Seen in curl-for-win daily, building against libssh2 1.11.2_DEV:
```
curl-for-win/curl/lib/vssh/libssh2.c:2644:9: warning: 'libssh2_scp_send_ex' is deprecated:
since libssh2 1.2.6. Use libssh2_scp_send64() [-Wdeprecated-declarations]
2644 | SCP_SEND(sshc->ssh_session, sshp->path, data->set.new_file_perms,
```
Ref: https://github.com/curl/curl-for-win/actions/runs/13229370277/job/36924363438#step:3:5805
Follow-up to 553248f501#16199Closes#16291
Default curl unity builds make a single unit for each target. It means
all target sources are batched together and built in a single compiler
invocation. With multi-core CPUs this doesn't always result in the best
possible performance. This patch enables smaller batches for jobs where
this resulted in shorter build times. These jobs are Cygwin, MSYS2,
MinGW, running on the Windows runners.
Use batch of 30 (meaning 30 sources batched into units), and 32 for
Cygwin/MSYS2 to avoid a unity fallout that's subject to a different PR.
(CMake allows to set the number of sources per unit, not the number
of units, though the latter may be more practical to max out CPU cores.)
Also override to not batch the `curlu` target because batching lost
a little bit of time there, due to the already existing parallelism when
building the `testdeps` targets.
For jobs on the macOS and Linux runners jobs were already mostly single
digit or below teen seconds, and batching didn't improve on them
noticeably. On VM jobs, the virtual CPUs are limited, so I didn't
make a try. In AppVeyor and GHA vcpkg jobs (using msbuild), batching
didn't result in conclusive or any gains.
Build times in seconds (curl + testdeps):
Job | Before | After w curlu=0 | Gain
:--------------------| :-------------- | :-------------- | :---
cygwin, CM | 19 + 32 = 51 | 12 + 32 = 44 | 7
msys2, CM | 7 + 15 = 22 | 5 + 14 = 19 | 3
mingw gcc U, CM | 19 + 30 = 49 | 13 + 32 = 45 | 4
mingw ucrt, CM | 32 + 42 = 74 | 15 + 43 = 58 | 16
mingw clang, CM | 15 + 21 = 36 | 8 + 21 = 29 | 7
mingw uwp, CM | 30 + 40 = 70 | 14 + 40 = 54 | 16
mingw gcc, CM | 20 + 31 = 51 | 12 + 31 = 43 | 8
mingw x86, CM | 35 + 40 = 75 | 15 + 38 = 53 | 22
dl-mingw, CM 9.5.0 | 88 + 99 = 187 | 42 + 101 = 143 | 44
dl-mingw, CM 7.3.0 U | 24 + 32 = 56 | 17 + 35 = 52 | 4
Total | | | 131
Total gain per GHA/windows workflow runs: 2m11s
Runs:
Before: https://github.com/curl/curl/actions/runs/13220256084/job/36904342259
After: https://github.com/curl/curl/actions/runs/13220383702/job/36904602981https://github.com/curl/curl/actions/runs/13220613141/job/36905170104https://github.com/curl/curl/actions/runs/13222019443/job/36908358550
With curlu tweak: https://github.com/curl/curl/actions/runs/13222239255/job/36908782462
Ref: 116950a250#16265Closes#16272
LibreSSL headers emit this warning because we included `wincrypt.h`
before them. We have to include `wincrypt.h` before OpenSSL headers
to avoid symbol collisions when using other forks. LibreSSL 3.8.2+
offers a macro to silence its warnings to avoid this issue. This patch
sets it.
This allows to stop setting this macro in curl-for-win builds.
Warnings seen with MinGW with cmake non-unity (also unity batch=30):
```
[156/219] Building C object lib/CMakeFiles/libcurl_object.dir/vtls/openssl.c.obj
In file included from lib/vtls/openssl.h:35,
from lib/vtls/openssl.c:53:
dep/libressl-win-x64/include/openssl/ossl_typ.h:90:2: warning: #warning overriding WinCrypt defines [-Wcpp]
90 | #warning overriding WinCrypt defines
| ^~~~~~~
In file included from dep/libressl-win-x64/include/openssl/pem.h:71,
from dep/libressl-win-x64/include/openssl/ssl.h:151,
from lib/vtls/openssl.h:36:
dep/libressl-win-x64/include/openssl/x509.h:108:2: warning: #warning overriding WinCrypt defines [-Wcpp]
108 | #warning overriding WinCrypt defines
| ^~~~~~~
In file included from dep/libressl-win-x64/include/openssl/x509.h:319:
dep/libressl-win-x64/include/openssl/pkcs7.h:77:2: warning: #warning overriding WinCrypt defines [-Wcpp]
77 | #warning overriding WinCrypt defines
| ^~~~~~~
```
Ref: https://github.com/libressl/portable/issues/910
Ref: https://github.com/libressl/portable/pull/924
Ref: e7fe6caab2
Ref: 760ccfcc91Closes#16273
When the c-ares setup fails and we get a NULL channel, the resolve still
continues and we just need to survive it and just not get any HTTPS RR.
Reported-by: nono303 on github
Fixes#16216Closes#16244
Keeping the relevant 'ssl_scache' in 'data->state' leads to problems
when the owner of the cache is cleaned up and this reference is left
dangling.
Remove the ref entirely and always find the ssl_scache at the current
share or multi.
Folded in #16260 (test 3208) to verify this fixes the bug with a
dangling reference when an easy handle is used with easy_perform first
and in a multi_perform after.
Ref: #16236Closes#16261
Some of the 'goto fail' situations could happen without having
initialized the local variables referenced in the error code flow.
Reported-by: Marcel Raad
Fixes#16246Closes#16251
The eventfd manpage says:
A write(2) fails with the error EINVAL if the size of the supplied
buffer is less than 8 bytes
When doing x32 on a 64-bit system, pointers are still four bytes so this
code must not use the size of a pointer but the size of a 64-bit type.
Fixes#16237
Reported-by: Jan Engelhardt
Closes#16239
With `CURL_DISABLE_SOCKETPAIR` defined and `USE_HTTPSRR_ARES`
undefined, the local variable `socketi` was unused.
This fixes a regression from commit 0d4fdbf15d.
Closes https://github.com/curl/curl/pull/16179
OpenSSL QUIC method errors on setting TLSv1.2 ciphers, where other
methods do not.
Refrain setting --ciphers when min TLS version is 1.3 or higher.
Refrain setting --tls13-ciphers when max TLS version is less than 1.3.
Add 2 test cases.
Fixes#16232
Reported-by: zzq1015 on github
Closes#16235
- add VS2019 job, with Schannel + OpenSSL 1.0.2.
First MultiSSL job here and add the last missing modern VS version.
- fix builds with mixed ALPN capabilities in MultiSSL unity builds.
Caused by reusing `HAS_ALPN` between TLS modules without
resetting it. Fix it by using unique names for each backend.
- merge a VS2010 job into a VS2012. With MultiSSL and x86 OpenSSL.
- make a job static.
- fix `Shared`/`Static` in a job name.
- add `Shared` to job names.
Closes#16231
There were two places in the code that tried to connect the SSL filter,
e.g. do the TLS handshake, but only one changed imap state to CAPA
afterwards.
Depending on timing, the wrong path was taken and the connection was
hanging, waiting for a server reply to a command not sent.
Do the upgrade to tls in one place and update connection filter and
smtps protocol handler at the same time. Always transition to CAPA on
success.
Closes#16213
There were two places in the code that tried to connect the SSL filter,
e.g. do the TLS handshake, but only one changed pop3 state to CAPA
afterwards.
Depending on timing, the wrong path was taken and the connection was
hanging, waiting for a server reply to a command not sent.
Do the upgrade to tls in one place and update connection filter and
smtps protocol handler at the same time. Always transition to CAPA on
success.
Ref: #16166Closes#16208
There were two places in the code that tried to connect the SSL filter,
e.g. do the TLS handshake, but only one changed stmp state to EHLO
afterwards.
Depending on timing, the wrong path was taken and the connection was
hanging, waiting for a server reply to a command not sent.
Do the upgrade to tls in one place and update connection filter and
smtps protocol handler at the same time. Always transition to EHLO on
success.
Fixes#16189
Reported-by: Christian Schmitz
Closes#16206
The latest copy I could find at:
https://beta.novell.com/developer/ndk/ldap_libraries_for_c.html
is from 2016-Feb-03, available for Linux and Windows.
I built curl against the Windows package with CMake:
https://sdk.suse.com/ndk/cldap/builds/2016/openldapsdk-devel-windows64-2016-01-28.zip
(It comes with OpenSSL 1.0.1q-fips (2015-Dec-03) binaries.)
CMake identified it as OpenLDAP and built with it as expected:
```
curl 8.12.0-DEV (x86_64-w64-mingw32) libcurl/8.12.0-DEV Schannel OpenLDAP/2.4.37
Release-Date: [unreleased]
Protocols: dict file ftp ftps gopher gophers http https imap imaps ipfs ipns ldap ldaps mqtt pop3 pop3s rtsp smb smbs smtp smtps telnet tftp ws wss
Features: alt-svc AsynchDNS HSTS HTTPS-proxy IPv6 Kerberos Largefile NTLM SPNEGO SSL SSPI threadsafe UnixSockets
```
Since it identified it as OpenLDAP (`lib/openldap.c`), the branch
deleted in this PR (`lib/ldap.c`) wasn't reached. Thus, defining
the `CURL_HAS_NOVELL_LDAPSDK` also made no difference in the build.
This suggests the code guarded by it is now orphan and unnecessary.
Novell NetWare builds were another user, but we dropped support for them
in 2022: 3b16575ae9#8358Closes#16176
libssh 0.9.0 was shipped on June 28 2019 and is the first version
featuring the knownhosts API
Drop libssh from the GHA/linux-old CI job since it gets a libssh 0.7.3
version, too old for us now.
Closes#16200
Made the netrc parser return a more consistent set of error codes and
error messages, and also return error properly if the .netrc file is
missing.
Add test 697 to verify error on missing netrc file.
Fixes#16163
Reported-by: arlt on github
Closes#16165
The previous runtime check using strcmp() risks failing when zlib
reaches 1.10. While this instead changes the logic to a cruder
build-time instead of runtime, it avoids the 1.10 risk.
I verified that ZLIB_VERNUM has been provided since at least the 1.2.0.3
release.
1.2.0.4 was released on 10 August 2003.
Reported-by: Fay Stegerman
Closes#16202
Seen with GCC 13 with Windows x86:
```
lib/vssh/libssh.c: In function 'myssh_statemach_act':
lib/vssh/libssh.c:1851:41: error: conversion from 'curl_off_t' {aka 'long long int'} to 'size_t' {aka 'unsigned int'} may change value [-Werror=conversion]
1851 | data->state.infilesize,
| ~~~~~~~~~~~^~~~~~~~~~~
```
Ref: https://github.com/curl/curl/actions/runs/13161422041/job/36737994642?pr=16182#step:3:5111Closes#16194
Include `netinet/in.h` for FreeBSD/OpenBSD. Also include `sys/socket.h`
just in case, based on earlier code in `tests/libtest/lib1960.c`.
Also:
- document these in `CMakeLists.txt`.
- add a CI job testing FreeBSD with no unity and no test bundles.
(without running tests to keep it fast)
FreeBSD (autotools):
```
../../../tests/libtest/lib1960.c:66:22: error: variable has incomplete type 'struct sockaddr_in'
66 | struct sockaddr_in serv_addr;
| ^
../../../tests/libtest/lib1960.c:66:10: note: forward declaration of 'struct sockaddr_in'
66 | struct sockaddr_in serv_addr;
| ^
```
Ref: https://github.com/curl/curl/actions/runs/13159721509/job/36725114118?pr=16188#step:3:5289
OpenBSD (cmake):
```
/home/runner/work/curl/curl/tests/libtest/lib1960.c:66:22: error: variable has incomplete type 'struct sockaddr_in'
struct sockaddr_in serv_addr;
^
/home/runner/work/curl/curl/tests/libtest/lib1960.c:66:10: note: forward declaration of 'struct sockaddr_in'
struct sockaddr_in serv_addr;
^
1 error generated.
```
Ref: https://github.com/curl/curl/actions/runs/13159721509/job/36725102004?pr=16188#step:3:2166
Reported-by: CueXXIII on Github
Fixes#16184
Follow-up to a3585c9576#15543Closes#16188
By removing 'data' from the thread struct and passing it in as an
argument we avoid the case it could be dereferenced before stored when
shutting down HTTPS RR.
Also reordered the struct fields a little to remove holes.
Closes#16169
Before this patch it returned `CURLE_FAILED_INIT` on init failures, with
the value of 2. Fix it to return `false`.
Seen with clang 18.1.8:
```
../lib/transfer.c(181,12): warning: integer constant not in range of enumerated type 'bool' [-Wassign-enum]
181 | return CURLE_FAILED_INIT;
| ^
../lib/transfer.c(181,12): warning: implicit conversion from enumeration type 'CURLcode' to different enumeration type 'bool' [-Wenum-conversion]
181 | return CURLE_FAILED_INIT;
| ~~~~~~ ^~~~~~~~~~~~~~~~~
../lib/transfer.c(183,12): warning: integer constant not in range of enumerated type 'bool' [-Wassign-enum]
183 | return CURLE_FAILED_INIT;
| ^
../lib/transfer.c(183,12): warning: implicit conversion from enumeration type 'CURLcode' to different enumeration type 'bool' [-Wenum-conversion]
183 | return CURLE_FAILED_INIT;
| ~~~~~~ ^~~~~~~~~~~~~~~~~
```
Follow-up to 35bf766280#14253Closes#16170
As reported in #16166, the STLS hangs with the check for SSL connection
filters, but is working with the old protocol handler way. Revert the
change, although it is unclear why it was no good here.
Fixes#16166
Reported-by: ralfjunker on github
Closes#16172
We don't pursue this, and the necessary `#pragma` got in the way of
compiling curl with gcc 4.2 and older. Drop the logic completely.
Follow-up to 8a266ac488#15939
Reported-by: prpr19xx on Github
Fixes#16152Closes#16157
For ASN.1 tags with indefinite length, curl's own parser for TLS
backends that do not support certificate inspection calls itself
recursively. A malicious server certificate can then lead to high
recursion level exhausting the stack space.
This PR limits the recursion level to 16 which should be safe on all
architectures.
Added unit test 1657 to verify behaviour.
Fixes#16135
Reported-by: z2_
Closes#16137
- replace deprecated `ares_init()` call with `ares_init_options()`.
Follow-up to 0d4fdbf15d#16054
- dedupe `CARES_STATICLIB` initalizations into `curl_setup.h`, to
ensure it's defined before the first (and every) `ares.h` include and
avoid a potential confusion.
- move `CARES_NO_DEPRECATED` from build level to `curl_setup.h`.
To work regardless of build system.
It is necessary because curl calls `ares_getsock()` from two places,
of which one feeds a chain of wrappers: `Curl_ares_getsock()`,
`Curl_resolver_getsock()`, `Curl_resolv_getsock()`.
Closes#16131
Before this patch this macro was used in `vtls/openssl.h` without
setting it first, causing the `keylog_done` member be present in
struct `ossl_ctx` while the code did not use it.
Follow-up to 3210101088#13172Closes#16105
RFC 6455 Section 5.2 notes that for bits RSV1, RSV2, and RSV3 of the
framing header, a non-zero value that is not defined by a negotiated
extension MUST Fail the WebSocket connection.
Test 2310 verifies
Closes#16069
- Use build-time CURL_DEFAULT_SSL_BACKEND as a fallback when environment
variable CURL_SSL_BACKEND contains a backend that is unavailable.
Prior to this change if CURL_SSL_BACKEND was set then
CURL_DEFAULT_SSL_BACKEND was ignored even if the backend of the former
was unavailable. In that case libcurl would instead select the first
available backend in the list of backends.
Bug: https://github.com/curl/curl/issues/16076#issuecomment-2617354254
Reported-by: Jeroen Ooms
Closes https://github.com/curl/curl/pull/16108
