Viktor Szakats [Thu, 24 Jul 2025 12:44:03 +0000 (14:44 +0200)]
windows: include `wincrypt.h` before `iphlpapi.h` for mingw-w64 <6
Required for mingw-w64 5.x (and older) builds targeting a Windows 7+.
mingw-w64 6+ fixed `mprapi.h` (included indirectly via `iphlpapi.h`)
to include `wincrypt.h` for the missing types.
MSVC is not affected because SDK 7.1a (the oldest MS SDK curl supports),
`mprapi.h` does include `wincrypt.h`.
Make sure to include `wincrypt.h` before including `iphlpapi.h` as
a workaround. `wincrypt.h` is used unconditionally even though it's
not available in UWP. This is safe in this context, because we use
`iphlpapi.h` for `if_nametoindex`, which is not supported and used
in UWP builds.
This fixes auto-detection that missed detecting `if_nametoindex` in
the affected combination, and this build error in non-unity builds:
```
In file included from D:/my-cache/mingw32/i686-w64-mingw32/include/iprtrmib.h:9:0,
from D:/my-cache/mingw32/i686-w64-mingw32/include/iphlpapi.h:17,
from D:/a/curl/curl/lib/url.c:63:
D:/my-cache/mingw32/i686-w64-mingw32/include/mprapi.h:865:3: error: unknown type name 'CERT_NAME_BLOB'
CERT_NAME_BLOB *certificateNames;
^~~~~~~~~~~~~~
D:/my-cache/mingw32/i686-w64-mingw32/include/mprapi.h:887:3: error: unknown type name 'CRYPT_HASH_BLOB'
CRYPT_HASH_BLOB certBlob;
^~~~~~~~~~~~~~~
```
Ref: https://github.com/curl/curl/actions/runs/16497057672/job/46645264552?pr=18012#step:10:140
This combination is not normally tested in CI. It was caught in
the `dl-mingw, CM 6.4.0-i686 schannel !unity Win7` job while working
on another PR.
Viktor Szakats [Thu, 24 Jul 2025 19:05:26 +0000 (21:05 +0200)]
curl_setup.h: move UWP detection after `config-win32.h` (revert)
This change wasn't good because `config-win32.h` does rely on the UWP
detection result to set `USE_WIN32_CRYPTO` and LDAP macros. While it
fixed one issue, it created another.
It seems better to revert, and focus on reducing and/or eventually
dropping the logic within `config-win32.h` that alters `_WIN32_WINNT`.
It may not be necessary anymore with a minimum of VS2008 (soon VS2010).
The logic is also absent from cmake builds, without causing issues.
Could affect UWP winbuild/project-file builds. These are theoretical
builds because neither build method is prepared to target UWP.
Viktor Szakats [Tue, 22 Jul 2025 01:14:43 +0000 (03:14 +0200)]
tests: unset some envs instead of blanking them
After 7cf8414fabc3063cc3d2121eacec4a6daa4164a8 #12862, `VAR=` no longer
removes the env variable, but sets it to an empty/blank value instead.
To remove an env, `VAR` shall be used (without the assigment operator.)
`SSL_CERT_FILE`, `CURL_HOME`, `HOME`, `XDG_CONFIG_HOME`, were added
before the change above. Make tests unset these envs again, as their
commit messages suggest, instead of blanking them. It does not change
the outcome of the tests.
Test log from the 'gcc 9` job above (with debug lines):
```
test 0428...[Expand environment variables within config file]
428: protocol FAILED!
There was no content at all in the file log/server.input.
Server glitch? Total curl failure? Returned: 26
== Contents of files in the log/ dir after test 428
=== Start of file cmd
--variable %FUNVALUE
--variable %VALUE2
--variable %BLANK
--variable %curl_NOT_SET=default
--expand-data 1{{FUNVALUE}}2{{VALUE2}}3{{curl_NOT_SET}}4{{BLANK}}5\{{verbatim}}6{{not.good}}7{{}}
=== End of file cmd
=== Start of file commands.log
../src/curl.exe --output log/curl428.out --include --trace-ascii log/trace428 --trace-time http://127.0.0.1:1593/428 -K log/cmd > log/stdout428 2> log/stderr428
=== End of file commands.log
=== Start of file server.cmd
Testnum 428
=== End of file server.cmd
=== Start of file stderr428
getenv of 'FUNVALUE' returned 0xee65d2
getenv of 'VALUE2' returned 0xee7a42
getenv of 'BLANK' returned (nil)
curl: Variable 'BLANK' import fail, not set
curl: log/cmd:3: '--variable' variable expansion failure
curl: cannot read config from 'log/cmd'
curl: option -K: error encountered when reading a file
curl: try 'curl --help' for more information
=== End of file stderr428
```
Env comparison:
Fail: https://ci.appveyor.com/project/curlorg/curl/builds/49123802/job/2a4w7i21npys9pd3
```
-- curl version=[8.6.1-DEV]
-- The C compiler identification is GNU 9.1.0
-- Found Perl: C:/msys64/usr/bin/perl.exe (found version "5.30.0").
-- Found _WIN32_WINNT=0x0601
* curl 8.6.1-DEV (Windows).
* libcurl/8.6.1-DEV Schannel zlib/1.2.11
* Features: alt-svc AsynchDNS Debug HSTS HTTPS-proxy IPv6 Kerberos Largefile libz NTLM SPNEGO SSL SSPI threadsafe TrackMemory UnixSockets
* Disabled: xattr
* System: MSYS_NT-10.0-14393 APPVYR-WIN 3.0.7-338.x86_64 2019-07-11 10:58 UTC x86_64 Msys
```
Viktor Szakats [Wed, 16 Jul 2025 02:25:08 +0000 (04:25 +0200)]
tests: fix UTF-8 detection, per-test `LC_*` settings, CI coverage
- runtests: fix `codeset-utf8` feature detection. Before this patch it
detected if the calling environment had UTF-8 enabled. If not, UTF-8
tests were all skipped. After this patch, it detects if UTF-8 is
supported by the calling environment regardless of what's currently
enabled.
Follow-up to 0b70b23ef4d007031bc2ae4fc63d5ed9136bc2b5 #15039
- GHA/macos: fix to actually enable `codeset-test`. Also set `LC_ALL`,
which seems necessary to trigger issues.
Follow-up to c221c0ee5935497168c52686a9d8cc87b45bbca9 #17938
- tests/data: replace `LC_CTYPE` env with `LC_ALL` in all tests
requiring a locale. Also to avoid potential issues with a blank or
unset `LC_ALL`, as seen earlier. And to ensure that the override works
on all platforms (as tested in CI.)
Slight downside is that this now resets the language/culture to `C`.
Ref: b4c9982382469398115cc0e3e0747e79db083455 #4743
Ref: 23208e330ac0c2164d59971baf79e87c45da1840 #4738
- replace `en_US.UTF-8` with `C.UTF-8` to be language/culture-agnostic.
- TEST-SUITE.md: drop `UTF-8` as a requirement for tests.
Tests shall work (or least be skipped) without UTF-8 support.
Viktor Szakats [Fri, 18 Jul 2025 16:17:06 +0000 (18:17 +0200)]
build: fix build errors/warnings in rare configurations
- vtls: fix unused variable and symbols.
- ftp: fix unused variable.
- http: fix unused variables.
- smtp: fix unsued variable.
- wolfssl: fix unused variable with !proxy.
- libssh: fix unused argument.
- curl_trc: sync guards between declaration and definition.
- curl_trc: add missing guard for `Curl_trc_ssls` when !verbose.
- curl_trc: fix errors with !http + http3.
- curl_trc: fix missing function with !http + nghttp2.
- cf-h2-proxy: disable when !http + nghttp2, to avoid calling undeclared
functions.
- sha256: fix missing declaration in rare configs.
- md4: fix symbol conflict when building GnuTLS together with AWS-LC or
wolfSSL. By prioritizing the latter two. AWS-LC has no option
to disable the clashing symbol. wolfSSL does, but the most seamless is
to skip including GnuTLS's standalone `md4.h` to avoid the clash.
- build: fix errors with !http + nghttp2.
- build: catch !ssl + ssls-export combination in source. Convert
build-level errors to warnings.
- build: fix errors with !http + http3.
- build: fix building curl tool and unit1302 in rare combinations.
By always compiling base64 curlx functions.
- cmake: add `_CURL_SKIP_BUILD_CERTS` internal option.
To disable automatically building certs with the testdeps target.
To improve performance when testing builds.
(used locally to find the failing builds fixed in this PR.)
Viktor Szakats [Fri, 18 Jul 2025 21:43:32 +0000 (23:43 +0200)]
cmake: fix to disable Schannel and SSPI for non-Windows targets
Fixing:
```
In file included from lib/vtls/vtls.c:50:
In file included from lib/vtls/../urldata.h:314:
lib/vtls/../curl_sspi.h:41:10: fatal error: 'security.h' file not found
41 | #include <security.h>
| ^~~~~~~~~~~~
1 error generated.
lib/curl_sspi.h:41:10: fatal error: 'security.h' file not found
41 | #include <security.h>
| ^~~~~~~~~~~~
1 error generated.
```
Stefan Eissing [Mon, 21 Jul 2025 10:23:06 +0000 (12:23 +0200)]
pytest: add SOCKS tests and scoring
Configure curl with `--with-test-sockd=<path to sockd>` for a locally
installed dante sockd server and new `test_40_*` will verify that
down- and uploads work via SOCKS.
Invoke scorecard.py with `--socks4` or `--socks5` to run performance
tests with SOCKS. Note that SOCKS is not supported for HTTP/3.
Viktor Szakats [Tue, 22 Jul 2025 10:19:22 +0000 (12:19 +0200)]
test1148: drop redundant `LC_NUMBER=` env setting
No longer necessary after a previous change made sure to strip
the '100.0%' number from the result, before checking it. The dot is
a regex character catching any decimal separator.
Viktor Szakats [Tue, 22 Jul 2025 14:44:45 +0000 (16:44 +0200)]
lib1560: fix memory leak when run without UTF-8 support
The issue is missed in CI, because valgrind jobs all run with UTF-8
support.
Fixing:
```
test 1560...[URL API]
valgrind ERROR ==13362== 104 bytes in 1 blocks are definitely lost in loss record 1 of 1
==13362== at 0x484D953: calloc (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
==13362== by 0x48E1302: curl_dbg_calloc (in /curl/bld/lib/libcurl.so.4.8.0)
==13362== by 0x4931D12: curl_url (in /curl/bld/lib/libcurl.so.4.8.0)
==13362== by 0x14F658: get_parts (in /curl/bld/tests/libtest/libtests)
==13362== by 0x150AC6: test_lib1560 (in /curl/bld/tests/libtest/libtests)
==13362== by 0x17F5D5: main (in /curl/bld/tests/libtest/libtests)
```
Ref: https://github.com/curl/curl/actions/runs/16446352985/job/46479298080?pr=17988#step:41:3007
Viktor Szakats [Tue, 15 Jul 2025 19:37:51 +0000 (21:37 +0200)]
test1560: set locale/codeset with `LC_ALL` (was: `LANG`), test in CI
To fix running test 1560 when `LC_ALL` is set to something unexpected
(e.g. `C`). Also syncing it with the rest of tests.
Also:
- GHA/linux: enable `libidn2` in more jobs.
Also to enable test 1560 reproducing this issue in more jobs.
- GHA/linux: run tests with `LC_ALL=C` in one of the jobs.
- GHA/linux: switch to the non-deprecated package name for libidn2.
- GHA/macos: run tests with non-default locale settings in one job.
- GHA/macos: enable AppleIDN in that job.
Viktor Szakats [Fri, 11 Jul 2025 19:50:23 +0000 (21:50 +0200)]
GHA/checksrc: expand spellcheck, fix issues found
- codespell: break logic out into its own runnable script. Allowing
to run it on local machines.
- codespell: install via `pip`, bump to latest version.
- codespell: show version number in CI log.
- codespell: drop no longer needed word exception: `msdos`.
- codespell: include all curl source tree, except `packages` and
`winbuild`. Drop an obsolete file exclusion.
- add new spellchecker job using the `typos` tool. It includes
the codespell dictionary and a couple more. Use linuxbrew to install
it. This takes 10 seconds, while installing via `cargo` from source
would take over a minute.
- codespell: introduce an inline ignore filter compatible with `cspell`
Make `typos` recognize it, too. Move single exceptions inline.
Fix new typos found. Also rename variables and words to keep
spellchecking exceptions at minumum. This involves touching some tests.
Also switch base64 strings to `%b64[]` to avoid false positives.
Viktor Szakats [Sun, 20 Jul 2025 23:57:26 +0000 (01:57 +0200)]
windows: fix `if_nametoindex()` detection with autotools, improve with cmake
- autotools: fix auto-detection on the Windows platform.
It was mis-detected when targeting Windows XP/2003 64-bit.
It was permanently undetected when building for Windows 32-bit.
```
lib/url.c: In function 'zonefrom_url':
lib/url.c:1802:18: error: implicit declaration of function 'if_nametoindex' [-Wimplicit-function-declaration]
1802 | scopeidx = if_nametoindex(zoneid);
| ^~~~~~~~~~~~~~
lib/url.c:1802:18: error: nested extern declaration of 'if_nametoindex' [-Werror=nested-externs]
```
Ref: https://github.com/curl/curl/actions/runs/16405598782/job/46351023138?pr=17982#step:10:29
Reported-by: LoRd_MuldeR
Fixes #17979
Without this patch the workaround for the 8.15.0 release is:
`export ac_cv_func_if_nametoindex=0` for Windows XP/2003 64-bit.
Background: Checking for the `if_nametoindex()` function via
`AC_CHECK_FUNCS()` (autotools) or `check_function_exists()` (cmake) do
not work on Windows, for two reasons:
- the function may be disabled at compile-time in Windows headers
when targeting old Windows versions (XP or WS2003 in curl context)
via `_WIN32_WINNT`. But it's always present in the system implib
`iphlpapi` where these checks are looking.
- for 32-bit Windows the function signature in the implib requires
a 4-byte argument, while these checks always use no arguments,
making them always fail.
- cmake: call `if_nametoindex` dynamically with mingw-w64 v1.0.
This mingw-w64 version lacks prototype and implib entry for it.
- cmake: add auto-detection for Windows and use as a fallback for
non-pre-fill cases.
- cmake: disable pre-fill with `_CURL_PREFILL=OFF`. (for testing)
- cmake: disable pre-fill for untested compilers. (i.e. non-MSVC,
non-mingw64)
- GHA/windows: make an autotools job build for Windows XP.
Unconditionally enable _GNU_SOURCE when building on GNU/Hurd; this way
it is possible to properly use/rely on GNU extensions e.g. accept4(),
memrchr(), and the GNU strerror_r().
Viktor Szakats [Sat, 19 Jul 2025 13:21:31 +0000 (15:21 +0200)]
multissl: initialize when requesting a random number
To fix test 1308 in MultiSSL builds.
Failure was caused by the random number generator virtual function being
NULL, instead of pointing to the implementation in the runtime-selected
TLS backend. This could happen in MultiSSL builds when a functionality
was asking for a random number without triggering a VTLS function table
initialization first. Such functionality is MIME, or form data via MIME.
The reason CI did not catch it in an earlier MultiSSL GHA/windows job,
is that it was a debug-enabled one. In debug-enabled builds the test
runner was overriding the random number generator for all tests.
Viktor Szakats [Sat, 19 Jul 2025 20:53:08 +0000 (22:53 +0200)]
GHA/macos: enable QUIC API with OpenSSL
In one autotools and one cmake job.
Also:
- enable OpenSSL QUIC in two more jobs.
- pytest: add checks to skip h3 tests when there is no h3 server to
tests 26, 27a, 27b, 27c, 29 in test_02_download. Fixing:
```
FAILED tests/http/test_02_download.py::TestDownload::test_02_26_session_shared_reuse[h3] - AssertionError: expected exit code 0, got 1
[...]
```
Ref: https://github.com/curl/curl/actions/runs/16392680316/job/46320739635?pr=17973
Viktor Szakats [Fri, 18 Jul 2025 21:09:15 +0000 (23:09 +0200)]
GHA/macos: add Rustls, aws-lc jobs
Bind them to the (arbitrary choice of) Apple clang and gcc compilers,
respectively.
Also:
- bind existing mbedTLS job to the llvm compiler, to keep the number of
jobs the same as before this patch.
- move OpenLDAP from mbedTLS over to LibreSSL to keep testing it with
all 3 compilers.
- simplify exclusions for clang-tidy and torture jobs.
- tag clang-tidy and torture jobs via `install_steps`.
To avoid keeping around special bool fields.
test1560: skip some URLs if UTF-8 is not supported
Debian CI found that `lib1560` implements tests that will fail when
UTF-8 isn't supported. We can detect that with `nl_langinfo` and skip
the specific URLs that fail (i.e., those whose `getflags` are either
`CURLU_PUNYCODE` or `CURLU_PUNY2IDN`).
Viktor Szakats [Sat, 19 Jul 2025 16:45:25 +0000 (18:45 +0200)]
tests: set `CURL_ENTROPY` per test, not globally
Setting `CURL_ENTROPY` in debug-enabled builds overrides the code paths
responsible for random number generation. To avoid masking issue there,
this patch moves `CURL_ENTROPY` settings to each test that requires it,
and stop setting it by default for all tests (in `runner.pm`).
This makes it possible to catch random generator issues in debug-enabled
builds; extending test coverage.
To keep offering a well-defined state for tests, make `runner.pm` delete
the `CURL_ENTROPY` env, if present.
Reported-by: Kai Pastor Reported-by: Tal Regev
Bug: https://github.com/microsoft/vcpkg/pull/46444#pullrequestreview-3026575393
Ref: https://github.com/microsoft/vcpkg/pull/46444/commits/3a845c4b15066e8167bb4708007180fb6bedf40d
Stefan Eissing [Wed, 16 Jul 2025 09:10:13 +0000 (11:10 +0200)]
openssl: some small cleanups
- rename Curl_oss_check_peer_cert() to Curl_ossl_check_peer_cert()
- leave altname match loop after the first success when the match
was an ip address
- remove static subj_alt_hostcheck() since it did not really do much
- use length based infof() output of altname, even though it does
seem always to be nul terminated
Viktor Szakats [Fri, 11 Jul 2025 16:02:32 +0000 (18:02 +0200)]
test1706: pass include directory to `managen` for out-of-tree builds
Fixing:
```
readline() on closed filehandle INC at ../../curl-99.98.97/tests/../scripts/managen line 1299.
```
Ref: https://github.com/curl/curl/actions/runs/16224106087/job/45811979199?pr=17877#step:3:8545
Stefan Eissing [Mon, 14 Jul 2025 09:41:59 +0000 (11:41 +0200)]
connection: clarify `transport`
The `transport` to use for a transfer, e.g. TCP/QUIC/UNIX/UDP, is
initially selected by options and protocol used. This is set at the
`struct connectdata` as `transport` member.
During connection establishment, this transport may change due to
Alt-Svc or Happy-Eyeballing. Most common is the switch from TCP to QUIC.
Rename the connection member to `transport_wanted` and add a way to
query the connection for the transport in use via a new connection
filter query.
The filter query can also be used in the happy eyeballing attempts when
code needs to know which transport is used by the "filter below". This
happens in wolfssl initialization, as one example.
When using winbuild or Visual Studio IDE Project Files.
To simplify and prepare for dropping support for VS2008.
Details:
- fix VS2012 default target to be Windows 8 (was Vista).
Confirmed by CI:
```
-- The C compiler identification is MSVC 17.0.61030.0
-- Found _WIN32_WINNT=0x0602
```
Ref: https://ci.appveyor.com/project/curlorg/curl/builds/51594696/job/elbl0w5n7fmoos2f#L45
It also aligns with the default being Windows 7 for VS2010,
and Windows Vista for VS2008.
- bump minimum target to XP (was Windows 2000) when using VS2008.
curl requires XP.
- add Windows release names to comments for clarity.
- add hex Windows version to a comment for clarity.
- merge VS2008/VS2012 minimum/default logic and comments.
- reduce scope of local minimum/default macros.
- shorten comments to fit within line limit.
Daniel Stenberg [Mon, 14 Jul 2025 06:59:04 +0000 (08:59 +0200)]
VULN-DISCLOSURE-POLICY.md: 7 days embargo is max
It was recently updated in this doc to seven, but there were *two*
numbers mentioned and only one of them was updated leaving the paragraph
quite confusing.
Viktor Szakats [Sun, 13 Jul 2025 01:28:19 +0000 (03:28 +0200)]
GHA: minor tidy-ups
- GHA/checksrc: make a step name more accurate.
- cmakelint.sh: make sure to run from project root.
To make it easier to run locally.
- cmakelint.sh: use `set -eu`.
Viktor Szakats [Sat, 12 Jul 2025 16:07:51 +0000 (18:07 +0200)]
GHA/checksrc: use Linux for CI checks, merge job into misc checks
CI check used macOS before this patch, but with the help of Linuxbrew,
latest zizmor and shellcheck are also available on Linux.
Also:
- migrate CI checks to the misc check workflow, to make both shellcheck
use the same, latest, shellcheck version, and to save the overhead of
an extra workflow.
Daniel McCarney [Fri, 11 Jul 2025 20:19:12 +0000 (16:19 -0400)]
lib/vts: fix a copy-pasted early data comment typo
In gtls.c there was a typo'd comment that I think was missing the word
"no" to indicate there's "no GnuTLS way to signal no EarlyData".
This commit fixes that typo, and also updates a copy-pasted instance
that made it into wolfssl.c where it should refer to the WolfSSL API
missing the capability, not GnuTLS.
projects / thirdparty / curl.git / log
