Reshuffle code a little to detect when the transfer's credentials
actually change. Otherwise, leave the existing creds in place.
This gives the precise location where we may want to reset other
states that become invalid with change credentials. Also, by
keeping a creds instance as long as it is valid, we can associate
meta data with it.
Closes#21755
To avoid hitting all lines in it. It doesn't happen in curl at the
moment, but may happen in the future or in other projects using this
script.
Closes#21819
Not documented and experimental, example:
`-D_CURL_PYTEST=/test_60_h3_proxy.py`
Ideally, this should be an env like `TFLAGS` and it should allow
selecting any test ID or a group of them, but so far could not figure
out how even a basic env could work.
Closes#21818
- merge tests into a single class.
For shorter names, to fix sort order by test number, and to align with
other tests.
- fix preconditions to make `test_60_04_guard_proxy_http3_unsupported`
actually run.
- replace local precondition with constant of the same effect.
- drop redundant non-`ngtcp2` requirement for
`test_60_04_guard_proxy_http3_unsupported`.
(seemed relevant for no longer supported openssl-quic builds.)
- drop unused `NGTCP2_ONLY_MSG` constant.
Follow-up to e4139a73c8#21798
- avoid creating unnecessary test data blobs, and minimize their scopes.
Follow-up to 91facd7bb3#21791
Follow-up to e78b1b3ecc#21153Closes#21811
When a transfer goes against another origin than the initial one, do not
add the following to the ssl configuration: client cert, client key, srp
user/pass, pinned key.
Closes#21695
Add test_31_13 to check connection reuse on mixed --ssl-reqd setting.
For that add debug env var CURL_DBG_NO_USE_SSL_ON_FIRST to disable
--ssl-reqd for the first url. Check that the connection without SSL
from the first url is not reused on the second URL that requires it.
Tweak special ftp: protocol check to fail a DEBUGASSERT on mismatched
`use_ssl` settings as that should have been caught before in the
connection reuse matching (imap/smtp etc. do not have this extra check
and rely on the general part doing its job).
Closes#21665
- test_60_02_connect_tunnel_fail[fail_h1_over_h3_proxytunnel]
- test_60_02_connect_tunnel_fail[fail_h3_over_h2_proxytunnel]
- test_60_02_connect_tunnel_fail[fail_h3_over_h3_proxytunnel]
- test_60_03_h3_target_auto_connect_udp[proxy_h3]
- test_60_15_connect_timeout
Further flaky ones may be disabled in future commits.
All to be re-enabled after stabilizing them.
Follow-up to 59213f8248#21789
Follow-up to e78b1b3ecc#21153Closes#21803
- replace literal -1 with `NGHTTP3_ERR_CALLBACK_FAILURE` in nghttp3
callback.
- replace `NGHTTP3_ERR_CALLBACK_FAILURE` with
`NGTCP2_ERR_CALLBACK_FAILURE` in ngtcp2 callbacks.
- test_60_h3_proxy: fix non-critical typo in symbol.
Spotted by GitHub Code Quality
Follow-up to e78b1b3ecc#21153Closes#21802
code:
- less exception handling in existing code
- true ip happy eyeballing
- enable certificate verification
- cf-h2-proxy: abort connection when server closed connection
tests:
- remove all --insecure and --proxy-insecure args
- make session reuse test_60_12 a working one
- resolve port conflicts between h2o and nghttpx
- use proxy args better
- make test_60_06 run shorter
- kill h2o at the end of tests, normal stop takes too long
Ref: 59213f8248#21789
Follow-up to e78b1b3ecc#21153Closes#21798
Also:
- GHA/http3-linux: enable deprecated APIs in openssl-prev local
OpenSSL builds. Required by h2o and its vendored dependencies.
Tried OpenSSL 4, LibreSSL 4.x, BoringSSL: all failed at one point.
- GHA/http3-linux: build h2o from source.
libuv1-dev may not be stricly required.
Tried installing libwslay-dev, but it wasn't recognized.
Also disable building h2o libs for a much smaller dist directory and
slightly faster build.
Sadly, h2o is not versioned, so I pinned to the current latest commit
at the master branch. It advertises itself as 2.3.0-DEV in pytest.
- drop redundant `libnghttp3` installs. Remains of openssl-quic builds.
Follow-up to 6aaac9dd38#20226
Note GHA/macos pytests may or not not be stable with the H3 proxy tests.
Follow-up to e78b1b3ecc#21153Closes#21789
When connecting to an mDNS hostname that resolves to an IPv6 link-local
address, connect() fails with EINVAL because sin6_scope_id is 0. This is
a regression since 8.20.0 where the threaded resolver started splitting
A and AAAA queries into separate getaddrinfo calls. The AAAA-only call
with PF_INET6 may not set scope_id on systems where the same call with
PF_UNSPEC did.
When the resolver does not provide scope_id for a link-local address,
try to determine it from the system's network interfaces using
getifaddrs(). Also add scope_id to verbose connect output so the value
can be seen in curl -v logs.
Built and tested locally on Linux. checksrc passes.
Fixes#21669
Reported-by: Bartel Sielski
Closes#21728
Omit checking `OPT_<BACKEND>` against `no` twice.
Also:
- openssl: drop stray `OPT_OPENSSL=off` check.
Follow-up to 68d89f242c#6897
- rustls: drop no-op line.
Follow-up to 9c42098370#13202
- gnutls: fix casing in comment.
- merge `if` branches where possible after these changes.
Closes#21781
Also:
- check `curl_url()` for NULL where missing.
- free memory `curl_url_get()` return pointer where missing.
- propagate `curl_url_set()` errors in `clear_url()`, where missing.
- add missing NULL-check before `strcmp()` in `clear_url()`.
Closes#21780
- fix symbol used for first-round detection.
- skip detecting mbedtls on custom path if custom path was not supplied.
Reported-by: Ross Burton
Fixes#21727Closes#21729
Replace result code `CURLE_SSL_CIPHER` with
`CURLE_BAD_FUNCTION_ARGUMENT` in case of a low-level digest function
fails. Functionality is related to vauth, not SSL, and the operation is
a digest, not a cipher.
Also fix a indentation.
Follow-up to 05268cf801#13070Closes#21767
