
From: Sam James <sam@g.o>
To: gentoo-commits@l.g.o
Subject: [gentoo-commits] repo/gentoo:master commit in: net-misc/curl/files/, net-misc/curl/
Date: Wed, 15 Mar 2023 05:05:04
Message-Id: 1678856682.f7a9dcc44364ee6ae07f6bfa4c48661736d3d05f.sam@gentoo
1 commit: f7a9dcc44364ee6ae07f6bfa4c48661736d3d05f
2 Author: Matt Jolly <Matt.Jolly <AT> footclan <DOT> ninja>
3 AuthorDate: Thu Mar 9 13:19:13 2023 +0000
4 Commit: Sam James <sam <AT> gentoo <DOT> org>
5 CommitDate: Wed Mar 15 05:04:42 2023 +0000
6 URL: https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=f7a9dcc4
7
8 net-misc/curl: add 7.88.1-r2
9
10 cURL attempts to resolve .onion TLDs and, depending on USE flags,
11 may leak that you're using Tor.
12
13 This commit adds the upstream patch for RFC7686 compliance a
14 little early as it may not make the next cURL release.
15
16 Closes: https://bugs.gentoo.org/887287
17
18 Signed-off-by: Matt Jolly <Matt.Jolly <AT> footclan.ninja>
19 Signed-off-by: Sam James <sam <AT> gentoo.org>
20
21 net-misc/curl/curl-7.88.1-r2.ebuild | 307 +++++++++++++++++++++
22 .../curl/files/curl-7.88.1-onion-resolution.patch | 132 +++++++++
23 2 files changed, 439 insertions(+)
24
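diff --git a/net-misc/curl/curl-7.88.1-r2.ebuild b/net-misc/curl/curl-7.88.1-r2.ebuild
new file mode 100644
index 000000000000..d1a2c5b2213a
--- /dev/null
+++ b/net-misc/curl/curl-7.88.1-r2.ebuild
@@ -0,0 +1,307 @@
+# Copyright 1999-2023 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI="8"
+
+inherit autotools multilib-minimal prefix verify-sig
+
+DESCRIPTION="A Client that groks URLs"
+HOMEPAGE="https://curl.se/"
+SRC_URI="https://curl.se/download/${P}.tar.xz
+ verify-sig? ( https://curl.se/download/${P}.tar.xz.asc )"
+
+LICENSE="curl"
+SLOT="0"
+KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~loong ~m68k ~mips ~ppc ~ppc64 ~riscv ~s390 ~sparc ~x86 ~x64-cygwin ~amd64-linux ~x86-linux ~ppc-macos ~x64-macos ~sparc-solaris ~sparc64-solaris ~x64-solaris ~x86-solaris"
+IUSE="+adns alt-svc brotli +ftp gnutls gopher hsts +http2 idn +imap kerberos ldap mbedtls nss +openssl +pop3 +progress-meter rtmp rustls samba +smtp ssh ssl sslv3 static-libs test telnet +tftp websockets zstd"
+IUSE+=" curl_ssl_gnutls curl_ssl_mbedtls curl_ssl_nss +curl_ssl_openssl curl_ssl_rustls"
+IUSE+=" nghttp3"
+VERIFY_SIG_OPENPGP_KEY_PATH="${BROOT}"/usr/share/openpgp-keys/danielstenberg.asc
+
+#Only one default ssl provider can be enabled
+REQUIRED_USE="
+ ssl? (
+ ^^ (
+ curl_ssl_gnutls
+ curl_ssl_mbedtls
+ curl_ssl_nss
+ curl_ssl_openssl
+ curl_ssl_rustls
+ )
+ )"
+
+# lead to lots of false negatives, bug #285669
+RESTRICT="!test? ( test )"
+
+RDEPEND="ldap? ( net-nds/openldap:=[${MULTILIB_USEDEP}] )
+ brotli? ( app-arch/brotli:=[${MULTILIB_USEDEP}] )
+ ssl? (
+ gnutls? (
+ net-libs/gnutls:=[static-libs?,${MULTILIB_USEDEP}]
+ dev-libs/nettle:=[${MULTILIB_USEDEP}]
+ app-misc/ca-certificates
+ )
+ mbedtls? (
+ net-libs/mbedtls:=[${MULTILIB_USEDEP}]
+ app-misc/ca-certificates
+ )
+ openssl? (
+ dev-libs/openssl:=[sslv3(-)=,static-libs?,${MULTILIB_USEDEP}]
+ )
+ nss? (
+ dev-libs/nss:0[${MULTILIB_USEDEP}]
+ dev-libs/nss-pem
+ app-misc/ca-certificates
+ )
+ rustls? (
+ net-libs/rustls-ffi:=[${MULTILIB_USEDEP}]
+ )
+ )
+ http2? ( net-libs/nghttp2:=[${MULTILIB_USEDEP}] )
+ nghttp3? (
+ net-libs/nghttp3[${MULTILIB_USEDEP}]
+ net-libs/ngtcp2[ssl,${MULTILIB_USEDEP}]
+ )
+ idn? ( net-dns/libidn2:=[static-libs?,${MULTILIB_USEDEP}] )
+ adns? ( net-dns/c-ares:=[${MULTILIB_USEDEP}] )
+ kerberos? ( >=virtual/krb5-0-r1[${MULTILIB_USEDEP}] )
+ rtmp? ( media-video/rtmpdump[${MULTILIB_USEDEP}] )
+ ssh? ( net-libs/libssh2[${MULTILIB_USEDEP}] )
+ sys-libs/zlib[${MULTILIB_USEDEP}]
+ zstd? ( app-arch/zstd:=[${MULTILIB_USEDEP}] )"
+
+DEPEND="${RDEPEND}"
+BDEPEND="dev-lang/perl
+ virtual/pkgconfig
+ test? (
+ sys-apps/diffutils
+ http2? ( net-libs/nghttp2:=[utils,${MULTILIB_USEDEP}] )
+ nghttp3? ( net-libs/nghttp2:=[utils,${MULTILIB_USEDEP}] )
+ )
+ verify-sig? ( sec-keys/openpgp-keys-danielstenberg )"
+
+DOCS=( CHANGES README docs/{FEATURES.md,INTERNALS.md,FAQ,BUGS.md,CONTRIBUTE.md} )
+
+MULTILIB_WRAPPED_HEADERS=(
+ /usr/include/curl/curlbuild.h
+)
+
+MULTILIB_CHOST_TOOLS=(
+ /usr/bin/curl-config
+)
+
+PATCHES=(
+ "${FILESDIR}"/${PN}-7.30.0-prefix.patch
+ "${FILESDIR}"/${PN}-respect-cflags-3.patch
+
+ "${FILESDIR}"/${P}-header-dump-segfault.patch
+ "${FILESDIR}"/${P}-onion-resolution.patch
+ "${FILESDIR}"/${P}-pipewait.patch
+ "${FILESDIR}"/${P}-silent-parallel.patch
+)
+
+src_prepare() {
+ default
+
+ # Some tests (HTTP/#) rely on ssl certificates that are stored VCS which breaks
+ # with out-of-tree builds.
+ sed -i "s:my \$path = getcwd():my \$path = \"${S}/tests\":" tests/http*-server.pl \
+ || die "Unable to update test locations"
+ eprefixify curl-config.in
+ eautoreconf
+}
+
+multilib_src_configure() {
+ # We make use of the fact that later flags override earlier ones
+ # So start with all ssl providers off until proven otherwise
+ # TODO: in the future, we may want to add wolfssl (https://www.wolfssl.com/)
+ local myconf=()
+
+ myconf+=( --without-ca-fallback --with-ca-bundle="${EPREFIX}"/etc/ssl/certs/ca-certificates.crt )
+ #myconf+=( --without-default-ssl-backend )
+ if use ssl ; then
+ myconf+=( --without-gnutls --without-mbedtls --without-nss --without-rustls )
+
+ if use gnutls || use curl_ssl_gnutls; then
+ einfo "SSL provided by gnutls"
+ myconf+=( --with-gnutls )
+ fi
+ if use mbedtls || use curl_ssl_mbedtls; then
+ einfo "SSL provided by mbedtls"
+ myconf+=( --with-mbedtls )
+ fi
+ if use nss || use curl_ssl_nss; then
+ einfo "SSL provided by nss"
+ myconf+=( --with-nss --with-nss-deprecated )
+ fi
+ if use openssl || use curl_ssl_openssl; then
+ einfo "SSL provided by openssl"
+ myconf+=( --with-ssl --with-ca-path="${EPREFIX}"/etc/ssl/certs )
+ fi
+ if use rustls || use curl_ssl_rustls; then
+ einfo "SSL provided by rustls"
+ myconf+=( --with-rustls )
+ fi
+ if use curl_ssl_gnutls; then
+ einfo "Default SSL provided by gnutls"
+ myconf+=( --with-default-ssl-backend=gnutls )
+ elif use curl_ssl_mbedtls; then
+ einfo "Default SSL provided by mbedtls"
+ myconf+=( --with-default-ssl-backend=mbedtls )
+ elif use curl_ssl_nss; then
+ einfo "Default SSL provided by nss"
+ myconf+=( --with-default-ssl-backend=nss )
+ elif use curl_ssl_openssl; then
+ einfo "Default SSL provided by openssl"
+ myconf+=( --with-default-ssl-backend=openssl )
+ elif use curl_ssl_rustls; then
+ einfo "Default SSL provided by rustls"
+ myconf+=( --with-default-ssl-backend=rustls )
+ else
+ eerror "We can't be here because of REQUIRED_USE."
+ fi
+
+ else
+ myconf+=( --without-ssl )
+ einfo "SSL disabled"
+ fi
+
+ # These configuration options are organized alphabetically
+ # within each category. This should make it easier if we
+ # ever decide to make any of them contingent on USE flags:
+ # 1) protocols first. To see them all do
+ # 'grep SUPPORT_PROTOCOLS configure.ac'
+ # 2) --enable/disable options second.
+ # 'grep -- --enable configure | grep Check | awk '{ print $4 }' | sort
+ # 3) --with/without options third.
+ # grep -- --with configure | grep Check | awk '{ print $4 }' | sort
+
+ myconf+=(
+ $(use_enable alt-svc)
+ --enable-crypto-auth
+ --enable-dict
+ --disable-ech
+ --enable-file
+ $(use_enable ftp)
+ $(use_enable gopher)
+ $(use_enable hsts)
+ --enable-http
+ $(use_enable imap)
+ $(use_enable ldap)
+ $(use_enable ldap ldaps)
+ --enable-ntlm
+ --disable-ntlm-wb
+ $(use_enable pop3)
+ --enable-rt
+ --enable-rtsp
+ $(use_enable samba smb)
+ $(use_with ssh libssh2)
+ $(use_enable smtp)
+ $(use_enable telnet)
+ $(use_enable tftp)
+ --enable-tls-srp
+ $(use_enable adns ares)
+ --enable-cookies
+ --enable-dateparse
+ --enable-dnsshuffle
+ --enable-doh
+ --enable-symbol-hiding
+ --enable-http-auth
+ --enable-ipv6
+ --enable-largefile
+ --enable-manual
+ --enable-mime
+ --enable-netrc
+ $(use_enable progress-meter)
+ --enable-proxy
+ --enable-socketpair
+ --disable-sspi
+ $(use_enable static-libs static)
+ --enable-pthreads
+ --enable-threaded-resolver
+ --disable-versioned-symbols
+ --without-amissl
+ --without-bearssl
+ $(use_with brotli)
+ --without-fish-functions-dir
+ $(use_with http2 nghttp2)
+ --without-hyper
+ $(use_with idn libidn2)
+ $(use_with kerberos gssapi "${EPREFIX}"/usr)
+ --without-libgsasl
+ --without-libpsl
+ --without-msh3
+ $(use_with nghttp3)
+ $(use_with nghttp3 ngtcp2)
+ --without-quiche
+ $(use_with rtmp librtmp)
+ --without-schannel
+ --without-secure-transport
+ --without-test-caddy
+ --without-test-httpd
+ --without-test-nghttpx
+ $(use_enable websockets)
+ --without-winidn
+ --without-wolfssl
+ --with-zlib
+ $(use_with zstd)
+ )
+
+ if use test && multilib_is_native_abi && ( use http2 || use nghttp3 ); then
+ myconf+=(
+ --with-test-nghttpx="${BROOT}/usr/bin/nghttpx"
+ )
+ fi
+
+ ECONF_SOURCE="${S}" econf "${myconf[@]}"
+
+ if ! multilib_is_native_abi; then
+ # avoid building the client
+ sed -i -e '/SUBDIRS/s:src::' Makefile || die
+ sed -i -e '/SUBDIRS/s:scripts::' Makefile || die
+ fi
+
+ # Fix up the pkg-config file to be more robust.
+ # https://github.com/curl/curl/issues/864
+ local priv=() libs=()
+ # We always enable zlib.
+ libs+=( "-lz" )
+ priv+=( "zlib" )
+ if use http2; then
+ libs+=( "-lnghttp2" )
+ priv+=( "libnghttp2" )
+ fi
+ if use nghttp3; then
+ libs+=( "-lnghttp3" "-lngtcp2" )
+ priv+=( "libnghttp3" "libngtcp2" )
+ fi
+ if use ssl && use curl_ssl_openssl; then
+ libs+=( "-lssl" "-lcrypto" )
+ priv+=( "openssl" )
+ fi
+ grep -q Requires.private libcurl.pc && die "need to update ebuild"
+ libs=$(printf '|%s' "${libs[@]}")
+ sed -i -r \
+ -e "/^Libs.private/s:(${libs#|})( |$)::g" \
+ libcurl.pc || die
+ echo "Requires.private: ${priv[*]}" >> libcurl.pc || die
+}
+
+multilib_src_test() {
+ # See https://github.com/curl/curl/blob/master/tests/runtests.pl#L5721
+ # -n: no valgrind (unreliable in sandbox and doesn't work correctly on all arches)
+ # -v: verbose
+ # -a: keep going on failure (so we see everything which breaks, not just 1st test)
+ # -k: keep test files after completion
+ # -am: automake style TAP output
+ # -p: print logs if test fails
+ # Note: if needed, we can disable tests. See e.g. Fedora's packaging
+ # or just read https://github.com/curl/curl/tree/master/tests#run.
+ multilib_is_native_abi && emake test TFLAGS="-n -v -a -k -am -p"
+}
+
+multilib_src_install_all() {
+ einstalldocs
+ find "${ED}" -type f -name '*.la' -delete || die
+ rm -rf "${ED}"/etc/ || die
+}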
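Review bot: `--without-libpsl` in the `--with/without` group of `multilib_src_configure` hard-disables public-suffix support, and nothing in the ebuild records why; curl's cookie engine presumably uses libpsl to refuse cookies whose domain is a whole public suffix, so building without it leaves that check out while the same list carefully wires up ca-certificates and libidn2. If the omission is deliberate, say so next to the flag, e.g. `# libpsl deliberately not used; the cookie engine then cannot reject public-suffix cookie domains`. Otherwise consider exposing it as a USE flag, `$(use_with psl libpsl)` with a matching `psl? ( net-libs/libpsl[${MULTILIB_USEDEP}] )` in RDEPEND, mirroring how `$(use_with idn libidn2)` is handled. I have not checked 7.88.1's lib/cookie.c for the exact behaviour without libpsl, so confirm before relying on this.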
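diff --git a/net-misc/curl/files/curl-7.88.1-onion-resolution.patch b/net-misc/curl/files/curl-7.88.1-onion-resolution.patch
new file mode 100644
index 000000000000..05519884653c
--- /dev/null
+++ b/net-misc/curl/files/curl-7.88.1-onion-resolution.patch
@@ -0,0 +1,132 @@
+https://github.com/curl/curl/pull/10705
+From: Matt Jolly <Matt.Jolly@××××××××.ninja>
+Date: Wed, 8 Mar 2023 02:16:45 +1100
+Subject: [PATCH] Refuse to resolve the .onion TLD.
+
+RFC 7686 states that:
+
+> Applications that do not implement the Tor
+> protocol SHOULD generate an error upon the use of .onion and
+> SHOULD NOT perform a DNS lookup.
+
+Let's do that.
+
+See curl/curl#543
+https://www.rfc-editor.org/rfc/rfc7686#section-2
+--- a/lib/hostip.c
++++ b/lib/hostip.c
+@@ -652,6 +652,14 @@ enum resolve_t Curl_resolv(struct Curl_easy *data,
+ CURLcode result;
+ enum resolve_t rc = CURLRESOLV_ERROR; /* default to failure */
+ struct connectdata *conn = data->conn;
++ /* We should intentionally error and not resolve .onion TLDs */
++ size_t hostname_len = strlen(hostname);
++ if(hostname_len >= 7 &&
++ (curl_strequal(&hostname[hostname_len-6], ".onion") ||
++ curl_strequal(&hostname[hostname_len-7], ".onion."))) {
++ failf(data, "Not resolving .onion address (RFC 7686)");
++ return CURLRESOLV_ERROR;
++ }
+ *entry = NULL;
+ #ifndef CURL_DISABLE_DOH
+ conn->bits.doh = FALSE; /* default is not */
+--- a/tests/data/Makefile.inc
++++ b/tests/data/Makefile.inc
+@@ -186,8 +186,8 @@ test1432 test1433 test1434 test1435 test1436 test1437 test1438 test1439 \
+ test1440 test1441 test1442 test1443 test1444 test1445 test1446 test1447 \
+ test1448 test1449 test1450 test1451 test1452 test1453 test1454 test1455 \
+ test1456 test1457 test1458 test1459 test1460 test1461 test1462 test1463 \
+-test1464 test1465 test1466 test1467 test1468 test1469 \
+-\
++test1464 test1465 test1466 test1467 test1468 test1469 test1471 \
++test1472 \
+ test1500 test1501 test1502 test1503 test1504 test1505 test1506 test1507 \
+ test1508 test1509 test1510 test1511 test1512 test1513 test1514 test1515 \
+ test1516 test1517 test1518 test1519 test1520 test1521 test1522 test1523 \
+--- /dev/null
++++ b/tests/data/test1471
+@@ -0,0 +1,39 @@
++<testcase>
++<info>
++<keywords>
++Onion
++Tor
++FAILURE
++</keywords>
++</info>
++#
++# Server-side
++<reply>
++</reply>
++
++#
++# Client-side
++<client>
++<server>
++none
++</server>
++<name>
++Fail to resolve .onion TLD
++</name>
++<command>
++red.onion
++</command>
++</client>
++
++#
++# Verify data after the test has been "shot"
++<verify>
++# Couldn't resolve host name
++<errorcode>
++6
++</errorcode>
++<stderr mode="text">
++curl: (6) Not resolving .onion address (RFC 7686)
++</stderr>
++</verify>
++</testcase>
+--- /dev/null
++++ b/tests/data/test1472
+@@ -0,0 +1,39 @@
++<testcase>
++<info>
++<keywords>
++Onion
++Tor
++FAILURE
++</keywords>
++</info>
++#
++# Server-side
++<reply>
++</reply>
++
++#
++# Client-side
++<client>
++<server>
++none
++</server>
++<name>
++Fail to resolve .onion. TLD
++</name>
++<command>
++tasty.onion.
++</command>
++</client>
++
++#
++# Verify data after the test has been "shot"
++<verify>
++# Couldn't resolve host name
++<errorcode>
++6
++</errorcode>
++<stderr mode="text">
++curl: (6) Not resolving .onion address (RFC 7686)
++</stderr>
++</verify>
++</testcase>
+--
+2.39.2
+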
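Review bot: The new guard sits at the very top of Curl_resolv, ahead of `*entry = NULL` and the DoH setup, so it presumably also fires before the function's hosts-cache lookup (the rest of the body is outside the hunk); that means a `.onion` host an application pre-seeded via `CURLOPT_RESOLVE`/`--resolve` is refused too, which is stricter than RFC 7686's "SHOULD NOT perform a DNS lookup" and deserves to be stated rather than left implicit. Make the comment on the first added line carry that, e.g. `/* RFC 7686 section 2: refuse .onion and .onion. hosts outright, before the cache and DoH paths below are consulted */`. The two testcases only exercise bare `red.onion` and `tasty.onion.`; since `curl_strequal` is case-insensitive, a mixed-case name and a `--resolve`-pinned `.onion` entry would pin the intended behaviour for both cases.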