Fix test 1175 by passing the source root directory (was: tests).
Before this patch this caused silent Perl warnings and returning success
without executing the tests, due to:
```
readline() on closed filehandle $f at ../../tests/test1175.pl line 55.
readline() on closed filehandle $f at ../../tests/test1175.pl line 39.
```
Running the test revealed these issues:
```
CURLE_FUNCTION_NOT_FOUND is not in libcurl-errors.md
CURLE_HTTP_POST_ERROR is not in libcurl-errors.md
CURLE_TELNET_OPTION_SYNTAX is not in libcurl-errors.md
CURLM_CALL_MULTI_SOCKET is not in libcurl-errors.md
```
Apply fixes:
- mark `CURLE_FUNCTION_NOT_FOUND` deprecated by 7.53.0
- mark `CURLE_HTTP_POST_ERROR` deprecated by 7.56.0
- mark `CURLE_TELNET_OPTION_SYNTAX` deprecated by 7.78.0
- document `CURLM_CALL_MULTI_SOCKET` as a synonym for
`CURLM_CALL_MULTI_PERFORM`
- test1477: exclude `CURLM_CALL_MULTI_SOCKET`.
But, these weren't officially deprecated. It may need more updates
to reflect that in other places, or fix the issues differently.
Follow-up to 66ec950004#12424
Follow-up to 74f441c6d3#4628
Cherry-picked from #17877Closes#17880
Make `docs/examples/websocket.c more complete by showing how to handle
CURLE_AGAIN return codes and incomplete sends.
Reported-by: Markus Unterwaditzer
Fixes#13288Closes#17860
The idea here is to set limits per test how many allocations and maximum
amount of memory it is allowed to use. This is a means to make sure the
number and total size of allocations are kept in check and don't
mistakenly "blow up".
If runtests.pl detects that the given limits have been exceeded it fails
the test case with an error.
The `<verify>` part now supports `<limits>`, and in this section two
limits can be set for each test (verified in debug builds only):
Allocations: [number of allocation calls]
Maximum allocated: [maximum concurrent memory allocated]
Default limits (used if nothing is set in the test file):
Allocations: 1000
Maximum allocated: 1000000
Closes#17821
This was spotted by Debian's lintian tool. It adds an informational
warning at every run, so my OCD was kicking in and I had to fix it :-)
Closes#17787
Callback and data set via CURLOPT_CLOSESOCKETFUNCTION and
CURLOPT_CLOSESOCKETDATA may get used after the easy handle has been
cleaned up. Inform about that.
Closes#17816
... since the tests check for the feature using this name, we
accidentally had lots tests not run because this provided the
`digest-auth` feature that was not checked for.
Closes#17786
Replace the `libstubgss.so`-based overload solution with one built into
libcurl at compile-time.
The previous, `LD_PRELOAD`-based, solution was non-portable, allowlisted
for Linux, BSD and Solaris. It also required non-debug builds, which
turned out to be an accidental condition:
7d342c723c. It also required a curl tool
built against a shared libcurl. Detecting this condition wasn't always
accurate, e.g. with certain cmake configurations.
The overload solution also didn't work on macOS, though it theoretically
should have:
- #17653
- #2394
Experiments on making the overload solution work in more envs:
- #17759
That revealed that it also did not work on NetBSD, in CI.
The replacement solution is overloading the necessary GSS-API functions
for test 2056 and 2057 at compile time. It requires a debug-enabled curl
build (due to its insecure nature).
This makes these tests run on all platforms. Including most GSS jobs in
CI, that are running tests. (the exception is old-linux, non-debug jobs,
where it felt overkill to enable debug for this.)
The refactored GSS stub code needs to overload less than before because
it's free to use the official GSS API. (This didn't work with
the overload solution on Alpine for example). It can also use libcurl
functions, allowing to replace `snprintf()` with `msnprintf()`.
OS/400 is also overloading GSS API functions. I haven't tested how this
works after this PR. In theory it should, because this PR doesn't rely
on preprocessor overrides.
Note that for future GSS tests, it may be necessary to stub these GSS
API functions: `gss_inquire_context()`, `gss_unwrap()`, `gss_wrap()`.
They are on codepaths not (yet) touched by tests.
Also:
- stub-gss: check for token buffer overrun.
- stub-gss: replace size macros with `sizeof()`.
- GHA: enable debug for some jobs with GSS.
- GHA/linux: ignore results for 2056 and 2057 in the valgrind job.
They leak the same way as seen with 2077 and 2078.
Ref: 7020ba7979#17462
Ref: 146759716c#14430
- GHA/linux: fix to ignore `gss_import_name()` leaks in valgrind builds.
only.
- lib/vauth/krb5_gssapi: reduce variable scope.
- lib/vauth/spnego_gssapi: reduce variable scope.
- tests/libtest: drop code and build logic dealing with `libstubgss`.
- runtests:
- drop `ld_preload` feature.
- drop special handling of `LD_PRELOAD` env in tests.
- drop logic dealing with shared curl tool detection.
- drop `LD_PRELOAD` envs from tests.
Follow-up to 56d949d31a#1687Closes#17752
- tests/libtest: move exception to `stub_gssapi.h`.
- tests/libtest: move remaining exception to `testtrace.c`.
- tests/server: drop obsolete exception.
- docs/examples: move `BANNEDFUNC` exceptions to local files (3 lines).
- docs/examples: move `ERRNOVAR` exception to `ephiperfifo.c`.
- docs/examples: drop `typedef struct` (8 files).
- lib/curlx: add `.checksrc` with banned funcs copied from lib.
- checksrc: ban `strncpy`, `strtok_r`, `strtoul` by default.
Drop local bans. Add exception for `strtoul` to `tests/server'.
- lib, src: sync banned funcs.
Also:
- REUSE: drop `stunnel.pem`, it no longer exists.
- docs/examples: formatting.
- docs/examples: simplify some `sizeof()`s.
Closes#17764
Flaws in any script or compiled artifact which isn't installed by
default is not considered to be security vulnerabilities.
Closes#17761
Reviewed-by: Daniel Stenberg <daniel@haxx.se>
curl passes down the capath directly to the backends. OpenSSL will then
delimiter-separate this path internally to support multiple directories
(using its certificate hash scheme). However, the other backends
(wolfSSL, mbedTLS, gnutls) only expect a single directory (and do not
use the hash scheme, preferring to iterate the directory and load all
files). This adjusts the `--capath` documentation to reflect that
multiple paths is an OpenSSL-specific feature. Alternatively, curl could
delimiter-separate these itself, but I'm not sure it's worth it.
Ref https://github.com/JuliaLang/NetworkOptions.jl/issues/41Closes#17737
Make the <dns> tag in a test case control what is stored there. Also
documented. Make test 2102 and 2103 use the new tag.
Lets the test case config the A and AAAA contents the server replies
with. Initial work for the HTTPS RR exists, but does not yet work.
Closes#17543
In CODE_REVIEW.md file, the link that points to CONTRIBUTE was broken,
so I fixed this issue changing the link from only "CONTRIBUTE.md" to
"https://curl.se/dev/contribute.html".
Closes#17656
Setting CURLOPT_CONNECT_ONLY with value 2 is only defined
for WebSocket and the effect on other protocols is undetermined.
That includes the HTTP urls.
Fixes#17621
Reported-by: Kirill Obukhov
Closes#17635
- GHA/windows: make a mingw autotools build static only.
- GHA/windows: fix a CI script issue with the build above.
- src: fix to pass `LIBCURL_PC_LIBS_PRIVATE` instead of `LINKFLAGS`.
This makes the libs propagate to tunits, making the local hack there
unnecessary. `LINKFLAGS` had this single use in the repo, and it was
empty in local tests.
- tests: drop passing redundant `LIBCURL_PC_LDFLAGS_PRIVATE`.
- tests: drop redundant target name from config variables.
- examples, tests/client: drop `LIBDIR` temp variables with single uses.
- examples, tests: formatting to sync `Makefile.am` scripts with each
other.
Closes#17661
I added it just in case when removing enabled-by-default memdebug
from test servers. Apparently it broke after recent changes. It's
probably not a widely used feature and does not seem to be worth fixing.
It creates odd dependencies as the error message indicates:
```
[28/54] Building C object tests/server/CMakeFiles/servers.dir/__/__/lib/memdebug.c.obj
FAILED: tests/server/CMakeFiles/servers.dir/__/__/lib/memdebug.c.obj
[...]
lib/memdebug.c: In function 'curl_dbg_log':
lib/memdebug.c:465:12: error: implicit declaration of function 'mvsnprintf'; did you mean 'vsnprintf'? [-Wimplicit-function-declaration]
465 | nchars = mvsnprintf(buf, sizeof(buf), format, ap);
| ^~~~~~~~~~
| vsnprintf
lib/memdebug.c:465:12: warning: nested extern declaration of 'mvsnprintf' [-Wnested-externs]
```
This patch is dropping these build options:
- cmake: `ENABLE_SERVER_DEBUG`
- autotools: `--enable-server-debug` / `--disable-server-debug`
Follow-up to a16485a42e#16705Closes#17629
Instead of relying on CMake's built-in unity feature, use `mk-unity.pl`,
as already done with autotools. It simplified the build, shortens logs
and makes debugging easier because of the fewer build variations.
It also allows testing / fixing with cmake and those automatically apply
to autotools builds too. cmake builds can be much-much faster, esp.
when working the builds themselves.
It also enables "unity" in old cmake versions. Basically every test
target is a single generated .c source.
Also:
- drop a `lib` unity workaround for libtests with autotools after fixing
the issue in libtests itself. It drops a few exceptions and makes
libcurl build faster (in autotools unity).
- fix another `lib` autotools unity issue and drop the workaround for it
from `mk-unity.pl`. `srcdir` was missing from the header path.
- simplify `mk-unity.pl` command-lines, drop exclusions.
Follow-up to 2c27a67daa#17590Closes#17628
When `curl_easy_cleanup()` is invoked while still being part
of a multi handle, the code will auto-remove it. But since the
connection was detached first, the code in
`curl_multi_remove_handle()` that invalidates dirty connections
did not bite.
Attach the connection *after* the possible remove from a multi
handle, so that connection reuse can be prevented.
Add test753 to reproduce and verify the fix. This required adding
the new debug env var CURL_FTP_PWD_STOP, to have a transfer return
from multi_perform() early with a connection that does not show
and pending input.
Reported-by: Brian Harris
Fixes https://github.com/curl/curl/issues/17578
Closes https://github.com/curl/curl/pull/17607
- Align --cacert behaviour with OpenSSL and LibreSSL.
This changes the default behavior of Schannel manual certificate
verification, which is used when the user provides their own CA
certificates for verification, to accept partial chains. In other words,
the user may provide an intermediate certificate without having to
provide the root CA.
Win8/Server2012 widened the PKIX chain traversal API to allow
certificate traversal to terminate at an intermediate.
This behaviour (terminate at the fist matching intermediate) is the
default for LibreSSL and OpenSSL (with OpenSSL allowing control via
CURLSSLOPT_NO_PARTIALCHAIN).
This change uses the new API if it is available, and also allows the
behaviour to revert legacy if CURLSSLOPT_NO_PARTIALCHAIN is present.
Closes https://github.com/curl/curl/pull/17418
Make test bundles the default. Drop non-bundle build mode.
Also do all the optimizations and tidy-ups this allows, simpler builds,
less bundle exceptions, streamlined build mechanics.
Also rework the init/deinit macro magic for unit tests. The new method
allows using unique init/deinit function names, and calling them with
arguments. This is in turn makes it possible to reduce the use of global
variables.
Note this drop existing build options `-DCURL_TEST_BUNDLES=` from cmake
and `--enable-test-bundles` / `--disable-test-bundles` from autotools.
Also:
- rename test entry functions to have unique names: `test_<testname>`
This removes the last exception that was handled in the generator.
- fix `make dist` to not miss test sources with test bundles enabled.
- sync and merge `tests/mk-bundle.pl` into `scripts/mk-unity.pl`.
- mk-unity.pl: add `--embed` option and use it when `CURL_CLANG_TIDY=ON`
to ensure that `clang-tidy` does not miss external test C sources.
(because `clang-tidy` ignores code that's #included.)
- tests/unit: drop no-op setup/stop functions.
- tests: reduce symbol scopes, global macros, other fixes and tidy-ups.
- tool1621: fix to run, also fix it to pass.
- sockfilt: fix Windows compiler warning in certain unity include order,
by explicitly including `warnless.h`.
Follow-up to 6897aeb105#17468Closes#17590
These libraries do not support TLS 1.3 and have been marked for removal
for over a year. We want to help users select a TLS dependency that is
future-proof and reliable, and not supporting TLS 1.3 in 2025 does not
infer confidence. Users who build libcurl are likely to be served better
and get something more future-proof with a TLS library that supports
1.3.
Closes#16677
This boolean option was moved to the wrong handling function. Make it
an ARG_NONE and move it to the correct handler and add a test to
verify that the option works.
Follow-up to 698491f44
Reported-by: fjaell on github
Fixes#17545Closes#17547
In the documentation for the --continue-at and --range options.
A future version could implement support for the new standard HTTP resumed
uploads mechanism.
Ref: #17510Closes#17521
This started out as regression tests for the `curl_ws_recv()` and
`curl_ws_send()` implementation and ended up with a bugfix, additional
protocol validation and minor logging improvements.
- Fix reset of fragmented message decoder state when a PING/PONG is
received in between message fragments.
- Fix undefined behavior (applying zero offset to null pointer) in
curl_ws_send() when the given buffer is NULL.
- Detect invalid overlong PING/PONG/CLOSE frames.
- Detect invalid fragmented PING/PONG/CLOSE frames.
- Detect invalid sequences of fragmented frames.
- a) A continuation frame (0x80...) is received without any ongoing
fragmented message.
- b) A new fragmented message is started (0x81/0x01/0x82/0x02...)
before the ongoing fragmented message has terminated.
- Made logs for invalid opcodes easier to understand.
- Moved noisy logs to the `CURL_TRC_WS` log level.
- Unified the prefixes for WebSocket log messages: `[WS] ...`
- Add env var `CURL_WS_FORCE_ZERO_MASK` in debug builds.
- If set, it forces the bit mask applied to outgoing payloads to
0x00000000, which effectively means the payload is not masked at
all. This drastically simplifies defining the expected `<protocol>`
data in test cases.
- 2700: Frame types
- 2701: Invalid opcode 0x3
- 2702: Invalid opcode 0xB
- 2703: Invalid reserved bit RSV1 _(replaces 2310)_
- 2704: Invalid reserved bit RSV2
- 2705: Invalid reserved bit RSV3
- 2706: Invalid masked server message
- 2707: Peculiar frame sizes _(part. replaces 2311)_
- 2708: Automatic PONG
- 2709: No automatic PONG _(replaces 2312)_
- 2710: Unsolicited PONG
- 2711: Empty PING/PONG/CLOSE
- 2712: Max sized PING/PONG/CLOSE
- 2713: Invalid oversized PING _(replaces 2307)_
- 2714: Invalid oversized PONG
- 2715: Invalid oversized CLOSE
- 2716: Invalid fragmented PING
- 2717: Invalid fragmented PONG
- 2718: Invalid fragmented CLOSE
- 2719: Fragmented messages _(part. replaces 2311)_
- 2720: Fragmented messages with empty fragments
- 2721: Fragmented messages with interleaved pong
- 2722: Invalid fragmented message without initial frame
- 2723: Invalid fragmented message without final frame
- 2305: curl_ws_recv() loop reading three larger frames
- This test involuntarily sent an invalid sequence of opcodes (0x01...,0x01...,0x81...) , but neither libcurl nor the test caught this! The correct sequence was tested in 2311 (0x01...,0x00...,0x80...). See below for 2311.
- Validation of the opcode sequence was added to libcurl and is now tested in 2723.
- Superseded by 2719 (fragmented message) and 2707 (large frames).
- 2307: overlong PING payload
- The tested PING payload length check was actually missing, but the test didn't catch this since it involuntarily sent an invalid opcode (0x19... instead of 0x89...) so that the expected error occurred, but for the wrong reason.
- Superseded by 2713.
- 2310: unknown reserved bit set in frame header
- Superseded by 2703 and extended by 2704 and 2705.
- 2311: curl_ws_recv() read fragmented message
- Superseded by 2719 (fragmented message) and 2707 (large frames).
- 2312: WebSockets no auto ping
- Superseded by 2709.
- No tests for `CURLOPT_WRITEFUNCTION`.
- No tests for sending of invalid frames/fragments.
Closes#17136
With a dash, using two Ls. Also for different forms of the word.
Use NULL in all uppercase if it means a zero pointer.
Follow-up to 307b7543eaCloses#17489
After Gmail called out the typo I fixed on
532d89a866, I've decided to paste the
whole man page into Google docs and check what other issues it would
spot.
I know, it sounds silly, but I've just spent the last hour and a half
going over each one of them and fixing everything which was a true
finding and non-controversial.
Closes#17480
In an attempt to make them easier to find.
The man pages runtests.md and testcurl.md are in /docs
The rest of the test documentation is in /docs/tests
Closes#17463
- appveyor: make a job target Windows XP.
- examples/block_ip: force this specific example to target Vista to make
it compile when building curl for Windows XP. Fixing:
```
docs\examples\block_ip.c(157): warning C4013: 'inet_pton' undefined; assuming extern returning int
docs\examples\block_ip.c(272): warning C4013: 'inet_ntop' undefined; assuming extern returning int
```
Ref: https://ci.appveyor.com/project/curlorg/curl/builds/52102142/job/2ajdluhc20r4gmmw#L530
Cherry-picked from #17413Closes#17415
To avoid redundant work in CI and to avoid a single checksrc issue make
all autotools jobs fail. After this patch checksrc issues make fail
the checksrc job, the `dist / verify-out-of-tree-autotools-debug`,
`dist / maketgz-and-verify-in-tree` jobs and the fuzzer job (if run).
Of these, the `dist` jobs replicate local builds, also testing the build
logic.
Also add a script to check the complete local repository, optionally
with the build tree to verify generated C files.
Also:
- automatically run checksrc in subdirectories having a `checksrc`
target. (examples, OS400, tests http/client, unit and tunit)
- tests/libtest: make sure to run `checksrc` on generated `lib1521.c`.
(requires in-tree autotools build.)
- tests: run `checksrc` on targets also for non-`DEBUGBUILD`
builds. It ensures to check `lib1521.c` in CI via job
`dist / maketgz-and-verify-in-tree`.
- src: drop redundant `$(builddir)` in autotools builds.
- scripts: add `checksrc-all.sh` script to check all C sources and
the build directory as an option.
- use the above from CI, also make it verify all generated sources.
- silence `checksrc` issues in generated C sources.
- checksrc: add `-v` option to enable verbose mode.
- checksrc: make verbose mode show checked filename and fix to only
return error on failure.
- make sure that generated C files pass `checksrc`.
Assisted-by: Daniel Stenberg
Closes#17376
Feedback-by: Daniel Fosco
Feedback-by: Jimmy Sjölund
Feedback-by: Christoph Jabs
Feedback-by: Manuel Strehl
Feedback-by: Dan Fandrich
Feedback-by: Sarah Gooding
Closes#17325
- replace ß (scharfes S) with links.
- replace § (section sign) with links.
- replace 🙏 emoji with `🙏`.
Supported by GitHub, Forgejo/Gitea and most likely GitLab.
- docs/libcurl/curl_mprintf.md: replace Unicode ± with `{+|-}`.
- docs/CIPHERS.md: URL encode Unicode in URLs.
- lib1560: use hex encoding in `räksmörgås.se`.
- unit1307: use hex encoding in `Lindmätarv`.
- drop LATIN SMALL LETTER A WITH ACUTE exception.
No longer appears in tests.
This leaves the single character exception: `ö`
And file exceptions holding contributor names.
Follow-up to 9243ed59b3#17329
Follow-up to 838dc53bb7#17247Closes#17335
- Clarify that the ssl_version in MultiSSL builds contains all SSL
backend names with the inactive backend names in parentheses.
Closes https://github.com/curl/curl/pull/17308
Move curlx_ functions into its own subdir.
The idea is to use the curlx_ prefix proper on these functions, and use
these same function names both in tool, lib and test suite source code.
Stop the previous special #define setup for curlx_ names.
The printf defines are now done for the library alone. Tests no longer
use the printf defines. The tool code sets its own defines. The printf
functions are not curlx, they are publicly available.
The strcase defines are not curlx_ functions and should not be used by
tool or server code.
dynbuf, warnless, base64, strparse, timeval, timediff are now proper
curlx functions.
When libcurl is built statically, the functions from the library can be
used as-is. The key is then that the functions must work as-is, without
having to be recompiled for use in tool/tests. This avoids symbol
collisions - when libcurl is built statically, we use those functions
directly when building the tool/tests. When libcurl is shared, we
build/link them separately for the tool/tests.
Assisted-by: Jay Satiro
Closes#17253
OpenSSL3 can in fact have both enabled at once. Load the provider and
key/cert appropriately. When loading a provider, the user can now also
set an associated "property string".
Work on this was sponsored by Valantic.
Closes#17165
To help anyone wanting to build/reproduce release candidates, this is
the set git tag naming scheme to use. Similar to, but different, than
the "normal" release tags to not be possible to mixup.
Closes#17177
If the CURLU handle already holds a proper URL, otherwise it is an
error.
Verified by test 1560
Fixes#17188
Reported-by: zopsicle on github
Closes#17189
Sync them with the function name they detect, and sync them between
cmake and autotools.
- rename `HAVE_WOLFSSL_BIO` to `HAVE_WOLFSSL_BIO_NEW`.
- rename `HAVE_WOLFSSL_FULL_BIO` to `HAVE_WOLFSSL_BIO_SET_SHUTDOWN`.
- autotools: rename `WOLFSSL_NTLM` to `HAVE_WOLFSSL_DES_ECB_ENCRYPT`
(to sync with cmake).
- autotools: rename `WOLFSSL_BIO` to `HAVE_WOLFSSL_BIO_NEW`
(to sync with cmake).
- autotools: simplify `HAVE_WOLFSSL_DES_ECB_ENCRYPT` detection.
Cherry-picked from #17082Closes#17175
- update text on dependency feature detection variables, and move it
to its own section in `docs/INSTALL-CMAKE.md`.
Ref: #17032 (Discussion)
- tidy up descriptions/comments, alpha-sort.
- move comment to its own section in `docs/INSTALL-CMAKE.md`.
- split `HAVE_SSL_SET_QUIC_USE_LEGACY_CODEPOINT` to distinct names for
each TLS backend API. To make the names more stable and to sync them
with autotools.
Follow-up to 07cc50f8eb#17018
Follow-up to 342a654ef3#15873
- drop redundant condition while detecting QUICTLS API.
Follow-up to 07cc50f8eb#17018
- add config-comparison exception for `HAVE_SSL_SET_QUIC_TLS_CBS`.
Follow-up to 5eefdd71a3#17027
- detect `wolfSSL_get_peer_certificate` like autotools does.
- detect `wolfSSL_UseALPN` like autotools does.
Closes#17082
With a meta_hash at each connection (similar to easy handle, let
multi_ev.c store its pollsets as meta data, no longer needing its own
hashes.
This eliminates the last use of Curl_hash_offt. Remove it.
Closes#17095
Build/install the man page. Install the script.
This an "import" rather than just adding the script into the release tarball
with maketgz to make sure the tarball build is completely reproducible.
wcurl development, issues etc is still to be done at
https://github.com/curl/wcurl
Assisted-by: Viktor Szakats
Assisted-by: Samuel Henrique
Closes#17035
This adds another bitflag on CURLOPT_WS_OPTIONS (CURLWS_NOAUTOPONG) that
disables the default and automatic PONG reply in the WebSocket layer.
Assisted-by: Calvin Ruocco
Closes#16744
Change multi's book keeping of transfers to no longer use lists, but a
special table and bitsets for unsigned int values.
`multi-xfers` is the `uint_tbl` where `multi_add_handle()` inserts a new
transfer which assigns it a unique identifier `mid`. Use bitsets to keep
track of transfers that are in state "process" or "pending" or
"msgsent".
Use sparse bitsets to replace `conn->easyq` and event handlings tracking
of transfers per socket. Instead of pointers, keep the mids involved.
Provide base data structures and document them in docs/internal:
* `uint_tbl`: a table of transfers with `mid` as lookup key,
handing out a mid for adds between 0 - capacity.
* `uint_bset`: a bitset keeping unsigned ints from 0 - capacity.
* `uint_spbset`: a sparse bitset for keeping a small number of
unsigned int values
* `uint_hash`: for associating `mid`s with a pointer.
This makes the `mid` the recommended way to refer to transfers inside
the same multi without risk of running into a UAF.
Modifying table and bitsets is safe while iterating over them. Overall
memory requirements are lower as with the double linked list apprach.
Closes#16761
Currently the DNS server only responds to A and AAAA queries. It always
responds with a fixed response: the localhost address. Three times.
It should work fine over either IPv4 or IPv6, but I don't think it
matters much for curl testing.
The idea is to allow curl tests to use "normal" DNS hostnames (using the
normal name resolving code paths) and still use the local test servers.
This setup currently only works if curl is built with c-ares because
redirecting DNS requests to our test server when using getaddrinfo() is
not easy.
This should be extended to respond to HTTPS queries as well to allow
more testing there, as c-ares is always used for that.
Test 2102 is the first test using this.
Closes#17015
With the new addition of OpenSSL QUIC API support and the support in
ngtcp2 main branch, make the necessary adjustments in curl to support
this combination.
- add support in configure.ac to detect the feature OPENSSL_QUIC_API2 in
openssl
- initialise ngtcp2 properly in this combination
- add a Curl_vquic_init() for global initialisation that ngtcp2 likes
for performance reasons
- add documentation on how to build in docs/HTTP3.md
- add CI testing in http3-linux.yml
Assisted-by: Viktor Szakats
Closes#17027
Found by improving verify-examples.pl:
- Operate directly on markdown files to remove the need to render nroff files
first.
- Add -Wall as a compiler option to find more issues
Closes#17028
- Mention in README.md and INSTALL-CMAKE.md that the winbuild build
system is going to be removed in September 2025.
Closes https://github.com/curl/curl/pull/16957
When pausing a HTTP/2 transfer, the stream's local window size
is reduced to 0 to prevent the server from sending further data
which curl cannot write out to the application.
When unpausing again, the stream's window size was not correctly
increased again. The attempt to trigger a window update was
ignored by nghttp2, the server never received it and the transfer
stalled.
Add a debug feature to allow use of small window sizes which
reproduces this bug in test_02_21.
Fixes#16955Closes#16960
This document now lists all previous releases.
This allows us to verify that documentation refers to actual release
versions.
Test 971 now verifies options-in-versions and all command line options
documentation individually. Fixed a few discrepancies.
Test 1488 verifies libcurl options "Added-in" to exist. Fixed a few
discrepancies there as well.
Closes#16907
To remove POSIX shell as an extra dependency for runtests.
Also fix to `chmod 0600` the `.pem` file (was: `.prm`), and apply it
_before_ writing the keys.
Follow-up to 44341e736a#16824Closes#16858
Add the last (*) missing bit for feature parity with autotools.
Also test in CI. Add a new `cmake install` step to GHA/macos.
(*) AFAIK. Let us know if there's something else missing.
Closes#16833
Before this patch the curl repository and source tarball distribution
contained test certificates as binary blobs. Used by runtests.
Drop these certificates in favor of generating them dynamically as
part of the build process. Both via autotools and CMake.
As part of this, improve certificates, the generator script and process,
file layout, and fix any issue to make it work fast and smooth both in
CI and local builds.
Note, cert generator scripts require OpenSSL >=1.0.2
(or LibreSSL >=3.1.0). Generation requires POSIX shell, also with CMake.
Without a POSIX shell tests relying on TLS (and stunnel) will fail.
Details:
- build: generate certs as part of the test run process.
- build, tests: generate certs in the build directory.
- binarycheck: drop concept of known binary files with hashes.
- binarycheck: move binary check logic into spacecheck and drop this
separate checker tool.
- build: fix to clean all cert files.
- autotools: fix to not run leaf cert generators in parallel. To avoid
confusion when updating the revocation database and counter.
- scripts: drop `scripts` subdir, merge two scripts into one,
auto-generate root cert, allow generating multiple leafs at once.
- scripts: switch to EC-256 keys (was: RSA-2048). For key size and perf.
- scripts: drop `-x` echo, text dumps, most other output. To avoid log
noise and make it quicker in CI.
- scripts: make it non-RSA-specific.
- scripts: delete unused code.
- scripts: use POSIX shell shebang. Some envs don't have bash (Alpine).
- scripts: pass test pseudo-secrets via the command-line. To avoid:
```
+ openssl genrsa -out test-ca.key -passout fd:0 2048
Invalid password argument, starting with "fd:"
```
- cmake: fix to launch generator scripts via the detected POSIX shell.
- cmake: fix `build-certs` rule to not depend on `SRPFILES`
(`srp-verifier-*`).
- cmake: drop `EXCLUDE_FROM_ALL` for the cert subdir. It makes
the Visual Studio generator miss to create the `clean-certs`,
`build-certs` targets. No target depend on them, so they don't execute
implicitly anyway. Fixes:
```
MSBUILD : error MSB1009: Project file does not exist.
Switch: clean-certs.vcxproj
```
- cmake: add `VERBATIM USES_TERMINAL` to `build-certs` target.
- GHA/linux: install openssl on Alpine, for the cert generator scripts.
Follow-up to 556f722fe3#16593
Follow-up to fa461b4eff#14486Closes#16824
With rustls-ffi 0.15+ we can set up a callback for writing TLS secrets
hooked up to call Curl_tls_keylog_write. To make sure the associated
file is cleaned up we update the Curl_ssl struct for the rustls-ffi vtls
backend to have a cleanup callback.
Closes#16828
Describes using a package manager or pre-built binaries and adopts the
0.15 installation from source instructions.
Previously the rustls docs described installing rustls-ffi from source
using the GNU Makefile. The upstream project has switched to using
cargo-c as a cross-platform solution that works well with the rust
toolchain, pkg-config, and Windows and so this needs an update.
Similarly, for folks that want to avoid the extra cargo-c tool
requirement, rustls-ffi provides binary releases for common platforms,
and some Linux distributions/package managers offer pre-built packages.
The install instructions are expanded to cover these options since
they're generally better for end users than building the dep. from
source (no `rustc` required).
- cmake: disable test bundles for clang-tidy builds.
clang-tidy ignores #included .c sources, and incompatible with unity
and bundles. It caused clang-tidy ignoring all test sources. It also
means this is the first time tests sources are checked with
clang-tidy. (autotools doesn't run it on tests.)
- cmake: update description for `CURL_TEST_BUNDLES` option.
- fix tests using special `CURLE_*` enums that were missing from
`curl/curl.h`. Add them as reserved codes.
- fix about ~50 other issues detected by clang-tidy: unchecked results,
NULL derefs, memory leaks, casts to enums, unused assigments,
uninitialized `errno` uses, unchecked `open`, indent, and more.
- drop unnecessary casts (lib1533, lib3207).
- suppress a few impossible cases with detailed `NOLINT`s.
- lib/escape.c: drop `NOLINT` no longer necessary.
Follow-up to 72abf7c13a#13862 (possibly)
- extend two existing `NOLINT` comments with details.
Follow-up to fabfa8e402#15825Closes#16756
It seems unnecessary and possibly unexpected to build test servers with
debug-enabled features and memory tracking whenever the tested curl is
built like that (which is a requirement for some tests, so curl is
mostly built like that when running tests.) It also makes building
servers a little bit faster with cmake for the most common cases.
You can apply debug options to `tests/server` with these new options:
- `./configure`: `--enable-server-debug`.
- cmake: `-DENABLE_SERVER_DEBUG`.
Also sync the way we pass these macros in autotools, with CMake builds.
Before this patch, autotools passed them via `curl_config.h`. After this
patch it passes them on the command-line, like cmake builds do.
This patch also make these option no longer passed to examples and
`http/client` in cmake builds, where they were no-ops anyway.
Ref: #15000Closes#16705
Before this patch, standard `E*` errno codes were redefined on Windows,
onto matching winsock2 `WSA*` error codes, which have different values.
This broke uses where using the `E*` value in non-socket context, or
other places expecting a POSIX `errno`, e.g. file I/O, threads, IDN or
interfacing with dependencies.
Fix it by introducing a curl-specific `SOCKE*` set of macros that map to
`WSA*` on Windows and standard POSIX codes on other platforms. Then
verify and update the code to use `SOCKE*` or `E*` macro depending on
context.
- Add `SOCKE*` macros that map to either winsock2 or POSIX error codes.
And use them with `SOCKERRNO` or in contexts requiring
platform-dependent socket error codes.
This fixes `E*` uses which were supposed be POSIX values, not `WSA*`
socket errors, on Windows:
- lib/curl_multibyte.c
- lib/curl_threads.c
- lib/idn.c
- lib/vtls/gtls.c
- lib/vtls/rustls.c
- src/tool_cb_wrt.c
- src/tool_dirhie.c
- Ban `E*` codes having a `SOCKE*` mapping, via checksrc.
Authored-by: Daniel Stenberg
- Add exceptions for `E*` codes used in file I/O, or other contexts
requiring POSIX error codes.
Also:
- ftp: fix missing `SOCKEACCES` mapping for Windows.
- add `SOCKENOMEM` for `Curl_getaddrinfo()` via `asyn-thread.c`.
- tests/server/sockfilt: fix to set `SOCKERRNO` in local `select()`
override on Windows.
- lib/inet_ntop: fix to return `WSAEINVAL` on Windows, where `ENOSPC` is
used on other platforms. To simulate Windows' built-in `inet_ntop()`,
as tested on a Win10 machine.
Note:
- WINE returns `STATUS_INVALID_PARAMETER` = `0xC000000D`.
- Microsoft documentation says it returns `WSA_INVALID_PARAMETER`
(= `ERROR_INVALID_PARAMETER`) 87:
https://learn.microsoft.com/windows/win32/api/ws2tcpip/nf-ws2tcpip-inet_ntop#return-value
- lib/inet_ntop: drop redundant `CURL_SETERRNO(ENOSPC)`.
`inet_ntop4()` already sets it before returning `NULL`.
- replace stray `WSAEWOULDBLOCK` with `USE_WINSOCK` macro to detect
winsock2.
- move existing `SOCKE*` mappings from `tests/server` to
`curl_setup_once.h`.
- add missing `EINTR`, `EINVAL` constants for WinCE.
Follow-up to abf80aae38#16612
Follow-up to d69425ed7d#16615
Bug: https://github.com/curl/curl/pull/16553#issuecomment-2704679377Closes#16621
1.2.5.2 was released on 2011-12-18. (vs. 1.2.0.4 on 2003-08-10)
It allows to:
- use `Z_BLOCK` unconditionally.
- use `inflateReset2()` to replace `inflateEnd()` + `inflateInit2()`
and save a memory allocation.
- use `Z_CONST` and `z_const` (in a future commit).
Suggested-by: Dan Fandrich
Ref: https://github.com/curl/curl/pull/16142#discussion_r1985449743Closes#16616
No longer ignore the `--ciphers` argument in gnutls curl builds, but use
it to set the gnutls priority string.
When the set ciphers start with '+', '-' or '!', it is *appended* to the
curl generated priority string. Otherwise it replaces the curl one
completely.
Add test_17_18 to check various combinations.
Closes#16557
After this patch, we're back to 8.12.1, but disallowing
`CURL_STATIC_CRT=ON` with shared curl exe built with VS2013 or older.
Because those may crash. A stable reprducer is with `ENABLE_DEBUG=ON`
and calling `curl.exe -V`.
You can pass the necessary CMake and MSVC linker options manually,
to get around this condition.
Shared build with static UCRT may be crashing too, depending on
conditions. Consult the documentation about limitations of static CRT:
https://learn.microsoft.com/cpp/c-runtime-library/crt-library-features
Follow-up to 049352dd80#16516
Follow-up to edfa537100#16456
Ref: #16394Closes#16522
$ curl -h all | grep -- --http
Now:
--http0.9 Allow HTTP/0.9 responses
-0, --http1.0 Use HTTP/1.0
--http1.1 Use HTTP/1.1
--http2 Use HTTP/2
--http2-prior-knowledge Use HTTP/2 without HTTP/1.1 Upgrade
--http3 Use HTTP/3
--http3-only Use HTTP/3 only
Before:
--http0.9 Allow HTTP 0.9 responses
-0, --http1.0 Use HTTP 1.0
--http1.1 Use HTTP 1.1
--http2 Use HTTP/2
--http2-prior-knowledge Use HTTP 2 without HTTP/1.1 Upgrade
--http3 Use HTTP v3
--http3-only Use HTTP v3 only
Closes#16542
With this change, the argument passed to the CURLOPT_FOLLOWLOCATION
option is now instead a "mode" instead of just a boolean. Documentation
is extended to describe the two new modes.
Test 1571 to 1581 verify.
Closes#16473
To avoid breaking the control flow and align to majority of code
already using `return`.
`exit()` has the side-effect of suppressing leak detection in cases.
Fix fallouts detected after switching to `return`.
- configure:
- fix `getaddrinfo` run test to call `freeaddrinfo()` to pacify ASAN,
and call `WSACleanup()` to deinit winsock2.
- fix `getifaddrs` run test to call `freeifaddrs()` to pacify ASAN.
- tests/server:
- setup `atexit(win32_cleanup)` via `win32_init()`.
- return 2 instead of 1 on winsock2 init failures.
- sws: goto cleanup instead of `exit()` in `http_connect()`.
Follow-up to 02dfe71937#7235
- tests/client/http:
- cleanup memory to pacify ASAN in `h2-upgrade-extreme`,
`tls-session-reuse`.
- examples:
- block_ip: fix memory leak reported by CI.
- http2-upload: avoid handle leaks.
Untouched `exit()` calls, made from callbacks:
- docs/examples: ephiperfifo.c, ghiper.c, hiperfifo.c
- tests/libtest: lib582.c, lib655.c, lib670.c
- tests/server: tftpd.c
Closes#16507
Public curl headers are best not to define 3rd-party or system macros.
Introduce `CURL_HAS_DECLSPEC_ATTRIBUTE` to cover this system macro and
use it.
Detected by test1167 after dropping the indentation:
```
test 1167...[Verify curl prefix of public symbols in header files]
/usr/bin/perl -I. -I. returned 1, when expecting 0
1167: exit FAILED
== Contents of files in the log/10/ dir after test 1167
=== Start of file server.cmd
Testnum 1167
=== End of file server.cmd
=== Start of file stdout1167
Bad symbols in public header files:
__has_declspec_attribute(x)
=== End of file stdout1167
```
Ref: https://github.com/curl/curl/actions/runs/13533200900/job/37819784405?pr=16490#step:42:2087
Ref: https://clang.llvm.org/docs/LanguageExtensions.html#has-declspec-attribute
Follow-up to 50482b8c0a#3616
Ref: #16496 (fixing test1167)
Closes#16491
This PR updates the CMake build/install docs in `docs/INSTALL-CMAKE.md`,
in particular focusing on the use of libcurl from CMake using
`find_package` as well as the newly added features/protocols support via
using `COMPONENTS` or `OPTIONAL_COMPONENTS` with `find_package`.
See #15854 for initial discussion and the corresponding PR #15858 that
was merged.
Some additional best-practices notes are added, for example:
* Encouraging building out-of-source
* Using `--config` with `cmake --build` for multi-config CMake
generators, not `CMAKE_BUILD_TYPE`
We also add a CURL CMake-specific tip on using `CMAKE_INSTALL_PREFIX`
during configure time to set the install prefix, not using `--prefix`
when running `cmake --install` so `curl-config` output is consistent.
Closes#16329
This allows you to use the `certs` and `num_certs` writeout variables in
the curl tool, and getting information about the server certificates
using CURLINFO_CERTINFO.
Closes#16459
Static CRT crashes MSVCR* MSVC builds (in VS2008, VS2010, VS2012,
VS2013) according to CI and local tests. The reproducible crash happens
in `curl_mfprintf() -> fputc(s, stderr)` when trying to display the
warning message in `curl -V`. `stderr` is non-NULL and resolves to `2`.
This reproducer needs a debug-enabled build, but it's unrelated to debug
features or curl's memory tracker. It happens regardless of unity build,
CPU architecture or `DllMain()` use. Example from VS2013:
```
+ _bld/src/Debug/curl.exe --disable --version
./appveyor.sh: line 124: 203 Segmentation fault "${curl}" --disable --version
```
Ref: https://ci.appveyor.com/project/curlorg/curl/builds/51570451/job/ojpdqrsm1hmpmq6a#L210
Another crash happened in an UCRT build (VS2017) with a couple of
`printf()`s added to curl's `main()` function:
```
Microsoft Visual C++ Runtime Library
Debug Assertion Failed!
Program: C:/projects/curl/bld/src/Debug/curl.exe
File: minkernel/crts/ucrt/src/appcrt/heap/debug_heap.cpp
Line: 996
Expression: _act_first_block == header
```
(it hangs the job in CI due to the GUI popup)
Ref: https://github.com/curl/curl/pull/16394#issuecomment-2677181716
To avoid actual and potential issues, this patch issues a warning on
the shared-libcurl + static-CRT combination and falls back to the
default, shared CRT. IOW a static CRT build now requires a static curl
exe when using the `CURL_STATIC_CRT=ON` option.
Follow-up to 4fc6ebe18a#1621
Cherry-picked from #16394 (with more details there)
Closes#16456
Enable TLS Early Data for wolfSSL:
- merge WOLFSSL_CTX and WOLFSSL setup from ngtcp2 with the general
implemenation in wolfssl.c
- enable for QUIC via ngtcp2
- give Curl_vquic_tls_init() a `struct alpn_spec` like used for the TCP
case. Adapt gnutls and other users.
- enable pytest test cases for early data with wolfSSL
and while this messes up wolfssl.c anyway, do
- rename all struct/functions with prefix 'wolfssl_' to 'wssl_' to not
pollute that name prefix
- rename `ctx/handle` to `ssl_ctx/ssl`, as used in openssl case
Closes#16167
- make it only accept version 1.0, as that is the version curl supports
- convert the parser to use strparse
- the status code max is now 999, but it does allow != 3 digits
Closes#16435
Rework the event based handling of transfers and connections to
be "localized" into a single source file with clearer dependencies.
- add multi_ev.c and multi_ev.h
- add docs/internal/MULTI-EV.md to explain the overall workings
- only do event handling book keeping when the socket callback
is set
- add handling for "connection only" event tracking, when internal
easy handles are used that are not really tied to a connection.
Used in connection pool.
- remove transfer member "last_poll" and connections "shutdown_poll"
and keep all that internal to multi_ev.c
- add CURL_TRC_M() for tracing of "multi" related things, including
event handling and connection pool operations. Add new trace
feature "multi" for trace config.
multi traces will show exactly what is going on in regard to
event handling.
- multi: trace transfers "mstate" in every CURL_TRC_M() call
- make internal trace buffer 2048 bytes and end the silliness
with +n here -m there. Adjust test 1652 expectations of resulting
length and input edge cases.
- add trace feature "lib-ids" to perfix libcurl traces with transfer
and connection ids. Useful for debugging libcurl applications.
Closes#16308
Verified in test 455 and 487.
If the provided string cannot be base64-decoded, it will instead use
"[64dec-fail]" (without the quotes).
Documented
Ref: #16288Closes#16330
Make it possible to build curl for Windows CE using the CeGCC toolchain.
With both CMake and autotools, including tests and examples, also in CI.
The build configuration is the default one with Schannel enabled. No
3rd-party dependencies have been tested.
Also revive old code to make Schannel build with Windows CE, including
certificate verification.
Builds have been throughougly tested. But, I've made no functional tests
for this PR. Some parts (esp. file operations, like truncate and seek)
are stubbed out and likely broken as a result. Test servers build, but
they do not work on Windows CE. This patch substitutes `fstat()` calls
with `stat()`, which operate on filenames, not file handles. This may or
may not work and/or may not be secure.
About CeGCC: I used the latest available macOS binary build v0.59.1
r1397 from 2009, in native `mingw32ce` build mode. CeGCC is in effect
MinGW + GCC 4.4.0 + old/classic-mingw Windows headers. It targets
Windows CE v3.0 according to its `_WIN32_WCE` value. It means this PR
restores portions of old/classic-mingw support. It makes the Windows CE
codepath compatible with GCC 4.4.0. It also adds workaround for CMake,
which cannot identify and configure this toolchain out of the box.
Notes:
- CMake doesn't recognize CeGCC/mingw32ce, necessitating tricks as seen
with Amiga and MS-DOS.
- CMake doesn't set `MINGW` for mingw32ce. Set it and `MINGW32CE`
manually as a helper variable, in addition to `WINCE` which CMake sets
based on `CMAKE_SYSTEM_NAME`.
- CMake fails to create an implib for `libcurl.dll`, due to not
recognizing the platform as a Windowsy one. This patch adds the
necessary workaround to make it work.
- headers shipping with CeGCC miss some things curl needs for Schannel
support. Fixed by restoring and renovating code previously deleted
old-mingw code.
- it's sometime non-trivial to figure out if a fallout is WinCE,
mingw32ce, old-mingw, or GCC version-specific.
- WinCE is always Unicode. With exceptions: no `wmain`,
`GetProcAddress()`.
- `_fileno()` is said to convert from `FILE *` to `void *` which is
a Win32 file `HANDLE`. (This patch doesn't use this, but with further
effort it probably could be.)
https://stackoverflow.com/questions/3989545/how-do-i-get-the-file-handle-from-the-fopen-file-structure
- WinCE has no signals, current directory, stdio/CRT file handles, no
`_get_osfhandle()`, no `errno`, no `errno.h`. Some of this stuff is
standard C89, yet missing from this platform. Microsoft expects
Windows CE apps to use Win32 file API and `FILE *` exclusively.
- revived CeGCC here (not tested for this PR):
https://building.enlyze.com/posts/a-new-windows-ce-x86-compiler-in-2024/
On `UNDER_CE` vs. `_WIN32_WCE`: (This patch settled on `UNDER_CE`)
- A custom VS2008 WinCE toolchain does not set any of these.
The compiler binaries don't contain these strings, and has no compiler
option for targeting WinCE, hinting that a vanilla toolchain isn't
setting any of them either.
- `UNDER_CE` is automatically defined by the CeGCC compiler.
https://cegcc.sourceforge.net/docs/details.html
- `UNDER_CE` is similar to `_WIN32`, except it's not set automatically
by all compilers. It's not supposed to have any value, like a version.
(Though e.g. OpenSSL sets it to a version)
- `_WIN32_WCE` is the CE counterpart of the non-CE `_WIN32_WINNT` macro.
That does return the targeted Windows CE version.
- `_WIN32_WCE` is not defined by compilers, and relies on a header
setting it to a default, or the build to set it to the desired target
version. This is also how `_WIN32_WINNT` works.
- `_WIN32_WCE` default is set by `windef.h` in CeGCC.
- `_WIN32_WCE` isn't set to a default by MSVC Windows CE headers (the
ones I checked at least).
- CMake sets `_WIN32_WCE=<ver>`, `UNDER_CE`, `WINCE` for MSVC WinCE.
- `_WIN32_WCE` seems more popular in other projects, including CeGCC
itself. `zlib` is a notable exception amongst curl dependencies,
which uses `UNDER_CE`.
- Since `_WIN32_WCE` needs "certain" headers to have it defined, it's
undefined depending on headers included beforehand.
- `curl/curl.h` re-uses `_WIN32_WCE`'s as a self-guard, relying on
its not-(necessarily)-defined-by-default property:
25b445e479/include/curl/curl.h (L77)
Toolchain downloads:
- Windows:
https://downloads.sourceforge.net/cegcc/cegcc/0.59.1/cegcc_mingw32ce_cygwin1.7_r1399.tar.bz2
- macOS Intel:
https://downloads.sourceforge.net/cegcc/cegcc/0.59.1/cegcc_mingw32ce_snowleopard_r1397.tar.bz2Closes#15975
To access the string and the length without having to directly use the
struct field names. Gives more freedom, flexbility and keeps
implementation specifics out of users' code.
Closes#16386
- fold DoH and async HTTPS-RR handling into common code.
have common cleanups, etc. Have a CURLcode result in async
handling to allow HTTPS RR parsing to fail.
- keep target, ipv4hints, ipv6hints, port and echconfig also
when resolving via cares. We need to know `target` and `port`
when evaluating possible ALPN candidates to not go astray.
- add CURL_TRC_DNS for tracing DNS operations
- replace DoH specific tracing with DNS, use doh as alias
for dns in curl_global_tracea()
Closes#16132
This also applies to --resolve of course.
Applied strparse functions on the function.
Fixes#16357
Reported-by: rmg-x on github
Closes#16358
Assisted-by: Jay Satiro
- Use the variable name 'var' instead of 'url' since the latter is also
a function name and that may confuse the user.
Closes https://github.com/curl/curl/pull/16346
- replace `add_compile_options()`, `add_definitions()` with directory
properties. To harmonize this across all scripts. The new commands are
verbose, but describe better how they work. The syntax is also closer
to setting target properties, helps grepping.
- prefer `CMAKE_INSTALL_PREFIX` over `--prefix` (in tests, CI).
- tidy up cmake invocations.
- formatting.
Closes#16238
Allow overriding the `IMPORT_LIB_SUFFIX` default with an empty value.
Also:
- add a fatal error if the implib and static lib filename are identical.
- clarify `IMPORT_LIB_SUFFIX` default value in the documentation.
Reported-by: RubisetCie on Github
Fixes#16324
Ref: 1199308dbc#11505Closes#16332
To reduce the number `-Wunused-macro` compiler warnings:
- delete unused macros.
- comment out unused macro that are part of a set.
- move macros into the scope they are used.
This may be useful to enable by default, but there are tricky cases that
I didn't manage to fix and paused the effort. E.g. internal features
checks in `openssl.c`. There is more, once those are fixed.
Closes#16279
1. make sure the check is done before the backticks are replaced
2. ignore less-than and greater-than used within backticks
(adjust proxy.md that now showed a two-space warning)
Closes#16315
Prior to this change %header{} and %output{} were explained in remarks
but not listed in the --write-out variable list.
Closes https://github.com/curl/curl/pull/16299
- Add the names that can be used to select an SSL backend by name.
This change syncs the names in 3 places: curl_global_sslset
documentation, the curl tool environment variable documentation for
CURL_SSL_BACKEND and the libcurl environment variable documentation for
CURL_SSL_BACKEND.
Closes https://github.com/curl/curl/pull/16256
curl 8.12.0 introduced an improved SSL session cache. All easy handles
that are added to the same multi handle automatically use the multi
handle's SSL session cache.
Clsoes #16245
libssh 0.9.0 was shipped on June 28 2019 and is the first version
featuring the knownhosts API
Drop libssh from the GHA/linux-old CI job since it gets a libssh 0.7.3
version, too old for us now.
Closes#16200
It was wrongly bumped to 1.16.0 in db50fc6e95. While we strongly
recommend using 1.16.0 or later, we still allow builds using older
versions.
It would make sense to raise the requirement to at least 1.11.0 (Feb 19
2016) but that's not done right now.
Closes#16221
- Better explain that if the requested range (--range or CURLOPT_RANGE)
contains multiple ranges then the response contains meta information
in addition to the requested bytes.
Prior to this change it was noted that a multiple part response was
returned as-is but not what that meant. In particular, meta information
is returned in addition to the requested bytes and that may have been
unexpected.
Reported-by: Ralf A. Timmermann
Fixes https://github.com/curl/curl/issues/16139
Closes https://github.com/curl/curl/pull/16150
- Detach and disconnect an attached connection before performing.
Prior to this change it was not possible to safely reuse an easy handle
with an attached connection in a second call to curl_easy_perform. The
only known case of this is a connect-only type handle where the
connection was detached when curl_easy_perform returned, only to be
reattached by either curl_easy_send/recv.
This commit effectively reverts 2f8ecd5d and be82a360, the latter of
which treated the reuse as an error. Prior to that change undefined
behavior may occur in such a case.
Bug: https://curl.se/mail/lib-2025-01/0044.html
Reported-by: Aleksander Mazur
Closes https://github.com/curl/curl/pull/16008
Works better if we later introduce another way to do the asynch RR
resolves (together with the threaded resolver) that does not use c-ares.
Closes#16090
Rework the way `tool_hugehelp.c` is included in builds.
After this patch, with `./configure` and CMake `tool_hugehelp.c` is only
compiled when building with manuals enabled. With manuals disabled this
source file is not used anymore. The method is similar to how
8a3740bc8e implemented `tool_ca_embed.c`.
`./configure` always generates it as before, otherwise the build fails.
- winbuild: rework to not need `buildconf.bat`, but automatically use
`tool_hugehelp.c` if present (e.g. when building from an official
source tarball) and enable `USE_MANUAL` accordingly.
- `buildconf.bat`: after dropping `tool_hugehelp.c` generation, the only
logic left was `cp Makefile.dist Makefile`. This allowed to launch
winbuild builds via GNU Make in a Git repo. Drop this option together
with the batch file.
- build `libcurltool` without `USE_MANUAL` macro to exclude the manual
and the dependence on the generator commands. Drop relying on
`UNITTESTS` for this purpose.
Follow-up to 96843f4ef7#16068
- `src/mkhelp.pl`: include `tool_hugehelp.h` before using `USE_MANUAL`
to have it set in `config-*.h` builds with source tarballs created
with manual but without zlib.
Closes#16081
Allow building with c-ares and yet use threaded resolver for the main
host A/AAAA resolving:
`--with-ares` provides the c-ares install path and defaults to use
c-ares for name resolving
`--with-threaded-resolver` still uses c-ares in the build (for HTTPS)
but uses the threaded resolver for "normal" resolves.
It works similarly for cmake: ENABLE_ARES enables ares, and if
ENABLE_THREADED_RESOLVER also is set, c-ares is used for HTTPS RR and
the threaded resolver for "normal" resolves.
HTTPSRR and c-ares-rr are new features return by curl_version_info() and
thus shown by curl -V.
The c-ares-rr feature bit is there to make it possible to distinguish
between builds using c-ares for all name resolves and builds that use
the threaded resolves for the regular name resolves and c-ares for
HTTPSRR only. "c-ares-rr" means it does not use c-ares for "plain" name
resolves.
HTTPSRR support is EXPERIMENTAL only.
Closes#16054
- silence false positive picky warnings.
- avoid "possible noreturn" warnings for standalone tests and examples.
- fix to compile without `#pragma GCC diagnostic push` support.
- fix "#pragma GCC diagnostic not allowed inside functions".
Prerequisite for #15975 that needs GCC 4.4 for the latest pre-built
CeGCC/mingw32ce toolchain for Windows CE.
Cherry-picked from #15975Closes#16062
iOS:
- add jobs with autotools, CMake, CMake Xcode generator.
The Xcode generator is >10x slower than Unix Makefiles. Keep it
because it's the one recommended by CMake and for having its own
quirks we may want to know about.
- build, cache and use LibreSSL for these jobs.
With workaround for an iOS build issue fixed in master.
- make Xcode generator work by explicitly disabling code signing.
- make tests and examples build with the Xcode generator by setting
`-DMACOSX_BUNDLE_GUI_IDENTIFIER=se.curl`, to avoid
"Bundle identifier is missing" errors.
- cmake: disable `CURL_USE_PKGCONFIG` by default for Apple device.
- cmake: add `stdc++` library for BoringSSL and AWS-LC, with
`OPENSSL_USE_STATIC_LIBS=ON` set.
- cmake: add workaround for Xcode generator issue, where it cannot
handle two targets depending on one custom command. A better fix may
be dropping `tool_hugehelp.c` and `tool_ca_embed.c` from curltool
library. For a future PR.
Android:
- add vcpkg to Android jobs, enable dependencies.
Assisted-by: Tal Regev via #16045
- make vcpkg work with autotools.
- pass `--with-brotli` to autotools to detect the vcpkg-supplied brotli.
- enable BoringSSL for Android and add a job with it.
- silence 457 CMake configure warnings about the Android NDK CMake
scripts targeting freshly deprecated CMake versions.
These were much more involved than imagined. Basically nothing works out
of the box, and when combined, everything becomes a unique edge case.
autotools builds were a much easier to make work than CMake ones.
Also:
- GHA/non-native: re-sync names to be shorter and more aligned with
other workflows.
- GHA: add `persist-credentials: false` where missing.
Unresolved issues:
- `OPENSSL_ROOT_DIR` ignored/mis-used when pointing it to LibreSSL.
CMake seems to prepend the sysroot to the passed absolute directory.
Found no workaround.
- CMake when combined with Android, both the Google-recommended method
and the built-in CMake method fail to provide a way to avoid
`pkg-config` packages at system directories. Failed to find a knob
that can remove `/usr/include` from the search path. The workaround is
to disable zstd. (I enabled it by default in this release, maybe
premature?: f2adb3b6d7#15431)
Disabling `pkg-config` doesn't work because vcpkg dependencies do not
link without it.
- CMake's Xcode generator is slow because each `try_compile()` feature
check springs a new CMake + Xcode project taking a long time to run,
just to compile single-liner C files. A known issue, with no solution.
`-DCMAKE_MACOSX_BUNDLE=OFF` did not help, limiting build types to
a single one (e.g. `Debug`) also had no effect.
make | Xcode | GHA run
:---- | :---- | :--------------------------------------------------------------------
16s | 2m57s | https://github.com/curl/curl/actions/runs/12866334102/job/35868712426
23s | 4m13s | https://github.com/curl/curl/actions/runs/12868128013/job/35874212461
16s | 3m39s | https://github.com/curl/curl/actions/runs/12859073531/job/35849041880
14s | 2m23s | https://github.com/curl/curl/actions/runs/12858298423/job/35847201313
15s | 2m36s | https://github.com/curl/curl/actions/runs/12858058492/job/35846669761
19s | 3m19s | https://github.com/curl/curl/actions/runs/12868919430/job/35876601168Closes#16043
libcurl cannot fully protect against attacks where an attacker has write
access to the same directory where it is directed to save files. This is
particularly sensitive if you save files using elevated privileges.
Previously only mentioned in VULN-DISCLOSURE-POLICY.md.
Highlighted-by: Donguk Kim
Closes#16051
- GHA/non-native: add Android builds, both cmake and autotools,
both NDK 21 (oldest available) and 35 (newest available)
https://github.com/actions/runner-images/blob/main/images/ubuntu/Ubuntu2404-Readme.md
It comes with a maintenance burden to bump the oldest/latest values
with CI runner updates.
- cmake: disable `CURL_USE_PKGCONFIG` by default for Android.
To avoid picking up system package by default.
- build: add `ANDROID-<NDK-LEVEL>` flag to `buildinfo.txt`.
Also detect NDK level with the CMake built-in build method:
https://cmake.org/cmake/help/latest/manual/cmake-toolchains.7.html#cross-compiling-for-android
- INSTALL.md: add CMake build instructions for Android.
- INSTALL.md: make NDK levels consistent in `./configure` example.
Closes#16014
- Fix a bug in EAGAIN handling when sending frames that led to a
corrupted last byte of the frame sent.
- Restore sanity to curl_ws_send() behaviour:
- Partial writes are reported as OK with the actual number of
payload bytes sent.
- CURLE_AGAIN is only returned when none of the payload bytes
(or for 0-length frames, not all of the frame header bytes)
could be sent.
- curl_ws_send() now behaves like a common send() call.
- Change 'ws-data' test client to allow concurrent send/recv
operations and vary frame sizes and repeat count.
- Add DEBUG env var CURL_WS_CHUNK_EAGAIN to simulate blocking
after a chunk of an encoded websocket frame has been sent.
- Add tests.
Prior to this change data corruption may occur when sending websocket
messages due to two bugs:
1) 3e64569a (precedes 8.10.0) caused a data corruption bug in the last
byte of frame of large messages.
2) curl_ws_send had non-traditional send behavior and could return
CURLE_AGAIN with bytes sent and expect the caller to adjust buffer
and buflen in a subsequent call. That behavior was not documented.
Reported-by: na-trium-144@users.noreply.github.com
Fixes https://github.com/curl/curl/issues/15865
Fixes https://github.com/curl/curl/issues/15865#issuecomment-2569870144
Closes https://github.com/curl/curl/pull/15901
Since the script 'apachectl' from the httpd project is severly mutilated
on several distros, use the executable httpd/apache2 directly in pytest
runs.
Remove detection of apachectl form autoconf and cmake.
Closes#16000
Which then makes the generated man page also include details about the
specific backends that support this feature.
Follow-up to 515a21f350Closes#15993
Dedupe and migrate MSVC-specific warning suppressions to `curl_setup.h`.
Make cmake set `_CRT_SECURE_NO_DEPRECATE` for examples and standalone
tests, and stop setting `_CRT_NONSTDC_NO_DEPRECATE` for them.
Details:
- drop version guards. On ancient MSVC version these macro are a no-op.
- move to `curl_setup.h` from `config-win32*.h`.
- sync macro values with CMake.
- cmake: stop setting them globally in favour of `curl_setup.h`.
- cmake: re-add these macros to `docs/examples` and `tests/http/clients`,
which do not use `curl_setup.h`.
- cmake: drop `_CRT_NONSTDC_NO_DEPRECATE` for examples and tests.
They build fine without.
- update comments.
Closes#15960
We recommend migrating to CMake from winbuild and Visual Studio project
files. winbuild is deprecated and will be dropped in September 2025.
CMake supports all the features and options, with new ones added
promptly. It supports out-of-tree, unity and documentation builds.
- deprecate winbuild method in favour of CMake by September 2025.
- add migration guide from winbuild to CMake.
- add migration guide from Visual Studio Project Files to CMake.
- add deprecation message to winbuild.
Need to ack with `WINBUILD_ACKNOWLEDGE_DEPRECATED=yes`
Authored-by: Jay Satiro
- mention `CMAKE_BUILD_TYPE` option in `INSTALL-CMAKE`.
- document missing `SSH_PATH` winbuild option.
Closes#15920
The msh3 backed for QUIC and HTTP/3 was introduced in April 2022 but has
never been made to work properly. It has seen no visible traction or
developer activity from the msh3 main author (or anyone else seemingly
interested) in two years. As a non-functional backend, it only adds
friction and "weight" to the development and maintenance.
Meanwhile, we have a fully working backend in the ngtcp2 one and we have
two fully working backends in OpenSSL-QUIC and quiche well on their way
of ending their experimental status in a future.
We remove msh3 support from the curl source tree in July 2025.
Closes#15931
Adds the experimental feature `ssls-export` to libcurl and curl for
importing and exporting SSL sessions from/to a file.
* add functions to libcurl API
* add command line option `--ssl-sessions <filename>` to curl
* add documenation
* add support in configure
* add support in cmake
+ add pytest case
Closes#15924
This isn't needed anymore after https://github.com/curl/curl/pull/15835,
since banned functions are just allowed in general in
`docs/examples/.checksrc`, and emits a warning when running make
checksrc:
`invalid warning specified in .checksrc: "SNPRINTF"`
Closes#15916
Expand a little.
- mention the type name of the return code
- avoid stating which exact return codes that might be returned, as that
varies over time, builds and conditions
- avoid stating some always return OK
- refer to the manpage documenting all the return codes
Closes#15900
via `DL_LIBRARY`, `MATH_LIBRARY`, `PTHREAD_LIBRARY` variables.
They are used in Rustls, wolfSSL Find modules.
Also:
- always use `NAMES` keyword in `find_library()` calls.
- respect `find_library()` results for `dl`, `m`, `pthread`.
- formatting.
Closes#15892
In OpenSSL < 3.0, the modularity was provided by mechanism called
"engines". This is supported in curl, but the engines got deprecated
with OpenSSL 3.0 in favor of more versatile providers.
This adds a support for OpenSSL Providers, to use PKCS#11 keys, namely
through the pkcs11 provider. This is done using similar approach as the
engines and this is automatically built in when the OpenSSL 3 and newer
is used.
Signed-off-by: Jakub Jelen <jjelen@redhat.com>
Closes#15587
- Treat negative Retry-After date-based times as 0.
- Treat Retry-After times greater than 6 hours as 6 hours.
Prior to this change Retry-After did not have a limited range and the
server could have set a time greater than 6 hours or a date in the past
that would result in a negative time, either of which may be unexpected
by the user.
The 6 hour limit is purposely not documented so that it can be changed
in the future if necessary.
Closes https://github.com/curl/curl/pull/15833
Follow-up to 40c264db61 after discussions on IRC.
The new style is
name[0-99]=contents
and
name[0-99]@filename
A) This does not cause the same problems with old curl versions trying
the new syntax as this way will cause old curls just fail with syntax
error and not risk using the wrong file.
B) Adds the same byte range support for "normal" assigns, which the
previous syntax did not. Thus lets a user get a partial content of a
variable etc.
Added test 790 and 791 to verify non-file assigns with ranges.
Closes#15862
mbedtls is picky when a mbedtls_ssl_write) was previously blocked. It
requires to be called with the same amount of bytes again, or it will
lose bytes, e.g. reporting all was sent but they were not. Remember the
blocked length and use that when set.
Reported-by: Tamás Bálint Misius
Fixes#15801Closes#15846
Use 'banfunc' and 'allowfunc' in .checksrc to specify which functions to
ban or allow to be used. This saves us from having to edit the script
going forward when we want to ban or allow specific functions.
This replaces a set of previous rules and all banned functions are now
checked with the BANNEDFUNC rule.
There is a set of default banned functions, shown by invoking
./checksrc.
Also, -a and -b options are added to specify allowed or banned functions
on the command line.
Closes#15835
The redirect logic was broken when the redirect-to URL was a relative
URL only as a fragment or query (starting with '#' or '?').
Extended test 1560 to reproduce, then verify.
Reported-by: Jeroen Ooms
Fixes#15836Closes#15848
- Make curl_multi_waitfds consistent with the documentation.
Issue Addressed:
- The documentation of curl_multi_waitfds indicates that users should
be able to call curl_multi_waitfds with a NULL ufds. However, before
this change, the function would return CURLM_BAD_FUNCTION_ARGUMENT.
- Additionally, the documentation suggests that users can use this
function to determine the number of file descriptors (fds) needed.
However, the function would stop counting fds if the supplied fds
were exhausted.
Changes Made:
- NULL ufds Handling: curl_multi_waitfds can now accept a NULL ufds if
size is also zero.
- Counting File Descriptors: If curl_multi_waitfds is passed a NULL
ufds, or the size of ufds is insufficient, the output parameter
fd_count will return the number of fds needed. This value may be
higher than actually needed but never lower.
Testing:
- Test 2405 has been updated to cover the usage scenarios described
above.
Fixes https://github.com/curl/curl/issues/15146
Closes https://github.com/curl/curl/pull/15155
- Parse the input string without modifying it.
Prior to this change a segfault could occur if the input string was
const because the tokenizer modified the input string. For example if
the user set CURLOPT_COOKIELIST to a const string then libcurl would
likely cause a crash when modifying that string. Even if the string was
not const or a crash did not occur there was still the incorrect and
unexpected modification of the user's input string.
This issue was caused by 30da1f59 (precedes 8.11.0) which refactored
some options parsing and eliminated the copy of the input string. Also,
an earlier commit f88cc654 incorrectly cast the input pointer when
passing it to strtok.
Co-authored-by: Daniel Stenberg
Closes https://github.com/curl/curl/pull/15826
build:
- autotools: fix to build generated sources for the `tidy` target.
- autotools: allow passing custom clang-tidy options via
`CURL_CLANG_TIDYFLAGS` env.
- cmake: add `CURL_CLANG_TIDY` option to configure for `clang-tidy`.
Also add:
- `CLANG_TIDY` variable to customize the `clang-tidy` tool.
- `CURL_CLANG_TIDYFLAGS` to pass custom options to `clang-tidy`.
- apply `--enable-werror` and `-DCURL_WERROR=ON` to `clang-tidy`.
CI/GHA:
- add clang-tidy job for Linux, using autotools and clang-tidy v18.
This one needs to disable `clang-analyzer-valist.Uninitialized`
to avoid false positives:
https://github.com/llvm/llvm-project/issues/40656
Duration: 5.5 minutes
- add clang-tidy job for macOS, using cmake and clang-tidy v19.
This one also covers tests and examples, and doesn't hit the false
positives seen with llvm v18 and earlier.
Duration: 4.5 minutes
- Linux/macOS: skip installing test dependencies when not building or
running tests.
fix fallouts reported by `clang-tidy`:
- lib:
- cf-h2-proxy: unused assignment in non-debug builds.
- cf-socket: silence warning.
FIXME: https://github.com/curl/curl/pull/15825#issuecomment-2561867769
- ftp: NULL passed to `strncmp()`.
- http2: NULL-ptr deref.
- mprintf: silence warning.
- src/tool_writeout: NULL passed to `fputs()`.
- examples:
- invalid file pointers.
- missing `fclose()`.
- tests:
- http/clients/hx-download: memory leaks on error.
- http/clients/hx-download: memory leak on repeat `-r` option.
- server: double `fclose()`.
https://www.man7.org/linux/man-pages/man3/fclose.3.html
- server: invalid file pointer/handle.
- server/getpart: unused assignments.
- server/mqttd: leak on failed `realloc()`.
- server/tftpd: NULL passed to `strcmp()`.
Closes#15825
The new detection method also allows to enable librtmp without using
OpenSSL as a curl TLS backend at the same time.
Also:
- implement manual version detection for librtmp.
Version info is in hex. With CMake 3.13 and newer, extract it as a hex
number. With earlier CMake version, just strip the leading zeroes.
Doing more here seems overkill because librtmp has been standing
at 2.3/2.4 for a decade now. Bumping into hex digits seems unlikely
before deprecating CMake 3.13 support.
librtmp advertises v2.4 via its `pkg-config` module, and v2.3 via
its public header. The latter shows up in `curl -V` and either can
be shown at configure-time depending on detection method.
This isn't a curl bug.
- GHA/macos: enable rtmp in a job.
- apply the "half-detection" fix to the Find module.
`librtmp` is also affected (in CI too), because it depends on libssl and
libcrypto.
Closes#15832
Let CURLINFO_QUEUE_TIME_T count only the time a transfer spends queued,
including possible redirect requests.
Add var 'time_queue' for reporting the time in write outs.
Add test for verifying correct reporting.
Closes#15512
Allowing --variable read a portion of provided files, makes curl work on
partial files for any options that accepts strings. Like --data and others.
The byte offset is provided within brackets, with a semicolon separator
like: --variable name@file;[100-200]"
Inspired by #14479
Assisted-by: Manuel Einfalt
Test 784 - 789. Documentation update provided.
Closes#15739
lib : remove all hyper code
configure: stop detecting hyper
docs: no more mention of hyper
tests: mo more special-handling of hyper builds
CI: no jobs using hyper
Closes#15120
For MinGW this is `-DNO_OLDNAMES`, with MSVC it is
`-D_CRT_DECLARE_NONSTDC_NAMES=0`.
There have been some support for this before this patch.
After this patch this is extended to all examples.
(And also the standalone http/client programs, if here.)
Cherry-picked from #15652Closes#15789
Described in detail in internal doc TLS-SESSIONS.md
Main points:
- use a new `ssl_peer_key` for cache lookups by connection filters
- recognize differences between TLSv1.3 and other tickets
* TLSv1.3 tickets are single-use, cache can hold several of them for a peer
* TLSv1.2 are reused, keep only a single one per peer
- differentiate between ticket BLOB to store (that could be persisted) and object instances
- use put/take/return pattern for cache access
- remember TLS version, ALPN protocol, time received and lifetime of ticket
- auto-expire tickets after their lifetime
Closes#15774
This example can use the Date: header of any server so there is no point
in linking to ancient URLs describeing a setup at NIST that no longer
exists.
Closes#15786
- make `curl_dependency_option()` more generic.
- extend `CURL_BROTLI` and `CURL_ZSTD` options to accept
`AUTO` in addition to existing `ON` and `OFF`.
- change `CURL_BROTLI` and `CURL_ZSTD` option default
to `AUTO`. Was: `OFF`.
It brings cmake behavior closer to `./configure`.
Still different:
- `./configure` defaults to `off` which means to check default
locations. cmake checks more locations by default.
(Also tried `NO_CMAKE_PATH`, but then it checked less locations.)
- cmake returns both `brotlicommon` and `brotlidec` libs,
while `./configure` only returns the latter.
- ci: drop explicit cmake options, that are now unnecessary.
- GHA/configure-vs-cmake: make adjustments to make tests pass.
Closes#15431
This reverts commit 39c06f7883#15005.
Combined with most Find modules now supporting `pkg-config`
(39c741b7b0#15408) this change made
mingw-cross builds fragile by picking up OS-native components. Also
adding `/usr/include` to the header path, confusing feature detection.
`Makefile.mk` supported MS-DOS and Amiga, but `./configure` also
supported them in a better tested and more flexible way.
This patch also adds CMake support for MS-DOS/DJGPP and Amiga OS 3.
`Makefile.mk` was not maintained. Delete it in favour of first-tier
build methods.
Also include some non-MS-DOS/AmigaOS-specific tidy-up, see details at
the end of this message.
Details:
- fix/silence all MS-DOS/DJGPP build warnings and issues.
- add MS-DOS support to cmake.
- default to `ENABLE_THREADED_RESOLVER=OFF` for MS-DOS.
- add support for `WATT_ROOT`.
- use static libcurl with MS-DOS.
- fixup default CMake suffixes/prefixes for DJGPP.
- disable hidden symbols for MS-DOS. Not supported on MS-DOS.
- opt-in MS-DOS into `USE_UNIX_SOCKETS`.
- improve MS-DOS support in autotools.
- default to `--disable-threaded-resolver` for MS-DOS.
- make sure to use `close_s()` (from Watt-32) with autotools and cmake.
`Makefile.mk` used it before this patch.
- GHA: add DJGPP cmake (~30s) and autotools (~60s) build jobs.
Also build tests and examples with cmake.
- improve AmigaOS support in autotools:
- configure: detect `CloseSocket()` when it's a macro.
- configure: fix `IoctlSocket` detection on AmigaOS.
- curl-amissl.m4: pass AmiSSL libs to tests/servers.
- add AmigaOS3 support to cmake:
- cmake: fix `HAVE_IOCTLSOCKET_CAMEL` and
`HAVE_IOCTLSOCKET_CAMEL_FIONBIO` detections.
- set necessary system libs.
- add AmiSSL support.
- inet_ntop, inet_pton: fix using it for AmigaOS. cmake detects them,
and they did not compile with AmigaOS.
- cmake: better sync `gethostname` detection with autotools.
Fixes detection for AmigaOS, where `gethostname` is a macro.
- cmake: fix `sys/utime.h` detection on AmigaOS.
- cmake: force-disable `getaddrinfo` for AmigaOS.
- cmake: tweak threading and static/shared default for AmigaOS.
- cmake: rely on manual variable `AMIGA` to enable the platform.
- GHA: add AmigaOS cmake and autotools (~45s) jobs.
Also build tests and examples with cmake.
- INSTALL: update MS-DOS and AmigaOS build instructions.
- amigaos: fix `-Wpointer-sign` and
`zero or negative size array '_args'` in `Printf()`.
- amigaos: fix `-Wpointer-sign`
- amigaos: fix `-Wredundant-decls` `errno` and `h_errno`.
- amigaos: brute-force silence `lseek()` size warnings.
- amigaos: server/resolve: silence `-Wdiscarded-qualifiers`.
- amigaos: server/resolve: fix `-Wpointer-sign`.
- amigaos: fix `CURL_SA_FAMILY_T` type.
- nonblock: prefer `HAVE_IOCTLSOCKET_CAMEL_FIONBIO` for AmigaOS.
`ioctl` is also detected, but fails when used. Make the above override
it for a successful build.
Authored-by: Darren Banfi
Fixes#15537Closes#15603
- tftpd: prefer `HAVE_IOCTLSOCKET_CAMEL_FIONBIO` for AmigaOS.
- tftpd: tidy-up conditional code.
- curl: set stack size to 16384 for AmigaOS3/4
Overriding the default 4096.
Suggested-by: Darren Banfi
Ref: https://github.com/curl/curl/pull/15543#issuecomment-2498783123
Ref: https://wiki.amigaos.net/wiki/Controlling_Application_Stack
- functypes.h: fix `SEND_QUAL_ARG2` for AmigaOS.
- tftp: add missing cast in sendto() call for AmigaOS.
- getinfo: fix warning with AmigaOS.
- tool_operate: silence warning with AmigaOS
- amigaos: fix building libtests due to missing `RLIMIT_NOFILE`.
- curl_gethostname: silence warning for AmigaOS.
- ftp: silence `-Wtype-limits` for AmigaOS.
- libtest: fix timeval initialization for AmigaOS.
- examples: fix `timeval` initialization for AmigaOS.
- examples: silence warning for AmigaOS.
- configure: fix IPv6 detection for cross-builds.
- netrc: fix to build with AmigaOS cleanly.
- buildinfo: detect and add `DOS` tag for MS-DOS builds.
- buildinfo: add `AMIGA` to buildinfo.txt in auttools.
- build: move `USE_WATT32` macro definition to cmake/configure.
Non-MS-DOS/AmigeOS-specific tidy-ups:
- configure: sync `sa_family_t` detection with cmake.
- configure: sync `ADDRESS_FAMILY` detection signals with cmake.
- doh: use `CURL_SA_FAMILY_T`.
- lib: drop mingw-specific `CURL_SA_FAMILY_T` workaround.
- cmake: extend instead of override check-specific
configurations/requirements.
This allows to honor global requirements added earlier.
Necessary for AmigaOS for example.
- cmake: omit warning on disabled IPv6 for MS-DOS and AmigaOS.
No IPv6 support on these platforms. Also sync with autotools.
- lib1960: use libcurl `inet_pton()` wrapper.
- cmake: detect LibreSSL (to match autotools).
- cmake: say the specific OpenSSL flavour detected.
- hostip: add missing `HAVE_SOCKADDR_IN6_SIN6_SCOPE_ID` guard.
- lib: simplify classic mac feature guards.
Follow-up to a8861b6ccd#9764Closes#15543
Enable `CURL_USE_PKGCONFIG` by default for MinGW cross-builds.
Note: This may cause fallouts in certain envs where `pkg-config` picks
up native packages.
Follow-up to e1ab01d1bd#14658
Follow-up to c555ab469d#14575Closes#15005
Prefix (or suffix) curl-defined macro and function names with `curl`.
To avoid collisions with non-curl CMake and to make them recognizable
as curl-specific calls.
Closes#15498
Using sscanf() is not a (security) problem in itself, but we strongly
discorage using it for parsing input since it is hard to use right, easy
to mess up and often makes for sloppy error checking.
Allow it in examples and tests
Closes#15687
Designed to aid converting off from sscanf parsers. sscanf is hard to
use right, easy to mess up and often makes for sloppy error checking.
The new parsers allow more exact and pedandic parsing.
This new set of functions should be possible to use (and extend) and
switch over other libcurl parser code to use going forward.
Adapts the following to use the new functions:
- altsvc.c
- hsts.c
- http_aws_sigv4.c
Bonus: fewer memory copies, fewer stack buffers.
Test: Unit test1664
Docs: docs/internals/STRPARSE.md
Closes#15692
This partly reverts 0e06603b23
These file formats are not properly documented elsewhere, plus the
website uses these files to populate the documentation pages to which
users end up via the URLs that are mentioned within the alt-svc and hsts
files.
Fixes#15705
Reported-by: Jeffrey Bosboom
Closes#15706
Allowing both just creates a transfer with behaviors no user can
properly anticipate so better just deny the combo.
Fixes#15646
Reported-by: Harry Sintonen
Closes#15666
The MSVC UWP job in CI did not actually enable UWP. Fix this and
the fallouts discovered after enabling it.
- GHA/windows: make sure to enable UWP in MSVC vcpkg UWP job.
Use the CMake options and C flags already used for mingw-w64, but use
`WINAPI_FAMILY_PC_APP` instead of the deprecated `WINAPI_FAMILY_APP`.
(The former is not supported by mingw-w64, so leave it there as-is.)
Follow-up to cb22cfca69#14077
- GHA/windows: by default the MSVC UWP job became 2x-3x slower than
others after actually enabling UWP. Most of it is caused by
CMake/MSBuild automatically building full APPX containers for each
`.exe` target. This includes 21 CMake feature detections. Each
detection app is built into a 15MB APPX project, with code signing,
logos, etc. Example:
https://github.com/curl/curl/actions/runs/12056968170/job/33620610958
Disable this overhead for curl build targets via custom
`CMAKE_VS_GLOBALS` options. I've found no way to apply them to feature
detection targets, so those remain slow.
- cmake: automatically enable Unicode for UWP builds. It's required.
Also stop enabling it manually in the existing CI job.
- tests: fix `getpid()` use for Windows UWP:
```
tests\server\util.c(281,21): warning C4013: 'getpid' undefined; assuming extern returning int
```
Ref: https://github.com/curl/curl/actions/runs/12061215311/job/33632904249#step:11:38
- src/tool_doswin: disable `GetLoadedModulePaths()` for UWP.
mingw-w64 UWP was okay with this, but MS SDK headers are not.
This makes `--dump-module-paths` return empty for UWP builds.
```
src\tool_doswin.c(620,3): error C2065: 'MODULEENTRY32': undeclared identifier
src\tool_doswin.c(626,11): warning C4013: 'CreateToolhelp32Snapshot' undefined; assuming extern returning int
src\tool_doswin.c(626,36): error C2065: 'TH32CS_SNAPMODULE': undeclared identifier
src\tool_doswin.c(632,7): warning C4013: 'Module32First' undefined; assuming extern returning int
```
Ref: https://github.com/curl/curl/actions/runs/12055081933/job/33614629930#step:9:35
- examples: fix `websocket.c` to include `winsock2.h` before `windows.h`
to make it build with MSVC UWP:
```
include\curl\curl.h(143,16): error C2061: syntax error: identifier 'curl_socket_t'
include\curl\curl.h(143,16): error C2059: syntax error: ';'
include\curl\curl.h(417,52): error C2146: syntax error: missing ')' before identifier 'curlfd'
include\curl\curl.h(417,38): error C2081: 'curl_socket_t': name in formal parameter list illegal
```
Ref: https://github.com/curl/curl/actions/runs/12055317910/job/33615644427#step:14:126
- GHA/windows: silence linker warning with MSVC UWP builds:
```
LINK : warning LNK4075: ignoring '/INCREMENTAL' due to '/OPT:ICF' specification
```
Ref: https://github.com/curl/curl/actions/runs/12055696808/job/33616629610#step:11:38
- GHA/windows: set `/INCREMENTAL:NO` for all MSVC jobs to improve
performance a little.
- cmake: show `UWP` platform flag.
Ref: #15652Closes#15657
The ECH feature cannot be built without HTTPS RR.
ECH automatically implied HTTPS RR in `./configure` but not in CMake,
winbuild, documentation.
Also update documentation and CI configs.
Follow-up to a362962b72#11922Closes#15648
- Instead of saying "do not use", explain that the function was
deprecated for performance reasons.
Some users may have a legitimate use of this function even though we
deprecated it. Since there are no plans to remove it from the API get
rid of the "do not use" warning.
Bug: https://curl.se/mail/lib-2024-11/0029.html
Reported-by: Jacob Champion
Closes https://github.com/curl/curl/pull/15576
curl offers a `--user-agent` option for modifying the `User-Agent`
header supplied in its requests.
The man page section for this option explains how to use the
`--user-agent` option, but does not explain which `User-Agent` curl uses
by default.
By default, curl uses curl/VERSION, such as `User-Agent: curl/8.11.0`.
Note that this appears to be different from the libcurl default (no
User-Agent header).
This commit documents the default `User-Agent` in the man page section
for the `--user-agent` option, as well as on the "Art of Scripting"
page.
The `%VERSION` placeholder will be used to insert the current version
as described in the man page generator docs.
Closes#15608
- appveyor: add build-only job for clang-cl.
- cmake: `-pedantic-errors` enables `-Werror,-Wlanguage-extension-token`
automatically, which makes `__int64` detection fail.
Explictly disable this compiler warning for clang-cl to make the
feature detection work and to accept `__int64` in the source code.
- cmake: disable `-Wlanguage-extension-token` warning for clang-cl
to fix these when encountering `__int64`:
```
lib/formdata.c(797,29): error : extension used [-Werror,-Wlanguage-extension-token]
lib/warnless.c(117,33): error : extension used [-Werror,-Wlanguage-extension-token]
lib/warnless.c(60,28): message : expanded from macro 'CURL_MASK_SCOFFT'
lib/warnless.c(59,38): message : expanded from macro 'CURL_MASK_UCOFFT'
include\curl/system.h(352,40): message : expanded from macro 'CURL_TYPEOF_CURL_OFF_T'
```
- make `__GNUC__` warning suppressions apply to `__clang__` too.
Necessary for clang-cl, which defines the latter, but not the former.
(Regular clang defines both.)
- examples: fix clang-cl compiler warning in `http2-upload.c`.
```
docs\examples\http2-upload.c(56,5): error : no previous prototype for function 'my_gettimeofday' [-Werror,-Wmissing-prototypes]
docs\examples\http2-upload.c(56,1): message : declare 'static' if the function is not intended to be used outside of this translation unit
```
- unit2604: add missing `#pragma GCC diagnostic pop`.
Follow-up to e53523fef0#14859
- unit1652: limit compiler warning suppression to GCC.
They do not affect clang builds.
Follow-up to 71cf0d1fca#14772Closes#15449
Some of the wording in the mqtt.md confused me as to how the commands
were used and what they did, so I cleared up some of the wording to
better explain what each command does.
Closes#15451
Extend `INSTALL-CMAKE` document with the list of available options,
a short description and default values.
The list may not be 100% complete.
There are no component boundaries in CMake, so the line is blurry
between curl options, CMake options, CMake Find modules options.
I included certain CMake options that seemed useful, and/or have
dedicated use withing curl's CMake source. But, all CMake built-in
options are usable, as documented upstream in CMake.
The naming of the options has a heritage and the inconsistencies with
it, including a lack of clear namespace. This may be subject to future
updates, also after figuring out which name has special meaning within
CMake and/or CMake projects out of unwritten convention or something
more tangible.
CMake allows to initialize any internal variable via `-D`. This may be
useful to pre-initialize/override feature check results. The list
doesn't contain these, and they remain officially undocumented.
Also:
- make adjustments to keep the spellchecker happy.
- retrofit description changes to the cmake sources.
- stop documenting deprecated `Find*` variables.
Reported-by: Daniel Stenberg
Fixes https://github.com/curl/curl/discussions/14885Closes#15388
- INSTALL-CMAKE: delete `Current flaws in the curl CMake build` section.
#1123 was fixed in 7e93637acd#2443
- TODO: delete item 3.2.
Follow-up to 1cb4f5d6e8#1879Closes#15405
- the specified URL can also get data sent to it
- rephrase the scheme guessing part
- mention target options for each URL for saving data
- mention --remote-name-all
- remove "warning" and make it into normal text
Closes#15396
It reduces the number of synonym variables in the code.
Makes it easier to grok and grep.
- replace `CURL_SOURCE_DIR`
with `PROJECT_SOURCE_DIR`.
- replace `CURL_BINARY_DIR`
with `PROJECT_BINARY_DIR` or `CMAKE_CURRENT_BINARY_DIR`.
- replace a single use of `CMAKE_BINARY_DIR`
with `PROJECT_BINARY_DIR`.
- replace `CMAKE_CURRENT_*_DIR`
with `PROJECT_*_DIR` where it makes the code more uniform.
- quote an argument (formatting).
Closes#15331
Fix new issues found by `proselint`.
Also:
- silence this technical warning:
```
:0: DeprecationWarning: /home/runner/.proselintrc was found instead of a JSON file. Rename to /home/runner/.proselintrc.json.
```
- fix an input filename.
`proselints` fails now if an input file is missing.
Reported-by: Jay Satiro
Bug: https://github.com/curl/curl/pull/15291#issuecomment-2410505100Closes#15293
This indicates that the file was created by curl which can help a user
determine the origin of a file. Like the other attributes, this is only
enabled with the --xattr option.
Closes#15237
Based on #14135, implement TLSv1.3 earlydata support for the curl
command line, libcurl and its implementation in GnuTLS.
If a known TLS session announces early data support, and the feature is
enabled *and* it is not a "connect-only" transfer, delay the TLS
handshake until the first request is being sent.
- Add --tls-earldata as new boolean command line option for curl.
- Add CURLSSLOPT_EARLYDATA to libcurl to enable use of the feature.
- Add CURLINFO_EARLYDATA_SENT_T to libcurl, reporting the amount of
bytes sent and accepted/rejected by the server.
Implementation details:
- store the ALPN protocol selected at the SSL session.
- When reusing the session and enabling earlydata, use exactly
that ALPN protocol for negoptiation with the server. When the
sessions ALPN does not match the connections ALPN, earlydata
will not be enabled.
- Check that the server selected the correct ALPN protocol for
an earlydata connect. If the server does not confirm or reports
something different, the connect fails.
- HTTP/2: delay sending the initial SETTINGS frames during connect,
if not connect-only.
Verification:
- add test_02_32 to verify earlydata GET with nghttpx.
- add test_07_70 to verify earlydata PUT with nghttpx.
- add support in 'hx-download', 'hx-upload' clients for the feature
Assisted-by: ad-chaos on github
Closes#15211
`Curl_bufq_unwrite()` used the head instead of the tail chunk to shrink
the bufq's content. Fix this and add test case that checks correct
behaviour.
Amended test 2601 accordingly.
Reported-by: Chris Stubbs
Closes#15136
Previously this document stated we would do it after February, but now
it will be done already for the first January 2025 release.
The reason being that since we decided to deprecate hyper, the
degradation speed has increased as now no one bothers to fix issues in
the hyper side of things. Also: not a single soul has yet spoken up in
favor of keeping the support.
Closes#15135
curl_multi_init - mention the caches held by the handle
curl_multi_cleanup - mention that the socket callback might be invoked
by this function
Closes#15109
Add `CURL_CA_SEARCH_SAFE` build-time option to enable CA bundle search
in the `curl` tool directory. The lookup method was already used to find
`.curlrc` and `_curlrc` (on Windows). On Windows it overrides the unsafe
default `SearchPath()` method.
Enable with:
- cmake: `-DCURL_CA_SEARCH_SAFE=ON`
- autotools: `--enable-ca-search-safe`
- raw: `CPPFLAGS=-DCURL_CA_SEARCH_SAFE`
On Windows, before this patch the whole `PATH` was searched for
a CA bundle. `PATH` may contain unwanted or world-writable locations,
including the current directory. Searching them all is convenient to
pick up any CA bundle, but not secure.
The Muldersoft curl distro implements such CA search via a custom
patch for Windows:
cd652d4792/patch/curl_tool_doswin.diff (L50)
MSYS2/mingw-w64 distro has also been rolling a patch solving this:
https://github.com/msys2/MINGW-packages/blob/master/mingw-w64-curl/0001-Make-cURL-relocatable.patchhttps://github.com/msys2/MINGW-packages/blob/master/mingw-w64-curl/pathtools.c
Also add option to fully disable Windows CA search:
- cmake: `-DCURL_DISABLE_CA_SEARCH=ON`
- autotools: `--disable-ca-search`
- raw: `CPPFLAGS=-DCURL_DISABLE_CA_SEARCH`.
Both options are considered EXPERIMENTAL, with possible incompatible
changes or even (partial) removal in the future, depending on feedback.
An alternative, secure option is to embed the CA bundle into the binary.
Safe search can be extended to other platforms if necessary or useful,
by using `_NSGetExecutablePath()` (macOS),
`/proc/self/exe` (Linux/Cygwin), or `argv[0]`.
Closes#14582
- make `curl.1` and `curl.txt` depend on `DPAGES`.
To trigger a rebuild when an individual manpage is updated.
- tell CMake that the cmdline-opts command also creates `curl.txt`.
- make `tool_hugehelp.c` depend on `curl.txt` (was: `curl.1`), to match
what it actually uses for input.
- stop using `generate-curl.1` as an indirect way to create `curl.txt`
in time for `tool_hugehelp.c`. After the fixes above there is a direct
depedency chain between them.
- move `ASCIIPAGE` and `MANPAGE` variables to top-level, re-use them in
`src` and prefix them with `CURL_` to avoid clashing with other
projects.
- drop double quotes from `generate-curl.1` as a hint that it is not
a filename, but a target name.
- src: tidy up order of dependency lists.
Closes#14883
Suppress deprecation warnings the closest to the deprecated code, using
`CURL_IGNORE_DEPRECATION()`. Then drop build-specific suppressions, and
file-wide ones. The latter is not compatible with Unity mode. Also
replace manual suppressions with a macro to apply to all compilers with
deprecation warning support. Also enable deprecation warnings for clang.
- curl/curl.h: enable deprecation warnings for clang.
- docs/examples: stop setting `CURL_DISABLE_DEPRECATION` with autotools.
Suppression moved to C-level earlier. Syncs with cmake.
Follow-up to 5fc61a37c1#14123
- tests/http/clients: stop setting `CURL_DISABLE_DEPRECATION` in
autotools. If it becomes necessary in the future, it can be done in
C via the macro. Syncs with cmake.
- lib1545: stop setting `CURL_DISABLE_DEPRECATION` in autotools.
Drop guard from test source.
Follow-up to 0f10360073#12444
- libtest, unit: replace `CURL_DISABLE_DEPRECATION` with
`CURL_IGNORE_DEPRECATION()`.
- docs/examples: replace pragmas with `CURL_IGNORE_DEPRECATION()`.
Closes#14789
- Move `docs/examples` builds under a separate target.
- Make `BUILD_EXAMPLES` default to `ON`. It means to generate the rules
for `docs/examples` by default, but not build them. To build them,
an explicit `make curl-examples` (or ninja, etc) command is necessary.
This syncs behaviour with autotools, and also how both cmake and
autotools are building tests.
- GHA: update cmake jobs to use the new way of building examples.
- GHA: move examples build step at the end of the job, after building
and running tests. This allows to have build and test run results
faster, and leave the seldom-changing examples build to the end.
Building examples is the slowest build step with no practical way to
make them fast.
- appveyor: enable building examples in two old-MSVC jobs.
- examples: fix examples to build cleanly with old MSVC versions.
- GHA/non-native: move example build log under a GHA foldable section.
- GHA/windows: move building examples into separate step for Linux cross
jobs.
Follow-up to dfdd978f7c#13491Closes#14906
When a full URL is set (parsed), the hostname component is stored URL
decoded (with default zero flags).
While perhaps surprising and inconsistent, the API has done this for
quite some time already and changigtn this now would break existing
behaviour.
Fixes#14942
Reported-by: Venkat Krishna R
Closes#14946
Now that the curl rustls vtls backend is using rustls 0.14 we can
address the weak random situation by using
`rustls_default_crypto_provider_random()` to provide a `Curl_ssl`
`random` callback that fills the provided buffer with cryptographically
secure random data.
The mentions in `docs/` about weak RNG when using rustls are removed as
they are no longer applicable.
Closes#14889
* Documentation is updated to describe new required version, and to link
to the upstream README about cryptography providers.
* GitHub workflow is updated to fetch 0.14.0.
* Breaking changes in`lib/vtls/rustls.c` are addressed:
* The `rustls_client_config_builder_build()` function now uses an out
parameter for the built config instead of returning it directly.
This allows the building process to fail if the default crypto
provider state isn't appropriate, or another error condition occurs.
* Default ciphersuites are collected using renamed functions named to
make it clear the ciphersuites are associated with the default
crypto provider.
* Customization of ciphersuites is now done via
a `rustls_crypto_provider_builder` used to instantiate a
`rustls_crypto_provider`. The customized provider can then can be
used with `rustls_client_config_builder_new_custom` in place of
providing ciphersuites directly.
* `rustls_connection_get_negotiated_ciphersuite()` now returns the
ciphersuite ID directly.
Closes#14889
Went through CURLOPTTYPE_STRINGPOINT and CURLOPTTYPE_SLISTPOINT options
and clarified:
- what happens when setting the option *again*
- setting to NULL disables/restores to default
- libcurl does not copy the slist for options using a such
Closes#14846
... so it adds the risk of making the header too long. Clarify this
better.
Also: remove the PSL mention from here since it is not really relevant
for this option as this option is for specific *outgoing* cookies only.
Reported-by: Hiroki Kurosawa
Closes#14839
- Move all Windows unicode issues into the single "bug", as they are all
at least semi-related
- Removed ancient issues that are not relevant anymore
Closes#14775
Change mingw-w64 printf format checks in public curl headers to use
`__MINGW_PRINTF_FORMAT` instead of `gnu_printf`. This syncs the format
checker with format string macros published via `curl/system.h`. (Also
disable format checks for mingw-w64 older than 3.0.0 (2013-09-20) and
classic-mingw, which do not support this macro.)
This fixes bogus format checker `-Wformat` warnings in 3rd party code
using curl format strings with the curl printf functions, when using
mingw-w64 7.0.0 (2019-11-10) and older (with GCC, MSVCRT).
It also allows to delete two workaounds for this within curl itself:
- setting `-D__USE_MINGW_ANSI_STDIO=1` for mingw-w64 via cmake and
configure for `docs/examples` and `tests/http/clients`.
Ref: c730c8549b#14640
The format check macro is incompatible (depending on mingw-w64 version
and configuration) with the C99 `%z` (`size_t`) format string used
internally by curl.
To work around this problem, override the format check style in curl
public headers to use `gnu_printf`. This is compatible with `%z` in all
mingw-w64 versions and allows keeping the C99 format strings internally.
Also:
- lib/ws.c: add missing space to an error message.
- docs/examples/ftpgetinfo.c: fix to use standard printf.
Ref: #14643 (take 1)
Follow-up to 3829759bd0#12489Closes#14703
Existing C macro lacked build-level counterparts.
Add them in this patch.
- cmake: `-DCURL_DISABLE_SHA512_256=ON`
- autotools: `--disable-sha512-256`
Also drop the checker exception from `test1165.pl`.
Follow-up to cbe41d151d#12897Closes#14753
Before this patch the targe OS was used, which prevented building
libcurl manpages in larger batches in cross-builds targeting e.g.
Windows.
Update the condition to use `CMAKE_HOST_UNIX` instead of `UNIX`.
This variable has been available since CMake 2.6.0:
176fe63d15
Follow-up to bb84f82476#13207Closes#14733
Previously this functionality was limited to platforms that not already
use CRLF as native line endings.
TODO: 4.5 ASCII support now considered fixed
Closes#14717
- reuse local variable names.
- sync `PROJECT_LABEL`, add where missing.
- namespace all target names.
- bind header directories to each target.
- tests/server: limit `CURL_STATICLIB` to Windows (as in autotools.)
- drop functions with a single caller.
Closes#14660
Add tweak for mingw-w64 when building tests/http/client programs to
avoid a bogus `-Wformat` warning when using mingw-w64 v7.0.0 or older.
The warning is bogus because these programs use curl's `printf()`
implementation that is guaranteed to support that format spec.
Add this for both CMake and autotools. (But only CMake is CI tested with
an old toolchain.)
Apply the workaround to `docs/examples`, and fix an example to use
curl's `printf()` with `CURL_FORMAT_CURL_OFF_T`.
Reintroduce curl `printf()` calls into `tests/http/client`, via #14625.
Also restore large number masks to a printf, changed earlier in #14382.
Follow-up to 232302f88a#14382
Ref: https://github.com/curl/curl/pull/14625#issuecomment-2302361737Closes#14640
also done in CURLOPT_PROGRESSFUNCTION.md
This changes the wording to say that 1 should be returned instad of
non-zero to return error from the callback. I did this to simplify, even
if other non-zero values still do the same thing I figure we might just
as well just leave out the others from the documentation.
Fixes#14627
Reported-by: Benjamin Riefenstahl Mecom
Closes#14637
These are files and documentation for established functionality that
should by now be covered properly and completely in the standard
documentation and in everything curl. Having these extra files provides
duplicated information where they risk being out of sync.
Closes#14553
The entire ASCII version of the manpage word wraps at a fixed column,
while example command lines can easily go wider than so.
This change now makes manage work on wrapping long example command lines
to make them look nicer. And also to avoid triggering the build error
caused by too long lines in the output.
Quoted lines cannot be wrapped, so managen now errors out if they are
"too long". With this addition, the 'maxline' script is removed as it is
no longer needed.
Closes#14543
- converted the Curl_hash_count() macro to a function
- Discourage accessing struct fields directly
- Document the internal API in HASH.md
Closes#14503
Give a more consice overview of curl's cipher options and cipher suites.
Removed long lists of ciphers that were directly copied from the SSL
backends' documentation. Instead present the user a more common aproach
acorss the SSL backends, with notes for backends that do not conform
and/or provide alternate means.
Provide a shorter list of cipher suites that is more relevant for modern
usage and should work mostly across all backends, provide a seperate
list with all cipher suites, and provide links to the SSL backends'
documentation for more information.
Also give examples with modern cipher suites.
Add docs/CIPHERS-TLS12.md for TLS 1.2 ciphers.
Closes#14460
Before, setting CURLOPT_SSLVERSION with wolfSSL restricted the the tls
proto to just the specified version. Now it properly supports a range.
So it can set the min and max tls proto (max requires wolfSSL 4.2.0).
Bump the absolute minimum required version of wolfSSL to 3.4.6 (released
2015) because it is needed for the wolfSSL_CTX_SetMinVersion() function.
Closes#14480
When using `curl_ws_send()`, perform a blocking send of the data under
the following conditions:
- the websocket is in raw mode and the call is done from within a curl
callback. A partial write of the data could subsequently mess up the
ws framing, as a callback has a hard time handling this.
- the websocket is encoding the data itself, has added it to its
internal sendbuf. A partial flush of the buffer has unclear semantics
for the caller, as they will have no idea what to send again.
Fixes WebSockets tests with CURL_DBG_SOCK_WBLOCK=90 set.
Closes#14458
Rename internal macros to match their `libcurl.pc` metadata counterpart.
Also apply these to the `curl-config.in` template.
- `CPPFLAG_CURL_STATICLIB` -> `LIBCURL_PC_CFLAGS`
- `LIBCURL_LIBS` -> `LIBCURL_PC_LIBS_PRIVATE`
- `LIBCURL_NO_SHARED` -> `LIBCURL_PC_LIBS`
Closes#14476
- Turned them all into functions to also do asserts etc.
- The llist related structs got all their fields renamed in order to make
sure no existing code remains using direct access.
- Each list node struct now points back to the list it "lives in", so
Curl_node_remove() no longer needs the list pointer.
- Rename the node struct and some of the access functions.
- Added lots of ASSERTs to verify API being used correctly
- Fix some cases of API misuse
Add docs/LLIST.md documenting the internal linked list API.
Closes#14485
... using the new script 'maxline' to which we specify the maximum
number of columns we allow any single line to be, or it will cause an
error.
Starting out with a max width at 100 columns.
Bonus: shorten the long line in the --ipfs-gateway section.
Closes#14423
- quote string literals.
In the hope it improves syntax-highlighting and readability.
- use lowercase, underscore-prefixed local var names.
As a hint for scope, to help readability.
- prefer `pkg_search_module` (over `pkg_check_modules`).
They are the same, but `pkg_search_module` stops searching
at the first hit.
- more `IN LISTS` in `foreach()`.
- OtherTests.cmake: clear `CMAKE_EXTRA_INCLUDE_FILES` after use.
- add `PROJECT_LABEL` for http/client and unit test targets.
- sync `Find*` module comments and formatting.
- drop a few local variables.
- drop bogus `CARES_LIBRARIES` from comment.
- unquote numeric literal.
Follow-up to acbc6b703f#14197Closes#14388
- make mentioning `-v` on the curl command line increase the
verbosity of the trace output
- related discussion https://github.com/curl/curl/discussions/13810
- make a single -v revert all previous -v+ changes
- make --no-verbose also reset all trace configs
Closes#13977
- sync build-dir/source-dir header path order with autotools, by
including build-dir first, then source-dir.
This prevents out-of-tree builds breaking due to leftover generated
headers in the source tree.
- tests/unit: move `src` ahead of `libtest` in header path, syncing with
autotools.
- stop adding non-existing generated `include` dir to header path.
There are no generated `include` headers and this directory is either
missing in out-of-tree builds or the same as the one already added
globally via the root `CMakeLists.txt`.
- lib: stop adding a duplicate source include directory to the header
path.
It's already added globally via the root `CMakeLists.txt`.
- lib: stop adding the project root to the header path.
- docs/examples: drop internal header paths.
Examples do not and should not use internal headers.
- replace `curl_setup_once.h` in comments with `curl_setup.h`,
the header actually used, and also referred to in autotools comments.
- add comment why we need `src` in include path for `tests/server`.
- add quotes around header directories.
Closes#14416
wolfSSL supports setting certificates/private keys from memory blobs
which allow us to implement both CURLOPT_SSLCERT_BLOB and
CURLOPT_SSLKEY_BLOB options.
Closes#14018
- Determine which connection cache is or will be used by the easy handle
and perform connection upkeep on that cache.
This change allows curl_easy_upkeep to be effective on easy handles that
are using a shared connection cache, either from a user created shared
connection cache or a user created multi which has its own shared
connection cache.
Prior to this change curl_easy_upkeep would upkeep the connection cache
for the easy handle only if that cache was from the multi owned by the
easy handle (ie curl_easy_perform was previously called and there's a
connection cache exclusive to the easy handle in
data->multi_easy->conn_cache).
Ref: https://curl.se/mail/lib-2024-01/0016.html
Closes https://github.com/curl/curl/pull/12677
- For HTTPS if http2-prior-knowledge is set then only offer h2 (HTTP/2)
alpn to the server for protocol negotiation.
Prior to this change both HTTP/2 ("h2") and HTTP/1.1 ("http/1.1") were
offered for ALPN when http2-prior-knowledge was set.
CURL_HTTP_VERSION_2_PRIOR_KNOWLEDGE (tool: --http2-prior-knowledge) is
meant to send non-TLS HTTP requests HTTP/2 when it is known the server
supports them. However when HTTPS is used then it attempts to first
negotiate the connection with ALPN. In that case the user likely does
not want to offer http/1.1 to the server as an acceptable protocol.
Reported-by: kit-ty-kate@users.noreply.github.com
Fixes https://github.com/curl/curl/issues/9963
Closes https://github.com/curl/curl/pull/14266
With this option, the entire download is skipped if the selected target
filename already exists when the opertion is about to begin.
Test 994, 995 and 996 verify.
Ref: #11012Closes#13993
Use these words and casing more consistently across text, comments and
one curl tool output:
AIX, ALPN, ANSI, BSD, Cygwin, Darwin, FreeBSD, GitHub, HP-UX, Linux,
macOS, MS-DOS, MSYS, MinGW, NTLM, POSIX, Solaris, UNIX, Unix, Unicode,
WINE, WebDAV, Win32, winbind, WinIDN, Windows, Windows CE, Winsock.
Mostly OS names and a few more.
Also a couple of other minor text fixups.
Closes#14360
Since the documentation text blob might be gzipped, it needs to search
for what to output in a streaming manner. It then first searches for
"\nALL OPTIONS".
Then, it looks for the start to display at "\n -[option]" and stops
again at "\n -". Except for the last option in the man page, which
ends at "\nFILES" - the subtitle for the section following all options
in the manpage.
Test 1707 to 1710 verify
Closes#13997
... or pick the last directory part from the path if available.
Instead of returning error.
Add test 690 and 691 to verify. Test 76 and 2036 no longer apply.
Closes#13988
- tidy-up comments.
- use lowercase, underscore prefixed names for internal variables.
- use `IN LISTS` and `IN ITEMS` in `foreach()` loops.
- rename variable name `OUTPUT` to a more distinctive one.
- tidy-up `STREQUAL` syntax.
- delete commented code.
- indent/whitespace.
Closes#14197
Do no more than 5 transfers per 15 seconds with "5/15s" or limit it to 3
transfers per 4 hours with "3/4h" etc.
Previously it would always only work with a single time unit.
Ref: #14242Closes#14245
Add the ability to embed a CA bundle into the curl binary. It is used
when no other runtime or build-time option set one.
This helps curl-for-win macOS and Linux builds to run standalone, and
also helps Windows builds to avoid picking up the CA bundle from an
arbitrary (possibly world-writable) location (though this behaviour is
not currently disablable).
Usage:
- cmake: `-DCURL_CA_EMBED=/path/to/curl-ca-bundle.crt`
- autotools: `--with-ca-embed=/path/to/curl-ca-bundle.crt`
- Makefile.mk: `CURL_CA_EMBED=/path/to/curl-ca-bundle.crt`
Also add new command-line option `--dump-ca-embed` to dump the embedded
CA bundle to standard output.
Closes#14059
- shows how to pass on local variables (better)
- start the transfers nicer (with curl_multi_socket_action)
- consistent and helpful function naming - to better show what functions
and callbacks that are used for what
- build warning-free with gcc -W -Wall -pedantic
Closes#14287
Because it is no longer needed to be done by a person as the dmaketgz
script does it by itself.
Removed two past release dates, added two new future ones
Closes#14267
- make DEFAULT sections less repetitive
- make historic mentions use HISTORY
- generate the protocols section on `# %PROTOCOLS%` instead of guessing
where to put it
- generate the availability section on `# %AVAILABILITY%` instead of
guessing where to put it
- make the protocols section more verbose
Closes#14227
- generate AVAILABILITY manpage sections automatically - for consistent
wording
- allows us to double-check against other documumentation (symbols-in-versions
etc)
- enables proper automation/scripting based on this data
- lots of them were wrong or missing in the manpages
- several of them repeated (sometimes mismatching) backend support info
Add test 1488 to verify "added-in" version numbers against
symbols-in-versions.
Closes#14217
The man pages for curl_easy_getinfo, curl_easy_setopt and
curl_multi_setopt now feature the lists of options alphabetically
sorted. Test 1139 verify that they are.
The curl_multi_setopt page also got brief explanations of the listed
options.
Closes#14156
Simplify making clean builds by silencing deprecation warnings inside
the example code where these may occur.
Drop related build tweaks/comments from GHA jobs.
Example warning:
```
curl/docs/examples/postit2-formadd.c:65:16: error: 'CURLFORM_COPYNAME' is deprecated: since 7.56.0. Use curl_mime_name() [-Werror=deprecated-declarations]
65 | CURLFORM_COPYNAME, "sendfile",
| ^~~~~~~~~~~~~~~~~
```
Ref: https://github.com/curl/curl/actions/runs/9841099503/job/27166970904#step:10:829Closes#14123
Option cleanups:
--get is not upload
--form* are post
- added several options into ldap, smtp, imap and pop3
- shortened the category descriptions in the list
category curl fixes:
--create-dirs removed from 'curl'
--ftp-create-dirs removed from 'curl'
--netrc moved to 'auth' from 'curl'
--netrc-file moved to 'auth' from 'curl'
--netrc-optional moved to 'auth' from 'curl'
--no-buffer moved to 'output' from 'curl'
--no-clobber removed from 'curl'
--output removed from 'curl'
--output-dir removed from 'curl'
--remove-on-error removed from 'curl'
Add a "global" category:
- Made all "global" options set this category
Add a "deprecated" category:
- Moved the deprecated options to it (maybe they should not be in any
category long term)
Add a 'timeout' category
- Put a number of appropriate options in it
Add an 'ldap' category
- Put the LDAP related option in there
Remove categories "ECH" and "ipfs"
- They should not be categories. Had only one single option each.
Remove category "misc"
- It should not be a category as it is impossible to know when to browse
it.
--use-ascii moved to ftp and output
--xattr moved to output
--service-name moved to auth
Managen fixes:
- errors if an option is given a category name that is not already setup
for in code
- verifies that options set `scope: global` also is put in category
`global´
Closes#14101
Also mention in HTTP3.md
OpenSSL has a bug that messes the config `--libdir=path` to become the
wrong path in its pkgconfig files. If we just pass `--libdir=lib` it
should avoid this.
Ref: #14099
See also: https://github.com/openssl/openssl/issues/23569Closes#14102
- Add --output, --remove-on-error, --output-dir and --created-dirs to
the output help category
- Add --hostpubmd5, --hostpubsha256, --insecure (-k), and --pubkey to
the ssh help category
Closes#14076
GnuTLS todo item about using an equivalent of `SSL_peak()`, which
nicely escaped the word checks, is no longer relevant.
We do not use `SSL_peek()` anymore since connection filters were
introduced.
Closes#14091
Based on the standards and guidelines we use for our documentation.
- expand contractions (they're => they are etc)
- host name = > hostname
- file name => filename
- user name = username
- man page => manpage
- run-time => runtime
- set-up => setup
- back-end => backend
- a HTTP => an HTTP
- Two spaces after a period => one space after period
Closes#14073
Previously this was one single manpage for two functions but as they are
two separate ones since a while back, they should each clearly document
their single specific functions.
Follow-up to eefcc1bda4Closes#14068
- use imperative form
- use lowercase
- no period
- unify some phrases
- fix curl_multi_socket and curl_multi_socket_all to keep their own
descriptions
Closes#14062
These have lingered in the issue tracker for a long time without action.
We don't expect any fixes in the near term either. Move them to the
KNOWN_BUGS document.
Closes#12177Closes#12171Closes#13350Closes#14042
Fix issues detected.
Also:
- One of the `.vc` files used LF EOLs, while the other didn't.
Make that one also use LF EOLs, as this is apparently supported by
`nmake`.
- Drop `.dsw` and `.btn` types from `.gitattributes`.
The repository doesn't use them.
- Sync section order with the rest of files in
`tests/certs/EdelCurlRoot-ca.prm`.
- Indent/align `.prm` and `.pem` files.
- Delete dummy `[something]` section from `.prm` and `.pem` files.
Mental note:
MSVC `.sln` files seem to accept spaces for indentation and also support
LF line-endings. I cannot test this and I don't know what's more
convenient when updating them, so left them as-is, with specific
exclusions.
Closes#14031
When libcurl discards a connection there are two phases this may go
through: "shutdown" and "closing". If a connection is aborted, the
shutdown phase is skipped and it is closed right away.
The connection filters attached to the connection implement the phases
in their `do_shutdown()` and `do_close()` callbacks. Filters carry now a
`shutdown` flags next to `connected` to keep track of the shutdown
operation.
Filters are shut down from top to bottom. If a filter is not connected,
its shutdown is skipped. Notable filters that *do* something during
shutdown are HTTP/2 and TLS. HTTP/2 sends the GOAWAY frame. TLS sends
its close notify and expects to receive a close notify from the server.
As sends and receives may EAGAIN on the network, a shutdown is often not
successful right away and needs to poll the connection's socket(s). To
facilitate this, such connections are placed on a new shutdown list
inside the connection cache.
Since managing this list requires the cooperation of a multi handle,
only the connection cache belonging to a multi handle is used. If a
connection was in another cache when being discarded, it is removed
there and added to the multi's cache. If no multi handle is available at
that time, the connection is shutdown and closed in a one-time,
best-effort attempt.
When a multi handle is destroyed, all connection still on the shutdown
list are discarded with a final shutdown attempt and close. In curl
debug builds, the environment variable `CURL_GRACEFUL_SHUTDOWN` can be
set to make this graceful with a timeout in milliseconds given by the
variable.
The shutdown list is limited to the max number of connections configured
for a multi cache. Set via CURLMOPT_MAX_TOTAL_CONNECTIONS. When the
limit is reached, the oldest connection on the shutdown list is
discarded.
- In multi_wait() and multi_waitfds(), collect all connection caches
involved (each transfer might carry its own) into a temporary list.
Let each connection cache on the list contribute sockets and
POLLIN/OUT events it's connections are waiting for.
- in multi_perform() collect the connection caches the same way and let
them peform their maintenance. This will make another non-blocking
attempt to shutdown all connections on its shutdown list.
- for event based multis (multi->socket_cb set), add the sockets and
their poll events via the callback. When `multi_socket()` is invoked
for a socket not known by an active transfer, forward this to the
multi's cache for processing. On closing a connection, remove its
socket(s) via the callback.
TLS connection filters MUST NOT send close nofity messages in their
`do_close()` implementation. The reason is that a TLS close notify
signals a success. When a connection is aborted and skips its shutdown
phase, the server needs to see a missing close notify to detect
something has gone wrong.
A graceful shutdown of FTP's data connection is performed implicitly
before regarding the upload/download as complete and continuing on the
control connection. For FTP without TLS, there is just the socket close
happening. But with TLS, the sent/received close notify signals that the
transfer is complete and healthy. Servers like `vsftpd` verify that and
reject uploads without a TLS close notify.
- added test_19_* for shutdown related tests
- test_19_01 and test_19_02 test for TCP RST packets
which happen without a graceful shutdown and should
no longer appear otherwise.
- add test_19_03 for handling shutdowns by the server
- add test_19_04 for handling shutdowns by curl
- add test_19_05 for event based shutdowny by server
- add test_30_06/07 and test_31_06/07 for shutdown checks
on FTP up- and downloads.
Closes#13976
- up the limit: remove all mentions of 7.60 or earlier from manpage
7.60 is 6 years old now.
- warn on "broken" added in lines, as they avoid detection
- fixup added in markup in a few curldown files
Closes#14002
Support "curl -h --insecure" etc to output the manpage section for the
--insecure command line option in the terminal. Should be possible to
work with either long or short versions of command line options.
Closes#13990
If a malicious server can trigger a NULL dereference in curl or
otherwise cause curl to crash (and nothing worse), chances are big that
we do not consider that a security problem.
Closes#13974
There are a places where man pages reference deprecated CURLOPT options,
where it doesn't make sense, replace them with the reccomended
replacement option.
also remove reference to the removed mesalink TLS backend
Closes#13951
- cmake: populate for dependencies.
- autotools: populate for dependencies.
(including mbedtls, though the script does not detect
mbedtls through pkgconfig. mbedtls 3.6.0 now supports it.)
Skip dealing with gssapi in this patch.
Fixes#864Closes#13911
This adds connection shutdown infrastructure and first use for FTP. FTP
data connections, when not encountering an error, are now shut down in a
blocking way with a 2sec timeout.
- add cfilter `Curl_cft_shutdown` callback
- keep a shutdown start timestamp and timeout at connectdata
- provide shutdown timeout default and member in
`data->set.shutdowntimeout`.
- provide methods for starting, interrogating and clearing
shutdown timers
- provide `Curl_conn_shutdown_blocking()` to shutdown the
`sockindex` filter chain in a blocking way. Use that in FTP.
- add `Curl_conn_cf_poll()` to wait for socket events during
shutdown of a connection filter chain.
This gets the monitoring sockets and events via the filters
"adjust_pollset()" methods. This gives correct behaviour when
shutting down a TLS connection through a HTTP/2 proxy.
- Implement shutdown for all socket filters
- for HTTP/2 and h2 proxying to send GOAWAY
- for TLS backends to the best of their capabilities
- for tcp socket filter to make a final, nonblocking
receive to avoid unwanted RST states
- add shutdown forwarding to happy eyeballers and
https connect ballers when applicable.
Closes#13904
Multipath TCP (MPTCP), standardized in RFC8684 [1], is a TCP extension
that enables a TCP connection to use different paths.
Multipath TCP has been used for several use cases. On smartphones, MPTCP
enables seamless handovers between cellular and Wi-Fi networks while
preserving established connections. This use-case is what pushed Apple
to use MPTCP since 2013 in multiple applications [2]. On dual-stack
hosts, Multipath TCP enables the TCP connection to automatically use the
best performing path, either IPv4 or IPv6. If one path fails, MPTCP
automatically uses the other path.
To benefit from MPTCP, both the client and the server have to support
it. Multipath TCP is a backward-compatible TCP extension that is enabled
by default on recent Linux distributions (Debian, Ubuntu, Redhat, ...).
Multipath TCP is included in the Linux kernel since version 5.6 [3]. To
use it on Linux, an application must explicitly enable it when creating
the socket. No need to change anything else in the application.
This attached patch adds an --mptcp option which allows the creation of
an MPTCP socket instead of TCP on Linux. If Multipath TCP is not
supported on the system, an error will be reported. It is important to
note that if the end server doesn't support MPTCP, the connection will
continue after a seamless fallback to TCP.
Link: https://www.rfc-editor.org/rfc/rfc8684.html [1]
Link: https://www.tessares.net/apples-mptcp-story-so-far/ [2]
Link: https://www.mptcp.dev [3]
Co-developed-by: Dorian Craps (@CrapsDorian) <doriancraps@gmail.com>
Co-developed-by: Olivier Bonaventure (@obonaventure) <Olivier.Bonaventure@uclouvain.be>
Co-developed-by: Matthieu Baerts (@matttbe) <matttbe@kernel.org>
Signed-off-by: Dorian Craps <dorian.craps@student.vinci.be>
Closes#13278
Introduce new notation for CURLOPT_INTERFACE / --interface:
ifhost!<interface>!<host>
Binding to an interface doesn't set the address, and an interface can
have multiple addresses.
When binding to an address (without interface), the kernel is free to
choose the route, and it can route through any device that can access
the target address, not necessarily the one with the chosen address.
Moreover, it is possible for different interfaces to have the same IP
address, on which case we need to provide a way to be more specific.
Factor out the parsing part of interface option, and add unit tests:
1663.
Closes#13719
- Remove the locking callback code that demonstrates how to meet
requirements of threading libraries (mainly OpenSSL).
Locking callback code has not been needed for many years. According to
the documentation for OpenSSL and GnuTLS they are thread-safe by design,
assuming support for the underlying OS threading API is built-in.
Ref: https://github.com/curl/curl/pull/13850#issuecomment-2143538458
Closes https://github.com/curl/curl/pull/13851
- similar to openssl, use a shared 'credentials' instance
among TLS connections with a plain configuration.
- different to openssl, a connection with a client certificate
is not eligible to sharing.
- document CURLOPT_CA_CACHE_TIMEOUT in man page
Closes#13795
Used for extracting:
- when used asking for a scheme, it will return CURLUE_NO_SCHEME if the
stored information was a guess
- when used asking for a URL, the URL is returned without a scheme, like
when previously given to the URL parser when it was asked to guess
- as soon as the scheme is set explicitly, it is no longer internally
marked as guessed
The idea being:
1. allow a user to figure out if a URL's scheme was set as a result of
guessing
2. extract the URL without a guessed scheme
3. this makes it work similar to how we already deal with port numbers
Extend test 1560 to verify.
Closes#13616
Like when we list a series of options and then want to add "normal" text
again afterwards.
Without this, the indentation level wrongly continues even after the
final "##" header, making following text wrongly appear to belong to the
header above.
Adjusted several curldown files to use this.
Fixes#13803
Reported-by: Jay Satiro
Closes#13806
Delete a bunch of unnecessary-looking headers from some examples. This
is known to be tricky on AIX (perhaps also in other less-tested envs).
Let me know if any of this looks incorrect or outright fails on some
systems.
Follow-up to d4b8589055#13771Closes#13785
- `websocket.c`: use `Sleep()` on Windows.
`sleep()` and `unistd.h` are not available in MSVC.
- `http2-upload.c`: use local `gettimeofday()` implementation when
compiled with MSVC.
(Alternate solution is to disable the trace function for MSVC.)
Public domain code copied and adapted from libssh2:
e973493f99/src/misc.c (L719-L743)
- silence compiler warning for deprecated `inet_addr()`.
Also drop duplicate winsock2 include.
```
curl\docs\examples\externalsocket.c(125,32): error C2220: the following warning is treated as an error [curl\bld\docs\examples\curl-example-externalsocket.vcxproj]
curl\docs\examples\externalsocket.c(125,32): warning C4996: 'inet_addr': Use inet_pton() or InetPton() instead or define _WINSOCK_DEPRECATED_NO_WARNINGS to disable deprecated API warnings [curl\bld\docs\examples\curl-example-e
```
Ref: https://github.com/curl/curl/actions/runs/9227337318/job/25389073450#step:4:95
- silence an MSVC compiler warning. This is in conflict with `checksrc`
rules, so silence the rule in favour of the warning-free C syntax.
```
curl\docs\examples\multi-legacy.c(152,1): error C2220: the following warning is treated as an error [curl\bld\docs\examples\curl-example-multi-legacy.vcxproj]
curl\docs\examples\multi-legacy.c(152,1): warning C4706: assignment within conditional expression [curl\bld\docs\examples\curl-example-multi-legacy.vcxproj]
```
Ref: https://github.com/curl/curl/actions/runs/9227337318/job/25389073450#step:4:226
- do not use `sys/time.h` and `unistd.h` in Windows builds.
Some of these includes look unnecessary. Subject to another PR.
Cherry-picked from #13766Closes#13771
- Revert to the legacy TLS 1.2 key logging code for LibreSSL.
- Document SSLKEYLOGFILE for LibreSSL is TLS 1.2 max.
Prior to this change if the user specified a filename in the
SSLKEYLOGFILE environment variable and was using LibreSSL 3.5.0+ then
an empty file would be created and no keys would be logged.
This is effectively a revert of e43474b4 which changed openssl.c to use
SSL_CTX_set_keylog_callback for LibreSSL 3.5.0+. Unfortunately LibreSSL
added that function only as a stub that doesn't actually do anything.
Reported-by: Gonçalo Carvalho
Fixes https://github.com/curl/curl/issues/13672
Closes https://github.com/curl/curl/pull/13682
curl drops support for TLS libraries without TLS 1.3 capability after
May 2025.
It requires that a curl build using the library should be able to
negotiate and use TLS 1.3, or else it is not good enough. We support a
vast amount of other TLS libraries that are likely to satisfy users
better.
Closes#13544
