Joshua Rogers [Fri, 22 May 2026 07:59:17 +0000 (09:59 +0200)]
schannel: error on TLS 1.3-only with cipher list
The legacy SCHANNEL_CRED path cannot negotiate TLS 1.3. When TLS 1.3
is the only enabled protocol and a cipher list is set, fail instead of
silently downgrading to TLS 1.2.
Stefan Eissing [Fri, 22 May 2026 07:11:41 +0000 (09:11 +0200)]
http2: remove stream dependency tracking
The HTTP/2 feature is deprecated, few servers implement it and our
implementation is complicated by its state management. Make the two
CURLOPT_* involved a nop and deprecate them.
It may replace existing pedantic check, if this level isn't bringing
false-positives or annoyance. Officially it's not meant for CI, but curl
has been passing this in the last couple of months when checked locally.
Viktor Szakats [Thu, 21 May 2026 02:21:33 +0000 (04:21 +0200)]
units: tidy up begin/end blocks
- use `UNITTEST_BEGIN_SIMPLE`/`UNITTEST_END_SIMPLE` where missing.
- drop redundant `(void)arg;` where using `UNITTEST_BEGIN*`.
- unit1636: drop redundant block after `UNITTEST_BEGIN*`.
- unit1609: fix typo in comment.
- unit1627: merge to `if`s.
Viktor Szakats [Thu, 21 May 2026 09:16:49 +0000 (11:16 +0200)]
multi: silence gcc 16 `-Wnull-dereference`, bump CI job to test
- GHA/windows: bump dl-mingw job from gcc 15 to 16.
- multi: silence warning while building libcurlu:
```
In function 'multi_ischanged',
inlined from 'multi_socket.isra' at D:/a/curl/curl/lib/multi.c:3282:6:
D:/a/curl/curl/lib/multi.c:1710:17: error: null pointer dereference [-Werror=null-dereference]
1710 | bool retval = (bool)multi->recheckstate;
| ^~~~~~~~~~~~~~~~~~~~~~~~~
D:/a/curl/curl/lib/multi.c:1712:25: error: null pointer dereference [-Werror=null-dereference]
1712 | multi->recheckstate = FALSE;
| ^
```
Ref: https://github.com/curl/curl/actions/runs/26217071531/job/77142119137?pr=21707
- multi: silence another `-Wnull-dereference`, popping up in libcurl
with gcc 13 after the previous silencing:
```
In function 'Curl_multi_xfers_running',
inlined from 'multi_socket.isra' at ../../lib/multi.c:3292:28:
../../lib/multi.c:4132:15: error: null pointer dereference [-Werror=null-dereference]
4132 | return multi->xfers_alive;
| ~~~~~^~~~~~~~~~~~~
```
Ref: https://github.com/curl/curl/actions/runs/26218822231/job/77148186045
- multi: also add `DEBUGASSERT(multi)` to the two updated functions.
Dan Fandrich [Tue, 5 May 2026 03:48:52 +0000 (20:48 -0700)]
tests: add an assert to avoid IPC blocking
If so much data is being sent over the internal IPC pipe that the pipe
buffer fills and the syscall blocks, the program will hang. Add an
assert to ensure that this limit is never reached. The buffer size is
going to be different on different platforms, so choose 1KB which is
likely to be a reasonable lower bound on just about any system.
Currently, the maximum amount ever written is <100 bytes, so this should
provide plenty of headroom.
Prior to this change the revoke_best_effort setting for the proxy was
wrongly ignored in favor of the same setting for the destination host.
In other words, CURLSSLOPT_REVOKE_BEST_EFFORT set via
CURLOPT_PROXY_SSL_OPTIONS did not apply to the proxy and
CURLSSLOPT_REVOKE_BEST_EFFORT set via CURLOPT_SSL_OPTIONS wrongly
applied to the proxy.
Stefan Eissing [Tue, 19 May 2026 13:31:45 +0000 (15:31 +0200)]
cfilters: fix busy loop on blocked transfers
When a transfer gets paused after the connection has been established,
any data sitting in the kernel socket buffers will no longer get read.
Prevent the sockets form being added to the pollsets, because they
will trigger POLLIN endlessly and cause a busy poll loop. Same in event
based processing.
Reported-by: Harry Sintonen
Fixes https://github.com/curl/curl/issues/21671
Closes https://github.com/curl/curl/pull/21675
penpal [Fri, 15 May 2026 17:53:29 +0000 (23:38 +0545)]
sspi: clear SSPI credentials on AcquireCredentialsHandle failure
- Clear credentials on AcquireCredentialsHandle failure so it is not
used on a subsequent call.
SSPI initialization may evaluate the credentials pointer to determine
whether or not a prior call to AcquireCredentialsHandle was successful,
therefore we must clear it on a failed call.
Viktor Szakats [Wed, 20 May 2026 01:42:49 +0000 (03:42 +0200)]
GHA/non-native: drop DragonFlyBSD job, due to unreliable package repo updates
Example:
```
Wed, 20 May 2026 09:51:48 GMT Updating Avalon repository catalogue...
Wed, 20 May 2026 09:51:48 GMT pkg: An error occurred while fetching package: No error
Wed, 20 May 2026 09:51:48 GMT pkg: An error occurred while fetching package: No error
Wed, 20 May 2026 09:51:48 GMT repository Avalon has no meta file, using default settings
Wed, 20 May 2026 09:51:48 GMT pkg: An error occurred while fetching package: No error
Wed, 20 May 2026 09:51:48 GMT pkg: An error occurred while fetching package: No error
Wed, 20 May 2026 09:51:48 GMT pkg: An error occurred while fetching package: No error
Wed, 20 May 2026 09:51:48 GMT pkg: An error occurred while fetching package: No error
Wed, 20 May 2026 09:51:48 GMT Unable to update repository Avalon
Wed, 20 May 2026 09:51:48 GMT Error updating repositories!
Wed, 20 May 2026 09:51:48 GMT Error: Process completed with exit code 3.
```
As tested over at libssh2, retrying the install command also does not
help, only repeats the same failure.
Viktor Szakats [Tue, 19 May 2026 17:05:41 +0000 (19:05 +0200)]
GHA/non-native: move BSDs to a single matrix, add DragonFly and Midnight
- bump cross-platform-actions to v1.1.0.
Ref: https://github.com/cross-platform-actions/action/releases/tag/v1.1.0
- merge BSD jobs into a single matrix.
- split BSD jobs into build steps as used for other platforms.
A new feature of cross-platform-actions v1.1.0.
- sync BSD build steps with other platforms.
- add DragonFlyBSD and MidnightBSD to the BSD matrix.
New features of cross-platform-actions v1.1.0.
MidnightBSD uses GnuTLS to add variation, also the preinstalled
OpenSSL is too old (v1.1.1w) for curl.
Stick with autotools for DragonFlyBSD; I could not figure out how
to install cmake.
Refs:
https://en.wikipedia.org/wiki/DragonFly_BSD
https://en.wikipedia.org/wiki/MidnightBSD
- bump Intel FreeBSD jobs from v14.3 to v15.0.
- fix to show `gcc` in the NetBSD job name.
All these saved 50 lines of YAML. The two new jobs take 2m15s each. The
bump to FreeBSD 15 needs and extra minute in total.
Note, the DragonFlyBSD job seems to have reliability issues. If it
remains an issue, I'll comment it out or delete it in a future commit.
Viktor Szakats [Sat, 16 May 2026 16:58:47 +0000 (18:58 +0200)]
runner.pm: apply minor correctness fix
"Lines 244-245 overwrite global variables `$runnerr` and `$runnerw` that
were already assigned in the child process (lines 205-206). In the
parent process context, these assignments appear incorrect and could
cause issues if `runner_init` is called multiple times. The parent
should only store references in the controller hashes."
It could never cause an actual issue, but clarifies the intent of the
code.
Joshua Rogers [Tue, 19 May 2026 09:47:50 +0000 (11:47 +0200)]
tls: fix incomplete mTLS config in conn reuse and session cache
cert_type, key, key_type, key_passwd and key_blob lived in
ssl_config_data but not in ssl_primary_config, so they were invisible to
match_ssl_primary_config() and to the TLS session cache peer key.
Two easy handles sharing a connection pool could reuse each other's
authenticated connections when they differed only on SSLKEY, SSLKEYTYPE,
KEYPASSWD, SSLCERTTYPE or SSLKEYBLOB. The second handle would silently
inherit the first handle's authenticated identity.
Promote all five fields into ssl_primary_config so the conn-reuse
predicate and session cache key cover the complete client credential
set. Also replace the fixed ":CCERT" session cache marker with the
actual clientcert path so sessions are not shared across different
client certificates.
Viktor Szakats [Mon, 18 May 2026 16:38:25 +0000 (18:38 +0200)]
docs: tidy-up scheme references
After this patch `://` schemes are lowercase and enclosed in backticks.
Also:
- docs/libcurl/libcurl-multi.md: drop a stray C code fence.
- docs/libcurl/libcurl-tutorial.md: replace single/double quotes with
Markdown markup where applicable.
Joshua Rogers [Tue, 19 May 2026 10:29:34 +0000 (12:29 +0200)]
vtls: use Curl_safecmp for CRLfile and pinned_key comparison
Both are filesystem paths (or case-sensitive hash strings for
pinned_key). curl_strequal is case-insensitive and would treat
/etc/ssl/Crl.pem and /etc/ssl/crl.pem as the same file, unlike the other
path fields (CApath, CAfile, issuercert, clientcert) which already use
Curl_safecmp.
Shintomon Mathew [Mon, 18 May 2026 14:02:45 +0000 (19:32 +0530)]
creds: mask OAuth bearer token in trace logs
Masked OAuth bearer tokens in credential trace output by emitting ***
when a bearer token is present, matching the existing password redaction
behavior and preventing sensitive token disclosure in verbose/debug
logs.
Stefan Eissing [Fri, 15 May 2026 09:45:49 +0000 (11:45 +0200)]
netrc: scanner refactor
Refactor the netrc scanner. Add test case for checking that the last
matched machine with unmatched login does not return the password as
success (unit1304).
Mark Esler [Sat, 16 May 2026 22:07:15 +0000 (15:07 -0700)]
vtls_scache: include signature_algorithms in the SSL peer cache key
Curl_ssl_peer_key_make() omitted ssl->signature_algorithms, although
match_ssl_primary_config() compares the field. Two handles differing
only in CURLOPT_SSL_SIGNATURE_ALGORITHMS therefore shared a peer key and
could resume each other's sessions across a shared CURLSH SSL session
cache.
Add :SIGALGS-%s next to the other ssl_primary_config fields.
Viktor Szakats [Mon, 18 May 2026 09:50:37 +0000 (11:50 +0200)]
mk-unity.pl: `#include`, and not concatenate input headers
When using `-D_CURL_TESTS_CONCAT=ON` with CMake, do not concatenate
`first.h` (or any future header) into the output C file, but `#include`
it instead. This is to play nice with compilers and analyzers which may
apply different checker rules on logic found in headers, vs. the input
source file. As seen for example with `-Wunused-macro` enabled in CI.
After this patch concatenated sources behave closer to regular C
sources.
Also:
- first.h: drop some `-Wunused-macro` silencers that became redundant
with this patch.
Stefan Eissing [Fri, 15 May 2026 12:11:13 +0000 (14:11 +0200)]
unix-sockets: ignore proxy settings
Fix a recent regression: when a unix-socket is configured, all proxy
settings must be ignored. The `via_peer` had been checked correctly,
but the connections proxy bits were not cleared.
Viktor Szakats [Sat, 16 May 2026 01:56:33 +0000 (03:56 +0200)]
lib678: fix to not be perma-skipped
Prior to this patch the test was always skipped due to failing precheck
with `CURLE_BAD_FUNCTION_ARGUMENT`, because of the zero-length blob
passed to setopt. Fix by passing a non-zero long dummy blob as done in
`mk-lib1521.pl`.
Fixing:
```
test 0678 SKIPPED: CURLOPT_CAINFO_BLOB is not supported
```
Viktor Szakats [Tue, 12 May 2026 00:26:05 +0000 (02:26 +0200)]
GHA: enable `-Wunused-macros` in clang-tidy jobs
Also fix fallouts found.
Windows clang-tidy CI job is a little pickier than I'd prefer due to the
`_CURL_TESTS_CONCAT=ON` option used there, and all macros considered
local, thus checked by the compiler. Upside: it revealed macro usage
dynamics in tests. If too annoying, `first.h` may be opted-out from the
concat logic. Some macros may also be deleted instead of `#if 0`-ing.
Sergio Correia [Wed, 13 May 2026 18:44:05 +0000 (19:44 +0100)]
x509asn1: fix DH public key parameter extraction
The dh(g) parameter was read from param->beg instead of from the
cursor p returned by parsing dh(p). This caused dh(g) to always
report the same value as dh(p) when inspecting DH certificates
via CURLOPT_CERTINFO on non-OpenSSL backends.
The DSA branch correctly advances the cursor; the DH branch lost
this during what appears to be a copy-paste.
Add unit1676 to verify that dh(p) and dh(g) report distinct values
using a hand-crafted minimal DER certificate.
Assisted by: Claude Opus 4.6 Signed-off-by: Sergio Correia <scorreia@redhat.com>
Closes #21595
Stefan Eissing [Fri, 15 May 2026 11:03:02 +0000 (13:03 +0200)]
cf-h2-proxy: drop interim responses
Any 1xx response before the CONNECT final one can be dropped as no one
uses those in the HTTP/2 proxy filter. This eliminates a potential
memory exhaustion by the famous malicious server on the internet.
Viktor Szakats [Wed, 13 May 2026 16:20:33 +0000 (18:20 +0200)]
src: add `curlx_memzero()` to clear buffers securely
To safely zero memory, introduce `curlx_memzero()`, and map it to
`memset_s()` (C11) or `memset_explicit()` (C23) if auto-detected, or
`explicit_bzero()` or `explicit_memset()` for platforms opted-in, or
fall back to a local workaround if all unavailable. On Windows, always
use `SecureZeroMemory()`, or `SecureZeroMemory2()` with Visual Studio
and Windows SDK 10.0.26100.0+.
Details above are experimental and may change if they cause issues.
Also add macros/functions that zero memory before freeing a buffer:
- `curlx_safefreezero()`: for buffers with size.
- `curlx_safefreezeroz()`: for null-terminated buffers.
- `curlx_freezero()`: for buffers with size.
- `curlx_freezeroz()`: for null-terminated buffers.
`curlx_memzero()` must not be passed a NULL pointer because in some
implementations it is undefined behavior.
Also:
- curl_sha512_256: Replace hard-wired `explicit_memset()` call with new
`curlx_memzero()`.
Daniel Stenberg [Fri, 15 May 2026 15:04:26 +0000 (17:04 +0200)]
urlapi: consume trailing dots after IPv4 numerical addresses
If the hostname is specified as an IPv4 numerical address and it is
followed by a single dot, acccept that as a valid IPv4 and remove the
dot when normalizing.
This prevents otherwise legitimate IPv4 hostnames to have trailing dots.
Seems to match what browsers do.
Daniel Stenberg [Wed, 13 May 2026 22:06:03 +0000 (00:06 +0200)]
strparse: make curlx_str_until() accept zero for 'max'
When asked to parse for a string with max zero bytes, it will always
return error and no longer trigger an assert. This saves the caller from
having to check for this condition.
Viktor Szakats [Thu, 14 May 2026 12:35:21 +0000 (14:35 +0200)]
gsasl: fix potential double free
Also:
- require libgsasl 1.6.0+ (2010-12-14) for a `gsasl_finish()` that
handles a NULL argument.
Ref: https://gitlab.com/gsasl/gsasl/-/commit/b550032df8488a9ceaa3cfd4c634947d8f219717
Viktor Szakats [Thu, 14 May 2026 12:09:50 +0000 (14:09 +0200)]
GHA: explicitly `brew update` before `brew install` with Linuxbrew
Fixing:
```
==> Installing openssl@3 dependency: ca-certificates
==> Pouring ca-certificates--2026-05-14.all.bottle.tar.gz
Error: undefined method '[]' for nil
/home/linuxbrew/.linuxbrew/Homebrew/Library/Homebrew/utils/bottles.rb:127:in 'Utils::Bottles.load_tab'
/home/linuxbrew/.linuxbrew/Homebrew/Library/Homebrew/formula_installer.rb:1507:in 'FormulaInstaller#pour'
[...]
/home/linuxbrew/.linuxbrew/Homebrew/Library/Homebrew/brew.rb:114:in '<main>'
You have disabled automatic updates and have not updated today.
Do not report this issue until you've run `brew update` and tried again.
Error: Process completed with exit code 1.
```
Ref: https://github.com/curl/curl/actions/runs/25859030402/job/75984082148?pr=21607
Dropping `HOMEBREW_NO_AUTO_UPDATE=1` was not enough to fix it.
projects / thirdparty / curl.git / log
