cmake: sync up formatting in Find modules

- lowercase internal variable names (FindGSS)
- comments
- whitespace

Closes #14527

runtests: log ignored but passed tests

List tests explicitly ignored, but passing. It can be useful to catch
ignore rules that are no longer necessary because the tests are not
faili

runtests: log ignored but passed tests

List tests explicitly ignored, but passing. It can be useful to catch
ignore rules that are no longer necessary because the tests are not
failing anymore.

To not clutter the default view, hide this information under a GitHub
Actions foldable group.

Closes #14457

show more ...

GHA/macos: disable AppleIDN for autotools in combinations jobs

Without libidn2, AppleIDN gets enabled by default in autotools.

To remain minimal and match cmake.

Follow-up

GHA/macos: disable AppleIDN for autotools in combinations jobs

Without libidn2, AppleIDN gets enabled by default in autotools.

To remain minimal and match cmake.

Follow-up to 8de8fe8c98309c8b6183b22cc2e209ce4648173b #14401

show more ...

tests: don't mangle output if hostname or type unknown

If either of these couldn't be determined, the output would be missing a
newline. Make sure the line ends even in the case of an er

tests: don't mangle output if hostname or type unknown

If either of these couldn't be determined, the output would be missing a
newline. Make sure the line ends even in the case of an error.

show more ...

curl_sha512_256: fix symbol collisions with nettle library

`SHA512_256_BLOCK_SIZE`, `SHA512_256_DIGEST_SIZE` macros were both
defined within curl and also in the nettle library required

curl_sha512_256: fix symbol collisions with nettle library

`SHA512_256_BLOCK_SIZE`, `SHA512_256_DIGEST_SIZE` macros were both
defined within curl and also in the nettle library required by GnuTLS.

Fix it by namespacing the curl macros.

Cherry-picked from #14495
Closes #14514

show more ...

lib: prefer `CURL_SHA256_DIGEST_LENGTH` over the unprefixed name

Already used in `vtls.h`. Prefer this curl-namespaced name over the
unprefixed `SHA256_DIGEST_LENGTH`. The latter is also

lib: prefer `CURL_SHA256_DIGEST_LENGTH` over the unprefixed name

Already used in `vtls.h`. Prefer this curl-namespaced name over the
unprefixed `SHA256_DIGEST_LENGTH`. The latter is also defined by TLS
backends with a potential to cause issues.

Also stop relying on externel headers setting this constant. It's
already defined in `vtls.h` on curl's behalf, do this also for `lib`.

Cherry-picked from #14495
Closes #14513

show more ...

lib: avoid macro collisions between wolfSSL and GnuTLS headers

Both of these projects define the same `SHA*` macros via headers
included by curl (in MultiSSL builds, possibly only in Uni

lib: avoid macro collisions between wolfSSL and GnuTLS headers

Both of these projects define the same `SHA*` macros via headers
included by curl (in MultiSSL builds, possibly only in Unity builds),
causing redefinition compiler warnings.

Fix it by disabling compatibility macros in wolfSSL.

```
Building C object lib/CMakeFiles/libcurl_static.dir/Unity/unity_0_c.c.o
In file included from _bld/lib/CMakeFiles/libcurl_static.dir/Unity/unity_0_c.c:202:
In file included from lib/http_aws_sigv4.c:33:
In file included from lib/curl_sha256.h:40:
In file included from /usr/local/Cellar/wolfssl/5.7.2/include/wolfssl/openssl/sha.h:30:
/usr/local/Cellar/wolfssl/5.7.2/include/wolfssl/wolfcrypt/sha256.h:117:13: warning: 'SHA256_BLOCK_SIZE' macro redefined [-Wmacro-redefined]
#define SHA256_BLOCK_SIZE WC_SHA256_BLOCK_SIZE
^
/usr/local/Cellar/nettle/3.10/include/nettle/sha2.h:70:9: note: previous definition is here
#define SHA256_BLOCK_SIZE 64
^
In file included from _bld/lib/CMakeFiles/libcurl_static.dir/Unity/unity_0_c.c:202:
In file included from lib/http_aws_sigv4.c:33:
In file included from lib/curl_sha256.h:40:
In file included from /usr/local/Cellar/wolfssl/5.7.2/include/wolfssl/openssl/sha.h:30:
[...]
#define SHA256_DIGEST_SIZE WC_SHA256_DIGEST_SIZE
#define SHA224_BLOCK_SIZE WC_SHA224_BLOCK_SIZE
#define SHA224_DIGEST_SIZE WC_SHA224_DIGEST_SIZE
#define SHA512_BLOCK_SIZE WC_SHA512_BLOCK_SIZE
#define SHA512_DIGEST_SIZE WC_SHA512_DIGEST_SIZE
#define SHA384_BLOCK_SIZE WC_SHA384_BLOCK_SIZE
#define SHA384_DIGEST_SIZE WC_SHA384_DIGEST_SIZE
```

Cherry-picked from #14495
Closes #14511

show more ...

cmake: update `curl-config.cmake.in` template var list [ci skip]

Omit those defined by CMake.

Follow-up to a298df7f475f95996dcabc9e5a6ab31225ae6afa #14462

lib: fix building with wolfSSL without DES support

E.g. with Homebrew wolfssl 5.7.2 on macOS:
```
In file included from _bld/lib/CMakeFiles/libcurl_static.dir/Unity/unity_0_c.c:85:

lib: fix building with wolfSSL without DES support

E.g. with Homebrew wolfssl 5.7.2 on macOS:
```
In file included from _bld/lib/CMakeFiles/libcurl_static.dir/Unity/unity_0_c.c:85:
lib/curl_ntlm_core.c:157:27: error: unknown type name 'DES_key_schedule'
DES_key_schedule DESKEYARG(ks))
^
lib/curl_ntlm_core.c:159:3: error: use of undeclared identifier 'DES_cblock'
DES_cblock key;
^
[...]
```

Earlier patch addressing this for OpenSSL:
802d8644500f5b18c895b77a23d85e029766d65e #7808

Cherry-picked from #14495
Closes #14512

show more ...

sha256: fix symbol collision between nettle (GnuTLS) and OpenSSL codepath

Fixes:
```
C:\vcpkg\installed\x64-windows\include\nettle\sha2.h(75,8): error C2011: 'sha256_ctx': 'struct' t

sha256: fix symbol collision between nettle (GnuTLS) and OpenSSL codepath

Fixes:
```
C:\vcpkg\installed\x64-windows\include\nettle\sha2.h(75,8): error C2011: 'sha256_ctx': 'struct' type redefinition
```
Ref: https://github.com/curl/curl/actions/runs/10341162641/job/28622681573?pr=14484#step:10:30

Cherry-picked from #14495
Closes #14515

show more ...

vtls: fix static function name collisions between TLS backends

When using CMake Unity build.

- use unique name for `set_ssl_version_min_max()`
Fixes collision between GnuTLS,

vtls: fix static function name collisions between TLS backends

When using CMake Unity build.

- use unique name for `set_ssl_version_min_max()`
Fixes collision between GnuTLS, mbedTLS and SecureTransport.
```
lib\vtls\mbedtls.c(317,1): error C2084: function 'CURLcode set_ssl_version_min_max(Curl_easy *,ssl_peer *,ssl_primary_config *,const char **,const char *)' already has a body
lib\vtls\mbedtls.c(837,49): warning C4133: 'function': incompatible types - from 'Curl_cfilter *' to 'Curl_easy *'
lib\vtls\mbedtls.c(837,53): warning C4133: 'function': incompatible types - from 'Curl_easy *' to 'ssl_peer *'
lib\vtls\mbedtls.c(837,25): error C2198: 'set_ssl_version_min_max': too few arguments for call
```

- use unique name for `do_file_type()`
Fixes collision between GnuTLS, OpenSSL and wolfSSL.
```
lib\vtls\openssl.c(1053,12): error C2084: function 'gnutls_x509_crt_fmt_t do_file_type(const char *)' already has a body
```

Ref: https://github.com/curl/curl/actions/runs/10341162641/job/28622681573?pr=14484#step:10:31
Cherry-picked from #14495
Closes #14516

show more ...

build: silence C4232 MSVC warnings in vcpkg ngtcp2 builds

Silence bogus MSVC warning C4232. Use the method already used
for similar cases earlier.

Also fixup existing suppressio

build: silence C4232 MSVC warnings in vcpkg ngtcp2 builds

Silence bogus MSVC warning C4232. Use the method already used
for similar cases earlier.

Also fixup existing suppressions to use pragma push/pop.

```
lib\vquic\curl_ngtcp2.c(709,40): error C2220: the following warning is treated as an error
lib\vquic\curl_ngtcp2.c(709,40): warning C4232: nonstandard extension used: 'client_initial': address of dllimport 'ngtcp2_crypto_client_initial_cb' is not static, identity not guaranteed
lib\vquic\curl_ngtcp2.c(709,40): warning C4232: nonstandard extension used: 'recv_crypto_data': address of dllimport 'ngtcp2_crypto_recv_crypto_data_cb' is not static, identity not guaran
lib\vquic\curl_ngtcp2.c(709,40): warning C4232: nonstandard extension used: 'encrypt': address of dllimport 'ngtcp2_crypto_encrypt_cb' is not static, identity not guaranteed
lib\vquic\curl_ngtcp2.c(709,40): warning C4232: nonstandard extension used: 'decrypt': address of dllimport 'ngtcp2_crypto_decrypt_cb' is not static, identity not guaranteed
lib\vquic\curl_ngtcp2.c(709,40): warning C4232: nonstandard extension used: 'hp_mask': address of dllimport 'ngtcp2_crypto_hp_mask_cb' is not static, identity not guaranteed
lib\vquic\curl_ngtcp2.c(709,40): warning C4232: nonstandard extension used: 'recv_retry': address of dllimport 'ngtcp2_crypto_recv_retry_cb' is not static, identity not guaranteed
lib\vquic\curl_ngtcp2.c(709,40): warning C4232: nonstandard extension used: 'update_key': address of dllimport 'ngtcp2_crypto_update_key_cb' is not static, identity not guaranteed
lib\vquic\curl_ngtcp2.c(709,40): warning C4232: nonstandard extension used: 'delete_crypto_aead_ctx': address of dllimport 'ngtcp2_crypto_delete_crypto_aead_ctx_cb' is not static, identit
lib\vquic\curl_ngtcp2.c(709,40): warning C4232: nonstandard extension used: 'delete_crypto_cipher_ctx': address of dllimport 'ngtcp2_crypto_delete_crypto_cipher_ctx_cb' is not static, ide
lib\vquic\curl_ngtcp2.c(709,40): warning C4232: nonstandard extension used: 'get_path_challenge_data': address of dllimport 'ngtcp2_crypto_get_path_challenge_data_cb' is not static, ident
```
Ref: https://github.com/curl/curl/actions/runs/10343459009/job/28627621355#step:10:30

Cherry-picked from #14495
Co-authored-by: Tal Regev
Ref: #14383
Closes #14510

show more ...

cmake: add `CURL_USE_PKGCONFIG` option

Add option to control whether to use `pkg-config` to detect
dependencies. Curl's CMake uses `pkg-config` by default for all targets
except for

cmake: add `CURL_USE_PKGCONFIG` option

Add option to control whether to use `pkg-config` to detect
dependencies. Curl's CMake uses `pkg-config` by default for all targets
except for MSVC without vcpkg.

With the CMake option `-DCURL_USE_PKGCONFIG=ON` you can override it to
use `pkg-config` always.

If `pkg-config` is causing issues, e.g. in cross-builds or other cases,
`-DCURL_USE_PKGCONFIG=OFF` disables all use of `pkg-config`.

Also add it to `curl-config.cmake`. Not yet used, but will be once curl
starts referencing any curl-specific `Find*` module from this public
script.

Follow-up to 9dfdc6ff42ba045ec48056bb6d2072f2fcac2e9d #14483
Closes #14504

show more ...

IDN: fix/extend/migrate test exclusion rules

- make sure to exclude failing tests when libidn2 is detected by
default.

- ignore test 1560 results. Seen to fail with libidn2.

IDN: fix/extend/migrate test exclusion rules

- make sure to exclude failing tests when libidn2 is detected by
default.

- ignore test 1560 results. Seen to fail with libidn2.
I'm not sure why this test was not executed earlier:
https://github.com/curl/curl/actions/runs/10354610889/job/28660309355#step:13:3647

- runtests: recognize `libidn2` as a feature.

- move IDN test exclusions from GHA/windows to `tests/data/DISABLED`.

- GHA/windows: drop default `-DUSE_LIBIDN2=ON` cmake config.

Cherry-picked from #14495
Closes #14519

show more ...

docs: update CIPHERS.md

Give a more consice overview of curl's cipher options and cipher suites.

Removed long lists of ciphers that were directly copied from the SSL
backends' d

docs: update CIPHERS.md

Give a more consice overview of curl's cipher options and cipher suites.

Removed long lists of ciphers that were directly copied from the SSL
backends' documentation. Instead present the user a more common aproach
acorss the SSL backends, with notes for backends that do not conform
and/or provide alternate means.

Provide a shorter list of cipher suites that is more relevant for modern
usage and should work mostly across all backends, provide a seperate
list with all cipher suites, and provide links to the SSL backends'
documentation for more information.

Also give examples with modern cipher suites.

Add docs/CIPHERS-TLS12.md for TLS 1.2 ciphers.

Closes #14460

show more ...

GHA: bump deps: upload-artifact, codeql and spellcheck

- bump actions/upload-artifact from 4.3.5 to 4.3.6

Signed-off-by: dependabot[bot] <support@github.com>

Closes #14506

GHA: bump deps: upload-artifact, codeql and spellcheck

- bump actions/upload-artifact from 4.3.5 to 4.3.6

Signed-off-by: dependabot[bot] <support@github.com>

Closes #14506

- bump github/codeql-action from 3.25.15 to 3.26.0

Closes #14507

- bump rojopolis/spellcheck-github-actions digest to a0fba0c

Closes #14518

show more ...

http2+h3 filters: fix ctx init

Members of the filter context, like stream hash and buffers, need to be
initialized early and protected by a flag to also avoid double cleanup.

Th

http2+h3 filters: fix ctx init

Members of the filter context, like stream hash and buffers, need to be
initialized early and protected by a flag to also avoid double cleanup.

This allow the context to be used safely before a connect() is started
and the other parts of the context are set up.

Closes #14505

show more ...

GHA/macos: drop gcc-11

No longer present in macos-12, macos-13 images:
https://github.com/actions/runner-images/blob/macos-12/20240811.1/images/macos/macos-12-Readme.md
https://githu

GHA/macos: drop gcc-11

No longer present in macos-12, macos-13 images:
https://github.com/actions/runner-images/blob/macos-12/20240811.1/images/macos/macos-12-Readme.md
https://github.com/actions/runner-images/blob/macos-13/20240811.1/images/macos/macos-13-Readme.md

Closes #14509

show more ...

wolfssl: fix CURLOPT_SSLVERSION

Before, setting CURLOPT_SSLVERSION with wolfSSL restricted the the tls
proto to just the specified version. Now it properly supports a range.
So it ca

wolfssl: fix CURLOPT_SSLVERSION

Before, setting CURLOPT_SSLVERSION with wolfSSL restricted the the tls
proto to just the specified version. Now it properly supports a range.
So it can set the min and max tls proto (max requires wolfSSL 4.2.0).

Bump the absolute minimum required version of wolfSSL to 3.4.6 (released
2015) because it is needed for the wolfSSL_CTX_SetMinVersion() function.

Closes #14480

show more ...

websocket: introduce blocking sends

When using `curl_ws_send()`, perform a blocking send of the data under
the following conditions:

- the websocket is in raw mode and the call

websocket: introduce blocking sends

When using `curl_ws_send()`, perform a blocking send of the data under
the following conditions:

- the websocket is in raw mode and the call is done from within a curl
callback. A partial write of the data could subsequently mess up the
ws framing, as a callback has a hard time handling this.

- the websocket is encoding the data itself, has added it to its
internal sendbuf. A partial flush of the buffer has unclear semantics
for the caller, as they will have no idea what to send again.

Fixes WebSockets tests with CURL_DBG_SOCK_WBLOCK=90 set.
Closes #14458

show more ...

spnego_gssapi: implement TLS channel bindings for openssl

Channel Bindings are used to tie the session context to a specific TLS
channel. This is to provide additional proof of valid ide

spnego_gssapi: implement TLS channel bindings for openssl

Channel Bindings are used to tie the session context to a specific TLS
channel. This is to provide additional proof of valid identity,
mitigating authentication relay attacks.

Major web servers have the ability to require (None/Accept/Require)
GSSAPI channel binding, rendering Curl unable to connect to such
websites unless support for channel bindings is implemented.

IIS calls this feature Extended Protection (EPA), which is used in
Enterprise environments using Kerberos for authentication.

This change require krb5 >= 1.19, otherwise channel bindings won't be
forwarded through SPNEGO.

Co-Authored-By: Steffen Kieß <947515+steffen-kiess@users.noreply.github.com>
Closes #13098

show more ...

cmake: allow `pkg-config` in more envs

Before this patch, `pkg-config` was used for `UNIX` builds only (with
a few exceptions like wolfSSL, libssh, gsasl, libuv). This patch extends

cmake: allow `pkg-config` in more envs

Before this patch, `pkg-config` was used for `UNIX` builds only (with
a few exceptions like wolfSSL, libssh, gsasl, libuv). This patch extends
`pkg-config` use to all envs except: `MSVC` without vcpkg. Meaning MSVC
with vcpkg will now use it. Also mingw on Windows.

Also apply the new condition to options where `pkg-config` was used
unconditionally (= for all targets). These are:
`-DCURL_USE_WOLFSSL=ON`, `-DCURL_USE_LIBSSH=ON`,
`-DCURL_USE_GSASL=ON` and `-DCURL_USE_LIBUV=ON`

This patch may still cause regressions for cross-builds (e.g. mingw
cross-build from Unix) and potentially other cases. If that happens, we
recommend using some of these methods to explicitly disable `pkg-config`
when using CMake:
- CMake option: `-DPKG_CONFIG_EXECUTABLE=`
(or `-DPKG_CONFIG_EXECUTABLE=nonexistent` or similar)
This is similar to the (curl-specific) `PKG_CONFIG` env for autotools.
- export env: `PKG_CONFIG_LIBDIR=`
(or `PKG_CONFIG_PATH`, `PKG_CONFIG_SYSROOT_DIR`,
or the CMake-specific `PKG_CONFIG`)

We may improve control over this in a future patch, also allowing opting
in MSVC (without vcpkg).

Ref: #14405
Ref: #14408
Ref: #14140
Closes #14483

show more ...

build: tidy up internal macro names for `libcurl.pc`

Rename internal macros to match their `libcurl.pc` metadata counterpart.
Also apply these to the `curl-config.in` template.

build: tidy up internal macro names for `libcurl.pc`

Rename internal macros to match their `libcurl.pc` metadata counterpart.
Also apply these to the `curl-config.in` template.

- `CPPFLAG_CURL_STATICLIB` -> `LIBCURL_PC_CFLAGS`
- `LIBCURL_LIBS` -> `LIBCURL_PC_LIBS_PRIVATE`
- `LIBCURL_NO_SHARED` -> `LIBCURL_PC_LIBS`

Closes #14476

show more ...

tidy-up: delete `Makefile.inc` from `EXTRA_DIST`

autotools is adding them automatically. Delete the few ones that were
also added manually.

Closes #14496

RELEASE-NOTES: synced