KuriloVA
/
cs-lab34
1
0
Форкнуть 0
Код Задачи Запросы на слияние Пакеты Проекты Релизы Вики Активность

Сравнить коммиты

Основа: KuriloVA:12550c87fc64ae4e97f2384dac5821ec02489ea3
Ветки Теги
KuriloVA:master
...
сравнить: KuriloVA:1170b8159e6ba02cf58caf6c6462bb3fdd844d31
Ветки Теги
KuriloVA:master

5 Коммитов
12550c87fc ... 1170b8159e

Автор SHA1 Сообщение Дата
KuriloVA 1170b8159e изменила структуру программы
3 недель назад
KuriloVA 02dfcbc51f Добавили параметр argc и argv
3 недель назад
KuriloVA 5186427014 Добавила curl
3 недель назад
KuriloVA 161b64ceb7 Добавила новый параметр bool prompt
3 недель назад
KuriloVA fa55115fca Переписала функцию input_data
3 недель назад
332 изменённых файлов: 115189 добавлений и 12 удалений
Показать статистику

2
BAT-файл.txt
Unescape Просмотреть файл

@ -0,0 +1,2 @@
lab01.exe < 02-example.input.txt > 02-example.actual.txt 2>NUL
fc /N 02-example.actual.txt 02-example.expected.txt

120
curl/BUILD-HASHES.txt
Unescape Просмотреть файл

@ -0,0 +1,120 @@
SHA2-256(./bin/curl-ca-bundle.crt)= 50a6277ec69113f00c5fd45f09e8b97a4b3e32daa35d3a95ab30137a55386cef
SHA2-256(./bin/curl.exe)= 04f01d2994a731ca1754155496d43d72443b78b1bb11a767f242f9cb0103bb88
SHA2-256(./bin/libcurl-x64.def)= fc8449996b7661b9ae9c0ed67c847f1c7241a9ef3db717a5d578012f34fb00da
SHA2-256(./bin/libcurl-x64.dll)= 0ee738330bce47dfe9fdef3765eba828af0f992411dde6bab72f19c5e3f9b200
SHA2-256(./include/brotli/decode.h)= 20d0a87a96bc25a3af7557075be87be4393e88a5fb564db08e92884dee17d841
SHA2-256(./include/brotli/encode.h)= 3403a597eff24ff45903128feb471e4dd5138f624104ebe058a9d90ed905550c
SHA2-256(./include/brotli/port.h)= d87dae6cce00aff76192a1db4fedc2a817967e14e652829349b8a75088f9e467
SHA2-256(./include/brotli/shared_dictionary.h)= 86230f0aaf533044d85d92f84b5aec8b7e4e231d4b64b098604083e7866e8097
SHA2-256(./include/brotli/types.h)= 96c9330e790aa6fe53f4cdd328d0a4b98e361b82913baa3219db73aadb11272c
SHA2-256(./include/curl/curl.h)= 3df43d2a406f6fab43871c9e76374d12962c4f7f7e8869d1c0e577967229f2e2
SHA2-256(./include/curl/curlver.h)= 4970d58c40fe33ada8b458730fd444292e91d0aeb2863755e2e4d635af37dac4
SHA2-256(./include/curl/easy.h)= 3a9a663e57fa4104ae479e513a41d99b069f735543d118c90f73c5b5b0f37291
SHA2-256(./include/curl/header.h)= 614be48a86f4e5d304c5aa40ef1c85245e25b97732921c3631840146669d992f
SHA2-256(./include/curl/mprintf.h)= 5254b33e5e351298cdc25303381edc15889a41e129d41821bbd186dc2ddcbd40
SHA2-256(./include/curl/multi.h)= 83ae673f7655768bf70b141c9cf845b09695aa801d4d1d56362c3928c38e397c
SHA2-256(./include/curl/options.h)= 5716018d27e783283825bed2a8a051190487722fdeb64b7aa2d03a997e99b8d1
SHA2-256(./include/curl/stdcheaders.h)= d7588b86814a35ffc3766ff6242e6f6705e04401fc9c208a195caff3503af81c
SHA2-256(./include/curl/system.h)= 92ccf664e1228dd06e2ad9365185532d42176ee89359fa9d367a7efd60c9343a
SHA2-256(./include/curl/typecheck-gcc.h)= 69f21b923732fe43ad282368521a92392fd36f2233464ab3a9182be295645f58
SHA2-256(./include/curl/urlapi.h)= 4366e8eead1d92742c679b14dd3c65b92087226e1cebecc7803d619eded6a868
SHA2-256(./include/curl/websockets.h)= b58bb1d7eda3fd2372feb4d856c256897d83006dfe7933d69be54bc4a2ba5a3f
SHA2-256(./include/libpsl.h)= c18414f8fbcf2c16ce4cf4038dd27a0e8b64d8dc9c117d5b982016d830852f4e
SHA2-256(./include/libssh2.h)= 86cc9fcfd0daa10ba25442e5ecea23db618027362bc85fdc591ec7f5d9d39a91
SHA2-256(./include/libssh2_publickey.h)= f1cd086f3950e65635827ee3332c1c6ca62887c0f84369ec58e31974debb36e9
SHA2-256(./include/libssh2_sftp.h)= b5d864f19af69521278ed953b20b76a32cfdc08014da81d38f59964e7e2e2575
SHA2-256(./include/nghttp2/nghttp2.h)= 711ec7c2f6851f6c744cc54e279bdda113824adbd0e4e7d8a62703ca9c7b90ec
SHA2-256(./include/nghttp2/nghttp2ver.h)= d487680fae998aedc5527ea49a264a1d2ffbf850700510ab1bbf17645b1be168
SHA2-256(./include/nghttp3/nghttp3.h)= 0105d267ae01429f21fa45966652d5df6f7dc37a66ba0e6108ec3cd0b0785741
SHA2-256(./include/nghttp3/version.h)= 4787e4a77dc50a7da16473d69c09d757ac129aa47d95327ddc55e33e5e2f061d
SHA2-256(./include/ngtcp2/ngtcp2.h)= f1b81ef0a58dcb527859803b198bbc920d9d7c511545e46737a19b7aaee1874f
SHA2-256(./include/ngtcp2/ngtcp2_crypto.h)= 998aed2a9b3c866ca1fb29aa766f2d1eaeebb58aa79dc9335c8fa40eb0f60886
SHA2-256(./include/ngtcp2/ngtcp2_crypto_quictls.h)= 1790e0356644fe51c2239839c68cd1ded53cd729b4730c6f7068db14845216b2
SHA2-256(./include/ngtcp2/version.h)= 7508a03a55cef425ea851249cc55e23eae435c6c66daf30ace326c6b4f75d3c0
SHA2-256(./include/openssl/aes.h)= 61a5846af3aabc2eaf0fffd0109b82982d6e70c2e58a874e0713907d2c649dec
SHA2-256(./include/openssl/asn1.h)= 687538926de7e7abb5e633e496352f28cd8850bcfa6299f80f460f1166a511f3
SHA2-256(./include/openssl/asn1t.h)= ff2f110c85b1389ebed09059eb47a5337cc57c67c4e84bd7ae897124886c27fc
SHA2-256(./include/openssl/bio.h)= 1bcab470bff5f8834effa967eea18ef1a2cf70c2cefb9d5d00f5b85e0d8d6ff0
SHA2-256(./include/openssl/blowfish.h)= 436eea2ac8bd10f5bfd320bb11bfdd1c982bfdaac507f45db6a064915fc2ca17
SHA2-256(./include/openssl/bn.h)= 4331c86e4e8b3ea9e1bac19a648b71926001e91f7e37b3be29c8012a8a918a7e
SHA2-256(./include/openssl/buffer.h)= a60e861037ec534a80289dce8a5fda46ef72cb3248a29fdc86bd12559c0dfb93
SHA2-256(./include/openssl/camellia.h)= 8dc3a54e09392f539b38a6dabcd54daed7bec233de0b42b3d81986a58bc8d033
SHA2-256(./include/openssl/cast.h)= 3abc7cd1651f36958c013c12934119e545633be4a1c80c79dfc124690d24cfc9
SHA2-256(./include/openssl/chacha.h)= df0728ed1a2678969a7a40a83290a26173b396154a873f2d408343a4ef0d34c7
SHA2-256(./include/openssl/cmac.h)= 1e298a02b96233ae382ff8fad42ec6b7e04bdbc62ee7faab3479dbe7c7962c7e
SHA2-256(./include/openssl/cms.h)= df710537b6d99b10ff98576c89def33a8bfe4d0c7781da41a6f35932a6669622
SHA2-256(./include/openssl/comp.h)= 827b2d6d9ddebb4345aef8ff92e4a350e7bfa01de0f684fadf354ff891389f97
SHA2-256(./include/openssl/conf.h)= 49e7d1603fc727d252b9f876f2ebe0fbfcfd2ff238ed55d922747b70f62666b2
SHA2-256(./include/openssl/crypto.h)= 0e3cc0d17c8adccefec9494cafd6db230df62f504edee93e5b4c900e7b91bbce
SHA2-256(./include/openssl/ct.h)= 059a0cf146e35736dac7c2d34ad344f8b00fe364324112de4fe1c7a10a13edc3
SHA2-256(./include/openssl/curve25519.h)= d7534da0a98ef1827761beae60ca00d67b1acc0c6977e919591401f2777dd4d2
SHA2-256(./include/openssl/des.h)= c8ea5e61f053b10cf55f20b4d7c9b9481acd17c07b096cf75e56809add2a37c4
SHA2-256(./include/openssl/dh.h)= 8f4ec3a8703935fab16ddddbf4a6ea9214a41cc8a16cf4833643ca69cc06bf50
SHA2-256(./include/openssl/dsa.h)= ee29903a3f30967ad3e0e7b260d41fc92c5c5e7f3985e98346c2ce40ba872b6b
SHA2-256(./include/openssl/dtls1.h)= 9c9837a45861f79f4ecd54761bc74aa503265778be1dd76c68433d7994fabb3b
SHA2-256(./include/openssl/ec.h)= 3b2a21eadbed07db95a825aedca03d14410c1211b3e7f0acb5e170050253d1b9
SHA2-256(./include/openssl/ecdh.h)= bfef80e1a0152c23c29a04323302c6a592e55104a5add4c458301ef1da45bade
SHA2-256(./include/openssl/ecdsa.h)= 298d675ce2985b1ba12d7da1245fbc5327f193dc3a477a9aada2208162fdd542
SHA2-256(./include/openssl/engine.h)= e8bfa460b4ab7f443e1e43151f814db001d0c6c2a6f5d692b1d4ec8e9035ca76
SHA2-256(./include/openssl/err.h)= 36756914d0c756c4bfbd30a02372eff0f41fcdca7d6e1e5e9b727d492d5af72b
SHA2-256(./include/openssl/evp.h)= 153c2259c8de3e848b9bf7f3829f09125aee342289f47ed59fa17d10e16758e7
SHA2-256(./include/openssl/hkdf.h)= 47294d3c2c3df67590090a7262032d2ed83a249d053f9c81be01878faffdc4d2
SHA2-256(./include/openssl/hmac.h)= 69eb59fcb034781a014a11f8d2c22335ac32a37cb4a6887ca466f8233da8beb9
SHA2-256(./include/openssl/idea.h)= 610d9932439efb64d8898938d4b044e608ed16ed1ad0754ae4925ea32b8b8a08
SHA2-256(./include/openssl/kdf.h)= c7ecfc60364c4a47d86fb55c6087f4c8e8ae59b9ee60b9fce7e4c70c7d903141
SHA2-256(./include/openssl/lhash.h)= 053f21efa3da78055e2763b90fd69a4b810606c91b36bbc055290685eeee6f71
SHA2-256(./include/openssl/md4.h)= 8dc31cf435f33e35905a6369f5a87591ad176c5c4df5ce0913b30ff5965568ed
SHA2-256(./include/openssl/md5.h)= 20a6ed75c52e68e82438140604f921e04367a148814c494e222117b327040c5d
SHA2-256(./include/openssl/modes.h)= a8993a5bdfad225b207971039657000250b3239d7ca095238fabb895d73bafc6
SHA2-256(./include/openssl/obj_mac.h)= 4270ca80a060fdcaf77e31ce3dcd85ed92cceeb23aed7a6af8d92c84aff54075
SHA2-256(./include/openssl/objects.h)= dcf127aedcc6a9fbf4abc6dfacbf6d234a003d5c390025f4785c3407cbe99cf2
SHA2-256(./include/openssl/ocsp.h)= 74bf587344a632fee6721e93a3991de1c5cdafe762fc7ff3d22ea614ea8505f7
SHA2-256(./include/openssl/opensslconf.h)= 12907133aec34951c7154f85b0a4b716dd9f8522e1f88935e971b7e32e100293
SHA2-256(./include/openssl/opensslfeatures.h)= b6cb250da81ac43dfe8fe76f512f7b4ee81c036a76a98a0f9f656bcf218d86e7
SHA2-256(./include/openssl/opensslv.h)= 223b94f36e5212aa3ea042e56ef39787f6ec316f9e622bcba0fb5c48907598be
SHA2-256(./include/openssl/ossl_typ.h)= 74a337679d1a99aee06bdd11a3b7d814932f0ed772a1c09cbf799c6b7297158c
SHA2-256(./include/openssl/pem.h)= fd8e0bf923e6878d03a07b6401266a6cff4089082dca60db3426b8640fb5e6f6
SHA2-256(./include/openssl/pkcs12.h)= 144bf41de4f93ddcbfb44a3ebb82611e776205d744524a94c2c760dea6c997be
SHA2-256(./include/openssl/pkcs7.h)= 4966b5892e545b20553ca746739dba0d4a1a6684934433d7eb095984ad2edf56
SHA2-256(./include/openssl/poly1305.h)= b751992c10df319c0309b31e0206aad4597edc9d1496267002b433537419e7ec
SHA2-256(./include/openssl/posix_time.h)= 9b403139b6e0a2212b5c3ad5d387631f19f5bec74d8831d3fc4c3ab34f58840b
SHA2-256(./include/openssl/rand.h)= 9e4957207431d97886e6589aef8ce9cd15579bda226baf5c980dcb47876068cd
SHA2-256(./include/openssl/rc2.h)= a6bccbf74dd468343b127f80f1d04f69680860d5283c85a460325969bdf50e76
SHA2-256(./include/openssl/rc4.h)= e4b7f178300a7978f5904f06b559569c9aef128adf65dcd2b2a686ce36c439ed
SHA2-256(./include/openssl/ripemd.h)= 4c2c3459de4a53949fb92dba4fc76b253deaea6ca673b8150f2031b16031534f
SHA2-256(./include/openssl/rsa.h)= 2c14f09faefcd786eb62aa1343524dc94714b7962c790d145f5317fea94f74da
SHA2-256(./include/openssl/safestack.h)= 3ba8e3cf36e174528a5d581dfa897012dba82d820d2da07b2e4705ec6547ad22
SHA2-256(./include/openssl/sha.h)= 0c0076f1213121540ea71da9d583262b09ed02a113e26d84b28efee621a3492f
SHA2-256(./include/openssl/sm3.h)= dfc2175a2ed2d8a7ae3cd867f989fb154f1f8652564a97e3080f575835ec733f
SHA2-256(./include/openssl/sm4.h)= 6030457a506d6fbde00aebbff45b345a831a0673f4517bc278f7d5f72cf482ea
SHA2-256(./include/openssl/srtp.h)= ae58c4d9c667f74b8f3c44039072c6d45232a2af09539c414028aa6e9eb57f90
SHA2-256(./include/openssl/ssl.h)= d3956af6322899a607665a5a4841ad69aac79a4fe66835024787afdd6b927f45
SHA2-256(./include/openssl/ssl3.h)= 1b874f840ab4a34ff78de5009bf432e42d088716c17c43b6e45bbfde58d6c30a
SHA2-256(./include/openssl/stack.h)= cec4d77b15c66fcbadc05d6946ad6fb8a77430472302798ac25b52aeaa990b92
SHA2-256(./include/openssl/tls1.h)= 70a7c812a910dbe74a36a2725596413ed9da2a22e805de65b714d5346f2689bf
SHA2-256(./include/openssl/ts.h)= 28cb12962438d5c655fe5a46cad53e9f4a334497d4411446d5974601485a28cc
SHA2-256(./include/openssl/txt_db.h)= 7c50364dd59d167b14db35ff210327d57cabfb14be2ae40e440de2aad14d5b27
SHA2-256(./include/openssl/ui.h)= 42762d29440f35fc4bfac041716a7e4d6034e74b3a1f8b77ff4e7074ea6784dd
SHA2-256(./include/openssl/x509.h)= 0f8c800eef16ae00047f8a01f97dc48b8489e814c965340e562197278187dbe4
SHA2-256(./include/openssl/x509_vfy.h)= aa9c34d6eb48543408cb97a9859a7c40bddaaa0d903d2c678d4cb0b9e3834321
SHA2-256(./include/openssl/x509v3.h)= ba90f7955cb292501715d0d0756d5b057a06c6afaaab95a3fa6780ac9c99458a
SHA2-256(./include/zconf.h)= dcb0a2b20ac38181012fbc430d1c229cf6eb7758ce8ab26a618c8a0808c3e76e
SHA2-256(./include/zdict.h)= abacadb94e3f79e591f4b1648e839b0160fbf4291211fd01bdba1380269b245c
SHA2-256(./include/zlib.h)= 0f502ab19b9200f6c390945c0fc860816fd0a082e6a01925f7322564f9445565
SHA2-256(./include/zlib_name_mangling.h)= 38e51a846d6c2bd6100298c55328dba4437c08fa1dceda4eb2e06ecb1d142058
SHA2-256(./include/zstd.h)= 9b4bc8245565c98ccfc61c07749928b57e7c0f6fddb0530c4f6aa1971893d88b
SHA2-256(./include/zstd_errors.h)= 66a8c3f71d12ea6e797e4f622f31f3f8f81c41b36f48cad4f5de7d8bfb6aac0a
SHA2-256(./lib/libbrotlicommon.a)= 1c6a6ff41a2a1ec0bfe8bdfe8e27127fce59e16df88e0b9060e63b11e0a9ddaf
SHA2-256(./lib/libbrotlidec.a)= 8c5a2d2004888de89972cbb9f3299fe385ca1953068cd1a573ed79d84d53b7e9
SHA2-256(./lib/libcrypto.a)= 6b8fff99effdad113e32b4a2389b2a10e2da7788771b213b3f8fab98bfb12f65
SHA2-256(./lib/libcurl.a)= f60e1289cf6011631370e5b384b9d2fef9045a9c64d775da25d2f990345c908f
SHA2-256(./lib/libcurl.dll.a)= 48d31aeb7eeb9efcee391765bd7f18dabfcb9e36fd4bc9b7d7dac37658d9c634
SHA2-256(./lib/libnghttp2.a)= c516ac51da540e32535b6d4e8a5df7b399abd3edda55c9a180b478e501bf07e7
SHA2-256(./lib/libnghttp3.a)= 3d68c962edb6e11cba92c788be5a80d917a1cbbd1f2a8fb225f01d6b9469cf3b
SHA2-256(./lib/libngtcp2.a)= b31c87a46dc0bc916f88b0ee17fdb0cf2b1051f37c9f812a9df1425916c8c180
SHA2-256(./lib/libngtcp2_crypto_quictls.a)= 7439d28649e8fbc4b02bf69de8028812357fd934cc41cceedc4baf6d5ab7026c
SHA2-256(./lib/libpsl.a)= 711865fc20f356bebbfe55f2a2b9a4be49b935d151015c64b104c773d3e69c8a
SHA2-256(./lib/libssh2.a)= ae90e3a9e7da4bc572102d4886b9833620b8bb7c65d291703df9c938c538a66b
SHA2-256(./lib/libssl.a)= 4db85abf49d73206ecda2233b1efed68f4c367bb35c92c34a02a83ed6e2d1eaf
SHA2-256(./lib/libz.a)= 7d6f8b7f7033e72a6f6a4f1815a081ff14a1a22abdf3e19799aa743f11bc3c30
SHA2-256(./lib/libzstd.a)= dca30484c301668b263f154d060f225d7f1d2f3339527c5183bc42673aa86565

13
curl/BUILD-MANIFEST.txt
Unescape Просмотреть файл

@ -0,0 +1,13 @@
.clang 19.1.7
.mingw-w64 12.0.0-5
zlibng 2.2.4 https://github.com/zlib-ng/zlib-ng/archive/refs/tags/2.2.4.tar.gz
zstd 1.5.7 https://github.com/facebook/zstd/releases/download/v1.5.7/zstd-1.5.7.tar.gz
brotli 1.1.0 https://github.com/google/brotli/archive/v1.1.0.tar.gz
libpsl 0.21.5 https://github.com/rockdaboot/libpsl/releases/download/0.21.5/libpsl-0.21.5.tar.gz
nghttp3 1.9.0 https://github.com/ngtcp2/nghttp3/releases/download/v1.9.0/nghttp3-1.9.0.tar.xz
libressl 4.1.0 https://ftp.openbsd.org/pub/OpenBSD/LibreSSL/libressl-4.1.0.tar.gz
ngtcp2 1.12.0 https://github.com/ngtcp2/ngtcp2/releases/download/v1.12.0/ngtcp2-1.12.0.tar.xz
nghttp2 1.65.0 https://github.com/nghttp2/nghttp2/releases/download/v1.65.0/nghttp2-1.65.0.tar.xz
libssh2 1.11.1 https://libssh2.org/download/libssh2-1.11.1.tar.xz
cacert 2025-02-25 https://curl.se/ca/cacert-2025-02-25.pem
curl 8.13.0 https://curl.se/download/curl-8.13.0.tar.xz

2
curl/BUILD-README.url
Unescape Просмотреть файл

@ -0,0 +1,2 @@
[InternetShortcut]
URL=https://github.com/curl/curl-for-win

22
curl/COPYING.txt
Unescape Просмотреть файл

@ -0,0 +1,22 @@
COPYRIGHT AND PERMISSION NOTICE
Copyright (c) 1996 - 2025, Daniel Stenberg, <daniel@haxx.se>, and many
contributors, see the THANKS file.
All rights reserved.
Permission to use, copy, modify, and distribute this software for any purpose
with or without fee is hereby granted, provided that the above copyright
notice and this permission notice appear in all copies.
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OF THIRD PARTY RIGHTS. IN
NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM,
DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR
OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE
OR OTHER DEALINGS IN THE SOFTWARE.
Except as contained in this notice, the name of a copyright holder shall not
be used in advertising or otherwise to promote the sale, use or other dealings
in this Software without prior written authorization of the copyright holder.

55
curl/README.txt
Unescape Просмотреть файл

@ -0,0 +1,55 @@
_ _ ____ _
___| | | | _ \| |
/ __| | | | |_) | |
| (__| |_| | _ <| |___
\___|\___/|_| \_\_____|
README
Curl is a command line tool for transferring data specified with URL
syntax. Find out how to use curl by reading the curl.1 man page or the
MANUAL document. Find out how to install Curl by reading the INSTALL
document.
libcurl is the library curl is using to do its job. It is readily
available to be used by your software. Read the libcurl.3 man page to
learn how.
You find answers to the most frequent questions we get in the FAQ document.
Study the COPYING file for distribution terms.
Those documents and more can be found in the docs/ directory.
CONTACT
If you have problems, questions, ideas or suggestions, please contact us
by posting to a suitable mailing list. See https://curl.se/mail/
All contributors to the project are listed in the THANKS document.
WEBSITE
Visit the curl website for the latest news and downloads:
https://curl.se/
GIT
To download the latest source code off the GIT server, do this:
git clone https://github.com/curl/curl.git
(you will get a directory named curl created, filled with the source code)
SECURITY PROBLEMS
Report suspected security problems via our HackerOne page and not in public.
https://hackerone.com/curl
NOTICE
Curl contains pieces of source code that is Copyright (c) 1998, 1999
Kungliga Tekniska Högskolan. This notice is included here to comply with the
distribution terms.

679
curl/RELEASE-NOTES.txt
Unescape Просмотреть файл

@ -0,0 +1,679 @@
curl and libcurl 8.13.0
Public curl releases: 266
Command line options: 268
curl_easy_setopt() options: 307
Public functions in libcurl: 96
Contributors: 3378
This release includes the following changes:
o curl: add write-out variable 'tls_earlydata' [79]
o curl: make --url support a file with URLs [104]
o gnutls: set priority via --ciphers [167]
o IMAP: add CURLOPT_UPLOAD_FLAGS and --upload-flags [124]
o lib: add CURLFOLLOW_OBEYCODE and CURLFOLLOW_FIRSTONLY [147]
o OpenSSL/quictls: add support for TLSv1.3 early data [150]
o rustls: add support for CERTINFO [106]
o rustls: add support for SSLKEYLOGFILE [282]
o rustls: support ECH w/ DoH lookup for config [280]
o rustls: support native platform verifier
o var: add a '64dec' function that can base64 decode a string [78]
o wolfssl: tls early data support [50]
This release includes the following bugfixes:
o addrinfo: add curl macro to avoid redefining foreign symbols [29]
o asyn-thread: avoid the separate 'struct resdata' alloc [20]
o asyn-thread: avoid the separate curl_mutex_t alloc [6]
o asyn-thread: do not allocate thread_data separately [21]
o asyn-thread: remove 'status' from struct Curl_async [36]
o autotools: fix `dllmain.c` in unity builds [257]
o autotools: fix `libtest` bundle to depend on `FIRSTFILES` [240]
o autotools: use `CURLDEBUG` to exclude TrackMemory code from unity [253]
o aws_sigv4: cannot be used for proxy [171]
o aws_sigv4: merge repeated headers in canonical request [272]
o aws_sigv4: use strparse more for parsing [55]
o base64: drop `BUILDING_CURL` macro, always include in tests/server [234]
o build: add Windows CE / CeGCC support, with CI jobs [87]
o build: cmake multi-pkg-config detection improvements (brotli, ldap, mbedtls) [192]
o build: do not apply curl debug macros to `tests/server` by default [254]
o build: drop unused `getpart` tool [107]
o build: enable -Wjump-misses-init for GCC 4.5+ [62]
o build: enable `-Wcast-qual`, fix or silence compiler warnings [208]
o build: fix compiler warnings in feature detections [39]
o build: replace Curl_ prefix with curlx_ for functions used in servers [236]
o build: set `-O3` and tune WinCE in CI, fix `getpart`, `vtls_scache` fallouts [137]
o build: set `HAVE_STDINT_H` if `stdint.h` is available [155]
o build: set `HAVE_WRITABLE_ARGV` for Apple cross-builds [8]
o build: silence bogus `-Wconversion` warnings with gcc 5.1-5.4 [68]
o build: silence mingw32ce C99 format warnings, simplify CI [143]
o build: tidy-ups around `inet_pton` [180]
o c-ares httpsrr: fix ifdef [223]
o c-ares: error out for unsupported versions, drop unused macros [85]
o ca-native.md: sync with CURLSSLOPT_NATIVE_CA [72]
o cf-socket: deduplicate Windows Vista detection [11]
o cf-socket: remove empty switch [75]
o client writer: handle pause before decoding [61]
o cmake: `CURL_LIBDIRS` improvements (upstreamed from vcpkg) [191]
o cmake: `SHARE_LIB_OBJECT=ON` requires CMake 3.12 or newer [46]
o cmake: add custom command scripts as dependencies where missing [298]
o cmake: add pre-fill for Unix, enable in GHA/macos, verify pre-fills [42]
o cmake: add shell completion support [261]
o cmake: allow `CURL_STATIC_CRT` with shared libcurl and no curl exe [123]
o cmake: allow `CURL_STATIC_CRT` with UCRT VS2015+ builds [134]
o cmake: allow empty `IMPORT_LIB_SUFFIX`, add suffix collision detection [41]
o cmake: avoid `-Wnonnull` warning in `HAVE_FSETXATTR_5` detection [81]
o cmake: disable HTTPS-proxy as a feature if proxy is disabled [77]
o cmake: drop `CURL_DISABLE_TESTS` option [94]
o cmake: drop `HAVE_C_FLAG_Wno_long_double` logic for ancient Apple gcc [126]
o cmake: drop `HAVE_IN_ADDR_T` from pre-fill too
o cmake: drop two stray TLS feature checks for wolfSSL [9]
o cmake: exclude `-MP` for `clang-cl` again [132]
o cmake: fix `HAVE_ATOMIC`/`HAVE_STDATOMIC` pre-fill for clang-cl [28]
o cmake: fix clang-tidy builds to verify tests, fix fallouts [289]
o cmake: fix detection pre-fills for iOS [153]
o cmake: fix ECH detection in custom-patched OpenSSL [32]
o cmake: fix typo in ECH config error msg [246]
o cmake: hide empty `MINGW64_VERSION` output for mingw32ce [114]
o cmake: improve httpd detection for pytest [127]
o cmake: mention 'insecure' in the debug build warning [15]
o cmake: misc tidy-ups [38]
o cmake: pre-fill known type sizes for Windows OSes [100]
o cmake: replace CMAKE_COMPILER_IS_GNUCC with CMAKE_C_COMPILER_ID [232]
o cmake: replace exec_program() with execute_process() [239]
o cmake: restrict static CRT builds to static curl exe, test in CI [113]
o cmake: sync cutoff version with autotools for picky option `-ftree-vrp` [99]
o cmake: sync OpenSSL(-fork) feature checks with `./configure` [49]
o cmake: unity mode optimization for non-`CURLDEBUG` `testdeps` targets [231]
o CODE_STYLE: readability and banned functions [35]
o config-win32: set `HAVE_STDINT_H` where available [264]
o configure: call the blocking resolver "blocking", not "default" [220]
o configure: fix ECH detection with MultiSSL [259]
o configure: silence compiler warnings in feature checks, drop duplicates [86]
o configure: tidy up shell completion rules [292]
o configure: use `curl_cv_apple` variable [40]
o conn: eliminate `conn->now` [293]
o conn: fix connection reuse when SSL is optional [54]
o conncache: eliminate `conn->destination_len` as premature optimization [294]
o contributors.sh: lowercase 'github' for consistency [52]
o contrithanks.sh: update docs/THANKS in place [119]
o cookie: do prefix matching case-sensitively [82]
o cookie: minor parser simplification [58]
o cookie: simplify invalid_octets() [24]
o core: stop redefining `E*` macros on Windows, map `EACCES`, related fixes [233]
o curl.h: change some enums to defines with L suffix [84]
o curl.h: convert CURLUSESSL* names to defines [146]
o curl.h: stop defining non-curl `__has_declspec_attribute` [142]
o curl.h: switch `CURL_HTTP_VERSION*` enums to long constants [160]
o curl/system.h: drop leftover comment about 32 bit curl_off_t [305]
o curl: add my_setopt_long() and _offt() [158]
o curl_msh3: remove verify bypass from DEBUGBUILDs [43]
o curl_setup: drop `ERANGE` (for WinCE), no longer used [249]
o curl_setup_once: drop `E*` macro redefines unused (with winsock2) [164]
o curl_setup_once: stop redefining `ENAMETOOLONG` to winsock2 error code [163]
o curl_trc: fix build with CURL_DISABLE_VERBOSE_STRINGS [109]
o curl_ws_recv.md: expand a little on the fragments the API delivers [251]
o CURLMOPT_SOCKETFUNCTION.md: add advice for socket callback invocation[69]
o CURLOPT_HTTPHEADER.md: add comments to the example [90]
o CURLOPT_HTTPHEADER.md: rephrases [108]
o curltime: use libcurl time functions in src and tests/server [247]
o DISABLED: add 313 for sectransp (move from GHA/macos) [209]
o docs/cmdline-opts: use imperative form [270]
o docs: adapt to removed --with-random [177]
o docs: add FD_ZERO to curl_multi_fdset example [19]
o docs: bump `rustls` to 0.14.1 [111]
o docs: correct argument names & URL redirection [4]
o docs: minor edits to please the new spellchecker regime
o docs: rework RUSTLS install instructions
o docs: unify HTTP version style in --help output [139]
o docs: vulnerabilities in debug code are not eligible for a bounty [118]
o doh: improve HTTPS RR svcparams parsing [198]
o doh: remove wrong but unreachable exit path from doh_decode_rdata_name [199]
o dynbuf: assert init on free [295]
o easy: drop `break` after `return` [300]
o easy: fix warning about possible comma misuse [219]
o eventfd: allow use on all CPUs [93]
o examples: prefer `return` over `exit()` (cont.) [110]
o ftp/sftp: strdup data info memory [237]
o ftp: fix comment [135]
o gnutls: fix connection state check on handshake [80]
o gnutls: fix use of pkcs11 urls for keys/certs [122]
o gtls: fix uninitialized variable [154]
o hash: use single linked list for entries [57]
o hostip: don't use alarm() for DoH resolves [214]
o hostip: make CURLOPT_RESOLVE support replacing IPv6 addresses [47]
o http2: add on_invalid_frame callback for error detection [174]
o http2: detect session being closed on ingress handling [173]
o http2: enhance error messages on Curl_dyn* upon receiving headers [149]
o http2: fix stream assignemnt for pushes [302]
o http2: reset stream on response header error [175]
o HTTP3.md: only speak about minimal versions [18]
o http: convert parsers to strparse [48]
o http: fix NTLM info message typo [22]
o http: fix the auth check [88]
o http: make the RTSP version check stricter [73]
o http: negotiation and room for alt-svc/https rr to navigate [64]
o http: remove a HTTP method size restriction [241]
o http: version negotiation [45]
o http_chunks: replace a strofft call with curl_str_hex [138]
o https-rr: implementation improvements [44]
o httpsrr: fix port detection [51]
o httpsrr: fix the HTTPS-RR threaded-resolver build combo [67]
o INFRASTRUCTURE.md: add IRC and Matrix details [278]
o INSTALL-CMAKE.md: CMake usage updates [101]
o INSTALL-CMAKE.md: mention `ZLIB_USE_STATIC_LIBS` [112]
o lib1156: pass longs to `curl_easy_setopt()` [159]
o lib1560: test set path containing LR or CR [299]
o lib2302: fix crash due to stack overflow on MSVC and clang Windows [228]
o lib696: fix building on Windows in non-bundle mode [267]
o lib: better optimized casecompare() and ncasecompare() [3]
o lib: clear up CURLRES_ASYNCH vs USE_CURL_ASYNC use [215]
o lib: fix two curlx_strtoofft invokes [128]
o lib: rename curlx_strtoofft to Curl_str_numblanks() [218]
o lib: replace while(ISBLANK()) loops with Curl_str_passblanks() [148]
o lib: simplify more white space loops [60]
o lib: strtoofft.h header cleanup [17]
o lib: use Curl_str_* instead of strtok_r() [59]
o lib: use Curl_str_number() for parsing decimal numbers [13]
o libssh2: fix freeing of resources in disconnect [207]
o libssh2: fix memory leak in `SSH_SFTP_REALPATH` state [224]
o libssh2: fix to ignore `known_hosts` if SHA256 host public key is set [296]
o libssh2: print user with verbose flag [125]
o libssh2: show crypto backend in the verbose connect log [316]
o libssh: fix freeing of resources in disconnect [206]
o libssh: fix scp large file upload for 32-bit size_t systems [211]
o libtest/first.c: remove the Test: stderr output for unity builds [301]
o libtest/libprereq.c: set CURLOPT_FOLLOWLOCATION with a long [89]
o managen: accept more markdown-quote-markers [243]
o managen: correct the warning for un-escaped '<' and '>' [1]
o mbedtls: re-enable an error check [288]
o memdebug.h: avoid `-Wredundant-decls` with an extra guard [230]
o memdebug: drop dynamic allocation from `curl_dbg_log()` [285]
o mprintf: switch three number parsers to use strparse [221]
o mqtt: convert sendleftovers to dynbuf [262]
o msvc: drop support for VS2005 and older [96]
o multi: call protocol handler done() if PROTOCONNECT or later [238]
o multi: event based rework [74]
o multi: kill off remaining internal handles in curl_multi_cleanup [248]
o multi: start the loop over when handles are removed [129]
o multi_ev: fixes regarding connection shutdowns [284]
o ngtcp2: do not iterate over multi handles [194]
o ntlm: merge ntlm.h into ntlm.c [235]
o openssl-quic: do not iterate over multi handles [188]
o openssl: check return value of X509_get0_pubkey [105]
o openssl: drop support for old OpenSSL/LibreSSL versions [95]
o openssl: fix crash on missing cert password [271]
o openssl: fix pkcs11 URI checking for key files. [152]
o openssl: remove bad `goto`s into other scope [63]
o prox/preproxy.md: document argument within <brackets> [317]
o pytest: test negotiate with http proxy [83]
o quiche: do not iterate over multi handles [182]
o RELEASE-PROCEDURE.md: explain release candidates [161]
o request: clear sendbuf_hds_len when resetting request bufq [166]
o resolve: fix building without Unix sockets and `CURLDEBUG` [213]
o runtests: accept `CURL_DIRSUFFIX` without ending slash [133]
o runtests: add feature-based filtering [268]
o runtests: check and report if `diff` tool is missing [162]
o runtests: drop logic calling the `handle` tool (Windows) [263]
o runtests: drop recognizing 'winssl' as Schannel [102]
o runtests: drop ref to unused external function
o runtests: fix bundled test invocation with `-g` option [308]
o runtests: fix SSH server not starting in cases, re-ignore failing vcpkg CI jobs [225]
o runtests: fix test key format for libssh2 WinCNG (and others) [229]
o runtests: generate certs dynamically, bump to EC-256, tidy up [279]
o runtests: recognize AWS-LC as OpenSSL [103]
o runtests: rewrite `genserv.sh` in Perl [312]
o runtests: support multi-target cmake, drop workarounds from CI [116]
o runtests: support running tests under wine or qemu (cont.) [309]
o runtests: support running tests under wine or qemu [210]
o runtests: use `setfacl` on Cygwin/MSYS, if present [291]
o rustls: add ECH support w/ string ECH config [281]
o rustls: cap maximum allowed CRL file size to 8MB [196]
o rustls: support ECH GREASE
o rustls: use client cert and key if available
o schannel: deduplicate Windows Vista detection [98]
o schannel: enable ALPN support under WINE 6.0+ [92]
o schannel: enable ALPN with MinGW, fix ALPN for UWP builds [71]
o schannel: guard ALPN init code to ALPN builds [91]
o scripts/managen: fix option 'single' [31]
o scripts/managen: fix parsing of markdown code sections [30]
o scripts: update completion.pl to parse options from docs [266]
o sectransp: add support for HTTP/2 in gcc builds [200]
o sendf: client reader line conversion: do not change data->state.infilesize [244]
o setopt: illegal CURLOPT_SOCKS5_AUTH should return error [185]
o setopt: remove unnecessary void pointer typecasts [76]
o setopt: setting PROXYUSERPWD after PROXYUSERNAME/PASSWORD is fine [197]
o shutdowns: split shutdown handling from connection pool [156]
o socks: remove bad assert from do_SOCKS5() [216]
o src: avoid strdup on platforms not doing UTF-8 conversions [176]
o src: cleanup ISBLANK vs ISSPACE [195]
o src: remove Curl_ prefix from tool-specific function [205]
o src: remove final uses of Curl_ symbol prefixes in tool code [242]
o src: replace strto[u][ld] with curlx_str_ parsers [222]
o ssh: consider sftp quote commands case sensitive [33]
o sshserver.pl: adjust `AuthorizedKeysFile2` cutoff version [204]
o sshserver.pl: use Perl `chmod` [311]
o sshserver: fix excluding obsolete client config lines [212]
o ssl session cache: add exportable flag [56]
o SSLCERTS: list support for SSL_CERT_FILE and SSL_CERT_DIR [265]
o strparse: make Curl_str_number() return error for no digits [14]
o strparse: switch the API to work on 'const char *' [2]
o strparse: switch to curl_off_t as base data type [7]
o test1022: add support for rc releases [144]
o test1167: catch #defines with extra whitespace [140]
o test313: disable CRL test for Schannel due to lack of support and flakiness [310]
o test313: disable via `<features>` for backends without CRL support [303]
o test489: set output dir [186]
o test612: SCP `rm` the uploaded remote file (not the local source), unignore in CI [297]
o test613: make it pass on Windows, fix postprocess, unignore in CI [290]
o test615: fix for Cygwin, unignore in CI [276]
o tests/certs: cleanup [151]
o tests/server: drop unused `base64.pl` [258]
o tests/server: fix to check against winsock2 error codes on Windows [168]
o tests/server: give global `path` variable a more descriptive name [255]
o tests/server: make the signal handler signal-safe [269]
o tests/server: replace `errno` with `SOCKERRNO` in sockfilt, socksd, sws [183]
o tests/server: replace `strerror` with `sstrerror` in socksd
o tests/server: support bundle binary [217]
o tests/server: sync `wait_ms()` with the libcurl implementation [226]
o tests/server: use `curlx_str_numblanks()` to avoid `errno` [250]
o tests/servers.pm: remove unused variable 'portrange' [227]
o tests: build non-debug unit tests with autotools, run them [287]
o tests: fix comment in lib533 [121]
o tests: fix enum/int confusion, fix autotools `CFLAGS` for `servers` [27]
o tests: make sure 'commands.log' is generated in the correct logdir [172]
o tests: mark tests 1631, 1632 flaky [157]
o tests: reformat error messages to avoid tripping MSBuild [201]
o tests: remove base64 encoded sections [260]
o tests: Remove unused variables [245]
o tests: replace remaining non-ASCII bytes with hex markup [283]
o tftpd: prefix TFTP protocol error `E*` constants with `TFTP_` [189]
o tidy-up: align MSYS2/Cygwin codepaths, follow Cygwin `MAX_PID` bump [97]
o tidy-up: delete, comment or scope C macros reported unused [16]
o tidy-up: drop unused `CURL_INADDR_NONE` macro and `in_addr_t` type [26]
o tidy-up: use `CURL_ARRAYSIZE()` [37]
o timediff: fix comment for curlx_mstotv() [25]
o timediff: remove unnecessary double typecast [53]
o tool_dirhie: create dir hierarchy without strtok [169]
o tool_getparam: clear sensitive arguments better [66]
o tool_getparam: do parse_upload_flags without the alloc/free [181]
o tool_getparam: parse --trace-config without strdup()/free() [178]
o tool_getparam: parse_header() without strtok [165]
o tool_operate: change "1 retries" to "1 retry" [145]
o tool_operate: fail SSH transfers without server auth [70]
o tool_operate: fix pluralization of seconds [273]
o tool_operate: remove unnecessary (long) typecasts [141]
o tool_paramhlp: do --proto parsing without strtok [170]
o tool_parsecfg: make my_get_line skip comments and newlines [130]
o tool_setopt: reduce use of "code hiding" macros [203]
o url: call protocol handler's disconnect in Curl_conn_free [193]
o urlapi: fix redirect from file:// with query, and simplify [136]
o urlapi: remove percent encoded dot sequences from the URL path [252]
o urlapi: simplify junkscan [23]
o urldata: remove 'hostname' from struct Curl_async [131]
o variable.md: clarify 'trim' example [12]
o vquic: obey IOV_MAX [275]
o vtls: fix compiler warnings seen with gcc 7.3.0 and mbedTLS [187]
o winbuild: reduce command-line length by dropping whitespace [117]
o windows: do not use winsock2 `inet_ntop()`/`inet_pton()` [202]
o windows: drop code and curl manifest targeting W2K and older [115]
o windows: fix issues detected by clang-tidy, and some more [286]
o wolfssh: fix freeing of resources in disconnect [184]
o wolfssh: retrieve the error using wolfSSH_get_error [5]
o wolfssl: fix CA certificate multiple location import [34]
o wolfssl: fix unused variable warning [190]
o wolfssl: warn if CA native import option is ignored [65]
o wolfssl: when using PQ KEM, use ML-KEM, not Kyber [10]
o ws: corrected curlws_cont to reflect its documented purpose [120]
o ws: fix and extend CURLWS_CONT handling [256]
o zlib: bump minimum to 1.2.5.2 (was: 1.2.0.4) [179]
This release includes the following known bugs:
See https://curl.se/docs/knownbugs.html
For all changes ever done in curl:
See https://curl.se/changes.html
Planned upcoming removals include:
o Support for the msh3 HTTP/3 backend
o The winbuild build system
o TLS libraries not supporting TLS 1.3
See https://curl.se/dev/deprecate.html
This release would not have looked like this without help, code, reports and
advice from friends like these:
Abhinav Singhal, Anthony Hu, Aquila Macedo, Austin Moore, Ben Bodenmiller,
Brian Inglis, Calvin Ruocco, Carlos Henrique Lima Melara, Catena cyber,
Christian Schmitz, Dan Fandrich, Daniel McCarney, Daniel Stenberg,
Dave Nicolson, Demi Marie Obenour, dependabot[bot], Derek Huang,
Dexter Gerig, Ethan Wilkes, Gabriel Marin, Harry Sintonen, Jan Macku,
Jeremy Drake, John Bampton, Joseph Chen, Justin Steventon, Kai Pastor,
kayrus on github, kpcyrd on github, kriztalz, Lars Karlitski,
Laurențiu Nicola, lf- on github, Marcel Raad, Marius Albrecht, Mark Phillips,
Martxel, Michał Antoniak, Ondřej Hlavatý, Orgad Shaneh, Pavel Kropachev,
Peng-Yu Chen, Peter Kokot, Philippe Antoine, qhill on github, Ray Satiro,
renovate[bot], Rinku Das, rmg-x on github, Roman Zharkov, Ronald Crane,
RubisetCie on github, saimen, Samuel Dionne-Riel, Samuel Henrique,
Scott Talbert, Sergey, Stefan Eissing, stevenpackardblp on github,
Tatsuhiro Tsujikawa, Teh Kok How, Tianyi Song, Timo Tijhof, tiymat,
Viktor Szakats, Vulpes Vulpes, Weng Xuetian, Yedaya Katsman, Zenju on github,
Zhang Wen, Zhaoming Luo
(71 contributors)
References to bug reports and discussions on issues:
[1] = https://curl.se/bug/?i=16315
[2] = https://curl.se/bug/?i=16316
[3] = https://curl.se/bug/?i=16311
[4] = https://curl.se/bug/?i=16334
[5] = https://curl.se/bug/?i=16335
[6] = https://curl.se/bug/?i=16323
[7] = https://curl.se/bug/?i=16336
[8] = https://curl.se/bug/?i=16338
[9] = https://curl.se/bug/?i=16339
[10] = https://curl.se/bug/?i=16337
[11] = https://curl.se/bug/?i=16400
[12] = https://curl.se/bug/?i=16346
[13] = https://curl.se/bug/?i=16319
[14] = https://curl.se/bug/?i=16319
[15] = https://curl.se/bug/?i=16327
[16] = https://curl.se/bug/?i=16279
[17] = https://curl.se/bug/?i=16331
[18] = https://curl.se/bug/?i=16320
[19] = https://curl.se/bug/?i=16325
[20] = https://curl.se/bug/?i=16321
[21] = https://curl.se/bug/?i=16241
[22] = https://curl.se/bug/?i=16305
[23] = https://curl.se/bug/?i=16307
[24] = https://curl.se/bug/?i=16306
[25] = https://curl.se/bug/?i=16310
[26] = https://curl.se/bug/?i=16318
[27] = https://curl.se/bug/?i=16314
[28] = https://curl.se/bug/?i=16313
[29] = https://curl.se/bug/?i=16274
[30] = https://curl.se/bug/?i=16345
[31] = https://curl.se/bug/?i=16344
[32] = https://curl.se/bug/?i=16354
[33] = https://curl.se/bug/?i=16382
[34] = https://curl.se/bug/?i=16391
[35] = https://curl.se/bug/?i=16349
[36] = https://curl.se/bug/?i=16347
[37] = https://curl.se/bug/?i=16381
[38] = https://curl.se/bug/?i=16238
[39] = https://curl.se/bug/?i=16287
[40] = https://curl.se/bug/?i=16340
[41] = https://curl.se/bug/?i=16324
[42] = https://curl.se/bug/?i=15841
[43] = https://curl.se/bug/?i=16342
[44] = https://curl.se/bug/?i=16132
[45] = https://curl.se/bug/?i=16100
[46] = https://curl.se/bug/?i=16375
[47] = https://curl.se/bug/?i=16357
[48] = https://curl.se/bug/?i=16436
[49] = https://curl.se/bug/?i=16352
[50] = https://curl.se/bug/?i=16167
[51] = https://curl.se/bug/?i=16409
[52] = https://curl.se/bug/?i=16443
[53] = https://curl.se/bug/?i=16367
[54] = https://curl.se/bug/?i=16384
[55] = https://curl.se/bug/?i=16366
[56] = https://curl.se/bug/?i=16322
[57] = https://curl.se/bug/?i=16351
[58] = https://curl.se/bug/?i=16362
[59] = https://curl.se/bug/?i=16360
[60] = https://curl.se/bug/?i=16363
[61] = https://curl.se/bug/?i=16280
[62] = https://curl.se/bug/?i=16252
[63] = https://curl.se/bug/?i=16356
[64] = https://curl.se/bug/?i=16117
[65] = https://curl.se/bug/?i=16417
[66] = https://curl.se/bug/?i=16396
[67] = https://curl.se/bug/?i=16399
[68] = https://curl.se/bug/?i=16398
[69] = https://curl.se/bug/?i=16441
[70] = https://curl.se/bug/?i=16205
[71] = https://curl.se/bug/?i=16385
[72] = https://curl.se/bug/?i=16373
[73] = https://curl.se/bug/?i=16435
[74] = https://curl.se/bug/?i=16308
[75] = https://curl.se/bug/?i=16555
[76] = https://curl.se/bug/?i=16426
[77] = https://curl.se/bug/?i=16434
[78] = https://curl.se/bug/?i=16330
[79] = https://curl.se/bug/?i=15956
[80] = https://curl.se/bug/?i=16423
[81] = https://curl.se/bug/?i=16427
[82] = https://curl.se/bug/?i=16494
[83] = https://curl.se/bug/?i=14973
[84] = https://curl.se/bug/?i=16482
[85] = https://curl.se/bug/?i=16407
[86] = https://curl.se/bug/?i=16377
[87] = https://curl.se/bug/?i=15975
[88] = https://curl.se/bug/?i=16419
[89] = https://curl.se/bug/?i=16487
[90] = https://curl.se/bug/?i=16488
[91] = https://curl.se/bug/?i=16420
[92] = https://curl.se/bug/?i=16393
[93] = https://curl.se/bug/?i=16277
[94] = https://curl.se/bug/?i=16134
[95] = https://curl.se/bug/?i=16104
[96] = https://curl.se/bug/?i=16004
[97] = https://curl.se/bug/?i=16217
[98] = https://curl.se/bug/?i=16408
[99] = https://curl.se/bug/?i=16478
[100] = https://curl.se/bug/?i=16464
[101] = https://curl.se/bug/?i=16329
[102] = https://curl.se/bug/?i=16467
[103] = https://curl.se/bug/?i=16466
[104] = https://curl.se/bug/?i=16099
[105] = https://curl.se/bug/?i=16468
[106] = https://curl.se/bug/?i=16459
[107] = https://curl.se/bug/?i=16460
[108] = https://curl.se/bug/?i=16461
[109] = https://curl.se/bug/?i=16462
[110] = https://curl.se/bug/?i=16524
[111] = https://curl.se/bug/?i=16446
[112] = https://curl.se/bug/?i=16457
[113] = https://curl.se/bug/?i=16456
[114] = https://curl.se/bug/?i=16455
[115] = https://curl.se/bug/?i=16453
[116] = https://curl.se/bug/?i=16452
[117] = https://curl.se/bug/?i=16508
[118] = https://curl.se/bug/?i=16527
[119] = https://curl.se/bug/?i=16448
[120] = https://curl.se/bug/?i=16512
[121] = https://curl.se/bug/?i=16523
[122] = https://curl.se/bug/?i=16249
[123] = https://curl.se/bug/?i=16516
[124] = https://curl.se/bug/?i=15970
[125] = https://curl.se/bug/?i=16430
[126] = https://curl.se/bug/?i=16513
[127] = https://curl.se/bug/?i=16515
[128] = https://curl.se/bug/?i=16548
[129] = https://curl.se/bug/?i=16588
[130] = https://curl.se/bug/?i=16590
[131] = https://curl.se/bug/?i=16451
[132] = https://curl.se/bug/?i=16550
[133] = https://curl.se/bug/?i=16506
[134] = https://curl.se/bug/?i=16522
[135] = https://curl.se/bug/?i=16538
[136] = https://curl.se/bug/?i=16498
[137] = https://curl.se/bug/?i=16476
[138] = https://curl.se/bug/?i=16546
[139] = https://curl.se/bug/?i=16542
[140] = https://curl.se/bug/?i=16496
[141] = https://curl.se/bug/?i=16540
[142] = https://curl.se/bug/?i=16491
[143] = https://curl.se/bug/?i=16492
[144] = https://curl.se/bug/?i=16626
[145] = https://curl.se/bug/?i=16586
[146] = https://curl.se/bug/?i=16539
[147] = https://curl.se/bug/?i=16473
[148] = https://curl.se/bug/?i=16520
[149] = https://curl.se/bug/?i=16536
[150] = https://curl.se/bug/?i=16477
[151] = https://curl.se/bug/?i=16593
[152] = https://curl.se/bug/?i=16591
[153] = https://curl.se/bug/?i=16594
[154] = https://curl.se/bug/?i=16625
[155] = https://curl.se/bug/?i=16585
[156] = https://curl.se/bug/?i=16508
[157] = https://curl.se/bug/?i=16584
[158] = https://curl.se/bug/?i=16669
[159] = https://curl.se/bug/?i=16579
[160] = https://curl.se/bug/?i=16580
[161] = https://curl.se/bug/?i=16622
[162] = https://curl.se/bug/?i=16578
[163] = https://curl.se/bug/?i=16620
[164] = https://curl.se/bug/?i=16553
[165] = https://curl.se/bug/?i=16572
[166] = https://curl.se/bug/?i=16573
[167] = https://curl.se/bug/?i=16557
[168] = https://curl.se/bug/?i=16553
[169] = https://curl.se/bug/?i=16566
[170] = https://curl.se/bug/?i=16567
[171] = https://curl.se/bug/?i=16569
[172] = https://curl.se/bug/?i=16568
[173] = https://curl.se/bug/?i=16544
[174] = https://curl.se/bug/?i=16544
[175] = https://curl.se/bug/?i=16535
[176] = https://curl.se/bug/?i=16560
[177] = https://curl.se/bug/?i=16565
[178] = https://curl.se/bug/?i=16559
[179] = https://curl.se/bug/?i=16616
[180] = https://curl.se/bug/?i=16563
[181] = https://curl.se/bug/?i=16552
[182] = https://curl.se/bug/?i=16607
[183] = https://curl.se/bug/?i=16553
[184] = https://curl.se/bug/?i=16668
[185] = https://issues.oss-fuzz.com/issues/401430844
[186] = https://curl.se/bug/?i=16670
[187] = https://curl.se/bug/?i=16614
[188] = https://curl.se/bug/?i=16611
[189] = https://curl.se/bug/?i=16666
[190] = https://curl.se/bug/?i=16608
[191] = https://curl.se/bug/?i=16610
[192] = https://curl.se/bug/?i=16479
[193] = https://curl.se/bug/?i=16604
[194] = https://curl.se/bug/?i=16606
[195] = https://curl.se/bug/?i=16589
[196] = https://curl.se/bug/?i=16716
[197] = https://curl.se/bug/?i=16599
[198] = https://curl.se/bug/?i=16598
[199] = https://curl.se/bug/?i=16710
[200] = https://curl.se/bug/?i=16581
[201] = https://curl.se/bug/?i=16583
[202] = https://curl.se/bug/?i=16577
[203] = https://curl.se/bug/?i=16709
[204] = https://curl.se/bug/?i=16787
[205] = https://curl.se/bug/?i=16657
[206] = https://curl.se/bug/?i=16659
[207] = https://curl.se/bug/?i=16656
[208] = https://curl.se/bug/?i=16142
[209] = https://curl.se/bug/?i=16660
[210] = https://curl.se/bug/?i=16785
[211] = https://curl.se/bug/?i=16641
[212] = https://curl.se/bug/?i=16784
[213] = https://curl.se/bug/?i=16700
[214] = https://curl.se/bug/?i=16649
[215] = https://curl.se/bug/?i=16645
[216] = https://issues.oss-fuzz.com/issues/401869346
[217] = https://curl.se/bug/?i=15000
[218] = https://curl.se/bug/?i=16642
[219] = https://curl.se/bug/?i=16644
[220] = https://curl.se/bug/?i=16646
[221] = https://curl.se/bug/?i=16628
[222] = https://curl.se/bug/?i=16634
[223] = https://curl.se/bug/?i=16861
[224] = https://curl.se/bug/?i=16636
[225] = https://curl.se/bug/?i=16636
[226] = https://curl.se/bug/?i=16627
[227] = https://curl.se/bug/?i=16632
[228] = https://curl.se/bug/?i=16630
[229] = https://curl.se/bug/?i=16781
[230] = https://curl.se/bug/?i=16696
[231] = https://curl.se/bug/?i=16695
[232] = https://curl.se/bug/?i=16797
[233] = https://curl.se/bug/?i=16553
[234] = https://curl.se/bug/?i=16691
[235] = https://curl.se/bug/?i=16690
[236] = https://curl.se/bug/?i=16689
[237] = https://curl.se/bug/?i=16733
[238] = https://curl.se/bug/?i=16681
[239] = https://curl.se/bug/?i=16779
[240] = https://curl.se/bug/?i=16726
[241] = https://curl.se/bug/?i=16729
[242] = https://curl.se/bug/?i=16678
[243] = https://curl.se/bug/?i=16685
[244] = https://issues.oss-fuzz.com/issues/402476456
[245] = https://curl.se/bug/?i=16798
[246] = https://curl.se/bug/?i=16786
[247] = https://curl.se/bug/?i=16653
[248] = https://curl.se/bug/?i=16674
[249] = https://curl.se/bug/?i=16673
[250] = https://curl.se/bug/?i=16671
[251] = https://curl.se/bug/?i=16720
[252] = https://curl.se/bug/?i=16869
[253] = https://curl.se/bug/?i=16723
[254] = https://curl.se/bug/?i=16705
[255] = https://curl.se/bug/?i=16719
[256] = https://curl.se/bug/?i=16687
[257] = https://curl.se/bug/?i=16712
[258] = https://curl.se/bug/?i=16713
[259] = https://curl.se/bug/?i=16774
[260] = https://curl.se/bug/?i=16816
[261] = https://curl.se/bug/?i=16833
[262] = https://curl.se/bug/?i=16823
[263] = https://curl.se/bug/?i=16484
[264] = https://curl.se/bug/?i=16759
[265] = https://curl.se/bug/?i=16762
[266] = https://curl.se/bug/?i=16072
[267] = https://curl.se/bug/?i=16753
[268] = https://curl.se/bug/?i=16533
[269] = https://curl.se/bug/?i=16852
[270] = https://curl.se/bug/?i=16879
[271] = https://curl.se/bug/?i=16806
[272] = https://curl.se/bug/?i=16743
[273] = https://curl.se/bug/?i=16751
[275] = https://curl.se/bug/?i=16846
[276] = https://curl.se/bug/?i=16818
[278] = https://curl.se/bug/?i=16809
[279] = https://curl.se/bug/?i=16824
[280] = https://curl.se/bug/?i=16828
[281] = https://curl.se/bug/?i=16828
[282] = https://curl.se/bug/?i=16828
[283] = https://curl.se/bug/?i=16837
[284] = https://curl.se/bug/?i=16782
[285] = https://curl.se/bug/?i=16745
[286] = https://curl.se/bug/?i=16777
[287] = https://curl.se/bug/?i=16771
[288] = https://curl.se/bug/?i=16766
[289] = https://curl.se/bug/?i=16756
[290] = https://curl.se/bug/?i=16791
[291] = https://curl.se/bug/?i=16437
[292] = https://curl.se/bug/?i=16836
[293] = https://curl.se/bug/?i=16793
[294] = https://curl.se/bug/?i=16792
[295] = https://curl.se/bug/?i=16725
[296] = https://curl.se/bug/?i=16805
[297] = https://curl.se/bug/?i=16801
[298] = https://curl.se/bug/?i=16835
[299] = https://curl.se/bug/?i=16875
[300] = https://curl.se/bug/?i=16873
[301] = https://curl.se/bug/?i=16872
[302] = https://curl.se/bug/?i=16881
[303] = https://curl.se/bug/?i=16865
[305] = https://curl.se/bug/?i=16867
[308] = https://curl.se/bug/?i=16893
[309] = https://curl.se/bug/?i=16863
[310] = https://curl.se/bug/?i=16862
[311] = https://curl.se/bug/?i=16859
[312] = https://curl.se/bug/?i=16858
[316] = https://curl.se/bug/?i=16790
[317] = https://curl.se/bug/?i=16883

19
curl/dep/brotli/LICENSE.txt
Unescape Просмотреть файл

@ -0,0 +1,19 @@
Copyright (c) 2009, 2010, 2013-2016 by the Brotli Authors.
Permission is hereby granted, free of charge, to any person obtaining a copy
of this software and associated documentation files (the "Software"), to deal
in the Software without restriction, including without limitation the rights
to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
copies of the Software, and to permit persons to whom the Software is
furnished to do so, subject to the following conditions:
The above copyright notice and this permission notice shall be included in
all copies or substantial portions of the Software.
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
THE SOFTWARE.

95
curl/dep/brotli/README.md
Unescape Просмотреть файл

@ -0,0 +1,95 @@
<p align="center">
<img src="https://github.com/google/brotli/actions/workflows/build_test.yml/badge.svg" alt="GitHub Actions Build Status" href="https://github.com/google/brotli/actions?query=branch%3Amaster">
<img src="https://oss-fuzz-build-logs.storage.googleapis.com/badges/brotli.svg" alt="Fuzzing Status" href="https://oss-fuzz-build-logs.storage.googleapis.com/index.html#brotli">
</p>
<p align="center"><img src="https://brotli.org/brotli.svg" alt="Brotli" width="64"></p>
### Introduction
Brotli is a generic-purpose lossless compression algorithm that compresses data
using a combination of a modern variant of the LZ77 algorithm, Huffman coding
and 2nd order context modeling, with a compression ratio comparable to the best
currently available general-purpose compression methods. It is similar in speed
with deflate but offers more dense compression.
The specification of the Brotli Compressed Data Format is defined in [RFC 7932](https://tools.ietf.org/html/rfc7932).
Brotli is open-sourced under the MIT License, see the LICENSE file.
> **Please note:** brotli is a "stream" format; it does not contain
> meta-information, like checksums or uncompresssed data length. It is possible
> to modify "raw" ranges of the compressed stream and the decoder will not
> notice that.
### Build instructions
#### Vcpkg
You can download and install brotli using the [vcpkg](https://github.com/Microsoft/vcpkg/) dependency manager:
git clone https://github.com/Microsoft/vcpkg.git
cd vcpkg
./bootstrap-vcpkg.sh
./vcpkg integrate install
./vcpkg install brotli
The brotli port in vcpkg is kept up to date by Microsoft team members and community contributors. If the version is out of date, please [create an issue or pull request](https://github.com/Microsoft/vcpkg) on the vcpkg repository.
#### Bazel
See [Bazel](http://www.bazel.build/)
#### CMake
The basic commands to build and install brotli are:
$ mkdir out && cd out
$ cmake -DCMAKE_BUILD_TYPE=Release -DCMAKE_INSTALL_PREFIX=./installed ..
$ cmake --build . --config Release --target install
You can use other [CMake](https://cmake.org/) configuration.
#### Python
To install the latest release of the Python module, run the following:
$ pip install brotli
To install the tip-of-the-tree version, run:
$ pip install --upgrade git+https://github.com/google/brotli
See the [Python readme](python/README.md) for more details on installing
from source, development, and testing.
### Contributing
We glad to answer/library related questions in
[brotli mailing list](https://groups.google.com/forum/#!forum/brotli).
Regular issues / feature requests should be reported in
[issue tracker](https://github.com/google/brotli/issues).
For reporting vulnerability please read [SECURITY](SECURITY.md).
For contributing changes please read [CONTRIBUTING](CONTRIBUTING.md).
### Benchmarks
* [Squash Compression Benchmark](https://quixdb.github.io/squash-benchmark/) / [Unstable Squash Compression Benchmark](https://quixdb.github.io/squash-benchmark/unstable/)
* [Large Text Compression Benchmark](http://mattmahoney.net/dc/text.html)
* [Lzturbo Benchmark](https://sites.google.com/site/powturbo/home/benchmark)
### Related projects
> **Disclaimer:** Brotli authors take no responsibility for the third party projects mentioned in this section.
Independent [decoder](https://github.com/madler/brotli) implementation by Mark Adler, based entirely on format specification.
JavaScript port of brotli [decoder](https://github.com/devongovett/brotli.js). Could be used directly via `npm install brotli`
Hand ported [decoder / encoder](https://github.com/dominikhlbg/BrotliHaxe) in haxe by Dominik Homberger. Output source code: JavaScript, PHP, Python, Java and C#
7Zip [plugin](https://github.com/mcmilk/7-Zip-Zstd)
Dart [native bindings](https://github.com/thosakwe/brotli)
Dart compression framework with [fast FFI-based Brotli implementation](https://pub.dev/documentation/es_compression/latest/brotli/brotli-library.html) with ready-to-use prebuilt binaries for Win/Linux/Mac

2
curl/dep/cacert/LICENSE.url
Unescape Просмотреть файл

@ -0,0 +1,2 @@
[InternetShortcut]
URL=https://www.mozilla.org/media/MPL/2.0/index.txt

24
curl/dep/libpsl/AUTHORS.txt
Unescape Просмотреть файл

@ -0,0 +1,24 @@
Authors of and contributors to libpsl.
Thank you very much for spending your time !
Also many thanks for anyone who contributed ideas,
took part in discussions or 'just' asked questions.
Please drop me a note if you feel you should have
been mentioned here.
Tim Ruehsen (Implementation of libpsl)
Daniel Kahn Gillmor (Discussion, Ideas, Organization, Code)
Daniel Stenberg (Discussion, Ideas)
Darshit Shah (Patching Wget to work with libpsl)
Dagobert Michelsen (Fixed Solaris building)
Christopher Meng (Fedora building)
Jakub Čajka
Giuseppe Scrivano
Ryan Sleevi (Discussion, Requested DAFSA format and ICANN/PRIVATE support)
Daurnimator (Code review, discussion, reports)
Olle Liljenzin (Original DAFSA implementation and UTF-8 patch)
Claudio Saveedra (Add support for PSL_TYPE_NO_STAR_RULE)
Chun-wei Fan (Add NMake files)
Xavier Claessens (Add Meson build system)
Ignacio Casal Quinteiro (Improve Meson build)

19
curl/dep/libpsl/COPYING.txt
Unescape Просмотреть файл

@ -0,0 +1,19 @@
Copyright (C) 2014-2024 Tim Rühsen
Permission is hereby granted, free of charge, to any person obtaining a
copy of this software and associated documentation files (the "Software"),
to deal in the Software without restriction, including without limitation
the rights to use, copy, modify, merge, publish, distribute, sublicense,
and/or sell copies of the Software, and to permit persons to whom the
Software is furnished to do so, subject to the following conditions:
The above copyright notice and this permission notice shall be included in
all copies or substantial portions of the Software.
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER
DEALINGS IN THE SOFTWARE.

237
curl/dep/libpsl/NEWS.txt
Unescape Просмотреть файл

@ -0,0 +1,237 @@
Copyright (C) 2014-2024 Tim Rühsen
13.01.2024 Release V0.21.5
* Fix version.txt
13.01.2024 Release V0.21.4
* Fix meson build (missing ICONV_CONST in config.h)
13.01.2024 Release V0.21.3
* Improved build with meson
* Fixed and improved build on Windows
* Improved build instructions
* Install psl-make-dafsa
26.12.2022 Release V0.21.2
* Increased internal label size
* Meson build improvements (needs meson >= 0.60.0)
* Autoconf build improvements
* Add instructions on how to build from tarball
* Add WSAStartup() for Windows psl tool and tests
* Bump gettext version to 0.19.3
* Fix stack buffer overflow WRITE 1 in domain_to_punycode()
(Relevant only when built without any IDNA library.)
* Fix undefined behavior in library code
* Ensures that calls to fopen() and stat() can handle largefiles
* Several minor (non-functional) changes
18.07.2020 Release V0.21.1
* Fixing a test due to recent changes in upstream PSL
* Meson build improvements
* Documentation cleanups
* Use semantic versioning for git tags
16.04.2019 Release V0.21.0
* Add -b/--batch to 'psl' to suppress printing the domain
* Add support for Meson build system
* Improve build system
* Improve Windows compatibility
* Remove NLS / gettext
* Several cleanups and cosmetics
26.04.2018 Release V0.20.2
* Fix non srcdir builds
* Add API decoration
* Fix for MSVC/Win32 builds
* Detection fallback from libidn2 to libcu, libidn
* Fix MinGW cross builds on Linux
* Add NMake Makefiles for Visual Studio builds
26.02.2018 Release V0.20.1
* Fix issue introduced with PSL_TYPE_NO_STAR_RULE in V0.20.0
* Fix SO_VERSION to 8:0:3
* Improve unit tests
22.02.2018 Release V0.20.0
* Remove hard-coded gcc flag in Makefile.am
* Prevent excessive CPU cycles on large inputs
* New flag PSL_TYPE_NO_STAR_RULE to skip star rule
09.11.2017 Release V0.19.1
* Add the forgotten commit with NEWS and configure.ac
09.11.2017 Release V0.19.0
* New function psl_free_string()
* psl_make_dafsa now works with python2 and python3
* psl_*count() functions now return -1 if info is not available
* Fixed unsigned integer overflow in _mem_is_ascii()
* Add -fsanitize-address-use-after-scope to --enable-asan if available
20.07.2017 Release V0.18.0
* Fix order of files in psl_latest()
* Add fuzzing architecture
* Fix memleak in _psl_is_public_suffix()
* Add configure option --enable-asan (Address sanitizer)
* Add configure option --enable-usan (Undefined sanitizer)
* Add configure option --enable-cfi (Control Flow Integrity)
* Fix finding libidn2 for static builds
* Fix use of uninitialized stack value
* Fix buffer overflow in libicu build
* Use libidn2 as default for builds (former libicu)
* Add pkg-config support for libidn and libidn2
16.01.2017 Release V0.17.0
* Use TR46 non-transitional for IDNA (libicu, libidn2 >= 0.14)
* Fix coverage upload from TravisCI to Coveralls
* New tests to cover psl_latest() and psl_dist_filename()
15.12.2016 Release V0.16.1
* Fix SO_VERSION to 6:0:1
* Add --use-latest-psl to tools/psl as default
16.12.2016 Release V0.16.0
* Add functions psl_latest() and psl_dist_filename()
* Do not taint out variable on error in psl_str_to_utf8lower()
* Replace psl2c by psl-make-dafsa
* Add missing includes for OpenBSD
* Fix typos
* Update copyright year
14.11.2016 Release V0.15.0
* Python3 compatibility for psl-make-dafsa
* Support for UTF-8 in DAFSA data
* Skip punycode conversion if DAFSA has UTF-8
* Better code coverage by test suite
* Code cleanup and enhancements
* Install man pages for psl-make-dafsa and psl
* Enhancements to the documentation
30.07.2016 Release V0.14.0
* Remove unneeded libraries from tools/psl link step
* Use https instead of http where possible
* Add man page for tools/psl
* Add header magic to DAFSA files
* Rename make_dafsa.py to psl-make-dafsa
* Add man page for psl-make-dafsa
02.03.2016 Release V0.13.0
* Use tests.txt as PSL test file by default
* Slightly shorter DAFSA array when sorting input
* Check for python 2.7+ in configure.ac
* Fix python3 incompatibilities in make_dafsa.py
02.01.2016 Release V0.12.0
* Load DAFSA binaries via psl_load_file() via auto-detection
* Add more tests
* Remove psl_builtin_compile_time()
* Compile PSL into DAFSA using make_dafsa.py
* Avoid libicu dependency with --enable-runtime=no
* Test on new Travis-CI build farm
* Use DAFSA format for builtin PSL data
* Add function psl_is_public_suffix2()
* Fix psl_builtin_outdated()
* Fix several bugs
* Cleanup code
23.09.2015 Release V0.11.0
* Add new function psl_check_version_number()
* Add version defines to include file
19.09.2015 Release V0.10.0
* Code simplified
* Less data entries, faster lookups
* Add new function psl_suffix_wildcard_count()
* Add new helper function psl_builtin_outdated()
15.09.2015 Release V0.9.0
* Added semantic checks to PSL entries when generating built-in data
* Fix test suite for TLD exceptions (not used yet in reality)
* Removed wrong assumption from test suite
* Support explicit combination of 'foo.bar' and '*.foo.bar'
14.08.2015 Release V0.8.1
* Fix documentation
* Add syntax checking of tests_psl.txt
06.08.2015 Release V0.8.0
* Add https://github.com/publicsuffix as git submodule
* Support Debian 'Reproducible Builds'
* Fix generation of docs
* Check UTF-8 sequences for validity (for libidn<=1.30)
* Add LICENSE to distribution tarball
* Fix compatibility function strndup
21.02.2015 Release V0.7.1
* include configured PSL file into tarball
30.01.2015 Release V0.7.0
* include effective_tld_names.dat of date 29.12.2014
* do not install docs when gtk-doc is not installed
* fix several compatibility issues with Solaris
* fix 'make distcheck' after 'make clean'
* mark API as stable
* use pkg-config to detect libicu
14.11.2014 Release V0.6.2
* revoked commit from 0.6.1 to satisfy Travis-CI
14.11.2014 Release V0.6.1
* include effective_tld_names.dat of date 04.11.2014
* fix pkg-config configuration
28.10.2014 Release V0.6.0
* added support for IP addresses in psl_is_cookie_domain_acceptable()
* removed qsort_r() for compatibility
* check for alloca.h before including
* include effective_tld_names.dat of date 27.10.2014
03.08.2014 Release V0.5.1
* fix ASCII check for architectures where char <> signed char
02.07.2014 Release V0.5.0
* added configure --enable-runtime to allow for IDNA library
selection as runtime dependency
* added configure --enable-builtin to allow for IDNA library
selection for generating the built-in PSL data
* fixed psl_str_to_utf8lower prototype
* fixed authors name to UTF-8
23.06.2014 Release V0.4.0
* depend on libicu for punycode, utf-8 and lowercase conversions
* added function psl_str_to_utf8lower()
* fixed locale issues
* introducing psl_error_t for error codes + defines
* removed redundant code from psl2c.c
* updated docs
* psl utility reads from stdin if no argument specified
10.06.2014 Release V0.3.1
* link psl utility dynamically
* fix output of psl_filename()
* cleanup for psl --help
* removed check for idn2 in autogen.sh
05.06.2014 Release V0.3.0
* added support for libicu in psl2c (IDNA2008 UTS#46)
this needs pkg-config and libicu-dev installed
* added --version to psl utility
31.05.2014 Release V0.2.5
* added psl_get_version()
* removed version from library name
30.05.2014 Release V0.2.4
* fixed psl_builtin() to return NULL if no built-in PSL data is available
27.05.2014 Release V0.2.3
* changed API version to 0.2
26.05.2014 Release V0.2.2
* changed code to C89
* added a few test cases
* build static library by default
25.04.2014 Hotfix release V0.2.1
* updated to the latest Publix Suffix List
25.04.2014 Initial release V0.2

133
curl/dep/libressl/COPYING.txt
Unescape Просмотреть файл

@ -0,0 +1,133 @@
LibReSSL files are retained under the copyright of the authors. New
additions are ISC licensed as per OpenBSD's normal licensing policy,
or are placed in the public domain.
The OpenSSL code is distributed under the terms of the original OpenSSL
licenses which follow:
LICENSE ISSUES
==============
The OpenSSL toolkit stays under a dual license, i.e. both the conditions of
the OpenSSL License and the original SSLeay license apply to the toolkit.
See below for the actual license texts. In case of any license issues
related to OpenSSL please contact openssl-core@openssl.org.
OpenSSL License
---------------
/* ====================================================================
* Copyright (c) 1998-2011 The OpenSSL Project. All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
*
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
*
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in
* the documentation and/or other materials provided with the
* distribution.
*
* 3. All advertising materials mentioning features or use of this
* software must display the following acknowledgment:
* "This product includes software developed by the OpenSSL Project
* for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
*
* 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
* endorse or promote products derived from this software without
* prior written permission. For written permission, please contact
* openssl-core@openssl.org.
*
* 5. Products derived from this software may not be called "OpenSSL"
* nor may "OpenSSL" appear in their names without prior written
* permission of the OpenSSL Project.
*
* 6. Redistributions of any form whatsoever must retain the following
* acknowledgment:
* "This product includes software developed by the OpenSSL Project
* for use in the OpenSSL Toolkit (http://www.openssl.org/)"
*
* THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
* EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
* PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
* ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
* SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
* NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
* LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
* STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
* ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
* OF THE POSSIBILITY OF SUCH DAMAGE.
* ====================================================================
*
* This product includes cryptographic software written by Eric Young
* (eay@cryptsoft.com). This product includes software written by Tim
* Hudson (tjh@cryptsoft.com).
*
*/
Original SSLeay License
-----------------------
/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
* All rights reserved.
*
* This package is an SSL implementation written
* by Eric Young (eay@cryptsoft.com).
* The implementation was written so as to conform with Netscapes SSL.
*
* This library is free for commercial and non-commercial use as long as
* the following conditions are aheared to. The following conditions
* apply to all code found in this distribution, be it the RC4, RSA,
* lhash, DES, etc., code; not just the SSL code. The SSL documentation
* included with this distribution is covered by the same copyright terms
* except that the holder is Tim Hudson (tjh@cryptsoft.com).
*
* Copyright remains Eric Young's, and as such any Copyright notices in
* the code are not to be removed.
* If this package is used in a product, Eric Young should be given attribution
* as the author of the parts of the library used.
* This can be in the form of a textual message at program startup or
* in documentation (online or textual) provided with the package.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
* 1. Redistributions of source code must retain the copyright
* notice, this list of conditions and the following disclaimer.
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
* 3. All advertising materials mentioning features or use of this software
* must display the following acknowledgement:
* "This product includes cryptographic software written by
* Eric Young (eay@cryptsoft.com)"
* The word 'cryptographic' can be left out if the rouines from the library
* being used are not cryptographic related :-).
* 4. If you include any Windows specific code (or a derivative thereof) from
* the apps directory (application code) you must include an acknowledgement:
* "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
*
* THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
* ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
* SUCH DAMAGE.
*
* The licence and distribution terms for any publically available version or
* derivative of this code cannot be changed. i.e. this code cannot simply be
* copied and put under another distribution licence
* [including the GNU Public Licence.]
*/

3239
curl/dep/libressl/ChangeLog.txt
Просмотреть файл

Разница между файлами не показана из-за своего большого размера Загрузить разницу

238
curl/dep/libressl/README.md
Unescape Просмотреть файл

@ -0,0 +1,238 @@
![LibreSSL image](https://www.libressl.org/images/libressl.jpg)
## Official portable version of [LibreSSL](https://www.libressl.org)
[![Linux Build Status](https://github.com/libressl/portable/actions/workflows/linux.yml/badge.svg)](https://github.com/libressl/portable/actions/workflows/linux.yml)
[![macOS Build Status](https://github.com/libressl/portable/actions/workflows/macos.yml/badge.svg)](https://github.com/libressl/portable/actions/workflows/macos.yml)
[![Windows Build Status](https://github.com/libressl/portable/actions/workflows/windows.yml/badge.svg)](https://github.com/libressl/portable/actions/workflows/windows.yml)
[![Android Build Status](https://github.com/libressl/portable/actions/workflows/android.yml/badge.svg)](https://github.com/libressl/portable/actions/workflows/android.yml)
[![Solaris Build Status](https://github.com/libressl/portable/actions/workflows/solaris.yml/badge.svg)](https://github.com/libressl/portable/actions/workflows/solaris.yml)
[![Fuzzing Status](https://oss-fuzz-build-logs.storage.googleapis.com/badges/libressl.svg)](https://bugs.chromium.org/p/oss-fuzz/issues/list?sort=-opened&can=1&q=proj:libressl)
LibreSSL is a fork of [OpenSSL](https://www.openssl.org) 1.0.1g developed by the
[OpenBSD](https://www.openbsd.org) project. Our goal is to modernize the codebase,
improve security, and apply best practice development processes from OpenBSD.
## Compatibility with OpenSSL
LibreSSL provides much of the OpenSSL 1.1 API. The OpenSSL 3 API is not currently
supported. Incompatibilities between the projects exist and are unavoidable since
both evolve with different goals and priorities. Important incompatibilities will
be addressed if possible and as long as they are not too detrimental to LibreSSL's
goals of simplicity, security and sanity. We do not add new features, ciphers and
API without a solid reason and require that new code be clean and of high quality.
LibreSSL is not ABI compatible with any release of OpenSSL, or necessarily
earlier releases of LibreSSL. You will need to relink your programs to
LibreSSL in order to use it, just as in moving between major versions of OpenSSL.
LibreSSL's installed library version numbers are incremented to account for
ABI and API changes.
## Compatibility with other operating systems
While primarily developed on and taking advantage of APIs available on OpenBSD,
the LibreSSL portable project attempts to provide working alternatives for
other operating systems, and assists with improving OS-native implementations
where possible.
At the time of this writing, LibreSSL is known to build and work on:
* Linux (kernel 3.17 or later recommended)
* FreeBSD (tested with 9.2 and later)
* NetBSD (7.0 or later recommended)
* HP-UX (11i)
* Solaris 11 and later
* Mac OS X (tested with 10.8 and later)
* AIX (5.3 and later)
* Emscripten (3.1.44 and later)
LibreSSL also supports the following Windows environments:
* Microsoft Windows (Windows 7 / Windows Server 2008r2 or later, x86 and x64)
* Wine (32-bit and 64-bit)
* MinGW-w64, Cygwin, and Visual Studio
Official release tarballs are available at your friendly neighborhood
OpenBSD mirror in directory
[LibreSSL](https://ftp.openbsd.org/pub/OpenBSD/LibreSSL/),
although we suggest that you use a [mirror](https://www.openbsd.org/ftp.html).
The LibreSSL portable build framework is also
[mirrored](https://github.com/libressl/portable) on GitHub.
Please report bugs either to the public libressl@openbsd.org mailing list,
or to the GitHub
[issue tracker](https://github.com/libressl/portable/issues)
Severe vulnerabilities or bugs requiring coordination with OpenSSL can be
sent to the core team at libressl-security@openbsd.org.
# Building LibreSSL
## Building from a Git checkout
If you have checked out this source using Git, or have downloaded a source
tarball from GitHub, follow these initial steps to prepare the source tree for
building. _Note: Your build will fail if you do not follow these instructions!
If you cannot follow these instructions or cannot meet these prerequisites,
please download an official release distribution from
https://ftp.openbsd.org/pub/OpenBSD/LibreSSL/ instead. Using official
releases is strongly advised if you are not a developer._
1. Ensure that you have a bash shell. This is also required on Windows.
2. Ensure that you have the following packages installed:
automake, autoconf, git, libtool, perl.
3. Run `./autogen.sh` to prepare the source tree for building.
## Build steps using configure
Once you have the source tree prepared, run these commands to build and install:
```sh
./configure # see ./configure --help for configuration options
make check # runs builtin unit tests
make install # set DESTDIR= to install to an alternate location
```
Alternatively, it is possible to run `./dist.sh` to prepare a tarball.
## Build steps using CMake
Once you have the source tree prepared, run these commands to build and install:
```sh
mkdir build
cd build
cmake ..
make
make test
```
For faster builds, you can use Ninja:
```sh
mkdir build-ninja
cd build-ninja
cmake -G"Ninja" ..
ninja
ninja test
```
Or another supported build system like Visual Studio:
```sh
mkdir build-vs2022
cd build-vs2022
cmake -G"Visual Studio 17 2022" ..
```
#### Additional CMake Options
| Option Name | Default | Description |
|-------------------------|--------:|-----------------------------------------------------------------------------------------------------------------|
| `LIBRESSL_SKIP_INSTALL` | `OFF` | allows skipping install() rules. Can be specified from command line using <br>```-DLIBRESSL_SKIP_INSTALL=ON``` |
| `LIBRESSL_APPS` | `ON` | allows skipping application builds. Apps are required to run tests |
| `LIBRESSL_TESTS` | `ON` | allows skipping of tests. Tests are only available in static builds |
| `BUILD_SHARED_LIBS` | `OFF` | CMake option for building shared libraries. |
| `ENABLE_ASM` | `ON` | builds assembly optimized rules. |
| `ENABLE_EXTRATESTS` | `OFF` | Enable extra tests that may be unreliable on some platforms |
| `ENABLE_NC` | `OFF` | Enable installing TLS-enabled nc(1) |
| `OPENSSLDIR` | Blank | Set the default openssl directory. Can be specified from command line using <br>```-DOPENSSLDIR=<dirname>``` |
## Build information for specific systems
### HP-UX (11i)
Set the UNIX_STD environment variable to `2003` before running `configure`
in order to build with the HP C/aC++ compiler. See the "standards(5)" man
page for more details.
```sh
export UNIX_STD=2003
./configure
make
```
### MinGW-w64 - Windows
LibreSSL builds against relatively recent versions of [MinGW-w64](https://www.mingw-w64.org/), not to be
confused with the original mingw.org project. MinGW-w64 3.2 or later
should work. See [README.mingw.md](README.mingw.md) for more information.
### Emscripten
When configuring LibreSSL for use with Emscripten, make sure to prepend
`emcmake` to your `cmake` configuration command. Once configured, you can
proceed with your usual `cmake` commands. For example:
```sh
emcmake cmake . -Bbuild
cmake --build build --config Release
ctest --test-dir build -C Release --output-on-failure
```
# Using LibreSSL
## CMake
Make a new folder in your project root (where your main `CMakeLists.txt` file is
located) called CMake. Copy the `FindLibreSSL.cmake` file to that folder, and
add the following line to your main `CMakeLists.txt`:
```cmake
set(CMAKE_MODULE_PATH "${CMAKE_CURRENT_SOURCE_DIR}/CMake;${CMAKE_MODULE_PATH}")
```
After your `add_executable` or `add_library` line in your `CMakeLists.txt` file
add the following:
```cmake
find_package(LibreSSL REQUIRED)
```
It will tell CMake to find LibreSSL and if found will let you use the following
3 interfaces in your `CMakeLists.txt` file:
* LibreSSL::Crypto
* LibreSSL::SSL
* LibreSSL::TLS
If you for example want to use the LibreSSL TLS library in your test program,
include it like so (SSL and Crypto are required by TLS and included
automatically too):
```cmake
target_link_libraries(test LibreSSL::TLS)
```
Full example:
```cmake
cmake_minimum_required(VERSION 3.10.0)
set(CMAKE_MODULE_PATH "${CMAKE_CURRENT_SOURCE_DIR}/CMake;${CMAKE_MODULE_PATH}")
project(test)
add_executable(test Main.cpp)
find_package(LibreSSL REQUIRED)
target_link_libraries(test LibreSSL::TLS)
```
#### Linux
Following the guide in the sections above to compile LibreSSL using make and
running `sudo make install` will install LibreSSL to the `/usr/local/` folder,
and will be found automatically by find_package. If your system installs it to
another location, or you have placed them yourself in a different location, you
can set the CMake variable `LIBRESSL_ROOT_DIR` to the correct path, to help
CMake find the library.
#### Windows
Placing the library files in `C:/Program Files/LibreSSL/lib` and the include
files in `C:/Program Files/LibreSSL/include` should let CMake find them
automatically, but it is recommended that you use CMake-GUI to set the paths.
It is more convenient as you can have the files in any folder you choose.

43
curl/dep/libssh2/COPYING.txt
Unescape Просмотреть файл

@ -0,0 +1,43 @@
/* Copyright (C) 2004-2007 Sara Golemon <sarag@libssh2.org>
* Copyright (C) 2005,2006 Mikhail Gusarov <dottedmag@dottedmag.net>
* Copyright (C) 2006-2007 The Written Word, Inc.
* Copyright (C) 2007 Eli Fant <elifantu@mail.ru>
* Copyright (C) 2009-2023 Daniel Stenberg
* Copyright (C) 2008, 2009 Simon Josefsson
* Copyright (C) 2000 Markus Friedl
* Copyright (C) 2015 Microsoft Corp.
* All rights reserved.
*
* Redistribution and use in source and binary forms,
* with or without modification, are permitted provided
* that the following conditions are met:
*
* Redistributions of source code must retain the above
* copyright notice, this list of conditions and the
* following disclaimer.
*
* Redistributions in binary form must reproduce the above
* copyright notice, this list of conditions and the following
* disclaimer in the documentation and/or other materials
* provided with the distribution.
*
* Neither the name of the copyright holder nor the names
* of any other contributors may be used to endorse or
* promote products derived from this software without
* specific prior written permission.
*
* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND
* CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES,
* INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
* OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
* ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR
* CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
* SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING,
* BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
* SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
* INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
* WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
* NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE
* USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY
* OF SUCH DAMAGE.
*/

10896
curl/dep/libssh2/NEWS.txt
Просмотреть файл

Разница между файлами не показана из-за своего большого размера Загрузить разницу

19
curl/dep/libssh2/README.txt
Unescape Просмотреть файл

@ -0,0 +1,19 @@
libssh2 - SSH2 library
======================
libssh2 is a library implementing the SSH2 protocol, available under
the revised BSD license.
Web site: https://libssh2.org/
Mailing list: https://lists.haxx.se/listinfo/libssh2-devel
License: see COPYING
Source code: https://github.com/libssh2/libssh2
Web site source code: https://github.com/libssh2/www
Installation instructions are in:
- docs/INSTALL_CMAKE for CMake
- docs/INSTALL_AUTOTOOLS for Autotools

325
curl/dep/libssh2/RELEASE-NOTES.txt
Unescape Просмотреть файл

@ -0,0 +1,325 @@
libssh2 1.11.1
Deprecation notices:
- Starting October 2024, the following algos go deprecated and will be
disabled in default builds (with an option to enable them):
- DSA: `ssh-dss` hostkeys.
You can enable it now with `-DLIBSSH2_DSA_ENABLE`.
Disabled by default in OpenSSH 7.0 (2015-08-11).
Support to be removed by early 2025 from OpenSSH.
- MD5-based MACs and hashes: `hmac-md5`, `hmac-md5-96`,
`LIBSSH2_HOSTKEY_HASH_MD5`
You can disable it now with `-DLIBSSH2_NO_MD5`.
Disabled by default since OpenSSH 7.2 (2016-02-29).
- 3DES cipher: `3des-cbc`
You can disable it now with `-DLIBSSH2_NO_3DES`.
Disabled by default since OpenSSH 7.4 (2016-12-19).
- RIPEMD-160 MACs: `hmac-ripemd160`, `hmac-ripemd160@openssh.com`
You can disable it now with `-DLIBSSH2_NO_HMAC_RIPEMD`.
Removed in OpenSSH 7.6 (2017-10-03).
- Blowfish cipher: `blowfish-cbc`
You can disable it now with `-DLIBSSH2_NO_BLOWFISH`.
Removed in OpenSSH 7.6 (2017-10-03).
- RC4 ciphers: `arcfour`, `arcfour128`
You can disable it now with `-DLIBSSH2_NO_RC4`.
Removed in OpenSSH 7.6 (2017-10-03).
- CAST cipher: `cast128-cbc`
You can disable it now with `-DLIBSSH2_NO_CAST`.
Removed in OpenSSH 7.6 (2017-10-03).
- Starting April 2025, above options will be deleted from the
libssh2 codebase.
- Default builds will also disable support for old-style, MD5-based
encrypted private keys.
You can disable it now with `-DLIBSSH2_NO_MD5_PEM`.
This release includes the following enhancements and bugfixes:
- autotools: fix to update `LDFLAGS` for each detected dependency (d19b6190 #1384 #1381 #1377)
- autotools: delete `--disable-tests` option, fix CI tests (e051ae34 #1271 #715 revert: 7483edfa)
- autotools: show the default for `hidden-symbols` option (a3f5594a #1269)
- autotools: enable `-Wunused-macros` with gcc (ecdf5199 #1262 #1227 #1224)
- autotools: fix dotless gcc and Apple clang version detections (89ccc83c #1232 #1187)
- autotools: show more clang/gcc version details (fb580161 #1230)
- autotools: avoid warnings in libtool stub code (96682bd5 #1227 #1224)
- autotools: sync warning enabler code with curl (5996fefe #1223)
- autotools: rename variable (ce5f208a #1222)
- autotools: picky warning options tidy-up (cdca8cff #1221)
- autotools: fix `cp` to preserve attributes and timestamp in `Makefile.am` (f64e6318)
- autotools: fix selecting WinCNG in cross-builds (and more) (00a3b88c #1187 #1186)
- autotools: use comma separator in `Requires.private` of `libssh2.pc` (7f83de14 #1124)
- autotools: remove `AB_INIT` from `configure.ac` (f4f52ccc)
- autotools: improve libz position (c89174a7 #1077 #941 #1075 #1013 regr: 4f0f4bff)
- autotools: skip tests requiring static lib if `--disable-static` (572c57c9 #1072 #663 #1056 regr: 83853f8a)
- build: stop detecting `sys/param.h` header (2677d3b0 #1418 #1415)
- build: silence warnings inside `FD_SET()`/`FD_ISSET()` macros (323a14b2 #1379)
- build: drop `-Wformat-nonliteral` warning suppressions (c452c5cc #1342)
- build: enable `-pedantic-errors` (3ec53f3e #1286)
- build: add mingw-w64 support to `LIBSSH2_PRINTF()` attribute (f8c45794 #1287)
- build: add `LIBSSH2_NO_DEPRECATED` option (b1414503 #1267 #1266 #1260 #1259)
- build: enable missing OpenSSF-recommended warnings, with fixes (afa6b865 #1257)
- build: enable more compiler warnings and fix them (7ecc309c #1224)
- build: picky warning updates (328a96b3 #1219)
- build: revert: respect autotools `DLL_EXPORT` in `libssh2.h` (481be044 #1141 #917 revert: fb1195cf)
- build: stop requiring libssl from openssl (c84745e3 #1128)
- build: tidy-up `libssh2.pc.in` variable names (5720dd9f #1125)
- build: add/fix `Requires.private` packages in `libssh2.pc` (ef538069 #1123)
- buildconf: drop (814a850c #1441 follow: fc5d7788)
- checksrc: update, check all sources, fix fallouts (1117b677 #1457)
- checksrc: sync with curl (8cd473c9 #1272)
- checksrc: fix spelling in comment (a95d401f)
- checksrc: modernise Perl file open (3d309f9b)
- checksrc: switch to dot file (d67a91aa #1052)
- ci: use Ninja with cmake (20ad047d #1458)
- ci: disable dependency tracking in autotools builds (e44f0418 #1396)
- ci: fix mbedtls runners on macOS (84411539 #1381)
- ci: enable Unity mode for most CMake builds (1bfae57b #1367 #1034)
- ci: add shellcheck job and script (d88b9bcd)
- ci: verify build and install from tarball (a86e27e8 #1362)
- ci: add reproducibility test for `maketgz` (2d765e45 #1360)
- ci: use Linux runner for BSDs, add arm64 FreeBSD 14 job (6f86b196 #1343)
- ci: do not parallelize `distcheck` job (5e65dd87 #1339)
- ci: add FreeBSD 14 job, fix issues (46333adf #1277)
- ci: add OmniOS job, fix issues (5e0ec991)
- ci: show compiler in cross/cygwin job names (c9124088)
- ci: add OpenBSD (v7.4) job + fix build error in example (0c9a8e35 #1250)
- ci: add NetBSD (v9.3) job (65c7a7a5)
- ci: update and speed up FreeBSD job (eee4e805)
- ci: use absolute path in `CMAKE_INSTALL_PREFIX` (74948816 #1247)
- ci: boost mbedTLS build speed (236e79a1 #1245)
- ci: add BoringSSL job (cmake, gcc, amd64) (c9dd3566 #1233)
- ci: fixup FreeBSD version, bump mbedTLS (fea6664e #1217)
- ci: add FreeBSD 13.2 job (a7d2a573 #1215)
- ci: mbedTLS 3.5.0 (5e190442 #1202)
- ci: update actions, use shallow clones with appveyor (d468a33f #1199)
- ci: replace `mv` + `chmod` with `install` in `Dockerfile` (5754fed6 #1175)
- ci: set file mode early in `appveyor_docker.yml` (633db55f)
- ci: add spellcheck (codespell) (a79218d3)
- ci: add MSYS builds (autotools and cmake) (d43b8d9b #1162)
- ci: add Cygwin builds (autotools and cmake) (f1e96e73 #1161)
- ci: add mingw-w64 UWP build (1215aa5f #1155 #1147)
- ci: add missing timeout to 'autotools distcheck' step (6265ffdb)
- ci: add non-static autotools i386 build, ignore GHA updates on AppVeyor (c6e137f7 #1074 #1072)
- ci: prefer `=` operator in shell snippets (e5c03043 #1073)
- ci: drop redundant/unused vars, sync var names (ab8e95bc #1059)
- ci: add i386 Linux build (with mbedTLS) (abdf40c7 #1057 #1053)
- ci/appveyor: reduce test runs (workaround for infrastructure permafails) (b5e68bdc #1461)
- ci/appveyor: increase wait for SSH server on GHA (bf3af90b)
- ci/appveyor: bump to OpenSSL 3.2.1 (53d9c1a6 #1363 #1348)
- ci/appveyor: re-enable parallel mode (e190e5b2 #1294 #884 #867)
- ci/appveyor: delete UWP job broken since Visual Studio upgrade (d0a7f1da #1275)
- ci/appveyor: YAML/PowerShell formatting, shorten variable name (06fd721f #1200)
- ci/appveyor: move to pure PowerShell (8a081fd9 #1197)
- ci/GHA: revert concurrency and improve permissions (e4c042f6)
- ci/GHA: FreeBSD 14.1, actions bump (ae04b1b9 #1424)
- ci/GHA: fix wolfSSL-from-source AES-GCM tests (1c0b07a7 #1409 #1408)
- ci/GHA: add Linux job with latest wolfSSL built from source (d4cea53f #1408 #1299 #1020)
- ci/GHA: tidy up build-from-source steps (2c633033)
- ci/GHA: show configure logs on failure and other tidy-ups (dab48398 #1403)
- ci/GHA: bump parallel jobs to nproc+1 (6f3d3bc8 #1402)
- ci/GHA: show test logs on failure (b8ffa7a5 #1401)
- ci/GHA: fix `Dockerfile` failing after Ubuntu package update (839bb84e #1400)
- ci/GHA: use ubuntu-latest with OmniOS job (50143d58)
- ci/GHA: shell syntax tidy-up (3b23e039 #1390)
- ci/GHA: bump NetBSD/OpenBSD, add NetBSD arm64 job (e980af72 #1388)
- ci/GHA: tidy up wolfSSL autotools config on macOS (5953c1f1 #1383)
- ci/GHA: shorter mbedTLS autotools workaround (736e3d7d #1382 #1381)
- ci/GHA: fix gcrypt with autotools/macOS/Homebrew/ARM64 (ae2770de #1377)
- ci/GHA: fix verbose option for autotools jobs (499b27ae #1376)
- ci/GHA: dump `config.log` on failure for macOS autotools jobs (4fa69214 #1375)
- ci/GHA: fix `autoreconf` failure on macOS/Homebrew (0b64b30b #1374)
- ci/GHA: fixup Homebrew location (for ARM runners) (6128aee0 #1373)
- ci/GHA: review/fixup auto-cancel settings (b08cfbc9 #1292)
- ci/GHA: restore curly braces in `if` (36748270 #1145)
- ci/GHA: simplify `if` strings (cab3db58 #1140)
- cmake: sync and improve Find modules, add `pkg-config` native detection (45064137 #1445 #1420)
- cmake: generate `LIBSSH2_PC_LIBS_PRIVATE` dynamically (c87f1296 #1466)
- cmake: add comment about `ibssh2.pc.in` variables (14b1b9d0)
- cmake: support absolute `CMAKE_INSTALL_INCLUDEDIR`/`CMAKE_INSTALL_LIBDIR` (d70cee36 #1465)
- cmake: rename two variables and initialize them (0fce9dcc #1464)
- cmake: prefer `find_dependency()` in `libssh2-config.cmake` (d9c2e550 #1460)
- cmake: tidy up syntax, minor improvements (9d9ee780 #1446)
- cmake: rename mbedTLS and wolfSSL Find modules (570de0f2)
- cmake: fixup version detection in mbedTLS Find module (8e3c40b2 #1444)
- cmake: mbedTLS detection tidy-ups (6d1d13c2 #1438)
- cmake: add quotes, delete ending dirseps (2bb46d44 #1437 #1166)
- cmake: sync formatting in `cmake/Find*` modules (a0310699)
- cmake: tidy up function name casing in `CopyRuntimeDependencies.cmake` (03547cb8)
- cmake: use the imported target of FindOpenSSL module (82b09f9b #1322)
- cmake: rename picky warnings script (64d6789f #1225)
- cmake: fix multiple include of libssh2 package (932d6a32 #1216)
- cmake: show crypto backend in feature summary (20387285 #1211)
- cmake: simplify showing CMake version (fc00bdd7 #1203)
- cmake: cleanup mbedTLS version detection more (4c241d5c #1196 #1192)
- cmake: delete duplicate `include()` (30eef0a6)
- cmake: improve/fix mbedTLS detection (41594675 #1192 #1191)
- cmake: tidy-up `foreach()` syntax (4a64ca14 #1180)
- cmake: verify `libssh2_VERSION` in integration tests (a20572e9)
- cmake: show cmake versions in ci (87f5769b)
- cmake: quote more strings (e9c7d3af #1173)
- cmake: add `ExternalProject` integration test (aeaefaf6 #1171)
- cmake: add integration tests (8715c3d5 #1170)
- cmake: (re-)add aliases for `add_subdirectory()` builds (4ff64ae3 #1169)
- cmake: style tidy-up (3fa5282d #1166)
- cmake: add `LIB_NAME` variable (5453fc80 #1159)
- cmake: tidy-up concatenation in `CMAKE_MODULE_PATH` (ae7d5108 #1157)
- cmake: replace `libssh2` literals with `PROJECT_NAME` variable (72fd2595 #1152)
- cmake: fix `STREQUAL` check in error branch (42d3bf13 #1151)
- cmake: cache more config values on Windows (11a03690 #1142)
- cmake: streamline invocation (f58f77b5 #1138)
- cmake: merge `set_target_properties()` calls (a9091007 #1132)
- cmake: (re-)add zlib to `Libs.private` in `libssh2.pc` (64643018 #1131)
- cmake: use `wolfssl/options.h` for detection, like autotools (c5ec6c49 #1130)
- cmake: add openssl libs to `Libs.private` in `libssh2.pc` (5cfa59d3 #1127)
- cmake: bump minimum CMake version to v3.7.0 (9cd18f45 #1126)
- cmake: CMAKE_SOURCE_DIR -> PROJECT_SOURCE_DIR (0f396aa9 #1121)
- cmake: tidy-ups (2fc36790 #1122)
- cmake: re-add `Libssh2:libssh2` for compatibility + lowercase namespace (2da13c13 #1104 #731 #1103)
- copyright: remove years from copyright headers (187d89bb #1082)
- disable DSA by default (b7ab0faa #1435 #1433)
- docs: update `INSTALL_AUTOTOOLS` (2f0efde3 #1316)
- docs: replace SHA1 with SHA256 in CMake example (766bde9f)
- example: restore `sys/time.h` for AIX (24503cb9 #1340 #1335 #1334 #1001 regr: e53aae0e)
- example: use `libssh2_socket_t` in X11 example (3f60ccb7)
- example: replace remaining libssh2_scp_recv with libssh2_scp_recv2 in output messages (8d69e63d #1258 follow: 6c84a426)
- example: fix regression in `ssh2_exec.c` (279a2e57 #1106 #861 #846 #1105 regr: b13936bd)
- example, tests: call `WSACleanup()` for each `WSAStartup()` (94b6bad3 #1283)
- example, tests: fix/silence `-Wformat-truncation=2` gcc warnings (744e059f)
- hostkey: do not advertise ssh-rsa when SHA1 is disabled (82d1b8ff #1093 #1092)
- kex: prevent possible double free of hostkey (b3465418 #1452)
- kex: always check for null pointers before calling _libssh2_bn_set_word (9f23a3bb #1423)
- kex: fix a memory leak in key exchange (19101843 #1412 #1404)
- kex: always add extension indicators to kex_algorithms (00e2a07e #1327 #1326)
- libssh2.h: add deprecated function warnings (9839ebe5 #1289 #1260)
- libssh2.h: add portable `LIBSSH2_SOCKET_CLOSE()` macro (28dbf016 #1278)
- libssh2.h: use `_WIN32` for Windows detection instead of rolling our own (631e7734 #1238)
- libssh2.pc: reference mbedcrypto pkgconfig (c149a127 #1405)
- libssh2.pc: re-add & extend support for static-only libssh2 builds (624abe27 #1119 #1114)
- libssh2.pc: don't put `@LIBS@` in pc file (1209c16d)
- mac: add empty hash functions for `mac_method_hmac_aesgcm` to not crash when e.g. setting `LIBSSH2_METHOD_CRYPT_CS` (b2738391 #1321)
- mac: handle low-level errors (f64885b6 #1297)
- Makefile.mk: delete Windows-focused raw GNU Make build (43485579 #1204)
- maketgz: reproducible tarballs/zip, display tarball hashes (d52fe1b4 #1357 #1359)
- maketgz: `set -eu`, reproducibility, improve zip, add CI test (cba7f975 #1353)
- man: improve `libssh2_userauth_publickey_from*` manpages (581b72aa #1347 #1308 #652)
- man: fix double spaces and dash escaping (a3ffc422 #1210)
- man: add description to `libssh2_session_get_blocking.3` (67e39091 #1185)
- mbedtls: always init ECDSA mbedtls_pk_context (a50d7deb #1430)
- mbedtls: correctly initialize values (ECDSA) (1701d5c0 #1428 #1421)
- mbedtls: expose `mbedtls_pk_load_file()` for our use (1628f6ca #1421 #1393 #1349 follow: e973493f)
- mbedtls: add workaround + FIXME to build with 3.6.0 (2e4c5ec4 #1349)
- mbedtls: improve disabling `-Wredundant-decls` (ecec68a2 #1226 #1224)
- mbedtls: include `version.h` for `MBEDTLS_VERSION_NUMBER` (9d7bc253 #1095 #1094)
- mbedtls: use more `size_t` to sync up with `crypto.h` (1153ebde #1054 #879 #846 #1053)
- md5: allow disabling old-style encrypted private keys at build-time (eb9f9de2 #1181)
- mingw: fix printf mask for 64-bit integers (36c1e1d1 #1091 #876 #846 #1090)
- misc: flatten `_libssh2_explicit_zero` if tree (74e74288 #1149)
- NMakefile: delete (c515eed3 #1134 #1129)
- openssl: free allocated resources when using openssl3 (b942bad1 #1459)
- openssl: fix memory leaks in `_libssh2_ecdsa_curve_name_with_octal_new` and `_libssh2_ecdsa_verify` (8d3bc19b #1449)
- openssl: fix calculating DSA public key with OpenSSL 3 (8b3c6e9d #1380)
- openssl: initialize BIGNUMs to NULL in `gen_publickey_from_dsa` for OpenSSL 3 (f1133c75 #1320)
- openssl: fix cppcheck found NULL dereferences (f2945905 #1304)
- openssl: delete internal `read_openssh_private_key_from_memory()` (34aff5ff #1306)
- openssl: use OpenSSL 3 HMAC API, add `no-deprecated` CI job (363dcbf4 #1243 #1235 #1207)
- openssl: make a function static, add `#ifdef` comments (efee9133 #1246 #248 follow: 03092292)
- openssl: fix DSA code to use OpenSSL 3 API (82581941 #1244 #1207)
- openssl: fix `EC_KEY` reference with OpenSSL 3 `no-deprecated` build (487152f4 #1236 #1235 #1207)
- openssl: use non-deprecated APIs with OpenSSL 3.x (b0ab005f #1207)
- openssl: silence `-Wunused-value` warnings (bf285500 #1205)
- openssl: use automatic initialization with LibreSSL 2.7.0+ (d79047c9 #1146 #302)
- openssl: add missing check for `LIBRESSL_VERSION_NUMBER` before use (4a42f42e #1117 #1115)
- os400: drop vsprintf() use (40e817ff #1462 #1457)
- os400: Add two recent files to the distribution (e4c65e5b #1364)
- os400: fix shellcheck warnings in scripts (fixups) (81341e1e #1366 #1364 #1358)
- os400: fix shellcheck warnings in scripts (c6625707 #1358)
- os400: maintain up to date (8457c37a #1309)
- packet: properly bounds check packet_authagent_open() (88a960a8 #1179)
- pem: fix private keys encrypted with AES-GCM methods (e87bdefa #1133)
- reuse: upgrade to `REUSE.toml` (70b8bf31 #1419)
- reuse: fix duplicate copyright warning (b9a4ed83)
- reuse: comply with 3.1 spec and 2.0.0 checker (fe6239a1 #1102 #1101 #1098)
- reuse: provide SPDX identifiers (f6aa31f4 #1084)
- scp: fix missing cast for targets without large file support (c317e06f #1060 #1057 #1002 regr: 5db836b2)
- session: support server banners up to 8192 bytes (was: 256) (1a9e8811 #1443 #1442)
- session: add `libssh2_session_callback_set2()` (c0f69548 #1285)
- session: handle EINTR from send/recv/poll/select to try again as the error is not fatal (798ed4a7 #1058 #955)
- sftp: increase SFTP_HANDLE_MAXLEN back to 4092 (75de6a37 #1422)
- sftp: implement posix-rename@openssh.com (fb652746 #1386)
- src: implement chacha20-poly1305@openssh.com (492bc543 #1426 #584)
- src: use `UINT32_MAX` (dc206408 #1413)
- src: fix type warning in `libssh2_sftp_unlink` macro (ac2e8c73 #1406)
- src: check the return value from `_libssh2_bn_*()` functions (95c824d5 #1354)
- src: support RSA-SHA2 cert-based authentication (rsa-sha2-512_cert and rsa-sha2-256_cert) (3a6ab70d #1314)
- src: check hash update/final success (4718ede4 #1303 #1301)
- src: check hash init success (2ed9eb92 #1301)
- src: add 'strict KEX' to fix CVE-2023-48795 "Terrapin Attack" (d34d9258 #1291 #1290)
- src: disable `-Wsign-conversion` warnings, add option to re-enable (6e451669 #1284 #1257)
- src: fix gcc 13 `-Wconversion` warning on Darwin (8cca7b77 #1209 follow: 08354e0a)
- src: drop a redundant `#include` (1f0174d0 #1153)
- src: improve MSVC C4701 warning fix (8b924999 #1086 #876 #1083)
- src: bump `hash_len` to `size_t` in `LIBSSH2_HOSTKEY_METHOD` (8b917d76 #1076)
- src: bump DSA and ECDSA sign `hash_len` to `size_t` (7b8e0225 #1055)
- tests: avoid using `MAXPATHLEN`, for portability (12427f4f #1415 #198 #1414)
- tests: fix excluding AES-GCM tests (fbd9d192 #1410)
- tests: drop default cygpath option `-u` (38e50aa0)
- tests: fix shellcheck issues in `test_sshd.test` (a2ac8c55)
- tests: sync port number type with the rest of codebase (eb996af8)
- tests: fall back to `$LOGNAME` for username (5326a5ce #1241 #1240)
- tests: show cmake version used in integration tests (2cd2f40e #1201)
- tests: formatting and tidy-ups (e61987a3)
- tests: replace FIXME with comments (1a99a86a)
- tests: add aes256-gcm encrypted key test (802336cf #1135 #1133)
- tests: trap signals in scripts (b2916b28 #1098)
- tests: cast to avoid `-Wchar-subscripts` with Cygwin (43df6a46 #1081 #1080)
- test_read: make it run without Docker (57e9d18e #1139)
- test_sshd.test: show sshd and test connect logs on harness failure (299c2040 #1097)
- test_sshd.test: set a safe PID directory (e8cabdcf #1089)
- test_sshd.test: minor cleanups (d29eea1d)
- tidy-up: link updates (c905bfd2 #1434)
- tidy-up: typo in comment (792e1b6f)
- tidy-up: fix typo found by codespell (706ec36d)
- tidy-up: bump casts from int to long for large C99 types in printfs (2e5a8719 #1264 #1257)
- tidy-up: `unsigned` -> `unsigned int` (b136c379)
- tidy-up: stop using leading underscores in macro names (c6589b88 #1248)
- tidy-up: around `stdint.h` (bfa00f1b #1212)
- tidy-up: fix typo in `readme.vms` (a9a79e7a)
- tidy-up: use built-in `_WIN32` macro to detect Windows (6fbc9505 #1195)
- tidy-up: drop `www.` from `www.libssh2.org` (6e3e8839 #1172)
- tidy-up: delete duplicate word from comment (76307435)
- tidy-up: avoid exclamations, prefer single quotes, in outputs (003fb454 #1079)
- TODO: disable or drop weak algos (0b4bdc85 #1261)
- transport: fix unstable connections over non-blocking sockets (de004875 #1454 #720 #1431 #1397)
- transport: check ETM on remote end when receiving (bde10825 #1332 #1331)
- transport: fix incorrect byte offset in debug message (2388a3aa #1096)
- userauth: avoid oob with huge interactive kbd response (f3a85cad #1337)
- userauth: add a new structure to separate memory read and file read (63b4c20e #773)
- userauth: check whether `*key_method` is a NULL pointer instead of `key_method` (bec57c40)
- wincng: fix `DH_GEX_MAXGROUP` set higher than supported (48584671 #1372 #493)
- wincng: add to ci/GHA, add `./configure` option `--enable-ecdsa-wincng` (3f98bfb0 #1368 #1315)
- wincng: add ECDSA support for host and user authentication (3e723437 #1315)
- wincng: prefer `ULONG`/`DWORD` over `unsigned long` (186c1d63 #1165)
- wincng: tidy-ups (7bb669b5 #1164)
- wolfssl: drop header path hack (8ae1b2d7 #1439)
- wolfssl: fix `EVP_Cipher()` use with v5.6.0 and older (a5b0fac2 #1407 #1394 #797 #1299 #1020)
- wolfssl: bump version in upstream issue comment (5cab802c)
- wolfssl: require v5.4.0 for AES-GCM (260a721c #1411 #1299 #1020)
- wolfssl: enable debug logging in wolfSSL when compiled in (76e7a68a #1310)
This release would not have looked like this without help, code, reports and
advice from friends like these:
Viktor Szakats, Michael Buckley, Patrick Monnerat, Ren Mingshuai,
Will Cosgrove, Daniel Stenberg, Josef Cejka, Nicolas Mora, Ryan Kelley,
Aaron Stone, Adam, Anders Borum, András Fekete, Andrei Augustin, binary1248,
Brian Inglis, brucsc on GitHub, concussious on github, Dan Fandrich,
dksslq on github, Haowei Hsu, Harmen Stoppels, Harry Mallon, Jack L,
Jakob Egger, Jiwoo Park, João M. S. Silva, Joel Depooter, Johannes Passing,
Jose Quaresma, Juliusz Sosinowicz, Kai Pastor, Kenneth Davidson,
klux21 on github, Lyndon Brown, Marc Hoersken, mike-jumper, naddy,
Nursan Valeyev, Paul Howarth, PewPewPew, Radek Brich, rahmanih on github,
rolag on github, Seo Suchan, shubhamhii on github, Steve McIntyre,
Tejaswi Kandula, Tobias Stoeckmann, Trzik, Xi Ruoyao

80
curl/dep/libssh2/docs/AUTHORS.txt
Unescape Просмотреть файл

@ -0,0 +1,80 @@
libssh2 is the result of many friendly people. This list is an attempt to
mention all contributors. If we have missed anyone, tell us!
This list of names is a-z sorted.
Adam Gobiowski
Alexander Holyapin
Alexander Lamaison
Alfred Gebert
Ben Kibbey
Bjorn Stenborg
Carlo Bramini
Cristian Rodríguez
Daiki Ueno
Dan Casey
Dan Fandrich
Daniel Stenberg
Dave Hayden
Dave McCaldon
David J Sullivan
David Robins
Dmitry Smirnov
Douglas Masterson
Edink Kadribasic
Erik Brossler
Francois Dupoux
Gellule Xg
Grubsky Grigory
Guenter Knauf
Heiner Steven
Henrik Nordstrom
James Housleys
Jasmeet Bagga
Jean-Louis Charton
Jernej Kovacic
Joey Degges
John Little
Jose Baars
Jussi Mononen
Kamil Dudka
Lars Nordin
Mark McPherson
Mark Smith
Markus Moeller
Matt Lilley
Matthew Booth
Maxime Larocque
Mike Protts
Mikhail Gusarov
Neil Gierman
Olivier Hervieu
Paul Howarth
Paul Querna
Paul Veldkamp
Peter Krempa
Peter O'Gorman
Peter Stuge
Pierre Joye
Rafael Kitover
Romain Bondue
Sara Golemon
Satish Mittal
Sean Peterson
Selcuk Gueney
Simon Hart
Simon Josefsson
Sofian Brabez
Steven Ayre
Steven Dake
Steven Van Ingelgem
TJ Saunders
Tommy Lindgren
Tor Arntsen
Viktor Szakats
Vincent Jaulin
Vincent Torri
Vlad Grachov
Wez Furlong
Yang Tse
Zl Liu

989
curl/dep/libssh2/docs/HACKING-CRYPTO.txt
Unescape Просмотреть файл

@ -0,0 +1,989 @@
Definitions needed to implement a specific crypto library
This document offers some hints about implementing a new crypto library
interface.
A crypto library interface consists of at least a header file, defining
entities referenced from the libssh2 core modules.
Real code implementation (if needed), is left at the implementor's choice.
This document lists the entities that must/may be defined in the header file.
Procedures listed as "void" may indeed have a result type: the void indication
indicates the libssh2 core modules never use the function result.
0) Build system.
Adding a crypto backend to the autotools build system (./configure) is easy:
0.1) Add one new line in configure.ac
m4_set_add([crypto_backends], [newname])
This automatically creates a --with-crypto=newname option.
0.2) Add an m4_case stanza to LIBSSH2_CRYPTO_CHECK in acinclude.m4
This must check for all required libraries, and if found set and AC_SUBST a
variable with the library linking flags. The recommended method is to use
LIBSSH2_LIB_HAVE_LINKFLAGS from LIBSSH2_CRYPTO_CHECK, which automatically
creates and handles a --with-$newname-prefix option and sets an
LTLIBNEWNAME variable on success.
0.3) Add new header to src/Makefile.inc
0.4) Include new source in src/crypto.c
0.5) Add a new block in configure.ac
```
elif test "$found_crypto" = "newname"; then
LIBS="${LIBS} ${LTLIBNEWNAME}"
```
0.6) Add CMake detection logic to CMakeLists.txt
1) Crypto library initialization/termination.
void libssh2_crypto_init(void);
Initializes the crypto library. May be an empty macro if not needed.
void libssh2_crypto_exit(void);
Terminates the crypto library use. May be an empty macro if not needed.
1.1) Crypto runtime detection
The libssh2_crypto_engine_t enum must include the new engine, and
libssh2_crypto_engine() must return it when it is built in.
2) HMAC
libssh2_hmac_ctx
Type of an HMAC computation context. Generally a struct.
Used for all hash algorithms.
int _libssh2_hmac_ctx_init(libssh2_hmac_ctx *ctx);
Initializes the HMAC computation context ctx.
Called before setting-up the hash algorithm.
Must return 1 for success and 0 for failure.
int _libssh2_hmac_update(libssh2_hmac_ctx *ctx,
const void *data, int datalen);
Continue computation of an HMAC on datalen bytes at data using context ctx.
Must return 1 for success and 0 for failure.
int _libssh2_hmac_final(libssh2_hmac_ctx *ctx,
void output[]);
Get the computed HMAC from context ctx into the output buffer. The
minimum data buffer size depends on the HMAC hash algorithm.
Must return 1 for success and 0 for failure.
void _libssh2_hmac_cleanup(libssh2_hmac_ctx *ctx);
Releases the HMAC computation context at ctx.
3) Hash algorithms.
3.1) SHA-1
Must always be implemented.
SHA_DIGEST_LENGTH
#define to 20, the SHA-1 digest length.
libssh2_sha1_ctx
Type of an SHA-1 computation context. Generally a struct.
int libssh2_sha1_init(libssh2_sha1_ctx *x);
Initializes the SHA-1 computation context at x.
Returns 1 for success and 0 for failure
int libssh2_sha1_update(libssh2_sha1_ctx ctx,
const unsigned char *data,
size_t len);
Continue computation of SHA-1 on len bytes at data using context ctx.
Note: if the ctx parameter is modified by the underlying code,
this procedure must be implemented as a macro to map ctx --> &ctx.
Must return 1 for success and 0 for failure.
int libssh2_sha1_final(libssh2_sha1_ctx ctx,
unsigned char output[SHA_DIGEST_LEN]);
Get the computed SHA-1 signature from context ctx and store it into the
output buffer.
Release the context.
Note: if the ctx parameter is modified by the underlying code,
this procedure must be implemented as a macro to map ctx --> &ctx.
Must return 1 for success and 0 for failure.
int libssh2_hmac_sha1_init(libssh2_hmac_ctx *ctx,
const void *key,
int keylen);
Setup the HMAC computation context ctx for an HMAC-SHA-1 computation using the
keylen-byte key. Is invoked just after libssh2_hmac_ctx_init().
Returns 1 for success and 0 for failure.
3.2) SHA-256
Must always be implemented.
SHA256_DIGEST_LENGTH
#define to 32, the SHA-256 digest length.
libssh2_sha256_ctx
Type of an SHA-256 computation context. Generally a struct.
int libssh2_sha256_init(libssh2_sha256_ctx *x);
Initializes the SHA-256 computation context at x.
Returns 1 for success and 0 for failure
int libssh2_sha256_update(libssh2_sha256_ctx ctx,
const unsigned char *data,
size_t len);
Continue computation of SHA-256 on len bytes at data using context ctx.
Note: if the ctx parameter is modified by the underlying code,
this procedure must be implemented as a macro to map ctx --> &ctx.
Must return 1 for success and 0 for failure.
int libssh2_sha256_final(libssh2_sha256_ctx ctx,
unsigned char output[SHA256_DIGEST_LENGTH]);
Gets the computed SHA-256 signature from context ctx into the output buffer.
Release the context.
Note: if the ctx parameter is modified by the underlying code,
this procedure must be implemented as a macro to map ctx --> &ctx.
Must return 1 for success and 0 for failure.
int libssh2_sha256(const unsigned char *message,
size_t len,
unsigned char output[SHA256_DIGEST_LENGTH]);
Computes the SHA-256 signature over the given message of length len and
store the result into the output buffer.
Return 1 if error, else 0.
Note: Seems unused in current code, but defined in each crypto library backend.
LIBSSH2_HMAC_SHA256
#define as 1 if the crypto library supports HMAC-SHA-256, else 0.
If defined as 0, the rest of this section can be omitted.
int libssh2_hmac_sha256_init(libssh2_hmac_ctx *ctx,
const void *key,
int keylen);
Setup the HMAC computation context ctx for an HMAC-256 computation using the
keylen-byte key. Is invoked just after libssh2_hmac_ctx_init().
Returns 1 for success and 0 for failure.
3.3) SHA-384
Mandatory if ECDSA is implemented. Can be omitted otherwise.
SHA384_DIGEST_LENGTH
#define to 48, the SHA-384 digest length.
libssh2_sha384_ctx
Type of an SHA-384 computation context. Generally a struct.
int libssh2_sha384_init(libssh2_sha384_ctx *x);
Initializes the SHA-384 computation context at x.
Returns 1 for success and 0 for failure
int libssh2_sha384_update(libssh2_sha384_ctx ctx,
const unsigned char *data,
size_t len);
Continue computation of SHA-384 on len bytes at data using context ctx.
Note: if the ctx parameter is modified by the underlying code,
this procedure must be implemented as a macro to map ctx --> &ctx.
Must return 1 for success and 0 for failure.
int libssh2_sha384_final(libssh2_sha384_ctx ctx,
unsigned char output[SHA384_DIGEST_LENGTH]);
Gets the computed SHA-384 signature from context ctx into the output buffer.
Release the context.
Note: if the ctx parameter is modified by the underlying code,
this procedure must be implemented as a macro to map ctx --> &ctx.
Must return 1 for success and 0 for failure.
int libssh2_sha384(const unsigned char *message,
size_t len,
unsigned char output[SHA384_DIGEST_LENGTH]);
Computes the SHA-384 signature over the given message of length len and
store the result into the output buffer.
Return 1 if error, else 0.
3.4) SHA-512
Must always be implemented.
SHA512_DIGEST_LENGTH
#define to 64, the SHA-512 digest length.
libssh2_sha512_ctx
Type of an SHA-512 computation context. Generally a struct.
int libssh2_sha512_init(libssh2_sha512_ctx *x);
Initializes the SHA-512 computation context at x.
Returns 1 for success and 0 for failure
int libssh2_sha512_update(libssh2_sha512_ctx ctx,
const unsigned char *data,
size_t len);
Continue computation of SHA-512 on len bytes at data using context ctx.
Note: if the ctx parameter is modified by the underlying code,
this procedure must be implemented as a macro to map ctx --> &ctx.
Must return 1 for success and 0 for failure.
int libssh2_sha512_final(libssh2_sha512_ctx ctx,
unsigned char output[SHA512_DIGEST_LENGTH]);
Gets the computed SHA-512 signature from context ctx into the output buffer.
Release the context.
Note: if the ctx parameter is modified by the underlying code,
this procedure must be implemented as a macro to map ctx --> &ctx.
Must return 1 for success and 0 for failure.
int libssh2_sha512(const unsigned char *message,
size_t len,
unsigned char output[SHA512_DIGEST_LENGTH]);
Computes the SHA-512 signature over the given message of length len and
store the result into the output buffer.
Return 1 if error, else 0.
Note: Seems unused in current code, but defined in each crypto library backend.
LIBSSH2_HMAC_SHA512
#define as 1 if the crypto library supports HMAC-SHA-512, else 0.
If defined as 0, the rest of this section can be omitted.
int libssh2_hmac_sha512_init(libssh2_hmac_ctx *ctx,
const void *key,
int keylen);
Setup the HMAC computation context ctx for an HMAC-512 computation using the
keylen-byte key. Is invoked just after libssh2_hmac_ctx_init().
Returns 1 for success and 0 for failure.
3.5) MD5
LIBSSH2_MD5
#define to 1 if the crypto library supports MD5, else 0.
If defined as 0, the rest of this section can be omitted.
MD5_DIGEST_LENGTH
#define to 16, the MD5 digest length.
libssh2_md5_ctx
Type of an MD5 computation context. Generally a struct.
int libssh2_md5_init(libssh2_md5_ctx *x);
Initializes the MD5 computation context at x.
Returns 1 for success and 0 for failure
int libssh2_md5_update(libssh2_md5_ctx ctx,
const unsigned char *data,
size_t len);
Continues computation of MD5 on len bytes at data using context ctx.
Returns 1 for success and 0 for failure.
Note: if the ctx parameter is modified by the underlying code,
this procedure must be implemented as a macro to map ctx --> &ctx.
Must return 1 for success and 0 for failure.
int libssh2_md5_final(libssh2_md5_ctx ctx,
unsigned char output[MD5_DIGEST_LENGTH]);
Gets the computed MD5 signature from context ctx into the output buffer.
Release the context.
Note: if the ctx parameter is modified by the underlying code,
this procedure must be implemented as a macro to map ctx --> &ctx.
Must return 1 for success and 0 for failure.
int libssh2_hmac_md5_init(libssh2_hmac_ctx *ctx,
const void *key,
int keylen);
Setup the HMAC computation context ctx for an HMAC-MD5 computation using the
keylen-byte key. Is invoked just after libssh2_hmac_ctx_init().
Returns 1 for success and 0 for failure.
3.6) RIPEMD-160
LIBSSH2_HMAC_RIPEMD
#define as 1 if the crypto library supports HMAC-RIPEMD-160, else 0.
If defined as 0, the rest of this section can be omitted.
int libssh2_hmac_ripemd160_init(libssh2_hmac_ctx *ctx,
const void *key,
int keylen);
Setup the HMAC computation context ctx for an HMAC-RIPEMD-160 computation using
the keylen-byte key. Is invoked just after libssh2_hmac_ctx_init().
Returns 1 for success and 0 for failure.
4) Bidirectional key ciphers.
_libssh2_cipher_ctx
Type of a cipher computation context.
_libssh2_cipher_type(name);
Macro defining name as storage identifying a cipher algorithm for
the crypto library interface. No trailing semicolon.
int _libssh2_cipher_init(_libssh2_cipher_ctx *h,
_libssh2_cipher_type(algo),
unsigned char *iv,
unsigned char *secret,
int encrypt);
Creates a cipher context for the given algorithm with the initialization vector
iv and the secret key secret. Prepare for encryption or decryption depending on
encrypt.
Return 0 if OK, else -1.
This procedure is already prototyped in crypto.h.
int _libssh2_cipher_crypt(_libssh2_cipher_ctx *ctx,
_libssh2_cipher_type(algo),
int encrypt,
unsigned char *block,
size_t blocksize,
int firstlast);
Encrypt or decrypt in-place data at (block, blocksize) using the given
context and/or algorithm.
Return 0 if OK, else -1.
This procedure is already prototyped in crypto.h.
void _libssh2_cipher_dtor(_libssh2_cipher_ctx *ctx);
Release cipher context at ctx.
4.1) AES
4.1.1) AES in CBC block mode.
LIBSSH2_AES
#define as 1 if the crypto library supports AES in CBC mode, else 0.
If defined as 0, the rest of this section can be omitted.
_libssh2_cipher_aes128
AES-128-CBC algorithm identifier initializer.
#define with constant value of type _libssh2_cipher_type().
_libssh2_cipher_aes192
AES-192-CBC algorithm identifier initializer.
#define with constant value of type _libssh2_cipher_type().
_libssh2_cipher_aes256
AES-256-CBC algorithm identifier initializer.
#define with constant value of type _libssh2_cipher_type().
4.1.2) AES in CTR block mode.
LIBSSH2_AES_CTR
#define as 1 if the crypto library supports AES in CTR mode, else 0.
If defined as 0, the rest of this section can be omitted.
_libssh2_cipher_aes128ctr
AES-128-CTR algorithm identifier initializer.
#define with constant value of type _libssh2_cipher_type().
_libssh2_cipher_aes192ctr
AES-192-CTR algorithm identifier initializer.
#define with constant value of type _libssh2_cipher_type().
_libssh2_cipher_aes256ctr
AES-256-CTR algorithm identifier initializer.
#define with constant value of type _libssh2_cipher_type().
4.2) Blowfish in CBC block mode.
LIBSSH2_BLOWFISH
#define as 1 if the crypto library supports blowfish in CBC mode, else 0.
If defined as 0, the rest of this section can be omitted.
_libssh2_cipher_blowfish
Blowfish-CBC algorithm identifier initializer.
#define with constant value of type _libssh2_cipher_type().
4.3) RC4.
LIBSSH2_RC4
#define as 1 if the crypto library supports RC4 (arcfour), else 0.
If defined as 0, the rest of this section can be omitted.
_libssh2_cipher_arcfour
RC4 algorithm identifier initializer.
#define with constant value of type _libssh2_cipher_type().
4.4) CAST5 in CBC block mode.
LIBSSH2_CAST
#define 1 if the crypto library supports cast, else 0.
If defined as 0, the rest of this section can be omitted.
_libssh2_cipher_cast5
CAST5-CBC algorithm identifier initializer.
#define with constant value of type _libssh2_cipher_type().
4.5) Triple DES in CBC block mode.
LIBSSH2_3DES
#define as 1 if the crypto library supports TripleDES in CBC mode, else 0.
If defined as 0, the rest of this section can be omitted.
_libssh2_cipher_3des
TripleDES-CBC algorithm identifier initializer.
#define with constant value of type _libssh2_cipher_type().
5) Diffie-Hellman support.
LIBSSH2_DH_GEX_MINGROUP
The minimum Diffie-Hellman group length in bits supported by the backend.
Usually defined as 2048.
LIBSSH2_DH_GEX_OPTGROUP
The preferred Diffie-Hellman group length in bits. Usually defined as 4096.
LIBSSH2_DH_GEX_MAXGROUP
The maximum Diffie-Hellman group length in bits supported by the backend.
Usually defined as 8192.
LIBSSH2_DH_MAX_MODULUS_BITS
The maximum Diffie-Hellman modulus bit count accepted from the server. This
value must be supported by the backend. Usually 16384.
5.1) Diffie-Hellman context.
_libssh2_dh_ctx
Type of a Diffie-Hellman computation context.
Must always be defined.
5.2) Diffie-Hellman computation procedures.
void libssh2_dh_init(_libssh2_dh_ctx *dhctx);
Initializes the Diffie-Hellman context at `dhctx'. No effective context
creation needed here.
int libssh2_dh_key_pair(_libssh2_dh_ctx *dhctx, _libssh2_bn *public,
_libssh2_bn *g, _libssh2_bn *p, int group_order,
_libssh2_bn_ctx *bnctx);
Generates a Diffie-Hellman key pair using base `g', prime `p' and the given
`group_order'. Can use the given big number context `bnctx' if needed.
The private key is stored as opaque in the Diffie-Hellman context `*dhctx' and
the public key is returned in `public'.
0 is returned upon success, else -1.
int libssh2_dh_secret(_libssh2_dh_ctx *dhctx, _libssh2_bn *secret,
_libssh2_bn *f, _libssh2_bn *p, _libssh2_bn_ctx * bnctx)
Computes the Diffie-Hellman secret from the previously created context `*dhctx',
the public key `f' from the other party and the same prime `p' used at
context creation. The result is stored in `secret'.
0 is returned upon success, else -1.
void libssh2_dh_dtor(_libssh2_dh_ctx *dhctx)
Destroys Diffie-Hellman context at `dhctx' and resets its storage.
6) Big numbers.
Positive multi-byte integers support is sufficient.
6.1) Computation contexts.
This has a real meaning if the big numbers computations need some context
storage. If not, use a dummy type and functions (macros).
_libssh2_bn_ctx
Type of multiple precision computation context. May not be empty. if not used,
#define as char, for example.
_libssh2_bn_ctx _libssh2_bn_ctx_new(void);
Returns a new multiple precision computation context.
void _libssh2_bn_ctx_free(_libssh2_bn_ctx ctx);
Releases a multiple precision computation context.
6.2) Computation support.
_libssh2_bn
Type of multiple precision numbers (aka bignumbers or huge integers) for the
crypto library.
_libssh2_bn * _libssh2_bn_init(void);
Creates a multiple precision number (preset to zero).
_libssh2_bn * _libssh2_bn_init_from_bin(void);
Create a multiple precision number intended to be set by the
_libssh2_bn_from_bin() function (see below). Unlike _libssh2_bn_init(), this
code may be a dummy initializer if the _libssh2_bn_from_bin() actually
allocates the number. Returns a value of type _libssh2_bn *.
void _libssh2_bn_free(_libssh2_bn *bn);
Destroys the multiple precision number at bn.
unsigned long _libssh2_bn_bytes(_libssh2_bn *bn);
Get the number of bytes needed to store the bits of the multiple precision
number at bn.
unsigned long _libssh2_bn_bits(_libssh2_bn *bn);
Returns the number of bits of multiple precision number at bn.
int _libssh2_bn_set_word(_libssh2_bn *bn, unsigned long val);
Sets the value of bn to val.
Returns 1 on success, 0 otherwise.
_libssh2_bn * _libssh2_bn_from_bin(_libssh2_bn *bn, int len,
const unsigned char *val);
Converts the positive integer in big-endian form of length len at val
into a _libssh2_bn and place it in bn. If bn is NULL, a new _libssh2_bn is
created.
Returns a pointer to target _libssh2_bn or NULL if error.
int _libssh2_bn_to_bin(_libssh2_bn *bn, unsigned char *val);
Converts the absolute value of bn into big-endian form and store it at
val. val must point to _libssh2_bn_bytes(bn) bytes of memory.
Returns the length of the big-endian number.
7) Private key algorithms.
Format of an RSA public key:
a) "ssh-rsa".
b) RSA exponent, MSB first, with high order bit = 0.
c) RSA modulus, MSB first, with high order bit = 0.
Each item is preceded by its 32-bit byte length, MSB first.
Format of a DSA public key:
a) "ssh-dss".
b) p, MSB first, with high order bit = 0.
c) q, MSB first, with high order bit = 0.
d) g, MSB first, with high order bit = 0.
e) pub_key, MSB first, with high order bit = 0.
Each item is preceded by its 32-bit byte length, MSB first.
Format of an ECDSA public key:
a) "ecdsa-sha2-nistp256" or "ecdsa-sha2-nistp384" or "ecdsa-sha2-nistp521".
b) domain: "nistp256", "nistp384" or "nistp521" matching a).
c) raw public key ("octal").
Each item is preceded by its 32-bit byte length, MSB first.
Format of an ED25519 public key:
a) "ssh-ed25519".
b) raw key (32 bytes).
Each item is preceded by its 32-bit byte length, MSB first.
int _libssh2_pub_priv_keyfile(LIBSSH2_SESSION *session,
unsigned char **method,
size_t *method_len,
unsigned char **pubkeydata,
size_t *pubkeydata_len,
const char *privatekey,
const char *passphrase);
Reads a private key from file privatekey and extract the public key -->
(pubkeydata, pubkeydata_len). Store the associated method (ssh-rsa or ssh-dss)
into (method, method_len).
Both buffers have to be allocated using LIBSSH2_ALLOC().
Returns 0 if OK, else -1.
This procedure is already prototyped in crypto.h.
int _libssh2_pub_priv_keyfilememory(LIBSSH2_SESSION *session,
unsigned char **method,
size_t *method_len,
unsigned char **pubkeydata,
size_t *pubkeydata_len,
const char *privatekeydata,
size_t privatekeydata_len,
const char *passphrase);
Gets a private key from bytes at (privatekeydata, privatekeydata_len) and
extract the public key --> (pubkeydata, pubkeydata_len). Store the associated
method (ssh-rsa or ssh-dss) into (method, method_len).
Both buffers have to be allocated using LIBSSH2_ALLOC().
Returns 0 if OK, else -1.
This procedure is already prototyped in crypto.h.
7.1) RSA
LIBSSH2_RSA
#define as 1 if the crypto library supports RSA, else 0.
If defined as 0, the rest of this section can be omitted.
libssh2_rsa_ctx
Type of an RSA computation context. Generally a struct.
int _libssh2_rsa_new(libssh2_rsa_ctx **rsa,
const unsigned char *edata,
unsigned long elen,
const unsigned char *ndata,
unsigned long nlen,
const unsigned char *ddata,
unsigned long dlen,
const unsigned char *pdata,
unsigned long plen,
const unsigned char *qdata,
unsigned long qlen,
const unsigned char *e1data,
unsigned long e1len,
const unsigned char *e2data,
unsigned long e2len,
const unsigned char *coeffdata, unsigned long coefflen);
Creates a new context for RSA computations from key source values:
pdata, plen Prime number p. Only used if private key known (ddata).
qdata, qlen Prime number q. Only used if private key known (ddata).
ndata, nlen Modulus n.
edata, elen Exponent e.
ddata, dlen e^-1 % phi(n) = private key. May be NULL if unknown.
e1data, e1len dp = d % (p-1). Only used if private key known (dtata).
e2data, e2len dq = d % (q-1). Only used if private key known (dtata).
coeffdata, coefflen q^-1 % p. Only used if private key known.
Returns 0 if OK.
This procedure is already prototyped in crypto.h.
Note: the current generic code only calls this function with e and n (public
key parameters): unless used internally by the backend, it is not needed to
support the private key and the other parameters here.
int _libssh2_rsa_new_private(libssh2_rsa_ctx **rsa,
LIBSSH2_SESSION *session,
const char *filename,
unsigned const char *passphrase);
Reads an RSA private key from file filename into a new RSA context.
Must call _libssh2_init_if_needed().
Return 0 if OK, else -1.
This procedure is already prototyped in crypto.h.
int _libssh2_rsa_new_private_frommemory(libssh2_rsa_ctx **rsa,
LIBSSH2_SESSION *session,
const char *data,
size_t data_len,
unsigned const char *passphrase);
Gets an RSA private key from data into a new RSA context.
Must call _libssh2_init_if_needed().
Return 0 if OK, else -1.
This procedure is already prototyped in crypto.h.
int _libssh2_rsa_sha1_verify(libssh2_rsa_ctx *rsa,
const unsigned char *sig,
size_t sig_len,
const unsigned char *m, size_t m_len);
Verify (sig, sig_len) signature of (m, m_len) using an SHA-1 hash and the
RSA context.
Return 0 if OK, else -1.
This procedure is already prototyped in crypto.h.
int _libssh2_rsa_sha1_signv(LIBSSH2_SESSION *session,
unsigned char **sig, size_t *siglen,
int count, const struct iovec vector[],
libssh2_rsa_ctx *ctx);
RSA signs the SHA-1 hash computed over the count data chunks in vector.
Signature is stored at (sig, siglen).
Signature buffer must be allocated from the given session.
Returns 0 if OK, else -1.
Note: this procedure is optional: if provided, it MUST be defined as a macro.
int _libssh2_rsa_sha1_sign(LIBSSH2_SESSION *session,
libssh2_rsa_ctx *rsactx,
const unsigned char *hash,
size_t hash_len,
unsigned char **signature,
size_t *signature_len);
RSA signs the (hash, hashlen) SHA-1 hash bytes and stores the allocated
signature at (signature, signature_len).
Signature buffer must be allocated from the given session.
Returns 0 if OK, else -1.
This procedure is already prototyped in crypto.h.
Note: this procedure is not used if macro _libssh2_rsa_sha1_signv() is defined.
void _libssh2_rsa_free(libssh2_rsa_ctx *rsactx);
Releases the RSA computation context at rsactx.
LIBSSH2_RSA_SHA2
#define as 1 if the crypto library supports RSA SHA2 256/512, else 0.
If defined as 0, the rest of this section can be omitted.
int _libssh2_rsa_sha2_sign(LIBSSH2_SESSION * session,
libssh2_rsa_ctx * rsactx,
const unsigned char *hash,
size_t hash_len,
unsigned char **signature,
size_t *signature_len);
RSA signs the (hash, hashlen) SHA-2 hash bytes based on hash length and stores
the allocated signature at (signature, signature_len).
Signature buffer must be allocated from the given session.
Returns 0 if OK, else -1.
This procedure is already prototyped in crypto.h.
Note: this procedure is not used if both macros _libssh2_rsa_sha2_256_signv()
and _libssh2_rsa_sha2_512_signv are defined.
int _libssh2_rsa_sha2_256_signv(LIBSSH2_SESSION *session,
unsigned char **sig, size_t *siglen,
int count, const struct iovec vector[],
libssh2_rsa_ctx *ctx);
RSA signs the SHA-256 hash computed over the count data chunks in vector.
Signature is stored at (sig, siglen).
Signature buffer must be allocated from the given session.
Returns 0 if OK, else -1.
Note: this procedure is optional: if provided, it MUST be defined as a macro.
int _libssh2_rsa_sha2_512_signv(LIBSSH2_SESSION *session,
unsigned char **sig, size_t *siglen,
int count, const struct iovec vector[],
libssh2_rsa_ctx *ctx);
RSA signs the SHA-512 hash computed over the count data chunks in vector.
Signature is stored at (sig, siglen).
Signature buffer must be allocated from the given session.
Returns 0 if OK, else -1.
Note: this procedure is optional: if provided, it MUST be defined as a macro.
int _libssh2_rsa_sha2_verify(libssh2_rsa_ctx * rsa,
size_t hash_len,
const unsigned char *sig,
size_t sig_len,
const unsigned char *m, size_t m_len);
Verify (sig, sig_len) signature of (m, m_len) using an SHA-2 hash based on
hash length and the RSA context.
Return 0 if OK, else -1.
This procedure is already prototyped in crypto.h.
7.2) DSA
LIBSSH2_DSA
#define as 1 if the crypto library supports DSA, else 0.
If defined as 0, the rest of this section can be omitted.
libssh2_dsa_ctx
Type of a DSA computation context. Generally a struct.
int _libssh2_dsa_new(libssh2_dsa_ctx **dsa,
const unsigned char *pdata,
unsigned long plen,
const unsigned char *qdata,
unsigned long qlen,
const unsigned char *gdata,
unsigned long glen,
const unsigned char *ydata,
unsigned long ylen,
const unsigned char *x, unsigned long x_len);
Creates a new context for DSA computations from source key values:
pdata, plen Prime number p. Only used if private key known (ddata).
qdata, qlen Prime number q. Only used if private key known (ddata).
gdata, glen G number.
ydata, ylen Public key.
xdata, xlen Private key. Only taken if xlen non-zero.
Returns 0 if OK.
This procedure is already prototyped in crypto.h.
int _libssh2_dsa_new_private(libssh2_dsa_ctx **dsa,
LIBSSH2_SESSION *session,
const char *filename,
unsigned const char *passphrase);
Gets a DSA private key from file filename into a new DSA context.
Must call _libssh2_init_if_needed().
Return 0 if OK, else -1.
This procedure is already prototyped in crypto.h.
int _libssh2_dsa_new_private_frommemory(libssh2_dsa_ctx **dsa,
LIBSSH2_SESSION *session,
const char *data,
size_t data_len,
unsigned const char *passphrase);
Gets a DSA private key from the data_len-bytes data into a new DSA context.
Must call _libssh2_init_if_needed().
Returns 0 if OK, else -1.
This procedure is already prototyped in crypto.h.
int _libssh2_dsa_sha1_verify(libssh2_dsa_ctx *dsactx,
const unsigned char *sig,
const unsigned char *m, size_t m_len);
Verify (sig, siglen) signature of (m, m_len) using an SHA-1 hash and the
DSA context.
Returns 0 if OK, else -1.
This procedure is already prototyped in crypto.h.
int _libssh2_dsa_sha1_sign(libssh2_dsa_ctx *dsactx,
const unsigned char *hash,
size_t hash_len, unsigned char *sig);
DSA signs the (hash, hash_len) data using SHA-1 and store the signature at sig.
Returns 0 if OK, else -1.
This procedure is already prototyped in crypto.h.
void _libssh2_dsa_free(libssh2_dsa_ctx *dsactx);
Releases the DSA computation context at dsactx.
7.3) ECDSA
LIBSSH2_ECDSA
#define as 1 if the crypto library supports ECDSA, else 0.
If defined as 0, _libssh2_ec_key should be defined as void and the rest of
this section can be omitted.
EC_MAX_POINT_LEN
Maximum point length. Usually defined as ((528 * 2 / 8) + 1) (= 133).
libssh2_ecdsa_ctx
Type of an ECDSA computation context. Generally a struct.
_libssh2_ec_key
Type of an elliptic curve key.
libssh2_curve_type
An enum type defining curve types. Current supported identifiers are:
LIBSSH2_EC_CURVE_NISTP256
LIBSSH2_EC_CURVE_NISTP384
LIBSSH2_EC_CURVE_NISTP521
int _libssh2_ecdsa_create_key(_libssh2_ec_key **out_private_key,
unsigned char **out_public_key_octal,
size_t *out_public_key_octal_len,
libssh2_curve_type curve_type);
Create a new ECDSA private key of type curve_type and return it at
out_private_key. If out_public_key_octal is not NULL, store an allocated
pointer to the associated public key in "octal" form in it and its length
at out_public_key_octal_len.
Return 0 if OK, else -1.
This procedure is already prototyped in crypto.h.
int _libssh2_ecdsa_new_private(libssh2_ecdsa_ctx **ec_ctx,
LIBSSH2_SESSION * session,
const char *filename,
unsigned const char *passphrase);
Reads an ECDSA private key from PEM file filename into a new ECDSA context.
Must call _libssh2_init_if_needed().
Return 0 if OK, else -1.
This procedure is already prototyped in crypto.h.
int _libssh2_ecdsa_new_private_frommemory(libssh2_ecdsa_ctx ** ec_ctx,
LIBSSH2_SESSION * session,
const char *filedata,
size_t filedata_len,
unsigned const char *passphrase);
Builds an ECDSA private key from PEM data at filedata of length filedata_len
into a new ECDSA context stored at ec_ctx.
Must call _libssh2_init_if_needed().
Return 0 if OK, else -1.
This procedure is already prototyped in crypto.h.
int _libssh2_ecdsa_curve_name_with_octal_new(libssh2_ecdsa_ctx **ecdsactx,
const unsigned char *k,
size_t k_len,
libssh2_curve_type type);
Stores at ecdsactx a new ECDSA context associated with the given curve type
and with "octal" form public key (k, k_len).
Return 0 if OK, else -1.
This procedure is already prototyped in crypto.h.
int _libssh2_ecdsa_new_openssh_private(libssh2_ecdsa_ctx **ec_ctx,
LIBSSH2_SESSION * session,
const char *filename,
unsigned const char *passphrase);
Reads a PEM-encoded ECDSA private key from file filename encrypted with
passphrase and stores at ec_ctx a new ECDSA context for it.
Return 0 if OK, else -1.
Currently used only from openssl backend (ought to be private).
This procedure is already prototyped in crypto.h.
int _libssh2_ecdsa_sign(LIBSSH2_SESSION *session, libssh2_ecdsa_ctx *ec_ctx,
const unsigned char *hash, unsigned long hash_len,
unsigned char **signature, size_t *signature_len);
ECDSA signs the (hash, hashlen) hash bytes and stores the allocated
signature at (signature, signature_len). Hash algorithm used should be
SHA-256, SHA-384 or SHA-512 depending on type stored in ECDSA context at ec_ctx.
Signature buffer must be allocated from the given session.
Returns 0 if OK, else -1.
This procedure is already prototyped in crypto.h.
int _libssh2_ecdsa_verify(libssh2_ecdsa_ctx *ctx,
const unsigned char *r, size_t r_len,
const unsigned char *s, size_t s_len,
const unsigned char *m, size_t m_len);
Verify the ECDSA signature made of (r, r_len) and (s, s_len) of (m, m_len)
using the hash algorithm configured in the ECDSA context ctx.
Return 0 if OK, else -1.
This procedure is already prototyped in crypto.h.
libssh2_curve_type _libssh2_ecdsa_get_curve_type(libssh2_ecdsa_ctx *ecdsactx);
Returns the curve type associated with given context.
This procedure is already prototyped in crypto.h.
int _libssh2_ecdsa_curve_type_from_name(const char *name,
libssh2_curve_type *out_type);
Stores in out_type the curve type matching string name of the form
"ecdsa-sha2-nistpxxx".
Return 0 if OK, else -1.
Currently used only from openssl backend (ought to be private).
This procedure is already prototyped in crypto.h.
void _libssh2_ecdsa_free(libssh2_ecdsa_ctx *ecdsactx);
Releases the ECDSA computation context at ecdsactx.
7.4) ED25519
LIBSSH2_ED25519
#define as 1 if the crypto library supports ED25519, else 0.
If defined as 0, the rest of this section can be omitted.
libssh2_ed25519_ctx
Type of an ED25519 computation context. Generally a struct.
int _libssh2_curve25519_new(LIBSSH2_SESSION *session, libssh2_ed25519_ctx **ctx,
uint8_t **out_public_key,
uint8_t **out_private_key);
Generates an ED25519 key pair, stores a pointer to them at out_private_key
and out_public_key respectively and stores at ctx a new ED25519 context for
this key.
Argument ctx, out_private_key and out_public key may be NULL to disable storing
the corresponding value.
Length of each key is LIBSSH2_ED25519_KEY_LEN (32 bytes).
Key buffers are allocated and should be released by caller after use.
Returns 0 if OK, else -1.
This procedure is already prototyped in crypto.h.
int _libssh2_ed25519_new_private(libssh2_ed25519_ctx **ed_ctx,
LIBSSH2_SESSION *session,
const char *filename,
const uint8_t *passphrase);
Reads an ED25519 private key from PEM file filename into a new ED25519 context.
Must call _libssh2_init_if_needed().
Return 0 if OK, else -1.
This procedure is already prototyped in crypto.h.
int _libssh2_ed25519_new_public(libssh2_ed25519_ctx **ed_ctx,
LIBSSH2_SESSION *session,
const unsigned char *raw_pub_key,
const size_t key_len);
Stores at ed_ctx a new ED25519 key context for raw public key (raw_pub_key,
key_len).
Return 0 if OK, else -1.
This procedure is already prototyped in crypto.h.
int _libssh2_ed25519_new_private_frommemory(libssh2_ed25519_ctx **ed_ctx,
LIBSSH2_SESSION *session,
const char *filedata,
size_t filedata_len,
unsigned const char *passphrase);
Builds an ED25519 private key from PEM data at filedata of length filedata_len
into a new ED25519 context stored at ed_ctx.
Must call _libssh2_init_if_needed().
Return 0 if OK, else -1.
This procedure is already prototyped in crypto.h.
int _libssh2_ed25519_sign(libssh2_ed25519_ctx *ctx, LIBSSH2_SESSION *session,
uint8_t **out_sig, size_t *out_sig_len,
const uint8_t *message, size_t message_len);
ED25519 signs the (message, message_len) bytes and stores the allocated
signature at (sig, sig_len).
Signature buffer is allocated from the given session.
Returns 0 if OK, else -1.
This procedure is already prototyped in crypto.h.
int _libssh2_ed25519_verify(libssh2_ed25519_ctx *ctx, const uint8_t *s,
size_t s_len, const uint8_t *m, size_t m_len);
Verify (s, s_len) signature of (m, m_len) using the given ED25519 context.
Return 0 if OK, else -1.
This procedure is already prototyped in crypto.h.
int _libssh2_curve25519_gen_k(_libssh2_bn **k,
uint8_t private_key[LIBSSH2_ED25519_KEY_LEN],
uint8_t srvr_public_key[LIBSSH2_ED25519_KEY_LEN]);
Computes a shared ED25519 secret key from the given raw server public key and
raw client public key and stores it as a big number in *k. Big number should
have been initialized before calling this function.
Returns 0 if OK, else -1.
This procedure is already prototyped in crypto.h.
void _libssh2_ed25519_free(libssh2_ed25519_ctx *ed25519ctx);
Releases the ED25519 computation context at ed25519ctx.
8) Miscellaneous
void libssh2_prepare_iovec(struct iovec *vector, unsigned int len);
Prepare len consecutive iovec slots before using them.
In example, this is needed to preset unused structure slacks on platforms
requiring it.
If this is not needed, it should be defined as an empty macro.
int _libssh2_random(unsigned char *buf, size_t len);
Store len random bytes at buf.
Returns 0 if OK, else -1.
const char * _libssh2_supported_key_sign_algorithms(LIBSSH2_SESSION *session,
unsigned char *key_method,
size_t key_method_len);
This function is for implementing key hash upgrading as defined in RFC 8332.
Based on the incoming key_method value, this function will return a
list of supported algorithms that can upgrade the original key method algorithm
as a comma separated list, if there is no upgrade option this function should
return NULL.

316
curl/dep/libssh2/docs/INSTALL_AUTOTOOLS.txt
Unescape Просмотреть файл

@ -0,0 +1,316 @@
Installation Instructions
*************************
Copyright (C) 1994, 1995, 1996, 1999, 2000, 2001, 2002, 2004, 2005 Free
Software Foundation, Inc.
This file is free documentation; the Free Software Foundation gives
unlimited permission to copy, distribute and modify it.
SPDX-License-Identifier: FSFULLR
When Building directly from Master
==================================
If you want to build directly from the git repository, you must first
generate the configure script and Makefile using autotools. Make
sure that autoconf, automake and libtool are installed on your system,
then execute:
autoreconf -fi
After executing this script, you can build the project as usual:
./configure
make
Basic Installation
==================
These are generic installation instructions.
The `configure' shell script attempts to guess correct values for
various system-dependent variables used during compilation. It uses
those values to create a `Makefile' in each directory of the package.
It may also create one or more `.h' files containing system-dependent
definitions. Finally, it creates a shell script `config.status' that
you can run in the future to recreate the current configuration, and a
file `config.log' containing compiler output (useful mainly for
debugging `configure').
It can also use an optional file (typically called `config.cache'
and enabled with `--cache-file=config.cache' or shortly `-C') that saves
the results of its tests to speed up reconfiguring. (Caching is
disabled by default to prevent problems with accidental use of stale
cache files.)
If you need to do unusual things to compile the package, please try
to figure out how `configure' could check whether to do them, and mail
diffs or instructions to the address given in the `README' so they can
be considered for the next release. If you are using the cache, and at
some point `config.cache' contains results you do not want to keep, you
may remove or edit it.
The file `configure.ac' (or `configure.in') is used to create
`configure' by a program called `autoconf'. You only need
`configure.ac' if you want to change it or regenerate `configure' using
a newer version of `autoconf'.
The simplest way to compile this package is:
1. `cd' to the directory containing the package's source code and type
`./configure' to configure the package for your system. If you are
using `csh' on an old version of System V, you might need to type
`sh ./configure' instead to prevent `csh' from trying to execute
`configure' itself.
Running `configure' takes awhile. While running, it prints some
messages telling which features it is checking for.
2. Type `make' to compile the package.
3. Optionally, type `make check' to run any self-tests that come with
the package.
4. Type `make install' to install the programs and any data files and
documentation.
5. You can remove the program binaries and object files from the
source code directory by typing `make clean'. To also remove the
files that `configure' created (so you can compile the package for
a different kind of computer), type `make distclean'. There is
also a `make maintainer-clean' target, but that is intended mainly
for the package's developers. If you use it, you may have to get
all sorts of other programs in order to regenerate files that came
with the distribution.
Compilers and Options
=====================
Some systems require unusual options for compilation or linking that the
`configure' script does not know about. Run `./configure --help' for
details on some of the pertinent environment variables.
You can give `configure' initial values for configuration parameters
by setting variables in the command line or in the environment. Here
is an example:
./configure CC=c89 CFLAGS=-O2 LIBS=-lposix
*Note Defining Variables::, for more details.
Compiling For Multiple Architectures
====================================
You can compile the package for more than one kind of computer at the
same time, by placing the object files for each architecture in their
own directory. To do this, you must use a version of `make' that
supports the `VPATH' variable, such as GNU `make'. `cd' to the
directory where you want the object files and executables to go and run
the `configure' script. `configure' automatically checks for the
source code in the directory that `configure' is in and in `..'.
If you have to use a `make' that does not support the `VPATH'
variable, you have to compile the package for one architecture at a
time in the source code directory. After you have installed the
package for one architecture, use `make distclean' before reconfiguring
for another architecture.
Installation Names
==================
By default, `make install' installs the package's commands under
`/usr/local/bin', include files under `/usr/local/include', etc. You
can specify an installation prefix other than `/usr/local' by giving
`configure' the option `--prefix=PREFIX'.
You can specify separate installation prefixes for
architecture-specific files and architecture-independent files. If you
pass the option `--exec-prefix=PREFIX' to `configure', the package uses
PREFIX as the prefix for installing programs and libraries.
Documentation and other data files still use the regular prefix.
In addition, if you use an unusual directory layout you can give
options like `--bindir=DIR' to specify different values for particular
kinds of files. Run `configure --help' for a list of the directories
you can set and what kinds of files go in them.
If the package supports it, you can cause programs to be installed
with an extra prefix or suffix on their names by giving `configure' the
option `--program-prefix=PREFIX' or `--program-suffix=SUFFIX'.
Optional Features
=================
Some packages pay attention to `--enable-FEATURE' options to
`configure', where FEATURE indicates an optional part of the package.
They may also pay attention to `--with-PACKAGE' options, where PACKAGE
is something like `gnu-as' or `x' (for the X Window System). The
`README' should mention any `--enable-' and `--with-' options that the
package recognizes.
For packages that use the X Window System, `configure' can usually
find the X include and library files automatically, but if it does not,
you can use the `configure' options `--x-includes=DIR' and
`--x-libraries=DIR' to specify their locations.
Specifying the System Type
==========================
There may be some features `configure' cannot figure out automatically,
but needs to determine by the type of machine the package will run on.
Usually, assuming the package is built to be run on the _same_
architectures, `configure' can figure that out, but if it prints a
message saying it cannot guess the machine type, give it the
`--build=TYPE' option. TYPE can either be a short name for the system
type, such as `sun4', or a canonical name which has the form:
CPU-COMPANY-SYSTEM
where SYSTEM can have one of these forms:
OS KERNEL-OS
See the file `config.sub' for the possible values of each field. If
`config.sub' is not included in this package, then this package does not
need to know the machine type.
If you are _building_ compiler tools for cross-compiling, you should
use the option `--target=TYPE' to select the type of system they will
produce code for.
If you want to _use_ a cross compiler, that generates code for a
platform different from the build platform, you should specify the
"host" platform (i.e., that on which the generated programs will
eventually be run) with `--host=TYPE'.
Sharing Defaults
================
If you want to set default values for `configure' scripts to share, you
can create a site shell script called `config.site' that gives default
values for variables like `CC', `cache_file', and `prefix'.
`configure' looks for `PREFIX/share/config.site' if it exists, then
`PREFIX/etc/config.site' if it exists. Or, you can set the
`CONFIG_SITE' environment variable to the location of the site script.
A warning: not all `configure' scripts look for a site script.
Defining Variables
==================
Variables not defined in a site shell script can be set in the
environment passed to `configure'. However, some packages may run
configure again during the build, and the customized values of these
variables may be lost. In order to avoid this problem, you should set
them in the `configure' command line, using `VAR=value'. For example:
./configure CC=/usr/local2/bin/gcc
causes the specified `gcc' to be used as the C compiler (unless it is
overridden in the site shell script). Here is a another example:
/bin/bash ./configure CONFIG_SHELL=/bin/bash
Here the `CONFIG_SHELL=/bin/bash' operand causes subsequent
configuration-related scripts to be executed by `/bin/bash'.
`configure' Invocation
======================
`configure' recognizes the following options to control how it operates.
`--help'
`-h'
Print a summary of the options to `configure', and exit.
`--version'
`-V'
Print the version of Autoconf used to generate the `configure'
script, and exit.
`--cache-file=FILE'
Enable the cache: use and save the results of the tests in FILE,
traditionally `config.cache'. FILE defaults to `/dev/null' to
disable caching.
`--config-cache'
`-C'
Alias for `--cache-file=config.cache'.
`--quiet'
`--silent'
`-q'
Do not print messages saying which checks are being made. To
suppress all normal output, redirect it to `/dev/null' (any error
messages will still be shown).
`--srcdir=DIR'
Look for the package's source code in directory DIR. Usually
`configure' can determine that directory automatically.
`configure' also accepts some other, not widely useful, options. Run
`configure --help' for more details.
More configure options
======================
Some ./configure options deserve additional comments:
* --with-libgcrypt
* --without-libgcrypt
* --with-libgcrypt-prefix=DIR
libssh2 can use the Libgcrypt library
(https://www.gnupg.org/) for cryptographic operations.
One of the cryptographic libraries is required.
Configure will attempt to locate Libgcrypt
automatically.
If your installation of Libgcrypt is in another
location, specify it using --with-libgcrypt-prefix.
* --with-openssl
* --without-openssl
* --with-libssl-prefix=[DIR]
libssh2 can use the OpenSSL library
(https://www.openssl-library.org/) for cryptographic operations.
One of the cryptographic libraries is required.
Configure will attempt to locate OpenSSL in the
default location.
If your installation of OpenSSL is in another
location, specify it using --with-libssl-prefix.
* --with-mbedtls
* --without-mbedtls
* --with-libmbedcrypto-prefix=[DIR]
libssh2 can use the mbedTLS library
(https://tls.mbed.org) for cryptographic operations.
One of the cryptographic libraries is required.
Configure will attempt to locate mbedTLS in the
default location.
If your installation of mbedTLS is in another
location, specify it using --with-libmbedcrypto-prefix.
* --with-libz
* --without-libz
* --with-libz-prefix=[DIR]
If present, libssh2 will attempt to use the zlib
(https://zlib.net/) for payload compression, however
zlib is not required.
If your installation of Libz is in another location,
specify it using --with-libz-prefix.
* --enable-debug
Will make the build use more pedantic and strict compiler
options as well as enable the libssh2_trace() function (for
showing debug traces).

180
curl/dep/libssh2/docs/TODO.txt
Unescape Просмотреть файл

@ -0,0 +1,180 @@
Things TODO
===========
* Fix -Wsign-conversion warnings in src
* Fix the numerous malloc+copy operations for sending data, see "Buffering
Improvements" below for details
* make sure the windowing code adapts better to slow situations so that it
does not then use as much memory as today. Possibly by an app-controllable
"Window mode"?
* Decrease the number of mallocs. Everywhere. Will get easier once the
buffering improvements have been done.
* Use SO_NOSIGPIPE for Mac OS/BSD systems where MSG_NOSIGNAL does not
exist/work
* Extend the test suite to actually test lots of aspects of libssh2
* Update public API to drop casts added to fix compiler warnings
* Expose error messages sent by the server
* select() is troublesome with libssh2 when using multiple channels over
the same session. See "New Transport API" below for more details.
* for obsolete/weak/insecure algorithms: either stop enabling them by default
at build-time, or delete support for them completely.
At next SONAME bump
===================
* stop using #defined macros as part of the official API. The macros should
either be turned into real functions or discarded from the API.
* delete or deprecate libssh2_session_callback_set()
* bump length arguments in callback functions to size_t/ssize_t
* remove the following functions from the API/ABI
libssh2_base64_decode()
libssh2_session_flag()
libssh2_channel_handle_extended_data()
libssh2_channel_receive_window_adjust()
libssh2_poll()
libssh2_poll_channel_read()
libssh2_session_startup() (libssh2_session_handshake() is the replacement)
libssh2_banner_set() (libssh2_session_banner_set() is the replacement)
* Rename a few function:
libssh2_hostkey_hash => libssh2_session_hostkey_hash
libssh2_banner_set => libssh2_session_banner_set
* change 'int' to 'libssh2_socket_t' in the public API for sockets.
* Use 'size_t' for string lengths in all functions.
* Add a comment field to struct libssh2_knownhost.
* remove the existing libssh2_knownhost_add() function and rename
libssh2_knownhost_addc to become the new libssh2_knownhost_add instead
* remove the existing libssh2_scp_send_ex() function and rename
libssh2_scp_send64 to become the new libssh2_scp_send instead.
* remove the existing libssh2_knownhost_check() function and rename
libssh2_knownhost_checkp() to become the new libssh2_knownhost_check instead
Buffering Improvements
======================
transport_write
- If this function gets called with a total packet size that is larger than
32K, it should create more than one SSH packet so that it keeps the largest
one below 32K
sftp_write
- should not copy/allocate anything for the data, only create a header chunk
and pass on the payload data to channel_write "pointed to"
New Transport API
=================
THE PROBLEM
The problem in a nutshell is that when an application opens up multiple
channels over a single session, those are all using the same socket. If the
application is then using select() to wait for traffic (like any sensible app
does) and wants to act on the data when select() tells there is something to
for example read, what does an application do?
With our current API, you have to loop over all the channels and read from
them to see if they have data. This effectively makes blocking reads
impossible. If the app has many channels in a setup like this, it even becomes
slow. (The original API had the libssh2_poll_channel_read() and libssh2_poll()
to somewhat overcome this hurdle, but they too have pretty much the same
problems plus a few others.)
Traffic in the other direction is similarly limited: the app has to try
sending to all channels, even though some of them may very well not accept any
data at that point.
A SOLUTION
I suggest we introduce two new helper functions:
libssh2_transport_read()
- Read "a bunch" of data from the given socket and returns information to the
app about what channels that are now readable (ie they will not block when
read from). The function can be called over and over and it will repeatedly
return info about what channels that are readable at that moment.
libssh2_transport_write()
- Returns information about what channels that are writable, in the sense
that they have windows set from the remote side that allows data to get
sent. Writing to one of those channels will not block. Of course, the
underlying socket may only accept a certain amount of data, so at the first
short return, nothing more should be attempted to get sent until select()
(or equivalent) has been used on the master socket again.
I have not yet figured out a sensible API for how these functions should return
that info, but if we agree on the general principles I guess we can work that
out.
VOLUNTARY
I wanted to mention that these two helper functions would not be mandatory
in any way. They would just be there for those who want them, and existing
programs can remain using the old functions only if they prefer to.
New SFTP API
============
PURPOSE
Provide API functions that explicitly tells at once that a (full) SFTP file
transfer is wanted, to allow libssh2 to leverage on that knowledge to speed
up things internally. It can for example do read ahead, buffer writes (merge
small writes into larger chunks), better tune the SSH window and more. This
sort of API is already provided for SCP transfers.
API
New functions:
LIBSSH2_SFTP_HANDLE *libssh2_sftp_send(SFTP_SESSION *sftp,
libssh2_uint64_t filesize,
char *remote_path,
size_t remote_path_len,
long mode);
Tell libssh2 that a local file with a given size is about to get sent to
the SFTP server.
LIBSSH2_SFTP_HANDLE *libssh2_sftp_recv();
Tell libssh2 that a remote file is requested to get downloaded from the SFTP
server.
Only the setup of the file transfer is different from an application's point
of view. Depending on direction of the transfer(s), the following already
existing functions should then be used until the transfer is complete:
libssh2_sftp_read()
libssh2_sftp_write()
HOW TO USE
1. Setup the transfer using one of the two new functions.
2. Loop through the reading or writing of data.
3. Cleanup the transfer

168
curl/dep/nghttp2/AUTHORS.txt
Unescape Просмотреть файл

@ -0,0 +1,168 @@
nghttp2 project was started as a fork of spdylay project [1]. Both
projects were started by Tatsuhiro Tsujikawa, who is still the main
author of these projects. Meanwhile, we have many contributions, and
we are not here without them. We sincerely thank you to all who made
a contribution. Here is the all individuals/organizations who
contributed to nghttp2 and spdylay project at which we forked. These
names are retrieved from git commit log. If you have made a
contribution, but you are missing in the list, please let us know via
github issues [2].
[1] https://github.com/tatsuhiro-t/spdylay
[2] https://github.com/nghttp2/nghttp2/issues
--------
187j3x1
Adam Gołębiowski
Alek Storm
Alex Nalivko
Alexandr Vlasov
Alexandros Konstantinakis-Karmis
Alexis La Goutte
Alyssa Ross
Amir Livneh
Amir Pakdel
Anders Bakken
Andreas Pohl
Andrew Penkrat
Andy Davies
Angus Gratton
Anna Henningsen
Ant Bryan
Anthony Alayo
Asra Ali
Benedikt Christoph Wolters
Benjamin Peterson
Bernard Spil
Bernhard Walle
Brendan Heinonen
Brian Card
Brian Suh
Daniel Bevenius
Daniel Evers
Daniel Stenberg
Dave Reisner
David Beitey
David Korczynski
David Weekly
Deel
Deep Chordia
Dimitris Apostolou
Dmitri Tikhonov
Dmitriy Vetutnev
Don
Dylan Plecki
Etienne Cimon
Fabian Möller
Fabian Wiesel
Fred Sundvik
Gabi Davar
Gaël PORTAY
Geoff Hill
George Liu
Gitai
Google Inc.
Hajime Fujita
Jacky Tian
Jacky_Yin
Jacob Champion
James M Snell
Jan Kundrát
Jan-E
Janusz Dziemidowicz
Jay Satiro
Jeff 'Raid' Baitis
Jianqing Wang
Jim Morrison
Jiwoo Park
Jonas Kvinge
Josh Braegger
José F. Calcerrada
Kamil Dudka
Kazuho Oku
Kenny (kang-yen) Peng
Kenny Peng
Kit Chan
Kyle Schomp
LazyHamster
Leo Neat
Lorenz Nickel
Lucas Pardue
MATSUMOTO Ryosuke
Marc Bachmann
Marcelo Trylesinski
Mark Boddington
Matt Rudary
Matt Way
Michael Kaufmann
Mike Conlen
Mike Frysinger
Mike Lothian
Nicholas Hurley
Nora Shoemaker
Paweł Wegner
Pedro Santos
Peeyush Aggarwal
Peter Wu
Piotr Sikora
PufferOverflow
Raul Gutierrez Segales
Remo E
Renaud
Reza Tavakoli
Richard Wolfert
Rick Lei
Ross Smith II
Rudi Heitbaum
Ryan Carsten Schmidt
Ryo Ota
Scott Mitchell
Sebastiaan Deckers
Sergey Fedorov
Shelley Vohr
Simon Frankenberger
Simone Basso
Soham Sinha
Stefan Eissing
Stephen Ludin
Sunpoet Po-Chuan Hsieh
Svante Signell
Syohei YOSHIDA
Tapanito
Tatsuhiko Kubo
Tatsuhiro Tsujikawa
Thomas Devoogdt
Tobias Geerinckx-Rice
Tom Harwood
Tomas Krizek
Tomasz Buchert
Tomasz Torcz
Vernon Tang
Viacheslav Biriukov
Viktor Szakats
Viktor Szépe
Ville Vesilehto
Wenfeng Liu
William A Rowe Jr
Xiaoguang Sun
Zhuoyun Wei
acesso
ayanamist
bxshi
clemahieu
dalf
dawg
es
fangdingjun
hrxi
jwchoi
kumagi
lhuang04
lstefani
makovich
mod-h2-dev
moparisthebest
robaho
snnn
yuuki-kodama

23
curl/dep/nghttp2/COPYING.txt
Unescape Просмотреть файл

@ -0,0 +1,23 @@
The MIT License
Copyright (c) 2012, 2014, 2015, 2016 Tatsuhiro Tsujikawa
Copyright (c) 2012, 2014, 2015, 2016 nghttp2 contributors
Permission is hereby granted, free of charge, to any person obtaining
a copy of this software and associated documentation files (the
"Software"), to deal in the Software without restriction, including
without limitation the rights to use, copy, modify, merge, publish,
distribute, sublicense, and/or sell copies of the Software, and to
permit persons to whom the Software is furnished to do so, subject to
the following conditions:
The above copyright notice and this permission notice shall be
included in all copies or substantial portions of the Software.
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

927
curl/dep/nghttp2/ChangeLog.txt
Unescape Просмотреть файл

@ -0,0 +1,927 @@
commit 319bf015de8fa38e21ac271ce2f7d61aa77d90cb
Author: Tatsuhiro Tsujikawa <tatsuhiro.t@gmail.com>
AuthorDate: 2025-03-02
Commit: Tatsuhiro Tsujikawa <tatsuhiro.t@gmail.com>
CommitDate: 2025-03-02
Update bash_completion
commit 99c572448ac94f122a27cc088fe9cd8998222278
Author: Tatsuhiro Tsujikawa <tatsuhiro.t@gmail.com>
AuthorDate: 2025-03-02
Commit: Tatsuhiro Tsujikawa <tatsuhiro.t@gmail.com>
CommitDate: 2025-03-02
Update manual pages
commit a5007158dfdc76cd308e731c629d963406e25965
Author: Tatsuhiro Tsujikawa <tatsuhiro.t@gmail.com>
AuthorDate: 2025-03-02
Commit: Tatsuhiro Tsujikawa <tatsuhiro.t@gmail.com>
CommitDate: 2025-03-02
Bump package and library versions
commit 0b210f072d60db111d6abb44c98cfa754e4d9c99
Author: Tatsuhiro Tsujikawa <tatsuhiro.t@gmail.com>
AuthorDate: 2025-03-02
Commit: Tatsuhiro Tsujikawa <tatsuhiro.t@gmail.com>
CommitDate: 2025-03-02
Update AUTHORS
commit 5ca289471f681ed6c62a9f29e0cc4ea980506fdf
Merge: 2141edda 1459db27
Author: Tatsuhiro Tsujikawa <404610+tatsuhiro-t@users.noreply.github.com>
AuthorDate: 2025-03-02
Commit: GitHub <noreply@github.com>
CommitDate: 2025-03-02
Merge pull request #2311 from nghttp2/bump-libbpf
Bump libbpf to v1.5.0
commit 2141edda0cbf8a85bd46c041cc4b421d505d0cd5
Merge: 133cc56e d9793fce
Author: Tatsuhiro Tsujikawa <404610+tatsuhiro-t@users.noreply.github.com>
AuthorDate: 2025-03-01
Commit: GitHub <noreply@github.com>
CommitDate: 2025-03-01
Merge pull request #2312 from nghttp2/fix-coverity-check
Fix errors reported by coverity
commit d9793fceafdf44dbdea727dfb3e6d35023f46105
Author: Tatsuhiro Tsujikawa <tatsuhiro.t@gmail.com>
AuthorDate: 2025-03-01
Commit: Tatsuhiro Tsujikawa <tatsuhiro.t@gmail.com>
CommitDate: 2025-03-01
Fix errors reported by coverity
commit 1459db27fb5daf83d418729ab781d4cdd14c07ad
Author: Tatsuhiro Tsujikawa <tatsuhiro.t@gmail.com>
AuthorDate: 2025-02-28
Commit: Tatsuhiro Tsujikawa <tatsuhiro.t@gmail.com>
CommitDate: 2025-02-28
Bump libbpf to v1.5.0
commit 133cc56e70a31897088a75d38d24dfedf413060e
Merge: ce5329a3 cd9a021a
Author: Tatsuhiro Tsujikawa <404610+tatsuhiro-t@users.noreply.github.com>
AuthorDate: 2025-02-27
Commit: GitHub <noreply@github.com>
CommitDate: 2025-02-27
Merge pull request #2310 from nghttp2/bump-ngtcp2
Bump ngtcp2
commit cd9a021a19c7f6b83250be5dbb3ac01a12793a7f
Author: Tatsuhiro Tsujikawa <tatsuhiro.t@gmail.com>
AuthorDate: 2025-02-27
Commit: Tatsuhiro Tsujikawa <tatsuhiro.t@gmail.com>
CommitDate: 2025-02-27
Suppress warning when building C++ code with wolfSSL
commit 2e8124eadb41808b1de787131de1b6f58c83ed05
Author: Tatsuhiro Tsujikawa <tatsuhiro.t@gmail.com>
AuthorDate: 2025-02-27
Commit: Tatsuhiro Tsujikawa <tatsuhiro.t@gmail.com>
CommitDate: 2025-02-27
Bump ngtcp2 and its dependencies
commit ce5329a3109cda508f4d84e5c46a206d4d5ef3a6
Merge: 6b74e009 1049ce0a
Author: Tatsuhiro Tsujikawa <404610+tatsuhiro-t@users.noreply.github.com>
AuthorDate: 2025-02-18
Commit: GitHub <noreply@github.com>
CommitDate: 2025-02-18
Merge pull request #2309 from nghttp2/nghttpx-rework-quic-conn
nghttpx: Rework QUIC connection handling
commit 1049ce0a99b121f85768a3d1c3a3dd461fe6bd10
Author: Tatsuhiro Tsujikawa <tatsuhiro.t@gmail.com>
AuthorDate: 2025-01-11
Commit: Tatsuhiro Tsujikawa <tatsuhiro.t@gmail.com>
CommitDate: 2025-02-18
nghttpx: Rework QUIC connection handling
commit 6b74e0097ba30b1273843776a20395319f441987
Merge: 321b71ae 785b0b54
Author: Tatsuhiro Tsujikawa <404610+tatsuhiro-t@users.noreply.github.com>
AuthorDate: 2025-02-18
Commit: GitHub <noreply@github.com>
CommitDate: 2025-02-18
Merge pull request #2308 from nghttp2/dependabot/go_modules/golang.org/x/net-0.35.0
build(deps): bump golang.org/x/net from 0.34.0 to 0.35.0
commit 785b0b541d4152e5e07e33a611fa85e2ddd3593a
Author: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
AuthorDate: 2025-02-17
Commit: GitHub <noreply@github.com>
CommitDate: 2025-02-17
build(deps): bump golang.org/x/net from 0.34.0 to 0.35.0
Bumps [golang.org/x/net](https://github.com/golang/net) from 0.34.0 to 0.35.0.
- [Commits](https://github.com/golang/net/compare/v0.34.0...v0.35.0)
---
updated-dependencies:
- dependency-name: golang.org/x/net
dependency-type: direct:production
update-type: version-update:semver-minor
...
Signed-off-by: dependabot[bot] <support@github.com>
commit 321b71aedb54eaab20456828f316212ec203c8fa
Merge: e2e73723 1dbbcc35
Author: Tatsuhiro Tsujikawa <404610+tatsuhiro-t@users.noreply.github.com>
AuthorDate: 2025-02-08
Commit: GitHub <noreply@github.com>
CommitDate: 2025-02-08
Merge pull request #2306 from nghttp2/clang-format
clang-format
commit 1dbbcc35e1c5365d3ca94b6509ed7fe06d5b2444
Author: Tatsuhiro Tsujikawa <tatsuhiro.t@gmail.com>
AuthorDate: 2025-02-08
Commit: Tatsuhiro Tsujikawa <tatsuhiro.t@gmail.com>
CommitDate: 2025-02-08
clang-format
commit e2e737234e9d292d3cdbabd947c05e16b57ee19e
Merge: e01c9f10 2b7ad6e6
Author: Tatsuhiro Tsujikawa <404610+tatsuhiro-t@users.noreply.github.com>
AuthorDate: 2025-02-05
Commit: GitHub <noreply@github.com>
CommitDate: 2025-02-05
Merge pull request #2305 from qnx-ports/master
Add QNX Support
commit 2b7ad6e6f376d47943347b2dc4b0b9ac2223870b
Author: Deep Chordia <dchordia@blackberry.com>
AuthorDate: 2025-02-05
Commit: Deep Chordia <dchordia@blackberry.com>
CommitDate: 2025-02-05
Add QNX Support
commit e01c9f10a3b7d1df1b50f7ff190dee474cc15d0b
Merge: fd4505cf a2db898d
Author: Tatsuhiro Tsujikawa <404610+tatsuhiro-t@users.noreply.github.com>
AuthorDate: 2025-02-03
Commit: GitHub <noreply@github.com>
CommitDate: 2025-02-03
Merge pull request #2304 from nghttp2/cmake-src-tests
cmake: Disable src tests if BUILD_TESTING is OFF
commit a2db898d7094899c3dc8cb0b32ac1cf35ee362c8
Author: Tatsuhiro Tsujikawa <tatsuhiro.t@gmail.com>
AuthorDate: 2025-02-03
Commit: Tatsuhiro Tsujikawa <tatsuhiro.t@gmail.com>
CommitDate: 2025-02-03
cmake: Disable src tests if BUILD_TESTING is OFF
commit fd4505cfb21710ee9ca54a128001184472a9ab46
Merge: d037dc32 9c23c72d
Author: Tatsuhiro Tsujikawa <404610+tatsuhiro-t@users.noreply.github.com>
AuthorDate: 2025-01-29
Commit: GitHub <noreply@github.com>
CommitDate: 2025-01-29
Merge pull request #2302 from nghttp2/min-quic-pktlen
The minimum length of a valid QUIC packet is 21
commit 9c23c72d9997465205b62e061f317e8845e7dbb0
Author: Tatsuhiro Tsujikawa <tatsuhiro.t@gmail.com>
AuthorDate: 2025-01-29
Commit: Tatsuhiro Tsujikawa <tatsuhiro.t@gmail.com>
CommitDate: 2025-01-29
The minimum length of a valid QUIC packet is 21
commit d037dc32b4ddac267b0ede89f5f6f334319c636b
Merge: a4dad6d3 e045b463
Author: Tatsuhiro Tsujikawa <404610+tatsuhiro-t@users.noreply.github.com>
AuthorDate: 2025-01-28
Commit: GitHub <noreply@github.com>
CommitDate: 2025-01-28
Merge pull request #2301 from nghttp2/dependabot/go_modules/github.com/quic-go/quic-go-0.49.0
build(deps): bump github.com/quic-go/quic-go from 0.48.2 to 0.49.0
commit e045b46352a9a36834c7157c77e873d570717c26
Author: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
AuthorDate: 2025-01-27
Commit: GitHub <noreply@github.com>
CommitDate: 2025-01-27
build(deps): bump github.com/quic-go/quic-go from 0.48.2 to 0.49.0
Bumps [github.com/quic-go/quic-go](https://github.com/quic-go/quic-go) from 0.48.2 to 0.49.0.
- [Release notes](https://github.com/quic-go/quic-go/releases)
- [Changelog](https://github.com/quic-go/quic-go/blob/master/Changelog.md)
- [Commits](https://github.com/quic-go/quic-go/compare/v0.48.2...v0.49.0)
---
updated-dependencies:
- dependency-name: github.com/quic-go/quic-go
dependency-type: direct:production
update-type: version-update:semver-minor
...
Signed-off-by: dependabot[bot] <support@github.com>
commit a4dad6d36acde0f2a511632ba8fa395e70159b41
Merge: 0c9fdf26 bdf7f14b
Author: Tatsuhiro Tsujikawa <404610+tatsuhiro-t@users.noreply.github.com>
AuthorDate: 2025-01-27
Commit: GitHub <noreply@github.com>
CommitDate: 2025-01-27
Merge pull request #2300 from nghttp2/stale-exempt-pr
GHA: Exempt pull request from actions/stale
commit bdf7f14b3d914d43ca7f9d1c6641331e7970b155
Author: Tatsuhiro Tsujikawa <tatsuhiro.t@gmail.com>
AuthorDate: 2025-01-27
Commit: Tatsuhiro Tsujikawa <tatsuhiro.t@gmail.com>
CommitDate: 2025-01-27
GHA: Exempt pull request from actions/stale
commit 0c9fdf26397d6f46595dd0f0df4091dd50606f70
Merge: 280110ca dd59dd8b
Author: Tatsuhiro Tsujikawa <404610+tatsuhiro-t@users.noreply.github.com>
AuthorDate: 2025-01-26
Commit: GitHub <noreply@github.com>
CommitDate: 2025-01-26
Merge pull request #2299 from nghttp2/nullptr
src: nullptr
commit dd59dd8ba99b3e40ed6a1bfb4ba5f676be8e386d
Author: Tatsuhiro Tsujikawa <tatsuhiro.t@gmail.com>
AuthorDate: 2025-01-26
Commit: Tatsuhiro Tsujikawa <tatsuhiro.t@gmail.com>
CommitDate: 2025-01-26
src: nullptr
commit 280110ca8dd1563b9fe1597bd33fbf0607fb5f5c
Merge: e25e68f2 f9958255
Author: Tatsuhiro Tsujikawa <404610+tatsuhiro-t@users.noreply.github.com>
AuthorDate: 2025-01-26
Commit: GitHub <noreply@github.com>
CommitDate: 2025-01-26
Merge pull request #2298 from nghttp2/fix-stale-action
Workaround actions/stale cache issue
commit f9958255ee08011a7d72060bcb1675a8f0842635
Author: Tatsuhiro Tsujikawa <tatsuhiro.t@gmail.com>
AuthorDate: 2025-01-26
Commit: Tatsuhiro Tsujikawa <tatsuhiro.t@gmail.com>
CommitDate: 2025-01-26
Workaround actions/stale cache issue
commit e25e68f23408720c11812ece06ffadb1b635f931
Merge: ab19019b 01accaef
Author: Tatsuhiro Tsujikawa <404610+tatsuhiro-t@users.noreply.github.com>
AuthorDate: 2025-01-25
Commit: GitHub <noreply@github.com>
CommitDate: 2025-01-25
Merge pull request #2297 from thevilledev/fix/hd-int-overflow-check
fix: Add defensive bounds checking in hd_ringbuf_init()
commit 01accaef55254ffeeebf99b1b0ceeb9cc0592d8e
Author: Ville Vesilehto <ville@vesilehto.fi>
AuthorDate: 2025-01-24
Commit: GitHub <noreply@github.com>
CommitDate: 2025-01-24
fix: remove redundant sizeof check
Co-authored-by: Tatsuhiro Tsujikawa <404610+tatsuhiro-t@users.noreply.github.com>
commit d06472b2c170cc898f9722b55005ef8cdbb07a63
Author: Ville Vesilehto <ville@vesilehto.fi>
AuthorDate: 2025-01-24
Commit: GitHub <noreply@github.com>
CommitDate: 2025-01-24
fix: optimise for conditions
Co-authored-by: Tatsuhiro Tsujikawa <404610+tatsuhiro-t@users.noreply.github.com>
commit 8ada192e6942eb4f5b85d73b648de73185a3e112
Author: Ville Vesilehto <ville@vesilehto.fi>
AuthorDate: 2025-01-24
Commit: GitHub <noreply@github.com>
CommitDate: 2025-01-24
fix: set max_size as const
Co-authored-by: Tatsuhiro Tsujikawa <404610+tatsuhiro-t@users.noreply.github.com>
commit 639b14710b83c831b5c2bc75d33e385da4cde22e
Author: Ville Vesilehto <ville@vesilehto.fi>
AuthorDate: 2025-01-20
Commit: Ville Vesilehto <ville@vesilehto.fi>
CommitDate: 2025-01-20
fix: Add defensive integer overflow checks in hd ringbuf init
Add bounds checking in hd_ringbuf_init() to prevent potential integer
overflow during size calculations. While HPACK decoder controls its own
buffer size (4-8K typical) and is not vulnerable to remote exploitation,
this adds defensive programming guards for robustness.
Signed-off-by: Ville Vesilehto <ville@vesilehto.fi>
commit ab19019b77bc04925cbede25307720af056b83d3
Merge: f88c0985 15d75404
Author: Tatsuhiro Tsujikawa <404610+tatsuhiro-t@users.noreply.github.com>
AuthorDate: 2025-01-18
Commit: GitHub <noreply@github.com>
CommitDate: 2025-01-18
Merge pull request #2296 from nghttp2/xmlfree
HtmlParser: Use xmlFree
commit 15d754040a03101bed219fd4ae910f56446b1b84
Author: Tatsuhiro Tsujikawa <tatsuhiro.t@gmail.com>
AuthorDate: 2025-01-18
Commit: Tatsuhiro Tsujikawa <tatsuhiro.t@gmail.com>
CommitDate: 2025-01-18
HtmlParser: Use xmlFree
commit f88c09857dc8819c3a849a67a5e1d8e10503b49f
Merge: e5309612 3cb06f11
Author: Tatsuhiro Tsujikawa <404610+tatsuhiro-t@users.noreply.github.com>
AuthorDate: 2025-01-14
Commit: GitHub <noreply@github.com>
CommitDate: 2025-01-14
Merge pull request #2295 from nghttp2/dependabot/go_modules/golang.org/x/net-0.34.0
build(deps): bump golang.org/x/net from 0.33.0 to 0.34.0
commit 3cb06f116d662843cc4fbd82ffd251cd90842532
Author: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
AuthorDate: 2025-01-13
Commit: GitHub <noreply@github.com>
CommitDate: 2025-01-13
build(deps): bump golang.org/x/net from 0.33.0 to 0.34.0
Bumps [golang.org/x/net](https://github.com/golang/net) from 0.33.0 to 0.34.0.
- [Commits](https://github.com/golang/net/compare/v0.33.0...v0.34.0)
---
updated-dependencies:
- dependency-name: golang.org/x/net
dependency-type: direct:production
update-type: version-update:semver-minor
...
Signed-off-by: dependabot[bot] <support@github.com>
commit e53096123c961357302442fb1e0ac14cf7bc7e03
Merge: 6494f056 48cdba35
Author: Tatsuhiro Tsujikawa <404610+tatsuhiro-t@users.noreply.github.com>
AuthorDate: 2025-01-12
Commit: GitHub <noreply@github.com>
CommitDate: 2025-01-12
Merge pull request #2294 from nghttp2/remove-nghttp2-dependency-based-priority-section
Remove nghttp2 dependency based priority section
commit 48cdba3553b294a470651f040d4c9dfff9fdea74
Author: Tatsuhiro Tsujikawa <tatsuhiro.t@gmail.com>
AuthorDate: 2025-01-12
Commit: Tatsuhiro Tsujikawa <tatsuhiro.t@gmail.com>
CommitDate: 2025-01-12
Update manual pages
commit 71498767046147f87bb3a5b01d5e4ff35dfba4c3
Author: Tatsuhiro Tsujikawa <tatsuhiro.t@gmail.com>
AuthorDate: 2025-01-12
Commit: Tatsuhiro Tsujikawa <tatsuhiro.t@gmail.com>
CommitDate: 2025-01-12
nghttp: Remove DEPENDENCY BASED PRIORITY section from its manual page
commit 6494f0563818cbc27a351769c1bc649f89177140
Merge: 1f581807 db12ee7a
Author: Tatsuhiro Tsujikawa <404610+tatsuhiro-t@users.noreply.github.com>
AuthorDate: 2025-01-12
Commit: GitHub <noreply@github.com>
CommitDate: 2025-01-12
Merge pull request #2293 from nghttp2/update-priority-doc
Update Stream priorities section
commit 1f5818070d0500822f03bc1194a655494a724dc9
Merge: d928ceb7 82602821
Author: Tatsuhiro Tsujikawa <404610+tatsuhiro-t@users.noreply.github.com>
AuthorDate: 2025-01-12
Commit: GitHub <noreply@github.com>
CommitDate: 2025-01-12
Merge pull request #2292 from nghttp2/nghttp-show-deprecation-warn-no-rfc7540-pri
nghttp: Show deprecation warning for --no-rfc7540-pri option
commit db12ee7a37bbd2ba7d2a59b3c31b0dd1f31aac1d
Author: Tatsuhiro Tsujikawa <tatsuhiro.t@gmail.com>
AuthorDate: 2025-01-12
Commit: Tatsuhiro Tsujikawa <tatsuhiro.t@gmail.com>
CommitDate: 2025-01-12
Update Stream priorities section
commit 82602821d00ff42eae0c7cf8cfe4a7eba2d0c563
Author: Tatsuhiro Tsujikawa <tatsuhiro.t@gmail.com>
AuthorDate: 2025-01-12
Commit: Tatsuhiro Tsujikawa <tatsuhiro.t@gmail.com>
CommitDate: 2025-01-12
nghttp: Show deprecation warning for --no-rfc7540-pri option
commit d928ceb75a364f1e199b841eae1548cc9897c9c2
Merge: 7e096cbc 7f871f63
Author: Tatsuhiro Tsujikawa <404610+tatsuhiro-t@users.noreply.github.com>
AuthorDate: 2025-01-12
Commit: GitHub <noreply@github.com>
CommitDate: 2025-01-12
Merge pull request #2291 from nghttp2/nghttpd-remove-rfc7540-pri
nghttpd: Remove RFC 7540 priorities
commit 7f871f63ea0935c9a09c3eab6b310f051806a672
Author: Tatsuhiro Tsujikawa <tatsuhiro.t@gmail.com>
AuthorDate: 2025-01-12
Commit: Tatsuhiro Tsujikawa <tatsuhiro.t@gmail.com>
CommitDate: 2025-01-12
nghttpd: Remove RFC 7540 priorities
This change deprecates --no-rfc7540-pri option.
SETTINGS_NO_RFC7540_PRIORITIES is now always sent.
commit 7e096cbc4131b1473e91e0e672a2bc2ca2ad91cf
Merge: c8bcf5a6 f25a8dca
Author: Tatsuhiro Tsujikawa <404610+tatsuhiro-t@users.noreply.github.com>
AuthorDate: 2025-01-11
Commit: GitHub <noreply@github.com>
CommitDate: 2025-01-11
Merge pull request #2290 from nghttp2/nghttp-remove-rfc7540-pri
nghttp: Remove RFC 7540 priorities
commit f25a8dca17446f525ce2930918e503536dcd4374
Author: Tatsuhiro Tsujikawa <tatsuhiro.t@gmail.com>
AuthorDate: 2025-01-10
Commit: Tatsuhiro Tsujikawa <tatsuhiro.t@gmail.com>
CommitDate: 2025-01-11
nghttp: Remove RFC 7540 priorities
This change removes RFC 7540 priorities from nghttp. nghttp now does
not create the initial dependency tree. --no-dep and --no-rfc7540-pri
options have been removed.
nghttp now always sends NGHTTP2_SETTINGS_NO_RFC7540_PRIORITIES.
--extpri option has been added to set priority for a given URI.
commit c8bcf5a6a2157b316444dddd8d262778b41f2821
Merge: 26a33cf9 b2a3299e
Author: Tatsuhiro Tsujikawa <404610+tatsuhiro-t@users.noreply.github.com>
AuthorDate: 2025-01-11
Commit: GitHub <noreply@github.com>
CommitDate: 2025-01-11
Merge pull request #2289 from nghttp2/deprecate-nghttp2_option_set_no_closed_streams
Deprecate nghttp2_option_set_no_closed_streams
commit b2a3299e8ecec9a879c41415373a46f8eb4cb286
Author: Tatsuhiro Tsujikawa <tatsuhiro.t@gmail.com>
AuthorDate: 2025-01-10
Commit: Tatsuhiro Tsujikawa <tatsuhiro.t@gmail.com>
CommitDate: 2025-01-11
Deprecate nghttp2_option_set_no_closed_streams
commit 26a33cf99bd30d4be24c6f6e534286cbddd86d05
Merge: cb8421e3 96e06509
Author: Tatsuhiro Tsujikawa <404610+tatsuhiro-t@users.noreply.github.com>
AuthorDate: 2025-01-10
Commit: GitHub <noreply@github.com>
CommitDate: 2025-01-10
Merge pull request #2288 from nghttp2/deprecate-nghttp2_option_set_server_fallback_rfc7540_priorities
Deprecate nghttp2_option_set_server_fallback_rfc7540_priorities
commit cb8421e3537154536dfaf8d1d8fdea77de672b21
Merge: 8c83772f 3dd61f8e
Author: Tatsuhiro Tsujikawa <404610+tatsuhiro-t@users.noreply.github.com>
AuthorDate: 2025-01-10
Commit: GitHub <noreply@github.com>
CommitDate: 2025-01-10
Merge pull request #2287 from nghttp2/remove-rfc7540-priority
Remove RFC 7540 priorities
commit 96e06509ac558d1b740cc62e2e6bf442b4d4667b
Author: Tatsuhiro Tsujikawa <tatsuhiro.t@gmail.com>
AuthorDate: 2025-01-10
Commit: Tatsuhiro Tsujikawa <tatsuhiro.t@gmail.com>
CommitDate: 2025-01-10
Deprecate nghttp2_option_set_server_fallback_rfc7540_priorities
commit 3dd61f8ec3990928ee5f2606353d2b291f771aab
Author: Tatsuhiro Tsujikawa <tatsuhiro.t@gmail.com>
AuthorDate: 2024-03-25
Commit: Tatsuhiro Tsujikawa <tatsuhiro.t@gmail.com>
CommitDate: 2025-01-10
Remove RFC 7540 priorities
Summary of the behavioral changes in public API functions:
- nghttp2_session_change_stream_priority: This function is noop. It
always returns 0.
- nghttp2_session_create_idle_stream: This function is noop. It
always returns 0.
- nghttp2_submit_request: pri_spec is ignored.
- nghttp2_submit_request2: pri_spec is ignored.
- nghttp2_submit_headers: pri_spec is ignored.
- nghttp2_submit_priority: This function is noop. It always returns
0.
- nghttp2_stream_get_parent: This function always returns NULL.
- nghttp2_stream_get_next_sibling: This function always returns NULL.
- nghttp2_stream_get_previous_sibling: This function always returns
NULL.
- nghttp2_stream_get_first_child: This function always returns NULL.
- nghttp2_stream_get_weight: This function always returns
NGHTTP2_DEFAULT_WEIGHT.
- nghttp2_stream_get_sum_dependency_weight: This function always
returns 0.
commit 8c83772f6c45a571fb209e9ec91729a360b8490f
Merge: 5ca0bca1 a8d731d8
Author: Tatsuhiro Tsujikawa <404610+tatsuhiro-t@users.noreply.github.com>
AuthorDate: 2025-01-03
Commit: GitHub <noreply@github.com>
CommitDate: 2025-01-03
Merge pull request #2286 from nghttp2/bump-munit
Bump munit
commit a8d731d81fb34fa253cc9cb7c8874f096914ee00
Author: Tatsuhiro Tsujikawa <tatsuhiro.t@gmail.com>
AuthorDate: 2025-01-03
Commit: Tatsuhiro Tsujikawa <tatsuhiro.t@gmail.com>
CommitDate: 2025-01-03
Bump munit
commit 5ca0bca19992fbb08792a25a6657a61c16f78710
Merge: 89f27a59 23a17d00
Author: Tatsuhiro Tsujikawa <404610+tatsuhiro-t@users.noreply.github.com>
AuthorDate: 2024-12-19
Commit: GitHub <noreply@github.com>
CommitDate: 2024-12-19
Merge pull request #2283 from nghttp2/bump-ngtcp2
Bump ngtcp2 and QUIC dependencies
commit 89f27a597f4237d1c70a7d2b1b6c559ff4182ed6
Merge: 59f85c5d 947928bc
Author: Tatsuhiro Tsujikawa <404610+tatsuhiro-t@users.noreply.github.com>
AuthorDate: 2024-12-19
Commit: GitHub <noreply@github.com>
CommitDate: 2024-12-19
Merge pull request #2282 from nghttp2/bump-golang.org/x/net
Bump golang.org/x/net to v0.33.0
commit 947928bcc2a8a5951a7ff15ea032501bae98927b
Author: Tatsuhiro Tsujikawa <tatsuhiro.t@gmail.com>
AuthorDate: 2024-12-19
Commit: Tatsuhiro Tsujikawa <tatsuhiro.t@gmail.com>
CommitDate: 2024-12-19
Bump golang.org/x/net to v0.33.0
commit 23a17d0048f581856a363f6e3498815b0a4e4844
Author: Tatsuhiro Tsujikawa <tatsuhiro.t@gmail.com>
AuthorDate: 2024-12-19
Commit: Tatsuhiro Tsujikawa <tatsuhiro.t@gmail.com>
CommitDate: 2024-12-19
Bump ngtcp2 and QUIC dependencies
commit 59f85c5d622ba46826f11e6d02b5aa39439cf7f8
Merge: 92fa43ac c7bf69c8
Author: Tatsuhiro Tsujikawa <404610+tatsuhiro-t@users.noreply.github.com>
AuthorDate: 2024-12-10
Commit: GitHub <noreply@github.com>
CommitDate: 2024-12-10
Merge pull request #2281 from nghttp2/dependabot/go_modules/golang.org/x/net-0.32.0
build(deps): bump golang.org/x/net from 0.31.0 to 0.32.0
commit c7bf69c8e1d8646b249ef08ad58f3bca06ff0f3b
Author: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
AuthorDate: 2024-12-09
Commit: GitHub <noreply@github.com>
CommitDate: 2024-12-09
build(deps): bump golang.org/x/net from 0.31.0 to 0.32.0
Bumps [golang.org/x/net](https://github.com/golang/net) from 0.31.0 to 0.32.0.
- [Commits](https://github.com/golang/net/compare/v0.31.0...v0.32.0)
---
updated-dependencies:
- dependency-name: golang.org/x/net
dependency-type: direct:production
update-type: version-update:semver-minor
...
Signed-off-by: dependabot[bot] <support@github.com>
commit 92fa43ac912b6c3b3d8bbfde55416eaa4f4ad508
Merge: 68c3600d b05ee704
Author: Tatsuhiro Tsujikawa <404610+tatsuhiro-t@users.noreply.github.com>
AuthorDate: 2024-12-10
Commit: GitHub <noreply@github.com>
CommitDate: 2024-12-10
Merge pull request #2279 from nghttp2/dependabot/go_modules/github.com/quic-go/quic-go-0.48.2
build(deps): bump github.com/quic-go/quic-go from 0.48.1 to 0.48.2
commit b05ee704dd020e9dd0a8ff329686241fdbaeb897
Author: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
AuthorDate: 2024-12-02
Commit: GitHub <noreply@github.com>
CommitDate: 2024-12-02
build(deps): bump github.com/quic-go/quic-go from 0.48.1 to 0.48.2
Bumps [github.com/quic-go/quic-go](https://github.com/quic-go/quic-go) from 0.48.1 to 0.48.2.
- [Release notes](https://github.com/quic-go/quic-go/releases)
- [Changelog](https://github.com/quic-go/quic-go/blob/master/Changelog.md)
- [Commits](https://github.com/quic-go/quic-go/compare/v0.48.1...v0.48.2)
---
updated-dependencies:
- dependency-name: github.com/quic-go/quic-go
dependency-type: direct:production
update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot] <support@github.com>
commit 68c3600d9fe729b8c66424384472a23ae8b45cec
Merge: eb22cc12 f51e9b30
Author: Tatsuhiro Tsujikawa <404610+tatsuhiro-t@users.noreply.github.com>
AuthorDate: 2024-11-25
Commit: GitHub <noreply@github.com>
CommitDate: 2024-11-25
Merge pull request #2275 from nghttp2/bump-ngtcp2
Bump ngtcp2
commit f51e9b300f35ab50b16d3cdece1acf6ff9425357
Author: Tatsuhiro Tsujikawa <tatsuhiro.t@gmail.com>
AuthorDate: 2024-11-25
Commit: Tatsuhiro Tsujikawa <tatsuhiro.t@gmail.com>
CommitDate: 2024-11-25
GHA: Fix build error on Mac OS 14
commit f61d304ef38f92fb4c898664c48df9eadde36f9f
Author: Tatsuhiro Tsujikawa <tatsuhiro.t@gmail.com>
AuthorDate: 2024-11-25
Commit: Tatsuhiro Tsujikawa <tatsuhiro.t@gmail.com>
CommitDate: 2024-11-25
Bump ngtcp2 and its dependencies
commit eb22cc1231a6b57b384abcd9948eb3ddfb844755
Merge: 55c5adf9 41c8940a
Author: Tatsuhiro Tsujikawa <404610+tatsuhiro-t@users.noreply.github.com>
AuthorDate: 2024-11-18
Commit: GitHub <noreply@github.com>
CommitDate: 2024-11-18
Merge pull request #2274 from nghttp2/bump-sfparse
Bump sfparse to 7eaf5b651f67123edf2605391023ed2fd7e2ef16
commit 41c8940a4ca9875b6ada4d432d8d2f2beeda0e60
Author: Tatsuhiro Tsujikawa <tatsuhiro.t@gmail.com>
AuthorDate: 2024-11-18
Commit: Tatsuhiro Tsujikawa <tatsuhiro.t@gmail.com>
CommitDate: 2024-11-18
Bump sfparse to 7eaf5b651f67123edf2605391023ed2fd7e2ef16
commit 55c5adf9676ecb49e8083fe3458381e751796123
Merge: da14a31c db315a45
Author: Tatsuhiro Tsujikawa <404610+tatsuhiro-t@users.noreply.github.com>
AuthorDate: 2024-11-16
Commit: GitHub <noreply@github.com>
CommitDate: 2024-11-16
Merge pull request #2273 from nghttp2/urlparse
Replace url-parser with urlparse
commit db315a458810adb7d30be01315d48addd2a9fc40
Author: Tatsuhiro Tsujikawa <tatsuhiro.t@gmail.com>
AuthorDate: 2024-11-16
Commit: Tatsuhiro Tsujikawa <tatsuhiro.t@gmail.com>
CommitDate: 2024-11-16
Replace url-parser with urlparse
commit da14a31cfb7dd05ee0b5cbbc6ec9d04cc87da365
Merge: 7a96731c f5b0c5bf
Author: Tatsuhiro Tsujikawa <404610+tatsuhiro-t@users.noreply.github.com>
AuthorDate: 2024-11-15
Commit: GitHub <noreply@github.com>
CommitDate: 2024-11-15
Merge pull request #2272 from nghttp2/dependabot/go_modules/golang.org/x/net-0.31.0
build(deps): bump golang.org/x/net from 0.30.0 to 0.31.0
commit f5b0c5bf06354d8cdb5fc46ee1c736e818bb2933
Author: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
AuthorDate: 2024-11-11
Commit: GitHub <noreply@github.com>
CommitDate: 2024-11-11
build(deps): bump golang.org/x/net from 0.30.0 to 0.31.0
Bumps [golang.org/x/net](https://github.com/golang/net) from 0.30.0 to 0.31.0.
- [Commits](https://github.com/golang/net/compare/v0.30.0...v0.31.0)
---
updated-dependencies:
- dependency-name: golang.org/x/net
dependency-type: direct:production
update-type: version-update:semver-minor
...
Signed-off-by: dependabot[bot] <support@github.com>
commit 7a96731c6b03810bb5f45b3bd34806b895d7446e
Merge: 82ec1af2 ce70fb2a
Author: Tatsuhiro Tsujikawa <404610+tatsuhiro-t@users.noreply.github.com>
AuthorDate: 2024-10-30
Commit: GitHub <noreply@github.com>
CommitDate: 2024-10-30
Merge pull request #2268 from TuxInvader/conn-close-bytes
account for bytes on closing connections
commit ce70fb2a3e46a60a73ffe5526be9d1bdc87bd8ba
Author: Mark Boddington <TuxInvader@users.noreply.github.com>
AuthorDate: 2024-10-29
Commit: GitHub <noreply@github.com>
CommitDate: 2024-10-29
remove len check
commit 82ec1af20e05b6f3d7c3b9106f777dcd28e732a1
Merge: 55d4de79 5024c1b2
Author: Tatsuhiro Tsujikawa <404610+tatsuhiro-t@users.noreply.github.com>
AuthorDate: 2024-10-29
Commit: GitHub <noreply@github.com>
CommitDate: 2024-10-29
Merge pull request #2270 from nghttp2/dependabot/go_modules/github.com/quic-go/quic-go-0.48.1
build(deps): bump github.com/quic-go/quic-go from 0.48.0 to 0.48.1
commit 5024c1b2409a35c670fe945eb27c944f0e03d0c9
Author: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
AuthorDate: 2024-10-28
Commit: GitHub <noreply@github.com>
CommitDate: 2024-10-28
build(deps): bump github.com/quic-go/quic-go from 0.48.0 to 0.48.1
Bumps [github.com/quic-go/quic-go](https://github.com/quic-go/quic-go) from 0.48.0 to 0.48.1.
- [Release notes](https://github.com/quic-go/quic-go/releases)
- [Changelog](https://github.com/quic-go/quic-go/blob/master/Changelog.md)
- [Commits](https://github.com/quic-go/quic-go/compare/v0.48.0...v0.48.1)
---
updated-dependencies:
- dependency-name: github.com/quic-go/quic-go
dependency-type: direct:production
update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot] <support@github.com>
commit a30bc25ac7327764863b430da3a713095afbe9df
Author: Mark Boddington <TuxInvader@users.noreply.github.com>
AuthorDate: 2024-10-25
Commit: GitHub <noreply@github.com>
CommitDate: 2024-10-25
account for bytes on closing connections
commit 55d4de7963bc8c2c849cf4ca0c195a6d9f8e12eb
Merge: fcd4f266 69df6871
Author: Tatsuhiro Tsujikawa <404610+tatsuhiro-t@users.noreply.github.com>
AuthorDate: 2024-10-22
Commit: GitHub <noreply@github.com>
CommitDate: 2024-10-22
Merge pull request #2266 from nghttp2/dependabot/go_modules/github.com/quic-go/quic-go-0.48.0
build(deps): bump github.com/quic-go/quic-go from 0.47.0 to 0.48.0
commit 69df6871f63994fa41b09f2d1972ee43982e894b
Author: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
AuthorDate: 2024-10-21
Commit: GitHub <noreply@github.com>
CommitDate: 2024-10-21
build(deps): bump github.com/quic-go/quic-go from 0.47.0 to 0.48.0
Bumps [github.com/quic-go/quic-go](https://github.com/quic-go/quic-go) from 0.47.0 to 0.48.0.
- [Release notes](https://github.com/quic-go/quic-go/releases)
- [Changelog](https://github.com/quic-go/quic-go/blob/master/Changelog.md)
- [Commits](https://github.com/quic-go/quic-go/compare/v0.47.0...v0.48.0)
---
updated-dependencies:
- dependency-name: github.com/quic-go/quic-go
dependency-type: direct:production
update-type: version-update:semver-minor
...
Signed-off-by: dependabot[bot] <support@github.com>
commit fcd4f2663a61d1098cb2fca7d4da7e009f285569
Author: Tatsuhiro Tsujikawa <tatsuhiro.t@gmail.com>
AuthorDate: 2024-10-21
Commit: Tatsuhiro Tsujikawa <tatsuhiro.t@gmail.com>
CommitDate: 2024-10-21
Bump package version

1466
curl/dep/nghttp2/README.rst
Просмотреть файл

Разница между файлами не показана из-за своего большого размера Загрузить разницу

29
curl/dep/nghttp3/AUTHORS.txt
Unescape Просмотреть файл

@ -0,0 +1,29 @@
Alexis La Goutte
Amir Livneh
Bruno S Marques
Bryan Call
Cheng Zhao
Daniel Bevenius
Daniel Stenberg
Deel
Dimitris Apostolou
Don
Don Olmstead
Dusk_NM02
Force Charlie
James M Snell
Javier Blazquez
Li Xinwei
Marek Ludha
Nishant Nori
Ondřej Koláček
Peter Wu
Tal Regev
Tatsuhiro Tsujikawa
Tim Gates
Toni Uhlig
Valère Plantevin
Viktor Szakats
Your Name
lhuang04
mbuhl

22
curl/dep/nghttp3/COPYING.txt
Unescape Просмотреть файл

@ -0,0 +1,22 @@
The MIT License
Copyright (c) 2019 nghttp3 contributors
Permission is hereby granted, free of charge, to any person obtaining
a copy of this software and associated documentation files (the
"Software"), to deal in the Software without restriction, including
without limitation the rights to use, copy, modify, merge, publish,
distribute, sublicense, and/or sell copies of the Software, and to
permit persons to whom the Software is furnished to do so, subject to
the following conditions:
The above copyright notice and this permission notice shall be
included in all copies or substantial portions of the Software.
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

597
curl/dep/nghttp3/ChangeLog.txt
Unescape Просмотреть файл

@ -0,0 +1,597 @@
commit 9ee0c9248f97c502cce01e6c8edcccd3723c61e6
Author: Tatsuhiro Tsujikawa <tatsuhiro.t@gmail.com>
AuthorDate: 2025-04-16
Commit: Tatsuhiro Tsujikawa <tatsuhiro.t@gmail.com>
CommitDate: 2025-04-16
Bump package and library versions
commit 4f0c04a6d01bc66cebccceefea1c3c65b506a9aa
Author: Tatsuhiro Tsujikawa <tatsuhiro.t@gmail.com>
AuthorDate: 2025-04-16
Commit: Tatsuhiro Tsujikawa <tatsuhiro.t@gmail.com>
CommitDate: 2025-04-16
Update AUTHORS
commit 649407f1fc3a12c886077359082f4cc9d474aa66
Merge: d22146c 9a072c5
Author: Tatsuhiro Tsujikawa <404610+tatsuhiro-t@users.noreply.github.com>
AuthorDate: 2025-04-13
Commit: GitHub <noreply@github.com>
CommitDate: 2025-04-13
Merge pull request #354 from ngtcp2/gha-macos-15
GHA: Replace macos-13 with macos-15
commit 9a072c58d38f323cafc34c615ad9f0b0a8955ca9
Author: Tatsuhiro Tsujikawa <tatsuhiro.t@gmail.com>
AuthorDate: 2025-04-13
Commit: Tatsuhiro Tsujikawa <tatsuhiro.t@gmail.com>
CommitDate: 2025-04-13
GHA: Replace macos-13 with macos-15
commit d22146c953a69121d0a51675d68022173d5a1931
Merge: c9c9126 3915768
Author: Tatsuhiro Tsujikawa <404610+tatsuhiro-t@users.noreply.github.com>
AuthorDate: 2025-04-07
Commit: GitHub <noreply@github.com>
CommitDate: 2025-04-07
Merge pull request #353 from ngtcp2/read-varint
Read varint
commit 391576806e8b490f98cc024c591bd86fd6e37b74
Author: Tatsuhiro Tsujikawa <tatsuhiro.t@gmail.com>
AuthorDate: 2025-04-07
Commit: Tatsuhiro Tsujikawa <tatsuhiro.t@gmail.com>
CommitDate: 2025-04-07
Add nghttp3_read_varint tests
commit f4217f434486f65a7965051bf0569af9c2fe968a
Author: Tatsuhiro Tsujikawa <tatsuhiro.t@gmail.com>
AuthorDate: 2025-04-07
Commit: Tatsuhiro Tsujikawa <tatsuhiro.t@gmail.com>
CommitDate: 2025-04-07
Optimize nghttp3_read_varint
commit c9c9126ba6e1ac5264c111908516dd1f4cae49a9
Merge: 0ef1b37 501d19a
Author: Tatsuhiro Tsujikawa <404610+tatsuhiro-t@users.noreply.github.com>
AuthorDate: 2025-04-06
Commit: GitHub <noreply@github.com>
CommitDate: 2025-04-06
Merge pull request #352 from ngtcp2/amend-349
Amend #349
commit 0ef1b378b9a6a3dc1a72cbacca4a358feae2cc2e
Merge: f318ce9 e005882
Author: Tatsuhiro Tsujikawa <404610+tatsuhiro-t@users.noreply.github.com>
AuthorDate: 2025-04-06
Commit: GitHub <noreply@github.com>
CommitDate: 2025-04-06
Merge pull request #351 from ngtcp2/test-submit-info
Add tests for nghttp3_conn_submit_info
commit 501d19ad15485045e942e75d505c2d9d6ecdbf86
Author: Tatsuhiro Tsujikawa <tatsuhiro.t@gmail.com>
AuthorDate: 2025-04-06
Commit: Tatsuhiro Tsujikawa <tatsuhiro.t@gmail.com>
CommitDate: 2025-04-06
Amend #349
commit e005882c98e21f1147851f8a2bab50586ba3762b
Author: Tatsuhiro Tsujikawa <tatsuhiro.t@gmail.com>
AuthorDate: 2025-04-06
Commit: Tatsuhiro Tsujikawa <tatsuhiro.t@gmail.com>
CommitDate: 2025-04-06
Add tests for nghttp3_conn_submit_info
commit f318ce96017ded11b3bc4f10853eb33a6fc18624
Merge: e3443b2 99f26a9
Author: Tatsuhiro Tsujikawa <404610+tatsuhiro-t@users.noreply.github.com>
AuthorDate: 2025-04-06
Commit: GitHub <noreply@github.com>
CommitDate: 2025-04-06
Merge pull request #350 from ngtcp2/security
Add security policy
commit e3443b2cc6568aab62d9d4474626a9c06b9173b8
Merge: e045faa 99fe197
Author: Tatsuhiro Tsujikawa <404610+tatsuhiro-t@users.noreply.github.com>
AuthorDate: 2025-04-06
Commit: GitHub <noreply@github.com>
CommitDate: 2025-04-06
Merge pull request #349 from ngtcp2/share-nva
tests: Share nva
commit 99f26a96b9e309360afcc8272aa76e7b9d355b45
Author: Tatsuhiro Tsujikawa <tatsuhiro.t@gmail.com>
AuthorDate: 2025-04-06
Commit: Tatsuhiro Tsujikawa <tatsuhiro.t@gmail.com>
CommitDate: 2025-04-06
Add security policy
commit 99fe197099d167ff57c3ceea5ed167ebdec68779
Author: Tatsuhiro Tsujikawa <tatsuhiro.t@gmail.com>
AuthorDate: 2025-04-06
Commit: Tatsuhiro Tsujikawa <tatsuhiro.t@gmail.com>
CommitDate: 2025-04-06
tests: Share nva
commit e045faa1be375a5256e207117eabc88eca07808e
Merge: 7e121df 2ad0284
Author: Tatsuhiro Tsujikawa <404610+tatsuhiro-t@users.noreply.github.com>
AuthorDate: 2025-04-06
Commit: GitHub <noreply@github.com>
CommitDate: 2025-04-06
Merge pull request #348 from ngtcp2/push-tests
Add a test for server push
commit 2ad0284f26e05cbfdc558fe1336aa76f785a434e
Author: Tatsuhiro Tsujikawa <tatsuhiro.t@gmail.com>
AuthorDate: 2025-04-06
Commit: Tatsuhiro Tsujikawa <tatsuhiro.t@gmail.com>
CommitDate: 2025-04-06
Add a test for server push
commit 7e121df7443d0fd33d47e21995d91c7ce21fd539
Merge: 8d495f6 17f5b11
Author: Tatsuhiro Tsujikawa <404610+tatsuhiro-t@users.noreply.github.com>
AuthorDate: 2025-03-23
Commit: GitHub <noreply@github.com>
CommitDate: 2025-03-23
Merge pull request #345 from ngtcp2/add-http-tests
Add more HTTP header related tests
commit 17f5b1187024da27a663eab39c51ad927c8dd9b4
Author: Tatsuhiro Tsujikawa <tatsuhiro.t@gmail.com>
AuthorDate: 2025-03-23
Commit: Tatsuhiro Tsujikawa <tatsuhiro.t@gmail.com>
CommitDate: 2025-03-23
Add more HTTP header related tests
commit 8d495f6884e3e5e266bae8b1caf7d88bbbd917a2
Merge: 0d59371 6cc517c
Author: Tatsuhiro Tsujikawa <404610+tatsuhiro-t@users.noreply.github.com>
AuthorDate: 2025-03-23
Commit: GitHub <noreply@github.com>
CommitDate: 2025-03-23
Merge pull request #344 from ngtcp2/add-missing-defined
examples: Add missing defined() in comment
commit 6cc517ca7e8522e1dfff63b6f0fdbc6adabd79b9
Author: Tatsuhiro Tsujikawa <tatsuhiro.t@gmail.com>
AuthorDate: 2025-03-23
Commit: Tatsuhiro Tsujikawa <tatsuhiro.t@gmail.com>
CommitDate: 2025-03-23
examples: Add missing defined() in comment
commit 0d593719310786676a720c5543575ac9b4a02bb0
Merge: 4fffb2f 98f8121
Author: Tatsuhiro Tsujikawa <404610+tatsuhiro-t@users.noreply.github.com>
AuthorDate: 2025-03-16
Commit: GitHub <noreply@github.com>
CommitDate: 2025-03-16
Merge pull request #343 from ngtcp2/fix-fuzz
Fix fuzzer failure
commit 98f81217aa26a76d22af455f19fd3f4a161bcae9
Author: Tatsuhiro Tsujikawa <tatsuhiro.t@gmail.com>
AuthorDate: 2025-03-16
Commit: Tatsuhiro Tsujikawa <tatsuhiro.t@gmail.com>
CommitDate: 2025-03-16
Fix fuzzer failure
If QUIC stack works properly, we never get any data on closed stream.
But the fuzzer currently does not check the stream state.
commit 4fffb2f68bbb180e9a02504f72c2833ca39c8a91
Merge: 55e85ab 4484ca7
Author: Tatsuhiro Tsujikawa <404610+tatsuhiro-t@users.noreply.github.com>
AuthorDate: 2025-03-16
Commit: GitHub <noreply@github.com>
CommitDate: 2025-03-16
Merge pull request #342 from ngtcp2/initial-rx-http-state
Set initial rx http state on stream creation
commit 55e85aba65c8c59297a90b3e3bf80816587725ff
Merge: 20efc98 5027db7
Author: Tatsuhiro Tsujikawa <404610+tatsuhiro-t@users.noreply.github.com>
AuthorDate: 2025-03-16
Commit: GitHub <noreply@github.com>
CommitDate: 2025-03-16
Merge pull request #341 from ngtcp2/assertions-fix
Assertions fix
commit 4484ca796fbf15e7ed95146b744bfb1847bf5a3d
Author: Tatsuhiro Tsujikawa <tatsuhiro.t@gmail.com>
AuthorDate: 2025-03-16
Commit: Tatsuhiro Tsujikawa <tatsuhiro.t@gmail.com>
CommitDate: 2025-03-16
Set initial rx http state on stream creation
commit 5027db7ded680974395121a4ed6c5e42dac584f9
Author: Tatsuhiro Tsujikawa <tatsuhiro.t@gmail.com>
AuthorDate: 2025-03-16
Commit: Tatsuhiro Tsujikawa <tatsuhiro.t@gmail.com>
CommitDate: 2025-03-16
Use assert_true/assert_false when checking fin
commit 3c04300f98d81e948b5bf7239c7977e3c412dea4
Author: Tatsuhiro Tsujikawa <tatsuhiro.t@gmail.com>
AuthorDate: 2025-03-16
Commit: Tatsuhiro Tsujikawa <tatsuhiro.t@gmail.com>
CommitDate: 2025-03-16
Prefer assert_TYPE to assert_true/assert_false
commit 69199cb621bb82072931dffba404bfd1626f3aa4
Author: Tatsuhiro Tsujikawa <tatsuhiro.t@gmail.com>
AuthorDate: 2025-03-16
Commit: Tatsuhiro Tsujikawa <tatsuhiro.t@gmail.com>
CommitDate: 2025-03-16
Use assert_ptrdiff for sveccnt
commit de8b31af138faaaf20fb6f6d4255160a8f391637
Author: Tatsuhiro Tsujikawa <tatsuhiro.t@gmail.com>
AuthorDate: 2025-03-16
Commit: Tatsuhiro Tsujikawa <tatsuhiro.t@gmail.com>
CommitDate: 2025-03-16
Add missing checks for nconsumed
commit 20efc98fdc8d60ada93c9c93692149ca09307a64
Merge: 16fa2b4 86f6b06
Author: Tatsuhiro Tsujikawa <404610+tatsuhiro-t@users.noreply.github.com>
AuthorDate: 2025-03-16
Commit: GitHub <noreply@github.com>
CommitDate: 2025-03-16
Merge pull request #340 from ngtcp2/tests-rx-http-state
Add tests for rx http state
commit 86f6b069b1d813701e58a5a136e46bb0c2f4b05d
Author: Tatsuhiro Tsujikawa <tatsuhiro.t@gmail.com>
AuthorDate: 2025-03-16
Commit: Tatsuhiro Tsujikawa <tatsuhiro.t@gmail.com>
CommitDate: 2025-03-16
Add tests for rx http state
commit 16fa2b47a91414396d6a455c8a9f7052858f1c73
Merge: 1722bed bf4db54
Author: Tatsuhiro Tsujikawa <404610+tatsuhiro-t@users.noreply.github.com>
AuthorDate: 2025-03-16
Commit: GitHub <noreply@github.com>
CommitDate: 2025-03-16
Merge pull request #339 from ngtcp2/fix-fin-ack
Do not ack 0-byte vector with fin which has not been handed out
commit bf4db5417875c4ff1068193cf7ea0feb16e47cd7
Author: Tatsuhiro Tsujikawa <tatsuhiro.t@gmail.com>
AuthorDate: 2025-03-16
Commit: Tatsuhiro Tsujikawa <tatsuhiro.t@gmail.com>
CommitDate: 2025-03-16
Do not ack 0-byte vector with fin which has not been handed out
commit 1722bede569e7ca13398d5033b2eed5e565788a8
Merge: 1885751 6c4868b
Author: Tatsuhiro Tsujikawa <404610+tatsuhiro-t@users.noreply.github.com>
AuthorDate: 2025-03-15
Commit: GitHub <noreply@github.com>
CommitDate: 2025-03-15
Merge pull request #338 from ngtcp2/amend-337
Amend #337 removing unnecessary casts
commit 6c4868b86cdc3ca0cdad6019ba52add88d6e5363
Author: Tatsuhiro Tsujikawa <tatsuhiro.t@gmail.com>
AuthorDate: 2025-03-15
Commit: Tatsuhiro Tsujikawa <tatsuhiro.t@gmail.com>
CommitDate: 2025-03-15
Amend #337 removing unnecessary casts
commit 18857517a30aa86214e80827b0c1ea49ee01c3d3
Merge: 8cd230e 227ec04
Author: Tatsuhiro Tsujikawa <404610+tatsuhiro-t@users.noreply.github.com>
AuthorDate: 2025-03-15
Commit: GitHub <noreply@github.com>
CommitDate: 2025-03-15
Merge pull request #337 from ngtcp2/add-tests
Add tests
commit 227ec04bc3f7075a938821c4fe3bcd33bfc9e421
Author: Tatsuhiro Tsujikawa <tatsuhiro.t@gmail.com>
AuthorDate: 2025-03-15
Commit: Tatsuhiro Tsujikawa <tatsuhiro.t@gmail.com>
CommitDate: 2025-03-15
Add test for nghttp3_stream_buffer_data called twice
commit f1d390afef585b4ace39133772eaedc2a54cff64
Author: Tatsuhiro Tsujikawa <tatsuhiro.t@gmail.com>
AuthorDate: 2025-03-15
Commit: Tatsuhiro Tsujikawa <tatsuhiro.t@gmail.com>
CommitDate: 2025-03-15
Add tests for writing QPACK decoder stream
commit 7bb8268e6378fb6993309d889a8f8ed94a940bfd
Author: Tatsuhiro Tsujikawa <tatsuhiro.t@gmail.com>
AuthorDate: 2025-03-15
Commit: Tatsuhiro Tsujikawa <tatsuhiro.t@gmail.com>
CommitDate: 2025-03-15
Add tests for appending to last shared buffer
commit fb121ee0001762f3adae103ef6ecf344db128b7e
Author: Tatsuhiro Tsujikawa <tatsuhiro.t@gmail.com>
AuthorDate: 2025-03-14
Commit: Tatsuhiro Tsujikawa <tatsuhiro.t@gmail.com>
CommitDate: 2025-03-15
Add tests for large request header
commit fa0b38686651c18a49497c742ad897bd76b253c5
Author: Tatsuhiro Tsujikawa <tatsuhiro.t@gmail.com>
AuthorDate: 2025-03-14
Commit: Tatsuhiro Tsujikawa <tatsuhiro.t@gmail.com>
CommitDate: 2025-03-15
Add tests for nghttp3_stream_write_settings
commit 8cd230eb9ec5305cf8aa43c8ea59391287ab2273
Merge: aac94e3 7632c2b
Author: Tatsuhiro Tsujikawa <404610+tatsuhiro-t@users.noreply.github.com>
AuthorDate: 2025-03-15
Commit: GitHub <noreply@github.com>
CommitDate: 2025-03-15
Merge pull request #336 from ngtcp2/remove-stream-outq_offset
Remove outq_offset from nghttp3_stream
commit 7632c2b115da60715424de4360c1f11583ef9e67
Author: Tatsuhiro Tsujikawa <tatsuhiro.t@gmail.com>
AuthorDate: 2025-03-15
Commit: Tatsuhiro Tsujikawa <tatsuhiro.t@gmail.com>
CommitDate: 2025-03-15
Remove outq_offset from nghttp3_stream
commit aac94e3ef03c11c667a456da863b581049063e22
Merge: 91a399b f0f6377
Author: Tatsuhiro Tsujikawa <404610+tatsuhiro-t@users.noreply.github.com>
AuthorDate: 2025-03-15
Commit: GitHub <noreply@github.com>
CommitDate: 2025-03-15
Merge pull request #335 from ngtcp2/simplify
Simplify
commit f0f63774b34a7b47cf2cecb774c09a536ae50ed8
Author: Tatsuhiro Tsujikawa <tatsuhiro.t@gmail.com>
AuthorDate: 2025-03-15
Commit: Tatsuhiro Tsujikawa <tatsuhiro.t@gmail.com>
CommitDate: 2025-03-15
Simplify nghttp3_stream_add_outq_offset
commit 7bd5bc5fc4e75a2f1be5f0e70d1e83023969bdad
Author: Tatsuhiro Tsujikawa <tatsuhiro.t@gmail.com>
AuthorDate: 2025-03-15
Commit: Tatsuhiro Tsujikawa <tatsuhiro.t@gmail.com>
CommitDate: 2025-03-15
Assert that end offset has not changed
commit 38b9205a2eea50890fdec93cf0e8916e73554e25
Author: Tatsuhiro Tsujikawa <tatsuhiro.t@gmail.com>
AuthorDate: 2025-03-15
Commit: Tatsuhiro Tsujikawa <tatsuhiro.t@gmail.com>
CommitDate: 2025-03-15
Just return rv
commit 91a399b3b256c8395d4970357849ca6e40408b53
Merge: 2b680a4 4e26353
Author: Tatsuhiro Tsujikawa <404610+tatsuhiro-t@users.noreply.github.com>
AuthorDate: 2025-03-15
Commit: GitHub <noreply@github.com>
CommitDate: 2025-03-15
Merge pull request #334 from ngtcp2/update-ack-offset-remove-unreachable
nghttp3_stream_update_ack_offset: Remove unreachable code
commit 4e2635364a48dd35a92566bd85ee28ee1fd950dd
Author: Tatsuhiro Tsujikawa <tatsuhiro.t@gmail.com>
AuthorDate: 2025-03-15
Commit: Tatsuhiro Tsujikawa <tatsuhiro.t@gmail.com>
CommitDate: 2025-03-15
nghttp3_stream_update_ack_offset: Remove unreachable code
commit 2b680a431bc504031f72162eac9266c8d978bd00
Merge: e063e82 51ebf47
Author: Tatsuhiro Tsujikawa <404610+tatsuhiro-t@users.noreply.github.com>
AuthorDate: 2025-03-15
Commit: GitHub <noreply@github.com>
CommitDate: 2025-03-15
Merge pull request #333 from ngtcp2/amend-330
Amend #330
commit e063e820b4b0ba57277896f33ac0714e84faf89b
Merge: 06f2dd1 cfe1ce8
Author: Tatsuhiro Tsujikawa <404610+tatsuhiro-t@users.noreply.github.com>
AuthorDate: 2025-03-15
Commit: GitHub <noreply@github.com>
CommitDate: 2025-03-15
Merge pull request #332 from ngtcp2/clang-format
clang-format
commit 51ebf4798e693255a017a41092804805fc7a3cf5
Author: Tatsuhiro Tsujikawa <tatsuhiro.t@gmail.com>
AuthorDate: 2025-03-14
Commit: Tatsuhiro Tsujikawa <tatsuhiro.t@gmail.com>
CommitDate: 2025-03-15
Amend #330
commit cfe1ce8e4bc93931537b3b3d546ac2c0eeea7b1b
Author: Tatsuhiro Tsujikawa <tatsuhiro.t@gmail.com>
AuthorDate: 2025-03-15
Commit: Tatsuhiro Tsujikawa <tatsuhiro.t@gmail.com>
CommitDate: 2025-03-15
clang-format
commit 06f2dd1b9e46d837cb1458d942090c3081c59f4d
Merge: 2170036 ddb7713
Author: Tatsuhiro Tsujikawa <404610+tatsuhiro-t@users.noreply.github.com>
AuthorDate: 2025-03-15
Commit: GitHub <noreply@github.com>
CommitDate: 2025-03-15
Merge pull request #325 from BombaxCeiba/popcnt_cause_crash
Add a CMake option to support disabling the popcnt instruction
commit 2170036de997f0dfd3a3445a2f1047efdca9bd8d
Merge: 9be23c1 f0e5612
Author: Tatsuhiro Tsujikawa <404610+tatsuhiro-t@users.noreply.github.com>
AuthorDate: 2025-03-09
Commit: GitHub <noreply@github.com>
CommitDate: 2025-03-09
Merge pull request #331 from ngtcp2/simplify-tests
Simplify tests with helper functions
commit f0e56129741fb28d8de3a5ad9d01f6e2f39be47f
Author: Tatsuhiro Tsujikawa <tatsuhiro.t@gmail.com>
AuthorDate: 2025-03-09
Commit: Tatsuhiro Tsujikawa <tatsuhiro.t@gmail.com>
CommitDate: 2025-03-09
Simplify tests with helper functions
commit 9be23c16f277582a6e216a816db86c88f1632420
Merge: b7f9c79 ccfc423
Author: Tatsuhiro Tsujikawa <404610+tatsuhiro-t@users.noreply.github.com>
AuthorDate: 2025-03-09
Commit: GitHub <noreply@github.com>
CommitDate: 2025-03-09
Merge pull request #330 from ngtcp2/add-tests
Add tests
commit ccfc42381b56a92db700744ff3715fda2806343f
Author: Tatsuhiro Tsujikawa <tatsuhiro.t@gmail.com>
AuthorDate: 2025-03-09
Commit: Tatsuhiro Tsujikawa <tatsuhiro.t@gmail.com>
CommitDate: 2025-03-09
Add helper objects to simplify tests
commit 1c37b63e58061381e13e8da0d3587062c261cc0b
Author: Tatsuhiro Tsujikawa <tatsuhiro.t@gmail.com>
AuthorDate: 2025-03-09
Commit: Tatsuhiro Tsujikawa <tatsuhiro.t@gmail.com>
CommitDate: 2025-03-09
Add test_nghttp3_conn_set_client_stream_priority
commit ddb77134787e1c071ef137e6f3dc80f60cfea8ad
Author: Dusk_NM02 <Dusk.11th@outlook.com>
AuthorDate: 2025-03-08
Commit: Dusk_NM02 <Dusk.11th@outlook.com>
CommitDate: 2025-03-08
Move ENABLE_POPCNT to CMakeOptions.txt
commit b7f9c79dbb3d6d16d0fda13a51709908c35d9949
Merge: 5776fc2 83b4938
Author: Tatsuhiro Tsujikawa <404610+tatsuhiro-t@users.noreply.github.com>
AuthorDate: 2025-03-02
Commit: GitHub <noreply@github.com>
CommitDate: 2025-03-02
Merge pull request #327 from ngtcp2/remove-pq-each
Remove unused nghttp3_pq_each
commit 83b4938164ee32084b502783e70da80572dcd060
Author: Tatsuhiro Tsujikawa <tatsuhiro.t@gmail.com>
AuthorDate: 2025-03-02
Commit: Tatsuhiro Tsujikawa <tatsuhiro.t@gmail.com>
CommitDate: 2025-03-02
Remove unused nghttp3_pq_each
commit 3811bbf6e026b93e18aaeb06df7a073acb716354
Author: Dusk_NM02 <Dusk.11th@outlook.com>
AuthorDate: 2025-02-23
Commit: Dusk_NM02 <Dusk.11th@outlook.com>
CommitDate: 2025-02-23
Fix popcnt cause crashes on unsupported devices
commit 5776fc22da9e0c8e5c992c47829d42cb7853ac8f
Author: Tatsuhiro Tsujikawa <tatsuhiro.t@gmail.com>
AuthorDate: 2025-02-21
Commit: Tatsuhiro Tsujikawa <tatsuhiro.t@gmail.com>
CommitDate: 2025-02-21
Bump package version

73
curl/dep/nghttp3/README.rst
Unescape Просмотреть файл

@ -0,0 +1,73 @@
nghttp3
=======
nghttp3 is an implementation of `RFC 9114
<https://datatracker.ietf.org/doc/html/rfc9114>`_ HTTP/3 mapping over
QUIC and `RFC 9204 <https://datatracker.ietf.org/doc/html/rfc9204>`_
QPACK in C.
It does not depend on any particular QUIC transport implementation.
Documentation
-------------
`Online documentation <https://nghttp2.org/nghttp3/>`_ is available.
Build from git
---------------
.. code-block:: shell
$ git clone https://github.com/ngtcp2/nghttp3
$ cd nghttp3
$ git submodule update --init
$ autoreconf -i
$ ./configure
$ make -j$(nproc) check
HTTP/3
------
This library implements `RFC 9114
<https://datatracker.ietf.org/doc/html/rfc9114>`_ HTTP/3. It does not
support server push.
The following extensions have been implemented:
- `Extensible Prioritization Scheme for HTTP
<https://datatracker.ietf.org/doc/html/rfc9218>`_
- `Bootstrapping WebSockets with HTTP/3
<https://datatracker.ietf.org/doc/html/rfc9220>`_
It can also send and receive `SETTINGS_H3_DATAGRAM` from `HTTP
Datagrams and the Capsule Protocol
<https://datatracker.ietf.org/doc/html/rfc9297>`_.
QPACK
-----
This library implements `RFC 9204
<https://datatracker.ietf.org/doc/html/rfc9204>`_ QPACK. It supports
dynamic table.
Optimizations
-------------
This library optionally uses AVX2, if available, to optimize its
performance. To compile with AVX2, add ``-mavx2`` to CFLAGS. Note
that by default, CFLAGS is set to ``-g -O2``. When specifying CFLAGS,
include them as well (e.g., ``-g -O2 -mavx2``).
Examples
--------
- client: https://github.com/ngtcp2/ngtcp2/blob/main/examples/client.cc
- server: https://github.com/ngtcp2/ngtcp2/blob/main/examples/server.cc
- curl: https://github.com/curl/curl/blob/master/lib/vquic/curl_ngtcp2.c
License
-------
The MIT License
Copyright (c) 2019 nghttp3 contributors

66
curl/dep/ngtcp2/AUTHORS.txt
Unescape Просмотреть файл

@ -0,0 +1,66 @@
Alexis La Goutte
Amir Livneh
Anna Henningsen
Atle Solbakken
Bas van den Berg
Billy Robert O'Neal III
Bruno S Marques
Bryan Call
Cheng Zhao
Daan De Meyer
Daiki Ueno
Daniel Bevenius
Daniel Stenberg
Dave Reisner
Don
Don Olmstead
Frank Osterfeld
Frédéric Lécaille
Félix Dagenais
Irina Guberman
James M Snell
Jan Doskočil
Jason Rhinelander
Javier Blazquez
Jay Satiro
Jean-Philippe Boivin
Jiawen Geng
Junqi Wang
Karthikdasari0423
Kazu Yamamoto
Ken-ichi ICHINO
Kenjiro Nakayama
Lars Eggert
Liang Ma
Marin Rukavina
Mark Chiou
Martin Thomson
Michael White
Moritz Buhl
NKTelnet
Natris
Nishant Nori
Patrick Griffis
Pavel Otchertsov
Peter Wu
Samuel Henrique
Stefan Eissing
Tal Regev
Tatsuhiro Tsujikawa
Tim Gates
Tomas Mraz
Toni Uhlig
Valère Plantevin
Victor Loh
Viktor Szakats
Your Name
Zizhong Zhang
flx413
hondaxiao
hyunjic
junqiw
msoxzw
nickfajones
rhoxn
scw00
shibin k v

22
curl/dep/ngtcp2/COPYING.txt
Unescape Просмотреть файл

@ -0,0 +1,22 @@
The MIT License
Copyright (c) 2016 ngtcp2 contributors
Permission is hereby granted, free of charge, to any person obtaining
a copy of this software and associated documentation files (the
"Software"), to deal in the Software without restriction, including
without limitation the rights to use, copy, modify, merge, publish,
distribute, sublicense, and/or sell copies of the Software, and to
permit persons to whom the Software is furnished to do so, subject to
the following conditions:
The above copyright notice and this permission notice shall be
included in all copies or substantial portions of the Software.
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

1052
curl/dep/ngtcp2/ChangeLog.txt
Просмотреть файл

Разница между файлами не показана из-за своего большого размера Загрузить разницу

379
curl/dep/ngtcp2/README.rst
Unescape Просмотреть файл

@ -0,0 +1,379 @@
ngtcp2
======
"Call it TCP/2. One More Time."
ngtcp2 project is an effort to implement `RFC9000
<https://datatracker.ietf.org/doc/html/rfc9000>`_ QUIC protocol.
Documentation
-------------
`Online documentation <https://nghttp2.org/ngtcp2/>`_ is available.
Public test server
------------------
The following endpoints are available to try out ngtcp2
implementation:
- https://nghttp2.org:4433
- https://nghttp2.org:4434 (requires address validation token)
- https://nghttp2.org (powered by `nghttpx
<https://nghttp2.org/documentation/nghttpx.1.html>`_)
This endpoints sends Alt-Svc header field to clients if it is
accessed via HTTP/1.1 or HTTP/2 to tell them that HTTP/3 is
available at UDP 443.
Requirements
------------
The libngtcp2 C library itself does not depend on any external
libraries. The example client, and server are written in C++20, and
should compile with the modern C++ compilers (e.g., clang >= 11.0, or
gcc >= 11.0).
The following packages are required to configure the build system:
- pkg-config >= 0.20
- autoconf
- automake
- autotools-dev
- libtool
To build sources under the examples directory, libev and nghttp3 are
required:
- libev
- `nghttp3 <https://github.com/ngtcp2/nghttp3>`_ for HTTP/3
To enable `TLS Certificate Compression
<https://datatracker.ietf.org/doc/html/rfc8879>`_ in bsslclient and
bsslserver (BoringSSL (aws-lc) examples client and server), the
following library is required:
- libbrotli-dev >= 1.0.9
ngtcp2 crypto helper library, and client and server under examples
directory require at least one of the following TLS backends:
- `quictls
<https://github.com/quictls/openssl/tree/OpenSSL_1_1_1w+quic>`_
- GnuTLS >= 3.7.5
- BoringSSL (commit 23018360710de333b3343e63cbb3bd2dceb3287d);
or aws-lc >= 1.39.0
- Picotls (commit bbcdbe6dc31ec5d4b72a7beece4daf58098bad42)
- wolfSSL >= 5.5.0
- LibreSSL >= v3.9.2
- OpenSSL >= 3.5.0 (experimental)
Before building from git
------------------------
When build from git, run the following command to pull submodules:
.. code-block:: shell
$ git submodule update --init
Build with wolfSSL
------------------
.. code-block:: shell
$ git clone --depth 1 -b v5.7.6-stable https://github.com/wolfSSL/wolfssl
$ cd wolfssl
$ autoreconf -i
$ # For wolfSSL < v5.6.6, append --enable-quic.
$ ./configure --prefix=$PWD/build \
--enable-all --enable-aesni --enable-harden --enable-keylog-export \
--disable-ech
$ make -j$(nproc)
$ make install
$ cd ..
$ git clone --recursive https://github.com/ngtcp2/nghttp3
$ cd nghttp3
$ autoreconf -i
$ ./configure --prefix=$PWD/build --enable-lib-only
$ make -j$(nproc) check
$ make install
$ cd ..
$ git clone --recursive https://github.com/ngtcp2/ngtcp2
$ cd ngtcp2
$ autoreconf -i
$ # For Mac users who have installed libev with MacPorts, append
$ # LIBEV_CFLAGS="-I/opt/local/include" LIBEV_LIBS="-L/opt/local/lib -lev"
$ ./configure PKG_CONFIG_PATH=$PWD/../wolfssl/build/lib/pkgconfig:$PWD/../nghttp3/build/lib/pkgconfig \
--with-wolfssl
$ make -j$(nproc) check
Build with BoringSSL
--------------------
.. code-block:: shell
$ git clone https://boringssl.googlesource.com/boringssl
$ cd boringssl
$ git checkout 23018360710de333b3343e63cbb3bd2dceb3287d
$ cmake -B build -DCMAKE_POSITION_INDEPENDENT_CODE=ON
$ make -j$(nproc) -C build
$ cd ..
$ git clone --recursive https://github.com/ngtcp2/nghttp3
$ cd nghttp3
$ autoreconf -i
$ ./configure --prefix=$PWD/build --enable-lib-only
$ make -j$(nproc) check
$ make install
$ cd ..
$ git clone --recursive https://github.com/ngtcp2/ngtcp2
$ cd ngtcp2
$ autoreconf -i
$ # For Mac users who have installed libev with MacPorts, append
$ # LIBEV_CFLAGS="-I/opt/local/include" LIBEV_LIBS="-L/opt/local/lib -lev"
$ ./configure PKG_CONFIG_PATH=$PWD/../nghttp3/build/lib/pkgconfig \
BORINGSSL_LIBS="-L$PWD/../boringssl/build/ssl -lssl -L$PWD/../boringssl/build/crypto -lcrypto" \
BORINGSSL_CFLAGS="-I$PWD/../boringssl/include" \
--with-boringssl
$ make -j$(nproc) check
Build with aws-lc
-----------------
.. code-block:: shell
$ git clone --depth 1 -b v1.49.1 https://github.com/aws/aws-lc
$ cd aws-lc
$ cmake -B build -DDISABLE_GO=ON
$ make -j$(nproc) -C build
$ cd ..
$ git clone --recursive https://github.com/ngtcp2/nghttp3
$ cd nghttp3
$ autoreconf -i
$ ./configure --prefix=$PWD/build --enable-lib-only
$ make -j$(nproc) check
$ make install
$ cd ..
$ git clone --recursive https://github.com/ngtcp2/ngtcp2
$ cd ngtcp2
$ autoreconf -i
$ # For Mac users who have installed libev with MacPorts, append
$ # LIBEV_CFLAGS="-I/opt/local/include" LIBEV_LIBS="-L/opt/local/lib -lev"
$ ./configure PKG_CONFIG_PATH=$PWD/../nghttp3/build/lib/pkgconfig \
BORINGSSL_CFLAGS="-I$PWD/../aws-lc/include" \
BORINGSSL_LIBS="-L$PWD/../aws-lc/build/ssl -lssl -L$PWD/../aws-lc/build/crypto -lcrypto" \
--with-boringssl
$ make -j$(nproc) check
Build with libressl
-----------------
.. code-block:: shell
$ git clone --depth 1 -b v4.0.0 https://github.com/libressl/portable.git libressl
$ cd libressl
$ # Workaround autogen.sh failure
$ export LIBRESSL_GIT_OPTIONS="-b libressl-v4.0.0"
$ ./autogen.sh
$ ./configure --prefix=$PWD/build
$ make -j$(nproc) install
$ cd ..
$ git clone --recursive https://github.com/ngtcp2/nghttp3
$ cd nghttp3
$ autoreconf -i
$ ./configure --prefix=$PWD/build --enable-lib-only
$ make -j$(nproc) check
$ make install
$ cd ..
$ git clone --recursive https://github.com/ngtcp2/ngtcp2
$ cd ngtcp2
$ autoreconf -i
$ # For Mac users who have installed libev with MacPorts, append
$ # LIBEV_CFLAGS="-I/opt/homebrew/Cellar/libev/4.33/include" LIBEV_LIBS="-L/opt/homebrew/Cellar/libev/4.33/lib -lev"
$ ./configure PKG_CONFIG_PATH=$PWD/../nghttp3/build/lib/pkgconfig:$PWD/../libressl/build/lib/pkgconfig
$ make -j$(nproc) check
Client/Server
-------------
After successful build, the client and server executable should be
found under examples directory. They talk HTTP/3.
Client
~~~~~~
.. code-block:: shell
$ examples/wsslclient [OPTIONS] <HOST> <PORT> [<URI>...]
The notable options are:
- ``-d``, ``--data=<PATH>``: Read data from <PATH> and send it to a
peer.
Server
~~~~~~
.. code-block:: shell
$ examples/wsslserver [OPTIONS] <ADDR> <PORT> <PRIVATE_KEY_FILE> <CERTIFICATE_FILE>
The notable options are:
- ``-V``, ``--validate-addr``: Enforce stateless address validation.
H09wsslclient/H09wsslserver
---------------------------
There are h09wsslclient and h09wsslserver which speak HTTP/0.9. They
are written just for `quic-interop-runner
<https://github.com/marten-seemann/quic-interop-runner>`_. They share
the basic functionalities with HTTP/3 client and server but have less
functions (e.g., h09wsslclient does not have a capability to send
request body, and h09wsslserver does not understand numeric request
path, like /1000).
Resumption and 0-RTT
--------------------
In order to resume a session, a session ticket, and a transport
parameters must be fetched from server. First, run
examples/wsslclient with --session-file, and --tp-file options which
specify a path to session ticket, and transport parameter files
respectively to save them locally.
Once these files are available, run examples/wsslclient with the same
arguments again. You will see that session is resumed in your log if
resumption succeeds. Resuming session makes server's first Handshake
packet pretty small because it does not send its certificates.
To send 0-RTT data, after making sure that resumption works, use -d
option to specify a file which contains data to send.
Token (Not something included in Retry packet)
----------------------------------------------
QUIC server might send a token to client after connection has been
established. Client can send this token in subsequent connection to
the server. Server verifies the token and if it succeeds, the address
validation completes and lifts some restrictions on server which might
speed up transfer. In order to save and/or load a token,
use --token-file option of examples/wsslclient. The given file is
overwritten if it already exists when storing a token.
Crypto helper library
---------------------
In order to make TLS stack integration less painful, we provide a
crypto helper library which offers the basic crypto operations.
The header file exists under crypto/includes/ngtcp2 directory.
Each library file is built for a particular TLS backend. The
available crypto helper libraries are:
- libngtcp2_crypto_quictls: Use quictls and libressl as TLS backend
- libngtcp2_crypto_gnutls: Use GnuTLS as TLS backend
- libngtcp2_crypto_boringssl: Use BoringSSL and aws-lc as TLS backend
- libngtcp2_crypto_picotls: Use Picotls as TLS backend
- libngtcp2_crypto_wolfssl: Use wolfSSL as TLS backend
- libngtcp2_crypto_ossl: Use OpenSSL as TLS backend (experimental)
Because BoringSSL and Picotls are an unversioned product, we only
tested their particular revision. See Requirements section above.
We use Picotls with OpenSSL as crypto backend.
libngtcp2_crypto_ossl has some restrictions for its use because
OpenSSL QUIC TLS API requires us to keep crypto data in tact until it
says that they are no longer used. It also requires us to keep
transport parameter buffer. This extra book keeping is just done for
a couple of TLS messages exchanged during handshake and a couple of
session tickets after handshake. If you absolutely need to use
OpenSSL backend, your application must make sure that:
- Keep `ngtcp2_conn` alive until ``SSL`` object is freed by
``SSL_free``; or
- Call ``SSL_set_app_data(ssl, NULL)`` before calling ``SSL_free``
If you cannot make sure neither of them, it is a good time to migrate
your application to the other alternative (e.g., wolfSSL, aws-lc).
libngtcp2_crypto_quictls and libngtcp2_crypto_ossl cannot be built at
the same time.
The examples directory contains client and server that are linked to
those crypto helper libraries and TLS backends. They are only built
if their corresponding crypto helper library is built:
- qtlsclient: quictls(libressl) client
- qtlsserver: quictls(libressl) server
- gtlsclient: GnuTLS client
- gtlsserver: GnuTLS server
- bsslclient: BoringSSL(aws-lc) client
- bsslserver: BoringSSL(aws-lc) server
- ptlsclient: Picotls client
- ptlsserver: Picotls server
- wsslclient: wolfSSL client
- wsslserver: wolfSSL server
- osslclient: OpenSSL client
- osslserver: OpenSSL server
QUIC protocol extensions
-------------------------
The library implements the following QUIC protocol extensions:
- `An Unreliable Datagram Extension to QUIC
<https://datatracker.ietf.org/doc/html/rfc9221>`_
- `Greasing the QUIC Bit
<https://datatracker.ietf.org/doc/html/rfc9287>`_
- `Compatible Version Negotiation for QUIC
<https://datatracker.ietf.org/doc/html/rfc9368>`_
- `QUIC Version 2
<https://datatracker.ietf.org/doc/html/rfc9369>`_
Configuring Wireshark for QUIC
------------------------------
`Wireshark <https://www.wireshark.org/download.html>`_ can be configured to
analyze QUIC traffic using the following steps:
1. Set *SSLKEYLOGFILE* environment variable:
.. code-block:: shell
$ export SSLKEYLOGFILE=quic_keylog_file
2. Set the port that QUIC uses
Go to *Preferences->Protocols->QUIC* and set the port the program
listens to. In the case of the example application this would be
the port specified on the command line.
3. Set Pre-Master-Secret logfile
Go to *Preferences->Protocols->TLS* and set the *Pre-Master-Secret
log file* to the same value that was specified for *SSLKEYLOGFILE*.
4. Choose the correct network interface for capturing
Make sure you choose the correct network interface for
capturing. For example, if using localhost choose the *loopback*
network interface on macos.
5. Create a filter
Create A filter for the udp.port and set the port to the port the
application is listening to. For example:
.. code-block:: text
udp.port == 7777
License
-------
The MIT License
Copyright (c) 2016 ngtcp2 contributors

19
curl/dep/zlibng/LICENSE.md
Unescape Просмотреть файл

@ -0,0 +1,19 @@
(C) 1995-2024 Jean-loup Gailly and Mark Adler
This software is provided 'as-is', without any express or implied
warranty. In no event will the authors be held liable for any damages
arising from the use of this software.
Permission is granted to anyone to use this software for any purpose,
including commercial applications, and to alter it and redistribute it
freely, subject to the following restrictions:
1. The origin of this software must not be misrepresented; you must not
claim that you wrote the original software. If you use this software
in a product, an acknowledgment in the product documentation would be
appreciated but is not required.
2. Altered source versions must be plainly marked as such, and must not be
misrepresented as being the original software.
3. This notice may not be removed or altered from any source distribution.

228
curl/dep/zlibng/README.md
Unescape Просмотреть файл

@ -0,0 +1,228 @@
| CI | Stable | Develop |
|:---|:-------|:--------|
| GitHub Actions | [![Stable CMake](https://github.com/zlib-ng/zlib-ng/actions/workflows/cmake.yml/badge.svg?branch=stable)](https://github.com/zlib-ng/zlib-ng/actions/workflows/cmake.yml?query=branch%3Astable) <br> [![Stable Configure](https://github.com/zlib-ng/zlib-ng/actions/workflows/configure.yml/badge.svg?branch=stable)](https://github.com/zlib-ng/zlib-ng/actions/workflows/configure.yml?query=branch%3Astable) <br> [![Stable NMake](https://github.com/zlib-ng/zlib-ng/actions/workflows/nmake.yml/badge.svg?branch=stable)](https://github.com/zlib-ng/zlib-ng/actions/workflows/nmake.yml?query=branch%3Astable) | [![Develop CMake](https://github.com/zlib-ng/zlib-ng/actions/workflows/cmake.yml/badge.svg?branch=develop)](https://github.com/zlib-ng/zlib-ng/actions/workflows/cmake.yml?query=branch%3Adevelop) <br> [![Develop Configure](https://github.com/zlib-ng/zlib-ng/actions/workflows/configure.yml/badge.svg?branch=develop)](https://github.com/zlib-ng/zlib-ng/actions/workflows/configure.yml?query=branch%3Adevelop) <br> [![Develop NMake](https://github.com/zlib-ng/zlib-ng/actions/workflows/nmake.yml/badge.svg?branch=develop)](https://github.com/zlib-ng/zlib-ng/actions/workflows/nmake.yml?query=branch%3Adevelop) |
| CodeFactor | [![CodeFactor](https://www.codefactor.io/repository/github/zlib-ng/zlib-ng/badge/stable)](https://www.codefactor.io/repository/github/zlib-ng/zlib-ng/overview/stable) | [![CodeFactor](https://www.codefactor.io/repository/github/zlib-ng/zlib-ng/badge/develop)](https://www.codefactor.io/repository/github/zlib-ng/zlib-ng/overview/develop) |
| OSS-Fuzz | [![Fuzzing Status](https://oss-fuzz-build-logs.storage.googleapis.com/badges/zlib-ng.svg)](https://bugs.chromium.org/p/oss-fuzz/issues/list?sort=-opened&can=1&q=proj:zlib-ng) | [![Fuzzing Status](https://oss-fuzz-build-logs.storage.googleapis.com/badges/zlib-ng.svg)](https://bugs.chromium.org/p/oss-fuzz/issues/list?sort=-opened&can=1&q=proj:zlib-ng) |
| Codecov | [![codecov](https://codecov.io/github/zlib-ng/zlib-ng/branch/stable/graph/badge.svg?token=uKsgK9LIuC)](https://codecov.io/github/zlib-ng/zlib-ng/tree/stable) | [![codecov](https://codecov.io/github/zlib-ng/zlib-ng/branch/develop/graph/badge.svg?token=uKsgK9LIuC)](https://codecov.io/github/zlib-ng/zlib-ng/tree/develop) |
## zlib-ng
*zlib data compression library for the next generation systems*
Maintained by Hans Kristian Rosbach
aka Dead2 (zlib-ng àt circlestorm dót org)
Features
--------
* Zlib compatible API with support for dual-linking
* Modernized native API based on zlib API for ease of porting
* Modern C11 syntax and a clean code layout
* Deflate medium and quick algorithms based on Intels zlib fork
* Support for CPU intrinsics when available
* Adler32 implementation using SSSE3, AVX2, AVX512, AVX512-VNNI, Neon, VMX & VSX
* CRC32-B implementation using PCLMULQDQ, VPCLMULQDQ, ACLE, & IBM Z
* Slide hash implementations using SSE2, AVX2, ARMv6, Neon, VMX & VSX
* Compare256 implementations using SSE2, AVX2, Neon, POWER9 & RVV
* Inflate chunk copying using SSE2, SSSE3, AVX, Neon & VSX
* Support for hardware-accelerated deflate using IBM Z DFLTCC
* Safe unaligned memory read/writes and large bit buffer improvements
* Includes improvements from Cloudflare and Intel forks
* Configure, CMake, and NMake build system support
* Comprehensive set of CMake unit tests
* Code sanitizers, fuzzing, and coverage
* GitHub Actions continuous integration on Windows, macOS, and Linux
* Emulated CI for ARM, AARCH64, PPC, PPC64, RISCV, SPARC64, S390x using qemu
History
-------
The motivation for this fork was seeing several 3rd party contributions with new optimizations not getting
implemented into the official zlib repository.
Mark Adler has been maintaining zlib for a very long time, and he has done a great job and hopefully he will continue
for a long time yet. The idea of zlib-ng is not to replace zlib, but to co-exist as a drop-in replacement with a
lower threshold for code change.
zlib has a long history and is incredibly portable, even supporting many systems that predate the Internet.<br>
That is great, but it can complicate further development and maintainability. The zlib code contains many workarounds
for really old compilers or to accommodate systems with limitations such as operating in a 16-bit environment.
Many of these workarounds are only maintenance burdens, some of them are pretty huge code-wise. With many workarounds
cluttered throughout the code, it makes it harder for new programmers with an idea/interest for zlib to contribute.
I decided to make a fork, merge all the Intel optimizations, some of the Cloudflare optimizations, plus a couple other
smaller patches. Then started cleaning out workarounds, various dead code, all contrib and example code.<br>
The result is a better performing and easier to maintain zlib-ng.
A lot of improvements have gone into zlib-ng since its start, and numerous people and companies have contributed both
small and big improvements, or valuable testing.
Build
-----
<sup>Please read LICENSE.md, it is very simple and very liberal.</sup>
There are two ways to build zlib-ng:
### Cmake
To build zlib-ng using the cross-platform makefile generator cmake.
```
cmake .
cmake --build . --config Release
ctest --verbose -C Release
```
Alternatively, you can use the cmake configuration GUI tool ccmake:
```
ccmake .
```
### Configure
To build zlib-ng using the bash configure script:
```
./configure
make
make test
```
Build Options
-------------
| CMake | configure | Description | Default |
|:---------------------------|:-------------------------|:------------------------------------------------------------------------------------|---------|
| ZLIB_COMPAT | --zlib-compat | Compile with zlib compatible API | OFF |
| ZLIB_ENABLE_TESTS | | Build test binaries | ON |
| WITH_GZFILEOP | --without-gzfileops | Compile with support for gzFile related functions | ON |
| WITH_OPTIM | --without-optimizations | Build with optimisations | ON |
| WITH_NEW_STRATEGIES | --without-new-strategies | Use new strategies | ON |
| WITH_NATIVE_INSTRUCTIONS | | Compiles with full instruction set supported on this host (gcc/clang -march=native) | OFF |
| WITH_RUNTIME_CPU_DETECTION | | Compiles with runtime CPU detection | ON |
| WITH_SANITIZER | | Build with sanitizer (memory, address, undefined) | OFF |
| WITH_GTEST | | Build gtest_zlib | ON |
| WITH_FUZZERS | | Build test/fuzz | OFF |
| WITH_BENCHMARKS | | Build test/benchmarks | OFF |
| WITH_MAINTAINER_WARNINGS | | Build with project maintainer warnings | OFF |
| WITH_CODE_COVERAGE | | Enable code coverage reporting | OFF |
Install
-------
WARNING: We do not recommend manually installing unless you really know what you are doing, because this can
potentially override the system default zlib library, and any incompatibility or wrong configuration of zlib-ng
can make the whole system unusable, requiring recovery or reinstall.
If you still want a manual install, we recommend using the /opt/ path prefix.
For Linux distros, an alternative way to use zlib-ng (if compiled in zlib-compat mode) instead of zlib, is through
the use of the _LD_PRELOAD_ environment variable. If the program is dynamically linked with zlib, then the program
will temporarily attempt to use zlib-ng instead, without risking system-wide instability.
```
LD_PRELOAD=/opt/zlib-ng/libz.so.1.2.13.zlib-ng /usr/bin/program
```
### Cmake
To install zlib-ng system-wide using cmake:
```sh or powershell
cmake --build . --target install
```
### Configure
To install zlib-ng system-wide using the configure script:
```sh
make install
```
### CPack
After building with cmake, an installation package can be created using cpack. By default a tgz package is created,
but you can append `-G <format>` to each command to generate alternative packages types (TGZ, ZIP, RPM, DEB). To easily
create a rpm or deb package, you would use `-G RPM` or `-G DEB` respectively.
```sh or powershell
cd build
cpack --config CPackConfig.cmake
cpack --config CPackSourceConfig.cmake
```
### Vcpkg
Alternatively, you can build and install zlib-ng using the [vcpkg](https://github.com/Microsoft/vcpkg/) dependency manager:
```sh or powershell
git clone https://github.com/Microsoft/vcpkg.git
cd vcpkg
./bootstrap-vcpkg.sh # "./bootstrap-vcpkg.bat" for powershell
./vcpkg integrate install
./vcpkg install zlib-ng
```
The zlib-ng port in vcpkg is kept up to date by Microsoft team members and community contributors.
If the version is out of date, please [create an issue or pull request](https://github.com/Microsoft/vcpkg) on the vcpkg repository.
Contributing
------------
Zlib-ng is aiming to be open to contributions, and we would be delighted to receive pull requests on github.
Help with testing and reviewing pull requests etc is also very much appreciated.
Please check the Wiki for more info: [Contributing](https://github.com/zlib-ng/zlib-ng/wiki/Contributing)
Acknowledgments
----------------
Thanks go out to all the people and companies who have taken the time to contribute
code reviews, testing and/or patches. Zlib-ng would not have been nearly as good without you.
The deflate format used by zlib was defined by Phil Katz.<br>
The deflate and zlib specifications were written by L. Peter Deutsch.
zlib was originally created by Jean-loup Gailly (compression) and Mark Adler (decompression).
Advanced Build Options
----------------------
| CMake | configure | Description | Default |
|:--------------------------------|:----------------------|:--------------------------------------------------------------------|------------------------|
| FORCE_SSE2 | --force-sse2 | Skip runtime check for SSE2 instructions (Always on for x86_64) | OFF (x86) |
| WITH_AVX2 | | Build with AVX2 intrinsics | ON |
| WITH_AVX512 | | Build with AVX512 intrinsics | ON |
| WITH_AVX512VNNI | | Build with AVX512VNNI intrinsics | ON |
| WITH_SSE2 | | Build with SSE2 intrinsics | ON |
| WITH_SSSE3 | | Build with SSSE3 intrinsics | ON |
| WITH_SSE42 | | Build with SSE42 intrinsics | ON |
| WITH_PCLMULQDQ | | Build with PCLMULQDQ intrinsics | ON |
| WITH_VPCLMULQDQ | --without-vpclmulqdq | Build with VPCLMULQDQ intrinsics | ON |
| WITH_ACLE | --without-acle | Build with ACLE intrinsics | ON |
| WITH_NEON | --without-neon | Build with NEON intrinsics | ON |
| WITH_ARMV6 | --without-armv6 | Build with ARMv6 intrinsics | ON |
| WITH_ALTIVEC | --without-altivec | Build with AltiVec (VMX) intrinsics | ON |
| WITH_POWER8 | --without-power8 | Build with POWER8 optimisations | ON |
| WITH_RVV | | Build with RVV intrinsics | ON |
| WITH_CRC32_VX | --without-crc32-vx | Build with vectorized CRC32 on IBM Z | ON |
| WITH_DFLTCC_DEFLATE | --with-dfltcc-deflate | Build with DFLTCC intrinsics for compression on IBM Z | OFF |
| WITH_DFLTCC_INFLATE | --with-dfltcc-inflate | Build with DFLTCC intrinsics for decompression on IBM Z | OFF |
| WITH_INFLATE_STRICT | | Build with strict inflate distance checking | OFF |
| WITH_INFLATE_ALLOW_INVALID_DIST | | Build with zero fill for inflate invalid distances | OFF |
| INSTALL_UTILS | | Copy minigzip and minideflate during install | OFF |
| ZLIBNG_ENABLE_TESTS | | Test zlib-ng specific API | ON |
Related Projects
----------------
* Fork of the popular minizip https://github.com/zlib-ng/minizip-ng
* Python tool to benchmark minigzip/minideflate https://github.com/zlib-ng/deflatebench
* Python tool to benchmark pigz https://github.com/zlib-ng/pigzbench
* 3rd party patches for zlib-ng compatibility https://github.com/zlib-ng/patches

863
curl/dep/zstd/CHANGELOG.txt
Unescape Просмотреть файл

@ -0,0 +1,863 @@
V1.5.7 (Feb 2025)
fix: compression bug in 32-bit mode associated with long-lasting sessions
api: new method `ZSTD_compressSequencesAndLiterals()` (#4217, #4232)
api: `ZSTD_getFrameHeader()` works on skippable frames (#4228)
perf: substantial compression speed improvements (up to +30%) on small data, by @TocarIP (#4144) and @cyan4973 (#4165)
perf: improved compression speed (~+5%) for dictionary compression at low levels (#4170)
perf: much faster speed for `--patch-from` at high compression levels (#4276)
perf: higher `--patch-from` compression ratios, notably at high levels (#4288)
perf: better speed for binaries on Windows (@pps83) and when compiled with Visual Studio (@MessyHack)
perf: slight compression ratio improvement thanks to better block boundaries (#4136, #4176, #4178)
perf: slight compression ratio improvement for `dfast`, aka levels 3 and 4 (#4171)
perf: runtime bmi2 detection enabled on x86 32-bit mode (#4251)
cli: multi-threading as default CLI setting, by @daniellerozenblit
cli: new `--max` command (#4290)
build: improve `msbuild` version autodetection, support VS2022, by @ManuelBlanc
build: fix `meson` build by @artem and @Victor-C-Zhang, and on Windows by @bgilbert
build: compatibility with Apple Framework, by @Treata11
build: improve icc/icx compatibility, by @josepho0918 and @luau-project
build: improve compatibility with Android NDK, by Adenilson Cavalcanti
portability: linux kernel branch, with improved support for Sequence producers (@embg, @gcabiddu, @cyan4973)
portability: improved qnx compatibility, suggested by @rainbowball
portability: improved install script for FreeBSD, by @sunpoet
portability: fixed test suite compatibility with gnu hurd, by @diegonc
doc: clarify specification, by @elasota
misc: improved tests/decodecorpus validation tool (#4102), by antmicro
V1.5.6 (Mar 2024)
api: Promote `ZSTD_c_targetCBlockSize` to Stable API by @felixhandte
api: new `ZSTD_d_maxBlockSize` experimental parameter, to reduce streaming decompression memory, by @terrelln
perf: improve performance of param `ZSTD_c_targetCBlockSize`, by @Cyan4973
perf: improved compression of arrays of integers at high compression, by @Cyan4973
lib: reduce binary size with selective build-time exclusion, by @felixhandte
lib: improved huffman speed on small data and linux kernel, by @terrelln
lib: accept dictionaries with partial literal tables, by @terrelln
lib: fix CCtx size estimation with external sequence producer, by @embg
lib: fix corner case decoder behaviors, by @Cyan4973 and @aimuz
lib: fix zdict prototype mismatch in static_only mode, by @ldv-alt
lib: fix several bugs in magicless-format decoding, by @embg
cli: add common compressed file types to `--exclude-compressed`` by @daniellerozenblit
cli: fix mixing `-c` and `-o` commands with `--rm`, by @Cyan4973
cli: fix erroneous exclusion of hidden files with `--output-dir-mirror` by @felixhandte
cli: improved time accuracy on BSD, by @felixhandte
cli: better errors on argument parsing, by @KapJI
tests: better compatibility with older versions of `grep`, by @Cyan4973
tests: lorem ipsum generator as default backup content, by @Cyan4973
build: cmake improvements by @terrelln, @sighingnow, @gjasny, @JohanMabille, @Saverio976, @gruenich, @teo-tsirpanis
build: bazel support, by @jondo2010
build: fix cross-compiling for AArch64 with lld by @jcelerier
build: fix Apple platform compatibility, by @nidhijaju
build: fix Visual 2012 and lower compatibility, by @Cyan4973
build: improve win32 support, by @DimitriPapadopoulos
build: better C90 compliance for zlibWrapper, by @emaste
port: make: fat binaries on macos, by @mredig
port: ARM64EC compatibility for Windows, by @dunhor
port: QNX support by @klausholstjacobsen
port: MSYS2 and Cygwin makefile installation and test support, by @QBos07
port: risc-v support validation in CI, by @Cyan4973
port: sparc64 support validation in CI, by @Cyan4973
port: AIX compatibility, by @likema
port: HP-UX compatibility, by @likema
doc: Improved specification accuracy, by @elasota
bug: Fix and deprecate ZSTD_generateSequences (#3981)
v1.5.5 (Apr 2023)
fix: fix rare corruption bug affecting the high compression mode, reported by @danlark1 (#3517, @terrelln)
perf: improve mid-level compression speed (#3529, #3533, #3543, @yoniko and #3552, @terrelln)
lib: deprecated bufferless block-level API (#3534) by @terrelln
cli: mmap large dictionaries to save memory, by @daniellerozenblit
cli: improve speed of --patch-from mode (~+50%) (#3545) by @daniellerozenblit
cli: improve i/o speed (~+10%) when processing lots of small files (#3479) by @felixhandte
cli: zstd no longer crashes when requested to write into write-protected directory (#3541) by @felixhandte
cli: fix decompression into block device using -o, reported by @georgmu (#3583)
build: fix zstd CLI compiled with lzma support but not zlib support (#3494) by @Hello71
build: fix cmake does no longer require 3.18 as minimum version (#3510) by @kou
build: fix MSVC+ClangCL linking issue (#3569) by @tru
build: fix zstd-dll, version of zstd CLI that links to the dynamic library (#3496) by @yoniko
build: fix MSVC warnings (#3495) by @embg
doc: updated zstd specification to clarify corner cases, by @Cyan4973
doc: document how to create fat binaries for macos (#3568) by @rickmark
misc: improve seekable format ingestion speed (~+100%) for very small chunk sizes (#3544) by @Cyan4973
misc: tests/fullbench can benchmark multiple files (#3516) by @dloidolt
v1.5.4 (Feb 2023)
perf: +20% faster huffman decompression for targets that can't compile x64 assembly (#3449, @terrelln)
perf: up to +10% faster streaming compression at levels 1-2 (#3114, @embg)
perf: +4-13% for levels 5-12 by optimizing function generation (#3295, @terrelln)
pref: +3-11% compression speed for `arm` target (#3199, #3164, #3145, #3141, #3138, @JunHe77 and #3139, #3160, @danlark1)
perf: +5-30% faster dictionary compression at levels 1-4 (#3086, #3114, #3152, @embg)
perf: +10-20% cold dict compression speed by prefetching CDict tables (#3177, @embg)
perf: +1% faster compression by removing a branch in ZSTD_fast_noDict (#3129, @felixhandte)
perf: Small compression ratio improvements in high compression mode (#2983, #3391, @Cyan4973 and #3285, #3302, @daniellerozenblit)
perf: small speed improvement by better detecting `STATIC_BMI2` for `clang` (#3080, @TocarIP)
perf: Improved streaming performance when `ZSTD_c_stableInBuffer` is set (#2974, @Cyan4973)
cli: Asynchronous I/O for improved cli speed (#2975, #2985, #3021, #3022, @yoniko)
cli: Change `zstdless` behavior to align with `zless` (#2909, @binhdvo)
cli: Keep original file if `-c` or `--stdout` is given (#3052, @dirkmueller)
cli: Keep original files when result is concatenated into a single output with `-o` (#3450, @Cyan4973)
cli: Preserve Permissions and Ownership of regular files (#3432, @felixhandte)
cli: Print zlib/lz4/lzma library versions with `-vv` (#3030, @terrelln)
cli: Print checksum value for single frame files with `-lv` (#3332, @Cyan4973)
cli: Print `dictID` when present with `-lv` (#3184, @htnhan)
cli: when `stderr` is *not* the console, disable status updates, but preserve final summary (#3458, @Cyan4973)
cli: support `--best` and `--no-name` in `gzip` compatibility mode (#3059, @dirkmueller)
cli: support for `posix` high resolution timer `clock_gettime()`, for improved benchmark accuracy (#3423, @Cyan4973)
cli: improved help/usage (`-h`, `-H`) formatting (#3094, @dirkmueller and #3385, @jonpalmisc)
cli: Fix better handling of bogus numeric values (#3268, @ctkhanhly)
cli: Fix input consists of multiple files _and_ `stdin` (#3222, @yoniko)
cli: Fix tiny files passthrough (#3215, @cgbur)
cli: Fix for `-r` on empty directory (#3027, @brailovich)
cli: Fix empty string as argument for `--output-dir-*` (#3220, @embg)
cli: Fix decompression memory usage reported by `-vv --long` (#3042, @u1f35c, and #3232, @zengyijing)
cli: Fix infinite loop when empty input is passed to trainer (#3081, @terrelln)
cli: Fix `--adapt` doesn't work when `--no-progress` is also set (#3354, @terrelln)
api: Support for Block-Level Sequence Producer (#3333, @embg)
api: Support for in-place decompression (#3432, @terrelln)
api: New `ZSTD_CCtx_setCParams()` function, set all parameters defined in a `ZSTD_compressionParameters` structure (#3403, @Cyan4973)
api: Streaming decompression detects incorrect header ID sooner (#3175, @Cyan4973)
api: Window size resizing optimization for edge case (#3345, @daniellerozenblit)
api: More accurate error codes for busy-loop scenarios (#3413, #3455, @Cyan4973)
api: Fix limit overflow in `compressBound` and `decompressBound` (#3362, #3373, Cyan4973) reported by @nigeltao
api: Deprecate several advanced experimental functions: streaming (#3408, @embg), copy (#3196, @mileshu)
bug: Fix corruption that rarely occurs in 32-bit mode with wlog=25 (#3361, @terrelln)
bug: Fix for block-splitter (#3033, @Cyan4973)
bug: Fixes for Sequence Compression API (#3023, #3040, @Cyan4973)
bug: Fix leaking thread handles on Windows (#3147, @animalize)
bug: Fix timing issues with cmake/meson builds (#3166, #3167, #3170, @Cyan4973)
build: Allow user to select legacy level for cmake (#3050, @shadchin)
build: Enable legacy support by default in cmake (#3079, @niamster)
build: Meson build script improvements (#3039, #3120, #3122, #3327, #3357, @eli-schwartz and #3276, @neheb)
build: Add aarch64 to supported architectures for zstd_trace (#3054, @ooosssososos)
build: support AIX architecture (#3219, @qiongsiwu)
build: Fix `ZSTD_LIB_MINIFY` build macro, which now reduces static library size by half (#3366, @terrelln)
build: Fix Windows issues with Multithreading translation layer (#3364, #3380, @yoniko) and ARM64 target (#3320, @cwoffenden)
build: Fix `cmake` script (#3382, #3392, @terrelln and #3252 @Tachi107 and #3167 @Cyan4973)
doc: Updated man page, providing more details for `--train` mode (#3112, @Cyan4973)
doc: Add decompressor errata document (#3092, @terrelln)
misc: Enable Intel CET (#2992, #2994, @hjl-tools)
misc: Fix `contrib/` seekable format (#3058, @yhoogstrate and #3346, @daniellerozenblit)
misc: Improve speed of the one-file library generator (#3241, @wahern and #3005, @cwoffenden)
v1.5.3 (dev version, unpublished)
v1.5.2 (Jan, 2022)
perf: Regain Minimal memset()-ing During Reuse of Compression Contexts (@Cyan4973, #2969)
build: Build Zstd with `noexecstack` on All Architectures (@felixhandte, #2964)
doc: Clarify Licensing (@terrelln, #2981)
v1.5.1 (Dec, 2021)
perf: rebalanced compression levels, to better match the intended speed/level curve, by @senhuang42
perf: faster huffman decoder, using x64 assembly, by @terrelln
perf: slightly faster high speed modes (strategies fast & dfast), by @felixhandte
perf: improved binary size and faster compilation times, by @terrelln
perf: new row64 mode, used notably in level 12, by @senhuang42
perf: faster mid-level compression speed in presence of highly repetitive patterns, by @senhuang42
perf: minor compression ratio improvements for small data at high levels, by @cyan4973
perf: reduced stack usage (mostly useful for Linux Kernel), by @terrelln
perf: faster compression speed on incompressible data, by @bindhvo
perf: on-demand reduced ZSTD_DCtx state size, using build macro ZSTD_DECODER_INTERNAL_BUFFER, at a small cost of performance, by @bindhvo
build: allows hiding static symbols in the dynamic library, using build macro, by @skitt
build: support for m68k (Motorola 68000's), by @cyan4973
build: improved AIX support, by @Helflym
build: improved meson unofficial build, by @eli-schwartz
cli : custom memory limit when training dictionary (#2925), by @embg
cli : report advanced parameters information when compressing in very verbose mode (`-vv`), by @Svetlitski-FB
v1.5.0 (May 11, 2021)
api: Various functions promoted from experimental to stable API: (#2579-2581, @senhuang42)
`ZSTD_defaultCLevel()`
`ZSTD_getDictID_fromCDict()`
api: Several experimental functions have been deprecated and will emit a compiler warning (#2582, @senhuang42)
`ZSTD_compress_advanced()`
`ZSTD_compress_usingCDict_advanced()`
`ZSTD_compressBegin_advanced()`
`ZSTD_compressBegin_usingCDict_advanced()`
`ZSTD_initCStream_srcSize()`
`ZSTD_initCStream_usingDict()`
`ZSTD_initCStream_usingCDict()`
`ZSTD_initCStream_advanced()`
`ZSTD_initCStream_usingCDict_advanced()`
`ZSTD_resetCStream()`
api: ZSTDMT_NBWORKERS_MAX reduced to 64 for 32-bit environments (@Cyan4973)
perf: Significant speed improvements for middle compression levels (#2494, @senhuang42 @terrelln)
perf: Block splitter to improve compression ratio, enabled by default for high compression levels (#2447, @senhuang42)
perf: Decompression loop refactor, speed improvements on `clang` and for `--long` modes (#2614 #2630, @Cyan4973)
perf: Reduced stack usage during compression and decompression entropy stage (#2522 #2524, @terrelln)
bug: Improve setting permissions of created files (#2525, @felixhandte)
bug: Fix large dictionary non-determinism (#2607, @terrelln)
bug: Fix non-determinism test failures on Linux i686 (#2606, @terrelln)
bug: Fix various dedicated dictionary search bugs (#2540 #2586, @senhuang42 @felixhandte)
bug: Ensure `ZSTD_estimateCCtxSize*() `monotonically increases with compression level (#2538, @senhuang42)
bug: Fix --patch-from mode parameter bound bug with small files (#2637, @occivink)
bug: Fix UBSAN error in decompression (#2625, @terrelln)
bug: Fix superblock compression divide by zero bug (#2592, @senhuang42)
bug: Make the number of physical CPU cores detection more robust (#2517, @PaulBone)
doc: Improve `zdict.h` dictionary training API documentation (#2622, @terrelln)
doc: Note that public `ZSTD_free*()` functions accept NULL pointers (#2521, @animalize)
doc: Add style guide docs for open source contributors (#2626, @Cyan4973)
tests: Better regression test coverage for different dictionary modes (#2559, @senhuang42)
tests: Better test coverage of index reduction (#2603, @terrelln)
tests: OSS-Fuzz coverage for seekable format (#2617, @senhuang42)
tests: Test coverage for ZSTD threadpool API (#2604, @senhuang42)
build: Dynamic library built multithreaded by default (#2584, @senhuang42)
build: Move `zstd_errors.h` and `zdict.h` to `lib/` root (#2597, @terrelln)
build: Allow `ZSTDMT_JOBSIZE_MIN` to be configured at compile-time, reduce default to 512KB (#2611, @Cyan4973)
build: Single file library build script moved to `build/` directory (#2618, @felixhandte)
build: `ZBUFF_*()` is no longer built by default (#2583, @senhuang42)
build: Fixed Meson build (#2548, @SupervisedThinking @kloczek)
build: Fix excessive compiler warnings with clang-cl and CMake (#2600, @nickhutchinson)
build: Detect presence of `md5` on Darwin (#2609, @felixhandte)
build: Avoid SIGBUS on armv6 (#2633, @bmwiedmann)
cli: `--progress` flag added to always display progress bar (#2595, @senhuang42)
cli: Allow reading from block devices with `--force` (#2613, @felixhandte)
cli: Fix CLI filesize display bug (#2550, @Cyan4973)
cli: Fix windows CLI `--filelist` end-of-line bug (#2620, @Cyan4973)
contrib: Various fixes for linux kernel patch (#2539, @terrelln)
contrib: Seekable format - Decompression hanging edge case fix (#2516, @senhuang42)
contrib: Seekable format - New seek table-only API (#2113 #2518, @mdittmer @Cyan4973)
contrib: Seekable format - Fix seek table descriptor check when loading (#2534, @foxeng)
contrib: Seekable format - Decompression fix for large offsets, (#2594, @azat)
misc: Automatically published release tarballs available on Github (#2535, @felixhandte)
v1.4.9 (Mar 1, 2021)
bug: Use `umask()` to Constrain Created File Permissions (#2495, @felixhandte)
bug: Make Simple Single-Pass Functions Ignore Advanced Parameters (#2498, @terrelln)
api: Add (De)Compression Tracing Functionality (#2482, @terrelln)
api: Support References to Multiple DDicts (#2446, @senhuang42)
api: Add Function to Generate Skippable Frame (#2439, @senhuang42)
perf: New Algorithms for the Long Distance Matcher (#2483, @mpu)
perf: Performance Improvements for Long Distance Matcher (#2464, @mpu)
perf: Don't Shrink Window Log when Streaming with a Dictionary (#2451, @terrelln)
cli: Fix `--output-dir-mirror` rejection of `..` -containing paths (#2512, @felixhandte)
cli: Allow Input From Console When `-f`/`--force` is Passed (#2466, @felixhandte)
cli: Improve Help Message (#2500, @senhuang42)
tests: Remove Flaky Tests (#2455, #2486, #2445, @Cyan4973)
tests: Correctly Invoke md5 Utility on NetBSD (#2492, @niacat)
tests: Avoid Using `stat -c` on NetBSD (#2513, @felixhandte)
build: Zstd CLI Can Now be Linked to Dynamic `libzstd` (#2457, #2454 @Cyan4973)
build: Hide and Avoid Using Static-Only Symbols (#2501, #2504, @skitt)
build: CMake: Enable Only C for lib/ and programs/ Projects (#2498, @concatime)
build: CMake: Use `configure_file()` to Create the `.pc` File (#2462, @lazka)
build: Fix Fuzzer Compiler Detection & Update UBSAN Flags (#2503, @terrelln)
build: Add Guards for `_LARGEFILE_SOURCE` and `_LARGEFILE64_SOURCE` (#2444, @indygreg)
build: Improve `zlibwrapper` Makefile (#2437, @Cyan4973)
contrib: Add `recover_directory` Program (#2473, @terrelln)
doc: Change License Year to 2021 (#2452 & #2465, @terrelln & @senhuang42)
doc: Fix Typos (#2459, @ThomasWaldmann)
v1.4.8 (Dec 18, 2020)
hotfix: wrong alignment of an internal buffer
v1.4.7 (Dec 16, 2020)
perf: stronger --long mode at high compression levels, by @senhuang42
perf: stronger --patch-from at high compression levels, thanks to --long improvements
perf: faster dictionary compression at medium compression levels, by @felixhandte
perf: small speed & memory usage improvements for ZSTD_compress2(), by @terrelln
perf: improved fast compression speeds with Visual Studio, by @animalize
cli : Set nb of threads with environment variable ZSTD_NBTHREADS, by @senhuang42
cli : accept decompressing files with *.zstd suffix
cli : provide a condensed summary by default when processing multiple files
cli : fix : stdin input no longer confused as user prompt
cli : improve accuracy of several error messages
api : new sequence ingestion API, by @senhuang42
api : shared thread pool: control total nb of threads used by multiple compression jobs, by @marxin
api : new ZSTD_getDictID_fromCDict(), by @LuAPi
api : zlibWrapper only uses public API, and is compatible with dynamic library, by @terrelln
api : fix : multithreaded compression has predictable output even in special cases (see #2327) (issue not accessible from cli)
api : fix : dictionary compression correctly respects dictionary compression level (see #2303) (issue not accessible from cli)
build: fix cmake script when using path with spaces, by @terrelln
build: improved compile-time detection of aarch64/neon platforms, by @bsdimp
build: Fix building on AIX 5.1, by @likema
build: compile paramgrill with cmake on Windows, requested by @mirh
doc : clarify repcode updates in format specification, by @felixhandte
v1.4.6
fix : Always return dstSize_tooSmall when that is the case
fix : Fix ZSTD_initCStream_advanced() with static allocation and no dictionary
perf: Improve small block decompression speed by 20%+, by @terrelln
perf: Reduce compression stack usage by 1 KB, by @terrelln
perf: Improve decompression speed by improving ZSTD_wildcopy, by @helloguo (#2252, #2256)
perf: Improve histogram construction, by @cyan4973 (#2253)
cli : Add --output-dir-mirror option, by @xxie24 (#2219)
cli : Warn when (de)compressing multiple files into a single output, by @senhuang42 (#2279)
cli : Improved progress bar and status summary when (de)compressing multiple files, by @senhuang42 (#2283)
cli : Call stat less often, by @felixhandte (#2262)
cli : Allow --patch-from XXX and --filelist XXX in addition to --patch-from=XXX and --filelist=XXX, by @cyan4973 (#2250)
cli : Allow --patch-from to compress stdin with --stream-size, by @bimbashrestha (#2206)
api : Do not install zbuff.h, since it has long been deprecated, by @cyan4973 (#2166).
api : Fix ZSTD_CCtx_setParameter() with ZSTD_c_compressionLevel to make 0 mean default level, by @i-do-cpp (#2291)
api : Rename ZSTDMT_NBTHREADS_MAX to ZSTDMT_NBWORKERS_MAX, by @marxin (#2228).
build: Install pkg-config file with CMake and MinGW, by @tonytheodore (#2183)
build: Install DLL with CMake on Windows, by @BioDataAnalysis (#2221)
build: Fix DLL install location with CMake, by @xantares and @bimbashrestha (#2186)
build: Add ZSTD_NO_UNUSED_FUNCTIONS macro to hide unused functions
build: Add ZSTD_NO_INTRINSICS macro to avoid explicit intrinsics
build: Add STATIC_BMI2 macro for compile time detection of BMI2 on MSVC, by @Niadb (#2258)
build: Fix -Wcomma warnings, by @cwoffenden
build: Remove distutils requirement for meson build, by @neheb (#2197)
build: Fix cli compilation with uclibc
build: Fix cli compilation without st_mtime, by @ffontaine (#2246)
build: Fix shadowing warnings in library
build: Fix single file library compilation with Enscripten, by @yoshihitoh (#2227)
misc: Improve single file library and include dictBuilder, by @cwoffenden
misc: Allow compression dictionaries with missing symbols
misc: Add freestanding translation script in contrib/freestanding_lib
misc: Collect all of zstd's libc dependencies into zstd_deps.h
doc : Add ZSTD_versionString() to manual, by @animalize
doc : Fix documentation for ZSTD_CCtxParams_setParameter(), by @felixhandte (#2270)
v1.4.5 (May 22, 2020)
fix : Compression ratio regression on huge files (> 3 GB) using high levels (--ultra) and multithreading, by @terrelln
perf: Improved decompression speed: x64 : +10% (clang) / +5% (gcc); ARM : from +15% to +50%, depending on SoC, by @terrelln
perf: Automatically downsizes ZSTD_DCtx when too large for too long (#2069, by @bimbashreshta)
perf: Improved fast compression speed on aarch64 (#2040, ~+3%, by @caoyzh)
perf: Small level 1 compression speed gains (depending on compiler)
cli : New --patch-from command, create and apply patches from files, by @bimbashreshta
cli : New --filelist= : Provide a list of files to operate upon from a file
cli : -b -d command can now benchmark decompression on multiple files
cli : New --no-content-size command
cli : New --show-default-cparams information command
api : ZDICT_finalizeDictionary() is promoted to stable (#2111)
api : new experimental parameter ZSTD_d_stableOutBuffer (#2094)
build: Generate a single-file libzstd library (#2065, by @cwoffenden)
build: Relative includes no longer require -I compiler flags for zstd lib subdirs (#2103, by @felixhandte)
build: zstd now compiles cleanly under -pedantic (#2099)
build: zstd now compiles with make-4.3
build: Support mingw cross-compilation from Linux, by @Ericson2314
build: Meson multi-thread build fix on windows
build: Some misc icc fixes backed by new ci test on travis
misc: bitflip analyzer tool, by @felixhandte
misc: Extend largeNbDicts benchmark to compression
misc: Edit-distance match finder in contrib/
doc : Improved beginner CONTRIBUTING.md docs
doc : New issue templates for zstd
v1.4.4 (Nov 6, 2019)
perf: Improved decompression speed, by > 10%, by @terrelln
perf: Better compression speed when re-using a context, by @felixhandte
perf: Fix compression ratio when compressing large files with small dictionary, by @senhuang42
perf: zstd reference encoder can generate RLE blocks, by @bimbashrestha
perf: minor generic speed optimization, by @davidbolvansky
api: new ability to extract sequences from the parser for analysis, by @bimbashrestha
api: fixed decoding of magic-less frames, by @terrelln
api: fixed ZSTD_initCStream_advanced() performance with fast modes, reported by @QrczakMK
cli: Named pipes support, by @bimbashrestha
cli: short tar's extension support, by @stokito
cli: command --output-dir-flat= , generates target files into requested directory, by @senhuang42
cli: commands --stream-size=# and --size-hint=#, by @nmagerko
cli: command --exclude-compressed, by @shashank0791
cli: faster `-t` test mode
cli: improved some error messages, by @vangyzen
cli: fix command `-D dictionary` on Windows, reported by @artyompetrov
cli: fix rare deadlock condition within dictionary builder, by @terrelln
build: single-file decoder with emscripten compilation script, by @cwoffenden
build: fixed zlibWrapper compilation on Visual Studio, reported by @bluenlive
build: fixed deprecation warning for certain gcc version, reported by @jasonma163
build: fix compilation on old gcc versions, by @cemeyer
build: improved installation directories for cmake script, by Dmitri Shubin
pack: modified pkgconfig, for better integration into openwrt, requested by @neheb
misc: Improved documentation : ZSTD_CLEVEL, DYNAMIC_BMI2, ZSTD_CDict, function deprecation, zstd format
misc: fixed educational decoder : accept larger literals section, and removed UNALIGNED() macro
v1.4.3 (Aug 20, 2019)
bug: Fix Dictionary Compression Ratio Regression by @cyan4973 (#1709)
bug: Fix Buffer Overflow in legacy v0.3 decompression by @felixhandte (#1722)
build: Add support for IAR C/C++ Compiler for Arm by @joseph0918 (#1705)
v1.4.2 (Jul 26, 2019)
bug: Fix bug in zstd-0.5 decoder by @terrelln (#1696)
bug: Fix seekable decompression in-memory API by @iburinoc (#1695)
misc: Validate blocks are smaller than size limit by @vivekmg (#1685)
misc: Restructure source files by @ephiepark (#1679)
v1.4.1 (Jul 20, 2019)
bug: Fix data corruption in niche use cases by @terrelln (#1659)
bug: Fuzz legacy modes, fix uncovered bugs by @terrelln (#1593, #1594, #1595)
bug: Fix out of bounds read by @terrelln (#1590)
perf: Improve decode speed by ~7% @mgrice (#1668)
perf: Slightly improved compression ratio of level 3 and 4 (ZSTD_dfast) by @cyan4973 (#1681)
perf: Slightly faster compression speed when re-using a context by @cyan4973 (#1658)
perf: Improve compression ratio for small windowLog by @cyan4973 (#1624)
perf: Faster compression speed in high compression mode for repetitive data by @terrelln (#1635)
api: Add parameter to generate smaller dictionaries by @tyler-tran (#1656)
cli: Recognize symlinks when built in C99 mode by @felixhandte (#1640)
cli: Expose cpu load indicator for each file on -vv mode by @ephiepark (#1631)
cli: Restrict read permissions on destination files by @chungy (#1644)
cli: zstdgrep: handle -f flag by @felixhandte (#1618)
cli: zstdcat: follow symlinks by @vejnar (#1604)
doc: Remove extra size limit on compressed blocks by @felixhandte (#1689)
doc: Fix typo by @yk-tanigawa (#1633)
doc: Improve documentation on streaming buffer sizes by @cyan4973 (#1629)
build: CMake: support building with LZ4 @leeyoung624 (#1626)
build: CMake: install zstdless and zstdgrep by @leeyoung624 (#1647)
build: CMake: respect existing uninstall target by @j301scott (#1619)
build: Make: skip multithread tests when built without support by @michaelforney (#1620)
build: Make: Fix examples/ test target by @sjnam (#1603)
build: Meson: rename options out of deprecated namespace by @lzutao (#1665)
build: Meson: fix build by @lzutao (#1602)
build: Visual Studio: don't export symbols in static lib by @scharan (#1650)
build: Visual Studio: fix linking by @absotively (#1639)
build: Fix MinGW-W64 build by @myzhang1029 (#1600)
misc: Expand decodecorpus coverage by @ephiepark (#1664)
v1.4.0 (Apr 17, 2019)
perf: Improve level 1 compression speed in most scenarios by 6% by @gbtucker and @terrelln
api: Move the advanced API, including all functions in the staging section, to the stable section
api: Make ZSTD_e_flush and ZSTD_e_end block for maximum forward progress
api: Rename ZSTD_CCtxParam_getParameter to ZSTD_CCtxParams_getParameter
api: Rename ZSTD_CCtxParam_setParameter to ZSTD_CCtxParams_setParameter
api: Don't export ZSTDMT functions from the shared library by default
api: Require ZSTD_MULTITHREAD to be defined to use ZSTDMT
api: Add ZSTD_decompressBound() to provide an upper bound on decompressed size by @shakeelrao
api: Fix ZSTD_decompressDCtx() corner cases with a dictionary
api: Move ZSTD_getDictID_*() functions to the stable section
api: Add ZSTD_c_literalCompressionMode flag to enable or disable literal compression by @terrelln
api: Allow compression parameters to be set when a dictionary is used
api: Allow setting parameters before or after ZSTD_CCtx_loadDictionary() is called
api: Fix ZSTD_estimateCStreamSize_usingCCtxParams()
api: Setting ZSTD_d_maxWindowLog to 0 means use the default
cli: Ensure that a dictionary is not used to compress itself by @shakeelrao
cli: Add --[no-]compress-literals flag to enable or disable literal compression
doc: Update the examples to use the advanced API
doc: Explain how to transition from old streaming functions to the advanced API in the header
build: Improve the Windows release packages
build: Improve CMake build by @hjmjohnson
build: Build fixes for FreeBSD by @lwhsu
build: Remove redundant warnings by @thatsafunnyname
build: Fix tests on OpenBSD by @bket
build: Extend fuzzer build system to work with the new clang engine
build: CMake now creates the libzstd.so.1 symlink
build: Improve Menson build by @lzutao
misc: Fix symbolic link detection on FreeBSD
misc: Use physical core count for -T0 on FreeBSD by @cemeyer
misc: Fix zstd --list on truncated files by @kostmo
misc: Improve logging in debug mode by @felixhandte
misc: Add CirrusCI tests by @lwhsu
misc: Optimize dictionary memory usage in corner cases
misc: Improve the dictionary builder on small or homogeneous data
misc: Fix spelling across the repo by @jsoref
v1.3.8 (Dec 28, 2018)
perf: better decompression speed on large files (+7%) and cold dictionaries (+15%)
perf: slightly better compression ratio at high compression modes
api : finalized advanced API, last stage before "stable" status
api : new --rsyncable mode, by @terrelln
api : support decompression of empty frames into NULL (used to be an error) (#1385)
build: new set of macros to build a minimal size decoder, by @felixhandte
build: fix compilation on MIPS32, reported by @clbr (#1441)
build: fix compilation with multiple -arch flags, by @ryandesign
build: highly upgraded meson build, by @lzutao
build: improved buck support, by @obelisk
build: fix cmake script : can create debug build, by @pitrou
build: Makefile : grep works on both colored consoles and systems without color support
build: fixed zstd-pgo, by @bmwiedemann
cli : support ZSTD_CLEVEL environment variable, by @yijinfb (#1423)
cli : --no-progress flag, preserving final summary (#1371), by @terrelln
cli : ensure destination file is not source file (#1422)
cli : clearer error messages, especially when input file not present
doc : clarified zstd_compression_format.md, by @ulikunitz
misc: fixed zstdgrep, returns 1 on failure, by @lzutao
misc: NEWS renamed as CHANGELOG, in accordance with fboss
v1.3.7 (Oct 20, 2018)
perf: slightly better decompression speed on clang (depending on hardware target)
fix : performance of dictionary compression for small input < 4 KB at levels 9 and 10
build: no longer build backtrace by default in release mode; restrict further automatic mode
build: control backtrace support through build macro BACKTRACE
misc: added man pages for zstdless and zstdgrep, by @samrussell
v1.3.6 (Oct 6, 2018)
perf: much faster dictionary builder, by @jenniferliu
perf: faster dictionary compression on small data when using multiple contexts, by @felixhandte
perf: faster dictionary decompression when using a very large number of dictionaries simultaneously
cli : fix : does no longer overwrite destination when source does not exist (#1082)
cli : new command --adapt, for automatic compression level adaptation
api : fix : block api can be streamed with > 4 GB, reported by @catid
api : reduced ZSTD_DDict size by 2 KB
api : minimum negative compression level is defined, and can be queried using ZSTD_minCLevel().
build: support Haiku target, by @korli
build: Read Legacy format is limited to v0.5+ by default. Can be changed at compile time with macro ZSTD_LEGACY_SUPPORT.
doc : zstd_compression_format.md updated to match wording in IETF RFC 8478
misc: tests/paramgrill, a parameter optimizer, by @GeorgeLu97
v1.3.5 (Jun 29, 2018)
perf: much faster dictionary compression, by @felixhandte
perf: small quality improvement for dictionary generation, by @terrelln
perf: slightly improved high compression levels (notably level 19)
mem : automatic memory release for long duration contexts
cli : fix : overlapLog can be manually set
cli : fix : decoding invalid lz4 frames
api : fix : performance degradation for dictionary compression when using advanced API, by @terrelln
api : change : clarify ZSTD_CCtx_reset() vs ZSTD_CCtx_resetParameters(), by @terrelln
build: select custom libzstd scope through control macros, by @GeorgeLu97
build: OpenBSD patch, by @bket
build: make and make all are compatible with -j
doc : clarify zstd_compression_format.md, updated for IETF RFC process
misc: pzstd compatible with reproducible compilation, by @lamby
v1.3.4 (Mar 27, 2018)
perf: faster speed (especially decoding speed) on recent cpus (haswell+)
perf: much better performance associating --long with multi-threading, by @terrelln
perf: better compression at levels 13-15
cli : asynchronous compression by default, for faster experience (use --single-thread for former behavior)
cli : smoother status report in multi-threading mode
cli : added command --fast=#, for faster compression modes
cli : fix crash when not overwriting existing files, by Pádraig Brady (@pixelb)
api : `nbThreads` becomes `nbWorkers` : 1 triggers asynchronous mode
api : compression levels can be negative, for even more speed
api : ZSTD_getFrameProgression() : get precise progress status of ZSTDMT anytime
api : ZSTDMT can accept new compression parameters during compression
api : implemented all advanced dictionary decompression prototypes
build: improved meson recipe, by Shawn Landden (@shawnl)
build: VS2017 scripts, by @HaydnTrigg
misc: all /contrib projects fixed
misc: added /contrib/docker script by @gyscos
v1.3.3 (Dec 21, 2017)
perf: faster zstd_opt strategy (levels 16-19)
fix : bug #944 : multithreading with shared dictionary and large data, reported by @gsliepen
cli : fix : content size written in header by default
cli : fix : improved LZ4 format support, by @felixhandte
cli : new : hidden command `-S`, to benchmark multiple files while generating one result per file
api : fix : support large skippable frames, by @terrelln
api : fix : streaming interface was adding a useless 3-bytes null block to small frames
api : change : when setting `pledgedSrcSize`, use `ZSTD_CONTENTSIZE_UNKNOWN` macro value to mean "unknown"
build: fix : compilation under rhel6 and centos6, reported by @pixelb
build: added `check` target
v1.3.2 (Oct 10, 2017)
new : long range mode, using --long command, by Stella Lau (@stellamplau)
new : ability to generate and decode magicless frames (#591)
changed : maximum nb of threads reduced to 200, to avoid address space exhaustion in 32-bits mode
fix : multi-threading compression works with custom allocators
fix : ZSTD_sizeof_CStream() was over-evaluating memory usage
fix : a rare compression bug when compression generates very large distances and bunch of other conditions (only possible at --ultra -22)
fix : 32-bits build can now decode large offsets (levels 21+)
cli : added LZ4 frame support by default, by Felix Handte (@felixhandte)
cli : improved --list output
cli : new : can split input file for dictionary training, using command -B#
cli : new : clean operation artefact on Ctrl-C interruption
cli : fix : do not change /dev/null permissions when using command -t with root access, reported by @mike155 (#851)
cli : fix : write file size in header in multiple-files mode
api : added macro ZSTD_COMPRESSBOUND() for static allocation
api : experimental : new advanced decompression API
api : fix : sizeof_CCtx() used to over-estimate
build: fix : no-multithread variant compiles without pool.c dependency, reported by Mitchell Blank Jr (@mitchblank) (#819)
build: better compatibility with reproducible builds, by Bernhard M. Wiedemann (@bmwiedemann) (#818)
example : added streaming_memory_usage
license : changed /examples license to BSD + GPLv2
license : fix a few header files to reflect new license (#825)
v1.3.1 (Aug 21, 2017)
New license : BSD + GPLv2
perf: substantially decreased memory usage in Multi-threading mode, thanks to reports by Tino Reichardt (@mcmilk)
perf: Multi-threading supports up to 256 threads. Cap at 256 when more are requested (#760)
cli : improved and fixed --list command, by @ib (#772)
cli : command -vV to list supported formats, by @ib (#771)
build : fixed binary variants, reported by @svenha (#788)
build : fix Visual compilation for non x86/x64 targets, reported by Greg Slazinski (@GregSlazinski) (#718)
API exp : breaking change : ZSTD_getframeHeader() provides more information
API exp : breaking change : pinned down values of error codes
doc : fixed huffman example, by Ulrich Kunitz (@ulikunitz)
new : contrib/adaptive-compression, I/O driven compression strength, by Paul Cruz (@paulcruz74)
new : contrib/long_distance_matching, statistics by Stella Lau (@stellamplau)
updated : contrib/linux-kernel, by Nick Terrell (@terrelln)
v1.3.0 (Jul 6, 2017)
cli : new : `--list` command, by Paul Cruz
cli : changed : xz/lzma support enabled by default
cli : changed : `-t *` continue processing list after a decompression error
API : added : ZSTD_versionString()
API : promoted to stable status : ZSTD_getFrameContentSize(), by Sean Purcell
API exp : new advanced API : ZSTD_compress_generic(), ZSTD_CCtx_setParameter()
API exp : new : API for static or external allocation : ZSTD_initStatic?Ctx()
API exp : added : ZSTD_decompressBegin_usingDDict(), requested by Guy Riddle (#700)
API exp : clarified memory estimation / measurement functions.
API exp : changed : strongest strategy renamed ZSTD_btultra, fastest strategy ZSTD_fast set to 1
tools : decodecorpus can generate random dictionary-compressed samples, by Paul Cruz
new : contrib/seekable_format, demo and API, by Sean Purcell
changed : contrib/linux-kernel, updated version and license, by Nick Terrell
v1.2.0 (May 5, 2017)
cli : changed : Multithreading enabled by default (use target zstd-nomt or HAVE_THREAD=0 to disable)
cli : new : command -T0 means "detect and use nb of cores", by Sean Purcell
cli : new : zstdmt symlink hardwired to `zstd -T0`
cli : new : command --threads=# (#671)
cli : changed : cover dictionary builder by default, for improved quality, by Nick Terrell
cli : new : commands --train-cover and --train-legacy, to select dictionary algorithm and parameters
cli : experimental targets `zstd4` and `xzstd4`, with support for lz4 format, by Sean Purcell
cli : fix : does not output compressed data on console
cli : fix : ignore symbolic links unless --force specified,
API : breaking change : ZSTD_createCDict_advanced(), only use compressionParameters as argument
API : added : prototypes ZSTD_*_usingCDict_advanced(), for direct control over frameParameters.
API : improved: ZSTDMT_compressCCtx() reduced memory usage
API : fix : ZSTDMT_compressCCtx() now provides srcSize in header (#634)
API : fix : src size stored in frame header is controlled at end of frame
API : fix : enforced consistent rules for pledgedSrcSize==0 (#641)
API : fix : error code "GENERIC" replaced by "dstSizeTooSmall" when appropriate
build: improved cmake script, by @Majlen
build: enabled Multi-threading support for *BSD, by Baptiste Daroussin
tools: updated Paramgrill. Command -O# provides best parameters for sample and speed target.
new : contrib/linux-kernel version, by Nick Terrell
v1.1.4 (Mar 18, 2017)
cli : new : can compress in *.gz format, using --format=gzip command, by Przemyslaw Skibinski
cli : new : advanced benchmark command --priority=rt
cli : fix : write on sparse-enabled file systems in 32-bits mode, by @ds77
cli : fix : --rm remains silent when input is stdin
cli : experimental : xzstd, with support for xz/lzma decoding, by Przemyslaw Skibinski
speed : improved decompression speed in streaming mode for single shot scenarios (+5%)
memory: DDict (decompression dictionary) memory usage down from 150 KB to 20 KB
arch: 32-bits variant able to generate and decode very long matches (>32 MB), by Sean Purcell
API : new : ZSTD_findFrameCompressedSize(), ZSTD_getFrameContentSize(), ZSTD_findDecompressedSize()
API : changed : dropped support of legacy versions <= v0.3 (can be changed by modifying ZSTD_LEGACY_SUPPORT value)
build : new: meson build system in contrib/meson, by Dima Krasner
build : improved cmake script, by @Majlen
build : added -Wformat-security flag, as recommended by Padraig Brady
doc : new : educational decoder, by Sean Purcell
v1.1.3 (Feb 7, 2017)
cli : zstd can decompress .gz files (can be disabled with `make zstd-nogz` or `make HAVE_ZLIB=0`)
cli : new : experimental target `make zstdmt`, with multi-threading support
cli : new : improved dictionary builder "cover" (experimental), by Nick Terrell, based on prior work by Giuseppe Ottaviano.
cli : new : advanced commands for detailed parameters, by Przemyslaw Skibinski
cli : fix zstdless on Mac OS-X, by Andrew Janke
cli : fix #232 "compress non-files"
dictBuilder : improved dictionary generation quality, thanks to Nick Terrell
API : new : lib/compress/ZSTDMT_compress.h multithreading API (experimental)
API : new : ZSTD_create?Dict_byReference(), requested by Bartosz Taudul
API : new : ZDICT_finalizeDictionary()
API : fix : ZSTD_initCStream_usingCDict() properly writes dictID into frame header, by Gregory Szorc (#511)
API : fix : all symbols properly exposed in libzstd, by Nick Terrell
build : support for Solaris target, by Przemyslaw Skibinski
doc : clarified specification, by Sean Purcell
v1.1.2 (Dec 15, 2016)
API : streaming : decompression : changed : automatic implicit reset when chain-decoding new frames without init
API : experimental : added : dictID retrieval functions, and ZSTD_initCStream_srcSize()
API : zbuff : changed : prototypes now generate deprecation warnings
lib : improved : faster decompression speed at ultra compression settings and 32-bits mode
lib : changed : only public ZSTD_ symbols are now exposed
lib : changed : reduced usage of stack memory
lib : fixed : several corner case bugs, by Nick Terrell
cli : new : gzstd, experimental version able to decode .gz files, by Przemyslaw Skibinski
cli : new : preserve file attributes
cli : new : added zstdless and zstdgrep tools
cli : fixed : status displays total amount decoded, even for file consisting of multiple frames (like pzstd)
cli : fixed : zstdcat
zlib_wrapper : added support for gz* functions, by Przemyslaw Skibinski
install : better compatibility with FreeBSD, by Dimitry Andric
source tree : changed : zbuff source files moved to lib/deprecated
v1.1.1 (Nov 2, 2016)
New : command -M#, --memory=, --memlimit=, --memlimit-decompress= to limit allowed memory consumption
New : doc/zstd_manual.html, by Przemyslaw Skibinski
Improved : slightly better compression ratio at --ultra levels (>= 20)
Improved : better memory usage when using streaming compression API, thanks to @Rogier-5 report
Added : API : ZSTD_initCStream_usingCDict(), ZSTD_initDStream_usingDDict() (experimental section)
Added : example/multiple_streaming_compression.c
Changed : zstd_errors.h is now installed within /include (and replaces errors_public.h)
Updated man page
Fixed : zstd-small, zstd-compress and zstd-decompress compilation targets
v1.1.0 (Sep 28, 2016)
New : contrib/pzstd, parallel version of zstd, by Nick Terrell
added : NetBSD install target (#338)
Improved : speed for batches of small files
Improved : speed of zlib wrapper, by Przemyslaw Skibinski
Changed : libzstd on Windows supports legacy formats, by Christophe Chevalier
Fixed : CLI -d output to stdout by default when input is stdin (#322)
Fixed : CLI correctly detects console on Mac OS-X
Fixed : CLI supports recursive mode `-r` on Mac OS-X
Fixed : Legacy decoders use unified error codes, reported by benrg (#341), fixed by Przemyslaw Skibinski
Fixed : compatibility with OpenBSD, reported by Juan Francisco Cantero Hurtado (#319)
Fixed : compatibility with Hurd, by Przemyslaw Skibinski (#365)
Fixed : zstd-pgo, reported by octoploid (#329)
v1.0.0 (Sep 1, 2016)
Change Licensing, all project is now BSD, Copyright Facebook
Small decompression speed improvement
API : Streaming API supports legacy format
API : ZDICT_getDictID(), ZSTD_sizeof_{CCtx, DCtx, CStream, DStream}(), ZSTD_setDStreamParameter()
CLI supports legacy formats v0.4+
Fixed : compression fails on certain huge files, reported by Jesse McGrew
Enhanced documentation, by Przemyslaw Skibinski
v0.8.1 (Aug 18, 2016)
New streaming API
Changed : --ultra now enables levels beyond 19
Changed : -i# now selects benchmark time in second
Fixed : ZSTD_compress* can now compress > 4 GB in a single pass, reported by Nick Terrell
Fixed : speed regression on specific patterns (#272)
Fixed : support for Z_SYNC_FLUSH, by Dmitry Krot (#291)
Fixed : ICC compilation, by Przemyslaw Skibinski
v0.8.0 (Aug 2, 2016)
Improved : better speed on clang and gcc -O2, thanks to Eric Biggers
New : Build on FreeBSD and DragonFly, thanks to JrMarino
Changed : modified API : ZSTD_compressEnd()
Fixed : legacy mode with ZSTD_HEAPMODE=0, by Christopher Bergqvist
Fixed : premature end of frame when zero-sized raw block, reported by Eric Biggers
Fixed : large dictionaries (> 384 KB), reported by Ilona Papava
Fixed : checksum correctly checked in single-pass mode
Fixed : combined --test amd --rm, reported by Andreas M. Nilsson
Modified : minor compression level adaptations
Updated : compression format specification to v0.2.0
changed : zstd.h moved to /lib directory
v0.7.5 (Aug 1, 2016)
Transition version, supporting decoding of v0.8.x
v0.7.4 (Jul 17, 2016)
Added : homebrew for Mac, by Daniel Cade
Added : more examples
Fixed : segfault when using small dictionaries, reported by Felix Handte
Modified : default compression level for CLI is now 3
Updated : specification, to v0.1.1
v0.7.3 (Jul 9, 2016)
New : compression format specification
New : `--` separator, stating that all following arguments are file names. Suggested by Chip Turner.
New : `ZSTD_getDecompressedSize()`
New : OpenBSD target, by Juan Francisco Cantero Hurtado
New : `examples` directory
fixed : dictBuilder using HC levels, reported by Bartosz Taudul
fixed : legacy support from ZSTD_decompress_usingDDict(), reported by Felix Handte
fixed : multi-blocks decoding with intermediate uncompressed blocks, reported by Greg Slazinski
modified : removed "mem.h" and "error_public.h" dependencies from "zstd.h" (experimental section)
modified : legacy functions no longer need magic number
v0.7.2 (Jul 4, 2016)
fixed : ZSTD_decompressBlock() using multiple consecutive blocks. Reported by Greg Slazinski.
fixed : potential segfault on very large files (many gigabytes). Reported by Chip Turner.
fixed : CLI displays system error message when destination file cannot be created (#231). Reported by Chip Turner.
v0.7.1 (Jun 23, 2016)
fixed : ZBUFF_compressEnd() called multiple times with too small `dst` buffer, reported by Christophe Chevalier
fixed : dictBuilder fails if first sample is too small, reported by Руслан Ковалёв
fixed : corruption issue, reported by cj
modified : checksum enabled by default in command line mode
v0.7.0 (Jun 17, 2016)
New : Support for directory compression, using `-r`, thanks to Przemyslaw Skibinski
New : Command `--rm`, to remove source file after successful de/compression
New : Visual build scripts, by Christophe Chevalier
New : Support for Sparse File-systems (do not use space for zero-filled sectors)
New : Frame checksum support
New : Support pass-through mode (when using `-df`)
API : more efficient Dictionary API : `ZSTD_compress_usingCDict()`, `ZSTD_decompress_usingDDict()`
API : create dictionary files from custom content, by Giuseppe Ottaviano
API : support for custom malloc/free functions
New : controllable Dictionary ID
New : Support for skippable frames
v0.6.1 (May 13, 2016)
New : zlib wrapper API, thanks to Przemyslaw Skibinski
New : Ability to compile compressor / decompressor separately
Changed : new lib directory structure
Fixed : Legacy codec v0.5 compatible with dictionary decompression
Fixed : Decoder corruption error (#173)
Fixed : null-string roundtrip (#176)
New : benchmark mode can select directory as input
Experimental : midipix support, VMS support
v0.6.0 (Apr 13, 2016)
Stronger high compression modes, thanks to Przemyslaw Skibinski
API : ZSTD_getFrameParams() provides size of decompressed content
New : highest compression modes require `--ultra` command to fully unleash their capacity
Fixed : zstd cli return error code > 0 and removes dst file artifact when decompression fails, thanks to Chip Turner
v0.5.1 (Feb 18, 2016)
New : Optimal parsing => Very high compression modes, thanks to Przemyslaw Skibinski
Changed : Dictionary builder integrated into libzstd and zstd cli
Changed (!) : zstd cli now uses "multiple input files" as default mode. See `zstd -h`.
Fix : high compression modes for big-endian platforms
New : zstd cli : `-t` | `--test` command
v0.5.0 (Feb 5, 2016)
New : dictionary builder utility
Changed : streaming & dictionary API
Improved : better compression of small data
v0.4.7 (Jan 22, 2016)
Improved : small compression speed improvement in HC mode
Changed : `zstd_decompress.c` has ZSTD_LEGACY_SUPPORT to 0 by default
fix : bt search bug
v0.4.6 (Jan 13, 2016)
fix : fast compression mode on Windows
New : cmake configuration file, thanks to Artyom Dymchenko
Improved : high compression mode on repetitive data
New : block-level API
New : ZSTD_duplicateCCtx()
v0.4.5 (Dec 18, 2015)
new : -m/--multiple : compress/decompress multiple files
v0.4.4 (Dec 14, 2015)
Fixed : high compression modes for Windows 32 bits
new : external dictionary API extended to buffered mode and accessible through command line
new : windows DLL project, thanks to Christophe Chevalier
v0.4.3 (Dec 7, 2015)
new : external dictionary API
new : zstd-frugal
v0.4.2 (Dec 2, 2015)
Generic minor improvements for small blocks
Fixed : big-endian compatibility, by Peter Harris (#85)
v0.4.1 (Dec 1, 2015)
Fixed : ZSTD_LEGACY_SUPPORT=0 build mode (reported by Luben)
removed `zstd.c`
v0.4.0 (Nov 29, 2015)
Command line utility compatible with high compression levels
Removed zstdhc => merged into zstd
Added : ZBUFF API (see zstd_buffered.h)
Rolling buffer support
v0.3.6 (Nov 10, 2015)
small blocks params
v0.3.5 (Nov 9, 2015)
minor generic compression improvements
v0.3.4 (Nov 6, 2015)
Faster fast cLevels
v0.3.3 (Nov 5, 2015)
Small compression ratio improvement
v0.3.2 (Nov 2, 2015)
Fixed Visual Studio
v0.3.1 (Nov 2, 2015)
Small compression ratio improvement
v0.3 (Oct 30, 2015)
HC mode : compression levels 2-26
v0.2.2 (Oct 28, 2015)
Fix : Visual Studio 2013 & 2015 release compilation, by Christophe Chevalier
v0.2.1 (Oct 24, 2015)
Fix : Read errors, advanced fuzzer tests, by Hanno Böck
v0.2.0 (Oct 22, 2015)
**Breaking format change**
Faster decompression speed
Can still decode v0.1 format
v0.1.3 (Oct 15, 2015)
fix uninitialization warning, reported by Evan Nemerson
v0.1.2 (Sep 11, 2015)
frame concatenation support
v0.1.1 (Aug 27, 2015)
fix compression bug
detects write-flush errors
v0.1.0 (Aug 25, 2015)
first release

30
curl/dep/zstd/LICENSE.txt
Unescape Просмотреть файл

@ -0,0 +1,30 @@
BSD License
For Zstandard software
Copyright (c) Meta Platforms, Inc. and affiliates. All rights reserved.
Redistribution and use in source and binary forms, with or without modification,
are permitted provided that the following conditions are met:
* Redistributions of source code must retain the above copyright notice, this
list of conditions and the following disclaimer.
* Redistributions in binary form must reproduce the above copyright notice,
this list of conditions and the following disclaimer in the documentation
and/or other materials provided with the distribution.
* Neither the name Facebook, nor Meta, nor the names of its contributors may
be used to endorse or promote products derived from this software without
specific prior written permission.
THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND
ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR
ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
(INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON
ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

237
curl/dep/zstd/README.md
Unescape Просмотреть файл

@ -0,0 +1,237 @@
<p align="center"><img src="https://raw.githubusercontent.com/facebook/zstd/dev/doc/images/zstd_logo86.png" alt="Zstandard"></p>
__Zstandard__, or `zstd` as short version, is a fast lossless compression algorithm,
targeting real-time compression scenarios at zlib-level and better compression ratios.
It's backed by a very fast entropy stage, provided by [Huff0 and FSE library](https://github.com/Cyan4973/FiniteStateEntropy).
Zstandard's format is stable and documented in [RFC8878](https://datatracker.ietf.org/doc/html/rfc8878). Multiple independent implementations are already available.
This repository represents the reference implementation, provided as an open-source dual [BSD](LICENSE) OR [GPLv2](COPYING) licensed **C** library,
and a command line utility producing and decoding `.zst`, `.gz`, `.xz` and `.lz4` files.
Should your project require another programming language,
a list of known ports and bindings is provided on [Zstandard homepage](https://facebook.github.io/zstd/#other-languages).
**Development branch status:**
[![Build Status][travisDevBadge]][travisLink]
[![Build status][CircleDevBadge]][CircleLink]
[![Build status][CirrusDevBadge]][CirrusLink]
[![Fuzzing Status][OSSFuzzBadge]][OSSFuzzLink]
[travisDevBadge]: https://api.travis-ci.com/facebook/zstd.svg?branch=dev "Continuous Integration test suite"
[travisLink]: https://travis-ci.com/facebook/zstd
[CircleDevBadge]: https://circleci.com/gh/facebook/zstd/tree/dev.svg?style=shield "Short test suite"
[CircleLink]: https://circleci.com/gh/facebook/zstd
[CirrusDevBadge]: https://api.cirrus-ci.com/github/facebook/zstd.svg?branch=dev
[CirrusLink]: https://cirrus-ci.com/github/facebook/zstd
[OSSFuzzBadge]: https://oss-fuzz-build-logs.storage.googleapis.com/badges/zstd.svg
[OSSFuzzLink]: https://bugs.chromium.org/p/oss-fuzz/issues/list?sort=-opened&can=1&q=proj:zstd
## Benchmarks
For reference, several fast compression algorithms were tested and compared
on a desktop featuring a Core i7-9700K CPU @ 4.9GHz
and running Ubuntu 20.04 (`Linux ubu20 5.15.0-101-generic`),
using [lzbench], an open-source in-memory benchmark by @inikep
compiled with [gcc] 9.4.0,
on the [Silesia compression corpus].
[lzbench]: https://github.com/inikep/lzbench
[Silesia compression corpus]: https://sun.aei.polsl.pl//~sdeor/index.php?page=silesia
[gcc]: https://gcc.gnu.org/
| Compressor name | Ratio | Compression| Decompress.|
| --------------- | ------| -----------| ---------- |
| **zstd 1.5.6 -1** | 2.887 | 510 MB/s | 1580 MB/s |
| [zlib] 1.2.11 -1 | 2.743 | 95 MB/s | 400 MB/s |
| brotli 1.0.9 -0 | 2.702 | 395 MB/s | 430 MB/s |
| **zstd 1.5.6 --fast=1** | 2.437 | 545 MB/s | 1890 MB/s |
| **zstd 1.5.6 --fast=3** | 2.239 | 650 MB/s | 2000 MB/s |
| quicklz 1.5.0 -1 | 2.238 | 525 MB/s | 750 MB/s |
| lzo1x 2.10 -1 | 2.106 | 650 MB/s | 825 MB/s |
| [lz4] 1.9.4 | 2.101 | 700 MB/s | 4000 MB/s |
| lzf 3.6 -1 | 2.077 | 420 MB/s | 830 MB/s |
| snappy 1.1.9 | 2.073 | 530 MB/s | 1660 MB/s |
[zlib]: https://www.zlib.net/
[lz4]: https://lz4.github.io/lz4/
The negative compression levels, specified with `--fast=#`,
offer faster compression and decompression speed
at the cost of compression ratio.
Zstd can also offer stronger compression ratios at the cost of compression speed.
Speed vs Compression trade-off is configurable by small increments.
Decompression speed is preserved and remains roughly the same at all settings,
a property shared by most LZ compression algorithms, such as [zlib] or lzma.
The following tests were run
on a server running Linux Debian (`Linux version 4.14.0-3-amd64`)
with a Core i7-6700K CPU @ 4.0GHz,
using [lzbench], an open-source in-memory benchmark by @inikep
compiled with [gcc] 7.3.0,
on the [Silesia compression corpus].
Compression Speed vs Ratio | Decompression Speed
---------------------------|--------------------
![Compression Speed vs Ratio](doc/images/CSpeed2.png "Compression Speed vs Ratio") | ![Decompression Speed](doc/images/DSpeed3.png "Decompression Speed")
A few other algorithms can produce higher compression ratios at slower speeds, falling outside of the graph.
For a larger picture including slow modes, [click on this link](doc/images/DCspeed5.png).
## The case for Small Data compression
Previous charts provide results applicable to typical file and stream scenarios (several MB). Small data comes with different perspectives.
The smaller the amount of data to compress, the more difficult it is to compress. This problem is common to all compression algorithms, and reason is, compression algorithms learn from past data how to compress future data. But at the beginning of a new data set, there is no "past" to build upon.
To solve this situation, Zstd offers a __training mode__, which can be used to tune the algorithm for a selected type of data.
Training Zstandard is achieved by providing it with a few samples (one file per sample). The result of this training is stored in a file called "dictionary", which must be loaded before compression and decompression.
Using this dictionary, the compression ratio achievable on small data improves dramatically.
The following example uses the `github-users` [sample set](https://github.com/facebook/zstd/releases/tag/v1.1.3), created from [github public API](https://developer.github.com/v3/users/#get-all-users).
It consists of roughly 10K records weighing about 1KB each.
Compression Ratio | Compression Speed | Decompression Speed
------------------|-------------------|--------------------
![Compression Ratio](doc/images/dict-cr.png "Compression Ratio") | ![Compression Speed](doc/images/dict-cs.png "Compression Speed") | ![Decompression Speed](doc/images/dict-ds.png "Decompression Speed")
These compression gains are achieved while simultaneously providing _faster_ compression and decompression speeds.
Training works if there is some correlation in a family of small data samples. The more data-specific a dictionary is, the more efficient it is (there is no _universal dictionary_).
Hence, deploying one dictionary per type of data will provide the greatest benefits.
Dictionary gains are mostly effective in the first few KB. Then, the compression algorithm will gradually use previously decoded content to better compress the rest of the file.
### Dictionary compression How To:
1. Create the dictionary
`zstd --train FullPathToTrainingSet/* -o dictionaryName`
2. Compress with dictionary
`zstd -D dictionaryName FILE`
3. Decompress with dictionary
`zstd -D dictionaryName --decompress FILE.zst`
## Build instructions
`make` is the officially maintained build system of this project.
All other build systems are "compatible" and 3rd-party maintained,
they may feature small differences in advanced options.
When your system allows it, prefer using `make` to build `zstd` and `libzstd`.
### Makefile
If your system is compatible with standard `make` (or `gmake`),
invoking `make` in root directory will generate `zstd` cli in root directory.
It will also create `libzstd` into `lib/`.
Other available options include:
- `make install` : create and install zstd cli, library and man pages
- `make check` : create and run `zstd`, test its behavior on local platform
The `Makefile` follows the [GNU Standard Makefile conventions](https://www.gnu.org/prep/standards/html_node/Makefile-Conventions.html),
allowing staged install, standard flags, directory variables and command variables.
For advanced use cases, specialized compilation flags which control binary generation
are documented in [`lib/README.md`](lib/README.md#modular-build) for the `libzstd` library
and in [`programs/README.md`](programs/README.md#compilation-variables) for the `zstd` CLI.
### cmake
A `cmake` project generator is provided within `build/cmake`.
It can generate Makefiles or other build scripts
to create `zstd` binary, and `libzstd` dynamic and static libraries.
By default, `CMAKE_BUILD_TYPE` is set to `Release`.
#### Support for Fat (Universal2) Output
`zstd` can be built and installed with support for both Apple Silicon (M1/M2) as well as Intel by using CMake's Universal2 support.
To perform a Fat/Universal2 build and install use the following commands:
```bash
cmake -B build-cmake-debug -S build/cmake -G Ninja -DCMAKE_OSX_ARCHITECTURES="x86_64;x86_64h;arm64"
cd build-cmake-debug
ninja
sudo ninja install
```
### Meson
A Meson project is provided within [`build/meson`](build/meson). Follow
build instructions in that directory.
You can also take a look at [`.travis.yml`](.travis.yml) file for an
example about how Meson is used to build this project.
Note that default build type is **release**.
### VCPKG
You can build and install zstd [vcpkg](https://github.com/Microsoft/vcpkg/) dependency manager:
git clone https://github.com/Microsoft/vcpkg.git
cd vcpkg
./bootstrap-vcpkg.sh
./vcpkg integrate install
./vcpkg install zstd
The zstd port in vcpkg is kept up to date by Microsoft team members and community contributors.
If the version is out of date, please [create an issue or pull request](https://github.com/Microsoft/vcpkg) on the vcpkg repository.
### Conan
You can install pre-built binaries for zstd or build it from source using [Conan](https://conan.io/). Use the following command:
```bash
conan install --requires="zstd/[*]" --build=missing
```
The zstd Conan recipe is kept up to date by Conan maintainers and community contributors.
If the version is out of date, please [create an issue or pull request](https://github.com/conan-io/conan-center-index) on the ConanCenterIndex repository.
### Visual Studio (Windows)
Going into `build` directory, you will find additional possibilities:
- Projects for Visual Studio 2005, 2008 and 2010.
+ VS2010 project is compatible with VS2012, VS2013, VS2015 and VS2017.
- Automated build scripts for Visual compiler by [@KrzysFR](https://github.com/KrzysFR), in `build/VS_scripts`,
which will build `zstd` cli and `libzstd` library without any need to open Visual Studio solution.
### Buck
You can build the zstd binary via buck by executing: `buck build programs:zstd` from the root of the repo.
The output binary will be in `buck-out/gen/programs/`.
### Bazel
You easily can integrate zstd into your Bazel project by using the module hosted on the [Bazel Central Repository](https://registry.bazel.build/modules/zstd).
## Testing
You can run quick local smoke tests by running `make check`.
If you can't use `make`, execute the `playTest.sh` script from the `src/tests` directory.
Two env variables `$ZSTD_BIN` and `$DATAGEN_BIN` are needed for the test script to locate the `zstd` and `datagen` binary.
For information on CI testing, please refer to `TESTING.md`.
## Status
Zstandard is currently deployed within Facebook and many other large cloud infrastructures.
It is run continuously to compress large amounts of data in multiple formats and use cases.
Zstandard is considered safe for production environments.
## License
Zstandard is dual-licensed under [BSD](LICENSE) OR [GPLv2](COPYING).
## Contributing
The `dev` branch is the one where all contributions are merged before reaching `release`.
If you plan to propose a patch, please commit into the `dev` branch, or its own feature branch.
Direct commit to `release` are not permitted.
For more information, please read [CONTRIBUTING](CONTRIBUTING.md).

43
curl/docs/ALTSVC.md
Unescape Просмотреть файл

@ -0,0 +1,43 @@
<!--
Copyright (C) Daniel Stenberg, <daniel@haxx.se>, et al.
SPDX-License-Identifier: curl
-->
# Alt-Svc
curl features support for the Alt-Svc: HTTP header.
## Enable Alt-Svc in build
`./configure --enable-alt-svc`
(enabled by default since 7.73.0)
## Standard
[RFC 7838](https://datatracker.ietf.org/doc/html/rfc7838)
# Alt-Svc cache file format
This is a text based file with one line per entry and each line consists of nine
space separated fields.
## Example
h2 quic.tech 8443 h3-22 quic.tech 8443 "20190808 06:18:37" 0 0
## Fields
1. The ALPN id for the source origin
2. The hostname for the source origin
3. The port number for the source origin
4. The ALPN id for the destination host
5. The hostname for the destination host
6. The port number for the destination host
7. The expiration date and time of this entry within double quotes. The date format is "YYYYMMDD HH:MM:SS" and the time zone is GMT.
8. Boolean (1 or 0) if "persist" was set for this entry
9. Integer priority value (not currently used)
If the hostname is an IPv6 numerical address, it is stored with brackets such
as `[::1]`.

148
curl/docs/BINDINGS.md
Unescape Просмотреть файл

@ -0,0 +1,148 @@
<!--
Copyright (C) Daniel Stenberg, <daniel@haxx.se>, et al.
SPDX-License-Identifier: curl
-->
libcurl bindings
================
Creative people have written bindings or interfaces for various environments
and programming languages. Using one of these allows you to take advantage of
curl powers from within your favourite language or system.
This is a list of all known interfaces as of this writing.
The bindings listed below are not part of the curl/libcurl distribution
archives, but must be downloaded and installed separately.
<!-- markdown-link-check-disable -->
[Ada95](https://web.archive.org/web/20070403105909/www.almroth.com/adacurl/index.html) Written by Andreas Almroth
[Basic](https://scriptbasic.com/) ScriptBasic bindings written by Peter Verhas
C++: [curlpp](https://github.com/jpbarrette/curlpp/) Written by Jean-Philippe Barrette-LaPierre,
[curlcpp](https://github.com/JosephP91/curlcpp) by Giuseppe Persico and [C++
Requests](https://github.com/libcpr/cpr) by Huu Nguyen
[Ch](https://chcurl.sourceforge.net/) Written by Stephen Nestinger and Jonathan Rogado
Cocoa: [BBHTTP](https://github.com/biasedbit/BBHTTP) written by Bruno de Carvalho
[curlhandle](https://github.com/karelia/curlhandle) Written by Dan Wood
Clojure: [clj-curl](https://github.com/lsevero/clj-curl) by Lucas Severo
[D](https://dlang.org/library/std/net/curl.html) Written by Kenneth Bogert
[Delphi](https://github.com/Mercury13/curl4delphi) Written by Mikhail Merkuryev
[Dylan](https://dylanlibs.sourceforge.net/) Written by Chris Double
[Eiffel](https://iron.eiffel.com/repository/20.11/package/ABEF6975-37AC-45FD-9C67-52D10BA0669B) Written by Eiffel Software
[Euphoria](https://web.archive.org/web/20050204080544/rays-web.com/eulibcurl.htm) Written by Ray Smith
[Falcon](http://www.falconpl.org/project_docs/curl/)
[Ferite](https://web.archive.org/web/20150102192018/ferite.org/) Written by Paul Querna
[Fortran](https://github.com/interkosmos/fortran-curl) Written by Philipp Engel
[Gambas](https://gambas.sourceforge.net/)
[glib/GTK+](https://web.archive.org/web/20100526203452/atterer.net/glibcurl) Written by Richard Atterer
Go: [go-curl](https://github.com/andelf/go-curl) by ShuYu Wang
[Guile](https://github.com/spk121/guile-curl) Written by Michael L. Gran
[Harbour](https://github.com/vszakats/hb/tree/main/contrib/hbcurl) Written by Viktor Szakats
[Haskell](https://hackage.haskell.org/package/curl) Written by Galois, Inc
[Hollywood](https://www.hollywood-mal.com/download.html) hURL by Andreas Falkenhahn
[Java](https://github.com/covers1624/curl4j)
[Julia](https://github.com/JuliaWeb/LibCURL.jl) Written by Amit Murthy
[Kapito](https://github.com/puzza007/katipo) is an Erlang HTTP library around libcurl.
[Lisp](https://common-lisp.net/project/cl-curl/) Written by Liam Healy
Lua: [luacurl](https://web.archive.org/web/20201205052437/luacurl.luaforge.net/) by Alexander Marinov, [Lua-cURL](https://github.com/Lua-cURL) by Jürgen Hötzel
[Mono](https://web.archive.org/web/20070606064500/https://forge.novell.com/modules/xfmod/project/?libcurl-mono) Written by Jeffrey Phillips
[.NET](https://sourceforge.net/projects/libcurl-net/) libcurl-net by Jeffrey Phillips
[Nim](https://nimble.directory/pkg/libcurl) wrapper for libcurl
[node.js](https://github.com/JCMais/node-libcurl) node-libcurl by Jonathan Cardoso Machado
[Object-Pascal](https://web.archive.org/web/20020610214926/www.tekool.com/opcurl) Free Pascal, Delphi and Kylix binding written by Christophe Espern.
[OCaml](https://opam.ocaml.org/packages/ocurl/) Written by Lars Nilsson and ygrek
[Pascal](https://web.archive.org/web/20030804091414/houston.quik.com/jkp/curlpas/) Free Pascal, Delphi and Kylix binding written by Jeffrey Pohlmeyer.
Perl: [WWW::Curl](https://github.com/szbalint/WWW--Curl) Maintained by Cris
Bailiff and Bálint Szilakszi,
[perl6-net-curl](https://github.com/azawawi/perl6-net-curl) by Ahmad M. Zawawi
[NET::Curl](https://metacpan.org/pod/Net::Curl) by Przemyslaw Iskra
[PHP](https://php.net/curl) Originally written by Sterling Hughes
[PostgreSQL](https://github.com/pramsey/pgsql-http) - HTTP client for PostgreSQL
[PostgreSQL](https://github.com/RekGRpth/pg_curl) - cURL client for PostgreSQL
[PureBasic](https://www.purebasic.com/documentation/http/index.html) uses libcurl in its "native" HTTP subsystem
[Python](http://pycurl.io/) PycURL by Kjetil Jacobsen
[Python](https://pypi.org/project/pymcurl/) mcurl by Ganesh Viswanathan
[Q](https://q-lang.sourceforge.net/) The libcurl module is part of the default install
[R](https://cran.r-project.org/package=curl)
[Rexx](https://rexxcurl.sourceforge.net/) Written Mark Hessling
[Ring](https://ring-lang.sourceforge.io/doc1.3/libcurl.html) RingLibCurl by Mahmoud Fayed
RPG, support for ILE/RPG on OS/400 is included in source distribution
Ruby: [curb](https://github.com/taf2/curb) written by Ross Bamford,
[ruby-curl-multi](https://github.com/kball/curl_multi.rb) by Kristjan Petursson and Keith Rarick
[Rust](https://github.com/alexcrichton/curl-rust) curl-rust - by Carl Lerche
[Scheme](https://www.metapaper.net/lisovsky/web/curl/) Bigloo binding by Kirill Lisovsky
[Scilab](https://help.scilab.org/docs/current/fr_FR/getURL.html) binding by Sylvestre Ledru
[S-Lang](https://www.jedsoft.org/slang/modules/curl.html) by John E Davis
[Smalltalk](https://www.squeaksource.com/CurlPlugin/) Written by Danil Osipchuk
[SP-Forth](https://sourceforge.net/p/spf/spf/ci/master/tree/devel/~ac/lib/lin/curl/) Written by Andrey Cherezov
[SPL](https://web.archive.org/web/20210203022158/www.clifford.at/spl/spldoc/curl.html) Written by Clifford Wolf
[Tcl](https://web.archive.org/web/20160826011806/mirror.yellow5.com/tclcurl/) Tclcurl by Andrés García
[Vibe](https://github.com/ttytm/vibe) HTTP requests through libcurl in V
[Visual Basic](https://sourceforge.net/projects/libcurl-vb/) libcurl-vb by Jeffrey Phillips
[Visual Foxpro](https://web.archive.org/web/20130730181523/www.ctl32.com.ar/libcurl.asp) by Carlos Alloatti
[wxWidgets](https://wxcode.sourceforge.net/components/wxcurl/) Written by Casey O'Donnell
[XBLite](https://web.archive.org/web/20060426150418/perso.wanadoo.fr/xblite/libraries.html) Written by David Szafranski
[Xojo](https://github.com/charonn0/RB-libcURL) Written by Andrew Lambert
[Zig](https://github.com/jiacai2050/zig-curl) Written by Jiacai Liu, both easy and multi API are supported.

94
curl/docs/BUG-BOUNTY.md
Unescape Просмотреть файл

@ -0,0 +1,94 @@
<!--
Copyright (C) Daniel Stenberg, <daniel@haxx.se>, et al.
SPDX-License-Identifier: curl
-->
# The curl bug bounty
The curl project runs a bug bounty program in association with
[HackerOne](https://www.hackerone.com) and the [Internet Bug
Bounty](https://internetbugbounty.org).
## How does it work?
Start out by posting your suspected security vulnerability directly to [curl's
HackerOne program](https://hackerone.com/curl).
After you have reported a security issue, it has been deemed credible, and a
patch and advisory has been made public, you may be eligible for a bounty from
this program. See the [Security Process](https://curl.se/dev/secprocess.html)
document for how we work with security issues.
## What are the reward amounts?
The curl project offers monetary compensation for reported and published
security vulnerabilities. The amount of money that is rewarded depends on how
serious the flaw is determined to be.
Since 2021, the Bug Bounty is managed in association with the Internet Bug
Bounty and they set the reward amounts. If it would turn out that they set
amounts that are way lower than we can accept, the curl project intends to
"top up" rewards.
In 2022, typical "Medium" rated vulnerabilities have been rewarded 2,400 USD
each.
## Who is eligible for a reward?
Everyone and anyone who reports a security problem in a released curl version
that has not already been reported can ask for a bounty.
Dedicated - paid for - security audits that are performed in collaboration
with curl developers are not eligible for bounties.
Vulnerabilities in features that are off by default and documented as
experimental are not eligible for a reward.
The vulnerability has to be fixed and publicly announced (by the curl project)
before a bug bounty is considered.
Once the vulnerability has been published by curl, the researcher can request
their bounty from the [Internet Bug Bounty](https://hackerone.com/ibb).
Bounties need to be requested within twelve months from the publication of the
vulnerability.
The curl security team reserves themselves the right to deny or allow bug
bounty payouts on its own discretion. There is no appeals process.
## Product vulnerabilities only
This bug bounty only concerns the curl and libcurl products and thus their
respective source codes - when running on existing hardware. It does not
include curl documentation, curl websites, or other curl related
infrastructure.
The curl security team is the sole arbiter if a reported flaw is subject to a
bounty or not.
## Third parties
The curl bug bounty does not cover flaws in third party dependencies
(libraries) used by curl or libcurl. If the bug triggers because of curl
behaving wrongly or abusing a third party dependency, the problem is rather in
curl and not in the dependency and then the bounty might cover the problem.
## How are vulnerabilities graded?
The grading of each reported vulnerability that makes a reward claim is
performed by the curl security team. The grading is based on the CVSS (Common
Vulnerability Scoring System) 3.0.
## How are reward amounts determined?
The curl security team gives the vulnerability a score or severity level, as
mentioned above. The actual monetary reward amount is decided and paid by the
Internet Bug Bounty..
## Regarding taxes, etc. on the bounties
In the event that the individual receiving a bug bounty needs to pay taxes on
the reward money, the responsibility lies with the receiver. The curl project
or its security team never actually receive any of this money, hold the money,
or pay out the money.

270
curl/docs/BUGS.md
Unescape Просмотреть файл

@ -0,0 +1,270 @@
<!--
Copyright (C) Daniel Stenberg, <daniel@haxx.se>, et al.
SPDX-License-Identifier: curl
-->
# BUGS
## There are still bugs
curl and libcurl keep being developed. Adding features and changing code
means that bugs sneak in, no matter how hard we try to keep them out.
Of course there are lots of bugs left. Not to mention misfeatures.
To help us make curl the stable and solid product we want it to be, we need
bug reports and bug fixes.
## Where to report
If you cannot fix a bug yourself and submit a fix for it, try to report an as
detailed report as possible to a curl mailing list to allow one of us to have
a go at a solution. You can optionally also submit your problem in [curl's
bug tracking system](https://github.com/curl/curl/issues).
Please read the rest of this document below first before doing that.
If you feel you need to ask around first, find a suitable [mailing
list](https://curl.se/mail/) and post your questions there.
## Security bugs
If you find a bug or problem in curl or libcurl that you think has a security
impact, for example a bug that can put users in danger or make them
vulnerable if the bug becomes public knowledge, then please report that bug
using our security development process.
Security related bugs or bugs that are suspected to have a security impact,
should be reported on the [curl security tracker at
HackerOne](https://hackerone.com/curl).
This ensures that the report reaches the curl security team so that they
first can deal with the report away from the public to minimize the harm and
impact it has on existing users out there who might be using the vulnerable
versions.
The curl project's process for handling security related issues is
[documented separately](https://curl.se/dev/secprocess.html).
## What to report
When reporting a bug, you should include all information to help us
understand what is wrong, what you expected to happen and how to repeat the
bad behavior. You therefore need to tell us:
- your operating system's name and version number
- what version of curl you are using (`curl -V` is fine)
- versions of the used libraries that libcurl is built to use
- what URL you were working with (if possible), at least which protocol
and anything and everything else you think matters. Tell us what you expected
to happen, tell use what did happen, tell us how you could make it work
another way. Dig around, try out, test. Then include all the tiny bits and
pieces in your report. You benefit from this yourself, as it enables us to
help you quicker and more accurately.
Since curl deals with networks, it often helps us if you include a protocol
debug dump with your bug report. The output you get by using the `-v` or
`--trace` options.
If curl crashed, causing a core dump (in Unix), there is hardly any use to
send that huge file to anyone of us. Unless we have the same system setup as
you, we cannot do much with it. Instead, we ask you to get a stack trace and
send that (much smaller) output to us instead.
The address and how to subscribe to the mailing lists are detailed in the
`MANUAL.md` file.
## libcurl problems
When you have written your own application with libcurl to perform transfers,
it is even more important to be specific and detailed when reporting bugs.
Tell us the libcurl version and your operating system. Tell us the name and
version of all relevant sub-components like for example the SSL library
you are using and what name resolving your libcurl uses. If you use SFTP or
SCP, the libssh2 version is relevant etc.
Showing us a real source code example repeating your problem is the best way
to get our attention and it greatly increases our chances to understand your
problem and to work on a fix (if we agree it truly is a problem).
Lots of problems that appear to be libcurl problems are actually just abuses
of the libcurl API or other malfunctions in your applications. It is advised
that you run your problematic program using a memory debug tool like valgrind
or similar before you post memory-related or "crashing" problems to us.
## Who fixes the problems
If the problems or bugs you describe are considered to be bugs, we want to
have the problems fixed.
There are no developers in the curl project that are paid to work on bugs.
All developers that take on reported bugs do this on a voluntary basis. We do
it out of an ambition to keep curl and libcurl excellent products and out of
pride.
Please do not assume that you can just lump over something to us and it then
magically gets fixed after some given time. Most often we need feedback and
help to understand what you have experienced and how to repeat a problem.
Then we may only be able to assist YOU to debug the problem and to track down
the proper fix.
We get reports from many people every month and each report can take a
considerable amount of time to really go to the bottom with.
## How to get a stack trace
First, you must make sure that you compile all sources with `-g` and that you
do not 'strip' the final executable. Try to avoid optimizing the code as well,
remove `-O`, `-O2` etc from the compiler options.
Run the program until it cores.
Run your debugger on the core file, like `<debugger> curl core`. `<debugger>`
should be replaced with the name of your debugger, in most cases that is
`gdb`, but `dbx` and others also occur.
When the debugger has finished loading the core file and presents you a
prompt, enter `where` (without quotes) and press return.
The list that is presented is the stack trace. If everything worked, it is
supposed to contain the chain of functions that were called when curl
crashed. Include the stack trace with your detailed bug report, it helps a
lot.
## Bugs in libcurl bindings
There are of course bugs in libcurl bindings. You should then primarily
approach the team that works on that particular binding and see what you can
do to help them fix the problem.
If you suspect that the problem exists in the underlying libcurl, then please
convert your program over to plain C and follow the steps outlined above.
## Bugs in old versions
The curl project typically releases new versions every other month, and we
fix several hundred bugs per year. For a huge table of releases, number of
bug fixes and more, see: https://curl.se/docs/releases.html
The developers in the curl project do not have bandwidth or energy enough to
maintain several branches or to spend much time on hunting down problems in
old versions when chances are we already fixed them or at least that they have
changed nature and appearance in later versions.
When you experience a problem and want to report it, you really SHOULD
include the version number of the curl you are using when you experience the
issue. If that version number shows us that you are using an out-of-date curl,
you should also try out a modern curl version to see if the problem persists
or how/if it has changed in appearance.
Even if you cannot immediately upgrade your application/system to run the
latest curl version, you can most often at least run a test version or
experimental build or similar, to get this confirmed or not.
At times people insist that they cannot upgrade to a modern curl version, but
instead, they "just want the bug fixed". That is fine, just do not count on us
spending many cycles on trying to identify which single commit, if that is
even possible, that at some point in the past fixed the problem you are now
experiencing.
Security wise, it is almost always a bad idea to lag behind the current curl
versions by a lot. We keep discovering and reporting security problems
over time see you can see in [this
table](https://curl.se/docs/vulnerabilities.html)
# Bug fixing procedure
## What happens on first filing
When a new issue is posted in the issue tracker or on the mailing list, the
team of developers first needs to see the report. Maybe they took the day off,
maybe they are off in the woods hunting. Have patience. Allow at least a few
days before expecting someone to have responded.
In the issue tracker, you can expect that some labels are set on the issue to
help categorize it.
## First response
If your issue/bug report was not perfect at once (and few are), chances are
that someone asks follow-up questions. Which version did you use? Which
options did you use? How often does the problem occur? How can we reproduce
this problem? Which protocols does it involve? Or perhaps much more specific
and deep diving questions. It all depends on your specific issue.
You should then respond to these follow-up questions and provide more info
about the problem, so that we can help you figure it out. Or maybe you can
help us figure it out. An active back-and-forth communication is important
and the key for finding a cure and landing a fix.
## Not reproducible
We may require further work from you who actually see or experience the
problem if we cannot reproduce it and cannot understand it even after having
gotten all the info we need and having studied the source code over again.
## Unresponsive
If the problem have not been understood or reproduced, and there is nobody
responding to follow-up questions or questions asking for clarifications or
for discussing possible ways to move forward with the task, we take that as a
strong suggestion that the bug is unimportant.
Unimportant issues are closed as inactive sooner or later as they cannot be
fixed. The inactivity period (waiting for responses) should not be shorter
than two weeks but may extend months.
## Lack of time/interest
Bugs that are filed and are understood can unfortunately end up in the
"nobody cares enough about it to work on it" category. Such bugs are
perfectly valid problems that *should* get fixed but apparently are not. We
try to mark such bugs as `KNOWN_BUGS material` after a time of inactivity and
if no activity is noticed after yet some time those bugs are added to the
`KNOWN_BUGS` document and are closed in the issue tracker.
## `KNOWN_BUGS`
This is a list of known bugs. Bugs we know exist and that have been pointed
out but that have not yet been fixed. The reasons for why they have not been
fixed can involve anything really, but the primary reason is that nobody has
considered these problems to be important enough to spend the necessary time
and effort to have them fixed.
The `KNOWN_BUGS` items are always up for grabs and we love the ones who bring
one of them back to life and offer solutions to them.
The `KNOWN_BUGS` document has a sibling document known as `TODO`.
## `TODO`
Issues that are filed or reported that are not really bugs but more missing
features or ideas for future improvements and so on are marked as
*enhancement* or *feature-request* and get added to the `TODO` document and
the issues are closed. We do not keep TODO items open in the issue tracker.
The `TODO` document is full of ideas and suggestions of what we can add or
fix one day. You are always encouraged and free to grab one of those items and
take up a discussion with the curl development team on how that could be
implemented or provided in the project so that you can work on ticking it odd
that document.
If an issue is rather a bug and not a missing feature or functionality, it is
listed in `KNOWN_BUGS` instead.
## Closing off stalled bugs
The [issue and pull request trackers](https://github.com/curl/curl) only hold
"active" entries open (using a non-precise definition of what active actually
is, but they are at least not completely dead). Those that are abandoned or
in other ways dormant are closed and sometimes added to `TODO` and
`KNOWN_BUGS` instead.
This way, we only have "active" issues open on GitHub. Irrelevant issues and
pull requests do not distract developers or casual visitors.

336
curl/docs/CIPHERS-TLS12.md
Unescape Просмотреть файл

@ -0,0 +1,336 @@
<!--
Copyright (C) Daniel Stenberg, <daniel@haxx.se>, et al.
SPDX-License-Identifier: curl
-->
# TLS 1.2 cipher suites
| Id | IANA name | OpenSSL name | RFC |
|--------|-----------------------------------------------|------------------------------------|--------------------|
| 0x0001 | TLS_RSA_WITH_NULL_MD5 | NULL-MD5 | [RFC5246] |
| 0x0002 | TLS_RSA_WITH_NULL_SHA | NULL-SHA | [RFC5246] |
| 0x0003 | TLS_RSA_EXPORT_WITH_RC4_40_MD5 | EXP-RC4-MD5 | [RFC4346][RFC6347] |
| 0x0004 | TLS_RSA_WITH_RC4_128_MD5 | RC4-MD5 | [RFC5246][RFC6347] |
| 0x0005 | TLS_RSA_WITH_RC4_128_SHA | RC4-SHA | [RFC5246][RFC6347] |
| 0x0006 | TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5 | EXP-RC2-CBC-MD5 | [RFC4346] |
| 0x0007 | TLS_RSA_WITH_IDEA_CBC_SHA | IDEA-CBC-SHA | [RFC8996] |
| 0x0008 | TLS_RSA_EXPORT_WITH_DES40_CBC_SHA | EXP-DES-CBC-SHA | [RFC4346] |
| 0x0009 | TLS_RSA_WITH_DES_CBC_SHA | DES-CBC-SHA | [RFC8996] |
| 0x000A | TLS_RSA_WITH_3DES_EDE_CBC_SHA | DES-CBC3-SHA | [RFC5246] |
| 0x000B | TLS_DH_DSS_EXPORT_WITH_DES40_CBC_SHA | EXP-DH-DSS-DES-CBC-SHA | [RFC4346] |
| 0x000C | TLS_DH_DSS_WITH_DES_CBC_SHA | DH-DSS-DES-CBC-SHA | [RFC8996] |
| 0x000D | TLS_DH_DSS_WITH_3DES_EDE_CBC_SHA | DH-DSS-DES-CBC3-SHA | [RFC5246] |
| 0x000E | TLS_DH_RSA_EXPORT_WITH_DES40_CBC_SHA | EXP-DH-RSA-DES-CBC-SHA | [RFC4346] |
| 0x000F | TLS_DH_RSA_WITH_DES_CBC_SHA | DH-RSA-DES-CBC-SHA | [RFC8996] |
| 0x0010 | TLS_DH_RSA_WITH_3DES_EDE_CBC_SHA | DH-RSA-DES-CBC3-SHA | [RFC5246] |
| 0x0011 | TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA | EXP-DHE-DSS-DES-CBC-SHA | [RFC4346] |
| 0x0012 | TLS_DHE_DSS_WITH_DES_CBC_SHA | DHE-DSS-DES-CBC-SHA | [RFC8996] |
| 0x0013 | TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA | DHE-DSS-DES-CBC3-SHA | [RFC5246] |
| 0x0014 | TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA | EXP-DHE-RSA-DES-CBC-SHA | [RFC4346] |
| 0x0015 | TLS_DHE_RSA_WITH_DES_CBC_SHA | DHE-RSA-DES-CBC-SHA | [RFC8996] |
| 0x0016 | TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA | DHE-RSA-DES-CBC3-SHA | [RFC5246] |
| 0x0017 | TLS_DH_anon_EXPORT_WITH_RC4_40_MD5 | EXP-ADH-RC4-MD5 | [RFC4346][RFC6347] |
| 0x0018 | TLS_DH_anon_WITH_RC4_128_MD5 | ADH-RC4-MD5 | [RFC5246][RFC6347] |
| 0x0019 | TLS_DH_anon_EXPORT_WITH_DES40_CBC_SHA | EXP-ADH-DES-CBC-SHA | [RFC4346] |
| 0x001A | TLS_DH_anon_WITH_DES_CBC_SHA | ADH-DES-CBC-SHA | [RFC8996] |
| 0x001B | TLS_DH_anon_WITH_3DES_EDE_CBC_SHA | ADH-DES-CBC3-SHA | [RFC5246] |
| 0x001C | | FZA-NULL-SHA | |
| 0x001D | | FZA-FZA-CBC-SHA | |
| 0x001E | TLS_KRB5_WITH_DES_CBC_SHA | KRB5-DES-CBC-SHA | [RFC2712] |
| 0x001F | TLS_KRB5_WITH_3DES_EDE_CBC_SHA | KRB5-DES-CBC3-SHA | [RFC2712] |
| 0x0020 | TLS_KRB5_WITH_RC4_128_SHA | KRB5-RC4-SHA | [RFC2712][RFC6347] |
| 0x0021 | TLS_KRB5_WITH_IDEA_CBC_SHA | KRB5-IDEA-CBC-SHA | [RFC2712] |
| 0x0022 | TLS_KRB5_WITH_DES_CBC_MD5 | KRB5-DES-CBC-MD5 | [RFC2712] |
| 0x0023 | TLS_KRB5_WITH_3DES_EDE_CBC_MD5 | KRB5-DES-CBC3-MD5 | [RFC2712] |
| 0x0024 | TLS_KRB5_WITH_RC4_128_MD5 | KRB5-RC4-MD5 | [RFC2712][RFC6347] |
| 0x0025 | TLS_KRB5_WITH_IDEA_CBC_MD5 | KRB5-IDEA-CBC-MD5 | [RFC2712] |
| 0x0026 | TLS_KRB5_EXPORT_WITH_DES_CBC_40_SHA | EXP-KRB5-DES-CBC-SHA | [RFC2712] |
| 0x0027 | TLS_KRB5_EXPORT_WITH_RC2_CBC_40_SHA | EXP-KRB5-RC2-CBC-SHA | [RFC2712] |
| 0x0028 | TLS_KRB5_EXPORT_WITH_RC4_40_SHA | EXP-KRB5-RC4-SHA | [RFC2712][RFC6347] |
| 0x0029 | TLS_KRB5_EXPORT_WITH_DES_CBC_40_MD5 | EXP-KRB5-DES-CBC-MD5 | [RFC2712] |
| 0x002A | TLS_KRB5_EXPORT_WITH_RC2_CBC_40_MD5 | EXP-KRB5-RC2-CBC-MD5 | [RFC2712] |
| 0x002B | TLS_KRB5_EXPORT_WITH_RC4_40_MD5 | EXP-KRB5-RC4-MD5 | [RFC2712][RFC6347] |
| 0x002C | TLS_PSK_WITH_NULL_SHA | PSK-NULL-SHA | [RFC4785] |
| 0x002D | TLS_DHE_PSK_WITH_NULL_SHA | DHE-PSK-NULL-SHA | [RFC4785] |
| 0x002E | TLS_RSA_PSK_WITH_NULL_SHA | RSA-PSK-NULL-SHA | [RFC4785] |
| 0x002F | TLS_RSA_WITH_AES_128_CBC_SHA | AES128-SHA | [RFC5246] |
| 0x0030 | TLS_DH_DSS_WITH_AES_128_CBC_SHA | DH-DSS-AES128-SHA | [RFC5246] |
| 0x0031 | TLS_DH_RSA_WITH_AES_128_CBC_SHA | DH-RSA-AES128-SHA | [RFC5246] |
| 0x0032 | TLS_DHE_DSS_WITH_AES_128_CBC_SHA | DHE-DSS-AES128-SHA | [RFC5246] |
| 0x0033 | TLS_DHE_RSA_WITH_AES_128_CBC_SHA | DHE-RSA-AES128-SHA | [RFC5246] |
| 0x0034 | TLS_DH_anon_WITH_AES_128_CBC_SHA | ADH-AES128-SHA | [RFC5246] |
| 0x0035 | TLS_RSA_WITH_AES_256_CBC_SHA | AES256-SHA | [RFC5246] |
| 0x0036 | TLS_DH_DSS_WITH_AES_256_CBC_SHA | DH-DSS-AES256-SHA | [RFC5246] |
| 0x0037 | TLS_DH_RSA_WITH_AES_256_CBC_SHA | DH-RSA-AES256-SHA | [RFC5246] |
| 0x0038 | TLS_DHE_DSS_WITH_AES_256_CBC_SHA | DHE-DSS-AES256-SHA | [RFC5246] |
| 0x0039 | TLS_DHE_RSA_WITH_AES_256_CBC_SHA | DHE-RSA-AES256-SHA | [RFC5246] |
| 0x003A | TLS_DH_anon_WITH_AES_256_CBC_SHA | ADH-AES256-SHA | [RFC5246] |
| 0x003B | TLS_RSA_WITH_NULL_SHA256 | NULL-SHA256 | [RFC5246] |
| 0x003C | TLS_RSA_WITH_AES_128_CBC_SHA256 | AES128-SHA256 | [RFC5246] |
| 0x003D | TLS_RSA_WITH_AES_256_CBC_SHA256 | AES256-SHA256 | [RFC5246] |
| 0x003E | TLS_DH_DSS_WITH_AES_128_CBC_SHA256 | DH-DSS-AES128-SHA256 | [RFC5246] |
| 0x003F | TLS_DH_RSA_WITH_AES_128_CBC_SHA256 | DH-RSA-AES128-SHA256 | [RFC5246] |
| 0x0040 | TLS_DHE_DSS_WITH_AES_128_CBC_SHA256 | DHE-DSS-AES128-SHA256 | [RFC5246] |
| 0x0041 | TLS_RSA_WITH_CAMELLIA_128_CBC_SHA | CAMELLIA128-SHA | [RFC5932] |
| 0x0042 | TLS_DH_DSS_WITH_CAMELLIA_128_CBC_SHA | DH-DSS-CAMELLIA128-SHA | [RFC5932] |
| 0x0043 | TLS_DH_RSA_WITH_CAMELLIA_128_CBC_SHA | DH-RSA-CAMELLIA128-SHA | [RFC5932] |
| 0x0044 | TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA | DHE-DSS-CAMELLIA128-SHA | [RFC5932] |
| 0x0045 | TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA | DHE-RSA-CAMELLIA128-SHA | [RFC5932] |
| 0x0046 | TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA | ADH-CAMELLIA128-SHA | [RFC5932] |
| 0x0060 | | EXP1024-RC4-MD5 | |
| 0x0061 | | EXP1024-RC2-CBC-MD5 | |
| 0x0062 | | EXP1024-DES-CBC-SHA | |
| 0x0063 | | EXP1024-DHE-DSS-DES-CBC-SHA | |
| 0x0064 | | EXP1024-RC4-SHA | |
| 0x0065 | | EXP1024-DHE-DSS-RC4-SHA | |
| 0x0066 | | DHE-DSS-RC4-SHA | |
| 0x0067 | TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 | DHE-RSA-AES128-SHA256 | [RFC5246] |
| 0x0068 | TLS_DH_DSS_WITH_AES_256_CBC_SHA256 | DH-DSS-AES256-SHA256 | [RFC5246] |
| 0x0069 | TLS_DH_RSA_WITH_AES_256_CBC_SHA256 | DH-RSA-AES256-SHA256 | [RFC5246] |
| 0x006A | TLS_DHE_DSS_WITH_AES_256_CBC_SHA256 | DHE-DSS-AES256-SHA256 | [RFC5246] |
| 0x006B | TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 | DHE-RSA-AES256-SHA256 | [RFC5246] |
| 0x006C | TLS_DH_anon_WITH_AES_128_CBC_SHA256 | ADH-AES128-SHA256 | [RFC5246] |
| 0x006D | TLS_DH_anon_WITH_AES_256_CBC_SHA256 | ADH-AES256-SHA256 | [RFC5246] |
| 0x0080 | | GOST94-GOST89-GOST89 | |
| 0x0081 | | GOST2001-GOST89-GOST89 | |
| 0x0082 | | GOST94-NULL-GOST94 | |
| 0x0083 | | GOST2001-NULL-GOST94 | |
| 0x0084 | TLS_RSA_WITH_CAMELLIA_256_CBC_SHA | CAMELLIA256-SHA | [RFC5932] |
| 0x0085 | TLS_DH_DSS_WITH_CAMELLIA_256_CBC_SHA | DH-DSS-CAMELLIA256-SHA | [RFC5932] |
| 0x0086 | TLS_DH_RSA_WITH_CAMELLIA_256_CBC_SHA | DH-RSA-CAMELLIA256-SHA | [RFC5932] |
| 0x0087 | TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA | DHE-DSS-CAMELLIA256-SHA | [RFC5932] |
| 0x0088 | TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA | DHE-RSA-CAMELLIA256-SHA | [RFC5932] |
| 0x0089 | TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA | ADH-CAMELLIA256-SHA | [RFC5932] |
| 0x008A | TLS_PSK_WITH_RC4_128_SHA | PSK-RC4-SHA | [RFC4279][RFC6347] |
| 0x008B | TLS_PSK_WITH_3DES_EDE_CBC_SHA | PSK-3DES-EDE-CBC-SHA | [RFC4279] |
| 0x008C | TLS_PSK_WITH_AES_128_CBC_SHA | PSK-AES128-CBC-SHA | [RFC4279] |
| 0x008D | TLS_PSK_WITH_AES_256_CBC_SHA | PSK-AES256-CBC-SHA | [RFC4279] |
| 0x008E | TLS_DHE_PSK_WITH_RC4_128_SHA | DHE-PSK-RC4-SHA | [RFC4279][RFC6347] |
| 0x008F | TLS_DHE_PSK_WITH_3DES_EDE_CBC_SHA | DHE-PSK-3DES-EDE-CBC-SHA | [RFC4279] |
| 0x0090 | TLS_DHE_PSK_WITH_AES_128_CBC_SHA | DHE-PSK-AES128-CBC-SHA | [RFC4279] |
| 0x0091 | TLS_DHE_PSK_WITH_AES_256_CBC_SHA | DHE-PSK-AES256-CBC-SHA | [RFC4279] |
| 0x0092 | TLS_RSA_PSK_WITH_RC4_128_SHA | RSA-PSK-RC4-SHA | [RFC4279][RFC6347] |
| 0x0093 | TLS_RSA_PSK_WITH_3DES_EDE_CBC_SHA | RSA-PSK-3DES-EDE-CBC-SHA | [RFC4279] |
| 0x0094 | TLS_RSA_PSK_WITH_AES_128_CBC_SHA | RSA-PSK-AES128-CBC-SHA | [RFC4279] |
| 0x0095 | TLS_RSA_PSK_WITH_AES_256_CBC_SHA | RSA-PSK-AES256-CBC-SHA | [RFC4279] |
| 0x0096 | TLS_RSA_WITH_SEED_CBC_SHA | SEED-SHA | [RFC4162] |
| 0x0097 | TLS_DH_DSS_WITH_SEED_CBC_SHA | DH-DSS-SEED-SHA | [RFC4162] |
| 0x0098 | TLS_DH_RSA_WITH_SEED_CBC_SHA | DH-RSA-SEED-SHA | [RFC4162] |
| 0x0099 | TLS_DHE_DSS_WITH_SEED_CBC_SHA | DHE-DSS-SEED-SHA | [RFC4162] |
| 0x009A | TLS_DHE_RSA_WITH_SEED_CBC_SHA | DHE-RSA-SEED-SHA | [RFC4162] |
| 0x009B | TLS_DH_anon_WITH_SEED_CBC_SHA | ADH-SEED-SHA | [RFC4162] |
| 0x009C | TLS_RSA_WITH_AES_128_GCM_SHA256 | AES128-GCM-SHA256 | [RFC5288] |
| 0x009D | TLS_RSA_WITH_AES_256_GCM_SHA384 | AES256-GCM-SHA384 | [RFC5288] |
| 0x009E | TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 | DHE-RSA-AES128-GCM-SHA256 | [RFC5288] |
| 0x009F | TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 | DHE-RSA-AES256-GCM-SHA384 | [RFC5288] |
| 0x00A0 | TLS_DH_RSA_WITH_AES_128_GCM_SHA256 | DH-RSA-AES128-GCM-SHA256 | [RFC5288] |
| 0x00A1 | TLS_DH_RSA_WITH_AES_256_GCM_SHA384 | DH-RSA-AES256-GCM-SHA384 | [RFC5288] |
| 0x00A2 | TLS_DHE_DSS_WITH_AES_128_GCM_SHA256 | DHE-DSS-AES128-GCM-SHA256 | [RFC5288] |
| 0x00A3 | TLS_DHE_DSS_WITH_AES_256_GCM_SHA384 | DHE-DSS-AES256-GCM-SHA384 | [RFC5288] |
| 0x00A4 | TLS_DH_DSS_WITH_AES_128_GCM_SHA256 | DH-DSS-AES128-GCM-SHA256 | [RFC5288] |
| 0x00A5 | TLS_DH_DSS_WITH_AES_256_GCM_SHA384 | DH-DSS-AES256-GCM-SHA384 | [RFC5288] |
| 0x00A6 | TLS_DH_anon_WITH_AES_128_GCM_SHA256 | ADH-AES128-GCM-SHA256 | [RFC5288] |
| 0x00A7 | TLS_DH_anon_WITH_AES_256_GCM_SHA384 | ADH-AES256-GCM-SHA384 | [RFC5288] |
| 0x00A8 | TLS_PSK_WITH_AES_128_GCM_SHA256 | PSK-AES128-GCM-SHA256 | [RFC5487] |
| 0x00A9 | TLS_PSK_WITH_AES_256_GCM_SHA384 | PSK-AES256-GCM-SHA384 | [RFC5487] |
| 0x00AA | TLS_DHE_PSK_WITH_AES_128_GCM_SHA256 | DHE-PSK-AES128-GCM-SHA256 | [RFC5487] |
| 0x00AB | TLS_DHE_PSK_WITH_AES_256_GCM_SHA384 | DHE-PSK-AES256-GCM-SHA384 | [RFC5487] |
| 0x00AC | TLS_RSA_PSK_WITH_AES_128_GCM_SHA256 | RSA-PSK-AES128-GCM-SHA256 | [RFC5487] |
| 0x00AD | TLS_RSA_PSK_WITH_AES_256_GCM_SHA384 | RSA-PSK-AES256-GCM-SHA384 | [RFC5487] |
| 0x00AE | TLS_PSK_WITH_AES_128_CBC_SHA256 | PSK-AES128-CBC-SHA256 | [RFC5487] |
| 0x00AF | TLS_PSK_WITH_AES_256_CBC_SHA384 | PSK-AES256-CBC-SHA384 | [RFC5487] |
| 0x00B0 | TLS_PSK_WITH_NULL_SHA256 | PSK-NULL-SHA256 | [RFC5487] |
| 0x00B1 | TLS_PSK_WITH_NULL_SHA384 | PSK-NULL-SHA384 | [RFC5487] |
| 0x00B2 | TLS_DHE_PSK_WITH_AES_128_CBC_SHA256 | DHE-PSK-AES128-CBC-SHA256 | [RFC5487] |
| 0x00B3 | TLS_DHE_PSK_WITH_AES_256_CBC_SHA384 | DHE-PSK-AES256-CBC-SHA384 | [RFC5487] |
| 0x00B4 | TLS_DHE_PSK_WITH_NULL_SHA256 | DHE-PSK-NULL-SHA256 | [RFC5487] |
| 0x00B5 | TLS_DHE_PSK_WITH_NULL_SHA384 | DHE-PSK-NULL-SHA384 | [RFC5487] |
| 0x00B6 | TLS_RSA_PSK_WITH_AES_128_CBC_SHA256 | RSA-PSK-AES128-CBC-SHA256 | [RFC5487] |
| 0x00B7 | TLS_RSA_PSK_WITH_AES_256_CBC_SHA384 | RSA-PSK-AES256-CBC-SHA384 | [RFC5487] |
| 0x00B8 | TLS_RSA_PSK_WITH_NULL_SHA256 | RSA-PSK-NULL-SHA256 | [RFC5487] |
| 0x00B9 | TLS_RSA_PSK_WITH_NULL_SHA384 | RSA-PSK-NULL-SHA384 | [RFC5487] |
| 0x00BA | TLS_RSA_WITH_CAMELLIA_128_CBC_SHA256 | CAMELLIA128-SHA256 | [RFC5932] |
| 0x00BD | TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA256 | DHE-DSS-CAMELLIA128-SHA256 | [RFC5932] |
| 0x00BE | TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA256 | DHE-RSA-CAMELLIA128-SHA256 | [RFC5932] |
| 0x00BF | TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA256 | ADH-CAMELLIA128-SHA256 | [RFC5932] |
| 0x00C0 | TLS_RSA_WITH_CAMELLIA_256_CBC_SHA256 | CAMELLIA256-SHA256 | [RFC5932] |
| 0x00C3 | TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA256 | DHE-DSS-CAMELLIA256-SHA256 | [RFC5932] |
| 0x00C4 | TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA256 | DHE-RSA-CAMELLIA256-SHA256 | [RFC5932] |
| 0x00C5 | TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA256 | ADH-CAMELLIA256-SHA256 | [RFC5932] |
| 0x00FF | TLS_EMPTY_RENEGOTIATION_INFO_SCSV | | [RFC5746] |
| 0x5600 | TLS_FALLBACK_SCSV | | [RFC7507] |
| 0xC001 | TLS_ECDH_ECDSA_WITH_NULL_SHA | ECDH-ECDSA-NULL-SHA | [RFC8422] |
| 0xC002 | TLS_ECDH_ECDSA_WITH_RC4_128_SHA | ECDH-ECDSA-RC4-SHA | [RFC8422][RFC6347] |
| 0xC003 | TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA | ECDH-ECDSA-DES-CBC3-SHA | [RFC8422] |
| 0xC004 | TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA | ECDH-ECDSA-AES128-SHA | [RFC8422] |
| 0xC005 | TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA | ECDH-ECDSA-AES256-SHA | [RFC8422] |
| 0xC006 | TLS_ECDHE_ECDSA_WITH_NULL_SHA | ECDHE-ECDSA-NULL-SHA | [RFC8422] |
| 0xC007 | TLS_ECDHE_ECDSA_WITH_RC4_128_SHA | ECDHE-ECDSA-RC4-SHA | [RFC8422][RFC6347] |
| 0xC008 | TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA | ECDHE-ECDSA-DES-CBC3-SHA | [RFC8422] |
| 0xC009 | TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA | ECDHE-ECDSA-AES128-SHA | [RFC8422] |
| 0xC00A | TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA | ECDHE-ECDSA-AES256-SHA | [RFC8422] |
| 0xC00B | TLS_ECDH_RSA_WITH_NULL_SHA | ECDH-RSA-NULL-SHA | [RFC8422] |
| 0xC00C | TLS_ECDH_RSA_WITH_RC4_128_SHA | ECDH-RSA-RC4-SHA | [RFC8422][RFC6347] |
| 0xC00D | TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA | ECDH-RSA-DES-CBC3-SHA | [RFC8422] |
| 0xC00E | TLS_ECDH_RSA_WITH_AES_128_CBC_SHA | ECDH-RSA-AES128-SHA | [RFC8422] |
| 0xC00F | TLS_ECDH_RSA_WITH_AES_256_CBC_SHA | ECDH-RSA-AES256-SHA | [RFC8422] |
| 0xC010 | TLS_ECDHE_RSA_WITH_NULL_SHA | ECDHE-RSA-NULL-SHA | [RFC8422] |
| 0xC011 | TLS_ECDHE_RSA_WITH_RC4_128_SHA | ECDHE-RSA-RC4-SHA | [RFC8422][RFC6347] |
| 0xC012 | TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA | ECDHE-RSA-DES-CBC3-SHA | [RFC8422] |
| 0xC013 | TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA | ECDHE-RSA-AES128-SHA | [RFC8422] |
| 0xC014 | TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA | ECDHE-RSA-AES256-SHA | [RFC8422] |
| 0xC015 | TLS_ECDH_anon_WITH_NULL_SHA | AECDH-NULL-SHA | [RFC8422] |
| 0xC016 | TLS_ECDH_anon_WITH_RC4_128_SHA | AECDH-RC4-SHA | [RFC8422][RFC6347] |
| 0xC017 | TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA | AECDH-DES-CBC3-SHA | [RFC8422] |
| 0xC018 | TLS_ECDH_anon_WITH_AES_128_CBC_SHA | AECDH-AES128-SHA | [RFC8422] |
| 0xC019 | TLS_ECDH_anon_WITH_AES_256_CBC_SHA | AECDH-AES256-SHA | [RFC8422] |
| 0xC01A | TLS_SRP_SHA_WITH_3DES_EDE_CBC_SHA | SRP-3DES-EDE-CBC-SHA | [RFC5054] |
| 0xC01B | TLS_SRP_SHA_RSA_WITH_3DES_EDE_CBC_SHA | SRP-RSA-3DES-EDE-CBC-SHA | [RFC5054] |
| 0xC01C | TLS_SRP_SHA_DSS_WITH_3DES_EDE_CBC_SHA | SRP-DSS-3DES-EDE-CBC-SHA | [RFC5054] |
| 0xC01D | TLS_SRP_SHA_WITH_AES_128_CBC_SHA | SRP-AES-128-CBC-SHA | [RFC5054] |
| 0xC01E | TLS_SRP_SHA_RSA_WITH_AES_128_CBC_SHA | SRP-RSA-AES-128-CBC-SHA | [RFC5054] |
| 0xC01F | TLS_SRP_SHA_DSS_WITH_AES_128_CBC_SHA | SRP-DSS-AES-128-CBC-SHA | [RFC5054] |
| 0xC020 | TLS_SRP_SHA_WITH_AES_256_CBC_SHA | SRP-AES-256-CBC-SHA | [RFC5054] |
| 0xC021 | TLS_SRP_SHA_RSA_WITH_AES_256_CBC_SHA | SRP-RSA-AES-256-CBC-SHA | [RFC5054] |
| 0xC022 | TLS_SRP_SHA_DSS_WITH_AES_256_CBC_SHA | SRP-DSS-AES-256-CBC-SHA | [RFC5054] |
| 0xC023 | TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 | ECDHE-ECDSA-AES128-SHA256 | [RFC5289] |
| 0xC024 | TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 | ECDHE-ECDSA-AES256-SHA384 | [RFC5289] |
| 0xC025 | TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256 | ECDH-ECDSA-AES128-SHA256 | [RFC5289] |
| 0xC026 | TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384 | ECDH-ECDSA-AES256-SHA384 | [RFC5289] |
| 0xC027 | TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 | ECDHE-RSA-AES128-SHA256 | [RFC5289] |
| 0xC028 | TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 | ECDHE-RSA-AES256-SHA384 | [RFC5289] |
| 0xC029 | TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256 | ECDH-RSA-AES128-SHA256 | [RFC5289] |
| 0xC02A | TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384 | ECDH-RSA-AES256-SHA384 | [RFC5289] |
| 0xC02B | TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 | ECDHE-ECDSA-AES128-GCM-SHA256 | [RFC5289] |
| 0xC02C | TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 | ECDHE-ECDSA-AES256-GCM-SHA384 | [RFC5289] |
| 0xC02D | TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256 | ECDH-ECDSA-AES128-GCM-SHA256 | [RFC5289] |
| 0xC02E | TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384 | ECDH-ECDSA-AES256-GCM-SHA384 | [RFC5289] |
| 0xC02F | TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 | ECDHE-RSA-AES128-GCM-SHA256 | [RFC5289] |
| 0xC030 | TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 | ECDHE-RSA-AES256-GCM-SHA384 | [RFC5289] |
| 0xC031 | TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256 | ECDH-RSA-AES128-GCM-SHA256 | [RFC5289] |
| 0xC032 | TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384 | ECDH-RSA-AES256-GCM-SHA384 | [RFC5289] |
| 0xC033 | TLS_ECDHE_PSK_WITH_RC4_128_SHA | ECDHE-PSK-RC4-SHA | [RFC5489][RFC6347] |
| 0xC034 | TLS_ECDHE_PSK_WITH_3DES_EDE_CBC_SHA | ECDHE-PSK-3DES-EDE-CBC-SHA | [RFC5489] |
| 0xC035 | TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA | ECDHE-PSK-AES128-CBC-SHA | [RFC5489] |
| 0xC036 | TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA | ECDHE-PSK-AES256-CBC-SHA | [RFC5489] |
| 0xC037 | TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA256 | ECDHE-PSK-AES128-CBC-SHA256 | [RFC5489] |
| 0xC038 | TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA384 | ECDHE-PSK-AES256-CBC-SHA384 | [RFC5489] |
| 0xC039 | TLS_ECDHE_PSK_WITH_NULL_SHA | ECDHE-PSK-NULL-SHA | [RFC5489] |
| 0xC03A | TLS_ECDHE_PSK_WITH_NULL_SHA256 | ECDHE-PSK-NULL-SHA256 | [RFC5489] |
| 0xC03B | TLS_ECDHE_PSK_WITH_NULL_SHA384 | ECDHE-PSK-NULL-SHA384 | [RFC5489] |
| 0xC03C | TLS_RSA_WITH_ARIA_128_CBC_SHA256 | ARIA128-SHA256 | [RFC6209] |
| 0xC03D | TLS_RSA_WITH_ARIA_256_CBC_SHA384 | ARIA256-SHA384 | [RFC6209] |
| 0xC044 | TLS_DHE_RSA_WITH_ARIA_128_CBC_SHA256 | DHE-RSA-ARIA128-SHA256 | [RFC6209] |
| 0xC045 | TLS_DHE_RSA_WITH_ARIA_256_CBC_SHA384 | DHE-RSA-ARIA256-SHA384 | [RFC6209] |
| 0xC048 | TLS_ECDHE_ECDSA_WITH_ARIA_128_CBC_SHA256 | ECDHE-ECDSA-ARIA128-SHA256 | [RFC6209] |
| 0xC049 | TLS_ECDHE_ECDSA_WITH_ARIA_256_CBC_SHA384 | ECDHE-ECDSA-ARIA256-SHA384 | [RFC6209] |
| 0xC04A | TLS_ECDH_ECDSA_WITH_ARIA_128_CBC_SHA256 | ECDH-ECDSA-ARIA128-SHA256 | [RFC6209] |
| 0xC04B | TLS_ECDH_ECDSA_WITH_ARIA_256_CBC_SHA384 | ECDH-ECDSA-ARIA256-SHA384 | [RFC6209] |
| 0xC04C | TLS_ECDHE_RSA_WITH_ARIA_128_CBC_SHA256 | ECDHE-ARIA128-SHA256 | [RFC6209] |
| 0xC04D | TLS_ECDHE_RSA_WITH_ARIA_256_CBC_SHA384 | ECDHE-ARIA256-SHA384 | [RFC6209] |
| 0xC04E | TLS_ECDH_RSA_WITH_ARIA_128_CBC_SHA256 | ECDH-ARIA128-SHA256 | [RFC6209] |
| 0xC04F | TLS_ECDH_RSA_WITH_ARIA_256_CBC_SHA384 | ECDH-ARIA256-SHA384 | [RFC6209] |
| 0xC050 | TLS_RSA_WITH_ARIA_128_GCM_SHA256 | ARIA128-GCM-SHA256 | [RFC6209] |
| 0xC051 | TLS_RSA_WITH_ARIA_256_GCM_SHA384 | ARIA256-GCM-SHA384 | [RFC6209] |
| 0xC052 | TLS_DHE_RSA_WITH_ARIA_128_GCM_SHA256 | DHE-RSA-ARIA128-GCM-SHA256 | [RFC6209] |
| 0xC053 | TLS_DHE_RSA_WITH_ARIA_256_GCM_SHA384 | DHE-RSA-ARIA256-GCM-SHA384 | [RFC6209] |
| 0xC056 | TLS_DHE_DSS_WITH_ARIA_128_GCM_SHA256 | DHE-DSS-ARIA128-GCM-SHA256 | [RFC6209] |
| 0xC057 | TLS_DHE_DSS_WITH_ARIA_256_GCM_SHA384 | DHE-DSS-ARIA256-GCM-SHA384 | [RFC6209] |
| 0xC05C | TLS_ECDHE_ECDSA_WITH_ARIA_128_GCM_SHA256 | ECDHE-ECDSA-ARIA128-GCM-SHA256 | [RFC6209] |
| 0xC05D | TLS_ECDHE_ECDSA_WITH_ARIA_256_GCM_SHA384 | ECDHE-ECDSA-ARIA256-GCM-SHA384 | [RFC6209] |
| 0xC05E | TLS_ECDH_ECDSA_WITH_ARIA_128_GCM_SHA256 | ECDH-ECDSA-ARIA128-GCM-SHA256 | [RFC6209] |
| 0xC05F | TLS_ECDH_ECDSA_WITH_ARIA_256_GCM_SHA384 | ECDH-ECDSA-ARIA256-GCM-SHA384 | [RFC6209] |
| 0xC060 | TLS_ECDHE_RSA_WITH_ARIA_128_GCM_SHA256 | ECDHE-ARIA128-GCM-SHA256 | [RFC6209] |
| 0xC061 | TLS_ECDHE_RSA_WITH_ARIA_256_GCM_SHA384 | ECDHE-ARIA256-GCM-SHA384 | [RFC6209] |
| 0xC062 | TLS_ECDH_RSA_WITH_ARIA_128_GCM_SHA256 | ECDH-ARIA128-GCM-SHA256 | [RFC6209] |
| 0xC063 | TLS_ECDH_RSA_WITH_ARIA_256_GCM_SHA384 | ECDH-ARIA256-GCM-SHA384 | [RFC6209] |
| 0xC064 | TLS_PSK_WITH_ARIA_128_CBC_SHA256 | PSK-ARIA128-SHA256 | [RFC6209] |
| 0xC065 | TLS_PSK_WITH_ARIA_256_CBC_SHA384 | PSK-ARIA256-SHA384 | [RFC6209] |
| 0xC066 | TLS_DHE_PSK_WITH_ARIA_128_CBC_SHA256 | DHE-PSK-ARIA128-SHA256 | [RFC6209] |
| 0xC067 | TLS_DHE_PSK_WITH_ARIA_256_CBC_SHA384 | DHE-PSK-ARIA256-SHA384 | [RFC6209] |
| 0xC068 | TLS_RSA_PSK_WITH_ARIA_128_CBC_SHA256 | RSA-PSK-ARIA128-SHA256 | [RFC6209] |
| 0xC069 | TLS_RSA_PSK_WITH_ARIA_256_CBC_SHA384 | RSA-PSK-ARIA256-SHA384 | [RFC6209] |
| 0xC06A | TLS_PSK_WITH_ARIA_128_GCM_SHA256 | PSK-ARIA128-GCM-SHA256 | [RFC6209] |
| 0xC06B | TLS_PSK_WITH_ARIA_256_GCM_SHA384 | PSK-ARIA256-GCM-SHA384 | [RFC6209] |
| 0xC06C | TLS_DHE_PSK_WITH_ARIA_128_GCM_SHA256 | DHE-PSK-ARIA128-GCM-SHA256 | [RFC6209] |
| 0xC06D | TLS_DHE_PSK_WITH_ARIA_256_GCM_SHA384 | DHE-PSK-ARIA256-GCM-SHA384 | [RFC6209] |
| 0xC06E | TLS_RSA_PSK_WITH_ARIA_128_GCM_SHA256 | RSA-PSK-ARIA128-GCM-SHA256 | [RFC6209] |
| 0xC06F | TLS_RSA_PSK_WITH_ARIA_256_GCM_SHA384 | RSA-PSK-ARIA256-GCM-SHA384 | [RFC6209] |
| 0xC070 | TLS_ECDHE_PSK_WITH_ARIA_128_CBC_SHA256 | ECDHE-PSK-ARIA128-SHA256 | [RFC6209] |
| 0xC071 | TLS_ECDHE_PSK_WITH_ARIA_256_CBC_SHA384 | ECDHE-PSK-ARIA256-SHA384 | [RFC6209] |
| 0xC072 | TLS_ECDHE_ECDSA_WITH_CAMELLIA_128_CBC_SHA256 | ECDHE-ECDSA-CAMELLIA128-SHA256 | [RFC6367] |
| 0xC073 | TLS_ECDHE_ECDSA_WITH_CAMELLIA_256_CBC_SHA384 | ECDHE-ECDSA-CAMELLIA256-SHA384 | [RFC6367] |
| 0xC074 | TLS_ECDH_ECDSA_WITH_CAMELLIA_128_CBC_SHA256 | ECDH-ECDSA-CAMELLIA128-SHA256 | [RFC6367] |
| 0xC075 | TLS_ECDH_ECDSA_WITH_CAMELLIA_256_CBC_SHA384 | ECDH-ECDSA-CAMELLIA256-SHA384 | [RFC6367] |
| 0xC076 | TLS_ECDHE_RSA_WITH_CAMELLIA_128_CBC_SHA256 | ECDHE-RSA-CAMELLIA128-SHA256 | [RFC6367] |
| 0xC077 | TLS_ECDHE_RSA_WITH_CAMELLIA_256_CBC_SHA384 | ECDHE-RSA-CAMELLIA256-SHA384 | [RFC6367] |
| 0xC078 | TLS_ECDH_RSA_WITH_CAMELLIA_128_CBC_SHA256 | ECDH-CAMELLIA128-SHA256 | [RFC6367] |
| 0xC079 | TLS_ECDH_RSA_WITH_CAMELLIA_256_CBC_SHA384 | ECDH-CAMELLIA256-SHA384 | [RFC6367] |
| 0xC07A | TLS_RSA_WITH_CAMELLIA_128_GCM_SHA256 | CAMELLIA128-GCM-SHA256 | [RFC6367] |
| 0xC07B | TLS_RSA_WITH_CAMELLIA_256_GCM_SHA384 | CAMELLIA256-GCM-SHA384 | [RFC6367] |
| 0xC07C | TLS_DHE_RSA_WITH_CAMELLIA_128_GCM_SHA256 | DHE-RSA-CAMELLIA128-GCM-SHA256 | [RFC6367] |
| 0xC07D | TLS_DHE_RSA_WITH_CAMELLIA_256_GCM_SHA384 | DHE-RSA-CAMELLIA256-GCM-SHA384 | [RFC6367] |
| 0xC086 | TLS_ECDHE_ECDSA_WITH_CAMELLIA_128_GCM_SHA256 | ECDHE-ECDSA-CAMELLIA128-GCM-SHA256 | [RFC6367] |
| 0xC087 | TLS_ECDHE_ECDSA_WITH_CAMELLIA_256_GCM_SHA384 | ECDHE-ECDSA-CAMELLIA256-GCM-SHA384 | [RFC6367] |
| 0xC088 | TLS_ECDH_ECDSA_WITH_CAMELLIA_128_GCM_SHA256 | ECDH-ECDSA-CAMELLIA128-GCM-SHA256 | [RFC6367] |
| 0xC089 | TLS_ECDH_ECDSA_WITH_CAMELLIA_256_GCM_SHA384 | ECDH-ECDSA-CAMELLIA256-GCM-SHA384 | [RFC6367] |
| 0xC08A | TLS_ECDHE_RSA_WITH_CAMELLIA_128_GCM_SHA256 | ECDHE-CAMELLIA128-GCM-SHA256 | [RFC6367] |
| 0xC08B | TLS_ECDHE_RSA_WITH_CAMELLIA_256_GCM_SHA384 | ECDHE-CAMELLIA256-GCM-SHA384 | [RFC6367] |
| 0xC08C | TLS_ECDH_RSA_WITH_CAMELLIA_128_GCM_SHA256 | ECDH-CAMELLIA128-GCM-SHA256 | [RFC6367] |
| 0xC08D | TLS_ECDH_RSA_WITH_CAMELLIA_256_GCM_SHA384 | ECDH-CAMELLIA256-GCM-SHA384 | [RFC6367] |
| 0xC08E | TLS_PSK_WITH_CAMELLIA_128_GCM_SHA256 | PSK-CAMELLIA128-GCM-SHA256 | [RFC6367] |
| 0xC08F | TLS_PSK_WITH_CAMELLIA_256_GCM_SHA384 | PSK-CAMELLIA256-GCM-SHA384 | [RFC6367] |
| 0xC090 | TLS_DHE_PSK_WITH_CAMELLIA_128_GCM_SHA256 | DHE-PSK-CAMELLIA128-GCM-SHA256 | [RFC6367] |
| 0xC091 | TLS_DHE_PSK_WITH_CAMELLIA_256_GCM_SHA384 | DHE-PSK-CAMELLIA256-GCM-SHA384 | [RFC6367] |
| 0xC092 | TLS_RSA_PSK_WITH_CAMELLIA_128_GCM_SHA256 | RSA-PSK-CAMELLIA128-GCM-SHA256 | [RFC6367] |
| 0xC093 | TLS_RSA_PSK_WITH_CAMELLIA_256_GCM_SHA384 | RSA-PSK-CAMELLIA256-GCM-SHA384 | [RFC6367] |
| 0xC094 | TLS_PSK_WITH_CAMELLIA_128_CBC_SHA256 | PSK-CAMELLIA128-SHA256 | [RFC6367] |
| 0xC095 | TLS_PSK_WITH_CAMELLIA_256_CBC_SHA384 | PSK-CAMELLIA256-SHA384 | [RFC6367] |
| 0xC096 | TLS_DHE_PSK_WITH_CAMELLIA_128_CBC_SHA256 | DHE-PSK-CAMELLIA128-SHA256 | [RFC6367] |
| 0xC097 | TLS_DHE_PSK_WITH_CAMELLIA_256_CBC_SHA384 | DHE-PSK-CAMELLIA256-SHA384 | [RFC6367] |
| 0xC098 | TLS_RSA_PSK_WITH_CAMELLIA_128_CBC_SHA256 | RSA-PSK-CAMELLIA128-SHA256 | [RFC6367] |
| 0xC099 | TLS_RSA_PSK_WITH_CAMELLIA_256_CBC_SHA384 | RSA-PSK-CAMELLIA256-SHA384 | [RFC6367] |
| 0xC09A | TLS_ECDHE_PSK_WITH_CAMELLIA_128_CBC_SHA256 | ECDHE-PSK-CAMELLIA128-SHA256 | [RFC6367] |
| 0xC09B | TLS_ECDHE_PSK_WITH_CAMELLIA_256_CBC_SHA384 | ECDHE-PSK-CAMELLIA256-SHA384 | [RFC6367] |
| 0xC09C | TLS_RSA_WITH_AES_128_CCM | AES128-CCM | [RFC6655] |
| 0xC09D | TLS_RSA_WITH_AES_256_CCM | AES256-CCM | [RFC6655] |
| 0xC09E | TLS_DHE_RSA_WITH_AES_128_CCM | DHE-RSA-AES128-CCM | [RFC6655] |
| 0xC09F | TLS_DHE_RSA_WITH_AES_256_CCM | DHE-RSA-AES256-CCM | [RFC6655] |
| 0xC0A0 | TLS_RSA_WITH_AES_128_CCM_8 | AES128-CCM8 | [RFC6655] |
| 0xC0A1 | TLS_RSA_WITH_AES_256_CCM_8 | AES256-CCM8 | [RFC6655] |
| 0xC0A2 | TLS_DHE_RSA_WITH_AES_128_CCM_8 | DHE-RSA-AES128-CCM8 | [RFC6655] |
| 0xC0A3 | TLS_DHE_RSA_WITH_AES_256_CCM_8 | DHE-RSA-AES256-CCM8 | [RFC6655] |
| 0xC0A4 | TLS_PSK_WITH_AES_128_CCM | PSK-AES128-CCM | [RFC6655] |
| 0xC0A5 | TLS_PSK_WITH_AES_256_CCM | PSK-AES256-CCM | [RFC6655] |
| 0xC0A6 | TLS_DHE_PSK_WITH_AES_128_CCM | DHE-PSK-AES128-CCM | [RFC6655] |
| 0xC0A7 | TLS_DHE_PSK_WITH_AES_256_CCM | DHE-PSK-AES256-CCM | [RFC6655] |
| 0xC0A8 | TLS_PSK_WITH_AES_128_CCM_8 | PSK-AES128-CCM8 | [RFC6655] |
| 0xC0A9 | TLS_PSK_WITH_AES_256_CCM_8 | PSK-AES256-CCM8 | [RFC6655] |
| 0xC0AA | TLS_PSK_DHE_WITH_AES_128_CCM_8 | DHE-PSK-AES128-CCM8 | [RFC6655] |
| 0xC0AB | TLS_PSK_DHE_WITH_AES_256_CCM_8 | DHE-PSK-AES256-CCM8 | [RFC6655] |
| 0xC0AC | TLS_ECDHE_ECDSA_WITH_AES_128_CCM | ECDHE-ECDSA-AES128-CCM | [RFC7251] |
| 0xC0AD | TLS_ECDHE_ECDSA_WITH_AES_256_CCM | ECDHE-ECDSA-AES256-CCM | [RFC7251] |
| 0xC0AE | TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8 | ECDHE-ECDSA-AES128-CCM8 | [RFC7251] |
| 0xC0AF | TLS_ECDHE_ECDSA_WITH_AES_256_CCM_8 | ECDHE-ECDSA-AES256-CCM8 | [RFC7251] |
| 0xC100 | TLS_GOSTR341112_256_WITH_KUZNYECHIK_CTR_OMAC | GOST2012-KUZNYECHIK-KUZNYECHIKOMAC | [RFC9189] |
| 0xC101 | TLS_GOSTR341112_256_WITH_MAGMA_CTR_OMAC | GOST2012-MAGMA-MAGMAOMAC | [RFC9189] |
| 0xC102 | TLS_GOSTR341112_256_WITH_28147_CNT_IMIT | IANA-GOST2012-GOST8912-GOST8912 | [RFC9189] |
| 0xCC13 | | ECDHE-RSA-CHACHA20-POLY1305-OLD | |
| 0xCC14 | | ECDHE-ECDSA-CHACHA20-POLY1305-OLD | |
| 0xCC15 | | DHE-RSA-CHACHA20-POLY1305-OLD | |
| 0xCCA8 | TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 | ECDHE-RSA-CHACHA20-POLY1305 | [RFC7905] |
| 0xCCA9 | TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 | ECDHE-ECDSA-CHACHA20-POLY1305 | [RFC7905] |
| 0xCCAA | TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256 | DHE-RSA-CHACHA20-POLY1305 | [RFC7905] |
| 0xCCAB | TLS_PSK_WITH_CHACHA20_POLY1305_SHA256 | PSK-CHACHA20-POLY1305 | [RFC7905] |
| 0xCCAC | TLS_ECDHE_PSK_WITH_CHACHA20_POLY1305_SHA256 | ECDHE-PSK-CHACHA20-POLY1305 | [RFC7905] |
| 0xCCAD | TLS_DHE_PSK_WITH_CHACHA20_POLY1305_SHA256 | DHE-PSK-CHACHA20-POLY1305 | [RFC7905] |
| 0xCCAE | TLS_RSA_PSK_WITH_CHACHA20_POLY1305_SHA256 | RSA-PSK-CHACHA20-POLY1305 | [RFC7905] |
| 0xD001 | TLS_ECDHE_PSK_WITH_AES_128_GCM_SHA256 | ECDHE-PSK-AES128-GCM-SHA256 | [RFC8442] |
| 0xE011 | | ECDHE-ECDSA-SM4-CBC-SM3 | |
| 0xE051 | | ECDHE-ECDSA-SM4-GCM-SM3 | |
| 0xE052 | | ECDHE-ECDSA-SM4-CCM-SM3 | |
| 0xFF00 | | GOST-MD5 | |
| 0xFF01 | | GOST-GOST94 | |
| 0xFF02 | | GOST-GOST89MAC | |
| 0xFF03 | | GOST-GOST89STREAM | |

273
curl/docs/CIPHERS.md
Unescape Просмотреть файл

@ -0,0 +1,273 @@
<!--
Copyright (C) Daniel Stenberg, <daniel@haxx.se>, et al.
SPDX-License-Identifier: curl
-->
## curl cipher options
A TLS handshake involves many parameters which take part in the negotiation
between client and server in order to agree on the TLS version and set of
algorithms to use for a connection.
What has become known as a "cipher" or better "cipher suite" in TLS
are names for specific combinations of
[key exchange](https://en.wikipedia.org/wiki/Key_exchange),
[bulk encryption](https://en.wikipedia.org/wiki/Link_encryption),
[message authentication code](https://en.wikipedia.org/wiki/Message_authentication_code)
and with TLSv1.3 the
[authenticated encryption](https://en.wikipedia.org/wiki/Authenticated_encryption).
In addition, there are other parameters that influence the TLS handshake, like
[DHE](https://en.wikipedia.org/wiki/Diffie–Hellman_key_exchange) "groups" and
[ECDHE](https://en.wikipedia.org/wiki/Elliptic-curve_Diffie–Hellman) with its
"curves".
### History
curl's way of letting users configure these settings closely followed OpenSSL
in its API. TLS learned new parameters, OpenSSL added new API functions and
curl added command line options.
Several other TLS backends followed the OpenSSL approach, more or less closely,
and curl maps the command line options to these TLS backends. Some TLS
backends do not support all of it and command line options are either
ignored or lead to an error.
Many examples below show the OpenSSL-like use of these options. GnuTLS
however chose a different approach. These are described in a separate
section further below.
## ciphers, the OpenSSL way
With curl's option
[`--tls13-ciphers`](https://curl.se/docs/manpage.html#--tls13-ciphers)
or
[`CURLOPT_TLS13_CIPHERS`](https://curl.se/libcurl/c/CURLOPT_TLS13_CIPHERS.html)
users can control which cipher suites to consider when negotiating TLS 1.3
connections. With option
[`--ciphers`](https://curl.se/docs/manpage.html#--ciphers)
or
[`CURLOPT_SSL_CIPHER_LIST`](https://curl.se/libcurl/c/CURLOPT_SSL_CIPHER_LIST.html)
users can control which cipher suites to consider when negotiating
TLS 1.2 (1.1, 1.0) connections.
By default, curl may negotiate TLS 1.3 and TLS 1.2 connections, so the cipher
suites considered when negotiating a TLS connection are a union of the TLS 1.3
and TLS 1.2 cipher suites. If you want curl to consider only TLS 1.3 cipher
suites for the connection, you have to set the minimum TLS version to 1.3 by
using [`--tlsv1.3`](https://curl.se/docs/manpage.html#--tlsv13)
or [`CURLOPT_SSLVERSION`](https://curl.se/libcurl/c/CURLOPT_SSLVERSION.html)
with `CURL_SSLVERSION_TLSv1_3`.
Both the TLS 1.3 and TLS 1.2 cipher options expect a list of cipher suites
separated by colons (`:`). This list is parsed opportunistically, cipher suites
that are not recognized or implemented are ignored. As long as there is at
least one recognized cipher suite in the list, the list is considered valid.
For both the TLS 1.3 and TLS 1.2 cipher options, the order in which the
cipher suites are specified determine the preference of them. When negotiating
a TLS connection the server picks a cipher suite from the intersection of the
cipher suites supported by the server and the cipher suites sent by curl. If
the server is configured to honor the client's cipher preference, the first
common cipher suite in the list sent by curl is chosen.
### TLS 1.3 cipher suites
Setting TLS 1.3 cipher suites is supported by curl with
OpenSSL (1.1.1+, curl 7.61.0+), LibreSSL (3.4.1+, curl 8.3.0+),
wolfSSL (curl 8.10.0+) and mbedTLS (3.6.0+, curl 8.10.0+).
The list of cipher suites that can be used for the `--tls13-ciphers` option:
```
TLS_AES_128_GCM_SHA256
TLS_AES_256_GCM_SHA384
TLS_CHACHA20_POLY1305_SHA256
TLS_AES_128_CCM_SHA256
TLS_AES_128_CCM_8_SHA256
```
#### wolfSSL notes
In addition to above list the following cipher suites can be used:
`TLS_SM4_GCM_SM3` `TLS_SM4_CCM_SM3` `TLS_SHA256_SHA256` `TLS_SHA384_SHA384`.
Usage of these cipher suites is not recommended. (The last two cipher suites
are NULL ciphers, offering no encryption whatsoever.)
### TLS 1.2 (1.1, 1.0) cipher suites
Setting TLS 1.2 cipher suites is supported by curl with OpenSSL, LibreSSL,
BoringSSL, mbedTLS (curl 8.8.0+), wolfSSL (curl 7.53.0+),
Secure Transport (curl 7.77.0+) and BearSSL (curl 7.83.0+). Schannel does not
support setting cipher suites directly, but does support setting algorithms
(curl 7.61.0+), see Schannel notes below.
For TLS 1.2 cipher suites there are multiple naming schemes, the two most used
are with OpenSSL names (e.g. `ECDHE-RSA-AES128-GCM-SHA256`) and IANA names
(e.g. `TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256`). IANA names of TLS 1.2 cipher
suites look similar to TLS 1.3 cipher suite names, to distinguish them note
that TLS 1.2 names contain `_WITH_`, while TLS 1.3 names do not. When setting
TLS 1.2 cipher suites with curl it is recommended that you use OpenSSL names
as these are most widely recognized by the supported SSL backends.
The complete list of cipher suites that may be considered for the `--ciphers`
option is extensive, it consists of more than 300 ciphers suites. However,
nowadays for most of them their usage is discouraged, and support for a lot of
them have been removed from the various SSL backends, if ever implemented at
all.
A shortened list (based on [recommendations by
Mozilla](https://wiki.mozilla.org/Security/Server_Side_TLS)) of cipher suites,
which are (mostly) supported by all SSL backends, that can be used for the
`--ciphers` option:
```
ECDHE-ECDSA-AES128-GCM-SHA256
ECDHE-RSA-AES128-GCM-SHA256
ECDHE-ECDSA-AES256-GCM-SHA384
ECDHE-RSA-AES256-GCM-SHA384
ECDHE-ECDSA-CHACHA20-POLY1305
ECDHE-RSA-CHACHA20-POLY1305
DHE-RSA-AES128-GCM-SHA256
DHE-RSA-AES256-GCM-SHA384
DHE-RSA-CHACHA20-POLY1305
ECDHE-ECDSA-AES128-SHA256
ECDHE-RSA-AES128-SHA256
ECDHE-ECDSA-AES128-SHA
ECDHE-RSA-AES128-SHA
ECDHE-ECDSA-AES256-SHA384
ECDHE-RSA-AES256-SHA384
ECDHE-ECDSA-AES256-SHA
ECDHE-RSA-AES256-SHA
DHE-RSA-AES128-SHA256
DHE-RSA-AES256-SHA256
AES128-GCM-SHA256
AES256-GCM-SHA384
AES128-SHA256
AES256-SHA256
AES128-SHA
AES256-SHA
DES-CBC3-SHA
```
See this [list](https://github.com/curl/curl/blob/master/docs/CIPHERS-TLS12.md)
for a complete list of TLS 1.2 cipher suites.
#### OpenSSL notes
In addition to specifying a list of cipher suites, OpenSSL also accepts a
format with specific cipher strings (like `TLSv1.2`, `AESGCM`, `CHACHA20`) and
`!`, `-` and `+` operators. Refer to the
[OpenSSL cipher documentation](https://docs.openssl.org/master/man1/openssl-ciphers/#cipher-list-format)
for further information on that format.
#### Schannel notes
Schannel does not support setting individual TLS 1.2 cipher suites directly.
It only allows the enabling and disabling of encryption algorithms. These are
in the form of `CALG_xxx`, see the [Schannel `ALG_ID`
documentation](https://docs.microsoft.com/windows/desktop/SecCrypto/alg-id)
for a list of these algorithms. Also, (since curl 7.77.0)
`SCH_USE_STRONG_CRYPTO` can be given to pass that flag to Schannel, lookup the
[documentation for the Windows version in
use](https://learn.microsoft.com/en-us/windows/win32/secauthn/cipher-suites-in-schannel)
to see how that affects the cipher suite selection. When not specifying the
`--ciphers` and `--tls13-ciphers` options curl passes this flag by default.
### Examples
```sh
curl \
--tls13-ciphers TLS_AES_128_GCM_SHA256:TLS_CHACHA20_POLY1305_SHA256 \
--ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:\
ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305 \
https://example.com/
```
Restrict ciphers to `aes128-gcm` and `chacha20`. Works with OpenSSL, LibreSSL,
mbedTLS and wolfSSL.
```sh
curl \
--tlsv1.3 \
--tls13-ciphers TLS_AES_128_GCM_SHA256:TLS_CHACHA20_POLY1305_SHA256 \
https://example.com/
```
Restrict to only TLS 1.3 with `aes128-gcm` and `chacha20` ciphers. Works with
OpenSSL, LibreSSL, mbedTLS, wolfSSL and Schannel.
```sh
curl \
--ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:\
ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305 \
https://example.com/
```
Restrict TLS 1.2 ciphers to `aes128-gcm` and `chacha20`, use default TLS 1.3
ciphers (if TLS 1.3 is available). Works with OpenSSL, LibreSSL, BoringSSL,
mbedTLS, wolfSSL, Secure Transport and BearSSL.
## ciphers, the GnuTLS way
With GnuTLS, curl allows configuration of all TLS parameters via option
[`--ciphers`](https://curl.se/docs/manpage.html#--ciphers)
or
[`CURLOPT_SSL_CIPHER_LIST`](https://curl.se/libcurl/c/CURLOPT_SSL_CIPHER_LIST.html)
only. The option
[`--tls13-ciphers`](https://curl.se/docs/manpage.html#--tls13-ciphers)
or
[`CURLOPT_TLS13_CIPHERS`](https://curl.se/libcurl/c/CURLOPT_TLS13_CIPHERS.html)
is being ignored.
`--ciphers` is used to set the GnuTLS **priority string** in
the following way:
* When the set string starts with '+', '-' or '!' it is *appended* to the
priority string libcurl itself generates (separated by ':'). This initial
priority depends other settings such as CURLOPT_SSLVERSION(3),
CURLOPT_TLSAUTH_USERNAME(3) (for SRP) or if HTTP/3 (QUIC)
is being negotiated.
* Otherwise, the set string fully *replaces* the libcurl generated one. While
giving full control to the application, the set priority needs to
provide for everything the transfer may need to negotiate. Example: if
the set priority only allows TLSv1.2, all HTTP/3 attempts fail.
Users may specify via `--ciphers` anything that GnuTLS supports: ciphers,
key exchange, MAC, compression, TLS versions, signature algorithms, groups,
elliptic curves, certificate types. In addition, GnuTLS has a variety of
other keywords that tweak its operations. Applications or a system
may define new alias names for priority strings that can then be used here.
Since the order of items in priority strings is significant, it makes no
sense for curl to puzzle other ssl options somehow together. `--ciphers`
is the single way to change priority.
### Examples
```sh
curl \
--ciphers '-CIPHER_ALL:+AES-128-GCM:+CHACHA20-POLY1305' \
https://example.com/
```
Restrict ciphers to `aes128-gcm` and `chacha20` in GnuTLS.
```sh
curl \
--ciphers 'NORMAL:-VERS-ALL:+TLS1.3:-AES-256-GCM' \
https://example.com/
```
Restrict to only TLS 1.3 without the `aes256-gcm` cipher.
```sh
curl \
--ciphers 'NORMAL:-VERS-ALL:+TLS1.2:-CIPHER_ALL:+CAMELLIA-128-GCM' \
https://example.com/
```
Restrict to only TLS 1.2 with the `CAMELLIA-128-GCM` cipher.
## Further reading
- [OpenSSL cipher suite names documentation](https://docs.openssl.org/master/man1/openssl-ciphers/#cipher-suite-names)
- [wolfSSL cipher support documentation](https://www.wolfssl.com/documentation/manuals/wolfssl/chapter04.html#cipher-support)
- [mbedTLS cipher suites reference](https://mbed-tls.readthedocs.io/projects/api/en/development/api/file/ssl__ciphersuites_8h/)
- [Schannel cipher suites documentation](https://learn.microsoft.com/en-us/windows/win32/secauthn/cipher-suites-in-schannel)
- [BearSSL supported crypto](https://www.bearssl.org/support.html)
- [Secure Transport cipher suite values](https://developer.apple.com/documentation/security/1550981-ssl_cipher_suite_values)
- [IANA cipher suites list](https://www.iana.org/assignments/tls-parameters/tls-parameters.xhtml#tls-parameters-4)
- [Wikipedia cipher suite article](https://en.wikipedia.org/wiki/Cipher_suite)
- [GnuTLS Priority Strings](https://gnutls.org/manual/html_node/Priority-Strings.html)

38
curl/docs/CODE_OF_CONDUCT.md
Unescape Просмотреть файл

@ -0,0 +1,38 @@
<!--
Copyright (C) Daniel Stenberg, <daniel@haxx.se>, et al.
SPDX-License-Identifier: curl
-->
Contributor Code of Conduct
===========================
As contributors and maintainers of this project, we pledge to respect all
people who contribute through reporting issues, posting feature requests,
updating documentation, submitting pull requests or patches, and other
activities.
We are committed to making participation in this project a harassment-free
experience for everyone, regardless of level of experience, gender, gender
identity and expression, sexual orientation, disability, personal appearance,
body size, race, ethnicity, age, or religion.
Examples of unacceptable behavior by participants include the use of sexual
language or imagery, derogatory comments or personal attacks, trolling, public
or private harassment, insults, or other unprofessional conduct.
Project maintainers have the right and responsibility to remove, edit, or
reject comments, commits, code, wiki edits, issues, and other contributions
that are not aligned to this Code of Conduct. Project maintainers who do not
follow the Code of Conduct may be removed from the project team.
This code of conduct applies both within project spaces and in public spaces
when an individual is representing the project or its community.
Instances of abusive, harassing, or otherwise unacceptable behavior may be
reported by opening an issue or contacting one or more of the project
maintainers.
This Code of Conduct is adapted from the [Contributor
Covenant](https://contributor-covenant.org/), version 1.1.0, available at
[https://contributor-covenant.org/version/1/1/0/](https://contributor-covenant.org/version/1/1/0/)

174
curl/docs/CODE_REVIEW.md
Unescape Просмотреть файл

@ -0,0 +1,174 @@
<!--
Copyright (C) Daniel Stenberg, <daniel@haxx.se>, et al.
SPDX-License-Identifier: curl
-->
# How to do code reviews for curl
Anyone and everyone is encouraged and welcome to review code submissions in
curl. This is a guide on what to check for and how to perform a successful
code review.
## All submissions should get reviewed
All pull requests and patches submitted to the project should be reviewed by
at least one experienced curl maintainer before that code is accepted and
merged.
## Let the tools and tests take the first rounds
On initial pull requests, let the tools and tests do their job first and then
start out by helping the submitter understand the test failures and tool
alerts.
## How to provide feedback to author
Be nice. Ask questions. Provide examples or suggestions of improvements.
Assume the best intentions. Remember language barriers.
All first-time contributors can become regulars. Let's help them go there.
## Is this a change we want?
If this is not a change that seems to be aligned with the project's path
forward and as such cannot be accepted, inform the author about this sooner
rather than later. Do it gently and explain why and possibly what could be
done to make it more acceptable.
## API/ABI stability or changed behavior
Changing the API and the ABI may be fine in a change but it needs to be done
deliberately and carefully. If not, a reviewer must help the author to realize
the mistake.
curl and libcurl are similarly strict on not modifying existing behavior. API
and ABI stability is not enough, the behavior should also remain intact as far
as possible.
## Code style
Most code style nits are detected by checksrc but not all. Only leave remarks
on style deviation once checksrc does not find anymore.
Minor nits from fresh submitters can also be handled by the maintainer when
merging, in case it seems like the submitter is not clear on what to do. We
want to make the process fun and exciting for new contributors.
## Encourage consistency
Make sure new code is written in a similar style as existing code. Naming,
logic, conditions, etc.
## Are pointers always non-NULL?
If a function or code rely on pointers being non-NULL, take an extra look if
that seems to be a fair assessment.
## Asserts
Conditions that should never be false can be verified with `DEBUGASSERT()`
calls to get caught in tests and debugging easier, while not having an impact
on final or release builds.
## Memory allocation
Can the mallocs be avoided? Do not introduce mallocs in any hot paths. If
there are (new) mallocs, can they be combined into fewer calls?
Are all allocations handled in error paths to avoid leaks and crashes?
## Thread-safety
We do not like static variables as they break thread-safety and prevent
functions from being reentrant.
## Should features be `#ifdef`ed?
Features and functionality may not be present everywhere and should therefore
be `#ifdef`ed. Additionally, some features should be possible to switch on/off
in the build.
Write `#ifdef`s to be as little of a "maze" as possible.
## Does it look portable enough?
curl runs "everywhere". Does the code take a reasonable stance and enough
precautions to be possible to build and run on most platforms?
Remember that we live by C89 restrictions.
## Tests and testability
New features should be added in conjunction with one or more test cases.
Ideally, functions should also be written so that unit tests can be done to
test individual functions.
## Documentation
New features or changes to existing functionality **must** be accompanied by
updated documentation. Submitting that in a separate follow-up pull request is
not OK. A code review must also verify that the submitted documentation update
matches the code submission.
English is not everyone's first language, be mindful of this and help the
submitter improve the text if it needs a rewrite to read better.
## Code should not be hard to understand
Source code should be written to maximize readability and be easy to
understand.
## Functions should not be large
A single function should never be large as that makes it hard to follow and
understand all the exit points and state changes. Some existing functions in
curl certainly violate this ground rule but when reviewing new code we should
propose splitting into smaller functions.
## Duplication is evil
Anything that looks like duplicated code is a red flag. Anything that seems to
introduce code that we *should* already have or provide needs a closer check.
## Sensitive data
When credentials are involved, take an extra look at what happens with this
data. Where it comes from and where it goes.
## Variable types differ
`size_t` is not a fixed size. `time_t` can be signed or unsigned and have
different sizes. Relying on variable sizes is a red flag.
Also remember that endianness and >= 32-bit accesses to unaligned addresses
are problematic areas.
## Integer overflows
Be careful about integer overflows. Some variable types can be either 32-bit
or 64-bit. Integer overflows must be detected and acted on *before* they
happen.
## Dangerous use of functions
Maybe use of `realloc()` should rather use the dynbuf functions?
Do not allow new code that grows buffers without using dynbuf.
Use of C functions that rely on a terminating zero must only be used on data
that really do have a null-terminating zero.
## Dangerous "data styles"
Make extra precautions and verify that memory buffers that need a terminating
zero always have exactly that. Buffers *without* a null-terminator must not be
used as input to string functions.
# Commit messages
Tightly coupled with a code review is making sure that the commit message is
good. It is the responsibility of the person who merges the code to make sure
that the commit message follows our standard (detailed in the
[CONTRIBUTE](CONTRIBUTE.md) document). This includes making sure the PR
identifies related issues and giving credit to reporters and helpers.

307
curl/docs/CONTRIBUTE.md
Unescape Просмотреть файл

@ -0,0 +1,307 @@
<!--
Copyright (C) Daniel Stenberg, <daniel@haxx.se>, et al.
SPDX-License-Identifier: curl
-->
# Contributing to the curl project
This document is intended to offer guidelines on how to best contribute to the
curl project. This concerns new features as well as corrections to existing
flaws or bugs.
## Join the Community
Skip over to [https://curl.se/mail/](https://curl.se/mail/) and join
the appropriate mailing list(s). Read up on details before you post
questions. Read this file before you start sending patches. We prefer
questions sent to and discussions being held on the mailing list(s), not sent
to individuals.
Before posting to one of the curl mailing lists, please read up on the
[mailing list etiquette](https://curl.se/mail/etiquette.html).
We also hang out on IRC in #curl on libera.chat
If you are at all interested in the code side of things, consider clicking
'watch' on the [curl repository on GitHub](https://github.com/curl/curl) to be
notified of pull requests and new issues posted there.
## License and copyright
When contributing with code, you agree to put your changes and new code under
the same license curl and libcurl is already using unless stated and agreed
otherwise.
If you add a larger piece of code, you can opt to make that file or set of
files to use a different license as long as they do not enforce any changes to
the rest of the package and they make sense. Such "separate parts" can not be
GPL licensed (as we do not want copyleft to affect users of libcurl) but they
must use "GPL compatible" licenses (as we want to allow users to use libcurl
properly in GPL licensed environments).
When changing existing source code, you do not alter the copyright of the
original file(s). The copyright is still owned by the original creator(s) or
those who have been assigned copyright by the original author(s).
By submitting a patch to the curl project, you are assumed to have the right
to the code and to be allowed by your employer or whatever to hand over that
patch/code to us. We credit you for your changes as far as possible, to give
credit but also to keep a trace back to who made what changes. Please always
provide us with your full real name when contributing,
## What To Read
Source code, the man pages, the [INTERNALS
document](https://curl.se/dev/internals.html),
[TODO](https://curl.se/docs/todo.html),
[KNOWN_BUGS](https://curl.se/docs/knownbugs.html) and the [most recent
changes](https://curl.se/dev/sourceactivity.html) in git. Just lurking on the
[curl-library mailing list](https://curl.se/mail/list.cgi?list=curl-library)
gives you a lot of insights on what's going on right now. Asking there is a
good idea too.
## Write a good patch
### Follow code style
When writing C code, follow the
[CODE_STYLE](https://curl.se/dev/code-style.html) already established in
the project. Consistent style makes code easier to read and mistakes less
likely to happen. Run `make checksrc` before you submit anything, to make sure
you follow the basic style. That script does not verify everything, but if it
complains you know you have work to do.
### Non-clobbering All Over
When you write new functionality or fix bugs, it is important that you do not
fiddle all over the source files and functions. Remember that it is likely
that other people have done changes in the same source files as you have and
possibly even in the same functions. If you bring completely new
functionality, try writing it in a new source file. If you fix bugs, try to
fix one bug at a time and send them as separate patches.
### Write Separate Changes
It is annoying when you get a huge patch from someone that is said to fix 11
odd problems, but discussions and opinions do not agree with 10 of them - or 9
of them were already fixed in a different way. Then the person merging this
change needs to extract the single interesting patch from somewhere within the
huge pile of source, and that creates a lot of extra work.
Preferably, each fix that corrects a problem should be in its own patch/commit
with its own description/commit message stating exactly what they correct so
that all changes can be selectively applied by the maintainer or other
interested parties.
Also, separate changes enable bisecting much better for tracking problems
and regression in the future.
### Patch Against Recent Sources
Please try to get the latest available sources to make your patches against.
It makes the lives of the developers so much easier. The best is if you get
the most up-to-date sources from the git repository, but the latest release
archive is quite OK as well.
### Documentation
Writing docs is dead boring and one of the big problems with many open source
projects but someone's gotta do it. It makes things a lot easier if you submit
a small description of your fix or your new features with every contribution
so that it can be swiftly added to the package documentation.
Documentation is mostly provided as manpages or plain ASCII files. The
manpages are rendered from their source files that are usually written using
markdown. Most HTML files on the website and in the release archives are
generated from corresponding markdown and ASCII files.
### Test Cases
Since the introduction of the test suite, we can quickly verify that the main
features are working as they are supposed to. To maintain this situation and
improve it, all new features and functions that are added need to be tested in
the test suite. Every feature that is added should get at least one valid test
case that verifies that it works as documented. If every submitter also posts
a few test cases, it does not end up a heavy burden on a single person.
If you do not have test cases or perhaps you have done something that is hard
to write tests for, do explain exactly how you have otherwise tested and
verified your changes.
# Submit Your Changes
## Get your changes merged
Ideally you file a [pull request on
GitHub](https://github.com/curl/curl/pulls), but you can also send your plain
patch to [the curl-library mailing
list](https://curl.se/mail/list.cgi?list=curl-library).
If you opt to post a patch on the mailing list, chances are someone converts
it into a pull request for you, to have the CI jobs verify it proper before it
can be merged. Be prepared that some feedback on the proposed change might
then come on GitHub.
Your changes be reviewed and discussed and you are expected to correct flaws
pointed out and update accordingly, or the change risks stalling and
eventually just getting deleted without action. As a submitter of a change,
you are the owner of that change until it has been merged.
Respond on the list or on GitHub about the change and answer questions and/or
fix nits/flaws. This is important. We take lack of replies as a sign that you
are not anxious to get your patch accepted and we tend to simply drop such
changes.
## About pull requests
With GitHub it is easy to send a [pull
request](https://github.com/curl/curl/pulls) to the curl project to have
changes merged.
We strongly prefer pull requests to mailed patches, as it makes it a proper
git commit that is easy to merge and they are easy to track and not that easy
to lose in the flood of many emails, like they sometimes do on the mailing
lists.
Every pull request submitted is automatically tested in several different
ways. [See the CI document for more
information](https://github.com/curl/curl/blob/master/tests/CI.md).
Sometimes the tests fail due to a dependency service temporarily being offline
or otherwise unavailable, e.g. package downloads. In this case you can just
try to update your pull requests to rerun the tests later as described below.
You can update your pull requests by pushing new commits or force-pushing
changes to existing commits. Force-pushing an amended commit without any
actual content changed also allows you to retrigger the tests for that commit.
When you adjust your pull requests after review, consider squashing the
commits so that we can review the full updated version more easily.
A pull request sent to the project might get labeled `needs-votes` by a
project maintainer. This label means that in addition to meeting all other
checks and qualifications this pull request must also receive more "votes" of
user support. More signs that people want this to happen. It could be in the
form of messages saying so, or thumbs-up reactions on GitHub.
## When the pull request is approved
If it does not seem to get approved when you think it is ready - feel free to
ask for approval.
Once your pull request has been approved it can be merged by a maintainer.
For new features, or changes, we require that the *feature window* is open for
the pull request to be merged. This is typically a three week period that
starts ten days after a previous release. New features submitted as pull
requests while the window is closed simply have to wait until it opens to get
merged.
If time passes without your approved pull request gets merged: feel free to
ask what more you can do to make it happen.
## Making quality changes
Make the patch against as recent source versions as possible.
If you have followed the tips in this document and your patch still has not
been incorporated or responded to after some weeks, consider resubmitting it
to the list or better yet: change it to a pull request.
## Commit messages
How to write git commit messages in the curl project.
---- start ----
[area]: [short line describing the main effect]
-- empty line --
[full description, no wider than 72 columns that describes as much as
possible as to why this change is made, and possibly what things
it fixes and everything else that is related,
-- end --
The first line is a succinct description of the change and should ideally work
as a single line in the RELEASE NOTES.
- use the imperative, present tense: **change** not "changed" nor "changes"
- do not capitalize the first letter
- no period (.) at the end
The `[area]` in the first line can be `http2`, `cookies`, `openssl` or
similar. There is no fixed list to select from but using the same "area" as
other related changes could make sense.
## Commit message keywords
Use the following ways to improve the message and provide pointers to related
work.
- `Follow-up to {shorthash}` - if this fixes or continues a previous commit;
add a `Ref:` that commit's PR or issue if it is not a small, obvious fix;
followed by an empty line
- `Bug: URL` to the source of the report or more related discussion; use
`Fixes` for GitHub issues instead when that is appropriate.
- `Approved-by: John Doe` - credit someone who approved the PR.
- `Authored-by: John Doe` - credit the original author of the code; only use
this if you cannot use `git commit --author=...`.
- `Signed-off-by: John Doe` - we do not use this, but do not bother removing
it.
- `whatever-else-by:` credit all helpers, finders, doers; try to use one of
the following keywords if at all possible, for consistency: `Acked-by:`,
`Assisted-by:`, `Co-authored-by:`, `Found-by:`, `Reported-by:`,
`Reviewed-by:`, `Suggested-by:`, `Tested-by:`.
- `Ref: #1234` - if this is related to a GitHub issue or PR, possibly one that
has already been closed.
- `Ref: URL` to more information about the commit; use `Bug:` instead for a
reference to a bug on another bug tracker]
- `Fixes #1234` - if this fixes a GitHub issue; GitHub closes the issue once
this commit is merged.
- `Closes #1234` - if this merges a GitHub PR; GitHub closes the PR once this
commit is merged.
Do not forget to use commit with `--author` if you commit someone else's work,
and make sure that you have your own user and email setup correctly in git
before you commit.
Add whichever header lines as appropriate, with one line per person if more
than one person was involved. There is no need to credit yourself unless you
are using `--author` which hides your identity. Do not include people's email
addresses in headers to avoid spam, unless they are already public from a
previous commit; saying `{userid} on github` is OK.
## Push Access
If you are a frequent contributor, you may be given push access to the git
repository and then you are able to push your changes straight into the git
repository instead of sending changes as pull requests or by mail as patches.
Just ask if this is what you would want. You are required to have posted
several high quality patches first, before you can be granted push access.
## Useful resources
- [Webinar on getting code into cURL](https://www.youtube.com/watch?v=QmZ3W1d6LQI)
# Update copyright and license information
There is a CI job called **REUSE compliance / check** that runs on every pull
request and commit to verify that the *REUSE state* of all files are still
fine.
This means that all files need to have their license and copyright information
clearly stated. Ideally by having the standard curl source code header, with
the `SPDX-License-Identifier` included. If the header does not work, you can
use a smaller header or add the information for a specific file to the
`REUSE.toml` file.
You can manually verify the copyright and compliance status by running the
[REUSE helper tool](https://github.com/fsfe/reuse-tool): `reuse lint`

191
curl/docs/CURL-DISABLE.md
Unescape Просмотреть файл

@ -0,0 +1,191 @@
<!--
Copyright (C) Daniel Stenberg, <daniel@haxx.se>, et al.
SPDX-License-Identifier: curl
-->
# Code defines to disable features and protocols
## `CURL_DISABLE_ALTSVC`
Disable support for Alt-Svc: HTTP headers.
## `CURL_DISABLE_BINDLOCAL`
Disable support for binding the local end of connections.
## `CURL_DISABLE_COOKIES`
Disable support for HTTP cookies.
## `CURL_DISABLE_BASIC_AUTH`
Disable support for the Basic authentication methods.
## `CURL_DISABLE_BEARER_AUTH`
Disable support for the Bearer authentication methods.
## `CURL_DISABLE_DIGEST_AUTH`
Disable support for the Digest authentication methods.
## `CURL_DISABLE_KERBEROS_AUTH`
Disable support for the Kerberos authentication methods.
## `CURL_DISABLE_NEGOTIATE_AUTH`
Disable support for the negotiate authentication methods.
## `CURL_DISABLE_AWS`
Disable **aws-sigv4** support.
## `CURL_DISABLE_CA_SEARCH`
Disable unsafe CA bundle search in PATH on Windows.
## `CURL_DISABLE_DICT`
Disable the DICT protocol
## `CURL_DISABLE_DOH`
Disable DNS-over-HTTPS
## `CURL_DISABLE_FILE`
Disable the FILE protocol
## `CURL_DISABLE_FORM_API`
Disable the form API
## `CURL_DISABLE_FTP`
Disable the FTP (and FTPS) protocol
## `CURL_DISABLE_GETOPTIONS`
Disable the `curl_easy_options` API calls that lets users get information
about existing options to `curl_easy_setopt`.
## `CURL_DISABLE_GOPHER`
Disable the GOPHER protocol.
## `CURL_DISABLE_HEADERS_API`
Disable the HTTP header API.
## `CURL_DISABLE_HSTS`
Disable the HTTP Strict Transport Security support.
## `CURL_DISABLE_HTTP`
Disable the HTTP(S) protocols. Note that this then also disable HTTP proxy
support.
## `CURL_DISABLE_HTTP_AUTH`
Disable support for all HTTP authentication methods.
## `CURL_DISABLE_IMAP`
Disable the IMAP(S) protocols.
## `CURL_DISABLE_LDAP`
Disable the LDAP(S) protocols.
## `CURL_DISABLE_LDAPS`
Disable the LDAPS protocol.
## `CURL_DISABLE_LIBCURL_OPTION`
Disable the --libcurl option from the curl tool.
## `CURL_DISABLE_MIME`
Disable MIME support.
## `CURL_DISABLE_MQTT`
Disable MQTT support.
## `CURL_DISABLE_NETRC`
Disable the netrc parser.
## `CURL_DISABLE_NTLM`
Disable support for NTLM.
## `CURL_DISABLE_OPENSSL_AUTO_LOAD_CONFIG`
Disable the auto load config support in the OpenSSL backend.
## `CURL_DISABLE_PARSEDATE`
Disable date parsing
## `CURL_DISABLE_POP3`
Disable the POP3 protocol
## `CURL_DISABLE_PROGRESS_METER`
Disable the built-in progress meter
## `CURL_DISABLE_PROXY`
Disable support for proxies
## `CURL_DISABLE_IPFS`
Disable the IPFS/IPNS protocols. This affects the curl tool only, where
IPFS/IPNS protocol support is implemented.
## `CURL_DISABLE_RTSP`
Disable the RTSP protocol.
## `CURL_DISABLE_SHA512_256`
Disable the SHA-512/256 hash algorithm.
## `CURL_DISABLE_SHUFFLE_DNS`
Disable the shuffle DNS feature
## `CURL_DISABLE_SMB`
Disable the SMB(S) protocols
## `CURL_DISABLE_SMTP`
Disable the SMTP(S) protocols
## `CURL_DISABLE_SOCKETPAIR`
Disable the use of `socketpair()` internally to allow waking up and canceling
`curl_multi_poll()`.
## `CURL_DISABLE_TELNET`
Disable the TELNET protocol
## `CURL_DISABLE_TFTP`
Disable the TFTP protocol
## `CURL_DISABLE_VERBOSE_STRINGS`
Disable verbose strings and error messages.
## `CURL_DISABLE_WEBSOCKETS`
Disable the WebSocket protocols.

168
curl/docs/CURLDOWN.md
Unescape Просмотреть файл

@ -0,0 +1,168 @@
<!--
Copyright (C) Daniel Stenberg, <daniel@haxx.se>, et al.
SPDX-License-Identifier: curl
-->
# curldown
A markdown-like syntax for libcurl man pages.
## Purpose
A text format for writing libcurl documentation in the shape of man pages.
Make it easier for users to contribute and write documentation. A format that
is easier on the eye in its source format.
Make it harder to do syntactical mistakes.
Use a format that allows creating man pages that end up looking exactly like
the man pages did when we wrote them in nroff format.
Take advantage of the fact that people these days are accustomed to markdown
by using a markdown-like syntax.
This allows us to fix issues in the nroff format easier since now we generate
them. For example: escaping minus to prevent them from being turned into
Unicode by man.
Generate nroff output that looks (next to) *identical* to the previous files,
so that the look, existing test cases, HTML conversions, existing
infrastructure etc remain mostly intact.
Contains meta-data in a structured way to allow better output (for example the
see also information) and general awareness of what the file is about.
## File extension
Since curldown looks similar to markdown, we use `.md` extensions on the
files.
## Conversion
Convert **from curldown to nroff** with `cd2nroff`. Generates nroff man pages.
Convert **from nroff to curldown** with `nroff2cd`. This is only meant to be
used for the initial conversion to curldown and should ideally never be needed
again.
Convert, check or clean up an existing curldown to nicer, better, cleaner
curldown with **cd2cd**.
Mass-convert all curldown files to nroff in specified directories with
`cdall`:
cdall [dir1] [dir2] [dir3] ..
## Known issues
The `cd2nroff` tool does not yet handle *italics* or **bold** where the start
and the end markers are used on separate lines.
The `nroff2cd` tool generates code style quotes for all `.fi` sections since
the nroff format does not carry a distinction.
# Format
Each curldown starts with a header with meta-data:
---
c: Copyright (C) Daniel Stenberg, <daniel@haxx.se>, et al.
SPDX-License-Identifier: curl
Title: CURLOPT_AWS_SIGV4
Section: 3
Source: libcurl
Protocol:
- HTTP
See-also:
- CURLOPT_HEADEROPT (3)
- CURLOPT_HTTPAUTH (3)
TLS-backend:
- [name]
Added-in: [version or "n/a"]
---
All curldown files *must* have all the headers present and at least one
`See-also:` entry specified.
If the man page is for section 3 (library related). The `Protocol` list must
contain at least one protocol, which can be `*` if the option is virtually for
everything. If `*` is used, it must be the only listed protocol. Recognized
protocols are either URL schemes (in uppercase), `TLS` or `TCP`.
If the `Protocol` list contains `TLS`, then there must also be a `TLS-backend`
list, specifying `All` or a list of what TLS backends that work with this
option. The available TLS backends are:
- `BearSSL`
- `GnuTLS`
- `mbedTLS`
- `OpenSSL` (also covers BoringSSL, LibreSSL, quictls, AWS-LC and AmiSSL)
- `rustls`
- `Schannel`
- `Secure Transport`
- `wolfSSL`
- `All`: all TLS backends
Following the header in the file, is the manual page using markdown-like
syntax:
~~~
# NAME
a page - this is a page descriving something
# SYNOPSIS
~~~c
#include <curl/curl.h>
CURLcode curl_easy_setopt(CURL *handle, CURLOPT_AWS_SIGV4, char *param);
~~~
~~~
Quoted source code should start with `~~~c` and end with `~~~` while regular
quotes can start with `~~~` or just be indented with 4 spaces.
Headers at top-level `#` get converted to `.SH`.
`nroff2cd` supports the `##` next level header which gets converted to `.IP`.
Write bold words or phrases within `**` like:
This is a **bold** word.
Write italics like:
This is *italics*.
Due to how man pages do not support backticks especially formatted, such
occurrences in the source are instead just using italics in the generated
output:
This `word` appears in italics.
When generating the nroff output, the tooling removes superfluous newlines,
meaning they can be used freely in the source file to make the text more
readable.
To make sure curldown documents render correctly as markdown, all literal
occurrences of `<` or `>` need to be escaped by a leading backslash.
## Generating contents
`# %PROTOCOLS%` - inserts a **PROTOCOLS** section based on the metadata
provided in the header.
`# %AVAILABILITY%` - inserts an **AVAILABILITY** section based on the metadata
provided in the header.
## Symbols
All mentioned curl symbols that have their own man pages, like
`curl_easy_perform(3)` are automatically rendered using italics in the output
without having to enclose it with asterisks. This helps ensuring that they get
converted to links properly later in the HTML version on the website, as
converted with `roffit`. This makes the curldown text easier to read even when
mentioning many curl symbols.
This auto-linking works for patterns matching `(lib|)curl[^ ]*(3)`.

59
curl/docs/DEPRECATE.md
Unescape Просмотреть файл

@ -0,0 +1,59 @@
<!--
Copyright (C) Daniel Stenberg, <daniel@haxx.se>, et al.
SPDX-License-Identifier: curl
-->
# Items to be removed from future curl releases
If any of these deprecated features is a cause for concern for you, please
email the
[curl-library mailing list](https://lists.haxx.se/listinfo/curl-library)
as soon as possible and explain to us why this is a problem for you and
how your use case cannot be satisfied properly using a workaround.
## TLS libraries without 1.3 support
curl drops support for TLS libraries without TLS 1.3 capability after May
2025.
It requires that a curl build using the library should be able to negotiate
and use TLS 1.3, or else it is not good enough.
As of May 2024, the libraries that need to get fixed to remain supported after
May 2025 are: BearSSL and Secure Transport.
## msh3 support
The msh3 backed for QUIC and HTTP/3 was introduced in April 2022 but has never
been made to work properly. It has seen no visible traction or developer
activity from the msh3 main author (or anyone else seemingly interested) in
two years. As a non-functional backend, it only adds friction and "weight" to
the development and maintenance.
Meanwhile, we have a fully working backend in the ngtcp2 one and we have two
fully working backends in OpenSSL-QUIC and quiche well on their way of ending
their experimental status in a future.
We remove msh3 support from the curl source tree in July 2025.
## winbuild build system
curl drops support for the winbuild build method after September 2025.
We recommend migrating to CMake. See the migration guide in
`docs/INSTALL-CMAKE.md`.
## Past removals
- Pipelining
- axTLS
- PolarSSL
- NPN
- Support for systems without 64-bit data types
- NSS
- gskit
- MinGW v1
- NTLM_WB
- space-separated `NOPROXY` patterns
- hyper

286
curl/docs/DISTROS.md
Unescape Просмотреть файл

@ -0,0 +1,286 @@
<!--
Copyright (C) Daniel Stenberg, <daniel@haxx.se>, et al.
SPDX-License-Identifier: curl
-->
# curl distros
<!-- markdown-link-check-disable -->
Lots of organizations distribute curl packages to end users. This is a
collection of pointers to where to learn more about curl on and with each
distro. Those marked *Rolling Release* typically run the latest version of curl
and are therefore less likely to have back-ported patches to older versions.
We discuss curl distro issues, patches and collaboration on the [curl-distros
mailing list](https://lists.haxx.se/listinfo/curl-distros) ([list
archives](https://curl.se/mail/list.cgi?list=curl-distros)).
## AlmaLinux
- curl package source and patches: https://git.almalinux.org/rpms/curl/
- curl issues: https://bugs.almalinux.org/view_all_bug_page.php click Category and choose curl
- curl security: https://errata.almalinux.org/ search for curl
## Alpine Linux
- curl: https://pkgs.alpinelinux.org/package/edge/main/x86_64/curl
- curl issues: https://gitlab.alpinelinux.org/alpine/aports/-/issues
- curl security: https://security.alpinelinux.org/srcpkg/curl
- curl package source and patches: https://gitlab.alpinelinux.org/alpine/aports/-/tree/master/main/curl
## Alt Linux
- curl: http://www.sisyphus.ru/srpm/Sisyphus/curl
- curl issues: https://packages.altlinux.org/en/sisyphus/srpms/curl/issues/
- curl patches: https://git.altlinux.org/gears/c/curl.git?p=curl.git;a=tree;f=.gear
## Arch Linux
*Rolling Release*
- curl: https://archlinux.org/packages/core/x86_64/curl/
- curl issues: https://gitlab.archlinux.org/archlinux/packaging/packages/curl/-/issues
- curl security: https://security.archlinux.org/package/curl
- curl wiki: https://wiki.archlinux.org/title/CURL
## Buildroot
*Rolling Release*
- curl package source and patches: https://git.buildroot.net/buildroot/tree/package/libcurl
- curl issues: https://bugs.buildroot.org/buglist.cgi?quicksearch=curl
## Chimera
- curl package source and patches: https://github.com/chimera-linux/cports/tree/master/main/curl
## Clear Linux
*Rolling Release*
- curl: https://github.com/clearlinux-pkgs/curl
- curl issues: https://github.com/clearlinux/distribution/issues
## Conary
- curl: https://github.com/conan-io/conan-center-index/tree/master/recipes/libcurl
- curl issues: https://github.com/conan-io/conan-center-index/issues
- curl patches: https://github.com/conan-io/conan-center-index/tree/master/recipes/libcurl (in `all/patches/*`, if any)
## conda-forge
- curl: https://github.com/conda-forge/curl-feedstock
- curl issues: https://github.com/conda-forge/curl-feedstock/issues
## CRUX
- curl: https://crux.nu/portdb/?a=search&q=curl
- curl issues: https://git.crux.nu/ports/core/issues/?type=all&state=open&q=curl
## curl-for-win
(this is the official curl binaries for Windows shipped by the curl project)
*Rolling Release*
- curl: https://curl.se/windows/
- curl patches: https://github.com/curl/curl-for-win/blob/main/curl.patch (if any)
- build-specific issues: https://github.com/curl/curl-for-win/issues
Issues and patches for this are managed in the main curl project.
## Cygwin
- curl: https://cygwin.com/cgit/cygwin-packages/curl/tree/curl.cygport
- curl patches: https://cygwin.com/cgit/cygwin-packages/curl/tree
- curl issues: https://inbox.sourceware.org/cygwin/?q=s%3Acurl
## Cygwin (cross mingw64)
- mingw64-x86_64-curl: https://cygwin.com/cgit/cygwin-packages/mingw64-x86_64-curl/tree/mingw64-x86_64-curl.cygport
- mingw64-x86_64-curl patches: https://cygwin.com/cgit/cygwin-packages/mingw64-x86_64-curl/tree
- mingw64-x86_64-curl issues: https://inbox.sourceware.org/cygwin/?q=s%3Amingw64-x86_64-curl
## Debian
- curl: https://tracker.debian.org/pkg/curl
- curl issues: https://bugs.debian.org/cgi-bin/pkgreport.cgi?pkg=curl
- curl patches: https://udd.debian.org/patches.cgi?src=curl
- curl patches: https://salsa.debian.org/debian/curl (in debian/* branches, inside the folder debian/patches)
## Fedora
- curl: https://src.fedoraproject.org/rpms/curl
- curl issues: [bugzilla](https://bugzilla.redhat.com/buglist.cgi?bug_status=NEW&bug_status=ASSIGNED&classification=Fedora&product=Fedora&product=Fedora%20EPEL&component=curl)
- curl patches: [list of patches in package git](https://src.fedoraproject.org/rpms/curl/tree/rawhide)
## FreeBSD
- curl: https://cgit.freebsd.org/ports/tree/ftp/curl
- curl patches: https://cgit.freebsd.org/ports/tree/ftp/curl
- curl issues: https://bugs.freebsd.org/bugzilla/buglist.cgi?bug_status=__open__&order=Importance&product=Ports%20%26%20Packages&query_format=advanced&short_desc=curl&short_desc_type=allwordssubstr
## Gentoo Linux
*Rolling Release*
- curl: https://packages.gentoo.org/packages/net-misc/curl
- curl issues: https://bugs.gentoo.org/buglist.cgi?quicksearch=net-misc/curl
- curl package sources and patches: https://gitweb.gentoo.org/repo/gentoo.git/tree/net-misc/curl/
## GNU Guix
*Rolling Release*
- curl: https://git.savannah.gnu.org/gitweb/?p=guix.git;a=blob;f=gnu/packages/curl.scm;hb=HEAD
- curl issues: https://issues.guix.gnu.org/search?query=curl
## Homebrew
*Rolling Release*
- curl: https://formulae.brew.sh/formula/curl
Homebrew's policy is that all patches and issues should be submitted upstream
unless it is specific to Homebrew's way of packaging software.
## MacPorts
*Rolling Release*
- curl: https://github.com/macports/macports-ports/tree/master/net/curl
- curl issues: https://trac.macports.org/query?0_port=curl&0_port_mode=%7E&0_status=%21closed
- curl patches: https://github.com/macports/macports-ports/tree/master/net/curl/files
## Mageia
- curl: https://svnweb.mageia.org/packages/cauldron/curl/current/SPECS/curl.spec?view=markup
- curl issues: https://bugs.mageia.org/buglist.cgi?bug_status=NEW&bug_status=UNCONFIRMED&bug_status=NEEDINFO&bug_status=UPSTREAM&bug_status=ASSIGNED&component=RPM%20Packages&f1=cf_rpmpkg&list_id=176576&o1=casesubstring&product=Mageia&query_format=advanced&v1=curl
- curl patches: https://svnweb.mageia.org/packages/cauldron/curl/current/SOURCES/
- curl patches in stable distro releases: https://svnweb.mageia.org/packages/updates/<STABLE_VERSION>/curl/current/SOURCES/
- curl security: https://advisories.mageia.org/src_curl.html
## MSYS2
*Rolling Release*
- curl: https://github.com/msys2/MSYS2-packages/tree/master/curl
- curl issues: https://github.com/msys2/MSYS2-packages/issues
- curl patches: https://github.com/msys2/MSYS2-packages/tree/master/curl (`*.patch`)
## MSYS2 (mingw-w64)
*Rolling Release*
- curl: https://github.com/msys2/MINGW-packages/tree/master/mingw-w64-curl
- curl issues: https://github.com/msys2/MINGW-packages/issues
- curl patches: https://github.com/msys2/MINGW-packages/tree/master/mingw-w64-curl (`*.patch`)
## Muldersoft
*Rolling Release*
- curl: https://github.com/lordmulder/cURL-build-win32
- curl issues: https://github.com/lordmulder/cURL-build-win32/issues
- curl patches: https://github.com/lordmulder/cURL-build-win32/tree/master/patch
## NixOS
- curl: https://github.com/NixOS/nixpkgs/blob/master/pkgs/tools/networking/curl/default.nix
- curl issues: https://github.com/NixOS/nixpkgs
nixpkgs is the package repository used by the NixOS Linux distribution, but
can also be used on other distributions
## OmniOS
- curl: https://github.com/omniosorg/omnios-build/tree/master/build/curl
- curl issues: https://github.com/omniosorg/omnios-build/issues
- curl patches: https://github.com/omniosorg/omnios-build/tree/master/build/curl/patches
## OpenIndiana
- curl: https://github.com/OpenIndiana/oi-userland/tree/oi/hipster/components/web/curl
- curl issues: https://www.illumos.org/projects/openindiana/issues
- curl patches: https://github.com/OpenIndiana/oi-userland/tree/oi/hipster/components/web/curl/patches
## OpenSUSE
- curl source and patches: https://build.opensuse.org/package/show/openSUSE%3AFactory/curl
## Oracle Solaris
- curl: https://github.com/oracle/solaris-userland/tree/master/components/curl
- curl issues: https://support.oracle.com/ (requires support contract)
- curl patches: https://github.com/oracle/solaris-userland/tree/master/components/curl/patches
## OpenEmbedded / Yocto Project
*Rolling Release*
- curl: https://layers.openembedded.org/layerindex/recipe/5765/
- curl issues: https://bugzilla.yoctoproject.org/
- curl patches: https://git.openembedded.org/openembedded-core/tree/meta/recipes-support/curl
## PLD Linux
- curl package source and patches: https://github.com/pld-linux/curl
- curl issues: https://bugs.launchpad.net/pld-linux?field.searchtext=curl&search=Search&field.status%3Alist=NEW&field.status%3Alist=INCOMPLETE_WITH_RESPONSE&field.status%3Alist=INCOMPLETE_WITHOUT_RESPONSE&field.status%3Alist=CONFIRMED&field.status%3Alist=TRIAGED&field.status%3Alist=INPROGRESS&field.status%3Alist=FIXCOMMITTED&field.assignee=&field.bug_reporter=&field.omit_dupes=on&field.has_patch=&field.has_no_package=
## pkgsrc
- curl: https://github.com/NetBSD/pkgsrc/tree/trunk/www/curl
- curl issues: https://github.com/NetBSD/pkgsrc/issues
- curl patches: https://github.com/NetBSD/pkgsrc/tree/trunk/www/curl/patches
## Red Hat Enterprise Linux / CentOS Stream
- curl: https://kojihub.stream.centos.org/koji/packageinfo?packageID=217
- curl issues: https://issues.redhat.com/secure/CreateIssueDetails!init.jspa?pid=12332745&issuetype=1&components=12377466&priority=10300
- curl patches: https://gitlab.com/redhat/centos-stream/rpms/curl
## Rocky Linux
- curl: https://git.rockylinux.org/staging/rpms/curl/-/blob/r9/SPECS/curl.spec
- curl issues: https://bugs.rockylinux.org
- curl patches: https://git.rockylinux.org/staging/rpms/curl/-/tree/r9/SOURCES
## SerenityOS
- curl: https://github.com/SerenityOS/serenity/tree/master/Ports/curl
- curl issues: https://github.com/SerenityOS/serenity/issues?q=label%3Aports
- curl patches: https://github.com/SerenityOS/serenity/tree/master/Ports/curl/patches
## SmartOS
- curl: https://github.com/TritonDataCenter/illumos-extra/tree/master/curl
- curl issues: https://github.com/TritonDataCenter/illumos-extra/issues
- curl patches: https://github.com/TritonDataCenter/illumos-extra/tree/master/curl/Patches
## SPACK
- curl package source and patches: https://github.com/spack/spack/tree/develop/var/spack/repos/builtin/packages/curl
## vcpkg
*Rolling Release*
- curl: https://github.com/microsoft/vcpkg/tree/master/ports/curl
- curl issues: https://github.com/microsoft/vcpkg/issues
- curl patches: https://github.com/microsoft/vcpkg/tree/master/ports/curl (`*.patch`)
## Void Linux
*Rolling Release*
- curl: https://github.com/void-linux/void-packages/tree/master/srcpkgs/curl
- curl issues: https://github.com/void-linux/void-packages/issues
- curl patches: https://github.com/void-linux/void-packages/tree/master/srcpkgs/curl/patches
## Wolfi
*Rolling Release*
- curl: https://github.com/wolfi-dev/os/blob/main/curl.yaml

73
curl/docs/EARLY-RELEASE.md
Unescape Просмотреть файл

@ -0,0 +1,73 @@
<!--
Copyright (C) Daniel Stenberg, <daniel@haxx.se>, et al.
SPDX-License-Identifier: curl
-->
# How to determine if an early patch release is warranted
In the curl project we do releases every 8 weeks. Unless we break the cycle
and do an early patch release.
We do frequent releases partly to always have the next release "not too far
away".
## Bugfix
During the release cycle, and especially in the beginning of a new cycle (the
so-called "cool down" period), there are times when a bug is reported and
after it has been subsequently fixed correctly, the question might be asked:
is this bug and associated fix important enough for an early patch release?
The question can only be properly asked when a fix has been created and landed
in the git master branch.
## Early release
An early patch release means that we ship a new, complete and full release
called `major.minor.patch` where the `patch` part is increased by one since
the previous release. A curl release is a curl release. There is no small or
big and we never release just a patch. There is only "release".
## Questions to ask
- Is there a security advisory rated high or critical?
- Is there a data corruption bug?
- Did the bug cause an API/ABI breakage?
- Does the problem annoy a significant share of the user population?
If the answer is yes to one or more of the above, an early release might be
warranted.
More questions to ask ourselves when doing the assessment if the answers to
the three ones above are all 'no'.
- Does the bug cause curl to prematurely terminate?
- How common is the affected buggy option/feature/protocol/platform to get
used?
- How large is the estimated impacted user base?
- Does the bug block something crucial for applications or other adoption of
curl "out there" ?
- Does the bug cause problems for curl developers or others on "the curl
team" ?
- Is the bug limited to the curl tool only? That might have a smaller impact
than a bug also present in libcurl.
- Is there a (decent) workaround?
- Is it a regression? Is the bug introduced in this release?
- Can the bug be fixed "easily" by applying a patch?
- Does the bug break the build? Most users do not build curl themselves.
- How long is it until the already scheduled next release?
- Can affected users safely rather revert to a former release until the next
scheduled release?
- Is it a performance regression with no functionality side-effects? If so it
has to be substantial.
## If an early release is deemed necessary
Unless done for security or similarly important reasons, an early release
should not be done within a week of the previous release.
This, to enable us to collect and bundle more fixes into the same release to
make the release more worthwhile for everyone and to allow more time for fixes
to settle and things to get tested. Getting a release in shape and done in
style is work that should not be rushed.

478
curl/docs/ECH.md
Unescape Просмотреть файл

@ -0,0 +1,478 @@
<!--
Copyright (C) Daniel Stenberg, <daniel@haxx.se>, et al.
SPDX-License-Identifier: curl
-->
# Building curl with HTTPS-RR and ECH support
We have added support for ECH to curl. It can use HTTPS RRs published in the
DNS if curl uses DoH, or else can accept the relevant ECHConfigList values
from the command line. This works with OpenSSL, wolfSSL, BoringSSL, AWS-LC
or rustls-ffi as the TLS provider.
This feature is EXPERIMENTAL. DO NOT USE IN PRODUCTION.
This should however provide enough of a proof-of-concept to prompt an informed
discussion about a good path forward for ECH support in curl.
## OpenSSL Build
To build our ECH-enabled OpenSSL fork:
```bash
cd $HOME/code
git clone https://github.com/defo-project/openssl
cd openssl
./config --libdir=lib --prefix=$HOME/code/openssl-local-inst
...stuff...
make -j8
...stuff (maybe go for coffee)...
make install_sw
...a little bit of stuff...
```
To build curl ECH-enabled, making use of the above:
```bash
cd $HOME/code
git clone https://github.com/curl/curl
cd curl
autoreconf -fi
LDFLAGS="-Wl,-rpath,$HOME/code/openssl-local-inst/lib/" ./configure --with-ssl=$HOME/code/openssl-local-inst --enable-ech
...lots of output...
WARNING: ECH HTTPSRR enabled but marked EXPERIMENTAL...
make
...lots more output...
```
If you do not get that WARNING at the end of the ``configure`` command, then
ECH is not enabled, so go back some steps and re-do whatever needs re-doing:-)
If you want to debug curl then you should add ``--enable-debug`` to the
``configure`` command.
In a recent (2024-05-20) build on one machine, configure failed to find the
ECH-enabled SSL library, apparently due to the existence of
``$HOME/code/openssl-local-inst/lib/pkgconfig`` as a directory containing
various settings. Deleting that directory worked around the problem but may
not be the best solution.
## Using ECH and DoH
curl supports using DoH for A/AAAA lookups so it was relatively easy to add
retrieval of HTTPS RRs in that situation. To use ECH and DoH together:
```bash
cd $HOME/code/curl
LD_LIBRARY_PATH=$HOME/code/openssl ./src/curl --ech true --doh-url https://one.one.one.one/dns-query https://defo.ie/ech-check.php
...
SSL_ECH_STATUS: success <img src="greentick-small.png" alt="good" /> <br/>
...
```
The output snippet above is within the HTML for the webpage, when things work.
The above works for these test sites:
```bash
https://defo.ie/ech-check.php
https://draft-13.esni.defo.ie:8413/stats
https://draft-13.esni.defo.ie:8414/stats
https://crypto.cloudflare.com/cdn-cgi/trace
https://tls-ech.dev
```
The list above has 4 different server technologies, implemented by 3 different
parties, and includes a case (the port 8414 server) where HelloRetryRequest
(HRR) is forced.
We currently support the following new curl command line arguments/options:
- ``--ech <config>`` - the ``config`` value can be one of:
- ``false`` says to not attempt ECH
- ``true`` says to attempt ECH, if possible
- ``grease`` if attempting ECH is not possible, then send a GREASE ECH extension
- ``hard`` hard-fail the connection if ECH cannot be attempted
- ``ecl:<b64value>`` a base64 encoded ECHConfigList, rather than one accessed from the DNS
- ``pn:<name>`` override the ``public_name`` from an ECHConfigList
Note that in the above "attempt ECH" means the client emitting a TLS
ClientHello with a "real" ECH extension, but that does not mean that the
relevant server can succeed in decrypting, as things can fail for other
reasons.
## Supplying an ECHConfigList on the command line
To supply the ECHConfigList on the command line, you might need a bit of
cut-and-paste, e.g.:
```bash
dig +short https defo.ie
1 . ipv4hint=213.108.108.101 ech=AED+DQA8PAAgACD8WhlS7VwEt5bf3lekhHvXrQBGDrZh03n/LsNtAodbUAAEAAEAAQANY292ZXIuZGVmby5pZQAA ipv6hint=2a00:c6c0:0:116:5::10
```
Then paste the base64 encoded ECHConfigList onto the curl command line:
```bash
LD_LIBRARY_PATH=$HOME/code/openssl ./src/curl --ech ecl:AED+DQA8PAAgACD8WhlS7VwEt5bf3lekhHvXrQBGDrZh03n/LsNtAodbUAAEAAEAAQANY292ZXIuZGVmby5pZQAA https://defo.ie/ech-check.php
...
SSL_ECH_STATUS: success <img src="greentick-small.png" alt="good" /> <br/>
...
```
The output snippet above is within the HTML for the webpage.
If you paste in the wrong ECHConfigList (it changes hourly for ``defo.ie``) you
should get an error like this:
```bash
LD_LIBRARY_PATH=$HOME/code/openssl ./src/curl -vvv --ech ecl:AED+DQA8yAAgACDRMQo+qYNsNRNj+vfuQfFIkrrUFmM4vogucxKj/4nzYgAEAAEAAQANY292ZXIuZGVmby5pZQAA https://defo.ie/ech-check.php
...
* OpenSSL/3.3.0: error:0A00054B:SSL routines::ech required
...
```
There is a reason to want this command line option - for use before publishing
an ECHConfigList in the DNS as per the Internet-draft [A well-known URI for
publishing ECHConfigList values](https://datatracker.ietf.org/doc/draft-ietf-tls-wkech/).
If you do use a wrong ECHConfigList value, then the server might return a
good value, via the ``retry_configs`` mechanism. You can see that value in
the verbose output, e.g.:
```bash
LD_LIBRARY_PATH=$HOME/code/openssl ./src/curl -vvv --ech ecl:AED+DQA8yAAgACDRMQo+qYNsNRNj+vfuQfFIkrrUFmM4vogucxKj/4nzYgAEAAEAAQANY292ZXIuZGVmby5pZQAA https://defo.ie/ech-check.php
...
* ECH: retry_configs AQD+DQA8DAAgACBvYqJy+Hgk33wh/ZLBzKSPgwxeop7gvojQzfASq7zeZQAEAAEAAQANY292ZXIuZGVmby5pZQAA/g0APEMAIAAgXkT5r4cYs8z19q5rdittyIX8gfQ3ENW4wj1fVoiJZBoABAABAAEADWNvdmVyLmRlZm8uaWUAAP4NADw2ACAAINXSE9EdXzEQIJZA7vpwCIQsWqsFohZARXChgPsnfI1kAAQAAQABAA1jb3Zlci5kZWZvLmllAAD+DQA8cQAgACASeiD5F+UoSnVoHvA2l1EifUVMFtbVZ76xwDqmMPraHQAEAAEAAQANY292ZXIuZGVmby5pZQAA
* ECH: retry_configs for defo.ie from cover.defo.ie, 319
...
```
At that point, you could copy the base64 encoded value above and try again.
For now, this only works for the OpenSSL and BoringSSL/AWS-LC builds.
## Default settings
curl has various ways to configure default settings, e.g. in ``$HOME/.curlrc``,
so one can set the DoH URL and enable ECH that way:
```bash
cat ~/.curlrc
doh-url=https://one.one.one.one/dns-query
silent
ech=true
```
Note that when you use the system's curl command (rather than our ECH-enabled
build), it is liable to warn that ``ech`` is an unknown option. If that is an
issue (e.g. if some script re-directs stdout and stderr somewhere) then adding
the ``silent`` line above seems to be a good enough fix. (Though of
course, yet another script could depend on non-silent behavior, so you may have
to figure out what you prefer yourself.) That seems to have changed with the
latest build, previously ``silent=TRUE`` was what I used in ``~/.curlrc`` but
now that seems to cause a problem, so that the following line(s) are ignored.
If you want to always use our OpenSSL build you can set ``LD_LIBRARY_PATH``
in the environment:
```bash
export LD_LIBRARY_PATH=$HOME/code/openssl
```
When you do the above, there can be a mismatch between OpenSSL versions
for applications that check that. A ``git push`` for example fails so you
should unset ``LD_LIBRARY_PATH`` before doing that or use a different shell.
```bash
git push
OpenSSL version mismatch. Built against 30000080, you have 30200000
...
```
With all that setup as above the command line gets simpler:
```bash
./src/curl https://defo.ie/ech-check.php
...
SSL_ECH_STATUS: success <img src="greentick-small.png" alt="good" /> <br/>
...
```
The ``--ech true`` option is opportunistic, so tries to do ECH but does not fail if
the client for example cannot find any ECHConfig values. The ``--ech hard``
option hard-fails if there is no ECHConfig found in DNS, so for now, that is not
a good option to set as a default. Once ECH has really been attempted by
the client, if decryption on the server side fails, then curl fails.
## Code changes for ECH support when using DoH
Code changes are ``#ifdef`` protected via ``USE_ECH`` or ``USE_HTTPSRR``:
- ``USE_HTTPSRR`` is used for HTTPS RR retrieval code that could be generically
used should non-ECH uses for HTTPS RRs be identified, e.g. use of ALPN values
or IP address hints.
- ``USE_ECH`` protects ECH specific code.
There are various obvious code blocks for handling the new command line
arguments which are not described here, but should be fairly clear.
As shown in the ``configure`` usage above, there are ``configure.ac`` changes
that allow separately dis/enabling ``USE_HTTPSRR`` and ``USE_ECH``. If ``USE_ECH``
is enabled, then ``USE_HTTPSRR`` is forced. In both cases ``CURL_DISABLE_DOH``
must not be enabled. (There may be some configuration conflicts available for the
determined :-)
The main functional change, as you would expect, is in ``lib/vtls/openssl.c``
where an ECHConfig, if available from command line or DNS cache, is fed into
the OpenSSL library via the new APIs implemented in our OpenSSL fork for that
purpose. This code also implements the opportunistic (``--ech true``) or hard-fail
(``--ech hard``) logic.
Other than that, the main additions are in ``lib/doh.c``
where we reuse ``dohprobe()`` to retrieve an HTTPS RR value for the target
domain. If such a value is found, that is stored using a new ``doh_store_https()``
function in a new field in the ``dohentry`` structure.
The qname for the DoH query is modified if the port number is not 443, as
defined in the SVCB specification.
When the DoH process has worked, ``Curl_doh_is_resolved()`` now also returns
the relevant HTTPS RR value data in the ``Curl_dns_entry`` structure.
That is later accessed when the TLS session is being established, if ECH is
enabled (from ``lib/vtls/openssl.c`` as described above).
## Limitations
Things that need fixing, but that can probably be ignored for the
moment:
- We could easily add code to make use of an ``alpn=`` value found in an HTTPS
RR, passing that on to OpenSSL for use as the "inner" ALPN value, but have
yet to do that.
Current limitations (more interesting than the above):
- Only the first HTTPS RR value retrieved is actually processed as described
above, that could be extended in future, though picking the "right" HTTPS RR
could be non-trivial if multiple RRs are published - matching IP address hints
versus A/AAAA values might be a good basis for that. Last I checked though,
browsers supporting ECH did not handle multiple HTTPS RRs well, though that
needs re-checking as it has been a while.
- It is unclear how one should handle any IP address hints found in an HTTPS RR.
It may be that a bit of consideration of how "multi-CDN" deployments might
emerge would provide good answers there, but for now, it is not clear how best
curl might handle those values when present in the DNS.
- The SVCB/HTTPS RR specification supports a new "CNAME at apex" indirection
("aliasMode") - the current code takes no account of that at all. One could
envisage implementing the equivalent of following CNAMEs in such cases, but
it is not clear if that'd be a good plan. (As of now, chrome browsers do not seem
to have any support for that "aliasMode" and we have not checked Firefox for that
recently.)
- We have not investigated what related changes or additions might be needed
for applications using libcurl, as opposed to use of curl as a command line
tool.
- We have not yet implemented tests as part of the usual curl test harness as
doing so would seem to require re-implementing an ECH-enabled server as part
of the curl test harness. For now, we have a ``./tests/ech_test.sh`` script
that attempts ECH with various test servers and with many combinations of the
allowed command line options. While that is a useful test and has find issues,
it is not comprehensive and we are not (as yet) sure what would be the right
level of coverage. When running that script you should not have a
``$HOME/.curlrc`` file that affects ECH or some of the negative tests could
produce spurious failures.
## Building with cmake
To build with cmake, assuming our ECH-enabled OpenSSL is as before:
```bash
cd $HOME/code
git clone https://github.com/curl/curl
cd curl
mkdir build
cd build
cmake -DOPENSSL_ROOT_DIR=$HOME/code/openssl -DUSE_ECH=1 ..
...
make
...
[100%] Built target curl
```
The binary produced by the cmake build does not need any ECH-specific
``LD_LIBRARY_PATH`` setting.
## BoringSSL build
BoringSSL is also supported by curl and also supports ECH, so to build
with that, instead of our ECH-enabled OpenSSL:
```bash
cd $HOME/code
git clone https://boringssl.googlesource.com/boringssl
cd boringssl
cmake -DCMAKE_INSTALL_PREFIX:PATH=$HOME/code/boringssl/inst -DBUILD_SHARED_LIBS=1
make
...
make install
```
Then:
```bash
cd $HOME/code
git clone https://github.com/curl/curl
cd curl
autoreconf -fi
LDFLAGS="-Wl,-rpath,$HOME/code/boringssl/inst/lib" ./configure --with-ssl=$HOME/code/boringssl/inst --enable-ech
...lots of output...
WARNING: ECH HTTPSRR enabled but marked EXPERIMENTAL. Use with caution.
make
```
The BoringSSL/AWS-LC APIs are fairly similar to those in our ECH-enabled
OpenSSL fork, so code changes are also in ``lib/vtls/openssl.c``, protected
via ``#ifdef OPENSSL_IS_BORINGSSL`` and are mostly obvious API variations.
The BoringSSL/AWS-LC APIs however do not support the ``--ech pn:`` command
line variant as of now.
## wolfSSL build
wolfSSL also supports ECH and can be used by curl, so here's how:
```bash
cd $HOME/code
git clone https://github.com/wolfSSL/wolfssl
cd wolfssl
./autogen.sh
./configure --prefix=$HOME/code/wolfssl/inst --enable-ech --enable-debug --enable-opensslextra
make
make install
```
The install prefix (``inst``) in the above causes wolfSSL to be installed there
and we seem to need that for the curl configure command to work out. The
``--enable-opensslextra`` turns out (after much faffing about;-) to be
important or else we get build problems with curl below.
```bash
cd $HOME/code
git clone https://github.com/curl/curl
cd curl
autoreconf -fi
./configure --with-wolfssl=$HOME/code/wolfssl/inst --enable-ech
make
```
There are some known issues with the ECH implementation in wolfSSL:
- The main issue is that the client currently handles HelloRetryRequest
incorrectly. [HRR issue](https://github.com/wolfSSL/wolfssl/issues/6802).)
The HRR issue means that the client does not work for
[this ECH test web site](https://tls-ech.dev) and any other similarly configured
sites.
- There is also an issue related to so-called middlebox compatibility mode.
[middlebox compatibility issue](https://github.com/wolfSSL/wolfssl/issues/6774)
### Code changes to support wolfSSL
There are what seem like oddball differences:
- The DoH URL in``$HOME/.curlrc`` can use `1.1.1.1` for OpenSSL but has to be
`one.one.one.one` for wolfSSL. The latter works for both, so OK, we us that.
- There seems to be some difference in CA databases too - the wolfSSL version
does not like ``defo.ie``, whereas the system and OpenSSL ones do. We can
ignore that for our purposes via ``--insecure``/``-k`` but would need to fix
for a real setup. (Browsers do like those certificates though.)
Then there are some functional code changes:
- tweak to ``configure.ac`` to check if wolfSSL has ECH or not
- added code to ``lib/vtls/wolfssl.c`` mirroring what's done in the
OpenSSL equivalent above.
- wolfSSL does not support ``--ech false`` or the ``--ech pn:`` command line
argument.
The lack of support for ``--ech false`` is because wolfSSL has decided to
always at least GREASE if built to support ECH. In other words, GREASE is
a compile time choice for wolfSSL, but a runtime choice for OpenSSL or
BoringSSL/AWS-LC. (Both are reasonable.)
## Additional notes
### Supporting ECH without DoH
All of the above only applies if DoH is being used. There should be a use-case
for ECH when DoH is not used by curl - if a system stub resolver supports DoT
or DoH, then, considering only ECH and the network threat model, it would make
sense for curl to support ECH without curl itself using DoH. The author for
example uses a combination of stubby+unbound as the system resolver listening
on localhost:53, so would fit this use-case. That said, it is unclear if
this is a niche that is worth trying to address. (The author is just as happy to
let curl use DoH to talk to the same public recursive that stubby might use:-)
Assuming for the moment this is a use-case we would like to support, then if
DoH is not being used by curl, it is not clear at this time how to provide
support for ECH. One option would seem to be to extend the ``c-ares`` library
to support HTTPS RRs, but in that case it is not now clear whether such
changes would be attractive to the ``c-ares`` maintainers, nor whether the
"tag=value" extensibility inherent in the HTTPS/SVCB specification is a good
match for the ``c-ares`` approach of defining structures specific to decoded
answers for each supported RRtype. We are also not sure how many downstream
curl deployments actually make use of the ``c-ares`` library, which would
affect the utility of such changes. Another option might be to consider using
some other generic DNS library that does support HTTPS RRs, but it is unclear
if such a library could or would be used by all or almost all curl builds and
downstream releases of curl.
Our current conclusion is that doing the above is likely best left until we
have some experience with the "using DoH" approach, so we are going to punt on
this for now.
### Debugging
Just a note to self as remembering this is a nuisance:
```bash
LD_LIBRARY_PATH=$HOME/code/openssl:./lib/.libs gdb ./src/.libs/curl
```
### Localhost testing
It can be useful to be able to run against a localhost OpenSSL ``s_server``
for testing. We have published instructions for such
[localhost tests](https://github.com/defo-project/ech-dev-utils/blob/main/howtos/localhost-tests.md)
in another repository. Once you have that set up, you can start a server
and then run curl against that:
```bash
cd $HOME/code/ech-dev-utils
./scripts/echsvr.sh -d
...
```
The ``echsvr.sh`` script supports many ECH-related options. Use ``echsvr.sh -h``
for details.
In another window:
```bash
cd $HOME/code/curl/
./src/curl -vvv --insecure --connect-to foo.example.com:8443:localhost:8443 --ech ecl:AD7+DQA6uwAgACBix2B78sX+EQhEbxMspDOc8Z3xVS5aQpYP0Cxpc2AWPAAEAAEAAQALZXhhbXBsZS5jb20AAA==
```
### Automated use of ``retry_configs`` not supported so far...
As of now we have not added support for using ``retry_config`` handling in the
application - for a command line tool, one can just use ``dig`` (or ``kdig``)
to get the HTTPS RR and pass the ECHConfigList from that on the command line,
if needed, or one can access the value from command line output in verbose more
and then reuse that in another invocation.
Both our OpenSSL fork and BoringSSL/AWS-LC have APIs for both controlling GREASE
and accessing and logging ``retry_configs``, it seems wolfSSL has neither.

90
curl/docs/EXPERIMENTAL.md
Unescape Просмотреть файл

@ -0,0 +1,90 @@
<!--
Copyright (C) Daniel Stenberg, <daniel@haxx.se>, et al.
SPDX-License-Identifier: curl
-->
# Experimental
Some features and functionality in curl and libcurl are considered
**EXPERIMENTAL**.
Experimental support in curl means:
1. Experimental features are provided to allow users to try them out and
provide feedback on functionality and API etc before they ship and get
"carved in stone".
2. You must enable the feature when invoking configure as otherwise curl is
not built with the feature present.
3. We strongly advise against using this feature in production.
4. **We reserve the right to change behavior** of the feature without sticking
to our API/ABI rules as we do for regular features, as long as it is marked
experimental.
5. Experimental features are clearly marked so in documentation. Beware.
## Graduation
1. Each experimental feature should have a set of documented requirements of
what is needed for that feature to graduate. Graduation means being removed
from the list of experiments.
2. An experiment should NOT graduate if it needs test cases to be disabled,
unless they are for minor features that are clearly documented as not
provided by the experiment and then the disabling should be managed inside
each affected test case.
## Experimental features right now
### HTTP/3 support (non-ngtcp2 backends)
Graduation requirements:
- The used libraries should be considered out-of-beta with a reasonable
expectation of a stable API going forward.
- Using HTTP/3 with the given build should perform without risking busy-loops
### The Rustls backend
Graduation requirements:
- a reasonable expectation of a stable API going forward.
## ECH
Use of the HTTPS resource record and Encrypted Client Hello (ECH) when using
DoH
Graduation requirements:
- ECH support exists in at least one widely used TLS library apart from
BoringSSL and wolfSSL.
- feedback from users saying that ECH works for their use cases
- it has been given time to mature, so no earlier than April 2025 (twelve
months after being added here)
## SSL session import/export
Import/Export of SSL sessions tickets in libcurl and curl command line
option '--ssl-session <filename>' for faster TLS handshakes and use
of TLSv1.3/QUIC Early Data (0-RTT).
Graduation requirements:
- the implementation is considered safe
- feedback from users saying that session export works for their use cases
## HTTPS RR
HTTPS records support is a requirement for ECH but is provided as a
stand-alone feature that is itself considered EXPERIMENTAL.
Graduation requirements:
- HTTPS records work for DoH, c-ares and the threaded resolver
- HTTPS records can control ALPN and port number, at least
- There are options to control HTTPS use

1560
curl/docs/FAQ.txt
Просмотреть файл

Разница между файлами не показана из-за своего большого размера Загрузить разницу

249
curl/docs/FEATURES.md
Unescape Просмотреть файл

@ -0,0 +1,249 @@
<!--
Copyright (C) Daniel Stenberg, <daniel@haxx.se>, et al.
SPDX-License-Identifier: curl
-->
# Features -- what curl can do
## curl tool
- config file support
- multiple URLs in a single command line
- range "globbing" support: [0-13], {one,two,three}
- multiple file upload on a single command line
- redirect stderr
- parallel transfers
## libcurl
- URL RFC 3986 syntax
- custom maximum download time
- custom lowest download speed acceptable
- custom output result after completion
- guesses protocol from hostname unless specified
- supports .netrc
- progress bar with time statistics while downloading
- standard proxy environment variables support
- have run on 101 operating systems and 28 CPU architectures
- selectable network interface for outgoing traffic
- IPv6 support on Unix and Windows
- happy eyeballs dual-stack IPv4 + IPv6 connects
- persistent connections
- SOCKS 4 + 5 support, with or without local name resolving
- *pre-proxy* support, for *proxy chaining*
- supports username and password in proxy environment variables
- operations through HTTP proxy "tunnel" (using CONNECT)
- replaceable memory functions (malloc, free, realloc, etc)
- asynchronous name resolving
- both a push and a pull style interface
- international domain names (IDN)
- transfer rate limiting
- stable API and ABI
- TCP keep alive
- TCP Fast Open
- DNS cache (that can be shared between transfers)
- non-blocking single-threaded parallel transfers
- Unix domain sockets to server or proxy
- DNS-over-HTTPS
- uses non-blocking name resolves
- selectable name resolver backend
## URL API
- parses RFC 3986 URLs
- generates URLs from individual components
- manages "redirects"
## Header API
- easy access to HTTP response headers, from all contexts
- named headers
- iterate over headers
## TLS
- selectable TLS backend(s)
- TLS False Start
- TLS version control
- TLS session resumption
- key pinning
- mutual authentication
- Use dedicated CA cert bundle
- Use OS-provided CA store
- separate TLS options for HTTPS proxy
## HTTP
- HTTP/0.9 responses are optionally accepted
- HTTP/1.0
- HTTP/1.1
- HTTP/2, including multiplexing and server push
- GET
- PUT
- HEAD
- POST
- multipart formpost (RFC 1867-style)
- authentication: Basic, Digest, NTLM (9) and Negotiate (SPNEGO)
to server and proxy
- resume transfers
- follow redirects
- maximum amount of redirects to follow
- custom HTTP request
- cookie get/send fully parsed
- reads/writes the Netscape cookie file format
- custom headers (replace/remove internally generated headers)
- custom user-agent string
- custom referrer string
- range
- proxy authentication
- time conditions
- via HTTP proxy, HTTPS proxy or SOCKS proxy
- HTTP/2 or HTTP/1.1 to HTTPS proxy
- retrieve file modification date
- Content-Encoding support for deflate, gzip, brotli and zstd
- "Transfer-Encoding: chunked" support in uploads
- HSTS
- alt-svc
- ETags
- HTTP/1.1 trailers, both sending and getting
## HTTPS
- HTTP/3
- using client certificates
- verify server certificate
- via HTTP proxy, HTTPS proxy or SOCKS proxy
- select desired encryption
- select usage of a specific TLS version
- ECH
## FTP
- download
- authentication
- Kerberos 5
- active/passive using PORT, EPRT, PASV or EPSV
- single file size information (compare to HTTP HEAD)
- 'type=' URL support
- directory listing
- directory listing names-only
- upload
- upload append
- upload via http-proxy as HTTP PUT
- download resume
- upload resume
- custom ftp commands (before and/or after the transfer)
- simple "range" support
- via HTTP proxy, HTTPS proxy or SOCKS proxy
- all operations can be tunneled through proxy
- customizable to retrieve file modification date
- no directory depth limit
## FTPS
- implicit `ftps://` support that use SSL on both connections
- explicit "AUTH TLS" and "AUTH SSL" usage to "upgrade" plain `ftp://`
connection to use SSL for both or one of the connections
## SSH (both SCP and SFTP)
- selectable SSH backend
- known hosts support
- public key fingerprinting
- both password and public key auth
## SFTP
- both password and public key auth
- with custom commands sent before/after the transfer
- directory listing
## TFTP
- download
- upload
## TELNET
- connection negotiation
- custom telnet options
- stdin/stdout I/O
## LDAP
- full LDAP URL support
## DICT
- extended DICT URL support
## FILE
- URL support
- upload
- resume
## SMB
- SMBv1 over TCP and SSL
- download
- upload
- authentication with NTLMv1
## SMTP
- authentication: Plain, Login, CRAM-MD5, Digest-MD5, NTLM, Kerberos 5 and
External
- send emails
- mail from support
- mail size support
- mail auth support for trusted server-to-server relaying
- multiple recipients
- via http-proxy
## SMTPS
- implicit `smtps://` support
- explicit "STARTTLS" usage to "upgrade" plain `smtp://` connections to use SSL
- via http-proxy
## POP3
- authentication: Clear Text, APOP and SASL
- SASL based authentication: Plain, Login, CRAM-MD5, Digest-MD5, NTLM,
Kerberos 5 and External
- list emails
- retrieve emails
- enhanced command support for: CAPA, DELE, TOP, STAT, UIDL and NOOP via
custom requests
- via http-proxy
## POP3S
- implicit `pop3s://` support
- explicit `STLS` usage to "upgrade" plain `pop3://` connections to use SSL
- via http-proxy
## IMAP
- authentication: Clear Text and SASL
- SASL based authentication: Plain, Login, CRAM-MD5, Digest-MD5, NTLM,
Kerberos 5 and External
- list the folders of a mailbox
- select a mailbox with support for verifying the `UIDVALIDITY`
- fetch emails with support for specifying the UID and SECTION
- upload emails via the append command
- enhanced command support for: EXAMINE, CREATE, DELETE, RENAME, STATUS,
STORE, COPY and UID via custom requests
- via http-proxy
## IMAPS
- implicit `imaps://` support
- explicit "STARTTLS" usage to "upgrade" plain `imap://` connections to use SSL
- via http-proxy
## MQTT
- Subscribe to and publish topics using URL scheme `mqtt://broker/topic`

202
curl/docs/GOVERNANCE.md
Unescape Просмотреть файл

@ -0,0 +1,202 @@
<!--
Copyright (C) Daniel Stenberg, <daniel@haxx.se>, et al.
SPDX-License-Identifier: curl
-->
# Decision making in the curl project
A rough guide to how we make decisions and who does what.
## BDFL
This project was started by and has to some extent been pushed forward over
the years with Daniel Stenberg as the driving force. It matches a standard
BDFL (Benevolent Dictator For Life) style project.
This setup has been used due to convenience and the fact that it has worked
fine this far. It is not because someone thinks of it as a superior project
leadership model. It also only works as long as Daniel manages to listen in to
what the project and the general user population wants and expects from us.
## Legal entity
There is no legal entity. The curl project is just a bunch of people scattered
around the globe with the common goal to produce source code that creates
great products. We are not part of any umbrella organization and we are not
located in any specific country. We are totally independent.
The copyrights in the project are owned by the individuals and organizations
that wrote those parts of the code.
## Decisions
The curl project is not a democracy, but everyone is entitled to state their
opinion and may argue for their sake within the community.
All and any changes that have been done or are done are eligible to bring up
for discussion, to object to or to praise. Ideally, we find consensus for the
appropriate way forward in any given situation or challenge.
If there is no obvious consensus, a maintainer who's knowledgeable in the
specific area takes an "executive" decision that they think is the right for
the project.
## Donations
Donating plain money to curl is best done to curl's [Open Collective
fund](https://opencollective.com/curl). Open Collective is a US based
non-profit organization that holds on to funds for us. This fund is then used
for paying the curl security bug bounties, to reimburse project related
expenses etc.
Donations to the project can also come in the form of server hosting, providing
services and paying for people to work on curl related code etc. Usually, such
donations are services paid for directly by the sponsors.
We grade sponsors in a few different levels and if they meet the criteria,
they can be mentioned on the Sponsors page on the curl website.
## Commercial Support
The curl project does not do or offer commercial support. It only hosts
mailing lists, runs bug trackers etc to facilitate communication and work.
However, Daniel works for wolfSSL and we offer commercial curl support there.
# Key roles
## User
Someone who uses or has used curl or libcurl.
## Contributor
Someone who has helped the curl project, who has contributed to bring it
forward. Contributing could be to provide advice, debug a problem, file a bug
report, run test infrastructure or writing code etc.
## Commit author
Sometimes also called 'committer'. Someone who has authored a commit in the
curl source code repository. Committers are recorded as `Author` in git.
## Maintainers
A maintainer in the curl project is an individual who has been given
permissions to push commits to one of the git repositories.
Maintainers are free to push commits to the repositories at they see fit.
Maintainers are however expected to listen to feedback from users and any
change that is non-trivial in size or nature *should* be brought to the
project as a Pull-Request (PR) to allow others to comment/object before merge.
## Former maintainers
A maintainer who stops being active in the project gets their push permissions
removed at some point. We do this for security reasons but also to make sure
that we always have the list of maintainers as "the team that push stuff to
curl".
Getting push permissions removed is not a punishment. Everyone who ever worked
on maintaining curl is considered a hero, for all time hereafter.
## Security team members
We have a security team. That is the team of people who are subscribed to the
curl-security mailing list; the receivers of security reports from users and
developers. This list of people varies over time but they are all skilled
developers familiar with the curl project.
The security team works best when it consists of a small set of active
persons. We invite new members when the team seems to need it, and we also
expect to retire security team members as they "drift off" from the project or
just find themselves unable to perform their duties there.
## Core team
There is a curl core team. It currently has the same set of members as the
security team. It can also be reached on the security email address.
The core team nominates and invites new members to the team when it sees fit.
There is no open member voting or formal ways to be a candidate. Active
participants in the curl project who want to join the core team can ask to
join.
The core team is a board of advisors. It deals with project management
subjects that need confidentiality or for other reasons cannot be dealt with
and discussed in the open (for example reports of code of conduct violations).
Project matters should always as far as possible be discussed on open mailing
lists.
## Server admins
We run a web server, a mailing list and more on the curl project's primary
server. That physical machine is owned and run by Haxx. Daniel is the primary
admin of all things curl related server stuff, but Björn Stenberg and Linus
Feltzing serve as backup admins for when Daniel is gone or unable.
The primary server is paid for by Haxx. The machine is physically located in a
server bunker in Stockholm Sweden, operated by the company Glesys.
The website contents are served to the web via Fastly and Daniel is the
primary curl contact with Fastly.
## BDFL
That is Daniel.
# Maintainers
A curl maintainer is a project volunteer who has the authority and rights to
merge changes into a git repository in the curl project.
Anyone can aspire to become a curl maintainer.
### Duties
There are no mandatory duties. We hope and wish that maintainers consider
reviewing patches and help merging them, especially when the changes are
within the area of personal expertise and experience.
### Requirements
- only merge code that meets our quality and style guide requirements.
- *never* merge code without doing a PR first, unless the change is "trivial"
- if in doubt, ask for input/feedback from others
### Recommendations
- we require two-factor authentication enabled on your GitHub account to
reduce risk of malicious source code tampering
- consider enabling signed git commits for additional verification of changes
### Merge advice
When you are merging patches/pull requests...
- make sure the commit messages follow our template
- squash patch sets into a few logical commits even if the PR did not, if
necessary
- avoid the "merge" button on GitHub, do it "manually" instead to get full
control and full audit trail (GitHub leaves out you as "Committer:")
- remember to credit the reporter and the helpers.
## Who are maintainers?
The [list of maintainers](https://github.com/orgs/curl/people). Be aware that
the level of presence and activity in the project vary greatly between
different individuals and over time.
### Become a maintainer?
If you think you can help making the project better by shouldering some
maintaining responsibilities, then please get in touch.
You are expected to be familiar with the curl project and its ways of working.
You need to have gotten a few quality patches merged as a proof of this.
### Stop being a maintainer
If you (appear to) not be active in the project anymore, you may be removed as
a maintainer. Thank you for your service.

94
curl/docs/HELP-US.md
Unescape Просмотреть файл

@ -0,0 +1,94 @@
<!--
Copyright (C) Daniel Stenberg, <daniel@haxx.se>, et al.
SPDX-License-Identifier: curl
-->
# How to get started helping out in the curl project
We are always in need of more help. If you are new to the project and are
looking for ways to contribute and help out, this document aims to give a few
good starting points.
You may subscribe to the [curl-library mailing
list](https://lists.haxx.se/listinfo/curl-library) to keep track of the
current discussion topics; or if you are registered on GitHub, you can use the
[Discussions section](https://github.com/curl/curl/discussions) on the main
curl repository.
## Scratch your own itch
One of the best ways is to start working on any problems or issues you have
found yourself or perhaps got annoyed at in the past. It can be a spelling
error in an error text or a weirdly phrased section in a man page. Hunt it
down and report the bug. Or make your first pull request with a fix for that.
## Smaller tasks
Some projects mark small issues as "beginner friendly", "bite-sized" or
similar. We do not do that in curl since such issues never linger around long
enough. Simple issues get handled fast.
If you are looking for a smaller or simpler task in the project to help out
with as an entry-point into the project, perhaps because you are a newcomer or
even maybe not a terribly experienced developer, here's our advice:
- Read through this document to get a grasp on a general approach to use
- Consider adding a test case for something not currently tested (correctly)
- Consider updating or adding documentation
- One way to get started gently in the project, is to participate in an
existing issue/PR and help out by reproducing the issue, review the code in
the PR etc.
## Help wanted
In the issue tracker we occasionally mark bugs with [help
wanted](https://github.com/curl/curl/labels/help%20wanted), as a sign that the
bug is acknowledged to exist and that there is nobody known to work on this
issue for the moment. Those are bugs that are fine to "grab" and provide a
pull request for. The complexity level of these of course varies, so pick one
that piques your interest.
## Work on known bugs
Some bugs are known and have not yet received attention and work enough to get
fixed. We collect such known existing flaws in the
[KNOWN_BUGS](https://curl.se/docs/knownbugs.html) page. Many of them link
to the original bug report with some additional details, but some may also
have aged a bit and may require some verification that the bug still exists in
the same way and that what was said about it in the past is still valid.
## Fix autobuild problems
On the [autobuilds page](https://curl.se/dev/builds.html) we show a
collection of test results from the automatic curl build and tests that are
performed by volunteers. Fixing compiler warnings and errors shown there is
something we value greatly. Also, if you own or run systems or architectures
that are not already tested in the autobuilds, we also appreciate more
volunteers running builds automatically to help us keep curl portable.
## TODO items
Ideas for features and functions that we have considered worthwhile to
implement and provide are kept in the
[TODO](https://curl.se/docs/todo.html) file. Some of the ideas are
rough. Some are well thought out. Some probably are not really suitable
anymore.
Before you invest a lot of time on a TODO item, do bring it up for discussion
on the mailing list. For discussion on applicability but also for ideas and
brainstorming on specific ways to do the implementation etc.
## You decide
You can also come up with a completely new thing you think we should do. Or
not do. Or fix. Or add to the project. You then either bring it to the mailing
list first to see if people shoot down the idea at once, or you bring a first
draft of the idea as a pull request and take the discussion there around the
specific implementation. Either way is fine.
## CONTRIBUTE
We offer [guidelines](https://curl.se/dev/contribute.html) that are suitable
to be familiar with before you decide to contribute to curl. If you are used
to open source development, you probably do not find many surprises there.

486
curl/docs/HISTORY.md
Unescape Просмотреть файл

@ -0,0 +1,486 @@
<!--
Copyright (C) Daniel Stenberg, <daniel@haxx.se>, et al.
SPDX-License-Identifier: curl
-->
How curl Became Like This
=========================
Towards the end of 1996, Daniel Stenberg was spending time writing an IRC bot
for an Amiga related channel on EFnet. He then came up with the idea to make
currency-exchange calculations available to Internet Relay Chat (IRC)
users. All the necessary data were published on the Web; he just needed to
automate their retrieval.
1996
----
On November 11, 1996 the Brazilian developer Rafael Sagula wrote and released
HttpGet version 0.1.
Daniel extended this existing command-line open-source tool. After a few minor
adjustments, it did just what he needed. The first release with Daniel's
additions was 0.2, released on December 17, 1996. Daniel quickly became the
new maintainer of the project.
1997
----
HttpGet 0.3 was released in January 1997 and now it accepted HTTP URLs on the
command line.
HttpGet 1.0 was released on April 8 1997 with brand new HTTP proxy support.
We soon found and fixed support for getting currencies over GOPHER. Once FTP
download support was added, the name of the project was changed and urlget 2.0
was released in August 1997. The http-only days were already passed.
Version 2.2 was released on August 14 1997 and introduced support to build for
and run on Windows and Solaris.
November 24 1997: Version 3.1 added FTP upload support.
Version 3.5 added support for HTTP POST.
1998
----
February 4: urlget 3.10
February 9: urlget 3.11
March 14: urlget 3.12 added proxy authentication.
The project slowly grew bigger. With upload capabilities, the name was once
again misleading and a second name change was made. On March 20, 1998 curl 4
was released. (The version numbering from the previous names was kept.)
(Unrelated to this project a company called Curl Corporation registered a US
trademark on the name "CURL" on May 18 1998. That company had then already
registered the curl.com domain back in November of the previous year. All this
was revealed to us much later.)
SSL support was added, powered by the SSLeay library.
August: first announcement of curl on freshmeat.net.
October: with the curl 4.9 release and the introduction of cookie support,
curl was no longer released under the GPL license. Now we are at 4000 lines of
code, we switched over to the MPL license to restrict the effects of
"copyleft".
November: configure script and reported successful compiles on several
major operating systems. The never-quite-understood -F option was added and
curl could now simulate quite a lot of a browser. TELNET support was added.
curl 5 was released in December 1998 and introduced the first ever curl man
page. People started making Linux RPM packages out of it.
1999
----
January: DICT support added.
OpenSSL took over and SSLeay was abandoned.
May: first Debian package.
August: LDAP:// and FILE:// support added. The curl website gets 1300 visits
weekly. Moved site to curl.haxx.nu.
September: Released curl 6.0. 15000 lines of code.
December 28: added the project on Sourceforge and started using its services
for managing the project.
2000
----
Spring: major internal overhaul to provide a suitable library interface.
The first non-beta release was named 7.1 and arrived in August. This offered
the easy interface and turned out to be the beginning of actually getting
other software and programs to be based on and powered by libcurl. Almost
20000 lines of code.
June: the curl site moves to "curl.haxx.se"
August, the curl website gets 4000 visits weekly.
The PHP guys adopted libcurl already the same month, when the first ever third
party libcurl binding showed up. CURL has been a supported module in PHP since
the release of PHP 4.0.2. This would soon get followers. More than 16
different bindings exist at the time of this writing.
September: kerberos4 support was added.
November: started the work on a test suite for curl. It was later re-written
from scratch again. The libcurl major SONAME number was set to 1.
2001
----
January: Daniel released curl 7.5.2 under a new license again: MIT (or
MPL). The MIT license is extremely liberal and can be combined with GPL
in other projects. This would finally put an end to the "complaints" from
people involved in GPLed projects that previously were prohibited from using
libcurl while it was released under MPL only. (Due to the fact that MPL is
deemed "GPL incompatible".)
March 22: curl supports HTTP 1.1 starting with the release of 7.7. This
also introduced libcurl's ability to do persistent connections. 24000 lines of
code. The libcurl major SONAME number was bumped to 2 due to this overhaul.
The first experimental ftps:// support was added.
August: The curl website gets 8000 visits weekly. Curl Corporation contacted
Daniel to discuss "the name issue". After Daniel's reply, they have never
since got back in touch again.
September: libcurl 7.9 introduces cookie jar and `curl_formadd()`. During the
forthcoming 7.9.x releases, we introduced the multi interface slowly and
without many whistles.
September 25: curl (7.7.2) is bundled in Mac OS X (10.1) for the first time. It was
already becoming more and more of a standard utility of Linux distributions
and a regular in the BSD ports collections.
2002
----
June: the curl website gets 13000 visits weekly. curl and libcurl is
35000 lines of code. Reported successful compiles on more than 40 combinations
of CPUs and operating systems.
To estimate the number of users of the curl tool or libcurl library is next to
impossible. Around 5000 downloaded packages each week from the main site gives
a hint, but the packages are mirrored extensively, bundled with numerous OS
distributions and otherwise retrieved as part of other software.
October 1: with the release of curl 7.10 it is released under the MIT license
only.
Starting with 7.10, curl verifies SSL server certificates by default.
2003
----
January: Started working on the distributed curl tests. The autobuilds.
February: the curl site averages at 20000 visits weekly. At any given moment,
there is an average of 3 people browsing the website.
Multiple new authentication schemes are supported: Digest (May), NTLM (June)
and Negotiate (June).
November: curl 7.10.8 is released. 45000 lines of code. ~55000 unique visitors
to the website. Five official web mirrors.
December: full-fledged SSL for FTP is supported.
2004
----
January: curl 7.11.0 introduced large file support.
June: curl 7.12.0 introduced IDN support. 10 official web mirrors.
This release bumped the major SONAME to 3 due to the removal of the
`curl_formparse()` function
August: curl and libcurl 7.12.1
Public curl release number: 82
Releases counted from the beginning: 109
Available command line options: 96
Available curl_easy_setopt() options: 120
Number of public functions in libcurl: 36
Amount of public website mirrors: 12
Number of known libcurl bindings: 26
2005
----
April: GnuTLS can now optionally be used for the secure layer when curl is
built.
April: Added the multi_socket() API
September: TFTP support was added.
More than 100,000 unique visitors of the curl website. 25 mirrors.
December: security vulnerability: libcurl URL Buffer Overflow
2006
----
January: We dropped support for Gopher. We found bugs in the implementation
that turned out to have been introduced years ago, so with the conclusion that
nobody had found out in all this time we removed it instead of fixing it.
March: security vulnerability: libcurl TFTP Packet Buffer Overflow
September: The major SONAME number for libcurl was bumped to 4 due to the
removal of ftp third party transfer support.
November: Added SCP and SFTP support
2007
----
February: Added support for the Mozilla NSS library to do the SSL/TLS stuff
July: security vulnerability: libcurl GnuTLS insufficient cert verification
2008
----
November:
Command line options: 128
curl_easy_setopt() options: 158
Public functions in libcurl: 58
Known libcurl bindings: 37
Contributors: 683
145,000 unique visitors. >100 GB downloaded.
2009
----
March: security vulnerability: libcurl Arbitrary File Access
April: added CMake support
August: security vulnerability: libcurl embedded zero in cert name
December: Added support for IMAP, POP3 and SMTP
2010
----
January: Added support for RTSP
February: security vulnerability: libcurl data callback excessive length
March: The project switched over to use git (hosted by GitHub) instead of CVS
for source code control
May: Added support for RTMP
Added support for PolarSSL to do the SSL/TLS stuff
August:
Public curl releases: 117
Command line options: 138
curl_easy_setopt() options: 180
Public functions in libcurl: 58
Known libcurl bindings: 39
Contributors: 808
Gopher support added (re-added actually, see January 2006)
2011
----
February: added support for the axTLS backend
April: added the cyassl backend (later renamed to wolfSSL)
2012
----
July: Added support for Schannel (native Windows TLS backend) and Darwin SSL
(Native Mac OS X and iOS TLS backend).
Supports Metalink
October: SSH-agent support.
2013
----
February: Cleaned up internals to always uses the "multi" non-blocking
approach internally and only expose the blocking API with a wrapper.
September: First small steps on supporting HTTP/2 with nghttp2.
October: Removed krb4 support.
December: Happy eyeballs.
2014
----
March: first real release supporting HTTP/2
September: Website had 245,000 unique visitors and served 236GB data
SMB and SMBS support
2015
----
June: support for multiplexing with HTTP/2
August: support for HTTP/2 server push
December: Public Suffix List
2016
----
January: the curl tool defaults to HTTP/2 for HTTPS URLs
December: curl 7.52.0 introduced support for HTTPS-proxy
First TLS 1.3 support
2017
----
July: OSS-Fuzz started fuzzing libcurl
September: Added MultiSSL support
The website serves 3100 GB/month
Public curl releases: 169
Command line options: 211
curl_easy_setopt() options: 249
Public functions in libcurl: 74
Contributors: 1609
October: SSLKEYLOGFILE support, new MIME API
October: Daniel received the Polhem Prize for his work on curl
November: brotli
2018
----
January: new SSH backend powered by libssh
March: starting with the 1803 release of Windows 10, curl is shipped bundled
with Microsoft's operating system.
July: curl shows headers using bold type face
October: added DNS-over-HTTPS (DoH) and the URL API
MesaLink is a new supported TLS backend
libcurl now does HTTP/2 (and multiplexing) by default on HTTPS URLs
curl and libcurl are installed in an estimated 5 *billion* instances
world-wide.
October 31: curl and libcurl 7.62.0
Public curl releases: 177
Command line options: 219
curl_easy_setopt() options: 261
Public functions in libcurl: 80
Contributors: 1808
December: removed axTLS support
2019
----
March: added experimental alt-svc support
August: the first HTTP/3 requests with curl.
September: 7.66.0 is released and the tool offers parallel downloads
2020
----
curl and libcurl are installed in an estimated 10 *billion* instances
world-wide.
January: added BearSSL support
March: removed support for PolarSSL, added wolfSSH support
April: experimental MQTT support
August: zstd support
November: the website moves to curl.se. The website serves 10TB data monthly.
December: alt-svc support
2021
----
February 3: curl 7.75.0 ships with support for Hyper as an HTTP backend
March 31: curl 7.76.0 ships with support for Rustls
July: HSTS is supported
2022
----
March: added --json, removed mesalink support
Public curl releases: 206
Command line options: 245
curl_easy_setopt() options: 295
Public functions in libcurl: 86
Contributors: 2601
The curl.se website serves 16,500 GB/month over 462M requests, the
official docker image has been pulled 4,098,015,431 times.
October: initial WebSocket support
2023
----
March: remove support for curl_off_t < 8 bytes
March 31: we started working on a new command line tool for URL parsing and
manipulations: trurl.
May: added support for HTTP/2 over HTTPS proxy. Refuse to resolve .onion.
August: Dropped support for the NSS library
September: added "variable" support in the command line tool. Dropped support
for the gskit TLS library.
October: added support for IPFS via HTTP gateway
December: HTTP/3 support with ngtcp2 is no longer experimental
2024
----
January: switched to "curldown" for all documentation
April 24: the curl container has been pulled more than six billion times
May: experimental support for ECH, dropped NTLM_WB
August 9: we adopted the wcurl tool into the curl organization
September 11: --help [option]
November 6: TLS 1.3 early data, WebSocket is official
December 21: dropped hyper
2025
----
February 5: first 0RTT for QUIC, ssl session import/export
February: experimental HTTPS RR support
February 22: The website served 62.95 TB/month; 12.43 billion requests
The docker image has been pulled 6373501745 times.

48
curl/docs/HSTS.md
Unescape Просмотреть файл

@ -0,0 +1,48 @@
<!--
Copyright (C) Daniel Stenberg, <daniel@haxx.se>, et al.
SPDX-License-Identifier: curl
-->
# HSTS support
HTTP Strict-Transport-Security. Added as experimental in curl
7.74.0. Supported "for real" since 7.77.0.
## Standard
[HTTP Strict Transport Security](https://datatracker.ietf.org/doc/html/rfc6797)
## Behavior
libcurl features an in-memory cache for HSTS hosts, so that subsequent
HTTP-only requests to a hostname present in the cache gets internally
"redirected" to the HTTPS version.
## `curl_easy_setopt()` options:
- `CURLOPT_HSTS_CTRL` - enable HSTS for this easy handle
- `CURLOPT_HSTS` - specify filename where to store the HSTS cache on close
(and possibly read from at startup)
## curl command line options
- `--hsts [filename]` - enable HSTS, use the file as HSTS cache. If filename
is `""` (no length) then no file is used, only in-memory cache.
## HSTS cache file format
Lines starting with `#` are ignored.
For each hsts entry:
[host name] "YYYYMMDD HH:MM:SS"
The `[host name]` is dot-prefixed if it includes subdomains.
The time stamp is when the entry expires.
## Possible future additions
- `CURLOPT_HSTS_PRELOAD` - provide a set of HSTS hostnames to load first
- ability to save to something else than a file

171
curl/docs/HTTP-COOKIES.md
Unescape Просмотреть файл

@ -0,0 +1,171 @@
<!--
Copyright (C) Daniel Stenberg, <daniel@haxx.se>, et al.
SPDX-License-Identifier: curl
-->
# HTTP Cookies
## Cookie overview
Cookies are `name=contents` pairs that an HTTP server tells the client to
hold and then the client sends back those to the server on subsequent
requests to the same domains and paths for which the cookies were set.
Cookies are either "session cookies" which typically are forgotten when the
session is over which is often translated to equal when browser quits, or
the cookies are not session cookies they have expiration dates after which
the client throws them away.
Cookies are set to the client with the Set-Cookie: header and are sent to
servers with the Cookie: header.
For a long time, the only spec explaining how to use cookies was the
original [Netscape spec from 1994](https://curl.se/rfc/cookie_spec.html).
In 2011, [RFC 6265](https://www.ietf.org/rfc/rfc6265.txt) was finally
published and details how cookies work within HTTP. In 2016, an update which
added support for prefixes was
[proposed](https://datatracker.ietf.org/doc/html/draft-ietf-httpbis-cookie-prefixes-00),
and in 2017, another update was
[drafted](https://datatracker.ietf.org/doc/html/draft-ietf-httpbis-cookie-alone-01)
to deprecate modification of 'secure' cookies from non-secure origins. Both
of these drafts have been incorporated into a proposal to
[replace](https://datatracker.ietf.org/doc/html/draft-ietf-httpbis-rfc6265bis-11)
RFC 6265. Cookie prefixes and secure cookie modification protection has been
implemented by curl.
curl considers `http://localhost` to be a *secure context*, meaning that it
allows and uses cookies marked with the `secure` keyword even when done over
plain HTTP for this host. curl does this to match how popular browsers work
with secure cookies.
## Super cookies
A single cookie can be set for a domain that matches multiple hosts. Like if
set for `example.com` it gets sent to both `aa.example.com` as well as
`bb.example.com`.
A challenge with this concept is that there are certain domains for which
cookies should not be allowed at all, because they are *Public
Suffixes*. Similarly, a client never accepts cookies set directly for the
top-level domain like for example `.com`. Cookies set for *too broad*
domains are generally referred to as *super cookies*.
If curl is built with PSL (**Public Suffix List**) support, it detects and
discards cookies that are specified for such suffix domains that should not
be allowed to have cookies.
if curl is *not* built with PSL support, it has no ability to stop super
cookies.
## Cookies saved to disk
Netscape once created a file format for storing cookies on disk so that they
would survive browser restarts. curl adopted that file format to allow
sharing the cookies with browsers, only to see browsers move away from that
format. Modern browsers no longer use it, while curl still does.
The Netscape cookie file format stores one cookie per physical line in the
file with a bunch of associated meta data, each field separated with
TAB. That file is called the cookie jar in curl terminology.
When libcurl saves a cookie jar, it creates a file header of its own in
which there is a URL mention that links to the web version of this document.
## Cookie file format
The cookie file format is text based and stores one cookie per line. Lines
that start with `#` are treated as comments. An exception is lines that
start with `#HttpOnly_`, which is a prefix for cookies that have the
`HttpOnly` attribute set.
Each line that specifies a single cookie consists of seven text fields
separated with TAB characters. A valid line must end with a newline
character.
### Fields in the file
Field number, what type and example data and the meaning of it:
0. string `example.com` - the domain name
1. boolean `FALSE` - include subdomains
2. string `/foobar/` - path
3. boolean `TRUE` - send/receive over HTTPS only
4. number `1462299217` - expires at - seconds since Jan 1st 1970, or 0
5. string `person` - name of the cookie
6. string `daniel` - value of the cookie
## Cookies with curl the command line tool
curl has a full cookie "engine" built in. If you just activate it, you can
have curl receive and send cookies exactly as mandated in the specs.
Command line options:
[`-b, --cookie`](https://curl.se/docs/manpage.html#-b)
tell curl a file to read cookies from and start the cookie engine, or if it
is not a file it passes on the given string. `-b name=var` works and so does
`-b cookiefile`.
[`-j, --junk-session-cookies`](https://curl.se/docs/manpage.html#-j)
when used in combination with -b, it skips all "session cookies" on load so
as to appear to start a new cookie session.
[`-c, --cookie-jar`](https://curl.se/docs/manpage.html#-c)
tell curl to start the cookie engine and write cookies to the given file
after the request(s)
## Cookies with libcurl
libcurl offers several ways to enable and interface the cookie engine. These
options are the ones provided by the native API. libcurl bindings may offer
access to them using other means.
[`CURLOPT_COOKIE`](https://curl.se/libcurl/c/CURLOPT_COOKIE.html)
Is used when you want to specify the exact contents of a cookie header to
send to the server.
[`CURLOPT_COOKIEFILE`](https://curl.se/libcurl/c/CURLOPT_COOKIEFILE.html)
Tell libcurl to activate the cookie engine, and to read the initial set of
cookies from the given file. Read-only.
[`CURLOPT_COOKIEJAR`](https://curl.se/libcurl/c/CURLOPT_COOKIEJAR.html)
Tell libcurl to activate the cookie engine, and when the easy handle is
closed save all known cookies to the given cookie jar file. Write-only.
[`CURLOPT_COOKIELIST`](https://curl.se/libcurl/c/CURLOPT_COOKIELIST.html)
Provide detailed information about a single cookie to add to the internal
storage of cookies. Pass in the cookie as an HTTP header with all the
details set, or pass in a line from a Netscape cookie file. This option can
also be used to flush the cookies etc.
[`CURLOPT_COOKIESESSION`](https://curl.se/libcurl/c/CURLOPT_COOKIESESSION.html)
Tell libcurl to ignore all cookies it is about to load that are session
cookies.
[`CURLINFO_COOKIELIST`](https://curl.se/libcurl/c/CURLINFO_COOKIELIST.html)
Extract cookie information from the internal cookie storage as a linked
list.
## Cookies with JavaScript
These days a lot of the web is built up by JavaScript. The web browser loads
complete programs that render the page you see. These JavaScript programs
can also set and access cookies.
Since curl and libcurl are plain HTTP clients without any knowledge of or
capability to handle JavaScript, such cookies are not detected or used.
Often, if you want to mimic what a browser does on such websites, you can
record web browser HTTP traffic when using such a site and then repeat the
cookie operations using curl or libcurl.

439
curl/docs/HTTP3.md
Unescape Просмотреть файл

@ -0,0 +1,439 @@
<!--
Copyright (C) Daniel Stenberg, <daniel@haxx.se>, et al.
SPDX-License-Identifier: curl
-->
# HTTP3 (and QUIC)
## Resources
[HTTP/3 Explained](https://http3-explained.haxx.se/en/) - the online free
book describing the protocols involved.
[quicwg.org](https://quicwg.org/) - home of the official protocol drafts
## QUIC libraries
QUIC libraries we are using:
[ngtcp2](https://github.com/ngtcp2/ngtcp2)
[quiche](https://github.com/cloudflare/quiche) - **EXPERIMENTAL**
[OpenSSL 3.2+ QUIC](https://github.com/openssl/openssl) - **EXPERIMENTAL**
[msh3](https://github.com/nibanks/msh3) (with [msquic](https://github.com/microsoft/msquic)) - **EXPERIMENTAL**
## Experimental
HTTP/3 support in curl is considered **EXPERIMENTAL** until further notice
when built to use *quiche* or *msh3*. Only the *ngtcp2* backend is not
experimental.
Further development and tweaking of the HTTP/3 support in curl happens in the
master branch using pull-requests, just like ordinary changes.
To fix before we remove the experimental label:
- the used QUIC library needs to consider itself non-beta
- it is fine to "leave" individual backends as experimental if necessary
# ngtcp2 version
Building curl with ngtcp2 involves 3 components: `ngtcp2` itself, `nghttp3` and a QUIC supporting TLS library. The supported TLS libraries are covered below.
While any version of `ngtcp2` and `nghttp3` from v1.0.0 on are expected to
work, using the latest versions often brings functional and performance
improvements.
The build examples use `$NGHTTP3_VERION` and `$NGTCP2_VERION` as placeholders
for the version you build.
## Build with quictls
OpenSSL does not offer the required APIs for building a QUIC client. You need
to use a TLS library that has such APIs and that works with *ngtcp2*.
Build quictls (any `+quic` tagged version works):
% git clone --depth 1 -b openssl-3.1.4+quic https://github.com/quictls/openssl
% cd openssl
% ./config enable-tls1_3 --prefix=<somewhere1>
% make
% make install
Build nghttp3:
% cd ..
% git clone -b $NGHTTP3_VERION https://github.com/ngtcp2/nghttp3
% cd nghttp3
% git submodule update --init
% autoreconf -fi
% ./configure --prefix=<somewhere2> --enable-lib-only
% make
% make install
Build ngtcp2:
% cd ..
% git clone -b $NGTCP2_VERION https://github.com/ngtcp2/ngtcp2
% cd ngtcp2
% autoreconf -fi
% ./configure PKG_CONFIG_PATH=<somewhere1>/lib/pkgconfig:<somewhere2>/lib/pkgconfig LDFLAGS="-Wl,-rpath,<somewhere1>/lib" --prefix=<somewhere3> --enable-lib-only
% make
% make install
Build curl:
% cd ..
% git clone https://github.com/curl/curl
% cd curl
% autoreconf -fi
% LDFLAGS="-Wl,-rpath,<somewhere1>/lib" ./configure --with-openssl=<somewhere1> --with-nghttp3=<somewhere2> --with-ngtcp2=<somewhere3>
% make
% make install
For OpenSSL 3.0.0 or later builds on Linux for x86_64 architecture, substitute all occurrences of "/lib" with "/lib64"
## Build with GnuTLS
Build GnuTLS:
% git clone --depth 1 https://gitlab.com/gnutls/gnutls.git
% cd gnutls
% ./bootstrap
% ./configure --prefix=<somewhere1>
% make
% make install
Build nghttp3:
% cd ..
% git clone -b $NGHTTP3_VERION https://github.com/ngtcp2/nghttp3
% cd nghttp3
% git submodule update --init
% autoreconf -fi
% ./configure --prefix=<somewhere2> --enable-lib-only
% make
% make install
Build ngtcp2:
% cd ..
% git clone -b $NGTCP2_VERION https://github.com/ngtcp2/ngtcp2
% cd ngtcp2
% autoreconf -fi
% ./configure PKG_CONFIG_PATH=<somewhere1>/lib/pkgconfig:<somewhere2>/lib/pkgconfig LDFLAGS="-Wl,-rpath,<somewhere1>/lib" --prefix=<somewhere3> --enable-lib-only --with-gnutls
% make
% make install
Build curl:
% cd ..
% git clone https://github.com/curl/curl
% cd curl
% autoreconf -fi
% ./configure --with-gnutls=<somewhere1> --with-nghttp3=<somewhere2> --with-ngtcp2=<somewhere3>
% make
% make install
## Build with wolfSSL
Build wolfSSL:
% git clone https://github.com/wolfSSL/wolfssl.git
% cd wolfssl
% autoreconf -fi
% ./configure --prefix=<somewhere1> --enable-quic --enable-session-ticket --enable-earlydata --enable-psk --enable-harden --enable-altcertchains
% make
% make install
Build nghttp3:
% cd ..
% git clone -b $NGHTTP3_VERION https://github.com/ngtcp2/nghttp3
% cd nghttp3
% git submodule update --init
% autoreconf -fi
% ./configure --prefix=<somewhere2> --enable-lib-only
% make
% make install
Build ngtcp2:
% cd ..
% git clone -b $NGTCP2_VERION https://github.com/ngtcp2/ngtcp2
% cd ngtcp2
% autoreconf -fi
% ./configure PKG_CONFIG_PATH=<somewhere1>/lib/pkgconfig:<somewhere2>/lib/pkgconfig LDFLAGS="-Wl,-rpath,<somewhere1>/lib" --prefix=<somewhere3> --enable-lib-only --with-wolfssl
% make
% make install
Build curl:
% cd ..
% git clone https://github.com/curl/curl
% cd curl
% autoreconf -fi
% ./configure --with-wolfssl=<somewhere1> --with-nghttp3=<somewhere2> --with-ngtcp2=<somewhere3>
% make
% make install
# quiche version
quiche support is **EXPERIMENTAL**
Since the quiche build manages its dependencies, curl can be built against the latest version. You are *probably* able to build against their main branch, but in case of problems, we recommend their latest release tag.
## Build
Build quiche and BoringSSL:
% git clone --recursive -b 0.22.0 https://github.com/cloudflare/quiche
% cd quiche
% cargo build --package quiche --release --features ffi,pkg-config-meta,qlog
% ln -s libquiche.so target/release/libquiche.so.0
% mkdir quiche/deps/boringssl/src/lib
% ln -vnf $(find target/release -name libcrypto.a -o -name libssl.a) quiche/deps/boringssl/src/lib/
Build curl:
% cd ..
% git clone https://github.com/curl/curl
% cd curl
% autoreconf -fi
% ./configure LDFLAGS="-Wl,-rpath,$PWD/../quiche/target/release" --with-openssl=$PWD/../quiche/quiche/deps/boringssl/src --with-quiche=$PWD/../quiche/target/release
% make
% make install
If `make install` results in `Permission denied` error, you need to prepend
it with `sudo`.
# OpenSSL version
QUIC support is **EXPERIMENTAL**
Use OpenSSL 3.3.1 or newer (QUIC support was added in 3.3.0, with
shortcomings on some platforms like macOS). 3.4.1 or newer is recommended.
Build via:
% cd ..
% git clone -b $OPENSSL_VERSION https://github.com/openssl/openssl
% cd openssl
% ./config enable-tls1_3 --prefix=<somewhere> --libdir=lib
% make
% make install
Build nghttp3:
% cd ..
% git clone -b $NGHTTP3_VERION https://github.com/ngtcp2/nghttp3
% cd nghttp3
% git submodule update --init
% autoreconf -fi
% ./configure --prefix=<somewhere2> --enable-lib-only
% make
% make install
Build curl:
% cd ..
% git clone https://github.com/curl/curl
% cd curl
% autoreconf -fi
% LDFLAGS="-Wl,-rpath,<somewhere>/lib" ./configure --with-openssl=<somewhere> --with-openssl-quic --with-nghttp3=<somewhere2>
% make
% make install
You can build curl with cmake:
% cd ..
% git clone https://github.com/curl/curl
% cd curl
% cmake -B bld -DCURL_USE_OPENSSL=ON -DUSE_OPENSSL_QUIC=ON
% cmake --build bld
% cmake --install bld
If `make install` results in `Permission denied` error, you need to prepend
it with `sudo`.
# msh3 (msquic) version
**Note**: The msquic HTTP/3 backend is immature and is not properly functional
one as of September 2023. Feel free to help us test it and improve it, but
there is no point in filing bugs about it just yet.
msh3 support is **EXPERIMENTAL**
## Build Linux (with quictls fork of OpenSSL)
Build msh3:
% git clone -b v0.6.0 --depth 1 --recursive https://github.com/nibanks/msh3
% cd msh3 && mkdir build && cd build
% cmake -G 'Unix Makefiles' -DCMAKE_BUILD_TYPE=RelWithDebInfo ..
% cmake --build .
% cmake --install .
Build curl:
% git clone https://github.com/curl/curl
% cd curl
% autoreconf -fi
% ./configure LDFLAGS="-Wl,-rpath,/usr/local/lib" --with-msh3=/usr/local --with-openssl
% make
% make install
Run from `/usr/local/bin/curl`.
## Build Windows
Build msh3:
% git clone -b v0.6.0 --depth 1 --recursive https://github.com/nibanks/msh3
% cd msh3 && mkdir build && cd build
% cmake -G 'Visual Studio 17 2022' -DCMAKE_BUILD_TYPE=RelWithDebInfo ..
% cmake --build . --config Release
% cmake --install . --config Release
**Note** - On Windows, Schannel is used for TLS support by default. If you
with to use (the quictls fork of) OpenSSL, specify the `-DQUIC_TLS=openssl`
option to the generate command above. Also note that OpenSSL brings with it an
additional set of build dependencies not specified here.
Build curl (in [Visual Studio Command
prompt](../winbuild/README.md#open-a-command-prompt)):
% git clone https://github.com/curl/curl
% cd curl/winbuild
% nmake /f Makefile.vc mode=dll WITH_MSH3=dll MSH3_PATH="C:/Program Files/msh3" MACHINE=x64
Run in the `C:/Program Files/msh3/lib` directory, copy `curl.exe` to that
directory, or copy `msquic.dll` and `msh3.dll` from that directory to the
`curl.exe` directory. For example:
% C:\Program Files\msh3\lib> F:\curl\builds\libcurl-vc-x64-release-dll-ipv6-sspi-schannel-msh3\bin\curl.exe --http3 https://curl.se/
# `--http3`
Use only HTTP/3:
% curl --http3-only https://example.org:4433/
Use HTTP/3 with fallback to HTTP/2 or HTTP/1.1 (see "HTTPS eyeballing" below):
% curl --http3 https://example.org:4433/
Upgrade via Alt-Svc:
% curl --alt-svc altsvc.cache https://curl.se/
See this [list of public HTTP/3 servers](https://bagder.github.io/HTTP3-test/)
### HTTPS eyeballing
With option `--http3` curl attempts earlier HTTP versions as well should the
connect attempt via HTTP/3 not succeed "fast enough". This strategy is similar
to IPv4/6 happy eyeballing where the alternate address family is used in
parallel after a short delay.
The IPv4/6 eyeballing has a default of 200ms and you may override that via
`--happy-eyeballs-timeout-ms value`. Since HTTP/3 is still relatively new, we
decided to use this timeout also for the HTTP eyeballing - with a slight
twist.
The `happy-eyeballs-timeout-ms` value is the **hard** timeout, meaning after
that time expired, a TLS connection is opened in addition to negotiate HTTP/2
or HTTP/1.1. At half of that value - currently - is the **soft** timeout. The
soft timeout fires, when there has been **no data at all** seen from the
server on the HTTP/3 connection.
So, without you specifying anything, the hard timeout is 200ms and the soft is 100ms:
* Ideally, the whole QUIC handshake happens and curl has an HTTP/3 connection
in less than 100ms.
* When QUIC is not supported (or UDP does not work for this network path), no
reply is seen and the HTTP/2 TLS+TCP connection starts 100ms later.
* In the worst case, UDP replies start before 100ms, but drag on. This starts
the TLS+TCP connection after 200ms.
* When the QUIC handshake fails, the TLS+TCP connection is attempted right
away. For example, when the QUIC server presents the wrong certificate.
The whole transfer only fails, when **both** QUIC and TLS+TCP fail to
handshake or time out.
Note that all this happens in addition to IP version happy eyeballing. If the
name resolution for the server gives more than one IP address, curl tries all
those until one succeeds - just as with all other protocols. If those IP
addresses contain both IPv6 and IPv4, those attempts happen, delayed, in
parallel (the actual eyeballing).
## Known Bugs
Check out the [list of known HTTP3 bugs](https://curl.se/docs/knownbugs.html#HTTP3).
# HTTP/3 Test server
This is not advice on how to run anything in production. This is for
development and experimenting.
## Prerequisite(s)
An existing local HTTP/1.1 server that hosts files. Preferably also a few huge
ones. You can easily create huge local files like `truncate -s=8G 8GB` - they
are huge but do not occupy that much space on disk since they are just big
holes.
In a Debian setup you can install apache2. It runs on port 80 and has a
document root in `/var/www/html`. Download the 8GB file from apache with `curl
localhost/8GB -o dev/null`
In this description we setup and run an HTTP/3 reverse-proxy in front of the
HTTP/1 server.
## Setup
You can select either or both of these server solutions.
### nghttpx
Get, build and install quictls, nghttp3 and ngtcp2 as described
above.
Get, build and install nghttp2:
% git clone https://github.com/nghttp2/nghttp2.git
% cd nghttp2
% autoreconf -fi
% PKG_CONFIG_PATH=$PKG_CONFIG_PATH:/home/daniel/build-quictls/lib/pkgconfig:/home/daniel/build-nghttp3/lib/pkgconfig:/home/daniel/build-ngtcp2/lib/pkgconfig LDFLAGS=-L/home/daniel/build-quictls/lib CFLAGS=-I/home/daniel/build-quictls/include ./configure --enable-maintainer-mode --prefix=/home/daniel/build-nghttp2 --disable-shared --enable-app --enable-http3 --without-jemalloc --without-libxml2 --without-systemd
% make && make install
Run the local h3 server on port 9443, make it proxy all traffic through to
HTTP/1 on localhost port 80. For local toying, we can just use the test cert
that exists in curl's test dir.
% CERT=/path/to/stunnel.pem
% $HOME/bin/nghttpx $CERT $CERT --backend=localhost,80 \
--frontend="localhost,9443;quic"
### Caddy
[Install Caddy](https://caddyserver.com/docs/install). For easiest use, the binary
should be either in your PATH or your current directory.
Create a `Caddyfile` with the following content:
~~~
localhost:7443 {
respond "Hello, world! you are using {http.request.proto}"
}
~~~
Then run Caddy:
% ./caddy start
Making requests to `https://localhost:7443` should tell you which protocol is being used.
You can change the hard-coded response to something more useful by replacing `respond`
with `reverse_proxy` or `file_server`, for example: `reverse_proxy localhost:80`

100
curl/docs/HTTPSRR.md
Unescape Просмотреть файл

@ -0,0 +1,100 @@
<!--
Copyright (C) Daniel Stenberg, <daniel@haxx.se>, et al.
SPDX-License-Identifier: curl
-->
# HTTPS RR
[RFC 9460](https://www.rfc-editor.org/rfc/rfc9460.html) documents the HTTPS
DNS Resource Record.
curl features **experimental** support for HTTPS RR.
- The ALPN list from the retrieved HTTPS record is parsed
- The ECH field is stored (when DoH is used)
- The port number from the HTTPS RR is not used
- The target name is not used
- The IP addresses from the HTTPS RR are not used
- It only supports a single HTTPS RR per hostname
- consider cases without A/AAAA records but *with* HTTPS RR
- consider service profiles where the RR provides different addresses for TCP
vs QUIC etc
`HTTPSRR` is listed as a feature in the `curl -V` output if curl contains
HTTPS RR support. If c-ares is not included in the build, the HTTPS RR support
is limited to DoH.
`asyn-rr` is listed as a feature in the `curl -V` output if c-ares is used for
additional resolves in addition to a "normal" resolve done with the threaded
resolver.
The data extracted from the HTTPS RR is stored in the in-memory DNS cache to
be reused on subsequent uses of the same hostnames.
## limitations
We have decided to work on the HTTPS RR support by following what seems to be
(widely) used, and simply wait with implementing the details of the record
that do not seem to be deployed. HTTPS RR is a DNS field with many odd corners
and complexities and we might as well avoid them if no one seems to want them.
## build
./configure --enable-httpsrr
or
cmake -DUSE_HTTPSRR=ON
## ALPN
The list of ALPN IDs is parsed but may not be completely respected because of
what the HTTP version preference is set to, which is a problem we are working
on. Also, getting an `HTTP/1.1` ALPN in the HTTPS RR field for an HTTP://
transfer should imply switching to HTTPS, HSTS style. Which curl currently
does not.
## DoH
When HTTPS RR is enabled in the curl build, The DoH code asks for an HTTPS
record in addition to the A and AAAA records, and if an HTTPS RR answer is
returned, curl parses it and stores the retrieved information.
## Non-DoH
If DoH is not used for name resolving in an HTTPS RR enabled build, we must
provide the ability using the regular resolver backends. We use the c-ares DNS
library for the HTTPS RR lookup. Version 1.28.0 or later.
### c-ares
If curl is built to use the c-ares library for name resolves, an HTTPS RR
enabled build makes a request for the HTTPS RR in addition to the regular
lookup.
### Threaded resolver
When built to use the threaded resolver, which is the default, an HTTPS RR
build still needs a c-ares installation provided so that a separate request
for the HTTPS record can be done in parallel to the regular getaddrinfo()
call.
This is done by specifying both c-ares and threaded resolver to configure:
./configure --enable-ares=... --enable-threaded-resolver
or to cmake:
cmake -DENABLE_ARES=ON -DENABLE_THREADED_RESOLVER=ON
Because the HTTPS record is handled separately from the A/AAAA record
retrieval, by a separate library, there is a small risk for discrepancies.
When building curl using the threaded resolver with HTTPS RR support (using
c-ares), the `curl -V` output looks exactly like a c-ares resolver build.
## HTTPS RR Options
Because curl is a low level transfer tool for which users sometimes want
detailed control, we need to offer options to control HTTPS RR use.

209
curl/docs/INFRASTRUCTURE.md
Unescape Просмотреть файл

@ -0,0 +1,209 @@
<!--
Copyright (C) Daniel Stenberg, <daniel@haxx.se>, et al.
SPDX-License-Identifier: curl
-->
# Infrastructure in the curl project
Overview of infrastructure we maintain, host and run in the project for the
project.
## git repository
Since 2010, the main curl git repository has been hosted by GitHub, available
at https://github.com/curl/curl.
We also use the issue tracker, pull requests and discussions on GitHub.
curl has an "enterprise account" on GitHub and is an "organization" on the
site.
We accept sponsorship via GitHub Sponsors.
## CI services
For every pull request and git push to the master repository, a number of
build and testing jobs are run on a set of different CI services. The exact
services vary over time. GitHub Actions and AppVeyor are the primary ones
these days.
## Test Clutch
A [Test Clutch](https://github.com/dfandrich/testclutch) instance generates
regular reports on curl CI test results at https://testclutch.curl.se/ as well
as writing comments on curl pull requests whose tests have failed. The jobs
are hosted on a Virtuozzo Application Platform PaaS instance and is managed by
Dan Fandrich. The configuration code is is available and managed at
https://github.com/dfandrich/testclutch-curl-web
## Autobuilds
The curl autobuild system is a set of scripts that build and test curl and
send all output logs back to the autobuild server. The results are
continuously collected and visualized on the curl website at
<https://curl.se/dev/builds.html>.
The autobuild system and server is maintained by Daniel Stenberg.
## OSS-Fuzz
Google runs the [OSS-Fuzz](https://google.github.io/oss-fuzz/) project which
also runs fuzzing on curl code, non-stop, in their infrastructure and they
send us emails in the rare instances they actually find something.
OSS-Fuzz notifies those that are members in the "curl team". Any curl
maintainer who wants to is welcome to participate. It requires a Google
account.
## Coverity
We regularly run our code through the [Coverity static code
analyzer](https://scan.coverity.com/) thanks to them offering this service to
us for free.
## CodeSonar
[CodeSonar](https://codesecure.com/our-products/codesonar/) analyzes the curl
source code daily and emails Daniel Stenberg whenever it finds suspected
problems in the source code. I hope and expect that we can invite other
maintainers to access these reports soon.
## Domain names
The project runs services and website using a few different curl related
domain names, including `curl.se` and `curl.dev`. Daniel Stenberg owns these
domain names.
Until a few years ago, the curl website was present at `curl.haxx.se`. The
`haxx.se` domain is owned by Haxx AB, administrated by Daniel Stenberg. The
curl.haxx.se name is meant to keep working and be redirecting to curl.se for
the foreseeable future.
## Websites
The main curl website at `curl.se` is maintained by curl maintainers and the
content is available and managed at https://github.com/curl/curl-www. The site
updates from git and runs make every 20 minutes. Any change pushed to git can
thus take up to 20 minutes until it takes effect on the origin server.
The content on `curl.dev` is available and managed at
https://github.com/curl/curl.dev/
The content on `everything-curl.dev` is available and managed at
https://github.com/curl/everything-curl/
The machine hosting the website contents for these three sites is owned by
Haxx AB and is primarily managed by Daniel Stenberg (co-owner of the Haxx
company). The machine is physically located in Sweden.
curl release tarballs are hosted on https://curl.se/download.html. They are
uploaded there at release-time by the release manager.
curl-for-win downloads are hosted on https://curl.se/windows and are uploaded
to the server by Viktor Szakats.
curl-for-QNX downloads are hosted on <https://curl.se/qnx> and are uploaded to
the server by Daniel Stenberg.
Daily release tarball-like snapshots are generated automatically and are
provided for download at <https://curl.se/snapshots/>.
CA certificate bundles are extracted from the Firefox source code, hosted by
Mozilla and converted to PEM file format and is offered for download. The
conversion checks for updates daily. The bundle is provided for download at
<https://curl.se/docs/caextract.html>.
There is an automated "download check bot" that runs twice daily to scan for
available curl downloads to populate the curl download page appropriately with
the correct updated information. The bot uses URLs and patterns for all
download packages and is maintained in a database, maintained by Daniel
Stenberg and Dan Fandrich.
The TLS certificate for the origin curl web server is automatically updated
from Let's Encrypt.
## CDN
Fastly runs the Content Delivery Network (CDN) that fronts all the curl
websites. The CDN caches content that it gets from the origin server.
Recently, roughly 99.99% of web requests are satisfied by the CDN without
having to reach the origin.
The CDN caches different content at different lengths depending on the
content-type. The caching thus adds to the time for a change to have an effect
on the site from the moment it gets pushed to the git repository.
Using this setup, we provide four IPv4 addresses and eight IPv6 addresses for
anycast access to the site. Should be snappy from virtually everywhere across
the globe.
The CDN servers support HTTP/1, HTTP/2 and HTTP/3. They set HSTS for a year.
The `HTTP://` version of the site redirects to `HTTPS://`.
Fastly manages the TLS certificates from Let's Encrypt for the servers they
run on the behalf of curl.
## Containers
The curl project offer container builds of curl. The source repository for
them is located at <https://github.com/curl/curl-container>.
Container images are hosted at <https://quay.io/repository/curl/curl> and
<https://hub.docker.com/r/curlimages/curl>
## DNS
The primary domain name, `curl.se` is managed by Kirei and is offered over
fault-tolerant anycast servers. High availability and fast access for
everyone.
The actual physical DNS files and origin bind instance is managed by Daniel
Stenberg.
## Mailing lists
The curl related mailing lists are hosted by Haxx AB on `lists.haxx.se` and
are maintained by Daniel Stenberg. This includes the mailman2 and Postfix
instances used for this.
## Email
We use a few rare additional curl related email aliases in the curl domains.
They go through the mail server `mail.haxx.se` maintained by Daniel Stenberg
## Bug-bounty
We run a [bug-bounty](https://curl.se/docs/bugbounty.html) on HackerOne. The
setup runs entirely at https://hackerone.com/curl.
The money part for the bug bounty is sponsored by the [Internet Bug
Bounty](https://hackerone.com/ibb).
## Open Collective
We use [Open Collective](https://opencollective.com/curl) as our "fiscal
host". All money sent to and received by the curl project is managed by Open
Collective.
## Merchandise
We have stickers, coffee mugs and coasters. They are managed by Daniel who
sits on the inventory. The best way to get your hands on curl merchandise is
to attend events where Daniel is physically.
## Chat
Some curl developers, maintainers, users and enthusiasts use IRC for real-time
chat about curl and related topics. This done in the `#curl` channel on the
`libra.chat` IRC network. **Daniel Stenberg** (`bagder`) is registered owner
of the channel. We do not run any IRC servers or services ourselves.
`curelbot` is a service in the channel that shows details about GitHub issues
and pull requests when publicly mentioned using #[number]. The bot is run by
user `TheAssassin`.
There is a Matrix bridge to the IRC channel called `matrix.curl.se`. The
bridge is setup and run by **Sergio Durigan Junior** and **Daniel Stenberg**.
[curl online chat documentation](https://curl.se/docs/irc.html)

567
curl/docs/INSTALL-CMAKE.md
Unescape Просмотреть файл

@ -0,0 +1,567 @@
<!--
Copyright (C) Daniel Stenberg, <daniel@haxx.se>, et al.
SPDX-License-Identifier: curl
-->
# Building with CMake
This document describes how to configure, build and install curl and libcurl
from source code using the CMake build tool. To build with CMake, you of
course first have to install CMake. The minimum required version of CMake is
specified in the file `CMakeLists.txt` found in the top of the curl source
tree. Once the correct version of CMake is installed you can follow the
instructions below for the platform you are building on.
CMake builds can be configured either from the command line, or from one of
CMake's GUIs.
# Configuring
A CMake configuration of curl is similar to the autotools build of curl.
It consists of the following steps after you have unpacked the source.
We recommend building with CMake on Windows. For instructions on migrating
from the `projects/Windows` Visual Studio solution files, see
[this section](#migrating-from-visual-studio-ide-project-files). For
instructions on migrating from the winbuild builds, see
[the following section](#migrating-from-winbuild-builds).
## Using `cmake`
You can configure for in source tree builds or for a build tree
that is apart from the source tree.
- Build in the source tree.
$ cmake -B .
- Build in a separate directory (parallel to the curl source tree in this
example). The build directory is created for you. This is recommended over
building in the source tree to separate source and build artifacts.
$ cmake -B ../curl-build
For the full list of CMake build configuration variables see
[the corresponding section](#cmake-build-options).
### Fallback for CMake before version 3.13
CMake before version 3.13 does not support the `-B` option. In that case,
you must create the build directory yourself, `cd` to it and run `cmake`
from there:
$ mkdir ../curl-build
$ cd ../curl-build
$ cmake ../curl
If you want to build in the source tree, it is enough to do this:
$ cmake .
### Build system generator selection
You can override CMake's default by using `-G <generator-name>`. For example
on Windows with multiple build systems if you have MinGW-w64 then you could use
`-G "MinGW Makefiles"`.
[List of generator names](https://cmake.org/cmake/help/latest/manual/cmake-generators.7.html).
## Using `ccmake`
CMake comes with a curses based interface called `ccmake`. To run `ccmake`
on a curl use the instructions for the command line cmake, but substitute
`ccmake` for `cmake`.
This brings up a curses interface with instructions on the bottom of the
screen. You can press the "c" key to configure the project, and the "g" key to
generate the project. After the project is generated, you can run make.
## Using `cmake-gui`
CMake also comes with a Qt based GUI called `cmake-gui`. To configure with
`cmake-gui`, you run `cmake-gui` and follow these steps:
1. Fill in the "Where is the source code" combo box with the path to
the curl source tree.
2. Fill in the "Where to build the binaries" combo box with the path to
the directory for your build tree, ideally this should not be the same
as the source tree, but a parallel directory called curl-build or
something similar.
3. Once the source and binary directories are specified, press the
"Configure" button.
4. Select the native build tool that you want to use.
5. At this point you can change any of the options presented in the GUI.
Once you have selected all the options you want, click the "Generate"
button.
# Building
Build (you have to specify the build directory).
$ cmake --build ../curl-build
## Static builds
The CMake build setup is primarily done to work with shared/dynamic third
party dependencies. When linking with shared libraries, the dependency "chain"
is handled automatically by the library loader - on all modern systems.
If you instead link with a static library, you need to provide all the
dependency libraries already at the link command line.
Figuring out all the dependency libraries for a given library is hard, as it
might involve figuring out the dependencies of the dependencies and they vary
between platforms and can change between versions.
When using static dependencies, the build scripts mostly assume that you, the
user, provide all the necessary additional dependency libraries as additional
arguments in the build.
Building statically is not for the faint of heart.
### Fallback for CMake before version 3.13
CMake before version 3.13 does not support the `--build` option. In that
case, you have to `cd` to the build directory and use the building tool that
corresponds to the build files that CMake generated for you. This example
assumes that CMake generates `Makefile`:
$ cd ../curl-build
$ make
# Testing
(The test suite does not yet work with the cmake build)
# Installing
Install to default location (you have to specify the build directory).
$ cmake --install ../curl-build
Do not use `--prefix` to change the installation prefix as the output produced
by the `curl-config` script is determined at CMake configure time. If you want
to set a custom install prefix for curl, set
[`CMAKE_INSTALL_PREFIX`](https://cmake.org/cmake/help/latest/variable/CMAKE_INSTALL_PREFIX.html)
when configuring the CMake build.
### Fallback for CMake before version 3.15
CMake before version 3.15 does not support the `--install` option. In that
case, you have to `cd` to the build directory and use the building tool that
corresponds to the build files that CMake generated for you. This example
assumes that CMake generates `Makefile`:
$ cd ../curl-build
$ make install
# CMake usage
Just as curl can be built and installed using CMake, it can also be used from
CMake.
## Using `find_package`
To locate libcurl from CMake, one can use the standard
[`find_package`](https://cmake.org/cmake/help/latest/command/find_package.html)
command in the typical fashion:
```cmake
find_package(CURL 8.12.0 REQUIRED) # FATAL_ERROR if CURL is not found
```
This invokes the CMake-provided
[FindCURL](https://cmake.org/cmake/help/latest/module/FindCURL.html) find module,
which first performs a search using the `find_package`
[config mode](https://cmake.org/cmake/help/latest/command/find_package.html#config-mode-search-procedure).
This is supported by the `CURLConfig.cmake` CMake config script which is
available if the given CURL was built and installed using CMake.
### Detecting CURL features/protocols
Since version 8.12.0, `CURLConfig.cmake` publishes the supported CURL features
and protocols (see [release notes](https://curl.se/ch/8.12.0.html)). These can
be specified using the `find_package` keywords `COMPONENTS` and
`OPTIONAL_COMPONENTS`, with protocols in all caps, e.g. `HTTPS`, `LDAP`, while
features should be in their original sentence case, e.g. `AsynchDNS`,
`UnixSockets`. If any of the `COMPONENTS` are missing, then CURL is considered
as *not* found.
Here is an example of using `COMPONENTS` and `OPTIONAL_COMPONENTS` in
`find_package` with CURL:
```cmake
# CURL_FOUND is FALSE if no HTTPS but brotli and zstd can be missing
find_package(CURL 8.12.0 COMPONENTS HTTPS OPTIONAL_COMPONENTS brotli zstd)
```
One can also check the defined `CURL_SUPPORTS_<feature-or-protocol>` variables
if a particular feature/protocol is supported. For example:
```cmake
# check HTTPS
if(CURL_SUPPORTS_HTTPS)
message(STATUS "CURL supports HTTPS")
else()
message(STATUS "CURL does NOT support HTTPS")
endif()
```
### Linking against libcurl
To link a CMake target against libcurl one can use
[`target_link_libraries`](https://cmake.org/cmake/help/latest/command/target_link_libraries.html)
as usual:
```cmake
target_link_libraries(my_target PRIVATE CURL::libcurl)
```
# CMake build options
- `BUILD_CURL_EXE`: Build curl executable. Default: `ON`
- `BUILD_EXAMPLES`: Build libcurl examples. Default: `ON`
- `BUILD_LIBCURL_DOCS`: Build libcurl man pages. Default: `ON`
- `BUILD_MISC_DOCS`: Build misc man pages (e.g. `curl-config` and `mk-ca-bundle`). Default: `ON`
- `BUILD_SHARED_LIBS`: Build shared libraries. Default: `ON`
- `BUILD_STATIC_CURL`: Build curl executable with static libcurl. Default: `OFF`
- `BUILD_STATIC_LIBS`: Build static libraries. Default: `OFF`
- `BUILD_TESTING`: Build tests. Default: `ON`
- `CURL_CLANG_TIDY`: Run the build through `clang-tidy`. Default: `OFF`
- `CURL_CLANG_TIDYFLAGS`: Custom options to pass to `clang-tidy`. Default: (empty)
- `CURL_COMPLETION_FISH`: Install fish completions. Default: `OFF`
- `CURL_COMPLETION_FISH_DIR`: Custom fish completion install directory.
- `CURL_COMPLETION_ZSH`: Install zsh completions. Default: `OFF`
- `CURL_COMPLETION_ZSH_DIR`: Custom zsh completion install directory.
- `CURL_DEFAULT_SSL_BACKEND`: Override default TLS backend in MultiSSL builds.
Accepted values in order of default priority:
`wolfssl`, `gnutls`, `mbedtls`, `openssl`, `secure-transport`, `schannel`, `bearssl`, `rustls`
- `CURL_ENABLE_EXPORT_TARGET`: Enable CMake export target. Default: `ON`
- `CURL_HIDDEN_SYMBOLS`: Hide libcurl internal symbols (=hide all symbols that are not officially external). Default: `ON`
- `CURL_LIBCURL_SOVERSION`: Enable libcurl SOVERSION. Default: `ON` for supported platforms
- `CURL_LIBCURL_VERSIONED_SYMBOLS`: Enable libcurl versioned symbols. Default: `OFF`
- `CURL_LIBCURL_VERSIONED_SYMBOLS_PREFIX`: Override default versioned symbol prefix. Default: `<TLS-BACKEND>_` or `MULTISSL_`
- `CURL_LTO`: Enable compiler Link Time Optimizations. Default: `OFF`
- `CURL_STATIC_CRT`: Build libcurl with static CRT with MSVC (`/MT`) (requires UCRT, static libcurl or no curl executable). Default: `OFF`
- `CURL_TARGET_WINDOWS_VERSION`: Minimum target Windows version as hex string.
- `CURL_TEST_BUNDLES`: Build tests into single-binary bundles. Default: `OFF`
- `CURL_WERROR`: Turn compiler warnings into errors. Default: `OFF`
- `ENABLE_CURLDEBUG`: Enable TrackMemory debug feature. Default: =`ENABLE_DEBUG`
- `ENABLE_CURL_MANUAL`: Build the man page for curl and enable its `-M`/`--manual` option. Default: `ON`
- `ENABLE_DEBUG`: Enable curl debug features (for developing curl itself). Default: `OFF`
- `ENABLE_SERVER_DEBUG`: Apply curl debug options to test servers. Default: `OFF`
- `IMPORT_LIB_SUFFIX`: Import library suffix. Default: `_imp` for MSVC-like toolchains, otherwise empty.
- `LIBCURL_OUTPUT_NAME`: Basename of the curl library. Default: `libcurl`
- `PICKY_COMPILER`: Enable picky compiler options. Default: `ON`
- `SHARE_LIB_OBJECT`: Build shared and static libcurl in a single pass (requires CMake 3.12 or newer). Default: `ON` for Windows
- `STATIC_LIB_SUFFIX`: Static library suffix. Default: (empty)
## CA bundle options
- `CURL_CA_BUNDLE`: Path to the CA bundle. Set `none` to disable or `auto` for auto-detection. Default: `auto`
- `CURL_CA_EMBED`: Path to the CA bundle to embed in the curl tool. Default: (disabled)
- `CURL_CA_FALLBACK`: Use built-in CA store of TLS backend. Default: `OFF`
- `CURL_CA_PATH`: Location of default CA path. Set `none` to disable or `auto` for auto-detection. Default: `auto`
- `CURL_CA_SEARCH_SAFE`: Enable safe CA bundle search (within the curl tool directory) on Windows. Default: `OFF`
## Enabling features
- `CURL_ENABLE_SSL`: Enable SSL support. Default: `ON`
- `CURL_WINDOWS_SSPI`: Enable SSPI on Windows. Default: =`CURL_USE_SCHANNEL`
- `ENABLE_IPV6`: Enable IPv6 support. Default: `ON` if target supports IPv6.
- `ENABLE_THREADED_RESOLVER`: Enable threaded DNS lookup. Default: `ON` if c-ares is not enabled and target supports threading.
- `ENABLE_UNICODE`: Use the Unicode version of the Windows API functions. Default: `OFF`
- `ENABLE_UNIX_SOCKETS`: Enable Unix domain sockets support. Default: `ON`
- `USE_ECH`: Enable ECH support. Default: `OFF`
- `USE_HTTPSRR`: Enable HTTPS RR support. Default: `OFF`
- `USE_OPENSSL_QUIC`: Use OpenSSL and nghttp3 libraries for HTTP/3 support. Default: `OFF`
- `USE_SSLS_EXPORT`: Enable experimental SSL session import/export. Default: `OFF`
## Disabling features
- `CURL_DISABLE_ALTSVC`: Disable alt-svc support. Default: `OFF`
- `CURL_DISABLE_AWS`: Disable **aws-sigv4**. Default: `OFF`
- `CURL_DISABLE_BASIC_AUTH`: Disable Basic authentication. Default: `OFF`
- `CURL_DISABLE_BEARER_AUTH`: Disable Bearer authentication. Default: `OFF`
- `CURL_DISABLE_BINDLOCAL`: Disable local binding support. Default: `OFF`
- `CURL_DISABLE_CA_SEARCH`: Disable unsafe CA bundle search in PATH on Windows. Default: `OFF`
- `CURL_DISABLE_COOKIES`: Disable cookies support. Default: `OFF`
- `CURL_DISABLE_DICT`: Disable DICT. Default: `OFF`
- `CURL_DISABLE_DIGEST_AUTH`: Disable Digest authentication. Default: `OFF`
- `CURL_DISABLE_DOH`: Disable DNS-over-HTTPS. Default: `OFF`
- `CURL_DISABLE_FILE`: Disable FILE. Default: `OFF`
- `CURL_DISABLE_FORM_API`: Disable **form-api**. Default: =`CURL_DISABLE_MIME`
- `CURL_DISABLE_FTP`: Disable FTP. Default: `OFF`
- `CURL_DISABLE_GETOPTIONS`: Disable `curl_easy_options` API for existing options to `curl_easy_setopt`. Default: `OFF`
- `CURL_DISABLE_GOPHER`: Disable Gopher. Default: `OFF`
- `CURL_DISABLE_HEADERS_API`: Disable **headers-api** support. Default: `OFF`
- `CURL_DISABLE_HSTS`: Disable HSTS support. Default: `OFF`
- `CURL_DISABLE_HTTP`: Disable HTTP. Default: `OFF`
- `CURL_DISABLE_HTTP_AUTH`: Disable all HTTP authentication methods. Default: `OFF`
- `CURL_DISABLE_IMAP`: Disable IMAP. Default: `OFF`
- `CURL_DISABLE_INSTALL`: Disable installation targets. Default: `OFF`
- `CURL_DISABLE_IPFS`: Disable IPFS. Default: `OFF`
- `CURL_DISABLE_KERBEROS_AUTH`: Disable Kerberos authentication. Default: `OFF`
- `CURL_DISABLE_LDAP`: Disable LDAP. Default: `OFF`
- `CURL_DISABLE_LDAPS`: Disable LDAPS. Default: =`CURL_DISABLE_LDAP`
- `CURL_DISABLE_LIBCURL_OPTION`: Disable `--libcurl` option from the curl tool. Default: `OFF`
- `CURL_DISABLE_MIME`: Disable MIME support. Default: `OFF`
- `CURL_DISABLE_MQTT`: Disable MQTT. Default: `OFF`
- `CURL_DISABLE_NEGOTIATE_AUTH`: Disable negotiate authentication. Default: `OFF`
- `CURL_DISABLE_NETRC`: Disable netrc parser. Default: `OFF`
- `CURL_DISABLE_NTLM`: Disable NTLM support. Default: `OFF`
- `CURL_DISABLE_OPENSSL_AUTO_LOAD_CONFIG`: Disable automatic loading of OpenSSL configuration. Default: `OFF`
- `CURL_DISABLE_PARSEDATE`: Disable date parsing. Default: `OFF`
- `CURL_DISABLE_POP3`: Disable POP3. Default: `OFF`
- `CURL_DISABLE_PROGRESS_METER`: Disable built-in progress meter. Default: `OFF`
- `CURL_DISABLE_PROXY`: Disable proxy support. Default: `OFF`
- `CURL_DISABLE_RTSP`: Disable RTSP. Default: `OFF`
- `CURL_DISABLE_SHA512_256`: Disable SHA-512/256 hash algorithm. Default: `OFF`
- `CURL_DISABLE_SHUFFLE_DNS`: Disable shuffle DNS feature. Default: `OFF`
- `CURL_DISABLE_SMB`: Disable SMB. Default: `OFF`
- `CURL_DISABLE_SMTP`: Disable SMTP. Default: `OFF`
- `CURL_DISABLE_SOCKETPAIR`: Disable use of socketpair for curl_multi_poll. Default: `OFF`
- `CURL_DISABLE_SRP`: Disable TLS-SRP support. Default: `OFF`
- `CURL_DISABLE_TELNET`: Disable Telnet. Default: `OFF`
- `CURL_DISABLE_TFTP`: Disable TFTP. Default: `OFF`
- `CURL_DISABLE_VERBOSE_STRINGS`: Disable verbose strings. Default: `OFF`
- `CURL_DISABLE_WEBSOCKETS`: Disable WebSocket. Default: `OFF`
- `HTTP_ONLY`: Disable all protocols except HTTP (This overrides all `CURL_DISABLE_*` options). Default: `OFF`
## Environment
- `CI`: Assume running under CI if set.
- `CURL_BUILDINFO`: Print `buildinfo.txt` if set.
- `CURL_CI`: Assume running under CI if set.
## CMake options
- `CMAKE_BUILD_TYPE`: (see CMake)
- `CMAKE_DEBUG_POSTFIX`: Default: `-d`
- `CMAKE_IMPORT_LIBRARY_SUFFIX` (see CMake)
- `CMAKE_INSTALL_BINDIR` (see CMake)
- `CMAKE_INSTALL_INCLUDEDIR` (see CMake)
- `CMAKE_INSTALL_LIBDIR` (see CMake)
- `CMAKE_INSTALL_PREFIX` (see CMake)
- `CMAKE_STATIC_LIBRARY_SUFFIX` (see CMake)
- `CMAKE_UNITY_BUILD_BATCH_SIZE`: Set the number of sources in a "unity" unit. Default: `0` (all)
- `CMAKE_UNITY_BUILD`: Enable "unity" (aka jumbo) builds. Default: `OFF`
Details via CMake
[variables](https://cmake.org/cmake/help/latest/manual/cmake-variables.7.html) and
[install directories](https://cmake.org/cmake/help/latest/module/GNUInstallDirs.html).
## Dependencies
- `CURL_BROTLI`: Use brotli (`ON`, `OFF` or `AUTO`). Default: `AUTO`
- `CURL_USE_BEARSSL`: Enable BearSSL for SSL/TLS. Default: `OFF`
- `CURL_USE_GNUTLS`: Enable GnuTLS for SSL/TLS. Default: `OFF`
- `CURL_USE_GSASL`: Use libgsasl. Default: `OFF`
- `CURL_USE_GSSAPI`: Use GSSAPI implementation. Default: `OFF`
- `CURL_USE_LIBPSL`: Use libpsl. Default: `ON`
- `CURL_USE_LIBSSH2`: Use libssh2. Default: `ON`
- `CURL_USE_LIBSSH`: Use libssh. Default: `OFF`
- `CURL_USE_LIBUV`: Use libuv for event-based tests. Default: `OFF`
- `CURL_USE_MBEDTLS`: Enable mbedTLS for SSL/TLS. Default: `OFF`
- `CURL_USE_OPENSSL`: Enable OpenSSL for SSL/TLS. Default: `ON` if no other TLS backend was enabled.
- `CURL_USE_PKGCONFIG`: Enable `pkg-config` to detect dependencies. Default: `ON` for Unix (except Android, Apple devices), vcpkg, MinGW if not cross-compiling.
- `CURL_USE_RUSTLS`: Enable Rustls for SSL/TLS. Default: `OFF`
- `CURL_USE_SCHANNEL`: Enable Windows native SSL/TLS (Schannel). Default: `OFF`
- `CURL_USE_SECTRANSP`: Enable Apple OS native SSL/TLS (Secure Transport). Default: `OFF`
- `CURL_USE_WOLFSSH`: Use wolfSSH. Default: `OFF`
- `CURL_USE_WOLFSSL`: Enable wolfSSL for SSL/TLS. Default: `OFF`
- `CURL_ZLIB`: Use zlib (`ON`, `OFF` or `AUTO`). Default: `AUTO`
- `CURL_ZSTD`: Use zstd (`ON`, `OFF` or `AUTO`). Default: `AUTO`
- `ENABLE_ARES`: Enable c-ares support. Default: `OFF`
- `USE_APPLE_IDN`: Use Apple built-in IDN support. Default: `OFF`
- `USE_LIBIDN2`: Use libidn2 for IDN support. Default: `ON`
- `USE_LIBRTMP`: Enable librtmp from rtmpdump. Default: `OFF`
- `USE_MSH3`: Use msh3/msquic library for HTTP/3 support. Default: `OFF`
- `USE_NGHTTP2`: Use nghttp2 library. Default: `ON`
- `USE_NGTCP2`: Use ngtcp2 and nghttp3 libraries for HTTP/3 support. Default: `OFF`
- `USE_QUICHE`: Use quiche library for HTTP/3 support. Default: `OFF`
- `USE_WIN32_IDN`: Use WinIDN for IDN support. Default: `OFF`
- `USE_WIN32_LDAP`: Use Windows LDAP implementation. Default: `ON`
## Dependency options (via CMake)
- `OPENSSL_ROOT_DIR`: Set this variable to the root installation of OpenSSL (and forks).
- `OPENSSL_USE_STATIC_LIBS`: Look for static OpenSSL libraries.
- `ZLIB_INCLUDE_DIR`: The zlib include directory.
- `ZLIB_LIBRARY`: Path to `zlib` library.
- `ZLIB_USE_STATIC_LIBS`: Look for static ZLIB library (requires CMake v3.24).
## Dependency options (tools)
- `CLANG_TIDY`: `clang-tidy` tool used with `CURL_CLANG_TIDY=ON`. Default: `clang-tidy`
- `PERL_EXECUTABLE`: Perl binary used throughout the build and tests.
## Dependency options (libraries)
- `AMISSL_INCLUDE_DIR`: The AmiSSL include directory.
- `AMISSL_STUBS_LIBRARY`: Path to `amisslstubs` library.
- `AMISSL_AUTO_LIBRARY`: Path to `amisslauto` library.
- `BEARSSL_INCLUDE_DIR`: The BearSSL include directory.
- `BEARSSL_LIBRARY`: Path to `bearssl` library.
- `BROTLI_INCLUDE_DIR`: The brotli include directory.
- `BROTLICOMMON_LIBRARY`: Path to `brotlicommon` library.
- `BROTLIDEC_LIBRARY`: Path to `brotlidec` library.
- `CARES_INCLUDE_DIR`: The c-ares include directory.
- `CARES_LIBRARY`: Path to `cares` library.
- `DL_LIBRARY`: Path to `dl` library. (for Rustls)
- `GSS_ROOT_DIR`: Set this variable to the root installation of GSS. (also supported as environment)
- `LDAP_LIBRARY`: Name or full path to `ldap` library. Default: `ldap`
- `LDAP_LBER_LIBRARY`: Name or full path to `lber` library. Default: `lber`
- `LDAP_INCLUDE_DIR`: Path to LDAP include directory.
- `LIBGSASL_INCLUDE_DIR`: The libgsasl include directory.
- `LIBGSASL_LIBRARY`: Path to `libgsasl` library.
- `LIBIDN2_INCLUDE_DIR`: The libidn2 include directory.
- `LIBIDN2_LIBRARY`: Path to `libidn2` library.
- `LIBPSL_INCLUDE_DIR`: The libpsl include directory.
- `LIBPSL_LIBRARY`: Path to `libpsl` library.
- `LIBRTMP_INCLUDE_DIR`: The librtmp include directory.
- `LIBRTMP_LIBRARY`: Path to `librtmp` library.
- `LIBSSH_INCLUDE_DIR`: The libssh include directory.
- `LIBSSH_LIBRARY`: Path to `libssh` library.
- `LIBSSH2_INCLUDE_DIR`: The libssh2 include directory.
- `LIBSSH2_LIBRARY`: Path to `libssh2` library.
- `LIBUV_INCLUDE_DIR`: The libuv include directory.
- `LIBUV_LIBRARY`: Path to `libuv` library.
- `MATH_LIBRARY`: Path to `m` library. (for Rustls, wolfSSL)
- `MBEDTLS_INCLUDE_DIR`: The mbedTLS include directory.
- `MBEDTLS_LIBRARY`: Path to `mbedtls` library.
- `MBEDX509_LIBRARY`: Path to `mbedx509` library.
- `MBEDCRYPTO_LIBRARY`: Path to `mbedcrypto` library.
- `MSH3_INCLUDE_DIR`: The msh3 include directory.
- `MSH3_LIBRARY`: Path to `msh3` library.
- `NGHTTP2_INCLUDE_DIR`: The nghttp2 include directory.
- `NGHTTP2_LIBRARY`: Path to `nghttp2` library.
- `NGHTTP3_INCLUDE_DIR`: The nghttp3 include directory.
- `NGHTTP3_LIBRARY`: Path to `nghttp3` library.
- `NGTCP2_INCLUDE_DIR`: The ngtcp2 include directory.
- `NGTCP2_LIBRARY`: Path to `ngtcp2` library.
- `NETTLE_INCLUDE_DIR`: The nettle include directory.
- `NETTLE_LIBRARY`: Path to `nettle` library.
- `PTHREAD_LIBRARY`: Path to `pthread` library. (for Rustls)
- `QUICHE_INCLUDE_DIR`: The quiche include directory.
- `QUICHE_LIBRARY`: Path to `quiche` library.
- `RUSTLS_INCLUDE_DIR`: The Rustls include directory.
- `RUSTLS_LIBRARY`: Path to `rustls` library.
- `WATT_ROOT`: Set this variable to the root installation of Watt-32.
- `WOLFSSH_INCLUDE_DIR`: The wolfSSH include directory.
- `WOLFSSH_LIBRARY`: Path to `wolfssh` library.
- `WOLFSSL_INCLUDE_DIR`: The wolfSSL include directory.
- `WOLFSSL_LIBRARY`: Path to `wolfssl` library.
- `ZSTD_INCLUDE_DIR`: The zstd include directory.
- `ZSTD_LIBRARY`: Path to `zstd` library.
## Test tools
- `APXS`: Default: `apxs`
- `CADDY`: Default: `caddy`
- `HTTPD_NGHTTPX`: Default: `nghttpx`
- `HTTPD`: Default: `apache2`
- `TEST_NGHTTPX`: Default: `nghttpx`
- `VSFTPD`: Default: `vsftps`
# Migrating from Visual Studio IDE Project Files
We recommend using CMake to build curl with MSVC.
The project build files reside in project/Windows/VC\* for VS2010, VS2010 and
VS2013 respectively.
These CMake Visual Studio generators require CMake v3.24 or older. You can
download them from <https://cmake.org/files/v3.24/>.
You can also use `-G "NMake Makefiles"`, which is supported by all CMake
versions.
Configuration element | Equivalent CMake options
:-------------------------------- | :--------------------------------
`VC10` | `-G "Visual Studio 10 2010"`
`VC11` | `-G "Visual Studio 11 2012"`
`VC12` | `-G "Visual Studio 12 2013"`
`x64` | `-A x64`
`Win32` | `-A Win32`
`DLL` | `BUILD_SHARED_LIBS=ON`, `BUILD_STATIC_LIBS=OFF`, (default)
`LIB` | `BUILD_SHARED_LIBS=OFF`, `BUILD_STATIC_LIBS=ON`
`Debug` | `CMAKE_BUILD_TYPE=Debug` (`-G "NMake Makefiles"` only)
`Release` | `CMAKE_BUILD_TYPE=Release` (`-G "NMake Makefiles"` only)
`DLL Windows SSPI` | `CURL_USE_SCHANNEL=ON` (with SSPI enabled by default)
`DLL OpenSSL` | `CURL_USE_OPENSSL=ON`, optional: `OPENSSL_ROOT_DIR`, `OPENSSL_USE_STATIC_LIBS=ON`
`DLL libssh2` | `CURL_USE_LIBSSH2=ON`, optional: `LIBSSH2_INCLUDE_DIR`, `LIBSSH2_LIBRARY`
`DLL WinIDN` | `USE_WIN32_IDN=ON`
For example these commands:
> cd projects
> ./generate.bat VC12
> msbuild "-property:Configuration=DLL Debug - DLL Windows SSPI - DLL WinIDN" Windows/VC12/curl-all.sln
translate to:
> cmake . -G "Visual Studio 12 2013" -A x64 -DCURL_USE_SCHANNEL=ON -DUSE_WIN32_IDN=ON -DCURL_USE_LIBPSL=OFF
> cmake --build . --config Debug --parallel
We do *not* specify `-DCMAKE_BUILD_TYPE=Debug` here as we might do for the
`"NMake Makefiles"` generator because the Visual Studio generators are
[multi-config generators](https://cmake.org/cmake/help/latest/prop_gbl/GENERATOR_IS_MULTI_CONFIG.html)
and therefore ignore the value of `CMAKE_BUILD_TYPE`.
# Migrating from winbuild builds
We recommend CMake to build curl with MSVC. The winbuild build method is
deprecated and may be dropped in a future release.
In CMake you can customize the path of dependencies by passing the absolute
header path and the full path of the library via `*_INCLUDE_DIR` and
`*_LIBRARY` options (see the complete list in the option listing above).
The full path to the library can point to a static library or an import
library, which defines if the dependency is linked as a dll or statically.
For OpenSSL this works
[differently](https://cmake.org/cmake/help/latest/module/FindOpenSSL.html):
You can pass the root directory of the OpenSSL installation via
`OPENSSL_ROOT_DIR`, then pass `OPENSSL_USE_STATIC_LIBS=ON` to select static
libs.
winbuild options | Equivalent CMake options
:-------------------------------- | :--------------------------------
`DEBUG` | `CMAKE_BUILD_TYPE=Debug`
`GEN_PDB` | `CMAKE_EXE_LINKER_FLAGS=/Fd<path>`, `CMAKE_SHARED_LINKER_FLAGS=/Fd<path>`
`LIB_NAME_DLL`, `LIB_NAME_STATIC` | `IMPORT_LIB_SUFFIX`, `LIBCURL_OUTPUT_NAME`, `STATIC_LIB_SUFFIX`
`VC`: `<N>` | see the CMake [Visual Studio generators](https://cmake.org/cmake/help/latest/manual/cmake-generators.7.html#visual-studio-generators)
`MACHINE`: `x64`, `x86` | `-A x64`, `-A Win32`
`MODE`: `dll`, `static` | `BUILD_SHARED_LIBS=ON/OFF`, `BUILD_STATIC_LIBS=ON/OFF`, `BUILD_STATIC_CURL=ON/OFF` (default: dll)
`RTLIBCFG`: `static` | `CURL_STATIC_CRT=ON`
`ENABLE_IDN` | `USE_WIN32_IDN=ON`
`ENABLE_IPV6` | `ENABLE_IPV6=ON`
`ENABLE_MSH3` | `USE_MSH3=ON`
`ENABLE_NGHTTP2` | `USE_NGHTTP2=ON`
`ENABLE_OPENSSL_AUTO_LOAD_CONFIG` | `CURL_DISABLE_OPENSSL_AUTO_LOAD_CONFIG=OFF` (default)
`ENABLE_SCHANNEL` | `CURL_USE_SCHANNEL=ON`
`ENABLE_SSPI` | `CURL_WINDOWS_SSPI=ON` (default with Schannel)
`ENABLE_UNICODE` | `ENABLE_UNICODE=ON`
`WITH_PREFIX` | `CMAKE_INSTALL_PREFIX=<path>`
`WITH_DEVEL` | see individual `*_INCLUDE_DIR` and `*_LIBRARY` options and `OPENSSL_ROOT_DIR`
`WITH_CARES`, `CARES_PATH` | `ENABLE_ARES=ON`, optional: `CARES_INCLUDE_DIR`, `CARES_LIBRARY`
`WITH_MBEDTLS`, `MBEDTLS_PATH` | `CURL_USE_MBEDTLS=ON`, optional: `MBEDTLS_INCLUDE_DIR`, `MBEDTLS_LIBRARY`, `MBEDX509_LIBRARY`, `MBEDCRYPTO_LIBRARY`
`WITH_MSH3`, `MSH_PATH` | `USE_MSH3=ON`, optional: `MSH3_INCLUDE_DIR`, `MSH3_LIBRARY`
`WITH_NGHTTP2`, `NGHTTP2_PATH` | `USE_NGHTTP2=ON`, optional: `NGHTTP2_INCLUDE_DIR`, `NGHTTP2_LIBRARY`
`WITH_SSH`, `SSH_PATH` | `CURL_USE_LIBSSH=ON`, optional: `LIBSSH_INCLUDE_DIR`, `LIBSSH_LIBRARY`
`WITH_SSH2`, `SSH2_PATH` | `CURL_USE_LIBSSH2=ON`, optional: `LIBSSH2_INCLUDE_DIR`, `LIBSSH2_LIBRARY`
`WITH_SSL`, `SSL_PATH` | `CURL_USE_OPENSSL=ON`, optional: `OPENSSL_ROOT_DIR`, `OPENSSL_USE_STATIC_LIBS=ON`
`WITH_WOLFSSL`, `WOLFSSL_PATH` | `CURL_USE_WOLFSSL=ON`, optional: `WOLFSSL_INCLUDE_DIR`, `WOLFSSL_LIBRARY`
`WITH_ZLIB`, `ZLIB_PATH` | `CURL_ZLIB=ON`, optional: `ZLIB_INCLUDE_DIR`, `ZLIB_LIBRARY`
For example this command-line:
> nmake -f Makefile.vc VC=17 MACHINE=x64 DEBUG=ON mode=dll SSL_PATH=C:\OpenSSL WITH_SSL=dll ENABLE_UNICODE=ON
translates to:
> cmake . -G "Visual Studio 17 2022" -A x64 -DBUILD_SHARED_LIBS=ON -DOPENSSL_ROOT_DIR=C:\OpenSSL -DCURL_USE_OPENSSL=ON -DENABLE_UNICODE=ON -DCURL_USE_LIBPSL=OFF
> cmake --build . --config Debug
We use `--config` with `cmake --build` because the Visual Studio CMake
generators are multi-config and therefore ignore `CMAKE_BUILD_TYPE`.

667
curl/docs/INSTALL.md
Unescape Просмотреть файл

@ -0,0 +1,667 @@
<!--
Copyright (C) Daniel Stenberg, <daniel@haxx.se>, et al.
SPDX-License-Identifier: curl
-->
# How to install curl and libcurl
## Installing Binary Packages
Lots of people download binary distributions of curl and libcurl. This
document does not describe how to install curl or libcurl using such a binary
package. This document describes how to compile, build and install curl and
libcurl from source code.
## Building using vcpkg
You can download and install curl and libcurl using the [vcpkg](https://github.com/Microsoft/vcpkg/) dependency manager:
git clone https://github.com/Microsoft/vcpkg.git
cd vcpkg
./bootstrap-vcpkg.sh
./vcpkg integrate install
vcpkg install curl[tool]
The curl port in vcpkg is kept up to date by Microsoft team members and
community contributors. If the version is out of date, please [create an issue
or pull request](https://github.com/Microsoft/vcpkg) on the vcpkg repository.
## Building from git
If you get your code off a git repository instead of a release tarball, see
the `GIT-INFO.md` file in the root directory for specific instructions on how
to proceed.
# Unix
A normal Unix installation is made in three or four steps (after you have
unpacked the source archive):
./configure --with-openssl [--with-gnutls --with-wolfssl]
make
make test (optional)
make install
(Adjust the configure line accordingly to use the TLS library you want.)
You probably need to be root when doing the last command.
Get a full listing of all available configure options by invoking it like:
./configure --help
If you want to install curl in a different file hierarchy than `/usr/local`,
specify that when running configure:
./configure --prefix=/path/to/curl/tree
If you have write permission in that directory, you can do 'make install'
without being root. An example of this would be to make a local install in
your own home directory:
./configure --prefix=$HOME
make
make install
The configure script always tries to find a working SSL library unless
explicitly told not to. If you have OpenSSL installed in the default search
path for your compiler/linker, you do not need to do anything special. If you
have OpenSSL installed in `/usr/local/ssl`, you can run configure like:
./configure --with-openssl
If you have OpenSSL installed somewhere else (for example, `/opt/OpenSSL`) and
you have pkg-config installed, set the pkg-config path first, like this:
env PKG_CONFIG_PATH=/opt/OpenSSL/lib/pkgconfig ./configure --with-openssl
Without pkg-config installed, use this:
./configure --with-openssl=/opt/OpenSSL
If you insist on forcing a build without SSL support, you can run configure
like this:
./configure --without-ssl
If you have OpenSSL installed, but with the libraries in one place and the
header files somewhere else, you have to set the `LDFLAGS` and `CPPFLAGS`
environment variables prior to running configure. Something like this should
work:
CPPFLAGS="-I/path/to/ssl/include" LDFLAGS="-L/path/to/ssl/lib" ./configure
If you have shared SSL libs installed in a directory where your runtime
linker does not find them (which usually causes configure failures), you can
provide this option to gcc to set a hard-coded path to the runtime linker:
LDFLAGS=-Wl,-R/usr/local/ssl/lib ./configure --with-openssl
## Static builds
To force a static library compile, disable the shared library creation by
running configure like:
./configure --disable-shared
The configure script is primarily done to work with shared/dynamic third party
dependencies. When linking with shared libraries, the dependency "chain" is
handled automatically by the library loader - on all modern systems.
If you instead link with a static library, you need to provide all the
dependency libraries already at the link command line.
Figuring out all the dependency libraries for a given library is hard, as it
might involve figuring out the dependencies of the dependencies and they vary
between platforms and change between versions.
When using static dependencies, the build scripts mostly assume that you, the
user, provide all the necessary additional dependency libraries as additional
arguments in the build. With configure, by setting `LIBS` or `LDFLAGS` on the
command line.
Building statically is not for the faint of heart.
## Debug
If you are a curl developer and use gcc, you might want to enable more debug
options with the `--enable-debug` option.
curl can be built to use a whole range of libraries to provide various useful
services, and configure tries to auto-detect a decent default. If you want to
alter it, you can select how to deal with each individual library.
## Select TLS backend
These options are provided to select the TLS backend to use.
- AmiSSL: `--with-amissl`
- BearSSL: `--with-bearssl`
- GnuTLS: `--with-gnutls`.
- mbedTLS: `--with-mbedtls`
- OpenSSL: `--with-openssl` (also for BoringSSL, AWS-LC, LibreSSL, and quictls)
- rustls: `--with-rustls`
- Schannel: `--with-schannel`
- Secure Transport: `--with-secure-transport`
- wolfSSL: `--with-wolfssl`
You can build curl with *multiple* TLS backends at your choice, but some TLS
backends cannot be combined: if you build with an OpenSSL fork (or wolfSSL),
you cannot add another OpenSSL fork (or wolfSSL) simply because they have
conflicting identical symbol names.
When you build with multiple TLS backends, you can select the active one at
runtime when curl starts up.
## MultiSSL and HTTP/3
HTTP/3 needs QUIC and QUIC needs TLS. Building libcurl with HTTP/3 and QUIC
support is not compatible with the MultiSSL feature: they are mutually
exclusive. If you need MultiSSL in your build, you cannot have HTTP/3 support
and vice versa.
libcurl can only use a single TLS library with QUIC and that *same* TLS
library needs to be used for the other TLS using protocols.
## Configure finding libs in wrong directory
When the configure script checks for third-party libraries, it adds those
directories to the `LDFLAGS` variable and then tries linking to see if it
works. When successful, the found directory is kept in the `LDFLAGS` variable
when the script continues to execute and do more tests and possibly check for
more libraries.
This can make subsequent checks for libraries wrongly detect another
installation in a directory that was previously added to `LDFLAGS` by another
library check.
# Windows
Building for Windows XP is required as a minimum.
You can build curl with:
- Microsoft Visual Studio 2008 v9.0 or later (`_MSC_VER >= 1500`)
- MinGW-w64
## Building Windows DLLs and C runtime (CRT) linkage issues
As a general rule, building a DLL with static CRT linkage is highly
discouraged, and intermixing CRTs in the same app is something to avoid at
any cost.
Reading and comprehending Microsoft Knowledge Base articles KB94248 and
KB140584 is a must for any Windows developer. Especially important is full
understanding if you are not going to follow the advice given above.
- [How To Use the C Runtime](https://support.microsoft.com/help/94248/how-to-use-the-c-run-time)
- [Runtime Library Compiler Options](https://docs.microsoft.com/cpp/build/reference/md-mt-ld-use-run-time-library)
- [Potential Errors Passing CRT Objects Across DLL Boundaries](https://docs.microsoft.com/cpp/c-runtime-library/potential-errors-passing-crt-objects-across-dll-boundaries)
If your app is misbehaving in some strange way, or it is suffering from memory
corruption, before asking for further help, please try first to rebuild every
single library your app uses as well as your app using the debug
multi-threaded dynamic C runtime.
If you get linkage errors read section 5.7 of the FAQ document.
## Cygwin
Almost identical to the Unix installation. Run the configure script in the
curl source tree root with `sh configure`. Make sure you have the `sh`
executable in `/bin/` or you see the configure fail toward the end.
Run `make`
## MS-DOS
You can use either autotools or cmake:
./configure \
CC=/path/to/djgpp/bin/i586-pc-msdosdjgpp-gcc \
AR=/path/to/djgpp/bin/i586-pc-msdosdjgpp-ar \
RANLIB=/path/to/djgpp/bin/i586-pc-msdosdjgpp-ranlib \
WATT_ROOT=/path/to/djgpp/net/watt \
--host=i586-pc-msdosdjgpp \
--with-openssl=/path/to/djgpp \
--with-zlib=/path/to/djgpp \
--without-libpsl \
--disable-shared
cmake . \
-DCMAKE_SYSTEM_NAME=DOS \
-DCMAKE_C_COMPILER_TARGET=i586-pc-msdosdjgpp \
-DCMAKE_C_COMPILER=/path/to/djgpp/bin/i586-pc-msdosdjgpp-gcc \
-DWATT_ROOT=/path/to/djgpp/net/watt \
-DOPENSSL_INCLUDE_DIR=/path/to/djgpp/include \
-DOPENSSL_SSL_LIBRARY=/path/to/djgpp/lib/libssl.a \
-DOPENSSL_CRYPTO_LIBRARY=/path/to/djgpp/lib/libcrypto.a \
-DZLIB_INCLUDE_DIR=/path/to/djgpp/include \
-DZLIB_LIBRARY=/path/to/djgpp/lib/libz.a \
-DCURL_USE_LIBPSL=OFF
Notes:
- Requires DJGPP 2.04 or upper.
- Compile Watt-32 (and OpenSSL) with the same version of DJGPP. Otherwise
things go wrong because things like FS-extensions and `errno` values have
been changed between releases.
## AmigaOS
You can use either autotools or cmake:
./configure \
CC=/opt/amiga/bin/m68k-amigaos-gcc \
AR=/opt/amiga/bin/m68k-amigaos-ar \
RANLIB=/opt/amiga/bin/m68k-amigaos-ranlib \
--host=m68k-amigaos \
--with-amissl \
CFLAGS='-O0 -msoft-float -mcrt=clib2' \
CPPFLAGS=-I/path/to/AmiSSL/Developer/include \
LDFLAGS=-L/path/to/AmiSSL/Developer/lib/AmigaOS3 \
LIBS='-lnet -lm -latomic' \
--without-libpsl \
--disable-shared
cmake . \
-DAMIGA=1 \
-DCMAKE_SYSTEM_NAME=Generic \
-DCMAKE_C_COMPILER_TARGET=m68k-unknown-amigaos \
-DCMAKE_C_COMPILER=/opt/amiga/bin/m68k-amigaos-gcc \
-DCMAKE_C_FLAGS='-O0 -msoft-float -mcrt=clib2' \
-DAMISSL_INCLUDE_DIR=/path/to/AmiSSL/Developer/include \
-DAMISSL_STUBS_LIBRARY=/path/to/AmiSSL/Developer/lib/AmigaOS3/libamisslstubs.a \
-DAMISSL_AUTO_LIBRARY=/path/to/AmiSSL/Developer/lib/AmigaOS3/libamisslauto.a \
-DCURL_USE_LIBPSL=OFF
## Disabling Specific Protocols in Windows builds
The configure utility, unfortunately, is not available for the Windows
environment, therefore, you cannot use the various disable-protocol options of
the configure utility on this platform.
You can use specific defines to disable specific protocols and features. See
[CURL-DISABLE](CURL-DISABLE.md) for the full list.
If you want to set any of these defines you have the following options:
- Modify `lib/config-win32.h`
- Modify `lib/curl_setup.h`
- Modify `winbuild/Makefile.vc`
- Modify the "Preprocessor Definitions" in the libcurl project
Note: The pre-processor settings can be found using the Visual Studio IDE
under "Project -> Properties -> Configuration Properties -> C/C++ ->
Preprocessor".
## Using BSD-style lwIP instead of Winsock TCP/IP stack in Windows builds
In order to compile libcurl and curl using BSD-style lwIP TCP/IP stack it is
necessary to make the definition of the preprocessor symbol `USE_LWIPSOCK`
visible to libcurl and curl compilation processes. To set this definition you
have the following alternatives:
- Modify `lib/config-win32.h`
- Modify `winbuild/Makefile.vc`
- Modify the "Preprocessor Definitions" in the libcurl project
Note: The pre-processor settings can be found using the Visual Studio IDE
under "Project -> Properties -> Configuration Properties -> C/C++ ->
Preprocessor".
Once that libcurl has been built with BSD-style lwIP TCP/IP stack support, in
order to use it with your program it is mandatory that your program includes
lwIP header file `<lwip/opt.h>` (or another lwIP header that includes this)
before including any libcurl header. Your program does not need the
`USE_LWIPSOCK` preprocessor definition which is for libcurl internals only.
Compilation has been verified with lwIP 1.4.0.
This BSD-style lwIP TCP/IP stack support must be considered experimental given
that it has been verified that lwIP 1.4.0 still needs some polish, and libcurl
might yet need some additional adjustment.
## Important static libcurl usage note
When building an application that uses the static libcurl library on Windows,
you must add `-DCURL_STATICLIB` to your `CFLAGS`. Otherwise the linker looks
for dynamic import symbols.
## Legacy Windows and SSL
Schannel (from Windows SSPI), is the native SSL library in Windows. However,
Schannel in Windows <= XP is unable to connect to servers that no longer
support the legacy handshakes and algorithms used by those versions. If you
are using curl in one of those earlier versions of Windows you should choose
another SSL backend such as OpenSSL.
# Apple Platforms (macOS, iOS, tvOS, watchOS, and their simulator counterparts)
On modern Apple operating systems, curl can be built to use Apple's SSL/TLS
implementation, Secure Transport, instead of OpenSSL. To build with Secure
Transport for SSL/TLS, use the configure option `--with-secure-transport`.
When Secure Transport is in use, the curl options `--cacert` and `--capath`
and their libcurl equivalents, are ignored, because Secure Transport uses the
certificates stored in the Keychain to evaluate whether or not to trust the
server. This, of course, includes the root certificates that ship with the OS.
The `--cert` and `--engine` options, and their libcurl equivalents, are
currently unimplemented in curl with Secure Transport.
In general, a curl build for an Apple `ARCH/SDK/DEPLOYMENT_TARGET` combination
can be taken by providing appropriate values for `ARCH`, `SDK`, `DEPLOYMENT_TARGET`
below and running the commands:
```bash
# Set these three according to your needs
export ARCH=x86_64
export SDK=macosx
export DEPLOYMENT_TARGET=10.8
export CFLAGS="-arch $ARCH -isysroot $(xcrun -sdk $SDK --show-sdk-path) -m$SDK-version-min=$DEPLOYMENT_TARGET"
./configure --host=$ARCH-apple-darwin --prefix $(pwd)/artifacts --with-secure-transport
make -j8
make install
```
With CMake:
```bash
cmake . \
-DCMAKE_OSX_ARCHITECTURES=x86_64 \
-DCMAKE_OSX_DEPLOYMENT_TARGET=10.8 \
-DCMAKE_OSX_SYSROOT="$(xcrun --sdk macosx --show-sdk-path)"
```
The above command lines build curl for macOS platform with `x86_64`
architecture and `10.8` as deployment target.
Here is an example for iOS device:
```bash
export ARCH=arm64
export SDK=iphoneos
export DEPLOYMENT_TARGET=11.0
export CFLAGS="-arch $ARCH -isysroot $(xcrun -sdk $SDK --show-sdk-path) -m$SDK-version-min=$DEPLOYMENT_TARGET"
./configure --host=$ARCH-apple-darwin --prefix $(pwd)/artifacts --with-secure-transport
make -j8
make install
```
With CMake (3.16 or upper recommended):
```bash
cmake . \
-DCMAKE_SYSTEM_NAME=iOS \
-DCMAKE_OSX_ARCHITECTURES=arm64 \
-DCMAKE_OSX_DEPLOYMENT_TARGET=11.0
```
Another example for watchOS simulator for macs with Apple Silicon:
```bash
export ARCH=arm64
export SDK=watchsimulator
export DEPLOYMENT_TARGET=5.0
export CFLAGS="-arch $ARCH -isysroot $(xcrun -sdk $SDK --show-sdk-path) -m$SDK-version-min=$DEPLOYMENT_TARGET"
./configure --host=$ARCH-apple-darwin --prefix $(pwd)/artifacts --with-secure-transport
make -j8
make install
```
In all above, the built libraries and executables can be found in the
`artifacts` folder.
# Android
When building curl for Android you can you CMake or curl's `configure` script.
Before you can build curl for Android, you need to install the Android NDK
first. This can be done using the SDK Manager that is part of Android Studio.
Once you have installed the Android NDK, you need to figure out where it has
been installed and then set up some environment variables before launching
the build.
Examples to compile for `aarch64` and API level 29:
with CMake, where `ANDROID_NDK_HOME` points into your NDK:
cmake . \
-DANDROID_ABI=arm64-v8a \
-DANDROID_PLATFORM=android-29 \
-DCMAKE_TOOLCHAIN_FILE="$ANDROID_NDK_HOME/build/cmake/android.toolchain.cmake" \
-DCURL_ENABLE_SSL=OFF \
-DCURL_USE_LIBPSL=OFF
with `configure`, on macOS:
```bash
export ANDROID_NDK_HOME=~/Library/Android/sdk/ndk/25.1.8937393 # Point into your NDK.
export HOST_TAG=darwin-x86_64 # Same tag for Apple Silicon. Other OS values here: https://developer.android.com/ndk/guides/other_build_systems#overview
export TOOLCHAIN=$ANDROID_NDK_HOME/toolchains/llvm/prebuilt/$HOST_TAG
export AR=$TOOLCHAIN/bin/llvm-ar
export AS=$TOOLCHAIN/bin/llvm-as
export CC=$TOOLCHAIN/bin/aarch64-linux-android29-clang
export CXX=$TOOLCHAIN/bin/aarch64-linux-android29-clang++
export LD=$TOOLCHAIN/bin/ld
export RANLIB=$TOOLCHAIN/bin/llvm-ranlib
export STRIP=$TOOLCHAIN/bin/llvm-strip
```
When building on Linux or targeting other API levels or architectures, you need
to adjust those variables accordingly. After that you can build curl like this:
./configure --host aarch64-linux-android --with-pic --disable-shared
Note that this does not give you SSL/TLS support. If you need SSL/TLS, you
have to build curl with a SSL/TLS library, e.g. OpenSSL, because it is
impossible for curl to access Android's native SSL/TLS layer. To build curl
for Android using OpenSSL, follow the OpenSSL build instructions and then
install `libssl.a` and `libcrypto.a` to `$TOOLCHAIN/sysroot/usr/lib` and copy
`include/openssl` to `$TOOLCHAIN/sysroot/usr/include`. Now you can build curl
for Android using OpenSSL like this:
```bash
LIBS="-lssl -lcrypto -lc++" # For OpenSSL/BoringSSL. In general, you need to the SSL/TLS layer's transitive dependencies if you are linking statically.
./configure --host aarch64-linux-android --with-pic --disable-shared --with-openssl="$TOOLCHAIN/sysroot/usr"
```
# IBM i
For IBM i (formerly OS/400), you can use curl in two different ways:
- Natively, running in the **ILE**. The obvious use is being able to call curl
from ILE C or RPG applications.
- You need to build this from source. See `packages/OS400/README` for the ILE
specific build instructions.
- In the **PASE** environment, which runs AIX programs. curl is built as it
would be on AIX.
- IBM provides builds of curl in their Yum repository for PASE software.
- To build from source, follow the Unix instructions.
There are some additional limitations and quirks with curl on this platform;
they affect both environments.
## Multi-threading notes
By default, jobs in IBM i does not start with threading enabled. (Exceptions
include interactive PASE sessions started by `QP2TERM` or SSH.) If you use
curl in an environment without threading when options like asynchronous DNS
were enabled, you get messages like:
```
getaddrinfo() thread failed to start
```
Do not panic. curl and your program are not broken. You can fix this by:
- Set the environment variable `QIBM_MULTI_THREADED` to `Y` before starting
your program. This can be done at whatever scope you feel is appropriate.
- Alternatively, start the job with the `ALWMLTTHD` parameter set to `*YES`.
# Cross compile
Download and unpack the curl package.
`cd` to the new directory. (e.g. `cd curl-7.12.3`)
Set environment variables to point to the cross-compile toolchain and call
configure with any options you need. Be sure and specify the `--host` and
`--build` parameters at configuration time. The following script is an example
of cross-compiling for the IBM 405GP PowerPC processor using the toolchain on
Linux.
```bash
#! /bin/sh
export PATH=$PATH:/opt/hardhat/devkit/ppc/405/bin
export CPPFLAGS="-I/opt/hardhat/devkit/ppc/405/target/usr/include"
export AR=ppc_405-ar
export AS=ppc_405-as
export LD=ppc_405-ld
export RANLIB=ppc_405-ranlib
export CC=ppc_405-gcc
export NM=ppc_405-nm
./configure --target=powerpc-hardhat-linux
--host=powerpc-hardhat-linux
--build=i586-pc-linux-gnu
--prefix=/opt/hardhat/devkit/ppc/405/target/usr/local
--exec-prefix=/usr/local
```
The `--prefix` parameter specifies where curl gets installed. If `configure`
completes successfully, do `make` and `make install` as usual.
In some cases, you may be able to simplify the above commands to as little as:
./configure --host=ARCH-OS
# REDUCING SIZE
There are a number of configure options that can be used to reduce the size of
libcurl for embedded applications where binary size is an important factor.
First, be sure to set the `CFLAGS` variable when configuring with any relevant
compiler optimization flags to reduce the size of the binary. For gcc, this
would mean at minimum the `-Os` option, and others like the following that
may be relevant in some environments: `-march=X`, `-mthumb`, `-m32`,
`-mdynamic-no-pic`, `-flto`, `-fdata-sections`, `-ffunction-sections`,
`-fno-unwind-tables`, `-fno-asynchronous-unwind-tables`,
`-fno-record-gcc-switches`, `-fsection-anchors`, `-fno-plt`,
`-Wl,--gc-sections`, `-Wl,-Bsymbolic`, `-Wl,-s`,
For example, this is how to combine a few of these options:
./configure CC=gcc CFLAGS='-Os -ffunction-sections' LDFLAGS='-Wl,--gc-sections'...
Note that newer compilers often produce smaller code than older versions
due to improved optimization.
Be sure to specify as many `--disable-` and `--without-` flags on the
configure command-line as you can to disable all the libcurl features that you
know your application is not going to need. Besides specifying the
`--disable-PROTOCOL` flags for all the types of URLs your application do not
use, here are some other flags that can reduce the size of the library by
disabling support for some feature (run `./configure --help` to see them all):
- `--disable-alt-svc` (HTTP Alt-Svc)
- `--disable-ares` (the C-ARES DNS library)
- `--disable-cookies` (HTTP cookies)
- `--disable-basic-auth` (cryptographic authentication)
- `--disable-bearer-auth` (cryptographic authentication)
- `--disable-digest-auth` (cryptographic authentication)
- `--disable-kerberos-auth` (cryptographic authentication)
- `--disable-negotiate-auth` (cryptographic authentication)
- `--disable-aws` (cryptographic authentication)
- `--disable-dateparse` (date parsing for time conditionals)
- `--disable-dnsshuffle` (internal server load spreading)
- `--disable-doh` (DNS-over-HTTP)
- `--disable-form-api` (POST form API)
- `--disable-get-easy-options` (lookup easy options at runtime)
- `--disable-headers-api` (API to access headers)
- `--disable-hsts` (HTTP Strict Transport Security)
- `--disable-http-auth` (all HTTP authentication)
- `--disable-ipv6` (IPv6)
- `--disable-libcurl-option` (--libcurl C code generation support)
- `--disable-manual` (--manual built-in documentation)
- `--disable-mime` (MIME API)
- `--disable-netrc` (.netrc file)
- `--disable-ntlm` (NTLM authentication)
- `--disable-ntlm-wb` (NTLM winbind)
- `--disable-progress-meter` (graphical progress meter in library)
- `--disable-proxy` (HTTP and SOCKS proxies)
- `--disable-pthreads` (multi-threading)
- `--disable-socketpair` (socketpair for asynchronous name resolving)
- `--disable-threaded-resolver` (threaded name resolver)
- `--disable-tls-srp` (Secure Remote Password authentication for TLS)
- `--disable-unix-sockets` (Unix sockets)
- `--disable-verbose` (eliminates debugging strings and error code strings)
- `--disable-versioned-symbols` (versioned symbols)
- `--enable-symbol-hiding` (eliminates unneeded symbols in the shared library)
- `--without-brotli` (Brotli on-the-fly decompression)
- `--without-libpsl` (Public Suffix List in cookies)
- `--without-nghttp2` (HTTP/2 using nghttp2)
- `--without-ngtcp2` (HTTP/2 using ngtcp2)
- `--without-zstd` (Zstd on-the-fly decompression)
- `--without-libidn2` (internationalized domain names)
- `--without-librtmp` (RTMP)
- `--without-ssl` (SSL/TLS)
- `--without-zlib` (on-the-fly decompression)
Be sure also to strip debugging symbols from your binaries after compiling
using 'strip' or an option like `-s`. If space is really tight, you may be able
to gain a few bytes by removing some unneeded sections of the shared library
using the -R option to objcopy (e.g. the .comment section).
Using these techniques it is possible to create a basic HTTP-only libcurl
shared library for i386 Linux platforms that is only 130 KiB in size
(as of libcurl version 8.6.0, using gcc 13.2.0).
You may find that statically linking libcurl to your application results in a
lower total size than dynamically linking.
The curl test harness can detect the use of some, but not all, of the
`--disable` statements suggested above. Use of these can cause tests relying
on those features to fail. The test harness can be manually forced to skip the
relevant tests by specifying certain key words on the `runtests.pl` command
line. Following is a list of appropriate key words for those configure options
that are not automatically detected:
- `--disable-cookies` !cookies
- `--disable-dateparse` !RETRY-AFTER !`CURLOPT_TIMECONDITION` !`CURLINFO_FILETIME` !`If-Modified-Since` !`curl_getdate` !`-z`
- `--disable-libcurl-option` !`--libcurl`
- `--disable-verbose` !verbose\ logs
# Ports
This is a probably incomplete list of known CPU architectures and operating
systems that curl has been compiled for. If you know a system curl compiles
and runs on, that is not listed, please let us know.
## 104 Operating Systems
AIX, AmigaOS, Android, ArcoOS, Aros, Atari FreeMiNT, BeOS, Blackberry
10, Blackberry Tablet OS, Cell OS, CheriBSD, Chrome OS, Cisco IOS,
DG/UX, DR DOS, Dragonfly BSD, eCOS, FreeBSD, FreeDOS, FreeRTOS, Fuchsia,
Garmin OS, Genode, Haiku, HardenedBSD, HP-UX, Hurd, IBM I, illumos,
Integrity, iOS, ipadOS, IRIX, Linux, Lua RTOS, Mac OS 9, macOS, Maemo,
Mbed, Meego, Micrium, MINIX, Minoca, Moblin, MorphOS, MPE/iX, MS-DOS,
NCR MP-RAS, NetBSD, Netware, NextStep, Nintendo 3DS Nintendo Switch,
NonStop OS, NuttX, OpenBSD, OpenStep, Orbis OS, OS/2, OS21, Plan 9,
PlayStation Portable, QNX, Qubes OS, ReactOS, Redox, RISC OS, ROS,
RTEMS, Sailfish OS, SCO Unix, Serenity, SINIX-Z, SkyOS, software,
Solaris, Sortix, SunOS, Syllable OS, Symbian, Tizen, TPF, Tru64, tvOS,
ucLinux, Ultrix, UNICOS, UnixWare, VMS, vxWorks, watchOS, Wear OS,
WebOS, Wii system Wii U, Windows CE, Windows, Xbox System, Xenix, z/OS,
z/TPF, z/VM, z/VSE, Zephyr
## 28 CPU Architectures
Alpha, ARC, ARM, AVR32, C-SKY, CompactRISC, Elbrus, ETRAX, HP-PA, Itanium,
LoongArch, m68k, m88k, MicroBlaze, MIPS, Nios, OpenRISC, POWER, PowerPC,
RISC-V, s390, SH4, SPARC, Tilera, VAX, x86, Xtensa, z/arch

9
curl/docs/INSTALL.txt
Unescape Просмотреть файл

@ -0,0 +1,9 @@
_ _ ____ _
___| | | | _ \| |
/ __| | | | |_) | |
| (__| |_| | _ <| |___
\___|\___/|_| \_\_____|
How To Compile
see INSTALL.md

63
curl/docs/INTERNALS.md
Unescape Просмотреть файл

@ -0,0 +1,63 @@
<!--
Copyright (C) Daniel Stenberg, <daniel@haxx.se>, et al.
SPDX-License-Identifier: curl
-->
# curl internals
The canonical libcurl internals documentation is now in the [everything
curl](https://everything.curl.dev/internals) book. This file lists supported
versions of libs and build tools.
## Portability
We write curl and libcurl to compile with C89 compilers on 32-bit and up
machines. Most of libcurl assumes more or less POSIX compliance but that is
not a requirement.
We write libcurl to build and work with lots of third party tools, and we
want it to remain functional and buildable with these and later versions
(older versions may still work but is not what we work hard to maintain):
## Dependencies
We aim to support these or later versions.
- OpenSSL 1.0.2a
- LibreSSL 2.9.1
- GnuTLS 3.1.10
- zlib 1.2.5.2
- libssh2 1.2.8
- c-ares 1.6.0
- libssh 0.9.0
- libidn2 2.0.0
- wolfSSL 3.4.6
- OpenLDAP 2.0
- MIT Kerberos 1.2.4
- Heimdal ?
- nghttp2 1.15.0
- Winsock 2.2 (on Windows 95+ and Windows CE .NET 4.1+)
## Build tools
When writing code (mostly for generating stuff included in release tarballs)
we use a few "build tools" and we make sure that we remain functional with
these versions:
- GNU Libtool 1.4.2
- GNU Autoconf 2.59
- GNU Automake 1.7
- GNU M4 1.4
- perl 5.8
- roffit 0.5
- cmake 3.7
Library Symbols
===============
All symbols used internally in libcurl must use a `Curl_` prefix if they are
used in more than a single file. Single-file symbols must be made static.
Public ("exported") symbols must use a `curl_` prefix. Public API functions
are marked with `CURL_EXTERN` in the public header files so that all others
can be hidden on platforms where this is possible.

133
curl/docs/IPFS.md
Unescape Просмотреть файл

@ -0,0 +1,133 @@
<!--
Copyright (C) Daniel Stenberg, <daniel@haxx.se>, et al.
SPDX-License-Identifier: curl
-->
# IPFS
For an overview about IPFS, visit the [IPFS project site](https://ipfs.tech/).
In IPFS there are two protocols. IPFS and IPNS (their workings are explained in detail [here](https://docs.ipfs.tech/concepts/)). The ideal way to access data on the IPFS network is through those protocols. For example to access the Big Buck Bunny video the ideal way to access it is like: `ipfs://bafybeigagd5nmnn2iys2f3doro7ydrevyr2mzarwidgadawmamiteydbzi`
## IPFS Gateways
IPFS Gateway acts as a bridge between traditional HTTP clients and IPFS.
IPFS Gateway specifications of HTTP semantics can be found [here](https://specs.ipfs.tech/http-gateways/).
### Deserialized responses
By default, a gateway acts as a bridge between traditional HTTP clients and IPFS and performs necessary hash verification and deserialization. Through such gateway, users can download files, directories, and other content-addressed data stored with IPFS or IPNS as if they were stored in a traditional web server.
### Verifiable responses
By explicitly requesting [application/vnd.ipld.raw](https://www.iana.org/assignments/media-types/application/vnd.ipld.raw) or [application/vnd.ipld.car](https://www.iana.org/assignments/media-types/application/vnd.ipld.car) responses, by means defined in [Trustless Gateway Specification](https://specs.ipfs.tech/http-gateways/trustless-gateway/), the user is able to fetch raw content-addressed data and [perform hash verification themselves](https://docs.ipfs.tech/reference/http/gateway/#trustless-verifiable-retrieval).
This enables users to use untrusted, public gateways without worrying they might return invalid/malicious bytes.
## IPFS and IPNS protocol handling
There are various ways to access data from the IPFS network. One such way is
through the concept of public
"[gateways](https://docs.ipfs.tech/concepts/ipfs-gateway/#overview)". The
short version is that entities can offer gateway services. An example here
that is hosted by Protocol Labs (who also makes IPFS) is `dweb.link` and
`ipfs.io`. Both sites expose gateway functionality. Getting a file through
`ipfs.io` looks like this:
`https://ipfs.io/ipfs/bafybeigagd5nmnn2iys2f3doro7ydrevyr2mzarwidgadawmamiteydbzi`
If you were to be [running your own IPFS
node](https://docs.ipfs.tech/how-to/command-line-quick-start/) then you, by
default, also have a [local gateway](https://specs.ipfs.tech/http-gateways/)
running. In its default configuration the earlier example would then also work
in this link:
`http://127.0.0.1:8080/ipfs/bafybeigagd5nmnn2iys2f3doro7ydrevyr2mzarwidgadawmamiteydbzi`
## cURL handling of the IPFS protocols
The IPFS integration in cURL hides this gateway logic for you. Instead of
providing a full URL to a file on IPFS like this:
```
curl http://127.0.0.1:8080/ipfs/bafybeigagd5nmnn2iys2f3doro7ydrevyr2mzarwidgadawmamiteydbzi
```
You can provide it with the IPFS protocol instead:
```
curl ipfs://bafybeigagd5nmnn2iys2f3doro7ydrevyr2mzarwidgadawmamiteydbzi
```
With the IPFS protocol way of asking a file, cURL still needs to know the
gateway. curl essentially just rewrites the IPFS based URL to a gateway URL.
### IPFS_GATEWAY environment variable
If the `IPFS_GATEWAY` environment variable is found, its value is used as
gateway.
### Automatic gateway detection
When you provide no additional details to cURL then it:
1. First looks for the `IPFS_GATEWAY` environment variable and use that if it
is set.
2. Looks for the file: `~/.ipfs/gateway`. If it can find that file then it
means that you have a local gateway running and that file contains the URL
to your local gateway.
If cURL fails, you are presented with an error message and a link to this page
to the option most applicable to solving the issue.
### `--ipfs-gateway` argument
You can also provide a `--ipfs-gateway` argument to cURL. This overrules any
other gateway setting. curl does not fallback to the other options if the
provided gateway did not work.
## Gateway redirects
A gateway could redirect to another place. For example, `dweb.link` redirects
[path based](https://docs.ipfs.tech/how-to/address-ipfs-on-web/#path-gateway)
requests to [subdomain
based](https://docs.ipfs.tech/how-to/address-ipfs-on-web/#subdomain-gateway)
ones. A request using:
curl ipfs://bafybeigagd5nmnn2iys2f3doro7ydrevyr2mzarwidgadawmamiteydbzi --ipfs-gateway https://dweb.link
Which would be translated to:
https://dweb.link/ipfs/bafybeigagd5nmnn2iys2f3doro7ydrevyr2mzarwidgadawmamiteydbzi
redirects to:
https://bafybeigagd5nmnn2iys2f3doro7ydrevyr2mzarwidgadawmamiteydbzi.ipfs.dweb.link
If you trust this behavior from your gateway of choice then passing the `-L`
option follows the redirect.
## Error messages and hints
Depending on the arguments, cURL could present the user with an error.
### Gateway file and environment variable
cURL tried to look for the file: `~/.ipfs/gateway` but could not find it. It
also tried to look for the `IPFS_GATEWAY` environment variable but could not
find that either. This happens when no extra arguments are passed to cURL and
letting it try to figure it out [automatically](#automatic-gateway-detection).
Any IPFS implementation that has gateway support should expose its URL in
`~/.ipfs/gateway`. If you are already running a gateway, make sure it exposes
the file where cURL expects to find it.
Alternatively you could set the `IPFS_GATEWAY` environment variable or pass
the `--ipfs-gateway` flag to the cURL command.
### Malformed gateway URL
The command executed evaluates in an invalid URL. This could be anywhere in
the URL, but a likely point is a wrong gateway URL.
Inspect the URL set via the `IPFS_GATEWAY` environment variable or passed with
the `--ipfs-gateway` flag. Alternatively opt to go for the
[automatic](#automatic-gateway-detection) gateway detection.

664
curl/docs/KNOWN_BUGS.txt
Unescape Просмотреть файл

@ -0,0 +1,664 @@
_ _ ____ _
___| | | | _ \| |
/ __| | | | |_) | |
| (__| |_| | _ <| |___
\___|\___/|_| \_\_____|
Known Bugs
These are problems and bugs known to exist at the time of this release. Feel
free to join in and help us correct one or more of these. Also be sure to
check the changelog of the current development status, as one or more of these
problems may have been fixed or changed somewhat since this was written.
1. HTTP
2. TLS
2.1 IMAPS connection fails with Rustls error
2.3 Unable to use PKCS12 certificate with Secure Transport
2.4 Secure Transport does not import PKCS#12 client certificates without a password
2.7 Client cert (MTLS) issues with Schannel
2.11 Schannel TLS 1.2 handshake bug in old Windows versions
2.13 CURLOPT_CERTINFO results in CURLE_OUT_OF_MEMORY with Schannel
2.14 mbedTLS and CURLE_AGAIN handling
3. Email protocols
3.1 IMAP SEARCH ALL truncated response
3.2 No disconnect command
3.4 AUTH PLAIN for SMTP is not working on all servers
3.5 APOP authentication fails on POP3
3.6 POP3 issue when reading small chunks
4. Command line
4.1 -T /dev/stdin may upload with an incorrect content length
4.2 -T - always uploads chunked
5. Build and portability issues
5.1 OS400 port requires deprecated IBM library
5.2 curl-config --libs contains private details
5.3 LDFLAGS passed too late making libs linked incorrectly
5.6 Cygwin: make install installs curl-config.1 twice
5.11 configure --with-gssapi with Heimdal is ignored on macOS
5.12 flaky CI builds
5.13 long paths are not fully supported on Windows
5.15 Unicode on Windows
6. Authentication
6.2 MIT Kerberos for Windows build
6.3 NTLM in system context uses wrong name
6.5 NTLM does not support password with § character
6.6 libcurl can fail to try alternatives with --proxy-any
6.7 Do not clear digest for single realm
6.8 Heimdal memory leaks
6.9 SHA-256 digest not supported in Windows SSPI builds
6.10 curl never completes Negotiate over HTTP
6.11 Negotiate on Windows fails
6.12 cannot use Secure Transport with Crypto Token Kit
6.13 Negotiate against Hadoop HDFS
7. FTP
7.4 FTP with ACCT
7.12 FTPS directory listing hangs on Windows with Schannel
9. SFTP and SCP
9.1 SFTP does not do CURLOPT_POSTQUOTE correct
9.2 wolfssh: publickey auth does not work
9.3 Remote recursive folder creation with SFTP
9.4 libssh blocking and infinite loop problem
9.5 Cygwin: "WARNING: UNPROTECTED PRIVATE KEY FILE!"
10. Connection
10.1 --interface with link-scoped IPv6 address
11. Internals
11.1 gssapi library name + version is missing in curl_version_info()
11.2 error buffer not set if connection to multiple addresses fails
11.3 TFTP tests fail on OpenBSD
11.4 HTTP test server 'connection-monitor' problems
11.5 Connection information when using TCP Fast Open
11.6 test cases sometimes timeout
11.7 CURLOPT_CONNECT_TO does not work for HTTPS proxy
11.8 WinIDN test failures
11.9 setting a disabled option should return CURLE_NOT_BUILT_IN
12. LDAP
12.1 OpenLDAP hangs after returning results
12.2 LDAP on Windows does authentication wrong?
12.3 LDAP on Windows does not work
12.4 LDAPS requests to ActiveDirectory server hang
13. TCP/IP
13.2 Trying local ports fails on Windows
15. CMake
15.1 cmake outputs: no version information available
15.2 support build with GnuTLS
15.3 unusable tool_hugehelp.c with MinGW
15.6 uses -lpthread instead of Threads::Threads
15.7 generated .pc file contains strange entries
15.13 CMake build with MIT Kerberos does not work
16. aws-sigv4
16.2 aws-sigv4 does not handle multipart/form-data correctly
16.3 aws-sigv4 has problems with particular URLs
16.6 aws-sigv4 does not behave well with AWS VPC Lattice
17. HTTP/2
17.1 HTTP/2 prior knowledge over proxy
17.2 HTTP/2 frames while in the connection pool kill reuse
17.3 ENHANCE_YOUR_CALM causes infinite retries
17.4 HTTP/2 + TLS spends a lot of time in recv
18. HTTP/3
18.1 connection migration does not work
18.2 quiche: QUIC connection is draining
19. RTSP
19.1 Some methods do not support response bodies
==============================================================================
1. HTTP
2. TLS
2.1 IMAPS connection fails with Rustls error
https://github.com/curl/curl/issues/10457
2.3 Unable to use PKCS12 certificate with Secure Transport
See https://github.com/curl/curl/issues/5403
2.4 Secure Transport does not import PKCS#12 client certificates without a password
libcurl calls SecPKCS12Import with the PKCS#12 client certificate, but that
function rejects certificates that do not have a password.
https://github.com/curl/curl/issues/1308
2.7 Client cert (MTLS) issues with Schannel
See https://github.com/curl/curl/issues/3145
2.11 Schannel TLS 1.2 handshake bug in old Windows versions
In old versions of Windows such as 7 and 8.1 the Schannel TLS 1.2 handshake
implementation likely has a bug that can rarely cause the key exchange to
fail, resulting in error SEC_E_BUFFER_TOO_SMALL or SEC_E_MESSAGE_ALTERED.
https://github.com/curl/curl/issues/5488
2.13 CURLOPT_CERTINFO results in CURLE_OUT_OF_MEMORY with Schannel
https://github.com/curl/curl/issues/8741
2.14 mbedTLS and CURLE_AGAIN handling
https://github.com/curl/curl/issues/15801
3. Email protocols
3.1 IMAP SEARCH ALL truncated response
IMAP "SEARCH ALL" truncates output on large boxes. "A quick search of the
code reveals that pingpong.c contains some truncation code, at line 408, when
it deems the server response to be too large truncating it to 40 characters"
https://curl.se/bug/view.cgi?id=1366
3.2 No disconnect command
The disconnect commands (LOGOUT and QUIT) may not be sent by IMAP, POP3 and
SMTP if a failure occurs during the authentication phase of a connection.
3.4 AUTH PLAIN for SMTP is not working on all servers
Specifying "--login-options AUTH=PLAIN" on the command line does not seem to
work correctly.
See https://github.com/curl/curl/issues/4080
3.5 APOP authentication fails on POP3
See https://github.com/curl/curl/issues/10073
3.6 POP3 issue when reading small chunks
CURL_DBG_SOCK_RMAX=4 ./runtests.pl -v 982
See https://github.com/curl/curl/issues/12063
4. Command line
4.1 -T /dev/stdin may upload with an incorrect content length
-T stats the path to figure out its size in bytes to use it as Content-Length
if it is a regular file.
The problem with that is that, on BSDs and some other UNIXes (not Linux),
open(path) may not give you a file descriptor with a 0 offset from the start
of the file.
See https://github.com/curl/curl/issues/12177
4.2 -T - always uploads chunked
When the `<` shell operator is used. curl should realise that stdin is a
regular file in this case, and that it can do a non-chunked upload, like it
would do if you used -T file.
See https://github.com/curl/curl/issues/12171
5. Build and portability issues
5.1 OS400 port requires deprecated IBM library
curl for OS400 requires QADRT to build, which provides ASCII wrappers for
libc/POSIX functions in the ILE, but IBM no longer supports or even offers
this library to download.
See https://github.com/curl/curl/issues/5176
5.2 curl-config --libs contains private details
"curl-config --libs" include details set in LDFLAGS when configure is run
that might be needed only for building libcurl. Further, curl-config --cflags
suffers from the same effects with CFLAGS/CPPFLAGS.
5.3 LDFLAGS passed too late making libs linked incorrectly
Compiling latest curl on HP-UX and linking against a custom OpenSSL (which is
on the default loader/linker path), fails because the generated Makefile has
LDFLAGS passed on after LIBS.
See https://github.com/curl/curl/issues/14893
5.6 Cygwin: make install installs curl-config.1 twice
https://github.com/curl/curl/issues/8839
5.11 configure --with-gssapi with Heimdal is ignored on macOS
... unless you also pass --with-gssapi-libs
https://github.com/curl/curl/issues/3841
5.12 flaky CI builds
We run many CI builds for each commit and PR on github, and especially a
number of the Windows builds are flaky. This means that we rarely get all CI
builds go green and complete without errors. This is unfortunate as it makes
us sometimes miss actual build problems and it is surprising to newcomers to
the project who (rightfully) do not expect this.
See https://github.com/curl/curl/issues/6972
5.13 long paths are not fully supported on Windows
curl on Windows cannot access long paths (paths longer than 260 characters).
However, as a workaround, the Windows path prefix \\?\ which disables all
path interpretation may work to allow curl to access the path. For example:
\\?\c:\longpath.
See https://github.com/curl/curl/issues/8361
5.15 Unicode on Windows
Passing in a Unicode filename with -o:
https://github.com/curl/curl/issues/11461
Passing in Unicode character with -d:
https://github.com/curl/curl/issues/12231
Windows Unicode builds use homedir in current locale
The Windows Unicode builds of curl use the current locale, but expect Unicode
UTF-8 encoded paths for internal use such as open, access and stat. The
user's home directory is retrieved via curl_getenv in the current locale and
not as UTF-8 encoded Unicode.
See https://github.com/curl/curl/pull/7252 and
https://github.com/curl/curl/pull/7281
Cannot handle Unicode arguments in non-Unicode builds on Windows
If a URL or filename cannot be encoded using the user's current codepage then
it can only be encoded properly in the Unicode character set. Windows uses
UTF-16 encoding for Unicode and stores it in wide characters, however curl
and libcurl are not equipped for that at the moment except when built with
_UNICODE and UNICODE defined. Except for Cygwin, Windows cannot use UTF-8 as
a locale.
https://curl.se/bug/?i=345
https://curl.se/bug/?i=731
https://curl.se/bug/?i=3747
NTLM authentication and Unicode
NTLM authentication involving Unicode username or password only works
properly if built with UNICODE defined together with the Schannel backend.
The original problem was mentioned in:
https://curl.se/mail/lib-2009-10/0024.html
https://curl.se/bug/view.cgi?id=896
The Schannel version verified to work as mentioned in
https://curl.se/mail/lib-2012-07/0073.html
6. Authentication
6.2 MIT Kerberos for Windows build
libcurl fails to build with MIT Kerberos for Windows (KfW) due to KfW's
library header files exporting symbols/macros that should be kept private to
the KfW library. See ticket #5601 at https://krbdev.mit.edu/rt/
6.3 NTLM in system context uses wrong name
NTLM authentication using SSPI (on Windows) when (lib)curl is running in
"system context" makes it use wrong(?) username - at least when compared to
what winhttp does. See https://curl.se/bug/view.cgi?id=535
6.5 NTLM does not support password with § character
https://github.com/curl/curl/issues/2120
6.6 libcurl can fail to try alternatives with --proxy-any
When connecting via a proxy using --proxy-any, a failure to establish an
authentication causes libcurl to abort trying other options if the failed
method has a higher preference than the alternatives. As an example,
--proxy-any against a proxy which advertise Negotiate and NTLM, but which
fails to set up Kerberos authentication does not proceed to try
authentication using NTLM.
https://github.com/curl/curl/issues/876
6.7 Do not clear digest for single realm
https://github.com/curl/curl/issues/3267
6.8 Heimdal memory leaks
Running test 2077 and 2078 with curl built to do GSS with Heimdal causes
valgrind errors (memory leak).
https://github.com/curl/curl/issues/14446
6.9 SHA-256 digest not supported in Windows SSPI builds
Windows builds of curl that have SSPI enabled use the native Windows API calls
to create authentication strings. The call to InitializeSecurityContext fails
with SEC_E_QOP_NOT_SUPPORTED which causes curl to fail with CURLE_AUTH_ERROR.
Microsoft does not document supported digest algorithms and that SEC_E error
code is not a documented error for InitializeSecurityContext (digest).
https://github.com/curl/curl/issues/6302
6.10 curl never completes Negotiate over HTTP
Apparently it is not working correctly...?
See https://github.com/curl/curl/issues/5235
6.11 Negotiate on Windows fails
When using --negotiate (or NTLM) with curl on Windows, SSL/TLS handshake
fails despite having a valid kerberos ticket cached. Works without any issue
in Unix/Linux.
https://github.com/curl/curl/issues/5881
6.12 cannot use Secure Transport with Crypto Token Kit
https://github.com/curl/curl/issues/7048
6.13 Negotiate authentication against Hadoop HDFS
https://github.com/curl/curl/issues/8264
7. FTP
7.4 FTP with ACCT
When doing an operation over FTP that requires the ACCT command (but not when
logging in), the operation fails since libcurl does not detect this and thus
fails to issue the correct command: https://curl.se/bug/view.cgi?id=635
7.12 FTPS server compatibility on Windows with Schannel
FTPS is not widely used with the Schannel TLS backend and so there may be
more bugs compared to other TLS backends such as OpenSSL. In the past users
have reported hanging and failed connections. It is likely some changes to
curl since then fixed the issues. None of the reported issues can be
reproduced any longer.
If you encounter an issue connecting to your server via FTPS with the latest
curl and Schannel then please search for open issues or file a new issue.
9. SFTP and SCP
9.1 SFTP does not do CURLOPT_POSTQUOTE correct
When libcurl sends CURLOPT_POSTQUOTE commands when connected to a SFTP server
using the multi interface, the commands are not being sent correctly and
instead the connection is "cancelled" (the operation is considered done)
prematurely. There is a half-baked (busy-looping) patch provided in the bug
report but it cannot be accepted as-is. See
https://curl.se/bug/view.cgi?id=748
9.2 wolfssh: publickey auth does not work
When building curl to use the wolfSSH backend for SFTP, the publickey
authentication does not work. This is simply functionality not written for curl
yet, the necessary API for make this work is provided by wolfSSH.
See https://github.com/curl/curl/issues/4820
9.3 Remote recursive folder creation with SFTP
On this servers, the curl fails to create directories on the remote server
even when the CURLOPT_FTP_CREATE_MISSING_DIRS option is set.
See https://github.com/curl/curl/issues/5204
9.4 libssh blocking and infinite loop problem
In the SSH_SFTP_INIT state for libssh, the ssh session working mode is set to
blocking mode. If the network is suddenly disconnected during sftp
transmission, curl is stuck, even if curl is configured with a timeout.
https://github.com/curl/curl/issues/8632
9.5 Cygwin: "WARNING: UNPROTECTED PRIVATE KEY FILE!"
Running SCP and SFTP tests on Cygwin makes this warning message appear.
https://github.com/curl/curl/issues/11244
10. Connection
10.1 --interface with link-scoped IPv6 address
When you give the `--interface` option telling curl to use a specific
interface for its outgoing traffic in combination with a IPv6 address in the
URL that uses a link-local scope, curl might pick the wrong address from the
named interface and the subsequent transfer fails.
Example command line:
curl --interface eth0 'http://[fe80:928d:xxff:fexx:xxxx]/'
The fact that the given IP address is link-scoped should probably be used as
input to somehow make curl make a better choice for this.
https://github.com/curl/curl/issues/14782
11. Internals
11.1 gssapi library name + version is missing in curl_version_info()
The struct needs to be expanded and code added to store this info.
See https://github.com/curl/curl/issues/13492
11.2 error buffer not set if connection to multiple addresses fails
If you ask libcurl to resolve a hostname like example.com to IPv6 addresses
when you only have IPv4 connectivity. libcurl fails with
CURLE_COULDNT_CONNECT, but the error buffer set by CURLOPT_ERRORBUFFER
remains empty. Issue: https://github.com/curl/curl/issues/544
11.3 TFTP tests fail on OpenBSD
When adding an OpenBSD job with tests to GHA, some tests consistently fail
to run.
See https://github.com/curl/curl/issues/13623
11.4 HTTP test server 'connection-monitor' problems
The 'connection-monitor' feature of the sws HTTP test server does not work
properly if some tests are run in unexpected order. Like 1509 and then 1525.
See https://github.com/curl/curl/issues/868
11.5 Connection information when using TCP Fast Open
CURLINFO_LOCAL_PORT (and possibly a few other) fails when TCP Fast Open is
enabled.
See https://github.com/curl/curl/issues/1332 and
https://github.com/curl/curl/issues/4296
11.6 test cases sometimes timeout
Occasionally, one of the tests timeouts. Inexplicably.
See https://github.com/curl/curl/issues/13350
11.7 CURLOPT_CONNECT_TO does not work for HTTPS proxy
It is unclear if the same option should even cover the proxy connection or if
if requires a separate option.
See https://github.com/curl/curl/issues/14481
11.8 WinIDN test failures
Test 165 disabled when built with WinIDN.
11.9 setting a disabled option should return CURLE_NOT_BUILT_IN
When curl has been built with specific features or protocols disabled,
setting such options with curl_easy_setopt() should rather return
CURLE_NOT_BUILT_IN instead of CURLE_UNKNOWN_OPTION to signal the difference
to the application
See https://github.com/curl/curl/issues/15472
12. LDAP
12.1 OpenLDAP hangs after returning results
By configuration defaults, OpenLDAP automatically chase referrals on
secondary socket descriptors. The OpenLDAP backend is asynchronous and thus
should monitor all socket descriptors involved. Currently, these secondary
descriptors are not monitored, causing OpenLDAP library to never receive
data from them.
As a temporary workaround, disable referrals chasing by configuration.
The fix is not easy: proper automatic referrals chasing requires a
synchronous bind callback and monitoring an arbitrary number of socket
descriptors for a single easy handle (currently limited to 5).
Generic LDAP is synchronous: OK.
See https://github.com/curl/curl/issues/622 and
https://curl.se/mail/lib-2016-01/0101.html
12.2 LDAP on Windows does authentication wrong?
https://github.com/curl/curl/issues/3116
12.3 LDAP on Windows does not work
A simple curl command line getting "ldap://ldap.forumsys.com" returns an
error that says "no memory" !
https://github.com/curl/curl/issues/4261
12.4 LDAPS requests to ActiveDirectory server hang
https://github.com/curl/curl/issues/9580
13. TCP/IP
13.2 Trying local ports fails on Windows
This makes '--local-port [range]' to not work since curl cannot properly
detect if a port is already in use, so it tries the first port, uses that and
then subsequently fails anyway if that was actually in use.
https://github.com/curl/curl/issues/8112
15. CMake
15.1 cmake outputs: no version information available
Something in the SONAME generation seems to be wrong in the cmake build.
https://github.com/curl/curl/issues/11158
15.6 uses -lpthread instead of Threads::Threads
See https://github.com/curl/curl/issues/6166
15.7 generated .pc file contains strange entries
The Libs.private field of the generated .pc file contains -lgcc -lgcc_s -lc
-lgcc -lgcc_s
See https://github.com/curl/curl/issues/6167
15.13 CMake build with MIT Kerberos does not work
Minimum CMake version was bumped in curl 7.71.0 (#5358) Since CMake 3.2
try_compile started respecting the CMAKE_EXE_FLAGS. The code dealing with
MIT Kerberos detection sets few variables to potentially weird mix of space,
and ;-separated flags. It had to blow up at some point. All the CMake checks
that involve compilation are doomed from that point, the configured tree
cannot be built.
https://github.com/curl/curl/issues/6904
16. aws-sigv4
16.2 aws-sigv4 does not handle multipart/form-data correctly
https://github.com/curl/curl/issues/13351
16.3 aws-sigv4 has problems with particular URLs
https://github.com/curl/curl/issues/13085
16.6 aws-sigv4 does not behave well with AWS VPC Lattice
https://github.com/curl/curl/issues/11007
17. HTTP/2
17.1 HTTP/2 prior knowledge over proxy
https://github.com/curl/curl/issues/12641
17.2 HTTP/2 frames while in the connection pool kill reuse
If the server sends HTTP/2 frames (like for example an HTTP/2 PING frame) to
curl while the connection is held in curl's connection pool, the socket is
found readable when considered for reuse and that makes curl think it is dead
and then it is closed and a new connection gets created instead.
This is *best* fixed by adding monitoring to connections while they are kept
in the pool so that pings can be responded to appropriately.
17.3 ENHANCE_YOUR_CALM causes infinite retries
Infinite retries with 2 parallel requests on one connection receiving GOAWAY
with ENHANCE_YOUR_CALM error code.
See https://github.com/curl/curl/issues/5119
17.4 HTTP/2 + TLS spends a lot of time in recv
It has been observed that by making the speed limit less accurate we could
improve this performance. (by reverting
https://github.com/curl/curl/commit/db5c9f4f9e0779b49624752b135281a0717b277b)
Can we find a golden middle ground?
See https://curl.se/mail/lib-2024-05/0026.html and
https://github.com/curl/curl/issues/13416
18. HTTP/3
18.1 connection migration does not work
https://github.com/curl/curl/issues/7695
18.2 quiche: QUIC connection is draining
The transfer ends with error "QUIC connection is draining".
https://github.com/curl/curl/issues/12037
19. RTSP
19.1 Some methods do not support response bodies
The RTSP implementation is written to assume that a number of RTSP methods
always get responses without bodies, even though there seems to be no
indication in the RFC that this is always the case.
https://github.com/curl/curl/issues/12414

258
curl/docs/MAIL-ETIQUETTE.md
Unescape Просмотреть файл

@ -0,0 +1,258 @@
<!--
Copyright (C) Daniel Stenberg, <daniel@haxx.se>, et al.
SPDX-License-Identifier: curl
-->
# Mail etiquette
## About the lists
### Mailing Lists
The mailing lists we have are all listed and described on the [curl
website](https://curl.se/mail/).
Each mailing list is targeted to a specific set of users and subjects, please
use the one or the ones that suit you the most.
Each mailing list has hundreds up to thousands of readers, meaning that each
mail sent is received and read by a large number of people. People from
various cultures, regions, religions and continents.
### Netiquette
Netiquette is a common term for how to behave on the Internet. Of course, in
each particular group and subculture there are differences in what is
acceptable and what is considered good manners.
This document outlines what we in the curl project consider to be good
etiquette, and primarily this focus on how to behave on and how to use our
mailing lists.
### Do Not Mail a Single Individual
Many people send one question to one person. One person gets many mails, and
there is only one person who can give you a reply. The question may be
something that other people would also like to ask. These other people have no
way to read the reply, but to ask the one person the question. The one person
consequently gets overloaded with mail.
If you really want to contact an individual and perhaps pay for his or her
services, by all means go ahead, but if it is just another curl question, take
it to a suitable list instead.
### Subscription Required
All curl mailing lists require that you are subscribed to allow a mail to go
through to all the subscribers.
If you post without being subscribed (or from a different mail address than
the one you are subscribed with), your mail is simply silently discarded. You
have to subscribe first, then post.
The reason for this unfortunate and strict subscription policy is of course to
stop spam from pestering the lists.
### Moderation of new posters
Several of the curl mailing lists automatically make all posts from new
subscribers be moderated. After you have subscribed and sent your first mail
to a list, that mail is not let through to the list until a mailing list
administrator has verified that it is OK and permits it to get posted.
Once a first post has been made that proves the sender is actually talking
about curl-related subjects, the moderation "flag" is switched off and future
posts go through without being moderated.
The reason for this moderation policy is that we do suffer from spammers who
actually subscribe and send spam to our lists.
### Handling trolls and spam
Despite our good intentions and hard work to keep spam off the lists and to
maintain a friendly and positive atmosphere, there are times when spam and or
trolls get through.
Troll - "someone who posts inflammatory, extraneous, or off-topic messages in
an online community"
Spam - "use of electronic messaging systems to send unsolicited bulk messages"
No matter what, we NEVER EVER respond to trolls or spammers on the list. If
you believe the list admin should do something in particular, contact them
off-list. The subject is taken care of as much as possible to prevent repeated
offenses, but responding on the list to such messages never leads to anything
good and only puts the light even more on the offender: which was the entire
purpose of it getting sent to the list in the first place.
Do not feed the trolls.
### How to unsubscribe
You can unsubscribe the same way you subscribed in the first place. You go to
the page for the particular mailing list you are subscribed to and you enter
your email address and password and press the unsubscribe button.
Also, the instructions to unsubscribe are included in the headers of every
mail that is sent out to all curl related mailing lists and there is a footer
in each mail that links to the "admin" page on which you can unsubscribe and
change other options.
You NEVER EVER email the mailing list requesting someone else to take you off
the list.
### I posted, now what?
If you are not subscribed with the same email address that you used to send
the email, your post is silently discarded.
If you posted for the first time to the mailing list, you first need to wait
for an administrator to allow your email to go through (moderated). This
normally happens quickly but in case we are asleep, you may have to wait a few
hours.
Once your email goes through it is sent out to several hundred or even
thousands of recipients. Your email may cover an area that not that many
people know about or are interested in. Or possibly the person who knows about
it is on vacation or under a heavy work load right now. You may have to wait
for a response and you should not expect to get a response at all. Ideally,
you get an answer within a couple of days.
You do yourself and all of us a service when you include as many details as
possible already in your first email. Mention your operating system and
environment. Tell us which curl version you are using and tell us what you
did, what happened and what you expected would happen. Preferably, show us
what you did with details enough to allow others to help point out the problem
or repeat the steps in their locations.
Failing to include details only delays responses and make people respond and
ask for more details and you have to send follow-up emails that include them.
Expect the responses to primarily help YOU debug the issue, or ask YOU
questions that can lead you or others towards a solution or explanation to
whatever you experience.
If you are a repeat offender to the guidelines outlined in this document,
chances are that people ignore you and your chances to get responses in the
future greatly diminish.
### Your emails are public
Your email, its contents and all its headers and the details in those headers
are received by every subscriber of the mailing list that you send your email
to.
Your email as sent to a curl mailing list ends up in mail archives, on the
curl website and elsewhere, for others to see and read. Today and in the
future. In addition to the archives, the mail is sent out to thousands of
individuals. There is no way to undo a sent email.
When sending emails to a curl mailing list, do not include sensitive
information such as usernames and passwords; use fake ones, temporary ones or
just remove them completely from the mail. Note that this includes base64
encoded HTTP Basic auth headers.
This public nature of the curl mailing lists makes automatically inserted mail
footers about mails being "private" or "only meant for the recipient" or
similar even more silly than usual. Because they are absolutely not private
when sent to a public mailing list.
## Sending mail
### Reply or New Mail
Please do not reply to an existing message as a short-cut to post a message to
the lists.
Many mail programs and web archivers use information within mails to keep them
together as "threads", as collections of posts that discuss a certain subject.
If you do not intend to reply on the same or similar subject, do not just hit
reply on an existing mail and change the subject, create a new mail.
### Reply to the List
When replying to a message from the list, make sure that you do "group reply"
or "reply to all", and not just reply to the author of the single mail you
reply to.
We are actively discouraging replying to the single person by setting the
correct field in outgoing mails back asking for replies to get sent to the
mailing list address, making it harder for people to reply to the author only
by mistake.
### Use a Sensible Subject
Please use a subject of the mail that makes sense and that is related to the
contents of your mail. It makes it a lot easier to find your mail afterwards
and it makes it easier to track mail threads and topics.
### Do Not Top-Post
If you reply to a message, do not use top-posting. Top-posting is when you
write the new text at the top of a mail and you insert the previous quoted
mail conversation below. It forces users to read the mail in a backwards order
to properly understand it.
This is why top posting is so bad (in top posting order):
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?
A: Top-posting.
Q: What is the most annoying thing in email?
Apart from the screwed up read order (especially when mixed together in a
thread when someone responds using the mandated bottom-posting style), it also
makes it impossible to quote only parts of the original mail.
When you reply to a mail. You let the mail client insert the previous mail
quoted. Then you put the cursor on the first line of the mail and you move
down through the mail, deleting all parts of the quotes that do not add
context for your comments. When you want to add a comment you do so, inline,
right after the quotes that relate to your comment. Then you continue
downwards again.
When most of the quotes have been removed and you have added your own words,
you are done.
### HTML is not for mails
Please switch off those HTML encoded messages. You can mail all those funny
mails to your friends. We speak plain text mails.
### Quoting
Quote as little as possible. Just enough to provide the context you cannot
eave out. A lengthy description can be found
[here](https://www.netmeister.org/news/learn2quote.html).
### Digest
We allow subscribers to subscribe to the "digest" version of the mailing
lists. A digest is a collection of mails lumped together in one single mail.
Should you decide to reply to a mail sent out as a digest, there are two
things you MUST consider if you really, really cannot subscribe normally
instead:
Cut off all mails and chatter that is not related to the mail you want to
reply to.
Change the subject name to something sensible and related to the subject,
preferably even the actual subject of the single mail you wanted to reply to
### Please Tell Us How You Solved The Problem
Many people mail questions to the list, people spend some of their time and
make an effort in providing good answers to these questions.
If you are the one who asks, please consider responding once more in case one
of the hints was what solved your problems. The guys who write answers feel
good to know that they provided a good answer and that you fixed the problem.
Far too often, the person who asked the question is never heard from again,
and we never get to know if they are gone because the problem was solved or
perhaps because the problem was unsolvable.
Getting the solution posted also helps other users that experience the same
problem(s). They get to see (possibly in the web archives) that the suggested
fixes actually have helped at least one person.

1008
curl/docs/MANUAL.md
Просмотреть файл

Разница между файлами не показана из-за своего большого размера Загрузить разницу

18
curl/docs/README.md
Unescape Просмотреть файл

@ -0,0 +1,18 @@
<!--
Copyright (C) Daniel Stenberg, <daniel@haxx.se>, et al.
SPDX-License-Identifier: curl
-->
![curl logo](https://curl.se/logo/curl-logo.svg)
# Documentation
You find a mix of various documentation in this directory and subdirectories,
using several different formats. Some of them are not ideal for reading
directly in your browser.
If you would rather see the rendered version of the documentation, check out the
curl website's [documentation section](https://curl.se/docs/) for
general curl stuff or the [libcurl section](https://curl.se/libcurl/) for
libcurl related documentation.

141
curl/docs/RELEASE-PROCEDURE.md
Unescape Просмотреть файл

@ -0,0 +1,141 @@
<!--
Copyright (C) Daniel Stenberg, <daniel@haxx.se>, et al.
SPDX-License-Identifier: curl
-->
curl release procedure - how to do a release
============================================
in the source code repo
-----------------------
- edit `RELEASE-NOTES` to be accurate
- update `docs/THANKS`
- make sure all relevant changes are committed on the master branch
- tag the git repo in this style: `git tag -a curl-7_34_0`. -a annotates the
tag and we use underscores instead of dots in the version number. Make sure
the tag is GPG signed (using -s).
- run `./scripts/dmaketgz 7.34.0` to build the release tarballs.
- push the git commits and the new tag
- GPG sign the 4 tarballs as `maketgz` suggests
- upload the 8 resulting files to the primary download directory
in the curl-www repo
--------------------
- edit `Makefile` (version number and date),
- edit `_newslog.html` (announce the new release) and
- edit `_changes.html` (insert changes+bugfixes from RELEASE-NOTES)
- commit all local changes
- tag the repo with the same name as used for the source repo.
- make sure all relevant changes are committed and pushed on the master branch
(the website then updates its contents automatically)
on GitHub
---------
- edit the newly made release tag so that it is listed as the latest release
inform
------
- send an email to curl-users, curl-announce and curl-library. Insert the
RELEASE-NOTES into the mail.
- if there are any advisories associated with the release, send each markdown
file to the above lists as well as to `oss-security@lists.openwall.com`
(unless the problem is unique to the non-open operating systems)
celebrate
---------
- suitable beverage intake is encouraged for the festivities
curl release scheduling
=======================
Release Cycle
-------------
We normally do releases every 8 weeks on Wednesdays. If important problems
arise, we can insert releases outside the schedule or we can move the release
date.
Each 8 week (56 days) release cycle is divided into three distinct periods:
- During the first 10 calendar days after a release, we are in "cool down". We
do not merge features but only bug-fixes. If a regression is reported, we
might do a follow-up patch release.
- During the following 3 weeks (21 days) there is a feature window: we allow
new features and changes to curl and libcurl. If we accept any such changes,
we bump the minor number used for the next release.
- During the next 25 days we are in feature freeze. We do not merge any
features or changes, and we only focus on fixing bugs and polishing things
to make the pending release a solid one.
If a future release date happens to end up on a "bad date", like in the middle
of common public holidays or when the lead release manager is unavailable, the
release date can be moved forwards or backwards a full week. This is then
advertised well in advance.
Release Candidates
------------------
We ship release candidate tarballs on three occasions in preparation for the
pending release:
- Release candidate one (**rc1**) ships the same Saturday the feature freeze
starts. Twenty-five days before the release.
- Release candidate two (**rc2**) ships nine days later, sixteen days before
the release. On a Monday.
- Release candidate tree (**rc3**) ships nine days later, seven days before
the release. On a Wednesday.
Release candidate tarballs are ephemeral and each such tarball is only kept
around for a few weeks. They are provided on their dedicated webpage at:
https://curl.se/rc/
**Do not use release candidates in production**. They are work in progress.
Use them for testing and verification only. Use actual releases in production.
Critical problems
-----------------
We can break the release cycle and do a patch release at any point if a
critical enough problem is reported. There is no exact definition of how to
assess such criticality, but if an issue is highly disturbing or has a
security impact on a large enough share of the user population it might
qualify.
If you think an issue qualifies, bring it to the curl-library mailing list and
push for it.
Coming dates
------------
Based on the description above, here are some planned future release dates:
- February 5, 2025
- April 2, 2025
- May 28, 2025
- July 23, 2025
- September 17, 2025
- November 12, 2025

28
curl/docs/RELEASE-TOOLS.md
Unescape Просмотреть файл

@ -0,0 +1,28 @@
# Release tools used for curl 8.13.0
The following tools and their Debian package version numbers were used to
produce this release tarball.
- autoconf: 2.71-3
- automake: 1:1.16.5-1.3
- libtool: 2.4.7-7~deb12u1
- make: 4.3-4.1
- perl: 5.36.0-7+deb12u1
- git: 1:2.39.5-0+deb12u2
# Reproduce the tarball
- Clone the repo and checkout the tag/commit: curl-8_13_0
- Install the same set of tools + versions as listed above
## Do a standard build
- autoreconf -fi
- ./configure [...]
- make
## Generate the tarball with the same timestamp
- export SOURCE_DATE_EPOCH=1743572861
- ./scripts/maketgz [version]

17
curl/docs/ROADMAP.md
Unescape Просмотреть файл

@ -0,0 +1,17 @@
<!--
Copyright (C) Daniel Stenberg, <daniel@haxx.se>, et al.
SPDX-License-Identifier: curl
-->
# curl the next few years - perhaps
Roadmap of things Daniel Stenberg wants to work on next. It is intended to
serve as a guideline for others for information, feedback and possible
participation.
## WebSocket
Agree that it is a good enough API and remove the EXPERIMENTAL label.
##

85
curl/docs/RUSTLS.md
Unescape Просмотреть файл

@ -0,0 +1,85 @@
<!--
Copyright (C) Daniel Stenberg, <daniel@haxx.se>, et al.
SPDX-License-Identifier: curl
-->
# Rustls
[Rustls is a TLS backend written in Rust](https://docs.rs/rustls/). curl can
be built to use it as an alternative to OpenSSL or other TLS backends. We use
the [rustls-ffi C bindings](https://github.com/rustls/rustls-ffi/). This
version of curl is compatible with `rustls-ffi` v0.15.x.
## Getting rustls-ffi
To build `curl` with `rustls` support you need to have `rustls-ffi` available first.
There are three options for this:
1. Install it from your package manager, if available.
2. Download pre-built binaries.
3. Build it from source.
### Installing rustls-ffi from a package manager
See the [rustls-ffi README] for packaging status. Availability and details for installation
differ between distributions.
Once installed, build `curl` using `--with-rustls`.
% git clone https://github.com/curl/curl
% cd curl
% autoreconf -fi
% ./configure --with-rustls
% make
[rustls-ffi README]: https://github.com/rustls/rustls-ffi?tab=readme-ov-file
### Downloading pre-built rustls-ffi binaries
Pre-built binaries are available on the [releases page] on GitHub for releases since 0.15.0.
Download the appropriate archive for your platform and extract it to a directory of your choice
(e.g. `${HOME}/rustls-ffi-built`).
Once downloaded, build `curl` using `--with-rustls` and the path to the extracted binaries.
% git clone https://github.com/curl/curl
% cd curl
% autoreconf -fi
% ./configure --with-rustls=${HOME}/rustls-ffi-built
% make
[releases page]: https://github.com/rustls/rustls-ffi/releases
### Building rustls-ffi from source
Building `rustls-ffi` from source requires both a rust compiler, and the [cargo-c] cargo plugin.
To install a Rust compiler, use [rustup] or your package manager to install
the **1.73+** or newer toolchain.
To install `cargo-c`, use your [package manager][cargo-c pkg], download
[a pre-built archive][cargo-c prebuilt], or build it from source with `cargo install cargo-c`.
Next, check out, build, and install the appropriate version of `rustls-ffi` using `cargo`:
% git clone https://github.com/rustls/rustls-ffi -b v0.15.0
% cd rustls-ffi
% cargo capi install --release --prefix=${HOME}/rustls-ffi-built
Now configure and build `curl` using `--with-rustls`:
% git clone https://github.com/curl/curl
% cd curl
% autoreconf -fi
% ./configure --with-rustls=${HOME}/rustls-ffi-built
% make
See the [rustls-ffi README][cryptography provider] for more information on cryptography providers and
their build/platform requirements.
[cargo-c]: https://github.com/lu-zero/cargo-c
[rustup]: https://rustup.rs/
[cargo-c pkg]: https://github.com/lu-zero/cargo-c?tab=readme-ov-file#availability
[cargo-c prebuilt]: https://github.com/lu-zero/cargo-c/releases
[cryptography provider]: https://github.com/cpu/rustls-ffi?tab=readme-ov-file#cryptography-provider

135
curl/docs/SECURITY-ADVISORY.md
Unescape Просмотреть файл

@ -0,0 +1,135 @@
<!--
Copyright (C) Daniel Stenberg, <daniel@haxx.se>, et al.
SPDX-License-Identifier: curl
-->
# Anatomy of a curl security advisory
As described in the [Security Process](https://curl.se/dev/secprocess.html)
document, when a security vulnerability has been reported to the project and
confirmed, we author an advisory document for the issue. It should ideally
be written in cooperation with the reporter to make sure all the angles and
details of the problem are gathered and described correctly and succinctly.
## New document
A security advisory for curl is created in the `docs/` folder in the
[curl-www](https://github.com/curl/curl-www) repository. It should be named
`$CVEID.md` where `$CVEID` is the full CVE Id that has been registered for the
flaw. Like `CVE-2016-0755`. The `.md` extension of course means that the
document is written using markdown.
The standard way to go about this is to first write the `VULNERABILITY`
section for the document, so that there is description of the flaw available,
then paste this description into the CVE Id request.
### `vuln.pm`
The new issue should be entered at the top of the list in the file `vuln.pm`
in the same directory. It holds a large array with all published curl
vulnerabilities. All fields should be filled in accordingly, separated by a
pipe character (`|`).
The eleven fields for each CVE in `vuln.pm` are, in order:
HTML page name, first vulnerable version, last vulnerable version, name of
the issue, CVE Id, announce date (`YYYYMMDD`), report to the project date
(`YYYYMMDD`), CWE, awarded reward amount (USD), area (single word), C-issue
(`-` if not a C issue at all, `OVERFLOW` , `OVERREAD`, `DOUBLE_FREE`,
`USE_AFTER_FREE`, `NULL_MISTAKE`, `UNINIT`)
### `Makefile`
The new CVE webpage filename needs to be added in the `Makefile`'s `CVELIST`
macro.
When the markdown is in place and the `Makefile` and `vuln.pm` are updated,
all other files and metadata for all curl advisories and versions get
generated automatically using those files.
## Document format
The easy way is to start with a recent previously published advisory and just
blank out old texts and save it using a new name. Save the subtitles and
general layout.
Some details and metadata are extracted from this document so it is important
to stick to the existing format.
The first list must be the title of the issue.
### VULNERABILITY
The first subtitle should be `VULNERABILITY`. That should then include a
through and detailed description of the flaw. Including how it can be
triggered and maybe something about what might happen if triggered or
exploited.
### INFO
The next section is `INFO` which adds meta data information about the flaw. It
specifically mentions the official CVE Id for the issue and it must list the
CWE Id, starting on its own line. We write CWE identifiers in advisories with
the full (official) explanation on the right side of a colon. Like this:
`CWE-305: Authentication Bypass by Primary Weakness`
### AFFECTED VERSIONS
The third section first lists what versions that are affected, then adds
clarity by stressing what versions that are *not* affected. A third line adds
information about which specific git commit that introduced the vulnerability.
The `Introduced-in` commit should be a full URL that displays the commit, but
should work as a stand-alone commit hash if everything up to the last slash is
cut out.
An example using the correct syntax:
~~~
- Affected versions: curl 7.16.1 to and including 7.88.1
- Not affected versions: curl < 7.16.1 and curl >= 8.0.0
- Introduced-in: https://github.com/curl/curl/commit/2147284cad
~~~
### THE SOLUTION
This section describes and discusses the fix. The only mandatory information
here is the link to the git commit that fixes the problem.
The `Fixed-in` value should be a full URL that displays the commit, but should
work as a stand-alone commit hash if everything up to the last slash is cut
out.
Example:
`- Fixed-in: https://github.com/curl/curl/commit/af369db4d3833272b8ed`
### RECOMMENDATIONS
This section lists the recommended actions for the users in a top to bottom
priority order and should ideally contain three items but no less than two.
The top two are almost always `upgrade curl to version XXX` and `apply the
patch to your local version`.
### TIMELINE
Detail when this report was received in the project. When package distributors
were notified (via the distros mailing list or similar)
When the advisory and fixed version are released.
### CREDITS
Mention the reporter and patch author at least, then everyone else involved
you think deserves a mention.
If you want to mention more than one name, separate the names with comma
(`,`).
~~~
- Reported-by: Full Name
- Patched-by: Full Name
~~~

55
curl/docs/SPONSORS.md
Unescape Просмотреть файл

@ -0,0 +1,55 @@
<!--
Copyright (C) Daniel Stenberg, <daniel@haxx.se>, et al.
SPDX-License-Identifier: curl
-->
# curl sponsors
A sponsor is someone who donates money or resources to the curl project for no
specific service in return.
curl accepts donations via [GitHub sponsors](https://github.com/sponsors/curl)
and [Open Collective](https://opencollective.com/curl).
An even better way to contribute to the project might be to pay an engineer or
two to spend work hours on curl related tasks.
We promise to use donated funds for things and activities that we believe are
beneficial for the project and its development. That includes but is not
limited to bug-bounties, developer conferences, infrastructure, development,
services and hardware.
Recurring donations above a certain amount of money puts the sponsor at a
named sponsor level: **Silver**, **Gold**, **Platinum** or **Top**.
Sponsors on a named level can provide their logo image and preferred URL and
get recognition on the curl website's [sponsor
page](https://curl.se/sponsors.html), assuming they meet the project's
standards and requirements.
- **Silver Sponsor** at least 100 USD/month
- **Gold Sponsor** at least 500 USD/month
- **Platinum Sponsor** at least 1000 USD/month
- **Top Sponsor** outstanding extra valuable help
## Sponsor requirements
A named level sponsor is entitled a logo and link on the curl website assuming
the company, brand and link are not deemed unsuitable. The curl team reserves
the right to make that decision at its own discretion.
Sponsors may be denied a website presence for example if involved with drugs,
gambling, pornography, social media manipulation etc.
## Past Sponsors
Sponsors that stop paying are considered *Past Sponsors* and are not displayed
on the sponsor page anymore. We thank you for your contributions.
## Donations
Please note that sponsorship and donations are exactly that: donations to the
curl project. They are used to help and further the project as the project
leadership deems best. No goods or services are expected or promised in
return. Requests for refunds for such purposes are rejected.

97
curl/docs/SSL-PROBLEMS.md
Unescape Просмотреть файл

@ -0,0 +1,97 @@
<!--
Copyright (C) Daniel Stenberg, <daniel@haxx.se>, et al.
SPDX-License-Identifier: curl
-->
# SSL problems
First, let's establish that we often refer to TLS and SSL interchangeably as
SSL here. The current protocol is called TLS, it was called SSL a long time
ago.
There are several known reasons why a connection that involves SSL might
fail. This is a document that attempts to detail the most common ones and
how to mitigate them.
## CA certs
CA certs are used to digitally verify the server's certificate. You need a
"ca bundle" for this. See lots of more details on this in the `SSLCERTS`
document.
## CA bundle missing intermediate certificates
When using said CA bundle to verify a server cert, you may experience
problems if your CA store does not contain the certificates for the
intermediates if the server does not provide them.
The TLS protocol mandates that the intermediate certificates are sent in the
handshake, but as browsers have ways to survive or work around such
omissions, missing intermediates in TLS handshakes still happen that browser
users do not notice.
Browsers work around this problem in two ways: they cache intermediate
certificates from previous transfers and some implement the TLS "AIA"
extension that lets the client explicitly download such certificates on
demand.
## Protocol version
Some broken servers fail to support the protocol negotiation properly that
SSL servers are supposed to handle. This may cause the connection to fail
completely. Sometimes you may need to explicitly select a SSL version to use
when connecting to make the connection succeed.
An additional complication can be that modern SSL libraries sometimes are
built with support for older SSL and TLS versions disabled.
All versions of SSL and the TLS versions before 1.2 are considered insecure
and should be avoided. Use TLS 1.2 or later.
## Ciphers
Clients give servers a list of ciphers to select from. If the list does not
include any ciphers the server wants/can use, the connection handshake
fails.
curl has recently disabled the user of a whole bunch of seriously insecure
ciphers from its default set (slightly depending on SSL backend in use).
You may have to explicitly provide an alternative list of ciphers for curl
to use to allow the server to use a weak cipher for you.
Note that these weak ciphers are identified as flawed. For example, this
includes symmetric ciphers with less than 128 bit keys and RC4.
Schannel in Windows XP is not able to connect to servers that no longer
support the legacy handshakes and algorithms used by those versions, so we
advise against building curl to use Schannel on really old Windows versions.
Reference: [Prohibiting RC4 Cipher
Suites](https://datatracker.ietf.org/doc/html/draft-popov-tls-prohibiting-rc4-01)
## Allow BEAST
BEAST is the name of a TLS 1.0 attack that surfaced 2011. When adding means
to mitigate this attack, it turned out that some broken servers out there in
the wild did not work properly with the BEAST mitigation in place.
To make such broken servers work, the --ssl-allow-beast option was
introduced. Exactly as it sounds, it re-introduces the BEAST vulnerability
but on the other hand it allows curl to connect to that kind of strange
servers.
## Disabling certificate revocation checks
Some SSL backends may do certificate revocation checks (CRL, OCSP, etc)
depending on the OS or build configuration. The --ssl-no-revoke option was
introduced in 7.44.0 to disable revocation checking but currently is only
supported for Schannel (the native Windows SSL library), with an exception
in the case of Windows' Untrusted Publishers block list which it seems cannot
be bypassed. This option may have broader support to accommodate other SSL
backends in the future.
References:
https://curl.se/docs/ssl-compared.html

124
curl/docs/SSLCERTS.md
Unescape Просмотреть файл

@ -0,0 +1,124 @@
<!--
Copyright (C) Daniel Stenberg, <daniel@haxx.se>, et al.
SPDX-License-Identifier: curl
-->
# TLS Certificate Verification
## Native vs file based
If curl was built with Schannel or Secure Transport support, then curl uses
the system native CA store for verification. All other TLS libraries use a
file based CA store by default.
## Verification
Every trusted server certificate is digitally signed by a Certificate
Authority, a CA.
In your local CA store you have a collection of certificates from *trusted*
certificate authorities that TLS clients like curl use to verify servers.
curl does certificate verification by default. This is done by verifying the
signature and making sure the certificate was crafted for the server name
provided in the URL.
If you communicate with HTTPS, FTPS or other TLS-using servers using
certificates signed by a CA whose certificate is present in the store, you can
be sure that the remote server really is the one it claims to be.
If the remote server uses a self-signed certificate, if you do not install a
CA cert store, if the server uses a certificate signed by a CA that is not
included in the store you use or if the remote host is an impostor
impersonating your favorite site, the certificate check fails and reports an
error.
If you think it wrongly failed the verification, consider one of the following
sections.
### Skip verification
Tell curl to *not* verify the peer with `-k`/`--insecure`.
We **strongly** recommend this is avoided and that even if you end up doing
this for experimentation or development, **never** skip verification in
production.
### Use a custom CA store
Get a CA certificate that can verify the remote server and use the proper
option to point out this CA cert for verification when connecting - for this
specific transfer only.
With the curl command line tool: `--cacert [file]`
If you use the curl command line tool without a native CA store, then you can
specify your own CA cert file by setting the environment variable
`CURL_CA_BUNDLE` to the path of your choice. `SSL_CERT_FILE` and `SSL_CERT_DIR`
are also supported.
If you are using the curl command line tool on Windows, curl searches for a CA
cert file named `curl-ca-bundle.crt` in these directories and in this order:
1. application's directory
2. current working directory
3. Windows System directory (e.g. C:\Windows\System32)
4. Windows Directory (e.g. C:\Windows)
5. all directories along %PATH%
curl 8.11.0 added a build-time option to disable this search behavior, and
another option to restrict search to the application's directory.
### Use the native store
In several environments, in particular on Windows, you can ask curl to use the
system's native CA store when verifying the certificate.
With the curl command line tool: `--ca-native`.
### Modify the CA store
Add the CA cert for your server to the existing default CA certificate store.
Usually you can figure out the path to the local CA store by looking at the
verbose output that `curl -v` shows when you connect to an HTTPS site.
### Change curl's default CA store
The default CA certificate store curl uses is set at build time. When you
build curl you can point out your preferred path.
### Extract CA cert from a server
curl -w %{certs} https://example.com > cacert.pem
The certificate has `BEGIN CERTIFICATE` and `END CERTIFICATE` markers.
### Get the Mozilla CA store
Download a version of the Firefox CA store converted to PEM format on the [CA
Extract](https://curl.se/docs/caextract.html) page. It always features the
latest Firefox bundle.
## Native CA store
If curl was built with Schannel, Secure Transport or were instructed to use
the native CA Store, then curl uses the certificates that are built into the
OS. These are the same certificates that appear in the Internet Options
control panel (under Windows) or Keychain Access application (under macOS).
Any custom security rules for certificates are honored.
Schannel runs CRL checks on certificates unless peer verification is disabled.
Secure Transport on iOS runs OCSP checks on certificates unless peer
verification is disabled. Secure Transport on macOS runs either OCSP or CRL
checks on certificates if those features are enabled, and this behavior can be
adjusted in the preferences of Keychain Access.
## HTTPS proxy
curl can do HTTPS to the proxy separately from the connection to the server.
This TLS connection is handled and verified separately from the server
connection so instead of `--insecure` and `--cacert` to control the
certificate verification, you use `--proxy-insecure` and `--proxy-cacert`.
With these options, you make sure that the TLS connection and the trust of the
proxy can be kept totally separate from the TLS connection to the server.

3385
curl/docs/THANKS.txt
Просмотреть файл

Разница между файлами не показана из-за своего большого размера Загрузить разницу

1372
curl/docs/TODO.txt
Просмотреть файл

Разница между файлами не показана из-за своего большого размера Загрузить разницу

712
curl/docs/TheArtOfHttpScripting.md
Unescape Просмотреть файл

@ -0,0 +1,712 @@
<!--
Copyright (C) Daniel Stenberg, <daniel@haxx.se>, et al.
SPDX-License-Identifier: curl
-->
# The Art Of Scripting HTTP Requests Using curl
## Background
This document assumes that you are familiar with HTML and general networking.
The increasing amount of applications moving to the web has made "HTTP
Scripting" more frequently requested and wanted. To be able to automatically
extract information from the web, to fake users, to post or upload data to
web servers are all important tasks today.
curl is a command line tool for doing all sorts of URL manipulations and
transfers, but this particular document focuses on how to use it when doing
HTTP requests for fun and profit. This documents assumes that you know how to
invoke `curl --help` or `curl --manual` to get basic information about it.
curl is not written to do everything for you. It makes the requests, it gets
the data, it sends data and it retrieves the information. You probably need
to glue everything together using some kind of script language or repeated
manual invokes.
## The HTTP Protocol
HTTP is the protocol used to fetch data from web servers. It is a simple
protocol that is built upon TCP/IP. The protocol also allows information to
get sent to the server from the client using a few different methods, as is
shown here.
HTTP is plain ASCII text lines being sent by the client to a server to
request a particular action, and then the server replies a few text lines
before the actual requested content is sent to the client.
The client, curl, sends an HTTP request. The request contains a method (like
GET, POST, HEAD etc), a number of request headers and sometimes a request
body. The HTTP server responds with a status line (indicating if things went
well), response headers and most often also a response body. The "body" part
is the plain data you requested, like the actual HTML or the image etc.
## See the Protocol
Using curl's option [`--verbose`](https://curl.se/docs/manpage.html#-v) (`-v`
as a short option) displays what kind of commands curl sends to the server,
as well as a few other informational texts.
`--verbose` is the single most useful option when it comes to debug or even
understand the curl<->server interaction.
Sometimes even `--verbose` is not enough. Then
[`--trace`](https://curl.se/docs/manpage.html#-trace) and
[`--trace-ascii`](https://curl.se/docs/manpage.html#--trace-ascii)
offer even more details as they show **everything** curl sends and
receives. Use it like this:
curl --trace-ascii debugdump.txt http://www.example.com/
## See the Timing
Many times you may wonder what exactly is taking all the time, or you just
want to know the amount of milliseconds between two points in a transfer. For
those, and other similar situations, the
[`--trace-time`](https://curl.se/docs/manpage.html#--trace-time) option is
what you need. It prepends the time to each trace output line:
curl --trace-ascii d.txt --trace-time http://example.com/
## See which Transfer
When doing parallel transfers, it is relevant to see which transfer is doing
what. When response headers are received (and logged) you need to know which
transfer these are for.
[`--trace-ids`](https://curl.se/docs/manpage.html#--trace-ids) option is what
you need. It prepends the transfer and connection identifier to each trace
output line:
curl --trace-ascii d.txt --trace-ids http://example.com/
## See the Response
By default curl sends the response to stdout. You need to redirect it
somewhere to avoid that, most often that is done with `-o` or `-O`.
# URL
## Spec
The Uniform Resource Locator format is how you specify the address of a
particular resource on the Internet. You know these, you have seen URLs like
https://curl.se or https://example.com a million times. RFC 3986 is the
canonical spec. The formal name is not URL, it is **URI**.
## Host
The hostname is usually resolved using DNS or your /etc/hosts file to an IP
address and that is what curl communicates with. Alternatively you specify
the IP address directly in the URL instead of a name.
For development and other trying out situations, you can point to a different
IP address for a hostname than what would otherwise be used, by using curl's
[`--resolve`](https://curl.se/docs/manpage.html#--resolve) option:
curl --resolve www.example.org:80:127.0.0.1 http://www.example.org/
## Port number
Each protocol curl supports operates on a default port number, be it over TCP
or in some cases UDP. Normally you do not have to take that into
consideration, but at times you run test servers on other ports or
similar. Then you can specify the port number in the URL with a colon and a
number immediately following the hostname. Like when doing HTTP to port
1234:
curl http://www.example.org:1234/
The port number you specify in the URL is the number that the server uses to
offer its services. Sometimes you may use a proxy, and then you may
need to specify that proxy's port number separately from what curl needs to
connect to the server. Like when using an HTTP proxy on port 4321:
curl --proxy http://proxy.example.org:4321 http://remote.example.org/
## Username and password
Some services are setup to require HTTP authentication and then you need to
provide name and password which is then transferred to the remote site in
various ways depending on the exact authentication protocol used.
You can opt to either insert the user and password in the URL or you can
provide them separately:
curl http://user:password@example.org/
or
curl -u user:password http://example.org/
You need to pay attention that this kind of HTTP authentication is not what
is usually done and requested by user-oriented websites these days. They tend
to use forms and cookies instead.
## Path part
The path part is just sent off to the server to request that it sends back
the associated response. The path is what is to the right side of the slash
that follows the hostname and possibly port number.
# Fetch a page
## GET
The simplest and most common request/operation made using HTTP is to GET a
URL. The URL could itself refer to a webpage, an image or a file. The client
issues a GET request to the server and receives the document it asked for.
If you issue the command line
curl https://curl.se
you get a webpage returned in your terminal window. The entire HTML document
this URL identifies.
All HTTP replies contain a set of response headers that are normally hidden,
use curl's [`--include`](https://curl.se/docs/manpage.html#-i) (`-i`)
option to display them as well as the rest of the document.
## HEAD
You can ask the remote server for ONLY the headers by using the
[`--head`](https://curl.se/docs/manpage.html#-I) (`-I`) option which makes
curl issue a HEAD request. In some special cases servers deny the HEAD method
while others still work, which is a particular kind of annoyance.
The HEAD method is defined and made so that the server returns the headers
exactly the way it would do for a GET, but without a body. It means that you
may see a `Content-Length:` in the response headers, but there must not be an
actual body in the HEAD response.
## Multiple URLs in a single command line
A single curl command line may involve one or many URLs. The most common case
is probably to just use one, but you can specify any amount of URLs. Yes any.
No limits. You then get requests repeated over and over for all the given
URLs.
Example, send two GET requests:
curl http://url1.example.com http://url2.example.com
If you use [`--data`](https://curl.se/docs/manpage.html#-d) to POST to
the URL, using multiple URLs means that you send that same POST to all the
given URLs.
Example, send two POSTs:
curl --data name=curl http://url1.example.com http://url2.example.com
## Multiple HTTP methods in a single command line
Sometimes you need to operate on several URLs in a single command line and do
different HTTP methods on each. For this, you might enjoy the
[`--next`](https://curl.se/docs/manpage.html#-:) option. It is basically a
separator that separates a bunch of options from the next. All the URLs
before `--next` get the same method and get all the POST data merged into
one.
When curl reaches the `--next` on the command line, it resets the method and
the POST data and allow a new set.
Perhaps this is best shown with a few examples. To send first a HEAD and then
a GET:
curl -I http://example.com --next http://example.com
To first send a POST and then a GET:
curl -d score=10 http://example.com/post.cgi --next http://example.com/results.html
# HTML forms
## Forms explained
Forms are the general way a website can present an HTML page with fields for
the user to enter data in, and then press some kind of 'OK' or 'Submit'
button to get that data sent to the server. The server then typically uses
the posted data to decide how to act. Like using the entered words to search
in a database, or to add the info in a bug tracking system, display the
entered address on a map or using the info as a login-prompt verifying that
the user is allowed to see what it is about to see.
Of course there has to be some kind of program on the server end to receive
the data you send. You cannot just invent something out of the air.
## GET
A GET-form uses the method GET, as specified in HTML like:
```html
<form method="GET" action="junk.cgi">
<input type=text name="birthyear">
<input type=submit name=press value="OK">
</form>
```
In your favorite browser, this form appears with a text box to fill in and a
press-button labeled "OK". If you fill in '1905' and press the OK button,
your browser then creates a new URL to get for you. The URL gets
`junk.cgi?birthyear=1905&press=OK` appended to the path part of the previous
URL.
If the original form was seen on the page `www.example.com/when/birth.html`,
the second page you get becomes
`www.example.com/when/junk.cgi?birthyear=1905&press=OK`.
Most search engines work this way.
To make curl do the GET form post for you, just enter the expected created
URL:
curl "http://www.example.com/when/junk.cgi?birthyear=1905&press=OK"
## POST
The GET method makes all input field names get displayed in the URL field of
your browser. That is generally a good thing when you want to be able to
bookmark that page with your given data, but it is an obvious disadvantage if
you entered secret information in one of the fields or if there are a large
amount of fields creating a long and unreadable URL.
The HTTP protocol then offers the POST method. This way the client sends the
data separated from the URL and thus you do not see any of it in the URL
address field.
The form would look similar to the previous one:
```html
<form method="POST" action="junk.cgi">
<input type=text name="birthyear">
<input type=submit name=press value=" OK ">
</form>
```
And to use curl to post this form with the same data filled in as before, we
could do it like:
curl --data "birthyear=1905&press=%20OK%20" http://www.example.com/when/junk.cgi
This kind of POST uses the Content-Type `application/x-www-form-urlencoded`
and is the most widely used POST kind.
The data you send to the server MUST already be properly encoded, curl does
not do that for you. For example, if you want the data to contain a space,
you need to replace that space with `%20`, etc. Failing to comply with this
most likely causes your data to be received wrongly and messed up.
Recent curl versions can in fact url-encode POST data for you, like this:
curl --data-urlencode "name=I am Daniel" http://www.example.com
If you repeat `--data` several times on the command line, curl concatenates
all the given data pieces - and put a `&` symbol between each data segment.
## File Upload POST
Back in late 1995 they defined an additional way to post data over HTTP. It
is documented in the RFC 1867, why this method sometimes is referred to as
RFC 1867-posting.
This method is mainly designed to better support file uploads. A form that
allows a user to upload a file could be written like this in HTML:
<form method="POST" enctype='multipart/form-data' action="upload.cgi">
<input name=upload type=file>
<input type=submit name=press value="OK">
</form>
This clearly shows that the Content-Type about to be sent is
`multipart/form-data`.
To post to a form like this with curl, you enter a command line like:
curl --form upload=@localfilename --form press=OK [URL]
## Hidden Fields
A common way for HTML based applications to pass state information between
pages is to add hidden fields to the forms. Hidden fields are already filled
in, they are not displayed to the user and they get passed along just as all
the other fields.
A similar example form with one visible field, one hidden field and one
submit button could look like:
```html
<form method="POST" action="foobar.cgi">
<input type=text name="birthyear">
<input type=hidden name="person" value="daniel">
<input type=submit name="press" value="OK">
</form>
```
To POST this with curl, you do not have to think about if the fields are
hidden or not. To curl they are all the same:
curl --data "birthyear=1905&press=OK&person=daniel" [URL]
## Figure Out What A POST Looks Like
When you are about to fill in a form and send it to a server by using curl
instead of a browser, you are of course interested in sending a POST exactly
the way your browser does.
An easy way to get to see this, is to save the HTML page with the form on
your local disk, modify the 'method' to a GET, and press the submit button
(you could also change the action URL if you want to).
You then clearly see the data get appended to the URL, separated with a
`?`-letter as GET forms are supposed to.
# HTTP upload
## PUT
Perhaps the best way to upload data to an HTTP server is to use PUT. Then
again, this of course requires that someone put a program or script on the
server end that knows how to receive an HTTP PUT stream.
Put a file to an HTTP server with curl:
curl --upload-file uploadfile http://www.example.com/receive.cgi
# HTTP Authentication
## Basic Authentication
HTTP Authentication is the ability to tell the server your username and
password so that it can verify that you are allowed to do the request you are
doing. The Basic authentication used in HTTP (which is the type curl uses by
default) is **plain text** based, which means it sends username and password
only slightly obfuscated, but still fully readable by anyone that sniffs on
the network between you and the remote server.
To tell curl to use a user and password for authentication:
curl --user name:password http://www.example.com
## Other Authentication
The site might require a different authentication method (check the headers
returned by the server), and then
[`--ntlm`](https://curl.se/docs/manpage.html#--ntlm),
[`--digest`](https://curl.se/docs/manpage.html#--digest),
[`--negotiate`](https://curl.se/docs/manpage.html#--negotiate) or even
[`--anyauth`](https://curl.se/docs/manpage.html#--anyauth) might be
options that suit you.
## Proxy Authentication
Sometimes your HTTP access is only available through the use of an HTTP
proxy. This seems to be especially common at various companies. An HTTP proxy
may require its own user and password to allow the client to get through to
the Internet. To specify those with curl, run something like:
curl --proxy-user proxyuser:proxypassword curl.se
If your proxy requires the authentication to be done using the NTLM method,
use [`--proxy-ntlm`](https://curl.se/docs/manpage.html#--proxy-ntlm), if
it requires Digest use
[`--proxy-digest`](https://curl.se/docs/manpage.html#--proxy-digest).
If you use any one of these user+password options but leave out the password
part, curl prompts for the password interactively.
## Hiding credentials
Do note that when a program is run, its parameters might be possible to see
when listing the running processes of the system. Thus, other users may be
able to watch your passwords if you pass them as plain command line
options. There are ways to circumvent this.
It is worth noting that while this is how HTTP Authentication works, many
websites do not use this concept when they provide logins etc. See the Web
Login chapter further below for more details on that.
# More HTTP Headers
## Referer
An HTTP request may include a 'referer' field (yes it is misspelled), which
can be used to tell from which URL the client got to this particular
resource. Some programs/scripts check the referer field of requests to verify
that this was not arriving from an external site or an unknown page. While
this is a stupid way to check something so easily forged, many scripts still
do it. Using curl, you can put anything you want in the referer-field and
thus more easily be able to fool the server into serving your request.
Use curl to set the referer field with:
curl --referer http://www.example.come http://www.example.com
## User Agent
Similar to the referer field, all HTTP requests may set the User-Agent
field. It names what user agent (client) that is being used. Many
applications use this information to decide how to display pages. Silly web
programmers try to make different pages for users of different browsers to
make them look the best possible for their particular browsers. They usually
also do different kinds of JavaScript etc.
At times, you may learn that getting a page with curl does not return the
same page that you see when getting the page with your browser. Then you know
it is time to set the User Agent field to fool the server into thinking you
are one of those browsers.
By default, curl uses curl/VERSION, such as User-Agent: curl/8.11.0.
To make curl look like Internet Explorer 5 on a Windows 2000 box:
curl --user-agent "Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)" [URL]
Or why not look like you are using Netscape 4.73 on an old Linux box:
curl --user-agent "Mozilla/4.73 [en] (X11; U; Linux 2.2.15 i686)" [URL]
## Redirects
## Location header
When a resource is requested from a server, the reply from the server may
include a hint about where the browser should go next to find this page, or a
new page keeping newly generated output. The header that tells the browser to
redirect is `Location:`.
curl does not follow `Location:` headers by default, but simply displays such
pages in the same manner it displays all HTTP replies. It does however
feature an option that makes it attempt to follow the `Location:` pointers.
To tell curl to follow a Location:
curl --location http://www.example.com
If you use curl to POST to a site that immediately redirects you to another
page, you can safely use [`--location`](https://curl.se/docs/manpage.html#-L)
(`-L`) and `--data`/`--form` together. curl only uses POST in the first
request, and then revert to GET in the following operations.
## Other redirects
Browsers typically support at least two other ways of redirects that curl
does not: first the html may contain a meta refresh tag that asks the browser
to load a specific URL after a set number of seconds, or it may use
JavaScript to do it.
# Cookies
## Cookie Basics
The way the web browsers do "client side state control" is by using
cookies. Cookies are just names with associated contents. The cookies are
sent to the client by the server. The server tells the client for what path
and hostname it wants the cookie sent back, and it also sends an expiration
date and a few more properties.
When a client communicates with a server with a name and path as previously
specified in a received cookie, the client sends back the cookies and their
contents to the server, unless of course they are expired.
Many applications and servers use this method to connect a series of requests
into a single logical session. To be able to use curl in such occasions, we
must be able to record and send back cookies the way the web application
expects them. The same way browsers deal with them.
## Cookie options
The simplest way to send a few cookies to the server when getting a page with
curl is to add them on the command line like:
curl --cookie "name=Daniel" http://www.example.com
Cookies are sent as common HTTP headers. This is practical as it allows curl
to record cookies simply by recording headers. Record cookies with curl by
using the [`--dump-header`](https://curl.se/docs/manpage.html#-D) (`-D`)
option like:
curl --dump-header headers_and_cookies http://www.example.com
(Take note that the
[`--cookie-jar`](https://curl.se/docs/manpage.html#-c) option described
below is a better way to store cookies.)
curl has a full blown cookie parsing engine built-in that comes in use if you
want to reconnect to a server and use cookies that were stored from a
previous connection (or hand-crafted manually to fool the server into
believing you had a previous connection). To use previously stored cookies,
you run curl like:
curl --cookie stored_cookies_in_file http://www.example.com
curl's "cookie engine" gets enabled when you use the
[`--cookie`](https://curl.se/docs/manpage.html#-b) option. If you only
want curl to understand received cookies, use `--cookie` with a file that
does not exist. Example, if you want to let curl understand cookies from a
page and follow a location (and thus possibly send back cookies it received),
you can invoke it like:
curl --cookie nada --location http://www.example.com
curl has the ability to read and write cookie files that use the same file
format that Netscape and Mozilla once used. It is a convenient way to share
cookies between scripts or invokes. The `--cookie` (`-b`) switch
automatically detects if a given file is such a cookie file and parses it,
and by using the `--cookie-jar` (`-c`) option you make curl write a new
cookie file at the end of an operation:
curl --cookie cookies.txt --cookie-jar newcookies.txt \
http://www.example.com
# HTTPS
## HTTPS is HTTP secure
There are a few ways to do secure HTTP transfers. By far the most common
protocol for doing this is what is generally known as HTTPS, HTTP over
SSL. SSL encrypts all the data that is sent and received over the network and
thus makes it harder for attackers to spy on sensitive information.
SSL (or TLS as the current version of the standard is called) offers a set of
advanced features to do secure transfers over HTTP.
curl supports encrypted fetches when built to use a TLS library and it can be
built to use one out of a fairly large set of libraries - `curl -V` shows
which one your curl was built to use (if any). To get a page from an HTTPS
server, simply run curl like:
curl https://secure.example.com
## Certificates
In the HTTPS world, you use certificates to validate that you are the one you
claim to be, as an addition to normal passwords. curl supports client- side
certificates. All certificates are locked with a passphrase, which you need
to enter before the certificate can be used by curl. The passphrase can be
specified on the command line or if not, entered interactively when curl
queries for it. Use a certificate with curl on an HTTPS server like:
curl --cert mycert.pem https://secure.example.com
curl also tries to verify that the server is who it claims to be, by
verifying the server's certificate against a locally stored CA cert bundle.
Failing the verification causes curl to deny the connection. You must then
use [`--insecure`](https://curl.se/docs/manpage.html#-k) (`-k`) in case you
want to tell curl to ignore that the server cannot be verified.
More about server certificate verification and ca cert bundles can be read in
the [`SSLCERTS` document](https://curl.se/docs/sslcerts.html).
At times you may end up with your own CA cert store and then you can tell
curl to use that to verify the server's certificate:
curl --cacert ca-bundle.pem https://example.com/
# Custom Request Elements
## Modify method and headers
Doing fancy stuff, you may need to add or change elements of a single curl
request.
For example, you can change the POST method to `PROPFIND` and send the data
as `Content-Type: text/xml` (instead of the default `Content-Type`) like
this:
curl --data "<xml>" --header "Content-Type: text/xml" \
--request PROPFIND example.com
You can delete a default header by providing one without content. Like you
can ruin the request by chopping off the `Host:` header:
curl --header "Host:" http://www.example.com
You can add headers the same way. Your server may want a `Destination:`
header, and you can add it:
curl --header "Destination: http://nowhere" http://example.com
## More on changed methods
It should be noted that curl selects which methods to use on its own
depending on what action to ask for. `-d` makes a POST, `-I` makes a HEAD and
so on. If you use the [`--request`](https://curl.se/docs/manpage.html#-X) /
`-X` option you can change the method keyword curl selects, but you do not
modify curl's behavior. This means that if you for example use -d "data" to
do a POST, you can modify the method to a `PROPFIND` with `-X` and curl still
thinks it sends a POST. You can change the normal GET to a POST method by
simply adding `-X POST` in a command line like:
curl -X POST http://example.org/
curl however still acts as if it sent a GET so it does not send any request
body etc.
# Web Login
## Some login tricks
While not strictly just HTTP related, it still causes a lot of people
problems so here's the executive run-down of how the vast majority of all
login forms work and how to login to them using curl.
It can also be noted that to do this properly in an automated fashion, you
most certainly need to script things and do multiple curl invokes etc.
First, servers mostly use cookies to track the logged-in status of the
client, so you need to capture the cookies you receive in the responses.
Then, many sites also set a special cookie on the login page (to make sure
you got there through their login page) so you should make a habit of first
getting the login-form page to capture the cookies set there.
Some web-based login systems feature various amounts of JavaScript, and
sometimes they use such code to set or modify cookie contents. Possibly they
do that to prevent programmed logins, like this manual describes how to...
Anyway, if reading the code is not enough to let you repeat the behavior
manually, capturing the HTTP requests done by your browsers and analyzing the
sent cookies is usually a working method to work out how to shortcut the
JavaScript need.
In the actual `<form>` tag for the login, lots of sites fill-in
random/session or otherwise secretly generated hidden tags and you may need
to first capture the HTML code for the login form and extract all the hidden
fields to be able to do a proper login POST. Remember that the contents need
to be URL encoded when sent in a normal POST.
# Debug
## Some debug tricks
Many times when you run curl on a site, you notice that the site does not
seem to respond the same way to your curl requests as it does to your
browser's.
Then you need to start making your curl requests more similar to your
browser's requests:
- Use the `--trace-ascii` option to store fully detailed logs of the requests
for easier analyzing and better understanding
- Make sure you check for and use cookies when needed (both reading with
`--cookie` and writing with `--cookie-jar`)
- Set user-agent (with [`-A`](https://curl.se/docs/manpage.html#-A)) to
one like a recent popular browser does
- Set referer (with [`-E`](https://curl.se/docs/manpage.html#-E)) like
it is set by the browser
- If you use POST, make sure you send all the fields and in the same order as
the browser does it.
## Check what the browsers do
A good helper to make sure you do this right, is the web browsers' developers
tools that let you view all headers you send and receive (even when using
HTTPS).
A more raw approach is to capture the HTTP traffic on the network with tools
such as Wireshark or tcpdump and check what headers that were sent and
received by the browser. (HTTPS forces you to use `SSLKEYLOGFILE` to do
that.)

395
curl/docs/URL-SYNTAX.md
Unescape Просмотреть файл

@ -0,0 +1,395 @@
<!--
Copyright (C) Daniel Stenberg, <daniel@haxx.se>, et al.
SPDX-License-Identifier: curl
-->
# URL syntax and their use in curl
## Specifications
The official "URL syntax" is primarily defined in these two different
specifications:
- [RFC 3986](https://datatracker.ietf.org/doc/html/rfc3986) (although URL is called
"URI" in there)
- [The WHATWG URL Specification](https://url.spec.whatwg.org/)
RFC 3986 is the earlier one, and curl has always tried to adhere to that one
(since it shipped in January 2005).
The WHATWG URL spec was written later, is incompatible with the RFC 3986 and
changes over time.
## Variations
URL parsers as implemented in browsers, libraries and tools usually opt to
support one of the mentioned specifications. Bugs, differences in
interpretations and the moving nature of the WHATWG spec does however make it
unlikely that multiple parsers treat URLs the same way.
## Security
Due to the inherent differences between URL parser implementations, it is
considered a security risk to mix different implementations and assume the
same behavior.
For example, if you use one parser to check if a URL uses a good hostname or
the correct auth field, and then pass on that same URL to a *second* parser,
there is always a risk it treats the same URL differently. There is no right
and wrong in URL land, only differences of opinions.
libcurl offers a separate API to its URL parser for this reason, among others.
Applications may at times find it convenient to allow users to specify URLs
for various purposes and that string would then end up fed to curl. Getting a
URL from an external untrusted party and using it with curl brings several
security concerns:
1. If you have an application that runs as or in a server application, getting
an unfiltered URL can trick your application to access a local resource
instead of a remote resource. Protecting yourself against localhost accesses
is hard when accepting user provided URLs.
2. Such custom URLs can access other ports than you planned as port numbers
are part of the regular URL format. The combination of a local host and a
custom port number can allow external users to play tricks with your local
services.
3. Such a URL might use other schemes than you thought of or planned for.
## "RFC 3986 plus"
curl recognizes a URL syntax that we call "RFC 3986 plus". It is grounded on
the well established RFC 3986 to make sure previously written command lines
and curl using scripts remain working.
curl's URL parser allows a few deviations from the spec in order to
inter-operate better with URLs that appear in the wild.
### Spaces
A URL provided to curl cannot contain spaces. They need to be provided URL
encoded to be accepted in a URL by curl.
An exception to this rule: `Location:` response headers that indicate to a
client where a resource has been redirected to, sometimes contain spaces. This
is a violation of RFC 3986 but is fine in the WHATWG spec. curl handles these
by re-encoding them to `%20`.
### Non-ASCII
Byte values in a provided URL that are outside of the printable ASCII range
are percent-encoded by curl.
### Multiple slashes
An absolute URL always starts with a "scheme" followed by a colon. For all the
schemes curl supports, the colon must be followed by two slashes according to
RFC 3986 but not according to the WHATWG spec - which allows one to infinity
amount.
curl allows one, two or three slashes after the colon to still be considered a
valid URL.
### "scheme-less"
curl supports "URLs" that do not start with a scheme. This is not supported by
any of the specifications. This is a shortcut to entering URLs that was
supported by browsers early on and has been mimicked by curl.
Based on what the hostname starts with, curl "guesses" what protocol to use:
- `ftp.` means FTP
- `dict.` means DICT
- `ldap.` means LDAP
- `imap.` means IMAP
- `smtp.` means SMTP
- `pop3.` means POP3
- all other means HTTP
### Globbing letters
The curl command line tool supports "globbing" of URLs. It means that you can
create ranges and lists using `[N-M]` and `{one,two,three}` sequences. The
letters used for this (`[]{}`) are reserved in RFC 3986 and can therefore not
legitimately be part of such a URL.
They are however not reserved or special in the WHATWG specification, so
globbing can mess up such URLs. Globbing can be turned off for such occasions
(using `--globoff`).
# URL syntax details
A URL may consist of the following components - many of them are optional:
[scheme][divider][userinfo][hostname][port number][path][query][fragment]
Each component is separated from the following component with a divider
character or string.
For example, this could look like:
http://user:password@www.example.com:80/index.html?foo=bar#top
## Scheme
The scheme specifies the protocol to use. A curl build can support a few or
many different schemes. You can limit what schemes curl should accept.
curl supports the following schemes on URLs specified to transfer. They are
matched case insensitively:
`dict`, `file`, `ftp`, `ftps`, `gopher`, `gophers`, `http`, `https`, `imap`,
`imaps`, `ldap`, `ldaps`, `mqtt`, `pop3`, `pop3s`, `rtmp`, `rtmpe`, `rtmps`,
`rtmpt`, `rtmpte`, `rtmpts`, `rtsp`, `smb`, `smbs`, `smtp`, `smtps`, `telnet`,
`tftp`
When the URL is specified to identify a proxy, curl recognizes the following
schemes:
`http`, `https`, `socks4`, `socks4a`, `socks5`, `socks5h`, `socks`
## Userinfo
The userinfo field can be used to set username and password for
authentication purposes in this transfer. The use of this field is discouraged
since it often means passing around the password in plain text and is thus a
security risk.
URLs for IMAP, POP3 and SMTP also support *login options* as part of the
userinfo field. They are provided as a semicolon after the password and then
the options.
## Hostname
The hostname part of the URL contains the address of the server that you want
to connect to. This can be the fully qualified domain name of the server, the
local network name of the machine on your network or the IP address of the
server or machine represented by either an IPv4 or IPv6 address (within
brackets). For example:
http://www.example.com/
http://hostname/
http://192.168.0.1/
http://[2001:1890:1112:1::20]/
### "localhost"
Starting in curl 7.77.0, curl uses loopback IP addresses for the name
`localhost`: `127.0.0.1` and `::1`. It does not resolve the name using the
resolver functions.
This is done to make sure the host accessed is truly the localhost - the local
machine.
### IDNA
If curl was built with International Domain Name (IDN) support, it can also
handle hostnames using non-ASCII characters.
When built with libidn2, curl uses the IDNA 2008 standard. This is equivalent
to the WHATWG URL spec, but differs from certain browsers that use IDNA 2003
Transitional Processing. The two standards have a huge overlap but differ
slightly, perhaps most famously in how they deal with the German "double s"
(`ß`).
When WinIDN is used, curl uses IDNA 2003 Transitional Processing, like the rest
of Windows.
## Port number
If there is a colon after the hostname, that should be followed by the port
number to use. 1 - 65535. curl also supports a blank port number field - but
only if the URL starts with a scheme.
If the port number is not specified in the URL, curl uses a default port
number based on the provide scheme:
DICT 2628, FTP 21, FTPS 990, GOPHER 70, GOPHERS 70, HTTP 80, HTTPS 443,
IMAP 132, IMAPS 993, LDAP 369, LDAPS 636, MQTT 1883, POP3 110, POP3S 995,
RTMP 1935, RTMPS 443, RTMPT 80, RTSP 554, SCP 22, SFTP 22, SMB 445, SMBS 445,
SMTP 25, SMTPS 465, TELNET 23, TFTP 69
# Scheme specific behaviors
## FTP
The path part of an FTP request specifies the file to retrieve and from which
directory. If the file part is omitted then libcurl downloads the directory
listing for the directory specified. If the directory is omitted then the
directory listing for the root / home directory is returned.
FTP servers typically put the user in its "home directory" after login, which
then differs between users. To explicitly specify the root directory of an FTP
server, start the path with double slash `//` or `/%2f` (2F is the hexadecimal
value of the ASCII code for the slash).
## FILE
When a `FILE://` URL is accessed on Windows systems, it can be crafted in a
way so that Windows attempts to connect to a (remote) machine when curl wants
to read or write such a path.
curl only allows the hostname part of a FILE URL to be one out of these three
alternatives: `localhost`, `127.0.0.1` or blank ("", zero characters).
Anything else makes curl fail to parse the URL.
### Windows-specific FILE details
curl accepts that the FILE URL's path starts with a "drive letter". That is a
single letter `a` to `z` followed by a colon or a pipe character (`|`).
The Windows operating system itself converts some file accesses to perform
network accesses over SMB/CIFS, through several different file path patterns.
This way, a `file://` URL passed to curl *might* be converted into a network
access inadvertently and unknowingly to curl. This is a Windows feature curl
cannot control or disable.
## IMAP
The path part of an IMAP request not only specifies the mailbox to list or
select, but can also be used to check the `UIDVALIDITY` of the mailbox, to
specify the `UID`, `SECTION` and `PARTIAL` octets of the message to fetch and
to specify what messages to search for.
A top level folder list:
imap://user:password@mail.example.com
A folder list on the user's inbox:
imap://user:password@mail.example.com/INBOX
Select the user's inbox and fetch message with `uid = 1`:
imap://user:password@mail.example.com/INBOX/;UID=1
Select the user's inbox and fetch the first message in the mail box:
imap://user:password@mail.example.com/INBOX/;MAILINDEX=1
Select the user's inbox, check the `UIDVALIDITY` of the mailbox is 50 and
fetch message 2 if it is:
imap://user:password@mail.example.com/INBOX;UIDVALIDITY=50/;UID=2
Select the user's inbox and fetch the text portion of message 3:
imap://user:password@mail.example.com/INBOX/;UID=3/;SECTION=TEXT
Select the user's inbox and fetch the first 1024 octets of message 4:
imap://user:password@mail.example.com/INBOX/;UID=4/;PARTIAL=0.1024
Select the user's inbox and check for NEW messages:
imap://user:password@mail.example.com/INBOX?NEW
Select the user's inbox and search for messages containing "shadows" in the
subject line:
imap://user:password@mail.example.com/INBOX?SUBJECT%20shadows
Searching via the query part of the URL `?` is a search request for the
results to be returned as message sequence numbers (`MAILINDEX`). It is
possible to make a search request for results to be returned as unique ID
numbers (`UID`) by using a custom curl request via `-X`. `UID` numbers are
unique per session (and multiple sessions when `UIDVALIDITY` is the same). For
example, if you are searching for `"foo bar"` in header+body (`TEXT`) and you
want the matching `MAILINDEX` numbers returned then you could search via URL:
imap://user:password@mail.example.com/INBOX?TEXT%20%22foo%20bar%22
If you want matching `UID` numbers you have to use a custom request:
imap://user:password@mail.example.com/INBOX -X "UID SEARCH TEXT \"foo bar\""
For more information about IMAP commands please see RFC 9051. For more
information about the individual components of an IMAP URL please see RFC 5092.
* Note old curl versions would `FETCH` by message sequence number when `UID`
was specified in the URL. That was a bug fixed in 7.62.0, which added
`MAILINDEX` to `FETCH` by mail sequence number.
## LDAP
The path part of a LDAP request can be used to specify the: Distinguished
Name, Attributes, Scope, Filter and Extension for a LDAP search. Each field is
separated by a question mark and when that field is not required an empty
string with the question mark separator should be included.
Search for the `DN` as `My Organization`:
ldap://ldap.example.com/o=My%20Organization
the same search but only return `postalAddress` attributes:
ldap://ldap.example.com/o=My%20Organization?postalAddress
Search for an empty `DN` and request information about the
`rootDomainNamingContext` attribute for an Active Directory server:
ldap://ldap.example.com/?rootDomainNamingContext
For more information about the individual components of a LDAP URL please
see [RFC 4516](https://datatracker.ietf.org/doc/html/rfc4516).
## POP3
The path part of a POP3 request specifies the message ID to retrieve. If the
ID is not specified then a list of waiting messages is returned instead.
## SCP
The path part of an SCP URL specifies the path and file to retrieve or
upload. The file is taken as an absolute path from the root directory on the
server.
To specify a path relative to the user's home directory on the server, prepend
`~/` to the path portion.
## SFTP
The path part of an SFTP URL specifies the file to retrieve or upload. If the
path ends with a slash (`/`) then a directory listing is returned instead of a
file. If the path is omitted entirely then the directory listing for the root
/ home directory is returned.
## SMB
The path part of a SMB request specifies the file to retrieve and from what
share and directory or the share to upload to and as such, may not be omitted.
If the username is embedded in the URL then it must contain the domain name
and as such, the backslash must be URL encoded as %2f.
When uploading to SMB, the size of the file needs to be known ahead of time,
meaning that you can upload a file passed to curl over a pipe like stdin.
curl supports SMB version 1 (only)
## SMTP
The path part of a SMTP request specifies the hostname to present during
communication with the mail server. If the path is omitted, then libcurl
attempts to resolve the local computer's hostname. However, this may not
return the fully qualified domain name that is required by some mail servers
and specifying this path allows you to set an alternative name, such as your
machine's fully qualified domain name, which you might have obtained from an
external function such as gethostname or getaddrinfo.
The default smtp port is 25. Some servers use port 587 as an alternative.
## RTMP
There is no official URL spec for RTMP so libcurl uses the URL syntax supported
by the underlying librtmp library. It has a syntax where it wants a
traditional URL, followed by a space and a series of space-separated
`name=value` pairs.
While space is not typically a "legal" letter, libcurl accepts them. When a
user wants to pass in a `#` (hash) character it is treated as a fragment and
it gets cut off by libcurl if provided literally. You have to escape it by
providing it as backslash and its ASCII value in hexadecimal: `\23`.

63
curl/docs/VERSIONS.md
Unescape Просмотреть файл

@ -0,0 +1,63 @@
<!--
Copyright (C) Daniel Stenberg, <daniel@haxx.se>, et al.
SPDX-License-Identifier: curl
-->
Version Numbers and Releases
============================
The command line tool curl and the library libcurl are individually
versioned, but they usually follow each other closely.
The version numbering is always built up using the same system:
X.Y.Z
- X is main version number
- Y is release number
- Z is patch number
## Bumping numbers
One of these numbers get bumped in each new release. The numbers to the right
of a bumped number are reset to zero.
The main version number is bumped when *really* big, world colliding changes
are made. The release number is bumped when changes are performed or
things/features are added. The patch number is bumped when the changes are
mere bugfixes.
It means that after release 1.2.3, we can release 2.0.0 if something really
big has been made, 1.3.0 if not that big changes were made or 1.2.4 if only
bugs were fixed.
Bumping, as in increasing the number with 1, is unconditionally only
affecting one of the numbers (except the ones to the right of it, that may be
set to zero). 1 becomes 2, 3 becomes 4, 9 becomes 10, 88 becomes 89 and 99
becomes 100. So, after 1.2.9 comes 1.2.10. After 3.99.3, 3.100.0 might come.
All original curl source release archives are named according to the libcurl
version (not according to the curl client version that, as said before, might
differ).
As a service to any application that might want to support new libcurl
features while still being able to build with older versions, all releases
have the libcurl version stored in the `curl/curlver.h` file using a static
numbering scheme that can be used for comparison. The version number is
defined as:
```c
#define LIBCURL_VERSION_NUM 0xXXYYZZ
```
Where `XX`, `YY` and `ZZ` are the main version, release and patch numbers in
hexadecimal. All three number fields are always represented using two digits
(eight bits each). 1.2 would appear as "0x010200" while version 9.11.7
appears as `0x090b07`.
This 6-digit hexadecimal number is always a greater number in a more recent
release. It makes comparisons with greater than and less than work.
This number is also available as three separate defines:
`LIBCURL_VERSION_MAJOR`, `LIBCURL_VERSION_MINOR` and `LIBCURL_VERSION_PATCH`.

339
curl/docs/VULN-DISCLOSURE-POLICY.md
Unescape Просмотреть файл

@ -0,0 +1,339 @@
<!--
Copyright (C) Daniel Stenberg, <daniel@haxx.se>, et al.
SPDX-License-Identifier: curl
-->
# curl vulnerability disclosure policy
This document describes how security vulnerabilities are handled in the curl
project.
## Publishing Information
All known and public curl or libcurl related vulnerabilities are listed on
[the curl website security page](https://curl.se/docs/security.html).
Security vulnerabilities **should not** be entered in the project's public bug
tracker.
## Vulnerability Handling
The typical process for handling a new security vulnerability is as follows.
No information should be made public about a vulnerability until it is
formally announced at the end of this process. That means, for example, that a
bug tracker entry must NOT be created to track the issue since that makes the
issue public and it should not be discussed on any of the project's public
mailing lists. Messages associated with any commits should not make any
reference to the security nature of the commit if done prior to the public
announcement.
- The person discovering the issue, the reporter, reports the vulnerability on
[HackerOne](https://hackerone.com/curl). Issues filed there reach a handful
of selected and trusted people.
- Messages that do not relate to the reporting or managing of an undisclosed
security vulnerability in curl or libcurl are ignored and no further action
is required.
- A person in the security team responds to the original report to acknowledge
that a human has seen the report.
- The security team investigates the report and either rejects it or accepts
it. See below for examples of problems that are not considered
vulnerabilities.
- If the report is rejected, the team writes to the reporter to explain why.
- If the report is accepted, the team writes to the reporter to let them
know it is accepted and that they are working on a fix.
- The security team discusses the problem, works out a fix, considers the
impact of the problem and suggests a release schedule. This discussion
should involve the reporter as much as possible.
- The release of the information should be "as soon as possible" and is most
often synchronized with an upcoming release that contains the fix. If the
reporter, or anyone else involved, thinks the next planned release is too
far away, then a separate earlier release should be considered.
- Write a security advisory draft about the problem that explains what the
problem is, its impact, which versions it affects, solutions or workarounds,
when the release is out and make sure to credit all contributors properly.
Figure out the CWE (Common Weakness Enumeration) number for the flaw. See
[SECURITY-ADVISORY](https://curl.se/dev/advisory.html) for help on creating
the advisory.
- Request a CVE Id for the issue. curl is a CNA (CVE Numbering Authority) and
can request its own numbers.
- Update the "security advisory" with the CVE number.
- The security team commits the fix in a private branch. The commit message
should ideally contain the CVE number. If the severity level of the issue is
set to Low or Medium, the fix is allowed to get merged into the master
repository via a normal PR - but without mentioning it being a security
vulnerability.
- The monetary reward part of the bug-bounty is managed by the Internet Bug
Bounty team and the reporter is asked to request the reward from them after
the issue has been completely handled and published by curl.
- No more than 10 days before release, inform
[distros@openwall](https://oss-security.openwall.org/wiki/mailing-lists/distros)
to prepare them about the upcoming public security vulnerability
announcement - attach the advisory draft for information with CVE and
current patch. 'distros' does not accept an embargo longer than 14 days and
they do not care for Windows-specific flaws.
- No more than 48 hours before the release, the private branch is merged into
the master branch and pushed. Once pushed, the information is accessible to
the public and the actual release should follow suit immediately afterwards.
The time between the push and the release is used for final tests and
reviews.
- The project team creates a release that includes the fix.
- The project team announces the release and the vulnerability to the world in
the same manner we always announce releases. It gets sent to the
curl-announce, curl-library and curl-users mailing lists.
- The security webpage on the website should get the new vulnerability
mentioned.
## security (at curl dot se)
This is a private mailing list for discussions on and about curl security
issues.
Who is on this list? There are a couple of criteria you must meet, and then we
might ask you to join the list or you can ask to join it. It really is not a
formal process. We basically only require that you have a long-term presence
in the curl project and you have shown an understanding for the project and
its way of working. You must have been around for a good while and you should
have no plans of vanishing in the near future.
We do not make the list of participants public mostly because it tends to vary
somewhat over time and a list somewhere only risks getting outdated.
## Publishing Security Advisories
1. Write up the security advisory, using markdown syntax. Use the same
subtitles as last time to maintain consistency.
2. Name the advisory file after the allocated CVE id.
3. Add a line on the top of the array in `curl-www/docs/vuln.pm`.
4. Put the new advisory markdown file in the `curl-www/docs/` directory. Add it
to the git repository.
5. Run `make` in your local web checkout and verify that things look fine.
6. On security advisory release day, push the changes on the curl-www
repository's remote master branch.
## HackerOne
Request the issue to be disclosed. If there are sensitive details present in
the report and discussion, those should be redacted from the disclosure. The
default policy is to disclose as much as possible as soon as the vulnerability
has been published.
## Bug Bounty
See [BUG-BOUNTY](https://curl.se/docs/bugbounty.html) for details on the
bug bounty program.
# Severity levels
The curl project's security team rates security problems using four severity
levels depending how serious we consider the problem to be. We use **Low**,
**Medium**, **High** and **Critical**. We refrain from using numerical scoring
of vulnerabilities.
We do not support CVSS as a method to grade security vulnerabilities, so we do
not set them for CVE records published by the curl project. We believe CVSS is
a broken system that often does not properly evaluate to suitable severity
levels that reflect all dimensions and factors involved. Other organizations
however set and provide CVSS scores for curl vulnerabilities. You need to
decide for yourself if you believe they know enough about the subjects
involved to make reasonable assessments. Deciding between four different
severity levels is hard enough for us.
When deciding severity level on a particular issue, we take all the factors
into account: attack vector, attack complexity, required privileges, necessary
build configuration, protocols involved, platform specifics and also what
effects a possible exploit or trigger of the issue can lead do, including
confidentiality, integrity or availability problems.
## Low
This is a security problem that is truly hard or unlikely to exploit or
trigger. Due to timing, platform requirements or the fact that options or
protocols involved are rare etc. [Past
example](https://curl.se/docs/CVE-2022-43552.html)
## Medium
This is a security problem that is less hard than **Low** to exploit or
trigger. Less strict timing, wider platforms availability or involving more
widely used options or protocols. A problem that usually needs something else
to also happen to become serious. [Past
example](https://curl.se/docs/CVE-2022-32206.html)
## High
This issue in itself a serious problem with real world impact. Flaws that can
easily compromise the confidentiality, integrity or availability of resources.
Exploiting or triggering this problem is not hard. [Past
example](https://curl.se/docs/CVE-2019-3822.html)
## Critical
Easily exploitable by a remote unauthenticated attacker and lead to system
compromise (arbitrary code execution) without requiring user interaction, with
a common configuration on a popular platform. This issue has few restrictions
and requirements and can be exploited easily using most curl configurations.
[Past example](https://curl.se/docs/CVE-2000-0973.html)
# Not security issues
This is an incomplete list of issues that are not considered vulnerabilities.
## Small memory leaks
We do not consider a small memory leak a security problem; even if the amount
of allocated memory grows by a small amount every now and then. Long-living
applications and services already need to have counter-measures and deal with
growing memory usage, be it leaks or just increased use. A small memory or
resource leak is then expected to *not* cause a security problem.
Of course there can be a discussion if a leak is small or not. A large leak
can be considered a security problem due to the DOS risk. If leaked memory
contains sensitive data it might also qualify as a security problem.
## Never-ending transfers
We do not consider flaws that cause a transfer to never end to be a security
problem. There are already several benign and likely reasons for transfers to
stall and never end, so applications that cannot deal with never-ending
transfers already need to have counter-measures established.
If the problem avoids the regular counter-measures when it causes a never-
ending transfer, it might be a security problem.
## Not practically possible
If the flaw or vulnerability cannot practically get executed on existing
hardware it is not a security problem.
## API misuse
If a reported issue only triggers by an application using the API in a way
that is not documented to work or even documented to not work, it is probably
not going to be considered a security problem. We only guarantee secure and
proper functionality when the APIs are used as expected and documented.
There can be a discussion about what the documentation actually means and how
to interpret the text, which might end up with us still agreeing that it is a
security problem.
## Local attackers already present
When an issue can only be attacked or misused by an attacker present on the
local system or network, the bar is raised. If a local user wrongfully has
elevated rights on your system enough to attack curl, they can probably
already do much worse harm and the problem is not really in curl.
## Debug & Experiments
Vulnerabilities in features which are off by default (in the build) and
documented as experimental, or exist only in debug mode, are not eligible for a
reward and we do not consider them security problems.
## URL inconsistencies
URL parser inconsistencies between browsers and curl are expected and are not
considered security vulnerabilities. The WHATWG URL Specification and RFC
3986+ (the plus meaning that it is an extended version) [are not completely
interoperable](https://github.com/bagder/docs/blob/master/URL-interop.md).
Obvious parser bugs can still be vulnerabilities of course.
## Visible command line arguments
The curl command blanks the contents of a number of command line arguments to
prevent them from appearing in process listings. It does not blank all
arguments even if some of them that are not blanked might contain sensitive
data. We consider this functionality a best-effort and omissions are not
security vulnerabilities.
- not all systems allow the arguments to be blanked in the first place
- since curl blanks the argument itself they are readable for a short moment
no matter what
- virtually every argument can contain sensitive data, depending on use
- blanking all arguments would make it impractical for users to differentiate
curl command lines in process listings
## Busy-loops
Busy-loops that consume 100% CPU time but eventually end (perhaps due to a set
timeout value or otherwise) are not considered security problems. Applications
are supposed to already handle situations when the transfer loop legitimately
consumes 100% CPU time, so while a prolonged such busy-loop is a nasty bug, we
do not consider it a security problem.
## Saving files
curl cannot protect against attacks where an attacker has write access to the
same directory where curl is directed to save files.
## Tricking a user to run a command line
A creative, misleading or funny looking command line is not a security
problem. The curl command line tool takes options and URLs on the command line
and if an attacker can trick the user to run a specifically crafted curl
command line, all bets are off. Such an attacker can just as well have the
user run a much worse command that can do something fatal (like
`sudo rm -rf /`).
## Terminal output and escape sequences
Content that is transferred from a server and gets displayed in a terminal by
curl may contain escape sequences or use other tricks to fool the user. This
is curl working as designed and is not a curl security problem. Escape
sequences, moving cursor, changing color etc, is also frequently used for
good. To reduce the risk of getting fooled, save files and browse them after
download using a display method that minimizes risks.
## NULL dereferences and crashes
If a malicious server can trigger a NULL dereference in curl or otherwise
cause curl to crash (and nothing worse), chances are big that we do not
consider that a security problem.
Malicious servers can already cause considerable harm and denial of service
like scenarios without having to trigger such code paths. For example by
stalling, being terribly slow or by delivering enormous amounts of data.
Additionally, applications are expected to handle "normal" crashes without
that being the end of the world.
There need to be more and special circumstances to treat such problems as
security issues.
## Legacy dependencies
Problems that can be triggered only by the use of a *legacy dependency* are
not considered security problems.
A *legacy dependency* is here defined as:
- the legacy version was released over ten years ago AND
- the legacy version is no longer in use by any existing still supported
operating system or distribution AND
- there are modern versions of equivalent or better functionality offered and
in common use

124
curl/docs/curl-config.md
Unescape Просмотреть файл

@ -0,0 +1,124 @@
---
c: Copyright (C) Daniel Stenberg, <daniel@haxx.se>, et al.
SPDX-License-Identifier: curl
Title: curl-config
Section: 1
Source: curl-config
See-also:
- curl (1)
Added-in: 7.7.2
---
# NAME
curl-config - Get information about a libcurl installation
# SYNOPSIS
**curl-config [options]**
# DESCRIPTION
**curl-config**
displays information about the curl and libcurl installation.
# OPTIONS
## `--ca`
Displays the built-in path to the CA cert bundle this libcurl uses.
## `--cc`
Displays the compiler used to build libcurl.
## `--cflags`
Set of compiler options (CFLAGS) to use when compiling files that use
libcurl. Currently that is only the include path to the curl include files.
## `--checkfor [version]`
Specify the oldest possible libcurl version string you want, and this script
returns 0 if the current installation is new enough or it returns 1 and
outputs a text saying that the current version is not new enough. (Added in
7.15.4)
## `--configure`
Displays the arguments given to configure when building curl.
## `--feature`
Lists what particular main features the installed libcurl was built with. At
the time of writing, this list may include SSL, KRB4 or IPv6. Do not assume
any particular order. The keywords are separated by newlines. There may be
none, one, or several keywords in the list.
## `--help`
Displays the available options.
## `--libs`
Shows the complete set of libs and other linker options you need in order to
link your application with libcurl.
## `--prefix`
This is the prefix used when libcurl was installed. libcurl is then installed
in $prefix/lib and its header files are installed in $prefix/include and so
on. The prefix is set with `configure --prefix`.
## `--protocols`
Lists what particular protocols the installed libcurl was built to support. At
the time of writing, this list may include HTTP, HTTPS, FTP, FTPS, FILE,
TELNET, LDAP, DICT and many more. Do not assume any particular order. The
protocols are listed using uppercase and are separated by newlines. There may
be none, one, or several protocols in the list. (Added in 7.13.0)
## `--ssl-backends`
Lists the SSL backends that were enabled when libcurl was built. It might be
no, one or several names. If more than one name, they appear comma-separated.
(Added in 7.58.0)
## `--static-libs`
Shows the complete set of libs and other linker options you need in order to
link your application with libcurl statically. (Added in 7.17.1)
## `--version`
Outputs version information about the installed libcurl.
## `--vernum`
Outputs version information about the installed libcurl, in numerical mode.
This shows the version number, in hexadecimal, using 8 bits for each part:
major, minor, and patch numbers. This makes libcurl 7.7.4 appear as 070704 and
libcurl 12.13.14 appear as 0c0d0e... Note that the initial zero might be
omitted. (This option was broken in the 7.15.0 release.)
# EXAMPLES
What linker options do I need when I link with libcurl?
$ curl-config --libs
What compiler options do I need when I compile using libcurl functions?
$ curl-config --cflags
How do I know if libcurl was built with SSL support?
$ curl-config --feature | grep SSL
What's the installed libcurl version?
$ curl-config --version
How do I build a single file with a one-line command?
$ `curl-config --cc --cflags` -o example source.c `curl-config --libs`

153
curl/docs/examples/10-at-a-time.c
Unescape Просмотреть файл

@ -0,0 +1,153 @@
/***************************************************************************
* _ _ ____ _
* Project ___| | | | _ \| |
* / __| | | | |_) | |
* | (__| |_| | _ <| |___
* \___|\___/|_| \_\_____|
*
* Copyright (C) Daniel Stenberg, <daniel@haxx.se>, et al.
*
* This software is licensed as described in the file COPYING, which
* you should have received as part of this distribution. The terms
* are also available at https://curl.se/docs/copyright.html.
*
* You may opt to use, copy, modify, merge, publish, distribute and/or sell
* copies of the Software, and permit persons to whom the Software is
* furnished to do so, under the terms of the COPYING file.
*
* This software is distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY
* KIND, either express or implied.
*
* SPDX-License-Identifier: curl
*
***************************************************************************/
/* <DESC>
* Download many files in parallel, in the same thread.
* </DESC>
*/
#include <stdlib.h>
#include <string.h>
#include <curl/curl.h>
static const char *urls[] = {
"https://www.microsoft.com",
"https://opensource.org",
"https://www.google.com",
"https://www.yahoo.com",
"https://www.ibm.com",
"https://www.mysql.com",
"https://www.oracle.com",
"https://www.ripe.net",
"https://www.iana.org",
"https://www.amazon.com",
"https://www.netcraft.com",
"https://www.heise.de",
"https://www.chip.de",
"https://www.ca.com",
"https://www.cnet.com",
"https://www.mozilla.org",
"https://www.cnn.com",
"https://www.wikipedia.org",
"https://www.dell.com",
"https://www.hp.com",
"https://www.cert.org",
"https://www.mit.edu",
"https://www.nist.gov",
"https://www.ebay.com",
"https://www.playstation.com",
"https://www.uefa.com",
"https://www.ieee.org",
"https://www.apple.com",
"https://www.symantec.com",
"https://www.zdnet.com",
"https://www.fujitsu.com/global/",
"https://www.supermicro.com",
"https://www.hotmail.com",
"https://www.ietf.org",
"https://www.bbc.co.uk",
"https://news.google.com",
"https://www.foxnews.com",
"https://www.msn.com",
"https://www.wired.com",
"https://www.sky.com",
"https://www.usatoday.com",
"https://www.cbs.com",
"https://www.nbc.com/",
"https://slashdot.org",
"https://www.informationweek.com",
"https://apache.org",
"https://www.un.org",
};
#define MAX_PARALLEL 10 /* number of simultaneous transfers */
#define NUM_URLS sizeof(urls)/sizeof(char *)
static size_t write_cb(char *data, size_t n, size_t l, void *userp)
{
/* take care of the data here, ignored in this example */
(void)data;
(void)userp;
return n*l;
}
static void add_transfer(CURLM *cm, unsigned int i, int *left)
{
CURL *eh = curl_easy_init();
curl_easy_setopt(eh, CURLOPT_WRITEFUNCTION, write_cb);
curl_easy_setopt(eh, CURLOPT_URL, urls[i]);
curl_easy_setopt(eh, CURLOPT_PRIVATE, urls[i]);
curl_multi_add_handle(cm, eh);
(*left)++;
}
int main(void)
{
CURLM *cm;
CURLMsg *msg;
unsigned int transfers = 0;
int msgs_left = -1;
int left = 0;
curl_global_init(CURL_GLOBAL_ALL);
cm = curl_multi_init();
/* Limit the amount of simultaneous connections curl should allow: */
curl_multi_setopt(cm, CURLMOPT_MAXCONNECTS, (long)MAX_PARALLEL);
for(transfers = 0; transfers < MAX_PARALLEL && transfers < NUM_URLS;
transfers++)
add_transfer(cm, transfers, &left);
do {
int still_alive = 1;
curl_multi_perform(cm, &still_alive);
/* !checksrc! disable EQUALSNULL 1 */
while((msg = curl_multi_info_read(cm, &msgs_left)) != NULL) {
if(msg->msg == CURLMSG_DONE) {
char *url;
CURL *e = msg->easy_handle;
curl_easy_getinfo(msg->easy_handle, CURLINFO_PRIVATE, &url);
fprintf(stderr, "R: %d - %s <%s>\n",
msg->data.result, curl_easy_strerror(msg->data.result), url);
curl_multi_remove_handle(cm, e);
curl_easy_cleanup(e);
left--;
}
else {
fprintf(stderr, "E: CURLMsg (%d)\n", msg->msg);
}
if(transfers < NUM_URLS)
add_transfer(cm, transfers++, &left);
}
if(left)
curl_multi_wait(cm, NULL, 0, 1000, NULL);
} while(left);
curl_multi_cleanup(cm);
curl_global_cleanup();
return EXIT_SUCCESS;
}

62
curl/docs/examples/address-scope.c
Unescape Просмотреть файл

@ -0,0 +1,62 @@
/***************************************************************************
* _ _ ____ _
* Project ___| | | | _ \| |
* / __| | | | |_) | |
* | (__| |_| | _ <| |___
* \___|\___/|_| \_\_____|
*
* Copyright (C) Daniel Stenberg, <daniel@haxx.se>, et al.
*
* This software is licensed as described in the file COPYING, which
* you should have received as part of this distribution. The terms
* are also available at https://curl.se/docs/copyright.html.
*
* You may opt to use, copy, modify, merge, publish, distribute and/or sell
* copies of the Software, and permit persons to whom the Software is
* furnished to do so, under the terms of the COPYING file.
*
* This software is distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY
* KIND, either express or implied.
*
* SPDX-License-Identifier: curl
*
***************************************************************************/
/* <DESC>
* HTTP GET to an IPv6 address with specific scope
* </DESC>
*/
#include <stdio.h>
#include <curl/curl.h>
#if !defined(_WIN32) && !defined(MSDOS) && !defined(__AMIGA__)
#include <net/if.h>
#endif
int main(void)
{
#if !defined(_WIN32) && !defined(MSDOS) && !defined(__AMIGA__)
/* Windows/MS-DOS users need to find how to use if_nametoindex() */
CURL *curl;
CURLcode res;
curl = curl_easy_init();
if(curl) {
long my_scope_id;
curl_easy_setopt(curl, CURLOPT_URL, "https://example.com");
my_scope_id = (long)if_nametoindex("eth0");
curl_easy_setopt(curl, CURLOPT_ADDRESS_SCOPE, my_scope_id);
/* Perform the request, res gets the return code */
res = curl_easy_perform(curl);
/* Check for errors */
if(res != CURLE_OK)
fprintf(stderr, "curl_easy_perform() failed: %s\n",
curl_easy_strerror(res));
/* always cleanup */
curl_easy_cleanup(curl);
}
#endif
return 0;
}

58
curl/docs/examples/altsvc.c
Unescape Просмотреть файл

@ -0,0 +1,58 @@
/***************************************************************************
* _ _ ____ _
* Project ___| | | | _ \| |
* / __| | | | |_) | |
* | (__| |_| | _ <| |___
* \___|\___/|_| \_\_____|
*
* Copyright (C) Daniel Stenberg, <daniel@haxx.se>, et al.
*
* This software is licensed as described in the file COPYING, which
* you should have received as part of this distribution. The terms
* are also available at https://curl.se/docs/copyright.html.
*
* You may opt to use, copy, modify, merge, publish, distribute and/or sell
* copies of the Software, and permit persons to whom the Software is
* furnished to do so, under the terms of the COPYING file.
*
* This software is distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY
* KIND, either express or implied.
*
* SPDX-License-Identifier: curl
*
***************************************************************************/
/* <DESC>
* HTTP with Alt-Svc support
* </DESC>
*/
#include <stdio.h>
#include <curl/curl.h>
int main(void)
{
CURL *curl;
CURLcode res;
curl = curl_easy_init();
if(curl) {
curl_easy_setopt(curl, CURLOPT_URL, "https://example.com");
/* cache the alternatives in this file */
curl_easy_setopt(curl, CURLOPT_ALTSVC, "altsvc.txt");
/* restrict which HTTP versions to use alternatives */
curl_easy_setopt(curl, CURLOPT_ALTSVC_CTRL, (long)
CURLALTSVC_H1|CURLALTSVC_H2|CURLALTSVC_H3);
/* Perform the request, res gets the return code */
res = curl_easy_perform(curl);
/* Check for errors */
if(res != CURLE_OK)
fprintf(stderr, "curl_easy_perform() failed: %s\n",
curl_easy_strerror(res));
/* always cleanup */
curl_easy_cleanup(curl);
}
return 0;
}

164
curl/docs/examples/anyauthput.c
Unescape Просмотреть файл

@ -0,0 +1,164 @@
/***************************************************************************
* _ _ ____ _
* Project ___| | | | _ \| |
* / __| | | | |_) | |
* | (__| |_| | _ <| |___
* \___|\___/|_| \_\_____|
*
* Copyright (C) Daniel Stenberg, <daniel@haxx.se>, et al.
*
* This software is licensed as described in the file COPYING, which
* you should have received as part of this distribution. The terms
* are also available at https://curl.se/docs/copyright.html.
*
* You may opt to use, copy, modify, merge, publish, distribute and/or sell
* copies of the Software, and permit persons to whom the Software is
* furnished to do so, under the terms of the COPYING file.
*
* This software is distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY
* KIND, either express or implied.
*
* SPDX-License-Identifier: curl
*
***************************************************************************/
/* <DESC>
* HTTP PUT upload with authentication using "any" method. libcurl picks the
* one the server supports/wants.
* </DESC>
*/
#include <stdio.h>
#include <fcntl.h>
#include <sys/types.h>
#include <sys/stat.h>
#include <curl/curl.h>
#ifdef _WIN32
#undef stat
#define stat _stat
#undef fstat
#define fstat _fstat
#define fileno _fileno
#endif
#if LIBCURL_VERSION_NUM < 0x070c03
#error "upgrade your libcurl to no less than 7.12.3"
#endif
/*
* This example shows an HTTP PUT operation with authentication using "any"
* type. It PUTs a file given as a command line argument to the URL also given
* on the command line.
*
* Since libcurl 7.12.3, using "any" auth and POST/PUT requires a set seek
* function.
*
* This example also uses its own read callback.
*/
/* seek callback function */
static int my_seek(void *userp, curl_off_t offset, int origin)
{
FILE *fp = (FILE *) userp;
if(-1 == fseek(fp, (long) offset, origin))
/* could not seek */
return CURL_SEEKFUNC_CANTSEEK;
return CURL_SEEKFUNC_OK; /* success! */
}
/* read callback function, fread() look alike */
static size_t read_callback(char *ptr, size_t size, size_t nmemb, void *stream)
{
size_t nread;
nread = fread(ptr, size, nmemb, stream);
if(nread > 0) {
fprintf(stderr, "*** We read %lu bytes from file\n", (unsigned long)nread);
}
return nread;
}
int main(int argc, char **argv)
{
CURL *curl;
CURLcode res;
FILE *fp;
struct stat file_info;
char *file;
char *url;
if(argc < 3)
return 1;
file = argv[1];
url = argv[2];
/* get the file size of the local file */
fp = fopen(file, "rb");
if(!fp)
return 2;
#ifdef UNDER_CE
stat(file, &file_info);
#else
fstat(fileno(fp), &file_info);
#endif
/* In Windows, this inits the Winsock stuff */
curl_global_init(CURL_GLOBAL_ALL);
/* get a curl handle */
curl = curl_easy_init();
if(curl) {
/* we want to use our own read function */
curl_easy_setopt(curl, CURLOPT_READFUNCTION, read_callback);
/* which file to upload */
curl_easy_setopt(curl, CURLOPT_READDATA, (void *) fp);
/* set the seek function */
curl_easy_setopt(curl, CURLOPT_SEEKFUNCTION, my_seek);
/* pass the file descriptor to the seek callback as well */
curl_easy_setopt(curl, CURLOPT_SEEKDATA, (void *) fp);
/* enable "uploading" (which means PUT when doing HTTP) */
curl_easy_setopt(curl, CURLOPT_UPLOAD, 1L);
/* specify target URL, and note that this URL should also include a file
name, not only a directory (as you can do with GTP uploads) */
curl_easy_setopt(curl, CURLOPT_URL, url);
/* and give the size of the upload, this supports large file sizes
on systems that have general support for it */
curl_easy_setopt(curl, CURLOPT_INFILESIZE_LARGE,
(curl_off_t)file_info.st_size);
/* tell libcurl we can use "any" auth, which lets the lib pick one, but it
also costs one extra round-trip and possibly sending of all the PUT
data twice!!! */
curl_easy_setopt(curl, CURLOPT_HTTPAUTH, (long)CURLAUTH_ANY);
/* set user name and password for the authentication */
curl_easy_setopt(curl, CURLOPT_USERPWD, "user:password");
/* Now run off and do what you have been told! */
res = curl_easy_perform(curl);
/* Check for errors */
if(res != CURLE_OK)
fprintf(stderr, "curl_easy_perform() failed: %s\n",
curl_easy_strerror(res));
/* always cleanup */
curl_easy_cleanup(curl);
}
fclose(fp); /* close the local file */
curl_global_cleanup();
return 0;
}

355
curl/docs/examples/block_ip.c
Unescape Просмотреть файл

@ -0,0 +1,355 @@
/***************************************************************************
* _ _ ____ _
* Project ___| | | | _ \| |
* / __| | | | |_) | |
* | (__| |_| | _ <| |___
* \___|\___/|_| \_\_____|
*
* Copyright (C) Daniel Stenberg, <daniel@haxx.se>, et al.
*
* This software is licensed as described in the file COPYING, which
* you should have received as part of this distribution. The terms
* are also available at https://curl.se/docs/copyright.html.
*
* You may opt to use, copy, modify, merge, publish, distribute and/or sell
* copies of the Software, and permit persons to whom the Software is
* furnished to do so, under the terms of the COPYING file.
*
* This software is distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY
* KIND, either express or implied.
*
* SPDX-License-Identifier: curl
*
***************************************************************************/
/* <DESC>
* Show how CURLOPT_OPENSOCKETFUNCTION can be used to block IP addresses.
* </DESC>
*/
/* This is an advanced example that defines a whitelist or a blacklist to
* filter IP addresses.
*/
#if defined(__AMIGA__) || defined(UNDER_CE)
#include <stdio.h>
int main(void) { printf("Platform not supported.\n"); return 1; }
#else
#ifdef _WIN32
#ifndef _CRT_SECURE_NO_WARNINGS
#define _CRT_SECURE_NO_WARNINGS
#endif
#ifndef _CRT_NONSTDC_NO_DEPRECATE
#define _CRT_NONSTDC_NO_DEPRECATE
#endif
#ifndef _WIN32_WINNT
#define _WIN32_WINNT 0x0600
#endif
#include <winsock2.h>
#include <ws2tcpip.h>
#include <windows.h>
#else
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#endif
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <curl/curl.h>
#ifndef TRUE
#define TRUE 1
#endif
#ifndef FALSE
#define FALSE 0
#endif
struct ip {
/* The user-provided IP address or network (use CIDR) to filter */
char *str;
/* IP address family AF_INET (IPv4) or AF_INET6 (IPv6) */
int family;
/* IP in network byte format */
union netaddr {
struct in_addr ipv4;
#ifdef AF_INET6
struct in6_addr ipv6;
#endif
} netaddr;
/* IP bits to match against.
* This is equal to the CIDR notation or max bits if no CIDR.
* For example if ip->str is 127.0.0.0/8 then ip->maskbits is 8.
*/
int maskbits;
struct ip *next;
};
enum connection_filter_t {
CONNECTION_FILTER_BLACKLIST,
CONNECTION_FILTER_WHITELIST
};
struct connection_filter {
struct ip *list;
enum connection_filter_t type;
int verbose;
#ifdef AF_INET6
/* If the address being filtered is an IPv4-mapped IPv6 address then it is
* checked against IPv4 list entries as well, unless ipv6_v6only is set TRUE.
*/
int ipv6_v6only;
#endif
};
static struct ip *ip_list_append(struct ip *list, const char *data)
{
struct ip *ip, *last;
char *cidr;
ip = (struct ip *)calloc(1, sizeof(*ip));
if(!ip)
return NULL;
if(strchr(data, ':')) {
#ifdef AF_INET6
ip->family = AF_INET6;
#else
free(ip);
return NULL;
#endif
}
else
ip->family = AF_INET;
ip->str = strdup(data);
if(!ip->str) {
free(ip);
return NULL;
}
/* determine the number of bits that this IP will match against */
cidr = strchr(ip->str, '/');
if(cidr) {
ip->maskbits = atoi(cidr + 1);
if(ip->maskbits <= 0 ||
#ifdef AF_INET6
(ip->family == AF_INET6 && ip->maskbits > 128) ||
#endif
(ip->family == AF_INET && ip->maskbits > 32)) {
free(ip->str);
free(ip);
return NULL;
}
/* ignore the CIDR notation when converting ip->str to ip->netaddr */
*cidr = '\0';
}
else if(ip->family == AF_INET)
ip->maskbits = 32;
#ifdef AF_INET6
else if(ip->family == AF_INET6)
ip->maskbits = 128;
#endif
if(1 != inet_pton(ip->family, ip->str, &ip->netaddr)) {
free(ip->str);
free(ip);
return NULL;
}
if(cidr)
*cidr = '/';
if(!list)
return ip;
for(last = list; last->next; last = last->next)
;
last->next = ip;
return list;
}
static void ip_list_free_all(struct ip *list)
{
struct ip *next;
while(list) {
next = list->next;
free(list->str);
free(list);
list = next;
}
}
static void free_connection_filter(struct connection_filter *filter)
{
if(filter) {
ip_list_free_all(filter->list);
free(filter);
}
}
static int ip_match(struct ip *ip, void *netaddr)
{
int bytes, tailbits;
const unsigned char *x, *y;
x = (unsigned char *)&ip->netaddr;
y = (unsigned char *)netaddr;
for(bytes = ip->maskbits / 8; bytes; --bytes) {
if(*x++ != *y++)
return FALSE;
}
tailbits = ip->maskbits % 8;
if(tailbits) {
unsigned char tailmask = (unsigned char)((0xFF << (8 - tailbits)) & 0xFF);
if((*x & tailmask) != (*y & tailmask))
return FALSE;
}
return TRUE;
}
#ifdef AF_INET6
static int is_ipv4_mapped_ipv6_address(int family, void *netaddr)
{
if(family == AF_INET6) {
int i;
unsigned char *x = (unsigned char *)netaddr;
for(i = 0; i < 12; ++i) {
if(x[i])
break;
}
/* support formats ::x.x.x.x (deprecated) and ::ffff:x.x.x.x */
if((i == 12 && (x[i] || x[i + 1] || x[i + 2] || x[i + 3])) ||
(i == 10 && (x[i] == 0xFF && x[i + 1] == 0xFF)))
return TRUE;
}
return FALSE;
}
#endif /* AF_INET6 */
static curl_socket_t opensocket(void *clientp,
curlsocktype purpose,
struct curl_sockaddr *address)
{
/* filter the address */
if(purpose == CURLSOCKTYPE_IPCXN) {
void *cinaddr = NULL;
if(address->family == AF_INET)
cinaddr = &((struct sockaddr_in *)(void *)&address->addr)->sin_addr;
#ifdef AF_INET6
else if(address->family == AF_INET6)
cinaddr = &((struct sockaddr_in6 *)(void *)&address->addr)->sin6_addr;
#endif
if(cinaddr) {
struct ip *ip;
struct connection_filter *filter = (struct connection_filter *)clientp;
#ifdef AF_INET6
int mapped = !filter->ipv6_v6only &&
is_ipv4_mapped_ipv6_address(address->family, cinaddr);
#endif
for(ip = filter->list; ip; ip = ip->next) {
if(ip->family == address->family && ip_match(ip, cinaddr))
break;
#ifdef AF_INET6
if(mapped && ip->family == AF_INET && address->family == AF_INET6 &&
ip_match(ip, (unsigned char *)cinaddr + 12))
break;
#endif
}
if(ip && filter->type == CONNECTION_FILTER_BLACKLIST) {
if(filter->verbose) {
char buf[128] = {0};
inet_ntop(address->family, cinaddr, buf, sizeof(buf));
fprintf(stderr, "* Rejecting IP %s due to blacklist entry %s.\n",
buf, ip->str);
}
return CURL_SOCKET_BAD;
}
else if(!ip && filter->type == CONNECTION_FILTER_WHITELIST) {
if(filter->verbose) {
char buf[128] = {0};
inet_ntop(address->family, cinaddr, buf, sizeof(buf));
fprintf(stderr,
"* Rejecting IP %s due to missing whitelist entry.\n", buf);
}
return CURL_SOCKET_BAD;
}
}
}
return socket(address->family, address->socktype, address->protocol);
}
int main(void)
{
CURL *curl;
CURLcode res;
struct connection_filter *filter;
filter = (struct connection_filter *)calloc(1, sizeof(*filter));
if(!filter)
return 1;
if(curl_global_init(CURL_GLOBAL_DEFAULT)) {
free(filter);
return 1;
}
curl = curl_easy_init();
if(!curl) {
curl_global_cleanup();
free(filter);
return 1;
}
/* Set the target URL */
curl_easy_setopt(curl, CURLOPT_URL, "http://localhost");
/* Define an IP connection filter.
* If an address has CIDR notation then it matches the network.
* For example 74.6.143.25/24 matches 74.6.143.0 - 74.6.143.255.
*/
filter->type = CONNECTION_FILTER_BLACKLIST;
filter->list = ip_list_append(filter->list, "98.137.11.164");
filter->list = ip_list_append(filter->list, "127.0.0.0/8");
#ifdef AF_INET6
filter->list = ip_list_append(filter->list, "::1");
#endif
/* Set the socket function which does the filtering */
curl_easy_setopt(curl, CURLOPT_OPENSOCKETFUNCTION, opensocket);
curl_easy_setopt(curl, CURLOPT_OPENSOCKETDATA, filter);
/* Verbose mode */
filter->verbose = TRUE;
curl_easy_setopt(curl, CURLOPT_VERBOSE, 1L);
/* Perform the request */
res = curl_easy_perform(curl);
/* Check for errors */
if(res != CURLE_OK) {
fprintf(stderr, "curl_easy_perform() failed: %s\n",
curl_easy_strerror(res));
}
/* Clean up */
curl_easy_cleanup(curl);
free_connection_filter(filter);
/* Clean up libcurl */
curl_global_cleanup();
return 0;
}
#endif

87
curl/docs/examples/certinfo.c
Unescape Просмотреть файл

@ -0,0 +1,87 @@
/***************************************************************************
* _ _ ____ _
* Project ___| | | | _ \| |
* / __| | | | |_) | |
* | (__| |_| | _ <| |___
* \___|\___/|_| \_\_____|
*
* Copyright (C) Daniel Stenberg, <daniel@haxx.se>, et al.
*
* This software is licensed as described in the file COPYING, which
* you should have received as part of this distribution. The terms
* are also available at https://curl.se/docs/copyright.html.
*
* You may opt to use, copy, modify, merge, publish, distribute and/or sell
* copies of the Software, and permit persons to whom the Software is
* furnished to do so, under the terms of the COPYING file.
*
* This software is distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY
* KIND, either express or implied.
*
* SPDX-License-Identifier: curl
*
***************************************************************************/
/* <DESC>
* Extract lots of TLS certificate info.
* </DESC>
*/
#include <stdio.h>
#include <curl/curl.h>
static size_t wrfu(void *ptr, size_t size, size_t nmemb, void *stream)
{
(void)stream;
(void)ptr;
return size * nmemb;
}
int main(void)
{
CURL *curl;
CURLcode res;
curl_global_init(CURL_GLOBAL_DEFAULT);
curl = curl_easy_init();
if(curl) {
curl_easy_setopt(curl, CURLOPT_URL, "https://www.example.com/");
curl_easy_setopt(curl, CURLOPT_WRITEFUNCTION, wrfu);
curl_easy_setopt(curl, CURLOPT_SSL_VERIFYPEER, 0L);
curl_easy_setopt(curl, CURLOPT_SSL_VERIFYHOST, 0L);
curl_easy_setopt(curl, CURLOPT_VERBOSE, 0L);
curl_easy_setopt(curl, CURLOPT_CERTINFO, 1L);
res = curl_easy_perform(curl);
if(!res) {
struct curl_certinfo *certinfo;
res = curl_easy_getinfo(curl, CURLINFO_CERTINFO, &certinfo);
if(!res && certinfo) {
int i;
printf("%d certs!\n", certinfo->num_of_certs);
for(i = 0; i < certinfo->num_of_certs; i++) {
struct curl_slist *slist;
for(slist = certinfo->certinfo[i]; slist; slist = slist->next)
printf("%s\n", slist->data);
}
}
}
curl_easy_cleanup(curl);
}
curl_global_cleanup();
return 0;
}

224
curl/docs/examples/chkspeed.c
Unescape Просмотреть файл

@ -0,0 +1,224 @@
/***************************************************************************
* _ _ ____ _
* Project ___| | | | _ \| |
* / __| | | | |_) | |
* | (__| |_| | _ <| |___
* \___|\___/|_| \_\_____|
*
* Copyright (C) Daniel Stenberg, <daniel@haxx.se>, et al.
*
* This software is licensed as described in the file COPYING, which
* you should have received as part of this distribution. The terms
* are also available at https://curl.se/docs/copyright.html.
*
* You may opt to use, copy, modify, merge, publish, distribute and/or sell
* copies of the Software, and permit persons to whom the Software is
* furnished to do so, under the terms of the COPYING file.
*
* This software is distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY
* KIND, either express or implied.
*
* SPDX-License-Identifier: curl
*
***************************************************************************/
/* <DESC>
* Show transfer timing info after download completes.
* </DESC>
*/
/* Example source code to show how the callback function can be used to
* download data into a chunk of memory instead of storing it in a file.
* After successful download we use curl_easy_getinfo() calls to get the
* amount of downloaded bytes, the time used for the whole download, and
* the average download speed.
* On Linux you can create the download test files with:
* dd if=/dev/urandom of=file_1M.bin bs=1M count=1
*
*/
#include <stdio.h>
#include <stdlib.h>
#include <time.h>
#include <curl/curl.h>
#define URL_BASE "http://speedtest.your.domain/"
#define URL_1M URL_BASE "file_1M.bin"
#define URL_2M URL_BASE "file_2M.bin"
#define URL_5M URL_BASE "file_5M.bin"
#define URL_10M URL_BASE "file_10M.bin"
#define URL_20M URL_BASE "file_20M.bin"
#define URL_50M URL_BASE "file_50M.bin"
#define URL_100M URL_BASE "file_100M.bin"
#define CHKSPEED_VERSION "1.0"
static size_t WriteCallback(void *ptr, size_t size, size_t nmemb, void *data)
{
/* we are not interested in the downloaded bytes itself,
so we only return the size we would have saved ... */
(void)ptr; /* unused */
(void)data; /* unused */
return (size_t)(size * nmemb);
}
int main(int argc, char *argv[])
{
CURL *curl_handle;
CURLcode res;
int prtall = 0, prtsep = 0, prttime = 0;
const char *url = URL_1M;
char *appname = argv[0];
if(argc > 1) {
/* parse input parameters */
for(argc--, argv++; *argv; argc--, argv++) {
if(argv[0][0] == '-') {
switch(argv[0][1]) {
case 'h':
case 'H':
fprintf(stderr,
"\rUsage: %s [-m=1|2|5|10|20|50|100] [-t] [-x] [url]\n",
appname);
return 1;
case 'v':
case 'V':
fprintf(stderr, "\r%s %s - %s\n",
appname, CHKSPEED_VERSION, curl_version());
return 1;
case 'a':
case 'A':
prtall = 1;
break;
case 'x':
case 'X':
prtsep = 1;
break;
case 't':
case 'T':
prttime = 1;
break;
case 'm':
case 'M':
if(argv[0][2] == '=') {
long m = strtol((*argv) + 3, NULL, 10);
switch(m) {
case 1:
url = URL_1M;
break;
case 2:
url = URL_2M;
break;
case 5:
url = URL_5M;
break;
case 10:
url = URL_10M;
break;
case 20:
url = URL_20M;
break;
case 50:
url = URL_50M;
break;
case 100:
url = URL_100M;
break;
default:
fprintf(stderr, "\r%s: invalid parameter %s\n",
appname, *argv + 3);
return 1;
}
break;
}
fprintf(stderr, "\r%s: invalid or unknown option %s\n",
appname, *argv);
return 1;
default:
fprintf(stderr, "\r%s: invalid or unknown option %s\n",
appname, *argv);
return 1;
}
}
else {
url = *argv;
}
}
}
/* print separator line */
if(prtsep) {
printf("-------------------------------------------------\n");
}
/* print localtime */
if(prttime) {
time_t t = time(NULL);
printf("Localtime: %s", ctime(&t));
}
/* init libcurl */
curl_global_init(CURL_GLOBAL_ALL);
/* init the curl session */
curl_handle = curl_easy_init();
/* specify URL to get */
curl_easy_setopt(curl_handle, CURLOPT_URL, url);
/* send all data to this function */
curl_easy_setopt(curl_handle, CURLOPT_WRITEFUNCTION, WriteCallback);
/* some servers do not like requests that are made without a user-agent
field, so we provide one */
curl_easy_setopt(curl_handle, CURLOPT_USERAGENT,
"libcurl-speedchecker/" CHKSPEED_VERSION);
/* get it! */
res = curl_easy_perform(curl_handle);
if(CURLE_OK == res) {
curl_off_t val;
/* check for bytes downloaded */
res = curl_easy_getinfo(curl_handle, CURLINFO_SIZE_DOWNLOAD_T, &val);
if((CURLE_OK == res) && (val > 0))
printf("Data downloaded: %lu bytes.\n", (unsigned long)val);
/* check for total download time */
res = curl_easy_getinfo(curl_handle, CURLINFO_TOTAL_TIME_T, &val);
if((CURLE_OK == res) && (val > 0))
printf("Total download time: %lu.%06lu sec.\n",
(unsigned long)(val / 1000000), (unsigned long)(val % 1000000));
/* check for average download speed */
res = curl_easy_getinfo(curl_handle, CURLINFO_SPEED_DOWNLOAD_T, &val);
if((CURLE_OK == res) && (val > 0))
printf("Average download speed: %lu kbyte/sec.\n",
(unsigned long)(val / 1024));
if(prtall) {
/* check for name resolution time */
res = curl_easy_getinfo(curl_handle, CURLINFO_NAMELOOKUP_TIME_T, &val);
if((CURLE_OK == res) && (val > 0))
printf("Name lookup time: %lu.%06lu sec.\n",
(unsigned long)(val / 1000000), (unsigned long)(val % 1000000));
/* check for connect time */
res = curl_easy_getinfo(curl_handle, CURLINFO_CONNECT_TIME_T, &val);
if((CURLE_OK == res) && (val > 0))
printf("Connect time: %lu.%06lu sec.\n",
(unsigned long)(val / 1000000), (unsigned long)(val % 1000000));
}
}
else {
fprintf(stderr, "Error while fetching '%s' : %s\n",
url, curl_easy_strerror(res));
}
/* cleanup curl stuff */
curl_easy_cleanup(curl_handle);
/* we are done with libcurl, so clean it up */
curl_global_cleanup();
return 0;
}

70
curl/docs/examples/connect-to.c
Unescape Просмотреть файл

@ -0,0 +1,70 @@
/***************************************************************************
* _ _ ____ _
* Project ___| | | | _ \| |
* / __| | | | |_) | |
* | (__| |_| | _ <| |___
* \___|\___/|_| \_\_____|
*
* Copyright (C) Daniel Stenberg, <daniel@haxx.se>, et al.
*
* This software is licensed as described in the file COPYING, which
* you should have received as part of this distribution. The terms
* are also available at https://curl.se/docs/copyright.html.
*
* You may opt to use, copy, modify, merge, publish, distribute and/or sell
* copies of the Software, and permit persons to whom the Software is
* furnished to do so, under the terms of the COPYING file.
*
* This software is distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY
* KIND, either express or implied.
*
* SPDX-License-Identifier: curl
*
***************************************************************************/
/* <DESC>
* Use CURLOPT_CONNECT_TO to connect to "wrong" hostname
* </DESC>
*/
#include <stdio.h>
#include <curl/curl.h>
int main(void)
{
CURL *curl;
CURLcode res = CURLE_OK;
/*
Each single string should be written using the format
HOST:PORT:CONNECT-TO-HOST:CONNECT-TO-PORT where HOST is the host of the
request, PORT is the port of the request, CONNECT-TO-HOST is the host name
to connect to, and CONNECT-TO-PORT is the port to connect to.
*/
/* instead of curl.se:443, it resolves and uses example.com:443 but in other
aspects work as if it still is curl.se */
struct curl_slist *host = curl_slist_append(NULL,
"curl.se:443:example.com:443");
curl = curl_easy_init();
if(curl) {
curl_easy_setopt(curl, CURLOPT_CONNECT_TO, host);
curl_easy_setopt(curl, CURLOPT_VERBOSE, 1L);
curl_easy_setopt(curl, CURLOPT_URL, "https://curl.se/");
/* since this connects to the wrong host, checking the host name in the
server certificate fails, so unless we disable the check libcurl
returns CURLE_PEER_FAILED_VERIFICATION */
curl_easy_setopt(curl, CURLOPT_SSL_VERIFYHOST, 0L);
/* Letting the wrong host name in the certificate be okay, the transfer
goes through but (most likely) causes a 404 or similar because it sends
an unknown name in the Host: header field */
res = curl_easy_perform(curl);
/* always cleanup */
curl_easy_cleanup(curl);
}
curl_slist_free_all(host);
return (int)res;
}

139
curl/docs/examples/cookie_interface.c
Unescape Просмотреть файл

@ -0,0 +1,139 @@
/***************************************************************************
* _ _ ____ _
* Project ___| | | | _ \| |
* / __| | | | |_) | |
* | (__| |_| | _ <| |___
* \___|\___/|_| \_\_____|
*
* Copyright (C) Daniel Stenberg, <daniel@haxx.se>, et al.
*
* This software is licensed as described in the file COPYING, which
* you should have received as part of this distribution. The terms
* are also available at https://curl.se/docs/copyright.html.
*
* You may opt to use, copy, modify, merge, publish, distribute and/or sell
* copies of the Software, and permit persons to whom the Software is
* furnished to do so, under the terms of the COPYING file.
*
* This software is distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY
* KIND, either express or implied.
*
* SPDX-License-Identifier: curl
*
***************************************************************************/
/* <DESC>
* Import and export cookies with COOKIELIST.
* </DESC>
*/
#include <stdio.h>
#include <string.h>
#include <stdlib.h>
#include <time.h>
#include <curl/curl.h>
#include <curl/mprintf.h>
static int print_cookies(CURL *curl)
{
CURLcode res;
struct curl_slist *cookies;
struct curl_slist *nc;
int i;
printf("Cookies, curl knows:\n");
res = curl_easy_getinfo(curl, CURLINFO_COOKIELIST, &cookies);
if(res != CURLE_OK) {
fprintf(stderr, "Curl curl_easy_getinfo failed: %s\n",
curl_easy_strerror(res));
return 1;
}
nc = cookies;
i = 1;
while(nc) {
printf("[%d]: %s\n", i, nc->data);
nc = nc->next;
i++;
}
if(i == 1) {
printf("(none)\n");
}
curl_slist_free_all(cookies);
return 0;
}
int
main(void)
{
CURL *curl;
CURLcode res;
curl_global_init(CURL_GLOBAL_ALL);
curl = curl_easy_init();
if(curl) {
char nline[512];
curl_easy_setopt(curl, CURLOPT_URL, "https://www.example.com/");
curl_easy_setopt(curl, CURLOPT_VERBOSE, 1L);
curl_easy_setopt(curl, CURLOPT_COOKIEFILE, ""); /* start cookie engine */
res = curl_easy_perform(curl);
if(res != CURLE_OK) {
fprintf(stderr, "Curl perform failed: %s\n", curl_easy_strerror(res));
return 1;
}
print_cookies(curl);
printf("Erasing curl's knowledge of cookies!\n");
curl_easy_setopt(curl, CURLOPT_COOKIELIST, "ALL");
print_cookies(curl);
printf("-----------------------------------------------\n"
"Setting a cookie \"PREF\" via cookie interface:\n");
/* Netscape format cookie */
curl_msnprintf(nline, sizeof(nline), "%s\t%s\t%s\t%s\t%.0f\t%s\t%s",
".example.com", "TRUE", "/", "FALSE",
difftime(time(NULL) + 31337, (time_t)0),
"PREF", "hello example, i like you!");
res = curl_easy_setopt(curl, CURLOPT_COOKIELIST, nline);
if(res != CURLE_OK) {
fprintf(stderr, "Curl curl_easy_setopt failed: %s\n",
curl_easy_strerror(res));
return 1;
}
/* HTTP-header style cookie. If you use the Set-Cookie format and do not
specify a domain then the cookie is sent for any domain and is not
modified, likely not what you intended. For more information refer to
the CURLOPT_COOKIELIST documentation.
*/
curl_msnprintf(nline, sizeof(nline),
"Set-Cookie: OLD_PREF=3d141414bf4209321; "
"expires=Sun, 17-Jan-2038 19:14:07 GMT; path=/; domain=.example.com");
res = curl_easy_setopt(curl, CURLOPT_COOKIELIST, nline);
if(res != CURLE_OK) {
fprintf(stderr, "Curl curl_easy_setopt failed: %s\n",
curl_easy_strerror(res));
return 1;
}
print_cookies(curl);
res = curl_easy_perform(curl);
if(res != CURLE_OK) {
fprintf(stderr, "Curl perform failed: %s\n", curl_easy_strerror(res));
return 1;
}
curl_easy_cleanup(curl);
}
else {
fprintf(stderr, "Curl init failed!\n");
return 1;
}
curl_global_cleanup();
return 0;
}

Некоторые файлы не были показаны из-за слишком большого количества измененных файлов Показать больше

Редактирование Предпросмотр
Загрузка…
Отмена
Сохранить