Refactor the netrc scanner. Add test case for checking that the last
matched machine with unmatched login does not return the password as
success (unit1304).
Closes#21624
Curl_ssl_peer_key_make() omitted ssl->signature_algorithms, although
match_ssl_primary_config() compares the field. Two handles differing
only in CURLOPT_SSL_SIGNATURE_ALGORITHMS therefore shared a peer key and
could resume each other's sessions across a shared CURLSH SSL session
cache.
Add :SIGALGS-%s next to the other ssl_primary_config fields.
Closes#21651
When using `-D_CURL_TESTS_CONCAT=ON` with CMake, do not concatenate
`first.h` (or any future header) into the output C file, but `#include`
it instead. This is to play nice with compilers and analyzers which may
apply different checker rules on logic found in headers, vs. the input
source file. As seen for example with `-Wunused-macro` enabled in CI.
After this patch concatenated sources behave closer to regular C
sources.
Also:
- first.h: drop some `-Wunused-macro` silencers that became redundant
with this patch.
Follow-up to 47f411c6d8#21554
Follow-up to 39542f0993#20667Closes#21656
On my suggestion, the regex turned up wrong when looking for Credits-to
in git logs. This adjustment allows the leading spaces.
Follow-up to 64adc43a6eCloses#21655
In both autotools and cmake builds, because Android does not offer
a `zlib.pc`.
Also:
- GHA/non-native: dump config files, to verify.
Reported-by: sfan5 on github
Fixes#21647Closes#21648
The unlinking of the new Curl_peer was happening too later after
the struct had been set to zero. Move the unlink to happen before
that.
Fixes#21602
Reported-by: Joshua Rogers
Closes#21627
Fix a recent regression: when a unix-socket is configured, all proxy
settings must be ignored. The `via_peer` had been checked correctly,
but the connections proxy bits were not cleared.
Add test_11_04 to verify.
Reported-by: Fabian Keil (libcurl mailing list)
Closes#21630
Prior to this patch the test was always skipped due to failing precheck
with `CURLE_BAD_FUNCTION_ARGUMENT`, because of the zero-length blob
passed to setopt. Fix by passing a non-zero long dummy blob as done in
`mk-lib1521.pl`.
Fixing:
```
test 0678 SKIPPED: CURLOPT_CAINFO_BLOB is not supported
```
Follow-up to 956e1ae84f#20705Closes#21641
In AppleSecTrust or NativeCA-enabled builds, make sure override it when
setting a custom `CURLOPT_PROXY_CAINFO_BLOB`.
Reported-by: Joshua Rogers (Aisle Research)
Follow-up to 1730407b74#18279
Follow-up to eefd03c572#18703Closes#21631
Also fix fallouts found.
Windows clang-tidy CI job is a little pickier than I'd prefer due to the
`_CURL_TESTS_CONCAT=ON` option used there, and all macros considered
local, thus checked by the compiler. Upside: it revealed macro usage
dynamics in tests. If too annoying, `first.h` may be opted-out from the
concat logic. Some macros may also be deleted instead of `#if 0`-ing.
Follow-up to e0e56e9ae4#21550
Follow-up to 5fa5cb3825#20593Closes#21554
The dh(g) parameter was read from param->beg instead of from the
cursor p returned by parsing dh(p). This caused dh(g) to always
report the same value as dh(p) when inspecting DH certificates
via CURLOPT_CERTINFO on non-OpenSSL backends.
The DSA branch correctly advances the cursor; the DH branch lost
this during what appears to be a copy-paste.
Add unit1676 to verify that dh(p) and dh(g) report distinct values
using a hand-crafted minimal DER certificate.
Assisted by: Claude Opus 4.6
Signed-off-by: Sergio Correia <scorreia@redhat.com>
Closes#21595
Any 1xx response before the CONNECT final one can be dropped as no one
uses those in the HTTP/2 proxy filter. This eliminates a potential
memory exhaustion by the famous malicious server on the internet.
Closes#21626
If the hostname is specified as an IPv4 numerical address and it is
followed by a single dot, acccept that as a valid IPv4 and remove the
dot when normalizing.
This prevents otherwise legitimate IPv4 hostnames to have trailing dots.
Seems to match what browsers do.
Extended test 1560 to verify.
Closes#21635
When asked to parse for a string with max zero bytes, it will always
return error and no longer trigger an assert. This saves the caller from
having to check for this condition.
Closes#21600
Or consisting of just a single dot.
Such names cannot be resolved with DNS.
While they *can* still be resolved with /etc/hosts or --resolve tricks,
they easily cause internal problems because their trailing dots.
Let's not allow them anymore.
Closes#21622
To make them more accurate.
Also:
- show Visual Studio version, where missing.
- ease the formatting.
- schannel_int.h: clang-tidy fallback code.
Used: `rg -l --sort=path CERT_FIND_HAS_PRIVATE_KEY`
Closes#21621
Fixing this with zizmor v1.25.0:
```
error[unpinned-images]: unpinned image references
--> .github/workflows/linux-old.yml:59:5
59 | container: 'debian:stretch'
| ^^^^^^^^^^^^^^^^^^^^^^^^^^^ container image is not pinned to a SHA256 hash
= help: audit documentation -> https://docs.zizmor.sh/audits/#unpinned-images
[...]
```
Ref: https://github.com/curl/curl/actions/runs/25890035949/job/76090925291?pr=21618
Sadly there is no automatic mechanism to bump them..
Also:
- replace `debian-stretch` with its slim variant.
- bump one of the two Alpine jobs from 3.20 to 3.23.4.
Closes#21619
