net-misc/curl: add 8.0.1

Note that https://github.com/curl/curl/commit/372b95f77f08ae7a64a5bca53cfb342ec5a8adc9
did get fixed in this release, although the warnings in bug 898364 weren't real
issues here.

Kangie's done a great job of upstreaming various fixes here but is away at
the moment so I'm doing the easy bit of just bumping the ebuild.

Also sorted dependencies and some other minor tweaks to comments.

Bug: https://bugs.gentoo.org/902801
Closes: https://bugs.gentoo.org/879237
Closes: https://bugs.gentoo.org/898364
Signed-off-by: Sam James <sam@gentoo.org>

3 files changed, 476 insertions, 0 deletions

diff --git a/net-misc/curl/Manifest b/net-misc/curl/Manifest
index e32343230d55..7b6217a5f3f0 100644
--- a/net-misc/curl/Manifest
+++ b/net-misc/curl/Manifest
@@ -2,3 +2,5 @@ DIST curl-7.87.0.tar.xz 2547932 BLAKE2B b272ec928c5ef1728434630d8910f58834327a30
 DIST curl-7.87.0.tar.xz.asc 488 BLAKE2B 031d8236b357bd3c519548b181254dc0aea1efc1375738bce04f4f331d35bafe99d1ca394ecf5943ede7cae040854b6d2b478fd305147eb7330f8d50e5d95c96 SHA512 0bcc12bafc4ae50d80128af2cf4bf1a1ec6018ebb8d5b9c49f52b51c0c25acc77e820858965656549ef43c1f923f4e5fe75b0a3523623154b4cfb9dc8a1d76e4
 DIST curl-7.88.1.tar.xz 2581032 BLAKE2B ed7e7aa29efb02fd89a53d5c8d0ec79b4d17612ea07d2a6b5a951f0ca651b4cf7264704344b1a0c2d82196f4cb5c08525e06b4cdd432bc3278ff23c7a6580839 SHA512 b8d30c52a6d1c3e272608a7a8db78dfd79aef21330f34d6f1df43839a400e13ac6aac72a383526db0b711a70ecbec89a3b934677d7ecf5094fd64d3dbcb3492f
 DIST curl-7.88.1.tar.xz.asc 488 BLAKE2B ea90d840846fca3f0b17838a84431cb44d6e3f8d2b42c3eced1fb1c929a58e8899b303c93d27ca3cafcaa52e7269ac440e7102191d6b2c2751729a6c4116e82f SHA512 d6dc720533004c4d533cc4fb3dd33ac28d95e114f440ec011e4b58f65d1f4c40cfa10ba26d2e2f2f1f9de99511632578b4758c5e79593c7c30d29788fdf1cbb6
+DIST curl-8.0.1.tar.xz 2575544 BLAKE2B 67d82e9d71f0a351b5c2ed3ad5eab02e367ded872658a295179b935729d5105015f8c29569c396e11cd14036656af894ded85c8838cba260d9f6f1a8dcb5e22b SHA512 3bb777982659ed697ae90f113ff7b65d6ce8ba9fe6a8984cfd6769d2f051a72ba953c911abe234c204ec2cc5a35d68b4d033037fad7fba31bb92a52543f8d13d
+DIST curl-8.0.1.tar.xz.asc 488 BLAKE2B 452e1bebe1028e7621bbf8829e50cf56e254cd63a8cf2a4c0332176b9f18fb2821304ae556a203996d273c986bddbd04db2218c18fd34dee66e9155861ba50ce SHA512 92c6a0570e9a8a708fe2f717b8b37a68dcb9cd4520ca50c9baafec5891bda103bce2d2dcb67f1387bf11bd7e51e0e64ccd52d196e61d58b598ad3aa1960386cf
diff --git a/net-misc/curl/curl-8.0.1.ebuild b/net-misc/curl/curl-8.0.1.ebuild
new file mode 100644
index 000000000000..6af2629111d2
--- /dev/null
+++ b/net-misc/curl/curl-8.0.1.ebuild
@@ -0,0 +1,316 @@
+# Copyright 1999-2023 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=8
+
+VERIFY_SIG_OPENPGP_KEY_PATH="${BROOT}"/usr/share/openpgp-keys/danielstenberg.asc
+inherit autotools multilib-minimal prefix verify-sig
+
+DESCRIPTION="A Client that groks URLs"
+HOMEPAGE="https://curl.se/"
+SRC_URI="
+	https://curl.se/download/${P}.tar.xz
+	verify-sig? ( https://curl.se/download/${P}.tar.xz.asc )
+"
+
+LICENSE="curl"
+SLOT="0"
+KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~loong ~m68k ~mips ~ppc ~ppc64 ~riscv ~s390 ~sparc ~x86 ~x64-cygwin ~amd64-linux ~x86-linux ~ppc-macos ~x64-macos ~sparc-solaris ~sparc64-solaris ~x64-solaris ~x86-solaris"
+IUSE="+adns alt-svc brotli +ftp gnutls gopher hsts +http2 idn +imap kerberos ldap mbedtls nss +openssl +pop3 +progress-meter rtmp rustls samba +smtp ssh ssl sslv3 static-libs test telnet +tftp websockets zstd"
+IUSE+=" curl_ssl_gnutls curl_ssl_mbedtls curl_ssl_nss +curl_ssl_openssl curl_ssl_rustls"
+IUSE+=" nghttp3"
+RESTRICT="!test? ( test )"
+
+# Only one default ssl provider can be enabled
+REQUIRED_USE="
+	ssl? (
+		^^ (
+			curl_ssl_gnutls
+			curl_ssl_mbedtls
+			curl_ssl_nss
+			curl_ssl_openssl
+			curl_ssl_rustls
+		)
+	)
+"
+
+RDEPEND="
+	sys-libs/zlib[${MULTILIB_USEDEP}]
+	adns? ( net-dns/c-ares:=[${MULTILIB_USEDEP}] )
+	brotli? ( app-arch/brotli:=[${MULTILIB_USEDEP}] )
+	http2? ( net-libs/nghttp2:=[${MULTILIB_USEDEP}] )
+	idn? ( net-dns/libidn2:=[static-libs?,${MULTILIB_USEDEP}] )
+	kerberos? ( >=virtual/krb5-0-r1[${MULTILIB_USEDEP}] )
+	ldap? ( net-nds/openldap:=[${MULTILIB_USEDEP}] )
+	nghttp3? (
+		net-libs/nghttp3[${MULTILIB_USEDEP}]
+		net-libs/ngtcp2[ssl,${MULTILIB_USEDEP}]
+	)
+	rtmp? ( media-video/rtmpdump[${MULTILIB_USEDEP}] )
+	ssh? ( net-libs/libssh2[${MULTILIB_USEDEP}] )
+	ssl? (
+		gnutls? (
+			app-misc/ca-certificates
+			net-libs/gnutls:=[static-libs?,${MULTILIB_USEDEP}]
+			dev-libs/nettle:=[${MULTILIB_USEDEP}]
+		)
+		mbedtls? (
+			app-misc/ca-certificates
+			net-libs/mbedtls:=[${MULTILIB_USEDEP}]
+		)
+		nss? (
+			app-misc/ca-certificates
+			dev-libs/nss[${MULTILIB_USEDEP}]
+			dev-libs/nss-pem
+		)
+		openssl? (
+			dev-libs/openssl:=[sslv3(-)=,static-libs?,${MULTILIB_USEDEP}]
+		)
+		rustls? (
+			net-libs/rustls-ffi:=[${MULTILIB_USEDEP}]
+		)
+	)
+	zstd? ( app-arch/zstd:=[${MULTILIB_USEDEP}] )
+"
+DEPEND="${RDEPEND}"
+BDEPEND="
+	dev-lang/perl
+	virtual/pkgconfig
+	test? (
+		sys-apps/diffutils
+		http2? ( net-libs/nghttp2:=[utils,${MULTILIB_USEDEP}] )
+		nghttp3? ( net-libs/nghttp2:=[utils,${MULTILIB_USEDEP}] )
+	)
+	verify-sig? ( sec-keys/openpgp-keys-danielstenberg )
+"
+
+DOCS=( CHANGES README docs/{FEATURES.md,INTERNALS.md,FAQ,BUGS.md,CONTRIBUTE.md} )
+
+MULTILIB_WRAPPED_HEADERS=(
+	/usr/include/curl/curlbuild.h
+)
+
+MULTILIB_CHOST_TOOLS=(
+	/usr/bin/curl-config
+)
+
+QA_CONFIG_IMPL_DECL_SKIP=(
+	__builtin_available
+	closesocket
+	CloseSocket
+	getpass_r
+	ioctlsocket
+	IoctlSocket
+	mach_absolute_time
+	setmode
+)
+
+PATCHES=(
+	"${FILESDIR}"/${PN}-7.30.0-prefix.patch
+	"${FILESDIR}"/${PN}-respect-cflags-3.patch
+
+	# Backports
+	"${FILESDIR}"/${PN}-8.0.1-onion-resolution.patch
+)
+
+src_prepare() {
+	default
+
+	eprefixify curl-config.in
+	eautoreconf
+}
+
+multilib_src_configure() {
+	# We make use of the fact that later flags override earlier ones
+	# So start with all ssl providers off until proven otherwise
+	# TODO: in the future, we may want to add wolfssl (https://www.wolfssl.com/)
+	local myconf=()
+
+	myconf+=( --without-ca-fallback --with-ca-bundle="${EPREFIX}"/etc/ssl/certs/ca-certificates.crt  )
+	#myconf+=( --without-default-ssl-backend )
+	if use ssl ; then
+		myconf+=( --without-gnutls --without-mbedtls --without-nss --without-rustls )
+
+		if use gnutls || use curl_ssl_gnutls; then
+			einfo "SSL provided by gnutls"
+			myconf+=( --with-gnutls )
+		fi
+		if use mbedtls || use curl_ssl_mbedtls; then
+			einfo "SSL provided by mbedtls"
+			myconf+=( --with-mbedtls )
+		fi
+		if use nss || use curl_ssl_nss; then
+			einfo "SSL provided by nss"
+			myconf+=( --with-nss --with-nss-deprecated )
+		fi
+		if use openssl || use curl_ssl_openssl; then
+			einfo "SSL provided by openssl"
+			myconf+=( --with-ssl --with-ca-path="${EPREFIX}"/etc/ssl/certs )
+		fi
+		if use rustls || use curl_ssl_rustls; then
+			einfo "SSL provided by rustls"
+			myconf+=( --with-rustls )
+		fi
+		if use curl_ssl_gnutls; then
+			einfo "Default SSL provided by gnutls"
+			myconf+=( --with-default-ssl-backend=gnutls )
+		elif use curl_ssl_mbedtls; then
+			einfo "Default SSL provided by mbedtls"
+			myconf+=( --with-default-ssl-backend=mbedtls )
+		elif use curl_ssl_nss; then
+			einfo "Default SSL provided by nss"
+			myconf+=( --with-default-ssl-backend=nss )
+		elif use curl_ssl_openssl; then
+			einfo "Default SSL provided by openssl"
+			myconf+=( --with-default-ssl-backend=openssl )
+		elif use curl_ssl_rustls; then
+			einfo "Default SSL provided by rustls"
+			myconf+=( --with-default-ssl-backend=rustls )
+		else
+			eerror "We can't be here because of REQUIRED_USE."
+		fi
+
+	else
+		myconf+=( --without-ssl )
+		einfo "SSL disabled"
+	fi
+
+	# These configuration options are organized alphabetically
+	# within each category.  This should make it easier if we
+	# ever decide to make any of them contingent on USE flags:
+	# 1) protocols first.  To see them all do
+	# 'grep SUPPORT_PROTOCOLS configure.ac'
+	# 2) --enable/disable options second.
+	# 'grep -- --enable configure | grep Check | awk '{ print $4 }' | sort
+	# 3) --with/without options third.
+	# grep -- --with configure | grep Check | awk '{ print $4 }' | sort
+
+	myconf+=(
+		$(use_enable alt-svc)
+		--enable-crypto-auth
+		--enable-dict
+		--disable-ech
+		--enable-file
+		$(use_enable ftp)
+		$(use_enable gopher)
+		$(use_enable hsts)
+		--enable-http
+		$(use_enable imap)
+		$(use_enable ldap)
+		$(use_enable ldap ldaps)
+		--enable-ntlm
+		--disable-ntlm-wb
+		$(use_enable pop3)
+		--enable-rt
+		--enable-rtsp
+		$(use_enable samba smb)
+		$(use_with ssh libssh2)
+		$(use_enable smtp)
+		$(use_enable telnet)
+		$(use_enable tftp)
+		--enable-tls-srp
+		$(use_enable adns ares)
+		--enable-cookies
+		--enable-dateparse
+		--enable-dnsshuffle
+		--enable-doh
+		--enable-symbol-hiding
+		--enable-http-auth
+		--enable-ipv6
+		--enable-largefile
+		--enable-manual
+		--enable-mime
+		--enable-netrc
+		$(use_enable progress-meter)
+		--enable-proxy
+		--enable-socketpair
+		--disable-sspi
+		$(use_enable static-libs static)
+		--enable-pthreads
+		--enable-threaded-resolver
+		--disable-versioned-symbols
+		--without-amissl
+		--without-bearssl
+		$(use_with brotli)
+		--without-fish-functions-dir
+		$(use_with http2 nghttp2)
+		--without-hyper
+		$(use_with idn libidn2)
+		$(use_with kerberos gssapi "${EPREFIX}"/usr)
+		--without-libgsasl
+		--without-libpsl
+		--without-msh3
+		$(use_with nghttp3)
+		$(use_with nghttp3 ngtcp2)
+		--without-quiche
+		$(use_with rtmp librtmp)
+		--without-schannel
+		--without-secure-transport
+		--without-test-caddy
+		--without-test-httpd
+		--without-test-nghttpx
+		$(use_enable websockets)
+		--without-winidn
+		--without-wolfssl
+		--with-zlib
+		$(use_with zstd)
+	)
+
+	if use test && multilib_is_native_abi && ( use http2 || use nghttp3 ); then
+		myconf+=(
+			--with-test-nghttpx="${BROOT}/usr/bin/nghttpx"
+		)
+	fi
+
+	ECONF_SOURCE="${S}" econf "${myconf[@]}"
+
+	if ! multilib_is_native_abi; then
+		# Avoid building the client (we just want libcurl for multilib)
+		sed -i -e '/SUBDIRS/s:src::' Makefile || die
+		sed -i -e '/SUBDIRS/s:scripts::' Makefile || die
+	fi
+
+	# Fix up the pkg-config file to be more robust.
+	# https://github.com/curl/curl/issues/864
+	local priv=() libs=()
+	# We always enable zlib.
+	libs+=( "-lz" )
+	priv+=( "zlib" )
+	if use http2; then
+		libs+=( "-lnghttp2" )
+		priv+=( "libnghttp2" )
+	fi
+	if use nghttp3; then
+		libs+=( "-lnghttp3" "-lngtcp2" )
+		priv+=( "libnghttp3" "libngtcp2" )
+	fi
+	if use ssl && use curl_ssl_openssl; then
+		libs+=( "-lssl" "-lcrypto" )
+		priv+=( "openssl" )
+	fi
+	grep -q Requires.private libcurl.pc && die "need to update ebuild"
+	libs=$(printf '|%s' "${libs[@]}")
+	sed -i -r \
+		-e "/^Libs.private/s:(${libs#|})( |$)::g" \
+		libcurl.pc || die
+	echo "Requires.private: ${priv[*]}" >> libcurl.pc || die
+}
+
+multilib_src_test() {
+	# See https://github.com/curl/curl/blob/master/tests/runtests.pl#L5721
+	# -n: no valgrind (unreliable in sandbox and doesn't work correctly on all arches)
+	# -v: verbose
+	# -a: keep going on failure (so we see everything which breaks, not just 1st test)
+	# -k: keep test files after completion
+	# -am: automake style TAP output
+	# -p: print logs if test fails
+	# Note: if needed, we can skip specific tests. See e.g. Fedora's packaging
+	# or just read https://github.com/curl/curl/tree/master/tests#run.
+	multilib_is_native_abi && emake test TFLAGS="-n -v -a -k -am -p"
+}
+
+multilib_src_install_all() {
+	einstalldocs
+	find "${ED}" -type f -name '*.la' -delete || die
+	rm -rf "${ED}"/etc/ || die
+}
diff --git a/net-misc/curl/files/curl-8.0.1-onion-resolution.patch b/net-misc/curl/files/curl-8.0.1-onion-resolution.patch
new file mode 100644
index 000000000000..65b486529c1f
--- /dev/null
+++ b/net-misc/curl/files/curl-8.0.1-onion-resolution.patch
@@ -0,0 +1,158 @@
+https://bugs.gentoo.org/887287
+https://github.com/curl/curl/pull/10705
+
+From e2bbd1adc22ec5033e2292b780e1790db93c3cb4 Mon Sep 17 00:00:00 2001
+From: Matt Jolly <Matt.Jolly@footclan.ninja>
+Date: Wed, 8 Mar 2023 02:16:45 +1100
+Subject: [PATCH] Refuse to resolve the .onion TLD.
+
+RFC 7686 states that:
+
+> Applications that do not implement the Tor
+> protocol SHOULD generate an error upon the use of .onion and
+> SHOULD NOT perform a DNS lookup.
+
+Let's do that.
+
+See curl/curl#543
+https://www.rfc-editor.org/rfc/rfc7686#section-2
+--- a/docs/KNOWN_BUGS
++++ b/docs/KNOWN_BUGS
+@@ -80,7 +80,6 @@ problems may have been fixed or changed somewhat since this was written.
+  10.3 FTPS over SOCKS
+ 
+  11. Internals
+- 11.1 Curl leaks .onion hostnames in DNS
+  11.2 error buffer not set if connection to multiple addresses fails
+  11.4 HTTP test server 'connection-monitor' problems
+  11.5 Connection information when using TCP Fast Open
+@@ -525,14 +524,6 @@ problems may have been fixed or changed somewhat since this was written.
+ 
+ 11. Internals
+ 
+-11.1 Curl leaks .onion hostnames in DNS
+-
+- Curl sends DNS requests for hostnames with a .onion TLD. This leaks
+- information about what the user is attempting to access, and violates this
+- requirement of RFC7686: https://datatracker.ietf.org/doc/html/rfc7686
+-
+- Issue: https://github.com/curl/curl/issues/543
+-
+ 11.2 error buffer not set if connection to multiple addresses fails
+ 
+  If you ask libcurl to resolve a hostname like example.com to IPv6 addresses
+--- a/lib/hostip.c
++++ b/lib/hostip.c
+@@ -652,6 +652,14 @@ enum resolve_t Curl_resolv(struct Curl_easy *data,
+   CURLcode result;
+   enum resolve_t rc = CURLRESOLV_ERROR; /* default to failure */
+   struct connectdata *conn = data->conn;
++  /* We should intentionally error and not resolve .onion TLDs */
++  size_t hostname_len = strlen(hostname);
++  if(hostname_len >= 7 &&
++  (curl_strequal(&hostname[hostname_len-6], ".onion") ||
++  curl_strequal(&hostname[hostname_len-7], ".onion."))) {
++    failf(data, "Not resolving .onion address (RFC 7686)");
++    return CURLRESOLV_ERROR;
++  }
+   *entry = NULL;
+ #ifndef CURL_DISABLE_DOH
+   conn->bits.doh = FALSE; /* default is not */
+--- a/tests/data/Makefile.inc
++++ b/tests/data/Makefile.inc
+@@ -186,8 +186,8 @@ test1432 test1433 test1434 test1435 test1436 test1437 test1438 test1439 \
+ test1440 test1441 test1442 test1443 test1444 test1445 test1446 test1447 \
+ test1448 test1449 test1450 test1451 test1452 test1453 test1454 test1455 \
+ test1456 test1457 test1458 test1459 test1460 test1461 test1462 test1463 \
+-test1464 test1465 test1466 test1467 test1468 test1469 test1470 \
+-\
++test1464 test1465 test1466 test1467 test1468 test1469 test1470 test1471 \
++test1472 \
+ test1500 test1501 test1502 test1503 test1504 test1505 test1506 test1507 \
+ test1508 test1509 test1510 test1511 test1512 test1513 test1514 test1515 \
+ test1516 test1517 test1518 test1519 test1520 test1521 test1522 test1523 \
+--- /dev/null
++++ b/tests/data/test1471
+@@ -0,0 +1,39 @@
++<testcase>
++<info>
++<keywords>
++Onion
++Tor
++FAILURE
++</keywords>
++</info>
++#
++# Server-side
++<reply>
++</reply>
++
++#
++# Client-side
++<client>
++<server>
++none
++</server>
++<name>
++Fail to resolve .onion TLD
++</name>
++<command>
++red.onion
++</command>
++</client>
++
++#
++# Verify data after the test has been "shot"
++<verify>
++# Couldn't resolve host name
++<errorcode>
++6
++</errorcode>
++<stderr mode="text">
++curl: (6) Not resolving .onion address (RFC 7686)
++</stderr>
++</verify>
++</testcase>
+--- /dev/null
++++ b/tests/data/test1472
+@@ -0,0 +1,39 @@
++<testcase>
++<info>
++<keywords>
++Onion
++Tor
++FAILURE
++</keywords>
++</info>
++#
++# Server-side
++<reply>
++</reply>
++
++#
++# Client-side
++<client>
++<server>
++none
++</server>
++<name>
++Fail to resolve .onion. TLD
++</name>
++<command>
++tasty.onion.
++</command>
++</client>
++
++#
++# Verify data after the test has been "shot"
++<verify>
++# Couldn't resolve host name
++<errorcode>
++6
++</errorcode>
++<stderr mode="text">
++curl: (6) Not resolving .onion address (RFC 7686)
++</stderr>
++</verify>
++</testcase>
+