Commit graph

16803 commits

Author SHA1 Message Date
Stefan Eissing
75c2c881af
openssl+sectrust: fix session reuse
When TLS is verified via Apple SecTrust, openssl internal state is a
verification faiure (that is how it works, we use sectrust when openssl
fails to verify and natice ca store is enabled).

OpenSSL stores this verification status inside its TLS session objects.
On reuse, we see an unverified session and do not reuse it for a
verified connect attempt. While this is a performance penalty for most
connections, it *fails* on ftps:// transfers where servers expect
session reuse on DATA connections.

Fix this by remembering that TLS and a session was verified by sectrust
and allow reuse of such sessions for new connect attempts that also use
sectrust.

Closes #22235
2026-07-01 23:11:10 +02:00
Emmanuel Ugwu
acebf346fe schannel: shut off experimental TLS 1.3 support for Win 10
- Change minimum Windows version for TLS 1.3 support to
  Windows Server 2022.

Prior to this change Windows Server 2022 was already used as the minimum
version in some but not all of the checks for TLS 1.3 support.

Ref: https://github.com/curl/curl/pull/21719#issuecomment-4520234306
Ref: https://github.com/curl/curl/issues/21702

Signed-off-by: Emmanuel Ugwu <emmanuelugwu121@gmail.com>

Closes https://github.com/curl/curl/pull/22231
2026-07-01 03:37:35 -04:00
Viktor Szakats
c0cae1eba4
formdata: replace stray camelcase local function names
Replace with names using the style in the rest of codebase. Also move
the object to left-hand side and action to the right-hand side.

Closes #22223
2026-06-30 11:36:55 +02:00
Viktor Szakats
6fbb65126d
openssl: replace stray legacy API variant with EVP_DigestInit_ex()
To match rest of code, use the modern variant and avoid an unnecessary
internal reset/cleanup.

Closes #22222
2026-06-30 11:36:55 +02:00
Viktor Szakats
5b10939ef7
mbedtls: replace memset() with psa_hash_operation_init()
To initialize hash contexts.

Ref: https://arm-software.github.io/psa-api/crypto/1.1/api/ops/hashes.html#c.psa_hash_operation_init
Follow-up to 3a305831d1 #19077

Closes #22220
2026-06-30 11:36:55 +02:00
Patrick Monnerat
f02c53361e
sasl: fix zero-length response encoding
A sasl zero-length normal response is an empty string, unlike an initial
response. Since the encoding of a zero-length initial response is
protocol dependent, move its handling to the protocol-specific sendauth
procedure. Similarly, do not check for an '=' server message, as this
should normally never occur.

Update the erroneous tests accordingly.

Closes #22218
2026-06-30 08:58:33 +02:00
alhudz
bedeeaa4a7
smtp: reject CR and LF in the envelope address
Verified in test 2110

Closes #22119
2026-06-29 22:28:46 +02:00
Daniel Stenberg
ea71c3b6b6
openldap: handle Curl_sasl_continue() returns better
Similar to how it gets treated already in other protocol handlers.

Follow-up to eeca818b1e

Reported-by: Eunsoo Kim
Closes #22213
2026-06-29 22:22:52 +02:00
HwangRock
df350dd0d8
content_encoding: give a clear error on multi-member gzip
A gzip Content-Encoding response holding more than one gzip member made
curl decode the first member and then fail the transfer with a bare
CURLE_WRITE_ERROR and no hint about the cause. Detect the trailing
member and fail with a message that explains what happened.

Fixes #22156
Closes #22172
2026-06-29 22:21:34 +02:00
Viktor Szakats
2b5911880b
openssl: prefer modern API flavors for EVP_MD_CTX new/free
Available in all supported OpenSSL flavors and versions. They are
functionally identical to the legacy API calls.

Closes #22219
2026-06-29 20:04:57 +02:00
Viktor Szakats
1671ebd975
build: drop superfluous STDC_HEADERS macro
It is traditionally defined by autotools to detect the presence of set
of standard C89 headers. autoconf 2.70 (2020-12-08) reduced the headers
covered to `stdlib.h`, `string.h`. After 2.59d (2006-06-05) obsoleting
it earlier. CMake replicated this detection, and curl included
`curl/stdcheaders.h` if standard headers were missing. However, such
condition could never happen because curl sources already assume all
checked standard headers (`stdarg.h`, `stdlib.h`, `string.h`) and
include them unconditionally.

Since this is an unused feature detection and an impossible fallback
path, drop them from CMake and curl's source. autotools continues to do
the detection by default, but its result is unused after this patch.

This leaves public `curl/stdcheaders.h` unused from within the codebase.

Refs:
f0c7c42553
86c213d0e3

Follow-up to 65dae4ad80 #22191
Follow-up to 4c5307b456
Ref: ae1912cb0d

Closes #22206
2026-06-29 11:11:16 +02:00
Viktor Szakats
99859ecca8
cf-ngtcp2-cmn: initialize new callback ptr for ngtcp2 1.24.0+, bump in CI
Fixes #22205

Closes #22207
2026-06-28 13:57:31 +02:00
Viktor Szakats
39dec13ec0
build: always use local inet_pton()/inet_ntop() implementations
Also repurpose existing build-time feature checks into unit test 1961,
to verify.

Prior to this patch these functions were auto-detected with both
autotools and cmake. In case of autotools there was an extra
verification phase ensuring the functions work as expected. This step
required running the function, thus was limited to non-cross-builds. For
cross-builds and CMake it always used the system implementation if
present. On Windows it always used the local implementation, because
availability/use is complicated there.

After this patch all platforms, always use the local implementation,
which is known to be accurate. This makes curl behave more consistently,
and simplifies the build process, a fixes cross-builds and CMake
auto-detection differences.

Also:
- test1960: enable unconditionally.
- checksrc: disallow globally, allowlist in `block_ip.c` example.
- dnsd: verify ntop result for NULL before passing to printf.

Ref: https://github.com/curl/curl/pull/22137#issuecomment-4797440983
Ref: #22137
Ref: 8537a5b0bc #16577

Closes #22170
2026-06-27 01:24:39 +02:00
Viktor Szakats
a62e08c5eb
lib: fix 'ns' -> 'us' in trace messages
Closes #22200
2026-06-27 00:26:36 +02:00
Daniel Stenberg
996696621f
curl_trc: store callback info in a uint8, not a bool
The state is no longer just a bool so make sure to use a proper uint8_t
so that it gets restored properly.

Follow-up to a6af50c484

Closes #22199
2026-06-26 23:19:51 +02:00
alhudz
65d8eaeaa2
gopher: reject CR and LF in the selector
Verifed in test 1609

Closes #22116
2026-06-26 23:09:43 +02:00
Stefan Eissing
d786a85f19
lib: hostname related cleanups
* format `data->state.aptr.host` without crlf, so signatures do not need
  to strip it again. Add the crlf when adding the header to the request
  dynbuf
* check `connect-to` strings on normalized hostname and user supplied
  hostname (when those differ)
* libssh: always use the peer for setting ssh option SSH_OPTIONS_HOST,
  preserve ipv6 [] enclosure, use IDN converted hostname otherwise. This
  is the libssh documented expectation.
  Do NOT use strings from URL parsing.

Closes #22128
2026-06-26 22:50:38 +02:00
Viktor Szakats
9f9d2d10d9
lib1587: fix gcc -Wconversion with LibreSSL on Windows, test in CI
By exposing and reusing existing custom type via `vtls/openss.h`.

Also:
- GHA/curl-for-win: test in CI by enabling building tests.
  Cost is 45s per job, so limit it to the gcc job.

Seen with Windows x64 gcc (not tested in CI prior to this patch):
```
tests/libtest/lib1587.c:50:7: error: conversion from 'opt1587' {aka 'long long unsigned int'} to 'long int' may change value [-Werror=conversion]
   50 |       SSL_CTX_set_options(info->internals, opts);
      |       ^~~~~~~~~~~~~~~~~~~
tests/libtest/lib1587.c:59:7: error: conversion from 'opt1587' {aka 'long long unsigned int'} to 'long int' may change value [-Werror=conversion]
   59 |       SSL_set_options(info->internals, opts);
      |       ^~~~~~~~~~~~~~~
```
Ref: https://github.com/curl/curl/actions/runs/28258372229/job/83727170184?pr=22195#step:3:4884

Ref: da2f05e6f6 #22198
Ref: 6163566461 #22197
Follow-up to 3e40ccb875 #21290
Follow-up to 2db8ae480f #17809 #17801

Closes #22195
2026-06-26 22:44:53 +02:00
Viktor Szakats
6163566461
openssl: drop unused pre-OpenSSL3 ctx_option_t typedef
Follow-up to 69c89bf3d3 #18330

Closes #22197
2026-06-26 21:12:35 +02:00
Viktor Szakats
84c5dcdb05
tidy-up: syntax and code nits
- cmp-pkg-config.sh: replace `-r -f` with `-rf` to match rest of repo.
- configure.ac: add double quotes for robustness (not a bug).
- curl-openssl.m4: merge nested `if`s.
- CurlTests.c: drop `!= 0`, also to sync with m4.
- CurlTests.c: replace `example.com` with `localhost` in
  `gethostbyname()` feature test code. (compile-only, not a bug)
- GHA/http3-linux: drop literal `true` from bool expression.
- lib650: drop redundant `&`.
- move variable/call to left-hand side of equality checks, where
  missing.
- perl: detach `<`/`>` from filename in `open()`, where missing.
- schannel: apply two nit fixes lost in rebase.
- scripts/verify-release: drop redundant double quotes.
- scripts/verify-release: exit with error code on error.
- synctime: replace magic numbers with `sizeof()`.
- telnet: add missing parentheses to macro value.
- tests/Makefile.am: use single quotes.
- tool_operate: drop redundant `break` after `return` in VMS code.
- unit2413: drop unused NULL pointer + free call.
- unit2413: fix duplicate test case name.
- urlapi: drop redundant parentheses.
- urlapi: drop `CURL_UNCONST()` that became redundant.

Closes #22186
2026-06-26 15:45:24 +02:00
Alhuda Khan
a36384ab94
http: trim custom header name before the Authorization drop
A custom header name padded with blanks (`Authorization :`) missed the
exact-length compare and slipped past the cross-host Authorization and
Cookie drop, forwarding the header to the redirect target. Trim the
parsed name in both the request and proxy CONNECT header builders.

Closes #22178
2026-06-26 14:50:04 +02:00
Stefan Eissing
18475e662c
urlpieces: remove members that live in peers/creds
Remove members of `struct urlpieces` that now live in peers/creds.

Change all remaining uses of those urlpieces.

When comparing schemes, use the protocol constants.

Closes #22171
2026-06-26 14:39:40 +02:00
Stefan Eissing
cfc7922377
altsvc: use Curl_peer in processing
Use `data->state.origin` when processing alt-avc information.

Decomplexify parsing function.

Closes #22184
2026-06-26 14:12:53 +02:00
Stefan Eissing
2f1e94eaed
conncache: connection alive checks intervals
Do not check if a particular connection is alive or not more than once
every second. We did this on every connection reuse which is overkill
when sending many requests to the same host.

Closes #22169
2026-06-26 13:52:26 +02:00
Stefan Eissing
00d5562650
proxy: optimized env lookups
Optimize proxy env var lookups for the commen case of 'https' and 'http'
urls. We do this for every transfer.

Closes #22168
2026-06-26 13:50:20 +02:00
Daniel Stenberg
a6af50c484
multi: forbid curl_easy_pause from within multi socket callback
- there is a risk for a nasty recursive situation

- we avoid certain risks that the pause call changes things so that when
  returning from the callback, the state of some internals is undefined
  and we need to reload which is easy to miss

- we can't think of legitiate use cases for doing this. This is
  basically just the new favorite point for AI and security researchers
  to find hypothetical problems

Closes #22179
2026-06-26 13:43:48 +02:00
Viktor Szakats
397b8f0ec6
tidy-up: docs, comments, typos, whitespace
- GHA/windows: mention `IgnoreStandardErrorWarningFormat=true`
  in comment.
- cmake: fix MIT/GNU GSS order in messages.
- drop some exclamation marks from messages.
- drop redundant ending newlines from messages.
- fold/unfold where possible.
- fix indent, whitespace, typos and other nits.

Closes #22185
2026-06-26 11:36:09 +02:00
Viktor Szakats
231445df2a
cmake: drop logic for GNU/kFreeBSD systems
Adopting change made in CMake, with description: "kFreeBSD is no longer
maintained or supported and was never an officially-supported release
architecture for Debian."

This system name was also dropped by CMake 4.1+:
https://cmake.org/cmake/help/v4.2/variable/CMAKE_SYSTEM_NAME.html

Credits-to: Roger Leigh
Ref: 99c8abed55
Ref: https://gitlab.kitware.com/cmake/cmake/-/work_items/26742
Ref: https://gitlab.kitware.com/cmake/cmake/-/work_items/26722

Follow-up to 5de6848f10 #10023 #5935

Closes #22176
2026-06-26 10:17:00 +02:00
Daniel Stenberg
fdbc5beed3
urlapi: make two #defines instead of magic values/strings in code
Closes #22181
2026-06-26 09:57:21 +02:00
Stefan Eissing
26c6a4d898
urlapi: do not keep an internal port string
Do not allocated an internal port string, just keep and number and a bit
if it is present. Format the port string in a local buffer when someone
asks for it and copy that.

This avoid the format/alloc penalty when parsing URLs and no one ever
asking for the port string.

(And there will be a method to get the uint16_t value directly in
 another PR)

Closes #22167
2026-06-25 14:07:40 +02:00
Viktor Szakats
62e095cee0
ssh: dedupe ssh_pollset() functions
Closes #22115
2026-06-25 11:32:36 +02:00
Stefan Eissing
e9a2b0dc72
multi_ev: refresh sock entry after remove callback
This was missed in the fix for CVE-2026-9080.

Reported-by: stze on hackerone
URL: https://hackerone.com/reports/3823985
Closes #22163
2026-06-25 10:43:41 +02:00
alhudz
f746780a1e
mqtt: reject control bytes in the topic
Closes #22112
2026-06-25 09:35:01 +02:00
Jay Satiro
4ce309d968 ldap: support insecure mode for Windows native LDAP
- Bypass cert verification if verifypeer is disabled.

Prior to this change libcurl lacked the ability to bypass certificate
verification for Windows native LDAP (USE_WIN32_LDAP). A comment said
"Win32 LDAP SDK does not support insecure mode without CA!" but I found
that we can bypass the check by setting a verify callback to override
Windows' internal verify check.

Closes https://github.com/curl/curl/pull/22152
2026-06-24 14:36:16 -04:00
Viktor Szakats
560dc2985a
doh: drop redundant curlx_dyn_free() call in doh_probe_done()
The buffer is freed on the next instruction via `Curl_meta_remove()`'s
destructor.

Reported-by: netspacer.research

Follow-up to 1ebd92d0fd #16384

Closes #22133
2026-06-22 21:04:45 +02:00
Viktor Szakats
b0d0f16d20
tidy-up: make 'CA' uppercase, where missing
```sh
git grep -w ca | grep -v -E -i 'ca[;"=/()%_.-]' | grep -v -E -i '[*$"=/()%_.-]ca'
```

Closes #22135
2026-06-22 21:04:45 +02:00
Stefan Eissing
be1d976a2a
peer: fix ipv6 detection
When trying to detect ipv6 addresses, ipv4 addresses were also
flagged as ipv6.

Add test2413 to check.

Closes #22134
2026-06-22 17:16:07 +02:00
Viktor Szakats
f7d4e11f4b
setopt: return error if received curl_blob->data is NULL
To avoid dereferencing in the function if `CURL_BLOB_COPY` is set, or
outside of the function if unset.

Reported-by: netspacer.research

Closes #22129
2026-06-22 12:08:35 +02:00
Viktor Szakats
b3675fe80a
libssh2: drop stray double-negative from strncmp() result
Just a tidy-up. Logic remains identical.

Spotted by GitHub Code Quality

Follow-up to a867314f4f #16382

Closes #22126
2026-06-22 12:08:35 +02:00
Viktor Szakats
2735ef3bae
libssh2: fix to return error code on missing parameter
Reported by GitHub Code Quality

Follow-up to 0095f98464 #15250

Closes #22125
2026-06-22 12:08:35 +02:00
Daniel Stenberg
c35e2cb29f
setopt: cleanup the length check for COPYPOSTFIELDS handling
Make it more straight-forward

Closes #22127
2026-06-22 11:49:49 +02:00
Stefan Eissing
d638eac189
libssh2: code and infof/trace cleanups
Give the libssh2 infof() messages a common format, add/clarify some to
make the connect/authentication flow more clear.

Closes #22101
2026-06-22 10:12:25 +02:00
Daniel Stenberg
ab779d4e4a
doh: stricter HTTPS RNAME parsing
If any sublabel is longer than 63 octets, abort. This then also catches
compression attempts.

Verified in test 1658

Reported-by: netspacer.research
Closes #22124
2026-06-22 09:53:14 +02:00
Daniel Stenberg
e8e3af2abb
doh: cap the maximum TTL to 24 hours
To avoid mistakes or abuse to cause problems. Many public DNS providers
cap their cache times to this.

Verify in test 1650

Reported-by: netspacer.research
Closes #22122
2026-06-22 09:12:55 +02:00
Stefan Eissing
8ed285f06d
websockets: buffer ugprade data at connection level
When the HTTP Upgrade to websockets already carries ws frame data,
buffer that data at connection level and not in the ws decoder.

Adding new cfilter `cf_recvbuf` to buffer a fixed amont of data
to be received later. When the data is received, the filter
passes further recv call through to its subfilter.

Fixes #22107
Reported-by: sideshowbarker on github
Closes #22111
2026-06-22 08:54:50 +02:00
Michael Kaufmann
810d9535e1
proxy: fix automatic tunnel mode with "connect to host"
Fix a regression in curl 8.21.0-rc3: Check whether the host and the "connect
to host" are equal before initializing the proxy. If they are equal, switching
to tunnel mode is not necessary.

Follow-up to 73daec6

Closes #22110
2026-06-22 08:53:31 +02:00
Daniel Stenberg
0d6e5944bc
setopt: make CURLOPT_KEYPASSWD work for SSH-only builds
This option is used for both TLS and SSH so it needs to be handled
even in TLS-disabled builds

Mention this in the man page as well.

Follow-up to 52fa8d9
Pointed out by Codex Security
Closes #22121
2026-06-22 00:28:28 +02:00
Daniel Stenberg
52fa8d994d
setopt: refactor setopt_cptr into smaller helper functions
This takes down the longest function to sub 500 lines

Closes #22095
2026-06-19 23:43:24 +02:00
Viktor Szakats
93e2341e87
vquic: fix -Wunused-parameter with proxies disabled
Fixing:
```
lib/vquic/vquic.c:864:56: error: unused parameter 'conn' [-Werror,-Wunused-parameter]
  864 |                              const struct connectdata *conn,
      |                                                        ^
```

Closes #22104
2026-06-19 14:46:54 +02:00
alhudz
fdd6ba3580
cookie: check __Secure- and __Host- case sensitively when read from file
The header path matches these prefixes case sensitively, as 5af0165562
made it for cookie spec reasons, but the Netscape cookie-file path still
used a case-insensitive match. Align the file path so a differently
cased name like __secure-x is treated as an ordinary cookie instead of
being put through the prefix integrity checks.

Extended test 2311 to cover it.

Closes #22085
2026-06-18 23:58:07 +02:00