GHA/linux, http3-linux: add CMake support, sync steps, other improvements

- use shallow clone for submodules.
- reduce total job timeout from 90/60 -> 45 minutes.
- use `$HOME` inste

GHA/linux, http3-linux: add CMake support, sync steps, other improvements

- use shallow clone for submodules.
- reduce total job timeout from 90/60 -> 45 minutes.
- use `$HOME` instead of literal.
- http3-linux: sync step yaml order with linux.yml.
- http3-linux: add cmake + ninja support like in linux.yml.
- http3-linux: dump confgure log, test config, curl -V like in linux.yml.
- http3-linux: skip restoring gnutls and wolfssl when not used.
- dump `curl_config.h`.
- fold a long line.

Closes #15242

show more ...

GHA/mac: simplify detecting SDK version bound to GCC

Previous method extracted this information from the "hack layer"
headers' copyright comments.

It turns out that the same inf

GHA/mac: simplify detecting SDK version bound to GCC

Previous method extracted this information from the "hack layer"
headers' copyright comments.

It turns out that the same information can be obtained by querying
the default SDK root via a GCC option.

According to this test run, they do match:
https://github.com/curl/curl/actions/runs/11264283159/job/31323963221?pr=15193

Closes #15241

show more ...

GHA/linux: fix mbedTLS cmake build

CMake builds mbedTLS in Debug mode by default, which was the reason
for these consistent test failures:
```
FAIL 1631: 'FTP through HTTPS-proxy

GHA/linux: fix mbedTLS cmake build

CMake builds mbedTLS in Debug mode by default, which was the reason
for these consistent test failures:
```
FAIL 1631: 'FTP through HTTPS-proxy' FTP, HTTPS-proxy
FAIL 1632: 'FTP through HTTPS-proxy, with connection reuse' FTP, HTTPS-proxy
```
Sometimes also:
```
FAIL 303: 'HTTPS with 8 secs timeout' HTTPS, HTTP GET, timeout, FAILURE
```
https://github.com/curl/curl/actions/runs/11260616621/job/31313234198

Fix it by building in `RelWithDebInfo` mode, matching the bare
`Makefile` builds used earlier. (`Release` mode also works.)

Cache sizes:
- Makefile: 10MB
- CMake Release: 1MB
- CMake RelWithDebInfo: 2.5MB

Ref: #15215
Follow-up to e377c917664241d8cccf67316b96d59a280ad8e4 #15208

Closes #15238

show more ...

packages/OS400/curlmain: remove the strncpy calls

Closes #15214

tests/server/util.c: remove use of strncpy

... and ban the function in code in this directory.

Closes #15213

tool_getparam: replace two uses of strncpy(), ban strncpy

strncpy() is rarely the right choice

Closes #15212

tests: 780 - 783, new HSTS tests

test780: verify updated HSTS data in response header

test781: HSTS update expiry, with parent includeSubDomains domain
present

test782:

tests: 780 - 783, new HSTS tests

test780: verify updated HSTS data in response header

test781: HSTS update expiry, with parent includeSubDomains domain
present

test782: HSTS update expiry, with two includeSubDomains domains present

test783: HSTS update expiry, removing includesubdomains in update

show more ...

hsts: improve subdomain handling

- on load, only replace existing HSTS entries if there is a full host
match

- on matching, prefer a full host match and secondary the longest

hsts: improve subdomain handling

- on load, only replace existing HSTS entries if there is a full host
match

- on matching, prefer a full host match and secondary the longest tail
subdomain match

Closes #15210

show more ...

multi: make curl_multi_cleanup invalidate magic latter

When a multi handle is being cleaned up, it can still cause user
callbacks to be fired. Notably Curl_cpool_destroy calls socket_cal

multi: make curl_multi_cleanup invalidate magic latter

When a multi handle is being cleaned up, it can still cause user
callbacks to be fired. Notably Curl_cpool_destroy calls socket_callback
on all pooled connections. It's still possible for the callback to call
curl_multi_assign leading to an assert.

This commit moves clearing of a multi handle magic to a point where the
multi handle stops being a valid object.

Fixes #15201
Closes #15206

show more ...

wolfssl: use old version API without openssl extra

Closes #15205

GHA: add Linux and macOS mbedTLS jobs, fix issue

- update mbedTLS repo URL.
- switch local mbedTLS build to use CMake, and Ninja.
CMake build is required to create and install mbed

GHA: add Linux and macOS mbedTLS jobs, fix issue

- update mbedTLS repo URL.
- switch local mbedTLS build to use CMake, and Ninja.
CMake build is required to create and install mbedTLS `pkg-config`
files. (as of v3.6.1)
`-DCMAKE_POSITION_INDEPENDENT_CODE=ON` required to avoid this error
when linking mbedtls to `libcurl.so`:
```
/usr/bin/ld: /home/runner/mbedtls/lib/libmbedcrypto.a(cipher.c.o): warning: relocation against `mbedtls_cipher_base_lookup_table' in read-only section `.text'
/usr/bin/ld: /home/runner/mbedtls/lib/libmbedtls.a(ssl_tls.c.o): relocation R_X86_64_PC32 against symbol `mbedtls_x509_crt_profile_suiteb' can not be used when making a shared object; recompile with -fPIC
/usr/bin/ld: final link failed: bad value
```
Ref: https://github.com/curl/curl/actions/runs/11245069259/job/31264386723#step:40:43
- make local mbedTLS build 10x smaller by omitting programs and tests.
- GHA/linux: fix cmake warning by adding `-B .` option.
- GHA/linux: add build-only cmake job for packaged mbedTLS (2.x).
- fix compiler warning when building with mbedTLS 2.x:
```
/home/runner/work/curl/curl/lib/vtls/mbedtls.c:344:1: error: ‘mbed_cipher_suite_get_str’ defined but not used [-Werror=unused-function]
344 | mbed_cipher_suite_get_str(uint16_t id, char *buf, size_t buf_size,
| ^~~~~~~~~~~~~~~~~~~~~~~~~
```
Ref: https://github.com/curl/curl/actions/runs/11244999065/job/31264168295#step:40:50

Also in preparation for #15193
Closes #15208

show more ...

GHA/windows: drop vcpkg shiftmedia-gnutls, replace with mbedtls

GnuTLS vcpkg package broken again with the latest runner image update:
https://github.com/curl/curl/actions/runs/112400113

GHA/windows: drop vcpkg shiftmedia-gnutls, replace with mbedtls

GnuTLS vcpkg package broken again with the latest runner image update:
https://github.com/curl/curl/actions/runs/11240011311/job/31248406051?pr=15203#step:5:137

Previous breakage: 09b21e4755b4cc8ff31e9126aa9caf464988551e #14864
Closes #15204

show more ...

INSTALL.md: fix a typo that slipped in to RISC OS

Also, illumos is spelled with lower case.

RELEASE-NOTES: synced

json.md: cli-option `--json` is an alias of `--data-binary`

Closes #15197

http_aws_sigv4: avoid local buffer and strcpy

This avoids the buffer, the copy and the previous host name length
limit.

Closes #15200

tftp: avoid two memcpy/strcpy

Closes #15199

telnet: avoid two strcpy() by pointing to the strings instead

Closes #15198

setopt: avoid superfluous length checks before strcmp()

Simplify the checks

Closes #15192

bearssl: avoid strpcy() when generating TLS version log message

Closes #15194

smb: replace use of strcpy() with snprintf()

Closes #15196

altsvc: avoid using local buffer and memcpy

When parsing alt-svc headers. Store and use the length of the name
separately.

Closes #15191

hsts: avoid the local buffer and memcpy on lookup

Closes #15190

configure: add GSS to `libcurl.pc` `Depends:`

GSS was the last (known) missing dependency missing from `libcurl.pc`.

Closes #15177

cmake: detect GNU GSS

Fix to set `HAVE_GSSGNU` when GNU GSS is detected.

Also set the appropriate `pkg-config` dependency and do version
detection for the GNU GSS flavour.

cmake: detect GNU GSS

Fix to set `HAVE_GSSGNU` when GNU GSS is detected.

Also set the appropriate `pkg-config` dependency and do version
detection for the GNU GSS flavour.

Tested with `pkg-config` and partly tested without. The latter case
picks up everything else but, in my env. This is likely not the last
word to implement this detection correctly for all build-cases.

GNU GSS doesn't seem to have a Homebrew formula and building
it locally needs manual tweaks to make finish successfully.

Also move a MIT-specific header detection into to MIT-specific `if`
branch.

Closes #15176

show more ...