RELEASE-NOTES: synced with 92cf6141ed

After the option rename in 5df04bfafd

Makefile.dist

@@ -148,12 +148,24 @@ vc-ssl-zlib: $(VC)
 	cd ..\src
 	nmake /f Makefile.$(VC) cfg=release-ssl-zlib
 
+vc-winssl-zlib: $(VC)
+	cd lib
+	nmake /f Makefile.$(VC) cfg=release-winssl-zlib
+	cd ..\src
+	nmake /f Makefile.$(VC) cfg=release-winssl-zlib
+
 vc-x64-ssl-zlib: $(VC)
 	cd lib
 	nmake /f Makefile.$(VC) MACHINE=x64 cfg=release-ssl-zlib
 	cd ..\src
 	nmake /f Makefile.$(VC) MACHINE=x64 cfg=release-ssl-zlib
 
+vc-x64-winssl-zlib: $(VC)
+	cd lib
+	nmake /f Makefile.$(VC) MACHINE=x64 cfg=release-winssl-zlib
+	cd ..\src
+	nmake /f Makefile.$(VC) MACHINE=x64 cfg=release-winssl-zlib
+
 vc-ssl-dll: $(VC)
 	cd lib
 	nmake /f Makefile.$(VC) cfg=release-ssl-dll

RELEASE-NOTES

@@ -1,71 +1,68 @@
-Curl and libcurl 7.31.0
+Curl and libcurl 7.33.0
 
- Public curl releases:         133
- Command line options:         152
- curl_easy_setopt() options:   199
+ Public curl releases:         135
+ Command line options:         161
+ curl_easy_setopt() options:   205
  Public functions in libcurl:  58
  Known libcurl bindings:       42
- Contributors:                 1005
-
-***
-  krb4 support is up for removal. If you care about it at all, speak up
-  on the curl-library list asap!
-***
+ Contributors:                 1057
 
 This release includes the following changes:
 
- o darwinssl: add TLS session resumption
- o darwinssl: add TLS crypto authentication
- o imap/pop3/smtp: Added support for ;auth=<mech> in the URL
- o imap/pop3/smtp: Added support for ;auth=<mech> to CURLOPT_USERPWD
- o usercertinmem.c: add example showing user cert in memory
- o url: Added smtp and pop3 hostnames to the protocol detection list
- o imap/pop3/smtp: Added support for enabling the SASL initial response [8]
- o curl -E: allow to use ':' in certificate nicknames [10]
+ o test code for testing the event based API [3]
+ o CURLM_ADDED_ALREADY: new error code
+ o test TFTP server: support "writedelay" within <servercmd>
+ o krb4 support has been removed
+ o imap/pop3/smtp: added basic SASL XOAUTH2 support [9]
+ o darwinssl: add support for PKCS#12 files for client authentication
+ o darwinssl: enable BEAST workaround on iOS 7 & later
+ o Pass password to OpenSSL engine by user interface [15]
+ o c-ares: Add support for various DNS binding options
+ o cookies: add expiration
+ o curl: added --oauth2-bearer option
 
 This release includes the following bugfixes:
 
- o SECURITY VULNERABILITY: curl_easy_unescape() may parse data beyond the end
-   of the input buffer [26]
-
- o FTP: access files in root dir correctly [1]
- o configure: try pthread_create without -lpthread [2]
- o FTP: handle a 230 welcome response [3]
- o curl-config: don't output static libs when they are disabled
- o CURL_CHECK_CA_BUNDLE: don't check for paths when cross-compiling [4]
- o Various documentation updates
- o getinfo.c: reset timecond when clearing session-info variables [5]
- o FILE: prevent an artificial timeout event due to stale speed-check data [6]
- o ftp_state_pasv_resp: connect through proxy also when set by env [7]
- o sshserver: disable StrictHostKeyChecking
- o ftpserver: Fixed imap logout confirmation data
- o curl_easy_init: use less mallocs
- o smtp: Fixed unknown percentage complete in progress bar
- o smtp: Fixed sending of double CRLF caused by first in EOB
- o bindlocal: move brace out of #ifdef [9]
- o winssl: Fixed invalid memory access during SSL shutdown [11]
- o OS X framework: fix invalid symbolic link
- o OpenSSL: allow empty server certificate subject [12]
- o axtls: prevent memleaks on SSL handshake failures
- o cookies: only consider full path matches
- o Revert win32 MemoryTracking: wcsdup() _wcsdup() and _tcsdup() [13]
- o Curl_cookie_add: handle IPv6 hosts [14]
- o ossl_send: SSL_write() returning 0 is an error too
- o ossl_recv: SSL_read() returning 0 is an error too
- o Digest auth: escape user names with \ or " in them [15]
- o curl_formadd.3: fixed wrong "end-marker" syntax [16]
- o libcurl-tutorial.3: fix incorrect backslash [17]
- o curl_multi_wait: reduce timeout if the multi handle wants to [18]
- o tests/Makefile: typo in the perlcheck target [19]
- o axtls: honor disabled VERIFYHOST
- o OpenSSL: avoid double free in the PKCS12 certificate code [20]
- o multi_socket: reduce timeout inaccuracy margin [21]
- o digest: support auth-int for empty entity body [22]
- o axtls: now done non-blocking
- o lib1900: use tutil_tvnow instead of gettimeofday
- o curl_easy_perform: avoid busy-looping [23]
- o CURLOPT_COOKIELIST: take cookie share lock [24]
- o multi_socket: react on socket close immediately [25]
+ o nss: make sure that NSS is initialized
+ o curl: make --no-[option] work properly for several options
+ o FTP: with socket_action send better socket updates in active mode [1]
+ o curl: fix the --sasl-ir in the --help output
+ o tests 2032, 2033: Don't hardcode port in expected output
+ o urlglob: better detect unclosed braces, empty lists and overflows [7]
+ o urlglob: error out on range overflow [8]
+ o imap: Fixed response check for SEARCH, EXPUNGE, LSUB, UID and NOOP commands [10]
+ o handle arbitrary-length username and password [2]
+ o TFTP: make the CURLOPT_LOW_SPEED* options work [4]
+ o curl.h: name space pollution by "enum type" [5]
+ o multi: move on from STATE_DONE faster [6]
+ o FTP: 60 secs delay if aborted in the CURLOPT_HEADERFUNCTION callback [11]
+ o multi_socket: improved 100-continue timeout handling
+ o curl_multi_remove_handle: allow multiple removes
+ o FTP: fix getsock during DO_MORE state [12]
+ o -x: rephrased the --proxy section somewhat
+ o acinclude: fix --without-ca-path when cross-compiling [13]
+ o LDAP: fix bad free() when URL parsing failed [14]
+ o --data: mention CRLF treatment when reading from file
+ o curl_easy_pause: suggest one way to unpause
+ o imap: Fixed calculation of transfer when partial FETCH received [16]
+ o pingpong: Check SSL library buffers for already read data [16]
+ o imap/pop3/smtp: Speed up SSL connection initialization
+ o libcurl.3: for multi interface connections are held in the multi handle
+ o curl_easy_setopt.3: mention RTMP URL quirks [17]
+ o curl.1: detail how short/long options work [18]
+ o curl.1: Added information about optional login options to --user option
+ o curl: Added clarification to the --mail options in the --help output
+ o curl_easy_setopt.3: clarify that TIMEOUT and TIMEOUT_MS set the same value
+ o openssl: use correct port number in error message [19]
+ o darwinssl: block TLS_RSA_WITH_NULL_SHA256 cipher
+ o OpenSSL: acknowledge CURLOPT_SSL_VERIFYHOST without VERIFYPEER
+ o xattr: add support for FreeBSD xattr API
+ o win32: fix Visual Studio 2010 build with WINVER >= 0x600 [22]
+ o configure: use icc options without space [21]
+ o test1112: Increase the timeout from 7s to 16s [20]
+ o SCP: upload speed on a fast connection limited to 16384 B/s
+ o curl_setup_once: fix errno access for lwip on Windows [24]
+ o HTTP: Output http response 304 when modified time is too old [23]
 
 This release includes the following known bugs:
 
@@ -74,43 +71,41 @@ This release includes the following known bugs:
 This release would not have looked like this without help, code, reports and
 advice from friends like these:
 
- David Strauss, Kamil Dudka, Steve Holme, Nick Zitzmann, Sam Deane, Duncan,
- Anders Havn, Dan Fandrich, Paul Howarth, Dave Reisner, Wouter Van Rooy,
- Linus Nielsen Feltzing, Ishan SinghLevett, Alessandro Ghedini,
- Ludovico Cavedon, Zdenek Pavlas, Zekun Ni, Lars Johannesen, Marc Hoersken,
- Renaud Guillard, John Gardiner Myers, Jared Jennings, Eric Hu,
- Yamada Yasuharu, Stefan Neis, Mike Giancola, Eric S. Raymond, Andrii Moiseiev,
- Christian Weisgerber, Peter Gal, Aleksey Tulinov, Hang Su, Sergei Nikulov,
- Miguel Angel, Nach M. S., Benjamin Gilbert, Erik Johansson, Timo Sirainen,
- Guenter Knauf
+ Alex McLellan, Bill Doyle, Colby Ranger, Fabian Keil, Gisle Vanem,
+ John E. Malmberg, Jonathan Nieder, Kamil Dudka, Shawn Landden,
+ Tor Arntsen, Will Dietz, Yi Huang, Kyle L. Huff, Steve Holme, Mike Mio,
+ Stefan Neis, Nick Zitzmann, Geoff Beier, John Dunn, Jiri Hruska,
+ Tomas Mlcoch, Kim Vandry, Ben Greear, Gorilla Maguila, Jerry Krinock,
+ Yamada Yasuharu, Gordon Marler, Dave Thompson, D. Flinkmann,
+ Benoit Sigoure, Clemens Gruber, Guenter Knauf, Petr Pisar, Elmira A Semenova,
+ Francois Charlier, Ishan SinghLevett, Marcel Raad, Ulf Samuelsson,
+ Andrej E Baranov, Derek Higgins, Heinrich Schaefer
 
         Thanks! (and sorry if I forgot to mention someone)
 
 References to bug reports and discussions on issues:
 
- [1] = http://curl.haxx.se/mail/lib-2013-04/0142.html
- [2] = http://curl.haxx.se/bug/view.cgi?id=1216
- [3] = http://curl.haxx.se/mail/lib-2013-02/0102.html
- [4] = http://curl.haxx.se/mail/lib-2013-04/0294.html
- [5] = http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=705783
- [6] = https://bugzilla.redhat.com/906031
- [7] = http://curl.haxx.se/bug/view.cgi?id=1218
- [8] = http://curl.haxx.se/mail/lib-2012-03/0114.html
- [9] = http://curl.haxx.se/mail/lib-2013-05/0000.html
- [10] = http://curl.haxx.se/bug/view.cgi?id=1196
- [11] = http://curl.haxx.se/bug/view.cgi?id=1219
- [12] = http://curl.haxx.se/bug/view.cgi?id=1220
- [13] = http://curl.haxx.se/mail/lib-2013-05/0070.html
- [14] = http://curl.haxx.se/bug/view.cgi?id=1221
- [15] = http://curl.haxx.se/bug/view.cgi?id=1230
- [16] = http://curl.haxx.se/bug/view.cgi?id=1233
- [17] = http://curl.haxx.se/bug/view.cgi?id=1234
- [18] = http://curl.haxx.se/bug/view.cgi?id=1224
- [19] = http://curl.haxx.se/bug/view.cgi?id=1239
- [20] = http://curl.haxx.se/bug/view.cgi?id=1236
- [21] = http://curl.haxx.se/bug/view.cgi?id=1228
- [22] = http://curl.haxx.se/bug/view.cgi?id=1235
- [23] = http://curl.haxx.se/bug/view.cgi?id=1238
- [24] = http://curl.haxx.se/bug/view.cgi?id=1215
- [25] = http://curl.haxx.se/bug/view.cgi?id=1248
- [26] = http://curl.haxx.se/docs/adv_20130622.html
+ [1] = http://curl.haxx.se/mail/lib-2013-08/0043.html
+ [2] = http://bugs.debian.org/719856
+ [3] = http://daniel.haxx.se/blog/2013/08/20/testing-curl_multi_socket_action/
+ [4] = http://curl.haxx.se/bug/view.cgi?id=1269
+ [5] = https://github.com/bagder/curl/pull/76
+ [6] = http://curl.haxx.se/mail/lib-2013-08/0211.html
+ [7] = http://curl.haxx.se/bug/view.cgi?id=1264
+ [8] = http://curl.haxx.se/bug/view.cgi?id=1267
+ [9] = http://curl.haxx.se/mail/lib-2013-08/0234.html
+ [10] = http://curl.haxx.se/mail/lib-2013-08/0136.html
+ [11] = https://bugzilla.redhat.com/1005686
+ [12] = http://curl.haxx.se/mail/lib-2013-08/0109.html
+ [13] = http://curl.haxx.se/bug/view.cgi?id=1273
+ [14] = http://curl.haxx.se/mail/lib-2013-08/0209.html
+ [15] = http://curl.haxx.se/mail/lib-2013-08/0265.html
+ [16] = http://curl.haxx.se/mail/lib-2013-08/0170.html
+ [17] = http://curl.haxx.se/bug/view.cgi?id=1278
+ [18] = http://curl.haxx.se/bug/view.cgi?id=1279
+ [19] = http://curl.haxx.se/bug/view.cgi?id=1281
+ [20] = http://curl.haxx.se/mail/lib-2010-02/0200.html
+ [21] = http://curl.haxx.se/mail/lib-2013-09/0182.html
+ [22] = http://curl.haxx.se/bug/view.cgi?id=1282
+ [23] = http://curl.haxx.se/bug/view.cgi?id=1288
+ [24] = http://curl.haxx.se/mail/lib-2013-10/0048.html

acinclude.m4

@@ -2619,48 +2619,49 @@ AC_HELP_STRING([--without-ca-path], [Don't use a default CA path]),
     fi
     capath="$want_capath"
     ca="no"
-  elif test "x$cross_compiling" != "xyes"; then
-    dnl NOT cross-compiling and...
-    dnl neither of the --with-ca-* options are provided
-
+  else
     dnl first try autodetecting a CA bundle , then a CA path
     dnl both autodetections can be skipped by --without-ca-*
     ca="no"
     capath="no"
-    if test "x$want_ca" = "xunset"; then
-      dnl the path we previously would have installed the curl ca bundle
-      dnl to, and thus we now check for an already existing cert in that place
-      dnl in case we find no other
-      if test "x$prefix" != xNONE; then
-        cac="${prefix}/share/curl/curl-ca-bundle.crt"
-      else
-        cac="$ac_default_prefix/share/curl/curl-ca-bundle.crt"
-      fi
+    if test "x$cross_compiling" != "xyes"; then
+      dnl NOT cross-compiling and...
+      dnl neither of the --with-ca-* options are provided
+      if test "x$want_ca" = "xunset"; then
+        dnl the path we previously would have installed the curl ca bundle
+        dnl to, and thus we now check for an already existing cert in that
+        dnl place in case we find no other
+        if test "x$prefix" != xNONE; then
+          cac="${prefix}/share/curl/curl-ca-bundle.crt"
+        else
+          cac="$ac_default_prefix/share/curl/curl-ca-bundle.crt"
+        fi
 
-      for a in /etc/ssl/certs/ca-certificates.crt \
-               /etc/pki/tls/certs/ca-bundle.crt \
-               /usr/share/ssl/certs/ca-bundle.crt \
-               /usr/local/share/certs/ca-root.crt \
-               /etc/ssl/cert.pem \
-               "$cac"; do
-        if test -f "$a"; then
-          ca="$a"
-          break
-        fi
-      done
+        for a in /etc/ssl/certs/ca-certificates.crt \
+                 /etc/pki/tls/certs/ca-bundle.crt \
+                 /usr/share/ssl/certs/ca-bundle.crt \
+                 /usr/local/share/certs/ca-root.crt \
+                 /etc/ssl/cert.pem \
+                 "$cac"; do
+          if test -f "$a"; then
+            ca="$a"
+            break
+          fi
+        done
+      fi
+      if test "x$want_capath" = "xunset" -a "x$ca" = "xno" -a \
+              "x$OPENSSL_ENABLED" = "x1"; then
+        for a in /etc/ssl/certs/; do
+          if test -d "$a" && ls "$a"/[[0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f]].0 >/dev/null 2>/dev/null; then
+            capath="$a"
+            break
+          fi
+        done
+      fi
+    else
+      dnl no option given and cross-compiling
+      AC_MSG_WARN([skipped the ca-cert path detection when cross-compiling])
     fi
-    if test "x$want_capath" = "xunset" -a "x$ca" = "xno" -a \
-            "x$OPENSSL_ENABLED" = "x1"; then
-      for a in /etc/ssl/certs/; do
-        if test -d "$a" && ls "$a"/[[0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f]].0 >/dev/null 2>/dev/null; then
-          capath="$a"
-          break
-        fi
-      done
-    fi
-  else
-    dnl no option given and cross-compiling
-    AC_MSG_WARN([skipped the ca-cert path detection when cross-compiling])
   fi
 
   if test "x$ca" != "xno"; then

configure.ac

@@ -126,7 +126,7 @@ fi
 dnl figure out the libcurl version
 CURLVERSION=`$SED -ne 's/^#define LIBCURL_VERSION "\(.*\)"/\1/p' ${srcdir}/include/curl/curlver.h`
 XC_CHECK_PROG_CC
-AM_INIT_AUTOMAKE
+XC_AUTOMAKE
 AC_MSG_CHECKING([curl version])
 AC_MSG_RESULT($CURLVERSION)
 
@@ -150,7 +150,6 @@ dnl initialize all the info variables
     curl_ssl_msg="no      (--with-{ssl,gnutls,nss,polarssl,cyassl,axtls,winssl,darwinssl} )"
     curl_ssh_msg="no      (--with-libssh2)"
    curl_zlib_msg="no      (--with-zlib)"
-   curl_krb4_msg="no      (--with-krb4*)"
     curl_gss_msg="no      (--with-gssapi)"
  curl_spnego_msg="no      (--with-spnego)"
 curl_tls_srp_msg="no      (--enable-tls-srp)"
@@ -1134,101 +1133,6 @@ no)
         ;;
 esac
 
-dnl **********************************************************************
-dnl Check for the presence of Kerberos4 libraries and headers
-dnl **********************************************************************
-
-AC_ARG_WITH(krb4-includes,
-AC_HELP_STRING([--with-krb4-includes=DIR],
-               [Specify location of kerberos4 headers]),[
- CPPFLAGS="$CPPFLAGS -I$withval"
- KRB4INC="$withval"
- want_krb4=yes
- ])
-
-AC_ARG_WITH(krb4-libs,
-AC_HELP_STRING([--with-krb4-libs=DIR],[Specify location of kerberos4 libs]),[
- LDFLAGS="$LDFLAGS -L$withval"
- KRB4LIB="$withval"
- want_krb4=yes
- ])
-
-
-OPT_KRB4=off
-AC_ARG_WITH(krb4,dnl
-AC_HELP_STRING([--with-krb4=DIR],[where to look for Kerberos4]),[
-  OPT_KRB4="$withval"
-  if test X"$OPT_KRB4" != Xno; then
-    want_krb4="yes"
-    if test X"$OPT_KRB4" != Xyes; then
-      LDFLAGS="$LDFLAGS -L$OPT_KRB4/lib$libsuff"
-      KRB4LIB="$OPT_KRB4/lib$libsuff"
-      CPPFLAGS="$CPPFLAGS -I$OPT_KRB4/include"
-      KRB4INC="$OPT_KRB4/include"
-    fi
-  fi
- ])
-
-AC_MSG_CHECKING([if Kerberos4 support is requested])
-
-if test "$want_krb4" = yes
-then
-  if test "$ipv6" = "yes"; then
-    echo krb4 is not compatible with IPv6
-    exit 1
-  fi
-  AC_MSG_RESULT(yes)
-
-  dnl Check for & handle argument to --with-krb4
-
-  AC_MSG_CHECKING(where to look for Kerberos4)
-  if test X"$OPT_KRB4" = Xyes
-  then
-    AC_MSG_RESULT([defaults])
-  else
-    AC_MSG_RESULT([libs in $KRB4LIB, headers in $KRB4INC])
-  fi
-
-  dnl Check for DES library
-  AC_CHECK_LIB(des, des_pcbc_encrypt,
-  [
-    AC_CHECK_HEADERS(des.h)
-
-    dnl resolv lib?
-    AC_CHECK_FUNC(res_search, , [AC_CHECK_LIB(resolv, res_search)])
-
-    dnl Check for the Kerberos4 library
-    AC_CHECK_LIB(krb, krb_net_read,
-    [
-      dnl Check for header files
-      AC_CHECK_HEADERS(krb.h)
-
-      dnl we found the required libraries, add to LIBS
-      LIBS="-lkrb -lcom_err -ldes $LIBS"
-
-      dnl Check for function krb_get_our_ip_for_realm
-      dnl this is needed for NAT networks
-      AC_CHECK_FUNCS(krb_get_our_ip_for_realm)
-
-      dnl add define KRB4
-      AC_DEFINE(HAVE_KRB4, 1,
-      [if you have the Kerberos4 libraries (including -ldes)])
-
-      dnl substitute it too!
-      KRB4_ENABLED=1
-      AC_SUBST(KRB4_ENABLED)
-
-      curl_krb4_msg="enabled"
-
-      dnl the krb4 stuff needs a strlcpy()
-      AC_CHECK_FUNCS(strlcpy)
-
-    ])
-  ])
-else
-  AC_MSG_RESULT(no)
-fi
-
 dnl **********************************************************************
 dnl Check for FBopenssl(SPNEGO) libraries
 dnl **********************************************************************
@@ -2808,6 +2712,92 @@ dnl http://publibn.boulder.ibm.com/doc_link/en_US/a_doc_lib/aixprggd/ \
 dnl genprogc/thread_quick_ref.htm
 
 
+dnl **********************************************************************
+dnl Check for nghttp2
+dnl **********************************************************************
+
+AC_MSG_CHECKING([whether to build with nghttp2])
+OPT_H2="no"
+AC_ARG_WITH(nghttp2,
+AC_HELP_STRING([--with-nghttp2=PATH],[Enable nghttp2 usage])
+AC_HELP_STRING([--without-nghttp2],[Disable nghttp2 usage]),
+  [OPT_H2=$withval])
+case "$OPT_H2" in
+  no)
+    dnl --without-nghttp2 option used
+    want_idn="no"
+    AC_MSG_RESULT([no])
+    ;;
+  default)
+    dnl configure option not specified
+    want_h2="no"
+    want_h2_path="default"
+    AC_MSG_RESULT([no])
+    ;;
+  yes)
+    dnl --with-nghttp2 option used without path
+    want_h2="yes"
+    want_h2_path=""
+    AC_MSG_RESULT([yes])
+    ;;
+  *)
+    dnl --with-nghttp2 option used with path
+    want_h2="yes"
+    want_h2_path="$withval"
+    AC_MSG_RESULT([yes ($withval)])
+    ;;
+esac
+
+curl_h2_msg="disabled (--with-nghttp2)"
+if test X"$OPT_H2" != Xno; then
+  dnl backup the pre-librtmp variables
+  CLEANLDFLAGS="$LDFLAGS"
+  CLEANCPPFLAGS="$CPPFLAGS"
+  CLEANLIBS="$LIBS"
+
+  h2pcdir=${want_h2_path}/lib/pkgconfig
+  CURL_CHECK_PKGCONFIG(libnghttp2, $h2pcdir)
+
+  if test "$PKGCONFIG" != "no" ; then
+    LIB_H2=`CURL_EXPORT_PCDIR([$h2pcdir])
+      $PKGCONFIG --libs-only-l libnghttp2`
+    AC_MSG_NOTICE([-l is $LIB_H2])
+
+    CPP_H2=`CURL_EXPORT_PCDIR([$h2pcdir]) dnl
+      $PKGCONFIG --cflags-only-I libnghttp2`
+    AC_MSG_NOTICE([-I is $CPP_H2])
+
+    LD_H2=`CURL_EXPORT_PCDIR([$h2pcdir])
+      $PKGCONFIG --libs-only-L libnghttp2`
+    AC_MSG_NOTICE([-L is $LD_H2])
+
+  else
+    dnl To avoid link errors, we do not allow --libnghttp2 without
+    dnl a pkgconfig file
+    AC_MSG_ERROR([--with-nghttp2 was specified but could not find libnghttp2 pkg-config file.])
+  fi
+
+  LDFLAGS="$LDFLAGS $LD_H2"
+  CPPFLAGS="$CPPFLAGS $CPP_H2"
+  LIBS="$LIB_H2 $LIBS"
+
+  AC_CHECK_LIB(nghttp2, nghttp2_session_client_new,
+    [
+     AC_CHECK_HEADERS(nghttp2/nghttp2.h,
+        curl_h2_msg="enabled (nghttp2)"
+        NGHTTP2_ENABLED=1
+        AC_DEFINE(USE_NGHTTP2, 1, [if nghttp2 is in use])
+        AC_SUBST(USE_NGHTTP2, [1])
+     )
+    ],
+      dnl not found, revert back to clean variables
+      LDFLAGS=$CLEANLDFLAGS
+      CPPFLAGS=$CLEANCPPFLAGS
+      LIBS=$CLEANLIBS
+  )
+
+fi
+
 dnl **********************************************************************
 dnl Back to "normal" configuring
 dnl **********************************************************************
@@ -3365,9 +3355,6 @@ if test "x$USE_SSLEAY" = "x1"; then
 elif test -n "$SSL_ENABLED"; then
   SUPPORT_FEATURES="$SUPPORT_FEATURES SSL"
 fi
-if test "@KRB4_ENABLED@" = "x1"; then
-  SUPPORT_FEATURES="$SUPPORT_FEATURES KRB4"
-fi
 if test "x$IPV6_ENABLED" = "x1"; then
   SUPPORT_FEATURES="$SUPPORT_FEATURES IPv6"
 fi
@@ -3397,6 +3384,10 @@ if test "x$USE_TLS_SRP" = "x1"; then
   SUPPORT_FEATURES="$SUPPORT_FEATURES TLS-SRP"
 fi
 
+if test "x$USE_NGHTTP2" = "x1"; then
+  SUPPORT_FEATURES="$SUPPORT_FEATURES HTTP2"
+fi
+
 AC_SUBST(SUPPORT_FEATURES)
 
 dnl For supported protocols in pkg-config file
@@ -3531,6 +3522,8 @@ AC_OUTPUT
 
 CURL_GENERATE_CONFIGUREHELP_PM
 
+XC_AMEND_DISTCLEAN([lib src tests/unit tests/server tests/libtest docs/examples])
+
 AC_MSG_NOTICE([Configured to build curl/libcurl:
 
   curl version:     ${CURLVERSION}
@@ -3540,7 +3533,6 @@ AC_MSG_NOTICE([Configured to build curl/libcurl:
   SSL support:      ${curl_ssl_msg}
   SSH support:      ${curl_ssh_msg}
   zlib support:     ${curl_zlib_msg}
-  krb4 support:     ${curl_krb4_msg}
   GSSAPI support:   ${curl_gss_msg}
   SPNEGO support:   ${curl_spnego_msg}
   TLS-SRP support:  ${curl_tls_srp_msg}
@@ -3559,6 +3551,7 @@ AC_MSG_NOTICE([Configured to build curl/libcurl:
   RTSP support:     ${curl_rtsp_msg}
   RTMP support:     ${curl_rtmp_msg}
   metalink support: ${curl_mtlnk_msg}
+  HTTP2 support:    ${curl_h2_msg}
   Protocols:        ${SUPPORT_PROTOCOLS}
 ])
 

contributors.sh

@@ -0,0 +1,46 @@
+#!/bin/sh
+#***************************************************************************
+#                                  _   _ ____  _
+#  Project                     ___| | | |  _ \| |
+#                             / __| | | | |_) | |
+#                            | (__| |_| |  _ <| |___
+#                             \___|\___/|_| \_\_____|
+#
+# Copyright (C) 2013, Daniel Stenberg, <daniel@haxx.se>, et al.
+#
+# This software is licensed as described in the file COPYING, which
+# you should have received as part of this distribution. The terms
+# are also available at http://curl.haxx.se/docs/copyright.html.
+#
+# You may opt to use, copy, modify, merge, publish, distribute and/or sell
+# copies of the Software, and permit persons to whom the Software is
+# furnished to do so, under the terms of the COPYING file.
+#
+# This software is distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY
+# KIND, either express or implied.
+#
+###########################################################################
+
+#
+# This script shows all mentioned contributors from <hash> until HEAD. To aid
+# when writing RELEASE-NOTES and THANKS.
+#
+
+start=$1
+
+if test -z "$start"; then
+  echo "Usage: $0 <since this tag/hash>"
+fi
+
+# filter out Author:, Commit: and *by: lines
+# cut off the email parts
+# cut off spaces first and last on the line
+# only count names with a space (ie more than one word)
+# sort all unique names
+git log $start..HEAD | \
+egrep '(Author|Commit|by):' | \
+cut -d: -f2- | \
+cut '-d<' -f1 | \
+sed -e 's/^ //' -e 's/ $//g' | \
+grep ' ' | \
+sort -u

curl-config.in

@@ -155,12 +155,12 @@ while test $# -gt 0; do
         ;;
 
     --static-libs)
-	if test "X@ENABLE_STATIC@" != "Xno" ; then
-		echo @libdir@/libcurl.@libext@ @LDFLAGS@ @LIBCURL_LIBS@
-	else
-		echo "curl was built with static libraries disabled" >&2
-		exit 1
-	fi
+        if test "X@ENABLE_STATIC@" != "Xno" ; then
+          echo @libdir@/libcurl.@libext@ @LDFLAGS@ @LIBCURL_LIBS@
+        else
+          echo "curl was built with static libraries disabled" >&2
+          exit 1
+        fi
         ;;
 
     --configure)

docs/CONTRIBUTE

@@ -79,9 +79,9 @@
 1.3 What To Read
 
  Source code, the man pages, the INTERNALS document, TODO, KNOWN_BUGS, the
- most recent CHANGES. Just lurking on the libcurl mailing list is gonna give
- you a lot of insights on what's going on right now. Asking there is a good
- idea too.
+ most recent CHANGES. Just lurking on the curl-library mailing list is gonna
+ give you a lot of insights on what's going on right now. Asking there is a
+ good idea too.
 
 2. cURL Coding Standards
 
@@ -98,12 +98,12 @@
 
 2.2 Indenting
 
- Please try using the same indenting levels and bracing method as all the
- other code already does. It makes the source code a lot easier to follow if
- all of it is written using the same style. We don't ask you to like it, we
- just ask you to follow the tradition! ;-) This mainly means: 2-level indents,
- using spaces only (no tabs) and having the opening brace ({) on the same line
- as the if() or while().
+ Use the same indenting levels and bracing method as all the other code
+ already does. It makes the source code easier to follow if all of it is
+ written using the same style. We don't ask you to like it, we just ask you to
+ follow the tradition! ;-) This mainly means: 2-level indents, using spaces
+ only (no tabs) and having the opening brace ({) on the same line as the if()
+ or while().
 
  Also note that we use if() and while() with no space before the parenthesis.
 
@@ -151,6 +151,9 @@
  description exactly what they correct so that all patches can be selectively
  applied by the maintainer or other interested parties.
 
+ Also, separate patches enable bisecting much better when we track problems in
+ the future.
+
 2.9 Patch Against Recent Sources
 
  Please try to get the latest available sources to make your patches
@@ -178,6 +181,10 @@
  test case that verifies that it works as documented. If every submitter also
  posts a few test cases, it won't end up as a heavy burden on a single person!
 
+ If you don't have test cases or perhaps you have done something that is very
+ hard to write tests for, do explain exactly how you have otherwise tested and
+ verified your changes.
+
 3. Pushing Out Your Changes
 
 3.1 Write Access to git Repository

docs/FAQ

@@ -202,27 +202,25 @@ FAQ
   better. We do however believe in a few rules when it comes to the future of
   curl:
 
-  * Curl -- the command line tool -- is to remain a non-graphical command line
-    tool. If you want GUIs or fancy scripting capabilities, you should look
-    for another tool that uses libcurl.
+  Curl -- the command line tool -- is to remain a non-graphical command line
+  tool. If you want GUIs or fancy scripting capabilities, you should look for
+  another tool that uses libcurl.
 
-  * We do not add things to curl that other small and available tools already
-    do very fine at the side. Curl's output is fine to pipe into another
-    program or redirect to another file for the next program to interpret.
+  We do not add things to curl that other small and available tools already do
+  very fine at the side. Curl's output is fine to pipe into another program or
+  redirect to another file for the next program to interpret.
 
-  * We focus on protocol related issues and improvements. If you wanna do more
-    magic with the supported protocols than curl currently does, chances are
-    big we will agree. If you wanna add more protocols, we may very well
-    agree.
+  We focus on protocol related issues and improvements. If you wanna do more
+  magic with the supported protocols than curl currently does, chances are big
+  we will agree. If you wanna add more protocols, we may very well agree.
 
-  * If you want someone else to make all the work while you wait for us to
-    implement it for you, that is not a very friendly attitude. We spend a
-    considerable time already on maintaining and developing curl. In order to
-    get more out of us, you should consider trading in some of your time and
-    efforts in return.
+  If you want someone else to make all the work while you wait for us to
+  implement it for you, that is not a very friendly attitude. We spend a
+  considerable time already on maintaining and developing curl. In order to
+  get more out of us, you should consider trading in some of your time and
+  efforts in return.
 
-  * If you write the code, chances are bigger that it will get into curl
-    faster.
+  If you write the code, chances are bigger that it will get into curl faster.
 
   1.5 Who makes curl?
 
@@ -263,7 +261,7 @@ FAQ
 
   Our project name curl has been in effective use since 1998. We were not the
   first computer related project to use the name "curl" and do not claim any
-  first-hand rights to the name.
+  rights to the name.
 
   We recognize that we will be living in parallel with curl.com and wish them
   every success.
@@ -620,15 +618,15 @@ FAQ
 
   Some workarounds usually suggested to overcome this Javascript dependency:
 
-  - Depending on the Javascript complexity, write up a script that
-    translates it to another language and execute that.
+  Depending on the Javascript complexity, write up a script that translates it
+  to another language and execute that.
 
-  - Read the Javascript code and rewrite the same logic in another language.
+  Read the Javascript code and rewrite the same logic in another language.
 
-  - Implement a Javascript interpreter, people have successfully used the
-    Mozilla Javascript engine in the past.
+  Implement a Javascript interpreter, people have successfully used the
+  Mozilla Javascript engine in the past.
 
-  - Ask your admins to stop this, for a static proxy setup or similar.
+  Ask your admins to stop this, for a static proxy setup or similar.
 
   3.15 Can I do recursive fetches with curl?
 
@@ -644,34 +642,38 @@ FAQ
   There are three different kinds of "certificates" to keep track of when we
   talk about using SSL-based protocols (HTTPS or FTPS) using curl or libcurl.
 
-  - Client certificate. The server you communicate may require that you can
-    provide this in order to prove that you actually are who you claim to be.
-    If the server doesn't require this, you don't need a client certificate.
+  CLIENT CERTIFICATE
 
-    A client certificate is always used together with a private key, and the
-    private key has a pass phrase that protects it.
+  The server you communicate may require that you can provide this in order to
+  prove that you actually are who you claim to be.  If the server doesn't
+  require this, you don't need a client certificate.
 
-  - Server certificate. The server you communicate with has a server
-    certificate. You can and should verify this certificate to make sure that
-    you are truly talking to the real server and not a server impersonating
-    it.
+  A client certificate is always used together with a private key, and the
+  private key has a pass phrase that protects it.
 
-  - Certificate Authority certificate ("CA cert"). You often have several CA
-    certs in a CA cert bundle that can be used to verify a server certificate
-    that was signed by one of the authorities in the bundle. curl does not
-    come with a CA cert bundle but most curl installs provide one. You can
-    also override the default.
+  SERVER CERTIFICATE
 
-    The server certificate verification process is made by using a Certificate
-    Authority certificate ("CA cert") that was used to sign the server
-    certificate. Server certificate verification is enabled by default in curl
-    and libcurl and is often the reason for problems as explained in FAQ entry
-    4.12 and the SSLCERTS document
-    (http://curl.haxx.se/docs/sslcerts.html). Server certificates that are
-    "self-signed" or otherwise signed by a CA that you do not have a CA cert
-    for, cannot be verified. If the verification during a connect fails, you
-    are refused access. You then need to explicitly disable the verification
-    to connect to the server.
+  The server you communicate with has a server certificate. You can and should
+  verify this certificate to make sure that you are truly talking to the real
+  server and not a server impersonating it.
+
+  CERTIFICATE AUTHORITY CERTIFICATE ("CA cert")
+
+  You often have several CA certs in a CA cert bundle that can be used to
+  verify a server certificate that was signed by one of the authorities in the
+  bundle. curl does not come with a CA cert bundle but most curl installs
+  provide one. You can also override the default.
+
+  The server certificate verification process is made by using a Certificate
+  Authority certificate ("CA cert") that was used to sign the server
+  certificate. Server certificate verification is enabled by default in curl
+  and libcurl and is often the reason for problems as explained in FAQ entry
+  4.12 and the SSLCERTS document
+  (http://curl.haxx.se/docs/sslcerts.html). Server certificates that are
+  "self-signed" or otherwise signed by a CA that you do not have a CA cert
+  for, cannot be verified. If the verification during a connect fails, you are
+  refused access. You then need to explicitly disable the verification to
+  connect to the server.
 
   3.17 How do I list the root dir of an FTP server?
 
@@ -794,12 +796,13 @@ FAQ
 
      curl 'http://www.altavista.com/cgi-bin/query?text=yes&q=curl'
 
-  In Windows, the standard DOS shell treats the %-symbol specially and you
-  need to use TWO %-symbols for each single one you want to use in the URL.
+  In Windows, the standard DOS shell treats the percent sign specially and you
+  need to use TWO percent signs for each single one you want to use in the
+  URL.
 
-  Also note that if you want the literal %-symbol to be part of the data you
-  pass in a POST using -d/--data you must encode it as '%25' (which then also
-  needs the %-symbol doubled on Windows machines).
+  If you want a literal percent sign to be part of the data you pass in a POST
+  using -d/--data you must encode it as '%25' (which then also needs the
+  percent sign doubled on Windows machines).
 
   4.3 How can I use {, }, [ or ] to specify multiple URLs?
 
@@ -968,13 +971,13 @@ FAQ
   4.14 Redirects work in browser but not with curl!
 
   curl supports HTTP redirects fine (see item 3.8). Browsers generally support
-  at least two other ways to perform directs that curl does not:
+  at least two other ways to perform redirects that curl does not:
 
-  - Meta tags. You can write a HTML tag that will cause the browser to
-    redirect to another given URL after a certain time.
+  Meta tags. You can write a HTML tag that will cause the browser to redirect
+  to another given URL after a certain time.
 
-  - Javascript. You can write a Javascript program embedded in a HTML page
-    that redirects the browser to another given URL.
+  Javascript. You can write a Javascript program embedded in a HTML page that
+  redirects the browser to another given URL.
 
   There is no way to make curl follow these redirects. You must either
   manually figure out what the page is set to do, or you write a script that
@@ -1270,17 +1273,18 @@ FAQ
 
   5.12 Can I make libcurl fake or hide my real IP address?
 
-  No. libcurl operates on a higher level than so. Besides, faking IP address
-  would imply sending IP packages with a made-up source address, and then you
-  normally get a problem with intercepting the packages sent back as they
-  would then not be routed to you!
+  No. libcurl operates on a higher level. Besides, faking IP address would
+  imply sending IP packet with a made-up source address, and then you normally
+  get a problem with receiving the packet sent back as they would then not be
+  routed to you!
 
   If you use a proxy to access remote sites, the sites will not see your local
   IP address but instead the address of the proxy.
 
   Also note that on many networks NATs or other IP-munging techniques are used
   that makes you see and use a different IP address locally than what the
-  remote server will see you coming from.
+  remote server will see you coming from. You may also consider using
+  http://www.torproject.org .
 
   5.13 How do I stop an ongoing transfer?
 

docs/INSTALL

@@ -1045,7 +1045,7 @@ PORTS
         - Alpha OpenVMS V7.1-1H2
         - Alpha Tru64 v5.0 5.1
         - AVR32 Linux
-        - ARM Android 1.5, 2.1
+        - ARM Android 1.5, 2.1, 2.3, 3.2, 4.x
         - ARM INTEGRITY
         - ARM iOS
         - Cell Linux
@@ -1116,6 +1116,7 @@ GNU GSS      http://www.gnu.org/software/gss/
 GnuTLS       http://www.gnu.org/software/gnutls/
 Heimdal      http://www.pdc.kth.se/heimdal/
 libidn       http://www.gnu.org/software/libidn/
+libmetalink  https://launchpad.net/libmetalink/
 libssh2      http://www.libssh2.org/
 MIT Kerberos http://web.mit.edu/kerberos/www/dist/
 NSS          http://www.mozilla.org/projects/security/pki/nss/

docs/INTERNALS

@@ -111,6 +111,9 @@ Windows vs Unix
 Library
 =======
 
+ (See LIBCURL-STRUCTS for a separate document describing all major internal
+ structs and their purposes.)
+
  There are plenty of entry points to the library, namely each publicly defined
  function that libcurl offers to applications. All of those functions are
  rather small and easy-to-follow. All the ones prefixed with 'curl_easy' are
@@ -135,16 +138,18 @@ Library
  options is documented in the man page. This function mainly sets things in
  the 'SessionHandle' struct.
 
- curl_easy_perform() does a whole lot of things:
+ curl_easy_perform() is just a wrapper function that makes use of the multi
+ API.  It basically curl_multi_init(), curl_multi_add_handle(),
+ curl_multi_wait(), and curl_multi_perform() until the transfer is done and
+ then returns.
 
- It starts off in the lib/easy.c file by calling Curl_perform() and the main
- work then continues in lib/url.c. The flow continues with a call to
- Curl_connect() to connect to the remote site.
+ Some of the most important key functions in url.c are called from multi.c
+ when certain key steps are to be made in the transfer operation.
 
  o Curl_connect()
 
-   ... analyzes the URL, it separates the different components and connects to
-   the remote host. This may involve using a proxy and/or using SSL. The
+   Analyzes the URL, it separates the different components and connects to the
+   remote host. This may involve using a proxy and/or using SSL. The
    Curl_resolv() function in lib/hostip.c is used for looking up host names
    (it does then use the proper underlying method, which may vary between
    platforms and builds).
@@ -160,10 +165,7 @@ Library
  o Curl_do()
 
    Curl_do() makes sure the proper protocol-specific function is called. The
-   functions are named after the protocols they handle. Curl_ftp(),
-   Curl_http(), Curl_dict(), etc. They all reside in their respective files
-   (ftp.c, http.c and dict.c). HTTPS is handled by Curl_http() and FTPS by
-   Curl_ftp().
+   functions are named after the protocols they handle.
 
    The protocol-specific functions of course deal with protocol-specific
    negotiations and setup. They have access to the Curl_sendf() (from
@@ -182,10 +184,9 @@ Library
    be called with some basic info about the upcoming transfer: what socket(s)
    to read/write and the expected file transfer sizes (if known).
 
- o Transfer()
+ o Curl_readwrite()
 
-   Curl_perform() then calls Transfer() in lib/transfer.c that performs the
-   entire file transfer.
+   Called during the transfer of the actual protocol payload.
 
    During transfer, the progress functions in lib/progress.c are called at a
    frequent interval (or at the user's choice, a specified callback might get
@@ -207,33 +208,11 @@ Library
    used. This function is only used when we are certain that no more transfers
    is going to be made on the connection. It can be also closed by force, or
    it can be called to make sure that libcurl doesn't keep too many
-   connections alive at the same time (there's a default amount of 5 but that
-   can be changed with the CURLOPT_MAXCONNECTS option).
+   connections alive at the same time.
 
    This function cleans up all resources that are associated with a single
    connection.
 
- Curl_perform() is the function that does the main "connect - do - transfer -
- done" loop. It loops if there's a Location: to follow.
-
- When completed, the curl_easy_cleanup() should be called to free up used
- resources. It runs Curl_disconnect() on all open connections.
-
- A quick roundup on internal function sequences (many of these call
- protocol-specific function-pointers):
-
-  Curl_connect - connects to a remote site and does initial connect fluff
-   This also checks for an existing connection to the requested site and uses
-   that one if it is possible.
-
-   Curl_do - starts a transfer
-    Curl_handler::do_it() - transfers data
-   Curl_done - ends a transfer
-
-  Curl_disconnect - disconnects from a remote site. This is called when the
-   disconnect is really requested, which doesn't necessarily have to be
-   exactly after curl_done in case we want to keep the connection open for
-   a while.
 
  HTTP(S)
 
@@ -316,48 +295,38 @@ Persistent Connections
    hold connection-oriented data. It is meant to hold the root data as well as
    all the options etc that the library-user may choose.
  o The 'SessionHandle' struct holds the "connection cache" (an array of
-   pointers to 'connectdata' structs). There's one connectdata struct
-   allocated for each connection that libcurl knows about. Note that when you
-   use the multi interface, the multi handle will hold the connection cache
-   and not the particular easy handle. This of course to allow all easy handles
-   in a multi stack to be able to share and re-use connections.
+   pointers to 'connectdata' structs).
  o This enables the 'curl handle' to be reused on subsequent transfers.
- o When we are about to perform a transfer with curl_easy_perform(), we first
-   check for an already existing connection in the cache that we can use,
-   otherwise we create a new one and add to the cache. If the cache is full
-   already when we add a new connection, we close one of the present ones. We
-   select which one to close dependent on the close policy that may have been
-   previously set.
- o When the transfer operation is complete, we try to leave the connection
-   open. Particular options may tell us not to, and protocols may signal
-   closure on connections and then we don't keep it open of course.
+ o When libcurl is told to perform a transfer, it first checks for an already
+   existing connection in the cache that we can use. Otherwise it creates a
+   new one and adds that the cache. If the cache is full already when a new
+   conncetion is added added, it will first close the oldest unused one.
+ o When the transfer operation is complete, the connection is left
+   open. Particular options may tell libcurl not to, and protocols may signal
+   closure on connections and then they won't be kept open of course.
  o When curl_easy_cleanup() is called, we close all still opened connections,
    unless of course the multi interface "owns" the connections.
 
- You do realize that the curl handle must be re-used in order for the
- persistent connections to work.
+ The curl handle must be re-used in order for the persistent connections to
+ work.
 
 multi interface/non-blocking
 ============================
 
- We make an effort to provide a non-blocking interface to the library, the
- multi interface. To make that interface work as good as possible, no
- low-level functions within libcurl must be written to work in a blocking
- manner.
+ The multi interface is a non-blocking interface to the library. To make that
+ interface work as good as possible, no low-level functions within libcurl
+ must be written to work in a blocking manner. (There are still a few spots
+ violating this rule.)
 
  One of the primary reasons we introduced c-ares support was to allow the name
  resolve phase to be perfectly non-blocking as well.
 
- The ultimate goal is to provide the easy interface simply by wrapping the
- multi interface functions and thus treat everything internally as the multi
- interface is the single interface we have.
-
- The FTP and the SFTP/SCP protocols are thus perfect examples of how we adapt
- and adjust the code to allow non-blocking operations even on multi-stage
- protocols. They are built around state machines that return when they could
- block waiting for data.  The DICT, LDAP and TELNET protocols are crappy
- examples and they are subject for rewrite in the future to better fit the
- libcurl protocol family.
+ The FTP and the SFTP/SCP protocols are examples of how we adapt and adjust
+ the code to allow non-blocking operations even on multi-stage command-
+ response protocols. They are built around state machines that return when
+ they would otherwise block waiting for data.  The DICT, LDAP and TELNET
+ protocols are crappy examples and they are subject for rewrite in the future
+ to better fit the libcurl protocol family.
 
 SSL libraries
 =============
@@ -408,12 +377,12 @@ API/ABI
 Client
 ======
 
- main() resides in src/main.c together with most of the client code.
+ main() resides in src/tool_main.c.
 
  src/tool_hugehelp.c is automatically generated by the mkhelp.pl perl script
- to display the complete "manual" and the src/urlglob.c file holds the
- functions used for the URL-"globbing" support. Globbing in the sense that
- the {} and [] expansion stuff is there.
+ to display the complete "manual" and the src/tool_urlglob.c file holds the
+ functions used for the URL-"globbing" support. Globbing in the sense that the
+ {} and [] expansion stuff is there.
 
  The client mostly messes around to setup its 'config' struct properly, then
  it calls the curl_easy_*() functions of the library and when it gets back
@@ -425,8 +394,8 @@ Client
  curl_easy_getinfo() function to extract useful information from the curl
  session.
 
- Recent versions may loop and do all this several times if many URLs were
- specified on the command line or config file.
+ It may loop and do all this several times if many URLs were specified on the
+ command line or config file.
 
 Memory Debugging
 ================

docs/KNOWN_BUGS

@@ -3,6 +3,17 @@ join in and help us correct one or more of these! Also be sure to check the
 changelog of the current development status, as one or more of these problems
 may have been fixed since this was written!
 
+84. CURLINFO_SSL_VERIFYRESULT is only implemented for the OpenSSL and NSS
+  backends, so relying on this information in a generic app is flaky.
+
+83. curl is unable to load non-default openssl engines, because openssl isn't
+  initialized properly. This seems to require OpenSSL_config() or
+  CONF_modules_load_file() to be used by libcurl but the first seems to not
+  work and we've gotten not reports from tests with the latter. Possibly we
+  need to discuss with OpenSSL developers how this is supposed to be done. We
+  need users with actual external openssl engines for testing to work on this.
+  http://curl.haxx.se/bug/view.cgi?id=1208
+
 82. When building with the Windows Borland compiler, it fails because the
   "tlib" tool doesn't support hyphens (minus signs) in file names and we have
   such in the build.
@@ -16,18 +27,18 @@ may have been fixed since this was written!
 
 80. Curl doesn't recognize certificates in DER format in keychain, but it
   works with PEM.
-  http://curl.haxx.se/bug/view.cgi?id=3439999
+  http://curl.haxx.se/bug/view.cgi?id=1065
 
 79. SMTP. When sending data to multiple recipients, curl will abort and return
   failure if one of the recipients indicate failure (on the "RCPT TO"
   command). Ordinary mail programs would proceed and still send to the ones
   that can receive data. This is subject for change in the future.
-  http://curl.haxx.se/bug/view.cgi?id=3438362
+  http://curl.haxx.se/bug/view.cgi?id=1116
 
 78. curl and libcurl don't always signal the client properly when "sending"
   zero bytes files - it makes for example the command line client not creating
   any file at all. Like when using FTP.
-  http://curl.haxx.se/bug/view.cgi?id=3438362
+  http://curl.haxx.se/bug/view.cgi?id=1063
 
 77. CURLOPT_FORBID_REUSE on a handle prevents NTLM from working since it
   "abuses" the underlying connection re-use system and if connections are
@@ -42,7 +53,7 @@ may have been fixed since this was written!
   properly if built with UNICODE defined together with the schannel/winssl
   backend. The original problem was mentioned in:
   http://curl.haxx.se/mail/lib-2009-10/0024.html
-  http://curl.haxx.se/bug/view.cgi?id=2944325
+  http://curl.haxx.se/bug/view.cgi?id=896
 
   The schannel version verified to work as mentioned in
   http://curl.haxx.se/mail/lib-2012-07/0073.html
@@ -52,7 +63,7 @@ may have been fixed since this was written!
   acknowledge the connection timeout during that phase but only the "real"
   timeout - which may surprise users as it is probably considered to be the
   connect phase to most people. Brought up (and is being misunderstood) in:
-  http://curl.haxx.se/bug/view.cgi?id=2844077
+  http://curl.haxx.se/bug/view.cgi?id=856
 
 72. "Pausing pipeline problems."
   http://curl.haxx.se/mail/lib-2009-07/0214.html
@@ -70,7 +81,7 @@ may have been fixed since this was written!
   http://tools.ietf.org/html/draft-reschke-rfc2231-in-http-02
 
 66. When using telnet, the time limitation options don't work.
-  http://curl.haxx.se/bug/view.cgi?id=2818950
+  http://curl.haxx.se/bug/view.cgi?id=846
 
 65. When doing FTP over a socks proxy or CONNECT through HTTP proxy and the
   multi interface is used, libcurl will fail if the (passive) TCP connection
@@ -96,19 +107,12 @@ may have been fixed since this was written!
   CURLOPT_FAILONERROR with FTP to detect if a file exists or not, but it is
   not working: http://curl.haxx.se/mail/lib-2008-07/0295.html
 
-57. On VMS-Alpha: When using an http-file-upload the file is not sent to the
-  Server with the correct content-length.  Sending a file with 511 or less
-  bytes, content-length 512 is used.  Sending a file with 513 - 1023 bytes,
-  content-length 1024 is used.  Files with a length of a multiple of 512 Bytes
-  show the correct content-length. Only these files work for upload.
-  http://curl.haxx.se/bug/view.cgi?id=2057858
-
 56. When libcurl sends CURLOPT_POSTQUOTE commands when connected to a SFTP
   server using the multi interface, the commands are not being sent correctly
   and instead the connection is "cancelled" (the operation is considered done)
   prematurely. There is a half-baked (busy-looping) patch provided in the bug
   report but it cannot be accepted as-is. See
-  http://curl.haxx.se/bug/view.cgi?id=2006544
+  http://curl.haxx.se/bug/view.cgi?id=748
 
 55. libcurl fails to build with MIT Kerberos for Windows (KfW) due to KfW's
   library header files exporting symbols/macros that should be kept private
@@ -132,12 +136,12 @@ may have been fixed since this was written!
   protocol code. This should be very rare.
 
 43. There seems to be a problem when connecting to the Microsoft telnet server.
-  http://curl.haxx.se/bug/view.cgi?id=1720605
+  http://curl.haxx.se/bug/view.cgi?id=649
 
 41. When doing an operation over FTP that requires the ACCT command (but not
   when logging in), the operation will fail since libcurl doesn't detect this
   and thus fails to issue the correct command:
-  http://curl.haxx.se/bug/view.cgi?id=1693337
+  http://curl.haxx.se/bug/view.cgi?id=635
 
 39. Steffen Rumler's Race Condition in Curl_proxyCONNECT:
   http://curl.haxx.se/mail/lib-2007-01/0045.html
@@ -150,7 +154,7 @@ may have been fixed since this was written!
 
 34. The SOCKS4 connection codes don't properly acknowledge (connect) timeouts.
   Also see #12. According to bug #1556528, even the SOCKS5 connect code does
-  not do it right: http://curl.haxx.se/bug/view.cgi?id=1556528,
+  not do it right: http://curl.haxx.se/bug/view.cgi?id=604
 
 31. "curl-config --libs" will include details set in LDFLAGS when configure is
   run that might be needed only for building libcurl. Further, curl-config
@@ -165,13 +169,12 @@ may have been fixed since this was written!
   IDs in URLs to get around the problem of percent signs being
   special. According to the reporter, Firefox deals with the URL _with_ a
   percent letter (which seems like a blatant URL spec violation).
-  libcurl supports zone IDs where the percent sign is URL-escaped (i.e. %25).
-
-   See http://curl.haxx.se/bug/view.cgi?id=1371118
+  libcurl supports zone IDs where the percent sign is URL-escaped (i.e. %25):
+  http://curl.haxx.se/bug/view.cgi?id=555
 
 26. NTLM authentication using SSPI (on Windows) when (lib)curl is running in
   "system context" will make it use wrong(?) user name - at least when compared
-  to what winhttp does. See http://curl.haxx.se/bug/view.cgi?id=1281867
+  to what winhttp does. See http://curl.haxx.se/bug/view.cgi?id=535
 
 23. SOCKS-related problems:
   B) libcurl doesn't support FTPS over a SOCKS proxy.
@@ -180,12 +183,6 @@ may have been fixed since this was written!
   We probably have even more bugs and lack of features when a SOCKS proxy is
   used.
 
-22. Sending files to a FTP server using curl on VMS, might lead to curl
-  complaining on "unaligned file size" on completion. The problem is related
-  to VMS file structures and the perceived file sizes stat() returns. A
-  possible fix would involve sending a "STRU VMS" command.
-  http://curl.haxx.se/bug/view.cgi?id=1156287
-
 21. FTP ASCII transfers do not follow RFC959. They don't convert the data
    accordingly (not for sending nor for receiving). RFC 959 section 3.1.1.1
    clearly describes how this should be done:
@@ -223,7 +220,7 @@ may have been fixed since this was written!
 10. To get HTTP Negotiate authentication to work fine, you need to provide a
   (fake) user name (this concerns both curl and the lib) because the code
   wrongly only considers authentication if there's a user name provided.
-  http://curl.haxx.se/bug/view.cgi?id=1004841. How?
+  http://curl.haxx.se/bug/view.cgi?id=440 How?
   http://curl.haxx.se/mail/lib-2004-08/0182.html
 
 8. Doing resumed upload over HTTP does not work with '-C -', because curl

docs/LIBCURL-STRUCTS

@@ -0,0 +1,245 @@
+                                  _   _ ____  _
+                              ___| | | |  _ \| |
+                             / __| | | | |_) | |
+                            | (__| |_| |  _ <| |___
+                             \___|\___/|_| \_\_____|
+
+Structs in libcurl
+
+This document should cover 7.32.0 pretty accurately, but will make sense even
+for older and later versions as things don't change drastically that often.
+
+ 1. The main structs in libcurl
+  1.1 SessionHandle
+  1.2 connectdata
+  1.3 Curl_multi
+  1.4 Curl_handler
+  1.5 conncache
+  1.6 Curl_share
+  1.7 CookieInfo
+
+==============================================================================
+
+1. The main structs in libcurl
+
+  1.1 SessionHandle
+
+  The SessionHandle handle struct is the one returned to the outside in the
+  external API as a "CURL *". This is usually known as an easy handle in API
+  documentations and examples.
+
+  Information and state that is related to the actual connection is in the
+  'connectdata' struct. When a transfer is about to be made, libcurl will
+  either create a new connection or re-use an existing one. The particular
+  connectdata that is used by this handle is pointed out by
+  SessionHandle->easy_conn.
+
+  Data and information that regard this particular single transfer is put in
+  the SingleRequest sub-struct.
+
+  When the SessionHandle struct is added to a multi handle, as it must be in
+  order to do any transfer, the ->multi member will point to the Curl_multi
+  struct it belongs to. The ->prev and ->next members will then be used by the
+  multi code to keep a linked list of SessionHandle structs that are added to
+  that same multi handle. libcurl always uses multi so ->multi *will* point to
+  a Curl_multi when a transfer is in progress.
+
+  ->mstate is the multi state of this particular SessionHandle. When
+  multi_runsingle() is called, it will act on this handle according to which
+  state it is in. The mstate is also what tells which sockets to return for a
+  speicific SessionHandle when curl_multi_fdset() is called etc.
+
+  The libcurl source code generally use the name 'data' for the variable that
+  points to the SessionHandle.
+
+
+  1.2 connectdata
+
+  A general idea in libcurl is to keep connections around in a connection
+  "cache" after they have been used in case they will be used again and then
+  re-use an existing one instead of creating a new as it creates a significant
+  performance boost.
+
+  Each 'connectdata' identifies a single physical conncetion to a server. If
+  the connection can't be kept alive, the connection will be closed after use
+  and then this struct can be removed from the cache and freed.
+
+  Thus, the same SessionHandle can be used multiple times and each time select
+  another connectdata struct to use for the connection. Keep this in mind, as
+  it is then important to consider if options or choices are based on the
+  connection or the SessionHandle.
+
+  Functions in libcurl will assume that connectdata->data points to the
+  SessionHandle that uses this connection.
+
+  As a special complexity, some protocols supported by libcurl require a
+  special disconnect procedure that is more than just shutting down the
+  socket. It can involve sending one or more commands to the server before
+  doing so. Since connections are kept in the connection cache after use, the
+  original SessionHandle may no longer be around when the time comes to shut
+  down a particular connection. For this purpose, libcurl holds a special
+  dummy 'closure_handle' SessionHandle in the Curl_multi struct to 
+
+  FTP uses two TCP connections for a typical transfer but it keeps both in
+  this single struct and thus can be considered a single connection for most
+  internal concerns.
+
+  The libcurl source code generally use the name 'conn' for the variable that
+  points to the connectdata.
+
+
+  1.3 Curl_multi
+
+  Internally, the easy interface is implemented as a wrapper around multi
+  interface functions. This makes everything multi interface.
+
+  Curl_multi is the multi handle struct exposed as "CURLM *" in external APIs.
+
+  This struct holds a list of SessionHandle structs that have been added to
+  this handle with curl_multi_add_handle(). The start of the list is ->easyp
+  and ->num_easy is a counter of added SessionHandles.
+
+  ->msglist is a linked list of messages to send back when
+  curl_multi_info_read() is called. Basically a node is added to that list
+  when an individual SessionHandle's transfer has completed.
+
+  ->hostcache points to the name cache. It is a hash table for looking up name
+  to IP. The nodes have a limited life time in there and this cache is meant
+  to reduce the time for when the same name is wanted within a short period of
+  time.
+
+  ->timetree points to a tree of SessionHandles, sorted by the remaining time
+  until it should be checked - normally some sort of timeout. Each
+  SessionHandle has one node in the tree.
+
+  ->sockhash is a hash table to allow fast lookups of socket descriptor to
+  which SessionHandle that uses that descriptor. This is necessary for the
+  multi_socket API.
+
+  ->conn_cache points to the connection cache. It keeps track of all
+  connections that are kept after use. The cache has a maximum size.
+
+  ->closure_handle is described in the 'connectdata' section.
+
+  The libcurl source code generally use the name 'multi' for the variable that
+  points to the Curl_multi struct.
+
+
+  1.4 Curl_handler
+
+  Each unique protocol that is supported by libcurl needs to provide at least
+  one Curl_handler struct. It defines what the protocol is called and what
+  functions the main code should call to deal with protocol specific issues.
+  In general, there's a source file named [protocol].c in which there's a
+  "struct Curl_handler Curl_handler_[protocol]" declared. In url.c there's
+  then the main array with all individual Curl_handler structs pointed to from
+  a single array which is scanned through when a URL is given to libcurl to
+  work with.
+
+  ->scheme is the URL scheme name, usually spelled out in uppercase. That's
+  "HTTP" or "FTP" etc. SSL versions of the protcol need its own Curl_handler
+  setup so HTTPS separate from HTTP.
+
+  ->setup_connection is called to allow the protocol code to allocate protocol
+  specific data that then gets associated with that SessionHandle for the rest
+  of this transfer. It gets freed again at the end of the transfer. It will be
+  called before the 'connectdata' for the transfer has been selected/created.
+  Most protocols will allocate its private 'struct [PROTOCOL]' here and assign
+  SessionHandle->req.protop to point to it.
+
+  ->connect_it allows a protocol to do some specific actions after the TCP
+  connect is done, that can still be considered part of the connection phase.
+
+  Some protocols will alter the connectdata->recv[] and connectdata->send[]
+  function pointers in this function.
+
+  ->connecting is similarly a function that keeps getting called as long as the
+  protocol considers itself still in the connecting phase.
+
+  ->do_it is the function called to issue the transfer request. What we call
+  the DO action internally. If the DO is not enough and things need to be kept
+  getting done for the entier DO sequence to complete, ->doing is then usually
+  also provided. Each protocol that needs to do multiple commands or similar
+  for do/doing need to implement their own state machines (see SCP, SFTP,
+  FTP). Some protocols (only FTP and only due to historical reasons) has a
+  separate piece of the DO state called DO_MORE.
+
+  ->doing keeps getting called while issudeing the transfer request command(s)
+
+  ->done gets called when the transfer is complete and DONE. That's after the
+  main data has been transferred.
+
+  ->do_more gets called doring the DO_MORE state. The FTP protocol uses this
+  state when setting up the second connection.
+
+  ->proto_getsock
+  ->doing_getsock
+  ->domore_getsock
+  ->perform_getsock
+  Functions that return socket information. Which socket(s) to wait for which
+  action(s) during the particular multi state.
+
+  ->disconnect is called immediately before the TCP connection is shutdown.
+
+  ->readwrite gets called during transfer to allow the protocol to do extra
+  reads/writes
+
+  ->defport is the default report TCP or UDP port this protocol uses
+
+  ->protocol is one or more bits in the CURLPROTO_* set. The SSL versions have
+  their "base" protocol set and then the SSL variation. Like "HTTP|HTTPS".
+
+  ->flags is a bitmask with additional information about the protocol that will
+  make it get treated differently by the generic engine:
+
+    PROTOPT_SSL - will make it connect and negotiate SSL
+
+    PROTOPT_DUAL - this protocol uses two connections
+
+    PROTOPT_CLOSEACTION - this protocol has actions to do before closing the
+    connection. This flag is no longer used by code, yet still set for a bunch
+    protocol handlers.
+  
+    PROTOPT_DIRLOCK - "direction lock". The SSH protocols set this bit to
+    limit which "direction" of socket actions that the main engine will
+    concern itself about.
+
+    PROTOPT_NONETWORK - a protocol that doesn't use network (read file:)
+
+    PROTOPT_NEEDSPWD - this protocol needs a password and will use a default
+    one unless one is provided
+
+    PROTOPT_NOURLQUERY - this protocol can't handle a query part on the URL
+    (?foo=bar)
+
+
+  1.5 conncache
+
+  Is a hash table with connections for later re-use. Each SessionHandle has
+  a pointer to its connection cache. Each multi handle sets up a connection
+  cache that all added SessionHandles share by default.
+
+
+  1.6 Curl_share
+  
+  The libcurl share API allocates a Curl_share struct, exposed to the external
+  API as "CURLSH *".
+
+  The idea is that the struct can have a set of own versions of caches and
+  pools and then by providing this struct in the CURLOPT_SHARE option, those
+  specific SessionHandles will use the caches/pools that this share handle
+  holds.
+
+  Then individual SessionHandle structs can be made to share specific things
+  that they otherwise wouldn't, such as cookies.
+
+  The Curl_share struct can currently hold cookies, DNS cache and the SSL
+  session cache.
+
+  
+  1.7 CookieInfo
+
+  This is the main cookie struct. It holds all known cookies and related
+  information. Each SessionHandle has its own private CookieInfo even when
+  they are added to a multi handle. They can be made to share cookies by using
+  the share API.

docs/Makefile.am

@@ -5,7 +5,7 @@
 #                            | (__| |_| |  _ <| |___
 #                             \___|\___/|_| \_\_____|
 #
-# Copyright (C) 1998 - 2012, Daniel Stenberg, <daniel@haxx.se>, et al.
+# Copyright (C) 1998 - 2013, Daniel Stenberg, <daniel@haxx.se>, et al.
 #
 # This software is licensed as described in the file COPYING, which
 # you should have received as part of this distribution. The terms
@@ -22,7 +22,8 @@
 
 AUTOMAKE_OPTIONS = foreign no-dependencies
 
-man_MANS = curl.1 curl-config.1 mk-ca-bundle.1
+man_MANS = curl.1 curl-config.1
+noinst_man_MANS = mk-ca-bundle.1
 GENHTMLPAGES = curl.html curl-config.html mk-ca-bundle.html
 PDFPAGES = curl.pdf curl-config.pdf mk-ca-bundle.pdf
 
@@ -36,7 +37,7 @@ EXTRA_DIST = MANUAL BUGS CONTRIBUTE FAQ FEATURES INTERNALS SSLCERTS	 \
  README.win32 RESOURCES TODO TheArtOfHttpScripting THANKS VERSIONS	 \
  KNOWN_BUGS BINDINGS $(man_MANS) $(HTMLPAGES) HISTORY INSTALL		 \
  $(PDFPAGES) LICENSE-MIXING README.netware DISTRO-DILEMMA INSTALL.devcpp \
- MAIL-ETIQUETTE HTTP-COOKIES
+ MAIL-ETIQUETTE HTTP-COOKIES LIBCURL-STRUCTS
 
 MAN2HTML= roffit < $< >$@
 

docs/THANKS

@@ -21,6 +21,7 @@ Albert Choy
 Ale Vesely
 Alejandro Alvarez
 Aleksandar Milivojevic
+Aleksey Tulinov
 Alessandro Ghedini
 Alessandro Vesely
 Alex Bligh
@@ -47,11 +48,13 @@ Amol Pattekar
 Amr Shahin
 Anatoli Tubman
 Anders Gustafsson
+Anders Havn
 Andi Jahja
 Andre Guibert de Bruet
 Andreas Damm
 Andreas Faerber
 Andreas Farber
+Andreas Malzahn
 Andreas Ntaflos
 Andreas Olsson
 Andreas Rieke
@@ -69,6 +72,7 @@ Andrew Kurushin
 Andrew Moise
 Andrew Wansink
 Andrew de los Reyes
+Andrii Moiseiev
 Andrés García
 Andy Cedilnik
 Andy Serpa
@@ -103,6 +107,7 @@ Ben Van Hof
 Ben Winslow
 Benbuck Nason
 Benjamin Gerard
+Benjamin Gilbert
 Benjamin Johnson
 Bernard Leak
 Bernhard Reutner-Fischer
@@ -136,6 +141,7 @@ Bruce Mitchener
 Bruno de Carvalho
 Bryan Henderson
 Bryan Kemp
+Byrial Jensen
 Cameron Kaiser
 Camille Moncelier
 Caolan McNamara
@@ -162,6 +168,7 @@ Christian Kurz
 Christian Robottom Reis
 Christian Schmitz
 Christian Vogt
+Christian Weisgerber
 Christophe Demory
 Christophe Legry
 Christopher Conroy
@@ -234,6 +241,7 @@ David Odin
 David Phillips
 David Rosenstrauch
 David Shaw
+David Strauss
 David Tarendash
 David Thiel
 David Wright
@@ -266,6 +274,7 @@ Douglas R. Horner
 Douglas Steinwand
 Dov Murik
 Duane Cathey
+Duncan
 Duncan Mac-Vicar Prett
 Dustin Boswell
 Dylan Ellicott
@@ -274,6 +283,7 @@ Early Ehlinger
 Ebenezer Ikonne
 Edin Kadribasic
 Eduard Bloch
+Edward Rudd
 Edward Sheldrake
 Eelco Dolstra
 Eetu Ojanen
@@ -291,15 +301,18 @@ Eric Lavigne
 Eric Melville
 Eric Mertens
 Eric Rautman
+Eric S. Raymond
 Eric Thelin
 Eric Vergnaud
 Eric Wong
 Eric Young
 Erick Nuwendam
+Erik Johansson
 Erwan Legrand
 Erwin Authried
 Eugene Kotlyarov
 Evan Jordan
+Evgeny Turnaev
 Eygene Ryabinkin
 Fabian Hiernaux
 Fabian Keil
@@ -364,6 +377,7 @@ Gwenole Beauchesne
 Götz Babin-Ebell
 Hamish Mackenzie
 Hang Kin Lau
+Hang Su
 Hanno Kranzhoff
 Hans Steegers
 Hans-Jurgen May
@@ -398,6 +412,7 @@ Immanuel Gregoire
 Ingmar Runge
 Ingo Ralf Blum
 Ingo Wilken
+Ishan SinghLevett
 Jack Zhang
 Jacky Lam
 Jacob Meuser
@@ -419,6 +434,7 @@ Jan Koen Annot
 Jan Kunder
 Jan Schaumann
 Jan Van Boghout
+Jared Jennings
 Jared Lundell
 Jari Sundell
 Jason Glasgow
@@ -433,6 +449,7 @@ Jean-Claude Chauve
 Jean-Francois Bertrand
 Jean-Louis Lemaire
 Jean-Marc Ranger
+Jean-Noel Rouvignac
 Jean-Philippe Barrette-LaPierre
 Jeff Connelly
 Jeff Johnson
@@ -470,6 +487,7 @@ John Bradshaw
 John Crow
 John Dennis
 John E. Malmberg
+John Gardiner Myers
 John Janssen
 John Joseph Bachir
 John Kelly
@@ -511,6 +529,7 @@ Julien Royer
 Jun-ichiro itojun Hagino
 Jurij Smakov
 Justin Fletcher
+Justin Karneges
 Jörg Mueller-Tolk
 Jörn Hartroth
 Kai Engert
@@ -544,6 +563,7 @@ Kimmo Kinnunen
 Kjell Ericson
 Kjetil Jacobsen
 Klevtsov Vadim
+Konstantin Isakov
 Kris Kennaway
 Krishnendu Majumdar
 Krister Johansen
@@ -556,6 +576,7 @@ Larry Fahnoe
 Lars Buitinck
 Lars Gustafsson
 Lars J. Aas
+Lars Johannesen
 Lars Nilsson
 Lars Torben Wilson
 Lau Hang Kin
@@ -578,6 +599,7 @@ Loren Kirkby
 Luca Altea
 Luca Alteas
 Lucas Adamski
+Ludovico Cavedon
 Lukasz Czekierda
 Luke Amery
 Luke Call
@@ -589,6 +611,7 @@ Mandy Wu
 Manfred Schwarb
 Manuel Massing
 Marc Boucher
+Marc Doughty
 Marc Hoersken
 Marc Kleine-Budde
 Marcel Raad
@@ -668,12 +691,14 @@ Michal Gorny
 Michal Kowalczyk
 Michal Marek
 Michele Bini
+Miguel Angel
 Mihai Ionescu
 Mikael Johansson
 Mikael Sennerholm
 Mike Bytnar
 Mike Crowe
 Mike Dobbs
+Mike Giancola
 Mike Hommey
 Mike Power
 Mike Protts
@@ -684,6 +709,7 @@ Mohamed Lrhazi
 Mohun Biswas
 Moonesamy
 Myk Taylor
+Nach M. S.
 Nathan Coulter
 Nathan O'Sullivan
 Nathanael Nerode
@@ -752,6 +778,7 @@ Pedro Neves
 Pete Su
 Peter Bray
 Peter Forret
+Peter Gal
 Peter Heuchert
 Peter Hjalmarsson
 Peter Korsgaard
@@ -804,6 +831,7 @@ Reinout van Schouwen
 Renato Botelho
 Renaud Chaillat
 Renaud Duhaut
+Renaud Guillard
 Rene Bernhardt
 Rene Rebe
 Reuven Wachtfogel
@@ -903,6 +931,7 @@ Stan van de Burgt
 Stanislav Ivochkin
 Stefan Esser
 Stefan Krause
+Stefan Neis
 Stefan Teleman
 Stefan Tomanek
 Stefan Ulrich
@@ -950,6 +979,7 @@ Tim Harder
 Tim Heckman
 Tim Newsome
 Tim Sneddon
+Timo Sirainen
 Tinus van den Berg
 Tobias Rundström
 Toby Peterson
@@ -1013,6 +1043,7 @@ Wez Furlong
 Wilfredo Sanchez
 Willem Sparreboom
 Wojciech Zwiefka
+Wouter Van Rooy
 Wu Yongzheng
 Xavier Bouchoux
 Yamada Yasuharu
@@ -1024,6 +1055,7 @@ Yuriy Sosov
 Yves Arrouye
 Yves Lejeune
 Zdenek Pavlas
+Zekun Ni
 Zmey Petroff
 Zvi Har'El
 nk

docs/TODO

@@ -16,8 +16,8 @@
  1.3 struct lifreq
  1.4 signal-based resolver timeouts
  1.5 get rid of PATH_MAX
- 1.6 progress callback without doubles
- 1.7 Happy Eyeball dual stack connect
+ 1.6 Happy Eyeball dual stack connect
+ 1.7 Modified buffer size approach
 
  2. libcurl - multi interface
  2.1 More non-blocking
@@ -157,16 +157,7 @@
  we need libssh2 to properly tell us when we pass in a too small buffer and
  its current API (as of libssh2 1.2.7) doesn't.
 
-1.6 progress callback without doubles
-
- The progress callback was introduced way back in the days and the choice to
- use doubles in the arguments was possibly good at the time. Today the doubles
- only confuse users and make the amounts less precise. We should introduce
- another progress callback option that take precedence over the old one and
- have both co-exist for a forseeable time until we can remove the double-using
- one.
-
-1.7 Happy Eyeball dual stack connect
+1.6 Happy Eyeball dual stack connect
 
  In order to make alternative technologies not suffer when transitioning, like
  when introducing IPv6 as an alternative to IPv4 and there are more than one
@@ -178,6 +169,28 @@
 
     http://tools.ietf.org/html/rfc6555
 
+1.7 Modified buffer size approach
+
+ Current libcurl allocates a fixed 16K size buffer for download and an
+ additional 16K for upload. They are always unconditionally part of the easy
+ handle. If CRLF translations are requested, an additional 32K "scratch
+ buffer" is allocated. A total of 64K transfer buffers in the worst case.
+
+ First, while the handles are not actually in use these buffers could be freed
+ so that lingering handles just kept in queues or whatever waste less memory.
+
+ Secondly, SFTP is a protocol that needs to handle many ~30K blocks at once
+ since each need to be individually acked and therefore libssh2 must be
+ allowed to send (or receive) many separate ones in parallel to achieve high
+ transfer speeds. A current libcurl build with a 16K buffer makes that
+ impossible, but one with a 512K buffer will reach MUCH faster transfers. But
+ allocating 512K unconditionally for all buffers just in case they would like
+ to do fast SFTP transfers at some point is not a good solution either.
+
+ Dynamically allocate buffer size depending on protocol in use in combination
+ with freeing it after each individual transfer? Other suggestions?
+
+
 2. libcurl - multi interface
 
 2.1 More non-blocking

docs/curl.1

@@ -103,6 +103,18 @@ any response data to the terminal.
 If you prefer a progress "bar" instead of the regular meter, \fI-#\fP is your
 friend.
 .SH OPTIONS
+Options start with one or two dashes. Many of the options require an addition
+value next to it.
+
+The short "single-dash" form of the options, -d for example, may be used with
+or without a space between it and its value, although a space is a recommended
+separator. The long "double-dash" form, --data for example, requires a space
+between it and its value.
+
+Short version options that don't need any additional values can be used
+immediately next to each other, like for example you can specify all the
+options -O, -L and -v at once as -OLv.
+
 In general, all boolean options are enabled with --\fBoption\fP and yet again
 disabled with --\fBno-\fPoption. That is, you use the exact same option name
 but prefix it with "no-". However, in this list we mostly only list and show
@@ -113,8 +125,14 @@ same command line option.)
 Make curl display progress as a simple progress bar instead of the standard,
 more informational, meter.
 .IP "-0, --http1.0"
-(HTTP) Forces curl to issue its requests using HTTP 1.0 instead of using its
-internally preferred: HTTP 1.1.
+(HTTP) Tells curl to use HTTP version 1.0 instead of using its internally
+preferred: HTTP 1.1.
+.IP "--http1.1"
+(HTTP) Tells curl to use HTTP version 1.1. This is the internal default
+version. (Added in 7.33.0)
+.IP "--http2.0"
+(HTTP) Tells curl to issue its requests using HTTP 2.0. This requires that the
+underlying libcurl was built to support it. (Added in 7.33.0)
 .IP "-1, --tlsv1"
 (SSL)
 Forces curl to use TLS version 1 when negotiating with a remote TLS server.
@@ -230,7 +248,9 @@ server sends an unsupported encoding, curl will report an error.
 .IP "--connect-timeout <seconds>"
 Maximum time in seconds that you allow the connection to the server to take.
 This only limits the connection phase, once curl has connected this option is
-of no more use. See also the \fI-m, --max-time\fP option.
+of no more use.  Since 7.32.0, this option accepts decimal values, but the
+actual timeout will decrease in accuracy as the specified timeout increases in
+decimal precision. See also the \fI-m, --max-time\fP option.
 
 If this option is used several times, the last one will be used.
 .IP "--create-dirs"
@@ -270,7 +290,8 @@ If you start the data with the letter @, the rest should be a file name to
 read the data from, or - if you want curl to read the data from stdin.  The
 contents of the file must already be URL-encoded. Multiple files can also be
 specified. Posting data from a file named 'foobar' would thus be done with
-\fI--data @foobar\fP.
+\fI--data\fP @foobar. When --data is told to read from a file like that,
+carriage returns and newlines will be stripped out.
 .IP "-D, --dump-header <file>"
 Write the protocol headers to the specified file.
 
@@ -292,7 +313,7 @@ whatsoever.
 
 If you start the data with the letter @, the rest should be a filename.  Data
 is posted in a similar manner as \fI--data-ascii\fP does, except that newlines
-are preserved and conversions are never done.
+and carriage returns are preserved and conversions are never done.
 
 If this option is used several times, the ones following the first will append
 data as described in \fI-d, --data\fP.
@@ -367,6 +388,39 @@ is an alias for \fB--disable-epsv\fP.
 
 Disabling EPSV only changes the passive behavior. If you want to switch to
 active mode you need to use \fI-P, --ftp-port\fP.
+.IP "--dns-interface <interface>"
+Tell curl to send outgoing DNS requests through <interface>. This option
+is a counterpart to \fI--interface\fP (which does not affect DNS). The
+supplied string must be an interface name (not an address).
+
+This option requires that libcurl was built with a resolver backend that
+supports this operation. The c-ares backend is the only such one. (Added in
+7.33.0)
+.IP "--dns-ipv4-addr <ip-address>"
+Tell curl to bind to <ip-address> when making IPv4 DNS requests, so that
+the DNS requests originate from this address. The argument should be a
+single IPv4 address.
+
+This option requires that libcurl was built with a resolver backend that
+supports this operation. The c-ares backend is the only such one.  (Added in
+7.33.0)
+.IP "--dns-ipv6-addr <ip-address>"
+Tell curl to bind to <ip-address> when making IPv6 DNS requests, so that
+the DNS requests originate from this address. The argument should be a
+single IPv6 address.
+
+This option requires that libcurl was built with a resolver backend that
+supports this operation. The c-ares backend is the only such one.  (Added in
+7.33.0)
+.IP "--dns-servers <ip-address,ip-address>"
+Set the list of DNS servers to be used instead of the system default.
+The list of IP addresses should be separated with commas. Port numbers
+may also optionally be given as \fI:<port-number>\fP after each IP
+address.
+
+This option requires that libcurl was built with a resolver backend that
+supports this operation. The c-ares backend is the only such one.  (Added in
+7.33.0)
 .IP "-e, --referer <URL>"
 (HTTP) Sends the "Referer Page" information to the HTTP server. This can also
 be set with the \fI-H, --header\fP flag of course.  When used with
@@ -378,7 +432,8 @@ If this option is used several times, the last one will be used.
 .IP "-E, --cert <certificate[:password]>"
 (SSL) Tells curl to use the specified client certificate file when getting a
 file with HTTPS, FTPS or another SSL-based protocol. The certificate must be
-in PEM format.  If the optional password isn't specified, it will be queried
+in PKCS#12 format if using Secure Transport, or PEM format if using any other
+engine.  If the optional password isn't specified, it will be queried
 for on the terminal. Note that this option assumes a \&"certificate" file that
 is the private key and the private certificate concatenated! See \fI--cert\fP
 and \fI--key\fP to specify them independently.
@@ -393,7 +448,11 @@ nickname contains ":", it needs to be preceded by "\\" so that it is not
 recognized as password delimiter.  If the nickname contains "\\", it needs to
 be escaped as "\\\\" so that it is not recognized as an escape character.
 
-(iOS and Mac OS X only) If curl is built against Secure Transport, then the certificate string must match the name of a certificate that's in the system or user keychain. The private key corresponding to the certificate, and certificate chain (if any),  must also be present in the keychain.
+(iOS and Mac OS X only) If curl is built against Secure Transport, then the
+certificate string can either be the name of a certificate/private key in the
+system or user keychain, or the path to a PKCS#12-encoded certificate and
+private key. If you want to use a file from the current directory, please
+precede it with "./" prefix, in order to avoid confusion with a nickname.
 
 If this option is used several times, the last one will be used.
 .IP "--engine <name>"
@@ -810,7 +869,10 @@ Basic authentication).
 .IP "-m, --max-time <seconds>"
 Maximum time in seconds that you allow the whole operation to take.  This is
 useful for preventing your batch jobs from hanging for hours due to slow
-networks or links going down.  See also the \fI--connect-timeout\fP option.
+networks or links going down.  Since 7.32.0, this option accepts decimal
+values, but the actual timeout will decrease in accuracy as the specified
+timeout increases in decimal precision.  See also the \fI--connect-timeout\fP
+option.
 
 If this option is used several times, the last one will be used.
 .IP "--mail-auth <address>"
@@ -992,6 +1054,14 @@ you want the file saved in a different directory, make sure you change current
 working directory before you invoke curl with the \fB-O, --remote-name\fP flag!
 
 You may use this option as many times as the number of URLs you have.
+.IP "--oauth2-bearer"
+(IMAP/POP3/SMTP) Specify the Bearer Token for OAUTH 2.0 server authentication.
+The Bearer Token is used in conjuction with the user name which can be
+specified as part of the \fI--url\fP or \fI-u, --user\fP options.
+
+The Bearer Token and user name are formatted according to RFC 6750.
+
+If this option is used several times, the last one will be used.
 .IP "-p, --proxytunnel"
 When an HTTP proxy is used (\fI-x, --proxy\fP), this option will cause non-HTTP
 protocols to attempt to tunnel through the proxy instead of merely using it to
@@ -1043,6 +1113,13 @@ ubiquitous in web browsers, so curl does the conversion by default to maintain
 consistency. However, a server may require a POST to remain a POST after such
 a redirection. This option is meaningful only when using \fI-L, --location\fP
 (Added in 7.19.1)
+.IP "--post303"
+(HTTP) Tells curl to respect RFC 2616/10.3.2 and not convert POST requests
+into GET requests when following a 303 redirection. The non-RFC behaviour is
+ubiquitous in web browsers, so curl does the conversion by default to maintain
+consistency. However, a server may require a POST to remain a POST after such
+a redirection. This option is meaningful only when using \fI-L, --location\fP
+(Added in 7.26.0)
 .IP "--proto <protocols>"
 Tells curl to use the listed protocols for its initial retrieval. Protocols
 are evaluated left to right, are comma separated, and are each a protocol
@@ -1280,6 +1357,9 @@ If this option is used several times, the last one will be used.
 Silent or quiet mode. Don't show progress meter or error messages.  Makes Curl
 mute. It will still output the data you ask for, potentially even to the
 terminal/stdout unless you redirect it.
+.IP "--sasl-ir"
+Enable initial response in SASL authentication.
+(Added in 7.31.0)
 .IP "-S, --show-error"
 When used with \fI-s\fP it makes curl show an error message if it fails.
 .IP "--ssl"
@@ -1455,16 +1535,23 @@ If this option is used several times, the last one will be used.
 .IP "--trace-time"
 Prepends a time stamp to each trace or verbose line that curl displays.
 (Added in 7.14.0)
-.IP "-u, --user <user:password>"
-Specify the user name and password to use for server authentication. Overrides
-\fI-n, --netrc\fP and \fI--netrc-optional\fP.
+.IP "-u, --user <user:password;options>"
+Specify the user name, password and optional login options to use for server
+authentication. Overrides \fI-n, --netrc\fP and \fI--netrc-optional\fP.
 
-If you just give the user name (without entering a colon) curl will prompt for
-a password.
+If you simply specify the user name, with or without the login options, curl
+will prompt for a password.
 
-If you use an SSPI-enabled curl binary and do NTLM authentication, you can
-force curl to pick up the user name and password from your environment by
-simply specifying a single colon with this option: "-u :".
+If you use an SSPI-enabled curl binary and perform NTLM authentication, you
+can force curl to select the user name and password from your environment by
+simply specifying a single colon with this option: "-u :" or by specfying the
+login options on their own, for example "-u ;auth=NTLM".
+
+You can use the optional login options part to specify protocol specific
+options that may be used during authentication. At present only IMAP, POP3 and
+SMTP support login options as part of the user login information. For more
+information about the login options please see RFC 2384, RFC 5092 and IETF
+draft draft-earhart-url-smtp-00.txt (Added in 7.31.0). 
 
 If this option is used several times, the last one will be used.
 .IP "-U, --proxy-user <user:password>"
@@ -1625,8 +1712,16 @@ to follow location: headers.
 
 If this option is used several times, the last one will be used.
 .IP "-x, --proxy <[protocol://][user:password@]proxyhost[:port]>"
-Use the specified HTTP proxy. If the port number is not specified, it is
-assumed at port 1080.
+Use the specified proxy.
+
+The proxy string can be specified with a protocol:// prefix to specify
+alternative proxy protocols. Use socks4://, socks4a://, socks5:// or
+socks5h:// to request the specific SOCKS version to be used. No protocol
+specified, http:// and all others will be treated as HTTP proxies. (The
+protocol support was added in curl 7.21.7)
+
+If the port number is not specified in the proxy string, it is assumed to be
+1080.
 
 This option overrides existing environment variables that set the proxy to
 use. If there's an environment variable setting a proxy, you can set proxy to
@@ -1645,11 +1740,6 @@ The proxy host can be specified the exact same way as the proxy environment
 variables, including the protocol prefix (http://) and the embedded user +
 password.
 
-From 7.21.7, the proxy string may be specified with a protocol:// prefix to
-specify alternative proxy protocols. Use socks4://, socks4a://, socks5:// or
-socks5h:// to request the specific SOCKS version to be used. No protocol
-specified, http:// and all others will be treated as HTTP proxies.
-
 If this option is used several times, the last one will be used.
 .IP "-X, --request <command>"
 (HTTP) Specifies a custom request method to use when communicating with the
@@ -1675,7 +1765,7 @@ If this option is used several times, the last one will be used.
 
 .IP "--xattr"
 When saving output to a file, this option tells curl to store certain file
-metadata in extened file attributes. Currently, the URL is stored in the
+metadata in extended file attributes. Currently, the URL is stored in the
 xdg.origin.url attribute and, for HTTP, the content type is stored in
 the mime_type attribute. If the file system does not support extended
 attributes, a warning is issued.
@@ -1695,7 +1785,7 @@ speed-time seconds it gets aborted. speed-time is set with \fI-y\fP and is 30
 if not set.
 
 If this option is used several times, the last one will be used.
-.IP "-z/--time-cond <date expression>|<file>"
+.IP "-z, --time-cond <date expression>|<file>"
 (HTTP/FTP) Request a file that has been modified later than the given time and
 date, or one that has been modified before that time. The <date expression>
 can be all sorts of date strings or if it doesn't match any internal ones, it

docs/examples/Makefile.inc

@@ -5,8 +5,7 @@ check_PROGRAMS = 10-at-a-time anyauthput cookie_interface debug fileupload \
   persistant post-callback postit2 sepheaders simple simplepost simplessl  \
   sendrecv httpcustomheader certinfo chkspeed ftpgetinfo ftp-wildcard \
   smtp-multi simplesmtp smtp-tls rtsp externalsocket resolve \
-  progressfunc pop3s pop3slist imap url2file sftpget ftpsget \
-  usercertinmem
+  progressfunc pop3s pop3slist imap url2file sftpget ftpsget postinmemory
 
 # These examples require external dependencies that may not be commonly
 # available on POSIX systems, so don't bother attempting to compile them here.
@@ -14,4 +13,4 @@ COMPLICATED_EXAMPLES = curlgtk.c curlx.c htmltitle.cpp cacertinmem.c	   \
   ftpuploadresume.c ghiper.c hiperfifo.c htmltidy.c multithread.c	   \
   opensslthreadlock.c sampleconv.c synctime.c threaded-ssl.c evhiperfifo.c \
   smooth-gtk-thread.c version-check.pl href_extractor.c asiohiper.cpp \
-  multi-uv.c xmlstream.c
+  multi-uv.c xmlstream.c usercertinmem.c

docs/examples/getinmemory.c

@@ -5,7 +5,7 @@
  *                            | (__| |_| |  _ <| |___
  *                             \___|\___/|_| \_\_____|
  *
- * Copyright (C) 1998 - 2011, Daniel Stenberg, <daniel@haxx.se>, et al.
+ * Copyright (C) 1998 - 2013, Daniel Stenberg, <daniel@haxx.se>, et al.
  *
  * This software is licensed as described in the file COPYING, which
  * you should have received as part of this distribution. The terms
@@ -98,10 +98,6 @@ int main(void)
      * bytes big and contains the remote file.
      *
      * Do something nice with it!
-     *
-     * You should be aware of the fact that at this point we might have an
-     * allocated data block, and nothing has yet deallocated that data. So when
-     * you're done with it, you should free() it as a nice application.
      */
 
     printf("%lu bytes retrieved\n", (long)chunk.size);

docs/examples/postinmemory.c

@@ -0,0 +1,111 @@
+/***************************************************************************
+ *                                  _   _ ____  _
+ *  Project                     ___| | | |  _ \| |
+ *                             / __| | | | |_) | |
+ *                            | (__| |_| |  _ <| |___
+ *                             \___|\___/|_| \_\_____|
+ *
+ * Copyright (C) 1998 - 2013, Daniel Stenberg, <daniel@haxx.se>, et al.
+ *
+ * This software is licensed as described in the file COPYING, which
+ * you should have received as part of this distribution. The terms
+ * are also available at http://curl.haxx.se/docs/copyright.html.
+ *
+ * You may opt to use, copy, modify, merge, publish, distribute and/or sell
+ * copies of the Software, and permit persons to whom the Software is
+ * furnished to do so, under the terms of the COPYING file.
+ *
+ * This software is distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY
+ * KIND, either express or implied.
+ *
+ ***************************************************************************/
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <curl/curl.h>
+
+struct MemoryStruct {
+  char *memory;
+  size_t size;
+};
+
+static size_t
+WriteMemoryCallback(void *contents, size_t size, size_t nmemb, void *userp)
+{
+  size_t realsize = size * nmemb;
+  struct MemoryStruct *mem = (struct MemoryStruct *)userp;
+
+  mem->memory = realloc(mem->memory, mem->size + realsize + 1);
+  if(mem->memory == NULL) {
+    /* out of memory! */
+    printf("not enough memory (realloc returned NULL)\n");
+    return 0;
+  }
+
+  memcpy(&(mem->memory[mem->size]), contents, realsize);
+  mem->size += realsize;
+  mem->memory[mem->size] = 0;
+
+  return realsize;
+}
+
+int main(void)
+{
+  CURL *curl;
+  CURLcode res;
+  struct MemoryStruct chunk;
+  static const char *postthis="Field=1&Field=2&Field=3";
+
+  chunk.memory = malloc(1);  /* will be grown as needed by realloc above */
+  chunk.size = 0;    /* no data at this point */
+
+  curl_global_init(CURL_GLOBAL_ALL);
+  curl = curl_easy_init();
+  if(curl) {
+
+    curl_easy_setopt(curl, CURLOPT_URL, "http://www.example.org/");
+
+    /* send all data to this function  */
+    curl_easy_setopt(curl, CURLOPT_WRITEFUNCTION, WriteMemoryCallback);
+
+    /* we pass our 'chunk' struct to the callback function */
+    curl_easy_setopt(curl, CURLOPT_WRITEDATA, (void *)&chunk);
+
+    /* some servers don't like requests that are made without a user-agent
+       field, so we provide one */
+    curl_easy_setopt(curl, CURLOPT_USERAGENT, "libcurl-agent/1.0");
+
+    curl_easy_setopt(curl, CURLOPT_POSTFIELDS, postthis);
+
+    /* if we don't provide POSTFIELDSIZE, libcurl will strlen() by
+       itself */
+    curl_easy_setopt(curl, CURLOPT_POSTFIELDSIZE, (long)strlen(postthis));
+
+    /* Perform the request, res will get the return code */
+    res = curl_easy_perform(curl);
+    /* Check for errors */
+    if(res != CURLE_OK) {
+      fprintf(stderr, "curl_easy_perform() failed: %s\n",
+              curl_easy_strerror(res));
+    }
+    else {
+      /*
+       * Now, our chunk.memory points to a memory block that is chunk.size
+       * bytes big and contains the remote file.
+       *
+       * Do something nice with it!
+       */
+      printf("%s\n",chunk.memory);
+    }
+
+    /* always cleanup */
+    curl_easy_cleanup(curl);
+
+    if(chunk.memory)
+      free(chunk.memory);
+
+    /* we're done with libcurl, so clean it up */
+    curl_global_cleanup();
+  }
+  return 0;
+}

docs/examples/progressfunc.c

@@ -5,7 +5,7 @@
  *                            | (__| |_| |  _ <| |___
  *                             \___|\___/|_| \_\_____|
  *
- * Copyright (C) 1998 - 2011, Daniel Stenberg, <daniel@haxx.se>, et al.
+ * Copyright (C) 1998 - 2013, Daniel Stenberg, <daniel@haxx.se>, et al.
  *
  * This software is licensed as described in the file COPYING, which
  * you should have received as part of this distribution. The terms
@@ -30,9 +30,10 @@ struct myprogress {
   CURL *curl;
 };
 
-static int progress(void *p,
-                    double dltotal, double dlnow,
-                    double ultotal, double ulnow)
+/* this is how the CURLOPT_XFERINFOFUNCTION callback works */
+static int xferinfo(void *p,
+                    curl_off_t dltotal, curl_off_t dlnow,
+                    curl_off_t ultotal, curl_off_t ulnow)
 {
   struct myprogress *myp = (struct myprogress *)p;
   CURL *curl = myp->curl;
@@ -48,7 +49,9 @@ static int progress(void *p,
     fprintf(stderr, "TOTAL TIME: %f \r\n", curtime);
   }
 
-  fprintf(stderr, "UP: %g of %g  DOWN: %g of %g\r\n",
+  fprintf(stderr, "UP: %" CURL_FORMAT_CURL_OFF_T " of %" CURL_FORMAT_CURL_OFF_T
+          "  DOWN: %" CURL_FORMAT_CURL_OFF_T " of %" CURL_FORMAT_CURL_OFF_T
+          "\r\n",
           ulnow, ultotal, dlnow, dltotal);
 
   if(dlnow > STOP_DOWNLOAD_AFTER_THIS_MANY_BYTES)
@@ -56,6 +59,19 @@ static int progress(void *p,
   return 0;
 }
 
+/* for libcurl older than 7.32.0 (CURLOPT_PROGRESSFUNCTION) */
+static int older_progress(void *p,
+                          double dltotal, double dlnow,
+                          double ultotal, double ulnow)
+{
+  return xferinfo(p,
+                  (curl_off_t)dltotal,
+                  (curl_off_t)dlnow,
+                  (curl_off_t)ultotal,
+                  (curl_off_t)ulnow);
+}
+
+
 int main(void)
 {
   CURL *curl;
@@ -68,9 +84,28 @@ int main(void)
     prog.curl = curl;
 
     curl_easy_setopt(curl, CURLOPT_URL, "http://example.com/");
-    curl_easy_setopt(curl, CURLOPT_PROGRESSFUNCTION, progress);
+
+    curl_easy_setopt(curl, CURLOPT_PROGRESSFUNCTION, older_progress);
     /* pass the struct pointer into the progress function */
     curl_easy_setopt(curl, CURLOPT_PROGRESSDATA, &prog);
+
+#if LIBCURL_VERSION_NUM >= 0x072000
+    /* xferinfo was introduced in 7.32.0, no earlier libcurl versions will
+       compile as they won't have the symbols around.
+
+       If built with a newer libcurl, but running with an older libcurl:
+       curl_easy_setopt() will fail in run-time trying to set the new
+       callback, making the older callback get used.
+
+       New libcurls will prefer the new callback and instead use that one even
+       if both callbacks are set. */
+
+    curl_easy_setopt(curl, CURLOPT_XFERINFOFUNCTION, xferinfo);
+    /* pass the struct pointer into the xferinfo function, note that this is
+       an alias to CURLOPT_PROGRESSDATA */
+    curl_easy_setopt(curl, CURLOPT_XFERINFODATA, &prog);
+#endif
+
     curl_easy_setopt(curl, CURLOPT_NOPROGRESS, 0L);
     res = curl_easy_perform(curl);
 

docs/libcurl/curl_easy_getinfo.3

@@ -232,7 +232,7 @@ Pass a pointer to a char pointer to receive a pointer to a string holding the
 most recent RTSP Session ID.
 
 Applications wishing to resume an RTSP session on another connection should
-retreive this info before closing the active connection.
+retrieve this info before closing the active connection.
 .IP CURLINFO_RTSP_CLIENT_CSEQ
 Pass a pointer to a long to receive the next CSeq that will be used by the
 application.
@@ -244,7 +244,7 @@ by the application.
 unimplemented).\fP
 
 Applications wishing to resume an RTSP session on another connection should
-retreive this info before closing the active connection.
+retrieve this info before closing the active connection.
 .IP CURLINFO_RTSP_CSEQ_RECV
 Pass a pointer to a long to receive the most recently received CSeq from the
 server. If your application encounters a \fICURLE_RTSP_CSEQ_ERROR\fP then you

docs/libcurl/curl_easy_pause.3

@@ -5,7 +5,7 @@
 .\" *                            | (__| |_| |  _ <| |___
 .\" *                             \___|\___/|_| \_\_____|
 .\" *
-.\" * Copyright (C) 1998 - 2011, Daniel Stenberg, <daniel@haxx.se>, et al.
+.\" * Copyright (C) 1998 - 2013, Daniel Stenberg, <daniel@haxx.se>, et al.
 .\" *
 .\" * This software is licensed as described in the file COPYING, which
 .\" * you should have received as part of this distribution. The terms
@@ -38,8 +38,11 @@ that returns pause signals to the library that it couldn't take care of any
 data at all, and that data will then be delivered again to the callback when
 the writing is later unpaused.
 
-NOTE: while it may feel tempting, take care and notice that you cannot call
-this function from another thread.
+While it may feel tempting, take care and notice that you cannot call this
+function from another thread. To unpause, you may for example call it from the
+progress callback (see \fIcurl_easy_setopt(3)\fP's
+\fICURLOPT_PROGRESSFUNCTION\fP), which gets called at least once per second,
+even if the connection is paused.
 
 When this function is called to unpause reading, the chance is high that you
 will get your write callback called before this function returns.
@@ -68,6 +71,18 @@ code means something wrong occurred after the new state was set.  See the
 .SH AVAILABILITY
 This function was added in libcurl 7.18.0. Before this version, there was no
 explicit support for pausing transfers.
+.SH "USAGE WITH THE MULTI-SOCKET INTERFACE"
+Before libcurl 7.32.0, when a specific handle was unpaused with this function,
+there was no particular forced rechecking or similar of the socket's state,
+which made the continuation of the transfer get delayed until next
+multi-socket call invoke or even longer. Alternatively, the user could
+forcibly call for example curl_multi_socket_all(3) - with a rather hefty
+performance penalty.
+
+Starting in libcurl 7.32.0, unpausing a transfer will schedule a timeout
+trigger for that handle 1 millisecond into the future, so that a
+curl_multi_socket_action( ... CURL_SOCKET_TIMEOUT) can be used immediately
+afterwards to get the transfer going again as desired.
 .SH "MEMORY USE"
 When pausing a read by returning the magic return code from a write callback,
 the read data is already in libcurl's internal buffers so it'll have to keep

docs/libcurl/curl_easy_setopt.3

@@ -260,9 +260,9 @@ used to fast forward a file in a resumed upload (instead of reading all
 uploaded bytes with the normal read function/callback). It is also called to
 rewind a stream when doing a HTTP PUT or POST with a multi-pass authentication
 method. The function shall work like "fseek" or "lseek" and accepted SEEK_SET,
-SEEK_CUR and SEEK_END as argument for origin, although (in 7.18.0) libcurl
-only passes SEEK_SET. The callback must return 0 (CURL_SEEKFUNC_OK) on
-success, 1 (CURL_SEEKFUNC_FAIL) to cause the upload operation to fail or 2
+SEEK_CUR and SEEK_END as argument for origin, although libcurl currently only
+passes SEEK_SET. The callback must return 0 (CURL_SEEKFUNC_OK) on success, 1
+(CURL_SEEKFUNC_FAIL) to cause the upload operation to fail or 2
 (CURL_SEEKFUNC_CANTSEEK) to indicate that while the seek failed, libcurl is
 free to work around the problem if possible. The latter can sometimes be done
 by instead reading from the input or similar.
@@ -377,10 +377,54 @@ function that performs transfers.
 
 \fICURLOPT_NOPROGRESS\fP must be set to 0 to make this function actually
 get called.
+.IP CURLOPT_XFERINFOFUNCTION
+Pass a pointer to a function that matches the following prototype:
+
+.nf
+\fBint function(void *clientp, curl_off_t dltotal, curl_off_t dlnow,
+                curl_off_t ultotal, curl_off_t ulnow);\fP
+.fi
+
+This function gets called by libcurl instead of its internal equivalent with a
+frequent interval. While data is being transferred it will be called very
+frequently, and during slow periods like when nothing is being transferred it
+can slow down to about one call per second.
+
+\fIclientp\fP is the pointer set with \fICURLOPT_XFERINFODATA\fP, it is only
+passed along from the application to the callback.
+
+The callback gets told how much data libcurl will transfer and has
+transferred, in number of bytes. \fIdltotal\fP is the total number of bytes
+libcurl expects to download in this transfer. \fIdlnow\fP is the number of
+bytes downloaded so far. \fIultotal\fP is the total number of bytes libcurl
+expects to upload in this transfer. \fIulnow\fP is the number of bytes
+uploaded so far.
+
+Unknown/unused argument values passed to the callback will be set to zero
+(like if you only download data, the upload size will remain 0). Many times
+the callback will be called one or more times first, before it knows the data
+sizes so a program must be made to handle that.
+
+Returning a non-zero value from this callback will cause libcurl to abort the
+transfer and return \fICURLE_ABORTED_BY_CALLBACK\fP.
+
+If you transfer data with the multi interface, this function will not be
+called during periods of idleness unless you call the appropriate libcurl
+function that performs transfers.
+
+\fICURLOPT_NOPROGRESS\fP must be set to 0 to make this function actually
+get called.
+
+(Added in 7.32.0)
 .IP CURLOPT_PROGRESSDATA
 Pass a pointer that will be untouched by libcurl and passed as the first
 argument in the progress callback set with \fICURLOPT_PROGRESSFUNCTION\fP.
 The default value of this parameter is unspecified.
+.IP CURLOPT_XFERINFODATA
+Pass a pointer that will be untouched by libcurl and passed as the first
+argument in the progress callback set with \fICURLOPT_XFERINFOFUNCTION\fP.
+The default value of this parameter is unspecified. This option is an alias
+for CURLOPT_PROGRESSDATA. (Added in 7.32.0)
 .IP CURLOPT_HEADERFUNCTION
 Pass a pointer to a function that matches the following prototype:
 \fBsize_t function( void *ptr, size_t size, size_t nmemb, void
@@ -847,6 +891,19 @@ Active Directory server.
 For more information about the individual components of a LDAP URL please
 see RFC4516.
 
+.B RTMP
+
+There's no official URL spec for RTMP so libcurl uses the URL syntax supported
+by the underlying librtmp library. It has a syntax where it wants a
+traditional URL, followed by a space and a series of space-separated
+name=value pairs.
+
+While space is not typically a "legal" letter, libcurl accepts them. When a
+user wants to pass in a '#' (hash) character it will be treated as a fragment
+and get cut off by libcurl if provided literally. You will instead have to
+escape it by providing it as backslash and its ASCII value in hexadecimal:
+"\\23".
+
 .B NOTES
 
 Starting with version 7.20.0, the fragment part of the URI will not be sent as
@@ -1245,6 +1302,13 @@ mechanisms and to the IMAP, POP3 and SMTP protocols. (Added in 7.31.0)
 Note: Whilst IMAP supports this option there is no need to explicitly set it,
 as libcurl can determine the feature itself when the server supports the
 SASL-IR CAPABILITY.
+.IP CURLOPT_BEARER
+Pass a char * as parameter, which should point to the zero terminated OAUTH
+2.0 Bearer Access Token for use with IMAP. POP3 and SMTP servers that support
+the OAUTH 2.0 Authorization Framework. (Added in 7.33.0)
+
+Note: The user name used to generate the Bearer Token should be supplied via
+the \fICURLOPT_USERNAME\fP option.
 .SH HTTP OPTIONS
 .IP CURLOPT_AUTOREFERER
 Pass a parameter set to 1 to enable this. When enabled, libcurl will
@@ -2098,10 +2162,14 @@ In unix-like systems, this might cause signals to be used unless
 
 Default timeout is 0 (zero) which means it never times out.
 .IP CURLOPT_TIMEOUT_MS
-Like \fICURLOPT_TIMEOUT\fP but takes number of milliseconds instead. If
-libcurl is built to use the standard system name resolver, that portion
-of the transfer will still use full-second resolution for timeouts with
-a minimum timeout allowed of one second.
+An alternative to \fICURLOPT_TIMEOUT\fP but takes number of milliseconds
+instead. If libcurl is built to use the standard system name resolver, that
+portion of the transfer will still use full-second resolution for timeouts
+with a minimum timeout allowed of one second.
+
+If both \fICURLOPT_TIMEOUT\fP and \fICURLOPT_TIMEOUT_MS\fP are set, the value
+set last will be used.
+
 (Added in 7.16.2)
 .IP CURLOPT_LOW_SPEED_LIMIT
 Pass a long as parameter. It contains the transfer speed in bytes per second
@@ -2247,6 +2315,36 @@ This option requires that libcurl was built with a resolver backend that
 supports this operation. The c-ares backend is the only such one.
 
 (Added in 7.24.0)
+.IP CURLOPT_DNS_INTERFACE
+Pass a char * as parameter. Set the name of the network interface that
+the DNS resolver should bind to. This must be an interface name (not an
+address). Set this option to NULL to use the default setting (don't
+bind to a specific interface).
+
+This option requires that libcurl was built with a resolver backend that
+supports this operation. The c-ares backend is the only such one.
+
+(Added in 7.33.0)
+.IP CURLOPT_DNS_LOCAL_IP4
+Set the local IPv4 address that the resolver should bind to. The argument
+should be of type char * and contain a single IPv4 address as a string.
+Set this option to NULL to use the default setting (don't
+bind to a specific IP address).
+
+This option requires that libcurl was built with a resolver backend that
+supports this operation. The c-ares backend is the only such one.
+
+(Added in 7.33.0)
+.IP CURLOPT_DNS_LOCAL_IP6
+Set the local IPv6 address that the resolver should bind to. The argument
+should be of type char * and contain a single IPv6 address as a string.
+Set this option to NULL to use the default setting (don't
+bind to a specific IP address).
+
+This option requires that libcurl was built with a resolver backend that
+supports this operation. The c-ares backend is the only such one.
+
+(Added in 7.33.0)
 .IP CURLOPT_ACCEPTTIMEOUT_MS
 Pass a long telling libcurl the maximum number of milliseconds to wait for a
 server to connect back to libcurl when an active FTP connection is used. If no
@@ -2254,22 +2352,20 @@ timeout is set, the internal default of 60000 will be used. (Added in 7.24.0)
 .SH SSL and SECURITY OPTIONS
 .IP CURLOPT_SSLCERT
 Pass a pointer to a zero terminated string as parameter. The string should be
-the file name of your certificate. The default format is "PEM" and can be
-changed with \fICURLOPT_SSLCERTTYPE\fP.
+the file name of your certificate. The default format is "P12" on Secure
+Transport and "PEM" on other engines, and can be changed with
+\fICURLOPT_SSLCERTTYPE\fP.
 
-With NSS this can also be the nickname of the certificate you wish to
-authenticate with. If you want to use a file from the current directory, please
-precede it with "./" prefix, in order to avoid confusion with a nickname.
-
-(iOS and Mac OS X only) With Secure Transport, this string must match the name
-of a certificate that's in the system or user keychain. You should encode this
-string in UTF-8 format in case it contains non-ASCII characters. The private
-key corresponding to the certificate, and certificate chain (if any),  must
-also be present in the keychain. (Added in 7.31.0)
+With NSS or Secure Transport, this can also be the nickname of the certificate
+you wish to authenticate with as it is named in the security database. If you
+want to use a file from the current directory, please precede it with "./"
+prefix, in order to avoid confusion with a nickname.
 .IP CURLOPT_SSLCERTTYPE
 Pass a pointer to a zero terminated string as parameter. The string should be
-the format of your certificate. Supported formats are "PEM" and "DER".  (Added
-in 7.9.3)
+the format of your certificate. Supported formats are "PEM" and "DER", except
+with Secure Transport. OpenSSL (versions 0.9.3 and later) and Secure Transport
+(on iOS 5 or later, or OS X 10.6 or later) also support "P12" for
+PKCS#12-encoded files. (Added in 7.9.3)
 .IP CURLOPT_SSLKEY
 Pass a pointer to a zero terminated string as parameter. The string should be
 the file name of your private key. The default format is "PEM" and can be
@@ -2277,7 +2373,7 @@ changed with \fICURLOPT_SSLKEYTYPE\fP.
 
 (iOS and Mac OS X only) This option is ignored if curl was built against Secure
 Transport. Secure Transport expects the private key to be already present in
-the keychain containing the certificate.
+the keychain or PKCS#12 file containing the certificate.
 .IP CURLOPT_SSLKEYTYPE
 Pass a pointer to a zero terminated string as parameter. The string should be
 the format of your private key. Supported formats are "PEM", "DER" and "ENG".

docs/libcurl/curl_multi_add_handle.3

@@ -5,7 +5,7 @@
 .\" *                            | (__| |_| |  _ <| |___
 .\" *                             \___|\___/|_| \_\_____|
 .\" *
-.\" * Copyright (C) 1998 - 2011, Daniel Stenberg, <daniel@haxx.se>, et al.
+.\" * Copyright (C) 1998 - 2013, Daniel Stenberg, <daniel@haxx.se>, et al.
 .\" *
 .\" * This software is licensed as described in the file COPYING, which
 .\" * you should have received as part of this distribution. The terms
@@ -29,9 +29,9 @@ CURLMcode curl_multi_add_handle(CURLM *multi_handle, CURL *easy_handle);
 .ad
 .SH DESCRIPTION
 Adds a standard easy handle to the multi stack. This function call will make
-this \fImulti_handle\fP control the specified \fIeasy_handle\fP.
-Furthermore, libcurl now initiates the connection associated with the
-specified \fIeasy_handle\fP.
+this \fImulti_handle\fP control the specified \fIeasy_handle\fP.  Furthermore,
+libcurl now initiates the connection associated with the specified
+\fIeasy_handle\fP.
 
 When an easy handle has been added to a multi stack, you can not and you must
 not use \fIcurl_easy_perform(3)\fP on that handle!
@@ -41,6 +41,12 @@ cache (CURLOPT_DNS_USE_GLOBAL_CACHE), it will be made to use the DNS cache
 that is shared between all easy handles within the multi handle when
 \fIcurl_multi_add_handle(3)\fP is called.
 
+If you have CURLMOPT_TIMERFUNCTION set in the multi handle (and you really
+should if you're working event-based with \fIcurl_multi_socket_action(3)\fP
+and friends), that callback will be called from within this function to ask
+for an updated timer so that your main event loop will get the activity on
+this handle to get started.
+
 The easy handle will remain added until you remove it again with
 \fIcurl_multi_remove_handle(3)\fP. You should remove the easy handle from the
 multi stack before you terminate first the easy handle and then the multi

docs/libcurl/libcurl-errors.3

@@ -5,7 +5,7 @@
 .\" *                            | (__| |_| |  _ <| |___
 .\" *                             \___|\___/|_| \_\_____|
 .\" *
-.\" * Copyright (C) 1998 - 2012, Daniel Stenberg, <daniel@haxx.se>, et al.
+.\" * Copyright (C) 1998 - 2013, Daniel Stenberg, <daniel@haxx.se>, et al.
 .\" *
 .\" * This software is licensed as described in the file COPYING, which
 .\" * you should have received as part of this distribution. The terms
@@ -273,6 +273,9 @@ The passed-in socket is not a valid one that libcurl already knows about.
 .IP "CURLM_UNKNOWN_OPTION (6)"
 curl_multi_setopt() with unsupported option
 (Added in 7.15.4)
+.IP "CURLM_ADDED_ALREADY (7)"
+An easy handle already added to a multi handle was attempted to get added a
+second time. (Added in 7.32.1)
 .SH "CURLSHcode"
 The "share" interface will return a CURLSHcode to indicate when an error has
 occurred.  Also consider \fIcurl_share_strerror(3)\fP.

docs/libcurl/libcurl.3

@@ -5,7 +5,7 @@
 .\" *                            | (__| |_| |  _ <| |___
 .\" *                             \___|\___/|_| \_\_____|
 .\" *
-.\" * Copyright (C) 1998 - 2011, Daniel Stenberg, <daniel@haxx.se>, et al.
+.\" * Copyright (C) 1998 - 2013, Daniel Stenberg, <daniel@haxx.se>, et al.
 .\" *
 .\" * This software is licensed as described in the file COPYING, which
 .\" * you should have received as part of this distribution. The terms
@@ -39,8 +39,15 @@ maintain while using libcurl.  This essentially means you call
 for details.
 
 To transfer files, you always set up an "easy handle" using
-\fIcurl_easy_init(3)\fP, but when you want the file(s) transferred you have
-the option of using the "easy" interface, or the "multi" interface.
+\fIcurl_easy_init(3)\fP for a single specific transfer (in either
+direction). You then set your desired set of options in that handle with
+\fIcurk_easy_setopt(3)\fP. Options you set with \fIcurl_easy_setopt(3)\fP will
+be used on every repeated use of this handle until you either call the
+function again and change the option, or you reset them all with
+\fIcurl_easy_reset(3)\fP.
+
+To actually transfer data you have the option of using the "easy" interface,
+or the "multi" interface.
 
 The easy interface is a synchronous interface with which you call
 \fIcurl_easy_perform(3)\fP and let it perform the transfer. When it is
@@ -51,7 +58,8 @@ The multi interface on the other hand is an asynchronous interface, that you
 call and that performs only a little piece of the transfer on each invoke. It
 is perfect if you want to do things while the transfer is in progress, or
 similar. The multi interface allows you to select() on libcurl action, and
-even to easily download multiple files simultaneously using a single thread. See further details in the \fIlibcurl-multi(3)\fP man page.
+even to easily download multiple files simultaneously using a single
+thread. See further details in the \fIlibcurl-multi(3)\fP man page.
 
 You can have multiple easy handles share certain data, even if they are used
 in different threads. This magic is setup using the share interface, as
@@ -115,19 +123,21 @@ Persistent connections means that libcurl can re-use the same connection for
 several transfers, if the conditions are right.
 
 libcurl will \fBalways\fP attempt to use persistent connections. Whenever you
-use \fIcurl_easy_perform(3)\fP or \fIcurl_multi_perform(3)\fP, libcurl will
-attempt to use an existing connection to do the transfer, and if none exists
-it'll open a new one that will be subject for re-use on a possible following
-call to \fIcurl_easy_perform(3)\fP or \fIcurl_multi_perform(3)\fP.
+use \fIcurl_easy_perform(3)\fP or \fIcurl_multi_perform(3)\fP etc, libcurl
+will attempt to use an existing connection to do the transfer, and if none
+exists it'll open a new one that will be subject for re-use on a possible
+following call to \fIcurl_easy_perform(3)\fP or \fIcurl_multi_perform(3)\fP.
 
 To allow libcurl to take full advantage of persistent connections, you should
-do as many of your file transfers as possible using the same curl handle. When
-you call \fIcurl_easy_cleanup(3)\fP, all the possibly open connections held by
-libcurl will be closed and forgotten.
+do as many of your file transfers as possible using the same handle.
 
-Note that the options set with \fIcurl_easy_setopt(3)\fP will be used on
-every repeated \fIcurl_easy_perform(3)\fP call.
+If you use the easy interface, and you call \fIcurl_easy_cleanup(3)\fP, all
+the possibly open connections held by libcurl will be closed and forgotten.
 
+When you've created a multi handle and are using the multi interface, the
+connection pool is instead kept in the multi handle so closing and creating
+new easy handles to do transfers will not affect them. Instead all added easy
+handles can take advantage of the single shared pool.
 .SH "GLOBAL CONSTANTS"
 There are a variety of constants that libcurl uses, mainly through its
 internal use of other libraries, which are too complicated for the

docs/libcurl/symbols-in-versions

@@ -85,8 +85,8 @@ CURLE_LDAP_SEARCH_FAILED        7.1
 CURLE_LIBRARY_NOT_FOUND         7.1           7.17.0
 CURLE_LOGIN_DENIED              7.13.1
 CURLE_MALFORMAT_USER            7.1           7.17.0
-CURLE_NO_CONNECTION_AVAILABLE   7.30.0
 CURLE_NOT_BUILT_IN              7.21.5
+CURLE_NO_CONNECTION_AVAILABLE   7.30.0
 CURLE_OK                        7.1
 CURLE_OPERATION_TIMEDOUT        7.10.2
 CURLE_OPERATION_TIMEOUTED       7.1           7.17.0
@@ -270,10 +270,10 @@ CURLKHTYPE_RSA1                 7.19.6
 CURLKHTYPE_UNKNOWN              7.19.6
 CURLMOPT_CHUNK_LENGTH_PENALTY_SIZE 7.30.0
 CURLMOPT_CONTENT_LENGTH_PENALTY_SIZE 7.30.0
+CURLMOPT_MAXCONNECTS            7.16.3
 CURLMOPT_MAX_HOST_CONNECTIONS   7.30.0
 CURLMOPT_MAX_PIPELINE_LENGTH    7.30.0
 CURLMOPT_MAX_TOTAL_CONNECTIONS  7.30.0
-CURLMOPT_MAXCONNECTS            7.16.3
 CURLMOPT_PIPELINING             7.16.0
 CURLMOPT_PIPELINING_SERVER_BL   7.30.0
 CURLMOPT_PIPELINING_SITE_BL     7.30.0
@@ -283,6 +283,7 @@ CURLMOPT_TIMERDATA              7.16.0
 CURLMOPT_TIMERFUNCTION          7.16.0
 CURLMSG_DONE                    7.9.6
 CURLMSG_NONE                    7.9.6
+CURLM_ADDED_ALREADY             7.32.1
 CURLM_BAD_EASY_HANDLE           7.9.6
 CURLM_BAD_HANDLE                7.9.6
 CURLM_BAD_SOCKET                7.15.4
@@ -331,6 +332,9 @@ CURLOPT_DEBUGDATA               7.9.6
 CURLOPT_DEBUGFUNCTION           7.9.6
 CURLOPT_DIRLISTONLY             7.17.0
 CURLOPT_DNS_CACHE_TIMEOUT       7.9.3
+CURLOPT_DNS_INTERFACE           7.33.0
+CURLOPT_DNS_LOCAL_IP4           7.33.0
+CURLOPT_DNS_LOCAL_IP6           7.33.0
 CURLOPT_DNS_SERVERS             7.24.0
 CURLOPT_DNS_USE_GLOBAL_CACHE    7.9.3         7.11.1
 CURLOPT_EGDSOCKET               7.7
@@ -428,7 +432,7 @@ CURLOPT_POSTREDIR               7.19.1
 CURLOPT_PREQUOTE                7.9.5
 CURLOPT_PRIVATE                 7.10.3
 CURLOPT_PROGRESSDATA            7.1
-CURLOPT_PROGRESSFUNCTION        7.1
+CURLOPT_PROGRESSFUNCTION        7.1           7.32.0
 CURLOPT_PROTOCOLS               7.19.4
 CURLOPT_PROXY                   7.1
 CURLOPT_PROXYAUTH               7.10.7
@@ -525,6 +529,9 @@ CURLOPT_WRITEDATA               7.9.7
 CURLOPT_WRITEFUNCTION           7.1
 CURLOPT_WRITEHEADER             7.1
 CURLOPT_WRITEINFO               7.1
+CURLOPT_XFERINFODATA            7.32.0
+CURLOPT_XFERINFOFUNCTION        7.32.0
+CURLOPT_XOAUTH2_BEARER          7.33.0
 CURLPAUSE_ALL                   7.18.0
 CURLPAUSE_CONT                  7.18.0
 CURLPAUSE_RECV                  7.18.0
@@ -618,14 +625,15 @@ CURL_FORMADD_NULL               7.9.8
 CURL_FORMADD_OK                 7.9.8
 CURL_FORMADD_OPTION_TWICE       7.9.8
 CURL_FORMADD_UNKNOWN_OPTION     7.9.8
+CURL_GLOBAL_ACK_EINTR           7.30.0
 CURL_GLOBAL_ALL                 7.8
 CURL_GLOBAL_DEFAULT             7.8
 CURL_GLOBAL_NOTHING             7.8
 CURL_GLOBAL_SSL                 7.8
 CURL_GLOBAL_WIN32               7.8.1
-CURL_GLOBAL_ACK_EINTR           7.30.0
 CURL_HTTP_VERSION_1_0           7.9.1
 CURL_HTTP_VERSION_1_1           7.9.1
+CURL_HTTP_VERSION_2_0           7.33.0
 CURL_HTTP_VERSION_NONE          7.9.1
 CURL_IPRESOLVE_V4               7.10.8
 CURL_IPRESOLVE_V6               7.10.8
@@ -698,6 +706,7 @@ CURL_VERSION_CONV               7.15.4
 CURL_VERSION_CURLDEBUG          7.19.6
 CURL_VERSION_DEBUG              7.10.6
 CURL_VERSION_GSSNEGOTIATE       7.10.6
+CURL_VERSION_HTTP2              7.33.0
 CURL_VERSION_IDN                7.12.0
 CURL_VERSION_IPV6               7.10
 CURL_VERSION_KERBEROS4          7.10

docs/mk-ca-bundle.1

@@ -60,11 +60,16 @@ unlink (remove) certdata.txt after processing
 be verbose and print out processed CAs
 .SH EXIT STATUS
 Returns 0 on success. Returns 1 if it fails to download data.
+.SH CERTDATA FORMAT
+The file format used by Mozilla for this trust information seems to be documented here:
+.nf
+http://p11-glue.freedesktop.org/doc/storing-trust-policy/storing-trust-existing.html
+.fi
 .SH SEE ALSO
 .BR curl (1)
 .SH HISTORY
 \fBmk-ca-bundle\fP is a command line tool that is shipped as part of every
 curl and libcurl release (see http://curl.haxx.se/). It was originally based
 on the parse-certs script written by Roland Krikava and was later much
-improved by Guenter Knauf.  This manual page was written by Jan Schaumann
-\&<jschauma@netmeister.org>.
+improved by Guenter Knauf.  This manual page was initially written by Jan
+Schaumann \&<jschauma@netmeister.org>.

include/curl/curl.h

@@ -156,12 +156,22 @@ struct curl_httppost {
                                        HTTPPOST_CALLBACK posts */
 };
 
+/* This is the CURLOPT_PROGRESSFUNCTION callback proto. It is now considered
+   deprecated but was the only choice up until 7.31.0 */
 typedef int (*curl_progress_callback)(void *clientp,
                                       double dltotal,
                                       double dlnow,
                                       double ultotal,
                                       double ulnow);
 
+/* This is the CURLOPT_XFERINFOFUNCTION callback proto. It was introduced in
+   7.32.0, it avoids floating point and provides more detailed information. */
+typedef int (*curl_xferinfo_callback)(void *clientp,
+                                      curl_off_t dltotal,
+                                      curl_off_t dlnow,
+                                      curl_off_t ultotal,
+                                      curl_off_t ulnow);
+
 #ifndef CURL_MAX_WRITE_SIZE
   /* Tests have proven that 20K is a very bad buffer size for uploads on
      Windows, while 16K for some odd reason performed a lot better.
@@ -635,16 +645,18 @@ typedef enum {
 
 #define CURL_ERROR_SIZE 256
 
+enum curl_khtype {
+  CURLKHTYPE_UNKNOWN,
+  CURLKHTYPE_RSA1,
+  CURLKHTYPE_RSA,
+  CURLKHTYPE_DSS
+};
+
 struct curl_khkey {
   const char *key; /* points to a zero-terminated string encoded with base64
                       if len is zero, otherwise to the "raw" data */
   size_t len;
-  enum type {
-    CURLKHTYPE_UNKNOWN,
-    CURLKHTYPE_RSA1,
-    CURLKHTYPE_RSA,
-    CURLKHTYPE_DSS
-  } keytype;
+  enum curl_khtype keytype;
 };
 
 /* this is the set of return values expected from the curl_sshkeycallback
@@ -968,13 +980,16 @@ typedef enum {
 
   /* 55 = OBSOLETE */
 
-  /* Function that will be called instead of the internal progress display
+  /* DEPRECATED
+   * Function that will be called instead of the internal progress display
    * function. This function should be defined as the curl_progress_callback
    * prototype defines. */
   CINIT(PROGRESSFUNCTION, FUNCTIONPOINT, 56),
 
-  /* Data passed to the progress callback */
+  /* Data passed to the CURLOPT_PROGRESSFUNCTION and CURLOPT_XFERINFOFUNCTION
+     callbacks */
   CINIT(PROGRESSDATA, OBJECTPOINT, 57),
+#define CURLOPT_XFERINFODATA CURLOPT_PROGRESSDATA
 
   /* We want the referrer field set automatically when following locations */
   CINIT(AUTOREFERER, LONG, 58),
@@ -1533,6 +1548,27 @@ typedef enum {
   /* Enable/disable SASL initial response */
   CINIT(SASL_IR, LONG, 218),
 
+  /* Function that will be called instead of the internal progress display
+   * function. This function should be defined as the curl_xferinfo_callback
+   * prototype defines. (Deprecates CURLOPT_PROGRESSFUNCTION) */
+  CINIT(XFERINFOFUNCTION, FUNCTIONPOINT, 219),
+
+  /* The XOAUTH2 bearer token */
+  CINIT(XOAUTH2_BEARER, OBJECTPOINT, 220),
+
+  /* Set the interface string to use as outgoing network
+   * interface for DNS requests.
+   * Only supported by the c-ares DNS backend */
+  CINIT(DNS_INTERFACE, OBJECTPOINT, 221),
+
+  /* Set the local IPv4 address to use for outgoing DNS requests.
+   * Only supported by the c-ares DNS backend */
+  CINIT(DNS_LOCAL_IP4, OBJECTPOINT, 222),
+
+  /* Set the local IPv4 address to use for outgoing DNS requests.
+   * Only supported by the c-ares DNS backend */
+  CINIT(DNS_LOCAL_IP6, OBJECTPOINT, 223),
+
   CURLOPT_LASTENTRY /* the last unused */
 } CURLoption;
 
@@ -1585,6 +1621,7 @@ enum {
                              for us! */
   CURL_HTTP_VERSION_1_0,  /* please use HTTP 1.0 in the request */
   CURL_HTTP_VERSION_1_1,  /* please use HTTP 1.1 in the request */
+  CURL_HTTP_VERSION_2_0,  /* please use HTTP 2.0 in the request */
 
   CURL_HTTP_VERSION_LAST /* *ILLEGAL* http version */
 };
@@ -2148,6 +2185,7 @@ typedef struct {
 #define CURL_VERSION_CURLDEBUG (1<<13) /* debug memory tracking supported */
 #define CURL_VERSION_TLSAUTH_SRP (1<<14) /* TLS-SRP auth is supported */
 #define CURL_VERSION_NTLM_WB   (1<<15) /* NTLM delegating to winbind helper */
+#define CURL_VERSION_HTTP2     (1<<16) /* HTTP2 support built-in */
 
  /*
  * NAME curl_version_info()

include/curl/curlver.h

@@ -30,12 +30,12 @@
 
 /* This is the version number of the libcurl package from which this header
    file origins: */
-#define LIBCURL_VERSION "7.31.0-DEV"
+#define LIBCURL_VERSION "7.33.0-DEV"
 
 /* The numeric version number is also available "in parts" by using these
    defines: */
 #define LIBCURL_VERSION_MAJOR 7
-#define LIBCURL_VERSION_MINOR 31
+#define LIBCURL_VERSION_MINOR 33
 #define LIBCURL_VERSION_PATCH 0
 
 /* This is the numeric version of the libcurl version number, meant for easier
@@ -53,7 +53,7 @@
    and it is always a greater number in a more recent release. It makes
    comparisons with greater than and less than work.
 */
-#define LIBCURL_VERSION_NUM 0x071f00
+#define LIBCURL_VERSION_NUM 0x072100
 
 /*
  * This is the date and time when the full source package was created. The

include/curl/multi.h

@@ -7,7 +7,7 @@
  *                            | (__| |_| |  _ <| |___
  *                             \___|\___/|_| \_\_____|
  *
- * Copyright (C) 1998 - 2012, Daniel Stenberg, <daniel@haxx.se>, et al.
+ * Copyright (C) 1998 - 2013, Daniel Stenberg, <daniel@haxx.se>, et al.
  *
  * This software is licensed as described in the file COPYING, which
  * you should have received as part of this distribution. The terms
@@ -64,6 +64,8 @@ typedef enum {
   CURLM_INTERNAL_ERROR,  /* this is a libcurl bug */
   CURLM_BAD_SOCKET,      /* the passed in socket argument did not match */
   CURLM_UNKNOWN_OPTION,  /* curl_multi_setopt() with unsupported option */
+  CURLM_ADDED_ALREADY,   /* an easy handle already added to a multi handle was
+                            attempted to get added - again */
   CURLM_LAST
 } CURLMcode;
 

include/curl/typecheck-gcc.h

@@ -264,6 +264,11 @@ _CURL_WARNING(_curl_easy_getinfo_err_curl_slist,
    (option) == CURLOPT_RTSP_SESSION_ID ||                                     \
    (option) == CURLOPT_RTSP_STREAM_URI ||                                     \
    (option) == CURLOPT_RTSP_TRANSPORT ||                                      \
+   (option) == CURLOPT_XOAUTH2_BEARER ||                                      \
+   (option) == CURLOPT_DNS_SERVERS ||                                         \
+   (option) == CURLOPT_DNS_INTERFACE ||                                       \
+   (option) == CURLOPT_DNS_LOCAL_IP4 ||                                       \
+   (option) == CURLOPT_DNS_LOCAL_IP6 ||                                       \
    0)
 
 /* evaluates to true if option takes a curl_write_callback argument */

lib/CMakeLists.txt

@@ -94,6 +94,10 @@ add_library(
   ${HHEADERS} ${CSOURCES}
   )
 
+if(MSVC AND CURL_STATICLIB)
+  set_target_properties(${LIB_NAME} PROPERTIES STATIC_LIBRARY_FLAGS ${CMAKE_EXE_LINKER_FLAGS})
+endif()
+
 target_link_libraries(${LIB_NAME} ${CURL_LIBS})
 
 if(WIN32)
@@ -108,14 +112,6 @@ setup_curl_dependencies(${LIB_NAME})
 set_target_properties(${LIB_NAME} PROPERTIES PREFIX "")
 set_target_properties(${LIB_NAME} PROPERTIES IMPORT_PREFIX "")
 
-if(MSVC)
-  if(NOT BUILD_RELEASE_DEBUG_DIRS)
-    # Ugly workaround to remove the "/debug" or "/release" in each output
-    set_target_properties(${LIB_NAME} PROPERTIES PREFIX "../")
-    set_target_properties(${LIB_NAME} PROPERTIES IMPORT_PREFIX "../")
-  endif()
-endif()
-
 if(WIN32)
   if(NOT CURL_STATICLIB)
     # Add "_imp" as a suffix before the extension to avoid conflicting with the statically linked "libcurl.lib"

lib/Makefile.am

@@ -141,7 +141,7 @@ libcurl_la_CFLAGS_EXTRA += $(CFLAG_CURL_SYMBOL_HIDING)
 endif
 
 libcurl_la_CPPFLAGS = $(AM_CPPFLAGS) $(libcurl_la_CPPFLAGS_EXTRA)
-libcurl_la_LDFLAGS = $(AM_LDFLAGS) $(libcurl_la_LDFLAGS_EXTRA) $(LIBCURL_LIBS)
+libcurl_la_LDFLAGS = $(AM_LDFLAGS) $(libcurl_la_LDFLAGS_EXTRA) $(LDFLAGS) $(LIBCURL_LIBS)
 libcurl_la_CFLAGS = $(AM_CFLAGS) $(libcurl_la_CFLAGS_EXTRA)
 
 libcurlu_la_CPPFLAGS = $(AM_CPPFLAGS) -DCURL_STATICLIB -DUNITTESTS

lib/Makefile.b32

@@ -52,7 +52,7 @@ LDFLAGS  = -q -lq -laa -tWD
 SRCDIR   = .
 OBJDIR   = .\BCC_objs
 INCDIRS  = -I.;..\include
-LINKLIB  = $(BCCDIR)\lib\cw32mt.lib
+LINKLIB  = $(BCCDIR)\lib\cw32mt.lib $(BCCDIR)\lib\ws2_32.lib
 DEFINES  = -DNDEBUG -DWIN32 -DBUILDING_LIBCURL
 
 # By default SSPI support is enabled for BCC
@@ -88,8 +88,24 @@ LINKLIB  = $(LINKLIB) $(OPENSSL_PATH)\out32\ssleay32.lib $(OPENSSL_PATH)\out32\l
 # Makefile.inc provides the CSOURCES and HHEADERS defines
 !include Makefile.inc
 
-OBJECTS = $(CSOURCES:.c=.obj)
-PREPROCESSED = $(CSOURCES:.c=.int)
+# Borland's command line librarian program TLIB version 4.5 is not capable
+# of building a library when any of its objects contains an hypen in its
+# name, due to a command line parsing bug. In order to workaround this, we
+# build source files with hyphens in their name as objects with underscores
+# using explicit compilation build rules instead of implicit ones.
+
+NOHYPHEN = $(CSOURCES:-=_)
+
+OBJECTS = $(NOHYPHEN:.c=.obj)
+PREPROCESSED = $(NOHYPHEN:.c=.int)
+
+# Borland's command line compiler (BCC32) version 5.5.1 integrated
+# preprocessor has a bug which results in silently generating wrong
+# definitions for libcurl macros such as CURL_OFF_T_C, on the other
+# hand Borland's command line preprocessor (CPP32) version 5.5.1 does
+# not have the bug and achieves proper results. In order to avoid the
+# silent bug we first preprocess source files and later compile the
+# preprocessed result.
 
 .c.obj:
 	@-$(RM) $(@R).int
@@ -98,6 +114,21 @@ PREPROCESSED = $(CSOURCES:.c=.int)
 
 all:	$(OBJDIR) $(LIBCURL_LIB) $(LIBCURL_DLL)
 
+asyn_ares.obj: asyn-ares.c
+	@-$(RM) $(@R).int
+	$(PP_CMD) $(CC_FLAGS) $(INCDIRS) $(DEFINES) -o$(@R).int $(?)
+	$(CC_CMD) $(CC_FLAGS) -o$(@) $(@R).int
+
+asyn_thread.obj: asyn-thread.c
+	@-$(RM) $(@R).int
+	$(PP_CMD) $(CC_FLAGS) $(INCDIRS) $(DEFINES) -o$(@R).int $(?)
+	$(CC_CMD) $(CC_FLAGS) -o$(@) $(@R).int
+
+non_ascii.obj: non-ascii.c
+	@-$(RM) $(@R).int
+	$(PP_CMD) $(CC_FLAGS) $(INCDIRS) $(DEFINES) -o$(@R).int $(?)
+	$(CC_CMD) $(CC_FLAGS) -o$(@) $(@R).int
+
 clean:
 	cd $(OBJDIR)
 	@-$(RM) $(OBJECTS)
@@ -122,7 +153,10 @@ $(LIBCURL_LIB): $(OBJECTS)
 $(LIBCURL_DLL) $(LIBCURL_IMPLIB): $(OBJECTS) $(LINKLIB)
 	@-$(RM) $(LIBCURL_DLL)
 	@-$(RM) $(LIBCURL_IMPLIB)
-	$(LD) $(LDFLAGS) -e$(LIBCURL_DLL) $**
+	$(LD) $(LDFLAGS) -e$(LIBCURL_DLL) @&&!
+$(**: = ^
+)
+!
 	$(IMPLIB) $(LIBCURL_IMPLIB) $(LIBCURL_DLL)
 
 

lib/Makefile.inc

@@ -10,10 +10,10 @@
 CSOURCES = file.c timeval.c base64.c hostip.c progress.c formdata.c	\
   cookie.c http.c sendf.c ftp.c url.c dict.c if2ip.c speedcheck.c	\
   ldap.c ssluse.c version.c getenv.c escape.c mprintf.c telnet.c	\
-  netrc.c getinfo.c transfer.c strequal.c easy.c security.c krb4.c	\
+  netrc.c getinfo.c transfer.c strequal.c easy.c security.c      	\
   curl_fnmatch.c fileinfo.c ftplistparser.c wildcard.c krb5.c		\
   memdebug.c http_chunks.c strtok.c connect.c llist.c hash.c multi.c	\
-  content_encoding.c share.c http_digest.c md4.c md5.c curl_rand.c	\
+  content_encoding.c share.c http_digest.c md4.c md5.c	\
   http_negotiate.c inet_pton.c strtoofft.c strerror.c amigaos.c		\
   hostasyn.c hostip4.c hostip6.c hostsyn.c inet_ntop.c parsedate.c	\
   select.c gtls.c sslgen.c tftp.c splay.c strdup.c socks.c ssh.c nss.c	\
@@ -25,12 +25,13 @@ CSOURCES = file.c timeval.c base64.c hostip.c progress.c formdata.c	\
   http_proxy.c non-ascii.c asyn-ares.c asyn-thread.c curl_gssapi.c	\
   curl_ntlm.c curl_ntlm_wb.c curl_ntlm_core.c curl_ntlm_msgs.c		\
   curl_sasl.c curl_schannel.c curl_multibyte.c curl_darwinssl.c		\
-  hostcheck.c bundles.c conncache.c pipeline.c
+  hostcheck.c bundles.c conncache.c pipeline.c dotdot.c x509asn1.c      \
+  gskit.c http2.c
 
 HHEADERS = arpa_telnet.h netrc.h file.h timeval.h qssl.h hostip.h	\
   progress.h formdata.h cookie.h http.h sendf.h ftp.h url.h dict.h	\
   if2ip.h speedcheck.h urldata.h curl_ldap.h ssluse.h escape.h telnet.h	\
-  getinfo.h strequal.h krb4.h memdebug.h http_chunks.h curl_rand.h	\
+  getinfo.h strequal.h curl_sec.h memdebug.h http_chunks.h		\
   curl_fnmatch.h wildcard.h fileinfo.h ftplistparser.h strtok.h		\
   connect.h llist.h hash.h content_encoding.h share.h curl_md4.h	\
   curl_md5.h http_digest.h http_negotiate.h inet_pton.h amigaos.h	\
@@ -44,4 +45,5 @@ HHEADERS = arpa_telnet.h netrc.h file.h timeval.h qssl.h hostip.h	\
   asyn.h curl_ntlm.h curl_gssapi.h curl_ntlm_wb.h curl_ntlm_core.h	\
   curl_ntlm_msgs.h curl_sasl.h curl_schannel.h curl_multibyte.h		\
   curl_darwinssl.h hostcheck.h bundles.h conncache.h curl_setup_once.h	\
-  multihandle.h setup-vms.h pipeline.h
+  multihandle.h setup-vms.h pipeline.h dotdot.h x509asn1.h gskit.h	\
+  http2.h

lib/Makefile.vc6

@@ -103,23 +103,24 @@ WINDOWS_SDK_PATH = "$(PROGRAMFILES)\Microsoft SDK"
 #############################################################
 ## Nothing more to do below this line!
 
-CCNODBG    = cl.exe /O2 /DNDEBUG
-CCDEBUG    = cl.exe /Od /Gm /Zi /D_DEBUG /GZ
-CFLAGSSSL  = /DUSE_SSLEAY /DUSE_OPENSSL /I "$(OPENSSL_PATH)/inc32" /I "$(OPENSSL_PATH)/inc32/openssl"
-CFLAGSSSH2 = /DUSE_LIBSSH2 /DCURL_DISABLE_LDAP /DHAVE_LIBSSH2 /DHAVE_LIBSSH2_H /DLIBSSH2_WIN32 /DLIBSSH2_LIBRARY /I "$(LIBSSH2_PATH)/include"
-CFLAGSZLIB = /DHAVE_ZLIB_H /DHAVE_ZLIB /DHAVE_LIBZ /I "$(ZLIB_PATH)"
-CFLAGS     = /I. /I../include /nologo /W3 /GX /DWIN32 /YX /FD /c /DBUILDING_LIBCURL /D_BIND_TO_CURRENT_VCLIBS_VERSION=1
-CFLAGSLIB  = /DCURL_STATICLIB
-LNKDLL     = link.exe /DLL
-LNKLIB     = link.exe /lib
-LFLAGS     = /nologo /machine:$(MACHINE)
-SSLLIBS    = libeay32.lib ssleay32.lib
-ZLIBLIBSDLL= zdll.lib
-ZLIBLIBS   = zlib.lib
-WINLIBS    = ws2_32.lib wldap32.lib advapi32.lib
-CFLAGS     = $(CFLAGS)
+CCNODBG      = cl.exe /O2 /DNDEBUG
+CCDEBUG      = cl.exe /Od /Gm /Zi /D_DEBUG /GZ
+CFLAGSSSL    = /DUSE_SSLEAY /DUSE_OPENSSL /I "$(OPENSSL_PATH)/inc32" /I "$(OPENSSL_PATH)/inc32/openssl"
+CFLAGSWINSSL = /DUSE_SCHANNEL
+CFLAGSSSH2   = /DUSE_LIBSSH2 /DCURL_DISABLE_LDAP /DHAVE_LIBSSH2 /DHAVE_LIBSSH2_H /DLIBSSH2_WIN32 /DLIBSSH2_LIBRARY /I "$(LIBSSH2_PATH)/include"
+CFLAGSZLIB   = /DHAVE_ZLIB_H /DHAVE_ZLIB /DHAVE_LIBZ /I "$(ZLIB_PATH)"
+CFLAGS       = /I. /I../include /nologo /W3 /GX /DWIN32 /YX /FD /c /DBUILDING_LIBCURL /D_BIND_TO_CURRENT_VCLIBS_VERSION=1
+CFLAGSLIB    = /DCURL_STATICLIB
+LNKDLL       = link.exe /DLL
+LNKLIB       = link.exe /lib
+LFLAGS       = /nologo /machine:$(MACHINE)
+SSLLIBS      = libeay32.lib ssleay32.lib
+ZLIBLIBSDLL  = zdll.lib
+ZLIBLIBS     = zlib.lib
+WINLIBS      = ws2_32.lib wldap32.lib advapi32.lib
+CFLAGS       = $(CFLAGS)
 
-CFGSET     = FALSE
+CFGSET       = FALSE
 
 !IFDEF WINDOWS_SSPI
 CFLAGS = $(CFLAGS) /DUSE_WINDOWS_SSPI /I$(WINDOWS_SDK_PATH)\include
@@ -189,6 +190,18 @@ CC       = $(CCNODBG) $(RTLIB) $(CFLAGSSSL) $(CFLAGSZLIB) $(CFLAGSLIB)
 CFGSET   = TRUE
 !ENDIF
 
+######################
+# release-winssl-zlib
+
+!IF "$(CFG)" == "release-winssl-zlib"
+TARGET   = $(LIBCURL_STA_LIB_REL)
+DIROBJ   = $(CFG)
+LFLAGSZLIB = "/LIBPATH:$(ZLIB_PATH)"
+LNK      = $(LNKLIB) $(LFLAGSZLIB) /out:$(DIROBJ)\$(TARGET)
+CC       = $(CCNODBG) $(RTLIB) $(CFLAGSWINSSL) $(CFLAGSZLIB) $(CFLAGSLIB)
+CFGSET   = TRUE
+!ENDIF
+
 ######################
 # release-ssl-ssh2-zlib
 
@@ -515,7 +528,6 @@ X_OBJS= \
 	$(DIROBJ)\curl_ntlm_core.obj \
 	$(DIROBJ)\curl_ntlm_msgs.obj \
 	$(DIROBJ)\curl_ntlm_wb.obj \
-	$(DIROBJ)\curl_rand.obj \
 	$(DIROBJ)\curl_rtmp.obj \
 	$(DIROBJ)\curl_sasl.obj \
 	$(DIROBJ)\curl_schannel.obj \
@@ -523,6 +535,7 @@ X_OBJS= \
 	$(DIROBJ)\curl_threads.obj \
 	$(DIROBJ)\cyassl.obj \
 	$(DIROBJ)\dict.obj \
+	$(DIROBJ)\dotdot.obj \
 	$(DIROBJ)\easy.obj \
 	$(DIROBJ)\escape.obj \
 	$(DIROBJ)\file.obj \
@@ -553,7 +566,6 @@ X_OBJS= \
 	$(DIROBJ)\imap.obj \
 	$(DIROBJ)\inet_ntop.obj \
 	$(DIROBJ)\inet_pton.obj \
-	$(DIROBJ)\krb4.obj \
 	$(DIROBJ)\krb5.obj \
 	$(DIROBJ)\ldap.obj \
 	$(DIROBJ)\llist.obj \

lib/README.http2

@@ -0,0 +1,31 @@
+
+HTTP2 with libcurl
+
+ Spec: http://tools.ietf.org/html/draft-ietf-httpbis-http2-06
+
+ nghttp2 (https://github.com/tatsuhiro-t/nghttp2)
+
+  We're depending on this 3rd party library for the actual low level protocol
+  handling parts. The reason for this is that HTTP2 is much more complex at
+  that layer than HTTP1.1 (which we implement on our own) and that nghttp2 is
+  an already existing and well functional library.
+
+ Over an http:// URL
+
+  If CURLOPT_HTTP_VERSION is set to CURL_HTTP_VERSION_2, libcurl will include
+  an upgrade header in the initial request to the host to allow upgrading to
+  http2. Possibly introduce an option that will cause libcurl to fail if not
+  possible to upgrade. Possibly introduce an option that makes libcurl use
+  http2 at once over http://
+
+ Over an https:// URL
+
+  If CURLOPT_HTTP_VERSION is set to CURL_HTTP_VERSION_2, libcurl will use ALPN
+  (or NPN) to negotiate which protocol to continue with. Possibly introduce an
+  option that will cause libcurl to fail if not possible to use http2.
+
+To consider:
+
+  - How to tell libcurl when using the multi interface that all or some of the
+    handles are allowed to re-use the same physical connection. Can we just
+    re-use existing pipelining logic?

lib/asyn-ares.c

@@ -315,6 +315,7 @@ CURLcode Curl_resolver_is_resolved(struct connectdata *conn,
   struct SessionHandle *data = conn->data;
   struct ResolverResults *res = (struct ResolverResults *)
     conn->async.os_specific;
+  CURLcode rc = CURLE_OK;
 
   *dns = NULL;
 
@@ -325,19 +326,19 @@ CURLcode Curl_resolver_is_resolved(struct connectdata *conn,
     /* temp_ai ownership is moved to the connection, so we need not free-up
        them */
     res->temp_ai = NULL;
-    destroy_async_data(&conn->async);
     if(!conn->async.dns) {
-      failf(data, "Could not resolve %s: %s (%s)",
-            conn->bits.proxy?"proxy":"host",
-            conn->host.dispname,
-            ares_strerror(conn->async.status));
-      return conn->bits.proxy?CURLE_COULDNT_RESOLVE_PROXY:
+      failf(data, "Could not resolve: %s (%s)",
+            conn->async.hostname, ares_strerror(conn->async.status));
+      rc = conn->bits.proxy?CURLE_COULDNT_RESOLVE_PROXY:
         CURLE_COULDNT_RESOLVE_HOST;
     }
-    *dns = conn->async.dns;
+    else
+      *dns = conn->async.dns;
+
+    destroy_async_data(&conn->async);
   }
 
-  return CURLE_OK;
+  return rc;
 }
 
 /*
@@ -415,37 +416,12 @@ CURLcode Curl_resolver_wait_resolv(struct connectdata *conn,
   if(entry)
     *entry = conn->async.dns;
 
-  if(!conn->async.dns) {
-    /* a name was not resolved */
-    if((timeout < 0) || (conn->async.status == ARES_ETIMEOUT)) {
-      if(conn->bits.proxy) {
-        failf(data, "Resolving proxy timed out: %s", conn->proxy.dispname);
-        rc = CURLE_COULDNT_RESOLVE_PROXY;
-      }
-      else {
-        failf(data, "Resolving host timed out: %s", conn->host.dispname);
-        rc = CURLE_COULDNT_RESOLVE_HOST;
-      }
-    }
-    else if(conn->async.done) {
-      if(conn->bits.proxy) {
-        failf(data, "Could not resolve proxy: %s (%s)", conn->proxy.dispname,
-              ares_strerror(conn->async.status));
-        rc = CURLE_COULDNT_RESOLVE_PROXY;
-      }
-      else {
-        failf(data, "Could not resolve host: %s (%s)", conn->host.dispname,
-              ares_strerror(conn->async.status));
-        rc = CURLE_COULDNT_RESOLVE_HOST;
-      }
-    }
-    else
-      rc = CURLE_OPERATION_TIMEDOUT;
-
+  if(rc)
     /* close the connection, since we can't return failure here without
-       cleaning up this connection properly */
+       cleaning up this connection properly.
+       TODO: remove this action from here, it is not a name resolver decision.
+    */
     conn->bits.close = TRUE;
-  }
 
   return rc;
 }
@@ -614,8 +590,19 @@ CURLcode Curl_set_dns_servers(struct SessionHandle *data,
                               char *servers)
 {
   CURLcode result = CURLE_NOT_BUILT_IN;
+  int ares_result;
+
+  /* If server is NULL or empty, this would purge all DNS servers
+   * from ares library, which will cause any and all queries to fail.
+   * So, just return OK if none are configured and don't actually make
+   * any changes to c-ares.  This lets c-ares use it's defaults, which
+   * it gets from the OS (for instance from /etc/resolv.conf on Linux).
+   */
+  if(!(servers && servers[0]))
+    return CURLE_OK;
+
 #if (ARES_VERSION >= 0x010704)
-  int ares_result = ares_set_servers_csv(data->state.resolver, servers);
+  ares_result = ares_set_servers_csv(data->state.resolver, servers);
   switch(ares_result) {
   case ARES_SUCCESS:
     result = CURLE_OK;
@@ -632,8 +619,76 @@ CURLcode Curl_set_dns_servers(struct SessionHandle *data,
   }
 #else /* too old c-ares version! */
   (void)data;
-  (void)servers;
+  (void)(ares_result);
 #endif
   return result;
 }
+
+CURLcode Curl_set_dns_interface(struct SessionHandle *data,
+                                const char *interf)
+{
+#if (ARES_VERSION >= 0x010704)
+  if(!interf)
+    interf = "";
+
+  ares_set_local_dev((ares_channel)data->state.resolver, interf);
+
+  return CURLE_OK;
+#else /* c-ares version too old! */
+  (void)data;
+  (void)interf;
+  return CURLE_NOT_BUILT_IN;
+#endif
+}
+
+CURLcode Curl_set_dns_local_ip4(struct SessionHandle *data,
+                                const char *local_ip4)
+{
+#if (ARES_VERSION >= 0x010704)
+  uint32_t a4;
+
+  if((!local_ip4) || (local_ip4[0] == 0)) {
+    a4 = 0; /* disabled: do not bind to a specific address */
+  }
+  else {
+    if(Curl_inet_pton(AF_INET, local_ip4, &a4) != 1) {
+      return CURLE_BAD_FUNCTION_ARGUMENT;
+    }
+  }
+
+  ares_set_local_ip4((ares_channel)data->state.resolver, ntohl(a4));
+
+  return CURLE_OK;
+#else /* c-ares version too old! */
+  (void)data;
+  (void)local_ip4;
+  return CURLE_NOT_BUILT_IN;
+#endif
+}
+
+CURLcode Curl_set_dns_local_ip6(struct SessionHandle *data,
+                                const char *local_ip6)
+{
+#if (ARES_VERSION >= 0x010704)
+  unsigned char a6[INET6_ADDRSTRLEN];
+
+  if((!local_ip6) || (local_ip6[0] == 0)) {
+    /* disabled: do not bind to a specific address */
+    memset(a6, 0, sizeof(a6));
+  }
+  else {
+    if(Curl_inet_pton(AF_INET6, local_ip6, a6) != 1) {
+      return CURLE_BAD_FUNCTION_ARGUMENT;
+    }
+  }
+
+  ares_set_local_ip6((ares_channel)data->state.resolver, a6);
+
+  return CURLE_OK;
+#else /* c-ares version too old! */
+  (void)data;
+  (void)local_ip6;
+  return CURLE_NOT_BUILT_IN;
+#endif
+}
 #endif /* CURLRES_ARES */

lib/asyn-thread.c

@@ -265,7 +265,7 @@ static int getaddrinfo_complete(struct connectdata *conn)
 static unsigned int CURL_STDCALL getaddrinfo_thread (void *arg)
 {
   struct thread_sync_data *tsd = (struct thread_sync_data*)arg;
-  char   service [NI_MAXSERV];
+  char service[12];
   int rc;
 
   snprintf(service, sizeof(service), "%d", tsd->port);
@@ -559,7 +559,7 @@ Curl_addrinfo *Curl_resolver_getaddrinfo(struct connectdata *conn,
   struct in_addr in;
   Curl_addrinfo *res;
   int error;
-  char sbuf[NI_MAXSERV];
+  char sbuf[12];
   int pf = PF_INET;
 #ifdef CURLRES_IPV6
   struct in6_addr in6;
@@ -635,4 +635,28 @@ CURLcode Curl_set_dns_servers(struct SessionHandle *data,
 
 }
 
+CURLcode Curl_set_dns_interface(struct SessionHandle *data,
+                                const char *interf)
+{
+  (void)data;
+  (void)interf;
+  return CURLE_NOT_BUILT_IN;
+}
+
+CURLcode Curl_set_dns_local_ip4(struct SessionHandle *data,
+                                const char *local_ip4)
+{
+  (void)data;
+  (void)local_ip4;
+  return CURLE_NOT_BUILT_IN;
+}
+
+CURLcode Curl_set_dns_local_ip6(struct SessionHandle *data,
+                                const char *local_ip6)
+{
+  (void)data;
+  (void)local_ip6;
+  return CURLE_NOT_BUILT_IN;
+}
+
 #endif /* CURLRES_THREADED */

lib/config-os400.h

@@ -277,21 +277,27 @@
 /* Define if you have the <stdlib.h> header file. */
 #define HAVE_STDLIB_H
 
+
+/* The following define is needed on OS400 to enable strcmpi(), stricmp() and
+   strdup(). */
+#define __cplusplus__strings__
+
 /* Define if you have the `strcasecmp' function. */
 #undef HAVE_STRCASECMP
 
 /* Define if you have the `strcmpi' function. */
-#undef HAVE_STRCMPI
+#define HAVE_STRCMPI
+
+/* Define if you have the `stricmp' function. */
+#define HAVE_STRICMP
 
 /* Define if you have the `strdup' function. */
-#undef HAVE_STRDUP
+#define HAVE_STRDUP
+
 
 /* Define if you have the `strftime' function. */
 #define HAVE_STRFTIME
 
-/* Define if you have the `stricmp' function. */
-#undef HAVE_STRICMP
-
 /* Define if you have the <strings.h> header file. */
 #define HAVE_STRINGS_H
 
@@ -525,6 +531,9 @@
 /* Define to use the QsoSSL package. */
 #define USE_QSOSSL
 
+/* Define to use the GSKit package. */
+#undef USE_GSKIT
+
 /* Use the system keyring as the default CA bundle. */
 #define CURL_CA_BUNDLE  "/QIBM/UserData/ICSS/Cert/Server/DEFAULT.KDB"
 

lib/config-win32.h

@@ -390,21 +390,6 @@
 #  define SIZEOF_SIZE_T 4
 #endif
 
-/* ---------------------------------------------------------------- */
-/*                          STRUCT RELATED                          */
-/* ---------------------------------------------------------------- */
-
-/* Define if you have struct sockaddr_storage. */
-#if !defined(__SALFORDC__) && !defined(__BORLANDC__)
-#define HAVE_STRUCT_SOCKADDR_STORAGE 1
-#endif
-
-/* Define if you have struct timeval. */
-#define HAVE_STRUCT_TIMEVAL 1
-
-/* Define if struct sockaddr_in6 has the sin6_scope_id member. */
-#define HAVE_SOCKADDR_IN6_SIN6_SCOPE_ID 1
-
 /* ---------------------------------------------------------------- */
 /*               BSD-style lwIP TCP/IP stack SPECIFIC               */
 /* ---------------------------------------------------------------- */
@@ -572,6 +557,25 @@
 #  endif
 #endif
 
+/* ---------------------------------------------------------------- */
+/*                          STRUCT RELATED                          */
+/* ---------------------------------------------------------------- */
+
+/* Define if you have struct sockaddr_storage. */
+#if !defined(__SALFORDC__) && !defined(__BORLANDC__)
+#define HAVE_STRUCT_SOCKADDR_STORAGE 1
+#endif
+
+/* Define if you have struct timeval. */
+#define HAVE_STRUCT_TIMEVAL 1
+
+/* Define if struct sockaddr_in6 has the sin6_scope_id member. */
+#define HAVE_SOCKADDR_IN6_SIN6_SCOPE_ID 1
+
+#if HAVE_WINSOCK2_H && defined(_WIN32_WINNT) && (_WIN32_WINNT >= 0x0600)
+#define HAVE_STRUCT_POLLFD 1
+#endif
+
 /* ---------------------------------------------------------------- */
 /*                        LARGE FILE SUPPORT                        */
 /* ---------------------------------------------------------------- */

lib/connect.c

@@ -1144,7 +1144,7 @@ CURLcode Curl_connecthost(struct connectdata *conn,  /* context */
 
   if(sockfd == CURL_SOCKET_BAD) {
     /* no good connect was made */
-    failf(data, "couldn't connect to %s at %s:%d",
+    failf(data, "couldn't connect to %s at %s:%ld",
           conn->bits.proxy?"proxy":"host",
           conn->bits.proxy?conn->proxy.name:conn->host.name, conn->port);
     return CURLE_COULDNT_CONNECT;

lib/cookie.c

@@ -89,6 +89,7 @@ Example set of cookies:
 #include "strequal.h"
 #include "strtok.h"
 #include "sendf.h"
+#include "slist.h"
 #include "curl_memory.h"
 #include "share.h"
 #include "strtoofft.h"
@@ -289,6 +290,34 @@ static void strstore(char **str, const char *newstr)
   *str = strdup(newstr);
 }
 
+/*
+ * remove_expired() removes expired cookies.
+ */
+static void remove_expired(struct CookieInfo *cookies)
+{
+  struct Cookie *co, *nx, *pv;
+  curl_off_t now = (curl_off_t)time(NULL);
+
+  co = cookies->cookies;
+  pv = NULL;
+  while(co) {
+    nx = co->next;
+    if((co->expirestr || co->maxage) && co->expires < now) {
+      if(co == cookies->cookies) {
+        cookies->cookies = co->next;
+      }
+      else {
+        pv->next = co->next;
+      }
+      cookies->numcookies--;
+      freecookie(co);
+    }
+    else {
+      pv = co;
+    }
+    co = nx;
+  }
+}
 
 /****************************************************************************
  *
@@ -699,6 +728,9 @@ Curl_cookie_add(struct SessionHandle *data,
      superceeds an already existing cookie, which it may if the previous have
      the same domain and path as this */
 
+  /* at first, remove expired cookies */
+  remove_expired(c);
+
   clist = c->cookies;
   replace_old = FALSE;
   while(clist) {
@@ -930,6 +962,9 @@ struct Cookie *Curl_cookie_getlist(struct CookieInfo *c,
   if(!c || !c->cookies)
     return NULL; /* no cookie struct or no cookies in the struct */
 
+  /* at first, remove expired cookies */
+  remove_expired(c);
+
   co = c->cookies;
 
   while(co) {
@@ -1172,6 +1207,9 @@ static int cookie_output(struct CookieInfo *c, const char *dumphere)
        destination file */
     return 0;
 
+  /* at first, remove expired cookies */
+  remove_expired(c);
+
   if(strequal("-", dumphere)) {
     /* use stdout */
     out = stdout;
@@ -1232,9 +1270,9 @@ struct curl_slist *Curl_cookie_list(struct SessionHandle *data)
       curl_slist_free_all(list);
       return NULL;
     }
-    beg = curl_slist_append(list, line);
-    free(line);
+    beg = Curl_slist_append_nodup(list, line);
     if(!beg) {
+      free(line);
       curl_slist_free_all(list);
       return NULL;
     }

lib/curl_darwinssl.c

@@ -38,9 +38,58 @@
 #include <Security/SecureTransport.h>
 #include <CoreFoundation/CoreFoundation.h>
 #include <CommonCrypto/CommonDigest.h>
+
+/* The Security framework has changed greatly between iOS and different OS X
+   versions, and we will try to support as many of them as we can (back to
+   Leopard and iOS 5) by using macros and weak-linking.
+
+   IMPORTANT: If TLS 1.1 and 1.2 support are important for you on OS X, then
+   you must build this project against the 10.8 SDK or later. */
 #if (TARGET_OS_MAC && !(TARGET_OS_EMBEDDED || TARGET_OS_IPHONE))
+
+#if MAC_OS_X_VERSION_MAX_ALLOWED < 1050
+#error "The darwinssl back-end requires Leopard or later."
+#endif /* MAC_OS_X_VERSION_MAX_ALLOWED < 1050 */
+
+#define CURL_BUILD_IOS 0
+#define CURL_BUILD_IOS_7 0
+#define CURL_BUILD_MAC 1
+/* This is the maximum API level we are allowed to use when building: */
+#define CURL_BUILD_MAC_10_5 MAC_OS_X_VERSION_MAX_ALLOWED >= 1050
+#define CURL_BUILD_MAC_10_6 MAC_OS_X_VERSION_MAX_ALLOWED >= 1060
+#define CURL_BUILD_MAC_10_7 MAC_OS_X_VERSION_MAX_ALLOWED >= 1070
+#define CURL_BUILD_MAC_10_8 MAC_OS_X_VERSION_MAX_ALLOWED >= 1080
+#define CURL_BUILD_MAC_10_9 MAC_OS_X_VERSION_MAX_ALLOWED >= 1090
+/* These macros mean "the following code is present to allow runtime backward
+   compatibility with at least this cat or earlier":
+   (You set this at build-time by setting the MACOSX_DEPLOYMENT_TARGET
+   environmental variable.) */
+#define CURL_SUPPORT_MAC_10_5 MAC_OS_X_VERSION_MIN_REQUIRED <= 1050
+#define CURL_SUPPORT_MAC_10_6 MAC_OS_X_VERSION_MIN_REQUIRED <= 1060
+#define CURL_SUPPORT_MAC_10_7 MAC_OS_X_VERSION_MIN_REQUIRED <= 1070
+#define CURL_SUPPORT_MAC_10_8 MAC_OS_X_VERSION_MIN_REQUIRED <= 1080
+#define CURL_SUPPORT_MAC_10_9 MAC_OS_X_VERSION_MIN_REQUIRED <= 1090
+
+#elif TARGET_OS_EMBEDDED || TARGET_OS_IPHONE
+#define CURL_BUILD_IOS 1
+#define CURL_BUILD_IOS_7 __IPHONE_OS_VERSION_MAX_ALLOWED >= 70000
+#define CURL_BUILD_MAC 0
+#define CURL_BUILD_MAC_10_5 0
+#define CURL_BUILD_MAC_10_6 0
+#define CURL_BUILD_MAC_10_7 0
+#define CURL_BUILD_MAC_10_8 0
+#define CURL_SUPPORT_MAC_10_5 0
+#define CURL_SUPPORT_MAC_10_6 0
+#define CURL_SUPPORT_MAC_10_7 0
+#define CURL_SUPPORT_MAC_10_8 0
+
+#else
+#error "The darwinssl back-end requires iOS or OS X."
+#endif /* (TARGET_OS_MAC && !(TARGET_OS_EMBEDDED || TARGET_OS_IPHONE)) */
+
+#if CURL_BUILD_MAC
 #include <sys/sysctl.h>
-#endif
+#endif /* CURL_BUILD_MAC */
 
 #include "urldata.h"
 #include "sendf.h"
@@ -61,16 +110,6 @@
 #define ioErr -36
 #define paramErr -50
 
-/* In Mountain Lion and iOS 5, Apple made some changes to the API. They
-   added TLS 1.1 and 1.2 support, and deprecated and replaced some
-   functions. You need to build against the Mountain Lion or iOS 5 SDK
-   or later to get TLS 1.1 or 1.2 support working in cURL. We'll weak-link
-   to the newer functions and use them if present in the user's OS.
-
-   Builders: If you want TLS 1.1 and 1.2 but still want to retain support
-   for older cats, don't forget to set the MACOSX_DEPLOYMENT_TARGET
-   environmental variable prior to building cURL. */
-
 /* The following two functions were ripped from Apple sample code,
  * with some modifications: */
 static OSStatus SocketRead(SSLConnectionRef connection,
@@ -361,7 +400,7 @@ CF_INLINE const char *TLSCipherNameForNumber(SSLCipherSuite cipher) {
     case TLS_DH_anon_WITH_AES_256_CBC_SHA:
       return "TLS_DH_anon_WITH_AES_256_CBC_SHA";
       break;
-#if defined(__MAC_10_6) || defined(__IPHONE_5_0)
+#if CURL_BUILD_MAC_10_6 || CURL_BUILD_IOS
     /* TLS 1.0 with ECDSA (RFC 4492) */
     case TLS_ECDH_ECDSA_WITH_NULL_SHA:
       return "TLS_ECDH_ECDSA_WITH_NULL_SHA";
@@ -438,8 +477,8 @@ CF_INLINE const char *TLSCipherNameForNumber(SSLCipherSuite cipher) {
     case TLS_ECDH_anon_WITH_AES_256_CBC_SHA:
       return "TLS_ECDH_anon_WITH_AES_256_CBC_SHA";
       break;
-#endif /* defined(__MAC_10_6) || defined(__IPHONE_5_0) */
-#if defined(__MAC_10_8) || defined(__IPHONE_5_0)
+#endif /* CURL_BUILD_MAC_10_6 || CURL_BUILD_IOS */
+#if CURL_BUILD_MAC_10_8 || CURL_BUILD_IOS
     /* TLS 1.2 (RFC 5246) */
     case TLS_RSA_WITH_NULL_MD5:
       return "TLS_RSA_WITH_NULL_MD5";
@@ -624,12 +663,116 @@ CF_INLINE const char *TLSCipherNameForNumber(SSLCipherSuite cipher) {
     case SSL_DH_anon_WITH_3DES_EDE_CBC_SHA:
       return "TLS_DH_anon_WITH_3DES_EDE_CBC_SHA";
       break;
-#endif /* defined(__MAC_10_8) || defined(__IPHONE_5_0) */
+#endif /* CURL_BUILD_MAC_10_8 || CURL_BUILD_IOS */
+#if CURL_BUILD_MAC_10_9 || CURL_BUILD_IOS_7
+    /* TLS PSK (RFC 4279): */
+    case TLS_PSK_WITH_RC4_128_SHA:
+      return "TLS_PSK_WITH_RC4_128_SHA";
+      break;
+    case TLS_PSK_WITH_3DES_EDE_CBC_SHA:
+      return "TLS_PSK_WITH_3DES_EDE_CBC_SHA";
+      break;
+    case TLS_PSK_WITH_AES_128_CBC_SHA:
+      return "TLS_PSK_WITH_AES_128_CBC_SHA";
+      break;
+    case TLS_PSK_WITH_AES_256_CBC_SHA:
+      return "TLS_PSK_WITH_AES_256_CBC_SHA";
+      break;
+    case TLS_DHE_PSK_WITH_RC4_128_SHA:
+      return "TLS_DHE_PSK_WITH_RC4_128_SHA";
+      break;
+    case TLS_DHE_PSK_WITH_3DES_EDE_CBC_SHA:
+      return "TLS_DHE_PSK_WITH_3DES_EDE_CBC_SHA";
+      break;
+    case TLS_DHE_PSK_WITH_AES_128_CBC_SHA:
+      return "TLS_DHE_PSK_WITH_AES_128_CBC_SHA";
+      break;
+    case TLS_DHE_PSK_WITH_AES_256_CBC_SHA:
+      return "TLS_DHE_PSK_WITH_AES_256_CBC_SHA";
+      break;
+    case TLS_RSA_PSK_WITH_RC4_128_SHA:
+      return "TLS_RSA_PSK_WITH_RC4_128_SHA";
+      break;
+    case TLS_RSA_PSK_WITH_3DES_EDE_CBC_SHA:
+      return "TLS_RSA_PSK_WITH_3DES_EDE_CBC_SHA";
+      break;
+    case TLS_RSA_PSK_WITH_AES_128_CBC_SHA:
+      return "TLS_RSA_PSK_WITH_AES_128_CBC_SHA";
+      break;
+    case TLS_RSA_PSK_WITH_AES_256_CBC_SHA:
+      return "TLS_RSA_PSK_WITH_AES_256_CBC_SHA";
+      break;
+    /* More TLS PSK (RFC 4785): */
+    case TLS_PSK_WITH_NULL_SHA:
+      return "TLS_PSK_WITH_NULL_SHA";
+      break;
+    case TLS_DHE_PSK_WITH_NULL_SHA:
+      return "TLS_DHE_PSK_WITH_NULL_SHA";
+      break;
+    case TLS_RSA_PSK_WITH_NULL_SHA:
+      return "TLS_RSA_PSK_WITH_NULL_SHA";
+      break;
+    /* Even more TLS PSK (RFC 5487): */
+    case TLS_PSK_WITH_AES_128_GCM_SHA256:
+      return "TLS_PSK_WITH_AES_128_GCM_SHA256";
+      break;
+    case TLS_PSK_WITH_AES_256_GCM_SHA384:
+      return "TLS_PSK_WITH_AES_256_GCM_SHA384";
+      break;
+    case TLS_DHE_PSK_WITH_AES_128_GCM_SHA256:
+      return "TLS_DHE_PSK_WITH_AES_128_GCM_SHA256";
+      break;
+    case TLS_DHE_PSK_WITH_AES_256_GCM_SHA384:
+      return "TLS_DHE_PSK_WITH_AES_256_GCM_SHA384";
+      break;
+    case TLS_RSA_PSK_WITH_AES_128_GCM_SHA256:
+      return "TLS_RSA_PSK_WITH_AES_128_GCM_SHA256";
+      break;
+    case TLS_RSA_PSK_WITH_AES_256_GCM_SHA384:
+      return "TLS_PSK_WITH_AES_256_GCM_SHA384";
+      break;
+    case TLS_PSK_WITH_AES_128_CBC_SHA256:
+      return "TLS_PSK_WITH_AES_128_CBC_SHA256";
+      break;
+    case TLS_PSK_WITH_AES_256_CBC_SHA384:
+      return "TLS_PSK_WITH_AES_256_CBC_SHA384";
+      break;
+    case TLS_PSK_WITH_NULL_SHA256:
+      return "TLS_PSK_WITH_NULL_SHA256";
+      break;
+    case TLS_PSK_WITH_NULL_SHA384:
+      return "TLS_PSK_WITH_NULL_SHA384";
+      break;
+    case TLS_DHE_PSK_WITH_AES_128_CBC_SHA256:
+      return "TLS_DHE_PSK_WITH_AES_128_CBC_SHA256";
+      break;
+    case TLS_DHE_PSK_WITH_AES_256_CBC_SHA384:
+      return "TLS_DHE_PSK_WITH_AES_256_CBC_SHA384";
+      break;
+    case TLS_DHE_PSK_WITH_NULL_SHA256:
+      return "TLS_DHE_PSK_WITH_NULL_SHA256";
+      break;
+    case TLS_DHE_PSK_WITH_NULL_SHA384:
+      return "TLS_RSA_PSK_WITH_NULL_SHA384";
+      break;
+    case TLS_RSA_PSK_WITH_AES_128_CBC_SHA256:
+      return "TLS_RSA_PSK_WITH_AES_128_CBC_SHA256";
+      break;
+    case TLS_RSA_PSK_WITH_AES_256_CBC_SHA384:
+      return "TLS_RSA_PSK_WITH_AES_256_CBC_SHA384";
+      break;
+    case TLS_RSA_PSK_WITH_NULL_SHA256:
+      return "TLS_RSA_PSK_WITH_NULL_SHA256";
+      break;
+    case TLS_RSA_PSK_WITH_NULL_SHA384:
+      return "TLS_RSA_PSK_WITH_NULL_SHA384";
+      break;
+#endif /* CURL_BUILD_MAC_10_9 || CURL_BUILD_IOS_7 */
   }
   return "TLS_NULL_WITH_NULL_NULL";
 }
 
-#if (TARGET_OS_MAC && !(TARGET_OS_EMBEDDED || TARGET_OS_IPHONE))
+#if CURL_BUILD_MAC
 CF_INLINE void GetDarwinVersionNumber(int *major, int *minor)
 {
   int mib[2];
@@ -658,7 +801,7 @@ CF_INLINE void GetDarwinVersionNumber(int *major, int *minor)
   *minor = atoi(os_version_minor);
   free(os_version);
 }
-#endif
+#endif /* CURL_BUILD_MAC */
 
 /* Apple provides a myriad of ways of getting information about a certificate
    into a string. Some aren't available under iOS or newer cats. So here's
@@ -668,37 +811,36 @@ CF_INLINE CFStringRef CopyCertSubject(SecCertificateRef cert)
 {
   CFStringRef server_cert_summary = CFSTR("(null)");
 
-#if (TARGET_OS_EMBEDDED || TARGET_OS_IPHONE)
+#if CURL_BUILD_IOS
   /* iOS: There's only one way to do this. */
   server_cert_summary = SecCertificateCopySubjectSummary(cert);
 #else
-#if defined(__MAC_10_7)
+#if CURL_BUILD_MAC_10_7
   /* Lion & later: Get the long description if we can. */
   if(SecCertificateCopyLongDescription != NULL)
     server_cert_summary =
       SecCertificateCopyLongDescription(NULL, cert, NULL);
   else
-#endif /* defined(__MAC_10_7) */
-#if defined(__MAC_10_6)
+#endif /* CURL_BUILD_MAC_10_7 */
+#if CURL_BUILD_MAC_10_6
   /* Snow Leopard: Get the certificate summary. */
   if(SecCertificateCopySubjectSummary != NULL)
     server_cert_summary = SecCertificateCopySubjectSummary(cert);
   else
-#endif /* defined(__MAC_10_6) */
+#endif /* CURL_BUILD_MAC_10_6 */
   /* Leopard is as far back as we go... */
   (void)SecCertificateCopyCommonName(cert, &server_cert_summary);
-#endif /* (TARGET_OS_EMBEDDED || TARGET_OS_IPHONE) */
+#endif /* CURL_BUILD_IOS */
   return server_cert_summary;
 }
 
-#if (TARGET_OS_MAC && !(TARGET_OS_EMBEDDED || TARGET_OS_IPHONE))
+#if CURL_SUPPORT_MAC_10_7
+/* The SecKeychainSearch API was deprecated in Lion, and using it will raise
+   deprecation warnings, so let's not compile this unless it's necessary: */
 static OSStatus CopyIdentityWithLabelOldSchool(char *label,
                                                SecIdentityRef *out_c_a_k)
 {
   OSStatus status = errSecItemNotFound;
-/* The SecKeychainSearch API was deprecated in Lion, and using it will raise
-   deprecation warnings, so let's not compile this unless it's necessary: */
-#if MAC_OS_X_VERSION_MIN_REQUIRED < 1070
   SecKeychainAttributeList attr_list;
   SecKeychainAttribute attr;
   SecKeychainSearchRef search = NULL;
@@ -730,22 +872,20 @@ static OSStatus CopyIdentityWithLabelOldSchool(char *label,
 
   if(search)
     CFRelease(search);
-#else
-#pragma unused(label, out_c_a_k)
-#endif /* MAC_OS_X_VERSION_MIN_REQUIRED < MAC_OS_X_VERSION_10_7 */
   return status;
 }
-#endif /* (TARGET_OS_MAC && !(TARGET_OS_EMBEDDED || TARGET_OS_IPHONE)) */
+#endif /* CURL_SUPPORT_MAC_10_7 */
 
 static OSStatus CopyIdentityWithLabel(char *label,
                                       SecIdentityRef *out_cert_and_key)
 {
   OSStatus status = errSecItemNotFound;
 
-#if defined(__MAC_10_6) || defined(__IPHONE_2_0)
-  /* SecItemCopyMatching() was introduced in iOS and Snow Leopard. If it
-     exists, let's use that to find the certificate. */
-  if(SecItemCopyMatching != NULL) {
+#if CURL_BUILD_MAC_10_7 || CURL_BUILD_IOS
+  /* SecItemCopyMatching() was introduced in iOS and Snow Leopard.
+     kSecClassIdentity was introduced in Lion. If both exist, let's use them
+     to find the certificate. */
+  if(SecItemCopyMatching != NULL && kSecClassIdentity != NULL) {
     CFTypeRef keys[4];
     CFTypeRef values[4];
     CFDictionaryRef query_dict;
@@ -774,18 +914,81 @@ static OSStatus CopyIdentityWithLabel(char *label,
     CFRelease(query_dict);
   }
   else {
-#if (TARGET_OS_MAC && !(TARGET_OS_EMBEDDED || TARGET_OS_IPHONE))
-    /* On Leopard, fall back to SecKeychainSearch. */
+#if CURL_SUPPORT_MAC_10_7
+    /* On Leopard and Snow Leopard, fall back to SecKeychainSearch. */
     status = CopyIdentityWithLabelOldSchool(label, out_cert_and_key);
-#endif /* (TARGET_OS_MAC && !(TARGET_OS_EMBEDDED || TARGET_OS_IPHONE)) */
+#endif /* CURL_SUPPORT_MAC_10_7 */
   }
-#elif (TARGET_OS_MAC && !(TARGET_OS_EMBEDDED || TARGET_OS_IPHONE))
-  /* For developers building on Leopard, we have no choice but to fall back. */
+#elif CURL_SUPPORT_MAC_10_7
+  /* For developers building on older cats, we have no choice but to fall back
+     to SecKeychainSearch. */
   status = CopyIdentityWithLabelOldSchool(label, out_cert_and_key);
-#endif /* defined(__MAC_10_6) || defined(__IPHONE_2_0) */
+#endif /* CURL_BUILD_MAC_10_7 || CURL_BUILD_IOS */
   return status;
 }
 
+static OSStatus CopyIdentityFromPKCS12File(const char *cPath,
+                                           const char *cPassword,
+                                           SecIdentityRef *out_cert_and_key)
+{
+  OSStatus status = errSecItemNotFound;
+  CFURLRef pkcs_url = CFURLCreateFromFileSystemRepresentation(NULL,
+    (const UInt8 *)cPath, strlen(cPath), false);
+  CFStringRef password = cPassword ? CFStringCreateWithCString(NULL,
+    cPassword, kCFStringEncodingUTF8) : NULL;
+  CFDataRef pkcs_data = NULL;
+
+  /* We can import P12 files on iOS or OS X 10.6 or later: */
+#if CURL_BUILD_MAC_10_6 || CURL_BUILD_IOS
+  if(CFURLCreateDataAndPropertiesFromResource(NULL, pkcs_url, &pkcs_data,
+    NULL, NULL, &status)) {
+    const void *cKeys[] = {kSecImportExportPassphrase};
+    const void *cValues[] = {password};
+    CFDictionaryRef options = CFDictionaryCreate(NULL, cKeys, cValues,
+      password ? 1L : 0L, NULL, NULL);
+    CFArrayRef items = NULL;
+
+    /* Here we go: */
+    status = SecPKCS12Import(pkcs_data, options, &items);
+    if(status == noErr) {
+      CFDictionaryRef identity_and_trust = CFArrayGetValueAtIndex(items, 0L);
+      const void *temp_identity = CFDictionaryGetValue(identity_and_trust,
+        kSecImportItemIdentity);
+
+      /* Retain the identity; we don't care about any other data... */
+      CFRetain(temp_identity);
+      *out_cert_and_key = (SecIdentityRef)temp_identity;
+      CFRelease(items);
+    }
+    CFRelease(options);
+    CFRelease(pkcs_data);
+  }
+#endif /* CURL_BUILD_MAC_10_6 || CURL_BUILD_IOS */
+  if(password)
+    CFRelease(password);
+  CFRelease(pkcs_url);
+  return status;
+}
+
+/* This code was borrowed from nss.c, with some modifications:
+ * Determine whether the nickname passed in is a filename that needs to
+ * be loaded as a PEM or a regular NSS nickname.
+ *
+ * returns 1 for a file
+ * returns 0 for not a file
+ */
+CF_INLINE bool is_file(const char *filename)
+{
+  struct_stat st;
+
+  if(filename == NULL)
+    return false;
+
+  if(stat(filename, &st) == 0)
+    return S_ISREG(st.st_mode);
+  return false;
+}
+
 static CURLcode darwinssl_connect_step1(struct connectdata *conn,
                                         int sockindex)
 {
@@ -796,19 +999,19 @@ static CURLcode darwinssl_connect_step1(struct connectdata *conn,
   struct in6_addr addr;
 #else
   struct in_addr addr;
-#endif
+#endif /* ENABLE_IPV6 */
   size_t all_ciphers_count = 0UL, allowed_ciphers_count = 0UL, i;
   SSLCipherSuite *all_ciphers = NULL, *allowed_ciphers = NULL;
   char *ssl_sessionid;
   size_t ssl_sessionid_len;
   OSStatus err = noErr;
-#if (TARGET_OS_MAC && !(TARGET_OS_EMBEDDED || TARGET_OS_IPHONE))
+#if CURL_BUILD_MAC
   int darwinver_maj = 0, darwinver_min = 0;
 
   GetDarwinVersionNumber(&darwinver_maj, &darwinver_min);
-#endif
+#endif /* CURL_BUILD_MAC */
 
-#if defined(__MAC_10_8) || defined(__IPHONE_5_0)
+#if CURL_BUILD_MAC_10_8 || CURL_BUILD_IOS
   if(SSLCreateContext != NULL) {  /* use the newer API if avaialble */
     if(connssl->ssl_ctx)
       CFRelease(connssl->ssl_ctx);
@@ -820,7 +1023,7 @@ static CURLcode darwinssl_connect_step1(struct connectdata *conn,
   }
   else {
   /* The old ST API does not exist under iOS, so don't compile it: */
-#if (TARGET_OS_MAC && !(TARGET_OS_EMBEDDED || TARGET_OS_IPHONE))
+#if CURL_SUPPORT_MAC_10_8
     if(connssl->ssl_ctx)
       (void)SSLDisposeContext(connssl->ssl_ctx);
     err = SSLNewContext(false, &(connssl->ssl_ctx));
@@ -828,7 +1031,7 @@ static CURLcode darwinssl_connect_step1(struct connectdata *conn,
       failf(data, "SSL: couldn't create a context: OSStatus %d", err);
       return CURLE_OUT_OF_MEMORY;
     }
-#endif /* (TARGET_OS_MAC && !(TARGET_OS_EMBEDDED || TARGET_OS_IPHONE)) */
+#endif /* CURL_SUPPORT_MAC_10_8 */
   }
 #else
   if(connssl->ssl_ctx)
@@ -838,11 +1041,11 @@ static CURLcode darwinssl_connect_step1(struct connectdata *conn,
     failf(data, "SSL: couldn't create a context: OSStatus %d", err);
     return CURLE_OUT_OF_MEMORY;
   }
-#endif /* defined(__MAC_10_8) || defined(__IPHONE_5_0) */
+#endif /* CURL_BUILD_MAC_10_8 || CURL_BUILD_IOS */
   connssl->ssl_write_buffered_length = 0UL; /* reset buffered write length */
 
   /* check to see if we've been told to use an explicit SSL/TLS version */
-#if defined(__MAC_10_8) || defined(__IPHONE_5_0)
+#if CURL_BUILD_MAC_10_8 || CURL_BUILD_IOS
   if(SSLSetProtocolVersionMax != NULL) {
     switch(data->set.ssl.version) {
       case CURL_SSLVERSION_DEFAULT: default:
@@ -858,12 +1061,16 @@ static CURLcode darwinssl_connect_step1(struct connectdata *conn,
         (void)SSLSetProtocolVersionMax(connssl->ssl_ctx, kSSLProtocol3);
         break;
       case CURL_SSLVERSION_SSLv2:
-        (void)SSLSetProtocolVersionMin(connssl->ssl_ctx, kSSLProtocol2);
+        err = SSLSetProtocolVersionMin(connssl->ssl_ctx, kSSLProtocol2);
+        if(err != noErr) {
+          failf(data, "Your version of the OS does not support SSLv2");
+          return CURLE_SSL_CONNECT_ERROR;
+        }
         (void)SSLSetProtocolVersionMax(connssl->ssl_ctx, kSSLProtocol2);
     }
   }
   else {
-#if (TARGET_OS_MAC && !(TARGET_OS_EMBEDDED || TARGET_OS_IPHONE))
+#if CURL_SUPPORT_MAC_10_8
     (void)SSLSetProtocolVersionEnabled(connssl->ssl_ctx,
                                        kSSLProtocolAll,
                                        false);
@@ -899,12 +1106,16 @@ static CURLcode darwinssl_connect_step1(struct connectdata *conn,
                                            true);
         break;
       case CURL_SSLVERSION_SSLv2:
-        (void)SSLSetProtocolVersionEnabled(connssl->ssl_ctx,
+        err = SSLSetProtocolVersionEnabled(connssl->ssl_ctx,
                                            kSSLProtocol2,
                                            true);
+        if(err != noErr) {
+          failf(data, "Your version of the OS does not support SSLv2");
+          return CURLE_SSL_CONNECT_ERROR;
+        }
         break;
     }
-#endif  /* (TARGET_OS_MAC && !(TARGET_OS_EMBEDDED || TARGET_OS_IPHONE)) */
+#endif  /* CURL_SUPPORT_MAC_10_8 */
   }
 #else
   (void)SSLSetProtocolVersionEnabled(connssl->ssl_ctx, kSSLProtocolAll, false);
@@ -924,9 +1135,13 @@ static CURLcode darwinssl_connect_step1(struct connectdata *conn,
                                          true);
       break;
     case CURL_SSLVERSION_SSLv2:
-      (void)SSLSetProtocolVersionEnabled(connssl->ssl_ctx,
+      err = SSLSetProtocolVersionEnabled(connssl->ssl_ctx,
                                          kSSLProtocol2,
                                          true);
+      if(err != noErr) {
+        failf(data, "Your version of the OS does not support SSLv2");
+        return CURLE_SSL_CONNECT_ERROR;
+      }
       break;
     case CURL_SSLVERSION_SSLv3:
       (void)SSLSetProtocolVersionEnabled(connssl->ssl_ctx,
@@ -934,18 +1149,36 @@ static CURLcode darwinssl_connect_step1(struct connectdata *conn,
                                          true);
       break;
   }
-#endif /* defined(__MAC_10_8) || defined(__IPHONE_5_0) */
+#endif /* CURL_BUILD_MAC_10_8 || CURL_BUILD_IOS */
 
   if(data->set.str[STRING_KEY]) {
     infof(data, "WARNING: SSL: CURLOPT_SSLKEY is ignored by Secure "
-                "Transport. The private key must be in the Keychain.");
+                "Transport. The private key must be in the Keychain.\n");
   }
 
   if(data->set.str[STRING_CERT]) {
     SecIdentityRef cert_and_key = NULL;
+    bool is_cert_file = is_file(data->set.str[STRING_CERT]);
+
+    /* User wants to authenticate with a client cert. Look for it:
+       If we detect that this is a file on disk, then let's load it.
+       Otherwise, assume that the user wants to use an identity loaded
+       from the Keychain. */
+    if(is_cert_file) {
+      if(!data->set.str[STRING_CERT_TYPE])
+        infof(data, "WARNING: SSL: Certificate type not set, assuming "
+                    "PKCS#12 format.\n");
+      else if(strncmp(data->set.str[STRING_CERT_TYPE], "P12",
+        strlen(data->set.str[STRING_CERT_TYPE])) != 0)
+        infof(data, "WARNING: SSL: The Security framework only supports "
+                    "loading identities that are in PKCS#12 format.\n");
+
+      err = CopyIdentityFromPKCS12File(data->set.str[STRING_CERT],
+        data->set.str[STRING_KEY_PASSWD], &cert_and_key);
+    }
+    else
+      err = CopyIdentityWithLabel(data->set.str[STRING_CERT], &cert_and_key);
 
-    /* User wants to authenticate with a client cert. Look for it: */
-    err = CopyIdentityWithLabel(data->set.str[STRING_CERT], &cert_and_key);
     if(err == noErr) {
       SecCertificateRef cert = NULL;
       CFTypeRef certs_c[1];
@@ -982,8 +1215,29 @@ static CURLcode darwinssl_connect_step1(struct connectdata *conn,
       CFRelease(cert_and_key);
     }
     else {
-      failf(data, "SSL: Can't find the certificate \"%s\" and its private key "
-                  "in the Keychain.", data->set.str[STRING_CERT]);
+      switch(err) {
+        case errSecPkcs12VerifyFailure: case errSecAuthFailed:
+          failf(data, "SSL: Incorrect password for the certificate \"%s\" "
+                      "and its private key.", data->set.str[STRING_CERT]);
+          break;
+        case errSecDecode: case errSecUnknownFormat:
+          failf(data, "SSL: Couldn't make sense of the data in the "
+                      "certificate \"%s\" and its private key.",
+                      data->set.str[STRING_CERT]);
+          break;
+        case errSecPassphraseRequired:
+          failf(data, "SSL The certificate \"%s\" requires a password.",
+                      data->set.str[STRING_CERT]);
+          break;
+        case errSecItemNotFound:
+          failf(data, "SSL: Can't find the certificate \"%s\" and its private "
+                      "key in the Keychain.", data->set.str[STRING_CERT]);
+          break;
+        default:
+          failf(data, "SSL: Can't load the certificate \"%s\" and its private "
+                      "key: OSStatus %d", data->set.str[STRING_CERT], err);
+          break;
+      }
       return CURLE_SSL_CERTPROBLEM;
     }
   }
@@ -992,7 +1246,7 @@ static CURLcode darwinssl_connect_step1(struct connectdata *conn,
    * fail to connect if the verification fails, or if it should continue
    * anyway. In the latter case the result of the verification is checked with
    * SSL_get_verify_result() below. */
-#if defined(__MAC_10_6) || defined(__IPHONE_5_0)
+#if CURL_BUILD_MAC_10_6 || CURL_BUILD_IOS
   /* Snow Leopard introduced the SSLSetSessionOption() function, but due to
      a library bug with the way the kSSLSessionOptionBreakOnServerAuth flag
      works, it doesn't work as expected under Snow Leopard or Lion.
@@ -1001,11 +1255,11 @@ static CURLcode darwinssl_connect_step1(struct connectdata *conn,
      (SecureTransport will always validate the certificate chain by
      default.) */
   /* (Note: Darwin 12.x.x is Mountain Lion.) */
-#if (TARGET_OS_MAC && !(TARGET_OS_EMBEDDED || TARGET_OS_IPHONE))
+#if CURL_BUILD_MAC
   if(SSLSetSessionOption != NULL && darwinver_maj >= 12) {
 #else
   if(SSLSetSessionOption != NULL) {
-#endif /* (TARGET_OS_MAC && !(TARGET_OS_EMBEDDED || TARGET_OS_IPHONE)) */
+#endif /* CURL_BUILD_MAC */
     err = SSLSetSessionOption(connssl->ssl_ctx,
                               kSSLSessionOptionBreakOnServerAuth,
                               data->set.ssl.verifypeer?false:true);
@@ -1015,14 +1269,14 @@ static CURLcode darwinssl_connect_step1(struct connectdata *conn,
     }
   }
   else {
-#if (TARGET_OS_MAC && !(TARGET_OS_EMBEDDED || TARGET_OS_IPHONE))
+#if CURL_SUPPORT_MAC_10_8
     err = SSLSetEnableCertVerify(connssl->ssl_ctx,
                                  data->set.ssl.verifypeer?true:false);
     if(err != noErr) {
       failf(data, "SSL: SSLSetEnableCertVerify() failed: OSStatus %d", err);
       return CURLE_SSL_CONNECT_ERROR;
     }
-#endif /* (TARGET_OS_MAC && !(TARGET_OS_EMBEDDED || TARGET_OS_IPHONE)) */
+#endif /* CURL_SUPPORT_MAC_10_8 */
   }
 #else
   err = SSLSetEnableCertVerify(connssl->ssl_ctx,
@@ -1031,7 +1285,7 @@ static CURLcode darwinssl_connect_step1(struct connectdata *conn,
     failf(data, "SSL: SSLSetEnableCertVerify() failed: OSStatus %d", err);
     return CURLE_SSL_CONNECT_ERROR;
   }
-#endif /* defined(__MAC_10_6) || defined(__IPHONE_5_0) */
+#endif /* CURL_BUILD_MAC_10_6 || CURL_BUILD_IOS */
 
   /* If this is a domain name and not an IP address, then configure SNI.
    * Also: the verifyhost setting influences SNI usage */
@@ -1044,7 +1298,7 @@ static CURLcode darwinssl_connect_step1(struct connectdata *conn,
     err = SSLSetPeerDomainName(connssl->ssl_ctx, conn->host.name,
                                strlen(conn->host.name));
     if(err != noErr) {
-      infof(data, "WARNING: SSL: SSLSetPeerDomainName() failed: OSStatus %d",
+      infof(data, "WARNING: SSL: SSLSetPeerDomainName() failed: OSStatus %d\n",
             err);
     }
   }
@@ -1061,7 +1315,7 @@ static CURLcode darwinssl_connect_step1(struct connectdata *conn,
      SSLGetSupportedCiphers(connssl->ssl_ctx, all_ciphers,
        &all_ciphers_count) == noErr) {
     for(i = 0UL ; i < all_ciphers_count ; i++) {
-#if (TARGET_OS_MAC && !(TARGET_OS_EMBEDDED || TARGET_OS_IPHONE))
+#if CURL_BUILD_MAC
      /* There's a known bug in early versions of Mountain Lion where ST's ECC
         ciphers (cipher suite 0xC001 through 0xC032) simply do not work.
         Work around the problem here by disabling those ciphers if we are
@@ -1070,17 +1324,27 @@ static CURLcode darwinssl_connect_step1(struct connectdata *conn,
          all_ciphers[i] >= 0xC001 && all_ciphers[i] <= 0xC032) {
            continue;
       }
-#endif
+#endif /* CURL_BUILD_MAC */
       switch(all_ciphers[i]) {
         /* Disable NULL ciphersuites: */
         case SSL_NULL_WITH_NULL_NULL:
         case SSL_RSA_WITH_NULL_MD5:
         case SSL_RSA_WITH_NULL_SHA:
+        case 0x003B: /* TLS_RSA_WITH_NULL_SHA256 */
         case SSL_FORTEZZA_DMS_WITH_NULL_SHA:
         case 0xC001: /* TLS_ECDH_ECDSA_WITH_NULL_SHA */
         case 0xC006: /* TLS_ECDHE_ECDSA_WITH_NULL_SHA */
         case 0xC00B: /* TLS_ECDH_RSA_WITH_NULL_SHA */
         case 0xC010: /* TLS_ECDHE_RSA_WITH_NULL_SHA */
+        case 0x002C: /* TLS_PSK_WITH_NULL_SHA */
+        case 0x002D: /* TLS_DHE_PSK_WITH_NULL_SHA */
+        case 0x002E: /* TLS_RSA_PSK_WITH_NULL_SHA */
+        case 0x00B0: /* TLS_PSK_WITH_NULL_SHA256 */
+        case 0x00B1: /* TLS_PSK_WITH_NULL_SHA384 */
+        case 0x00B4: /* TLS_DHE_PSK_WITH_NULL_SHA256 */
+        case 0x00B5: /* TLS_DHE_PSK_WITH_NULL_SHA384 */
+        case 0x00B8: /* TLS_RSA_PSK_WITH_NULL_SHA256 */
+        case 0x00B9: /* TLS_RSA_PSK_WITH_NULL_SHA384 */
         /* Disable anonymous ciphersuites: */
         case SSL_DH_anon_EXPORT_WITH_RC4_40_MD5:
         case SSL_DH_anon_WITH_RC4_128_MD5:
@@ -1136,6 +1400,13 @@ static CURLcode darwinssl_connect_step1(struct connectdata *conn,
   Curl_safefree(all_ciphers);
   Curl_safefree(allowed_ciphers);
 
+#if CURL_BUILD_MAC_10_9 || CURL_BUILD_IOS_7
+  /* We want to enable 1/n-1 when using a CBC cipher unless the user
+     specifically doesn't want us doing that: */
+  SSLSetSessionOption(connssl->ssl_ctx, kSSLSessionOptionSendOneByteRecord,
+                      !data->set.ssl_enable_beast);
+#endif /* CURL_BUILD_MAC_10_9 || CURL_BUILD_IOS_7 */
+
   /* Check if there's a cached ID we can/should use here! */
   if(!Curl_ssl_getsessionid(conn, (void **)&ssl_sessionid,
     &ssl_sessionid_len)) {
@@ -1303,7 +1574,7 @@ darwinssl_connect_step2(struct connectdata *conn, int sockindex)
         infof(data, "TLS 1.0 connection using %s\n",
               TLSCipherNameForNumber(cipher));
         break;
-#if defined(__MAC_10_8) || defined(__IPHONE_5_0)
+#if CURL_BUILD_MAC_10_8 || CURL_BUILD_IOS
       case kTLSProtocol11:
         infof(data, "TLS 1.1 connection using %s\n",
               TLSCipherNameForNumber(cipher));
@@ -1330,20 +1601,22 @@ darwinssl_connect_step3(struct connectdata *conn,
   struct ssl_connect_data *connssl = &conn->ssl[sockindex];
   CFStringRef server_cert_summary;
   char server_cert_summary_c[128];
-  CFArrayRef server_certs;
+  CFArrayRef server_certs = NULL;
   SecCertificateRef server_cert;
   OSStatus err;
   CFIndex i, count;
-  SecTrustRef trust;
+  SecTrustRef trust = NULL;
 
   /* There is no step 3!
    * Well, okay, if verbose mode is on, let's print the details of the
    * server certificates. */
-#if defined(__MAC_10_7) || defined(__IPHONE_5_0)
-#if (TARGET_OS_EMBEDDED || TARGET_OS_IPHONE)
+#if CURL_BUILD_MAC_10_7 || CURL_BUILD_IOS
+#if CURL_BUILD_IOS
 #pragma unused(server_certs)
   err = SSLCopyPeerTrust(connssl->ssl_ctx, &trust);
-  if(err == noErr) {
+  /* For some reason, SSLCopyPeerTrust() can return noErr and yet return
+     a null trust, so be on guard for that: */
+  if(err == noErr && trust) {
     count = SecTrustGetCertificateCount(trust);
     for(i = 0L ; i < count ; i++) {
       server_cert = SecTrustGetCertificateAtIndex(trust, i);
@@ -1369,7 +1642,9 @@ darwinssl_connect_step3(struct connectdata *conn,
   if(SecTrustEvaluateAsync != NULL) {
 #pragma unused(server_certs)
     err = SSLCopyPeerTrust(connssl->ssl_ctx, &trust);
-    if(err == noErr) {
+    /* For some reason, SSLCopyPeerTrust() can return noErr and yet return
+       a null trust, so be on guard for that: */
+    if(err == noErr && trust) {
       count = SecTrustGetCertificateCount(trust);
       for(i = 0L ; i < count ; i++) {
         server_cert = SecTrustGetCertificateAtIndex(trust, i);
@@ -1387,8 +1662,10 @@ darwinssl_connect_step3(struct connectdata *conn,
     }
   }
   else {
+#if CURL_SUPPORT_MAC_10_8
     err = SSLCopyPeerCertificates(connssl->ssl_ctx, &server_certs);
-    if(err == noErr) {
+    /* Just in case SSLCopyPeerCertificates() returns null too... */
+    if(err == noErr && server_certs) {
       count = CFArrayGetCount(server_certs);
       for(i = 0L ; i < count ; i++) {
         server_cert = (SecCertificateRef)CFArrayGetValueAtIndex(server_certs,
@@ -1406,8 +1683,9 @@ darwinssl_connect_step3(struct connectdata *conn,
       }
       CFRelease(server_certs);
     }
+#endif /* CURL_SUPPORT_MAC_10_8 */
   }
-#endif /* (TARGET_OS_EMBEDDED || TARGET_OS_IPHONE) */
+#endif /* CURL_BUILD_IOS */
 #else
 #pragma unused(trust)
   err = SSLCopyPeerCertificates(connssl->ssl_ctx, &server_certs);
@@ -1427,7 +1705,7 @@ darwinssl_connect_step3(struct connectdata *conn,
     }
     CFRelease(server_certs);
   }
-#endif /* defined(__MAC_10_7) || defined(__IPHONE_5_0) */
+#endif /* CURL_BUILD_MAC_10_7 || CURL_BUILD_IOS */
 
   connssl->connecting_state = ssl_connect_done;
   return CURLE_OK;
@@ -1579,16 +1857,16 @@ void Curl_darwinssl_close(struct connectdata *conn, int sockindex)
 
   if(connssl->ssl_ctx) {
     (void)SSLClose(connssl->ssl_ctx);
-#if defined(__MAC_10_8) || defined(__IPHONE_5_0)
+#if CURL_BUILD_MAC_10_8 || CURL_BUILD_IOS
     if(SSLCreateContext != NULL)
       CFRelease(connssl->ssl_ctx);
-#if (TARGET_OS_MAC && !(TARGET_OS_EMBEDDED || TARGET_OS_IPHONE))
+#if CURL_SUPPORT_MAC_10_8
     else
       (void)SSLDisposeContext(connssl->ssl_ctx);
-#endif  /* (TARGET_OS_MAC && !(TARGET_OS_EMBEDDED || TARGET_OS_IPHONE)) */
+#endif  /* CURL_SUPPORT_MAC_10_8 */
 #else
     (void)SSLDisposeContext(connssl->ssl_ctx);
-#endif /* defined(__MAC_10_8) || defined(__IPHONE_5_0) */
+#endif /* CURL_BUILD_MAC_10_8 || CURL_BUILD_IOS */
     connssl->ssl_ctx = NULL;
   }
   connssl->ssl_sockfd = 0;

lib/curl_darwinssl.h

@@ -7,7 +7,7 @@
  *                            | (__| |_| |  _ <| |___
  *                             \___|\___/|_| \_\_____|
  *
- * Copyright (C) 2012, Nick Zitzmann, <nickzman@gmail.com>.
+ * Copyright (C) 2012 - 2013, Nick Zitzmann, <nickzman@gmail.com>.
  *
  * This software is licensed as described in the file COPYING, which
  * you should have received as part of this distribution. The terms
@@ -52,6 +52,10 @@ void Curl_darwinssl_md5sum(unsigned char *tmp, /* input */
                            unsigned char *md5sum, /* output */
                            size_t md5len);
 
+/* this backend provides these functions: */
+#define have_curlssl_random 1
+#define have_curlssl_md5sum 1
+
 /* API setup for SecureTransport */
 #define curlssl_init() (1)
 #define curlssl_cleanup() Curl_nop_stmt

lib/curl_memory.h

@@ -87,6 +87,9 @@ extern curl_free_callback Curl_cfree;
 extern curl_realloc_callback Curl_crealloc;
 extern curl_strdup_callback Curl_cstrdup;
 extern curl_calloc_callback Curl_ccalloc;
+#if defined(WIN32) && defined(UNICODE)
+extern curl_wcsdup_callback Curl_cwcsdup;
+#endif
 
 #ifndef CURLDEBUG
 
@@ -110,6 +113,20 @@ extern curl_calloc_callback Curl_ccalloc;
 #undef free
 #define free(ptr) Curl_cfree(ptr)
 
+#ifdef WIN32
+#  ifdef UNICODE
+#    undef wcsdup
+#    define wcsdup(ptr) Curl_cwcsdup(ptr)
+#    undef _wcsdup
+#    define _wcsdup(ptr) Curl_cwcsdup(ptr)
+#    undef _tcsdup
+#    define _tcsdup(ptr) Curl_cwcsdup(ptr)
+#  else
+#    undef _tcsdup
+#    define _tcsdup(ptr) Curl_cstrdup(ptr)
+#  endif
+#endif
+
 #endif /* CURLDEBUG */
 
 #else /* CURLX_NO_MEMORY_CALLBACKS */

lib/curl_sasl.c

@@ -22,6 +22,7 @@
  * RFC2831 DIGEST-MD5 authentication
  * RFC4422 Simple Authentication and Security Layer (SASL)
  * RFC4616 PLAIN authentication
+ * RFC6749 OAuth 2.0 Authorization Framework
  *
  ***************************************************************************/
 
@@ -32,7 +33,7 @@
 
 #include "curl_base64.h"
 #include "curl_md5.h"
-#include "curl_rand.h"
+#include "sslgen.h"
 #include "curl_hmac.h"
 #include "curl_ntlm_msgs.h"
 #include "curl_sasl.h"
@@ -94,18 +95,18 @@ CURLcode Curl_sasl_create_plain_message(struct SessionHandle *data,
                                         const char *passwdp,
                                         char **outptr, size_t *outlen)
 {
-  char plainauth[2 * MAX_CURL_USER_LENGTH + MAX_CURL_PASSWORD_LENGTH];
+  CURLcode result;
+  char *plainauth;
   size_t ulen;
   size_t plen;
 
   ulen = strlen(userp);
   plen = strlen(passwdp);
 
-  if(2 * ulen + plen + 2 > sizeof(plainauth)) {
+  plainauth = malloc(2 * ulen + plen + 2);
+  if(!plainauth) {
     *outlen = 0;
     *outptr = NULL;
-
-    /* Plainauth too small */
     return CURLE_OUT_OF_MEMORY;
   }
 
@@ -117,8 +118,10 @@ CURLcode Curl_sasl_create_plain_message(struct SessionHandle *data,
   memcpy(plainauth + 2 * ulen + 2, passwdp, plen);
 
   /* Base64 encode the reply */
-  return Curl_base64_encode(data, plainauth, 2 * ulen + plen + 2, outptr,
-                            outlen);
+  result = Curl_base64_encode(data, plainauth, 2 * ulen + plen + 2, outptr,
+                              outlen);
+  Curl_safefree(plainauth);
+  return result;
 }
 
 /*
@@ -190,7 +193,7 @@ CURLcode Curl_sasl_create_cram_md5_message(struct SessionHandle *data,
   size_t chlglen = 0;
   HMAC_context *ctxt;
   unsigned char digest[MD5_DIGEST_LEN];
-  char response[MAX_CURL_USER_LENGTH + 2 * MD5_DIGEST_LEN + 1];
+  char *response;
 
   /* Decode the challenge if necessary */
   if(chlg64len && *chlg64 != '=') {
@@ -220,14 +223,19 @@ CURLcode Curl_sasl_create_cram_md5_message(struct SessionHandle *data,
   Curl_HMAC_final(ctxt, digest);
 
   /* Prepare the response */
-  snprintf(response, sizeof(response),
+  response = aprintf(
       "%s %02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x",
            userp, digest[0], digest[1], digest[2], digest[3], digest[4],
            digest[5], digest[6], digest[7], digest[8], digest[9], digest[10],
            digest[11], digest[12], digest[13], digest[14], digest[15]);
+  if(!response)
+    return CURLE_OUT_OF_MEMORY;
 
   /* Base64 encode the reply */
-  return Curl_base64_encode(data, response, 0, outptr, outlen);
+  result = Curl_base64_encode(data, response, 0, outptr, outlen);
+
+  Curl_safefree(response);
+  return result;
 }
 
 /*
@@ -314,7 +322,7 @@ CURLcode Curl_sasl_create_digest_md5_message(struct SessionHandle *data,
 
   /* Generate 64 bits of random data */
   for(i = 0; i < 8; i++)
-    cnonce[i] = table16[Curl_rand()%16];
+    cnonce[i] = table16[Curl_rand(data)%16];
 
   /* So far so good, now calculate A1 and H(A1) according to RFC 2831 */
   ctxt = Curl_MD5_init(Curl_DIGEST_MD5);
@@ -470,6 +478,40 @@ CURLcode Curl_sasl_create_ntlm_type3_message(struct SessionHandle *data,
 }
 #endif /* USE_NTLM */
 
+/*
+ * Curl_sasl_create_xoauth2_message()
+ *
+ * This is used to generate an already encoded XOAUTH2 message ready
+ * for sending to the recipient.
+ *
+ * Parameters:
+ *
+ * data    [in]     - The session handle.
+ * user    [in]     - The user name.
+ * bearer  [in]     - The XOAUTH Bearer token.
+ * outptr  [in/out] - The address where a pointer to newly allocated memory
+ *                    holding the result will be stored upon completion.
+ * outlen  [out]    - The length of the output message.
+ *
+ * Returns CURLE_OK on success.
+ */
+CURLcode Curl_sasl_create_xoauth2_message(struct SessionHandle *data,
+                                          const char *user,
+                                          const char *bearer,
+                                          char **outptr, size_t *outlen)
+{
+  char *xoauth;
+
+  xoauth = aprintf("user=%s\1auth=Bearer %s\1\1", user, bearer);
+
+  if(!xoauth)
+    return CURLE_OUT_OF_MEMORY;
+
+  /* Base64 encode the reply */
+  return Curl_base64_encode(data, xoauth, strlen(xoauth), outptr,
+                            outlen);
+}
+
 /*
  * Curl_sasl_cleanup()
  *

lib/curl_sasl.h

@@ -24,18 +24,34 @@
 
 #include "pingpong.h"
 
-/* Authentication mechanism flags */
-#define SASL_MECH_LOGIN         (1 << 0)
-#define SASL_MECH_PLAIN         (1 << 1)
-#define SASL_MECH_CRAM_MD5      (1 << 2)
-#define SASL_MECH_DIGEST_MD5    (1 << 3)
-#define SASL_MECH_GSSAPI        (1 << 4)
-#define SASL_MECH_EXTERNAL      (1 << 5)
-#define SASL_MECH_NTLM          (1 << 6)
-
 /* Authentication mechanism values */
 #define SASL_AUTH_NONE          0
-#define SASL_AUTH_ANY           ~0
+#define SASL_AUTH_ANY           ~0U
+
+/* Authentication mechanism flags */
+#define SASL_MECH_LOGIN             (1 << 0)
+#define SASL_MECH_PLAIN             (1 << 1)
+#define SASL_MECH_CRAM_MD5          (1 << 2)
+#define SASL_MECH_DIGEST_MD5        (1 << 3)
+#define SASL_MECH_GSSAPI            (1 << 4)
+#define SASL_MECH_EXTERNAL          (1 << 5)
+#define SASL_MECH_NTLM              (1 << 6)
+#define SASL_MECH_XOAUTH2           (1 << 7)
+
+/* Authentication mechanism strings */
+#define SASL_MECH_STRING_LOGIN      "LOGIN"
+#define SASL_MECH_STRING_PLAIN      "PLAIN"
+#define SASL_MECH_STRING_CRAM_MD5   "CRAM-MD5"
+#define SASL_MECH_STRING_DIGEST_MD5 "DIGEST-MD5"
+#define SASL_MECH_STRING_GSSAPI     "GSSAPI"
+#define SASL_MECH_STRING_EXTERNAL   "EXTERNAL"
+#define SASL_MECH_STRING_NTLM       "NTLM"
+#define SASL_MECH_STRING_XOAUTH2    "XOAUTH2"
+
+/* This is used to test whether the line starts with the given mechanism */
+#define sasl_mech_equal(line, wordlen, mech) \
+  (wordlen == (sizeof(mech) - 1) / sizeof(char) && \
+   !memcmp(line, mech, wordlen))
 
 /* This is used to generate a base64 encoded PLAIN authentication message */
 CURLcode Curl_sasl_create_plain_message(struct SessionHandle *data,
@@ -85,6 +101,13 @@ CURLcode Curl_sasl_create_ntlm_type3_message(struct SessionHandle *data,
 
 #endif /* USE_NTLM */
 
+/* This is used to generate a base64 encoded XOAUTH2 authentication message
+   containing the user name and bearer token */
+CURLcode Curl_sasl_create_xoauth2_message(struct SessionHandle *data,
+                                          const char *user,
+                                          const char *bearer,
+                                          char **outptr, size_t *outlen);
+
 /* This is used to cleanup any libraries or curl modules used by the sasl
    functions */
 void Curl_sasl_cleanup(struct connectdata *conn, unsigned int authused);

lib/curl_sec.h

@@ -1,5 +1,5 @@
-#ifndef HEADER_CURL_KRB4_H
-#define HEADER_CURL_KRB4_H
+#ifndef HEADER_CURL_SECURITY_H
+#define HEADER_CURL_SECURITY_H
 /***************************************************************************
  *                                  _   _ ____  _
  *  Project                     ___| | | |  _ \| |
@@ -7,7 +7,7 @@
  *                            | (__| |_| |  _ <| |___
  *                             \___|\___/|_| \_\_____|
  *
- * Copyright (C) 1998 - 2011, Daniel Stenberg, <daniel@haxx.se>, et al.
+ * Copyright (C) 1998 - 2013, Daniel Stenberg, <daniel@haxx.se>, et al.
  *
  * This software is licensed as described in the file COPYING, which
  * you should have received as part of this distribution. The terms
@@ -34,24 +34,18 @@ struct Curl_sec_client_mech {
   int (*decode)(void *, void*, int, int, struct connectdata *);
 };
 
-
 #define AUTH_OK         0
 #define AUTH_CONTINUE   1
 #define AUTH_ERROR      2
 
-#ifdef HAVE_KRB4
-extern struct Curl_sec_client_mech Curl_krb4_client_mech;
-#endif
 #ifdef HAVE_GSSAPI
-extern struct Curl_sec_client_mech Curl_krb5_client_mech;
-#endif
-
-CURLcode Curl_krb_kauth(struct connectdata *conn);
 int Curl_sec_read_msg (struct connectdata *conn, char *,
                        enum protection_level);
 void Curl_sec_end (struct connectdata *);
 CURLcode Curl_sec_login (struct connectdata *);
 int Curl_sec_request_prot (struct connectdata *conn, const char *level);
 
-#endif /* HEADER_CURL_KRB4_H */
+extern struct Curl_sec_client_mech Curl_krb5_client_mech;
+#endif
 
+#endif /* HEADER_CURL_SECURITY_H */

lib/curl_setup.h

@@ -270,6 +270,9 @@
 #    endif
 #  endif
 #  include <tchar.h>
+#  ifdef UNICODE
+     typedef wchar_t *(*curl_wcsdup_callback)(const wchar_t *str);
+#  endif
 #endif
 
 /*
@@ -617,7 +620,7 @@ int netware_init(void);
 #if defined(USE_GNUTLS) || defined(USE_SSLEAY) || defined(USE_NSS) || \
     defined(USE_QSOSSL) || defined(USE_POLARSSL) || defined(USE_AXTLS) || \
     defined(USE_CYASSL) || defined(USE_SCHANNEL) || \
-    defined(USE_DARWINSSL)
+    defined(USE_DARWINSSL) || defined(USE_GSKIT)
 #define USE_SSL    /* SSL support has been enabled */
 #endif
 

lib/curl_setup_once.h

@@ -440,7 +440,7 @@ typedef int sig_atomic_t;
  * (or equivalent) on this platform to hide platform details to code using it.
  */
 
-#ifdef WIN32
+#if defined(WIN32) && !defined(USE_LWIPSOCK)
 #define ERRNO         ((int)GetLastError())
 #define SET_ERRNO(x)  (SetLastError((DWORD)(x)))
 #else

lib/dotdot.c

@@ -0,0 +1,170 @@
+/***************************************************************************
+ *                                  _   _ ____  _
+ *  Project                     ___| | | |  _ \| |
+ *                             / __| | | | |_) | |
+ *                            | (__| |_| |  _ <| |___
+ *                             \___|\___/|_| \_\_____|
+ *
+ * Copyright (C) 1998 - 2013, Daniel Stenberg, <daniel@haxx.se>, et al.
+ *
+ * This software is licensed as described in the file COPYING, which
+ * you should have received as part of this distribution. The terms
+ * are also available at http://curl.haxx.se/docs/copyright.html.
+ *
+ * You may opt to use, copy, modify, merge, publish, distribute and/or sell
+ * copies of the Software, and permit persons to whom the Software is
+ * furnished to do so, under the terms of the COPYING file.
+ *
+ * This software is distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY
+ * KIND, either express or implied.
+ *
+ ***************************************************************************/
+
+#include "curl_setup.h"
+
+#include "dotdot.h"
+
+#include "curl_memory.h"
+/* The last #include file should be: */
+#include "memdebug.h"
+
+/*
+ * "Remove Dot Segments"
+ * http://tools.ietf.org/html/rfc3986#section-5.2.4
+ */
+
+/*
+ * Curl_dedotdotify()
+ *
+ * This function gets a zero-terminated path with dot and dotdot sequences
+ * passed in and strips them off according to the rules in RFC 3986 section
+ * 5.2.4.
+ *
+ * The function handles a query part ('?' + stuff) appended but it expects
+ * that fragments ('#' + stuff) have already been cut off.
+ *
+ * RETURNS
+ *
+ * an allocated dedotdotified output string
+ */
+char *Curl_dedotdotify(char *input)
+{
+  size_t inlen = strlen(input);
+  char *clone;
+  size_t clen = inlen; /* the length of the cloned input */
+  char *out = malloc(inlen+1);
+  char *outptr;
+  char *orgclone;
+  char *queryp;
+  if(!out)
+    return NULL; /* out of memory */
+
+  /* get a cloned copy of the input */
+  clone = strdup(input);
+  if(!clone) {
+    free(out);
+    return NULL;
+  }
+  orgclone = clone;
+  outptr = out;
+
+  /*
+   * To handle query-parts properly, we must find it and remove it during the
+   * dotdot-operation and then append it again at the end to the output
+   * string.
+   */
+  queryp = strchr(clone, '?');
+  if(queryp)
+    *queryp = 0;
+
+  do {
+
+    /*  A.  If the input buffer begins with a prefix of "../" or "./", then
+        remove that prefix from the input buffer; otherwise, */
+
+    if(!strncmp("./", clone, 2)) {
+      clone+=2;
+      clen-=2;
+    }
+    else if(!strncmp("../", clone, 3)) {
+      clone+=3;
+      clen-=3;
+    }
+
+    /*  B.  if the input buffer begins with a prefix of "/./" or "/.", where
+        "."  is a complete path segment, then replace that prefix with "/" in
+        the input buffer; otherwise, */
+    else if(!strncmp("/./", clone, 3)) {
+      clone+=2;
+      clen-=2;
+    }
+    else if(!strcmp("/.", clone)) {
+      clone[1]='/';
+      clone++;
+      clen-=1;
+    }
+
+    /*  C.  if the input buffer begins with a prefix of "/../" or "/..", where
+        ".." is a complete path segment, then replace that prefix with "/" in
+        the input buffer and remove the last segment and its preceding "/" (if
+        any) from the output buffer; otherwise, */
+
+    else if(!strncmp("/../", clone, 4)) {
+      clone+=3;
+      clen-=3;
+      /* remove the last segment from the output buffer */
+      while(outptr > out) {
+        outptr--;
+        if(*outptr == '/')
+          break;
+      }
+      *outptr = 0; /* zero-terminate where it stops */
+    }
+    else if(!strcmp("/..", clone)) {
+      clone[2]='/';
+      clone+=2;
+      clen-=2;
+      /* remove the last segment from the output buffer */
+      while(outptr > out) {
+        outptr--;
+        if(*outptr == '/')
+          break;
+      }
+      *outptr = 0; /* zero-terminate where it stops */
+    }
+
+    /*  D.  if the input buffer consists only of "." or "..", then remove
+        that from the input buffer; otherwise, */
+
+    else if(!strcmp(".", clone) || !strcmp("..", clone)) {
+      *clone=0;
+    }
+
+    else {
+      /*  E.  move the first path segment in the input buffer to the end of
+          the output buffer, including the initial "/" character (if any) and
+          any subsequent characters up to, but not including, the next "/"
+          character or the end of the input buffer. */
+
+      do {
+        *outptr++ = *clone++;
+        clen--;
+      } while(*clone && (*clone != '/'));
+      *outptr = 0;
+    }
+
+  } while(*clone);
+
+  if(queryp) {
+    size_t qlen;
+    /* There was a query part, append that to the output. The 'clone' string
+       may now have been altered so we copy from the original input string
+       from the correct index. */
+    size_t oindex = queryp - orgclone;
+    qlen = strlen(&input[oindex]);
+    memcpy(outptr, &input[oindex], qlen+1); /* include the ending zero byte */
+  }
+
+  free(orgclone);
+  return out;
+}

lib/dotdot.h

@@ -1,5 +1,5 @@
-#ifndef HEADER_CURL_RAND_H
-#define HEADER_CURL_RAND_H
+#ifndef HEADER_CURL_DOTDOT_H
+#define HEADER_CURL_DOTDOT_H
 /***************************************************************************
  *                                  _   _ ____  _
  *  Project                     ___| | | |  _ \| |
@@ -7,7 +7,7 @@
  *                            | (__| |_| |  _ <| |___
  *                             \___|\___/|_| \_\_____|
  *
- * Copyright (C) 1998 - 2009, Daniel Stenberg, <daniel@haxx.se>, et al.
+ * Copyright (C) 1998 - 2013, Daniel Stenberg, <daniel@haxx.se>, et al.
  *
  * This software is licensed as described in the file COPYING, which
  * you should have received as part of this distribution. The terms
@@ -21,9 +21,5 @@
  * KIND, either express or implied.
  *
  ***************************************************************************/
-
-void Curl_srand(void);
-
-unsigned int Curl_rand(void);
-
-#endif /* HEADER_CURL_RAND_H */
+char *Curl_dedotdotify(char *input);
+#endif

lib/easy.c

@@ -50,6 +50,11 @@
 #include <sys/param.h>
 #endif
 
+#if defined(HAVE_SIGNAL_H) && defined(HAVE_SIGACTION) && defined(USE_OPENSSL)
+#define SIGPIPE_IGNORE 1
+#include <signal.h>
+#endif
+
 #include "strequal.h"
 #include "urldata.h"
 #include <curl/curl.h>
@@ -69,7 +74,6 @@
 #include "connect.h" /* for Curl_getconnectinfo */
 #include "slist.h"
 #include "amigaos.h"
-#include "curl_rand.h"
 #include "non-ascii.h"
 #include "warnless.h"
 #include "conncache.h"
@@ -81,6 +85,56 @@
 /* The last #include file should be: */
 #include "memdebug.h"
 
+#ifdef SIGPIPE_IGNORE
+struct sigpipe_ignore {
+  struct sigaction old_pipe_act;
+  bool no_signal;
+};
+
+#define SIGPIPE_VARIABLE(x) struct sigpipe_ignore x
+
+/*
+ * sigpipe_ignore() makes sure we ignore SIGPIPE while running libcurl
+ * internals, and then sigpipe_restore() will restore the situation when we
+ * return from libcurl again.
+ */
+static void sigpipe_ignore(struct SessionHandle *data,
+                           struct sigpipe_ignore *ig)
+{
+  /* get a local copy of no_signal because the SessionHandle might not be
+     around when we restore */
+  ig->no_signal = data->set.no_signal;
+  if(!data->set.no_signal) {
+    struct sigaction action;
+    /* first, extract the existing situation */
+    memset(&ig->old_pipe_act, 0, sizeof(struct sigaction));
+    sigaction(SIGPIPE, NULL, &ig->old_pipe_act);
+    action = ig->old_pipe_act;
+    /* ignore this signal */
+    action.sa_handler = SIG_IGN;
+    sigaction(SIGPIPE, &action, NULL);
+  }
+}
+
+/*
+ * sigpipe_restore() puts back the outside world's opinion of signal handler
+ * and SIGPIPE handling. It MUST only be called after a corresponding
+ * sigpipe_ignore() was used.
+ */
+static void sigpipe_restore(struct sigpipe_ignore *ig)
+{
+  if(!ig->no_signal)
+    /* restore the outside state */
+    sigaction(SIGPIPE, &ig->old_pipe_act, NULL);
+}
+
+#else
+/* for systems without sigaction */
+#define sigpipe_ignore(x,y) Curl_nop_stmt
+#define sigpipe_restore(x)  Curl_nop_stmt
+#define SIGPIPE_VARIABLE(x)
+#endif
+
 /* win32_cleanup() is for win32 socket cleanup functionality, the opposite
    of win32_init() */
 static void win32_cleanup(void)
@@ -198,6 +252,9 @@ curl_free_callback Curl_cfree = (curl_free_callback)free;
 curl_realloc_callback Curl_crealloc = (curl_realloc_callback)realloc;
 curl_strdup_callback Curl_cstrdup = (curl_strdup_callback)system_strdup;
 curl_calloc_callback Curl_ccalloc = (curl_calloc_callback)calloc;
+#if defined(WIN32) && defined(UNICODE)
+curl_wcsdup_callback Curl_cwcsdup = (curl_wcsdup_callback)_wcsdup;
+#endif
 #else
 /*
  * Symbian OS doesn't support initialization to code in writeable static data.
@@ -229,6 +286,9 @@ CURLcode curl_global_init(long flags)
   Curl_crealloc = (curl_realloc_callback)realloc;
   Curl_cstrdup = (curl_strdup_callback)system_strdup;
   Curl_ccalloc = (curl_calloc_callback)calloc;
+#if defined(WIN32) && defined(UNICODE)
+  Curl_cwcsdup = (curl_wcsdup_callback)_wcsdup;
+#endif
 
   if(flags & CURL_GLOBAL_SSL)
     if(!Curl_ssl_init()) {
@@ -276,10 +336,6 @@ CURLcode curl_global_init(long flags)
 
   init_flags  = flags;
 
-  /* Preset pseudo-random number sequence. */
-
-  Curl_srand();
-
   return CURLE_OK;
 }
 
@@ -397,67 +453,275 @@ CURLcode curl_easy_setopt(CURL *curl, CURLoption tag, ...)
   return ret;
 }
 
-/*
- * curl_easy_perform() is the external interface that performs a blocking
- * transfer as previously setup.
+#ifdef CURLDEBUG
+
+struct socketmonitor {
+  struct socketmonitor *next; /* the next node in the list or NULL */
+  struct pollfd socket; /* socket info of what to monitor */
+};
+
+struct events {
+  long ms;              /* timeout, run the timeout function when reached */
+  bool msbump;          /* set TRUE when timeout is set by callback */
+  int num_sockets;      /* number of nodes in the monitor list */
+  struct socketmonitor *list; /* list of sockets to monitor */
+  int running_handles;  /* store the returned number */
+};
+
+/* events_timer
  *
- * CONCEPT: This function creates a multi handle, adds the easy handle to it,
- * runs curl_multi_perform() until the transfer is done, then detaches the
- * easy handle, destroys the multi handle and returns the easy handle's return
- * code.
- *
- * REALITY: it can't just create and destroy the multi handle that easily. It
- * needs to keep it around since if this easy handle is used again by this
- * function, the same multi handle must be re-used so that the same pools and
- * caches can be used.
+ * Callback that gets called with a new value when the timeout should be
+ * updated.
  */
-CURLcode curl_easy_perform(CURL *easy)
+
+static int events_timer(CURLM *multi,    /* multi handle */
+                        long timeout_ms, /* see above */
+                        void *userp)    /* private callback pointer */
+{
+  struct events *ev = userp;
+  (void)multi;
+  if(timeout_ms == -1)
+    /* timeout removed */
+    timeout_ms = 0;
+  else if(timeout_ms == 0)
+    /* timeout is already reached! */
+    timeout_ms = 1; /* trigger asap */
+
+  ev->ms = timeout_ms;
+  ev->msbump = TRUE;
+  return 0;
+}
+
+
+/* poll2cselect
+ *
+ * convert from poll() bit definitions to libcurl's CURL_CSELECT_* ones
+ */
+static int poll2cselect(int pollmask)
+{
+  int omask=0;
+  if(pollmask & POLLIN)
+    omask |= CURL_CSELECT_IN;
+  if(pollmask & POLLOUT)
+    omask |= CURL_CSELECT_OUT;
+  if(pollmask & POLLERR)
+    omask |= CURL_CSELECT_ERR;
+  return omask;
+}
+
+
+/* socketcb2poll
+ *
+ * convert from libcurl' CURL_POLL_* bit definitions to poll()'s
+ */
+static short socketcb2poll(int pollmask)
+{
+  short omask=0;
+  if(pollmask & CURL_POLL_IN)
+    omask |= POLLIN;
+  if(pollmask & CURL_POLL_OUT)
+    omask |= POLLOUT;
+  return omask;
+}
+
+/* events_socket
+ *
+ * Callback that gets called with information about socket activity to
+ * monitor.
+ */
+static int events_socket(CURL *easy,      /* easy handle */
+                         curl_socket_t s, /* socket */
+                         int what,        /* see above */
+                         void *userp,     /* private callback
+                                             pointer */
+                         void *socketp)   /* private socket
+                                             pointer */
+{
+  struct events *ev = userp;
+  struct socketmonitor *m;
+  struct socketmonitor *prev=NULL;
+  (void)socketp;
+
+  m = ev->list;
+  while(m) {
+    if(m->socket.fd == s) {
+
+      if(what == CURL_POLL_REMOVE) {
+        struct socketmonitor *nxt = m->next;
+        /* remove this node from the list of monitored sockets */
+        if(prev)
+          prev->next = nxt;
+        else
+          ev->list = nxt;
+        free(m);
+        m = nxt;
+        infof(easy, "socket cb: socket %d REMOVED\n", s);
+      }
+      else {
+        /* The socket 's' is already being monitored, update the activity
+           mask. Convert from libcurl bitmask to the poll one. */
+        m->socket.events = socketcb2poll(what);
+        infof(easy, "socket cb: socket %d UPDATED as %s%s\n", s,
+              what&CURL_POLL_IN?"IN":"",
+              what&CURL_POLL_OUT?"OUT":"");
+      }
+      break;
+    }
+    prev = m;
+    m = m->next; /* move to next node */
+  }
+  if(!m) {
+    if(what == CURL_POLL_REMOVE) {
+      /* this happens a bit too often, libcurl fix perhaps? */
+      /* fprintf(stderr,
+         "%s: socket %d asked to be REMOVED but not present!\n",
+                 __func__, s); */
+    }
+    else {
+      m = malloc(sizeof(struct socketmonitor));
+      m->next = ev->list;
+      m->socket.fd = s;
+      m->socket.events = socketcb2poll(what);
+      m->socket.revents = 0;
+      ev->list = m;
+      infof(easy, "socket cb: socket %d ADDED as %s%s\n", s,
+            what&CURL_POLL_IN?"IN":"",
+            what&CURL_POLL_OUT?"OUT":"");
+    }
+  }
+
+  return 0;
+}
+
+
+/*
+ * events_setup()
+ *
+ * Do the multi handle setups that only event-based transfers need.
+ */
+static void events_setup(CURLM *multi, struct events *ev)
+{
+  /* timer callback */
+  curl_multi_setopt(multi, CURLMOPT_TIMERFUNCTION, events_timer);
+  curl_multi_setopt(multi, CURLMOPT_TIMERDATA, ev);
+
+  /* socket callback */
+  curl_multi_setopt(multi, CURLMOPT_SOCKETFUNCTION, events_socket);
+  curl_multi_setopt(multi, CURLMOPT_SOCKETDATA, ev);
+}
+
+
+/* wait_or_timeout()
+ *
+ * waits for activity on any of the given sockets, or the timeout to trigger.
+ */
+
+static CURLcode wait_or_timeout(struct Curl_multi *multi, struct events *ev)
 {
-  CURLM *multi;
-  CURLMcode mcode;
-  CURLcode code = CURLE_OK;
-  CURLMsg *msg;
   bool done = FALSE;
-  int rc;
-  struct SessionHandle *data = easy;
+  CURLMcode mcode;
+  CURLcode rc = CURLE_OK;
+
+  while(!done) {
+    CURLMsg *msg;
+    struct socketmonitor *m;
+    struct pollfd *f;
+    struct pollfd fds[4];
+    int numfds=0;
+    int pollrc;
+    int i;
+    struct timeval before;
+    struct timeval after;
+
+    /* populate the fds[] array */
+    for(m = ev->list, f=&fds[0]; m; m = m->next) {
+      f->fd = m->socket.fd;
+      f->events = m->socket.events;
+      f->revents = 0;
+      /* fprintf(stderr, "poll() %d check socket %d\n", numfds, f->fd); */
+      f++;
+      numfds++;
+    }
+
+    /* get the time stamp to use to figure out how long poll takes */
+    before = curlx_tvnow();
+
+    /* wait for activity or timeout */
+    pollrc = Curl_poll(fds, numfds, (int)ev->ms);
+
+    after = curlx_tvnow();
+
+    ev->msbump = FALSE; /* reset here */
+
+    if(0 == pollrc) {
+      /* timeout! */
+      ev->ms = 0;
+      /* fprintf(stderr, "call curl_multi_socket_action( TIMEOUT )\n"); */
+      mcode = curl_multi_socket_action(multi, CURL_SOCKET_TIMEOUT, 0,
+                                       &ev->running_handles);
+    }
+    else if(pollrc > 0) {
+      /* loop over the monitored sockets to see which ones had activity */
+      for(i = 0; i< numfds; i++) {
+        if(fds[i].revents) {
+          /* socket activity, tell libcurl */
+          int act = poll2cselect(fds[i].revents); /* convert */
+          infof(multi->easyp, "call curl_multi_socket_action( socket %d )\n",
+                fds[i].fd);
+          mcode = curl_multi_socket_action(multi, fds[i].fd, act,
+                                           &ev->running_handles);
+        }
+      }
+
+      if(!ev->msbump)
+        /* If nothing updated the timeout, we decrease it by the spent time.
+         * If it was updated, it has the new timeout time stored already.
+         */
+        ev->ms += curlx_tvdiff(after, before);
+
+    }
+    if(mcode)
+      return CURLE_URL_MALFORMAT; /* TODO: return a proper error! */
+
+    /* we don't really care about the "msgs_in_queue" value returned in the
+       second argument */
+    msg = curl_multi_info_read(multi, &pollrc);
+    if(msg) {
+      rc = msg->data.result;
+      done = TRUE;
+    }
+  }
+
+  return rc;
+}
+
+
+/* easy_events()
+ *
+ * Runs a transfer in a blocking manner using the events-based API
+ */
+static CURLcode easy_events(CURLM *multi)
+{
+  struct events evs= {2, FALSE, 0, NULL, 0};
+
+  /* if running event-based, do some further multi inits */
+  events_setup(multi, &evs);
+
+  return wait_or_timeout(multi, &evs);
+}
+#else /* CURLDEBUG */
+/* when not built with debug, this function doesn't exist */
+#define easy_events(x) CURLE_NOT_BUILT_IN
+#endif
+
+static CURLcode easy_transfer(CURLM *multi)
+{
+  bool done = FALSE;
+  CURLMcode mcode = CURLM_OK;
+  CURLcode code = CURLE_OK;
+  struct timeval before;
   int without_fds = 0;  /* count number of consecutive returns from
                            curl_multi_wait() without any filedescriptors */
-  struct timeval before;
-
-  if(!easy)
-    return CURLE_BAD_FUNCTION_ARGUMENT;
-
-  if(data->multi) {
-    failf(data, "easy handled already used in multi handle");
-    return CURLE_FAILED_INIT;
-  }
-
-  if(data->multi_easy)
-    multi = data->multi_easy;
-  else {
-    /* this multi handle will only ever have a single easy handled attached
-       to it, so make it use minimal hashes */
-    multi = Curl_multi_handle(1, 3);
-    if(!multi)
-      return CURLE_OUT_OF_MEMORY;
-    data->multi_easy = multi;
-  }
-
-  /* Copy the MAXCONNECTS option to the multi handle */
-  curl_multi_setopt(multi, CURLMOPT_MAXCONNECTS, data->set.maxconnects);
-
-  mcode = curl_multi_add_handle(multi, easy);
-  if(mcode) {
-    curl_multi_cleanup(multi);
-    if(mcode == CURLM_OUT_OF_MEMORY)
-      return CURLE_OUT_OF_MEMORY;
-    else
-      return CURLE_FAILED_INIT;
-  }
-
-  /* assign this after curl_multi_add_handle() since that function checks for
-     it and rejects this handle otherwise */
-  data->multi = multi;
 
   while(!done && !mcode) {
     int still_running;
@@ -480,9 +744,7 @@ CURLcode curl_easy_perform(CURL *easy)
         if(curlx_tvdiff(after, before) <= 10) {
           without_fds++;
           if(without_fds > 2) {
-            int sleep_ms = without_fds * 50;
-            if(sleep_ms > 1000)
-              sleep_ms = 1000;
+            int sleep_ms = without_fds < 10 ? (1 << (without_fds-1)): 1000;
             Curl_wait_ms(sleep_ms);
           }
         }
@@ -499,22 +761,114 @@ CURLcode curl_easy_perform(CURL *easy)
 
     /* only read 'still_running' if curl_multi_perform() return OK */
     if((mcode == CURLM_OK) && !still_running) {
-      msg = curl_multi_info_read(multi, &rc);
+      int rc;
+      CURLMsg *msg = curl_multi_info_read(multi, &rc);
       if(msg) {
         code = msg->data.result;
         done = TRUE;
       }
     }
   }
+  return code;
+}
+
+
+/*
+ * easy_perform() is the external interface that performs a blocking
+ * transfer as previously setup.
+ *
+ * CONCEPT: This function creates a multi handle, adds the easy handle to it,
+ * runs curl_multi_perform() until the transfer is done, then detaches the
+ * easy handle, destroys the multi handle and returns the easy handle's return
+ * code.
+ *
+ * REALITY: it can't just create and destroy the multi handle that easily. It
+ * needs to keep it around since if this easy handle is used again by this
+ * function, the same multi handle must be re-used so that the same pools and
+ * caches can be used.
+ *
+ * DEBUG: if 'events' is set TRUE, this function will use a replacement engine
+ * instead of curl_multi_perform() and use curl_multi_socket_action().
+ */
+static CURLcode easy_perform(struct SessionHandle *data, bool events)
+{
+  CURLM *multi;
+  CURLMcode mcode;
+  CURLcode code = CURLE_OK;
+  SIGPIPE_VARIABLE(pipe_st);
+
+  if(!data)
+    return CURLE_BAD_FUNCTION_ARGUMENT;
+
+  if(data->multi) {
+    failf(data, "easy handled already used in multi handle");
+    return CURLE_FAILED_INIT;
+  }
+
+  if(data->multi_easy)
+    multi = data->multi_easy;
+  else {
+    /* this multi handle will only ever have a single easy handled attached
+       to it, so make it use minimal hashes */
+    multi = Curl_multi_handle(1, 3);
+    if(!multi)
+      return CURLE_OUT_OF_MEMORY;
+    data->multi_easy = multi;
+  }
+
+  /* Copy the MAXCONNECTS option to the multi handle */
+  curl_multi_setopt(multi, CURLMOPT_MAXCONNECTS, data->set.maxconnects);
+
+  mcode = curl_multi_add_handle(multi, data);
+  if(mcode) {
+    curl_multi_cleanup(multi);
+    if(mcode == CURLM_OUT_OF_MEMORY)
+      return CURLE_OUT_OF_MEMORY;
+    else
+      return CURLE_FAILED_INIT;
+  }
+
+  sigpipe_ignore(data, &pipe_st);
+
+  /* assign this after curl_multi_add_handle() since that function checks for
+     it and rejects this handle otherwise */
+  data->multi = multi;
+
+  /* run the transfer */
+  code = events ? easy_events(multi) : easy_transfer(multi);
 
   /* ignoring the return code isn't nice, but atm we can't really handle
      a failure here, room for future improvement! */
-  (void)curl_multi_remove_handle(multi, easy);
+  (void)curl_multi_remove_handle(multi, data);
+
+  sigpipe_restore(&pipe_st);
 
   /* The multi handle is kept alive, owned by the easy handle */
   return code;
 }
 
+
+/*
+ * curl_easy_perform() is the external interface that performs a blocking
+ * transfer as previously setup.
+ */
+CURLcode curl_easy_perform(CURL *easy)
+{
+  return easy_perform(easy, FALSE);
+}
+
+#ifdef CURLDEBUG
+/*
+ * curl_easy_perform_ev() is the external interface that performs a blocking
+ * transfer using the event-based API internally.
+ */
+CURLcode curl_easy_perform_ev(CURL *easy)
+{
+  return easy_perform(easy, TRUE);
+}
+
+#endif
+
 /*
  * curl_easy_cleanup() is the external interface to cleaning/freeing the given
  * easy handle.
@@ -522,27 +876,14 @@ CURLcode curl_easy_perform(CURL *easy)
 void curl_easy_cleanup(CURL *curl)
 {
   struct SessionHandle *data = (struct SessionHandle *)curl;
+  SIGPIPE_VARIABLE(pipe_st);
 
   if(!data)
     return;
 
+  sigpipe_ignore(data, &pipe_st);
   Curl_close(data);
-}
-
-/*
- * Store a pointed to the multi handle within the easy handle's data struct.
- */
-void Curl_easy_addmulti(struct SessionHandle *data,
-                        void *multi)
-{
-  data->multi = multi;
-}
-
-void Curl_easy_initHandleData(struct SessionHandle *data)
-{
-    memset(&data->req, 0, sizeof(struct SingleRequest));
-
-    data->req.maxdownload = -1;
+  sigpipe_restore(&pipe_st);
 }
 
 /*
@@ -554,12 +895,16 @@ CURLcode curl_easy_getinfo(CURL *curl, CURLINFO info, ...)
 {
   va_list arg;
   void *paramp;
+  CURLcode ret;
   struct SessionHandle *data = (struct SessionHandle *)curl;
 
   va_start(arg, info);
   paramp = va_arg(arg, void *);
 
-  return Curl_getinfo(data, info, paramp);
+  ret = Curl_getinfo(data, info, paramp);
+
+  va_end(arg);
+  return ret;
 }
 
 /*
@@ -637,8 +982,6 @@ CURL *curl_easy_duphandle(CURL *incurl)
 
   Curl_convert_setup(outcurl);
 
-  Curl_easy_initHandleData(outcurl);
-
   outcurl->magic = CURLEASY_MAGIC_NUMBER;
 
   /* we reach this point and thus we are OK */
@@ -672,7 +1015,7 @@ void curl_easy_reset(CURL *curl)
 
   data->state.path = NULL;
 
-  Curl_safefree(data->state.proto.generic);
+  Curl_free_request_state(data);
 
   /* zero out UserDefined data: */
   Curl_freeset(data);
@@ -682,9 +1025,6 @@ void curl_easy_reset(CURL *curl)
   /* zero out Progress data: */
   memset(&data->progress, 0, sizeof(struct Progress));
 
-  /* init Handle data */
-  Curl_easy_initHandleData(data);
-
   data->progress.flags |= PGRS_HIDE;
   data->state.current_speed = -1; /* init to negative == impossible */
 }
@@ -746,7 +1086,7 @@ CURLcode curl_easy_pause(CURL *curl, int action)
     do {
       chunklen = (tempsize > CURL_MAX_WRITE_SIZE)?CURL_MAX_WRITE_SIZE:tempsize;
 
-      result = Curl_client_write(data->state.current_conn,
+      result = Curl_client_write(data->easy_conn,
                                  temptype, tempwrite, chunklen);
       if(result)
         /* failures abort the loop at once */
@@ -788,6 +1128,13 @@ CURLcode curl_easy_pause(CURL *curl, int action)
     free(freewrite); /* this is unconditionally no longer used */
   }
 
+  /* if there's no error and we're not pausing both directions, we want
+     to have this handle checked soon */
+  if(!result &&
+     ((newstate&(KEEP_RECV_PAUSE|KEEP_SEND_PAUSE)) !=
+      (KEEP_RECV_PAUSE|KEEP_SEND_PAUSE)) )
+    Curl_expire(data, 1); /* get this handle going again */
+
   return result;
 }
 

lib/easyif.h

@@ -7,7 +7,7 @@
  *                            | (__| |_| |  _ <| |___
  *                             \___|\___/|_| \_\_____|
  *
- * Copyright (C) 1998 - 2011, Daniel Stenberg, <daniel@haxx.se>, et al.
+ * Copyright (C) 1998 - 2013, Daniel Stenberg, <daniel@haxx.se>, et al.
  *
  * This software is licensed as described in the file COPYING, which
  * you should have received as part of this distribution. The terms
@@ -25,9 +25,9 @@
 /*
  * Prototypes for library-wide functions provided by easy.c
  */
-void Curl_easy_addmulti(struct SessionHandle *data, void *multi);
-
-void Curl_easy_initHandleData(struct SessionHandle *data);
+#ifdef CURLDEBUG
+CURL_EXTERN CURLcode curl_easy_perform_ev(CURL *easy);
+#endif
 
 #endif /* HEADER_CURL_EASYIF_H */
 

lib/file.c

@@ -5,7 +5,7 @@
  *                            | (__| |_| |  _ <| |___
  *                             \___|\___/|_| \_\_____|
  *
- * Copyright (C) 1998 - 2012, Daniel Stenberg, <daniel@haxx.se>, et al.
+ * Copyright (C) 1998 - 2013, Daniel Stenberg, <daniel@haxx.se>, et al.
  *
  * This software is licensed as described in the file COPYING, which
  * you should have received as part of this distribution. The terms
@@ -90,7 +90,7 @@ static CURLcode file_done(struct connectdata *conn,
 static CURLcode file_connect(struct connectdata *conn, bool *done);
 static CURLcode file_disconnect(struct connectdata *conn,
                                 bool dead_connection);
-
+static CURLcode file_setup_connection(struct connectdata *conn);
 
 /*
  * FILE scheme handler.
@@ -98,7 +98,7 @@ static CURLcode file_disconnect(struct connectdata *conn,
 
 const struct Curl_handler Curl_handler_file = {
   "FILE",                               /* scheme */
-  ZERO_NULL,                            /* setup_connection */
+  file_setup_connection,                /* setup_connection */
   file_do,                              /* do_it */
   file_done,                            /* done */
   ZERO_NULL,                            /* do_more */
@@ -117,6 +117,16 @@ const struct Curl_handler Curl_handler_file = {
 };
 
 
+static CURLcode file_setup_connection(struct connectdata *conn)
+{
+  /* allocate the FILE specific struct */
+  conn->data->req.protop = calloc(1, sizeof(struct FILEPROTO));
+  if(!conn->data->req.protop)
+    return CURLE_OUT_OF_MEMORY;
+
+  return CURLE_OK;
+}
+
  /*
   Check if this is a range download, and if so, set the internal variables
   properly. This code is copied from the FTP implementation and might as
@@ -179,39 +189,17 @@ static CURLcode file_connect(struct connectdata *conn, bool *done)
 {
   struct SessionHandle *data = conn->data;
   char *real_path;
-  struct FILEPROTO *file;
+  struct FILEPROTO *file = data->req.protop;
   int fd;
 #ifdef DOS_FILESYSTEM
   int i;
   char *actual_path;
 #endif
 
-  /* If there already is a protocol-specific struct allocated for this
-     sessionhandle, deal with it */
-  Curl_reset_reqproto(conn);
-
   real_path = curl_easy_unescape(data, data->state.path, 0, NULL);
   if(!real_path)
     return CURLE_OUT_OF_MEMORY;
 
-  if(!data->state.proto.file) {
-    file = calloc(1, sizeof(struct FILEPROTO));
-    if(!file) {
-      free(real_path);
-      return CURLE_OUT_OF_MEMORY;
-    }
-    data->state.proto.file = file;
-  }
-  else {
-    /* file is not a protocol that can deal with "persistancy" */
-    file = data->state.proto.file;
-    Curl_safefree(file->freepath);
-    file->path = NULL;
-    if(file->fd != -1)
-      close(file->fd);
-    file->fd = -1;
-  }
-
 #ifdef DOS_FILESYSTEM
   /* If the first character is a slash, and there's
      something that looks like a drive at the beginning of
@@ -262,7 +250,7 @@ static CURLcode file_connect(struct connectdata *conn, bool *done)
 static CURLcode file_done(struct connectdata *conn,
                                CURLcode status, bool premature)
 {
-  struct FILEPROTO *file = conn->data->state.proto.file;
+  struct FILEPROTO *file = conn->data->req.protop;
   (void)status; /* not used */
   (void)premature; /* not used */
 
@@ -280,7 +268,7 @@ static CURLcode file_done(struct connectdata *conn,
 static CURLcode file_disconnect(struct connectdata *conn,
                                 bool dead_connection)
 {
-  struct FILEPROTO *file = conn->data->state.proto.file;
+  struct FILEPROTO *file = conn->data->req.protop;
   (void)dead_connection; /* not used */
 
   if(file) {
@@ -302,7 +290,7 @@ static CURLcode file_disconnect(struct connectdata *conn,
 
 static CURLcode file_upload(struct connectdata *conn)
 {
-  struct FILEPROTO *file = conn->data->state.proto.file;
+  struct FILEPROTO *file = conn->data->req.protop;
   const char *dir = strchr(file->path, DIRSEP);
   int fd;
   int mode;
@@ -440,6 +428,7 @@ static CURLcode file_do(struct connectdata *conn, bool *done)
   curl_off_t bytecount = 0;
   int fd;
   struct timeval now = Curl_tvnow();
+  struct FILEPROTO *file;
 
   *done = TRUE; /* unconditionally */
 
@@ -449,8 +438,10 @@ static CURLcode file_do(struct connectdata *conn, bool *done)
   if(data->set.upload)
     return file_upload(conn);
 
+  file = conn->data->req.protop;
+
   /* get the fd from the connection phase */
-  fd = conn->data->state.proto.file->fd;
+  fd = file->fd;
 
   /* VMS: This only works reliable for STREAMLF files */
   if(-1 != fstat(fd, &statbuf)) {

lib/formdata.c

@@ -24,9 +24,6 @@
 
 #include <curl/curl.h>
 
-/* Length of the random boundary string. */
-#define BOUNDARY_LENGTH 40
-
 #if !defined(CURL_DISABLE_HTTP) || defined(USE_SSLEAY)
 
 #if defined(HAVE_LIBGEN_H) && defined(HAVE_BASENAME)
@@ -35,7 +32,7 @@
 
 #include "urldata.h" /* for struct SessionHandle */
 #include "formdata.h"
-#include "curl_rand.h"
+#include "sslgen.h"
 #include "strequal.h"
 #include "curl_memory.h"
 #include "sendf.h"
@@ -56,7 +53,7 @@ static char *Curl_basename(char *path);
 #endif
 
 static size_t readfromfile(struct Form *form, char *buffer, size_t size);
-static char *formboundary(void);
+static char *formboundary(struct SessionHandle *data);
 
 /* What kind of Content-Type to use on un-specified files with unrecognized
    extensions. */
@@ -171,8 +168,8 @@ static FormInfo * AddFormInfo(char *value,
  * Returns some valid contenttype for filename.
  *
  ***************************************************************************/
-static const char * ContentTypeForFilename (const char *filename,
-                                            const char *prevtype)
+static const char *ContentTypeForFilename(const char *filename,
+                                          const char *prevtype)
 {
   const char *contenttype = NULL;
   unsigned int i;
@@ -181,7 +178,7 @@ static const char * ContentTypeForFilename (const char *filename,
    * extensions and pick the first we match!
    */
   struct ContentType {
-    char extension[6];
+    const char *extension;
     const char *type;
   };
   static const struct ContentType ctts[]={
@@ -429,7 +426,7 @@ CURLFORMcode FormAdd(struct curl_httppost **httppost,
 
       /* Get contents from a given file name */
     case CURLFORM_FILECONTENT:
-      if(current_form->flags != 0)
+      if(current_form->flags & (HTTPPOST_PTRCONTENTS|HTTPPOST_READFILE))
         return_value = CURL_FORMADD_OPTION_TWICE;
       else {
         const char *filename = array_state?
@@ -670,9 +667,11 @@ CURLFORMcode FormAdd(struct curl_httppost **httppost,
         if(((form->flags & HTTPPOST_FILENAME) ||
             (form->flags & HTTPPOST_BUFFER)) &&
            !form->contenttype ) {
+          char *f = form->flags & HTTPPOST_BUFFER?
+            form->showfilename : form->value;
+
           /* our contenttype is missing */
-          form->contenttype
-            = strdup(ContentTypeForFilename(form->value, prevtype));
+          form->contenttype = strdup(ContentTypeForFilename(f, prevtype));
           if(!form->contenttype) {
             return_value = CURL_FORMADD_MEMORY;
             break;
@@ -777,6 +776,70 @@ CURLFORMcode curl_formadd(struct curl_httppost **httppost,
   return result;
 }
 
+#ifdef __VMS
+#include <fabdef.h>
+/*
+ * get_vms_file_size does what it takes to get the real size of the file
+ *
+ * For fixed files, find out the size of the EOF block and adjust.
+ *
+ * For all others, have to read the entire file in, discarding the contents.
+ * Most posted text files will be small, and binary files like zlib archives
+ * and CD/DVD images should be either a STREAM_LF format or a fixed format.
+ *
+ */
+curl_off_t VmsRealFileSize(const char * name,
+                           const struct_stat * stat_buf)
+{
+  char buffer[8192];
+  curl_off_t count;
+  int ret_stat;
+  FILE * file;
+
+  file = fopen(name, "r");
+  if(file == NULL)
+    return 0;
+
+  count = 0;
+  ret_stat = 1;
+  while(ret_stat > 0) {
+    ret_stat = fread(buffer, 1, sizeof(buffer), file);
+    if(ret_stat != 0)
+      count += ret_stat;
+  }
+  fclose(file);
+
+  return count;
+}
+
+/*
+ *
+ *  VmsSpecialSize checks to see if the stat st_size can be trusted and
+ *  if not to call a routine to get the correct size.
+ *
+ */
+static curl_off_t VmsSpecialSize(const char * name,
+                                 const struct_stat * stat_buf)
+{
+  switch(stat_buf->st_fab_rfm) {
+  case FAB$C_VAR:
+  case FAB$C_VFC:
+    return VmsRealFileSize(name, stat_buf);
+    break;
+  default:
+    return stat_buf->st_size;
+  }
+}
+
+#endif
+
+#ifndef __VMS
+#define filesize(name, stat_data) (stat_data.st_size)
+#else
+    /* Getting the expected file size needs help on VMS */
+#define filesize(name, stat_data) VmsSpecialSize(name, &stat_data)
+#endif
+
 /*
  * AddFormData() adds a chunk of data to the FormData linked list.
  *
@@ -832,7 +895,7 @@ static CURLcode AddFormData(struct FormData **formp,
       if(!strequal("-", newform->line)) {
         struct_stat file;
         if(!stat(newform->line, &file) && !S_ISDIR(file.st_mode))
-          *size += file.st_size;
+          *size += filesize(newform->line, file);
         else
           return CURLE_BAD_FUNCTION_ARGUMENT;
       }
@@ -1101,7 +1164,7 @@ CURLcode Curl_getformdata(struct SessionHandle *data,
   if(!post)
     return result; /* no input => no output! */
 
-  boundary = formboundary();
+  boundary = formboundary(data);
   if(!boundary)
     return CURLE_OUT_OF_MEMORY;
 
@@ -1157,7 +1220,7 @@ CURLcode Curl_getformdata(struct SessionHandle *data,
          the magic to include several files with the same field name */
 
       Curl_safefree(fileboundary);
-      fileboundary = formboundary();
+      fileboundary = formboundary(data);
       if(!fileboundary) {
         result = CURLE_OUT_OF_MEMORY;
         break;
@@ -1343,6 +1406,36 @@ int Curl_FormInit(struct Form *form, struct FormData *formdata )
   return 0;
 }
 
+#ifndef __VMS
+# define fopen_read fopen
+#else
+  /*
+   * vmsfopenread
+   *
+   * For upload to work as expected on VMS, different optional
+   * parameters must be added to the fopen command based on
+   * record format of the file.
+   *
+   */
+# define fopen_read vmsfopenread
+static FILE * vmsfopenread(const char *file, const char *mode) {
+  struct_stat statbuf;
+  int result;
+
+  result = stat(file, &statbuf);
+
+  switch (statbuf.st_fab_rfm) {
+  case FAB$C_VAR:
+  case FAB$C_VFC:
+  case FAB$C_STMCR:
+    return fopen(file, "r");
+    break;
+  default:
+    return fopen(file, "r", "rfm=stmlf", "ctx=stm");
+  }
+}
+#endif
+
 /*
  * readfromfile()
  *
@@ -1365,7 +1458,7 @@ static size_t readfromfile(struct Form *form, char *buffer,
   else {
     if(!form->fp) {
       /* this file hasn't yet been opened */
-      form->fp = fopen(form->data->line, "rb"); /* b is for binary */
+      form->fp = fopen_read(form->data->line, "rb"); /* b is for binary */
       if(!form->fp)
         return (size_t)-1; /* failure */
     }
@@ -1464,28 +1557,12 @@ char *Curl_formpostheader(void *formp, size_t *len)
  * formboundary() creates a suitable boundary string and returns an allocated
  * one.
  */
-static char *formboundary(void)
+static char *formboundary(struct SessionHandle *data)
 {
-  char *retstring;
-  size_t i;
-
-  static const char table16[]="0123456789abcdef";
-
-  retstring = malloc(BOUNDARY_LENGTH+1);
-
-  if(!retstring)
-    return NULL; /* failed */
-
-  strcpy(retstring, "----------------------------");
-
-  for(i=strlen(retstring); i<BOUNDARY_LENGTH; i++)
-    retstring[i] = table16[Curl_rand()%16];
-
-  /* 28 dashes and 12 hexadecimal digits makes 12^16 (184884258895036416)
+  /* 24 dashes and 16 hexadecimal digits makes 64 bit (18446744073709551615)
      combinations */
-  retstring[BOUNDARY_LENGTH]=0; /* zero terminate */
-
-  return retstring;
+  return aprintf("------------------------%08x%08x",
+                 Curl_rand(data), Curl_rand(data));
 }
 
 #else  /* CURL_DISABLE_HTTP */

lib/ftp.c

@@ -59,11 +59,7 @@
 #include "ftp.h"
 #include "fileinfo.h"
 #include "ftplistparser.h"
-
-#if defined(HAVE_KRB4) || defined(HAVE_GSSAPI)
-#include "krb4.h"
-#endif
-
+#include "curl_sec.h"
 #include "strtoofft.h"
 #include "strequal.h"
 #include "sslgen.h"
@@ -123,8 +119,8 @@ static void ftp_pasv_verbose(struct connectdata *conn,
                              char *newhost, /* ascii version */
                              int port);
 #endif
-static CURLcode ftp_state_post_rest(struct connectdata *conn);
-static CURLcode ftp_state_post_cwd(struct connectdata *conn);
+static CURLcode ftp_state_prepare_transfer(struct connectdata *conn);
+static CURLcode ftp_state_mdtm(struct connectdata *conn);
 static CURLcode ftp_state_quote(struct connectdata *conn,
                                 bool init, ftpstate instate);
 static CURLcode ftp_nb_type(struct connectdata *conn,
@@ -136,7 +132,7 @@ static CURLcode ftp_done(struct connectdata *conn,
                          CURLcode, bool premature);
 static CURLcode ftp_connect(struct connectdata *conn, bool *done);
 static CURLcode ftp_disconnect(struct connectdata *conn, bool dead_connection);
-static CURLcode ftp_do_more(struct connectdata *conn, bool *completed);
+static CURLcode ftp_do_more(struct connectdata *conn, int *completed);
 static CURLcode ftp_multi_statemach(struct connectdata *conn, bool *done);
 static int ftp_getsock(struct connectdata *conn, curl_socket_t *socks,
                        int numsocks);
@@ -151,8 +147,7 @@ static CURLcode wc_statemach(struct connectdata *conn);
 
 static void wc_data_dtor(void *ptr);
 
-static CURLcode ftp_state_post_retr_size(struct connectdata *conn,
-                                         curl_off_t filesize);
+static CURLcode ftp_state_retr(struct connectdata *conn, curl_off_t filesize);
 
 static CURLcode ftp_readresp(curl_socket_t sockfd,
                              struct pingpong *pp,
@@ -226,7 +221,7 @@ const struct Curl_handler Curl_handler_ftps = {
 
 static const struct Curl_handler Curl_handler_ftp_proxy = {
   "FTP",                                /* scheme */
-  ZERO_NULL,                            /* setup_connection */
+  Curl_http_setup_conn,                 /* setup_connection */
   Curl_http,                            /* do_it */
   Curl_http_done,                       /* done */
   ZERO_NULL,                            /* do_more */
@@ -252,7 +247,7 @@ static const struct Curl_handler Curl_handler_ftp_proxy = {
 
 static const struct Curl_handler Curl_handler_ftps_proxy = {
   "FTPS",                               /* scheme */
-  ZERO_NULL,                            /* setup_connection */
+  Curl_http_setup_conn,                 /* setup_connection */
   Curl_http,                            /* do_it */
   Curl_http_done,                       /* done */
   ZERO_NULL,                            /* do_more */
@@ -494,7 +489,7 @@ static CURLcode ReceivedServerConnect(struct connectdata *conn, bool *received)
 static CURLcode InitiateTransfer(struct connectdata *conn)
 {
   struct SessionHandle *data = conn->data;
-  struct FTP *ftp = data->state.proto.ftp;
+  struct FTP *ftp = data->req.protop;
   CURLcode result = CURLE_OK;
 
   if(conn->ssl[SECONDARYSOCKET].use) {
@@ -616,7 +611,7 @@ static CURLcode ftp_readresp(curl_socket_t sockfd,
 {
   struct connectdata *conn = pp->conn;
   struct SessionHandle *data = conn->data;
-#if defined(HAVE_KRB4) || defined(HAVE_GSSAPI)
+#ifdef HAVE_GSSAPI
   char * const buf = data->state.buffer;
 #endif
   CURLcode result = CURLE_OK;
@@ -624,7 +619,7 @@ static CURLcode ftp_readresp(curl_socket_t sockfd,
 
   result = Curl_pp_readresp(sockfd, pp, &code, size);
 
-#if defined(HAVE_KRB4) || defined(HAVE_GSSAPI)
+#if defined(HAVE_GSSAPI)
   /* handle the security-oriented responses 6xx ***/
   /* FIXME: some errorchecking perhaps... ***/
   switch(code) {
@@ -776,6 +771,47 @@ CURLcode Curl_GetFTPResponse(ssize_t *nreadp, /* return number of bytes read */
   return result;
 }
 
+#if defined(DEBUGBUILD) && !defined(CURL_DISABLE_VERBOSE_STRINGS)
+  /* for debug purposes */
+static const char * const ftp_state_names[]={
+  "STOP",
+  "WAIT220",
+  "AUTH",
+  "USER",
+  "PASS",
+  "ACCT",
+  "PBSZ",
+  "PROT",
+  "CCC",
+  "PWD",
+  "SYST",
+  "NAMEFMT",
+  "QUOTE",
+  "RETR_PREQUOTE",
+  "STOR_PREQUOTE",
+  "POSTQUOTE",
+  "CWD",
+  "MKD",
+  "MDTM",
+  "TYPE",
+  "LIST_TYPE",
+  "RETR_TYPE",
+  "STOR_TYPE",
+  "SIZE",
+  "RETR_SIZE",
+  "STOR_SIZE",
+  "REST",
+  "RETR_REST",
+  "PORT",
+  "PRET",
+  "PASV",
+  "LIST",
+  "RETR",
+  "STOR",
+  "QUIT"
+};
+#endif
+
 /* This is the ONLY way to change FTP state! */
 static void _state(struct connectdata *conn,
                    ftpstate newstate
@@ -784,51 +820,12 @@ static void _state(struct connectdata *conn,
 #endif
   )
 {
-#if defined(DEBUGBUILD) && !defined(CURL_DISABLE_VERBOSE_STRINGS)
-  /* for debug purposes */
-  static const char * const names[]={
-    "STOP",
-    "WAIT220",
-    "AUTH",
-    "USER",
-    "PASS",
-    "ACCT",
-    "PBSZ",
-    "PROT",
-    "CCC",
-    "PWD",
-    "SYST",
-    "NAMEFMT",
-    "QUOTE",
-    "RETR_PREQUOTE",
-    "STOR_PREQUOTE",
-    "POSTQUOTE",
-    "CWD",
-    "MKD",
-    "MDTM",
-    "TYPE",
-    "LIST_TYPE",
-    "RETR_TYPE",
-    "STOR_TYPE",
-    "SIZE",
-    "RETR_SIZE",
-    "STOR_SIZE",
-    "REST",
-    "RETR_REST",
-    "PORT",
-    "PRET",
-    "PASV",
-    "LIST",
-    "RETR",
-    "STOR",
-    "QUIT"
-  };
-#endif
   struct ftp_conn *ftpc = &conn->proto.ftpc;
 #if defined(DEBUGBUILD) && !defined(CURL_DISABLE_VERBOSE_STRINGS)
   if(ftpc->state != newstate)
     infof(conn->data, "FTP %p (line %d) state change from %s to %s\n",
-          ftpc, lineno, names[ftpc->state], names[newstate]);
+          (void *)ftpc, lineno, ftp_state_names[ftpc->state],
+          ftp_state_names[newstate]);
 #endif
   ftpc->state = newstate;
 }
@@ -836,7 +833,7 @@ static void _state(struct connectdata *conn,
 static CURLcode ftp_state_user(struct connectdata *conn)
 {
   CURLcode result;
-  struct FTP *ftp = conn->data->state.proto.ftp;
+  struct FTP *ftp = conn->data->req.protop;
   /* send USER */
   PPSENDF(&conn->proto.ftpc.pp, "USER %s", ftp->user?ftp->user:"");
 
@@ -851,7 +848,7 @@ static CURLcode ftp_state_pwd(struct connectdata *conn)
   CURLcode result;
 
   /* send PWD to discover our entry point */
-  PPSENDF(&conn->proto.ftpc.pp, "PWD", NULL);
+  PPSENDF(&conn->proto.ftpc.pp, "%s", "PWD");
   state(conn, FTP_PWD);
 
   return CURLE_OK;
@@ -875,31 +872,21 @@ static int ftp_domore_getsock(struct connectdata *conn, curl_socket_t *socks,
     return GETSOCK_BLANK;
 
   /* When in DO_MORE state, we could be either waiting for us to connect to a
-     remote site, or we could wait for that site to connect to us. Or just
-     handle ordinary commands.
+   * remote site, or we could wait for that site to connect to us. Or just
+   * handle ordinary commands.
+   */
 
-     When waiting for a connect, we can be in FTP_STOP state (or we're in
-     FTP_STOR when we do an upload) and then we wait for the secondary socket
-     to become writeable. . If we're in another state, we're still handling
-     commands on the control (primary) connection.
+  if(FTP_STOP == ftpc->state) {
+    /* if stopped and still in this state, then we're also waiting for a
+       connect on the secondary connection */
+    socks[0] = conn->sock[FIRSTSOCKET];
+    socks[1] = conn->sock[SECONDARYSOCKET];
 
-  */
-
-  switch(ftpc->state) {
-  case FTP_STOP:
-  case FTP_STOR:
-    break;
-  default:
+    return GETSOCK_READSOCK(FIRSTSOCKET) |
+      GETSOCK_WRITESOCK(SECONDARYSOCKET);
+  }
+  else
     return Curl_pp_getsock(&conn->proto.ftpc.pp, socks, numsocks);
-  }
-
-  socks[0] = conn->sock[SECONDARYSOCKET];
-  if(ftpc->wait_data_conn) {
-    socks[1] = conn->sock[FIRSTSOCKET];
-    return GETSOCK_READSOCK(0) | GETSOCK_READSOCK(1);
-  }
-
-  return GETSOCK_READSOCK(0);
 }
 
 /* This is called after the FTP_QUOTE state is passed.
@@ -915,7 +902,7 @@ static CURLcode ftp_state_cwd(struct connectdata *conn)
 
   if(ftpc->cwddone)
     /* already done and fine */
-    result = ftp_state_post_cwd(conn);
+    result = ftp_state_mdtm(conn);
   else {
     ftpc->count2 = 0; /* count2 counts failed CWDs */
 
@@ -943,7 +930,7 @@ static CURLcode ftp_state_cwd(struct connectdata *conn)
       }
       else {
         /* No CWD necessary */
-        result = ftp_state_post_cwd(conn);
+        result = ftp_state_mdtm(conn);
       }
     }
   }
@@ -1373,13 +1360,17 @@ static CURLcode ftp_state_use_pasv(struct connectdata *conn)
   return result;
 }
 
-/* REST is the last command in the chain of commands when a "head"-like
-   request is made. Thus, if an actual transfer is to be made this is where
-   we take off for real. */
-static CURLcode ftp_state_post_rest(struct connectdata *conn)
+/*
+ * ftp_state_prepare_transfer() starts PORT, PASV or PRET etc.
+ *
+ * REST is the last command in the chain of commands when a "head"-like
+ * request is made. Thus, if an actual transfer is to be made this is where we
+ * take off for real.
+ */
+static CURLcode ftp_state_prepare_transfer(struct connectdata *conn)
 {
   CURLcode result = CURLE_OK;
-  struct FTP *ftp = conn->data->state.proto.ftp;
+  struct FTP *ftp = conn->data->req.protop;
   struct SessionHandle *data = conn->data;
 
   if(ftp->transfer != FTPTRANSFER_BODY) {
@@ -1419,10 +1410,10 @@ static CURLcode ftp_state_post_rest(struct connectdata *conn)
   return result;
 }
 
-static CURLcode ftp_state_post_size(struct connectdata *conn)
+static CURLcode ftp_state_rest(struct connectdata *conn)
 {
   CURLcode result = CURLE_OK;
-  struct FTP *ftp = conn->data->state.proto.ftp;
+  struct FTP *ftp = conn->data->req.protop;
   struct ftp_conn *ftpc = &conn->proto.ftpc;
 
   if((ftp->transfer != FTPTRANSFER_BODY) && ftpc->file) {
@@ -1435,15 +1426,15 @@ static CURLcode ftp_state_post_size(struct connectdata *conn)
     state(conn, FTP_REST);
   }
   else
-    result = ftp_state_post_rest(conn);
+    result = ftp_state_prepare_transfer(conn);
 
   return result;
 }
 
-static CURLcode ftp_state_post_type(struct connectdata *conn)
+static CURLcode ftp_state_size(struct connectdata *conn)
 {
   CURLcode result = CURLE_OK;
-  struct FTP *ftp = conn->data->state.proto.ftp;
+  struct FTP *ftp = conn->data->req.protop;
   struct ftp_conn *ftpc = &conn->proto.ftpc;
 
   if((ftp->transfer == FTPTRANSFER_INFO) && ftpc->file) {
@@ -1455,12 +1446,12 @@ static CURLcode ftp_state_post_type(struct connectdata *conn)
     state(conn, FTP_SIZE);
   }
   else
-    result = ftp_state_post_size(conn);
+    result = ftp_state_rest(conn);
 
   return result;
 }
 
-static CURLcode ftp_state_post_listtype(struct connectdata *conn)
+static CURLcode ftp_state_list(struct connectdata *conn)
 {
   CURLcode result = CURLE_OK;
   struct SessionHandle *data = conn->data;
@@ -1529,7 +1520,7 @@ static CURLcode ftp_state_post_listtype(struct connectdata *conn)
   return result;
 }
 
-static CURLcode ftp_state_post_retrtype(struct connectdata *conn)
+static CURLcode ftp_state_retr_prequote(struct connectdata *conn)
 {
   CURLcode result = CURLE_OK;
 
@@ -1540,7 +1531,7 @@ static CURLcode ftp_state_post_retrtype(struct connectdata *conn)
   return result;
 }
 
-static CURLcode ftp_state_post_stortype(struct connectdata *conn)
+static CURLcode ftp_state_stor_prequote(struct connectdata *conn)
 {
   CURLcode result = CURLE_OK;
 
@@ -1551,10 +1542,10 @@ static CURLcode ftp_state_post_stortype(struct connectdata *conn)
   return result;
 }
 
-static CURLcode ftp_state_post_mdtm(struct connectdata *conn)
+static CURLcode ftp_state_type(struct connectdata *conn)
 {
   CURLcode result = CURLE_OK;
-  struct FTP *ftp = conn->data->state.proto.ftp;
+  struct FTP *ftp = conn->data->req.protop;
   struct SessionHandle *data = conn->data;
   struct ftp_conn *ftpc = &conn->proto.ftpc;
 
@@ -1577,14 +1568,14 @@ static CURLcode ftp_state_post_mdtm(struct connectdata *conn)
       return result;
   }
   else
-    result = ftp_state_post_type(conn);
+    result = ftp_state_size(conn);
 
   return result;
 }
 
 /* This is called after the CWD commands have been done in the beginning of
    the DO phase */
-static CURLcode ftp_state_post_cwd(struct connectdata *conn)
+static CURLcode ftp_state_mdtm(struct connectdata *conn)
 {
   CURLcode result = CURLE_OK;
   struct SessionHandle *data = conn->data;
@@ -1600,7 +1591,7 @@ static CURLcode ftp_state_post_cwd(struct connectdata *conn)
     state(conn, FTP_MDTM);
   }
   else
-    result = ftp_state_post_mdtm(conn);
+    result = ftp_state_type(conn);
 
   return result;
 }
@@ -1611,7 +1602,7 @@ static CURLcode ftp_state_ul_setup(struct connectdata *conn,
                                    bool sizechecked)
 {
   CURLcode result = CURLE_OK;
-  struct FTP *ftp = conn->data->state.proto.ftp;
+  struct FTP *ftp = conn->data->req.protop;
   struct SessionHandle *data = conn->data;
   struct ftp_conn *ftpc = &conn->proto.ftpc;
   int seekerr = CURL_SEEKFUNC_OK;
@@ -1709,7 +1700,7 @@ static CURLcode ftp_state_quote(struct connectdata *conn,
 {
   CURLcode result = CURLE_OK;
   struct SessionHandle *data = conn->data;
-  struct FTP *ftp = data->state.proto.ftp;
+  struct FTP *ftp = data->req.protop;
   struct ftp_conn *ftpc = &conn->proto.ftpc;
   bool quote=FALSE;
   struct curl_slist *item;
@@ -1775,7 +1766,7 @@ static CURLcode ftp_state_quote(struct connectdata *conn,
       else {
         if(ftpc->known_filesize != -1) {
           Curl_pgrsSetDownloadSize(data, ftpc->known_filesize);
-          result = ftp_state_post_retr_size(conn, ftpc->known_filesize);
+          result = ftp_state_retr(conn, ftpc->known_filesize);
         }
         else {
           PPSENDF(&ftpc->pp, "SIZE %s", ftpc->file);
@@ -1799,15 +1790,15 @@ static CURLcode ftp_state_quote(struct connectdata *conn,
 static CURLcode ftp_epsv_disable(struct connectdata *conn)
 {
   CURLcode result = CURLE_OK;
-  infof(conn->data, "got positive EPSV response, but can't connect. "
-        "Disabling EPSV\n");
+  infof(conn->data, "Failed EPSV attempt. Disabling EPSV\n");
   /* disable it for next transfer */
   conn->bits.ftp_use_epsv = FALSE;
   conn->data->state.errorbuf = FALSE; /* allow error message to get
                                          rewritten */
-  PPSENDF(&conn->proto.ftpc.pp, "PASV", NULL);
+  PPSENDF(&conn->proto.ftpc.pp, "%s", "PASV");
   conn->proto.ftpc.count1++;
-  /* remain in the FTP_PASV state */
+  /* remain in/go to the FTP_PASV state */
+  state(conn, FTP_PASV);
   return result;
 }
 
@@ -1936,15 +1927,7 @@ static CURLcode ftp_state_pasv_resp(struct connectdata *conn,
   }
   else if(ftpc->count1 == 0) {
     /* EPSV failed, move on to PASV */
-
-    /* disable it for next transfer */
-    conn->bits.ftp_use_epsv = FALSE;
-    infof(data, "disabling EPSV usage\n");
-
-    PPSENDF(&ftpc->pp, "PASV", NULL);
-    ftpc->count1++;
-    /* remain in the FTP_PASV state */
-    return result;
+    return ftp_epsv_disable(conn);
   }
   else {
     failf(data, "Bad PASV/EPSV response: %03d", ftpcode);
@@ -2021,14 +2004,17 @@ static CURLcode ftp_state_pasv_resp(struct connectdata *conn,
   case CURLPROXY_SOCKS5_HOSTNAME:
     result = Curl_SOCKS5(conn->proxyuser, conn->proxypasswd, newhost, newport,
                          SECONDARYSOCKET, conn);
+    connected = TRUE;
     break;
   case CURLPROXY_SOCKS4:
     result = Curl_SOCKS4(conn->proxyuser, newhost, newport,
                          SECONDARYSOCKET, conn, FALSE);
+    connected = TRUE;
     break;
   case CURLPROXY_SOCKS4A:
     result = Curl_SOCKS4(conn->proxyuser, newhost, newport,
                          SECONDARYSOCKET, conn, TRUE);
+    connected = TRUE;
     break;
   case CURLPROXY_HTTP:
   case CURLPROXY_HTTP_1_0:
@@ -2060,13 +2046,13 @@ static CURLcode ftp_state_pasv_resp(struct connectdata *conn,
      * FTP pointer
      */
     struct HTTP http_proxy;
-    struct FTP *ftp_save = data->state.proto.ftp;
+    struct FTP *ftp_save = data->req.protop;
     memset(&http_proxy, 0, sizeof(http_proxy));
-    data->state.proto.http = &http_proxy;
+    data->req.protop = &http_proxy;
 
     result = Curl_proxyCONNECT(conn, SECONDARYSOCKET, newhost, newport);
 
-    data->state.proto.ftp = ftp_save;
+    data->req.protop = ftp_save;
 
     if(result)
       return result;
@@ -2080,8 +2066,7 @@ static CURLcode ftp_state_pasv_resp(struct connectdata *conn,
     }
   }
 
-  conn->bits.tcpconnect[SECONDARYSOCKET] = TRUE;
-
+  conn->bits.tcpconnect[SECONDARYSOCKET] = connected;
   conn->bits.do_more = TRUE;
   state(conn, FTP_STOP); /* this phase is completed */
 
@@ -2127,7 +2112,7 @@ static CURLcode ftp_state_mdtm_resp(struct connectdata *conn,
 {
   CURLcode result = CURLE_OK;
   struct SessionHandle *data=conn->data;
-  struct FTP *ftp = data->state.proto.ftp;
+  struct FTP *ftp = data->req.protop;
   struct ftp_conn *ftpc = &conn->proto.ftpc;
 
   switch(ftpcode) {
@@ -2221,7 +2206,7 @@ static CURLcode ftp_state_mdtm_resp(struct connectdata *conn,
   }
 
   if(!result)
-    result = ftp_state_post_mdtm(conn);
+    result = ftp_state_type(conn);
 
   return result;
 }
@@ -2245,23 +2230,23 @@ static CURLcode ftp_state_type_resp(struct connectdata *conn,
           ftpcode);
 
   if(instate == FTP_TYPE)
-    result = ftp_state_post_type(conn);
+    result = ftp_state_size(conn);
   else if(instate == FTP_LIST_TYPE)
-    result = ftp_state_post_listtype(conn);
+    result = ftp_state_list(conn);
   else if(instate == FTP_RETR_TYPE)
-    result = ftp_state_post_retrtype(conn);
+    result = ftp_state_retr_prequote(conn);
   else if(instate == FTP_STOR_TYPE)
-    result = ftp_state_post_stortype(conn);
+    result = ftp_state_stor_prequote(conn);
 
   return result;
 }
 
-static CURLcode ftp_state_post_retr_size(struct connectdata *conn,
+static CURLcode ftp_state_retr(struct connectdata *conn,
                                          curl_off_t filesize)
 {
   CURLcode result = CURLE_OK;
   struct SessionHandle *data=conn->data;
-  struct FTP *ftp = data->state.proto.ftp;
+  struct FTP *ftp = data->req.protop;
   struct ftp_conn *ftpc = &conn->proto.ftpc;
 
   if(data->set.max_filesize && (filesize > data->set.max_filesize)) {
@@ -2361,11 +2346,11 @@ static CURLcode ftp_state_size_resp(struct connectdata *conn,
     }
 #endif
     Curl_pgrsSetDownloadSize(data, filesize);
-    result = ftp_state_post_size(conn);
+    result = ftp_state_rest(conn);
   }
   else if(instate == FTP_RETR_SIZE) {
     Curl_pgrsSetDownloadSize(data, filesize);
-    result = ftp_state_post_retr_size(conn, filesize);
+    result = ftp_state_retr(conn, filesize);
   }
   else if(instate == FTP_STOR_SIZE) {
     data->state.resume_from = filesize;
@@ -2393,7 +2378,7 @@ static CURLcode ftp_state_rest_resp(struct connectdata *conn,
         return result;
     }
 #endif
-    result = ftp_state_post_rest(conn);
+    result = ftp_state_prepare_transfer(conn);
     break;
 
   case FTP_RETR_REST:
@@ -2430,6 +2415,8 @@ static CURLcode ftp_state_stor_resp(struct connectdata *conn,
   if(data->set.ftp_use_port) {
     bool connected;
 
+    state(conn, FTP_STOP); /* no longer in STOR state */
+
     result = AllowServerConnect(conn, &connected);
     if(result)
       return result;
@@ -2453,7 +2440,7 @@ static CURLcode ftp_state_get_resp(struct connectdata *conn,
 {
   CURLcode result = CURLE_OK;
   struct SessionHandle *data = conn->data;
-  struct FTP *ftp = data->state.proto.ftp;
+  struct FTP *ftp = data->req.protop;
   char *buf = data->state.buffer;
 
   if((ftpcode == 150) || (ftpcode == 125)) {
@@ -2577,19 +2564,6 @@ static CURLcode ftp_state_loggedin(struct connectdata *conn)
 {
   CURLcode result = CURLE_OK;
 
-#ifdef HAVE_KRB4
-  if(conn->data->set.krb) {
-    /* We may need to issue a KAUTH here to have access to the files
-     * do it if user supplied a password
-     */
-    if(conn->passwd && *conn->passwd) {
-      /* BLOCKING */
-      result = Curl_krb_kauth(conn);
-      if(result)
-        return result;
-    }
-  }
-#endif
   if(conn->ssl[FIRSTSOCKET].use) {
     /* PBSZ = PROTECTION BUFFER SIZE.
 
@@ -2621,7 +2595,7 @@ static CURLcode ftp_state_user_resp(struct connectdata *conn,
 {
   CURLcode result = CURLE_OK;
   struct SessionHandle *data = conn->data;
-  struct FTP *ftp = data->state.proto.ftp;
+  struct FTP *ftp = data->req.protop;
   struct ftp_conn *ftpc = &conn->proto.ftpc;
   (void)instate; /* no use for this yet */
 
@@ -2719,7 +2693,7 @@ static CURLcode ftp_statemach_act(struct connectdata *conn)
       }
 
       /* We have received a 220 response fine, now we proceed. */
-#if defined(HAVE_KRB4) || defined(HAVE_GSSAPI)
+#ifdef HAVE_GSSAPI
       if(data->set.krb) {
         /* If not anonymous login, try a secure login. Note that this
            procedure is still BLOCKING. */
@@ -2834,7 +2808,7 @@ static CURLcode ftp_statemach_act(struct connectdata *conn)
       if(data->set.ftp_ccc) {
         /* CCC - Clear Command Channel
          */
-        PPSENDF(&ftpc->pp, "CCC", NULL);
+        PPSENDF(&ftpc->pp, "%s", "CCC");
         state(conn, FTP_CCC);
       }
       else {
@@ -2921,7 +2895,7 @@ static CURLcode ftp_statemach_act(struct connectdata *conn)
 
           if(!ftpc->server_os && dir[0] != '/') {
 
-            result = Curl_pp_sendf(&ftpc->pp, "SYST", NULL);
+            result = Curl_pp_sendf(&ftpc->pp, "%s", "SYST");
             if(result != CURLE_OK) {
               free(dir);
               return result;
@@ -2974,7 +2948,7 @@ static CURLcode ftp_statemach_act(struct connectdata *conn)
 
         if(strequal(os, "OS/400")) {
           /* Force OS400 name format 1. */
-          result = Curl_pp_sendf(&ftpc->pp, "SITE NAMEFMT 1", NULL);
+          result = Curl_pp_sendf(&ftpc->pp, "%s", "SITE NAMEFMT 1");
           if(result != CURLE_OK) {
             free(os);
             return result;
@@ -3052,7 +3026,7 @@ static CURLcode ftp_statemach_act(struct connectdata *conn)
           PPSENDF(&ftpc->pp, "CWD %s", ftpc->dirs[ftpc->count1 - 1]);
         }
         else {
-          result = ftp_state_post_cwd(conn);
+          result = ftp_state_mdtm(conn);
           if(result)
             return result;
         }
@@ -3161,63 +3135,13 @@ static CURLcode ftp_block_statemach(struct connectdata *conn)
   return result;
 }
 
-/*
- * Allocate and initialize the struct FTP for the current SessionHandle.  If
- * need be.
- */
-
-#if defined(__INTEL_COMPILER) && (__INTEL_COMPILER == 910) && \
-    defined(__OPTIMIZE__) && defined(__unix__) && defined(__i386__)
-  /* workaround icc 9.1 optimizer issue */
-#pragma optimize("", off)
-#endif
-
-static CURLcode ftp_init(struct connectdata *conn)
-{
-  struct FTP *ftp;
-
-  if(NULL == conn->data->state.proto.ftp) {
-    conn->data->state.proto.ftp = malloc(sizeof(struct FTP));
-    if(NULL == conn->data->state.proto.ftp)
-      return CURLE_OUT_OF_MEMORY;
-  }
-
-  ftp = conn->data->state.proto.ftp;
-
-  /* get some initial data into the ftp struct */
-  ftp->bytecountp = &conn->data->req.bytecount;
-  ftp->transfer = FTPTRANSFER_BODY;
-  ftp->downloadsize = 0;
-
-  /* No need to duplicate user+password, the connectdata struct won't change
-     during a session, but we re-init them here since on subsequent inits
-     since the conn struct may have changed or been replaced.
-  */
-  ftp->user = conn->user;
-  ftp->passwd = conn->passwd;
-  if(isBadFtpString(ftp->user))
-    return CURLE_URL_MALFORMAT;
-  if(isBadFtpString(ftp->passwd))
-    return CURLE_URL_MALFORMAT;
-
-  conn->proto.ftpc.known_filesize = -1; /* unknown size for now */
-
-  return CURLE_OK;
-}
-
-#if defined(__INTEL_COMPILER) && (__INTEL_COMPILER == 910) && \
-    defined(__OPTIMIZE__) && defined(__unix__) && defined(__i386__)
-  /* workaround icc 9.1 optimizer issue */
-#pragma optimize("", on)
-#endif
-
 /*
  * ftp_connect() should do everything that is to be considered a part of
  * the connection phase.
  *
  * The variable 'done' points to will be TRUE if the protocol-layer connect
- * phase is done when this function returns, or FALSE is not. When called as
- * a part of the easy interface, it will always be TRUE.
+ * phase is done when this function returns, or FALSE if not.
+ *
  */
 static CURLcode ftp_connect(struct connectdata *conn,
                                  bool *done) /* see description above */
@@ -3228,14 +3152,6 @@ static CURLcode ftp_connect(struct connectdata *conn,
 
   *done = FALSE; /* default to not done yet */
 
-  /* If there already is a protocol-specific struct allocated for this
-     sessionhandle, deal with it */
-  Curl_reset_reqproto(conn);
-
-  result = ftp_init(conn);
-  if(CURLE_OK != result)
-    return result;
-
   /* We always support persistent connections on ftp */
   conn->bits.close = FALSE;
 
@@ -3275,7 +3191,7 @@ static CURLcode ftp_done(struct connectdata *conn, CURLcode status,
                               bool premature)
 {
   struct SessionHandle *data = conn->data;
-  struct FTP *ftp = data->state.proto.ftp;
+  struct FTP *ftp = data->req.protop;
   struct ftp_conn *ftpc = &conn->proto.ftpc;
   struct pingpong *pp = &ftpc->pp;
   ssize_t nread;
@@ -3383,7 +3299,7 @@ static CURLcode ftp_done(struct connectdata *conn, CURLcode status,
   if(conn->sock[SECONDARYSOCKET] != CURL_SOCKET_BAD) {
     if(!result && ftpc->dont_check && data->req.maxdownload > 0) {
       /* partial download completed */
-      result = Curl_pp_sendf(pp, "ABOR");
+      result = Curl_pp_sendf(pp, "%s", "ABOR");
       if(result) {
         failf(data, "Failure sending ABOR command: %s",
               curl_easy_strerror(result));
@@ -3677,19 +3593,22 @@ static CURLcode ftp_range(struct connectdata *conn)
  *
  * This function shall be called when the second FTP (data) connection is
  * connected.
+ *
+ * 'complete' can return 0 for incomplete, 1 for done and -1 for go back
+ * (which basically is only for when PASV is being sent to retry a failed
+ * EPSV).
  */
 
-static CURLcode ftp_do_more(struct connectdata *conn, bool *complete)
+static CURLcode ftp_do_more(struct connectdata *conn, int *completep)
 {
   struct SessionHandle *data=conn->data;
   struct ftp_conn *ftpc = &conn->proto.ftpc;
   CURLcode result = CURLE_OK;
   bool connected = FALSE;
+  bool complete = FALSE;
 
   /* the ftp struct is inited in ftp_connect() */
-  struct FTP *ftp = data->state.proto.ftp;
-
-  *complete = FALSE;
+  struct FTP *ftp = data->req.protop;
 
   /* if the second connection isn't done yet, wait for it */
   if(!conn->bits.tcpconnect[SECONDARYSOCKET]) {
@@ -3707,14 +3626,22 @@ static CURLcode ftp_do_more(struct connectdata *conn, bool *complete)
     if(connected) {
       DEBUGF(infof(data, "DO-MORE connected phase starts\n"));
     }
-    else
+    else {
+      if(result && (ftpc->count1 == 0)) {
+        *completep = -1; /* go back to DOING please */
+        /* this is a EPSV connect failing, try PASV instead */
+        return ftp_epsv_disable(conn);
+      }
       return result;
+    }
   }
 
   if(ftpc->state) {
     /* already in a state so skip the intial commands.
        They are only done to kickstart the do_more state */
-    result = ftp_multi_statemach(conn, complete);
+    result = ftp_multi_statemach(conn, &complete);
+
+    *completep = (int)complete;
 
     /* if we got an error or if we don't wait for a data connection return
        immediately */
@@ -3725,7 +3652,7 @@ static CURLcode ftp_do_more(struct connectdata *conn, bool *complete)
       /* if we reach the end of the FTP state machine here, *complete will be
          TRUE but so is ftpc->wait_data_conn, which says we need to wait for
          the data connection and therefore we're not actually complete */
-      *complete = FALSE;
+      *completep = 0;
   }
 
   if(ftp->transfer <= FTPTRANSFER_INFO) {
@@ -3748,6 +3675,9 @@ static CURLcode ftp_do_more(struct connectdata *conn, bool *complete)
 
         if(result)
           return result;
+
+        *completep = 1; /* this state is now complete when the server has
+                           connected back to us */
       }
     }
     else if(data->set.upload) {
@@ -3755,7 +3685,8 @@ static CURLcode ftp_do_more(struct connectdata *conn, bool *complete)
       if(result)
         return result;
 
-      result = ftp_multi_statemach(conn, complete);
+      result = ftp_multi_statemach(conn, &complete);
+      *completep = (int)complete;
     }
     else {
       /* download */
@@ -3783,7 +3714,8 @@ static CURLcode ftp_do_more(struct connectdata *conn, bool *complete)
           return result;
       }
 
-      result = ftp_multi_statemach(conn, complete);
+      result = ftp_multi_statemach(conn, &complete);
+      *completep = (int)complete;
     }
     return result;
   }
@@ -3795,7 +3727,7 @@ static CURLcode ftp_do_more(struct connectdata *conn, bool *complete)
 
   if(!ftpc->wait_data_conn) {
     /* no waiting for the data connection so this is now complete */
-    *complete = TRUE;
+    *completep = 1;
     DEBUGF(infof(data, "DO-MORE phase ends with %d\n", (int)result));
   }
 
@@ -3824,7 +3756,7 @@ CURLcode ftp_perform(struct connectdata *conn,
 
   if(conn->data->set.opt_no_body) {
     /* requested no body means no transfer... */
-    struct FTP *ftp = conn->data->state.proto.ftp;
+    struct FTP *ftp = conn->data->req.protop;
     ftp->transfer = FTPTRANSFER_INFO;
   }
 
@@ -3838,7 +3770,9 @@ CURLcode ftp_perform(struct connectdata *conn,
   /* run the state-machine */
   result = ftp_multi_statemach(conn, dophase_done);
 
-  *connected = conn->bits.tcpconnect[FIRSTSOCKET];
+  *connected = conn->bits.tcpconnect[SECONDARYSOCKET];
+
+  infof(conn->data, "ftp_perform ends with SECONDARY: %d\n", *connected);
 
   if(*dophase_done)
     DEBUGF(infof(conn->data, "DO phase is complete1\n"));
@@ -4084,17 +4018,6 @@ static CURLcode ftp_do(struct connectdata *conn, bool *done)
   *done = FALSE; /* default to false */
   ftpc->wait_data_conn = FALSE; /* default to no such wait */
 
-  /*
-    Since connections can be re-used between SessionHandles, this might be a
-    connection already existing but on a fresh SessionHandle struct so we must
-    make sure we have a good 'struct FTP' to play with. For new connections,
-    the struct FTP is allocated and setup in the ftp_connect() function.
-  */
-  Curl_reset_reqproto(conn);
-  retcode = ftp_init(conn);
-  if(retcode)
-    return retcode;
-
   if(conn->data->set.wildcardmatch) {
     retcode = wc_statemach(conn);
     if(conn->data->wildcard.state == CURLWC_SKIP ||
@@ -4126,7 +4049,7 @@ CURLcode Curl_ftpsendf(struct connectdata *conn,
   size_t write_len;
   char *sptr=s;
   CURLcode res = CURLE_OK;
-#if defined(HAVE_KRB4) || defined(HAVE_GSSAPI)
+#ifdef HAVE_GSSAPI
   enum protection_level data_sec = conn->data_prot;
 #endif
 
@@ -4146,12 +4069,12 @@ CURLcode Curl_ftpsendf(struct connectdata *conn,
     return(res);
 
   for(;;) {
-#if defined(HAVE_KRB4) || defined(HAVE_GSSAPI)
+#ifdef HAVE_GSSAPI
     conn->data_prot = PROT_CMD;
 #endif
     res = Curl_write(conn, conn->sock[FIRSTSOCKET], sptr, write_len,
                      &bytes_written);
-#if defined(HAVE_KRB4) || defined(HAVE_GSSAPI)
+#ifdef HAVE_GSSAPI
     DEBUGASSERT(data_sec > PROT_NONE && data_sec < PROT_LAST);
     conn->data_prot = data_sec;
 #endif
@@ -4189,7 +4112,7 @@ static CURLcode ftp_quit(struct connectdata *conn)
   CURLcode result = CURLE_OK;
 
   if(conn->proto.ftpc.ctl_valid) {
-    result = Curl_pp_sendf(&conn->proto.ftpc.pp, "QUIT", NULL);
+    result = Curl_pp_sendf(&conn->proto.ftpc.pp, "%s", "QUIT");
     if(result) {
       failf(conn->data, "Failure sending QUIT command: %s",
             curl_easy_strerror(result));
@@ -4253,7 +4176,7 @@ static CURLcode ftp_disconnect(struct connectdata *conn, bool dead_connection)
 
   Curl_pp_disconnect(pp);
 
-#if defined(HAVE_KRB4) || defined(HAVE_GSSAPI)
+#ifdef HAVE_GSSAPI
   Curl_sec_end(conn);
 #endif
 
@@ -4272,7 +4195,7 @@ CURLcode ftp_parse_url_path(struct connectdata *conn)
 {
   struct SessionHandle *data = conn->data;
   /* the ftp struct is already inited in ftp_connect() */
-  struct FTP *ftp = data->state.proto.ftp;
+  struct FTP *ftp = data->req.protop;
   struct ftp_conn *ftpc = &conn->proto.ftpc;
   const char *slash_pos;  /* position of the first '/' char in curpos */
   const char *path_to_use = data->state.path;
@@ -4327,7 +4250,7 @@ CURLcode ftp_parse_url_path(struct connectdata *conn)
         dirlen++;
 
       ftpc->dirs[0] = curl_easy_unescape(conn->data, slash_pos ? cur_pos : "/",
-                                         slash_pos ? curlx_sztosi(dirlen) : 1,
+                                         slash_pos ? curlx_uztosi(dirlen) : 1,
                                          NULL);
       if(!ftpc->dirs[0]) {
         freedirs(ftpc);
@@ -4462,11 +4385,11 @@ CURLcode ftp_parse_url_path(struct connectdata *conn)
 static CURLcode ftp_dophase_done(struct connectdata *conn,
                                  bool connected)
 {
-  struct FTP *ftp = conn->data->state.proto.ftp;
+  struct FTP *ftp = conn->data->req.protop;
   struct ftp_conn *ftpc = &conn->proto.ftpc;
 
   if(connected) {
-    bool completed;
+    int completed;
     CURLcode result = ftp_do_more(conn, &completed);
 
     if(result) {
@@ -4557,11 +4480,12 @@ CURLcode ftp_regular_transfer(struct connectdata *conn,
   return result;
 }
 
-static CURLcode ftp_setup_connection(struct connectdata * conn)
+static CURLcode ftp_setup_connection(struct connectdata *conn)
 {
   struct SessionHandle *data = conn->data;
-  char * type;
+  char *type;
   char command;
+  struct FTP *ftp;
 
   if(conn->bits.httpproxy && !data->set.tunnel_thru_httpproxy) {
     /* Unless we have asked to tunnel ftp operations through the proxy, we
@@ -4577,18 +4501,18 @@ static CURLcode ftp_setup_connection(struct connectdata * conn)
       return CURLE_UNSUPPORTED_PROTOCOL;
 #endif
     }
-    /*
-     * We explicitly mark this connection as persistent here as we're doing
-     * FTP over HTTP and thus we accidentally avoid setting this value
-     * otherwise.
-     */
-    conn->bits.close = FALSE;
+    /* set it up as a HTTP connection instead */
+    return conn->handler->setup_connection(conn);
 #else
     failf(data, "FTP over http proxy requires HTTP support built-in!");
     return CURLE_UNSUPPORTED_PROTOCOL;
 #endif
   }
 
+  conn->data->req.protop = ftp = malloc(sizeof(struct FTP));
+  if(NULL == ftp)
+    return CURLE_OUT_OF_MEMORY;
+
   data->state.path++;   /* don't include the initial slash */
   data->state.slash_removed = TRUE; /* we've skipped the slash */
 
@@ -4621,6 +4545,24 @@ static CURLcode ftp_setup_connection(struct connectdata * conn)
     }
   }
 
+  /* get some initial data into the ftp struct */
+  ftp->bytecountp = &conn->data->req.bytecount;
+  ftp->transfer = FTPTRANSFER_BODY;
+  ftp->downloadsize = 0;
+
+  /* No need to duplicate user+password, the connectdata struct won't change
+     during a session, but we re-init them here since on subsequent inits
+     since the conn struct may have changed or been replaced.
+  */
+  ftp->user = conn->user;
+  ftp->passwd = conn->passwd;
+  if(isBadFtpString(ftp->user))
+    return CURLE_URL_MALFORMAT;
+  if(isBadFtpString(ftp->passwd))
+    return CURLE_URL_MALFORMAT;
+
+  conn->proto.ftpc.known_filesize = -1; /* unknown size for now */
+
   return CURLE_OK;
 }
 

lib/getinfo.c

@@ -5,7 +5,7 @@
  *                            | (__| |_| |  _ <| |___
  *                             \___|\___/|_| \_\_____|
  *
- * Copyright (C) 1998 - 2012, Daniel Stenberg, <daniel@haxx.se>, et al.
+ * Copyright (C) 1998 - 2013, Daniel Stenberg, <daniel@haxx.se>, et al.
  *
  * This software is licensed as described in the file COPYING, which
  * you should have received as part of this distribution. The terms
@@ -53,9 +53,9 @@ CURLcode Curl_initinfo(struct SessionHandle *data)
   pro->t_redirect = 0;
 
   info->httpcode = 0;
-  info->httpversion=0;
-  info->filetime=-1; /* -1 is an illegal time and thus means unknown */
-  info->timecond=0;
+  info->httpversion = 0;
+  info->filetime = -1; /* -1 is an illegal time and thus means unknown */
+  info->timecond = FALSE;
 
   if(info->contenttype)
     free(info->contenttype);
@@ -186,7 +186,7 @@ static CURLcode getinfo_long(struct SessionHandle *data, CURLINFO info,
     break;
   case CURLINFO_CONDITION_UNMET:
     /* return if the condition prevented the document to get transferred */
-    *param_longp = data->info.timecond;
+    *param_longp = data->info.timecond ? 1L : 0L;
     break;
   case CURLINFO_RTSP_CLIENT_CSEQ:
     *param_longp = data->state.rtsp_next_client_CSeq;

lib/gskit.c

@@ -0,0 +1,906 @@
+/***************************************************************************
+ *                                  _   _ ____  _
+ *  Project                     ___| | | |  _ \| |
+ *                             / __| | | | |_) | |
+ *                            | (__| |_| |  _ <| |___
+ *                             \___|\___/|_| \_\_____|
+ *
+ * Copyright (C) 1998 - 2013, Daniel Stenberg, <daniel@haxx.se>, et al.
+ *
+ * This software is licensed as described in the file COPYING, which
+ * you should have received as part of this distribution. The terms
+ * are also available at http://curl.haxx.se/docs/copyright.html.
+ *
+ * You may opt to use, copy, modify, merge, publish, distribute and/or sell
+ * copies of the Software, and permit persons to whom the Software is
+ * furnished to do so, under the terms of the COPYING file.
+ *
+ * This software is distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY
+ * KIND, either express or implied.
+ *
+ ***************************************************************************/
+
+#include "curl_setup.h"
+
+#ifdef USE_GSKIT
+
+#include <gskssl.h>
+#include <qsoasync.h>
+
+/* Some symbols are undefined/unsupported on OS400 versions < V7R1. */
+#ifndef GSK_SSL_EXTN_SERVERNAME_REQUEST
+#define GSK_SSL_EXTN_SERVERNAME_REQUEST                 230
+#endif
+
+#ifdef HAVE_LIMITS_H
+#  include <limits.h>
+#endif
+
+#include <curl/curl.h>
+#include "urldata.h"
+#include "sendf.h"
+#include "gskit.h"
+#include "sslgen.h"
+#include "connect.h" /* for the connect timeout */
+#include "select.h"
+#include "strequal.h"
+#include "x509asn1.h"
+
+#define _MPRINTF_REPLACE /* use our functions only */
+#include <curl/mprintf.h>
+
+#include "curl_memory.h"
+/* The last #include file should be: */
+#include "memdebug.h"
+
+
+/* Supported ciphers. */
+typedef struct {
+  const char *  name;           /* Cipher name. */
+  const char *  gsktoken;       /* Corresponding token for GSKit String. */
+  int           sslver;         /* SSL version. */
+}  gskit_cipher;
+
+static const gskit_cipher  ciphertable[] = {
+  { "null-md5",         "01",   CURL_SSLVERSION_SSLv3 },
+  { "null-sha",         "02",   CURL_SSLVERSION_SSLv3 },
+  { "exp-rc4-md5",      "03",   CURL_SSLVERSION_SSLv3 },
+  { "rc4-md5",          "04",   CURL_SSLVERSION_SSLv3 },
+  { "rc4-sha",          "05",   CURL_SSLVERSION_SSLv3 },
+  { "exp-rc2-cbc-md5",  "06",   CURL_SSLVERSION_SSLv3 },
+  { "exp-des-cbc-sha",  "09",   CURL_SSLVERSION_SSLv3 },
+  { "des-cbc3-sha",     "0A",   CURL_SSLVERSION_SSLv3 },
+  { "aes128-sha",       "2F",   CURL_SSLVERSION_TLSv1 },
+  { "aes256-sha",       "35",   CURL_SSLVERSION_TLSv1 },
+  { "rc4-md5",          "1",    CURL_SSLVERSION_SSLv2 },
+  { "exp-rc4-md5",      "2",    CURL_SSLVERSION_SSLv2 },
+  { "rc2-md5",          "3",    CURL_SSLVERSION_SSLv2 },
+  { "exp-rc2-md5",      "4",    CURL_SSLVERSION_SSLv2 },
+  { "des-cbc-md5",      "6",    CURL_SSLVERSION_SSLv2 },
+  { "des-cbc3-md5",     "7",    CURL_SSLVERSION_SSLv2 },
+  { (const char *) NULL, (const char *) NULL, 0       }
+};
+
+
+static bool is_separator(char c)
+{
+  /* Return whether character is a cipher list separator. */
+  switch (c) {
+  case ' ':
+  case '\t':
+  case ':':
+  case ',':
+  case ';':
+    return true;
+  }
+  return false;
+}
+
+
+static CURLcode gskit_status(struct SessionHandle * data, int rc,
+                             const char * procname, CURLcode defcode)
+{
+  CURLcode cc;
+
+  /* Process GSKit status and map it to a CURLcode. */
+  switch (rc) {
+  case GSK_OK:
+  case GSK_OS400_ASYNCHRONOUS_SOC_INIT:
+    return CURLE_OK;
+  case GSK_KEYRING_OPEN_ERROR:
+  case GSK_OS400_ERROR_NO_ACCESS:
+    return CURLE_SSL_CACERT_BADFILE;
+  case GSK_INSUFFICIENT_STORAGE:
+    return CURLE_OUT_OF_MEMORY;
+  case GSK_ERROR_BAD_V2_CIPHER:
+  case GSK_ERROR_BAD_V3_CIPHER:
+  case GSK_ERROR_NO_CIPHERS:
+    return CURLE_SSL_CIPHER;
+  case GSK_OS400_ERROR_NOT_TRUSTED_ROOT:
+  case GSK_ERROR_CERT_VALIDATION:
+    return CURLE_PEER_FAILED_VERIFICATION;
+  case GSK_OS400_ERROR_TIMED_OUT:
+    return CURLE_OPERATION_TIMEDOUT;
+  case GSK_WOULD_BLOCK:
+    return CURLE_AGAIN;
+  case GSK_OS400_ERROR_NOT_REGISTERED:
+    break;
+  case GSK_ERROR_IO:
+    switch (errno) {
+    case ENOMEM:
+      return CURLE_OUT_OF_MEMORY;
+    default:
+      failf(data, "%s I/O error: %s", procname, strerror(errno));
+      break;
+    }
+    break;
+  default:
+    failf(data, "%s: %s", procname, gsk_strerror(rc));
+    break;
+    }
+  return defcode;
+}
+
+
+static CURLcode set_enum(struct SessionHandle * data,
+                         gsk_handle h, GSK_ENUM_ID id, GSK_ENUM_VALUE value)
+{
+  int rc = gsk_attribute_set_enum(h, id, value);
+
+  switch (rc) {
+  case GSK_OK:
+    return CURLE_OK;
+  case GSK_ERROR_IO:
+    failf(data, "gsk_attribute_set_enum() I/O error: %s", strerror(errno));
+    break;
+  default:
+    failf(data, "gsk_attribute_set_enum(): %s", gsk_strerror(rc));
+    break;
+  }
+  return CURLE_SSL_CONNECT_ERROR;
+}
+
+
+static CURLcode set_buffer(struct SessionHandle * data,
+                           gsk_handle h, GSK_BUF_ID id, const char * buffer)
+{
+  int rc = gsk_attribute_set_buffer(h, id, buffer, 0);
+
+  switch (rc) {
+  case GSK_OK:
+    return CURLE_OK;
+  case GSK_ERROR_IO:
+    failf(data, "gsk_attribute_set_buffer() I/O error: %s", strerror(errno));
+    break;
+  default:
+    failf(data, "gsk_attribute_set_buffer(): %s", gsk_strerror(rc));
+    break;
+  }
+  return CURLE_SSL_CONNECT_ERROR;
+}
+
+
+static CURLcode set_numeric(struct SessionHandle * data,
+                            gsk_handle h, GSK_NUM_ID id, int value)
+{
+  int rc = gsk_attribute_set_numeric_value(h, id, value);
+
+  switch (rc) {
+  case GSK_OK:
+    return CURLE_OK;
+  case GSK_ERROR_IO:
+    failf(data, "gsk_attribute_set_numeric_value() I/O error: %s",
+          strerror(errno));
+    break;
+  default:
+    failf(data, "gsk_attribute_set_numeric_value(): %s", gsk_strerror(rc));
+    break;
+  }
+  return CURLE_SSL_CONNECT_ERROR;
+}
+
+
+static CURLcode set_callback(struct SessionHandle * data,
+                             gsk_handle h, GSK_CALLBACK_ID id, void * info)
+{
+  int rc = gsk_attribute_set_callback(h, id, info);
+
+  switch (rc) {
+  case GSK_OK:
+    return CURLE_OK;
+  case GSK_ERROR_IO:
+    failf(data, "gsk_attribute_set_callback() I/O error: %s", strerror(errno));
+    break;
+  default:
+    failf(data, "gsk_attribute_set_callback(): %s", gsk_strerror(rc));
+    break;
+  }
+  return CURLE_SSL_CONNECT_ERROR;
+}
+
+
+static CURLcode set_ciphers(struct SessionHandle * data, gsk_handle h)
+{
+  const char * cipherlist = data->set.str[STRING_SSL_CIPHER_LIST];
+  char * sslv2ciphers;
+  char * sslv3ciphers;
+  const char * clp;
+  const gskit_cipher * ctp;
+  char * v2p;
+  char * v3p;
+  int i;
+  CURLcode cc;
+
+  /* Compile cipher list into GSKit-compatible cipher lists. */
+
+  if(!cipherlist)
+    return CURLE_OK;
+  while(is_separator(*cipherlist))     /* Skip initial separators. */
+    cipherlist++;
+  if(!*cipherlist)
+    return CURLE_OK;
+
+  /* We allocate GSKit buffers of the same size as the input string: since
+     GSKit tokens are always shorter than their cipher names, allocated buffers
+     will always be large enough to accomodate the result. */
+  i = strlen(cipherlist) + 1;
+  v2p = malloc(i);
+  if(!v2p)
+    return CURLE_OUT_OF_MEMORY;
+  v3p = malloc(i);
+  if(!v3p) {
+    free(v2p);
+    return CURLE_OUT_OF_MEMORY;
+  }
+  sslv2ciphers = v2p;
+  sslv3ciphers = v3p;
+
+  /* Process each cipher in input string. */
+  for(;;) {
+    for(clp = cipherlist; *cipherlist && !is_separator(*cipherlist);)
+      cipherlist++;
+    i = cipherlist - clp;
+    if(!i)
+      break;
+    /* Search the cipher in our table. */
+    for(ctp = ciphertable; ctp->name; ctp++)
+      if(strnequal(ctp->name, clp, i) && !ctp->name[i])
+        break;
+    if(!ctp->name)
+      failf(data, "Unknown cipher %.*s: ignored", i, clp);
+    else {
+      switch (ctp->sslver) {
+      case CURL_SSLVERSION_SSLv2:
+        strcpy(v2p, ctp->gsktoken);
+        v2p += strlen(v2p);
+        break;
+      default:
+        /* GSKit wants TLSv1 ciphers with SSLv3 ciphers. */
+        strcpy(v3p, ctp->gsktoken);
+        v3p += strlen(v3p);
+        break;
+      }
+    }
+
+   /* Advance to next cipher name or end of string. */
+    while(is_separator(*cipherlist))
+      cipherlist++;
+  }
+  *v2p = '\0';
+  *v3p = '\0';
+  cc = set_buffer(data, h, GSK_V2_CIPHER_SPECS, sslv2ciphers);
+  if(cc == CURLE_OK)
+    cc = set_buffer(data, h, GSK_V3_CIPHER_SPECS, sslv3ciphers);
+  free(sslv2ciphers);
+  free(sslv3ciphers);
+  return cc;
+}
+
+
+int Curl_gskit_init(void)
+{
+  /* No initialisation needed. */
+
+  return 1;
+}
+
+
+void Curl_gskit_cleanup(void)
+{
+  /* Nothing to do. */
+}
+
+
+static CURLcode init_environment(struct SessionHandle * data,
+                                 gsk_handle * envir, const char * appid,
+                                 const char * file, const char * label,
+                                 const char * password)
+{
+  int rc;
+  CURLcode c;
+  gsk_handle h;
+
+  /* Creates the GSKit environment. */
+
+  rc = gsk_environment_open(&h);
+  switch (rc) {
+  case GSK_OK:
+    break;
+  case GSK_INSUFFICIENT_STORAGE:
+    return CURLE_OUT_OF_MEMORY;
+  default:
+    failf(data, "gsk_environment_open(): %s", gsk_strerror(rc));
+    return CURLE_SSL_CONNECT_ERROR;
+  }
+
+  c = set_enum(data, h, GSK_SESSION_TYPE, GSK_CLIENT_SESSION);
+  if(c == CURLE_OK && appid)
+    c = set_buffer(data, h, GSK_OS400_APPLICATION_ID, appid);
+  if(c == CURLE_OK && file)
+    c = set_buffer(data, h, GSK_KEYRING_FILE, file);
+  if(c == CURLE_OK && label)
+    c = set_buffer(data, h, GSK_KEYRING_LABEL, label);
+  if(c == CURLE_OK && password)
+    c = set_buffer(data, h, GSK_KEYRING_PW, password);
+
+  if(c == CURLE_OK) {
+    /* Locate CAs, Client certificate and key according to our settings.
+       Note: this call may be blocking for some tenths of seconds. */
+    c = gskit_status(data, gsk_environment_init(h),
+                     "gsk_environment_init()", CURLE_SSL_CERTPROBLEM);
+    if(c == CURLE_OK) {
+      *envir = h;
+      return c;
+    }
+  }
+  /* Error: rollback. */
+  gsk_environment_close(&h);
+  return c;
+}
+
+
+static void cancel_async_handshake(struct connectdata * conn, int sockindex)
+{
+  struct ssl_connect_data * connssl = &conn->ssl[sockindex];
+  Qso_OverlappedIO_t cstat;
+
+  if(QsoCancelOperation(conn->sock[sockindex], 0) > 0)
+    QsoWaitForIOCompletion(connssl->iocport, &cstat, (struct timeval *) NULL);
+}
+
+
+static void close_async_handshake(struct ssl_connect_data * connssl)
+{
+  QsoDestroyIOCompletionPort(connssl->iocport);
+  connssl->iocport = -1;
+}
+
+
+static void close_one(struct ssl_connect_data * conn,
+                      struct SessionHandle * data)
+{
+  if(conn->handle) {
+    gskit_status(data, gsk_secure_soc_close(&conn->handle),
+              "gsk_secure_soc_close()", 0);
+    conn->handle = (gsk_handle) NULL;
+  }
+  if(conn->iocport >= 0)
+    close_async_handshake(conn);
+}
+
+
+static ssize_t gskit_send(struct connectdata * conn, int sockindex,
+                           const void * mem, size_t len, CURLcode * curlcode)
+{
+  struct SessionHandle * data = conn->data;
+  CURLcode cc;
+  int written;
+
+  cc = gskit_status(data,
+                    gsk_secure_soc_write(conn->ssl[sockindex].handle,
+                                         (char *) mem, (int) len, &written),
+                    "gsk_secure_soc_write()", CURLE_SEND_ERROR);
+  if(cc != CURLE_OK) {
+    *curlcode = cc;
+    written = -1;
+  }
+  return (ssize_t) written; /* number of bytes */
+}
+
+
+static ssize_t gskit_recv(struct connectdata * conn, int num, char * buf,
+                           size_t buffersize, CURLcode * curlcode)
+{
+  struct SessionHandle * data = conn->data;
+  int buffsize;
+  int nread;
+  CURLcode cc;
+
+  buffsize = buffersize > (size_t) INT_MAX? INT_MAX: (int) buffersize;
+  cc = gskit_status(data, gsk_secure_soc_read(conn->ssl[num].handle,
+                                              buf, buffsize, &nread),
+                    "gsk_secure_soc_read()", CURLE_RECV_ERROR);
+  if(cc != CURLE_OK) {
+    *curlcode = cc;
+    nread = -1;
+  }
+  return (ssize_t) nread;
+}
+
+
+static CURLcode gskit_connect_step1(struct connectdata * conn, int sockindex)
+{
+  struct SessionHandle * data = conn->data;
+  struct ssl_connect_data * connssl = &conn->ssl[sockindex];
+  gsk_handle envir;
+  CURLcode cc;
+  int rc;
+  char * keyringfile;
+  char * keyringpwd;
+  char * keyringlabel;
+  char * v2ciphers;
+  char * v3ciphers;
+  char * sni;
+  bool sslv2enable, sslv3enable, tlsv1enable;
+  long timeout;
+  Qso_OverlappedIO_t commarea;
+
+  /* Create SSL environment, start (preferably asynchronous) handshake. */
+
+  connssl->handle = (gsk_handle) NULL;
+  connssl->iocport = -1;
+
+  /* GSKit supports two ways of specifying an SSL context: either by
+   *  application identifier (that should have been defined at the system
+   *  level) or by keyring file, password and certificate label.
+   * Local certificate name (CURLOPT_SSLCERT) is used to hold either the
+   *  application identifier of the certificate label.
+   * Key password (CURLOPT_KEYPASSWD) holds the keyring password.
+   * It is not possible to have different keyrings for the CAs and the
+   *  local certificate. We thus use the CA file (CURLOPT_CAINFO) to identify
+   *  the keyring file.
+   * If no key password is given and the keyring is the system keyring,
+   *  application identifier mode is tried first, as recommended in IBM doc.
+   */
+
+  keyringfile = data->set.str[STRING_SSL_CAFILE];
+  keyringpwd = data->set.str[STRING_KEY_PASSWD];
+  keyringlabel = data->set.str[STRING_CERT];
+  envir = (gsk_handle) NULL;
+
+  if(keyringlabel && *keyringlabel && !keyringpwd &&
+      !strcmp(keyringfile, CURL_CA_BUNDLE)) {
+    /* Try application identifier mode. */
+    init_environment(data, &envir, keyringlabel, (const char *) NULL,
+                     (const char *) NULL, (const char *) NULL);
+  }
+
+  if(!envir) {
+    /* Use keyring mode. */
+    cc = init_environment(data, &envir, (const char *) NULL,
+                          keyringfile, keyringlabel, keyringpwd);
+    if(cc != CURLE_OK)
+      return cc;
+  }
+
+  /* Create secure session. */
+  cc = gskit_status(data, gsk_secure_soc_open(envir, &connssl->handle),
+                    "gsk_secure_soc_open()", CURLE_SSL_CONNECT_ERROR);
+  gsk_environment_close(&envir);
+  if(cc != CURLE_OK)
+    return cc;
+
+  /* Determine which SSL/TLS version should be enabled. */
+  sslv2enable = sslv3enable = tlsv1enable = false;
+  sni = conn->host.name;
+  switch (data->set.ssl.version) {
+  case CURL_SSLVERSION_SSLv2:
+    sslv2enable = true;
+    sni = (char *) NULL;
+    break;
+  case CURL_SSLVERSION_SSLv3:
+    sslv3enable = true;
+    sni = (char *) NULL;
+    break;
+  case CURL_SSLVERSION_TLSv1:
+    tlsv1enable = true;
+    break;
+  default:              /* CURL_SSLVERSION_DEFAULT. */
+    sslv3enable = true;
+    tlsv1enable = true;
+    break;
+  }
+
+  /* Process SNI. Ignore if not supported (on OS400 < V7R1). */
+  if(sni) {
+    rc = gsk_attribute_set_buffer(connssl->handle,
+                                  GSK_SSL_EXTN_SERVERNAME_REQUEST, sni, 0);
+    switch (rc) {
+    case GSK_OK:
+    case GSK_ATTRIBUTE_INVALID_ID:
+      break;
+    case GSK_ERROR_IO:
+      failf(data, "gsk_attribute_set_buffer() I/O error: %s", strerror(errno));
+      cc = CURLE_SSL_CONNECT_ERROR;
+      break;
+    default:
+      failf(data, "gsk_attribute_set_buffer(): %s", gsk_strerror(rc));
+      cc = CURLE_SSL_CONNECT_ERROR;
+      break;
+    }
+  }
+
+  /* Set session parameters. */
+  if(cc == CURLE_OK) {
+    /* Compute the handshake timeout. Since GSKit granularity is 1 second,
+       we round up the required value. */
+    timeout = Curl_timeleft(data, NULL, TRUE);
+    if(timeout < 0)
+      cc = CURLE_OPERATION_TIMEDOUT;
+    else
+      cc = set_numeric(data, connssl->handle, GSK_HANDSHAKE_TIMEOUT,
+                       (timeout + 999) / 1000);
+  }
+  if(cc == CURLE_OK)
+    cc = set_numeric(data, connssl->handle, GSK_FD, conn->sock[sockindex]);
+  if(cc == CURLE_OK)
+    cc = set_ciphers(data, connssl->handle);
+  if(cc == CURLE_OK)
+      cc = set_enum(data, connssl->handle, GSK_PROTOCOL_SSLV2,
+                    sslv2enable? GSK_PROTOCOL_SSLV2_ON:
+                    GSK_PROTOCOL_SSLV2_OFF);
+  if(cc == CURLE_OK)
+    cc = set_enum(data, connssl->handle, GSK_PROTOCOL_SSLV3,
+                  sslv3enable? GSK_PROTOCOL_SSLV3_ON:
+                  GSK_PROTOCOL_SSLV3_OFF);
+  if(cc == CURLE_OK)
+    cc = set_enum(data, connssl->handle, GSK_PROTOCOL_TLSV1,
+                  sslv3enable?  GSK_PROTOCOL_TLSV1_ON:
+                  GSK_PROTOCOL_TLSV1_OFF);
+  if(cc == CURLE_OK)
+    cc = set_enum(data, connssl->handle, GSK_SERVER_AUTH_TYPE,
+                  data->set.ssl.verifypeer? GSK_SERVER_AUTH_FULL:
+                  GSK_SERVER_AUTH_PASSTHRU);
+
+  if(cc == CURLE_OK) {
+    /* Start handshake. Try asynchronous first. */
+    memset(&commarea, 0, sizeof commarea);
+    connssl->iocport = QsoCreateIOCompletionPort();
+    if(connssl->iocport != -1) {
+      cc = gskit_status(data, gsk_secure_soc_startInit(connssl->handle,
+                        connssl->iocport, &commarea),
+                        "gsk_secure_soc_startInit()", CURLE_SSL_CONNECT_ERROR);
+      if(cc == CURLE_OK) {
+        connssl->connecting_state = ssl_connect_2;
+        return CURLE_OK;
+      }
+      else
+        close_async_handshake(connssl);
+    }
+    else if(errno != ENOBUFS)
+      cc = gskit_status(data, GSK_ERROR_IO, "QsoCreateIOCompletionPort()", 0);
+    else {
+      /* No more completion port available. Use synchronous IO. */
+      cc = gskit_status(data, gsk_secure_soc_init(connssl->handle),
+                       "gsk_secure_soc_init()", CURLE_SSL_CONNECT_ERROR);
+      if(cc == CURLE_OK) {
+        connssl->connecting_state = ssl_connect_3;
+        return CURLE_OK;
+      }
+    }
+  }
+
+  /* Error: rollback. */
+  close_one(connssl, data);
+  return cc;
+}
+
+
+static CURLcode gskit_connect_step2(struct connectdata * conn, int sockindex,
+                                    bool nonblocking)
+{
+  struct SessionHandle * data = conn->data;
+  struct ssl_connect_data * connssl = &conn->ssl[sockindex];
+  Qso_OverlappedIO_t cstat;
+  long timeout_ms;
+  struct timeval stmv;
+  CURLcode cc;
+
+  /* Poll or wait for end of SSL asynchronous handshake. */
+
+  for(;;) {
+    timeout_ms = nonblocking? 0: Curl_timeleft(data, NULL, TRUE);
+    if(timeout_ms < 0)
+      timeout_ms = 0;
+    stmv.tv_sec = timeout_ms / 1000;
+    stmv.tv_usec = (timeout_ms - stmv.tv_sec * 1000) * 1000;
+    switch (QsoWaitForIOCompletion(connssl->iocport, &cstat, &stmv)) {
+    case 1:             /* Operation complete. */
+      break;
+    case -1:            /* An error occurred: handshake still in progress. */
+      if(errno == EINTR) {
+        if(nonblocking)
+          return CURLE_OK;
+        continue;       /* Retry. */
+      }
+      if(errno != ETIME) {
+        failf(data, "QsoWaitForIOCompletion() I/O error: %s", strerror(errno));
+        cancel_async_handshake(conn, sockindex);
+        close_async_handshake(connssl);
+        return CURLE_SSL_CONNECT_ERROR;
+      }
+      /* FALL INTO... */
+    case 0:             /* Handshake in progress, timeout occurred. */
+      if(nonblocking)
+        return CURLE_OK;
+      cancel_async_handshake(conn, sockindex);
+      close_async_handshake(connssl);
+      return CURLE_OPERATION_TIMEDOUT;
+    }
+    break;
+  }
+  cc = gskit_status(data, cstat.returnValue, "SSL handshake",
+                    CURLE_SSL_CONNECT_ERROR);
+  if(cc == CURLE_OK)
+    connssl->connecting_state = ssl_connect_3;
+  close_async_handshake(connssl);
+  return cc;
+}
+
+
+static CURLcode gskit_connect_step3(struct connectdata * conn, int sockindex)
+{
+  struct SessionHandle * data = conn->data;
+  struct ssl_connect_data * connssl = &conn->ssl[sockindex];
+  const gsk_cert_data_elem * cdev;
+  int cdec;
+  const gsk_cert_data_elem * p;
+  const char * cert = (const char *) NULL;
+  const char * certend;
+  int i;
+  CURLcode cc;
+
+  /* SSL handshake done: gather certificate info and verify host. */
+
+  if(gskit_status(data, gsk_attribute_get_cert_info(connssl->handle,
+                                                    GSK_PARTNER_CERT_INFO,
+                                                    &cdev, &cdec),
+                  "gsk_attribute_get_cert_info()", CURLE_SSL_CONNECT_ERROR) ==
+     CURLE_OK) {
+    infof(data, "Server certificate:\n");
+    p = cdev;
+    for(i = 0; i++ < cdec; p++)
+      switch (p->cert_data_id) {
+      case CERT_BODY_DER:
+        cert = p->cert_data_p;
+        certend = cert + cdev->cert_data_l;
+        break;
+      case CERT_DN_PRINTABLE:
+        infof(data, "\t subject: %.*s\n", p->cert_data_l, p->cert_data_p);
+        break;
+      case CERT_ISSUER_DN_PRINTABLE:
+        infof(data, "\t issuer: %.*s\n", p->cert_data_l, p->cert_data_p);
+        break;
+      case CERT_VALID_FROM:
+        infof(data, "\t start date: %.*s\n", p->cert_data_l, p->cert_data_p);
+        break;
+      case CERT_VALID_TO:
+        infof(data, "\t expire date: %.*s\n", p->cert_data_l, p->cert_data_p);
+        break;
+    }
+  }
+
+  /* Verify host. */
+  cc = Curl_verifyhost(conn, cert, certend);
+  if(cc != CURLE_OK)
+    return cc;
+
+  /* The only place GSKit can get the whole CA chain is a validation
+     callback where no user data pointer is available. Therefore it's not
+     possible to copy this chain into our structures for CAINFO.
+     However the server certificate may be available, thus we can return
+     info about it. */
+  if(data->set.ssl.certinfo) {
+    if(Curl_ssl_init_certinfo(data, 1))
+      return CURLE_OUT_OF_MEMORY;
+    if(cert) {
+      cc = Curl_extract_certinfo(conn, 0, cert, certend);
+      if(cc != CURLE_OK)
+        return cc;
+    }
+  }
+
+  connssl->connecting_state = ssl_connect_done;
+  return CURLE_OK;
+}
+
+
+static CURLcode gskit_connect_common(struct connectdata * conn, int sockindex,
+                                     bool nonblocking, bool * done)
+{
+  struct SessionHandle * data = conn->data;
+  struct ssl_connect_data * connssl = &conn->ssl[sockindex];
+  long timeout_ms;
+  Qso_OverlappedIO_t cstat;
+  CURLcode cc = CURLE_OK;
+
+  *done = connssl->state == ssl_connection_complete;
+  if(*done)
+    return CURLE_OK;
+
+  /* Step 1: create session, start handshake. */
+  if(connssl->connecting_state == ssl_connect_1) {
+    /* check allowed time left */
+    timeout_ms = Curl_timeleft(data, NULL, TRUE);
+
+    if(timeout_ms < 0) {
+      /* no need to continue if time already is up */
+      failf(data, "SSL connection timeout");
+      cc = CURLE_OPERATION_TIMEDOUT;
+    }
+    else
+      cc = gskit_connect_step1(conn, sockindex);
+  }
+
+  /* Step 2: check if handshake is over. */
+  if(cc == CURLE_OK && connssl->connecting_state == ssl_connect_2) {
+    /* check allowed time left */
+    timeout_ms = Curl_timeleft(data, NULL, TRUE);
+
+    if(timeout_ms < 0) {
+      /* no need to continue if time already is up */
+      failf(data, "SSL connection timeout");
+      cc = CURLE_OPERATION_TIMEDOUT;
+    }
+    else
+      cc = gskit_connect_step2(conn, sockindex, nonblocking);
+  }
+
+  /* Step 3: gather certificate info, verify host. */
+  if(cc == CURLE_OK && connssl->connecting_state == ssl_connect_3)
+    cc = gskit_connect_step3(conn, sockindex);
+
+  if(cc != CURLE_OK)
+    close_one(connssl, data);
+  else if(connssl->connecting_state == ssl_connect_done) {
+    connssl->state = ssl_connection_complete;
+    connssl->connecting_state = ssl_connect_1;
+    conn->recv[sockindex] = gskit_recv;
+    conn->send[sockindex] = gskit_send;
+    *done = TRUE;
+  }
+
+  return cc;
+}
+
+
+CURLcode Curl_gskit_connect_nonblocking(struct connectdata * conn,
+                                        int sockindex,
+                                        bool * done)
+{
+  CURLcode cc;
+
+  cc = gskit_connect_common(conn, sockindex, TRUE, done);
+  if(*done || cc != CURLE_OK)
+    conn->ssl[sockindex].connecting_state = ssl_connect_1;
+  return cc;
+}
+
+
+CURLcode Curl_gskit_connect(struct connectdata * conn, int sockindex)
+{
+  CURLcode retcode;
+  bool done;
+
+  conn->ssl[sockindex].connecting_state = ssl_connect_1;
+  retcode = gskit_connect_common(conn, sockindex, FALSE, &done);
+  if(retcode)
+    return retcode;
+
+  DEBUGASSERT(done);
+
+  return CURLE_OK;
+}
+
+
+void Curl_gskit_close(struct connectdata * conn, int sockindex)
+{
+  struct SessionHandle * data = conn->data;
+  struct ssl_connect_data * connssl = &conn->ssl[sockindex];
+
+  if(connssl->use)
+    close_one(connssl, data);
+}
+
+
+int Curl_gskit_close_all(struct SessionHandle * data)
+{
+  /* Unimplemented. */
+  (void) data;
+  return 0;
+}
+
+
+int Curl_gskit_shutdown(struct connectdata * conn, int sockindex)
+{
+  struct ssl_connect_data * connssl = &conn->ssl[sockindex];
+  struct SessionHandle * data = conn->data;
+  ssize_t nread;
+  int what;
+  int rc;
+  char buf[120];
+
+  if(!connssl->handle)
+    return 0;
+
+  if(data->set.ftp_ccc != CURLFTPSSL_CCC_ACTIVE)
+    return 0;
+
+  close_one(connssl, data);
+  rc = 0;
+  what = Curl_socket_ready(conn->sock[sockindex],
+                           CURL_SOCKET_BAD, SSL_SHUTDOWN_TIMEOUT);
+
+  for(;;) {
+    if(what < 0) {
+      /* anything that gets here is fatally bad */
+      failf(data, "select/poll on SSL socket, errno: %d", SOCKERRNO);
+      rc = -1;
+      break;
+    }
+
+    if(!what) {                                /* timeout */
+      failf(data, "SSL shutdown timeout");
+      break;
+    }
+
+    /* Something to read, let's do it and hope that it is the close
+       notify alert from the server. No way to gsk_secure_soc_read() now, so
+       use read(). */
+
+    nread = read(conn->sock[sockindex], buf, sizeof(buf));
+
+    if(nread < 0) {
+      failf(data, "read: %s", strerror(errno));
+      rc = -1;
+    }
+
+    if(nread <= 0)
+      break;
+
+    what = Curl_socket_ready(conn->sock[sockindex], CURL_SOCKET_BAD, 0);
+  }
+
+  return rc;
+}
+
+
+size_t Curl_gskit_version(char * buffer, size_t size)
+{
+  strncpy(buffer, "GSKit", size);
+  return strlen(buffer);
+}
+
+
+int Curl_gskit_check_cxn(struct connectdata * cxn)
+{
+  int err;
+  int errlen;
+
+  /* The only thing that can be tested here is at the socket level. */
+
+  if(!cxn->ssl[FIRSTSOCKET].handle)
+    return 0; /* connection has been closed */
+
+  err = 0;
+  errlen = sizeof err;
+
+  if(getsockopt(cxn->sock[FIRSTSOCKET], SOL_SOCKET, SO_ERROR,
+                 (unsigned char *) &err, &errlen) ||
+     errlen != sizeof err || err)
+    return 0; /* connection has been closed */
+
+  return -1;  /* connection status unknown */
+}
+
+#endif /* USE_GSKIT */

lib/gskit.h

@@ -0,0 +1,64 @@
+#ifndef HEADER_CURL_GSKIT_H
+#define HEADER_CURL_GSKIT_H
+/***************************************************************************
+ *                                  _   _ ____  _
+ *  Project                     ___| | | |  _ \| |
+ *                             / __| | | | |_) | |
+ *                            | (__| |_| |  _ <| |___
+ *                             \___|\___/|_| \_\_____|
+ *
+ * Copyright (C) 1998 - 2013, Daniel Stenberg, <daniel@haxx.se>, et al.
+ *
+ * This software is licensed as described in the file COPYING, which
+ * you should have received as part of this distribution. The terms
+ * are also available at http://curl.haxx.se/docs/copyright.html.
+ *
+ * You may opt to use, copy, modify, merge, publish, distribute and/or sell
+ * copies of the Software, and permit persons to whom the Software is
+ * furnished to do so, under the terms of the COPYING file.
+ *
+ * This software is distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY
+ * KIND, either express or implied.
+ *
+ ***************************************************************************/
+#include "curl_setup.h"
+
+/*
+ * This header should only be needed to get included by sslgen.c and gskit.c
+ */
+
+#include "urldata.h"
+
+#ifdef USE_GSKIT
+int Curl_gskit_init(void);
+void Curl_gskit_cleanup(void);
+CURLcode Curl_gskit_connect(struct connectdata * conn, int sockindex);
+CURLcode Curl_gskit_connect_nonblocking(struct connectdata * conn,
+                                        int sockindex, bool * done);
+void Curl_gskit_close(struct connectdata *conn, int sockindex);
+int Curl_gskit_close_all(struct SessionHandle * data);
+int Curl_gskit_shutdown(struct connectdata * conn, int sockindex);
+
+size_t Curl_gskit_version(char * buffer, size_t size);
+int Curl_gskit_check_cxn(struct connectdata * cxn);
+
+/* API setup for GSKit */
+#define curlssl_init Curl_gskit_init
+#define curlssl_cleanup Curl_gskit_cleanup
+#define curlssl_connect Curl_gskit_connect
+#define curlssl_connect_nonblocking Curl_gskit_connect_nonblocking
+
+/*  No session handling for GSKit */
+#define curlssl_session_free(x) Curl_nop_stmt
+#define curlssl_close_all Curl_gskit_close_all
+#define curlssl_close Curl_gskit_close
+#define curlssl_shutdown(x,y) Curl_gskit_shutdown(x,y)
+#define curlssl_set_engine(x,y) CURLE_NOT_BUILT_IN
+#define curlssl_set_engine_default(x) CURLE_NOT_BUILT_IN
+#define curlssl_engines_list(x) NULL
+#define curlssl_version Curl_gskit_version
+#define curlssl_check_cxn(x) Curl_gskit_check_cxn(x)
+#define curlssl_data_pending(x,y) 0
+#endif /* USE_GSKIT */
+
+#endif /* HEADER_CURL_GSKIT_H */

lib/gtls.h

@@ -7,7 +7,7 @@
  *                            | (__| |_| |  _ <| |___
  *                             \___|\___/|_| \_\_____|
  *
- * Copyright (C) 1998 - 2012, Daniel Stenberg, <daniel@haxx.se>, et al.
+ * Copyright (C) 1998 - 2013, Daniel Stenberg, <daniel@haxx.se>, et al.
  *
  * This software is licensed as described in the file COPYING, which
  * you should have received as part of this distribution. The terms
@@ -55,6 +55,10 @@ void Curl_gtls_md5sum(unsigned char *tmp, /* input */
                       unsigned char *md5sum, /* output */
                       size_t md5len);
 
+/* this backend provides these functions: */
+#define have_curlssl_random 1
+#define have_curlssl_md5sum 1
+
 /* API setup for GnuTLS */
 #define curlssl_init Curl_gtls_init
 #define curlssl_cleanup Curl_gtls_cleanup

lib/hash.c

@@ -5,7 +5,7 @@
  *                            | (__| |_| |  _ <| |___
  *                             \___|\___/|_| \_\_____|
  *
- * Copyright (C) 1998 - 2012, Daniel Stenberg, <daniel@haxx.se>, et al.
+ * Copyright (C) 1998 - 2013, Daniel Stenberg, <daniel@haxx.se>, et al.
  *
  * This software is licensed as described in the file COPYING, which
  * you should have received as part of this distribution. The terms
@@ -391,7 +391,7 @@ void Curl_hash_print(struct curl_hash *h,
     if(func)
       func(he->ptr);
     else
-      fprintf(stderr, " [%p]", he->ptr);
+      fprintf(stderr, " [%p]", (void *)he->ptr);
 
     he = Curl_hash_next_element(&iter);
   }

lib/hostcheck.c

@@ -5,7 +5,7 @@
  *                            | (__| |_| |  _ <| |___
  *                             \___|\___/|_| \_\_____|
  *
- * Copyright (C) 1998 - 2012, Daniel Stenberg, <daniel@haxx.se>, et al.
+ * Copyright (C) 1998 - 2013, Daniel Stenberg, <daniel@haxx.se>, et al.
  *
  * This software is licensed as described in the file COPYING, which
  * you should have received as part of this distribution. The terms
@@ -22,8 +22,9 @@
 
 #include "curl_setup.h"
 
-#if defined(USE_SSLEAY) || defined(USE_AXTLS)
-/* these two backends use functions from this file */
+#if defined(USE_SSLEAY) || defined(USE_AXTLS) || defined(USE_QSOSSL) || \
+    defined(USE_GSKIT)
+/* these backends use functions from this file */
 
 #include "hostcheck.h"
 #include "rawstr.h"
@@ -93,4 +94,4 @@ int Curl_cert_hostcheck(const char *match_pattern, const char *hostname)
   return 0;
 }
 
-#endif /* SSLEAY or AXTLS */
+#endif /* SSLEAY or AXTLS or QSOSSL or GSKIT */

lib/hostip.c

@@ -5,7 +5,7 @@
  *                            | (__| |_| |  _ <| |___
  *                             \___|\___/|_| \_\_____|
  *
- * Copyright (C) 1998 - 2012, Daniel Stenberg, <daniel@haxx.se>, et al.
+ * Copyright (C) 1998 - 2013, Daniel Stenberg, <daniel@haxx.se>, et al.
  *
  * This software is licensed as described in the file COPYING, which
  * you should have received as part of this distribution. The terms
@@ -140,6 +140,10 @@ struct curl_hash *Curl_global_host_cache_init(void)
 void Curl_global_host_cache_dtor(void)
 {
   if(host_cache_initialized) {
+    /* first make sure that any custom "CURLOPT_RESOLVE" names are
+       cleared off */
+    Curl_hostcache_clean(NULL, &hostname_cache);
+    /* then free the remaining hash completely */
     Curl_hash_clean(&hostname_cache);
     host_cache_initialized = 0;
   }
@@ -681,12 +685,14 @@ clean_up:
  * Curl_resolv_unlock() unlocks the given cached DNS entry. When this has been
  * made, the struct may be destroyed due to pruning. It is important that only
  * one unlock is made for each Curl_resolv() call.
+ *
+ * May be called with 'data' == NULL for global cache.
  */
 void Curl_resolv_unlock(struct SessionHandle *data, struct Curl_dns_entry *dns)
 {
   DEBUGASSERT(dns && (dns->inuse>0));
 
-  if(data->share)
+  if(data && data->share)
     Curl_share_lock(data, CURL_LOCK_DATA_DNS, CURL_LOCK_ACCESS_SINGLE);
 
   dns->inuse--;
@@ -697,7 +703,7 @@ void Curl_resolv_unlock(struct SessionHandle *data, struct Curl_dns_entry *dns)
     free(dns);
   }
 
-  if(data->share)
+  if(data && data->share)
     Curl_share_unlock(data, CURL_LOCK_DATA_DNS);
 }
 
@@ -734,22 +740,23 @@ static int hostcache_inuse(void *data, void *hc)
   return 1; /* free all entries */
 }
 
-void Curl_hostcache_clean(struct SessionHandle *data)
+/*
+ * Curl_hostcache_clean()
+ *
+ * This _can_ be called with 'data' == NULL but then of course no locking
+ * can be done!
+ */
+
+void Curl_hostcache_clean(struct SessionHandle *data,
+                          struct curl_hash *hash)
 {
   /* Entries added to the hostcache with the CURLOPT_RESOLVE function are
    * still present in the cache with the inuse counter set to 1. Detect them
    * and cleanup!
    */
-  Curl_hash_clean_with_criterium(data->dns.hostcache, data, hostcache_inuse);
+  Curl_hash_clean_with_criterium(hash, data, hostcache_inuse);
 }
 
-void Curl_hostcache_destroy(struct SessionHandle *data)
-{
-  Curl_hostcache_clean(data);
-  Curl_hash_destroy(data->dns.hostcache);
-  data->dns.hostcachetype = HCACHE_NONE;
-  data->dns.hostcache = NULL;
-}
 
 CURLcode Curl_loadhostpairs(struct SessionHandle *data)
 {

lib/hostip.h

@@ -7,7 +7,7 @@
  *                            | (__| |_| |  _ <| |___
  *                             \___|\___/|_| \_\_____|
  *
- * Copyright (C) 1998 - 2012, Daniel Stenberg, <daniel@haxx.se>, et al.
+ * Copyright (C) 1998 - 2013, Daniel Stenberg, <daniel@haxx.se>, et al.
  *
  * This software is licensed as described in the file COPYING, which
  * you should have received as part of this distribution. The terms
@@ -200,10 +200,31 @@ extern sigjmp_buf curl_jmpenv;
  */
 CURLcode Curl_set_dns_servers(struct SessionHandle *data, char *servers);
 
+/*
+ * Function provided by the resolver backend to set
+ * outgoing interface to use for DNS requests
+ */
+CURLcode Curl_set_dns_interface(struct SessionHandle *data,
+                                const char *interf);
+
+/*
+ * Function provided by the resolver backend to set
+ * local IPv4 address to use as source address for DNS requests
+ */
+CURLcode Curl_set_dns_local_ip4(struct SessionHandle *data,
+                                const char *local_ip4);
+
+/*
+ * Function provided by the resolver backend to set
+ * local IPv6 address to use as source address for DNS requests
+ */
+CURLcode Curl_set_dns_local_ip6(struct SessionHandle *data,
+                                const char *local_ip6);
+
 /*
  * Clean off entries from the cache
  */
-void Curl_hostcache_clean(struct SessionHandle *data);
+void Curl_hostcache_clean(struct SessionHandle *data, struct curl_hash *hash);
 
 /*
  * Destroy the hostcache of this handle.

lib/hostip4.c

@@ -5,7 +5,7 @@
  *                            | (__| |_| |  _ <| |___
  *                             \___|\___/|_| \_\_____|
  *
- * Copyright (C) 1998 - 2012, Daniel Stenberg, <daniel@haxx.se>, et al.
+ * Copyright (C) 1998 - 2013, Daniel Stenberg, <daniel@haxx.se>, et al.
  *
  * This software is licensed as described in the file COPYING, which
  * you should have received as part of this distribution. The terms
@@ -140,7 +140,7 @@ Curl_addrinfo *Curl_ipv4_resolve_r(const char *hostname,
 #if defined(HAVE_GETADDRINFO_THREADSAFE)
   else {
     struct addrinfo hints;
-    char sbuf[NI_MAXSERV];
+    char sbuf[12];
     char *sbufptr = NULL;
 
     memset(&hints, 0, sizeof(hints));

lib/hostip6.c

@@ -5,7 +5,7 @@
  *                            | (__| |_| |  _ <| |___
  *                             \___|\___/|_| \_\_____|
  *
- * Copyright (C) 1998 - 2012, Daniel Stenberg, <daniel@haxx.se>, et al.
+ * Copyright (C) 1998 - 2013, Daniel Stenberg, <daniel@haxx.se>, et al.
  *
  * This software is licensed as described in the file COPYING, which
  * you should have received as part of this distribution. The terms
@@ -168,7 +168,7 @@ Curl_addrinfo *Curl_getaddrinfo(struct connectdata *conn,
   struct addrinfo hints;
   Curl_addrinfo *res;
   int error;
-  char sbuf[NI_MAXSERV];
+  char sbuf[12];
   char *sbufptr = NULL;
   char addrbuf[128];
   int pf;

lib/hostsyn.c

@@ -5,7 +5,7 @@
  *                            | (__| |_| |  _ <| |___
  *                             \___|\___/|_| \_\_____|
  *
- * Copyright (C) 1998 - 2012, Daniel Stenberg, <daniel@haxx.se>, et al.
+ * Copyright (C) 1998 - 2013, Daniel Stenberg, <daniel@haxx.se>, et al.
  *
  * This software is licensed as described in the file COPYING, which
  * you should have received as part of this distribution. The terms
@@ -72,4 +72,40 @@ CURLcode Curl_set_dns_servers(struct SessionHandle *data,
 
 }
 
+/*
+ * Function provided by the resolver backend to set
+ * outgoing interface to use for DNS requests
+ */
+CURLcode Curl_set_dns_interface(struct SessionHandle *data,
+                                const char *interf)
+{
+  (void)data;
+  (void)interf;
+  return CURLE_NOT_BUILT_IN;
+}
+
+/*
+ * Function provided by the resolver backend to set
+ * local IPv4 address to use as source address for DNS requests
+ */
+CURLcode Curl_set_dns_local_ip4(struct SessionHandle *data,
+                                const char *local_ip4)
+{
+  (void)data;
+  (void)local_ip4;
+  return CURLE_NOT_BUILT_IN;
+}
+
+/*
+ * Function provided by the resolver backend to set
+ * local IPv6 address to use as source address for DNS requests
+ */
+CURLcode Curl_set_dns_local_ip6(struct SessionHandle *data,
+                                const char *local_ip6)
+{
+  (void)data;
+  (void)local_ip6;
+  return CURLE_NOT_BUILT_IN;
+}
+
 #endif /* truly sync */

lib/http.c

@@ -75,6 +75,7 @@
 #include "non-ascii.h"
 #include "bundles.h"
 #include "pipeline.h"
+#include "http2.h"
 
 #define _MPRINTF_REPLACE /* use our functions only */
 #include <curl/mprintf.h>
@@ -105,7 +106,7 @@ static int https_getsock(struct connectdata *conn,
  */
 const struct Curl_handler Curl_handler_http = {
   "HTTP",                               /* scheme */
-  ZERO_NULL,                            /* setup_connection */
+  Curl_http_setup_conn,                 /* setup_connection */
   Curl_http,                            /* do_it */
   Curl_http_done,                       /* done */
   ZERO_NULL,                            /* do_more */
@@ -129,7 +130,7 @@ const struct Curl_handler Curl_handler_http = {
  */
 const struct Curl_handler Curl_handler_https = {
   "HTTPS",                              /* scheme */
-  ZERO_NULL,                            /* setup_connection */
+  Curl_http_setup_conn,                 /* setup_connection */
   Curl_http,                            /* do_it */
   Curl_http_done,                       /* done */
   ZERO_NULL,                            /* do_more */
@@ -149,6 +150,19 @@ const struct Curl_handler Curl_handler_https = {
 #endif
 
 
+CURLcode Curl_http_setup_conn(struct connectdata *conn)
+{
+  /* allocate the HTTP-specific struct for the SessionHandle, only to survive
+     during this request */
+  DEBUGASSERT(conn->data->req.protop == NULL);
+
+  conn->data->req.protop = calloc(1, sizeof(struct HTTP));
+  if(!conn->data->req.protop)
+    return CURLE_OUT_OF_MEMORY;
+
+  return CURLE_OK;
+}
+
 /*
  * checkheaders() checks the linked list of custom HTTP headers for a
  * particular header (prefix).
@@ -330,7 +344,7 @@ static bool pickoneauth(struct auth *pick)
 static CURLcode http_perhapsrewind(struct connectdata *conn)
 {
   struct SessionHandle *data = conn->data;
-  struct HTTP *http = data->state.proto.http;
+  struct HTTP *http = data->req.protop;
   curl_off_t bytessent;
   curl_off_t expectsend = -1; /* default is unknown */
 
@@ -948,7 +962,7 @@ static size_t readmoredata(char *buffer,
                            void *userp)
 {
   struct connectdata *conn = (struct connectdata *)userp;
-  struct HTTP *http = conn->data->state.proto.http;
+  struct HTTP *http = conn->data->req.protop;
   size_t fullsize = size * nitems;
 
   if(0 == http->postsize)
@@ -1019,7 +1033,7 @@ CURLcode Curl_add_buffer_send(Curl_send_buffer *in,
   CURLcode res;
   char *ptr;
   size_t size;
-  struct HTTP *http = conn->data->state.proto.http;
+  struct HTTP *http = conn->data->req.protop;
   size_t sendsize;
   curl_socket_t sockfd;
   size_t headersize;
@@ -1402,7 +1416,7 @@ CURLcode Curl_http_done(struct connectdata *conn,
                         CURLcode status, bool premature)
 {
   struct SessionHandle *data = conn->data;
-  struct HTTP *http =data->state.proto.http;
+  struct HTTP *http =data->req.protop;
 
   Curl_unencode_cleanup(conn);
 
@@ -1442,6 +1456,7 @@ CURLcode Curl_http_done(struct connectdata *conn,
   if(!premature && /* this check is pointless when DONE is called before the
                       entire operation is complete */
      !conn->bits.retry &&
+     !data->set.connect_only &&
      ((http->readbytecount +
        data->req.headerbytecount -
        data->req.deductheadercount)) <= 0) {
@@ -1456,14 +1471,19 @@ CURLcode Curl_http_done(struct connectdata *conn,
 }
 
 
-/* Determine if we should use HTTP 1.1 for this request. Reasons to avoid it
-   are if the user specifically requested HTTP 1.0, if the server we are
-   connected to only supports 1.0, or if any server previously contacted to
-   handle this request only supports 1.0. */
-static bool use_http_1_1(const struct SessionHandle *data,
-                         const struct connectdata *conn)
+/*
+ * Determine if we should use HTTP 1.1 (OR BETTER) for this request. Reasons
+ * to avoid it include:
+ *
+ * - if the user specifically requested HTTP 1.0
+ * - if the server we are connected to only supports 1.0
+ * - if any server previously contacted to handle this request only supports
+ * 1.0.
+ */
+static bool use_http_1_1plus(const struct SessionHandle *data,
+                             const struct connectdata *conn)
 {
-  return ((data->set.httpversion == CURL_HTTP_VERSION_1_1) ||
+  return ((data->set.httpversion >= CURL_HTTP_VERSION_1_1) ||
          ((data->set.httpversion != CURL_HTTP_VERSION_1_0) &&
           ((conn->httpversion == 11) ||
            ((conn->httpversion != 10) &&
@@ -1479,7 +1499,7 @@ static CURLcode expect100(struct SessionHandle *data,
   const char *ptr;
   data->state.expect100header = FALSE; /* default to false unless it is set
                                           to TRUE below */
-  if(use_http_1_1(data, conn)) {
+  if(use_http_1_1plus(data, conn)) {
     /* if not doing HTTP 1.0 or disabled explicitly, we add a Expect:
        100-continue to the headers which actually speeds up post operations
        (as there is one packet coming back from the web server) */
@@ -1655,20 +1675,7 @@ CURLcode Curl_http(struct connectdata *conn, bool *done)
      the rest of the request in the PERFORM phase. */
   *done = TRUE;
 
-  /* If there already is a protocol-specific struct allocated for this
-     sessionhandle, deal with it */
-  Curl_reset_reqproto(conn);
-
-  if(!data->state.proto.http) {
-    /* Only allocate this struct if we don't already have it! */
-
-    http = calloc(1, sizeof(struct HTTP));
-    if(!http)
-      return CURLE_OUT_OF_MEMORY;
-    data->state.proto.http = http;
-  }
-  else
-    http = data->state.proto.http;
+  http = data->req.protop;
 
   if(!data->state.this_is_a_follow) {
     /* this is not a followed location, get the original host name */
@@ -1795,7 +1802,7 @@ CURLcode Curl_http(struct connectdata *conn, bool *done)
       if(conn->bits.authneg)
         /* don't enable chunked during auth neg */
         ;
-      else if(use_http_1_1(data, conn)) {
+      else if(use_http_1_1plus(data, conn)) {
         /* HTTP, upload, unknown file size and not HTTP 1.0 */
         data->req.upload_chunky = TRUE;
       }
@@ -2095,7 +2102,7 @@ CURLcode Curl_http(struct connectdata *conn, bool *done)
 
   /* Use 1.1 unless the user specifically asked for 1.0 or the server only
      supports 1.0 */
-  httpstring= use_http_1_1(data, conn)?"1.1":"1.0";
+  httpstring= use_http_1_1plus(data, conn)?"1.1":"1.0";
 
   /* initialize a dynamic send-buffer */
   req_buffer = Curl_add_buffer_init();
@@ -2173,6 +2180,15 @@ CURLcode Curl_http(struct connectdata *conn, bool *done)
   if(result)
     return result;
 
+  if(!(conn->handler->flags&PROTOPT_SSL) &&
+     (data->set.httpversion == CURL_HTTP_VERSION_2_0)) {
+    /* append HTTP2 updrade magic stuff to the HTTP request if it isn't done
+       over SSL */
+    result = Curl_http2_request(req_buffer, conn);
+    if(result)
+      return result;
+  }
+
 #if !defined(CURL_DISABLE_COOKIES)
   if(data->cookies || addcookies) {
     struct Cookie *co=NULL; /* no cookies from start */

lib/http.h

@@ -7,7 +7,7 @@
  *                            | (__| |_| |  _ <| |___
  *                             \___|\___/|_| \_\_____|
  *
- * Copyright (C) 1998 - 2011, Daniel Stenberg, <daniel@haxx.se>, et al.
+ * Copyright (C) 1998 - 2013, Daniel Stenberg, <daniel@haxx.se>, et al.
  *
  * This software is licensed as described in the file COPYING, which
  * you should have received as part of this distribution. The terms
@@ -21,8 +21,14 @@
  * KIND, either express or implied.
  *
  ***************************************************************************/
+#include "curl_setup.h"
+
 #ifndef CURL_DISABLE_HTTP
 
+#ifdef USE_NGHTTP2
+#include <nghttp2/nghttp2.h>
+#endif
+
 extern const struct Curl_handler Curl_handler_http;
 
 #ifdef USE_SSL
@@ -66,6 +72,7 @@ CURLcode Curl_add_custom_headers(struct connectdata *conn,
 CURLcode Curl_http(struct connectdata *conn, bool *done);
 CURLcode Curl_http_done(struct connectdata *, CURLcode, bool premature);
 CURLcode Curl_http_connect(struct connectdata *conn, bool *done);
+CURLcode Curl_http_setup_conn(struct connectdata *conn);
 
 /* The following functions are defined in http_chunks.c */
 void Curl_httpchunk_init(struct connectdata *conn);
@@ -141,6 +148,14 @@ struct HTTP {
                         points to an allocated send_buffer struct */
 };
 
+struct http_conn {
+#ifdef USE_NGHTTP2
+  nghttp2_session *h2;
+#else
+  int unused; /* prevent a compiler warning */
+#endif
+};
+
 CURLcode Curl_http_readwrite_headers(struct SessionHandle *data,
                                      struct connectdata *conn,
                                      ssize_t *nread,

lib/http2.c

@@ -0,0 +1,182 @@
+/***************************************************************************
+ *                                  _   _ ____  _
+ *  Project                     ___| | | |  _ \| |
+ *                             / __| | | | |_) | |
+ *                            | (__| |_| |  _ <| |___
+ *                             \___|\___/|_| \_\_____|
+ *
+ * Copyright (C) 1998 - 2013, Daniel Stenberg, <daniel@haxx.se>, et al.
+ *
+ * This software is licensed as described in the file COPYING, which
+ * you should have received as part of this distribution. The terms
+ * are also available at http://curl.haxx.se/docs/copyright.html.
+ *
+ * You may opt to use, copy, modify, merge, publish, distribute and/or sell
+ * copies of the Software, and permit persons to whom the Software is
+ * furnished to do so, under the terms of the COPYING file.
+ *
+ * This software is distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY
+ * KIND, either express or implied.
+ *
+ ***************************************************************************/
+
+#include "curl_setup.h"
+
+#ifdef USE_NGHTTP2
+#define _MPRINTF_REPLACE
+#include <curl/mprintf.h>
+
+#include <nghttp2/nghttp2.h>
+#include "urldata.h"
+#include "http2.h"
+#include "http.h"
+#include "sendf.h"
+#include "curl_base64.h"
+#include "curl_memory.h"
+
+/* include memdebug.h last */
+#include "memdebug.h"
+
+/*
+ * Store nghttp2 version info in this buffer, Prefix with a space.  Return
+ * total length written.
+ */
+int Curl_http2_ver(char *p, size_t len)
+{
+  nghttp2_info *h2 = nghttp2_version(0);
+  return snprintf(p, len, " nghttp2/%s", h2->version_str);
+}
+
+/*
+ * The implementation of nghttp2_send_callback type. Here we write |data| with
+ * size |length| to the network and return the number of bytes actually
+ * written. See the documentation of nghttp2_send_callback for the details.
+ */
+static ssize_t send_callback(nghttp2_session *h2,
+                             const uint8_t *data, size_t length, int flags,
+                             void *userp)
+{
+  struct connectdata *conn = (struct connectdata *)userp;
+  ssize_t written;
+  CURLcode rc =
+    Curl_write(conn, conn->sock[0], data, length, &written);
+  (void)h2;
+  (void)flags;
+
+  if(rc) {
+    failf(conn->data, "Failed sending HTTP2 data");
+    return NGHTTP2_ERR_CALLBACK_FAILURE;
+  }
+  else if(!written)
+    return NGHTTP2_ERR_WOULDBLOCK;
+
+  return written;
+}
+
+/*
+ * The implementation of nghttp2_recv_callback type. Here we read data from
+ * the network and write them in |buf|. The capacity of |buf| is |length|
+ * bytes. Returns the number of bytes stored in |buf|. See the documentation
+ * of nghttp2_recv_callback for the details.
+ */
+static ssize_t recv_callback(nghttp2_session *h2,
+                             uint8_t *buf, size_t length, int flags,
+                             void *userp)
+{
+  struct connectdata *conn = (struct connectdata *)userp;
+  ssize_t nread;
+  CURLcode rc = Curl_read(conn, conn->sock[0], (char *)buf, length, &nread);
+  (void)h2;
+  (void)flags;
+
+  if(rc) {
+    failf(conn->data, "Failed recving HTTP2 data");
+    return NGHTTP2_ERR_CALLBACK_FAILURE;
+  }
+  if(!nread)
+    return NGHTTP2_ERR_WOULDBLOCK;
+
+  return nread;
+}
+
+/*
+ * This is all callbacks nghttp2 calls
+ */
+static const nghttp2_session_callbacks callbacks = {
+  send_callback,
+  recv_callback,
+  NULL,
+  NULL,
+  NULL,
+  NULL,
+  NULL,
+  NULL,
+  NULL,
+  NULL,
+  NULL,
+  NULL,
+  NULL,
+  NULL
+};
+
+/*
+ * The HTTP2 settings we send in the Upgrade request
+ */
+static nghttp2_settings_entry settings[] = {
+  { NGHTTP2_SETTINGS_MAX_CONCURRENT_STREAMS, 100 },
+  { NGHTTP2_SETTINGS_INITIAL_WINDOW_SIZE, NGHTTP2_INITIAL_WINDOW_SIZE },
+};
+
+/*
+ * Append headers to ask for a HTTP1.1 to HTTP2 upgrade.
+ */
+CURLcode Curl_http2_request(Curl_send_buffer *req,
+                            struct connectdata *conn)
+{
+  uint8_t binsettings[80];
+  CURLcode result;
+  ssize_t binlen;
+  char *base64;
+  size_t blen;
+
+  if(!conn->proto.httpc.h2) {
+    /* The nghttp2 session is not yet setup, do it */
+    int rc = nghttp2_session_client_new(&conn->proto.httpc.h2,
+                                        &callbacks, &conn);
+    if(rc) {
+      failf(conn->data, "Couldn't initialize nghttp2!");
+      return CURLE_OUT_OF_MEMORY; /* most likely at least */
+    }
+  }
+
+  /* As long as we have a fixed set of settings, we don't have to dynamically
+   * figure out the base64 strings since it'll always be the same. However,
+   * the settings will likely not be fixed every time in the future.
+   */
+
+  /* this returns number of bytes it wrote */
+  binlen = nghttp2_pack_settings_payload(binsettings,
+                                         sizeof(binsettings),
+                                         settings,
+                                         sizeof(settings)/sizeof(settings[0]));
+  if(!binlen) {
+    failf(conn->data, "nghttp2 unexpectedly failed on pack_settings_payload");
+    return CURLE_FAILED_INIT;
+  }
+
+  result = Curl_base64_encode(conn->data, (const char *)binsettings, binlen,
+                              &base64, &blen);
+  if(result)
+    return result;
+
+  result = Curl_add_bufferf(req,
+                            "Connection: Upgrade, HTTP2-Settings\r\n"
+                            "Upgrade: %s\r\n"
+                            "HTTP2-Settings: %s\r\n",
+                            NGHTTP2_PROTO_VERSION_ID, base64);
+  free(base64);
+
+  return result;
+}
+
+#endif

lib/http2.h

@@ -1,3 +1,5 @@
+#ifndef HEADER_CURL_HTTP2_H
+#define HEADER_CURL_HTTP2_H
 /***************************************************************************
  *                                  _   _ ____  _
  *  Project                     ___| | | |  _ \| |
@@ -5,7 +7,7 @@
  *                            | (__| |_| |  _ <| |___
  *                             \___|\___/|_| \_\_____|
  *
- * Copyright (C) 1998 - 2009, Daniel Stenberg, <daniel@haxx.se>, et al.
+ * Copyright (C) 1998 - 2013, Daniel Stenberg, <daniel@haxx.se>, et al.
  *
  * This software is licensed as described in the file COPYING, which
  * you should have received as part of this distribution. The terms
@@ -22,40 +24,19 @@
 
 #include "curl_setup.h"
 
-#include <curl/curl.h>
+#ifdef USE_NGHTTP2
+#include "http.h"
+/*
+ * Store nghttp2 version info in this buffer, Prefix with a space.  Return
+ * total length written.
+ */
+int Curl_http2_ver(char *p, size_t len);
 
-#include "curl_rand.h"
+CURLcode Curl_http2_request(Curl_send_buffer *req,
+                            struct connectdata *conn);
+#else /* USE_NGHTTP2 */
+#define Curl_http2_request(x,y) CURLE_OK
+#endif
 
-#define _MPRINTF_REPLACE /* use our functions only */
-#include <curl/mprintf.h>
-
-#include "curl_memory.h"
-/* The last #include file should be: */
-#include "memdebug.h"
-
-/* Private pseudo-random number seed. Unsigned integer >= 32bit. Threads
-   mutual exclusion is not implemented to acess it since we do not require
-   high quality random numbers (only used in form boudary generation). */
-
-static unsigned int randseed;
-
-/* Pseudo-random number support. */
-
-unsigned int Curl_rand(void)
-{
-  unsigned int r;
-  /* Return an unsigned 32-bit pseudo-random number. */
-  r = randseed = randseed * 1103515245 + 12345;
-  return (r << 16) | ((r >> 16) & 0xFFFF);
-}
-
-void Curl_srand(void)
-{
-  /* Randomize pseudo-random number sequence. */
-
-  randseed = (unsigned int) time(NULL);
-  Curl_rand();
-  Curl_rand();
-  Curl_rand();
-}
+#endif /* HEADER_CURL_HTTP2_H */
 

lib/http_digest.c

@@ -25,14 +25,13 @@
 #if !defined(CURL_DISABLE_HTTP) && !defined(CURL_DISABLE_CRYPTO_AUTH)
 
 #include "urldata.h"
-#include "sendf.h"
 #include "rawstr.h"
 #include "curl_base64.h"
 #include "curl_md5.h"
 #include "http_digest.h"
 #include "strtok.h"
-#include "url.h" /* for Curl_safefree() */
 #include "curl_memory.h"
+#include "sslgen.h" /* for Curl_rand() */
 #include "non-ascii.h" /* included for Curl_convert_... prototypes */
 #include "warnless.h"
 
@@ -283,7 +282,7 @@ static char *string_quoted(const char *source)
     ++s;
   }
 
-  dest = (char *)malloc(n);
+  dest = malloc(n);
   if(dest) {
     s = source;
     d = dest;
@@ -310,14 +309,12 @@ CURLcode Curl_output_digest(struct connectdata *conn,
   unsigned char md5buf[16]; /* 16 bytes/128 bits */
   unsigned char request_digest[33];
   unsigned char *md5this;
-  unsigned char *ha1;
+  unsigned char ha1[33];/* 32 digits and 1 zero byte */
   unsigned char ha2[33];/* 32 digits and 1 zero byte */
   char cnoncebuf[33];
   char *cnonce = NULL;
   size_t cnonce_sz = 0;
   char *tmp = NULL;
-  struct timeval now;
-
   char **allocuserpwd;
   size_t userlen;
   const char *userp;
@@ -354,10 +351,7 @@ CURLcode Curl_output_digest(struct connectdata *conn,
     authp = &data->state.authhost;
   }
 
-  if(*allocuserpwd) {
-    Curl_safefree(*allocuserpwd);
-    *allocuserpwd = NULL;
-  }
+  Curl_safefree(*allocuserpwd);
 
   /* not set means empty */
   if(!userp)
@@ -376,10 +370,11 @@ CURLcode Curl_output_digest(struct connectdata *conn,
     d->nc = 1;
 
   if(!d->cnonce) {
-    /* Generate a cnonce */
-    now = Curl_tvnow();
-    snprintf(cnoncebuf, sizeof(cnoncebuf), "%32ld",
-             (long)now.tv_sec + now.tv_usec);
+    struct timeval now = Curl_tvnow();
+    snprintf(cnoncebuf, sizeof(cnoncebuf), "%08x%08x%08x%08x",
+             Curl_rand(data), Curl_rand(data),
+             (unsigned int)now.tv_sec,
+             (unsigned int)now.tv_usec);
 
     rc = Curl_base64_encode(data, cnoncebuf, strlen(cnoncebuf),
                             &cnonce, &cnonce_sz);
@@ -406,12 +401,7 @@ CURLcode Curl_output_digest(struct connectdata *conn,
 
   CURL_OUTPUT_DIGEST_CONV(data, md5this); /* convert on non-ASCII machines */
   Curl_md5it(md5buf, md5this);
-  free(md5this); /* free this again */
-
-  ha1 = malloc(33); /* 32 digits and 1 zero byte */
-  if(!ha1)
-    return CURLE_OUT_OF_MEMORY;
-
+  Curl_safefree(md5this);
   md5_to_ascii(md5buf, ha1);
 
   if(d->algo == CURLDIGESTALGO_MD5SESS) {
@@ -421,7 +411,7 @@ CURLcode Curl_output_digest(struct connectdata *conn,
       return CURLE_OUT_OF_MEMORY;
     CURL_OUTPUT_DIGEST_CONV(data, tmp); /* convert on non-ASCII machines */
     Curl_md5it(md5buf, (unsigned char *)tmp);
-    free(tmp); /* free this again */
+    Curl_safefree(tmp);
     md5_to_ascii(md5buf, ha1);
   }
 
@@ -463,18 +453,16 @@ CURLcode Curl_output_digest(struct connectdata *conn,
        TODO: replace md5 of empty string with entity-body for PUT/POST */
     unsigned char *md5this2 = (unsigned char *)
       aprintf("%s:%s", md5this, "d41d8cd98f00b204e9800998ecf8427e");
-    free(md5this);
+    Curl_safefree(md5this);
     md5this = md5this2;
   }
 
-  if(!md5this) {
-    free(ha1);
+  if(!md5this)
     return CURLE_OUT_OF_MEMORY;
-  }
 
   CURL_OUTPUT_DIGEST_CONV(data, md5this); /* convert on non-ASCII machines */
   Curl_md5it(md5buf, md5this);
-  free(md5this); /* free this again */
+  Curl_safefree(md5this);
   md5_to_ascii(md5buf, ha2);
 
   if(d->qop) {
@@ -492,13 +480,12 @@ CURLcode Curl_output_digest(struct connectdata *conn,
                                        d->nonce,
                                        ha2);
   }
-  free(ha1);
   if(!md5this)
     return CURLE_OUT_OF_MEMORY;
 
   CURL_OUTPUT_DIGEST_CONV(data, md5this); /* convert on non-ASCII machines */
   Curl_md5it(md5buf, md5this);
-  free(md5this); /* free this again */
+  Curl_safefree(md5this);
   md5_to_ascii(md5buf, request_digest);
 
   /* for test case 64 (snooped from a Mozilla 1.3a request)
@@ -515,7 +502,7 @@ CURLcode Curl_output_digest(struct connectdata *conn,
     chracters.
   */
   userp_quoted = string_quoted(userp);
-  if(!*userp_quoted)
+  if(!userp_quoted)
     return CURLE_OUT_OF_MEMORY;
 
   if(d->qop) {
@@ -559,7 +546,7 @@ CURLcode Curl_output_digest(struct connectdata *conn,
                uripath, /* this is the PATH part of the URL */
                request_digest);
   }
-  free(userp_quoted);
+  Curl_safefree(userp_quoted);
   if(!*allocuserpwd)
     return CURLE_OUT_OF_MEMORY;
 
@@ -595,29 +582,12 @@ CURLcode Curl_output_digest(struct connectdata *conn,
 
 static void digest_cleanup_one(struct digestdata *d)
 {
-  if(d->nonce)
-    free(d->nonce);
-  d->nonce = NULL;
-
-  if(d->cnonce)
-    free(d->cnonce);
-  d->cnonce = NULL;
-
-  if(d->realm)
-    free(d->realm);
-  d->realm = NULL;
-
-  if(d->opaque)
-    free(d->opaque);
-  d->opaque = NULL;
-
-  if(d->qop)
-    free(d->qop);
-  d->qop = NULL;
-
-  if(d->algorithm)
-    free(d->algorithm);
-  d->algorithm = NULL;
+  Curl_safefree(d->nonce);
+  Curl_safefree(d->cnonce);
+  Curl_safefree(d->realm);
+  Curl_safefree(d->opaque);
+  Curl_safefree(d->qop);
+  Curl_safefree(d->algorithm);
 
   d->nc = 0;
   d->algo = CURLDIGESTALGO_MD5; /* default algorithm */

lib/http_proxy.c

@@ -66,13 +66,13 @@ CURLcode Curl_proxy_connect(struct connectdata *conn)
      * This function might be called several times in the multi interface case
      * if the proxy's CONNTECT response is not instant.
      */
-    prot_save = conn->data->state.proto.generic;
+    prot_save = conn->data->req.protop;
     memset(&http_proxy, 0, sizeof(http_proxy));
-    conn->data->state.proto.http = &http_proxy;
+    conn->data->req.protop = &http_proxy;
     conn->bits.close = FALSE;
     result = Curl_proxyCONNECT(conn, FIRSTSOCKET,
                                conn->host.name, conn->remote_port);
-    conn->data->state.proto.generic = prot_save;
+    conn->data->req.protop = prot_save;
     if(CURLE_OK != result)
       return result;
 #else

lib/imap.c

@@ -26,6 +26,7 @@
  * RFC4616 PLAIN authentication
  * RFC4959 IMAP Extension for SASL Initial Client Response
  * RFC5092 IMAP URL Scheme
+ * RFC6749 OAuth 2.0 Authorization Framework
  *
  ***************************************************************************/
 
@@ -77,6 +78,7 @@
 #include "url.h"
 #include "rawstr.h"
 #include "curl_sasl.h"
+#include "warnless.h"
 
 #define _MPRINTF_REPLACE /* use our functions only */
 #include <curl/mprintf.h>
@@ -162,7 +164,7 @@ const struct Curl_handler Curl_handler_imaps = {
 
 static const struct Curl_handler Curl_handler_imap_proxy = {
   "IMAP",                               /* scheme */
-  ZERO_NULL,                            /* setup_connection */
+  Curl_http_setup_conn,                 /* setup_connection */
   Curl_http,                            /* do_it */
   Curl_http_done,                       /* done */
   ZERO_NULL,                            /* do_more */
@@ -187,7 +189,7 @@ static const struct Curl_handler Curl_handler_imap_proxy = {
 
 static const struct Curl_handler Curl_handler_imaps_proxy = {
   "IMAPS",                              /* scheme */
-  ZERO_NULL,                            /* setup_connection */
+  Curl_http_setup_conn,                 /* setup_connection */
   Curl_http,                            /* do_it */
   Curl_http_done,                       /* done */
   ZERO_NULL,                            /* do_more */
@@ -267,7 +269,7 @@ static bool imap_matchresp(const char *line, size_t len, const char *cmd)
 static bool imap_endofresp(struct connectdata *conn, char *line, size_t len,
                            int *resp)
 {
-  struct IMAP *imap = conn->data->state.proto.imap;
+  struct IMAP *imap = conn->data->req.protop;
   struct imap_conn *imapc = &conn->proto.imapc;
   const char *id = imapc->resptag;
   size_t id_len = strlen(id);
@@ -306,7 +308,12 @@ static bool imap_endofresp(struct connectdata *conn, char *line, size_t len,
            (strcmp(imap->custom, "STORE") ||
             !imap_matchresp(line, len, "FETCH")) &&
            strcmp(imap->custom, "SELECT") &&
-           strcmp(imap->custom, "EXAMINE")))
+           strcmp(imap->custom, "EXAMINE") &&
+           strcmp(imap->custom, "SEARCH") &&
+           strcmp(imap->custom, "EXPUNGE") &&
+           strcmp(imap->custom, "LSUB") &&
+           strcmp(imap->custom, "UID") &&
+           strcmp(imap->custom, "NOOP")))
           return FALSE;
         break;
 
@@ -329,7 +336,10 @@ static bool imap_endofresp(struct connectdata *conn, char *line, size_t len,
     return TRUE;
   }
 
-  /* Do we have a continuation response? */
+  /* Do we have a continuation response? This should be a + symbol followed by
+     a space and optionally some text as per RFC-3501 for the AUTHENTICATE and
+     APPEND commands and as outlined in Section 4. Examples of RFC-4959 but
+     some e-mail servers ignore this and only send a single + instead. */
   if((len == 3 && !memcmp("+", line, 1)) ||
      (len >= 2 && !memcmp("+ ", line, 2))) {
     switch(imapc->state) {
@@ -342,6 +352,7 @@ static bool imap_endofresp(struct connectdata *conn, char *line, size_t len,
       case IMAP_AUTHENTICATE_DIGESTMD5_RESP:
       case IMAP_AUTHENTICATE_NTLM:
       case IMAP_AUTHENTICATE_NTLM_TYPE2MSG:
+      case IMAP_AUTHENTICATE_XOAUTH2:
       case IMAP_AUTHENTICATE_FINAL:
       case IMAP_APPEND:
         *resp = '+';
@@ -384,6 +395,7 @@ static void state(struct connectdata *conn, imapstate newstate)
     "AUTHENTICATE_DIGESTMD5_RESP",
     "AUTHENTICATE_NTLM",
     "AUTHENTICATE_NTLM_TYPE2MSG",
+    "AUTHENTICATE_XOAUTH2",
     "AUTHENTICATE_FINAL",
     "LOGIN",
     "LIST",
@@ -398,7 +410,7 @@ static void state(struct connectdata *conn, imapstate newstate)
 
   if(imapc->state != newstate)
     infof(conn->data, "IMAP %p state change from %s to %s\n",
-          imapc, names[imapc->state], names[newstate]);
+          (void *)imapc, names[imapc->state], names[newstate]);
 #endif
 
   imapc->state = newstate;
@@ -546,13 +558,13 @@ static CURLcode imap_perform_authenticate(struct connectdata *conn)
 #ifndef CURL_DISABLE_CRYPTO_AUTH
   if((imapc->authmechs & SASL_MECH_DIGEST_MD5) &&
      (imapc->prefmech & SASL_MECH_DIGEST_MD5)) {
-    mech = "DIGEST-MD5";
+    mech = SASL_MECH_STRING_DIGEST_MD5;
     state1 = IMAP_AUTHENTICATE_DIGESTMD5;
     imapc->authused = SASL_MECH_DIGEST_MD5;
   }
   else if((imapc->authmechs & SASL_MECH_CRAM_MD5) &&
           (imapc->prefmech & SASL_MECH_CRAM_MD5)) {
-    mech = "CRAM-MD5";
+    mech = SASL_MECH_STRING_CRAM_MD5;
     state1 = IMAP_AUTHENTICATE_CRAMMD5;
     imapc->authused = SASL_MECH_CRAM_MD5;
   }
@@ -561,7 +573,7 @@ static CURLcode imap_perform_authenticate(struct connectdata *conn)
 #ifdef USE_NTLM
     if((imapc->authmechs & SASL_MECH_NTLM) &&
        (imapc->prefmech & SASL_MECH_NTLM)) {
-    mech = "NTLM";
+    mech = SASL_MECH_STRING_NTLM;
     state1 = IMAP_AUTHENTICATE_NTLM;
     state2 = IMAP_AUTHENTICATE_NTLM_TYPE2MSG;
     imapc->authused = SASL_MECH_NTLM;
@@ -573,9 +585,22 @@ static CURLcode imap_perform_authenticate(struct connectdata *conn)
   }
   else
 #endif
-  if((imapc->authmechs & SASL_MECH_LOGIN) &&
+  if(((imapc->authmechs & SASL_MECH_XOAUTH2) &&
+      (imapc->prefmech & SASL_MECH_XOAUTH2) &&
+      (imapc->prefmech != SASL_AUTH_ANY)) || conn->xoauth2_bearer) {
+    mech = SASL_MECH_STRING_XOAUTH2;
+    state1 = IMAP_AUTHENTICATE_XOAUTH2;
+    state2 = IMAP_AUTHENTICATE_FINAL;
+    imapc->authused = SASL_MECH_XOAUTH2;
+
+    if(imapc->ir_supported || data->set.sasl_ir)
+      result = Curl_sasl_create_xoauth2_message(conn->data, conn->user,
+                                                conn->xoauth2_bearer,
+                                                &initresp, &len);
+  }
+  else if((imapc->authmechs & SASL_MECH_LOGIN) &&
      (imapc->prefmech & SASL_MECH_LOGIN)) {
-    mech = "LOGIN";
+    mech = SASL_MECH_STRING_LOGIN;
     state1 = IMAP_AUTHENTICATE_LOGIN;
     state2 = IMAP_AUTHENTICATE_LOGIN_PASSWD;
     imapc->authused = SASL_MECH_LOGIN;
@@ -586,7 +611,7 @@ static CURLcode imap_perform_authenticate(struct connectdata *conn)
   }
   else if((imapc->authmechs & SASL_MECH_PLAIN) &&
           (imapc->prefmech & SASL_MECH_PLAIN)) {
-    mech = "PLAIN";
+    mech = SASL_MECH_STRING_PLAIN;
     state1 = IMAP_AUTHENTICATE_PLAIN;
     state2 = IMAP_AUTHENTICATE_FINAL;
     imapc->authused = SASL_MECH_PLAIN;
@@ -637,7 +662,7 @@ static CURLcode imap_perform_list(struct connectdata *conn)
 {
   CURLcode result = CURLE_OK;
   struct SessionHandle *data = conn->data;
-  struct IMAP *imap = data->state.proto.imap;
+  struct IMAP *imap = data->req.protop;
   char *mailbox;
 
   if(imap->custom)
@@ -672,7 +697,7 @@ static CURLcode imap_perform_select(struct connectdata *conn)
 {
   CURLcode result = CURLE_OK;
   struct SessionHandle *data = conn->data;
-  struct IMAP *imap = data->state.proto.imap;
+  struct IMAP *imap = data->req.protop;
   struct imap_conn *imapc = &conn->proto.imapc;
   char *mailbox;
 
@@ -711,7 +736,7 @@ static CURLcode imap_perform_select(struct connectdata *conn)
 static CURLcode imap_perform_fetch(struct connectdata *conn)
 {
   CURLcode result = CURLE_OK;
-  struct IMAP *imap = conn->data->state.proto.imap;
+  struct IMAP *imap = conn->data->req.protop;
 
   /* Check we have a UID */
   if(!imap->uid) {
@@ -739,7 +764,7 @@ static CURLcode imap_perform_fetch(struct connectdata *conn)
 static CURLcode imap_perform_append(struct connectdata *conn)
 {
   CURLcode result = CURLE_OK;
-  struct IMAP *imap = conn->data->state.proto.imap;
+  struct IMAP *imap = conn->data->req.protop;
   char *mailbox;
 
   /* Check we have a mailbox */
@@ -863,20 +888,22 @@ static CURLcode imap_state_capability_resp(struct connectdata *conn,
         wordlen -= 5;
 
         /* Test the word for a matching authentication mechanism */
-        if(wordlen == 5 && !memcmp(line, "LOGIN", 5))
+        if(sasl_mech_equal(line, wordlen, SASL_MECH_STRING_LOGIN))
           imapc->authmechs |= SASL_MECH_LOGIN;
-        if(wordlen == 5 && !memcmp(line, "PLAIN", 5))
+        else if(sasl_mech_equal(line, wordlen, SASL_MECH_STRING_PLAIN))
           imapc->authmechs |= SASL_MECH_PLAIN;
-        else if(wordlen == 8 && !memcmp(line, "CRAM-MD5", 8))
+        else if(sasl_mech_equal(line, wordlen, SASL_MECH_STRING_CRAM_MD5))
           imapc->authmechs |= SASL_MECH_CRAM_MD5;
-        else if(wordlen == 10 && !memcmp(line, "DIGEST-MD5", 10))
+        else if(sasl_mech_equal(line, wordlen, SASL_MECH_STRING_DIGEST_MD5))
           imapc->authmechs |= SASL_MECH_DIGEST_MD5;
-        else if(wordlen == 6 && !memcmp(line, "GSSAPI", 6))
+        else if(sasl_mech_equal(line, wordlen, SASL_MECH_STRING_GSSAPI))
           imapc->authmechs |= SASL_MECH_GSSAPI;
-        else if(wordlen == 8 && !memcmp(line, "EXTERNAL", 8))
+        else if(sasl_mech_equal(line, wordlen, SASL_MECH_STRING_EXTERNAL))
           imapc->authmechs |= SASL_MECH_EXTERNAL;
-        else if(wordlen == 4 && !memcmp(line, "NTLM", 4))
+        else if(sasl_mech_equal(line, wordlen, SASL_MECH_STRING_NTLM))
           imapc->authmechs |= SASL_MECH_NTLM;
+        else if(sasl_mech_equal(line, wordlen, SASL_MECH_STRING_XOAUTH2))
+          imapc->authmechs |= SASL_MECH_XOAUTH2;
       }
 
       line += wordlen;
@@ -1152,7 +1179,7 @@ static CURLcode imap_state_auth_digest_resp_resp(struct connectdata *conn,
   }
   else {
     /* Send an empty response */
-    result = Curl_pp_sendf(&conn->proto.imapc.pp, "");
+    result = Curl_pp_sendf(&conn->proto.imapc.pp, "%s", "");
 
     if(!result)
       state(conn, IMAP_AUTHENTICATE_FINAL);
@@ -1242,6 +1269,44 @@ static CURLcode imap_state_auth_ntlm_type2msg_resp(struct connectdata *conn,
 }
 #endif
 
+/* For AUTH XOAUTH2 (without initial response) responses */
+static CURLcode imap_state_auth_xoauth2_resp(struct connectdata *conn,
+                                             int imapcode,
+                                             imapstate instate)
+{
+  CURLcode result = CURLE_OK;
+  struct SessionHandle *data = conn->data;
+  size_t len = 0;
+  char *xoauth = NULL;
+
+  (void)instate; /* no use for this yet */
+
+  if(imapcode != '+') {
+    failf(data, "Access denied: %d", imapcode);
+    result = CURLE_LOGIN_DENIED;
+  }
+  else {
+    /* Create the authorisation message */
+    result = Curl_sasl_create_xoauth2_message(conn->data, conn->user,
+                                              conn->xoauth2_bearer,
+                                              &xoauth, &len);
+
+    /* Send the message */
+    if(!result) {
+      if(xoauth) {
+        result = Curl_pp_sendf(&conn->proto.imapc.pp, "%s", xoauth);
+
+        if(!result)
+          state(conn, IMAP_AUTHENTICATE_FINAL);
+      }
+
+      Curl_safefree(xoauth);
+    }
+  }
+
+  return result;
+}
+
 /* For final responses to the AUTHENTICATE sequence */
 static CURLcode imap_state_auth_final_resp(struct connectdata *conn,
                                            int imapcode,
@@ -1315,7 +1380,7 @@ static CURLcode imap_state_select_resp(struct connectdata *conn, int imapcode,
 {
   CURLcode result = CURLE_OK;
   struct SessionHandle *data = conn->data;
-  struct IMAP *imap = conn->data->state.proto.imap;
+  struct IMAP *imap = conn->data->req.protop;
   struct imap_conn *imapc = &conn->proto.imapc;
   const char *line = data->state.buffer;
   char tmp[20];
@@ -1406,10 +1471,10 @@ static CURLcode imap_state_fetch_resp(struct connectdata *conn, int imapcode,
         return result;
 
       data->req.bytecount += chunk;
-      size -= chunk;
 
       infof(data, "Written %" FORMAT_OFF_TU " bytes, %" FORMAT_OFF_TU
-            " bytes are left for transfer\n", (curl_off_t)chunk, size);
+            " bytes are left for transfer\n", (curl_off_t)chunk,
+            size - chunk);
 
       /* Have we used the entire cache or just part of it?*/
       if(pp->cache_size > chunk) {
@@ -1426,7 +1491,7 @@ static CURLcode imap_state_fetch_resp(struct connectdata *conn, int imapcode,
       }
     }
 
-    if(!size)
+    if(data->req.bytecount == size)
       /* The entire data is already transferred! */
       Curl_setup_transfer(conn, -1, -1, FALSE, NULL, -1, NULL);
     else {
@@ -1591,6 +1656,10 @@ static CURLcode imap_statemach_act(struct connectdata *conn)
       break;
 #endif
 
+    case IMAP_AUTHENTICATE_XOAUTH2:
+      result = imap_state_auth_xoauth2_resp(conn, imapcode, imapc->state);
+      break;
+
     case IMAP_AUTHENTICATE_FINAL:
       result = imap_state_auth_final_resp(conn, imapcode, imapc->state);
       break;
@@ -1641,11 +1710,13 @@ static CURLcode imap_multi_statemach(struct connectdata *conn, bool *done)
   CURLcode result = CURLE_OK;
   struct imap_conn *imapc = &conn->proto.imapc;
 
-  if((conn->handler->flags & PROTOPT_SSL) && !imapc->ssldone)
+  if((conn->handler->flags & PROTOPT_SSL) && !imapc->ssldone) {
     result = Curl_ssl_connect_nonblocking(conn, FIRSTSOCKET, &imapc->ssldone);
-  else
-    result = Curl_pp_statemach(&imapc->pp, FALSE);
+    if(result || !imapc->ssldone)
+      return result;
+  }
 
+  result = Curl_pp_statemach(&imapc->pp, FALSE);
   *done = (imapc->state == IMAP_STOP) ? TRUE : FALSE;
 
   return result;
@@ -1668,13 +1739,11 @@ static CURLcode imap_init(struct connectdata *conn)
 {
   CURLcode result = CURLE_OK;
   struct SessionHandle *data = conn->data;
-  struct IMAP *imap = data->state.proto.imap;
+  struct IMAP *imap;
 
-  if(!imap) {
-    imap = data->state.proto.imap = calloc(sizeof(struct IMAP), 1);
-    if(!imap)
-      result = CURLE_OUT_OF_MEMORY;
-  }
+  imap = data->req.protop = calloc(sizeof(struct IMAP), 1);
+  if(!imap)
+    result = CURLE_OUT_OF_MEMORY;
 
   return result;
 }
@@ -1694,8 +1763,7 @@ static int imap_getsock(struct connectdata *conn, curl_socket_t *socks,
  * connection phase.
  *
  * The variable 'done' points to will be TRUE if the protocol-layer connect
- * phase is done when this function returns, or FALSE is not. When called as
- * a part of the easy interface, it will always be TRUE.
+ * phase is done when this function returns, or FALSE if not.
  */
 static CURLcode imap_connect(struct connectdata *conn, bool *done)
 {
@@ -1705,15 +1773,6 @@ static CURLcode imap_connect(struct connectdata *conn, bool *done)
 
   *done = FALSE; /* default to not done yet */
 
-  /* If there already is a protocol-specific struct allocated for this
-     sessionhandle, deal with it */
-  Curl_reset_reqproto(conn);
-
-  /* Initialise the IMAP layer */
-  result = imap_init(conn);
-  if(result)
-    return result;
-
   /* We always support persistent connections in IMAP */
   conn->bits.close = FALSE;
 
@@ -1759,7 +1818,7 @@ static CURLcode imap_done(struct connectdata *conn, CURLcode status,
 {
   CURLcode result = CURLE_OK;
   struct SessionHandle *data = conn->data;
-  struct IMAP *imap = data->state.proto.imap;
+  struct IMAP *imap = data->req.protop;
 
   (void)premature;
 
@@ -1781,7 +1840,7 @@ static CURLcode imap_done(struct connectdata *conn, CURLcode status,
       state(conn, IMAP_FETCH_FINAL);
     else {
       /* End the APPEND command first by sending an empty line */
-      result = Curl_pp_sendf(&conn->proto.imapc.pp, "");
+      result = Curl_pp_sendf(&conn->proto.imapc.pp, "%s", "");
       if(!result)
         state(conn, IMAP_APPEND_FINAL);
     }
@@ -1824,7 +1883,7 @@ static CURLcode imap_perform(struct connectdata *conn, bool *connected,
   /* This is IMAP and no proxy */
   CURLcode result = CURLE_OK;
   struct SessionHandle *data = conn->data;
-  struct IMAP *imap = data->state.proto.imap;
+  struct IMAP *imap = data->req.protop;
   struct imap_conn *imapc = &conn->proto.imapc;
   bool selected = FALSE;
 
@@ -1891,15 +1950,6 @@ static CURLcode imap_do(struct connectdata *conn, bool *done)
 
   *done = FALSE; /* default to false */
 
-  /* Since connections can be re-used between SessionHandles, there might be a
-     connection already existing but on a fresh SessionHandle struct. As such
-     we make sure we have a good IMAP struct to play with. For new connections
-     the IMAP struct is allocated and setup in the imap_connect() function. */
-  Curl_reset_reqproto(conn);
-  result = imap_init(conn);
-  if(result)
-    return result;
-
   /* Parse the URL path */
   result = imap_parse_url_path(conn);
   if(result)
@@ -1952,7 +2002,7 @@ static CURLcode imap_disconnect(struct connectdata *conn, bool dead_connection)
 /* Call this when the DO phase has completed */
 static CURLcode imap_dophase_done(struct connectdata *conn, bool connected)
 {
-  struct IMAP *imap = conn->data->state.proto.imap;
+  struct IMAP *imap = conn->data->req.protop;
 
   (void)connected;
 
@@ -2018,6 +2068,11 @@ static CURLcode imap_setup_connection(struct connectdata *conn)
 {
   struct SessionHandle *data = conn->data;
 
+  /* Initialise the IMAP layer */
+  CURLcode result = imap_init(conn);
+  if(result)
+    return result;
+
   if(conn->bits.httpproxy && !data->set.tunnel_thru_httpproxy) {
     /* Unless we have asked to tunnel IMAP operations through the proxy, we
        switch and use HTTP operations only */
@@ -2033,10 +2088,8 @@ static CURLcode imap_setup_connection(struct connectdata *conn)
 #endif
     }
 
-    /* We explicitly mark this connection as persistent here as we're doing
-       IMAP over HTTP and thus we accidentally avoid setting this value
-       otherwise */
-    conn->bits.close = FALSE;
+    /* set it up as an HTTP connection instead */
+    return conn->handler->setup_connection(conn);
 #else
     failf(data, "IMAP over http proxy requires HTTP support built-in!");
     return CURLE_UNSUPPORTED_PROTOCOL;
@@ -2062,14 +2115,15 @@ static CURLcode imap_sendf(struct connectdata *conn, const char *fmt, ...)
   struct imap_conn *imapc = &conn->proto.imapc;
   char *taggedfmt;
   va_list ap;
-  va_start(ap, fmt);
+
+  DEBUGASSERT(fmt);
 
   /* Calculate the next command ID wrapping at 3 digits */
   imapc->cmdid = (imapc->cmdid + 1) % 1000;
 
   /* Calculate the tag based on the connection ID and command ID */
   snprintf(imapc->resptag, sizeof(imapc->resptag), "%c%03d",
-           'A' + (conn->connection_id % 26), imapc->cmdid);
+           'A' + curlx_sltosi(conn->connection_id % 26), imapc->cmdid);
 
   /* Prefix the format with the tag */
   taggedfmt = aprintf("%s %s", imapc->resptag, fmt);
@@ -2077,10 +2131,11 @@ static CURLcode imap_sendf(struct connectdata *conn, const char *fmt, ...)
     return CURLE_OUT_OF_MEMORY;
 
   /* Send the data with the tag */
+  va_start(ap, fmt);
   result = Curl_pp_vsendf(&imapc->pp, taggedfmt, ap);
+  va_end(ap);
 
   Curl_safefree(taggedfmt);
-  va_end(ap);
 
   return result;
 }
@@ -2223,18 +2278,20 @@ static CURLcode imap_parse_url_options(struct connectdata *conn)
 
       if(strequal(value, "*"))
         imapc->prefmech = SASL_AUTH_ANY;
-      else if(strequal(value, "LOGIN"))
+      else if(strequal(value, SASL_MECH_STRING_LOGIN))
         imapc->prefmech = SASL_MECH_LOGIN;
-      else if(strequal(value, "PLAIN"))
+      else if(strequal(value, SASL_MECH_STRING_PLAIN))
         imapc->prefmech = SASL_MECH_PLAIN;
-      else if(strequal(value, "CRAM-MD5"))
+      else if(strequal(value, SASL_MECH_STRING_CRAM_MD5))
         imapc->prefmech = SASL_MECH_CRAM_MD5;
-      else if(strequal(value, "DIGEST-MD5"))
+      else if(strequal(value, SASL_MECH_STRING_DIGEST_MD5))
         imapc->prefmech = SASL_MECH_DIGEST_MD5;
-      else if(strequal(value, "GSSAPI"))
+      else if(strequal(value, SASL_MECH_STRING_GSSAPI))
         imapc->prefmech = SASL_MECH_GSSAPI;
-      else if(strequal(value, "NTLM"))
+      else if(strequal(value, SASL_MECH_STRING_NTLM))
         imapc->prefmech = SASL_MECH_NTLM;
+      else if(strequal(value, SASL_MECH_STRING_XOAUTH2))
+        imapc->prefmech = SASL_MECH_XOAUTH2;
       else
         imapc->prefmech = SASL_AUTH_NONE;
     }
@@ -2257,7 +2314,7 @@ static CURLcode imap_parse_url_path(struct connectdata *conn)
   /* The imap struct is already initialised in imap_connect() */
   CURLcode result = CURLE_OK;
   struct SessionHandle *data = conn->data;
-  struct IMAP *imap = data->state.proto.imap;
+  struct IMAP *imap = data->req.protop;
   const char *begin = data->state.path;
   const char *ptr = begin;
 
@@ -2365,7 +2422,7 @@ static CURLcode imap_parse_custom_request(struct connectdata *conn)
 {
   CURLcode result = CURLE_OK;
   struct SessionHandle *data = conn->data;
-  struct IMAP *imap = data->state.proto.imap;
+  struct IMAP *imap = data->req.protop;
   const char *custom = data->set.str[STRING_CUSTOMREQUEST];
 
   if(custom) {

lib/imap.h

@@ -43,6 +43,7 @@ typedef enum {
   IMAP_AUTHENTICATE_DIGESTMD5_RESP,
   IMAP_AUTHENTICATE_NTLM,
   IMAP_AUTHENTICATE_NTLM_TYPE2MSG,
+  IMAP_AUTHENTICATE_XOAUTH2,
   IMAP_AUTHENTICATE_FINAL,
   IMAP_LOGIN,
   IMAP_LIST,

lib/krb4.c

@@ -1,440 +0,0 @@
-/* This source code was modified by Martin Hedenfalk <mhe@stacken.kth.se> for
- * use in Curl. Martin's latest changes were done 2000-09-18.
- *
- * It has since been patched away like a madman by Daniel Stenberg to make it
- * better applied to curl conditions, and to make it not use globals, pollute
- * name space and more.
- *
- * Copyright (c) 1995, 1996, 1997, 1998, 1999 Kungliga Tekniska H<>gskolan
- * (Royal Institute of Technology, Stockholm, Sweden).
- * Copyright (c) 2004 - 2011 Daniel Stenberg
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- *    notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- *    notice, this list of conditions and the following disclaimer in the
- *    documentation and/or other materials provided with the distribution.
- *
- * 3. Neither the name of the Institute nor the names of its contributors
- *    may be used to endorse or promote products derived from this software
- *    without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- *
- */
-
-#include "curl_setup.h"
-
-#ifndef CURL_DISABLE_FTP
-#ifdef HAVE_KRB4
-
-#ifdef HAVE_NETDB_H
-#include <netdb.h>
-#endif
-#include <krb.h>
-#include <des.h>
-
-#include "urldata.h"
-#include "curl_base64.h"
-#include "ftp.h"
-#include "sendf.h"
-#include "krb4.h"
-#include "inet_ntop.h"
-#include "curl_memory.h"
-
-/* The last #include file should be: */
-#include "memdebug.h"
-
-#define LOCAL_ADDR (&conn->local_addr)
-#define REMOTE_ADDR conn->ip_addr->ai_addr
-#define myctladdr LOCAL_ADDR
-#define hisctladdr REMOTE_ADDR
-
-struct krb4_data {
-  des_cblock key;
-  des_key_schedule schedule;
-  char name[ANAME_SZ];
-  char instance[INST_SZ];
-  char realm[REALM_SZ];
-};
-
-#ifndef HAVE_STRLCPY
-/* if it ever goes non-static, make it Curl_ prefixed! */
-static size_t
-strlcpy (char *dst, const char *src, size_t dst_sz)
-{
-  size_t n;
-  char *p;
-
-  for(p = dst, n = 0;
-      n + 1 < dst_sz && *src != '\0';
-      ++p, ++src, ++n)
-    *p = *src;
-  *p = '\0';
-  if(*src == '\0')
-    return n;
-  else
-    return n + strlen (src);
-}
-#else
-size_t strlcpy (char *dst, const char *src, size_t dst_sz);
-#endif
-
-static int
-krb4_check_prot(void *app_data, int level)
-{
-  app_data = NULL; /* prevent compiler warning */
-  if(level == PROT_CONFIDENTIAL)
-    return -1;
-  return 0;
-}
-
-static int
-krb4_decode(void *app_data, void *buf, int len, int level,
-            struct connectdata *conn)
-{
-  MSG_DAT m;
-  int e;
-  struct krb4_data *d = app_data;
-
-  if(level == PROT_SAFE)
-    e = krb_rd_safe(buf, len, &d->key,
-                    (struct sockaddr_in *)REMOTE_ADDR,
-                    (struct sockaddr_in *)LOCAL_ADDR, &m);
-  else
-    e = krb_rd_priv(buf, len, d->schedule, &d->key,
-                    (struct sockaddr_in *)REMOTE_ADDR,
-                    (struct sockaddr_in *)LOCAL_ADDR, &m);
-  if(e) {
-    struct SessionHandle *data = conn->data;
-    infof(data, "krb4_decode: %s\n", krb_get_err_text(e));
-    return -1;
-  }
-  memmove(buf, m.app_data, m.app_length);
-  return m.app_length;
-}
-
-static int
-krb4_overhead(void *app_data, int level, int len)
-{
-  /* no arguments are used, just init them to prevent compiler warnings */
-  app_data = NULL;
-  level = 0;
-  len = 0;
-  return 31;
-}
-
-static int
-krb4_encode(void *app_data, const void *from, int length, int level, void **to,
-            struct connectdata *conn)
-{
-  struct krb4_data *d = app_data;
-  *to = malloc(length + 31);
-  if(!*to)
-    return -1;
-  if(level == PROT_SAFE)
-    /* NOTE that the void* cast is safe, krb_mk_safe/priv don't modify the
-     * input buffer
-     */
-    return krb_mk_safe((void*)from, *to, length, &d->key,
-                       (struct sockaddr_in *)LOCAL_ADDR,
-                       (struct sockaddr_in *)REMOTE_ADDR);
-  else if(level == PROT_PRIVATE)
-    return krb_mk_priv((void*)from, *to, length, d->schedule, &d->key,
-                       (struct sockaddr_in *)LOCAL_ADDR,
-                       (struct sockaddr_in *)REMOTE_ADDR);
-  else
-    return -1;
-}
-
-static int
-mk_auth(struct krb4_data *d, KTEXT adat,
-        const char *service, char *host, int checksum)
-{
-  int ret;
-  CREDENTIALS cred;
-  char sname[SNAME_SZ], inst[INST_SZ], realm[REALM_SZ];
-
-  strlcpy(sname, service, sizeof(sname));
-  strlcpy(inst, krb_get_phost(host), sizeof(inst));
-  strlcpy(realm, krb_realmofhost(host), sizeof(realm));
-  ret = krb_mk_req(adat, sname, inst, realm, checksum);
-  if(ret)
-    return ret;
-  strlcpy(sname, service, sizeof(sname));
-  strlcpy(inst, krb_get_phost(host), sizeof(inst));
-  strlcpy(realm, krb_realmofhost(host), sizeof(realm));
-  ret = krb_get_cred(sname, inst, realm, &cred);
-  memmove(&d->key, &cred.session, sizeof(des_cblock));
-  des_key_sched(&d->key, d->schedule);
-  memset(&cred, 0, sizeof(cred));
-  return ret;
-}
-
-#ifdef HAVE_KRB_GET_OUR_IP_FOR_REALM
-int krb_get_our_ip_for_realm(char *, struct in_addr *);
-#endif
-
-static int
-krb4_auth(void *app_data, struct connectdata *conn)
-{
-  int ret;
-  char *p;
-  unsigned char *ptr;
-  size_t len = 0;
-  KTEXT_ST adat;
-  MSG_DAT msg_data;
-  int checksum;
-  u_int32_t cs;
-  struct krb4_data *d = app_data;
-  char *host = conn->host.name;
-  ssize_t nread;
-  int l = sizeof(conn->local_addr);
-  struct SessionHandle *data = conn->data;
-  CURLcode result;
-  size_t base64_sz = 0;
-
-  if(getsockname(conn->sock[FIRSTSOCKET],
-                 (struct sockaddr *)LOCAL_ADDR, &l) < 0)
-    perror("getsockname()");
-
-  checksum = getpid();
-  ret = mk_auth(d, &adat, "ftp", host, checksum);
-  if(ret == KDC_PR_UNKNOWN)
-    ret = mk_auth(d, &adat, "rcmd", host, checksum);
-  if(ret) {
-    infof(data, "%s\n", krb_get_err_text(ret));
-    return AUTH_CONTINUE;
-  }
-
-#ifdef HAVE_KRB_GET_OUR_IP_FOR_REALM
-  if(krb_get_config_bool("nat_in_use")) {
-    struct sockaddr_in *localaddr  = (struct sockaddr_in *)LOCAL_ADDR;
-    struct in_addr natAddr;
-
-    if(krb_get_our_ip_for_realm(krb_realmofhost(host),
-                                 &natAddr) != KSUCCESS
-        && krb_get_our_ip_for_realm(NULL, &natAddr) != KSUCCESS)
-      infof(data, "Can't get address for realm %s\n",
-                 krb_realmofhost(host));
-    else {
-      if(natAddr.s_addr != localaddr->sin_addr.s_addr) {
-        char addr_buf[128];
-        if(Curl_inet_ntop(AF_INET, natAddr, addr_buf, sizeof(addr_buf)))
-          infof(data, "Using NAT IP address (%s) for kerberos 4\n", addr_buf);
-        localaddr->sin_addr = natAddr;
-      }
-    }
-  }
-#endif
-
-  result = Curl_base64_encode(conn->data, (char *)adat.dat, adat.length,
-                              &p, &base64_sz);
-  if(result) {
-    Curl_failf(data, "base64-encoding: %s", curl_easy_strerror(result));
-    return AUTH_CONTINUE;
-  }
-
-  result = Curl_ftpsendf(conn, "ADAT %s", p);
-
-  free(p);
-
-  if(result)
-    return -2;
-
-  if(Curl_GetFTPResponse(&nread, conn, NULL))
-    return -1;
-
-  if(data->state.buffer[0] != '2') {
-    Curl_failf(data, "Server didn't accept auth data");
-    return AUTH_ERROR;
-  }
-
-  p = strstr(data->state.buffer, "ADAT=");
-  if(!p) {
-    Curl_failf(data, "Remote host didn't send adat reply");
-    return AUTH_ERROR;
-  }
-  p += 5;
-  result = Curl_base64_decode(p, &ptr, &len);
-  if(result) {
-    Curl_failf(data, "base64-decoding: %s", curl_easy_strerror(result));
-    return AUTH_ERROR;
-  }
-  if(len > sizeof(adat.dat)-1) {
-    free(ptr);
-    ptr = NULL;
-    len = 0;
-  }
-  if(!len || !ptr) {
-    Curl_failf(data, "Failed to decode base64 from server");
-    return AUTH_ERROR;
-  }
-  memcpy((char *)adat.dat, ptr, len);
-  free(ptr);
-  adat.length = len;
-  ret = krb_rd_safe(adat.dat, adat.length, &d->key,
-                    (struct sockaddr_in *)hisctladdr,
-                    (struct sockaddr_in *)myctladdr, &msg_data);
-  if(ret) {
-    Curl_failf(data, "Error reading reply from server: %s",
-               krb_get_err_text(ret));
-    return AUTH_ERROR;
-  }
-  krb_get_int(msg_data.app_data, &cs, 4, 0);
-  if(cs - checksum != 1) {
-    Curl_failf(data, "Bad checksum returned from server");
-    return AUTH_ERROR;
-  }
-  return AUTH_OK;
-}
-
-struct Curl_sec_client_mech Curl_krb4_client_mech = {
-    "KERBEROS_V4",
-    sizeof(struct krb4_data),
-    NULL, /* init */
-    krb4_auth,
-    NULL, /* end */
-    krb4_check_prot,
-    krb4_overhead,
-    krb4_encode,
-    krb4_decode
-};
-
-static enum protection_level
-krb4_set_command_prot(struct connectdata *conn, enum protection_level level)
-{
-  enum protection_level old = conn->command_prot;
-  DEBUGASSERT(level > PROT_NONE && level < PROT_LAST);
-  conn->command_prot = level;
-  return old;
-}
-
-CURLcode Curl_krb_kauth(struct connectdata *conn)
-{
-  des_cblock key;
-  des_key_schedule schedule;
-  KTEXT_ST tkt, tktcopy;
-  char *name;
-  char *p;
-  char passwd[100];
-  size_t tmp = 0;
-  ssize_t nread;
-  enum protection_level save;
-  CURLcode result;
-  unsigned char *ptr;
-  size_t base64_sz = 0;
-
-  save = krb4_set_command_prot(conn, PROT_PRIVATE);
-
-  result = Curl_ftpsendf(conn, "SITE KAUTH %s", conn->user);
-
-  if(result)
-    return result;
-
-  result = Curl_GetFTPResponse(&nread, conn, NULL);
-  if(result)
-    return result;
-
-  if(conn->data->state.buffer[0] != '3') {
-    krb4_set_command_prot(conn, save);
-    return CURLE_FTP_WEIRD_SERVER_REPLY;
-  }
-
-  p = strstr(conn->data->state.buffer, "T=");
-  if(!p) {
-    Curl_failf(conn->data, "Bad reply from server");
-    krb4_set_command_prot(conn, save);
-    return CURLE_FTP_WEIRD_SERVER_REPLY;
-  }
-
-  p += 2;
-  result = Curl_base64_decode(p, &ptr, &tmp);
-  if(result) {
-    Curl_failf(conn->data, "base64-decoding: %s", curl_easy_strerror(result));
-    return result;
-  }
-  if(tmp >= sizeof(tkt.dat)) {
-    free(ptr);
-    ptr = NULL;
-    tmp = 0;
-  }
-  if(!tmp || !ptr) {
-    Curl_failf(conn->data, "Failed to decode base64 in reply");
-    krb4_set_command_prot(conn, save);
-    return CURLE_FTP_WEIRD_SERVER_REPLY;
-  }
-  memcpy((char *)tkt.dat, ptr, tmp);
-  free(ptr);
-  tkt.length = tmp;
-  tktcopy.length = tkt.length;
-
-  p = strstr(conn->data->state.buffer, "P=");
-  if(!p) {
-    Curl_failf(conn->data, "Bad reply from server");
-    krb4_set_command_prot(conn, save);
-    return CURLE_FTP_WEIRD_SERVER_REPLY;
-  }
-  name = p + 2;
-  for(; *p && *p != ' ' && *p != '\r' && *p != '\n'; p++);
-  *p = 0;
-
-  des_string_to_key (conn->passwd, &key);
-  des_key_sched(&key, schedule);
-
-  des_pcbc_encrypt((void *)tkt.dat, (void *)tktcopy.dat,
-                   tkt.length,
-                   schedule, &key, DES_DECRYPT);
-  if(strcmp ((char*)tktcopy.dat + 8,
-              KRB_TICKET_GRANTING_TICKET) != 0) {
-    afs_string_to_key(passwd,
-                      krb_realmofhost(conn->host.name),
-                      &key);
-    des_key_sched(&key, schedule);
-    des_pcbc_encrypt((void *)tkt.dat, (void *)tktcopy.dat,
-                     tkt.length,
-                     schedule, &key, DES_DECRYPT);
-  }
-  memset(key, 0, sizeof(key));
-  memset(schedule, 0, sizeof(schedule));
-  memset(passwd, 0, sizeof(passwd));
-  result = Curl_base64_encode(conn->data, (char *)tktcopy.dat, tktcopy.length,
-                              &p, &base64_sz);
-  if(result) {
-    Curl_failf(conn->data, "base64-encoding: %s", curl_easy_strerror(result));
-    krb4_set_command_prot(conn, save);
-    return result;
-  }
-  memset (tktcopy.dat, 0, tktcopy.length);
-
-  result = Curl_ftpsendf(conn, "SITE KAUTH %s %s", name, p);
-  free(p);
-  if(result)
-    return result;
-
-  result = Curl_GetFTPResponse(&nread, conn, NULL);
-  if(result)
-    return result;
-  krb4_set_command_prot(conn, save);
-
-  return CURLE_OK;
-}
-
-#endif /* HAVE_KRB4 */
-#endif /* CURL_DISABLE_FTP */

lib/krb5.c

@@ -1,6 +1,6 @@
 /* GSSAPI/krb5 support for FTP - loosely based on old krb4.c
  *
- * Copyright (c) 1995, 1996, 1997, 1998, 1999 Kungliga Tekniska H<>gskolan
+ * Copyright (c) 1995, 1996, 1997, 1998, 1999, 2013 Kungliga Tekniska H<>gskolan
  * (Royal Institute of Technology, Stockholm, Sweden).
  * Copyright (c) 2004 - 2012 Daniel Stenberg
  * All rights reserved.
@@ -51,7 +51,7 @@
 #include "ftp.h"
 #include "curl_gssapi.h"
 #include "sendf.h"
-#include "krb4.h"
+#include "curl_sec.h"
 #include "curl_memory.h"
 #include "warnless.h"
 

lib/ldap.c

@@ -5,7 +5,7 @@
  *                | (__| |_| |  _ <| |___
  *                 \___|\___/|_| \_\_____|
  *
- * Copyright (C) 1998 - 2012, Daniel Stenberg, <daniel@haxx.se>, et al.
+ * Copyright (C) 1998 - 2013, Daniel Stenberg, <daniel@haxx.se>, et al.
  *
  * This software is licensed as described in the file COPYING, which
  * you should have received as part of this distribution. The terms
@@ -77,13 +77,16 @@
 /* Use our own implementation. */
 
 typedef struct {
-    char   *lud_host;
-    int     lud_port;
-    char   *lud_dn;
-    char  **lud_attrs;
-    int     lud_scope;
-    char   *lud_filter;
-    char  **lud_exts;
+  char   *lud_host;
+  int     lud_port;
+  char   *lud_dn;
+  char  **lud_attrs;
+  int     lud_scope;
+  char   *lud_filter;
+  char  **lud_exts;
+  size_t    lud_attrs_dups; /* how many were dup'ed, this field is not in the
+                               "real" struct so can only be used in code
+                               without HAVE_LDAP_URL_PARSE defined */
 } CURL_LDAPURLDesc;
 
 #undef LDAPURLDesc
@@ -260,7 +263,7 @@ static CURLcode Curl_ldap(struct connectdata *conn, bool *done)
     }
     server = ldapssl_init(conn->host.name, (int)conn->port, 1);
     if(server == NULL) {
-      failf(data, "LDAP local: Cannot connect to %s:%hu",
+      failf(data, "LDAP local: Cannot connect to %s:%ld",
               conn->host.name, conn->port);
       status = CURLE_COULDNT_CONNECT;
       goto quit;
@@ -301,7 +304,7 @@ static CURLcode Curl_ldap(struct connectdata *conn, bool *done)
     }
     server = ldap_init(conn->host.name, (int)conn->port);
     if(server == NULL) {
-      failf(data, "LDAP local: Cannot connect to %s:%hu",
+      failf(data, "LDAP local: Cannot connect to %s:%ld",
               conn->host.name, conn->port);
       status = CURLE_COULDNT_CONNECT;
       goto quit;
@@ -337,7 +340,7 @@ static CURLcode Curl_ldap(struct connectdata *conn, bool *done)
   else {
     server = ldap_init(conn->host.name, (int)conn->port);
     if(server == NULL) {
-      failf(data, "LDAP local: Cannot connect to %s:%hu",
+      failf(data, "LDAP local: Cannot connect to %s:%ld",
               conn->host.name, conn->port);
       status = CURLE_COULDNT_CONNECT;
       goto quit;
@@ -539,19 +542,15 @@ static bool unescape_elements (void *data, LDAPURLDesc *ludp)
   if(ludp->lud_filter) {
     ludp->lud_filter = curl_easy_unescape(data, ludp->lud_filter, 0, NULL);
     if(!ludp->lud_filter)
-       return (FALSE);
+       return FALSE;
   }
 
   for(i = 0; ludp->lud_attrs && ludp->lud_attrs[i]; i++) {
-    ludp->lud_attrs[i] = curl_easy_unescape(data, ludp->lud_attrs[i], 0, NULL);
+    ludp->lud_attrs[i] = curl_easy_unescape(data, ludp->lud_attrs[i],
+                                            0, NULL);
     if(!ludp->lud_attrs[i])
-      return (FALSE);
-  }
-
-  for(i = 0; ludp->lud_exts && ludp->lud_exts[i]; i++) {
-    ludp->lud_exts[i] = curl_easy_unescape(data, ludp->lud_exts[i], 0, NULL);
-    if(!ludp->lud_exts[i])
-      return (FALSE);
+      return FALSE;
+    ludp->lud_attrs_dups++;
   }
 
   if(ludp->lud_dn) {
@@ -637,8 +636,9 @@ static int _ldap_url_parse2 (const struct connectdata *conn, LDAPURLDesc *ludp)
 
   if(*p && *p != '?') {
     ludp->lud_scope = str2scope(p);
-    if(ludp->lud_scope == -1)
+    if(ludp->lud_scope == -1) {
       return LDAP_INVALID_SYNTAX;
+    }
     LDAP_TRACE (("scope %d\n", ludp->lud_scope));
   }
 
@@ -651,25 +651,13 @@ static int _ldap_url_parse2 (const struct connectdata *conn, LDAPURLDesc *ludp)
   q = strchr(p, '?');
   if(q)
     *q++ = '\0';
-  if(!*p)
+  if(!*p) {
     return LDAP_INVALID_SYNTAX;
+  }
 
   ludp->lud_filter = p;
   LDAP_TRACE (("filter '%s'\n", ludp->lud_filter));
 
-  p = q;
-  if(!p)
-    goto success;
-
-  /* parse extensions
-   */
-  ludp->lud_exts = split_str(p);
-  if(!ludp->lud_exts)
-    return LDAP_NO_MEMORY;
-
-  for(i = 0; ludp->lud_exts[i]; i++)
-    LDAP_TRACE (("exts[%d] '%s'\n", i, ludp->lud_exts[i]));
-
   success:
   if(!unescape_elements(conn->data, ludp))
     return LDAP_NO_MEMORY;
@@ -697,7 +685,7 @@ static int _ldap_url_parse (const struct connectdata *conn,
 
 static void _ldap_free_urldesc (LDAPURLDesc *ludp)
 {
-  int i;
+  size_t i;
 
   if(!ludp)
     return;
@@ -709,16 +697,11 @@ static void _ldap_free_urldesc (LDAPURLDesc *ludp)
     free(ludp->lud_filter);
 
   if(ludp->lud_attrs) {
-    for(i = 0; ludp->lud_attrs[i]; i++)
+    for(i = 0; i < ludp->lud_attrs_dups; i++)
       free(ludp->lud_attrs[i]);
     free(ludp->lud_attrs);
   }
 
-  if(ludp->lud_exts) {
-    for(i = 0; ludp->lud_exts[i]; i++)
-      free(ludp->lud_exts[i]);
-    free(ludp->lud_exts);
-  }
   free (ludp);
 }
 #endif  /* !HAVE_LDAP_URL_PARSE */

lib/md5.c

@@ -90,16 +90,36 @@ static void MD5_Final(unsigned char digest[16], MD5_CTX * ctx)
 #    include <md5.h>
 #  endif
 
-#elif defined(__MAC_10_4) || defined(__IPHONE_5_0)
+#elif (defined(__MAC_OS_X_VERSION_MAX_ALLOWED) && \
+              (__MAC_OS_X_VERSION_MAX_ALLOWED >= 1040)) || \
+      (defined(__IPHONE_OS_VERSION_MAX_ALLOWED) && \
+              (__IPHONE_OS_VERSION_MAX_ALLOWED >= 20000))
 
 /* For Apple operating systems: CommonCrypto has the functions we need.
-   The library's headers are even backward-compatible with OpenSSL's
-   headers as long as we define COMMON_DIGEST_FOR_OPENSSL first.
+   These functions are available on Tiger and later, as well as iOS 2.0
+   and later. If you're building for an older cat, well, sorry.
 
-   These functions are available on Tiger and later, as well as iOS 5.0
-   and later. If you're building for an older cat, well, sorry. */
-#  define COMMON_DIGEST_FOR_OPENSSL
+   Declaring the functions as static like this seems to be a bit more
+   reliable than defining COMMON_DIGEST_FOR_OPENSSL on older cats. */
 #  include <CommonCrypto/CommonDigest.h>
+#  define MD5_CTX CC_MD5_CTX
+
+static void MD5_Init(MD5_CTX *ctx)
+{
+  CC_MD5_Init(ctx);
+}
+
+static void MD5_Update(MD5_CTX *ctx,
+                       const unsigned char *input,
+                       unsigned int inputLen)
+{
+  CC_MD5_Update(ctx, input, inputLen);
+}
+
+static void MD5_Final(unsigned char digest[16], MD5_CTX *ctx)
+{
+  CC_MD5_Final(digest, ctx);
+}
 
 #elif defined(_WIN32)
 

lib/memdebug.c

@@ -5,7 +5,7 @@
  *                            | (__| |_| |  _ <| |___
  *                             \___|\___/|_| \_\_____|
  *
- * Copyright (C) 1998 - 2012, Daniel Stenberg, <daniel@haxx.se>, et al.
+ * Copyright (C) 1998 - 2013, Daniel Stenberg, <daniel@haxx.se>, et al.
  *
  * This software is licensed as described in the file COPYING, which
  * you should have received as part of this distribution. The terms
@@ -185,8 +185,10 @@ void *curl_domalloc(size_t wantedsize, int line, const char *source)
   }
 
   if(source)
-    curl_memlog("MEM %s:%d malloc(%zd) = %p\n",
-                source, line, wantedsize, mem ? mem->mem : 0);
+    curl_memlog("MEM %s:%d malloc(%zu) = %p\n",
+                source, line, wantedsize,
+                mem ? (void *)mem->mem : (void *)0);
+
   return (mem ? mem->mem : NULL);
 }
 
@@ -212,7 +214,9 @@ void *curl_docalloc(size_t wanted_elements, size_t wanted_size,
 
   if(source)
     curl_memlog("MEM %s:%d calloc(%zu,%zu) = %p\n",
-                source, line, wanted_elements, wanted_size, mem?mem->mem:0);
+                source, line, wanted_elements, wanted_size,
+                mem ? (void *)mem->mem : (void *)0);
+
   return (mem ? mem->mem : NULL);
 }
 
@@ -234,11 +238,37 @@ char *curl_dostrdup(const char *str, int line, const char *source)
 
   if(source)
     curl_memlog("MEM %s:%d strdup(%p) (%zu) = %p\n",
-                source, line, str, len, mem);
+                source, line, (void *)str, len, (void *)mem);
 
   return mem;
 }
 
+#if defined(WIN32) && defined(UNICODE)
+wchar_t *curl_dowcsdup(const wchar_t *str, int line, const char *source)
+{
+  wchar_t *mem;
+  size_t wsiz, bsiz;
+
+  assert(str != NULL);
+
+  if(countcheck("wcsdup", line, source))
+    return NULL;
+
+  wsiz = wcslen(str) + 1;
+  bsiz = wsiz * sizeof(wchar_t);
+
+  mem = curl_domalloc(bsiz, 0, NULL); /* NULL prevents logging */
+  if(mem)
+    memcpy(mem, str, bsiz);
+
+  if(source)
+    curl_memlog("MEM %s:%d wcsdup(%p) (%zu) = %p\n",
+                source, line, (void *)str, bsiz, (void *)mem);
+
+  return mem;
+}
+#endif
+
 /* We provide a realloc() that accepts a NULL as pointer, which then
    performs a malloc(). In order to work with ares. */
 void *curl_dorealloc(void *ptr, size_t wantedsize,
@@ -269,7 +299,8 @@ void *curl_dorealloc(void *ptr, size_t wantedsize,
   mem = (Curl_crealloc)(mem, size);
   if(source)
     curl_memlog("MEM %s:%d realloc(%p, %zu) = %p\n",
-                source, line, ptr, wantedsize, mem?mem->mem:NULL);
+                source, line, (void *)ptr, wantedsize,
+                mem ? (void *)mem->mem : (void *)0);
 
   if(mem) {
     mem->size = wantedsize;
@@ -304,7 +335,7 @@ void curl_dofree(void *ptr, int line, const char *source)
   (Curl_cfree)(mem);
 
   if(source)
-    curl_memlog("MEM %s:%d free(%p)\n", source, line, ptr);
+    curl_memlog("MEM %s:%d free(%p)\n", source, line, (void *)ptr);
 }
 
 curl_socket_t curl_socket(int domain, int type, int protocol,
@@ -317,8 +348,10 @@ curl_socket_t curl_socket(int domain, int type, int protocol,
                     "FD %s:%d socket() = %zd\n" ;
 
   curl_socket_t sockfd = socket(domain, type, protocol);
+
   if(source && (sockfd != CURL_SOCKET_BAD))
     curl_memlog(fmt, source, line, sockfd);
+
   return sockfd;
 }
 
@@ -334,8 +367,10 @@ int curl_socketpair(int domain, int type, int protocol,
                     "FD %s:%d socketpair() = %zd %zd\n" ;
 
   int res = socketpair(domain, type, protocol, socket_vector);
+
   if(source && (0 == res))
     curl_memlog(fmt, source, line, socket_vector[0], socket_vector[1]);
+
   return res;
 }
 #endif
@@ -351,9 +386,12 @@ curl_socket_t curl_accept(curl_socket_t s, void *saddr, void *saddrlen,
 
   struct sockaddr *addr = (struct sockaddr *)saddr;
   curl_socklen_t *addrlen = (curl_socklen_t *)saddrlen;
+
   curl_socket_t sockfd = accept(s, addr, addrlen);
+
   if(source && (sockfd != CURL_SOCKET_BAD))
     curl_memlog(fmt, source, line, sockfd);
+
   return sockfd;
 }
 
@@ -382,9 +420,11 @@ FILE *curl_fopen(const char *file, const char *mode,
                  int line, const char *source)
 {
   FILE *res=fopen(file, mode);
+
   if(source)
     curl_memlog("FILE %s:%d fopen(\"%s\",\"%s\") = %p\n",
-                source, line, file, mode, res);
+                source, line, file, mode, (void *)res);
+
   return res;
 }
 
@@ -393,9 +433,11 @@ FILE *curl_fdopen(int filedes, const char *mode,
                   int line, const char *source)
 {
   FILE *res=fdopen(filedes, mode);
+
   if(source)
     curl_memlog("FILE %s:%d fdopen(\"%d\",\"%s\") = %p\n",
-                source, line, filedes, mode, res);
+                source, line, filedes, mode, (void *)res);
+
   return res;
 }
 #endif
@@ -407,9 +449,11 @@ int curl_fclose(FILE *file, int line, const char *source)
   assert(file != NULL);
 
   res=fclose(file);
+
   if(source)
     curl_memlog("FILE %s:%d fclose(%p)\n",
-                source, line, file);
+                source, line, (void *)file);
+
   return res;
 }
 

lib/memdebug.h

@@ -8,7 +8,7 @@
  *                            | (__| |_| |  _ <| |___
  *                             \___|\___/|_| \_\_____|
  *
- * Copyright (C) 1998 - 2012, Daniel Stenberg, <daniel@haxx.se>, et al.
+ * Copyright (C) 1998 - 2013, Daniel Stenberg, <daniel@haxx.se>, et al.
  *
  * This software is licensed as described in the file COPYING, which
  * you should have received as part of this distribution. The terms
@@ -46,6 +46,11 @@ CURL_EXTERN void *curl_dorealloc(void *ptr, size_t size, int line,
                                  const char *source);
 CURL_EXTERN void curl_dofree(void *ptr, int line, const char *source);
 CURL_EXTERN char *curl_dostrdup(const char *str, int line, const char *source);
+#if defined(WIN32) && defined(UNICODE)
+CURL_EXTERN wchar_t *curl_dowcsdup(const wchar_t *str, int line,
+                                   const char *source);
+#endif
+
 CURL_EXTERN void curl_memdebug(const char *logname);
 CURL_EXTERN void curl_memlimit(long limit);
 CURL_EXTERN void curl_memlog(const char *format, ...);
@@ -84,6 +89,20 @@ CURL_EXTERN int curl_fclose(FILE *file, int line, const char *source);
 #define realloc(ptr,size) curl_dorealloc(ptr, size, __LINE__, __FILE__)
 #define free(ptr) curl_dofree(ptr, __LINE__, __FILE__)
 
+#ifdef WIN32
+#  ifdef UNICODE
+#    undef wcsdup
+#    define wcsdup(ptr) curl_dowcsdup(ptr, __LINE__, __FILE__)
+#    undef _wcsdup
+#    define _wcsdup(ptr) curl_dowcsdup(ptr, __LINE__, __FILE__)
+#    undef _tcsdup
+#    define _tcsdup(ptr) curl_dowcsdup(ptr, __LINE__, __FILE__)
+#  else
+#    undef _tcsdup
+#    define _tcsdup(ptr) curl_dostrdup(ptr, __LINE__, __FILE__)
+#  endif
+#endif
+
 #define socket(domain,type,protocol)\
  curl_socket(domain,type,protocol,__LINE__,__FILE__)
 #undef accept /* for those with accept as a macro */

lib/mk-ca-bundle.pl

@@ -40,7 +40,7 @@ my $url = 'http://mxr.mozilla.org/mozilla/source/security/nss/lib/ckfw/builtins/
 # If the OpenSSL commandline is not in search path you can configure it here!
 my $openssl = 'openssl';
 
-my $version = '1.18';
+my $version = '1.19';
 
 $opt_w = 76; # default base64 encoded lines length
 
@@ -164,7 +164,7 @@ while (<TXT>) {
   if ($start_of_cert && /^CKA_LABEL UTF8 \"(.*)\"/) {
     $caname = $1;
   }
-  my $untrusted = 0;
+  my $untrusted = 1;
   if ($start_of_cert && /^CKA_VALUE MULTILINE_OCTAL/) {
     my $data;
     while (<TXT>) {
@@ -184,9 +184,8 @@ while (<TXT>) {
     # now scan the trust part for untrusted certs
     while (<TXT>) {
       last if (/^#/);
-      if (/^CKA_TRUST_SERVER_AUTH\s+CK_TRUST\s+CKT_NSS_NOT_TRUSTED$/
-          or /^CKA_TRUST_SERVER_AUTH\s+CK_TRUST\s+CKT_NSS_TRUST_UNKNOWN$/) {
-          $untrusted = 1;
+      if (/^CKA_TRUST_SERVER_AUTH\s+CK_TRUST\s+CKT_NSS_TRUSTED_DELEGATOR$/) {
+          $untrusted = 0;
       }
     }
     if ($untrusted) {

lib/mk-ca-bundle.vbs

@@ -26,7 +26,7 @@
 '* Hacked by Guenter Knauf
 '***************************************************************************
 Option Explicit
-Const myVersion = "0.3.7"
+Const myVersion = "0.3.8"
 
 Const myUrl = "http://mxr.mozilla.org/mozilla/source/security/nss/lib/ckfw/builtins/certdata.txt?raw=1"
 
@@ -130,9 +130,8 @@ For i = 0 To UBound(myLines)
       myInsideCert = FALSE
       While (i < UBound(myLines)) And Not (myLines(i) = "#")
         i = i + 1
-        If (InstrRev(myLines(i), "CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_NOT_TRUSTED") Or _
-           InstrRev(myLines(i), "CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUST_UNKNOWN")) Then
-          myUntrusted = TRUE
+        If InstrRev(myLines(i), "CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR") Then
+          myUntrusted = FALSE
         End If
       Wend
       If (myUntrusted = TRUE) Then
@@ -182,7 +181,7 @@ For i = 0 To UBound(myLines)
   End If
   If InstrRev(myLines(i), "CKA_VALUE MULTILINE_OCTAL") Then
     myInsideCert = TRUE
-    myUntrusted = FALSE
+    myUntrusted = TRUE
     myData = ""
   End If
   If InstrRev(myLines(i), "***** BEGIN LICENSE BLOCK *****") Then

lib/mprintf.c

@@ -380,11 +380,11 @@ static long dprintf_Pass1(const char *format, va_stack_t *vto, char **endpos,
         break;
       case 'x':
         vto[i].type = FORMAT_INT;
-        flags |= FLAGS_HEX;
+        flags |= FLAGS_HEX|FLAGS_UNSIGNED;
         break;
       case 'X':
         vto[i].type = FORMAT_INT;
-        flags |= FLAGS_HEX|FLAGS_UPPER;
+        flags |= FLAGS_HEX|FLAGS_UPPER|FLAGS_UNSIGNED;
         break;
       case 'c':
         vto[i].type = FORMAT_INT;
@@ -633,23 +633,23 @@ static int dprintf_formatf(
             OUTCHAR(' ');
         break;
       }
-      if(p->flags & FLAGS_UNSIGNED) {
-        /* Decimal unsigned integer.  */
-        base = 10;
-        goto unsigned_number;
-      }
       if(p->flags & FLAGS_OCTAL) {
         /* Octal unsigned integer.  */
         base = 8;
         goto unsigned_number;
       }
-      if(p->flags & FLAGS_HEX) {
+      else if(p->flags & FLAGS_HEX) {
         /* Hexadecimal unsigned integer.  */
 
         digits = (p->flags & FLAGS_UPPER)? upper_digits : lower_digits;
         base = 16;
         goto unsigned_number;
       }
+      else if(p->flags & FLAGS_UNSIGNED) {
+        /* Decimal unsigned integer.  */
+        base = 10;
+        goto unsigned_number;
+      }
 
       /* Decimal integer.  */
       base = 10;

lib/multihandle.h

@@ -59,27 +59,6 @@ typedef enum {
 #define GETSOCK_READABLE (0x00ff)
 #define GETSOCK_WRITABLE (0xff00)
 
-struct Curl_one_easy {
-  /* first, two fields for the linked list of these */
-  struct Curl_one_easy *next;
-  struct Curl_one_easy *prev;
-
-  struct SessionHandle *easy_handle; /* the easy handle for this unit */
-  struct connectdata *easy_conn;     /* the "unit's" connection */
-
-  CURLMstate state;  /* the handle's state */
-  CURLcode result;   /* previous result */
-
-  struct Curl_message msg; /* A single posted message. */
-
-  /* Array with the plain socket numbers this handle takes care of, in no
-     particular order. Note that all sockets are added to the sockhash, where
-     the state etc are also kept. This array is mostly used to detect when a
-     socket is to be removed from the hash. See singlesocket(). */
-  curl_socket_t sockets[MAX_SOCKSPEREASYHANDLE];
-  int numsocks;
-};
-
 /* This is the struct known as CURLM on the outside */
 struct Curl_multi {
   /* First a simple identifier to easier detect if a user mix up
@@ -87,7 +66,8 @@ struct Curl_multi {
   long type;
 
   /* We have a doubly-linked circular list with easy handles */
-  struct Curl_one_easy easy;
+  struct SessionHandle *easyp;
+  struct SessionHandle *easylp; /* last node */
 
   int num_easy; /* amount of entries in the linked list above. */
   int num_alive; /* amount of easy handles that are added but have not yet

lib/multiif.h

@@ -22,7 +22,13 @@
  *
  ***************************************************************************/
 
-
+/* See multi_socket() for the explanation of this constant. Counted in number
+   of microseconds. */
+#ifdef WIN32
+#define MULTI_TIMEOUT_INACCURACY 40000
+#else
+#define MULTI_TIMEOUT_INACCURACY 3000
+#endif
 
 /*
  * Prototypes for library-wide functions provided by multi.c

lib/netrc.c

@@ -5,7 +5,7 @@
  *                            | (__| |_| |  _ <| |___
  *                             \___|\___/|_| \_\_____|
  *
- * Copyright (C) 1998 - 2012, Daniel Stenberg, <daniel@haxx.se>, et al.
+ * Copyright (C) 1998 - 2013, Daniel Stenberg, <daniel@haxx.se>, et al.
  *
  * This software is licensed as described in the file COPYING, which
  * you should have received as part of this distribution. The terms
@@ -50,15 +50,18 @@ enum host_lookup_state {
 
 /*
  * @unittest: 1304
+ *
+ * *loginp and *passwordp MUST be allocated if they aren't NULL when passed
+ * in.
  */
 int Curl_parsenetrc(const char *host,
-                    char *login,
-                    char *password,
+                    char **loginp,
+                    char **passwordp,
                     char *netrcfile)
 {
   FILE *file;
   int retcode=1;
-  int specific_login = (login[0] != 0);
+  int specific_login = (**loginp != 0);
   char *home = NULL;
   bool home_alloc = FALSE;
   bool netrc_alloc = FALSE;
@@ -109,7 +112,7 @@ int Curl_parsenetrc(const char *host,
       tok=strtok_r(netrcbuffer, " \t\n", &tok_buf);
       while(!done && tok) {
 
-        if(login[0] && password[0]) {
+        if(**loginp && **passwordp) {
           done=TRUE;
           break;
         }
@@ -138,16 +141,22 @@ int Curl_parsenetrc(const char *host,
           /* we are now parsing sub-keywords concerning "our" host */
           if(state_login) {
             if(specific_login) {
-              state_our_login = Curl_raw_equal(login, tok);
+              state_our_login = Curl_raw_equal(*loginp, tok);
             }
             else {
-              strncpy(login, tok, LOGINSIZE-1);
+              free(*loginp);
+              *loginp = strdup(tok);
+              if(!*loginp)
+                return -1; /* allocation failed */
             }
             state_login=0;
           }
           else if(state_password) {
             if(state_our_login || !specific_login) {
-              strncpy(password, tok, PASSWORDSIZE-1);
+              free(*passwordp);
+              *passwordp = strdup(tok);
+              if(!*passwordp)
+                return -1; /* allocation failed */
             }
             state_password=0;
           }

lib/netrc.h

@@ -22,19 +22,15 @@
  *
  ***************************************************************************/
 
-/* Make sure we have room for at least this size: */
-#define LOGINSIZE 64
-#define PASSWORDSIZE 64
-
 /* returns -1 on failure, 0 if the host is found, 1 is the host isn't found */
 int Curl_parsenetrc(const char *host,
-                    char *login,
-                    char *password,
+                    char **loginp,
+                    char **passwordp,
                     char *filename);
-  /* Assume: password[0]=0, host[0] != 0.
-   * If login[0] = 0, search for login and password within a machine section
-   * in the netrc.
-   * If login[0] != 0, search for password within machine and login.
+  /* Assume: (*passwordp)[0]=0, host[0] != 0.
+   * If (*loginp)[0] = 0, search for login and password within a machine
+   * section in the netrc.
+   * If (*loginp)[0] != 0, search for password within machine and login.
    */
 
 #endif /* HEADER_CURL_NETRC_H */

lib/nss.c

@@ -1543,9 +1543,8 @@ size_t Curl_nss_version(char *buffer, size_t size)
 
 int Curl_nss_seed(struct SessionHandle *data)
 {
-  /* TODO: implement? */
-  (void) data;
-  return 0;
+  /* make sure that NSS is initialized */
+  return !!Curl_nss_force_init(data);
 }
 
 void Curl_nss_random(struct SessionHandle *data,
@@ -1553,7 +1552,11 @@ void Curl_nss_random(struct SessionHandle *data,
                      size_t length)
 {
   Curl_nss_seed(data);  /* Initiate the seed if not already done */
-  PK11_GenerateRandom(entropy, curlx_uztosi(length));
+  if(SECSuccess != PK11_GenerateRandom(entropy, curlx_uztosi(length))) {
+    /* no way to signal a failure from here, we have to abort */
+    failf(data, "PK11_GenerateRandom() failed, calling abort()...");
+    abort();
+  }
 }
 
 void Curl_nss_md5sum(unsigned char *tmp, /* input */

lib/nssg.h

@@ -7,7 +7,7 @@
  *                            | (__| |_| |  _ <| |___
  *                             \___|\___/|_| \_\_____|
  *
- * Copyright (C) 1998 - 2012, Daniel Stenberg, <daniel@haxx.se>, et al.
+ * Copyright (C) 1998 - 2013, Daniel Stenberg, <daniel@haxx.se>, et al.
  *
  * This software is licensed as described in the file COPYING, which
  * you should have received as part of this distribution. The terms
@@ -60,6 +60,10 @@ void Curl_nss_md5sum(unsigned char *tmp, /* input */
                      unsigned char *md5sum, /* output */
                      size_t md5len);
 
+/* this backend provides these functions: */
+#define have_curlssl_random 1
+#define have_curlssl_md5sum 1
+
 /* API setup for NSS */
 #define curlssl_init Curl_nss_init
 #define curlssl_cleanup Curl_nss_cleanup

lib/openldap.c

@@ -378,7 +378,7 @@ static CURLcode ldap_do(struct connectdata *conn, bool *done)
   if(!lr)
     return CURLE_OUT_OF_MEMORY;
   lr->msgid = msgid;
-  data->state.proto.generic = lr;
+  data->req.protop = lr;
   Curl_setup_transfer(conn, FIRSTSOCKET, -1, FALSE, NULL, -1, NULL);
   *done = TRUE;
   return CURLE_OK;
@@ -387,7 +387,7 @@ static CURLcode ldap_do(struct connectdata *conn, bool *done)
 static CURLcode ldap_done(struct connectdata *conn, CURLcode res,
                           bool premature)
 {
-  ldapreqinfo *lr = conn->data->state.proto.generic;
+  ldapreqinfo *lr = conn->data->req.protop;
   (void)res;
   (void)premature;
 
@@ -398,7 +398,7 @@ static CURLcode ldap_done(struct connectdata *conn, CURLcode res,
       ldap_abandon_ext(li->ld, lr->msgid, NULL, NULL);
       lr->msgid = 0;
     }
-    conn->data->state.proto.generic = NULL;
+    conn->data->req.protop = NULL;
     free(lr);
   }
   return CURLE_OK;
@@ -409,7 +409,7 @@ static ssize_t ldap_recv(struct connectdata *conn, int sockindex, char *buf,
 {
   ldapconninfo *li = conn->proto.generic;
   struct SessionHandle *data=conn->data;
-  ldapreqinfo *lr = data->state.proto.generic;
+  ldapreqinfo *lr = data->req.protop;
   int rc, ret;
   LDAPMessage *result = NULL;
   LDAPMessage *ent;

lib/pingpong.c

@@ -33,6 +33,7 @@
 #include "pingpong.h"
 #include "multiif.h"
 #include "non-ascii.h"
+#include "sslgen.h"
 
 #define _MPRINTF_REPLACE /* use our functions only */
 #include <curl/mprintf.h>
@@ -105,6 +106,9 @@ CURLcode Curl_pp_statemach(struct pingpong *pp, bool block)
   if(Curl_pp_moredata(pp))
     /* We are receiving and there is data in the cache so just read it */
     rc = 1;
+  else if(!pp->sendleft && Curl_ssl_data_pending(conn, FIRSTSOCKET))
+    /* We are receiving and there is data ready in the SSL library */
+    rc = 1;
   else
     rc = Curl_socket_ready(pp->sendleft?CURL_SOCKET_BAD:sock, /* reading */
                            pp->sendleft?sock:CURL_SOCKET_BAD, /* writing */
@@ -165,7 +169,7 @@ CURLcode Curl_pp_vsendf(struct pingpong *pp,
   struct connectdata *conn = pp->conn;
   struct SessionHandle *data = conn->data;
 
-#if defined(HAVE_KRB4) || defined(HAVE_GSSAPI)
+#ifdef HAVE_GSSAPI
   enum protection_level data_sec = conn->data_prot;
 #endif
 
@@ -194,12 +198,12 @@ CURLcode Curl_pp_vsendf(struct pingpong *pp,
     return error;
   }
 
-#if defined(HAVE_KRB4) || defined(HAVE_GSSAPI)
+#ifdef HAVE_GSSAPI
   conn->data_prot = PROT_CMD;
 #endif
   error = Curl_write(conn, conn->sock[FIRSTSOCKET], s, write_len,
                      &bytes_written);
-#if defined(HAVE_KRB4) || defined(HAVE_GSSAPI)
+#ifdef HAVE_GSSAPI
   DEBUGASSERT(data_sec > PROT_NONE && data_sec < PROT_LAST);
   conn->data_prot = data_sec;
 #endif
@@ -302,14 +306,14 @@ CURLcode Curl_pp_readresp(curl_socket_t sockfd,
     }
     else {
       int res;
-#if defined(HAVE_KRB4) || defined(HAVE_GSSAPI)
+#ifdef HAVE_GSSAPI
       enum protection_level prot = conn->data_prot;
       conn->data_prot = PROT_CLEAR;
 #endif
       DEBUGASSERT((ptr+BUFSIZE-pp->nread_resp) <= (buf+BUFSIZE+1));
       res = Curl_read(conn, sockfd, ptr, BUFSIZE-pp->nread_resp,
                       &gotbytes);
-#if defined(HAVE_KRB4) || defined(HAVE_GSSAPI)
+#ifdef HAVE_GSSAPI
       DEBUGASSERT(prot  > PROT_NONE && prot < PROT_LAST);
       conn->data_prot = prot;
 #endif
@@ -352,7 +356,7 @@ CURLcode Curl_pp_readresp(curl_socket_t sockfd,
              the line isn't really terminated until the LF comes */
 
           /* output debug output if that is requested */
-#if defined(HAVE_KRB4) || defined(HAVE_GSSAPI)
+#ifdef HAVE_GSSAPI
           if(!conn->sec_complete)
 #endif
             if(data->set.verbose)
@@ -371,8 +375,7 @@ CURLcode Curl_pp_readresp(curl_socket_t sockfd,
 
           if(pp->endofresp(conn, pp->linestart_resp, perline, code)) {
             /* This is the end of the last line, copy the last line to the
-               start of the buffer and zero terminate, for old times sake (and
-               krb4)! */
+               start of the buffer and zero terminate, for old times sake */
             char *meow;
             int n;
             for(meow=pp->linestart_resp, n=0; meow<ptr; meow++, n++)

lib/pipeline.c

@@ -6,6 +6,7 @@
  *                             \___|\___/|_| \_\_____|
  *
  * Copyright (C) 2013, Linus Nielsen Feltzing, <linus@haxx.se>
+ * Copyright (C) 2013, Daniel Stenberg, <daniel@haxx.se>, et al.
  *
  * This software is licensed as described in the file COPYING, which
  * you should have received as part of this distribution. The terms
@@ -84,9 +85,10 @@ bool Curl_pipeline_penalized(struct SessionHandle *data,
        (curl_off_t)conn->chunk.datasize > chunk_penalty_size)
       penalized = TRUE;
 
-    infof(data, "Conn: %d (%p) Receive pipe weight: (%d/%d), penalized: %d\n",
-          conn->connection_id, conn, recv_size,
-          conn->chunk.datasize, penalized);
+    infof(data, "Conn: %ld (%p) Receive pipe weight: (%" FORMAT_OFF_T
+          "/%zu), penalized: %s\n",
+          conn->connection_id, (void *)conn, recv_size,
+          conn->chunk.datasize, penalized?"TRUE":"FALSE");
     return penalized;
   }
   return FALSE;
@@ -101,7 +103,7 @@ CURLcode Curl_add_handle_to_pipeline(struct SessionHandle *handle,
 
   pipeline = conn->send_pipe;
 
-  infof(conn->data, "Adding handle: conn: %p\n", conn);
+  infof(conn->data, "Adding handle: conn: %p\n", (void *)conn);
   infof(conn->data, "Adding handle: send: %d\n", conn->send_pipe->size);
   infof(conn->data, "Adding handle: recv: %d\n", conn->recv_pipe->size);
   rc = Curl_addHandleToPipeline(handle, pipeline);
@@ -111,7 +113,7 @@ CURLcode Curl_add_handle_to_pipeline(struct SessionHandle *handle,
     conn->writechannel_inuse = FALSE; /* not in use yet */
 #ifdef DEBUGBUILD
     infof(conn->data, "%p is at send pipe head!\n",
-          conn->send_pipe->head->ptr);
+          (void *)conn->send_pipe->head->ptr);
 #endif
     Curl_expire(conn->send_pipe->head->ptr, 1);
   }
@@ -144,7 +146,7 @@ void Curl_move_handle_from_send_to_recv_pipe(struct SessionHandle *handle,
         conn->writechannel_inuse = FALSE; /* not used now */
 #ifdef DEBUGBUILD
         infof(conn->data, "%p is at send pipe head B!\n",
-              conn->send_pipe->head->ptr);
+              (void *)conn->send_pipe->head->ptr);
 #endif
         Curl_expire(conn->send_pipe->head->ptr, 1);
       }
@@ -320,9 +322,9 @@ void print_pipeline(struct connectdata *conn)
     curr = cb_ptr->conn_list->head;
     while(curr) {
       conn = curr->ptr;
-      infof(data, "- Conn %d (%p) send_pipe: %d, recv_pipe: %d\n",
+      infof(data, "- Conn %ld (%p) send_pipe: %zu, recv_pipe: %zu\n",
             conn->connection_id,
-            conn,
+            (void *)conn,
             conn->send_pipe->size,
             conn->recv_pipe->size);
       curr = curr->next;

lib/pop3.c

@@ -28,6 +28,7 @@
  * RFC4422 Simple Authentication and Security Layer (SASL)
  * RFC4616 PLAIN authentication
  * RFC5034 POP3 SASL Authentication Mechanism
+ * RFC6749 OAuth 2.0 Authorization Framework
  *
  ***************************************************************************/
 
@@ -163,7 +164,7 @@ const struct Curl_handler Curl_handler_pop3s = {
 
 static const struct Curl_handler Curl_handler_pop3_proxy = {
   "POP3",                               /* scheme */
-  ZERO_NULL,                            /* setup_connection */
+  Curl_http_setup_conn,                 /* setup_connection */
   Curl_http,                            /* do_it */
   Curl_http_done,                       /* done */
   ZERO_NULL,                            /* do_more */
@@ -188,7 +189,7 @@ static const struct Curl_handler Curl_handler_pop3_proxy = {
 
 static const struct Curl_handler Curl_handler_pop3s_proxy = {
   "POP3S",                              /* scheme */
-  ZERO_NULL,                            /* setup_connection */
+  Curl_http_setup_conn,                 /* setup_connection */
   Curl_http,                            /* do_it */
   Curl_http_done,                       /* done */
   ZERO_NULL,                            /* do_more */
@@ -312,20 +313,22 @@ static bool pop3_endofresp(struct connectdata *conn, char *line, size_t len,
           wordlen++;
 
         /* Test the word for a matching authentication mechanism */
-        if(wordlen == 5 && !memcmp(line, "LOGIN", 5))
+        if(sasl_mech_equal(line, wordlen, SASL_MECH_STRING_LOGIN))
           pop3c->authmechs |= SASL_MECH_LOGIN;
-        else if(wordlen == 5 && !memcmp(line, "PLAIN", 5))
+        else if(sasl_mech_equal(line, wordlen, SASL_MECH_STRING_PLAIN))
           pop3c->authmechs |= SASL_MECH_PLAIN;
-        else if(wordlen == 8 && !memcmp(line, "CRAM-MD5", 8))
+        else if(sasl_mech_equal(line, wordlen, SASL_MECH_STRING_CRAM_MD5))
           pop3c->authmechs |= SASL_MECH_CRAM_MD5;
-        else if(wordlen == 10 && !memcmp(line, "DIGEST-MD5", 10))
+        else if(sasl_mech_equal(line, wordlen, SASL_MECH_STRING_DIGEST_MD5))
           pop3c->authmechs |= SASL_MECH_DIGEST_MD5;
-        else if(wordlen == 6 && !memcmp(line, "GSSAPI", 6))
+        else if(sasl_mech_equal(line, wordlen, SASL_MECH_STRING_GSSAPI))
           pop3c->authmechs |= SASL_MECH_GSSAPI;
-        else if(wordlen == 8 && !memcmp(line, "EXTERNAL", 8))
+        else if(sasl_mech_equal(line, wordlen, SASL_MECH_STRING_EXTERNAL))
           pop3c->authmechs |= SASL_MECH_EXTERNAL;
-        else if(wordlen == 4 && !memcmp(line, "NTLM", 4))
+        else if(sasl_mech_equal(line, wordlen, SASL_MECH_STRING_NTLM))
           pop3c->authmechs |= SASL_MECH_NTLM;
+        else if(sasl_mech_equal(line, wordlen, SASL_MECH_STRING_XOAUTH2))
+          pop3c->authmechs |= SASL_MECH_XOAUTH2;
 
         line += wordlen;
         len -= wordlen;
@@ -371,6 +374,7 @@ static void state(struct connectdata *conn, pop3state newstate)
     "AUTH_DIGESTMD5_RESP",
     "AUTH_NTLM",
     "AUTH_NTLM_TYPE2MSG",
+    "AUTH_XOAUTH2",
     "AUTH_FINAL",
     "APOP",
     "USER",
@@ -382,7 +386,7 @@ static void state(struct connectdata *conn, pop3state newstate)
 
   if(pop3c->state != newstate)
     infof(conn->data, "POP3 %p state change from %s to %s\n",
-          pop3c, names[pop3c->state], names[newstate]);
+          (void *)pop3c, names[pop3c->state], names[newstate]);
 #endif
 
   pop3c->state = newstate;
@@ -405,7 +409,7 @@ static CURLcode pop3_perform_capa(struct connectdata *conn)
   pop3c->tls_supported = FALSE; /* Clear the TLS capability */
 
   /* Send the CAPA command */
-  result = Curl_pp_sendf(&pop3c->pp, "CAPA");
+  result = Curl_pp_sendf(&pop3c->pp, "%s", "CAPA");
 
   if(!result)
     state(conn, POP3_CAPA);
@@ -424,7 +428,7 @@ static CURLcode pop3_perform_starttls(struct connectdata *conn)
   CURLcode result = CURLE_OK;
 
   /* Send the STLS command */
-  result = Curl_pp_sendf(&conn->proto.pop3c.pp, "STLS");
+  result = Curl_pp_sendf(&conn->proto.pop3c.pp, "%s", "STLS");
 
   if(!result)
     state(conn, POP3_STARTTLS);
@@ -572,13 +576,13 @@ static CURLcode pop3_perform_authenticate(struct connectdata *conn)
 #ifndef CURL_DISABLE_CRYPTO_AUTH
     if((pop3c->authmechs & SASL_MECH_DIGEST_MD5) &&
        (pop3c->prefmech & SASL_MECH_DIGEST_MD5)) {
-      mech = "DIGEST-MD5";
+      mech = SASL_MECH_STRING_DIGEST_MD5;
       state1 = POP3_AUTH_DIGESTMD5;
       pop3c->authused = SASL_MECH_DIGEST_MD5;
     }
     else if((pop3c->authmechs & SASL_MECH_CRAM_MD5) &&
             (pop3c->prefmech & SASL_MECH_CRAM_MD5)) {
-      mech = "CRAM-MD5";
+      mech = SASL_MECH_STRING_CRAM_MD5;
       state1 = POP3_AUTH_CRAMMD5;
       pop3c->authused = SASL_MECH_CRAM_MD5;
     }
@@ -587,7 +591,7 @@ static CURLcode pop3_perform_authenticate(struct connectdata *conn)
 #ifdef USE_NTLM
     if((pop3c->authmechs & SASL_MECH_NTLM) &&
        (pop3c->prefmech & SASL_MECH_NTLM)) {
-      mech = "NTLM";
+      mech = SASL_MECH_STRING_NTLM;
       state1 = POP3_AUTH_NTLM;
       state2 = POP3_AUTH_NTLM_TYPE2MSG;
       pop3c->authused = SASL_MECH_NTLM;
@@ -599,9 +603,22 @@ static CURLcode pop3_perform_authenticate(struct connectdata *conn)
     }
     else
 #endif
-    if((pop3c->authmechs & SASL_MECH_LOGIN) &&
+    if(((pop3c->authmechs & SASL_MECH_XOAUTH2) &&
+        (pop3c->prefmech & SASL_MECH_XOAUTH2) &&
+        (pop3c->prefmech != SASL_AUTH_ANY)) || conn->xoauth2_bearer) {
+      mech = SASL_MECH_STRING_XOAUTH2;
+      state1 = POP3_AUTH_XOAUTH2;
+      state2 = POP3_AUTH_FINAL;
+      pop3c->authused = SASL_MECH_XOAUTH2;
+
+      if(data->set.sasl_ir)
+        result = Curl_sasl_create_xoauth2_message(conn->data, conn->user,
+                                                  conn->xoauth2_bearer,
+                                                  &initresp, &len);
+    }
+    else if((pop3c->authmechs & SASL_MECH_LOGIN) &&
        (pop3c->prefmech & SASL_MECH_LOGIN)) {
-      mech = "LOGIN";
+      mech = SASL_MECH_STRING_LOGIN;
       state1 = POP3_AUTH_LOGIN;
       state2 = POP3_AUTH_LOGIN_PASSWD;
       pop3c->authused = SASL_MECH_LOGIN;
@@ -612,7 +629,7 @@ static CURLcode pop3_perform_authenticate(struct connectdata *conn)
     }
     else if((pop3c->authmechs & SASL_MECH_PLAIN) &&
             (pop3c->prefmech & SASL_MECH_PLAIN)) {
-      mech = "PLAIN";
+      mech = SASL_MECH_STRING_PLAIN;
       state1 = POP3_AUTH_PLAIN;
       state2 = POP3_AUTH_FINAL;
       pop3c->authused = SASL_MECH_PLAIN;
@@ -673,7 +690,7 @@ static CURLcode pop3_perform_command(struct connectdata *conn)
 {
   CURLcode result = CURLE_OK;
   struct SessionHandle *data = conn->data;
-  struct POP3 *pop3 = data->state.proto.pop3;
+  struct POP3 *pop3 = data->req.protop;
   const char *command = NULL;
 
   /* Calculate the default command */
@@ -693,7 +710,7 @@ static CURLcode pop3_perform_command(struct connectdata *conn)
                            (pop3->custom && pop3->custom[0] != '\0' ?
                             pop3->custom : command), pop3->id);
   else
-    result = Curl_pp_sendf(&conn->proto.pop3c.pp,
+    result = Curl_pp_sendf(&conn->proto.pop3c.pp, "%s",
                            (pop3->custom && pop3->custom[0] != '\0' ?
                             pop3->custom : command));
 
@@ -714,7 +731,7 @@ static CURLcode pop3_perform_quit(struct connectdata *conn)
   CURLcode result = CURLE_OK;
 
   /* Send the QUIT command */
-  result = Curl_pp_sendf(&conn->proto.pop3c.pp, "QUIT");
+  result = Curl_pp_sendf(&conn->proto.pop3c.pp, "%s", "QUIT");
 
   if(!result)
     state(conn, POP3_QUIT);
@@ -1020,7 +1037,7 @@ static CURLcode pop3_state_auth_digest_resp_resp(struct connectdata *conn,
   }
   else {
     /* Send an empty response */
-    result = Curl_pp_sendf(&conn->proto.pop3c.pp, "");
+    result = Curl_pp_sendf(&conn->proto.pop3c.pp, "%s", "");
 
     if(!result)
       state(conn, POP3_AUTH_FINAL);
@@ -1110,6 +1127,43 @@ static CURLcode pop3_state_auth_ntlm_type2msg_resp(struct connectdata *conn,
 }
 #endif
 
+/* For AUTH XOAUTH2 (without initial response) responses */
+static CURLcode pop3_state_auth_xoauth2_resp(struct connectdata *conn,
+                                             int pop3code, pop3state instate)
+{
+  CURLcode result = CURLE_OK;
+  struct SessionHandle *data = conn->data;
+  size_t len = 0;
+  char *xoauth = NULL;
+
+  (void)instate; /* no use for this yet */
+
+  if(pop3code != '+') {
+    failf(data, "Access denied: %d", pop3code);
+    result = CURLE_LOGIN_DENIED;
+  }
+  else {
+    /* Create the authorisation message */
+    result = Curl_sasl_create_xoauth2_message(conn->data, conn->user,
+                                              conn->xoauth2_bearer,
+                                              &xoauth, &len);
+
+    /* Send the message */
+    if(!result) {
+      if(xoauth) {
+        result = Curl_pp_sendf(&conn->proto.pop3c.pp, "%s", xoauth);
+
+        if(!result)
+          state(conn, POP3_AUTH_FINAL);
+      }
+
+      Curl_safefree(xoauth);
+    }
+  }
+
+  return result;
+}
+
 /* For final responses to the AUTH sequence */
 static CURLcode pop3_state_auth_final_resp(struct connectdata *conn,
                                            int pop3code,
@@ -1203,7 +1257,7 @@ static CURLcode pop3_state_command_resp(struct connectdata *conn,
 {
   CURLcode result = CURLE_OK;
   struct SessionHandle *data = conn->data;
-  struct POP3 *pop3 = data->state.proto.pop3;
+  struct POP3 *pop3 = data->req.protop;
   struct pop3_conn *pop3c = &conn->proto.pop3c;
   struct pingpong *pp = &pop3c->pp;
 
@@ -1328,6 +1382,10 @@ static CURLcode pop3_statemach_act(struct connectdata *conn)
       break;
 #endif
 
+    case POP3_AUTH_XOAUTH2:
+      result = pop3_state_auth_xoauth2_resp(conn, pop3code, pop3c->state);
+      break;
+
     case POP3_AUTH_FINAL:
       result = pop3_state_auth_final_resp(conn, pop3code, pop3c->state);
       break;
@@ -1368,11 +1426,13 @@ static CURLcode pop3_multi_statemach(struct connectdata *conn, bool *done)
   CURLcode result = CURLE_OK;
   struct pop3_conn *pop3c = &conn->proto.pop3c;
 
-  if((conn->handler->flags & PROTOPT_SSL) && !pop3c->ssldone)
+  if((conn->handler->flags & PROTOPT_SSL) && !pop3c->ssldone) {
     result = Curl_ssl_connect_nonblocking(conn, FIRSTSOCKET, &pop3c->ssldone);
-  else
-    result = Curl_pp_statemach(&pop3c->pp, FALSE);
+    if(result || !pop3c->ssldone)
+      return result;
+  }
 
+  result = Curl_pp_statemach(&pop3c->pp, FALSE);
   *done = (pop3c->state == POP3_STOP) ? TRUE : FALSE;
 
   return result;
@@ -1395,13 +1455,11 @@ static CURLcode pop3_init(struct connectdata *conn)
 {
   CURLcode result = CURLE_OK;
   struct SessionHandle *data = conn->data;
-  struct POP3 *pop3 = data->state.proto.pop3;
+  struct POP3 *pop3;
 
-  if(!pop3) {
-    pop3 = data->state.proto.pop3 = calloc(sizeof(struct POP3), 1);
-    if(!pop3)
-      result = CURLE_OUT_OF_MEMORY;
-  }
+  pop3 = data->req.protop = calloc(sizeof(struct POP3), 1);
+  if(!pop3)
+    result = CURLE_OUT_OF_MEMORY;
 
   return result;
 }
@@ -1421,8 +1479,7 @@ static int pop3_getsock(struct connectdata *conn, curl_socket_t *socks,
  * connection phase.
  *
  * The variable 'done' points to will be TRUE if the protocol-layer connect
- * phase is done when this function returns, or FALSE is not. When called as
- * a part of the easy interface, it will always be TRUE.
+ * phase is done when this function returns, or FALSE if not.
  */
 static CURLcode pop3_connect(struct connectdata *conn, bool *done)
 {
@@ -1432,15 +1489,6 @@ static CURLcode pop3_connect(struct connectdata *conn, bool *done)
 
   *done = FALSE; /* default to not done yet */
 
-  /* If there already is a protocol-specific struct allocated for this
-     sessionhandle, deal with it */
-  Curl_reset_reqproto(conn);
-
-  /* Initialise the POP3 layer */
-  result = pop3_init(conn);
-  if(result)
-    return result;
-
   /* We always support persistent connections in POP3 */
   conn->bits.close = FALSE;
 
@@ -1484,7 +1532,7 @@ static CURLcode pop3_done(struct connectdata *conn, CURLcode status,
 {
   CURLcode result = CURLE_OK;
   struct SessionHandle *data = conn->data;
-  struct POP3 *pop3 = data->state.proto.pop3;
+  struct POP3 *pop3 = data->req.protop;
 
   (void)premature;
 
@@ -1527,7 +1575,7 @@ static CURLcode pop3_perform(struct connectdata *conn, bool *connected,
 
   if(conn->data->set.opt_no_body) {
     /* Requested no body means no transfer */
-    struct POP3 *pop3 = conn->data->state.proto.pop3;
+    struct POP3 *pop3 = conn->data->req.protop;
     pop3->transfer = FTPTRANSFER_INFO;
   }
 
@@ -1564,15 +1612,6 @@ static CURLcode pop3_do(struct connectdata *conn, bool *done)
 
   *done = FALSE; /* default to false */
 
-  /* Since connections can be re-used between SessionHandles, there might be a
-     connection already existing but on a fresh SessionHandle struct. As such
-     we make sure we have a good POP3 struct to play with. For new connections
-     the POP3 struct is allocated and setup in the pop3_connect() function. */
-  Curl_reset_reqproto(conn);
-  result = pop3_init(conn);
-  if(result)
-    return result;
-
   /* Parse the URL path */
   result = pop3_parse_url_path(conn);
   if(result)
@@ -1686,6 +1725,11 @@ static CURLcode pop3_setup_connection(struct connectdata *conn)
 {
   struct SessionHandle *data = conn->data;
 
+  /* Initialise the POP3 layer */
+  CURLcode result = pop3_init(conn);
+  if(result)
+    return result;
+
   if(conn->bits.httpproxy && !data->set.tunnel_thru_httpproxy) {
     /* Unless we have asked to tunnel POP3 operations through the proxy, we
        switch and use HTTP operations only */
@@ -1701,10 +1745,8 @@ static CURLcode pop3_setup_connection(struct connectdata *conn)
 #endif
     }
 
-    /* We explicitly mark this connection as persistent here as we're doing
-       POP3 over HTTP and thus we accidentally avoid setting this value
-       otherwise */
-    conn->bits.close = FALSE;
+    /* set it up as an HTTP connection instead */
+    return conn->handler->setup_connection(conn);
 #else
     failf(data, "POP3 over http proxy requires HTTP support built-in!");
     return CURLE_UNSUPPORTED_PROTOCOL;
@@ -1746,30 +1788,34 @@ static CURLcode pop3_parse_url_options(struct connectdata *conn)
         pop3c->preftype = POP3_TYPE_APOP;
         pop3c->prefmech = SASL_AUTH_NONE;
       }
-      else if(strequal(value, "LOGIN")) {
+      else if(strequal(value, SASL_MECH_STRING_LOGIN)) {
         pop3c->preftype = POP3_TYPE_SASL;
         pop3c->prefmech = SASL_MECH_LOGIN;
       }
-      else if(strequal(value, "PLAIN")) {
+      else if(strequal(value, SASL_MECH_STRING_PLAIN)) {
         pop3c->preftype = POP3_TYPE_SASL;
         pop3c->prefmech = SASL_MECH_PLAIN;
       }
-      else if(strequal(value, "CRAM-MD5")) {
+      else if(strequal(value, SASL_MECH_STRING_CRAM_MD5)) {
         pop3c->preftype = POP3_TYPE_SASL;
         pop3c->prefmech = SASL_MECH_CRAM_MD5;
       }
-      else if(strequal(value, "DIGEST-MD5")) {
+      else if(strequal(value, SASL_MECH_STRING_DIGEST_MD5)) {
         pop3c->preftype = POP3_TYPE_SASL;
         pop3c->prefmech = SASL_MECH_DIGEST_MD5;
       }
-      else if(strequal(value, "GSSAPI")) {
+      else if(strequal(value, SASL_MECH_STRING_GSSAPI)) {
         pop3c->preftype = POP3_TYPE_SASL;
         pop3c->prefmech = SASL_MECH_GSSAPI;
       }
-      else if(strequal(value, "NTLM")) {
+      else if(strequal(value, SASL_MECH_STRING_NTLM)) {
         pop3c->preftype = POP3_TYPE_SASL;
         pop3c->prefmech = SASL_MECH_NTLM;
       }
+      else if(strequal(value, SASL_MECH_STRING_XOAUTH2)) {
+        pop3c->preftype = POP3_TYPE_SASL;
+        pop3c->prefmech = SASL_MECH_XOAUTH2;
+      }
       else {
         pop3c->preftype = POP3_TYPE_NONE;
         pop3c->prefmech = SASL_AUTH_NONE;
@@ -1792,7 +1838,7 @@ static CURLcode pop3_parse_url_path(struct connectdata *conn)
 {
   /* The POP3 struct is already initialised in pop3_connect() */
   struct SessionHandle *data = conn->data;
-  struct POP3 *pop3 = data->state.proto.pop3;
+  struct POP3 *pop3 = data->req.protop;
   const char *path = data->state.path;
 
   /* URL decode the path for the message ID */
@@ -1809,7 +1855,7 @@ static CURLcode pop3_parse_custom_request(struct connectdata *conn)
 {
   CURLcode result = CURLE_OK;
   struct SessionHandle *data = conn->data;
-  struct POP3 *pop3 = data->state.proto.pop3;
+  struct POP3 *pop3 = data->req.protop;
   const char *custom = data->set.str[STRING_CUSTOMREQUEST];
 
   /* URL decode the custom request */

lib/pop3.h

@@ -43,6 +43,7 @@ typedef enum {
   POP3_AUTH_DIGESTMD5_RESP,
   POP3_AUTH_NTLM,
   POP3_AUTH_NTLM_TYPE2MSG,
+  POP3_AUTH_XOAUTH2,
   POP3_AUTH_FINAL,
   POP3_APOP,
   POP3_USER,

lib/progress.c

@@ -5,7 +5,7 @@
  *                            | (__| |_| |  _ <| |___
  *                             \___|\___/|_| \_\_____|
  *
- * Copyright (C) 1998 - 2012, Daniel Stenberg, <daniel@haxx.se>, et al.
+ * Copyright (C) 1998 - 2013, Daniel Stenberg, <daniel@haxx.se>, et al.
  *
  * This software is licensed as described in the file COPYING, which
  * you should have received as part of this distribution. The terms
@@ -357,12 +357,21 @@ int Curl_pgrsUpdate(struct connectdata *conn)
   } /* Calculations end */
 
   if(!(data->progress.flags & PGRS_HIDE)) {
-
     /* progress meter has not been shut off */
 
-    if(data->set.fprogress) {
-      /* There's a callback set, so we call that instead of writing
-         anything ourselves. This really is the way to go. */
+    if(data->set.fxferinfo) {
+      /* There's a callback set, call that */
+      result= data->set.fxferinfo(data->set.progress_client,
+                                  data->progress.size_dl,
+                                  data->progress.downloaded,
+                                  data->progress.size_ul,
+                                  data->progress.uploaded);
+      if(result)
+        failf(data, "Callback aborted");
+      return result;
+    }
+    else if(data->set.fprogress) {
+      /* The older deprecated callback is set, call that */
       result= data->set.fprogress(data->set.progress_client,
                                   (double)data->progress.size_dl,
                                   (double)data->progress.downloaded,