build: enable missing OpenSSF-recommended warnings, with fixes

https://best.openssf.org/Compiler-Hardening-Guides/Compiler-Options-Hardening-Guide-for-C-and-C++.html
as of 2023-11-29 [1]

build: enable missing OpenSSF-recommended warnings, with fixes

https://best.openssf.org/Compiler-Hardening-Guides/Compiler-Options-Hardening-Guide-for-C-and-C++.html
as of 2023-11-29 [1].

Enable new recommended warnings (except `-Wsign-conversion`):

- enable `-Wformat=2` for clang (in both cmake and autotools).
- add `CURL_PRINTF()` internal attribute and mark functions accepting
printf arguments with it. This is a copy of existing
`CURL_TEMP_PRINTF()` but using `__printf__` to make it compatible
with redefinting the `printf` symbol:
https://gcc.gnu.org/onlinedocs/gcc-3.0.4/gcc_5.html#SEC94
- fix `CURL_PRINTF()` and existing `CURL_TEMP_PRINTF()` for
mingw-w64 and enable it on this platform.
- enable `-Wimplicit-fallthrough`.
- enable `-Wtrampolines`.
- add `-Wsign-conversion` commented with a FIXME.
- cmake: enable `-pedantic-errors` the way we do it with autotools.
Follow-up to d5c0351055d5709da8f3e16c91348092fdb481aa #2747
- lib/curl_trc.h: use `CURL_FORMAT()`, this also fixes it to enable format
checks. Previously it was always disabled due to the internal `printf`
macro.

Fix them:

- fix bug where an `set_ipv6_v6only()` call was missed in builds with
`--disable-verbose` / `CURL_DISABLE_VERBOSE_STRINGS=ON`.
- add internal `FALLTHROUGH()` macro.
- replace obsolete fall-through comments with `FALLTHROUGH()`.
- fix fallthrough markups: Delete redundant ones (showing up as
warnings in most cases). Add missing ones. Fix indentation.
- silence `-Wformat-nonliteral` warnings with llvm/clang.
- fix one `-Wformat-nonliteral` warning.
- fix new `-Wformat` and `-Wformat-security` warnings.
- fix `CURL_FORMAT_SOCKET_T` value for mingw-w64. Also move its
definition to `lib/curl_setup.h` allowing use in `tests/server`.
- lib: fix two wrongly passed string arguments in log outputs.
Co-authored-by: Jay Satiro
- fix new `-Wformat` warnings on mingw-w64.

[1] https://github.com/ossf/wg-best-practices-os-developers/blob/56c0fde3895bfc55c8a973ef49a2572c507b2ae1/docs/Compiler-Hardening-Guides/Compiler-Options-Hardening-Guide-for-C-and-C%2B%2B.md

Closes #12489

show more ...

build: variadic macro tidy-ups

- delete unused `HAVE_VARIADIC_MACROS_C99/GCC` feature checks.
(both autotools and CMake.)
- delete duplicate `NULL` check in `Curl_trc_cf_infof()`.

build: variadic macro tidy-ups

- delete unused `HAVE_VARIADIC_MACROS_C99/GCC` feature checks.
(both autotools and CMake.)
- delete duplicate `NULL` check in `Curl_trc_cf_infof()`.
- fix compiler warning in `CURL_DISABLE_VERBOSE_STRINGS` builds.
```
./lib/cf-socket.c:122:41: warning: unused parameter 'data' [-Wunused-parameter]
static void nosigpipe(struct Curl_easy *data,
^
```
- fix `#ifdef` comments in `lib/curl_trc.{c,h}`.
- fix indentation in some `infof()` calls.

Follow-up to dac293cfb7026b1ca4175d88b80f1432d3d3c684 #12167

Cherry-picked from #12105
Closes #12210

show more ...

websocket: rename arguments/variables to match docs

Pedantry/semantic-alignment between functions, docs, comments with
respect to websocket protocol code; No functional change intended.

websocket: rename arguments/variables to match docs

Pedantry/semantic-alignment between functions, docs, comments with
respect to websocket protocol code; No functional change intended.

* "totalsize", "framesize" becomes "fragsize" (we deal in frame fragments).

* "sendflags" becomes "flags"

* use canonical CURL *handle

Closes #11493

show more ...

lib: fix some format specifiers

- Use CURL_FORMAT_CURL_OFF_T where %zd was erroneously used for some
curl_off_t variables.

- Use %zu where %zd was erroneously used for some si

lib: fix some format specifiers

- Use CURL_FORMAT_CURL_OFF_T where %zd was erroneously used for some
curl_off_t variables.

- Use %zu where %zd was erroneously used for some size_t variables.

Prior to this change some of the Windows CI tests were failing because
in Windows 32-bit targets have a 32-bit size_t and a 64-bit curl_off_t.
When %zd was used for some curl_off_t variables then only the lower
32-bits was read and the upper 32-bits would be read for part or all of
the next specifier.

Fixes https://github.com/curl/curl/issues/11327
Closes https://github.com/curl/curl/pull/11321

show more ...

lib: add CURLINFO_CONN_ID and CURLINFO_XFER_ID

- add an `id` long to Curl_easy, -1 on init
- once added to a multi (or its own multi), it gets
a non-negative number assigned by the

lib: add CURLINFO_CONN_ID and CURLINFO_XFER_ID

- add an `id` long to Curl_easy, -1 on init
- once added to a multi (or its own multi), it gets
a non-negative number assigned by the connection cache
- `id` is unique among all transfers using the same
cache until reaching LONG_MAX where it will wrap
around. So, not unique eternally.
- CURLINFO_CONN_ID returns the connection id attached to
data or, if none present, data->state.lastconnect_id
- variables and type declared in tool for write out

Closes #11185

show more ...

ws: make the curl_ws_meta() return pointer a const

The returned info is read-only for the user.

Closes #11261

ws: fix CONT opcode check

Detected by Coverity. Follow-up to 930c00c259

Closes #11037

tests/http: more tests with specific clients

- Makefile support for building test specific clients in tests/http/clients
- auto-make of clients when invoking pytest
- added test_09_0

tests/http: more tests with specific clients

- Makefile support for building test specific clients in tests/http/clients
- auto-make of clients when invoking pytest
- added test_09_02 for server PUSH_PROMISEs using clients/h2-serverpush
- added test_02_21 for lib based downloads and pausing/unpausing transfers

curl url parser:
- added internal method `curl_url_set_authority()` for setting the
authority part of a url (used for PUSH_PROMISE)

http2:
- made logging of PUSH_PROMISE handling nicer

Placing python test requirements in requirements.txt files
- separate files to base test suite and http tests since use
and module lists differ
- using the files in the gh workflows

websocket test cases, fixes for we and bufq
- bufq: account for spare chunks in space calculation
- bufq: reset chunks that are skipped empty
- ws: correctly encode frames with 126 bytes payload
- ws: update frame meta information on first call of collect
callback that fills user buffer
- test client ws-data: some test/reporting improvements

Closes #11006

show more ...

Websocket en-/decoding

- state is fully kept at connection, since curl_ws_send() and
curl_ws_rec() have lifetime beyond usual transfers
- no more limit on frame sizes

Repo

Websocket en-/decoding

- state is fully kept at connection, since curl_ws_send() and
curl_ws_rec() have lifetime beyond usual transfers
- no more limit on frame sizes

Reported-by: simplerobot on github
Fixes #10962
Closes #10999

show more ...

ws: handle reads before EAGAIN better

Reported-by: simplerobot on github
Fixes #10831
Closes #10856

ws: keep the socket non-blocking

Reported-by: marski on github
Fixes #10615
Closes #10625

ws: fix recv of larger frames

+ remove 'oleft' from the struct
+ deal with "overflow data" in a separate dynbuf

Reported-by: Mike Duglas
Fixes #10438
Closes #10447

ws: use %Ou for outputting curl_off_t with info()

Reported-by: Mike Duglas
Fixes #10439
Closes #10441

ws: fix multiframe send handling

Fixes #10413
Closes #10420

ws: unstick connect-only shutdown

As this mode uses blocking sockets, it must set them back to
non-blocking in disconnect to avoid the risk of getting stuck.

Closes #10366

ws: remove bad assert

Reported-by: Stanley Wucw
Fixes #10347
Closes #10366

ws: fix autoping handling

Reported-by: Alexey Savchuk
Fixes #10289
Closes #10294

copyright: update all copyright lines and remove year ranges

- they are mostly pointless in all major jurisdictions
- many big corporations and projects already don't use them
- save

copyright: update all copyright lines and remove year ranges

- they are mostly pointless in all major jurisdictions
- many big corporations and projects already don't use them
- saves us from pointless churn
- git keeps history for us
- the year range is kept in COPYING

checksrc is updated to allow non-year using copyright statements

Closes #10205

show more ...

ws: if no connection is around, return error

- curl_ws_send returns CURLE_SEND_ERROR if data->conn is gone

- curl_ws_recv returns CURLE_GOT_NOTHING on connection close

- cu

ws: if no connection is around, return error

- curl_ws_send returns CURLE_SEND_ERROR if data->conn is gone

- curl_ws_recv returns CURLE_GOT_NOTHING on connection close

- curl_ws_recv.3: mention new return code for connection close + example
embryo

Closes #10084

show more ...

Websocket: fixes for partial frames and buffer updates.

- buffers updated correctly when handling partial frames
- callbacks no longer invoked for incomplete payload data of 0 length

Websocket: fixes for partial frames and buffer updates.

- buffers updated correctly when handling partial frames
- callbacks no longer invoked for incomplete payload data of 0 length
- curl_ws_recv no longer returns with 0 length partial payload

Closes #9890

show more ...

websockets: fix handling of partial frames

buffer used and send length calculations are fixed when a partial
websocket frame has been received.

Closes #9861

ws: return CURLE_NOT_BUILT_IN when websockets not built in

- Change curl_ws_recv & curl_ws_send to return CURLE_NOT_BUILT_IN when
websockets support is not built in.

Prior to

ws: return CURLE_NOT_BUILT_IN when websockets not built in

- Change curl_ws_recv & curl_ws_send to return CURLE_NOT_BUILT_IN when
websockets support is not built in.

Prior to this change they returned CURLE_OK.

Closes #9851

show more ...

ws: fix buffer pointer use in the callback loop

Closes #9678

ws: minor fixes for web sockets without the CONNECT_ONLY flag

- Fixed an issue where is_in_callback was getting cleared when using web
sockets with debug logging enabled
- Ensure t

ws: minor fixes for web sockets without the CONNECT_ONLY flag

- Fixed an issue where is_in_callback was getting cleared when using web
sockets with debug logging enabled
- Ensure the handle is is_in_callback when calling out to fwrite_func
- Change the write vs. send_data decision to whether or not the handle
is in CONNECT_ONLY mode.
- Account for buflen not including the header length in curl_ws_send

Closes #9665

show more ...

ws: fix Coverity complaints

Coverity pointed out several flaws where variables remained
uninitialized after forks.

Follow-up to e3f335148adc6742728f

Closes #9666