[platform/upstream/curl.git] / CHANGES

                                  _   _ ____  _
                              ___| | | |  _ \| |
                             / __| | | | |_) | |
                            | (__| |_| |  _ <| |___
                             \___|\___/|_| \_\_____|

                                  Changelog

Version 7.44.0 (11 Aug 2015)

Daniel Stenberg (11 Aug 2015)
- RELEASE-NOTES: synced with c75a1e775061

- [Svyatoslav Mishyn brought this change]

  curl_formget.3: correct return code
  
  Closes #375

- [Svyatoslav Mishyn brought this change]

  libcurl-tutorial.3: fix formatting
  
  Closes #374

- [Svyatoslav Mishyn brought this change]

  curl_easy_recv.3: fix formatting

- [Anders Bakken brought this change]

  http2: discard frames with no SessionHandle
  
  Return 0 instead of NGHTTP2_ERR_CALLBACK_FAILURE if we can't locate the
  SessionHandle. Apparently mod_h2 will sometimes send a frame for a
  stream_id we're finished with.
  
  Use nghttp2_session_get_stream_user_data and
  nghttp2_session_set_stream_user_data to identify SessionHandles instead
  of a hash.
  
  Closes #372

- RELEASE-NOTES: synced with 9ee40ce2aba

- [Viktor Szakats brought this change]

  build: refer to fixed libidn versions
  
  closes #371

- Revert "configure: disable libidn by default"
  
  This reverts commit e6749055d65398315fd77f5b5b8234c5552ac2d3.
  
  ... since libidn has since been fixed.

- [Jakub Zakrzewski brought this change]

  CMake: s/HAVE_GSS_API/HAVE_GSSAPI/ to match header define
  
  Otherwise the build only pretended to use GSS-API
  
  Closes #370

- SFTP: fix range request off-by-one in size check
  
  Reported-by: Tim Stack
  
  Closes #359

- test46: update cookie expire time
  
  ... since it went old and thus was expired and caused the test to fail!

Steve Holme (9 Aug 2015)
- generate.bat: Use buildconf.bat for prerequisite file generation

- buildconf.bat: Tidy up of comments after recent commits

- buildconf.bat: Added full generation of src\tool_hugehelp.c
  
  Added support for generating the full man page based on code from
  generate.bat.

- buildconf.bat: Added detection of groff, nroff, perl and gzip
  
  To allow for the full generation of tool_hugehelp.c added detection of
  the required programs - based on code from generate.bat.

- buildconf.bat: Move DOS variable clean-up code to separate function
  
  Rather than duplicate future variables, during clean-up of both success
  and error conditions, use a common function that can be called by both.

- RELEASE-NOTES: Synced with 39dcf352d2

- buildconf.bat: Added error messages on failure

- buildconf.bat: Generate and clean files in the same order

- buildconf.bat: Maintain compatibility with DOS based systems
  
  Commit f08e30d7bc broke compatibility with DOS and non Windows NT based
  versions of Windows due to the use of the setlocal command.

Jay Satiro (9 Aug 2015)
- CURLOPT_RESOLVE.3: Note removal support was added in 7.42
  
  Bug: http://curl.haxx.se/mail/lib-2015-08/0019.html
  Reported-by: Inca R

Steve Holme (8 Aug 2015)
- checksrc.bat: Fixed error when missing *.c and *.h files
  
  File Not Found

- checksrc.bat: Fixed incorrect 'lib\vtls' path check in commit 333c36b276

- checksrc.bat: Fixed error when [directory] isn't a curl source directory
  
  The system cannot find the file specified.

- checksrc.bat: Added check for unknown arguments

- scripts: Added missing comments

- scripts: Always perform setlocal and endlocal calls in pairs
  
  Ensure that there isn't a mismatch between setlocal and endlocal calls,
  which could have happened due to setlocal being called after certain
  error conditions were checked for.

- scripts: Allow -help to be specified in any argument
  
  Allow the -help command line argument to be specified in any argument
  and not just as the first.

Daniel Stenberg (6 Aug 2015)
- [juef brought this change]

  curl_multi_remove_handle.3: fix formatting
  
  closes #366

Steve Holme (6 Aug 2015)
- README: Added notes about 'Running DLL based configurations'
  
  ...as well as a TODO for a future enhancement to the project files.
  
  Thanks-to: Jay Satiro

- RELEASE-NOTES: Synced with cf8975387f

- buildconf.bat: Synchronise no repository error with generate.bat

- generate.bat: Added a check for the presence of a git repository

- [Jay Satiro brought this change]

  build: Added wolfSSL configurations to VC10+ project files
  
  URL: https://github.com/bagder/curl/pull/174

- [Jay Satiro brought this change]

  build: Added wolfSSL build script for Visual Studio projects
  
  Added the wolfSSL build script, based on build-openssl.bat, as well as
  the property sheet and header file required for the upcoming additions
  to the Visual Studio project files.

Daniel Stenberg (6 Aug 2015)
- CHANGES: refer to the online changelog
  
  Suggested-by: mc0e

- [Isaac Boukris brought this change]

  NTLM: handle auth for only a single request
  
  Currently when the server responds with 401 on NTLM authenticated
  connection (re-used) we consider it to have failed.  However this is
  legitimate and may happen when for example IIS is set configured to
  'authPersistSingleRequest' or when the request goes thru a proxy (with
  'via' header).
  
  Implemented by imploying an additional state once a connection is
  re-used to indicate that if we receive 401 we need to restart
  authentication.
  
  Closes #363

Steve Holme (5 Aug 2015)
- RELEASE-NOTES: Synced with 473807b95f

- generate.bat: Use buildconf.bat for prerequisite file clean-up

- buildconf.bat: Added support for file clean-up via -clean

- buildconf.bat: Added progress output

- buildconf.bat: Avoid using goto for file not in repository

Daniel Stenberg (5 Aug 2015)
- curl_slist_append.3: add error checking to the example

Steve Holme (5 Aug 2015)
- buildconf.bat: Added display of usage text with -help

- buildconf.bat: Added exit codes for error handling

- buildconf.bat: Added our standard copyright header

- buildconf.bat: Use lower-case for commands and reserved keywords

- generate.bat: Only clean prerequisite files when in ALL mode

- generate.bat: Moved error messages out of sub-routines

- generate.bat: More use of lower-case for commands and reserved keywords

Daniel Stenberg (3 Aug 2015)
- libcurl.3: fix a single typo
  
  Closes #361

- RELEASE-NOTES: synced with c4eb10e2f06f

- SSH: three state machine fixups
  
  The SSH state machine didn't clear the 'rc' variable appropriately in a
  two places which prevented it from looping the way it should. And it
  lacked an 'else' statement that made it possible to erroneously get
  stuck in the SSH_AUTH_AGENT state.
  
  Reported-by: Tim Stack
  
  Closes #357

- curl_gssapi: remove 'const' to fix compiler warnings
  
  initialization discards 'const' qualifier from pointer target type

- docs: formpost needs the full size at start of upload
  
  Closes #360

Steve Holme (1 Aug 2015)
- sspi: Fix typo from left over from old code which referenced NTLM
  
  References to NTLM in the identity generation should have been removed
  in commit c469941293 but not all were.

- win32: Fix compilation warnings from commit 40c921f8b8
  
  connect.c:953:5: warning: initializer element is not computable at load
                   time
  connect.c:953:5: warning: missing initializer for field 'dwMinorVersion'
                   of 'OSVERSIONINFOEX'
  curl_sspi.c:97:5: warning: initializer element is not computable at load
                    time
  curl_sspi.c:97:5: warning: missing initializer for field 'szCSDVersion'
                    of 'OSVERSIONINFOEX'

- schannel: Fix compilation warning from commit 7a8e861a56
  
  schannel.c:1125:5: warning: missing initializer for field 'dwMinorVersion'
                     of 'OSVERSIONINFOEX' [-Wmissing-field-initializers

Daniel Stenberg (31 Jul 2015)
- libcurl-thread.3: minor reformatting

Jay Satiro (31 Jul 2015)
- curl_global_init_mem.3: Warn threaded resolver needs thread safe funcs
  
  Bug: http://curl.haxx.se/mail/lib-2015-07/0149.html
  Reported-by: Eric Ridge

- libcurl-thread.3: Warn memory functions must be thread safe
  
  Bug: http://curl.haxx.se/mail/lib-2015-07/0149.html
  Reported-by: Eric Ridge

Steve Holme (31 Jul 2015)
- RELEASE-NOTES: Synced with 8b1d00ac1a

- INSTALL: Minor formatting correction in 'Legacy Windows and SSL' section
  
  ...as well as some rewording.

Kamil Dudka (30 Jul 2015)
- http: move HTTP/2 cleanup code off http_disconnect()
  
  Otherwise it would never be called for an HTTP/2 connection, which has
  its own disconnect handler.
  
  I spotted this while debugging <https://bugzilla.redhat.com/1248389>
  where the http_disconnect() handler was called on an FTP session handle
  causing 'dnf' to crash.  conn->data->req.protop of type (struct FTP *)
  was reinterpreted as type (struct HTTP *) which resulted in SIGSEGV in
  Curl_add_buffer_free() after printing the "Connection cache is full,
  closing the oldest one." message.
  
  A previously working version of libcurl started to crash after it was
  recompiled with the HTTP/2 support despite the HTTP/2 protocol was not
  actually used.  This commit makes it work again although I suspect the
  root cause (reinterpreting session handle data of incompatible protocol)
  still has to be fixed.  Otherwise the same will happen when mixing FTP
  and HTTP/2 connections and exceeding the connection cache limit.
  
  Reported-by: Tomas Tomecek
  Bug: https://bugzilla.redhat.com/1248389

Daniel Stenberg (30 Jul 2015)
- [Viktor Szakats brought this change]

  ABI doc: use secure URL

- ABI: remove the ascii logo
  
  and made the indent level to 1

- libcurl-multi.3: mention curl_multi_wait
  
  ... and some general rewordings to improve this docs.
  
  Reported-by: Tim Stack
  
  Closes #356

Steve Holme (30 Jul 2015)
- maketgz: Fixed some VC makefiles missing from the release tarball
  
  VC7, VC11, VC12 and VC14 makefiles were missing from the release
  tarball.

- RELEASE-NOTES: Synced with 2d7e165761

- build: Added VC14 project files to Makefile.am

- build: Added VC14 project files
  
  Updates to Makefile.am for the generation of the project files in
  the tarball to follow.

Jay Satiro (29 Jul 2015)
- libcurl-thread.3: Clarify CURLOPT_NOSIGNAL takes long value 1L

Steve Holme (28 Jul 2015)
- generate.bat: Use lower-case for commands and reserved keywords
  
  Whilst there are no coding standards for the batch files used in curl,
  most tend to use lower-case for keywords and upper-case for variables.

- build: Added initial VC14 support to generate.bat
  
  Visual Studio project files and updates to makefile.am to follow.

- build: Fixed missing .opensdf files from VC10+ .gitignore files

- build: Use $(ProjectName) macro for curl.exe and curld.exe filenames
  
  This wasn't possible with the old curlsrc project filenames, but like
  commit 2a615a2b64 and 11397eb6dd for libcurl use the built in Visual
  Studio macros for the output filenames.

- build: Renamed curl src Visual Studio project files
  
  Following commit 957fcd9049 and in preparation for adding the VC14
  project files renamed the curl source project files.

Daniel Stenberg (28 Jul 2015)
- [Jay Satiro brought this change]

  libcurl-thread.3: Revert to stricter handle wording
  
  .. also update formatting and add WinSSL and wolfSSL to the SSL/TLS
  handlers list.

- [Jay Satiro brought this change]

  libcurl-thread.3: Consolidate thread safety info
  
  This is a new document to consolidate our thread safety information from
  several documents (curl-www:features, libcurl.3, libcurl-tutorial.3).
  Each document's section on multi-threading will now point to this one.

Steve Holme (27 Jul 2015)
- README: Corrected formatting for 'Legacy Windows and SSL' section
  
  ...as well as some wording.

- build-openssl.bat: Added support for VC14

Daniel Stenberg (26 Jul 2015)
- RELEASE-NOTES: synced with 0f645adc95390e8

- test1902: attempt to make the test more reliable
  
  Closes #355

- comment: fix comment about adding new option support

Jay Satiro (25 Jul 2015)
- build-openssl.bat: Show syntax if required args are missing

Daniel Stenberg (26 Jul 2015)
- TODO: improve how curl works in a windows console window
  
  Closes #322 for now

- 1.11 minimize dependencies with dynamicly loaded modules
  
  Closes #349 for now

Jay Satiro (25 Jul 2015)
- tool_operate: Fix CURLOPT_SSL_OPTIONS for builds without HTTPS
  
  - Set CURLOPT_SSL_OPTIONS only if the tool enabled an SSL option.
  
  Broken by me several days ago in 172b2be.
  https://github.com/bagder/curl/commit/172b2be#diff-70b44ee478e58d4e1ddcf9c9a73d257b
  
  Bug: http://curl.haxx.se/mail/lib-2015-07/0119.html
  Reported-by: Dan Fandrich

Daniel Stenberg (25 Jul 2015)
- configure: check if OpenSSL linking wants -ldl
  
  To make it easier to link with static versions of OpenSSL, the configure
  script now checks if -ldl is needed for linking.
  
  Help-by: TJ Saunders

- [Michael Kaufmann brought this change]

  HTTP: ignore "Content-Encoding: compress"
  
  Currently, libcurl rejects responses with "Content-Encoding: compress"
  when CURLOPT_ACCEPT_ENCODING is set to "". I think that libcurl should
  treat the Content-Encoding "compress" the same as other
  Content-Encodings that it does not support, e.g. "bzip2". That means
  just ignoring it.

- [Marcel Raad brought this change]

  openssl: work around MSVC warning
  
  MSVC 12 complains:
  
  lib\vtls\openssl.c(1554): warning C4701: potentially uninitialized local
  variable 'verstr' used It's a false positive, but as it's normally not,
  I have enabled warning-as-error for that warning.

- [Michał Fita brought this change]

  configure: add --disable-rt option
  
  This option disables any attempts in configure to create dependency on
  stuff requiring linking to librt.so and libpthread.so, in this case this
  means clock_gettime(CLOCK_MONOTONIC, &mt).
  
  We were in need to build curl which doesn't link libpthread.so to avoid
  the following bug:
  https://sourceware.org/bugzilla/show_bug.cgi?id=16628.

Kamil Dudka (23 Jul 2015)
- http2: verify success of strchr() in http2_send()
  
  Detected by Coverity.
  
  Error: NULL_RETURNS:
  lib/http2.c:1301: returned_null: "strchr" returns null (checked 103 out of 109 times).
  lib/http2.c:1301: var_assigned: Assigning: "hdbuf" = null return value from "strchr".
  lib/http2.c:1302: dereference: Incrementing a pointer which might be null: "hdbuf".
  1300|
  1301|     hdbuf = strchr(hdbuf, 0x0a);
  1302|->   ++hdbuf;
  1303|
  1304|     authority_idx = 0;

Jay Satiro (22 Jul 2015)
- Windows: Fix VerifyVersionInfo calls
  
  - Fix the VerifyVersionInfo calls, which we use to test for the OS major
  version, to also test for the minor version as well as the service pack
  major and minor versions.
  
  MSDN: "If you are testing the major version, you must also test the
  minor version and the service pack major and minor versions."
  
  https://msdn.microsoft.com/en-us/library/windows/desktop/ms725492.aspx
  
  Bug: https://github.com/bagder/curl/pull/353#issuecomment-123493098
  Reported-by: Marcel Raad <MarcelRaad@users.noreply.github.com>

- [Marcel Raad brought this change]

  schannel: Replace deprecated GetVersion with VerifyVersionInfo

Steve Holme (21 Jul 2015)
- makefile: Added support for VC14

Patrick Monnerat (21 Jul 2015)
- os400: ebcdic wrappers for new functions. Upgrade ILE/RPG bindings.

- libcurl: VERSIONINFO update
  Addition of new procedures curl_pushheader_bynum and curl_pushheader_byname
  requires VERSIONINFO updating.

- http2: satisfy external references even if http2 is not compiled in.

Daniel Stenberg (20 Jul 2015)
- http2: add stream != NULL checks for reliability
  
  They should not trigger, but in case of internal problems we at least
  avoid crashes this way.

Jay Satiro (18 Jul 2015)
- symbols-in-versions: Add new CURLSSLOPT_NO_REVOKE symbol

- SSL: Add an option to disable certificate revocation checks
  
  New tool option --ssl-no-revoke.
  New value CURLSSLOPT_NO_REVOKE for CURLOPT_SSL_OPTIONS.
  
  Currently this option applies only to WinSSL where we have automatic
  certificate revocation checking by default. According to the
  ssl-compared chart there are other backends that have automatic checking
  (NSS, wolfSSL and DarwinSSL) so we could possibly accommodate them at
  some later point.
  
  Bug: https://github.com/bagder/curl/issues/264
  Reported-by: zenden2k <zenden2k@gmail.com>

- runtests: Allow for spaces in curl custom path
  
  .. also fix some typos in test's FILEFORMAT spec.

- [David Woodhouse brought this change]

  ntlm_wb: Fix theoretical memory leak
  
  Static analysis indicated that my commit 9008f3d564 ("ntlm_wb: Fix
  hard-coded limit on NTLM auth packet size") introduced a potential
  memory leak on an error path, because we forget to free the buffer
  before returning an error.
  
  Fix this.
  
  Although actually, it never happens in practice because we never *get*
  here with state == NTLMSTATE_TYPE1. The state is always zero. That
  might want cleaning up in a separate patch.
  
  Reported-by: Terri Oda

- strerror: Add CRYPT_E_REVOKED to SSPI error strings

Kamil Dudka (14 Jul 2015)
- libtest: call PR_Cleanup() on exit if NSPR is used
  
  This prevents valgrind from reporting possibly lost memory that NSPR
  uses for file descriptor cache and other globally allocated internal
  data structures.
  
  Reported-by: Štefan Kremeň

Jay Satiro (14 Jul 2015)
- [John Malmberg brought this change]

  openssl: VMS support for SHA256
  
  setup-vms.h: More symbols for SHA256, hacks for older VAX
  
  openssl.h: Use OpenSSL OPENSSL_NO_SHA256 macro to allow building on VAX.
  
  openssl.c: Use OpenSSL version checks and OPENSSL_NO_SHA256 macro to
  allow building on VAX and 64 bit VMS.

- examples: Fix typo in multi-single.c

Daniel Stenberg (7 Jul 2015)
- [Tatsuhiro Tsujikawa brought this change]

  http2: Fix memory leak in push header array

Dan Fandrich (2 Jul 2015)
- test2041: fixed line endings in protocol part

- cyassl: fixed mismatched sha256sum function prototype

Daniel Stenberg (1 Jul 2015)
- [moparisthebest brought this change]

  SSL: Pinned public key hash support

- examples: provide <DESC> sections

- [John Malmberg brought this change]

  OpenVMS: VMS Software, Inc now the supplier.
  
  setup-vms.h: Symbol case fixups submitted by Michael Steve
  
  build_gnv_curl_pcsi_desc.com: VSI aka as VMS Software, is now the
  supplier of new versions of VMS.  The install kit needs to accept
  VSI as a producer.

Jay Satiro (30 Jun 2015)
- multi: Move http2 push function declarations to header end
  
  This change necessary for binary compatibility.
  
  Prior to this change test 1135 failed due to the order of functions.

- symbols-in-versions: Add new http2 push symbols
  
  Prior to this change test 1119 failed due to the missing symbols.

Daniel Stenberg (30 Jun 2015)
- RELEASE-NOTES: synced with e6749055d653

- configure: disable libidn by default
  
  For security reasons, until there is a fix.
  
  Bug: http://curl.haxx.se/mail/lib-2015-06/0143.html
  Reported-by: Gustavo Grieco, Feist Josselin

- SSL-PROBLEMS: mention WinSSL problems in WinXP

- CODE_OF_CONDUCT.md: added
  
  Just to underscore how we treat each other in this project. Nothing new
  really, but could be useful for newcomers and outsiders to see our
  values.

- tool_header_cb: fflush the header stream
  
  Flush the header stream when -D is used so that they are sent off
  earlier.
  
  Bug: https://github.com/bagder/curl/issues/324
  Reported-by: Cédric Connes

- [Roger Leigh brought this change]

  tests: Distribute CMakeLists.txt files in subdirectories

- CURLOPT_FAILONERROR.3: mention that it closes the connection
  
  Reported-by: bemoody
  Bug: https://github.com/bagder/curl/issues/325

- curl_multi_setopt.3: alpha sort the options

- curl_multi_setopt.3: add the new push options

- [Tatsuhiro Tsujikawa brought this change]

  http2: Use nghttp2 library error code for error return value

- [Tatsuhiro Tsujikawa brought this change]

  http2: Harden header validation for curl_pushheader_byname
  
  Since we do prefix match using given header by application code
  against header name pair in format "NAME:VALUE", and VALUE part can
  contain ":", we have to careful about existence of ":" in header
  parameter.  ":" should be allowed to match HTTP/2 pseudo-header field,
  and other use of ":" in header must be treated as error, and
  curl_pushheader_byname should return NULL.  This commit implements
  this behaviour.

- [Tatsuhiro Tsujikawa brought this change]

  CURLMOPT_PUSHFUNCTION.3: Remove unused variable

- CURLMOPT_PUSHFUNCTION.3: added example

- http2: curl_pushheader_byname now takes a const char *

- http2-serverpush.c: example code

- http2: free all header memory after the push callback

- http2: init the pushed transfer properly

- http2: fixed the header accessor functions for the push callback

- http2: setup the new pushed stream properly

- http2: initial implementation of the push callback

- http2: initial HTTP/2 server push types/docs

- test1531: verify POSTFIELDSIZE set after add_handle
  
  Following the fix made in 903b6e05565bf.

- pretransfer: init state.infilesize here, not in add_handle
  
  ... to properly support that options are set to the handle after it is
  added to the multi handle.
  
  Bug: http://curl.haxx.se/mail/lib-2015-06/0122.html
  Reported-by: Stefan Bühler

Jay Satiro (21 Jun 2015)
- [Lior Kaplan brought this change]

  tool_help: fix --tlsv1 help text to use >= for TLSv1

- INSTALL: Advise use of non-native SSL for Windows <= XP
  
  Advise that WinSSL in versions <= XP will not be able to connect to
  servers that no longer support the legacy handshakes and algorithms used
  by those versions, and to use an alternate backend like OpenSSL instead.
  
  Bug: https://github.com/bagder/curl/issues/253
  Reported-by: zenden2k <zenden2k@gmail.com>

Kamil Dudka (19 Jun 2015)
- curl_easy_setopt.3: restore contents removed by mistake
  
  ... in commit curl-7_43_0-18-g570076e

Daniel Stenberg (19 Jun 2015)
- curl_easy_setopt.3: mention CURLOPT_PIPEWAIT

Jay Satiro (18 Jun 2015)
- cookie: Fix bug in export if any-domain cookie is present
  
  In 3013bb6 I had changed cookie export to ignore any-domain cookies,
  however the logic I used to do so was incorrect, and would lead to a
  busy loop in the case of exporting a cookie list that contained
  any-domain cookies. The result of that is worse though, because in that
  case the other cookies would not be written resulting in an empty file
  once the application is terminated to stop the busy loop.

Dan Fandrich (18 Jun 2015)
- FTP: fixed compiling with --disable-proxy, broken in b88f980a

Daniel Stenberg (18 Jun 2015)
- tool: always provide negotiate/kerberos options
  
  libcurl can still be built with it, even if the tool is not. Maintain
  independence!

- TODO: Support IDNA2008

- [Viktor Szakats brought this change]

  Makefile.m32: add support for CURL_LDFLAG_EXTRAS
  
  It is similar to existing CURL_CFLAG_EXTRAS, but for
  extra linker option.

- RTSP: removed another piece of dead code
  
  Coverity CID 1306668

- openssl: fix use of uninitialized buffer
  
  Make sure that the error buffer is always initialized and simplify the
  use of it to make the logic easier.
  
  Bug: https://github.com/bagder/curl/issues/318
  Reported-by: sneis

- examples: more descriptions

- examples: add descriptions with <DESC>
  
  Using this fixed format for example descriptions, we can generate a
  better list on the web site.

- libcurl-errors.3: fix typo

- curl_easy_setopt.3: option order doesn't matter

- openssl: fix build with BoringSSL
  
  OPENSSL_load_builtin_modules does not exist in BoringSSL. Regression
  from cae43a1

- [Paul Howarth brought this change]

  openssl: Fix build with openssl < ~ 0.9.8f
  
  The symbol SSL3_MT_NEWSESSION_TICKET appears to have been introduced at
  around openssl 0.9.8f, and the use of it in lib/vtls/openssl.c breaks
  builds with older openssls (certainly with 0.9.8b, which is the latest
  older version I have to try with).

- FTP: do the HTTP CONNECT for data connection blocking
  
  ** WORK-AROUND **
  
  The introduced non-blocking general behaviour for Curl_proxyCONNECT()
  didn't work for the data connection establishment unless it was very
  fast. The newly introduced function argument makes it operate in a more
  blocking manner, more like it used to work in the past. This blocking
  approach is only used when the FTP data connecting through HTTP proxy.
  
  Blocking like this is bad. A better fix would make it work more
  asynchronously.
  
  Bug: https://github.com/bagder/curl/issues/278

- bump: start the journey toward 7.44.0

Jay Satiro (17 Jun 2015)
- CURLOPT_ERRORBUFFER.3: Fix example, escape backslashes

- CURLOPT_ERRORBUFFER.3: Improve example

Version 7.43.0 (17 Jun 2015)

Daniel Stenberg (17 Jun 2015)
- RELEASE-NOTES: 7.43.0 release

- THANKS: updated with 7.43.0 names

- [Kamil Dudka brought this change]

  http: do not leak basic auth credentials on re-used connections
  
  CVE-2015-3236
  
  This partially reverts commit curl-7_39_0-237-g87c4abb
  
  Reported-by: Tomas Tomecek, Kamil Dudka
  Bug: http://curl.haxx.se/docs/adv_20150617A.html

- [Kamil Dudka brought this change]

  test2040: verify basic auth on re-used connections

- SMB: rangecheck values read off incoming packet
  
  CVE-2015-3237
  
  Detected by Coverity. CID 1299430.
  
  Bug: http://curl.haxx.se/docs/adv_20150617B.html

Jay Satiro (17 Jun 2015)
- schannel: schannel_recv overhaul
  
  This commit is several drafts squashed together. The changes from each
  draft are noted below. If any changes are similar and possibly
  contradictory the change in the latest draft takes precedence.
  
  Bug: https://github.com/bagder/curl/issues/244
  Reported-by: Chris Araman
  
  %%
  %% Draft 1
  %%
  - return 0 if len == 0. that will have to be documented.
  - continue on and process the caches regardless of raw recv
  - if decrypted data will be returned then set the error code to CURLE_OK
  and return its count
  - if decrypted data will not be returned and the connection has closed
  (eg nread == 0) then return 0 and CURLE_OK
  - if decrypted data will not be returned and the connection *hasn't*
  closed then set the error code to CURLE_AGAIN --only if an error code
  isn't already set-- and return -1
  - narrow the Win2k workaround to only Win2k
  
  %%
  %% Draft 2
  %%
  - Trying out a change in flow to handle corner cases.
  
  %%
  %% Draft 3
  %%
  - Back out the lazier decryption change made in draft2.
  
  %%
  %% Draft 4
  %%
  - Some formatting and branching changes
  - Decrypt all encrypted cached data when len == 0
  - Save connection closed state
  - Change special Win2k check to use connection closed state
  
  %%
  %% Draft 5
  %%
  - Default to CURLE_AGAIN in cleanup if an error code wasn't set and the
  connection isn't closed.
  
  %%
  %% Draft 6
  %%
  - Save the last error only if it is an unrecoverable error.
  
  Prior to this I saved the last error state in all cases; unfortunately
  the logic to cover that in all cases would lead to some muddle and I'm
  concerned that could then lead to a bug in the future so I've replaced
  it by only recording an unrecoverable error and that state will persist.
  
  - Do not recurse on renegotiation.
  
  Instead we'll continue on to process any trailing encrypted data
  received during the renegotiation only.
  
  - Move the err checks in cleanup after the check for decrypted data.
  
  In either case decrypted data is always returned but I think it's easier
  to understand when those err checks come after the decrypted data check.
  
  %%
  %% Draft 7
  %%
  - Regardless of len value go directly to cleanup if there is an
  unrecoverable error or a close_notify was already received. Prior to
  this change we only acknowledged those two states if len != 0.
  
  - Fix a bug in connection closed behavior: Set the error state in the
  cleanup, because we don't know for sure it's an error until that time.
  
  - (Related to above) In the case the connection is closed go "greedy"
  with the decryption to make sure all remaining encrypted data has been
  decrypted even if it is not needed at that time by the caller. This is
  necessary because we can only tell if the connection closed gracefully
  (close_notify) once all encrypted data has been decrypted.
  
  - Do not renegotiate when an unrecoverable error is pending.
  
  %%
  %% Draft 8
  %%
  - Don't show 'server closed the connection' info message twice.
  
  - Show an info message if server closed abruptly (missing close_notify).

Daniel Stenberg (16 Jun 2015)
- [Paul Oliver brought this change]

  Fix typo in docs
  
  s/curret/current/

- [Viktor Szakats brought this change]

  docs: update URLs

- RELEASE-NOTES: synced with f29f2cbd00dbe5f

- [Viktor Szakats brought this change]

  README: use secure protocol for Git repository

- [Viktor Szakats brought this change]

  HTTP2.md: use SSL/TLS IETF URLs

- [Viktor Szakats brought this change]

  LICENSE-MIXING: update URLs
  
  * use SSL/TLS where available
  * follow permanent redirects

- LICENSE-MIXING: refreshed

- curl_easy_duphandle: see also *reset

- rtsp_do: fix DEAD CODE
  
  "At condition p_request, the value of p_request cannot be NULL."
  
  Coverity CID 1306668.

- security:choose_mech fix DEAD CODE warning
  
  ... by removing the "do {} while (0)" block.
  
  Coverity CID 1306669

- curl.1: netrc is in man section 5

- curl.1: small format fix
  
  use \fI-style instead of .BR for references

- urldata: store POST size in state.infilesize too
  
  ... to simplify checking when PUT _or_ POST have completed.
  
  Reported-by: Frank Meier
  Bug: http://curl.haxx.se/mail/lib-2015-06/0019.html

Dan Fandrich (14 Jun 2015)
- test1530: added http to required features

Jay Satiro (14 Jun 2015)
- [Drake Arconis brought this change]

  build: Fix typo from OpenSSL 1.0.2 version detection fix

- [Drake Arconis brought this change]

  build: Properly detect OpenSSL 1.0.2 when using configure

- curl_multi_info_read.3: fix example formatting

Daniel Stenberg (13 Jun 2015)
- BINDINGS: there's a new R binding in town!

- BINDINGS: added the Xojo binding

Jay Satiro (11 Jun 2015)
- [Joel Depooter brought this change]

  schannel: Add support for optional client certificates
  
  Some servers will request a client certificate, but not require one.
  This change allows libcurl to connect to such servers when using
  schannel as its ssl/tls backend. When a server requests a client
  certificate, libcurl will now continue the handshake without one,
  rather than terminating the handshake. The server can then decide
  if that is acceptable or not. Prior to this change, libcurl would
  terminate the handshake, reporting a SEC_I_INCOMPLETE_CREDENTIALS
  error.

Daniel Stenberg (11 Jun 2015)
- curl_easy_cleanup.3: provide more SEE ALSO

- debug: remove http2 debug leftovers

- VERSIONS: now using markdown

- RELEASE-PROCEDURE: remove ascii logo at the top of file

- INTERNALS: absorbed docs/LIBCURL-STRUCTS

- INTERNALS: cat lib/README* >> INTERNALS
  
  and a conversion to markdown. Removed the lib/README.* files. The idea
  being to move toward having INTERNALS as the one and only "book" of
  internals documentation.
  
  Added a TOC to top of the document.

Jay Satiro (8 Jun 2015)
- openssl: LibreSSL and BoringSSL do not use TLS_client_method
  
  Although OpenSSL 1.1.0+ deprecated SSLv23_client_method in favor of
  TLS_client_method LibreSSL and BoringSSL didn't and still use
  SSLv23_client_method.
  
  Bug: https://github.com/bagder/curl/commit/49a6642#commitcomment-11578009
  Reported-by: asavah@users.noreply.github.com

Daniel Stenberg (9 Jun 2015)
- RELEASE-NOTES: synced with 20ac3458068

- CURLOPT_OPENSOCKETFUNCTION: return error at once
  
  When CURL_SOCKET_BAD is returned in the callback, it should be treated
  as an error (CURLE_COULDNT_CONNECT) if no other socket is subsequently
  created when trying to connect to a server.
  
  Bug: http://curl.haxx.se/mail/lib-2015-06/0047.html

- fopen.c: fix a few compiler warnings

- [Ville Skyttä brought this change]

  docs: Spelling fixes

- [Ville Skyttä brought this change]

  docs: man page indentation and syntax fixes

Linus Nielsen (8 Jun 2015)
- help: Add --proxy-service-name and --service-name to the --help output

Jay Satiro (7 Jun 2015)
- openssl: Fix verification of server-sent legacy intermediates
  
  - Try building a chain using issuers in the trusted store first to avoid
  problems with server-sent legacy intermediates.
  
  Prior to this change server-sent legacy intermediates with missing
  legacy issuers would cause verification to fail even if the client's CA
  bundle contained a valid replacement for the intermediate and an
  alternate chain could be constructed that would verify successfully.
  
  https://rt.openssl.org/Ticket/Display.html?id=3621&user=guest&pass=guest

Daniel Stenberg (5 Jun 2015)
- BINDINGS: update several URLs
  
  Stop linking to the curl.haxx.se anchor pages, they are usually only
  themselves pointers to the real page so better point there directly
  instead.

- BINDINGS: the curl-rust binding

- curl.h: add CURL_HTTP_VERSION_2
  
  The protocol is named "HTTP/2" after all. It is an alias for the
  existing CURL_HTTP_VERSION_2_0 enum.

- openssl: removed error string #ifdef
  
  ERR_error_string_n() was introduced in 0.9.6, no need to #ifdef anymore

- openssl: removed USERDATA_IN_PWD_CALLBACK kludge
  
  Code for OpenSSL 0.9.4 serves no purpose anymore!

- openssl: remove SSL_get_session()-using code
  
  It was present for OpenSSL 0.9.5 code but we only support 0.9.7 or
  later.

- openssl: remove dummy callback use from SSL_CTX_set_verify()
  
  The existing callback served no purpose.

- LIBCURL-STRUCTS: clarify for multiplexing

Jay Satiro (3 Jun 2015)
- cookie: Stop exporting any-domain cookies
  
  Prior to this change any-domain cookies (cookies without a domain that
  are sent to any domain) were exported with domain name "unknown".
  
  Bug: https://github.com/bagder/curl/issues/292

Daniel Stenberg (3 Jun 2015)
- RELEASE-PROCEDURE: refreshed 'coming dates'

Jay Satiro (2 Jun 2015)
- curl_setup: Change fopen text macros to use 't' for MSDOS
  
  Bug: https://github.com/bagder/curl/pull/258#issuecomment-107915198
  Reported-by: Gisle Vanem

Daniel Stenberg (2 Jun 2015)
- curl_multi_timeout.3: added example

- curl_multi_perform.3: added example

- curl_multi_info_read.3: added example

- checksrc: detect fopen() for text without the FOPEN_* macros
  
  Follow-up to e8423f9ce150 with discussionis in
  https://github.com/bagder/curl/pull/258
  
  This check scans for fopen() with a mode string without 'b' present, as
  it may indicate that an FOPEN_* define should rather be used.

- curl_getdate.3: update RFC reference

Jay Satiro (1 Jun 2015)
- curl_setup: Add macros for FOPEN_READTEXT, FOPEN_WRITETEXT
  
  - Change fopen calls to use FOPEN_READTEXT instead of "r" or "rt"
  - Change fopen calls to use FOPEN_WRITETEXT instead of "w" or "wt"
  
  This change is to explicitly specify when we need to read/write text.
  Unfortunately 't' is not part of POSIX fopen so we can't specify it
  directly. Instead we now have FOPEN_READTEXT, FOPEN_WRITETEXT.
  
  Prior to this change we had an issue on Windows if an application that
  uses libcurl overrides the default file mode to binary. The default file
  mode in Windows is normally text mode (translation mode) and that's what
  libcurl expects.
  
  Bug: https://github.com/bagder/curl/pull/258#issuecomment-107093055
  Reported-by: Orgad Shaneh

Daniel Stenberg (1 Jun 2015)
- http2-upload.c: use PIPEWAIT for playing HTTP/2 better

- http2-download: check for CURLPIPE_MULTIPLEX properly
  
  Bug: http://curl.haxx.se/mail/lib-2015-06/0001.html
  Reported-by: Rafayel Mkrtchyan

- [Isaac Boukris brought this change]

  HTTP-NTLM: fail auth on connection close instead of looping
  
  Bug: https://github.com/bagder/curl/issues/256

- 5.6 Refuse "downgrade" redirects

- README.pingpong: removed

- ROADMAP: remove HTTP/2 multiplexing - its here now

- HTTP2.md: formatted properly

- HTTP2: moved docs into docs/ and make it markdown

- README.http2: refreshed and added multiplexing info

- dist: add the http2 examples

- http2 examples: clean up some comments

- examples: added two programs doing multiplexed HTTP/2

- scripts: moved contributors.sh and contrithanks.sh into subdir

- RELEASE-NOTES: synced with c005790ff1c0a

- [Daniel Melani brought this change]

  openssl: typo in comment

Jay Satiro (27 May 2015)
- openssl: Use TLS_client_method for OpenSSL 1.1.0+
  
  SSLv23_client_method is deprecated starting in OpenSSL 1.1.0. The
  equivalent is TLS_client_method.
  
  https://github.com/openssl/openssl/commit/13c9bb3#diff-708d3ae0f2c2973b272b811315381557

Daniel Stenberg (26 May 2015)
- FAQ: How do I port libcurl to my OS?

Jay Satiro (25 May 2015)
- CURLOPT_COOKIELIST.3: Explain Set-Cookie without a domain
  
  Document that if Set-Cookie is used without a domain then the cookie is
  sent for any domain and will not be modified.
  
  Bug: http://curl.haxx.se/mail/lib-2015-05/0137.html
  Reported-by: Alexander Dyagilev

Daniel Stenberg (25 May 2015)
- [Tatsuhiro Tsujikawa brought this change]

  http2: Copy data passed in Curl_http2_switched into HTTP/2 connection buffer
  
  Previously, after seeing upgrade to HTTP/2, we feed data followed by
  upgrade response headers directly to nghttp2_session_mem_recv() in
  Curl_http2_switched().  But it turns out that passed buffer, mem, is
  part of stream->mem, and callbacks called by
  nghttp2_session_mem_recv() will write stream specific data into
  stream->mem, overwriting input data.  This will corrupt input, and
  most likely frame length error is detected by nghttp2 library.  The
  fix is first copy the passed data to HTTP/2 connection buffer,
  httpc->inbuf, and call nghttp2_session_mem_recv().

Jay Satiro (24 May 2015)
- CURLOPT_COOKIE.3: Explain that the cookies won't be modified
  
  The CURLOPT_COOKIE doc says it "sets the cookie header explicitly in the
  outgoing request(s)." However there seems to be some user confusion
  about cookie modification. Document that the cookies set by this option
  are not modified by the cookie engine.
  
  Bug: http://curl.haxx.se/mail/lib-2015-05/0115.html
  Reported-by: Alexander Dyagilev

- CURLOPT_COOKIELIST.3: Add example

Dan Fandrich (24 May 2015)
- testcurl.pl: use rel2abs to make the source directory absolute
  
  This function makes a platform-specific absolute path which uses
  backslashes on Windows. This form works when passing it on the
  command-line, as well as if the source is on another drive.

- conncache: fixed memory leak on OOM (torture tests)

Daniel Stenberg (24 May 2015)
- perl: remove subdir, not touched in 9 years

- log2changes.pl: moved to scripts/

- [Alessandro Ghedini brought this change]

  scripts: add zsh.pl for generating zsh completion

Dan Fandrich (23 May 2015)
- test1510: another flaky test

Daniel Stenberg (22 May 2015)
- security: fix "Unchecked return value" from sscanf()
  
  By (void) prefixing it and adding a comment. Did some minor related
  cleanups.
  
  Coverity CID 1299423.

- security: simplify choose_mech
  
  Coverity CID 1299424 identified dead code because of checks that could
  never equal true (if the mechanism's name was NULL).
  
  Simplified the function by removing a level of pointers and removing the
  loop and array that weren't used.

- RTSP: catch attempted unsupported requests better
  
  Replace use of assert with code that properly catches bad input at
  run-time even in non-debug builds.
  
  This flaw was sort of detected by Coverity CID 1299425 which claimed the
  "case RTSPREQ_NONE" was dead code.

- share_init: fix OOM crash
  
  A failed calloc() would lead to NULL pointer use.
  
  Coverity CID 1299427.

- parse_proxy: switch off tunneling if non-HTTP proxy
  
  non-HTTP proxy implies not using CURLOPT_HTTPPROXYTUNNEL
  
  Bug: http://curl.haxx.se/mail/lib-2015-05/0056.html
  Reported-by: Sean Boudreau

- curl: fix potential NULL dereference
  
  Coverity CID 1299428: Dereference after null check (FORWARD_NULL)

- http2: on_frame_recv: return early on stream 0
  
  Coverity CID 1299426 warned about possible NULL dereference otherwise,
  but that would only ever happen if we get invalid HTTP/2 data with
  frames for stream 0. Avoid this risk by returning early when stream 0 is
  used.

- http: removed self assignment
  
  Follow-up fix from b0143a2a33f0
  
  Detected by coverity. CID 1299429

- [Tatsuhiro Tsujikawa brought this change]

  http2: Make HTTP Upgrade work
  
  This commit just add implicitly opened stream 1 to streams hash.

Jay Satiro (22 May 2015)
- strerror: Change SEC_E_ILLEGAL_MESSAGE description
  
  Prior to this change the description for SEC_E_ILLEGAL_MESSAGE was OS
  and language specific, and invariably translated to something not very
  helpful like: "The message received was unexpected or badly formatted."
  
  Bug: https://github.com/bagder/curl/issues/267
  Reported-by: Michael Osipov

- telnet: Fix read-callback change for Windows builds
  
  Refer to b0143a2 for more information on the read-callback change.

Daniel Stenberg (21 May 2015)
- CURLOPT_HTTPPROXYTUNNEL.3: only works with a HTTP proxy!

Dan Fandrich (21 May 2015)
- testcurl.pl: allow source to be in an arbitrary directory
  
  This way, the build directory can be located on an entirely different
  filesystem from the source code (e.g. a tmpfs).

Daniel Stenberg (20 May 2015)
- read_callback: move to SessionHandle from connectdata
  
  With many easy handles using the same connection for multiplexing, it is
  important we store and keep the transfer-oriented stuff in the
  SessionHandle so that callbacks and callback data work fine even when
  many easy handles share the same physical connection.

- http2: show stream IDs in decimal
  
  It makes them easier to match output from the nghttpd test server.

- [Tatsuhiro Tsujikawa brought this change]

  http2: Faster http2 upload
  
  Previously, when we send all given buffer in data_source_callback, we
  return NGHTTP2_ERR_DEFERRED, and nghttp2 library removes this stream
  temporarily for writing.  This itself is good.  If this is the sole
  stream in the session, nghttp2_session_want_write() returns zero,
  which means that libcurl does not check writeability of the underlying
  socket.  This leads to very slow upload, because it seems curl only
  upload 16k something per 1 second.  To fix this, if we still have data
  to send, call nghttp2_session_resume_data after nghttp2_session_send.
  This makes nghttp2_session_want_write() returns nonzero (if connection
  window still opens), and as a result, socket writeability is checked,
  and upload speed becomes normal.

- [Dmitry Eremin-Solenikov brought this change]

  gtls: don't fail on non-fatal alerts during handshake
  
  Stop curl from failing when non-fatal alert is received during
  handshake.  This e.g. fixes lots of problems when working with https
  sites through proxies.

- curl_easy_unescape.3: update RFC reference
  
  Reported-by: bsammon
  Bug: https://github.com/bagder/curl/issues/282

Jay Satiro (20 May 2015)
- CURLOPT_POSTFIELDS.3: Mention curl_easy_escape
  
  .. also correct some variable naming in curl_easy_escape.3
  
  Bug: https://github.com/bagder/curl/issues/281
  Reported-by: bsammon@users.noreply.github.com

Daniel Stenberg (19 May 2015)
- [Brian Prodoehl brought this change]

  openssl: Use SSL_CTX_set_msg_callback and SSL_CTX_set_msg_callback_arg
  
  BoringSSL removed support for direct callers of SSL_CTX_callback_ctrl
  and SSL_CTX_ctrl, so move to a way that should work on BoringSSL and
  OpenSSL.
  
  re #275

Jay Satiro (19 May 2015)
- curl.1: fix missing space in section --data

Daniel Stenberg (19 May 2015)
- transfer: remove erroneous and misleading comment

Kamil Dudka (19 May 2015)
- http: silence compile-time warnings without USE_NGHTTP2
  
  Error: CLANG_WARNING:
  lib/http.c:173:16: warning: Value stored to 'http' during its initialization is never read
  
  Error: COMPILER_WARNING:
  lib/http.c: scope_hint: In function ‘http_disconnect’
  lib/http.c:173:16: warning: unused variable ‘http’ [-Wunused-variable]

Jay Satiro (19 May 2015)
- transfer: Replace __func__ instances with function name
  
  .. also make __func__ replacement in multi.
  
  Prior to this change debug builds would fail to build if the compiler
  was building pre-c99 and didn't support __func__.

Daniel Stenberg (19 May 2015)
- [Viktor Szakats brought this change]

  build: bump version in default nghttp2 paths

- INTERNALS: we require nghttp2 1.0.0+ now

Jay Satiro (18 May 2015)
- http: Add some include guards for the new HTTP/2 stuff

Daniel Stenberg (18 May 2015)
- http2: store upload state per stream
  
  Use a curl_off_t for upload left

- http2: fix build when NOT h2-enabled

- http2: switch to use Curl_hash_destroy()
  
  as after 4883f7019d3, the *_clean() function only flushes the hash.

- curlver: restore LIBCURL_VERSION_NUM defined as a full number
  
  As it breaks configure, curl-config and test 1023 if not.

- [Anthony Avina brought this change]

  hostip: fix unintended destruction of hash table
  
  .. and added unit1602 for hash.c

- curlver: introducing new version number (checking) macros

- runtests.pl: use 'h2c' now, no -14 anymore

- [Tatsuhiro Tsujikawa brought this change]

  http2: Ignore if we have stream ID not in hash in on_stream_close
  
  We could get stream ID not in the hash in on_stream_close.  For
  example, if we decided to reject stream (e.g., PUSH_PROMISE), then we
  don't create stream and store it in hash with its stream ID.

- [Tatsuhiro Tsujikawa brought this change]

  Require nghttp2 v1.0.0
  
  This commit requires nghttp2 v1.0.0 to compile, and migrate to v1.0.0,
  and utilize recent version of nghttp2 to simplify the code,
  
  First we use nghttp2_option_set_no_recv_client_magic function to
  detect nghttp2 v1.0.0.  That function only exists since v1.0.0.
  
  Since nghttp2 v0.7.5, nghttp2 ensures header field ordering, and
  validates received header field.  If it found error, RST_STREAM with
  PROTOCOL_ERROR is issued.  Since we require v1.0.0, we can utilize
  this feature to simplify libcurl code.  This commit does this.
  
  Migration from 0.7 series are done based on nghttp2 migration
  document.  For libcurl, we removed the code sending first 24 bytes
  client magic.  It is now done by nghttp2 library.
  on_invalid_frame_recv callback signature changed, and is updated
  accordingly.

- http2: infof length in on_frame_send()

- pipeline: switch some code over to functions
  
  ... to "compartmentalize" a bit and make it easier to change behavior
  when multiplexing is used instead of good old pipelining.

- symbols-in-versions: add CURLOPT_PIPEWAIT

- CURLOPT_PIPEWAIT: added
  
  By setting this option to 1 libcurl will wait for a connection to reveal
  if it is possible to pipeline/multiplex on before it continues.

- Curl_http_readwrite_headers: minor code simplification

- IsPipeliningPossible: fixed for http2

- http2: bump the h2 buffer size to 32K for speed

- http2: remove the stream from the hash in stream_close callback
  
  ... and suddenly things work much better!

- http2: if there is paused data, do not clear the drain field

- http2: rename s/data/pausedata

- http2: "stream %x" in all outputs to make it easier to search for

- http2: Curl_expire() all handles with incoming traffic
  
  ... so that they'll get handled next in the multi loop.

- http2: don't signal settings change for same values

- http2: set default concurrency, fix ConnectionExists for multiplex

- bundles: store no/default/pipeline/multiplex
  
  to allow code to act differently on the situation.
  
  Also added some more info message for the connection re-use function to
  make it clearer when connections are not re-used.

- http2: lazy init header_recvbuf
  
  It makes us use less memory when not doing HTTP/2 and subsequently also
  makes us not have to cleanup HTTP/2 related data when not using HTTP/2!

- http2: separate multiplex/pipelining + cleanup memory leaks

- CURLMOPT_PIPELINE: bit 1 is for multiplexing

- [Tatsuhiro Tsujikawa brought this change]

  http2: Fix bug that data to be drained are overwritten by pending "paused" data

- [Tatsuhiro Tsujikawa brought this change]

  http2: Don't call nghttp2_session_mem_recv while it is paused by a stream

- [Tatsuhiro Tsujikawa brought this change]

  http2: Read data left in connection buffer after pause
  
  Previously when we do pause because of out of buffer, we just throw
  away unread data in connection buffer.  This just broke protocol
  framing, and I saw occasional FRAME_SIZE_ERROR.  This commit fix this
  issue by remembering how much data read, and in the next iteration, we
  process remaining data.

- [Tatsuhiro Tsujikawa brought this change]

  http2: Fix streams get stuck
  
  This commit fixes the bug that streams get stuck if stream gets some
  DATA, and stream->closed becomes true at the same time.  Previously,
  in this condition, after we processed DATA, we are going to try to
  read data from underlying transport, but there is no data, and gets
  EAGAIN.  There was no code path to evaludate stream->closed.

- http2: store incoming h2 SETTINGS

- pipeline: move function to pipeline.c and make static
  
  ... as it was only used from there.

- IsPipeliningPossible: http2 can always "pipeline" (multiplex)

- http2: remove debug logging from on_frame_recv

- http2: remove the closed check in http2_recv
  
  With the "drained" functionality we can get here slightly asynchronously
  so the stream have have been closed but there is pending data left to
  read.

- http2: bump the h2 buffer to 8K

- http2: Curl_read should not use the single buffer
  
  ... as it does for pipelining when we're multiplexing, as we need the
  different buffers to store incoming data correctly for all streams.

- http2: more debug outputs

- http2: leave WAITPERFORM when conn is multiplexed
  
  No need to wait for our "spot" like for pipelining

- http2: force "drainage" of streams
  
  ... which is necessary since the socket won't be readable but there is
  data waiting in the buffer.

- http2: move the mem+len pair to the stream struct

- http2: more stream-oriented data, stream ID 0 is for connections

- http2: move lots of state data to the 'stream' struct
  
  ... from the connection struct. The stream one being the 'struct HTTP'
  which is kept in the SessionHandle struct (easy handle).
  
  lookup streams for incoming frames in the stream hash, hashing is based
  on the stream id and we get the SessionHandle for the incoming stream
  that way.

- HTTP: partial start at fixing up hash-lookups on http2 frame receival

- http: a stream hash for h2 multiplexing

- http: a stream hash for h2 multiplexing

- http2: debug log when receiving unexpected stream_id

- http2: move stream_id to the HTTP struct (per-stream)

- Curl_http2_setup: only do it once and enable multiplex on the server
  
  Once we know we are HTTP/2 enabled we know the server can multiplex.

- http: switch on "pipelining" (multiplexing) for HTTP/2 servers
  
  ... and do not blacklist any.

- README.pipelining: removed
  
  All the details mentioned here are better documented in man pages

Dan Fandrich (14 May 2015)
- build: removed bundles.c from make files
  
  This file was removed in commit fd137786

Daniel Stenberg (14 May 2015)
- Curl_conncache_add_conn: fix memory leak on OOM

- CURLMOPT_MAX_HOST_CONNECTIONS: host = host name + port number

- conncache: keep bundles on host+port bases, not only host names
  
  Previously we counted all connections to a specific host name and that
  would be used for the CURLMOPT_MAX_HOST_CONNECTIONS check for example,
  while servers on different port numbers are normally considered
  different "origins" on the web and should thus be considered different
  hosts.

- bundles: merged into conncache.c
  
  All the existing Curl_bundle* functions were only ever used from within
  the conncache.c file, so I moved them over and made them static (and
  removed the Curl_ prefix).

- hostcache: made all host caches use structs, not pointers
  
  This avoids unnecessary dynamic allocs and as this also removed the last
  users of *hash_alloc() and *hash_destroy(), those two functions are now
  removed.

- multi: converted socket hash into non-allocated struct
  
  avoids extra dynamic allocation

- connection cache: avoid Curl_hash_alloc()
  
  ... by using plain structs instead of pointers for the connection cache,
  we can avoid several dynamic allocations that weren't necessary.

- proxy: add newline to info message

Patrick Monnerat (8 May 2015)
- FTP: fix dangling conn->ip_addr dereference on verbose EPSV.

- FTP: Make EPSV use the control IP address rather than the original host.
  This ensures an alternate address is not used.
  Does not apply to proxy tunnel.

Daniel Stenberg (8 May 2015)
- [Alessandro Ghedini brought this change]

  tool_help: fix formatting for --next option

- [Egon Eckert brought this change]

  opts: improved the TCP keepalive examples

Jay Satiro (8 May 2015)
- winbuild: Document the option used to statically link the CRT
  
  - Document option RTLIBCFG (runtime library configuration).
  
  Bug: https://github.com/bagder/curl/issues/254
  Reported-by: Bert Huijben

- [Orgad Shaneh brought this change]

  netrc: Read in text mode when cygwin
  
  Use text mode when cygwin to eliminate trailing carriage returns.
  
  Bug: https://github.com/bagder/curl/pull/258

Patrick Monnerat (5 May 2015)
- OS400: Add SPNEGO service name options to ILE/RPG binding.

Daniel Stenberg (4 May 2015)
- curl_multi_info_read.3: fix typo
  
  Reported-by: Liviu Chircu

- MANUAL: language fix
  
  Reported-by: Fred Stluka
  Bug: https://github.com/bagder/curl/issues/255

- [Alessandro Ghedini brought this change]

  gtls: properly retrieve certificate status
  
  Also print the revocation reason if appropriate.

- OpenSSL: conditional check for SSL3_RT_HEADER
  
  The symbol is fairly new.
  
  Reported-by: Kamil Dudka

- openssl: skip trace outputs for ssl_ver == 0
  
  The OpenSSL trace callback is wonderfully undocumented but given a
  journey in the source code, it seems the cases were ssl_ver is zero
  doesn't follow the same pattern and thus turned out confusing and
  misleading. For now, we skip doing any CURLINFO_TEXT logging on those
  but keep sending them as CURLINFO_SSL_DATA_OUT/IN.
  
  Also, I added direction to the text info and I edited some functions
  slightly.
  
  Bug: https://github.com/bagder/curl/issues/219
  Reported-by: Jay Satiro, Ashish Shukla

Marc Hoersken (2 May 2015)
- schannel.c: Small changes

- schannel.c: Improve code path and readability

- schannel.c: Improve error and return code handling upon aa99a63f03

- [Chris Araman brought this change]

  schannel: fix regression in schannel_recv
  
  https://github.com/bagder/curl/issues/244
  
  Commit 145c263 changed the behavior when Curl_read_plain returns
  CURLE_AGAIN. We now handle CURLE_AGAIN and SEC_I_CONTEXT_EXPIRED
  correctly.

- Bug born in changes made several days ago 9a91e80.
  
  Commit: https://github.com/bagder/curl/commit/926cb9f
  Reported-by: Ray Satiro

Daniel Stenberg (30 Apr 2015)
- [Michael Osipov brought this change]

  configure: remove missing and make it autogenerate
  
  The missing file has not been autogenerated because a temporary fix was
  employed in acinclude.m4 which blocked update. Removed that fix and a recent
  version of missing is copied to build root.

- [Michael Osipov brought this change]

  acinclude.m4: fix test for default CA cert bundle/path
  
  test(1) on HP-UX requires a single equals sign and fails with two.
  Let's use one and make every OS happy.

- CONTRIBUTING.md: remove the sourceforge mention
  
  Reported-By: Michael Osipov

Dan Fandrich (30 Apr 2015)
- http_negotiate_sspi: added missing data variable

Daniel Stenberg (30 Apr 2015)
- [Michael Osipov brought this change]

  configure: remove --automake from libtoolize call
  
  That option is not mentioned in the man page of libtoolize 2.4.4.19-fda4.
  Moveover, a comment in line 2623 says "--automake is for 1.5 compatibility".
  
  This option is redundant now.

- [Viktor Szakats brought this change]

  build: update depedency versions, urls, example makefiles
  
  - update default versions of dependencies (except for rare/old platforms)
  - update urls
  - sync examples makefiles with main ones
  - remove line ending space

- [Michael Osipov brought this change]

  configure: remove autogenerated files by autoconf
  
  * install-sh is always regenerated
  * mkinstalldirs was already redudant years ago. Automake uses install for
    that. See: http://lists.gnu.org/archive/html/automake/2007-03/msg00015.html

- [Anders Bakken brought this change]

  curl_multi_add_handle: next is already NULL

Jay Satiro (30 Apr 2015)
- schannel: Fix out of bounds array
  
  Bug born in changes made several days ago 9a91e80.
  
  Bug: http://curl.haxx.se/mail/lib-2015-04/0199.html
  Reported-by: Brian Chrisman

- docs/libcurl: gitignore libcurl-symbols.3
  
  Bug: http://curl.haxx.se/mail/lib-2015-04/0191.html
  Reported-by: Michael Osipov

- [Viktor Szakats brought this change]

  lib/makefile.m32: add arch -m32/-m64 to LDFLAGS
  
  This fixes using a multi-target mingw distro to build curl .dll for the
  non-default target.
  (mirroring the same patch present in src/makefile.m32)

Daniel Stenberg (29 Apr 2015)
- RELEASE-NOTES: synced with cd39b944afc
  
  I've not mentioned the bug fixes that were shipped in 7.42.1 from the
  7_42 branch.

- THANKS: merged from the 7.42.1 release

- CURLOPT_HEADEROPT: default to separate
  
  Make the HTTP headers separated by default for improved security and
  reduced risk for information leakage.
  
  Bug: http://curl.haxx.se/docs/adv_20150429.html
  Reported-by: Yehezkel Horowitz, Oren Souroujon

Linus Nielsen (28 Apr 2015)
- docs/libcurl: Corrected a typo in the CURLOPT_PROXY_SERVICE_NAME documentation

Daniel Stenberg (28 Apr 2015)
- hash: simplify Curl_str_key_compare()

- dist: ship CURLOPT_PROXY_SERVICE_NAME and CURLOPT_SERVICE_NAME

- [Linus Nielsen brought this change]

  Negotiate: custom service names for SPNEGO.
  
  * Add new options, CURLOPT_PROXY_SERVICE_NAME and CURLOPT_SERVICE_NAME.
  * Add new curl options, --proxy-service-name and --service-name.

- http2: unify http_conn variable names to 'c'

- ConnectionExists: call it multi-use instead of pipelining
  
  So that it fits HTTP/2 as well

Kamil Dudka (27 Apr 2015)
- [Paul Howarth brought this change]

  nss: fix compilation failure with old versions of NSS
  
  Bug: http://curl.haxx.se/mail/lib-2015-04/0095.html

Daniel Stenberg (27 Apr 2015)
- sws: init http2 state properly
  
  It would otherwise cause problems when running tests after 1801 etc.

- curl_easy_getinfo.3: document 'internals' in CURLINFO_TLS_SESSION
  
  ... as it was previouly undocumented what the pointer was.

- runtests: use a DISABLED.local file too
  
  ... and have git ignore that. Allows for a dev to add tests to ignore in
  local tests and yet don't obstruct a normal git work flow.

Marc Hoersken (26 Apr 2015)
- schannel.c: Fix typo introduced with 3447c973d0

- schannel.c: Fix possible SEC_E_BUFFER_TOO_SMALL error
  
  Reported-by: Brian Chrisman

Daniel Stenberg (26 Apr 2015)
- schannel: re-indented file to follow curl style better
  
  white space changes only

- Curl_ossl_init: load builtin modules
  
  To have engine modules work, we must tell openssl to load builtin
  modules first.
  
  Bug: https://github.com/bagder/curl/pull/206

- configure: follow-up fix for krb5-config
  
  commit 5b66860652 was incomplete so here's a follow-up fix
  
  Reported-by: Dagobert Michelsen
  Bug: https://github.com/bagder/curl/commit/5b668606527613179d0349f21b4ab0df2971e3d2#commitcomment-10473445

- openssl: fix serial number output
  
  The code extracting the cert serial number was broken and didn't display
  it properly.
  
  Bug: https://github.com/bagder/curl/issues/235
  Reported-by: dkjjr89

- [Grant Pannell brought this change]

  sasl_sspi: Populate domain from the realm in the challenge
  
  Without this, SSPI based digest auth was broken.
  
  Bug: https://github.com/bagder/curl/pull/141.patch

Jay Satiro (25 Apr 2015)
- [Anthony Avina brought this change]

  tool: New option --data-raw to HTTP POST data, '@' allowed.
  
  Add new option --data-raw which is almost the same as --data but does
  not have a special interpretation of the @ character.
  
  Prior to this change there was no (easy) way to pass the @ character as
  the first character in POST data without it being interpreted as a
  special character.
  
  Bug: https://github.com/bagder/curl/issues/198
  Reported-by: Jens Rantil

Dan Fandrich (25 Apr 2015)
- test2039: fixed line endings that caused a test failure

Daniel Stenberg (24 Apr 2015)
- [Viktor Szakats brought this change]

  netrc: add unit tests for 'default' support

- [Viktor Szakats brought this change]

  netrc: support 'default' token
  
  The 'default' token has no argument and means to match _any_ domain.
  It must be placed last if there are 'machine <name>' tokens in the same file.
  
  See full description here:
  https://www.gnu.org/software/inetutils/manual/html_node/The-_002enetrc-File.html

- ROADMAP.md: extended the HTTP/2 section, reformatted
  
  Elaborated on several of the remaining HTTP/2 parts and made document
  use a format that ends up nicer on the web page:
  http://curl.haxx.se/dev/roadmap.html

Kamil Dudka (23 Apr 2015)
- curl -z: do not write empty file on unmet condition
  
  This commit fixes a regression introduced in curl-7_41_0-186-g261a0fe.
  It also introduces a regression test 1424 based on tests 78 and 1423.
  
  Reported-by: Viktor Szakats
  Bug: https://github.com/bagder/curl/issues/237

Dan Fandrich (23 Apr 2015)
- tool: fixed a comment typo

- README: convert to UTF-8

Jay Satiro (22 Apr 2015)
- cyassl: Implement public key pinning
  
  Also add public key extraction example to CURLOPT_PINNEDPUBLICKEY doc.

Dan Fandrich (22 Apr 2015)
- [Alessandro Ghedini brought this change]

  curl.1: fix typo

Kamil Dudka (22 Apr 2015)
- docs: distribute the CURLOPT_PINNEDPUBLICKEY(3) man page, too

- tests/unit/.gitignore: hide unit1601 and above, too

Daniel Stenberg (22 Apr 2015)
- connectionexists: follow-up to fd9d3a1ef1f
  
  PROTOPT_CREDSPERREQUEST still needs to be checked even when NTLM is not
  enabled.
  
  Mistake-caught-by: Kamil Dudka

- connectionexists: fix build without NTLM
  
  Do not access NTLM-specific struct fields when built without NTLM
  enabled!
  
  bug: http://curl.haxx.se/?i=231
  Reported-by: Patrick Rapin

- bump: start working toward 7.43.0

Kamil Dudka (22 Apr 2015)
- nss: implement public key pinning for NSS backend
  
  Bug: https://bugzilla.redhat.com/1195771

Daniel Stenberg (22 Apr 2015)
- dist: include {src,lib}/checksrc.whitelist

Version 7.42.0 (22 Apr 2015)

Daniel Stenberg (22 Apr 2015)
- RELEASE-NOTES: updated for 7.42.0

- THANKS: added contributors from 7.42.0 release notes

- THANKS-filter: a few more alterations to squash

- contrithanks.sh: helper script for maintaining THANKS

- http_done: close Negotiate connections when done
  
  When doing HTTP requests Negotiate authenticated, the entire connnection
  may become authenticated and not just the specific HTTP request which is
  otherwise how HTTP works, as Negotiate can basically use NTLM under the
  hood. curl was not adhering to this fact but would assume that such
  requests would also be authenticated per request.
  
  CVE-2015-3148
  
  Bug: http://curl.haxx.se/docs/adv_20150422B.html
  Reported-by: Isaac Boukris

- fix_hostname: zero length host name caused -1 index offset
  
  If a URL is given with a zero-length host name, like in "http://:80" or
  just ":80", `fix_hostname()` will index the host name pointer with a -1
  offset (as it blindly assumes a non-zero length) and both read and
  assign that address.
  
  CVE-2015-3144
  
  Bug: http://curl.haxx.se/docs/adv_20150422D.html
  Reported-by: Hanno Böck

- cookie: cookie parser out of boundary memory access
  
  The internal libcurl function called sanitize_cookie_path() that cleans
  up the path element as given to it from a remote site or when read from
  a file, did not properly validate the input. If given a path that
  consisted of a single double-quote, libcurl would index a newly
  allocated memory area with index -1 and assign a zero to it, thus
  destroying heap memory it wasn't supposed to.
  
  CVE-2015-3145
  
  Bug: http://curl.haxx.se/docs/adv_20150422C.html
  Reported-by: Hanno Böck

- ConnectionExists: for NTLM re-use, require credentials to match
  
  CVE-2015-3143
  
  Bug: http://curl.haxx.se/docs/adv_20150422A.html
  Reported-by: Paras Sethia

Jay Satiro (21 Apr 2015)
- [byronhe brought this change]

  openssl: add OPENSSL_NO_SSL3_METHOD check

Daniel Stenberg (20 Apr 2015)
- CURLOPT_HEADERFUNCTION.3: match parameter name in synopsis and desc
  
  Bug: https://github.com/bagder/curl/issues/229
  Reported-by: bsammon

Kamil Dudka (20 Apr 2015)
- [Mostyn Bramley-Moore brought this change]

  configure --with-nss: remove unneeded libs from the fallback

Daniel Stenberg (20 Apr 2015)
- contributors.sh: fix help output, filter out (-prefix from names

- RELEASE-NOTES: synced with cc0e7ebc3be0

- [Michael Stapelberg brought this change]

  CURLMOPT_TIMERFUNCTION.3: Clarify, add an example

- [Viktor Szakáts brought this change]

  vtls/openssl: use https in URLs and a comment typo fixed

- curl_version_info.3: fixed the 'protocols' variable type
  
  Reported-by: John Marshall
  Bug: https://github.com/bagder/curl/issues/225

Dan Fandrich (18 Apr 2015)
- test1423: added missing "file" to server section

Daniel Stenberg (17 Apr 2015)
- TheArtOfHttpScripting: Multiple URLs + Multiple HTTP methods
  
  ... and some minor edits

- Revert "HTTP: don't abort connections with pending Negotiate authentication"
  
  This reverts commit 5dc68dd6092a789bb5e0a67a1c1356ba87fdcbc6.
  
  Bug: https://github.com/bagder/curl/issues/223
  Reported-by: Michael Osipov

Jay Satiro (17 Apr 2015)
- cyassl: Fix include order
  
  Prior to this change CyaSSL's build options could redefine some generic
  build symbols.
  
  http://curl.haxx.se/mail/lib-2015-04/0069.html

Kamil Dudka (17 Apr 2015)
- configure --with-nss: drop redundant if statement

- configure --with-nss=PATH: query pkg-config if available
  
  Bug: https://github.com/bagder/curl/pull/171

Daniel Stenberg (17 Apr 2015)
- parsecfg: do not continue past a zero termination
  
  When a config file line ends without newline, the parsing function could
  continue reading beyond that point in memory.
  
  Reported-by: Hanno Böck

Jay Satiro (16 Apr 2015)
- gitignore: Ignore Windows build output directories

Daniel Stenberg (15 Apr 2015)
- RELEASE-NOTES: synced with 1ba6e4c88e0

- TODO: 17.9 Choose the name of file in braces for complex URLs

- TODO: a little caution that maybe not all ideas are still good

- TODO: 17.8 offer color-coded HTTP header output

- TODO: 17.7 warning when sending binary output to terminal

- KNOWN_BUGS: #90 IMAP "SEARCH ALL" truncates output on large boxes

Jay Satiro (14 Apr 2015)
- cyassl: Add support for TLS extension SNI

Daniel Stenberg (13 Apr 2015)
- [Matthew Hall brought this change]

  gitignore: ignore test-driver file

- [Matthew Hall brought this change]

  vtls_openssl: improve PKCS#12 load failure error message

- [Matthew Hall brought this change]

  vtls_openssl: fix minor typo in PKCS#12 load routine

- [Matthew Hall brought this change]

  vtls_openssl: improve client certificate load failure error messages

- [Matthew Hall brought this change]

  vtls_openssl: remove ambiguous SSL_CLIENT_CERT_ERR constant

- BUGS: refer to the github issue tracker now as primary

- firefox-db2pem: fix wildcard to find Firefox default profile
  
  At some point, Firefox has changed and generates different directory
  names for the default profile that made this script fail to find them.
  
  Bug: https://github.com/bagder/curl/issues/207
  Reported-by: sneakyimp

Jay Satiro (11 Apr 2015)
- cyassl: Include the CyaSSL build config
  
  CyaSSL >= 2.6.0 may have an options.h that was generated during
  its build by configure.

- build: Generate source prerequisites for Visual Studio in generate.bat
  
  Prior to this change Visual Studio builds could fail due to missing
  prerequisites src/tool_hugehelp.c and include/curl/curlbuild.h.
  
  http://curl.haxx.se/mail/lib-2015-04/0034.html

Daniel Stenberg (9 Apr 2015)
- [Viktor Szakats brought this change]

  lib/makefile.m32: add missing libs to build libcurl.dll
  
  Add 'gdi32' and 'crypt32' Windows implibs to avoid failure
  while building libcurl.dll using the mingw compiler.
  The same logic is used in 'src/makefile.m32' when
  building curl.exe.

Kamil Dudka (8 Apr 2015)
- test142[23]: verify that an empty file is stored on success

- src/tool_operate: create output file on successful download
  
  ... of an empty file
  
  Bug: https://github.com/bagder/curl/issues/183

- src/tool_cb_wrt: separate fnc for output file creation

Daniel Stenberg (7 Apr 2015)
- [Da-Yoon Chung brought this change]

  lib/transfer.c: Remove factor of 8 from sleep time calculation
  
  The factor of 8 is a bytes-to-bits conversion factor, but pkt_size and
  rate_bps are both in bytes. When using the rate limiting option, curl
  waits 8 times too long, and then transfers very quickly until the
  average rate reaches the limit. The average rate follows the limit over
  time, but the actual traffic is bursty.
  
  Thanks-to: Benjamin Gilbert

- [Jay Satiro brought this change]

  x509asn1: Silence x64 loss-of-data warning on RSA key length assignment
  
  The key length in bits will always fit in an unsigned long so the
  loss-of-data warning assigning the result of x64 pointer arithmetic to
  an unsigned long is unnecessary.

- [Jay Satiro brought this change]

  cyassl: Use CYASSL_MAX_ERROR_SZ for error buffer size
  
  Also fix it so that all ERR_error_string calls use an error buffer.
  CyaSSL's implementation of ERR_error_string only writes the error when
  an error buffer is passed.
  
  http://www.yassl.com/forums/topic599-openssl-compatibility-and-errerrorstring.html

- [Jay Satiro brought this change]

  cyassl: Remove 'Connecting to' message from cyassl_connect_step2
  
  Prior to this change libcurl could show multiple 'CyaSSL: Connecting to'
  messages since cyassl_connect_step2 is called multiple times, typically.
  The message is superfluous even once since libcurl already informs the
  user elsewhere in code that it is connecting.

- [Viktor Szakats brought this change]

  checksrc.bat: quotes to support an SRC_DIR with spaces

- hostip: fix compiler warnings
  
  introduced in the previous mini-series of 3 commits

- [Stefan Bühler brought this change]

  actually implement CURLOPT_RESOLVE removals
  
  - also log when a CURLOPT_RESOLVE entry couldn't get parsed

- [Stefan Bühler brought this change]

  move Curl_share_lock and ref counting into Curl_fetch_addr

- [Stefan Bühler brought this change]

  fix refreshing of obsolete dns cache entries
  
  - cache entries must be also refreshed when they are in use
  - have the cache count as inuse reference too, freeing timestamp == 0 special
    value
  - use timestamp == 0 for CURLOPT_RESOLVE entries which don't get refreshed
  - remove CURLOPT_RESOLVE special inuse reference (timestamp == 0 will prevent refresh)
  - fix Curl_hostcache_clean - CURLOPT_RESOLVE entries don't have a special
    reference anymore, and it would also release non CURLOPT_RESOLVE references
  - fix locking in Curl_hostcache_clean
  - fix unit1305.c: hash now keeps a reference, need to set inuse = 1

- RELEASE-NOTES: synced with abf6bddc14a

- [Jay Satiro brought this change]

  checksrc.bat: Check lib\vtls source

- [Jay Satiro brought this change]

  cyassl: Set minimum protocol version before CTX callback
  
  This change is to allow the user's CTX callback to change the minimum
  protocol version in the CTX without us later overriding it, as we did
  prior to this change.

- [Jay Satiro brought this change]

  build-openssl.bat: Fix mixed line endings
  
  Use LF not CRLF, throughout.  msysgit will only convert a file to CRLF
  on checkout if it's not mixed.

- [Jay Satiro brought this change]

  cyassl: Fix certificate load check
  
  SSL_CTX_load_verify_locations can return negative values on fail,
  therefore to check for failure we check if load is != 1 (success)
  instead of if load is == 0 (failure), the latter being incorrect given
  that behavior.

- [Tatsuhiro Tsujikawa brought this change]

  http2: Fix missing nghttp2_session_send call in Curl_http2_switched
  
  Previously in Curl_http2_switched, we called nghttp2_session_mem_recv to
  parse incoming data which were already received while curl was handling
  upgrade.  But we didn't call nghttp2_session_send, and it led to make
  curl not send any response to the received frames.  Most likely, we
  received SETTINGS from server at this point, so we missed opportunity to
  send SETTINGS + ACK.  This commit adds missing nghttp2_session_send call
  in Curl_http2_switched to fix this issue.
  
  Bug: https://github.com/bagder/curl/issues/192
  Reported-by: Stefan Eissing

- cookie: handle spaces after the name in Set-Cookie
  
  "name =value" is fine and the space should just be skipped.
  
  Updated test 31 to also test for this.
  
  Bug: https://github.com/bagder/curl/issues/195
  Reported-by: cromestant
  Help-by: Frank Gevaerts

- [Jay Satiro brought this change]

  cyassl: Fix library initialization return value
  
  (Curl_cyassl_init)
  - Return 1 on success, 0 in failure.
  
  Prior to this change the fail path returned an incorrect value and the
  evaluation to determine whether CyaSSL_Init had succeeded was incorrect.
  Ironically that combined with the way curl_global_init tests SSL library
  initialization (!Curl_ssl_init()) meant that CyaSSL having been
  successfully initialized would be seen as that even though the code path
  and return value in Curl_cyassl_init were wrong.

- [Thomas Ruecker brought this change]

  CURLOPT_HTTP200ALIASES.3: Mainly SHOUTcast servers use "ICY 200"
  
  Icecast versions 1.3.0 through 1.3.12 would reply with "ICY 200"
  under certain conditions:
  
      client_wants_icy_headers (connection_t *con)
      {
              const char *val;
  
              if (!con)
                      return 1;
  
              val = get_user_agent (con);
              if (!val || !val[0] || strcmp (val, "(null)") == 0)
                      return 1;
  
              if (con->food.client->use_icy)
                      return 1;
              if (strncasecmp (val, "winamp", 6) == 0)
                      return 1;
              if (strncasecmp (val, "Shoutcast", 9) == 0)
                      return 1;
  
              return 0;
      }
  
  So mainly if there is no 'user agent' or it is '(null)' or contains
  'winamp' or 'Shoutcast'.
  
  No mainstream distribution carries Icecast 1.3.x anymore, after all
  it was released in 2002 and superseded by Icecast 2.x.

Dan Fandrich (31 Mar 2015)
- axtls: add timeout within Curl_axtls_connect
  
  This allows test 405 to pass on axTLS.

Daniel Stenberg (30 Mar 2015)
- [Jay Satiro brought this change]

  checksrc: Windows-specific input fixes
  
  lib/config-win32ce.h
  - Fix whitespace for checksrc compliance.
  
  lib/checksrc.pl
  - Remove trailing carriage returns from input.
  
  projects/checksrc.bat
  - Ignore tool_hugehelp.c.

- [Dagobert Michelsen brought this change]

  configure: Use KRB5CONFIG for krb5-config
  
  Allows the user to easier override its path.
  
  Bug: http://curl.haxx.se/bug/view.cgi?id=1486

- multi: remove_handle: move pending connections
  
  If the handle removed from the multi handle happens to be the one
  "owning" the pipeline other transfers will be waiting indefinitely. Now
  we move such handles back to connect to have them race (again) for
  getting the connection and thus avoid hanging.
  
  Bug: http://curl.haxx.se/bug/view.cgi?id=1465
  Reported-by: Jiri Dvorak

- KNOWN_BUGS: 89 is bug #1411
  
  Disabling pipelining on multi handle with in-progress pipelined requests
  leads to heap corruption and crash

- [Jay Satiro brought this change]

  cyassl: CTX callback cosmetic changes and doc fix
  
  - More descriptive fail message for NO_FILESYSTEM builds.
  - Cosmetic changes.
  - Change more of CURLOPT_SSL_CTX_* doc to not be OpenSSL specific.

- RELEASE-NOTES: synced with d2feb71752f

Dan Fandrich (28 Mar 2015)
- tool_operate: only set SSL options if SSL is enabled

- runtests.pl: detect WolfSSL as yassl

Daniel Stenberg (27 Mar 2015)
- [Kyle L. Huff brought this change]

  cyassl: add SSL context callback support for CyaSSL
  
  Adds support for CURLOPT_SSL_CTX_FUNCTION when using CyaSSL, and better
  handles CyaSSL instances using NO_FILESYSTEM.

- [Kyle L. Huff brought this change]

  cyassl: remove undefined reference to CyaSSL_no_filesystem_verify
  
  CyaSSL_no_filesystem_verify is not (or no longer) defined by cURL or
  CyaSSL. This reference causes build errors when compiling with
  NO_FILESYSTEM.

- [Jay Satiro brought this change]

  build: Fix libcurl.sln erroneous mixed configurations
  
  Prior to this change some Release configurations had an active
  configuration assignment to their Debug counterpart.

- [Jay Satiro brought this change]

  vtls: Don't accept unknown CURLOPT_SSLVERSION values

- [Jay Satiro brought this change]

  url: Don't accept CURLOPT_SSLVERSION unless USE_SSL is defined

- [Paul Howarth brought this change]

  build: link curl to openssl libraries when openssl support is enabled
  
  This fixes a build failure where openssl and libmetalink are used
  together and the system linker does not do implicit linking (e.g.
  Fedora 13 and later releases). The MD5 functions required for
  metalink support must be pulled in from the openssl crypto library.
  
  This is similar to commit c6e7cbb94e669b85d3eb8e015ec51d0072112133,
  which fixes the same sort of problem for NSS builds.

- multi: on a request completion, check all CONNECT_PEND transfers
  
  ... even if they don't have an associated connection anymore. It could
  leave the waiting transfers pending with no active one on the
  connection.
  
  Bug: http://curl.haxx.se/bug/view.cgi?id=1465
  Reported-by: Jiri Dvorak

- [Emil Lerner brought this change]

  globbing: fix url number calculation when using range with step
  
  In function glob_range, the number of urls was multiplied by (max - min
  + 1), regardless of step. The correct formula is (max - min) / step + 1

- README.http2: refreshed and added TODO items

- [Emil Lerner brought this change]

  globbing: fix step parsing for character globbing ranges
  
  The glob_range function used wrong offset (3 instead of 4) for parsing
  integer step inside character range specification, which led to 'bad
  range' error when using character ranges with explicitly specified step
  (such as '[a-z:2]')

- polarssl: called mbedTLS in 1.3.10 and later

- polarssl: remove dead code
  
  and simplify code by changing if-elses to a switch()
  
  CID 1291706: Logically dead code. Execution cannot reach this statement

- polarssl: remove superfluous for(;;) loop
  
  "unreachable: Since the loop increment is unreachable, the loop body
  will never execute more than once."
  
  Coverity CID 1291707

- Curl_ssl_md5sum: return CURLcode
  
  ... since the funciton can fail on OOM. Check this return code.
  
  Coverity CID 1291705.

- [Jay Satiro brought this change]

  cyassl: default to highest possible TLS version
  
  (cyassl_connect_step1)
  - Use TLS 1.0-1.2 by default when available.
  
  CyaSSL/wolfSSL >= v3.3.0 supports setting a minimum protocol downgrade
  version.
  
  cyassl/cyassl@322f79f

- [Jay Satiro brought this change]

  cyassl: Check for invalid length parameter in Curl_cyassl_random

- [Jay Satiro brought this change]

  cyassl: If wolfSSL then identify as such in version string

Dan Fandrich (24 Mar 2015)
- symbols-in-versions: added CURLOPT_PATH_AS_IS

- testcurl.pl: add the --notes option to supply more info about a build
  
  Support for notes has been in place for a while, but it required
  being added to the setup file manually.

- curl_memory: make curl_memory.h the second-last header file loaded
  
  This header file must be included after all header files except
  memdebug.h, as it does similar memory function redefinitions and can be
  similarly affected by conflicting definitions in system or dependent
  library headers.

Daniel Stenberg (24 Mar 2015)
- openssl: do the OCSP work-around for libressl too
  
  I tested with libressl git master now (v2.1.4-27-g34bf96c) and it seems to
  still require the work-around for stapling to work.

- openssl: verifystatus: only use the OCSP work-around <= 1.0.2a
  
  URL: http://curl.haxx.se/mail/lib-2015-03/0205.html
  Reported-by: Alessandro Ghedini

- openssl: adapt to ASN1/X509 things gone opaque in 1.1

Dan Fandrich (24 Mar 2015)
- [Jay Satiro brought this change]

  curl_easy_setopt.3: Fix misspelling in CURLOPT_PATH_AS_IS description

- [Viktor Szakáts brought this change]

  CURLOPT_HTTPHEADER.3: fix typo in recent commit

- [Viktor Szakáts brought this change]

  CURLOPT_PATH_AS_IS.3: add type 'long' to prototype

- vtls: fix compile with --disable-crypto-auth but with SSL
  
  This is a strange combination of options, but is allowed.

Patrick Monnerat (24 Mar 2015)
- os400: define new options in ILE/RPG binding.

Daniel Stenberg (24 Mar 2015)
- RELEASE-NOTES: synced with f6878609361

- curl_easy_setopt.3: Add CURLOPT_PATH_AS_IS

- CURLOPT_PATH_AS_IS: added
  
  --path-as-is is the command line option
  
  Added docs in curl.1 and CURLOPT_PATH_AS_IS.3
  
  Added test in test 1241

- [Yamada Yasuharu brought this change]

  curl_easy_recv/send: make them work with the multi interface
  
  By making sure Curl_getconnectinfo() uses the correct connection cache
  to find the last connection.

- http2: move the init too for when its actually needed
  
  ... it would otherwise lead to memory leakage if we never actually do
  the switch.

Dan Fandrich (23 Mar 2015)
- dict: rename byte to avoid compiler shadowed declaration warning
  
  This conflicted with a WolfSSL typedef.

- cyassl: include version.h to ensure the version macros are defined

- test1513: eliminated race condition in test run
  
  It seems that some systems (e.g. fairly consistently in some recent
  Solaris autobuilds) would manage to get to the connect phase before the
  progress callback was called, resulting in a CURLE_COULDNT_CONNECT
  error. Reworked the test to point at a test server that never returns a
  full result so the progress callback always gets a chance to be called
  before the transfer can complete in some other way.

Nick Zitzmann (21 Mar 2015)
- darwinsssl: add support for TLS False Start
  
  TLS False Start support requires iOS 7.0 or later, or OS X 10.9 or later.

Daniel Stenberg (21 Mar 2015)
- gtls: add check of return code
  
  Coverity CID 1291167 pointed out that 'rc' was received but never used when
  gnutls_credentials_set() was used. Added return code check now.

- gtls: dereferencing NULL pointer
  
  Coverity CID 1291165 pointed out 'chainp' could be dereferenced when
  NULL if gnutls_certificate_get_peers() had previously failed.

- gtls: avoid uninitialized variable.
  
  Coverity CID 1291166 pointed out that we could read this variable
  uninitialized.

Dan Fandrich (21 Mar 2015)
- tests/certs: rebuild certificates with modified key usage bits
  
  The certificates were missing the digitalSignature and keyAgreement
  usage types, of which at least digitalSignature was checked by CyaSSL.
  This caused the test server in test 310 (among others) to fail the
  startup verification and therefore run (see
  http://curl.haxx.se/mail/lib-2014-07/0303.html).

- tests/certs: added make target to rebuild certificates
  
  The certificate generation scripts were also updated to better match the
  format of the certificates currently checked in.

Daniel Stenberg (21 Mar 2015)
- x509asn1: add /* fallthrough */ in switch() case

- x509asn1: minor edit to unconfuse Coverity
  
  CID 1202732 warns on the previous use, although I cannot fine any
  problems with it. I'm doing this change only to make the code use a more
  familiar approach to accomplish the same thing.

- [Dagobert Michelsen brought this change]

  testcurl: Allow '=' in values given on command line

- nss: error: unused variable 'connssl'

Dan Fandrich (21 Mar 2015)
- test938: added missing closing tags

- cyassl: use new library version macro when available

Kamil Dudka (20 Mar 2015)
- [Alessandro Ghedini brought this change]

  curl: add --false-start option

- [Alessandro Ghedini brought this change]

  nss: add support for TLS False Start

- [Alessandro Ghedini brought this change]

  url: add CURLOPT_SSL_FALSESTART option
  
  This option can be used to enable/disable TLS False Start defined in the RFC
  draft-bmoeller-tls-falsestart.

Patrick Monnerat (20 Mar 2015)
- [Alessandro Ghedini brought this change]

  gtls: implement CURLOPT_CERTINFO

Daniel Stenberg (20 Mar 2015)
- [Alessandro Ghedini brought this change]

  openssl: try to avoid accessing OCSP structs when possible

- CURLOPT_URL.3: spelling!
  
  Reported-by: Frank Gevaerts

- CURLOPT_URL.3: Added "SECURITY CONCERNS"

- CURLOPT_HTTPHEADER.3: add a "SECURITY CONCERNS" section

Dan Fandrich (19 Mar 2015)
- cyassl: detect the library as renamed wolfssl
  
  This change was made in CyaSSL/WolfSSL ver. 3.4.0

Daniel Stenberg (19 Mar 2015)
- HTTP: don't switch to HTTP/2 from 1.1 until we get the 101
  
  We prematurely changed protocol handler to HTTP/2 which made things very
  slow (and wrong).
  
  Reported-by: Stefan Eissing
  Bug: https://github.com/bagder/curl/issues/169

Dan Fandrich (19 Mar 2015)
- axtls: version 1.5.2 now requires that config.h be manually included

Daniel Stenberg (19 Mar 2015)
- metalink: fix resource leak in OOM
  
  Coverity CID 1288826

Dan Fandrich (18 Mar 2015)
- docs/libcurl: clean up libcurl-symbols.3

- docs/libcurl: check that all options with man pages are referenced
  
  If a man page exists in the opts/ directory, it must also be referenced
  either in curl_easy_setopt.3 or curl_multi_setopt.3

- curl_easy_setopt.3: added a few missing options

Kamil Dudka (18 Mar 2015)
- nss: explicitly tell NSS to disable NPN/ALPN
  
  ... if disabled at libcurl level.  Otherwise, we would allow to
  negotiate NPN despite curl was invoked with the --no-npn option.

Daniel Stenberg (18 Mar 2015)
- [Jay Satiro brought this change]

  mkhelp: Remove trailing carriage return from every line of input
  
  - Get rid of this flood of warnings in Windows mingw build:
  warning: missing terminating " character
  
  The warning is due to the carriage return. When msysgit checks out files
  from the repo by default it converts the line endings to CRLF. Prior to
  this change when mkhelp.pl processed the MANUAL and curl.1 in CRLF
  format the trailing carriage returns caused unnecessary CR in the
  output.

- RELEASE-NOTES: synced with e539f01567

- [Christian Weisgerber brought this change]

  docs/libcurl: make portability fix
  
  Using $< in a non-suffix rule context is a GNU make idiom.  This bug was
  introduced in 7.41.0.

Dan Fandrich (17 Mar 2015)
- checksrc: Fix whitelist on out-of-tree builds

Daniel Stenberg (17 Mar 2015)
- [Stefan Bühler brought this change]

  Curl_sh_entry: remove unused 'timestamp'

- HTTP: don't use Expect: headers when on HTTP/2
  
  Reported-by: Stefan Eissing
  Bug: https://github.com/bagder/curl/issues/169

- checksrc: detect and remove space before trailing semicolons

- checksrc: introduce a whitelisting concept

- checksrc: use space after comma

- checksrc: use space before paren in "return (expr);"

- CONTRIBUTE: refer to git log instead of deprecated CHANGES file

- CURLOPT_*.3: more examples and edits

- CURLOPT_*.3: added lots of small example sections

- CURLOPT_PRIVATE.3: provide an example

- CURLOPT_*TIMEOUT.3: provide examples

- CURLOPT_USERAGENT.3: added an example

- CURLOPT_STDERR.3: added an example

- curl_easy_perform.3: remove superfluous close brace from example

- free: instead of Curl_safefree()
  
  Since we just started make use of free(NULL) in order to simplify code,
  this change takes it a step further and:
  
  - converts lots of Curl_safefree() calls to good old free()
  - makes Curl_safefree() not check the pointer before free()
  
  The (new) rule of thumb is: if you really want a function call that
  frees a pointer and then assigns it to NULL, then use Curl_safefree().
  But we will prefer just using free() from now on.

- [Markus Elfring brought this change]

  Bug #149: Deletion of unnecessary checks before a few calls of cURL functions
  
  The following functions return immediately if a null pointer was passed.
  * Curl_cookie_cleanup
  * curl_formfree
  
  It is therefore not needed that a function caller repeats a corresponding check.
  
  This issue was fixed by using the software Coccinelle 1.0.0-rc24.
  
  Signed-off-by: Markus Elfring <elfring@users.sourceforge.net>

- [Markus Elfring brought this change]

  Bug #149: Deletion of unnecessary checks before calls of the function "free"
  
  The function "free" is documented in the way that no action shall occur for
  a passed null pointer. It is therefore not needed that a function caller
  repeats a corresponding check.
  http://stackoverflow.com/questions/18775608/free-a-null-pointer-anyway-or-check-first
  
  This issue was fixed by using the software Coccinelle 1.0.0-rc24.
  
  Signed-off-by: Markus Elfring <elfring@users.sourceforge.net>

- [Jay Satiro brought this change]

  connect: Fix happy eyeballs logic for IPv4-only builds
  
  Bug: https://github.com/bagder/curl/pull/168
  
  (trynextip)
  - Don't try the "other" protocol family unless IPv6 is available. In an
  IPv4-only build the other family can only be IPv6 which is unavailable.
  
  This change essentially stops IPv4-only builds from attempting the
  "happy eyeballs" secondary parallel connection that is supposed to be
  used by the "other" address family.
  
  Prior to this change in IPv4-only builds that secondary parallel
  connection attempt could be erroneously used by the same family (IPv4)
  which caused a bug where every address after the first for a host could
  be tried twice, often in parallel. This change fixes that bug. An
  example of the bug is shown below.
  
  Assume MTEST resolves to 3 addresses 127.0.0.2, 127.0.0.3 and 127.0.0.4:
  
  * STATE: INIT => CONNECT handle 0x64f4b0; line 1046 (connection #-5000)
  * Rebuilt URL to: http://MTEST/
  * Added connection 0. The cache now contains 1 members
  * STATE: CONNECT => WAITRESOLVE handle 0x64f4b0; line 1083
  (connection #0)
  *   Trying 127.0.0.2...
  * STATE: WAITRESOLVE => WAITCONNECT handle 0x64f4b0; line 1163
  (connection #0)
  *   Trying 127.0.0.3...
  * connect to 127.0.0.2 port 80 failed: Connection refused
  *   Trying 127.0.0.3...
  * connect to 127.0.0.3 port 80 failed: Connection refused
  *   Trying 127.0.0.4...
  * connect to 127.0.0.3 port 80 failed: Connection refused
  *   Trying 127.0.0.4...
  * connect to 127.0.0.4 port 80 failed: Connection refused
  * connect to 127.0.0.4 port 80 failed: Connection refused
  * Failed to connect to MTEST port 80: Connection refused
  * Closing connection 0
  * The cache now contains 0 members
  * Expire cleared
  curl: (7) Failed to connect to MTEST port 80: Connection refused
  
  The bug was born in commit bagder/curl@2d435c7.

- mksymbolsmanpage.pl: use std header and generate better nroff header

- [Frank Meier brought this change]

  closesocket: call multi socket cb on close even with custom close
  
  In function Curl_closesocket() in connect.c the call to
  Curl_multi_closed() was wrongly omitted if a socket close function
  (CURLOPT_CLOSESOCKETFUNCTION) is registered.
  
  That would lead to not removing the socket from the internal hash table
  and not calling the multi socket callback appropriately.
  
  Bug: http://curl.haxx.se/bug/view.cgi?id=1493

- [Tobias Stoeckmann brought this change]

  hostip: Fix signal race in Curl_resolv_timeout.
  
  A signal handler for SIGALRM is installed in Curl_resolv_timeout. It is
  configured to interrupt system calls and uses siglongjmp to return into
  the function if alarm() goes off.
  
  The signal handler is installed before curl_jmpenv is initialized.
  This means that an already installed alarm timer could trigger the
  newly installed signal handler, leading to undefined behavior when it
  accesses the uninitialized curl_jmpenv.
  
  Even if there is no previously installed alarm available, the code in
  Curl_resolv_timeout itself installs an alarm before the environment is
  fully set up. If the process is sent into suspend right after that, the
  signal handler could be called too early as in previous scenario.
  
  To fix this, the signal handler should only be installed and the alarm
  timer only be set after sigsetjmp has been called.

- http2: detect prematures close without data transfered
  
  ... by using the regular Curl_http_done() method which checks for
  that. This makes test 1801 fail consistently with error 56 (which seems
  fine) to that test is also updated here.
  
  Reported-by: Ben Darnell
  Bug: https://github.com/bagder/curl/issues/166

Dan Fandrich (13 Mar 2015)
- test320: Expect the Host header to be the first header
  
  Required for the test to work after a5d994941c2b.

Daniel Stenberg (12 Mar 2015)
- RELEASE-NOTES: synced with 186e46d88dd

- openssl: use colons properly in the ciphers list
  
  While the previous string worked, this is the documented format.
  
  Reported-by: Richard Moore

- openssl: sort the ciphers on strength
  
  This makes curl pick better (stronger) ciphers by default. The strongest
  available ciphers are fine according to the HTTP/2 spec so an OpenSSL
  built curl is no longer rejected by string HTTP/2 servers.
  
  Bug: http://curl.haxx.se/bug/view.cgi?id=1487

- [Fabian Keil brought this change]

  test203[0-3]: Expect the Host header to be the first header
  
  Required for the tests to work after a5d994941c2b.

- openssl: show the cipher selection to use

- http: always send Host: header as first header
  
  ...after the method line:
  
   "Since the Host field-value is critical information for handling a
   request, a user agent SHOULD generate Host as the first header field
   following the request-line." / RFC 7230 section 5.4
  
  Additionally, this will also make libcurl ignore multiple specified
  custom Host: headers and only use the first one. Test 1121 has been
  updated accordingly
  
  Bug: http://curl.haxx.se/bug/view.cgi?id=1491
  Reported-by: Rainer Canavan

- [Alexander Pepper brought this change]

  mk-ca-bundle bugfix: Don't report SHA1 numbers with "-q".
  
  Also unified printing to STDERR by creating the helper method "report".

- proxy: re-use proxy connections (regression)
  
  When checking for a connection to re-use, a proxy-using request must
  check for and use a proxy connection and not one based on the host
  name!
  
  Added test 1421 to verify
  
  Bug: http://curl.haxx.se/bug/view.cgi?id=1492

- [Jay Satiro brought this change]

  memanalyze.pl: handle free(NULL)

- [Jay Satiro brought this change]

  .travis.yml: Change CI make test to make test-full
  
  - Change the continuous integration script to use 'make test-full'
  instead of just 'make test' so that the diagnostic log output is
  printed to stdout when a test fails.
  
  - Change the continuous integration script to use
  './configure --enable-debug' instead of just './configure' so that the
  memory analyzer will work during testing.
  
  Prior to this change Travis used its default C test script:
  ./configure && make && make test

- [Alessandro Ghedini brought this change]

  gtls: correctly align certificate status verification messages

- [Alessandro Ghedini brought this change]

  gtls: don't print double newline after certificate dates

- [Alessandro Ghedini brought this change]

  gtls: print negotiated TLS version and full cipher suite name
  
  Instead of priting cipher and MAC algorithms names separately, print the
  whole cipher suite string which also includes the key exchange algorithm,
  along with the negotiated TLS version.

- gtls: fix compiler warnings

- [Alessandro Ghedini brought this change]

  gtls: add support for CURLOPT_CAPATH

- [stopiccot brought this change]

  MacOSX-Framework: use @rpath instead of @executable_path
  
  Bug: https://github.com/bagder/curl/pull/157

- RELEASE-NOTES: synced with c19349951

- multi: fix *getsock() with CONNECT
  
  The code used some happy eyeballs logic even _after_ CONNECT has been
  sent to a proxy, while the happy eyeball phase is already (should be)
  over by then.
  
  This is solved by splitting the multi state into two separate states
  introducing the new SENDPROTOCONNECT state.
  
  Bug: http://curl.haxx.se/mail/lib-2015-01/0170.html
  Reported-by: Peter Laser

- conncontrol: only log changes to the connection bit

- http2: use CURL_HTTP_VERSION_* symbols instead of NPN_*
  
  Since they already exist and will make comparing easier

- http2: make the info-message about receiving HTTP2 headers debug-only

- [Alessandro Ghedini brought this change]

  urldata: remove unused asked_for_h2 field

- [Alessandro Ghedini brought this change]

  polarssl: make it possible to enable ALPN/NPN without HTTP2

- [Alessandro Ghedini brought this change]

  nss: make it possible to enable ALPN/NPN without HTTP2

- [Alessandro Ghedini brought this change]

  gtls: make it possible to enable ALPN/NPN without HTTP2

- [Alessandro Ghedini brought this change]

  openssl: make it possible to enable ALPN/NPN without HTTP2

- metalink: add some error checks
  
  malloc() and strdup() calls without checking return codes.
  
  Reported-by: Markus Elfring
  Bug: https://github.com/bagder/curl/issues/150

- curl_easy_setopt.3: added CURLOPT_SSL_VERIFYSTATUS
  
  Reported-by: Jonathan Cardoso

- urldata: fix gnutls build

Steve Holme (5 Mar 2015)
- openssl: Removed use of USE_SSLEAY from the Visual Studio project files
  
  In addition to commit 709cf76f6b, removed the USE_SSLEAY preprocessor
  variable from the Visual Studio project files as it isn't required
  anymore.

Daniel Stenberg (5 Mar 2015)
- multi: fix memory-leak on timeout (regression)
  
  Since 1342a96ecfe0d44, a timeout detected in the multi state machine didn't
  necesarily clear everything up, like formpost data.
  
  Bug: https://github.com/bagder/curl/issues/147
  Reported-by: Michel Promonet
  Patched-by: Michel Promonet

- configure: follow-up fix from 709cf76f6
  
  OpenSSL handling was a little broken.

- openssl: remove all uses of USE_SSLEAY
  
  SSLeay was the name of the library that was subsequently turned into
  OpenSSL many moons ago (1999). curl does not work with the old SSLeay
  library since years. This is now reflected by only using USE_OPENSSL in
  code that depends on OpenSSL.

- [Sergei Nikulov brought this change]

  cmake: handle build definitions CURLDEBUG/DEBUGBUILD
  
  Acked-by: Brad King

- FAQ: 4.21 Why is there a HTTP/1.1 in my HTTP/2 request?

- symbols.pl: handle '-' in the deprecated field
  
  ... which otherwise made the script skip the _LAST define for some
  symbols.
  
  Reported-by: Jeroen Ooms
  Bug: http://curl.haxx.se/mail/lib-2015-03/0052.html

- curl.1: fix "The the" typo
  
  Reported-by: Jon Seymour

- vtls: use curl_printf.h all over
  
  No need to use _MPRINTF_REPLACE internally.

- tool: use ENABLE_CURLX_PRINTF instead of _MPRINTF_REPLACE

- tool_writeenv: remove _MPRINTF_REPLACE define, it wasn't used

- [Sergei Nikulov brought this change]

  libtest: fixed linker errors on msvc
  
  Bug: https://github.com/bagder/curl/pull/144

- mprintf.h: remove #ifdef CURLDEBUG
  
  ... and as a consequence, introduce curl_printf.h with that re-define
  magic instead and make all libcurl code use that instead.

- tool_getpass: remove unused curl/mprintf.h include

- CONTRIBUTING.md: file for advice on github

- [Viktor Szakáts brought this change]

  BINDINGS: add link to Harbour bindings
  
  And UTF8-fix a few names

- CURLOPT_HEADERFUNCTION.3: typo in error code name
  
  Reported-by: Jonathan Cardoso

- BINDINGS: tclcurl moved
  
  Reporte-by: Steve Havelka

- [Jay Satiro brought this change]

  opts: Fix pipelining examples

- [Jay Satiro brought this change]

  curl_multi_setopt.3: Link to CURLMOPT_MAXCONNECTS

- CONTRIBUTE: the new more github-friendly attitude!

Steve Holme (28 Feb 2015)
- RELEASE-NOTES: Synced with 921d195187

Kamil Dudka (28 Feb 2015)
- tool: wrap lines longer than 79 columns
  
  ... to avoid a build failure when configured with --enable-debug

Steve Holme (27 Feb 2015)
- [Tatsuhiro Tsujikawa brought this change]

  http2: Return error if stream was closed with other than NO_ERROR
  
  Previously, we just ignored error code passed to
  on_stream_close_callback and just return 0 (success) after stream
  closure even if stream was reset with error.  This patch records error
  code in on_stream_close_callback, and return -1 and use CURLE_HTTP2
  error code on abnormal stream closure.

- tool: Updated the warnf() function to use the GlobalConfig structure
  
  As the 'error' and 'mute' options are now part of the GlobalConfig,
  rather than per Operation, updated the warnf() function to use this
  structure rather than the OperationConfig.

- build: Removed DataExecutionPrevention directive from VC9+ project files
  
  Removed the DataExecutionPrevention directive from the project files for
  Visual Studio 2008 and above. The XML value in the VC9 project files was
  set to "0" (Default) whilst the VC10+ project files contained an empty
  XML element.

- build: Use default RandomizedBaseAddress directive in VC9+ project files
  
  Visual Studio 2008 introduced support for the address space layout
  randomization (ASLR) feature of Windows Vista. However, upgrading the
  VC8 project files to VC9 and above disabled this feature.
  
  Removed the RandomizedBaseAddress directive to enabled the default
  setting (/DYNAMICBASE). Note: This doesn't appear to have any negative
  impact when compiled and ran on Windows XP.

- build: Added support to Generate.bat for files in the upcoming vauth folder

Daniel Stenberg (25 Feb 2015)
- http2: return recv error on unexpected EOF
  
  Pointed-out-by: Tatsuhiro Tsujikawa
  Bug: http://curl.haxx.se/bug/view.cgi?id=1487

Kamil Dudka (25 Feb 2015)
- dist: add symbol-scan.pl to the tarball
  
  ... in order to make test1135 succeed

Daniel Stenberg (25 Feb 2015)
- http2: move lots of verbose output to be debug-only

Kamil Dudka (25 Feb 2015)
- curl-config.in: eliminate double quotes around CURL_CA_BUNDLE
  
  Otherwise it expands to:
  
      echo ""/etc/pki/tls/certs/ca-bundle.crt""
  
  Detected by ShellCheck:
  
      curl-config:74:16: warning: The double quotes around this do
      nothing.  Remove or escape them. [SC2140]

- nss: do not skip Curl_nss_seed() if data is NULL
  
  In that case, we only skip writing the error message for failed NSS
  initialization (while still returning the correct error code).

- nss: improve error handling in Curl_nss_random()
  
  The vtls layer now checks the return value, so it is no longer necessary
  to abort if a random number cannot be provided by NSS.  This also fixes
  the following Coverity report:
  
  Error: FORWARD_NULL (CWE-476):
  lib/vtls/nss.c:1918: var_compare_op: Comparing "data" to null implies that "data" might be null.
  lib/vtls/nss.c:1923: var_deref_model: Passing null pointer "data" to "Curl_failf", which dereferences it.
  lib/sendf.c:154:3: deref_parm: Directly dereferencing parameter "data".

Daniel Stenberg (25 Feb 2015)
- RELEASE-PROCEDURE: add some more future release dates
  
  ... and remove some old ones

- sws: timeout idle CONNECT connections

- bump: start working toward 7.42.0

Version 7.41.0 (25 Feb 2015)

Daniel Stenberg (25 Feb 2015)
- THANKS: added contributors from the 7.41.0 RELEASE-NOTES

- RELEASE-NOTES: sync with ffc2aeec6e (7.41.0 release time!)

Marc Hoersken (25 Feb 2015)
- Revert "telnet.c: fix handling of 0 being returned from custom read function"
  
  This reverts commit 03fa576833643c67579ae216c4e7350fa9b5f2fe.

- telnet.c: fix invalid use of custom read function if not being set
  
  obj_count can be 1 if the custom read function is set or the stdin
  handle is a reference to a pipe. Since the pipe should be handled
  using the PeekNamedPipe-check below, the custom read function should
  only be used if it is actually enabled.

- telnet.c: fix handling of 0 being returned from custom read function
  
  According to [1]: "Returning 0 will signal end-of-file to the library
  and cause it to stop the current transfer."
  This change makes the Windows telnet code handle this case accordingly.
  
   [1] http://curl.haxx.se/libcurl/c/CURLOPT_READFUNCTION.html

Daniel Stenberg (24 Feb 2015)
- sws: stop logging about TPC_NODELAY nonsense

- lib530: make it less timing sensible
  
  ... by making sure the first request is completed before doing the
  remainder.

Kamil Dudka (23 Feb 2015)
- connect: wait for IPv4 connection attempts
  
  ... even if the last IPv6 connection attempt has failed.
  
  Bug: https://bugzilla.redhat.com/show_bug.cgi?id=1187531#c4

- connect: avoid skipping an IPv4 address
  
  ... in case the protocol versions are mixed in a DNS response
  (IPv6 -> IPv4 -> IPv6).
  
  Bug: https://bugzilla.redhat.com/show_bug.cgi?id=1187531#c3

Daniel Stenberg (23 Feb 2015)
- RELEASE-NOTES: synced with 5e4395eab839d

- ROADMAP: curl_easy_setopt.3 has already been split up
  
  Remove cmake as marked for removal. It is in much better state now.

- ROADMAP: extend the HTTP/2 stuff, remove SPDY

- [Julian Ospald brought this change]

  configure: allow both --with-ca-bundle and --with-ca-path
  
  SSL_CTX_load_verify_locations by default (and if given non-Null
  parameters) searches the CAfile first and falls back to CApath.  This
  allows for CAfile to be a basis (e.g. installed by the package manager)
  and CApath to be a user configured directory.
  
  This wasn't reflected by the previous configure constraint which this
  patch fixes.
  
  Bug: https://github.com/bagder/curl/pull/139

- [Ben Boeckel brought this change]

  cmake: install the dll file to the correct directory

- [Alessandro Ghedini brought this change]

  nss: fix NPN/ALPN protocol negotiation
  
  Correctly check for memcmp() return value (it returns 0 if the strings match).
  
  This is not really important, since curl is going to use http/1.1 anyway, but
  it's still a bug I guess.

- [Alessandro Ghedini brought this change]

  polarssl: fix ALPN protocol negotiation
  
  Correctly check for strncmp() return value (it returns 0 if the strings
  match).

- [Sergei Nikulov brought this change]

  CMake: Fix generation of tool_hugehelp.c on windows
  
  Use "cmake -E echo" instead of "echo".
  
  Reviewed-by: Brad King <brad.king@kitware.com>

- [Sergei Nikulov brought this change]

  CMake: fix winsock2 detection on windows
  
  Set CMAKE_REQUIRED_DEFINITIONS to include definitions needed to get
  the winsock2 API from windows.h.  Simplify the order of checks to
  avoid extra conditions.
  
  Use check_include_file instead of check_include_file_concat to look
  for OpenSSL headers.  They do not need to participate in a sequence
  of dependent system headers.  Also they may cause winsock.h to be
  included before ws2tcpip.h, causing the latter to not be detected
  in the sequence.
  
  Reviewed-by: Brad King <brad.king@kitware.com>

- [Alessandro Ghedini brought this change]

  gtls: fix build with HTTP2

Steve Holme (16 Feb 2015)
- Makefile.vc6: Corrected typos in rename of darwinssl.obj

Nick Zitzmann (15 Feb 2015)
- By request, change the name of "curl_darwinssl.[ch]" to "darwinssl.[ch]"

Steve Holme (14 Feb 2015)
- RELEASE-NOTES: Synced with 6f89f86c3d

- tests/README: Updated to reflect email test ranges

- [Alessandro Ghedini brought this change]

  curl.1: --cert-status is also supported by OpenSSL now

- build: Removed Visual Studio SuppressStartupBanner directive for VC8+
  
  Visual Studio 2005 and above defaults to disabling the startup banner
  for the Compiler, Linker and MIDL tools (with /NOLOGO). As such there
  is no need to explicitly set the SuppressStartupBanner directive, as
  this is a leftover from the VC7 and VC7.1 projects being upgraded to
  VC8 and above.

Kamil Dudka (12 Feb 2015)
- openssl: fix a compile-time warning
  
  lib/vtls/openssl.c:1450:7: warning: extra tokens at end of #endif directive

Steve Holme (11 Feb 2015)
- openssl: Use OPENSSL_IS_BORINGSSL for BoringSSL detection
  
  For consistency with other conditionally compiled code in openssl.c,
  use OPENSSL_IS_BORINGSSL rather than HAVE_BORINGSSL and try to use
  HAVE_BORINGSSL outside of openssl.c when the OpenSSL header files are
  not included.

Patrick Monnerat (11 Feb 2015)
- ftp: accept all 2xx responses to the PORT command

Steve Holme (9 Feb 2015)
- openssl: Disable OCSP in old versions of OpenSSL
  
  Versions of OpenSSL prior to v0.9.8h do not support the necessary
  functions for OCSP stapling.

Daniel Stenberg (9 Feb 2015)
- [Tatsuhiro Tsujikawa brought this change]

  http2: Fix bug that associated stream canceled on PUSH_PROMISE
  
  Previously we don't ignore PUSH_PROMISE header fields in on_header
  callback.  It makes header values mixed with following HEADERS,
  resulting protocol error.

- [Jay Satiro brought this change]

  polarssl: Fix exclusive SSL protocol version options
  
  Prior to this change the options for exclusive SSL protocol versions did
  not actually set the protocol exclusive.
  
  http://curl.haxx.se/mail/lib-2015-01/0002.html
  Reported-by: Dan Fandrich

- [Jay Satiro brought this change]

  gskit: Fix exclusive SSLv3 option

- curl.1: clarify that -X is used for all requests
  
  Reported-by: Jon Seymour

- curl.1: add warning when using -H and redirects

Steve Holme (7 Feb 2015)
- schannel: Removed curl_ prefix from source files
  
  Removed the curl_ prefix from the schannel source files as discussed
  with Marc and Daniel at FOSDEM.

Daniel Stenberg (6 Feb 2015)
- md5: use axTLS's own MD5 functions when available

- MD(4|5): make the MD4_* and MD5_* functions static

- axtls: fix conversion from size_t to int warning

Steve Holme (5 Feb 2015)
- ftp: Use 'CURLcode result' for curl result codes

Daniel Stenberg (5 Feb 2015)
- openssl: SSL_SESSION->ssl_version no longer exist
  
  The struct went private in 1.0.2 so we cannot read the version number
  from there anymore. Use SSL_version() instead!
  
  Reported-by: Gisle Vanem
  Bug: http://curl.haxx.se/mail/lib-2015-02/0034.html

Dan Fandrich (4 Feb 2015)
- unit1600: Fix compilation when NTLM is disabled

Daniel Stenberg (4 Feb 2015)
- MD5: fix compiler warnings and code style nits

- MD5: replace implementation
  
  The previous one was "encumbered" by RSA Inc - to avoid the licensing
  restrictions it has being replaced. This is the initial import,
  inserting the md5.c and md5.h files from
  http://openwall.info/wiki/people/solar/software/public-domain-source-code/md5
  
  Code-by: Alexander Peslyak

- MD4: fix compiler warnings and code style nits

- MD4: replace implementation
  
  The previous one was "encumbered" by RSA Inc - to avoid the licensing
  restrictions it has being replaced. This is the initial import,
  inserting the md4.c and md4.h files from
  http://openwall.info/wiki/people/solar/software/public-domain-source-code/md4
  
  Code-by: Alexander Peslyak

Steve Holme (4 Feb 2015)
- telnet: Prefer 'CURLcode result' for curl result codes

- hostasyn: Prefer 'CURLcode result' for curl result codes

- schannel: Prefer 'CURLcode result' for curl result codes

Daniel Stenberg (3 Feb 2015)
- unit1601: MD5 unit tests

- unit1600: unit test for Curl_ntlm_core_mk_nt_hash

- unit1600: NTLM unit test

- tests/README: add a new range, clean up some language

- [Jay Satiro brought this change]

  opts: CURLOPT_CAINFO availability depends on SSL engine

- getpass: protect include with proper #ifdef
  
  Reported-by: Tamir

- getpass_r: read from stdin, not stdout!
  
  The file number used was wrong. This bug was introduced over 10 years
  ago, proving this function isn't used much...
  
  Bug: http://curl.haxx.se/bug/view.cgi?id=1476
  Reported-by: Tamir

- test1135: verify the CURL_EXTERN order in header files

- Makefile.am: fix 'make distcheck'
  
  ... by removing generated files from the *_DIST variable [*] and instead
  generate them with a .dist suffix, since that is then handled and put
  into the release archive by our generic dist-hook.
  
  [*] = 'make distcheck' fails with non-existing files listed there

Steve Holme (2 Feb 2015)
- curl_sasl.c: More code policing
  
  Better use of 80 character line limit, comment corrections and line
  spacing preferences.

Daniel Stenberg (2 Feb 2015)
- libcurl-symbols: first basic shot for autogenerated docs

- FAQ: minor edit of 3.22

Steve Holme (2 Feb 2015)
- build: Added removal of Visual Studio project files
  
  Added the removal of the locally generated project files so one
  may revert to a clean repository.

- build: Renamed top level Visual Studio solution files
  
  In preparation for adding the test suite and examples projects renamed
  the top level "all" solution files to better describe what they are.
  
  This will also enable us to use "curl" rather than "curlsrc" for the
  command line tool solution and project files, which will simplify some
  of the configuration.

- build: Enabled DEBUGBUILD in Visual Studio debug builds
  
  Defined the DEBUGBUILD pre-processor variable to allow extra logging,
  which is particularly useful in debug builds, as we use this and Visual
  Studio typically uses _DEBUG.
  
  We could define DEBUBBUILD, in curl_setup.h, when _MSC_VER and _DEBUG is
  defined but that would also affect the makefile based builds which we
  probably don't want to do.

- build: Removed unused Visual Studio bscmake settings

Daniel Stenberg (2 Feb 2015)
- CURLOPT_HTTP_VERSION.3: CURL_HTTP_VERSION_2_0 added in 7.33.0
  
  And modify the text to refer to HTTP 2 as it isn't called "2.0".
  
  Reported-By: Michael Wallner

Marc Hoersken (31 Jan 2015)
- TODO: moved WinSSL/SChannel todo items into docs

Daniel Stenberg (29 Jan 2015)
- [Michael Kaufmann brought this change]

  CURLOPT_SEEKFUNCTION.3: also when server closes a connection

Steve Holme (29 Jan 2015)
- curl_sasl.c: Fixed compilation warning when cryptography is disabled
  
  curl_sasl.c:1506: warning: unused variable 'chlg'

- curl_sasl.c: Fixed compilation warning when verbose debug output disabled
  
  curl_sasl.c:1317: warning: unused parameter 'conn'

- ntlm_core: Use own odd parity function when crypto engine doesn't have one

- ntlm_core: Prefer sizeof(key) rather than hard coded sizes

- ntlm_core: Added consistent comments to DES functions

- des: Added Curl_des_set_odd_parity()
  
  Added Curl_des_set_odd_parity() for use when cryptography engines
  don't include this functionality.

- tests: Grouped SMTP SASL EXTERNAL tests with other SMTP tests

- tests: Grouped POP3 SASL EXTERNAL tests with other POP3 tests

- tests: Grouped IMAP SASL EXTERNAL tests with other IMAP tests

- sasl: Minor code policing and grammar corrections

Daniel Stenberg (28 Jan 2015)
- [Gisle Vanem brought this change]

  ldap: build with BoringSSL

- security: avoid compiler warning
  
  Possible access to uninitialised memory '&nread' at line 140 of
  lib/security.c in function 'ftp_send_command'.
  
  Reported-by: Rich Burridge

- runtests: identify BoringSSL and libressl

Patrick Monnerat (27 Jan 2015)
- docs: cite SASL external authentication.

- sasl: remove XOAUTH2 from default enabled authentication mechanism.

- test: add test cases for sasl external authentication (imap/pop3/smtp).

- imap: remove automatic password setting: it breaks external sasl authentication

- sasl: implement EXTERNAL authentication mechanism.
    Its use is only enabled by explicit requirement in URL (;AUTH=EXTERNAL) and
  by not setting the password.

Steve Holme (27 Jan 2015)
- openssl: Fixed Curl_ossl_cert_status_request() not returning FALSE
  
  Modified the Curl_ossl_cert_status_request() function to return FALSE
  when built with BoringSSL or when OpenSSL is missing the necessary TLS
  extensions.

- openssl: Fixed compilation errors when OpenSSL built with 'no-tlsext'
  
  Fixed the build of openssl.c when OpenSSL is built without the necessary
  TLS extensions for OCSP stapling.
  
  Reported-by: John E. Malmberg

- [Brad Spencer brought this change]

  curl_setup: Disable SMB/CIFS support when HTTP only

- RELEASE-NOTES: Synced with 37824498a3

Daniel Stenberg (22 Jan 2015)
- configure: remove detection of the old yassl emulation API
  
  ... as that is ancient history and not used.

- OCSP stapling: disabled when build with BoringSSL

- [Alessandro Ghedini brought this change]

  openssl: add support for the Certificate Status Request TLS extension
  
  Also known as "status_request" or OCSP stapling, defined in RFC6066
  section 8.
  
  Thanks-to: Joe Mason
  - for the work-around for the OpenSSL bug.

- BoringSSL: fix build for non-configure builds
  
  HAVE_BORINGSSL gets defined now by configure and should be defined by
  other build systems in case a BoringSSL build is desired.

- configure: fix BoringSSL detection and detect libresssl

Steve Holme (22 Jan 2015)
- curl_sasl: Reinstate the sasl_ prefix for locally scoped functions
  
  Commit 7a8b2885e2 made some functions static and removed the public
  Curl_ prefix. Unfortunately, it also removed the sasl_ prefix, which
  is the naming convention we use in this source file.

- curl_sasl: Minor code policing following recent commits

Daniel Stenberg (22 Jan 2015)
- [John Malmberg brought this change]

  openvms: Handle openssl/0.8.9zb version parsing
  
  packages/vms/gnv_link_curl.com was assuming only a single letter suffix
  in the openssl version.  That assumption has been fixed for 7.40.

- BoringSSL: detected by configure, switches off NTLM

- BoringSSL: no PKCS12 support nor ERR_remove_state

- [Leith Bade brought this change]

  BoringSSL: fix build

Steve Holme (20 Jan 2015)
- curl_sasl.c: chlglen is not used when cryptography is disabled

- curl_sasl.c: Fixed compilation warning when cyptography is disabled
  
  curl_sasl.c:1453: warning C4101: 'serverdata' : unreferenced local
                    variable

- curl_sasl.c: Fixed compilation error when USE_WINDOWS_SSPI defined
  
  curl_sasl.c:1221: error C2065: 'mechtable' : undeclared identifier
  
  This error could also happen for non-SSPI builds when cryptography is
  disabled (CURL_DISABLE_CRYPTO_AUTH is defined).

Patrick Monnerat (20 Jan 2015)
- SASL: make some procedures local-scoped

- SASL: common state engine for imap/pop3/smtp

- SASL: common URL option and auth capabilities decoders for all protocols

- IMAP/POP3/SMTP: use a per-connection sub-structure for SASL parameters.

Daniel Stenberg (20 Jan 2015)
- ipv6: enclose AF_INET6 uses with proper #ifdefs for ipv6
  
  Reported-by: Chris Young

- [Chris Young brought this change]

  timeval: typecast for better type (on Amiga)
  
  There is an issue with conflicting "struct timeval" definitions with
  certain AmigaOS releases and C libraries, depending on what gets
  included when.  It's a minor difference - the OS one is unsigned,
  whereas the common structure has signed elements.  If the OS one ends up
  getting defined, this causes a timing calculation error in curl.
  
  It's easy enough to resolve this at the curl end, by casting the
  potentially errorneous calculation to a signed long.

- openssl: do public key pinning check independently
  
  ... of the other cert verification checks so that you can set verifyhost
  and verifypeer to FALSE and still check the public key.
  
  Bug: http://curl.haxx.se/bug/view.cgi?id=1471
  Reported-by: Kyle J. McKay

Patrick Monnerat (19 Jan 2015)
- OS400: CURLOPT_SSL_VERIFYSTATUS for ILE/RPG too.

Steve Holme (18 Jan 2015)
- ldap: Renamed the CURL_LDAP_WIN definition to USE_WIN32_LDAP
  
  For consistency with other USE_WIN32_ defines as well as the
  USE_OPENLDAP define.

- http_negotiate: Use dynamic buffer for SPN generation
  
  Use a dynamicly allocated buffer for the temporary SPN variable similar
  to how the SASL GSS-API code does, rather than using a fixed buffer of
  2048 characters.

- sasl_gssapi: Make Curl_sasl_build_gssapi_spn() public

- sasl_gssapi: Fixed memory leak with local SPN variable

Daniel Stenberg (17 Jan 2015)
- http_negotiate.c: unused variable 'ret'

Steve Holme (17 Jan 2015)
- gskit.h: Code policing of function pointer arguments

- vtls: Removed unimplemented overrides of curlssl_close_all()
  
  Carrying on from commit 037cd0d991, removed the following unimplemented
  instances of curlssl_close_all():
  
  Curl_axtls_close_all()
  Curl_darwinssl_close_all()
  Curl_cyassl_close_all()
  Curl_gskit_close_all()
  Curl_gtls_close_all()
  Curl_nss_close_all()
  Curl_polarssl_close_all()

- vtls: Separate the SSL backend definition from the API setup
  
  Slight code cleanup as the SSL backend #define is mixed up with the API
  function setup.

- vtls: Fixed compilation errors when SSL not used
  
  Fixed the following warning and error from commit 3af90a6e19 when SSL
  is not being used:
  
  url.c:2004: warning C4013: 'Curl_ssl_cert_status_request' undefined;
              assuming extern returning int
  
  error LNK2019: unresolved external symbol Curl_ssl_cert_status_request
                 referenced in function Curl_setopt

- http_negotiate: Added empty decoded challenge message info text

- http_negotiate: Return CURLcode in Curl_input_negotiate() instead of int

- http_negotiate_sspi: Prefer use of 'attrs' for context attributes
  
  Use the same variable name as other areas of SSPI code.

- http_negotiate_sspi: Use correct return type for QuerySecurityPackageInfo()
  
  Use the SECURITY_STATUS typedef rather than a unsigned long for the
  QuerySecurityPackageInfo() return and rename the variable as per other
  areas of SSPI code.

- http_negotiate_sspi: Use 'CURLcode result' for CURL result code

- curl_endian: Fixed build when 64-bit integers are not supported (Part 2)
  
  Missed Curl_read64_be() in commit bb12d44471 :(

Daniel Stenberg (16 Jan 2015)
- CURLOPT_SSL_VERIFYSTATUS.3: mention it is added in version 7.41.0

- curlver.h: next release is 7.41.0 due to the changes

- RELEASE-NOTES: mention the new OCSP stapling options, bump version

- opts: add CURLOPT_SSL_VERIFYSTATUS* to docs/Makefile

- help: add --cert-status to --help output

- copyright years: after OCSP stapling changes

- [Alessandro Ghedini brought this change]

  curl: add --cert-status option
  
  This enables the CURLOPT_SSL_VERIFYSTATUS functionality.

- [Alessandro Ghedini brought this change]

  nss: add support for the Certificate Status Request TLS extension
  
  Also known as "status_request" or OCSP stapling, defined in RFC6066 section 8.
  
  This requires NSS 3.15 or higher.

- [Alessandro Ghedini brought this change]

  gtls: add support for the Certificate Status Request TLS extension
  
  Also known as "status_request" or OCSP stapling, defined in RFC6066 section 8.
  
  This requires GnuTLS 3.1.3 or higher to build, however it's recommended to use
  at least GnuTLS 3.3.11 since previous versions had a bug that caused the OCSP
  response verfication to fail even on valid responses.

- [Alessandro Ghedini brought this change]

  url: add CURLOPT_SSL_VERIFYSTATUS option
  
  This option can be used to enable/disable certificate status verification using
  the "Certificate Status Request" TLS extension defined in RFC6066 section 8.
  
  This also adds the CURLE_SSL_INVALIDCERTSTATUS error, to be used when the
  certificate status verification fails, and the Curl_ssl_cert_status_request()
  function, used to check whether the SSL backend supports the status_request
  extension.

- TheArtOfHttpScripting: skip the date at the top, we have git

- TheArtOfHttpScripting: phrase it TLS lib agnostic

Steve Holme (16 Jan 2015)
- TODO: Added some SMB ideas

- RELEASE-NOTES: Synced with 5f09947d28

- build-openssl.bat: Added check for Perl installation

- checksrc.bat: Better detection of Perl installation

- curl_endian: Fixed build when 64-bit integers are not supported
  
  Bug: http://curl.haxx.se/mail/lib-2015-01/0094.html
  Reported-by: John E. Malmberg

Daniel Stenberg (15 Jan 2015)
- [Yun SangHo brought this change]

  curl.h: remove extra space

- Curl_pretransfer: reset expected transfer sizes
  
  Reported-by: Mohammad AlSaleh
  Bug: http://curl.haxx.se/mail/lib-2015-01/0065.html

Marc Hoersken (12 Jan 2015)
- curl_schannel.c: mark session as removed from cache if not freed
  
  If the session is still used by active SSL/TLS connections, it
  cannot be closed yet. Thus we mark the session as not being cached
  any longer so that the reference counting mechanism in
  Curl_schannel_shutdown is used to close and free the session.
  
  Reported-by: Jean-Francois Durand

Steve Holme (9 Jan 2015)
- RELEASE-NOTES: Synced with d21b66835f

Guenter Knauf (9 Jan 2015)
- Merge pull request #134 from vszakats/mingw-m64
  
  add -m64 CFLAGS when targeting mingw64, add -m32/-m64 to LDFLAGS

- Merge pull request #136 from vszakats/mingw-allow-custom-cflags
  
  mingw build: allow to pass custom CFLAGS

Daniel Stenberg (9 Jan 2015)
- NSS: fix compiler error when built http2-enabled

Steve Holme (9 Jan 2015)
- gssapi: Remove need for duplicated GSS_C_NT_HOSTBASED_SERVICE definitions
  
  Better code reuse and consistency in calls to gss_import_name().

Viktor Szakats (9 Jan 2015)
- mingw build: allow to pass custom CFLAGS

Daniel Stenberg (8 Jan 2015)
- FTP: if EPSV fails on IPV6 connections, bail out
  
  ... instead of trying PASV, since PASV can't work with IPv6.
  
  Reported-by: Vojtěch Král

- FTP: fix IPv6 host using link-local address
  
  ... and make sure we can connect the data connection to a host name that
  is longer than 48 bytes.
  
  Also simplifies the code somewhat by re-using the original host name
  more, as it is likely still in the DNS cache.
  
  Original-Patch-by: Vojtěch Král
  Bug: http://curl.haxx.se/bug/view.cgi?id=1468

Steve Holme (8 Jan 2015)
- [Sam Schanken brought this change]

  winbuild: Added option to build with c-ares
  
  Added support for a WITH_CARES option to be used when invoking nmake
  via Makefile.vc. This option enables linking against both the DLL and
  static versions of the c-ares libraries, as well as the debug and
  release varients, depending on the value of DEBUG. The USE_ARES
  preprocessor symbol is also defined.

Guenter Knauf (8 Jan 2015)
- NetWare build: added TLS-SRP enabled build.

Steve Holme (8 Jan 2015)
- sasl_gssapi: Fixed build on NetBSD with built-in GSS-API
  
  Bug: http://curl.haxx.se/bug/view.cgi?id=1469
  Reported-by: Thomas Klausner

Viktor Szakats (8 Jan 2015)
- add -m64 clags when targeting mingw64, add -m32/-m64 to LDFLAGS

Daniel Stenberg (8 Jan 2015)
- bump: start working towards 7.40.1

- THANKS: 14 new contributors from the 7.40.0 release notes

Version 7.40.0 (7 Jan 2015)

Daniel Stenberg (7 Jan 2015)
- RELEASE-NOTES: version 7.40.0

- darwinssl: fix session ID keys to only reuse identical sessions
  
  ...to avoid a session ID getting cached without certificate checking and
  then after a subsequent _enabling_ of the check libcurl could still
  re-use the session done without cert checks.
  
  Bug: http://curl.haxx.se/docs/adv_20150108A.html
  Reported-by: Marc Hesse

- tests: make sure CRLFs can't be used in URLs passed to proxy
  
  Bug: http://curl.haxx.se/docs/adv_20150108B.html

- url-parsing: reject CRLFs within URLs
  
  Bug: http://curl.haxx.se/docs/adv_20150108B.html
  Reported-by: Andrey Labunets

Steve Holme (7 Jan 2015)
- ldap: Convert attribute output to UTF-8 when Unicode

- ldap: Convert DN output to UTF-8 when Unicode

Daniel Stenberg (7 Jan 2015)
- hostip: remove 'stale' argument from Curl_fetch_addr proto
  
  Also, remove the log output of the resolved name is NOT in the cache in
  the spirit of only telling when something is actually happening.

Steve Holme (7 Jan 2015)
- ldap/imap: Fixed spelling mistake in comments and variable names
  
  Reported-by: Michael Osipov

Daniel Stenberg (7 Jan 2015)
- RELEASE-NOTES: updated with ./contributors.sh output

Dan Fandrich (5 Jan 2015)
- curl_multibyte.h: Eliminated some trailing whitespace

Steve Holme (4 Jan 2015)
- RELEASE-NOTES: Synced with ea93252ef1

- ldap: Fixed Unicode usage for all Win32 builds
  
  Otherwise, the fixes in the previous commits would only be applicable
  to IDN and SSPI based builds and not others such as OpenSSL with LDAP
  enabled.

- ldap: Fixed memory leak from commit efb64fdf80

- ldap: Fix memory leak from commit 3a805c5cc1

- ldap: Fixed attribute variable warnings when Unicode is enabled
  
  Use 'TCHAR *' for local attribute variable rather than 'char *'.

- ldap: Fixed DN variable warnings when Unicode is enabled
  
  Use 'TCHAR *' for local DN variable rather than 'char *'.

- ldap: Remove the unescape_elements() function
  
  Due to the recent modifications this function is no longer used.

- ldap.c: Fixed compilation warning
  
  ldap.c:98: warning: extra tokens at end of #endif directive

- ldap: Fixed support for Unicode filter in Win32 search call

- ldap.c: Fixed compilation warning
  
  ldap.c:802: warning: comparison between signed and unsigned integer
              expressions

- ldap: Fixed support for Unicode attributes in Win32 search call

- ldap: Fixed memory leak from commit efb64fdf80
  
  The unescapped DN was not freed after a successful character conversion.

- ldap.c: Fixed compilation error
  
  ldap.c:738: error: macro "LDAP_TRACE" passed 2 arguments, but takes
              just 1

- ldap.c: Fixed compilation warning
  
  ldap.c:89: warning: extra tokens at end of #endif directive

- ldap: Fixed support for Unicode DN in Win32 search call

- ldap: Fixed Unicode user and password in Win32 bind calls

- ldap: Fixed Unicode host name in Win32 initialisation calls

- ldap: Use host.dispname for infof() connection failure messages
  
  As host.name may be encoded use dispname for infof() failure messages.

- ldap: Prefer 'CURLcode result' for curl result codes

- ldap: Pass write length in all Curl_client_write() calls
  
  As we get the length for the DN and attribute variables, and we know
  the length for the line terminator, pass the length values rather than
  zero as this will save Curl_client_write() from having to perform an
  additional strlen() call.

- ldap: Fixed attribute memory leaks on failed client write
  
  Fixed memory leaks from commit 086ad79970 as was noted in the commit
  comments.

- ldap: Fixed DN memory leaks on failed client write
  
  Fixed memory leaks from commit 086ad79970 as was noted in the commit
  comments.

- curl_ntlm_core.c: Fixed compilation warning from commit 1cb17b2a5d
  
  curl_ntlm_core.c:146: warning: passing 'DES_cblock' (aka 'unsigned char
                        [8]') to parameter of type 'char *' converts
                        between pointers to integer types with different
                        sign

- ntlm: Use extend_key_56_to_64() for all cryptography engines
  
  Rather than duplicate the code in setup_des_key() for OpenSSL and in
  extend_key_56_to_64() for non-OpenSSL based crypto engines, as it is
  the same, use extend_key_56_to_64() for all engines.

- RELEASE-NOTES: Synced with 34f0bd110f

- curl_ntlm_core.c: Fixed compilation warning
  
  curl_ntlm_core.c:458: warning: 'ascii_uppercase_to_unicode_le' defined
                        but not used

- endian: Fixed bit-shift in 64-bit integer read functions
  
  From commit 43792592ca and 4bb5a351b2.
  
  Reported-by: Michael Osipov

- smb: Use endian functions for reading NBT and message size values

- endian: Added big endian read functions

- endian: Added 64-bit integer read function

- COPYING: Bumped copyright year to 2015

- version: Bump copyright year to 2015

- smb.c: Fixed compilation warnings
  
  smb.c:780: warning: passing 'char *' to parameter of type 'unsigned
             char *' converts between pointers to integer types with
             different sign
  smb.c:781: warning: passing 'char *' to parameter of type 'unsigned
             char *' converts between pointers to integer types with
             different sign
  smb.c:804: warning: passing 'char *' to parameter of type 'unsigned
             char *' converts between pointers to integer types with
             different sign

- smb: Use endian functions for reading length and offset values

- endian: Added 16-bit integer write function

- endian: Fixed Linux compilation issues
  
  Having files named endian.[c|h] seemed to cause issues under Linux so
  renamed them both to have the curl_ prefix in the filenames.

- [Julien Nabet brought this change]

  lib1900.c: Fixed cppcheck error
  
  lib1900.c:182: (style) Array index 'handlenum' is used before limits
                 check
  
  Bug: https://github.com/bagder/curl/pull/133

- endian: Added standard function descriptions

- endian: Renamed functions for curl API naming convention

- endian: Moved write functions to new module

- endian: Moved read functions to new module

- endian: Introduced endian module
  
  To allow the little endian functions, currently used in two of the NTLM
  source files, to be used by other modules such as the SMB module.

- sepheaders.c: Applied curl oding standards

- [Julien Nabet brought this change]

  sepheaders.c: Fixed resource leak on failure

- vtls: Use '(void) arg' for unused parameters
  
  Prefer void for unused parameters, rather than assigning an argument to
  itself as a) unintelligent compilers won't optimize it out, b) it can't
  be used for const parameters, c) it will cause compilation warnings for
  clang with -Wself-assign and d) is inconsistent with other areas of the
  curl source code.

- smb.c: Fixed compilation warning
  
  smb.c:586: warning: conversion to 'short unsigned int' from 'int' may
             alter its value

- [Bill Nagel brought this change]

  smb: Use the connection's upload buffer
  
  Use the connection's upload buffer instead of allocating our own send
  buffer.

- RELEASE-NOTES: Synced with 1933f9d33c

- schannel: Moved the ISC return flag definitions to the SSPI module
  
  Moved our Initialize Security Context return attribute definitions to
  the SSPI module, as a) these can be used by other SSPI based providers
  and b) the ISC required attributes are defined there.

- [Bill Nagel brought this change]

  smb: Close the connection after a failed client write

- darwinssl: Fixed compilation warning
  
  vtls.c:683:43: warning: unused parameter 'data'

- sockfilt.c: Fixed compilation warnings
  
  sockfilt.c:288: warning: conversion to 'DWORD' from 'size_t' may alter
                  its value
  sockfilt.c:291: warning: conversion to 'DWORD' from 'size_t' may alter
                  its value
  sockfilt.c:323: warning: conversion to 'DWORD' from 'size_t' may alter
                  its value
  sockfilt.c:326: warning: conversion to 'DWORD' from 'size_t' may alter
                  its value

- test1509: Fixed compilation warning
  
  lib1509.c:93:18: warning: conversion to 'long int' from 'size_t' may
                   alter its value

- test556: Fixed compilation warning
  
  lib556.c:90: warning: conversion to 'unsigned int' from 'size_t' may
               alter its value

- sasl_gssapi: Fixed use of dummy username with real username

- vtls: Fixed compilation warning and an ignored return code
  
  curl_schannel.h:123: warning: right-hand operand of comma expression
                       has no effect
  
  Some instances of the curlssl_close_all() function were declared with a
  void return type whilst others as int. The schannel version returned
  CURLE_NOT_BUILT_IN and others simply returned zero, but in all cases the
  return code was ignored by the calling function Curl_ssl_close_all().
  
  For the time being and to keep the internal API consistent, changed all
  declarations to use a void return type.
  
  To reduce code we might want to consider removing the unimplemented
  versions and use a void #define like schannel does.

Daniel Stenberg (28 Dec 2014)
- TODO: 2.3 Better support for same name resolves

Steve Holme (28 Dec 2014)
- test1520: Fixed initial teething problems
  
  * Missing initialisation of upload status caused a seg fault
  * Missing data termination caused corrupt data to be uploaded
  * Data verification should be performed in <upload> element
  * Added missing recipient list cleanup

- test1520: Fixed compilation errors

- tests: Added test for bug #1456

- checksrc.bat: Fixed a problem opening files with spaces in the filename

- openldap: Prefer use of 'CURLcode result'

- openldap: Use 'LDAPMessage *msg' for messages
  
  This frees up the 'result' variable for CURLcode based result codes.

- nss: Don't ignore Curl_extract_certinfo() OOM failure

- nss: Don't ignore Curl_ssl_init_certinfo() OOM failure

- nss: Use 'CURLcode result' for curl result codes
  
  ...and don't use CURLE_OK in failure/success comparisons.

- getinfo: Code style policing

- getinfo: Use 'CURLcode result' for curl result codes

- darwinssl: Use 'CURLcode result' for curl result codes

- polarssl: Use 'CURLcode result' for curl result codes

- docs: Updated following the addition of SASL GSSAPI via GSS-API libraries
  
  As this feature has been implemented for 7.40.0.

- asiohiper.cpp: No need to initialise members of ConnInfo
  
  ...as calloc() automatically clears the area of memory with zeros.

- asiohiper.cpp: Updated for curl coding standards
  
  ...with the exception of the start of block statement curly brackets.

- code/docs: Use correct case for IPv4 and IPv6
  
  For consistency, as we seem to have a bit of a mixed bag, changed all
  instances of ipv4 and ipv6 in comments and documentations to use the
  correct case.

- runtests: Fixed detection of Unix Sockets feature
  
  ...following change in curl --version output.

- code/docs: Use Unix rather than UNIX to avoid use of the trademark
  
  Use Unix when generically writing about Unix based systems as UNIX is
  the trademark and should only be used in a particular product's name.

- ip2ip.c: Fixed compilation warning when IPv6 Scope ID not supported
  
  if2ip.c:119: warning: unused parameter 'remote_scope_id'
  
  ...and some minor code style policing in the same function.

- vtls: Don't set cert info count until memory allocation is successful
  
  Otherwise Curl_ssl_init_certinfo() can fail and set the num_of_certs
  member variable to the requested count, which could then be used
  incorrectly as libcurl closes down.

- vtls: Use CURLcode for Curl_ssl_init_certinfo() return type
  
  The return type for this function was 0 on success and 1 on error. This
  was then examined by the calling functions and, in most cases, used to
  return CURLE_OUT_OF_MEMORY.
  
  Instead use CURLcode for the return type and return the out of memory
  error directly, propagating it up the call stack.

- configure: Use camel case for UNIX sockets feature output
  
  To match the curl --version output.

Marc Hoersken (26 Dec 2014)
- sockfilt.c: Reduce the number of individual memory allocations
  
  Merge multiple internal arrays into one, even if some variables
  will not not be used. They are all created with the number of
  file descriptors as their size.
  
  Also fix possible thread handle leak in CloseHandle-loop.

- sockfilt.c: Replace 100ms sleep with thread throttle
  
  Improves performance of test cases 574 and 575 by 50%.
  
  A value of zero causes the thread to relinquish the remainder
  of its time slice to any other thread of equal priority that is
  ready to run. If there are no other threads of equal priority
  ready to run, the function returns immediately, and the thread
  continues execution.
  
  http://msdn.microsoft.com/library/windows/desktop/ms686307.aspx

Steve Holme (25 Dec 2014)
- tool_help: Use camel case for UNIX sockets feature output
  
  In line with the other features listed in the --version output,
  capitalise the UNIX socket feature.

- vtls: Use bool for Curl_ssl_getsessionid() return type
  
  The return type of this function is a boolean value, and even uses a
  bool internally, so use bool in the function declaration as well as
  the variables that store the return value, to avoid any confusion.

- schannel: Minor code style policing for casts

- schannel: Prefer 'CURLcode result' for curl result codes

- cyassl: Prefer 'CURLcode result' for curl result codes

- tool_xattr: Use 'CURLcode result' for curl result codes

- curl_ntlm_core.c: Fixed compilation warnings
  
  curl_ntlm_core.c:301: warning: pointer targets in passing argument 2 of
                        'CryptImportKey' differ in signedness
  curl_ntlm_core.c:310: warning: passing argument 6 of 'CryptEncrypt' from
                        incompatible pointer type
  curl_ntlm_core.c:540: warning: passing argument 4 of 'CryptGetHashParam'
                        from incompatible pointer type

- RELEASE-NOTES: Synced with 8830df8b66

- gtls: Use preferred 'CURLcode result'

- openldap: Use standard naming for setup connection function
  
  Renamed ldap_setup() to ldap_setup_connection() to follow more widely
  used function naming.

- rtmp: Use standard naming for setup connection function
  
  Renamed rtmp_setup() to rtmp_setup_connection() to follow more widely
  used function naming.

- smb: Use standard naming for setup connection function
  
  Renamed smb_setup() to smb_setup_connection() to follow more widely
  used function naming.

- config-win32.h: Fixed line length > 79 columns

- openssl: Prefer we don't use NULL in comparisons

- build: Removed WIN32 definition from the Visual Studio projects
  
  As this pre-processor definition is defined in curl_setup.h there is no
  need to include it in the Visual Studio project files.

- build: Removed WIN64 definition from the libcurl Visual Studio projects
  
  Removed the WIN64 pre-processor definition from the libcurl project
  files as:
  
  * WIN64 is not used in our source code
  * The curl projects files don't define it
  * It isn't required by or used in the platform SDK
  * For backwards compatability curl_setup.h defines WIN32
  * The compiler automatically defines _WIN64 for x64 builds
  
  Historically Visual Studio projects have defined WIN32, in addition to
  the compiler defined _WIN32 definition, and I had incorrectly changed
  that to WIN64 for the x64 libcurl builds but not in the curl projects.
  
  As such, it is questionable whether this should be defined or not. For
  more information see the following cache of a discussion that took
  place on the microsoft.public.vc.mfc newsgroup:
  
  http://www.tech-archive.net/Archive/VC/microsoft.public.vc.mfc/2008-06/msg00074.html

- openssl.c Fix for compilation errors with older versions of OpenSSL
  
  openssl.c:1408: error: 'TLS1_1_VERSION' undeclared
  openssl.c:1411: error: 'TLS1_2_VERSION' undeclared

Daniel Stenberg (22 Dec 2014)
- [John Malmberg brought this change]

  Fix comment edit in vms/backup_gnv_curl_src.com
  
  packages/vms/backup_gnv_curl_src.com: Originally copied from Bash port.

- curl: show size of inhibited data when using -v
  
  To offer some more info and yet it doesn't use more lines.

- openssl: fix SSL/TLS versions in verbose output

- openssl: make it compile against openssl 1.1.0-DEV master branch

Marc Hoersken (22 Dec 2014)
- sshserver.pl: clarify and streamline variable names

Daniel Stenberg (21 Dec 2014)
- openssl: warn for SRP set if SSLv3 is used, not for TLS version
  
  ... as it requires TLS and it was was left to warn on the default from
  when default was SSL...

- smb: use memcpy() instead of strncpy()
  
  ... as it never copies the trailing zero anyway and always just the four
  bytes so let's not mislead anyone into thinking it is actually treated
  as a string.
  
  Coverity CID: 1260214

- [John E. Malmberg brought this change]

  VMS: Updates for 0740-0D1220
  
  lib/setup-vms.h : VAX HP OpenSSL port is ancient, needs help.
                    More defines to set symbols to uppercase.
  
  src/tool_main.c : Fix parameter to vms_special_exit() call.
  
  packages/vms/ :
    backup_gnv_curl_src.com : Fix the error message to have the correct package.
  
    build_curl-config_script.com : Rewrite to be more accurate.
  
    build_libcurl_pc.com : Use tool_version.h now.
  
    build_vms.com : Fix to handle lib/vtls directory.
  
    curl_gnv_build_steps.txt : Updated build procedure documentation.
  
    generate_config_vms_h_curl.com :
         * VAX does not support 64 bit ints, so no NTLM support for now.
         * VAX HP SSL port is ancient, needs some help.
         * Disable NGHTTP2 for now, not ported to VMS.
         * Disable UNIX_SOCKETS, not available on VMS yet.
         * HP GSSAPI port does not have gss_nt_service_name.
  
    gnv_link_curl.com : Update for new curl structure.
  
    pcsi_product_gnv_curl.com : Set up to optionally do a complete build.

Marc Hoersken (21 Dec 2014)
- sockfilt.c: use non-Ex functions that are available before WinXP
  
  It was initially reported by Guenter that GetFileSizeEx
  requires (_WIN32_WINNT >= 0x0500) to be true.

- tests: use Cygwin-style paths in SSH, SSHD and SFTP config files
  
  Second patch to enable Windows support using Cygwin-based OpenSSH.
  
  Tested with CopSSH 5.0.0 free edition using an msys shell on Windows 7.

- tests: support spaces in paths to SSH, SSHD and SFTP binaries
  
  First patch to enable Windows support using Cygwin-based OpenSSH.

Steve Holme (20 Dec 2014)
- non-ascii: Reduce variable usage
  
  Removed 'next' variable in Curl_convert_form(). Rather than setting it
  from 'form->next' and using that to set 'form' after the conversion
  just use 'form = form->next' instead.

- non-ascii: Prefer while loop rather than a do loop
  
  This also removes the need to check that the 'form' argument is valid.

- non-ascii: Reduce variable scope
  
  As 'result' isn't used out side the conversion callback code and
  previously caused variable shadowing in the libiconv based code.

- non-ascii: We prefer 'CURLcode result'
  
  This also fixes a variable shadowing issue when HAVE_ICONV is defined
  as rc was declared for the result code of libiconv based functions.

Marc Hoersken (19 Dec 2014)
- secureserver.pl: clean up formatting of config and fix verbose output
  
  Verbose output was not matching the actual configuration file,
  because FIPS and Windows conditions were ignored.

- secureserver.pl: update Windows detection and fix path conversion

- secureserver.pl: make OpenSSL CApath and cert absolute path values
  
  Recent stunnel versions (5.08) seem to have trouble with relative
  paths on Windows. This turns the relative paths into absolute ones.

Patrick Monnerat (18 Dec 2014)
- if2ip: dummy scope parameter for Curl_if2ip() call in SIOCGIFADDR-enabled code.

- [Kyle J. McKay brought this change]

  parseurlandfillconn(): fix improper non-numeric scope_id stripping.
  Fixes SF bug 1149: http://sourceforge.net/p/curl/bugs/1449/

- IPV6: address scope != scope id
  There was a confusion between these: this commit tries to disambiguate them.
  - Scope can be computed from the address itself.
  - Scope id is scope dependent: it is currently defined as 1-based local
    interface index for link-local scoped addresses, and as a site index(?) for
    (obsolete) site-local addresses. Linux only supports it for link-local
    addresses.
  The URL parser properly parses a scope id as an interface index, but stores it
  in a field named "scope": confusion. The field has been renamed into "scope_id".
  Curl_if2ip() used the scope id as it was a scope. This caused failures
  to bind to an interface.
  Scope is now computed from the addresses and Curl_if2ip() matches them.
  If redundantly specified in the URL, scope id is check for mismatch with
  the interface index.
  
  This commit should fix SF bug #1451.

- connect: singleipconnect(): properly try other address families after failure

Daniel Stenberg (16 Dec 2014)
- SFTP: work-around servers that return zero size on STAT
  
  Bug: http://curl.haxx.se/mail/lib-2014-12/0103.html
  Pathed-by: Marc Renault

- glob_next_url: make the loop count upwards
  
  As the former contruct apparently caused a compiler warning, mentioned
  in d8efde07e556c.

- tool_operate: we prefer 'CURLcode result'

- tool_urlglob: unify return codes to use CURLcode
  
  There was a mix of GlobCode, CURLcode and ints and they were mostly
  passing around CURLcode errors. This change makes the functions use only
  CURLcode and removes the GlobCode type completely.

- tool_urlglob.c: partly reverse dc19789444
  
  The loop in glob_next_url() needs to be done backwards to maintain the
  logic. dc19789444 caused test 1235 to fail.

- KNOWN_BUGS: the SFTP code doesn't support CURLINFO_FILETIME

- [Jay Satiro brought this change]

  opts: Warn CURLOPT_TIMEOUT overrides when set after CURLOPT_TIMEOUT_MS
  
  Change CURLOPT_TIMEOUT doc to warn that if CURLOPT_TIMEOUT and
  CURLOPT_TIMEOUT_MS are both set whichever one is set last is the one
  that will be used.
  
  Prior to this change that behavior was only noted in the
  CURLOPT_TIMEOUT_MS doc.

Nick Zitzmann (15 Dec 2014)
- darwinssl: fix incorrect usage of aprintf()
  
  Commit b13923f changed an snprintf() to use aprintf(), but the API usage
  wasn't correct, and was causing a crash to occur. This fixes it.

Steve Holme (14 Dec 2014)
- copyright: Updated the copyright year following recent updates

Daniel Stenberg (14 Dec 2014)
- tool_urlglob.c: reverse two loops
  
  By counting from 0 and up instead of backwards like before, we remove
  the need for the "funny" check of the unsigned variable when decreased
  passed zero. Easier to read and less risk for compiler warnings.

Marc Hoersken (14 Dec 2014)
- tool_urlglob.c: Added braces to clarify the conditions

- tool_urlglob.c: Silence warning C6293: Ill-defined for-loop
  
  The >= 0 is actually not required, since i underflows and
  the for-loop is stopped using the < condition, but this
  makes the VS2012 compiler and code analysis happy.

- tool_binmode.c: Explicitly ignore the return code of setmode
  
  Fixes code analysis warning C6031:
  return value ignored: <function> could return unexpected value

- lib: Fixed multiple code analysis warnings if SAL are available
  
  warning C28252: Inconsistent annotation for function:
  parameter has another annotation on this instance

Steve Holme (14 Dec 2014)
- smb.c: Fixed code analysis warning
  
  smb.c:320: warning C6297: Arithmetic overflow: 32-bit value is shifted,
             then cast to 64-bit value. Result may not be an expected
             value

Marc Hoersken (14 Dec 2014)
- tool_util.c: Use GetTickCount64 if it is available

Steve Holme (14 Dec 2014)
- smb: Use HAVE_PROCESS_H for process.h inclusion
  
  Rather than testing against _WIN32 use the preferred HAVE_PROCESS_H
  pre-processor define when including process.h.

Daniel Stenberg (14 Dec 2014)
- darwinssl: aprintf() to allocate the session key
  
  ... to avoid using a fixed memory size that risks being too large or too
  small.

Marc Hoersken (14 Dec 2014)
- curl_schannel: Improvements to memory re-allocation strategy
  
  - do not grow memory by doubling its size
  - do not leak previously allocated memory if reallocation fails
  - replace while-loop with a single check to make sure
    that the requested amount of data fits into the buffer
  
  Bug: http://curl.haxx.se/bug/view.cgi?id=1450
  Reported-by: Warren Menzer

Steve Holme (14 Dec 2014)
- asyn-ares: We prefer use of 'CURLcode result'

Marc Hoersken (14 Dec 2014)
- curl_schannel.c: Data may be available before connection shutdown

Steve Holme (14 Dec 2014)
- http2: Use 'CURLcode result' for curl result codes

- asyn-thread:  We prefer 'CURLcode result'

- smb: Fixed unnecessary initialisation of struct member variables
  
  There is no need to set the 'state' and 'result' member variables to
  SMB_REQUESTING (0) and CURLE_OK (0) after the allocation via calloc()
  as calloc() initialises the contents to zero.

- ntlm: Fixed return code for bad type-2 Target Info
  
  Use CURLE_BAD_CONTENT_ENCODING for bad type-2 Target Info security
  buffers just like we do for bad decodes.

- ntlm: Remove unnecessary casts in readshort_le()
  
  I don't think both of my fix ups from yesterday were needed to fix the
  compilation warning, so remove the one that I think is unnecessary and
  let the next Android autobuild prove/disprove it.

- curl_ntlm_msgs.c: Another attempt to fix compilation warning
  
  curl_ntlm_msgs.c:170: warning: conversion to 'short unsigned int' from
                        'int' may alter its value

Guenter Knauf (13 Dec 2014)
- synctime.c: added own user-agent string.

Steve Holme (13 Dec 2014)
- smb.c: Fixed line longer than 79 columns

- curl_ntlm_msgs.c: Fixed compilation warning from commit 783b5c3b11
  
  curl_ntlm_msgs.c:169: warning: conversion to 'short unsigned int' from
                        'int' may alter its value

Guenter Knauf (13 Dec 2014)
- mk-ca-bundle.pl: restored forced run again.

- synctime.c: removed another timeserver URL.
  
  worldtimeserver.com seems also no longer available.

- synctime.c: fixed timeserver URLs.
  
  For getting the date header its not necessary to access special
  pages or even CGI scripts - all pages including the main index
  reply with the date header, therefore shortened URLs to domain.
  Removed worldtime.com; added pool.ntp.org.

Steve Holme (13 Dec 2014)
- ftp.c: Fixed compilation warning when no verbose string support
  
  ftp.c:819: warning: unused parameter 'lineno'

- smb: Added state change functions to assist with debugging
  
  For debugging purposes, and as per other protocols within curl, added
  state change functions rather than changing the states directly.

- ntlm: Use short integer when decoding 16-bit values

- RELEASE-NOTES: Synced with 6291a16b20

- smtp.c: Fixed compilation warnings
  
  smtp.c:2357 warning: adding 'size_t' (aka 'unsigned long') to a string
              does not append to the string
  smtp.c:2375 warning: adding 'size_t' (aka 'unsigned long') to a string
              does not append to the string
  smtp.c:2386 warning: adding 'size_t' (aka 'unsigned long') to a string
              does not append to the string
  
  Used array index notation instead.

- smb: Disable SMB when 64-bit integers are not supported
  
  This fixes compilation issues with compilers that don't support 64-bit
  integers through long long or __int64.

- ntlm: Disable NTLM v2 when 64-bit integers are not supported
  
  This fixes compilation issues with compilers that don't support 64-bit
  integers through long long or __int64 which was introduced in commit
  07b66cbfa4.

- ntlm: Allow NTLM2Session messages when USE_NTRESPONSES manually defined
  
  Previously USE_NTLM2SESSION would only be defined automatically when
  USE_NTRESPONSES wasn't already defined. Separated the two definitions
  so that the user can manually set USE_NTRESPONSES themselves but
  USE_NTLM2SESSION is defined automatically if they don't define it.

- smtp.c: Fixed line longer than 79 columns

- config-win32.h: Don't enable Windows Crypt API if using OpenSSL
  
  As the OpenSSL and NSS Crypto engines are prefered by the core NTLM
  routines, to the Windows Crypt API, don't define USE_WIN32_CRYPT
  automatically when either OpenSSL or NSS are in use - doing so would
  disable NTLM2Session responses in NTLM type-3 messages.

- smtp: Fixed inappropriate free of the scratch buffer
  
  If the scratch buffer was allocated in a previous call to
  Curl_smtp_escape_eob(), a new buffer not allocated in the subsequent
  call and no action taken by that call, then an attempt would be made to
  try and free the buffer which, by now, would be part of the data->state
  structure.
  
  This bug was introduced in commit 4bd860a001.

- smtp: Fixed dot stuffing when EOL characters were at end of input buffers
  
  Fixed a problem with the CRLF. detection when multiple buffers were
  used to upload an email to libcurl and the line ending character(s)
  appeared at the end of each buffer. This meant any lines which started
  with . would not be escaped into .. and could be interpreted as the end
  of transmission string instead.
  
  This only affected libcurl based applications that used a read function
  and wasn't reproducible with the curl command-line tool.
  
  Bug: http://curl.haxx.se/bug/view.cgi?id=1456
  Assisted-by: Patrick Monnerat

Daniel Stenberg (11 Dec 2014)
- telnet: fix "cast increases required alignment of target type"

- ntlm_wb_response: fix "statement not reached"
  
  ... and I could use a break instead of a goto to end the loop.
  
  Bug: http://curl.haxx.se/mail/lib-2014-12/0089.html
  Reported-by: Tor Arntsen

Steve Holme (10 Dec 2014)
- RELEASE-NOTES: Synced with 1cc5194337
  
  Added some bug fixes that I had missed in previous synchronisations.

Daniel Stenberg (10 Dec 2014)
- Curl_unix2addr: avoid using the variable name 'sun'
  
  I suspect this causes compile failures on Solaris:
  
  Bug: http://curl.haxx.se/mail/lib-2014-12/0081.html

Steve Holme (10 Dec 2014)
- url.c: Fixed compilation warning when USE_NTLM is not defined
  
  url.c:3078: warning: variable 'credentialsMatch' set but not used

- parsedate.c: Fixed compilation warning
  
  parsedate.c:548: warning: 'parsed' may be used uninitialized in this
                   function
  
  As curl_getdate() returns -1 when parsedate() fails we can initialise
  parsed to -1.

Daniel Stenberg (10 Dec 2014)
- TODO: Cache negative name resolves
  
  Worth exploring

- ldap: check Curl_client_write() return codes
  
  There might be one or two memory leaks left in the error paths.

- ldap: rename variables to comply to curl standards

Dan Fandrich (10 Dec 2014)
- sws.c: Fixed 'rc' may be used uninitialized warning

- cookies: Improved OOM handling in cookies
  
  This fixes the test 506 torture test. The internal cookie API really
  ought to be improved to separate cookie parsing errors (which may be
  ignored) with OOM errors (which should be fatal).

Guenter Knauf (9 Dec 2014)
- synctime.c: fixed user-agent setting.
  
  Some websites meanwhile refuse to reply to requests from ancient
  browsers like IE6, therefore I've comment out this setting, but
  also fixed the string to now fake IE8 if someone enables it.

Daniel Stenberg (9 Dec 2014)
- smb: fix unused return code warning

Patrick Monnerat (9 Dec 2014)
- Curl_client_write() & al.: chop long data, convert data only once.

Guenter Knauf (9 Dec 2014)
- VC build: added sspi define for winssl-zlib builds.

Daniel Stenberg (9 Dec 2014)
- schannel_recv: return the correct code
  
  Bug: http://curl.haxx.se/bug/view.cgi?id=1462
  Reported-by: Tae Hyoung Ahn

- http2: avoid logging neg "failure" if h2 was not requested

- openldap: do not ignore Curl_client_write() return codes

- compile: warn on unused return code from Curl_client_write()

Patrick Monnerat (8 Dec 2014)
- SMB: Fix a data size mismatch that broke SMB on big-endian platforms

Steve Holme (7 Dec 2014)
- smb: Fixed Windows autoconf builds following commit eb88d778e7
  
  As Windows based autoconf builds don't yet define USE_WIN32_CRYPTO
  either explicitly through --enable-win32-cypto or automatically on
  _WIN32 based platforms, subsequent builds broke with the following
  error message:
  
  "Can't compile NTLM support without a crypto library."

- RELEASE-NOTES: Synced with 526603ff05

- [Bill Nagel brought this change]

  smb: Build with SSPI enabled
  
  Build SMB/CIFS protocol support when SSPI is enabled.

- [Bill Nagel brought this change]

  ntlm: Use Windows Crypt API
  
  Allow the use of the Windows Crypt API for NTLMv1 functions.

Dan Fandrich (7 Dec 2014)
- cookie.c: Refactored cleanup code to simplify
  
  Also, fixed the outdated comments on the cookie API.

- get_url_file_name: Fixed crash on OOM on debug build
  
  This caused a null-pointer dereference which caused a few dozen
  torture tests to fail.

Steve Holme (6 Dec 2014)
- sws.c: Fixed compilation warning
  
  sws.c:2191 warning: 'rc' may be used uninitialized in this function

- ftp.c: Fixed compilation warnings when proxy support disabled
  
  ftp.c:1827 warning: unused parameter 'newhost'
  ftp.c:1827 warning: unused parameter 'newport'

- smb: Fixed a problem with large file transfers
  
  Fixed an issue with the message size calculation where the raw bytes
  from the buffer were interpreted as signed values rather than unsigned
  values.
  
  Reported-by: Gisle Vanem
  Assisted-by: Bill Nagel

- smb: Moved the URL decoding into a separate function

- smb: Fixed URL encoded URLs not working

- Makefile.inc: Added our standard header and updated file formatting

- Makefile.inc: Updated file formatting
  
  Aligned continuation character and used space as the separator
  character as per other makefile files.

- curl_md4.h: Updated copyright year following recent edit
  
  ...and minor layout adjustment.

Patrick Monnerat (5 Dec 2014)
- SMB: Fix big endian problems. Make it OS/400 aware.

- OS400: enable NTLM authentication

Steve Holme (5 Dec 2014)
- multi.c: Fixed compilation warning
  
  multi.c:2695: warning: declaration of `exp' shadows a global declaration

Guenter Knauf (5 Dec 2014)
- build: updated dependencies in makefiles.

Steve Holme (5 Dec 2014)
- sasl: Corrected formatting of function descriptions