path: root/libs/libcurl/docs/CHANGES

                                  _   _ ____  _
                              ___| | | |  _ \| |
                             / __| | | | |_) | |
                            | (__| |_| |  _ <| |___
                             \___|\___/|_| \_\_____|

                                  Changelog

Version 8.0.1 (20 Mar 2023)

Daniel Stenberg (20 Mar 2023)

- RELEASE-NOTES: synced

  curl 8.0.1

- Revert "multi: remove PENDING + MSGSENT handles from the main linked list"

  This reverts commit f6d6f3ce01e377932f1ce7c24ee34d45a36950b8.

  The commits caused issues in the 8.0.0 release. Needs a retake.

  Reported-by: Kamil Dudka
  Closes #10795

- include/curl/curlver.h: bump to 8.0.1

Version 8.0.0 (20 Mar 2023)

Daniel Stenberg (20 Mar 2023)

- RELEASE-NOTES: synced

  The curl 8.0.0 release

- THANKS: from the 8.0.0 release

- scripts/delta: fix "ambiguous argument" when used in branches

- SECURITY-PROCESS.md: Busy-loops are not security problems

  Closes #10790

Stefan Eissing (17 Mar 2023)

- tests/http: do not save files for downloads in scorecard testing

  Closes #10788

Daniel Stenberg (17 Mar 2023)

- cf-socket: use port 80 when resolving name for local bind

  It turns out c-ares returns an error when asked to resolve a host name with
  ares_getaddrinfo using port number 0.

  Reported as a c-ares bug here: https://github.com/c-ares/c-ares/issues/517

  The work-around is to simply use port 80 instead, as the number typically doe
  s
  not make a difference and a non-zero number works for c-ares.

  Fixes #10759
  Reported-by: Matt Jolly
  Closes #10789

- curl.h: require gcc 12.1 for the deprecation magic

  Reported-by: kchow-FTNT on github
  Fixes #10726
  Closes #10784

- Revert "rtsp: use dynbuf instead of custom reallocs"

  This reverts commit 1b9ea3239d22147e00d8 because of OSS-fuzz reports.
  I'll do another take after the pending release.

  Closes #10785

- test422: verify --next used without a prior URL

  Closes #10782

- tool_getparam: error if --next is used without a prior URL

  Reported-by: 積丹尼 Dan Jacobson
  Ref: https://github.com/curl/curl/pull/10769#discussion_r1137895629

  Closes #10782

- libssh: use dynbuf instead of realloc

  When building lines to show for SFTP directory listings.

  Closes #10778

- lib2305: deal with CURLE_AGAIN

  The test does a slightly ugly busy-loop for this case but should be
  managable due to it likely being a very short moment.

  Mention CURLE_AGAIN in curl_ws_recv.3

  Fixes #10760
  Reported-by: Jay Satiro
  Closes #10781

- rtsp: use dynbuf instead of custom reallocs

  For the RTP buffering.

  Closes #10776

- libssh2: remove unused variable from libssh2's struct

  Closes #10777

- RELEASE-NOTES: synced

- multi: remove PENDING + MSGSENT handles from the main linked list

  As they are not driving transfers or any socket activity, the main loop
  does not need to iterate over these handles. A performance improvement.

  They are instead only held in their own separate lists.

  Assisted-by: Stefan Eissing
  Ref: #10743
  Closes #10762

- multi: turn link/unlinking easy handles into dedicated functions

- http_aws_sigv4: fix scan-build "value stored to 'ret' is never read"

  Follow-up to 495d09810aa9a

  Closes #10766

- lib: skip Curl_llist_destroy calls

  Linked lists themselves do not carry any allocations, so for the lists
  that do not have have a set destructor we can just skip the
  Curl_llist_destroy() call and save CPU time.

  Closes #10764

- lib643: LIB644 is never defined, this is dead code

  Closes #10765

- libtest/Makefile.inc: remove superfluous variables

  Rely on the defaults when possible.

  Closes #10765

- tests/http: remove year ranges from copyrights

  Closes #10763

Casey Bodley (14 Mar 2023)

- aws_sigv4: fall back to UNSIGNED-PAYLOAD for sign_as_s3

  all s3 requests default to UNSIGNED-PAYLOAD and add the required
  x-amz-content-sha256 header. this allows CURLAUTH_AWS_SIGV4 to correctly
  sign s3 requests to amazon with no additional configuration

  Signed-off-by: Casey Bodley <cbodley@redhat.com>

  Closes #9995

Viktor Szakats (14 Mar 2023)

- wolfssl: add quic/ngtcp2 detection in cmake, and fix builds

  - add QUIC/ngtcp2 detection in CMake with wolfSSL.

    Because wolfSSL uses zlib if available, move compression detection
    before TLS detection. (OpenSSL might also need this in the future.)

  - wolfSSL 5.5.0 started using C99 types in its `quic.h` header, but it
    doesn't #include the necessary C99 header itself, breaking builds
    (unless another dependency pulled it by chance.) Add local workaround
    for it. For this to work with all build tools, we had to fix our
    header detection first. Ref: #10745

    Ref: https://github.com/curl/curl-for-win/commit/6ad5f6ecc15620c15625fc4434
  76b3a1ecef4f3f

  Closes #10739

Stefan Eissing (14 Mar 2023)

- secure-transport: fix recv return code handling

  Return code handling of recv calls were not always correct when an error
  occured or the connection was closed.

  Closes #10717

- http2: Use KEEP_SEND_HOLD for flow control in HTTP/2

  - use the defined, but so far not used, KEEP_SEND_HOLD bit for flow
    control based suspend of sending in transfers.

  Prior to this change KEEP_SEND_PAUSE bit was used instead, but that can
  interfere with pausing streams from the user side via curl_easy_pause.

  Fixes https://github.com/curl/curl/issues/10751
  Closes https://github.com/curl/curl/pull/10753

Dan Fandrich (13 Mar 2023)

- tests: fix control code that hid some text in runtests.1

- tests: sync option lists in runtests.pl & its man page

Daniel Stenberg (13 Mar 2023)

- multi: make multi_perform ignore/unignore signals less often

  For improved performance

  Reported-by: Jerome St-Louis
  Ref: #10743
  Closes #10750

Viktor Szakats (13 Mar 2023)

- cmake: delete unused HAVE__STRTOI64

  Also delete obsolete surrounding comments.

  Reviewed-by: Daniel Stenberg
  Closes #10756

- CI: fix copyright header

  Follow-up to 395b9175b7422d699fa93643973295c106cdf147

Daniel Stenberg (13 Mar 2023)

- RELEASE-PROCEDURE.md: update coming release dates

Stefan Eissing (13 Mar 2023)

- tests/http: add pytest to GHA and improve tests

  - added to: ngtcp2-quictls, ngtcp2-gnutls and the linux varians
    quiche, bearssl, libressl, mbedtls, openssl3, rustls
  - added disabled in ngtcp2-wolfssl due to weird SSL_connect() errors
    not reproducable locally

  Improvements on pytest:

  -  handling of systems with nghttpx in $PATH
     - configure will seach $PATH got nghttpx used in pytest
     - pytest fixes for managing nghttpx without h3 support
     - ngtcp2-wolfssl: use a fully enabled wolfssl build

  - lower parallel count for http/1.1 tests, since we do not
     want to test excessive connections.
  - check built curl for HTTPS-proxy support in proxy tests
  - bearssl does not like one of our critical cert extensions, making
    it non-critical now
  - bearssl is too slow for test_12, skipping
  - making sure we do h3 tests only when curl and server support is there

  Closes #10699

Marcel Raad (13 Mar 2023)

- tool_operate: silence unused parameter warning

  `global` is only used in the `my_setopt` macro version without
  `CURL_DISABLE_LIBCURL_OPTION` since commit 4774decf10a.

  Closes https://github.com/curl/curl/pull/10752

Viktor Szakats (13 Mar 2023)

- build: fix stdint/inttypes detection with non-autotools

  Fix `stdint.h` and `inttypes.h` detection with non-autotools builds on
  Windows. (autotools already auto-detected them accurately.)

  `lib/config-win32.h` builds (e.g. `Makefile.mk`):
  - set `HAVE_STDINT_H` where supported.
  - set `HAVE_INTTYPES_H` for MinGW.

  CMake:
  - auto-detect them on Windows. (They were both force-disabled.)
  - delete unused `CURL_PULL_STDINT_H`.
  - delete unused `CURL_PULL_INTTYPES_H`.
  - stop detecting `HAVE_STDINT_H` twice.
    Present since the initial CMake commit: 4c5307b45655ba75ab066564afdc0c111a8
  b9291

  curl doesn't use these C99 headers, we need them now to workaround
  broken wolfSSL builds. Ref: #10739

  Once that clears up, we can delete these detections and macros (unless
  we want to keep them for future us.)

  Reviewed-by: Daniel Stenberg
  Closes #10745

Daniel Stenberg (13 Mar 2023)

- RELEASE-NOTES: synced

- ftp: add more conditions for connection reuse

  Reported-by: Harry Sintonen
  Closes #10730

Dan Fandrich (12 Mar 2023)

- tests: make first.c the same for both lib tests and unit tests

  The only difference used to be global variable used in unittest tests.
  After cb7ed5a removed individual flag overrides for the unittests, first.c
  was no longer recompiled for unit tests to include the flag, so whether it
  worked or gave a link error depended on whether it was compiled in
  libtest or unittest first. This way also speeds up the build by
  eliminating 40 identical compile invocations.

  Fixes #10749

- tests: use AM_CPPFILES to modify flags in unit tests

  Using CPPFLAGS sometimes caused odd compile issues when building tests
  with parallel make and AM_CPPFILES is the right flag, anyway.

  Follow-up to cb7ed5a

  Ref #10749

Viktor Szakats (13 Mar 2023)

- Makefile.mk: fix -g option in debug mode [ci skip]

  Add it to `CFLAGS` (was: `LDFLAGS`).

  Closes #10747

Jay Satiro (12 Mar 2023)

- tool: improve --stderr handling

  - freopen stderr with the user-specified file (--stderr file) instead of
    using a separate 'errors' stream.

  - In tool_setup.h override stdio.h's stderr macro as global variable
    tool_stderr.

  Both freopen and overriding the stderr macro are necessary because if
  the user-specified filename is "-" then stdout is assigned to
  tool_stderr and no freopen takes place. See the PR for more information.

  Ref: https://github.com/curl/curl/issues/10491

  Closes https://github.com/curl/curl/pull/10673

Dan Fandrich (11 Mar 2023)

- CI: don't run CI jobs if only another CI was changed

  Also skip builds on non-Windows platforms when only Windows build files
  have changed.

  This should reduce the number of useless builds and the associated
  waiting time and chance of spurious failures, freeing resources for
  new PRs.

  Closes #10742

- http: don't send 100-continue for short PUT requests

  This is already how curl is documented to behave in Everything curl, but
  in actuality only short POSTs skip this. This should knock 30 seconds
  off a full run of the test suite since the 100-continue timeout will no
  longer be hit.

  Closes #10740

- tests: add DELAY keyword to more tests using waits

- tests: hack to build most unit tests under cmake

  These are only built when a libcurl static library is available, since
  we're not building a special libcurlu library yet and these tests rely
  on private symbols that aren't available in the shared library. A few
  unit tests do require libcurlu, so those are not built.

  Closes #10722

- tests: fix MSVC unreachable code warnings in unit tests

  Switch unit1654 to use the proper test macros as well.

- tests: make CPPFLAGS common to all unit tests

  There's no need to specify them individually.

- tests: keep cmake unit tests names in sync

  Put only the test names into Makefile.inc so they can be used by both
  cmake and automake. This will prevent the list of tests from becoming
  out of date when they are also built under cmake.

Viktor Szakats (11 Mar 2023)

- src: silence wmain() warning for all build methods

  llvm/clang and gcc doesn't recognize the wmain() function in Unicode
  Windows builds:

  llvm/clang:
  ```
  ../../src/tool_main.c:239:5: warning: no previous prototype for function 'wma
  in' [-Wmissing-prototypes]
  int wmain(int argc, wchar_t *argv[])
      ^
  1 warning generated.
  ```

  gcc:
  ```
  ../../src/tool_main.c:239:5: warning: no previous prototype for 'wmain' [-Wmi
  ssing-prototypes]
    239 | int wmain(int argc, wchar_t *argv[])
        |     ^~~~~
  ```

  Before this patch, we already silenced it with CMake. This patch moves
  the silencing to the source, so that it applies to all build tools.

  Bug: https://github.com/curl/curl/issues/7229#issuecomment-1464806651

  Reviewed-by: Marcel Raad
  Closes #10744

Dan Fandrich (10 Mar 2023)

- CI: fix retrying on brew failures

  The previous attempt didn't consider that the shell would exit
  immediately after the false statement in the retry case.

  Follow-up to dc141a37

Stefan Eissing (10 Mar 2023)

- http2: fix error handling during parallel operations

  RST and connection close were not handled correctly during parallel
  transfers, leading to aborted response bodies being reported complete.

  Closes #10715

Daniel Stenberg (10 Mar 2023)

- url: only reuse connections with same GSS delegation

  Reported-by: Harry Sintonen
  Closes #10731

Viktor Szakats (10 Mar 2023)

- lib: silence clang/gcc -Wvla warnings in brotli headers

  brotli v1.0.0 throughout current latest v1.0.9 and latest master [1]
  trigger this warning.

  It happened with CMake and GNU Make. autotools builds avoid it with
  the `convert -I options to -isystem` macro.

  llvm/clang:
  ```
  In file included from ./curl/lib/content_encoding.c:36:
  ./brotli/x64-ucrt/usr/include/brotli/decode.h:204:34: warning: variable lengt
  h array used [-Wvla]
      const uint8_t encoded_buffer[BROTLI_ARRAY_PARAM(encoded_size)],
                                   ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
  ./brotli/x64-ucrt/usr/include/brotli/port.h:253:34: note: expanded from macro
   'BROTLI_ARRAY_PARAM'
                                   ^~~~~~
  In file included from ./curl/lib/content_encoding.c:36:
  ./brotli/x64-ucrt/usr/include/brotli/decode.h:206:48: warning: variable lengt
  h array used [-Wvla]
      uint8_t decoded_buffer[BROTLI_ARRAY_PARAM(*decoded_size)]);
                             ~~~~~~~~~~~~~~~~~~~~^~~~~~~~~~~~~
  ./brotli/x64-ucrt/usr/include/brotli/port.h:253:35: note: expanded from macro
   'BROTLI_ARRAY_PARAM'
                                   ~^~~~~
  ```

  gcc:
  ```
  In file included from ./curl/lib/content_encoding.c:36:
  ./brotli/x64-ucrt/usr/include/brotli/decode.h:204:5: warning: ISO C90 forbids
   variable length array 'encoded_buffer' [-Wvla]
    204 |     const uint8_t encoded_buffer[BROTLI_ARRAY_PARAM(encoded_size)],
        |     ^~~~~
  ./brotli/x64-ucrt/usr/include/brotli/decode.h:206:5: warning: ISO C90 forbids
   variable length array 'decoded_buffer' [-Wvla]
    206 |     uint8_t decoded_buffer[BROTLI_ARRAY_PARAM(*decoded_size)]);
        |     ^~~~~~~
  ```

  [1] https://github.com/google/brotli/commit/ed1995b6bda19244070ab5d331111f16f
  67c8054

  Reviewed-by: Daniel Stenberg
  Reviewed-by: Marcel Raad
  Closes #10738

Daniel Stenberg (10 Mar 2023)

- curl_path: create the new path with dynbuf

  Closes #10729

- url: remove dummy protocol handler

  Just two added checks were needed saves a whole handler struct.

  Closes #10727

Dan Fandrich (10 Mar 2023)

- CI: retry a failed brew update too, not just brew install

  Also, make sure an eventual failure ends up returning a failure code so
  the job stops.

Daniel Stenberg (10 Mar 2023)

- url: fix the SSH connection reuse check

  Reported-by: Harry Sintonen
  Closes #10735

- CURLOPT_PROXY.3: curl+NSS does not handle HTTPS over unix domain socket

  It results in error "NSS error -5985 (PR_ADDRESS_NOT_SUPPORTED_ERROR)"

  Disabled test 1470 for NSS builds and documented the restriction.

  Reported-by: Dan Fandrich
  Fixes #10723
  Closes #10734

- CURLSHOPT_SHARE.3: HSTS sharing is not thread-safe

  Reported-by: Hiroki Kurosawa
  Closes #10732

- telnet: only accept option arguments in ascii

  To avoid embedded telnet negotiation commands etc.

  Reported-by: Harry Sintonen
  Closes #10728

- test1903: test use of COOKIEFILE - reset - COOKIEFILE

  This also tests for the memory leak bug fixed by parent commit b559ef6f.

  Ref: #10694

  Closes https://github.com/curl/curl/pull/10712

Jay Satiro (10 Mar 2023)

- url: fix cookielist memleak when curl_easy_reset

  - Free set.cookelist in Curl_freeset instead of Curl_close.

  Prior to this change the cookielist linked list wasn't freed by
  curl_easy_reset which calls Curl_freeset to free all set.

  Bug: https://github.com/curl/curl/issues/10694#issuecomment-1458619157
  Reported-by: Sergey Ryabinin

  Closes https://github.com/curl/curl/pull/10709

Dan Fandrich (10 Mar 2023)

- tests: fix some keywords and unused sections

- tests: fix test1301 to call the right binary

  It was refactored in commit 480ac6e5 but this step was missed.

- tests: add timeout, SLOWDOWN and DELAY keywords to tests

  These are tests that are testing timing and end up being quite slow.

Daniel Stenberg (10 Mar 2023)

- RELEASE-NOTES: synced

Stefan Eissing (10 Mar 2023)

- wolfSSL: ressurect the BIO `io_result`

  In pytest'ing the situation occored that wolfSSL reported an
  IO error when the underlying BIO operation was returning an
  CURLE_AGAIN condition.

  Readding the `io_result` filter context member to detect such
  situations.

  Also, making sure that the returned CURLcode is initialized
  on all recv operations outcome.

  Closes #10716

- gssapi: align global `gss_OID_desc` vars to silence ld warnings on macOS vent
  ura

  Refs #9975 which first reported this.

  Closes #10718

Daniel Stenberg (10 Mar 2023)

- libssh2: only set the memory callbacks when debugging

  This makes us debug libssh2 less and libcurl more when for example
  running torture tests that otherwise will spend a lot of time in libssh2
  functions.

  We leave libssh2 to test libssh2.

  Closes #10721

- docs/SECURITY-PROCESS.md: updates

  - allow Low+Medium issues to be managed through plain PRs
  - update the bug-bounty part to reflect current reality

  Closes #10719

Dan Fandrich (9 Mar 2023)

- tests: fix tag markup issues in some tests

Marcel Raad (9 Mar 2023)

- tests: add `cookies` features

  These tests don't work with `--disable-cookies`.

  Closes https://github.com/curl/curl/pull/10713

- test420: add cookies keyword

  It fails with `--disable-cookies`.

  Closes https://github.com/curl/curl/pull/10713

Dan Fandrich (8 Mar 2023)

- CI: Add more labeler match patterns

  Also, add the  CI, tests or libcurl API tags in conjunction with any
  others that might also apply.

Andy Alt (9 Mar 2023)

- GHA: minor improvements to spellcheck

  Closes #10640

Daniel Stenberg (9 Mar 2023)

- test1671: fix after fix

- test421: -w %{header_json} test with multiple same header names

  To reproduce the issue in #10704

- tool_writeout_json. fix the output for duplicate header names

  Header entries with index != 0 are handled at the index 0 level so they
  should then be skipped when iterated over.

  Reported-by: Boris Okunskiy
  Fixes #10704
  Closes #10707

- headers: make curl_easy_header and nextheader return different buffers

  By letting curl_easy_header() and curl_easy_nextheader() store the
  header data in their own struct storage when they return a pointer to
  it, it makes it possible for applications to use them both in a loop.
  Like the curl tool does.

  Reported-by: Boris Okunskiy
  Fixes #10704
  Closes #10707

rcombs (8 Mar 2023)

- urlapi: take const args in _dup and _get functions

  Closes #10708

- urlapi: avoid mutating internals in getter routine

  This was not intended.

  Closes #10708

Daniel Stenberg (8 Mar 2023)

- urlapi: '%' is illegal in host names

  Update test 1560 to verify

  Ref: #10708
  Closes #10711

- ftp: make the 'ftpauth' a more normal 'char *'-array

  Closes #10703

Evgeny Grin (Karlson2k) (8 Mar 2023)

- doc: fix compiler warning in libcurl.m4

  Current test for curl_free() may produce warnings with strict compiler
  flags or even with default compiler flags with upcoming versions.
  These warning could turned into errors by -Werror or similar flags.
  Such warnings/errors are avoided by this patch.

  Closes #10710

Viktor Szakats (8 Mar 2023)

- misc: fix typos

  Closes #10706

Stefan Eissing (7 Mar 2023)

- ftp: active mode with SSL, add the damn filter

  - since 7.87.0 we lost adding the SSL filter for an active
    FTP connection that uses SSL. This leads to hangers and timeouts
    as reported in #10666.

  Reported-by: SandakovMM on github
  Fixes #10666
  Closes #10669

Daniel Stenberg (7 Mar 2023)

- docs: extend the URL API descriptions

  Closes #10701

Stefan Eissing (7 Mar 2023)

- url: fix logic in connection reuse to deny reuse on "unclean" connections

  - add parameter to `conn_is_alive()` cfilter method that returns
    if there is input data waiting on the connection
  - refrain from re-using connnection from the cache that have
    input pending
  - adapt http/2 and http/3 alive checks to digest pending input
    to check the connection state
  - remove check_cxn method from openssl as that was just doing
    what the socket filter now does.
  - add tests for connection reuse with special server configs

  Closes #10690

Daniel Stenberg (6 Mar 2023)

- x509asn1: use plain %x, not %lx, when the arg is an int

  Pointed out by Coverity.

  Closes #10689

Stefan Eissing (6 Mar 2023)

- http2: fix handling of RST and GOAWAY to recognize partial transfers

  - a reset transfer (HTTP/2 RST) did not always lead to the proper
    error message on receiving its response, leading to wrong reports
    of a successful transfer
  - test_05_02 was able to trigger this condition with increased transfer
    count. The simulated response errors did not carry a 'Content-Length'
    so only proper RST handling could detect the abort
  - When doing such transfers in parallel, a connection could enter the
    state where
    a) it had been closed (GOAWAY received)
    b) the RST had not been "seen" for the transfer yet
    or c) the GOAWAY announced an error and the last successful
    stream id was not checked against ongoing transfers

  Closes #10693

- tests: use dynamic ports numbers in pytest suite

  - necessary ports are bound at start of test suite and then
    given to server fixtures for use.
  - this make parallel use of pytest (in separate directories),
    practically safe for use as OS tend to not reuse such port numbers
    for a while

  Closes #10692

- connect: fix time_connect and time_appconnect timer statistics

  - time_connect was not updated when the overall connection failed,
    e.g. when SSL verification was unsuccessful, refs #10670
  - rework gather those values to interrogate involved filters,
    also from all eyeballing attempts, to report the maximum of
    those values.
  - added 3 test cases in test_06 to check reported values on
    successful, partially failed and totally failed connections.

  Reported-by: Master Inspire
  Fixes #10670
  Closes #10671

Daniel Stenberg (6 Mar 2023)

- test1905: update output cookie order

  After the #10685 update

- test420: verify expiring cookies

  Cookies that are loaded fine from a jar but then are expired in headers.

- cookie: don't load cookies again when flushing

  Reported-by: Sergio Mijatovic
  Fixes #10677
  Closes #10685

- RELEASE-NOTES: synced

Andy Alt (6 Mar 2023)

- docs: note '--data-urlencode' option

  Closes #10687

Daniel Stenberg (6 Mar 2023)

- DEPRECATE: the original legacy mingw version 1

  Remove completely in September 2023

  Closes #10667

Harry Sintonen (6 Mar 2023)

- rand: use arc4random as fallback when available

  Normally curl uses cryptographically strong random provided by the
  selected SSL backend. If compiled without SSL support, a naive built-in
  function was used instead.

  Generally this was okay, but it will result in some downsides for non-
  SSL builds, such as predictable temporary file names.

  This change ensures that arc4random will be used instead, if available.

  Closes #10672

Grisha Levit (6 Mar 2023)

- tool: dump headers even if file is write-only

  The fixes in #10079 brought a (seemingly unrelated) change of open mode
  from `wb`/`ab` to `wb+`/`ab+` for the headerfile. This makes it no
  longer possible to write the header file to e.g. a pipe, like:

      curl -D >(grep ...) file:///dev/null

  Which presently results in `Warning: Failed to open /dev/fd/63`

  See #10079
  Closes #10675

Jay Satiro (6 Mar 2023)

- tests: fix gnutls-serv check

  - If gnutls-serv doesn't exist then don't try to execute it.

  Follow-up to 2fdc1d81.

  Closes https://github.com/curl/curl/pull/10688

Daniel Stenberg (6 Mar 2023)

- lib1560: fix enumerated type mixed with another type

  Follow-up to c84c0f9aa3bb006

  Closes #10684

Viktor Szakats (5 Mar 2023)

- cmake: fix enabling LDAPS on Windows

  Before this patch, enabling LDAPS required a manual C flag:
  https://github.com/curl/curl-for-win/blob/c1cfc31cfc04f24f7a4f946564d6f0e1b4d
  7dd36/curl-cmake.sh#L105

  Fix this and enable LDAPS automatically when using `wldap32` (and
  when not explicitly disabled). This matches autotools and `Makefile.mk`
  behavior. Also remove issue from KNOWN_BUGS.

  Add workaround for MSVS 2010 warning triggered by LDAPS now enabled
  in more CI tests:
  `ldap.c(360): warning C4306: 'type cast' : conversion from 'int' to 'void *' 
  of greater size`
  Ref: https://ci.appveyor.com/project/curlorg/curl/builds/46408284/job/v8mwl9y
  fbmoeqwlr#L312

  Reported-by: JackBoosY on github
  Reviewed-by: Jay Satiro
  Reviewed-by: Marcel Raad
  Fixes #6284
  Closes #10674

- Makefile.mk: delete redundant `HAVE_LDAP_SSL` macro [ci skip]

  Since abebb2b8939c6b3e0f951eb2d9ec3729b569aa2c, we set this macro for
  all Windows `wldap32` builds using `Makefile.mk`.

  For OpenLDAP builds this macro is not enough to enable LDAPS, and
  OpenLDAP is not an option in `Makefile.mk`. For Novell LDAP it might
  have helped, but it's also not an option anymore in `Makefile.mk`.

  The future for LDAPS is that we should enable it by default without
  extra build knobs.

  Reviewed-by: Marcel Raad
  Closes #10681

- cmake: skip CA-path/bundle auto-detection in cross-builds

  Also remove issue from KNOWN_BUGS.

  Reported-by: Cristian Morales Vega
  Reviewed-by: Marcel Raad
  Fixes #6178
  Closes #10676

Daniel Stenberg (3 Mar 2023)

- schannel: loop over the algos to pick the selected one

  Avoid using the funny macro and the extra buffer copy.

  Closes #10647

- wildcard: remove files and move functions into ftplistparser.c

- ftp: allocate the wildcard struct on demand

  The feature is rarely used so this frees up data for the vast majority
  of easy handles that don't use it.

  Rename "protdata" to "ftpwc" since it is always an FTP wildcard struct
  pointer. Made the state struct field an unsigned char to save space.

  Closes #10639

- lib1560: test parsing URLs with ridiculously large fields

  In the order of 120K.

  Closes #10665

Brad Spencer (3 Mar 2023)

- urlapi: parse IPv6 literals without ENABLE_IPV6

  This makes the URL parser API stable and working the same way
  independently of libcurl supporting IPv6 transfers or not.

  Closes #10660

Jan Engelhardt (3 Mar 2023)

- build: drop the use of XC_AMEND_DISTCLEAN

  Because automake used to delete depdirs at once (.deps) and there was an issu
  e
  with portability, curl's XC_AMEND_DISTCLEAN greps the Makefiles in an attempt
  to build a list of all depfiles and delete them individually instead.

  Since commit 08849db866b44510f6b8fd49e313c91a43a3dfd3, automake switched from
  deleting directories to individual files. curl's custom logic now finds a lot
  more results with the grep (the filtering of these results isn't great), whic
  h
  causes a massive bloating of the Makefile in the order of O(n^2).

  Also remove now-unused XC_AMEND_DISTCLEAN macro group

  References: https://github.com/curl/curl/issues/9843
  References: https://debbugs.gnu.org/cgi/bugreport.cgi?bug=59288

  Reported-by: Ilmari Lauhakangas
  Fixes #9843
  Closes #10661

Balakrishnan Balasubramanian (3 Mar 2023)

- test1470: test socks proxy using unix sockets and connect to https

  Similar to test1468 except using https instead of http

  Closes #10662

Daniel Stenberg (3 Mar 2023)

- test1960: verify CURL_SOCKOPT_ALREADY_CONNECTED

  When returned from the CURLOPT_SOCKOPTFUNCTION, like when we have a
  custom socket connected in the app, passed in to libcurl.

  Verifies the fix in #10648

  Closes #10651

Stefan Eissing (2 Mar 2023)

- tests: rename tests/tests-httpd to tests/http

   - httpd is only one server we test with
   - the suite coveres the HTTP protocol in general where
     the default test cases need a more beefy environment

  Closes #10654

- socket: detect "dead" connections better, e.g. not fit for reuse

  - refs #10646 where reuse was attempted on closed connections in the
    cache, leading to an exhaustion of retries on a transfer
  - the mistake was that poll events like POLLHUP, POLLERR, etc
    were regarded as "not dead".
  - change cf-socket filter check to regard such events as inidication
    of corpsiness.
  - vtls filter checks: fixed interpretation of backend check result
    when inconclusive to interrogate status further down the filter
    chain.

  Reported-by: SendSonS on github
  Fixes #10646
  Closes #10652

- lib: give source files cf-http.* better fitting names

  Closes #10656

- http2: fix code indent

  Closes https://github.com/curl/curl/pull/10655

Shankar Jadhavar (1 Mar 2023)

- cf-socket: if socket is already connected, return CURLE_OK

  In 7.87.0, if callback method for CURLOPT_SOCKOPTFUNCTION returns
  CURL_SOCKOPT_ALREADY_CONNECTED then curl library used to return
  CURLE_OK.  n 7.88.0, now even if callback returns
  CURL_SOCKOPT_ALREADY_CONNECTED, curl library still tries to connect to
  socket by invoking method do_connect().

  This is regression caused by commit
  https://github.com/curl/curl/commit/71b7e0161032927cdfb

  Fix: Check if we are already connected and return CURLE_OK.

  Fixes #10626
  Closes #10648

Jay Satiro (1 Mar 2023)

- DYNBUF.md: note Curl_dyn_add* calls Curl_dyn_free on failure

  This is the existing behavior and it has been widely assumed in the
  codebase.

  Closes https://github.com/curl/curl/pull/10645

Stefan Eissing (1 Mar 2023)

- http2: fix upload busy loop

  - Set KEEP_SEND_PAUSE when exhausting remote HTTP/2 window size of a
    stream.

  - Clear KEEP_SEND_PAUSE when receiving HTTP/2 window updates on a paused
    stream.

  - Also fix http2 send compiler warnings reported in #10449.

  Prior to this change, starting in 71b7e016 which precedes 7.88.0,
  libcurl may eat CPU during HTTP/2 upload.

  Reported-by: Jay Satiro

  Fixes https://github.com/curl/curl/issues/10449
  Fixes https://github.com/curl/curl/issues/10618
  Closes https://github.com/curl/curl/pull/10627

Daniel Stenberg (1 Mar 2023)

- sectransp: make read_cert() use a dynbuf when loading

  Closes #10632

Jay Satiro (1 Mar 2023)

- transfer: limit Windows SO_SNDBUF updates to once a second

  - Change readwrite_upload() to call win_update_buffer_size() no more
    than once a second to update SO_SNDBUF (send buffer limit).

  Prior to this change during an upload readwrite_upload() could call
  win_update_buffer_size() anywhere from hundreds of times per second to
  an extreme test case of 100k per second (which is likely due to a bug,
  see #10618). In the latter case WPA profiler showed
  win_update_buffer_size was the highest capture count in
  readwrite_upload. In any case the calls were excessive and unnecessary.

  Ref: https://github.com/curl/curl/pull/2762

  Closes https://github.com/curl/curl/pull/10611

Daniel Stenberg (28 Feb 2023)

- RELEASE-NOTES: synced

Stefan Eissing (28 Feb 2023)

- http2: fix for http2-prior-knowledge when reusing connections

  - refs #10634 where errors in the HTTP/2 framing layer are observed.
  - the bug was that on connection reuse, the code attempted to switch
    in yet another layer of HTTP/2 handling instead of detecting that
    this was already in place.
  - added pytest testcase reproducing the issue.

  Reported-by: rwmjones on github
  Fixes #10634
  Closes #10643

- cf-socket: fix handling of remote addr for accepted tcp sockets

  - do not try to determine the remote address of a listen socket. There
    is none.
  - Update remote address of an accepted socket by getpeername() if
    available.

  Reported-by: Harry Sintonen
  Fixes #10622
  Closes #10642

- http: fix unix domain socket use in https connects

  - when h2/h3 eyeballing was involved, unix domain socket
    configurations were not honoured
  - configuring --unix-socket will disable HTTP/3 as candidate for eyeballing
  - combinatino of --unix-socket and --http3-only will fail during initialisati
  on
  - adding pytest test_11 to reproduce

  Reported-by: Jelle van der Waa
  Fixes #10633
  Closes #10641

Daniel Stenberg (28 Feb 2023)

- setopt: move the CURLOPT_CHUNK_DATA pointer to the set struct

  To make duphandle work etc

  Closes #10635

Viktor Szakats (28 Feb 2023)

- quic/schannel: fix compiler warnings

  Fixes #10603
  Closes #10616

Daniel Stenberg (28 Feb 2023)

- page-footer: add explanation for three missing exit codes

  Added in 7.73.0, 7.77.0 and 7.84.0

  Closes #10630

積丹尼 Dan Jacobson (28 Feb 2023)

- rate.c: single URLs make no sense in --rate example

  Here somehow you need to put more than one URL in these examples, else
  they will make no sense, as --rate only affects the second and beyond
  URLs. The first URL will always finish the same time no matter what
  --rate is given.

  Closes #10638

Daniel Stenberg (28 Feb 2023)

- libcurl-errors.3: add the CURLHcode errors from curl_easy_header.3

  Closes #10629

- mqtt: on send error, return error

  Reported-by: Maciej Domanski

  Closes #10623

- ws: keep the socket non-blocking

  Reported-by: marski on github
  Fixes #10615
  Closes #10625

- hostip: avoid sscanf and extra buffer copies

  Also made create_hostcache_id() return the id length.

  Closes #10601

- PARALLEL-TRANSFERS.md: not "early days" for this anymore

  Refresh the language as the support is now over three years old

  Closes #10624

- easy: remove infof() debug leftover from curl_easy_recv

  It said "reached [path]/easy.c:1231"

  Closes #10628

- idn: return error if the conversion ends up with a blank host

  Some IDN sequences are converted into "" (nothing), which can make this
  function end up with a zero length host name and we cannot consider that
  a valid host to continue with.

  Reported-by: Maciej Domanski
  Closes #10617

- examples/http3.c: use CURL_HTTP_VERSION_3

  and update the comment

  Closes #10619

- x509asn1.c: use correct format specifier for infof() call

  Detected by Coverity

  Closes #10614

- Revert "GHA: add Microsoft C++ Code Analysis"

  This reverts commit e0db842b2a082dffad4a9fbe31321e9a75c74041.

  This tool seems very restricted in how often it might be used by a
  project and thus very quickly start to report fails simply because it
  refuses to run when "there are more runs than allowed".

  Closes #10613

Patrick Monnerat (25 Feb 2023)

- tests: test secure mail protocols with explicit SSL requests

  New tests 987, 988 and 989, disabled for rustls (hanging).

  Closes #10077

- tests: support for imaps/pop3s/smtps protocols

  Closes #10077

- runtests: use a hash table for server port numbers

  Closes #10077

Andy Alt (25 Feb 2023)

- INTERNALS.md: grammar

  Closes #10607

Daniel Stenberg (25 Feb 2023)

- RELEASE-NOTES: synced

Philip Heiduck (25 Feb 2023)

- .cirrus.yml: Bump to FreeBSD 13.2

  Closes #10270

- ngtcp2-gnutls.yml: bump to gnutls 3.8.0

  Closes #10507

- CI: update ngtcp2 and nghttp2 for pytest

  Follow-up: https://github.com/curl/curl/commit/5c9ee8cef4b351a085b440f8178500
  124647f8e6

  Closes #10508

Andy Alt (25 Feb 2023)

- GHA: use same flags for Slackbuild as Slack package

  Closes #10526

Daniel Stenberg (24 Feb 2023)

- rtsp: avoid sscanf for parsing

  Closes #10605

- http_proxy: parse the status line without sscanf

  Closes #10602

- telnet: error correctly for WS set to "x[num]"

  Follow-up to e4f93be9d587
  Reported-by: Harry Sintonen
  Closes #10606

- krb5: avoid sscanf for parsing

  Closes #10599

- misc: remove support for curl_off_t < 8 bytes

  Closes #10597

- telnet: parse NEW_ENVIRON without sscanf

  Closes #10596

- telnet: parse the WS= argument without sscanf

  Closes #10596

- telnet: parse telnet options without sscanf

  Closes #10596

- ftp: replace sscanf for MDTM 213 response parsing

  Closes #10590

- ftp: replace sscanf for PASV parsing

  Closes #10590

- ftp: make the EPSV response parser not use sscanf

  Closes #10590

Stefan Eissing (24 Feb 2023)

- ngtcp2: fix unwanted close of file descriptor 0

  ... causing macOS to hand out 0 as next socket handle and failing on
  further operations.

  Reported-by: Sergey Fionov
  Fixes #10593
  Closes #10595

Daniel Stenberg (23 Feb 2023)

- select: stop treating POLLRDBAND as an error

  POLLRDBAND does not seem to be an general error and on Windows the value
  for POLLIN is 768 and the value for POLLRDBAND is 512.

  Fixes #10501
  Reported-by: opensslonzos-github on github
  Closes #10592

- test978: mark file as text mode

  Follow-up to 4ea5702980cb

  To fix test failures on Windows

  Closes #10594

- http: rewrite the status line parser without sscanf

  Closes #10585

- test978: verify that --stderr works for -w's stderr as well

Jay Satiro (23 Feb 2023)

- curl: make -w's %{stderr} use the file set with --stderr

  Reported-by: u20221022 on github
  Fixes #10491
  Closes #10569

- winbuild: fix makefile clean

  - Fix and move 'clean' code that removes the output and obj directories
    trees from MakefileBuild.vc to Makefile.vc.

  Prior to this change the 'clean' code did not work right because the
  variables containing the directory names were not fully initialized and
  the rmdir syntax was sometimes incorrect (typos). DIRDIST for example
  was set to ..\builds\ and not ..\builds\$(CONFIG_NAME_LIB)\ so it would
  remove the former and not the latter. If WITH_PREFIX was set then that
  directory was removed instead.

  Also, DIRDIST (the output directory) even if initialized should not be
  removed by MakefileBuild.vc because by that time it could be set to a
  user directory that may contain other files if WITH_PREFIX is set (eg we
  don't want rmdir /s /q C:\usr\local). Therefore we remove from
  Makefile.vc before any of that happens. I added a comment in both
  makefiles explaining this.

  Closes https://github.com/curl/curl/pull/10576

- sectransp: fix compiler warning c89 mixed code/declaration

  Since cbf57176 the Cirrus CI 'macOS arm64 SecureTransport http2' has
  been failing due to c89 warnings mixed code/declaration. That commit is
  not the cause so I assume something has changed in the CI outside of our
  configuration. Anyway, we don't mix code/declaration so this is the fix
  for that.

  Closes https://github.com/curl/curl/pull/10574

Philipp Engel (22 Feb 2023)

- BINDINGS: add Fortran binding

  Closes #10589

Stefan Eissing (22 Feb 2023)

- test2600: detect when ALARM_TIMEOUT is in use and adjust

  - use higher timeout values > 1s
  - skip duration checks

  Assisted-by: Marcel Raad
  Closes #10513

Daniel Stenberg (22 Feb 2023)

- RELEASE-NOTES: synced

- test686: verify return code for no URL after --next

- tool_operate: propagate error codes for missing URL after --next

  Fixes #10558
  Reported-by: u20221022 on github
  Closes #10580

- test1278: verify that an extra --no-remote-name cause no warning

- tool_getparam: don't add a new node for just --no-remote-name

  Unless --remote-name-all is used.

  Fixes #10564
  Reported-by: u20221022 on github
  Closes #10582

- gen.pl: add '%GLOBALS' as a variable for mainpage

  And use it in page-header to list all global command line options.

- docs/cmdline-opts: mark all global options

  gen.pl now outputs a generic explanations for them for each option

  Fixes #10566
  Reported-by: u20221022 on github
  Closes #10584

- GHA: add Microsoft C++ Code Analysis

  Closes #10583

- tool_progress: shut off progress meter for --silent in parallel

  Reported-by: finkjsc on github
  Fixes #10573
  Closes #10579

- lib1560: add a test using %25 in the userinfo in a URL

  Closes #10578

Stefan Eissing (21 Feb 2023)

- CURLOPT_PIPEWAIT: allow waited reuse also for subsequent connections

  As tested in test_02_07, when firing off 200 urls with --parallel, 199
  wait for the first connection to be established. if that is multiuse,
  urls are added up to its capacity.

  The first url over capacity opens another connection. But subsequent
  urls found the same situation and open a connection too. They should
  have waited for the second connection to actually connect and make its
  capacity known.

  This change fixes that by

  - setting `connkeep()` early in the HTTP setup handler. as otherwise
    a new connection is marked as closeit by default and not considered
    for multiuse at all
  - checking the "connected" status for a candidate always and continuing
    to PIPEWAIT if no alternative is found.

  pytest:
  - removed "skip" from test_02_07
  - added test_02_07b to check that http/1.1 continues to work as before

  Closes #10456

Daniel Stenberg (21 Feb 2023)

- test419: verify --dump-header to file that cannot be created

  Closes #10571

- tool_operate: avoid fclose(NULL) on bad header dump file

  Fixes #10570
  Reported-by: Jérémy Rabasco
  Closes #10571

- RELEASE-NOTES: synced

  Starting the journey towards 8.0.0

- cookie: parse without sscanf()

  Saves us from using 2*4096 bytes buffers on stack, the extra copies and
  more.

  Closes #10550

- lib517: verify time stamps without leading zeroes plus some more

- parsedate: replace sscanf( for time stamp parsing

  Closes #10547

- parsedate: parse strings without using sscanf()

  - sscanf is slow and complex, avoid it
  - give up already if the string is 12 bytes or longer as no valid string
    can be that long
  - this can now be done without copy

  Closes #10547

Matt Jolly (20 Feb 2023)

- tests: HTTP server fixups

  - httpserver.pl -> http-server.pl for consistency
  - add http3-server.pl to EXTRA_DIST; alphabetise for maintainability
  - nghttpx proxy invocation scripts should not use getcwd

  Closes #10568

Version 7.88.1 (20 Feb 2023)

Daniel Stenberg (20 Feb 2023)

- RELEASE-NOTES: synced

  7.88.1 release

- THANKS: add contributors from 7.88.1

- socketpair: allow EWOULDBLOCK when reading the pair check bytes

  Reported-by: Gunamoi Software
  Co-authored-by: Jay Satiro
  Fixes #10561
  Closes #10562

Jay Satiro (18 Feb 2023)

- tool_operate: fix scanbuild compiler warning

  Prior to this change Azure CI scanbuild warned of a potential NULL
  pointer string passed to strtol when CURLDEBUG enabled, even though the
  way the code was written it wouldn't have happened.

  Bug: https://github.com/curl/curl/commit/5479d991#r101159711
  Reported-by: Marcel Raad

  Closes https://github.com/curl/curl/pull/10559

- curl_setup: Suppress OpenSSL 3 deprecation warnings

  - Define OPENSSL_SUPPRESS_DEPRECATED.

  OpenSSL 3 has deprecated some of the functions libcurl uses such as
  those with DES, MD5 and ENGINE prefix. We don't have replacements for
  those functions so the warnings were disabled in autotools and cmake
  builds, but still showed in other builds.

  Closes https://github.com/curl/curl/pull/10543

- build-openssl.bat: keep OpenSSL 3 engine binaries

  Prior to this change copying the OpenSSL 3 engine binaries failed
  because 'engines-1_1' (OpenSSL 1.1.x folder name) was erroneously used
  instead of 'engines-3'. The OpenSSL 3 builds would complete successfully
  but without the engine binaries.

  Closes https://github.com/curl/curl/pull/10542

ALittleDruid (18 Feb 2023)

- cmake: fix Windows check for CryptAcquireContext

  Check for CryptAcquireContext in windows.h and wincrypt.h only, since
  otherwise this check may fail due to third party headers not found.

  Closes https://github.com/curl/curl/pull/10353

Daniel Stenberg (19 Feb 2023)

- remote-header-name.d: mention that filename* is not supported

  and that you can use --clobber to allow overwriting.

  Ref: #10533
  Closes #10555

  Co-authored-by: Jay Satiro <raysatiro@yahoo.com>

Pierrick Charron (18 Feb 2023)

- CURLOPT_WS_OPTIONS.3: fix the availability version

  Closes #10557

Jacob Hoffman-Andrews (18 Feb 2023)

- GHA: update rustls dependency to 0.9.2

  This allows re-enabling test 312 for the rustls backend.

  Closes #10553

Philip Heiduck (18 Feb 2023)

- HTTP3.md: update git branches

  Closes #10554

Stefan Eissing (17 Feb 2023)

- urldata: remove `now` from struct SingleRequest - not needed

  Closes #10549

Daniel Stenberg (17 Feb 2023)

- lib1560: add IPv6 canonicalization tests

  Closes #10552

- RELEASE-NOTES: synced

- urlapi: do the port number extraction without using sscanf()

  - sscanf() is rather complex and slow, strchr() much simpler

  - the port number function does not need to fully verify the IPv6 address
    anyway as it is done later in the hostname_check() function and doing
    it twice is unnecessary.

  Closes #10541

Stefan Eissing (17 Feb 2023)

- setopt: allow HTTP3 when HTTP2 is not defined

  Reported-by: Karthikdasari0423 on github
  Fixes #10538
  Closes #10544

Jon Rumsey (17 Feb 2023)

- os400: correct Curl_os400_sendto()

  Add const qualifier to 5th argument of Curl_os400_sendto()

  Make OS400 wrapper for sendto match the normal prototype of sendto()
  with a const qualifier.

  Fixes #10539
  Closes #10548

Stefan Eissing (17 Feb 2023)

- tests-httpd: add proxy tests

  for direct and tunneling checks on http: and https:

  Closes #10519

Daniel Stenberg (17 Feb 2023)

- curl: make --silent work stand-alone

  - renamed the struct field to 'silent' to match the cmdline option
  - make --show-error toggle independently of --silent
  - make --silent independent of ->noprogress as well

  By doing this, the three options --silent, --no-progress-meter and
  --show-error should work independently of each other and also work with
  and without '--no-' prefix as documented.

  Reported-by: u20221022 on github
  Fixes #10535
  Closes #10536

- socks: allow using DoH to resolve host names

  For SOCKS modes where a local host resolve is done.

  It was previously disabled in 12d655d4561, but a few local tests seem to
  indicate that it works fine. Works now because of the SOCKS refactor of
  4a4b63daaa01ef59 that made it non-blocking.

  Reported-by: roughtex on github
  Fixes #10537
  Closes #10540

Stefan Eissing (17 Feb 2023)

- test: add test for HTTP/2 corruption as reported in #10525

  - adding test_02_20 for reproducing the situation
  - using recently released mod_h2 Apache module
  - skipping test if an older version is installed
  - adding installation of current mod_h2 to github pytest workflow

  This reproduces the error reliable (for me) on the lib/http2.c version
  of curl 7.88.0. And passes with the recent curl master.

  Closes #10534

Daniel Stenberg (16 Feb 2023)

- tool_operate: allow debug builds to set buffersize

  Using the CURL_BUFFERSIZE environment variable.

  Closes #10532

Stefan Eissing (16 Feb 2023)

- connnect: fix timeout handling to use full duration

  - connect timeout was used at half the configured value, if the
    destination had 1 ip version 4 and other version 6 addresses
    (or the other way around)
  - extended test2600 to reproduce these cases

  Reported-by: Michael Kaufmann
  Fixes #10514
  Closes #10517

Daniel Stenberg (16 Feb 2023)

- tool_getparam: make --get a true boolean

  To match how it is documented in the man page.

  Fixes #10527
  Reported-by: u20221022 on github
  Closes #10531

Harry Sintonen (16 Feb 2023)

- http:: include stdint.h more readily

  Closes #10516

Stefan Eissing (16 Feb 2023)

- tests: make the telnet server shut down a socket gracefully

  - test 1452 failed occasionally with ECONNRESET errnos in curl when the
    server closed the connection in an unclean state.

  Closes #10509

Harry Sintonen (16 Feb 2023)

- http2: set drain on stream end

  Ensure that on_frame_recv() stream end will trigger a read if there is
  pending data. Without this it could happen that the pending data is
  never consumed.

  This combined with https://github.com/curl/curl/pull/10529 should fix
  https://github.com/curl/curl/issues/10525

  Ref: https://github.com/curl/curl/issues/10525
  Closes #10530

Stefan Eissing (16 Feb 2023)

- http2: buffer/pausedata and output flush fix.

   * do not process pending input data when copying pausedata to the
     caller
   * return CURLE_AGAIN if the output buffer could not be completely
     written out.

  Ref: #10525
  Closes #10529

Marcel Raad (16 Feb 2023)

- krb5: silence cast-align warning

  Add an intermediate cast to `void *`, as done everywhere else when
  casting from `sockaddr *` to `sockaddr_in *`.

  Closes https://github.com/curl/curl/pull/10528

Daniel Stenberg (15 Feb 2023)

- RELEASE-NOTES: synced

  bumped to 7.88.1

- tests: make sure gnuserv-tls has SRP support before using it

  Reported-by: fundawang on github
  Fixes #10522
  Closes #10524

- runtests: fix "uninitialized value $port"

  by using a more appropriate variable

  Reported-by: fundawang on github
  Fixes #10518
  Closes #10520

Version 7.88.0 (15 Feb 2023)

Daniel Stenberg (15 Feb 2023)

- RELEASE-NOTES: synced

  7.88.0 release

- THANKS: added contributors from 7.88.0

- openssl: rename 'errcode_t' to 'sslerr_t'

  Turns out "/usr/include/et/com_err.h" typedefs this type (without proper
  variable scoping).

  comerr is the "common error description library" that apparently might be use
  d
  by krb5 code, which then makes this header get used in a curl build.

  Reported-by: Bruno Henrique Batista Cruz da Silva
  Fixed #10502
  Closes #10500

Dan Fandrich (13 Feb 2023)

- CONTRIBUTE: More formally specify the commit description

  This codifies what people have actually used in git commits over the
  past 6 years. I've left off some lesser-used headers that appear to
  duplicate others and tried to describe a consistent use for several
  others that were used more arbitrarily.

  This makes it easier for new committers to find out the kinds of things
  we want to acknowledge, makes it easier to perform statistical analysis
  on commits, and opens the possibility of performing lint checks on
  descriptions before submission.

  Reviewed-by: Daniel Stenberg
  Reviewed-by: Jay Satiro

  Closes #10478

Stefan Eissing (13 Feb 2023)

- openssl: test and fix for forward proxy handling (non-tunneling).

  - adding pytest test_10 cases for proxy httpd setup tests
  - fixing openssl bug in https: proxy hostname verification that
    used the hostname of the request and not the proxy name.

  Closes #10498

Daniel Stenberg (13 Feb 2023)

- cmdline-opts/Makefile: on error, do not leave a partial

  And support 'make V=1' to show the full command line

  Closes #10497

- curl.1: make help, version and manual sections "custom"

  Instead of using "multi: boolean", as these are slightly special as in
  they do are not enable/disable ones.

  Fixes #10490
  Reported-by: u20221022 on github
  Closes #10497

Stefan Eissing (13 Feb 2023)

- tests: add tests for HTTP/2 and HTTP/3 to verify the header API

  Test 2403 and 2503 check "header_json" output and therefore use of
  header-api

  Closes #10495

Philip Heiduck (13 Feb 2023)

- CI: update wolfssl / wolfssh to 5.5.4 / 1.4.12

  Closes #10493

Daniel Stenberg (13 Feb 2023)

- KNOW_BUGS: cleanups with some changed to TODOs

  - remove "Excessive HTTP/2 packets with TCP_NODELAY"

    This is not a bug. Rather room for improvement.

  I believe these have been fixed:

  - 17.4 Connection failures with parallel HTTP/2
  - 17.5 HTTP/2 connections through HTTPS proxy frequently stall

  - remove "FTPS needs session reuse"

  That is still true, but curl should also do session reuse now.

  - remove "ASCII FTP"

  It is documented behavior, and not single user has asked for extended
  functionality here the last decade or so.

  - remove "Passive transfer tries only one IP address"

  add as a TODO

  - remove "DoH leaks memory after followlocation"

  With a recipe on how to reproduce, this is pointless to keep around

  - remove "DoH does not inherit all transfer options"

  add it as a TODO

  Closes #10487

Tatsuhiro Tsujikawa (13 Feb 2023)

- GHA: bump ngtcp2 workflow dependencies

  Closes #10494

Patrick Monnerat (13 Feb 2023)

- content_encoding: do not reset stage counter for each header

  Test 418 verifies

  Closes #10492

Daniel Stenberg (13 Feb 2023)

- RELEASE-NOTES: synced

Jay Satiro (13 Feb 2023)

- multi: stop sending empty HTTP/3 UDP datagrams on Windows

  - Limit the 0-sized send procedure that is used to reset a SOCKET's
    FD_WRITE to TCP sockets only.

  Prior to this change the reset was used on UDP sockets as well, but
  unlike TCP sockets a 0-sized send actually sends out a datagram.

  Assisted-by: Marc Hörsken

  Ref: https://github.com/curl/curl/pull/9203

  Fixes https://github.com/curl/curl/issues/9086
  Closes https://github.com/curl/curl/pull/10430

Viktor Szakats (12 Feb 2023)

- h3: silence compiler warnings

  Reviewed-by: Daniel Stenberg
  Fixes #10485
  Closes #10486

Daniel Stenberg (12 Feb 2023)

- smb: return error on upload without size

  The protocol needs to know the size ahead of time, this is now a known
  restriction and not a bug.

  Also output a clearer error if the URL path does not contain proper
  share.

  Ref: #7896
  Closes #10484

Viktor Szakats (12 Feb 2023)

- windows: always use curl's basename() implementation

  The `basename()` [1][2] implementation provided by mingw-w64 [3] makes
  assumptions about input encoding and may break with non-ASCII strings.

  `basename()` was auto-detected with CMake, autotools and since
  68fa9bf3f5d7b4fcbb57619f70cb4aabb79a51f6 (2022-10-13), also in
  `Makefile.mk` after syncing its behaviour with the mainline build
  methods. A similar patch for curl-for-win broke official Windows
  builds earlier, in release 7.83.1_4 (2022-06-15).

  This patch forces all Windows builds to use curl's internal
  `basename()` implementation to avoid such problems.

  [1]: https://pubs.opengroup.org/onlinepubs/9699919799/utilities/basename.html
  [2]: https://www.man7.org/linux/man-pages/man3/basename.3.html
  [3]: https://sourceforge.net/p/mingw-w64/mingw-w64/ci/master/tree/mingw-w64-c
  rt/misc/basename.c

  Reported-by: UnicornZhang on Github
  Assisted-by: Cherish98 on Github
  Reviewed-by: Daniel Stenberg

  Fixes #10261
  Closes #10475

Philip Heiduck (12 Feb 2023)

- Linux CI: Bump rustls-ffi to v0.9.1

  Closes #10476

Daniel Stenberg (12 Feb 2023)

- libtest: build lib2305 with multibyte as well

  Fixes a build regression.

  Follow-up to 5a9a04d5567
  Reported-by: Viktor Szakats
  Ref: https://github.com/curl/curl/pull/10475#issuecomment-1426831800

  Closes #10477

Dmitry Atamanov (12 Feb 2023)

- cmake: fix dev warning due to mismatched arg

  The package name passed to find_package_handle_standard_args (BROTLI)
  does not match the name of the calling package (Brotli). This can lead
  to problems in calling code that expects find_package result variables
  (e.g., _FOUND) to follow a certain pattern.

  Closes https://github.com/curl/curl/pull/10471

James Keast (11 Feb 2023)

- setopt: Address undefined behaviour by checking for null

  This addresses undefined behaviour found using clang's UBsan:

  curl/lib/setopt.c:177:14: runtime error: applying non-zero offset 1 to null p
  ointer
  SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior curl/lib/setopt.c:177
  :14 in

  Closes #10472

Jacob Hoffman-Andrews (11 Feb 2023)

- rustls: improve error messages

  Changes numeric error codes into verbose error codes in two places.
  Adds a prefix indicating that the error came from rustls, and in some
  places which function it came from.

  Adds special handling for RUSTLS_RESULT_UNEXPECTED_EOF, since the
  default message of "Unexpected EOF" is insufficiently explanatory.

  Closes #10463

Daniel Stenberg (11 Feb 2023)

- openssl: remove dead code

  Follow-up to e8b00fcd6a

  Due to the new 'if(!nonblocking)' check on the block a level above,
  there is no need to check for it again within the same conditional.

  Detected by Coverity

  Closes #10473

- ngtcp2: replace removed define and stop using removed function

  They were removed upstream.

  Reported-by: Karthikdasari0423 on github
  Fixes #10469
  Closes #10474

- scripts/delta: show percent of number of files changed since last tag

- RELEASE-NOTES: synced

Stefan Eissing (10 Feb 2023)

- pytest: add a test case for PUSH related things.

  - checking that "103 Early Hints" are visible in curl's header dump file

  Closes #10452

Gregory Panakkal (10 Feb 2023)

- WEBSOCKET.md: typo

  Fixing missing slash for ws protocol scheme

  Closes #10464

Stefan Eissing (10 Feb 2023)

- vquic: stabilization and improvements

  vquic stabilization
  - udp send code shared between ngtcp2 and quiche
  - quiche handling of data and events improved

  ngtcp2 and pytest improvements
  - fixes handling of "drain" situations, discovered in scorecard
    tests with the Caddy server.
  - improvements in handling transfers that have already  data or
    are already closed to make an early return on recv

  pytest
  - adding caddy tests when available

  scorecard improvemnts.
  - using correct caddy port
  - allowing tests for only httpd or caddy

  Closes #10451

Philip Heiduck (10 Feb 2023)

- Linux CI: update some dependecies to latest tag

  Closes #10458

Daniel Stenberg (10 Feb 2023)

- test2305: send 3 frames, 4097 bytes each, as one message

  Receive them using a 256 bytes buffer in a loop.

- ws: fix recv of larger frames

   + remove 'oleft' from the struct
   + deal with "overflow data" in a separate dynbuf

  Reported-by: Mike Duglas
  Fixes #10438
  Closes #10447

- curl/websockets.h: extend the websocket frame struct

- sws: fix typo, indentation add more ws logging

- test2304: remove stdout verification

  This cripples the test somewhat but the check was bad since depending on
  timing it could exit before the output was done, making the test flaky.

Dan Fandrich (9 Feb 2023)

- CI: Add more labeler match patterns

- CI: Retry failed downloads to reduce spurious failures

  A temporary error with a remote server shouldn't cause a CI run to fail.
  Also, put a cap on the time to download to fail faster on a misbehaving
  server or connection and use HTTP compression where possible to reduce
  download times.

Daniel Stenberg (9 Feb 2023)

- no-clobber.d: only use long form options in man page text

  ... since they are expanded and the short-form gets mentioned
  automatically so if the short form is mentioned as well, it gets
  repeated.

  Fixes #10461
  Closes #10462
  Reported-by: Dan Fandrich

- GHA: enable websockets in the torture job

  Closes #10448

- header.d: add a header file example

  Closes #10455

Stefan Eissing (9 Feb 2023)

- HTTP/[23]: continue upload when state.drain is set

  - as reported in #10433, HTTP/2 uploads may stall when a response is
    received before the upload is done. This happens when the
    data->state.drain is set for such a transfer, as the special handling
    in transfer.c from then on only cared about downloads.
  - add continuation of uploads, if applicable, in this case.
  - add pytest case test_07_12_upload_seq_large to reproduce this scenario
    (although, current nghttp2 implementation is using drain less often)

  Reported-by: Lucas Pardue

  Fixes #10433
  Closes #10443

- http2: minor buffer and error path fixes

  - use memory buffer in full available size
  - fail receive of reset/errored streams early

  pytest:
  - make test_05 error cases more reliable

  Closes #10444

Federico Pellegrin (9 Feb 2023)

- openldap: fix missing sasl symbols at build in specific configs

  If curl is built with openldap support (USE_OPENLDAP=1) but does not
  have also some other protocol (IMAP/SMTP/POP3) enabled that brings
  in Curl_sasl_* functions, then the build will fail with undefined
  references to various symbols:

  ld: ../lib/.libs/libcurl.so: undefined reference to `Curl_sasl_decode_mech'
  ld: ../lib/.libs/libcurl.so: undefined reference to `Curl_sasl_parse_url_auth
  _option'
  ld: ../lib/.libs/libcurl.so: undefined reference to `Curl_sasl_cleanup'
  ld: ../lib/.libs/libcurl.so: undefined reference to `Curl_sasl_can_authentica
  te'
  ld: ../lib/.libs/libcurl.so: undefined reference to `Curl_sasl_continue'
  ld: ../lib/.libs/libcurl.so: undefined reference to `Curl_sasl_start'
  ld: ../lib/.libs/libcurl.so: undefined reference to `Curl_sasl_init'

  This was tracked down to these functions bein used in openldap.c but
  defined in curl_sasl.c and then forward in two vauth/ files to have
  a guard against a set of #define configurations that was now extended
  to cover also this case.

  Example configuration targeted that could reproduce the problem:

  curl 7.87.1-DEV () libcurl/7.87.1-DEV .... OpenLDAP/2.6.3
  Protocols: file ftp ftps http https ldap ldaps

  Closes #10445

Daniel Stenberg (9 Feb 2023)

- ws: use %Ou for outputting curl_off_t with info()

  Reported-by: Mike Duglas
  Fixes #10439
  Closes #10441

Jay Satiro (9 Feb 2023)

- curl_setup: Disable by default recv-before-send in Windows

  Prior to this change a workaround for Windows to recv before every send
  was enabled by default. The way it works is a recv is called before
  every send and saves the received data, in case send fails because in
  Windows apparently that can wipe out the socket's internal received
  data buffer.

  This feature has led to several bugs because the way libcurl operates
  it waits on a socket to read or to write, and may not at all times
  check for buffered receive data.

  Two recent significant bugs this workaround caused:
  - Broken Schannel TLS 1.3 connections (#9431)
  - HTTP/2 arbitrary hangs (#10253)

  The actual code remains though it is disabled by default. Though future
  changes to connection filter buffering could improve the situation IMO
  it's just not tenable to manage this workaround.

  Ref: https://github.com/curl/curl/issues/657
  Ref: https://github.com/curl/curl/pull/668
  Ref: https://github.com/curl/curl/pull/720

  Ref: https://github.com/curl/curl/issues/9431
  Ref: https://github.com/curl/curl/issues/10253

  Closes https://github.com/curl/curl/pull/10409

Stefan Eissing (8 Feb 2023)

- http2: aggregate small SETTINGS/PRIO/WIN_UPDATE frames

  add a small buffer to nghttp2 session sending in order to aggregate
  small SETTINGS/PRIO/WIN_UPDATE frames that nghttp2 "writes" to the
  callback individually.

  Ref: #10389
  Closes #10432

- openssl: store the CA after first send (ClientHello)

  move Curl_ssl_setup_x509_store() call after the first send (ClientHello)
  this gives time to parse CA anchors while waiting on the server reply

  Ref: #10389
  Closes #10432

Daniel Stenberg (8 Feb 2023)

- RELEASE-NOTES: synced

Anthony Hu (8 Feb 2023)

- wolfssl: remove deprecated post-quantum algorithms

  Closes #10440

John Bampton (8 Feb 2023)

- misc: fix spelling

  Closes #10437

Daniel Stenberg (7 Feb 2023)

- man pages: call the custom user pointer 'clientp' consistently

  The variable had a few different names. Now try to use 'clientp'
  consistently for all man pages using a custom pointer set by the
  application.

  Reported-by: Gerrit Renker

  Fixes #10434
  Closes #10435

- vtls: infof using %.*s needs to provide the length as int

  Fixes a Coverity warning.

  Closes #10436

Stefan Eissing (7 Feb 2023)

- vrls: addressing issues reported by coverity

  I believe the code was secure before this, but limiting the accepted
  name length to what is used in the structures should help Coverity's
  analysis.

  Closes #10431

Daniel Stenberg (7 Feb 2023)

- tool_operate: move the 'updated' variable

  This was already done by Dan Fandrich in the previous PR but somehow I
  lost that fixup.

  Follow-up to 349c5391f2121e

Dan Fandrich (7 Feb 2023)

- tool_operate: Fix error codes during DOS filename sanitize

  It would return CURLE_URL_MALFORMAT in an OOM condition.

  Closes #10414

- tool_operate: Fix error codes on bad URL & OOM

  curl would erroneously report CURLE_OUT_OF_MEMORY in some cases instead
  of CURLE_URL_MALFORMAT. In other cases, it would erroneously return
  CURLE_URL_MALFORMAT instead of CURLE_OUT_OF_MEMORY.  Add a test case to
  test the former condition.

  Fixes #10130
  Closes #10414

Daniel Stenberg (6 Feb 2023)

- setopt: use >, not >=, when checking if uarg is larger than uint-max

  Closes #10421

- vtls: fix failf() format argument type for %.*s handling

  Reported by Coverity

  Closes #10422

- openssl: fix "Improper use of negative value"

  By getting the socket first and returning error in case of bad socket.

  Detected by Coverity.

  Closes #10423

Dan Fandrich (6 Feb 2023)

- packages: Remove Android.mk from makefile

  This was missed in commit #44141512

  Ref: #10418

Daniel Stenberg (6 Feb 2023)

- curl_ws_send.3: clarify how to send multi-frame messages

Mike Duglas (6 Feb 2023)

- ws: fix multiframe send handling

  Fixes #10413
  Closes #10420

Daniel Stenberg (6 Feb 2023)

- unit2600: make sure numerical curl_easy_setopt sets long

  Follow-up to 671158242db3203

  Reported-by: Marcel Raad
  Fixes #10410
  Closes #10419

Andy Alt (6 Feb 2023)

- GHA: move Slackware test into matrix

  Closes #10412

Pronyushkin Petr (6 Feb 2023)

- urlapi: fix part of conditional expression is always true: qlen

  Closes #10408

- url: fix part of conditional expression is always true

  Closes #10407

Daniel Stenberg (6 Feb 2023)

- RELEASE-NOTES: synced

Philip Heiduck (6 Feb 2023)

- GHA/macos.yml: bump to gcc-12

  Closes #10415

Daniel Stenberg (6 Feb 2023)

- packages: remove Android, update README

  - Nobody builds curl for Android using this anymore
  - Refreshed the README and converted to markdown

  Reported-by: John Porter
  Fixes #10416
  Closes #10418

Kvarec Lezki (5 Feb 2023)

- fopen: remove unnecessary assignment

  [CWE-1164] V1048: The '* tempname' variable was assigned the same value.

  Ref: https://pvs-studio.com/en/docs/warnings/v1048/

  Closes https://github.com/curl/curl/pull/10398

Gisle Vanem (5 Feb 2023)

- libtest: add a sleep macro for Windows

  .. because sleep() is used in some libtests.

  Closes https://github.com/curl/curl/pull/10295

Kvarec Lezki (3 Feb 2023)

- http_aws_sigv4: remove typecasts from HMAC_SHA256 macro

  V220: Suspicious sequence of types castings: memsize -> 32-bit integer -> mem
  size.

  https://pvs-studio.com/en/docs/warnings/v220/

  Closes #10400

Daniel Stenberg (3 Feb 2023)

- mailmap: Thomas1664 on github

Thomas1664 on github (3 Feb 2023)

- CURLOPT_WRITEFUNCTION.3: fix memory leak in example

  Closes #10390

Kvarec Lezki (3 Feb 2023)

- doh: ifdef IPv6 code

  For disabled IPv6 a condition (conn->ip_version != CURL_IPRESOLVE_V4) is
  always false. https://pvs-studio.com/en/docs/warnings/v560/

  Closes #10397

Daniel Stenberg (3 Feb 2023)

- urlapi: remove pathlen assignment

  "Value stored to 'pathlen' is never read"

  Follow-up to 804d5293f89

  Reported-by: Kvarec Lezki

  Closes #10405

Kvarec Lezki (3 Feb 2023)

- http: fix "part of conditional expression is always false"

  [CWE-570] V560: A part of conditional expression is always false: conn->bits.
  authneg.
  [CWE-570] V560: A part of conditional expression is always false: conn->handl
  er->protocol & (0 | 0).

  https://pvs-studio.com/en/docs/warnings/v560/

  Closes #10399

Daniel Stenberg (2 Feb 2023)

- urlapi: skip the extra dedotdot alloc if no dot in path

  Saves an allocation for many/most URLs.

  Updates test 1395 accordingly

  Closes #10403

Stefan Eissing (2 Feb 2023)

- connections: introduce http/3 happy eyeballs

  New cfilter HTTP-CONNECT for h3/h2/http1.1 eyeballing.
  - filter is installed when `--http3` in the tool is used (or
    the equivalent CURLOPT_ done in the library)
  - starts a QUIC/HTTP/3 connect right away. Should that not
    succeed after 100ms (subject to change), a parallel attempt
    is started for HTTP/2 and HTTP/1.1 via TCP
  - both attempts are subject to IPv6/IPv4 eyeballing, same
    as happens for other connections
  - tie timeout to the ip-version HAPPY_EYEBALLS_TIMEOUT
  - use a `soft` timeout at half the value. When the soft timeout
    expires, the HTTPS-CONNECT filter checks if the QUIC filter
    has received any data from the server. If not, it will start
    the HTTP/2 attempt.

  HTTP/3(ngtcp2) improvements.
  - setting call_data in all cfilter calls similar to http/2 and vtls filters
    for use in callback where no stream data is available.
  - returning CURLE_PARTIAL_FILE for prematurely terminated transfers
  - enabling pytest test_05 for h3
  - shifting functionality to "connect" UDP sockets from ngtcp2
    implementation into the udp socket cfilter. Because unconnected
    UDP sockets are weird. For example they error when adding to a
    pollset.

  HTTP/3(quiche) improvements.
  - fixed upload bug in quiche implementation, now passes 251 and pytest
  - error codes on stream RESET
  - improved debug logs
  - handling of DRAIN during connect
  - limiting pending event queue

  HTTP/2 cfilter improvements.
  - use LOG_CF macros for dynamic logging in debug build
  - fix CURLcode on RST streams to be CURLE_PARTIAL_FILE
  - enable pytest test_05 for h2
  - fix upload pytests and improve parallel transfer performance.

  GOAWAY handling for ngtcp2/quiche
  - during connect, when the remote server refuses to accept new connections
    and closes immediately (so the local conn goes into DRAIN phase), the
    connection is torn down and a another attempt is made after a short grace
    period.
    This is the behaviour observed with nghttpx when we tell it to  shut
    down gracefully. Tested in pytest test_03_02.

  TLS improvements
  - ALPN selection for SSL/SSL-PROXY filters in one vtls set of functions, repl
  aces
    copy of logic in all tls backends.
  - standardized the infof logging of offered ALPNs
  - ALPN negotiated: have common function for all backends that sets alpn propr
  ty
    and connection related things based on the negotiated protocol (or lack the
  reof).

  - new tests/tests-httpd/scorecard.py for testing h3/h2 protocol implementatio
  n.
    Invoke:
      python3 tests/tests-httpd/scorecard.py --help
    for usage.

  Improvements on gathering connect statistics and socket access.
  - new CF_CTRL_CONN_REPORT_STATS cfilter control for having cfilters
    report connection statistics. This is triggered when the connection
    has completely connected.
  - new void Curl_pgrsTimeWas(..) method to report a timer update with
    a timestamp of when it happend. This allows for updating timers
    "later", e.g. a connect statistic after full connectivity has been
    reached.
  - in case of HTTP eyeballing, the previous changes will update
    statistics only from the filter chain that "won" the eyeballing.
  - new cfilter query CF_QUERY_SOCKET for retrieving the socket used
    by a filter chain.
    Added methods Curl_conn_cf_get_socket() and Curl_conn_get_socket()
    for convenient use of this query.
  - Change VTLS backend to query their sub-filters for the socket when
    checks during the handshake are made.

  HTTP/3 documentation on how https eyeballing works.

  TLS improvements
  - ALPN selection for SSL/SSL-PROXY filters in one vtls set of functions, repl
  aces
    copy of logic in all tls backends.
  - standardized the infof logging of offered ALPNs
  - ALPN negotiated: have common function for all backends that sets alpn propr
  ty
    and connection related things based on the negotiated protocol (or lack the
  reof).

  Scorecard with Caddy.
  - configure can be run with `--with-test-caddy=path` to specify which caddy t
  o use for testing
  - tests/tests-httpd/scorecard.py now measures download speeds with caddy

  pytest improvements
  - adding Makfile to clean gen dir
  - adding nghttpx rundir creation on start
  - checking httpd version 2.4.55 for test_05 cases where it is needed. Skippin
  g with message if too old.
  - catch exception when checking for caddy existance on system.

  Closes #10349

Daniel Stenberg (2 Feb 2023)

- CODEOWNERS: remove the peeps mentioned as CI owners

  These owners do not have the bandwidth/energy to do the reviews which
  makes PRs stall and this ownership claim flawed. We can bring people
  back when the situation is different.

  Follow-up to c04c78ac87c4d46737934345a

  Closes #10386

Martin D'Aloia (2 Feb 2023)

- write-out.d: add 'since version' to %{header_json} documentation

  The documentation of `%{header_json}` missed to mention since which
  version this variable for `--write-out` is present.

  Based on commit https://github.com/curl/curl/commit/4133a69f2daa476bb
  we can determine from the tags were this commit is present that the
  first version to include it was `7.83.0`.
  This could be also checked with:
  `git tag --contains 4133a69f2daa476bb6d902687f1dd6660ea9c3c5`

  Closes #10395

Daniel Stenberg (1 Feb 2023)

- urlapi: avoid Curl_dyn_addf() for hex outputs

  Inspired by the recent fixes to escape.c, we should avoid calling
  Curl_dyn_addf() in loops, perhaps in particular when adding something so
  simple as %HH codes - for performance reasons. This change makes the
  same thing for the URL parser's two URL-encoding loops.

  Closes #10384

- urlapi: skip path checks if path is just "/"

  As a miniscule optimization, treat a path of the length 1 as the same as
  non-existing, as it can only be a single leading slash, and that's what
  we do for no paths as well.

  Closes #10385

Philip Heiduck (1 Feb 2023)

- GHA/macos: use Xcode_14.0.1 for cmake builds

  Fixes #10356
  Closes #10381

Viktor Szakats (1 Feb 2023)

- tls: fixes for wolfssl + openssl combo builds

  1. Add `USE_WOLFSSL` to the TLS backend priority list in
     `lib/curl_ntlm_core.c`.

  2. Fix `lib/curl_ntlm_core.h` to respect TLS backend priority, bringing
     it in sync with the above list and `lib/curl_ntlm_core.c` itself.

     Reported-by: Mark Roszko
     Ref: https://github.com/curl/curl/issues/10321

  3. Allow enabling both wolfSSL and OpenSSL at the same time in
     `lib/Makefile.mk` bringing this in line with cmake/autotools builds.
     Update logic to select the crypto-specific lib for `ngtcp2`, which
     supports a single TLS backend at the same time.

  Closes #10322

Daniel Stenberg (1 Feb 2023)

- RELEASE-NOTES: synced

- docs/INSTALL: document how to use multiple TLS backends

  And document how OpenSSL forks and wolfSSL cannot be used at the same
  time.

  Reported-by: Mark Roszko
  Fixes #10321
  Closes #10382

Kvarec Lezki (1 Feb 2023)

- cookies: fp is always not NULL

  Closes #10383

Daniel Stenberg (31 Jan 2023)

- escape: use table lookup when adding %-codes to output

  On my dev host, this code runs 7.8 times faster.

  Closes #10377

- unit2600: avoid error: ‘TEST_CASES’ defined but not used

  Follow-up to d55de24dce9d51

  Closes #10379

- escape: hex decode with a lookup-table

  Makes the decoding 2.8 times faster in my tests.

  Closes #10376

- cf-socket: fix build error wo TCP_FASTOPEN_CONNECT

  Follow-up to 5651a36d1a

  Closes #10378

  Reviewed-by: Stefan Eissing

Stefan Eissing (31 Jan 2023)

- CI: add pytest github workflow to CI test/tests-httpd on a HTTP/3 setup

  Closes #10317

- connect: fix strategy testing for attempts, timeouts and happy-eyeball

  - add test2600 as a unit test that triggers various connect conditions
    and monitors behaviour, available in a debug build only.

  - this exposed edge cases in connect.c that have been fixed

  Closes #10312

- cf-socket: improvements in socket I/O handling

  - Curl_write_plain/Curl_read_plain have been eliminated. Last code use
    now uses Curl_conn_send/recv so that requests use conn->send/revc
    callbacks which defaults to cfilters use.
  - Curl_recv_plain/Curl_send_plain have been internalized in cf-socket.c.
  - USE_RECV_BEFORE_SEND_WORKAROUND (active on Windows) has been moved
    into cf-socket.c. The pre_recv buffer is held at the socket filter
    context.  `postponed_data` structures have been removed from
    `connectdata`.
  - the hanger in HTTP/2 request handling was a result of read buffering
    on all sends and the multi handling is not prepared for this. The
    following happens:

     - multi preforms on a HTTP/2 easy handle
     - h2 reads and processes data
     - this leads to a send of h2 data
     - which receives and buffers before the send
     - h2 returns
     - multi selects on the socket, but no data arrives (its in the buffer alre
  ady)
     the workaround now receives data in a loop as long as there is something i
  n
     the buffer. The real fix would be for multi to change, so that `data_pendi
  ng`
     is evaluated before deciding to wait on the socket.

  io_buffer, optional, in cf-socket.c, http/2 sets state.drain if lower
  filter have pending data.

  This io_buffer is only available/used when the
  -DUSE_RECV_BEFORE_SEND_WORKAROUND is active, e.g. on Windows
  configurations. It also maintains the original checks on protocol
  handler being HTTP and conn->send/recv not being replaced.

  The HTTP/2 (nghttp2) cfilter now sets data->state.drain when it finds
  out that the "lower" filter chain has still pending data at the end of
  its IO operation. This prevents the processing from becoming stalled.

  Closes #10280

Daniel Stenberg (31 Jan 2023)

- openssl: only use CA_BLOB if verifying peer

  Reported-by: Paul Groke
  Bug: https://curl.se/mail/lib-2023-01/0070.html
  Fixes #10351
  Closes #10359

Thomas1664 on github (31 Jan 2023)

- curl_free.3: fix return type of `curl_free`

  Fixes #10373
  Closes #10374

Daniel Stenberg (30 Jan 2023)

- zuul: stop using this CI service

  The important jobs have already transitioned. The remaining ones we can
  skip for now.

  Closes #10368

- copyright: remove "m4/ax_compile_check_sizeof.m4" from skips

  and report if skipped files do not exist.

  Follow-up to 9e11c2791fb960758 which removed the file.

  Closes #10369

- ws: unstick connect-only shutdown

  As this mode uses blocking sockets, it must set them back to
  non-blocking in disconnect to avoid the risk of getting stuck.

  Closes #10366

- ws: remove bad assert

  Reported-by: Stanley Wucw
  Fixes #10347
  Closes #10366

- openssl: adapt to boringssl's error code type

  BoringSSL uses uint32_t, OpenSSL uses 'unsigned 'long'

  Closes #10360

- tool_operate: repair --rate

  Regression from a55256cfb242 (7.87.0)
  Reported-by: highmtworks on github
  Fixes #10357
  Closes #10358

- dict: URL decode the entire path always

  Reported-by: dekerser on github
  Fixes #10298
  Closes #10354

Stefan Eissing (29 Jan 2023)

- vtls: do not null-check when we already assume cf-ctx exists

  Fixes #10361
  Closes #10362

Daniel Stenberg (29 Jan 2023)

- RELEASE-NOTES: synced

- CURLOPT_READFUNCTION.3: the callback 'size' arg is always 1

  Reported-by: Brian Green
  Fixes #10328
  Closes #10355

- copyright.pl: cease doing year verifications

  As we have (mostly) removed the copyright year ranges.

  Reported-by: Ryan Schmidt
  Fixes #10345
  Closes #10352

Dan Fandrich (28 Jan 2023)

- CI: Work around a labeler bug that removes labels

Jay Satiro (26 Jan 2023)

- write-out.d: clarify Windows % symbol escaping

  - Clarify that in Windows batch files the % must be escaped as %%, and
    at the command prompt it cannot be escaped which could lead to
    incorrect expansion.

  Prior to this change the doc implied % must be escaped as %% in win32
  always.

  ---

  Examples showing how a write-out argument is received by curl:

  If curl --write-out "%{http_code}" is executed in a batch file:
  {http_code}

  If curl --write-out "%%{http_code}" is executed in a batch file:
  %{http_code}

  If curl --write-out "%{http_code}" is executed from the command prompt:
  %{http_code}

  If curl --write-out "%%{http_code}" is executed from the command prompt:
  %%{http_code}

  At the command prompt something like "%{speed_download}%{http_code}"
  would first be parsed by the command interpreter as %{speed_download}%
  and would be expanded as environment variable {speed_download} if it
  existed, though that's highly unlikely since Windows environment names
  don't use braces.

  ---

  Reported-by: Muhammad Hussein Ammari

  Ref: https://github.com/bagder/everything-curl/pull/279

  Fixes https://github.com/curl/curl/issues/10323
  Closes https://github.com/curl/curl/pull/10337

Ryan Schmidt (26 Jan 2023)

- connect: Fix build when not ENABLE_IPV6

  Check for ENABLE_IPV6 before accessing AF_INET6. Fixes build failure
  introduced in 1c5d8ac.

  Closes https://github.com/curl/curl/pull/10344

- cf-socket: Fix build when not HAVE_GETPEERNAME

  Remove remaining references to conn and sockfd, which were removed from
  the function signature when conninfo_remote was renamed to
  conn_set_primary_ip in 6a8d7ef.

  Closes https://github.com/curl/curl/pull/10343

Stefan Eissing (26 Jan 2023)

- vtls: Manage current easy handle in nested cfilter calls

  The previous implementation cleared `data` so the outer invocation lost
  its data, which could lead to a crash.

  Bug: https://github.com/curl/curl/issues/10336
  Reported-by: Fujii Hironori

  Closes https://github.com/curl/curl/pull/10340

Dan Fandrich (25 Jan 2023)

- CI: Add even more paths to the labeler config (#10326)

- scripts: Fix Appveyor job detection in cijobs.pl

  The reorganization in #9769 broke the script. This should probably be
  rewritten to use a YAML parser for better upward compatibility.

- CI: Add a few more paths to the labeler config (#10326)

- CI: Switch the labeler event to pull_request_target

  Otherwise, the action won't work on PRs from forked repositories
  (#10326).

Viktor Szakats (25 Jan 2023)

- cmake: delete redundant macro definition `SECURITY_WIN32`

  Stop explicitly defining `SECURITY_WIN32` in CMake builds.

  No other build systems define this macro, because it's unconditionally
  defined in `lib/curl_sspi.h` already. This is the only curl source using
  the `sspi.h` and `security.h` Win32 headers, and no other Win32 headers
  need this macro.

  Reviewed-by: Jay Satiro
  Closes #10341

Fredrik (24 Jan 2023)

- winbuild: document that arm64 is supported

  Building an arm64 version works flawlessly with the VS arm64 toolset.

  Closes https://github.com/curl/curl/pull/10332

Cherish98 (24 Jan 2023)

- openssl: don't log raw record headers

  - Skip content type SSL3_RT_HEADER in verbose TLS output.

  This commit prevents bogus and misleading verbose TLS header messages as
  discussed in #10299.

  Assisted-by: Peter Wu

  Closes https://github.com/curl/curl/pull/10299

Marc Aldorasi (24 Jan 2023)

- cmake: use list APPEND syntax for CMAKE_REQUIRED_DEFINITIONS

  - Use list() instead of set() for CMAKE_REQUIRED_DEFINITIONS list since
    the former is clearer.

  Closes https://github.com/curl/curl/pull/10272

Dan Fandrich (23 Jan 2023)

- CI: Add a workflow to automatically label pull requests

  The labeler language is quite restrictive right now so labels are added
  quite conservatively, meaning that many PRs won't get labels when it's
  "obvious" they should. It will still save some manual work on those
  that it can label.

Jay Satiro (21 Jan 2023)

- system.h: assume OS400 is always built with ILEC compiler

  Prior to this change the OS400 types were only defined when __ILEC400__.
  That symbol is only defined by IBM's C compiler and not their C++
  compiler, which led to missing types when users on OS400 would compile a
  C++ application that included curl.

  The IBM C and C++ compilers are the only native compilers on the
  platform.

  Assisted-by: Jon Rumsey
  Reported-by: John Sherrill

  Fixes https://github.com/curl/curl/issues/10305
  Closes https://github.com/curl/curl/pull/10329

xgladius (20 Jan 2023)

- cmake: Remove deprecated symbols check

  curl stopped use of CMAKE_USE_ as a prefix for its own build symbols in
  2021 and added a check, meant to last 1 year, to fatally error on those
  symbols. This commit removes that check.

  Closes https://github.com/curl/curl/pull/10314

Dan Fandrich (20 Jan 2023)

- docs: POSTFIELDSIZE must be set to -1 with read function

  Reported-by: RanBarLavie on github

  Closes #10313

Stefan Eissing (20 Jan 2023)

- vtls: fix hostname handling in filters

  - Copy the hostname and dispname to ssl_connect_data.

  Use a copy instead of referencing the `connectdata` instance since this
  may get free'ed on connection reuse.

  Reported-by: Stefan Talpalaru
  Reported-by: sergio-nsk@users.noreply.github.com

  Fixes https://github.com/curl/curl/issues/10273
  Fixes https://github.com/curl/curl/issues/10309

  Closes https://github.com/curl/curl/pull/10310

Sergey Bronnikov (17 Jan 2023)

- lib: fix typos

  Closes https://github.com/curl/curl/pull/10307

- curl_version_info.3: fix typo

  Closes https://github.com/curl/curl/pull/10306

Jay Satiro (17 Jan 2023)

- openssl: Don't ignore CA paths when using Windows CA store (redux)

  .. and remove 'experimental' designation from CURLSSLOPT_NATIVE_CA.

  This commit restores the behavior of CURLSSLOPT_NATIVE_CA so that it
  does not override CURLOPT_CAINFO / CURLOPT_CAPATH, or the hardcoded
  default locations. Instead the native Windows CA store can be used at
  the same time.

  ---

  This behavior was originally added over two years ago in abbc5d60
  (#5585) but then 83393b1a (#7892) broke it over a year ago, I assume
  inadvertently.

  The CURLSSLOPT_NATIVE_CA feature was marked experimental and likely
  rarely used.

  Ref: https://github.com/curl/curl/pull/5585
  Ref: https://github.com/curl/curl/pull/7892
  Ref: https://curl.se/mail/lib-2023-01/0019.html

  Closes https://github.com/curl/curl/pull/10244

Daniel Stenberg (13 Jan 2023)

- RELEASE-NOTES: synced

- ws: fix autoping handling

  Reported-by: Alexey Savchuk
  Fixes #10289
  Closes #10294

- curl_log: avoid printf() format checking with mingw

  Since it does not seem to like %zu and more

  Follow-up to db91dbbf2

  Fixes #10291
  Closes #10292

- tool_getparam: fix compiler warning when !HAVE_WRITABLE_ARGV

  Follow-up to 2ed0e1f70ee176edf3d2

  Closes #10286

Stefan Eissing (12 Jan 2023)

- openssl: make the BIO_METHOD a local variable in the connection filter

  This avoids UAF issues when `curl_global_cleanup()` is called before all
  transfers have been completely handled. Unfortunately this seems to be a
  more common pattern than we like.

  Closes #10285

Daniel Stenberg (12 Jan 2023)

- curl: output warning at --verbose output for debug-enabled version

  + a libcurl warning in the debug output

  Assisted-by: Jay Satiro

  Ref: https://curl.se/mail/lib-2023-01/0039.html
  Closes #10278

- src: add --http3-only

  Warning: --http3 and --http3-only are subject to change again (or be
  removed) before HTTP/3 support goes non-experimental.

  Closes #10264

- curl.h: add CURL_HTTP_VERSION_3ONLY

  As the previous CURL_HTTP_VERSION_3 option gets a slightly altered meaning.

  Closes #10264

- connect: fix access of pointer before NULL check

  Detected by Coverity CID 1518992

  Closes #10284

Daniel Gustafsson (12 Jan 2023)

- easyoptions: Fix header printing in generation script

  The optiontable.pl script prints the header comment when generating
  easyoptions.c, but it wasn't escaping all characters which jumbled the
  curl ascii logo.  Fix by escaping.

  Cloes #10275

Harry Sintonen (12 Jan 2023)

- tool_getparam: fix hiding of command line secrets

  Closes #10276

Stefan Eissing (12 Jan 2023)

- tests: document the cfilter debug logging options

  Closes #10283

- curl_log: for failf/infof and debug logging implementations

   - new functions and macros for cfilter debugging
   - set CURL_DEBUG with names of cfilters where debug logging should be
     enabled
   - use GNUC __attribute__ to enable printf format checks during compile

  Closes #10271

Daniel Stenberg (10 Jan 2023)

- RELEASE-NOTES: synced

Nick Banks (10 Jan 2023)

- msh3: update to v0.6

  Closes #10192

Stefan Eissing (10 Jan 2023)

- ngtcp2: add CURLOPT_SSL_CTX_FUNCTION support for openssl+wolfssl

  Using common method for SSL_CTX initialization of verfiy peer and CA
  settings. This also provides X509_STORE sharing to become available for
  ngtcp2+openssl HTTP/3.

  Reported-by: violetlige on github

  Fixes #10222
  Closes #10239

Daniel Stenberg (10 Jan 2023)

- cf-socket: make infof() call use %zu for size_t output

  Detected by Coverity CID 1518986 and CID 1518984

  Closes #10268

Jon Rumsey (10 Jan 2023)

- os400: fixes to make-lib.sh and initscript.sh

  Adjust how exports list is generated from header files to account for
  declarations across multiple lines and CURL_DEPRECATED(...) tags.

  Update initscript.sh

  Specify qadrt_use_inline to prevent unistd.h in ASCII runtime defining
  close(a) -> close_a(a)

  Fixes #10266
  Closes #10267

Stefan Eissing (9 Jan 2023)

- tests-httpd: basic infra to run curl against an apache httpd plus nghttpx for
   h3

  - adding '--with-test-httpd=<path>' to configure non-standard apache2
    install
  - python env and base classes for running httpd
  - basic tests for connectivity with h1/h2/h3
  - adding test cases for truncated responses in http versions.
  - adding goaway test for HTTP/3.
  - adding "stuttering" tests with parallel downloads in chunks with
    varying delays between chunks.

  - adding a curltest module to the httpd server, adding GOAWAY test.
      - mod_curltest now installs 2 handlers
        - 'echo': writing as response body what came as request body
        - 'tweak': with query parameters to tweak response behaviour
  - marked known fails as skip for now

  Closes #10175

- quic: improve connect error message, debugging info, fix false connect report

  - ECONNECTREFUSED has not its own fail message in quic filters
  - Debug logging in connect eyballing improved
  - Fix bug in ngtcp2/quiche that could lead to false success reporting.

  Reported-by: Divy Le Ray

  Fixes #10245
  Closes #10248

- quiche: fix build without any HTTP/2 implementation

  Fixes #10260
  Closes #10263

Daniel Stenberg (9 Jan 2023)

- .github/workflows/linux.yml: add a quiche CI job

  Move over from zuul

  Closes #10241

- curl.h: allow up to 10M buffer size

  Bump the limit from 512K. There might be reasons for applications using
  h3 to set larger buffers and there is no strong reason for curl to have
  a very small maximum.

  Ref: https://curl.se/mail/lib-2023-01/0026.html

  Closes #10256

Tatsuhiro Tsujikawa (8 Jan 2023)

- GHA: use designated ngtcp2 and its dependencies versions

  Designate ngtcp2 and its dependency versions so that the CI build does
  not fail without our control.

  Closes #10257

Daniel Stenberg (8 Jan 2023)

- docs/cmdline-opts/hsts.d: explain hsts more

  Closes #10258

Stefan Eissing (8 Jan 2023)

- msh3: run again in its cfilter

  - test 2500, single GET works
  - test 2501, single POST stalls
  - test 2502, multiple, sequential GETs each use a new connection since
    MsH3ConnectionGetState(qconn) no longer reports CONNECTED after one
    GET.

  Closes #10204

Jay Satiro (8 Jan 2023)

- sendf: fix build for Linux TCP fastopen

  - Fix the remote addr struct dereference.

  - Include cf-socket.h in urldata.h.

  Follow-up to 6a8d7ef9 which changed conn->ipaddr (Curl_addrinfo* )
  member to conn->remote_addr (Curl_sockaddr_ex *) several days ago.

  Reported-by: Stephan Guilloux

  Fixes https://github.com/curl/curl/issues/10249
  Closes https://github.com/curl/curl/pull/10250

Daniel Stenberg (7 Jan 2023)

- RELEASE-NOTES: synced

- setopt: move the SHA256 opt within #ifdef libssh2

  Because only the libssh2 backend not supports it and thus this should
  return error if this option is used other backends.

  Reported-by: Harry Sintonen

  Closes #10255

Patrick Monnerat (7 Jan 2023)

- nss: implement data_pending method

  NSS currently uses the default Curl_none_data_pending() method which
  always returns false, causing TLS buffered input data to be missed.

  The current commit implements the nss_data_pending() method that properly
  monitors the presence of available TLS data.

  Ref:#10077

  Closes #10225

Jay Satiro (6 Jan 2023)

- CURLOPT_HEADERDATA.3: warn DLL users must set write function

  - Warn that in Windows if libcurl is running from a DLL and if
    CURLOPT_HEADERDATA is set then CURLOPT_WRITEFUNCTION or
    CURLOPT_HEADERFUNCTION must be set as well, otherwise the user may
    experience crashes.

  We already have a similar warning in CURLOPT_WRITEDATA. Basically, in
  Windows libcurl could crash writing a FILE pointer that was created by
  a different C runtime. In Windows each DLL that is part of a program may
  or may not have its own C runtime.

  Ref: https://github.com/curl/curl/issues/10231

  Closes https://github.com/curl/curl/pull/10233

Jon Rumsey (5 Jan 2023)

- x509asn1: fix compile errors and warnings

  Various small issues when built for GSKit

  Closes #10238

Patrick Monnerat (5 Jan 2023)

- runtests: fix detection of TLS backends

  Built-in TLS backends are detected at test time by scanning for their
  names in the version string line returned by the cli tool: as this line
  may also list the libssh configuration that mentions its own backend,
  the curl backend may be wrongly determined.

  In example, if the version line contains "libssh/0.10.4/openssl/zlib",
  OpenSSL is detected as a curl-configured backend even if not.

  This fix requires the backend names to appear as full words preceded by
  spacing in the version line to be recognized as curl TLS backends.

  Closes #10236

Andy Alt (5 Jan 2023)

- GHA: add job on Slackware 15.0

  Closes #10230

Daniel Stenberg (5 Jan 2023)

- test363: make even smaller writes to loop more

- http_proxy: do not assign data->req.p.http use local copy

  Avoid the tricky reusing of the data->req.p.http pointer for http proxy
  tunneling.

  Fixes #10194
  Closes #10234

Stefan Eissing (5 Jan 2023)

- quic: rename vquic implementations, fix for quiche build.

  - quiche in debug mode did not build, fixed.
  - moved all vquic implementation files to prefix curl_* to avoid
    the potential mixups between provided .h files and our own.
  - quich passes test 2500 and 2502. 2501, the POST, fail with
    the body being rejected. Quich bug?

  Closes #10242

- sectransp: fix for incomplete read/writes

  SecureTransport expects result code errSSLWouldBlock when the requested
  length could not be sent/recieved in full. The previous code returned
  noErr, which let SecureTransport to believe that the IO had terminated
  prematurely.

  Fixes #10227
  Closes #10235

Andy Alt (5 Jan 2023)

- GHA: Hacktoberfest CI: Update deprecated 'set-output' command

  Closes #10221

Jay Satiro (5 Jan 2023)

- scripts: set file mode +x on all perl and shell scripts

  - Set all scripts +x, ie 644 => 755.

  Prior to this change some scripts were not executable and therefore
  could not be called directly.

  ~~~
  git ls-files -s \*.{sh,pl,py} | grep -v 100755
  ~~~

  Closes https://github.com/curl/curl/pull/10219

Stefan Eissing (4 Jan 2023)

- tool_operate: fix headerfile writing

  Do not rely on the first transfer started to be the first to get a
  response (remember -Z). All transfers now write the headefile (-D) in
  append mode, making sure that the order of transfer responses does not
  lead to overwrites of previous data.

  Closes #10224

Daniel Stenberg (4 Jan 2023)

- misc: reduce struct and struct field sizes

  - by using BIT() instead of bool
  - imap: shrink struct
  - ftp: make state 'unsigned char'
  - ftp: sort ftp_conn struct entries on size
  - urldata: use smaller fields for SSL version info storage
  - pop3: reduce the pop3_conn struct size
  - smtp: reduce the size of the smtp structs

  Closes #10186

- noproxy: support for space-separated names is deprecated

  To be removed in July 2024.

  Assisted-by: Michael Osipov
  Fixes #10209
  Closes #10215

Andrei Rybak (4 Jan 2023)

- lib: fix typos in comments which repeat a word

  Remove erroneously duplicated words in code comments of files
  `lib.connect.c` and `lib/url.c`.

  Closes #10220

Radek Brich (3 Jan 2023)

- cmake: set SOVERSION also for macOS

  Closes #10214

Jay Satiro (3 Jan 2023)

- http2: fix compiler warning due to uninitialized variable

  Prior to this change http2_cfilter_add could return an uninitialized
  cfilter pointer in an OOM condition. In this case though, the pointer
  is discarded and not dereferenced so there was no risk of a crash.

Stefan Eissing (3 Jan 2023)

- cf-socket: keep sockaddr local in the socket filters

  - copy `struct Curl_addrinfo` on filter setup into context
  - remove `struct Curl_addrinfoi *` with `struct Curl_sockaddr_ex *` in
    connectdata that is set and NULLed by the socket filter
  - this means we have no reference to the resolver info in connectdata or
    its filters
  - trigger the CF_CTRL_CONN_INFO_UPDATE event when the complete filter
    chain reaches connected status
  - update easy handle connection information on CF_CTRL_DATA_SETUP event.

  Closes #10213

Daniel Stenberg (3 Jan 2023)

- RELEASE-NOTES: synced

- runtests: consider warnings fatal and error on them

  To help us detect and fix warnings in this script easier and faster.

  Assisted-by: Jakob Hirsch

  Ref: #10206
  Closes #10208

- copyright: update all copyright lines and remove year ranges

  - they are mostly pointless in all major jurisdictions
  - many big corporations and projects already don't use them
  - saves us from pointless churn
  - git keeps history for us
  - the year range is kept in COPYING

  checksrc is updated to allow non-year using copyright statements

  Closes #10205

- docs/DEPRECATE.md: deprecate gskit

  Ref: #10163

  - This is a niche TLS library, only running on some IBM systems
  - no regular curl contributors use this backend
  - no CI builds use or verify this backend
  - gskit, or the curl adaption for it, lacks many modern TLS features
    making it an inferior solution
  - build breakages in this code take weeks or more to get detected
  - fixing gskit code is mostly done "flying blind"

  Closes #10201

- Revert "x509asn1: avoid freeing unallocated pointers"

  This reverts commit 6b19247e794cfdf4ec63c5880d8f4f5485f653ab.

  Fixes #10163
  Closes #10207

- ngtcp2: fix the build without 'sendmsg'

  Follow-up from 71b7e0161032

  Closes #10210

- cmake: check for sendmsg

  Used by ngtcp2

  Closes #10211

Timmy Schierling (2 Jan 2023)

- runtest.pl: add expected fourth return value

  Fixes warning in autobild log: "Use of uninitialized value $HTTP2TLSPORT
  in substitution iterator at /tests/runtests.pl line 3516"

  Closes #10206

Daniel Stenberg (2 Jan 2023)

- http2: when using printf %.*s, the length arg must be 'int'

  Detected by Coverity CID 1518341

  Closes #10203

- cfilters: check for NULL before using pointer

  Detected by Coverity CID 1518343

  Closes #10202

- http2: in connisdead check, attach the connection before reading

  Otherwise data->conn is NULL and things go wrong.

  This problem caused occastional failures in test 359, 1700 and more
  depending on timing and the alignment of various planets.

  Assisted-by: Stefan Eissing

  Closes #10199

Philip Heiduck (2 Jan 2023)

- Linux CI: update some dependecies to latest tag

  Closes #10195

Daniel Stenberg (2 Jan 2023)

- c-hyper: move down the Accept-Encoding header generation

  To match the internal HTTP request header order so that test 1277 works
  again.

  Closes #10200

- release-notes.pl: check fixes/closes lines better

  To better skip lines that just happen to mention those words at the
  start of a line without being instructions.

- test1560: use a UTF8-using locale when run

  There are odd cases that don't use UTF8 and then the IDN handling goes
  wrong.

  Reported-by: Marcel Raad
  Fixes #10193
  Closes #10196

- cf-socket: fix build regression

  Reported-by: Stephan Guilloux
  Fixes #10190
  Closes #10191

- examples: remove the curlgtk.c example

  - it does not add a lot of value
  - we do not test-build it to verify because of its dependencies
  - unclear for what GTK versions it works or not

  Reported-by: odek86 on github

  Fixes #10197
  Closes #10198

Andy Alt (2 Jan 2023)

- docs: add link to GitHub Discussions

  Closes #10171

- GHA: ignore changes to md files for most workflows

  Closes #10176

Josh Brobst (2 Jan 2023)

- http: decode transfer encoding first

  The unencoding stack is added to as Transfer-Encoding and
  Content-Encoding fields are encountered with no distinction between the
  two, meaning the stack will be incorrect if, e.g., the message has both
  fields and a non-chunked Transfer-Encoding comes first. This commit
  fixes this by ordering the stack with transfer encodings first.

  Reviewed-by: Patrick Monnerat
  Closes #10187

Daniel Stenberg (1 Jan 2023)

- curl.h: mark CURLSSLBACKEND_MESALINK as deprecated

  Follow-up since 223f26c28a340b36

  Deprecated since 7.82.0

  Closes #10189

- curl_global_sslset.3: clarify the openssl situation

  and add rustls

  Closes #10188

Cameron Blomquist (1 Jan 2023)

- http: add additional condition for including stdint.h

  stdint.h was only included in http.h when ENABLE_QUIC was defined, but
  symbols from stdint.h are also used when USE_NGHTTP2 is defined. This
  causes build errors when USE_NGHTTP2 is defined but ENABLE_QUIC is not.

  Closes #10185

Daniel Stenberg (31 Dec 2022)

- urldata: cease storing TLS auth type

  The only TLS auth type libcurl ever supported is SRP and that is the
  default type. Since nobody ever sets any other type, there is no point
  in wasting space to store the set type and code to check the type.

  If TLS auth is used, SRP is now implied.

  Closes #10181

- vtls: use ALPN HTTP/1.0 when HTTP/1.0 is used

  Previously libcurl would use the HTTP/1.1 ALPN id even when the
  application specified HTTP/1.0.

  Reported-by: William Tang
  Ref: #10183

Marcel Raad (30 Dec 2022)

- lib670: make test.h the first include

  As in all other lib tests. This avoids a macro redefinition warning for
  `_FILE_OFFSET_BITS` visible in the autobuilds.

  Closes https://github.com/curl/curl/pull/10182

Stefan Eissing (30 Dec 2022)

- lib: connect/h2/h3 refactor

  Refactoring of connection setup and happy eyeballing. Move
  nghttp2. ngtcp2, quiche and msh3 into connection filters.

   - eyeballing cfilter that uses sub-filters for performing parallel connects
   - socket cfilter for all transport types, including QUIC
   - QUIC implementations in cfilter, can now participate in eyeballing
   - connection setup is more dynamic in order to adapt to what filter did
     really connect.  Relevant to see if a SSL filter needs to be added or
     if SSL has already been provided
   - HTTP/3 test cases similar to HTTP/2
   - multiuse of parallel transfers for HTTP/3, tested for ngtcp2 and quiche

   - Fix for data attach/detach in VTLS filters that could lead to crashes
     during parallel transfers.
   - Eliminating setup() methods in cfilters, no longer needed.
   - Improving Curl_conn_is_alive() to replace Curl_connalive() and
     integrated ssl alive checks into cfilter.
   - Adding CF_CNTRL_CONN_INFO_UPDATE to tell filters to update
     connection into and persist it at the easy handle.

   - Several more cfilter related cleanups and moves:
     - stream_weigth and dependency info is now wrapped in struct
       Curl_data_priority
     - Curl_data_priority members depend is available in HTTP2|HTTP3
     - Curl_data_priority members depend on NGHTTP2 support
     - handling init/reset/cleanup of priority part of url.c
     - data->state.priority same struct, but shallow copy for compares only

   - PROTOPT_STREAM has been removed
     - Curl_conn_is_mulitplex() now available to check on capability

   - Adding query method to connection filters.
     - ngtcp2+quiche: implementing query for max concurrent transfers.

   - Adding is_alive and keep_alive cfilter methods. Adding DATA_SETUP event.
     - setting keepalive timestamp on connect
     - DATA_SETUP is called after the connection has been completely
       setup (but may not connected yet) to allow filters to initialize
       data members they use.

   - there is no socket to be had with msh3, it is unclear how select
     shall work

   - manual test via "curl --http3 https://curl.se" fail with "empty
     reply from server".

   - Various socket/conn related cleanups:
     - Curl_socket is now Curl_socket_open and in cf-socket.c
     - Curl_closesocket is now Curl_socket_close and in cf-socket.c
     - Curl_ssl_use has been replaced with Cur_conn_is_ssl
     - Curl_conn_tcp_accepted_set has been split into
       Curl_conn_tcp_listen_set and Curl_conn_tcp_accepted_set
       with a clearer purpose

  Closes #10141

Daniel Stenberg (30 Dec 2022)

- RELEASE-NOTES: synced

- docs/libcurl/curl_getdate.3: minor whitespace edit

  To avoid a fccp quirk that made it render wrongly on the website

- transfer: break the read loop when RECV is cleared

  When the RECV bit is cleared because the response reading for this
  transfer is complete, the read loop should be stopped. data_pending()
  can otherwise still return TRUE and another read would be attempted.

  Reported-by: Hide Ishikawa
  Fixes #10172
  Closes #10174

- multihandle: turn bool struct fields into bits

  Closes #10179

Stefan Eissing (30 Dec 2022)

- ftpserver: lower the normal DATA connect timeout to speed up torture tests

  - tests/ftpserver.pl blocks when expecting a DATA connection from the
    client.

  - the previous 10 seconds were encountered repeatedly in torture tests
    and let to long waits.

  - 2 seconds should still be sufficient for current hw, but CI will show.

  Closes #10178

Nick Banks (28 Dec 2022)

- msh3: add support for request payload

  Closes #10136

Stefan Eissing (28 Dec 2022)

- openssl: remove attached easy handles from SSL instances

   - keeping the "current" easy handle registered at SSL* is no longer
     necessary, since the "calling" data object is already stored in the
     cfilter's context (and used by other SSL backends from there).
   - The "detach" of an easy handle that goes out of scope is then avoided.
   - using SSL_set0_wbio for clear reference counting where available.

  Closes #10151

Daniel Stenberg (28 Dec 2022)

- socketpair: allow localhost MITM sniffers

  Windows allow programs to MITM connections to localhost. The previous
  check here would detect that and error out. This new method writes data
  to verify the pipe thus allowing MITM.

  Reported-by: SerusDev on github
  Fixes #10144
  Closes #10169

- HTTP3: mention what needs to be in place to remove EXPERIMENTAL label

  Closes #10168

Andy Alt (28 Dec 2022)

- MANUAL.md: add pipe to apt-key example

  Closes #10170

Daniel Stenberg (27 Dec 2022)

- test417: verify %{certs} output

- runtests: make 'mbedtls' a testable feature

  Also add to FILEFORMAT.md

- writeout: add %{certs} and %{num_certs}

  Let users get the server certificate chain using the command line

  Closes #10019

Stefan Eissing (27 Dec 2022)

- haxproxy: send before TLS handhshake

  - reverse order of haproxy and final ssl cfilter

  - make haproxy avaiable on PROXY builds, independent of HTTP support as
    it can be used with any protocol.

  Reported-by: Sergio-IME on github
  Fixes #10165
  Closes #10167

Daniel Stenberg (27 Dec 2022)

- RELEASE-NOTES: synced

- test446: verify hsts with two URLs

- runtests: support crlf="yes" for verify/proxy

- hsts: handle adding the same host name again

  It will then use the largest expire time of the two entries.

- tool_operate: share HSTS between handles

- share: add sharing of HSTS cache among handles

  Closes #10138

Viktor Szakats (27 Dec 2022)

- Makefile.mk: fix wolfssl and mbedtls default paths

  Fix the defaults for `WOLFSSL_PATH` and `MBEDTLS_PATH` to have
  meaningful values instead of the copy-pasted wrong ones.

  Ref: https://github.com/curl/curl/commit/66e68ca47f7fd00dff2cb7c45ba6725d4009
  9585#r94275172

  Reported-by: Ryan Schmidt
  Closes #10164

Daniel Stenberg (27 Dec 2022)

- INTERNALS: cleanup

  - remove "operating systems" (mostly outdated)

  - upodate the "build tools"

  Closes #10162

- cmake: bump requirement to 3.7

  Because this is the cmake version (released in November 2016) that
  introduced GREATER_EQUAL, which is used already.

  Reported-by: nick-telia on github
  Fixes #10128
  Closes #10161

- cfilters:Curl_conn_get_select_socks: use the first non-connected filter

  When there are filters addded for both socket and SSL, the code
  previously checked the SSL sockets during connect when it *should* first
  check the socket layer until that has connected.

  Fixes #10157
  Fixes #10146
  Closes #10160

  Reviewed-by: Stefan Eissing

- urlapi: add CURLU_PUNYCODE

  Allows curl_url_get() get the punycode version of host names for the
  host name and URL parts.

  Extend test 1560 to verify.

  Closes #10109

- RELEASE-NOTES: synced

- libssh2: try sha2 algos for hostkey methods

  As is supported by recent libssh2, but should just be ignored by older
  versions.

  Reported-by: norbertmm on github
  Assisted-by: norbertmm on github
  Fixes #10143
  Closes #10145

Patrick Monnerat (26 Dec 2022)

- typecheck: accept expressions for option/info parameters

  As expressions can have side effects, evaluate only once.

  To enable deprecation reporting only once, get rid of the __typeof__
  use to define the local temporary variable and use the target type
  (CURLoption/CURLINFO). This also avoids multiple reports on type
  conflicts (if some) by the curlcheck_* macros.

  Note that CURLOPT_* and CURLINFO_* symbols may be deprecated, but not
  their values: a curl_easy_setopt call with an integer constant as option
  will never report a deprecation.

  Reported-by: Thomas Klausner
  Fixes #10148
  Closes #10149

Paul Howarth (26 Dec 2022)

- tests: avoid use of sha1 in certificates

  The SHA-1 algorithm is deprecated (particularly for security-sensitive
  applications) in a variety of OS environments. This already affects
  RHEL-9 and derivatives, which are not willing to use certificates using
  that algorithm. The fix is to use sha256 instead, which is already used
  for most of the other certificates in the test suite.

  Fixes #10135

  This gets rid of issues related to sha1 signatures.

  Manual steps after "make clean-certs" and "make build-certs":

  - Copy tests/certs/stunnel-sv.pem to tests/stunnel.pem
    (make clean-certs does not remove the original tests/stunnel.pem)

  - Copy tests/certs/Server-localhost-sv.pubkey-pinned into --pinnedpubkey
    options of tests/data/test2041 and tests/data/test2087

  Closes #10153

Yurii Rashkovskii (26 Dec 2022)

- cmake: fix the snprintf detection

  I haven't had the time to check other configurations, but on my macOS
  Ventura 13.1 with XCode 14.2 cmake does not find `snprintf`.

  Solution: ensure stdio.h is checked for definitions

  Closes #10155

Radu Hociung (26 Dec 2022)

- http: remove the trace message "Mark bundle... multiuse"

  The message "Mark bundle as not supporting multiuse" was added at commit
  29364d93 when an http/2-related bug was fixed, and it appears to be a
  leftover trace message.

  This message should be removed because:
   * it conveys no information to the user
   * it is enabled in the default build (--enable-verbose)
   * it reads like a warning/unexpected condition
   * it is equivalent to "Detected http proto < 2", which is
     not a useful message.
   * it is a time-wasting red-herring for anyone who encounters
     it for the first time while investigating some other, real
     problem.

  This commit removes the trace message "Mark bundle as not
  supporting multiuse"

  Closes #10159

Hannah Schierling (26 Dec 2022)

- url: fix build with `--disable-cookies`

  Struct `UserDefined` has no member `cookielist` if
  `CURL_DISABLE_COOKIES` is defined.

  Follow-up to af5999a

  Closes #10158

Stefan Eissing (23 Dec 2022)

- runtests: also tear down http2/http3 servers when https server is stopped

  Closes #10114

- tests: add 3 new HTTP/2 test cases, plus https: support for nghttpx

  - a simple https get
  - a simple https post
  - a multi get of 4 requests and check that same connection was used

  Closes #10114

Daniel Stenberg (23 Dec 2022)

- urldata: remove unused struct fields, made more conditional

  - source_quote, source_prequote and source_postquote have not been used since
    5e0d9aea3; September 2006

  - make several fields conditional on proxy support

  - make three quote struct fields conditional on FTP || SSH

  - make 'mime_options' depend on MIME

  - make trailer_* fields depend on HTTP

  - change 'gssapi_delegation' from long to unsigned char

  - make 'localportrange' unsigned short instead of int

  - conn->trailer now depends on HTTP

  Closes #10147

- urldata: make set.http200aliases conditional on HTTP being present

  And make a few SSH-only fields depend on SSH

  Closes #10140

- md4: fix build with GnuTLS + OpenSSL v1

  Reported-by: Esdras de Morais da Silva

  Fixes #10110
  Closes #10142

- urldata: make 'ftp_create_missing_dirs' depend on FTP || SFTP

  Closes #10139

John Bampton (22 Dec 2022)

- misc: fix grammar and spelling

  Closes #10137

Daniel Stenberg (22 Dec 2022)

- urldata: move the cookefilelist to the 'set' struct

  The cookiefile entries are set into the handle and should remain set for
  the lifetime of the handle so that duplicating it also duplicates the
  list. Therefore, the struct field is moved from 'state' to 'set'.

  Fixes #10133
  Closes #10134

- strdup: name it Curl_strdup

  It does not belong in the curlx_ name space as it is never used
  externally.

  Closes #10132

Nick Banks (22 Dec 2022)

- msh3: update to v0.5 Release

  Closes #10125

Andy Alt (22 Dec 2022)

- workflows/linux.yml: merge 3 common packages

  Closes #10071

Daniel Stenberg (21 Dec 2022)

- docs: mention indirect effects of --insecure

  Warn users that disabling certficate verification allows servers to
  "pollute" curl with data it trusts.

  Reported-by: Harry Sintonen
  Closes #10126

- SECURITY-PROCESS.md: document severity levels

  Closes #10118

- RELEASE_NOTES: synced

  bumped version for new cycle

Marcel Raad (21 Dec 2022)

- tool_operate: fix `CURLOPT_SOCKS5_GSSAPI_NEC` type

  `CURLOPT_SOCKS5_GSSAPI_NEC` is a long, while `socks5_gssapi_nec` was
  made a bool in commit 4ac64eadf60.

  Closes https://github.com/curl/curl/pull/10124

Version 7.87.0 (21 Dec 2022)

Daniel Stenberg (21 Dec 2022)

- RELEASE-NOTES: synced

  The curl 7.87.0 release

- THANKS: 40 new contributors from 7.87.0

- http: fix the ::1 comparison for IPv6 localhost for cookies

  When checking if there is a "secure context", which it is if the
  connection is to localhost even if the protocol is HTTP, the comparison
  for ::1 was done incorrectly and included brackets.

  Reported-by: BratSinot on github

  Fixes #10120
  Closes #10121

Philip Heiduck (19 Dec 2022)

- CI/spell: actions/checkout@v2 > actions/checkout@v3

Daniel Stenberg (19 Dec 2022)

- smb/telnet: do not free the protocol struct in *_done()

  It is managed by the generic layer.

  Reported-by: Trail of Bits

  Closes #10112

- http: use the IDN decoded name in HSTS checks

  Otherwise it stores the info HSTS into the persistent cache for the IDN
  name which will not match when the HSTS status is later checked for
  using the decoded name.

  Reported-by: Hiroki Kurosawa

  Closes #10111

- CURLOPT_DEBUGFUNCTION.3: emphasize that incoming data is "raw"

  Closes #10106

Xì Gà (16 Dec 2022)

- socks: fix username max size is 255 (0xFF)

  Closes #10105

  Reviewed-by: Daniel Gustafsson

Daniel Stenberg (16 Dec 2022)

- limit-rate.d: see also --rate

- lib1560: add some basic IDN host name tests

  Closes #10094

- idn: rename the files to idn.[ch] and hold all IDN functions

  Closes #10094

- idn: remove Curl_win32_ascii_to_idn

  It was not used. Introduce a new IDN header for the prototype(s).

  Closes #10094

- RELEASE-NOTES: synced

- curl_url_get.3: remove spurious backtick

  Put there by mistake.

  Follow-up from 9a8564a92

  Closes #10101

- socks: fix infof() flag for outputing a char

  It used to be a 'long', %lu is no longer correct.

  Follow-up to 57d2d9b6bed33d
  Detected by Coverity CID 1517663

  Closes #10100

- ssl-reqd.d: clarify that this is for upgrading connections only

  Closes #10093

- curl_url_set.3: document CURLU_DISALLOW_USER

  Closes #10099

- cmake: set the soname on the shared library

  Set SONAME and VERSION for platforms we think this works on. Remove
  issue from KNOWN_BUGS.

  Assisted-by: Jakub Zakrzewski

  Closes #10023

- tool_paramhlp: free the proto strings on exit

  And also make sure that repeated use of the options free the previous
  string before it stores a new.

  Follow-up from e6f8445edef8e7996d

  Closes #10098

- tool_cfgable: free the ssl_ec_curves on exit

  Follow-up to ede125b7b

  Closes #10097

- urlapi: reject more bad letters from the host name: &+()

  Follow-up from eb0167ff7d31d3a5

  Extend test 1560 to verify

  Closes #10096

- altsvc: fix rejection of negative port numbers

  Follow-up to ac612dfeee95

  strtoul() accepts a leading minus so better make sure there is none

  Extended test 356 somewhat to use a huge negative 64 bit number that
  otherwise becomes a low positive number.

  Closes #10095

- lib: use size_t or int etc instead of longs

  Since long is not using a consistent data size in curl builds, making it
  often "waste" 32 bits.

  Closes #10088

- azure: use "unversioned" clang and clang-tools for scanbuild job

  To make it less fragile

  Closes #10092

Daniel Gustafsson (14 Dec 2022)

- x509asn1: avoid freeing unallocated pointers

  When utf8asn1str fails there is no allocation returned, so freeing
  the return pointer in **to is at best a no-op and at worst a double-
  free bug waiting to happen. The current coding isn't hiding any such
  bugs but to future proof, avoid freeing the return value pointer iff
  the function failed.

  Closes: #10087
  Reviewed-by: Daniel Stenberg <daniel@haxx.se>

Emil Engler (13 Dec 2022)

- curl_url_set.3: fix typo

  Closes: #10089
  Reviewed-by: Daniel Gustafsson <daniel@yesql.se>

Daniel Stenberg (13 Dec 2022)

- test2304: verify websocket handling when connection is closed

- server/sws: if asked to close connection, skip the websocket handling

- ws: if no connection is around, return error

  - curl_ws_send returns CURLE_SEND_ERROR if data->conn is gone

  - curl_ws_recv returns CURLE_GOT_NOTHING on connection close

  - curl_ws_recv.3: mention new return code for connection close + example
    embryo

  Closes #10084

Emil Engler (13 Dec 2022)

- docs: extend the dump-header documentation

  This commit extends the documentation of the --dump-header command-line
  option to reflect the behavior introduced in 8b1e5df7.

  See #10079
  Closes #10085

Daniel Stenberg (12 Dec 2022)

- RELEASE-NOTES: synced

- styled-output.d: this option does not work on Windows

  Reported-by: u20221022 on github

  Fixes #10082
  Closes #10083

Emil Engler (12 Dec 2022)

- tool: determine the correct fopen option for -D

  This commit fixes a bug in the dump-header feature regarding the
  determination of the second fopen(3) option.

  Reported-by: u20221022 on github

  See #4753
  See #4762
  Fixes #10074
  Closes #10079

Christian Schmitz (11 Dec 2022)

- docs/curl_ws_send: Fixed typo in websocket docs

  Replace as with is in relevant sentences.

  Closes: #10081
  Reviewed-by: Daniel Gustafsson <daniel@yesql.se>

Prithvi MK (11 Dec 2022)

- c-hyper: fix multi-request mechanism

  It makes test 565 run fine.

  Fixes #8896
  Closes #10080
  Assisted-by: Daniel Stenberg

Andy Alt (11 Dec 2022)

- page-header: grammar improvement (display transfer rate)

  Closes #10068

- docs/DEPRECATE.md: grammar improvement and sp correction

  The main thing I wanted to do was fix the spelling of "spent", but I
  think this rewording improves the flow of the paragraph.

  Closes #10067

Boris Verkhovskiy (11 Dec 2022)

- tool_cfgable: make socks5_gssapi_nec a boolean

  Closes #10078

Frank Gevaerts (9 Dec 2022)

- contributors.sh: actually use $CURLWWW instead of just setting it.

  The script was all set up for flexibility where curl-www is elsewhere in
  the filesystem, but then hard-coded ../curl-www anyway...

  Closes #10064

Daniel Stenberg (9 Dec 2022)

- KNOWN_BUGS: remove items not considered bugs any more

  - CURL_GLOBAL_SSL

  This option was changed in libcurl 7.57.0 and clearly it has not caused
  too many issues and a lot of time has passed.

  - Store TLS context per transfer instead of per connection

  This is a possible future optimization. One that is much less important
  and interesting since the added support for CA caching.

  - Microsoft telnet server

  This bug was filed in May 2007 against curl 7.16.1 and we have not
  received further reports.

  - active FTP over a SOCKS

  Actually, proxies in general is not working with active FTP mode. This
  is now added in proxy documentation.

  - DICT responses show the underlying protocol

  curl still does this, but since this is now an established behavior
  since forever we cannot change it easily and adding an option for it
  seems crazy as this protocol is not so little its not worth it. Let's
  just live with it.

  - Secure Transport disabling hostname validation also disables SNI

  This is an already documented restriction in Secure Transport.

  - CURLOPT_SEEKFUNCTION not called with CURLFORM_STREAM

  The curl_formadd() function is marked and documented as deprecated. No
  point in collecting bugs for it. It should not be used further.

  - STARTTRANSFER time is wrong for HTTP POSTs

  After close source code inspection I cannot see how this is true or that
  there is any special treatment for different HTTP methods. We also have
  not received many further reports on this, making me strongly suspect
  that this is no (longer an) issue.

  - multipart formposts file name encoding

  The once proposed RFC 5987-encoding is since RFC 7578 documented as MUST
  NOT be used. The since then implemented MIME API allows the user to set
  the name on their own and can thus provide it encoded as it wants.

  - DoH is not used for all name resolves when enabled

  It is questionable if users actually want to use DoH for interface and
  FTP port name resolving. This restriction is now documented and we
  advice users against using name resolving at all for these functions.

  Closes #10043

- CURLOPT_COOKIEFILE.3: advice => advise

  Closes #10063

  Reviewed-by: Daniel Gustafsson

Daniel Gustafsson (9 Dec 2022)

- curl.h: reword comment to not use deprecated option

  CURLOPT_INFILE was replaced by CURLOPT_READDATA in 7.9.7,  reword the
  comment mentioning it to make code grepping easier as well as improve
  the documentation.

  Closes: #10062
  Reviewed-by: Daniel Stenberg <daniel@haxx.se>

Ryan Schmidt (9 Dec 2022)

- system.h: fix socklen_t, curl_off_t, long long for Classic Mac OS

  Change "__MWERKS__" to "macintosh". When this block was originally added
  in 3ac6929 it was probably intended to handle classic Mac OS since the
  previous classic Mac OS build procedure for curl (which was removed in
  bf327a9) used Metrowerks CodeWarrior.

  But there are other classic Mac OS compilers, such as the MPW compilers,
  that were not handled by this case. For classic Mac OS,
  CURL_TYPEOF_CURL_SOCKLEN_T needs to match what's provided by the
  third-party GUSI library, which does not vary by compiler.

  Meanwhile CodeWarrior works on platforms other than classic Mac OS, and
  they may need different definitions. Separate blocks could be added
  later for any of those platforms that curl doesn't already support.

  Closes #10049

- vms: remove SIZEOF_SHORT

  The rest of SIZEOF_SHORT was removed in d48dd15.

  See #9291
  Closes #10061

Daniel Gustafsson (8 Dec 2022)

- tool_formparse: avoid clobbering on function params

  While perfectly legal to do, clobbering function parameters and using
  them as local variables is confusing at best and rarely improves code
  readability.  Fix by using a local variable instead, no functionality
  is changed.

  This also renames the parameter from data to mime_data since the term
  data is (soft) reserved for the easy handle struct.

  Closes: #10046
  Reviewed-by: Daniel Stenberg <daniel@haxx.se>

- noproxy: guard against empty hostnames in noproxy check

  When checking for a noproxy setting we need to ensure that we get
  a hostname passed in. If there is no hostname then there cannot be
  a matching noproxy rule for it by definition.

  Closes: #10057
  Reported-by: Geeknik Labs
  Reviewed-by: Daniel Stenberg <daniel@haxx.se>

Daniel Stenberg (8 Dec 2022)

- c-hyper: CONNECT respones are not server responses

  Together with d31915a8dbbd it makes test 265 run fine.

  Fixes #8853
  Assisted-by: Prithvi MK
  Assisted-by: Sean McArthur
  Closes #10060

- test265: Use "connection: keep-alive" response header

  When it answers as HTTP/1.0, so that clients (hyper) knows properly that
  the connection remains intact.

- RELEASE-NOTES: synced

Stefan Eissing (8 Dec 2022)

- cfilter: improve SSL connection checks

  - fixes `Curl_ssl_cf_get_ssl()` to detect also the first filter instance
    as ssl (refs #10053)

  - replaces `Curl_ssl_use()` with the correct `Curl_conn_is_ssl()`

  Closes #10054
  Fixes #10053

  Reported-by: Patrick Monnerat

Daniel Stenberg (8 Dec 2022)

- runtests: silence nghttpx errors

  Also, move the output of the nghttpx_h3 info to the general "Env:" line
  in the test output header.

  Reported-by: Marcel Raad
  Ref: https://github.com/curl/curl/commit/ca15b7512e8d1199e55fbaa206ef01e64b8f
  147d#commitcomment-92015094
  Closes #10044

Ryan Schmidt (7 Dec 2022)

- config-mac: define HAVE_SYS_IOCTL_H

  This is needed to compile nonblock.c on classic Mac OS with Grand
  Unified Socket Interface (GUSI) because nonblock.c uses FIONBIO which is
  defined in <sys/filio.h> which is included by <sys/ioctl.h>.

  Ref: https://sourceforge.net/projects/gusi/

  Closes https://github.com/curl/curl/pull/10042

Philip Heiduck (7 Dec 2022)

- CI: Change FreeBSD image from 12.3 to 12.4

  Ref: https://www.phoronix.com/news/FreeBSD-12.4-Released

  Closes https://github.com/curl/curl/pull/10051

Ryan Schmidt (7 Dec 2022)

- test1421: fix typo

  Closes https://github.com/curl/curl/pull/10055

Jay Satiro (7 Dec 2022)

- build: assume errno.h is always available

  - Remove errno.h detection from all build configurations.

  errno.h is a standard header according to C89.

  Closes https://github.com/curl/curl/pull/9986

- build: assume assert.h is always available

  - Remove assert.h detection from all build configurations.

  assert.h is a standard header according to C89.

  I had proposed this several years ago as part of a larger change that
  was abandoned.

  Ref: https://github.com/curl/curl/issues/1237#issuecomment-277500720

  Closes https://github.com/curl/curl/pull/9985

Philip Heiduck (7 Dec 2022)

- CI: LGTM.com will be shut down in December 2022

  Closes #10052

Daniel Stenberg (6 Dec 2022)

- mailmap: Andy Alt

Andy Alt (6 Dec 2022)

- misc: Fix incorrect spelling

  Fix various uses of connnect by replacing them with connect.

  Closes: #10045
  Reviewed-by: Daniel Stenberg <daniel@haxx.se>
  Reviewed-by: Daniel Gustafsson <daniel@yesql.se>

Stefan Eissing (6 Dec 2022)

- wolfssl: remove special BIO return code handling

  - rely solely on the retry flag in BIO, similar to OpenSSL vtls
    implementation.

  Ref: https://github.com/curl/curl/pull/10021#issuecomment-1336147053

  Closes #10033

Daniel Stenberg (6 Dec 2022)

- openssl: return -1 on error in the BIO callbacks

  BIO_read and BIO_write return negative numbers on error, including
  retryable ones. A regression from 55807e6. Both branches should be
  returning -1.

  The APIs are patterned after POSIX read and write which, similarly,
  return -1 on errors, not zero, with EAGAIN treated as an error.

  Bug: https://github.com/curl/curl/issues/10013#issuecomment-1335308146
  Reported-by: David Benjamin
  Closes #10021

Ryan Schmidt (6 Dec 2022)

- config-mac: remove HAVE_SYS_SELECT_H

  When compiling for classic Mac OS with GUSI, there is no sys/select.h.
  GUSI provides the "select" function prototype in sys/time.h.

  Closes #10039

- setup: do not require __MRC__ defined for Mac OS 9 builds

  Partially reverts "somewhat protect Mac OS X users from using Mac OS 9
  config file", commit 62519bfe059251af2914199f284c736553ff0489.

  Do things that are specific to classic Mac OS (i.e. include config-mac.h
  in curl_setup.h and rename "main" to "curl_main" in tool_setup.h) when
  only "macintosh" is defined. Remove the additional condition that
  "__MRC__" should be defined since that would only be true with the MPW
  MrC compiler which prevents the use of other reasonable compilers like
  the MPW SC compiler and especially the Metrowerks CodeWarrior compilers.
  "macintosh" is only defined by classic Mac OS compilers so this change
  should not affect users of Mac OS X / OS X / macOS / any other OS.

  Closes #10037

- curl.h: name all public function parameters

  Most public function parameters already have names; this adds those
  that were missing.

  Closes #10036

Andy Alt (6 Dec 2022)

- docs/examples: spell correction ('Retrieve')

  Closes #10040

Daniel Stenberg (6 Dec 2022)

- unit1302: slightly extended

  To test more base64 decoding

- base64: faster base64 decoding

  - by using a lookup table instead of strchr()
  - by doing full quantums first, then padding

  Closes #10032

Michael Musset (6 Dec 2022)

- libssh2: return error when ssh_hostkeyfunc returns error

  return CURLE_PEER_FAILED_VERIFICATION if verification with the callback
  return a result different than CURLKHMATCH_OK

  Closes #10034

Viktor Szakats (5 Dec 2022)

- Makefile.mk: improve a GNU Make hack [ci skip]

  Replace the hack of using `$() ` to represent a single space. The new
  method silences the `--warn-undefined-variables` debug warning and it's
  also a better-known form of solving this problem.

  Reviewed-by: Jay Satiro
  Closes #10031

Daniel Stenberg (5 Dec 2022)

- tests/unit/.gitignore: ignore all unit + 4 digits files

- base64: encode without using snprintf

  For speed. In some tests, this approch is 29 times faster!

  Closes #10026

- base64: better alloc size

  The previous algorithm allocated more bytes than necessary.

  Suggested-by: xtonik on github
  Fixes #10024
  Closes #10025

Ryan Schmidt (5 Dec 2022)

- config-mac: fix typo: size_T -> size_t

  Both MPW and CodeWarrior compilers complained about this.

  Closes #10029

Daniel Stenberg (3 Dec 2022)

- RELEASE-NOTES: synced

Jakub Zakrzewski (2 Dec 2022)

- CMake: fix build with `CURL_USE_GSSAPI`

  CMAKE_*_LINKER_FLAGS must be a string but GSS_LINKER_FLAGS is a list, so
  we need to replace semicolons with spaces when setting those.

  Fixes #9017
  Closes #1022

Max Dymond (2 Dec 2022)

- ci: Reuse fuzzing snippet from curl-fuzzer project

Diogo Teles Sant'Anna (2 Dec 2022)

- GHA: clarify workflows permissions, set least possible privilege

  Set top-level permissions to None on all workflows, setting per-job
  permissions. This avoids that new jobs inherit unwanted permissions.

  Discussion: https://curl.se/mail/lib-2022-11/0028.html

  Signed-off-by: Diogo Teles Sant'Anna <diogoteles@google.com>

  Closes #9928

Viktor Szakats (2 Dec 2022)

- Makefile.mk: address minor issues

  - Fix `NROFF` auto-detection with certain shell/make-build combinations:

    When a non-MSYS2 GNU Make runs inside an MSYS2 shell, Make executes
    the detection command as-is via `CreateProcess()`. It fails because
    `command` is an `sh` built-in. Ensure to explicitly invoke the shell.

  - Initialize user-customizable variables:

    Silences a list of warnings when running GNU Make with the option
    `--warn-undefined-variables`. Another benefit is that it's now easy
    to look up all user-customizable `Makefile.mk` variables by grepping
    for ` ?=` in the curl source tree.

    Suggested-by: Gisle Vanem
    Ref: https://github.com/curl/curl/pull/9764#issuecomment-1330674433

  - Fix `MKDIR` invocation:

    Avoid a warning and potential issue in envs without forward-slash
    support.

  Closes #10000

Rob de Wit (2 Dec 2022)

- curl_get_line: allow last line without newline char

  improve backwards compatibility

  Test 3200 verifies

  Closes #9973

Daniel Stenberg (2 Dec 2022)

- cookie: open cookie jar as a binary file

  On Windows there is a difference and for text files, ^Z means end of
  file which is not desirable.

  Ref: #9973
  Closes #10017

- runtests: only do CRLF replacements for hyper if it is HTTP

  Closes #10016

Stefan Eissing (1 Dec 2022)

- openssl: fix for BoringSSL BIO result interpretation mixups

  Reported-by: Robin Marx
  Fixes #10013
  Closes #10015

Max Dymond (1 Dec 2022)

- ci: Remove zuul fuzzing job as it's superseded by CIFuzz

Daniel Stenberg (1 Dec 2022)

- runtests: do CRLF replacements per section only

  The `crlf="yes"` attribute and "hyper mode" are now only applied on a
  subset of dedicated sections: data, datacheck, stdout and protocol.

  Updated test 2500 accordingly.

  Also made test1 use crlf="yes" for <protocol>, mostly because it is
  often used as a template test case. Going forward, using this attribute
  we should be able to write test cases using linefeeds only and avoid
  mixed line ending encodings.

  Follow-up to ca15b7512e8d11

  Fixes #10009
  Closes #10010

Stefan Eissing (1 Dec 2022)

- gnutls: use common gnutls init and verify code for ngtcp2

  Closes #10007

Baitinq on github (1 Dec 2022)

- aws_sigv4: fix typos in aws_sigv4.c

  Closes #10008

Kenneth Myhra (30 Nov 2022)

- curl.h: include <sys/select.h> on SerenityOS

  Closes #10006

Daniel Stenberg (30 Nov 2022)

- openssl: prefix errors with '[lib]/[version]: '

  To help users understand where this (cryptic) error message comes from.

  Suggested-by: Philip Sanetra
  Ref: #10002
  Closes #10004

Stefan Eissing (30 Nov 2022)

- tests: add HTTP/3 test case, custom location for proper nghttpx

  - adding support for HTTP/3 test cases via a nghttpx server that is
    build with ngtcp2 and nghttp3.
  - test2500 is the first test case, performing a simple GET.
  - nghttpx is checked for support and the 'feature' nghttpx-h3
    is set accordingly. test2500 will only run, when supported.
  - a specific nghttpx location can be given in the environment
    variable NGHTTPX or via the configure option
      --with-test-nghttpx=<path>

  Extend NGHTTPX config to H2 tests as well

  * use $ENV{NGHTTPX} and the configured default also in http2 server starts
  * always provide the empty test/nghttpx.conf to nghttpx. as it defaults to
    reading /etc/nghttpx/nghttpx.conf otherwise.

  Added nghttpx to CI ngtcp2 jobs to run h3 tests.

  Closes #9031

Daniel Stenberg (30 Nov 2022)

- RELEASE-NOTES: synced

  Removed duplicate after contributors.sh fix: 9967c10b6daa1

- scripts/contributors.sh: strip one OR MORE leading spaces

  From names found credited in commit logs

- RELEASE-NOTES: synced

- openssl/mbedtls: use %d for outputing port with failf (int)

  Coverity CID 1517100

  Also, remove some int typecasts in vtls.c for the port number

  Closes #10001

- KNOWN_BUGS: remove "Multi perform hangs waiting for threaded resolver"

  We now offer a way to avoid that hang, using CURLOPT_QUICK_EXIT.

  Follow-up to 49798cac832ab1 fixed via #9147

  Closes #9999

- KNOWN_BUGS: remove "--interface for ipv6 binds to unusable IP address"

  Since years back the "if2ip" function verifies that it binds to a local IPv6
  address that uses the same scope as the remote address.

  This is not a bug.

  Fixes #686
  Closes #9998

- test1276: verify lib/optiontable.pl

  Checks that it generates an output identical to the file.

- lib/optiontable.pl: adapt to CURLOPTDEPRECATED()

  Follow-up from 6967571bf20624bc

  Reported-by: Gisle Vanem

  Fixes #9992
  Closes #9993

- docs/INSTALL.md: list OSes and CPUs quoted

  to make them skip spellcheck. Also added a new CPU.

  Follow-up to 4506cbf7f24a2a

  Closes #9997

Ikko Ashimine (28 Nov 2022)

- vtls: fix typo in vtls_int.h

  paramter -> parameter

  Closes: #9996
  Reviewed-by: Daniel Gustafsson <daniel@yesql.se>

Daniel Stenberg (28 Nov 2022)

- curl-openssl.m4: do not add $prefix/include/openssl to CPPFLAGS

  As OpenSSL's include files are all included using <openssl/*.h> in curl
  source code, we just risk that existing openssl files will "shadow"
  include files without path if that path is provided.

  Fixes #9989
  Closes #9988

- INSTALL: update operating systems and CPU archs

  Update after recent runs on Twitter/Mastodon and my blog

  Closes #9994

Stefan Eissing (28 Nov 2022)

- tls: backends use connection filters for IO, enabling HTTPS-proxy

   - OpenSSL (and compatible)
   - BearSSL
   - gnutls
   - mbedtls
   - rustls
   - schannel
   - secure-transport
   - wolfSSL (v5.0.0 and newer)

   This leaves only the following without HTTPS-proxy support:
   - gskit
   - nss
   - wolfSSL (versions earlier than v5.0.0)

  Closes #9962

Daniel Stenberg (28 Nov 2022)

- include/curl/curl.h: bump the deprecated requirements to gcc 6.1

  Reported-by: Michael Kaufmann
  Fixes #9917
  Closes #9987

Patrick Monnerat (28 Nov 2022)

- mime: relax easy/mime structures binding

  Deprecation and removal of codeset conversion support from the library
  have released the strict need for an early binding of mime structures to
  an easy handle (https://github.com/curl/curl/commit/2610142).

  This constraint currently forces to create the handle before the mime
  structure and the latter cannot be attached to another handle once
  created (see https://curl.se/mail/lib-2022-08/0027.html).

  This commit removes the handle pointers from the mime structures
  allowing more flexibility on their use.

  When an easy handle is duplicated, bound mime structures must however
  still be duplicated too as their components hold send-time dynamic
  information.

  Closes #9927

fractal-access (26 Nov 2022)

- test416: verify growing FTP file support

  Added setting: RETRSIZE [size] in the <servercmd> section. When set this
  will cause the test FTP server to return the size set (rather than the
  actual size) in the acknowledgement from a RETR request.

  Closes #9772

- ftp: support growing files with CURLOPT_IGNORE_CONTENT_LENGTH

  When using the option CURLOPT_IGNORE_CONTENT_LENGTH (set.ignorecl in
  code) to support growing files in FTP, the code should ignore the
  initial size it gets from the server as this will not be the final size
  of the file. This is done in ftp_state_quote() to prevent a size request
  being issued in the initial sequence. However, in a later call to
  ftp_state_get_resp() the code attempts to get the size of the content
  again if it doesn't already have it, by parsing the response from the
  RETR request. This fix prevents this parsing of the response to get the
  size when the set.ignorecl option is set. This should maintain the size
  value as -1, unknown, in this situation.

  Closes #9772

Stefan Eissing (26 Nov 2022)

- cfilter: re-add `conn` as parameter to cfilter setup methods

  - `Curl_ssl_get_config()` now returns the first config if no SSL proxy
    filter is active

  - socket filter starts connection only on first invocation of its
    connect method

  Fixes #9982
  Closes #9983

Daniel Stenberg (26 Nov 2022)

- KNOWN_BUGS: remove five FTP related issues

  - "FTP with CONNECT and slow server"

  I believe this is not a problem these days.

  - "FTP with NULs in URL parts"

  The FTP protocol does not support them properly anyway.

  - remove "FTP and empty path parts in the URL"

  I don't think this has ever been reported as a real problem but was only
  a hypothetical one.

  - "Premature transfer end but healthy control channel"

  This is not a bug, this is an optimization that *could* be performed but is
  not an actual problem.

  - "FTP without or slow 220 response"

  Instead add to the documentation of the connect timeout that the
  connection is considered complete at TCP/TLS/QUIC layer.

  Closes #9979

Stefan Eissing (26 Nov 2022)

- tests: add authorityInfoAccess to generated certs

  Generate stunnel.pem as well

  Closes #9980

Daniel Stenberg (25 Nov 2022)

- runtests: --no-debuginfod now disables DEBUGINFOD_URLS

  Prior to this change, DEBUGINFOD_URLS was always disabled by runtests
  due to a report of it slowing down tests. However, some setups need it
  to fetch debug symbols, and if it is disabled on those systems then curl
  tests with valgrind will fail.

  Reported-by: Mark Gaiser

  Ref: #8805
  Closes #9950

Casey Bodley (25 Nov 2022)

- test/aws_sigv4: test cases for content-sha256

  1956 adds the sha256 value corresponding to an empty buffer
  1957 adds an arbitrary value and confirms that the signature differs from 195
  6
  1958 adds whitespace to 1957 and confirms that the signature matches 1957
  1959 adds a value longer than 'char sha_hex[65]' in Curl_output_aws_sigv4()

  Signed-off-by: Casey Bodley <cbodley@redhat.com>

  Closes #9804

- aws_sigv4: consult x-%s-content-sha256 for payload hash

  `Curl_output_aws_sigv4()` doesn't always have the whole payload in
  memory to generate a real payload hash. this commit allows the user to
  pass in a header like `x-amz-content-sha256` to provide their desired
  payload hash

  some services like s3 require this header, and may support other values
  like s3's `UNSIGNED-PAYLOAD` and `STREAMING-AWS4-HMAC-SHA256-PAYLOAD`
  with special semantics. servers use this header's value as the payload
  hash during signature validation, so it must match what the client uses
  to generate the signature

  CURLOPT_AWS_SIGV4.3 now describes the content-sha256 interaction

  Signed-off-by: Casey Bodley <cbodley@redhat.com>

  Closes #9804

Philip Heiduck (25 Nov 2022)

- GHA: NSS use clang instead of clang-9

  Closes #9978

Daniel Stenberg (25 Nov 2022)

- RELEASE-NOTES: synced

- tool_operate: override the numeric locale and set "C" by force

  Makes curl always use dot as decimal separator for options,
  independently of what the locale says. Makes scripts and command lines
  portable.

  Updated docs accordingly.

  Reported-by: Daniel Faust

  Fixes #9969
  Closes #9972

- test1662: verify formpost, 301 redirect, no rewind possible

  Reproduces #9735 and verifies the subsequent fix. The original issue
  uses a pipe that cannot be rewound, but this test case instead sets a
  callback without rewind ability to get roughly the same properties but
  being a much more portable test.

- lib: rewind BEFORE request instead of AFTER previous

  This makes a big difference for cases when the rewind is not actually
  necessary to perofm (for example HTTP response code 301 converts to GET)
  and therefore the rewind can be avoided. In particular for situations
  when that rewind fails, for example when reading from a pipe or similar.

  Reported-by: Ali Utku Selen

  Fixes #9735
  Closes #9958

- vtls: repair build with disabled proxy

  Closes #9974

Daniel Gustafsson (23 Nov 2022)

- packaging: remove traces of deleted files

  Commit a8861b6cc removed packages/DOS but left a few traces of it
  which broke the distcheck CI. Remove all traces.

  Closes: #9971
  Reviewed-by: Daniel Stenberg <daniel@haxx.se>

- openssl: silence compiler warning when not using IPv6

  In non-IPv6 builds the conn parameter is unused, and compilers which
  run with "-Werror=unused-parameter" (or similar) warnings turned on
  fails to build. Below is an excerpt from a CI job:

    vtls/openssl.c: In function ‘Curl_ossl_verifyhost’:
    vtls/openssl.c:2016:75: error: unused parameter ‘conn’ [-Werror=unused-
  parameter]
     2016 | CURLcode Curl_ossl_verifyhost(struct Curl_easy *data, struct connec
  tdata *conn,
          |                                                       ~~~~~~~~~~~~~
  ~~~~~~~^~~~

  Closes: #9970
  Reviewed-by: Daniel Stenberg <daniel@haxx.se>

- netware: remove leftover traces

  Commit 3b16575ae938dec2a29454631a12aa52b6ab9c67 removed support for
  building on Novell Netware, but a few leftover traces remained. This
  removes the last bits.

  Closes: #9966
  Reviewed-by: Daniel Stenberg <daniel@haxx.se>

Ryan Schmidt (23 Nov 2022)

- curl_endian: remove Curl_write64_le from header

  The actual function was already removed in 4331c6dc.

  See #7280
  Closes #9968

Daniel Stenberg (22 Nov 2022)

- docs: add more "SEE ALSO" links to CA related pages

  Closes #9959

- examples: update descriptions

  Make them not say "this is an example showing..." and instead just say
  what the example shows.

  Closes #9960

Stefan Eissing (22 Nov 2022)

- vtls: localization of state data in filters

   - almost all backend calls pass the Curl_cfilter intance instead of
     connectdata+sockindex
   - ssl_connect_data is remove from struct connectdata and made internal
     to vtls
   - ssl_connect_data is allocated in the added filter, kept at cf->ctx

   - added function to let a ssl filter access its ssl_primary_config and
     ssl_config_data this selects the propert subfields in conn and data,
     for filters added as plain or proxy
   - adjusted all backends to use the changed api
   - adjusted all backends to access config data via the exposed
     functions, no longer using conn or data directly

  cfilter renames for clear purpose:

   - methods `Curl_conn_*(data, conn, sockindex)` work on the complete
     filter chain at `sockindex` and connection `conn`.
   - methods `Curl_cf_*(cf, ...)` work on a specific Curl_cfilter
     instance.
   - methods `Curl_conn_cf()` work on/with filter instances at a
     connection.
   - rebased and resolved some naming conflicts
   - hostname validation (und session lookup) on SECONDARY use the same
     name as on FIRST (again).

  new debug macros and removing connectdata from function signatures where not
  needed.

  adapting schannel for new Curl_read_plain paramter.

  Closes #9919

Daniel Stenberg (22 Nov 2022)

- examples/10-at-a-time: fix possible skipped final transfers

  Prior to this change if curl_multi_perform returned 0 running handles
  and then all remaining transfers were added, then the perform loop would
  end immediately without performing those transfers.

  Reported-by: Mikhail Kuznetsov

  Fixes https://github.com/curl/curl/issues/9953
  Closes https://github.com/curl/curl/pull/9954

Viktor Szakats (22 Nov 2022)

- Makefile.mk: portable Makefile.m32

  Update bare GNU Make `Makefile.m32` to:

  - Move objects into a subdirectory.
  - Add support for MS-DOS. Tested with DJGPP.
  - Add support for Watt-32 (on MS-DOS).
  - Add support for AmigaOS.
  - Rename `Makefile.m32` to `Makefile.mk`
  - Replace `ARCH` with `TRIPLET`.
  - Build `tool_hugehelp.c` proper (when tools are available).
  - Drop MS-DOS compatibility macro `USE_ZLIB` (replaced by `HAVE_LIBZ`)
  - Add support for `ZLIB_LIBS` to override `-lz`.
  - Omit object files when building examples.
  - Default `CC` to `gcc` once again, for convenience. (Caveat: compiler
    name `cc` cannot be set now.)
  - Set `-DCURL_NO_OLDIES` for examples, like autotools does.
  - Delete `makefile.dj` files. Notice the configuration details and
    defaults are not retained with the new method.
  - Delete `makefile.amiga` files. A successful build needs a few custom
    options. We're also not retaining all build details from the existing
    Amiga make files.
  - Rename `Makefile.m32` to `Makefile.mk` to reflect that they are not
    Windows/MinGW32-specific anymore.
  - Add support for new `CFG` options: `-map`, `-debug`, `-trackmem`
  - Set `-DNDEBUG` by default.
  - Allow using `-DOS=...` in all `lib/config-*.h` headers, syncing this
    with `config-win32.h`.
  - Look for zlib parts in `ZLIB_PATH/include` and `ZLIB_PATH/lib`
    instead of bare `ZLIB_PATH`.

  Note that existing build configurations for MS-DOS and AmigaOS likely
  become incompatible with this change.

  Example AmigaOS configuration:
  ```
  export CROSSPREFIX=/opt/amiga/bin/m68k-amigaos-
  export CC=gcc
  export CPPFLAGS='-DHAVE_PROTO_BSDSOCKET_H'
  export CFLAGS='-mcrt=clib2'
  export LDFLAGS="${CFLAGS}"
  export LIBS='-lnet -lm'
  make -C lib -f Makefile.mk
  make -C src -f Makefile.mk
  ```

  Example MS-DOS configuration:
  ```
  export CROSSPREFIX=/opt/djgpp/bin/i586-pc-msdosdjgpp-
  export WATT_PATH=/opt/djgpp/net/watt
  export ZLIB_PATH=/opt/djgpp
  export OPENSSL_PATH=/opt/djgpp
  export OPENSSL_LIBS='-lssl -lcrypt'
  export CFG=-zlib-ssl
  make -C lib -f Makefile.mk
  make -C src -f Makefile.mk
  ```

  Closes #9764

Stefan Eissing (22 Nov 2022)

- cfiler: filter types have flags indicating what they do

  - Adding Curl_conn_is_ip_connected() to check if network connectivity
    has been reached

  - having ftp wait for network connectivity before proceeding with
    transfers.

  Fixes test failures 1631 and 1632 with hyper.

  Closes #9952

Daniel Stenberg (21 Nov 2022)

- RELEASE-NOTES: synced

Jay Satiro (20 Nov 2022)

- sendf: change Curl_read_plain to wrap Curl_recv_plain (take 2)

  Prior to this change Curl_read_plain would attempt to read the
  socket directly. On Windows that's a problem because recv data may be
  cached by libcurl and that data is only drained using Curl_recv_plain.

  Rather than rewrite Curl_read_plain to handle cached recv data, I
  changed it to wrap Curl_recv_plain, in much the same way that
  Curl_write_plain already wraps Curl_send_plain.

  Curl_read_plain -> Curl_recv_plain
  Curl_write_plain -> Curl_send_plain

  This fixes a bug in the schannel backend where decryption of arbitrary
  TLS records fails because cached recv data is never drained. We send
  data (TLS records formed by Schannel) using Curl_write_plain, which
  calls Curl_send_plain, and that may do a recv-before-send
  ("pre-receive") to cache received data. The code calls Curl_read_plain
  to read data (TLS records from the server), which prior to this change
  did not call Curl_recv_plain and therefore cached recv data wasn't
  retrieved, resulting in malformed TLS records and decryption failure
  (SEC_E_DECRYPT_FAILURE).

  The bug has only been observed during Schannel TLS 1.3 handshakes. Refer
  to the issue and PR for more information.

  --

  This is take 2 of the original fix. It preserves the original behavior
  of Curl_read_plain to write 0 to the bytes read parameter on error,
  since apparently some callers expect that (SOCKS tests were hanging).
  The original fix which landed in 12e1def5 and was later reverted in
  18383fbf failed to work properly because it did not do that.

  Also, it changes Curl_write_plain the same way to complement
  Curl_read_plain, and it changes Curl_send_plain to return -1 instead of
  0 on CURLE_AGAIN to complement Curl_recv_plain.

  Behavior on error with these changes:

  Curl_recv_plain returns -1 and *code receives error code.
  Curl_send_plain returns -1 and *code receives error code.
  Curl_read_plain returns error code and *n (bytes read) receives 0.
  Curl_write_plain returns error code and *written receives 0.

  --

  Ref: https://github.com/curl/curl/issues/9431#issuecomment-1312420361

  Assisted-by: Joel Depooter
  Reported-by: Egor Pugin

  Fixes https://github.com/curl/curl/issues/9431
  Closes https://github.com/curl/curl/pull/9949

Sean McArthur (19 Nov 2022)

- hyper: classify headers as CONNECT and 1XX

  Closes #9947

Stefan Eissing (19 Nov 2022)

- ftp: fix "AUTH TLS" on primary conn and for SSL in PASV second conn

  Follow-up to dafdb20a26d0c89

  Reported-by: Anthony Hu
  Closes #9948

Jay Satiro (19 Nov 2022)

- CURLOPT_POST.3: Explain setting to 0 changes request type

  Bug: https://github.com/curl/curl/issues/9849
  Reported-by:  MonkeybreadSoftware@users.noreply.github.com

  Closes https://github.com/curl/curl/pull/9942

Daniel Stenberg (19 Nov 2022)

- docs/INSTALL.md: expand on static builds

  Remove from KNOWN_BUGS

  Closes #9944

Stefan Eissing (19 Nov 2022)

- http: restore h3 to working condition after connection filter introduction

  Follow-up to dafdb20a26d0c

  HTTP/3 needs a special filter chain, since it does the TLS handling
  itself. This PR adds special setup handling in the HTTP protocol handler
  that takes are of it.

  When a handler, in its setup method, installs filters, the default
  behaviour for managing the filter chain is overridden.

  Reported-by: Karthikdasari0423 on github

  Fixes #9931
  Closes #9945

Daniel Stenberg (18 Nov 2022)

- urldata: change port num storage to int and unsigned short

  Instead of long.

  Closes #9946

- Revert "sendf: change Curl_read_plain to wrap Curl_recv_plain"

  This reverts commit 12e1def51a75392df62e65490416007d7e68dab9.

  It introduced SOCKS proxy fails, like test 700 never ending.

  Reopens #9431

- HTTP-COOKIES.md: update the 6265bis link to draft-11

  Closes #9940

- docs/WEBSOCKET.md: explain the URL use

  Fixes #9936
  Closes #9941

Jay Satiro (18 Nov 2022)

- sendf: change Curl_read_plain to wrap Curl_recv_plain

  Prior to this change Curl_read_plain would attempt to read the
  socket directly. On Windows that's a problem because recv data may be
  cached by libcurl and that data is only drained using Curl_recv_plain.

  Rather than rewrite Curl_read_plain to handle cached recv data, I
  changed it to wrap Curl_recv_plain, in much the same way that
  Curl_write_plain already wraps Curl_send_plain.

  Curl_read_plain -> Curl_recv_plain
  Curl_write_plain -> Curl_send_plain

  This fixes a bug in the schannel backend where decryption of arbitrary
  TLS records fails because cached recv data is never drained. We send
  data (TLS records formed by Schannel) using Curl_write_plain, which
  calls Curl_send_plain, and that may do a recv-before-send
  ("pre-receive") to cache received data. The code calls Curl_read_plain
  to read data (TLS records from the server), which prior to this change
  did not call Curl_recv_plain and therefore cached recv data wasn't
  retrieved, resulting in malformed TLS records and decryption failure
  (SEC_E_DECRYPT_FAILURE).

  The bug has only been observed during Schannel TLS 1.3 handshakes. Refer
  to the issue and PR for more information.

  Ref: https://github.com/curl/curl/issues/9431#issuecomment-1312420361

  Assisted-by: Joel Depooter
  Reported-by: Egor Pugin

  Fixes https://github.com/curl/curl/issues/9431
  Closes https://github.com/curl/curl/pull/9904

- test3026: reduce runtime in legacy mingw builds

  - Load Windows system libraries secur32 and iphlpapi beforehand, so
    that libcurl's repeated global init/cleanup only increases/decreases
    the library's refcount rather than causing it to load/unload.

  Assisted-by: Marc Hoersken

  Closes https://github.com/curl/curl/pull/9412

Daniel Stenberg (18 Nov 2022)

- url: move back the IDN conversion of proxy names

  Regression: in commit 53bcf55 we moved the IDN conversion calls to
  happen before the HSTS checks. But the HSTS checks are only done on the
  server host name, not the proxy names. By moving the proxy name IDN
  conversions, we accidentally broke the verbose output showing the proxy
  name.

  This change moves back the IDN conversions for the proxy names to the
  place in the code path they were before 53bcf55.

  Reported-by: Andy Stamp
  Fixes #9937
  Closes #9939

Alexandre Ferrieux (18 Nov 2022)

- CURLOPT_QUICK_EXIT: don't wait for DNS thread on exit

  Fixes #2975
  Closes #9147

Daniel Stenberg (17 Nov 2022)

- HTTP-COOKIES.md: mention that http://localhost is a secure context

  Reported-by: Trail of Bits

  Closes #9938

- lib: parse numbers with fixed known base 10

  ... instead of using 0 argument that allows decimal, hex or octal when
  the number is documented and assumed to use base 10.

  Closes #9933

- RELEASE-NOTES: synced

- scripts/delta: adapt to curl.h changes for the opt counter

- cookie: expire cookies at once when max-age is negative

  Update test 329 to verify

  Reported-by: godmar on github
  Fixes #9930
  Closes #9932

Stefan Eissing (17 Nov 2022)

- proxy: haproxy filter is only available when PROXY and HTTP are

  Closes #9935

Daniel Stenberg (16 Nov 2022)

- OtherTests.cmake: check for cross-compile, not for toolchain

  Build systems like vcpkg alway sets `CMAKE_TOOLCHAIN_FILE` so it should
  not be used as a sign that this is a cross-compile.

  Also indented the function correctly.

  Reported-by: Philip Chan
  Fixes #9921
  Closes #9923

- ntlm: improve comment for encrypt_des

  Reported-by: Andrei Rybak
  Fixes #9903
  Closes #9925

- include/curl/curl.h: bump the deprecated requirements to gcc 5.3

  Reported-by: Stephan Guilloux
  Fixes #9917
  Closes #9918

Stefan Eissing (15 Nov 2022)

- proxy: refactor haproxy protocol handling as connection filter

  Closes #9893

Patrick Monnerat (15 Nov 2022)

- lib: feature deprecation warnings in gcc >= 4.3

  Add a deprecated attribute to functions and enum values that should not
  be used anymore.
  This uses a gcc 4.3 dialect, thus is only available for this version of
  gcc and newer. Note that the _Pragma() keyword is introduced by C99, but
  is available as part of the gcc dialect even when compiling in C89 mode.

  It is still possible to disable deprecation at a calling module compile
  time by defining CURL_DISABLE_DEPRECATION.

  Gcc type checking macros are made aware of possible deprecations.

  Some testing support Perl programs are adapted to the extended
  declaration syntax.

  Several test and unit test C programs intentionally use deprecated
  functions/options and are annotated to not generate a warning.

  New test 1222 checks the deprecation status in doc and header files.

  Closes #9667

Daniel Stenberg (15 Nov 2022)

- log2changes.pl: wrap long lines at 80 columns

  Also, only use author names in the output.

  Fixes #9896
  Reported-by: John Sherrill
  Closes #9897

- cfilters: use %zu for outputting size_t

  Detected by Coverity CID 1516894

  Closes #9907

- Curl_closesocket: avoid using 'conn' if NULL

  ... in debug-only code.

  Reported by Coverity CID 1516896

  Closes #9907

- url: only acknowledge fresh_reuse for non-followed transfers

  ... to make sure NTLM auth sticks to the connection it needs, as
  verified by 2032.

  Follow-up to fa0b9227616e

  Assisted-by: Stefan Eissing
  Closes #9905

- netrc.d: provide mutext info

  Reported-by: xianghongai on github
  Fixes #9899
  Closes #9901

- cmdline-opts/page-footer: remove long option nroff formatting

  As gen.pl adds them

- nroff-scan.pl: detect double highlights

- cmdline-opts/gen.pl: fix the linkifier

  Improved logic for finding existing --options in text and replacing with
  the full version with nroff syntax. This also makes the web version link
  options better.

  Reported-by: xianghongai on github
  Fixes #9899
  Closes #9902

Patrick Monnerat (14 Nov 2022)

- tool: use feature names instead of bit mask, when possible

  If the run-time libcurl is too old to support feature names, the name
  array is created locally from the bit masks. This is the only sequence
  left that uses feature bit masks.

  Closes #9583

- docs: curl_version_info is not thread-safe before libcurl initialization

  Closes #9583

- version: add a feature names array to curl_version_info_data

  Field feature_names contains a null-terminated sorted array of feature
  names. Bitmask field features is deprecated.

  Documentation is updated. Test 1177 and tests/version-scan.pl updated to
  match new documentation format and extended to check feature names too.

  Closes #9583

Stefan Eissing (14 Nov 2022)

- negtelnetserver.py: have it call its close() method

  Closes #9894

Nathan Moinvaziri (13 Nov 2022)

- ntlm: silence ubsan warning about copying from null target_info pointer.

  runtime error: null pointer passed as argument 2, which is declared to
  never be null

  Closes #9898

Daniel Stenberg (12 Nov 2022)

- RELEASE-NOTES: synced

Stefan Eissing (12 Nov 2022)

- Websocket: fixes for partial frames and buffer updates.

  - buffers updated correctly when handling partial frames
  - callbacks no longer invoked for incomplete payload data of 0 length
  - curl_ws_recv no longer returns with 0 length partial payload

  Closes #9890

Daniel Stenberg (12 Nov 2022)

- tool_operate: provide better errmsg for -G with bad URL

  If the URL that -G would try to add a query to could not be parsed, it would
  display

   curl: (27) Out of memory

  It now instead shows:

   curl: (2) Could not parse the URL, failed to set query

  Reported-by: Alex Xu
  Fixes #9889
  Closes #9892

- vtls: fix build without proxy support

  Follow-up to dafdb20a26d0c890

  Closes #9895

- tool_getparam: make --no-get work as the opposite of --get

  ... as documented.

  Closes #9891

- http: mark it 'this_is_a_follow' in the Location: logic

  To make regular auth "reloads" to not count as redirects.

  Verified by test 3101

  Fixes #9885
  Closes #9887

Viktor Szakats (11 Nov 2022)

- config-win32: fix SIZEOF_OFF_T for MSVC and old MinGW

  The previously set default value of 8 (64-bit) is only correct for
  mingw-w64 and only when we set `_FILE_OFFSET_BITS` to 64 (the default
  when building curl). For MSVC, old MinGW and other Windows compilers,
  the correct value is 4 (32-bit). Adjust condition accordingly. Also
  drop the manual override option.

  Regression in 7.86.0 (from 68fa9bf3f5d7b4fcbb57619f70cb4aabb79a51f6)

  Bug: https://github.com/curl/curl/pull/9712#issuecomment-1307330551

  Reported-by: Peter Piekarski
  Reviewed-by: Jay Satiro

  Closes #9872

Daniel Stenberg (11 Nov 2022)

- lib: remove bad set.opt_no_body assignments

  This struct field MUST remain what the application set it to, so that
  handle reuse and handle duplication work.

  Instead, the request state bit 'no_body' is introduced for code flows
  that need to change this in run-time.

  Closes #9888

Stefan Eissing (11 Nov 2022)

- lib: connection filters (cfilter) addition to curl:

   - general construct/destroy in connectdata
   - default implementations of callback functions
   - connect: cfilters for connect and accept
   - socks: cfilter for socks proxying
   - http_proxy: cfilter for http proxy tunneling
   - vtls: cfilters for primary and proxy ssl
   - change in general handling of data/conn
   - Curl_cfilter_setup() sets up filter chain based on data settings,
     if none are installed by the protocol handler setup
   - Curl_cfilter_connect() boot straps filters into `connected` status,
     used by handlers and multi to reach further stages
   - Curl_cfilter_is_connected() to check if a conn is connected,
     e.g. all filters have done their work
   - Curl_cfilter_get_select_socks() gets the sockets and READ/WRITE
     indicators for multi select to work
   - Curl_cfilter_data_pending() asks filters if the have incoming
     data pending for recv
   - Curl_cfilter_recv()/Curl_cfilter_send are the general callbacks
     installed in conn->recv/conn->send for io handling
   - Curl_cfilter_attach_data()/Curl_cfilter_detach_data() inform filters
     and addition/removal of a `data` from their connection
   - adding vtl functions to prevent use of Curl_ssl globals directly
     in other parts of the code.

  Reviewed-by: Daniel Stenberg
  Closes #9855

- curl-rustls.m4: on macOS, rustls also needs the Security framework

  Closes #9883

Daniel Stenberg (10 Nov 2022)

- rtsp: only store first_host once

  Suggested-by: Erik Janssen
  URL: https://github.com/curl/curl/pull/9870#issuecomment-1309499744
  Closes #9882

Fata Nugraha (10 Nov 2022)

- test3028: verify PROXY

- http: do not send PROXY more than once

  Unlike `CONNECT`, currently we don't keep track whether `PROXY` is
  already sent or not. This causes `PROXY` header to be sent twice during
  `MSTATE_TUNNELING` and `MSTATE_PROTOCONNECT`.

  Closes #9878
  Fixes #9442

Jay Satiro (10 Nov 2022)

- lib: add CURL_WRITEFUNC_ERROR to signal write callback error

  Prior to this change if the user wanted to signal an error from their
  write callbacks they would have to use logic to return a value different
  from the number of bytes (nmemb) passed to the callback. Also, the
  inclination of some users has been to just return 0 to signal error,
  which is incorrect as that may be the number of bytes passed to the
  callback.

  To remedy this the user can now return CURL_WRITEFUNC_ERROR instead.

  Ref: https://github.com/curl/curl/issues/9873

  Closes https://github.com/curl/curl/pull/9874

Daniel Stenberg (9 Nov 2022)

- Revert "GHA: add scorecard.yml"

  This reverts commit ca76c79b34f9d90105674a2151bf228ff7b13bef.

- GHA: add scorecard.yml

  add a "scorecard" scanner job

Lorenzo Miniero (9 Nov 2022)

- test3100: RTSP Basic authentication

  Closes #9449

Daniel Stenberg (9 Nov 2022)

- rtsp: fix RTSP auth

  Verified with test 3100

  Fixes #4750
  Closes #9870

- KNOWN_BUGS: remove eight entries

  - 1.2 Multiple methods in a single WWW-Authenticate: header

  This is not considered a bug anymore but a restriction and one that we
  keep because we have NEVER gotten this reported by users in the wild and
  because of this I consider this a fringe edge case we don't need to
  support.

  - 1.6 Unnecessary close when 401 received waiting for 100

  This is not a bug, but possibly an optimization that *can* be done.

  - 1.7 Deflate error after all content was received

  This is not a curl bug. This happens due to broken servers.

  - 2.1 CURLINFO_SSL_VERIFYRESULT has limited support

  This is not a bug. This is just the nature of the implementation.

  - 2.2 DER in keychain

  This is not a bug.

  - 5.7 Visual Studio project gaps

  This is not a bug.

  - 15.14 cmake build is not thread-safe

  Fixed in 109e9730ee5e2b

  - 11.3 Disconnects do not do verbose

  This is not a bug.

  Closes #9871

Hirotaka Tagawa (9 Nov 2022)

- headers: add endif comments

  Closes #9853

Daniel Stenberg (8 Nov 2022)

- test1221: verify --url-query

- curl: add --url-query

  This option adds a piece of data, usually a name + value pair, to the
  end of the URL query part. The syntax is identical to that used for
  --data-urlencode with one extension:

  If the argument starts with a '+' (plus), the rest of the string is
  provided as-is unencoded.

  This allows users to "build" query parts with options and URL encoding
  even when not doing GET requests, which the already provided option -G
  (--get) is limited to.

  This idea was born in a Twitter thread.

  Closes #9691

- maketgz: set the right version in lib/libcurl.plist

  Follow-up to e498a9b1fe5964a18eb2a3a99dc52

  Make sure the tarball gets a version of the libcurl.plist file that is
  updated with the new version string.

  Reported-by: jvreelanda on github
  Fixes #9866
  Closes #9867

- RELEASE-NOTES: synced

  Bumped version to 7.87.0

Michael Drake (8 Nov 2022)

- curl.h: add CURLOPT_CA_CACHE_TIMEOUT option

  Adds a new option to control the maximum time that a cached
  certificate store may be retained for.

  Currently only the OpenSSL backend implements support for
  caching certificate stores.

  Closes #9620

- openssl: reduce CA certificate bundle reparsing by caching

  Closes #9620

Rose (8 Nov 2022)

- lib: fix some type mismatches and remove unneeded typecasts

  Many of these castings are unneeded if we change the variables to work
  better with each other.

  Ref: https://github.com/curl/curl/pull/9823

  Closes https://github.com/curl/curl/pull/9835

Daniel Stenberg (8 Nov 2022)

- cookie: compare cookie prefixes case insensitively

  Adapted to language in rfc6265bis draft-11.

  Closes #9863

  Reviewed-by: Daniel Gustafsson

- tool_operate: when aborting, make sure there is a non-NULL error buffer

  To store custom errors in. Or SIGSEGVs will follow.

  Reported-by: Trail of Bits
  Closes #9865

- WEBSOCKET.md: fix broken link

  Reported-by: Felipe Gasper
  Bug: https://curl.se/mail/lib-2022-10/0097.html
  Closes #9864

- CURLOPT_DEBUGFUNCTION.3: do not assume nul-termination in example

  Reported-by: Oskar Sigvardsson

  Bug: https://curl.se/mail/lib-2022-11/0016.html

  Closes #9862

Stefan Eissing (7 Nov 2022)

- websockets: fix handling of partial frames

  buffer used and send length calculations are fixed when a partial
  websocket frame has been received.

  Closes #9861

Daniel Stenberg (7 Nov 2022)

- mailmap: unify Stefan Eissing

Stefan Eissing (7 Nov 2022)

- hyper: fix handling of hyper_task's when reusing the same address

  Fixes #9840
  Closes #9860

Jay Satiro (7 Nov 2022)

- ws: return CURLE_NOT_BUILT_IN when websockets not built in

  - Change curl_ws_recv & curl_ws_send to return CURLE_NOT_BUILT_IN when
    websockets support is not built in.

  Prior to this change they returned CURLE_OK.

  Closes #9851

Daniel Stenberg (7 Nov 2022)

- noproxy: tailmatch like in 7.85.0 and earlier

  A regfression in 7.86.0 (via 1e9a538e05c010) made the tailmatch work
  differently than before. This restores the logic to how it used to work:

  All names listed in NO_PROXY are tailmatched against the used domain
  name, if the lengths are identical it needs a full match.

  Update the docs, update test 1614.

  Reported-by: Stuart Henderson
  Fixes #9842
  Closes #9858

- configure: require fork for NTLM-WB

  Reported-by: ウさん

  Fixes #9847
  Closes #9856

- docs/EARLY-RELEASE.md: how to determine an early release

  URL: https://curl.se/mail/lib-2022-10/0079.html

  Closes #9820

- RELEASE-NOTES: synced

Zespre Schmidt (3 Nov 2022)

- docs: add missing parameters for --retry flag

  Closes #9848

Adam Averay (3 Nov 2022)

- libcurl-errors.3: remove duplicate word

  Closes #9846

Eric Vigeant (3 Nov 2022)

- cur_path: do not add '/' if homedir ends with one

  When using SFTP and a path relative to the user home, do not add a
  trailing '/' to the user home dir if it already ends with one.

  Closes #9844

Viktor Szakats (1 Nov 2022)

- windows: fail early with a missing windres in autotools

  `windres` is not always auto-detected by autotools when building for
  Windows. When this happened, the build failed with a confusing error due
  to the empty `RC` command:

  ```
  /bin/bash ../libtool --tag=RC --mode=compile  -I../include -DCURL_EMBED_MANIF
  EST  -i curl.rc -o curl.o
  [...]
  Usage: /sandbox/curl/libtool [OPTION]... [MODE-ARG]...
  Try 'libtool --help' for more information.
  libtool:   error: unrecognised option: '-I../include'
  ```

  Improve this by verifying if `RC` is set, and fail with a clear error
  otherwise.

  Follow-up to 6de7322c03d5b4d91576a7d9fc893e03cc9d1057

  Ref: https://curl.se/mail/lib-2022-10/0049.html
  Reported-by: Thomas Glanzmann
  Closes #9781

- lib: sync guard for Curl_getaddrinfo_ex() definition and use

  `Curl_getaddrinfo_ex()` gets _defined_ with `HAVE_GETADDRINFO` set. But,
  `hostip4.c` _used_ it with `HAVE_GETADDRINFO_THREADSAFE` set alone. It
  meant a build with the latter, but without the former flag could result
  in calling this function but not defining it, and failing to link.

  Patch this by adding an extra check for `HAVE_GETATTRINFO` around the
  call.

  Before this patch, build systems prevented this condition. Now they
  don't need to.

  While here, simplify the related CMake logic on Windows by setting
  `HAVE_GETADDRINFO_THREADSAFE` to the detection result of
  `HAVE_GETADDRINFO`. This expresses the following intent clearer than
  the previous patch and keeps the logic in a single block of code:
  When we have `getaddrinfo()` on Windows, it's always threadsafe.

  Follow-up to 67d88626d44ec04b9e11dca4cfbf62cd29fe9781

  Reviewed-by: Jay Satiro
  Closes #9734

- tidy-up: process.h detection and use

  This patch aims to cleanup the use of `process.h` header and the macro
  `HAVE_PROCESS_H` associated with it.

  - `process.h` is always available on Windows. In curl, it is required
    only for `_beginthreadex()` in `lib/curl_threads.c`.

  - `process.h` is also available in MS-DOS. In curl, its only use was in
    `lib/smb.c` for `getpid()`. But `getpid()` is in fact declared by
    `unistd.h`, which is always enabled via `lib/config-dos.h`. So the
    header is not necessary.

  - `HAVE_PROCESS_H` was detected by CMake, forced to 1 on Windows and
    left to real detection for other platforms.
    It was also set to always-on in `lib/config-win32.h` and
    `lib/config-dos.h`.
    In autotools builds, there was no detection and the macro was never
    set.

  Based on these observations, in this patch we:

  - Rework Windows `getpid` logic in `lib/smb.c` to always use the
    equivalent direct Win32 API function `GetCurrentProcessId()`, as we
    already did for Windows UWP apps. This makes `process.h` unnecessary
    here on Windows.

  - Stop #including `process.h` into files where it was not necessary.
    This is everywhere, except `lib/curl_threads.c`.

    > Strangely enough, `lib/curl_threads.c` compiled fine with autotools
    > because `process.h` is also indirecty included via `unistd.h`. This
    > might have been broken in autotools MSVC builds, where the latter
    > header is missing.

  - Delete all remaining `HAVE_PROCESS_H` feature guards, for they were
    unnecessary.

  - Delete `HAVE_PROCESS_H` detection from CMake and predefined values
    from `lib/config-*.h` headers.

  Reviewed-by: Jay Satiro
  Closes #9703

Daniel Stenberg (1 Nov 2022)

- lib1301: unit103 turned into a libtest

  It is not a unit test so moved over to libtests.

- strcase: use curl_str(n)equal for case insensitive matches

  No point in having two entry points for the same functions.

  Also merged the *safe* function treatment into these so that they can
  also be used when one or both pointers are NULL.

  Closes #9837

- README.md: remove badges and xmas-tree garnish

  URL: https://curl.se/mail/lib-2022-10/0050.html

  Closes #9833

Patrick Monnerat (1 Nov 2022)

- gen.pl: do not generate CURLHELP bitmask lines > 79 characters

  If a command line option is in many help categories, there is a risk
  that CURLHELP bitmask source lines generated for listhelp are longer
  than 79 characters.

  This change takes care of folding such long lines.

  Cloes #9834

Marc Hoersken (30 Oct 2022)

- CI/cirrus: remove superfluous double-quotes and sudo

  Follow up to #9565 and #9677
  Closes #9738

- tests/sshserver.pl: re-enable ssh-rsa while using openssh 8.8+

  Ref: #9738

Daniel Stenberg (30 Oct 2022)

- style: use space after comment start and before comment end

  /* like this */

  /*not this*/

  checksrc is updated accordingly

  Closes #9828

Patrick Schlangen (30 Oct 2022)

- docs: remove performance note in CURLOPT_SSL_VERIFYPEER

  This note became obsolete since PR #7892 (see also discussion in the PR
  comments).

  Closes #9832

Daniel Stenberg (30 Oct 2022)

- tests/server: make use of strcasecompare from lib/

  ... instead of having a second private implementation.

  Idea triggered by #9830

  Closes #9831

- curl: timeout in the read callback

  The read callback can timeout if there's nothing to read within the
  given maximum period. Example use case is when doing "curl -m 3
  telnet://example.com" or anything else that expects input on stdin or
  similar that otherwise would "hang" until something happens and then not
  respect the timeout.

  This fixes KNOWN_BUG 8.1, first filed in July 2009.

  Bug: https://sourceforge.net/p/curl/bugs/846/

  Closes #9815

- noproxy: fix tail-matching

  Also ignore trailing dots in both host name and comparison pattern.

  Regression in 7.86.0 (from 1e9a538e05c0)

  Extended test 1614 to verify better.

  Reported-by: Henning Schild
  Fixes #9821
  Closes #9822

- docs: explain the noproxy CIDR notation support

  Follow-up to 1e9a538e05c0107c

  Closes #9818

Jon Rumsey (27 Oct 2022)

- os400: use platform socklen_t in Curl_getnameinfo_a

  Curl_getnameinfo_a() is prototyped before including curl.h as an
  ASCII'fied wrapper for getnameinfo(), which itself is prototyped with
  socklen_t arguments, so this should use the platform socklen_t and not
  curl_socklen_t too.

  Update setup-os400.h

  Fixes #9811
  Closes #9812

Daniel Stenberg (27 Oct 2022)

- noproxy: also match with adjacent comma

  If the host name is an IP address and the noproxy string contained that
  IP address with a following comma, it would erroneously not match.

  Extended test 1614 to verify this combo as well.

  Reported-by: Henning Schild

  Fixes #9813
  Closes #9814

Randall S. Becker (27 Oct 2022)

- build: fix for NonStop

  - Include arpa/inet.h in all units where htonl is called.

  Signed-off-by: Randall S. Becker <rsbecker@nexbridge.com>

  Closes https://github.com/curl/curl/pull/9816

- system.h: support 64-bit curl_off_t for NonStop 32-bit

  - Correctly define curl_off_t on NonStop (ie __TANDEM) ia64 and x86 for
    32-bit builds.

  Signed-off-by: Randall S. Becker <randall.becker@nexbridge.ca>

  Closes https://github.com/curl/curl/pull/9817

Daniel Stenberg (27 Oct 2022)

- spellcheck.words: remove 'github' as an accepted word

  Prefer the properly cased version: GitHub

  Use markdown for links and GitHub in text.

  Closes #9810

Ayesh Karunaratne (27 Oct 2022)

- misc: typo and grammar fixes

  - Replace `Github` with `GitHub`.
  - Replace `windows` with `Windows`
  - Replace `advice` with `advise` where a verb is used.
  - A few fixes on removing repeated words.
  - Replace `a HTTP` with `an HTTP`

  Closes #9802

Viktor Szakats (27 Oct 2022)

- windows: fix linking .rc to shared curl with autotools

  `./configure --enable-shared --disable-static` fails when trying to link
  a shared `curl.exe`, due to `libtool` magically changing the output
  filename of `windres` to one that it doesn't find when linking:

  ```
  /bin/sh ../libtool --tag=RC --mode=compile windres -I../../curl/include -DCUR
  L_EMBED_MANIFEST  -i ../../curl/src/curl.rc -o curl.o
  libtool: compile:  windres -I../../curl/include -DCURL_EMBED_MANIFEST -i ../.
  ./curl/src/curl.rc  -o .libs/curl.o
  [...]
  CCLD     curl.exe
  clang: error: no such file or directory: 'curl.o'
  ```

  Let's resolve this by skipping `libtool` and calling `windres` directly
  when building `src` (aka `curl.exe`). Leave `lib` unchanged, as it does
  need the `libtool` magic. This solution is compatible with building
  a static `curl.exe`.

  This build scenario is not CI-tested.

  While here, delete an obsolete comment about a permanent `libtool`
  warning that we've resolved earlier.

  Regression from 6de7322c03d5b4d91576a7d9fc893e03cc9d1057

  Reported-by: Christoph Reiter
  Fixes #9803
  Closes #9805

- cmake: really enable warnings with clang

  Even though `PICKY_COMPILER=ON` is the default, warnings were not
  enabled when using llvm/clang, because `CMAKE_COMPILER_IS_CLANG` was
  always false (in my tests at least).

  This is the single use of this variable in curl, and in a different
  place we already use `CMAKE_C_COMPILER_ID MATCHES "Clang"`, which works
  as expected, so change the condition to use that instead.

  Also fix the warnings uncovered by the above:

  - lib: add casts to silence clang warnings

  - schannel: add casts to silence clang warnings in ALPN code

    Assuming the code is correct, solve the warnings with a cast.
    This particular build case isn't CI tested.

    There is a chance the warning is relevant for some platforms, perhaps
    Windows 32-bit ARM7.

  Closes #9783

Joel Depooter (26 Oct 2022)

- sendf: remove unnecessary if condition

  At this point, the psnd->buffer will always exist. We have already
  allocated a new buffer if one did not previously exist, and returned
  from the function if the allocation failed.

  Closes #9801

Viktor Szakats (26 Oct 2022)

- winidn: drop WANT_IDN_PROTOTYPES

  `WANT_IDN_PROTOTYPES` was necessary to avoid using a header that came
  via an optional package. MS stopped distributing this package some
  years ago and the winidn definitions are part of standard headers (via
  `windows.h`) since Vista.

  Auto-detect Vista inside `lib/idn_win32.c` and enable the manual
  definitions if building for an older Windows.

  This allows to delete this manual knob from all build-systems.

  Also drop the `_SAL_VERSION` sub-case:

  Our manual definitions are now only enabled with old systems. We assume
  that code analysis is not run on such systems, allowing us to delete the
  SAL-friendly flavour of these.

  Reviewed-by: Jay Satiro
  Closes #9793

Daniel Stenberg (26 Oct 2022)

- misc: remove duplicated include files

  Closes #9796

- scripts/checksrc.pl: detect duplicated include files

  After an idea by Dan Fandrich in #9794

  Closes #9796

- RELEASE-NOTES: synced

  And bumped version to 7.86.1 for now

- CURLMOPT_SOCKETFUNCTION.3: clarify CURL_POLL_REMOVE

  The removal is brief or long, don't assume.

  Reported-by: Luca Niccoli

  Fixes #9799
  Closes #9800

Version 7.86.0 (26 Oct 2022)

Daniel Stenberg (26 Oct 2022)

- RELEASE: synced

  The 7.86.0 release

- THANKS: added from the 7.86.0 release

Viktor Szakats (25 Oct 2022)

- noproxy: include netinet/in.h for htonl()

  Solve the Amiga build warning by including `netinet/in.h`.

  `krb5.c` and `socketpair.c` are using `htonl()` too. This header is
  already included in those sources.

  Regression from 1e9a538e05c0107c54ef81d9de7cd0b27cd13309

  Reviewed-by: Daniel Stenberg
  Closes #9787

Marc Hoersken (24 Oct 2022)

- CI: fix AppVeyor status failing for starting jobs

Daniel Stenberg (24 Oct 2022)

- test445: verifies the protocols-over-http-proxy flaw and fix

- http_proxy: restore the protocol pointer on error

  Reported-by: Trail of Bits

  Closes #9790

- multi: remove duplicate include of connect.h

  Reported-by: Martin Strunz
  Fixes #9794
  Closes #9795

Daniel Gustafsson (24 Oct 2022)

- idn: fix typo in test description

  s/enabked/enabled/i

Daniel Stenberg (24 Oct 2022)

- url: use IDN decoded names for HSTS checks

  Reported-by: Hiroki Kurosawa

  Closes #9791

- unit1614: fix disabled-proxy build

  Follow-up to 1e9a538e05c01

  Closes #9792

Daniel Gustafsson (24 Oct 2022)

- cookies: optimize control character check

  When checking for invalid octets the strcspn() call will return the
  position of the first found invalid char or the first NULL byte.
  This means that we can check the indicated position in the search-
  string saving a strlen() call.

  Closes: #9736
  Reviewed-by: Jay Satiro <raysatiro@yahoo.com>

Daniel Stenberg (24 Oct 2022)

- netrc: replace fgets with Curl_get_line

  Make the parser only accept complete lines and avoid problems with
  overly long lines.

  Reported-by: Hiroki Kurosawa

  Closes #9789

- RELEASE-NOTES: add "Planned upcoming removals include"

  URL: https://curl.se/mail/archive-2022-10/0001.html

  Suggested-by: Dan Fandrich

Viktor Szakats (23 Oct 2022)

- ci: bump to gcc-11 for macos

  Ref: https://github.blog/changelog/2022-10-03-github-actions-jobs-running-on-
  macos-latest-are-now-running-on-macos-12/
  Ref: https://github.com/actions/runner-images/blob/main/images/macos/macos-12
  -Readme.md

  Reviewed-by: Max Dymond
  Closes #9785

- Makefile.m32: reintroduce CROSSPREFIX and -W -Wall [ci skip]

  - Reintroduce `CROSSPREFIX`:

    If set, we add it to the `CC` and `AR` values, and to the _default_
    value of `RC`, which is `windres`. This allows to control each of
    these individidually, while also allowing to simplify configuration
    via `CROSSPREFIX`.

    This variable worked differently earlier. Hopefully this new solution
    hits a better compromise in usefulness/complexity/flexibility.

    Follow-up to: aa970c4c08775afcd0c2853be89b0a6f02582d50

  - Enable warnings again:

    This time with an option to override it via `CFLAGS`. Warnings are
    also enabled by default in CMake, `makefile.dj` and `makefile.amiga`
    builds (not in autotools though).

    Follow-up to 10fbd8b4e3f83b967fd9ad9a41ab484c0e7e7ca3

  Closes #9784

- noproxy: silence unused variable warnings with no ipv6

  Follow-up to 36474f1050c7f4117e3c8de6cc9217cfebfc717d

  Reviewed-by: Daniel Stenberg
  Closes #9782

Daniel Stenberg (22 Oct 2022)

- test644: verify --xattr (with redirect)

- tool_xattr: save the original URL, not the final redirected one

  Adjusted test 1621 accordingly.

  Reported-by: Viktor Szakats
  Fixes #9766
  Closes #9768

- docs: make sure libcurl opts examples pass in long arguments

  Reported-by: Sergey
  Fixes #9779
  Closes #9780

Marc Hoersken (21 Oct 2022)

- CI: fix AppVeyor job links only working for most recent build

  Ref: https://github.com/curl/curl/pull/9768#issuecomment-1286675916
  Reported-by: Daniel Stenberg

  Follow up to #9769

Viktor Szakats (21 Oct 2022)

- noproxy: fix builds without AF_INET6

  Regression from 1e9a538e05c0107c54ef81d9de7cd0b27cd13309

  Reviewed-by: Daniel Stenberg

  Closes #9778

Daniel Stenberg (21 Oct 2022)

- noproxy: support proxies specified using cidr notation

  For both IPv4 and IPv6 addresses. Now also checks IPv6 addresses "correctly"
  and not with string comparisons.

  Split out the noproxy checks and functionality into noproxy.c

  Added unit test 1614 to verify checking functions.

  Reported-by: Mathieu Carbonneaux

  Fixes #9773
  Fixes #5745
  Closes #9775

- urlapi: remove two variable assigns

  To please scan-build:

  urlapi.c:1163:9: warning: Value stored to 'qlen' is never read
          qlen = Curl_dyn_len(&enc);
          ^      ~~~~~~~~~~~~~~~~~~
  urlapi.c:1164:9: warning: Value stored to 'query' is never read
          query = u->query = Curl_dyn_ptr(&enc);
          ^       ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

  Follow-up to 7d6cf06f571d57

  Closes #9777

Jeremy Maitin-Shepard (21 Oct 2022)

- cmake: improve usability of CMake build as a sub-project

  - Renames `uninstall` -> `curl_uninstall`
  - Ensures all export rules are guarded by CURL_ENABLE_EXPORT_TARGET

  Closes #9638

Don J Olmstead (21 Oct 2022)

- easy_lock: check for HAVE_STDATOMIC_H as well

  The check for `HAVE_STDATOMIC_H` looks to see if the `stdatomic.h`
  header is present.

  Closes #9755

Daniel Stenberg (21 Oct 2022)

- RELEASE-NOTES: synced

Brad Harder (20 Oct 2022)

- CURLMOPT_PIPELINING.3: dedup manpage xref

  Closes #9776

Marc Hoersken (20 Oct 2022)

- CI: report AppVeyor build status for each job

  Also give each job on AppVeyor CI a human-readable name.

  This aims to make job and therefore build failures more visible.

  Reviewed-by: Marcel Raad
  Closes #9769

Viktor Szakats (20 Oct 2022)

- amiga: set SIZEOF_CURL_OFF_T=8 by default [ci skip]

  Reviewed-by: Daniel Stenberg

  Closes #9771

- connect: fix builds without AF_INET6

  Regression from 2b309560c1e5d6ed5c0e542e6fdffa968b0521c9

  Reviewed-by: Daniel Stenberg
  Reviewed-by: Jay Satiro

  Closes #9770

Daniel Stenberg (20 Oct 2022)

- test1105: adjust <data> to work with a hyper build

  Closes #9767

- urlapi: fix parsing URL without slash with CURLU_URLENCODE

  When CURLU_URLENCODE is set, the parser would mistreat the path
  component if the URL was specified without a slash like in
  http://local.test:80?-123

  Extended test 1560 to reproduce and verify the fix.

  Reported-by: Trail of Bits

  Closes #9763

Marc Hoersken (19 Oct 2022)

- tests: avoid CreateThread if _beginthreadex is available

  CreateThread is not threadsafe if mixed with CRT calls.
  _beginthreadex on the other hand can be mixed with CRT.

  Reviewed-by: Marcel Raad
  Closes #9705

Joel Depooter (19 Oct 2022)

- schannel: Don't reset recv/send function pointers on renegotiation

  These function pointers will have been set when the initial TLS
  handshake was completed. If they are unchanged, there is no need to set
  them again. If they have been changed, as is the case with HTTP/2, we
  don't want to override that change. That would result in the
  http22_recv/send functions being completely bypassed.

  Prior to this change a connection that uses Schannel with HTTP/2 would
  fail on renegotiation with error "Received HTTP/0.9 when not allowed".

  Fixes https://github.com/curl/curl/issues/9451
  Closes https://github.com/curl/curl/pull/9756

Viktor Szakats (18 Oct 2022)

- hostip: guard PF_INET6 use

  Some platforms (e.g. Amiga OS) do not have `PF_INET6`. Adjust the code
  for these.

  ```
  hostip.c: In function 'fetch_addr':
  hostip.c:308:12: error: 'PF_INET6' undeclared (first use in this function)
         pf = PF_INET6;
              ^~~~~~~~
  ```

  Regression from 1902e8fc511078fb5e26fc2b907b4cce77e1240d

  Reviewed-by: Daniel Stenberg

  Closes #9760

- amiga: do not hardcode openssl/zlib into the os config [ci skip]

  Enable them in `lib/makefile.amiga` and `src/makefile.amiga` instead.

  This allows builds without openssl and/or zlib. E.g. with the
  <https://github.com/bebbo/amiga-gcc> cross-compiler.

  Reviewed-by: Daniel Stenberg

  Closes #9762

- amigaos: add missing curl header [ci skip]

  Without it, `CURLcode` and `CURLE_*` are undefined. `lib/hostip.h` and
  conditional local code need them.

  Reviewed-by: Daniel Stenberg

  Closes #9761

Daniel Stenberg (18 Oct 2022)

- cmdline/docs: add a required 'multi' keyword for each option

  The keyword specifies how option works when specified multiple times:

   - single: the last provided value replaces the earlier ones
   - append: it supports being provided multiple times
   - boolean: on/off values
   - mutex: flag-like option that disable anoter flag

  The 'gen.pl' script then outputs the proper and unified language for
  each option's multi-use behavior in the generated man page.

  The multi: header is requires in each .d file and will cause build error
  if missing or set to an unknown value.

  Closes #9759

- CURLOPT_AUTOREFERER.3: highlight the privacy leak risk

  Closes #9757

- mprintf: reject two kinds of precision for the same argument

  An input like "%.*1$.9999d" would first use the precision taken as an
  argument *and* then the precision specified in the string, which is
  confusing and wrong. pass1 will now instead return error on this double
  use.

  Adjusted unit test 1398 to verify

  Reported-by: Peter Goodman

  Closes #9754

- ftp: remove redundant if

  Reported-by: Trail of Bits

  Closes #9753

- tool_operate: more transfer cleanup after parallel transfer fail

  In some circumstances when doing parallel transfers, the
  single_transfer_cleanup() would not be called and then 'inglob' could
  leak.

  Test 496 verifies

  Reported-by: Trail of Bits
  Closes #9749

- mqtt: spell out CONNECT in comments

  Instead of calling it 'CONN' in several comments, use the full and
  correct protocol packet name.

  Suggested by Trail of Bits

  Closes #9751

- CURLOPT_POSTFIELDS.3: refer to CURLOPT_MIMEPOST

  Not the deprecated CURLOPT_HTTPPOST option.

  Also added two see-alsos.

  Reported-by: Trail of Bits
  Closes #9752

- RELEASE-NOTES: synced

Jay Satiro (17 Oct 2022)

- ngtcp2: Fix build errors due to changes in ngtcp2 library

  ngtcp2/ngtcp2@b0d86f60 changed:

  - ngtcp2_conn_get_max_udp_payload_size =>
    ngtcp2_conn_get_max_tx_udp_payload_size

  - ngtcp2_conn_get_path_max_udp_payload_size =>
    ngtcp2_conn_get_path_max_tx_udp_payload_size

  ngtcp2/ngtcp2@ec59b873 changed:

  - 'early_data_rejected' member added to ng_callbacks.

  Assisted-by: Daniel Stenberg
  Reported-by: jurisuk@users.noreply.github.com

  Fixes https://github.com/curl/curl/issues/9747
  Closes https://github.com/curl/curl/pull/9748

Daniel Stenberg (16 Oct 2022)

- curl_path: return error if given a NULL homedir

  Closes #9740

- libssh: if sftp_init fails, don't get the sftp error code

  This flow extracted the wrong code (sftp code instead of ssh code), and
  the code is sometimes (erroneously) returned as zero anyway, so skip
  getting it and set a generic error.

  Reported-by: David McLaughlin
  Fixes #9737
  Closes #9740

- mqtt: return error for too long topic

  Closes #9744

Rickard Hallerbäck (16 Oct 2022)

- tool_paramhlp: make the max argument a 'double'

  To fix compiler warnings "Implicit conversion from 'long' to 'double'
  may lose precision"

  Closes #9700

Philip Heiduck (15 Oct 2022)

- cirrus-ci: add more macOS builds with m1 based on x86_64 builds

  Also refactor macOS builds to use task matrix.

  Assisted-by: Marc Hörsken
  Closes #9565

Viktor Szakats (14 Oct 2022)

- cmake: set HAVE_SOCKADDR_IN6_SIN6_SCOPE_ID on Windows

  `lib/config-win32.h` enables this configuration option unconditionally.
  Make it apply to CMake builds as well.

  While here, delete a broken check for
  `HAVE_SOCKADDR_IN6_SIN6_SCOPE_ID` from `CMakeLists.txt`. This came with
  the initial commit [1], but did not include the actual verification code
  inside `CMake/CurlTests.c`, so it always failed. A later commit [2]
  added a second test, for non-Windows platforms.

  Enabling this flag causes test 1056 to fail with CMake builds, as they
  do with autotools builds. Let's apply the same solution and ignore the
  results here as well.

  [1] 4c5307b45655ba75ab066564afdc0c111a8b9291
  [2] aec7c5a87c8482b6ddffa352d7d220698652262e

  Reviewed-by: Daniel Stenberg
  Assisted-by: Marcel Raad

  Closes #9726

- cmake: set HAVE_GETADDRINFO_THREADSAFE on Windows

  autotools enables this configuration option unconditionally for Windows
  [^1]. Do the same in CMake.

  The above will make this work for all reasonably recent environments.
  The logic present in `lib/config-win32.h` [^2] has the following
  exceptions which we did not cover in this CMake update:

  - Builds targeting Windows 2000 and earlier
  - MS Visual C++ 5.0 (1997) and earlier

  Also make sure to disable this feature when `HAVE_GETADDRINFO` isn't
  set, to avoid a broken build. We might want to handle that in the C
  sources in a future commit.

  [^1]: https://github.com/curl/curl/blob/68fa9bf3f5d7b4fcbb57619f70cb4aabb79a5
  1f6/m4/curl-functions.m4#L2067-L2070

  [^2]: https://github.com/curl/curl/blob/68fa9bf3f5d7b4fcbb57619f70cb4aabb79a5
  1f6/lib/config-win32.h#L511-L528

  Closes #9727

- cmake: sync HAVE_SIGNAL detection with autotools

  `HAVE_SIGNAL` means the availability of the `signal()` function in
  autotools, while in CMake it meant the availability of that function
  _and_ the symbol `SIGALRM`.

  The latter is not available on Windows, but the function is, which means
  on Windows, autotools did define `HAVE_SIGNAL`, but CMake did not,
  introducing a slight difference into the binaries.

  This patch syncs CMake behaviour with autotools to look for the function
  only.

  The logic came with the initial commit adding CMake support to curl, so
  the commit history doesn't reveal the reason behind it. In any case,
  it's best to check the existence of `SIGALRM` directly in the source
  before use. For now, curl builds fine with `HAVE_SIGNAL` enabled and
  `SIGALRM` missing.

  Follow-up to 68fa9bf3f5d7b4fcbb57619f70cb4aabb79a51f6

  Closes #9725

- cmake: delete duplicate HAVE_GETADDRINFO test

  A custom `HAVE_GETADDRINFO` check came with the initial CMake commit
  [1]. A later commit [2] added a standard check for it as well. The
  standard check run before the custom one, so CMake ignored the latter.

  The custom check was also non-portable, so this patch deletes it in
  favor of the standard check.

  [1] 4c5307b45655ba75ab066564afdc0c111a8b9291
  [2] aec7c5a87c8482b6ddffa352d7d220698652262e

  Closes #9731

Daniel Stenberg (14 Oct 2022)

- tool_formparse: unroll the NULL_CHECK and CONST_FREE macros

  To make the code read more obvious

  Assisted-by: Jay Satiro

  Closes #9710

Christopher Sauer (14 Oct 2022)

- docs/INSTALL: update Android Instructions for newer NDKs

  Closes #9732

Daniel Stenberg (14 Oct 2022)

- markdown-uppercase: ignore quoted sections

  Sections within the markdown ~~~ or ``` are now ignored.

  Closes #9733

- RELEASE-NOTES: synced

- test8: update as cookies no longer can have "embedded" TABs in content

- test1105: extend to verify TAB in name/content discarding cookies

- cookie: reject cookie names or content with TAB characters

  TABs in name and content seem allowed by RFC 6265: "the algorithm strips
  leading and trailing whitespace from the cookie name and value (but
  maintains internal whitespace)"

  Cookies with TABs in the names are rejected by Firefox and Chrome.

  TABs in content are stripped out by Firefox, while Chrome discards the
  whole cookie.

  TABs in cookies also cause issues in saved netscape cookie files.

  Reported-by: Trail of Bits

  URL: https://curl.se/mail/lib-2022-10/0032.html
  URL: https://github.com/httpwg/http-extensions/issues/2262

  Closes #9659

- curl/add_parallel_transfers: better error handling

  1 - consider the transfer handled at once when in the function, to avoid
      the same list entry to get added more than once in rare error
      situations

  2 - set the ERRORBUFFER for the handle first after it has been added
      successfully

  Reported-by: Trail of Bits

  Closes #9729

- netrc: remove the two 'changed' arguments

  As no user of these functions used the returned content.

- test495: verify URL encoded user name + netrc-optional

  Reproduced issue #9709

- netrc: use the URL-decoded user

  When the user name is provided in the URL it is URL encoded there, but
  when used for authentication the encoded version should be used.

  Regression introduced after 7.83.0

  Reported-by: Jonas Haag
  Fixes #9709
  Closes #9715

Shaun Mirani (13 Oct 2022)

- url: allow non-HTTPS HSTS-matching for debug builds

  Closes #9728

Daniel Stenberg (13 Oct 2022)

- test1275: remove the check of stderr

  To avoid the mysterious test failures on Windows, instead rely on the
  error code returned on failure.

  Fixes #9716
  Closes #9723

Viktor Szakats (13 Oct 2022)

- lib: set more flags in config-win32.h

  The goal is to add any flag that affect the created binary, to get in
  sync with the ones built with CMake and autotools.

  I took these flags from curl-for-win [0], where they've been tested with
  mingw-w64 and proven to work well.

  This patch brings them to curl as follows:

  - Enable unconditionally those force-enabled via
    `CMake/WindowsCache.cmake`:

    - `HAVE_SETJMP_H`
    - `HAVE_STRING_H`
    - `HAVE_SIGNAL` (CMake equivalent is `HAVE_SIGNAL_FUNC`)

  - Expand existing guards with mingw-w64:

    - `HAVE_STDBOOL_H`
    - `HAVE_BOOL_T`

  - Enable Win32 API functions for Windows Vista and later:

    - `HAVE_INET_NTOP`
    - `HAVE_INET_PTON`

  - Set sizes, if not already set:

    - `SIZEOF_OFF_T = 8`
    - `_FILE_OFFSET_BITS = 64` when `USE_WIN32_LARGE_FILES` is set,
      and using mingw-w64.

  - Add the remaining for mingw-w64 only. Feel free to expand as desired:

    - `HAVE_LIBGEN_H`
    - `HAVE_FTRUNCATE`
    - `HAVE_BASENAME`
    - `HAVE_STRTOK_R`

  Future TODO:

  - `HAVE_SIGNAL` has a different meaning in CMake. It's enabled when both
    the `signal()` function and the `SIGALRM` macro are found. In
    autotools and this header, it means the function only. For the
    function alone, CMake uses `HAVE_SIGNAL_FUNC`.

  [0] https://github.com/curl/curl-for-win/blob/c9b9a5f273c94c73d2b565ee892c4df
  f0ca97a8c/curl-m32.sh#L53-L58

  Reviewed-by: Daniel Stenberg

  Closes #9712

Daniel Stenberg (13 Oct 2022)

- tests: add tests/markdown-uppercase.pl to dist tarball

  Follow-up to aafb06c5928183d

  Closes #9722

- tool_paramhelp: asserts verify maximum sizes for string loading

  The two defines MAX_FILE2MEMORY and MAX_FILE2STRING define the largest
  strings accepted when loading files into memory, but as the size is
  later used as input to functions that take the size as 'int' as
  argument, the sizes must not be larger than INT_MAX.

  These two new assert()s make the code error out if someone would bump
  the sizes without this consideration.

  Reported-by Trail of Bits

  Closes #9719

- http: try parsing Retry-After: as a number first

  Since the date parser allows YYYYMMDD as a date format (due to it being
  a bit too generic for parsing this particular header), a large integer
  number could wrongly match that pattern and cause the parser to generate
  a wrong value.

  No date format accepted for this header starts with a decimal number, so
  by reversing the check and trying a number first we can deduct that if
  that works, it was not a date.

  Reported-by Trail of Bits

  Closes #9718

Patrick Monnerat (13 Oct 2022)

- doc: fix deprecation versions inconsistencies

  Ref: https://curl.se/mail/lib-2022-10/0026.html

  Closes #9711

Daniel Stenberg (13 Oct 2022)

- http_aws_sigv4: fix strlen() check

  The check was off-by-one leading to buffer overflow.

  Follow-up to 29c4aa00a16872

  Detected by OSS-Fuzz

  Closes #9714

- curl/main_checkfds: check the fcntl return code better

  fcntl() can (in theory) return a non-zero number for success, so a
  better test for error is checking for -1 explicitly.

  Follow-up to 41e1b30ea1b77e9ff

  Mentioned-by: Dominik Klemba

  Closes #9708

Viktor Szakats (12 Oct 2022)

- tidy-up: delete unused HAVE_STRUCT_POLLFD

  It was only defined in `lib/config-win32.h`, when building for Vista.

  It was only used in `select.h`, in a condition that also included a
  check for `POLLIN` which is a superior choice for this detection and
  which was already used by cmake and autotools builds.

  Delete both instances of this macro.

  Closes #9707

Daniel Stenberg (12 Oct 2022)

- test1275: verify upercase after period in markdown

  Script based on the #9474 pull-request logic, but implemented in perl.

  Updated docs/URL-SYNTAX.md accordingly.

  Suggested-by: Dan Fandrich

  Closes #9697

12932 (12 Oct 2022)

- misc: nitpick grammar in comments/docs

  because the 'u' in URL is actually a consonant *sound* it is only
  correct to write "a URL"

  sorry this is a bit nitpicky :P

  https://english.stackexchange.com/questions/152/when-should-i-use-a-vs-an
  https://www.techtarget.com/whatis/feature/Which-is-correct-a-URL-or-an-URL

  Closes #9699

Viktor Szakats (11 Oct 2022)

- Makefile.m32: drop CROSSPREFIX and our CC/AR defaults [ci skip]

  This patch aimed to fix a regression [0], where `CC` initialization
  moved beyond its first use. But, on closer inspection it turned out that
  the `CC` initialization does not work as expected due to GNU Make
  filling it with `cc` by default. So unless implicit values were
  explicitly disabled via a GNU Make option, the default value of
  `$CROSSPREFIX` + `gcc` was never used. At the same time the implicit
  value `cc` maps to `gcc` in (most/all?) MinGW envs.

  `AR` has the same issue, with a default value of `ar`.

  We could reintroduce a separate variable to fix this without ill
  effects, but for simplicity and flexibility, it seems better to drop
  support for `CROSSPREFIX`, along with our own `CC`/`AR` init logic, and
  require the caller to initialize `CC`, `AR` and `RC` to the full
  (prefixed if necessary) names of these tools, as desired.

  We keep `RC ?= windres` because `RC` is empty by default.

  Also fix grammar in a comment.

  [0] 10fbd8b4e3f83b967fd9ad9a41ab484c0e7e7ca3

  Closes #9698

- smb: replace CURL_WIN32 with WIN32

  PR #9255 aimed to fix a Cygwin/MSYS issue (#8220). It used the
  `CURL_WIN32` macro, but that one is not defined here, while compiling
  curl itself. This patch changes this to `WIN32`, assuming this was the
  original intent.

  Regression from 1c52e8a3795ccdf8ec9c308f4f8f19cf10ea1f1a

  Reviewed-by: Marcel Raad

  Closes #9701

Matthias Gatto (11 Oct 2022)

- aws_sigv4: fix header computation

  Handle canonical headers and signed headers creation as explained here:
  https://docs.aws.amazon.com/general/latest/gr/sigv4-create-canonical-request.
  html

  The algo tells that signed and canonical must contain at last host and
  x-amz-date.

  So we check whatever thoses are present in the curl http headers list.
  If they are, we use the one enter by curl user, otherwise we generate
  them.  then we to lower, and remove space from each http headers plus
  host and x-amz-date, then sort them all by alphabetical order.

  This patch also fix a bug with host header, which was ignoring the port.

  Closes #7966

Aftab Alam (11 Oct 2022)

- README.md: link the curl logo to the website

  - Link the curl:// image to https://curl.se/

  Closes https://github.com/curl/curl/pull/9675

Dustin Howett (11 Oct 2022)

- schannel: when importing PFX, disable key persistence

  By default, the PFXImportCertStore API persists the key in the user's
  key store (as though the certificate was being imported for permanent,
  ongoing use.)

  The documentation specifies that keys that are not to be persisted
  should be imported with the flag PKCS12_NO_PERSIST_KEY.
  NOTE: this flag is only supported on versions of Windows newer than XP
  and Server 2003.

  --

  This is take 2 of the original fix. It extends the lifetime of the
  client certificate store to that of the credential handle. The original
  fix which landed in 70d010d and was later reverted in aec8d30 failed to
  work properly because it did not do that.

  Minor changes were made to the schannel credential context to support
  closing the client certificate store handle at the end of an SSL session.

  --

  Reported-by: ShadowZzj@users.noreply.github.com

  Fixes https://github.com/curl/curl/issues/9300
  Supersedes https://github.com/curl/curl/pull/9363
  Closes https://github.com/curl/curl/pull/9460

Viktor Szakats (11 Oct 2022)

- Makefile.m32: support more options [ci skip]

  - Add support for these options:
    `-wolfssl`, `-wolfssh`, `-mbedtls`, `-libssh`, `-psl`

    Caveats:
    - `-wolfssh` requires `-wolfssl`.
    - `-wolfssl` cannot be used with OpenSSL backends in parallel.
    - `-libssh` has build issues with BoringSSL and LibreSSL, and also
       what looks like a world-writable-config vulnerability on Windows.
       Consider it experimental.
    - `-psl` requires `-idn2` and extra libs passed via
      `LIBS=-liconv -lunistring`.

  - Detect BoringSSL/wolfSSL and set ngtcp2 crypto lib accordingly.
  - Generalize MultiSSL detection.
  - Use else-if syntax. Requires GNU Make 3.81 (2006-04-01).
  - Document more customization options.

  This brings over some configuration logic from `curl-for-win`.

  Closes #9680

- cmake: enable more detection on Windows

  Enable `HAVE_UNISTD_H`, `HAVE_STRTOK_R` and `HAVE_STRCASECMP` detection
  on Windows, instead of having predefined values.

  With these features detected correctly, CMake Windows builds get closer
  to the autotools and `config-win32.h` ones.

  This also fixes detecting `HAVE_FTRUNCATE` correctly, which required
  `unistd.h`.

  Fixing `ftruncate()` in turn causes a build warning/error with legacy
  MinGW/MSYS1 due to an offset type size mismatch. This env misses to
  detect `HAVE_FILE_OFFSET_BITS`, which may be a reason. This patch
  force-disables `HAVE_FTRUNCATE` for this platform.

  Reviewed-by: Daniel Stenberg

  Closes #9687

- autotools: allow unix sockets on Windows

  Fixes: https://github.com/curl/curl-for-win/blob/73a070d96fd906fdee929e2f1f00
  a9149fb39239/curl-autotools.sh#L44-L47

  On Windows this feature is present, but not the header used in the
  detection logic. It also requires an elaborate enabler logic
  (as seen in `lib/curl_setup.h`). Let's always allow it and let the
  lib code deal with the details.

  Closes #9688

- cmake: add missing inet_ntop check

  This adds the missing half of the check, next to the other half
  already present in `lib/curl_config.h.cmake`.

  Force disable `HAVE_INET_NTOP` for old MSVC where it caused compiler
  warnings.

  Reviewed-by: Daniel Stenberg

  Closes #9689

Daniel Stenberg (11 Oct 2022)

- RELEASE-NOTES: synced

bsergean on github (11 Oct 2022)

- asyn-ares: set hint flags when calling ares_getaddrinfo

  The hint flag is ARES_AI_NUMERICSERV, and it will save a call to
  getservbyname or getservbyname_r to set it.

  Closes #9694

Daniel Stenberg (11 Oct 2022)

- header.d: add category smtp and imap

  They were previously (erroneously) added manually to tool_listhelp.c
  which would make them get removed again when the file is updated next
  time, unless added correctly here in header.d

  Follow-up to 2437fac01

  Closes #9690

- curl/get_url_file_name: use libcurl URL parser

  To avoid URL tricks, use the URL parser for this.

  This update changes curl's behavior slightly in that it will ignore the
  possible query part from the URL and only use the file name from the
  actual path from the URL. I consider it a bugfix.

  "curl -O localhost/name?giveme-giveme" will now save the output in the
  local file named 'name'

  Updated test 1210 to verify

  Assisted-by: Jay Satiro

  Closes #9684

Martin Ågren (11 Oct 2022)

- docs: fix grammar around needing pass phrase

  "You never needed a pass phrase" reads like it's about to be followed by
  something like "until version so-and-so", but that is not what is
  intended. Change to "You never need a pass phrase". There are two
  instances of this text, so make sure to update both.

Xiang Xiao (10 Oct 2022)

- cmake: add the check of HAVE_SOCKETPAIR

  which is used by Curl_socketpair

  Signed-off-by: Xiang Xiao <xiaoxiang@xiaomi.com>

  Closes #9686

Daniel Stenberg (10 Oct 2022)

- curl/add_file_name_to_url: use the libcurl URL parser

  instead of the custom error-prone parser, to extract and update the path
  of the given URL

  Closes #9683

- single_transfer: use the libcurl URL parser when appending query parts

  Instead of doing "manual" error-prone parsing in another place.

  Used when --data contents is added to the URL query when -G is provided.

  Closes #9681

- ws: fix buffer pointer use in the callback loop

  Closes #9678

Petr Štetiar (10 Oct 2022)

- curl-wolfssl.m4: error out if wolfSSL is not usable

  When I explicitly declare, that I would like to have curl built with
  wolfSSL support using `--with-wolfssl` configure option, then I would
  expect, that either I endup with curl having that support, for example
  in form of https support or it wouldn't be available at all.

  Downstream projects like for example OpenWrt build curl wolfSSL variant
  with `--with-wolfssl` already, but in certain corner cases it does fail:

    configure:25299: checking for wolfSSL_Init in -lwolfssl
    configure:25321: x86_64-openwrt-linux-musl-gcc -o conftest [snip]
    In file included from target-x86_64_musl/usr/include/wolfssl/wolfcrypt/dsa.
  h:33,
                     from target-x86_64_musl/usr/include/wolfssl/wolfcrypt/asn_
  public.h:35,
                    from target-x86_64_musl/usr/include/wolfssl/ssl.h:35,
                     from conftest.c:47:
    target-x86_64_musl/usr/include/wolfssl/wolfcrypt/integer.h:37:14: fatal err
  or: wolfssl/wolfcrypt/sp_int.h: No such file or directory
         #include <wolfssl/wolfcrypt/sp_int.h>
                  ^~~~~~~~~~~~~~~~~~~~~~~~~~~~
    compilation terminated.

  and in the end thus produces curl without https support:

   curl: (1) Protocol "https" not supported or disabled in libcurl

  So fix it, by making the working wolfSSL mandatory and error out in
  configure step when that's not the case:

   checking for wolfSSL_Init in -lwolfssl... no
   configure: error: --with-wolfssl but wolfSSL was not found or doesn't work

  References: https://github.com/openwrt/packages/issues/19005
  References: https://github.com/openwrt/packages/issues/19547
  Signed-off-by: Petr Štetiar <ynezz@true.cz>

  Closes #9682

Daniel Stenberg (10 Oct 2022)

- tool_getparam: pass in the snprintf("%.*s") string length as 'int'

  Reported by Coverity CID 1515928

  Closes #9679

Paul Seligman (9 Oct 2022)

- ws: minor fixes for web sockets without the CONNECT_ONLY flag

  - Fixed an issue where is_in_callback was getting cleared when using web
    sockets with debug logging enabled
  - Ensure the handle is is_in_callback when calling out to fwrite_func
  - Change the write vs. send_data decision to whether or not the handle
    is in CONNECT_ONLY mode.
  - Account for buflen not including the header length in curl_ws_send

  Closes #9665

Marc Hoersken (8 Oct 2022)

- CI/cirrus: merge existing macOS jobs into a job matrix

  Ref: #9627
  Reviewed-by: Philip H.

  Closes #9672

Daniel Stenberg (8 Oct 2022)

- strcase: add and use Curl_timestrcmp

  This is a strcmp() alternative function for comparing "secrets",
  designed to take the same time no matter the content to not leak
  match/non-match info to observers based on how fast it is.

  The time this function takes is only a function of the shortest input
  string.

  Reported-by: Trail of Bits

  Closes #9658

- tool_getparam: split out data_urlencode() into its own function

  Closes #9673

- connect: fix Curl_updateconninfo for TRNSPRT_UNIX

  Reported-by: Vasiliy Ulyanov
  Fixes #9664
  Closes #9670

- ws: fix Coverity complaints

  Coverity pointed out several flaws where variables remained
  uninitialized after forks.

  Follow-up to e3f335148adc6742728f

  Closes #9666

Marc Hoersken (7 Oct 2022)

- CI/GHA: merge msh3 and openssl3 builds into linux workflow

  Continue work on merging all Linux workflows into one file.

  Follow up to #9501
  Closes #9646

Daniel Stenberg (7 Oct 2022)

- curl_ws_send.3: call the argument 'fragsize'

  Since WebSocket works with "fragments" not "frames"

  Closes #9668

- easy: avoid Intel error #2312: pointer cast involving 64-bit pointed-to type

  Follow-up to e3f335148adc6742728ff8

  Closes #9669

- tool_main: exit at once if out of file descriptors

  If the main_checkfds function cannot create new file descriptors in an
  attempt to detect of stdin, stdout or stderr are closed.

  Also changed the check to use fcntl() to check if the descriptors are
  open, which avoids superfluously calling pipe() if they all already are.

  Follow-up to facfa19cdd4d0094

  Reported-by: Trail of Bits

  Closes #9663

- websockets: remodeled API to support 63 bit frame sizes

  curl_ws_recv() now receives data to fill up the provided buffer, but can
  return a partial fragment. The function now also get a pointer to a
  curl_ws_frame struct with metadata that also mentions the offset and
  total size of the fragment (of which you might be receiving a smaller
  piece). This way, large incoming fragments will be "streamed" to the
  application. When the curl_ws_frame struct field 'bytesleft' is 0, the
  final fragment piece has been delivered.

  curl_ws_recv() was also adjusted to work with a buffer size smaller than
  the fragment size. (Possibly needless to say as the fragment size can
  now be 63 bit large).

  curl_ws_send() now supports sending a piece of a fragment, in a
  streaming manner, in addition to sending the entire fragment in a single
  call if it is small enough. To send a huge fragment, curl_ws_send() can
  be used to send it in many small calls by first telling libcurl about
  the total expected fragment size, and then send the payload in N number
  of separate invokes and libcurl will stream those over the wire.

  The struct curl_ws_meta() returns is now called 'curl_ws_frame' and it
  has been extended with two new fields: *offset* and *bytesleft*. To help
  describe the passed on data chunk when a fragment is delivered in many
  smaller pieces.

  The documentation has been updated accordingly.

  Closes #9636

Patrick Monnerat (7 Oct 2022)

- docs/examples: avoid deprecated options in examples where possible

  Example programs targeting a deprecated feature/option are commented with
  a warning about it.
  Other examples are adapted to not use deprecated options.

  Closes #9661

Viktor Szakats (6 Oct 2022)

- cmake: fix enabling websocket support

  Follow-up from 664249d095275ec532f55dd1752d80c8c1093a77

  Closes #9660

- tidy-up: delete parallel/unused feature flags

  Detecting headers and lib separately makes sense when headers come in
  variations or with extra ones, but this wasn't the case here. These were
  duplicate/parallel macros that we had to keep in sync with each other
  for a working build. This patch leaves a single macro for each of these
  dependencies:

  - Rely on `HAVE_LIBZ`, delete parallel `HAVE_ZLIB_H`.

    Also delete CMake logic making sure these two were in sync, along with
    a toggle to turn off that logic, called `CURL_SPECIAL_LIBZ`.

    Also delete stray `HAVE_ZLIB` defines.

    There is also a `USE_ZLIB` variant in `lib/config-dos.h`. This patch
    retains it for compatibility and deprecates it.

  - Rely on `USE_LIBSSH2`, delete parallel `HAVE_LIBSSH2_H`.

    Also delete `LIBSSH2_WIN32`, `LIBSSH2_LIBRARY` from
    `winbuild/MakefileBuild.vc`, these have a role when building libssh2
    itself. And `CURL_USE_LIBSSH`, which had no use at all.

    Also delete stray `HAVE_LIBSSH2` defines.

  - Rely on `USE_LIBSSH`, delete parallel `HAVE_LIBSSH_LIBSSH_H`.

    Also delete `LIBSSH_WIN32`, `LIBSSH_LIBRARY` and `HAVE_LIBSSH` from
    `winbuild/MakefileBuild.vc`, these were the result of copy-pasting the
    libssh2 line, and were not having any use.

  - Delete unused `HAVE_LIBPSL_H` and `HAVE_LIBPSL`.

  Reviewed-by: Daniel Stenberg

  Closes #9652

Daniel Stenberg (6 Oct 2022)

- netrc: compare user name case sensitively

  User name comparisions in netrc need to match the case.

  Closes #9657

- CURLOPT_COOKIEFILE: insist on "" for enable-without-file

  The former way that also suggested using a non-existing file to just
  enable the cookie engine could lead to developers maybe a bit carelessly
  guessing a file name that will not exist, and then in a future due to
  circumstances, such a file could be made to exist and then accidentally
  libcurl would read cookies not actually meant to.

  Reported-by: Trail of bits

  Closes #9654

- tests/Makefile: remove run time stats from ci-test

  The ci-test is the normal makefile target invoked in CI jobs. This has
  been using the -r option to runtests.pl since a long time, but I find
  that it mostly just adds many lines to the test output report without
  anyone caring much about those stats.

  Remove it.

  Closes #9656

Patrick Monnerat (6 Oct 2022)

- tool: reorganize function c_escape around a dynbuf

  This is a bit shorter and a lot safer.

  Substrings of unescaped characters are added by a single call to reduce
  overhead.

  Extend test 1465 to handle more kind of escapes.

  Closes #9653

Jay Satiro (5 Oct 2022)

- CURLOPT_HTTPPOST.3: bolden the deprecation notice

  Ref: https://github.com/curl/curl/pull/9621

  Closes https://github.com/curl/curl/pull/9637

John Bampton (5 Oct 2022)

- misc: fix spelling in docs and comments

  also: remove outdated sentence

  Closes #9644

Patrick Monnerat (5 Oct 2022)

- tool: avoid generating ambiguous escaped characters in --libcurl

  C string hexadecimal-escaped characters may have more than 2 digits.
  This results in a wrong C compiler interpretation of a 2-digit escaped
  character when followed by an hex digit character.

  The solution retained here is to represent such characters as 3-digit
  octal escapes.

  Adjust and extend test 1465 for this case.

  Closes #9643

Daniel Stenberg (5 Oct 2022)

- configure: the ngtcp2 option should default to 'no'

  While still experimental.

  Bug: https://curl.se/mail/lib-2022-10/0007.html
  Reported-by: Daniel Hallberg

  Closes #9650

- CURLOPT_MIMEPOST.3: add an (inline) example

  Reported-by: Jay Satiro
  Bug: https://github.com/curl/curl/pull/9637#issuecomment-1268070723

  Closes #9649

Viktor Szakats (5 Oct 2022)

- Makefile.m32: exclude libs & libpaths for shared mode exes [ci skip]

  Exclude linker flags specifying depedency libs and libpaths, when
  building against `libcurl.dll`. In such case these options are not
  necessary (but may cause errors if not/wrongly configured.)

  Also move and reword a comment on `CPPFLAGS` to not apply to
  `UNICODE` options. These are necessary for all build targets.

  Closes #9651

Jay Satiro (5 Oct 2022)

- runtests: fix uninitialized value on ignored tests

  - Don't show TESTFAIL message (ie tests failed which aren't ignored) if
    only ignored tests failed.

  Before:
  IGNORED: failed tests: 571 612 1056
  TESTDONE: 1214 tests out of 1217 reported OK: 99%
  Use of uninitialized value $failed in concatenation (.) or string at
  ./runtests.pl line 6290.
  TESTFAIL: These test cases failed:

  After:
  IGNORED: failed tests: 571 612 1056
  TESTDONE: 1214 tests out of 1217 reported OK: 99%

  Closes https://github.com/curl/curl/pull/9648

- cirrus: use make LDFLAGS=-all-static instead of curl_LDFLAGS

  - Correct the use of -all-static for static Windows CI builds.

  curl_LDFLAGS was removed from the makefile when metalink support was
  removed. LDFLAGS=-all-static is passed to make only, because it is not a
  valid option for configure compilation tests.

  Closes https://github.com/curl/curl/pull/9633

Viktor Szakats (4 Oct 2022)

- Makefile.m32: fix regression with tool_hugehelp [ci skip]

  In a recent commit I mistakenly deleted this logic, after seeing a
  reference to a filename ending with `.cvs` and thinking it must have
  been long gone. Turns out this is an existing file. Restore the rule
  and the necessary `COPY` definitions with it.

  The restored logic is required for a successful build on a bare source
  tree (as opposed to a source release tarball).

  Also shorten an existing condition similar to the one added in this
  patch.

  Regression since 07a0047882dd3f1fbf73486c5dd9c15370877ad6

  Closes #9645

- Makefile.m32: deduplicate build rules [ci skip]

  After this patch, we reduce the three copies of most `Makefile.m32`
  logic to one. This now resides in `lib/Makefile.m32`. It makes future
  updates easier, the code shorter, with a small amount of added
  complexity.

  `Makefile.m32` reduction:

  |                   |  bytes | LOC total |  blank |  comment |  code |
  |-------------------|-------:|----------:|-------:|---------:|------:|
  | 7.85.0            |  34772 |      1337 |     79 |      192 |  1066 |
  | before this patch |  17601 |       625 |     62 |      106 |   457 |
  | after this patch  |  11680 |       392 |     52 |      104 |   236 |

  Details:

  - Change rules to create objects for the `v*` subdirs in the `lib` dir.
    This allows to use a shared compile rule and assumes that filenames
    are not (and will not be) colliding across these directories.
    `Makefile.m32` now also stores a list of these subdirs. They are
    changing rarely though.

  - Sync as much as possible between the three `Makefile.m32` scripts'
    rules and their source/target sections.

  - After this patch `CPPFLAGS` are all applied to the `src` sources once
    again. This matches the behaviour of cmake/autotools. Only zlib ones
    are actually required there.

  - Use `.rc` names from `Makefile.inc` instead of keeping a duplicate.

  - Change examples to link `libcurl.dll` by default. This makes building
    trivial, even as a cross-build:
      `CC=x86_64-w64-mingw32-gcc make -f Makefile.m32`
    To run them, you need to move/copy or add-to-path `libcurl.dll`.
    You can select static mode via `CFG=-static`.

  - List more of the `Makefile.m32` config variables.

  - Drop `.rc` support from examples. It made it fragile without much
    benefit.

  - Include a necessary system lib for the `externalsocket.c` example.

  - Exclude unnecessary systems libs when building in `-dyn` mode.

  Closes #9642

Daniel Stenberg (4 Oct 2022)

- RELEASE-NOTES: synced

- CURLOPT_COOKIELIST.3: fix formatting mistake

  Also, updated manpage-syntax.pl to make it detect this error in test
  1173.

  Reported-by: ProceduralMan on github
  Fixes #9639
  Closes #9640

Jay Satiro (4 Oct 2022)

- connect: change verbose IPv6 address:port to [address]:port

  - Use brackets for the IPv6 address shown in verbose message when the
    format is address:port so that it is less confusing.

  Before: Trying 2606:4700:4700::1111:443...
  After: Trying [2606:4700:4700::1111]:443...

  Bug: https://curl.se/mail/archive-2022-02/0041.html
  Reported-by: David Hu

  Closes #9635

Viktor Szakats (3 Oct 2022)

- Makefile.m32: major rework [ci skip]

  This patch overhauls `Makefile.m32` scripts, fixing a list of quirks,
  making its behaviour and customization envvars align better with other
  build systems, aiming for less code, that is easier to read, use and
  maintain.

  Details:
  - Rename customization envvars:
    `CURL_CC` -> `CC`
    `CURL_RC` -> `RC`
    `CURL_AR` -> `AR`
    `CURL_LDFLAG_EXTRAS_DLL` -> `CURL_LDFLAGS_LIB`
    `CURL_LDFLAG_EXTRAS_EXE` -> `CURL_LDFLAGS_BIN`
  - Drop `CURL_STRIP` and `CURL_RANLIB`. These tools are no longer used.
  - Accept `CFLAGS`, `CPPFLAGS`, `RCFLAGS`, `LDFLAGS` and `LIBS` envvars.
  - Drop `CURL_CFLAG_EXTRAS`, `CURL_LDFLAG_EXTRAS`, `CURL_RCFLAG_EXTRAS` in
    favor of the above.
  - Do not automatically enable `zlib` with `libssh2`. `zlib` is optional
    with `libssh2`.
  - Omit unnecessary `CPPFLAGS` options when building `curl.exe` and
    examples.
  - Drop support for deprecated `-winssl` `CFG` option. Use `-schannel`
    instead.
  - Avoid late evaluation where not necessary (`=` -> `:=`).
  - Drop support for `CURL_DLL_A_SUFFIX` to override the implib suffix.
    Instead, use the standard naming scheme by default: `libcurl.dll.a`.
    The toolchain recognizes the name, and selects it automatically when
    asking for a `-shared` vs. `-static` build.
  - Stop applying `strip` to `libcurl.a`. Follow-up from
    16a58e9f93c7e89e1f87720199388bcfcfa148a4. There was no debug info to
    strip since then.
  - Stop setting `-O3`, `-W`, `-Wall` options. You can add these to
    `CFLAGS` as desired.
  - Always enable `-DCURL_DISABLE_OPENSSL_AUTO_LOAD_CONFIG` with OpenSSL,
    to avoid that vulnerability on Windows.
  - Add `-lbrotlicommon` to `LIBS` when using `brotli`.
  - Do not enable `-nghttp3` without `-ngtcp2`.
  - `-ssh2` and `-rtmp` options no longer try to auto-select a TLS-backend.
    You need to set the backend explicitly. This scales better and avoids
    issues with certain combinations (e.g. `libssh2` + `wolfssl` with no
    `schannel`).
  - Default to OpenSSL TLS-backend with `ngtcp2`. Possible to override via
    `NGTCP2_LIBS`.
  - Old, alternate method of enabling components (e.g. `SSH2=1`) no longer
    supported.
  - Delete `SPNEGO` references. They were no-ops.
  - Drop support for Win9x environments.
  - Allow setting `OPENSSL_LIBS` independently from `OPENSSL_LIBPATH`.
  - Support autotools/CMake `libssh2` builds by default.
  - Respect `CURL_DLL_SUFFIX` in `-dyn` mode when building `curl.exe` and
    examples.
  - Assume standard directory layout with `LIBCARES_PATH`. (Instead of the
    long gone embedded one.)
  - Stop static linking with c-ares by default. Add
    `CPPFLAGS=-DCARES_STATICLIB` to enable it.
  - Reorganize internal layout to avoid redundancy and emit clean diffs
    between src/lib and example make files.
  - Delete unused variables.
  - Code cleanups/rework.
  - Comment and indentation fixes.

  Closes #9632

- scripts/release-notes.pl: strip ci skip tag [ci skip]

  Ref: https://github.com/curl/curl/commit/e604a82cae922bf86403a94f5803ac5e4303
  ae97#commitcomment-85637701

  Reviewed-by: Daniel Stenberg

  Closes #9634

- Makefile.m32: delete legacy component bits [ci skip]

  - Drop auto-detection of OpenSSL 1.0.2 and earlier. Now always defaulting
    to OpenSSL 1.1.0 and later, LibreSSL and BoringSSL.

  - Drop `Invalid path to OpenSSL package` detection. OpenSSL has been
    using a standard file layout since 1.1.0, so this seems unnecessary
    now.

  - Drop special logic to enable Novell LDAP SDK support.

  - Drop special logic to enable OpenLDAP LDAP SDK support. This seems
    to be distinct from native OpenLDAP, with support implemented inside
    `lib/ldap.c` (vs. `lib/openldap.c`) back when the latter did not exist
    yet in curl.

  - Add `-lwldap32` only if there is no other LDAP library (either native
    OpenLDAP, or SDKs above) present.

  - Update `doc/INSTALL.md` accordingly.

  After this patch, it's necessary to make configration changes when using
  OpenSSL 1.0.2 or earlier, or the two LDAP SDKs.

  OpenSSL 1.0.2 and earlier:
  ```
  export OPENSSL_INCLUDE = <path-to-openssl>/outinc
  export OPENSSL_LIBPATH = <path-to-openssl>/out
  export OPENSSL_LIBS = -lssl32 -leay32 -lgdi32
  ```

  Novell LDAP SDK, previously enabled via `USE_LDAP_NOVELL=1`:
  ```
  export CURL_CFLAG_EXTRAS = -I<path-to-sdk>/inc -DCURL_HAS_NOVELL_LDAPSDK
  export CURL_LDFLAG_EXTRAS = -L<path-to-sdk>/lib/mscvc -lldapsdk -lldapssl -ll
  dapx
  ```

  OpenLDAP LDAP SDK, previously enabled via `USE_LDAP_OPENLDAP=1`:
  ```
  export CURL_CFLAG_EXTRAS = -I<path-to-sdk>/include -DCURL_HAS_OPENLDAP_LDAPSD
  K
  export CURL_LDFLAG_EXTRAS = -L<path-to-sdk>/lib -lldap -llber
  ```

  I haven't tested these scenarios, and in general we recommend using
  a recent OpenSSL release. Also, WinLDAP (the Windows default) and
  OpenLDAP (via `-DUSE_OPENLDAP`) are the LDAP options actively worked on
  in curl.

  Closes #9631

Daniel Stenberg (2 Oct 2022)

- vauth/ntlm.h: make line shorter than 80 columns

  Follow-up from 265fbd937

Viktor Szakats (1 Oct 2022)

- docs: update sourceforge project links [ci skip]

  SourceForge projects can now choose between two hostnames, with .io and
  .net ending. Both support HTTPS by default now. Opening the other variant
  will perm-redirected to the one chosen by the project.

  The .io -> .net redirection is done insecurely.

  Let's update the URLs to point to the current canonical endpoints to
  avoid any redirects.

  Closes #9630

Daniel Stenberg (1 Oct 2022)

- curl_url_set.3: document CURLU_APPENDQUERY proper

  Listed among the other supported flags.

  Reported-by: Robby Simpson
  Fixes #9628
  Closes #9629

Viktor Szakats (1 Oct 2022)

- Makefile.m32: cleanups and fixes [ci skip]

  - Add `-lcrypt32` once, and add it always for simplicity.
  - Delete broken link and reference to the pre-Vista WinIDN add-on.
    MS no longer distribute it.
  - Delete related `WINIDN_PATH` option. IDN is a system lib since Vista.
  - Sync `LIBCARES_PATH` default with the rest of dependencies.
  - Delete version numbers from dependency path defaults.
  - `libgsasl` package is now called `gsasl`.
  - Delete `libexpat` and `libxml2` references. No longer used by curl.
  - Delete `Edit the path below...` comments. We recommend to predefine
    those envvars instead.
  - `libcares.a` is not an internal dependency anymore. Stop using it as
    such.
  - `windres` `--include-dir` -> `-I`, `-F` -> `--target=` for readability.
  - Delete `STRIP`, `CURL_STRIP`, `AR` references from `src/Makefile.m32`.
    They were never used.
  - Stop to `clean` some objects twice in `src/Makefile.m32`.
  - Delete cvs-specific leftovers.
  - Finish resource support in examples make file.
  - Delete `-I<root>/lib` from examples make file.
  - Fix copyright start year in examples make file.
  - Delete duplicate `ftpuploadresume` input in examples make file.
  - Sync OpenSSL lib order, `SYNC` support, `PROOT` use, dependency path
    defaults, variables names and other internal bits between the three
    make files.
  - `lib/Makefile.m32` accepted custom options via `DLL_LIBS` envvar. This
    was lib-specific and possibly accidental. Use `CURL_LDFLAG_EXTRAS_DLL`
    envvar for the same effect.
  - Fix linking `curl.exe` and examples to wrong static libs with
    auto-detected OpenSSL 1.0.2 or earlier.
  - Add `-lgdi32` for OpenSSL 1.0.2 and earlier only.
  - Add link to Novell LDAP SDK and use a relative default path. Latest
    version is from 2016, linked to an outdated OpenSSL 1.0.1.
  - Whitespace and comment cleanups.

  TODO in a next commit:

  Delete built-in detection/logic for OpenSSL 1.0.2 and earlier, the Novell
  LDAP SDK and the other LDAP SDK (which is _not_ OpenLDAP). Write up the
  necessary custom envvars to configure them.

  Closes #9616

Daniel Stenberg (30 Sep 2022)

- RELEASE-NOTES: synced

Matt Holt (30 Sep 2022)

- HTTP3.md: update Caddy example

  Closes #9623

Daniel Stenberg (30 Sep 2022)

- easy: fix the altsvc init for curl_easy_duphandle

  It was using the old #ifdef which nothing sets anymore

  Closes #9624

- GHA: build tests in a separate step from the running of them

  ... to make the output smaller for when you want to look at test
  failures.

  Removed the examples build from msh3

  Closes #9619

Viktor Szakats (29 Sep 2022)

- ldap: delete stray CURL_HAS_MOZILLA_LDAP reference

  Added in 68b215157fdf69612edebdb220b3804822277822, while adding openldap
  support. This is also the single mention of this constant in the source
  tree and also in that commit. Based on these, it seems like an accident.

  Delete this reference.

  Reviewed-by: Daniel Stenberg

  Closes #9625

- docs: spelling nits

  - MingW -> MinGW (Minimalist GNU for Windows)
  - f.e. -> e.g.
  - some whitespace and punctuation.

  Reviewed-by: Daniel Stenberg

  Closes #9622

Philip Heiduck (29 Sep 2022)

- cirrus-ci: add macOS build with m1

  Signed-off-by: Philip H <47042125+pheiduck@users.noreply.github.com>

  Closes #9565

Patrick Monnerat (29 Sep 2022)

- lib: sanitize conditional exclusion around MIME

  The introduction of CURL_DISABLE_MIME came with some additional bugs:
  - Disabled MIME is compiled-in anyway if SMTP and/or IMAP is enabled.
  - CURLOPT_MIMEPOST, CURLOPT_MIME_OPTIONS and CURLOPT_HTTPHEADER are
    conditioned on HTTP, although also needed for SMTP and IMAP MIME mail
    uploads.

  In addition, the CURLOPT_HTTPHEADER and --header documentation does not
  mention their use for MIME mail.

  This commit fixes the problems above.

  Closes #9610

Thiago Suchorski (29 Sep 2022)

- docs: minor grammar fixes

  Closes #9609

Daniel Stenberg (28 Sep 2022)

- CURLSHOPT_UNLOCKFUNC.3: the callback as no 'access' argument

  Probably a copy and paste error from the lock function man page.

  Reported-by: Robby Simpson
  Fixes #9612
  Closes #9613

- CURLOPT_ACCEPT_ENCODING.3: remove "four" as they are five

  ... instead just list the supported encodings.

  Reported-by: ProceduralMan on github
  Fixes #9614
  Closes #9615

Dan Fandrich (28 Sep 2022)

- tests: Remove a duplicated keyword

- docs: document more server names for test files

Daniel Stenberg (28 Sep 2022)

- altsvc: reject bad port numbers

  The existing code tried but did not properly reject alternative services
  using negative or too large port numbers.

  With this fix, the logic now also flushes the old entries immediately
  before adding a new one, making a following header with an illegal entry
  not flush the already stored entry.

  Report from the ongoing source code audit by Trail of Bits.

  Adjusted test 356 to verify.

  Closes #9607

- functypes: provide the recv and send arg and return types

  This header is for providing the argument types for recv() and send()
  when built to not use a dedicated config-[platfor].h file.

  Remove the slow brute-force checks from configure and cmake.

  This change also removes the use of the types for select, as they were
  not used in code.

  Closes #9592

- urlapi: reject more bad characters from the host name field

  Extended test 1560 to verify

  Report from the ongoing source code audit by Trail of Bits.

  Closes #9608

- configure: deprecate builds with small curl_off_t

  If curl_off_t turns out to be smaller than 8 bytes,
  --with-n64-deprecated needs to be used to allow the build to
  continue. This is to highlight the fact that support for such builds is
  going away next year.

  Also mentioned in DEPRECATED.md

  Closes #9605

Patrick Monnerat (27 Sep 2022)

- http, vauth: always provide Curl_allow_auth_to_host() functionality

  This function is currently located in the lib/http.c module and is
  therefore disabled by the CURL_DISABLE_HTTP conditional token.

  As it may be called by TLS backends, disabling HTTP results in an
  undefined reference error at link time.

  Move this function to vauth/vauth.c to always provide it and rename it
  as Curl_auth_allowed_to_host() to respect the vauth module naming
  convention.

  Closes #9600

Daniel Stenberg (27 Sep 2022)

- ngtcp2: fix C89 compliance nit

- openssl: make certinfo available for QUIC

  Curl_ossl_certchain() is now an exported function in lib/vtls/openssl.c that
  can also be used from quiche.c and ngtcp2.c to get the cert chain for QUIC
  connections as well.

  The *certchain function was moved to the top of the file for this reason.

  Reported-by: Eloy Degen
  Fixes #9584
  Closes #9597

- RELEASE-NOTES: synced

- DEPRECATE.md: Support for systems without 64 bit data types

  Closes #9604

Patrick Monnerat (27 Sep 2022)

- tests: skip mime/form tests when mime is not built-in

  Closes #9596

Daniel Stenberg (27 Sep 2022)

- url: rename function due to name-clash in Watt-32

  Follow-up to 2481dbe5f4f58 and applies the change the way it was
  intended.

Viktor Szakats (26 Sep 2022)

- windows: adjust name of two internal public functions

  According to `docs/INTERNALS.md`, internal function names spanning source
  files start with uppercase `Curl_`. Bring these two functions in
  alignment with this.

  This also stops exporting them from `libcurl.dll` in autotools builds.

  Reviewed-by: Daniel Stenberg

  Closes #9598

Gisle Vanem (26 Sep 2022)

- url: rename function due to name-clash in Watt-32

  Since the commit 764c958c52edb427f39, there was a new function called
  resolve_ip(). This clashes with an internal function in Watt-32.

  Closes #9585

Jay Satiro (26 Sep 2022)

- schannel: ban server ALPN change during recv renegotiation

  By the time schannel_recv is renegotiating the connection, libcurl has
  already decided on a protocol and it is too late for the server to
  select a protocol via ALPN except for the originally selected protocol.

  Ref: https://github.com/curl/curl/issues/9451

  Closes https://github.com/curl/curl/pull/9463

Daniel Stenberg (26 Sep 2022)

- url: a zero-length userinfo part in the URL is still a (blank) user

  Adjusted test 1560 to verify

  Reported-by: Jay Satiro

  Fixes #9088
  Closes #9590

Viktor Szakats (25 Sep 2022)

- autotools: allow --enable-symbol-hiding with windows

  This local autotools logic was put in place in
  9e24b9c7afbcb81120af4cf3f6cdee49a06d8224 (in 2012) which disabled it for
  Windows unconditionally. Testing reveals that it actually works with
  tested toolchains (mingw-w64 and CI ones), so let's allow this build
  feature on that platform. Bringing this in sync with CMake, which already
  supported this.

  Reviewed-by: Jay Satiro

  Closes #9586

- autotools: reduce brute-force when detecting recv/send arg list

  autotools uses brute-force to detect `recv`/`send`/`select` argument
  lists, by interating through _all_ argument type combinations on each
  `./configure` run. This logic exists since
  01fa02d0b545e1433dced2430561f8c0c72b74a9 (from 2006) and was a bit later
  extended with Windows support.

  This results in a worst-case number of compile + link cycles as below:
  - `recv`: 96
  - `send`: 192
  - `select`: 60
  Total: 348 (the number of curl C source files is 195, for comparison)

  Notice that e.g. curl-for-win autotools builds require two `./configure`
  invocations, doubling these numbers.

  `recv` on Windows was especially unlucky because `SOCKET` (the correct
  choice there) was listed _last_ in one of the outer trial loops. This
  resulted in lengthy waits while autotools was trying all invalid
  combinations first, wasting cycles, disk writes and slowing down
  iteration.

  This patch reduces the amount of idle work by reordering the tests in
  a way to succeed first on a well-known platform such as Windows, and
  also on non-Windows by testing for POSIX prototypes first, on the
  assumption that these are the most likely candidates these days. (We do
  not touch `select`, where the order was already optimal for these
  platforms.)

  For non-Windows, this means to try a return value of `ssize_t` first,
  then `int`, reordering the buffer argument type to try `void *` first,
  then `byte *`, and prefer the `const` flavor with `send`. If we are
  here, also stop testing for `SOCKET` type in non-Windows builds.

  After the patch, detection on Windows is instantaneous. It should also be
  faster on popular platforms such as Linux and BSD-based ones.

  If there are known-good variations for other platforms, they can also be
  fast-tracked like above, given a way to check for that platform inside
  the autotools logic.

  Reviewed-by: Daniel Stenberg

  Closes #9591

Daniel Stenberg (23 Sep 2022)

- TODO: Provide the error body from a CONNECT response

  Spellchecked-by: Jay Satiro

  Closes #9513
  Closes #9581

Viktor Szakats (23 Sep 2022)

- windows: autotools .rc warnings fixup

  Move `LT_LANG([Windows Resource])` after `XC_LIBTOOL`, fixing:

  - Warnings when running `autoreconf -fi`.

  - Warning when compiling .rc files:
    libtool: compile: unable to infer tagged configuration
    libtool:   error: specify a tag with '--tag'

  Follow up to 6de7322c03d5b4d91576a7d9fc893e03cc9d1057
  Ref: https://github.com/curl/curl/pull/9521#issuecomment-1256291156

  Suggested-by: Patrick Monnerat
  Closes #9582

Randall S. Becker (23 Sep 2022)

- curl_setup: disable use of FLOSS for 64-bit NonStop builds

  Older 32-bit builds currently need FLOSS. This dependency may be removed
  in future OS releases.

  Signed-off-by: Randall S. Becker <randall.becker@nexbridge.ca>

  Closes #9575

Patrick Monnerat (23 Sep 2022)

- tool: remove dead code

  Add a debug assertion to verify protocols included/excluded in a set
  are always tokenized.

  Follow-up to commit 677266c.

  Closes #9576

- lib: prepare the incoming of additional protocols

  Move the curl_prot_t to its own conditional block. Introduce symbol
  PROTO_TYPE_SMALL to control it.

  Fix a cast in a curl_prot_t assignment.
  Remove an outdated comment.

  Follow-up to cd5ca80.

  Closes #9534

Daniel Stenberg (23 Sep 2022)

- msh3: change the static_assert to make the code C89

- bearssl: make it proper C89 compliant

- curl-compilers.m4: for gcc + want warnings, set gnu89 standard

  To better verify that the code is C89

  Closes #9542

Patrick Monnerat (22 Sep 2022)

- lib517: fix C89 constant signedness

  In C89, positive integer literals that overflow an int but not an
  unsigned int may be understood as a negative int.

  lib517.c:129:3: warning: this decimal constant is unsigned only in ISO C90
     {"Sun, 06 Nov 2044 08:49:37 GMT", 2362034977 },
     ^

  Closes #9572

Daniel Stenberg (22 Sep 2022)

- mprintf: use snprintf if available

  This is the single place in libcurl code where it uses the "native"
  s(n)printf() function. Used for writing floats. The use has been
  reviewed and vetted and uses a HUGE target buffer, but switching to
  snprintf() still makes this safer and removes build-time warnings.

  Reported-by: Philip Heiduck

  Fixes #9569
  Closes #9570

- docs: tag curl options better in man pages

  As it makes them links in the HTML versions.

  Verified by the extended test 1176

- symbols-in-versions: CURLOPT_ENCODING is deprecated since 7.21.6

- manpage-syntax.pl: all libcurl option symbols should be \fI-tagged

  ... as that makes them links to their corresponding man page.

  This script is used for test 1173.

  Closes #9574

- RELEASE-NOTES: synced

Patrick Monnerat (22 Sep 2022)

- tool: remove protocol count limitation

  Replace bit mask protocol sets by null-terminated arrays of protocol
  tokens. These are the addresses of the protocol names returned by
  curl_version_info().

  Protocol names are sorted case-insensitively before output to satisfy CI
  tests matches consistency.

  The protocol list returned by curl_version_info() is augmented with all
  RTMP protocol variants.

  Test 1401 adjusted for new alpha ordered output.

  Closes #9546

Daniel Stenberg (22 Sep 2022)

- test972: verify the output without using external tool

  It seems too restrictive to assume and use an external tool to verify
  the JSON. This now verifies the outut byte per byte. We could consider
  building a local "JSON verifyer" in a future.

  Remove 'jsonlint' from the CI job.

  Reported-by: Marcel Raad
  Fixes #9563
  Closes #9564

- hostip: lazily wait to figure out if IPv6 works until needed

  The check may take many milliseconds, so now it is performed once the
  value is first needed. Also, this change makes sure that the value is
  not used if the resolve is set to be IPv4-only.

  Closes #9553

- curl.h: fix mention of wrong error code in comment

  The same error and comment were also used and is now corrected in
  CURLOPT_SSH_KEYFUNCTION.3

- symbol-scan.pl: scan and verify .3 man pages

  This script now also finds all .3 man pages in docs/include and
  docs/include/opts, extracts all uses of CURL* symbols and verifies that all
  symbols mentioned in docs are defined in public headers.

  A "global symbol" is one of those matching a known prefix and the script make
  s
  an attempt to check all/most of them. Just using *all* symbols that match
  CURL* proved matching a little too many other references as well and turned
  difficult turning into something useful.

  Closes #9544

- symbols-in-versions: add missing LIBCURL* symbols

- symbol-scan.pl: also check for LIBCURL* symbols

  Closes #9544

- docs/libcurl/symbols-in-versions: add several missing symbols

- test1119: scan all public headers

  Previously this test only scanned a subset of the headers, which made us
  accidentally miss symbols that were provided in the others. Now, the script
  iterates over all headers present in include/curl.

  Closes #9544

Patrick Monnerat (21 Sep 2022)

- examples/chkspeed: improve portability

  The example program chkspeed uses strncasecmp() which is not portable
  across systems. Replace calls to this function by tests on characters.

  Closes #9562

Daniel Stenberg (21 Sep 2022)

- easy: fix the #include order

  The mentioned "last 3 includes" order should be respected. easy_lock.h should
  be included before those three.

  Reported-by: Yuriy Chernyshov
  Fixes #9560
  Closes #9561

- docs: spellfixes

  Pointed by the new CI job

- GHA: spellcheck

  This spellchecker checks markdown files. For this reason this job
  converts all man pages in the repository to markdown with pandoc before
  the check runs.

  The perl script 'cleanspell' filters out details from the man page in
  the process, to avoid the spellchecker trying to spellcheck things it
  can't. Like curl specific symbols and the SYNOPSIS and EXAMPLE sections
  of libcurl man pages.

  The spell checker does not check words in sections that are within pre,
  strong and em tags.

  'spellcheck.words' is a custom word list with additional accepted words.

  Closes #9523

- connect: fix the wrong error message on connect failures

  The "Failed to connect to" message after a connection failure would
  include the strerror message based on the presumed previous socket
  error, but in times it seems that error number is not set when reaching
  this code and therefore it would include the wrong error message.

  The strerror message is now removed from here and the curl_easy_strerror
  error is used instead.

  Reported-by: Edoardo Lolletti
  Fixes #9549
  Closes #9554

- httpput-postfields.c: shorten string for C89 compliance

  httpput-postfields.c:41:3: error: string length ‘522’ is greater than the
   length ‘509’ ISO C90 compilers are required to support [-Woverlength-str
  ings]
     41 |   "this chapter.";
        |   ^~~~~~~~~~~~~~~

  Closes #9555

- ws: fix a C89 compliance nit

  Closes #9541

Patrick Monnerat (21 Sep 2022)

- unit test 1655: make it C89-compliant

  Initializations performed in unit test 1655 use automatic variables in
  aggregates and thus can only be computed at run-time. Using gcc in C89
  dialect mode produces warning messages like:

  unit1655.c:96:7: warning: initializer element is not computable at load time 
  [-Wpedantic]
     96 |     { toolong, DOH_DNS_NAME_TOO_LONG },  /* expect early failure */
        |       ^~~~~~~

  Fix the problem by converting these automatic pointer variables to
  static arrays.

  Closes #9551

Tobias Schaefer (20 Sep 2022)

- curl_strequal.3: fix typo

  Closes #9548

Dmitry Karpov (20 Sep 2022)

- resolve: make forced IPv4 resolve only use A queries

  This protects IPv4-only transfers from undesired bad IPv6-related side
  effects and make IPv4 transfers in dual-stack libcurl behave the same
  way as in IPv4 single-stack libcurl.

  Closes #9540

Daniel Stenberg (20 Sep 2022)

- RELEASE-NOTES: synced

- winbuild/MakefileBuild.vc: handle spaces in libssh(2) include paths

  Patched-by: Mark Itzcovitz
  Bug: https://curl.se/mail/lib-2022-09/0038.html

  Closes #9536

- TODO: Reduce CA certificate bundle reparsing

  By adding some sort of cache.

  Reported-by: Michael Drake
  Closes #9379
  Closes #9538

Marc Hoersken (19 Sep 2022)

- CI/GHA: cancel outdated CI runs on new PR changes

  Avoid letting outdated CI runs continue if a PR receives
  new changes. Outside a PR we let them continue running
  by tying the concurrency to the commit hash instead.

  Also only let one CodeQL or Hacktoberfest job run at a time.

  Other CI platforms we use have this build in, but GitHub
  unfortunately neither by default nor with a simple option.

  This saves CI resources and therefore a little energy.

  Approved-by: Daniel Stenberg
  Approved-by: Max Dymond
  Closes #9533

Daniel Stenberg (19 Sep 2022)

- docs: fix proselint complaints

- GHA: run proselint on markdown files

  Co-authored-by: Marc Hörsken

  Closes #9520

- lib: the number four in a sequence is the "fourth"

  Spelling is hard

  Closes #9535

John Bampton (19 Sep 2022)

- misc: fix spelling in two source files

  Closes #9529

Viktor Szakats (18 Sep 2022)

- windows: add .rc support to autotools builds

  After this update autotools builds will compile and link `.rc` resources
  to Windows executables. Bringing this feature on par with CMake and
  Makefile.m32 builds. And also making it unnecessary to improvise these
  steps manually, while monkey patching build files, e.g. [0].

  You can customize the resource compiler via the `RC` envvar, and its
  options via `RCFLAGS`.

  This harmless warning may appear throughout the build, even though the
  autotools manual documents [1] `RC` as a valid tag, and it fails when
  omitting one:
  `libtool:   error: ignoring unknown tag RC`

  [0] https://github.com/curl/curl-for-win/blob/535f19060d4b708f72e75dd849409ce
  50baa1b84/curl-autotools.sh#L376-L382
  [1] https://www.gnu.org/software/libtool/manual/html_node/Tags.html

  Closes #9521

Marc Hoersken (18 Sep 2022)

- CI/linkcheck: only run if a Markdown file is changed

  This saves CI resources and therefore a little energy.

  Reviewed-by: Max Dymond
  Closes #9531

- README.md: add GHA status badges for Linux and macOS builds

  This makes sense now that Linux builds are being consolidated.

  Approved-by: Daniel Stenberg
  Closes #9530

  [skip ci]

Daniel Stenberg (17 Sep 2022)

- misc: null-terminate

  Make use of this term consistently.

  Closes #9527

Marc Hoersken (17 Sep 2022)

- CI/GHA: merge intel CC and more TLS libs into linux workflow

  Continue work on merging all Linux workflows into one file.

  Reviewed-by: Max Dymond
  Follow up to #9501
  Closes #9514

Patrick Monnerat (17 Sep 2022)

- lib1597: make it C89-compliant again

  Automatic variable addresses cannot be used in an initialisation
  aggregate.

  Follow-up to 9d51329

  Reported-by: Daniel Stenberg
  Fixes: #9524
  Closes #9525

Daniel Stenberg (17 Sep 2022)

- tool_libinfo: silence "different 'const' qualifiers" in qsort()

  MSVC 15.0.30729.1 warned about it

  Follow-up to dd2a024323dcc

  Closes #9522

Patrick Monnerat (16 Sep 2022)

- docs: tell about disabled protocols in CURLOPT_*PROTOCOLS_STR.

  Disabled protocols are now handled as if they were unknown.
  Also update the possible protocol list.

- cli tool: do not use disabled protocols

  As they are now rejected by the library, take care of not passing
  disabled protocol names to CURLOPT_PROTOCOLS_STR and
  CURLOPT_REDIR_PROTOCOLS_STR.

  Rather than using the CURLPROTO_* constants, dynamically assign protocol
  numbers based on the order they are listed by curl_version_info().

  New type proto_set_t implements prototype bit masks: it should therefore
  be large enough to accomodate all library-enabled protocols. If not,
  protocol numbers beyond the bit count of proto_set_t are recognized but
  "inaccessible": when used, a warning is displayed and the value is
  ignored. Should proto_set_t overflows, enabled protocols are reordered to
  force those having a public CURLPROTO_* representation to be accessible.

  Code has been added to subordinate RTMP?* protocols to the presence of
  RTMP in the enabled protocol list, being returned by curl_version_info()
  or not.

- setopt: use the handler table for protocol name to number conversions

  This also returns error CURLE_UNSUPPORTED_PROTOCOL rather than
  CURLE_BAD_FUNCTION_ARGUMENT when a listed protocol name is not found.

  A new schemelen parameter is added to Curl_builtin_scheme() to support
  this extended use.

  Note that disabled protocols are not recognized anymore.

  Tests adapted accordingly.

  Closes #9472

Daniel Stenberg (16 Sep 2022)

- altsvc: use 'h3' for h3

  Since the official and real version has been out for a while now and servers
  are deployed out there using it, there is no point in sticking to h3-29.

  Reported-by: ウさん
  Fixes #9515
  Closes #9516

chemodax (16 Sep 2022)

- winbuild: Use NMake batch-rules for compilation

  - Invoke cl compiler once for each group of .c files.

  This is significantly improves compilation time. For example in my
  environment: 40 s --> 20 s.

  Prior to this change cl was invoked per .c file.

  Closes https://github.com/curl/curl/pull/9512

Daniel Stenberg (16 Sep 2022)

- ws: the infof() flags should be %zu

  Follow-up to e5e9e0c5e49ae0

  Closes #9518

- curl: warn for --ssl use, considered insecure

  Closes #9519

Sergey Bronnikov (16 Sep 2022)

- curl_escape.3: fix typo

  lengthf -> length

  Closes #9517

Daniel Stenberg (16 Sep 2022)

- mailmap: merge Philip Heiduck's two addresses into one

- test1948: verify PUT + POST reusing the same handle

  Reproduced #9507, verifies the fix

- setopt: when POST is set, reset the 'upload' field

  Reported-by: RobBotic1 on github
  Fixes #9507
  Closes #9511

Marc Hoersken (15 Sep 2022)

- github: initial CODEOWNERS setup for CI configuration

  Reviewed-by: Daniel Stenberg
  Reviewed-by: Marcel Raad
  Reviewed-by: Max Dymond

  Closes #9505

  [skip ci]

Philip Heiduck (15 Sep 2022)

- CI: optimize some more dependencies install

  Signed-off-by: Philip Heiduck <pheiduck@Philips-MBP.lan>

  Closes #9500

Marc Hoersken (15 Sep 2022)

- CI/GHA: merge event-based and NSS into new linux workflow

  Continue work on merging all Linux workflows into one file.

  Follow up to #9501
  Closes #9506

Daniel Stenberg (15 Sep 2022)

- include/curl/websockets.h: add extern "C" for C++

  Reported-by: n0name321 on github
  Fixes #9509
  Closes #9510

- lib1560: extended to verify detect/reject of unknown schemes

  ... when no guessing is allowed.

- urlapi: detect scheme better when not guessing

  When the parser is not allowed to guess scheme, it should consider the
  word ending at the first colon to be the scheme, independently of number
  of slashes.

  The parser now checks that the scheme is known before it counts slashes,
  to improve the error messge for URLs with unknown schemes and maybe no
  slashes.

  When following redirects, no scheme guessing is allowed and therefore
  this change effectively prevents redirects to unknown schemes such as
  "data".

  Fixes #9503

- strerror: improve two URL API error messages

Marc Hoersken (14 Sep 2022)

- CI/GHA: merge bearssl and hyper into initial linux workflow

  Begin work on merging all Linux workflows into one file.

  Closes #9501

Daniel Stenberg (14 Sep 2022)

- RELEASE-NOTES: synced

- cmake: define BUILDING_LIBCURL in lib/CMakeLists, not config.h

  Since the config file might also get included by the tool code at times.
  This syncs with how other builds do it.

  Closes #9498

- tool_hugehelp: make hugehelp a blank macro when disabled

  Closes #9485

- getparameter: return PARAM_MANUAL_REQUESTED for -M even when disabled

  ... to improve the output in this situation. Now it doesn't say "option
  unknown" anymore.

  Closes #9485

- setopt: fix compiler warning

  Follow-up to cd5ca80f00d2

  closes #9502

Philip Heiduck (13 Sep 2022)

- CI: skip make, do make install at once for dependencies

  Signed-off-by: Philip Heiduck <pheiduck@Philips-MBP.lan>

  Closes #9477

Daniel Stenberg (13 Sep 2022)

- formdata: typecast the va_arg return value

  To avoid "enumerated type mixed with another type" warnings

  Follow-up from 0f52dd5fd5aa3592691a

  Closes #9499

- RELEASE-PROCEDURE.md: mention patch releases

  - When to make them and how to argue for them
  - Refreshed the release date list

  Closes #9495

- urldata: use a curl_prot_t type for storing protocol bits

  This internal-use-only storage type can be bumped to a curl_off_t once
  we need to use bit 32 as the previous 'unsigned int' can no longer hold
  them all then.

  The websocket protocols take bit 30 and 31 so they are the last ones
  that fit within 32 bits - but cannot properly be exported through APIs
  since those use *signed* 32 bit types (long) in places.

  Closes #9481

zhanghu on xiaomi (13 Sep 2022)

- formdata: fix warning: 'CURLformoption' is promoted to 'int'

  curl/lib/formdata.c: In function 'FormAdd':
  curl/lib/formdata.c:249:31: warning: 'CURLformoption' is promoted to 'int' wh
  en passed through '...'
    249 |       option = va_arg(params, CURLformoption);
        |                               ^
  curl/lib/formdata.c:249:31: note: (so you should pass 'int' not 'CURLformopti
  on' to 'va_arg')
  curl/lib/formdata.c:249:31: note: if this code is reached, the program will a
  bort

  Closes #9484

Daniel Stenberg (13 Sep 2022)

- CURLOPT_CONNECT_ONLY.3: for ws(s) as well

  and correct the version number for when that support comes. Even if it
  is still experimental for WebSocket.

  Closes #9487

- tool_operate: avoid a few #ifdefs for disabled-libcurl builds

  By providing empty macros in the header file instead, the code gets
  easier to read and yet is disabled on demand.

  Closes #9486

a1346054 on github (13 Sep 2022)

- scripts: use `grep -E` instead of `egrep`

  egrep is deprecated

  Closes #9491

Hayden Roche (13 Sep 2022)

- wolfSSL: fix session management bug.

  Prior to this commit, non-persistent pointers were being used to store
  sessions.  When a WOLFSSL object was then freed, that freed the session
  it owned, and thus invalidated the pointer held in curl's cache. This
  commit makes it so we get a persistent (deep copied) session pointer
  that we then add to the cache.  Accordingly, wolfssl_session_free, which
  was previously a no-op, now needs to actually call SSL_SESSION_free.

  This bug was discovered by a wolfSSL customer.

  Closes #9492

Daniel Stenberg (13 Sep 2022)

- docs: use "WebSocket" in singular

  This is how the RFC calls the protocol. Also rename the file in docs/ to
  WEBSOCKET.md in uppercase to match how we have done it for many other
  protocol docs in similar fashion.

  Add the WebSocket docs to the tarball.

  Closes #9496

Marcel Raad (12 Sep 2022)

- ws: fix build without `USE_WEBSOCKETS`

  The curl.h include is required unconditionally.

- ws: add missing curl.h include

  A conflict between commits 664249d0952 and e5839f4ee70 broke the build.

Daniel Stenberg (12 Sep 2022)

- ws: fix an infof() call to use %uz for size_t output

  Detected by Coverity, CID 1514665.

  Closes #9480

Marcel Raad (12 Sep 2022)

- curl_setup: include only system.h instead of curl.h

  As done before commit 9506d01ee50.

  Ref: https://github.com/curl/curl/pull/9375#discussion_r957010158
  Closes https://github.com/curl/curl/pull/9453

- lib: add missing limits.h includes

  Closes https://github.com/curl/curl/pull/9453

- lib and tests: add missing curl.h includes

  Closes https://github.com/curl/curl/pull/9453

- curl_setup: include curl.h after platform setup headers

  The platform setup headers might set definitions required for the
  includes in curl.h.

  Ref: https://github.com/curl/curl/pull/9375#discussion_r956998269
  Closes https://github.com/curl/curl/pull/9453

Benjamin Loison (12 Sep 2022)

- docs: correct missing uppercase in Markdown files

  To detect these typos I used:

  ```
  clear && grep -rn '\. [a-z]' . | uniq | grep -v '\. lib' | grep -v '[0-9]\. [
  a-z]' | grep -v '\.\. [a-z]' | grep -v '\. curl' | grep -v 'e.g. [a-z]' | gre
  p -v 'eg. [a-z]' | grep -v '\etc. [a-z]' | grep -v 'i.e\. [a-z]' | grep --col
  or=always '\. [a-z]' | grep '\.md'
  ```

  Closes #9474

Daniel Stenberg (12 Sep 2022)

- tool_setopt: use better English in --libcurl source comments

  Like this:

    XYZ was set to an object pointer
    ABC was set to a function pointer

  Closes #9475

- setopt: make protocol2num use a curl_off_t for the protocol bit

  ... since WSS does not fit within 32 bit.

  Bug: https://github.com/curl/curl/pull/9467#issuecomment-1243014887
  Closes #9476

- RELEASE-NOTES: synced

- configure: polish the grep -E message a bit further

  Suggested-by: Emanuele Torre
  Closes #9473

- GHA: add a gcc-11 -O3 build using OpenSSL

  Since -O3 might trigger other warnings

  Closes #9454

Patrick Monnerat (11 Sep 2022)

- content_encoding: use writer struct subclasses for different encodings

  The variable-sized encoding-specific storage of a struct contenc_writer
  currently relies on void * alignment that may be insufficient with
  regards to the specific storage fields, although having not caused any
  problems yet.

  In addition, gcc 11.3 issues a warning on access to fields of partially
  allocated structures that can occur when the specific storage size is 0:

    content_encoding.c: In function ‘Curl_build_unencoding_stack’:
    content_encoding.c:980:21: warning: array subscript ‘struct contenc_write
  r[0]’ is partly outside array bounds of ‘unsigned char[16]’ [-Warray-bo
  unds]
      980 |     writer->handler = handler;
          |     ~~~~~~~~~~~~~~~~^~~~~~~~~
    In file included from content_encoding.c:49:
    memdebug.h:115:29: note: referencing an object of size 16 allocated by ‘c
  url_dbg_calloc’
      115 | #define calloc(nbelem,size) curl_dbg_calloc(nbelem, size, __LINE__,
   __FILE__)
          |                             ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
  ~~~~~~~~~~
    content_encoding.c:977:60: note: in expansion of macro ‘calloc’
      977 |   struct contenc_writer *writer = (struct contenc_writer *)calloc(1
  , sz);

  To solve both these problems, the current commit replaces the
  contenc_writer/params structure pairs by "subclasses" of struct
  contenc_writer. These are structures that contain a contenc_writer at
  offset 0. Proper field alignment is therefore handled by the compiler and
  full structure allocation is performed, silencing the warnings.

  Closes #9455

Daniel Stenberg (11 Sep 2022)

- configure: correct the wording when checking grep -E

  The check first checks that grep -E works, and only as a fallback tries
  to find and use egrep. egrep is deprecated.

  This change only corrects the output wording, not the checks themselves.

  Closes #9471

Viktor Szakats (10 Sep 2022)

- websockets: sync prototypes in docs with implementation [ci skip]

  Docs for the new send/recv functions synced with the committed versions
  of these.

  Closes #9470

Daniel Stenberg (10 Sep 2022)

- setopt: make protocols2num() work with websockets

  So that CURLOPT_PROTOCOLS_STR and CURLOPT_REDIR_PROTOCOLS_STR can
  specify those as well.

  Reported-by: Patrick Monnerat
  Bug: https://curl.se/mail/lib-2022-09/0016.html
  Closes #9467

- curl/websockets.h: remove leftover bad typedef

  Just a leftover trace of a development thing that did not stay like
  that.

  Reported-by: Marc Hörsken
  Fixes #9465
  Cloes #9466

Orgad Shaneh (10 Sep 2022)

- fix Cygwin/MSYS compilation

  _getpid is Windows API. On Cygwin variants it should remain getpid.

  Fixes #8220
  Closes #9255

Marc Hoersken (10 Sep 2022)

- GHA: prepare workflow merge by aligning structure again

  Closes #9413

Daniel Stenberg (9 Sep 2022)

- docs: the websockets symbols are added in 7.86.0

  Nothing else

  Closes #9459

- tests/libtest/Makefile.inc: fixup merge conflict mistake

- EXPERIMENTAL.md: add WebSockets

- appveyor: enable websockets

- cirrus: enable websockets in the windows builds

- GHA: add websockets to macos, openssl3 and hyper builds

- tests: add websockets tests

   - add websockets support to sws
   - 2300: first very basic websockets test
   - 2301: first libcurl test for ws (not working yet)
   - 2302: use the ws callback
   - 2303: test refused upgrade

- curl_ws_meta: initial implementation

- curl_ws_meta.3: added docs

- ws: initial websockets support

  Closes #8995

- version: add ws + wss

- libtest/lib1560: test basic websocket URL parsing

- configure: add --enable-websockets

- docs/WebSockets.md: docs

- test415: verify Content-Length parser with control code + negative value

- strtoofft: after space, there cannot be a control code

  With the change from ISSPACE() to ISBLANK() this function no longer
  deals with (ignores) control codes the same way, which could lead to
  this function returning unexpected values like in the case of
  "Content-Length: \r-12354".

  Follow-up to 6f9fb7ec2d7cb389a0da5

  Detected by OSS-fuzz
  Bug: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=51140
  Assisted-by: Max Dymond
  Closes #9458

- headers: reset the requests counter at transfer start

  If not, reusing an easy handle to do a subsequent transfer would
  continue the counter from the previous invoke, which then would make use
  of the header API difficult/impossible as the request counter
  mismatched.

  Add libtest 1947 to verify.

  Reported-by: Andrew Lambert
  Fixes #9424
  Closes #9447

Jay Satiro (8 Sep 2022)

- header: define public API functions as extern c

  Prior to this change linker errors would occur if curl_easy_header or
  curl_easy_nextheader was called from a C++ unit.

  Bug: https://github.com/curl/curl/issues/9424#issuecomment-1238818007
  Reported-by: Andrew Lambert

  Closes https://github.com/curl/curl/pull/9446

Daniel Stenberg (8 Sep 2022)

- http2: make nghttp2 less picky about field whitespace

  In nghttp2 1.49.0 it returns error on leading and trailing whitespace in
  header fields according to language in the recently shipped RFC 9113.

  nghttp2 1.50.0 introduces an option to switch off this strict check and
  this change enables this option by default which should make curl behave
  more similar to how it did with nghttp2 1.48.0 and earlier.

  We might want to consider making this an option in the future.

  Closes #9448

- RELEASE-NOTES: synced

  And bump to 7.86.0 for the pending next release