@@ -1158,7 +1158,6 @@ dist_patch_DATA = \
%D%/packages/patches/csvkit-set-locale-for-tests.patch \
%D%/packages/patches/cube-nocheck.patch \
%D%/packages/patches/cups-minimal-Address-PPD-injection-issues.patch \
- %D%/packages/patches/curl-CVE-2024-8096.patch \
%D%/packages/patches/curl-use-ssl-cert-env.patch \
%D%/packages/patches/curlftpfs-fix-error-closing-file.patch \
%D%/packages/patches/curlftpfs-fix-file-names.patch \
@@ -17,6 +17,7 @@
;;; Copyright © 2023 Sharlatan Hellseher <sharlatanus@gmail.com>
;;; Copyright © 2023 John Kehayias <john.kehayias@protonmail.com>
;;; Copyright © 2024 Ashish SHUKLA <ashish.is@lostca.se>
+;;; Copyright © 2024, 2025 Maxim Cournoyer <maxim.cournoyer@gmail.com>
;;;
;;; This file is part of GNU Guix.
;;;
@@ -68,21 +69,22 @@ (define-module (gnu packages curl)
(define-public curl
(package
(name "curl")
- (version "8.6.0")
+ (version "8.13.0")
(source (origin
(method url-fetch)
(uri (string-append "https://curl.se/download/curl-"
version ".tar.xz"))
(sha256
(base32
- "05fv468yjrb7qwrxmfprxkrcckbkij0myql0vwwnalgr3bcmbk9w"))
- (patches (search-patches "curl-use-ssl-cert-env.patch"
- "curl-CVE-2024-8096.patch"))))
+ "09902ng7lbydbsm6yb03g0p7y03i4yilj1f0zgi2vl62ldwkj2aa"))
+ (patches (search-patches "curl-use-ssl-cert-env.patch"))))
(outputs '("out"
"doc")) ;1.2 MiB of man3 pages
(build-system gnu-build-system)
(arguments
(list
+ #:modules `((ice-9 format)
+ ,@%default-gnu-modules)
#:disallowed-references '("doc")
#:configure-flags
#~(list "--with-gnutls"
@@ -90,6 +92,7 @@ (define-public curl
(dirname (dirname
(search-input-file
%build-inputs "lib/libgssrpc.so"))))
+ "--with-libssh2"
"--disable-static")
#:test-target "test-nonflaky" ;avoid tests marked as "flaky"
#:phases
@@ -116,20 +119,18 @@ (define-public curl
(if parallel-tests?
(number->string (parallel-job-count))
"1")))
- ;; Ignore test 1477 due to a missing file in the 8.5.0
- ;; release. See
- ;; <https://github.com/curl/curl/issues/12462>.
- (arguments `("-C" "tests" "test"
- ,@make-flags
- ,(if #$(or (system-hurd?)
- (target-arm32?)
- (target-aarch64?))
- ;; protocol FAIL
- (string-append "TFLAGS=~1474 "
- "!1477 "
- job-count)
- (string-append "TFLAGS=\"~1477 "
- job-count "\"")))))
+ (failing-tests
+ '( 962 963 964 965 966 967 1474 ;protocol FAIL
+ ;; Unknown reason.
+ 165 1448 2046 2047
+ ;; Mismatch in expected output, perhaps
+ ;; caused by different nginx version used.
+ 1700 1701 1702 2402 2403 2404 2405))
+ (arguments
+ `("-C" "tests" "test"
+ ,@make-flags
+ ,(format #f "TFLAGS=~a ~{~~~a ~}"
+ job-count failing-tests))))
;; The top-level "make check" does "make -C tests quiet-test", which
;; is too quiet. Use the "test" target instead, which is more
;; verbose.
@@ -153,7 +154,7 @@ (define-public curl
(native-inputs
(list nghttp2 perl pkg-config python-minimal-wrapper))
(inputs
- (list gnutls libidn libpsl mit-krb5 `(,nghttp2 "lib") zlib))
+ (list gnutls libidn libpsl libssh2 mit-krb5 `(,nghttp2 "lib") zlib))
(native-search-paths
;; These variables are introduced by curl-use-ssl-cert-env.patch.
(list $SSL_CERT_DIR
deleted file mode 100644
@@ -1,200 +0,0 @@
-From aeb1a281cab13c7ba791cb104e556b20e713941f Mon Sep 17 00:00:00 2001
-From: Daniel Stenberg <daniel@haxx.se>
-Date: Tue, 20 Aug 2024 16:14:39 +0200
-Subject: [PATCH] gtls: fix OCSP stapling management
-
-Reported-by: Hiroki Kurosawa
-Closes #14642
----
- lib/vtls/gtls.c | 146 ++++++++++++++++++++++++------------------------
- 1 file changed, 73 insertions(+), 73 deletions(-)
-
-diff --git a/lib/vtls/gtls.c b/lib/vtls/gtls.c
-index 03d6fcc038aac3..c7589d9d39bc81 100644
---- a/lib/vtls/gtls.c
-+++ b/lib/vtls/gtls.c
-@@ -850,6 +850,13 @@ static CURLcode gtls_client_init(struct Curl_cfilter *cf,
- init_flags |= GNUTLS_NO_TICKETS;
- #endif
-
-+#if defined(GNUTLS_NO_STATUS_REQUEST)
-+ if(!config->verifystatus)
-+ /* Disable the "status_request" TLS extension, enabled by default since
-+ GnuTLS 3.8.0. */
-+ init_flags |= GNUTLS_NO_STATUS_REQUEST;
-+#endif
-+
- rc = gnutls_init(>ls->session, init_flags);
- if(rc != GNUTLS_E_SUCCESS) {
- failf(data, "gnutls_init() failed: %d", rc);
-@@ -1321,104 +1328,97 @@ Curl_gtls_verifyserver(struct Curl_easy *data,
- infof(data, " server certificate verification SKIPPED");
-
- if(config->verifystatus) {
-- if(gnutls_ocsp_status_request_is_checked(session, 0) == 0) {
-- gnutls_datum_t status_request;
-- gnutls_ocsp_resp_t ocsp_resp;
-+ gnutls_datum_t status_request;
-+ gnutls_ocsp_resp_t ocsp_resp;
-+ gnutls_ocsp_cert_status_t status;
-+ gnutls_x509_crl_reason_t reason;
-
-- gnutls_ocsp_cert_status_t status;
-- gnutls_x509_crl_reason_t reason;
-+ rc = gnutls_ocsp_status_request_get(session, &status_request);
-
-- rc = gnutls_ocsp_status_request_get(session, &status_request);
-+ if(rc == GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE) {
-+ failf(data, "No OCSP response received");
-+ return CURLE_SSL_INVALIDCERTSTATUS;
-+ }
-
-- infof(data, " server certificate status verification FAILED");
-+ if(rc < 0) {
-+ failf(data, "Invalid OCSP response received");
-+ return CURLE_SSL_INVALIDCERTSTATUS;
-+ }
-
-- if(rc == GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE) {
-- failf(data, "No OCSP response received");
-- return CURLE_SSL_INVALIDCERTSTATUS;
-- }
-+ gnutls_ocsp_resp_init(&ocsp_resp);
-
-- if(rc < 0) {
-- failf(data, "Invalid OCSP response received");
-- return CURLE_SSL_INVALIDCERTSTATUS;
-- }
-+ rc = gnutls_ocsp_resp_import(ocsp_resp, &status_request);
-+ if(rc < 0) {
-+ failf(data, "Invalid OCSP response received");
-+ return CURLE_SSL_INVALIDCERTSTATUS;
-+ }
-
-- gnutls_ocsp_resp_init(&ocsp_resp);
-+ (void)gnutls_ocsp_resp_get_single(ocsp_resp, 0, NULL, NULL, NULL, NULL,
-+ &status, NULL, NULL, NULL, &reason);
-
-- rc = gnutls_ocsp_resp_import(ocsp_resp, &status_request);
-- if(rc < 0) {
-- failf(data, "Invalid OCSP response received");
-- return CURLE_SSL_INVALIDCERTSTATUS;
-- }
-+ switch(status) {
-+ case GNUTLS_OCSP_CERT_GOOD:
-+ break;
-
-- (void)gnutls_ocsp_resp_get_single(ocsp_resp, 0, NULL, NULL, NULL, NULL,
-- &status, NULL, NULL, NULL, &reason);
-+ case GNUTLS_OCSP_CERT_REVOKED: {
-+ const char *crl_reason;
-
-- switch(status) {
-- case GNUTLS_OCSP_CERT_GOOD:
-+ switch(reason) {
-+ default:
-+ case GNUTLS_X509_CRLREASON_UNSPECIFIED:
-+ crl_reason = "unspecified reason";
- break;
-
-- case GNUTLS_OCSP_CERT_REVOKED: {
-- const char *crl_reason;
--
-- switch(reason) {
-- default:
-- case GNUTLS_X509_CRLREASON_UNSPECIFIED:
-- crl_reason = "unspecified reason";
-- break;
--
-- case GNUTLS_X509_CRLREASON_KEYCOMPROMISE:
-- crl_reason = "private key compromised";
-- break;
--
-- case GNUTLS_X509_CRLREASON_CACOMPROMISE:
-- crl_reason = "CA compromised";
-- break;
--
-- case GNUTLS_X509_CRLREASON_AFFILIATIONCHANGED:
-- crl_reason = "affiliation has changed";
-- break;
-+ case GNUTLS_X509_CRLREASON_KEYCOMPROMISE:
-+ crl_reason = "private key compromised";
-+ break;
-
-- case GNUTLS_X509_CRLREASON_SUPERSEDED:
-- crl_reason = "certificate superseded";
-- break;
-+ case GNUTLS_X509_CRLREASON_CACOMPROMISE:
-+ crl_reason = "CA compromised";
-+ break;
-
-- case GNUTLS_X509_CRLREASON_CESSATIONOFOPERATION:
-- crl_reason = "operation has ceased";
-- break;
-+ case GNUTLS_X509_CRLREASON_AFFILIATIONCHANGED:
-+ crl_reason = "affiliation has changed";
-+ break;
-
-- case GNUTLS_X509_CRLREASON_CERTIFICATEHOLD:
-- crl_reason = "certificate is on hold";
-- break;
-+ case GNUTLS_X509_CRLREASON_SUPERSEDED:
-+ crl_reason = "certificate superseded";
-+ break;
-
-- case GNUTLS_X509_CRLREASON_REMOVEFROMCRL:
-- crl_reason = "will be removed from delta CRL";
-- break;
-+ case GNUTLS_X509_CRLREASON_CESSATIONOFOPERATION:
-+ crl_reason = "operation has ceased";
-+ break;
-
-- case GNUTLS_X509_CRLREASON_PRIVILEGEWITHDRAWN:
-- crl_reason = "privilege withdrawn";
-- break;
-+ case GNUTLS_X509_CRLREASON_CERTIFICATEHOLD:
-+ crl_reason = "certificate is on hold";
-+ break;
-
-- case GNUTLS_X509_CRLREASON_AACOMPROMISE:
-- crl_reason = "AA compromised";
-- break;
-- }
-+ case GNUTLS_X509_CRLREASON_REMOVEFROMCRL:
-+ crl_reason = "will be removed from delta CRL";
-+ break;
-
-- failf(data, "Server certificate was revoked: %s", crl_reason);
-+ case GNUTLS_X509_CRLREASON_PRIVILEGEWITHDRAWN:
-+ crl_reason = "privilege withdrawn";
- break;
-- }
-
-- default:
-- case GNUTLS_OCSP_CERT_UNKNOWN:
-- failf(data, "Server certificate status is unknown");
-+ case GNUTLS_X509_CRLREASON_AACOMPROMISE:
-+ crl_reason = "AA compromised";
- break;
- }
-
-- gnutls_ocsp_resp_deinit(ocsp_resp);
-+ failf(data, "Server certificate was revoked: %s", crl_reason);
-+ break;
-+ }
-
-- return CURLE_SSL_INVALIDCERTSTATUS;
-+ default:
-+ case GNUTLS_OCSP_CERT_UNKNOWN:
-+ failf(data, "Server certificate status is unknown");
-+ break;
- }
-- else
-- infof(data, " server certificate status verification OK");
-+
-+ gnutls_ocsp_resp_deinit(ocsp_resp);
-+ if(status != GNUTLS_OCSP_CERT_GOOD)
-+ return CURLE_SSL_INVALIDCERTSTATUS;
- }
- else
- infof(data, " server certificate status verification SKIPPED");