scan-build has been dropped in favor of clang-tidy and this false
positive no longer triggers with it.
Follow-up to ce4db9c2ef#20751
Follow-up to 02f207a76bCloses#20860
After targeting Vista as minimum, the non-bcrypt fallback code was
impossible to reach, because on UWP wincrypt is never available.
After this patch it's more obvious that no-SSL UWP builds only support
weak random source.
Follow-up to b17ef873ae#18009Closes#20859
Instead of the first internal call to `curlx_verify_windows_version()`.
To avoid the chance of a race, potentially resulting in initializing
this address twice. AFAICT it could not cause an issue before this
patch.
Reported by Codex Security
Follow-up to b17ef873ae#18009Closes#20853
The code actual init code remains identical after this patch. To make it
clearer where this initialization is called from, and to dedupe code.
Follow-up to b17ef873ae#18009Closes#20852
The 'id' struct field in 'struct h3_stream_ctx' is a uint64_t type so
should be output with PRIu64 - and it makes sense to be consistent.
Note that the field with the same name in the ngtcp2 version of this
struct is a *signed* 64-bit variable.
Reported by Codex Security
Closes#20849
As the SOCK_CLOEXEC and SOCK_NONBLOCK get ORed to the socktype, this
introduces the cf_socktype() function to use when checking for the
specific socket type: DGRAM or STREAM. The function filters off the
non-type related bits to enable the comparison.
Follow-up to 05367694ecCloses#20808
If the first write was interrupted by a signal and a subsequent write
succeeds, the function would still erroneously return EINTR.
Found by Codex Security
Closes#20809
This fixes a regression and accidental changed behavior shipped in
8.18.0 (via 6b9c75e219).
When the setopt is set to "" and curl is built without support for a
single compression algorithm, it used to use "identity" but recently did
not.
Spotted by Codex Security
Closes#20805
OpenSSL 4.0.0-dev supports ECH with one flaw. If peer verification
is not enabled, it will report SSL_ECH_STATUS_BAD_NAME on the ECH
status.
Provide a workaround in libcurl that checks the inner name used in
ECH was the peer's hostname, both verify peer and host are disabled
and then accept the BAD_NAME without failing the connect.
Fixes#20655
Reported-by: Dexter Gerig
Closes#20821
Perform the actual timeout calculation in the blocking resolv
loop each time in the same way, keeping the logic simpler.
The previous version calculated the timeout once, and then
reduced it by the elapsed time spent in polling/processing.
This is unnecessarily complicated.
Closes#20819
The strdup() of the hostname to resolve is unnecessary as the sync
resolve code does not keep the string and the async code makes copies
already.
Remove the member from `connectdata`.
Closes#20833
- the value collided with the internal one used for WebSocket
- we add all new ones as internal bits
- bump to 64-bit internal type
- introduce new define for setting all protocols (CURLPROTO_64ALL)
Reported by Codex Security
Closes#20798
In this use case 'unsigned value &= ~DEFINE;
As otherwise the right side is treated as signed, which annoyingly
triggers UBSan. The U_* defines are local versions of the public define,
only typecast to unsigned.
Reported-by: xmoezzz on github
Fixes#20753Closes#20769
If TLS 1.3 is not supported, the call to
`mbedtls_ssl_conf_tls13_enable_signal_new_session_tickets()` fails
during compilation:
```
curl-8.18.0/lib/vtls/mbedtls.c: In function 'mbed_connect_step1':
curl-8.18.0/lib/vtls/mbedtls.c:809:3: error: implicit declaration of function 'mbedtls_ssl_conf_tls13_enable_signal_new_session_tickets' [-Werror=implicit-function-declaration]
mbedtls_ssl_conf_tls13_enable_signal_new_session_tickets(&backend->config,
^
curl-8.18.0/lib/vtls/mbedtls.c:809:3: warning: nested extern declaration of 'mbedtls_ssl_conf_tls13_enable_signal_new_session_tickets' [-Wnested-externs]
```
Protect this call inside the `#ifdef` block by making sure that support
for TLS 1.3 is defined.
Closes#20789
```
lib/multi.c:305:5: error: code will never be executed [clang-diagnostic-unreachable-code]
305 | goto error;
| ^~~~~~~~~~
```
Cherry-picked from #20774Closes#20788
- replaced double spaces with single space where applicable
- replaced "favourite" with "favorite"
- added language identifiers to code blocks in markdown files
- added extra line after code blocks and after headings in markdown
files
Cloes #20748
To support floats and doubles when using these old compilers.
Before this patch, these tests most likely failed with them:
```
FAIL 557: 'curl_mprintf() testing' printf, unittest
FAIL 566: 'HTTP GET with CURLINFO_CONTENT_LENGTH_DOWNLOAD and 0 bytes transfer' HTTP, HTTP GET
FAIL 599: 'HTTP GET with progress callback and redirects changing content sizes' HTTP, HTTP POST, chunked Transfer-Encoding
FAIL 1148: 'progress-bar' HTTP, progressbar
```
Also:
- mention `_snprintf()` in the `_CRT_SECURE_NO_WARNINGS` comment.
Follow-up to 7de35515d9#20218Closes#20761
To fix building tests/server with cmake and both wolfSSL and OpenSSL
enabled (MultiSSL).
tests/server do not have libcurl dependency header paths setup because
it does not use libcurl. The code however includes `curl_setup.h`, which
tried including `wolfssl/version.h` before this patch to verify if the
wolfSSL coexist feature is available. Without a header path, it failed:
```
In file included from bld/tests/server/servers.c:3:
In file included from tests/server/first.h:40:
lib/curl_setup.h:737:12: fatal error: 'wolfssl/version.h' file not found
737 | # include <wolfssl/version.h>
| ^~~~~~~~~~~~~~~~~~~
1 error generated.
```
Ref: https://github.com/curl/curl/actions/runs/22410066319/job/64880787424#step:46:76
Fix by moving the include and version check to `vtls/wolfssl.c`.
Also: add an early version check to cmake.
Follow-up to 16f073ef49#16973
Cherry-picked from #20720Closes#20726
Reported when running `HeaderFilterRegex: '.*'` in CI.
Also replace an underscored symbol with a regular one in macro
definition.
Cherry-picked from #20720Closes#20721
- vms/curlmsg_vms.h: delete unused/commented code.
- vtls/schannel_verify: sort includes.
- typecheck-gcc.h: fix indent and alignment.
- lib/config-win32.h: drop idle `#undef`.
- spacecheck: check for stray empty lines before after curly braces.
- make literals more readable: 1048576 -> 1024 * 1024
- scope variables.
- use ISO date in a comment.
- drop redundant parentheses.
- drop empty comments.
- unfold lines.
- duplicate/stray spaces in comments.
- fix indent, whitespace, minor typos.
Closes#20690
