After this patch the `GSS_VERSION` value is left empty in all cases when
there is known version number (potentially on Windows).
Also:
- sync `GSS_FOUND` comment with other Find modules.
- sync `GSS_VERSION` comment with other Find modules, drop the promise
of returning "unknown", which was not true and also not done by other
Find modules.
- tidy up Windows-registry-based MIT `GSS_VERSION` detection, by
guarding the whole block for `WIN32`.
- drop fallback version value `MIT Unknown` used for MIT.
- fix vertical alignment in comment block.
Changing CMake log output like so (in affected config):
```
-- Found GSS: MIT (found version "MIT Unknown")
```
->
```
-- Found GSS: MIT
```
Spotted by Copilot
Bug: https://github.com/curl/curl/pull/22052#discussion_r3429273238
Follow-up to 558814e16dCloses#22071
3 minutes (was: 2).
IIn the hope it fixes timeouts, assuming the Ubuntu mirrors are only
somewhat slower sometimes (and not completely stalled).
Closes#22068
Whether the install is extreme slow and will fail anyway, or only slower
sometimes, and this fixes, we will see.
Example:
```
Need to get 1159 MB of archives.
After this operation, 4463 MB of additional disk space will be used.
Get:1 https://apt.repos.intel.com/oneapi all/main all intel-oneapi-common-licensing-2023.2.0 all 2023.2.0-49462 [30.4 kB]
Get:2 https://apt.repos.intel.com/oneapi all/main all intel-oneapi-common-licensing-2026.0 all 2026.0.0-235 [30.7 kB]
[...]
Get:21 https://apt.repos.intel.com/oneapi all/main amd64 intel-oneapi-dpcpp-debugger-2023.2.0 amd64 2023.2.0-49330 [201 MB]
Error: The action 'install Intel compilers' has timed out after 2 minutes.
```
Ref: https://github.com/curl/curl/actions/runs/27683923870/job/81877924590
Follow-up to 50ff4f2927#21414Closes#22065
Since we have the quirky of empty credentials (the empty string for
username and password) for Negotiate reactivated, we need to check for
this when considering Basic and Digest auth.
Verify a redirect to blank user+password in test 2208
Closes#22060
- drop the old test_setopt() which did the same thing
- remove #if 0'ed macros from first.h
These macros now store results in 'result' more aggressively, but I
believe that is generally favorable.
Closes#22057
Allow creation of a `Curl_creds` instance with empty username and
password (not NULL username/password). There are authentication
schemes like <insert greek mythology'> that do not use the actual
values of username/password but trigger on the mere existance.
We have no test cases for this, so this is a shot in the dark
here.
Fixes#21943
Reported-by: Dan Fandrich
Closes#22044
The DNS filter knows the peer it resolves and the code parts that want
the results know the peer as well. Pass it to lookup methods to make
sure results match.
Background: when tunneling, the resolved peer is not always the one that
other filters are looking for. Especially when HTTPS-RR results are
accessed in TLS filters, those will differ.
This prevents a HTTPS-RR for a proxy to be used for the origin when ECH
is activated. To make ECH work through a tunnel, we need to start an
additional resolve. Something to be fixed after 8.21.
Closes#22042
The OS detection variable is not initialized at the time of assigning
its value to `OPT_APPLE_SECTRUST`. Replace the current empty value with
`no`. This keeps existing, desired, behavior.
Closes#22054
When tying credentials to a connection (NTLM, Negotiate) also link the
origin the credentials are for. This prevents a connection reuse with
the same credentials, but intended for another origin.
The mis-reuse could happen for a forwarding proxy and NTLM (although, in
the mind of the person writing this, it is an insane setup).
Closes#22040
- Clarify that the tarball to verify should be put in the same dir you
run the script.
- Verify that the curl version number in the file name matches the
version number within the tarball. To reduce risk for mistakes.
- When verifying using git, do not unpack the tarball. It avoids the
security risk with malicious tarball contents playing tricks on git.
- Only unpack the tarball for git-less verfication.
- Move the source tarball into _tarballs/ instead of overwriting it,
which can be useful in case the verification fails
Closes#22032
When talking to a forwarding proxy, do not start HTTPS Eyeballing.
We might support this in the future, but for now, the --httpx.x
arguments to do not apply to such a setup.
Add a test case for forward proxying without use of ALPN.
Closes#22033
`Curl_secure_context()` checked `conn->scheme` to determine if Secure
cookies may be sent. Since 73daec6, `conn->scheme` is set to the proxy's
scheme when using an HTTPS forwarding proxy, causing the function to
return TRUE for HTTP origins. This leaked Secure cookies over the
plaintext connection between proxy and origin.
Use `data->state.origin->scheme` instead, which always reflects the
origin's scheme regardless of proxy configuration.
Not an approved vulnerability because the regression was introduced
after the last release and is not present in any released version.
Verified by test 3401
Follow-up to 73daec6620
Reported-by: daviey on hackerone
URL: https://hackerone.com/reports/3803415Closes#22024
This PR makes the wolfssl TLS backend work properly for PQC key
exchanges. The following issues are fixed:
* WOLFSSL_HAVE_KYBER is not present anymore in upstream wolfssl (for a
long time actually), so it has no use and the ML-KEM functionality was
never turned on properly.
* Key share group selection (via --curves) is now handled via the
generic wolfSSL_CTX_set1_groups_list() method instead of the prior
wolfSSL_CTX_set1_curves_list() and the additonal PQC handling. This
removes a lot of PQC related special handling and the behavior now
matches the OpenSSL backend.
* The default QUIC group setting has been removed. For QUIC, the key
share as well as the list in the supported_groups extension is now
handled all within wolfssl. This also supports --curves properly now.
Closes#22030
- lib650: pass `long` to `CURLFORM_NAMELENGTH` in test.
Spotted by Copilot.
https://github.com/curl/curl/pull/22011#discussion_r3412407235
Follow-up to 3620e569b3
- lib650: drop an interim variable, and interim casts.
Follow-up to 60776a0515#2747
- curl_formdata.md: document `CURLFORM_NAMELENGTH` on man page.
- curl_formdata.md: pass `long` to `CURLFORM_BUFFERLENGTH` on man page.
- formdata: pass `long` to `CURLFORM_CONTENTSLENGTH` in comment.
Closes#22017
Some protocols (and servers) prefer to batch IO and will not send data
unless the window is of sufficient size. Set the burst rate for our
rate limits to a minimum of 32KB to prevent stalling.
Reported-by: Tatsuhiro Tsujikawa
Closes#22016
Move the setup filter into its own source file.
Move the main connect driving function, `Curl_conn_connect()`,
from cfilters.c to connect.c.
Closes#22022
For correctness. Did not cause an issue, because the null-terminator is
present.
Also:
- change a size type to avoid casts.
- reuse input length value.
Spotted by GitHub Code Quality
Follow-up to 1e4cb333ef#4826Closes#22027
In `bind_unix_socket()`, before retrying `bind()`.
This patch uses `ENOENT`. This was last time in source between
d25b050379 (2018) and
dffd996e3b (2023), and also earlier. Also
defined by supported Windows envs. Seems safe to use.
Reported-by CodeQL
Follow-up to 99fb36797a
Cherry-picked from #22010Closes#22028
The reason to use them seems to be that just (void) before a function
call is not enough to silence compiler warnings when return codes are
ignored and -Werror=unused-result is used.
While (void)! apparently works to silence those warnings, it is just too
weird and surprising to readers to use.
It is rather a reason to reconsider the usefulness of the warning.
Closes#22023
Now that `conn->origin` can be the proxy, we need to change how
Curl_xfer_is_secure() and some other places work.
Pointed out by Codex Security
Closes#22015
On Windows there is no `lstat()`, which was later substituted with
normal `stat()`, but on Windows `S_IFSOCK` is never defined, which meant
the output of stat was not actually used, reducing this to checking for
the presence of the file, and bailing out without retry if missing.
Follow-up to 30e491e5c9#7034
Follow-up to 99fb36797a
Cherry-picked from #22010Closes#22021
