- fix socket/sockindex confusion on writes:
The callstack used to end with `Curl_write_plain()` accepting a socket
till 7.87.0. This call got swapped for `Curl_conn_send()`, expecting
a sockindex. `socket_write()` was updated accordingly. Its callers
missed it and continued operating on sockets: `do_sec_send()`,
`sec_write()`, passing it down the stack and `Curl_conn_send()`
resolving it as if it were a sockindex.
It affected FTP Kerberos authentication.
Discovered through MSVC warnings:
```
curl\lib\krb5.c(652,28): warning C4244: 'function': conversion from 'curl_socket_t' to 'int', possible loss of data
curl\lib\krb5.c(654,28): warning C4244: 'function': conversion from 'curl_socket_t' to 'int', possible loss of data
curl\lib\krb5.c(656,26): warning C4244: 'function': conversion from 'curl_socket_t' to 'int', possible loss of data
curl\lib\krb5.c(657,26): warning C4244: 'function': conversion from 'curl_socket_t' to 'int', possible loss of data
curl\lib\krb5.c(665,24): warning C4244: 'function': conversion from 'curl_socket_t' to 'int', possible loss of data
curl\lib\krb5.c(666,24): warning C4244: 'function': conversion from 'curl_socket_t' to 'int', possible loss of data
```
Ref: https://github.com/curl/curl/actions/runs/11846599621/job/33014592805#step:9:32
Follow-up to 5651a36d1a#10280
Bug: https://github.com/curl/curl/pull/15549#issuecomment-2474154067Fixes#15582
- fix uninitialized buffer:
```
curl\lib\krb5.c(288,1): warning C4701: potentially uninitialized local variable '_gssresp' used
```
Ref: https://github.com/curl/curl/actions/runs/11848626645/job/33020501026?pr=15585#step:9:31
- silence unreachable code compiler warning:
```
curl\lib\krb5.c(370,1): warning C4702: unreachable code
```
Ref: https://github.com/curl/curl/actions/runs/11848626645/job/33020501026?pr=15585#step:9:30Closes#15585
Fixing issue #15580 by renaming struct var to tool_var to avoid conflict
with the same structure name defined in AIX system headers.
Fixes#15580Closes#15581
This feature was recently dropped because of a bad side-effect of
silencing unused cmake command-line option warnings.
Fix this issue by retrieving variable values using `get_property()`,
instead of accessing the variables directly. It allows restoring
this feature without the bad side-effect.
Also limit the logic to CI runs.
Follow-up to 96edb5f611#15501Closes#15563
The idea of linking dependencies found to `libcurl.pc` turns out not
to work in practice in some cases.
Specifically: gss, ldap, mbedtls, libmsh3, rustls
A `.pc` may not work or be missing for a couple of reasons:
- not all build methods generate it: mbedTLS, Rustls
- generated file is broken: msh3
Ref: https://github.com/nibanks/msh3/pull/225
- installed package flavour isn't shipping with one:
FreeBSD GSS, OmniOS LDAP, macOS LDAP
The effect of such issues shall be subtle in theory, because
`libcurl.pc` normally lists these dependencies in the `Requires.private`
section meant for static linking. But, e.g. `pkg-config --exists`
requires these to be present, and builds sometimes use this check
regardless of build type. This bug is not present in `pkgconf`; it only
checks for them when `--static` is also passed.
Fix these by adding affected `.pc` references to `libcurl.pc` only when
we detected the dependency via `pkg-config`.
There are a few side-effects of this solution:
- references are never added for dependencies where curl doesn't
implement `pkg-config` detection. These are:
- autotools: ldap, mbedtls, msh3
- cmake: ldap (pending #15273)
- generated `libcurl.pc` depends on the build-time environment.
- generated `libcurl.pc` depends on curl build tool (cmake, autotools).
- generated `libcurl.pc` depends on curl build implementation details.
Make an exception for GNU GSS, where I blindly guess that `gss.pc` is
always available, as no issues were reported.
Other, not mentioned, dependencies continue to be added regardless
of the detection method.
Reported-by: Harmen Stoppels, Thomas, Daniel Engberg, Andy Fiddaman
Fixes#15469Fixes#15507Fixes#15535
Fixes https://github.com/curl/curl/pull/15163#issuecomment-2473358444Closes#15573
- stop passing explicit libpaths via `CMAKE_SHARED_LINKER_FLAGS` and
`CMAKE_EXE_LINKER_FLAGS`. `link_directories()` is doing that already.
- use `curl_required_libpaths()` to pass libpaths to the feature test.
Reported-by: Daniel Engberg
Fixes#15536
Also fixes GSS feature detection with non-gcc/clang compilers,
such as MSVC.
- add libpaths to `CURL_LIBPATHS`.
- move `GSS_CFLAGS`, `GSS_LDFLAGS` stringifications to FindGSS.
To match the `CFLAGS` format returned by the rest of Find modules.
- reorder calls to match other dependencies.
- don't extend system `LDFLAGS` when FindGSS did not return any.
- ignore `LDFLAGS` when detecting GSS via `pkg-config`. `LDFLAGS` holds
a copy of libpaths and libs in this case. Ignore those to avoid these
duplicates making into `libcurl.pc` and `curl-config`. Also syncing
behavior with other Find modules which also ignore raw `LDFLAGS`.
- ignore raw `LDFLAGS` coming from `krb5-config --libs`. FindGSS
no longer returns dependency-specific `LDFLAGS` after this. Syncing
behavior with other Find modules.
- reduce scope of checker state push/pop/set.
Closes#15545
krb5 defines `strtok_r` for Windows unconditionally in its public
header:
dc5554394e/src/include/win-mac.h (L214-L215)
resulting in this warning:
```
lib\strtok.h(31,9): warning C4005: 'strtok_r': macro redefinition
C:\vcpkg\installed\x64-windows\include\win-mac.h(215,9):
see previous definition of 'strtok_r'
```
The krb5 macro collides with curl's internal definition, in case
the `strtok_r` function is undetected and falling back to a local
replacement.
Reported-by: Tal Regev
Bug: https://github.com/curl/curl/pull/15549#issuecomment-2468251761Closes#15564
`libcurl.pc` `Libs.private` (since 8.11.0, and in `Libs` before 7.20.0)
and `curl-config` `--static-libs` (since 7.17.1, and in `Libs` between
7.7.2-7.25.0). This included all flags inherited from the environment,
in addition to those coming from dependency detections.
To avoid spilling all linker flags inherited from the environment to
the libcurl config files, this patch omits them all, except `-L`, `-F`,
`--library-path=` and `-framework` options, which are still passed.
The rationale for the exceptions is that `LIBS` is passed as-is, and
`LDFLAGS`, `LIBS` are the canonical way to pass custom libs options
to a build. `LIBS` may not work without a matching custom libpath.
This brings autotools behaviour closer to cmake, and `curl-config`
closer to `libcurl.pc`.
Follow-up to 9f56bb608e#14681
Follow-up to 4c8adc8fee
Reported-by: Peter Marko
Fixes#15533Closes#15550
An upstream update `impacket` pip package started requiring `blinker`.
An older version is shipping with Ubuntu, causing this on install:
```
Attempting uninstall: blinker
Found existing installation: blinker 1.7.0
ERROR: Cannot uninstall blinker 1.7.0, RECORD file not found. Hint: The package was installed by debian.
```
Fix it by switching to venv and install everything separate from the
system.
The overhead is the same as using `pip --ignore-installed`, which also
installs everything from scratch.
The 3rd option is to uninstall the system `python3-blinker` package, but
it was the slowest.
Closes#15578
Homebrew switched to `pkgconf`, and now pkg-config installs an extra
package. Update package list to avoid that.
The side-effect of `pkgconf` is that this former log message:
```
-- Package 'libcrypto', required by 'libssh2', not found
```
https://github.com/curl/curl/actions/runs/11779568834/job/32808325442#step:7:84
is replaced by this, and repeated 10 times:
```
Package libcrypto was not found in the pkg-config search path.
Perhaps you should add the directory containing `libcrypto.pc'
to the PKG_CONFIG_PATH environment variable
Package 'libcrypto', required by 'libssh2', not found
```
https://github.com/curl/curl/actions/runs/11792711391/job/32846858320#step:7:85Closes#15575
Fix builds with CMake configured to falsely return successful detection
when using `check_function_exists()` (and `check_library_exists()`, and
anything based on `try_compile()` that's relying on the linker). After
such mis-detection the build fails when trying to use the feature that
doesn't in fact exist.
The mis-detection is caused by this CMake setting:
```
set(CMAKE_TRY_COMPILE_TARGET_TYPE STATIC_LIBRARY)
```
It is set by default (or on conditions) when using 3rd-party toolchain:
https://github.com/leetal/ios-cmake/blob/master/ios.toolchain.cmake
After this patch the curl build overrides this setting for the duration
of feature tests, and logs a message about it.
Also preset and skip feature tests for known mis-detections:
- `connect()` in `libsocket`
- `getpass_r()`
- `eventfd()` (did not cause an issue due to a separate bug)
- `sendmmsg()` (did not cause an issue because it's Linux-only)
If mis-detections are still seen, the workaround is to force-set the
specific feature by passing `-DHAVE_*=OFF` to cmake.
Also consider passing `-DENABLE_STRICT_TRY_COMPILE=ON` for
`ios.toolchain.cmake` to fix the root cause.
Interestingly curl itself uses this setting to speed up compile-only
detections: be17f298ff#3744
Also:
- OtherTests.cmake: restore original value of
`CMAKE_TRY_COMPILE_TARGET_TYPE`. Before this patch it reset it
to empty.
- OtherTests.cmake: unset a local variable after use, quote a string.
Follow-up to 8e34505776#15164
Follow-up to 8b76a8aeb2#15525
Ref: https://github.com/leetal/ios-cmake/issues/47
Ref: https://gitlab.kitware.com/cmake/cmake/-/issues/18121
Ref: https://cmake.org/cmake/help/latest/variable/CMAKE_TRY_COMPILE_TARGET_TYPE.html
Reported-by: Dan Rosser
Fixes#15557Closes#15559
Instead of installing the cmake package which is a meta-port (includes
documentation and manpages etc) install cmake-core which is cmake itself
to save a few cpu cycles.
Also drop nghttp2 in favour of the slimmer libnghttp2.
Closes#15540
The script's previous treatment of this meta-data was a
misunderstanding. (Added in 1ebc53df25) The mistrust is not for
the root cert at this date (it would simply be removed from the bundle
then instead) but for created server certificates:
If a builtin certificate has a CKA_NSS_SERVER_DISTRUST_AFTER
timestamp before the SCT or NotBefore date of a certificate that
builtin issued, then clients can elect not to trust it.
That is however information that cannot be provided in the generated PEM
output.
Fixes#15547
Reported-by: Andrew Ayer
Closes#15552
Different variable names were used in flag save and restore operations,
which could cause existing `CPPFLAGS` and `LDFLAGS` be accidentally lost
when detecting Rustls.
Follow-up to 647e86a3ef#13179Closes#15546
A recent update caused CMake builds to mis-detect this symbol on iOS.
Auto-detection also seems redundant given that it's a Windows-only
function and most Windows builds were already opted-in.
Drop detections and use it in all Windows builds with large file support
enabled.
Feature history:
- pririotizing for Windows: aaacd02466#14678
- Windows opt-in cmake: 8e74c0729d#11950
- Windows opt-in: aa6c94c5bf#11944
- use in libcurl: 9c7165e96a#11918
- use in example: 817d1c0106
Regression from 8e34505776#15164
Reported-by: Maarten Billemont
Fixes#15525Closes#15526
- gnutls/gnutls to v3.8.8
- rojopolis/spellcheck-github-actions digest to 403efe0
- awslabs/aws-lc to v1.38.0
- github/codeql-action digest to 4f3212b
Closes#15487Closes#15490Closes#15516Closes#15528
Provide libcurl's memory functions as callbacks to replace nghttp2's own memory
functions. This allows custom memory callbacks provided by users of libcurl to
be used by nghttp2 as well.
Closes#15527
Using this option (only available in debug builds) makes curl always
call curl_easy_duphandle() on the handle before using it.
To help us catch curl_easy_duphandle() mistakes better.
Add a CI job using this.
Bonus: the previous runtests option -e is now also supported as
--test-event
Closes#15504
As discovered earlier, Homebrew gcc is built against a specific Apple
SDK version and doesn't work when matched up with a different version,
e.g. the one advertised as default by the macos runner image.
Before this patch this was resolved with brute force by zapping the
hack-layer gcc component to avoid the bad interference. This worked
for us, but it's fragile, accidental and doesn't translate to
real-world build environments. Thus, impractical.
Avoid this by explicitly selecting the SDK version gcc was built for and
meant to be used with, as shown by `gcc --print-sysroot`.
It assumes that the gcc binaries preinstalled on the runner images
always ship with the SDK version they reference. It also assumes
this works with and without `brew update`.
Also:
- add 4 quick build-only jobs to test all gcc/macos combos.
- list SDKs offered via CommandLineTools.
Suggested-by: Bo Anderson
Ref: https://github.com/Homebrew/homebrew-core/issues/194778#issuecomment-2462764619
Follow-up to c349bd668c#14097Closes#15518
Run mbedtls' psa_crypt_init() in the general global init, optionally
protected by mbedtls locks when available.
CI: when building mbedtls, enabled thread safety
Reported-by: wxiaoguang on github
Fixes#15500Closes#15505
The netrc init was only done in the Curl_open, meaning that a duplicated
handle would not get inited properly.
Added test 2309 to verify. It does netrc auth with a duplicated handle.
Regression from 3b43a05e00
Reported-by: tranzystorekk on github
Fixes#15496Closes#15503
