Daniel Stenberg [Thu, 17 Oct 2024 14:01:08 +0000 (16:01 +0200)]
tool_operate: reuse the schannel backend check
The transfer_per_config is called once per new transfer. It now saves
the result of the first TLS backend check done so that subsequent
invokes are more efficient and reuses the existing knowledge.
This change also splits the logic into several smaller functions.
Stefan Eissing [Thu, 17 Oct 2024 15:00:41 +0000 (17:00 +0200)]
http2: auto reset stream on server eos
When a server signals EOS from its side and the curl upload is
unfinished and the server has not given a positive HTTP status response,
auto RST the stream to signal that the upload is incomplete and that the
whole transfer can be stopped.
Fixes the case where the server responds with 413 on an upload but does
not RST the stream from its side, as httpd and others do.
Reported-by: jkamp-aws on github
Fixes #15316
Closes #15325
Daniel Stenberg [Thu, 17 Oct 2024 15:50:02 +0000 (17:50 +0200)]
libtests: generate the lib1521 atomically
By renaming from a temporary file name to the .c once completed. This
avoids the risk that the checksrc job tries to verify the file before it
is complete, in parallel build setups.
Reported-by: Dan Frandrich
Fixes #15258
Closes #15327
Stefan Eissing [Thu, 17 Oct 2024 11:53:06 +0000 (13:53 +0200)]
openssl: improve retries on shutdown
Once SSL_shutdown() has been called, OpenSSL does not really seem to
like it when it is called again and the other side has some finally data
to deliver.
Instead SSL_read() needs to be used solely, once the close notify has
been sent from curl's side.
Daniel Stenberg [Thu, 17 Oct 2024 06:33:04 +0000 (08:33 +0200)]
GHA: switch off proselint
Because we cannot disable the individual warnings we do not care about,
making this tool almost unusable for our purposes. See
https://github.com/amperser/proselint/issues/1367
Instead, make 'very' a banned word (as recently that has been what
proselint most commonly points out for us).
Stefan Eissing [Wed, 16 Oct 2024 14:21:03 +0000 (16:21 +0200)]
tests/http: fix ubuntu GnuTLS CI failures
Override the system default config in test_17_09, since we want to check
all TLS versions. Provide own, empty config file to gnutls, so that any
system wide file has no effect.
The latest ubunu image in GH CI disables TLS 1.0 and 1.1
system wide for GnuTLS. Good intentions.
Viktor Szakats [Tue, 15 Oct 2024 00:58:44 +0000 (02:58 +0200)]
GHA/macos: merge autotools and cmake jobs
To match other workflows and to avoid repetition in rules.
Also:
- fix build example step for cmake. update a job to use it.
- use `cmake` to invoke the builds (instead of ninja directly).
- extend test 2100 exclusion to more jobs.
It fails with all `!debug gcc-12` jobs with autotools.
With cmake this only happened for gcc-12 Secure Transport jobs
for some reason.
Dan Fandrich [Wed, 16 Oct 2024 16:52:36 +0000 (09:52 -0700)]
CI: explicitly specify the OS version when necessary
Commit 8ea120f6 added --break-system-packages which works in Ubuntu
24.04 but not 22.04, so explicitly specify that version in the runner
instead of relying on ubuntu-latest to provide it. Some runners have
regressed back to 22.04 for ubuntu-latest, resulting in build failures.
Dan Fandrich [Sat, 12 Oct 2024 17:38:40 +0000 (10:38 -0700)]
tests: capture stdin to get the vsftpd version number
vsftpd 3.0 at least writes its version number to stdin (!) instead of
stderr. This works due for backwards compatibility reasons in UNIX, so
we must check stdin for anything written there to reliably parse the
version string.
Viktor Szakats [Wed, 16 Oct 2024 10:14:52 +0000 (12:14 +0200)]
src: guard for double declaration of `curl_ca_embed` in unity builds
Seen with curl-for-win linux-musl-from-mac build with gcc 9.2.0.
```
n file included from /Users/runner/work/curl-for-win/curl-for-win/curl/_x64-linux-musl-bld/src/CMakeFiles/curl.dir/Unity/unity_0_c.c:136:
/Users/runner/work/curl-for-win/curl-for-win/curl/_x64-linux-musl-bld/src/tool_ca_embed.c:4:28: warning: redundant redeclaration of 'curl_ca_embed' [-Wredundant-decls]
4 | extern const unsigned char curl_ca_embed[];
| ^~~~~~~~~~~~~
In file included from /Users/runner/work/curl-for-win/curl-for-win/curl/_x64-linux-musl-bld/src/CMakeFiles/curl.dir/Unity/unity_0_c.c:88:
/Users/runner/work/curl-for-win/curl-for-win/curl/src/tool_operate.c:107:28: note: previous declaration of 'curl_ca_embed' was here
107 | extern const unsigned char curl_ca_embed[];
| ^~~~~~~~~~~~~
```
https://github.com/curl/curl-for-win/actions/runs/11192203640/job/31116070669#step:3:4894
Daniel Stenberg [Sun, 13 Oct 2024 21:50:11 +0000 (23:50 +0200)]
libssh2: put the readdir buffers into struct
... instead of separate malloc() calls:
- removes two mallocs (and associated error handling paths)
- makes cleanup easier
Also reduce maximum SFTP file path lengths to 1024 bytes universally
everywhere. Using the system's own MAX_PATH did not make sense since
this is mostly about getting a remote file name.
Viktor Szakats [Mon, 14 Oct 2024 09:27:54 +0000 (11:27 +0200)]
GHA: silence proselint warnings and an error
Fix new issues found by `proselint`.
Also:
- silence this technical warning:
```
:0: DeprecationWarning: /home/runner/.proselintrc was found instead of a JSON file. Rename to /home/runner/.proselintrc.json.
```
- fix an input filename.
`proselints` fails now if an input file is missing.
Reported-by: Jay Satiro
Bug: https://github.com/curl/curl/pull/15291#issuecomment-2410505100
Closes #15293
Daniel Stenberg [Mon, 14 Oct 2024 12:09:59 +0000 (14:09 +0200)]
curl.h: remove the struct pointer for CURL/CURLSH/CURLM typedefs
It makes the callbacks get different signnatures when used from within
libcurl vs outside of it by libcurl-using applications (such as the
libtests) and this triggers UndefinedBehaviorSanitizer errors.
Stefan Eissing [Thu, 5 Sep 2024 14:41:53 +0000 (16:41 +0200)]
ftp: move listen handling to socket filter
Move the listen/accept handling of the FTP active data connection
into the socket filter and monitor 'connected' status of that as
with passive connections - more or less.
The advantage is that the socket filter now reports being connected
only when the server has actually called and accept() has been done.
This enables to bootstrap the filter chain on the data connection
just like any other. A require SSL filter can then be added right
at the start and does not need to be patched in later.
Still, the active connection keeps on needing special handling in
ftp.c as the control connection needs to be monitored while waiting
as the server might send error responses this way. So, things did
not turn out quite as squeaky clean as hoped for, but still seems
better to do that way.
Stefan Eissing [Thu, 10 Oct 2024 09:44:39 +0000 (11:44 +0200)]
wolfSSL: fix handling of TLSv1.3 sessions
Register a callback to get notified of new SSL sessions by wolfSSL.
Remove the explicit session retrieval after handshake, since this does
not work for TLSv1.3.
Adjust test expectations now that TLSv1.3 session resumption works
in wolfSSL.
Viktor Szakats [Fri, 11 Oct 2024 08:53:32 +0000 (10:53 +0200)]
smb: do not redefine `getpid` on Windows
Replace with namespaced local macro `Curl_getpid()`.
Redefining symbols can backfire if that symbol is used in system
headers, especially with unity build. We haven't seen a fallout in CI
or supported envs, but do it anyway for good measure.
Viktor Szakats [Sat, 12 Oct 2024 08:45:31 +0000 (10:45 +0200)]
GHA: optimize test prereq steps
- Linux: move test and pytest prereqs right before test run.
- returns build phase results faster.
- allows skipping steps for jobs that don't need them.
- makes dependencies more transparent.
- sync prereq install step names.
- use `tests/requirements.txt` more.
Viktor Szakats [Fri, 11 Oct 2024 16:36:43 +0000 (18:36 +0200)]
cmake: tidy-ups and rebase fixups
- limit `SIZEOF_SA_FAMILY_T` detection to non-Windows.
- make sure `sys/socket.h` exists before detecting `SIZEOF_SA_FAMILY_T`.
- limit `mach_absolute_time()` detection to `APPLE`. Drop from Windows
pre-cache.
- skip `HAVE_LIBSOCKET` detection for Windows, drop pre-cached value.
- drop redundant pre-cached `HAVE_LIBZ` for Windows.
- `curl_required_libpaths()`: stop accepting multiple arguments.
To prepare for `CMAKE_REQUIRED_LINK_DIRECTORIES` support.
Follow-up to 7bab201abe3915a0167c002f9308950cb8a06e4b #15193
- GSS: fix recent rebase mistakes:
- fix variable name.
- do not add a header twice.
Follow-up to 91d451b48809f20415ba8627786f5d4f5aaf8bfe #15157
- GSS: quote a variable.
Dan Fandrich [Wed, 9 Oct 2024 23:47:20 +0000 (16:47 -0700)]
tool_xattr: create the user.creator xattr attribute
This indicates that the file was created by curl which can help a user
determine the origin of a file. Like the other attributes, this is only
enabled with the --xattr option.
- reduce `check_include_file_concat()` use to those headers that either
depend on a previously detected header, or another header or symbol
detection depend on it.
- replace `check_symbol_exists()` with `check_function_exists()` for
functions that are detected with `AC_CHECK_FUNCS()` in `./configure`.
This makes `setmode()` no longer be detected with MSYS, syncing
this with `./configure`. Instead `_setmode()` is used now also in
CMake MSYS builds. This is consistent with Cygwin builds also.
- add comment about which header/symbol detection depends on what
header. Based on `./configure` mainly.
- form `CURL_TEST_DEFINES` manually, and include only those macros which
are actually used in `CMake/CurlTests.c`.
- change `curl_internal_test()` to use `CMAKE_REQUIRED_DEFINITIONS`,
instead of `CMAKE_REQUIRED_FLAGS` to simplify the logic, and to allow
dropping the latter macro completely.
- drop `windows.h` from header and symbol checks.
- `./configure`: add comment about whether `netinet/in6.h`, `sys/un.h`
are indeed meant to be included for all detections. There is a chance
they were added there by accident.
Stefan Eissing [Wed, 9 Oct 2024 12:46:32 +0000 (14:46 +0200)]
TLS: TLSv1.3 earlydata support for curl
Based on #14135, implement TLSv1.3 earlydata support for the curl
command line, libcurl and its implementation in GnuTLS.
If a known TLS session announces early data support, and the feature is
enabled *and* it is not a "connect-only" transfer, delay the TLS
handshake until the first request is being sent.
- Add --tls-earldata as new boolean command line option for curl.
- Add CURLSSLOPT_EARLYDATA to libcurl to enable use of the feature.
- Add CURLINFO_EARLYDATA_SENT_T to libcurl, reporting the amount of
bytes sent and accepted/rejected by the server.
Implementation details:
- store the ALPN protocol selected at the SSL session.
- When reusing the session and enabling earlydata, use exactly
that ALPN protocol for negoptiation with the server. When the
sessions ALPN does not match the connections ALPN, earlydata
will not be enabled.
- Check that the server selected the correct ALPN protocol for
an earlydata connect. If the server does not confirm or reports
something different, the connect fails.
- HTTP/2: delay sending the initial SETTINGS frames during connect,
if not connect-only.
Verification:
- add test_02_32 to verify earlydata GET with nghttpx.
- add test_07_70 to verify earlydata PUT with nghttpx.
- add support in 'hx-download', 'hx-upload' clients for the feature
Viktor Szakats [Sat, 5 Oct 2024 00:12:13 +0000 (02:12 +0200)]
cmake: replace `check_include_file_concat()` for LDAP and GSS detection
Replace `check_include_file_concat()` with `check_include_file()` in
GSS/LDAP detection to avoid these headers spilling into subsequent
feature checks.
- For LDAP, reverse detection order to match with `./configure`.
Though, in current LDAP packages `ldap.h` does include `lber.h`.
- For GSS, align header detection logic with `./configure`, where
`gssapi/gssapi_generic.h` might require `gssapi/gssapi.h`, and
`gssapi/gssapi_krb5.h` might require both.
Viktor Szakats [Sat, 5 Oct 2024 11:59:28 +0000 (13:59 +0200)]
cmake: add comments to feature check options applied globally
Add comments saying when we want values set in feature check option
variables to apply to all feature checks, globally. These are currently:
`ws2_32` and `socket` libraries, and `-D_WIN32_WINNT=` macro.
Also use `list(APPEND ...)` for the libraries to avoid overwriting
potentially existing values.
Viktor Szakats [Sat, 5 Oct 2024 12:01:49 +0000 (14:01 +0200)]
cmake: stop adding dependency headers to global `CMAKE_REQUIRED_INCLUDES`
It was done for `zlib`, `brotli`, `libpsl`, `libssh2`, `wolfssh`
(a copy-paste case for `wolfssh`).
Feature detections should not rely by default on dependency headers.
There is no evidence they do now. If it becomes necessary, headers
should added for the duration of the feature check.
Viktor Szakats [Fri, 4 Oct 2024 23:12:44 +0000 (01:12 +0200)]
cmake: use `cmake_push_check_state()` around feature checks
Enclose
`CMAKE_EXTRA_INCLUDE_FILES`,
`CMAKE_REQUIRED_DEFINITIONS`,
`CMAKE_REQUIRED_FLAGS`,
`CMAKE_REQUIRED_INCLUDES`,
`CMAKE_REQUIRED_LIBRARIES`,
`CMAKE_REQUIRED_LINK_OPTIONS`,
settings within `cmake_push_check_state()`/`cmake_pop_check_state()`
calls. It prevents spilling them into other feature checks. It also
replaces manual resets found in some places (which can have
the undesired side-effect of destroying values meant for global use.)
Also:
- detect and add required system libraries for Rustls on macOS and
non-Windows.
- add Linux CMake jobs for the touched dependencies.
Caveats:
- MSH3 generates a broken `libmsh3.pc`, so needs manual config.
Upstream PR: https://github.com/nibanks/msh3/pull/225
- Rustls `.pc` file missing, so needs manual config.
An internal change worthy of mention is that we are using the lib path
and name information returned by `pkg-config` as-is. Meaning the libname
doesn't include the full path, like it's usual with native cmake
detection. The path comes separately and needs to be rolled separately.
For this we add it to targets via `link_directories()`. We also keep tab
of them in `CURL_LIBDIRS` and use that in `libcurl.pc`. Feature checks
also need to receive these paths. CMake doesn't offer
a `CMAKE_REQUIRED_*` variable for this purpose, only
a `CMAKE_REQUIRED_LINK_OPTIONS` accepting raw linker flags. Add a macro
to convert a list of paths to linker options to solve it. wolfSSL
requires this for now.
Viktor Szakats [Thu, 10 Oct 2024 09:21:09 +0000 (11:21 +0200)]
GHA/linux, http3-linux: add CMake support, sync steps, other improvements
- use shallow clone for submodules.
- reduce total job timeout from 90/60 -> 45 minutes.
- use `$HOME` instead of literal.
- http3-linux: sync step yaml order with linux.yml.
- http3-linux: add cmake + ninja support like in linux.yml.
- http3-linux: dump confgure log, test config, curl -V like in linux.yml.
- http3-linux: skip restoring gnutls and wolfssl when not used.
- dump `curl_config.h`.
- fold a long line.
Viktor Szakats [Thu, 10 Oct 2024 00:22:29 +0000 (02:22 +0200)]
GHA/linux: fix mbedTLS cmake build
CMake builds mbedTLS in Debug mode by default, which was the reason
for these consistent test failures:
```
FAIL 1631: 'FTP through HTTPS-proxy' FTP, HTTPS-proxy
FAIL 1632: 'FTP through HTTPS-proxy, with connection reuse' FTP, HTTPS-proxy
```
Sometimes also:
```
FAIL 303: 'HTTPS with 8 secs timeout' HTTPS, HTTP GET, timeout, FAILURE
```
https://github.com/curl/curl/actions/runs/11260616621/job/31313234198
Fix it by building in `RelWithDebInfo` mode, matching the bare
`Makefile` builds used earlier. (`Release` mode also works.)
Emanuel Komínek [Tue, 8 Oct 2024 16:35:13 +0000 (18:35 +0200)]
multi: make curl_multi_cleanup invalidate magic latter
When a multi handle is being cleaned up, it can still cause user
callbacks to be fired. Notably Curl_cpool_destroy calls socket_callback
on all pooled connections. It's still possible for the callback to call
curl_multi_assign leading to an assert.
This commit moves clearing of a multi handle magic to a point where the
multi handle stops being a valid object.
Viktor Szakats [Tue, 8 Oct 2024 20:41:18 +0000 (22:41 +0200)]
GHA: add Linux and macOS mbedTLS jobs, fix issue
- update mbedTLS repo URL.
- switch local mbedTLS build to use CMake, and Ninja.
CMake build is required to create and install mbedTLS `pkg-config`
files. (as of v3.6.1)
`-DCMAKE_POSITION_INDEPENDENT_CODE=ON` required to avoid this error
when linking mbedtls to `libcurl.so`:
```
/usr/bin/ld: /home/runner/mbedtls/lib/libmbedcrypto.a(cipher.c.o): warning: relocation against `mbedtls_cipher_base_lookup_table' in read-only section `.text'
/usr/bin/ld: /home/runner/mbedtls/lib/libmbedtls.a(ssl_tls.c.o): relocation R_X86_64_PC32 against symbol `mbedtls_x509_crt_profile_suiteb' can not be used when making a shared object; recompile with -fPIC
/usr/bin/ld: final link failed: bad value
```
Ref: https://github.com/curl/curl/actions/runs/11245069259/job/31264386723#step:40:43
- make local mbedTLS build 10x smaller by omitting programs and tests.
- GHA/linux: fix cmake warning by adding `-B .` option.
- GHA/linux: add build-only cmake job for packaged mbedTLS (2.x).
- fix compiler warning when building with mbedTLS 2.x:
```
/home/runner/work/curl/curl/lib/vtls/mbedtls.c:344:1: error: ‘mbed_cipher_suite_get_str’ defined but not used [-Werror=unused-function]
344 | mbed_cipher_suite_get_str(uint16_t id, char *buf, size_t buf_size,
| ^~~~~~~~~~~~~~~~~~~~~~~~~
```
Ref: https://github.com/curl/curl/actions/runs/11244999065/job/31264168295#step:40:50
Viktor Szakats [Tue, 8 Oct 2024 18:18:56 +0000 (20:18 +0200)]
GHA/windows: drop vcpkg shiftmedia-gnutls, replace with mbedtls
GnuTLS vcpkg package broken again with the latest runner image update:
https://github.com/curl/curl/actions/runs/11240011311/job/31248406051?pr=15203#step:5:137
Viktor Szakats [Mon, 7 Oct 2024 14:13:32 +0000 (16:13 +0200)]
cmake: detect GNU GSS
Fix to set `HAVE_GSSGNU` when GNU GSS is detected.
Also set the appropriate `pkg-config` dependency and do version
detection for the GNU GSS flavour.
Tested with `pkg-config` and partly tested without. The latter case
picks up everything else but, in my env. This is likely not the last
word to implement this detection correctly for all build-cases.
GNU GSS doesn't seem to have a Homebrew formula and building
it locally needs manual tweaks to make finish successfully.
Also move a MIT-specific header detection into to MIT-specific `if`
branch.
projects / thirdparty / curl.git / log
