Connection filters can now carry the flag CF_TYPE_SETUP, indicating that
they are only needed during connection setup, e.g. connect.
Once the connection is fully established, those filter are removed
again. This frees resources and also makes the filter (call) chains
shorter.
Closes#21269
When HTTPS-RR is needed for the HTTP/3 handshake, delay the connect
until it arrives. Relevant only for TLS backends that support ECH, for
now.
Closes#21253
To avoid (mis-)detecting it via the internal Apple library
`/usr/lib/system/libsystem_sim_kernel.dylib` when targeting iPhone
Simulator (seen with iPhoneSimulator26.4.sdk).
Reported-by: Ian Spence
Fixes#21236Closes#21271
Make cf-https-connect work async correctly:
- only start first baller when at least one A/AAAA address
is available
- select first connect attempt after that with HTTPS-RR info
there or not.
- select second connect attempt only when HTTPS-RR is resolved
(may have resolved to "not known") and select possible ALPN
from things known by then. May not select any second attempt
when first already covers everything.
This means when the HTTPS-RR is known at/before the first address
is resolved, everything behaves as before. When the HTTPS-RR is
late, a first connection attempt will have been started. Any
ALPN preference from the HTTPS-RR that is not already ongoing will
then start the second attempt.
For HTTPS-RRs that recommend 2 or more ALPNs, the first will always
be attempted: either it is already ongong or it will be the ALPN
for the second attempt. The 2nd ALPN recommendation from HTTPS-RR
*may* be honored or not, depending on what is already selected.
The difference in behaviour between early/late HTTPS-RR resolve
cannot be helped - unless we do not perform any attempts before
it arrives. Trade offs.
Closes#21267
Mostly, this means two blank lines between classes and functions and one
line between methods. Since these checks are currently in preview, they
are done in a separate ruff invocation to avoid turning ALL the preview
checks on at the same time.
- Checks for missing explicit `return` statements at the end of functions
that can return non-`None` values.
- Checks for classes that inherit from `object`.
- Checks for useless expressions.
- Within an `except*` clause, raise exceptions with `raise ... from err`
or `raise ... from None` to distinguish them from errors in exception
handling
- Checks for variable assignments that immediately precede a `return` of the
assigned variable.
- Checks for `else` statements with a `return` statement in the preceding
`if` block.
- Checks for unnecessary parentheses on raised exceptions.
Closes: #21258
The making of the TLS session cache key should use the cert blob
independently of verifypeer on/off.
Follow-up to fa0ccd9f1f
Spotted by Codex Security
Closes#21222
There are 69 entries, bsearch is faster than linear search for random
access.
This now also makes the matching case sensitive (zone names always in
uppercase). No docs said otherwise and all tests assumed uppercase.
Extended test 517
Closes#21266
It did not require a full-length match, so empty or prefix tokens map to
ECJPAKE would silently add that cipher to the configured list.
Follow-up to fba9afebba
Reported by Codex Security
Closes#21264
Polish the time2epoch function to become a little more readable.
Corrected the military time zones: they were going in the wrong
direction.
Add more curl_getdate() input varations to test 517
Closes#21251
Introduce a limit on the concurrent connect attempts of 6:
- document this in CURLOPT_HAPPY_EYEBALLS_TIMEOUT_MS
- close the oldest attempt before opening a new one that would
exceed the limit
- closing failed attempts early to avoid sockets use beyong their
usefulness
- add tests for limits in unit2600
These changes are externally visible as file descriptors will be
reassigned where we previously kept the old one around and started a
new socket, allocating always a new descriptor.
Closes#21252
Follow-up to bd3b2a626a
- rename it to myssh_statemachine
- remove the use of ternary operators in the switch
- fix the error handling for if 'sshp' actually ever is NULL
Closes#21250
The pieces of the state machine that were not separate functions before, now
are.
Also removed the use of ternary operators in the function calls.
Follow-up to f0bf43e209Closes#21249
Connections should only be reused when using the same "share" (and
perhaps some additional conditions), but instead of fixing this flaw,
this change completely disables connection reuse for SMB. This protocol
is about to get dropped soon anyway.
Reported-by: Osama Hamad
Closes#21238
For DragonFlyBSD and SunOS.
Also opt-in `BSD`, which is covering those listed explicitly, when using
CMake 3.25+.
Follow-up to 131a2fd5aa#16987Closes#21243
Curl_conn_cf_poll did not map adjust_pollset failures to poll-style
errors properly, so error codes were treated as ready events.
Found by Codex Security
Closes#21231
`certdata` dependency requires accessing api.github.com for
a reproducible timestamp, which in turn requires a GitHub token to avoid
errors due to rate limiting. Avoid all this by omitting this dependency,
which isn't necessary for these build tests anyway.
The `zero` job already did not use `certdata`, but disable explicitly
anyway just in case.
Reported-by: James Fuller
Follow-up to 9514184977
Follow-up to 128c252975#21105Closes#21241
Fixing (dl-mingw, CM 6.4.0-i686 (mingw-w64 5.0.0) schannel !unity):
```
lib/vssh/libssh.c: In function 'myssh_in_SFTP_QUOTE_STATVFS':
lib/vssh/libssh.c:573:31: error: ISO C does not support the 'I' printf flag [-Werror=format=]
char *tmp = curl_maprintf("statvfs:\n"
^~~~~~~~~~~~
lib/vssh/libssh.c:573:31: error: format '%u' expects argument of type 'unsigned int', but argument 2 has type 'uint64_t {aka long long unsigned int}' [-Werror=format=]
lib/vssh/libssh.c:573:31: error: ISO C does not support the 'I' printf flag [-Werror=format=]
[...]
```
Ref: https://github.com/curl/curl/actions/runs/24002480364/job/70000685821
mingw-w64 <=6.0.0 define `PRIu64` like this:
```
./inttypes.h:#define PRIu64 "I64u"
```
Follow-up to 413a0fedd0#12346
Cherry-picked from #21227Closes#21229
