When OpenSSL reports SSL_ERROR_WANT_READ, set the io_need explicitly.
It should have already been set by the BIO, but be safe.
Reported in Joshua's sarif data
Closes #18733
When a transfer has a speed limit less than 4, the receive loop early
exits without receiving anything, causing a busy loop for that transfer.
Perform that check only after the first receive has been done.
Reported in Joshua's sarif data
Closes #18732
The comments on `cf_recv()` function were outdated and described
calling conventions that no longer are true.
Reported in Joshua's sarif data
Closes #18728
The result of setting the negotiated ALPN was not checked, leading
to reporting success when it should not have.
Reported in Joshua's sarif data
Closes #18727
The return code of SSL_get_stream_read_error_code() was not checked
in one location but was in others. Make that consistent.
Reported in Joshua's sarif data
Closes #18725
Fail on errors from SSL_handle_events().
Force quit Caddy test instance that is left hanging longer with
openssl-quic tests for unknown reasons.
Reported in Joshua's sarif data
Closes #18720
Restructured the code in the following ways:
* add terminal states SUCCESS and FAILED
* split SOCKS4 and SOCKS5 states to be more clear
* use `bufq` for send/recv of SOCKS messages
* reduce SOCKS4 states, more speaking names
* for most states, move code into static function
* reduce SOCKS5 states, more speaking names
* add helpers for traversing to FAILED state
* add helper to flush bufq
* add helper to read minimum amount into bufq
Closes #18401
Improvements around HTTP Upgrade: and multiplex handling:
* add `Curl_conn_set_multiplex()` to set connection's multiplex
bit and trigger "connchanged" events
* call `Curl_conn_set_multiplex()` in filters' `CF_CTRL_CONN_INFO_UPDATE`
implementation where other connection properties are updated.
This prevents connection updates before the final filter chain
is chosen.
* rename enum `UPGR101_INIT` to `UPGR101_NONE`
* rename connection bit `asks_multiplex` to `upgrade_in_progress`
* trigger "connchanged" when `upgrade_in_progress` clears
* rename `WebSockets` to `WebSocket` as it is the common term
used in documentation
Closes #18227
A probably unnecessary precaution, but since the field sizes are 16 bit in the
protocol, this makes sure to fail if they would ever be larger, as that would go
wrong.
Reported in Joshua's sarif data
Closes #18719
- requirements.txt: shorten copyright headers.
- requirements.txt: pin packages to versions.
- GHA/windows: use `tests/requirements.txt`.
Pick a `cryptography` package version that satisfies both `impacket`
and pytest's dependencies.
- GHA/checksrc: move pip deps into a new `requirements.txt`.
To make Dependabot detect and bump them.
- GHA/checksrc: replace apt packages for python test deps with pip
install `tests/**/requirements.txt` to a venv.
- GHA/checksrc: use venv and drop `--break-system-packages`.
- GHA/linux: fix to actually activate venvs.
Follow-up to 2638570241 #15578
- GHA/linux: fixup (did not cause an issue)
Follow-up to d75785c7de #18660
- GHA: create venvs later, simplify commands.
- GHA: sync pip command-line options, e.g. drop progress-bar,
everywhere.
Assisted-by: Dan Fandrich
Closes #18708
The mbedtls_ssl_read() function is documented to be able to also return
MBEDTLS_ERR_SSL_WANT_WRITE, so act on that accordingly instead of
returning error for it.
Assisted-by: Stefan Eissing
Reported in Joshua's sarif data
Closes #18682
The implementation was incomplete and lesser than the other backends. No
one ever reported a bug or requested enhancements for this, indicating
that this backend was never used.
Closes #18700
Replacing the hard-wired stable image. After this patch, it
will automatically follow upstream updates.
Follow-up to 6870bc1b35
Follow-up to 5a25df253d
Closes #18709
- INSTALL.md: fence code to avoid wrong rendering.
Reported-by: rinsuki on github
Fixes: https://github.com/curl/curl-www/issues/480
- use `sh` instead of `bash` as fence language, for less visual noise.
- INSTALL.md: drop stray shebang.
- ECH.md: drop indent from fenced code.
- minor tidy-ups.
Ref: https://curl.se/docs/install.html
Closes #18707
This reverts commit df60e8fe70.
The "first byte" checkpoint is not strictly the first byte received, but
the sign of first traffic from the server, which a closed connection
also is.
Closes #18676
If GSS returns a token to use that is longer than 65535 bytes, it can't
be transmitted since the length field is an unsigned 16 bit field and
thus needs to trigger an error.
Reported in Joshua's sarif data
Closes #18681
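The 16-bit field-size precaution and the GSS token length check above describe the same defensive rule: a length that cannot be represented in the wire format must be refused, not truncated. The following is an added C example, not curl's code; it frames a token behind a 16-bit big-endian length as the SOCKS5 GSS-API sub-negotiation (RFC 1961) does, and the function names and buffer layout are assumptions made for the illustration.

```c
#include <stddef.h>
#include <string.h>

/* Added example, not curl's code. The SOCKS5 GSS-API sub-negotiation
 * (RFC 1961) prefixes each token with a 16-bit big-endian length, so a
 * token longer than 65535 bytes cannot be expressed on the wire. */
#define WIRE_LEN_MAX 0xFFFFu

/* Frame `token` as <len:2><token>. Returns bytes written, 0 on error.
 * The token bytes are not touched when the length check fails. */
size_t frame_gss_token(const unsigned char *token, size_t toklen,
                       unsigned char *out, size_t outlen)
{
  if(toklen > WIRE_LEN_MAX)     /* does not fit the 16-bit length field */
    return 0;
  if(outlen < 2 + toklen)       /* caller's output buffer too small */
    return 0;
  out[0] = (unsigned char)(toklen >> 8);
  out[1] = (unsigned char)(toklen & 0xFF);
  memcpy(out + 2, token, toklen);
  return 2 + toklen;
}

/* Parse a framed token. On success sets *token/*toklen and returns 1;
 * returns 0 when the input is shorter than the header or than the
 * declared length, so a truncated message is never read past its end. */
int parse_gss_token(const unsigned char *in, size_t inlen,
                    const unsigned char **token, size_t *toklen)
{
  size_t len;
  if(inlen < 2)
    return 0;
  len = ((size_t)in[0] << 8) | in[1];
  if(inlen - 2 < len)
    return 0;
  *token = in + 2;
  *toklen = len;
  return 1;
}
```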
It may take 1.5 minutes to find the C compiler on macos with old cmake.
The build is also slow due to no unity and Ninja support.
```
Wed, 24 Sep 2025 04:56:51 GMT -- Using CMake version 3.11.4
Wed, 24 Sep 2025 04:58:01 GMT -- The C compiler identification is AppleClang 17.0.0.17000013
Wed, 24 Sep 2025 04:58:02 GMT -- Check for working C compiler: /Applications/Xcode_16.4.app/Contents/Developer/Toolchains/XcodeDefault.xctoolchain/usr/bin/clang
Wed, 24 Sep 2025 04:59:33 GMT -- Check for working C compiler: /Applications/Xcode_16.4.app/Contents/Developer/Toolchains/XcodeDefault.xctoolchain/usr/bin/clang -- works
Wed, 24 Sep 2025 04:59:33 GMT -- Detecting C compiler ABI info
Wed, 24 Sep 2025 04:59:35 GMT -- Detecting C compiler ABI info - done
```
Ref: https://github.com/curl/curl/actions/runs/17966736478/job/51100678487?pr=18700#step:10:50
Closes #18702
It was using the global parallel value in cmake integration tests, while
on macos runners, this should be lower by one, as used in other macos
jobs. Performance impact is minimal.
Follow-up to fb70812437 #16126
Closes #18701
Number of combo jobs down to 22 from 24.
Also:
- update the version matrix.
- update exclusion matrix.
- include verbose compiler configuration dump.
It makes the Apple-included, default `-I/usr/local/include` visible.
Ref: #18683
Closes #18698
Same issue as seen earlier in the tsan job. Fix it the same way, by
switching to cmake to avoid autotools' libtool confusing the analyzer.
Ref: 2a46df31fd #18274
Configuration remains identical. I removed libssh2 from the installed
packages, because it was unused before, but cmake enabled it by default
and libssh2 has memory leaks:
Ref: https://github.com/curl/curl/actions/runs/17941312820/job/51018425159
Fixing:
```
/usr/bin/llvm-symbolizer-18: /home/runner/work/curl/curl/bld/lib/.libs/libcurl.so.4: no version information available (required by /usr/bin/llvm-symbolizer-18)
/usr/bin/llvm-symbolizer-18: symbol lookup error: /home/runner/work/curl/curl/bld/lib/.libs/libcurl.so.4: undefined symbol: __asan_option_detect_stack_use_after_return
==33900==WARNING: Can't read from symbolizer at fd 3
[..]
==33900==WARNING: Can't write to symbolizer at fd 6
==33900==WARNING: Failed to use and restart external symbolizer
```
Ref: https://github.com/curl/curl/actions/runs/17939949191/job/51013953675?pr=18693
Cherry-picked from #18693
Closes #18696
This is an effort to pass more code through the clang-tidy and scan-build
static analyzers. Following CodeQL Linux jobs.
GHA/codeql:
- also build with libssh.
- disable verbose output in build steps.
GHA/linux:
- enable more build options for the clang-tidy and scan-build jobs:
libidn2, nghttp2, ldap, kerberos, rtmp, gnutls, gsasl, rustls,
mbedtls, wolfssl
Use Linuxbrew where necessary.
- also enable ECH, gssapi in the scan-build job.
- fix 'scanbuild' to be 'scan-build' in the job name.
GHA/macos:
- build with Rustls in the clang-tidy job.
- add a new clang-tidy job to test HTTP/3 (with openssl + ngtcp2).
- build with libssh in one of the clang-tidy jobs.
- build with LibreSSL in the MultiSSL clang-tidy job.
- build with heimdal and kerberos in the clang-tidy jobs respectively.
- build with OpenLDAP in one clang-tidy job.
- add support for `skipall`, `skiprun` job options, and use it.
Closes #18660
Reported in macOS clang-tidy v21.1.1 build, after enabling libssh in it:
```
lib/vssh/libssh.c
lib/vssh/libssh.c:1342:9: error: Value stored to 'to_t' is never read [clang-analyzer-deadcode.DeadStores,-warnings-as-errors]
1342 | to_t = STRE_OK;
| ^
lib/vssh/libssh.c:1342:9: note: Value stored to 'to_t' is never read
lib/vssh/libssh.c:1349:9: error: Value stored to 'from_t' is never read [clang-analyzer-deadcode.DeadStores,-warnings-as-errors]
1349 | from_t = STRE_OK;
| ^
lib/vssh/libssh.c:1349:9: note: Value stored to 'from_t' is never read
2 warnings generated.
```
Ref: https://github.com/curl/curl/actions/runs/17909917954/job/50918955923?pr=18660#step:11:182
Cherry-picked from #18660
Closes #18684