Stefan Eissing [Mon, 27 Oct 2025 11:16:59 +0000 (12:16 +0100)]
TLS: IP address verification, extend test
Change the test certificate to carry a altname 'dns:127.0.0.1' which
should *not* match in test_17_05_bad_ip_addr.
wolfSSL: since `wolfSSL_check_domain_name()` does not differentiate
between DNS and IP names, use if only for DNS names. For IP addresses,
get the peer certificate after the handshake and check that using
wolfSSL_X509_check_ip_asc().
Unfortunately, this succeeds where it should not, as wolfSSL internally
used the same check code for both cases. So, skip the test case until
wolfSSL fixes that.
TheBitBrine [Sun, 26 Oct 2025 03:15:07 +0000 (03:15 +0000)]
pop3: fix CAPA response termination detection
The code was checking if a line starts with '.', which would
incorrectly match capability names starting with dots. Per RFC 2449,
the terminator must be a line containing only a single dot.
RFC 2449 also explicitly excludes '.' from valid capability name
starting characters, so this is purely theoretical, but the code
should match the spec.
Changed to check for exact match: line length of 3 with '.\r' or
length 2 with '.\n' to handle both CRLF and LF-only servers.
Daniel Stenberg [Thu, 23 Oct 2025 14:25:24 +0000 (16:25 +0200)]
schannel: lower the maximum allowed time to block to 7 seconds
During TLS renegotiation, the schannel_recv_renegotiate() function is
allowed to block for a short while. Reduce the maximum allowed time to
block from 10 minutes down to 7 seconds.
Viktor Szakats [Fri, 24 Oct 2025 16:34:35 +0000 (18:34 +0200)]
mbedtls: fix building with sha-256 missing from PSA
Fixing:
```
lib/vtls/mbedtls.c:1505:10: error: call to undeclared function 'Curl_sha256it'; ISO C99 and later do not support implicit function declarations [-Wimplicit-function-declaration]
1505 | return Curl_sha256it(sha256sum, input, inputlen);
| ^
1 error generated.
```
Viktor Szakats [Fri, 24 Oct 2025 11:44:44 +0000 (13:44 +0200)]
GHA/fuzz: try fixing concurrency group deadlock
```
Fuzzer
Canceling since a deadlock was detected for concurrency group:
'Fuzzer-82fa9862dfa3083d4014d6dcfb721a7278e66f0b' between a top level workflow and 'Fuzzing'
```
https://github.com/curl/curl/actions/runs/18778617351
Viktor Szakats [Fri, 24 Oct 2025 11:02:55 +0000 (13:02 +0200)]
GHA: set `concurrency:` where missing
To silence zizmor 1.16.0 warnings.
Also:
- http3-linux: replace hard-coded workflow name with variable.
Follow-up to a8174176b5425c5692b55b78e40aef3a2331155f #13841
- codeql: set `cancel-in-progress: true`.
zizmor apparently does not allow `false` in pedantic mode anymore:
https://github.com/zizmorcore/zizmor/pull/1227
- codeql: sync concurrency setting with the rest of the jobs.
(I'm not sure this is correct, or why it was previously special-cased.)
Expressions used (before and after this patch):
- `group: ${{ github.workflow }}-${{ github.event.sha }}-${{ github.event.target_url }}`
for GHA/appveyor-status.
- `group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.sha }}`
for all the rest.
Viktor Szakats [Thu, 23 Oct 2025 20:08:53 +0000 (22:08 +0200)]
NTLM: disable if DES support missing from OpenSSL or mbedTLS
Make autotools and cmake detect DES support in OpenSSL and mbedTLS.
Forward feature macros to C and omit NTLM from the feature preview list.
Use the feature macros in source. This ensure that `-V` output matches
the preview.
OpenSSL doesn't support DES when built with `no-des` or `no-deprecated`.
mbedTLS 4.x no longer supports it, and it's possible to disable it in
<4 with `scripts/config.py unset MBEDTLS_DES_C`.
Before this patch this worked for
mbedTLS 4 only, and with a regression for pending PR #16973.
Also:
- drop NTLM feature check from `curl_setup.h` in favour of autotools/
cmake feature macros. This makes `curl_setup.h` no longer need
to include an mbedTLS header, which in turn makes tests/server build
without depending on mbedTLS.
Fixing, in #16973:
```
In file included from tests/server/first.h:40,
from bld/tests/server/servers.c:3:
lib/curl_setup.h:741:10: fatal error: mbedtls/version.h: No such file or directory
741 | #include <mbedtls/version.h>
| ^~~~~~~~~~~~~~~~~~~
```
Ref: https://github.com/curl/curl/actions/runs/18689537893/job/53291322012?pr=16973
Ref: #19181 (initial fix idea)
Follow-up to 3a305831d1a9d10b2bfd4fa3939ed41275fee7f7 #19077
- move back mbedTLS header include and version check from
`curl_setup.h` to each source which consumes mbedTLS.
Viktor Szakats [Thu, 23 Oct 2025 22:55:37 +0000 (00:55 +0200)]
mbedtls: fix building with <3.6.1
```
lib/vtls/mbedtls.c:786:3: error: call to undeclared function 'mbedtls_ssl_conf_tls13_enable_signal_new_session_tickets'; ISO C99 and later do not support implicit function declarations [-Wimplicit-function-declaration]
786 | mbedtls_ssl_conf_tls13_enable_signal_new_session_tickets(&backend->config,
| ^
lib/vtls/mbedtls.c:787:5: error: use of undeclared identifier 'MBEDTLS_SSL_TLS1_3_SIGNAL_NEW_SESSION_TICKETS_ENABLED'; did you mean 'MBEDTLS_SSL_TLS1_3_NEW_SESSION_TICKET_FLUSH'?
787 | MBEDTLS_SSL_TLS1_3_SIGNAL_NEW_SESSION_TICKETS_ENABLED);
| ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
| MBEDTLS_SSL_TLS1_3_NEW_SESSION_TICKET_FLUSH
dep/mbedtls-3.4.0/_pkg/include/mbedtls/ssl.h:700:5: note: 'MBEDTLS_SSL_TLS1_3_NEW_SESSION_TICKET_FLUSH' declared here
700 | MBEDTLS_SSL_TLS1_3_NEW_SESSION_TICKET_FLUSH,
| ^
2 errors generated.
```
Daniel Stenberg [Thu, 23 Oct 2025 14:20:01 +0000 (16:20 +0200)]
connect: for CONNECT_ONLY, CURLOPT_TIMEOUT does not apply
Since using CONNECT_ONLY is by defintion only a connect, we make the
timeleft function return 0 after the connection is done so that it does
not - surprisingly - timeout later.
Daniel Stenberg [Thu, 23 Oct 2025 09:16:03 +0000 (11:16 +0200)]
http: only accept ';' as a separator for custom headers
When parsing incoming headers, they need to have a plain normal colon.
Previously out of convenience we used the same parser function for both
cases (incoming + custom set headers via the API) which made the
function too liberal for incoming HTTP traffic.
Theo Buehler [Thu, 23 Oct 2025 11:12:48 +0000 (13:12 +0200)]
vtls: remove call to PKCS12_PBE_add()
Curl is one of the last callers of PKCS12_PBE_add(). It has been a noop
since OpenSSL 0.9.8k (2006) stubbed it out when moving the built-in PBE
algorithms to a static table:
https://github.com/openssl/openssl/commit/b8f702a0affa2087758230967b55df504a176774
Stefan Eissing [Wed, 22 Oct 2025 13:04:53 +0000 (15:04 +0200)]
smtp: fix EOB handling
SMTP automatically appends a \n.\n to an upload if there is not already
one at the end of the input. The implementation had a bug where this did
not happen, depending on read size and buffering.
Change test 900 to reproduce the failure. The bug only happened for mail
body input of known length, where EOS was known on the last chunk read.
Change test 900 to use an input file and make it large enough.
Fixes #18798
Closes #19193 Reported-by: madoe on github
Stefan Eissing [Wed, 22 Oct 2025 10:37:59 +0000 (12:37 +0200)]
transfer: fix retry for empty downloads on reuse
When a reused connection did transfer 0 bytes, it assumed the transfer
had failed and needed a retry. Add a check for data->red.done, so we can
successfully accept the transfer of a 0-length file via SFTP.
Add test case 1583 to verfiy.
Fix SFTP disconnect debug trace when there was nothing to
disconnect (like when reusing a connection).
Fixes #19165 Reported-by: Alexander Blach
Closes #19189
Stefan Eissing [Wed, 22 Oct 2025 08:12:54 +0000 (10:12 +0200)]
vquic: fix recvmsg loop for max_pkts
The parameter `max_pkts` was not checked in the recvmsg() implementation
of vquic_recv_packets() as the packter counter was never increased. This
led to the loop running until an EAGAIN was encountered. Which, in any
real case scenario, does no harm as long as libcurl is ingesting packets
faster than a server is able to send them.
However on a slow device and a fast network this could happen and allow
a denial of serice.
Not a real regression as the vulnerable code has never been released.
libcurl 8.16.0 does not have this bug.
Stefan Eissing [Wed, 22 Oct 2025 08:39:58 +0000 (10:39 +0200)]
gnutls: fix re-handshake comments
With GnuTLS, a GNUTLS_E_REHANDSHAKE can be a renegotiate in TLSv1.2 or a
key update in TLSv1.3. This had been made non-blocking in a1850ad7debe33fded6367e34d5c06be4d51f58e but the comment warning about a
blocking call was not updated.
Stefan Eissing [Wed, 22 Oct 2025 08:00:53 +0000 (10:00 +0200)]
ftp: check errors on remote ip for data connection
Obtaining the remote ip of the control connection to be used for the
data connection can fail. Check that and fail the transfer when that
does not work.
Daniel Stenberg [Mon, 20 Oct 2025 09:34:25 +0000 (11:34 +0200)]
cookie: only count accepted cookies in Curl_cookie_add
The counter used to stop accepting cookies after a certain amount has
been received in a single response would previously also count some
cookies that were not actually accepted as they were discarded after the
counter was increased.
Starting now, the counter is increased only for cookies that were
accepted.
Viktor Szakats [Mon, 20 Oct 2025 21:11:53 +0000 (23:11 +0200)]
cmake: say 'absolute path' in option descriptions and docs
To not have to guess. Also to sync with autotools, which already uses
this wording.
Also:
- replace the stray term 'folder' with 'directory' for consistency.
- store help text in a temp variable to avoid overly long strings
(mandatory in CMake <4.2.0 and can't be trivially split), also
to avoid repeating this string 4 times.
Viktor Szakats [Mon, 20 Oct 2025 13:51:39 +0000 (15:51 +0200)]
cmake: add and use local FindGnuTLS module
Replacing a combination of custom logic in the main script and relying
on CMake's built-in Find module, with code and behavior used for
the rest of dependencies.
Also to:
- add version detection in the non-pkg-config path.
- make `GNUTLS_INCLUDE_DIR` and `GNUTLS_LIBRARY` take precedence over
pkg-config. As with other dependencies.
- document the above two configuration options.
- prepare for #16973, which originally introduced this local Find
module.
The local module is doing largely the same as CMake's built-in
FindGnuTLS. Differences:
- honors `CURL_USE_PKGCONFIG`.
- returns GnuTLS version for non-pkg-config detection.
- consistently returns `GNUTLS_VERSION`.
(CMake's built-in uses s different name in <3.16.)
- CMake 3.16+ returns an imported target. curl supports 3.7,
therefore we may only use it conditionally, which isn't worth it.
Stefan Eissing [Mon, 20 Oct 2025 09:51:20 +0000 (11:51 +0200)]
cf-socket: give information when unable to open socket
Give ERRNO explanation in a failf() when unable to open a socket.
Helps in finding out what the issue preventing your curl to work
really is. Just had a wrong ulimit after a sys update.
Viktor Szakats [Fri, 10 Oct 2025 15:44:25 +0000 (17:44 +0200)]
socks_gssapi: replace `gss_release_buffer()` with curl free for buffers owned by libcurl
Before this patch, this code used to call `gss_release_buffer()` on
objects with buffers allocated via curl's allocator.
`gss_release_buffer()` calls system (or Win32) free on these buffers,
which may mismatch with curl's allocator. To fix it, align these calls
with the pattern used in vauth modules, by replacing
`gss_release_buffer()` with curl free to release the buffers.
Use `Curl_safefree()` to set the freed pointer to NULL, as
`gss_release_buffer()` did.
Viktor Szakats [Mon, 20 Oct 2025 12:02:06 +0000 (14:02 +0200)]
GHA/curl-for-win: drop libssh
Switch back to default libssh2.
The distribution server has reliability issues (this time it works
locally though):
```
++ curl [...] --output pkg.bin https://www.libssh.org/files/0.11/libssh-0.11.3.tar.xz --output pkg.sig https://www.libssh.org/files/0.11/libssh-0.11.3.tar.xz.asc
curl: (92) HTTP/2 stream 1 was not closed cleanly: INTERNAL_ERROR (err 2) [4x]
```
Ref: https://github.com/curl/curl/actions/runs/18651134321/job/53169147048#step:3:2391
Daniel Stenberg [Sun, 19 Oct 2025 14:12:56 +0000 (16:12 +0200)]
tool_operate: return error on strdup() failure
In src/tool_operate.c inside the Windows safe-search branch (#ifdef
CURL_CA_SEARCH_SAFE), the code assigns config->cacert = strdup(cacert);
at line 2076 without checking whether strdup returned NULL.
This would allow the code to continue with the wrong value set, causing
possible confusion.
projects / thirdparty / curl.git / log
