Viktor Szakats [Thu, 28 May 2026 20:22:32 +0000 (22:22 +0200)]
h3-proxy: fix callback return values, and a typo in tests
- replace literal -1 with `NGHTTP3_ERR_CALLBACK_FAILURE` in nghttp3
callback.
- replace `NGHTTP3_ERR_CALLBACK_FAILURE` with
`NGTCP2_ERR_CALLBACK_FAILURE` in ngtcp2 callbacks.
- test_60_h3_proxy: fix non-critical typo in symbol.
Stefan Eissing [Wed, 27 May 2026 14:50:18 +0000 (16:50 +0200)]
h3-proxy: fixes around H3 proxy
code:
- less exception handling in existing code
- true ip happy eyeballing
- enable certificate verification
- cf-h2-proxy: abort connection when server closed connection
tests:
- remove all --insecure and --proxy-insecure args
- make session reuse test_60_12 a working one
- resolve port conflicts between h2o and nghttpx
- use proxy args better
- make test_60_06 run shorter
- kill h2o at the end of tests, normal stop takes too long
Viktor Szakats [Wed, 27 May 2026 21:56:50 +0000 (23:56 +0200)]
GHA: enable H3 proxy in CI, also enable h2o tests on Linux
Also:
- GHA/http3-linux: enable deprecated APIs in openssl-prev local
OpenSSL builds. Required by h2o and its vendored dependencies.
Tried OpenSSL 4, LibreSSL 4.x, BoringSSL: all failed at one point.
- GHA/http3-linux: build h2o from source.
libuv1-dev may not be stricly required.
Tried installing libwslay-dev, but it wasn't recognized.
Also disable building h2o libs for a much smaller dist directory and
slightly faster build.
Sadly, h2o is not versioned, so I pinned to the current latest commit
at the master branch. It advertises itself as 2.3.0-DEV in pytest.
- drop redundant `libnghttp3` installs. Remains of openssl-quic builds.
Follow-up to 6aaac9dd388a64d0f511544496608693e1105d13 #20226
Note GHA/macos pytests may or not not be stable with the H3 proxy tests.
Aritra Basu [Thu, 28 May 2026 00:35:44 +0000 (20:35 -0400)]
tests/http: fix HTTP/3 proxy pytest failures with h2o
Fix pytest failures in HTTP/3 proxy tests when h2o is not installed,
misconfigured, or fails to start at runtime.
This prevents:
- FileNotFoundError when h2o document root does not exist
- Fixture setup errors when h2o is configured but cannot start
- Unused test data file creation when h2o is absent or broken
- CI aborts on systems where h2o exists but is not runnable
ambikeesshh [Fri, 22 May 2026 18:57:18 +0000 (00:27 +0530)]
cf-socket: set scope_id for IPv6 link-local addresses
When connecting to an mDNS hostname that resolves to an IPv6 link-local
address, connect() fails with EINVAL because sin6_scope_id is 0. This is
a regression since 8.20.0 where the threaded resolver started splitting
A and AAAA queries into separate getaddrinfo calls. The AAAA-only call
with PF_INET6 may not set scope_id on systems where the same call with
PF_UNSPEC did.
When the resolver does not provide scope_id for a link-local address,
try to determine it from the system's network interfaces using
getifaddrs(). Also add scope_id to verbose connect output so the value
can be seen in curl -v logs.
Built and tested locally on Linux. checksrc passes.
Viktor Szakats [Wed, 27 May 2026 20:40:50 +0000 (22:40 +0200)]
pytest: re-enable test test_05_01 and test_05_02 for quiche 0.29.0+
The upstream issue seems to have been fixed or mitigated in quiche
v0.29.0. Though the original upstream report and patch remain open at
the time of writing this.
Viktor Szakats [Wed, 27 May 2026 16:06:51 +0000 (18:06 +0200)]
lib1560: fix to propagate failure from `get_nothing()`
Also:
- check `curl_url()` for NULL where missing.
- free memory `curl_url_get()` return pointer where missing.
- propagate `curl_url_set()` errors in `clear_url()`, where missing.
- add missing NULL-check before `strcmp()` in `clear_url()`.
Viktor Szakats [Wed, 27 May 2026 08:21:24 +0000 (10:21 +0200)]
curl_sha512_256: fix result code on error
Replace result code `CURLE_SSL_CIPHER` with
`CURLE_BAD_FUNCTION_ARGUMENT` in case of a low-level digest function
fails. Functionality is related to vauth, not SSL, and the operation is
a digest, not a cipher.
Viktor Szakats [Wed, 20 May 2026 10:20:10 +0000 (12:20 +0200)]
tidy-up: miscellaneous
- H3 proxy: re-sync code with original source `curl_ngtcp2.c` to reduce
differences, and to apply missed minor fixes. Also apply clang-format.
Drop redundant `#undef`s, casts, `#endif` comments, includes, drop
intermediate variables, sync include and macro order.
Follow-up to e78b1b3eccfa6a2e367a1225ea1b66dafcdac3c4 #21153
- INSTALL-CMAKE.md: move `CURL_ENABLE_SMB` to the enable section.
- tests/http/env: rename `tcpdmp` to `tcpdump` to match object variable.
- mbedtls: drop incorrect `mbedTLS 4+` comments.
(features are also supported by 3+, meaning it's always supported.)
- lib1648: rename a variable to match purpose.
- CIPHERS.md: alpha-sort link list.
- replace rare `X''` hex markup with `0x`.
- `IP v4/6` -> `IPv4/6`.
- 'version X.Y' -> 'vX.Y', where sensible.
- 'VX.Y' -> 'vX.Y', where sensible.
- fix indents, casing, newlines, typos.
Stefan Eissing [Tue, 26 May 2026 13:59:09 +0000 (15:59 +0200)]
content_encoding: timeout during slow decoding
Check during transfer/content decoding for every MB or so, if the
transfer has reached its overall time limit. Error out if so.
This is mainly a protectin against compression bombs using way more time
than the transfer is allowed to. Normal compression ratios are unlikely
to benefit as they need more upstream data where the timeout handling is
already in place.
Joshua Rogers [Tue, 19 May 2026 14:16:12 +0000 (16:16 +0200)]
gtls: fix ignored return and uninitialized status in OCSP check
gnutls_ocsp_resp_get_single() was called with (void) discarding its
return value, so a failure (e.g. an OCSP response with no
SingleResponse entries) went undetected. The following switch() then
read an uninitialized gnutls_ocsp_cert_status_t, which is undefined
behaviour and could yield GNUTLS_OCSP_CERT_GOOD (0) depending on
stack contents, causing gtls_verify_ocsp_status to return CURLE_OK for
a response that was never successfully parsed.
Fix by initializing status to GNUTLS_OCSP_CERT_UNKNOWN and treating a
negative return from gnutls_ocsp_resp_get_single as an error.
HTTP/3: add proxy CONNECT and MASQUE CONNECT-UDP support (ngtcp2 QUIC)
This patch adds two major proxy capabilities to curl (ngtcp2 QUIC):
- HTTP/3 Proxy CONNECT: Tunnel HTTP/1.1 or HTTP/2 traffic through an
HTTPS proxy that speaks HTTP/3 (QUIC) using the standard CONNECT
method over an HTTP/3 connection.
- MASQUE CONNECT-UDP: Tunnel HTTP/3 (QUIC) traffic through an HTTP
proxy (speaking HTTP/1.1, HTTP/2, or HTTP/3) using the extended
CONNECT method with the CONNECT-UDP protocol (RFC9297 & RFC9298).
Public API additions:
- `CURLPROXY_HTTPS3`: new proxy type constant for HTTP/3 proxy
- `--proxy-http3`: new CLI flag to negotiate HTTP/3 with HTTPS proxy
The implementation adds two new filters:
- `H3-PROXY` - enables negotiating HTTP/3 (QUIC) to the proxy and
running CONNECT/CONNECT-UDP through that proxy transport.
- `CAPSULE` - dedicated filter inserted between QUIC transport and
HTTP-PROXY to handle datagram capsule encapsulation/decapsulation.
Here is how the curl filter chaining looks in different scenarios:
- HTTP/3 Proxy CONNECT (tunneling TCP protocols over QUIC proxy):
conn -> HTTP/1.1 or HTTP/2 -> SSL -> HTTP-PROXY ->
H3-PROXY -> HAPPY-EYEBALLS -> UDP
- MASQUE CONNECT-UDP (tunneling QUIC over any proxy):
conn -> HTTP/3 -> CAPSULE -> HTTP-PROXY -> H3-PROXY ->
HAPPY-EYEBALLS -> UDP
conn -> HTTP/3 -> CAPSULE -> HTTP-PROXY -> H1-PROXY or H2-PROXY ->
SSL -> HAPPY-EYEBALLS -> TCP
- Both features currently require the ngtcp2 QUIC backend.
- Both features are experimental (disabled by default). Enable with
`--enable-proxy-http3`(autotools) or `-DUSE_PROXY_HTTP3=ON`(CMake).
Tests:
- tests/unit/unit3400.c: Unit tests for capsule protocol encode/decode
- tests/http/test_60_h3_proxy.py: Comprehensive pytest integration suite
- tests/http/testenv/h2o.py: Managing h2o instances with HTTP/1.1, HTTP/2,
and HTTP/3 (QUIC) listeners, proxy.connect and proxy.connect-udp enabled.
References:
RFC 9297 - HTTP Datagrams and the Capsule Protocol
RFC 9298 - Proxying UDP in HTTP
RFC 9000 §16 — Variable-Length Integer Encoding
Viktor Szakats [Tue, 26 May 2026 09:40:15 +0000 (11:40 +0200)]
GHA: fix locale tests on macOS, extend to verify test 1981
- fix macOS locale tests to clear existing variables.
(Without this, the system-defined `LC_ALL` takes precedence, and
the custom envs in CI are ignored.)
- trigger test 1981 issue by setting `LC_TIME` to non-English, on macOS.
(On Linux it'd require explicitly installing a non-English locale, I
skipped this for simplicity.)
```
[...]
-Time: 01/Aug/2025 08:31:43.037103 +0000 UTC[CR][LF]
+Time: 01/ao%c3%bb/2025 08:31:43.037103 +0000 UTC[CR][LF]
[...]
FAIL 1981: '%time output with --write-out' HTTP, HTTP GET
```
Follow-up to 90a7732d467eae7c5a59fc07c5a072970926f8c6 #21749
Viktor Szakats [Tue, 26 May 2026 13:56:27 +0000 (15:56 +0200)]
GHA: verify tarball downloads
Detect latest tarball version via the https://curl.se/downloads.html
page, download the signing key from a public keyserver then verify
source download signatures.
Viktor Szakats [Tue, 26 May 2026 11:22:20 +0000 (13:22 +0200)]
GHA: bump LibreSSL to 4.3.2
Also switch back to ftp.openbsd.org download server. More often than not
the GitHub release entry is missing the download artifacts at the time
of detecting a new version, breaking automatic bumps. We cache the
download so it does not bang the origin server with many requests.
Viktor Szakats [Sat, 23 May 2026 09:05:27 +0000 (11:05 +0200)]
quiche: bump cloudflare/quiche to v0.29.0, update pytest workaround
Also:
- drop no longer necessary quiche build workaround.
- update build for boringssl's new location (since v0.29.0, it's no
longer vendored) within the quiche tree.
- move boringssl install dir out of quiche tree, and shorten it.
Max Dymond [Sun, 24 May 2026 08:02:33 +0000 (09:02 +0100)]
KNOWN_BUGS: remove stale Threads::Threads entry
The old CMake bug about exporting -lpthread instead of Threads::Threads
no longer matches current master. As of 2d546d239ecd455b6459e68b85ef8d4b045c0a00
("cmake: use Threads::Threads imported target for POSIX Threads"),
the build now uses Threads::Threads and the generated CMake package
config resolves the dependency explicitly, so this KNOWN_BUGS entry is stale.
Joshua Rogers [Fri, 22 May 2026 07:59:17 +0000 (09:59 +0200)]
schannel: error on TLS 1.3-only with cipher list
The legacy SCHANNEL_CRED path cannot negotiate TLS 1.3. When TLS 1.3
is the only enabled protocol and a cipher list is set, fail instead of
silently downgrading to TLS 1.2.
Stefan Eissing [Fri, 22 May 2026 07:11:41 +0000 (09:11 +0200)]
http2: remove stream dependency tracking
The HTTP/2 feature is deprecated, few servers implement it and our
implementation is complicated by its state management. Make the two
CURLOPT_* involved a nop and deprecate them.
It may replace existing pedantic check, if this level isn't bringing
false-positives or annoyance. Officially it's not meant for CI, but curl
has been passing this in the last couple of months when checked locally.
Viktor Szakats [Thu, 21 May 2026 02:21:33 +0000 (04:21 +0200)]
units: tidy up begin/end blocks
- use `UNITTEST_BEGIN_SIMPLE`/`UNITTEST_END_SIMPLE` where missing.
- drop redundant `(void)arg;` where using `UNITTEST_BEGIN*`.
- unit1636: drop redundant block after `UNITTEST_BEGIN*`.
- unit1609: fix typo in comment.
- unit1627: merge to `if`s.
Viktor Szakats [Thu, 21 May 2026 09:16:49 +0000 (11:16 +0200)]
multi: silence gcc 16 `-Wnull-dereference`, bump CI job to test
- GHA/windows: bump dl-mingw job from gcc 15 to 16.
- multi: silence warning while building libcurlu:
```
In function 'multi_ischanged',
inlined from 'multi_socket.isra' at D:/a/curl/curl/lib/multi.c:3282:6:
D:/a/curl/curl/lib/multi.c:1710:17: error: null pointer dereference [-Werror=null-dereference]
1710 | bool retval = (bool)multi->recheckstate;
| ^~~~~~~~~~~~~~~~~~~~~~~~~
D:/a/curl/curl/lib/multi.c:1712:25: error: null pointer dereference [-Werror=null-dereference]
1712 | multi->recheckstate = FALSE;
| ^
```
Ref: https://github.com/curl/curl/actions/runs/26217071531/job/77142119137?pr=21707
- multi: silence another `-Wnull-dereference`, popping up in libcurl
with gcc 13 after the previous silencing:
```
In function 'Curl_multi_xfers_running',
inlined from 'multi_socket.isra' at ../../lib/multi.c:3292:28:
../../lib/multi.c:4132:15: error: null pointer dereference [-Werror=null-dereference]
4132 | return multi->xfers_alive;
| ~~~~~^~~~~~~~~~~~~
```
Ref: https://github.com/curl/curl/actions/runs/26218822231/job/77148186045
- multi: also add `DEBUGASSERT(multi)` to the two updated functions.
Dan Fandrich [Tue, 5 May 2026 03:48:52 +0000 (20:48 -0700)]
tests: add an assert to avoid IPC blocking
If so much data is being sent over the internal IPC pipe that the pipe
buffer fills and the syscall blocks, the program will hang. Add an
assert to ensure that this limit is never reached. The buffer size is
going to be different on different platforms, so choose 1KB which is
likely to be a reasonable lower bound on just about any system.
Currently, the maximum amount ever written is <100 bytes, so this should
provide plenty of headroom.
Prior to this change the revoke_best_effort setting for the proxy was
wrongly ignored in favor of the same setting for the destination host.
In other words, CURLSSLOPT_REVOKE_BEST_EFFORT set via
CURLOPT_PROXY_SSL_OPTIONS did not apply to the proxy and
CURLSSLOPT_REVOKE_BEST_EFFORT set via CURLOPT_SSL_OPTIONS wrongly
applied to the proxy.
Stefan Eissing [Tue, 19 May 2026 13:31:45 +0000 (15:31 +0200)]
cfilters: fix busy loop on blocked transfers
When a transfer gets paused after the connection has been established,
any data sitting in the kernel socket buffers will no longer get read.
Prevent the sockets form being added to the pollsets, because they
will trigger POLLIN endlessly and cause a busy poll loop. Same in event
based processing.
Reported-by: Harry Sintonen
Fixes https://github.com/curl/curl/issues/21671
Closes https://github.com/curl/curl/pull/21675
penpal [Fri, 15 May 2026 17:53:29 +0000 (23:38 +0545)]
sspi: clear SSPI credentials on AcquireCredentialsHandle failure
- Clear credentials on AcquireCredentialsHandle failure so it is not
used on a subsequent call.
SSPI initialization may evaluate the credentials pointer to determine
whether or not a prior call to AcquireCredentialsHandle was successful,
therefore we must clear it on a failed call.
Viktor Szakats [Wed, 20 May 2026 01:42:49 +0000 (03:42 +0200)]
GHA/non-native: drop DragonFlyBSD job, due to unreliable package repo updates
Example:
```
Wed, 20 May 2026 09:51:48 GMT Updating Avalon repository catalogue...
Wed, 20 May 2026 09:51:48 GMT pkg: An error occurred while fetching package: No error
Wed, 20 May 2026 09:51:48 GMT pkg: An error occurred while fetching package: No error
Wed, 20 May 2026 09:51:48 GMT repository Avalon has no meta file, using default settings
Wed, 20 May 2026 09:51:48 GMT pkg: An error occurred while fetching package: No error
Wed, 20 May 2026 09:51:48 GMT pkg: An error occurred while fetching package: No error
Wed, 20 May 2026 09:51:48 GMT pkg: An error occurred while fetching package: No error
Wed, 20 May 2026 09:51:48 GMT pkg: An error occurred while fetching package: No error
Wed, 20 May 2026 09:51:48 GMT Unable to update repository Avalon
Wed, 20 May 2026 09:51:48 GMT Error updating repositories!
Wed, 20 May 2026 09:51:48 GMT Error: Process completed with exit code 3.
```
As tested over at libssh2, retrying the install command also does not
help, only repeats the same failure.
Viktor Szakats [Tue, 19 May 2026 17:05:41 +0000 (19:05 +0200)]
GHA/non-native: move BSDs to a single matrix, add DragonFly and Midnight
- bump cross-platform-actions to v1.1.0.
Ref: https://github.com/cross-platform-actions/action/releases/tag/v1.1.0
- merge BSD jobs into a single matrix.
- split BSD jobs into build steps as used for other platforms.
A new feature of cross-platform-actions v1.1.0.
- sync BSD build steps with other platforms.
- add DragonFlyBSD and MidnightBSD to the BSD matrix.
New features of cross-platform-actions v1.1.0.
MidnightBSD uses GnuTLS to add variation, also the preinstalled
OpenSSL is too old (v1.1.1w) for curl.
Stick with autotools for DragonFlyBSD; I could not figure out how
to install cmake.
Refs:
https://en.wikipedia.org/wiki/DragonFly_BSD
https://en.wikipedia.org/wiki/MidnightBSD
- bump Intel FreeBSD jobs from v14.3 to v15.0.
- fix to show `gcc` in the NetBSD job name.
All these saved 50 lines of YAML. The two new jobs take 2m15s each. The
bump to FreeBSD 15 needs and extra minute in total.
Note, the DragonFlyBSD job seems to have reliability issues. If it
remains an issue, I'll comment it out or delete it in a future commit.
Viktor Szakats [Sat, 16 May 2026 16:58:47 +0000 (18:58 +0200)]
runner.pm: apply minor correctness fix
"Lines 244-245 overwrite global variables `$runnerr` and `$runnerw` that
were already assigned in the child process (lines 205-206). In the
parent process context, these assignments appear incorrect and could
cause issues if `runner_init` is called multiple times. The parent
should only store references in the controller hashes."
It could never cause an actual issue, but clarifies the intent of the
code.
Joshua Rogers [Tue, 19 May 2026 09:47:50 +0000 (11:47 +0200)]
tls: fix incomplete mTLS config in conn reuse and session cache
cert_type, key, key_type, key_passwd and key_blob lived in
ssl_config_data but not in ssl_primary_config, so they were invisible to
match_ssl_primary_config() and to the TLS session cache peer key.
Two easy handles sharing a connection pool could reuse each other's
authenticated connections when they differed only on SSLKEY, SSLKEYTYPE,
KEYPASSWD, SSLCERTTYPE or SSLKEYBLOB. The second handle would silently
inherit the first handle's authenticated identity.
Promote all five fields into ssl_primary_config so the conn-reuse
predicate and session cache key cover the complete client credential
set. Also replace the fixed ":CCERT" session cache marker with the
actual clientcert path so sessions are not shared across different
client certificates.
Viktor Szakats [Mon, 18 May 2026 16:38:25 +0000 (18:38 +0200)]
docs: tidy-up scheme references
After this patch `://` schemes are lowercase and enclosed in backticks.
Also:
- docs/libcurl/libcurl-multi.md: drop a stray C code fence.
- docs/libcurl/libcurl-tutorial.md: replace single/double quotes with
Markdown markup where applicable.
projects / thirdparty / curl.git / log
