Changes in 8.13.0 - April 2 2025

Changes:

• curl: add write-out variable 'tls_earlydata'
• curl: make --url support a file with URLs
• gnutls: set priority via --ciphers
• IMAP: add CURLOPT_UPLOAD_FLAGS and --upload-flags
• lib: add CURLFOLLOW_OBEYCODE and CURLFOLLOW_FIRSTONLY
• OpenSSL/quictls: add support for TLSv1.3 early data
• rustls: add support for CERTINFO
• rustls: add support for SSLKEYLOGFILE
• rustls: support ECH w/ DoH lookup for config
• rustls: support native platform verifier
• var: add a '64dec' function that can base64 decode a string
• wolfssl: tls early data support

Bugfixes:

• addrinfo: add curl macro to avoid redefining foreign symbols
• asyn-thread: avoid the separate 'struct resdata' alloc
• asyn-thread: avoid the separate curl_mutex_t alloc
• asyn-thread: do not allocate thread_data separately
• asyn-thread: remove 'status' from struct Curl_async
• autotools: fix `dllmain.c` in unity builds
• autotools: fix `libtest` bundle to depend on `FIRSTFILES`
• autotools: use `CURLDEBUG` to exclude TrackMemory code from unity
• aws_sigv4: cannot be used for proxy
• aws_sigv4: merge repeated headers in canonical request
• aws_sigv4: use strparse more for parsing
• base64: drop `BUILDING_CURL` macro, always include in tests/server
• build: add Windows CE / CeGCC support, with CI jobs
• build: cmake multi-pkg-config detection improvements (brotli, ldap, mbedtls)
• build: do not apply curl debug macros to `tests/server` by default
• build: drop unused `getpart` tool
• build: enable -Wjump-misses-init for GCC 4.5+
• build: enable `-Wcast-qual`, fix or silence compiler warnings
• build: fix compiler warnings in feature detections
• build: replace Curl_ prefix with curlx_ for functions used in servers
• build: set `-O3` and tune WinCE in CI, fix `getpart`, `vtls_scache` fallouts
• build: set `HAVE_STDINT_H` if `stdint.h` is available
• build: set `HAVE_WRITABLE_ARGV` for Apple cross-builds
• build: silence bogus `-Wconversion` warnings with gcc 5.1-5.4
• build: silence mingw32ce C99 format warnings, simplify CI
• build: tidy-ups around `inet_pton`
• c-ares httpsrr: fix ifdef
• c-ares: error out for unsupported versions, drop unused macros
• ca-native.md: sync with CURLSSLOPT_NATIVE_CA
• cf-socket: deduplicate Windows Vista detection
• cf-socket: remove empty switch
• client writer: handle pause before decoding
• cmake: `CURL_LIBDIRS` improvements (upstreamed from vcpkg)
• cmake: `SHARE_LIB_OBJECT=ON` requires CMake 3.12 or newer
• cmake: add custom command scripts as dependencies where missing
• cmake: add pre-fill for Unix, enable in GHA/macos, verify pre-fills
• cmake: add shell completion support
• cmake: allow `CURL_STATIC_CRT` with shared libcurl and no curl exe
• cmake: allow `CURL_STATIC_CRT` with UCRT VS2015+ builds
• cmake: allow empty `IMPORT_LIB_SUFFIX`, add suffix collision detection
• cmake: avoid `-Wnonnull` warning in `HAVE_FSETXATTR_5` detection
• cmake: disable HTTPS-proxy as a feature if proxy is disabled
• cmake: drop `CURL_DISABLE_TESTS` option
• cmake: drop `HAVE_C_FLAG_Wno_long_double` logic for ancient Apple gcc
• cmake: drop `HAVE_IN_ADDR_T` from pre-fill too
• cmake: drop two stray TLS feature checks for wolfSSL
• cmake: exclude `-MP` for `clang-cl` again
• cmake: fix `HAVE_ATOMIC`/`HAVE_STDATOMIC` pre-fill for clang-cl
• cmake: fix clang-tidy builds to verify tests, fix fallouts
• cmake: fix detection pre-fills for iOS
• cmake: fix ECH detection in custom-patched OpenSSL
• cmake: fix typo in ECH config error msg
• cmake: hide empty `MINGW64_VERSION` output for mingw32ce
• cmake: improve httpd detection for pytest
• cmake: mention 'insecure' in the debug build warning
• cmake: misc tidy-ups
• cmake: pre-fill known type sizes for Windows OSes
• cmake: replace CMAKE_COMPILER_IS_GNUCC with CMAKE_C_COMPILER_ID
• cmake: replace exec_program() with execute_process()
• cmake: restrict static CRT builds to static curl exe, test in CI
• cmake: sync cutoff version with autotools for picky option `-ftree-vrp`
• cmake: sync OpenSSL(-fork) feature checks with `./configure`
• cmake: unity mode optimization for non-`CURLDEBUG` `testdeps` targets
• CODE_STYLE: readability and banned functions
• config-win32: set `HAVE_STDINT_H` where available
• configure: call the blocking resolver "blocking", not "default"
• configure: fix ECH detection with MultiSSL
• configure: silence compiler warnings in feature checks, drop duplicates
• configure: tidy up shell completion rules
• configure: use `curl_cv_apple` variable
• conn: eliminate `conn->now`
• conn: fix connection reuse when SSL is optional
• conncache: eliminate `conn->destination_len` as premature optimization
• contributors.sh: lowercase 'github' for consistency
• contrithanks.sh: update docs/THANKS in place
• cookie: do prefix matching case-sensitively
• cookie: minor parser simplification
• cookie: simplify invalid_octets()
• core: stop redefining `E*` macros on Windows, map `EACCES`, related fixes
• curl.h: change some enums to defines with L suffix
• curl.h: convert CURLUSESSL* names to defines
• curl.h: stop defining non-curl `__has_declspec_attribute`
• curl.h: switch `CURL_HTTP_VERSION*` enums to long constants
• curl/system.h: drop leftover comment about 32 bit curl_off_t
• curl: add my_setopt_long() and _offt()
• curl_msh3: remove verify bypass from DEBUGBUILDs
• curl_setup: drop `ERANGE` (for WinCE), no longer used
• curl_setup_once: drop `E*` macro redefines unused (with winsock2)
• curl_setup_once: stop redefining `ENAMETOOLONG` to winsock2 error code
• curl_trc: fix build with CURL_DISABLE_VERBOSE_STRINGS
• curl_ws_recv.md: expand a little on the fragments the API delivers
• CURLMOPT_SOCKETFUNCTION.md: add advice for socket callback invocation
• CURLOPT_HTTPHEADER.md: add comments to the example
• CURLOPT_HTTPHEADER.md: rephrases
• curltime: use libcurl time functions in src and tests/server
• DISABLED: add 313 for sectransp (move from GHA/macos)
• docs/cmdline-opts: use imperative form
• docs: adapt to removed --with-random
• docs: add FD_ZERO to curl_multi_fdset example
• docs: bump `rustls` to 0.14.1
• docs: correct argument names & URL redirection
• docs: minor edits to please the new spellchecker regime
• docs: rework RUSTLS install instructions
• docs: unify HTTP version style in --help output
• docs: vulnerabilities in debug code are not eligible for a bounty
• doh: improve HTTPS RR svcparams parsing
• doh: remove wrong but unreachable exit path from doh_decode_rdata_name
• dynbuf: assert init on free
• easy: drop `break` after `return`
• easy: fix warning about possible comma misuse
• eventfd: allow use on all CPUs
• examples: prefer `return` over `exit()` (cont.)
• ftp/sftp: strdup data info memory
• ftp: fix comment
• gnutls: fix connection state check on handshake
• gnutls: fix use of pkcs11 urls for keys/certs
• gtls: fix uninitialized variable
• hash: use single linked list for entries
• hostip: don't use alarm() for DoH resolves
• hostip: make CURLOPT_RESOLVE support replacing IPv6 addresses
• http2: add on_invalid_frame callback for error detection
• http2: detect session being closed on ingress handling
• http2: enhance error messages on Curl_dyn* upon receiving headers
• http2: fix stream assignemnt for pushes
• http2: reset stream on response header error
• HTTP3.md: only speak about minimal versions
• http: convert parsers to strparse
• http: fix NTLM info message typo
• http: fix the auth check
• http: make the RTSP version check stricter
• http: negotiation and room for alt-svc/https rr to navigate
• http: remove a HTTP method size restriction
• http: version negotiation
• http_chunks: replace a strofft call with curl_str_hex
• https-rr: implementation improvements
• httpsrr: fix port detection
• httpsrr: fix the HTTPS-RR threaded-resolver build combo
• INFRASTRUCTURE.md: add IRC and Matrix details
• INSTALL-CMAKE.md: CMake usage updates
• INSTALL-CMAKE.md: mention `ZLIB_USE_STATIC_LIBS`
• lib1156: pass longs to `curl_easy_setopt()`
• lib1560: test set path containing LR or CR
• lib2302: fix crash due to stack overflow on MSVC and clang Windows
• lib696: fix building on Windows in non-bundle mode
• lib: better optimized casecompare() and ncasecompare()
• lib: clear up CURLRES_ASYNCH vs USE_CURL_ASYNC use
• lib: fix two curlx_strtoofft invokes
• lib: rename curlx_strtoofft to Curl_str_numblanks()
• lib: replace while(ISBLANK()) loops with Curl_str_passblanks()
• lib: simplify more white space loops
• lib: strtoofft.h header cleanup
• lib: use Curl_str_* instead of strtok_r()
• lib: use Curl_str_number() for parsing decimal numbers
• libssh2: fix freeing of resources in disconnect
• libssh2: fix memory leak in `SSH_SFTP_REALPATH` state
• libssh2: fix to ignore `known_hosts` if SHA256 host public key is set
• libssh2: print user with verbose flag
• libssh2: show crypto backend in the verbose connect log
• libssh: fix freeing of resources in disconnect
• libssh: fix scp large file upload for 32-bit size_t systems
• libtest/first.c: remove the Test: stderr output for unity builds
• libtest/libprereq.c: set CURLOPT_FOLLOWLOCATION with a long
• managen: accept more markdown-quote-markers
• managen: correct the warning for un-escaped '<' and '>'
• mbedtls: re-enable an error check
• memdebug.h: avoid `-Wredundant-decls` with an extra guard
• memdebug: drop dynamic allocation from `curl_dbg_log()`
• mprintf: switch three number parsers to use strparse
• mqtt: convert sendleftovers to dynbuf
• msvc: drop support for VS2005 and older
• multi: call protocol handler done() if PROTOCONNECT or later
• multi: event based rework
• multi: kill off remaining internal handles in curl_multi_cleanup
• multi: start the loop over when handles are removed
• multi_ev: fixes regarding connection shutdowns
• ngtcp2: do not iterate over multi handles
• ntlm: merge ntlm.h into ntlm.c
• openssl-quic: do not iterate over multi handles
• openssl: check return value of X509_get0_pubkey
• openssl: drop support for old OpenSSL/LibreSSL versions
• openssl: fix crash on missing cert password
• openssl: fix pkcs11 URI checking for key files.
• openssl: remove bad `goto`s into other scope
• prox/preproxy.md: document argument within <brackets>
• pytest: test negotiate with http proxy
• quiche: do not iterate over multi handles
• RELEASE-PROCEDURE.md: explain release candidates
• request: clear sendbuf_hds_len when resetting request bufq
• resolve: fix building without Unix sockets and `CURLDEBUG`
• runtests: accept `CURL_DIRSUFFIX` without ending slash
• runtests: add feature-based filtering
• runtests: check and report if `diff` tool is missing
• runtests: drop logic calling the `handle` tool (Windows)
• runtests: drop recognizing 'winssl' as Schannel
• runtests: drop ref to unused external function
• runtests: fix bundled test invocation with `-g` option
• runtests: fix SSH server not starting in cases, re-ignore failing vcpkg CI jobs
• runtests: fix test key format for libssh2 WinCNG (and others)
• runtests: generate certs dynamically, bump to EC-256, tidy up
• runtests: recognize AWS-LC as OpenSSL
• runtests: rewrite `genserv.sh` in Perl
• runtests: support multi-target cmake, drop workarounds from CI
• runtests: support running tests under wine or qemu (cont.)
• runtests: support running tests under wine or qemu
• runtests: use `setfacl` on Cygwin/MSYS, if present
• rustls: add ECH support w/ string ECH config
• rustls: cap maximum allowed CRL file size to 8MB
• rustls: support ECH GREASE
• rustls: use client cert and key if available
• schannel: deduplicate Windows Vista detection
• schannel: enable ALPN support under WINE 6.0+
• schannel: enable ALPN with MinGW, fix ALPN for UWP builds
• schannel: guard ALPN init code to ALPN builds
• scripts/managen: fix option 'single'
• scripts/managen: fix parsing of markdown code sections
• scripts: update completion.pl to parse options from docs
• sectransp: add support for HTTP/2 in gcc builds
• sendf: client reader line conversion: do not change data->state.infilesize
• setopt: illegal CURLOPT_SOCKS5_AUTH should return error
• setopt: remove unnecessary void pointer typecasts
• setopt: setting PROXYUSERPWD after PROXYUSERNAME/PASSWORD is fine
• shutdowns: split shutdown handling from connection pool
• socks: remove bad assert from do_SOCKS5()
• src: avoid strdup on platforms not doing UTF-8 conversions
• src: cleanup ISBLANK vs ISSPACE
• src: remove Curl_ prefix from tool-specific function
• src: remove final uses of Curl_ symbol prefixes in tool code
• src: replace strto[u][ld] with curlx_str_ parsers
• ssh: consider sftp quote commands case sensitive
• sshserver.pl: adjust `AuthorizedKeysFile2` cutoff version
• sshserver.pl: use Perl `chmod`
• sshserver: fix excluding obsolete client config lines
• ssl session cache: add exportable flag
• SSLCERTS: list support for SSL_CERT_FILE and SSL_CERT_DIR
• strparse: make Curl_str_number() return error for no digits
• strparse: switch the API to work on 'const char *'
• strparse: switch to curl_off_t as base data type
• test1022: add support for rc releases
• test1167: catch #defines with extra whitespace
• test313: disable CRL test for Schannel due to lack of support and flakiness
• test313: disable via `<features>` for backends without CRL support
• test489: set output dir
• test612: SCP `rm` the uploaded remote file (not the local source), unignore in CI
• test613: make it pass on Windows, fix postprocess, unignore in CI
• test615: fix for Cygwin, unignore in CI
• tests/certs: cleanup
• tests/server: drop unused `base64.pl`
• tests/server: fix to check against winsock2 error codes on Windows
• tests/server: give global `path` variable a more descriptive name
• tests/server: make the signal handler signal-safe
• tests/server: replace `errno` with `SOCKERRNO` in sockfilt, socksd, sws
• tests/server: replace `strerror` with `sstrerror` in socksd
• tests/server: support bundle binary
• tests/server: sync `wait_ms()` with the libcurl implementation
• tests/server: use `curlx_str_numblanks()` to avoid `errno`
• tests/servers.pm: remove unused variable 'portrange'
• tests: build non-debug unit tests with autotools, run them
• tests: fix comment in lib533
• tests: fix enum/int confusion, fix autotools `CFLAGS` for `servers`
• tests: make sure 'commands.log' is generated in the correct logdir
• tests: mark tests 1631, 1632 flaky
• tests: reformat error messages to avoid tripping MSBuild
• tests: remove base64 encoded sections
• tests: Remove unused variables
• tests: replace remaining non-ASCII bytes with hex markup
• tftpd: prefix TFTP protocol error `E*` constants with `TFTP_`
• tidy-up: align MSYS2/Cygwin codepaths, follow Cygwin `MAX_PID` bump
• tidy-up: delete, comment or scope C macros reported unused
• tidy-up: drop unused `CURL_INADDR_NONE` macro and `in_addr_t` type
• tidy-up: use `CURL_ARRAYSIZE()`
• timediff: fix comment for curlx_mstotv()
• timediff: remove unnecessary double typecast
• tool_dirhie: create dir hierarchy without strtok
• tool_getparam: clear sensitive arguments better
• tool_getparam: do parse_upload_flags without the alloc/free
• tool_getparam: parse --trace-config without strdup()/free()
• tool_getparam: parse_header() without strtok
• tool_operate: change "1 retries" to "1 retry"
• tool_operate: fail SSH transfers without server auth
• tool_operate: fix pluralization of seconds
• tool_operate: remove unnecessary (long) typecasts
• tool_paramhlp: do --proto parsing without strtok
• tool_parsecfg: make my_get_line skip comments and newlines
• tool_setopt: reduce use of "code hiding" macros
• url: call protocol handler's disconnect in Curl_conn_free
• urlapi: fix redirect from file:// with query, and simplify
• urlapi: remove percent encoded dot sequences from the URL path
• urlapi: simplify junkscan
• urldata: remove 'hostname' from struct Curl_async
• variable.md: clarify 'trim' example
• vquic: obey IOV_MAX
• vtls: fix compiler warnings seen with gcc 7.3.0 and mbedTLS
• winbuild: reduce command-line length by dropping whitespace
• windows: do not use winsock2 `inet_ntop()`/`inet_pton()`
• windows: drop code and curl manifest targeting W2K and older
• windows: fix issues detected by clang-tidy, and some more
• wolfssh: fix freeing of resources in disconnect
• wolfssh: retrieve the error using wolfSSH_get_error
• wolfssl: fix CA certificate multiple location import
• wolfssl: fix unused variable warning
• wolfssl: warn if CA native import option is ignored
• wolfssl: when using PQ KEM, use ML-KEM, not Kyber
• ws: corrected curlws_cont to reflect its documented purpose
• ws: fix and extend CURLWS_CONT handling
• zlib: bump minimum to 1.2.5.2 (was: 1.2.0.4)

Further