commit: 70ff00af11cc1367b647d26d1778ff806b96d127 Author: Matt Jolly <kangie <AT> gentoo <DOT> org> AuthorDate: Thu Sep 18 06:26:21 2025 +0000 Commit: Matt Jolly <kangie <AT> gentoo <DOT> org> CommitDate: Thu Sep 18 06:30:40 2025 +0000 URL: https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=70ff00af
net-misc/curl: add 8.16.0-r1 There were a few regressions in this release, but nothing patch-worthy. Signed-off-by: Matt Jolly <kangie <AT> gentoo.org> net-misc/curl/curl-8.16.0-r1.ebuild | 441 +++++++++++++++++++++ .../curl/files/curl-8.16.0-pthread_cancel.patch | 399 +++++++++++++++++++ .../curl/files/curl-8.16.0-ssl_verifyhost.patch | 63 +++ 3 files changed, 903 insertions(+)
diff --git a/net-misc/curl/curl-8.16.0-r1.ebuild b/net-misc/curl/curl-8.16.0-r1.ebuild
new file mode 100644
index 000000000000..5e1eb5151ca8
--- /dev/null
+++ b/net-misc/curl/curl-8.16.0-r1.ebuild
@@ -0,0 +1,441 @@
+# Copyright 1999-2025 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=8
+
+# Maintainers should subscribe to the 'curl-distros' ML for backports etc
+# https://daniel.haxx.se/blog/2024/03/25/curl-distro-report/
+# https://lists.haxx.se/listinfo/curl-distros
+
+VERIFY_SIG_OPENPGP_KEY_PATH=/usr/share/openpgp-keys/danielstenberg.asc
+inherit autotools multilib-minimal multiprocessing prefix toolchain-funcs verify-sig
+
+DESCRIPTION="A Client that groks URLs"
+HOMEPAGE="https://curl.se/"
+
+if [[ ${PV} == 9999 ]]; then
+ inherit git-r3
+ EGIT_REPO_URI="https://github.com/curl/curl.git"
+else
+ if [[ ${P} == *rc* ]]; then
+ CURL_URI="https://curl.se/rc/"
+ S="${WORKDIR}/${P//_/-}"
+ else
+ CURL_URI="https://curl.se/download/"
+ KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~loong ~m68k ~mips ~ppc ~ppc64 ~riscv ~s390 ~sparc ~x86 ~amd64-linux ~x86-linux ~arm64-macos ~ppc-macos ~x64-macos ~x64-solaris"
+ fi
+ SRC_URI="
+ ${CURL_URI}${P//_/-}.tar.xz
+ verify-sig? ( ${CURL_URI}${P//_/-}.tar.xz.asc )
+ "
+fi
+
+LICENSE="BSD curl ISC test? ( BSD-4 )"
+SLOT="0"
+IUSE="+adns +alt-svc brotli debug ech +ftp gnutls gopher +hsts +http2 +http3 +httpsrr idn +imap kerberos ldap"
+IUSE+=" mbedtls +openssl +pop3 +psl +quic rtmp rustls samba sasl-scram +smtp ssh ssl static-libs test"
+IUSE+=" telnet +tftp +websockets zstd"
+# These select the default tls implementation / which quic impl to use
+IUSE+=" +curl_quic_openssl curl_quic_ngtcp2 curl_ssl_gnutls curl_ssl_mbedtls +curl_ssl_openssl curl_ssl_rustls"
+RESTRICT="!test? ( test )"
+
+# HTTPS RR is technically usable with the threaded resolver, but it still uses c-ares to
+# ask for the HTTPS RR record type; if DoH is in use the HTTPS record will be requested
+# in addition to A and AAAA records.
+
+# To simplify dependency management in the ebuild we'll require c-ares for HTTPS RR (for now?).
+# HTTPS RR in cURL is a dependency for:
+# - ECH (requires patched openssl or gnutls currently, enabled with rustls)
+# - Fetching the ALPN list which should provide a better HTTP/3 experience.
+
+# Only one default ssl / quic provider can be enabled
+# The default provider needs its USE satisfied
+# HTTP/3 and MultiSSL are mutually exclusive; it's not clear if MultiSSL offers any benefit at all in the modern day.
+# https://github.com/curl/curl/commit/65ece771f4602107d9cdd339dff4b420280a2c2e
+REQUIRED_USE="
+ ech? ( rustls )
+ httpsrr? ( adns )
+ quic? (
+ ^^ (
+ curl_quic_openssl
+ curl_quic_ngtcp2
+ )
+ http3
+ ssl
+ )
+ ssl? (
+ ^^ (
+ curl_ssl_gnutls
+ curl_ssl_mbedtls
+ curl_ssl_openssl
+ curl_ssl_rustls
+ )
+ )
+ curl_quic_openssl? (
+ curl_ssl_openssl
+ !gnutls
+ !mbedtls
+ !rustls
+ )
+ curl_quic_ngtcp2? (
+ curl_ssl_gnutls
+ !mbedtls
+ !openssl
+ !rustls
+ )
+ curl_ssl_gnutls? ( gnutls )
+ curl_ssl_mbedtls? ( mbedtls )
+ curl_ssl_openssl? ( openssl )
+ curl_ssl_rustls? ( rustls )
+ http3? ( alt-svc httpsrr quic )
+"
+
+# cURL's docs and CI/CD are great resources for confirming supported versions
+# particulary for fast-moving targets like HTTP/2 and TCP/2 e.g.:
+# - https://github.com/curl/curl/blob/master/docs/INTERNALS.md (core dependencies + minimum versions)
+# - https://github.com/curl/curl/blob/master/docs/HTTP3.md (example of a feature that moves quickly)
+# - https://github.com/curl/curl/blob/master/.github/workflows/http3-linux.yml (CI/CD for TCP/2)
+# However 'supported' vs 'works' are two entirely different things; be sane but
+# don't be afraid to require a later version.
+# ngtcp2 = https://bugs.gentoo.org/912029 - can only build with one tls backend at a time.
+RDEPEND="
+ >=sys-libs/zlib-1.2.5[${MULTILIB_USEDEP}]
+ adns? ( >=net-dns/c-ares-1.16.0:=[${MULTILIB_USEDEP}] )
+ brotli? ( app-arch/brotli:=[${MULTILIB_USEDEP}] )
+ http2? ( >=net-libs/nghttp2-1.15.0:=[${MULTILIB_USEDEP}] )
+ http3? ( >=net-libs/nghttp3-1.1.0[${MULTILIB_USEDEP}] )
+ idn? ( >=net-dns/libidn2-2.0.0:=[static-libs?,${MULTILIB_USEDEP}] )
+ kerberos? ( >=virtual/krb5-0-r1[${MULTILIB_USEDEP}] )
+ ldap? ( >=net-nds/openldap-2.0.0:=[static-libs?,${MULTILIB_USEDEP}] )
+ psl? ( net-libs/libpsl[${MULTILIB_USEDEP}] )
+ quic? (
+ curl_quic_openssl? ( >=dev-libs/openssl-3.3.0:=[quic,${MULTILIB_USEDEP}] )
+ curl_quic_ngtcp2? ( >=net-libs/ngtcp2-1.2.0[gnutls,ssl,-openssl,${MULTILIB_USEDEP}] )
+ )
+ rtmp? ( media-video/rtmpdump[${MULTILIB_USEDEP}] )
+ ssh? ( >=net-libs/libssh2-1.2.8[${MULTILIB_USEDEP}] )
+ sasl-scram? ( >=net-misc/gsasl-2.2.0[static-libs?,${MULTILIB_USEDEP}] )
+ ssl? (
+ gnutls? (
+ app-misc/ca-certificates
+ >=net-libs/gnutls-3.1.10:=[static-libs?,${MULTILIB_USEDEP}]
+ dev-libs/nettle:=[${MULTILIB_USEDEP}]
+ )
+ mbedtls? (
+ app-misc/ca-certificates
+ net-libs/mbedtls:0=[${MULTILIB_USEDEP}]
+ )
+ openssl? (
+ >=dev-libs/openssl-1.0.2:=[static-libs?,${MULTILIB_USEDEP}]
+ )
+ rustls? (
+ >=net-libs/rustls-ffi-0.15.0:=[${MULTILIB_USEDEP}]
+ )
+ )
+ zstd? ( app-arch/zstd:=[${MULTILIB_USEDEP}] )
+"
+
+DEPEND="${RDEPEND}"
+
+BDEPEND="
+ dev-lang/perl
+ virtual/pkgconfig
+ test? (
+ sys-apps/diffutils
+ http2? ( >=net-libs/nghttp2-1.15.0:=[utils,${MULTILIB_USEDEP}] )
+ http3? ( net-libs/nghttp2:=[utils,${MULTILIB_USEDEP}] )
+ )
+ verify-sig? ( sec-keys/openpgp-keys-danielstenberg )
+"
+
+DOCS=( README docs/{FEATURES.md,INTERNALS.md,FAQ,BUGS.md,CONTRIBUTE.md} )
+
+MULTILIB_WRAPPED_HEADERS=(
+ /usr/include/curl/curlbuild.h
+)
+
+MULTILIB_CHOST_TOOLS=(
+ /usr/bin/curl-config
+)
+
+QA_CONFIG_IMPL_DECL_SKIP=(
+ __builtin_available
+ closesocket
+ CloseSocket
+ getpass_r
+ ioctlsocket
+ IoctlSocket
+ mach_absolute_time
+ setmode
+ _fseeki64
+ # custom AC_LINK_IFELSE code fails to link even without -Werror
+ OSSL_QUIC_client_method
+)
+
+PATCHES=(
+ "${FILESDIR}/${PN}-prefix-5.patch"
+ "${FILESDIR}/${PN}-respect-cflags-3.patch"
+ "${FILESDIR}/${P}-ssl_verifyhost.patch"
+ "${FILESDIR}/${P}-pthread_cancel.patch"
+)
+
+src_prepare() {
+ default
+
+ eprefixify curl-config.in
+ eautoreconf
+}
+
+# Generates TLS-related configure options based on USE flags.
+# Outputs options suitable for appending to a configure options array.
+_get_curl_tls_configure_opts() {
+ local tls_opts=()
+
+ local backend flag_name
+ for backend in gnutls mbedtls openssl rustls; do
+ if [[ "$backend" == "openssl" ]]; then
+ flag_name="ssl"
+ tls_opts+=( "--with-ca-path=${EPREFIX}/etc/ssl/certs")
+ else
+ flag_name="$backend"
+ fi
+
+ if use "$backend"; then
+ tls_opts+=( "--with-${flag_name}" )
+ else
+ # If a single backend is enabled, 'ssl' is required, openssl is the default / fallback
+ if ! [[ "$backend" == "openssl" ]]; then
+ tls_opts+=( "--without-${flag_name}" )
+ fi
+ fi
+ done
+
+ if use curl_ssl_gnutls; then
+ multilib_is_native_abi && einfo "Default TLS backend: gnutls"
+ tls_opts+=( "--with-default-ssl-backend=gnutls" )
+ elif use curl_ssl_mbedtls; then
+ multilib_is_native_abi && einfo "Default TLS backend: mbedtls"
+ tls_opts+=( "--with-default-ssl-backend=mbedtls" )
+ elif use curl_ssl_openssl; then
+ multilib_is_native_abi && einfo "Default TLS backend: openssl"
+ tls_opts+=( "--with-default-ssl-backend=openssl" )
+ elif use curl_ssl_rustls; then
+ multilib_is_native_abi && einfo "Default TLS backend: rustls"
+ tls_opts+=( "--with-default-ssl-backend=rustls" )
+ else
+ eerror "We can't be here because of REQUIRED_USE."
+ die "Please file a bug, hit impossible condition w/ USE=ssl handling."
+ fi
+
+ # Explicitly Disable unimplemented backends
+ tls_opts+=(
+ --without-amissl
+ --without-wolfssl
+ )
+
+ printf "%s\n" "${tls_opts[@]}"
+}
+
+multilib_src_configure() {
+ # We make use of the fact that later flags override earlier ones
+ # So start with all ssl providers off until proven otherwise
+ # TODO: in the future, we may want to add wolfssl (https://www.wolfssl.com/)
+ local myconf=()
+
+ myconf+=( --without-ca-fallback --with-ca-bundle="${EPREFIX}"/etc/ssl/certs/ca-certificates.crt )
+ if use ssl; then
+ local -a tls_backend_opts
+ readarray -t tls_backend_opts < <(_get_curl_tls_configure_opts)
+ myconf+=("${tls_backend_opts[@]}")
+ if use quic; then
+ myconf+=(
+ $(use_with curl_quic_ngtcp2 ngtcp2)
+ $(use_with curl_quic_openssl openssl-quic)
+ )
+ else
+ # Without a REQUIRED_USE to ensure that QUIC was requested when at least one default backend is
+ # enabled we need ensure that we don't try to build QUIC support
+ myconf+=( --without-ngtcp2 --without-openssl-quic )
+ fi
+ else
+ myconf+=( --without-ssl )
+ einfo "SSL disabled"
+ fi
+
+ # These configuration options are organised alphabetically by category/type
+
+ # Protocols
+ # `grep SUPPORT_PROTOCOLS=\" configure.ac | awk '{ print substr($2, 1, length($2)-1)}' | sort`
+ # Assume that anything omitted (that is not new!) is enabled by default with no deps
+ myconf+=(
+ --enable-file
+ $(use_enable ftp)
+ $(use_enable gopher)
+ --enable-http
+ $(use_enable imap) # Automatic IMAPS if TLS is enabled
+ $(use_enable ldap ldaps)
+ $(use_enable ldap)
+ $(use_enable pop3)
+ $(use_enable samba smb)
+ $(use_with ssh libssh2) # enables scp/sftp
+ $(use_with rtmp librtmp)
+ --enable-rtsp
+ $(use_enable smtp)
+ $(use_enable telnet)
+ $(use_enable tftp)
+ $(use_enable websockets)
+ )
+
+ # Keep various 'HTTP-flavoured' options together
+ myconf+=(
+ $(use_enable alt-svc)
+ $(use_enable hsts)
+ $(use_enable httpsrr)
+ $(use_with http2 nghttp2)
+ $(use_with http3 nghttp3)
+ )
+
+ # --enable/disable options
+ # `grep -- --enable configure | grep Check | awk '{ print $4 }' | sort`
+ myconf+=(
+ $(use_enable adns ares)
+ --enable-aws
+ --enable-basic-auth
+ --enable-bearer-auth
+ --enable-cookies
+ --enable-dateparse
+ --enable-dict
+ --enable-digest-auth
+ --enable-dnsshuffle
+ --enable-doh
+ $(use_enable ech)
+ --enable-http-auth
+ --enable-ipv6
+ --enable-kerberos-auth
+ --enable-largefile
+ --enable-manual
+ --enable-mime
+ --enable-negotiate-auth
+ --enable-netrc
+ --enable-ntlm
+ --enable-progress-meter
+ --enable-proxy
+ --enable-rt
+ --enable-socketpair
+ --disable-sspi
+ $(use_enable static-libs static)
+ --enable-symbol-hiding
+ --enable-tls-srp
+ --disable-versioned-symbols
+ )
+
+ # --with/without options
+ # `grep -- --with configure | grep Check | awk '{ print $4 }' | sort`
+ myconf+=(
+ $(use_with brotli)
+ --with-fish-functions-dir="${EPREFIX}"/usr/share/fish/vendor_completions.d
+ $(use_with idn libidn2)
+ $(use_with kerberos gssapi "${EPREFIX}"/usr)
+ $(use_with sasl-scram libgsasl)
+ $(use_with psl libpsl)
+ --without-quiche
+ --without-schannel
+ --without-winidn
+ --with-zlib
+ --with-zsh-functions-dir="${EPREFIX}"/usr/share/zsh/site-functions
+ $(use_with zstd)
+ )
+
+ # Test deps (disabled)
+ myconf+=(
+ --without-test-caddy
+ --without-test-httpd
+ --without-test-nghttpx
+ )
+
+ if use debug; then
+ myconf+=(
+ --enable-debug
+ )
+ fi
+
+ if use test && multilib_is_native_abi && ( use http2 || use http3 ); then
+ myconf+=(
+ --with-test-nghttpx="${BROOT}/usr/bin/nghttpx"
+ )
+ fi
+
+ # Since 8.12.0 adns/c-ares and the threaded resolver are mutually exclusive
+ # This is in support of some work to enable `httpsrr` to use adns and the rest
+ # of curl to use the threaded resolver; for us `httpsrr` is conditional on adns.
+ if use adns; then
+ myconf+=(
+ --disable-threaded-resolver
+ )
+ else
+ myconf+=(
+ --enable-threaded-resolver
+ )
+ fi
+
+ ECONF_SOURCE="${S}" econf "${myconf[@]}"
+
+ if ! multilib_is_native_abi; then
+ # Avoid building the client (we just want libcurl for multilib)
+ sed -i -e '/SUBDIRS/s:src::' Makefile || die
+ sed -i -e '/SUBDIRS/s:scripts::' Makefile || die
+ fi
+
+}
+
+multilib_src_compile() {
+ default
+
+ if multilib_is_native_abi; then
+ # Shell completions
+ ! tc-is-cross-compiler && emake -C scripts
+ fi
+}
+
+# There is also a pytest harness that tests for bugs in some very specific
+# situations; we can rely on upstream for this rather than adding additional test deps.
+multilib_src_test() {
+ # See https://github.com/curl/curl/blob/master/tests/runtests.pl#L5721
+ # -n: no valgrind (unreliable in sandbox and doesn't work correctly on all arches)
+ # -v: verbose
+ # -a: keep going on failure (so we see everything that breaks, not just 1st test)
+ # -k: keep test files after completion
+ # -am: automake style TAP output
+ # -p: print logs if test fails
+ # Note: if needed, we can skip specific tests. See e.g. Fedora's packaging
+ # or just read https://github.com/curl/curl/tree/master/tests#run.
+ # Note: we don't run the testsuite for cross-compilation.
+ # Upstream recommend 7*nproc as a starting point for parallel tests, but
+ # this ends up breaking when nproc is huge (like -j80).
+ # The network sandbox causes tests 241 and 1083 to fail; these are typically skipped
+ # as most gentoo users don't have an 'ip6-localhost'
+ multilib_is_native_abi && emake test TFLAGS="-n -v -a -k -am -p -j$((2*$(makeopts_jobs))) !241 !1083"
+}
+
+multilib_src_install() {
+ emake DESTDIR="${D}" install
+
+ if multilib_is_native_abi; then
+ # Shell completions
+ ! tc-is-cross-compiler && emake -C scripts DESTDIR="${D}" install
+ fi
+}
+
+multilib_src_install_all() {
+ einstalldocs
+ find "${ED}" -type f -name '*.la' -delete || die
+ rm -rf "${ED}"/etc/ || die
+}
+
+pkg_postinst() {
+ if use debug; then
+ ewarn "USE=debug has been selected, enabling debug codepaths and making cURL extra verbose."
+ ewarn "Use this _only_ for testing. Debug builds should _not_ be used in anger."
+ ewarn "hic sunt dracones; you have been warned."
+ fi
+}
diff --git a/net-misc/curl/files/curl-8.16.0-pthread_cancel.patch b/net-misc/curl/files/curl-8.16.0-pthread_cancel.patch
new file mode 100644
index 000000000000..1cc185c2e4f1
--- /dev/null
+++ b/net-misc/curl/files/curl-8.16.0-pthread_cancel.patch
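Review bot: In `_get_curl_tls_configure_opts`, `--with-ca-path=${EPREFIX}/etc/ssl/certs` is appended inside the `openssl` iteration before `use "$backend"` is tested, so the CA directory is handed to configure even when USE=-openssl and a different backend is the only one built. If the path is meant to apply to every backend, a comment saying so would help; otherwise gate it with `use openssl && tls_opts+=( "--with-ca-path=${EPREFIX}/etc/ssl/certs" )`. `multilib_src_configure` also passes `--with-ca-bundle` unconditionally, so a one-line comment there naming which of the two trust-store settings each backend is expected to use would make the resulting certificate verification setup easier to audit.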
@@ -0,0 +1,399 @@
+https://github.com/curl/curl/commit/de3fc1d7adb78c078e4cc7ccc48e550758094ad3
+From: Stefan Eissing <[email protected]>
+Date: Sat, 13 Sep 2025 15:25:53 +0200
+Subject: [PATCH] asyn-thrdd: drop pthread_cancel
+
+Remove use of pthread_cancel in asnyc threaded resolving. While there
+are system where this works, others might leak to resource leakage
+(memory, files, etc.). The popular nsswitch is one example where resolve
+code can be dragged in that is not prepared.
+
+The overall promise and mechanism of pthread_cancel() is just too
+brittle and the historcal design of getaddrinfo() continues to haunt us.
+
+Fixes #18532
+Reported-by: Javier Blazquez
+Closes #18540
+--- a/docs/libcurl/libcurl-env-dbg.md
++++ b/docs/libcurl/libcurl-env-dbg.md
+@@ -83,11 +83,6 @@ When built with c-ares for name resolving, setting this environment variable
+ to `[IP:port]` makes libcurl use that DNS server instead of the system
+ default. This is used by the curl test suite.
+
+-## `CURL_DNS_DELAY_MS`
+-
+-Delay the DNS resolve by this many milliseconds. This is used in the test
+-suite to check proper handling of CURLOPT_CONNECTTIMEOUT(3).
+-
+ ## `CURL_FTP_PWD_STOP`
+
+ When set, the first transfer - when using ftp: - returns before sending
+--- a/lib/asyn-thrdd.c
++++ b/lib/asyn-thrdd.c
+@@ -199,14 +199,6 @@ addr_ctx_create(struct Curl_easy *data,
+ return NULL;
+ }
+
+-static void async_thrd_cleanup(void *arg)
+-{
+- struct async_thrdd_addr_ctx *addr_ctx = arg;
+-
+- Curl_thread_disable_cancel();
+- addr_ctx_unlink(&addr_ctx, NULL);
+-}
+-
+ #ifdef HAVE_GETADDRINFO
+
+ /*
+@@ -220,15 +212,6 @@ static CURL_THREAD_RETURN_T CURL_STDCALL getaddrinfo_thread(void *arg)
+ struct async_thrdd_addr_ctx *addr_ctx = arg;
+ bool do_abort;
+
+-/* clang complains about empty statements and the pthread_cleanup* macros
+- * are pretty ill defined. */
+-#if defined(__clang__)
+-#pragma clang diagnostic push
+-#pragma clang diagnostic ignored "-Wextra-semi-stmt"
+-#endif
+-
+- Curl_thread_push_cleanup(async_thrd_cleanup, addr_ctx);
+-
+ Curl_mutex_acquire(&addr_ctx->mutx);
+ do_abort = addr_ctx->do_abort;
+ Curl_mutex_release(&addr_ctx->mutx);
+@@ -237,9 +220,6 @@ static CURL_THREAD_RETURN_T CURL_STDCALL getaddrinfo_thread(void *arg)
+ char service[12];
+ int rc;
+
+-#ifdef DEBUGBUILD
+- Curl_resolve_test_delay();
+-#endif
+ msnprintf(service, sizeof(service), "%d", addr_ctx->port);
+
+ rc = Curl_getaddrinfo_ex(addr_ctx->hostname, service,
+@@ -274,11 +254,6 @@ static CURL_THREAD_RETURN_T CURL_STDCALL getaddrinfo_thread(void *arg)
+
+ }
+
+- Curl_thread_pop_cleanup();
+-#if defined(__clang__)
+-#pragma clang diagnostic pop
+-#endif
+-
+ addr_ctx_unlink(&addr_ctx, NULL);
+ return 0;
+ }
+@@ -293,24 +268,11 @@ static CURL_THREAD_RETURN_T CURL_STDCALL gethostbyname_thread(void *arg)
+ struct async_thrdd_addr_ctx *addr_ctx = arg;
+ bool do_abort;
+
+-/* clang complains about empty statements and the pthread_cleanup* macros
+- * are pretty ill defined. */
+-#if defined(__clang__)
+-#pragma clang diagnostic push
+-#pragma clang diagnostic ignored "-Wextra-semi-stmt"
+-#endif
+-
+- Curl_thread_push_cleanup(async_thrd_cleanup, addr_ctx);
+-
+ Curl_mutex_acquire(&addr_ctx->mutx);
+ do_abort = addr_ctx->do_abort;
+ Curl_mutex_release(&addr_ctx->mutx);
+
+ if(!do_abort) {
+-#ifdef DEBUGBUILD
+- Curl_resolve_test_delay();
+-#endif
+-
+ addr_ctx->res = Curl_ipv4_resolve_r(addr_ctx->hostname, addr_ctx->port);
+ if(!addr_ctx->res) {
+ addr_ctx->sock_error = SOCKERRNO;
+@@ -337,12 +299,7 @@ static CURL_THREAD_RETURN_T CURL_STDCALL gethostbyname_thread(void *arg)
+ #endif
+ }
+
+- Curl_thread_pop_cleanup();
+-#if defined(__clang__)
+-#pragma clang diagnostic pop
+-#endif
+-
+- async_thrd_cleanup(addr_ctx);
++ addr_ctx_unlink(&addr_ctx, NULL);
+ return 0;
+ }
+
+@@ -381,12 +338,12 @@ static void async_thrdd_destroy(struct Curl_easy *data)
+ CURL_TRC_DNS(data, "async_thrdd_destroy, thread joined");
+ }
+ else {
+- /* thread is still running. Detach the thread while mutexed, it will
+- * trigger the cleanup when it releases its reference. */
++ /* thread is still running. Detach it. */
+ Curl_thread_destroy(&addr->thread_hnd);
+ CURL_TRC_DNS(data, "async_thrdd_destroy, thread detached");
+ }
+ }
++ /* release our reference to the shared context */
+ addr_ctx_unlink(&thrdd->addr, data);
+ }
+
+@@ -532,10 +489,12 @@ static void async_thrdd_shutdown(struct Curl_easy *data)
+ done = addr_ctx->thrd_done;
+ Curl_mutex_release(&addr_ctx->mutx);
+
+- DEBUGASSERT(addr_ctx->thread_hnd != curl_thread_t_null);
+- if(!done && (addr_ctx->thread_hnd != curl_thread_t_null)) {
+- CURL_TRC_DNS(data, "cancelling resolve thread");
+- (void)Curl_thread_cancel(&addr_ctx->thread_hnd);
++ /* Wait for the thread to terminate if it is already marked done. If it is
++ not done yet we cannot do anything here. We had tried pthread_cancel but
++ it caused hanging and resource leaks (#18532). */
++ if(done && (addr_ctx->thread_hnd != curl_thread_t_null)) {
++ Curl_thread_join(&addr_ctx->thread_hnd);
++ CURL_TRC_DNS(data, "async_thrdd_shutdown, thread joined");
+ }
+ }
+
+@@ -553,9 +512,11 @@ static CURLcode asyn_thrdd_await(struct Curl_easy *data,
+ if(!entry)
+ async_thrdd_shutdown(data);
+
+- CURL_TRC_DNS(data, "resolve, wait for thread to finish");
+- if(!Curl_thread_join(&addr_ctx->thread_hnd)) {
+- DEBUGASSERT(0);
++ if(addr_ctx->thread_hnd != curl_thread_t_null) {
++ CURL_TRC_DNS(data, "resolve, wait for thread to finish");
++ if(!Curl_thread_join(&addr_ctx->thread_hnd)) {
++ DEBUGASSERT(0);
++ }
+ }
+
+ if(entry)
+--- a/lib/curl_threads.c
++++ b/lib/curl_threads.c
+@@ -100,34 +100,6 @@ int Curl_thread_join(curl_thread_t *hnd)
+ return ret;
+ }
+
+-/* do not use pthread_cancel if:
+- * - pthread_cancel seems to be absent
+- * - on FreeBSD, as we see hangers in CI testing
+- * - this is a -fsanitize=thread build
+- * (clang sanitizer reports false positive when functions to not return)
+- */
+-#if defined(PTHREAD_CANCEL_ENABLE) && !defined(__FreeBSD__)
+-#if defined(__has_feature)
+-# if !__has_feature(thread_sanitizer)
+-#define USE_PTHREAD_CANCEL
+-# endif
+-#else /* __has_feature */
+-#define USE_PTHREAD_CANCEL
+-#endif /* !__has_feature */
+-#endif /* PTHREAD_CANCEL_ENABLE && !__FreeBSD__ */
+-
+-int Curl_thread_cancel(curl_thread_t *hnd)
+-{
+- (void)hnd;
+- if(*hnd != curl_thread_t_null)
+-#ifdef USE_PTHREAD_CANCEL
+- return pthread_cancel(**hnd);
+-#else
+- return 1; /* not supported */
+-#endif
+- return 0;
+-}
+-
+ #elif defined(USE_THREADS_WIN32)
+
+ curl_thread_t Curl_thread_create(CURL_THREAD_RETURN_T
+@@ -182,12 +154,4 @@ int Curl_thread_join(curl_thread_t *hnd)
+ return ret;
+ }
+
+-int Curl_thread_cancel(curl_thread_t *hnd)
+-{
+- if(*hnd != curl_thread_t_null) {
+- return 1; /* not supported */
+- }
+- return 0;
+-}
+-
+ #endif /* USE_THREADS_* */
+--- a/lib/curl_threads.h
++++ b/lib/curl_threads.h
+@@ -66,22 +66,6 @@ void Curl_thread_destroy(curl_thread_t *hnd);
+
+ int Curl_thread_join(curl_thread_t *hnd);
+
+-int Curl_thread_cancel(curl_thread_t *hnd);
+-
+-#if defined(USE_THREADS_POSIX) && defined(PTHREAD_CANCEL_ENABLE)
+-#define Curl_thread_push_cleanup(a,b) pthread_cleanup_push(a,b)
+-#define Curl_thread_pop_cleanup() pthread_cleanup_pop(0)
+-#define Curl_thread_enable_cancel() \
+- pthread_setcancelstate(PTHREAD_CANCEL_ENABLE, NULL)
+-#define Curl_thread_disable_cancel() \
+- pthread_setcancelstate(PTHREAD_CANCEL_DISABLE, NULL)
+-#else
+-#define Curl_thread_push_cleanup(a,b) ((void)a,(void)b)
+-#define Curl_thread_pop_cleanup() Curl_nop_stmt
+-#define Curl_thread_enable_cancel() Curl_nop_stmt
+-#define Curl_thread_disable_cancel() Curl_nop_stmt
+-#endif
+-
+ #endif /* USE_THREADS_POSIX || USE_THREADS_WIN32 */
+
+ #endif /* HEADER_CURL_THREADS_H */
+--- a/lib/hostip.c
++++ b/lib/hostip.c
+@@ -1132,10 +1132,6 @@ CURLcode Curl_resolv_timeout(struct Curl_easy *data,
+ prev_alarm = alarm(curlx_sltoui(timeout/1000L));
+ }
+
+-#ifdef DEBUGBUILD
+- Curl_resolve_test_delay();
+-#endif
+-
+ #else /* !USE_ALARM_TIMEOUT */
+ #ifndef CURLRES_ASYNCH
+ if(timeoutms)
+@@ -1639,18 +1635,3 @@ CURLcode Curl_resolver_error(struct Curl_easy *data, const char *detail)
+ return result;
+ }
+ #endif /* USE_CURL_ASYNC */
+-
+-#ifdef DEBUGBUILD
+-#include "curlx/wait.h"
+-
+-void Curl_resolve_test_delay(void)
+-{
+- const char *p = getenv("CURL_DNS_DELAY_MS");
+- if(p) {
+- curl_off_t l;
+- if(!curlx_str_number(&p, &l, TIME_T_MAX) && l) {
+- curlx_wait_ms((timediff_t)l);
+- }
+- }
+-}
+-#endif
+--- a/lib/hostip.h
++++ b/lib/hostip.h
+@@ -216,8 +216,4 @@ struct Curl_addrinfo *Curl_sync_getaddrinfo(struct Curl_easy *data,
+
+ #endif
+
+-#ifdef DEBUGBUILD
+-void Curl_resolve_test_delay(void);
+-#endif
+-
+ #endif /* HEADER_CURL_HOSTIP_H */
+--- a/tests/data/Makefile.am
++++ b/tests/data/Makefile.am
+@@ -112,7 +112,7 @@ test754 test755 test756 test757 test758 test759 test760 test761 test762 \
+ test763 \
+ \
+ test780 test781 test782 test783 test784 test785 test786 test787 test788 \
+-test789 test790 test791 test792 test793 test794 test795 test796 test797 \
++test789 test790 test791 test792 test793 test794 test796 test797 \
+ \
+ test799 test800 test801 test802 test803 test804 test805 test806 test807 \
+ test808 test809 test810 test811 test812 test813 test814 test815 test816 \
+--- a/tests/data/test795
++++ /dev/null
+@@ -1,36 +0,0 @@
+-<testcase>
+-<info>
+-<keywords>
+-DNS
+-</keywords>
+-</info>
+-
+-# Client-side
+-<client>
+-<features>
+-http
+-Debug
+-!c-ares
+-!win32
+-</features>
+-<name>
+-Delayed resolve --connect-timeout check
+-</name>
+-<setenv>
+-CURL_DNS_DELAY_MS=5000
+-</setenv>
+-<command>
+-http://test.invalid -v --no-progress-meter --trace-config dns --connect-timeout 1 -w \%{time_total}
+-</command>
+-</client>
+-
+-# Verify data after the test has been "shot"
+-<verify>
+-<errorcode>
+-28
+-</errorcode>
+-<postcheck>
+-%SRCDIR/libtest/test795.pl %LOGDIR/stdout%TESTNUMBER 2 >> %LOGDIR/stderr%TESTNUMBER
+-</postcheck>
+-</verify>
+-</testcase>
+--- a/tests/libtest/Makefile.am
++++ b/tests/libtest/Makefile.am
+@@ -42,7 +42,7 @@ AM_CPPFLAGS = -I$(top_srcdir)/include \
+ include Makefile.inc
+
+ EXTRA_DIST = CMakeLists.txt $(FIRST_C) $(FIRST_H) $(UTILS_C) $(UTILS_H) $(TESTS_C) \
+- test307.pl test610.pl test613.pl test795.pl test1013.pl test1022.pl mk-lib1521.pl
++ test307.pl test610.pl test613.pl test1013.pl test1022.pl mk-lib1521.pl
+
+ CFLAGS += @CURL_CFLAG_EXTRAS@
+
+--- a/tests/libtest/test795.pl
++++ /dev/null
+@@ -1,46 +0,0 @@
+-#!/usr/bin/env perl
+-#***************************************************************************
+-# _ _ ____ _
+-# Project ___| | | | _ \| |
+-# / __| | | | |_) | |
+-# | (__| |_| | _ <| |___
+-# \___|\___/|_| \_\_____|
+-#
+-# Copyright (C) Daniel Stenberg, <[email protected]>, et al.
+-#
+-# This software is licensed as described in the file COPYING, which
+-# you should have received as part of this distribution. The terms
+-# are also available at https://curl.se/docs/copyright.html.
+-#
+-# You may opt to use, copy, modify, merge, publish, distribute and/or sell
+-# copies of the Software, and permit persons to whom the Software is
+-# furnished to do so, under the terms of the COPYING file.
+-#
+-# This software is distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY
+-# KIND, either express or implied.
+-#
+-# SPDX-License-Identifier: curl
+-#
+-###########################################################################
+-use strict;
+-use warnings;
+-
+-my $ok = 1;
+-my $exp_duration = $ARGV[1] + 0.0;
+-
+-# Read the output of curl --version
+-open(F, $ARGV[0]) || die "Can't open test result from $ARGV[0]\n";
+-$_ = <F>;
+-chomp;
+-/\s*([\.\d]+)\s*/;
+-my $duration = $1 + 0.0;
+-close F;
+-
+-if ($duration <= $exp_duration) {
+- print "OK: duration of $duration in expected range\n";
+- $ok = 0;
+-}
+-else {
+- print "FAILED: duration of $duration is larger than $exp_duration\n";
+-}
+-exit $ok;
diff --git a/net-misc/curl/files/curl-8.16.0-ssl_verifyhost.patch b/net-misc/curl/files/curl-8.16.0-ssl_verifyhost.patch
new file mode 100644
index 000000000000..4d08f7f796bc
--- /dev/null
+++ b/net-misc/curl/files/curl-8.16.0-ssl_verifyhost.patch
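Review bot: In `async_thrdd_shutdown` the not-done case now does nothing, so a resolver thread still inside `Curl_getaddrinfo_ex` or `Curl_ipv4_resolve_r` keeps running until that call returns, and the `else` branch of `async_thrdd_destroy` only detaches it. The new comment says "we cannot do anything here" but does not tell the reader that a timed-out or aborted transfer can leave such a thread, and its reference on the shared context, alive for as long as the system resolver blocks; I would extend it with `/* a thread that is not done keeps running detached and drops its addr_ctx reference itself when the resolver call returns */`. The same patch deletes test795 and the `CURL_DNS_DELAY_MS` hook, which as far as this patch shows was the check for `--connect-timeout` during a slow resolve, so that behaviour is carried here without a regression test. Both functions start outside their hunks, so the locking around `thrd_done` is only partly visible.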
@@ -0,0 +1,63 @@
+https://github.com/curl/curl/commit/f7cac7cc07a45481b246c875e8113d741ba2a6e1
+From: Daniel Stenberg <[email protected]>
+Date: Sun, 14 Sep 2025 23:28:03 +0200
+Subject: [PATCH] setopt: accept *_SSL_VERIFYHOST set to 2L
+
+... without outputing a verbose message about it. In the early days we
+had 2L and 1L have different functionalities.
+
+Reported-by: Jicea
+Bug: https://curl.se/mail/lib-2025-09/0031.html
+Closes #18547
+--- a/lib/setopt.c
++++ b/lib/setopt.c
+@@ -443,6 +443,7 @@ static CURLcode setopt_bool(struct Curl_easy *data, CURLoption option,
+ long arg, bool *set)
+ {
+ bool enabled = !!arg;
++ int ok = 1;
+ struct UserDefined *s = &data->set;
+ switch(option) {
+ case CURLOPT_FORBID_REUSE:
+@@ -619,7 +620,7 @@ static CURLcode setopt_bool(struct Curl_easy *data, CURLoption option,
+ * Enable verification of the hostname in the peer certificate for proxy
+ */
+ s->proxy_ssl.primary.verifyhost = enabled;
+-
++ ok = 2;
+ /* Update the current connection proxy_ssl_config. */
+ Curl_ssl_conn_config_update(data, TRUE);
+ break;
+@@ -723,6 +724,7 @@ static CURLcode setopt_bool(struct Curl_easy *data, CURLoption option,
+ * Enable verification of the hostname in the peer certificate for DoH
+ */
+ s->doh_verifyhost = enabled;
++ ok = 2;
+ break;
+ case CURLOPT_DOH_SSL_VERIFYSTATUS:
+ /*
+@@ -732,6 +734,7 @@ static CURLcode setopt_bool(struct Curl_easy *data, CURLoption option,
+ return CURLE_NOT_BUILT_IN;
+
+ s->doh_verifystatus = enabled;
++ ok = 2;
+ break;
+ #endif /* ! CURL_DISABLE_DOH */
+ case CURLOPT_SSL_VERIFYHOST:
+@@ -743,6 +746,7 @@ static CURLcode setopt_bool(struct Curl_easy *data, CURLoption option,
+ this argument took a boolean when it was not and misused it.
+ Treat 1 and 2 the same */
+ s->ssl.primary.verifyhost = enabled;
++ ok = 2;
+
+ /* Update the current connection ssl_config. */
+ Curl_ssl_conn_config_update(data, FALSE);
+@@ -844,7 +848,7 @@ static CURLcode setopt_bool(struct Curl_easy *data, CURLoption option,
+ default:
+ return CURLE_OK;
+ }
+- if((arg > 1) || (arg < 0))
++ if((arg > ok) || (arg < 0))
+ /* reserve other values for future use */
+ infof(data, "boolean setopt(%d) got unsupported argument %ld,"
+ " treated as %d", option, arg, enabled);
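Review bot: The hunk under `case CURLOPT_DOH_SSL_VERIFYSTATUS:` also sets `ok = 2` after `s->doh_verifystatus = enabled;`, although the subject only covers the `*_SSL_VERIFYHOST` options; with that line a value of 2 passed to a plain on/off option skips the "unsupported argument" `infof()` as well. If that is not intended, drop the `ok = 2;` in that case. `ok` is also an upper bound rather than a status flag, so a name such as `max_arg` with a comment like `/* highest argument value accepted without the verbose note */` would make the final `(arg > ok)` test easier to read. `setopt_bool` begins and ends outside these hunks.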
