diff --git a/sdk_container/src/third_party/portage-stable/net-misc/curl/Manifest b/sdk_container/src/third_party/portage-stable/net-misc/curl/Manifest index e32343230d..7b6217a5f3 100644 --- a/sdk_container/src/third_party/portage-stable/net-misc/curl/Manifest +++ b/sdk_container/src/third_party/portage-stable/net-misc/curl/Manifest @@ -2,3 +2,5 @@ DIST curl-7.87.0.tar.xz 2547932 BLAKE2B b272ec928c5ef1728434630d8910f58834327a30 DIST curl-7.87.0.tar.xz.asc 488 BLAKE2B 031d8236b357bd3c519548b181254dc0aea1efc1375738bce04f4f331d35bafe99d1ca394ecf5943ede7cae040854b6d2b478fd305147eb7330f8d50e5d95c96 SHA512 0bcc12bafc4ae50d80128af2cf4bf1a1ec6018ebb8d5b9c49f52b51c0c25acc77e820858965656549ef43c1f923f4e5fe75b0a3523623154b4cfb9dc8a1d76e4 DIST curl-7.88.1.tar.xz 2581032 BLAKE2B ed7e7aa29efb02fd89a53d5c8d0ec79b4d17612ea07d2a6b5a951f0ca651b4cf7264704344b1a0c2d82196f4cb5c08525e06b4cdd432bc3278ff23c7a6580839 SHA512 b8d30c52a6d1c3e272608a7a8db78dfd79aef21330f34d6f1df43839a400e13ac6aac72a383526db0b711a70ecbec89a3b934677d7ecf5094fd64d3dbcb3492f DIST curl-7.88.1.tar.xz.asc 488 BLAKE2B ea90d840846fca3f0b17838a84431cb44d6e3f8d2b42c3eced1fb1c929a58e8899b303c93d27ca3cafcaa52e7269ac440e7102191d6b2c2751729a6c4116e82f SHA512 d6dc720533004c4d533cc4fb3dd33ac28d95e114f440ec011e4b58f65d1f4c40cfa10ba26d2e2f2f1f9de99511632578b4758c5e79593c7c30d29788fdf1cbb6 +DIST curl-8.0.1.tar.xz 2575544 BLAKE2B 67d82e9d71f0a351b5c2ed3ad5eab02e367ded872658a295179b935729d5105015f8c29569c396e11cd14036656af894ded85c8838cba260d9f6f1a8dcb5e22b SHA512 3bb777982659ed697ae90f113ff7b65d6ce8ba9fe6a8984cfd6769d2f051a72ba953c911abe234c204ec2cc5a35d68b4d033037fad7fba31bb92a52543f8d13d +DIST curl-8.0.1.tar.xz.asc 488 BLAKE2B 452e1bebe1028e7621bbf8829e50cf56e254cd63a8cf2a4c0332176b9f18fb2821304ae556a203996d273c986bddbd04db2218c18fd34dee66e9155861ba50ce SHA512 92c6a0570e9a8a708fe2f717b8b37a68dcb9cd4520ca50c9baafec5891bda103bce2d2dcb67f1387bf11bd7e51e0e64ccd52d196e61d58b598ad3aa1960386cf diff --git a/sdk_container/src/third_party/portage-stable/net-misc/curl/curl-8.0.1.ebuild b/sdk_container/src/third_party/portage-stable/net-misc/curl/curl-8.0.1.ebuild new file mode 100644 index 0000000000..6af2629111 --- /dev/null +++ b/sdk_container/src/third_party/portage-stable/net-misc/curl/curl-8.0.1.ebuild @@ -0,0 +1,316 @@ +# Copyright 1999-2023 Gentoo Authors +# Distributed under the terms of the GNU General Public License v2 + +EAPI=8 + +VERIFY_SIG_OPENPGP_KEY_PATH="${BROOT}"/usr/share/openpgp-keys/danielstenberg.asc +inherit autotools multilib-minimal prefix verify-sig + +DESCRIPTION="A Client that groks URLs" +HOMEPAGE="https://curl.se/" +SRC_URI=" + https://curl.se/download/${P}.tar.xz + verify-sig? ( https://curl.se/download/${P}.tar.xz.asc ) +" + +LICENSE="curl" +SLOT="0" +KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~loong ~m68k ~mips ~ppc ~ppc64 ~riscv ~s390 ~sparc ~x86 ~x64-cygwin ~amd64-linux ~x86-linux ~ppc-macos ~x64-macos ~sparc-solaris ~sparc64-solaris ~x64-solaris ~x86-solaris" +IUSE="+adns alt-svc brotli +ftp gnutls gopher hsts +http2 idn +imap kerberos ldap mbedtls nss +openssl +pop3 +progress-meter rtmp rustls samba +smtp ssh ssl sslv3 static-libs test telnet +tftp websockets zstd" +IUSE+=" curl_ssl_gnutls curl_ssl_mbedtls curl_ssl_nss +curl_ssl_openssl curl_ssl_rustls" +IUSE+=" nghttp3" +RESTRICT="!test? ( test )" + +# Only one default ssl provider can be enabled +REQUIRED_USE=" + ssl? ( + ^^ ( + curl_ssl_gnutls + curl_ssl_mbedtls + curl_ssl_nss + curl_ssl_openssl + curl_ssl_rustls + ) + ) +" + +RDEPEND=" + sys-libs/zlib[${MULTILIB_USEDEP}] + adns? ( net-dns/c-ares:=[${MULTILIB_USEDEP}] ) + brotli? ( app-arch/brotli:=[${MULTILIB_USEDEP}] ) + http2? ( net-libs/nghttp2:=[${MULTILIB_USEDEP}] ) + idn? ( net-dns/libidn2:=[static-libs?,${MULTILIB_USEDEP}] ) + kerberos? ( >=virtual/krb5-0-r1[${MULTILIB_USEDEP}] ) + ldap? ( net-nds/openldap:=[${MULTILIB_USEDEP}] ) + nghttp3? ( + net-libs/nghttp3[${MULTILIB_USEDEP}] + net-libs/ngtcp2[ssl,${MULTILIB_USEDEP}] + ) + rtmp? ( media-video/rtmpdump[${MULTILIB_USEDEP}] ) + ssh? ( net-libs/libssh2[${MULTILIB_USEDEP}] ) + ssl? ( + gnutls? ( + app-misc/ca-certificates + net-libs/gnutls:=[static-libs?,${MULTILIB_USEDEP}] + dev-libs/nettle:=[${MULTILIB_USEDEP}] + ) + mbedtls? ( + app-misc/ca-certificates + net-libs/mbedtls:=[${MULTILIB_USEDEP}] + ) + nss? ( + app-misc/ca-certificates + dev-libs/nss[${MULTILIB_USEDEP}] + dev-libs/nss-pem + ) + openssl? ( + dev-libs/openssl:=[sslv3(-)=,static-libs?,${MULTILIB_USEDEP}] + ) + rustls? ( + net-libs/rustls-ffi:=[${MULTILIB_USEDEP}] + ) + ) + zstd? ( app-arch/zstd:=[${MULTILIB_USEDEP}] ) +" +DEPEND="${RDEPEND}" +BDEPEND=" + dev-lang/perl + virtual/pkgconfig + test? ( + sys-apps/diffutils + http2? ( net-libs/nghttp2:=[utils,${MULTILIB_USEDEP}] ) + nghttp3? ( net-libs/nghttp2:=[utils,${MULTILIB_USEDEP}] ) + ) + verify-sig? ( sec-keys/openpgp-keys-danielstenberg ) +" + +DOCS=( CHANGES README docs/{FEATURES.md,INTERNALS.md,FAQ,BUGS.md,CONTRIBUTE.md} ) + +MULTILIB_WRAPPED_HEADERS=( + /usr/include/curl/curlbuild.h +) + +MULTILIB_CHOST_TOOLS=( + /usr/bin/curl-config +) + +QA_CONFIG_IMPL_DECL_SKIP=( + __builtin_available + closesocket + CloseSocket + getpass_r + ioctlsocket + IoctlSocket + mach_absolute_time + setmode +) + +PATCHES=( + "${FILESDIR}"/${PN}-7.30.0-prefix.patch + "${FILESDIR}"/${PN}-respect-cflags-3.patch + + # Backports + "${FILESDIR}"/${PN}-8.0.1-onion-resolution.patch +) + +src_prepare() { + default + + eprefixify curl-config.in + eautoreconf +} + +multilib_src_configure() { + # We make use of the fact that later flags override earlier ones + # So start with all ssl providers off until proven otherwise + # TODO: in the future, we may want to add wolfssl (https://www.wolfssl.com/) + local myconf=() + + myconf+=( --without-ca-fallback --with-ca-bundle="${EPREFIX}"/etc/ssl/certs/ca-certificates.crt ) + #myconf+=( --without-default-ssl-backend ) + if use ssl ; then + myconf+=( --without-gnutls --without-mbedtls --without-nss --without-rustls ) + + if use gnutls || use curl_ssl_gnutls; then + einfo "SSL provided by gnutls" + myconf+=( --with-gnutls ) + fi + if use mbedtls || use curl_ssl_mbedtls; then + einfo "SSL provided by mbedtls" + myconf+=( --with-mbedtls ) + fi + if use nss || use curl_ssl_nss; then + einfo "SSL provided by nss" + myconf+=( --with-nss --with-nss-deprecated ) + fi + if use openssl || use curl_ssl_openssl; then + einfo "SSL provided by openssl" + myconf+=( --with-ssl --with-ca-path="${EPREFIX}"/etc/ssl/certs ) + fi + if use rustls || use curl_ssl_rustls; then + einfo "SSL provided by rustls" + myconf+=( --with-rustls ) + fi + if use curl_ssl_gnutls; then + einfo "Default SSL provided by gnutls" + myconf+=( --with-default-ssl-backend=gnutls ) + elif use curl_ssl_mbedtls; then + einfo "Default SSL provided by mbedtls" + myconf+=( --with-default-ssl-backend=mbedtls ) + elif use curl_ssl_nss; then + einfo "Default SSL provided by nss" + myconf+=( --with-default-ssl-backend=nss ) + elif use curl_ssl_openssl; then + einfo "Default SSL provided by openssl" + myconf+=( --with-default-ssl-backend=openssl ) + elif use curl_ssl_rustls; then + einfo "Default SSL provided by rustls" + myconf+=( --with-default-ssl-backend=rustls ) + else + eerror "We can't be here because of REQUIRED_USE." + fi + + else + myconf+=( --without-ssl ) + einfo "SSL disabled" + fi + + # These configuration options are organized alphabetically + # within each category. This should make it easier if we + # ever decide to make any of them contingent on USE flags: + # 1) protocols first. To see them all do + # 'grep SUPPORT_PROTOCOLS configure.ac' + # 2) --enable/disable options second. + # 'grep -- --enable configure | grep Check | awk '{ print $4 }' | sort + # 3) --with/without options third. + # grep -- --with configure | grep Check | awk '{ print $4 }' | sort + + myconf+=( + $(use_enable alt-svc) + --enable-crypto-auth + --enable-dict + --disable-ech + --enable-file + $(use_enable ftp) + $(use_enable gopher) + $(use_enable hsts) + --enable-http + $(use_enable imap) + $(use_enable ldap) + $(use_enable ldap ldaps) + --enable-ntlm + --disable-ntlm-wb + $(use_enable pop3) + --enable-rt + --enable-rtsp + $(use_enable samba smb) + $(use_with ssh libssh2) + $(use_enable smtp) + $(use_enable telnet) + $(use_enable tftp) + --enable-tls-srp + $(use_enable adns ares) + --enable-cookies + --enable-dateparse + --enable-dnsshuffle + --enable-doh + --enable-symbol-hiding + --enable-http-auth + --enable-ipv6 + --enable-largefile + --enable-manual + --enable-mime + --enable-netrc + $(use_enable progress-meter) + --enable-proxy + --enable-socketpair + --disable-sspi + $(use_enable static-libs static) + --enable-pthreads + --enable-threaded-resolver + --disable-versioned-symbols + --without-amissl + --without-bearssl + $(use_with brotli) + --without-fish-functions-dir + $(use_with http2 nghttp2) + --without-hyper + $(use_with idn libidn2) + $(use_with kerberos gssapi "${EPREFIX}"/usr) + --without-libgsasl + --without-libpsl + --without-msh3 + $(use_with nghttp3) + $(use_with nghttp3 ngtcp2) + --without-quiche + $(use_with rtmp librtmp) + --without-schannel + --without-secure-transport + --without-test-caddy + --without-test-httpd + --without-test-nghttpx + $(use_enable websockets) + --without-winidn + --without-wolfssl + --with-zlib + $(use_with zstd) + ) + + if use test && multilib_is_native_abi && ( use http2 || use nghttp3 ); then + myconf+=( + --with-test-nghttpx="${BROOT}/usr/bin/nghttpx" + ) + fi + + ECONF_SOURCE="${S}" econf "${myconf[@]}" + + if ! multilib_is_native_abi; then + # Avoid building the client (we just want libcurl for multilib) + sed -i -e '/SUBDIRS/s:src::' Makefile || die + sed -i -e '/SUBDIRS/s:scripts::' Makefile || die + fi + + # Fix up the pkg-config file to be more robust. + # https://github.com/curl/curl/issues/864 + local priv=() libs=() + # We always enable zlib. + libs+=( "-lz" ) + priv+=( "zlib" ) + if use http2; then + libs+=( "-lnghttp2" ) + priv+=( "libnghttp2" ) + fi + if use nghttp3; then + libs+=( "-lnghttp3" "-lngtcp2" ) + priv+=( "libnghttp3" "libngtcp2" ) + fi + if use ssl && use curl_ssl_openssl; then + libs+=( "-lssl" "-lcrypto" ) + priv+=( "openssl" ) + fi + grep -q Requires.private libcurl.pc && die "need to update ebuild" + libs=$(printf '|%s' "${libs[@]}") + sed -i -r \ + -e "/^Libs.private/s:(${libs#|})( |$)::g" \ + libcurl.pc || die + echo "Requires.private: ${priv[*]}" >> libcurl.pc || die +} + +multilib_src_test() { + # See https://github.com/curl/curl/blob/master/tests/runtests.pl#L5721 + # -n: no valgrind (unreliable in sandbox and doesn't work correctly on all arches) + # -v: verbose + # -a: keep going on failure (so we see everything which breaks, not just 1st test) + # -k: keep test files after completion + # -am: automake style TAP output + # -p: print logs if test fails + # Note: if needed, we can skip specific tests. See e.g. Fedora's packaging + # or just read https://github.com/curl/curl/tree/master/tests#run. + multilib_is_native_abi && emake test TFLAGS="-n -v -a -k -am -p" +} + +multilib_src_install_all() { + einstalldocs + find "${ED}" -type f -name '*.la' -delete || die + rm -rf "${ED}"/etc/ || die +} diff --git a/sdk_container/src/third_party/portage-stable/net-misc/curl/files/curl-7.88.1-onion-resolution.patch b/sdk_container/src/third_party/portage-stable/net-misc/curl/files/curl-7.88.1-onion-resolution.patch index 0551988465..d3385623da 100644 --- a/sdk_container/src/third_party/portage-stable/net-misc/curl/files/curl-7.88.1-onion-resolution.patch +++ b/sdk_container/src/third_party/portage-stable/net-misc/curl/files/curl-7.88.1-onion-resolution.patch @@ -1,4 +1,6 @@ +https://bugs.gentoo.org/887287 https://github.com/curl/curl/pull/10705 + From: Matt Jolly Date: Wed, 8 Mar 2023 02:16:45 +1100 Subject: [PATCH] Refuse to resolve the .onion TLD. diff --git a/sdk_container/src/third_party/portage-stable/net-misc/curl/files/curl-8.0.1-onion-resolution.patch b/sdk_container/src/third_party/portage-stable/net-misc/curl/files/curl-8.0.1-onion-resolution.patch new file mode 100644 index 0000000000..65b486529c --- /dev/null +++ b/sdk_container/src/third_party/portage-stable/net-misc/curl/files/curl-8.0.1-onion-resolution.patch @@ -0,0 +1,158 @@ +https://bugs.gentoo.org/887287 +https://github.com/curl/curl/pull/10705 + +From e2bbd1adc22ec5033e2292b780e1790db93c3cb4 Mon Sep 17 00:00:00 2001 +From: Matt Jolly +Date: Wed, 8 Mar 2023 02:16:45 +1100 +Subject: [PATCH] Refuse to resolve the .onion TLD. + +RFC 7686 states that: + +> Applications that do not implement the Tor +> protocol SHOULD generate an error upon the use of .onion and +> SHOULD NOT perform a DNS lookup. + +Let's do that. + +See curl/curl#543 +https://www.rfc-editor.org/rfc/rfc7686#section-2 +--- a/docs/KNOWN_BUGS ++++ b/docs/KNOWN_BUGS +@@ -80,7 +80,6 @@ problems may have been fixed or changed somewhat since this was written. + 10.3 FTPS over SOCKS + + 11. Internals +- 11.1 Curl leaks .onion hostnames in DNS + 11.2 error buffer not set if connection to multiple addresses fails + 11.4 HTTP test server 'connection-monitor' problems + 11.5 Connection information when using TCP Fast Open +@@ -525,14 +524,6 @@ problems may have been fixed or changed somewhat since this was written. + + 11. Internals + +-11.1 Curl leaks .onion hostnames in DNS +- +- Curl sends DNS requests for hostnames with a .onion TLD. This leaks +- information about what the user is attempting to access, and violates this +- requirement of RFC7686: https://datatracker.ietf.org/doc/html/rfc7686 +- +- Issue: https://github.com/curl/curl/issues/543 +- + 11.2 error buffer not set if connection to multiple addresses fails + + If you ask libcurl to resolve a hostname like example.com to IPv6 addresses +--- a/lib/hostip.c ++++ b/lib/hostip.c +@@ -652,6 +652,14 @@ enum resolve_t Curl_resolv(struct Curl_easy *data, + CURLcode result; + enum resolve_t rc = CURLRESOLV_ERROR; /* default to failure */ + struct connectdata *conn = data->conn; ++ /* We should intentionally error and not resolve .onion TLDs */ ++ size_t hostname_len = strlen(hostname); ++ if(hostname_len >= 7 && ++ (curl_strequal(&hostname[hostname_len-6], ".onion") || ++ curl_strequal(&hostname[hostname_len-7], ".onion."))) { ++ failf(data, "Not resolving .onion address (RFC 7686)"); ++ return CURLRESOLV_ERROR; ++ } + *entry = NULL; + #ifndef CURL_DISABLE_DOH + conn->bits.doh = FALSE; /* default is not */ +--- a/tests/data/Makefile.inc ++++ b/tests/data/Makefile.inc +@@ -186,8 +186,8 @@ test1432 test1433 test1434 test1435 test1436 test1437 test1438 test1439 \ + test1440 test1441 test1442 test1443 test1444 test1445 test1446 test1447 \ + test1448 test1449 test1450 test1451 test1452 test1453 test1454 test1455 \ + test1456 test1457 test1458 test1459 test1460 test1461 test1462 test1463 \ +-test1464 test1465 test1466 test1467 test1468 test1469 test1470 \ +-\ ++test1464 test1465 test1466 test1467 test1468 test1469 test1470 test1471 \ ++test1472 \ + test1500 test1501 test1502 test1503 test1504 test1505 test1506 test1507 \ + test1508 test1509 test1510 test1511 test1512 test1513 test1514 test1515 \ + test1516 test1517 test1518 test1519 test1520 test1521 test1522 test1523 \ +--- /dev/null ++++ b/tests/data/test1471 +@@ -0,0 +1,39 @@ ++ ++ ++ ++Onion ++Tor ++FAILURE ++ ++ ++# ++# Server-side ++ ++ ++ ++# ++# Client-side ++ ++ ++none ++ ++ ++Fail to resolve .onion TLD ++ ++ ++red.onion ++ ++ ++ ++# ++# Verify data after the test has been "shot" ++ ++# Couldn't resolve host name ++ ++6 ++ ++ ++curl: (6) Not resolving .onion address (RFC 7686) ++ ++ ++ +--- /dev/null ++++ b/tests/data/test1472 +@@ -0,0 +1,39 @@ ++ ++ ++ ++Onion ++Tor ++FAILURE ++ ++ ++# ++# Server-side ++ ++ ++ ++# ++# Client-side ++ ++ ++none ++ ++ ++Fail to resolve .onion. TLD ++ ++ ++tasty.onion. ++ ++ ++ ++# ++# Verify data after the test has been "shot" ++ ++# Couldn't resolve host name ++ ++6 ++ ++ ++curl: (6) Not resolving .onion address (RFC 7686) ++ ++ ++ +