... instead of separate malloc() calls:
- removes two mallocs (and associated error handling paths)
- makes cleanup easier
Also reduce maximum SFTP file path lengths to 1024 bytes universally
everywhere. Using the system's own MAX_PATH did not make sense since
this is mostly about getting a remote file name.
Closes#15285
It makes the callbacks get different signnatures when used from within
libcurl vs outside of it by libcurl-using applications (such as the
libtests) and this triggers UndefinedBehaviorSanitizer errors.
Closes#15289
Move the listen/accept handling of the FTP active data connection
into the socket filter and monitor 'connected' status of that as
with passive connections - more or less.
The advantage is that the socket filter now reports being connected
only when the server has actually called and accept() has been done.
This enables to bootstrap the filter chain on the data connection
just like any other. A require SSL filter can then be added right
at the start and does not need to be patched in later.
Still, the active connection keeps on needing special handling in
ftp.c as the control connection needs to be monitored while waiting
as the server might send error responses this way. So, things did
not turn out quite as squeaky clean as hoped for, but still seems
better to do that way.
Closes#14798
For TLSv1.3, if supported, observer special return code to retrieve
newly arrived session from mbedTLS.
Adjust test expectations now that TLSv1.3 session resumption works in
mbedTLS >= 3.6.0.
Based on #14135 by @ad-chaos
Closes#15245
Register a callback to get notified of new SSL sessions by wolfSSL.
Remove the explicit session retrieval after handshake, since this does
not work for TLSv1.3.
Adjust test expectations now that TLSv1.3 session resumption works
in wolfSSL.
Closes#15243
Replace with namespaced local macro `Curl_getpid()`.
Redefining symbols can backfire if that symbol is used in system
headers, especially with unity build. We haven't seen a fallout in CI
or supported envs, but do it anyway for good measure.
Bug report: https://datagirl.xyz/posts/wolfssl_curl_w2k.htmlCloses#15263
Add session reuse for QUIC transfers using GnuTLS. This does not include
support for TLS early data, yet.
Fix check of early data support in common GnuTLS init code to not access
the filter context, as the struct varies between TCP and QUIC
connections.
Closes#15265
Based on #14135, implement TLSv1.3 earlydata support for the curl
command line, libcurl and its implementation in GnuTLS.
If a known TLS session announces early data support, and the feature is
enabled *and* it is not a "connect-only" transfer, delay the TLS
handshake until the first request is being sent.
- Add --tls-earldata as new boolean command line option for curl.
- Add CURLSSLOPT_EARLYDATA to libcurl to enable use of the feature.
- Add CURLINFO_EARLYDATA_SENT_T to libcurl, reporting the amount of
bytes sent and accepted/rejected by the server.
Implementation details:
- store the ALPN protocol selected at the SSL session.
- When reusing the session and enabling earlydata, use exactly
that ALPN protocol for negoptiation with the server. When the
sessions ALPN does not match the connections ALPN, earlydata
will not be enabled.
- Check that the server selected the correct ALPN protocol for
an earlydata connect. If the server does not confirm or reports
something different, the connect fails.
- HTTP/2: delay sending the initial SETTINGS frames during connect,
if not connect-only.
Verification:
- add test_02_32 to verify earlydata GET with nghttpx.
- add test_07_70 to verify earlydata PUT with nghttpx.
- add support in 'hx-download', 'hx-upload' clients for the feature
Assisted-by: ad-chaos on github
Closes#15211
- split the huge Curl_cookie_add() into several smaller static functions
- switch to using the common llist instead of custom linked list
- use less memory for *getlist()
- use bitfields for flags in the Cookie struct
- avoid the copy for date parsing
- more consistent variable naming
Closes#15247
Enclose
`CMAKE_EXTRA_INCLUDE_FILES`,
`CMAKE_REQUIRED_DEFINITIONS`,
`CMAKE_REQUIRED_FLAGS`,
`CMAKE_REQUIRED_INCLUDES`,
`CMAKE_REQUIRED_LIBRARIES`,
`CMAKE_REQUIRED_LINK_OPTIONS`,
settings within `cmake_push_check_state()`/`cmake_pop_check_state()`
calls. It prevents spilling them into other feature checks. It also
replaces manual resets found in some places (which can have
the undesired side-effect of destroying values meant for global use.)
Cherry-picked from #15157Closes#15251
- on load, only replace existing HSTS entries if there is a full host
match
- on matching, prefer a full host match and secondary the longest tail
subdomain match
Closes#15210
When a multi handle is being cleaned up, it can still cause user
callbacks to be fired. Notably Curl_cpool_destroy calls socket_callback
on all pooled connections. It's still possible for the callback to call
curl_multi_assign leading to an assert.
This commit moves clearing of a multi handle magic to a point where the
multi handle stops being a valid object.
Fixes#15201Closes#15206
- update mbedTLS repo URL.
- switch local mbedTLS build to use CMake, and Ninja.
CMake build is required to create and install mbedTLS `pkg-config`
files. (as of v3.6.1)
`-DCMAKE_POSITION_INDEPENDENT_CODE=ON` required to avoid this error
when linking mbedtls to `libcurl.so`:
```
/usr/bin/ld: /home/runner/mbedtls/lib/libmbedcrypto.a(cipher.c.o): warning: relocation against `mbedtls_cipher_base_lookup_table' in read-only section `.text'
/usr/bin/ld: /home/runner/mbedtls/lib/libmbedtls.a(ssl_tls.c.o): relocation R_X86_64_PC32 against symbol `mbedtls_x509_crt_profile_suiteb' can not be used when making a shared object; recompile with -fPIC
/usr/bin/ld: final link failed: bad value
```
Ref: https://github.com/curl/curl/actions/runs/11245069259/job/31264386723#step:40:43
- make local mbedTLS build 10x smaller by omitting programs and tests.
- GHA/linux: fix cmake warning by adding `-B .` option.
- GHA/linux: add build-only cmake job for packaged mbedTLS (2.x).
- fix compiler warning when building with mbedTLS 2.x:
```
/home/runner/work/curl/curl/lib/vtls/mbedtls.c:344:1: error: ‘mbed_cipher_suite_get_str’ defined but not used [-Werror=unused-function]
344 | mbed_cipher_suite_get_str(uint16_t id, char *buf, size_t buf_size,
| ^~~~~~~~~~~~~~~~~~~~~~~~~
```
Ref: https://github.com/curl/curl/actions/runs/11244999065/job/31264168295#step:40:50
Also in preparation for #15193Closes#15208
When the pool is cleaned up due to host limits, the bundle may be
cleaned up as well making the old pointer invalid.
Fixes#15185
Reported-by: Moritz Knüsel
Closes#15186
To sync with `./configure`.
- `HAVE_NETINET_IN6_H` is
needed by HPE NonStop NSE and NSX systems.
Follow-up to 76ebd54175#2155
- `HAVE_CLOSESOCKET_CAMEL`, `HAVE_PROTO_BSDSOCKET_H`
are for AmigaOS.
(Note: `./configure` tries to detect these for all targets, cmake does
it only for AmigaOS, to not inflate configure time.)
Closes#15172
Before this patch `setmode()` was not detected with Cygwin/MSYS, because
it's a macro, not a function, and detection is looking for a function.
Switching to symbol detection doesn't work because it mis-detects it on
BSD systems which features a function with the same name but different
functionality and arguments.
Fix it by looking for a `_setmode()` function on Cygwin/MSYS, and use it
if available.
`_setmode()` is recommended over `setmode()` by Windows documentation so
use that on Windows too. It seems to be available on all supported
compilers, so omit detection.
https://learn.microsoft.com/cpp/c-runtime-library/reference/posix-setmodehttps://learn.microsoft.com/cpp/c-runtime-library/reference/setmode
Officially Windows requires argument `_O_BINARY` with an underscore.
`O_BINARY` is also supported but bound to conditions. Continue to use it
for simplicity. Cygwin supports `O_BINARY` (no underscore).
Closes#15169
- Use the appropriate variable type for the curlx_tvtoms() return code:
timediff_t and remove the typecast.
- Simplify the function and avoid the odd expire adjustment that
probably is a rest from ancient days when the expire function did not
handle zero millisecond timeouts.
Closes#15145
As the parsing and address "regeneration" are done anyway, we might as
well use the updated version in the result and thereby A) get a
normalized (and lower cased) version of the address and B) avoid a
strcpy().
Updated test 1560 to verify.
Closes#15143
Since OpenSSL does its own send/recv internally, we may miss the moment
to populate the x509 store right before the server response. Do it
instead before we start the handshake, at the loss of the time to set
this up.
Closes#15137
`Curl_bufq_unwrite()` used the head instead of the tail chunk to shrink
the bufq's content. Fix this and add test case that checks correct
behaviour.
Amended test 2601 accordingly.
Reported-by: Chris Stubbs
Closes#15136
booleans should use the type 'bool' and set the value to TRUE/FALSE
non-booleans should not be 'bool' and should not set the value to
TRUE/FALSE
Closes#15123
For all states before MSTATE_DO the connect timeout needs to be
considered.
Regression since #13371 (be659030ba) shipped in 8.8.0
Reported-by: Deniz Sökmen
Fixes#15100Closes#15119
