authordheerajpdsk <p.dheeraj.srujan.kumar@intel.com>2024-08-13 18:57:11 +0300
committerGitHub <noreply@github.com>2024-08-13 18:57:11 +0300
commit2bd6e77fe603cc9ddd4b1ef5421282487bb7a7d3 (patch)
tree0b18a326840e661d88333ec9aee349709f3596c1 /meta-openbmc-mods/meta-common/recipes-support
parentac27a5095790a2d49a44d7c46440e375a8f84812 (diff)
parent848b831c34ae28e7b8132834656ad59dc6b51a87 (diff)
Merge pull request #131 from Intel-BMC/update1-1.201-release
Update to internal 1-1.20
Diffstat (limited to 'meta-openbmc-mods/meta-common/recipes-support')
-rw-r--r--meta-openbmc-mods/meta-common/recipes-support/curl/curl/CVE-2024-0853.patch41
-rw-r--r--meta-openbmc-mods/meta-common/recipes-support/curl/curl/disable-tests14
-rw-r--r--meta-openbmc-mods/meta-common/recipes-support/curl/curl/run-ptest2
-rw-r--r--meta-openbmc-mods/meta-common/recipes-support/curl/curl_8.5.0.bb (renamed from meta-openbmc-mods/meta-common/recipes-support/curl/curl_8.2.0.bb)42
4 files changed, 88 insertions, 11 deletions
diff --git a/meta-openbmc-mods/meta-common/recipes-support/curl/curl/CVE-2024-0853.patch b/meta-openbmc-mods/meta-common/recipes-support/curl/curl/CVE-2024-0853.patch
new file mode 100644
index 000000000..9385c1421
--- /dev/null
+++ b/meta-openbmc-mods/meta-common/recipes-support/curl/curl/CVE-2024-0853.patch
@@ -0,0 +1,41 @@
+From c28e9478cb2548848eca9b765d0d409bfb18668c Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg <daniel@haxx.se>
+Date: Mon, 22 Jan 2024 23:54:08 +0100
+Subject: [PATCH] openssl: when verifystatus fails, remove session id from
+ cache
+
+To prevent that it gets used in a subsequent transfer that skips the
+verifystatus check since that check can't be done when the session id is
+reused.
+
+Reported-by: Hiroki Kurosawa
+Closes #12760
+---
+ lib/vtls/openssl.c | 14 ++++++++++++++
+ 1 file changed, 14 insertions(+)
+
+diff --git a/lib/vtls/openssl.c b/lib/vtls/openssl.c
+index 0e36dc6aa7e1e4..8d6087022b32c2 100644
+--- a/lib/vtls/openssl.c
++++ b/lib/vtls/openssl.c
+@@ -4351,6 +4351,20 @@ static CURLcode servercert(struct Curl_cfilter *cf,
+ /* don't do this after Session ID reuse */
+ result = verifystatus(cf, data);
+ if(result) {
++ /* when verifystatus failed, remove the session id from the cache again
++ if present */
++ if(!Curl_ssl_cf_is_proxy(cf)) {
++ void *old_ssl_sessionid = NULL;
++ bool incache;
++ Curl_ssl_sessionid_lock(data);
++ incache = !(Curl_ssl_getsessionid(cf, data, &old_ssl_sessionid, NULL));
++ if(incache) {
++ infof(data, "Remove session ID again from cache");
++ Curl_ssl_delsessionid(data, old_ssl_sessionid);
++ }
++ Curl_ssl_sessionid_unlock(data);
++ }
++
+ X509_free(backend->server_cert);
+ backend->server_cert = NULL;
+ return result;
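Review bot: The patch header (from `From c28e9478…` through `Closes #12760`) carries no `CVE:` or `Upstream-Status:` tag, so the link between this file and the advisory rests on the file name alone. Adding `CVE: CVE-2024-0853` and `Upstream-Status: Backport [https://github.com/curl/curl/commit/c28e9478cb2548848eca9b765d0d409bfb18668c]` above the `---` separator would let the patch-status QA check and CVE tooling tie it to the upstream commit named in the `From` line. The embedded hunk starts and ends inside `servercert()`, so whether it applies to the 8.5.0 tarball without fuzz cannot be confirmed from this page. That is worth verifying in the build log, because a fuzzy apply of a TLS verification fix can put it in the wrong place.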
diff --git a/meta-openbmc-mods/meta-common/recipes-support/curl/curl/disable-tests b/meta-openbmc-mods/meta-common/recipes-support/curl/curl/disable-tests
index 92056bd8c..419022091 100644
--- a/meta-openbmc-mods/meta-common/recipes-support/curl/curl/disable-tests
+++ b/meta-openbmc-mods/meta-common/recipes-support/curl/curl/disable-tests
@@ -1,14 +1,23 @@
+# Intermittently fails e.g. https://autobuilder.yocto.io/pub/non-release/20231220-28/testresults/qemux86-64-ptest/curl.log
+# https://autobuilder.yocto.io/pub/non-release/20231220-27/testresults/qemux86-64-ptest/curl.log
+337
# These CRL test (alt-avc) are failing
356
412
413
# These CRL tests are scanning docs
971
+# Intermittently hangs e.g http://autobuilder.yocto.io/pub/non-release/20231228-18/testresults/qemux86-64-ptest/curl.log
+1091
+# Intermittently hangs e.g https://autobuilder.yocto.io/pub/non-release/20231220-27/testresults/qemux86-64-ptest/curl.log
+1096
+# These CRL tests are scanning docs
1119
1132
1135
-# These CRL tests are scnning headers
+# These CRL tests are scanning headers
1167
+1477
# These CRL tests are scanning man pages
1139
1140
@@ -18,7 +27,10 @@
1165
# This CRL test is looking for src files
1185
+# This test is scanning the source tree
+1222
# These CRL tests need --libcurl option to be enabled
+1279
1400
1401
1402
diff --git a/meta-openbmc-mods/meta-common/recipes-support/curl/curl/run-ptest b/meta-openbmc-mods/meta-common/recipes-support/curl/curl/run-ptest
index 614e82292..8f9c20f34 100644
--- a/meta-openbmc-mods/meta-common/recipes-support/curl/curl/run-ptest
+++ b/meta-openbmc-mods/meta-common/recipes-support/curl/curl/run-ptest
@@ -1,6 +1,6 @@
#!/bin/sh
cd tests
-./runtests.pl -a -n -s | sed \
+{ ./runtests.pl -a -n -s -j4 !flaky || echo "FAIL: curl" ; } | sed \
-e 's|\([^ ]* *\) \([^ ]* *\)...OK|PASS: \1 \2|' \
-e 's|\([^ ]* *\) \([^ ]* *\)...FAILED|FAIL: \1 \2|' \
-e 's/Warning: test[0-9]\+ not present in tests\/data\/Makefile.inc//'
diff --git a/meta-openbmc-mods/meta-common/recipes-support/curl/curl_8.2.0.bb b/meta-openbmc-mods/meta-common/recipes-support/curl/curl_8.5.0.bb
index 69597440f..c8450e929 100644
--- a/meta-openbmc-mods/meta-common/recipes-support/curl/curl_8.2.0.bb
+++ b/meta-openbmc-mods/meta-common/recipes-support/curl/curl_8.5.0.bb
@@ -13,8 +13,9 @@ SRC_URI = " \
https://curl.se/download/${BP}.tar.xz \
file://run-ptest \
file://disable-tests \
+ file://CVE-2024-0853.patch \
"
-SRC_URI[sha256sum] = "2859ec79e2cd96e976a99493547359b8001af1d1e21f3a3a3b846544ef54500f"
+SRC_URI[sha256sum] = "42ab8db9e20d8290a3b633e7fbb3cec15db34df65fd1015ef8ac1e4723750eeb"
# Curl has used many names over the years...
CVE_PRODUCT = "haxx:curl haxx:libcurl curl:curl curl:libcurl libcurl:libcurl daniel_stenberg:curl"
@@ -24,21 +25,26 @@ inherit autotools pkgconfig binconfig multilib_header ptest
# Entropy source for random PACKAGECONFIG option
RANDOM ?= "/dev/urandom"
-PACKAGECONFIG ??= "${@bb.utils.filter('DISTRO_FEATURES', 'ipv6', d)} libidn openssl proxy random threaded-resolver verbose zlib"
+PACKAGECONFIG ??= "${@bb.utils.filter('DISTRO_FEATURES', 'ipv6', d)} aws basic-auth bearer-auth digest-auth negotiate-auth libidn openssl proxy random threaded-resolver verbose zlib"
PACKAGECONFIG:class-native = "ipv6 openssl proxy random threaded-resolver verbose zlib"
PACKAGECONFIG:class-nativesdk = "ipv6 openssl proxy random threaded-resolver verbose zlib"
# 'ares' and 'threaded-resolver' are mutually exclusive
PACKAGECONFIG[ares] = "--enable-ares,--disable-ares,c-ares,,,threaded-resolver"
+PACKAGECONFIG[aws] = "--enable-aws,--disable-aws"
+PACKAGECONFIG[basic-auth] = "--enable-basic-auth,--disable-basic-auth"
+PACKAGECONFIG[bearer-auth] = "--enable-bearer-auth,--disable-bearer-auth"
PACKAGECONFIG[brotli] = "--with-brotli,--without-brotli,brotli"
PACKAGECONFIG[builtinmanual] = "--enable-manual,--disable-manual"
# Don't use this in production
PACKAGECONFIG[debug] = "--enable-debug,--disable-debug"
PACKAGECONFIG[dict] = "--enable-dict,--disable-dict,"
+PACKAGECONFIG[digest-auth] = "--enable-digest-auth,--disable-digest-auth"
PACKAGECONFIG[gnutls] = "--with-gnutls,--without-gnutls,gnutls"
PACKAGECONFIG[gopher] = "--enable-gopher,--disable-gopher,"
PACKAGECONFIG[imap] = "--enable-imap,--disable-imap,"
PACKAGECONFIG[ipv6] = "--enable-ipv6,--disable-ipv6,"
+PACKAGECONFIG[kerberos-auth] = "--enable-kerberos-auth,--disable-kerberos-auth"
PACKAGECONFIG[krb5] = "--with-gssapi,--without-gssapi,krb5"
PACKAGECONFIG[ldap] = "--enable-ldap,--disable-ldap,openldap"
PACKAGECONFIG[ldaps] = "--enable-ldaps,--disable-ldaps,openldap"
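Review bot: `PACKAGECONFIG:class-native` and `PACKAGECONFIG:class-nativesdk` are left without any of the new `*-auth` options, so those builds now configure with `--disable-basic-auth`, `--disable-digest-auth` and the rest, whereas every class previously received `--enable-crypto-auth` from `EXTRA_OECONF` (removed in the `@@ -67,11 +73,10 @@` hunk). If native or SDK curl is ever used with credentials, that is a silent loss of function; either add the needed options to both overrides or add a comment such as `# auth schemes intentionally disabled for native/nativesdk`. On the target side the default now enables `aws`, `basic-auth`, `bearer-auth`, `digest-auth` and `negotiate-auth` together. For a BMC image it is worth keeping only the schemes the firmware actually uses. `negotiate-auth` presumably has no effect without `krb5`, which is not in the default list.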
@@ -47,6 +53,7 @@ PACKAGECONFIG[libidn] = "--with-libidn2,--without-libidn2,libidn2"
PACKAGECONFIG[libssh2] = "--with-libssh2,--without-libssh2,libssh2"
PACKAGECONFIG[mbedtls] = "--with-mbedtls=${STAGING_DIR_TARGET},--without-mbedtls,mbedtls"
PACKAGECONFIG[mqtt] = "--enable-mqtt,--disable-mqtt,"
+PACKAGECONFIG[negotiate-auth] = "--enable-negotiate-auth,--disable-negotiate-auth"
PACKAGECONFIG[nghttp2] = "--with-nghttp2,--without-nghttp2,nghttp2"
PACKAGECONFIG[openssl] = "--with-openssl,--without-openssl,openssl"
PACKAGECONFIG[pop3] = "--enable-pop3,--disable-pop3,"
@@ -56,7 +63,6 @@ PACKAGECONFIG[rtmpdump] = "--with-librtmp,--without-librtmp,rtmpdump"
PACKAGECONFIG[rtsp] = "--enable-rtsp,--disable-rtsp,"
PACKAGECONFIG[smb] = "--enable-smb,--disable-smb,"
PACKAGECONFIG[smtp] = "--enable-smtp,--disable-smtp,"
-PACKAGECONFIG[nss] = "--with-nss,--without-nss,nss"
PACKAGECONFIG[telnet] = "--enable-telnet,--disable-telnet,"
PACKAGECONFIG[tftp] = "--enable-tftp,--disable-tftp,"
PACKAGECONFIG[threaded-resolver] = "--enable-threaded-resolver,--disable-threaded-resolver,,,,ares"
@@ -67,11 +73,10 @@ PACKAGECONFIG[zstd] = "--with-zstd,--without-zstd,zstd"
EXTRA_OECONF = " \
--disable-libcurl-option \
--disable-ntlm-wb \
- --enable-crypto-auth \
--with-ca-bundle=${sysconfdir}/ssl/certs/ca-certificates.crt \
--without-libpsl \
--enable-optimize \
- ${@'--without-ssl' if (bb.utils.filter('PACKAGECONFIG', 'gnutls mbedtls nss openssl', d) == '') else ''} \
+ ${@'--without-ssl' if (bb.utils.filter('PACKAGECONFIG', 'gnutls mbedtls openssl', d) == '') else ''} \
"
do_install:append:class-target() {
@@ -85,14 +90,18 @@ do_install:append:class-target() {
}
do_compile_ptest() {
- oe_runmake test
- oe_runmake -C ${B}/tests/server
+ oe_runmake -C ${B}/tests
}
do_install_ptest() {
cat ${WORKDIR}/disable-tests >> ${S}/tests/data/DISABLED
rm -f ${B}/tests/configurehelp.pm
cp -rf ${B}/tests ${D}${PTEST_PATH}
+ rm -f ${D}${PTEST_PATH}/tests/libtest/.libs/libhostname.la
+ rm -f ${D}${PTEST_PATH}/tests/libtest/libhostname.la
+ mv ${D}${PTEST_PATH}/tests/libtest/.libs/* ${D}${PTEST_PATH}/tests/libtest/
+ mv ${D}${PTEST_PATH}/tests/libtest/libhostname.so ${D}${PTEST_PATH}/tests/libtest/.libs/
+ mv ${D}${PTEST_PATH}/tests/http/clients/.libs/* ${D}${PTEST_PATH}/tests/http/clients/
cp -rf ${S}/tests ${D}${PTEST_PATH}
find ${D}${PTEST_PATH}/ -type f -name Makefile.am -o -name Makefile.in -o -name Makefile -delete
install -d ${D}${PTEST_PATH}/src
@@ -100,8 +109,23 @@ do_install_ptest() {
cp -rf ${D}${bindir}/curl-config ${D}${PTEST_PATH}
}
-RDEPENDS:${PN}-ptest += "bash perl-modules perl-module-time-hires perl-module-digest-md5 \
- perl-module-digest perl-module-ipc-open2"
+RDEPENDS:${PN}-ptest += " \
+ bash \
+ perl-module-b \
+ perl-module-base \
+ perl-module-cwd \
+ perl-module-digest \
+ perl-module-digest-md5 \
+ perl-module-file-basename \
+ perl-module-file-spec \
+ perl-module-file-temp \
+ perl-module-io-socket \
+ perl-module-ipc-open2 \
+ perl-module-list-util \
+ perl-module-memoize \
+ perl-module-storable \
+ perl-module-time-hires \
+"
PACKAGES =+ "lib${BPN}"