curl: upgrade to release 8.3.0

Fixes CVE-2023-38039 * NSS support was removed in this release, so NSS related patches are not necessary now. * add configure options for curl. Change-Id: I71e09bac3c69ce4b13deee770a32225f39f79c46 Reviewed-on: https://gerrit.libreoffice.org/c/core/+/156917 Tested-by: Jenkins Reviewed-by: Taichi Haradaguchi <20001722@ymail.ne.jp>
2023-09-13 18:25:13 +09:00 · 2023-09-13 18:25:13 +09:00 · c2930ebff8
commit c2930ebff8
parent c76678bbe9
5 changed files with 7 additions and 63 deletions
--- a/download.lst
+++ b/download.lst
@ -75,8 +75,8 @@ CPPUNIT_TARBALL := cppunit-1.15.1.tar.gz
 # three static lines
 # so that git cherry-pick
 # will not run into conflicts
-CURL_SHA256SUM := dd322f6bd0a20e6cebdfd388f69e98c3d183bed792cf4713c8a7ef498cba4894
-CURL_TARBALL := curl-8.2.1.tar.xz
+CURL_SHA256SUM := 376d627767d6c4f05105ab6d497b0d9aba7111770dd9d995225478209c37ea63
+CURL_TARBALL := curl-8.3.0.tar.xz
 # three static lines
 # so that git cherry-pick
 # will not run into conflicts
--- a/external/curl/ExternalProject_curl.mk
+++ b/external/curl/ExternalProject_curl.mk
@ -10,21 +10,10 @@
 $(eval $(call gb_ExternalProject_ExternalProject,curl))

 $(eval $(call gb_ExternalProject_use_externals,curl,\
+	$(if $(ENABLE_OPENSSL),openssl) \
 	zlib \
 ))

-ifeq ($(TLS),NSS)
-$(eval $(call gb_ExternalProject_use_externals,curl,\
-	nss3 \
-))
-else
-ifeq ($(TLS),OPENSSL)
-$(eval $(call gb_ExternalProject_use_externals,curl,\
-	openssl \
-))
-endif
-endif
-
 $(eval $(call gb_ExternalProject_register_targets,curl,\
 	build \
 ))
@ -41,18 +30,14 @@ curl_LDFLAGS += -L$(SYSBASE)/usr/lib
 endif
 endif

-# there are 2 include paths, the other one is passed to --with-nss below
-ifeq ($(SYSTEM_NSS),)
-curl_CPPFLAGS += -I$(call gb_UnpackedTarball_get_dir,nss)/dist/public/nss
-endif
-
 # use --with-secure-transport on macOS >10.5 and iOS to get a native UI for SSL certs for CMIS usage
-# use --with-nss/--with-openssl only on platforms other than macOS and iOS
+# use --with-openssl only on platforms other than macOS and iOS
 $(call gb_ExternalProject_get_state_target,curl,build):
 	$(call gb_Trace_StartRange,curl,EXTERNAL)
 	$(call gb_ExternalProject_run,build,\
 		$(gb_RUN_CONFIGURE) ./configure \
-			--without-nss --without-openssl --without-gnutls --without-mbedtls \
+			--without-amissl --without-bearssl --without-gnutls \
+			--without-mbedtls --without-rustls --without-wolfssl \
 			--enable-ftp --enable-http --enable-ipv6 \
 			--without-libidn2 --without-libpsl --without-librtmp \
 			--without-libssh2 --without-nghttp2 \
@ -66,8 +51,7 @@ $(call gb_ExternalProject_get_state_target,curl,build):
 			--disable-tftp  \
 			$(if $(filter iOS MACOSX,$(OS)),\
 				--with-secure-transport,\
-				$(if $(filter NSS,$(TLS)),--with-nss$(if $(SYSTEM_NSS),,="$(call gb_UnpackedTarball_get_dir,nss)/dist/out") --with-nss-deprecated)) \
-				$(if $(filter OPENSSL,$(TLS)),--with-openssl$(if $(SYSTEM_OPENSSL),,="$(call gb_UnpackedTarball_get_dir,openssl)")) \
+				$(if $(ENABLE_OPENSSL),--with-openssl$(if $(SYSTEM_OPENSSL),,="$(call gb_UnpackedTarball_get_dir,openssl)"))) \
 			$(if $(filter LINUX,$(OS)),--without-ca-bundle --without-ca-path) \
 			$(gb_CONFIGURE_PLATFORMS) \
 			$(if $(filter TRUE,$(DISABLE_DYNLOADING)),--disable-shared,--disable-static) \
--- a/external/curl/UnpackedTarball_curl.mk
+++ b/external/curl/UnpackedTarball_curl.mk
@ -27,22 +27,10 @@ $(eval $(call gb_UnpackedTarball_add_patches,curl,\
 	external/curl/configurable-z-option.patch.0 \
 ))

-ifeq ($(SYSTEM_NSS),)
-$(eval $(call gb_UnpackedTarball_add_patches,curl,\
-	external/curl/curl-nss.patch.1 \
-))
-endif
-
 ifeq ($(OS)-$(COM_IS_CLANG),WNT-TRUE)
 $(eval $(call gb_UnpackedTarball_add_patches,curl, \
    external/curl/clang-cl.patch.0 \
 ))
 endif

-ifneq ($(filter -fsanitize=%,$(CC)),)
-$(eval $(call gb_UnpackedTarball_add_patches,curl, \
-    external/curl/asan-poison-nsspem.patch.0 \
-))
-endif
-
 # vim: set noet sw=4 ts=4:
--- a/external/curl/asan-poison-nsspem.patch.0
+++ b/external/curl/asan-poison-nsspem.patch.0
@ -1,11 +0,0 @@
--- lib/vtls/nss.c
-+++ lib/vtls/nss.c
-@@ -1926,7 +1926,7 @@
- 
-   PK11_SetPasswordFunc(nss_get_password);
- 
-  result = nss_load_module(&pem_module, pem_library, "PEM");
-+  result = CURLE_FAILED_INIT;
-   PR_Unlock(nss_initlock);
-   if(result == CURLE_FAILED_INIT)
-     infof(data, "WARNING: failed to load NSS PEM library %s. Using "
--- a/external/curl/curl-nss.patch.1
+++ b/external/curl/curl-nss.patch.1
@ -1,17 +0,0 @@
-diff -ur curl.org/configure curl/configure
--- curl.orig/configure	2023-02-20 16:11:55.000000000 +0900
-+++ curl/configure	2023-02-23 15:40:58.617432471 +0900
-@@ -28675,7 +28675,12 @@
-       { printf "%s\n" "$as_me:${as_lineno-$LINENO}: WARNING: Using hard-wired libraries and compilation flags for NSS." >&5
- printf "%s\n" "$as_me: WARNING: Using hard-wired libraries and compilation flags for NSS." >&2;}
-       addld="-L$OPT_NSS/lib"
-      addlib="-lssl3 -lsmime3 -lnss3 -lplds4 -lplc4 -lnspr4"
-+      addlib="-lssl3 -lsmime3 -lnss3 -lplds4 -lplc4 -lnspr4 -lnssutil3"
-+      case $host_os in
-+        *android*)
-+          addlib="${addlib} -llog"
-+          ;;
-+      esac
-       addcflags="-I$OPT_NSS/include"
-       version="unknown"
-       nssprefix=$OPT_NSS