Both of these projects define the same `SHA*` macros via headers
included by curl (in MultiSSL builds, possibly only in Unity builds),
causing redefinition compiler warnings.
Fix it by disabling compatibility macros in wolfSSL.
```
Building C object lib/CMakeFiles/libcurl_static.dir/Unity/unity_0_c.c.o
In file included from _bld/lib/CMakeFiles/libcurl_static.dir/Unity/unity_0_c.c:202:
In file included from lib/http_aws_sigv4.c:33:
In file included from lib/curl_sha256.h:40:
In file included from /usr/local/Cellar/wolfssl/5.7.2/include/wolfssl/openssl/sha.h:30:
/usr/local/Cellar/wolfssl/5.7.2/include/wolfssl/wolfcrypt/sha256.h:117:13: warning: 'SHA256_BLOCK_SIZE' macro redefined [-Wmacro-redefined]
#define SHA256_BLOCK_SIZE WC_SHA256_BLOCK_SIZE
^
/usr/local/Cellar/nettle/3.10/include/nettle/sha2.h:70:9: note: previous definition is here
#define SHA256_BLOCK_SIZE 64
^
In file included from _bld/lib/CMakeFiles/libcurl_static.dir/Unity/unity_0_c.c:202:
In file included from lib/http_aws_sigv4.c:33:
In file included from lib/curl_sha256.h:40:
In file included from /usr/local/Cellar/wolfssl/5.7.2/include/wolfssl/openssl/sha.h:30:
[...]
#define SHA256_DIGEST_SIZE WC_SHA256_DIGEST_SIZE
#define SHA224_BLOCK_SIZE WC_SHA224_BLOCK_SIZE
#define SHA224_DIGEST_SIZE WC_SHA224_DIGEST_SIZE
#define SHA512_BLOCK_SIZE WC_SHA512_BLOCK_SIZE
#define SHA512_DIGEST_SIZE WC_SHA512_DIGEST_SIZE
#define SHA384_BLOCK_SIZE WC_SHA384_BLOCK_SIZE
#define SHA384_DIGEST_SIZE WC_SHA384_DIGEST_SIZE
```
Cherry-picked from #14495Closes#14511
E.g. with Homebrew wolfssl 5.7.2 on macOS:
```
In file included from _bld/lib/CMakeFiles/libcurl_static.dir/Unity/unity_0_c.c:85:
lib/curl_ntlm_core.c:157:27: error: unknown type name 'DES_key_schedule'
DES_key_schedule DESKEYARG(ks))
^
lib/curl_ntlm_core.c:159:3: error: use of undeclared identifier 'DES_cblock'
DES_cblock key;
^
[...]
```
Earlier patch addressing this for OpenSSL:
802d864450#7808
Cherry-picked from #14495Closes#14512
When using CMake Unity build.
- use unique name for `set_ssl_version_min_max()`
Fixes collision between GnuTLS, mbedTLS and SecureTransport.
```
lib\vtls\mbedtls.c(317,1): error C2084: function 'CURLcode set_ssl_version_min_max(Curl_easy *,ssl_peer *,ssl_primary_config *,const char **,const char *)' already has a body
lib\vtls\mbedtls.c(837,49): warning C4133: 'function': incompatible types - from 'Curl_cfilter *' to 'Curl_easy *'
lib\vtls\mbedtls.c(837,53): warning C4133: 'function': incompatible types - from 'Curl_easy *' to 'ssl_peer *'
lib\vtls\mbedtls.c(837,25): error C2198: 'set_ssl_version_min_max': too few arguments for call
```
- use unique name for `do_file_type()`
Fixes collision between GnuTLS, OpenSSL and wolfSSL.
```
lib\vtls\openssl.c(1053,12): error C2084: function 'gnutls_x509_crt_fmt_t do_file_type(const char *)' already has a body
```
Ref: https://github.com/curl/curl/actions/runs/10341162641/job/28622681573?pr=14484#step:10:31
Cherry-picked from #14495Closes#14516
Silence bogus MSVC warning C4232. Use the method already used
for similar cases earlier.
Also fixup existing suppressions to use pragma push/pop.
```
lib\vquic\curl_ngtcp2.c(709,40): error C2220: the following warning is treated as an error
lib\vquic\curl_ngtcp2.c(709,40): warning C4232: nonstandard extension used: 'client_initial': address of dllimport 'ngtcp2_crypto_client_initial_cb' is not static, identity not guaranteed
lib\vquic\curl_ngtcp2.c(709,40): warning C4232: nonstandard extension used: 'recv_crypto_data': address of dllimport 'ngtcp2_crypto_recv_crypto_data_cb' is not static, identity not guaran
lib\vquic\curl_ngtcp2.c(709,40): warning C4232: nonstandard extension used: 'encrypt': address of dllimport 'ngtcp2_crypto_encrypt_cb' is not static, identity not guaranteed
lib\vquic\curl_ngtcp2.c(709,40): warning C4232: nonstandard extension used: 'decrypt': address of dllimport 'ngtcp2_crypto_decrypt_cb' is not static, identity not guaranteed
lib\vquic\curl_ngtcp2.c(709,40): warning C4232: nonstandard extension used: 'hp_mask': address of dllimport 'ngtcp2_crypto_hp_mask_cb' is not static, identity not guaranteed
lib\vquic\curl_ngtcp2.c(709,40): warning C4232: nonstandard extension used: 'recv_retry': address of dllimport 'ngtcp2_crypto_recv_retry_cb' is not static, identity not guaranteed
lib\vquic\curl_ngtcp2.c(709,40): warning C4232: nonstandard extension used: 'update_key': address of dllimport 'ngtcp2_crypto_update_key_cb' is not static, identity not guaranteed
lib\vquic\curl_ngtcp2.c(709,40): warning C4232: nonstandard extension used: 'delete_crypto_aead_ctx': address of dllimport 'ngtcp2_crypto_delete_crypto_aead_ctx_cb' is not static, identit
lib\vquic\curl_ngtcp2.c(709,40): warning C4232: nonstandard extension used: 'delete_crypto_cipher_ctx': address of dllimport 'ngtcp2_crypto_delete_crypto_cipher_ctx_cb' is not static, ide
lib\vquic\curl_ngtcp2.c(709,40): warning C4232: nonstandard extension used: 'get_path_challenge_data': address of dllimport 'ngtcp2_crypto_get_path_challenge_data_cb' is not static, ident
```
Ref: https://github.com/curl/curl/actions/runs/10343459009/job/28627621355#step:10:30
Cherry-picked from #14495
Co-authored-by: Tal Regev
Ref: #14383Closes#14510
Add option to control whether to use `pkg-config` to detect
dependencies. Curl's CMake uses `pkg-config` by default for all targets
except for MSVC without vcpkg.
With the CMake option `-DCURL_USE_PKGCONFIG=ON` you can override it to
use `pkg-config` always.
If `pkg-config` is causing issues, e.g. in cross-builds or other cases,
`-DCURL_USE_PKGCONFIG=OFF` disables all use of `pkg-config`.
Also add it to `curl-config.cmake`. Not yet used, but will be once curl
starts referencing any curl-specific `Find*` module from this public
script.
Follow-up to 9dfdc6ff42#14483Closes#14504
- make sure to exclude failing tests when libidn2 is detected by
default.
- ignore test 1560 results. Seen to fail with libidn2.
I'm not sure why this test was not executed earlier:
https://github.com/curl/curl/actions/runs/10354610889/job/28660309355#step:13:3647
- runtests: recognize `libidn2` as a feature.
- move IDN test exclusions from GHA/windows to `tests/data/DISABLED`.
- GHA/windows: drop default `-DUSE_LIBIDN2=ON` cmake config.
Cherry-picked from #14495Closes#14519
Give a more consice overview of curl's cipher options and cipher suites.
Removed long lists of ciphers that were directly copied from the SSL
backends' documentation. Instead present the user a more common aproach
acorss the SSL backends, with notes for backends that do not conform
and/or provide alternate means.
Provide a shorter list of cipher suites that is more relevant for modern
usage and should work mostly across all backends, provide a seperate
list with all cipher suites, and provide links to the SSL backends'
documentation for more information.
Also give examples with modern cipher suites.
Add docs/CIPHERS-TLS12.md for TLS 1.2 ciphers.
Closes#14460
Members of the filter context, like stream hash and buffers, need to be
initialized early and protected by a flag to also avoid double cleanup.
This allow the context to be used safely before a connect() is started
and the other parts of the context are set up.
Closes#14505
Before, setting CURLOPT_SSLVERSION with wolfSSL restricted the the tls
proto to just the specified version. Now it properly supports a range.
So it can set the min and max tls proto (max requires wolfSSL 4.2.0).
Bump the absolute minimum required version of wolfSSL to 3.4.6 (released
2015) because it is needed for the wolfSSL_CTX_SetMinVersion() function.
Closes#14480
When using `curl_ws_send()`, perform a blocking send of the data under
the following conditions:
- the websocket is in raw mode and the call is done from within a curl
callback. A partial write of the data could subsequently mess up the
ws framing, as a callback has a hard time handling this.
- the websocket is encoding the data itself, has added it to its
internal sendbuf. A partial flush of the buffer has unclear semantics
for the caller, as they will have no idea what to send again.
Fixes WebSockets tests with CURL_DBG_SOCK_WBLOCK=90 set.
Closes#14458
Channel Bindings are used to tie the session context to a specific TLS
channel. This is to provide additional proof of valid identity,
mitigating authentication relay attacks.
Major web servers have the ability to require (None/Accept/Require)
GSSAPI channel binding, rendering Curl unable to connect to such
websites unless support for channel bindings is implemented.
IIS calls this feature Extended Protection (EPA), which is used in
Enterprise environments using Kerberos for authentication.
This change require krb5 >= 1.19, otherwise channel bindings won't be
forwarded through SPNEGO.
Co-Authored-By: Steffen Kieß <947515+steffen-kiess@users.noreply.github.com>
Closes#13098
Before this patch, `pkg-config` was used for `UNIX` builds only (with
a few exceptions like wolfSSL, libssh, gsasl, libuv). This patch extends
`pkg-config` use to all envs except: `MSVC` without vcpkg. Meaning MSVC
with vcpkg will now use it. Also mingw on Windows.
Also apply the new condition to options where `pkg-config` was used
unconditionally (= for all targets). These are:
`-DCURL_USE_WOLFSSL=ON`, `-DCURL_USE_LIBSSH=ON`,
`-DCURL_USE_GSASL=ON` and `-DCURL_USE_LIBUV=ON`
This patch may still cause regressions for cross-builds (e.g. mingw
cross-build from Unix) and potentially other cases. If that happens, we
recommend using some of these methods to explicitly disable `pkg-config`
when using CMake:
- CMake option: `-DPKG_CONFIG_EXECUTABLE=`
(or `-DPKG_CONFIG_EXECUTABLE=nonexistent` or similar)
This is similar to the (curl-specific) `PKG_CONFIG` env for autotools.
- export env: `PKG_CONFIG_LIBDIR=`
(or `PKG_CONFIG_PATH`, `PKG_CONFIG_SYSROOT_DIR`,
or the CMake-specific `PKG_CONFIG`)
We may improve control over this in a future patch, also allowing opting
in MSVC (without vcpkg).
Ref: #14405
Ref: #14408
Ref: #14140Closes#14483
Rename internal macros to match their `libcurl.pc` metadata counterpart.
Also apply these to the `curl-config.in` template.
- `CPPFLAG_CURL_STATICLIB` -> `LIBCURL_PC_CFLAGS`
- `LIBCURL_LIBS` -> `LIBCURL_PC_LIBS_PRIVATE`
- `LIBCURL_NO_SHARED` -> `LIBCURL_PC_LIBS`
Closes#14476
- Turned them all into functions to also do asserts etc.
- The llist related structs got all their fields renamed in order to make
sure no existing code remains using direct access.
- Each list node struct now points back to the list it "lives in", so
Curl_node_remove() no longer needs the list pointer.
- Rename the node struct and some of the access functions.
- Added lots of ASSERTs to verify API being used correctly
- Fix some cases of API misuse
Add docs/LLIST.md documenting the internal linked list API.
Closes#14485
Instead of having an especially "unique" linked list handler for the
main list of easy handles within the multi handle, this now uses a
regular Curl_llist for this as well.
With this change, it is also clearer that every easy handle added to a
multi handle belongs to one and only one out of three different lists:
process - the general one for normal transfer processing
pending - queued up waiting to get a connection (MSTATE_PENDING)
msgsent - transfer completed (MSTATE_MSGSENT)
An easy handle must therefore be removed from the current list before it
gets added to another.
Closes#14474
libidn2 is detected by default, which triggers a `pkg-config` detectio
attempt by default. This in turn may pick up libidn2 inadvertently from
the disk, and append the libidn2 header directory to the include path.
This header directory might contain incompatible system and/or component
headers, causing confusion and failed builds.
Some of these side-effects may be the result of an unknowningly
configured (or misconfigured) `pkg-config`. In another reported case,
it was hit by the `pkg-config` from Strawberry Perl. Until we
investigate the reasons and come up with a technique to avoid these
issues, limit `pkg-config` detection to UNIX platforms, like we already
do in `Find*` modules.
Notice that `-DCURL_USE_LIBSSH=ON`, `-DCURL_USE_GSASL=ON`, and
`-DCURL_USE_LIBUV=ON` options continue to have the above side-effects,
though these options are disabled by default.
Follow-up to f43adc2c49#14137
Reported-by: Micah Snyder
Fixes#14405Closes#14408
- memdebug: replace keyword `malloc` with `__malloc__` to
not interfere with envs where `malloc` is redefined. Also apply
the fix to `alloc_size`.
Fixes:
```
lib/memdebug.h:107:13: warning: unknown attribute 'vec_malloc' ignored [-Wunknown-attributes]
CURL_EXTERN ALLOC_FUNC FILE *curl_dbg_fdopen(int filedes, const char *mode,
^~~~~~~~~~
lib/memdebug.h:37:37: note: expanded from macro 'ALLOC_FUNC'
# define ALLOC_FUNC __attribute__((malloc))
^~~~~~
/usr/include/stdlib.h:753:16: note: expanded from macro 'malloc'
#define malloc vec_malloc
^~~~~~~~~~
```
- memdebug: always undef before defining.
Also do this for the rest of functions redefined in the same block.
Avoids warning on AIX:
```
lib/memdebug.h:117:9: warning: 'malloc' macro redefined [-Wmacro-redefined]
#define malloc(size) curl_dbg_malloc(size, __LINE__, __FILE__)
^
/usr/include/stdlib.h:753:9: note: previous definition is here
#define malloc vec_malloc
^
```
- easy: fix `-Wformat` warning on AIX by adding a cast.
```
lib/easy.c:608:47: warning: format specifies type 'int' but the argument has type 'long' [-Wformat]
"%" CURL_FORMAT_SOCKET_T ")", fds[i].fd);
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~^~~~~~~~~~
```
- if2ip: silence compiler warning inside AIX system header.
```
/lib/if2ip.c:219:19: warning: signed shift result (0x80000000) sets the sign bit of the shift expression's type ('int') and becomes negative [-Wshift-sign-overflow]
if(ioctl(dummy, SIOCGIFADDR, &req) < 0) {
^~~~~~~~~~~
/usr/include/sys/ioctl.h:401:26: note: expanded from macro 'SIOCGIFADDR'
#define SIOCGIFADDR (int)_IOWR('i',33, struct oifreq) /* get ifnet address */
^~~~~~~~~~~~~~~~~~~~~~~~~~~~
/usr/include/sys/ioctl.h:174:23: note: expanded from macro '_IOWR'
#define _IOWR(x,y,t) (IOC_INOUT|((sizeof(t)&IOCPARM_MASK)<<16)|(x<<8)|y)
^~~~~~~~~
/usr/include/sys/ioctl.h:168:20: note: expanded from macro 'IOC_INOUT'
#define IOC_INOUT (IOC_IN|IOC_OUT)
^~~~~~
/usr/include/sys/ioctl.h:167:28: note: expanded from macro 'IOC_IN'
#define IOC_IN (0x40000000<<1) /* copy in parameters */
~~~~~~~~~~^ ~
```
Ref: https://curl.se/dev/log.cgi?id=20240808180420-3809007
Assisted-by: Dan Fandrich
Closes#14464
- prefix local variables with underscore and convert to lowercase.
- list variables accepted by `libcurl.pc` and `curl-config` templates.
- quote more string literals.
Follow-up to 919394ee64#14450Closes#14462
Log progress only at start and end of transfer to give normalized
output when upload data is only partially sent or temporarily blocked.
Fixes test with CURL_DBG_SOCK_WBLOCK=90 set.
Closes#14454
Fix FTP protocol to flush the pingpong's send buffer before receiving a
response from the server, as it may never come otherwise.
Fixes FTP/FTPS tests with `CURL_DBG_SOCK_WBLOCK=90` set.
Closes#14452
... using the new script 'maxline' to which we specify the maximum
number of columns we allow any single line to be, or it will cause an
error.
Starting out with a max width at 100 columns.
Bonus: shorten the long line in the --ipfs-gateway section.
Closes#14423
- tidy up two `MATCHES` expression by avoiding macros expansion and
adding quotes. Then convert then to `STREQUAL` to match other places
in the code doing the same checks.
- fix setting `_ALL_SOURCE` for AIX to match what autotools does.
- delete stray `_ALL_SOURCE` reference from `lib/config_riscos.h`
- simplify/fix two `STREQUAL ""` checks.
The one in the `openssl_check_symbol_exists()` macro succeeded
regardless of the value. The other could return TRUE when
`CMAKE_OSX_SYSROOT` was undefined.
- delete code for CMake versions (<3.7) we no longer support.
- prefer `LIST(APPEND ...)` to extend `CURL_LIBS`.
- use `CURL_LIBS` to add the `network` lib for Haiku.
Before this patch it was done via raw C flags. I could not test this.
- move `_WIN32_WINNT`-related code next to each other.
It also moves detection to the top, allowing more code to use
the result.
- merge two `WIN32` blocks.
- rename internal variables to underscore + lowercase.
- unwrap a line, indent, whitespace.
Closes#14450
