quiche: use quiche_conn_peer_transport_params()

In recent quiche, transport parameter API is separated
with quiche_conn_peer_transport_params().
(https://github.com/cloudflare/quiche

quiche: use quiche_conn_peer_transport_params()

In recent quiche, transport parameter API is separated
with quiche_conn_peer_transport_params().
(https://github.com/cloudflare/quiche/pull/1575)
It breaks with bulding with latest(post 0.18.0) quiche.

Closes #12180

show more ...

Makefile: generate the VC 14.20 project files at dist-time

Follow-up to 28287092cc5a6d6ef8 (#12282)

Closes #12290

misc: fix -Walloc-size warnings

GCC 14 introduces a new -Walloc-size included in -Wextra which gives:

```
src/tool_operate.c: In function ‘add_per_transfer’:
src/tool_operat

misc: fix -Walloc-size warnings

GCC 14 introduces a new -Walloc-size included in -Wextra which gives:

```
src/tool_operate.c: In function ‘add_per_transfer’:
src/tool_operate.c:213:5: warning: allocation of insufficient size ‘1’ for type ‘struct per_transfer’ with size ‘480’ [-Walloc-size]
213 | p = calloc(sizeof(struct per_transfer), 1);
| ^
src/var.c: In function ‘addvariable’:
src/var.c:361:5: warning: allocation of insufficient size ‘1’ for type ‘struct var’ with size ‘32’ [-Walloc-size]
361 | p = calloc(sizeof(struct var), 1);
| ^
```

The calloc prototype is:
```
void *calloc(size_t nmemb, size_t size);
```

So, just swap the number of members and size arguments to match the
prototype, as we're initialising 1 struct of size `sizeof(struct
...)`. GCC then sees we're not doing anything wrong.

Closes #12292

show more ...

IPFS: bugfixes

- Fixed endianness bug in gateway file parsing
- Use IPFS_PATH in tests where IPFS_DATA was used
- Fixed typos from traling -> trailing
- Fixed broken link in IPFS

IPFS: bugfixes

- Fixed endianness bug in gateway file parsing
- Use IPFS_PATH in tests where IPFS_DATA was used
- Fixed typos from traling -> trailing
- Fixed broken link in IPFS.md

Follow-up to 859e88f6533f9e

Reported-by: Michael Kaufmann
Bug: https://github.com/curl/curl/pull/12152#issuecomment-1798214137
Closes #12305

show more ...

VULN-DISCLOSURE-POLIC: remove broken link to hackerone

It should ideally soon not be done from hackerone anyway

Closes #12308

schannel: add CA cache support for files and memory blobs

- Support CA bundle and blob caching.

Cache timeout is 24 hours or can be set via CURLOPT_CA_CACHE_TIMEOUT.

Closes

schannel: add CA cache support for files and memory blobs

- Support CA bundle and blob caching.

Cache timeout is 24 hours or can be set via CURLOPT_CA_CACHE_TIMEOUT.

Closes https://github.com/curl/curl/pull/12261

show more ...

RELEASE-NOTES: synced

cmake: option to disable install & drop `curlu` target when unused

This patch makes the following changes:
- adds the option `CURL_DISABLE_INSTALL` - to disable 'install' targets.
-

cmake: option to disable install & drop `curlu` target when unused

This patch makes the following changes:
- adds the option `CURL_DISABLE_INSTALL` - to disable 'install' targets.
- Removes the target `curlu` when the option `BUILD_TESTING` is set to
`OFF` - to prevent it from being loaded in Visual Studio.

Closes #12287

show more ...

cmake: fix multiple include of CURL package

Fixes errors on second `find_package(CURL)`. This is a frequent case
with transitive dependencies:
```
CMake Error at ...:
add_l

cmake: fix multiple include of CURL package

Fixes errors on second `find_package(CURL)`. This is a frequent case
with transitive dependencies:
```
CMake Error at ...:
add_library cannot create ALIAS target "CURL::libcurl" because another
target with the same name already exists.
```

Test to reproduce:
```cmake
cmake_minimum_required(VERSION 3.27) # must be 3.18 or higher

project(curl)

set(CURL_DIR "example/lib/cmake/CURL/")
find_package(CURL CONFIG REQUIRED)
find_package(CURL CONFIG REQUIRED) # fails

add_executable(main main.c)
target_link_libraries(main CURL::libcurl)
```

Ref: https://cmake.org/cmake/help/latest/release/3.18.html#other-changes
Ref: https://cmake.org/cmake/help/v3.18/policy/CMP0107.html
Ref: #12300
Assisted-by: Harry Mallon
Closes #11913

show more ...

tidy-up: use `OPENSSL_VERSION_NUMBER`

Uniformly use `OPENSSL_VERSION_NUMBER` to check for OpenSSL version.
Before this patch some places used `OPENSSL_VERSION_MAJOR`.

Also fix `

tidy-up: use `OPENSSL_VERSION_NUMBER`

Uniformly use `OPENSSL_VERSION_NUMBER` to check for OpenSSL version.
Before this patch some places used `OPENSSL_VERSION_MAJOR`.

Also fix `lib/md4.c`, which included `opensslconf.h`, but that doesn't
define any version number in these implementations: BoringSSL, AWS-LC,
LibreSSL, wolfSSL. (Only in mainline OpenSSL/quictls). Switch that to
`opensslv.h`. This wasn't causing a deeper problem because the code is
looking for v3, which is only provided by OpenSSL/quictls as of now.

According to https://github.com/openssl/openssl/issues/17517, the macro
`OPENSSL_VERSION_NUMBER` is safe to use and not deprecated.

Reviewed-by: Marcel Raad
Closes #12298

show more ...

resolve.d: drop a multi use-sentence

Since the `multi:` keyword adds that message.

Reported-by: 積丹尼 Dan Jacobson
Fixes https://github.com/curl/curl/discussions/12294
Closes

resolve.d: drop a multi use-sentence

Since the `multi:` keyword adds that message.

Reported-by: 積丹尼 Dan Jacobson
Fixes https://github.com/curl/curl/discussions/12294
Closes #12295

show more ...

content_encoding: make Curl_all_content_encodings allocless

- Fixes a memory leak pointed out by Coverity
- Also found by OSS-Fuzz: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=

content_encoding: make Curl_all_content_encodings allocless

- Fixes a memory leak pointed out by Coverity
- Also found by OSS-Fuzz: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=63947
- Avoids unncessary allocations

Follow-up ad051e1cbec68b2456a22661b

Closes #12289

show more ...

vtls: use ALPN "http/1.1" for HTTP/1.x, including HTTP/1.0

Some servers don't support the ALPN protocol "http/1.0" (e.g. IIS 10),
avoid it and use "http/1.1" instead.

This rever

vtls: use ALPN "http/1.1" for HTTP/1.x, including HTTP/1.0

Some servers don't support the ALPN protocol "http/1.0" (e.g. IIS 10),
avoid it and use "http/1.1" instead.

This reverts commit df856cb5c9 (#10183).

Fixes #12259
Closes #12285

show more ...

Makefile.am: drop vc10, vc11 and vc12 projects from dist

They are end of life products. Support for generating them remain in the
repo for a while but this change drops them from distrib

Makefile.am: drop vc10, vc11 and vc12 projects from dist

They are end of life products. Support for generating them remain in the
repo for a while but this change drops them from distribution.

Closes #12288

show more ...

projects: add VC14.20 project files

Windows projects included VC14, VC14.10, VC14.30 but not VC14.20.
OpenSSL and Wolf SSL scripts mention VC14.20 so I don't see a reason why
this is

projects: add VC14.20 project files

Windows projects included VC14, VC14.10, VC14.30 but not VC14.20.
OpenSSL and Wolf SSL scripts mention VC14.20 so I don't see a reason why
this is missing. Updated the templates to produce a VC14.20 project.
Project opens in Visual Studio 2019 as expected.

Closes #12282

show more ...

curl: move IPFS code into src/tool_ipfs.[ch]

- convert ensure_trailing into ensure_trailing_slash
- strdup the URL string to own it proper
- use shorter variable names
- combine

curl: move IPFS code into src/tool_ipfs.[ch]

- convert ensure_trailing into ensure_trailing_slash
- strdup the URL string to own it proper
- use shorter variable names
- combine some expressions
- simplify error handling in ipfs_gateway()
- add MAX_GATEWAY_URL_LEN + proper bailout if maximum is reached
- ipfs-gateway.d polish and simplification
- shorten ipfs error message + make them "synthetic"

Closes #12281

show more ...

build: delete support bits for obsolete Windows compilers

- Pelles C: Unclear status, failed to obtain a fresh copy a few months
ago. Possible website is HTTP-only. ~10 years ago I lef

build: delete support bits for obsolete Windows compilers

- Pelles C: Unclear status, failed to obtain a fresh copy a few months
ago. Possible website is HTTP-only. ~10 years ago I left this compiler
dealing with crashes and other issues with no response on the forum
for years. It has seen some activity in curl back in 2021.
- LCC: Last stable release in September 2002.
- Salford C: Misses winsock2 support, possibly abandoned? Last mentioned
in 2006.
- Borland C++: We dropped Borland C++ support in 2018.
- MS Visual C++ 6.0: Released in 1998. curl already requires VS 2010
(or possibly 2008) as a minimum.

Closes #12222

show more ...

build: delete `HAVE_STDINT_H` and `HAVE_INTTYPES_H`

We use `stdint.h` unconditionally in all places except one. These uses
are imposed by external dependencies / features. nghttp2, quic,

build: delete `HAVE_STDINT_H` and `HAVE_INTTYPES_H`

We use `stdint.h` unconditionally in all places except one. These uses
are imposed by external dependencies / features. nghttp2, quic, wolfSSL
and `HAVE_MACH_ABSOLUTE_TIME` do require this C99 header. It means that
any of these features make curl require a C99 compiler. (In case of
MSVC, this means Visual Studio 2010 or newer.)

This patch changes the single use of `stdint.h` guarded by
`HAVE_STDINT_H` to use `stdint.h` unconditionally. Also stop using
`inttypes.h` as an alternative there. `HAVE_INTTYPES_H` wasn't used
anywhere else, allowing to delete this feature check as well.

Closes #12275

show more ...

tool_operate: do not mix memory models

Make sure 'inputpath' only points to memory allocated by libcurl so that
curl_free works correctly.

Pointed out by Coverity

Follo

tool_operate: do not mix memory models

Make sure 'inputpath' only points to memory allocated by libcurl so that
curl_free works correctly.

Pointed out by Coverity

Follow-up to 859e88f6533f9e1f890

Closes #12280

show more ...

lib: client writer, part 2, accounting + logging

This PR has these changes:

Renaming of unencode_* to cwriter, e.g. client writers
- documentation of sendf.h functions
- mov

lib: client writer, part 2, accounting + logging

This PR has these changes:

Renaming of unencode_* to cwriter, e.g. client writers
- documentation of sendf.h functions
- move max decode stack checks back to content_encoding.c
- define writer phase which was used as order before
- introduce phases for monitoring inbetween decode phases
- offering default implementations for init/write/close

Add type paramter to client writer's do_write()
- always pass all writes through the writer stack
- writers who only care about BODY data will pass other writes unchanged

add RAW and PROTOCOL client writers
- RAW used for Curl_debug() logging of CURLINFO_DATA_IN
- PROTOCOL used for updates to data->req.bytecount, max_filesize checks and
Curl_pgrsSetDownloadCounter()
- remove all updates of data->req.bytecount and calls to
Curl_pgrsSetDownloadCounter() and Curl_debug() from other code
- adjust test457 expected output to no longer see the excess write

Closes #12184

show more ...

VULN-DISCLOSURE-POLICY: escape sequences are not a security flaw

Closes #12278

rand: fix build error with autotools + LibreSSL

autotools unexpectedly detects `arc4random` because it is also looking
into dependency libs. One dependency, LibreSSL, happens to publish

rand: fix build error with autotools + LibreSSL

autotools unexpectedly detects `arc4random` because it is also looking
into dependency libs. One dependency, LibreSSL, happens to publish an
`arc4random` function (via its shared lib before v3.7, also via static
lib as of v3.8.2). When trying to use this function in `lib/rand.c`,
its protoype is missing. To fix that, curl included a prototype, but
that used a C99 type without including `stdint.h`, causing:

```
../../lib/rand.c:37:1: error: unknown type name 'uint32_t'
37 | uint32_t arc4random(void);
| ^
1 error generated.
```

This patch improves this by dropping the local prototype and instead
limiting `arc4random` use for non-OpenSSL builds. OpenSSL builds provide
their own random source anyway.

The better fix would be to teach autotools to not link dependency libs
while detecting `arc4random`.

LibreSSL publishing a non-namespaced `arc4random` tracked here:
https://github.com/libressl/portable/issues/928

Regression from 755ddbe901cd0c921fbc3ac5b3775c0dc683bc73 #10672

Reviewed-by: Daniel Stenberg
Fixes #12257
Closes #12274

show more ...

RELEASE-NOTES: synced

strdup: do Curl_strndup without strncpy

To avoid (false positive) gcc-13 compiler warnings.

Follow-up to 4855debd8a2c1cb

Assisted-by: Jay Satiro
Reported-by: Viktor Sza

strdup: do Curl_strndup without strncpy

To avoid (false positive) gcc-13 compiler warnings.

Follow-up to 4855debd8a2c1cb

Assisted-by: Jay Satiro
Reported-by: Viktor Szakats
Fixes #12258

show more ...

HTTP: fix empty-body warning

This change fixes a compiler warning with gcc-12.2.0 when
`-DCURL_DISABLE_BEARER_AUTH=ON` is used.

/home/tox/src/curl/lib/http.c: In function 'C

HTTP: fix empty-body warning

This change fixes a compiler warning with gcc-12.2.0 when
`-DCURL_DISABLE_BEARER_AUTH=ON` is used.

/home/tox/src/curl/lib/http.c: In function 'Curl_http_input_auth':
/home/tox/src/curl/lib/http.c:1147:12: warning: suggest braces around empty body in an 'else' statement [-Wempty-body]
1147 | ;
| ^

Closes #12262

show more ...