpsrr quic )
-"
-
-# cURL's docs and CI/CD are great resources for confirming supported versions
-# particulary for fast-moving targets like HTTP/2 and TCP/2 e.g.:
-# - https://github.com/curl/curl/blob/master/docs/INTERNALS.md (core 
dependencies + minimum versions)
-# - https://github.com/curl/curl/blob/master/docs/HTTP3.md (example of a 
feature that moves quickly)
-# - https://github.com/curl/curl/blob/master/.github/workflows/http3-linux.yml 
(CI/CD for TCP/2)
-# However 'supported' vs 'works' are two entirely different things; be sane but
-# don't be afraid to require a later version.
-# ngtcp2 = https://bugs.gentoo.org/912029 - can only build with one tls 
backend at a time.
-RDEPEND="
-       >=virtual/zlib-1.2.5:=[${MULTILIB_USEDEP}]
-       adns? ( >=net-dns/c-ares-1.16.0:=[${MULTILIB_USEDEP}] )
-       brotli? ( app-arch/brotli:=[${MULTILIB_USEDEP}] )
-       http2? ( >=net-libs/nghttp2-1.15.0:=[${MULTILIB_USEDEP}] )
-       http3? ( >=net-libs/nghttp3-1.1.0[${MULTILIB_USEDEP}] )
-       idn? ( >=net-dns/libidn2-2.0.0:=[static-libs?,${MULTILIB_USEDEP}] )
-       kerberos? ( >=virtual/krb5-0-r1[${MULTILIB_USEDEP}] )
-       ldap? ( >=net-nds/openldap-2.0.0:=[static-libs?,${MULTILIB_USEDEP}] )
-       psl? ( net-libs/libpsl[${MULTILIB_USEDEP}] )
-       quic? (
-               curl_quic_openssl? ( 
>=dev-libs/openssl-3.3.0:=[quic,${MULTILIB_USEDEP}] )
-               curl_quic_ngtcp2? ( 
>=net-libs/ngtcp2-1.2.0[gnutls,ssl,-openssl,${MULTILIB_USEDEP}] )
-       )
-       rtmp? ( media-video/rtmpdump[${MULTILIB_USEDEP}] )
-       ssh? ( >=net-libs/libssh2-1.2.8[${MULTILIB_USEDEP}] )
-       sasl-scram? ( >=net-misc/gsasl-2.2.0[static-libs?,${MULTILIB_USEDEP}] )
-       ssl? (
-               gnutls? (
-                       app-misc/ca-certificates
-                       
>=net-libs/gnutls-3.1.10:=[static-libs?,${MULTILIB_USEDEP}]
-                       dev-libs/nettle:=[${MULTILIB_USEDEP}]
-               )
-               mbedtls? (
-                       app-misc/ca-certificates
-                       net-libs/mbedtls:3=[${MULTILIB_USEDEP}]
-               )
-               openssl? (
-                       
>=dev-libs/openssl-1.0.2:=[static-libs?,${MULTILIB_USEDEP}]
-               )
-               rustls? (
-                       >=net-libs/rustls-ffi-0.15.0:=[${MULTILIB_USEDEP}]
-               )
-       )
-       zstd? ( app-arch/zstd:=[${MULTILIB_USEDEP}] )
-"
-
-DEPEND="${RDEPEND}"
-
-BDEPEND="
-       dev-lang/perl
-       virtual/pkgconfig
-       test? (
-               sys-apps/diffutils
-               http2? ( >=net-libs/nghttp2-1.15.0:=[utils,${MULTILIB_USEDEP}] )
-               http3? ( net-libs/nghttp2:=[utils,${MULTILIB_USEDEP}] )
-       )
-       verify-sig? ( sec-keys/openpgp-keys-danielstenberg )
-"
-
-DOCS=( README docs/{FEATURES.md,INTERNALS.md,FAQ,BUGS.md,CONTRIBUTE.md} )
-
-MULTILIB_WRAPPED_HEADERS=(
-       /usr/include/curl/curlbuild.h
-)
-
-MULTILIB_CHOST_TOOLS=(
-       /usr/bin/curl-config
-)
-
-QA_CONFIG_IMPL_DECL_SKIP=(
-       __builtin_available
-       closesocket
-       CloseSocket
-       getpass_r
-       ioctlsocket
-       IoctlSocket
-       mach_absolute_time
-       setmode
-       _fseeki64
-       # custom AC_LINK_IFELSE code fails to link even without -Werror
-       OSSL_QUIC_client_method
-)
-
-PATCHES=(
-       "${FILESDIR}/${PN}-prefix-5.patch"
-       "${FILESDIR}/${PN}-respect-cflags-3.patch"
-       "${FILESDIR}/${P}-ssl_verifyhost.patch"
-       "${FILESDIR}/${P}-pthread_cancel.patch"
-)
-
-src_prepare() {
-       default
-
-       eprefixify curl-config.in
-       eautoreconf
-}
-
-# Generates TLS-related configure options based on USE flags.
-# Outputs options suitable for appending to a configure options array.
-_get_curl_tls_configure_opts() {
-       local tls_opts=()
-
-       local backend flag_name
-       for backend in gnutls mbedtls openssl rustls; do
-               if [[ "$backend" == "openssl" ]]; then
-                       flag_name="ssl"
-                       tls_opts+=( "--with-ca-path=${EPREFIX}/etc/ssl/certs")
-               else
-                       flag_name="$backend"
-               fi
-
-               if use "$backend"; then
-                       tls_opts+=( "--with-${flag_name}" )
-               else
-                       # If a single backend is enabled, 'ssl' is required, 
openssl is the default / fallback
-                       if ! [[ "$backend" == "openssl" ]]; then
-                               tls_opts+=( "--without-${flag_name}" )
-                       fi
-               fi
-       done
-
-       if use curl_ssl_gnutls; then
-               multilib_is_native_abi && einfo "Default TLS backend: gnutls"
-               tls_opts+=( "--with-default-ssl-backend=gnutls" )
-       elif use curl_ssl_mbedtls; then
-               multilib_is_native_abi && einfo "Default TLS backend: mbedtls"
-               tls_opts+=( "--with-default-ssl-backend=mbedtls" )
-       elif use curl_ssl_openssl; then
-               multilib_is_native_abi && einfo "Default TLS backend: openssl"
-               tls_opts+=( "--with-default-ssl-backend=openssl" )
-       elif use curl_ssl_rustls; then
-               multilib_is_native_abi && einfo "Default TLS backend: rustls"
-               tls_opts+=( "--with-default-ssl-backend=rustls" )
-       else
-               eerror "We can't be here because of REQUIRED_USE."
-               die "Please file a bug, hit impossible condition w/ USE=ssl 
handling."
-       fi
-
-       # Explicitly Disable unimplemented backends
-       tls_opts+=(
-               --without-amissl
-               --without-wolfssl
-       )
-
-       printf "%s\n" "${tls_opts[@]}"
-}
-
-multilib_src_configure() {
-       use static-libs && lto-guarantee-fat
-       # We make use of the fact that later flags override earlier ones
-       # So start with all ssl providers off until proven otherwise
-       # TODO: in the future, we may want to add wolfssl 
(https://www.wolfssl.com/)
-       local myconf=()
-
-       myconf+=( --without-ca-fallback 
--with-ca-bundle="${EPREFIX}"/etc/ssl/certs/ca-certificates.crt  )
-       if use ssl; then
-               local -a tls_backend_opts
-               readarray -t tls_backend_opts < <(_get_curl_tls_configure_opts)
-               myconf+=("${tls_backend_opts[@]}")
-               if use quic; then
-                       myconf+=(
-                               $(use_with curl_quic_ngtcp2 ngtcp2)
-                               $(use_with curl_quic_openssl openssl-quic)
-                       )
-               else
-                       # Without a REQUIRED_USE to ensure that QUIC was 
requested when at least one default backend is
-                       # enabled we need ensure that we don't try to build 
QUIC support
-                       myconf+=( --without-ngtcp2 --without-openssl-quic )
-               fi
-       else
-               myconf+=( --without-ssl )
-               einfo "SSL disabled"
-       fi
-
-       # These configuration options are organised alphabetically by 
category/type
-
-       # Protocols
-       # `grep SUPPORT_PROTOCOLS=\" configure.ac | awk '{ print substr($2, 1, 
length($2)-1)}' | sort`
-       # Assume that anything omitted (that is not new!) is enabled by default 
with no deps
-       myconf+=(
-               --enable-file
-               $(use_enable ftp)
-               $(use_enable gopher)
-               --enable-http
-               $(use_enable imap) # Automatic IMAPS if TLS is enabled
-               $(use_enable ldap ldaps)
-               $(use_enable ldap)
-               $(use_enable pop3)
-               $(use_enable samba smb)
-               $(use_with ssh libssh2) # enables scp/sftp
-               $(use_with rtmp librtmp)
-               --enable-rtsp
-               $(use_enable smtp)
-               $(use_enable telnet)
-               $(use_enable tftp)
-               $(use_enable websockets)
-       )
-
-       # Keep various 'HTTP-flavoured' options together
-       myconf+=(
-               $(use_enable alt-svc)
-               $(use_enable hsts)
-               $(use_enable httpsrr)
-               $(use_with http2 nghttp2)
-               $(use_with http3 nghttp3)
-       )
-
-       # --enable/disable options
-       # `grep -- --enable configure | grep Check | awk '{ print $4 }' | sort`
-       myconf+=(
-               $(use_enable adns ares)
-               --enable-aws
-               --enable-basic-auth
-               --enable-bearer-auth
-               --enable-cookies
-               --enable-dateparse
-               --enable-dict
-               --enable-digest-auth
-               --enable-dnsshuffle
-               --enable-doh
-               $(use_enable ech)
-               --enable-http-auth
-               --enable-ipv6
-               --enable-kerberos-auth
-               --enable-largefile
-               --enable-manual
-               --enable-mime
-               --enable-negotiate-auth
-               --enable-netrc
-               --enable-ntlm
-               --enable-progress-meter
-               --enable-proxy
-               --enable-rt
-               --enable-socketpair
-               --disable-sspi
-               $(use_enable static-libs static)
-               --enable-symbol-hiding
-               --enable-tls-srp
-               --disable-versioned-symbols
-       )
-
-       # --with/without options
-       # `grep -- --with configure | grep Check | awk '{ print $4 }' | sort`
-       myconf+=(
-               $(use_with brotli)
-               
--with-fish-functions-dir="${EPREFIX}"/usr/share/fish/vendor_completions.d
-               $(use_with idn libidn2)
-               $(use_with kerberos gssapi "${EPREFIX}"/usr)
-               $(use_with sasl-scram libgsasl)
-               $(use_with psl libpsl)
-               --without-quiche
-               --without-schannel
-               --without-winidn
-               --with-zlib
-               
--with-zsh-functions-dir="${EPREFIX}"/usr/share/zsh/site-functions
-               $(use_with zstd)
-       )
-
-       # Test deps (disabled)
-       myconf+=(
-               --without-test-caddy
-               --without-test-httpd
-               --without-test-nghttpx
-       )
-
-       if use debug; then
-               myconf+=(
-                       --enable-debug
-               )
-       fi
-
-       if use test && multilib_is_native_abi && ( use http2 || use http3 ); 
then
-               myconf+=(
-                       --with-test-nghttpx="${BROOT}/usr/bin/nghttpx"
-               )
-       fi
-
-       # Since 8.12.0 adns/c-ares and the threaded resolver are mutually 
exclusive
-       # This is in support of some work to enable `httpsrr` to use adns and 
the rest
-       # of curl to use the threaded resolver; for us `httpsrr` is conditional 
on adns.
-       if use adns; then
-               myconf+=(
-                       --disable-threaded-resolver
-               )
-       else
-               myconf+=(
-                       --enable-threaded-resolver
-               )
-       fi
-
-       ECONF_SOURCE="${S}" econf "${myconf[@]}"
-
-       if ! multilib_is_native_abi; then
-               # Avoid building the client (we just want libcurl for multilib)
-               sed -i -e '/SUBDIRS/s:src::' Makefile || die
-               sed -i -e '/SUBDIRS/s:scripts::' Makefile || die
-       fi
-
-}
-
-multilib_src_compile() {
-       default
-
-       if multilib_is_native_abi; then
-               # Shell completions
-               ! tc-is-cross-compiler && emake -C scripts
-       fi
-}
-
-# There is also a pytest harness that tests for bugs in some very specific
-# situations; we can rely on upstream for this rather than adding additional 
test deps.
-multilib_src_test() {
-       # See https://github.com/curl/curl/blob/master/tests/runtests.pl#L5721
-       # -n: no valgrind (unreliable in sandbox and doesn't work correctly on 
all arches)
-       # -v: verbose
-       # -a: keep going on failure (so we see everything that breaks, not just 
1st test)
-       # -k: keep test files after completion
-       # -am: automake style TAP output
-       # -p: print logs if test fails
-       # Note: if needed, we can skip specific tests. See e.g. Fedora's 
packaging
-       # or just read https://github.com/curl/curl/tree/master/tests#run.
-       # Note: we don't run the testsuite for cross-compilation.
-       # Upstream recommend 7*nproc as a starting point for parallel tests, but
-       # this ends up breaking when nproc is huge (like -j80).
-       # The network sandbox causes tests 241 and 1083 to fail; these are 
typically skipped
-       # as most gentoo users don't have an 'ip6-localhost'
-       multilib_is_native_abi && emake test TFLAGS="-n -v -a -k -am -p 
-j$((2*$(makeopts_jobs))) !241 !1083"
-}
-
-multilib_src_install() {
-       emake DESTDIR="${D}" install
-
-       if multilib_is_native_abi; then
-               # Shell completions
-               ! tc-is-cross-compiler && emake -C scripts DESTDIR="${D}" 
install
-       fi
-}
-
-multilib_src_install_all() {
-       einstalldocs
-       find "${ED}" -type f -name '*.la' -delete || die
-
-       use static-libs && strip-lto-bytecode
-
-       rm -rf "${ED}"/etc/ || die
-}
-
-pkg_postinst() {
-       if use debug; then
-               ewarn "USE=debug has been selected, enabling debug codepaths 
and making cURL extra verbose."
-               ewarn "Use this _only_ for testing. Debug builds should _not_ 
be used in anger."
-               ewarn "hic sunt dracones; you have been warned."
-       fi
-}

diff --git a/net-misc/curl/curl-8.17.0-r1.ebuild 
b/net-misc/curl/curl-8.17.0-r1.ebuild
deleted file mode 100644
index 5a11fa5389ce..000000000000
--- a/net-misc/curl/curl-8.17.0-r1.ebuild
+++ /dev/null
@@ -1,450 +0,0 @@
-# Copyright 1999-2026 Gentoo Authors
-# Distributed under the terms of the GNU General Public License v2
-
-EAPI=8
-
-# Maintainers should subscribe to the 'curl-distros' ML for backports etc
-# https://daniel.haxx.se/blog/2024/03/25/curl-distro-report/
-# https://lists.haxx.se/listinfo/curl-distros
-
-VERIFY_SIG_OPENPGP_KEY_PATH=/usr/share/openpgp-keys/danielstenberg.asc
-inherit dot-a autotools multilib-minimal multiprocessing prefix 
toolchain-funcs verify-sig
-
-DESCRIPTION="A Client that groks URLs"
-HOMEPAGE="https://curl.se/";
-
-if [[ ${PV} == 9999 ]]; then
-       inherit git-r3
-       EGIT_REPO_URI="https://github.com/curl/curl.git";
-else
-       if [[ ${P} == *rc* ]]; then
-               CURL_URI="https://curl.se/rc/";
-               S="${WORKDIR}/${P//_/-}"
-       else
-               CURL_URI="https://curl.se/download/";
-               KEYWORDS="~alpha amd64 arm arm64 ~hppa ~loong ~m68k ~mips ppc 
ppc64 ~riscv ~s390 ~sparc x86 ~arm64-macos ~x64-macos ~x64-solaris"
-       fi
-       SRC_URI="
-               ${CURL_URI}${P//_/-}.tar.xz
-               verify-sig? ( ${CURL_URI}${P//_/-}.tar.xz.asc )
-       "
-fi
-
-LICENSE="BSD curl ISC test? ( BSD-4 )"
-SLOT="0"
-IUSE="+adns +alt-svc brotli debug ech +ftp gnutls gopher +hsts +http2 +http3 
+httpsrr idn +imap kerberos ldap"
-IUSE+=" mbedtls +openssl +pop3 +psl +quic rtmp rustls samba sasl-scram +smtp 
ssh ssl static-libs test"
-IUSE+=" telnet +tftp +websockets zstd"
-# These select the default tls implementation / which quic impl to use
-IUSE+=" +curl_quic_openssl curl_quic_ngtcp2 curl_ssl_gnutls curl_ssl_mbedtls 
+curl_ssl_openssl curl_ssl_rustls"
-RESTRICT="!test? ( test )"
-
-# HTTPS RR is technically usable with the threaded resolver, but it still uses 
c-ares to
-# ask for the HTTPS RR record type; if DoH is in use the HTTPS record will be 
requested
-# in addition to A and AAAA records.
-
-# To simplify dependency management in the ebuild we'll require c-ares for 
HTTPS RR (for now?).
-# HTTPS RR in cURL is a dependency for:
-# - ECH (requires patched openssl or gnutls currently, enabled with rustls)
-# - Fetching the ALPN list which should provide a better HTTP/3 experience.
-
-# Only one default ssl / quic provider can be enabled
-# The default provider needs its USE satisfied
-# HTTP/3 and MultiSSL are mutually exclusive; it's not clear if MultiSSL 
offers any benefit at all in the modern day.
-# https://github.com/curl/curl/commit/65ece771f4602107d9cdd339dff4b420280a2c2e
-REQUIRED_USE="
-       ech? ( rustls )
-       httpsrr? ( adns )
-       quic? (
-               ^^ (
-                       curl_quic_openssl
-                       curl_quic_ngtcp2
-               )
-               http3
-               ssl
-       )
-       ssl? (
-               ^^ (
-                       curl_ssl_gnutls
-                       curl_ssl_mbedtls
-                       curl_ssl_openssl
-                       curl_ssl_rustls
-               )
-       )
-       curl_quic_openssl? (
-               curl_ssl_openssl
-               !gnutls
-               !mbedtls
-               !rustls
-       )
-       curl_quic_ngtcp2? (
-               curl_ssl_gnutls
-               !mbedtls
-               !openssl
-               !rustls
-       )
-       curl_ssl_gnutls? ( gnutls )
-       curl_ssl_mbedtls? ( mbedtls )
-       curl_ssl_openssl? ( openssl )
-       curl_ssl_rustls? ( rustls )
-       http3? ( alt-svc httpsrr quic )
-"
-
-# cURL's docs and CI/CD are great resources for confirming supported versions
-# particulary for fast-moving targets like HTTP/2 and TCP/2 e.g.:
-# - https://github.com/curl/curl/blob/master/docs/INTERNALS.md (core 
dependencies + minimum versions)
-# - https://github.com/curl/curl/blob/master/docs/HTTP3.md (example of a 
feature that moves quickly)
-# - https://github.com/curl/curl/blob/master/.github/workflows/http3-linux.yml 
(CI/CD for TCP/2)
-# However 'supported' vs 'works' are two entirely different things; be sane but
-# don't be afraid to require a later version.
-# ngtcp2 = https://bugs.gentoo.org/912029 - can only build with one tls 
backend at a time.
-# TODO: OpenSSL-QUIC support is going to be removed in 2026; depend on 
ngtcp2[{gnutls,openssl}] before that point.
-# - https://github.com/curl/curl/pull/18820 (Deprecate OpenSSL QUIC support)
-# - https://github.com/curl/curl/issues/18336 (curl w/ OpenSSL QUIC fails to 
fetch Google.com)
-RDEPEND="
-       >=virtual/zlib-1.2.5:=[${MULTILIB_USEDEP}]
-       adns? ( >=net-dns/c-ares-1.16.0:=[${MULTILIB_USEDEP}] )
-       brotli? ( app-arch/brotli:=[${MULTILIB_USEDEP}] )
-       http2? ( >=net-libs/nghttp2-1.15.0:=[${MULTILIB_USEDEP}] )
-       http3? ( >=net-libs/nghttp3-1.1.0[${MULTILIB_USEDEP}] )
-       idn? ( >=net-dns/libidn2-2.0.0:=[static-libs?,${MULTILIB_USEDEP}] )
-       kerberos? ( >=virtual/krb5-0-r1[${MULTILIB_USEDEP}] )
-       ldap? ( >=net-nds/openldap-2.0.0:=[static-libs?,${MULTILIB_USEDEP}] )
-       psl? ( net-libs/libpsl[${MULTILIB_USEDEP}] )
-       quic? (
-               curl_quic_openssl? ( 
>=dev-libs/openssl-3.3.0:=[quic,${MULTILIB_USEDEP}] )
-               curl_quic_ngtcp2? ( 
>=net-libs/ngtcp2-1.2.0[gnutls,ssl,-openssl,${MULTILIB_USEDEP}] )
-       )
-       rtmp? ( media-video/rtmpdump[${MULTILIB_USEDEP}] )
-       ssh? ( >=net-libs/libssh2-1.2.8[${MULTILIB_USEDEP}] )
-       sasl-scram? ( >=net-misc/gsasl-2.2.0[static-libs?,${MULTILIB_USEDEP}] )
-       ssl? (
-               gnutls? (
-                       app-misc/ca-certificates
-                       
>=net-libs/gnutls-3.1.10:=[static-libs?,${MULTILIB_USEDEP}]
-                       dev-libs/nettle:=[${MULTILIB_USEDEP}]
-               )
-               mbedtls? (
-                       app-misc/ca-certificates
-                       net-libs/mbedtls:3=[${MULTILIB_USEDEP}]
-               )
-               openssl? (
-                       
>=dev-libs/openssl-1.0.2:=[static-libs?,${MULTILIB_USEDEP}]
-               )
-               rustls? (
-                       >=net-libs/rustls-ffi-0.15.0:=[${MULTILIB_USEDEP}]
-               )
-       )
-       zstd? ( app-arch/zstd:=[${MULTILIB_USEDEP}] )
-"
-
-DEPEND="${RDEPEND}"
-
-BDEPEND="
-       dev-lang/perl
-       virtual/pkgconfig
-       test? (
-               sys-apps/diffutils
-               http2? ( >=net-libs/nghttp2-1.15.0:=[utils,${MULTILIB_USEDEP}] )
-               http3? ( net-libs/nghttp2:=[utils,${MULTILIB_USEDEP}] )
-       )
-       verify-sig? ( sec-keys/openpgp-keys-danielstenberg )
-"
-
-DOCS=( README docs/{FEATURES.md,INTERNALS.md,FAQ,BUGS.md,CONTRIBUTE.md} )
-
-MULTILIB_WRAPPED_HEADERS=(
-       /usr/include/curl/curlbuild.h
-)
-
-MULTILIB_CHOST_TOOLS=(
-       /usr/bin/curl-config
-)
-
-QA_CONFIG_IMPL_DECL_SKIP=(
-       __builtin_available
-       closesocket
-       CloseSocket
-       getpass_r
-       ioctlsocket
-       IoctlSocket
-       mach_absolute_time
-       setmode
-       _fseeki64
-       # custom AC_LINK_IFELSE code fails to link even without -Werror
-       OSSL_QUIC_client_method
-)
-
-PATCHES=(
-       "${FILESDIR}/${PN}-prefix-5.patch"
-       "${FILESDIR}/${PN}-respect-cflags-3.patch"
-       "${FILESDIR}/${P}-progress-parallel.patch"
-       "${FILESDIR}/${P}-curlopt-capath.patch"
-       "${FILESDIR}/${P}-wcurl-CVE-2025-11563.patch"
-)
-
-src_prepare() {
-       default
-
-       eprefixify curl-config.in
-       eautoreconf
-}
-
-# Generates TLS-related configure options based on USE flags.
-# Outputs options suitable for appending to a configure options array.
-_get_curl_tls_configure_opts() {
-       local tls_opts=()
-
-       local backend flag_name
-       for backend in gnutls mbedtls openssl rustls; do
-               if [[ "$backend" == "openssl" ]]; then
-                       flag_name="ssl"
-                       tls_opts+=( "--with-ca-path=${EPREFIX}/etc/ssl/certs")
-               else
-                       flag_name="$backend"
-               fi
-
-               if use "$backend"; then
-                       tls_opts+=( "--with-${flag_name}" )
-               else
-                       # If a single backend is enabled, 'ssl' is required, 
openssl is the default / fallback
-                       if ! [[ "$backend" == "openssl" ]]; then
-                               tls_opts+=( "--without-${flag_name}" )
-                       fi
-               fi
-       done
-
-       if use curl_ssl_gnutls; then
-               multilib_is_native_abi && einfo "Default TLS backend: gnutls"
-               tls_opts+=( "--with-default-ssl-backend=gnutls" )
-       elif use curl_ssl_mbedtls; then
-               multilib_is_native_abi && einfo "Default TLS backend: mbedtls"
-               tls_opts+=( "--with-default-ssl-backend=mbedtls" )
-       elif use curl_ssl_openssl; then
-               multilib_is_native_abi && einfo "Default TLS backend: openssl"
-               tls_opts+=( "--with-default-ssl-backend=openssl" )
-       elif use curl_ssl_rustls; then
-               multilib_is_native_abi && einfo "Default TLS backend: rustls"
-               tls_opts+=( "--with-default-ssl-backend=rustls" )
-       else
-               eerror "We can't be here because of REQUIRED_USE."
-               die "Please file a bug, hit impossible condition w/ USE=ssl 
handling."
-       fi
-
-       # Explicitly Disable unimplemented backends
-       tls_opts+=(
-               --without-amissl
-               --without-wolfssl
-       )
-
-       printf "%s\n" "${tls_opts[@]}"
-}
-
-multilib_src_configure() {
-       use static-libs && lto-guarantee-fat
-
-       # We make use of the fact that later flags override earlier ones
-       # So start with all ssl providers off until proven otherwise
-       # TODO: in the future, we may want to add wolfssl 
(https://www.wolfssl.com/)
-       local myconf=()
-
-       myconf+=( --without-ca-fallback 
--with-ca-bundle="${EPREFIX}"/etc/ssl/certs/ca-certificates.crt  )
-       if use ssl; then
-               local -a tls_backend_opts
-               readarray -t tls_backend_opts < <(_get_curl_tls_configure_opts)
-               myconf+=("${tls_backend_opts[@]}")
-               if use quic; then
-                       myconf+=(
-                               $(use_with curl_quic_ngtcp2 ngtcp2)
-                               $(use_with curl_quic_openssl openssl-quic)
-                       )
-               else
-                       # Without a REQUIRED_USE to ensure that QUIC was 
requested when at least one default backend is
-                       # enabled we need ensure that we don't try to build 
QUIC support
-                       myconf+=( --without-ngtcp2 --without-openssl-quic )
-               fi
-       else
-               myconf+=( --without-ssl )
-               einfo "SSL disabled"
-       fi
-
-       # These configuration options are organised alphabetically by 
category/type
-
-       # Protocols
-       # `grep SUPPORT_PROTOCOLS=\" configure.ac | awk '{ print substr($2, 1, 
length($2)-1)}' | sort`
-       # Assume that anything omitted (that is not new!) is enabled by default 
with no deps
-       myconf+=(
-               --enable-file
-               $(use_enable ftp)
-               $(use_enable gopher)
-               --enable-http
-               $(use_enable imap) # Automatic IMAPS if TLS is enabled
-               $(use_enable ldap ldaps)
-               $(use_enable ldap)
-               $(use_enable pop3)
-               $(use_enable samba smb)
-               $(use_with ssh libssh2) # enables scp/sftp
-               $(use_with rtmp librtmp)
-               --enable-rtsp
-               $(use_enable smtp)
-               $(use_enable telnet)
-               $(use_enable tftp)
-               $(use_enable websockets)
-       )
-
-       # Keep various 'HTTP-flavoured' options together
-       myconf+=(
-               $(use_enable alt-svc)
-               $(use_enable hsts)
-               $(use_enable httpsrr)
-               $(use_with http2 nghttp2)
-               $(use_with http3 nghttp3)
-       )
-
-       # --enable/disable options
-       # `grep -- --enable configure | grep Check | awk '{ print $4 }' | sort`
-       myconf+=(
-               $(use_enable adns ares)
-               --enable-aws
-               --enable-basic-auth
-               --enable-bearer-auth
-               --enable-cookies
-               --enable-dateparse
-               --enable-dict
-               --enable-digest-auth
-               --enable-dnsshuffle
-               --enable-doh
-               $(use_enable ech)
-               --enable-http-auth
-               --enable-ipv6
-               --enable-kerberos-auth
-               --enable-largefile
-               --enable-manual
-               --enable-mime
-               --enable-negotiate-auth
-               --enable-netrc
-               --enable-ntlm
-               --enable-progress-meter
-               --enable-proxy
-               --enable-rt
-               --enable-socketpair
-               --disable-sspi
-               $(use_enable static-libs static)
-               --enable-symbol-hiding
-               --enable-tls-srp
-               --disable-versioned-symbols
-       )
-
-       # --with/without options
-       # `grep -- --with configure | grep Check | awk '{ print $4 }' | sort`
-       myconf+=(
-               $(use_with brotli)
-               
--with-fish-functions-dir="${EPREFIX}"/usr/share/fish/vendor_completions.d
-               $(use_with idn libidn2)
-               $(use_with kerberos gssapi "${EPREFIX}"/usr)
-               $(use_with sasl-scram libgsasl)
-               $(use_with psl libpsl)
-               --without-quiche
-               --without-schannel
-               --without-winidn
-               --with-zlib
-               
--with-zsh-functions-dir="${EPREFIX}"/usr/share/zsh/site-functions
-               $(use_with zstd)
-       )
-
-       # Test deps (disabled)
-       myconf+=(
-               --without-test-caddy
-               --without-test-httpd
-               --without-test-nghttpx
-       )
-
-       if use debug; then
-               myconf+=(
-                       --enable-debug
-               )
-       fi
-
-       if use test && multilib_is_native_abi && ( use http2 || use http3 ); 
then
-               myconf+=(
-                       --with-test-nghttpx="${BROOT}/usr/bin/nghttpx"
-               )
-       fi
-
-       # Since 8.12.0 adns/c-ares and the threaded resolver are mutually 
exclusive
-       # This is in support of some work to enable `httpsrr` to use adns and 
the rest
-       # of curl to use the threaded resolver; for us `httpsrr` is conditional 
on adns.
-       if use adns; then
-               myconf+=(
-                       --disable-threaded-resolver
-               )
-       else
-               myconf+=(
-                       --enable-threaded-resolver
-               )
-       fi
-
-       ECONF_SOURCE="${S}" econf "${myconf[@]}"
-
-       if ! multilib_is_native_abi; then
-               # Avoid building the client (we just want libcurl for multilib)
-               sed -i -e '/SUBDIRS/s:src::' Makefile || die
-               sed -i -e '/SUBDIRS/s:scripts::' Makefile || die
-       fi
-
-}
-
-multilib_src_compile() {
-       default
-
-       if multilib_is_native_abi; then
-               # Shell completions
-               ! tc-is-cross-compiler && emake -C scripts
-       fi
-}
-
-# There is also a pytest harness that tests for bugs in some very specific
-# situations; we can rely on upstream for this rather than adding additional 
test deps.
-multilib_src_test() {
-       # See https://github.com/curl/curl/blob/master/tests/runtests.pl#L5721
-       # -n: no valgrind (unreliable in sandbox and doesn't work correctly on 
all arches)
-       # -v: verbose
-       # -a: keep going on failure (so we see everything that breaks, not just 
1st test)
-       # -k: keep test files after completion
-       # -am: automake style TAP output
-       # -p: print logs if test fails
-       # Note: if needed, we can skip specific tests. See e.g. Fedora's 
packaging
-       # or just read https://github.com/curl/curl/tree/master/tests#run.
-       # Note: we don't run the testsuite for cross-compilation.
-       # Upstream recommend 7*nproc as a starting point for parallel tests, but
-       # this ends up breaking when nproc is huge (like -j80).
-       # The network sandbox causes tests 241 and 1083 to fail; these are 
typically skipped
-       # as most gentoo users don't have an 'ip6-localhost'
-       multilib_is_native_abi && emake test TFLAGS="-n -v -a -k -am -p 
-j$((2*$(makeopts_jobs))) !241 !1083"
-}
-
-multilib_src_install() {
-       emake DESTDIR="${D}" install
-
-       if multilib_is_native_abi; then
-               # Shell completions
-               ! tc-is-cross-compiler && emake -C scripts DESTDIR="${D}" 
install
-       fi
-}
-
-multilib_src_install_all() {
-       einstalldocs
-       find "${ED}" -type f -name '*.la' -delete || die
-
-       use static-libs && strip-lto-bytecode
-
-       rm -rf "${ED}"/etc/ || die
-}
-
-pkg_postinst() {
-       if use debug; then
-               ewarn "USE=debug has been selected, enabling debug codepaths 
and making cURL extra verbose."
-               ewarn "Use this _only_ for testing. Debug builds should _not_ 
be used in anger."
-               ewarn "hic sunt dracones; you have been warned."
-       fi
-}

diff --git a/net-misc/curl/curl-8.17.0.ebuild b/net-misc/curl/curl-8.17.0.ebuild
deleted file mode 100644
index 1b2ccf8c874c..000000000000
--- a/net-misc/curl/curl-8.17.0.ebuild
+++ /dev/null
@@ -1,442 +0,0 @@
-# Copyright 1999-2025 Gentoo Authors
-# Distributed under the terms of the GNU General Public License v2
-
-EAPI=8
-
-# Maintainers should subscribe to the 'curl-distros' ML for backports etc
-# https://daniel.haxx.se/blog/2024/03/25/curl-distro-report/
-# https://lists.haxx.se/listinfo/curl-distros
-
-VERIFY_SIG_OPENPGP_KEY_PATH=/usr/share/openpgp-keys/danielstenberg.asc
-inherit autotools multilib-minimal multiprocessing prefix toolchain-funcs 
verify-sig
-
-DESCRIPTION="A Client that groks URLs"
-HOMEPAGE="https://curl.se/";
-
-if [[ ${PV} == 9999 ]]; then
-       inherit git-r3
-       EGIT_REPO_URI="https://github.com/curl/curl.git";
-else
-       if [[ ${P} == *rc* ]]; then
-               CURL_URI="https://curl.se/rc/";
-               S="${WORKDIR}/${P//_/-}"
-       else
-               CURL_URI="https://curl.se/download/";
-               KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~loong ~m68k ~mips 
~ppc ~ppc64 ~riscv ~s390 ~sparc ~x86 ~arm64-macos ~x64-macos ~x64-solaris"
-       fi
-       SRC_URI="
-               ${CURL_URI}${P//_/-}.tar.xz
-               verify-sig? ( ${CURL_URI}${P//_/-}.tar.xz.asc )
-       "
-fi
-
-LICENSE="BSD curl ISC test? ( BSD-4 )"
-SLOT="0"
-IUSE="+adns +alt-svc brotli debug ech +ftp gnutls gopher +hsts +http2 +http3 
+httpsrr idn +imap kerberos ldap"
-IUSE+=" mbedtls +openssl +pop3 +psl +quic rtmp rustls samba sasl-scram +smtp 
ssh ssl static-libs test"
-IUSE+=" telnet +tftp +websockets zstd"
-# These select the default tls implementation / which quic impl to use
-IUSE+=" +curl_quic_openssl curl_quic_ngtcp2 curl_ssl_gnutls curl_ssl_mbedtls 
+curl_ssl_openssl curl_ssl_rustls"
-RESTRICT="!test? ( test )"
-
-# HTTPS RR is technically usable with the threaded resolver, but it still uses 
c-ares to
-# ask for the HTTPS RR record type; if DoH is in use the HTTPS record will be 
requested
-# in addition to A and AAAA records.
-
-# To simplify dependency management in the ebuild we'll require c-ares for 
HTTPS RR (for now?).
-# HTTPS RR in cURL is a dependency for:
-# - ECH (requires patched openssl or gnutls currently, enabled with rustls)
-# - Fetching the ALPN list which should provide a better HTTP/3 experience.
-
-# Only one default ssl / quic provider can be enabled
-# The default provider needs its USE satisfied
-# HTTP/3 and MultiSSL are mutually exclusive; it's not clear if MultiSSL 
offers any benefit at all in the modern day.
-# https://github.com/curl/curl/commit/65ece771f4602107d9cdd339dff4b420280a2c2e
-REQUIRED_USE="
-       ech? ( rustls )
-       httpsrr? ( adns )
-       quic? (
-               ^^ (
-                       curl_quic_openssl
-                       curl_quic_ngtcp2
-               )
-               http3
-               ssl
-       )
-       ssl? (
-               ^^ (
-                       curl_ssl_gnutls
-                       curl_ssl_mbedtls
-                       curl_ssl_openssl
-                       curl_ssl_rustls
-               )
-       )
-       curl_quic_openssl? (
-               curl_ssl_openssl
-               !gnutls
-               !mbedtls
-               !rustls
-       )
-       curl_quic_ngtcp2? (
-               curl_ssl_gnutls
-               !mbedtls
-               !openssl
-               !rustls
-       )
-       curl_ssl_gnutls? ( gnutls )
-       curl_ssl_mbedtls? ( mbedtls )
-       curl_ssl_openssl? ( openssl )
-       curl_ssl_rustls? ( rustls )
-       http3? ( alt-svc httpsrr quic )
-"
-
-# cURL's docs and CI/CD are great resources for confirming supported versions
-# particulary for fast-moving targets like HTTP/2 and TCP/2 e.g.:
-# - https://github.com/curl/curl/blob/master/docs/INTERNALS.md (core 
dependencies + minimum versions)
-# - https://github.com/curl/curl/blob/master/docs/HTTP3.md (example of a 
feature that moves quickly)
-# - https://github.com/curl/curl/blob/master/.github/workflows/http3-linux.yml 
(CI/CD for TCP/2)
-# However 'supported' vs 'works' are two entirely different things; be sane but
-# don't be afraid to require a later version.
-# ngtcp2 = https://bugs.gentoo.org/912029 - can only build with one tls 
backend at a time.
-# TODO: OpenSSL-QUIC support is going to be removed in 2026; depend on 
ngtcp2[{gnutls,openssl}] before that point.
-# - https://github.com/curl/curl/pull/18820 (Deprecate OpenSSL QUIC support)
-# - https://github.com/curl/curl/issues/18336 (curl w/ OpenSSL QUIC fails to 
fetch Google.com)
-RDEPEND="
-       >=virtual/zlib-1.2.5:=[${MULTILIB_USEDEP}]
-       adns? ( >=net-dns/c-ares-1.16.0:=[${MULTILIB_USEDEP}] )
-       brotli? ( app-arch/brotli:=[${MULTILIB_USEDEP}] )
-       http2? ( >=net-libs/nghttp2-1.15.0:=[${MULTILIB_USEDEP}] )
-       http3? ( >=net-libs/nghttp3-1.1.0[${MULTILIB_USEDEP}] )
-       idn? ( >=net-dns/libidn2-2.0.0:=[static-libs?,${MULTILIB_USEDEP}] )
-       kerberos? ( >=virtual/krb5-0-r1[${MULTILIB_USEDEP}] )
-       ldap? ( >=net-nds/openldap-2.0.0:=[static-libs?,${MULTILIB_USEDEP}] )
-       psl? ( net-libs/libpsl[${MULTILIB_USEDEP}] )
-       quic? (
-               curl_quic_openssl? ( 
>=dev-libs/openssl-3.3.0:=[quic,${MULTILIB_USEDEP}] )
-               curl_quic_ngtcp2? ( 
>=net-libs/ngtcp2-1.2.0[gnutls,ssl,-openssl,${MULTILIB_USEDEP}] )
-       )
-       rtmp? ( media-video/rtmpdump[${MULTILIB_USEDEP}] )
-       ssh? ( >=net-libs/libssh2-1.2.8[${MULTILIB_USEDEP}] )
-       sasl-scram? ( >=net-misc/gsasl-2.2.0[static-libs?,${MULTILIB_USEDEP}] )
-       ssl? (
-               gnutls? (
-                       app-misc/ca-certificates
-                       
>=net-libs/gnutls-3.1.10:=[static-libs?,${MULTILIB_USEDEP}]
-                       dev-libs/nettle:=[${MULTILIB_USEDEP}]
-               )
-               mbedtls? (
-                       app-misc/ca-certificates
-                       net-libs/mbedtls:3=[${MULTILIB_USEDEP}]
-               )
-               openssl? (
-                       
>=dev-libs/openssl-1.0.2:=[static-libs?,${MULTILIB_USEDEP}]
-               )
-               rustls? (
-                       >=net-libs/rustls-ffi-0.15.0:=[${MULTILIB_USEDEP}]
-               )
-       )
-       zstd? ( app-arch/zstd:=[${MULTILIB_USEDEP}] )
-"
-
-DEPEND="${RDEPEND}"
-
-BDEPEND="
-       dev-lang/perl
-       virtual/pkgconfig
-       test? (
-               sys-apps/diffutils
-               http2? ( >=net-libs/nghttp2-1.15.0:=[utils,${MULTILIB_USEDEP}] )
-               http3? ( net-libs/nghttp2:=[utils,${MULTILIB_USEDEP}] )
-       )
-       verify-sig? ( sec-keys/openpgp-keys-danielstenberg )
-"
-
-DOCS=( README docs/{FEATURES.md,INTERNALS.md,FAQ,BUGS.md,CONTRIBUTE.md} )
-
-MULTILIB_WRAPPED_HEADERS=(
-       /usr/include/curl/curlbuild.h
-)
-
-MULTILIB_CHOST_TOOLS=(
-       /usr/bin/curl-config
-)
-
-QA_CONFIG_IMPL_DECL_SKIP=(
-       __builtin_available
-       closesocket
-       CloseSocket
-       getpass_r
-       ioctlsocket
-       IoctlSocket
-       mach_absolute_time
-       setmode
-       _fseeki64
-       # custom AC_LINK_IFELSE code fails to link even without -Werror
-       OSSL_QUIC_client_method
-)
-
-PATCHES=(
-       "${FILESDIR}/${PN}-prefix-5.patch"
-       "${FILESDIR}/${PN}-respect-cflags-3.patch"
-)
-
-src_prepare() {
-       default
-
-       eprefixify curl-config.in
-       eautoreconf
-}
-
-# Generates TLS-related configure options based on USE flags.
-# Outputs options suitable for appending to a configure options array.
-_get_curl_tls_configure_opts() {
-       local tls_opts=()
-
-       local backend flag_name
-       for backend in gnutls mbedtls openssl rustls; do
-               if [[ "$backend" == "openssl" ]]; then
-                       flag_name="ssl"
-                       tls_opts+=( "--with-ca-path=${EPREFIX}/etc/ssl/certs")
-               else
-                       flag_name="$backend"
-               fi
-
-               if use "$backend"; then
-                       tls_opts+=( "--with-${flag_name}" )
-               else
-                       # If a single backend is enabled, 'ssl' is required, 
openssl is the default / fallback
-                       if ! [[ "$backend" == "openssl" ]]; then
-                               tls_opts+=( "--without-${flag_name}" )
-                       fi
-               fi
-       done
-
-       if use curl_ssl_gnutls; then
-               multilib_is_native_abi && einfo "Default TLS backend: gnutls"
-               tls_opts+=( "--with-default-ssl-backend=gnutls" )
-       elif use curl_ssl_mbedtls; then
-               multilib_is_native_abi && einfo "Default TLS backend: mbedtls"
-               tls_opts+=( "--with-default-ssl-backend=mbedtls" )
-       elif use curl_ssl_openssl; then
-               multilib_is_native_abi && einfo "Default TLS backend: openssl"
-               tls_opts+=( "--with-default-ssl-backend=openssl" )
-       elif use curl_ssl_rustls; then
-               multilib_is_native_abi && einfo "Default TLS backend: rustls"
-               tls_opts+=( "--with-default-ssl-backend=rustls" )
-       else
-               eerror "We can't be here because of REQUIRED_USE."
-               die "Please file a bug, hit impossible condition w/ USE=ssl 
handling."
-       fi
-
-       # Explicitly Disable unimplemented backends
-       tls_opts+=(
-               --without-amissl
-               --without-wolfssl
-       )
-
-       printf "%s\n" "${tls_opts[@]}"
-}
-
-multilib_src_configure() {
-       # We make use of the fact that later flags override earlier ones
-       # So start with all ssl providers off until proven otherwise
-       # TODO: in the future, we may want to add wolfssl 
(https://www.wolfssl.com/)
-       local myconf=()
-
-       myconf+=( --without-ca-fallback 
--with-ca-bundle="${EPREFIX}"/etc/ssl/certs/ca-certificates.crt  )
-       if use ssl; then
-               local -a tls_backend_opts
-               readarray -t tls_backend_opts < <(_get_curl_tls_configure_opts)
-               myconf+=("${tls_backend_opts[@]}")
-               if use quic; then
-                       myconf+=(
-                               $(use_with curl_quic_ngtcp2 ngtcp2)
-                               $(use_with curl_quic_openssl openssl-quic)
-                       )
-               else
-                       # Without a REQUIRED_USE to ensure that QUIC was 
requested when at least one default backend is
-                       # enabled we need ensure that we don't try to build 
QUIC support
-                       myconf+=( --without-ngtcp2 --without-openssl-quic )
-               fi
-       else
-               myconf+=( --without-ssl )
-               einfo "SSL disabled"
-       fi
-
-       # These configuration options are organised alphabetically by 
category/type
-
-       # Protocols
-       # `grep SUPPORT_PROTOCOLS=\" configure.ac | awk '{ print substr($2, 1, 
length($2)-1)}' | sort`
-       # Assume that anything omitted (that is not new!) is enabled by default 
with no deps
-       myconf+=(
-               --enable-file
-               $(use_enable ftp)
-               $(use_enable gopher)
-               --enable-http
-               $(use_enable imap) # Automatic IMAPS if TLS is enabled
-               $(use_enable ldap ldaps)
-               $(use_enable ldap)
-               $(use_enable pop3)
-               $(use_enable samba smb)
-               $(use_with ssh libssh2) # enables scp/sftp
-               $(use_with rtmp librtmp)
-               --enable-rtsp
-               $(use_enable smtp)
-               $(use_enable telnet)
-               $(use_enable tftp)
-               $(use_enable websockets)
-       )
-
-       # Keep various 'HTTP-flavoured' options together
-       myconf+=(
-               $(use_enable alt-svc)
-               $(use_enable hsts)
-               $(use_enable httpsrr)
-               $(use_with http2 nghttp2)
-               $(use_with http3 nghttp3)
-       )
-
-       # --enable/disable options
-       # `grep -- --enable configure | grep Check | awk '{ print $4 }' | sort`
-       myconf+=(
-               $(use_enable adns ares)
-               --enable-aws
-               --enable-basic-auth
-               --enable-bearer-auth
-               --enable-cookies
-               --enable-dateparse
-               --enable-dict
-               --enable-digest-auth
-               --enable-dnsshuffle
-               --enable-doh
-               $(use_enable ech)
-               --enable-http-auth
-               --enable-ipv6
-               --enable-kerberos-auth
-               --enable-largefile
-               --enable-manual
-               --enable-mime
-               --enable-negotiate-auth
-               --enable-netrc
-               --enable-ntlm
-               --enable-progress-meter
-               --enable-proxy
-               --enable-rt
-               --enable-socketpair
-               --disable-sspi
-               $(use_enable static-libs static)
-               --enable-symbol-hiding
-               --enable-tls-srp
-               --disable-versioned-symbols
-       )
-
-       # --with/without options
-       # `grep -- --with configure | grep Check | awk '{ print $4 }' | sort`
-       myconf+=(
-               $(use_with brotli)
-               
--with-fish-functions-dir="${EPREFIX}"/usr/share/fish/vendor_completions.d
-               $(use_with idn libidn2)
-               $(use_with kerberos gssapi "${EPREFIX}"/usr)
-               $(use_with sasl-scram libgsasl)
-               $(use_with psl libpsl)
-               --without-quiche
-               --without-schannel
-               --without-winidn
-               --with-zlib
-               
--with-zsh-functions-dir="${EPREFIX}"/usr/share/zsh/site-functions
-               $(use_with zstd)
-       )
-
-       # Test deps (disabled)
-       myconf+=(
-               --without-test-caddy
-               --without-test-httpd
-               --without-test-nghttpx
-       )
-
-       if use debug; then
-               myconf+=(
-                       --enable-debug
-               )
-       fi
-
-       if use test && multilib_is_native_abi && ( use http2 || use http3 ); 
then
-               myconf+=(
-                       --with-test-nghttpx="${BROOT}/usr/bin/nghttpx"
-               )
-       fi
-
-       # Since 8.12.0 adns/c-ares and the threaded resolver are mutually 
exclusive
-       # This is in support of some work to enable `httpsrr` to use adns and 
the rest
-       # of curl to use the threaded resolver; for us `httpsrr` is conditional 
on adns.
-       if use adns; then
-               myconf+=(
-                       --disable-threaded-resolver
-               )
-       else
-               myconf+=(
-                       --enable-threaded-resolver
-               )
-       fi
-
-       ECONF_SOURCE="${S}" econf "${myconf[@]}"
-
-       if ! multilib_is_native_abi; then
-               # Avoid building the client (we just want libcurl for multilib)
-               sed -i -e '/SUBDIRS/s:src::' Makefile || die
-               sed -i -e '/SUBDIRS/s:scripts::' Makefile || die
-       fi
-
-}
-
-multilib_src_compile() {
-       default
-
-       if multilib_is_native_abi; then
-               # Shell completions
-               ! tc-is-cross-compiler && emake -C scripts
-       fi
-}
-
-# There is also a pytest harness that tests for bugs in some very specific
-# situations; we can rely on upstream for this rather than adding additional 
test deps.
-multilib_src_test() {
-       # See https://github.com/curl/curl/blob/master/tests/runtests.pl#L5721
-       # -n: no valgrind (unreliable in sandbox and doesn't work correctly on 
all arches)
-       # -v: verbose
-       # -a: keep going on failure (so we see everything that breaks, not just 
1st test)
-       # -k: keep test files after completion
-       # -am: automake style TAP output
-       # -p: print logs if test fails
-       # Note: if needed, we can skip specific tests. See e.g. Fedora's 
packaging
-       # or just read https://github.com/curl/curl/tree/master/tests#run.
-       # Note: we don't run the testsuite for cross-compilation.
-       # Upstream recommend 7*nproc as a starting point for parallel tests, but
-       # this ends up breaking when nproc is huge (like -j80).
-       # The network sandbox causes tests 241 and 1083 to fail; these are 
typically skipped
-       # as most gentoo users don't have an 'ip6-localhost'
-       multilib_is_native_abi && emake test TFLAGS="-n -v -a -k -am -p 
-j$((2*$(makeopts_jobs))) !241 !1083"
-}
-
-multilib_src_install() {
-       emake DESTDIR="${D}" install
-
-       if multilib_is_native_abi; then
-               # Shell completions
-               ! tc-is-cross-compiler && emake -C scripts DESTDIR="${D}" 
install
-       fi
-}
-
-multilib_src_install_all() {
-       einstalldocs
-       find "${ED}" -type f -name '*.la' -delete || die
-       rm -rf "${ED}"/etc/ || die
-}
-
-pkg_postinst() {
-       if use debug; then
-               ewarn "USE=debug has been selected, enabling debug codepaths 
and making cURL extra verbose."
-               ewarn "Use this _only_ for testing. Debug builds should _not_ 
be used in anger."
-               ewarn "hic sunt dracones; you have been warned."
-       fi
-}

diff --git a/net-misc/curl/files/curl-8.16.0-pthread_cancel.patch 
b/net-misc/curl/files/curl-8.16.0-pthread_cancel.patch
deleted file mode 100644
index 1cc185c2e4f1..000000000000
--- a/net-misc/curl/files/curl-8.16.0-pthread_cancel.patch
+++ /dev/null
@@ -1,399 +0,0 @@
-https://github.com/curl/curl/commit/de3fc1d7adb78c078e4cc7ccc48e550758094ad3
-From: Stefan Eissing <[email protected]>
-Date: Sat, 13 Sep 2025 15:25:53 +0200
-Subject: [PATCH] asyn-thrdd: drop pthread_cancel
-
-Remove use of pthread_cancel in asnyc threaded resolving. While there
-are system where this works, others might leak to resource leakage
-(memory, files, etc.). The popular nsswitch is one example where resolve
-code can be dragged in that is not prepared.
-
-The overall promise and mechanism of pthread_cancel() is just too
-brittle and the historcal design of getaddrinfo() continues to haunt us.
-
-Fixes #18532
-Reported-by: Javier Blazquez
-Closes #18540
---- a/docs/libcurl/libcurl-env-dbg.md
-+++ b/docs/libcurl/libcurl-env-dbg.md
-@@ -83,11 +83,6 @@ When built with c-ares for name resolving, setting this 
environment variable
- to `[IP:port]` makes libcurl use that DNS server instead of the system
- default. This is used by the curl test suite.
- 
--## `CURL_DNS_DELAY_MS`
--
--Delay the DNS resolve by this many milliseconds. This is used in the test
--suite to check proper handling of CURLOPT_CONNECTTIMEOUT(3).
--
- ## `CURL_FTP_PWD_STOP`
- 
- When set, the first transfer - when using ftp: - returns before sending
---- a/lib/asyn-thrdd.c
-+++ b/lib/asyn-thrdd.c
-@@ -199,14 +199,6 @@ addr_ctx_create(struct Curl_easy *data,
-   return NULL;
- }
- 
--static void async_thrd_cleanup(void *arg)
--{
--  struct async_thrdd_addr_ctx *addr_ctx = arg;
--
--  Curl_thread_disable_cancel();
--  addr_ctx_unlink(&addr_ctx, NULL);
--}
--
- #ifdef HAVE_GETADDRINFO
- 
- /*
-@@ -220,15 +212,6 @@ static CURL_THREAD_RETURN_T CURL_STDCALL 
getaddrinfo_thread(void *arg)
-   struct async_thrdd_addr_ctx *addr_ctx = arg;
-   bool do_abort;
- 
--/* clang complains about empty statements and the pthread_cleanup* macros
-- * are pretty ill defined. */
--#if defined(__clang__)
--#pragma clang diagnostic push
--#pragma clang diagnostic ignored "-Wextra-semi-stmt"
--#endif
--
--  Curl_thread_push_cleanup(async_thrd_cleanup, addr_ctx);
--
-   Curl_mutex_acquire(&addr_ctx->mutx);
-   do_abort = addr_ctx->do_abort;
-   Curl_mutex_release(&addr_ctx->mutx);
-@@ -237,9 +220,6 @@ static CURL_THREAD_RETURN_T CURL_STDCALL 
getaddrinfo_thread(void *arg)
-     char service[12];
-     int rc;
- 
--#ifdef DEBUGBUILD
--    Curl_resolve_test_delay();
--#endif
-     msnprintf(service, sizeof(service), "%d", addr_ctx->port);
- 
-     rc = Curl_getaddrinfo_ex(addr_ctx->hostname, service,
-@@ -274,11 +254,6 @@ static CURL_THREAD_RETURN_T CURL_STDCALL 
getaddrinfo_thread(void *arg)
- 
-   }
- 
--  Curl_thread_pop_cleanup();
--#if defined(__clang__)
--#pragma clang diagnostic pop
--#endif
--
-   addr_ctx_unlink(&addr_ctx, NULL);
-   return 0;
- }
-@@ -293,24 +268,11 @@ static CURL_THREAD_RETURN_T CURL_STDCALL 
gethostbyname_thread(void *arg)
-   struct async_thrdd_addr_ctx *addr_ctx = arg;
-   bool do_abort;
- 
--/* clang complains about empty statements and the pthread_cleanup* macros
-- * are pretty ill defined. */
--#if defined(__clang__)
--#pragma clang diagnostic push
--#pragma clang diagnostic ignored "-Wextra-semi-stmt"
--#endif
--
--  Curl_thread_push_cleanup(async_thrd_cleanup, addr_ctx);
--
-   Curl_mutex_acquire(&addr_ctx->mutx);
-   do_abort = addr_ctx->do_abort;
-   Curl_mutex_release(&addr_ctx->mutx);
- 
-   if(!do_abort) {
--#ifdef DEBUGBUILD
--    Curl_resolve_test_delay();
--#endif
--
-     addr_ctx->res = Curl_ipv4_resolve_r(addr_ctx->hostname, addr_ctx->port);
-     if(!addr_ctx->res) {
-       addr_ctx->sock_error = SOCKERRNO;
-@@ -337,12 +299,7 @@ static CURL_THREAD_RETURN_T CURL_STDCALL 
gethostbyname_thread(void *arg)
- #endif
-   }
- 
--  Curl_thread_pop_cleanup();
--#if defined(__clang__)
--#pragma clang diagnostic pop
--#endif
--
--  async_thrd_cleanup(addr_ctx);
-+  addr_ctx_unlink(&addr_ctx, NULL);
-   return 0;
- }
- 
-@@ -381,12 +338,12 @@ static void async_thrdd_destroy(struct Curl_easy *data)
-       CURL_TRC_DNS(data, "async_thrdd_destroy, thread joined");
-     }
-     else {
--      /* thread is still running. Detach the thread while mutexed, it will
--       * trigger the cleanup when it releases its reference. */
-+      /* thread is still running. Detach it. */
-       Curl_thread_destroy(&addr->thread_hnd);
-       CURL_TRC_DNS(data, "async_thrdd_destroy, thread detached");
-     }
-   }
-+  /* release our reference to the shared context */
-   addr_ctx_unlink(&thrdd->addr, data);
- }
- 
-@@ -532,10 +489,12 @@ static void async_thrdd_shutdown(struct Curl_easy *data)
-   done = addr_ctx->thrd_done;
-   Curl_mutex_release(&addr_ctx->mutx);
- 
--  DEBUGASSERT(addr_ctx->thread_hnd != curl_thread_t_null);
--  if(!done && (addr_ctx->thread_hnd != curl_thread_t_null)) {
--    CURL_TRC_DNS(data, "cancelling resolve thread");
--    (void)Curl_thread_cancel(&addr_ctx->thread_hnd);
-+  /* Wait for the thread to terminate if it is already marked done. If it is
-+     not done yet we cannot do anything here. We had tried pthread_cancel but
-+     it caused hanging and resource leaks (#18532). */
-+  if(done && (addr_ctx->thread_hnd != curl_thread_t_null)) {
-+    Curl_thread_join(&addr_ctx->thread_hnd);
-+    CURL_TRC_DNS(data, "async_thrdd_shutdown, thread joined");
-   }
- }
- 
-@@ -553,9 +512,11 @@ static CURLcode asyn_thrdd_await(struct Curl_easy *data,
-     if(!entry)
-       async_thrdd_shutdown(data);
- 
--    CURL_TRC_DNS(data, "resolve, wait for thread to finish");
--    if(!Curl_thread_join(&addr_ctx->thread_hnd)) {
--      DEBUGASSERT(0);
-+    if(addr_ctx->thread_hnd != curl_thread_t_null) {
-+      CURL_TRC_DNS(data, "resolve, wait for thread to finish");
-+      if(!Curl_thread_join(&addr_ctx->thread_hnd)) {
-+        DEBUGASSERT(0);
-+      }
-     }
- 
-     if(entry)
---- a/lib/curl_threads.c
-+++ b/lib/curl_threads.c
-@@ -100,34 +100,6 @@ int Curl_thread_join(curl_thread_t *hnd)
-   return ret;
- }
- 
--/* do not use pthread_cancel if:
-- * - pthread_cancel seems to be absent
-- * - on FreeBSD, as we see hangers in CI testing
-- * - this is a -fsanitize=thread build
-- *   (clang sanitizer reports false positive when functions to not return)
-- */
--#if defined(PTHREAD_CANCEL_ENABLE) && !defined(__FreeBSD__)
--#if defined(__has_feature)
--#  if !__has_feature(thread_sanitizer)
--#define USE_PTHREAD_CANCEL
--#  endif
--#else /* __has_feature */
--#define USE_PTHREAD_CANCEL
--#endif /* !__has_feature */
--#endif /* PTHREAD_CANCEL_ENABLE && !__FreeBSD__ */
--
--int Curl_thread_cancel(curl_thread_t *hnd)
--{
--  (void)hnd;
--  if(*hnd != curl_thread_t_null)
--#ifdef USE_PTHREAD_CANCEL
--    return pthread_cancel(**hnd);
--#else
--    return 1; /* not supported */
--#endif
--  return 0;
--}
--
- #elif defined(USE_THREADS_WIN32)
- 
- curl_thread_t Curl_thread_create(CURL_THREAD_RETURN_T
-@@ -182,12 +154,4 @@ int Curl_thread_join(curl_thread_t *hnd)
-   return ret;
- }
- 
--int Curl_thread_cancel(curl_thread_t *hnd)
--{
--  if(*hnd != curl_thread_t_null) {
--    return 1; /* not supported */
--  }
--  return 0;
--}
--
- #endif /* USE_THREADS_* */
---- a/lib/curl_threads.h
-+++ b/lib/curl_threads.h
-@@ -66,22 +66,6 @@ void Curl_thread_destroy(curl_thread_t *hnd);
- 
- int Curl_thread_join(curl_thread_t *hnd);
- 
--int Curl_thread_cancel(curl_thread_t *hnd);
--
--#if defined(USE_THREADS_POSIX) && defined(PTHREAD_CANCEL_ENABLE)
--#define Curl_thread_push_cleanup(a,b)   pthread_cleanup_push(a,b)
--#define Curl_thread_pop_cleanup()       pthread_cleanup_pop(0)
--#define Curl_thread_enable_cancel()     \
--    pthread_setcancelstate(PTHREAD_CANCEL_ENABLE, NULL)
--#define Curl_thread_disable_cancel()     \
--    pthread_setcancelstate(PTHREAD_CANCEL_DISABLE, NULL)
--#else
--#define Curl_thread_push_cleanup(a,b)   ((void)a,(void)b)
--#define Curl_thread_pop_cleanup()       Curl_nop_stmt
--#define Curl_thread_enable_cancel()     Curl_nop_stmt
--#define Curl_thread_disable_cancel()    Curl_nop_stmt
--#endif
--
- #endif /* USE_THREADS_POSIX || USE_THREADS_WIN32 */
- 
- #endif /* HEADER_CURL_THREADS_H */
---- a/lib/hostip.c
-+++ b/lib/hostip.c
-@@ -1132,10 +1132,6 @@ CURLcode Curl_resolv_timeout(struct Curl_easy *data,
-     prev_alarm = alarm(curlx_sltoui(timeout/1000L));
-   }
- 
--#ifdef DEBUGBUILD
--  Curl_resolve_test_delay();
--#endif
--
- #else /* !USE_ALARM_TIMEOUT */
- #ifndef CURLRES_ASYNCH
-   if(timeoutms)
-@@ -1639,18 +1635,3 @@ CURLcode Curl_resolver_error(struct Curl_easy *data, 
const char *detail)
-   return result;
- }
- #endif /* USE_CURL_ASYNC */
--
--#ifdef DEBUGBUILD
--#include "curlx/wait.h"
--
--void Curl_resolve_test_delay(void)
--{
--  const char *p = getenv("CURL_DNS_DELAY_MS");
--  if(p) {
--    curl_off_t l;
--    if(!curlx_str_number(&p, &l, TIME_T_MAX) && l) {
--      curlx_wait_ms((timediff_t)l);
--    }
--  }
--}
--#endif
---- a/lib/hostip.h
-+++ b/lib/hostip.h
-@@ -216,8 +216,4 @@ struct Curl_addrinfo *Curl_sync_getaddrinfo(struct 
Curl_easy *data,
- 
- #endif
- 
--#ifdef DEBUGBUILD
--void Curl_resolve_test_delay(void);
--#endif
--
- #endif /* HEADER_CURL_HOSTIP_H */
---- a/tests/data/Makefile.am
-+++ b/tests/data/Makefile.am
-@@ -112,7 +112,7 @@ test754 test755 test756 test757 test758 test759 test760 
test761 test762 \
- test763 \
- \
- test780 test781 test782 test783 test784 test785 test786 test787 test788 \
--test789 test790 test791 test792 test793 test794 test795 test796 test797 \
-+test789 test790 test791 test792 test793 test794         test796 test797 \
- \
- test799 test800 test801 test802 test803 test804 test805 test806 test807 \
- test808 test809 test810 test811 test812 test813 test814 test815 test816 \
---- a/tests/data/test795
-+++ /dev/null
-@@ -1,36 +0,0 @@
--<testcase>
--<info>
--<keywords>
--DNS
--</keywords>
--</info>
--
--# Client-side
--<client>
--<features>
--http
--Debug
--!c-ares
--!win32
--</features>
--<name>
--Delayed resolve --connect-timeout check
--</name>
--<setenv>
--CURL_DNS_DELAY_MS=5000
--</setenv>
--<command>
--http://test.invalid -v --no-progress-meter --trace-config dns 
--connect-timeout 1 -w \%{time_total}
--</command>
--</client>
--
--# Verify data after the test has been "shot"
--<verify>
--<errorcode>
--28
--</errorcode>
--<postcheck>
--%SRCDIR/libtest/test795.pl %LOGDIR/stdout%TESTNUMBER 2 >> 
%LOGDIR/stderr%TESTNUMBER
--</postcheck>
--</verify>
--</testcase>
---- a/tests/libtest/Makefile.am
-+++ b/tests/libtest/Makefile.am
-@@ -42,7 +42,7 @@ AM_CPPFLAGS = -I$(top_srcdir)/include        \
- include Makefile.inc
- 
- EXTRA_DIST = CMakeLists.txt $(FIRST_C) $(FIRST_H) $(UTILS_C) $(UTILS_H) 
$(TESTS_C) \
--  test307.pl test610.pl test613.pl test795.pl test1013.pl test1022.pl 
mk-lib1521.pl
-+  test307.pl test610.pl test613.pl test1013.pl test1022.pl mk-lib1521.pl
- 
- CFLAGS += @CURL_CFLAG_EXTRAS@
- 
---- a/tests/libtest/test795.pl
-+++ /dev/null
-@@ -1,46 +0,0 @@
--#!/usr/bin/env perl
--#***************************************************************************
--#                                  _   _ ____  _
--#  Project                     ___| | | |  _ \| |
--#                             / __| | | | |_) | |
--#                            | (__| |_| |  _ <| |___
--#                             \___|\___/|_| \_\_____|
--#
--# Copyright (C) Daniel Stenberg, <[email protected]>, et al.
--#
--# This software is licensed as described in the file COPYING, which
--# you should have received as part of this distribution. The terms
--# are also available at https://curl.se/docs/copyright.html.
--#
--# You may opt to use, copy, modify, merge, publish, distribute and/or sell
--# copies of the Software, and permit persons to whom the Software is
--# furnished to do so, under the terms of the COPYING file.
--#
--# This software is distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY
--# KIND, either express or implied.
--#
--# SPDX-License-Identifier: curl
--#
--###########################################################################
--use strict;
--use warnings;
--
--my $ok = 1;
--my $exp_duration = $ARGV[1] + 0.0;
--
--# Read the output of curl --version
--open(F, $ARGV[0]) || die "Can't open test result from $ARGV[0]\n";
--$_ = <F>;
--chomp;
--/\s*([\.\d]+)\s*/;
--my $duration = $1 + 0.0;
--close F;
--
--if ($duration <= $exp_duration) {
--    print "OK: duration of $duration in expected range\n";
--    $ok = 0;
--}
--else {
--    print "FAILED: duration of $duration is larger than $exp_duration\n";
--}
--exit $ok;

diff --git a/net-misc/curl/files/curl-8.16.0-ssl_verifyhost.patch 
b/net-misc/curl/files/curl-8.16.0-ssl_verifyhost.patch
deleted file mode 100644
index 4d08f7f796bc..000000000000
--- a/net-misc/curl/files/curl-8.16.0-ssl_verifyhost.patch
+++ /dev/null
@@ -1,63 +0,0 @@
-https://github.com/curl/curl/commit/f7cac7cc07a45481b246c875e8113d741ba2a6e1
-From: Daniel Stenberg <[email protected]>
-Date: Sun, 14 Sep 2025 23:28:03 +0200
-Subject: [PATCH] setopt: accept *_SSL_VERIFYHOST set to 2L
-
-... without outputing a verbose message about it. In the early days we
-had 2L and 1L have different functionalities.
-
-Reported-by: Jicea
-Bug: https://curl.se/mail/lib-2025-09/0031.html
-Closes #18547
---- a/lib/setopt.c
-+++ b/lib/setopt.c
-@@ -443,6 +443,7 @@ static CURLcode setopt_bool(struct Curl_easy *data, 
CURLoption option,
-                             long arg, bool *set)
- {
-   bool enabled = !!arg;
-+  int ok = 1;
-   struct UserDefined *s = &data->set;
-   switch(option) {
-   case CURLOPT_FORBID_REUSE:
-@@ -619,7 +620,7 @@ static CURLcode setopt_bool(struct Curl_easy *data, 
CURLoption option,
-      * Enable verification of the hostname in the peer certificate for proxy
-      */
-     s->proxy_ssl.primary.verifyhost = enabled;
--
-+    ok = 2;
-     /* Update the current connection proxy_ssl_config. */
-     Curl_ssl_conn_config_update(data, TRUE);
-     break;
-@@ -723,6 +724,7 @@ static CURLcode setopt_bool(struct Curl_easy *data, 
CURLoption option,
-      * Enable verification of the hostname in the peer certificate for DoH
-      */
-     s->doh_verifyhost = enabled;
-+    ok = 2;
-     break;
-   case CURLOPT_DOH_SSL_VERIFYSTATUS:
-     /*
-@@ -732,6 +734,7 @@ static CURLcode setopt_bool(struct Curl_easy *data, 
CURLoption option,
-       return CURLE_NOT_BUILT_IN;
- 
-     s->doh_verifystatus = enabled;
-+    ok = 2;
-     break;
- #endif /* ! CURL_DISABLE_DOH */
-   case CURLOPT_SSL_VERIFYHOST:
-@@ -743,6 +746,7 @@ static CURLcode setopt_bool(struct Curl_easy *data, 
CURLoption option,
-        this argument took a boolean when it was not and misused it.
-        Treat 1 and 2 the same */
-     s->ssl.primary.verifyhost = enabled;
-+    ok = 2;
- 
-     /* Update the current connection ssl_config. */
-     Curl_ssl_conn_config_update(data, FALSE);
-@@ -844,7 +848,7 @@ static CURLcode setopt_bool(struct Curl_easy *data, 
CURLoption option,
-   default:
-     return CURLE_OK;
-   }
--  if((arg > 1) || (arg < 0))
-+  if((arg > ok) || (arg < 0))
-     /* reserve other values for future use */
-     infof(data, "boolean setopt(%d) got unsupported argument %ld,"
-           " treated as %d", option, arg, enabled);

diff --git a/net-misc/curl/files/curl-8.17.0-curlopt-capath.patch 
b/net-misc/curl/files/curl-8.17.0-curlopt-capath.patch
deleted file mode 100644
index 32e96f389950..000000000000
--- a/net-misc/curl/files/curl-8.17.0-curlopt-capath.patch
+++ /dev/null
@@ -1,289 +0,0 @@
-https://github.com/curl/curl/pull/19408
-
-From f36ab2dd6f33b9a9c069a034cf4f1451006d0f21 Mon Sep 17 00:00:00 2001
-From: Stefan Eissing <[email protected]>
-Date: Sat, 8 Nov 2025 14:28:38 +0100
-Subject: [PATCH 1/4] fix --capath use
-
-A regression in curl 8.17.0 led to a customer CAPATH set by the application
-(or the curl command) to be ignored unless licurl was built with a default
-CAPATH.
-
-Add test cases using `--capath` on the custom pytest CA, generated with
-the help of the openssl command when available.
-
-refs #19401
----
- lib/vtls/vtls.c               |  4 ++--
- tests/http/test_17_ssl_use.py | 23 +++++++++++++++++++++++
- tests/http/testenv/certs.py   | 16 ++++++++++++++++
- tests/http/testenv/curl.py    |  3 ++-
- tests/http/testenv/env.py     | 20 ++++++++++++++++++++
- 5 files changed, 63 insertions(+), 3 deletions(-)
-
-diff --git a/lib/vtls/vtls.c b/lib/vtls/vtls.c
-index 3b7a095c8b75..3858cad98312 100644
---- a/lib/vtls/vtls.c
-+++ b/lib/vtls/vtls.c
-@@ -310,7 +310,6 @@ CURLcode Curl_ssl_easy_config_complete(struct Curl_easy 
*data)
-       if(result)
-         return result;
-     }
--    sslc->primary.CApath = data->set.str[STRING_SSL_CAPATH];
- #endif
- #ifdef CURL_CA_BUNDLE
-     if(!sslc->custom_cafile && !set->str[STRING_SSL_CAFILE]) {
-@@ -322,6 +321,7 @@ CURLcode Curl_ssl_easy_config_complete(struct Curl_easy 
*data)
-   }
-   sslc->primary.CAfile = data->set.str[STRING_SSL_CAFILE];
-   sslc->primary.CRLfile = data->set.str[STRING_SSL_CRLFILE];
-+  sslc->primary.CApath = data->set.str[STRING_SSL_CAPATH];
-   sslc->primary.issuercert = data->set.str[STRING_SSL_ISSUERCERT];
-   sslc->primary.issuercert_blob = data->set.blobs[BLOB_SSL_ISSUERCERT];
-   sslc->primary.cipher_list = data->set.str[STRING_SSL_CIPHER_LIST];
-@@ -358,7 +358,6 @@ CURLcode Curl_ssl_easy_config_complete(struct Curl_easy 
*data)
-       if(result)
-         return result;
-     }
--    sslc->primary.CApath = data->set.str[STRING_SSL_CAPATH_PROXY];
- #endif
- #ifdef CURL_CA_BUNDLE
-     if(!sslc->custom_cafile && !set->str[STRING_SSL_CAFILE_PROXY]) {
-@@ -370,6 +369,7 @@ CURLcode Curl_ssl_easy_config_complete(struct Curl_easy 
*data)
- #endif
-   }
-   sslc->primary.CAfile = data->set.str[STRING_SSL_CAFILE_PROXY];
-+  sslc->primary.CApath = data->set.str[STRING_SSL_CAPATH_PROXY];
-   sslc->primary.cipher_list = data->set.str[STRING_SSL_CIPHER_LIST_PROXY];
-   sslc->primary.cipher_list13 = data->set.str[STRING_SSL_CIPHER13_LIST_PROXY];
-   sslc->primary.pinned_key = data->set.str[STRING_SSL_PINNEDPUBLICKEY_PROXY];
-diff --git a/tests/http/test_17_ssl_use.py b/tests/http/test_17_ssl_use.py
-index 57e1c014042b..20b6fdaef18b 100644
---- a/tests/http/test_17_ssl_use.py
-+++ b/tests/http/test_17_ssl_use.py
-@@ -597,3 +597,26 @@ def test_17_20_correct_pin(self, env: Env, proto, httpd):
-         ])
-         # expect NOT_IMPLEMENTED or OK
-         assert r.exit_code in [0, 2], f'{r.dump_logs()}'
-+
-+    @pytest.mark.skipif(condition=not Env.have_openssl(), reason="needs 
openssl command")
-+    def test_17_21_capath_valid(self, env: Env, httpd):
-+        proto = 'http/1.1'
-+        curl = CurlClient(env=env)
-+        url = f'https://{env.authority_for(env.domain1, 
proto)}/curltest/sslinfo'
-+        r = curl.http_get(url=url, alpn_proto=proto, extra_args=[
-+            '--capath', os.path.join(env.gen_dir, 'ca/hashdir')
-+        ])
-+        assert r.exit_code == 0, f'{r.dump_logs()}'
-+        assert r.json['HTTPS'] == 'on', f'{r.json}'
-+
-+    @pytest.mark.skipif(condition=not Env.have_openssl(), reason="needs 
openssl command")
-+    def test_17_22_capath_invalid(self, env: Env, httpd):
-+        proto = 'http/1.1'
-+        curl = CurlClient(env=env)
-+        url = f'https://{env.authority_for(env.domain1, 
proto)}/curltest/sslinfo'
-+        r = curl.http_get(url=url, alpn_proto=proto, extra_args=[
-+            '--capath', os.path.join(env.gen_dir, 'ca/invalid')
-+        ])
-+        # CURLE_PEER_FAILED_VERIFICATION
-+        assert r.exit_code == 60, f'{r.dump_logs()}'
-+
-diff --git a/tests/http/testenv/certs.py b/tests/http/testenv/certs.py
-index e59b1ea147e1..c9a30aaac065 100644
---- a/tests/http/testenv/certs.py
-+++ b/tests/http/testenv/certs.py
-@@ -28,6 +28,8 @@
- import ipaddress
- import os
- import re
-+import shutil
-+import subprocess
- from datetime import timedelta, datetime, timezone
- from typing import List, Any, Optional
- 
-@@ -200,6 +202,10 @@ def pkey_file(self) -> Optional[str]:
-     def combined_file(self) -> Optional[str]:
-         return self._combined_file
- 
-+    @property
-+    def hashdir(self) -> Optional[str]:
-+        return os.path.join(self._store.path, 'hashdir')
-+
-     def get_first(self, name) -> Optional['Credentials']:
-         creds = self._store.get_credentials_for_name(name) if self._store 
else []
-         return creds[0] if len(creds) else None
-@@ -236,6 +242,16 @@ def issue_cert(self, spec: CertificateSpec,
-             creds.issue_certs(spec.sub_specs, chain=subchain)
-         return creds
- 
-+    def create_hashdir(self, openssl):
-+        os.makedirs(self.hashdir, exist_ok=True)
-+        p = subprocess.run(args=[
-+            openssl, 'x509', '-hash', '-noout', '-in', self.cert_file
-+        ], capture_output=True, text=True)
-+        if p.returncode != 0:
-+            raise Exception(f'openssl failed to compute cert hash: {p}')
-+        cert_hname = f'{p.stdout.strip()}.0'
-+        shutil.copy(self.cert_file, os.path.join(self.hashdir, cert_hname))
-+
- 
- class CertStore:
- 
-diff --git a/tests/http/testenv/curl.py b/tests/http/testenv/curl.py
-index dc885ab8cba9..a92e4f681f34 100644
---- a/tests/http/testenv/curl.py
-+++ b/tests/http/testenv/curl.py
-@@ -987,7 +987,8 @@ def _complete_args(self, urls, timeout=None, options=None,
-                 pass
-             elif insecure:
-                 args.append('--insecure')
--            elif active_options and "--cacert" in active_options:
-+            elif active_options and ("--cacert" in active_options or \
-+                    "--capath" in active_options):
-                 pass
-             elif u.hostname:
-                 args.extend(["--cacert", self.env.ca.cert_file])
-diff --git a/tests/http/testenv/env.py b/tests/http/testenv/env.py
-index ff8741530b70..859b704a35a3 100644
---- a/tests/http/testenv/env.py
-+++ b/tests/http/testenv/env.py
-@@ -199,6 +199,16 @@ def __init__(self, pytestconfig: Optional[pytest.Config] 
= None,
-             ]),
-         ]
- 
-+        self.openssl = 'openssl'
-+        p = subprocess.run(args=[self.openssl, 'version'],
-+                           capture_output=True, text=True)
-+        if p.returncode != 0:
-+            # no openssl in path
-+            self.openssl = None
-+            self.openssl_version = None
-+        else:
-+            self.openssl_version = p.stdout.strip()
-+
-         self.nghttpx = self.config['nghttpx']['nghttpx']
-         if len(self.nghttpx.strip()) == 0:
-             self.nghttpx = None
-@@ -372,6 +382,10 @@ def setup_incomplete() -> bool:
-     def incomplete_reason() -> Optional[str]:
-         return Env.CONFIG.get_incomplete_reason()
- 
-+    @staticmethod
-+    def have_openssl() -> bool:
-+        return Env.CONFIG.openssl is not None
-+
-     @staticmethod
-     def have_nghttpx() -> bool:
-         return Env.CONFIG.nghttpx is not None
-@@ -548,6 +562,8 @@ def issue_certs(self):
-                                               store_dir=ca_dir,
-                                               key_type="rsa2048")
-                 self._ca.issue_certs(self.CONFIG.cert_specs)
-+                if self.have_openssl():
-+                    self._ca.create_hashdir(self.openssl)
- 
-     def setup(self):
-         os.makedirs(self.gen_dir, exist_ok=True)
-@@ -703,6 +719,10 @@ def ws_port(self) -> int:
-     def curl(self) -> str:
-         return self.CONFIG.curl
- 
-+    @property
-+    def openssl(self) -> Optional[str]:
-+        return self.CONFIG.openssl
-+
-     @property
-     def httpd(self) -> str:
-         return self.CONFIG.httpd
-
-From 02a595146a0bd3036f653ec48d5bfc9a0187ab75 Mon Sep 17 00:00:00 2001
-From: Stefan Eissing <[email protected]>
-Date: Sat, 8 Nov 2025 14:37:22 +0100
-Subject: [PATCH 2/4] use correct hashdir
-
----
- tests/http/test_17_ssl_use.py | 3 +--
- 1 file changed, 1 insertion(+), 2 deletions(-)
-
-diff --git a/tests/http/test_17_ssl_use.py b/tests/http/test_17_ssl_use.py
-index 20b6fdaef18b..0019bb1239d2 100644
---- a/tests/http/test_17_ssl_use.py
-+++ b/tests/http/test_17_ssl_use.py
-@@ -604,7 +604,7 @@ def test_17_21_capath_valid(self, env: Env, httpd):
-         curl = CurlClient(env=env)
-         url = f'https://{env.authority_for(env.domain1, 
proto)}/curltest/sslinfo'
-         r = curl.http_get(url=url, alpn_proto=proto, extra_args=[
--            '--capath', os.path.join(env.gen_dir, 'ca/hashdir')
-+            '--capath', env.ca.hashdir
-         ])
-         assert r.exit_code == 0, f'{r.dump_logs()}'
-         assert r.json['HTTPS'] == 'on', f'{r.json}'
-@@ -619,4 +619,3 @@ def test_17_22_capath_invalid(self, env: Env, httpd):
-         ])
-         # CURLE_PEER_FAILED_VERIFICATION
-         assert r.exit_code == 60, f'{r.dump_logs()}'
--
-
-From 5a952c670b0cf6e5735c2178014600af062390c4 Mon Sep 17 00:00:00 2001
-From: Stefan Eissing <[email protected]>
-Date: Sat, 8 Nov 2025 14:50:23 +0100
-Subject: [PATCH 3/4] test_17_21 skip for rustls test_17_22 accept error 77 as
- well
-
----
- tests/http/test_17_ssl_use.py | 8 ++++++--
- 1 file changed, 6 insertions(+), 2 deletions(-)
-
-diff --git a/tests/http/test_17_ssl_use.py b/tests/http/test_17_ssl_use.py
-index 0019bb1239d2..76f20080b3d6 100644
---- a/tests/http/test_17_ssl_use.py
-+++ b/tests/http/test_17_ssl_use.py
-@@ -600,6 +600,8 @@ def test_17_20_correct_pin(self, env: Env, proto, httpd):
- 
-     @pytest.mark.skipif(condition=not Env.have_openssl(), reason="needs 
openssl command")
-     def test_17_21_capath_valid(self, env: Env, httpd):
-+        if env.curl_uses_lib('rustls'):
-+            pytest.skip('rustls does not support CURLOPT_CAPATH')
-         proto = 'http/1.1'
-         curl = CurlClient(env=env)
-         url = f'https://{env.authority_for(env.domain1, 
proto)}/curltest/sslinfo'
-@@ -611,11 +613,13 @@ def test_17_21_capath_valid(self, env: Env, httpd):
- 
-     @pytest.mark.skipif(condition=not Env.have_openssl(), reason="needs 
openssl command")
-     def test_17_22_capath_invalid(self, env: Env, httpd):
-+        # we can test all TLS backends here. the ones not supporting CAPATH
-+        # need to fail as well as the ones which do, but get an invalid path.
-         proto = 'http/1.1'
-         curl = CurlClient(env=env)
-         url = f'https://{env.authority_for(env.domain1, 
proto)}/curltest/sslinfo'
-         r = curl.http_get(url=url, alpn_proto=proto, extra_args=[
-             '--capath', os.path.join(env.gen_dir, 'ca/invalid')
-         ])
--        # CURLE_PEER_FAILED_VERIFICATION
--        assert r.exit_code == 60, f'{r.dump_logs()}'
-+        # CURLE_PEER_FAILED_VERIFICATION or CURLE_SSL_CACERT_BADFILE
-+        assert r.exit_code in [60, 77], f'{r.dump_logs()}'
-
-From 10d57fbbe4c1036780d36feed6f55a87307c6e25 Mon Sep 17 00:00:00 2001
-From: Stefan Eissing <[email protected]>
-Date: Sat, 8 Nov 2025 14:58:25 +0100
-Subject: [PATCH 4/4] use 'rustls-ffi' to check for rustsls backend
-
----
- tests/http/test_17_ssl_use.py | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/tests/http/test_17_ssl_use.py b/tests/http/test_17_ssl_use.py
-index 76f20080b3d6..615658f06c01 100644
---- a/tests/http/test_17_ssl_use.py
-+++ b/tests/http/test_17_ssl_use.py
-@@ -600,7 +600,7 @@ def test_17_20_correct_pin(self, env: Env, proto, httpd):
- 
-     @pytest.mark.skipif(condition=not Env.have_openssl(), reason="needs 
openssl command")
-     def test_17_21_capath_valid(self, env: Env, httpd):
--        if env.curl_uses_lib('rustls'):
-+        if env.curl_uses_lib('rustls-ffi'):
-             pytest.skip('rustls does not support CURLOPT_CAPATH')
-         proto = 'http/1.1'
-         curl = CurlClient(env=env)
-

diff --git a/net-misc/curl/files/curl-8.17.0-progress-parallel.patch 
b/net-misc/curl/files/curl-8.17.0-progress-parallel.patch
deleted file mode 100644
index 8bfd90e577ca..000000000000
--- a/net-misc/curl/files/curl-8.17.0-progress-parallel.patch
+++ /dev/null
@@ -1,54 +0,0 @@
-https://github.com/curl/curl/pull/19383
-
-From a5038ff41f83907c896a41716f4f78a80a144cd1 Mon Sep 17 00:00:00 2001
-From: Stefan Eissing <[email protected]>
-Date: Thu, 6 Nov 2025 12:47:33 +0100
-Subject: [PATCH] curl: fix progress meter in parallel mode
-
-With `check_finished()` triggered by notifications now, the
-`progress_meter()` was no longer called at regular intervals.
-
-Move `progress_meter()` out of `check_finishe()` into the perform
-loop and event callbacks.
----
- src/tool_operate.c | 5 ++++-
- 1 file changed, 4 insertions(+), 1 deletion(-)
-
-diff --git a/src/tool_operate.c b/src/tool_operate.c
-index 74f5da5fa915..e1f61a2ba519 100644
---- a/src/tool_operate.c
-+++ b/src/tool_operate.c
-@@ -1549,6 +1549,7 @@ static void on_uv_socket(uv_poll_t *req, int status, int 
events)
- 
-   curl_multi_socket_action(c->uv->s->multi, c->sockfd, flags,
-                            &c->uv->s->still_running);
-+  progress_meter(c->uv->s->multi, &c->uv->s->start, FALSE);
- }
- 
- /* callback from libuv when timeout expires */
-@@ -1561,6 +1562,7 @@ static void on_uv_timeout(uv_timer_t *req)
-   if(uv && uv->s) {
-     curl_multi_socket_action(uv->s->multi, CURL_SOCKET_TIMEOUT, 0,
-                              &uv->s->still_running);
-+    progress_meter(uv->s->multi, &uv->s->start, FALSE);
-   }
- }
- 
-@@ -1733,7 +1735,6 @@ static CURLcode check_finished(struct parastate *s)
-   int rc;
-   CURLMsg *msg;
-   bool checkmore = FALSE;
--  progress_meter(s->multi, &s->start, FALSE);
-   do {
-     msg = curl_multi_info_read(s->multi, &rc);
-     if(msg) {
-@@ -1875,6 +1876,8 @@ static CURLcode parallel_transfers(CURLSH *share)
-       s->mcode = curl_multi_poll(s->multi, NULL, 0, 1000, NULL);
-       if(!s->mcode)
-         s->mcode = curl_multi_perform(s->multi, &s->still_running);
-+
-+      progress_meter(s->multi, &s->start, FALSE);
-     }
- 
-     (void)progress_meter(s->multi, &s->start, TRUE);
-

diff --git a/net-misc/curl/files/curl-8.17.0-wcurl-CVE-2025-11563.patch 
b/net-misc/curl/files/curl-8.17.0-wcurl-CVE-2025-11563.patch
deleted file mode 100644
index a5cc6fa5588b..000000000000
--- a/net-misc/curl/files/curl-8.17.0-wcurl-CVE-2025-11563.patch
+++ /dev/null
@@ -1,27 +0,0 @@
-https://bugs.gentoo.org/966140
-https://github.com/curl/wcurl/commit/65546bae0164a97d89d42176e366d9c7c7796261
-
-From 65546bae0164a97d89d42176e366d9c7c7796261 Mon Sep 17 00:00:00 2001
-From: Xi Ruoyao <[email protected]>
-Date: Sun, 9 Nov 2025 14:30:34 +0800
-Subject: [PATCH] wcurl: Really fix CVE-2025-11563
-
-When we pass a string to is_safe_percent_encode, it always begins with
-"%'.  But the lookup table UNSAFE_PERCENT_ENCODE does not contain "%" so
-nothing can be matched.
-
-Also update the test suite to fix the false positive.
-
-Signed-off-by: Xi Ruoyao <[email protected]>
-
---- a/scripts/wcurl
-+++ b/scripts/wcurl
-@@ -118,7 +118,7 @@ readonly PER_URL_PARAMETERS="\
- # characters.
- # 2F = /
- # 5C = \
--readonly UNSAFE_PERCENT_ENCODE="2F 5C"
-+readonly UNSAFE_PERCENT_ENCODE="%2F %5C"
- 
- # Whether to invoke curl or not.
- DRY_RUN="false"

diff --git a/net-misc/curl/files/curl-prefix-4.patch 
b/net-misc/curl/files/curl-prefix-4.patch
deleted file mode 100644
index 796b67fd927f..000000000000
--- a/net-misc/curl/files/curl-prefix-4.patch
+++ /dev/null
@@ -1,35 +0,0 @@
-From f18f4362d7ca60fb12248a559dab26aea330771c Mon Sep 17 00:00:00 2001
-From: Matt Jolly <[email protected]>
-Date: Wed, 5 Feb 2025 17:27:11 +1000
-Subject: [PATCH] Update prefix patch for 8.12.0
-
-Signed-off-by: Matt Jolly <[email protected]>
----
- curl-config.in | 4 ++--
- 1 file changed, 2 insertions(+), 2 deletions(-)
-
-diff --git a/curl-config.in b/curl-config.in
-index 55184167b..df31fdb46 100644
---- a/curl-config.in
-+++ b/curl-config.in
-@@ -141,7 +141,7 @@ while test "$#" -gt 0; do
-     ;;
- 
-   --cflags)
--    if test "X@includedir@" = 'X/usr/include'; then
-+    if test "X@includedir@" = "X@GENTOO_PORTAGE_EPREFIX@/usr/include"; then
-       echo '@LIBCURL_PC_CFLAGS@'
-     else
-       echo "@LIBCURL_PC_CFLAGS@ -I@includedir@"
-@@ -149,7 +149,7 @@ while test "$#" -gt 0; do
-     ;;
- 
-   --libs)
--    if test "X@libdir@" != 'X/usr/lib' -a "X@libdir@" != 'X/usr/lib64'; then
-+    if test "X@libdir@" != "X@GENTOO_PORTAGE_EPREFIX@/usr/lib" -a "X@libdir@" 
!= "X@GENTOO_PORTAGE_EPREFIX@/usr/lib64"; then
-       curllibdir="-L@libdir@ "
-     else
-       curllibdir=''
--- 
-2.48.0
-

diff --git a/net-misc/curl/files/curl-prefix-5.patch 
b/net-misc/curl/files/curl-prefix-5.patch
deleted file mode 100644
index 77070171aedf..000000000000
--- a/net-misc/curl/files/curl-prefix-5.patch
+++ /dev/null
@@ -1,29 +0,0 @@
-From 05d97da1f669a1486489897128c2374b562ab176 Mon Sep 17 00:00:00 2001
-From: Matt Jolly <[email protected]>
-Date: Tue, 2 Sep 2025 08:41:51 +1000
-Subject: [PATCH] Update prefix patch for 8.16.0
-
-Signed-off-by: Matt Jolly <[email protected]>
---- a/curl-config.in
-+++ b/curl-config.in
-@@ -141,7 +141,7 @@ while test "$#" -gt 0; do
-     ;;
- 
-   --cflags)
--    if test "@includedir@" = '/usr/include'; then
-+    if test "@includedir@" = "GENTOO_PORTAGE_EPREFIX@/usr/include"; then
-       echo '@LIBCURL_PC_CFLAGS@'
-     else
-       echo "@LIBCURL_PC_CFLAGS@ -I@includedir@"
-@@ -149,7 +149,7 @@ while test "$#" -gt 0; do
-     ;;
- 
-   --libs)
--    if test "@libdir@" != '/usr/lib' -a "@libdir@" != '/usr/lib64'; then
-+    if test "@libdir@" != "@GENTOO_PORTAGE_EPREFIX@/usr/lib" -a "@libdir@" != 
"@GENTOO_PORTAGE_EPREFIX@/usr/lib64"; then
-       curllibdir="-L@libdir@ "
-     else
-       curllibdir=''
--- 
-2.50.1
-

