With the new addition of OpenSSL QUIC API support and the support in
ngtcp2 main branch, make the necessary adjustments in curl to support
this combination.
- add support in configure.ac to detect the feature OPENSSL_QUIC_API2 in
openssl
- initialise ngtcp2 properly in this combination
- add a Curl_vquic_init() for global initialisation that ngtcp2 likes
for performance reasons
- add documentation on how to build in docs/HTTP3.md
- add CI testing in http3-linux.yml
Assisted-by: Viktor Szakats
Closes#17027
Adds a "meta_hash" to each easy handle for keeping special data during
operations. All meta data set needs to add its destructor callback, so
that meta data gets destroyed properly when the easy handle is cleaned
up or reset.
Add data->master_mid for "sub" transfers that belong to a "master" easy
handle. When a "sub" transfer is done, the corresponding "master" can
add a callback to be invoked. Used in DoH name resolution.
DoH: use easy meta hash to add internal structs for DoH name resolution.
One in each in each probe easy handle. When probes are done, response
data is copied from the probe to the initiating easy.
This allows DoH using transfers and their probes to be cleaned up in any
sequence correctly.
Fold DoH cleanup into the Curl_async_shutdown() and Curl_async_destroy()
functions.
Closes#16384
Enable it for `_MSC_VER <= 1943`.
Omit it for not yet CI-tested MSVC versions, to avoid hitting unfixed
warnings emitted by future toolchain releases. It means we need
to explicitly opt-in to newer MSVC versions while fixing any new issues.
The newly enabled warnings did not reveal new issues. It hints that we
catch those with clang/gcc. Yet, these warnings may be useful for local
development done with MSVC.
Also:
- disable and document warnings that don't seem useful, unactionable,
or unfixable.
- disable and document warnings found in Windows SDK headers.
- tidy up a few comments, also to avoid
`-Wdocumentation-unknown-command`, part of llvm/clang `-Wall`.
```
lib\dynhds.h(159,29): error : unknown command tag name [-Werror,-Wdocumentation-unknown-command]
lib\ftp.c(337,15): error : unknown command tag name [-Werror,-Wdocumentation-unknown-command]
```
(This patch did not end up enabling `-Wall` for clang-cl.)
Closes#17050
"asyn" is the internal name under which both c-ares and threaded
resolver operate. Make the naming more consistent. Implement the c-ares
resolver in `asyn-ares.*` and the threaded resolver in `asyn-thrdd.*`.
The common functions are in `asyn-base.c`.
When `CURLRES_ASYNCH` is defined, either of the two is used and
`data->state.async` exists. Members of that struct vary for the selected
implementation, but have the fields `hostname`, `port` and `ip_version`
always present. This are populated when the async resolving starts and
eliminate the need to pass them again when checking on the status and
processing the results of the resolving.
Add a `Curl_resolv_blocking()` to `hostip.h` that relieves FTP and SOCKS
from having to repeat the same code.
`Curl_resolv_check()` remains the function to check for status of
ongoing resolving. Now it also performs internally the check if the
needed DNS entry exists in the dnscache and if so, aborts the asnyc
operation. (libcurl right now does not check for duplicate resolve
attempts. an area for future improvements).
The number of functions in `asyn.h` has been reduced. There were subtle
difference in "cancel()" and "kill()" calls, both replaced by
`Curl_async_shutdown()` now. This changes behaviour for threaded
resolver insofar as the resolving thread is now always joined unless
`data->set.quick_exit` is set. Before this was only done on some code
paths. A future improvement would be a thread pool that keeps a limit
and also could handle joins more gracefully.
DoH, not previously tagged under "asny", has its struct `doh_probes` now
also in `data->state.async`, moved there from `data->req` because it
makes more sense. Further integration of DoH underneath the "asyn"
umbrella seems like a good idea.
Closes#16963
The SChannel code uses the CertFindCertificateInStore function to
retrieve the client certificate from a pkcs12 certificate store.
However, when called with the CERT_FIND_ANY flag, this function does not
provide any guarantees on the order in which certificates are retrieved.
If a pkcs12 file contains an entire certificate chain instead of a
single client certificate, the CertFindCertificateInStore function may
return the CA or an intermediate certificate instead of the desired
client certificate. Since there is no associated private key for such a
certificate, the TLS handshake fails.
With this change, we now pass the CERT_FIND_HAS_PRIVATE_KEY flag. This
ensures that the CertFindCertificateInStore function will return a
certificate which has a corresponding private key. This will stop the CA
and intermediate certificates from being selected. I don't think there
would be much use in a client certificate which has no associated
private key, so this should ensure the client certificate is selected. I
suppose it may be possible for a pkcs12 file to contain multiple
certificates with private keys and the new behaviour may not guarantee
which is selected. However, this is no worse that the previous behaviour
in which any certificate may been selected.
The CERT_FIND_HAS_PRIVATE_KEY is only available in Windows 8 / Server
2012 (aka Windows NT6.2). For older versions, we will fall back to using
the CERT_FIND_ANY flag.
Closes#16825
Without this patch, the handling of the alt-svc header added via
279a4772ae in curl-8.13.0 attempts to
connect to alternative services via different HTTP versions, even if the
target HTTP version is not supported by curl (i.e., not enabled at
compile-time). If I understand the code and RFC 7838 correctly, then we
should only attempt to migrate to supported protocols. Therefore,
`allowed_apns` should only contain such protocols, and we need to guard
its modification with `ifdefs` for supported HTTP versions.
This was discovered in a downstream bug report in Alpine Linux [1] where
it was reported that a Matrix client (using libcurl) was defunct after
the upgrade to curl-8.13.0. Further debugging revealed that this was due
to the Matrix server sending a `alt-svc: h3=":443";` HTTP header,
causing curl to attempt migration to HTTP3 even though Alpine's curl
version is compiled without HTTP3 support.
I am not sure if this is the best place in the code to address this
or if the `allowed` bitmask shouldn't contain unsupported versions
in the first place. However, since there are existing `ifdefs` in
this function for source (not destination) ALP selection, it may
be a good fit to address this here.
[1]: https://gitlab.alpinelinux.org/alpine/aports/-/issues/17062Closes#17037
Very similar to 9f8bdd0eae, but affects
e.g. netrc file parsing.
Suggested-by: Graham Christensen <graham@grahamc.com>
Add test 744 to verify
Closes#17036
wolfSSL headers publish the `HAVE_ALPN` macro to tell if it has ALPN
support compiled in. Use that instead of `HAS_ALPN`, which was never
set.
Follow-up to edd573d980#16167Closes#17056
To avoid having LTO enabled for Debug configurations with multi-config
generators (e.g. MSVC.)
Reported-by: PleaseJustDont
Fixes#17042
Ref: ##17034
Follow-up to a1eaa12a83#15829Closes#17043
when CURLMOPT_MAX_HOST_CONNECTIONS or CURLMOPT_MAX_TOTAL_CONNECTIONS
limits are reached, force close connections in shutdown to go below
limit when possible.
Fixes#17020
Reported-by: Fujii Hironori
Closes#17022
- `NOT` + `VERSION_LESS` -> `VERSION_GREATER_EQUAL`
Available since 3.7, which is the minimum required for curl:
https://cmake.org/cmake/help/latest/command/if.html#version-greater-equal
- make `CMAKE_REQUIRED_*` argument quotes consistent.
- make `CMAKE_REQUIRED_*` space alignment consistent.
- drop quote from version value for consistency with other cases.
- formatting
Closes#17002
by including headers using "../[header]" when done from C files in
subdirectories, we do not need to specify the lib source dir as an
include path and we reduce the risk of header name collisions with
headers in the SDK using the same file names.
Idea-by: Kai Pastor
Ref: #16949Closes#16991
Also adjust `()` around low-level calls preventing macro overrides via
e.g. `memdebug.h`:
- add for `malloc` and `free`.
- drop for `_open`. (We do not override `_open` in curl.)
Tidy-up: also sync libcurlu custom macro order in cmake with autotools.
Follow-up to f42a279ee3#11928Closes#16742
The fix in b8bd019c6a (#16959) broke the
CURLOPT_HTTP_TRANSFER_DECODING handling, shown in test 319 and curl's
--raw option.
This is a follow-up that restores the functionality.
Enable test 319 again.
Fixes#16974Closes#16984
Made the HTTPS-RR parser a little stricter while at it.
Drop the ALPN escape handling, that was not needed.
Make the hode handle (and ignore) duplicate ALPN entries.
Closes#16972
- allow and ignore "identity" as an encoding
- fail if any other encoder than chunked follows after chunked
- fail on unsolicited encodings - when the server encodes but curl did
not ask for it
Add test 1493 to 1496 to verify.
Disable test 319 as that is now broken: issue #16974
Reported-by: Jonathan Rosa
Fixes#16956Closes#16959
When pausing a HTTP/2 transfer, the stream's local window size
is reduced to 0 to prevent the server from sending further data
which curl cannot write out to the application.
When unpausing again, the stream's window size was not correctly
increased again. The attempt to trigger a window update was
ignored by nghttp2, the server never received it and the transfer
stalled.
Add a debug feature to allow use of small window sizes which
reproduces this bug in test_02_21.
Fixes#16955Closes#16960
From what I understand both rustls and mbedTLS expose a strong random
function, so as long as you have a TLS library random will be strong.
Followup 8972845123 "vtls/rustls: support strong CSRNG data"
Followup a90a5bccd4 "mbedtls: implement CTR-DRBG and HAVEGE random generators"
Closes#16965
The HTTPSRR check on the record's target was not working as it used the
wrong index on the NUL byte if the target was not NULL.
Fixes#16966
Reported-by: Pavel Kropachev
Closes#16968
To use curl as a tool for troubleshooting SigV4 signing, it is useful to
have the 'Canonical Request', 'String To Sign' and 'Signature'
calculations output.
Closes#16952
Allocate the data shared between a transfer and an aync resolver thread
separately and use a reference counter to determine its release.
Change `Curl_thread_destroy()` to clear the thread handle, so that the
thread is considered "gone" and we do not try to join (and fail to)
afterwards.
Retake of the revert in fb15a986c0Closes#16916
Slight refactoring around dnscache, e.g. hostcache
- eliminate `data->state.hostcache`. Always look up
relevant dnscache at share/multi.
- unify naming to "dnscache", replacing "hostcache"
- use `struct Curl_dnscache`, even though it just
contains a `Curl_hash` for now.
- add `Curl_dnscache_destroy()` for cleanup in
share/multi.
Closes#16941
Previously it was not compiled if CURL_DISABLE_BINDLOCAL is set, but the
FTP code is also using this function.
Easily found by using configure --disable-bindlocal without disabling
FTP.
Closes#16933
Enable eventfd code consistently when both `HAVE_EVENTFD` and
`HAVE_SYS_EVENTFD_H` macros are defined.
Before this patch `HAVE_EVENTFD` guarded it alone, though the code
also required the header, which was guarded by `HAVE_SYS_EVENTFD_H`.
These should normally be detected in pairs. When they aren't, omit using
`eventfd()` to avoid calling it without a known matching header.
If this disables valid cases (e.g. some system declares this function
via a different header), feature detection and the code may be extended
for those cases. If these are known to come in pairs, always, another
option is detect them both at build stage, and forward a single macro
to C.
Reported-by: Abhinav Singhal
Bug: https://curl.se/mail/lib-2025-04/0000.htmlCloses#16909
Curl_hexbyte - output a byte as a two-digit ASCII hex number
Curl_hexval - convert an ASCII hex digit to its binary value
... instead of duplicating similar code and hexdigit strings in numerous
places.
Closes#16888
The condition required to reach this call could not happen, because
cf_ssl_scache_get() already checks the same condition and returns NULL
for 'scache' prior to this.
Found by CodeSonar
Closes#16896
When a PUSH_PROMISE was received, the h2_stream object was assigned
to the wrong `newhandle->mid` and was thereafter not found. This led
to internal confusion, because the nghttp2 stream user_data was not
cleared and an invalid easy handle was use for trace messages,
resulting in a crash.
Reported-by: Viktor Szakats
Fixes#16881Closes#16905
