commit: f7a9dcc44364ee6ae07f6bfa4c48661736d3d05f |
Author: Matt Jolly <Matt.Jolly <AT> footclan <DOT> ninja> |
AuthorDate: Thu Mar 9 13:19:13 2023 +0000 |
Commit: Sam James <sam <AT> gentoo <DOT> org> |
CommitDate: Wed Mar 15 05:04:42 2023 +0000 |
URL: https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=f7a9dcc4 |
|
net-misc/curl: add 7.88.1-r2 |
|
cURL attempts to resolve .onion tlds and depending on USE flags |
may leak that you're using Tor. |
|
This commit adds the upstream patch for RFC7686 compliance a |
little early as it may not make the next cURL release. |
|
Closes: https://bugs.gentoo.org/887287 |
|
Signed-off-by: Matt Jolly <Matt.Jolly <AT> footclan.ninja> |
Signed-off-by: Sam James <sam <AT> gentoo.org> |
|
net-misc/curl/curl-7.88.1-r2.ebuild | 307 +++++++++++++++++++++ |
.../curl/files/curl-7.88.1-onion-resolution.patch | 132 +++++++++ |
2 files changed, 439 insertions(+) |
|
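diff --git a/net-misc/curl/curl-7.88.1-r2.ebuild b/net-misc/curl/curl-7.88.1-r2.ebuild
new file mode 100644
index 000000000000..d1a2c5b2213a
--- /dev/null
+++ b/net-misc/curl/curl-7.88.1-r2.ebuild
@@ -0,0 +1,307 @@
+# Copyright 1999-2023 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI="8"
+
+inherit autotools multilib-minimal prefix verify-sig
+
+DESCRIPTION="A Client that groks URLs"
+HOMEPAGE="https://curl.se/"
+SRC_URI="https://curl.se/download/${P}.tar.xz
+ verify-sig? ( https://curl.se/download/${P}.tar.xz.asc )"
+
+LICENSE="curl"
+SLOT="0"
+KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~loong ~m68k ~mips ~ppc ~ppc64 ~riscv ~s390 ~sparc ~x86 ~x64-cygwin ~amd64-linux ~x86-linux ~ppc-macos ~x64-macos ~sparc-solaris ~sparc64-solaris ~x64-solaris ~x86-solaris"
+IUSE="+adns alt-svc brotli +ftp gnutls gopher hsts +http2 idn +imap kerberos ldap mbedtls nss +openssl +pop3 +progress-meter rtmp rustls samba +smtp ssh ssl sslv3 static-libs test telnet +tftp websockets zstd"
+IUSE+=" curl_ssl_gnutls curl_ssl_mbedtls curl_ssl_nss +curl_ssl_openssl curl_ssl_rustls"
+IUSE+=" nghttp3"
+VERIFY_SIG_OPENPGP_KEY_PATH="${BROOT}"/usr/share/openpgp-keys/danielstenberg.asc
+
+#Only one default ssl provider can be enabled
+REQUIRED_USE="
+ ssl? (
+ ^^ (
+ curl_ssl_gnutls
+ curl_ssl_mbedtls
+ curl_ssl_nss
+ curl_ssl_openssl
+ curl_ssl_rustls
+ )
+ )"
+
+# lead to lots of false negatives, bug #285669
+RESTRICT="!test? ( test )"
+
+RDEPEND="ldap? ( net-nds/openldap:=[${MULTILIB_USEDEP}] )
+ brotli? ( app-arch/brotli:=[${MULTILIB_USEDEP}] )
+ ssl? (
+ gnutls? (
+ net-libs/gnutls:=[static-libs?,${MULTILIB_USEDEP}]
+ dev-libs/nettle:=[${MULTILIB_USEDEP}]
+ app-misc/ca-certificates
+ )
+ mbedtls? (
+ net-libs/mbedtls:=[${MULTILIB_USEDEP}]
+ app-misc/ca-certificates
+ )
+ openssl? (
+ dev-libs/openssl:=[sslv3(-)=,static-libs?,${MULTILIB_USEDEP}]
+ )
+ nss? (
+ dev-libs/nss:0[${MULTILIB_USEDEP}]
+ dev-libs/nss-pem
+ app-misc/ca-certificates
+ )
+ rustls? (
+ net-libs/rustls-ffi:=[${MULTILIB_USEDEP}]
+ )
+ )
+ http2? ( net-libs/nghttp2:=[${MULTILIB_USEDEP}] )
+ nghttp3? (
+ net-libs/nghttp3[${MULTILIB_USEDEP}]
+ net-libs/ngtcp2[ssl,${MULTILIB_USEDEP}]
+ )
+ idn? ( net-dns/libidn2:=[static-libs?,${MULTILIB_USEDEP}] )
+ adns? ( net-dns/c-ares:=[${MULTILIB_USEDEP}] )
+ kerberos? ( >=virtual/krb5-0-r1[${MULTILIB_USEDEP}] )
+ rtmp? ( media-video/rtmpdump[${MULTILIB_USEDEP}] )
+ ssh? ( net-libs/libssh2[${MULTILIB_USEDEP}] )
+ sys-libs/zlib[${MULTILIB_USEDEP}]
+ zstd? ( app-arch/zstd:=[${MULTILIB_USEDEP}] )"
+
+DEPEND="${RDEPEND}"
+BDEPEND="dev-lang/perl
+ virtual/pkgconfig
+ test? (
+ sys-apps/diffutils
+ http2? ( net-libs/nghttp2:=[utils,${MULTILIB_USEDEP}] )
+ nghttp3? ( net-libs/nghttp2:=[utils,${MULTILIB_USEDEP}] )
+ )
+ verify-sig? ( sec-keys/openpgp-keys-danielstenberg )"
+
+DOCS=( CHANGES README docs/{FEATURES.md,INTERNALS.md,FAQ,BUGS.md,CONTRIBUTE.md} )
+
+MULTILIB_WRAPPED_HEADERS=(
+ /usr/include/curl/curlbuild.h
+)
+
+MULTILIB_CHOST_TOOLS=(
+ /usr/bin/curl-config
+)
+
+PATCHES=(
+ "${FILESDIR}"/${PN}-7.30.0-prefix.patch
+ "${FILESDIR}"/${PN}-respect-cflags-3.patch
+
+ "${FILESDIR}"/${P}-header-dump-segfault.patch
+ "${FILESDIR}"/${P}-onion-resolution.patch
+ "${FILESDIR}"/${P}-pipewait.patch
+ "${FILESDIR}"/${P}-silent-parallel.patch
+)
+
+src_prepare() {
+ default
+
+ # Some tests (HTTP/#) rely on ssl certificates that are stored VCS which breaks
+ # with out-of-tree builds.
+ sed -i "s:my \$path = getcwd():my \$path = \"${S}/tests\":" tests/http*-server.pl \
+ || die "Unable to update test locations"
+ eprefixify curl-config.in
+ eautoreconf
+}
+
+multilib_src_configure() {
+ # We make use of the fact that later flags override earlier ones
+ # So start with all ssl providers off until proven otherwise
+ # TODO: in the future, we may want to add wolfssl (https://www.wolfssl.com/)
+ local myconf=()
+
+ myconf+=( --without-ca-fallback --with-ca-bundle="${EPREFIX}"/etc/ssl/certs/ca-certificates.crt )
+ #myconf+=( --without-default-ssl-backend )
+ if use ssl ; then
+ myconf+=( --without-gnutls --without-mbedtls --without-nss --without-rustls )
+
+ if use gnutls || use curl_ssl_gnutls; then
+ einfo "SSL provided by gnutls"
+ myconf+=( --with-gnutls )
+ fi
+ if use mbedtls || use curl_ssl_mbedtls; then
+ einfo "SSL provided by mbedtls"
+ myconf+=( --with-mbedtls )
+ fi
+ if use nss || use curl_ssl_nss; then
+ einfo "SSL provided by nss"
+ myconf+=( --with-nss --with-nss-deprecated )
+ fi
+ if use openssl || use curl_ssl_openssl; then
+ einfo "SSL provided by openssl"
+ myconf+=( --with-ssl --with-ca-path="${EPREFIX}"/etc/ssl/certs )
+ fi
+ if use rustls || use curl_ssl_rustls; then
+ einfo "SSL provided by rustls"
+ myconf+=( --with-rustls )
+ fi
+ if use curl_ssl_gnutls; then
+ einfo "Default SSL provided by gnutls"
+ myconf+=( --with-default-ssl-backend=gnutls )
+ elif use curl_ssl_mbedtls; then
+ einfo "Default SSL provided by mbedtls"
+ myconf+=( --with-default-ssl-backend=mbedtls )
+ elif use curl_ssl_nss; then
+ einfo "Default SSL provided by nss"
+ myconf+=( --with-default-ssl-backend=nss )
+ elif use curl_ssl_openssl; then
+ einfo "Default SSL provided by openssl"
+ myconf+=( --with-default-ssl-backend=openssl )
+ elif use curl_ssl_rustls; then
+ einfo "Default SSL provided by rustls"
+ myconf+=( --with-default-ssl-backend=rustls )
+ else
+ eerror "We can't be here because of REQUIRED_USE."
+ fi
+
+ else
+ myconf+=( --without-ssl )
+ einfo "SSL disabled"
+ fi
+
+ # These configuration options are organized alphabetically
+ # within each category. This should make it easier if we
+ # ever decide to make any of them contingent on USE flags:
+ # 1) protocols first. To see them all do
+ # 'grep SUPPORT_PROTOCOLS configure.ac'
+ # 2) --enable/disable options second.
+ # 'grep -- --enable configure | grep Check | awk '{ print $4 }' | sort
+ # 3) --with/without options third.
+ # grep -- --with configure | grep Check | awk '{ print $4 }' | sort
+
+ myconf+=(
+ $(use_enable alt-svc)
+ --enable-crypto-auth
+ --enable-dict
+ --disable-ech
+ --enable-file
+ $(use_enable ftp)
+ $(use_enable gopher)
+ $(use_enable hsts)
+ --enable-http
+ $(use_enable imap)
+ $(use_enable ldap)
+ $(use_enable ldap ldaps)
+ --enable-ntlm
+ --disable-ntlm-wb
+ $(use_enable pop3)
+ --enable-rt
+ --enable-rtsp
+ $(use_enable samba smb)
+ $(use_with ssh libssh2)
+ $(use_enable smtp)
+ $(use_enable telnet)
+ $(use_enable tftp)
+ --enable-tls-srp
+ $(use_enable adns ares)
+ --enable-cookies
+ --enable-dateparse
+ --enable-dnsshuffle
+ --enable-doh
+ --enable-symbol-hiding
+ --enable-http-auth
+ --enable-ipv6
+ --enable-largefile
+ --enable-manual
+ --enable-mime
+ --enable-netrc
+ $(use_enable progress-meter)
+ --enable-proxy
+ --enable-socketpair
+ --disable-sspi
+ $(use_enable static-libs static)
+ --enable-pthreads
+ --enable-threaded-resolver
+ --disable-versioned-symbols
+ --without-amissl
+ --without-bearssl
+ $(use_with brotli)
+ --without-fish-functions-dir
+ $(use_with http2 nghttp2)
+ --without-hyper
+ $(use_with idn libidn2)
+ $(use_with kerberos gssapi "${EPREFIX}"/usr)
+ --without-libgsasl
+ --without-libpsl
+ --without-msh3
+ $(use_with nghttp3)
+ $(use_with nghttp3 ngtcp2)
+ --without-quiche
+ $(use_with rtmp librtmp)
+ --without-schannel
+ --without-secure-transport
+ --without-test-caddy
+ --without-test-httpd
+ --without-test-nghttpx
+ $(use_enable websockets)
+ --without-winidn
+ --without-wolfssl
+ --with-zlib
+ $(use_with zstd)
+ )
+
+ if use test && multilib_is_native_abi && ( use http2 || use nghttp3 ); then
+ myconf+=(
+ --with-test-nghttpx="${BROOT}/usr/bin/nghttpx"
+ )
+ fi
+
+ ECONF_SOURCE="${S}" econf "${myconf[@]}"
+
+ if ! multilib_is_native_abi; then
+ # avoid building the client
+ sed -i -e '/SUBDIRS/s:src::' Makefile || die
+ sed -i -e '/SUBDIRS/s:scripts::' Makefile || die
+ fi
+
+ # Fix up the pkg-config file to be more robust.
+ # https://github.com/curl/curl/issues/864
+ local priv=() libs=()
+ # We always enable zlib.
+ libs+=( "-lz" )
+ priv+=( "zlib" )
+ if use http2; then
+ libs+=( "-lnghttp2" )
+ priv+=( "libnghttp2" )
+ fi
+ if use nghttp3; then
+ libs+=( "-lnghttp3" "-lngtcp2" )
+ priv+=( "libnghttp3" "libngtcp2" )
+ fi
+ if use ssl && use curl_ssl_openssl; then
+ libs+=( "-lssl" "-lcrypto" )
+ priv+=( "openssl" )
+ fi
+ grep -q Requires.private libcurl.pc && die "need to update ebuild"
+ libs=$(printf '|%s' "${libs[@]}")
+ sed -i -r \
+ -e "/^Libs.private/s:(${libs#|})( |$)::g" \
+ libcurl.pc || die
+ echo "Requires.private: ${priv[*]}" >> libcurl.pc || die
+}
+
+multilib_src_test() {
+ # See https://github.com/curl/curl/blob/master/tests/runtests.pl#L5721
+ # -n: no valgrind (unreliable in sandbox and doesn't work correctly on all arches)
+ # -v: verbose
+ # -a: keep going on failure (so we see everything which breaks, not just 1st test)
+ # -k: keep test files after completion
+ # -am: automake style TAP output
+ # -p: print logs if test fails
+ # Note: if needed, we can disable tests. See e.g. Fedora's packaging
+ # or just read https://github.com/curl/curl/tree/master/tests#run.
+ multilib_is_native_abi && emake test TFLAGS="-n -v -a -k -am -p"
+}
+
+multilib_src_install_all() {
+ einstalldocs
+ find "${ED}" -type f -name '*.la' -delete || die
+ rm -rf "${ED}"/etc/ || die
+}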
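Review bot: In multilib_src_configure the fallthrough `else` of the default-backend chain only runs `eerror "We can't be here because of REQUIRED_USE."` and then continues into econf with no `--with-default-ssl-backend`, so if REQUIRED_USE is ever relaxed or bypassed the build proceeds with whatever default configure picks instead of stopping; make it fatal with `die "no default SSL backend selected (REQUIRED_USE should prevent this)"`. Separately, `--without-libpsl` is passed unconditionally, which leaves libcurl's cookie engine without a Public Suffix List so cookies scoped to a public suffix are accepted; if that is deliberate, a comment on that line such as `# NOTE: without libpsl, cookie public-suffix checks are disabled` records the trade-off, and otherwise a `psl` USE flag is the usual fix. The ebuild's leading indentation appears flattened by the rendering, so the whitespace shown here is not the file's.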
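diff --git a/net-misc/curl/files/curl-7.88.1-onion-resolution.patch b/net-misc/curl/files/curl-7.88.1-onion-resolution.patch
new file mode 100644
index 000000000000..05519884653c
--- /dev/null
+++ b/net-misc/curl/files/curl-7.88.1-onion-resolution.patch
@@ -0,0 +1,132 @@
+https://github.com/curl/curl/pull/10705
+From: Matt Jolly <Matt.Jolly@××××××××.ninja>
+Date: Wed, 8 Mar 2023 02:16:45 +1100
+Subject: [PATCH] Refuse to resolve the .onion TLD.
+
+RFC 7686 states that:
+
+> Applications that do not implement the Tor
+> protocol SHOULD generate an error upon the use of .onion and
+> SHOULD NOT perform a DNS lookup.
+
+Let's do that.
+
+See curl/curl#543
+https://www.rfc-editor.org/rfc/rfc7686#section-2
+--- a/lib/hostip.c
++++ b/lib/hostip.c
+@@ -652,6 +652,14 @@ enum resolve_t Curl_resolv(struct Curl_easy *data,
+ CURLcode result;
+ enum resolve_t rc = CURLRESOLV_ERROR; /* default to failure */
+ struct connectdata *conn = data->conn;
++ /* We should intentionally error and not resolve .onion TLDs */
++ size_t hostname_len = strlen(hostname);
++ if(hostname_len >= 7 &&
++ (curl_strequal(&hostname[hostname_len-6], ".onion") ||
++ curl_strequal(&hostname[hostname_len-7], ".onion."))) {
++ failf(data, "Not resolving .onion address (RFC 7686)");
++ return CURLRESOLV_ERROR;
++ }
+ *entry = NULL;
+ #ifndef CURL_DISABLE_DOH
+ conn->bits.doh = FALSE; /* default is not */
+--- a/tests/data/Makefile.inc
++++ b/tests/data/Makefile.inc
+@@ -186,8 +186,8 @@ test1432 test1433 test1434 test1435 test1436 test1437 test1438 test1439 \
+ test1440 test1441 test1442 test1443 test1444 test1445 test1446 test1447 \
+ test1448 test1449 test1450 test1451 test1452 test1453 test1454 test1455 \
+ test1456 test1457 test1458 test1459 test1460 test1461 test1462 test1463 \
+-test1464 test1465 test1466 test1467 test1468 test1469 \
+-\
++test1464 test1465 test1466 test1467 test1468 test1469 test1471 \
++test1472 \
+ test1500 test1501 test1502 test1503 test1504 test1505 test1506 test1507 \
+ test1508 test1509 test1510 test1511 test1512 test1513 test1514 test1515 \
+ test1516 test1517 test1518 test1519 test1520 test1521 test1522 test1523 \
+--- /dev/null
++++ b/tests/data/test1471
+@@ -0,0 +1,39 @@
++<testcase>
++<info>
++<keywords>
++Onion
++Tor
++FAILURE
++</keywords>
++</info>
++#
++# Server-side
++<reply>
++</reply>
++
++#
++# Client-side
++<client>
++<server>
++none
++</server>
++<name>
++Fail to resolve .onion TLD
++</name>
++<command>
++red.onion
++</command>
++</client>
++
++#
++# Verify data after the test has been "shot"
++<verify>
++# Couldn't resolve host name
++<errorcode>
++6
++</errorcode>
++<stderr mode="text">
++curl: (6) Not resolving .onion address (RFC 7686)
++</stderr>
++</verify>
++</testcase>
+--- /dev/null
++++ b/tests/data/test1472
+@@ -0,0 +1,39 @@
++<testcase>
++<info>
++<keywords>
++Onion
++Tor
++FAILURE
++</keywords>
++</info>
++#
++# Server-side
++<reply>
++</reply>
++
++#
++# Client-side
++<client>
++<server>
++none
++</server>
++<name>
++Fail to resolve .onion. TLD
++</name>
++<command>
++tasty.onion.
++</command>
++</client>
++
++#
++# Verify data after the test has been "shot"
++<verify>
++# Couldn't resolve host name
++<errorcode>
++6
++</errorcode>
++<stderr mode="text">
++curl: (6) Not resolving .onion address (RFC 7686)
++</stderr>
++</verify>
++</testcase>
+--
+2.39.2
+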
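Review bot: In the lib/hostip.c hunk the new `return CURLRESOLV_ERROR;` fires before the pre-existing `*entry = NULL;`, so on the refused-`.onion` path the out-parameter is left untouched and a caller that does not pre-initialise its pointer would read an indeterminate value; either move the block below `*entry = NULL;` or add `*entry = NULL;` immediately before the return. The refusal lives in `Curl_resolv`, so it covers only names curl resolves itself; whether a `.onion` name handed to a remote-resolving proxy (the configuration Tor users depend on) still passes through untouched is not visible in this patch and is worth one sentence in the patch header, since that is the behaviour the bug report cares about. The length guard `hostname_len >= 7` is correct for both suffixes, as `.onion.` is seven bytes and the shorter `.onion` check cannot underflow under it. `Curl_resolv` starts and ends outside the hunk.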