Viktor Szakats [Sun, 22 Mar 2026 11:40:23 +0000 (12:40 +0100)]
gnutls: fix clang-tidy warning with !verbose
with
`-DCURL_DISABLE_VERBOSE_STRINGS=ON -DCURL_USE_GNUTLS=ON -DCURL_CLANG_TIDY=ON`.
```
lib/vtls/gtls.c:268:7: error: Value stored to 'strerr' is never read [clang-analyzer-deadcode.DeadStores,-warnings-as-errors]
268 | strerr = gnutls_strerror(rc);
| ^ ~~~~~~~~~~~~~~~~~~~
```
Viktor Szakats [Fri, 20 Mar 2026 13:08:22 +0000 (14:08 +0100)]
GHA/curl-for-win: enable c-ares with HTTPS-RR in an existing job
c-ares builds have been sped up within curl-for-win using, pre-fills. It
allows building it with acceptable performance, making it practical to
use it, alongside HTTPS-RR, in curl CI and possibly in curl-for-win. It
has been enabled in its dev branch for a while.
Viktor Szakats [Fri, 20 Mar 2026 12:41:25 +0000 (13:41 +0100)]
cf-https-connect: silence `-Wimplicit-int-enum-cast` with HTTPS-RR + clang 21
Fixing (seen in curl-for-win dev branch):
```
In file included from _a64-linux-gnu-bld/lib/CMakeFiles/libcurl_object.dir/Unity/unity_0_c.c:34:
lib/cf-https-connect.c:681:28: error: implicit conversion from 'unsigned char' to enumeration type 'enum alpnid' is invalid in C++ [-Werror,-Wimplicit-int-enum-cast]
681 | enum alpnid alpn = rr->alpns[i];
| ~~~~ ^~~~~~~~~~~~e
```
Scott Boudreaux [Wed, 18 Mar 2026 15:56:09 +0000 (10:56 -0500)]
md5/md4: enable unaligned access fast path on powerpc64
PowerPC64 (both big-endian and little-endian) supports efficient
unaligned memory access, similar to x86. This extends the existing
fast path that avoids byte-by-byte loads in the MD5 and MD4 SET/GET
macros.
On POWER8 ppc64le, this eliminates 3 shifts + 3 ORs per 32-bit word
load, replacing them with a single lwz (or lwbrx on big-endian).
After limiting `find_package()`/`find_dependency()` calls to curl local
Find modules via the `MODULES` keyword, it became possible to detect
dependencies via CMake Configs from within those local Find modules, by
calling `find_package()` again with the `CONFIG` keyword. This patch
implements this. Then maps detection results to the result variables and
curl-specific imported targets the rest of the build expects.
Also honor recently introduced `*_USE_STATIC_LIBS` (experimental) flags
to map to the static target when requested.
This adds CMake Configs as an alternative to the existing `pkg-config`
and `find_path()`/`find_library()` auto-detection methods.
Enabled by default for MSVC, outside vcpkg and when not cross-building.
To enable for other cases, or override the default, you can use
`-DCURL_USE_CMAKECONFIG=ON` or `OFF`.
When enabled, Config detection happens after `pkg-config` and before
`find_path()`/`find_library()`. Using CMake's built-in options, you may
also manually point to the absolute directory holding Config files:
Stefan Eissing [Fri, 20 Mar 2026 13:55:53 +0000 (14:55 +0100)]
curlx_now(), prevent zero timestamp
As code checks `curltime` values for zero and interprets this
as not-initialized or "forever" in several places, make sure
`curlx_now()` never returns a zero timestamp.
Stefan Eissing [Mon, 9 Mar 2026 14:40:34 +0000 (15:40 +0100)]
share: concurrency handling, easy updates
Replace the `volatile int dirty` with a reference counter
protected by a mutex when available.
Solve the problem of when to call application's lock function
by adding a volatile flag that indicates a share has been added
to easy handles in its lifetime. That flag ever goes from
FALSE to TRUE, so volatile might work (in the absence of a mutex).
(The problem is that the lock/unlock functions need 2-3
`curl_share_setopt()` invocations to become usable and there
is no way of telling if the third will ever happen. Calling
the lock function before the 3rd setopt may crash the
application.)
When removing a share from an easy handle (or replacing it with
another share), detach the easy connection on a share with a
connection pool.
When cleaning up a share, allow this even if it is still used in
easy handles. It will be destroyed when the reference count
drops to 0.
Viktor Szakats [Fri, 27 Feb 2026 15:10:59 +0000 (16:10 +0100)]
build: assume `snprintf()` in `mprintf`, drop feature check
- it was already required for `curl_*printf()` float/double support.
- some curl tests always fail without it.
- it was already assumed to be present to build test servers.
Source code did not check for `HAVE_SNPRINTF` detection variable.
- it was already required to build examples.
Windows builds stopped using this detection and the function via earlier
commits.
Viktor Szakats [Wed, 26 Nov 2025 18:07:19 +0000 (19:07 +0100)]
cmake: drop support for CMake 3.17 and older
Require CMake 3.18 (2020-07-15) or newer, up from 3.7 (2016-11-11)
prior to this patch.
This requirement also applies to the distributed `curl-config.cmake`.
To allow dropping compatibility code maintained for old versions, and to
use features which were unpractical in separate code paths. Also to make
testing, documentation and development easier, CI builds faster due to
CMake performance improvements over time. (e.g. integration tests on
macOS run 8x faster (10 minutes is now under 1.5m) in CI, 2.5x faster on
Windows.)
CMake offers pre-built binaries for major platforms. They work without
an install step, just by unpacking and pointing the cmake command to
them. Making upgrades easy in many cases:
https://cmake.org/download/
https://cmake.org/files/
https://github.com/Kitware/CMake/releases
CMake 3.18 brings these feature as generally available when building or
consuming curl/libcurl:
LTO support, improved performance, `pkg-config` and interface target
support, `OBJECT` target (for faster libcurl builds), modern invocation
with `-S`/`-B` options, better support for custom linker options,
FetchContent, `GnuTLS::GnuTLS` target, `--verbose` and `--install`
options, `CMAKE_GENERATOR` env, last but not least unity mode and Ninja
generator.
For maximum build speed, use:
`-DCMAKE_UNITY_BUILD=ON -DCURL_DROP_UNUSED=ON`
As for deprecations, C++11 is required to build CMake itself, which may
be a limit on some platforms. autotools continues to cover them.
Viktor Szakats [Tue, 24 Feb 2026 11:45:59 +0000 (12:45 +0100)]
curl/curl.h: replace recursive macros with C++-friendly method to enforce 3 args
Certain uses may still trigger a C compiler warning
`-Wdisabled-macro-expansion` after this, e.g. when the call is wrapped
in the `CURL_IGNORE_DEPRECATION()` macro as seen in docs/examples.
Suggested-by: Kai Pastor
Ref: https://github.com/curl/curl/issues/20682#issuecomment-3949788664
Stefan Eissing [Fri, 6 Mar 2026 08:22:26 +0000 (09:22 +0100)]
dnscache: own source file, improvements
- Rename `Curl_resolv_unlink()` to `Curl_dns_entry_unlink()`.
- Change `Curl_dnscache_get()` to return CURLcode result. Returns
now `CURLE_COULDNT_RESOLVE_HOST` for "negative" cache entries.
- Add `Curl_dnscache_add_negative()` to put a "negative" entry
into the cache.
Stefan Eissing [Fri, 6 Mar 2026 09:10:55 +0000 (10:10 +0100)]
multi: improve wakeup and wait code
- Split WINSOCK and POSIX code in `multi_wait()` as the ifdef'ery
was becoming unreadable
- define `ENABLE_WAKEUP` to mean the wakeup socketpair is enabled,
no additional USE_WINSOCK check needed. Under WINSOCK
`ENABLE_WAKEUP` is not defined, so it's availability is as before
under the double defined() checks
- When the multi handle has "alive" transfers, the admin handle's
pollset include the wakeup receive socket. This results in the
admin handle running when someone uses `curl_multi_wakeup()`.
- Without any "alive" transfers, the wakeup socket is removed from
the pollset. Otherwise, event based processing would never finish,
eg. leave the event loop.
- The wakeup socket was never registered for event processing before,
e.g. `curl_multi_wakeup()` never worked in that mode.
- Adjust test exepectations on socket callback invocations and
number of sockets appearing in waitfds sets.
Stefan Eissing [Thu, 19 Mar 2026 09:33:08 +0000 (10:33 +0100)]
wolfssl: fix handling of abrupt connection close
A closed connection without TLS notify shutdowns, has been reported as a
correct EOF instead of an error. Fix the error handling in wolfSSL
backend receive handling.
Daniel Stenberg [Fri, 20 Mar 2026 16:28:03 +0000 (17:28 +0100)]
transfer: enable custom methods again on next transfer
`http_ignorecustom` is set on redirect handling but was not reset
between transfers, so once a redirect occurs in the new follow modes,
custom request methods were ignored for later transfers on the same
handle.
Daniel Stenberg [Thu, 19 Mar 2026 15:51:07 +0000 (16:51 +0100)]
x509asn1: fixed and adapted for ASN1tostr unit testing
- move defines to header file
- make bit2str require < 8 unused bits
- make bool strings stricter
- make UTime2str show + or - for custom time zones
- removed unused 'type' argument to ASN1tostr() function
- fix int2str for negative values. All values below 10000 are now shown
in decimal properly, also possibly negative values.
Viktor Szakats [Thu, 19 Mar 2026 13:47:12 +0000 (14:47 +0100)]
x509asn1: move declaration to header
Fixing clang-tidy warning:
```
tests/unit/unit1666.c:50:12: error: call to undeclared function 'encodeOID'; ISO C99 and later do not support implicit function declarations [clang-diagnostic-implicit-function-declaration]
50 | result = encodeOID(dbuf, oid, oid + spec->size);
| ^
```
Ref: https://github.com/curl/curl/actions/runs/23297585235/job/67749144361?pr=21008#step:46:736
Daniel Stenberg [Thu, 19 Mar 2026 08:55:46 +0000 (09:55 +0100)]
x509asn1: improve encodeOID
- return error on zero length input
- return error on OOM or doing too large output
- fix full 32-bit number support
- fix the broken handling of the first and second numbers
- support up to 32-bit minus 80 for the second number
- a field with a leading 0x80 is now considered an error, since it only
works as padding and is then no longer the shortest possible version
Add unit tests in 1666
Bonus: removed the last argument to OID2str() as it was always set TRUE.
Viktor Szakats [Wed, 18 Mar 2026 13:13:07 +0000 (14:13 +0100)]
rand: use `BCryptGenRandom()` in UWP builds
Also:
- fix build configuration to correctly set Win10 target in the mingw-w64
CI build, to enable the `BCryptGenRandom()` prototype in v6+ SDK
headers.
Stefan Eissing [Wed, 18 Mar 2026 10:37:18 +0000 (11:37 +0100)]
lib: always use Curl_1st_fatal instead of Curl_1st_err
Curl_1st_err() does not return the second error if the first result is
CURLE_AGAIN. This may cause errors to not become noticeable when they
should be.
Replace all use of Curl_1st_err() with Curl_1st_fatal(), which handles
CURLE_AGAIN as a not-a-real-error case.
Viktor Szakats [Thu, 12 Mar 2026 09:58:35 +0000 (10:58 +0100)]
gcc: guard `#pragma diagnostic` in core code for <4.6, disable picky warnings
Extend `#pragma diagnostic push`/`pop` guards to the whole codebase
(from tests and examples only) to disable it for GCC <4.6. Rename guard
to `CURL_HAVE_DIAG` and make it include llvm/clang to be interchangeable
with `__GNUC__ || __clang__` in this context.
The above means no longer disabling certain warnings locally, so pair
this with disabling all picky warnings for GCC <4.6.
Also:
- drop global workarounds for misbehaving GCC <4.6 compiler warnings.
Not needed with picky warnings disabled.
Ercan Ermis [Tue, 17 Mar 2026 08:47:24 +0000 (09:47 +0100)]
ftp: reject PWD responses containing control characters
A malicious or compromised FTP server could include control characters
(e.g. bare \r, or bytes 0x01-0x1f/0x7f) inside the quoted directory path
of its 257 PWD response. That string is stored verbatim as
ftpc->entrypath and later sent unescaped in a CWD command on connection
reuse via Curl_pp_sendf(), which performs no sanitization before
appending \r\n.
Reject the entire path if any control character is encountered during
extraction so that tainted data never reaches a subsequent FTP command.
Add test case 3217 and 3218 to verify. Adjusted test 1152 accordingly.
Daniel Stenberg [Tue, 17 Mar 2026 15:22:54 +0000 (16:22 +0100)]
tool_formparse: propagate my_get_line errors when reading headers
The read_field_headers() function would return "ok" even if the
underlying file read returned error, thus would the parent not become
aware of the problem.
projects / thirdparty / curl.git / log
