net-misc/curl: add 7.88.0-r1

* Add HTTP/2 patchset
* Add test fix patchset

Bug: https://bugs.gentoo.org/894676
Signed-off-by: Matt Jolly <Matt.Jolly@footclan.ninja>
Signed-off-by: Sam James <sam@gentoo.org>

3 files changed, 511 insertions, 0 deletions

diff --git a/net-misc/curl/curl-7.88.0-r1.ebuild b/net-misc/curl/curl-7.88.0-r1.ebuild
new file mode 100644
index 000000000000..a95ae998050a
--- /dev/null
+++ b/net-misc/curl/curl-7.88.0-r1.ebuild
@@ -0,0 +1,298 @@
+# Copyright 1999-2023 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI="8"
+
+inherit autotools prefix multilib-minimal verify-sig
+
+DESCRIPTION="A Client that groks URLs"
+HOMEPAGE="https://curl.se/"
+SRC_URI="https://curl.se/download/${P}.tar.xz
+	verify-sig? ( https://curl.se/download/${P}.tar.xz.asc )"
+
+LICENSE="curl"
+SLOT="0"
+KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~loong ~m68k ~mips ~ppc ~ppc64 ~riscv ~s390 ~sparc ~x86 ~x64-cygwin ~amd64-linux ~x86-linux ~ppc-macos ~x64-macos ~sparc-solaris ~sparc64-solaris ~x64-solaris ~x86-solaris"
+IUSE="+adns alt-svc brotli +ftp gnutls gopher hsts +http2 idn +imap kerberos ldap mbedtls nss +openssl +pop3 +progress-meter rtmp rustls samba +smtp ssh ssl sslv3 static-libs test telnet +tftp websockets zstd"
+IUSE+=" curl_ssl_gnutls curl_ssl_mbedtls curl_ssl_nss +curl_ssl_openssl curl_ssl_rustls"
+IUSE+=" nghttp3"
+VERIFY_SIG_OPENPGP_KEY_PATH="${BROOT}"/usr/share/openpgp-keys/danielstenberg.asc
+
+#Only one default ssl provider can be enabled
+REQUIRED_USE="
+	ssl? (
+		^^ (
+			curl_ssl_gnutls
+			curl_ssl_mbedtls
+			curl_ssl_nss
+			curl_ssl_openssl
+			curl_ssl_rustls
+		)
+	)"
+
+# lead to lots of false negatives, bug #285669
+RESTRICT="!test? ( test )"
+
+RDEPEND="ldap? ( net-nds/openldap:=[${MULTILIB_USEDEP}] )
+	brotli? ( app-arch/brotli:=[${MULTILIB_USEDEP}] )
+	ssl? (
+		gnutls? (
+			net-libs/gnutls:=[static-libs?,${MULTILIB_USEDEP}]
+			dev-libs/nettle:=[${MULTILIB_USEDEP}]
+			app-misc/ca-certificates
+		)
+		mbedtls? (
+			net-libs/mbedtls:=[${MULTILIB_USEDEP}]
+			app-misc/ca-certificates
+		)
+		openssl? (
+			dev-libs/openssl:=[sslv3(-)=,static-libs?,${MULTILIB_USEDEP}]
+		)
+		nss? (
+			dev-libs/nss:0[${MULTILIB_USEDEP}]
+			dev-libs/nss-pem
+			app-misc/ca-certificates
+		)
+		rustls? (
+			net-libs/rustls-ffi:=[${MULTILIB_USEDEP}]
+		)
+	)
+	http2? ( net-libs/nghttp2:=[${MULTILIB_USEDEP}] )
+	nghttp3? (
+		net-libs/nghttp3[${MULTILIB_USEDEP}]
+		net-libs/ngtcp2[ssl,${MULTILIB_USEDEP}]
+	)
+	idn? ( net-dns/libidn2:=[static-libs?,${MULTILIB_USEDEP}] )
+	adns? ( net-dns/c-ares:=[${MULTILIB_USEDEP}] )
+	kerberos? ( >=virtual/krb5-0-r1[${MULTILIB_USEDEP}] )
+	rtmp? ( media-video/rtmpdump[${MULTILIB_USEDEP}] )
+	ssh? ( net-libs/libssh2[${MULTILIB_USEDEP}] )
+	sys-libs/zlib[${MULTILIB_USEDEP}]
+	zstd? ( app-arch/zstd:=[${MULTILIB_USEDEP}] )"
+
+DEPEND="${RDEPEND}"
+BDEPEND="dev-lang/perl
+	virtual/pkgconfig
+	test? (
+		sys-apps/diffutils
+	)
+	verify-sig? ( sec-keys/openpgp-keys-danielstenberg )"
+
+DOCS=( CHANGES README docs/{FEATURES.md,INTERNALS.md,FAQ,BUGS.md,CONTRIBUTE.md} )
+
+MULTILIB_WRAPPED_HEADERS=(
+	/usr/include/curl/curlbuild.h
+)
+
+MULTILIB_CHOST_TOOLS=(
+	/usr/bin/curl-config
+)
+
+PATCHES=(
+	"${FILESDIR}"/${PN}-7.30.0-prefix.patch
+	"${FILESDIR}"/${PN}-respect-cflags-3.patch
+
+	"${FILESDIR}"/${P}-http2.patch
+	"${FILESDIR}"/${P}-tests.patch
+)
+
+src_prepare() {
+	default
+
+	eprefixify curl-config.in
+	eautoreconf
+}
+
+multilib_src_configure() {
+	# We make use of the fact that later flags override earlier ones
+	# So start with all ssl providers off until proven otherwise
+	# TODO: in the future, we may want to add wolfssl (https://www.wolfssl.com/)
+	local myconf=()
+
+	myconf+=( --without-ca-fallback --with-ca-bundle="${EPREFIX}"/etc/ssl/certs/ca-certificates.crt  )
+	#myconf+=( --without-default-ssl-backend )
+	if use ssl ; then
+		myconf+=( --without-gnutls --without-mbedtls --without-nss --without-rustls )
+
+		if use gnutls || use curl_ssl_gnutls; then
+			einfo "SSL provided by gnutls"
+			myconf+=( --with-gnutls )
+		fi
+		if use mbedtls || use curl_ssl_mbedtls; then
+			einfo "SSL provided by mbedtls"
+			myconf+=( --with-mbedtls )
+		fi
+		if use nss || use curl_ssl_nss; then
+			einfo "SSL provided by nss"
+			myconf+=( --with-nss --with-nss-deprecated )
+		fi
+		if use openssl || use curl_ssl_openssl; then
+			einfo "SSL provided by openssl"
+			myconf+=( --with-ssl --with-ca-path="${EPREFIX}"/etc/ssl/certs )
+		fi
+		if use rustls || use curl_ssl_rustls; then
+			einfo "SSL provided by rustls"
+			myconf+=( --with-rustls )
+		fi
+		if use curl_ssl_gnutls; then
+			einfo "Default SSL provided by gnutls"
+			myconf+=( --with-default-ssl-backend=gnutls )
+		elif use curl_ssl_mbedtls; then
+			einfo "Default SSL provided by mbedtls"
+			myconf+=( --with-default-ssl-backend=mbedtls )
+		elif use curl_ssl_nss; then
+			einfo "Default SSL provided by nss"
+			myconf+=( --with-default-ssl-backend=nss )
+		elif use curl_ssl_openssl; then
+			einfo "Default SSL provided by openssl"
+			myconf+=( --with-default-ssl-backend=openssl )
+		elif use curl_ssl_rustls; then
+			einfo "Default SSL provided by rustls"
+			myconf+=( --with-default-ssl-backend=rustls )
+		else
+			eerror "We can't be here because of REQUIRED_USE."
+		fi
+
+	else
+		myconf+=( --without-ssl )
+		einfo "SSL disabled"
+	fi
+
+	# These configuration options are organized alphabetically
+	# within each category.  This should make it easier if we
+	# ever decide to make any of them contingent on USE flags:
+	# 1) protocols first.  To see them all do
+	# 'grep SUPPORT_PROTOCOLS configure.ac'
+	# 2) --enable/disable options second.
+	# 'grep -- --enable configure | grep Check | awk '{ print $4 }' | sort
+	# 3) --with/without options third.
+	# grep -- --with configure | grep Check | awk '{ print $4 }' | sort
+
+	myconf+=(
+		$(use_enable alt-svc)
+		--enable-crypto-auth
+		--enable-dict
+		--disable-ech
+		--enable-file
+		$(use_enable ftp)
+		$(use_enable gopher)
+		$(use_enable hsts)
+		--enable-http
+		$(use_enable imap)
+		$(use_enable ldap)
+		$(use_enable ldap ldaps)
+		--enable-ntlm
+		--disable-ntlm-wb
+		$(use_enable pop3)
+		--enable-rt
+		--enable-rtsp
+		$(use_enable samba smb)
+		$(use_with ssh libssh2)
+		$(use_enable smtp)
+		$(use_enable telnet)
+		$(use_enable tftp)
+		--enable-tls-srp
+		$(use_enable adns ares)
+		--enable-cookies
+		--enable-dateparse
+		--enable-dnsshuffle
+		--enable-doh
+		--enable-symbol-hiding
+		--enable-http-auth
+		--enable-ipv6
+		--enable-largefile
+		--enable-manual
+		--enable-mime
+		--enable-netrc
+		$(use_enable progress-meter)
+		--enable-proxy
+		--disable-sspi
+		$(use_enable static-libs static)
+		--enable-pthreads
+		--enable-threaded-resolver
+		--disable-versioned-symbols
+		--without-amissl
+		--without-bearssl
+		$(use_with brotli)
+		--without-fish-functions-dir
+		$(use_with http2 nghttp2)
+		--without-hyper
+		$(use_with idn libidn2)
+		$(use_with kerberos gssapi "${EPREFIX}"/usr)
+		--without-libgsasl
+		--without-libpsl
+		--without-msh3
+		$(use_with nghttp3)
+		$(use_with nghttp3 ngtcp2)
+		--without-quiche
+		$(use_with rtmp librtmp)
+		--without-schannel
+		--without-secure-transport
+		$(use_enable websockets)
+		--without-winidn
+		--without-wolfssl
+		--with-zlib
+		$(use_with zstd)
+	)
+
+	# Do not supply a test httpd/caddy/etc
+	if use test; then
+		myconf+=(
+			--without-test-caddy
+			--without-test-httpd
+			--without-test-nghttpx
+		)
+	fi
+
+	ECONF_SOURCE="${S}" econf "${myconf[@]}"
+
+	if ! multilib_is_native_abi; then
+		# avoid building the client
+		sed -i -e '/SUBDIRS/s:src::' Makefile || die
+		sed -i -e '/SUBDIRS/s:scripts::' Makefile || die
+	fi
+
+	# Fix up the pkg-config file to be more robust.
+	# https://github.com/curl/curl/issues/864
+	local priv=() libs=()
+	# We always enable zlib.
+	libs+=( "-lz" )
+	priv+=( "zlib" )
+	if use http2; then
+		libs+=( "-lnghttp2" )
+		priv+=( "libnghttp2" )
+	fi
+	if use nghttp3; then
+		libs+=( "-lnghttp3" "-lngtcp2" )
+		priv+=( "libnghttp3" "libngtcp2" )
+	fi
+	if use ssl && use curl_ssl_openssl; then
+		libs+=( "-lssl" "-lcrypto" )
+		priv+=( "openssl" )
+	fi
+	grep -q Requires.private libcurl.pc && die "need to update ebuild"
+	libs=$(printf '|%s' "${libs[@]}")
+	sed -i -r \
+		-e "/^Libs.private/s:(${libs#|})( |$)::g" \
+		libcurl.pc || die
+	echo "Requires.private: ${priv[*]}" >> libcurl.pc || die
+}
+
+multilib_src_test() {
+	# See https://github.com/curl/curl/blob/master/tests/runtests.pl#L5721
+	# -n: no valgrind (unreliable in sandbox and doesn't work correctly on all arches)
+	# -v: verbose
+	# -a: keep going on failure (so we see everything which breaks, not just 1st test)
+	# -k: keep test files after completion
+	# -am: automake style TAP output
+	# -p: print logs if test fails
+	# Note: if needed, we can disable tests. See e.g. Fedora's packaging
+	# or just read https://github.com/curl/curl/tree/master/tests#run.
+	multilib_is_native_abi && emake test TFLAGS="-n -v -a -k -am -p"
+}
+
+multilib_src_install_all() {
+	einstalldocs
+	find "${ED}" -type f -name '*.la' -delete || die
+	rm -rf "${ED}"/etc/ || die
+}
diff --git a/net-misc/curl/files/curl-7.88.0-http2.patch b/net-misc/curl/files/curl-7.88.0-http2.patch
new file mode 100644
index 000000000000..49d90e901823
--- /dev/null
+++ b/net-misc/curl/files/curl-7.88.0-http2.patch
@@ -0,0 +1,93 @@
+https://github.com/curl/curl/commit/87ed650d04dc1a6f7944a5d952f7d5b0934a19ac
+Author: Harry Sintonen <sintonen@iki.fi>
+Date:   Thu Feb 16 06:26:26 2023 +0200
+
+    http2: set drain on stream end
+    
+    Ensure that on_frame_recv() stream end will trigger a read if there is
+    pending data. Without this it could happen that the pending data is
+    never consumed.
+    
+    This combined with https://github.com/curl/curl/pull/10529 should fix
+    https://github.com/curl/curl/issues/10525
+    
+    Ref: https://github.com/curl/curl/issues/10525
+    Closes #10530
+
+--- a/lib/http2.c
++++ b/lib/http2.c
+@@ -868,6 +868,14 @@ static int on_frame_recv(nghttp2_session *session, const nghttp2_frame *frame,
+         return NGHTTP2_ERR_CALLBACK_FAILURE;
+       }
+     }
++    if(frame->hd.flags & NGHTTP2_FLAG_END_STREAM) {
++      /* Stream has ended. If there is pending data, ensure that read
++         will occur to consume it. */
++      if(!data->state.drain && stream->memlen) {
++        drain_this(cf, data_s);
++        Curl_expire(data, 0, EXPIRE_RUN_NOW);
++      }
++    }
+     break;
+   case NGHTTP2_HEADERS:
+     DEBUGF(LOG_CF(data_s, cf, "[h2sid=%u] recv frame HEADERS", stream_id));
+
+https://github.com/curl/curl/commit/3103de2053ca8cacf9cdbe78764ba6814481709f
+Author: Stefan Eissing <stefan@eissing.org>
+Date:   Wed Feb 15 22:11:13 2023 +0100
+
+    http2: buffer/pausedata and output flush fix.
+    
+     * do not process pending input data when copying pausedata to the
+       caller
+     * return CURLE_AGAIN if the output buffer could not be completely
+       written out.
+    
+    Ref: #10525
+    Closes #10529
+
+--- a/lib/http2.c
++++ b/lib/http2.c
+@@ -467,6 +467,7 @@ static CURLcode flush_output(struct Curl_cfilter *cf,
+   }
+   if((size_t)written < buflen) {
+     Curl_dyn_tail(&ctx->outbuf, buflen - (size_t)written);
++    return CURLE_AGAIN;
+   }
+   else {
+     Curl_dyn_reset(&ctx->outbuf);
+@@ -1790,6 +1791,7 @@ static ssize_t cf_h2_recv(struct Curl_cfilter *cf, struct Curl_easy *data,
+ 
+     stream->pausedata += nread;
+     stream->pauselen -= nread;
++    drain_this(cf, data);
+ 
+     if(stream->pauselen == 0) {
+       DEBUGF(LOG_CF(data, cf, "[h2sid=%u] Unpaused", stream->stream_id));
+@@ -1798,18 +1800,6 @@ static ssize_t cf_h2_recv(struct Curl_cfilter *cf, struct Curl_easy *data,
+ 
+       stream->pausedata = NULL;
+       stream->pauselen = 0;
+-
+-      /* When NGHTTP2_ERR_PAUSE is returned from
+-         data_source_read_callback, we might not process DATA frame
+-         fully.  Calling nghttp2_session_mem_recv() again will
+-         continue to process DATA frame, but if there is no incoming
+-         frames, then we have to call it again with 0-length data.
+-         Without this, on_stream_close callback will not be called,
+-         and stream could be hanged. */
+-      if(h2_process_pending_input(cf, data, err) != 0) {
+-        nread = -1;
+-        goto out;
+-      }
+     }
+     DEBUGF(LOG_CF(data, cf, "[h2sid=%u] recv: returns unpaused %zd bytes",
+                   stream->stream_id, nread));
+@@ -1933,6 +1923,7 @@ static ssize_t cf_h2_recv(struct Curl_cfilter *cf, struct Curl_easy *data,
+       drained_transfer(cf, data);
+     }
+ 
++    *err = CURLE_OK;
+     nread = retlen;
+     DEBUGF(LOG_CF(data, cf, "[h2sid=%u] cf_h2_recv -> %zd",
+                   stream->stream_id, nread));
diff --git a/net-misc/curl/files/curl-7.88.0-tests.patch b/net-misc/curl/files/curl-7.88.0-tests.patch
new file mode 100644
index 000000000000..81131dc6bc64
--- /dev/null
+++ b/net-misc/curl/files/curl-7.88.0-tests.patch
@@ -0,0 +1,120 @@
+https://github.com/curl/curl/commit/f1d09231adfc695d15995b9ef2c8c6e568c28091
+Author: Stefan Eissing <stefan@eissing.org>
+Date:   Tue Feb 14 14:29:13 2023 +0100
+
+    tests: make the telnet server shut down a socket gracefully
+    
+    - test 1452 failed occasionally with ECONNRESET errnos in curl when the
+      server closed the connection in an unclean state.
+    
+    Closes #10509
+
+--- a/tests/negtelnetserver.py
++++ b/tests/negtelnetserver.py
+@@ -29,7 +29,9 @@ from __future__ import (absolute_import, division, print_function,
+ import argparse
+ import logging
+ import os
++import socket
+ import sys
++import time
+ 
+ from util import ClosingFileHandler
+ 
+@@ -90,7 +92,7 @@ class NegotiatingTelnetHandler(socketserver.BaseRequestHandler):
+             neg.send_wont("NAWS")
+ 
+             # Get the data passed through the negotiator
+-            data = neg.recv(1024)
++            data = neg.recv(4*1024)
+             log.debug("Incoming data: %r", data)
+ 
+             if VERIFIED_REQ.encode('utf-8') in data:
+@@ -109,6 +111,12 @@ class NegotiatingTelnetHandler(socketserver.BaseRequestHandler):
+                 log.debug("Sending %r", response_data)
+                 self.request.sendall(response_data)
+ 
++            # put some effort into making a clean socket shutdown
++            # that does not give the client ECONNRESET
++            self.request.settimeout(0.1)
++            self.request.recv(4*1024)
++            self.request.shutdown(socket.SHUT_RDWR)
++
+         except IOError:
+             log.exception("IOError hit during request")
+ 
+
+https://github.com/curl/curl/commit/2fdc1d816ebf3c77f43068103bec1b3a3767881a
+Author: Daniel Stenberg <daniel@haxx.se>
+Date:   Wed Feb 15 15:04:07 2023 +0100
+
+    tests: make sure gnuserv-tls has SRP support before using it
+    
+    Reported-by: fundawang on github
+    Fixes #10522
+    Closes #10524
+
+--- a/tests/runtests.pl
++++ b/tests/runtests.pl
+@@ -5382,7 +5382,7 @@ sub startservers {
+         elsif($what eq "httptls") {
+             if(!$httptlssrv) {
+                 # for now, we can't run http TLS-EXT tests without gnutls-serv
+-                return "no gnutls-serv";
++                return "no gnutls-serv (with SRP support)";
+             }
+             if($torture && $run{'httptls'} &&
+                !responsive_httptls_server($verbose, "IPv4")) {
+--- a/tests/sshhelp.pm
++++ b/tests/sshhelp.pm
+@@ -408,7 +408,16 @@ sub find_sshkeygen {
+ # Find httptlssrv (gnutls-serv) and return canonical filename
+ #
+ sub find_httptlssrv {
+-    return find_exe_file_hpath($httptlssrvexe);
++    my $p = find_exe_file_hpath($httptlssrvexe);
++    my @o = `$p -l`;
++    my $found;
++    for(@o) {
++        if(/Key exchange: SRP/) {
++            $found = 1;
++            last;
++        }
++    }
++    return $p if($found);
+ }
+ 
+ 
+
+https://github.com/curl/curl/commit/79d0b3c0c0bb00829f10ec139dbf3823c249ae72
+Author: Daniel Stenberg <daniel@haxx.se>
+Date:   Wed Feb 15 13:03:21 2023 +0100
+
+    runtests: fix "uninitialized value $port"
+    
+    by using a more appropriate variable
+    
+    Reported-by: fundawang on github
+    Fixes #10518
+    Closes #10520
+
+--- a/tests/runtests.pl
++++ b/tests/runtests.pl
+@@ -1740,7 +1740,7 @@ sub runhttpserver {
+     }
+ 
+     # where is it?
+-    my $port;
++    my $port = 0;
+     if(!$port_or_path) {
+         $port = $port_or_path = pidfromfile($portfile);
+     }
+@@ -1758,7 +1758,7 @@ sub runhttpserver {
+     $pid2 = $pid3;
+ 
+     if($verbose) {
+-        logmsg "RUN: $srvrname server is on PID $httppid port $port\n";
++        logmsg "RUN: $srvrname server is on PID $httppid port $port_or_path\n";
+     }
+ 
+     return ($httppid, $pid2, $port);