- "CMake build with MIT Kerberos does not work"
Ref: #6904
The FindGSS module responsible for MIT Kerberos detection has seen 50
updates since this report. In recent years I have made many local tests
with it, and it's also extensively CI-tested since then (including Windows
for a 1-year period), with no known issues.
If you see problems remaining, let us know in a new issue.
Viktor Szakats [Thu, 18 Jun 2026 22:17:50 +0000 (00:17 +0200)]
GHA: fix Linux triplet passed to `CMAKE_C_COMPILER_TARGET`
Before this patch it broke clang 20/21 cmake builds on ubuntu-26.04-arm
runner, failing at the beginning of the configure stage while probing
the compiler.
Seen in the 'CM openssl clang krb5 LTO' job:
```
: && /usr/bin/clang --target=aarch64-pc-linux-gnu CMakeFiles/cmTC_3d9ae.dir/testCCompiler.c.o -o cmTC_3d9ae && :
/usr/bin/aarch64-linux-gnu-ld.bfd: cannot find crtbeginS.o: No such file or directory
/usr/bin/aarch64-linux-gnu-ld.bfd: cannot find -lgcc: No such file or directory
/usr/bin/aarch64-linux-gnu-ld.bfd: cannot find -lgcc_s: No such file or directory
```
Ref: https://github.com/curl/curl/actions/runs/27778098314/job/82195462687#step:38:66
Viktor Szakats [Thu, 18 Jun 2026 21:48:23 +0000 (23:48 +0200)]
GHA: separate pytype from other checkers and pips
pytype is discontinued, does not receive further updates, and it
requires an older python, offered by Ubuntu 24.04 or older.
Move it to its own GHA job to allow bumping the rest of the checkers to
newer runner images. Also move it out from the shared `requirements.txt`
and install it directly from its separate GHA job, to avoid installing it
unnecessarily from others. Since it does not receive updates, it's fine
to move it out of Dependabot's view.
Ref: https://pypi.org/project/pytype/
Cherry-picked from #22092
alhudz [Thu, 18 Jun 2026 14:31:20 +0000 (20:01 +0530)]
cookie: check __Secure- and __Host- case sensitively when read from file
The header path matches these prefixes case sensitively, as 5af0165562
made it for cookie spec reasons, but the Netscape cookie-file path still
used a case-insensitive match. Align the file path so a differently
cased name like __secure-x is treated as an ordinary cookie instead of
being put through the prefix integrity checks.
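An added illustration (not curl's code) of what the case-sensitive prefix match above changes for cookies read from a file: the old case-insensitive classification put a name like `__secure-x` through the `__Secure-` integrity rules, while the aligned check treats it as an ordinary cookie. The `struct cookie`, `accept_cookie()` and the integrity rules are a hypothetical, simplified model.

```c
#include <stdbool.h>
#include <string.h>
#include <strings.h>

enum prefix { PREFIX_NONE, PREFIX_SECURE, PREFIX_HOST };

/* Hypothetical minimal cookie as parsed from one cookie-file line. */
struct cookie {
  const char *name;
  bool has_domain;   /* true when a Domain attribute is present */
  const char *path;
  bool secure;
};

/* Case-sensitive classification, as the header path already did. */
static enum prefix prefix_kind(const char *name)
{
  if(!strncmp(name, "__Secure-", 9))
    return PREFIX_SECURE;
  if(!strncmp(name, "__Host-", 7))
    return PREFIX_HOST;
  return PREFIX_NONE;
}

/* The old file-path behaviour: case-insensitive, so "__secure-x" was
 * classified as prefixed and subjected to the integrity checks. */
static enum prefix prefix_kind_insensitive(const char *name)
{
  if(!strncasecmp(name, "__Secure-", 9))
    return PREFIX_SECURE;
  if(!strncasecmp(name, "__Host-", 7))
    return PREFIX_HOST;
  return PREFIX_NONE;
}

/* Prefix integrity rules from the cookie spec (RFC 6265bis): __Secure-
 * needs the Secure flag; __Host- additionally needs no Domain attribute
 * and a Path of exactly "/". Unprefixed names are accepted as-is. */
static bool prefix_ok(const struct cookie *c, enum prefix p)
{
  switch(p) {
  case PREFIX_SECURE:
    return c->secure;
  case PREFIX_HOST:
    return c->secure && !c->has_domain && !strcmp(c->path, "/");
  default:
    return true;
  }
}

/* Accept or reject a file cookie under either matching rule. */
static bool accept_cookie(const struct cookie *c, bool case_sensitive)
{
  enum prefix p = case_sensitive ? prefix_kind(c->name)
                                 : prefix_kind_insensitive(c->name);
  return prefix_ok(c, p);
}
```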
Viktor Szakats [Thu, 18 Jun 2026 15:04:58 +0000 (17:04 +0200)]
GHA: bump analyzer/sanitizer jobs to clang-22, and ubuntu-26.04
On Linux, and Windows cross-builds.
clang-tidy jobs look significantly faster. Other jobs remain around the
same (this feels nice after seeing the significant slowdowns in
Windows-2025, FreeBSD 15.)
gcc-analyzer also got faster:
Before: https://github.com/curl/curl/actions/runs/27758865007/job/82127670883
After: https://github.com/curl/curl/actions/runs/27768696084/job/82162385765
Also:
- work around actionlint 1.7.12 not yet being aware of ubuntu-26.04:
```
windows.yml:770:14: label "ubuntu-26.04" is unknown. available labels are [...]
```
Ref: https://github.com/curl/curl/actions/runs/27769065782/job/82163700294#step:6:13
Ref: https://github.com/rhysd/actionlint/issues/682
Ref: https://github.com/rhysd/actionlint/pull/683
Viktor Szakats [Thu, 18 Jun 2026 15:12:03 +0000 (17:12 +0200)]
openssl: do not mix OpenSSL int result with `CURLcode` variable
Seen with clang-22:
```
lib/vtls/openssl.c:3538:14: error: implicit conversion from 'int' to enumeration type 'CURLcode' is invalid in C++ [-Werror,-Wimplicit-int-enum-cast]
3538 | result = SSL_ech_set1_server_names(octx->ssl,
| ~ ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
3539 | peer->origin->hostname, outername,
| ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
3540 | 0 /* do send outer */);
| ~~~~~~~~~~~~~~~~~~~~~~
1 error generated.
```
Ref: https://github.com/curl/curl/actions/runs/27769068896/job/82163712258#step:42:43
alhudz [Sat, 13 Jun 2026 08:04:51 +0000 (13:34 +0530)]
pingpong: reject nul byte in server response line
Add test 2108 covering the rejection over FTP. Drop the now-vestigial
nul bytes from test 1282; they exercised the removed Kerberos FTP
security buffer check and now trip this rejection before the 633
login-denied path is reached.
Viktor Szakats [Thu, 18 Jun 2026 08:44:03 +0000 (10:44 +0200)]
GHA/linux: use default GCC compiler, drop `CC`/`CXX` envs
At the time of the original commit, the runner was ubuntu-22.04 with
a default GCC 11. It made sense to bump to 12 manually. Since 2025,
the default is ubuntu-24.04 with GCC 13, when this became a downgrade.
Drop manual envs and bump to GCC 13 with it. Other options available are
14, 15 and 16.
Stefan Eissing [Wed, 17 Jun 2026 12:20:02 +0000 (14:20 +0200)]
multi: xfers_really_alive
Yes, we were counting the "live" transfers before, but were they
*really* alive?
When determining to add the wakeup socket to fdset/waitfds etc, we
should only do that when the multi handle is actually processing
transfers. Otherwise, the application could wait on the wakeup socket
forever.
For this, we counted `multi->xfers_alive` (e.g. the "running" number
returned by `curl_multi_perform()`). This was almost correct.
The problem is that added easy handles are counted as "alive" right away
on the addition. But the processing has not started yet. They did not
trigger any DNS resolves or opened any sockets yet.
Add two fields in multi and easy handle:
* `multi->xfers_really_alive`: counts the "alive" transfers that have
passed `MSTATE_INIT` (at least once)
* `data->state.really_alive`: to track if the transfer has been counted
Add test 2412 to check that adding transfers without perform will not
trigger the wakeup socket to be added.
Viktor Szakats [Wed, 17 Jun 2026 15:38:32 +0000 (17:38 +0200)]
cmake/FindGSS: drop "MIT Unknown" version value, related tidy ups
After this patch the `GSS_VERSION` value is left empty in all cases when
there is known version number (potentially on Windows).
Also:
- sync `GSS_FOUND` comment with other Find modules.
- sync `GSS_VERSION` comment with other Find modules, drop the promise
of returning "unknown", which was not true and also not done by other
Find modules.
- tidy up Windows-registry-based MIT `GSS_VERSION` detection, by
guarding the whole block for `WIN32`.
- drop fallback version value `MIT Unknown` used for MIT.
- fix vertical alignment in comment block.
Changing CMake log output like so (in affected config):
```
-- Found GSS: MIT (found version "MIT Unknown")
```
->
```
-- Found GSS: MIT
```
Viktor Szakats [Wed, 17 Jun 2026 12:15:01 +0000 (14:15 +0200)]
GHA/linux: allow more time for `apt.repos.intel.com` install
Whether the install is extremely slow and will fail anyway, or only slower
sometimes, and this fixes it, we will see.
Example:
```
Need to get 1159 MB of archives.
After this operation, 4463 MB of additional disk space will be used.
Get:1 https://apt.repos.intel.com/oneapi all/main all intel-oneapi-common-licensing-2023.2.0 all 2023.2.0-49462 [30.4 kB]
Get:2 https://apt.repos.intel.com/oneapi all/main all intel-oneapi-common-licensing-2026.0 all 2026.0.0-235 [30.7 kB]
[...]
Get:21 https://apt.repos.intel.com/oneapi all/main amd64 intel-oneapi-dpcpp-debugger-2023.2.0 amd64 2023.2.0-49330 [201 MB]
Error: The action 'install Intel compilers' has timed out after 2 minutes.
```
Ref: https://github.com/curl/curl/actions/runs/27683923870/job/81877924590
Stefan Eissing [Wed, 17 Jun 2026 10:06:29 +0000 (12:06 +0200)]
http: for basic+digest auth, do not engage on empty user+passwd
Since we have the quirk of empty credentials (the empty string for
username and password) for Negotiate reactivated, we need to check for
this when considering Basic and Digest auth.
Verify a redirect to blank user+password in test 2208
Stefan Eissing [Tue, 16 Jun 2026 11:42:05 +0000 (13:42 +0200)]
creds: create with empty user+pass
Allow creation of a `Curl_creds` instance with empty username and
password (not NULL username/password). There are authentication
schemes like <insert greek mythology'> that do not use the actual
values of username/password but trigger on the mere existence.
We have no test cases for this, so this is a shot in the dark
here.
Fixes #21943 Reported-by: Dan Fandrich
Closes #22044
Stefan Eissing [Tue, 16 Jun 2026 10:07:08 +0000 (12:07 +0200)]
cf-dns: pass peer for result lookups
The DNS filter knows the peer it resolves and the code parts that want
the results know the peer as well. Pass it to lookup methods to make
sure results match.
Background: when tunneling, the resolved peer is not always the one that
other filters are looking for. Especially when HTTPS-RR results are
accessed in TLS filters, those will differ.
This prevents a HTTPS-RR for a proxy to be used for the origin when ECH
is activated. To make ECH work through a tunnel, we need to start an
additional resolve. Something to be fixed after 8.21.
Viktor Szakats [Tue, 16 Jun 2026 18:26:41 +0000 (20:26 +0200)]
configure: tidy up `OPT_APPLE_SECTRUST` initialization
The OS detection variable is not initialized at the time of assigning
its value to `OPT_APPLE_SECTRUST`. Replace the current empty value with
`no`. This keeps existing, desired, behavior.
Stefan Eissing [Tue, 16 Jun 2026 08:12:24 +0000 (10:12 +0200)]
url: connection credentials origin
When tying credentials to a connection (NTLM, Negotiate) also link the
origin the credentials are for. This prevents a connection reuse with
the same credentials, but intended for another origin.
The mis-reuse could happen for a forwarding proxy and NTLM (although, in
the mind of the person writing this, it is an insane setup).
Stefan Eissing [Mon, 15 Jun 2026 15:13:00 +0000 (17:13 +0200)]
cf-https-connect: do not engage on proxy origin
When talking to a forwarding proxy, do not start HTTPS Eyeballing.
We might support this in the future, but for now, the --httpx.x
arguments do not apply to such a setup.
Add a test case for forward proxying without use of ALPN.
Dave Walker [Mon, 15 Jun 2026 11:57:42 +0000 (12:57 +0100)]
cookie: use origin scheme for secure context check
`Curl_secure_context()` checked `conn->scheme` to determine if Secure
cookies may be sent. Since 73daec6, `conn->scheme` is set to the proxy's
scheme when using an HTTPS forwarding proxy, causing the function to
return TRUE for HTTP origins. This leaked Secure cookies over the
plaintext connection between proxy and origin.
Use `data->state.origin->scheme` instead, which always reflects the
origin's scheme regardless of proxy configuration.
Not an approved vulnerability because the regression was introduced
after the last release and is not present in any released version.
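An added model (not curl's code) of the regression described above: with an HTTPS forwarding proxy the connection scheme is the proxy's, so a check keyed on it reports a secure context for a plaintext origin. The `struct xfer` fields and both `secure_context_*()` functions are a hypothetical simplification of the two checks.

```c
#include <stdbool.h>
#include <strings.h>

/* Hypothetical simplified transfer state: the connection's scheme (set to
 * the proxy's scheme with an HTTPS forwarding proxy) and the origin's
 * scheme (always the target server's, whatever the proxy setup). */
struct xfer {
  const char *conn_scheme;    /* conn->scheme in the description above */
  const char *origin_scheme;  /* data->state.origin->scheme */
};

static bool is_https(const char *scheme)
{
  return !strcasecmp(scheme, "https");
}

/* Before the fix: keyed on the connection scheme. */
static bool secure_context_old(const struct xfer *data)
{
  return is_https(data->conn_scheme);
}

/* After the fix: keyed on the origin the request is actually for. */
static bool secure_context_new(const struct xfer *data)
{
  return is_https(data->origin_scheme);
}

/* A Secure cookie may only be attached in a secure context; other
 * cookies are unaffected by the check. */
static bool cookie_may_be_sent(bool cookie_secure, bool secure_ctx)
{
  return !cookie_secure || secure_ctx;
}

/* Would a Secure cookie go out for this transfer under each check? */
static bool secure_cookie_sent_old(const struct xfer *data)
{
  return cookie_may_be_sent(true, secure_context_old(data));
}

static bool secure_cookie_sent_new(const struct xfer *data)
{
  return cookie_may_be_sent(true, secure_context_new(data));
}
```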
This PR makes the wolfssl TLS backend work properly for PQC key
exchanges. The following issues are fixed:
* WOLFSSL_HAVE_KYBER is not present anymore in upstream wolfssl (for a
long time actually), so it has no use and the ML-KEM functionality was
never turned on properly.
* Key share group selection (via --curves) is now handled via the
generic wolfSSL_CTX_set1_groups_list() method instead of the prior
wolfSSL_CTX_set1_curves_list() and the additional PQC handling. This
removes a lot of PQC related special handling and the behavior now
matches the OpenSSL backend.
* The default QUIC group setting has been removed. For QUIC, the key
share as well as the list in the supported_groups extension is now
handled all within wolfssl. This also supports --curves properly now.
Viktor Szakats [Mon, 15 Jun 2026 19:27:51 +0000 (21:27 +0200)]
servers: silence `-Wunused-result` with pragma
In some configurations the `write()` function gets the
`warn_unused_result` attribute, which makes casting to `(void)`
ineffective to silence this warning. Seen with glibc, in 5 CI jobs.
The warning option appeared in GCC 4.5 and comes enabled by default.
```
tests/server/util.c:329:5: error: ignoring return value of ‘write’ declared with attribute ‘warn_unused_result’ [-Werror=unused-result]
329 | write(STDERR_FILENO, msg, sizeof(msg) - 1);
| ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
```
Ref: https://github.com/curl/curl/actions/runs/27548333990/job/81427544632
Viktor Szakats [Mon, 15 Jun 2026 09:47:05 +0000 (11:47 +0200)]
curl_formdata: fix to pass long where missing, document `CURLFORM_NAMELENGTH`
- lib650: pass `long` to `CURLFORM_NAMELENGTH` in test.
Spotted by Copilot.
https://github.com/curl/curl/pull/22011#discussion_r3412407235
Follow-up to 3620e569b312476f1e63b298106f942079b5afe8
Viktor Szakats [Mon, 15 Jun 2026 09:18:14 +0000 (11:18 +0200)]
servers: accept `lstat()` failing due to the file missing
In `bind_unix_socket()`, before retrying `bind()`.
Before this patch the code wanted to check if the to-be-deleted unix
socket path was indeed a socket, before deleting it and retrying to
bind. If `lstat()` failed for any reason, it skipped retry. Fix to retry
if `lstat()` failed because of the file missing.
Stefan Eissing [Mon, 15 Jun 2026 08:19:56 +0000 (10:19 +0200)]
ratelimits: use minimal burst rate
Some protocols (and servers) prefer to batch IO and will not send data
unless the window is of sufficient size. Set the burst rate for our
rate limits to a minimum of 32KB to prevent stalling.
Daniel Stenberg [Mon, 15 Jun 2026 11:52:52 +0000 (13:52 +0200)]
src/test: avoid (void)! constructs
The reason to use them seems to be that just (void) before a function
call is not enough to silence compiler warnings when return codes are
ignored and -Werror=unused-result is used.
While (void)! apparently works to silence those warnings, it is just too
weird and surprising to readers to use.
It is rather a reason to reconsider the usefulness of the warning.
Viktor Szakats [Mon, 15 Jun 2026 11:11:30 +0000 (13:11 +0200)]
servers: drop unix socket path attribute check on Windows
On Windows there is no `lstat()`, which was later substituted with
normal `stat()`, but on Windows `S_IFSOCK` is never defined, which meant
the output of stat was not actually used, reducing this to checking for
the presence of the file, and bailing out without retry if missing.
Viktor Szakats [Thu, 11 Jun 2026 22:33:40 +0000 (00:33 +0200)]
tidy-up: miscellaneous
- `N byte` -> `N-byte` or `N bytes`.
- INTERNALS.md: language tweaks.
- schannel: language tweak in comment/error message.
- socks_gssapi, socks_sspi: simplify composing an error message.
(at a cost of 8 extra constant string bytes.)
- m4/curl-compilers.m4: fix typo in link (in comment).
- contrithanks.sh: fix indent, drop stray `;` terminator.
- lib, src, tests: drop/fix a bunch of badwords.
- fix typos in comments.
- fix indent, stray spaces.
Some of these spotted by GitHub Code Quality and Copilot
Daniel Stenberg [Sun, 14 Jun 2026 10:44:44 +0000 (12:44 +0200)]
socks_sspi: store socks5_gssapi_enctype
Store the unwrapped protection level in `conn->socks5_gssapi_enctype` to
prevent the proxy from continuing unprotected. Matches the GSSAPI version
of the code.
Viktor Szakats [Sun, 14 Jun 2026 12:36:24 +0000 (14:36 +0200)]
servers: minor socket error handling fixes
- sws: fix socket error code in `select()` failure message.
Spotted by Copilot
Bug: https://github.com/curl/curl/pull/21998#discussion_r3409469444
- sws: do not call `SOCKERRNO` twice on error.
- dnsd: do not call `SOCKERRNO` twice on error.
- dnsd: replace `goto` with `while()` to sync with rest of code.
- dnsd: `sendto()` fail message fixes:
- replace `int` cast with `%zu` mask.
- drop redundant newline.
- show socket error string like rest of code.
- report not-fully-sent error separately from socket errors.
Viktor Szakats [Sun, 14 Jun 2026 12:29:13 +0000 (14:29 +0200)]
rtspd: sync up sleep loop with sws
Check for `!got_exit_signal` as part of the `while()` expression,
instead of doing it after calling `curlx_wait_ms()`. To simplify and
improve consistency with rest of code.
Spotted by Copilot in `socksd.c`
Bug: https://github.com/curl/curl/pull/21998#discussion_r3409395013
Follow-up to 80eb71a3f5146f2ab5c5f8d8655d6861b5472668 #8687
Saud Alshareef [Fri, 12 Jun 2026 02:02:04 +0000 (05:02 +0300)]
ldap: base64 encode binary LDIF values with WinLDAP
The WinLDAP backend only base64 encoded LDAP values when the attribute
name ended in ;binary. This made attributes such as jpegPhoto get
written as raw bytes, producing malformed LDIF output.
Match the OpenLDAP backend by also base64 encoding values with leading
or trailing blanks or non-printable bytes.
Fixes #21926 Reported-by: oreadvanthink on github
Closes #21982
Daniel Stenberg [Fri, 12 Jun 2026 12:37:55 +0000 (14:37 +0200)]
sspi: free libcurl allocated memory with curlx_free
DecryptMessage() decrypts the buffer in place, overwriting the original
contents. It does not allocate any new buffer so the single original
buffer should be freed using the same memory "system" that allocated it.
Stefan Eissing [Fri, 12 Jun 2026 10:02:08 +0000 (12:02 +0200)]
lib: transfer origin and proxy handling
Add `data->state.origin` as the origin the transfer is sending the
current request to/gets the response from. Use it for request specific
properties like authentication, hsts and cookie handling, etc.
Unless talking to a forwarding HTTP proxy (e.g. not tunneling),
`data->state.origin` and `conn->origin` are the same.
With a forwarding HTTP proxy in play, `conn->origin` is set to
`conn->http_proxy.peer` and `conn->bits.origin_is_proxy` (a new bit) is
set.
Viktor Szakats [Sun, 7 Jun 2026 23:21:44 +0000 (01:21 +0200)]
socket: introduce `SOCK_EAGAIN()` and use it
To contain the logic of checking for both `EWOULDBLOCK` and/or `EAGAIN`
depending on platform/availability. Also to avoid checking for both if
they map to the same value, and to avoid PP guards around use.
This also ensures `EAGAIN` is consistently not checked on Windows, where
headers defined it, but `SOCKERRNO` never returns it, because curl maps
it to `WSAGetLastError()`.
If they map to the same value, checking them both in an `if` expression
trips GCC warning `-Wlogical-op` (the same way it triggers duplicate
case value error in `switch`).
Also:
- replace two `switch()` statements with the new macro.
- tests/server/sws: make two outliers use the new macro that were only
checking for `EWOULDBLOCK` before this patch, in `connect_to()`.
- move variables to the left-side of expressions, where missing.
- rustls: use a variant of this macro that uses raw `EWOULDBLOCK`.
Tried tracing it back to the origins, but I couldn't figure out if
this is working as expected on all supported Windows versions in
Rust. It seems to be using `GetLastError()`, according to
https://docs.rs/system_error/0.2.0/system_error/, which would be
probably incorrect.
Notes:
- it's probably a good idea to assign `SOCKERRNO` to a variable before
passing it to this macro.
Viktor Szakats [Fri, 12 Jun 2026 15:51:22 +0000 (17:51 +0200)]
AmigaOS: fix build fallouts, re-add to CI
Fix build issues:
- src: adjust `toolx_ftruncate()`.
- libtests/cli_ftp_upload: make `struct timeval` initialization portable.
- libtests/lib1960: do unconst in local `inet_pton()` macro.
- tests/server/dnsd: make it stub instead of failing the build.
- tests/server: make them link AmiSSL for `SocketBase`.
Also:
- bump AmiSSL to the latest release.
- add download hash checks and toolchain cache.
- sync restored code with local updates made since last year.