net-misc/curl: add 8.11.0

There are a number of patches attached to this release. Normally
I'd generate a downstream tarball, or wait for the next point release;
however we have signed tarballs for curl and that's worth preserving,
and the next point release has been pushed back until mid-December due
to upstream availability.

Signed-off-by: Matt Jolly <kangie@gentoo.org>

11 files changed, 880 insertions, 2 deletions

diff --git a/net-misc/curl/Manifest b/net-misc/curl/Manifest
index 792b00ecc0bb..fc18ac50a874 100644
--- a/net-misc/curl/Manifest
+++ b/net-misc/curl/Manifest
@@ -1,5 +1,7 @@
 DIST curl-8.10.1.tar.xz 2726748 BLAKE2B bfdfa24f6d652884044c5e8eea5d70daad651b46255c99c9df502f9595a2dcbf8c4034446becf9e87f8e8a3f397a8fda29ab3e0d6020ac0dae62dd42b8136b78 SHA512 f1c7a12492dcfb8ba08be69b96a83ce9074592cbaa6b95c72b3c16fc58ad35e9f9deec7b72baca7d360d013b0b1c7ea38bd4edae464903ac67aa3c76238d8c6c
 DIST curl-8.10.1.tar.xz.asc 488 BLAKE2B 8e8f2b628d4e8964a76c1c43c5557aacbfc2d2dbc51be8a0fa1b157c257f15f29aedba842cba7cb270c4adcf0b4a5d9c8b0b3d49633c48b061fb3e1472303d66 SHA512 21d6d560c027efc9e3e5db182a77501d6376442221ba910df817e2ec980bee44a9fe2afc698205f8d5e8313ae47915a341d60206a46b46e816d73ee357a894ac
+DIST curl-8.11.0.tar.xz 2750684 BLAKE2B 3db13ed558bee332e07e1eab878b5ecae14cd049c115eea3a25fcb78cf28aadfe577dc224df75b62844529994ec478a9a74fed5c9bae338f809d231420ae5d0a SHA512 3a642d421e0a5c09ecb681bea18498f2c6124e9af4d8afdc074dfb85a9b0211d8972ade9cf00ab44b5dfed9303262cd83551dd3b5e0976d11fc19da3c4a0987e
+DIST curl-8.11.0.tar.xz.asc 488 BLAKE2B 5d91dc654d6a62c66e344ca92676b42e7a49f437e14f9fb714f7ae64a266d24d9bb7006b4512fc323459072ff0d9e05f627e494f34f845eadbedbd83acacc2ce SHA512 71073dde48e8f0013e392eb88bf70f6b8a4a4f0c955a3fb56db98e74aa10acc1004e2a0483f30be082e61b59a76fa75ae1d90545ace7c6b07bca8164078375f0
 DIST curl-8.7.1.tar.xz 2707016 BLAKE2B a2a9f48d0b69c0d92fcbbda535ce55082a5243abe3ab2db80d6fa3f32fb2c98b65026d69fc45c94e966398cf9ba8d9c95b6b91f4768b54749ed3275dd21838ef SHA512 5bbde9d5648e9226f5490fa951690aaf159149345f3a315df2ba58b2468f3e59ca32e8a49734338afc861803a4f81caac6d642a4699b72c6310ebfb1f618aad2
 DIST curl-8.7.1.tar.xz.asc 488 BLAKE2B 1c91d116aecc8e98d8ec3aad68b7c96f11151e6c2716f531e5d2989e9b6b1199e180603673891d7967cdcdaee1d6b5e15160ccabe9b51590e2887022db03c2ed SHA512 f98c393997c4a32f545a8982226e8cd612395210915a4576c2ce227d0f650cff341be7bf15e989d1789abf32ac4fd9c190b9250b81e650b569e8532048746b37
 DIST curl-8.8.0.tar.xz 2748860 BLAKE2B c14903bad4cbd1752a5335afa6bcc78be1a484692fce0e0a6c2061963e0e6b4e56defb8332cef32d0dbddb481ad0443b71faf3a52a6e9d945c89ecbce373d2a3 SHA512 9d2c0d3a0d8f6c31ba4fabe48f801910f886fde43dc198dc4213708d6967ed5e040a1bb7348aa1cb126577ee508a3ec36fe65256d027d861d6ffb70f6383967a
diff --git a/net-misc/curl/curl-8.11.0.ebuild b/net-misc/curl/curl-8.11.0.ebuild
new file mode 100644
index 000000000000..35717336263a
--- /dev/null
+++ b/net-misc/curl/curl-8.11.0.ebuild
@@ -0,0 +1,390 @@
+# Copyright 1999-2024 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=8
+
+# Maintainers should subscribe to the 'curl-distros' ML for backports etc
+# https://daniel.haxx.se/blog/2024/03/25/curl-distro-report/
+# https://lists.haxx.se/listinfo/curl-distros
+
+VERIFY_SIG_OPENPGP_KEY_PATH=/usr/share/openpgp-keys/danielstenberg.asc
+inherit autotools multilib-minimal multiprocessing prefix toolchain-funcs verify-sig
+
+DESCRIPTION="A Client that groks URLs"
+HOMEPAGE="https://curl.se/"
+
+if [[ ${PV} == 9999 ]]; then
+	inherit git-r3
+	EGIT_REPO_URI="https://github.com/curl/curl.git"
+else
+	SRC_URI="
+		https://curl.se/download/${P}.tar.xz
+		verify-sig? ( https://curl.se/download/${P}.tar.xz.asc )
+	"
+	KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~loong ~m68k ~mips ~ppc ~ppc64 ~riscv ~s390 ~sparc ~x86 ~amd64-linux ~x86-linux ~arm64-macos ~ppc-macos ~x64-macos ~x64-solaris"
+fi
+
+LICENSE="BSD curl ISC test? ( BSD-4 )"
+SLOT="0"
+IUSE="+adns +alt-svc brotli debug +ftp gnutls gopher +hsts +http2 +http3 idn +imap kerberos ldap mbedtls +openssl +pop3"
+IUSE+=" +psl +progress-meter +quic rtmp rustls samba +smtp ssh ssl sslv3 static-libs test telnet +tftp +websockets zstd"
+# These select the default tls implementation / which quic impl to use
+IUSE+=" +curl_quic_openssl curl_quic_ngtcp2 curl_ssl_gnutls curl_ssl_mbedtls +curl_ssl_openssl curl_ssl_rustls"
+RESTRICT="!test? ( test )"
+
+# Only one default ssl / quic provider can be enabled
+# The default provider needs its USE satisfied
+# HTTP/3 and MultiSSL are mutually exclusive; it's not clear if MultiSSL offers any benefit at all in the modern day.
+# https://github.com/curl/curl/commit/65ece771f4602107d9cdd339dff4b420280a2c2e
+REQUIRED_USE="
+	quic? (
+		^^ (
+			curl_quic_openssl
+			curl_quic_ngtcp2
+		)
+		http3
+		ssl
+	)
+	ssl? (
+		^^ (
+			curl_ssl_gnutls
+			curl_ssl_mbedtls
+			curl_ssl_openssl
+			curl_ssl_rustls
+		)
+	)
+	curl_quic_openssl? (
+		curl_ssl_openssl
+		quic
+		!gnutls
+		!mbedtls
+		!rustls
+	)
+	curl_quic_ngtcp2? (
+		curl_ssl_gnutls
+		quic
+		!mbedtls
+		!openssl
+		!rustls
+	)
+	curl_ssl_gnutls? ( gnutls )
+	curl_ssl_mbedtls? ( mbedtls )
+	curl_ssl_openssl? ( openssl )
+	curl_ssl_rustls? ( rustls )
+	http3? ( alt-svc quic )
+"
+
+# cURL's docs and CI/CD are great resources for confirming supported versions
+# particulary for fast-moving targets like HTTP/2 and TCP/2 e.g.:
+# - https://github.com/curl/curl/blob/master/docs/INTERNALS.md (core dependencies + minimum versions)
+# - https://github.com/curl/curl/blob/master/docs/HTTP3.md (example of a feature that moves quickly)
+# - https://github.com/curl/curl/blob/master/.github/workflows/http3-linux.yml (CI/CD for TCP/2)
+# However 'supported' vs 'works' are two entirely different things; be sane but
+# don't be afraid to require a later version.
+# ngtcp2 = https://bugs.gentoo.org/912029 - can only build with one tls backend at a time.
+RDEPEND="
+	>=sys-libs/zlib-1.1.4[${MULTILIB_USEDEP}]
+	adns? ( >=net-dns/c-ares-1.16.0:=[${MULTILIB_USEDEP}] )
+	brotli? ( app-arch/brotli:=[${MULTILIB_USEDEP}] )
+	http2? ( >=net-libs/nghttp2-1.15.0:=[${MULTILIB_USEDEP}] )
+	http3? ( >=net-libs/nghttp3-1.1.0[${MULTILIB_USEDEP}] )
+	idn? ( >=net-dns/libidn2-2.0.0:=[static-libs?,${MULTILIB_USEDEP}] )
+	kerberos? ( >=virtual/krb5-0-r1[${MULTILIB_USEDEP}] )
+	ldap? ( >=net-nds/openldap-2.0.0:=[static-libs?,${MULTILIB_USEDEP}] )
+	psl? ( net-libs/libpsl[${MULTILIB_USEDEP}] )
+	quic? (
+		curl_quic_openssl? ( >=dev-libs/openssl-3.3.0:=[quic,${MULTILIB_USEDEP}] )
+		curl_quic_ngtcp2? ( >=net-libs/ngtcp2-1.2.0[gnutls,ssl,-openssl,${MULTILIB_USEDEP}] )
+	)
+	rtmp? ( media-video/rtmpdump[${MULTILIB_USEDEP}] )
+	ssh? ( >=net-libs/libssh2-1.0.0[${MULTILIB_USEDEP}] )
+	ssl? (
+		gnutls? (
+			app-misc/ca-certificates
+			>=net-libs/gnutls-3.1.10:=[static-libs?,${MULTILIB_USEDEP}]
+			dev-libs/nettle:=[${MULTILIB_USEDEP}]
+		)
+		mbedtls? (
+			app-misc/ca-certificates
+			net-libs/mbedtls:=[${MULTILIB_USEDEP}]
+		)
+		openssl? (
+			>=dev-libs/openssl-0.9.7:=[sslv3(-)=,static-libs?,${MULTILIB_USEDEP}]
+		)
+		rustls? (
+			>=net-libs/rustls-ffi-0.14.0:=[${MULTILIB_USEDEP}]
+		)
+	)
+	zstd? ( app-arch/zstd:=[${MULTILIB_USEDEP}] )
+"
+
+DEPEND="${RDEPEND}"
+
+BDEPEND="
+	dev-lang/perl
+	virtual/pkgconfig
+	test? (
+		sys-apps/diffutils
+		http2? ( >=net-libs/nghttp2-1.15.0:=[utils,${MULTILIB_USEDEP}] )
+		http3? ( net-libs/nghttp2:=[utils,${MULTILIB_USEDEP}] )
+	)
+	verify-sig? ( sec-keys/openpgp-keys-danielstenberg )
+"
+
+DOCS=( README docs/{FEATURES.md,INTERNALS.md,FAQ,BUGS.md,CONTRIBUTE.md} )
+
+MULTILIB_WRAPPED_HEADERS=(
+	/usr/include/curl/curlbuild.h
+)
+
+MULTILIB_CHOST_TOOLS=(
+	/usr/bin/curl-config
+)
+
+QA_CONFIG_IMPL_DECL_SKIP=(
+	__builtin_available
+	closesocket
+	CloseSocket
+	getpass_r
+	ioctlsocket
+	IoctlSocket
+	mach_absolute_time
+	setmode
+	_fseeki64
+	# custom AC_LINK_IFELSE code fails to link even without -Werror
+	OSSL_QUIC_client_method
+)
+
+PATCHES=(
+	"${FILESDIR}/${PN}-prefix-3.patch"
+	"${FILESDIR}/${PN}-respect-cflags-3.patch"
+	"${FILESDIR}/${P}-cmdline-ech-docs.patch"
+	"${FILESDIR}/${P}-curl-libssh-ipv6-brackets.patch"
+	"${FILESDIR}/${P}-mbedtls-global-init.patch"
+	"${FILESDIR}/${P}-setopt-http_content_decoding.patch"
+	"${FILESDIR}/${P}-cookie-case-sensitive.patch"
+	"${FILESDIR}/${P}-duphandle-init-netrc.patch"
+	"${FILESDIR}/${P}-netrc-large-file.patch"
+)
+
+src_prepare() {
+	default
+
+	eprefixify curl-config.in
+	eautoreconf
+}
+
+multilib_src_configure() {
+	# We make use of the fact that later flags override earlier ones
+	# So start with all ssl providers off until proven otherwise
+	# TODO: in the future, we may want to add wolfssl (https://www.wolfssl.com/)
+	local myconf=()
+
+	myconf+=( --without-ca-fallback --with-ca-bundle="${EPREFIX}"/etc/ssl/certs/ca-certificates.crt  )
+	if use ssl; then
+		myconf+=( --without-gnutls --without-mbedtls --without-rustls )
+
+		if use gnutls; then
+			multilib_is_native_abi && einfo "SSL provided by gnutls"
+			myconf+=( --with-gnutls )
+		fi
+		if use mbedtls; then
+			multilib_is_native_abi && einfo "SSL provided by mbedtls"
+			myconf+=( --with-mbedtls )
+		fi
+		if use openssl; then
+			multilib_is_native_abi && einfo "SSL provided by openssl"
+			myconf+=( --with-ssl --with-ca-path="${EPREFIX}"/etc/ssl/certs )
+		fi
+		if use rustls; then
+			multilib_is_native_abi && einfo "SSL provided by rustls"
+			myconf+=( --with-rustls )
+		fi
+		if use curl_ssl_gnutls; then
+			multilib_is_native_abi && einfo "Default SSL provided by gnutls"
+			myconf+=( --with-default-ssl-backend=gnutls )
+		elif use curl_ssl_mbedtls; then
+			multilib_is_native_abi && einfo "Default SSL provided by mbedtls"
+			myconf+=( --with-default-ssl-backend=mbedtls )
+		elif use curl_ssl_openssl; then
+			multilib_is_native_abi && einfo "Default SSL provided by openssl"
+			myconf+=( --with-default-ssl-backend=openssl )
+		elif use curl_ssl_rustls; then
+			multilib_is_native_abi && einfo "Default SSL provided by rustls"
+			myconf+=( --with-default-ssl-backend=rustls )
+		else
+			eerror "We can't be here because of REQUIRED_USE."
+			die "Please file a bug, hit impossible condition w/ USE=ssl handling."
+		fi
+
+	else
+		myconf+=( --without-ssl )
+		einfo "SSL disabled"
+	fi
+
+	# These configuration options are organized alphabetically
+	# within each category.  This should make it easier if we
+	# ever decide to make any of them contingent on USE flags:
+	# 1) protocols first.  To see them all do
+	# 'grep SUPPORT_PROTOCOLS configure.ac'
+	# 2) --enable/disable options second.
+	# 'grep -- --enable configure | grep Check | awk '{ print $4 }' | sort
+	# 3) --with/without options third.
+	# grep -- --with configure | grep Check | awk '{ print $4 }' | sort
+
+	myconf+=(
+		$(use_enable alt-svc)
+		--enable-basic-auth
+		--enable-bearer-auth
+		--enable-digest-auth
+		--enable-kerberos-auth
+		--enable-negotiate-auth
+		--enable-aws
+		--enable-dict
+		--disable-ech
+		--enable-file
+		$(use_enable ftp)
+		$(use_enable gopher)
+		$(use_enable hsts)
+		--enable-http
+		$(use_enable imap)
+		$(use_enable ldap)
+		$(use_enable ldap ldaps)
+		--enable-ntlm
+		$(use_enable pop3)
+		--enable-rt
+		--enable-rtsp
+		$(use_enable samba smb)
+		$(use_with ssh libssh2)
+		$(use_enable smtp)
+		$(use_enable telnet)
+		$(use_enable tftp)
+		--enable-tls-srp
+		$(use_enable adns ares)
+		--enable-cookies
+		--enable-dateparse
+		--enable-dnsshuffle
+		--enable-doh
+		--enable-symbol-hiding
+		--enable-http-auth
+		--enable-ipv6
+		--enable-largefile
+		--enable-manual
+		--enable-mime
+		--enable-netrc
+		$(use_enable progress-meter)
+		--enable-proxy
+		--enable-socketpair
+		--disable-sspi
+		$(use_enable static-libs static)
+		--enable-pthreads
+		--enable-threaded-resolver
+		--disable-versioned-symbols
+		--without-amissl
+		--without-bearssl
+		$(use_with brotli)
+		--with-fish-functions-dir="${EPREFIX}"/usr/share/fish/vendor_completions.d
+		$(use_with http2 nghttp2)
+		--without-hyper
+		$(use_with idn libidn2)
+		$(use_with kerberos gssapi "${EPREFIX}"/usr)
+		--without-libgsasl
+		$(use_with psl libpsl)
+		--without-msh3
+		$(use_with http3 nghttp3)
+		$(use_with curl_quic_ngtcp2 ngtcp2)
+		$(use_with curl_quic_openssl openssl-quic)
+		--without-quiche
+		$(use_with rtmp librtmp)
+		--without-schannel
+		--without-secure-transport
+		--without-test-caddy
+		--without-test-httpd
+		--without-test-nghttpx
+		$(use_enable websockets)
+		--without-winidn
+		--without-wolfssl
+		--with-zlib
+		$(use_with zstd)
+		--with-zsh-functions-dir="${EPREFIX}"/usr/share/zsh/site-functions
+	)
+
+	if use debug; then
+		myconf+=(
+			--enable-debug
+		)
+	fi
+
+	if use test && multilib_is_native_abi && ( use http2 || use http3 ); then
+		myconf+=(
+			--with-test-nghttpx="${BROOT}/usr/bin/nghttpx"
+		)
+	fi
+
+	if [[ ${CHOST} == *mingw* ]] ; then
+		myconf+=(
+			--disable-pthreads
+		)
+	fi
+
+	ECONF_SOURCE="${S}" econf "${myconf[@]}"
+
+	if ! multilib_is_native_abi; then
+		# Avoid building the client (we just want libcurl for multilib)
+		sed -i -e '/SUBDIRS/s:src::' Makefile || die
+		sed -i -e '/SUBDIRS/s:scripts::' Makefile || die
+	fi
+
+}
+
+multilib_src_compile() {
+	default
+
+	if multilib_is_native_abi; then
+		# Shell completions
+		! tc-is-cross-compiler && emake -C scripts
+	fi
+}
+
+# There is also a pytest harness that tests for bugs in some very specific
+# situations; we can rely on upstream for this rather than adding additional test deps.
+multilib_src_test() {
+	# See https://github.com/curl/curl/blob/master/tests/runtests.pl#L5721
+	# -n: no valgrind (unreliable in sandbox and doesn't work correctly on all arches)
+	# -v: verbose
+	# -a: keep going on failure (so we see everything that breaks, not just 1st test)
+	# -k: keep test files after completion
+	# -am: automake style TAP output
+	# -p: print logs if test fails
+	# Note: if needed, we can skip specific tests. See e.g. Fedora's packaging
+	# or just read https://github.com/curl/curl/tree/master/tests#run.
+	# Note: we don't run the testsuite for cross-compilation.
+	# Upstream recommend 7*nproc as a starting point for parallel tests, but
+	# this ends up breaking when nproc is huge (like -j80).
+	# The network sandbox causes tests 241 and 1083 to fail; these are typically skipped
+	# as most gentoo users don't have an 'ip6-localhost'
+	multilib_is_native_abi && emake test TFLAGS="-n -v -a -k -am -p -j$((2*$(makeopts_jobs))) !241 !1083"
+}
+
+multilib_src_install() {
+	emake DESTDIR="${D}" install
+
+	if multilib_is_native_abi; then
+		# Shell completions
+		! tc-is-cross-compiler && emake -C scripts DESTDIR="${D}" install
+	fi
+}
+
+multilib_src_install_all() {
+	einstalldocs
+	find "${ED}" -type f -name '*.la' -delete || die
+	rm -rf "${ED}"/etc/ || die
+}
+
+pkg_postinst() {
+	if use debug; then
+		ewarn "USE=debug has been selected, enabling debug codepaths and making cURL extra verbose."
+		ewarn "Use this _only_ for testing. Debug builds should _not_ be used in anger."
+		ewarn "hic sunt dracones; you have been warned."
+	fi
+}
diff --git a/net-misc/curl/curl-9999.ebuild b/net-misc/curl/curl-9999.ebuild
index 78cab3a439db..09179eadd2f2 100644
--- a/net-misc/curl/curl-9999.ebuild
+++ b/net-misc/curl/curl-9999.ebuild
@@ -156,8 +156,8 @@ QA_CONFIG_IMPL_DECL_SKIP=(
 )
 
 PATCHES=(
-	"${FILESDIR}"/${PN}-prefix-2.patch
-	"${FILESDIR}"/${PN}-respect-cflags-3.patch
+	"${FILESDIR}/${PN}-prefix-3.patch"
+	"${FILESDIR}/${PN}-respect-cflags-3.patch"
 )
 
 src_prepare() {
diff --git a/net-misc/curl/files/curl-8.11.0-cmdline-ech-docs.patch b/net-misc/curl/files/curl-8.11.0-cmdline-ech-docs.patch
new file mode 100644
index 000000000000..e6cd10937b06
--- /dev/null
+++ b/net-misc/curl/files/curl-8.11.0-cmdline-ech-docs.patch
@@ -0,0 +1,59 @@
+https://github.com/curl/curl/commit/f4ee7bafda8d451255e935a3c585220dd3cf58c4
+From: Daniel Stenberg <daniel@haxx.se>
+Date: Thu, 7 Nov 2024 23:21:14 +0100
+Subject: [PATCH] cmdline/ech.md: formatting cleanups
+
+Reported-by: Samuel Henrique
+Fixes #15506
+Closes #15517
+--- a/docs/cmdline-opts/ech.md
++++ b/docs/cmdline-opts/ech.md
+@@ -20,35 +20,33 @@ Specifies how to do ECH (Encrypted Client Hello).
+ 
+ The values allowed for \<config\> can be:
+ 
+-## "false" (default)
++## `false`
+ 
+-Do not attempt ECH
++Do not attempt ECH. The is the default.
+ 
+-## "grease"
++## `grease`
+ 
+ Send a GREASE ECH extension
+ 
+-## "true"
++## `true`
+ 
+ Attempt ECH if possible, but do not fail if ECH is not attempted.
+ (The connection fails if ECH is attempted but fails.)
+ 
+-## "hard"
++## `hard`
+ 
+-Attempt ECH and fail if that is not possible.
+-ECH only works with TLS 1.3 and also requires using
+-DoH or providing an ECHConfigList on the command line.
++Attempt ECH and fail if that is not possible. ECH only works with TLS 1.3 and
++also requires using DoH or providing an ECHConfigList on the command line.
+ 
+-## "ecl:<b64val>"
++## `ecl:<b64val>`
+ 
+ A base64 encoded ECHConfigList that is used for ECH.
+ 
+-## "pn:<name>"
++## `pn:<name>`
+ 
+-A name to use to over-ride the `public_name` field of an ECHConfigList
+-(only available with OpenSSL TLS support)
++A name to use to over-ride the `public_name` field of an ECHConfigList (only
++available with OpenSSL TLS support)
+ 
+-## Errors
++##
+ 
+-Most errors cause error
+-*CURLE_ECH_REQUIRED* (101).
++Most ECH related errors cause error *CURLE_ECH_REQUIRED* (101).
diff --git a/net-misc/curl/files/curl-8.11.0-cookie-case-sensitive.patch b/net-misc/curl/files/curl-8.11.0-cookie-case-sensitive.patch
new file mode 100644
index 000000000000..d906aab7e909
--- /dev/null
+++ b/net-misc/curl/files/curl-8.11.0-cookie-case-sensitive.patch
@@ -0,0 +1,56 @@
+https://github.com/curl/curl/commit/9919149aef67014150e2a1c75a7aa2c79204e30d
+From: Daniel Stenberg <daniel@haxx.se>
+Date: Wed, 6 Nov 2024 11:26:25 +0100
+Subject: [PATCH] cookie: treat cookie name case sensitively
+
+Extend test 31 to verify
+
+Reported-by: delogicsreal on github
+Fixes #15492
+Closes #15493
+--- a/lib/cookie.c
++++ b/lib/cookie.c
+@@ -989,7 +989,7 @@ replace_existing(struct Curl_easy *data,
+   size_t myhash = cookiehash(co->domain);
+   for(n = Curl_llist_head(&ci->cookielist[myhash]); n; n = Curl_node_next(n)) {
+     struct Cookie *clist = Curl_node_elem(n);
+-    if(strcasecompare(clist->name, co->name)) {
++    if(!strcmp(clist->name, co->name)) {
+       /* the names are identical */
+       bool matching_domains = FALSE;
+ 
+@@ -1029,7 +1029,7 @@ replace_existing(struct Curl_easy *data,
+       }
+     }
+ 
+-    if(!replace_n && strcasecompare(clist->name, co->name)) {
++    if(!replace_n && !strcmp(clist->name, co->name)) {
+       /* the names are identical */
+ 
+       if(clist->domain && co->domain) {
+--- a/tests/data/test31
++++ b/tests/data/test31
+@@ -26,6 +26,7 @@ Set-Cookie: blankdomain=sure; domain=; path=/
+ %if !hyper
+ Set-Cookie: foobar=name; domain=anything.com; path=/ ; secure

+ Set-Cookie:ismatch=this  ; domain=test31.curl; path=/silly/

++Set-Cookie:ISMATCH=this  ; domain=test31.curl; path=/silly/

+ Set-Cookie: overwrite=this  ; domain=test31.curl; path=/overwrite/

+ Set-Cookie: overwrite=this2  ; domain=test31.curl; path=/overwrite

+ Set-Cookie: sec1value=secure1  ; domain=test31.curl; path=/secure1/ ; secure

+@@ -75,6 +76,7 @@ Set-Cookie: securewithspace=after    ; secure =
+ %else
+ Set-Cookie: foobar=name; domain=anything.com; path=/ ; secure

+ Set-Cookie: ismatch=this  ; domain=test31.curl; path=/silly/

++Set-Cookie:ISMATCH=this  ; domain=test31.curl; path=/silly/

+ Set-Cookie: overwrite=this  ; domain=test31.curl; path=/overwrite/

+ Set-Cookie: overwrite=this2  ; domain=test31.curl; path=/overwrite

+ Set-Cookie: sec1value=secure1  ; domain=test31.curl; path=/secure1/ ; secure

+@@ -181,6 +183,7 @@ test31.curl	FALSE	/we/want/	FALSE	2118138987	nodomain	value
+ #HttpOnly_.test31.curl	TRUE	/p2/	FALSE	0	httpo2	value2
+ #HttpOnly_.test31.curl	TRUE	/p1/	FALSE	0	httpo1	value1
+ .test31.curl	TRUE	/overwrite	FALSE	0	overwrite	this2
++.test31.curl	TRUE	/silly/	FALSE	0	ISMATCH	this
+ .test31.curl	TRUE	/silly/	FALSE	0	ismatch	this
+ test31.curl	FALSE	/	FALSE	0	blankdomain	sure
+ </file>
diff --git a/net-misc/curl/files/curl-8.11.0-curl-libssh-ipv6-brackets.patch b/net-misc/curl/files/curl-8.11.0-curl-libssh-ipv6-brackets.patch
new file mode 100644
index 000000000000..6e1ecc0dd097
--- /dev/null
+++ b/net-misc/curl/files/curl-8.11.0-curl-libssh-ipv6-brackets.patch
@@ -0,0 +1,26 @@
+https://github.com/curl/curl/commit/93c65c00e52c4c8cdc09b2d9194ce63763c7349e
+From: Daniel Stenberg <daniel@haxx.se>
+Date: Fri, 8 Nov 2024 16:31:41 +0100
+Subject: [PATCH] libssh: when using IPv6 numerical address, add brackets
+
+Reported-by: henrikjehgmti on github
+Fixes #15522
+Closes #15524
+--- a/lib/vssh/libssh.c
++++ b/lib/vssh/libssh.c
+@@ -2191,7 +2191,14 @@ static CURLcode myssh_connect(struct Curl_easy *data, bool *done)
+     return CURLE_FAILED_INIT;
+   }
+ 
+-  rc = ssh_options_set(ssh->ssh_session, SSH_OPTIONS_HOST, conn->host.name);
++  if(conn->bits.ipv6_ip) {
++    char ipv6[MAX_IPADR_LEN];
++    msnprintf(ipv6, sizeof(ipv6), "[%s]", conn->host.name);
++    rc = ssh_options_set(ssh->ssh_session, SSH_OPTIONS_HOST, ipv6);
++  }
++  else
++    rc = ssh_options_set(ssh->ssh_session, SSH_OPTIONS_HOST, conn->host.name);
++
+   if(rc != SSH_OK) {
+     failf(data, "Could not set remote host");
+     return CURLE_FAILED_INIT;
diff --git a/net-misc/curl/files/curl-8.11.0-duphandle-init-netrc.patch b/net-misc/curl/files/curl-8.11.0-duphandle-init-netrc.patch
new file mode 100644
index 000000000000..4a3e82a477fe
--- /dev/null
+++ b/net-misc/curl/files/curl-8.11.0-duphandle-init-netrc.patch
@@ -0,0 +1,195 @@
+https://github.com/curl/curl/commit/f5c616930b5cf148b1b2632da4f5963ff48bdf88
+From: Daniel Stenberg <daniel@haxx.se>
+Date: Thu, 7 Nov 2024 08:52:38 +0100
+Subject: [PATCH] duphandle: also init netrc
+
+The netrc init was only done in the Curl_open, meaning that a duplicated
+handle would not get inited properly.
+
+Added test 2309 to verify. It does netrc auth with a duplicated handle.
+
+Regression from 3b43a05e000aa8f65bda513f733a
+
+Reported-by: tranzystorekk on github
+Fixes #15496
+Closes #15503
+--- a/lib/easy.c
++++ b/lib/easy.c
+@@ -940,6 +940,7 @@ CURL *curl_easy_duphandle(CURL *d)
+     goto fail;
+ 
+   Curl_dyn_init(&outcurl->state.headerb, CURL_MAX_HTTP_HEADER);
++  Curl_netrc_init(&outcurl->state.netrc);
+ 
+   /* the connection pool is setup on demand */
+   outcurl->state.lastconnect_id = -1;
+--- a/tests/data/Makefile.am
++++ b/tests/data/Makefile.am
+@@ -255,7 +255,7 @@ test2100 \
+ test2200 test2201 test2202 test2203 test2204 test2205 \
+ \
+ test2300 test2301 test2302 test2303 test2304 test2305 test2306 test2307 \
+-test2308 \
++test2308 test2309 \
+ \
+ test2400 test2401 test2402 test2403 test2404 test2405 test2406 \
+ \
+--- /dev/null
++++ b/tests/data/test2309
+@@ -0,0 +1,66 @@
++<testcase>
++<info>
++<keywords>
++netrc
++HTTP
++</keywords>
++</info>
++#
++# Server-side
++<reply>
++<data crlf="yes" nocheck="yes">
++HTTP/1.1 200 OK
++Date: Tue, 09 Nov 2010 14:49:00 GMT
++Server: test-server/fake
++Last-Modified: Tue, 13 Jun 2000 12:10:00 GMT
++ETag: "21025-dc7-39462498"
++Accept-Ranges: bytes
++Content-Length: 6
++Connection: close
++Content-Type: text/html
++Funny-head: yesyes
++
++-foo-
++</data>
++</reply>
++
++#
++# Client-side
++<client>
++<server>
++http
++</server>
++<features>
++proxy
++</features>
++
++# Reproducing issue 15496
++<name>
++HTTP with .netrc using duped easy handle
++</name>
++<tool>
++lib%TESTNUMBER
++</tool>
++<command>
++http://github.com %LOGDIR/netrc%TESTNUMBER http://%HOSTIP:%HTTPPORT/
++</command>
++<file name="%LOGDIR/netrc%TESTNUMBER" >
++
++machine github.com
++
++login daniel
++password $y$j9T$WUVjiVvDbRAWafDLs6cab1$01NX.oaZKf5lw8MR2Nk9Yaxv4CqbE0IaDF.GpGxPul1
++</file>
++</client>
++
++<verify>
++<protocol>
++GET http://github.com/ HTTP/1.1

++Host: github.com

++Authorization: Basic %b64[daniel:$y$j9T$WUVjiVvDbRAWafDLs6cab1$01NX.oaZKf5lw8MR2Nk9Yaxv4CqbE0IaDF.GpGxPul1]b64%

++Accept: */*

++Proxy-Connection: Keep-Alive

++

++</protocol>
++</verify>
++</testcase>
+--- a/tests/libtest/Makefile.inc
++++ b/tests/libtest/Makefile.inc
+@@ -77,7 +77,7 @@ LIBTESTPROGS = libauthretry libntlmconnect libprereq                     \
+  lib1945 lib1946 lib1947 lib1948 lib1955 lib1956 lib1957 lib1958 lib1959 \
+  lib1960 lib1964 \
+  lib1970 lib1971 lib1972 lib1973 lib1974 lib1975 \
+- lib2301 lib2302 lib2304 lib2305 lib2306         lib2308 \
++ lib2301 lib2302 lib2304 lib2305 lib2306         lib2308 lib2309 \
+  lib2402 lib2404 lib2405 \
+  lib2502 \
+  lib3010 lib3025 lib3026 lib3027 \
+@@ -683,6 +683,9 @@ lib2306_LDADD = $(TESTUTIL_LIBS)
+ lib2308_SOURCES = lib2308.c $(SUPPORTFILES)
+ lib2308_LDADD = $(TESTUTIL_LIBS)
+ 
++lib2309_SOURCES = lib2309.c $(SUPPORTFILES)
++lib2309_LDADD = $(TESTUTIL_LIBS)
++
+ lib2402_SOURCES = lib2402.c $(SUPPORTFILES) $(TESTUTIL) $(WARNLESS)
+ lib2402_LDADD = $(TESTUTIL_LIBS)
+ 
+--- /dev/null
++++ b/tests/libtest/lib2309.c
+@@ -0,0 +1,66 @@
++/***************************************************************************
++ *                                  _   _ ____  _
++ *  Project                     ___| | | |  _ \| |
++ *                             / __| | | | |_) | |
++ *                            | (__| |_| |  _ <| |___
++ *                             \___|\___/|_| \_\_____|
++ *
++ * Copyright (C) Daniel Stenberg, <daniel@haxx.se>, et al.
++ *
++ * This software is licensed as described in the file COPYING, which
++ * you should have received as part of this distribution. The terms
++ * are also available at https://curl.se/docs/copyright.html.
++ *
++ * You may opt to use, copy, modify, merge, publish, distribute and/or sell
++ * copies of the Software, and permit persons to whom the Software is
++ * furnished to do so, under the terms of the COPYING file.
++ *
++ * This software is distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY
++ * KIND, either express or implied.
++ *
++ * SPDX-License-Identifier: curl
++ *
++ ***************************************************************************/
++
++#include "test.h"
++#include "testtrace.h"
++
++#include <curl/curl.h>
++
++static size_t cb_ignore(char *buffer, size_t size, size_t nmemb, void *userp)
++{
++  (void)buffer;
++  (void)size;
++  (void)nmemb;
++  (void)userp;
++  return CURL_WRITEFUNC_ERROR;
++}
++
++CURLcode test(char *URL)
++{
++  CURL *curl;
++  CURL *curldupe;
++  CURLcode res = CURLE_OK;
++
++  global_init(CURL_GLOBAL_ALL);
++  curl = curl_easy_init();
++  if(curl) {
++    curl_easy_setopt(curl, CURLOPT_WRITEFUNCTION, cb_ignore);
++    curl_easy_setopt(curl, CURLOPT_URL, URL);
++    curl_easy_setopt(curl, CURLOPT_VERBOSE, 1L);
++    curl_easy_setopt(curl, CURLOPT_PROXY, libtest_arg3);
++    curl_easy_setopt(curl, CURLOPT_NETRC, (long)CURL_NETRC_REQUIRED);
++    curl_easy_setopt(curl, CURLOPT_NETRC_FILE, libtest_arg2);
++
++    curldupe = curl_easy_duphandle(curl);
++    if(curldupe) {
++      res = curl_easy_perform(curldupe);
++      printf("Returned %d, should be %d.\n", res, CURLE_WRITE_ERROR);
++      fflush(stdout);
++      curl_easy_cleanup(curldupe);
++    }
++    curl_easy_cleanup(curl);
++  }
++  curl_global_cleanup();
++  return CURLE_OK;
++}
diff --git a/net-misc/curl/files/curl-8.11.0-mbedtls-global-init.patch b/net-misc/curl/files/curl-8.11.0-mbedtls-global-init.patch
new file mode 100644
index 000000000000..2c60da8ca6cd
--- /dev/null
+++ b/net-misc/curl/files/curl-8.11.0-mbedtls-global-init.patch
@@ -0,0 +1,71 @@
+https://github.com/curl/curl/commit/bcf8a848818ca0ca8d292c51c0ddeb93fa17fe62
+From: Stefan Eissing <stefan@eissing.org>
+Date: Thu, 7 Nov 2024 10:26:03 +0100
+Subject: [PATCH] mbedtls: call psa_crypt_init() in global init
+
+Run mbedtls' psa_crypt_init() in the general global init, optionally
+protected by mbedtls locks when available.
+
+CI: when building mbedtls, enabled thread safety
+
+Reported-by: wxiaoguang on github
+Fixes #15500
+Closes #15505
+--- a/lib/vtls/mbedtls.c
++++ b/lib/vtls/mbedtls.c
+@@ -54,7 +54,7 @@
+ #  ifdef MBEDTLS_DEBUG
+ #    include <mbedtls/debug.h>
+ #  endif
+-#endif
++#endif /* MBEDTLS_VERSION_MAJOR >= 2 */
+ 
+ #include "cipher_suite.h"
+ #include "strcase.h"
+@@ -122,7 +122,7 @@ struct mbed_ssl_backend_data {
+ #define HAS_SESSION_TICKETS
+ #endif
+ 
+-#if defined(THREADING_SUPPORT)
++#ifdef THREADING_SUPPORT
+ static mbedtls_entropy_context ts_entropy;
+ 
+ static int entropy_init_initialized = 0;
+@@ -585,16 +585,6 @@ mbed_connect_step1(struct Curl_cfilter *cf, struct Curl_easy *data)
+     return CURLE_NOT_BUILT_IN;
+   }
+ 
+-#ifdef TLS13_SUPPORT
+-  ret = psa_crypto_init();
+-  if(ret != PSA_SUCCESS) {
+-    mbedtls_strerror(ret, errorbuf, sizeof(errorbuf));
+-    failf(data, "mbedTLS psa_crypto_init returned (-0x%04X) %s",
+-          -ret, errorbuf);
+-    return CURLE_SSL_CONNECT_ERROR;
+-  }
+-#endif /* TLS13_SUPPORT */
+-
+ #ifdef THREADING_SUPPORT
+   mbedtls_ctr_drbg_init(&backend->ctr_drbg);
+ 
+@@ -1571,6 +1561,20 @@ static int mbedtls_init(void)
+ #ifdef THREADING_SUPPORT
+   entropy_init_mutex(&ts_entropy);
+ #endif
++#ifdef TLS13_SUPPORT
++  {
++    int ret;
++#ifdef THREADING_SUPPORT
++    Curl_mbedtlsthreadlock_lock_function(0);
++#endif
++    ret = psa_crypto_init();
++#ifdef THREADING_SUPPORT
++    Curl_mbedtlsthreadlock_unlock_function(0);
++#endif
++    if(ret != PSA_SUCCESS)
++      return 0;
++  }
++#endif /* TLS13_SUPPORT */
+   return 1;
+ }
+ 
diff --git a/net-misc/curl/files/curl-8.11.0-netrc-large-file.patch b/net-misc/curl/files/curl-8.11.0-netrc-large-file.patch
new file mode 100644
index 000000000000..ba0e45140640
--- /dev/null
+++ b/net-misc/curl/files/curl-8.11.0-netrc-large-file.patch
@@ -0,0 +1,25 @@
+https://github.com/curl/curl/commit/0cdde0fdfbeb8c35420f6d03fa4b77ed73497694
+From: Daniel Stenberg <daniel@haxx.se>
+Date: Thu, 7 Nov 2024 17:03:54 +0100
+Subject: [PATCH] netrc: support large file, longer lines, longer tokens
+
+Regression from 3b43a05e000aa8f6 (shipped in 8.11.0)
+
+Reported-by: Moritz
+Fixes #15513
+Closes #15514
+--- a/lib/netrc.c
++++ b/lib/netrc.c
+@@ -58,9 +58,9 @@ enum found_state {
+ #define NETRC_FAILED -1
+ #define NETRC_SUCCESS 0
+ 
+-#define MAX_NETRC_LINE 4096
+-#define MAX_NETRC_FILE (64*1024)
+-#define MAX_NETRC_TOKEN 128
++#define MAX_NETRC_LINE 16384
++#define MAX_NETRC_FILE (128*1024)
++#define MAX_NETRC_TOKEN 4096
+ 
+ static CURLcode file2memory(const char *filename, struct dynbuf *filebuf)
+ {
diff --git a/net-misc/curl/files/curl-8.11.0-setopt-http_content_decoding.patch b/net-misc/curl/files/curl-8.11.0-setopt-http_content_decoding.patch
new file mode 100644
index 000000000000..68621e85ba00
--- /dev/null
+++ b/net-misc/curl/files/curl-8.11.0-setopt-http_content_decoding.patch
@@ -0,0 +1,20 @@
+https://github.com/curl/curl/commit/878bc429f26c27294787dc59d7b53345d9edc5aa
+From: Jesus Malo Poyatos <jmalopoy@opentext.com>
+Date: Thu, 7 Nov 2024 14:00:53 +0100
+Subject: [PATCH] setopt: fix CURLOPT_HTTP_CONTENT_DECODING
+
+Regression from 30da1f5974d34841b30c4f (shipped in 8.11.0)
+
+Fixes #15511
+Closes #15510
+--- a/lib/setopt.c
++++ b/lib/setopt.c
+@@ -1146,7 +1146,7 @@ static CURLcode setopt_long(struct Curl_easy *data, CURLoption option,
+     /*
+      * raw data passed to the application when content encoding is used
+      */
+-    data->set.http_ce_skip = enabled;
++    data->set.http_ce_skip = !enabled; /* reversed */
+     break;
+ 
+ #if !defined(CURL_DISABLE_FTP) || defined(USE_SSH)
diff --git a/net-misc/curl/files/curl-prefix-3.patch b/net-misc/curl/files/curl-prefix-3.patch
new file mode 100644
index 000000000000..cebca0bbfa99
--- /dev/null
+++ b/net-misc/curl/files/curl-prefix-3.patch
@@ -0,0 +1,34 @@
+From 6927ecf38cf3372d539c88479e97707d855de07e Mon Sep 17 00:00:00 2001
+From: Matt Jolly <kangie@gentoo.org>
+Date: Sun, 10 Nov 2024 08:51:02 +1000
+Subject: [PATCH] Update prefix patch for 8.11.0
+
+---
+ curl-config.in | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/curl-config.in b/curl-config.in
+index 2dc40ed..1876d6c 100644
+--- a/curl-config.in
++++ b/curl-config.in
+@@ -147,7 +147,7 @@ while test "$#" -gt 0; do
+     else
+       CPPFLAG_CURL_STATICLIB=''
+     fi
+-    if test "X@includedir@" = 'X/usr/include'; then
++    if test "X@includedir@" = "X@GENTOO_PORTAGE_EPREFIX@/usr/include"; then
+       echo "${CPPFLAG_CURL_STATICLIB}"
+     else
+       echo "${CPPFLAG_CURL_STATICLIB}-I@includedir@"
+@@ -155,7 +155,7 @@ while test "$#" -gt 0; do
+     ;;
+ 
+   --libs)
+-    if test "X@libdir@" != 'X/usr/lib' -a "X@libdir@" != 'X/usr/lib64'; then
++    if test "X@libdir@" != "X@GENTOO_PORTAGE_EPREFIX@/usr/lib" -a "X@libdir@" != "X@GENTOO_PORTAGE_EPREFIX@/usr/lib64"; then
+       CURLLIBDIR="-L@libdir@ "
+     else
+       CURLLIBDIR=''
+-- 
+2.47.0
+