- adjust cipher list in infof() statement for min/max TLS version
- skip test_17_07 for wolfSSL 5.8.4 when CHACHA20 is negotiated
due to regression with homebrew build on ARM systems.
Fixes#19644
Reported-by: Viktor Szakats
Closes#19662
The freeing of the already allocated hostname is done by
Curl_async_shutdown(). This extra free in the RR code path made a
double-free.
Presumably not detected because the CI torture tests don't run HTTPS-RR
enabled?
Follow-up to 8d0bfe74fbCloses#19658
When OpenSSL fails to verify the peer certificate, we checked for
one specific reason code and did not ask Apple SecTrust for any
other failure.
Always ask Apple SecTrust after OpenSSL fails when the `native_ca_store`
is enabled. If the user configures a CAfile or CApath, the native store
is disabled, so this does not affect use cases where users asks curl
to use a specific set of trust anchors.
Do the same for GnuTLS
Fixes#19636
Reported-by: ffath-vo on github
Closes#19638
Usage:
- autotools: `--disable-typecheck` (or `--enable-typecheck` (default))
- cmake: `-DCURL_DISABLE_TYPECHECK=ON`.
To disable `curl_easy_setopt()`/`curl_easy_getinfo()` type checking with
supported (new) gcc and clang compilers. It is useful to improve build
performance for the `tests/libtest` target. In particular the CodeQL
analyzer may take above an hour to compile with type checking enabled,
and disabling it brings it down to seconds. On local machines it may
also cut build times in half when build testdeps, depending on platform
and compiler.
Other than these cases, we recommend leaving type checking enabled.
Ref: fdacf34aae#19632
Also:
- GHA/codeql: use it.
- test1165: check in `include/curl`.
- lib1912: delete stray todo comment.
- spelling and comment nits.
Closes#19637
Replace:
- curl_sspi: macro `_tcsncpy()` with `_tcsncpy_s()`.
- curlx/fopen: `wcsncpy()` with `wcsncpy_s()`.
- curlx/fopen: `wcscpy()` with `wcscpy_s()`.
Use of the pre-existing functions were safe. This patch aims to use the
recommended Windows CRT functions. Handle errors returned by them. Also
to avoid the compiler warnings silenced via `_CRT_SECURE_NO_WARNINGS`:
```
lib/curl_sspi.c(152): warning C4996: 'wcsncpy': This function or variable may be unsafe. Consider using wcsncpy_s instead. To disable deprecation, use _CRT_SECURE_NO_WARNINGS.
lib/curlx/fopen.c(161): warning C4996: 'wcsncpy': This function or variable may be unsafe. Consider using wcsncpy_s instead. To disable deprecation, use _CRT_SECURE_NO_WARNINGS.
lib/curlx/fopen.c(162): warning C4996: 'wcscpy': This function or variable may be unsafe. Consider using wcscpy_s instead. To disable deprecation, use _CRT_SECURE_NO_WARNINGS.
lib/curlx/fopen.c(174): warning C4996: 'wcsncpy': This function or variable may be unsafe. Consider using wcsncpy_s instead. To disable deprecation, use _CRT_SECURE_NO_WARNINGS.
lib/curlx/fopen.c(175): warning C4996: 'wcscpy': This function or variable may be unsafe. Consider using wcscpy_s instead. To disable deprecation, use _CRT_SECURE_NO_WARNINGS.
```
Refs:
https://learn.microsoft.com/cpp/c-runtime-library/reference/strncpy-strncpy-l-wcsncpy-wcsncpy-l-mbsncpy-mbsncpy-lhttps://learn.microsoft.com/cpp/c-runtime-library/reference/strncpy-s-strncpy-s-l-wcsncpy-s-wcsncpy-s-l-mbsncpy-s-mbsncpy-s-lhttps://learn.microsoft.com/cpp/c-runtime-library/security-features-in-the-crt
Cherry-picked from #19581 (in part)
Closes#19589
If verifypeer and verifyhost are disabled, to not generate
a failf() message for failed verifications.
Fixes#19615
Reported-by: ncaklovic on github
Closes#19625
Based on existing code and commit history it appears
`CURL_DISABLE_INSTALL` means to prevent calling `install()`;
`CURL_ENABLE_EXPORT_TARGET` means to prevent calling `export()` and
`install()`s with `EXPORT` in them.
Fix them to also apply to the lib and src directories in that vain:
- lib: honor `CURL_DISABLE_INSTALL`
- src: honor `CURL_DISABLE_INSTALL`
- src: honor `CURL_ENABLE_EXPORT_TARGET`
https://cmake.org/cmake/help/v4.2/command/install.htmlhttps://cmake.org/cmake/help/v4.2/command/export.html
- `CURL_DISABLE_INSTALL` follow-up to:
aace27b096#12287
- `CURL_ENABLE_EXPORT_TARGET` follow-up to:
8698825106#9638643ec29645#7060Closes#19144
To complement the existing `curlx_fopen()` internal API.
It's used by the curl's `--stderr` option.
`curlx_freopen()` adds two features to the bare `freopen()`:
- tracing for debug-enabled builds.
- Unicode and long-filename support for Windows builds.
In effect this adds long-filename and enables Unicode support for
the `--stderr <filename>` curl command-line option on Windows.
Also add to checksrc.
Follow-up to 2f17a9b654#10673Closes#19598
- curl_setup.h: replace `_CRT_SECURE_NO_DEPRECATE` with
`_CRT_SECURE_NO_WARNINGS`, which seems to be the preferred,
more recent macro for this. Also syncing with libssh2.
They are equivalent for curl sources with the supported compilers.
- cmake: stop setting `_CRT_SECURE_NO_DEPRECATE` globally for examples.
- examples: suppress CRT deprecation warnings on a per-file basis.
To make it work when compiling examples out of curl's build systems.
Use `_CRT_SECURE_NO_WARNINGS`.
- examples: document the functions requiring `_CRT_SECURE_NO_WARNINGS`.
- examples/block_ip: delete superfluous `_CRT_SECURE_NO_WARNINGS`.
- examples/block_ip: limit `_CRT_NONSTDC_NO_DEPRECATE` to MSVC.
- examples/log_failed_transfers: fix to set `_CRT_SECURE_NO_WARNINGS`
before headers and limit to MSVC.
- curl_setup.h: document which SDKs support `_CRT_NONSTDC_NO_DEPRECATE`.
Closes#19175
The parsing of the HTTP/1.1 formatted request into the h2/h3 header
structures should detect CURLOPT_CUSTOMREQUEST methods and forward them
correctly.
Add test_01_20 to verify
Fixes#19543
Reported-by: Omdahake on github
Closes#19563
Before this patch `TCP_KEEP*` socket options were unconditionally used
if the build-time SDK supported them. This caused curl logging errors
(or trace messages since #19527) on Windows versions missing support
for them. After this patch, use them only when the runtime environment
supports it and fall back to the alternate method (`SIO_KEEPALIVE_VALS`)
dynamically.
Also:
- log a trace message when using the Win10 method.
- document which SDK versions offer `TCP_KEEP*` macros.
Ref: https://learn.microsoft.com/windows/win32/winsock/ipproto-tcp-socket-options
Ref: https://learn.microsoft.com/windows/win32/winsock/sio-keepalive-vals
Reported-by: Aleksandr Sergeev
Fixes#19520
Follow-up to dc34498d18#19527Closes#19559
The mistake is harmless because it is still a size of a pointer, but
this is the correct pointer.
Acked-by: Daniel McCarney
Reported-by: pelioro on hackerone
Bug: https://hackerone.com/reports/3427460Closes#19545
It also means that all supported OpenSSL versions and forks support
TLSv1.3 after this patch.
It reduces `openssl.c` size by more than 10%, or 400 LOC.
Ref: #18822Closes#18330
