Viktor Szakats [Sun, 2 Nov 2025 15:00:24 +0000 (16:00 +0100)]
test696: decouple from test556 data
Test 696 and 556 share the same libtest code. Make sure to issue
the `GET` request to the correct runtime test number instead of using
the hard-wired "556".
It makes the `sws` test server read the response string from `test696`
`<data>` section, instead of reading it from `test556`. To avoid this
hidden interaction between test data.
AFAICS there is no other similar hard-coded string in reused libtests.
Viktor Szakats [Sat, 1 Nov 2025 00:28:55 +0000 (01:28 +0100)]
tests: avoid more hard-coded CRLFs in `protocol` sections
- fix regex to not catch CR (from CRLF), in `PORT`, `EPRT`
commands, allowing to use `crlf="yes"` more.
- add `crlf="headers"` mode for `protocol` sections.
To call `subnewlines()` without its force option.
This is the mode used in `data` sections when `crlf="yes"`.
(This confusion may be subject to a future commit.)
- subnewlines: apply CRLF to `HEAD` and `CONNECT` HTTP requests.
- subnewlines: apply CRLF to RTSP requests.
- delete remaining empty `protocol` sections.
Reducing the number of `tests/data/test*`:
- CRLF newlines from 11325 to 10295. (119984 lines total)
- files with mixed newlines from 707 to 656. (1890 files total)
Stefan Eissing [Fri, 31 Oct 2025 16:57:53 +0000 (17:57 +0100)]
sectrust: fix verifystatus via sectrust
When openssl does not verify the certificate, but apple sectrust
does, we also pass it the ocsp stapled response when configured and
available.
When openssl does not verify the cert chain, it will also not be able
to verify the ocsp stapling. Do not call it if sectrust is the
verifier of the cert chain.
Fixes #19307 Reported-by: Harry Sintonen
Closes #19308
Viktor Szakats [Fri, 31 Oct 2025 16:36:27 +0000 (17:36 +0100)]
tests/libtest/cli*: fix init/deinit, leaks, and more
- add global init and deinit where missing.
- check global init success.
- improve cleaning up on error codepaths.
- drop `CLI_ERR()` macro, that could quit.
Also make error messages tell the reason.
Viktor Szakats [Thu, 30 Oct 2025 23:55:13 +0000 (00:55 +0100)]
tests: replace significant invisible spaces with macros
To make them explicit, visible, avoid being accidentally trimmed.
Also prevents Git warnings, e.g. on `git am`.
Also:
- runtests: add support for `%spc%` and `%tab%` macros.
- test59: delete non-significant line-ending space.
- spacecheck.pl: drop line-ending whitespace exception for tests.
Daniel Stenberg [Fri, 31 Oct 2025 13:42:30 +0000 (14:42 +0100)]
examples: consistent variable naming across examples
- 'CURL *' handles are called 'curl'
- 'CURLM *' handles are called 'multi'
- write callbacks are called 'write_cb'
- read callbacs are called 'read_cb'
- CURLcode variables are called 'res'
It makes the examples look and feel more consistent. It allows for
easier copy and pasting between examples.
Stefan Eissing [Fri, 31 Oct 2025 12:46:18 +0000 (13:46 +0100)]
scp/sftp: fix disconnect
When a SCP/SFTP connection calls the protocol handler disconnect, it
required the connections *and* the easy handles SSH meta data to be
present. When the disconnect is called with an admin handle, the easy
meta data is not present, which prevented the shutdown to run.
The easy meta data is however not necessary to run the shutdown state
machine. Calling it with a NULL `sshp` is fine. To avoid any mixups,
check `sshp` in state operations that need it.
Fixes #19293 Reported-by: And-yW on github
Closes #19295
Viktor Szakats [Fri, 31 Oct 2025 03:22:42 +0000 (04:22 +0100)]
examples: fix more potential resource leaks, and more
Also:
- delete dead code.
- sync `http2-download.c` and `http2-upload.c` sources.
- simplessl: fix constant expression.
- simplessl: avoid `expression is constant` VS2010 warning, drop pragma.
- replace large stack buffers with dynamic allocation.
- http2-download: fix to fill transfer number.
Some of these were pointed out by TIOBE scanner via Coverity 2025.3.0.
Daniel Stenberg [Thu, 30 Oct 2025 10:32:15 +0000 (11:32 +0100)]
base64: make base64_encode() error on too long input
The maximum size is set to 16MB.
It should not possible to call this function with this large input, but
this is a precaution to catch mistakes and replaces the earlier check on
architectures with small size_t.
TheBitBrine [Sun, 26 Oct 2025 04:39:02 +0000 (04:39 +0000)]
imap: fix custom FETCH commands to handle literal responses
Custom IMAP commands using -X (e.g. 'FETCH 123 BODY[1]') were only
returning the first line of responses containing literals, instead of
the full multi-line body data.
The issue was that custom commands route through imap_perform_list()
and imap_state_listsearch_resp(), which didn't detect or handle IMAP
literal syntax {size}.
This commit adds literal detection to imap_state_listsearch_resp():
- Detects literal syntax {size} in untagged responses
- Writes the response header line containing the literal marker
- Handles any literal body data already in the pingpong buffer
- Sets up transfer layer to read remaining literal data from socket
- Configures maxdownload and transfer size to include header + body
- Initializes pp->overflow to 0 when no buffered data present
- Modifies imap_done() to transition to FETCH_FINAL for custom
commands that set up downloads
Stefan Eissing [Wed, 29 Oct 2025 08:48:50 +0000 (09:48 +0100)]
ngtcp2: overwrite rate-limits defaults
In pytests test_08 with the Caddy server, the new rate-limiting in
ngtcp2 did close the connection because it found "too many" stream data
packet repeats.
It is unclear if this is some Caddy issue or if the ngtcp2 implementaton
is wrong. Or if curl can do anything here.
Reported as https://github.com/ngtcp2/ngtcp2/issues/1850
This PR overwrites the ratelimit defaults in ngtcp2 with ten times
increased values. This makes the errors disappear on macOS.
Enable test_08_04/05 in CI again to see if there are any issues
to be found there. (We had those disabled before having parallel
pytests.)
Stefan Eissing [Mon, 27 Oct 2025 09:33:41 +0000 (10:33 +0100)]
ssl-session-cache: check use on config and availability
Replace the check if a ssl session cache is configured with
a function checking if it is configured *and* if an ssl session
cache is available.
During normal operations, a session cache is always there, however
for "connect-only" transfers this might not be the case. When such
transfers receive new sessions/tickets, they need to silently
discard those and not fail.
Reported-by: Marc Aldorasi
Fixes https://github.com/curl/curl/issues/18983
Closes https://github.com/curl/curl/pull/19251
Jay Satiro [Sun, 19 Oct 2025 15:42:37 +0000 (11:42 -0400)]
tool_operate: move the checks that skip ca cert detection
- Move the checks into the function that needs them, cacertpaths().
Prior to this change the caller made the determination whether to skip
calling cacertpaths for cert detection. However for posterity it is
better to have the checks in cacertpaths since other code could call it.
Stefan Eissing [Mon, 27 Oct 2025 11:16:59 +0000 (12:16 +0100)]
TLS: IP address verification, extend test
Change the test certificate to carry a altname 'dns:127.0.0.1' which
should *not* match in test_17_05_bad_ip_addr.
wolfSSL: since `wolfSSL_check_domain_name()` does not differentiate
between DNS and IP names, use if only for DNS names. For IP addresses,
get the peer certificate after the handshake and check that using
wolfSSL_X509_check_ip_asc().
Unfortunately, this succeeds where it should not, as wolfSSL internally
used the same check code for both cases. So, skip the test case until
wolfSSL fixes that.
TheBitBrine [Sun, 26 Oct 2025 03:15:07 +0000 (03:15 +0000)]
pop3: fix CAPA response termination detection
The code was checking if a line starts with '.', which would
incorrectly match capability names starting with dots. Per RFC 2449,
the terminator must be a line containing only a single dot.
RFC 2449 also explicitly excludes '.' from valid capability name
starting characters, so this is purely theoretical, but the code
should match the spec.
Changed to check for exact match: line length of 3 with '.\r' or
length 2 with '.\n' to handle both CRLF and LF-only servers.
Daniel Stenberg [Thu, 23 Oct 2025 14:25:24 +0000 (16:25 +0200)]
schannel: lower the maximum allowed time to block to 7 seconds
During TLS renegotiation, the schannel_recv_renegotiate() function is
allowed to block for a short while. Reduce the maximum allowed time to
block from 10 minutes down to 7 seconds.
Viktor Szakats [Fri, 24 Oct 2025 16:34:35 +0000 (18:34 +0200)]
mbedtls: fix building with sha-256 missing from PSA
Fixing:
```
lib/vtls/mbedtls.c:1505:10: error: call to undeclared function 'Curl_sha256it'; ISO C99 and later do not support implicit function declarations [-Wimplicit-function-declaration]
1505 | return Curl_sha256it(sha256sum, input, inputlen);
| ^
1 error generated.
```
Viktor Szakats [Fri, 24 Oct 2025 11:44:44 +0000 (13:44 +0200)]
GHA/fuzz: try fixing concurrency group deadlock
```
Fuzzer
Canceling since a deadlock was detected for concurrency group:
'Fuzzer-82fa9862dfa3083d4014d6dcfb721a7278e66f0b' between a top level workflow and 'Fuzzing'
```
https://github.com/curl/curl/actions/runs/18778617351
Viktor Szakats [Fri, 24 Oct 2025 11:02:55 +0000 (13:02 +0200)]
GHA: set `concurrency:` where missing
To silence zizmor 1.16.0 warnings.
Also:
- http3-linux: replace hard-coded workflow name with variable.
Follow-up to a8174176b5425c5692b55b78e40aef3a2331155f #13841
- codeql: set `cancel-in-progress: true`.
zizmor apparently does not allow `false` in pedantic mode anymore:
https://github.com/zizmorcore/zizmor/pull/1227
- codeql: sync concurrency setting with the rest of the jobs.
(I'm not sure this is correct, or why it was previously special-cased.)
Expressions used (before and after this patch):
- `group: ${{ github.workflow }}-${{ github.event.sha }}-${{ github.event.target_url }}`
for GHA/appveyor-status.
- `group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.sha }}`
for all the rest.
Viktor Szakats [Thu, 23 Oct 2025 20:08:53 +0000 (22:08 +0200)]
NTLM: disable if DES support missing from OpenSSL or mbedTLS
Make autotools and cmake detect DES support in OpenSSL and mbedTLS.
Forward feature macros to C and omit NTLM from the feature preview list.
Use the feature macros in source. This ensure that `-V` output matches
the preview.
OpenSSL doesn't support DES when built with `no-des` or `no-deprecated`.
mbedTLS 4.x no longer supports it, and it's possible to disable it in
<4 with `scripts/config.py unset MBEDTLS_DES_C`.
Before this patch this worked for
mbedTLS 4 only, and with a regression for pending PR #16973.
Also:
- drop NTLM feature check from `curl_setup.h` in favour of autotools/
cmake feature macros. This makes `curl_setup.h` no longer need
to include an mbedTLS header, which in turn makes tests/server build
without depending on mbedTLS.
Fixing, in #16973:
```
In file included from tests/server/first.h:40,
from bld/tests/server/servers.c:3:
lib/curl_setup.h:741:10: fatal error: mbedtls/version.h: No such file or directory
741 | #include <mbedtls/version.h>
| ^~~~~~~~~~~~~~~~~~~
```
Ref: https://github.com/curl/curl/actions/runs/18689537893/job/53291322012?pr=16973
Ref: #19181 (initial fix idea)
Follow-up to 3a305831d1a9d10b2bfd4fa3939ed41275fee7f7 #19077
- move back mbedTLS header include and version check from
`curl_setup.h` to each source which consumes mbedTLS.
Viktor Szakats [Thu, 23 Oct 2025 22:55:37 +0000 (00:55 +0200)]
mbedtls: fix building with <3.6.1
```
lib/vtls/mbedtls.c:786:3: error: call to undeclared function 'mbedtls_ssl_conf_tls13_enable_signal_new_session_tickets'; ISO C99 and later do not support implicit function declarations [-Wimplicit-function-declaration]
786 | mbedtls_ssl_conf_tls13_enable_signal_new_session_tickets(&backend->config,
| ^
lib/vtls/mbedtls.c:787:5: error: use of undeclared identifier 'MBEDTLS_SSL_TLS1_3_SIGNAL_NEW_SESSION_TICKETS_ENABLED'; did you mean 'MBEDTLS_SSL_TLS1_3_NEW_SESSION_TICKET_FLUSH'?
787 | MBEDTLS_SSL_TLS1_3_SIGNAL_NEW_SESSION_TICKETS_ENABLED);
| ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
| MBEDTLS_SSL_TLS1_3_NEW_SESSION_TICKET_FLUSH
dep/mbedtls-3.4.0/_pkg/include/mbedtls/ssl.h:700:5: note: 'MBEDTLS_SSL_TLS1_3_NEW_SESSION_TICKET_FLUSH' declared here
700 | MBEDTLS_SSL_TLS1_3_NEW_SESSION_TICKET_FLUSH,
| ^
2 errors generated.
```
Daniel Stenberg [Thu, 23 Oct 2025 14:20:01 +0000 (16:20 +0200)]
connect: for CONNECT_ONLY, CURLOPT_TIMEOUT does not apply
Since using CONNECT_ONLY is by defintion only a connect, we make the
timeleft function return 0 after the connection is done so that it does
not - surprisingly - timeout later.
Daniel Stenberg [Thu, 23 Oct 2025 09:16:03 +0000 (11:16 +0200)]
http: only accept ';' as a separator for custom headers
When parsing incoming headers, they need to have a plain normal colon.
Previously out of convenience we used the same parser function for both
cases (incoming + custom set headers via the API) which made the
function too liberal for incoming HTTP traffic.
Theo Buehler [Thu, 23 Oct 2025 11:12:48 +0000 (13:12 +0200)]
vtls: remove call to PKCS12_PBE_add()
Curl is one of the last callers of PKCS12_PBE_add(). It has been a noop
since OpenSSL 0.9.8k (2006) stubbed it out when moving the built-in PBE
algorithms to a static table:
https://github.com/openssl/openssl/commit/b8f702a0affa2087758230967b55df504a176774
projects / thirdparty / curl.git / log
