GHA: source mbedTLS from official tarball

Instead of the Git repo tag which requires downloading the tip of
a dependency repository at the time of bumping version:
https://github.com

GHA: source mbedTLS from official tarball

Instead of the Git repo tag which requires downloading the tip of
a dependency repository at the time of bumping version:
https://github.com/Mbed-TLS/mbedtls-framework

The official source tarball ships with this dependency, making
the CI builds reproducible.

Also: fold long download commands for other dependencies.

Closes #15632

show more ...

GHA: speed up 3 openssl/quictls builds 3x

Build in parallel first, then install with `-j1`. This makes the build
part 3x quicker, while avoiding parallellism issues at the install
ph

GHA: speed up 3 openssl/quictls builds 3x

Build in parallel first, then install with `-j1`. This makes the build
part 3x quicker, while avoiding parallellism issues at the install
phase.

```
before after after
1da198d this
aws-lc: 1m55s ~40s
libressl: 1m16s ~1m20s
openssl-tsan: 5m47s 3m43s 1m48s (clang)
openssl: 6m38s 4m49s 2m13s (quic)
quictls-no-deprecated: 2m28s 1m51s
quictls: ~6m08s 4m16s 1m55s
wolfssl-all: 1m36s 52s
wolfssl-master: 1m34s 53s
wolfssl-opensslextra: 50s 32s
```

Follow-up to 1da198d18e495c08adb5691459da0b5fcfc7f160 #15622

Closes #15630

show more ...

GHA: disable building tests, apps, docs in dependencies

Also:
- for LibreSSL download the official source tarball instead of
using the tagged Git repo and running the build script

GHA: disable building tests, apps, docs in dependencies

Also:
- for LibreSSL download the official source tarball instead of
using the tagged Git repo and running the build script which
merged the OpenBSD libressl repo into it. The latter method
was also broken at the time of this commit.

Build times:
```
before after
aws-lc: 1m55s ~40s
libressl: 1m16s ~1m20s
openssl-tsan: 5m47s 3m43s
openssl: 6m38s 4m49s
quictls-no-deprecated: 2m28s 1m51s
quictls: ~6m08s 4m16s
wolfssl-all: 1m36s 52s
wolfssl-master: 1m34s 53s
wolfssl-opensslextra: 50s 32s
```

LibreSSL build options are unchanged, but by using the tarball now
instead of two repos and a generator script, it also should be faster,
and more stable.

Closes #15622

show more ...

cmake: include `wolfssl/options.h` first

It was missing while detecting `wolfSSL_DES_ecb_encrypt`,
`wolfSSL_BIO_new` and `wolfSSL_BIO_set_shutdown`.

We have not seen it causing

cmake: include `wolfssl/options.h` first

It was missing while detecting `wolfSSL_DES_ecb_encrypt`,
`wolfSSL_BIO_new` and `wolfSSL_BIO_set_shutdown`.

We have not seen it causing issues in stable wolfSSL releases as of
v5.7.4, until a recent commit in wolfSSL master, which broke detections:
```
curl/CMakeFiles/CMakeScratch//CheckSymbolExists.c:8:19: error: ‘wolfSSL_BIO_new’ undeclared (first use in this function); did you mean ‘wolfSSL_CTX_new’?
curl/CMakeFiles/CMakeScratch//CheckSymbolExists.c:8:19: error: ‘wolfSSL_BIO_set_shutdown’ undeclared (first use in this function); did you mean ‘wolfSSL_set_shutdown’?
```
This in turn disabled `HTTPS-proxy` and failed related pytests:
https://github.com/curl/curl/actions/runs/11953800545/job/33324250039?pr=15620

wolfSSL source diff causing the regression:
https://github.com/wolfSSL/wolfSSL/compare/be70bea687526a51e3d751d425bbaaa412b451ee..c06f65a8ace311667d9b9d7fd320b6b25f8b1bf8

The wolfSSL build says:
```
Note: Make sure your application includes "wolfssl/options.h" before any other wolfSSL headers.
You can define "WOLFSSL_USE_OPTIONS_H" in your application to include this automatically.
```

This patch makes sure to follow this rule across the curl codebase.

Also:
- include `wolfssl/options.h` first in `lib/vtls/wolfssl.c`.
It was preceded by `wolfssl/version.h`, which did not cause issues.
Background for the pre-existing include order:
Ref: deb9462ff2de8e955c67ed441f5f48619a31198d #3903
Ref: https://curl.se/mail/lib-2015-04/0069.html

Bug: https://github.com/curl/curl/pull/15620#issuecomment-2491872463
Follow-up to d68a121266671c806b5065c2fdce52d292bf7830 #14064

Closes #15623

show more ...

schannel: remove TLS 1.3 ciphersuite-list support

Drop TLS 1.3 ciphersuite-list support from SChannel because of the
number of bugs in SChannel itself (a closed-source TLS library). TLS

schannel: remove TLS 1.3 ciphersuite-list support

Drop TLS 1.3 ciphersuite-list support from SChannel because of the
number of bugs in SChannel itself (a closed-source TLS library). TLS 1.3
with SChannel still works, however the ciphersuite negotiation is left
entirely to SChannel.

Bug: https://hackerone.com/reports/2792484
Reported-by: newfunction on hackerone

Fixes https://github.com/curl/curl/issues/15482
Closes https://github.com/curl/curl/pull/15621

show more ...

cmake: do not echo most inherited `LDFLAGS` to config files

Sync with autotools and filter out most linker flags inherited via
`CMAKE_SHARED_LINKER_FLAGS` (that includes `LDFLAGS` env) b

cmake: do not echo most inherited `LDFLAGS` to config files

Sync with autotools and filter out most linker flags inherited via
`CMAKE_SHARED_LINKER_FLAGS` (that includes `LDFLAGS` env) before
echoing them in `libcurl.pc` `Libs.private` and `curl-config`
`--static-libs`.

Keep inheriting `-l`, `-L`, `-F`, `--library-path=`, `-framework`
options.

Follow-up to e244d50064a56723c2ba4f0df8c847d6b70de0cb #15550
Follow-up to 9f56bb608ecfbb8978c6cb72a04d9e8b23162d82 #14681
Follow-up to 8ed66f98a954cfce92f770adeb2320deb1ea700e

Closes #15617

show more ...

curl_multi_socket_all.md: soften the deprecation warning

- Instead of saying "do not use", explain that the function was
deprecated for performance reasons.

Some users may hav

curl_multi_socket_all.md: soften the deprecation warning

- Instead of saying "do not use", explain that the function was
deprecated for performance reasons.

Some users may have a legitimate use of this function even though we
deprecated it. Since there are no plans to remove it from the API get
rid of the "do not use" warning.

Bug: https://curl.se/mail/lib-2024-11/0029.html
Reported-by: Jacob Champion

Closes https://github.com/curl/curl/pull/15576

show more ...

docs: document default `User-Agent`

curl offers a `--user-agent` option for modifying the `User-Agent`
header supplied in its requests.

The man page section for this option expl

docs: document default `User-Agent`

curl offers a `--user-agent` option for modifying the `User-Agent`
header supplied in its requests.

The man page section for this option explains how to use the
`--user-agent` option, but does not explain which `User-Agent` curl uses
by default.

By default, curl uses curl/VERSION, such as `User-Agent: curl/8.11.0`.

Note that this appears to be different from the libcurl default (no
User-Agent header).

This commit documents the default `User-Agent` in the man page section
for the `--user-agent` option, as well as on the "Art of Scripting"
page.

The `%VERSION` placeholder will be used to insert the current version
as described in the man page generator docs.

Closes #15608

show more ...

show-headers.md: clarify the headers are saved with the data

Fixes #15605
Reported-by: tkzv on github
Closes #15606

GHA/macos: enable ECH in wolfSSL jobs

Homebrew wolfSSL builds recently enabled all features.
It allows to enable ECH in curl for these jobs.

https://github.com/Homebrew/homebrew

GHA/macos: enable ECH in wolfSSL jobs

Homebrew wolfSSL builds recently enabled all features.
It allows to enable ECH in curl for these jobs.

https://github.com/Homebrew/homebrew-core/commit/97d1ed6e6db63071853f0d0c5b3b02cb22983be9
https://github.com/Homebrew/homebrew-core/pull/191561

Closes #15607

show more ...

RELEASE-NOTES: synced

multi: add clarifying comment for wakeup_write()

Coverity raised it as a "suspicious sizeof".

Closes #15600

netrc: fix pointer to bool conversion

with MSVC 2008 and 2010:
```
lib/netrc.c(107): error C2440: 'initializing' : cannot convert from 'char *' to 'bool'
```
Ref: https://ci.

netrc: fix pointer to bool conversion

with MSVC 2008 and 2010:
```
lib/netrc.c(107): error C2440: 'initializing' : cannot convert from 'char *' to 'bool'
```
Ref: https://ci.appveyor.com/project/curlorg/curl/builds/51002792/job/jtoxd4mk984oi6fd#L164
Ref: https://ci.appveyor.com/project/curlorg/curl/builds/51002792/job/0wxlw9a8g04e56vt#L177

Follow-up to e9b9bbac22c26cf67316fa8e6c6b9e831af31949 #15586
Closes #15601

show more ...

socket: handle binding to "host!<ip>"

Regression since 3060557af702d (shipped in 8.9.0)

Fixes #15553
Reported-by: marcos-ng on github
Closes #15583

netrc: address several netrc parser flaws

- make sure that a match that returns a username also returns a
password, that should be blank if no password is found

- fix handling

netrc: address several netrc parser flaws

- make sure that a match that returns a username also returns a
password, that should be blank if no password is found

- fix handling of multiple logins for same host where the password/login
order might be reversed.

- reject credentials provided in the .netrc if they contain ASCII control
codes - if the used protocol does not support such (like HTTP and WS do)

Reported-by: Harry Sintonen

Add test 478, 479 and 480 to verify. Updated unit 1304.

Closes #15586

show more ...

GHA/linux: enable ECH in wolfSSL jobs

wolfSSL `--enable-all` builds support ECH. Enable it for 3 jobs using
such builds.

Also:
- GHA/windows: drop ECH from the job name.

GHA/linux: enable ECH in wolfSSL jobs

wolfSSL `--enable-all` builds support ECH. Enable it for 3 jobs using
such builds.

Also:
- GHA/windows: drop ECH from the job name.

Closes #15598

show more ...

curl.h: mark two error codes as obsolete

Not used by libcurl since many years

Closes #15538

CI: update dependencies

- debian:bookworm-slim Docker digest to c00d13c
- github/codeql-action digest to ea9e4e3
- fsfe/reuse-action action to v5
- awslabs/aws-lc to v1.39.0

CI: update dependencies

- debian:bookworm-slim Docker digest to c00d13c
- github/codeql-action digest to ea9e4e3
- fsfe/reuse-action action to v5
- awslabs/aws-lc to v1.39.0

Closes #15555
Closes #15556
Closes #15579
Closes #15594

show more ...

GHA/windows: enable GSS-API in an MSVC job

Ref: #15545
Ref: #15564
Ref: #15585

Closes #15549

krb5: fix socket/sockindex confusion, MSVC compiler warnings

- fix socket/sockindex confusion on writes:

The callstack used to end with `Curl_write_plain()` accepting a socket

krb5: fix socket/sockindex confusion, MSVC compiler warnings

- fix socket/sockindex confusion on writes:

The callstack used to end with `Curl_write_plain()` accepting a socket
till 7.87.0. This call got swapped for `Curl_conn_send()`, expecting
a sockindex. `socket_write()` was updated accordingly. Its callers
missed it and continued operating on sockets: `do_sec_send()`,
`sec_write()`, passing it down the stack and `Curl_conn_send()`
resolving it as if it were a sockindex.
It affected FTP Kerberos authentication.

Discovered through MSVC warnings:
```
curl\lib\krb5.c(652,28): warning C4244: 'function': conversion from 'curl_socket_t' to 'int', possible loss of data
curl\lib\krb5.c(654,28): warning C4244: 'function': conversion from 'curl_socket_t' to 'int', possible loss of data
curl\lib\krb5.c(656,26): warning C4244: 'function': conversion from 'curl_socket_t' to 'int', possible loss of data
curl\lib\krb5.c(657,26): warning C4244: 'function': conversion from 'curl_socket_t' to 'int', possible loss of data
curl\lib\krb5.c(665,24): warning C4244: 'function': conversion from 'curl_socket_t' to 'int', possible loss of data
curl\lib\krb5.c(666,24): warning C4244: 'function': conversion from 'curl_socket_t' to 'int', possible loss of data
```
Ref: https://github.com/curl/curl/actions/runs/11846599621/job/33014592805#step:9:32

Follow-up to 5651a36d1ae46db61a31771a8d4d6dcf2a510856 #10280
Bug: https://github.com/curl/curl/pull/15549#issuecomment-2474154067
Fixes #15582

- fix uninitialized buffer:
```
curl\lib\krb5.c(288,1): warning C4701: potentially uninitialized local variable '_gssresp' used
```
Ref: https://github.com/curl/curl/actions/runs/11848626645/job/33020501026?pr=15585#step:9:31

- silence unreachable code compiler warning:
```
curl\lib\krb5.c(370,1): warning C4702: unreachable code
```
Ref: https://github.com/curl/curl/actions/runs/11848626645/job/33020501026?pr=15585#step:9:30

Closes #15585

show more ...

CURLOPT_PREREQFUNCTION.md: add result code on failure

Closes #15542

Rename struct var to fix AIX build

Fixing issue #15580 by renaming struct var to tool_var to avoid conflict
with the same structure name defined in AIX system headers.

Fixes #15

Rename struct var to fix AIX build

Fixing issue #15580 by renaming struct var to tool_var to avoid conflict
with the same structure name defined in AIX system headers.

Fixes #15580
Closes #15581

show more ...

tidy-up: indentation [ci skip]

configure: replace `$#` shell syntax

With a more portable alternative.

Fixes (seen on macOS):
```
../configure: line 47131: 1: command not found
```
Ref: https://git

configure: replace `$#` shell syntax

With a more portable alternative.

Fixes (seen on macOS):
```
../configure: line 47131: 1: command not found
```
Ref: https://github.com/curl/curl/actions/runs/11846071276/job/33012894013#step:7:635

Follow-up to e244d50064a56723c2ba4f0df8c847d6b70de0cb #15550
Closes #15584

show more ...

cmake: restore cmake args list in `buildinfo.txt`

This feature was recently dropped because of a bad side-effect of
silencing unused cmake command-line option warnings.

Fix this

cmake: restore cmake args list in `buildinfo.txt`

This feature was recently dropped because of a bad side-effect of
silencing unused cmake command-line option warnings.

Fix this issue by retrieving variable values using `get_property()`,
instead of accessing the variables directly. It allows restoring
this feature without the bad side-effect.

Also limit the logic to CI runs.

Follow-up to 96edb5f611c9e54da1ae824d9dc0e219619c24c0 #15501
Closes #15563

show more ...