Viktor Szakats [Wed, 13 May 2026 16:20:33 +0000 (18:20 +0200)]
src: add `curlx_memzero()` to clear buffers securely
To safely zero memory, introduce `curlx_memzero()`, and map it to
`memset_s()` (C11) or `memset_explicit()` (C23) if auto-detected, or
`explicit_bzero()` or `explicit_memset()` for platforms opted-in, or
fall back to a local workaround if all unavailable. On Windows, always
use `SecureZeroMemory()`, or `SecureZeroMemory2()` with Visual Studio
and Windows SDK 10.0.26100.0+.
Details above are experimental and may change if they cause issues.
Also add macros/functions that zero memory before freeing a buffer:
- `curlx_safefreezero()`: for buffers with size.
- `curlx_safefreezeroz()`: for null-terminated buffers.
- `curlx_freezero()`: for buffers with size.
- `curlx_freezeroz()`: for null-terminated buffers.
`curlx_memzero()` must not be passed a NULL pointer because in some
implementations it is undefined behavior.
Also:
- curl_sha512_256: Replace hard-wired `explicit_memset()` call with new
`curlx_memzero()`.
Daniel Stenberg [Fri, 15 May 2026 15:04:26 +0000 (17:04 +0200)]
urlapi: consume trailing dots after IPv4 numerical addresses
If the hostname is specified as an IPv4 numerical address and it is
followed by a single dot, acccept that as a valid IPv4 and remove the
dot when normalizing.
This prevents otherwise legitimate IPv4 hostnames to have trailing dots.
Seems to match what browsers do.
Daniel Stenberg [Wed, 13 May 2026 22:06:03 +0000 (00:06 +0200)]
strparse: make curlx_str_until() accept zero for 'max'
When asked to parse for a string with max zero bytes, it will always
return error and no longer trigger an assert. This saves the caller from
having to check for this condition.
Viktor Szakats [Thu, 14 May 2026 12:35:21 +0000 (14:35 +0200)]
gsasl: fix potential double free
Also:
- require libgsasl 1.6.0+ (2010-12-14) for a `gsasl_finish()` that
handles a NULL argument.
Ref: https://gitlab.com/gsasl/gsasl/-/commit/b550032df8488a9ceaa3cfd4c634947d8f219717
Viktor Szakats [Thu, 14 May 2026 12:09:50 +0000 (14:09 +0200)]
GHA: explicitly `brew update` before `brew install` with Linuxbrew
Fixing:
```
==> Installing openssl@3 dependency: ca-certificates
==> Pouring ca-certificates--2026-05-14.all.bottle.tar.gz
Error: undefined method '[]' for nil
/home/linuxbrew/.linuxbrew/Homebrew/Library/Homebrew/utils/bottles.rb:127:in 'Utils::Bottles.load_tab'
/home/linuxbrew/.linuxbrew/Homebrew/Library/Homebrew/formula_installer.rb:1507:in 'FormulaInstaller#pour'
[...]
/home/linuxbrew/.linuxbrew/Homebrew/Library/Homebrew/brew.rb:114:in '<main>'
You have disabled automatic updates and have not updated today.
Do not report this issue until you've run `brew update` and tried again.
Error: Process completed with exit code 1.
```
Ref: https://github.com/curl/curl/actions/runs/25859030402/job/75984082148?pr=21607
Dropping `HOMEBREW_NO_AUTO_UPDATE=1` was not enough to fix it.
Daniel Stenberg [Wed, 13 May 2026 07:55:36 +0000 (09:55 +0200)]
snpego_sspi: preserve distinction btw policy-only and uncond delegation
CURLOPT_GSSAPI_DELEGATION exposes distinct modes:
CURLGSSAPI_DELEGATION_POLICY_FLAG is documented as delegating only when
OK-AS-DELEGATE policy permits it, while CURLGSSAPI_DELEGATION_FLAG is
unconditional. The new SSPI implementation checks for either bit and
sets ISC_REQ_DELEGATE, so a caller requesting policy-limited delegation
is put on the same SSPI path as unconditional delegation.
In addition, curl's existing protection that avoids reusing a connection
when the GSS delegation setting differs was guarded only by HAVE_GSSAPI;
SSPI-only builds now have an effective delegation option, but the
connection's delegation setting was neither copied nor compared. This
would cause Windows SSPI Negotiate/Kerberos authentication to delegate
credentials contrary to the caller's selected policy or reuse an
already-delegated authenticated connection for a transfer that requested
no delegation.
Stefan Eissing [Wed, 13 May 2026 10:02:48 +0000 (12:02 +0200)]
creds: add sasl service name
The SASL service name, used in authentication, is part of curl's credentials
when authenticating to a server/proxy. Make it part of `struct Curl_creds`.
Change code to use `creds` to obtain a service name. By tying creds used
to the connection, connection reuse is also only allowed when the service
name matches.
Daniel Stenberg [Tue, 21 Apr 2026 22:52:16 +0000 (00:52 +0200)]
curl: named globs in output file name for upload glob references
Use parts of text from the upload filename field when that uses globbing
by giving it a name the same way we do it for URL globs. For example, if
you upload three files to a HTTP URL and want to save the corresponding
responses in separate files:
Andrei Rybak [Tue, 12 May 2026 16:02:21 +0000 (18:02 +0200)]
VULN-DISCLOSURE-POLICY.md: remove mention of bug bounty reward
As a follow-up to commits ca7ef4b817 ("BUG-BOUNTY.md: we stop the
bug-bounty end of Jan 2026", 2026-01-22) and ed7bf43a08 ("BUG-BOUNTY.md:
minor rephrase to say there is no bug bounty", 2026-03-10), remove a
leftover mention of the reward for vulnerability reports, that no longer
exists, in file `VULN-DISCLOSURE-POLICY.md`.
Fixes #21571 Reported-by: Alan De Smet
Closes #21574
Stefan Eissing [Mon, 11 May 2026 12:25:52 +0000 (14:25 +0200)]
creds: hold credentials
Authorizdation credentials are kept in `struct Curl_creds`. This contains:
* `user`: the username, maybe the empty string
* `passwd`: the password, maybe the empty string
* `sasl_authzid`: the SASL authz value, maybe the empty string
* `oauth_bearer`: the OAUTH bearer token, maybe the empty string
* `source`: where the credentials from from
* `refcount`: a reference counter to link/unkink creds
A `creds` with all values empty is equivalent to NULL, e.g. no `creds`
instance. With reference counting, `creds` can be linked/unlinked
in several places.
Song X. Gao [Mon, 11 May 2026 16:45:15 +0000 (12:45 -0400)]
spnego_sspi: honor CURLOPT_GSSAPI_DELEGATION for Windows SSPI
Make CURLOPT_GSSAPI_DELEGATION effective on Windows builds that use SSPI
(instead of a native GSS-API implementation), so Kerberos delegation can
be requested during SPNEGO/Negotiate authentication.
Stefan Eissing [Mon, 11 May 2026 12:56:04 +0000 (14:56 +0200)]
event: fix wakeup consumption
The events on a multi wakeup socketpair were only consumed via
curl_multi_poll()/curl_multi_wait() but not in event based processing on
a curl_multi_socket() call. That led to busy loops as reported in
Fixes #21547 Reported-by: Earnestly on github
Closes #21549
Viktor Szakats [Tue, 12 May 2026 02:50:09 +0000 (04:50 +0200)]
gnutls: fix more nettle 4+ compatibility issues
- disable DES with nettle 4. It no longer supports it.
```
lib/curl_ntlm_core.c:67:12: fatal error: 'nettle/des.h' file not found
67 | # include <nettle/des.h>
| ^~~~~~~~~~~~~~
```
- fix MD4 support with nettle 4.
```
lib/md4.c:178:36: error: too many arguments to function call, expected 2, have 3
178 | md4_digest(ctx, MD4_DIGEST_SIZE, digest);
| ~~~~~~~~~~ ^~~~~~
```
- GHA/macos: stop enabling NTLM in the GnuTLS job.
It no longer builds due to missing DES support in nettle 4.
```
lib/curl_ntlm_core.c:90:4: error: "cannot compile NTLM support without a crypto library with DES."
90 | # error "cannot compile NTLM support without a crypto library with DES."
| ^
```
Ref: https://github.com/curl/curl/actions/runs/25710321195/job/75488970170?pr=21557
Kai Pastor [Sat, 9 May 2026 05:23:37 +0000 (07:23 +0200)]
cmake: export/forward `NGTCP2_CRYPTO_BACKEND`
Exporting the component name as passed in is somewhat boring. OTOH it is
convenient for reuse.
- FindNGTCP2: export crypto backend in `NGTCP2_CRYPTO_BACKEND`.
- pass `COMPONENTS` `NGTCP2_CRYPTO_BACKEND` in `curl-config.cmake`.
- FindNGTCP2: fix to skip Config detection when optional `COMPONENTS` is
not passed.
amitbidlan [Mon, 11 May 2026 13:39:53 +0000 (22:39 +0900)]
hostip: remove unused MAX_HOSTCACHE_LEN and MAX_DNS_CACHE_SIZE
These macros are leftovers from when DNS caching was moved out of
hostip.c into its own source file. Both are still defined and used in
lib/dnscache.c; the copies in lib/hostip.c are unreferenced.
Daniel Stenberg [Sat, 2 May 2026 20:50:10 +0000 (22:50 +0200)]
lib: drop support for CURLAUTH_DIGEST_IE
This bit was used to do Digest authentication like Internet Explorer
before version 7 (released on October 18, 2006). Presumably no one uses
this anymore and since it is hard to use and does broken auth, starting
in 8.21.0 this bit does nothing (except setting the actual Digest bit).
Kai Pastor [Fri, 8 May 2026 15:21:52 +0000 (17:21 +0200)]
cmake: fix zstd CMake config name
They install `zstdConfig.cmake`,
https://github.com/facebook/zstd/blob/885c79ba4ae8345e006f61bc97b270d4cf7ff076/build/cmake/CMakeModules/ZstdPackage.cmake#L33-L38.
With the `Config.cmake` pattern, this is a case-sensitive package name,
`zstd`.
When detecting these dependencies via CMake Config and their main
imported target is undefined, automatically assume and use their static
imported target instead.
Adopting from vcpkg downstream, where it's done for nghttp3 and ngtcp2,
but not for nghttp2.
Daniel Stenberg [Thu, 7 May 2026 15:45:48 +0000 (17:45 +0200)]
tool_urlglob: avoid overflow at end of range
Due to how the range span globbing code works, a range that ends with 9223372036854775807 (the maximum signed 63 bit value) cannot be used as
it triggers an integer overflow.
Stefan Eissing [Thu, 7 May 2026 08:30:07 +0000 (10:30 +0200)]
url: fix connection reuse for starttls protocols
When a connection is tested for reuse in a transfer that *may* upgrade
to TLS (commonly via STARTTLS), the SSL configuration must match the
existing connection.
Stefan Eissing [Wed, 6 May 2026 11:44:16 +0000 (13:44 +0200)]
auth: cleanups
- rename `req->proxyuserpwd` to `req->hd_proxy_auth`
- rename `req->userpwd` to `req->hd_auth`
- rename parameter `proxytunnel` to `is_connect` for Curl_http_output_auth()
- move path+query concatenation into Curl_http_output_auth(), saving an alloc when no auth is in play
- rename `H1_HD_USER_AUTH` into `H1_HD_AUTH`
Daniel Stenberg [Thu, 7 May 2026 07:04:55 +0000 (09:04 +0200)]
url: remove ssh_config_matches
The CURLOPT_SSH_HOST_PUBLIC_KEY_* options are documented to verify the
host at connect time and not for connection reuse. Once the SSH host has
been deemed okay, it remains okay as long as the connection survives.
In addition: this function currently always returned TRUE since the
pointers have been NULLed in the SSH backend code before this function
is called.
parasol-aser [Thu, 7 May 2026 03:53:34 +0000 (03:53 +0000)]
tool1622: assert width and exact format boundaries
Convert the silent "was too long!" diagnostics in the timebuf and
max5data width loops into fail_unless assertions, so a regression in
output width fails the unit test directly instead of only printing.
Add small exact-output tables that probe format-transition boundaries
not necessarily hit by the geometric value sweep: the 99999/100000
suffix kick-in for max5data, and the 6d/01h, 51m, 136y, and >99999y roll
points for timebuf.
Daniel Stenberg [Wed, 6 May 2026 21:59:22 +0000 (23:59 +0200)]
mbedtls: null terminate the private key blob
Unfortunately, mbedtls_pk_parse_key() requires the data to be
null-terminated if the data is PEM encoded (even when provided the exact
length), so this function needs to make a copy that has one.
Stefan Eissing [Tue, 5 May 2026 10:58:22 +0000 (12:58 +0200)]
lib: introduce Curl_peer
`struct Curl_peer` keeps information about a communication endpoint
together. It will replace `conn->host` and `conn->conn_to_host` and
proxyinfo host. It will also become part of `struct ssl_peer`.
It has a reference counter, so an instance can be shared between
connections and filters.
Elminiates `conn->host` and `conn->connect_to_host`, used in the
proxyinfo structures. Passed to DNS resolution and socks filters, etc.
Pass peer to http proxy and socks tunnel filters. Use peer in dns filter
and resolving. Make `Curl_peer` a member in the `struct ssl_peer`.
projects / thirdparty / curl.git / log
