RELEASE-NOTES: synced with 52af6e69f0 / 7.28.1

If curl_multi_fdset() sets maxfd to -1, the socket detection
loop is skipped and thus !found_new_socket is no cause for alarm.

RELEASE-NOTES

@@ -1,62 +1,51 @@
-Curl and libcurl 7.28.0
+Curl and libcurl 7.28.1
 
- Public curl releases:         129
+ Public curl releases:         130
  Command line options:         152
  curl_easy_setopt() options:   199
  Public functions in libcurl:  58
  Known libcurl bindings:       39
- Contributors:                 953
+ Contributors:                 979
 
 This release includes the following changes:
 
- o SSH: added agent based authentication
- o ftp: active conn, allow application to set sockopt after accept() call
-   with CURLSOCKTYPE_ACCEPT
- o multi: add curl_multi_wait() [12]
- o metalink: Added support for Microsoft Windows CryptoAPI
- o md5: Added support for Microsoft Windows CryptoAPI
- o parse_proxy: treat "socks://x" as a socks4 proxy [17]
- o socks: Added support for IPv6 connections through SOCKSv5 proxy
+ o metalink/md5: Use CommonCrypto on Apple operating systems
+ o href_extractor: new example code extracting href elements
+ o NSS can be used for metalink hashing [13]
 
 This release includes the following bugfixes:
 
- o WSAPoll disabled on Windows builds due to its bugs [8]
- o segfault on request retries [1]
- o curl-config: parentheses fix [2]
- o VC build: add define for openssl [3]
- o globbing: fix segfault when >9 globs were used [4]
- o fixed a few clang-analyzer warnings
- o metalink: change code order to build with gnutls-nettle [5]
- o gtls: fix build failure by including nettle-specific headers [5]
- o change preferred HTTP auth on a handle previously used for another auth [9]
- o file: use fdopen() to avoid race condition [6]
- o Added DWANT_IDN_PROTOTYPES define for MSVC too [7]
- o verbose: fixed (nil) output of hostnames in re-used connections [10]
- o metalink: Un-broke the build when building --with-darwinssl
- o curl man page cleanup
- o Avoid leak of local device string when reusing connection
- o Curl_socket_check: fix return code for timeout [11]
- o nss: do not print misleading NSS error codes
- o configure: remove the --enable/disable-nonblocking options
- o darwinssl: add TLS 1.1 and 1.2 support, replace deprecated functions
- o NTLM: re-use existing connection better
- o schannel crash on multi and easy handle cleanup
- o SOCKS: truly disable it if CURL_DISABLE_PROXY is defined [13]
- o mk-ca-bundle: detect start of trust section better [14]
- o gnutls: do not fail on non-fatal handshake errors [15]
- o SMTP: only send SIZE if supported [16]
- o ftpserver: respond with a 250 to SMTP EHLO
- o ssh: do not crash if MD5 fingerprint is not provided by libssh2
- o winbuild: Added support for building with SPNEGO enabled
- o metalink: Fixed validation of binary files containing EOF
- o setup.h: fixed for MS VC10 build [18]
- o cmake: use standard findxxx modules for cmake v2.8+
- o HTTP_ONLY: disable more protocols [19]
- o Curl_reconnect_request: clear pointer on failure [20]
- o https.c example: remember to call curl_global_init()
- o metalink: Filter resource URLs by type
- o multi interface: CURLOPT_LOW_SPEED_* fix during rate limitation [21]
- o curl_schannel: Removed buffer limit and optimized buffer strategy
+ o Fix broken libmetalink-aware OpenSSL build
+ o gnutls: fix the error is fatal logic [1]
+ o darwinssl: un-broke iOS build, fix error on server disconnect
+ o asyn-ares: restore functionality with c-ares < 1.6.1 [2]
+ o tlsauthtype: deal with the string case insensitively [3]
+ o Fixed MSVC libssh2 static build
+ o evhiperfifo: fix the pointer passed to WRITEDATA [6]
+ o BUGS: fix the bug tracker URL [4]
+ o winbuild: Use machine type of development environment
+ o FTP: prevent the multi interface from blocking [5]
+ o uniformly use AM_CPPFLAGS, avoid deprecated INCLUDES
+ o httpcustomheader.c: free the headers after use
+ o fix >2000 bytes POST over NTLM-using proxy [7]
+ o redirects to URLs with fragments [8]
+ o don't send '#' fragments when using proxy [9]
+ o OpenSSL: show full issuer string [10]
+ o fix HTTP auth regression [11]
+ o CURLOPT_SSL_VERIFYHOST: stop supporting the 1 value [12]
+ o ftp: EPSV-disable fix over SOCKS [14]
+ o Digest: Add microseconds into nounce calculation [15]
+ o SCP/SFTP: improve error code used for send failures
+ o SSL: Several SSL-backend related fixes
+ o removed the notorious "additional stuff not fine" debug output
+ o OpenSSL: Disable SSL/TLS compression - avoid the "CRIME" attack
+ o FILE: Make upload-writes unbuffered
+ o custom memory callbacks failure with HTTP proxy (and more) [16]
+ o TFTP: handle resends
+ o autoconf: don't force-disable compiler debug option
+ o winbuild: Fix PDB file output [17]
+ o test2032: spurious failure caused by premature termination [18]
+ o memory leak: CURLOPT_RESOLVE with multi interface [19]
 
 This release includes the following known bugs:
 
@@ -65,35 +54,34 @@ This release includes the following known bugs:
 This release would not have looked like this without help, code, reports and
 advice from friends like these:
 
- Guenter Knauf, Joe Mason, Kamil Dudka, Steve Holme, Anthony G. Basile,
- Edward Sheldrake, Jan Koen Annot, Maxime Larocque, Mike Crowe, Anthony Bryan,
- Nick Zitzmann, Gisle Vanem, Armel Asselin, Dan Fandrich, Dave Reisner,
- Gokhan Sengun, Sara Golemon, Olivier Berger, Marc Hoersken, David Blaikie,
- Alessandro Ghedini, František Kučera, Marcel Raad, Scott Bailey, Ho-chi Chen,
- Tomas Mlcoch, Jie He, Tatsuhiro Tsujikawa, Sergei Nikulov, Mark Tully
+ Guenter Knauf, Alessandro Ghedini, Nick Zitzmann, Michal Kowalczyk,
+ Jeff Connelly, Oscar Norlander, Guido Berhoerster, Marc Hoersken,
+ Dave Reisner, Jan Ehrhardt, John Suprock, Alessandro Ghedini,
+ Lars Buitinck, Anton Malov, Sergei Nikulov, Patrick Monnerat,
+ Gabriel Sjoberg, Oscar Koeroo, Fabian Keil, Johnny Luong, Cristian Rodríguez,
+ Sebastian Rasmussen, Mark Snelling, Christian Vogt, Marcin Adamski,
+ Ajit Dhumale, Alex Gruz
 
         Thanks! (and sorry if I forgot to mention someone)
 
 References to bug reports and discussions on issues:
 
- [1] = http://curl.haxx.se/bug/view.cgi?id=3544688
- [2] = http://curl.haxx.se/bug/view.cgi?id=3551460
- [3] = http://curl.haxx.se/bug/view.cgi?id=3552997
- [4] = http://curl.haxx.se/bug/view.cgi?id=3546353
- [5] = http://curl.haxx.se/bug/view.cgi?id=3554668
- [6] = https://bugzilla.redhat.com/844385
- [7] = http://curl.haxx.se/mail/lib-2012-07/0271.html
- [8] = http://curl.haxx.se/mail/lib-2012-07/0310.html
- [9] = http://curl.haxx.se/bug/view.cgi?id=3545398
- [10] = http://curl.haxx.se/mail/lib-2012-07/0111.html
- [11] = http://curl.haxx.se/mail/lib-2012-07/0122.html
- [12] = http://daniel.haxx.se/blog/2012/09/03/introducing-curl_multi_wait/
- [13] = http://curl.haxx.se/bug/view.cgi?id=3561305
- [14] = http://curl.haxx.se/mail/lib-2012-09/0019.html
- [15] = http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=685402
- [16] = http://curl.haxx.se/bug/view.cgi?id=3564114
- [17] = http://curl.haxx.se/bug/view.cgi?id=3566860
- [18] = http://curl.haxx.se/bug/view.cgi?id=3568327
- [19] = http://curl.haxx.se/mail/lib-2012-09/0127.html
- [20] = http://curl.haxx.se/mail/lib-2012-09/0188.html
- [21] = http://curl.haxx.se/mail/lib-2012-09/0081.html
+ [1] = http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=690551
+ [2] = http://curl.haxx.se/bug/view.cgi?id=3577710
+ [3] = http://curl.haxx.se/bug/view.cgi?id=3578418
+ [4] = http://curl.haxx.se/bug/view.cgi?id=3582408
+ [5] = http://curl.haxx.se/bug/view.cgi?id=3579064
+ [6] = http://curl.haxx.se/bug/view.cgi?id=3582407
+ [7] = http://curl.haxx.se/bug/view.cgi?id=3582321
+ [8] = http://curl.haxx.se/bug/view.cgi?id=3581898
+ [9] = http://curl.haxx.se/bug/view.cgi?id=3579813
+ [10] = http://curl.haxx.se/bug/view.cgi?id=3579286
+ [11] = http://curl.haxx.se/bug/view.cgi?id=3582718
+ [12] = http://daniel.haxx.se/blog/2012/10/25/libcurl-claimed-to-be-dangerous/
+ [13] = http://curl.haxx.se/bug/view.cgi?id=3578163
+ [14] = http://curl.haxx.se/bug/view.cgi?id=3586338
+ [15] = https://github.com/bagder/curl/pull/50
+ [16] = http://curl.haxx.se/mail/lib-2012-11/0125.html
+ [17] = http://curl.haxx.se/bug/view.cgi?id=3586741
+ [18] = http://curl.haxx.se/mail/lib-2012-11/0095.html
+ [19] = http://curl.haxx.se/bug/view.cgi?id=3575448

docs/BUGS

@@ -35,9 +35,11 @@ BUGS
   have a go at a solution. You can optionally also post your bug/problem at
   curl's bug tracking system over at
 
-        http://sourceforge.net/bugs/?group_id=976
+        http://sourceforge.net/tracker/?group_id=976&atid=100976
 
-  (but please read the sections below first before doing that)
+  Please read the rest of this document below first before doing that! Also,
+  you need to login to your sourceforge account before being able to submit a
+  bug report (necessary evil done to avoid spam).
 
   If you feel you need to ask around first, find a suitable mailing list and
   post there. The lists are available on http://curl.haxx.se/mail/

docs/THANKS

@@ -207,6 +207,7 @@ Dave Reisner
 Dave Vasilevsky
 David Bau
 David Binderman
+David Blaikie
 David Byron
 David Cohen
 David Eriksson
@@ -263,6 +264,7 @@ Early Ehlinger
 Ebenezer Ikonne
 Edin Kadribasic
 Eduard Bloch
+Edward Sheldrake
 Eelco Dolstra
 Eetu Ojanen
 Ellis Pritchard
@@ -302,6 +304,7 @@ Frank McGeough
 Frank Meier
 Frank Ticheler
 Frank Van Uffelen
+František Kučera
 Fred Machado
 Fred New
 Fred Noz
@@ -360,6 +363,7 @@ Henrik Storner
 Henry Ludemann
 Herve Amblard
 Hidemoto Nakada
+Ho-chi Chen
 Hoi-Ho Chan
 Hongli Lai
 Howard Chu
@@ -397,6 +401,7 @@ Jamie Lokier
 Jamie Newton
 Jamie Wilkinson
 Jan Ehrhardt
+Jan Koen Annot
 Jan Kunder
 Jan Schaumann
 Jan Van Boghout
@@ -428,6 +433,7 @@ Jerry Wu
 Jes Badwal
 Jesper Jensen
 Jesse Noller
+Jie He
 Jim Drash
 Jim Freeman
 Jim Hollinger
@@ -435,6 +441,7 @@ Jim Meyering
 Jocelyn Jaubert
 Joe Halpin
 Joe Malicki
+Joe Mason
 Joel Chen
 Jofell Gallardo
 Johan Anderson
@@ -579,6 +586,7 @@ Mark Incley
 Mark Karpeles
 Mark Lentczner
 Mark Salisbury
+Mark Tully
 Markus Duft
 Markus Koetter
 Markus Moeller
@@ -612,6 +620,7 @@ Max Katsev
 Maxim Ivanov
 Maxim Perenesenko
 Maxim Prohorov
+Maxime Larocque
 Mehmet Bozkurt
 Mekonikum
 Mettgut Jamalla
@@ -680,6 +689,7 @@ Ofer
 Olaf Flebbe
 Olaf Stueben
 Olaf Stüben
+Olivier Berger
 Oren Tirosh
 Ori Avtalion
 P R Schaffner
@@ -823,13 +833,16 @@ Sander Gates
 Sandor Feldi
 Santhana Todatry
 Saqib Ali
+Sara Golemon
 Saul good
+Scott Bailey
 Scott Barrett
 Scott Cantor
 Scott Davis
 Scott McCreary
 Sebastien Willemijns
 Senthil Raja Velu
+Sergei Nikulov
 Sergio Ballestrero
 Seshubabu Pasam
 Sh Diao
@@ -913,6 +926,7 @@ Tom Mueller
 Tom Regner
 Tom Wright
 Tom Zerucha
+Tomas Mlcoch
 Tomas Pospisek
 Tomas Szepe
 Tomasz Lacki

docs/examples/Makefile.am

@@ -34,14 +34,13 @@ EXTRA_DIST = README Makefile.example Makefile.inc Makefile.m32 \
 # $(top_builddir)/include for generated curlbuild.h included from lib/setup.h
 # $(top_srcdir)/include is for libcurl's external include files
 
-INCLUDES = -I$(top_builddir)/include/curl \
+AM_CPPFLAGS = -I$(top_builddir)/include/curl \
               -I$(top_builddir)/include      \
-           -I$(top_srcdir)/include
+              -I$(top_srcdir)/include \
+              -DCURL_NO_OLDIES
 
 LIBDIR = $(top_builddir)/lib
 
-AM_CPPFLAGS = -DCURL_NO_OLDIES
-
 # Mostly for Windows build targets, when using static libcurl
 if USE_CPPFLAG_CURL_STATICLIB
 AM_CPPFLAGS += -DCURL_STATICLIB

docs/examples/Makefile.inc

@@ -12,4 +12,4 @@ check_PROGRAMS = 10-at-a-time anyauthput cookie_interface debug fileupload \
 COMPLICATED_EXAMPLES = curlgtk.c curlx.c htmltitle.cc cacertinmem.c	   \
   ftpuploadresume.c ghiper.c hiperfifo.c htmltidy.c multithread.c	   \
   opensslthreadlock.c sampleconv.c synctime.c threaded-ssl.c evhiperfifo.c \
-  smooth-gtk-thread.c version-check.pl
+  smooth-gtk-thread.c version-check.pl href_extractor.c

docs/examples/evhiperfifo.c

@@ -5,7 +5,7 @@
  *                            | (__| |_| |  _ <| |___
  *                             \___|\___/|_| \_\_____|
  *
- * Copyright (C) 1998 - 2011, Daniel Stenberg, <daniel@haxx.se>, et al.
+ * Copyright (C) 1998 - 2012, Daniel Stenberg, <daniel@haxx.se>, et al.
  *
  * This software is licensed as described in the file COPYING, which
  * you should have received as part of this distribution. The terms
@@ -336,7 +336,7 @@ static void new_conn(char *url, GlobalInfo *g )
   conn->url = strdup(url);
   curl_easy_setopt(conn->easy, CURLOPT_URL, conn->url);
   curl_easy_setopt(conn->easy, CURLOPT_WRITEFUNCTION, write_cb);
-  curl_easy_setopt(conn->easy, CURLOPT_WRITEDATA, &conn);
+  curl_easy_setopt(conn->easy, CURLOPT_WRITEDATA, conn);
   curl_easy_setopt(conn->easy, CURLOPT_VERBOSE, 1L);
   curl_easy_setopt(conn->easy, CURLOPT_ERRORBUFFER, conn->error);
   curl_easy_setopt(conn->easy, CURLOPT_PRIVATE, conn);

docs/examples/href_extractor.c

@@ -0,0 +1,86 @@
+/***************************************************************************
+ *                                  _   _ ____  _
+ *  Project                     ___| | | |  _ \| |
+ *                             / __| | | | |_) | |
+ *                            | (__| |_| |  _ <| |___
+ *                             \___|\___/|_| \_\_____|
+ *
+ * Copyright (C) 2012, Daniel Stenberg, <daniel@haxx.se>, et al.
+ *
+ * This software is licensed as described in the file COPYING, which
+ * you should have received as part of this distribution. The terms
+ * are also available at http://curl.haxx.se/docs/copyright.html.
+ *
+ * You may opt to use, copy, modify, merge, publish, distribute and/or sell
+ * copies of the Software, and permit persons to whom the Software is
+ * furnished to do so, under the terms of the COPYING file.
+ *
+ * This software is distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY
+ * KIND, either express or implied.
+ *
+ ***************************************************************************/
+
+/*
+ * This example uses the "Streaming HTML parser" to extract the href pieces in
+ * a streaming manner from a downloaded HTML. Kindly donated by Michał
+ * Kowalczyk.
+ *
+ * The parser is found at
+ * http://code.google.com/p/htmlstreamparser/
+ */
+
+#include <stdio.h>
+#include <curl/curl.h>
+#include <htmlstreamparser.h>
+
+
+static size_t write_callback(void *buffer, size_t size, size_t nmemb,
+                             void *hsp)
+{
+  size_t realsize = size * nmemb, p;
+  for (p = 0; p < realsize; p++) {
+    html_parser_char_parse(hsp, ((char *)buffer)[p]);
+    if (html_parser_cmp_tag(hsp, "a", 1))
+      if (html_parser_cmp_attr(hsp, "href", 4))
+        if (html_parser_is_in(hsp, HTML_VALUE_ENDED)) {
+          html_parser_val(hsp)[html_parser_val_length(hsp)] = '\0';
+          printf("%s\n", html_parser_val(hsp));
+        }
+  }
+  return realsize;
+}
+
+int main(int argc, char *argv[])
+{
+  char tag[1], attr[4], val[128];
+  CURL *curl;
+  HTMLSTREAMPARSER *hsp;
+
+  if (argc != 2) {
+    printf("Usage: %s URL\n", argv[0]);
+    return EXIT_FAILURE;
+  }
+
+  curl = curl_easy_init();
+
+  hsp = html_parser_init();
+
+  html_parser_set_tag_to_lower(hsp, 1);
+  html_parser_set_attr_to_lower(hsp, 1);
+  html_parser_set_tag_buffer(hsp, tag, sizeof(tag));
+  html_parser_set_attr_buffer(hsp, attr, sizeof(attr));
+  html_parser_set_val_buffer(hsp, val, sizeof(val)-1);
+
+  curl_easy_setopt(curl, CURLOPT_URL, argv[1]);
+  curl_easy_setopt(curl, CURLOPT_WRITEFUNCTION, write_callback);
+  curl_easy_setopt(curl, CURLOPT_WRITEDATA, hsp);
+  curl_easy_setopt(curl, CURLOPT_FOLLOWLOCATION, 1);
+
+  curl_easy_perform(curl);
+
+  curl_easy_cleanup(curl);
+
+  html_parser_cleanup(hsp);
+
+  return EXIT_SUCCESS;
+}

docs/examples/httpcustomheader.c

@@ -5,7 +5,7 @@
  *                            | (__| |_| |  _ <| |___
  *                             \___|\___/|_| \_\_____|
  *
- * Copyright (C) 1998 - 2011, Daniel Stenberg, <daniel@haxx.se>, et al.
+ * Copyright (C) 1998 - 2012, Daniel Stenberg, <daniel@haxx.se>, et al.
  *
  * This software is licensed as described in the file COPYING, which
  * you should have received as part of this distribution. The terms
@@ -53,6 +53,9 @@ int main(void)
 
     /* always cleanup */
     curl_easy_cleanup(curl);
+
+    /* free the custom headers */
+    curl_slist_free_all(chunk);
   }
   return 0;
 }

docs/libcurl/curl_easy_setopt.3

@@ -2323,8 +2323,9 @@ Curl considers the server the intended one when the Common Name field or a
 Subject Alternate Name field in the certificate matches the host name in the
 URL to which you told Curl to connect.
 
-When the value is 1, the certificate must contain a Common Name field, but it
-doesn't matter what name it says.  (This is not ordinarily a useful setting).
+When the value is 1, libcurl will return a failure. It was previously (in
+7.28.0 and earlier) a debug option of some sorts, but it is no longer
+supported due to frequently leading to programmer mistakes.
 
 When the value is 0, the connection succeeds regardless of the names in the
 certificate.

include/curl/curlver.h

@@ -30,13 +30,13 @@
 
 /* This is the version number of the libcurl package from which this header
    file origins: */
-#define LIBCURL_VERSION "7.28.0-DEV"
+#define LIBCURL_VERSION "7.28.1-DEV"
 
 /* The numeric version number is also available "in parts" by using these
    defines: */
 #define LIBCURL_VERSION_MAJOR 7
 #define LIBCURL_VERSION_MINOR 28
-#define LIBCURL_VERSION_PATCH 0
+#define LIBCURL_VERSION_PATCH 1
 
 /* This is the numeric version of the libcurl version number, meant for easier
    parsing and comparions by programs. The LIBCURL_VERSION_NUM define will
@@ -53,7 +53,7 @@
    and it is always a greater number in a more recent release. It makes
    comparisons with greater than and less than work.
 */
-#define LIBCURL_VERSION_NUM 0x071c00
+#define LIBCURL_VERSION_NUM 0x071c01
 
 /*
  * This is the date and time when the full source package was created. The

lib/Makefile.am

@@ -64,7 +64,7 @@ CFLAG_CURL_SYMBOL_HIDING = @CFLAG_CURL_SYMBOL_HIDING@
 # $(top_srcdir)/ares is for in-tree c-ares's external include files
 
 if USE_EMBEDDED_ARES
-INCLUDES = -I$(top_builddir)/include/curl \
+AM_CPPFLAGS = -I$(top_builddir)/include/curl \
               -I$(top_builddir)/include      \
               -I$(top_srcdir)/include        \
               -I$(top_builddir)/lib          \
@@ -72,15 +72,13 @@ INCLUDES = -I$(top_builddir)/include/curl \
               -I$(top_builddir)/ares         \
               -I$(top_srcdir)/ares
 else
-INCLUDES = -I$(top_builddir)/include/curl \
+AM_CPPFLAGS = -I$(top_builddir)/include/curl \
               -I$(top_builddir)/include      \
               -I$(top_srcdir)/include        \
               -I$(top_builddir)/lib          \
               -I$(top_srcdir)/lib
 endif
 
-AM_CPPFLAGS =
-
 # Mostly for Windows build targets, when building libcurl library
 if USE_CPPFLAG_BUILDING_LIBCURL
 AM_CPPFLAGS += -DBUILDING_LIBCURL
@@ -101,9 +99,9 @@ if SONAME_BUMP
 #
 # This conditional soname bump SHOULD be removed at next "proper" bump.
 #
-VERSIONINFO=-version-info 7:0:2
+VERSIONINFO=-version-info 8:0:3
 else
-VERSIONINFO=-version-info 6:0:2
+VERSIONINFO=-version-info 7:0:3
 endif
 
 # This flag accepts an argument of the form current[:revision[:age]]. So,

lib/Makefile.inc

@@ -24,7 +24,7 @@ CSOURCES = file.c timeval.c base64.c hostip.c progress.c formdata.c	\
   idn_win32.c http_negotiate_sspi.c cyassl.c http_proxy.c non-ascii.c	\
   asyn-ares.c asyn-thread.c curl_gssapi.c curl_ntlm.c curl_ntlm_wb.c	\
   curl_ntlm_core.c curl_ntlm_msgs.c curl_sasl.c curl_schannel.c	\
-  curl_multibyte.c curl_darwinssl.c
+  curl_multibyte.c curl_darwinssl.c hostcheck.c
 
 HHEADERS = arpa_telnet.h netrc.h file.h timeval.h qssl.h hostip.h	\
   progress.h formdata.h cookie.h http.h sendf.h ftp.h url.h dict.h	\
@@ -41,4 +41,5 @@ HHEADERS = arpa_telnet.h netrc.h file.h timeval.h qssl.h hostip.h	\
   warnless.h curl_hmac.h polarssl.h curl_rtmp.h curl_gethostname.h	\
   gopher.h axtls.h cyassl.h http_proxy.h non-ascii.h asyn.h curl_ntlm.h	\
   curl_gssapi.h curl_ntlm_wb.h curl_ntlm_core.h curl_ntlm_msgs.h	\
-  curl_sasl.h curl_schannel.h curl_multibyte.h curl_darwinssl.h
+  curl_sasl.h curl_schannel.h curl_multibyte.h curl_darwinssl.h	\
+  hostcheck.h

lib/Makefile.m32

@@ -273,8 +273,9 @@ $(libcurl_a_LIBRARY): $(libcurl_a_OBJECTS) $(libcurl_a_DEPENDENCIES)
 
 $(libcurl_dll_LIBRARY): $(libcurl_a_OBJECTS) $(RESOURCE) $(libcurl_dll_DEPENDENCIES)
 	@$(call DEL, $@)
-	$(CC) $(LDFLAGS) -shared -Wl,--out-implib,$(libcurl_dll_a_LIBRARY) \
-	  -o $@ $(libcurl_a_OBJECTS) $(RESOURCE) $(DLL_LIBS)
+	$(CC) $(LDFLAGS) -shared -o $@ \
+	  -Wl,--output-def,$(@:.dll=.def),--out-implib,$(libcurl_dll_a_LIBRARY) \
+	  $(libcurl_a_OBJECTS) $(RESOURCE) $(DLL_LIBS)
 
 %.o: %.c $(PROOT)/include/curl/curlbuild.h
 	$(CC) $(INCLUDES) $(CFLAGS) -c $<
@@ -289,7 +290,7 @@ endif
 	@$(call DEL, $(libcurl_a_OBJECTS) $(RESOURCE))
 
 distclean vclean: clean
-	@$(call DEL, $(libcurl_a_LIBRARY) $(libcurl_dll_LIBRARY) $(libcurl_dll_a_LIBRARY))
+	@$(call DEL, $(libcurl_a_LIBRARY) $(libcurl_dll_LIBRARY) $(libcurl_dll_LIBRARY:.dll=.def) $(libcurl_dll_a_LIBRARY))
 
 $(PROOT)/include/curl/curlbuild.h:
 	@echo Creating $@

lib/asyn-ares.c

@@ -5,7 +5,7 @@
  *                            | (__| |_| |  _ <| |___
  *                             \___|\___/|_| \_\_____|
  *
- * Copyright (C) 1998 - 2011, Daniel Stenberg, <daniel@haxx.se>, et al.
+ * Copyright (C) 1998 - 2012, Daniel Stenberg, <daniel@haxx.se>, et al.
  *
  * This software is licensed as described in the file COPYING, which
  * you should have received as part of this distribution. The terms
@@ -83,6 +83,8 @@
 #    define CARES_STATICLIB
 #  endif
 #  include <ares.h>
+#  include <ares_version.h> /* really old c-ares didn't include this by
+                               itself */
 
 #if ARES_VERSION >= 0x010500
 /* c-ares 1.5.0 or later, the callback proto is modified */

lib/axtls.c

@@ -47,6 +47,8 @@
 #include "curl_memory.h"
 /* The last #include file should be: */
 #include "memdebug.h"
+#include "hostcheck.h"
+
 
 /* SSL_read is opied from axTLS compat layer */
 static int SSL_read(SSL *ssl, void *buf, int num)
@@ -150,7 +152,11 @@ Curl_axtls_connect(struct connectdata *conn,
   int i, ssl_fcn_return;
   const uint8_t *ssl_sessionid;
   size_t ssl_idsize;
-  const char *x509;
+  const char *peer_CN;
+  uint32_t dns_altname_index;
+  const char *dns_altname;
+  int8_t found_subject_alt_names = 0;
+  int8_t found_subject_alt_name_matching_conn = 0;
 
   /* Assuming users will not compile in custom key/cert to axTLS */
   uint32_t client_option = SSL_NO_DEFAULT_KEY|SSL_SERVER_VERIFY_LATER;
@@ -296,19 +302,65 @@ Curl_axtls_connect(struct connectdata *conn,
   /* Here, gtls.c does issuer verification. axTLS has no straightforward
    * equivalent, so omitting for now.*/
 
-  /* See if common name was set in server certificate */
-  x509 = ssl_get_cert_dn(ssl, SSL_X509_CERT_COMMON_NAME);
-  if(x509 == NULL)
-    infof(data, "error fetching CN from cert\n");
-
   /* Here, gtls.c does the following
    * 1) x509 hostname checking per RFC2818.  axTLS doesn't support this, but
-   *    it seems useful.  Omitting for now.
+   *    it seems useful. This is now implemented, by Oscar Koeroo
    * 2) checks cert validity based on time.  axTLS does this in ssl_verify_cert
    * 3) displays a bunch of cert information.  axTLS doesn't support most of
    *    this, but a couple fields are available.
    */
 
+
+  /* There is no (DNS) Altnames count in the version 1.4.8 API. There is a
+     risk of an inifite loop */
+  for(dns_altname_index = 0; ; dns_altname_index++) {
+    dns_altname = ssl_get_cert_subject_alt_dnsname(ssl, dns_altname_index);
+    if(dns_altname == NULL) {
+      break;
+    }
+    found_subject_alt_names = 1;
+
+    infof(data, "\tComparing subject alt name DNS with hostname: %s <-> %s\n",
+          dns_altname, conn->host.name);
+    if(Curl_cert_hostcheck(dns_altname, conn->host.name)) {
+      found_subject_alt_name_matching_conn = 1;
+      break;
+    }
+  }
+
+  /* RFC2818 checks */
+  if(found_subject_alt_names && !found_subject_alt_name_matching_conn) {
+    /* Break connection ! */
+    Curl_axtls_close(conn, sockindex);
+    failf(data, "\tsubjectAltName(s) do not match %s\n", conn->host.dispname);
+    return CURLE_PEER_FAILED_VERIFICATION;
+  }
+  else if(found_subject_alt_names == 0) {
+    /* Per RFC2818, when no Subject Alt Names were available, examine the peer
+       CN as a legacy fallback */
+    peer_CN = ssl_get_cert_dn(ssl, SSL_X509_CERT_COMMON_NAME);
+    if(peer_CN == NULL) {
+      /* Similar behaviour to the OpenSSL interface */
+      Curl_axtls_close(conn, sockindex);
+      failf(data, "unable to obtain common name from peer certificate");
+      return CURLE_PEER_FAILED_VERIFICATION;
+    }
+    else {
+      if(!Curl_cert_hostcheck((const char *)peer_CN, conn->host.name)) {
+        if(data->set.ssl.verifyhost) {
+          /* Break connection ! */
+          Curl_axtls_close(conn, sockindex);
+          failf(data, "\tcommon name \"%s\" does not match \"%s\"\n",
+                peer_CN, conn->host.dispname);
+          return CURLE_PEER_FAILED_VERIFICATION;
+        }
+        else
+          infof(data, "\tcommon name \"%s\" does not match \"%s\"\n",
+                peer_CN, conn->host.dispname);
+      }
+    }
+  }
+
   /* General housekeeping */
   conn->ssl[sockindex].state = ssl_connection_complete;
   conn->ssl[sockindex].ssl = ssl;

lib/connect.c

@@ -1101,7 +1101,9 @@ CURLcode Curl_connecthost(struct connectdata *conn,  /* context */
 
   if(sockfd == CURL_SOCKET_BAD) {
     /* no good connect was made */
-    failf(data, "couldn't connect to host");
+    failf(data, "couldn't connect to %s at %s:%d",
+          conn->bits.proxy?"proxy":"host",
+          conn->bits.proxy?conn->proxy.name:conn->host.name, conn->port);
     return CURLE_COULDNT_CONNECT;
   }
 

lib/curl_darwinssl.c

@@ -266,6 +266,44 @@ CF_INLINE const char *SSLCipherNameForNumber(SSLCipherSuite cipher) {
     case SSL_FORTEZZA_DMS_WITH_FORTEZZA_CBC_SHA:
       return "SSL_FORTEZZA_DMS_WITH_FORTEZZA_CBC_SHA";
       break;
+    /* TLS 1.0 with AES (RFC 3268)
+       (Apparently these are used in SSLv3 implementations as well.) */
+    case TLS_RSA_WITH_AES_128_CBC_SHA:
+      return "TLS_RSA_WITH_AES_128_CBC_SHA";
+      break;
+    case TLS_DH_DSS_WITH_AES_128_CBC_SHA:
+      return "TLS_DH_DSS_WITH_AES_128_CBC_SHA";
+      break;
+    case TLS_DH_RSA_WITH_AES_128_CBC_SHA:
+      return "TLS_DH_RSA_WITH_AES_128_CBC_SHA";
+      break;
+    case TLS_DHE_DSS_WITH_AES_128_CBC_SHA:
+      return "TLS_DHE_DSS_WITH_AES_128_CBC_SHA";
+      break;
+    case TLS_DHE_RSA_WITH_AES_128_CBC_SHA:
+      return "TLS_DHE_RSA_WITH_AES_128_CBC_SHA";
+      break;
+    case TLS_DH_anon_WITH_AES_128_CBC_SHA:
+      return "TLS_DH_anon_WITH_AES_128_CBC_SHA";
+      break;
+    case TLS_RSA_WITH_AES_256_CBC_SHA:
+      return "TLS_RSA_WITH_AES_256_CBC_SHA";
+      break;
+    case TLS_DH_DSS_WITH_AES_256_CBC_SHA:
+      return "TLS_DH_DSS_WITH_AES_256_CBC_SHA";
+      break;
+    case TLS_DH_RSA_WITH_AES_256_CBC_SHA:
+      return "TLS_DH_RSA_WITH_AES_256_CBC_SHA";
+      break;
+    case TLS_DHE_DSS_WITH_AES_256_CBC_SHA:
+      return "TLS_DHE_DSS_WITH_AES_256_CBC_SHA";
+      break;
+    case TLS_DHE_RSA_WITH_AES_256_CBC_SHA:
+      return "TLS_DHE_RSA_WITH_AES_256_CBC_SHA";
+      break;
+    case TLS_DH_anon_WITH_AES_256_CBC_SHA:
+      return "TLS_DH_anon_WITH_AES_256_CBC_SHA";
+      break;
     /* SSL version 2.0 */
     case SSL_RSA_WITH_RC2_CBC_MD5:
       return "SSL_RSA_WITH_RC2_CBC_MD5";
@@ -594,7 +632,6 @@ static CURLcode darwinssl_connect_step1(struct connectdata *conn,
   struct SessionHandle *data = conn->data;
   curl_socket_t sockfd = conn->sock[sockindex];
   struct ssl_connect_data *connssl = &conn->ssl[sockindex];
-  bool sni = true;
 #ifdef ENABLE_IPV6
   struct in6_addr addr;
 #else
@@ -614,7 +651,8 @@ static CURLcode darwinssl_connect_step1(struct connectdata *conn,
     }
   }
   else {
-#if TARGET_OS_EMBEDDED == 0 /* the older API does not exist on iOS */
+  /* The old ST API does not exist under iOS, so don't compile it: */
+#if (TARGET_OS_MAC && !(TARGET_OS_EMBEDDED || TARGET_OS_IPHONE))
     if(connssl->ssl_ctx)
       (void)SSLDisposeContext(connssl->ssl_ctx);
     err = SSLNewContext(false, &(connssl->ssl_ctx));
@@ -622,7 +660,7 @@ static CURLcode darwinssl_connect_step1(struct connectdata *conn,
       failf(data, "SSL: couldn't create a context: OSStatus %d", err);
       return CURLE_OUT_OF_MEMORY;
     }
-#endif /* TARGET_OS_EMBEDDED == 0 */
+#endif /* (TARGET_OS_MAC && !(TARGET_OS_EMBEDDED || TARGET_OS_IPHONE)) */
   }
 #else
   if(connssl->ssl_ctx)
@@ -656,7 +694,7 @@ static CURLcode darwinssl_connect_step1(struct connectdata *conn,
     }
   }
   else {
-#if TARGET_OS_EMBEDDED == 0
+#if (TARGET_OS_MAC && !(TARGET_OS_EMBEDDED || TARGET_OS_IPHONE))
     (void)SSLSetProtocolVersionEnabled(connssl->ssl_ctx,
                                        kSSLProtocolAll,
                                        false);
@@ -697,7 +735,7 @@ static CURLcode darwinssl_connect_step1(struct connectdata *conn,
                                            true);
         break;
     }
-#endif  /* TARGET_OS_EMBEDDED == 0 */
+#endif  /* (TARGET_OS_MAC && !(TARGET_OS_EMBEDDED || TARGET_OS_IPHONE)) */
   }
 #else
   (void)SSLSetProtocolVersionEnabled(connssl->ssl_ctx, kSSLProtocolAll, false);
@@ -747,14 +785,14 @@ static CURLcode darwinssl_connect_step1(struct connectdata *conn,
     }
   }
   else {
-#if TARGET_OS_EMBEDDED == 0
+#if (TARGET_OS_MAC && !(TARGET_OS_EMBEDDED || TARGET_OS_IPHONE))
     err = SSLSetEnableCertVerify(connssl->ssl_ctx,
                                  data->set.ssl.verifypeer?true:false);
     if(err != noErr) {
       failf(data, "SSL: SSLSetEnableCertVerify() failed: OSStatus %d", err);
       return CURLE_SSL_CONNECT_ERROR;
     }
-#endif /* TARGET_OS_EMBEDDED == 0 */
+#endif /* (TARGET_OS_MAC && !(TARGET_OS_EMBEDDED || TARGET_OS_IPHONE)) */
   }
 #else
   err = SSLSetEnableCertVerify(connssl->ssl_ctx,
@@ -765,12 +803,14 @@ static CURLcode darwinssl_connect_step1(struct connectdata *conn,
   }
 #endif /* defined(__MAC_10_6) || defined(__IPHONE_5_0) */
 
+  /* If this is a domain name and not an IP address, then configure SNI.
+   * Also: the verifyhost setting influences SNI usage */
   /* If this is a domain name and not an IP address, then configure SNI: */
   if((0 == Curl_inet_pton(AF_INET, conn->host.name, &addr)) &&
 #ifdef ENABLE_IPV6
      (0 == Curl_inet_pton(AF_INET6, conn->host.name, &addr)) &&
 #endif
-     sni) {
+     data->set.ssl.verifyhost) {
     err = SSLSetPeerDomainName(connssl->ssl_ctx, conn->host.name,
                                strlen(conn->host.name));
     if(err != noErr) {
@@ -824,7 +864,6 @@ darwinssl_connect_step2(struct connectdata *conn, int sockindex)
         connssl->connecting_state = connssl->ssl_direction ?
             ssl_connect_2_writing : ssl_connect_2_reading;
         return CURLE_OK;
-        break;
 
       case errSSLServerAuthCompleted:
         /* the documentation says we need to call SSLHandshake() again */
@@ -836,13 +875,16 @@ darwinssl_connect_step2(struct connectdata *conn, int sockindex)
       case errSSLCertExpired:
         failf(data, "SSL certificate problem: OSStatus %d", err);
         return CURLE_SSL_CACERT;
-        break;
+
+      case errSSLHostNameMismatch:
+        failf(data, "SSL certificate peer verification failed, the "
+              "certificate did not match \"%s\"\n", conn->host.dispname);
+        return CURLE_PEER_FAILED_VERIFICATION;
 
       default:
         failf(data, "Unknown SSL protocol error in connection to %s:%d",
               conn->host.name, err);
         return CURLE_SSL_CONNECT_ERROR;
-        break;
     }
   }
   else {
@@ -902,7 +944,7 @@ darwinssl_connect_step3(struct connectdata *conn,
    * Well, okay, if verbose mode is on, let's print the details of the
    * server certificates. */
 #if defined(__MAC_10_7) || defined(__IPHONE_5_0)
-  if(SecTrustEvaluateAsync != NULL) {
+#if (TARGET_OS_EMBEDDED || TARGET_OS_IPHONE)
 #pragma unused(server_certs)
   err = SSLCopyPeerTrust(connssl->ssl_ctx, &trust);
   if(err == noErr) {
@@ -921,9 +963,35 @@ darwinssl_connect_step3(struct connectdata *conn,
     }
     CFRelease(trust);
   }
+#else
+  /* SSLCopyPeerCertificates() is deprecated as of Mountain Lion.
+     The function SecTrustGetCertificateAtIndex() is officially present
+     in Lion, but it is unfortunately also present in Snow Leopard as
+     private API and doesn't work as expected. So we have to look for
+     a different symbol to make sure this code is only executed under
+     Lion or later. */
+  if(SecTrustEvaluateAsync != NULL) {
+#pragma unused(server_certs)
+    err = SSLCopyPeerTrust(connssl->ssl_ctx, &trust);
+    if(err == noErr) {
+      count = SecTrustGetCertificateCount(trust);
+      for(i = 0L ; i < count ; i++) {
+        server_cert = SecTrustGetCertificateAtIndex(trust, i);
+        server_cert_summary =
+          SecCertificateCopyLongDescription(NULL, server_cert, NULL);
+        memset(server_cert_summary_c, 0, 128);
+        if(CFStringGetCString(server_cert_summary,
+                              server_cert_summary_c,
+                              128,
+                              kCFStringEncodingUTF8)) {
+          infof(data, "Server certificate: %s\n", server_cert_summary_c);
+        }
+        CFRelease(server_cert_summary);
+      }
+      CFRelease(trust);
+    }
   }
   else {
-#if TARGET_OS_EMBEDDED == 0
     err = SSLCopyPeerCertificates(connssl->ssl_ctx, &server_certs);
     if(err == noErr) {
       count = CFArrayGetCount(server_certs);
@@ -943,8 +1011,8 @@ darwinssl_connect_step3(struct connectdata *conn,
       }
       CFRelease(server_certs);
     }
-#endif /* TARGET_OS_EMBEDDED == 0 */
   }
+#endif /* (TARGET_OS_EMBEDDED || TARGET_OS_IPHONE) */
 #else
 #pragma unused(trust)
   err = SSLCopyPeerCertificates(connssl->ssl_ctx, &server_certs);
@@ -1120,10 +1188,10 @@ void Curl_darwinssl_close(struct connectdata *conn, int sockindex)
 #if defined(__MAC_10_8) || defined(__IPHONE_5_0)
     if(SSLCreateContext != NULL)
       CFRelease(connssl->ssl_ctx);
-#if TARGET_OS_EMBEDDED == 0
+#if (TARGET_OS_MAC && !(TARGET_OS_EMBEDDED || TARGET_OS_IPHONE))
     else
       (void)SSLDisposeContext(connssl->ssl_ctx);
-#endif  /* TARGET_OS_EMBEDDED == 0 */
+#endif  /* (TARGET_OS_MAC && !(TARGET_OS_EMBEDDED || TARGET_OS_IPHONE)) */
 #else
     (void)SSLDisposeContext(connssl->ssl_ctx);
 #endif /* defined(__MAC_10_8) || defined(__IPHONE_5_0) */
@@ -1311,6 +1379,11 @@ static ssize_t darwinssl_recv(struct connectdata *conn,
         return -1;
         break;
 
+      case errSSLClosedGraceful: /* they're done; fail gracefully */
+        *curlcode = CURLE_OK;
+        return -1;
+        break;
+
       default:
         failf(conn->data, "SSLRead() return error %d", err);
         *curlcode = CURLE_RECV_ERROR;

lib/curl_schannel.c

@@ -156,14 +156,22 @@ schannel_connect_step1(struct connectdata *conn, int sockindex)
       infof(data, "schannel: disable server certificate revocation checks\n");
     }
 
-    if(Curl_inet_pton(AF_INET, conn->host.name, &addr) ||
+    if(Curl_inet_pton(AF_INET, conn->host.name, &addr)
 #ifdef ENABLE_IPV6
-       Curl_inet_pton(AF_INET6, conn->host.name, &addr6) ||
+       || Curl_inet_pton(AF_INET6, conn->host.name, &addr6)
 #endif
-       data->set.ssl.verifyhost < 2) {
+      ) {
       schannel_cred.dwFlags |= SCH_CRED_NO_SERVERNAME_CHECK;
-      infof(data, "schannel: using IP address, disable SNI servername "
-            "check\n");
+      infof(data, "schannel: using IP address, SNI is being disabled by "
+                  "disabling the servername check against the "
+                  "subject names in server certificates.\n");
+    }
+
+    if(!data->set.ssl.verifyhost) {
+      schannel_cred.dwFlags |= SCH_CRED_NO_SERVERNAME_CHECK;
+      infof(data, "schannel: verifyhost setting prevents Schannel from "
+                  "comparing the supplied target name with the subject "
+                  "names in server certificates. Also disables SNI.\n");
     }
 
     switch(data->set.ssl.version) {
@@ -1238,10 +1246,7 @@ static CURLcode verify_certificate(struct connectdata *conn, int sockindex)
   }
 
   if(result == CURLE_OK) {
-    if(data->set.ssl.verifyhost == 1) {
-      infof(data, "warning: ignoring unsupported value (1) ssl.verifyhost\n");
-    }
-    else if(data->set.ssl.verifyhost == 2) {
+    if(data->set.ssl.verifyhost) {
       TCHAR cert_hostname_buff[128];
       xcharp_u hostname;
       xcharp_u cert_hostname;

lib/cyassl.c

@@ -53,6 +53,8 @@
 #include "curl_memory.h"
 /* The last #include file should be: */
 #include "memdebug.h"
+#include <cyassl/ssl.h>
+#include <cyassl/error.h>
 
 
 static Curl_recv cyassl_recv;
@@ -237,6 +239,13 @@ cyassl_connect_step2(struct connectdata *conn,
   conn->recv[sockindex] = cyassl_recv;
   conn->send[sockindex] = cyassl_send;
 
+  /* Enable RFC2818 checks */
+  if(data->set.ssl.verifyhost) {
+    ret = CyaSSL_check_domain_name(conssl->handle, conn->host.name);
+    if(ret == SSL_FAILURE)
+      return CURLE_OUT_OF_MEMORY;
+  }
+
   ret = SSL_connect(conssl->handle);
   if(ret != 1) {
     char error_buffer[80];
@@ -246,16 +255,44 @@ cyassl_connect_step2(struct connectdata *conn,
       conssl->connecting_state = ssl_connect_2_reading;
       return CURLE_OK;
     }
-
-    if(SSL_ERROR_WANT_WRITE == detail) {
+    else if(SSL_ERROR_WANT_WRITE == detail) {
       conssl->connecting_state = ssl_connect_2_writing;
       return CURLE_OK;
     }
-
+    /* There is no easy way to override only the CN matching.
+     * This will enable the override of both mismatching SubjectAltNames
+     * as also mismatching CN fields */
+    else if(DOMAIN_NAME_MISMATCH == detail) {
+#if 1
+      failf(data, "\tsubject alt name(s) or common name do not match \"%s\"\n",
+            conn->host.dispname);
+      return CURLE_PEER_FAILED_VERIFICATION;
+#else
+      /* When the CyaSSL_check_domain_name() is used and you desire to continue
+       * on a DOMAIN_NAME_MISMATCH, i.e. 'data->set.ssl.verifyhost == 0',
+       * CyaSSL version 2.4.0 will fail with an INCOMPLETE_DATA error. The only
+       * way to do this is currently to switch the CyaSSL_check_domain_name()
+       * in and out based on the 'data->set.ssl.verifyhost' value. */
+      if(data->set.ssl.verifyhost) {
+        failf(data,
+              "\tsubject alt name(s) or common name do not match \"%s\"\n",
+              conn->host.dispname);
+        return CURLE_PEER_FAILED_VERIFICATION;
+      }
+      else {
+        infof(data,
+              "\tsubject alt name(s) and/or common name do not match \"%s\"\n",
+              conn->host.dispname);
+        return CURLE_OK;
+      }
+#endif
+    }
+    else {
       failf(data, "SSL_connect failed with error %d: %s", detail,
           ERR_error_string(detail, error_buffer));
       return CURLE_SSL_CONNECT_ERROR;
     }
+  }
 
   conssl->connecting_state = ssl_connect_3;
   infof(data, "SSL connected\n");

lib/dict.c

@@ -67,10 +67,10 @@
 #define _MPRINTF_REPLACE /* use our functions only */
 #include <curl/mprintf.h>
 
+#include "curl_memory.h"
 /* The last #include file should be: */
 #include "memdebug.h"
 
-
 /*
  * Forward declarations.
  */

lib/file.c

@@ -5,7 +5,7 @@
  *                            | (__| |_| |  _ <| |___
  *                             \___|\___/|_| \_\_____|
  *
- * Copyright (C) 1998 - 2011, Daniel Stenberg, <daniel@haxx.se>, et al.
+ * Copyright (C) 1998 - 2012, Daniel Stenberg, <daniel@haxx.se>, et al.
  *
  * This software is licensed as described in the file COPYING, which
  * you should have received as part of this distribution. The terms
@@ -310,7 +310,8 @@ static CURLcode file_upload(struct connectdata *conn)
 {
   struct FILEPROTO *file = conn->data->state.proto.file;
   const char *dir = strchr(file->path, DIRSEP);
-  FILE *fp;
+  int fd;
+  int mode;
   CURLcode res=CURLE_OK;
   struct SessionHandle *data = conn->data;
   char *buf = data->state.buffer;
@@ -335,34 +336,22 @@ static CURLcode file_upload(struct connectdata *conn)
   if(!dir[1])
     return CURLE_FILE_COULDNT_READ_FILE; /* fix: better error code */
 
+#ifdef O_BINARY
+#define MODE_DEFAULT O_WRONLY|O_CREAT|O_BINARY
+#else
+#define MODE_DEFAULT O_WRONLY|O_CREAT
+#endif
+
   if(data->state.resume_from)
-    fp = fopen( file->path, "ab" );
-  else {
-    int fd;
+    mode = MODE_DEFAULT|O_APPEND;
+  else
+    mode = MODE_DEFAULT|O_TRUNC;
 
-#ifdef DOS_FILESYSTEM
-    fd = open(file->path, O_WRONLY|O_CREAT|O_TRUNC|O_BINARY,
-              conn->data->set.new_file_perms);
-#else
-    fd = open(file->path, O_WRONLY|O_CREAT|O_TRUNC,
-              conn->data->set.new_file_perms);
-#endif
+  fd = open(file->path, mode, conn->data->set.new_file_perms);
   if(fd < 0) {
     failf(data, "Can't open %s for writing", file->path);
     return CURLE_WRITE_ERROR;
   }
-#ifdef HAVE_FDOPEN
-    fp = fdopen(fd, "wb");
-#else
-    close(fd);
-    fp = fopen(file->path, "wb");
-#endif
-  }
-
-  if(!fp) {
-    failf(data, "Can't open %s for writing", file->path);
-    return CURLE_WRITE_ERROR;
-  }
 
   if(-1 != data->set.infilesize)
     /* known size of data to "upload" */
@@ -370,8 +359,8 @@ static CURLcode file_upload(struct connectdata *conn)
 
   /* treat the negative resume offset value as the case of "-" */
   if(data->state.resume_from < 0) {
-    if(fstat(fileno(fp), &file_stat)) {
-      fclose(fp);
+    if(fstat(fd, &file_stat)) {
+      close(fd);
       failf(data, "Can't get the size of %s", file->path);
       return CURLE_WRITE_ERROR;
     }
@@ -407,7 +396,7 @@ static CURLcode file_upload(struct connectdata *conn)
       buf2 = buf;
 
     /* write the data to the target */
-    nwrite = fwrite(buf2, 1, nread, fp);
+    nwrite = write(fd, buf2, nread);
     if(nwrite != nread) {
       res = CURLE_SEND_ERROR;
       break;
@@ -425,7 +414,7 @@ static CURLcode file_upload(struct connectdata *conn)
   if(!res && Curl_pgrsUpdate(conn))
     res = CURLE_ABORTED_BY_CALLBACK;
 
-  fclose(fp);
+  close(fd);
 
   return res;
 }

lib/ftp.c

@@ -632,8 +632,8 @@ static CURLcode ftp_readresp(curl_socket_t sockfd,
                              size_t *size) /* size of the response */
 {
   struct connectdata *conn = pp->conn;
-#if defined(HAVE_KRB4) || defined(HAVE_GSSAPI)
   struct SessionHandle *data = conn->data;
+#if defined(HAVE_KRB4) || defined(HAVE_GSSAPI)
   char * const buf = data->state.buffer;
 #endif
   CURLcode result = CURLE_OK;
@@ -661,16 +661,23 @@ static CURLcode ftp_readresp(curl_socket_t sockfd,
 #endif
 
   /* store the latest code for later retrieval */
-  conn->data->info.httpcode=code;
+  data->info.httpcode=code;
 
   if(ftpcode)
     *ftpcode = code;
 
-  if(421 == code)
+  if(421 == code) {
     /* 421 means "Service not available, closing control connection." and FTP
      * servers use it to signal that idle session timeout has been exceeded.
-     * If we ignored the response, it could end up hanging in some cases. */
+     * If we ignored the response, it could end up hanging in some cases.
+     *
+     * This response code can come at any point so having it treated
+     * generically is a good idea.
+     */
+    infof(data, "We got a 421 - timeout!\n");
+    state(conn, FTP_STOP);
     return CURLE_OPERATION_TIMEDOUT;
+  }
 
   return result;
 }
@@ -1793,6 +1800,23 @@ static CURLcode ftp_state_quote(struct connectdata *conn,
   return result;
 }
 
+/* called from ftp_state_pasv_resp to switch to PASV in case of EPSV
+   problems */
+static CURLcode ftp_epsv_disable(struct connectdata *conn)
+{
+  CURLcode result = CURLE_OK;
+  infof(conn->data, "got positive EPSV response, but can't connect. "
+        "Disabling EPSV\n");
+  /* disable it for next transfer */
+  conn->bits.ftp_use_epsv = FALSE;
+  conn->data->state.errorbuf = FALSE; /* allow error message to get
+                                         rewritten */
+  PPSENDF(&conn->proto.ftpc.pp, "PASV", NULL);
+  conn->proto.ftpc.count1++;
+  /* remain in the FTP_PASV state */
+  return result;
+}
+
 static CURLcode ftp_state_pasv_resp(struct connectdata *conn,
                                     int ftpcode)
 {
@@ -1975,21 +1999,13 @@ static CURLcode ftp_state_pasv_resp(struct connectdata *conn,
 
   Curl_resolv_unlock(data, addr); /* we're done using this address */
 
-  if(result && ftpc->count1 == 0 && ftpcode == 229) {
-    infof(data, "got positive EPSV response, but can't connect. "
-          "Disabling EPSV\n");
-    /* disable it for next transfer */
-    conn->bits.ftp_use_epsv = FALSE;
-    data->state.errorbuf = FALSE; /* allow error message to get rewritten */
-    PPSENDF(&ftpc->pp, "PASV", NULL);
-    ftpc->count1++;
-    /* remain in the FTP_PASV state */
+  if(result) {
+    if(ftpc->count1 == 0 && ftpcode == 229)
+      return ftp_epsv_disable(conn);
+
     return result;
   }
 
-  if(result)
-    return result;
-
   conn->bits.tcpconnect[SECONDARYSOCKET] = connected;
 
   /*
@@ -2028,8 +2044,11 @@ static CURLcode ftp_state_pasv_resp(struct connectdata *conn,
     break;
   }
 
-  if(result)
+  if(result) {
+    if(ftpc->count1 == 0 && ftpcode == 229)
+      return ftp_epsv_disable(conn);
     return result;
+  }
 
   if(conn->bits.tunnel_proxy && conn->bits.httpproxy) {
     /* FIX: this MUST wait for a proper connect first if 'connected' is
@@ -2394,6 +2413,7 @@ static CURLcode ftp_state_stor_resp(struct connectdata *conn,
 
   if(ftpcode>=400) {
     failf(data, "Failed FTP upload: %0d", ftpcode);
+    state(conn, FTP_STOP);
     /* oops, we never close the sockets! */
     return CURLE_UPLOAD_FAILED;
   }
@@ -2411,9 +2431,6 @@ static CURLcode ftp_state_stor_resp(struct connectdata *conn,
     if(!connected) {
       struct ftp_conn *ftpc = &conn->proto.ftpc;
       infof(data, "Data conn was not available immediately\n");
-      /* as there's not necessarily an immediate action on the control
-         connection now, we halt the state machine */
-      state(conn, FTP_STOP);
       ftpc->wait_data_conn = TRUE;
     }
 
@@ -3663,6 +3680,8 @@ static CURLcode ftp_do_more(struct connectdata *conn, bool *complete)
   /* the ftp struct is inited in ftp_connect() */
   struct FTP *ftp = data->state.proto.ftp;
 
+  *complete = FALSE;
+
   /* if the second connection isn't done yet, wait for it */
   if(!conn->bits.tcpconnect[SECONDARYSOCKET]) {
     result = Curl_is_connected(conn, SECONDARYSOCKET, &connected);
@@ -3675,6 +3694,18 @@ static CURLcode ftp_do_more(struct connectdata *conn, bool *complete)
       return result;
   }
 
+  if((data->state.used_interface == Curl_if_multi) &&
+     ftpc->state) {
+    /* multi interface and already in a state so skip the intial commands.
+       They are only done to kickstart the do_more state */
+    result = ftp_multi_statemach(conn, complete);
+
+    /* if we got an error or if we don't wait for a data connection return
+       immediately */
+    if(result || (ftpc->wait_data_conn != TRUE))
+      return result;
+  }
+
   if(ftp->transfer <= FTPTRANSFER_INFO) {
     /* a transfer is about to take place, or if not a file name was given
        so we'll do a SIZE on it later and then we need the right TYPE first */
@@ -3728,6 +3759,12 @@ static CURLcode ftp_do_more(struct connectdata *conn, bool *complete)
           return result;
       }
     }
+    if(data->state.used_interface == Curl_if_multi) {
+      result = ftp_multi_statemach(conn, complete);
+
+      return result;
+    }
+    else
       result = ftp_easy_statemach(conn);
   }
 
@@ -4402,21 +4439,22 @@ CURLcode ftp_parse_url_path(struct connectdata *conn)
 static CURLcode ftp_dophase_done(struct connectdata *conn,
                                  bool connected)
 {
-  CURLcode result = CURLE_OK;
   struct FTP *ftp = conn->data->state.proto.ftp;
   struct ftp_conn *ftpc = &conn->proto.ftpc;
 
   if(connected) {
     bool completed;
-    result = ftp_do_more(conn, &completed);
-  }
+    CURLcode result = ftp_do_more(conn, &completed);
 
-  if(result && (conn->sock[SECONDARYSOCKET] != CURL_SOCKET_BAD)) {
-    /* Failure detected, close the second socket if it was created already */
+    if(result) {
+      if(conn->sock[SECONDARYSOCKET] != CURL_SOCKET_BAD) {
+        /* close the second socket if it was created already */
         Curl_closesocket(conn, conn->sock[SECONDARYSOCKET]);
         conn->sock[SECONDARYSOCKET] = CURL_SOCKET_BAD;
+      }
       return result;
     }
+  }
 
   if(ftp->transfer != FTPTRANSFER_BODY)
     /* no data to transfer */
@@ -4427,7 +4465,7 @@ static CURLcode ftp_dophase_done(struct connectdata *conn,
 
   ftpc->ctl_valid = TRUE; /* seems good */
 
-  return result;
+  return CURLE_OK;
 }
 
 /* called from multi.c while DOing */

lib/gopher.c

@@ -5,7 +5,7 @@
  *                            | (__| |_| |  _ <| |___
  *                             \___|\___/|_| \_\_____|
  *
- * Copyright (C) 1998 - 2011, Daniel Stenberg, <daniel@haxx.se>, et al.
+ * Copyright (C) 1998 - 2012, Daniel Stenberg, <daniel@haxx.se>, et al.
  *
  * This software is licensed as described in the file COPYING, which
  * you should have received as part of this distribution. The terms
@@ -70,10 +70,10 @@
 #define _MPRINTF_REPLACE /* use our functions only */
 #include <curl/mprintf.h>
 
+#include "curl_memory.h"
 /* The last #include file should be: */
 #include "memdebug.h"
 
-
 /*
  * Forward declarations.
  */

lib/gtls.c

@@ -299,14 +299,35 @@ static CURLcode handshake(struct connectdata *conn,
       connssl->connecting_state =
         gnutls_record_get_direction(session)?
         ssl_connect_2_writing:ssl_connect_2_reading;
+      continue;
       if(nonblocking)
         return CURLE_OK;
     }
-    else if((rc < 0) && gnutls_error_is_fatal(rc)) {
-      failf(data, "gnutls_handshake() warning: %s", gnutls_strerror(rc));
+    else if((rc < 0) && !gnutls_error_is_fatal(rc)) {
+      const char *strerr = NULL;
+
+      if(rc == GNUTLS_E_WARNING_ALERT_RECEIVED) {
+        int alert = gnutls_alert_get(session);
+        strerr = gnutls_alert_get_name(alert);
+      }
+
+      if(strerr == NULL)
+        strerr = gnutls_strerror(rc);
+
+      failf(data, "gnutls_handshake() warning: %s", strerr);
     }
     else if(rc < 0) {
-      failf(data, "gnutls_handshake() failed: %s", gnutls_strerror(rc));
+      const char *strerr = NULL;
+
+      if(rc == GNUTLS_E_FATAL_ALERT_RECEIVED) {
+        int alert = gnutls_alert_get(session);
+        strerr = gnutls_alert_get_name(alert);
+      }
+
+      if(strerr == NULL)
+        strerr = gnutls_strerror(rc);
+
+      failf(data, "gnutls_handshake() failed: %s", strerr);
       return CURLE_SSL_CONNECT_ERROR;
     }
 
@@ -660,7 +681,7 @@ gtls_connect_step3(struct connectdata *conn,
   rc = gnutls_x509_crt_check_hostname(x509_cert, conn->host.name);
 
   if(!rc) {
-    if(data->set.ssl.verifyhost > 1) {
+    if(data->set.ssl.verifyhost) {
       failf(data, "SSL: certificate subject name (%s) does not match "
             "target host name '%s'", certbuf, conn->host.dispname);
       gnutls_x509_crt_deinit(x509_cert);

lib/hostcheck.c

@@ -0,0 +1,96 @@
+/***************************************************************************
+ *                                  _   _ ____  _
+ *  Project                     ___| | | |  _ \| |
+ *                             / __| | | | |_) | |
+ *                            | (__| |_| |  _ <| |___
+ *                             \___|\___/|_| \_\_____|
+ *
+ * Copyright (C) 1998 - 2012, Daniel Stenberg, <daniel@haxx.se>, et al.
+ *
+ * This software is licensed as described in the file COPYING, which
+ * you should have received as part of this distribution. The terms
+ * are also available at http://curl.haxx.se/docs/copyright.html.
+ *
+ * You may opt to use, copy, modify, merge, publish, distribute and/or sell
+ * copies of the Software, and permit persons to whom the Software is
+ * furnished to do so, under the terms of the COPYING file.
+ *
+ * This software is distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY
+ * KIND, either express or implied.
+ *
+ ***************************************************************************/
+
+#include "setup.h"
+
+#if defined(USE_SSLEAY) || defined(USE_AXTLS)
+/* these two backends use functions from this file */
+
+#include "hostcheck.h"
+#include "rawstr.h"
+
+/*
+ * Match a hostname against a wildcard pattern.
+ * E.g.
+ *  "foo.host.com" matches "*.host.com".
+ *
+ * We use the matching rule described in RFC6125, section 6.4.3.
+ * http://tools.ietf.org/html/rfc6125#section-6.4.3
+ */
+
+static int hostmatch(const char *hostname, const char *pattern)
+{
+  const char *pattern_label_end, *pattern_wildcard, *hostname_label_end;
+  int wildcard_enabled;
+  size_t prefixlen, suffixlen;
+  pattern_wildcard = strchr(pattern, '*');
+  if(pattern_wildcard == NULL)
+    return Curl_raw_equal(pattern, hostname) ?
+      CURL_HOST_MATCH : CURL_HOST_NOMATCH;
+
+  /* We require at least 2 dots in pattern to avoid too wide wildcard
+     match. */
+  wildcard_enabled = 1;
+  pattern_label_end = strchr(pattern, '.');
+  if(pattern_label_end == NULL || strchr(pattern_label_end+1, '.') == NULL ||
+     pattern_wildcard > pattern_label_end ||
+     Curl_raw_nequal(pattern, "xn--", 4)) {
+    wildcard_enabled = 0;
+  }
+  if(!wildcard_enabled)
+    return Curl_raw_equal(pattern, hostname) ?
+      CURL_HOST_MATCH : CURL_HOST_NOMATCH;
+
+  hostname_label_end = strchr(hostname, '.');
+  if(hostname_label_end == NULL ||
+     !Curl_raw_equal(pattern_label_end, hostname_label_end))
+    return CURL_HOST_NOMATCH;
+
+  /* The wildcard must match at least one character, so the left-most
+     label of the hostname is at least as large as the left-most label
+     of the pattern. */
+  if(hostname_label_end - hostname < pattern_label_end - pattern)
+    return CURL_HOST_NOMATCH;
+
+  prefixlen = pattern_wildcard - pattern;
+  suffixlen = pattern_label_end - (pattern_wildcard+1);
+  return Curl_raw_nequal(pattern, hostname, prefixlen) &&
+    Curl_raw_nequal(pattern_wildcard+1, hostname_label_end - suffixlen,
+                    suffixlen) ?
+    CURL_HOST_MATCH : CURL_HOST_NOMATCH;
+}
+
+int Curl_cert_hostcheck(const char *match_pattern, const char *hostname)
+{
+  if(!match_pattern || !*match_pattern ||
+      !hostname || !*hostname) /* sanity check */
+    return 0;
+
+  if(Curl_raw_equal(hostname, match_pattern)) /* trivial case */
+    return 1;
+
+  if(hostmatch(hostname,match_pattern) == CURL_HOST_MATCH)
+    return 1;
+  return 0;
+}
+
+#endif /* SSLEAY or AXTLS */

lib/hostcheck.h

@@ -0,0 +1,31 @@
+#ifndef __HOSTCHECK_H
+#define __HOSTCHECK_H
+/***************************************************************************
+ *                                  _   _ ____  _
+ *  Project                     ___| | | |  _ \| |
+ *                             / __| | | | |_) | |
+ *                            | (__| |_| |  _ <| |___
+ *                             \___|\___/|_| \_\_____|
+ *
+ * Copyright (C) 1998 - 2012, Daniel Stenberg, <daniel@haxx.se>, et al.
+ *
+ * This software is licensed as described in the file COPYING, which
+ * you should have received as part of this distribution. The terms
+ * are also available at http://curl.haxx.se/docs/copyright.html.
+ *
+ * You may opt to use, copy, modify, merge, publish, distribute and/or sell
+ * copies of the Software, and permit persons to whom the Software is
+ * furnished to do so, under the terms of the COPYING file.
+ *
+ * This software is distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY
+ * KIND, either express or implied.
+ *
+ ***************************************************************************/
+
+#include <curl/curl.h>
+
+#define CURL_HOST_NOMATCH 0
+#define CURL_HOST_MATCH   1
+int Curl_cert_hostcheck(const char *match_pattern, const char *hostname);
+
+#endif

lib/hostip.c

@@ -5,7 +5,7 @@
  *                            | (__| |_| |  _ <| |___
  *                             \___|\___/|_| \_\_____|
  *
- * Copyright (C) 1998 - 2011, Daniel Stenberg, <daniel@haxx.se>, et al.
+ * Copyright (C) 1998 - 2012, Daniel Stenberg, <daniel@haxx.se>, et al.
  *
  * This software is licensed as described in the file COPYING, which
  * you should have received as part of this distribution. The terms
@@ -740,14 +740,18 @@ static int hostcache_inuse(void *data, void *hc)
   return 1; /* free all entries */
 }
 
-void Curl_hostcache_destroy(struct SessionHandle *data)
+void Curl_hostcache_clean(struct SessionHandle *data)
 {
   /* Entries added to the hostcache with the CURLOPT_RESOLVE function are
    * still present in the cache with the inuse counter set to 1. Detect them
    * and cleanup!
    */
   Curl_hash_clean_with_criterium(data->dns.hostcache, data, hostcache_inuse);
+}
 
+void Curl_hostcache_destroy(struct SessionHandle *data)
+{
+  Curl_hostcache_clean(data);
   Curl_hash_destroy(data->dns.hostcache);
   data->dns.hostcachetype = HCACHE_NONE;
   data->dns.hostcache = NULL;

lib/hostip.h

@@ -7,7 +7,7 @@
  *                            | (__| |_| |  _ <| |___
  *                             \___|\___/|_| \_\_____|
  *
- * Copyright (C) 1998 - 2011, Daniel Stenberg, <daniel@haxx.se>, et al.
+ * Copyright (C) 1998 - 2012, Daniel Stenberg, <daniel@haxx.se>, et al.
  *
  * This software is licensed as described in the file COPYING, which
  * you should have received as part of this distribution. The terms
@@ -200,11 +200,19 @@ extern sigjmp_buf curl_jmpenv;
  */
 CURLcode Curl_set_dns_servers(struct SessionHandle *data, char *servers);
 
+/*
+ * Clean off entries from the cache
+ */
+void Curl_hostcache_clean(struct SessionHandle *data);
+
 /*
  * Destroy the hostcache of this handle.
  */
 void Curl_hostcache_destroy(struct SessionHandle *data);
 
+/*
+ * Populate the cache with specified entries from CURLOPT_RESOLVE.
+ */
 CURLcode Curl_loadhostpairs(struct SessionHandle *data);
 
 #endif /* HEADER_CURL_HOSTIP_H */

lib/http.c

@@ -387,7 +387,8 @@ static CURLcode http_perhapsrewind(struct connectdata *conn)
        (data->state.authproxy.picked == CURLAUTH_NTLM_WB) ||
        (data->state.authhost.picked == CURLAUTH_NTLM_WB)) {
       if(((expectsend - bytessent) < 2000) ||
-         (conn->ntlm.state != NTLMSTATE_NONE)) {
+         (conn->ntlm.state != NTLMSTATE_NONE) ||
+         (conn->proxyntlm.state != NTLMSTATE_NONE)) {
         /* The NTLM-negotiation has started *OR* there is just a little (<2K)
            data left to send, keep on sending. */
 
@@ -407,7 +408,7 @@ static CURLcode http_perhapsrewind(struct connectdata *conn)
             " bytes\n", (curl_off_t)(expectsend - bytessent));
     }
 
-    /* This is not NTLM or NTLM with many bytes left to send: close
+    /* This is not NTLM or many bytes left to send: close
      */
     conn->bits.close = TRUE;
     data->req.size = 0; /* don't download any more than 0 bytes */

lib/http_digest.c

@@ -280,7 +280,7 @@ CURLcode Curl_output_digest(struct connectdata *conn,
   unsigned char *md5this;
   unsigned char *ha1;
   unsigned char ha2[33];/* 32 digits and 1 zero byte */
-  char cnoncebuf[7];
+  char cnoncebuf[33];
   char *cnonce = NULL;
   size_t cnonce_sz = 0;
   char *tmp = NULL;
@@ -344,7 +344,8 @@ CURLcode Curl_output_digest(struct connectdata *conn,
   if(!d->cnonce) {
     /* Generate a cnonce */
     now = Curl_tvnow();
-    snprintf(cnoncebuf, sizeof(cnoncebuf), "%06ld", (long)now.tv_sec);
+    snprintf(cnoncebuf, sizeof(cnoncebuf), "%32ld",
+             (long)now.tv_sec + now.tv_usec);
 
     rc = Curl_base64_encode(data, cnoncebuf, strlen(cnoncebuf),
                             &cnonce, &cnonce_sz);

lib/http_proxy.c

@@ -45,6 +45,7 @@
 
 #include "curlx.h"
 
+#include "curl_memory.h"
 /* The last #include file should be: */
 #include "memdebug.h"
 

lib/idn_win32.c

@@ -30,6 +30,10 @@
 
 #include "curl_multibyte.h"
 
+#include "curl_memory.h"
+/* The last #include file should be: */
+#include "memdebug.h"
+
 #ifdef WANT_IDN_PROTOTYPES
 WINBASEAPI int WINAPI IdnToAscii(DWORD, const WCHAR *, int, WCHAR *, int);
 WINBASEAPI int WINAPI IdnToUnicode(DWORD, const WCHAR *, int, WCHAR *, int);

lib/md5.c

@@ -28,9 +28,13 @@
 #include "curl_hmac.h"
 #include "warnless.h"
 
+#include "curl_memory.h"
+
 #if defined(USE_GNUTLS_NETTLE)
 
 #include <nettle/md5.h>
+/* The last #include file should be: */
+#include "memdebug.h"
 
 typedef struct md5_ctx MD5_CTX;
 
@@ -54,6 +58,8 @@ static void MD5_Final(unsigned char digest[16], MD5_CTX * ctx)
 #elif defined(USE_GNUTLS)
 
 #include <gcrypt.h>
+/* The last #include file should be: */
+#include "memdebug.h"
 
 typedef gcry_md_hd_t MD5_CTX;
 
@@ -84,6 +90,17 @@ static void MD5_Final(unsigned char digest[16], MD5_CTX * ctx)
 #    include <md5.h>
 #  endif
 
+#elif defined(__MAC_10_4) || defined(__IPHONE_5_0)
+
+/* For Apple operating systems: CommonCrypto has the functions we need.
+   The library's headers are even backward-compatible with OpenSSL's
+   headers as long as we define COMMON_DIGEST_FOR_OPENSSL first.
+
+   These functions are available on Tiger and later, as well as iOS 5.0
+   and later. If you're building for an older cat, well, sorry. */
+#  define COMMON_DIGEST_FOR_OPENSSL
+#  include <CommonCrypto/CommonDigest.h>
+
 #elif defined(_WIN32)
 
 #include <wincrypt.h>
@@ -425,6 +442,9 @@ static void Decode (UINT4 *output,
 
 #endif /* CRYPTO LIBS */
 
+/* The last #include file should be: */
+#include "memdebug.h"
+
 const HMAC_params Curl_HMAC_MD5[] = {
   {
     (HMAC_hinit_func) MD5_Init,           /* Hash initialization function. */

lib/multi.c

@@ -1789,12 +1789,6 @@ static CURLMcode multi_runsingle(struct Curl_multi *multi,
   } WHILE_FALSE; /* just to break out from! */
 
   if(CURLM_STATE_COMPLETED == easy->state) {
-    if(data->dns.hostcachetype == HCACHE_MULTI) {
-      /* clear out the usage of the shared DNS cache */
-      data->dns.hostcache = NULL;
-      data->dns.hostcachetype = HCACHE_NONE;
-    }
-
     /* now fill in the Curl_message with this info */
     msg = &easy->msg;
 
@@ -1911,9 +1905,6 @@ CURLMcode curl_multi_cleanup(CURLM *multi_handle)
       cl= n;
     }
 
-    Curl_hash_destroy(multi->hostcache);
-    multi->hostcache = NULL;
-
     Curl_hash_destroy(multi->sockhash);
     multi->sockhash = NULL;
 
@@ -1930,6 +1921,7 @@ CURLMcode curl_multi_cleanup(CURLM *multi_handle)
       nexteasy=easy->next;
       if(easy->easy_handle->dns.hostcachetype == HCACHE_MULTI) {
         /* clear out the usage of the shared DNS cache */
+        Curl_hostcache_clean(easy->easy_handle);
         easy->easy_handle->dns.hostcache = NULL;
         easy->easy_handle->dns.hostcachetype = HCACHE_NONE;
       }
@@ -1943,6 +1935,9 @@ CURLMcode curl_multi_cleanup(CURLM *multi_handle)
       easy = nexteasy;
     }
 
+    Curl_hash_destroy(multi->hostcache);
+    multi->hostcache = NULL;
+
     free(multi);
 
     return CURLM_OK;

lib/non-ascii.c

@@ -5,7 +5,7 @@
  *                            | (__| |_| |  _ <| |___
  *                             \___|\___/|_| \_\_____|
  *
- * Copyright (C) 1998 - 2011, Daniel Stenberg, <daniel@haxx.se>, et al.
+ * Copyright (C) 1998 - 2012, Daniel Stenberg, <daniel@haxx.se>, et al.
  *
  * This software is licensed as described in the file COPYING, which
  * you should have received as part of this distribution. The terms
@@ -24,12 +24,16 @@
 
 #ifdef CURL_DOES_CONVERSIONS
 
+#include <curl/curl.h>
+
 #include "non-ascii.h"
 #include "formdata.h"
 #include "sendf.h"
 #include "urldata.h"
 
-#include <curl/curl.h>
+#include "curl_memory.h"
+/* The last #include file should be: */
+#include "memdebug.h"
 
 #ifdef HAVE_ICONV
 #include <iconv.h>

lib/nss.c

@@ -1316,8 +1316,6 @@ CURLcode Curl_nss_connect(struct connectdata *conn, int sockindex)
 
   if(!data->set.ssl.verifypeer && data->set.ssl.verifyhost)
     infof(data, "warning: ignoring value of ssl.verifyhost\n");
-  else if(data->set.ssl.verifyhost == 1)
-    infof(data, "warning: ignoring unsupported value (1) of ssl.verifyhost\n");
 
   /* bypass the default SSL_AuthCertificate() hook in case we do not want to
    * verify peer */

lib/nwlib.c

@@ -5,7 +5,7 @@
  *                            | (__| |_| |  _ <| |___
  *                             \___|\___/|_| \_\_____|
  *
- * Copyright (C) 1998 - 2009, Daniel Stenberg, <daniel@haxx.se>, et al.
+ * Copyright (C) 1998 - 2012, Daniel Stenberg, <daniel@haxx.se>, et al.
  *
  * This software is licensed as described in the file COPYING, which
  * you should have received as part of this distribution. The terms
@@ -32,6 +32,9 @@
 #include <nks/thread.h>
 #include <nks/synch.h>
 
+#include "curl_memory.h"
+/* The last #include file should be: */
+#include "memdebug.h"
 
 typedef struct
 {

lib/pingpong.c

@@ -5,7 +5,7 @@
  *                            | (__| |_| |  _ <| |___
  *                             \___|\___/|_| \_\_____|
  *
- * Copyright (C) 1998 - 2011, Daniel Stenberg, <daniel@haxx.se>, et al.
+ * Copyright (C) 1998 - 2012, Daniel Stenberg, <daniel@haxx.se>, et al.
  *
  * This software is licensed as described in the file COPYING, which
  * you should have received as part of this distribution. The terms
@@ -424,6 +424,9 @@ CURLcode Curl_pp_readresp(curl_socket_t sockfd,
            it may actually contain another end of response already! */
         clipamount = gotbytes - i;
         restart = TRUE;
+        DEBUGF(infof(data, "Curl_pp_readresp_ %d bytes of trailing "
+                     "server response left\n",
+                     (int)clipamount));
       }
       else if(keepon) {
 

lib/polarssl.c

@@ -212,8 +212,15 @@ polarssl_connect_step1(struct connectdata *conn,
     infof(data, "PolarSSL re-using session\n");
   }
 
+/* PolarSSL SVN revision r1316 to r1317, matching <1.2.0 is to cover Ubuntu's
+   1.1.4 version and the like */
+#if POLARSSL_VERSION_NUMBER<0x01020000
   ssl_set_session(&connssl->ssl, 1, 600,
                   &connssl->ssn);
+#else
+  ssl_set_session(&connssl->ssl,
+                  &connssl->ssn);
+#endif
 
   ssl_set_ca_chain(&connssl->ssl,
                    &connssl->cacert,
@@ -306,12 +313,25 @@ polarssl_connect_step2(struct connectdata *conn,
     return CURLE_PEER_FAILED_VERIFICATION;
   }
 
+/* PolarSSL SVN revision r1316 to r1317, matching <1.2.0 is to cover Ubuntu's
+   1.1.4 version and the like */
+#if POLARSSL_VERSION_NUMBER<0x01020000
   if(conn->ssl[sockindex].ssl.peer_cert) {
+#else
+  if(ssl_get_peer_cert(&(connssl->ssl))) {
+#endif
     /* If the session was resumed, there will be no peer certs */
     memset(buffer, 0, sizeof(buffer));
 
+/* PolarSSL SVN revision r1316 to r1317, matching <1.2.0 is to cover Ubuntu's
+   1.1.4 version and the like */
+#if POLARSSL_VERSION_NUMBER<0x01020000
     if(x509parse_cert_info(buffer, sizeof(buffer), (char *)"* ",
                            conn->ssl[sockindex].ssl.peer_cert) != -1)
+#else
+    if(x509parse_cert_info(buffer, sizeof(buffer), (char *)"* ",
+                           ssl_get_peer_cert(&(connssl->ssl))) != -1)
+#endif
       infof(data, "Dumping cert info:\n%s\n", buffer);
   }
 

lib/sendf.c

@@ -264,7 +264,7 @@ CURLcode Curl_write(struct connectdata *conn,
 
   default:
     /* we got a specific curlcode, forward it */
-    return (CURLcode)curlcode;
+    return curlcode;
   }
 }
 

lib/ssh.c

@@ -2982,6 +2982,10 @@ static ssize_t scp_send(struct connectdata *conn, int sockindex,
     *err = CURLE_AGAIN;
     nwrite = 0;
   }
+  else if(nwrite < LIBSSH2_ERROR_NONE) {
+    *err = libssh2_session_error_to_CURLE(nwrite);
+    nwrite = -1;
+  }
 
   return nwrite;
 }
@@ -3126,6 +3130,10 @@ static ssize_t sftp_send(struct connectdata *conn, int sockindex,
     *err = CURLE_AGAIN;
     nwrite = 0;
   }
+  else if(nwrite < LIBSSH2_ERROR_NONE) {
+    *err = libssh2_session_error_to_CURLE(nwrite);
+    nwrite = -1;
+  }
 
   return nwrite;
 }

lib/ssluse.c

@@ -50,6 +50,7 @@
 #include "select.h"
 #include "sslgen.h"
 #include "rawstr.h"
+#include "hostcheck.h"
 
 #define _MPRINTF_REPLACE /* use the internal *printf() functions */
 #include <curl/mprintf.h>
@@ -1039,71 +1040,6 @@ static int asn1_output(const ASN1_UTCTIME *tm,
 
 /* ====================================================== */
 
-/*
- * Match a hostname against a wildcard pattern.
- * E.g.
- *  "foo.host.com" matches "*.host.com".
- *
- * We use the matching rule described in RFC6125, section 6.4.3.
- * http://tools.ietf.org/html/rfc6125#section-6.4.3
- */
-#define HOST_NOMATCH 0
-#define HOST_MATCH   1
-
-static int hostmatch(const char *hostname, const char *pattern)
-{
-  const char *pattern_label_end, *pattern_wildcard, *hostname_label_end;
-  int wildcard_enabled;
-  size_t prefixlen, suffixlen;
-  pattern_wildcard = strchr(pattern, '*');
-  if(pattern_wildcard == NULL) {
-    return Curl_raw_equal(pattern, hostname) ? HOST_MATCH : HOST_NOMATCH;
-  }
-  /* We require at least 2 dots in pattern to avoid too wide wildcard
-     match. */
-  wildcard_enabled = 1;
-  pattern_label_end = strchr(pattern, '.');
-  if(pattern_label_end == NULL || strchr(pattern_label_end+1, '.') == NULL ||
-     pattern_wildcard > pattern_label_end ||
-     Curl_raw_nequal(pattern, "xn--", 4)) {
-    wildcard_enabled = 0;
-  }
-  if(!wildcard_enabled) {
-    return Curl_raw_equal(pattern, hostname) ? HOST_MATCH : HOST_NOMATCH;
-  }
-  hostname_label_end = strchr(hostname, '.');
-  if(hostname_label_end == NULL ||
-     !Curl_raw_equal(pattern_label_end, hostname_label_end)) {
-    return HOST_NOMATCH;
-  }
-  /* The wildcard must match at least one character, so the left-most
-     label of the hostname is at least as large as the left-most label
-     of the pattern. */
-  if(hostname_label_end - hostname < pattern_label_end - pattern) {
-    return HOST_NOMATCH;
-  }
-  prefixlen = pattern_wildcard - pattern;
-  suffixlen = pattern_label_end - (pattern_wildcard+1);
-  return Curl_raw_nequal(pattern, hostname, prefixlen) &&
-    Curl_raw_nequal(pattern_wildcard+1, hostname_label_end - suffixlen,
-                    suffixlen) ?
-    HOST_MATCH : HOST_NOMATCH;
-}
-
-static int
-cert_hostcheck(const char *match_pattern, const char *hostname)
-{
-  if(!match_pattern || !*match_pattern ||
-      !hostname || !*hostname) /* sanity check */
-    return 0;
-
-  if(Curl_raw_equal(hostname, match_pattern)) /* trivial case */
-    return 1;
-
-  if(hostmatch(hostname,match_pattern) == HOST_MATCH)
-    return 1;
-  return 0;
-}
 
 /* Quote from RFC2818 section 3.1 "Server Identity"
 
@@ -1192,7 +1128,7 @@ static CURLcode verifyhost(struct connectdata *conn,
           if((altlen == strlen(altptr)) &&
              /* if this isn't true, there was an embedded zero in the name
                 string and we cannot match it. */
-             cert_hostcheck(altptr, conn->host.name))
+             Curl_cert_hostcheck(altptr, conn->host.name))
             matched = 1;
           else
             matched = 0;
@@ -1291,16 +1227,11 @@ static CURLcode verifyhost(struct connectdata *conn,
             "SSL: unable to obtain common name from peer certificate");
       res = CURLE_PEER_FAILED_VERIFICATION;
     }
-    else if(!cert_hostcheck((const char *)peer_CN, conn->host.name)) {
-      if(data->set.ssl.verifyhost > 1) {
+    else if(!Curl_cert_hostcheck((const char *)peer_CN, conn->host.name)) {
       failf(data, "SSL: certificate subject name '%s' does not match "
             "target host name '%s'", peer_CN, conn->host.dispname);
       res = CURLE_PEER_FAILED_VERIFICATION;
     }
-      else
-        infof(data, "\t common name: %s (does not match '%s')\n",
-              peer_CN, conn->host.dispname);
-    }
     else {
       infof(data, "\t common name: %s (matched)\n", peer_CN);
     }
@@ -1570,6 +1501,10 @@ ossl_connect_step1(struct connectdata *conn,
   ctx_options |= SSL_OP_NO_TICKET;
 #endif
 
+#ifdef SSL_OP_NO_COMPRESSION
+  ctx_options |= SSL_OP_NO_COMPRESSION;
+#endif
+
 #ifdef SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG
   /* mitigate CVE-2010-4180 */
   ctx_options &= ~SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG;
@@ -2308,11 +2243,11 @@ static CURLcode servercert(struct connectdata *conn,
   infof(data, "\t subject: %s\n", buffer);
 
   certdate = X509_get_notBefore(connssl->server_cert);
-  asn1_output(certdate, buffer, sizeof(buffer));
+  asn1_output(certdate, buffer, BUFSIZE);
   infof(data, "\t start date: %s\n", buffer);
 
   certdate = X509_get_notAfter(connssl->server_cert);
-  asn1_output(certdate, buffer, sizeof(buffer));
+  asn1_output(certdate, buffer, BUFSIZE);
   infof(data, "\t expire date: %s\n", buffer);
 
   if(data->set.ssl.verifyhost) {
@@ -2325,7 +2260,7 @@ static CURLcode servercert(struct connectdata *conn,
   }
 
   rc = x509_name_oneline(X509_get_issuer_name(connssl->server_cert),
-                         buffer, sizeof(buffer));
+                         buffer, BUFSIZE);
   if(rc) {
     if(strict)
       failf(data, "SSL: couldn't get X509-issuer name!");

lib/strdup.c

@@ -5,7 +5,7 @@
  *                            | (__| |_| |  _ <| |___
  *                             \___|\___/|_| \_\_____|
  *
- * Copyright (C) 1998 - 2008, Daniel Stenberg, <daniel@haxx.se>, et al.
+ * Copyright (C) 1998 - 2012, Daniel Stenberg, <daniel@haxx.se>, et al.
  *
  * This software is licensed as described in the file COPYING, which
  * you should have received as part of this distribution. The terms
@@ -19,7 +19,9 @@
  * KIND, either express or implied.
  *
  ***************************************************************************/
-
+/*
+ * This file is 'mem-include-scan' clean. See test 1132.
+ */
 #include "setup.h"
 
 #include "strdup.h"

lib/strerror.c

@@ -44,6 +44,9 @@
 #define _MPRINTF_REPLACE /* use our functions only */
 #include <curl/mprintf.h>
 
+#include "curl_memory.h"
+/* The last #include file should be: */
+#include "memdebug.h"
 
 const char *
 curl_easy_strerror(CURLcode error)

lib/tftp.c

@@ -591,16 +591,25 @@ static CURLcode tftp_rx(tftp_state_data_t *state, tftp_event_t event)
   case TFTP_EVENT_DATA:
     /* Is this the block we expect? */
     rblock = getrpacketblock(&state->rpacket);
-    if(NEXT_BLOCKNUM(state->block) != rblock) {
-      /* No, log it */
+    if(NEXT_BLOCKNUM(state->block) == rblock) {
+      /* This is the expected block.  Reset counters and ACK it. */
+      state->retries = 0;
+    }
+    else if(state->block == rblock) {
+      /* This is the last recently received block again. Log it and ACK it
+         again. */
+      infof(data, "Received last DATA packet block %d again.\n", rblock);
+    }
+    else {
+      /* totally unexpected, just log it */
       infof(data,
             "Received unexpected DATA packet block %d, expecting block %d\n",
             rblock, NEXT_BLOCKNUM(state->block));
       break;
     }
-    /* This is the expected block.  Reset counters and ACK it. */
+
+    /* ACK this block. */
     state->block = (unsigned short)rblock;
-    state->retries = 0;
     setpacketevent(&state->spacket, TFTP_EVENT_ACK);
     setpacketblock(&state->spacket, state->block);
     sbytes = sendto(state->sockfd, (void *)state->spacket.data,

lib/transfer.c

@@ -1030,12 +1030,6 @@ CURLcode Curl_readwrite(struct connectdata *conn,
     if(result || *done)
       return result;
   }
-  else if(k->keepon & KEEP_RECV) {
-    DEBUGF(infof(data, "additional stuff not fine %s:%d: %d %d\n",
-                 __FILE__, __LINE__,
-                 select_res & CURL_CSELECT_IN,
-                 conn->bits.stream_was_rewound));
-  }
 
   /* If we still have writing to do, we check if we have a writable socket. */
   if((k->keepon & KEEP_SEND) && (select_res & CURL_CSELECT_OUT)) {
@@ -1433,10 +1427,6 @@ CURLcode Curl_pretransfer(struct SessionHandle *data)
 
   data->state.ssl_connect_retry = FALSE;
 
-  /* zero out auth state */
-  memset(&data->state.authhost, 0, sizeof(struct auth));
-  memset(&data->state.authproxy, 0, sizeof(struct auth));
-
   data->state.authproblem = FALSE;
   data->state.authhost.want = data->set.httpauth;
   data->state.authproxy.want = data->set.proxyauth;
@@ -1473,6 +1463,12 @@ CURLcode Curl_pretransfer(struct SessionHandle *data)
 
     if(data->set.connecttimeout)
       Curl_expire(data, data->set.connecttimeout);
+
+    /* In case the handle is re-used and an authentication method was picked
+       in the session we need to make sure we only use the one(s) we now
+       consider to be fine */
+    data->state.authhost.picked &= data->state.authhost.want;
+    data->state.authproxy.picked &= data->state.authproxy.want;
   }
 
   return res;

lib/url.c

@@ -708,7 +708,7 @@ CURLcode Curl_init_userdefined(struct UserDefined *set)
    * switched off unless wanted.
    */
   set->ssl.verifypeer = TRUE;
-  set->ssl.verifyhost = 2;
+  set->ssl.verifyhost = TRUE;
 #ifdef USE_TLS_SRP
   set->ssl.authtype = CURL_TLSAUTH_NONE;
 #endif
@@ -2049,13 +2049,25 @@ CURLcode Curl_setopt(struct SessionHandle *data, CURLoption option,
     /*
      * Enable peer SSL verifying.
      */
-    data->set.ssl.verifypeer = va_arg(param, long);
+    data->set.ssl.verifypeer = (0 != va_arg(param, long))?TRUE:FALSE;
     break;
   case CURLOPT_SSL_VERIFYHOST:
     /*
-     * Enable verification of the CN contained in the peer certificate
+     * Enable verification of the host name in the peer certificate
      */
-    data->set.ssl.verifyhost = va_arg(param, long);
+    arg = va_arg(param, long);
+
+    /* Obviously people are not reading documentation and too many thought
+       this argument took a boolean when it wasn't and misused it. We thus ban
+       1 as a sensible input and we warn about its use. Then we only have the
+       2 action internally stored as TRUE. */
+
+    if(1 == arg) {
+      failf(data, "CURLOPT_SSL_VERIFYHOST no longer supports 1 as value!");
+      return CURLE_BAD_FUNCTION_ARGUMENT;
+    }
+
+    data->set.ssl.verifyhost = (0 != arg)?TRUE:FALSE;
     break;
 #ifdef USE_SSLEAY
     /* since these two options are only possible to use on an OpenSSL-
@@ -2589,7 +2601,7 @@ CURLcode Curl_setopt(struct SessionHandle *data, CURLoption option,
       data->set.ssl.authtype = CURL_TLSAUTH_SRP; /* default to SRP */
     break;
   case CURLOPT_TLSAUTH_TYPE:
-    if(strncmp((char *)va_arg(param, char *), "SRP", strlen("SRP")) == 0)
+    if(strnequal((char *)va_arg(param, char *), "SRP", strlen("SRP")))
       data->set.ssl.authtype = CURL_TLSAUTH_SRP;
     else
       data->set.ssl.authtype = CURL_TLSAUTH_NONE;
@@ -3975,8 +3987,16 @@ static CURLcode parseurlandfillconn(struct SessionHandle *data,
      last part of the URI. We are looking for the first '#' so that we deal
      gracefully with non conformant URI such as http://example.com#foo#bar. */
   fragment = strchr(path, '#');
+  if(fragment) {
+    *fragment = 0;
+
+    /* we know the path part ended with a fragment, so we know the full URL
+       string does too and we need to cut it off from there so it isn't used
+       over proxy */
+    fragment = strchr(data->change.url, '#');
     if(fragment)
       *fragment = 0;
+  }
 
   /*
    * So if the URL was A://B/C#D,

lib/urldata.h

@@ -332,10 +332,9 @@ struct ssl_connect_data {
 struct ssl_config_data {
   long version;          /* what version the client wants to use */
   long certverifyresult; /* result from the certificate verification */
-  long verifypeer;       /* set TRUE if this is desired */
-  long verifyhost;       /* 0: no verify
-                            1: check that CN exists
-                            2: CN must match hostname */
+
+  bool verifypeer;       /* set TRUE if this is desired */
+  bool verifyhost;       /* set TRUE if CN/SAN must match hostname */
   char *CApath;          /* certificate dir (doesn't work on windows) */
   char *CAfile;          /* certificate to verify peer against */
   const char *CRLfile;   /* CRL to check certificate revocation */
@@ -994,8 +993,8 @@ struct connectdata {
   int socks5_gssapi_enctype;
 #endif
 
-  long verifypeer;
-  long verifyhost;
+  bool verifypeer;
+  bool verifyhost;
 
   /* When this connection is created, store the conditions for the local end
      bind. This is stored before the actual bind and before any connection is

m4/curl-compilers.m4

@@ -97,7 +97,7 @@ AC_DEFUN([CURL_CHECK_COMPILER_CLANG], [
     flags_dbg_all="$flags_dbg_all -gdwarf-2"
     flags_dbg_all="$flags_dbg_all -gvms"
     flags_dbg_yes="-g"
-    flags_dbg_off="-g0"
+    flags_dbg_off=""
     flags_opt_all="-O -O0 -O1 -O2 -Os -O3 -O4"
     flags_opt_yes="-Os"
     flags_opt_off="-O0"
@@ -121,7 +121,7 @@ AC_DEFUN([CURL_CHECK_COMPILER_DEC_C], [
     compiler_id="DEC_C"
     flags_dbg_all="-g -g0 -g1 -g2 -g3"
     flags_dbg_yes="-g2"
-    flags_dbg_off="-g0"
+    flags_dbg_off=""
     flags_opt_all="-O -O0 -O1 -O2 -O3 -O4"
     flags_opt_yes="-O1"
     flags_opt_off="-O0"
@@ -157,7 +157,7 @@ AC_DEFUN([CURL_CHECK_COMPILER_GNU_C], [
     flags_dbg_all="$flags_dbg_all -gdwarf-2"
     flags_dbg_all="$flags_dbg_all -gvms"
     flags_dbg_yes="-g"
-    flags_dbg_off="-g0"
+    flags_dbg_off=""
     flags_opt_all="-O -O0 -O1 -O2 -O3 -Os"
     flags_opt_yes="-O2"
     flags_opt_off="-O0"
@@ -236,7 +236,7 @@ AC_DEFUN([CURL_CHECK_COMPILER_INTEL_C], [
       compiler_id="INTEL_UNIX_C"
       flags_dbg_all="-g -g0"
       flags_dbg_yes="-g"
-      flags_dbg_off="-g0"
+      flags_dbg_off=""
       flags_opt_all="-O -O0 -O1 -O2 -O3 -Os"
       flags_opt_yes="-O2"
       flags_opt_off="-O0"
@@ -300,7 +300,7 @@ AC_DEFUN([CURL_CHECK_COMPILER_SGI_MIPS_C], [
     compiler_id="SGI_MIPS_C"
     flags_dbg_all="-g -g0 -g1 -g2 -g3"
     flags_dbg_yes="-g"
-    flags_dbg_off="-g0"
+    flags_dbg_off=""
     flags_opt_all="-O -O0 -O1 -O2 -O3 -Ofast"
     flags_opt_yes="-O2"
     flags_opt_off="-O0"
@@ -327,7 +327,7 @@ AC_DEFUN([CURL_CHECK_COMPILER_SGI_MIPSPRO_C], [
     compiler_id="SGI_MIPSPRO_C"
     flags_dbg_all="-g -g0 -g1 -g2 -g3"
     flags_dbg_yes="-g"
-    flags_dbg_off="-g0"
+    flags_dbg_off=""
     flags_opt_all="-O -O0 -O1 -O2 -O3 -Ofast"
     flags_opt_yes="-O2"
     flags_opt_off="-O0"

packages/OS400/README.OS400

@@ -73,6 +73,7 @@ options:
         CURLOPT_COPYPOSTFIELDS
         CURLOPT_CRLFILE
         CURLOPT_CUSTOMREQUEST
+        CURLOPT_DNS_SERVERS
         CURLOPT_EGDSOCKET
         CURLOPT_ENCODING
         CURLOPT_FTP_ACCOUNT
@@ -83,6 +84,7 @@ options:
         CURLOPT_KEYPASSWD
         CURLOPT_KRBLEVEL
         CURLOPT_MAIL_FROM
+        CURLOPT_MAIL_AUTH
         CURLOPT_NETRC_FILE
         CURLOPT_NOPROXY
         CURLOPT_PASSWORD

packages/OS400/ccsidcurl.c

@@ -1032,7 +1032,7 @@ curl_easy_setopt_ccsid(CURL * curl, CURLoption tag, ...)
 #ifdef USE_TLS_SRP
     if ((int) STRING_LAST != (int) STRING_TLSAUTH_PASSWORD + 1)
 #else
-    if ((int) STRING_LAST != (int) STRING_MAIL_FROM + 1)
+    if ((int) STRING_LAST != (int) STRING_MAIL_AUTH + 1)
 #endif
       curl_mfprintf(stderr,
        "*** WARNING: curl_easy_setopt_ccsid() should be reworked ***\n");
@@ -1051,6 +1051,7 @@ curl_easy_setopt_ccsid(CURL * curl, CURLoption tag, ...)
   case CURLOPT_COOKIELIST:
   case CURLOPT_CRLFILE:
   case CURLOPT_CUSTOMREQUEST:
+  case CURLOPT_DNS_SERVERS:
   case CURLOPT_EGDSOCKET:
   case CURLOPT_ENCODING:
   case CURLOPT_FTP_ACCOUNT:
@@ -1061,6 +1062,7 @@ curl_easy_setopt_ccsid(CURL * curl, CURLoption tag, ...)
   case CURLOPT_KEYPASSWD:
   case CURLOPT_KRBLEVEL:
   case CURLOPT_MAIL_FROM:
+  case CURLOPT_MAIL_AUTH:
   case CURLOPT_NETRC_FILE:
   case CURLOPT_NOPROXY:
   case CURLOPT_PASSWORD:

packages/OS400/curl.inc.in

@@ -173,6 +173,8 @@
      d                 c                   X'00000004'
      d CURLSSH_AUTH_KEYBOARD...
      d                 c                   X'00000008'
+     d CURLSSH_AUTH_AGENT...
+     d                 c                   X'00000010'
      d CURLSSH_AUTH_DEFAULT...
      d                 c                   X'7FFFFFFF'                          CURLSSH_AUTH_ANY
       *
@@ -236,8 +238,10 @@
      d                 c                   1
      d CURL_REDIR_POST_302...
      d                 c                   2
+     d CURL_REDIR_POST_303...
+     d                 c                   4
      d CURL_REDIR_POST_ALL...
-     d                 c                   3
+     d                 c                   7
       *
      d CURL_POLL_NONE  c                   0
      d CURL_POLL_IN    c                   1
@@ -299,6 +303,13 @@
      d CURL_FNMATCHFUNC_FAIL...
      d                 c                   2
       *
+     d CURL_WAIT_POLLIN...
+     d                 c                   X'0001'
+     d CURL_WAIT_POLLPRI...
+     d                 c                   X'0002'
+     d CURL_WAIT_POLLOUT...
+     d                 c                   X'0004'
+      *
       **************************************************************************
       *                                Types
       **************************************************************************
@@ -327,11 +338,11 @@
      d                 c                   8
      d  CURLE_REMOTE_ACCESS_DENIED...
      d                 c                   9
-     d  CURLE_OBSOLETE10...
+     d  CURLE_FTP_ACCEPT_FAILED...
      d                 c                   10
      d  CURLE_FTP_WEIRD_PASS_REPLY...
      d                 c                   11
-     d  CURLE_OBSOLETE12...
+     d  CURLE_FTP_ACCEPT_TIMEOUT...
      d                 c                   12
      d  CURLE_FTP_WEIRD_PASV_REPLY...
      d                 c                   13
@@ -641,6 +652,9 @@
      d  CURLUSESSL_ALL...
      d                 c                   3
       *
+     d CURLSSLOPT_ALLOW_BEAST...
+     d                 c                   1
+      *
       /if not defined(CURL_NO_OLDIES)
      d curl_ftpssl     s                   like(curl_usessl)
      d                                     based(######ptr######)
@@ -1124,6 +1138,20 @@
      d                 c                   10209
      d  CURLOPT_GSSAPI_DELEGATION...
      d                 c                   00210
+     d  CURLOPT_DNS_SERVERS...
+     d                 c                   10211
+     d  CURLOPT_ACCEPTTIMEOUT_MS...
+     d                 c                   00212
+     d  CURLOPT_TCP_KEEPALIVE...
+     d                 c                   00213
+     d  CURLOPT_TCP_KEEPIDLE...
+     d                 c                   00214
+     d  CURLOPT_TCP_KEEPINTVL...
+     d                 c                   00215
+     d  CURLOPT_SSL_OPTIONS...
+     d                 c                   00216
+     d  CURLOPT_MAIL_AUTH...
+     d                 c                   10217
       *
       /if not defined(CURL_NO_OLDIES)
      d  CURLOPT_SSLKEYPASSWD...
@@ -1385,6 +1413,8 @@
      d curlsocktype    s             10i 0 based(######ptr######)               Enum
      d  CURLSOCKTYPE_IPCXN...
      d                 c                   0
+     d  CURLSOCKTYPE_ACCEPT...
+     d                 c                   1
       *
      d  CURL_SOCKOPT_OK...
      d                 c                   0
@@ -1471,6 +1501,13 @@
      d   whatever                      *   overlay(data)                        void *
      d   result                            overlay(data) like(CURLcode)
       *
+     d curl_waitfd...
+     d                 ds                  based(######ptr######)
+     d                                     qualified
+     d  fd                                 like(curl_socket_t)
+     d  events                        5i 0
+     d  revents                       5i 0
+      *
      d curl_http_post...
      d                 ds                  based(######ptr######)
      d                                     qualified
@@ -1916,6 +1953,15 @@
      d  exc_fd_set                65535    options(*varsize)                    fd_set
      d  max_fd                       10i 0
       *
+     d curl_multi_wait...
+     d                 pr                  extproc('curl_multi_wait')
+     d                                     like(CURLMcode)
+     d  multi_handle                   *   value                                CURLM *
+     d  extra_fds                      *   value                                curl_waitfd *
+     d  extra_nfds                   10u 0 value
+     d  timeout_ms                   10i 0 value
+     d  ret                          10i 0 options(*omit)
+      *
      d curl_multi_perform...
      d                 pr                  extproc('curl_multi_perform')
      d                                     like(CURLMcode)

packages/OS400/initscript.sh

@@ -157,11 +157,8 @@ db2_name()
         basename "${1}"                                                 |
         tr 'a-z-' 'A-Z_'                                                |
         sed -e 's/\..*//'                                               \
-            -e 's/\([^_]\)[^_]*_\(.*\)/\1\2/'                                \
-            -e 's/\([^_]\)\([^_]\)[^_]*_\(.*\)/\1\2\3/'                      \
-            -e 's/\([^_]\)\([^_]\)\([^_]\)[^_]*_\(.*\)/\1\2\3\4/'            \
-            -e 's/\([^_]\)\([^_]\)\([^_]\)\([^_]\)[^_]*_\(.*\)/\1\2\3\4\5/'  \
-            -e 's/^\(..........\).*/\1/'
+            -e 's/^CURL_*/C/'                                           \
+            -e 's/^\(.\).*\(.........\)$/\1\2/'
 }
 
 

packages/OS400/make-lib.sh

@@ -13,7 +13,7 @@ cd "${TOPDIR}/lib"
 echo '#pragma comment(user, "libcurl version '"${LIBCURL_VERSION}"'")' > os400.c
 echo '#pragma comment(user, __DATE__)' >> os400.c
 echo '#pragma comment(user, __TIME__)' >> os400.c
-echo '#pragma comment(copyright, "Copyright (C) 1998-2011 Daniel Stenberg et al. OS/400 version by P. Monnerat")' >> os400.c
+echo '#pragma comment(copyright, "Copyright (C) 1998-2012 Daniel Stenberg et al. OS/400 version by P. Monnerat")' >> os400.c
 make_module     OS400           os400.c
 LINK=                           # No need to rebuild service program yet.
 MODULES=

src/Makefile.am

@@ -34,7 +34,7 @@ AUTOMAKE_OPTIONS = foreign nostdinc
 # $(top_srcdir)/lib is for libcurl's lib/setup.h and other "borrowed" files
 # $(top_srcdir)/src is for curl's src/tool_setup.h and "curl-private" files
 
-INCLUDES = -I$(top_builddir)/include/curl \
+AM_CPPFLAGS = -I$(top_builddir)/include/curl \
               -I$(top_builddir)/include      \
               -I$(top_srcdir)/include        \
               -I$(top_builddir)/lib          \
@@ -46,7 +46,7 @@ bin_PROGRAMS = curl
 
 # Mostly for Windows build targets, when using static libcurl
 if USE_CPPFLAG_CURL_STATICLIB
-AM_CPPFLAGS = -DCURL_STATICLIB
+AM_CPPFLAGS += -DCURL_STATICLIB
 endif
 
 include Makefile.inc

src/Makefile.m32

@@ -32,6 +32,14 @@ endif
 ifndef LIBMETALINK_PATH
 LIBMETALINK_PATH = ../../libmetalink-0.1.2
 endif
+# Edit the path below to point to the base of your libexpat package.
+ifndef LIBEXPAT_PATH
+LIBEXPAT_PATH = ../../expat-2.1.0
+endif
+# Edit the path below to point to the base of your libxml2 package.
+ifndef LIBXML2_PATH
+LIBXML2_PATH = ../../libxml2-2.9.0
+endif
 # Edit the path below to point to the base of your libidn package.
 ifndef LIBIDN_PATH
 LIBIDN_PATH = ../../libidn-1.18
@@ -67,6 +75,7 @@ CFLAGS	+= -D_AMD64_
 endif
 # comment LDFLAGS below to keep debug info
 LDFLAGS	= -s
+AR	= $(CROSSPREFIX)ar
 RC	= $(CROSSPREFIX)windres
 RCFLAGS	= --include-dir=$(PROOT)/include -O COFF -i
 
@@ -180,6 +189,17 @@ ifdef SSH2
   curl_LDADD += -L"$(LIBSSH2_PATH)/win32" -lssh2
 endif
 ifdef SSL
+  ifndef OPENSSL_INCLUDE
+    ifeq "$(wildcard $(OPENSSL_PATH)/outinc)" "$(OPENSSL_PATH)/outinc"
+      OPENSSL_INCLUDE = $(OPENSSL_PATH)/outinc
+    endif
+    ifeq "$(wildcard $(OPENSSL_PATH)/include)" "$(OPENSSL_PATH)/include"
+      OPENSSL_INCLUDE = $(OPENSSL_PATH)/include
+    endif
+  endif
+  ifneq "$(wildcard $(OPENSSL_INCLUDE)/openssl/opensslv.h)" "$(OPENSSL_INCLUDE)/openssl/opensslv.h"
+  $(error Invalid path to OpenSSL package: $(OPENSSL_PATH))
+  endif
   ifndef OPENSSL_LIBPATH
     OPENSSL_LIBS = -lssl -lcrypto
     ifeq "$(wildcard $(OPENSSL_PATH)/out)" "$(OPENSSL_PATH)/out"
@@ -195,7 +215,8 @@ ifdef SSL
   ifndef DYN
     OPENSSL_LIBS += -lgdi32 -lcrypt32
   endif
-  CFLAGS += -DUSE_SSLEAY
+  INCLUDES += -I"$(OPENSSL_INCLUDE)"
+  CFLAGS += -DUSE_SSLEAY -DUSE_OPENSSL
   curl_LDADD += -L"$(OPENSSL_LIBPATH)" $(OPENSSL_LIBS)
 endif
 ifdef ZLIB
@@ -213,9 +234,16 @@ ifdef WINIDN
 endif
 endif
 ifdef METALINK
-  INCLUDES += -I"$(LIBMETALINK_PATH)/lib/includes"
+  INCLUDES += -I"$(LIBMETALINK_PATH)/include"
   CFLAGS += -DUSE_METALINK
-  curl_LDADD += -L"$(LIBMETALINK_PATH)/lib/.libs" -lmetalink.dll
+  curl_LDADD += -L"$(LIBMETALINK_PATH)/lib" -lmetalink
+  ifndef DYN
+    ifeq ($(findstring libexpat_metalink_parser.o,$(shell $(AR) t "$(LIBMETALINK_PATH)/lib/libmetalink.a")),libexpat_metalink_parser.o)
+      curl_LDADD += -L"$(LIBEXPAT_PATH)/lib" -lexpat
+    else
+      curl_LDADD += -L"$(LIBXML2_PATH)/lib" -lxml2
+    endif
+  endif
 endif
 ifdef SSPI
   CFLAGS += -DUSE_WINDOWS_SSPI

src/tool_metalink.c

@@ -52,10 +52,19 @@
 #  define MD5_CTX    gcry_md_hd_t
 #  define SHA_CTX    gcry_md_hd_t
 #  define SHA256_CTX gcry_md_hd_t
-#elif defined(USE_DARWINSSL)
-/* For darwinssl: CommonCrypto has the functions we need. The library's
-   headers are even backward-compatible with OpenSSL's headers as long as
-   we define COMMON_DIGEST_FOR_OPENSSL first.
+#elif defined(USE_NSS)
+#  include <nss.h>
+#  include <pk11pub.h>
+#  define MD5_CTX    void *
+#  define SHA_CTX    void *
+#  define SHA256_CTX void *
+#  ifdef HAVE_NSS_INITCONTEXT
+     static NSSInitContext *nss_context;
+#  endif
+#elif defined(__MAC_10_4) || defined(__IPHONE_5_0)
+/* For Apple operating systems: CommonCrypto has the functions we need.
+   The library's headers are even backward-compatible with OpenSSL's
+   headers as long as we define COMMON_DIGEST_FOR_OPENSSL first.
 
    These functions are available on Tiger and later, as well as iOS 5.0
    and later. If you're building for an older cat, well, sorry. */
@@ -112,9 +121,10 @@ struct win32_crypto_hash {
 
 #ifdef USE_GNUTLS_NETTLE
 
-static void MD5_Init(MD5_CTX *ctx)
+static int MD5_Init(MD5_CTX *ctx)
 {
   md5_init(ctx);
+  return 1;
 }
 
 static void MD5_Update(MD5_CTX *ctx,
@@ -129,9 +139,10 @@ static void MD5_Final(unsigned char digest[16], MD5_CTX *ctx)
   md5_digest(ctx, 16, digest);
 }
 
-static void SHA1_Init(SHA_CTX *ctx)
+static int SHA1_Init(SHA_CTX *ctx)
 {
   sha1_init(ctx);
+  return 1;
 }
 
 static void SHA1_Update(SHA_CTX *ctx,
@@ -146,9 +157,10 @@ static void SHA1_Final(unsigned char digest[20], SHA_CTX *ctx)
   sha1_digest(ctx, 20, digest);
 }
 
-static void SHA256_Init(SHA256_CTX *ctx)
+static int SHA256_Init(SHA256_CTX *ctx)
 {
   sha256_init(ctx);
+  return 1;
 }
 
 static void SHA256_Update(SHA256_CTX *ctx,
@@ -165,9 +177,10 @@ static void SHA256_Final(unsigned char digest[32], SHA256_CTX *ctx)
 
 #elif defined(USE_GNUTLS)
 
-static void MD5_Init(MD5_CTX *ctx)
+static int MD5_Init(MD5_CTX *ctx)
 {
   gcry_md_open(ctx, GCRY_MD_MD5, 0);
+  return 1;
 }
 
 static void MD5_Update(MD5_CTX *ctx,
@@ -183,9 +196,10 @@ static void MD5_Final(unsigned char digest[16], MD5_CTX *ctx)
   gcry_md_close(*ctx);
 }
 
-static void SHA1_Init(SHA_CTX *ctx)
+static int SHA1_Init(SHA_CTX *ctx)
 {
   gcry_md_open(ctx, GCRY_MD_SHA1, 0);
+  return 1;
 }
 
 static void SHA1_Update(SHA_CTX *ctx,
@@ -201,9 +215,10 @@ static void SHA1_Final(unsigned char digest[20], SHA_CTX *ctx)
   gcry_md_close(*ctx);
 }
 
-static void SHA256_Init(SHA256_CTX *ctx)
+static int SHA256_Init(SHA256_CTX *ctx)
 {
   gcry_md_open(ctx, GCRY_MD_SHA256, 0);
+  return 1;
 }
 
 static void SHA256_Update(SHA256_CTX *ctx,
@@ -219,7 +234,96 @@ static void SHA256_Final(unsigned char digest[32], SHA256_CTX *ctx)
   gcry_md_close(*ctx);
 }
 
-#elif defined(_WIN32)
+#elif defined(USE_NSS)
+
+static int nss_hash_init(void **pctx, SECOidTag hash_alg)
+{
+  PK11Context *ctx;
+
+  /* we have to initialize NSS if not initialized alraedy */
+#ifdef HAVE_NSS_INITCONTEXT
+  if(!NSS_IsInitialized() && !nss_context) {
+    static NSSInitParameters params;
+    params.length = sizeof params;
+    nss_context = NSS_InitContext("", "", "", "", &params, NSS_INIT_READONLY
+        | NSS_INIT_NOCERTDB   | NSS_INIT_NOMODDB       | NSS_INIT_FORCEOPEN
+        | NSS_INIT_NOROOTINIT | NSS_INIT_OPTIMIZESPACE | NSS_INIT_PK11RELOAD);
+  }
+#endif
+
+  ctx = PK11_CreateDigestContext(hash_alg);
+  if(!ctx)
+    return /* failure */ 0;
+
+  if(PK11_DigestBegin(ctx) != SECSuccess) {
+    PK11_DestroyContext(ctx, PR_TRUE);
+    return /* failure */ 0;
+  }
+
+  *pctx = ctx;
+  return /* success */ 1;
+}
+
+static void nss_hash_final(void **pctx, unsigned char *out, unsigned int len)
+{
+  PK11Context *ctx = *pctx;
+  unsigned int outlen;
+  PK11_DigestFinal(ctx, out, &outlen, len);
+  PK11_DestroyContext(ctx, PR_TRUE);
+}
+
+static int MD5_Init(MD5_CTX *pctx)
+{
+  return nss_hash_init(pctx, SEC_OID_MD5);
+}
+
+static void MD5_Update(MD5_CTX *pctx,
+                       const unsigned char *input,
+                       unsigned int input_len)
+{
+  PK11_DigestOp(*pctx, input, input_len);
+}
+
+static void MD5_Final(unsigned char digest[16], MD5_CTX *pctx)
+{
+  nss_hash_final(pctx, digest, 16);
+}
+
+static int SHA1_Init(SHA_CTX *pctx)
+{
+  return nss_hash_init(pctx, SEC_OID_SHA1);
+}
+
+static void SHA1_Update(SHA_CTX *pctx,
+                        const unsigned char *input,
+                        unsigned int input_len)
+{
+  PK11_DigestOp(*pctx, input, input_len);
+}
+
+static void SHA1_Final(unsigned char digest[20], SHA_CTX *pctx)
+{
+  nss_hash_final(pctx, digest, 20);
+}
+
+static int SHA256_Init(SHA256_CTX *pctx)
+{
+  return nss_hash_init(pctx, SEC_OID_SHA256);
+}
+
+static void SHA256_Update(SHA256_CTX *pctx,
+                          const unsigned char *input,
+                          unsigned int input_len)
+{
+  PK11_DigestOp(*pctx, input, input_len);
+}
+
+static void SHA256_Final(unsigned char digest[32], SHA256_CTX *pctx)
+{
+  nss_hash_final(pctx, digest, 32);
+}
+
+#elif defined(_WIN32) && !defined(USE_SSLEAY)
 
 static void win32_crypto_final(struct win32_crypto_hash *ctx,
                                unsigned char *digest,
@@ -235,12 +339,13 @@ static void win32_crypto_final(struct win32_crypto_hash *ctx,
     CryptReleaseContext(ctx->hCryptProv, 0);
 }
 
-static void MD5_Init(MD5_CTX *ctx)
+static int MD5_Init(MD5_CTX *ctx)
 {
   if(CryptAcquireContext(&ctx->hCryptProv, NULL, NULL,
                          PROV_RSA_FULL, CRYPT_VERIFYCONTEXT)) {
     CryptCreateHash(ctx->hCryptProv, CALG_MD5, 0, 0, &ctx->hHash);
   }
+  return 1;
 }
 
 static void MD5_Update(MD5_CTX *ctx,
@@ -255,12 +360,13 @@ static void MD5_Final(unsigned char digest[16], MD5_CTX *ctx)
   win32_crypto_final(ctx, digest, 16);
 }
 
-static void SHA1_Init(SHA_CTX *ctx)
+static int SHA1_Init(SHA_CTX *ctx)
 {
   if(CryptAcquireContext(&ctx->hCryptProv, NULL, NULL,
                          PROV_RSA_FULL, CRYPT_VERIFYCONTEXT)) {
     CryptCreateHash(ctx->hCryptProv, CALG_SHA1, 0, 0, &ctx->hHash);
   }
+  return 1;
 }
 
 static void SHA1_Update(SHA_CTX *ctx,
@@ -275,12 +381,13 @@ static void SHA1_Final(unsigned char digest[20], SHA_CTX *ctx)
   win32_crypto_final(ctx, digest, 20);
 }
 
-static void SHA256_Init(SHA256_CTX *ctx)
+static int SHA256_Init(SHA256_CTX *ctx)
 {
   if(CryptAcquireContext(&ctx->hCryptProv, NULL, NULL,
                          PROV_RSA_AES, CRYPT_VERIFYCONTEXT)) {
     CryptCreateHash(ctx->hCryptProv, CALG_SHA_256, 0, 0, &ctx->hHash);
   }
+  return 1;
 }
 
 static void SHA256_Update(SHA256_CTX *ctx,
@@ -374,7 +481,10 @@ digest_context *Curl_digest_init(const digest_params *dparams)
 
   ctxt->digest_hash = dparams;
 
-  dparams->digest_init(ctxt->digest_hashctx);
+  if(dparams->digest_init(ctxt->digest_hashctx) != 1) {
+    free(ctxt);
+    return NULL;
+  }
 
   return ctxt;
 }
@@ -425,6 +535,8 @@ static unsigned char hex_to_uint(const char *s)
  *   Checksum didn't match.
  * -1:
  *   Could not open file; or could not read data from file.
+ * -2:
+ *   Hash algorithm not available.
  */
 static int check_hash(const char *filename,
                       const metalink_digest_def *digest_def,
@@ -446,7 +558,15 @@ static int check_hash(const char *filename,
             digest_def->hash_name, strerror(errno));
     return -1;
   }
+
   dctx = Curl_digest_init(digest_def->dparams);
+  if(!dctx) {
+    fprintf(error, "Metalink: validating (%s) [%s] FAILED (%s)\n", filename,
+            digest_def->hash_name, "failed to initialize hash algorithm");
+    close(fd);
+    return -2;
+  }
+
   result = malloc(digest_def->dparams->digest_resultlen);
   while(1) {
     unsigned char buf[4096];
@@ -773,4 +893,14 @@ void clean_metalink(struct Configurable *config)
   config->metalinkfile_last = 0;
 }
 
+void metalink_cleanup(void)
+{
+#if defined(USE_NSS) && defined(HAVE_NSS_INITCONTEXT)
+  if(nss_context) {
+    NSS_ShutdownContext(nss_context);
+    nss_context = NULL;
+  }
+#endif
+}
+
 #endif /* USE_METALINK */

src/tool_metalink.h

@@ -23,7 +23,9 @@
  ***************************************************************************/
 #include "tool_setup.h"
 
-typedef void (* Curl_digest_init_func)(void *context);
+/* returns 1 for success, 0 otherwise (we use OpenSSL *_Init fncs directly) */
+typedef int (* Curl_digest_init_func)(void *context);
+
 typedef void (* Curl_digest_update_func)(void *context,
                                          const unsigned char *data,
                                          unsigned int len);
@@ -137,13 +139,18 @@ int check_metalink_content_type(const char *content_type);
  * -1:
  *   Could not open file; or could not read data from file.
  * -2:
- *   No checksum in Metalink supported; or Metalink does not contain
- *   checksum.
+ *   No checksum in Metalink supported, hash algorithm not available, or
+ *   Metalink does not contain checksum.
  */
 int metalink_check_hash(struct Configurable *config,
                         metalinkfile *mlfile,
                         const char *filename);
 
+/*
+ * Release resources allocated at global scope.
+ */
+void metalink_cleanup(void);
+
 #else /* USE_METALINK */
 
 #define count_next_metalink_resource(x)  0

src/tool_operate.c

@@ -1051,7 +1051,7 @@ int operate(struct Configurable *config, int argc, argv_item_t argv[])
         if(curlinfo->features & CURL_VERSION_SSL) {
           if(config->insecure_ok) {
             my_setopt(curl, CURLOPT_SSL_VERIFYPEER, 0L);
-            my_setopt(curl, CURLOPT_SSL_VERIFYHOST, 1L);
+            my_setopt(curl, CURLOPT_SSL_VERIFYHOST, 0L);
           }
           else {
             my_setopt(curl, CURLOPT_SSL_VERIFYPEER, 1L);

src/tool_operhlp.c

@@ -32,6 +32,11 @@
 #include "tool_operhlp.h"
 #include "tool_version.h"
 
+#ifdef USE_METALINK
+/* import the declaration of metalink_cleanup() */
+#  include "tool_metalink.h"
+#endif
+
 #include "memdebug.h" /* keep this as LAST include */
 
 /*
@@ -215,6 +220,9 @@ void main_free(void)
 {
   curl_global_cleanup();
   convert_cleanup();
+#ifdef USE_METALINK
+  metalink_cleanup();
+#endif
 }
 
 #ifdef CURLDEBUG

tests/Makefile.am

@@ -28,7 +28,7 @@ EXTRA_DIST = ftpserver.pl httpserver.pl secureserver.pl runtests.pl getpart.pm \
  sshserver.pl sshhelp.pm testcurl.1 runtests.1 $(HTMLPAGES) $(PDFPAGES) \
  CMakeLists.txt certs/scripts/*.sh certs/Server* certs/EdelCurlRoot* \
  serverhelp.pm tftpserver.pl rtspserver.pl directories.pm symbol-scan.pl \
- certs/srp-verifier-conf certs/srp-verifier-db
+ certs/srp-verifier-conf certs/srp-verifier-db mem-include-scan.pl
 
 # we have two variables here to make sure DIST_SUBDIRS won't get 'unit'
 # added twice as then targets such as 'distclean' misbehave and try to

tests/README

@@ -207,7 +207,9 @@ The cURL Test Suite
      800 - 899   POP3, IMAP, SMTP
      1000 - 1299 miscellaneous*
      1300 - 1399 unit tests*
-     1400 - 1999 miscellaneous*
+     1400 - 1499 miscellaneous*
+     1500 - 1599 libcurl source code tests, not using the curl command tool
+                 (same as 5xx)
      2000 - x    multiple sequential protocols per test case*
 
   Since 30-apr-2003, there's nothing in the system that requires us to keep

tests/data/Makefile.am

@@ -75,7 +75,7 @@ test1094 test1095 test1096 test1097 test1098 test1099 test1100 test1101	\
 test1102 test1103 test1104 test1105 test1106 test1107 test1108 test1109	\
 test1110 test1111 test1112 test1113 test1114 test1115 test1116 test1117	\
 test1118 test1119 test1120 test1121 test1122 test1123 test1124 test1125	\
-test1126 test1127 test1128 test1129 test1130 test1131 \
+test1126 test1127 test1128 test1129 test1130 test1131 test1132 \
 test1200 test1201 test1202 test1203 test1204 test1205 test1206 test1207 \
 test1208 test1209 test1210 test1211 \
 test1220 \
@@ -92,8 +92,8 @@ test1371 test1372 test1373 test1374 test1375 test1376 test1377 test1378 \
 test1379 test1380 test1381 test1382 test1383 test1384 test1385 test1386 \
 test1387 test1388 test1389 test1390 test1391 test1392 test1393 \
 test1400 test1401 test1402 test1403 test1404 test1405 test1406 test1407 \
-test1408 test1409 test1410 test1411 \
-test1500 \
+test1408 test1409 test1410 test1411 test1412 test1413 \
+test1500 test1501 test1502 \
 test2000 test2001 test2002 test2003 test2004 test2005 test2006 test2007 \
 test2008 test2009 test2010 test2011 test2012 test2013 test2014 test2015 \
 test2016 test2017 test2018 test2019 test2020 test2021 test2022 \

tests/data/test1105

@@ -34,6 +34,9 @@ HTTP with cookie parser and header recording
  <command>
 "http://%HOSTIP:%HTTPPORT/we/want/1105?parm1=this*that/other/thing&parm2=foobar/1105" -c log/cookie1105.txt -d "userid=myname&password=mypassword"
 </command>
+<precheck>
+perl -e 'if ("%HOSTIP" !~ /127\.0\.0\.1$/) {print "Test only works for HOSTIP 127.0.0.1"; exit(1)}'
+</precheck>
 </client>
 
 # Verify data after the test has been "shot"

tests/data/test1132

@@ -0,0 +1,24 @@
+<testcase>
+<info>
+<keywords>
+memory-includes
+</keywords>
+</info>
+
+#
+# Client-side
+<client>
+<server>
+none
+</server>
+
+ <name>
+Verify memory #include files in libcurl's C source files
+ </name>
+
+<command type="perl">
+%SRCDIR/mem-include-scan.pl %SRCDIR/../lib
+</command>
+</client>
+
+</testcase>

tests/data/test1318

@@ -3,6 +3,7 @@
 <keywords>
 HTTP
 HTTP GET
+--resolve
 </keywords>
 </info>
 
@@ -32,7 +33,7 @@ Content-Length: 0
 http
 </server>
  <name>
-HTTP with same host name using different cases
+HTTP with --resolve and same host name using different cases
  </name>
  <command>
 --resolve MiXeDcAsE.cOm:%HTTPPORT:%HOSTIP http://MiXeDcAsE.cOm:%HTTPPORT/1318 http://mixedcase.com:%HTTPPORT/13180001

tests/data/test1412

@@ -0,0 +1,117 @@
+<testcase>
+<info>
+<keywords>
+HTTP
+HTTP GET
+HTTP Digest auth
+--anyauth
+</keywords>
+</info>
+
+# Server-side
+<reply>
+<servercmd>
+auth_required
+</servercmd>
+<data>
+HTTP/1.1 401 Authorization Required swsclose
+Server: Apache/1.3.27 (Darwin) PHP/4.1.2
+WWW-Authenticate: Blackmagic realm="gimme all yer s3cr3ts"
+WWW-Authenticate: Basic realm="gimme all yer s3cr3ts"
+WWW-Authenticate: Digest realm="gimme all yer s3cr3ts", nonce="11223344"
+Content-Type: text/html; charset=iso-8859-1
+Connection: close
+
+This is not the real page
+</data>
+
+# This is supposed to be returned when the server gets a
+# Authorization: Digest line passed-in from the client
+<data1000>
+HTTP/1.1 200 OK swsclose
+Server: Apache/1.3.27 (Darwin) PHP/4.1.2
+Content-Type: text/html; charset=iso-8859-1
+Content-Length: 23
+Connection: close
+
+This IS the real page!
+</data1000>
+
+# This is the second request
+<data1001>
+HTTP/1.1 200 OK swsclose
+Server: Apache/1.3.27 (Darwin) PHP/4.1.2
+Content-Type: text/html; charset=iso-8859-1
+Content-Length: 23
+Connection: close
+
+This IS the second real page!
+</data1001>
+
+<datacheck>
+HTTP/1.1 401 Authorization Required swsclose
+Server: Apache/1.3.27 (Darwin) PHP/4.1.2
+WWW-Authenticate: Blackmagic realm="gimme all yer s3cr3ts"
+WWW-Authenticate: Basic realm="gimme all yer s3cr3ts"
+WWW-Authenticate: Digest realm="gimme all yer s3cr3ts", nonce="11223344"
+Content-Type: text/html; charset=iso-8859-1
+Connection: close
+
+HTTP/1.1 200 OK swsclose
+Server: Apache/1.3.27 (Darwin) PHP/4.1.2
+Content-Type: text/html; charset=iso-8859-1
+Content-Length: 23
+Connection: close
+
+This IS the real page!
+</datacheck>
+
+</reply>
+
+# Client-side
+<client>
+<server>
+http
+</server>
+<features>
+crypto
+</features>
+ <name>
+HTTP GET with --anyauth with two URLs (picking Digest) 
+ </name>
+ <command>
+http://%HOSTIP:%HTTPPORT/1412 -u testuser:testpass --anyauth http://%HOSTIP:%HTTPPORT/14120001
+</command>
+<file name="log/put1412">
+This is data we upload with PUT
+a second line
+line three
+four is the number of lines
+</file>
+</client>
+
+# Verify data after the test has been "shot"
+<verify>
+<strip>
+^User-Agent:.*
+</strip>
+<protocol>
+GET /1412 HTTP/1.1
+Host: %HOSTIP:%HTTPPORT
+Accept: */*
+
+GET /1412 HTTP/1.1
+Authorization: Digest username="testuser", realm="gimme all yer s3cr3ts", nonce="11223344", uri="/1412", response="0390dbe89e31adca0413d11f91f30e7f"
+User-Agent: curl/7.10.5 (i686-pc-linux-gnu) libcurl/7.10.5 OpenSSL/0.9.7a ipv6 zlib/1.1.3
+Host: %HOSTIP:%HTTPPORT
+Accept: */*
+
+GET /14120001 HTTP/1.1
+Authorization: Digest username="testuser", realm="gimme all yer s3cr3ts", nonce="11223344", uri="/14120001", response="0085df91870374c8bf4e94415e7fbf8e"
+User-Agent: curl/7.10.5 (i686-pc-linux-gnu) libcurl/7.10.5 OpenSSL/0.9.7a ipv6 zlib/1.1.3
+Host: %HOSTIP:%HTTPPORT
+Accept: */*
+
+</protocol>
+</verify>
+</testcase>

tests/data/test1413

@@ -0,0 +1,73 @@
+<testcase>
+<info>
+<keywords>
+HTTP
+HTTP GET
+followlocation
+</keywords>
+</info>
+#
+# Server-side
+<reply>
+<data>
+HTTP/1.1 302 OK swsclose
+Location: moo.html/14130002#fragmentpart
+Date: Thu, 09 Nov 2010 14:49:00 GMT
+Connection: close
+
+</data>
+<data2>
+HTTP/1.1 200 OK swsclose
+Location: this should be ignored
+Date: Thu, 09 Nov 2010 14:49:00 GMT
+Connection: close
+
+body
+</data2>
+<datacheck>
+HTTP/1.1 302 OK swsclose
+Location: moo.html/14130002#fragmentpart
+Date: Thu, 09 Nov 2010 14:49:00 GMT
+Connection: close
+
+HTTP/1.1 200 OK swsclose
+Location: this should be ignored
+Date: Thu, 09 Nov 2010 14:49:00 GMT
+Connection: close
+
+body
+</datacheck>
+</reply>
+
+#
+# Client-side
+<client>
+<server>
+http
+</server>
+ <name>
+HTTP redirect with fragment in new URL
+ </name>
+ <command>
+http://%HOSTIP:%HTTPPORT/this/1413 -L
+</command>
+</client>
+
+#
+# Verify data after the test has been "shot"
+<verify>
+<strip>
+^User-Agent:.*
+</strip>
+<protocol>
+GET /this/1413 HTTP/1.1
+Host: %HOSTIP:%HTTPPORT
+Accept: */*
+
+GET /this/moo.html/14130002 HTTP/1.1
+Host: %HOSTIP:%HTTPPORT
+Accept: */*
+
+</protocol>
+</verify>
+</testcase>

tests/data/test147

@@ -1,4 +1,10 @@
 <testcase>
+<info>
+<keywords>
+FTP
+</keywords>
+</info>
+
 # Server-side
 <reply>
 <data>

tests/data/test148

@@ -1,4 +1,10 @@
 <testcase>
+<info>
+<keywords>
+FTP
+</keywords>
+</info>
+
 # Server-side
 <reply>
 <servercmd>

tests/data/test149

@@ -1,4 +1,10 @@
 <testcase>
+<info>
+<keywords>
+FTP
+</keywords>
+</info>
+
 # Server-side
 <reply>
 </reply>

tests/data/test1501

@@ -0,0 +1,53 @@
+<testcase>
+<info>
+<keywords>
+FTP
+RETR
+multi
+LIST
+</keywords>
+</info>
+
+# Server-side
+<reply>
+<data>
+</data>
+<servercmd>
+DELAY LIST 2
+DELAY TYPE 2
+</servercmd>
+</reply>
+
+# Client-side
+<client>
+<server>
+ftp
+</server>
+<tool>
+lib1501
+</tool>
+ <name>
+FTP with multi interface and slow LIST response 
+ </name>
+ <command>
+ftp://%HOSTIP:%FTPPORT/1501/
+</command>
+</client>
+# Verify data after the test has been "shot"
+<verify>
+<errorcode>
+0
+</errorcode>
+<protocol>
+USER anonymous
+PASS ftp@example.com
+PWD
+CWD 1501
+EPSV
+TYPE A
+LIST
+QUIT
+</protocol>
+
+</verify>
+</testcase>

tests/data/test1502

@@ -0,0 +1,58 @@
+<testcase>
+<info>
+<keywords>
+HTTP
+HTTP GET
+multi
+CURLOPT_RESOLVE
+</keywords>
+</info>
+
+<reply>
+<data>
+HTTP/1.1 200 OK
+Date: Thu, 09 Nov 2010 14:49:00 GMT
+Server: test-server/fake
+Last-Modified: Tue, 13 Jun 2000 12:10:00 GMT
+ETag: "21025-dc7-39462498"
+Accept-Ranges: bytes
+Content-Length: 6
+Connection: close
+Content-Type: text/html
+Funny-head: yesyes
+
+-foo-
+</data>
+</reply>
+
+#
+# Client-side
+<client>
+<server>
+http
+</server>
+<tool>
+lib1502
+</tool>
+ <name>
+HTTP multi with CURLOPT_RESOLVE
+ </name>
+ <command>
+http://google.com:%HTTPPORT/1502 %HTTPPORT %HOSTIP
+</command>
+</client>
+
+#
+# Verify data after the test has been "shot"
+<verify>
+<strip>
+^User-Agent:.*
+</strip>
+<protocol>
+GET /1502 HTTP/1.1
+Host: google.com:%HTTPPORT
+Accept: */*
+
+</protocol>
+</verify>
+</testcase>

tests/data/test155

@@ -1,4 +1,11 @@
 <testcase>
+<info>
+<keywords>
+HTTP
+HTTP PUT
+</keywords>
+</info>
+
 # Server-side
 <reply>
 <servercmd>

tests/data/test158

@@ -1,4 +1,11 @@
 <testcase>
+<info>
+<keywords>
+HTTP
+HTTP POST
+</keywords>
+</info>
+
 # Server-side
 <reply>
 <data>

tests/data/test174

@@ -1,4 +1,11 @@
 <testcase>
+<info>
+<keywords>
+HTTP
+HTTP POST
+</keywords>
+</info>
+
 # Server-side
 <reply>
 <data>

tests/data/test176

@@ -1,4 +1,11 @@
 <testcase>
+<info>
+<keywords>
+HTTP
+HTTP POST
+</keywords>
+</info>
+
 # Server-side
 <reply>
 # the first request has NTLM type-1 included, and then the 1001 is returned

tests/data/test182

@@ -1,4 +1,10 @@
 <testcase>
+<info>
+<keywords>
+FTP
+</keywords>
+</info>
+
 # Server-side
 <reply>
 <data sendzero="yes">

tests/data/test190

@@ -1,4 +1,10 @@
 <testcase>
+<info>
+<keywords>
+FTP
+</keywords>
+</info>
+
 # Server-side
 <reply>
 <servercmd>

tests/data/test191

@@ -1,4 +1,10 @@
 <testcase>
+<info>
+<keywords>
+FTP
+</keywords>
+</info>
+
 # Server-side
 <reply>
 <data>

tests/data/test195

@@ -1,4 +1,10 @@
 <testcase>
+<info>
+<keywords>
+FTP
+</keywords>
+</info>
+
 # Server-side
 <reply>
 <servercmd>

tests/data/test196

@@ -1,4 +1,10 @@
 <testcase>
+<info>
+<keywords>
+FTP
+</keywords>
+</info>
+
 # Server-side
 <reply>
 <servercmd>

tests/data/test197

@@ -1,4 +1,10 @@
 <testcase>
+<info>
+<keywords>
+HTTP
+HTTP GET
+</keywords>
+</info>
 #
 # Server-side
 <reply>

tests/data/test198

@@ -1,4 +1,10 @@
 <testcase>
+<info>
+<keywords>
+HTTP
+HTTP GET
+</keywords>
+</info>
 #
 # Server-side
 <reply>

tests/data/test199

@@ -1,4 +1,10 @@
 <testcase>
+<info>
+<keywords>
+HTTP
+HTTP GET
+</keywords>
+</info>
 #
 # Server-side
 <reply name="1">

tests/data/test2027

@@ -9,6 +9,17 @@ HTTP Digest auth
 # Server-side
 <reply>
 
+<!--
+
+ Explanation for the duplicate 400 requests:
+
+ libcurl doesn't detect that a given Digest password is wrong already on the
+ first 401 response (as the data400 gives). libcurl will instead consider the
+ new response just as a duplicate and it sends another and detects the auth
+ problem on the second 401 response!
+
+-->
+
 <!-- First request has Digest auth, wrong password -->
 <data100>
 HTTP/1.1 401 Need Digest auth
@@ -93,16 +104,6 @@ This is a bad password page!
 </data1400>
 
 <!-- Fifth request has Digest auth, right password -->
-<data500>
-HTTP/1.1 401 Need Digest auth (5)
-Server: Microsoft-IIS/5.0
-Content-Type: text/html; charset=iso-8859-1
-Content-Length: 27
-WWW-Authenticate: Digest realm="testrealm", nonce="8"
-
-This is not the real page!
-</data500>
-
 <data1500>
 HTTP/1.1 200 Things are fine in server land (2)
 Server: Microsoft-IIS/5.0
@@ -151,6 +152,12 @@ Content-Type: text/html; charset=iso-8859-1
 Content-Length: 29
 WWW-Authenticate: Digest realm="testrealm", nonce="7"
 
+HTTP/1.1 401 Sorry wrong password (3)
+Server: Microsoft-IIS/5.0
+Content-Type: text/html; charset=iso-8859-1
+Content-Length: 29
+WWW-Authenticate: Digest realm="testrealm", nonce="7"
+
 This is a bad password page!
 HTTP/1.1 200 Things are fine in server land (2)
 Server: Microsoft-IIS/5.0
@@ -222,6 +229,11 @@ Authorization: Digest username="testuser", realm="testrealm", nonce="5", uri="/2
 Host: %HOSTIP:%HTTPPORT
 Accept: */*
 
+GET /20270400 HTTP/1.1
+Authorization: Digest username="testuser", realm="testrealm", nonce="5", uri="/20270400", response="f5906785511fb60a2af8b1cd53008ead"
+Host: %HOSTIP:%HTTPPORT
+Accept: */*
+
 GET /20270500 HTTP/1.1
 Authorization: Digest username="testuser", realm="testrealm", nonce="7", uri="/20270500", response="8ef4d935fd964a46c3965c0863b52cf1"
 Host: %HOSTIP:%HTTPPORT

tests/data/test2030

@@ -13,6 +13,18 @@ HTTP NTLM auth
 <!-- Alternate the order that Digest and NTLM headers appear in responses to
 ensure that the order doesn't matter. -->
 
+<!--
+
+ Explanation for the duplicate 400 requests:
+
+ libcurl doesn't detect that a given Digest password is wrong already on the
+ first 401 response (as the data400 gives). libcurl will instead consider the
+ new response just as a duplicate and it sends another and detects the auth
+ problem on the second 401 response!
+
+-->
+
+
 <!-- First request has NTLM auth, wrong password -->
 <data100>
 HTTP/1.1 401 Need Digest or NTLM auth
@@ -186,6 +198,13 @@ Content-Length: 29
 WWW-Authenticate: NTLM
 WWW-Authenticate: Digest realm="testrealm", nonce="7"
 
+HTTP/1.1 401 Sorry wrong password (3)
+Server: Microsoft-IIS/5.0
+Content-Type: text/html; charset=iso-8859-1
+Content-Length: 29
+WWW-Authenticate: NTLM
+WWW-Authenticate: Digest realm="testrealm", nonce="7"
+
 This is a bad password page!
 HTTP/1.1 200 Things are fine in server land (2)
 Server: Microsoft-IIS/5.0
@@ -259,6 +278,11 @@ Authorization: Digest username="testuser", realm="testrealm", nonce="5", uri="/2
 Host: %HOSTIP:%HTTPPORT
 Accept: */*
 
+GET /20300400 HTTP/1.1
+Authorization: Digest username="testuser", realm="testrealm", nonce="5", uri="/20300400", response="d6262e9147db08c62ff2f53b515861e8"
+Host: %HOSTIP:%HTTPPORT
+Accept: */*
+
 GET /20300500 HTTP/1.1
 Authorization: Digest username="testuser", realm="testrealm", nonce="7", uri="/20300500", response="198757e61163a779cf24ed4c49c1ad7d"
 Host: %HOSTIP:%HTTPPORT

tests/data/test207

@@ -1,4 +1,10 @@
 <testcase>
+<info>
+<keywords>
+HTTP
+HTTP GET
+</keywords>
+</info>
 #
 # Server-side
 <reply>

tests/data/test210

@@ -1,4 +1,10 @@
 <testcase>
+<info>
+<keywords>
+FTP
+</keywords>
+</info>
+
 # Server-side
 <reply>
 <data>

tests/data/test211

@@ -1,4 +1,10 @@
 <testcase>
+<info>
+<keywords>
+FTP
+</keywords>
+</info>
+
 # Server-side
 <reply>
 <data>

tests/data/test212

@@ -1,4 +1,10 @@
 <testcase>
+<info>
+<keywords>
+FTP
+</keywords>
+</info>
+
 # Server-side
 <reply>
 <data>

tests/data/test214

@@ -1,4 +1,10 @@
 <testcase>
+<info>
+<keywords>
+HTTP
+HTTP GET
+</keywords>
+</info>
 #
 # Server-side
 <reply>

tests/data/test215

@@ -1,4 +1,10 @@
 <testcase>
+<info>
+<keywords>
+FTP
+</keywords>
+</info>
+
 # Server-side
 <reply>
 # When doing LIST, we get the default list output hard-coded in the test

tests/data/test216

@@ -1,4 +1,10 @@
 <testcase>
+<info>
+<keywords>
+FTP
+</keywords>
+</info>
+
 # Server-side
 <reply>
 </reply>

tests/data/test218

@@ -1,4 +1,10 @@
 <testcase>
+<info>
+<keywords>
+HTTP
+HTTP PUT
+</keywords>
+</info>
 #
 # Server-side
 <reply>

tests/data/test235

@@ -1,4 +1,10 @@
 <testcase>
+<info>
+<keywords>
+FTP
+</keywords>
+</info>
+
 # Server-side
 <reply>
 </reply>

tests/data/test236

@@ -1,4 +1,9 @@
 <testcase>
+<info>
+<keywords>
+FTP
+</keywords>
+</info>
 
 # Server-side
 <reply>

tests/data/test237

@@ -1,4 +1,10 @@
 <testcase>
+<info>
+<keywords>
+FTP
+</keywords>
+</info>
+
 # Server-side
 <reply>
 <servercmd>

tests/data/test238

@@ -1,4 +1,10 @@
 <testcase>
+<info>
+<keywords>
+FTP
+</keywords>
+</info>
+
 # Server-side
 <reply>
 <servercmd>

tests/data/test247

@@ -1,4 +1,10 @@
 <testcase>
+<info>
+<keywords>
+FTP
+</keywords>
+</info>
+
 <reply>
 <mdtm>
 213 20030409102659