We decided last year not to pursue avoiding this warning, because it
adds noise and friction, while in most cases not revealing actual code
issues. We fixed the interesting portion of them throughout mid-2024.
Conclude this effort by deleting related FIXMEs and temporary comments.
Follow-up to 3829759bd0#12489Closes#15939
The msh3 backed for QUIC and HTTP/3 was introduced in April 2022 but has
never been made to work properly. It has seen no visible traction or
developer activity from the msh3 main author (or anyone else seemingly
interested) in two years. As a non-functional backend, it only adds
friction and "weight" to the development and maintenance.
Meanwhile, we have a fully working backend in the ngtcp2 one and we have
two fully working backends in OpenSSL-QUIC and quiche well on their way
of ending their experimental status in a future.
We remove msh3 support from the curl source tree in July 2025.
Closes#15931
This discussion:
https://github.com/openssl/openssl/discussions/23339#discussion-6094341
Specifically item number 2 (Send Blocking) was raised by the curl team,
noting that SSL_want_write returning false was not a good indicator of
when a stream is writeable. The suggestion in that discussion was to use
SSL_poll with an SSL_POLL_EVENT_W flag instead, as that is a proper
indication of when an SSL_object will allow writing without blocking.
While ssl_want_write updates its state based on the last error
encountered (implying a need to retry an operation to update the
last_error state again), SSL_poll checks stream buffer status during the
call, giving it more up to date information on request. This is the
method used by our guide demos (quic-hq-interop specifically), and it
works well.
This change has been run through the curl test suite, and shown to pass
all tests. However, given the initial problem description I'm not sure
if there is a test case that explicitly checks for blocking and
unblocking of streams. As such some additional testing may be warranted.
Closes#15909
The TE request header field is invalid in HTTP/2. Since clients may not
know in advance if a connection negotiates HTTP/2, automatically strip
such a header when h2 is in play.
Add test_01_10 to verify.
Reported-by: Jiri Stary
Fixes#15941Closes#15943
Adds the experimental feature `ssls-export` to libcurl and curl for
importing and exporting SSL sessions from/to a file.
* add functions to libcurl API
* add command line option `--ssl-sessions <filename>` to curl
* add documenation
* add support in configure
* add support in cmake
+ add pytest case
Closes#15924
VS2008 has been partly broken for a while with its shared-debug builds
crashing on startup. Its compiler output (UTF-16 HTML) was also barely
readable even after conversion. It's also the only platform in CI
missing `stdint.h`.
This patch migrates a VS2008 job to VS2010 and drops another that
already had a VS2010 equivalent.
We recommend switching to VS2010 or newer when using MSVC to build curl.
Ref: #15907Closes#15934
Also to align with existing VS2010. Keeping the VS2008 job first to give
a quick sniff test for MSVC builds.
Follow-up to 08ff33e483#15923
Follow-up to 50f6a6b1d4#15926Closes#15932
- bump cookie counter and "creation time" to use 'unsigned int'
- use BIT() for single-bit struct field
- make invalid_octets() return bool properly
Closes#15921
MSVC 1900 and older is missing a `const` specifier in the `inet_ntop()`
declaration for the second argument. A workaround was in place for it
in cmake, but it didn't cover all necessary versions.
Replace the workaround with a different one, move it to `lib/inet_ntop.c`
and extend to all necessary MSVC versions.
Also add CI jobs for the older MSVC versions: 2013, 2015, 2017.
Closes#15923
Count connections to a host against a possibly configured destination
limit. Trigger multi `connchange` when a connection has been shutdown,
so pending transfers can try to get a connection once again.
Reported-by: baranyaib90 on github
Fixes#15857Closes#15879
Subparts may have been previously used as a top-level mime structure and
thus not rewound.
New test 695 checks the proper functioning in these particular conditions.
Reported-by: Qriist on github
Fixes#15842Closes#15911
This isn't needed anymore after https://github.com/curl/curl/pull/15835,
since banned functions are just allowed in general in
`docs/examples/.checksrc`, and emits a warning when running make
checksrc:
`invalid warning specified in .checksrc: "SNPRINTF"`
Closes#15916
Via these variables, as lists:
- `CURL_SUPPORTED_PROTOCOLS`
- `CURL_SUPPORTED_FEATURES`
As individual flags:
- `CURL_SUPPORTS_<protocol/feature>` = `TRUE`
Also:
- set `CURL_VERSION_STRING` which was missing when using
`find_package(CURL CONFIG)` or
`find_package(CURL NO_MODULE)`.
- set `CURL_<prototol/feature>_FOUND` for compatibility.
- show full list of missing but required `COMPONENTS`.
Assisted-by: Derek Huang
Fixes#15854Closes#15858
To make sure they are not spellchecked. Also, leaving two backticks is
not good because they cause the spellchecker to misinterpret the
markdown file so they have to be removed as well.
ngtcp2 depends on crypto backends. nghttp2 depends on ngtcp2 and nghttp3
(for nghttpx server used in pytests).
Before this patch, ngtcp2, nghttp2 weren't rebuilt when their
dependencies changes. This worked fine until wolfSSL bumped its
soversion and caused CI to fail because ngtcp2 was not rebuilt and was
still referring to the old soname that was no longer offered by the
wolfSSL package.
Make sure to rebuild ngtcp2/nghttp2 when any of their dependencies bump.
To avoid rebuilding everything on every wolfSSL commit, switch to use
wolfSSL stable versions.
Bug: https://github.com/curl/curl/pull/15882#issuecomment-2566821417Closes#15885
Expand a little.
- mention the type name of the return code
- avoid stating which exact return codes that might be returned, as that
varies over time, builds and conditions
- avoid stating some always return OK
- refer to the manpage documenting all the return codes
Closes#15900
We already avoid system framework paths while looking for LDAP headers
to avoid issues.
Do the same while looking for LDAP libraries. This makes sure to find
the regular ldap library (`libldap.tbd`) instead of picking up
`ldap.framework` and let that seep into `libcurl.pc` with a full path.
This makes LDAP detection work on Apple as before introducing FindLDAP.
Follow-up to 49f2a23d50#15273Closes#15895
via `DL_LIBRARY`, `MATH_LIBRARY`, `PTHREAD_LIBRARY` variables.
They are used in Rustls, wolfSSL Find modules.
Also:
- always use `NAMES` keyword in `find_library()` calls.
- respect `find_library()` results for `dl`, `m`, `pthread`.
- formatting.
Closes#15892
This just adds a precaution and shows a clear intention in the code.
Added because CodeSonar is reporting a false positive Use After Free on
this function.
Closes#15889
curl_multi_waitfds(m, NULL, ...);
=> Curl_waitfds_init(&cwfds, ufds, size);
=> Curl_waitfds_add_ps(&cwfds);
=> cwfds_add_sock(cwfds, ...);
Would then try to use the ->wfds array while set to NULL previously.
This should not happen, which this is now also protected with an assert
to trigger debug builds if it happens.
Caught by CodeSonar
Assisted-by: Jay Satiro
Closes#15881
In OpenSSL < 3.0, the modularity was provided by mechanism called
"engines". This is supported in curl, but the engines got deprecated
with OpenSSL 3.0 in favor of more versatile providers.
This adds a support for OpenSSL Providers, to use PKCS#11 keys, namely
through the pkcs11 provider. This is done using similar approach as the
engines and this is automatically built in when the OpenSSL 3 and newer
is used.
Signed-off-by: Jakub Jelen <jjelen@redhat.com>
Closes#15587
- ngtcp2: drop `$PWD/build` (= self)
- ngtcp2: drop nghttp3. It's only used for examples, which we do not use
here and are disabled by default.
- nghttp2: drop `$HOME/build` (does not exist)
Closes#15887
