http_aws_sigv4: handle no-value user header entries

- Handle user headers in format 'name:' and 'name;' with no value.

The former is used when the user wants to remove an internal l

http_aws_sigv4: handle no-value user header entries

- Handle user headers in format 'name:' and 'name;' with no value.

The former is used when the user wants to remove an internal libcurl
header and the latter is used when the user actually wants to send a
no-value header in the format 'name:' (note the semi-colon is converted
by libcurl to a colon).

Prior to this change the AWS header import code did not special case
either of those and the generated AWS SignedHeaders would be incorrect.

Reported-by: apparentorder@users.noreply.github.com

Ref: https://curl.se/docs/manpage.html#-H

Fixes https://github.com/curl/curl/issues/11664
Closes https://github.com/curl/curl/pull/11668

show more ...

CI: run pytest with the -v option

This lists of the test cases being run so it can be tracked over time.

Closes #11824

HTTP3: the msquic backend is not functional

I ask that we do not submit bugs for this backend just yet as we know it
does not fully work.

Closes #11831
Closes #11819

aws_sigv4: the query canon code miscounted URL encoded input

Added some extra ampersands to test 439 to verify "blank" query parts

Follow-up to fc76a24c53b08cdf

Closes #118

aws_sigv4: the query canon code miscounted URL encoded input

Added some extra ampersands to test 439 to verify "blank" query parts

Follow-up to fc76a24c53b08cdf

Closes #11829

show more ...

quic: don't set SNI if hostname is an IP address

We already do this for TLS connections.

RFC 6066 says: Literal IPv4 and IPv6 addresses are not permitted in
"HostName".

quic: don't set SNI if hostname is an IP address

We already do this for TLS connections.

RFC 6066 says: Literal IPv4 and IPv6 addresses are not permitted in
"HostName".

Ref: https://www.rfc-editor.org/rfc/rfc6066#section-3

Fixes https://github.com/curl/curl/issues/11827
Closes https://github.com/curl/curl/pull/11828

show more ...

RELEASE-NOTES: synced

configure: fix `HAVE_TIME_T_UNSIGNED` check

The syntax was incorrect (need a proper main body), and the test
condition was wrong (resulting in a signed `time_t` detected as
unsigned)

configure: fix `HAVE_TIME_T_UNSIGNED` check

The syntax was incorrect (need a proper main body), and the test
condition was wrong (resulting in a signed `time_t` detected as
unsigned).

Closes #11825

show more ...

THANKS-filter: pszlazak on github

include.d: explain headers not printed with --fail before 7.75.0

Prior to 7.75.0 response headers were not printed if -f/--fail was used
and an error was reported by server. This was fi

include.d: explain headers not printed with --fail before 7.75.0

Prior to 7.75.0 response headers were not printed if -f/--fail was used
and an error was reported by server. This was fixed in ab525c0
(precedes 7.75.0).

Closes #11822

show more ...

http_aws_sigv4: skip the op if the query pair is zero bytes

Follow-up to fc76a24c53b08cdf

Spotted by OSS-Fuzz

Bug: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=621

http_aws_sigv4: skip the op if the query pair is zero bytes

Follow-up to fc76a24c53b08cdf

Spotted by OSS-Fuzz

Bug: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=62175
Closes #11823

show more ...

cmdline-docs: use present tense, not future

+ some smaller cleanups

Closes #11821

cmdline-docs: make sure to phrase it as "added in ...."

References to things that were added or changed in a specific version
should be specified as "(added in [version]) for two reasons

cmdline-docs: make sure to phrase it as "added in ...."

References to things that were added or changed in a specific version
should be specified as "(added in [version]) for two reasons:

1 - consistency

2 - to allow gen.pl to strip them out if deemed referring to too old
versions

Closes #11821

show more ...

docs: mark --ssl-revoke-best-effort as Schannel specific

Closes https://github.com/curl/curl/pull/11760

schannel: fix ordering of cert chain info

- Use CERT_CONTEXT's pbCertEncoded to determine chain order.

CERT_CONTEXT from SECPKG_ATTR_REMOTE_CERT_CONTEXT contains
end-entity/serv

schannel: fix ordering of cert chain info

- Use CERT_CONTEXT's pbCertEncoded to determine chain order.

CERT_CONTEXT from SECPKG_ATTR_REMOTE_CERT_CONTEXT contains
end-entity/server certificate in pbCertEncoded. We can use this pointer
to determine the order of certificates when enumerating hCertStore using
CertEnumCertificatesInStore.

This change is to help ensure that the ordering of the certificate chain
requested by the user via CURLINFO_CERTINFO has the same ordering on all
versions of Windows.

Prior to this change Schannel certificate order was reversed in 8986df80
but that was later reverted in f540a39b when it was discovered that
Windows 11 22H2 does the reversal on its own.

Ref: https://github.com/curl/curl/issues/9706

Closes https://github.com/curl/curl/pull/11632

show more ...

digest: Use hostname to generate spn instead of realm

In https://www.rfc-editor.org/rfc/rfc2831#section-2.1.2

digest-uri-value should be serv-type "/" host , where host is:

digest: Use hostname to generate spn instead of realm

In https://www.rfc-editor.org/rfc/rfc2831#section-2.1.2

digest-uri-value should be serv-type "/" host , where host is:

The DNS host name or IP address for the service requested. The
DNS host name must be the fully-qualified canonical name of the
host. The DNS host name is the preferred form; see notes on server
processing of the digest-uri.

Realm may not be the host, so we must specify the host explicitly.

Note this change only affects the non-SSPI digest code. The digest code
used by SSPI builds already uses the hostname to generate the spn.

Ref: https://github.com/curl/curl/issues/11369

Closes https://github.com/curl/curl/pull/11395

show more ...

docs: remove use of the word 'very'

It is mostly superfluous. proselint would complain.

Closes #11818

curl_multi_remove_handle.3: clarify what happens with connection

Closes #11817

RELEASE-NOTES: synced

test439: verify query canonization for aws-sigv4

tool_operate: make aws-sigv4 not require TLS to be used

Maybe not used too often, but we want it for testing and it should work.

http_aws_sigv4: canonicalize the query

Percent encoding needs to be done using uppercase, and most
non-alphanumerical must be percent-encoded.

Fixes #11794
Reported-by: John

http_aws_sigv4: canonicalize the query

Percent encoding needs to be done using uppercase, and most
non-alphanumerical must be percent-encoded.

Fixes #11794
Reported-by: John Walker
Closes #11806

show more ...

lib: add ability to disable auths individually

Both with configure and cmake

Closes #11490

ngtcp2: fix handling of large requests

- requests >64K are send in parts to the filter
- fix parsing of the request to assemble it correctly
from several sends
- open a QUIC st

ngtcp2: fix handling of large requests

- requests >64K are send in parts to the filter
- fix parsing of the request to assemble it correctly
from several sends
- open a QUIC stream only when the complete request has
been collected

Closes #11815

show more ...

openssl: when CURLOPT_SSL_CTX_FUNCTION is registered, init x509 store before

- we delay loading the x509 store to shorten the handshake time.
However an application callback installed

openssl: when CURLOPT_SSL_CTX_FUNCTION is registered, init x509 store before

- we delay loading the x509 store to shorten the handshake time.
However an application callback installed via CURLOPT_SSL_CTX_FUNCTION
may need to have the store loaded and try to manipulate it.
- load the x509 store before invoking the app callback

Fixes #11800
Reported-by: guoxinvmware on github
Cloes #11805

show more ...

krb5: fix "implicit conversion loses integer precision" warnings

conversions to/from enum and unsigned chars

Closes #11814