Viktor Szakats [Fri, 2 Jan 2026 21:50:34 +0000 (22:50 +0100)]
GHA/windows: reduce workflow timeouts
From 15 to 10 minutes.
To reduce the idle wait for hung jobs from 20 to 15 minutes (hopefully),
so that the failed just can be restarted manually eariler. It appears
that GitHub Actions notices a hung job 5 minutes past the workflow
timeout (reason undiscovered).
Also: Leave extra time for torture and arm64 jobs.
Viktor Szakats [Fri, 2 Jan 2026 16:45:09 +0000 (17:45 +0100)]
GHA: disable autotools static libcurl in many jobs
To avoid building libcurl in both static and shared flavor by default.
It results in 1.5-2.x speed-up for the curl build step in most jobs.
Saving a total of 6-7 minutes. In the Cygwin job alone it saves 1-1.5m.
Also:
- enable static + shared in a Windows job to keep testing this combo.
Viktor Szakats [Fri, 2 Jan 2026 02:13:32 +0000 (03:13 +0100)]
GHA/linux: split valgrind jobs to job-pairs for parallelism, to finish in 10m
To make CI turnaround time shorter, by cutting the longest running jobs.
After this patch all jobs should finish around 10-11 minutes. Down from
15-16 minutes before this patch.
Suggested-by: Stefan Eissing
The fuzzing workflow is now the slowest (with a 7-minute startup time
needed to build deps from source on each run), followed by macOS
and Windows torture tests (both split in two now). Without fuzzing, it's
under 10 minutes.
Notes:
- an extra cost with job-pairs is installing prereqs,
configuring/building curl and tests twice. GitHub doesn't support
making a matrix job a prereq for another workflow that may fix this:
https://github.com/orgs/community/discussions/42335
This overhead is significant on Windows: 11m20 -> 9m20 + 8m40
- job-pairs are annoying to maintain and keep in sync.
- splitting tests into halves is a manual process and needs to be
revisited from time to time. Possibly something to automate with
a runtests option, e.g. with `1 of 50%` and `2 of 50%`?
Also:
- split torture tests in two equal pieces, replacing the `FTP` + `!FTP`
split used earlier.
Viktor Szakats [Fri, 2 Jan 2026 10:03:12 +0000 (11:03 +0100)]
GHA/linux: switch scan-build jobs to cmake (for 2x perf)
Somewhat unexpectedly, switching autotools jobs to identical (non-unity,
non-debug, same options) cmake ones, makes them complete 2x faster.
Most of it comes from cmake building shared libcurl only, while autotools
was using defaults and building both, in two separate passes. Thers is
about a minute (per job) of gain due to other reasons.
After:
MultiSSL: 4m52s: https://github.com/curl/curl/actions/runs/20658343323/job/59315501903
H3: 4m7s: https://github.com/curl/curl/actions/runs/20658343323/job/59315501918
H3: 5m4s: https://github.com/curl/curl/actions/runs/20659294959/job/59318215987 (autotools shared only, for comparison, not merged)
Also:
- drop building examples with scan-build in the second (shorter) job.
This offers no extra coverage over the long job that has both GnuTLS
and OpenSSL. Saving an extra ~30s.
Viktor Szakats [Wed, 31 Dec 2025 17:15:17 +0000 (18:15 +0100)]
pytest: replace allowlist with feature check to enable OCSP test 17_08
Add a `cert-status` feature flag to `curlinfo`, based on the conditions
used in `lib/vtls` sources.
To:
- fix disabling this test when using OpenSSL (or fork) built with
the `no-ocsp` option.
- enable this test for AWS-LC in CI.
Note:
- BoringSSL (and quiche) has OSCP disabled by default.
- MultiSSL dynamic selection continues to confuse this test.
(To fix it, support would need to be detected by querying libcurl
via curl. Probably overkill given that OCSP is on its way out.)
dependabot[bot] [Thu, 1 Jan 2026 14:06:15 +0000 (14:06 +0000)]
GHA: bump gha-dependencies
- update `github/codeql-action` from 4.31.8 to 4.31.9
- update `cross-platform-actions/action` from 0.30.0 to 0.32.0
- support for OmniOS and FreeBSD 15.0
- releases are now immutable
Viktor Szakats [Wed, 31 Dec 2025 11:28:46 +0000 (12:28 +0100)]
lib: drop unused or duplicate `curlx/timeval.h` includes
Note: This patch doesn't aim to add `timeval.h` includes missing from
local headers using `curltime` type. They remain relying on `urldata.h`
being included first. This patch also doesn't delete existing, used
includes already present in local headers (as internal users may rely
on them).
trxvorr [Sun, 28 Dec 2025 18:28:18 +0000 (23:58 +0530)]
digest: fix OWS and escaped quote handling
The migration to the strparse API introduced regressions in Digest
authentication parsing where Optional Whitespace (OWS) after commas was
not skipped, and escaped quotes in values were not correctly parsed.
This change ensures whitespace is skipped before key lookups and escaped
characters are properly handled and unescaped in quoted values.
Reported-by: herdiyanitdev on hackerone
Closes #20102
Jay Satiro [Sat, 20 Dec 2025 09:08:09 +0000 (04:08 -0500)]
tool_doswin: increase allowable length of path sanitizer
- Use 32767-1 instead of PATH_MAX-1 (260-1) as the maximum allowable
length of a path in Windows.
Prior to this change the path sanitizer in Windows used 32767-1 as the
maximum length only for paths that had the "\\" prefix like
"\\?\longpath". Since then we added some workarounds to open longer
paths without "\\?\" prefix by normalizing the path and adding that
prefix, and the sanitizer is called before the prefix is added.
Bug: https://github.com/curl/curl/issues/20044 Reported-by: Viktor Szakats
Closes https://github.com/curl/curl/pull/20046
Stefan Eissing [Mon, 29 Dec 2025 10:21:31 +0000 (11:21 +0100)]
ratelimit blocking: fix busy loop
Fix the pollset in perform state to not add sockets for directions
that are blocked. This otherwise will lead to busy loops for a
transfer that cannot be progressed.
Reported-by: Fizn-Ahmd on github
Fixes #20091
Closes #20109
Viktor Szakats [Sat, 20 Dec 2025 13:32:49 +0000 (14:32 +0100)]
tidy-up: miscellaneous
- asyn-thrdd.c: scope an include.
- apply more clang-format suggestions.
- tidy-up PP guard comments.
- delete empty line from the top of headers.
- add empty line after `curl_setup.h` include where missing.
- fix indent.
- CODE_STYLE.md: add `strcpy`.
Follow-up to 8636ad55dfbdbcc2809a61e65c3511baf5e7b0e8 #20088
- lib1901.c: drop unnecessary line.
Follow-up to 436e67f65b9dee1e80aa063c39450f0d1df6ac72 #20076
Daniel Stenberg [Thu, 25 Dec 2025 22:21:34 +0000 (23:21 +0100)]
memdebug: stop tracking send and recv
- they rarely catch any problems
- we have other ways to test different send/recv problems
- the number of such calls vary much more per invoke than others, making
memdebugging harder
- reducing the total number of fallible functions per test is good
- they were not used as intended anyway
Daniel Stenberg [Thu, 25 Dec 2025 09:53:11 +0000 (10:53 +0100)]
cookie: flush better
The cookie flushing (saving to a cookie jar) should only be done if a
transfer has been started. This is now done by checking the
cookies->running field, which is not reset in curl_easy_reset() so the
saving works correctly even after a call to that.
Viktor Szakats [Wed, 24 Dec 2025 23:26:48 +0000 (00:26 +0100)]
lib: drop unused protocol headers
- drop unused `http.h` includes.
- drop unused `http1.h` include.
- drop unused `http2.h` includes.
- vssh/ssh.h: drop unused `vssh.h` include.
- urldata.h: drop unused protocol includes.
- url: include `smtp.h` directly.
- rtsp.h: include directly where used.
- imap, smtp: drop redundant include, move another from .h to .c.
Viktor Szakats [Tue, 23 Dec 2025 10:59:59 +0000 (11:59 +0100)]
tests: replace `strcpy()` with `curlx_strcopy()`
Also:
- examples/hsts-preload: apply the same change as it's based on lib1915
in tests. Make a local clone of `curlx_strcopy()`. Then drop the
`_CRT_SECURE_NO_WARNINGS` hack, that's no longer necessary.
- curl_setup.h: delete `strcpy()` from the `_CRT_SECURE_NO_WARNINGS`
list.
Viktor Szakats [Sun, 21 Dec 2025 01:40:10 +0000 (02:40 +0100)]
lib: drop, or replace `sendf.h` with `curl_trc.h` where possible
- replace `sendf.h` with `curl_trc.h` where it was included just for it.
- drop unused `curl_trc.h` includes.
- easy: delete obsolete comment about `send.h` include reason.
Also:
- move out `curl_trc.h` include from `sendf.h` and include it directly
in users, where not done already. To flatten the include tree and
to less rely on indirect includes.
- stop including `sendf.h` from other headers, replace it with forward
declaration of `Curl_easy`, as done already elsewhere.
Viktor Szakats [Sun, 21 Dec 2025 10:28:42 +0000 (11:28 +0100)]
test96: fix to accept non-unity memdump content with MSVC
In unity builds the source filename (via `__FILE__`) has no path (or
uses slashes?), while in non-unity ones it does contain backslashes
on Windows, with MSVC. Fix the test to recognize backslashes in the
`stripfile` regexp.
Seen in MSVC jobs in CI:
```diff
-MEM tool_cfgable.c[LF]
-MEM tool_paramhlp.c[LF]
-MEM tool_cfgable.c[LF]
-MEM tool_cfgable.c[LF]
-MEM tool_cfgable.c[LF]
-MEM tool_cfgable.c[LF]
+MEM D:\a\curl\curl\src\tool_cfgable.c[LF]
+MEM D:\a\curl\curl\src\tool_paramhlp.c[LF]
+MEM D:\a\curl\curl\src\tool_cfgable.c[LF]
+MEM D:\a\curl\curl\src\tool_cfgable.c[LF]
+MEM D:\a\curl\curl\src\tool_cfgable.c[LF]
+MEM D:\a\curl\curl\src\tool_cfgable.c[LF]
```
Ref: https://github.com/curl/curl/actions/runs/20408366058/job/58641468316?pr=20061#step:13:303
Ref: https://github.com/curl/curl/actions/runs/20408522070/job/58641826216?pr=20064#step:13:298
Viktor Szakats [Sat, 20 Dec 2025 23:40:32 +0000 (00:40 +0100)]
lib: include `curlx/warnless.h` from `curl_setup.h`
To make it available for all files. Drop includes from individual
sources. This header was already included from most sources and not
specific to any internal subsystem.
Also to ensure that two system symbol redefines on Windows (`read()` and
`write()`) get applied to all sources. Move them to `curl_setup.h`.
Wyatt O'Day [Mon, 15 Dec 2025 17:17:13 +0000 (12:17 -0500)]
mbedTLS: cleanup insecure/deprecated code
1. With `MBEDTLS_SSL_PROTO_TLS1_2` not enabled, the mbedTLS code was not
able to connect to any server due to broken logic in curl's
`mbed_set_ssl_version_min_max()`. Now it correctly sets the minimum
supported TLS version based on what is compiled in the library.
2. If debugging is enabled, move the debugging enabling earlier in the
`mbed_connect_step1()` so that verbose errors are actually displayed if
failures happen (see the previous point -- it would've made debugging
that issue easier).
3. Remove the constant `mbedtls_x509_crt_profile_fr` and instead use
mbedTLS-included profile `mbedtls_x509_crt_profile_next` with
`mbedtls_ssl_conf_cert_profile()`. This will follow the latest standards
as new mbedTLS versions are released (rather than being stuck-in-time
until someone comes along to fix what was hard-coded here). This has the
immediate benefit of no longer supporting SHA1 certs and insecure RSA
key-lengths (1024). This fix immediately prevents previously possible
MITM attacks (SHA1 hashes and RSA-1024 keys can be forged relatively
easily by nation-state actors and criminal organizations with
deep-pockets).
4. Added [predictive
resistance](https://mbed-tls.readthedocs.io/en/latest/kb/how-to/add-a-random-generator/#enabling-prediction-resistance)
to the random number generator (adding more entropy to the RNG).
5. Split the random number generator into initialization, the actual
random generation, and the "freeing" of the resources. This
significantly reduces the overhead of using the RNG.
6. Removed the separate RNG function in the TLS connect stage (instead
use the "main" one) and remove the ad-hoc threading support. Instead
properly document how to enable threading in mbedTLS. As it was, other
internals of mbedTLS could have race conditions (in the RSA module in
particular) if `MBEDTLS_THREADING_C` was *not* enabled. And if it is
enabled, then these race-conditions cannot happen. And also, if
MBEDTLS_THREADING_C is enabled then the RNG functions [are fully
thread-safe](https://mbed-tls.readthedocs.io/en/latest/kb/development/thread-safety-and-multi-threading/).
So, the previous ad-hoc threading support was both partial and broken.
7. Enable support for disabling `MBEDTLS_PEM_PARSE_C`.
8. Add support for `CURLOPT_SSLCERTTYPE` so user can specify `PEM` or
`DER` and get faster execution.
projects / thirdparty / curl.git / log
