A side effect of a previous change to configure (576e507c78)
exposed a non-critical issue that can happen if configure is called with
both '--without-ssl' and some parameter setting the use of a ssl library
(e.g. --with-gnutls). The configure script would end up assuming this is
a MultiSSL build, due to the way the case statement is written.
I have changed the order of the variables in the string concatenation
for the case statement and also tweaked the options so that
--without-ssl never turns the build into a MultiSSL one and also clearly
stating that there are conflicting parameters if the user sets it like
described above.
Closes#9414
Previously the configure script would just warn about this fact and
continue with TLS disabled build which is not always helpful. TLS should
be explicitly disabled if that is what the user wants.
Closes#9367
Commit b589696f added lines to some shell within AC_ARG_WITH macros, but
inadvertently failed to move the final closing ).
Quote the script section using braces.
So, if these problems have been around for a while, how did I find them?
Only because I did a configure including these options:
$ ./configure --with-openssl --without-rustls
SSL: enabled (OpenSSL)
Closes#9344
- based on ngtcp2 PR https://github.com/ngtcp2/ngtcp2/pull/505
- configure adapted to build against ngtcp2 wolfssl crypto lib
- quic code added for creation of WOLFSSL* instances
Closes#9290
This is a rewrite of the previously used GPLv3+exception licensed
file. With this change, there is no more reference to GPL so we can
remove that from LICENSES/.
Ref: #9220Closes#9291
The code that detects bsdsocket.library for AmigaOS did not work
for AmigaOS 4.x. This has been fixed and also cleaned up a little
to reduce duplication. Wasn't technically necessary before, but is
required when building with AmiSSL instead of OpenSSL.
Closes#9268
AmiSSL v5 is the latest version, featuring a port of OpenSSL 3.0.
Support for previous OpenSSL 1.1.x versions has been dropped, so
makes sense to enforce v5 as the minimum requirement. This also
allows all the AmiSSL stub workarounds to be removed as they are
now provided in a link library in the AmiSSL SDK.
Closes#9267
- Use the Windows API to seed the fallback random generator.
This ensures to always have a random seed, even when libcurl is built
with a vtls backend lacking a random generator API, such as rustls
(experimental), GSKit and certain mbedTLS builds, or, when libcurl is
built without a TLS backend. We reuse the Windows-specific random
function from the Schannel backend.
- Implement support for `BCryptGenRandom()` [1] on Windows, as a
replacement for the deprecated `CryptGenRandom()` [2] function.
It is used as the secure random generator for Schannel, and also to
provide entropy for libcurl's fallback random generator. The new
function is supported on Vista and newer via its `bcrypt.dll`. It is
used automatically when building for supported versions. It also works
in UWP apps (the old function did not).
- Clear entropy buffer before calling the Windows random generator.
This avoids using arbitrary application memory as entropy (with
`CryptGenRandom()`) and makes sure to return in a predictable state
when an API call fails.
[1] https://docs.microsoft.com/windows/win32/api/bcrypt/nf-bcrypt-bcryptgenrandom
[2] https://docs.microsoft.com/windows/win32/api/wincrypt/nf-wincrypt-cryptgenrandomCloses#9027
Referring to Daniel's article [1], making the init function thread-safe
was the last bit to make libcurl thread-safe as a whole. So the name of
the feature may as well be the more concise 'threadsafe', also telling
the story that libcurl is now fully thread-safe, not just its init
function. Chances are high that libcurl wants to remain so in the
future, so there is little likelihood of ever needing any other distinct
`threadsafe-<name>` feature flags.
For consistency we also shorten `CURL_VERSION_THREADSAFE_INIT` to
`CURL_VERSION_THREADSAFE`, update its description and reference libcurl's
thread safety documentation.
[1]: https://daniel.haxx.se/blog/2022/06/08/making-libcurl-init-more-thread-safe/
Reviewed-by: Daniel Stenberg
Reviewed-by: Jay Satiro
Closes#8989
Add licensing and copyright information for all files in this repository. This
either happens in the file itself as a comment header or in the file
`.reuse/dep5`.
This commit also adds a Github workflow to check pull requests and adapts
copyright.pl to the changes.
Closes#8869
This flag can be used to make sure that curl_global_init() is
thread-safe.
This can be useful for libraries that can't control what other
dependencies are doing with Curl.
Closes#8680
Enable Linux GSO in ngtcp2 QUIC. In order to recover from the
EAGAIN/EWOULDBLOCK by sendmsg with multiple packets in one GSO write,
packet buffer is now held by struct quicsocket. GSO write might fail in
runtime depending on NIC. Disable GSO if sendmsg returns EIO.
Closes#8909
Rather than assuming sed in PATH, use the resolved $SED variable
like in all other invocations of sed in configure.
Closes: #8891
Reviewed-by: Daniel Stenberg <daniel@haxx.se>
Reviewed-by: Marcel Raad <Marcel.Raad@teamviewer.com>
Set the libcurl version in libcurl.plist like how libcurl.vers is
created.
Closes: #8692
Reviewed-by: Daniel Stenberg <daniel@haxx.se>
Reviewed-by: Nick Zitzmann <nickzman@gmail.com>
The fix for #8276 proposed in #8374 set `CFLAGS="$CFLAGS -pthead"`
earlier than it used to be set, applying it in cases where it should not
have been applied.
This moves the AIX XLC check to a new `case $host in` block inside of
the `if test "$USE_THREADS_POSIX" != "1"` block, where `CFLAGS="$CFLAGS
-pthead"` used to happen.
Fixes#8541Closes#8542
Using the system pkg-config path in the face of a user-specified
library path is asking to link the wrong library.
Reported-by: Michael Kaufmann
Fixes#8289Closes#8456
In March 2010 (commit 4259d2df7d) we removed the embedded 'ares'
directory from the curl source tree but we have since supported
especially detecting and using that build directory. The time has come
to remove that kludge and ask users to specify the c-ares dir correctly
with --enable-ares.
Closes#8397
- Change library link check for ngtcp2_crypto_{gnutls,openssl} to
to use function ngtcp2_crypto_recv_client_initial_cb instead of
ngtcp2_crypto_ctx_initial.
The latter function is no longer external since two days ago in
ngtcp2/ngtcp2@533451f. curl HTTP/3 CI builds have been failing since
then because they would not link to the ngtcp2 crypto library.
Ref: https://github.com/ngtcp2/ngtcp2/pull/356
Closes https://github.com/curl/curl/pull/8372
Mesalink has ceased development. We can no longer encourage use of it.
It seems to be continued under the name TabbySSL, but no attempts have
(yet) been to make curl support it.
Fixes#8188Closes#8191
If hyper is indeed present in the specified directory but couldn't be
used to find the correct symbol, then offer a different error message to
better help the user understand the issue.
Suggested-by: Jacob Hoffman-Andrews
Fixes#8001Closes#8005
Previously specifying `--without-gnutls` would unexpectedly attempt to
compile with GnuTLS, effectively interpreting this as
`--with-gnutls`. This caused a significant amount of confusion when
`libcurl` was built with SSL disabled since GnuTLS wasn't present.
68d89f24 dropped the `--without-*` options from the configure help, but
`AC_ARG_WITH` still defines these flags automatically. As
https://www.gnu.org/software/autoconf/manual/autoconf-2.60/html_node/External-Software.html
describes, the `action-if-given` is called when the user specifies
`--with-*` or `--without-*` options.
To prevent this confusion, we make the `--without` flag do the right
thing by ignoring the value if it set to "no".
Closes#7994
Some method names, as well as the generated library name, were changed
in a recent refactoring.
Further, change the default configuration instructions to check for
Hyper in either "target/debug" or "target/release" - the latter
contains an optimized build configuration.
Fixes#7947Closes#7948
The rationale is that custom *-config tools don't work well when
cross-compiling or using sysroots (such as when using Yocto project) and
require custom fixing for each of them; pkg-config on the other hand
works similarly everywhere.
Signed-off-by: Roy Li <rongqing.li@windriver.com>
Signed-off-by: Alexander Kanavin <alex@linutronix.de>
Closes#7916
ngtcp2_conn_client_new and nghttp3_conn_client_new are now macros.
Check the wrapped functions instead.
ngtcp2_stream_close callback now takes flags parameter.
Closes#7709
The AC_ARG_ENABLE() macro itself uses a variable called
'enable_[option]', so when our script also used a variable with that
name for the purpose of storing what the user wants, it also
accidentally made it impossible to switch off the feature with
--disable-hsts. Fix this by renaming our variable.
Reported-by: Michał Antoniak
Fixes#7669Closes#7672
- If the user has not specified a minimum OS version (via WINVER or
_WIN32_WINNT macros) then set it to Windows XP.
Prior to this change classic MinGW defaulted the minimum OS version
to Windows NT 4.0 which is way too old. At least Windows XP is needed
for getaddrinfo (which resolves hostnames to IPv6 addresses).
Ref: https://github.com/curl/curl/issues/7483#issuecomment-891597034
Closes https://github.com/curl/curl/pull/7581
This reverts commit b4b34db65f, 673753344c and 29c7cf79e8.
The logic is now back to assuming that the nghttp2 lib is called nghttp2 and
nothing else.
Reported-by: Rui Pinheiro
Reported-by: Alex Crichton
Fixes#7514Closes#7515
commit 29c7cf79e8 (shipped in 7.78.0) introduced a problem by
assuming that LIB_H2 does not have any leading whitespace. At least
OpenBSD's native pkg-config can produce such whitespace, though:
$ pkg-config --libs-only-l libnghttp2
-lnghttp2
As a result, the configure check for libnghttp2 will erroneously fail.
Bug: https://curl.se/mail/lib-2021-07/0050.htmlCloses#7472
it needs to be processed by autoconf or autoreconf, and doesn't have a
suitable shebang to be directly executed. other projects normally set
configure.ac -x.
Closes#7272
"get-easy-options" is the configure option advertised by the help text
anyway, so use that.
Fixes#7211Closes#7213
Follow-up to ad691b191 ("configure: added --disable-get-easy-options")
Suggested-by: Daniel Stenberg <daniel@haxx.se>
Signed-off-by: Bastian Krause <bst@pengutronix.de>
Warning: this will make existing curl command lines that use metalink to
stop working.
Reasons for removal:
1. We've found several security problems and issues involving the
metalink support in curl. The issues are not detailed here. When
working on those, it become apparent to the team that several of the
problems are due to the system design, metalink library API and what
the metalink RFC says. They are very hard to fix on the curl side
only.
2. The metalink usage with curl was only very briefly documented and was
not following the "normal" curl usage pattern in several ways, making
it surprising and non-intuitive which could lead to further security
issues.
3. The metalink library was last updated 6 years ago and wasn't so
active the years before that either. An unmaintained library means
there's a security problem waiting to happen. This is probably reason
enough.
4. Metalink requires an XML parsing library, which is complex code (even
the smaller alternatives) and to this day often gets security
updates.
5. Metalink is not a widely used curl feature. In the 2020 curl user
survey, only 1.4% of the responders said that they'd are using it. In
2021 that number was 1.2%. Searching the web also show very few
traces of it being used, even with other tools.
6. The torrent format and associated technology clearly won for
downloading large files from multiple sources in parallel.
Cloes #7176
Latest version of quiche requires the application to pass the peer
address of received packets, and it provides the address for outgoing
packets back.
Closes#7120
configure no longer tries to find a TLS library by default, but all
libraries are now equal: the user needs to explicitly ask what TLS
library or libraries to use.
If no TLS library is selected, configure will error out unless
--without-ssl is explicitly used to request a built without TLS (as that
is very rare these days).
Removes: --with-winssl, --with-darwinssl and all --without-* options for
TLS libraries.
Closes#6897
In 2682e5f5, several instances of AC_HEADER_TIME were removed since
it is a deprecated autoconf macro. However, this was the macro that
defined TIME_WITH_SYS_TIME, which was used to indicate that <time.h>
can be included alongside <sys/time.h>. TIME_WITH_SYS_TIME is still
used in the configure test body and since it is no longer defined,
<time.h> is *not* included on systems that have <sys/time.h>.
In particular, at least on musl libc and glibc, <sys/time.h> does
not implicitly include <time.h> and does not declare clock_gettime,
gmtime_r, or localtime_r. This causes configure to fail to detect
those functions.
The AC_HEADER_TIME macro deprecation text says
> All current systems provide time.h; it need not be checked for.
> Not all systems provide sys/time.h, but those that do, all allow
> you to include it and time.h simultaneously.
So, to fix this issue, simply include <time.h> unconditionally when
testing for time-related functions and in libcurl, and don't bother
checking for it.
Closes#6859
Avoid enabling NTLM feature based upon Windows SSPI
being enabled in case that crypto auth is disabled.
Reported-by: Marcel Raad
Follow-up to #6277Fixes#6803Closes#6808
AC_HELP_STRING is deprecated in 2.70+ and I believe AS_HELP_STRING works
already since 2.59 so bump the minimum required version to that.
Reported-by: Emil Engler
Fixes#6647Closes#6748
Align conditions for NTLM features between CMake and configure
builds by differentiating between USE_NTLM and USE_CURL_NTLM_CORE,
just like curl_setup.h does internally to detect support of:
- USE_NTLM: required for NTLM crypto authentication feature
- USE_CURL_NTLM_CORE: required for SMB protocol
Implement USE_WIN32_CRYPTO detection by checking for Crypt functions
in wincrypt.h which are not available in the Windows App environment.
Link advapi32 and crypt32 for Crypto API and Schannel SSL backend.
Fix condition of Schannel SSL backend in CMake build accordingly.
Reviewed-by: Marcel Raad
Closes#6277
Add paths for OpenSSL compiling and linking only if they have been
defined. If they haven't been defined, we'll assume that the paths are
already available to the toolchain.
Closes#6730
Previously, configure would look for hyper by default, and use it if
found; otherwise it would not use hyper, and not error.
Now, configure will not look for hyper unless --with-hyper is passed. If
configure looks for hyper and fails, it will error.
Also, add -ld -lpthread -lm to Hyper's libs. I think they are required.
Closes#6598
This commit introduces a "gophers" handler inside the gopher protocol if
USE_SSL is defined. This protocol is no different than the usual gopher
prococol, with the added TLS encapsulation upon connecting. The protocol
has been adopted in the gopher community, and many people have enabled
TLS in their gopher daemons like geomyidae(8), and clients, like clic(1)
and hurl(1).
I have not implemented test units for this protocol because my knowledge
of Perl is sub-par. However, for someone more knowledgeable it might be
fairly trivial, because the same test that tests the plain gopher
protocol can be used for "gophers" just by adding a TLS listener.
Signed-off-by: parazyd <parazyd@dyne.org>
Closes#6208
