RELEASE-NOTES: synced with 52af6e69f0 / 7.28.1

RELEASE-NOTES: NSS can be used for metalink hashing
Get test 2032 working when using valgrind
2012-11-20 08:05:42 +01:00 · 2012-11-20 00:14:31 +01:00 · 2012-11-19 13:36:28 +01:00 · 2012-11-19 13:36:10 +01:00 · 2012-11-19 10:58:14 +01:00 · 2012-11-19 10:58:14 +01:00
142 changed files with 2295 additions and 636 deletions
--- a/138
+++ b/138
@@ -1,62 +1,51 @@
-Curl and libcurl 7.28.0
+Curl and libcurl 7.28.1
- Public curl releases:         129
+ Public curl releases:         130
 Command line options:         152
 curl_easy_setopt() options:   199
 Public functions in libcurl:  58
 Known libcurl bindings:       39
- Contributors:                 953
+ Contributors:                 979
 This release includes the following changes:
- o SSH: added agent based authentication
+ o metalink/md5: Use CommonCrypto on Apple operating systems
- o ftp: active conn, allow application to set sockopt after accept() call
+ o href_extractor: new example code extracting href elements
-   with CURLSOCKTYPE_ACCEPT
+ o NSS can be used for metalink hashing [13]
 o multi: add curl_multi_wait() [12]
 o metalink: Added support for Microsoft Windows CryptoAPI
 o md5: Added support for Microsoft Windows CryptoAPI
 o parse_proxy: treat "socks://x" as a socks4 proxy [17]
 o socks: Added support for IPv6 connections through SOCKSv5 proxy
 This release includes the following bugfixes:
- o WSAPoll disabled on Windows builds due to its bugs [8]
+ o Fix broken libmetalink-aware OpenSSL build
- o segfault on request retries [1]
+ o gnutls: fix the error is fatal logic [1]
- o curl-config: parentheses fix [2]
+ o darwinssl: un-broke iOS build, fix error on server disconnect
- o VC build: add define for openssl [3]
+ o asyn-ares: restore functionality with c-ares < 1.6.1 [2]
- o globbing: fix segfault when >9 globs were used [4]
+ o tlsauthtype: deal with the string case insensitively [3]
- o fixed a few clang-analyzer warnings
+ o Fixed MSVC libssh2 static build
- o metalink: change code order to build with gnutls-nettle [5]
+ o evhiperfifo: fix the pointer passed to WRITEDATA [6]
- o gtls: fix build failure by including nettle-specific headers [5]
+ o BUGS: fix the bug tracker URL [4]
- o change preferred HTTP auth on a handle previously used for another auth [9]
+ o winbuild: Use machine type of development environment
- o file: use fdopen() to avoid race condition [6]
+ o FTP: prevent the multi interface from blocking [5]
- o Added DWANT_IDN_PROTOTYPES define for MSVC too [7]
+ o uniformly use AM_CPPFLAGS, avoid deprecated INCLUDES
- o verbose: fixed (nil) output of hostnames in re-used connections [10]
+ o httpcustomheader.c: free the headers after use
- o metalink: Un-broke the build when building --with-darwinssl
+ o fix >2000 bytes POST over NTLM-using proxy [7]
- o curl man page cleanup
+ o redirects to URLs with fragments [8]
- o Avoid leak of local device string when reusing connection
+ o don't send '#' fragments when using proxy [9]
- o Curl_socket_check: fix return code for timeout [11]
+ o OpenSSL: show full issuer string [10]
- o nss: do not print misleading NSS error codes
+ o fix HTTP auth regression [11]
- o configure: remove the --enable/disable-nonblocking options
+ o CURLOPT_SSL_VERIFYHOST: stop supporting the 1 value [12]
- o darwinssl: add TLS 1.1 and 1.2 support, replace deprecated functions
+ o ftp: EPSV-disable fix over SOCKS [14]
- o NTLM: re-use existing connection better
+ o Digest: Add microseconds into nounce calculation [15]
- o schannel crash on multi and easy handle cleanup
+ o SCP/SFTP: improve error code used for send failures
- o SOCKS: truly disable it if CURL_DISABLE_PROXY is defined [13]
+ o SSL: Several SSL-backend related fixes
- o mk-ca-bundle: detect start of trust section better [14]
+ o removed the notorious "additional stuff not fine" debug output
- o gnutls: do not fail on non-fatal handshake errors [15]
+ o OpenSSL: Disable SSL/TLS compression - avoid the "CRIME" attack
- o SMTP: only send SIZE if supported [16]
+ o FILE: Make upload-writes unbuffered
- o ftpserver: respond with a 250 to SMTP EHLO
+ o custom memory callbacks failure with HTTP proxy (and more) [16]
- o ssh: do not crash if MD5 fingerprint is not provided by libssh2
+ o TFTP: handle resends
- o winbuild: Added support for building with SPNEGO enabled
+ o autoconf: don't force-disable compiler debug option
- o metalink: Fixed validation of binary files containing EOF
+ o winbuild: Fix PDB file output [17]
- o setup.h: fixed for MS VC10 build [18]
+ o test2032: spurious failure caused by premature termination [18]
- o cmake: use standard findxxx modules for cmake v2.8+
+ o memory leak: CURLOPT_RESOLVE with multi interface [19]
 o HTTP_ONLY: disable more protocols [19]
 o Curl_reconnect_request: clear pointer on failure [20]
 o https.c example: remember to call curl_global_init()
 o metalink: Filter resource URLs by type
 o multi interface: CURLOPT_LOW_SPEED_* fix during rate limitation [21]
 o curl_schannel: Removed buffer limit and optimized buffer strategy
 This release includes the following known bugs:
@@ -65,35 +54,34 @@ This release includes the following known bugs:
 This release would not have looked like this without help, code, reports and
 advice from friends like these:
- Guenter Knauf, Joe Mason, Kamil Dudka, Steve Holme, Anthony G. Basile,
+ Guenter Knauf, Alessandro Ghedini, Nick Zitzmann, Michal Kowalczyk,
- Edward Sheldrake, Jan Koen Annot, Maxime Larocque, Mike Crowe, Anthony Bryan,
+ Jeff Connelly, Oscar Norlander, Guido Berhoerster, Marc Hoersken,
- Nick Zitzmann, Gisle Vanem, Armel Asselin, Dan Fandrich, Dave Reisner,
+ Dave Reisner, Jan Ehrhardt, John Suprock, Alessandro Ghedini,
- Gokhan Sengun, Sara Golemon, Olivier Berger, Marc Hoersken, David Blaikie,
+ Lars Buitinck, Anton Malov, Sergei Nikulov, Patrick Monnerat,
- Alessandro Ghedini, František Kučera, Marcel Raad, Scott Bailey, Ho-chi Chen,
+ Gabriel Sjoberg, Oscar Koeroo, Fabian Keil, Johnny Luong, Cristian Rodríguez,
- Tomas Mlcoch, Jie He, Tatsuhiro Tsujikawa, Sergei Nikulov, Mark Tully
+ Sebastian Rasmussen, Mark Snelling, Christian Vogt, Marcin Adamski,
 Ajit Dhumale, Alex Gruz
        Thanks! (and sorry if I forgot to mention someone)
 References to bug reports and discussions on issues:
- [1] = http://curl.haxx.se/bug/view.cgi?id=3544688
+ [1] = http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=690551
- [2] = http://curl.haxx.se/bug/view.cgi?id=3551460
+ [2] = http://curl.haxx.se/bug/view.cgi?id=3577710
- [3] = http://curl.haxx.se/bug/view.cgi?id=3552997
+ [3] = http://curl.haxx.se/bug/view.cgi?id=3578418
- [4] = http://curl.haxx.se/bug/view.cgi?id=3546353
+ [4] = http://curl.haxx.se/bug/view.cgi?id=3582408
- [5] = http://curl.haxx.se/bug/view.cgi?id=3554668
+ [5] = http://curl.haxx.se/bug/view.cgi?id=3579064
- [6] = https://bugzilla.redhat.com/844385
+ [6] = http://curl.haxx.se/bug/view.cgi?id=3582407
- [7] = http://curl.haxx.se/mail/lib-2012-07/0271.html
+ [7] = http://curl.haxx.se/bug/view.cgi?id=3582321
- [8] = http://curl.haxx.se/mail/lib-2012-07/0310.html
+ [8] = http://curl.haxx.se/bug/view.cgi?id=3581898
- [9] = http://curl.haxx.se/bug/view.cgi?id=3545398
+ [9] = http://curl.haxx.se/bug/view.cgi?id=3579813
- [10] = http://curl.haxx.se/mail/lib-2012-07/0111.html
+ [10] = http://curl.haxx.se/bug/view.cgi?id=3579286
- [11] = http://curl.haxx.se/mail/lib-2012-07/0122.html
+ [11] = http://curl.haxx.se/bug/view.cgi?id=3582718
- [12] = http://daniel.haxx.se/blog/2012/09/03/introducing-curl_multi_wait/
+ [12] = http://daniel.haxx.se/blog/2012/10/25/libcurl-claimed-to-be-dangerous/
- [13] = http://curl.haxx.se/bug/view.cgi?id=3561305
+ [13] = http://curl.haxx.se/bug/view.cgi?id=3578163
- [14] = http://curl.haxx.se/mail/lib-2012-09/0019.html
+ [14] = http://curl.haxx.se/bug/view.cgi?id=3586338
- [15] = http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=685402
+ [15] = https://github.com/bagder/curl/pull/50
- [16] = http://curl.haxx.se/bug/view.cgi?id=3564114
+ [16] = http://curl.haxx.se/mail/lib-2012-11/0125.html
- [17] = http://curl.haxx.se/bug/view.cgi?id=3566860
+ [17] = http://curl.haxx.se/bug/view.cgi?id=3586741
- [18] = http://curl.haxx.se/bug/view.cgi?id=3568327
+ [18] = http://curl.haxx.se/mail/lib-2012-11/0095.html
- [19] = http://curl.haxx.se/mail/lib-2012-09/0127.html
+ [19] = http://curl.haxx.se/bug/view.cgi?id=3575448
 [20] = http://curl.haxx.se/mail/lib-2012-09/0188.html
 [21] = http://curl.haxx.se/mail/lib-2012-09/0081.html
--- a/docs/BUGS
+++ b/docs/BUGS
@@ -35,9 +35,11 @@ BUGS
  have a go at a solution. You can optionally also post your bug/problem at
  curl's bug tracking system over at
-        http://sourceforge.net/bugs/?group_id=976
+        http://sourceforge.net/tracker/?group_id=976&atid=100976
-  (but please read the sections below first before doing that)
+  Please read the rest of this document below first before doing that! Also,
  you need to login to your sourceforge account before being able to submit a
  bug report (necessary evil done to avoid spam).
  If you feel you need to ask around first, find a suitable mailing list and
  post there. The lists are available on http://curl.haxx.se/mail/
--- a/docs/THANKS
+++ b/docs/THANKS
@@ -207,6 +207,7 @@ Dave Reisner
 Dave Vasilevsky
 David Bau
 David Binderman
 David Blaikie
 David Byron
 David Cohen
 David Eriksson
@@ -263,6 +264,7 @@ Early Ehlinger
 Ebenezer Ikonne
 Edin Kadribasic
 Eduard Bloch
 Edward Sheldrake
 Eelco Dolstra
 Eetu Ojanen
 Ellis Pritchard
@@ -302,6 +304,7 @@ Frank McGeough
 Frank Meier
 Frank Ticheler
 Frank Van Uffelen
 František Kučera
 Fred Machado
 Fred New
 Fred Noz
@@ -360,6 +363,7 @@ Henrik Storner
 Henry Ludemann
 Herve Amblard
 Hidemoto Nakada
 Ho-chi Chen
 Hoi-Ho Chan
 Hongli Lai
 Howard Chu
@@ -397,6 +401,7 @@ Jamie Lokier
 Jamie Newton
 Jamie Wilkinson
 Jan Ehrhardt
 Jan Koen Annot
 Jan Kunder
 Jan Schaumann
 Jan Van Boghout
@@ -428,6 +433,7 @@ Jerry Wu
 Jes Badwal
 Jesper Jensen
 Jesse Noller
 Jie He
 Jim Drash
 Jim Freeman
 Jim Hollinger
@@ -435,6 +441,7 @@ Jim Meyering
 Jocelyn Jaubert
 Joe Halpin
 Joe Malicki
 Joe Mason
 Joel Chen
 Jofell Gallardo
 Johan Anderson
@@ -579,6 +586,7 @@ Mark Incley
 Mark Karpeles
 Mark Lentczner
 Mark Salisbury
 Mark Tully
 Markus Duft
 Markus Koetter
 Markus Moeller
@@ -612,6 +620,7 @@ Max Katsev
 Maxim Ivanov
 Maxim Perenesenko
 Maxim Prohorov
 Maxime Larocque
 Mehmet Bozkurt
 Mekonikum
 Mettgut Jamalla
@@ -680,6 +689,7 @@ Ofer
 Olaf Flebbe
 Olaf Stueben
 Olaf Stüben
 Olivier Berger
 Oren Tirosh
 Ori Avtalion
 P R Schaffner
@@ -823,13 +833,16 @@ Sander Gates
 Sandor Feldi
 Santhana Todatry
 Saqib Ali
 Sara Golemon
 Saul good
 Scott Bailey
 Scott Barrett
 Scott Cantor
 Scott Davis
 Scott McCreary
 Sebastien Willemijns
 Senthil Raja Velu
 Sergei Nikulov
 Sergio Ballestrero
 Seshubabu Pasam
 Sh Diao
@@ -913,6 +926,7 @@ Tom Mueller
 Tom Regner
 Tom Wright
 Tom Zerucha
 Tomas Mlcoch
 Tomas Pospisek
 Tomas Szepe
 Tomasz Lacki
--- a/docs/examples/Makefile.am
+++ b/docs/examples/Makefile.am
@@ -34,14 +34,13 @@ EXTRA_DIST = README Makefile.example Makefile.inc Makefile.m32 \
 # $(top_builddir)/include for generated curlbuild.h included from lib/setup.h
 # $(top_srcdir)/include is for libcurl's external include files
-INCLUDES = -I$(top_builddir)/include/curl \
+AM_CPPFLAGS = -I$(top_builddir)/include/curl \
-           -I$(top_builddir)/include      \
+              -I$(top_builddir)/include      \
-           -I$(top_srcdir)/include
+              -I$(top_srcdir)/include \
              -DCURL_NO_OLDIES
 LIBDIR = $(top_builddir)/lib
 AM_CPPFLAGS = -DCURL_NO_OLDIES
 # Mostly for Windows build targets, when using static libcurl
 if USE_CPPFLAG_CURL_STATICLIB
 AM_CPPFLAGS += -DCURL_STATICLIB
--- a/docs/examples/Makefile.inc
+++ b/docs/examples/Makefile.inc
@@ -12,4 +12,4 @@ check_PROGRAMS = 10-at-a-time anyauthput cookie_interface debug fileupload \
 COMPLICATED_EXAMPLES = curlgtk.c curlx.c htmltitle.cc cacertinmem.c	   \
  ftpuploadresume.c ghiper.c hiperfifo.c htmltidy.c multithread.c	   \
  opensslthreadlock.c sampleconv.c synctime.c threaded-ssl.c evhiperfifo.c \
-  smooth-gtk-thread.c version-check.pl
+  smooth-gtk-thread.c version-check.pl href_extractor.c
--- a/docs/examples/evhiperfifo.c
+++ b/docs/examples/evhiperfifo.c
@@ -5,7 +5,7 @@
 *                            | (__| |_| |  _ <| |___
 *                             \___|\___/|_| \_\_____|
 *
- * Copyright (C) 1998 - 2011, Daniel Stenberg, <daniel@haxx.se>, et al.
+ * Copyright (C) 1998 - 2012, Daniel Stenberg, <daniel@haxx.se>, et al.
 *
 * This software is licensed as described in the file COPYING, which
 * you should have received as part of this distribution. The terms
@@ -336,7 +336,7 @@ static void new_conn(char *url, GlobalInfo *g )
  conn->url = strdup(url);
  curl_easy_setopt(conn->easy, CURLOPT_URL, conn->url);
  curl_easy_setopt(conn->easy, CURLOPT_WRITEFUNCTION, write_cb);
-  curl_easy_setopt(conn->easy, CURLOPT_WRITEDATA, &conn);
+  curl_easy_setopt(conn->easy, CURLOPT_WRITEDATA, conn);
  curl_easy_setopt(conn->easy, CURLOPT_VERBOSE, 1L);
  curl_easy_setopt(conn->easy, CURLOPT_ERRORBUFFER, conn->error);
  curl_easy_setopt(conn->easy, CURLOPT_PRIVATE, conn);
--- a/docs/examples/href_extractor.c
+++ b/docs/examples/href_extractor.c
@@ -0,0 +1,86 @@
 /***************************************************************************
 *                                  _   _ ____  _
 *  Project                     ___| | | |  _ \| |
 *                             / __| | | | |_) | |
 *                            | (__| |_| |  _ <| |___
 *                             \___|\___/|_| \_\_____|
 *
 * Copyright (C) 2012, Daniel Stenberg, <daniel@haxx.se>, et al.
 *
 * This software is licensed as described in the file COPYING, which
 * you should have received as part of this distribution. The terms
 * are also available at http://curl.haxx.se/docs/copyright.html.
 *
 * You may opt to use, copy, modify, merge, publish, distribute and/or sell
 * copies of the Software, and permit persons to whom the Software is
 * furnished to do so, under the terms of the COPYING file.
 *
 * This software is distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY
 * KIND, either express or implied.
 *
 ***************************************************************************/
 /*
 * This example uses the "Streaming HTML parser" to extract the href pieces in
 * a streaming manner from a downloaded HTML. Kindly donated by Michał
 * Kowalczyk.
 *
 * The parser is found at
 * http://code.google.com/p/htmlstreamparser/
 */
 #include <stdio.h>
 #include <curl/curl.h>
 #include <htmlstreamparser.h>
 static size_t write_callback(void *buffer, size_t size, size_t nmemb,
                             void *hsp)
 {
  size_t realsize = size * nmemb, p;
  for (p = 0; p < realsize; p++) {
    html_parser_char_parse(hsp, ((char *)buffer)[p]);
    if (html_parser_cmp_tag(hsp, "a", 1))
      if (html_parser_cmp_attr(hsp, "href", 4))
        if (html_parser_is_in(hsp, HTML_VALUE_ENDED)) {
          html_parser_val(hsp)[html_parser_val_length(hsp)] = '\0';
          printf("%s\n", html_parser_val(hsp));
        }
  }
  return realsize;
 }
 int main(int argc, char *argv[])
 {
  char tag[1], attr[4], val[128];
  CURL *curl;
  HTMLSTREAMPARSER *hsp;
  if (argc != 2) {
    printf("Usage: %s URL\n", argv[0]);
    return EXIT_FAILURE;
  }
  curl = curl_easy_init();
  hsp = html_parser_init();
  html_parser_set_tag_to_lower(hsp, 1);
  html_parser_set_attr_to_lower(hsp, 1);
  html_parser_set_tag_buffer(hsp, tag, sizeof(tag));
  html_parser_set_attr_buffer(hsp, attr, sizeof(attr));
  html_parser_set_val_buffer(hsp, val, sizeof(val)-1);
  curl_easy_setopt(curl, CURLOPT_URL, argv[1]);
  curl_easy_setopt(curl, CURLOPT_WRITEFUNCTION, write_callback);
  curl_easy_setopt(curl, CURLOPT_WRITEDATA, hsp);
  curl_easy_setopt(curl, CURLOPT_FOLLOWLOCATION, 1);
  curl_easy_perform(curl);
  curl_easy_cleanup(curl);
  html_parser_cleanup(hsp);
  return EXIT_SUCCESS;
 }
--- a/docs/examples/httpcustomheader.c
+++ b/docs/examples/httpcustomheader.c
@@ -5,7 +5,7 @@
 *                            | (__| |_| |  _ <| |___
 *                             \___|\___/|_| \_\_____|
 *
- * Copyright (C) 1998 - 2011, Daniel Stenberg, <daniel@haxx.se>, et al.
+ * Copyright (C) 1998 - 2012, Daniel Stenberg, <daniel@haxx.se>, et al.
 *
 * This software is licensed as described in the file COPYING, which
 * you should have received as part of this distribution. The terms
@@ -53,6 +53,9 @@ int main(void)
    /* always cleanup */
    curl_easy_cleanup(curl);
    /* free the custom headers */
    curl_slist_free_all(chunk);
  }
  return 0;
 }
--- a/docs/libcurl/curl_easy_setopt.3
+++ b/docs/libcurl/curl_easy_setopt.3
@@ -2323,8 +2323,9 @@ Curl considers the server the intended one when the Common Name field or a
 Subject Alternate Name field in the certificate matches the host name in the
 URL to which you told Curl to connect.
-When the value is 1, the certificate must contain a Common Name field, but it
+When the value is 1, libcurl will return a failure. It was previously (in
-doesn't matter what name it says.  (This is not ordinarily a useful setting).
+7.28.0 and earlier) a debug option of some sorts, but it is no longer
 supported due to frequently leading to programmer mistakes.
 When the value is 0, the connection succeeds regardless of the names in the
 certificate.
--- a/include/curl/curlver.h
+++ b/include/curl/curlver.h
@@ -30,13 +30,13 @@
 /* This is the version number of the libcurl package from which this header
   file origins: */
-#define LIBCURL_VERSION "7.28.0-DEV"
+#define LIBCURL_VERSION "7.28.1-DEV"
 /* The numeric version number is also available "in parts" by using these
   defines: */
 #define LIBCURL_VERSION_MAJOR 7
 #define LIBCURL_VERSION_MINOR 28
-#define LIBCURL_VERSION_PATCH 0
+#define LIBCURL_VERSION_PATCH 1
 /* This is the numeric version of the libcurl version number, meant for easier
   parsing and comparions by programs. The LIBCURL_VERSION_NUM define will
@@ -53,7 +53,7 @@
   and it is always a greater number in a more recent release. It makes
   comparisons with greater than and less than work.
 */
-#define LIBCURL_VERSION_NUM 0x071c00
+#define LIBCURL_VERSION_NUM 0x071c01
 /*
 * This is the date and time when the full source package was created. The
--- a/lib/Makefile.am
+++ b/lib/Makefile.am
@@ -64,23 +64,21 @@ CFLAG_CURL_SYMBOL_HIDING = @CFLAG_CURL_SYMBOL_HIDING@
 # $(top_srcdir)/ares is for in-tree c-ares's external include files
 if USE_EMBEDDED_ARES
-INCLUDES = -I$(top_builddir)/include/curl \
+AM_CPPFLAGS = -I$(top_builddir)/include/curl \
-           -I$(top_builddir)/include      \
+              -I$(top_builddir)/include      \
-           -I$(top_srcdir)/include        \
+              -I$(top_srcdir)/include        \
-           -I$(top_builddir)/lib          \
+              -I$(top_builddir)/lib          \
-           -I$(top_srcdir)/lib            \
+              -I$(top_srcdir)/lib            \
-           -I$(top_builddir)/ares         \
+              -I$(top_builddir)/ares         \
-           -I$(top_srcdir)/ares
+              -I$(top_srcdir)/ares
 else
-INCLUDES = -I$(top_builddir)/include/curl \
+AM_CPPFLAGS = -I$(top_builddir)/include/curl \
-           -I$(top_builddir)/include      \
+              -I$(top_builddir)/include      \
-           -I$(top_srcdir)/include        \
+              -I$(top_srcdir)/include        \
-           -I$(top_builddir)/lib          \
+              -I$(top_builddir)/lib          \
-           -I$(top_srcdir)/lib
+              -I$(top_srcdir)/lib
 endif
 AM_CPPFLAGS =
 # Mostly for Windows build targets, when building libcurl library
 if USE_CPPFLAG_BUILDING_LIBCURL
 AM_CPPFLAGS += -DBUILDING_LIBCURL
@@ -101,9 +99,9 @@ if SONAME_BUMP
 #
 # This conditional soname bump SHOULD be removed at next "proper" bump.
 #
-VERSIONINFO=-version-info 7:0:2
+VERSIONINFO=-version-info 8:0:3
 else
-VERSIONINFO=-version-info 6:0:2
+VERSIONINFO=-version-info 7:0:3
 endif
 # This flag accepts an argument of the form current[:revision[:age]]. So,
--- a/lib/Makefile.inc
+++ b/lib/Makefile.inc
@@ -24,7 +24,7 @@ CSOURCES = file.c timeval.c base64.c hostip.c progress.c formdata.c	\
  idn_win32.c http_negotiate_sspi.c cyassl.c http_proxy.c non-ascii.c	\
  asyn-ares.c asyn-thread.c curl_gssapi.c curl_ntlm.c curl_ntlm_wb.c	\
  curl_ntlm_core.c curl_ntlm_msgs.c curl_sasl.c curl_schannel.c	\
-  curl_multibyte.c curl_darwinssl.c
+  curl_multibyte.c curl_darwinssl.c hostcheck.c
 HHEADERS = arpa_telnet.h netrc.h file.h timeval.h qssl.h hostip.h	\
  progress.h formdata.h cookie.h http.h sendf.h ftp.h url.h dict.h	\
@@ -41,4 +41,5 @@ HHEADERS = arpa_telnet.h netrc.h file.h timeval.h qssl.h hostip.h	\
  warnless.h curl_hmac.h polarssl.h curl_rtmp.h curl_gethostname.h	\
  gopher.h axtls.h cyassl.h http_proxy.h non-ascii.h asyn.h curl_ntlm.h	\
  curl_gssapi.h curl_ntlm_wb.h curl_ntlm_core.h curl_ntlm_msgs.h	\
-  curl_sasl.h curl_schannel.h curl_multibyte.h curl_darwinssl.h
+  curl_sasl.h curl_schannel.h curl_multibyte.h curl_darwinssl.h	\
  hostcheck.h
--- a/lib/Makefile.m32
+++ b/lib/Makefile.m32
@@ -273,8 +273,9 @@ $(libcurl_a_LIBRARY): $(libcurl_a_OBJECTS) $(libcurl_a_DEPENDENCIES)
 $(libcurl_dll_LIBRARY): $(libcurl_a_OBJECTS) $(RESOURCE) $(libcurl_dll_DEPENDENCIES)
 	@$(call DEL, $@)
-	$(CC) $(LDFLAGS) -shared -Wl,--out-implib,$(libcurl_dll_a_LIBRARY) \
+	$(CC) $(LDFLAGS) -shared -o $@ \
-	  -o $@ $(libcurl_a_OBJECTS) $(RESOURCE) $(DLL_LIBS)
+	  -Wl,--output-def,$(@:.dll=.def),--out-implib,$(libcurl_dll_a_LIBRARY) \
 	  $(libcurl_a_OBJECTS) $(RESOURCE) $(DLL_LIBS)
 %.o: %.c $(PROOT)/include/curl/curlbuild.h
 	$(CC) $(INCLUDES) $(CFLAGS) -c $<
@@ -289,7 +290,7 @@ endif
 	@$(call DEL, $(libcurl_a_OBJECTS) $(RESOURCE))
 distclean vclean: clean
-	@$(call DEL, $(libcurl_a_LIBRARY) $(libcurl_dll_LIBRARY) $(libcurl_dll_a_LIBRARY))
+	@$(call DEL, $(libcurl_a_LIBRARY) $(libcurl_dll_LIBRARY) $(libcurl_dll_LIBRARY:.dll=.def) $(libcurl_dll_a_LIBRARY))
 $(PROOT)/include/curl/curlbuild.h:
 	@echo Creating $@
--- a/lib/asyn-ares.c
+++ b/lib/asyn-ares.c
@@ -5,7 +5,7 @@
 *                            | (__| |_| |  _ <| |___
 *                             \___|\___/|_| \_\_____|
 *
- * Copyright (C) 1998 - 2011, Daniel Stenberg, <daniel@haxx.se>, et al.
+ * Copyright (C) 1998 - 2012, Daniel Stenberg, <daniel@haxx.se>, et al.
 *
 * This software is licensed as described in the file COPYING, which
 * you should have received as part of this distribution. The terms
@@ -83,6 +83,8 @@
 #    define CARES_STATICLIB
 #  endif
 #  include <ares.h>
 #  include <ares_version.h> /* really old c-ares didn't include this by
                               itself */
 #if ARES_VERSION >= 0x010500
 /* c-ares 1.5.0 or later, the callback proto is modified */
--- a/lib/axtls.c
+++ b/lib/axtls.c
@@ -47,6 +47,8 @@
 #include "curl_memory.h"
 /* The last #include file should be: */
 #include "memdebug.h"
 #include "hostcheck.h"
 /* SSL_read is opied from axTLS compat layer */
 static int SSL_read(SSL *ssl, void *buf, int num)
@@ -150,7 +152,11 @@ Curl_axtls_connect(struct connectdata *conn,
  int i, ssl_fcn_return;
  const uint8_t *ssl_sessionid;
  size_t ssl_idsize;
-  const char *x509;
+  const char *peer_CN;
  uint32_t dns_altname_index;
  const char *dns_altname;
  int8_t found_subject_alt_names = 0;
  int8_t found_subject_alt_name_matching_conn = 0;
  /* Assuming users will not compile in custom key/cert to axTLS */
  uint32_t client_option = SSL_NO_DEFAULT_KEY|SSL_SERVER_VERIFY_LATER;
@@ -296,19 +302,65 @@ Curl_axtls_connect(struct connectdata *conn,
  /* Here, gtls.c does issuer verification. axTLS has no straightforward
   * equivalent, so omitting for now.*/
  /* See if common name was set in server certificate */
  x509 = ssl_get_cert_dn(ssl, SSL_X509_CERT_COMMON_NAME);
  if(x509 == NULL)
    infof(data, "error fetching CN from cert\n");
  /* Here, gtls.c does the following
   * 1) x509 hostname checking per RFC2818.  axTLS doesn't support this, but
-   *    it seems useful.  Omitting for now.
+   *    it seems useful. This is now implemented, by Oscar Koeroo
   * 2) checks cert validity based on time.  axTLS does this in ssl_verify_cert
   * 3) displays a bunch of cert information.  axTLS doesn't support most of
   *    this, but a couple fields are available.
   */
  /* There is no (DNS) Altnames count in the version 1.4.8 API. There is a
     risk of an inifite loop */
  for(dns_altname_index = 0; ; dns_altname_index++) {
    dns_altname = ssl_get_cert_subject_alt_dnsname(ssl, dns_altname_index);
    if(dns_altname == NULL) {
      break;
    }
    found_subject_alt_names = 1;
    infof(data, "\tComparing subject alt name DNS with hostname: %s <-> %s\n",
          dns_altname, conn->host.name);
    if(Curl_cert_hostcheck(dns_altname, conn->host.name)) {
      found_subject_alt_name_matching_conn = 1;
      break;
    }
  }
  /* RFC2818 checks */
  if(found_subject_alt_names && !found_subject_alt_name_matching_conn) {
    /* Break connection ! */
    Curl_axtls_close(conn, sockindex);
    failf(data, "\tsubjectAltName(s) do not match %s\n", conn->host.dispname);
    return CURLE_PEER_FAILED_VERIFICATION;
  }
  else if(found_subject_alt_names == 0) {
    /* Per RFC2818, when no Subject Alt Names were available, examine the peer
       CN as a legacy fallback */
    peer_CN = ssl_get_cert_dn(ssl, SSL_X509_CERT_COMMON_NAME);
    if(peer_CN == NULL) {
      /* Similar behaviour to the OpenSSL interface */
      Curl_axtls_close(conn, sockindex);
      failf(data, "unable to obtain common name from peer certificate");
      return CURLE_PEER_FAILED_VERIFICATION;
    }
    else {
      if(!Curl_cert_hostcheck((const char *)peer_CN, conn->host.name)) {
        if(data->set.ssl.verifyhost) {
          /* Break connection ! */
          Curl_axtls_close(conn, sockindex);
          failf(data, "\tcommon name \"%s\" does not match \"%s\"\n",
                peer_CN, conn->host.dispname);
          return CURLE_PEER_FAILED_VERIFICATION;
        }
        else
          infof(data, "\tcommon name \"%s\" does not match \"%s\"\n",
                peer_CN, conn->host.dispname);
      }
    }
  }
  /* General housekeeping */
  conn->ssl[sockindex].state = ssl_connection_complete;
  conn->ssl[sockindex].ssl = ssl;
--- a/lib/connect.c
+++ b/lib/connect.c
@@ -1101,7 +1101,9 @@ CURLcode Curl_connecthost(struct connectdata *conn,  /* context */
  if(sockfd == CURL_SOCKET_BAD) {
    /* no good connect was made */
-    failf(data, "couldn't connect to host");
+    failf(data, "couldn't connect to %s at %s:%d",
          conn->bits.proxy?"proxy":"host",
          conn->bits.proxy?conn->proxy.name:conn->host.name, conn->port);
    return CURLE_COULDNT_CONNECT;
  }
--- a/lib/curl_darwinssl.c
+++ b/lib/curl_darwinssl.c
@@ -266,6 +266,44 @@ CF_INLINE const char *SSLCipherNameForNumber(SSLCipherSuite cipher) {
    case SSL_FORTEZZA_DMS_WITH_FORTEZZA_CBC_SHA:
      return "SSL_FORTEZZA_DMS_WITH_FORTEZZA_CBC_SHA";
      break;
    /* TLS 1.0 with AES (RFC 3268)
       (Apparently these are used in SSLv3 implementations as well.) */
    case TLS_RSA_WITH_AES_128_CBC_SHA:
      return "TLS_RSA_WITH_AES_128_CBC_SHA";
      break;
    case TLS_DH_DSS_WITH_AES_128_CBC_SHA:
      return "TLS_DH_DSS_WITH_AES_128_CBC_SHA";
      break;
    case TLS_DH_RSA_WITH_AES_128_CBC_SHA:
      return "TLS_DH_RSA_WITH_AES_128_CBC_SHA";
      break;
    case TLS_DHE_DSS_WITH_AES_128_CBC_SHA:
      return "TLS_DHE_DSS_WITH_AES_128_CBC_SHA";
      break;
    case TLS_DHE_RSA_WITH_AES_128_CBC_SHA:
      return "TLS_DHE_RSA_WITH_AES_128_CBC_SHA";
      break;
    case TLS_DH_anon_WITH_AES_128_CBC_SHA:
      return "TLS_DH_anon_WITH_AES_128_CBC_SHA";
      break;
    case TLS_RSA_WITH_AES_256_CBC_SHA:
      return "TLS_RSA_WITH_AES_256_CBC_SHA";
      break;
    case TLS_DH_DSS_WITH_AES_256_CBC_SHA:
      return "TLS_DH_DSS_WITH_AES_256_CBC_SHA";
      break;
    case TLS_DH_RSA_WITH_AES_256_CBC_SHA:
      return "TLS_DH_RSA_WITH_AES_256_CBC_SHA";
      break;
    case TLS_DHE_DSS_WITH_AES_256_CBC_SHA:
      return "TLS_DHE_DSS_WITH_AES_256_CBC_SHA";
      break;
    case TLS_DHE_RSA_WITH_AES_256_CBC_SHA:
      return "TLS_DHE_RSA_WITH_AES_256_CBC_SHA";
      break;
    case TLS_DH_anon_WITH_AES_256_CBC_SHA:
      return "TLS_DH_anon_WITH_AES_256_CBC_SHA";
      break;
    /* SSL version 2.0 */
    case SSL_RSA_WITH_RC2_CBC_MD5:
      return "SSL_RSA_WITH_RC2_CBC_MD5";
@@ -594,7 +632,6 @@ static CURLcode darwinssl_connect_step1(struct connectdata *conn,
  struct SessionHandle *data = conn->data;
  curl_socket_t sockfd = conn->sock[sockindex];
  struct ssl_connect_data *connssl = &conn->ssl[sockindex];
  bool sni = true;
 #ifdef ENABLE_IPV6
  struct in6_addr addr;
 #else
@@ -614,7 +651,8 @@ static CURLcode darwinssl_connect_step1(struct connectdata *conn,
    }
  }
  else {
-#if TARGET_OS_EMBEDDED == 0 /* the older API does not exist on iOS */
+  /* The old ST API does not exist under iOS, so don't compile it: */
 #if (TARGET_OS_MAC && !(TARGET_OS_EMBEDDED || TARGET_OS_IPHONE))
    if(connssl->ssl_ctx)
      (void)SSLDisposeContext(connssl->ssl_ctx);
    err = SSLNewContext(false, &(connssl->ssl_ctx));
@@ -622,7 +660,7 @@ static CURLcode darwinssl_connect_step1(struct connectdata *conn,
      failf(data, "SSL: couldn't create a context: OSStatus %d", err);
      return CURLE_OUT_OF_MEMORY;
    }
-#endif /* TARGET_OS_EMBEDDED == 0 */
+#endif /* (TARGET_OS_MAC && !(TARGET_OS_EMBEDDED || TARGET_OS_IPHONE)) */
  }
 #else
  if(connssl->ssl_ctx)
@@ -656,7 +694,7 @@ static CURLcode darwinssl_connect_step1(struct connectdata *conn,
    }
  }
  else {
-#if TARGET_OS_EMBEDDED == 0
+#if (TARGET_OS_MAC && !(TARGET_OS_EMBEDDED || TARGET_OS_IPHONE))
    (void)SSLSetProtocolVersionEnabled(connssl->ssl_ctx,
                                       kSSLProtocolAll,
                                       false);
@@ -697,7 +735,7 @@ static CURLcode darwinssl_connect_step1(struct connectdata *conn,
                                           true);
        break;
    }
-#endif  /* TARGET_OS_EMBEDDED == 0 */
+#endif  /* (TARGET_OS_MAC && !(TARGET_OS_EMBEDDED || TARGET_OS_IPHONE)) */
  }
 #else
  (void)SSLSetProtocolVersionEnabled(connssl->ssl_ctx, kSSLProtocolAll, false);
@@ -747,14 +785,14 @@ static CURLcode darwinssl_connect_step1(struct connectdata *conn,
    }
  }
  else {
-#if TARGET_OS_EMBEDDED == 0
+#if (TARGET_OS_MAC && !(TARGET_OS_EMBEDDED || TARGET_OS_IPHONE))
    err = SSLSetEnableCertVerify(connssl->ssl_ctx,
                                 data->set.ssl.verifypeer?true:false);
    if(err != noErr) {
      failf(data, "SSL: SSLSetEnableCertVerify() failed: OSStatus %d", err);
      return CURLE_SSL_CONNECT_ERROR;
    }
-#endif /* TARGET_OS_EMBEDDED == 0 */
+#endif /* (TARGET_OS_MAC && !(TARGET_OS_EMBEDDED || TARGET_OS_IPHONE)) */
  }
 #else
  err = SSLSetEnableCertVerify(connssl->ssl_ctx,
@@ -765,12 +803,14 @@ static CURLcode darwinssl_connect_step1(struct connectdata *conn,
  }
 #endif /* defined(__MAC_10_6) || defined(__IPHONE_5_0) */
  /* If this is a domain name and not an IP address, then configure SNI.
   * Also: the verifyhost setting influences SNI usage */
  /* If this is a domain name and not an IP address, then configure SNI: */
  if((0 == Curl_inet_pton(AF_INET, conn->host.name, &addr)) &&
 #ifdef ENABLE_IPV6
     (0 == Curl_inet_pton(AF_INET6, conn->host.name, &addr)) &&
 #endif
-     sni) {
+     data->set.ssl.verifyhost) {
    err = SSLSetPeerDomainName(connssl->ssl_ctx, conn->host.name,
                               strlen(conn->host.name));
    if(err != noErr) {
@@ -824,7 +864,6 @@ darwinssl_connect_step2(struct connectdata *conn, int sockindex)
        connssl->connecting_state = connssl->ssl_direction ?
            ssl_connect_2_writing : ssl_connect_2_reading;
        return CURLE_OK;
        break;
      case errSSLServerAuthCompleted:
        /* the documentation says we need to call SSLHandshake() again */
@@ -836,13 +875,16 @@ darwinssl_connect_step2(struct connectdata *conn, int sockindex)
      case errSSLCertExpired:
        failf(data, "SSL certificate problem: OSStatus %d", err);
        return CURLE_SSL_CACERT;
-        break;
+
      case errSSLHostNameMismatch:
        failf(data, "SSL certificate peer verification failed, the "
              "certificate did not match \"%s\"\n", conn->host.dispname);
        return CURLE_PEER_FAILED_VERIFICATION;
      default:
        failf(data, "Unknown SSL protocol error in connection to %s:%d",
              conn->host.name, err);
        return CURLE_SSL_CONNECT_ERROR;
        break;
    }
  }
  else {
@@ -902,6 +944,32 @@ darwinssl_connect_step3(struct connectdata *conn,
   * Well, okay, if verbose mode is on, let's print the details of the
   * server certificates. */
 #if defined(__MAC_10_7) || defined(__IPHONE_5_0)
 #if (TARGET_OS_EMBEDDED || TARGET_OS_IPHONE)
 #pragma unused(server_certs)
  err = SSLCopyPeerTrust(connssl->ssl_ctx, &trust);
  if(err == noErr) {
    count = SecTrustGetCertificateCount(trust);
    for(i = 0L ; i < count ; i++) {
      server_cert = SecTrustGetCertificateAtIndex(trust, i);
      server_cert_summary = SecCertificateCopySubjectSummary(server_cert);
      memset(server_cert_summary_c, 0, 128);
      if(CFStringGetCString(server_cert_summary,
                            server_cert_summary_c,
                            128,
                            kCFStringEncodingUTF8)) {
        infof(data, "Server certificate: %s\n", server_cert_summary_c);
      }
      CFRelease(server_cert_summary);
    }
    CFRelease(trust);
  }
 #else
  /* SSLCopyPeerCertificates() is deprecated as of Mountain Lion.
     The function SecTrustGetCertificateAtIndex() is officially present
     in Lion, but it is unfortunately also present in Snow Leopard as
     private API and doesn't work as expected. So we have to look for
     a different symbol to make sure this code is only executed under
     Lion or later. */
  if(SecTrustEvaluateAsync != NULL) {
 #pragma unused(server_certs)
    err = SSLCopyPeerTrust(connssl->ssl_ctx, &trust);
@@ -909,7 +977,8 @@ darwinssl_connect_step3(struct connectdata *conn,
      count = SecTrustGetCertificateCount(trust);
      for(i = 0L ; i < count ; i++) {
        server_cert = SecTrustGetCertificateAtIndex(trust, i);
-        server_cert_summary = SecCertificateCopySubjectSummary(server_cert);
+        server_cert_summary =
          SecCertificateCopyLongDescription(NULL, server_cert, NULL);
        memset(server_cert_summary_c, 0, 128);
        if(CFStringGetCString(server_cert_summary,
                              server_cert_summary_c,
@@ -923,7 +992,6 @@ darwinssl_connect_step3(struct connectdata *conn,
    }
  }
  else {
 #if TARGET_OS_EMBEDDED == 0
    err = SSLCopyPeerCertificates(connssl->ssl_ctx, &server_certs);
    if(err == noErr) {
      count = CFArrayGetCount(server_certs);
@@ -943,8 +1011,8 @@ darwinssl_connect_step3(struct connectdata *conn,
      }
      CFRelease(server_certs);
    }
 #endif /* TARGET_OS_EMBEDDED == 0 */
  }
 #endif /* (TARGET_OS_EMBEDDED || TARGET_OS_IPHONE) */
 #else
 #pragma unused(trust)
  err = SSLCopyPeerCertificates(connssl->ssl_ctx, &server_certs);
@@ -1120,10 +1188,10 @@ void Curl_darwinssl_close(struct connectdata *conn, int sockindex)
 #if defined(__MAC_10_8) || defined(__IPHONE_5_0)
    if(SSLCreateContext != NULL)
      CFRelease(connssl->ssl_ctx);
-#if TARGET_OS_EMBEDDED == 0
+#if (TARGET_OS_MAC && !(TARGET_OS_EMBEDDED || TARGET_OS_IPHONE))
    else
      (void)SSLDisposeContext(connssl->ssl_ctx);
-#endif  /* TARGET_OS_EMBEDDED == 0 */
+#endif  /* (TARGET_OS_MAC && !(TARGET_OS_EMBEDDED || TARGET_OS_IPHONE)) */
 #else
    (void)SSLDisposeContext(connssl->ssl_ctx);
 #endif /* defined(__MAC_10_8) || defined(__IPHONE_5_0) */
@@ -1311,6 +1379,11 @@ static ssize_t darwinssl_recv(struct connectdata *conn,
        return -1;
        break;
      case errSSLClosedGraceful: /* they're done; fail gracefully */
        *curlcode = CURLE_OK;
        return -1;
        break;
      default:
        failf(conn->data, "SSLRead() return error %d", err);
        *curlcode = CURLE_RECV_ERROR;
--- a/lib/curl_schannel.c
+++ b/lib/curl_schannel.c
@@ -156,14 +156,22 @@ schannel_connect_step1(struct connectdata *conn, int sockindex)
      infof(data, "schannel: disable server certificate revocation checks\n");
    }
-    if(Curl_inet_pton(AF_INET, conn->host.name, &addr) ||
+    if(Curl_inet_pton(AF_INET, conn->host.name, &addr)
 #ifdef ENABLE_IPV6
-       Curl_inet_pton(AF_INET6, conn->host.name, &addr6) ||
+       || Curl_inet_pton(AF_INET6, conn->host.name, &addr6)
 #endif
-       data->set.ssl.verifyhost < 2) {
+      ) {
      schannel_cred.dwFlags |= SCH_CRED_NO_SERVERNAME_CHECK;
-      infof(data, "schannel: using IP address, disable SNI servername "
+      infof(data, "schannel: using IP address, SNI is being disabled by "
-            "check\n");
+                  "disabling the servername check against the "
                  "subject names in server certificates.\n");
    }
    if(!data->set.ssl.verifyhost) {
      schannel_cred.dwFlags |= SCH_CRED_NO_SERVERNAME_CHECK;
      infof(data, "schannel: verifyhost setting prevents Schannel from "
                  "comparing the supplied target name with the subject "
                  "names in server certificates. Also disables SNI.\n");
    }
    switch(data->set.ssl.version) {
@@ -1238,10 +1246,7 @@ static CURLcode verify_certificate(struct connectdata *conn, int sockindex)
  }
  if(result == CURLE_OK) {
-    if(data->set.ssl.verifyhost == 1) {
+    if(data->set.ssl.verifyhost) {
      infof(data, "warning: ignoring unsupported value (1) ssl.verifyhost\n");
    }
    else if(data->set.ssl.verifyhost == 2) {
      TCHAR cert_hostname_buff[128];
      xcharp_u hostname;
      xcharp_u cert_hostname;
--- a/lib/cyassl.c
+++ b/lib/cyassl.c
@@ -53,6 +53,8 @@
 #include "curl_memory.h"
 /* The last #include file should be: */
 #include "memdebug.h"
 #include <cyassl/ssl.h>
 #include <cyassl/error.h>
 static Curl_recv cyassl_recv;
@@ -237,6 +239,13 @@ cyassl_connect_step2(struct connectdata *conn,
  conn->recv[sockindex] = cyassl_recv;
  conn->send[sockindex] = cyassl_send;
  /* Enable RFC2818 checks */
  if(data->set.ssl.verifyhost) {
    ret = CyaSSL_check_domain_name(conssl->handle, conn->host.name);
    if(ret == SSL_FAILURE)
      return CURLE_OUT_OF_MEMORY;
  }
  ret = SSL_connect(conssl->handle);
  if(ret != 1) {
    char error_buffer[80];
@@ -246,15 +255,43 @@ cyassl_connect_step2(struct connectdata *conn,
      conssl->connecting_state = ssl_connect_2_reading;
      return CURLE_OK;
    }
-
+    else if(SSL_ERROR_WANT_WRITE == detail) {
    if(SSL_ERROR_WANT_WRITE == detail) {
      conssl->connecting_state = ssl_connect_2_writing;
      return CURLE_OK;
    }
-
+    /* There is no easy way to override only the CN matching.
-    failf(data, "SSL_connect failed with error %d: %s", detail,
+     * This will enable the override of both mismatching SubjectAltNames
     * as also mismatching CN fields */
    else if(DOMAIN_NAME_MISMATCH == detail) {
 #if 1
      failf(data, "\tsubject alt name(s) or common name do not match \"%s\"\n",
            conn->host.dispname);
      return CURLE_PEER_FAILED_VERIFICATION;
 #else
      /* When the CyaSSL_check_domain_name() is used and you desire to continue
       * on a DOMAIN_NAME_MISMATCH, i.e. 'data->set.ssl.verifyhost == 0',
       * CyaSSL version 2.4.0 will fail with an INCOMPLETE_DATA error. The only
       * way to do this is currently to switch the CyaSSL_check_domain_name()
       * in and out based on the 'data->set.ssl.verifyhost' value. */
      if(data->set.ssl.verifyhost) {
        failf(data,
              "\tsubject alt name(s) or common name do not match \"%s\"\n",
              conn->host.dispname);
        return CURLE_PEER_FAILED_VERIFICATION;
      }
      else {
        infof(data,
              "\tsubject alt name(s) and/or common name do not match \"%s\"\n",
              conn->host.dispname);
        return CURLE_OK;
      }
 #endif
    }
    else {
      failf(data, "SSL_connect failed with error %d: %s", detail,
          ERR_error_string(detail, error_buffer));
-    return CURLE_SSL_CONNECT_ERROR;
+      return CURLE_SSL_CONNECT_ERROR;
    }
  }
  conssl->connecting_state = ssl_connect_3;
--- a/lib/dict.c
+++ b/lib/dict.c
@@ -67,10 +67,10 @@
 #define _MPRINTF_REPLACE /* use our functions only */
 #include <curl/mprintf.h>
 #include "curl_memory.h"
 /* The last #include file should be: */
 #include "memdebug.h"
 /*
 * Forward declarations.
 */
--- a/lib/file.c
+++ b/lib/file.c
@@ -5,7 +5,7 @@
 *                            | (__| |_| |  _ <| |___
 *                             \___|\___/|_| \_\_____|
 *
- * Copyright (C) 1998 - 2011, Daniel Stenberg, <daniel@haxx.se>, et al.
+ * Copyright (C) 1998 - 2012, Daniel Stenberg, <daniel@haxx.se>, et al.
 *
 * This software is licensed as described in the file COPYING, which
 * you should have received as part of this distribution. The terms
@@ -310,7 +310,8 @@ static CURLcode file_upload(struct connectdata *conn)
 {
  struct FILEPROTO *file = conn->data->state.proto.file;
  const char *dir = strchr(file->path, DIRSEP);
-  FILE *fp;
+  int fd;
  int mode;
  CURLcode res=CURLE_OK;
  struct SessionHandle *data = conn->data;
  char *buf = data->state.buffer;
@@ -333,33 +334,21 @@ static CURLcode file_upload(struct connectdata *conn)
    return CURLE_FILE_COULDNT_READ_FILE; /* fix: better error code */
  if(!dir[1])
-     return CURLE_FILE_COULDNT_READ_FILE; /* fix: better error code */
+    return CURLE_FILE_COULDNT_READ_FILE; /* fix: better error code */
 #ifdef O_BINARY
 #define MODE_DEFAULT O_WRONLY|O_CREAT|O_BINARY
 #else
 #define MODE_DEFAULT O_WRONLY|O_CREAT
 #endif
  if(data->state.resume_from)
-    fp = fopen( file->path, "ab" );
+    mode = MODE_DEFAULT|O_APPEND;
-  else {
+  else
-    int fd;
+    mode = MODE_DEFAULT|O_TRUNC;
-#ifdef DOS_FILESYSTEM
+  fd = open(file->path, mode, conn->data->set.new_file_perms);
-    fd = open(file->path, O_WRONLY|O_CREAT|O_TRUNC|O_BINARY,
+  if(fd < 0) {
              conn->data->set.new_file_perms);
 #else
    fd = open(file->path, O_WRONLY|O_CREAT|O_TRUNC,
              conn->data->set.new_file_perms);
 #endif
    if(fd < 0) {
      failf(data, "Can't open %s for writing", file->path);
      return CURLE_WRITE_ERROR;
    }
 #ifdef HAVE_FDOPEN
    fp = fdopen(fd, "wb");
 #else
    close(fd);
    fp = fopen(file->path, "wb");
 #endif
  }
  if(!fp) {
    failf(data, "Can't open %s for writing", file->path);
    return CURLE_WRITE_ERROR;
  }
@@ -370,8 +359,8 @@ static CURLcode file_upload(struct connectdata *conn)
  /* treat the negative resume offset value as the case of "-" */
  if(data->state.resume_from < 0) {
-    if(fstat(fileno(fp), &file_stat)) {
+    if(fstat(fd, &file_stat)) {
-      fclose(fp);
+      close(fd);
      failf(data, "Can't get the size of %s", file->path);
      return CURLE_WRITE_ERROR;
    }
@@ -407,7 +396,7 @@ static CURLcode file_upload(struct connectdata *conn)
      buf2 = buf;
    /* write the data to the target */
-    nwrite = fwrite(buf2, 1, nread, fp);
+    nwrite = write(fd, buf2, nread);
    if(nwrite != nread) {
      res = CURLE_SEND_ERROR;
      break;
@@ -425,7 +414,7 @@ static CURLcode file_upload(struct connectdata *conn)
  if(!res && Curl_pgrsUpdate(conn))
    res = CURLE_ABORTED_BY_CALLBACK;
-  fclose(fp);
+  close(fd);
  return res;
 }
--- a/lib/ftp.c
+++ b/lib/ftp.c
@@ -632,8 +632,8 @@ static CURLcode ftp_readresp(curl_socket_t sockfd,
                             size_t *size) /* size of the response */
 {
  struct connectdata *conn = pp->conn;
 #if defined(HAVE_KRB4) || defined(HAVE_GSSAPI)
  struct SessionHandle *data = conn->data;
 #if defined(HAVE_KRB4) || defined(HAVE_GSSAPI)
  char * const buf = data->state.buffer;
 #endif
  CURLcode result = CURLE_OK;
@@ -661,16 +661,23 @@ static CURLcode ftp_readresp(curl_socket_t sockfd,
 #endif
  /* store the latest code for later retrieval */
-  conn->data->info.httpcode=code;
+  data->info.httpcode=code;
  if(ftpcode)
    *ftpcode = code;
-  if(421 == code)
+  if(421 == code) {
    /* 421 means "Service not available, closing control connection." and FTP
     * servers use it to signal that idle session timeout has been exceeded.
-     * If we ignored the response, it could end up hanging in some cases. */
+     * If we ignored the response, it could end up hanging in some cases.
     *
     * This response code can come at any point so having it treated
     * generically is a good idea.
     */
    infof(data, "We got a 421 - timeout!\n");
    state(conn, FTP_STOP);
    return CURLE_OPERATION_TIMEDOUT;
  }
  return result;
 }
@@ -1793,6 +1800,23 @@ static CURLcode ftp_state_quote(struct connectdata *conn,
  return result;
 }
 /* called from ftp_state_pasv_resp to switch to PASV in case of EPSV
   problems */
 static CURLcode ftp_epsv_disable(struct connectdata *conn)
 {
  CURLcode result = CURLE_OK;
  infof(conn->data, "got positive EPSV response, but can't connect. "
        "Disabling EPSV\n");
  /* disable it for next transfer */
  conn->bits.ftp_use_epsv = FALSE;
  conn->data->state.errorbuf = FALSE; /* allow error message to get
                                         rewritten */
  PPSENDF(&conn->proto.ftpc.pp, "PASV", NULL);
  conn->proto.ftpc.count1++;
  /* remain in the FTP_PASV state */
  return result;
 }
 static CURLcode ftp_state_pasv_resp(struct connectdata *conn,
                                    int ftpcode)
 {
@@ -1975,20 +1999,12 @@ static CURLcode ftp_state_pasv_resp(struct connectdata *conn,
  Curl_resolv_unlock(data, addr); /* we're done using this address */
-  if(result && ftpc->count1 == 0 && ftpcode == 229) {
+  if(result) {
-    infof(data, "got positive EPSV response, but can't connect. "
+    if(ftpc->count1 == 0 && ftpcode == 229)
-          "Disabling EPSV\n");
+      return ftp_epsv_disable(conn);
    /* disable it for next transfer */
    conn->bits.ftp_use_epsv = FALSE;
    data->state.errorbuf = FALSE; /* allow error message to get rewritten */
    PPSENDF(&ftpc->pp, "PASV", NULL);
    ftpc->count1++;
    /* remain in the FTP_PASV state */
    return result;
 }
  if(result)
    return result;
  }
  conn->bits.tcpconnect[SECONDARYSOCKET] = connected;
@@ -2028,8 +2044,11 @@ static CURLcode ftp_state_pasv_resp(struct connectdata *conn,
    break;
  }
-  if(result)
+  if(result) {
    if(ftpc->count1 == 0 && ftpcode == 229)
      return ftp_epsv_disable(conn);
    return result;
  }
  if(conn->bits.tunnel_proxy && conn->bits.httpproxy) {
    /* FIX: this MUST wait for a proper connect first if 'connected' is
@@ -2394,6 +2413,7 @@ static CURLcode ftp_state_stor_resp(struct connectdata *conn,
  if(ftpcode>=400) {
    failf(data, "Failed FTP upload: %0d", ftpcode);
    state(conn, FTP_STOP);
    /* oops, we never close the sockets! */
    return CURLE_UPLOAD_FAILED;
  }
@@ -2411,9 +2431,6 @@ static CURLcode ftp_state_stor_resp(struct connectdata *conn,
    if(!connected) {
      struct ftp_conn *ftpc = &conn->proto.ftpc;
      infof(data, "Data conn was not available immediately\n");
      /* as there's not necessarily an immediate action on the control
         connection now, we halt the state machine */
      state(conn, FTP_STOP);
      ftpc->wait_data_conn = TRUE;
    }
@@ -3663,6 +3680,8 @@ static CURLcode ftp_do_more(struct connectdata *conn, bool *complete)
  /* the ftp struct is inited in ftp_connect() */
  struct FTP *ftp = data->state.proto.ftp;
  *complete = FALSE;
  /* if the second connection isn't done yet, wait for it */
  if(!conn->bits.tcpconnect[SECONDARYSOCKET]) {
    result = Curl_is_connected(conn, SECONDARYSOCKET, &connected);
@@ -3675,6 +3694,18 @@ static CURLcode ftp_do_more(struct connectdata *conn, bool *complete)
      return result;
  }
  if((data->state.used_interface == Curl_if_multi) &&
     ftpc->state) {
    /* multi interface and already in a state so skip the intial commands.
       They are only done to kickstart the do_more state */
    result = ftp_multi_statemach(conn, complete);
    /* if we got an error or if we don't wait for a data connection return
       immediately */
    if(result || (ftpc->wait_data_conn != TRUE))
      return result;
  }
  if(ftp->transfer <= FTPTRANSFER_INFO) {
    /* a transfer is about to take place, or if not a file name was given
       so we'll do a SIZE on it later and then we need the right TYPE first */
@@ -3728,7 +3759,13 @@ static CURLcode ftp_do_more(struct connectdata *conn, bool *complete)
          return result;
      }
    }
-    result = ftp_easy_statemach(conn);
+    if(data->state.used_interface == Curl_if_multi) {
      result = ftp_multi_statemach(conn, complete);
      return result;
    }
    else
      result = ftp_easy_statemach(conn);
  }
  if((result == CURLE_OK) && (ftp->transfer != FTPTRANSFER_BODY))
@@ -4402,20 +4439,21 @@ CURLcode ftp_parse_url_path(struct connectdata *conn)
 static CURLcode ftp_dophase_done(struct connectdata *conn,
                                 bool connected)
 {
  CURLcode result = CURLE_OK;
  struct FTP *ftp = conn->data->state.proto.ftp;
  struct ftp_conn *ftpc = &conn->proto.ftpc;
  if(connected) {
    bool completed;
-    result = ftp_do_more(conn, &completed);
+    CURLcode result = ftp_do_more(conn, &completed);
  }
-  if(result && (conn->sock[SECONDARYSOCKET] != CURL_SOCKET_BAD)) {
+    if(result) {
-    /* Failure detected, close the second socket if it was created already */
+      if(conn->sock[SECONDARYSOCKET] != CURL_SOCKET_BAD) {
-    Curl_closesocket(conn, conn->sock[SECONDARYSOCKET]);
+        /* close the second socket if it was created already */
-    conn->sock[SECONDARYSOCKET] = CURL_SOCKET_BAD;
+        Curl_closesocket(conn, conn->sock[SECONDARYSOCKET]);
-    return result;
+        conn->sock[SECONDARYSOCKET] = CURL_SOCKET_BAD;
      }
      return result;
    }
  }
  if(ftp->transfer != FTPTRANSFER_BODY)
@@ -4427,7 +4465,7 @@ static CURLcode ftp_dophase_done(struct connectdata *conn,
  ftpc->ctl_valid = TRUE; /* seems good */
-  return result;
+  return CURLE_OK;
 }
 /* called from multi.c while DOing */
--- a/lib/gopher.c
+++ b/lib/gopher.c
@@ -5,7 +5,7 @@
 *                            | (__| |_| |  _ <| |___
 *                             \___|\___/|_| \_\_____|
 *
- * Copyright (C) 1998 - 2011, Daniel Stenberg, <daniel@haxx.se>, et al.
+ * Copyright (C) 1998 - 2012, Daniel Stenberg, <daniel@haxx.se>, et al.
 *
 * This software is licensed as described in the file COPYING, which
 * you should have received as part of this distribution. The terms
@@ -70,10 +70,10 @@
 #define _MPRINTF_REPLACE /* use our functions only */
 #include <curl/mprintf.h>
 #include "curl_memory.h"
 /* The last #include file should be: */
 #include "memdebug.h"
 /*
 * Forward declarations.
 */
--- a/lib/gtls.c
+++ b/lib/gtls.c
@@ -299,14 +299,35 @@ static CURLcode handshake(struct connectdata *conn,
      connssl->connecting_state =
        gnutls_record_get_direction(session)?
        ssl_connect_2_writing:ssl_connect_2_reading;
      continue;
      if(nonblocking)
        return CURLE_OK;
    }
-    else if((rc < 0) && gnutls_error_is_fatal(rc)) {
+    else if((rc < 0) && !gnutls_error_is_fatal(rc)) {
-      failf(data, "gnutls_handshake() warning: %s", gnutls_strerror(rc));
+      const char *strerr = NULL;
      if(rc == GNUTLS_E_WARNING_ALERT_RECEIVED) {
        int alert = gnutls_alert_get(session);
        strerr = gnutls_alert_get_name(alert);
      }
      if(strerr == NULL)
        strerr = gnutls_strerror(rc);
      failf(data, "gnutls_handshake() warning: %s", strerr);
    }
    else if(rc < 0) {
-      failf(data, "gnutls_handshake() failed: %s", gnutls_strerror(rc));
+      const char *strerr = NULL;
      if(rc == GNUTLS_E_FATAL_ALERT_RECEIVED) {
        int alert = gnutls_alert_get(session);
        strerr = gnutls_alert_get_name(alert);
      }
      if(strerr == NULL)
        strerr = gnutls_strerror(rc);
      failf(data, "gnutls_handshake() failed: %s", strerr);
      return CURLE_SSL_CONNECT_ERROR;
    }
@@ -660,7 +681,7 @@ gtls_connect_step3(struct connectdata *conn,
  rc = gnutls_x509_crt_check_hostname(x509_cert, conn->host.name);
  if(!rc) {
-    if(data->set.ssl.verifyhost > 1) {
+    if(data->set.ssl.verifyhost) {
      failf(data, "SSL: certificate subject name (%s) does not match "
            "target host name '%s'", certbuf, conn->host.dispname);
      gnutls_x509_crt_deinit(x509_cert);
--- a/lib/hostcheck.c
+++ b/lib/hostcheck.c
@@ -0,0 +1,96 @@
 /***************************************************************************
 *                                  _   _ ____  _
 *  Project                     ___| | | |  _ \| |
 *                             / __| | | | |_) | |
 *                            | (__| |_| |  _ <| |___
 *                             \___|\___/|_| \_\_____|
 *
 * Copyright (C) 1998 - 2012, Daniel Stenberg, <daniel@haxx.se>, et al.
 *
 * This software is licensed as described in the file COPYING, which
 * you should have received as part of this distribution. The terms
 * are also available at http://curl.haxx.se/docs/copyright.html.
 *
 * You may opt to use, copy, modify, merge, publish, distribute and/or sell
 * copies of the Software, and permit persons to whom the Software is
 * furnished to do so, under the terms of the COPYING file.
 *
 * This software is distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY
 * KIND, either express or implied.
 *
 ***************************************************************************/
 #include "setup.h"
 #if defined(USE_SSLEAY) || defined(USE_AXTLS)
 /* these two backends use functions from this file */
 #include "hostcheck.h"
 #include "rawstr.h"
 /*
 * Match a hostname against a wildcard pattern.
 * E.g.
 *  "foo.host.com" matches "*.host.com".
 *
 * We use the matching rule described in RFC6125, section 6.4.3.
 * http://tools.ietf.org/html/rfc6125#section-6.4.3
 */
 static int hostmatch(const char *hostname, const char *pattern)
 {
  const char *pattern_label_end, *pattern_wildcard, *hostname_label_end;
  int wildcard_enabled;
  size_t prefixlen, suffixlen;
  pattern_wildcard = strchr(pattern, '*');
  if(pattern_wildcard == NULL)
    return Curl_raw_equal(pattern, hostname) ?
      CURL_HOST_MATCH : CURL_HOST_NOMATCH;
  /* We require at least 2 dots in pattern to avoid too wide wildcard
     match. */
  wildcard_enabled = 1;
  pattern_label_end = strchr(pattern, '.');
  if(pattern_label_end == NULL || strchr(pattern_label_end+1, '.') == NULL ||
     pattern_wildcard > pattern_label_end ||
     Curl_raw_nequal(pattern, "xn--", 4)) {
    wildcard_enabled = 0;
  }
  if(!wildcard_enabled)
    return Curl_raw_equal(pattern, hostname) ?
      CURL_HOST_MATCH : CURL_HOST_NOMATCH;
  hostname_label_end = strchr(hostname, '.');
  if(hostname_label_end == NULL ||
     !Curl_raw_equal(pattern_label_end, hostname_label_end))
    return CURL_HOST_NOMATCH;
  /* The wildcard must match at least one character, so the left-most
     label of the hostname is at least as large as the left-most label
     of the pattern. */
  if(hostname_label_end - hostname < pattern_label_end - pattern)
    return CURL_HOST_NOMATCH;
  prefixlen = pattern_wildcard - pattern;
  suffixlen = pattern_label_end - (pattern_wildcard+1);
  return Curl_raw_nequal(pattern, hostname, prefixlen) &&
    Curl_raw_nequal(pattern_wildcard+1, hostname_label_end - suffixlen,
                    suffixlen) ?
    CURL_HOST_MATCH : CURL_HOST_NOMATCH;
 }
 int Curl_cert_hostcheck(const char *match_pattern, const char *hostname)
 {
  if(!match_pattern || !*match_pattern ||
      !hostname || !*hostname) /* sanity check */
    return 0;
  if(Curl_raw_equal(hostname, match_pattern)) /* trivial case */
    return 1;
  if(hostmatch(hostname,match_pattern) == CURL_HOST_MATCH)
    return 1;
  return 0;
 }
 #endif /* SSLEAY or AXTLS */
--- a/lib/hostcheck.h
+++ b/lib/hostcheck.h
@@ -0,0 +1,31 @@
 #ifndef __HOSTCHECK_H
 #define __HOSTCHECK_H
 /***************************************************************************
 *                                  _   _ ____  _
 *  Project                     ___| | | |  _ \| |
 *                             / __| | | | |_) | |
 *                            | (__| |_| |  _ <| |___
 *                             \___|\___/|_| \_\_____|
 *
 * Copyright (C) 1998 - 2012, Daniel Stenberg, <daniel@haxx.se>, et al.
 *
 * This software is licensed as described in the file COPYING, which
 * you should have received as part of this distribution. The terms
 * are also available at http://curl.haxx.se/docs/copyright.html.
 *
 * You may opt to use, copy, modify, merge, publish, distribute and/or sell
 * copies of the Software, and permit persons to whom the Software is
 * furnished to do so, under the terms of the COPYING file.
 *
 * This software is distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY
 * KIND, either express or implied.
 *
 ***************************************************************************/
 #include <curl/curl.h>
 #define CURL_HOST_NOMATCH 0
 #define CURL_HOST_MATCH   1
 int Curl_cert_hostcheck(const char *match_pattern, const char *hostname);
 #endif
--- a/lib/hostip.c
+++ b/lib/hostip.c
@@ -5,7 +5,7 @@
 *                            | (__| |_| |  _ <| |___
 *                             \___|\___/|_| \_\_____|
 *
- * Copyright (C) 1998 - 2011, Daniel Stenberg, <daniel@haxx.se>, et al.
+ * Copyright (C) 1998 - 2012, Daniel Stenberg, <daniel@haxx.se>, et al.
 *
 * This software is licensed as described in the file COPYING, which
 * you should have received as part of this distribution. The terms
@@ -740,14 +740,18 @@ static int hostcache_inuse(void *data, void *hc)
  return 1; /* free all entries */
 }
-void Curl_hostcache_destroy(struct SessionHandle *data)
+void Curl_hostcache_clean(struct SessionHandle *data)
 {
  /* Entries added to the hostcache with the CURLOPT_RESOLVE function are
   * still present in the cache with the inuse counter set to 1. Detect them
   * and cleanup!
   */
  Curl_hash_clean_with_criterium(data->dns.hostcache, data, hostcache_inuse);
 }
 void Curl_hostcache_destroy(struct SessionHandle *data)
 {
  Curl_hostcache_clean(data);
  Curl_hash_destroy(data->dns.hostcache);
  data->dns.hostcachetype = HCACHE_NONE;
  data->dns.hostcache = NULL;
--- a/lib/hostip.h
+++ b/lib/hostip.h
@@ -7,7 +7,7 @@
 *                            | (__| |_| |  _ <| |___
 *                             \___|\___/|_| \_\_____|
 *
- * Copyright (C) 1998 - 2011, Daniel Stenberg, <daniel@haxx.se>, et al.
+ * Copyright (C) 1998 - 2012, Daniel Stenberg, <daniel@haxx.se>, et al.
 *
 * This software is licensed as described in the file COPYING, which
 * you should have received as part of this distribution. The terms
@@ -200,11 +200,19 @@ extern sigjmp_buf curl_jmpenv;
 */
 CURLcode Curl_set_dns_servers(struct SessionHandle *data, char *servers);
 /*
 * Clean off entries from the cache
 */
 void Curl_hostcache_clean(struct SessionHandle *data);
 /*
 * Destroy the hostcache of this handle.
 */
 void Curl_hostcache_destroy(struct SessionHandle *data);
 /*
 * Populate the cache with specified entries from CURLOPT_RESOLVE.
 */
 CURLcode Curl_loadhostpairs(struct SessionHandle *data);
 #endif /* HEADER_CURL_HOSTIP_H */
--- a/lib/http.c
+++ b/lib/http.c
@@ -387,7 +387,8 @@ static CURLcode http_perhapsrewind(struct connectdata *conn)
       (data->state.authproxy.picked == CURLAUTH_NTLM_WB) ||
       (data->state.authhost.picked == CURLAUTH_NTLM_WB)) {
      if(((expectsend - bytessent) < 2000) ||
-         (conn->ntlm.state != NTLMSTATE_NONE)) {
+         (conn->ntlm.state != NTLMSTATE_NONE) ||
         (conn->proxyntlm.state != NTLMSTATE_NONE)) {
        /* The NTLM-negotiation has started *OR* there is just a little (<2K)
           data left to send, keep on sending. */
@@ -407,7 +408,7 @@ static CURLcode http_perhapsrewind(struct connectdata *conn)
            " bytes\n", (curl_off_t)(expectsend - bytessent));
    }
-    /* This is not NTLM or NTLM with many bytes left to send: close
+    /* This is not NTLM or many bytes left to send: close
     */
    conn->bits.close = TRUE;
    data->req.size = 0; /* don't download any more than 0 bytes */
--- a/lib/http_digest.c
+++ b/lib/http_digest.c
@@ -280,7 +280,7 @@ CURLcode Curl_output_digest(struct connectdata *conn,
  unsigned char *md5this;
  unsigned char *ha1;
  unsigned char ha2[33];/* 32 digits and 1 zero byte */
-  char cnoncebuf[7];
+  char cnoncebuf[33];
  char *cnonce = NULL;
  size_t cnonce_sz = 0;
  char *tmp = NULL;
@@ -344,7 +344,8 @@ CURLcode Curl_output_digest(struct connectdata *conn,
  if(!d->cnonce) {
    /* Generate a cnonce */
    now = Curl_tvnow();
-    snprintf(cnoncebuf, sizeof(cnoncebuf), "%06ld", (long)now.tv_sec);
+    snprintf(cnoncebuf, sizeof(cnoncebuf), "%32ld",
             (long)now.tv_sec + now.tv_usec);
    rc = Curl_base64_encode(data, cnoncebuf, strlen(cnoncebuf),
                            &cnonce, &cnonce_sz);
--- a/lib/http_proxy.c
+++ b/lib/http_proxy.c
@@ -45,6 +45,7 @@
 #include "curlx.h"
 #include "curl_memory.h"
 /* The last #include file should be: */
 #include "memdebug.h"
--- a/lib/idn_win32.c
+++ b/lib/idn_win32.c
@@ -30,6 +30,10 @@
 #include "curl_multibyte.h"
 #include "curl_memory.h"
 /* The last #include file should be: */
 #include "memdebug.h"
 #ifdef WANT_IDN_PROTOTYPES
 WINBASEAPI int WINAPI IdnToAscii(DWORD, const WCHAR *, int, WCHAR *, int);
 WINBASEAPI int WINAPI IdnToUnicode(DWORD, const WCHAR *, int, WCHAR *, int);
--- a/lib/md5.c
+++ b/lib/md5.c
@@ -28,9 +28,13 @@
 #include "curl_hmac.h"
 #include "warnless.h"
 #include "curl_memory.h"
 #if defined(USE_GNUTLS_NETTLE)
 #include <nettle/md5.h>
 /* The last #include file should be: */
 #include "memdebug.h"
 typedef struct md5_ctx MD5_CTX;
@@ -54,6 +58,8 @@ static void MD5_Final(unsigned char digest[16], MD5_CTX * ctx)
 #elif defined(USE_GNUTLS)
 #include <gcrypt.h>
 /* The last #include file should be: */
 #include "memdebug.h"
 typedef gcry_md_hd_t MD5_CTX;
@@ -84,6 +90,17 @@ static void MD5_Final(unsigned char digest[16], MD5_CTX * ctx)
 #    include <md5.h>
 #  endif
 #elif defined(__MAC_10_4) || defined(__IPHONE_5_0)
 /* For Apple operating systems: CommonCrypto has the functions we need.
   The library's headers are even backward-compatible with OpenSSL's
   headers as long as we define COMMON_DIGEST_FOR_OPENSSL first.
   These functions are available on Tiger and later, as well as iOS 5.0
   and later. If you're building for an older cat, well, sorry. */
 #  define COMMON_DIGEST_FOR_OPENSSL
 #  include <CommonCrypto/CommonDigest.h>
 #elif defined(_WIN32)
 #include <wincrypt.h>
@@ -425,6 +442,9 @@ static void Decode (UINT4 *output,
 #endif /* CRYPTO LIBS */
 /* The last #include file should be: */
 #include "memdebug.h"
 const HMAC_params Curl_HMAC_MD5[] = {
  {
    (HMAC_hinit_func) MD5_Init,           /* Hash initialization function. */
--- a/lib/multi.c
+++ b/lib/multi.c
@@ -1789,12 +1789,6 @@ static CURLMcode multi_runsingle(struct Curl_multi *multi,
  } WHILE_FALSE; /* just to break out from! */
  if(CURLM_STATE_COMPLETED == easy->state) {
    if(data->dns.hostcachetype == HCACHE_MULTI) {
      /* clear out the usage of the shared DNS cache */
      data->dns.hostcache = NULL;
      data->dns.hostcachetype = HCACHE_NONE;
    }
    /* now fill in the Curl_message with this info */
    msg = &easy->msg;
@@ -1911,9 +1905,6 @@ CURLMcode curl_multi_cleanup(CURLM *multi_handle)
      cl= n;
    }
    Curl_hash_destroy(multi->hostcache);
    multi->hostcache = NULL;
    Curl_hash_destroy(multi->sockhash);
    multi->sockhash = NULL;
@@ -1930,6 +1921,7 @@ CURLMcode curl_multi_cleanup(CURLM *multi_handle)
      nexteasy=easy->next;
      if(easy->easy_handle->dns.hostcachetype == HCACHE_MULTI) {
        /* clear out the usage of the shared DNS cache */
        Curl_hostcache_clean(easy->easy_handle);
        easy->easy_handle->dns.hostcache = NULL;
        easy->easy_handle->dns.hostcachetype = HCACHE_NONE;
      }
@@ -1943,6 +1935,9 @@ CURLMcode curl_multi_cleanup(CURLM *multi_handle)
      easy = nexteasy;
    }
    Curl_hash_destroy(multi->hostcache);
    multi->hostcache = NULL;
    free(multi);
    return CURLM_OK;
--- a/lib/non-ascii.c
+++ b/lib/non-ascii.c
@@ -5,7 +5,7 @@
 *                            | (__| |_| |  _ <| |___
 *                             \___|\___/|_| \_\_____|
 *
- * Copyright (C) 1998 - 2011, Daniel Stenberg, <daniel@haxx.se>, et al.
+ * Copyright (C) 1998 - 2012, Daniel Stenberg, <daniel@haxx.se>, et al.
 *
 * This software is licensed as described in the file COPYING, which
 * you should have received as part of this distribution. The terms
@@ -24,12 +24,16 @@
 #ifdef CURL_DOES_CONVERSIONS
 #include <curl/curl.h>
 #include "non-ascii.h"
 #include "formdata.h"
 #include "sendf.h"
 #include "urldata.h"
-#include <curl/curl.h>
+#include "curl_memory.h"
 /* The last #include file should be: */
 #include "memdebug.h"
 #ifdef HAVE_ICONV
 #include <iconv.h>
--- a/lib/nss.c
+++ b/lib/nss.c
@@ -1316,8 +1316,6 @@ CURLcode Curl_nss_connect(struct connectdata *conn, int sockindex)
  if(!data->set.ssl.verifypeer && data->set.ssl.verifyhost)
    infof(data, "warning: ignoring value of ssl.verifyhost\n");
  else if(data->set.ssl.verifyhost == 1)
    infof(data, "warning: ignoring unsupported value (1) of ssl.verifyhost\n");
  /* bypass the default SSL_AuthCertificate() hook in case we do not want to
   * verify peer */
--- a/lib/nwlib.c
+++ b/lib/nwlib.c
@@ -5,7 +5,7 @@
 *                            | (__| |_| |  _ <| |___
 *                             \___|\___/|_| \_\_____|
 *
- * Copyright (C) 1998 - 2009, Daniel Stenberg, <daniel@haxx.se>, et al.
+ * Copyright (C) 1998 - 2012, Daniel Stenberg, <daniel@haxx.se>, et al.
 *
 * This software is licensed as described in the file COPYING, which
 * you should have received as part of this distribution. The terms
@@ -32,6 +32,9 @@
 #include <nks/thread.h>
 #include <nks/synch.h>
 #include "curl_memory.h"
 /* The last #include file should be: */
 #include "memdebug.h"
 typedef struct
 {
--- a/lib/pingpong.c
+++ b/lib/pingpong.c
@@ -5,7 +5,7 @@
 *                            | (__| |_| |  _ <| |___
 *                             \___|\___/|_| \_\_____|
 *
- * Copyright (C) 1998 - 2011, Daniel Stenberg, <daniel@haxx.se>, et al.
+ * Copyright (C) 1998 - 2012, Daniel Stenberg, <daniel@haxx.se>, et al.
 *
 * This software is licensed as described in the file COPYING, which
 * you should have received as part of this distribution. The terms
@@ -424,6 +424,9 @@ CURLcode Curl_pp_readresp(curl_socket_t sockfd,
           it may actually contain another end of response already! */
        clipamount = gotbytes - i;
        restart = TRUE;
        DEBUGF(infof(data, "Curl_pp_readresp_ %d bytes of trailing "
                     "server response left\n",
                     (int)clipamount));
      }
      else if(keepon) {
--- a/lib/polarssl.c
+++ b/lib/polarssl.c
@@ -212,8 +212,15 @@ polarssl_connect_step1(struct connectdata *conn,
    infof(data, "PolarSSL re-using session\n");
  }
 /* PolarSSL SVN revision r1316 to r1317, matching <1.2.0 is to cover Ubuntu's
   1.1.4 version and the like */
 #if POLARSSL_VERSION_NUMBER<0x01020000
  ssl_set_session(&connssl->ssl, 1, 600,
                  &connssl->ssn);
 #else
  ssl_set_session(&connssl->ssl,
                  &connssl->ssn);
 #endif
  ssl_set_ca_chain(&connssl->ssl,
                   &connssl->cacert,
@@ -306,12 +313,25 @@ polarssl_connect_step2(struct connectdata *conn,
    return CURLE_PEER_FAILED_VERIFICATION;
  }
 /* PolarSSL SVN revision r1316 to r1317, matching <1.2.0 is to cover Ubuntu's
   1.1.4 version and the like */
 #if POLARSSL_VERSION_NUMBER<0x01020000
  if(conn->ssl[sockindex].ssl.peer_cert) {
 #else
  if(ssl_get_peer_cert(&(connssl->ssl))) {
 #endif
    /* If the session was resumed, there will be no peer certs */
    memset(buffer, 0, sizeof(buffer));
 /* PolarSSL SVN revision r1316 to r1317, matching <1.2.0 is to cover Ubuntu's
   1.1.4 version and the like */
 #if POLARSSL_VERSION_NUMBER<0x01020000
    if(x509parse_cert_info(buffer, sizeof(buffer), (char *)"* ",
                           conn->ssl[sockindex].ssl.peer_cert) != -1)
 #else
    if(x509parse_cert_info(buffer, sizeof(buffer), (char *)"* ",
                           ssl_get_peer_cert(&(connssl->ssl))) != -1)
 #endif
      infof(data, "Dumping cert info:\n%s\n", buffer);
  }
--- a/lib/sendf.c
+++ b/lib/sendf.c
@@ -264,7 +264,7 @@ CURLcode Curl_write(struct connectdata *conn,
  default:
    /* we got a specific curlcode, forward it */
-    return (CURLcode)curlcode;
+    return curlcode;
  }
 }
--- a/lib/ssh.c
+++ b/lib/ssh.c
@@ -2982,6 +2982,10 @@ static ssize_t scp_send(struct connectdata *conn, int sockindex,
    *err = CURLE_AGAIN;
    nwrite = 0;
  }
  else if(nwrite < LIBSSH2_ERROR_NONE) {
    *err = libssh2_session_error_to_CURLE(nwrite);
    nwrite = -1;
  }
  return nwrite;
 }
@@ -3126,6 +3130,10 @@ static ssize_t sftp_send(struct connectdata *conn, int sockindex,
    *err = CURLE_AGAIN;
    nwrite = 0;
  }
  else if(nwrite < LIBSSH2_ERROR_NONE) {
    *err = libssh2_session_error_to_CURLE(nwrite);
    nwrite = -1;
  }
  return nwrite;
 }
--- a/lib/ssluse.c
+++ b/lib/ssluse.c
@@ -50,6 +50,7 @@
 #include "select.h"
 #include "sslgen.h"
 #include "rawstr.h"
 #include "hostcheck.h"
 #define _MPRINTF_REPLACE /* use the internal *printf() functions */
 #include <curl/mprintf.h>
@@ -1039,71 +1040,6 @@ static int asn1_output(const ASN1_UTCTIME *tm,
 /* ====================================================== */
 /*
 * Match a hostname against a wildcard pattern.
 * E.g.
 *  "foo.host.com" matches "*.host.com".
 *
 * We use the matching rule described in RFC6125, section 6.4.3.
 * http://tools.ietf.org/html/rfc6125#section-6.4.3
 */
 #define HOST_NOMATCH 0
 #define HOST_MATCH   1
 static int hostmatch(const char *hostname, const char *pattern)
 {
  const char *pattern_label_end, *pattern_wildcard, *hostname_label_end;
  int wildcard_enabled;
  size_t prefixlen, suffixlen;
  pattern_wildcard = strchr(pattern, '*');
  if(pattern_wildcard == NULL) {
    return Curl_raw_equal(pattern, hostname) ? HOST_MATCH : HOST_NOMATCH;
  }
  /* We require at least 2 dots in pattern to avoid too wide wildcard
     match. */
  wildcard_enabled = 1;
  pattern_label_end = strchr(pattern, '.');
  if(pattern_label_end == NULL || strchr(pattern_label_end+1, '.') == NULL ||
     pattern_wildcard > pattern_label_end ||
     Curl_raw_nequal(pattern, "xn--", 4)) {
    wildcard_enabled = 0;
  }
  if(!wildcard_enabled) {
    return Curl_raw_equal(pattern, hostname) ? HOST_MATCH : HOST_NOMATCH;
  }
  hostname_label_end = strchr(hostname, '.');
  if(hostname_label_end == NULL ||
     !Curl_raw_equal(pattern_label_end, hostname_label_end)) {
    return HOST_NOMATCH;
  }
  /* The wildcard must match at least one character, so the left-most
     label of the hostname is at least as large as the left-most label
     of the pattern. */
  if(hostname_label_end - hostname < pattern_label_end - pattern) {
    return HOST_NOMATCH;
  }
  prefixlen = pattern_wildcard - pattern;
  suffixlen = pattern_label_end - (pattern_wildcard+1);
  return Curl_raw_nequal(pattern, hostname, prefixlen) &&
    Curl_raw_nequal(pattern_wildcard+1, hostname_label_end - suffixlen,
                    suffixlen) ?
    HOST_MATCH : HOST_NOMATCH;
 }
 static int
 cert_hostcheck(const char *match_pattern, const char *hostname)
 {
  if(!match_pattern || !*match_pattern ||
      !hostname || !*hostname) /* sanity check */
    return 0;
  if(Curl_raw_equal(hostname, match_pattern)) /* trivial case */
    return 1;
  if(hostmatch(hostname,match_pattern) == HOST_MATCH)
    return 1;
  return 0;
 }
 /* Quote from RFC2818 section 3.1 "Server Identity"
@@ -1192,7 +1128,7 @@ static CURLcode verifyhost(struct connectdata *conn,
          if((altlen == strlen(altptr)) &&
             /* if this isn't true, there was an embedded zero in the name
                string and we cannot match it. */
-             cert_hostcheck(altptr, conn->host.name))
+             Curl_cert_hostcheck(altptr, conn->host.name))
            matched = 1;
          else
            matched = 0;
@@ -1291,15 +1227,10 @@ static CURLcode verifyhost(struct connectdata *conn,
            "SSL: unable to obtain common name from peer certificate");
      res = CURLE_PEER_FAILED_VERIFICATION;
    }
-    else if(!cert_hostcheck((const char *)peer_CN, conn->host.name)) {
+    else if(!Curl_cert_hostcheck((const char *)peer_CN, conn->host.name)) {
-      if(data->set.ssl.verifyhost > 1) {
+      failf(data, "SSL: certificate subject name '%s' does not match "
-        failf(data, "SSL: certificate subject name '%s' does not match "
+            "target host name '%s'", peer_CN, conn->host.dispname);
-              "target host name '%s'", peer_CN, conn->host.dispname);
+      res = CURLE_PEER_FAILED_VERIFICATION;
        res = CURLE_PEER_FAILED_VERIFICATION;
      }
      else
        infof(data, "\t common name: %s (does not match '%s')\n",
              peer_CN, conn->host.dispname);
    }
    else {
      infof(data, "\t common name: %s (matched)\n", peer_CN);
@@ -1570,6 +1501,10 @@ ossl_connect_step1(struct connectdata *conn,
  ctx_options |= SSL_OP_NO_TICKET;
 #endif
 #ifdef SSL_OP_NO_COMPRESSION
  ctx_options |= SSL_OP_NO_COMPRESSION;
 #endif
 #ifdef SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG
  /* mitigate CVE-2010-4180 */
  ctx_options &= ~SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG;
@@ -2308,11 +2243,11 @@ static CURLcode servercert(struct connectdata *conn,
  infof(data, "\t subject: %s\n", buffer);
  certdate = X509_get_notBefore(connssl->server_cert);
-  asn1_output(certdate, buffer, sizeof(buffer));
+  asn1_output(certdate, buffer, BUFSIZE);
  infof(data, "\t start date: %s\n", buffer);
  certdate = X509_get_notAfter(connssl->server_cert);
-  asn1_output(certdate, buffer, sizeof(buffer));
+  asn1_output(certdate, buffer, BUFSIZE);
  infof(data, "\t expire date: %s\n", buffer);
  if(data->set.ssl.verifyhost) {
@@ -2325,7 +2260,7 @@ static CURLcode servercert(struct connectdata *conn,
  }
  rc = x509_name_oneline(X509_get_issuer_name(connssl->server_cert),
-                         buffer, sizeof(buffer));
+                         buffer, BUFSIZE);
  if(rc) {
    if(strict)
      failf(data, "SSL: couldn't get X509-issuer name!");
--- a/lib/strdup.c
+++ b/lib/strdup.c
@@ -5,7 +5,7 @@
 *                            | (__| |_| |  _ <| |___
 *                             \___|\___/|_| \_\_____|
 *
- * Copyright (C) 1998 - 2008, Daniel Stenberg, <daniel@haxx.se>, et al.
+ * Copyright (C) 1998 - 2012, Daniel Stenberg, <daniel@haxx.se>, et al.
 *
 * This software is licensed as described in the file COPYING, which
 * you should have received as part of this distribution. The terms
@@ -19,7 +19,9 @@
 * KIND, either express or implied.
 *
 ***************************************************************************/
-
+/*
 * This file is 'mem-include-scan' clean. See test 1132.
 */
 #include "setup.h"
 #include "strdup.h"
--- a/lib/strerror.c
+++ b/lib/strerror.c
@@ -44,6 +44,9 @@
 #define _MPRINTF_REPLACE /* use our functions only */
 #include <curl/mprintf.h>
 #include "curl_memory.h"
 /* The last #include file should be: */
 #include "memdebug.h"
 const char *
 curl_easy_strerror(CURLcode error)
--- a/lib/tftp.c
+++ b/lib/tftp.c
@@ -591,16 +591,25 @@ static CURLcode tftp_rx(tftp_state_data_t *state, tftp_event_t event)
  case TFTP_EVENT_DATA:
    /* Is this the block we expect? */
    rblock = getrpacketblock(&state->rpacket);
-    if(NEXT_BLOCKNUM(state->block) != rblock) {
+    if(NEXT_BLOCKNUM(state->block) == rblock) {
-      /* No, log it */
+      /* This is the expected block.  Reset counters and ACK it. */
      state->retries = 0;
    }
    else if(state->block == rblock) {
      /* This is the last recently received block again. Log it and ACK it
         again. */
      infof(data, "Received last DATA packet block %d again.\n", rblock);
    }
    else {
      /* totally unexpected, just log it */
      infof(data,
            "Received unexpected DATA packet block %d, expecting block %d\n",
            rblock, NEXT_BLOCKNUM(state->block));
      break;
    }
-    /* This is the expected block.  Reset counters and ACK it. */
+
    /* ACK this block. */
    state->block = (unsigned short)rblock;
    state->retries = 0;
    setpacketevent(&state->spacket, TFTP_EVENT_ACK);
    setpacketblock(&state->spacket, state->block);
    sbytes = sendto(state->sockfd, (void *)state->spacket.data,
--- a/lib/transfer.c
+++ b/lib/transfer.c
@@ -1030,12 +1030,6 @@ CURLcode Curl_readwrite(struct connectdata *conn,
    if(result || *done)
      return result;
  }
  else if(k->keepon & KEEP_RECV) {
    DEBUGF(infof(data, "additional stuff not fine %s:%d: %d %d\n",
                 __FILE__, __LINE__,
                 select_res & CURL_CSELECT_IN,
                 conn->bits.stream_was_rewound));
  }
  /* If we still have writing to do, we check if we have a writable socket. */
  if((k->keepon & KEEP_SEND) && (select_res & CURL_CSELECT_OUT)) {
@@ -1433,10 +1427,6 @@ CURLcode Curl_pretransfer(struct SessionHandle *data)
  data->state.ssl_connect_retry = FALSE;
  /* zero out auth state */
  memset(&data->state.authhost, 0, sizeof(struct auth));
  memset(&data->state.authproxy, 0, sizeof(struct auth));
  data->state.authproblem = FALSE;
  data->state.authhost.want = data->set.httpauth;
  data->state.authproxy.want = data->set.proxyauth;
@@ -1473,6 +1463,12 @@ CURLcode Curl_pretransfer(struct SessionHandle *data)
    if(data->set.connecttimeout)
      Curl_expire(data, data->set.connecttimeout);
    /* In case the handle is re-used and an authentication method was picked
       in the session we need to make sure we only use the one(s) we now
       consider to be fine */
    data->state.authhost.picked &= data->state.authhost.want;
    data->state.authproxy.picked &= data->state.authproxy.want;
  }
  return res;
--- a/lib/url.c
+++ b/lib/url.c
@@ -708,7 +708,7 @@ CURLcode Curl_init_userdefined(struct UserDefined *set)
   * switched off unless wanted.
   */
  set->ssl.verifypeer = TRUE;
-  set->ssl.verifyhost = 2;
+  set->ssl.verifyhost = TRUE;
 #ifdef USE_TLS_SRP
  set->ssl.authtype = CURL_TLSAUTH_NONE;
 #endif
@@ -2049,13 +2049,25 @@ CURLcode Curl_setopt(struct SessionHandle *data, CURLoption option,
    /*
     * Enable peer SSL verifying.
     */
-    data->set.ssl.verifypeer = va_arg(param, long);
+    data->set.ssl.verifypeer = (0 != va_arg(param, long))?TRUE:FALSE;
    break;
  case CURLOPT_SSL_VERIFYHOST:
    /*
-     * Enable verification of the CN contained in the peer certificate
+     * Enable verification of the host name in the peer certificate
     */
-    data->set.ssl.verifyhost = va_arg(param, long);
+    arg = va_arg(param, long);
    /* Obviously people are not reading documentation and too many thought
       this argument took a boolean when it wasn't and misused it. We thus ban
       1 as a sensible input and we warn about its use. Then we only have the
       2 action internally stored as TRUE. */
    if(1 == arg) {
      failf(data, "CURLOPT_SSL_VERIFYHOST no longer supports 1 as value!");
      return CURLE_BAD_FUNCTION_ARGUMENT;
    }
    data->set.ssl.verifyhost = (0 != arg)?TRUE:FALSE;
    break;
 #ifdef USE_SSLEAY
    /* since these two options are only possible to use on an OpenSSL-
@@ -2589,7 +2601,7 @@ CURLcode Curl_setopt(struct SessionHandle *data, CURLoption option,
      data->set.ssl.authtype = CURL_TLSAUTH_SRP; /* default to SRP */
    break;
  case CURLOPT_TLSAUTH_TYPE:
-    if(strncmp((char *)va_arg(param, char *), "SRP", strlen("SRP")) == 0)
+    if(strnequal((char *)va_arg(param, char *), "SRP", strlen("SRP")))
      data->set.ssl.authtype = CURL_TLSAUTH_SRP;
    else
      data->set.ssl.authtype = CURL_TLSAUTH_NONE;
@@ -3975,9 +3987,17 @@ static CURLcode parseurlandfillconn(struct SessionHandle *data,
     last part of the URI. We are looking for the first '#' so that we deal
     gracefully with non conformant URI such as http://example.com#foo#bar. */
  fragment = strchr(path, '#');
-  if(fragment)
+  if(fragment) {
    *fragment = 0;
    /* we know the path part ended with a fragment, so we know the full URL
       string does too and we need to cut it off from there so it isn't used
       over proxy */
    fragment = strchr(data->change.url, '#');
    if(fragment)
      *fragment = 0;
  }
  /*
   * So if the URL was A://B/C#D,
   *   protop is A
--- a/lib/urldata.h
+++ b/lib/urldata.h
@@ -332,10 +332,9 @@ struct ssl_connect_data {
 struct ssl_config_data {
  long version;          /* what version the client wants to use */
  long certverifyresult; /* result from the certificate verification */
-  long verifypeer;       /* set TRUE if this is desired */
+
-  long verifyhost;       /* 0: no verify
+  bool verifypeer;       /* set TRUE if this is desired */
-                            1: check that CN exists
+  bool verifyhost;       /* set TRUE if CN/SAN must match hostname */
                            2: CN must match hostname */
  char *CApath;          /* certificate dir (doesn't work on windows) */
  char *CAfile;          /* certificate to verify peer against */
  const char *CRLfile;   /* CRL to check certificate revocation */
@@ -994,8 +993,8 @@ struct connectdata {
  int socks5_gssapi_enctype;
 #endif
-  long verifypeer;
+  bool verifypeer;
-  long verifyhost;
+  bool verifyhost;
  /* When this connection is created, store the conditions for the local end
     bind. This is stored before the actual bind and before any connection is
--- a/m4/curl-compilers.m4
+++ b/m4/curl-compilers.m4
@@ -97,7 +97,7 @@ AC_DEFUN([CURL_CHECK_COMPILER_CLANG], [
    flags_dbg_all="$flags_dbg_all -gdwarf-2"
    flags_dbg_all="$flags_dbg_all -gvms"
    flags_dbg_yes="-g"
-    flags_dbg_off="-g0"
+    flags_dbg_off=""
    flags_opt_all="-O -O0 -O1 -O2 -Os -O3 -O4"
    flags_opt_yes="-Os"
    flags_opt_off="-O0"
@@ -121,7 +121,7 @@ AC_DEFUN([CURL_CHECK_COMPILER_DEC_C], [
    compiler_id="DEC_C"
    flags_dbg_all="-g -g0 -g1 -g2 -g3"
    flags_dbg_yes="-g2"
-    flags_dbg_off="-g0"
+    flags_dbg_off=""
    flags_opt_all="-O -O0 -O1 -O2 -O3 -O4"
    flags_opt_yes="-O1"
    flags_opt_off="-O0"
@@ -157,7 +157,7 @@ AC_DEFUN([CURL_CHECK_COMPILER_GNU_C], [
    flags_dbg_all="$flags_dbg_all -gdwarf-2"
    flags_dbg_all="$flags_dbg_all -gvms"
    flags_dbg_yes="-g"
-    flags_dbg_off="-g0"
+    flags_dbg_off=""
    flags_opt_all="-O -O0 -O1 -O2 -O3 -Os"
    flags_opt_yes="-O2"
    flags_opt_off="-O0"
@@ -236,7 +236,7 @@ AC_DEFUN([CURL_CHECK_COMPILER_INTEL_C], [
      compiler_id="INTEL_UNIX_C"
      flags_dbg_all="-g -g0"
      flags_dbg_yes="-g"
-      flags_dbg_off="-g0"
+      flags_dbg_off=""
      flags_opt_all="-O -O0 -O1 -O2 -O3 -Os"
      flags_opt_yes="-O2"
      flags_opt_off="-O0"
@@ -300,7 +300,7 @@ AC_DEFUN([CURL_CHECK_COMPILER_SGI_MIPS_C], [
    compiler_id="SGI_MIPS_C"
    flags_dbg_all="-g -g0 -g1 -g2 -g3"
    flags_dbg_yes="-g"
-    flags_dbg_off="-g0"
+    flags_dbg_off=""
    flags_opt_all="-O -O0 -O1 -O2 -O3 -Ofast"
    flags_opt_yes="-O2"
    flags_opt_off="-O0"
@@ -327,7 +327,7 @@ AC_DEFUN([CURL_CHECK_COMPILER_SGI_MIPSPRO_C], [
    compiler_id="SGI_MIPSPRO_C"
    flags_dbg_all="-g -g0 -g1 -g2 -g3"
    flags_dbg_yes="-g"
-    flags_dbg_off="-g0"
+    flags_dbg_off=""
    flags_opt_all="-O -O0 -O1 -O2 -O3 -Ofast"
    flags_opt_yes="-O2"
    flags_opt_off="-O0"
--- a/packages/OS400/README.OS400
+++ b/packages/OS400/README.OS400
@@ -73,6 +73,7 @@ options:
        CURLOPT_COPYPOSTFIELDS
        CURLOPT_CRLFILE
        CURLOPT_CUSTOMREQUEST
        CURLOPT_DNS_SERVERS
        CURLOPT_EGDSOCKET
        CURLOPT_ENCODING
        CURLOPT_FTP_ACCOUNT
@@ -83,6 +84,7 @@ options:
        CURLOPT_KEYPASSWD
        CURLOPT_KRBLEVEL
        CURLOPT_MAIL_FROM
        CURLOPT_MAIL_AUTH
        CURLOPT_NETRC_FILE
        CURLOPT_NOPROXY
        CURLOPT_PASSWORD
--- a/packages/OS400/ccsidcurl.c
+++ b/packages/OS400/ccsidcurl.c
@@ -1032,7 +1032,7 @@ curl_easy_setopt_ccsid(CURL * curl, CURLoption tag, ...)
 #ifdef USE_TLS_SRP
    if ((int) STRING_LAST != (int) STRING_TLSAUTH_PASSWORD + 1)
 #else
-    if ((int) STRING_LAST != (int) STRING_MAIL_FROM + 1)
+    if ((int) STRING_LAST != (int) STRING_MAIL_AUTH + 1)
 #endif
      curl_mfprintf(stderr,
       "*** WARNING: curl_easy_setopt_ccsid() should be reworked ***\n");
@@ -1051,6 +1051,7 @@ curl_easy_setopt_ccsid(CURL * curl, CURLoption tag, ...)
  case CURLOPT_COOKIELIST:
  case CURLOPT_CRLFILE:
  case CURLOPT_CUSTOMREQUEST:
  case CURLOPT_DNS_SERVERS:
  case CURLOPT_EGDSOCKET:
  case CURLOPT_ENCODING:
  case CURLOPT_FTP_ACCOUNT:
@@ -1061,6 +1062,7 @@ curl_easy_setopt_ccsid(CURL * curl, CURLoption tag, ...)
  case CURLOPT_KEYPASSWD:
  case CURLOPT_KRBLEVEL:
  case CURLOPT_MAIL_FROM:
  case CURLOPT_MAIL_AUTH:
  case CURLOPT_NETRC_FILE:
  case CURLOPT_NOPROXY:
  case CURLOPT_PASSWORD:
--- a/packages/OS400/curl.inc.in
+++ b/packages/OS400/curl.inc.in
@@ -173,6 +173,8 @@
     d                 c                   X'00000004'
     d CURLSSH_AUTH_KEYBOARD...
     d                 c                   X'00000008'
     d CURLSSH_AUTH_AGENT...
     d                 c                   X'00000010'
     d CURLSSH_AUTH_DEFAULT...
     d                 c                   X'7FFFFFFF'                          CURLSSH_AUTH_ANY
      *
@@ -236,8 +238,10 @@
     d                 c                   1
     d CURL_REDIR_POST_302...
     d                 c                   2
     d CURL_REDIR_POST_303...
     d                 c                   4
     d CURL_REDIR_POST_ALL...
-     d                 c                   3
+     d                 c                   7
      *
     d CURL_POLL_NONE  c                   0
     d CURL_POLL_IN    c                   1
@@ -299,6 +303,13 @@
     d CURL_FNMATCHFUNC_FAIL...
     d                 c                   2
      *
     d CURL_WAIT_POLLIN...
     d                 c                   X'0001'
     d CURL_WAIT_POLLPRI...
     d                 c                   X'0002'
     d CURL_WAIT_POLLOUT...
     d                 c                   X'0004'
      *
      **************************************************************************
      *                                Types
      **************************************************************************
@@ -327,11 +338,11 @@
     d                 c                   8
     d  CURLE_REMOTE_ACCESS_DENIED...
     d                 c                   9
-     d  CURLE_OBSOLETE10...
+     d  CURLE_FTP_ACCEPT_FAILED...
     d                 c                   10
     d  CURLE_FTP_WEIRD_PASS_REPLY...
     d                 c                   11
-     d  CURLE_OBSOLETE12...
+     d  CURLE_FTP_ACCEPT_TIMEOUT...
     d                 c                   12
     d  CURLE_FTP_WEIRD_PASV_REPLY...
     d                 c                   13
@@ -641,6 +652,9 @@
     d  CURLUSESSL_ALL...
     d                 c                   3
      *
     d CURLSSLOPT_ALLOW_BEAST...
     d                 c                   1
      *
      /if not defined(CURL_NO_OLDIES)
     d curl_ftpssl     s                   like(curl_usessl)
     d                                     based(######ptr######)
@@ -1124,6 +1138,20 @@
     d                 c                   10209
     d  CURLOPT_GSSAPI_DELEGATION...
     d                 c                   00210
     d  CURLOPT_DNS_SERVERS...
     d                 c                   10211
     d  CURLOPT_ACCEPTTIMEOUT_MS...
     d                 c                   00212
     d  CURLOPT_TCP_KEEPALIVE...
     d                 c                   00213
     d  CURLOPT_TCP_KEEPIDLE...
     d                 c                   00214
     d  CURLOPT_TCP_KEEPINTVL...
     d                 c                   00215
     d  CURLOPT_SSL_OPTIONS...
     d                 c                   00216
     d  CURLOPT_MAIL_AUTH...
     d                 c                   10217
      *
      /if not defined(CURL_NO_OLDIES)
     d  CURLOPT_SSLKEYPASSWD...
@@ -1385,6 +1413,8 @@
     d curlsocktype    s             10i 0 based(######ptr######)               Enum
     d  CURLSOCKTYPE_IPCXN...
     d                 c                   0
     d  CURLSOCKTYPE_ACCEPT...
     d                 c                   1
      *
     d  CURL_SOCKOPT_OK...
     d                 c                   0
@@ -1471,6 +1501,13 @@
     d   whatever                      *   overlay(data)                        void *
     d   result                            overlay(data) like(CURLcode)
      *
     d curl_waitfd...
     d                 ds                  based(######ptr######)
     d                                     qualified
     d  fd                                 like(curl_socket_t)
     d  events                        5i 0
     d  revents                       5i 0
      *
     d curl_http_post...
     d                 ds                  based(######ptr######)
     d                                     qualified
@@ -1916,6 +1953,15 @@
     d  exc_fd_set                65535    options(*varsize)                    fd_set
     d  max_fd                       10i 0
      *
     d curl_multi_wait...
     d                 pr                  extproc('curl_multi_wait')
     d                                     like(CURLMcode)
     d  multi_handle                   *   value                                CURLM *
     d  extra_fds                      *   value                                curl_waitfd *
     d  extra_nfds                   10u 0 value
     d  timeout_ms                   10i 0 value
     d  ret                          10i 0 options(*omit)
      *
     d curl_multi_perform...
     d                 pr                  extproc('curl_multi_perform')
     d                                     like(CURLMcode)
--- a/packages/OS400/initscript.sh
+++ b/packages/OS400/initscript.sh
@@ -157,11 +157,8 @@ db2_name()
        basename "${1}"                                                 |
        tr 'a-z-' 'A-Z_'                                                |
        sed -e 's/\..*//'                                               \
-            -e 's/\([^_]\)[^_]*_\(.*\)/\1\2/'                                \
+            -e 's/^CURL_*/C/'                                           \
-            -e 's/\([^_]\)\([^_]\)[^_]*_\(.*\)/\1\2\3/'                      \
+            -e 's/^\(.\).*\(.........\)$/\1\2/'
            -e 's/\([^_]\)\([^_]\)\([^_]\)[^_]*_\(.*\)/\1\2\3\4/'            \
            -e 's/\([^_]\)\([^_]\)\([^_]\)\([^_]\)[^_]*_\(.*\)/\1\2\3\4\5/'  \
            -e 's/^\(..........\).*/\1/'
 }
--- a/packages/OS400/make-lib.sh
+++ b/packages/OS400/make-lib.sh
@@ -13,7 +13,7 @@ cd "${TOPDIR}/lib"
 echo '#pragma comment(user, "libcurl version '"${LIBCURL_VERSION}"'")' > os400.c
 echo '#pragma comment(user, __DATE__)' >> os400.c
 echo '#pragma comment(user, __TIME__)' >> os400.c
-echo '#pragma comment(copyright, "Copyright (C) 1998-2011 Daniel Stenberg et al. OS/400 version by P. Monnerat")' >> os400.c
+echo '#pragma comment(copyright, "Copyright (C) 1998-2012 Daniel Stenberg et al. OS/400 version by P. Monnerat")' >> os400.c
 make_module     OS400           os400.c
 LINK=                           # No need to rebuild service program yet.
 MODULES=
--- a/src/Makefile.am
+++ b/src/Makefile.am
@@ -34,19 +34,19 @@ AUTOMAKE_OPTIONS = foreign nostdinc
 # $(top_srcdir)/lib is for libcurl's lib/setup.h and other "borrowed" files
 # $(top_srcdir)/src is for curl's src/tool_setup.h and "curl-private" files
-INCLUDES = -I$(top_builddir)/include/curl \
+AM_CPPFLAGS = -I$(top_builddir)/include/curl \
-           -I$(top_builddir)/include      \
+              -I$(top_builddir)/include      \
-           -I$(top_srcdir)/include        \
+              -I$(top_srcdir)/include        \
-           -I$(top_builddir)/lib          \
+              -I$(top_builddir)/lib          \
-           -I$(top_builddir)/src          \
+              -I$(top_builddir)/src          \
-           -I$(top_srcdir)/lib            \
+              -I$(top_srcdir)/lib            \
-           -I$(top_srcdir)/src
+              -I$(top_srcdir)/src
 bin_PROGRAMS = curl
 # Mostly for Windows build targets, when using static libcurl
 if USE_CPPFLAG_CURL_STATICLIB
-AM_CPPFLAGS = -DCURL_STATICLIB
+AM_CPPFLAGS += -DCURL_STATICLIB
 endif
 include Makefile.inc
--- a/src/Makefile.m32
+++ b/src/Makefile.m32
@@ -32,6 +32,14 @@ endif
 ifndef LIBMETALINK_PATH
 LIBMETALINK_PATH = ../../libmetalink-0.1.2
 endif
 # Edit the path below to point to the base of your libexpat package.
 ifndef LIBEXPAT_PATH
 LIBEXPAT_PATH = ../../expat-2.1.0
 endif
 # Edit the path below to point to the base of your libxml2 package.
 ifndef LIBXML2_PATH
 LIBXML2_PATH = ../../libxml2-2.9.0
 endif
 # Edit the path below to point to the base of your libidn package.
 ifndef LIBIDN_PATH
 LIBIDN_PATH = ../../libidn-1.18
@@ -67,6 +75,7 @@ CFLAGS	+= -D_AMD64_
 endif
 # comment LDFLAGS below to keep debug info
 LDFLAGS	= -s
 AR	= $(CROSSPREFIX)ar
 RC	= $(CROSSPREFIX)windres
 RCFLAGS	= --include-dir=$(PROOT)/include -O COFF -i
@@ -180,6 +189,17 @@ ifdef SSH2
  curl_LDADD += -L"$(LIBSSH2_PATH)/win32" -lssh2
 endif
 ifdef SSL
  ifndef OPENSSL_INCLUDE
    ifeq "$(wildcard $(OPENSSL_PATH)/outinc)" "$(OPENSSL_PATH)/outinc"
      OPENSSL_INCLUDE = $(OPENSSL_PATH)/outinc
    endif
    ifeq "$(wildcard $(OPENSSL_PATH)/include)" "$(OPENSSL_PATH)/include"
      OPENSSL_INCLUDE = $(OPENSSL_PATH)/include
    endif
  endif
  ifneq "$(wildcard $(OPENSSL_INCLUDE)/openssl/opensslv.h)" "$(OPENSSL_INCLUDE)/openssl/opensslv.h"
  $(error Invalid path to OpenSSL package: $(OPENSSL_PATH))
  endif
  ifndef OPENSSL_LIBPATH
    OPENSSL_LIBS = -lssl -lcrypto
    ifeq "$(wildcard $(OPENSSL_PATH)/out)" "$(OPENSSL_PATH)/out"
@@ -195,7 +215,8 @@ ifdef SSL
  ifndef DYN
    OPENSSL_LIBS += -lgdi32 -lcrypt32
  endif
-  CFLAGS += -DUSE_SSLEAY
+  INCLUDES += -I"$(OPENSSL_INCLUDE)"
  CFLAGS += -DUSE_SSLEAY -DUSE_OPENSSL
  curl_LDADD += -L"$(OPENSSL_LIBPATH)" $(OPENSSL_LIBS)
 endif
 ifdef ZLIB
@@ -213,9 +234,16 @@ ifdef WINIDN
 endif
 endif
 ifdef METALINK
-  INCLUDES += -I"$(LIBMETALINK_PATH)/lib/includes"
+  INCLUDES += -I"$(LIBMETALINK_PATH)/include"
  CFLAGS += -DUSE_METALINK
-  curl_LDADD += -L"$(LIBMETALINK_PATH)/lib/.libs" -lmetalink.dll
+  curl_LDADD += -L"$(LIBMETALINK_PATH)/lib" -lmetalink
  ifndef DYN
    ifeq ($(findstring libexpat_metalink_parser.o,$(shell $(AR) t "$(LIBMETALINK_PATH)/lib/libmetalink.a")),libexpat_metalink_parser.o)
      curl_LDADD += -L"$(LIBEXPAT_PATH)/lib" -lexpat
    else
      curl_LDADD += -L"$(LIBXML2_PATH)/lib" -lxml2
    endif
  endif
 endif
 ifdef SSPI
  CFLAGS += -DUSE_WINDOWS_SSPI
--- a/src/tool_metalink.c
+++ b/src/tool_metalink.c
@@ -52,10 +52,19 @@
 #  define MD5_CTX    gcry_md_hd_t
 #  define SHA_CTX    gcry_md_hd_t
 #  define SHA256_CTX gcry_md_hd_t
-#elif defined(USE_DARWINSSL)
+#elif defined(USE_NSS)
-/* For darwinssl: CommonCrypto has the functions we need. The library's
+#  include <nss.h>
-   headers are even backward-compatible with OpenSSL's headers as long as
+#  include <pk11pub.h>
-   we define COMMON_DIGEST_FOR_OPENSSL first.
+#  define MD5_CTX    void *
 #  define SHA_CTX    void *
 #  define SHA256_CTX void *
 #  ifdef HAVE_NSS_INITCONTEXT
     static NSSInitContext *nss_context;
 #  endif
 #elif defined(__MAC_10_4) || defined(__IPHONE_5_0)
 /* For Apple operating systems: CommonCrypto has the functions we need.
   The library's headers are even backward-compatible with OpenSSL's
   headers as long as we define COMMON_DIGEST_FOR_OPENSSL first.
   These functions are available on Tiger and later, as well as iOS 5.0
   and later. If you're building for an older cat, well, sorry. */
@@ -112,9 +121,10 @@ struct win32_crypto_hash {
 #ifdef USE_GNUTLS_NETTLE
-static void MD5_Init(MD5_CTX *ctx)
+static int MD5_Init(MD5_CTX *ctx)
 {
  md5_init(ctx);
  return 1;
 }
 static void MD5_Update(MD5_CTX *ctx,
@@ -129,9 +139,10 @@ static void MD5_Final(unsigned char digest[16], MD5_CTX *ctx)
  md5_digest(ctx, 16, digest);
 }
-static void SHA1_Init(SHA_CTX *ctx)
+static int SHA1_Init(SHA_CTX *ctx)
 {
  sha1_init(ctx);
  return 1;
 }
 static void SHA1_Update(SHA_CTX *ctx,
@@ -146,9 +157,10 @@ static void SHA1_Final(unsigned char digest[20], SHA_CTX *ctx)
  sha1_digest(ctx, 20, digest);
 }
-static void SHA256_Init(SHA256_CTX *ctx)
+static int SHA256_Init(SHA256_CTX *ctx)
 {
  sha256_init(ctx);
  return 1;
 }
 static void SHA256_Update(SHA256_CTX *ctx,
@@ -165,9 +177,10 @@ static void SHA256_Final(unsigned char digest[32], SHA256_CTX *ctx)
 #elif defined(USE_GNUTLS)
-static void MD5_Init(MD5_CTX *ctx)
+static int MD5_Init(MD5_CTX *ctx)
 {
  gcry_md_open(ctx, GCRY_MD_MD5, 0);
  return 1;
 }
 static void MD5_Update(MD5_CTX *ctx,
@@ -183,9 +196,10 @@ static void MD5_Final(unsigned char digest[16], MD5_CTX *ctx)
  gcry_md_close(*ctx);
 }
-static void SHA1_Init(SHA_CTX *ctx)
+static int SHA1_Init(SHA_CTX *ctx)
 {
  gcry_md_open(ctx, GCRY_MD_SHA1, 0);
  return 1;
 }
 static void SHA1_Update(SHA_CTX *ctx,
@@ -201,9 +215,10 @@ static void SHA1_Final(unsigned char digest[20], SHA_CTX *ctx)
  gcry_md_close(*ctx);
 }
-static void SHA256_Init(SHA256_CTX *ctx)
+static int SHA256_Init(SHA256_CTX *ctx)
 {
  gcry_md_open(ctx, GCRY_MD_SHA256, 0);
  return 1;
 }
 static void SHA256_Update(SHA256_CTX *ctx,
@@ -219,7 +234,96 @@ static void SHA256_Final(unsigned char digest[32], SHA256_CTX *ctx)
  gcry_md_close(*ctx);
 }
-#elif defined(_WIN32)
+#elif defined(USE_NSS)
 static int nss_hash_init(void **pctx, SECOidTag hash_alg)
 {
  PK11Context *ctx;
  /* we have to initialize NSS if not initialized alraedy */
 #ifdef HAVE_NSS_INITCONTEXT
  if(!NSS_IsInitialized() && !nss_context) {
    static NSSInitParameters params;
    params.length = sizeof params;
    nss_context = NSS_InitContext("", "", "", "", &params, NSS_INIT_READONLY
        | NSS_INIT_NOCERTDB   | NSS_INIT_NOMODDB       | NSS_INIT_FORCEOPEN
        | NSS_INIT_NOROOTINIT | NSS_INIT_OPTIMIZESPACE | NSS_INIT_PK11RELOAD);
  }
 #endif
  ctx = PK11_CreateDigestContext(hash_alg);
  if(!ctx)
    return /* failure */ 0;
  if(PK11_DigestBegin(ctx) != SECSuccess) {
    PK11_DestroyContext(ctx, PR_TRUE);
    return /* failure */ 0;
  }
  *pctx = ctx;
  return /* success */ 1;
 }
 static void nss_hash_final(void **pctx, unsigned char *out, unsigned int len)
 {
  PK11Context *ctx = *pctx;
  unsigned int outlen;
  PK11_DigestFinal(ctx, out, &outlen, len);
  PK11_DestroyContext(ctx, PR_TRUE);
 }
 static int MD5_Init(MD5_CTX *pctx)
 {
  return nss_hash_init(pctx, SEC_OID_MD5);
 }
 static void MD5_Update(MD5_CTX *pctx,
                       const unsigned char *input,
                       unsigned int input_len)
 {
  PK11_DigestOp(*pctx, input, input_len);
 }
 static void MD5_Final(unsigned char digest[16], MD5_CTX *pctx)
 {
  nss_hash_final(pctx, digest, 16);
 }
 static int SHA1_Init(SHA_CTX *pctx)
 {
  return nss_hash_init(pctx, SEC_OID_SHA1);
 }
 static void SHA1_Update(SHA_CTX *pctx,
                        const unsigned char *input,
                        unsigned int input_len)
 {
  PK11_DigestOp(*pctx, input, input_len);
 }
 static void SHA1_Final(unsigned char digest[20], SHA_CTX *pctx)
 {
  nss_hash_final(pctx, digest, 20);
 }
 static int SHA256_Init(SHA256_CTX *pctx)
 {
  return nss_hash_init(pctx, SEC_OID_SHA256);
 }
 static void SHA256_Update(SHA256_CTX *pctx,
                          const unsigned char *input,
                          unsigned int input_len)
 {
  PK11_DigestOp(*pctx, input, input_len);
 }
 static void SHA256_Final(unsigned char digest[32], SHA256_CTX *pctx)
 {
  nss_hash_final(pctx, digest, 32);
 }
 #elif defined(_WIN32) && !defined(USE_SSLEAY)
 static void win32_crypto_final(struct win32_crypto_hash *ctx,
                               unsigned char *digest,
@@ -235,12 +339,13 @@ static void win32_crypto_final(struct win32_crypto_hash *ctx,
    CryptReleaseContext(ctx->hCryptProv, 0);
 }
-static void MD5_Init(MD5_CTX *ctx)
+static int MD5_Init(MD5_CTX *ctx)
 {
  if(CryptAcquireContext(&ctx->hCryptProv, NULL, NULL,
                         PROV_RSA_FULL, CRYPT_VERIFYCONTEXT)) {
    CryptCreateHash(ctx->hCryptProv, CALG_MD5, 0, 0, &ctx->hHash);
  }
  return 1;
 }
 static void MD5_Update(MD5_CTX *ctx,
@@ -255,12 +360,13 @@ static void MD5_Final(unsigned char digest[16], MD5_CTX *ctx)
  win32_crypto_final(ctx, digest, 16);
 }
-static void SHA1_Init(SHA_CTX *ctx)
+static int SHA1_Init(SHA_CTX *ctx)
 {
  if(CryptAcquireContext(&ctx->hCryptProv, NULL, NULL,
                         PROV_RSA_FULL, CRYPT_VERIFYCONTEXT)) {
    CryptCreateHash(ctx->hCryptProv, CALG_SHA1, 0, 0, &ctx->hHash);
  }
  return 1;
 }
 static void SHA1_Update(SHA_CTX *ctx,
@@ -275,12 +381,13 @@ static void SHA1_Final(unsigned char digest[20], SHA_CTX *ctx)
  win32_crypto_final(ctx, digest, 20);
 }
-static void SHA256_Init(SHA256_CTX *ctx)
+static int SHA256_Init(SHA256_CTX *ctx)
 {
  if(CryptAcquireContext(&ctx->hCryptProv, NULL, NULL,
                         PROV_RSA_AES, CRYPT_VERIFYCONTEXT)) {
    CryptCreateHash(ctx->hCryptProv, CALG_SHA_256, 0, 0, &ctx->hHash);
  }
  return 1;
 }
 static void SHA256_Update(SHA256_CTX *ctx,
@@ -374,7 +481,10 @@ digest_context *Curl_digest_init(const digest_params *dparams)
  ctxt->digest_hash = dparams;
-  dparams->digest_init(ctxt->digest_hashctx);
+  if(dparams->digest_init(ctxt->digest_hashctx) != 1) {
    free(ctxt);
    return NULL;
  }
  return ctxt;
 }
@@ -425,6 +535,8 @@ static unsigned char hex_to_uint(const char *s)
 *   Checksum didn't match.
 * -1:
 *   Could not open file; or could not read data from file.
 * -2:
 *   Hash algorithm not available.
 */
 static int check_hash(const char *filename,
                      const metalink_digest_def *digest_def,
@@ -446,7 +558,15 @@ static int check_hash(const char *filename,
            digest_def->hash_name, strerror(errno));
    return -1;
  }
  dctx = Curl_digest_init(digest_def->dparams);
  if(!dctx) {
    fprintf(error, "Metalink: validating (%s) [%s] FAILED (%s)\n", filename,
            digest_def->hash_name, "failed to initialize hash algorithm");
    close(fd);
    return -2;
  }
  result = malloc(digest_def->dparams->digest_resultlen);
  while(1) {
    unsigned char buf[4096];
@@ -773,4 +893,14 @@ void clean_metalink(struct Configurable *config)
  config->metalinkfile_last = 0;
 }
 void metalink_cleanup(void)
 {
 #if defined(USE_NSS) && defined(HAVE_NSS_INITCONTEXT)
  if(nss_context) {
    NSS_ShutdownContext(nss_context);
    nss_context = NULL;
  }
 #endif
 }
 #endif /* USE_METALINK */
--- a/src/tool_metalink.h
+++ b/src/tool_metalink.h
@@ -23,7 +23,9 @@
 ***************************************************************************/
 #include "tool_setup.h"
-typedef void (* Curl_digest_init_func)(void *context);
+/* returns 1 for success, 0 otherwise (we use OpenSSL *_Init fncs directly) */
 typedef int (* Curl_digest_init_func)(void *context);
 typedef void (* Curl_digest_update_func)(void *context,
                                         const unsigned char *data,
                                         unsigned int len);
@@ -137,13 +139,18 @@ int check_metalink_content_type(const char *content_type);
 * -1:
 *   Could not open file; or could not read data from file.
 * -2:
- *   No checksum in Metalink supported; or Metalink does not contain
+ *   No checksum in Metalink supported, hash algorithm not available, or
- *   checksum.
+ *   Metalink does not contain checksum.
 */
 int metalink_check_hash(struct Configurable *config,
                        metalinkfile *mlfile,
                        const char *filename);
 /*
 * Release resources allocated at global scope.
 */
 void metalink_cleanup(void);
 #else /* USE_METALINK */
 #define count_next_metalink_resource(x)  0
--- a/src/tool_operate.c
+++ b/src/tool_operate.c
@@ -1051,7 +1051,7 @@ int operate(struct Configurable *config, int argc, argv_item_t argv[])
        if(curlinfo->features & CURL_VERSION_SSL) {
          if(config->insecure_ok) {
            my_setopt(curl, CURLOPT_SSL_VERIFYPEER, 0L);
-            my_setopt(curl, CURLOPT_SSL_VERIFYHOST, 1L);
+            my_setopt(curl, CURLOPT_SSL_VERIFYHOST, 0L);
          }
          else {
            my_setopt(curl, CURLOPT_SSL_VERIFYPEER, 1L);
--- a/src/tool_operhlp.c
+++ b/src/tool_operhlp.c
@@ -32,6 +32,11 @@
 #include "tool_operhlp.h"
 #include "tool_version.h"
 #ifdef USE_METALINK
 /* import the declaration of metalink_cleanup() */
 #  include "tool_metalink.h"
 #endif
 #include "memdebug.h" /* keep this as LAST include */
 /*
@@ -215,6 +220,9 @@ void main_free(void)
 {
  curl_global_cleanup();
  convert_cleanup();
 #ifdef USE_METALINK
  metalink_cleanup();
 #endif
 }
 #ifdef CURLDEBUG
--- a/tests/Makefile.am
+++ b/tests/Makefile.am
@@ -28,7 +28,7 @@ EXTRA_DIST = ftpserver.pl httpserver.pl secureserver.pl runtests.pl getpart.pm \
 sshserver.pl sshhelp.pm testcurl.1 runtests.1 $(HTMLPAGES) $(PDFPAGES) \
 CMakeLists.txt certs/scripts/*.sh certs/Server* certs/EdelCurlRoot* \
 serverhelp.pm tftpserver.pl rtspserver.pl directories.pm symbol-scan.pl \
- certs/srp-verifier-conf certs/srp-verifier-db
+ certs/srp-verifier-conf certs/srp-verifier-db mem-include-scan.pl
 # we have two variables here to make sure DIST_SUBDIRS won't get 'unit'
 # added twice as then targets such as 'distclean' misbehave and try to
--- a/tests/README
+++ b/tests/README
@@ -207,7 +207,9 @@ The cURL Test Suite
     800 - 899   POP3, IMAP, SMTP
     1000 - 1299 miscellaneous*
     1300 - 1399 unit tests*
-     1400 - 1999 miscellaneous*
+     1400 - 1499 miscellaneous*
     1500 - 1599 libcurl source code tests, not using the curl command tool
                 (same as 5xx)
     2000 - x    multiple sequential protocols per test case*
  Since 30-apr-2003, there's nothing in the system that requires us to keep
--- a/tests/data/Makefile.am
+++ b/tests/data/Makefile.am
@@ -75,7 +75,7 @@ test1094 test1095 test1096 test1097 test1098 test1099 test1100 test1101	\
 test1102 test1103 test1104 test1105 test1106 test1107 test1108 test1109	\
 test1110 test1111 test1112 test1113 test1114 test1115 test1116 test1117	\
 test1118 test1119 test1120 test1121 test1122 test1123 test1124 test1125	\
-test1126 test1127 test1128 test1129 test1130 test1131 \
+test1126 test1127 test1128 test1129 test1130 test1131 test1132 \
 test1200 test1201 test1202 test1203 test1204 test1205 test1206 test1207 \
 test1208 test1209 test1210 test1211 \
 test1220 \
@@ -92,8 +92,8 @@ test1371 test1372 test1373 test1374 test1375 test1376 test1377 test1378 \
 test1379 test1380 test1381 test1382 test1383 test1384 test1385 test1386 \
 test1387 test1388 test1389 test1390 test1391 test1392 test1393 \
 test1400 test1401 test1402 test1403 test1404 test1405 test1406 test1407 \
-test1408 test1409 test1410 test1411 \
+test1408 test1409 test1410 test1411 test1412 test1413 \
-test1500 \
+test1500 test1501 test1502 \
 test2000 test2001 test2002 test2003 test2004 test2005 test2006 test2007 \
 test2008 test2009 test2010 test2011 test2012 test2013 test2014 test2015 \
 test2016 test2017 test2018 test2019 test2020 test2021 test2022 \
--- a/tests/data/test1105
+++ b/tests/data/test1105
@@ -34,6 +34,9 @@ HTTP with cookie parser and header recording
 <command>
 "http://%HOSTIP:%HTTPPORT/we/want/1105?parm1=this*that/other/thing&parm2=foobar/1105" -c log/cookie1105.txt -d "userid=myname&password=mypassword"
 </command>
 <precheck>
 perl -e 'if ("%HOSTIP" !~ /127\.0\.0\.1$/) {print "Test only works for HOSTIP 127.0.0.1"; exit(1)}'
 </precheck>
 </client>
 # Verify data after the test has been "shot"
--- a/tests/data/test1132
+++ b/tests/data/test1132
@@ -0,0 +1,24 @@
 <testcase>
 <info>
 <keywords>
 memory-includes
 </keywords>
 </info>
 #
 # Client-side
 <client>
 <server>
 none
 </server>
 <name>
 Verify memory #include files in libcurl's C source files
 </name>
 <command type="perl">
 %SRCDIR/mem-include-scan.pl %SRCDIR/../lib
 </command>
 </client>
 </testcase>
--- a/tests/data/test1318
+++ b/tests/data/test1318
@@ -3,6 +3,7 @@
 <keywords>
 HTTP
 HTTP GET
 --resolve
 </keywords>
 </info>
@@ -32,7 +33,7 @@ Content-Length: 0
 http
 </server>
 <name>
-HTTP with same host name using different cases
+HTTP with --resolve and same host name using different cases
 </name>
 <command>
 --resolve MiXeDcAsE.cOm:%HTTPPORT:%HOSTIP http://MiXeDcAsE.cOm:%HTTPPORT/1318 http://mixedcase.com:%HTTPPORT/13180001
--- a/tests/data/test1412
+++ b/tests/data/test1412
@@ -0,0 +1,117 @@
 <testcase>
 <info>
 <keywords>
 HTTP
 HTTP GET
 HTTP Digest auth
 --anyauth
 </keywords>
 </info>
 # Server-side
 <reply>
 <servercmd>
 auth_required
 </servercmd>
 <data>
 HTTP/1.1 401 Authorization Required swsclose
 Server: Apache/1.3.27 (Darwin) PHP/4.1.2
 WWW-Authenticate: Blackmagic realm="gimme all yer s3cr3ts"
 WWW-Authenticate: Basic realm="gimme all yer s3cr3ts"
 WWW-Authenticate: Digest realm="gimme all yer s3cr3ts", nonce="11223344"
 Content-Type: text/html; charset=iso-8859-1
 Connection: close
 This is not the real page
 </data>
 # This is supposed to be returned when the server gets a
 # Authorization: Digest line passed-in from the client
 <data1000>
 HTTP/1.1 200 OK swsclose
 Server: Apache/1.3.27 (Darwin) PHP/4.1.2
 Content-Type: text/html; charset=iso-8859-1
 Content-Length: 23
 Connection: close
 This IS the real page!
 </data1000>
 # This is the second request
 <data1001>
 HTTP/1.1 200 OK swsclose
 Server: Apache/1.3.27 (Darwin) PHP/4.1.2
 Content-Type: text/html; charset=iso-8859-1
 Content-Length: 23
 Connection: close
 This IS the second real page!
 </data1001>
 <datacheck>
 HTTP/1.1 401 Authorization Required swsclose
 Server: Apache/1.3.27 (Darwin) PHP/4.1.2
 WWW-Authenticate: Blackmagic realm="gimme all yer s3cr3ts"
 WWW-Authenticate: Basic realm="gimme all yer s3cr3ts"
 WWW-Authenticate: Digest realm="gimme all yer s3cr3ts", nonce="11223344"
 Content-Type: text/html; charset=iso-8859-1
 Connection: close
 HTTP/1.1 200 OK swsclose
 Server: Apache/1.3.27 (Darwin) PHP/4.1.2
 Content-Type: text/html; charset=iso-8859-1
 Content-Length: 23
 Connection: close
 This IS the real page!
 </datacheck>
 </reply>
 # Client-side
 <client>
 <server>
 http
 </server>
 <features>
 crypto
 </features>
 <name>
 HTTP GET with --anyauth with two URLs (picking Digest) 
 </name>
 <command>
 http://%HOSTIP:%HTTPPORT/1412 -u testuser:testpass --anyauth http://%HOSTIP:%HTTPPORT/14120001
 </command>
 <file name="log/put1412">
 This is data we upload with PUT
 a second line
 line three
 four is the number of lines
 </file>
 </client>
 # Verify data after the test has been "shot"
 <verify>
 <strip>
 ^User-Agent:.*
 </strip>
 <protocol>
 GET /1412 HTTP/1.1
 Host: %HOSTIP:%HTTPPORT
 Accept: */*
 GET /1412 HTTP/1.1
 Authorization: Digest username="testuser", realm="gimme all yer s3cr3ts", nonce="11223344", uri="/1412", response="0390dbe89e31adca0413d11f91f30e7f"
 User-Agent: curl/7.10.5 (i686-pc-linux-gnu) libcurl/7.10.5 OpenSSL/0.9.7a ipv6 zlib/1.1.3
 Host: %HOSTIP:%HTTPPORT
 Accept: */*
 GET /14120001 HTTP/1.1
 Authorization: Digest username="testuser", realm="gimme all yer s3cr3ts", nonce="11223344", uri="/14120001", response="0085df91870374c8bf4e94415e7fbf8e"
 User-Agent: curl/7.10.5 (i686-pc-linux-gnu) libcurl/7.10.5 OpenSSL/0.9.7a ipv6 zlib/1.1.3
 Host: %HOSTIP:%HTTPPORT
 Accept: */*
 </protocol>
 </verify>
 </testcase>
--- a/tests/data/test1413
+++ b/tests/data/test1413
@@ -0,0 +1,73 @@
 <testcase>
 <info>
 <keywords>
 HTTP
 HTTP GET
 followlocation
 </keywords>
 </info>
 #
 # Server-side
 <reply>
 <data>
 HTTP/1.1 302 OK swsclose
 Location: moo.html/14130002#fragmentpart
 Date: Thu, 09 Nov 2010 14:49:00 GMT
 Connection: close
 </data>
 <data2>
 HTTP/1.1 200 OK swsclose
 Location: this should be ignored
 Date: Thu, 09 Nov 2010 14:49:00 GMT
 Connection: close
 body
 </data2>
 <datacheck>
 HTTP/1.1 302 OK swsclose
 Location: moo.html/14130002#fragmentpart
 Date: Thu, 09 Nov 2010 14:49:00 GMT
 Connection: close
 HTTP/1.1 200 OK swsclose
 Location: this should be ignored
 Date: Thu, 09 Nov 2010 14:49:00 GMT
 Connection: close
 body
 </datacheck>
 </reply>
 #
 # Client-side
 <client>
 <server>
 http
 </server>
 <name>
 HTTP redirect with fragment in new URL
 </name>
 <command>
 http://%HOSTIP:%HTTPPORT/this/1413 -L
 </command>
 </client>
 #
 # Verify data after the test has been "shot"
 <verify>
 <strip>
 ^User-Agent:.*
 </strip>
 <protocol>
 GET /this/1413 HTTP/1.1
 Host: %HOSTIP:%HTTPPORT
 Accept: */*
 GET /this/moo.html/14130002 HTTP/1.1
 Host: %HOSTIP:%HTTPPORT
 Accept: */*
 </protocol>
 </verify>
 </testcase>
--- a/tests/data/test147
+++ b/tests/data/test147
@@ -1,4 +1,10 @@
 <testcase>
 <info>
 <keywords>
 FTP
 </keywords>
 </info>
 # Server-side
 <reply>
 <data>
--- a/tests/data/test148
+++ b/tests/data/test148
@@ -1,4 +1,10 @@
 <testcase>
 <info>
 <keywords>
 FTP
 </keywords>
 </info>
 # Server-side
 <reply>
 <servercmd>
--- a/tests/data/test149
+++ b/tests/data/test149
@@ -1,4 +1,10 @@
 <testcase>
 <info>
 <keywords>
 FTP
 </keywords>
 </info>
 # Server-side
 <reply>
 </reply>
--- a/tests/data/test1501
+++ b/tests/data/test1501
@@ -0,0 +1,53 @@
 <testcase>
 <info>
 <keywords>
 FTP
 RETR
 multi
 LIST
 </keywords>
 </info>
 # Server-side
 <reply>
 <data>
 </data>
 <servercmd>
 DELAY LIST 2
 DELAY TYPE 2
 </servercmd>
 </reply>
 # Client-side
 <client>
 <server>
 ftp
 </server>
 <tool>
 lib1501
 </tool>
 <name>
 FTP with multi interface and slow LIST response 
 </name>
 <command>
 ftp://%HOSTIP:%FTPPORT/1501/
 </command>
 </client>
 # Verify data after the test has been "shot"
 <verify>
 <errorcode>
 0
 </errorcode>
 <protocol>
 USER anonymous
 PASS ftp@example.com
 PWD
 CWD 1501
 EPSV
 TYPE A
 LIST
 QUIT
 </protocol>
 </verify>
 </testcase>
--- a/tests/data/test1502
+++ b/tests/data/test1502
@@ -0,0 +1,58 @@
 <testcase>
 <info>
 <keywords>
 HTTP
 HTTP GET
 multi
 CURLOPT_RESOLVE
 </keywords>
 </info>
 <reply>
 <data>
 HTTP/1.1 200 OK
 Date: Thu, 09 Nov 2010 14:49:00 GMT
 Server: test-server/fake
 Last-Modified: Tue, 13 Jun 2000 12:10:00 GMT
 ETag: "21025-dc7-39462498"
 Accept-Ranges: bytes
 Content-Length: 6
 Connection: close
 Content-Type: text/html
 Funny-head: yesyes
 -foo-
 </data>
 </reply>
 #
 # Client-side
 <client>
 <server>
 http
 </server>
 <tool>
 lib1502
 </tool>
 <name>
 HTTP multi with CURLOPT_RESOLVE
 </name>
 <command>
 http://google.com:%HTTPPORT/1502 %HTTPPORT %HOSTIP
 </command>
 </client>
 #
 # Verify data after the test has been "shot"
 <verify>
 <strip>
 ^User-Agent:.*
 </strip>
 <protocol>
 GET /1502 HTTP/1.1
 Host: google.com:%HTTPPORT
 Accept: */*
 </protocol>
 </verify>
 </testcase>
--- a/tests/data/test155
+++ b/tests/data/test155
@@ -1,4 +1,11 @@
 <testcase>
 <info>
 <keywords>
 HTTP
 HTTP PUT
 </keywords>
 </info>
 # Server-side
 <reply>
 <servercmd>
--- a/tests/data/test158
+++ b/tests/data/test158
@@ -1,4 +1,11 @@
 <testcase>
 <info>
 <keywords>
 HTTP
 HTTP POST
 </keywords>
 </info>
 # Server-side
 <reply>
 <data>
--- a/tests/data/test174
+++ b/tests/data/test174
@@ -1,4 +1,11 @@
 <testcase>
 <info>
 <keywords>
 HTTP
 HTTP POST
 </keywords>
 </info>
 # Server-side
 <reply>
 <data>
--- a/tests/data/test176
+++ b/tests/data/test176
@@ -1,4 +1,11 @@
 <testcase>
 <info>
 <keywords>
 HTTP
 HTTP POST
 </keywords>
 </info>
 # Server-side
 <reply>
 # the first request has NTLM type-1 included, and then the 1001 is returned
--- a/tests/data/test182
+++ b/tests/data/test182
@@ -1,4 +1,10 @@
 <testcase>
 <info>
 <keywords>
 FTP
 </keywords>
 </info>
 # Server-side
 <reply>
 <data sendzero="yes">
--- a/tests/data/test190
+++ b/tests/data/test190
@@ -1,4 +1,10 @@
 <testcase>
 <info>
 <keywords>
 FTP
 </keywords>
 </info>
 # Server-side
 <reply>
 <servercmd>
--- a/tests/data/test191
+++ b/tests/data/test191
@@ -1,4 +1,10 @@
 <testcase>
 <info>
 <keywords>
 FTP
 </keywords>
 </info>
 # Server-side
 <reply>
 <data>
--- a/tests/data/test194
+++ b/tests/data/test194
@@ -13,7 +13,7 @@ Resume
 <data>
 HTTP/1.1 416 Requested Range Not Satisfiable swsclose
 Date: Fri, 24 Oct 2003 21:33:12 GMT
-Server: Apache/1.3.19 (Unix)  (Red-Hat/Linux) mod_ssl/2.8.1 OpenSSL/0.9.6 PHP/4.3.1
+Server: Apache/1.3.19 (Unix) (Red-Hat/Linux) mod_ssl/2.8.1 OpenSSL/0.9.6 PHP/4.3.1
 Last-Modified: Fri, 24 Oct 2003 18:01:23 GMT
 ETag: "ab57a-507-3f9968f3"
 Accept-Ranges: bytes
--- a/tests/data/test195
+++ b/tests/data/test195
@@ -1,4 +1,10 @@
 <testcase>
 <info>
 <keywords>
 FTP
 </keywords>
 </info>
 # Server-side
 <reply>
 <servercmd>
--- a/tests/data/test196
+++ b/tests/data/test196
@@ -1,4 +1,10 @@
 <testcase>
 <info>
 <keywords>
 FTP
 </keywords>
 </info>
 # Server-side
 <reply>
 <servercmd>
--- a/tests/data/test197
+++ b/tests/data/test197
@@ -1,4 +1,10 @@
 <testcase>
 <info>
 <keywords>
 HTTP
 HTTP GET
 </keywords>
 </info>
 #
 # Server-side
 <reply>
--- a/tests/data/test198
+++ b/tests/data/test198
@@ -1,4 +1,10 @@
 <testcase>
 <info>
 <keywords>
 HTTP
 HTTP GET
 </keywords>
 </info>
 #
 # Server-side
 <reply>
--- a/tests/data/test199
+++ b/tests/data/test199
@@ -1,4 +1,10 @@
 <testcase>
 <info>
 <keywords>
 HTTP
 HTTP GET
 </keywords>
 </info>
 #
 # Server-side
 <reply name="1">
--- a/tests/data/test2027
+++ b/tests/data/test2027
@@ -9,6 +9,17 @@ HTTP Digest auth
 # Server-side
 <reply>
 <!--
 Explanation for the duplicate 400 requests:
 libcurl doesn't detect that a given Digest password is wrong already on the
 first 401 response (as the data400 gives). libcurl will instead consider the
 new response just as a duplicate and it sends another and detects the auth
 problem on the second 401 response!
 -->
 <!-- First request has Digest auth, wrong password -->
 <data100>
 HTTP/1.1 401 Need Digest auth
@@ -93,16 +104,6 @@ This is a bad password page!
 </data1400>
 <!-- Fifth request has Digest auth, right password -->
 <data500>
 HTTP/1.1 401 Need Digest auth (5)
 Server: Microsoft-IIS/5.0
 Content-Type: text/html; charset=iso-8859-1
 Content-Length: 27
 WWW-Authenticate: Digest realm="testrealm", nonce="8"
 This is not the real page!
 </data500>
 <data1500>
 HTTP/1.1 200 Things are fine in server land (2)
 Server: Microsoft-IIS/5.0
@@ -151,6 +152,12 @@ Content-Type: text/html; charset=iso-8859-1
 Content-Length: 29
 WWW-Authenticate: Digest realm="testrealm", nonce="7"
 HTTP/1.1 401 Sorry wrong password (3)
 Server: Microsoft-IIS/5.0
 Content-Type: text/html; charset=iso-8859-1
 Content-Length: 29
 WWW-Authenticate: Digest realm="testrealm", nonce="7"
 This is a bad password page!
 HTTP/1.1 200 Things are fine in server land (2)
 Server: Microsoft-IIS/5.0
@@ -222,6 +229,11 @@ Authorization: Digest username="testuser", realm="testrealm", nonce="5", uri="/2
 Host: %HOSTIP:%HTTPPORT
 Accept: */*
 GET /20270400 HTTP/1.1
 Authorization: Digest username="testuser", realm="testrealm", nonce="5", uri="/20270400", response="f5906785511fb60a2af8b1cd53008ead"
 Host: %HOSTIP:%HTTPPORT
 Accept: */*
 GET /20270500 HTTP/1.1
 Authorization: Digest username="testuser", realm="testrealm", nonce="7", uri="/20270500", response="8ef4d935fd964a46c3965c0863b52cf1"
 Host: %HOSTIP:%HTTPPORT
--- a/tests/data/test2030
+++ b/tests/data/test2030
@@ -13,6 +13,18 @@ HTTP NTLM auth
 <!-- Alternate the order that Digest and NTLM headers appear in responses to
 ensure that the order doesn't matter. -->
 <!--
 Explanation for the duplicate 400 requests:
 libcurl doesn't detect that a given Digest password is wrong already on the
 first 401 response (as the data400 gives). libcurl will instead consider the
 new response just as a duplicate and it sends another and detects the auth
 problem on the second 401 response!
 -->
 <!-- First request has NTLM auth, wrong password -->
 <data100>
 HTTP/1.1 401 Need Digest or NTLM auth
@@ -186,6 +198,13 @@ Content-Length: 29
 WWW-Authenticate: NTLM
 WWW-Authenticate: Digest realm="testrealm", nonce="7"
 HTTP/1.1 401 Sorry wrong password (3)
 Server: Microsoft-IIS/5.0
 Content-Type: text/html; charset=iso-8859-1
 Content-Length: 29
 WWW-Authenticate: NTLM
 WWW-Authenticate: Digest realm="testrealm", nonce="7"
 This is a bad password page!
 HTTP/1.1 200 Things are fine in server land (2)
 Server: Microsoft-IIS/5.0
@@ -259,6 +278,11 @@ Authorization: Digest username="testuser", realm="testrealm", nonce="5", uri="/2
 Host: %HOSTIP:%HTTPPORT
 Accept: */*
 GET /20300400 HTTP/1.1
 Authorization: Digest username="testuser", realm="testrealm", nonce="5", uri="/20300400", response="d6262e9147db08c62ff2f53b515861e8"
 Host: %HOSTIP:%HTTPPORT
 Accept: */*
 GET /20300500 HTTP/1.1
 Authorization: Digest username="testuser", realm="testrealm", nonce="7", uri="/20300500", response="198757e61163a779cf24ed4c49c1ad7d"
 Host: %HOSTIP:%HTTPPORT
--- a/tests/data/test207
+++ b/tests/data/test207
@@ -1,4 +1,10 @@
 <testcase>
 <info>
 <keywords>
 HTTP
 HTTP GET
 </keywords>
 </info>
 #
 # Server-side
 <reply>
--- a/tests/data/test210
+++ b/tests/data/test210
@@ -1,4 +1,10 @@
 <testcase>
 <info>
 <keywords>
 FTP
 </keywords>
 </info>
 # Server-side
 <reply>
 <data>
--- a/tests/data/test211
+++ b/tests/data/test211
@@ -1,4 +1,10 @@
 <testcase>
 <info>
 <keywords>
 FTP
 </keywords>
 </info>
 # Server-side
 <reply>
 <data>
--- a/tests/data/test212
+++ b/tests/data/test212
@@ -1,4 +1,10 @@
 <testcase>
 <info>
 <keywords>
 FTP
 </keywords>
 </info>
 # Server-side
 <reply>
 <data>
--- a/tests/data/test214
+++ b/tests/data/test214
@@ -1,4 +1,10 @@
 <testcase>
 <info>
 <keywords>
 HTTP
 HTTP GET
 </keywords>
 </info>
 #
 # Server-side
 <reply>
--- a/tests/data/test215
+++ b/tests/data/test215
@@ -1,4 +1,10 @@
 <testcase>
 <info>
 <keywords>
 FTP
 </keywords>
 </info>
 # Server-side
 <reply>
 # When doing LIST, we get the default list output hard-coded in the test
--- a/tests/data/test216
+++ b/tests/data/test216
@@ -1,4 +1,10 @@
 <testcase>
 <info>
 <keywords>
 FTP
 </keywords>
 </info>
 # Server-side
 <reply>
 </reply>
--- a/tests/data/test218
+++ b/tests/data/test218
@@ -1,4 +1,10 @@
 <testcase>
 <info>
 <keywords>
 HTTP
 HTTP PUT
 </keywords>
 </info>
 #
 # Server-side
 <reply>
--- a/tests/data/test235
+++ b/tests/data/test235
@@ -1,4 +1,10 @@
 <testcase>
 <info>
 <keywords>
 FTP
 </keywords>
 </info>
 # Server-side
 <reply>
 </reply>
--- a/tests/data/test236
+++ b/tests/data/test236
@@ -1,4 +1,9 @@
 <testcase>
 <info>
 <keywords>
 FTP
 </keywords>
 </info>
 # Server-side
 <reply>
--- a/tests/data/test237
+++ b/tests/data/test237
@@ -1,4 +1,10 @@
 <testcase>
 <info>
 <keywords>
 FTP
 </keywords>
 </info>
 # Server-side
 <reply>
 <servercmd>
--- a/tests/data/test238
+++ b/tests/data/test238
@@ -1,4 +1,10 @@
 <testcase>
 <info>
 <keywords>
 FTP
 </keywords>
 </info>
 # Server-side
 <reply>
 <servercmd>
--- a/Show More
+++ b/Show More
Author	SHA1	Message	Date
Daniel Stenberg	b9fdb721f2	RELEASE-NOTES: synced with `52af6e69f0` / 7.28.1	2012-11-20 08:05:42 +01:00
Anthony Bryan	c830115c48	RELEASE-NOTES: NSS can be used for metalink hashing	2012-11-20 00:14:31 +01:00
Fabian Keil	52af6e69f0	Get test 2032 working when using valgrind If curl_multi_fdset() sets maxfd to -1, the socket detection loop is skipped and thus !found_new_socket is no cause for alarm.	2012-11-19 13:36:28 +01:00
Kamil Dudka	32be348af2	test2032: spurious failure caused by premature termination Bug: http://curl.haxx.se/mail/lib-2012-11/0095.html	2012-11-19 13:36:10 +01:00
Fabian Keil	7e87499213	Fix comment typos in test 517	2012-11-19 10:58:14 +01:00
Fabian Keil	7719333f55	Test 92 and 194: normalize spaces in the Server headers It makes no difference from curl's point of view but makes it more convenient to use the tests with a lws-normalizing proxy between curl and the test server.	2012-11-19 10:58:14 +01:00
Fabian Keil	276452ca10	Add a HOSTIP precheck for tests 31 and 1105 They currently only work for 127.0.0.1 which is hardcoded and can't be easily changed.	2012-11-19 10:58:14 +01:00
Fabian Keil	1b10dd7aae	Let test 8 work as long as %HOSTIP ends with ".0.0.1" .. and add a precheck to skip the test otherwise.	2012-11-19 10:58:14 +01:00
Fabian Keil	7aebb3cc42	Add --resolve to the keywords and name of test 1318 This makes it easier to skip it automatically when the test suite is used with external proxies.	2012-11-19 10:58:14 +01:00
Fabian Keil	6f444b2761	Add FTP keywords for a couple of currently keyword-less FTP tests	2012-11-19 10:58:14 +01:00
Fabian Keil	81d96c4421	Add keywords for a couple of currently keyword-less HTTP tests	2012-11-19 10:58:14 +01:00
Fabian Keil	10296ac665	Use carriage returns in all headers in test 31 Trailing spaces were left unmodifed, assuming they were intentional.	2012-11-19 10:58:14 +01:00
Fabian Keil	ab0fa55780	Do not mix CRLF and LF header endings in a couple of HTTP tests Consistently use CRLF instead. The mixed endings weren't documented so I assume they were unintentional. This change doesn't matter for curl itself but makes using the tests with a proxy between curl and the test server more convenient. Tests that consistently use no carriage returns were left unmodified as one can easily work around this.	2012-11-19 10:58:02 +01:00
Daniel Stenberg	409f2a041f	fixed memory leak: CURLOPT_RESOLVE with multi interface DNS cache entries populated with CURLOPT_RESOLVE were not properly freed again when done using the multi interface. Test case 1502 added to verify. Bug: http://curl.haxx.se/bug/view.cgi?id=3575448 Reported by: Alex Gruz	2012-11-18 16:39:31 +01:00
Daniel Stenberg	dd75cba3ef	RELEASE-NOTES: synced with `ee588fe088` 4 more bug fixes and 4 more contributors	2012-11-17 14:23:41 +01:00
Daniel Stenberg	ee588fe088	mem-include-scan: verify memory #includes If we use memory functions (malloc, free, strdup etc) in C sources in libcurl and we fail to include curl_memory.h or memdebug.h we either fail to properly support user-provided memory callbacks or the memory leak system of the test suite fails. After Ajit's report of a failure in the first category in http_proxy.c, I spotted a few in the second category as well. These problems are now tested for by test 1132 which runs a perl program that scans for and attempts to check that we use the correct include files if a memory related function is used in the source code. Reported by: Ajit Dhumale Bug: http://curl.haxx.se/mail/lib-2012-11/0125.html	2012-11-17 13:56:38 +01:00
Daniel Stenberg	db4215f14a	tftp_rx: code style cleanup Fixed checksrc warnings	2012-11-16 22:00:17 +01:00
Fabian Keil	32afaaef93	Fix the libauthretry changes from `7c0cbcf2f6` They broke the NTLM tests from 2023 to 2031.	2012-11-16 20:09:02 +01:00
Christian Vogt	0ac827848d	tftp_rx: handle resends Re-send ACK for block X in case we receive block X data again while waiting for block X+1. Based on an earlier patch by Marcin Adamski.	2012-11-16 15:30:52 +01:00
Daniel Stenberg	c277bd6ce7	autoconf: don't force-disable compiler debug option When nothing is told to configure, we should not enforce switching off debug options with -g0 (or similar). We instead don't use -g at all in that situaion and therefore allow the user's CFLAGS settings possibly dictate what to do.	2012-11-16 13:06:49 +01:00
Mark Snelling	6d8443a245	winbuild: Fix PDB file output And fix some newlines to be proper CRLF Bug: http://curl.haxx.se/bug/view.cgi?id=3586741	2012-11-14 23:20:10 +01:00
Daniel Stenberg	53c83ee3ed	RELEASE-NOTES: synced with `fa1ae0abcd`	2012-11-14 22:32:19 +01:00
Cristian Rodríguez	fa1ae0abcd	OpenSSL: Disable SSL/TLS compression It either causes increased memory usage or exposes users to the "CRIME attack" (CVE-2012-4929)	2012-11-13 23:01:28 +01:00
Sebastian Rasmussen	38ed72cd37	FILE: Make upload-writes unbuffered by not using FILE streams	2012-11-13 22:02:18 +01:00
Kamil Dudka	1099f3a071	tool_metalink: fix error detection of hash alg initialization The {MD5,SHA1,SHA256}_Init functions from OpenSSL are called directly without any wrappers and they return 1 for success, 0 otherwise. Hence, we have to use the same approach in all the wrapper functions that are used for the other crypto libraries. This commit fixes a regression introduced in commit `dca8ae5f`.	2012-11-13 13:17:45 +01:00
Daniel Stenberg	6a4bdb027b	RELEASE-NOTES: synced with `7c0cbcf2f6`	2012-11-13 13:03:38 +01:00
Sergei Nikulov	7c0cbcf2f6	fixed Visual Studio 2010 compilation	2012-11-13 11:17:20 +01:00
Anton Malov	076e1fa348	ftp: EPSV-disable fix over SOCKS Bug: http://curl.haxx.se/bug/view.cgi?id=3586338	2012-11-12 23:00:27 +01:00
Patrick Monnerat	cd5261ea6d	Merge branch 'master' of github.com:bagder/curl	2012-11-12 14:27:43 +01:00
Patrick Monnerat	4b994e14fb	OS400: upgrade wrappers for the 7.28.1 release.	2012-11-12 14:26:16 +01:00
Daniel Stenberg	e62ee60c7a	runtests: limit execessive logging/output	2012-11-12 13:50:00 +01:00
Gabriel Sjoberg	e237402c47	Digst: Add microseconds into nounce calculation When using only 1 second precision, curl doesn't create new cnonce values quickly enough for all uses. For example, issuing the following command multiple times to a recent Tomcat causes authentication failures: curl --digest -utest:test http://tomcat.test.com:8080/manager/list This is because curl uses the same cnonce for several seconds, but doesn't increment the nonce counter. Tomcat correctly interprets this as a replay attack and rejects the request. When microsecond-precision is available, this commit causes curl to change cnonce values much more frequently. With microsecond resolution, increasing the nounce length used in the headers to 32 was made to further reduce the risk of duplication.	2012-11-12 11:46:27 +01:00
Daniel Stenberg	1c23d2b392	SCP/SFTP: improve error code used for send failures Instead of relying on the generic CURLE error for SCP or SFTP send failures, try passing back a more suitable error if possible.	2012-11-12 10:04:44 +01:00
Daniel Stenberg	7ecd874bce	Curl_write: remove unneeded typecast	2012-11-12 10:04:31 +01:00
Kamil Dudka	49c37e6c1c	tool_metalink: allow to use hash algorithms provided by NSS Fixes bug #3578163: http://sourceforge.net/tracker/?func=detail&atid=100976&aid=3578163&group_id=976	2012-11-09 10:42:54 +01:00
Kamil Dudka	dca8ae5f02	tool_metalink: allow to handle failure of hash alg initialization	2012-11-09 10:27:10 +01:00
Kamil Dudka	cf75a64651	tool_metalink: introduce metalink_cleanup() in the internal API ... to release resources allocated at global scope	2012-11-09 10:27:10 +01:00
Daniel Stenberg	0af1a9d270	hostcheck: only build for the actual users and make local function static	2012-11-08 22:37:53 +01:00
Oscar Koeroo	1394cad30f	SSL: Several SSL-backend related fixes axTLS: This will make the axTLS backend perform the RFC2818 checks, honoring the VERIFYHOST setting similar to the OpenSSL backend. Generic for OpenSSL and axTLS: Move the hostcheck and cert_hostcheck functions from the lib/ssluse.c files to make them genericly available for both the OpenSSL, axTLS and other SSL backends. They are now in the new lib/hostcheck.c file. CyaSSL: CyaSSL now also has the RFC2818 checks enabled by default. There is a limitation that the verifyhost can not be enabled exclusively on the Subject CN field comparison. This SSL backend will thus behave like the NSS and the GnuTLS (meaning: RFC2818 ok, or bust). In other words: setting verifyhost to 0 or 1 will disable the Subject Alt Names checks too. Schannel: Updated the schannel information messages: Split the IP address usage message from the verifyhost setting and changed the message about disabling SNI (Server Name Indication, used in HTTP virtual hosting) into a message stating that the Subject Alternative Names checks are being disabled when verifyhost is set to 0 or 1. As a side effect of switching off the RFC2818 related servername checks with SCH_CRED_NO_SERVERNAME_CHECK (http://msdn.microsoft.com/en-us/library/aa923430.aspx) the SNI feature is being disabled. This effect is not documented in MSDN, but Wireshark output clearly shows the effect (details on the libcurl maillist). PolarSSL: Fix the prototype change in PolarSSL of ssl_set_session() and the move of the peer_cert from the ssl_context to the ssl_session. Found this change in the PolarSSL SVN between r1316 and r1317 where the POLARSSL_VERSION_NUMBER was at 0x01010100. But to accommodate the Ubuntu PolarSSL version 1.1.4 the check is to discriminate between lower then PolarSSL version 1.2.0 and 1.2.0 and higher. Note: The PolarSSL SVN trunk jumped from version 1.1.1 to 1.2.0. Generic: All the SSL backends are fixed and checked to work with the ssl.verifyhost as a boolean, which is an internal API change.	2012-11-08 22:23:12 +01:00
Daniel Stenberg	18c0e9bd71	libcurl: VERSIONINFO update Since we added the curl_multi_wait function, the VERSIONINFO needed updating. Reported by: Patrick Monnerat	2012-11-08 20:26:19 +01:00
Guenter Knauf	c70c1a22d2	Added .def file to output. Requested by Johnny Luong on the libcurl list.	2012-11-08 18:50:48 +01:00
Guenter Knauf	5a4f6413d1	Added deps for static metalink-aware MinGW builds.	2012-11-08 18:41:59 +01:00
Fabian Keil	6d1b493f3d	Fix compilation of lib1501	2012-11-08 18:33:47 +01:00
Daniel Stenberg	7840c4c70c	Curl_readwrite: remove debug output The text "additional stuff not fine" text was added for debug purposes a while ago, but it isn't really helping anyone and for some reason some Linux distributions provide their libcurls built with debug info still present and thus (far too many) users get to read this info.	2012-11-08 10:47:11 +01:00
Daniel Stenberg	9096f4f451	RELEASE-NOTES: synced with `487538e87a` 6 new bugfixes and 3 more contributors...	2012-11-07 23:21:55 +01:00
Daniel Stenberg	487538e87a	http_perhapsrewind: consider NTLM over proxy too The logic previously checked for a started NTLM negotiation only for host and not also with proxy, leading to problems doing POSTs over a proxy NTLM that are larger than 2000 bytes. Now it includes proxy in the check. Bug: http://curl.haxx.se/bug/view.cgi?id=3582321 Reported by: John Suprock	2012-11-07 23:08:29 +01:00
Lars Buitinck	e1fa945e7e	Curl_connecthost: friendlier "couldn't connect" message	2012-11-07 22:55:33 +01:00
Daniel Stenberg	cda6d891ab	test1413: verify redirects to URLs with fragments The bug report claimed it didn't work. This problem was probably fixed in `473003fbdf`. Bug: http://curl.haxx.se/bug/view.cgi?id=3581898	2012-11-06 23:25:52 +01:00
Daniel Stenberg	473003fbdf	URL parser: cut off '#' fragments from URLs (better) The existing logic only cut off the fragment from the separate 'path' buffer which is used when sending HTTP to hosts. The buffer that held the full URL used for proxies were not dealt with. It is now. Test case 5 was updated to use a fragment on a URL over a proxy. Bug: http://curl.haxx.se/bug/view.cgi?id=3579813	2012-11-06 23:17:57 +01:00
Daniel Stenberg	3f20303702	OpenSSL/servercert: use correct buffer size, not size of pointer Bug: http://curl.haxx.se/bug/view.cgi?id=3579286	2012-11-06 22:55:22 +01:00
Daniel Stenberg	a1be8e7f9b	curl: set CURLOPT_SSL_VERIFYHOST to 0 to disable	2012-11-06 22:27:25 +01:00
Daniel Stenberg	8d97bed806	test 2027/2030: take duplicate Digest requests into account With the reversion of `ce8311c7e4` and the new clear logic, this flaw is present and we allow it.	2012-11-06 22:23:56 +01:00
Daniel Stenberg	13ce9031cc	Curl_pretransfer: clear out unwanted auth methods As a handle can be re-used after having done HTTP auth in a previous request, it must make sure to clear out the HTTP types that aren't wanted in this new request.	2012-11-06 22:23:56 +01:00
Daniel Stenberg	95326a40ff	test1412: verify Digest with repeated URLs This test case verifies that bug 3582718 is fixed. Bug: http://curl.haxx.se/bug/view.cgi?id=3582718 Reported by: Nick Zitzmann (originally)	2012-11-06 22:23:56 +01:00
Daniel Stenberg	8e329bb759	Revert "Zero out auth structs before transfer" This reverts commit `ce8311c7e4`. The commit made test 2024 work but caused a regression with repeated Digest authentication. We need to fix this differently.	2012-11-06 22:23:56 +01:00
Daniel Stenberg	da82f59b69	CURLOPT_SSL_VERIFYHOST: stop supporting the 1 value After a research team wrote a document[1] that found several live source codes out there in the wild that misused the CURLOPT_SSL_VERIFYHOST option thinking it was a boolean, this change now bans 1 as a value and will make libcurl return error for it. 1 was never a sensible value to use in production but was introduced back in the days to help debugging. It was always documented clearly this way. 1 was never supported by all SSL backends in libcurl, so this cleanup makes the treatment of it unified. The report's list of mistakes for this option were all PHP code and while there's a binding layer between libcurl and PHP, the PHP team has decided that they have an as thin layer as possible on top of libcurl so they will not alter or specifically filter a 'TRUE' value for this particular option. I sympathize with that position. [1] = http://daniel.haxx.se/blog/2012/10/25/libcurl-claimed-to-be-dangerous/	2012-11-06 19:46:53 +01:00
Daniel Stenberg	ab1f80200a	gnutls: fix compiler warnings	2012-11-06 19:46:17 +01:00
Alessandro Ghedini	41eec4efa2	gnutls: print alerts during handshake	2012-11-06 19:42:38 +01:00
Alessandro Ghedini	2045d83dd3	gnutls: fix the error_is_fatal logic	2012-11-06 19:42:37 +01:00
Daniel Stenberg	0da6c113ce	RELEASE-NOTES: synced with `fa6d78829f`	2012-11-06 12:03:29 +01:00
Daniel Stenberg	fa6d78829f	httpcustomheader.c: free the headers after use	2012-11-06 11:51:19 +01:00
Dave Reisner	550e403f00	uniformly use AM_CPPFLAGS, avoid deprecated INCLUDES Since automake 1.12.4, the warnings are issued on running automake: warning: 'INCLUDES' is the old name for 'AM_CPPFLAGS' (or '*_CPPFLAGS') Avoid INCLUDES and roll these flags into AM_CPPFLAGS. Compile tested on: Ubuntu 10.04 (automake 1:1.11.1-1) Ubuntu 12.04 (automake 1:1.11.3-1ubuntu2) Arch Linux (automake 1.12.4)	2012-11-06 00:32:21 +01:00
Daniel Stenberg	f99430d89e	libauthretry.c: shorten lines to fit within 80 cols	2012-11-06 00:06:21 +01:00
Daniel Stenberg	09a491378a	ftp_readresp: fix build without krb4 support Oops, my previous commit broke builds with krb support.	2012-11-05 13:01:48 +01:00
Daniel Stenberg	9019a0a86c	test/README: mention the 1500 test number range	2012-11-04 23:18:20 +01:00
Daniel Stenberg	b2954e66e8	FTP: prevent the multi interface from blocking As pointed out in Bug report #3579064, curl_multi_perform() would wrongly use a blocking mechanism internally for some commands which could lead to for example a very long block if the LIST response never showed. The solution was to make sure to properly continue to use the multi interface non-blocking state machine. The new test 1501 verifies the fix. Bug: http://curl.haxx.se/bug/view.cgi?id=3579064 Reported by: Guido Berhoerster	2012-11-04 19:05:39 +01:00
Marc Hoersken	7c0f201075	winbuild: Use machine type of development environment This patch restores the original behavior instead of always falling back to x86 if no MACHINE-type was specified.	2012-11-01 22:23:05 +01:00
Marc Hoersken	0ecb57056f	winbuild: Additional clean up	2012-11-01 22:16:47 +01:00
Sapien2	3be96564a8	Even more winbuild refactoring	2012-11-01 22:06:54 +01:00
Sapien2	0cb5650386	Minor winbuild refactoring	2012-11-01 22:06:53 +01:00
Sapien2	8f61e5cea7	Architecture selection for winbuild and minor makefiles refactoring	2012-11-01 22:06:53 +01:00
Daniel Stenberg	34ff881ece	BUGS: fix the bug tracker URL The URL we used before is the one that goes directly to 'add' a bug report, but since you can only do that after first having logged in to sourceforge, the link often doesn't work for visitors. Bug: http://curl.haxx.se/bug/view.cgi?id=3582408 Reported by: Oscar Norlander	2012-11-01 21:36:28 +01:00
Daniel Stenberg	af121ccad8	evhiperfifo: fix the pointer passed to WRITEDATA Bug: http://curl.haxx.se/bug/view.cgi?id=3582407 Reported by: Oscar Norlander	2012-11-01 14:20:58 +01:00
Guenter Knauf	c81eb7e226	Fixed MSVC libssh2 static build. Since libssh2 supports now agent stuff it also depends on user32.lib. Posted to the list by Jan Ehrhardt.	2012-11-01 01:03:12 +01:00
Daniel Stenberg	74fe1b95fb	tlsauthtype: deal with the string case insensitively When given a string as 'srp' it didn't work, but required 'SRP'. Starting now, the check disregards casing. Bug: http://curl.haxx.se/bug/view.cgi?id=3578418 Reported by: Jeff Connelly	2012-10-23 23:12:58 +02:00
Daniel Stenberg	d1c769877a	asyn-ares: restore working with c-ares < 1.6.1 Back in those days the public ares.h header didn't include the ares_version.h header so it needs to be included here. Bug: http://curl.haxx.se/bug/view.cgi?id=3577710	2012-10-23 23:06:38 +02:00
Nick Zitzmann	94891ff296	metalink/md5: Use CommonCrypto on Apple operating systems Previously the Metalink code used Apple's CommonCrypto library only if curl was built using the --with-darwinssl option. Now we use CommonCrypto on all Apple operating systems including Tiger or later, or iOS 5 or later, so you don't need to build --with-darwinssl anymore. Also rolled out this change to libcurl's md5 code.	2012-10-22 23:32:59 +02:00
Daniel Stenberg	12a40e17a9	href_extractor.c: fix the URL	2012-10-18 19:42:31 +02:00
Michał Kowalczyk	8ffc971138	href_extractor: example code extracting href elements It does so in a streaming manner using the "Streaming HTML parser".	2012-10-18 16:45:51 +02:00
Nick Zitzmann	f1d2e18508	darwinssl: un-broke iOS build, fix error on server disconnect The iOS build was broken by a reference to a function that only existed under OS X; fixed. Also fixed a hard-to-reproduce problem where, if the server disconnected before libcurl got the chance to hang up first and SecureTransport was in use, then we'd raise an error instead of failing gracefully.	2012-10-16 19:55:03 +02:00
Alessandro Ghedini	1a02e84589	gnutls: put reset code into else block Bug: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=690551	2012-10-16 00:18:44 +02:00
Guenter Knauf	c79c0909d9	Fix now broken libmetalink-aware OpenSSL build.	2012-10-13 01:03:34 +02:00
Guenter Knauf	3fc5779b91	Revert c44e674; add OpenSSL includes/defines. The makefile is designed to build against a libmetalink devel package; therefore is does not matter what will change inside libmetalink. Add OpenSSL includes and defines for libmetalink-aware OpenSSL builds.	2012-10-13 00:48:05 +02:00
Daniel Stenberg	ff32546d81	version-bump: towards 7.28.1!	2012-10-10 22:35:08 +02:00
Daniel Stenberg	99b036c9b2	THANKS: 14 new contributors from 7.28.0	2012-10-10 22:33:33 +02:00