Daniel Stenberg [Sat, 17 Jan 2026 21:49:28 +0000 (22:49 +0100)]
vquic: drop support for OpenSSL-QUIC
- It is slower and uses more memory than the alternatives and is only
experimental in curl.
- We disable a few tests for OpenSSL-QUIC because of flakiness
- It gets little attention from OpenSSL and we have no expectation of the
major flaws getting corrected anytime soon.
- No one has spoken up for keeping it
- curl users building with vanilla OpenSSL can still use QUIC through the
means of ngtcp2
Viktor Szakats [Wed, 13 Aug 2025 22:48:00 +0000 (00:48 +0200)]
windows: add build option to use the native CA store
With the same semantics as Apple SecTrust, in both libcurl and the curl
tool, when using non-Schannel TLS backends. In practice it means that
it makes TLS work without manually or implicitly configuring a CA bundle
`.crt` file, such as `curl-ca-bundle.crt`.
When enabled:
- enables `CURLSSLOPT_NATIVE_CA` (libcurl) / `--ca-native`
and `--proxy-ca-native` (curl tool) options by default.
- unsafe search for an on-disk CA bundle gets disabled by default.
Equivalent to `--disable-ca-search` with autotools,
`-DCURL_DISABLE_CA_SEARCH=ON` with CMake.
- build-time detection of CA bundle and CA path gets disabled. As with
Apple SecTrust. This was already the default for Windows.
- native CA can be disabled at run-time with the `--no-ca-native`
and/or `--no-proxy-ca-native` command-line options.
Rationale: This build option:
- has a repeat and active interest from packagers and users.
- helps integrating curl with Windows for those who need this.
- it also applies to macOS: #17525
Shipped in curl 8.17.0.
- makes it trivial to use custom certs configured on the OS.
- frees applications/packagers/users from the task of securely
distributing, and keeping up-to-date, a CA bundle.
- frees potentially many curl tool from configuring a CA bundle manually
to access HTTPS (and other TLS) URLs. This is traditionally difficult
on Windows because there is no concept of a universal, protected,
non-world-writable, location on the file system to securely store
a CA bundle.
- allows using modern features regardless of Windows version. Some of
these features are not supported with Schannel (e.g. HTTP/3, ECH) on
any Windows version.
- is necessary for HTTP/3 builds, where bootstrapping a CA bundle is not
possible with Schannel, because MultiSSL is not an option, and HTTP/3
is not supported with Schannel.
Viktor Szakats [Thu, 1 Jan 2026 15:38:56 +0000 (16:38 +0100)]
msvc: drop exception, make `BIT()` a bitfield with Visual Studio
Add casts to `bool`, or use `bit` type in local variables, where
necessary to avoid MSVC compiler warnings C4242.
Note: There may remain places needing the above updates, where not
tested in CI, and missed in manual review.
Also:
- urldata: convert struct field `connect_only` to bitfield to match its
counterpart in another struct.
- rename curl-specific `bit` type to `curl_bit`.
Viktor Szakats [Thu, 24 Jul 2025 01:06:39 +0000 (03:06 +0200)]
windows: bump minimum to Vista (from XP)
After this patch curl requires targeting Vista or newer, and a toolchain
with Vista support.
Supported MSVC compilers (VS2010+) all support Vista:
- VS2012+ target Win8 (or later) by default.
- VS2010 targets Win7 by default.
Supported mingw-w64 versions (v3+) all support Vista:
- mingw-w64 v9+ target Win10 by default.
- mingw-w64 v8 and older target Server 2003 (~XP) by default.
After this patch it may be necessary to override the default Windows
target version to Vista (or newer) via:
autotools: `CPPFLAGS=-D_WIN32_WINNT=0x0600`
cmake: `-DCURL_TARGET_WINDOWS_VERSION=0x0600`
- mingw-w64 v6+ allow changing the default at toolchain build-time.
Notes:
- For non-MSVC, non-mingw-w64 toolchains, `if_nametoindex` needs to be
allowlisted in `curl_setup.h`, if they do support it.
Stefan Eissing [Thu, 15 Jan 2026 10:58:56 +0000 (11:58 +0100)]
ratelimit: download finetune
When a download size is known and rate limiting is in effect, adjust the
duration of each measurement step and its rate for maximum precision.
Since it is unpredictable how long the last bytes of a download will
take, download speed can be thrown off if the "last bytes" are a
significant amount of the total download. Make the "last bytes" small in
comparison to the rest and "stretch" the rate limit intervals to
accommodate the difference.
Fix ngtcp2 receive data acknowledgements to be based on a local window
size tracking. This allows window updates controlled by rate limits.
Fix ratelimit wait time calculation to accommodate negative tokens.
h3 rate limit, update timers
Make download rate limits work correctly in ngtcp2. Fix multi handling
of rate limits to set a timer for when limits will update again.
Without running the transfer on limit updates, protocols like h2/h3 may
stall if the server does not send due to stream windows being too small.
scorecard: measure download speed limits
When running scorecard with --limit-rate=n, show the reported download
speed averages plus percentage deviation from the limit.
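The "negative tokens" case mentioned above, as an added illustration that is not curl's rate-limiting code: a minimal token-bucket limiter where a chunk larger than the accumulated credit drives the token count below zero, and the wait time is derived from that debt. The simulation and its clamp-vs-debt comparison are constructed for this example; the byte sizes and rate are made up.

```python
# Added example: token-bucket rate limiter that keeps negative token debt.
# Not curl's implementation; sizes and rates below are constructed.


class RateLimiter:
    def __init__(self, rate_bps: float, now: float, clamp_negative: bool = False):
        self.rate = float(rate_bps)
        self.tokens = 0.0          # bytes of credit; may go negative
        self.last = now
        self.clamp_negative = clamp_negative  # the buggy behaviour, for comparison

    def refill(self, now: float) -> None:
        """Add credit for the elapsed time, capped at one second of burst."""
        self.tokens += (now - self.last) * self.rate
        self.tokens = min(self.tokens, self.rate)
        self.last = now

    def consume(self, nbytes: int, now: float) -> None:
        """Account for bytes that already arrived; a big chunk leaves a debt."""
        self.refill(now)
        self.tokens -= nbytes
        if self.clamp_negative:
            # Discarding the debt forgets how far over the limit we already are.
            self.tokens = max(self.tokens, 0.0)

    def wait_time(self, now: float) -> float:
        """Seconds to sleep until the debt is paid off (0 when in credit)."""
        self.refill(now)
        return max(0.0, -self.tokens / self.rate)


def simulate(chunks, rate_bps: float, clamp_negative: bool = False) -> float:
    """Return the wall-clock seconds a download of `chunks` takes under the limiter."""
    now = 0.0
    lim = RateLimiter(rate_bps, now, clamp_negative)
    for nbytes in chunks:
        lim.consume(nbytes, now)
        now += lim.wait_time(now)   # sleep until reading the next chunk is allowed
    return now


# Constructed workload: 1 MB delivered in four 250 kB chunks at 100 kB/s.
CHUNKS = [250_000] * 4
RATE = 100_000


def elapsed_with_debt() -> float:
    return simulate(CHUNKS, RATE)            # expect 10.0 s: 1 MB at 100 kB/s


def elapsed_with_clamp() -> float:
    return simulate(CHUNKS, RATE, clamp_negative=True)   # expect 0.0 s: limit never applied


if __name__ == "__main__":
    print("debt-aware:", elapsed_with_debt(), "s")
    print("clamped   :", elapsed_with_clamp(), "s")
```

With the debt kept, the four chunks spread over the expected ten seconds; with negative tokens clamped to zero, every wait computes to 0 and the limit is never enforced.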
Viktor Szakats [Fri, 16 Jan 2026 12:13:27 +0000 (13:13 +0100)]
GHA: silence fresh zizmor 1.21.0 warnings
- MSYS2/Cygwin bash shells are now tagged "misfeature".
It is not something we can fix. We need these shells, and using
documented/necessary settings to use these environments should be
allowed without workarounds.
- untagged actions within curl's own organization are now also flagged
as "action is not pinned to a hash (required by blanket policy)". This
seems overkill. Making internal releases would not be helpful or
practical. Also considering that the referred internal action uses an
unpinned external action anyway (google/oss-fuzz/infra/cifuzz), with
near-zero chance to fix.
Viktor Szakats [Wed, 14 Jan 2026 22:50:42 +0000 (23:50 +0100)]
checksrc: do not apply `BANNEDFUNC` to struct member functions
Omit this warning, when `close()` is banned:
```
./lib/vtls/vtls.c:947:13: warning: use of close is banned (BANNEDFUNC)
Curl_ssl->close(cf, data);
^
```
Ref: https://github.com/curl/curl/actions/runs/21012427938/job/60410334312?pr=20212#step:3:6
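An added example of the distinction this commit makes, written for illustration and not taken from curl's `checksrc` script: a naive banned-function scan flags any `close(` token, while the corrected scan skips identifiers reached through `->` or `.` (struct member function pointers). The banned-function list and the C snippet are constructed for the example; curl's real list is not reproduced here.

```python
# Added example: banned-function scanner that ignores struct member calls.
# Constructed for illustration; not curl's checksrc.
import re

# Constructed list for the example only.
BANNED = ("close", "strcpy")


def _alternation(banned) -> str:
    return "|".join(re.escape(b) for b in banned)


def naive_banned_calls(source: str, banned=BANNED):
    """Flags every `name(` occurrence, including `obj->name(` and `obj.name(`."""
    pat = re.compile(r"\b(" + _alternation(banned) + r")\s*\(")
    return [(n, m.group(1))
            for n, line in enumerate(source.splitlines(), 1)
            for m in pat.finditer(line)]


def banned_calls(source: str, banned=BANNED):
    """Same scan, but a preceding `->`, `.` or identifier character means the
    name is a struct member (or a longer identifier), not the banned libc call."""
    pat = re.compile(r"(?<![\w.>])(" + _alternation(banned) + r")\s*\(")
    return [(n, m.group(1))
            for n, line in enumerate(source.splitlines(), 1)
            for m in pat.finditer(line)]


# Constructed C snippet modelled on the warning quoted in the commit message.
SAMPLE = """\
static void cleanup(struct Curl_cfilter *cf, struct Curl_easy *data)
{
  Curl_ssl->close(cf, data);   /* member function pointer, not a libc call */
  close(cf->fd);               /* direct call to the banned function */
  state.close(data);           /* member function pointer again */
  do_close(cf);                /* different identifier entirely */
}
"""

if __name__ == "__main__":
    print("naive:", naive_banned_calls(SAMPLE))
    print("fixed:", banned_calls(SAMPLE))
```

Only the direct `close(cf->fd)` on line 4 survives the corrected scan. Comments and string literals are not skipped here; a production checker would strip those first.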
Viktor Szakats [Wed, 14 Jan 2026 16:11:55 +0000 (17:11 +0100)]
build: drop more forward function declarations
Most by moving functions around. Also delete unused ones.
Reducing their number from 83 to 33.
Remaining ones due to:
- circular dependencies.
- H3 code, that I did not attempt to update and likely the above applies.
- static declarations with attributes (`CURL_PRINTF`, `WARN_UNUSED_RESULT`).
- OS400 code.
Viktor Szakats [Wed, 14 Jan 2026 12:04:18 +0000 (13:04 +0100)]
cmake: avoid setting custom property on built-in interface targets
In some cases `ZLIB::ZLIB` and/or `OpenSSL::SSL` may be aliases, which
prevents setting a curl-specific property (.pc module name) in them:
```
CMake Error at [...]/curl/CMakeLists.txt:910 (set_target_properties):
set_target_properties can not be used on an ALIAS target.
```
Fix by special-casing these built-in targets and manually converting
them to .pc module names, without using the targets themselves
to carry this information throughout curl's internal build logic.
Daniel Stenberg [Tue, 13 Jan 2026 14:31:06 +0000 (15:31 +0100)]
digest: handle quotes in the path
- The 'uri' component needs to be escaped as well
- Rewrote the quote function to use dynbuf
- Build the digest at least partly with dynbuf
- Use goto as a general error mechanism
- Make test 64 use a double quote in the URL
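The escaping problem this commit addresses, shown as an added example rather than curl's digest code: the `uri` value goes into the Digest `Authorization` header as a quoted-string, so a double quote (or backslash) in the request path must be backslash-escaped or the header becomes unparseable. The builder below uses the RFC 2617/7616 MD5 `qop=auth` computation; the parser round-trips the header to show the escaping survives. Credentials, realm and nonce values are constructed.

```python
# Added example: Digest header construction with proper quoted-string escaping.
# Not curl's implementation; all credential and nonce values are constructed.
import hashlib
import re


def quote_string(value: str) -> str:
    """Render value as an RFC 7616 quoted-string: escape backslash and double quote."""
    escaped = value.replace("\\", "\\\\").replace('"', '\\"')
    return f'"{escaped}"'


def digest_response(username, realm, password, method, uri, nonce, nc, cnonce,
                    qop="auth") -> str:
    """RFC 2617 'response' value for algorithm=MD5 with qop=auth."""
    ha1 = hashlib.md5(f"{username}:{realm}:{password}".encode()).hexdigest()
    ha2 = hashlib.md5(f"{method}:{uri}".encode()).hexdigest()
    return hashlib.md5(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}".encode()).hexdigest()


def build_digest_header(username, realm, password, method, uri, nonce, cnonce,
                        nc="00000001") -> str:
    response = digest_response(username, realm, password, method, uri, nonce, nc, cnonce)
    # Every quoted-string field, the uri included, goes through quote_string().
    quoted = [("username", username), ("realm", realm), ("nonce", nonce),
              ("uri", uri), ("cnonce", cnonce), ("response", response)]
    parts = [f"{k}={quote_string(v)}" for k, v in quoted]
    parts += [f"nc={nc}", "qop=auth", "algorithm=MD5"]  # token values, unquoted
    return "Digest " + ", ".join(parts)


_PARAM = re.compile(r'(\w+)=(?:"((?:[^"\\]|\\.)*)"|([^,\s]*))')


def parse_digest_header(header: str) -> dict:
    """Parse the header back into a dict, unescaping quoted-string values."""
    body = header.split(" ", 1)[1]
    out = {}
    for m in _PARAM.finditer(body):
        key, quoted, token = m.groups()
        out[key] = re.sub(r"\\(.)", r"\1", quoted) if quoted is not None else token
    return out


if __name__ == "__main__":
    hdr = build_digest_header("alice", "example", "secret", "GET",
                              '/dir/with"quote', "nonce123", "cnonce456")
    print(hdr)
    print(parse_digest_header(hdr)["uri"])
```

Without `quote_string()` the `uri` field would contain a bare `"`, closing the quoted-string early and making the server hash a different `uri` than the client did.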
dependabot[bot] [Tue, 13 Jan 2026 22:04:33 +0000 (22:04 +0000)]
GHA: bump pip-dependencies
- update `ruff` from 0.14.10 to 0.14.11
- update `filelock` from 3.20.1 to 3.20.3 (CVE-2026-22701) (used in pytests)
- update `psutil` from 7.2.0 to 7.2.1
- reorder functions to not need forward declarations.
- sync `ephiperfifo.c` and `evhiperfifo.c`.
- drop redundant casts for `calloc()` return value.
- ephiperfifo: silence unused variable warning.
- fix indent and apply clang-format more.
Viktor Szakats [Tue, 13 Jan 2026 16:56:02 +0000 (17:56 +0100)]
url.h: fix `-Wdocumentation`
Seen when testing `-Weverything`:
```
lib/url.h:84:11: warning: parameter 'nowp' not found in the function declaration [-Wdocumentation]
84 | * @param nowp NULL or pointer to time being checked against.
| ^~~~
```
Daniel Stenberg [Mon, 12 Jan 2026 23:13:59 +0000 (00:13 +0100)]
top-complexity: always show the top-25
Accept argument as a custom amount. Previously it showed all functions
with a complexity score above 57. This way it adapts better as we
gradually decrease complexity in functions.
Daniel Stenberg [Mon, 12 Jan 2026 08:30:25 +0000 (09:30 +0100)]
mimepost: allocate main struct on-demand
This makes the easy handle 432 bytes smaller (totally 5352 bytes on my
rather maximized Linux 64 bit build). The 440 byte mimepost struct is
now allocated only when needed.
Viktor Szakats [Sun, 11 Jan 2026 13:53:41 +0000 (14:53 +0100)]
GHA: delete new apt sources adding the flaky distro source
CI workflows deleted apt package source `microsoft-prod.list` due to
flakiness seen in the past with those sources. Sources are still flaky
and they are now also used from `azure-cli.sources` which is included
by default by the runner images. Add it to the delete list.
Also: remove another new, unnecessary (for curl CI) package source seen
on the `ubuntu-24.04-arm` runner, for good measure, and performance.
Fixing:
```
Reading package lists...
E: Failed to fetch https://packages.microsoft.com/repos/azure-cli/dists/noble/InRelease 403 Forbidden [IP: 13.107.246.66 443]
E: The repository 'https://packages.microsoft.com/repos/azure-cli noble InRelease' is no longer signed.
Error: Process completed with exit code 100.
```
Ref: https://github.com/curl/curl/actions/runs/20896127602/job/60034941964?pr=20142#step:2:79
Viktor Szakats [Sun, 11 Jan 2026 00:07:43 +0000 (01:07 +0100)]
GHA: include runner CPU arch in cache keys (revert)
Turns out in practice the internal cache name contains the arch where it
matters (arm or dual-arch local builds), which is part of the cache key
string. Drop `runner.arch` to avoid two arch strings in the key.
Cache keys without an explicit arch designator mean intel.
Viktor Szakats [Sat, 10 Jan 2026 23:05:43 +0000 (00:05 +0100)]
GHA/linux: fix 'mbedtls' internal name confusion
`mbedtls-arm` and `mbedtls-prev` were matching `contains()` expressions
looking for `mbedtls`. It caused an unnecessary cache restore and a
redundant mbedtls build on bumps, and made the build flavors require
different local directory names to avoid this accidental collision.
Also drop `-threadsafe` from internal names. All local builds are.
Viktor Szakats [Sat, 10 Jan 2026 21:47:41 +0000 (22:47 +0100)]
GHA/linux: move 6 jobs with locally built dependencies to arm
All libressl jobs, wolfssl-all, and one mbedtls job.
As noted earlier, arm jobs run faster than intel ones, especially
valgrind steps that run almost twice as fast. Package install runs
slower, but this is offset by faster build and test steps, even in
non-valgrind jobs.
Viktor Szakats [Tue, 30 Dec 2025 10:21:05 +0000 (11:21 +0100)]
tool: improve error/warning messages when output filename sanitization fails
On MS-DOS (OOM and bad filename) and Windows (OOM only).
Given the rarity of both platform and error, we make a compromise and
return an unrelated libcurl error (43) in case of a bad output filename
on MS-DOS.
After:
```
$ CURL_FN_SANITIZE_OOM=1 wine curl.exe https://curl.se/ --output out.txt
curl: (27) Out of memory
$ CURL_FN_SANITIZE_BAD=1 wine curl.exe https://curl.se/ --output out.txt
Warning: bad output filename
curl: (43) A libcurl function was given a bad argument
$ CURL_FN_SANITIZE_OOM=1 wine curl.exe https://curl.se/index.html --globoff -O
curl: (27) Out of memory
$ CURL_FN_SANITIZE_BAD=1 wine curl.exe https://curl.se/index.html --globoff -O
curl: bad output filename
curl: (43) A libcurl function was given a bad argument
```
Before:
```
$ CURL_FN_SANITIZE_OOM=1 wine curl.exe https://curl.se/ --output out.txt
Warning: bad output glob
curl: (27) Out of memory
$ CURL_FN_SANITIZE_BAD=1 wine curl.exe https://curl.se/ --output out.txt
Warning: bad output glob
curl: (3) URL using bad/illegal format or missing URL
$ CURL_FN_SANITIZE_OOM=1 wine curl.exe https://curl.se/index.html --globoff -O
curl: Failed to extract a filename from the URL to use for storage
curl: (27) Out of memory
$ CURL_FN_SANITIZE_BAD=1 wine curl.exe https://curl.se/index.html --globoff -O
curl: Failed to extract a filename from the URL to use for storage
curl: (3) URL using bad/illegal format or missing URL
```
Viktor Szakats [Fri, 9 Jan 2026 14:51:04 +0000 (15:51 +0100)]
GHA: switch 12 Linux jobs to arm64
More cost-effective and seems as fast or faster than Intel.
In particular, valgrind seems to be almost 2x as fast. So fast the job pair
could fit under 10 minutes if merged again (but would be the longest in
GHA/Linux.)
Installing packages is slightly slower. The package repo is Ubuntu's
which is slower than the Azure mirror used on Intel (unless Azure is
broken, which happened a lot last year).
To add to more jobs, the locally built deps also need to be migrated.
Also:
- add workaround for failing sshd server on Linux arm runners, caused by
world-writable `HOME` directory.
Viktor Szakats [Thu, 8 Jan 2026 13:28:02 +0000 (14:28 +0100)]
cmake: silence useless compiler warnings triggered by the FASTBuild generator
Silencing all of these:
```
11>/tmp/_fbuild.tmp/0x0752c383/core_2/70816E19/krb5_sspi.c:1:5: error: this style of line directive is a GNU extension [-Werror,-Wgnu-line-marker]
1 | # 1 "<built-in>"
| ^
/path/to/curl/lib/vauth/krb5_sspi.c:29:6: error: this style of line directive is a GNU extension [-Werror,-Wgnu-line-marker]
29 | # 26 "/path/to/curl/lib/vauth/krb5_sspi.c"
| ^
[...]
```
FASTBuild is slightly faster than Ninja in basic (single-machine, build
from scratch) cases (and can be even faster in other build cases). It
doesn't support unity builds. Maybe it can bring slightly better
performance to non-unity cmake CI jobs, in jobs having an 'install
prereq' phase already, and installing the fastbuild package being faster
than this gain. It overall seems marginal if any in curl CI. At least
for now. But it doesn't hurt if it works, and may be useful for some.
Requires CMake 4.2+.
That said this workaround may have a better place within CMake.
Stefan Eissing [Fri, 9 Jan 2026 14:23:36 +0000 (15:23 +0100)]
pytest: bump quiche version check update
Since the Lazy Lucas did not manage to get the fix merged in 0.24.7,
increase the pytest version check number in the hope that it will happen
in the next release.
Daniel Stenberg [Thu, 8 Jan 2026 22:57:58 +0000 (23:57 +0100)]
urldata: convert 'long' fields to fixed variable types
Makes sure they work identically cross-platform, as long varies in size
between Windows vs non-Windows. Makes Curl_easy 16 bytes smaller on 64
bit Linux.
This reduces support for the RTSP cseq counters to 32 bit (down from 63
bit previously on 64 bit non-Windows), but it is probably safe.
Implementations probably rarely support anything above 32 bits anyway
and this is how curl has worked on Windows since always.
There is now only one 'long' left in urldata.h (in the ssl_config_data
struct). That field, certverifyresult, is used to store the response
code from TLS backend code and in the OpenSSL case that function returns
an actual 'long'.
Stefan Eissing [Thu, 8 Jan 2026 10:19:39 +0000 (11:19 +0100)]
ngtcp2: stabilize recv
When receiving on a stream that already failed or has already been closed,
return the matching error code without touching the connection. In case
the connection shows errors, e.g. the server closed, those errors should
not have impact on an already failed/closed stream.
This might mitigate flakiness in pytest 07_13 where unexpected errors
occur after a successful upload.