These libraries do not support TLS 1.3 and have been marked for removal
for over a year. We want to help users select a TLS dependency that is
future-proof and reliable, and not supporting TLS 1.3 in 2025 does not
infer confidence. Users who build libcurl are likely to be served better
and get something more future-proof with a TLS library that supports
1.3.
Closes#16677
Public `curl/curl.h` includes these headers for non-Windows platforms
without further conditions. This makes it safe to assume these headers
do exist, allowing to save two feature checks for non-Windows targets.
`sys/time.h` is also assumed on Windows with mingw-w64, for declaring
`gettimeofday()`.
Closes#17522
Delete macros from `curl_config.h.cmake` that were never set by
the CMake script: `_LARGE_FILES`, `_THREAD_SAFE`, `const`, `size_t`.
Also:
- lib/config-riscos.h: drop `#undef _LARGE_FILES`. This is an
IBM-specific macro, no need to unset it on other platforms.
Cherry-picked from #17576Closes#17580
Trying to avoid the occasional ~6-minute long delays seen in the OpenBSD
since last week. The long delay causes the CI job to timeout and fail:
https://github.com/curl/curl/actions/workflows/non-native.yml?page=2&query=branch%3Amaster
The exact reason is or test number is unknown. I base this attempt on
looking at the first occurrences and possible patches that may be
related.
The issue was first seen in CI within PR #17136:
```
[...]
Wed, 07 May 2025 07:10:30 GMT test 3014...[Check if %{num_headers} returns correct number of headers]
Wed, 07 May 2025 07:10:30 GMT s-p----e--- OK (1743 out of 1778, remaining: 00:02, took 0.195s, duration: 01:43)
Wed, 07 May 2025 07:10:30 GMT test 3016...[GET a directory using file://]
[long delay here]
Wed, 07 May 2025 07:16:17 GMT -------
Wed, 07 May 2025 07:16:17 GMT Error: The operation was canceled.
```
Ref: https://github.com/curl/curl/actions/runs/14877264415/job/41776966626#step:3:5566
Ref: https://github.com/curl/curl/actions/runs/14900320627/job/41850699301#step:3:5561 (next in PR)
Then in master, shortly after merging it via d3594be6531df3d5eafcdd09f84ad9dee1777028:
```
[...]
Mon, 02 Jun 2025 09:23:55 GMT test 3201...[HTTP GET when PROXY Protocol enabled and spoofed client IP]
Mon, 02 Jun 2025 09:23:55 GMT --p----e--- OK (1777 out of 1788, remaining: 00:00, took 0.222s, duration: 01:42)
Mon, 02 Jun 2025 09:23:55 GMT RUN: failed to start the HTTP/2 server
Mon, 02 Jun 2025 09:23:55 GMT test 3202...[HTTP-IPv6 GET with PROXY protocol with spoofed client IP]
[long delay here]
Mon, 02 Jun 2025 09:29:48 GMT --p----e--- OK (1778 out of 1788, remaining: 00:00, took 0.1
Mon, 02 Jun 2025 09:29:48 GMT Error: The operation was canceled.
```
Ref: https://github.com/curl/curl/actions/runs/15388587165/job/43292652793#step:3:5097
Ref: https://github.com/curl/curl/actions/runs/15390589464/job/43298911578#step:3:5097 (next in master)
Closes#17562
Using a mixture of techniques to avoid symbols collisions:
- reduce scope.
- add `t*_` / `T*_` prefix.
- move shared functions to `testutil.c`.
(`suburl()`, `rlim2str()`)
- clone re-used lib*.c sources.
(lib587, lib645)
- include shared symbols just once in re-used `lib*.c` sources.
(using `LIB*_C` guards.)
- drop re-used `lib*.c` sources where they were identical or
unused.
- make macros global.
- #undef macros before use.
What remain is the entry functions `test`, and `unit_setup`,
`unit_stop` in unit tests.
Also:
- fix formatting and other minor things along the way.
- add `const` where possible.
- sync some symbol names between tests.
- drop `mk-bundle-hints.sh` that's no longer necessary.
Closes#17468
- replace dynamic `InitSecurityInterface()` call with early binding and
link `secur32` system DLL.
The library and function are available in all supported curl Windows
targets, meaning WinXP or newer. Add small hack for mingw32ce to
make it build.
- detect and use `if_nametoindex()` on Windows when available. Link
`iphlpapi` system DLL. Requires targeting Vista or newer.
Replacing the dynamic call and the pre-load optimization for lib3026.
Suggested-by: Jay Satiro
Closes#17413
Extend MSVC jobs with the option to use MSYS2 binary package as DLL
dependencies. Allow to use them alone (without vcpkg) or combined with
vcpkg packages. This saves the trouble of building these packages from
source and cache them manually.
This solution requires two tricks:
- workaround for zlib which installs a target-specific `zconf.h` that's
not portable between platforms and C compilers.
- manual dependency configuration in CMake to ensure linking against
the MSYS2 DLLs (and not it static libs). Static libs aren't portable
to MSVC due to missing symbols `__chkstk_ms`, `_stack_chk_fail`,
`_memcpy_chk`, `_stack_chk_guard`, and potentially other issues. CMake
in MSVC mode, `linker.exe` and `pkg-config` pick the static libs by
default. To pick `.dll.a` in favour of `.a`, these tools would have
to be taught about this convention. An alternative is deleting static
libs and see if `.dll.a` are picked-up automatically.
Using MSYS2 packages adds an install step taking 15-45 seconds per job.
It allowed to:
- re-enable libpsl for all MSVC jobs.
- convert the Intel 64-bit job to use MSYS2 without vcpkg, enabling
brotli, zstd, OpenSSL 3.5.0, libssh2 (with OpenSSL cryprography) and
nghttp2.
Using the same technique it's possible to re-enable more features
in MSVC builds, e.g. GnuTLS (also with H3), LibreSSL, mbedTLS, nghttp3,
ngtcp2, libssh, c-ares, gsasl, and replace vcpkg zlib, for faster runs.
What's missing compared to vcpkg is BoringSSL and wolfSSL
(the MSYS2-supplied build doesn't fit curl's requirements IIRC). These
could be built and cached manually.
Also:
- add workaround for zlib (classic) which uses a generated `zconf.h`,
rendering the MSYS2 zlib header incompatible with MSVC.
- set the correct `msystem` for arm64.
- allow using MSVC without vcpkg.
Follow-up to cd0ec4784c#17089Closes#17561
Remove structs for negotiate, krb5, ntlm and gsasl from connectdata and
store them as connection meta data with auto cleanup.
De-complexify sasl mech selection by moving code into static functions.
Closes#17557
We don't check the memory debug output with the threaded resolver, so
the only way to do it with with valgrind.
Also move the disabling of memory tracking to where we log that we're
doing it.
Closes#17501
When running torture tests with valgrind enabled, the torture function
got a command line that already had the valgrind invocation in it. It
added another, at the end resulting in an empty valgrind log file.
Remove the duplicate logic adding valgrind, which already had a bit of
different logic that wasn't updated when the other one was.
Closes#17501
For the `gh` tool, over `GITHUB_TOKEN`. It accepts both, of which
the former seems to be preferred according to the source code and
documentation.
GHA/appveyor-status already uses `GH_TOKEN`.
Closes#17556
When a pingpong based protocol tries to perform a connection disconnect,
it sends a sort of "logout" command to the server, unless the connection
is deemed dead.
But the disconnect might happen before pingpong data has been completely
sent, in which case sending the "logout" will not work. Check the
pingpong state and do not "logout" when data is pending.
This was detected as a condition in fuzzing that triggered a debug
assert in the pingpong sending.
Closes#17555
This boolean option was moved to the wrong handling function. Make it
an ARG_NONE and move it to the correct handler and add a test to
verify that the option works.
Follow-up to 698491f44
Reported-by: fjaell on github
Fixes#17545Closes#17547
Some CI tests fail due to "Can't start ssh server due to lack of USER name" -
add more ways to try to figure it out if no environment variable works: the
whoami and id commands.
Closes#17544
zizmor 1.9.0 effectively bans using GHA macros within shell script
snippets. Rework them to pass GHA macro values via envs and use those
envs in shell snippets. `${{ env.* }}` macros could be converted
to native env references after making their names shell-compatible.
Envs and shell commands can no longer be used in GHA macro values. Most
cases could be fixed by using literals. Passing quoted values with
spaces combined with other args also doesn't work anymore. This was
replaced by passing them separately.
Despite the initial complications, avoiding GHA macros in scripts does
seems to make the CI code reasonable cleaner. It also makes it possible
to analyze the scripts with shellcheck, finding subtle issues that went
unnoticed till now.
Also:
- un-ignore and fix three existing zizmor `template-injection` issues.
- add script to extract and shellcheck all shell code stored within GHA
and Circle CI YAML files.
- add CI job to run this script.
- fix shellcheck issues discovered.
- fix minor differences between cmake and autotools FreeBSD jobs.
- merge cmake/autotools FreeBSD jobs to avoid developing unwanted
differences again.
- fix/sync quote use across shell code.
- replace `$HOME` with `~` or literal where it made sense.
- replace most `brew --prefix` with literals.
- move all curl install tests to the `curl-install*` prefix.
- add missing curl install tests to cygwin/msys/mingw/*bsd.
- pipe to `tar` instead of storing downloads on disk.
- drop unnecessary `PKG_CONFIG_PATH` when building nghttp3.
Ref: https://github.com/curl/curl/actions/runs/15461461371/job/43523546041
Ref: https://github.com/zizmorcore/zizmor/releases/tag/v1.9.0
Follow-up to e522f47986#17278Closes#17537
Fix use of nghttpx fixture to be present even when h3 is not
available in curl. Fix TLS protocol versions expectations for
older openssl versions.
Closes#17538
impacket could not be used as it neeeds package six
- openbsd does not find python3, add package six
- http2-server.pl: only warn about unknown parameter if not empty string
Closes#17532
The ssh libraries do not reveal if they still have data buffered from
the peer. Only when their buffers are read empty can curl be sure that
it is safe to rely on socket polling.
This change adds detection of EGAIN on receive in the transfer loop and
allows SFTP/SCP transfers to avoid a busy loop in such a case (which
should happen often when CPU exceeds network bandwidth).
Closes#17533
Test1117 seems to verify that a response, incoming slowly, is read
completely before sending another request on the same connection.
The previsou write delay of 1000ms made the test last 23+ seconds.
A delay of 100ms seems to achieve the same test on modern machines, but
the overall run time is less than 3 seconds.
Closes#17530
Options marked ARG_NO should have their 'toggle' value reverted when the
short option is used as it implies using the --no- prefix.
-N happens be the only short option flag for a --no- long option.
Reported-by: Stefan Eissing
Closes#17527
To set `-D_GNU_SOURCE`.
Required to declare `accept4` on uclibc targets. `host_os` can have
the value `uclinux-uclibcgnueabi` in this case.
Fixing:
```
cf-socket.c: In function 'cf_tcp_accept_connect':
cf-socket.c:2141:18: error: implicit declaration of function 'accept4'; did you mean 'accept'? [-Werror=implicit-function-declaration]
2141 | s_accepted = accept4(ctx->sock, (struct sockaddr *) &add, &size,
```
Follow-up to 3d02872be7#16979
Reported-by: Kadambini Nema
Fixes#17512Closes#17524
In the documentation for the --continue-at and --range options.
A future version could implement support for the new standard HTTP resumed
uploads mechanism.
Ref: #17510Closes#17521
Improve the JSON result format to be more descriptive and
easier to parse.
Add --print option to scorecard.py that prints a saved JSON file
Add date field to score card.
Closes#17465
