Wyatt O'Day [Mon, 15 Dec 2025 17:17:13 +0000 (12:17 -0500)]
mbedTLS: cleanup insecure/deprecated code
1. With `MBEDTLS_SSL_PROTO_TLS1_2` not enabled, the mbedTLS code was not
able to connect to any server due to broken logic in curl's
`mbed_set_ssl_version_min_max()`. Now it correctly sets the minimum
supported TLS version based on what is compiled in the library.
2. If debugging is enabled, move the debugging enabling earlier in the
`mbed_connect_step1()` so that verbose errors are actually displayed if
failures happen (see the previous point -- it would've made debugging
that issue easier).
3. Remove the constant `mbedtls_x509_crt_profile_fr` and instead use
mbedTLS-included profile `mbedtls_x509_crt_profile_next` with
`mbedtls_ssl_conf_cert_profile()`. This will follow the latest standards
as new mbedTLS versions are released (rather than being stuck-in-time
until someone comes along to fix what was hard-coded here). This has the
immediate benefit of no longer supporting SHA1 certs and insecure RSA
key-lengths (1024). This fix immediately prevents previously possible
MITM attacks (SHA1 hashes and RSA-1024 keys can be forged relatively
easily by nation-state actors and criminal organizations with
deep-pockets).
4. Added [predictive
resistance](https://mbed-tls.readthedocs.io/en/latest/kb/how-to/add-a-random-generator/#enabling-prediction-resistance)
to the random number generator (adding more entropy to the RNG).
5. Split the random number generator into initialization, the actual
random generation, and the "freeing" of the resources. This
significantly reduces the overhead of using the RNG.
6. Removed the separate RNG function in the TLS connect stage (instead
use the "main" one) and remove the ad-hoc threading support. Instead
properly document how to enable threading in mbedTLS. As it was, other
internals of mbedTLS could have race conditions (in the RSA module in
particular) if `MBEDTLS_THREADING_C` was *not* enabled. And if it is
enabled, then these race-conditions cannot happen. And also, if
MBEDTLS_THREADING_C is enabled then the RNG functions [are fully
thread-safe](https://mbed-tls.readthedocs.io/en/latest/kb/development/thread-safety-and-multi-threading/).
So, the previous ad-hoc threading support was both partial and broken.
7. Enable support for disabling `MBEDTLS_PEM_PARSE_C`.
8. Add support for `CURLOPT_SSLCERTTYPE` so user can specify `PEM` or
`DER` and get faster execution.
Viktor Szakats [Sat, 20 Dec 2025 00:44:46 +0000 (01:44 +0100)]
curlx: add `curlx_rename()`, fix to support long filenames on Windows
Move existing `Curl_rename()` `rename()` wrapper from lib to
curlx/fopen, and make it a curlx macro/function. To allow using
the local worker function to fixup long filenames on Windows.
Then fix the Windows-specific rename implementation to support long
filenames. This operation may happen when using a cookie jar, HSTS cache
or alt-svc cache, via libcurl or the curl tool.
Before this patch, when passing a long filename to the above options,
a `<random>.tmp` file was left on the disk without renaming it to the
filename passed to curl. There was also 1 second delay for each
attempted rename operation.
Also:
- checksrc: ban raw `rename()` and `MoveFileEx*()` functions.
- Note: `Curl_rename()` returned 1 on failure before this patch, while
`curlx_rename()` returns -1 after, to match POSIX `rename()`.
Viktor Szakats [Sat, 20 Dec 2025 14:00:49 +0000 (15:00 +0100)]
GHA/http3-linux: set minimum number of runtest tests
Tailored for each job with a relatively tight limits. Also with no
tolerance in valgrind tests: 4 of the 4 has to be run.
Based on Test Clutch feature matrix which displays the minimum and
actual number of tests:
https://testclutch.curl.se/static/reports/feature-matrix.html
Also:
- runtests.pl: include total number of tests in the error message shown
when the limit was not met.
Viktor Szakats [Fri, 19 Dec 2025 22:26:10 +0000 (23:26 +0100)]
windows: fix `CreateFile()` calls to support long filenames
It makes them work in Schannel's CA bundle loader, and curl tool's
set/get file timestamp operations (e.g. in `-R`/`--remote-time`). Also
to match file open operations, that already support long filenames.
E.g. when using `--remote-time`, fixing:
```
Warning: Failed to set filetime 1741363917 on outfile: CreateFile failed:
Warning: GetLastError 0x00000003
```
The special long filename logic is necessary to support Windows releases
prior to Windows 10 v1607. With the latter, it's possible to opt-in to
this behavior via a manifest setting. Note that Windows itself also needs
to opt-in to support this. Finally note that curl itself needs passing
`--globoff` to let long filenames through, pending #20044 and #20046.
Viktor Szakats [Sat, 20 Dec 2025 11:38:19 +0000 (12:38 +0100)]
openssl: drop includes unused or duplicate
Also:
- vquic-tls.h: do not include unused headers for non-H3 builds.
- autotools: stop looking for `openssl/x509.h` header.
- cmp-config.pl: delete exception for `openssl/x509.h`.
- examples: format/comment sync between the two touched files.
- openssl: drop unused `curlx/wait.h` include.
Viktor Szakats [Fri, 19 Dec 2025 13:57:10 +0000 (14:57 +0100)]
cmake: match filename suffixes with file content
To:
- simplify recognizing CMake sources.
- ensure syntax highlighters use the correct file type.
- sync .h template filename with its autotools counterpart.
Stefan Eissing [Fri, 19 Dec 2025 10:53:51 +0000 (11:53 +0100)]
ngtcp2: retune window sizes
With 24b36fd stream flow control window sizes have been set too
restrictive, crippling transfer rates when no rate limit is in effect.
Disable ngtcp3 stream window auto-tuning and extend the stream window
from the small initial size to the effective rate limit. If no rate
limit is configured, extend stream window to maximum value right away.
This cannot shrink the stream window later, however. But growing the
limit or removing it, will work mid download.
Fixes #20030 Reported-by: koujaz on github
Closes #20033
Viktor Szakats [Fri, 19 Dec 2025 10:00:53 +0000 (11:00 +0100)]
socketpair: drop redundant `_WIN32` branch and include
`io.h` already included via `curl_setup.h`, the other headers are
already guarded off for Windows. `INADDR_LOOPBACK` fallback remains
a no-op on Windows.
Viktor Szakats [Fri, 19 Dec 2025 01:09:15 +0000 (02:09 +0100)]
build: drop duplicate include `curl/curl.h` and others
- curl_range: replace `sendf.h` with direct header dependency
`curl_trc.h`.
- drop `curl/curl.h` includes from internal sourcees in favor of the
include made from `curl_setup.h`. Replace it with the latter where
it's the only include.
- include `curl_setup.h` before using macros, where missing.
- drop redundant `stdlib.h`, `string.h` includes, in favor of
`curl_setup_once.h` including them.
- drop redundant `limits.h` in favor of `curl_setup.h` including it.
- fake_addrinfo.h: fix typo in comment.
- curl_setup_once.h: drop `stdio.h` in favor of earlier include in
`curl_setup.h`.
- drop stray, unused, `stddef.h` includes.
- memdebug.h: add missing `stddef.h` include. (relying on accidental
includes via other headers before this patch.)
- stddef.h: document why it's included.
- strerr: drop `curl/mprintf.h` in favor of `curl/curl.h` including it
via `curl_setup.h`.
Viktor Szakats [Fri, 12 Dec 2025 19:51:52 +0000 (20:51 +0100)]
tidy-up: miscellaneous
- apply more clang-format.
- lib/version: use `CURL_ARRAYSIZE()`.
- INSTALL-CMAKE.md: sync-up an option description with others.
- examples: delete unused main args.
- examples/ftpgetinfo: document `_CRT_SECURE_NO_WARNINGS` symbol.
- delete remaining stray duplicate lines.
- acinclude.m4: drop an unnecessary x-hack.
- vtls/mbedtls: join a URL split into two lines.
- src/tool_cb_see: add parentheses around macro expressions.
- src/tool_operate: move literals to the right side of comparisons.
- libtests: sync up fopen/fstat error messages between tests.
- curl_setup.h: replace `if ! defined __LP64` with `ifndef __LP64`.
I assume it makes no difference on Tandem systems, as the latter form
is already used in `include/curl/system.h`.
Daniel Stenberg [Thu, 18 Dec 2025 12:58:22 +0000 (13:58 +0100)]
http: when unfolding, leave single-space for new header line
Restore the unfolding behavior from before 67ae101666f10232. This change
(leaving more whitespace in the delivered headers) turned out causing
some friction in the git project so presumably others might also find it
a little surprising.
Reported-by: Jeff King
Ref: https://marc.info/?l=git&m=176606332701171&w=2
Closes #20016
Stefan Eissing [Wed, 17 Dec 2025 10:20:42 +0000 (11:20 +0100)]
wolfssl: proof use of wolfSSL_i2d_SSL_SESSION
While wolfSSL_i2d_SSL_SESSION() does not change the passed pointer, like
OpenSSL does, it may one day decide to do so. Pass a copy instead to be
future-proof to such a change in wolfSSL's implementation.
dependabot[bot] [Tue, 16 Dec 2025 23:37:45 +0000 (23:37 +0000)]
GHA: bump pip-dependencies
- update `filelock` from 3.20.0 to 3.20.1 (CVE-2025-68146) (used in pytests)
- update `pytest` from 9.0.1 to 9.0.2
- update `ruff` from 0.14.8 to 0.14.9
Viktor Szakats [Tue, 16 Dec 2025 20:32:29 +0000 (21:32 +0100)]
examples/threaded-ssl: delete in favor of `examples/threaded`
After applying a recent fix made to `threaded.c` (formerly
`multithread.c`) to `threaded-ssl.c`, syncing and updating comments,
the two examples turned out to be identical except their test URLs.
Delete one of them to avoid duplication.
Also:
- examples/threaded: scope a variable.
- examples/threaded: merge comments from its deleted sibling.
Dan Fandrich [Tue, 16 Dec 2025 08:26:25 +0000 (00:26 -0800)]
tests: add a standard log line for alloc failures
This type of test failure requires a test status line in order to be
consistent with other failures and to be parsed properly by Test Clutch.
This is the same style as an exit or postcheck failure.
Viktor Szakats [Tue, 16 Dec 2025 16:26:46 +0000 (17:26 +0100)]
schannel: use Win8 `CERT_NAME_SEARCH_ALL_NAMES_FLAG` with old SDKs
Define `CERT_NAME_SEARCH_ALL_NAMES_FLAG` macro if missing.
To allow using a runtime branch regardless of build-time SDK version,
when running on Windows 8+.
In practice it enables this branch for builds using mingw-w64 v3, and
MSVC with Windows SDK <8.
Dan Fandrich [Tue, 16 Dec 2025 07:32:59 +0000 (23:32 -0800)]
lib: create unitprotos.h in the builddir, not srcdir
The make rule confused automake by changing directories before creating
the file, causing unitprotos.h to be created in the srcdir instead of
the builddir. This results in a stale file and confusing compile errors
in out-of-tree builds.
Viktor Szakats [Tue, 16 Dec 2025 15:41:05 +0000 (16:41 +0100)]
cf-socket: enable Win10 `TCP_KEEP*` options with old SDKs
Define `TCP_KEEP*` macros if they are missing in Windows builds.
To allow using these runtime `setsockopt()` options regardless of
build-time SDK version, when running on Windows 10.0.16299+.
In practice in enables them for builds using mingw-w64 <12, and
MSVC with Windows SDK <10.
Before this patch these runtime options required building curl with
a recent toolchain.
Viktor Szakats [Mon, 15 Dec 2025 15:49:04 +0000 (16:49 +0100)]
idn: clarify null-termination on Windows
Add comments to clarify that a terminating null is always present in
the buffers returned to the caller.
The curl APIs `win32_idn_to_ascii()` or `win32_ascii_to_idn()` receive
a null-terminated UTF-8 string as input. They first convert it to wide
chars by first asking `MultiByteToWideChar()` to calculate the length,
by passing -1. This API returns the length with the null char included
(= `strlen() + 1`), does the conversion, with the output also
null-terminated. `IdnTo*()` preserve this null character as documented.
Then we pass this null-terminated, fixed-length buffer ito
`WideCharToMultiByte()`, which keeps preserving the null, ending up in
the buffer returned to the caller.
Viktor Szakats [Sat, 13 Dec 2025 03:27:41 +0000 (04:27 +0100)]
localtime: detect thread-safe alternatives and use them
- add local API `toolx_localtime()` to wrap the banned function
`localtime()`. Used from libcurl, libtests and test servers.
- auto-detect and use `localtime_r()` where available (e.g. Linux).
Also to support multi-threading.
- use `localtime_s()` on Windows. It requires MSVC or mingw-w64 v4+.
Also to support multi-threading.
Use local workaround to also support mingw-w64 v3.
- add `src/toolx` to keep internal APIs used by the curl tool and tests,
but not by libcurl. `toolx_localtime()` is the first API in it.
- replace `localtime()` calls with `toolx_localtime()`.
Except in examples.
- note Windows XP's default `msvcrt.dll` doesn't offer secure CRT APIs.
XP likely needs a newer version of this DLL, or may not run.
- note that `localtime()` mirrors `gmtime()`, with the difference that
`gmtime()`'s internal wrapper lives in curlx.
Viktor Szakats [Fri, 12 Dec 2025 23:16:58 +0000 (00:16 +0100)]
curlx: move `Curl_gmtime()`, use `gmtime_s()` on Windows
Move `Curl_gmtime()` to curlx and rename to `curlx_gmtime()`. Then call
the internal wrapper also from the curl tool, to avoid using the banned
`gmtime()` directly, and using better, thread-safe alternatives when
available.
Windows `gmtime_s()` requires mingw-w64 v4+ or MSVC. Use local
workaround to also support mingw-w64 v3. `gmtime_s()` also makes
defining `_CRT_SECURE_NO_WARNINGS` unnecessary.
Also:
- lib: drop unused `parsedate.h` includes.
- drop redundant cast from `gmtime_r()` result.
- autotools: reverse condition in the proto detection to avoid
misleading readers. (the condition plays no role in detection.)
- note Windows XP's default `msvcrt.dll` doesn't offer secure CRT APIs.
XP likely needs a newer version of this DLL, or may not run.
Viktor Szakats [Tue, 16 Dec 2025 00:37:10 +0000 (01:37 +0100)]
build: unix socket tidy-ups
- lib: delete two unused `<sys/un.h>` includes.
- lib: drop interim macro `WIN32_SOCKADDR_UN`.
Follow-up to 0fe9018e1a1af0d906dfe934efe2f2b1ba48f060 #7737
Also fixing a potential issue of leaving unix socket support disabled
if any header would include Windows' `afunix.h`, and define
`UNIX_PATH_MAX` on its own.
- connect: honor unix socket disable option.
- connect: simplify unix socket PP condition.
`USE_UNIX_SOCKETS` already means the necessary header/type are
available, guaranteed by configure. `AF_UNIX` is already used
elsewhere in the code without explicit checks.
- curl_setup.h: document availability of `afunix.h` on Windows more.
It requires mingw-w64 10+ or MS SDK 10.17763.0 VS2017 15.8+.
- curl_setup.h: use `afunix.h` with mingw-w64 v10+ to start avoiding
the local workaround if possible.
- GHA/windows: test disable unix socket option on Windows.
Stefan Eissing [Mon, 15 Dec 2025 13:28:09 +0000 (14:28 +0100)]
lib: keep timestamp in easy handle
Use `data->progress.now` as the timestamp of proecssing a transfer.
Update it on significant events and refrain from calling `curlx_now()`
in many places.
The problem this addresses is
a) calling curlx_now() has costs, depending on platform. Calling it
every time results in 25% increase `./runtest` duration on macOS.
b) we used to pass a `struct curltime *` around to save on calls, but
when some method directly use `curx_now()` and some use the passed
pointer, the transfer experienes non-linear time. This results in
timeline checks to report events in the wrong order.
By keeping a timestamp in the easy handle and updating it there, no
longer invoking `curlx_now()` in the "lower" methods, the transfer
can observer a steady clock progression.
Add documentation in docs/internals/TIME-KEEPING.md
Reported-by: Viktor Szakats
Fixes #19935
Closes #19961
Stefan Eissing [Mon, 15 Dec 2025 10:15:38 +0000 (11:15 +0100)]
vquic: ignore 0-length UDP packets
When someone gives us 0-length UDP packets, ignore
them as they cannot be valid QUIC packets. This also
prevents us from messing up any GSO calculations.
Viktor Szakats [Sun, 14 Dec 2025 23:05:15 +0000 (00:05 +0100)]
tests/server: fix initialization on Windows Vista+
Make sure to call `curlx_now_init()` before the first call to
`curlx_now()`.
Before this patch the first `curlx_now()` used the non-Vista code path
calling `GetTickCount()` on Vista+. This is harmless, but the upcoming
PR #18009 is going to drop the non-Vista code path, causing a division
by zero at startup in test servers, without this fix.
Viktor Szakats [Mon, 15 Dec 2025 00:53:16 +0000 (01:53 +0100)]
renovate: try bumping Fil-C on releases, not tags
CI needs the binary packages attached to the release, which appears some
time after tagging. Hopefully this patch helps getting a clean build
by the time Renovate opens its PR.
Viktor Szakats [Sun, 14 Dec 2025 08:42:59 +0000 (09:42 +0100)]
runtests: improve XML prolog check, enable `-w` permanently, fix two tests
To really verify the presence of the XML prolog, also in CI.
- move the prolog check from `loadtest` to `checktest`.
(load did a soft error, silently skipping the test instead of failing)
- runtests: enable `-w` functionality permanently for all test targets,
drop the option. It has no measurable performance impact.
- test 798, 1665: add XML prolog.
Follow-up to f0d277cb0e3712ae4edf8f51822ffa99e9b3ec54
Viktor Szakats [Fri, 12 Dec 2025 22:30:45 +0000 (23:30 +0100)]
renovate: leave bumping GitHub Actions to Dependabot
To avoid update noise. Renovate bumps everything instantly, meaning
a major version a couple hours after release, then all minor bugfix
releases throughout the next 1-2 days. Also putting major versions in
a different group than the bugfix release, and there is no support for
a cooldown period.
After this patch GitHub's Dependabot remains the single tool responsible
to bump GitHub Actions, once a month, grouped, with a cooldown period.
In sync with most other curl repos.
Both Renovate and Dependabot keep bumping pinned pips for now. Also
Renovate keeps updating C dependencies and Dockerfile.
Daniel Stenberg [Fri, 12 Dec 2025 15:36:08 +0000 (16:36 +0100)]
http: unfold response headers earlier
Make the low-level HTTP header "builder" unfold headers so that
everything else can keep pretending folding does not exist.
This code no longer tries to reduce repeated leading whitespace (in the
continued folded header) to a single one. To avoid having to have a
special state for that.
Viktor Szakats [Sat, 13 Dec 2025 11:35:36 +0000 (12:35 +0100)]
GHA/checksrc: fix `-z` position, also use `--output` with `xmllint`
Fixing:
```
fatal: option '-z' must come before non-option arguments
```
Ref: https://github.com/curl/curl/actions/runs/20183280533/job/57948203944#step:4:5
Daniel Stenberg [Sat, 13 Dec 2025 12:48:59 +0000 (13:48 +0100)]
tool_urlglob: support globs as long as config line lengths
libcurl supports up to 8MB string inputs, the config file accepts up to
10MB line lengths. It did not make sense to limit the globs to a maximum
of one megabyte.
Viktor Szakats [Fri, 12 Dec 2025 02:59:21 +0000 (03:59 +0100)]
GHA: enable libssh and libssh2 in 10 more Linux jobs
To run more pytest sshd tests, and for more static analysis.
Also:
- drop redundant option from `openssl libssh2 ...` config.
- GHA/linux: enable pytest in the LTO job (to test libssh2).
- avoid both with local builds of OpenSSL-forks, due to crypto lib
mixups causing a mixture of build error, crashes, test failures.
Viktor Szakats [Fri, 12 Dec 2025 00:55:30 +0000 (01:55 +0100)]
runtests: add options to set minimum number of tests, use them
To detect mistakes made in the runtests framework that reduce
the number of test runs. Before this patch it could go undetected with
a green CI.
The minimum thresholds will need light maintenance going forward (either
bumping them periodically, or adjust if some may fell below minimums for
justified reasons). We may also make minimums tighter or looser, or more
job-specific.
Latest number of test runs for each job can be seen at Test Clutch:
https://testclutch.curl.se/static/reports/feature-matrix.html
Stefan Eissing [Thu, 11 Dec 2025 15:02:41 +0000 (16:02 +0100)]
pytest: add tests using sshd
With either /usr/sbin/sshd found or configured via --with-test-sshd=path
add tests for SCP down- and uploads, insecure, with known hosts or not,
with authorized user key or unauthorized one.
Working now with libssh and libssh2, using a hashed known_hosts file.
Viktor Szakats [Sun, 7 Dec 2025 15:49:55 +0000 (16:49 +0100)]
tidy-up: miscellaneous
- drop stray duplicate empty lines in docs, scripts, test data, include,
examples, tests.
- drop duplicate PP parenthesis.
- curl-functions.m4: move literals to the right side in if expressions,
to match rest of the source code.
- FAQ.md: delete language designator from an URL.
- packages: apply clang-format (OS400, VMS).
- scripts/schemetable.c: apply clang-format.
- data320: delete duplicate empty line that doesn't change the outcome.
- spacecheck: extend to check for duplicate empty lines
(with exceptions.)
- fix whitespace nits
projects / thirdparty / curl.git / log
