This adds another bitflag on CURLOPT_WS_OPTIONS (CURLWS_NOAUTOPONG) that
disables the default and automatic PONG reply in the WebSocket layer.
Assisted-by: Calvin Ruocco
Closes#16744
Do not set a transport parameter idle timeout, meaning we have no such
thing from our side. The remote setting then applies.
In ngtcp2, set its "keep-alive" timer to prevent a possible remote idle
timeout to tear down the connection while we have active transfers on
that connection.
Closes#17057
To keep testing these with MSVC:
- UWP !ssl
- arm64 build on the `windows-11-arm` runner
- examples
- OpenSSH-Windows (fix install on `windows-11-arm`)
- `windows-2025` runner
- cmake pre-fill checker
Surprise: UWP doesn't support SSPI, which is required by curl's Schannel
backend. Thus, no TLS support for this UWP build. It also suggests
the Schannel UWP mingw-w64 binaries may be broken and just a happy build
accident thanks to mingw-w64 headers being inaccurate.
Building zlib + libssh2 might actually take up to 2+ minutes with vcpkg,
instead of the previously estimated <1.5 minutes.
Follow-up to e3912f0f9f#17086
Follow-up to 15fb1dc7f8#17069Closes#17089
Depending on timing when the server aborting the connection is detected,
the reported curl exit code may vary. Check for the possible set of
expected codes instead of a single one.
Closes#17083
Change multi's book keeping of transfers to no longer use lists, but a
special table and bitsets for unsigned int values.
`multi-xfers` is the `uint_tbl` where `multi_add_handle()` inserts a new
transfer which assigns it a unique identifier `mid`. Use bitsets to keep
track of transfers that are in state "process" or "pending" or
"msgsent".
Use sparse bitsets to replace `conn->easyq` and event handlings tracking
of transfers per socket. Instead of pointers, keep the mids involved.
Provide base data structures and document them in docs/internal:
* `uint_tbl`: a table of transfers with `mid` as lookup key,
handing out a mid for adds between 0 - capacity.
* `uint_bset`: a bitset keeping unsigned ints from 0 - capacity.
* `uint_spbset`: a sparse bitset for keeping a small number of
unsigned int values
* `uint_hash`: for associating `mid`s with a pointer.
This makes the `mid` the recommended way to refer to transfers inside
the same multi without risk of running into a UAF.
Modifying table and bitsets is safe while iterating over them. Overall
memory requirements are lower as with the double linked list apprach.
Closes#16761
Currently the DNS server only responds to A and AAAA queries. It always
responds with a fixed response: the localhost address. Three times.
It should work fine over either IPv4 or IPv6, but I don't think it
matters much for curl testing.
The idea is to allow curl tests to use "normal" DNS hostnames (using the
normal name resolving code paths) and still use the local test servers.
This setup currently only works if curl is built with c-ares because
redirecting DNS requests to our test server when using getaddrinfo() is
not easy.
This should be extended to respond to HTTPS queries as well to allow
more testing there, as c-ares is always used for that.
Test 2102 is the first test using this.
Closes#17015
With the new addition of OpenSSL QUIC API support and the support in
ngtcp2 main branch, make the necessary adjustments in curl to support
this combination.
- add support in configure.ac to detect the feature OPENSSL_QUIC_API2 in
openssl
- initialise ngtcp2 properly in this combination
- add a Curl_vquic_init() for global initialisation that ngtcp2 likes
for performance reasons
- add documentation on how to build in docs/HTTP3.md
- add CI testing in http3-linux.yml
Assisted-by: Viktor Szakats
Closes#17027
Adds a "meta_hash" to each easy handle for keeping special data during
operations. All meta data set needs to add its destructor callback, so
that meta data gets destroyed properly when the easy handle is cleaned
up or reset.
Add data->master_mid for "sub" transfers that belong to a "master" easy
handle. When a "sub" transfer is done, the corresponding "master" can
add a callback to be invoked. Used in DoH name resolution.
DoH: use easy meta hash to add internal structs for DoH name resolution.
One in each in each probe easy handle. When probes are done, response
data is copied from the probe to the initiating easy.
This allows DoH using transfers and their probes to be cleaned up in any
sequence correctly.
Fold DoH cleanup into the Curl_async_shutdown() and Curl_async_destroy()
functions.
Closes#16384
Enable it for `_MSC_VER <= 1943`.
Omit it for not yet CI-tested MSVC versions, to avoid hitting unfixed
warnings emitted by future toolchain releases. It means we need
to explicitly opt-in to newer MSVC versions while fixing any new issues.
The newly enabled warnings did not reveal new issues. It hints that we
catch those with clang/gcc. Yet, these warnings may be useful for local
development done with MSVC.
Also:
- disable and document warnings that don't seem useful, unactionable,
or unfixable.
- disable and document warnings found in Windows SDK headers.
- tidy up a few comments, also to avoid
`-Wdocumentation-unknown-command`, part of llvm/clang `-Wall`.
```
lib\dynhds.h(159,29): error : unknown command tag name [-Werror,-Wdocumentation-unknown-command]
lib\ftp.c(337,15): error : unknown command tag name [-Werror,-Wdocumentation-unknown-command]
```
(This patch did not end up enabling `-Wall` for clang-cl.)
Closes#17050
In the last 1-2 days, curl's vcpkg binary cache entries stored by GHA
apparently disappeared, and each vcpkg job is now rebuilding everything
on every run. This takes up to 40 minutes per job. New cache entries
fail on upload with messages like:
```
Completed submission of nghttp2:arm64-android@1.65.0 to 0 binary cache(s) in 172 ms
```
(note the zero.)
This coincided with my adding support for windows-11-arm and touching
some jobs affected. Yet, unrelated. It also affects Android jobs. The root
cause is a runner image update bumping the vcpkg tool.
The latest vcpkg tool also has this issue.
As a temporary workaround, stop using vcpkg in CI.
Last good run: https://github.com/curl/curl/actions/runs/14473789417/job/40594304523
First bad run: https://github.com/curl/curl/actions/runs/14474616982/job/40597095025
Assisted-by: Tal Regev
Ref: #17070Closes#17069
"asyn" is the internal name under which both c-ares and threaded
resolver operate. Make the naming more consistent. Implement the c-ares
resolver in `asyn-ares.*` and the threaded resolver in `asyn-thrdd.*`.
The common functions are in `asyn-base.c`.
When `CURLRES_ASYNCH` is defined, either of the two is used and
`data->state.async` exists. Members of that struct vary for the selected
implementation, but have the fields `hostname`, `port` and `ip_version`
always present. This are populated when the async resolving starts and
eliminate the need to pass them again when checking on the status and
processing the results of the resolving.
Add a `Curl_resolv_blocking()` to `hostip.h` that relieves FTP and SOCKS
from having to repeat the same code.
`Curl_resolv_check()` remains the function to check for status of
ongoing resolving. Now it also performs internally the check if the
needed DNS entry exists in the dnscache and if so, aborts the asnyc
operation. (libcurl right now does not check for duplicate resolve
attempts. an area for future improvements).
The number of functions in `asyn.h` has been reduced. There were subtle
difference in "cancel()" and "kill()" calls, both replaced by
`Curl_async_shutdown()` now. This changes behaviour for threaded
resolver insofar as the resolving thread is now always joined unless
`data->set.quick_exit` is set. Before this was only done on some code
paths. A future improvement would be a thread pool that keeps a limit
and also could handle joins more gracefully.
DoH, not previously tagged under "asny", has its struct `doh_probes` now
also in `data->state.async`, moved there from `data->req` because it
makes more sense. Further integration of DoH underneath the "asyn"
umbrella seems like a good idea.
Closes#16963
The SChannel code uses the CertFindCertificateInStore function to
retrieve the client certificate from a pkcs12 certificate store.
However, when called with the CERT_FIND_ANY flag, this function does not
provide any guarantees on the order in which certificates are retrieved.
If a pkcs12 file contains an entire certificate chain instead of a
single client certificate, the CertFindCertificateInStore function may
return the CA or an intermediate certificate instead of the desired
client certificate. Since there is no associated private key for such a
certificate, the TLS handshake fails.
With this change, we now pass the CERT_FIND_HAS_PRIVATE_KEY flag. This
ensures that the CertFindCertificateInStore function will return a
certificate which has a corresponding private key. This will stop the CA
and intermediate certificates from being selected. I don't think there
would be much use in a client certificate which has no associated
private key, so this should ensure the client certificate is selected. I
suppose it may be possible for a pkcs12 file to contain multiple
certificates with private keys and the new behaviour may not guarantee
which is selected. However, this is no worse that the previous behaviour
in which any certificate may been selected.
The CERT_FIND_HAS_PRIVATE_KEY is only available in Windows 8 / Server
2012 (aka Windows NT6.2). For older versions, we will fall back to using
the CERT_FIND_ANY flag.
Closes#16825
Without this patch, the handling of the alt-svc header added via
279a4772ae in curl-8.13.0 attempts to
connect to alternative services via different HTTP versions, even if the
target HTTP version is not supported by curl (i.e., not enabled at
compile-time). If I understand the code and RFC 7838 correctly, then we
should only attempt to migrate to supported protocols. Therefore,
`allowed_apns` should only contain such protocols, and we need to guard
its modification with `ifdefs` for supported HTTP versions.
This was discovered in a downstream bug report in Alpine Linux [1] where
it was reported that a Matrix client (using libcurl) was defunct after
the upgrade to curl-8.13.0. Further debugging revealed that this was due
to the Matrix server sending a `alt-svc: h3=":443";` HTTP header,
causing curl to attempt migration to HTTP3 even though Alpine's curl
version is compiled without HTTP3 support.
I am not sure if this is the best place in the code to address this
or if the `allowed` bitmask shouldn't contain unsupported versions
in the first place. However, since there are existing `ifdefs` in
this function for source (not destination) ALP selection, it may
be a good fit to address this here.
[1]: https://gitlab.alpinelinux.org/alpine/aports/-/issues/17062Closes#17037
- bump an MSYS2/mingw job to windows-2025 runner.
(MSVC is possible, but vcpkg needs to build for windows-2025, and
can't share these with windows-2022 builds, so not optimal for
a single canary job.)
- skip installing OpenSSH-Windows-builtin on windows-2025.
It's preinstalled:
```
ssh client found /c/Windows/System32/OpenSSH/ssh.exe is OpenSSH-Windows 9.5.0
ssh server found /c/Windows/System32/OpenSSH/sshd.exe is OpenSSH-Windows 9.5.0
```
Still older than the manual preview install (9.8.1), so keep using that.
Closes#17066
Very similar to 9f8bdd0eae, but affects
e.g. netrc file parsing.
Suggested-by: Graham Christensen <graham@grahamc.com>
Add test 744 to verify
Closes#17036
Safe to do this now, as the code no longer relies on setting these
options after feature detection.
Also: Tidy up the way we handle options not to be passed to feature
checks, and make sure to show them in the configure log.
Follow-up to e86542038d#17047Closes#17062
wolfSSL headers publish the `HAVE_ALPN` macro to tell if it has ALPN
support compiled in. Use that instead of `HAS_ALPN`, which was never
set.
Follow-up to edd573d980#16167Closes#17056
In the hope this avoid a possible hang in `taskkill`.
To kill processes, `runtests` first tries to kill them gently (with
"TERM", or on Windows `taskkill`), then waits some time for them
to disappear and then kills them with `KILL`, or on Windows with
`taskkill -f`. This happens within `killpid()`.
This patch bumps the gentle phase to `taskkill -f`. On the obervation
that a non-forced `taskkill` may hang in cases:
msvc, CM x64-windows wolfssl +examples:
```
[...]
test 3006...[SMTP with multiple invalid (all) --mail-rcpt and --mail-rcpt-allowfails]
--p----e--- OK (1682 out of 1718, remaining: 00:04, took 0.524s, duration: 03:13)
test 3005...[SMTP with multiple and invalid (all but one) --mail-rcpt and --mail-rcpt-allowfails]
--p-u--e-Executing: 'taskkill -t -pid 1196 >nul 2>&1'
```
Ref: https://github.com/curl/curl/actions/runs/14445993473/job/40508986059?pr=17051#step:15:4176
Cancelling the job worked, resulting in a greyed out status, with the above
step and log entries lost.
If this change causes issues or does nothing at all, we may revert it
or limit it to CI runs.
Ref: #14854Closes#17054
Also:
- pass `-D_GNU_SOURCE` via `COMPILE_DEFINITIONS`.
- make it explicit to pass these C flags to feature checks.
- update `_GNU_SOURCE` comment with `pipe2()`.
- enable `-pedantic-errors` picky option for GCC with CMake <3.23.
- drop redundant condition when stripping existing MSVC `/Wn` options.
CMake passes `CMAKE_C_FLAGS` to targets, feature checks and raw
`try_compile()` calls. With `COMPILE_OPTIONS`, this is limited to
targets, and we must explicitly pass them to feature checks. This
makes the build logic clearer, and offers more control. It also
reduces log noise by omitting these options from linker commands,
and from `CMAKE_C_FLAGS` dumps in feature checks.
Closes#17047
To avoid having LTO enabled for Debug configurations with multi-config
generators (e.g. MSVC.)
Reported-by: PleaseJustDont
Fixes#17042
Ref: ##17034
Follow-up to a1eaa12a83#15829Closes#17043
To allow configuring paths styles for SCP and SFTP servers separately.
- make `scp://` URLs use `%SCP_PWD` (was: `%SSH_PWD`).
- make `%SCP_PWD` equal to `%POSIX_PWD`.
To fix test 3022 with OpenSSH-Windows 9.8.0 server.
The fix works on a local machine. Remains broken in CI.
Before this patch, it was equal to `%FILE_PWD` when using
OpenSSH-Windows, otherwise it was `%POSIX_PWD`.
Notice that no matter what path-style we pass, test 3022
was and still is broken with earlier OpenSSH-Windows versions.
(as tested with 9.5.0, 9.5.0-beta20240403, 8.0.0.1)
- rename rest of `%SSH_PWD` uses to `%SFTP_PWD`.
- drop unused `%POSIX_PWD`.
- GHA/windows: test with OpenSSH-Windows server again.
In the LibreSSL MSVC job. This job is short enough to fit the slow
install of the built-in OpenSSH-Windows tools, if needed.
Follow-up to 1abb087a9c#5298
Ref: #16803Closes#17041
On the windows-2022 runner it installs these client/server versions:
```
ssh client found /c/Windows/System32/OpenSSH/ssh.exe is OpenSSH-Windows 9.5.0
ssh server found /c/Windows/System32/OpenSSH/sshd.exe is OpenSSH-Windows 8.1.0
```
Not currently enabled. Slight downside (when enabled) that Windows needs
over 1 minute to install these two tiny programs.
Closes#17046
