Windows CRTs have a `share.h`. Before this patch when trying to
`#include <share.h>` it, the compiler picked up curl's internal
`lib/share.h` instead. Rename it to avoid this issue.
CRT `share.h` has constants necessary for using safe open CRT functions.
Also rename `lib/share.c` to keep matching the header.
Ref: https://learn.microsoft.com/cpp/c-runtime-library/sharing-constants
Ref: 625f2c1644#16949#16991
Cherry-picked from #19643Closes#19676
Description of how this works in `docs/internal/RATELIMITS.ms`.
Notable implementation changes:
- KEEP_SEND_PAUSE/KEEP_SEND_HOLD and KEEP_RECV_PAUSE/KEEP_RECV_HOLD
no longer exist. Pausing is down via blocked the new rlimits.
- KEEP_SEND_TIMED no longer exists. Pausing "100-continue" transfers
is done in the new `Curl_http_perform_pollset()` method.
- HTTP/2 rate limiting implemented via window updates. When
transfer initiaiting connection has a ratelimit, adjust the
initial window size
- HTTP/3 ngtcp2 rate limitin implemnented via ack updates
- HTTP/3 quiche does not seem to support this via its API
- the default progress-meter has been improved for accuracy
in "current speed" results.
pytest speed tests have been improved.
Closes#19384
To replace deprecated, unsafe `sys_nerr`, `sys_errlist` global
variables with the function suggested by the CRT warning silenced via
`_CRT_SECURE_NO_WARNINGS`:
```
lib/curlx/strerr.c(291): warning C4996: '__sys_nerr': This function or variable may be unsafe. Consider using strerror instead.
lib/curlx/strerr.c(292): warning C4996: '__sys_errlist': This function or variable may be unsafe. Consider using strerror instead.
```
(where `strerror` in turn suggests `strerror_s`...)
Upside: returns an error and has a Unicode variant. Downaside: happy
to return success when passing unrecognized error codes. Work it around
by looking for the string "Unknown error" returned in such cases and
falling back to other methods to retrieve a description.
Refs:
https://learn.microsoft.com/cpp/c-runtime-library/errno-doserrno-sys-errlist-and-sys-nerrhttps://learn.microsoft.com/cpp/c-runtime-library/reference/strerror-s-strerror-s-wcserror-s-wcserror-sCloses#19646
Also:
- memdebug: fix symbol collision in unity builds.
- memdebug: fix compiler warning by making a variable static.
Follow-up to c77bed81a2#19657Closes#19666
When a trasfer is paused from a read callback with a CURL_READFUNC_PAUSE
code, it should be excluded from the speedcheck. Currently only
transfers paused from write callbacks are excluded, because the code
only checks for "recv direction" of the transfer. This commit adds a
check for "send direction".
Issue similar to https://github.com/curl/curl/issues/6358Closes#19653
- adjust cipher list in infof() statement for min/max TLS version
- skip test_17_07 for wolfSSL 5.8.4 when CHACHA20 is negotiated
due to regression with homebrew build on ARM systems.
Fixes#19644
Reported-by: Viktor Szakats
Closes#19662
The freeing of the already allocated hostname is done by
Curl_async_shutdown(). This extra free in the RR code path made a
double-free.
Presumably not detected because the CI torture tests don't run HTTPS-RR
enabled?
Follow-up to 8d0bfe74fbCloses#19658
When OpenSSL fails to verify the peer certificate, we checked for
one specific reason code and did not ask Apple SecTrust for any
other failure.
Always ask Apple SecTrust after OpenSSL fails when the `native_ca_store`
is enabled. If the user configures a CAfile or CApath, the native store
is disabled, so this does not affect use cases where users asks curl
to use a specific set of trust anchors.
Do the same for GnuTLS
Fixes#19636
Reported-by: ffath-vo on github
Closes#19638
Usage:
- autotools: `--disable-typecheck` (or `--enable-typecheck` (default))
- cmake: `-DCURL_DISABLE_TYPECHECK=ON`.
To disable `curl_easy_setopt()`/`curl_easy_getinfo()` type checking with
supported (new) gcc and clang compilers. It is useful to improve build
performance for the `tests/libtest` target. In particular the CodeQL
analyzer may take above an hour to compile with type checking enabled,
and disabling it brings it down to seconds. On local machines it may
also cut build times in half when build testdeps, depending on platform
and compiler.
Other than these cases, we recommend leaving type checking enabled.
Ref: fdacf34aae#19632
Also:
- GHA/codeql: use it.
- test1165: check in `include/curl`.
- lib1912: delete stray todo comment.
- spelling and comment nits.
Closes#19637
Replace:
- curl_sspi: macro `_tcsncpy()` with `_tcsncpy_s()`.
- curlx/fopen: `wcsncpy()` with `wcsncpy_s()`.
- curlx/fopen: `wcscpy()` with `wcscpy_s()`.
Use of the pre-existing functions were safe. This patch aims to use the
recommended Windows CRT functions. Handle errors returned by them. Also
to avoid the compiler warnings silenced via `_CRT_SECURE_NO_WARNINGS`:
```
lib/curl_sspi.c(152): warning C4996: 'wcsncpy': This function or variable may be unsafe. Consider using wcsncpy_s instead. To disable deprecation, use _CRT_SECURE_NO_WARNINGS.
lib/curlx/fopen.c(161): warning C4996: 'wcsncpy': This function or variable may be unsafe. Consider using wcsncpy_s instead. To disable deprecation, use _CRT_SECURE_NO_WARNINGS.
lib/curlx/fopen.c(162): warning C4996: 'wcscpy': This function or variable may be unsafe. Consider using wcscpy_s instead. To disable deprecation, use _CRT_SECURE_NO_WARNINGS.
lib/curlx/fopen.c(174): warning C4996: 'wcsncpy': This function or variable may be unsafe. Consider using wcsncpy_s instead. To disable deprecation, use _CRT_SECURE_NO_WARNINGS.
lib/curlx/fopen.c(175): warning C4996: 'wcscpy': This function or variable may be unsafe. Consider using wcscpy_s instead. To disable deprecation, use _CRT_SECURE_NO_WARNINGS.
```
Refs:
https://learn.microsoft.com/cpp/c-runtime-library/reference/strncpy-strncpy-l-wcsncpy-wcsncpy-l-mbsncpy-mbsncpy-lhttps://learn.microsoft.com/cpp/c-runtime-library/reference/strncpy-s-strncpy-s-l-wcsncpy-s-wcsncpy-s-l-mbsncpy-s-mbsncpy-s-lhttps://learn.microsoft.com/cpp/c-runtime-library/security-features-in-the-crt
Cherry-picked from #19581 (in part)
Closes#19589
If verifypeer and verifyhost are disabled, to not generate
a failf() message for failed verifications.
Fixes#19615
Reported-by: ncaklovic on github
Closes#19625
Based on existing code and commit history it appears
`CURL_DISABLE_INSTALL` means to prevent calling `install()`;
`CURL_ENABLE_EXPORT_TARGET` means to prevent calling `export()` and
`install()`s with `EXPORT` in them.
Fix them to also apply to the lib and src directories in that vain:
- lib: honor `CURL_DISABLE_INSTALL`
- src: honor `CURL_DISABLE_INSTALL`
- src: honor `CURL_ENABLE_EXPORT_TARGET`
https://cmake.org/cmake/help/v4.2/command/install.htmlhttps://cmake.org/cmake/help/v4.2/command/export.html
- `CURL_DISABLE_INSTALL` follow-up to:
aace27b096#12287
- `CURL_ENABLE_EXPORT_TARGET` follow-up to:
8698825106#9638643ec29645#7060Closes#19144
To complement the existing `curlx_fopen()` internal API.
It's used by the curl's `--stderr` option.
`curlx_freopen()` adds two features to the bare `freopen()`:
- tracing for debug-enabled builds.
- Unicode and long-filename support for Windows builds.
In effect this adds long-filename and enables Unicode support for
the `--stderr <filename>` curl command-line option on Windows.
Also add to checksrc.
Follow-up to 2f17a9b654#10673Closes#19598
- curl_setup.h: replace `_CRT_SECURE_NO_DEPRECATE` with
`_CRT_SECURE_NO_WARNINGS`, which seems to be the preferred,
more recent macro for this. Also syncing with libssh2.
They are equivalent for curl sources with the supported compilers.
- cmake: stop setting `_CRT_SECURE_NO_DEPRECATE` globally for examples.
- examples: suppress CRT deprecation warnings on a per-file basis.
To make it work when compiling examples out of curl's build systems.
Use `_CRT_SECURE_NO_WARNINGS`.
- examples: document the functions requiring `_CRT_SECURE_NO_WARNINGS`.
- examples/block_ip: delete superfluous `_CRT_SECURE_NO_WARNINGS`.
- examples/block_ip: limit `_CRT_NONSTDC_NO_DEPRECATE` to MSVC.
- examples/log_failed_transfers: fix to set `_CRT_SECURE_NO_WARNINGS`
before headers and limit to MSVC.
- curl_setup.h: document which SDKs support `_CRT_NONSTDC_NO_DEPRECATE`.
Closes#19175
The parsing of the HTTP/1.1 formatted request into the h2/h3 header
structures should detect CURLOPT_CUSTOMREQUEST methods and forward them
correctly.
Add test_01_20 to verify
Fixes#19543
Reported-by: Omdahake on github
Closes#19563
