Make CURLOPT_GSSAPI_DELEGATION effective on Windows builds that use SSPI
(instead of a native GSS-API implementation), so Kerberos delegation can
be requested during SPNEGO/Negotiate authentication.
Closes #21528
Previously, the use of checkprefix() alone allowed the code to match not
only on "blksize" but also (mistakenly) on "blksizeFOO" etc.
Reported-by: Andrew Nesbit
Closes #21560
The events on a multi wakeup socketpair were only consumed via
curl_multi_poll()/curl_multi_wait() but not in event based processing on
a curl_multi_socket() call. That led to busy loops as reported in
Fixes #21547
Reported-by: Earnestly on github
Closes #21549
- disable DES with nettle 4. It no longer supports it.
```
lib/curl_ntlm_core.c:67:12: fatal error: 'nettle/des.h' file not found
67 | # include <nettle/des.h>
| ^~~~~~~~~~~~~~
```
- fix MD4 support with nettle 4.
```
lib/md4.c:178:36: error: too many arguments to function call, expected 2, have 3
178 | md4_digest(ctx, MD4_DIGEST_SIZE, digest);
| ~~~~~~~~~~ ^~~~~~
```
- fix unused argument compiler warning:
```
lib/vtls/gtls.c:2267:39: error: unused parameter 'sha256len' [clang-diagnostic-unused-parameter,-warnings-as-errors]
2267 | size_t sha256len)
| ^
```
Ref: https://github.com/curl/curl/actions/runs/25710321195/job/75488970143?pr=21557
- GHA/macos: stop enabling NTLM in the GnuTLS job.
It no longer builds due to missing DES support in nettle 4.
```
lib/curl_ntlm_core.c:90:4: error: "cannot compile NTLM support without a crypto library with DES."
90 | # error "cannot compile NTLM support without a crypto library with DES."
| ^
```
Ref: https://github.com/curl/curl/actions/runs/25710321195/job/75488970170?pr=21557
Follow-up to cfadbaa133 #21169
Closes #21557
By moving operations Perl-native (from shell and external commands), and
passing arguments individually to external commands.
Pointed out by Codex Security
Closes #21104
Exporting the component name as passed in is somewhat boring. OTOH it is
convenient for reuse.
- FindNGTCP2: export crypto backend in `NGTCP2_CRYPTO_BACKEND`.
- pass `COMPONENTS` `NGTCP2_CRYPTO_BACKEND` in `curl-config.cmake`.
- FindNGTCP2: fix to skip Config detection when optional `COMPONENTS` is
not passed.
Co-authored-by: Viktor Szakats
Reported-by: x-xiang on github
Fixes #21523
Follow-up to 8fce3e17e6 #20814
Closes #21540
These macros are leftovers from when DNS caching was moved out of
hostip.c into its own source file. Both are still defined and used in
lib/dnscache.c; the copies in lib/hostip.c are unreferenced.
Detected with clang -Wunused-macros.
Follow-up to 96d5b5c688
Closes #21550
This bit was used to do Digest authentication like Internet Explorer
before version 7 (released on October 18, 2006). Presumably no one uses
this anymore and since it is hard to use and does broken auth, starting
in 8.21.0 this bit does nothing (except setting the actual Digest bit).
Closes #21486
When detecting these dependencies via CMake Config and their main
imported target is undefined, automatically assume and use their static
imported target instead.
Adopting from vcpkg downstream, where it's done for nghttp3 and ngtcp2,
but not for nghttp2.
Refs:
773e092a82/ports/curl/dependencies.patch
70b941a5d2
Downstream-patch-by: Kai Pastor
Closes #21470
The code would previously read one byte past the provided
CURLOPT_CAINFO_BLOB if the blob ends exactly with -----BEGIN
CERTIFICATE-----
Reported-by: Andrew Nesbit
Closes #21543
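The defect above is an off-by-one read in a marker scanner: the byte after "-----BEGIN CERTIFICATE-----" is inspected even when the marker is the last thing in the blob. As an added example (not curl's code, and `find_pem_begin` is a constructed name), here is a bounds-checked scanner over a non-NUL-terminated blob of explicit length, handling exactly that end-of-blob case:

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Marker searched for in a PEM CA bundle. */
static const char PEM_BEGIN[] = "-----BEGIN CERTIFICATE-----";
#define PEM_BEGIN_LEN (sizeof(PEM_BEGIN) - 1)

/* Constructed example (not curl's code): find the first BEGIN marker in a
 * blob of `len` bytes that is NOT NUL-terminated. Returns the byte offset
 * of the marker, or -1 if there is none. Every access, including the look
 * at the byte that follows the marker, is bounded by `len`. */
long find_pem_begin(const unsigned char *blob, size_t len)
{
  size_t i;
  if(!blob)
    return -1;
  /* `i + PEM_BEGIN_LEN <= len` guarantees memcmp stays inside the blob. */
  for(i = 0; i + PEM_BEGIN_LEN <= len; i++) {
    if(memcmp(blob + i, PEM_BEGIN, PEM_BEGIN_LEN))
      continue;
    /* The bug class described above is reading blob[i + PEM_BEGIN_LEN]
     * without first checking that such a byte exists. When the marker is
     * the last thing in the blob there is no following byte to inspect. */
    if(i + PEM_BEGIN_LEN == len)
      return (long)i;
    if(blob[i + PEM_BEGIN_LEN] == '\n' || blob[i + PEM_BEGIN_LEN] == '\r')
      return (long)i;
    /* Marker immediately followed by other text: not a real PEM header,
     * keep scanning. */
  }
  return -1;
}

int main(void)
{
  /* Constructed input: the marker is the very last thing in the blob. */
  static const unsigned char blob[] = "x\n-----BEGIN CERTIFICATE-----";
  printf("offset: %ld\n", find_pem_begin(blob, sizeof(blob) - 1));
  return 0;
}
```

Whether a blob that ends right after the BEGIN marker should count as a certificate is a policy choice for the caller; the point here is only that the decision is made without touching memory outside the buffer.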
It no longer requires "a special build" of OpenSSL, just OpenSSL 4+.
Emphasize the experimental part a little clearer.
Drop the caveat for wolfSSL from the main description.
Closes #21536
- passing an unknown string to CURLOPT_ECH now returns error
To properly allow applications to spot if they pass in a typo or
something to libcurl.
- CURLECH_DISABLE is now a plain zero internally, not a dedicated bit which
simplifies checks for when ECH is enabled
- Dropped the CURLECH_CLA_CFG bit, and just check STRING_ECH_CONFIG
- Turn grease/enable/hard into three different numerical values, no bitmask
needed
- Convert the struct field 'tls_ech' from an int to a byte.
Closes #21532
Due to how the range span globbing code works, a range that ends with
9223372036854775807 (the maximum signed 63 bit value) cannot be used as
it triggers an integer overflow.
Verified in test 2092
Reported-by: Andrew Nesbit
Closes #21529
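The overflow above comes from advancing a range counter past its end value before comparing. As an added example (not curl's globbing code; `count_range_values` is a constructed name), here is a range walker whose termination test uses an exact unsigned difference, so an end of 9223372036854775807 (INT64_MAX) is handled without any signed overflow:

```c
#include <stdint.h>
#include <stdio.h>

/* Constructed example (not curl's code): visit every value of a numeric
 * range "[start-end:step]" and return how many values were visited, or -1
 * for an invalid range. The loop condition is written so that end ==
 * INT64_MAX (and start == INT64_MIN) never causes signed overflow. */
long long count_range_values(int64_t start, int64_t end, int64_t step)
{
  int64_t v = start;
  long long n = 0;
  if(step <= 0 || start > end)
    return -1;
  for(;;) {
    n++;  /* here `v` would be substituted into the URL */
    /* Naive forms such as `v + step <= end`, or `v <= end` with a
     * post-increment, overflow once `end` is INT64_MAX. Because end >= v
     * holds here, the unsigned difference is exact and cannot overflow. */
    if((uint64_t)end - (uint64_t)v < (uint64_t)step)
      break;
    v += step;  /* safe: end - v >= step, so v + step <= end */
  }
  return n;
}

int main(void)
{
  printf("%lld values\n", count_range_values(INT64_MAX - 2, INT64_MAX, 1));
  return 0;
}
```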
The 'ber' pointer could remain allocated in the exit path if the write
callback returned error for one of the Curl_client_write() calls.
Reported-by: Andrew Nesbit
Closes #21530
When a connection is tested for reuse in a transfer that *may* upgrade
to TLS (commonly via STARTTLS), the SSL configuration must match the
existing connection.
Reported-by: Andrew Nesbit
Closes #21522
- rename `req->proxyuserpwd` to `req->hd_proxy_auth`
- rename `req->userpwd` to `req->hd_auth`
- rename parameter `proxytunnel` to `is_connect` for Curl_http_output_auth()
- move path+query concatenation into Curl_http_output_auth(), saving an alloc when no auth is in play
- rename `H1_HD_USER_AUTH` into `H1_HD_AUTH`
Closes #21513
The CURLOPT_SSH_HOST_PUBLIC_KEY_* options are documented to verify the
host at connect time and not for connection reuse. Once the SSH host has
been deemed okay, it remains okay as long as the connection survives.
In addition: this function currently always returned TRUE since the
pointers have been NULLed in the SSH backend code before this function
is called.
Follow-up to c31fcf2dec
Reported-by: Andrew Nesbit
Closes #21519
Convert the silent "was too long!" diagnostics in the timebuf and
max5data width loops into fail_unless assertions, so a regression in
output width fails the unit test directly instead of only printing.
Add small exact-output tables that probe format-transition boundaries
not necessarily hit by the geometric value sweep: the 99999/100000
suffix kick-in for max5data, and the 6d/01h, 51m, 136y, and >99999y roll
points for timebuf.
Closes #21516
Unfortunately, mbedtls_pk_parse_key() requires the data to be
null-terminated if the data is PEM encoded (even when provided the exact
length), so this function needs to make a copy that has one.
Reported-by: Elise Vance
Closes #21515
Unix domain socket paths need to be compared case-sensitive, in contrast
to DNS hostnames.
Follow-up to bc40e09f63
Pointed out by Codex Security
Closes #21511
No production code function is allowed to be longer than 500 lines.
The lib/setopt.c:setopt_cptr function is currently exempt, as a single
exception until we make it smaller.
Closes #21492