4a25812e | 05-Jun-2024 |
Daniel Stenberg |
RELEASE-NOTES: synced |
937ba94e | 04-Jun-2024 |
Stefan Eissing |
vtls: new io_need flags for poll handling - decouple need to recv/send from negotiation state, we need this later in shutdown handling as well - move ssl enums from urldata.h to vtls_int.h - implement use of `connssl->io_need` in vtls.c. and all backends Closes #13879
|
f75aa285 | 05-Jun-2024 |
Daniel Stenberg |
cfilters: make Curl_conn_connect always assign 'done' It could return error without assigning it, and we have a caller in multi.c that assumes it gets set. Spotted by CodeSonar Closes #13884
|
1313da9a | 05-Jun-2024 |
Daniel Stenberg |
CURLOPT_INTERFACE.md: quote the less-than and larger-than Fixes the warnings shown on stderr. Follow-up from 3060557af702dd5 Closes #13883 |
68680ba5 | 04-Jun-2024 |
Daniel Stenberg |
cmdline-opts/interface.md: expand the documentation Explain the syntax it supports. Closes #13882 |
b049388d | 04-Jun-2024 |
Daniel Stenberg |
url: allow DoH transfers to override max connection limit When reaching the set maximum limit of allowed connections, allow a new connection anyway if the transfer is created for the (internal) purpose of doing a DoH name resolve. Otherwise, unrelated "normal" transfers can starve out new DoH requests making it impossible to name resolve for new transfers. Bug: https://curl.se/mail/lib-2024-06/0001.html Reported-by: kartatz Closes #13880
|
998b17ea | 03-Jun-2024 |
Viktor Szakats |
windows: fix UWP builds, add GHA job Add new job to test building for UWP (aka `CURL_WINDOWS_APP`). Fix fallouts when building for UWP: - rand: do not use `BCryptGenRandom()`. - cmake: disable using win32 LDAP. - cmake: disable telnet. - version_win32: fix code before declaration. - schannel: disable `HAS_MANUAL_VERIFY_API`. - schannel: disable `SSLSUPP_PINNEDPUBKEY` and make `schannel_checksum()` a stub. Ref: e178fbd40a896f2098278ae61e1166c88e7b31d0 #1429 - schannel: make `cert_get_name_string()` a failing stub. - system_win32: make `Curl_win32_impersonating()` a failing stub. - system_win32: try to fix `Curl_win32_init()` (untested). - threads: fix to use `CreateThread()`. - src: disable searching `PATH` for the CA bundle. - src: disable bold text support and capability detection. - src: disable `getfiletime()`/`setfiletime()`. - tests: make `win32_load_system_library()` a failing stub. - tests/server/util: make it compile. - tests/server/sockfilt: make it compile. - tests/lib3026: fix to use `CreateThread()`. See individual commits for build error details. Some of these fixes may have better solutions, and some may not work as expected. The goal of this patch is to make curl build for UWP. Closes #13870
|
3060557a | 17-May-2024 |
Orgad Shaneh |
socket: support binding to interface *AND* IP Introduce new notation for CURLOPT_INTERFACE / --interface: ifhost!<interface>!<host> Binding to an interface doesn't set the address, and an interface can have multiple addresses. When binding to an address (without interface), the kernel is free to choose the route, and it can route through any device that can access the target address, not necessarily the one with the chosen address. Moreover, it is possible for different interfaces to have the same IP address, in which case we need to provide a way to be more specific. Factor out the parsing part of interface option, and add unit tests: 1663. Closes #13719
|
23fe1a52 | 01-Jun-2024 |
Andy Pan |
socketpair: add `eventfd` and use `SOCK_NONBLOCK` for `socketpair()` Currently, we use `pipe` for `wakeup_create`, which requires ***two*** file descriptors. Furthermore, given its complexity inside, `pipe` is a bit heavyweight for just a simple event wait/notify mechanism. `eventfd` would be a more suitable solution for this kind of scenario, kernel also advocates for developers to use `eventfd` instead of `pipe` in some simple use cases: Applications can use an eventfd file descriptor instead of a pipe (see pipe(2)) in all cases where a pipe is used simply to signal events. The kernel overhead of an eventfd file descriptor is much lower than that of a pipe, and only one file descriptor is required (versus the two required for a pipe). This change adds the new backend of `eventfd` for `wakeup_create` and uses it where available, eliminating the overhead of `pipe`. Also, it optimizes the `wakeup_create` to eliminate the system calls that make file descriptors non-blocking by moving the logic of setting non-blocking flags on file descriptors to `socketpair.c` and using `SOCK_NONBLOCK` for `socketpair(2)`, `EFD_NONBLOCK` for `eventfd(2)`. Ref: https://man7.org/linux/man-pages/man7/pipe.7.html https://man7.org/linux/man-pages/man2/eventfd.2.html https://man7.org/linux/man-pages/man2/socketpair.2.html https://www.gnu.org/software/gnulib/manual/html_node/eventfd.html Closes #13874
|
b71916b8 | 04-Jun-2024 |
renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> |
ci: update github/codeql-action digest to 2e230e8 Closes #13881 |
fd2315e5 | 01-Jun-2024 |
Jay Satiro |
examples/threaded-ssl: remove locking callback code - Remove the locking callback code that demonstrates how to meet requirements of threading libraries (mainly OpenSSL). Locking callback code has not been needed for many years. According to the documentation for OpenSSL and GnuTLS they are thread-safe by design, assuming support for the underlying OS threading API is built-in. Ref: https://github.com/curl/curl/pull/13850#issuecomment-2143538458 Closes https://github.com/curl/curl/pull/13851
|
75f182ff | 04-Jun-2024 |
Viktor Szakats |
tests: delete redundant `!MSDOS` guard This fix was supposed to be committed earlier, but ended up missing from the final commit. Follow-up to e9a7d4a1c8377dbcf9a2d94365f60e3e5dff48f8 #12376 Closes #13878
|
83384669 | 04-Jun-2024 |
Viktor Szakats |
lib: fix thread entry point to return `DWORD` on WinCE We already do this in `tests/server/util.c`: https://github.com/curl/curl/blob/97e5e37cc8269660bc5d4a1936f10f2390b97c5a/tests/server/util.c#L604-L606 and in `sockfilt.c`, `lib3026.c`. Before this patch it returned `unsigned int`. Closes #13877
|
3392f0f9 | 02-Jun-2024 |
Andy Pan |
socket: use SOCK_NONBLOCK to eliminate extra system call Every time function `cf_socket_open()` is called to create a socket, `curlx_nonblock()` is called to make that socket non-blocking. And `curlx_nonblock()` will cost us 1 or 2 system calls (2 for `fcntl()`, 1 for `ioctl()`, etc.), meanwhile, tucking `SOCK_NONBLOCK` and `SOCK_CLOEXEC` into the `type` argument for `socket()` is widely supported across UNIX-like OS: Linux, *BSD, Solaris, etc. With that ability, we can save 1 or 2 system calls on each socket. Another change in this PR is to eliminate the redundant `curlx_nonblock()` call on the socket in `cf_udp_setup_quic()` as that socket created by `cf_socket_open()` is already non-blocking. Ref: https://man7.org/linux/man-pages/man2/socket.2.html https://man.freebsd.org/cgi/man.cgi?socket(2) https://man.dragonflybsd.org/?command=socket&section=2 https://man.netbsd.org/socket.2 https://man.openbsd.org/socket https://docs.oracle.com/cd/E88353_01/html/E37843/socket-3c.html https://illumos.org/man/3SOCKET/socket ... Closes #13855
|
97e5e37c | 04-Jun-2024 |
Viktor Szakats |
GHA: show cmake error log in Windows and non-native workflows CMake configure doesn't fail often, but when it does, it helps to see its `CMakeFiles/CMakeConfigureLog.yaml` output. This file is present since CMake v3.26: https://cmake.org/cmake/help/v3.26/manual/cmake-configure-log.7.html (Older CMake versions save similar content to `CMakeFiles\CMakeOutput.log` and `CMakeFiles\CMakeError.log`. This patch doesn't deal with that because the workflows touched are all running a newer CMake.) After this patch, we dump the content if cmake fails. Syncing this with autotools, where we already did that. Closes #13872
|
23640dcf | 04-Jun-2024 |
Viktor Szakats |
GHA: switch a Windows job to UCRT (gcc) Cherry-picked from #13870 |
dada6736 | 04-Jun-2024 |
Viktor Szakats |
curl-config: revert to backticks to support old target envs Make an exception for `curl-config` because this script may be running on any target system, including old ones, e.g. SunOS 5.10. Reported-by: Alejandro R. Sedeño Ref: https://github.com/curl/curl/pull/13307#issuecomment-2146427358 Follow-up to fa69b41c7790fab86fd363242c81d8ef2e89e183 #13307 Closes #13871
|
5f9017d4 | 31-May-2024 |
Stefan Eissing |
mbedtls: v3.6.0 workarounds - add special sauce to disable unwanted peer verification by mbedtls when negotiating TLS v1.3 - add special sauce for MBEDTLS_ERR_SSL_RECEIVED_NEW_SESSION_TICKET return code on *writing* TLS data. We assume the data had not been written and EAGAIN. - return correct Curl error code when peer verification failed. - disable test_08_05 with 50 HTTP/1.1 connections, as mbedtls reports a memory allocation failed during handshake. - bump CI mbedtls version to 3.6.0 Fixes #13653 Closes #13838
|
5dd8f13b | 27-May-2024 |
Stefan Eissing |
gnutls: support CA caching - similar to openssl, use a shared 'credentials' instance among TLS connections with a plain configuration. - different to openssl, a connection with a client certificate is not eligible to sharing. - document CURLOPT_CA_CACHE_TIMEOUT in man page Closes #13795
|
4a7bb40d | 04-Jun-2024 |
Dan Fandrich |
tests: don't log buffer length in throwing away message It's not available at that point, and it will be written in the non-error case right afterward. |
bc21c505 | 03-Jun-2024 |
Dan Fandrich |
tests: log "Throwing away" messages before throwing away In case the read that follows hangs we'll get a clue as to what it was doing. |
5b35dea6 | 31-May-2024 |
Dan Fandrich |
CI: reduce memory request for FreeBSD builds Also, add a comment with link to the Cirrus credit page since it's not easy to find otherwise. |
f51fa8f1 | 03-Jun-2024 |
Andy Pan |
tcpkeepalive: support setting TCP keep-alive parameters on Solaris <11.4 Solaris didn't support TCP_KEEPIDLE and TCP_KEEPINTVL until 11.4, before that it uses TCP_KEEPALIVE_THRESHOLD and TCP_KEEPALIVE_ABORT_THRESHOLD as the substitute. Therefore, for Solaris <11.4 we need to use this substitute for setting TCP keep-alive parameters. Ref: https://docs.oracle.com/cd/E86824_01/html/E54777/tcp-7p.html https://docs.oracle.com/cd/E88353_01/html/E37851/tcp-4p.html Closes #13864
|
4edbd522 | 03-Jun-2024 |
Daniel Stenberg |
KNOWN_BUGS: quiche: QUIC connection is draining Closes #12037 Closes #13867 |
8e5c5c17 | 03-Jun-2024 |
Daniel Stenberg |
KNOWN_BUGS: aws-sigv4 has problems with particular URLs Closes #13058 Closes #13866 |