6 files changed, 73 insertions, 132 deletions

diff --git a/meta/recipes-support/curl/curl/721941aadf4adf4f6aeb3f4c0ab489bb89610c36.patch b/meta/recipes-support/curl/curl/721941aadf4adf4f6aeb3f4c0ab489bb89610c36.patch
deleted file mode 100644
index 98f7db93e8..0000000000
--- a/meta/recipes-support/curl/curl/721941aadf4adf4f6aeb3f4c0ab489bb89610c36.patch
+++ /dev/null
@@ -1,64 +0,0 @@
-From 721941aadf4adf4f6aeb3f4c0ab489bb89610c36 Mon Sep 17 00:00:00 2001
-From: Stefan Eissing <stefan@eissing.org>
-Date: Mon, 1 Apr 2024 15:41:18 +0200
-Subject: [PATCH] http: with chunked POST forced, disable length check on read
- callback
-
-- when an application forces HTTP/1.1 chunked transfer encoding
-  by setting the corresponding header and instructs curl to use
-  the CURLOPT_READFUNCTION, disregard any POST length information.
-- this establishes backward compatibility with previous curl versions
-
-Applications are encouraged to not force "chunked", but rather
-set length information for a POST. By setting -1, curl will
-auto-select chunked on HTTP/1.1 and work properly on other HTTP
-versions.
-
-Reported-by: Jeff King
-Fixes #13229
-Closes #13257
-Upstream-Status: Backport
----
- lib/http.c | 22 ++++++++++++++++++++--
- 1 file changed, 20 insertions(+), 2 deletions(-)
-
-diff --git a/lib/http.c b/lib/http.c
-index 92c04e69cd8373..a764d3c4403c39 100644
---- a/lib/http.c
-+++ b/lib/http.c
-@@ -2046,8 +2046,19 @@ static CURLcode set_reader(struct Curl_easy *data, Curl_HttpReq httpreq)
-       else
-         result = Curl_creader_set_null(data);
-     }
--    else { /* we read the bytes from the callback */
--      result = Curl_creader_set_fread(data, postsize);
-+    else {
-+      /* we read the bytes from the callback. In case "chunked" encoding
-+       * is forced by the application, we disregard `postsize`. This is
-+       * a backward compatibility decision to earlier versions where
-+       * chunking disregarded this. See issue #13229. */
-+      bool chunked = FALSE;
-+      char *ptr = Curl_checkheaders(data, STRCONST("Transfer-Encoding"));
-+      if(ptr) {
-+        /* Some kind of TE is requested, check if 'chunked' is chosen */
-+        chunked = Curl_compareheader(ptr, STRCONST("Transfer-Encoding:"),
-+                                     STRCONST("chunked"));
-+      }
-+      result = Curl_creader_set_fread(data, chunked? -1 : postsize);
-     }
-     return result;
- 
-@@ -2115,6 +2126,13 @@ CURLcode Curl_http_req_set_reader(struct Curl_easy *data,
-     data->req.upload_chunky =
-       Curl_compareheader(ptr,
-                          STRCONST("Transfer-Encoding:"), STRCONST("chunked"));
-+    if(data->req.upload_chunky &&
-+       Curl_use_http_1_1plus(data, data->conn) &&
-+       (data->conn->httpversion >= 20)) {
-+       infof(data, "suppressing chunked transfer encoding on connection "
-+             "using HTTP version 2 or higher");
-+       data->req.upload_chunky = FALSE;
-+    }
-   }
-   else {
-     curl_off_t req_clen = Curl_creader_total_length(data);
diff --git a/meta/recipes-support/curl/curl/disable-tests b/meta/recipes-support/curl/curl/disable-tests
index 259576fd01..e69de29bb2 100644
--- a/meta/recipes-support/curl/curl/disable-tests
+++ b/meta/recipes-support/curl/curl/disable-tests
@@ -1,41 +0,0 @@
-# Intermittently fails e.g. https://autobuilder.yocto.io/pub/non-release/20231220-28/testresults/qemux86-64-ptest/curl.log
-# https://autobuilder.yocto.io/pub/non-release/20231220-27/testresults/qemux86-64-ptest/curl.log
-337
-# These CRL test (alt-avc) are failing
-356
-412
-413
-# These CRL tests are scanning docs
-971
-# Intermittently hangs e.g http://autobuilder.yocto.io/pub/non-release/20231228-18/testresults/qemux86-64-ptest/curl.log
-1091
-# Intermittently hangs e.g https://autobuilder.yocto.io/pub/non-release/20231220-27/testresults/qemux86-64-ptest/curl.log
-1096
-# These CRL tests are scanning docs
-1119
-1132
-1135
-1478
-# These CRL tests are scanning headers
-1167
-1477
-# These CRL tests are scanning man pages
-1139
-1140
-1173
-1177
-# This CRL test is looking for m4 files
-1165
-# This CRL test is looking for src files
-1185
-# This test is scanning the source tree
-1222
-# These CRL tests need --libcurl option to be enabled
-1279
-1400
-1401
-1402
-1403
-1404
-1405
-1465
diff --git a/meta/recipes-support/curl/curl/environment.d-curl.sh b/meta/recipes-support/curl/curl/environment.d-curl.sh
new file mode 100644
index 0000000000..7c2971b3da
--- /dev/null
+++ b/meta/recipes-support/curl/curl/environment.d-curl.sh
@@ -0,0 +1,19 @@
+# Respect host env CURL_CA_BUNDLE/CURL_CA_PATH first, then auto-detected host cert, then cert in buildtools
+# CAFILE/CAPATH is auto-deteced when source buildtools
+if [ -z "$CURL_CA_PATH" ]; then
+        if [ -n "$CAFILE" ];then
+                export CURL_CA_BUNDLE="$CAFILE"
+        elif [ -e "${OECORE_NATIVE_SYSROOT}/etc/ssl/certs/ca-certificates.crt" ];then
+                export CURL_CA_BUNDLE="${OECORE_NATIVE_SYSROOT}/etc/ssl/certs/ca-certificates.crt"
+        fi
+fi
+
+if [ -z "$CURL_CA_PATH" ]; then
+        if [ -n "$CAPATH" ];then
+                export CURL_CA_PATH="$CAPATH"
+        elif [ -e "${OECORE_NATIVE_SYSROOT}/etc/ssl/certs/ca-certificates.crt" ];then
+                export CURL_CA_PATH="${OECORE_NATIVE_SYSROOT}/etc/ssl/certs"
+        fi
+fi
+
+export BB_ENV_PASSTHROUGH_ADDITIONS="${BB_ENV_PASSTHROUGH_ADDITIONS:-} CURL_CA_BUNDLE CURL_CA_PATH"
diff --git a/meta/recipes-support/curl/curl/no-test-timeout.patch b/meta/recipes-support/curl/curl/no-test-timeout.patch
index 7122b6f043..5b901a6fe9 100644
--- a/meta/recipes-support/curl/curl/no-test-timeout.patch
+++ b/meta/recipes-support/curl/curl/no-test-timeout.patch
@@ -14,7 +14,7 @@ diff --git a/tests/servers.pm b/tests/servers.pm
 index d4472d5..9999938 100644
 --- a/tests/servers.pm
 +++ b/tests/servers.pm
-@@ -120,7 +120,7 @@ my $sshdverstr;  # for socks server, ssh daemon version string
+@@ -124,7 +124,7 @@ my $sshdverstr;  # for socks server, ssh daemon version string
  my $sshderror;   # for socks server, ssh daemon version error
  my %doesntrun;    # servers that don't work, identified by pidfile
  my %PORT = (nolisten => 47); # port we use for a local non-listening service
diff --git a/meta/recipes-support/curl/curl/run-ptest b/meta/recipes-support/curl/curl/run-ptest
index 579b3f4587..597cf92dbb 100644
--- a/meta/recipes-support/curl/curl/run-ptest
+++ b/meta/recipes-support/curl/curl/run-ptest
@@ -10,4 +10,10 @@ cd tests
 
 # Don't run the flaky or timing dependent tests
 # Until https://github.com/curl/curl/issues/13350 is resolved, don't run FTP tests
-./runtests.pl -a -n -am -j4 -p !flaky !timing-dependent !FTP
+# We don't enable --libcurl
+# Don't assume curl-config exists
+# We don't have the source tree
+./runtests.pl \
+    -a -c curl -vc curl -n -am -j4 -p \
+    !flaky !timing-dependent !FTP \
+    !--libcurl !curl-config !source\ analysis !checksrc !documentation
diff --git a/meta/recipes-support/curl/curl_8.7.1.bb b/meta/recipes-support/curl/curl_8.14.1.bb
index 23b7c50a86..08ad9cdb17 100644
--- a/meta/recipes-support/curl/curl_8.7.1.bb
+++ b/meta/recipes-support/curl/curl_8.14.1.bb
@@ -7,28 +7,31 @@ HOMEPAGE = "https://curl.se/"
 BUGTRACKER = "https://github.com/curl/curl/issues"
 SECTION = "console/network"
 LICENSE = "curl"
-LIC_FILES_CHKSUM = "file://COPYING;md5=eed2e5088e1ac619c9a1c747da291d75"
+LIC_FILES_CHKSUM = "file://COPYING;md5=72f4e9890e99e68d77b7e40703d789b8"
 
 SRC_URI = " \
     https://curl.se/download/${BP}.tar.xz \
-    file://721941aadf4adf4f6aeb3f4c0ab489bb89610c36.patch \
     file://run-ptest \
     file://disable-tests \
     file://no-test-timeout.patch \
 "
-SRC_URI[sha256sum] = "6fea2aac6a4610fbd0400afb0bcddbe7258a64c63f1f68e5855ebc0c659710cd"
+
+SRC_URI:append:class-nativesdk = " \
+           file://environment.d-curl.sh \
+"
+
+SRC_URI[sha256sum] = "f4619a1e2474c4bbfedc88a7c2191209c8334b48fa1f4e53fd584cc12e9120dd"
 
 # Curl has used many names over the years...
 CVE_PRODUCT = "haxx:curl haxx:libcurl curl:curl curl:libcurl libcurl:libcurl daniel_stenberg:curl"
+CVE_STATUS[CVE-2024-32928] = "ignored: CURLOPT_SSL_VERIFYPEER was disabled on google cloud services causing a potential man in the middle attack"
 
 inherit autotools pkgconfig binconfig multilib_header ptest
 
-# Entropy source for random PACKAGECONFIG option
-RANDOM ?= "/dev/urandom"
-
-PACKAGECONFIG ??= "${@bb.utils.filter('DISTRO_FEATURES', 'ipv6', d)} aws basic-auth bearer-auth digest-auth negotiate-auth libidn openssl proxy random threaded-resolver verbose zlib"
-PACKAGECONFIG:class-native = "ipv6 openssl proxy random threaded-resolver verbose zlib"
-PACKAGECONFIG:class-nativesdk = "ipv6 openssl proxy random threaded-resolver verbose zlib"
+COMMON_PACKAGECONFIG = "basic-auth bearer-auth digest-auth ipfs negotiate-auth openssl proxy threaded-resolver verbose zlib"
+PACKAGECONFIG ??= "${COMMON_PACKAGECONFIG} ${@bb.utils.filter('DISTRO_FEATURES', 'ipv6', d)} aws libidn"
+PACKAGECONFIG:class-native = "${COMMON_PACKAGECONFIG} ipv6"
+PACKAGECONFIG:class-nativesdk = "${COMMON_PACKAGECONFIG} ipv6"
 
 # 'ares' and 'threaded-resolver' are mutually exclusive
 PACKAGECONFIG[ares] = "--enable-ares,--disable-ares,c-ares,,,threaded-resolver"
@@ -45,6 +48,7 @@ PACKAGECONFIG[gnutls] = "--with-gnutls,--without-gnutls,gnutls"
 PACKAGECONFIG[gopher] = "--enable-gopher,--disable-gopher,"
 PACKAGECONFIG[imap] = "--enable-imap,--disable-imap,"
 PACKAGECONFIG[ipv6] = "--enable-ipv6,--disable-ipv6,"
+PACKAGECONFIG[ipfs] = "--enable-ipfs,--disable-ipfs,"
 PACKAGECONFIG[kerberos-auth] = "--enable-kerberos-auth,--disable-kerberos-auth"
 PACKAGECONFIG[krb5] = "--with-gssapi,--without-gssapi,krb5"
 PACKAGECONFIG[ldap] = "--enable-ldap,--disable-ldap,openldap"
@@ -59,7 +63,6 @@ PACKAGECONFIG[nghttp2] = "--with-nghttp2,--without-nghttp2,nghttp2"
 PACKAGECONFIG[openssl] = "--with-openssl,--without-openssl,openssl"
 PACKAGECONFIG[pop3] = "--enable-pop3,--disable-pop3,"
 PACKAGECONFIG[proxy] = "--enable-proxy,--disable-proxy,"
-PACKAGECONFIG[random] = "--with-random=${RANDOM},--without-random"
 PACKAGECONFIG[rtmpdump] = "--with-librtmp,--without-librtmp,rtmpdump"
 PACKAGECONFIG[rtsp] = "--enable-rtsp,--disable-rtsp,"
 PACKAGECONFIG[smb] = "--enable-smb,--disable-smb,"
@@ -68,16 +71,19 @@ PACKAGECONFIG[telnet] = "--enable-telnet,--disable-telnet,"
 PACKAGECONFIG[tftp] = "--enable-tftp,--disable-tftp,"
 PACKAGECONFIG[threaded-resolver] = "--enable-threaded-resolver,--disable-threaded-resolver,,,,ares"
 PACKAGECONFIG[verbose] = "--enable-verbose,--disable-verbose"
+PACKAGECONFIG[websockets] = "--enable-websockets,--disable-websockets"
 PACKAGECONFIG[zlib] = "--with-zlib=${STAGING_LIBDIR}/../,--without-zlib,zlib"
 PACKAGECONFIG[zstd] = "--with-zstd,--without-zstd,zstd"
 
 EXTRA_OECONF = " \
     --disable-libcurl-option \
-    --disable-ntlm-wb \
-    --with-ca-bundle=${sysconfdir}/ssl/certs/ca-certificates.crt \
     --without-libpsl \
     --enable-optimize \
     ${@'--without-ssl' if (bb.utils.filter('PACKAGECONFIG', 'gnutls mbedtls openssl', d) == '') else ''} \
+    WATT_ROOT=${STAGING_DIR_TARGET}${prefix} \
+"
+EXTRA_OECONF:append:class-target = " \
+    --with-ca-bundle=${sysconfdir}/ssl/certs/ca-certificates.crt \
 "
 
 fix_absolute_paths () {
@@ -96,6 +102,9 @@ do_install:append:class-target() {
 
 do_install:append:class-nativesdk() {
         fix_absolute_paths
+
+        mkdir -p ${D}${SDKPATHNATIVE}/environment-setup.d
+        install -m 644 ${UNPACKDIR}/environment.d-curl.sh ${D}${SDKPATHNATIVE}/environment-setup.d/curl.sh
 }
 
 do_compile_ptest() {
@@ -103,32 +112,43 @@ do_compile_ptest() {
 }
 
 do_install_ptest() {
-        cat  ${UNPACKDIR}/disable-tests >> ${S}/tests/data/DISABLED
-        rm -f ${B}/tests/configurehelp.pm
-        cp -rf ${B}/tests ${D}${PTEST_PATH}
-        rm -f ${D}${PTEST_PATH}/tests/libtest/.libs/libhostname.la
-        rm -f ${D}${PTEST_PATH}/tests/libtest/libhostname.la
-        mv ${D}${PTEST_PATH}/tests/libtest/.libs/* ${D}${PTEST_PATH}/tests/libtest/
-        mv ${D}${PTEST_PATH}/tests/libtest/libhostname.so ${D}${PTEST_PATH}/tests/libtest/.libs/
-        mv ${D}${PTEST_PATH}/tests/http/clients/.libs/* ${D}${PTEST_PATH}/tests/http/clients/
-        cp -rf ${S}/tests ${D}${PTEST_PATH}
-        find ${D}${PTEST_PATH}/ -type f -name Makefile.am -o -name Makefile.in -o -name Makefile -delete
+        install -d ${D}${PTEST_PATH}/tests
+        cp ${S}/tests/*.p[lmy] ${D}${PTEST_PATH}/tests/
+
+        install -d ${D}${PTEST_PATH}/tests/libtest
+        for name in $(makefile-getvar ${B}/tests/libtest/Makefile noinst_PROGRAMS noinst_LTLIBRARIES); do
+                ${B}/libtool --mode=install install ${B}/tests/libtest/$name ${D}${PTEST_PATH}/tests/libtest
+        done
+        rm -f ${D}${PTEST_PATH}/tests/libtest/libhostname.la
+
+        install -d ${D}${PTEST_PATH}/tests/server
+        for name in $(makefile-getvar ${B}/tests/server/Makefile noinst_PROGRAMS); do
+                ${B}/libtool --mode=install install ${B}/tests/server/$name ${D}${PTEST_PATH}/tests/server
+        done
+
         install -d ${D}${PTEST_PATH}/src
-        ln -sf ${bindir}/curl   ${D}${PTEST_PATH}/src/curl
-        cp -rf ${D}${bindir}/curl-config ${D}${PTEST_PATH}
+        install -m 755 ${B}/src/curlinfo ${D}${PTEST_PATH}/src
+
+        cp -r ${S}/tests/data ${D}${PTEST_PATH}/tests/
+
+        # More tests that we disable for automated QA as they're not reliable
+        cat ${UNPACKDIR}/disable-tests >>${D}${PTEST_PATH}/tests/data/DISABLED
 }
 
+DEPENDS:append:class-target = "${@bb.utils.contains('PTEST_ENABLED', '1', ' openssl-native', '', d)}"
+
 RDEPENDS:${PN}-ptest += " \
-        bash \
         locale-base-en-us \
         perl-module-b \
         perl-module-base \
         perl-module-cwd \
         perl-module-digest \
         perl-module-digest-md5 \
+        perl-module-digest-sha \
         perl-module-file-basename \
         perl-module-file-spec \
         perl-module-file-temp \
+        perl-module-i18n-langinfo \
         perl-module-io-socket \
         perl-module-ipc-open2 \
         perl-module-list-util \
@@ -143,6 +163,7 @@ FILES:lib${BPN} = "${libdir}/lib*.so.*"
 RRECOMMENDS:lib${BPN} += "ca-certificates"
 
 FILES:${PN} += "${datadir}/zsh"
+FILES:${PN}:append:class-nativesdk = " ${SDKPATHNATIVE}/environment-setup.d/curl.sh"
 
 inherit multilib_script
 MULTILIB_SCRIPTS = "${PN}-dev:${bindir}/curl-config"