Viktor Szakats [Wed, 15 Oct 2025 19:01:46 +0000 (21:01 +0200)]
mbedtls: add support for 4.0.0
After this patch libcurl requires (as already documented)
the `curl_global_init()` call when using the `curl_formadd()` API with
mbedTLS.
Note: NTLM is not supported with mbedTLS 4+, because it lacks
the necessary crypto primitive: DES.
Also:
- lib: de-dupe mbedTLS minimum version checks into `curl_setup.h`.
- lib: initialize PSA Crypto as part of `curl_global_init()`.
For MD5, SHA-256, `curl_formadd()`, and MultiSSL builds with mbedTLS
but where mbedTLS isn't the default backend.
- lib1308: fix to call `curl_global_init()` (for the Form API).
- curl_ntlm_core: disable with mbedTLS 4+.
- md4: disable mbedTLS implementation when building against 4.x.
- md5: use mbedTLS PSA Crypto API when available, otherwise use
the default local implementation.
- sha256: use mbedTLS PSA Crypto API when available, otherwise use
the default local implementation.
- vtls/mbedtls: drop PSA Crypto initialization in favor of
`curl_global_init()`.
- vtls/mbedtls: use PSA Crypto random API with all mbedTLS versions.
- vtls/mbedtls: do the same for the SHA-256 callback.
- autotools: detect mbedTLS 4+, and disable NTLM for 3.x.
- cmake: disable NTLM for mbedTLS 3.x.
- GHA/linux: keep building mbedTLS 3.x manually and use it in
an existing job, while also enabling pytest in it.
- GHA/linux: bump to mbedTLS 4.0.0.
Closes #19075
Closes #19074
Daniel Stenberg [Thu, 16 Oct 2025 19:47:42 +0000 (21:47 +0200)]
openldap: limit max incoming size
Set the maximum allowed size of an incoming LDAP message, which to
OpenLDAP means that it allows malloc() up to this size. If not set,
there is no limit and we instead risk a malloc() failure.
The limit is arbitrarily set to 256K as I can't figure out what a
reasonable value should be.
Stefan Eissing [Tue, 14 Oct 2025 13:53:37 +0000 (15:53 +0200)]
quic: remove data_idle handling
The transfer loop used to check the socket and if no poll events
were seen, triggered a "DATA_IDLE" event into the filters to let
them schedule times/do things anyway.
Since we no longer check the socket, the filters have been called
already and the DATA_IDLE event is unnecessary work. Remove it.
Daniel Stenberg [Wed, 15 Oct 2025 06:42:20 +0000 (08:42 +0200)]
tftp: check for trailing ";mode=" in URL without strstr
RFC 3617 defines two specific modes, "netascii" and "octet". This code
now checks only for those trailing ones - and not in the hostname since
they can't be there anymore.
Stefan Eissing [Tue, 14 Oct 2025 12:39:50 +0000 (14:39 +0200)]
scorecard: add perf support on linux
When calling scorecard with --flame to produce a flamegraph, use
"perf" on linux platforms to do the measurements. Update the scorecard
documentation about it.
Viktor Szakats [Mon, 13 Oct 2025 14:30:18 +0000 (16:30 +0200)]
examples: improve global init, error checks and returning errors
- add `curl_global_init()` and `curl_global_cleanup()` where missing.
- check the result of `curl_global_init()` where missing.
- return the last curl error from `main()`.
- drop Win32-specific socket initialization in favor of `curl_global_init()`.
- rename some outliers to `res` for curl result code.
- fix cleanup in some error cases.
Daniel Stenberg [Sun, 12 Oct 2025 09:15:08 +0000 (11:15 +0200)]
sws: pass in socket reference to allow function to close it
The function service_connection() now passes in a reference to the
socket instead of by value since the sub function http_connect() might
close it and set *infdp = CURL_SOCKET_BAD. This would previously not be
detected when service_connection() returned and potentially cause a
double close of the socket.
Daniel Stenberg [Sun, 12 Oct 2025 09:05:46 +0000 (11:05 +0200)]
libssh/libssh2: reject quote command lines with too much data
If there is lingering letters left on the right side after the paths
have been parsed, they are syntactically incorrect so returning error is
the safe thing to do.
Viktor Szakats [Fri, 10 Oct 2025 21:11:14 +0000 (23:11 +0200)]
cmake: pre-fill three more type sizes on Windows
Use `CMAKE_SIZEOF_VOID_P` to fill the size of three types that differ
on 32 and 64-bit Windows: `curl_socket_t`, `size_t`, and on mingw-w64:
`ssize_t`.
`time_t` remains the only type needing detection at configuration time,
with MSVC or mingw-w64.
Stefan Eissing [Fri, 10 Oct 2025 08:15:38 +0000 (10:15 +0200)]
thread: errno on thread creation
When thread creation fails, the code uses `errno` to remember the cause.
But pthread_create() never sets errno and gives the error as return value.
Fix that by setting the return value into errno on failure.
Windows: I think the ifdef was the wrong way around. Also set a generic
Windows Error code on CE systems.
Stefan Eissing [Wed, 8 Oct 2025 12:29:54 +0000 (14:29 +0200)]
socks: advance iobuf instead of reset
During the SOCKS connect phase, the `iobuf` is used to receive repsonses
from the server. If the server sends more bytes than expected, the code
discarded them silently.
Fix this by advancing the iobuf only with the length consumed.
Viktor Szakats [Fri, 10 Oct 2025 04:37:45 +0000 (06:37 +0200)]
cmake/FindGSS: drop wrong header check for GNU GSS
GNU GSS offers `gss.h`; do not check for `gssapi.h`. `gssapi.h`
was originally published by Heimdal, and later MIT Kerberos also added it
for Heimdal compatibility.
Viktor Szakats [Fri, 10 Oct 2025 01:09:16 +0000 (03:09 +0200)]
kerberos: bump minimum to 1.3 (2003-07-08), drop legacy logic
Previous minimum was: 1.2.4 (2002-02-28)
- assume `gssapi/gssapi.h` header for MIT Kerberos.
Drop logic detecting this header, and drop alternate logic including
a bare "gssapi.h". Bare `gssapi.h` is Heimdal-specific. MIT Kerberos
added support for it for Heimdal compatibility on 2006-11-09,
redirecting to `gssapi/gssapi.h`. MIT Kerberos supported the latter
header in the 1990s already.
There were still mentions of it after this patch, when using versions
<1.2.3, but those versions aren't supported since: 99185417952da30c8ddd82ab962fb58da96260b2 (2008-06-12)
This header remains in use by autotools and cmake to detect MIT Kerberos
(vs. Heimdal, which doesn't have it.)
Daniel Stenberg [Thu, 9 Oct 2025 20:32:09 +0000 (22:32 +0200)]
ftp: simplify the 150/126 size scanner
The file size is weirdly returned in a 150 or 126 response as "XXX
bytes" mentioned somewhere in the response string. This is a rewrite of
the size scanner to replace the strange strstr() + backwards search from
before with a plain forward search until '[number] + " bytes"' is a
match.
Triggered by a report by Joshua Rogers about the previous parser.
Daniel Stenberg [Thu, 9 Oct 2025 15:23:56 +0000 (17:23 +0200)]
asyn-ares: use the duped hostname pointer for all calls
In one c-ares call the passed in pointer was used and not the new
duplicated one. This is probably fine but might as well use the new
pointer as all the other calls do, which will survive longer.
Jay Satiro [Fri, 18 Oct 2024 18:12:31 +0000 (14:12 -0400)]
tool_operate: keep failed partial download for retry auto-resume
- Keep data from a failed download instead of discarding it on retry in
some limited cases when we know it's ok (currently only HTTP 200/206).
Prior to this change on failed transfer the tool truncated any outfile
data written before retrying the transfer. This change adds an exception
for HTTP downloads when the user requested auto-resume, because in that
case we can keep the outfile data and resume from the new position.
projects / thirdparty / curl.git / log
