Viktor Szakats [Sat, 20 Dec 2025 13:32:49 +0000 (14:32 +0100)]
tidy-up: miscellaneous
- asyn-thrdd.c: scope an include.
- apply more clang-format suggestions.
- tidy-up PP guard comments.
- delete empty line from the top of headers.
- add empty line after `curl_setup.h` include where missing.
- fix indent.
- CODE_STYLE.md: add `strcpy`.
Follow-up to 8636ad55dfbdbcc2809a61e65c3511baf5e7b0e8 #20088
- lib1901.c: drop unnecessary line.
Follow-up to 436e67f65b9dee1e80aa063c39450f0d1df6ac72 #20076
Daniel Stenberg [Thu, 25 Dec 2025 22:21:34 +0000 (23:21 +0100)]
memdebug: stop tracking send and recv
- they rarely catch any problems
- we have other ways to test different send/recv problems
- the number of such calls vary much more per invoke than others, making
memdebugging harder
- reducing the total number of fallible functions per test is good
- they were not used as intended anyway
Daniel Stenberg [Thu, 25 Dec 2025 09:53:11 +0000 (10:53 +0100)]
cookie: flush better
The cookie flushing (saving to a cookie jar) should only be done if a
transfer has been started. This is now done by checking the
cookies->running field, which is not reset in curl_easy_reset() so the
saving works correctly even after a call to that.
Viktor Szakats [Wed, 24 Dec 2025 23:26:48 +0000 (00:26 +0100)]
lib: drop unused protocol headers
- drop unused `http.h` includes.
- drop unused `http1.h` include.
- drop unused `http2.h` includes.
- vssh/ssh.h: drop unused `vssh.h` include.
- urldata.h: drop unused protocol includes.
- url: include `smtp.h` directly.
- rtsp.h: include directly where used.
- imap, smtp: drop redundant include, move another from .h to .c.
Viktor Szakats [Tue, 23 Dec 2025 10:59:59 +0000 (11:59 +0100)]
tests: replace `strcpy()` with `curlx_strcopy()`
Also:
- examples/hsts-preload: apply the same change as it's based on lib1915
in tests. Make a local clone of `curlx_strcopy()`. Then drop the
`_CRT_SECURE_NO_WARNINGS` hack, that's no longer necessary.
- curl_setup.h: delete `strcpy()` from the `_CRT_SECURE_NO_WARNINGS`
list.
Viktor Szakats [Sun, 21 Dec 2025 01:40:10 +0000 (02:40 +0100)]
lib: drop, or replace `sendf.h` with `curl_trc.h` where possible
- replace `sendf.h` with `curl_trc.h` where it was included just for it.
- drop unused `curl_trc.h` includes.
- easy: delete obsolete comment about `send.h` include reason.
Also:
- move out `curl_trc.h` include from `sendf.h` and include it directly
in users, where not done already. To flatten the include tree and
to less rely on indirect includes.
- stop including `sendf.h` from other headers, replace it with forward
declaration of `Curl_easy`, as done already elsewhere.
Viktor Szakats [Sun, 21 Dec 2025 10:28:42 +0000 (11:28 +0100)]
test96: fix to accept non-unity memdump content with MSVC
In unity builds the source filename (via `__FILE__`) has no path (or
uses slashes?), while in non-unity ones it does contain backslashes
on Windows, with MSVC. Fix the test to recognize backslashes in the
`stripfile` regexp.
Seen in MSVC jobs in CI:
```diff
-MEM tool_cfgable.c[LF]
-MEM tool_paramhlp.c[LF]
-MEM tool_cfgable.c[LF]
-MEM tool_cfgable.c[LF]
-MEM tool_cfgable.c[LF]
-MEM tool_cfgable.c[LF]
+MEM D:\a\curl\curl\src\tool_cfgable.c[LF]
+MEM D:\a\curl\curl\src\tool_paramhlp.c[LF]
+MEM D:\a\curl\curl\src\tool_cfgable.c[LF]
+MEM D:\a\curl\curl\src\tool_cfgable.c[LF]
+MEM D:\a\curl\curl\src\tool_cfgable.c[LF]
+MEM D:\a\curl\curl\src\tool_cfgable.c[LF]
```
Ref: https://github.com/curl/curl/actions/runs/20408366058/job/58641468316?pr=20061#step:13:303
Ref: https://github.com/curl/curl/actions/runs/20408522070/job/58641826216?pr=20064#step:13:298
Viktor Szakats [Sat, 20 Dec 2025 23:40:32 +0000 (00:40 +0100)]
lib: include `curlx/warnless.h` from `curl_setup.h`
To make it available for all files. Drop includes from individual
sources. This header was already included from most sources and not
specific to any internal subsystem.
Also to ensure that two system symbol redefines on Windows (`read()` and
`write()`) get applied to all sources. Move them to `curl_setup.h`.
Wyatt O'Day [Mon, 15 Dec 2025 17:17:13 +0000 (12:17 -0500)]
mbedTLS: cleanup insecure/deprecated code
1. With `MBEDTLS_SSL_PROTO_TLS1_2` not enabled, the mbedTLS code was not
able to connect to any server due to broken logic in curl's
`mbed_set_ssl_version_min_max()`. Now it correctly sets the minimum
supported TLS version based on what is compiled in the library.
2. If debugging is enabled, move the debugging enabling earlier in the
`mbed_connect_step1()` so that verbose errors are actually displayed if
failures happen (see the previous point -- it would've made debugging
that issue easier).
3. Remove the constant `mbedtls_x509_crt_profile_fr` and instead use
mbedTLS-included profile `mbedtls_x509_crt_profile_next` with
`mbedtls_ssl_conf_cert_profile()`. This will follow the latest standards
as new mbedTLS versions are released (rather than being stuck-in-time
until someone comes along to fix what was hard-coded here). This has the
immediate benefit of no longer supporting SHA1 certs and insecure RSA
key-lengths (1024). This fix immediately prevents previously possible
MITM attacks (SHA1 hashes and RSA-1024 keys can be forged relatively
easily by nation-state actors and criminal organizations with
deep-pockets).
4. Added [predictive
resistance](https://mbed-tls.readthedocs.io/en/latest/kb/how-to/add-a-random-generator/#enabling-prediction-resistance)
to the random number generator (adding more entropy to the RNG).
5. Split the random number generator into initialization, the actual
random generation, and the "freeing" of the resources. This
significantly reduces the overhead of using the RNG.
6. Removed the separate RNG function in the TLS connect stage (instead
use the "main" one) and remove the ad-hoc threading support. Instead
properly document how to enable threading in mbedTLS. As it was, other
internals of mbedTLS could have race conditions (in the RSA module in
particular) if `MBEDTLS_THREADING_C` was *not* enabled. And if it is
enabled, then these race-conditions cannot happen. And also, if
MBEDTLS_THREADING_C is enabled then the RNG functions [are fully
thread-safe](https://mbed-tls.readthedocs.io/en/latest/kb/development/thread-safety-and-multi-threading/).
So, the previous ad-hoc threading support was both partial and broken.
7. Enable support for disabling `MBEDTLS_PEM_PARSE_C`.
8. Add support for `CURLOPT_SSLCERTTYPE` so user can specify `PEM` or
`DER` and get faster execution.
Viktor Szakats [Sat, 20 Dec 2025 00:44:46 +0000 (01:44 +0100)]
curlx: add `curlx_rename()`, fix to support long filenames on Windows
Move existing `Curl_rename()` `rename()` wrapper from lib to
curlx/fopen, and make it a curlx macro/function. To allow using
the local worker function to fixup long filenames on Windows.
Then fix the Windows-specific rename implementation to support long
filenames. This operation may happen when using a cookie jar, HSTS cache
or alt-svc cache, via libcurl or the curl tool.
Before this patch, when passing a long filename to the above options,
a `<random>.tmp` file was left on the disk without renaming it to the
filename passed to curl. There was also 1 second delay for each
attempted rename operation.
Also:
- checksrc: ban raw `rename()` and `MoveFileEx*()` functions.
- Note: `Curl_rename()` returned 1 on failure before this patch, while
`curlx_rename()` returns -1 after, to match POSIX `rename()`.
Viktor Szakats [Sat, 20 Dec 2025 14:00:49 +0000 (15:00 +0100)]
GHA/http3-linux: set minimum number of runtest tests
Tailored for each job with a relatively tight limits. Also with no
tolerance in valgrind tests: 4 of the 4 has to be run.
Based on Test Clutch feature matrix which displays the minimum and
actual number of tests:
https://testclutch.curl.se/static/reports/feature-matrix.html
Also:
- runtests.pl: include total number of tests in the error message shown
when the limit was not met.
Viktor Szakats [Fri, 19 Dec 2025 22:26:10 +0000 (23:26 +0100)]
windows: fix `CreateFile()` calls to support long filenames
It makes them work in Schannel's CA bundle loader, and curl tool's
set/get file timestamp operations (e.g. in `-R`/`--remote-time`). Also
to match file open operations, that already support long filenames.
E.g. when using `--remote-time`, fixing:
```
Warning: Failed to set filetime 1741363917 on outfile: CreateFile failed:
Warning: GetLastError 0x00000003
```
The special long filename logic is necessary to support Windows releases
prior to Windows 10 v1607. With the latter, it's possible to opt-in to
this behavior via a manifest setting. Note that Windows itself also needs
to opt-in to support this. Finally note that curl itself needs passing
`--globoff` to let long filenames through, pending #20044 and #20046.
Viktor Szakats [Sat, 20 Dec 2025 11:38:19 +0000 (12:38 +0100)]
openssl: drop includes unused or duplicate
Also:
- vquic-tls.h: do not include unused headers for non-H3 builds.
- autotools: stop looking for `openssl/x509.h` header.
- cmp-config.pl: delete exception for `openssl/x509.h`.
- examples: format/comment sync between the two touched files.
- openssl: drop unused `curlx/wait.h` include.
Viktor Szakats [Fri, 19 Dec 2025 13:57:10 +0000 (14:57 +0100)]
cmake: match filename suffixes with file content
To:
- simplify recognizing CMake sources.
- ensure syntax highlighters use the correct file type.
- sync .h template filename with its autotools counterpart.
Stefan Eissing [Fri, 19 Dec 2025 10:53:51 +0000 (11:53 +0100)]
ngtcp2: retune window sizes
With 24b36fd stream flow control window sizes have been set too
restrictive, crippling transfer rates when no rate limit is in effect.
Disable ngtcp3 stream window auto-tuning and extend the stream window
from the small initial size to the effective rate limit. If no rate
limit is configured, extend stream window to maximum value right away.
This cannot shrink the stream window later, however. But growing the
limit or removing it, will work mid download.
Fixes #20030 Reported-by: koujaz on github
Closes #20033
Viktor Szakats [Fri, 19 Dec 2025 10:00:53 +0000 (11:00 +0100)]
socketpair: drop redundant `_WIN32` branch and include
`io.h` already included via `curl_setup.h`, the other headers are
already guarded off for Windows. `INADDR_LOOPBACK` fallback remains
a no-op on Windows.
Viktor Szakats [Fri, 19 Dec 2025 01:09:15 +0000 (02:09 +0100)]
build: drop duplicate include `curl/curl.h` and others
- curl_range: replace `sendf.h` with direct header dependency
`curl_trc.h`.
- drop `curl/curl.h` includes from internal sourcees in favor of the
include made from `curl_setup.h`. Replace it with the latter where
it's the only include.
- include `curl_setup.h` before using macros, where missing.
- drop redundant `stdlib.h`, `string.h` includes, in favor of
`curl_setup_once.h` including them.
- drop redundant `limits.h` in favor of `curl_setup.h` including it.
- fake_addrinfo.h: fix typo in comment.
- curl_setup_once.h: drop `stdio.h` in favor of earlier include in
`curl_setup.h`.
- drop stray, unused, `stddef.h` includes.
- memdebug.h: add missing `stddef.h` include. (relying on accidental
includes via other headers before this patch.)
- stddef.h: document why it's included.
- strerr: drop `curl/mprintf.h` in favor of `curl/curl.h` including it
via `curl_setup.h`.
Viktor Szakats [Fri, 12 Dec 2025 19:51:52 +0000 (20:51 +0100)]
tidy-up: miscellaneous
- apply more clang-format.
- lib/version: use `CURL_ARRAYSIZE()`.
- INSTALL-CMAKE.md: sync-up an option description with others.
- examples: delete unused main args.
- examples/ftpgetinfo: document `_CRT_SECURE_NO_WARNINGS` symbol.
- delete remaining stray duplicate lines.
- acinclude.m4: drop an unnecessary x-hack.
- vtls/mbedtls: join a URL split into two lines.
- src/tool_cb_see: add parentheses around macro expressions.
- src/tool_operate: move literals to the right side of comparisons.
- libtests: sync up fopen/fstat error messages between tests.
- curl_setup.h: replace `if ! defined __LP64` with `ifndef __LP64`.
I assume it makes no difference on Tandem systems, as the latter form
is already used in `include/curl/system.h`.
Daniel Stenberg [Thu, 18 Dec 2025 12:58:22 +0000 (13:58 +0100)]
http: when unfolding, leave single-space for new header line
Restore the unfolding behavior from before 67ae101666f10232. This change
(leaving more whitespace in the delivered headers) turned out causing
some friction in the git project so presumably others might also find it
a little surprising.
Reported-by: Jeff King
Ref: https://marc.info/?l=git&m=176606332701171&w=2
Closes #20016
Stefan Eissing [Wed, 17 Dec 2025 10:20:42 +0000 (11:20 +0100)]
wolfssl: proof use of wolfSSL_i2d_SSL_SESSION
While wolfSSL_i2d_SSL_SESSION() does not change the passed pointer, like
OpenSSL does, it may one day decide to do so. Pass a copy instead to be
future-proof to such a change in wolfSSL's implementation.
dependabot[bot] [Tue, 16 Dec 2025 23:37:45 +0000 (23:37 +0000)]
GHA: bump pip-dependencies
- update `filelock` from 3.20.0 to 3.20.1 (CVE-2025-68146) (used in pytests)
- update `pytest` from 9.0.1 to 9.0.2
- update `ruff` from 0.14.8 to 0.14.9
Viktor Szakats [Tue, 16 Dec 2025 20:32:29 +0000 (21:32 +0100)]
examples/threaded-ssl: delete in favor of `examples/threaded`
After applying a recent fix made to `threaded.c` (formerly
`multithread.c`) to `threaded-ssl.c`, syncing and updating comments,
the two examples turned out to be identical except their test URLs.
Delete one of them to avoid duplication.
Also:
- examples/threaded: scope a variable.
- examples/threaded: merge comments from its deleted sibling.
Dan Fandrich [Tue, 16 Dec 2025 08:26:25 +0000 (00:26 -0800)]
tests: add a standard log line for alloc failures
This type of test failure requires a test status line in order to be
consistent with other failures and to be parsed properly by Test Clutch.
This is the same style as an exit or postcheck failure.
Viktor Szakats [Tue, 16 Dec 2025 16:26:46 +0000 (17:26 +0100)]
schannel: use Win8 `CERT_NAME_SEARCH_ALL_NAMES_FLAG` with old SDKs
Define `CERT_NAME_SEARCH_ALL_NAMES_FLAG` macro if missing.
To allow using a runtime branch regardless of build-time SDK version,
when running on Windows 8+.
In practice it enables this branch for builds using mingw-w64 v3, and
MSVC with Windows SDK <8.
Dan Fandrich [Tue, 16 Dec 2025 07:32:59 +0000 (23:32 -0800)]
lib: create unitprotos.h in the builddir, not srcdir
The make rule confused automake by changing directories before creating
the file, causing unitprotos.h to be created in the srcdir instead of
the builddir. This results in a stale file and confusing compile errors
in out-of-tree builds.
Viktor Szakats [Tue, 16 Dec 2025 15:41:05 +0000 (16:41 +0100)]
cf-socket: enable Win10 `TCP_KEEP*` options with old SDKs
Define `TCP_KEEP*` macros if they are missing in Windows builds.
To allow using these runtime `setsockopt()` options regardless of
build-time SDK version, when running on Windows 10.0.16299+.
In practice in enables them for builds using mingw-w64 <12, and
MSVC with Windows SDK <10.
Before this patch these runtime options required building curl with
a recent toolchain.
Viktor Szakats [Mon, 15 Dec 2025 15:49:04 +0000 (16:49 +0100)]
idn: clarify null-termination on Windows
Add comments to clarify that a terminating null is always present in
the buffers returned to the caller.
The curl APIs `win32_idn_to_ascii()` or `win32_ascii_to_idn()` receive
a null-terminated UTF-8 string as input. They first convert it to wide
chars by first asking `MultiByteToWideChar()` to calculate the length,
by passing -1. This API returns the length with the null char included
(= `strlen() + 1`), does the conversion, with the output also
null-terminated. `IdnTo*()` preserve this null character as documented.
Then we pass this null-terminated, fixed-length buffer ito
`WideCharToMultiByte()`, which keeps preserving the null, ending up in
the buffer returned to the caller.
Viktor Szakats [Sat, 13 Dec 2025 03:27:41 +0000 (04:27 +0100)]
localtime: detect thread-safe alternatives and use them
- add local API `toolx_localtime()` to wrap the banned function
`localtime()`. Used from libcurl, libtests and test servers.
- auto-detect and use `localtime_r()` where available (e.g. Linux).
Also to support multi-threading.
- use `localtime_s()` on Windows. It requires MSVC or mingw-w64 v4+.
Also to support multi-threading.
Use local workaround to also support mingw-w64 v3.
- add `src/toolx` to keep internal APIs used by the curl tool and tests,
but not by libcurl. `toolx_localtime()` is the first API in it.
- replace `localtime()` calls with `toolx_localtime()`.
Except in examples.
- note Windows XP's default `msvcrt.dll` doesn't offer secure CRT APIs.
XP likely needs a newer version of this DLL, or may not run.
- note that `localtime()` mirrors `gmtime()`, with the difference that
`gmtime()`'s internal wrapper lives in curlx.
Viktor Szakats [Fri, 12 Dec 2025 23:16:58 +0000 (00:16 +0100)]
curlx: move `Curl_gmtime()`, use `gmtime_s()` on Windows
Move `Curl_gmtime()` to curlx and rename to `curlx_gmtime()`. Then call
the internal wrapper also from the curl tool, to avoid using the banned
`gmtime()` directly, and using better, thread-safe alternatives when
available.
Windows `gmtime_s()` requires mingw-w64 v4+ or MSVC. Use local
workaround to also support mingw-w64 v3. `gmtime_s()` also makes
defining `_CRT_SECURE_NO_WARNINGS` unnecessary.
Also:
- lib: drop unused `parsedate.h` includes.
- drop redundant cast from `gmtime_r()` result.
- autotools: reverse condition in the proto detection to avoid
misleading readers. (the condition plays no role in detection.)
- note Windows XP's default `msvcrt.dll` doesn't offer secure CRT APIs.
XP likely needs a newer version of this DLL, or may not run.
projects / 0xmirror / curl.git / log