Dockerfile: Update debian:bookworm-slim Docker digest to 903d322

Closes #14788

llist: only provide Curl_llist_tail in unit test builds

... since it is not used otherwsie. Also fix Curl_node_prev to have the
same status.

Closes #14790

GHA/linux-old: split test step into build and run

To see how much time each takes.

Closes #14791

cf-socket: fix listen pollset for FTP active mode

Follow-up to a07ba37b5e88a89bf4bcc6b0c927f7a42d7ea4f2 which did not
solve the issue of corrent polling for FTP active data connections.

cf-socket: fix listen pollset for FTP active mode

Follow-up to a07ba37b5e88a89bf4bcc6b0c927f7a42d7ea4f2 which did not
solve the issue of corrent polling for FTP active data connections.

Added test cases for active up-/download.

Closes #14786

show more ...

smb: convert superflous assign into assert

Since the value is already supposed to be correct, verify that with and
assert instead of doing an assign that is not needed.

Bonus: r

smb: convert superflous assign into assert

Since the value is already supposed to be correct, verify that with and
assert instead of doing an assign that is not needed.

Bonus: remove unnecessary clearing of data

Closes #14784

show more ...

schannel: avoid malloc for CAinfo_blob_digest

...it can just as well be part of the struct always.

Closes #14777

src: namespace symbols clashing with lib

Before this patch `lib/http.h` and `src/tool_sdecls.h` both declared
`HTTPREQ_*` enums.

Rename `src` ones to have distinct names.

src: namespace symbols clashing with lib

Before this patch `lib/http.h` and `src/tool_sdecls.h` both declared
`HTTPREQ_*` enums.

Rename `src` ones to have distinct names.

They are not included in the same code for now, but this may change when
bundling unit/libtests into single programs.

Closes #14785

show more ...

KNOWN_BUGS: cleanup

- Move all Windows unicode issues into the single "bug", as they are all
at least semi-related

- Removed ancient issues that are not relevant anymore

KNOWN_BUGS: cleanup

- Move all Windows unicode issues into the single "bug", as they are all
at least semi-related

- Removed ancient issues that are not relevant anymore

Closes #14775

show more ...

openssl: certinfo errors now fail correctly

If there is a (memory) error when creating the certinfo data, the code
would previously continue which could lead to a partial/broken response

openssl: certinfo errors now fail correctly

If there is a (memory) error when creating the certinfo data, the code
would previously continue which could lead to a partial/broken response.
Now, the first error aborts and cleans up the entire thing.

A certinfo "collection" error is however still not considered an error
big enough to stop the handshake.

Bonus 1: made two functions static (and removed the Curl_ prefix) that
were not used outside of openssl.c

Bonus 2: removed the unused function Curl_ossl_set_client_cert

Closes #14780

show more ...

lib: make SSPI global symbols use Curl_ prefix

Do not pollute the namespace.

Closes #14776

cmake: restore variable names `CURL_CA_BUNDLE_SET`/`CURL_CA_PATH_SET`

They were renamed recently as internal variables, but they are both
cached, so let's keep the original names for con

cmake: restore variable names `CURL_CA_BUNDLE_SET`/`CURL_CA_PATH_SET`

They were renamed recently as internal variables, but they are both
cached, so let's keep the original names for consistency and
compatibility.

Partial revert of c2889a7b4180fc963ae30811f59ab547b6eb03cd #14388
Tested via #14778

show more ...

docs: document the (weak) random value situation in rustls builds

Closes #14770

RELEASE-NOTES: synced

cf-socket: fix pollset for listening

When FTP does an active data connection, the socket connection
filter is instantiated with a listening socket. When the filter
adjusts its pollse

cf-socket: fix pollset for listening

When FTP does an active data connection, the socket connection
filter is instantiated with a listening socket. When the filter
adjusts its pollset, it needs to POLLIN, not OUT.

Bug: https://curl.se/mail/lib-2024-08/0023.html
Reported-by: Yoshimasa Ohno
Closes #14766

show more ...

connect: always prefer ipv6 in IP eyeballing

Always try ipv6 addresses first, ipv4 second after a delay.

If neither ipv4/6 are amongst the supplied addresses, start a happy
eyeb

connect: always prefer ipv6 in IP eyeballing

Always try ipv6 addresses first, ipv4 second after a delay.

If neither ipv4/6 are amongst the supplied addresses, start a happy
eyeballer for the first address family present. This is for AF_UNIX
connects.

Fixes #14761
Reported-by: janedenone on hackerone
Closes #14768

show more ...

KNOWN_BUGS: CURLOPT_CONNECT_TO does not work for HTTPS proxy

Closes #14481
Closes #14769

lib: use FMT_ as prefix instead of CURL_FORMAT_

For printf format defines used internally. Makes the code slighly
easier to read.

Closes #14764

openssl: fix the data race when sharing an SSL session between threads

The SSL_Session object is mutated during connection inside openssl,
and it might not be thread-safe. Besides, accor

openssl: fix the data race when sharing an SSL session between threads

The SSL_Session object is mutated during connection inside openssl,
and it might not be thread-safe. Besides, according to documentation
of openssl:

```
SSL_SESSION objects keep internal link information about the session
cache list, when being inserted into one SSL_CTX object's session
cache. One SSL_SESSION object, regardless of its reference count,
must therefore only be used with one SSL_CTX object (and the SSL
objects created from this SSL_CTX object).
```
If I understand correctly, it is not safe to share it even in a
single thread.

Instead, serialize the SSL_SESSION before adding it to the cache,
and deserialize it after retrieving it from the cache, so that no
concurrent write to the same object is infeasible.

Also
- add a ci test for thread sanitizer
- add a test for sharing ssl sessions concurrently
- avoid redefining memory functions when not building libcurl, but
including the soruce in libtest
- increase the concurrent connections limit in sws

Notice that there are fix for a global data race for openssl which
is not yet release. The fix is cherry pick for the ci test with
thread sanitizer.
https://github.com/openssl/openssl/commit/d8def79838cd0d5e7c21d217aa26edb5229f0ab4

Closes #14751

show more ...

haproxy: send though next filter

Small but, instead of sending the initial data though the connection
method, send it to the next filter in the chain. While the connection
methods ac

haproxy: send though next filter

Small but, instead of sending the initial data though the connection
method, send it to the next filter in the chain. While the connection
methods accomodates for such use, by ignoring unconnected filters, it is
better to follow the filter chain explicitly.

Closes #14756

show more ...

printf: fix mingw-w64 format checks

Change mingw-w64 printf format checks in public curl headers to use
`__MINGW_PRINTF_FORMAT` instead of `gnu_printf`. This syncs the format
checker

printf: fix mingw-w64 format checks

Change mingw-w64 printf format checks in public curl headers to use
`__MINGW_PRINTF_FORMAT` instead of `gnu_printf`. This syncs the format
checker with format string macros published via `curl/system.h`. (Also
disable format checks for mingw-w64 older than 3.0.0 (2013-09-20) and
classic-mingw, which do not support this macro.)

This fixes bogus format checker `-Wformat` warnings in 3rd party code
using curl format strings with the curl printf functions, when using
mingw-w64 7.0.0 (2019-11-10) and older (with GCC, MSVCRT).

It also allows to delete two workaounds for this within curl itself:
- setting `-D__USE_MINGW_ANSI_STDIO=1` for mingw-w64 via cmake and
configure for `docs/examples` and `tests/http/clients`.
Ref: c730c8549b5b67e7668ca5d2cd82c3cc183e125d #14640

The format check macro is incompatible (depending on mingw-w64 version
and configuration) with the C99 `%z` (`size_t`) format string used
internally by curl.

To work around this problem, override the format check style in curl
public headers to use `gnu_printf`. This is compatible with `%z` in all
mingw-w64 versions and allows keeping the C99 format strings internally.

Also:
- lib/ws.c: add missing space to an error message.
- docs/examples/ftpgetinfo.c: fix to use standard printf.

Ref: #14643 (take 1)
Follow-up to 3829759bd042c03225ae862062560f568ba1a231 #12489

Closes #14703

show more ...

cmake: default `CURL_DISABLE_LDAPS` to the value of `CURL_DISABLE_LDAP`

After this patch LDAPS is disabled by default when LDAP is manually
disabled.

This makes it unnecessary t

cmake: default `CURL_DISABLE_LDAPS` to the value of `CURL_DISABLE_LDAP`

After this patch LDAPS is disabled by default when LDAP is manually
disabled.

This makes it unnecessary to disable them in sync manually just to avoid
a `CMakeLists.txt` warning.

Syncs behavior with `./configure`.

Closes #14758

show more ...

rand: only provide weak random when needed

builds without TLS and builds using rustls

Closes #14749

lib: remove use of RANDOM_FILE

It could previously be set with configure/cmake and used in rare cases
for reading randomness: with ancient mbedTLS or rustls without
arc4random.

lib: remove use of RANDOM_FILE

It could previously be set with configure/cmake and used in rare cases
for reading randomness: with ancient mbedTLS or rustls without
arc4random.

We now get randomness in this order:

1. The TLS library's way to provide random
2. On Windows: Curl_win32_random
3. if arc4random exists, use that
4. weak non-crytographically strong pseudo-random

Closes #14749

show more ...

url: fix connection reuse for HTTP/2 upgrades

Normally, when a connection's filters have all connected, the
multiplex status is determined. However, HTTP/2 Upgrade:
requests will onl

url: fix connection reuse for HTTP/2 upgrades

Normally, when a connection's filters have all connected, the
multiplex status is determined. However, HTTP/2 Upgrade:
requests will only do this when the first server response
has been received.

The current connection reuse mechanism does not accomodate
that and when the time between connect and response is large
enough, connection reuse may not happen as desired.

See test case 2405 failures, such as in
https://github.com/curl/curl/actions/runs/10629497461/job/29467166451

Add 'conn->bits.asks_multiplex' as indicator that a connection is
still being evaluated for mulitplexing, so that new transfers
may wait on this to be cleared.

Closes #14739

show more ...

curl_easy_handler.md: fix language

Applications need to [...] if it needs -> The application needs to

Closes #14752