Using the system's provided arpa/tftp.h and optimizing, GCC 12 detects
and reports a stringop-overread warning:
tftpd.c: In function ‘write_behind.isra’:
tftpd.c:485:12: warning: ‘write’ reading between 1 and 2147483647 bytes from a region of size 0 [-Wstringop-overread]
485 | return write(test->ofile, writebuf, count);
| ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
In file included from tftpd.c:71:
/usr/include/arpa/tftp.h:58:30: note: source object ‘tu_data’ of size 0
58 | char tu_data[0]; /* data or error string */
| ^~~~~~~
This occurs because writebuf points to this field and the latter
cannot be considered as being of dynamic length because it is not
the last field in the structure. Thus it is bound to its declared
size.
This commit always uses curl's own version of tftp.h where the
target field is last in its structure, effectively avoiding the
warning.
As HAVE_ARPA_TFTP_H is not used anymore, cmake/configure checks for
arpa/tftp.h are removed.
Closes#11897
The syntax was incorrect (need a proper main body), and the test
condition was wrong (resulting in a signed `time_t` detected as
unsigned).
Closes#11825
The library flags retrieved from pkg-config were later thrown out and
harded-coded, which negates the whole reason to use pkg-config.
Also, previously, the assumption was made that --libs-only-l and
--libs-only-L are the full decomposition of --libs, which is untrue and
would not allow linking against a static zlib. The new approach is
better in that it uses --libs, although only if --libs-only-l returns
nothing.
Bug: https://curl.se/mail/lib-2023-08/0081.html
Reported-by: Randall
Closes#11778
- with CMake, use the variable `WINDOWS_STORE` to detect an UWP build
and disable our non-UWP-compatible use the Windows crypto API. This
allows to drop two dynamic feature checks.
`WINDOWS_STORE` is true when invoking CMake with
`CMAKE_SYSTEM_NAME` == `WindowsStore`. Introduced in CMake v3.1.
Ref: https://cmake.org/cmake/help/latest/variable/WINDOWS_STORE.html
- with autotools, drop the separate feature check for `wincrypt.h`. On
one hand this header has been present for long (even Borland C 5.5 had
it from year 2000), on the other we used the check result solely to
enable another check for certain crypto functions. This fails anyway
with the header not present. We save one dynamic feature check at the
configure stage.
Reviewed-by: Marcel Raad
Closes#11657
Introduce a --enable-form-api configure option to control its inclusion
in builds. The condition name defined for it is CURL_DISABLE_FORM_API.
Form api code is dependent of MIME: configure and CMake handle this
dependency automatically: CMake by making it a dependent option
explicitly, configure by inheriting the MIME value by default and
rejecting explicit incompatible values.
"form-api" is now a new hidden test feature.
Update libcurl modules to respect this option and adjust tests
accordingly.
Closes#9621
... as otherwise the configure script will say it is OpenLDAP in the
summary, but not set the USE_OPENLDAP define, therefor not using the
intended OpenLDAP code paths.
Regression since 4d7385446 (7.85.0)
Fixes#11372Closes#11374
Reported-by: vlkl-sap on github
If you try to assign and export on the same line on some older /bin/sh
implementations, it complains:
```
$ export "NAME=value"
NAME=value: is not an identifier
```
This commit rewrites run-compiler's assignments and exports to work with
old /bin/sh, splitting assignment and export into two separate
statements, and only quote the value. So now we have:
```
NAME="value"
export NAME
```
While we're here, make the same change to the two supporting
assign+export lines preceeding the script to be consistent with how
exports work throughout the rest of configure.ac.
Closes#11228
Since ./configure and processes that inherit its environment variables
are the only callers of the run-compiler script, we can just save the
current value of the LD_LIBRARY_PATH and CC variables to another pair of
environment variables, and make run-compiler a static script that
simply restores CC and LD_LIBRARY_PATH to the saved value, and before
running the compiler.
This avoids having to inject the values of the variables in the script,
possibly causing problems if they contains spaces, quotes, and other
special characters.
Also add exports in the script just in case LD_LIBRARY_PATH and CC are
not already in the environment.
follow-up from 471dab2Closes#11182
Building for multilib failed, as the compiler command contains an
extra argument. That needs quoting.
Regression from b78ca50cb3Fixes#11179Closes#11180
AC_ARG_ENABLE seems to only trim off whitespace from the start and end
of its help-string argument, while prepending two spaces of indentation
to all lines.
This means that the two spaces of indentation between the --enable-rtsp
and the --disable-rtsp line were not removed causing ./configure --help
to print:
Optional Features:
[...]
--enable-rtsp Enable RTSP support
--disable-rtsp Disable RTSP support
I removed the indentation to fix the issue, now it prints:
Optional Features:
[...]
--enable-rtsp Enable RTSP support
--disable-rtsp Disable RTSP support
The --enable-hsts and --disable-hsts lines had the same problems, and
have been fixed too.
Closes#11142
in the CURL_RUN_IFELSE macro, with LD_LIBRARY_PATH set to the value of
the configure invoke, and not the value that might be used later,
intended for the execution of the output the compiler ouputs.
For example when the compiler uses the same library (like libz) that
configure checks for.
Reported-by: Jonas Bülow
Fixes#11114Closes#11120
- Makefile support for building test specific clients in tests/http/clients
- auto-make of clients when invoking pytest
- added test_09_02 for server PUSH_PROMISEs using clients/h2-serverpush
- added test_02_21 for lib based downloads and pausing/unpausing transfers
curl url parser:
- added internal method `curl_url_set_authority()` for setting the
authority part of a url (used for PUSH_PROMISE)
http2:
- made logging of PUSH_PROMISE handling nicer
Placing python test requirements in requirements.txt files
- separate files to base test suite and http tests since use
and module lists differ
- using the files in the gh workflows
websocket test cases, fixes for we and bufq
- bufq: account for spare chunks in space calculation
- bufq: reset chunks that are skipped empty
- ws: correctly encode frames with 126 bytes payload
- ws: update frame meta information on first call of collect
callback that fills user buffer
- test client ws-data: some test/reporting improvements
Closes#11006
curl now requires quiche version >= 1.17.1 to be used and this function
was added in this version and makes a convenient check.
This requirement is because this is the lowest quiche version that
supports peer-initiated key updates correctly.
Closes#10886
- make configure show on HTTP3 feature that both ngtcp2 and nghttp3
are in play
- define ENABLE_QUIC only when USE_NGTCP2 and USE_NGHTTP3 are defined
- add USE_NGHTTP3 in the ngtcp2 implementation
Fixes#10793Closes#10821
- added to: ngtcp2-quictls, ngtcp2-gnutls and the linux varians
quiche, bearssl, libressl, mbedtls, openssl3, rustls
- added disabled in ngtcp2-wolfssl due to weird SSL_connect() errors
not reproducable locally
Improvements on pytest:
- handling of systems with nghttpx in $PATH
- configure will seach $PATH got nghttpx used in pytest
- pytest fixes for managing nghttpx without h3 support
- ngtcp2-wolfssl: use a fully enabled wolfssl build
- lower parallel count for http/1.1 tests, since we do not
want to test excessive connections.
- check built curl for HTTPS-proxy support in proxy tests
- bearssl does not like one of our critical cert extensions, making
it non-critical now
- bearssl is too slow for test_12, skipping
- making sure we do h3 tests only when curl and server support is there
Closes#10699
Normally curl uses cryptographically strong random provided by the
selected SSL backend. If compiled without SSL support, a naive built-in
function was used instead.
Generally this was okay, but it will result in some downsides for non-
SSL builds, such as predictable temporary file names.
This change ensures that arc4random will be used instead, if available.
Closes#10672
Because automake used to delete depdirs at once (.deps) and there was an issue
with portability, curl's XC_AMEND_DISTCLEAN greps the Makefiles in an attempt
to build a list of all depfiles and delete them individually instead.
Since commit 08849db866b44510f6b8fd49e313c91a43a3dfd3, automake switched from
deleting directories to individual files. curl's custom logic now finds a lot
more results with the grep (the filtering of these results isn't great), which
causes a massive bloating of the Makefile in the order of O(n^2).
Also remove now-unused XC_AMEND_DISTCLEAN macro group
References: https://github.com/curl/curl/issues/9843
References: https://debbugs.gnu.org/cgi/bugreport.cgi?bug=59288
Reported-by: Ilmari Lauhakangas
Fixes#9843Closes#10661
- httpd is only one server we test with
- the suite coveres the HTTP protocol in general where
the default test cases need a more beefy environment
Closes#10654
New cfilter HTTP-CONNECT for h3/h2/http1.1 eyeballing.
- filter is installed when `--http3` in the tool is used (or
the equivalent CURLOPT_ done in the library)
- starts a QUIC/HTTP/3 connect right away. Should that not
succeed after 100ms (subject to change), a parallel attempt
is started for HTTP/2 and HTTP/1.1 via TCP
- both attempts are subject to IPv6/IPv4 eyeballing, same
as happens for other connections
- tie timeout to the ip-version HAPPY_EYEBALLS_TIMEOUT
- use a `soft` timeout at half the value. When the soft timeout
expires, the HTTPS-CONNECT filter checks if the QUIC filter
has received any data from the server. If not, it will start
the HTTP/2 attempt.
HTTP/3(ngtcp2) improvements.
- setting call_data in all cfilter calls similar to http/2 and vtls filters
for use in callback where no stream data is available.
- returning CURLE_PARTIAL_FILE for prematurely terminated transfers
- enabling pytest test_05 for h3
- shifting functionality to "connect" UDP sockets from ngtcp2
implementation into the udp socket cfilter. Because unconnected
UDP sockets are weird. For example they error when adding to a
pollset.
HTTP/3(quiche) improvements.
- fixed upload bug in quiche implementation, now passes 251 and pytest
- error codes on stream RESET
- improved debug logs
- handling of DRAIN during connect
- limiting pending event queue
HTTP/2 cfilter improvements.
- use LOG_CF macros for dynamic logging in debug build
- fix CURLcode on RST streams to be CURLE_PARTIAL_FILE
- enable pytest test_05 for h2
- fix upload pytests and improve parallel transfer performance.
GOAWAY handling for ngtcp2/quiche
- during connect, when the remote server refuses to accept new connections
and closes immediately (so the local conn goes into DRAIN phase), the
connection is torn down and a another attempt is made after a short grace
period.
This is the behaviour observed with nghttpx when we tell it to shut
down gracefully. Tested in pytest test_03_02.
TLS improvements
- ALPN selection for SSL/SSL-PROXY filters in one vtls set of functions, replaces
copy of logic in all tls backends.
- standardized the infof logging of offered ALPNs
- ALPN negotiated: have common function for all backends that sets alpn proprty
and connection related things based on the negotiated protocol (or lack thereof).
- new tests/tests-httpd/scorecard.py for testing h3/h2 protocol implementation.
Invoke:
python3 tests/tests-httpd/scorecard.py --help
for usage.
Improvements on gathering connect statistics and socket access.
- new CF_CTRL_CONN_REPORT_STATS cfilter control for having cfilters
report connection statistics. This is triggered when the connection
has completely connected.
- new void Curl_pgrsTimeWas(..) method to report a timer update with
a timestamp of when it happend. This allows for updating timers
"later", e.g. a connect statistic after full connectivity has been
reached.
- in case of HTTP eyeballing, the previous changes will update
statistics only from the filter chain that "won" the eyeballing.
- new cfilter query CF_QUERY_SOCKET for retrieving the socket used
by a filter chain.
Added methods Curl_conn_cf_get_socket() and Curl_conn_get_socket()
for convenient use of this query.
- Change VTLS backend to query their sub-filters for the socket when
checks during the handshake are made.
HTTP/3 documentation on how https eyeballing works.
TLS improvements
- ALPN selection for SSL/SSL-PROXY filters in one vtls set of functions, replaces
copy of logic in all tls backends.
- standardized the infof logging of offered ALPNs
- ALPN negotiated: have common function for all backends that sets alpn proprty
and connection related things based on the negotiated protocol (or lack thereof).
Scorecard with Caddy.
- configure can be run with `--with-test-caddy=path` to specify which caddy to use for testing
- tests/tests-httpd/scorecard.py now measures download speeds with caddy
pytest improvements
- adding Makfile to clean gen dir
- adding nghttpx rundir creation on start
- checking httpd version 2.4.55 for test_05 cases where it is needed. Skipping with message if too old.
- catch exception when checking for caddy existance on system.
Closes#10349
- adding '--with-test-httpd=<path>' to configure non-standard apache2
install
- python env and base classes for running httpd
- basic tests for connectivity with h1/h2/h3
- adding test cases for truncated responses in http versions.
- adding goaway test for HTTP/3.
- adding "stuttering" tests with parallel downloads in chunks with
varying delays between chunks.
- adding a curltest module to the httpd server, adding GOAWAY test.
- mod_curltest now installs 2 handlers
- 'echo': writing as response body what came as request body
- 'tweak': with query parameters to tweak response behaviour
- marked known fails as skip for now
Closes#10175
- they are mostly pointless in all major jurisdictions
- many big corporations and projects already don't use them
- saves us from pointless churn
- git keeps history for us
- the year range is kept in COPYING
checksrc is updated to allow non-year using copyright statements
Closes#10205
- keeping the "current" easy handle registered at SSL* is no longer
necessary, since the "calling" data object is already stored in the
cfilter's context (and used by other SSL backends from there).
- The "detach" of an easy handle that goes out of scope is then avoided.
- using SSL_set0_wbio for clear reference counting where available.
Closes#10151
- adding support for HTTP/3 test cases via a nghttpx server that is
build with ngtcp2 and nghttp3.
- test2500 is the first test case, performing a simple GET.
- nghttpx is checked for support and the 'feature' nghttpx-h3
is set accordingly. test2500 will only run, when supported.
- a specific nghttpx location can be given in the environment
variable NGHTTPX or via the configure option
--with-test-nghttpx=<path>
Extend NGHTTPX config to H2 tests as well
* use $ENV{NGHTTPX} and the configured default also in http2 server starts
* always provide the empty test/nghttpx.conf to nghttpx. as it defaults to
reading /etc/nghttpx/nghttpx.conf otherwise.
Added nghttpx to CI ngtcp2 jobs to run h3 tests.
Closes#9031
`windres` is not always auto-detected by autotools when building for
Windows. When this happened, the build failed with a confusing error due
to the empty `RC` command:
```
/bin/bash ../libtool --tag=RC --mode=compile -I../include -DCURL_EMBED_MANIFEST -i curl.rc -o curl.o
[...]
Usage: /sandbox/curl/libtool [OPTION]... [MODE-ARG]...
Try 'libtool --help' for more information.
libtool: error: unrecognised option: '-I../include'
```
Improve this by verifying if `RC` is set, and fail with a clear error
otherwise.
Follow-up to 6de7322c03
Ref: https://curl.se/mail/lib-2022-10/0049.html
Reported-by: Thomas Glanzmann
Closes#9781
`WANT_IDN_PROTOTYPES` was necessary to avoid using a header that came
via an optional package. MS stopped distributing this package some
years ago and the winidn definitions are part of standard headers (via
`windows.h`) since Vista.
Auto-detect Vista inside `lib/idn_win32.c` and enable the manual
definitions if building for an older Windows.
This allows to delete this manual knob from all build-systems.
Also drop the `_SAL_VERSION` sub-case:
Our manual definitions are now only enabled with old systems. We assume
that code analysis is not run on such systems, allowing us to delete the
SAL-friendly flavour of these.
Reviewed-by: Jay Satiro
Closes#9793
Fixes: 73a070d96f/curl-autotools.sh (L44-L47)
On Windows this feature is present, but not the header used in the
detection logic. It also requires an elaborate enabler logic
(as seen in `lib/curl_setup.h`). Let's always allow it and let the
lib code deal with the details.
Closes#9688
Detecting headers and lib separately makes sense when headers come in
variations or with extra ones, but this wasn't the case here. These were
duplicate/parallel macros that we had to keep in sync with each other
for a working build. This patch leaves a single macro for each of these
dependencies:
- Rely on `HAVE_LIBZ`, delete parallel `HAVE_ZLIB_H`.
Also delete CMake logic making sure these two were in sync, along with
a toggle to turn off that logic, called `CURL_SPECIAL_LIBZ`.
Also delete stray `HAVE_ZLIB` defines.
There is also a `USE_ZLIB` variant in `lib/config-dos.h`. This patch
retains it for compatibility and deprecates it.
- Rely on `USE_LIBSSH2`, delete parallel `HAVE_LIBSSH2_H`.
Also delete `LIBSSH2_WIN32`, `LIBSSH2_LIBRARY` from
`winbuild/MakefileBuild.vc`, these have a role when building libssh2
itself. And `CURL_USE_LIBSSH`, which had no use at all.
Also delete stray `HAVE_LIBSSH2` defines.
- Rely on `USE_LIBSSH`, delete parallel `HAVE_LIBSSH_LIBSSH_H`.
Also delete `LIBSSH_WIN32`, `LIBSSH_LIBRARY` and `HAVE_LIBSSH` from
`winbuild/MakefileBuild.vc`, these were the result of copy-pasting the
libssh2 line, and were not having any use.
- Delete unused `HAVE_LIBPSL_H` and `HAVE_LIBPSL`.
Reviewed-by: Daniel Stenberg
Closes#9652
If curl_off_t turns out to be smaller than 8 bytes,
--with-n64-deprecated needs to be used to allow the build to
continue. This is to highlight the fact that support for such builds is
going away next year.
Also mentioned in DEPRECATED.md
Closes#9605
Move `LT_LANG([Windows Resource])` after `XC_LIBTOOL`, fixing:
- Warnings when running `autoreconf -fi`.
- Warning when compiling .rc files:
libtool: compile: unable to infer tagged configuration
libtool: error: specify a tag with '--tag'
Follow up to 6de7322c03
Ref: https://github.com/curl/curl/pull/9521#issuecomment-1256291156
Suggested-by: Patrick Monnerat
Closes#9582
This is the single place in libcurl code where it uses the "native"
s(n)printf() function. Used for writing floats. The use has been
reviewed and vetted and uses a HUGE target buffer, but switching to
snprintf() still makes this safer and removes build-time warnings.
Reported-by: Philip Heiduck
Fixes#9569Closes#9570
After this update autotools builds will compile and link `.rc` resources
to Windows executables. Bringing this feature on par with CMake and
Makefile.m32 builds. And also making it unnecessary to improvise these
steps manually, while monkey patching build files, e.g. [0].
You can customize the resource compiler via the `RC` envvar, and its
options via `RCFLAGS`.
This harmless warning may appear throughout the build, even though the
autotools manual documents [1] `RC` as a valid tag, and it fails when
omitting one:
`libtool: error: ignoring unknown tag RC`
[0] 535f19060d/curl-autotools.sh (L376-L382)
[1] https://www.gnu.org/software/libtool/manual/html_node/Tags.htmlCloses#9521
The check first checks that grep -E works, and only as a fallback tries
to find and use egrep. egrep is deprecated.
This change only corrects the output wording, not the checks themselves.
Closes#9471
A side effect of a previous change to configure (576e507c78)
exposed a non-critical issue that can happen if configure is called with
both '--without-ssl' and some parameter setting the use of a ssl library
(e.g. --with-gnutls). The configure script would end up assuming this is
a MultiSSL build, due to the way the case statement is written.
I have changed the order of the variables in the string concatenation
for the case statement and also tweaked the options so that
--without-ssl never turns the build into a MultiSSL one and also clearly
stating that there are conflicting parameters if the user sets it like
described above.
Closes#9414
Previously the configure script would just warn about this fact and
continue with TLS disabled build which is not always helpful. TLS should
be explicitly disabled if that is what the user wants.
Closes#9367
Commit b589696f added lines to some shell within AC_ARG_WITH macros, but
inadvertently failed to move the final closing ).
Quote the script section using braces.
So, if these problems have been around for a while, how did I find them?
Only because I did a configure including these options:
$ ./configure --with-openssl --without-rustls
SSL: enabled (OpenSSL)
Closes#9344
- based on ngtcp2 PR https://github.com/ngtcp2/ngtcp2/pull/505
- configure adapted to build against ngtcp2 wolfssl crypto lib
- quic code added for creation of WOLFSSL* instances
Closes#9290
This is a rewrite of the previously used GPLv3+exception licensed
file. With this change, there is no more reference to GPL so we can
remove that from LICENSES/.
Ref: #9220Closes#9291
The code that detects bsdsocket.library for AmigaOS did not work
for AmigaOS 4.x. This has been fixed and also cleaned up a little
to reduce duplication. Wasn't technically necessary before, but is
required when building with AmiSSL instead of OpenSSL.
Closes#9268
AmiSSL v5 is the latest version, featuring a port of OpenSSL 3.0.
Support for previous OpenSSL 1.1.x versions has been dropped, so
makes sense to enforce v5 as the minimum requirement. This also
allows all the AmiSSL stub workarounds to be removed as they are
now provided in a link library in the AmiSSL SDK.
Closes#9267
- Use the Windows API to seed the fallback random generator.
This ensures to always have a random seed, even when libcurl is built
with a vtls backend lacking a random generator API, such as rustls
(experimental), GSKit and certain mbedTLS builds, or, when libcurl is
built without a TLS backend. We reuse the Windows-specific random
function from the Schannel backend.
- Implement support for `BCryptGenRandom()` [1] on Windows, as a
replacement for the deprecated `CryptGenRandom()` [2] function.
It is used as the secure random generator for Schannel, and also to
provide entropy for libcurl's fallback random generator. The new
function is supported on Vista and newer via its `bcrypt.dll`. It is
used automatically when building for supported versions. It also works
in UWP apps (the old function did not).
- Clear entropy buffer before calling the Windows random generator.
This avoids using arbitrary application memory as entropy (with
`CryptGenRandom()`) and makes sure to return in a predictable state
when an API call fails.
[1] https://docs.microsoft.com/windows/win32/api/bcrypt/nf-bcrypt-bcryptgenrandom
[2] https://docs.microsoft.com/windows/win32/api/wincrypt/nf-wincrypt-cryptgenrandomCloses#9027
Referring to Daniel's article [1], making the init function thread-safe
was the last bit to make libcurl thread-safe as a whole. So the name of
the feature may as well be the more concise 'threadsafe', also telling
the story that libcurl is now fully thread-safe, not just its init
function. Chances are high that libcurl wants to remain so in the
future, so there is little likelihood of ever needing any other distinct
`threadsafe-<name>` feature flags.
For consistency we also shorten `CURL_VERSION_THREADSAFE_INIT` to
`CURL_VERSION_THREADSAFE`, update its description and reference libcurl's
thread safety documentation.
[1]: https://daniel.haxx.se/blog/2022/06/08/making-libcurl-init-more-thread-safe/
Reviewed-by: Daniel Stenberg
Reviewed-by: Jay Satiro
Closes#8989
Add licensing and copyright information for all files in this repository. This
either happens in the file itself as a comment header or in the file
`.reuse/dep5`.
This commit also adds a Github workflow to check pull requests and adapts
copyright.pl to the changes.
Closes#8869
This flag can be used to make sure that curl_global_init() is
thread-safe.
This can be useful for libraries that can't control what other
dependencies are doing with Curl.
Closes#8680
Enable Linux GSO in ngtcp2 QUIC. In order to recover from the
EAGAIN/EWOULDBLOCK by sendmsg with multiple packets in one GSO write,
packet buffer is now held by struct quicsocket. GSO write might fail in
runtime depending on NIC. Disable GSO if sendmsg returns EIO.
Closes#8909
Rather than assuming sed in PATH, use the resolved $SED variable
like in all other invocations of sed in configure.
Closes: #8891
Reviewed-by: Daniel Stenberg <daniel@haxx.se>
Reviewed-by: Marcel Raad <Marcel.Raad@teamviewer.com>
Set the libcurl version in libcurl.plist like how libcurl.vers is
created.
Closes: #8692
Reviewed-by: Daniel Stenberg <daniel@haxx.se>
Reviewed-by: Nick Zitzmann <nickzman@gmail.com>
The fix for #8276 proposed in #8374 set `CFLAGS="$CFLAGS -pthead"`
earlier than it used to be set, applying it in cases where it should not
have been applied.
This moves the AIX XLC check to a new `case $host in` block inside of
the `if test "$USE_THREADS_POSIX" != "1"` block, where `CFLAGS="$CFLAGS
-pthead"` used to happen.
Fixes#8541Closes#8542
Using the system pkg-config path in the face of a user-specified
library path is asking to link the wrong library.
Reported-by: Michael Kaufmann
Fixes#8289Closes#8456
In March 2010 (commit 4259d2df7d) we removed the embedded 'ares'
directory from the curl source tree but we have since supported
especially detecting and using that build directory. The time has come
to remove that kludge and ask users to specify the c-ares dir correctly
with --enable-ares.
Closes#8397
- Change library link check for ngtcp2_crypto_{gnutls,openssl} to
to use function ngtcp2_crypto_recv_client_initial_cb instead of
ngtcp2_crypto_ctx_initial.
The latter function is no longer external since two days ago in
ngtcp2/ngtcp2@533451f. curl HTTP/3 CI builds have been failing since
then because they would not link to the ngtcp2 crypto library.
Ref: https://github.com/ngtcp2/ngtcp2/pull/356
Closes https://github.com/curl/curl/pull/8372
Mesalink has ceased development. We can no longer encourage use of it.
It seems to be continued under the name TabbySSL, but no attempts have
(yet) been to make curl support it.
Fixes#8188Closes#8191
If hyper is indeed present in the specified directory but couldn't be
used to find the correct symbol, then offer a different error message to
better help the user understand the issue.
Suggested-by: Jacob Hoffman-Andrews
Fixes#8001Closes#8005
Previously specifying `--without-gnutls` would unexpectedly attempt to
compile with GnuTLS, effectively interpreting this as
`--with-gnutls`. This caused a significant amount of confusion when
`libcurl` was built with SSL disabled since GnuTLS wasn't present.
68d89f24 dropped the `--without-*` options from the configure help, but
`AC_ARG_WITH` still defines these flags automatically. As
https://www.gnu.org/software/autoconf/manual/autoconf-2.60/html_node/External-Software.html
describes, the `action-if-given` is called when the user specifies
`--with-*` or `--without-*` options.
To prevent this confusion, we make the `--without` flag do the right
thing by ignoring the value if it set to "no".
Closes#7994
Some method names, as well as the generated library name, were changed
in a recent refactoring.
Further, change the default configuration instructions to check for
Hyper in either "target/debug" or "target/release" - the latter
contains an optimized build configuration.
Fixes#7947Closes#7948
The rationale is that custom *-config tools don't work well when
cross-compiling or using sysroots (such as when using Yocto project) and
require custom fixing for each of them; pkg-config on the other hand
works similarly everywhere.
Signed-off-by: Roy Li <rongqing.li@windriver.com>
Signed-off-by: Alexander Kanavin <alex@linutronix.de>
Closes#7916
ngtcp2_conn_client_new and nghttp3_conn_client_new are now macros.
Check the wrapped functions instead.
ngtcp2_stream_close callback now takes flags parameter.
Closes#7709
The AC_ARG_ENABLE() macro itself uses a variable called
'enable_[option]', so when our script also used a variable with that
name for the purpose of storing what the user wants, it also
accidentally made it impossible to switch off the feature with
--disable-hsts. Fix this by renaming our variable.
Reported-by: Michał Antoniak
Fixes#7669Closes#7672
- If the user has not specified a minimum OS version (via WINVER or
_WIN32_WINNT macros) then set it to Windows XP.
Prior to this change classic MinGW defaulted the minimum OS version
to Windows NT 4.0 which is way too old. At least Windows XP is needed
for getaddrinfo (which resolves hostnames to IPv6 addresses).
Ref: https://github.com/curl/curl/issues/7483#issuecomment-891597034
Closes https://github.com/curl/curl/pull/7581
This reverts commit b4b34db65f, 673753344c and 29c7cf79e8.
The logic is now back to assuming that the nghttp2 lib is called nghttp2 and
nothing else.
Reported-by: Rui Pinheiro
Reported-by: Alex Crichton
Fixes#7514Closes#7515
commit 29c7cf79e8 (shipped in 7.78.0) introduced a problem by
assuming that LIB_H2 does not have any leading whitespace. At least
OpenBSD's native pkg-config can produce such whitespace, though:
$ pkg-config --libs-only-l libnghttp2
-lnghttp2
As a result, the configure check for libnghttp2 will erroneously fail.
Bug: https://curl.se/mail/lib-2021-07/0050.htmlCloses#7472
it needs to be processed by autoconf or autoreconf, and doesn't have a
suitable shebang to be directly executed. other projects normally set
configure.ac -x.
Closes#7272
"get-easy-options" is the configure option advertised by the help text
anyway, so use that.
Fixes#7211Closes#7213
Follow-up to ad691b191 ("configure: added --disable-get-easy-options")
Suggested-by: Daniel Stenberg <daniel@haxx.se>
Signed-off-by: Bastian Krause <bst@pengutronix.de>
Warning: this will make existing curl command lines that use metalink to
stop working.
Reasons for removal:
1. We've found several security problems and issues involving the
metalink support in curl. The issues are not detailed here. When
working on those, it become apparent to the team that several of the
problems are due to the system design, metalink library API and what
the metalink RFC says. They are very hard to fix on the curl side
only.
2. The metalink usage with curl was only very briefly documented and was
not following the "normal" curl usage pattern in several ways, making
it surprising and non-intuitive which could lead to further security
issues.
3. The metalink library was last updated 6 years ago and wasn't so
active the years before that either. An unmaintained library means
there's a security problem waiting to happen. This is probably reason
enough.
4. Metalink requires an XML parsing library, which is complex code (even
the smaller alternatives) and to this day often gets security
updates.
5. Metalink is not a widely used curl feature. In the 2020 curl user
survey, only 1.4% of the responders said that they'd are using it. In
2021 that number was 1.2%. Searching the web also show very few
traces of it being used, even with other tools.
6. The torrent format and associated technology clearly won for
downloading large files from multiple sources in parallel.
Cloes #7176
Latest version of quiche requires the application to pass the peer
address of received packets, and it provides the address for outgoing
packets back.
Closes#7120
configure no longer tries to find a TLS library by default, but all
libraries are now equal: the user needs to explicitly ask what TLS
library or libraries to use.
If no TLS library is selected, configure will error out unless
--without-ssl is explicitly used to request a built without TLS (as that
is very rare these days).
Removes: --with-winssl, --with-darwinssl and all --without-* options for
TLS libraries.
Closes#6897
In 2682e5f5, several instances of AC_HEADER_TIME were removed since
it is a deprecated autoconf macro. However, this was the macro that
defined TIME_WITH_SYS_TIME, which was used to indicate that <time.h>
can be included alongside <sys/time.h>. TIME_WITH_SYS_TIME is still
used in the configure test body and since it is no longer defined,
<time.h> is *not* included on systems that have <sys/time.h>.
In particular, at least on musl libc and glibc, <sys/time.h> does
not implicitly include <time.h> and does not declare clock_gettime,
gmtime_r, or localtime_r. This causes configure to fail to detect
those functions.
The AC_HEADER_TIME macro deprecation text says
> All current systems provide time.h; it need not be checked for.
> Not all systems provide sys/time.h, but those that do, all allow
> you to include it and time.h simultaneously.
So, to fix this issue, simply include <time.h> unconditionally when
testing for time-related functions and in libcurl, and don't bother
checking for it.
Closes#6859
Avoid enabling NTLM feature based upon Windows SSPI
being enabled in case that crypto auth is disabled.
Reported-by: Marcel Raad
Follow-up to #6277Fixes#6803Closes#6808
AC_HELP_STRING is deprecated in 2.70+ and I believe AS_HELP_STRING works
already since 2.59 so bump the minimum required version to that.
Reported-by: Emil Engler
Fixes#6647Closes#6748
Align conditions for NTLM features between CMake and configure
builds by differentiating between USE_NTLM and USE_CURL_NTLM_CORE,
just like curl_setup.h does internally to detect support of:
- USE_NTLM: required for NTLM crypto authentication feature
- USE_CURL_NTLM_CORE: required for SMB protocol
Implement USE_WIN32_CRYPTO detection by checking for Crypt functions
in wincrypt.h which are not available in the Windows App environment.
Link advapi32 and crypt32 for Crypto API and Schannel SSL backend.
Fix condition of Schannel SSL backend in CMake build accordingly.
Reviewed-by: Marcel Raad
Closes#6277
Add paths for OpenSSL compiling and linking only if they have been
defined. If they haven't been defined, we'll assume that the paths are
already available to the toolchain.
Closes#6730
Previously, configure would look for hyper by default, and use it if
found; otherwise it would not use hyper, and not error.
Now, configure will not look for hyper unless --with-hyper is passed. If
configure looks for hyper and fails, it will error.
Also, add -ld -lpthread -lm to Hyper's libs. I think they are required.
Closes#6598
This commit introduces a "gophers" handler inside the gopher protocol if
USE_SSL is defined. This protocol is no different than the usual gopher
prococol, with the added TLS encapsulation upon connecting. The protocol
has been adopted in the gopher community, and many people have enabled
TLS in their gopher daemons like geomyidae(8), and clients, like clic(1)
and hurl(1).
I have not implemented test units for this protocol because my knowledge
of Perl is sub-par. However, for someone more knowledgeable it might be
fairly trivial, because the same test that tests the plain gopher
protocol can be used for "gophers" just by adding a TLS listener.
Signed-off-by: parazyd <parazyd@dyne.org>
Closes#6208
- enable in the build (configure)
- header parsing
- host name lookup
- unit tests for the above
- CI build
- CURL_VERSION_HSTS bit
- curl_version_info support
- curl -V output
- curl-config --features
- CURLOPT_HSTS_CTRL
- man page for CURLOPT_HSTS_CTRL
- curl --hsts (sets CURLOPT_HSTS_CTRL and works with --libcurl)
- man page for --hsts
- save cache to disk
- load cache from disk
- CURLOPT_HSTS
- man page for CURLOPT_HSTS
- added docs/HSTS.md
- fixed --version docs
- adjusted curl_easy_duphandle
Closes#5896
It supposes when people specify the libdir/includedir they do it to
change where under prefix/exec_prefix it should be, not to make it
independent of prefix/exec_prefix.
Closes#6061
`USE_WINDOWS_SSPI` without `USE_WIN32_CRYPTO` but with any other DES
backend is fine, but was excluded before.
This also fixes test 1013 as the condition for SMB support in
configure.ac didn't match the condition in the source code. Now it
does.
Fixes https://github.com/curl/curl/issues/1262
Closes https://github.com/curl/curl/pull/5771
When amending the include path with "/wolfssl", this now properly strips
off all whitespace from the path variable! Previously this would lead to
pkg-config builds creating bad command lines.
Closes#5848
The CMake option is now called CMAKE_USE_SCHANNEL
The winbuild flag is USE_SCHANNEL
The CI jobs and build scripts only use the new names and the new name
options
Tests now require 'Schannel' (when necessary)
Closes#5795
include zstd curl patch for Makefile.m32 from vszakats
and include Add CMake support for zstd from Peter Wu
Helped-by: Viktor Szakats
Helped-by: Peter Wu
Closes#5453
In the logic that works out if a given OpenSSL path works, it stripped
off a possibly leading -L flag using an incorrect sed pattern which
would remove all instances of -L in the string, including if the path
itself contained that two-letter sequence!
The same pattern was used and is now updated in multiple places. Now it
only removes -L if it starts the strings.
Reported-by: Mohamed Osama
Fixes#5519Closes#5521
Using time_t and suseconds_t if suseconds_t is available,
long on Windows (maybe others in the future) and int elsewhere.
Also handle case of ULONG_MAX being greater or equal to INFINITE.
Assisted-by: Jay Satiro
Reviewed-by: Daniel Stenberg
Part of #5343
Due to bad escaping of the test code, the test wouldn't build and thus
result in a negative test result, which would lead to the unconditional
assumption that overwriting the arguments doesn't work and thus curl
would never hide credentials given in the command line, even when it
would otherwise be possible.
Regression from commit 2d4c2152c (7.60.0)
Reported-by: huzunhao on github
Fixes#5470Closes#5471
A shared boringssl/OpenSSL library requires -lcrypto only for linking.
A static build additionally requires `-ldl -lpthread`. In the latter
case `-lpthread` is added to LIBS which prevented `-pthread` from being
added to CFLAGS. Clear LIBS to fix linking failures for libtest tests.
A project being built entirely statically will call pkg-config with
--static, which utilises the Libs.private field. Conversely it will
not use --static when not being built entirely statically, even if
there is only a static build of libcurl available. This will most
likely cause the build to fail due to underlinking unless we merge the
Libs fields.
Consider that this is what the Meson build system does when it
generates pkg-config files.
I have also reflected this in the --libs argument of curl-config even
though REQUIRE_LIB_DEPS always seems to be "yes" anyway.
Closes#5373
quiche has the potential to log qlog files. To enable this, you must
build quiche with the qlog feature enabled `cargo build --features
qlog`. curl then passes a file descriptor to quiche, which takes
ownership of the file. The FD transfer only works on UNIX.
The convention is to enable logging when the QLOGDIR environment is
set. This should be a path to a folder where files are written with the
naming template <SCID>.qlog.
Co-authored-by: Lucas Pardue
Replaces #5337Closes#5341
GnuTLS 3.1.10 added new functions we want to use. That version was
released on Mar 22, 2013. Removing support for older versions also
greatly simplifies the code.
Ref: #5271Closes#5276
Currently, the TLS backend used by vquic/ngtcp2.c is selected at compile
time. Therefore OpenSSL support needs to be explicitly disabled.
Signed-off-by: Daiki Ueno <dueno@redhat.com>
Closes#5148
OpenSSL 3 deprecates SSL_CTX_load_verify_locations and the MD4, DES
functions we use.
Fix the MD4 and SSL_CTX_load_verify_locations warnings.
In configure, detect OpenSSL v3 and if so, inhibit the deprecation
warnings. OpenSSL v3 deprecates the DES functions we use for NTLM and
until we rewrite the code to use non-deprecated functions we better
ignore these warnings as they don't help us.
Closes#5139
If --enable-werror is used.
Follow-up to d5c0351055 which added it too early in the configure
script before $compiler_num was set correctly and thus this option was
never used.
Reported-by: Stepan Efremov
Fixes#5067Closes#5068
Follow up to cdcc9df1 and #5006. Even though I mentioned mbedTLS as
being one of the backends that metalink needs to be disabled for, I
seem to have included it in the list of allowed SSL/TLS backends in
comnfigure.ac :(
Closes#5013
tool_metalink only supports cryptography from OpenSSL, GnuTLS, NSS,
The Win32 Crypto library and Apple's Common Crypto library.
If an TLS backend such as mbedTLS or WolfSSL is specified then the
following error is given during compilation along, with a load of
unresolved extern errors:
Can't compile METALINK support without a crypto library.
Reviewed-by: Daniel Stenberg
Closes#5006
To simplify our code and since earlier versions lack important function
calls libcurl needs to function correctly.
nghttp2 1.12.0 was relased on June 26, 2016.
Closes#4961
This makes it possible to recognize and connect to literal IPv6
addresses when `getaddrinfo` is not available, which is already the
case for the CMake build. This affects e.g. classic MinGW because it
still targets Windows 2000 by default, where `getaddrinfo` is not
available, but general IPv6 support is.
Instead of checking for `getaddrinfo`, check for `sockaddr_in6` as the
CMake build does.
Closes https://github.com/curl/curl/pull/4662
