curl: update to v8.4.0 (#5938)

* curl: update to v8.4.0
- CVE-2023-38039
- CVE-2023-38545
- CVE-2023-38546

* fix rutorrent build for qoriq

* temp. declare domoticz as broken

cross/curl/Makefile

@@ -1,5 +1,5 @@
 PKG_NAME = curl
-PKG_VERS = 8.1.2
+PKG_VERS = 8.4.0
 PKG_EXT = tar.xz
 PKG_DIST_NAME = $(PKG_NAME)-$(PKG_VERS).$(PKG_EXT)
 PKG_DIST_SITE = https://curl.se/download

cross/curl/digests

@@ -1,3 +1,3 @@
-curl-8.1.2.tar.xz SHA1 bba5bcc82cb46bb20e31dc094d01ab40dbd40920
-curl-8.1.2.tar.xz SHA256 31b1118eb8bfd43cd95d9a3f146f814ff874f6ed3999b29d94f4d1e7dbac5ef6
-curl-8.1.2.tar.xz MD5 1f7f6678b1342ad78f30e1dedd015fe2
+curl-8.4.0.tar.xz SHA1 893985fa820b25d41141eb318c0c2e3bf00f0ae5
+curl-8.4.0.tar.xz SHA256 16c62a9c4af0f703d28bda6d7bbf37ba47055ad3414d70dec63e2e6336f2a82d
+curl-8.4.0.tar.xz MD5 8424597f247da68b6041dd7f9ca367fe

cross/curl/patches/002-prefer-gnutls-for-http3.patch

@@ -1,8 +1,8 @@
 # To use GNUTLS for http3 (ngtcp2) when USE_OPENSSL is defined too,
 # we must first check for USE_GNUTLS and apply code for.
 # 
---- lib/vquic/curl_ngtcp2.h.orig	2023-05-15 10:55:59.000000000 +0000
-+++ lib/vquic/curl_ngtcp2.h	2023-06-11 07:37:17.255309500 +0000
+--- lib/vquic/curl_ngtcp2.h.orig	2023-10-05 07:58:50.000000000 +0000
++++ lib/vquic/curl_ngtcp2.h	2023-11-24 12:41:56.051202200 +0000
 @@ -34,7 +34,9 @@
 
  #include <ngtcp2/ngtcp2_crypto.h>
@@ -14,8 +14,8 @@
  #include <openssl/ssl.h>
  #elif defined(USE_WOLFSSL)
  #include <wolfssl/options.h>
---- lib/vquic/curl_ngtcp2.c.orig	2023-05-26 06:37:58.000000000 +0000
-+++ lib/vquic/curl_ngtcp2.c	2023-06-11 08:00:26.210096152 +0000
+--- lib/vquic/curl_ngtcp2.c.orig	2023-10-10 09:34:20.000000000 +0000
++++ lib/vquic/curl_ngtcp2.c	2023-11-25 11:45:17.635886120 +0000
 @@ -28,7 +28,10 @@
  #include <ngtcp2/ngtcp2.h>
  #include <nghttp3/nghttp3.h>
@@ -26,10 +26,10 @@
 +#include "vtls/gtls.h"
 +#elif defined(USE_OPENSSL)
  #include <openssl/err.h>
- #ifdef OPENSSL_IS_BORINGSSL
+ #if defined(OPENSSL_IS_BORINGSSL) || defined(OPENSSL_IS_AWSLC)
  #include <ngtcp2/ngtcp2_crypto_boringssl.h>
 @@ -36,9 +39,6 @@
- #include <ngtcp2/ngtcp2_crypto_openssl.h>
+ #include <ngtcp2/ngtcp2_crypto_quictls.h>
  #endif
  #include "vtls/openssl.h"
 -#elif defined(USE_GNUTLS)
@@ -38,7 +38,7 @@
  #elif defined(USE_WOLFSSL)
  #include <ngtcp2/ngtcp2_crypto_wolfssl.h>
  #include "vtls/wolfssl.h"
-@@ -101,17 +101,17 @@
+@@ -102,17 +102,17 @@
            (H3_STREAM_WINDOW_SIZE / H3_STREAM_CHUNK_SIZE)
 
 
@@ -58,11 +58,11 @@
 +#define QUIC_CIPHERS                                                          \
 +  "TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_"               \
 +  "POLY1305_SHA256:TLS_AES_128_CCM_SHA256"
-+#define QUIC_GROUPS "P-256:P-384:P-521"
++#define QUIC_GROUPS "P-256:X25519:P-384:P-521"
  #elif defined(USE_WOLFSSL)
  #define QUIC_CIPHERS                                                          \
    "TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_"               \
-@@ -142,11 +142,11 @@
+@@ -143,11 +143,11 @@
    ngtcp2_transport_params transport_params;
    ngtcp2_ccerr last_error;
    ngtcp2_crypto_conn_ref conn_ref;
@@ -77,7 +77,7 @@
  #elif defined(USE_WOLFSSL)
    WOLFSSL_CTX *sslctx;
    WOLFSSL *ssl;
-@@ -331,13 +331,7 @@
+@@ -360,13 +360,7 @@
    }
  }
 
@@ -92,7 +92,7 @@
  static int keylog_callback(gnutls_session_t session, const char *label,
                      const gnutls_datum_t *secret)
  {
-@@ -352,6 +346,13 @@
+@@ -381,6 +375,12 @@
    Curl_tls_keylog_write(label, crandom.data, secret->data, secret->size);
    return 0;
  }
@@ -102,11 +102,10 @@
 +  (void)ssl;
 +  Curl_tls_keylog_write_line(line);
 +}
-+
  #elif defined(USE_WOLFSSL)
  #if defined(HAVE_SECRET_CALLBACK)
  static void keylog_callback(const WOLFSSL *ssl, const char *line)
-@@ -364,7 +365,60 @@
+@@ -393,7 +393,60 @@
 
  static int init_ngh3_conn(struct Curl_cfilter *cf);
 
@@ -136,15 +135,15 @@
 +  gnutls_session_set_ptr(ctx->gtls->session, &ctx->conn_ref);
 +
 +  if(ngtcp2_crypto_gnutls_configure_client_session(ctx->gtls->session) != 0) {
-+    DEBUGF(LOG_CF(data, cf,
-+                  "ngtcp2_crypto_gnutls_configure_client_session failed\n"));
++    CURL_TRC_CF(data, cf,
++                "ngtcp2_crypto_gnutls_configure_client_session failed\n");
 +    return CURLE_QUIC_CONNECT_ERROR;
 +  }
 +
 +  rc = gnutls_priority_set_direct(ctx->gtls->session, QUIC_PRIORITY, NULL);
 +  if(rc < 0) {
-+    DEBUGF(LOG_CF(data, cf, "gnutls_priority_set_direct failed: %s\n",
-+                  gnutls_strerror(rc)));
++    CURL_TRC_CF(data, cf, "gnutls_priority_set_direct failed: %s\n",
++                gnutls_strerror(rc));
 +    return CURLE_QUIC_CONNECT_ERROR;
 +  }
 +
@@ -168,8 +167,8 @@
  static CURLcode quic_ssl_ctx(SSL_CTX **pssl_ctx,
                               struct Curl_cfilter *cf, struct Curl_easy *data)
  {
-@@ -495,59 +549,6 @@
-   SSL_set_tlsext_host_name(ctx->ssl, cf->conn->host.name);
+@@ -544,59 +597,6 @@
+   }
    return CURLE_OK;
  }
 -#elif defined(USE_GNUTLS)
@@ -197,15 +196,15 @@
 -  gnutls_session_set_ptr(ctx->gtls->session, &ctx->conn_ref);
 -
 -  if(ngtcp2_crypto_gnutls_configure_client_session(ctx->gtls->session) != 0) {
--    DEBUGF(LOG_CF(data, cf,
--                  "ngtcp2_crypto_gnutls_configure_client_session failed\n"));
+-    CURL_TRC_CF(data, cf,
+-                "ngtcp2_crypto_gnutls_configure_client_session failed\n");
 -    return CURLE_QUIC_CONNECT_ERROR;
 -  }
 -
 -  rc = gnutls_priority_set_direct(ctx->gtls->session, QUIC_PRIORITY, NULL);
 -  if(rc < 0) {
--    DEBUGF(LOG_CF(data, cf, "gnutls_priority_set_direct failed: %s\n",
--                  gnutls_strerror(rc)));
+-    CURL_TRC_CF(data, cf, "gnutls_priority_set_direct failed: %s\n",
+-                gnutls_strerror(rc));
 -    return CURLE_QUIC_CONNECT_ERROR;
 -  }
 -
@@ -228,7 +227,7 @@
  #elif defined(USE_WOLFSSL)
 
  static CURLcode quic_ssl_ctx(WOLFSSL_CTX **pssl_ctx,
-@@ -1730,7 +1731,14 @@
+@@ -1902,7 +1902,14 @@
    cf->conn->bundle->multiuse = BUNDLE_MULTIPLEX;
 
    if(cf->conn->ssl_config.verifyhost) {
@@ -244,7 +243,7 @@
      X509 *server_cert;
      server_cert = SSL_get_peer_certificate(ctx->ssl);
      if(!server_cert) {
-@@ -1740,13 +1748,6 @@
+@@ -1912,13 +1919,6 @@
      X509_free(server_cert);
      if(result)
        return result;
@@ -258,17 +257,25 @@
  #elif defined(USE_WOLFSSL)
      if(wolfSSL_check_domain_name(ctx->ssl, snihost) == SSL_FAILURE)
        return CURLE_PEER_FAILED_VERIFICATION;
-@@ -1755,7 +1756,8 @@
+@@ -1927,7 +1927,7 @@
    }
    else
      infof(data, "Skipped certificate verification");
 -#ifdef USE_OPENSSL
-+#ifdef USE_GNUTLS
-+#elif defined(USE_OPENSSL)
++#if defined(USE_OPENSSL) && !defined(USE_GNUTLS)
    if(data->set.ssl.certinfo)
      /* asked to gather certificate info */
      (void)Curl_ossl_certchain(data, ctx->ssl);
-@@ -2170,12 +2172,7 @@
+@@ -1996,7 +1996,7 @@
+     pktx->ts = timestamp();
+   }
+
+-#ifdef USE_OPENSSL
++#if defined(USE_OPENSSL) && !defined(USE_GNUTLS)
+   if(!ctx->x509_store_setup) {
+     result = Curl_ssl_setup_x509_store(cf, data, ctx->sslctx);
+     if(result)
+@@ -2319,12 +2319,7 @@
    if(ctx->qlogfd != -1) {
      close(ctx->qlogfd);
    }
@@ -282,7 +289,7 @@
    if(ctx->gtls) {
      if(ctx->gtls->cred)
        gnutls_certificate_free_credentials(ctx->gtls->cred);
-@@ -2183,6 +2180,11 @@
+@@ -2332,6 +2327,11 @@
        gnutls_deinit(ctx->gtls->session);
      free(ctx->gtls);
    }
@@ -294,13 +301,12 @@
  #elif defined(USE_WOLFSSL)
    if(ctx->ssl)
      wolfSSL_free(ctx->ssl);
-@@ -2264,7 +2266,8 @@
+@@ -2414,7 +2414,7 @@
    Curl_bufcp_init(&ctx->stream_bufcp, H3_STREAM_CHUNK_SIZE,
                    H3_STREAM_POOL_SPARES);
 
 -#ifdef USE_OPENSSL
-+#ifdef USE_GNUTLS
-+#elif defined(USE_OPENSSL)
++#if defined(USE_OPENSSL) && !defined(USE_GNUTLS)
    result = quic_ssl_ctx(&ctx->sslctx, cf, data);
    if(result)
      return result;

cross/libsigc++/Makefile

@@ -1,7 +1,7 @@
 PKG_NAME = libsigc++-main
 
-# support for c++11/c++17 language features is required
-UNSUPPORTED_ARCHS = $(ARMv5_ARCHS) $(PPC_ARCHS) $(OLD_PPC_ARCHS)
+# support for c++11 language features is required for libsigc++-2.12
+UNSUPPORTED_ARCHS = $(ARMv5_ARCHS) $(OLD_PPC_ARCHS)
 
 OPTIONAL_DEPENDS  = cross/libsigc++-latest
 OPTIONAL_DEPENDS += cross/libsigc++-2.12

cross/nghttp2/Makefile

@@ -1,5 +1,5 @@
 PKG_NAME = nghttp2
-PKG_VERS = 1.54.0
+PKG_VERS = 1.58.0
 PKG_EXT = tar.xz
 PKG_DIST_NAME = $(PKG_NAME)-$(PKG_VERS).$(PKG_EXT)
 PKG_DIST_SITE = https://github.com/nghttp2/nghttp2/releases/download/v$(PKG_VERS)

cross/nghttp2/PLIST

@@ -1,3 +1,3 @@
 lnk:lib/libnghttp2.so
 lnk:lib/libnghttp2.so.14
-lib:lib/libnghttp2.so.14.24.2
+lib:lib/libnghttp2.so.14.25.1

cross/nghttp2/digests

@@ -1,3 +1,3 @@
-nghttp2-1.54.0.tar.xz SHA1 eac516cb21f0c3c2e2fc4d21ee9f35b96650fd45
-nghttp2-1.54.0.tar.xz SHA256 20533c9354fbb6aa689b6aa0ddb77f91da1d242587444502832e1864308152df
-nghttp2-1.54.0.tar.xz MD5 8833c8ff79b328711079cb3e34a6e4ff
+nghttp2-1.58.0.tar.xz SHA1 604fd302ab380dc3d4c7a0dfd7d8b4a1eb4d5eaa
+nghttp2-1.58.0.tar.xz SHA256 4a68a3040da92fd9872c056d0f6b0cd60de8410de10b578f8ade9ecc14d297e0
+nghttp2-1.58.0.tar.xz MD5 4601542da69d9657072a3c5529f5c32e

cross/nghttp3/Makefile

@@ -1,5 +1,5 @@
 PKG_NAME = nghttp3
-PKG_VERS = 0.12.0
+PKG_VERS = 1.0.0
 PKG_EXT = tar.xz
 PKG_DIST_NAME = $(PKG_NAME)-$(PKG_VERS).$(PKG_EXT)
 PKG_DIST_SITE = https://github.com/ngtcp2/nghttp3/releases/download/v$(PKG_VERS)
@@ -19,6 +19,6 @@ LICENSE  = MIT
 
 GNU_CONFIGURE = 1
 CONFIGURE_ARGS = --disable-static --enable-lib-only
-ADDITIONAL_CFLAGS = -O2 -std=c++11
+ADDITIONAL_CFLAGS = -O2
 
 include ../../mk/spksrc.cross-cc.mk

cross/nghttp3/PLIST

@@ -1,3 +1,3 @@
 lnk:lib/libnghttp3.so
-lnk:lib/libnghttp3.so.7
-lib:lib/libnghttp3.so.7.0.0
+lnk:lib/libnghttp3.so.9
+lib:lib/libnghttp3.so.9.0.0

cross/nghttp3/digests

@@ -1,3 +1,3 @@
-nghttp3-0.12.0.tar.xz SHA1 a530e49553e8a9a573a88e24f9a457fe81b677a8
-nghttp3-0.12.0.tar.xz SHA256 d2e12072f5f86209b6ff9e4f07f990dece3c27d2f8367aa2a00fc5181ab85189
-nghttp3-0.12.0.tar.xz MD5 a9b2ef84f1a0233c7cb4dd259e758a85
+nghttp3-1.0.0.tar.xz SHA1 1ac1d2871bf81aacc69fa1304fc634df8bc6ea71
+nghttp3-1.0.0.tar.xz SHA256 2d982fadb92ba6488cd5ef3dadc9d2c901084c812553aea9ab1c4bfa1215f77a
+nghttp3-1.0.0.tar.xz MD5 af21094ff54f40bf8a88a4222094dfd3

cross/ngtcp2/Makefile

@@ -1,15 +1,14 @@
 PKG_NAME = ngtcp2
-PKG_VERS = 0.15.0
+PKG_VERS = 1.0.1
 PKG_EXT = tar.xz
 PKG_DIST_NAME = $(PKG_NAME)-$(PKG_VERS).$(PKG_EXT)
 PKG_DIST_SITE = https://github.com/ngtcp2/ngtcp2/releases/download/v$(PKG_VERS)
 PKG_DIR = $(PKG_NAME)-$(PKG_VERS)
 
 # for supported version for curl
 # see: https://github.com/curl/curl/blob/master/docs/HTTP3.md
-# despite ngtcp2 version 0.16.0 is expected, it works with 0.15.0 only
 
-DEPENDS = cross/gnutls
+DEPENDS = cross/gnutls cross/nghttp3
 
 HOMEPAGE = https://nghttp2.org/ngtcp2/
 COMMENT  = ngtcp2 project is an effort to implement IETF QUIC protocol.

cross/ngtcp2/PLIST

@@ -1,6 +1,6 @@
 lnk:lib/libngtcp2.so
-lnk:lib/libngtcp2.so.12
-lib:lib/libngtcp2.so.12.0.0
+lnk:lib/libngtcp2.so.16
+lib:lib/libngtcp2.so.16.0.0
 lnk:lib/libngtcp2_crypto_gnutls.so
-lnk:lib/libngtcp2_crypto_gnutls.so.4
-lib:lib/libngtcp2_crypto_gnutls.so.4.0.1
+lnk:lib/libngtcp2_crypto_gnutls.so.8
+lib:lib/libngtcp2_crypto_gnutls.so.8.0.1

cross/ngtcp2/digests

@@ -1,3 +1,3 @@
-ngtcp2-0.15.0.tar.xz SHA1 7f6a8f672d76b4b551b9cc1979914bbce7e82387
-ngtcp2-0.15.0.tar.xz SHA256 730b6700e4766fa70b311bcf88f1004f78ef3288f18e6e9cf42dfe9b655d412e
-ngtcp2-0.15.0.tar.xz MD5 fc71469e0f9511f05bf2a2ea25892cbe
+ngtcp2-1.0.1.tar.xz SHA1 7b3df07a2a56aec078cc8c5368366b2757415ff2
+ngtcp2-1.0.1.tar.xz SHA256 21c898fa5543d3f2dc203fd0a300a8a7cb70fec21ad7f7a3ec6e119ba4850451
+ngtcp2-1.0.1.tar.xz MD5 884fff8bcc4ab550fe17029dfd37103e

diyspk/curl/Makefile

@@ -1,5 +1,5 @@
 SPK_NAME = curl
-SPK_VERS = 8.1.2
+SPK_VERS = 8.4.0
 SPK_REV = 1
 
 # package of curl with all optional features

spk/domoticz/BROKEN

@@ -0,0 +1,3 @@
+domoticz is currently broken
+but there is WIP in https://github.com/SynoCommunity/spksrc/pull/4730
+that might bring domiticz back...