Viktor Szakats [Tue, 4 Nov 2025 17:37:49 +0000 (18:37 +0100)]
gnutls: report accurate error when TLS-SRP is not built-in
With GnuTLS 3.8.0+ the build-time SRP feature detection always succeeds.
It's also disabled by default in these GnuTLS versions.
When using TLS-SRP without it being available in GnuTLS, report
the correct error code `CURLE_NOT_BUILT_IN`, replacing the out of memory
error reported before this patch.
Also add comments to autotools and cmake scripts about this feature
detection property.
Detecting it at build-time would need to run code which doesn't work
in cross-builds. Once curl requires 3.8.0 as minimum, the build-time
checks can be deleted.
```
# before:
curl: (27) gnutls_srp_allocate_client_cred() failed: An unimplemented or disabled feature has been requested.
# after:
curl: (4) GnuTLS: TLS-SRP support not built in: An unimplemented or disabled feature has been requested.
```
Viktor Szakats [Wed, 5 Nov 2025 01:50:42 +0000 (02:50 +0100)]
GHA/checksrc: add actionlint, fix or silence issues found
It also does shellcheck on `run:` elements, overlapping with
the homegrown `shellcheck-ci.sh` with the same purpose. But it also does
more and perhaps could replace the script too, especially in curl
sub-repos.
x2018 [Tue, 4 Nov 2025 18:16:54 +0000 (02:16 +0800)]
gtls: add return checks and optimize the code
This commit does the following things:
1. Update the description of gtls_init()
2. In gtls_client_init(), check the invaild SSLVERSION at first. Note
that this part refactors the duplicate/incompatible checks and removes
the useless local variable `sni`.
3. Check the return value of gnutls_ocsp_resp_init(). Although the
original code is safe because gnutls_ocsp_resp_import() will check
the validity of `ocsp_resp`, it is better to catch the error in time
and record the proper message to output log.
Viktor Szakats [Tue, 4 Nov 2025 14:26:29 +0000 (15:26 +0100)]
cmake: fix `HAVE_GNUTLS_SRP` detection after adding local FindGnuTLS module
When GnuTLS is detected via pkg-config on a non-default path, e.g. with
Homebrew arm64 (`/opt/homebrew/`).
This was a regression from a commit made in this release cycle.
The Find module doesn't return an absolute path to the detected library
(as the former solution did), but a bare libname and a libpath. We thus
need to explicitly use the libpath while detecting a feature in GnuTLS
found this way. Syncing this with other dependencies.
Daniel Stenberg [Tue, 4 Nov 2025 10:22:32 +0000 (11:22 +0100)]
tests: remove most user-agent filters
Use the %VERSION instead. The user-agent stripping was introduced at the
time before we had %VERSION (introduced in e6b21d4). The tests would
then remove the user-agent header to make them possible to be compared
in a version independent way.
Fixes #19355 Reported-by: Stefan Eissing
Closes #19356
Viktor Szakats [Fri, 31 Oct 2025 14:50:01 +0000 (15:50 +0100)]
tests: avoid hard-coded CRLFs in more sections
- `reply/data*`, `verify/stdout`, `verify/stderr`, `verify/file*`,
`verify/proxy`:
- make `crlf="yes"` force CRLF to all lines, instead of just applying
to HTTP protocol headers.
- add support for `crlf="headers"` that only converts HTTP protocol
header lines to CRLF. (previously done via `crlf="yes"`.)
- use `crlf="headers"` where possible.
- `reply/connect*`:
- add support for `crlf="yes"` and `crlf="headers"`.
- use them where possible.
- `client/file*`, `client/stdin`:
- add support for `crlf="yes"`.
- use it where possible.
- `reply/data*`, `verify/protocol`:
- replace existing uses of `crlf="yes"` with `crlf="headers`" where it
does not change the result.
Reducing the number of `tests/data/test*`:
- CRLF newlines from 10295 to 1985. (119985 lines total)
- files with mixed newlines from 656 to 113. (1890 files total)
After this patch there remain 141 sections with mixed newlines, where
the mixing is not split between headers/non-headers. There is no obvious
pattern here. Some of the CRLF uses might be accidental, or
non-significant. They will be tackled in a future patch.
Joshua Rogers [Fri, 24 Oct 2025 19:49:58 +0000 (03:49 +0800)]
vtls: check final cfilter node in find_ssl_filter
find_ssl_filter used while(cf && cf->next) and skipped the last node.
If the SSL filter was last, channel binding lookup failed and we returned
CURLE_BAD_FUNCTION_ARGUMENT. Switch to while(cf) so the tail is examined.
Devdatta Talele [Mon, 20 Oct 2025 15:21:43 +0000 (20:51 +0530)]
gssapi: make channel binding conditional on GSS_C_CHANNEL_BOUND_FLAG
Fixes #19109 - GSSAPI authentication fails on macOS with Apple's Heimdal
implementation which lacks GSS_C_CHANNEL_BOUND_FLAG support for TLS
channel binding.
Commit 0a5ea09a910e introduced TLS channel binding for SPNEGO/GSSAPI
authentication unconditionally, but Apple's Heimdal fork (used on macOS)
does not support this feature, causing "unsupported mechanism" errors
when authenticating to corporate HTTP services with Kerberos.
Solution:
- Add CURL_GSSAPI_HAS_CHANNEL_BINDING detection in curl_gssapi.h based
on GSS_C_CHANNEL_BOUND_FLAG presence (MIT Kerberos >= 1.19)
- Make negotiatedata.channel_binding_data field conditional in vauth.h
- Guard channel binding collection/cleanup in http_negotiate.c
- Guard channel binding usage in spnego_gssapi.c
This follows the same pattern as GSS_C_DELEG_POLICY_FLAG detection and
ensures graceful degradation when channel binding is unavailable while
maintaining full support for implementations that have it.
Tested on macOS with Apple Heimdal (no channel binding) and Linux with
MIT Kerberos (with channel binding). Both configurations authenticate
successfully without errors.
The definition of these constants does not give a numeric ordering
and MAX_DEFAULT needs to be checked in addition of ciphers and QUIC
checks to apply correctly.
Fixes #19340 Reported-by: Peter Piekarski
Closes #19341
Viktor Szakats [Sun, 2 Nov 2025 15:00:24 +0000 (16:00 +0100)]
test696: decouple from test556 data
Test 696 and 556 share the same libtest code. Make sure to issue
the `GET` request to the correct runtime test number instead of using
the hard-wired "556".
It makes the `sws` test server read the response string from `test696`
`<data>` section, instead of reading it from `test556`. To avoid this
hidden interaction between test data.
AFAICS there is no other similar hard-coded string in reused libtests.
Viktor Szakats [Sat, 1 Nov 2025 00:28:55 +0000 (01:28 +0100)]
tests: avoid more hard-coded CRLFs in `protocol` sections
- fix regex to not catch CR (from CRLF), in `PORT`, `EPRT`
commands, allowing to use `crlf="yes"` more.
- add `crlf="headers"` mode for `protocol` sections.
To call `subnewlines()` without its force option.
This is the mode used in `data` sections when `crlf="yes"`.
(This confusion may be subject to a future commit.)
- subnewlines: apply CRLF to `HEAD` and `CONNECT` HTTP requests.
- subnewlines: apply CRLF to RTSP requests.
- delete remaining empty `protocol` sections.
Reducing the number of `tests/data/test*`:
- CRLF newlines from 11325 to 10295. (119984 lines total)
- files with mixed newlines from 707 to 656. (1890 files total)
Stefan Eissing [Fri, 31 Oct 2025 16:57:53 +0000 (17:57 +0100)]
sectrust: fix verifystatus via sectrust
When openssl does not verify the certificate, but apple sectrust
does, we also pass it the ocsp stapled response when configured and
available.
When openssl does not verify the cert chain, it will also not be able
to verify the ocsp stapling. Do not call it if sectrust is the
verifier of the cert chain.
Fixes #19307 Reported-by: Harry Sintonen
Closes #19308
Viktor Szakats [Fri, 31 Oct 2025 16:36:27 +0000 (17:36 +0100)]
tests/libtest/cli*: fix init/deinit, leaks, and more
- add global init and deinit where missing.
- check global init success.
- improve cleaning up on error codepaths.
- drop `CLI_ERR()` macro, that could quit.
Also make error messages tell the reason.
Viktor Szakats [Thu, 30 Oct 2025 23:55:13 +0000 (00:55 +0100)]
tests: replace significant invisible spaces with macros
To make them explicit, visible, avoid being accidentally trimmed.
Also prevents Git warnings, e.g. on `git am`.
Also:
- runtests: add support for `%spc%` and `%tab%` macros.
- test59: delete non-significant line-ending space.
- spacecheck.pl: drop line-ending whitespace exception for tests.
Daniel Stenberg [Fri, 31 Oct 2025 13:42:30 +0000 (14:42 +0100)]
examples: consistent variable naming across examples
- 'CURL *' handles are called 'curl'
- 'CURLM *' handles are called 'multi'
- write callbacks are called 'write_cb'
- read callbacs are called 'read_cb'
- CURLcode variables are called 'res'
It makes the examples look and feel more consistent. It allows for
easier copy and pasting between examples.
Stefan Eissing [Fri, 31 Oct 2025 12:46:18 +0000 (13:46 +0100)]
scp/sftp: fix disconnect
When a SCP/SFTP connection calls the protocol handler disconnect, it
required the connections *and* the easy handles SSH meta data to be
present. When the disconnect is called with an admin handle, the easy
meta data is not present, which prevented the shutdown to run.
The easy meta data is however not necessary to run the shutdown state
machine. Calling it with a NULL `sshp` is fine. To avoid any mixups,
check `sshp` in state operations that need it.
Fixes #19293 Reported-by: And-yW on github
Closes #19295
Viktor Szakats [Fri, 31 Oct 2025 03:22:42 +0000 (04:22 +0100)]
examples: fix more potential resource leaks, and more
Also:
- delete dead code.
- sync `http2-download.c` and `http2-upload.c` sources.
- simplessl: fix constant expression.
- simplessl: avoid `expression is constant` VS2010 warning, drop pragma.
- replace large stack buffers with dynamic allocation.
- http2-download: fix to fill transfer number.
Some of these were pointed out by TIOBE scanner via Coverity 2025.3.0.
Daniel Stenberg [Thu, 30 Oct 2025 10:32:15 +0000 (11:32 +0100)]
base64: make base64_encode() error on too long input
The maximum size is set to 16MB.
It should not possible to call this function with this large input, but
this is a precaution to catch mistakes and replaces the earlier check on
architectures with small size_t.
TheBitBrine [Sun, 26 Oct 2025 04:39:02 +0000 (04:39 +0000)]
imap: fix custom FETCH commands to handle literal responses
Custom IMAP commands using -X (e.g. 'FETCH 123 BODY[1]') were only
returning the first line of responses containing literals, instead of
the full multi-line body data.
The issue was that custom commands route through imap_perform_list()
and imap_state_listsearch_resp(), which didn't detect or handle IMAP
literal syntax {size}.
This commit adds literal detection to imap_state_listsearch_resp():
- Detects literal syntax {size} in untagged responses
- Writes the response header line containing the literal marker
- Handles any literal body data already in the pingpong buffer
- Sets up transfer layer to read remaining literal data from socket
- Configures maxdownload and transfer size to include header + body
- Initializes pp->overflow to 0 when no buffered data present
- Modifies imap_done() to transition to FETCH_FINAL for custom
commands that set up downloads
Stefan Eissing [Wed, 29 Oct 2025 08:48:50 +0000 (09:48 +0100)]
ngtcp2: overwrite rate-limits defaults
In pytests test_08 with the Caddy server, the new rate-limiting in
ngtcp2 did close the connection because it found "too many" stream data
packet repeats.
It is unclear if this is some Caddy issue or if the ngtcp2 implementaton
is wrong. Or if curl can do anything here.
Reported as https://github.com/ngtcp2/ngtcp2/issues/1850
This PR overwrites the ratelimit defaults in ngtcp2 with ten times
increased values. This makes the errors disappear on macOS.
Enable test_08_04/05 in CI again to see if there are any issues
to be found there. (We had those disabled before having parallel
pytests.)
Stefan Eissing [Mon, 27 Oct 2025 09:33:41 +0000 (10:33 +0100)]
ssl-session-cache: check use on config and availability
Replace the check if a ssl session cache is configured with
a function checking if it is configured *and* if an ssl session
cache is available.
During normal operations, a session cache is always there, however
for "connect-only" transfers this might not be the case. When such
transfers receive new sessions/tickets, they need to silently
discard those and not fail.
Reported-by: Marc Aldorasi
Fixes https://github.com/curl/curl/issues/18983
Closes https://github.com/curl/curl/pull/19251
Jay Satiro [Sun, 19 Oct 2025 15:42:37 +0000 (11:42 -0400)]
tool_operate: move the checks that skip ca cert detection
- Move the checks into the function that needs them, cacertpaths().
Prior to this change the caller made the determination whether to skip
calling cacertpaths for cert detection. However for posterity it is
better to have the checks in cacertpaths since other code could call it.
projects / thirdparty / curl.git / log
