- NetBSD: enable impacket. Debatable if this hefty package is worth it
for the single SMB test (1451) run curl uses it for.
(on the upside, it seems to install instantly on NetBSD)
It's also a versioned package name that requires active maintenance.
The unversioned name doesn't work, though that's what the package
search returns: https://pkgsrc.se/net/py-impacket
- FreeBSD: stop installing impacket deps explicitly.
They are automatically installed via the impacket package.
- Linux: put time limit on test runs.
Started hanging yesterday:
linux: https://github.com/curl/curl/actions/runs/10875011573/job/30172946986#step:41:3731
awslc: https://github.com/curl/curl/actions/runs/10879782864/job/30185188509
wolfssl: https://github.com/curl/curl/actions/runs/10879782864/job/30185188509
- distcheck: reduce time limit to 15m (was 30m)
Linux tests started to hang, so reduce the timeout from 30 minutes
to 15. These jobs normally take 3 to 6 minutes to finish.
https://github.com/curl/curl/actions/runs/10879479914
Viktor Szakats [Wed, 11 Sep 2024 10:41:57 +0000 (12:41 +0200)]
CI: move Azure jobs to GHA, fix fallouts, sshserver, runtests tweaks
CI:
- GHA/windows: enable OpenSSH server, SysInternals `handle`, `impacket`.
Skip `impacket` on MSYS2 due to install failure.
Skip OpenSSH server for old/standalone mingw-w64 (building curl
without SSH there.)
- GHA/windows: make test tool installs a separate step.
- GHA/cygwin: enable OpenSSH server.
Skip `impacket`: it's compiling for 7 minutes then breaks.
Skip `stunnel` due to sluggish test run performance.
(This update is unrelated to Azure jobs.)
- GHA/linux: migrate Linux jobs from Azure CI.
- GHA/linux: migrate scanbuild job from Azure CI.
- GHA/linux: enable libssh2 in a job. Also enable valgrind.
- CI/windows: enable SSPI in two jobs.
- CI/windows: disable zlib in one more job.
- CI/windows: improve `if` condition checking GnuTLS.
- CI/windows: ignore SFTP/SCP tests as necessary.
- universally ignore SCP tests, they fail everywhere.
- ignore test 612.
- ignore test 613 616 618 with MSYS2 mingw-w64.
- ignore test 614 with libssh.
- ignore all SFTP with MSYS2 native.
- ignore all SFTP with vcpkg with `libssh2[core,zlib]`.
- ignore a couple of SFTP tests with MSYS2 mingw-w64.
(This matches settings on Azure CI.)
- GHA/windows: ignore failing 1451 'Basic SMB request' test for
old mingw-w64 7.3.0 (but not for 9.5.0!):
```
2024-09-11 21:45:59,738 ERROR smbComNegotiate: b'NT LM 0.12\x00' is not in list
[...]
curl: (7) Could not connect to server
[...]
FAIL 1451: 'Basic SMB request' SMB
```
Ref: https://github.com/curl/curl/actions/runs/10816280746/job/30007130770#step:13:3546
- CI/Azure: delete, now moved to GHA.
sshserver:
- sshserver: fix permissions for SSH host key on Windows, allowing sshd
to launch.
- sshserver: fix initializing config paths with Cygwin/MSYS2 sshd.
- sshserver: fix initializing config paths in parallel builds.
- sshserver: delete redundant `DenyUsers`. This also opens the way
to allow multiple usernames.
- sshserver: fix `AllowUsers` for GHA/windows, by allowing the
domainless username again.
Follow-up to 3ee7c676ec8ef32e3a9cb4d0fb2929a8335d58db #5721
- sshserver: fix `Deprecated option` warnings in `sshd_config`:
```
D:/a/curl/curl/bld/tests/log/2/server/curl_sshd_config line 7: Deprecated option AuthorizedKeysFile2
D:/a/curl/curl/bld/tests/log/2/server/curl_sshd_config line 25: Deprecated option KeyRegenerationInterval
D:/a/curl/curl/bld/tests/log/2/server/curl_sshd_config line 35: Deprecated option RhostsRSAAuthentication
D:/a/curl/curl/bld/tests/log/2/server/curl_sshd_config line 36: Deprecated option RSAAuthentication
D:/a/curl/curl/bld/tests/log/2/server/curl_sshd_config line 37: Deprecated option ServerKeyBits
D:/a/curl/curl/bld/tests/log/2/server/curl_sshd_config line 41: Deprecated option UseLogin
```
- sshserver: fix `Deprecated option` warnings in `ssh_config` with
Cygwin/MSYS2.
- sshserver: fix dumping config files due to the filenames missing their
full paths.
- sshserver: add workaround to make `logmsg` messages visible.
Before this patch they only went to a file and never shown.
runtests:
- runtests: log details when these Windows commands are called:
`handle`, `taskkill`, `tasklist`.
- runtests: add documentation links to Windows tools:
`handle`, `taskkill`, `tasklist`, `icacls`.
- runtests: add `-t` (kill whole tree) option to `taskkill` in
`servers.pm`, syncing it with the other `taskkill` call.
Follow-up to bc72a78a11764558639131d51fa8e7c81ee1e113 #14488
- runtests: show warning if Sysinternals `handle` tool is missing.
- runtests: drop Windows XP Home compatibility `tskill` call.
The call was made on all Windows versions. It's possibly overkill to
do this, because XP Home is probably rarely used for running curl
tests these days. In case it's needed, it'd be better to put it under
an explicit option.
- runtests: show Perl version and path.
Fix/silence fallouts:
- unit2603: fix building with disabled HTTP support.
- unit2604: silence `-Woverlength-strings` warnings in C89 mode.
- test437, test1614: fix to pass with no-IPv6 builds.
Viktor Szakats [Sat, 14 Sep 2024 20:29:13 +0000 (22:29 +0200)]
GHA/macos: replace make with ninja for cmake builds
Ninja performs better than GNU Make. Also the generation step is a bit
faster. The cost is installing ninja where missing from the image, and
there is no pre-existing package install step. Otherwise the
installation is fast because the tool is tiny.
(It would probably make sense to include ninja on the runner image; it's
a near zero-cost optimization opportunity for all CI jobs using cmake.)
Viktor Szakats [Sat, 14 Sep 2024 20:03:54 +0000 (22:03 +0200)]
GHA/macos: tidy-ups, install impacket for cmake jobs
- install impacket for cmake jobs.
- stop installing autotools for cmake jobs.
(also saving the extra seconds necessary for impacket install.)
- delete no longer necessary openssl pkg-config patch.
- `brew unlink openssl` unconditionally. This is safe, we no longer need
it at the default path, and the condition were never met anyway for
a while now.
- stop installing openssl, it's there on the base image.
(it was also missed for cmake, but that's okay)
Since ASCII transfers on FTP means sending CRLF line endings, we should
still keep converting them to LF-only on platforms where text files
typically do not use CRLF.
This also DOES NOT convert existing CRLF line endings on ASCII uploads
but only does stand-alone LF => CRLF.
Stefan Eissing [Fri, 13 Sep 2024 11:12:50 +0000 (13:12 +0200)]
connect: store connection info when really done
Output the 'Connected to...' info message when the connection has been
fully established and all information is available.
Due to our happy eyeballing, we should not emit info messages in
filters, because they may be part of an eyeballing attempt and may be
discarded later for another chain.
Stefan Eissing [Fri, 13 Sep 2024 16:36:53 +0000 (18:36 +0200)]
transfer: fix sendrecv() without interim poll
There was a "clever" optimization that skipped sendrecv() handling when
the transfer's pollset was empty. This happens for paused transfers, for
example.
Unforunately, if the libcurl application never calls curl_multi_poll(),
the pollset is and will aways remain empty, prevent the transfer from
progressing.
Remove this "optimization" and always try send/receive where applicable.
Fixes #14898 Reported-by: Victor Kislov
Closes #14901
Daniel McCarney [Thu, 12 Sep 2024 16:38:51 +0000 (12:38 -0400)]
vtls/rustls: support strong CSRNG data
Now that the curl rustls vtls backend is using rustls 0.14 we can
address the weak random situation by using
`rustls_default_crypto_provider_random()` to provide a `Curl_ssl`
`random` callback that fills the provided buffer with cryptographically
secure random data.
The mentions in `docs/` about weak RNG when using rustls are removed as
they are no longer applicable.
Daniel McCarney [Thu, 12 Sep 2024 16:31:59 +0000 (12:31 -0400)]
vtls/rustls: simplify ciphersuite skipping
Now that the rustls vtls backend is using rustls 0.14 we can take
advantage of `rustls_supported_ciphersuite_protocol_version()` to skip
TLS 1.3 and TLS 1.2 ciphersuites as required without needing to
interrogate the ciphersuite names as `rustls_str`s.
Daniel McCarney [Thu, 12 Sep 2024 16:18:26 +0000 (12:18 -0400)]
vtls/rustls: rustls-ffi 0.14.0 update
* Documentation is updated to describe new required version, and to link
to the upstream README about cryptography providers.
* GitHub workflow is updated to fetch 0.14.0.
* Breaking changes in`lib/vtls/rustls.c` are addressed:
* The `rustls_client_config_builder_build()` function now uses an out
parameter for the built config instead of returning it directly.
This allows the building process to fail if the default crypto
provider state isn't appropriate, or another error condition occurs.
* Default ciphersuites are collected using renamed functions named to
make it clear the ciphersuites are associated with the default
crypto provider.
* Customization of ciphersuites is now done via
a `rustls_crypto_provider_builder` used to instantiate a
`rustls_crypto_provider`. The customized provider can then can be
used with `rustls_client_config_builder_new_custom` in place of
providing ciphersuites directly.
* `rustls_connection_get_negotiated_ciphersuite()` now returns the
ciphersuite ID directly.
Daniel McCarney [Tue, 6 Aug 2024 17:49:03 +0000 (13:49 -0400)]
vtls/rustls: differentiate error messages
It's easier to diagnose a problem when there is one place where the
error message can be emitted. For that reason this commit updates two
errors that were shared between other fallible operations to use unique
messages.
Daniel McCarney [Fri, 19 Jul 2024 16:23:18 +0000 (12:23 -0400)]
vtls/rustls: simplify builder cleanup
Don't build `config_builder` just to free the resulting config, free the
builder directly.
When `cr_init_backend` encounters an error condition setting up the
Rustls client configuration it must do something with the
`config_builder` that was constructed earlier to avoid a memory leak.
The previous implementation preferred to use a pattern of building the
builder (thus consuming it) and then freeing the built config (to avoid
a memory leak). However, the purpose/intent is clearer when we just free
the builder directly instead of building it and freeing the result.
Stefan Eissing [Mon, 9 Sep 2024 11:52:44 +0000 (13:52 +0200)]
tests: tweak lock file handling and timers
- when server are killed by a test case, do not wait for the server lock
file to go away. These tests are mostly about client timeouts and the
server will hang until killed.
- when killing a server successfully, check for a remaining lock file,
log its existence and remove it.
- lower the delay timings on SLOWDOWN by half
- add SLOWDOWNDATA server command to only slow down the FTP data bytes,
not the control ones.
- lower some timeout values
Viktor Szakats [Thu, 12 Sep 2024 13:08:05 +0000 (15:08 +0200)]
autotools: fix `--with-ca-embed` build rule
Add missing rule dependency on the user-specified CA bundle. This fixes
including it when using the curl distro tarball, and other cases.
Also:
- fix the internal name of the CA bundle to avoid nested quotes.
It broke broke the rule dependency for the make tool.
- exclude the generated (empty) `tool_ca_embed.c` file from the distro
tarball. Patch-by: Daniel Stenberg
Follow-up to 8a3740bc8e558b9a9d4a652b74cf27a0961d7010 #14059 Reported-by: rampageX on github
Fixes #14879
Closes #14882
Stefan Eissing [Thu, 12 Sep 2024 08:03:33 +0000 (10:03 +0200)]
http2: when uploading data from stdin, fix eos forwarding
When uploading data from stdin ('-T -'), and the EOS was only detected
on a 0-length read, the EOS was not forwarded to the filters. This led
HTTP/2 to hang on not forwarding this to the server.
Added test_07_14 to reproduce and verify.
Fixes #14870 Reported-by: nekopsykose on github
Closes #14877
Viktor Szakats [Wed, 11 Sep 2024 21:42:43 +0000 (23:42 +0200)]
cmake: ensure `CURL_USE_OPENSSL`/`USE_OPENSSL_QUIC` are set in sync
OpenSSL must be selected (manually or by default) and detected for
`USE_OPENSSL_QUIC=ON` to work. This was documented before this patch,
but with CMake it was possible to use `USE_OPENSSL_QUIC=ON` without
an explicit or default `CURL_USE_OPENSSL=ON`, leading to a confused
internal state.
Fix by checking the QUIC condition early, showing a warning if enabled
without OpenSSL, and ignoring QUIC in such case.
Also: Fix casing of OpenSSL in option description.
Stefan Eissing [Wed, 11 Sep 2024 10:10:10 +0000 (12:10 +0200)]
test537: cap the rlimit max this test runs
Modern debian reports a soft limit of 134217724 which makes this test
run for minutes to allocate all file descriptors. Impose a cap of 256k,
so we do not run this tests on systems with larger rlimits.
Stefan Eissing [Wed, 11 Sep 2024 11:53:44 +0000 (13:53 +0200)]
QUIC: on connect, keep on trying on draining server
Do not give up connect on servers that are in draining state. This might
indicate the QUIC server restarting and the UDP packet routing still
hitting the instance shutting down.
Instead keep on connecting until the overall TIMEOUT fires.
Daniel Stenberg [Wed, 11 Sep 2024 12:12:41 +0000 (14:12 +0200)]
multi: check that the multi handle is valid in curl_multi_assign
By requiring that the multi handle is fine, it can detect bad usage
better and by that avoid crashes. Like in the #14860 case, which is an
application calling curl_multi_assign() with a NULL pointer multi
handle.
Reported-by: Carlo Cabrera
Fixes #14860
Closes #14862
Dan Fandrich [Fri, 6 Sep 2024 17:29:58 +0000 (10:29 -0700)]
GHA/linux-old: add an autoconf/automake build
This verifies that using older autotools still works. The results of the
autoconf build should end up being identical to the second of the two
cmake builds (the difference in the platform string notwithstanding).
Jay Satiro [Thu, 5 Sep 2024 06:18:25 +0000 (02:18 -0400)]
asyn-thread: stop using GetAddrInfoExW on Windows
- For the threaded resolver backend on Windows, revert back to
exclusively use the threaded resolver with libcurl-owned threading
instead of GetAddrInfoExW with Windows-owned threading.
Winsock (the Windows sockets library) has a bug where it does not wait
for all of the name resolver threads it is managing to terminate before
returning from WSACleanup. The threads continue to run and may cause a
crash.
This commit is effectively a revert of several commits that encompass
all GetAddrInfoExW code in libcurl. A manual review of merge conflicts
was used to resolve minor changes that had modified the code for
aesthetic or build reasons in other commits.
Prior to this change if libcurl was built with the threaded resolver
backend for Windows, and Windows 8 or later was the operating system at
runtime, and the caller was not impersonating another user, then libcurl
would use GetAddrInfoExW to handle asynchronous name lookups.
GetAddrInfoExW support was added in a6bbc87f, which preceded 8.6.0, and
prior to that the threaded resolver backend used libcurl-owned threading
exclusively on Windows.
Dan Fandrich [Sat, 7 Sep 2024 01:17:19 +0000 (18:17 -0700)]
maketgz: fix RELEASE-TOOLS.md for daily tarballs
The daily snapshots have no associated git tag, so provide a commit hash
instead in these cases. Fix the dpkg detection since the shell would
exit immediately without showing an error message if it weren't found.
Viktor Szakats [Thu, 5 Sep 2024 21:23:47 +0000 (23:23 +0200)]
build: generate `buildinfo.txt` for test logs
Also:
- read `buildinfo.txt` from `runtests.pl` and dump it to the log.
- cmake: show `CROSS` target flag for cross-builds.
- cmake: add logic to detect arguments passed via the command-line.
It is meant to help filling out missing datapoints in the testclutch
matrix.
Daniel Stenberg [Thu, 5 Sep 2024 13:58:45 +0000 (15:58 +0200)]
GHA/distcheck: keep upload artifacts for one day only
The uploads are only used as a cache mechanism between jobs to save them
from having to re-run maketgz multiple times, so there is no need to
save the artifact longer than this.
Daniel Stenberg [Wed, 4 Sep 2024 09:11:06 +0000 (11:11 +0200)]
openssl: certinfo errors now fail correctly
If there is a (memory) error when creating the certinfo data, the code
would previously continue which could lead to a partial/broken response.
Now, the first error aborts and cleans up the entire thing.
A certinfo "collection" error is however still not considered an error
big enough to stop the handshake.
Bonus 1: made two functions static (and removed the Curl_ prefix) that
were not used outside of openssl.c
Bonus 2: removed the unused function Curl_ossl_set_client_cert
projects / thirdparty / curl.git / log
