THANKS: 18 new contributors for 7.37.0

Possibly the final update before release...

Makefile.am

@@ -5,7 +5,7 @@
 #                            | (__| |_| |  _ <| |___
 #                             \___|\___/|_| \_\_____|
 #
-# Copyright (C) 1998 - 2013, Daniel Stenberg, <daniel@haxx.se>, et al.
+# Copyright (C) 1998 - 2014, Daniel Stenberg, <daniel@haxx.se>, et al.
 #
 # This software is licensed as described in the file COPYING, which
 # you should have received as part of this distribution. The terms
@@ -30,28 +30,88 @@ CMake/CurlTests.c CMake/FindOpenSSL.cmake CMake/FindZLIB.cmake		\
 CMake/OtherTests.cmake CMake/Platforms/WindowsCache.cmake		\
 CMake/Utilities.cmake include/curl/curlbuild.h.cmake
 
-VC6LIBDSP = vs/vc6/lib/vc6libcurl.dsp
-VC6LIBDSPHEAD = vs/t/lib/vc6_libcurl_dsp.head
-VC6LIBDSPFOOT = vs/t/lib/vc6_libcurl_dsp.foot
+VC6_LIBTMPL = projects/Windows/VC6/lib/libcurl.tmpl
+VC6_LIBDSP = projects/Windows/VC6/lib/libcurl.dsp
+VC6_LIBDSP_DEPS = $(VC6_LIBTMPL) Makefile.am lib/Makefile.inc
+VC6_SRCTMPL = projects/Windows/VC6/src/curlsrc.tmpl
+VC6_SRCDSP = projects/Windows/VC6/src/curlsrc.dsp
+VC6_SRCDSP_DEPS = $(VC6_SRCTMPL) Makefile.am src/Makefile.inc
 
-VC8LIBPRJ = vs/vc8/lib/vc8libcurl.vcproj
-VC8LIBPRJHEAD = vs/t/lib/vc8_libcurl_prj.head
-VC8LIBPRJFOOT = vs/t/lib/vc8_libcurl_prj.foot
+VC7_LIBTMPL = projects/Windows/VC7/lib/libcurl.tmpl
+VC7_LIBVCPROJ = projects/Windows/VC7/lib/libcurl.vcproj
+VC7_LIBVCPROJ_DEPS = $(VC7_LIBTMPL) Makefile.am lib/Makefile.inc
+VC7_SRCTMPL = projects/Windows/VC7/src/curlsrc.tmpl
+VC7_SRCVCPROJ = projects/Windows/VC7/src/curlsrc.vcproj
+VC7_SRCVCPROJ_DEPS = $(VC7_SRCTMPL) Makefile.am src/Makefile.inc
 
-VC_DIST = \
- vs/t/README \
- $(VC6LIBDSP) $(VC6LIBDSPHEAD) $(VC6LIBDSPFOOT) \
- $(VC8LIBPRJ) $(VC8LIBPRJHEAD) $(VC8LIBPRJFOOT) \
- vs/vc6/vc6curl.dsw \
- vs/vc6/lib/vc6libcurl.dsw \
- vs/vc6/src/vc6curltool.dsw \
- vs/vc6/src/vc6curltool.dsp
+VC71_LIBTMPL = projects/Windows/VC7.1/lib/libcurl.tmpl
+VC71_LIBVCPROJ = projects/Windows/VC7.1/lib/libcurl.vcproj
+VC71_LIBVCPROJ_DEPS = $(VC71_LIBTMPL) Makefile.am lib/Makefile.inc
+VC71_SRCTMPL = projects/Windows/VC7.1/src/curlsrc.tmpl
+VC71_SRCVCPROJ = projects/Windows/VC7.1/src/curlsrc.vcproj
+VC71_SRCVCPROJ_DEPS = $(VC71_SRCTMPL) Makefile.am src/Makefile.inc
 
-VC6LIBDSP_DEPS = $(VC6LIBDSPHEAD) $(VC6LIBDSPFOOT) \
- Makefile.am lib/Makefile.inc
+VC8_LIBTMPL = projects/Windows/VC8/lib/libcurl.tmpl
+VC8_LIBVCPROJ = projects/Windows/VC8/lib/libcurl.vcproj
+VC8_LIBVCPROJ_DEPS = $(VC8_LIBTMPL) Makefile.am lib/Makefile.inc
+VC8_SRCTMPL = projects/Windows/VC8/src/curlsrc.tmpl
+VC8_SRCVCPROJ = projects/Windows/VC8/src/curlsrc.vcproj
+VC8_SRCVCPROJ_DEPS = $(VC8_SRCTMPL) Makefile.am src/Makefile.inc
 
-VC8LIBPRJ_DEPS = $(VC8LIBPRJHEAD) $(VC8LIBPRJFOOT) \
- Makefile.am lib/Makefile.inc
+VC9_LIBTMPL = projects/Windows/VC9/lib/libcurl.tmpl
+VC9_LIBVCPROJ = projects/Windows/VC9/lib/libcurl.vcproj
+VC9_LIBVCPROJ_DEPS = $(VC9_LIBTMPL) Makefile.am lib/Makefile.inc
+VC9_SRCTMPL = projects/Windows/VC9/src/curlsrc.tmpl
+VC9_SRCVCPROJ = projects/Windows/VC9/src/curlsrc.vcproj
+VC9_SRCVCPROJ_DEPS = $(VC9_SRCTMPL) Makefile.am src/Makefile.inc
+
+VC10_LIBTMPL = projects/Windows/VC10/lib/libcurl.tmpl
+VC10_LIBVCXPROJ = projects/Windows/VC10/lib/libcurl.vcxproj
+VC10_LIBVCXPROJ_DEPS = $(VC10_LIBTMPL) Makefile.am lib/Makefile.inc
+VC10_SRCTMPL = projects/Windows/VC10/src/curlsrc.tmpl
+VC10_SRCVCXPROJ = projects/Windows/VC10/src/curlsrc.vcxproj
+VC10_SRCVCXPROJ_DEPS = $(VC10_SRCTMPL) Makefile.am src/Makefile.inc
+
+VC11_LIBTMPL = projects/Windows/VC11/lib/libcurl.tmpl
+VC11_LIBVCXPROJ = projects/Windows/VC11/lib/libcurl.vcxproj
+VC11_LIBVCXPROJ_DEPS = $(VC11_LIBTMPL) Makefile.am lib/Makefile.inc
+VC11_SRCTMPL = projects/Windows/VC11/src/curlsrc.tmpl
+VC11_SRCVCXPROJ = projects/Windows/VC11/src/curlsrc.vcxproj
+VC11_SRCVCXPROJ_DEPS = $(VC11_SRCTMPL) Makefile.am src/Makefile.inc
+
+VC12_LIBTMPL = projects/Windows/VC12/lib/libcurl.tmpl
+VC12_LIBVCXPROJ = projects/Windows/VC12/lib/libcurl.vcxproj
+VC12_LIBVCXPROJ_DEPS = $(VC12_LIBTMPL) Makefile.am lib/Makefile.inc
+VC12_SRCTMPL = projects/Windows/VC12/src/curlsrc.tmpl
+VC12_SRCVCXPROJ = projects/Windows/VC12/src/curlsrc.vcxproj
+VC12_SRCVCXPROJ_DEPS = $(VC12_SRCTMPL) Makefile.am src/Makefile.inc
+
+VC_DIST = projects/README	\
+ projects/build-openssl.bat	\
+ projects/Windows/VC6/curl.dsw	\
+ projects/Windows/VC6/lib/libcurl.dsw $(VC6_LIBDSP)	\
+ projects/Windows/VC6/src/curlsrc.dsw $(VC6_SRCDSP)	\
+ projects/Windows/VC7/curl.sln	\
+ projects/Windows/VC7/lib/libcurl.sln $(VC7_LIBVCPROJ)	\
+ projects/Windows/VC7/src/curlsrc.sln $(VC7_SRCVCPROJ)	\
+ projects/Windows/VC7.1/curl.sln	\
+ projects/Windows/VC7.1/lib/libcurl.sln $(VC71_LIBVCPROJ)	\
+ projects/Windows/VC7.1/src/curlsrc.sln $(VC71_SRCVCPROJ)	\
+ projects/Windows/VC8/curl.sln	\
+ projects/Windows/VC8/lib/libcurl.sln $(VC8_LIBVCPROJ)	\
+ projects/Windows/VC8/src/curlsrc.sln $(VC8_SRCVCPROJ)	\
+ projects/Windows/VC9/curl.sln	\
+ projects/Windows/VC9/lib/libcurl.sln $(VC9_LIBVCPROJ)	\
+ projects/Windows/VC9/src/curlsrc.sln $(VC9_SRCVCPROJ)	\
+ projects/Windows/VC10/curl.sln	\
+ projects/Windows/VC10/lib/libcurl.sln $(VC10_LIBVCXPROJ)	\
+ projects/Windows/VC10/src/curlsrc.sln $(VC10_SRCVCXPROJ)	\
+ projects/Windows/VC11/curl.sln	\
+ projects/Windows/VC11/lib/libcurl.sln $(VC11_LIBVCXPROJ)	\
+ projects/Windows/VC11/src/curlsrc.sln $(VC11_SRCVCXPROJ)	\
+ projects/Windows/VC12/curl.sln	\
+ projects/Windows/VC12/lib/libcurl.sln $(VC12_LIBVCXPROJ)	\
+ projects/Windows/VC12/src/curlsrc.sln $(VC12_SRCVCXPROJ)
 
 WINBUILD_DIST = winbuild/BUILD.WINDOWS.txt winbuild/gen_resp_file.bat	\
  winbuild/MakefileBuild.vc winbuild/Makefile.vc				\
@@ -61,7 +121,10 @@ EXTRA_DIST = CHANGES COPYING maketgz Makefile.dist curl-config.in	\
  RELEASE-NOTES buildconf libcurl.pc.in MacOSX-Framework	\
  $(CMAKE_DIST) $(VC_DIST) $(WINBUILD_DIST) lib/libcurl.vers.in
 
-CLEANFILES = $(VC6LIBDSP) $(VC8LIBPRJ)
+CLEANFILES = $(VC6_LIBDSP) $(VC6_SRCDSP) $(VC7_LIBVCPROJ) $(VC7_SRCVCPROJ)	\
+ $(VC71_LIBVCPROJ) $(VC71_SRCVCPROJ) $(VC8_LIBVCPROJ) $(VC8_SRCVCPROJ)	\
+ $(VC9_LIBVCPROJ) $(VC9_SRCVCPROJ) $(VC10_LIBVCXPROJ) $(VC10_SRCVCXPROJ)	\
+ $(VC11_LIBVCXPROJ) $(VC11_SRCVCXPROJ) $(VC12_LIBVCXPROJ) $(VC12_SRCVCXPROJ)
 
 bin_SCRIPTS = curl-config
 
@@ -71,11 +134,9 @@ DIST_SUBDIRS = $(SUBDIRS) tests packages docs
 pkgconfigdir = $(libdir)/pkgconfig
 pkgconfig_DATA = libcurl.pc
 
-# List of libcurl source files required to generate VC IDE dsp and prj files
+# List of files required to generate VC IDE .dsp, .vcproj and .vcxproj files
 include lib/Makefile.inc
-
-WIN32SOURCES = $(CSOURCES)
-WIN32HEADERS = $(HHEADERS) config-win32.h
+include src/Makefile.inc
 
 dist-hook:
 	rm -rf $(top_builddir)/tests/log
@@ -187,96 +248,249 @@ uninstall-hook:
 	cd docs && $(MAKE) uninstall
 
 ca-bundle: lib/mk-ca-bundle.pl
-	@echo "generate a fresh ca-bundle.crt"
+	@echo "generating a fresh ca-bundle.crt"
 	@perl $< -b -l -u lib/ca-bundle.crt
 
 ca-firefox: lib/firefox-db2pem.sh
-	@echo "generate a fresh ca-bundle.crt"
+	@echo "generating a fresh ca-bundle.crt"
 	./lib/firefox-db2pem.sh lib/ca-bundle.crt
 
 checksrc:
 	cd lib && $(MAKE) checksrc
 	cd src && $(MAKE) checksrc
 
-.PHONY: vc6-ide
+.PHONY: vc-ide
 
-vc6-ide:
-	$(MAKE) $(VC6LIBDSP)
-
-$(VC6LIBDSP): $(VC6LIBDSP_DEPS)
-	@(echo "generating '$(VC6LIBDSP)'"; \
+vc-ide: $(VC6_LIBDSP_DEPS) $(VC6_SRCDSP_DEPS) $(VC7_LIBVCPROJ_DEPS)	\
+ $(VC7_SRCVCPROJ_DEPS) $(VC71_LIBVCPROJ_DEPS) $(VC71_SRCVCPROJ_DEPS)	\
+ $(VC8_LIBVCPROJ_DEPS) $(VC8_SRCVCPROJ_DEPS) $(VC9_LIBVCPROJ_DEPS)	\
+ $(VC9_SRCVCPROJ_DEPS) $(VC10_LIBVCXPROJ_DEPS) $(VC10_SRCVCXPROJ_DEPS)	\
+ $(VC11_LIBVCXPROJ_DEPS) $(VC11_SRCVCXPROJ_DEPS) $(VC12_LIBVCXPROJ_DEPS)	\
+ $(VC12_SRCVCXPROJ_DEPS)
+	@(win32_lib_srcs='$(LIB_CFILES)'; \
+	win32_lib_hdrs='$(LIB_HFILES) config-win32.h'; \
+	win32_lib_rc='$(LIB_RCFILES)'; \
+	win32_lib_vtls_srcs='$(LIB_VTLS_CFILES)'; \
+	win32_lib_vtls_hdrs='$(LIB_VTLS_HFILES)'; \
+	win32_src_srcs='$(CURL_CFILES)'; \
+	win32_src_hdrs='$(CURL_HFILES)'; \
+	win32_src_rc='$(CURL_RCFILES)'; \
 	\
-	for dir in 'vs' 'vs/vc6' 'vs/vc6/lib'; do \
-	  test -d "$$dir" || mkdir "$$dir" || exit 1; \
-	done; \
+	sorted_lib_srcs=`for file in $$win32_lib_srcs; do echo $$file; done | sort`; \
+	sorted_lib_hdrs=`for file in $$win32_lib_hdrs; do echo $$file; done | sort`; \
+	sorted_lib_vtls_srcs=`for file in $$win32_lib_vtls_srcs; do echo $$file; done | sort`; \
+	sorted_lib_vtls_hdrs=`for file in $$win32_lib_vtls_hdrs; do echo $$file; done | sort`; \
+	sorted_src_srcs=`for file in $$win32_src_srcs; do echo $$file; done | sort`; \
+	sorted_src_hdrs=`for file in $$win32_src_hdrs; do echo $$file; done | sort`; \
 	\
-	dir='..\..\..\lib\'; \
-	body='$(VC6LIBDSP)'.body; \
-	win32_srcs='$(WIN32SOURCES)'; \
-	win32_hdrs='$(WIN32HEADERS)'; \
-	sorted_srcs=`for file in $$win32_srcs; do echo $$file; done | sort`; \
-	sorted_hdrs=`for file in $$win32_hdrs; do echo $$file; done | sort`; \
+	awk_code='\
+function gen_element(type, dir, file)\
+{\
+  sub(/vtls\//, "", file);\
+\
+  spaces="    ";\
+  if(dir == "lib\\vtls")\
+    tabs="				";\
+  else\
+    tabs="			";\
+\
+  if(type == "dsp") {\
+    printf("# Begin Source File\r\n");\
+    printf("\r\n");\
+    printf("SOURCE=..\\..\\..\\..\\%s\\%s\r\n", dir, file);\
+    printf("# End Source File\r\n");\
+  }\
+  else if(type == "vcproj1") {\
+    printf("%s<File\r\n", tabs);\
+    printf("%s	RelativePath=\"..\\..\\..\\..\\%s\\%s\">\r\n",\
+           tabs, dir, file);\
+    printf("%s</File>\r\n", tabs);\
+  }\
+  else if(type == "vcproj2") {\
+    printf("%s<File\r\n", tabs);\
+    printf("%s	RelativePath=\"..\\..\\..\\..\\%s\\%s\"\r\n",\
+           tabs, dir, file);\
+    printf("%s>\r\n", tabs);\
+    printf("%s</File>\r\n", tabs);\
+  }\
+  else if(type == "vcxproj") {\
+    i = index(file, ".");\
+    ext = substr(file, i == 0 ? 0 : i + 1);\
+\
+    if(ext == "c")\
+      printf("%s<ClCompile Include=\"..\\..\\..\\..\\%s\\%s\" />\r\n",\
+             spaces, dir, file);\
+    else if(ext == "h")\
+      printf("%s<ClInclude Include=\"..\\..\\..\\..\\%s\\%s\" />\r\n",\
+             spaces, dir, file);\
+    else if(ext == "rc")\
+      printf("%s<ResourceCompile Include=\"..\\..\\..\\..\\%s\\%s\" />\r\n",\
+      spaces, dir, file);\
+  }\
+}\
+\
+{\
+\
+  if($$0 == "CURL_LIB_C_FILES") {\
+    split(lib_srcs, arr);\
+    for(val in arr) gen_element(proj_type, "lib", arr[val]);\
+  }\
+  else if($$0 == "CURL_LIB_H_FILES") {\
+    split(lib_hdrs, arr);\
+    for(val in arr) gen_element(proj_type, "lib", arr[val]);\
+  }\
+  else if($$0 == "CURL_LIB_RC_FILES") {\
+    split(lib_rc, arr);\
+    for(val in arr) gen_element(proj_type, "lib", arr[val]);\
+  }\
+  else if($$0 == "CURL_LIB_VTLS_C_FILES") {\
+    split(lib_vtls_srcs, arr);\
+    for(val in arr) gen_element(proj_type, "lib\\vtls", arr[val]);\
+  }\
+  else if($$0 == "CURL_LIB_VTLS_H_FILES") {\
+    split(lib_vtls_hdrs, arr);\
+    for(val in arr) gen_element(proj_type, "lib\\vtls", arr[val]);\
+  }\
+  else if($$0 == "CURL_SRC_C_FILES") {\
+    split(src_srcs, arr);\
+    for(val in arr) gen_element(proj_type, "src", arr[val]);\
+  }\
+  else if($$0 == "CURL_SRC_H_FILES") {\
+    split(src_hdrs, arr);\
+    for(val in arr) gen_element(proj_type, "src", arr[val]);\
+  }\
+  else if($$0 == "CURL_SRC_RC_FILES") {\
+    split(src_rc, arr);\
+    for(val in arr) gen_element(proj_type, "src", arr[val]);\
+  }\
+  else\
+    printf("%s\r\n", $$0);\
+}';\
 	\
-	echo "# Begin Group \"Source Files\""  > $$body; \
-	echo ""                               >> $$body; \
-	echo "# PROP Default_Filter \"\""     >> $$body; \
-	for file in $$sorted_srcs; do \
-	  echo "# Begin Source File"          >> $$body; \
-	  echo ""                             >> $$body; \
-	  echo "SOURCE="$$dir$$file           >> $$body; \
-	  echo "# End Source File"            >> $$body; \
-	done; \
-	echo "# End Group"                    >> $$body; \
-	echo "# Begin Group \"Header Files\"" >> $$body; \
-	echo ""                               >> $$body; \
-	echo "# PROP Default_Filter \"\""     >> $$body; \
-	for file in $$sorted_hdrs; do \
-	  echo "# Begin Source File"          >> $$body; \
-	  echo ""                             >> $$body; \
-	  echo "SOURCE="$$dir$$file           >> $$body; \
-	  echo "# End Source File"            >> $$body; \
-	done; \
-	echo "# End Group"                    >> $$body; \
+	echo "generating '$(VC6_LIBDSP)'"; \
+	awk -v proj_type=dsp \
+		-v lib_srcs="$$sorted_lib_srcs" \
+		-v lib_hdrs="$$sorted_lib_hdrs" \
+		-v lib_rc="$$win32_lib_rc" \
+		-v lib_vtls_srcs="$$sorted_lib_vtls_srcs" \
+		-v lib_vtls_hdrs="$$sorted_lib_vtls_hdrs" \
+		"$$awk_code" $(srcdir)/$(VC6_LIBTMPL) > $(VC6_LIBDSP) || { exit 1; }; \
 	\
-	awk '{ printf("%s\r\n", $$0); }' \
-	  $(srcdir)/$(VC6LIBDSPHEAD) $$body $(srcdir)/$(VC6LIBDSPFOOT) \
-	  > $(VC6LIBDSP) || { rm -f $$body; exit 1; }; \
+	echo "generating '$(VC6_SRCDSP)'"; \
+	awk -v proj_type=dsp \
+		-v src_srcs="$$sorted_src_srcs" \
+		-v src_hdrs="$$sorted_src_hdrs" \
+		-v src_rc="$$win32_src_rc" \
+		"$$awk_code" $(srcdir)/$(VC6_SRCTMPL) > $(VC6_SRCDSP) || { exit 1; }; \
 	\
-	rm -f $$body)
-
-.PHONY: vc8-ide
-
-vc8-ide:
-	$(MAKE) $(VC8LIBPRJ)
-
-$(VC8LIBPRJ): $(VC8LIBPRJ_DEPS)
-	@(echo "generating '$(VC8LIBPRJ)'"; \
+	echo "generating '$(VC7_LIBVCPROJ)'"; \
+	awk -v proj_type=vcproj1 \
+		-v lib_srcs="$$sorted_lib_srcs" \
+		-v lib_hdrs="$$sorted_lib_hdrs" \
+		-v lib_rc="$$win32_lib_rc" \
+		-v lib_vtls_srcs="$$sorted_lib_vtls_srcs" \
+		-v lib_vtls_hdrs="$$sorted_lib_vtls_hdrs" \
+		"$$awk_code" $(srcdir)/$(VC7_LIBTMPL) > $(VC7_LIBVCPROJ) || { exit 1; }; \
 	\
-	for dir in 'vs' 'vs/vc8' 'vs/vc8/lib'; do \
-	  test -d "$$dir" || mkdir "$$dir" || exit 1; \
-	done; \
+	echo "generating '$(VC7_SRCVCPROJ)'"; \
+	awk -v proj_type=vcproj1 \
+		-v src_srcs="$$sorted_src_srcs" \
+		-v src_hdrs="$$sorted_src_hdrs" \
+		-v src_rc="$$win32_src_rc" \
+		"$$awk_code" $(srcdir)/$(VC7_SRCTMPL) > $(VC7_SRCVCPROJ) || { exit 1; }; \
 	\
-	dir='..\..\..\lib\'; \
-	body='$(VC8LIBPRJ)'.body; \
-	win32_srcs='$(WIN32SOURCES)'; \
-	win32_hdrs='$(WIN32HEADERS)'; \
-	sorted_srcs=`for file in $$win32_srcs; do echo $$file; done | sort`; \
-	sorted_hdrs=`for file in $$win32_hdrs; do echo $$file; done | sort`; \
+	echo "generating '$(VC71_LIBVCPROJ)'"; \
+	awk -v proj_type=vcproj1 \
+		-v lib_srcs="$$sorted_lib_srcs" \
+		-v lib_hdrs="$$sorted_lib_hdrs" \
+		-v lib_rc="$$win32_lib_rc" \
+		-v lib_vtls_srcs="$$sorted_lib_vtls_srcs" \
+		-v lib_vtls_hdrs="$$sorted_lib_vtls_hdrs" \
+		"$$awk_code" $(srcdir)/$(VC71_LIBTMPL) > $(VC71_LIBVCPROJ) || { exit 1; }; \
 	\
-	echo "%tab%%tab%<Filter Name=\"Source Files\">"  > $$body; \
-	for file in $$sorted_srcs; do \
-	  echo "%tab%%tab%%tab%<File RelativePath=\""$$dir$$file"\"></File>" >> $$body; \
-	done; \
-	echo "%tab%%tab%</Filter>"                      >> $$body; \
-	echo "%tab%%tab%<Filter Name=\"Header Files\">" >> $$body; \
-	for file in $$sorted_hdrs; do \
-	  echo "%tab%%tab%%tab%<File RelativePath=\""$$dir$$file"\"></File>" >> $$body; \
-	done; \
-	echo "%tab%%tab%</Filter>"                      >> $$body; \
+	echo "generating '$(VC71_SRCVCPROJ)'"; \
+	awk -v proj_type=vcproj1 \
+		-v src_srcs="$$sorted_src_srcs" \
+		-v src_hdrs="$$sorted_src_hdrs" \
+		-v src_rc="$$win32_src_rc" \
+		"$$awk_code" $(srcdir)/$(VC71_SRCTMPL) > $(VC71_SRCVCPROJ) || { exit 1; }; \
 	\
-	awk '{ gsub(/%tab%/, "\t"); printf("%s\r\n", $$0); }' \
-	  $(srcdir)/$(VC8LIBPRJHEAD) $$body $(srcdir)/$(VC8LIBPRJFOOT) \
-	  > $(VC8LIBPRJ) || { rm -f $$body; exit 1; }; \
+	echo "generating '$(VC8_LIBVCPROJ)'"; \
+	awk -v proj_type=vcproj2 \
+		-v lib_srcs="$$sorted_lib_srcs" \
+		-v lib_hdrs="$$sorted_lib_hdrs" \
+		-v lib_rc="$$win32_lib_rc" \
+		-v lib_vtls_srcs="$$sorted_lib_vtls_srcs" \
+		-v lib_vtls_hdrs="$$sorted_lib_vtls_hdrs" \
+		"$$awk_code" $(srcdir)/$(VC8_LIBTMPL) > $(VC8_LIBVCPROJ) || { exit 1; }; \
 	\
-	rm -f $$body)
-
+	echo "generating '$(VC8_SRCVCPROJ)'"; \
+	awk -v proj_type=vcproj2 \
+		-v src_srcs="$$sorted_src_srcs" \
+		-v src_hdrs="$$sorted_src_hdrs" \
+		-v src_rc="$$win32_src_rc" \
+		"$$awk_code" $(srcdir)/$(VC8_SRCTMPL) > $(VC8_SRCVCPROJ) || { exit 1; }; \
+	\
+	echo "generating '$(VC9_LIBVCPROJ)'"; \
+	awk -v proj_type=vcproj2 \
+		-v lib_srcs="$$sorted_lib_srcs" \
+		-v lib_hdrs="$$sorted_lib_hdrs" \
+		-v lib_rc="$$win32_lib_rc" \
+		-v lib_vtls_srcs="$$sorted_lib_vtls_srcs" \
+		-v lib_vtls_hdrs="$$sorted_lib_vtls_hdrs" \
+		"$$awk_code" $(srcdir)/$(VC9_LIBTMPL) > $(VC9_LIBVCPROJ) || { exit 1; }; \
+	\
+	echo "generating '$(VC9_SRCVCPROJ)'"; \
+	awk -v proj_type=vcproj2 \
+		-v src_srcs="$$sorted_src_srcs" \
+		-v src_hdrs="$$sorted_src_hdrs" \
+		-v src_rc="$$win32_src_rc" \
+		"$$awk_code" $(srcdir)/$(VC9_SRCTMPL) > $(VC9_SRCVCPROJ) || { exit 1; }; \
+	\
+	echo "generating '$(VC10_LIBVCXPROJ)'"; \
+	awk -v proj_type=vcxproj \
+		-v lib_srcs="$$sorted_lib_srcs" \
+		-v lib_hdrs="$$sorted_lib_hdrs" \
+		-v lib_rc="$$win32_lib_rc" \
+		-v lib_vtls_srcs="$$sorted_lib_vtls_srcs" \
+		-v lib_vtls_hdrs="$$sorted_lib_vtls_hdrs" \
+		"$$awk_code" $(srcdir)/$(VC10_LIBTMPL) > $(VC10_LIBVCXPROJ) || { exit 1; }; \
+	\
+	echo "generating '$(VC10_SRCVCXPROJ)'"; \
+	awk -v proj_type=vcxproj \
+		-v src_srcs="$$sorted_src_srcs" \
+		-v src_hdrs="$$sorted_src_hdrs" \
+		-v src_rc="$$win32_src_rc" \
+		"$$awk_code" $(srcdir)/$(VC10_SRCTMPL) > $(VC10_SRCVCXPROJ) || { exit 1; }; \
+	\
+	echo "generating '$(VC11_LIBVCXPROJ)'"; \
+	awk -v proj_type=vcxproj \
+		-v lib_srcs="$$sorted_lib_srcs" \
+		-v lib_hdrs="$$sorted_lib_hdrs" \
+		-v lib_rc="$$win32_lib_rc" \
+		-v lib_vtls_srcs="$$sorted_lib_vtls_srcs" \
+		-v lib_vtls_hdrs="$$sorted_lib_vtls_hdrs" \
+		"$$awk_code" $(srcdir)/$(VC11_LIBTMPL) > $(VC11_LIBVCXPROJ) || { exit 1; }; \
+	\
+	echo "generating '$(VC11_SRCVCXPROJ)'"; \
+	awk -v proj_type=vcxproj \
+		-v src_srcs="$$sorted_src_srcs" \
+		-v src_hdrs="$$sorted_src_hdrs" \
+		-v src_rc="$$win32_src_rc" \
+		"$$awk_code" $(srcdir)/$(VC11_SRCTMPL) > $(VC11_SRCVCXPROJ) || { exit 1; }; \
+	\
+	echo "generating '$(VC12_LIBVCXPROJ)'"; \
+	awk -v proj_type=vcxproj \
+		-v lib_srcs="$$sorted_lib_srcs" \
+		-v lib_hdrs="$$sorted_lib_hdrs" \
+		-v lib_rc="$$win32_lib_rc" \
+		-v lib_vtls_srcs="$$sorted_lib_vtls_srcs" \
+		-v lib_vtls_hdrs="$$sorted_lib_vtls_hdrs" \
+		"$$awk_code" $(srcdir)/$(VC12_LIBTMPL) > $(VC12_LIBVCXPROJ) || { exit 1; }; \
+	\
+	echo "generating '$(VC12_SRCVCXPROJ)'"; \
+	awk -v proj_type=vcxproj \
+		-v src_srcs="$$sorted_src_srcs" \
+		-v src_hdrs="$$sorted_src_hdrs" \
+		-v src_rc="$$win32_src_rc" \
+		"$$awk_code" $(srcdir)/$(VC12_SRCTMPL) > $(VC12_SRCVCXPROJ) || { exit 1; };)

RELEASE-NOTES

@@ -1,68 +1,87 @@
-Curl and libcurl 7.35.0
+Curl and libcurl 7.37.0
 
- Public curl releases:         137
+ Public curl releases:         139
  Command line options:         161
  curl_easy_setopt() options:   206
  Public functions in libcurl:  58
- Known libcurl bindings:       42
- Contributors:                 1104
+ Contributors:                 1137
 
 This release includes the following changes:
 
- o imap/pop3/smtp: Added support for SASL authentication downgrades
- o imap/pop3/smtp: Extended the login options to support multiple auth mechanisms
- o TheArtOfHttpScripting: major update, converted layout and more
- o mprintf: Added support for I, I32 and I64 size specifiers
- o makefile: Added support for VC7, VC11 and VC12
+ o URL parser: IPv6 zone identifiers are now supported
+ o CURLOPT_PROXYHEADER: set headers for proxy-only
+ o CURLOPT_HEADEROPT: added
+ o curl: add --proxy-header
+ o sasl: Added support for DIGEST-MD5 via Windows SSPI
+ o sasl: Added DIGEST-MD5 qop-option validation in native challange handling
+ o imap: Expanded mailbox SEARCH support to use URL query strings [7]
+ o imap: Extended FETCH support to include PARTIAL URL specifier [7]
+ o nss: implement non-blocking SSL handshake
+ o build: Reworked Visual Studio project files
+ o poll: enable poll on darwin13
+ o mk-ca-bundle: added -p
+ o libtests: add a wait_ms() function
 
 This release includes the following bugfixes:
 
- o SECURITY ADVISORY: re-use of wrong HTTP NTLM connection [25]
-
- o curl_easy_setopt: Fixed OAuth 2.0 Bearer option name [1]
- o pop3: Fixed APOP being determined by CAPA response rather than by timestamp
- o Curl_pp_readresp: zero terminate line [2]
- o FILE: don't wait due to CURLOPT_MAX_RECV_SPEED_LARGE [3]
- o docs: mention CURLOPT_MAX_RECV/SEND_SPEED_LARGE don't work for FILE://
- o pop3: Fixed auth preference not being honored when CAPA not supported
- o imap: Fixed auth preference not being honored when CAPABILITY not supported
- o threaded resolver: Use pthread_t * for curl_thread_t [4]
- o FILE: we don't support paused transfers using this protocol [5]
- o connect: Try all addresses in first connection attempt [6]
- o curl_easy_setopt.3: Added SMTP information to CURLOPT_INFILESIZE_LARGE
- o OpenSSL: Fix forcing SSLv3 connections [7]
- o openssl: allow explicit sslv2 selection [8]
- o FTP parselist: fix "total" parser [9]
- o conncache: fix possible dereference of null pointer
- o multi.c: fix possible dereference of null pointer
- o mk-ca-bundle: introduces -d and warns about using this script
- o ConnectionExists: fix NTLM check for new connection [10]
- o trynextip: fix build for non-IPV6 capable systems [11]
- o Curl_updateconninfo: don't do anything for UDP "connections" [12]
- o darwinssl: un-break Leopard build after PKCS#12 change [13]
- o threaded-resolver: never use NULL hints with getaddrinf [14]
- o multi_socket: remind app if timeout didn't run
- o OpenSSL: deselect weak ciphers by default [15]
- o error message: Sensible message on timeout when transfer size unknown [16]
- o curl_easy_setopt.3: mention how to unset CURLOPT_INFILESIZE*
- o win32: Fixed use of deprecated function 'GetVersionInfoEx' for VC12 [17]
- o configure: fix gssapi linking on HP-UX [18]
- o chunked-parser: abort on overflows, allow 64 bit chunks
- o chunked parsing: relax the CR strictness [19]
- o cookie: max-age fixes [20]
- o progress bar: always update when at 100%
- o progress bar: increase update frequency to 10Hz
- o tool: Fixed incorrect return code if command line parser runs out of memory
- o tool: Fixed incorrect return code if password prompting runs out of memory
- o HTTP POST: omit Content-Length if data size is unknown [21]
- o GnuTLS: disable insecure ciphers
- o GnuTLS: honor --slv2 and the --tlsv1[.N] switches
- o multi: Fixed a memory leak on OOM condition
- o netrc: Fixed a memory and file descriptor leak on OOM
- o getpass: fix password parsing from console [22]
- o TFTP: fix crash on time-out [23]
- o hostip: don't remove DNS entries that are in use [24]
- o tests: lots of tests fixed to pass the OOM torture tests
+ o mkhelp: generate code for --disable-manual as well [1]
+ o hostcheck: added a system include to define struct in_addr
+ o winbuild: added warnless.c to fix build
+ o Makefile.vc6: added warnless.c to fix build
+ o smtp: Fixed login denied when server doesn't support AUTH capability [2]
+ o smtp: Fixed login denied with a RFC-821 based server [2]
+ o curl: stop interpreting IPv6 literals as glob patterns
+ o http2: remove _DRAFT09 from the NPN_HTTP2 enum
+ o http2: let openssl mention the exact protocol negotiated
+ o http2+openssl: fix compiler warnings in ALPN using code
+ o ftp: in passive data connect wait for happy eyeballs sockets [3]
+ o HTTP: don't send Content-Length: 0 _and_ Expect: 100-continue [4]
+ o http2: Compile with current nghttp2, which supports h2-11 [5]
+ o http_negotiate_sspi: Fixed compilation when USE_HTTP_NEGOTIATE not defined
+ o strerror: fix comment about vxworks' strerror_r buffer size [6]
+ o url: only use if_nametoindex() if IFNAMSIZ is available
+ o imap: Fixed untagged response detection when no data after command
+ o various: fix possible dereference of null pointer
+ o various: fix use of uninitialized variable
+ o various: fix use of non-null terminated strings
+ o telnet.c: check sscanf results before passing them to snprintf
+ o parsedate.c: check sscanf result before passing it to strlen
+ o sockfilt.c: free memory in case of memory allocation errors
+ o sockfilt.c: ignore non-key-events and continue waiting for input
+ o sockfilt.c: properly handle disk files, pipes and character input
+ o sockfilt.c: fixed getting stuck waiting for MinGW stdin pipe
+ o sockfilt.c: clean up threaded approach and add documentation
+ o configure: use the nghttp2 path correctly with pkg-config [8]
+ o curl_global_init_mem: bump initialized even if already initialized [9]
+ o gtls: fix NULL pointer dereference [10]
+ o cyassl: Use error-ssl.h when available
+ o handler: make 'protocol' always specified as a single bit [11]
+ o INFILESIZE: fields in UserDefined must not be changed run-time
+ o openssl: biomem->data is not zero terminated
+ o config-win32.h: Fixed HAVE_LONGLONG for Visual Studio .NET 2003 and up
+ o curl_ntlm_core: Fixed use of long long for VC6 and VC7
+ o SNI: strip off a single trailing dot from host name [12]
+ o curl: bail on cookie use when built with disabled cookies
+ o curl_easy_setopt.3: added the proto for CURLOPT_SSH_KNOWNHOSTS
+ o curl_multi_cleanup: ignore SIGPIPE better [13]
+ o schannel: don't use the connect-timeout during send [14]
+ o mprintf: allow %.s with data not being zero terminated
+ o tool_help: Fixed missing --login-options option
+ o configure: Don't set LD_LIBRARY_PATH when cross-compiling
+ o http: auth failure on duplicated 'WWW-Authenticate: Negotiate' header [15]
+ o cacertinmem: fix memory leak [16]
+ o lib1506: make sure the transfers are not within the same ms [17]
+ o Makefile.b32: Fixed for vtls changes [18]
+ o sasl: Fixed missing qop in the client's challenge-response message
+ o openssl: unbreak PKCS12 support [19]
+ o darwinssl: fix potential crash with a P12 file [20]
+ o timers: fix timer regression involving redirects / reconnects [21]
+ o CURLINFO_SSL_VERIFYRESULT: made more reliable [22]
+ o HTTP: fixed connection re-use [23]
+ o configure: add SPNEGO to supported features [24]
+ o configure: add GSS-API to supported features [25]
+ o ALPN: fix typo in http/1.1 identifier
+ o http2: make connection re-use work [26]
 
 This release includes the following known bugs:
 
@@ -71,40 +90,41 @@ This release includes the following known bugs:
 This release would not have looked like this without help, code, reports and
 advice from friends like these:
 
-  Abram Pousada, Barry Abrahamson, Björn Stenberg, Cédric Deltheil, Chen Prog,
-  Christian Weisgerber, Colin Hogben, Dan Fandrich, Daniel Stenberg,
-  Fabian Frank, Glenn Sheridan, Guenter Knauf, He Qin, Iida Yosiaki,
-  Jeff Hodges, Justin Maggard, Leif W, Luke Dashjr, Maks Naumov, Marc Hoersken,
-  Michael Osipov, Michal Górny and Anthony G. Basile, Mohammad AlSaleh,
-  Nick Zitzmann, Paras Sethia, Petr Novak, Priyanka Shah, Romulo A. Ceccon,
-  Steve Holme, Tobias Markus, Viktor Szakáts, Yehezkel Horowitz, Yingwei Liu
+  Aaro Koskinen, Cody Mack, Damian Dixon, Dan Fandrich, Daniel Johnson,
+  Daniel Stenberg, David Woodhouse, Dilyan Palauzov, Fabian Frank,
+  Ivo Bellin Salarin, Jeff King, Jeroen Koekkoek, Jon Torrey, Kamil Dudka,
+  Larry Lin, Leon Winter, Maciej Puzio, Marc Hoersken, Michael Osipov,
+  Nick Zitzmann, Patrick Watson, Paul Marks, Radu Simionescu, Remi Gacogne,
+  Ryan Braud, Steve Holme, Tatsuhiro Tsujikawa, Till Maas, Tom Sparrow,
+  Török Edwin, Vijay Panghal,
 
         Thanks! (and sorry if I forgot to mention someone)
 
 References to bug reports and discussions on issues:
 
- [1] = http://curl.haxx.se/bug/view.cgi?id=1313
- [2] = http://curl.haxx.se/mail/lib-2013-12/0113.html
- [3] = http://curl.haxx.se/bug/view.cgi?id=1312
- [4] = http://curl.haxx.se/bug/view.cgi?id=1314
- [5] = http://curl.haxx.se/bug/view.cgi?id=1286
- [6] = http://curl.haxx.se/bug/view.cgi?id=1315
- [7] = http://curl.haxx.se/mail/lib-2014-01/0002.html
- [8] = http://curl.haxx.se/mail/lib-2014-01/0013.html
- [9] = http://curl.haxx.se/mail/lib-2014-01/0019.html
- [10] = http://curl.haxx.se/mail/lib-2014-01/0046.html
- [11] = http://curl.haxx.se/bug/view.cgi?id=1322
- [12] = http://curl.haxx.se/mail/archive-2014-01/0016.html
- [13] = http://curl.haxx.se/mail/lib-2013-12/0150.html
- [14] = http://curl.haxx.se/mail/lib-2014-01/0061.html
- [15] = http://curl.haxx.se/bug/view.cgi?id=1323
- [16] = http://curl.haxx.se/mail/lib-2014-01/0115.html
- [17] = http://curl.haxx.se/mail/lib-2014-01/0134.html
- [18] = http://curl.haxx.se/bug/view.cgi?id=1321
- [19] = http://curl.haxx.se/mail/archive-2014-01/0000.html
- [20] = http://curl.haxx.se/mail/lib-2014-01/0130.html
- [21] = http://curl.haxx.se/mail/lib-2014-01/0103.html
- [22] = https://github.com/bagder/curl/pull/87
- [23] = http://curl.haxx.se/mail/lib-2014-01/0246.html
- [24] = http://curl.haxx.se/bug/view.cgi?id=1327
- [25] = http://curl.haxx.se/docs/adv_20140129.html
+ [1] = http://curl.haxx.se/bug/view.cgi?id=1350
+ [2] = http://curl.haxx.se/mail/lib-2014-03/0173.html
+ [3] = http://curl.haxx.se/mail/lib-2014-02/0135.html (ruined)
+ [4] = http://curl.haxx.se/bug/view.cgi?id=1349
+ [5] = http://curl.haxx.se/mail/lib-2014-04/0053.html
+ [6] = http://curl.haxx.se/mail/lib-2014-04/0063.html
+ [7] = http://curl.haxx.se/mail/lib-2014-04/0067.html
+ [8] = http://curl.haxx.se/mail/lib-2014-04/0159.html
+ [9] = http://curl.haxx.se/bug/view.cgi?id=1362
+ [10] = http://curl.haxx.se/mail/lib-2014-04/0145.html
+ [11] = https://github.com/bagder/curl/pull/97
+ [12] = http://curl.haxx.se/mail/lib-2014-04/0161.html
+ [13] = http://thread.gmane.org/gmane.comp.version-control.git/238242
+ [14] = http://curl.haxx.se/bug/view.cgi?id=1352
+ [15] = https://bugzilla.redhat.com/1093348
+ [16] = http://curl.haxx.se/bug/view.cgi?id=1368
+ [17] = http://curl.haxx.se/mail/lib-2014-05/0081.html
+ [18] = http://curl.haxx.se/mail/lib-2014-05/0025.html
+ [19] = http://curl.haxx.se/bug/view.cgi?id=1371
+ [20] = http://curl.haxx.se/bug/view.cgi?id=1369
+ [21] = http://curl.haxx.se/mail/lib-2014-05/0147.html
+ [22] = http://curl.haxx.se/mail/lib-2014-04/0203.html
+ [23] = http://curl.haxx.se/mail/lib-2014-05/0127.html
+ [24] = http://curl.haxx.se/bug/view.cgi?id=1343
+ [25] = http://curl.haxx.se/bug/view.cgi?id=1344
+ [26] = http://curl.haxx.se/bug/view.cgi?id=1374

configure.ac

@@ -1173,26 +1173,26 @@ dnl **********************************************************************
 dnl Check for GSS-API libraries
 dnl **********************************************************************
 
-dnl check for gss stuff in the /usr as default
+dnl check for GSS-API stuff in the /usr as default
 
 GSSAPI_ROOT="/usr"
 AC_ARG_WITH(gssapi-includes,
   AC_HELP_STRING([--with-gssapi-includes=DIR],
-                 [Specify location of GSSAPI header]),
+                 [Specify location of GSS-API headers]),
   [ GSSAPI_INCS="-I$withval"
     want_gss="yes" ]
 )
 
 AC_ARG_WITH(gssapi-libs,
   AC_HELP_STRING([--with-gssapi-libs=DIR],
-                 [Specify location of GSSAPI libs]),
+                 [Specify location of GSS-API libs]),
   [ GSSAPI_LIB_DIR="-L$withval"
     want_gss="yes" ]
 )
 
 AC_ARG_WITH(gssapi,
   AC_HELP_STRING([--with-gssapi=DIR],
-                 [Where to look for GSSAPI]), [
+                 [Where to look for GSS-API]), [
   GSSAPI_ROOT="$withval"
   if test x"$GSSAPI_ROOT" != xno; then
     want_gss="yes"
@@ -1204,7 +1204,7 @@ AC_ARG_WITH(gssapi,
 ])
 
 save_CPPFLAGS="$CPPFLAGS"
-AC_MSG_CHECKING([if GSSAPI support is requested])
+AC_MSG_CHECKING([if GSS-API support is requested])
 if test x"$want_gss" = xyes; then
   AC_MSG_RESULT(yes)
 
@@ -1221,7 +1221,7 @@ if test x"$want_gss" = xyes; then
   AC_CHECK_HEADER(gss.h,
     [
       dnl found in the given dirs
-      AC_DEFINE(HAVE_GSSGNU, 1, [if you have the GNU gssapi libraries])
+      AC_DEFINE(HAVE_GSSGNU, 1, [if you have GNU GSS])
       gnu_gss=yes
     ],
     [
@@ -1242,19 +1242,19 @@ AC_INCLUDES_DEFAULT
         AC_CHECK_HEADER(gssapi.h,
             [
               dnl found
-              AC_DEFINE(HAVE_GSSHEIMDAL, 1, [if you have the Heimdal gssapi libraries])
+              AC_DEFINE(HAVE_GSSHEIMDAL, 1, [if you have Heimdal])
             ],
             [
               dnl no header found, disabling GSS
               want_gss=no
-              AC_MSG_WARN(disabling GSSAPI since no header files was found)
+              AC_MSG_WARN(disabling GSS-API support since no header files were found)
             ]
           )
       else
         dnl MIT found
-        AC_DEFINE(HAVE_GSSMIT, 1, [if you have the MIT gssapi libraries])
-        dnl check if we have a really old MIT kerberos (<= 1.2)
-        AC_MSG_CHECKING([if gssapi headers declare GSS_C_NT_HOSTBASED_SERVICE])
+        AC_DEFINE(HAVE_GSSMIT, 1, [if you have MIT Kerberos])
+        dnl check if we have a really old MIT Kerberos version (<= 1.2)
+        AC_MSG_CHECKING([if GSS-API headers declare GSS_C_NT_HOSTBASED_SERVICE])
         AC_COMPILE_IFELSE([
           AC_LANG_PROGRAM([[
 #include <gssapi/gssapi.h>
@@ -1272,7 +1272,7 @@ AC_INCLUDES_DEFAULT
         ],[
           AC_MSG_RESULT([no])
           AC_DEFINE(HAVE_OLD_GSSMIT, 1,
-            [if you have an old MIT gssapi library, lacking GSS_C_NT_HOSTBASED_SERVICE])
+            [if you have an old MIT Kerberos version, lacking GSS_C_NT_HOSTBASED_SERVICE])
         ])
       fi
     ]
@@ -1281,9 +1281,9 @@ else
   AC_MSG_RESULT(no)
 fi
 if test x"$want_gss" = xyes; then
-  AC_DEFINE(HAVE_GSSAPI, 1, [if you have the gssapi libraries])
+  AC_DEFINE(HAVE_GSSAPI, 1, [if you have GSS-API libraries])
 
-  curl_gss_msg="enabled (MIT/Heimdal)"
+  curl_gss_msg="enabled (MIT Kerberos/Heimdal)"
 
   if test -n "$gnu_gss"; then
     curl_gss_msg="enabled (GNU GSS)"
@@ -1594,7 +1594,10 @@ if test "$curl_ssl_msg" = "$init_ssl_msg" && test X"$OPT_SSL" != Xno; then
                     ENGINE_cleanup \
                     CRYPTO_cleanup_all_ex_data \
                     SSL_get_shutdown \
-                    SSLv2_client_method )
+                    SSLv2_client_method \
+                    SSL_CTX_set_next_proto_select_cb \
+                    SSL_CTX_set_alpn_protos \
+                    SSL_CTX_set_alpn_select_cb )
 
     dnl Make an attempt to detect if this is actually yassl's headers and
     dnl OpenSSL emulation layer. We still leave everything else believing
@@ -2000,6 +2003,9 @@ if test "$curl_ssl_msg" = "$init_ssl_msg"; then
       dnl cyassl/ctaocrypt/types.h needs SIZEOF_LONG_LONG defined!
       AC_CHECK_SIZEOF(long long)
 
+      dnl Versions since at least 2.9.4 renamed error.h to error-ssl.h
+      AC_CHECK_HEADERS(cyassl/error-ssl.h)
+
       LIBS="-lcyassl -lm $LIBS"
 
       if test -n "$cyassllib"; then
@@ -2161,10 +2167,11 @@ if test "$curl_ssl_msg" = "$init_ssl_msg"; then
       USE_AXTLS="yes"
       curl_ssl_msg="enabled (axTLS)"
 
-
-      LD_LIBRARY_PATH="$LD_LIBRARY_PATH:$LIB_AXTLS"
-      export LD_LIBRARY_PATH
-      AC_MSG_NOTICE([Added $LIB_AXTLS to LD_LIBRARY_PATH])
+      if test "x$cross_compiling" != "xyes"; then
+        LD_LIBRARY_PATH="$LD_LIBRARY_PATH:$LIB_AXTLS"
+        export LD_LIBRARY_PATH
+        AC_MSG_NOTICE([Added $LIB_AXTLS to LD_LIBRARY_PATH])
+      fi
       ],[
       LDFLAGS="$CLEANLDFLAGS"
       CPPFLAGS="$CLEANCPPFLAGS"
@@ -2466,19 +2473,19 @@ AC_HELP_STRING([--disable-versioned-symbols], [Disable versioned symbols in shar
         AC_MSG_RESULT(yes)
         if test "x$OPENSSL_ENABLED" = "x1"; then
           versioned_symbols_flavour="OPENSSL_"
-        elif test "x$GNUTLS_ENABLED" == "x1"; then
+        elif test "x$GNUTLS_ENABLED" = "x1"; then
           versioned_symbols_flavour="GNUTLS_"
-        elif test "x$NSS_ENABLED" == "x1"; then
+        elif test "x$NSS_ENABLED" = "x1"; then
           versioned_symbols_flavour="NSS_"
-        elif test "x$POLARSSL_ENABLED" == "x1"; then
+        elif test "x$POLARSSL_ENABLED" = "x1"; then
           versioned_symbols_flavour="POLARSSL_"
-        elif test "x$CYASSL_ENABLED" == "x1"; then
+        elif test "x$CYASSL_ENABLED" = "x1"; then
           versioned_symbols_flavour="CYASSL_"
-        elif test "x$AXTLS_ENABLED" == "x1"; then
+        elif test "x$AXTLS_ENABLED" = "x1"; then
           versioned_symbols_flavour="AXTLS_"
-        elif test "x$WINSSL_ENABLED" == "x1"; then
+        elif test "x$WINSSL_ENABLED" = "x1"; then
           versioned_symbols_flavour="WINSSL_"
-        elif test "x$DARWINSSL_ENABLED" == "x1"; then
+        elif test "x$DARWINSSL_ENABLED" = "x1"; then
           versioned_symbols_flavour="DARWINSSL_"
         else
           versioned_symbols_flavour=""
@@ -2696,7 +2703,7 @@ if test "$want_idn" = "yes"; then
     if test "x$ac_cv_header_tld_h" = "xyes"; then
       AC_SUBST([IDN_ENABLED], [1])
       curl_idn_msg="enabled"
-      if test -n "$IDN_DIR"; then
+      if test -n "$IDN_DIR" -a "x$cross_compiling" != "xyes"; then
         LD_LIBRARY_PATH="$LD_LIBRARY_PATH:$IDN_DIR"
         export LD_LIBRARY_PATH
         AC_MSG_NOTICE([Added $IDN_DIR to LD_LIBRARY_PATH])
@@ -2734,13 +2741,12 @@ AC_HELP_STRING([--without-nghttp2],[Disable nghttp2 usage]),
 case "$OPT_H2" in
   no)
     dnl --without-nghttp2 option used
-    want_idn="no"
+    want_h2="no"
     AC_MSG_RESULT([no])
     ;;
   default)
     dnl configure option not specified
     want_h2="no"
-    want_h2_path="default"
     AC_MSG_RESULT([no])
     ;;
   yes)
@@ -2752,31 +2758,30 @@ case "$OPT_H2" in
   *)
     dnl --with-nghttp2 option used with path
     want_h2="yes"
-    want_h2_path="$withval"
+    want_h2_path="$withval/lib/pkgconfig"
     AC_MSG_RESULT([yes ($withval)])
     ;;
 esac
 
 curl_h2_msg="disabled (--with-nghttp2)"
-if test X"$OPT_H2" != Xno; then
-  dnl backup the pre-librtmp variables
+if test X"$want_h2" != Xno; then
+  dnl backup the pre-nghttp2 variables
   CLEANLDFLAGS="$LDFLAGS"
   CLEANCPPFLAGS="$CPPFLAGS"
   CLEANLIBS="$LIBS"
 
-  h2pcdir=${want_h2_path}/lib/pkgconfig
-  CURL_CHECK_PKGCONFIG(libnghttp2, $h2pcdir)
+  CURL_CHECK_PKGCONFIG(libnghttp2, $want_h2_path)
 
   if test "$PKGCONFIG" != "no" ; then
-    LIB_H2=`CURL_EXPORT_PCDIR([$h2pcdir])
+    LIB_H2=`CURL_EXPORT_PCDIR([$want_h2_path])
       $PKGCONFIG --libs-only-l libnghttp2`
     AC_MSG_NOTICE([-l is $LIB_H2])
 
-    CPP_H2=`CURL_EXPORT_PCDIR([$h2pcdir]) dnl
+    CPP_H2=`CURL_EXPORT_PCDIR([$want_h2_path]) dnl
       $PKGCONFIG --cflags-only-I libnghttp2`
     AC_MSG_NOTICE([-I is $CPP_H2])
 
-    LD_H2=`CURL_EXPORT_PCDIR([$h2pcdir])
+    LD_H2=`CURL_EXPORT_PCDIR([$want_h2_path])
       $PKGCONFIG --libs-only-L libnghttp2`
     AC_MSG_NOTICE([-L is $LD_H2])
 
@@ -3246,6 +3251,7 @@ AC_HELP_STRING([--disable-crypto-auth],[Disable cryptographic authentication]),
   no)
        AC_MSG_RESULT(no)
        AC_DEFINE(CURL_DISABLE_CRYPTO_AUTH, 1, [to disable cryptographic authentication])
+       CURL_DISABLE_CRYPTO_AUTH=1
        ;;
   *)   AC_MSG_RESULT(yes)
        ;;
@@ -3379,7 +3385,8 @@ fi
 if test "x$USE_WINDOWS_SSPI" = "x1"; then
   SUPPORT_FEATURES="$SUPPORT_FEATURES SSPI"
 fi
-if test "x$CURL_DISABLE_HTTP" != "x1"; then
+if test "x$CURL_DISABLE_HTTP" != "x1" -a \
+	"x$CURL_DISABLE_CRYPTO_AUTH" != "x1"; then
   if test "x$USE_SSLEAY" = "x1" -o "x$USE_WINDOWS_SSPI" = "x1" \
       -o "x$GNUTLS_ENABLED" = "x1" -o "x$NSS_ENABLED" = "x1" \
       -o "x$DARWINSSL_ENABLED" = "x1"; then
@@ -3396,6 +3403,12 @@ fi
 if test "x$USE_NGHTTP2" = "x1"; then
   SUPPORT_FEATURES="$SUPPORT_FEATURES HTTP2"
 fi
+if test "x$curl_spnego_msg" = "xenabled"; then
+  SUPPORT_FEATURES="$SUPPORT_FEATURES SPNEGO"
+fi
+if test "x$want_gss" = "xyes"; then
+  SUPPORT_FEATURES="$SUPPORT_FEATURES GSS-API"
+fi
 
 AC_SUBST(SUPPORT_FEATURES)
 
@@ -3542,7 +3555,7 @@ AC_MSG_NOTICE([Configured to build curl/libcurl:
   SSL support:      ${curl_ssl_msg}
   SSH support:      ${curl_ssh_msg}
   zlib support:     ${curl_zlib_msg}
-  GSSAPI support:   ${curl_gss_msg}
+  GSS-API support:  ${curl_gss_msg}
   SPNEGO support:   ${curl_spnego_msg}
   TLS-SRP support:  ${curl_tls_srp_msg}
   resolver:         ${curl_res_msg}

docs/CONTRIBUTE

@@ -278,6 +278,10 @@
       [full description, no wider than 72 columns that describe as much as
       possible as to why this change is made, and possibly what things
       it fixes and everything else that is related]
+
+      [Bug: link to source of the report or more related discussion]
+      [Reported-by: John Doe - credit the reporter]
+      [whatever-else-by: credit all helpers, finders, doers]
       ---- stop ----
 
  Don't forget to use commit --author="" if you commit someone else's work,

docs/DISTRO-DILEMMA

@@ -59,7 +59,7 @@ GnuTLS
  OpenSSL does. Now, you can build and distribute an TLS/SSL capable libcurl
  without including any Original BSD licensed code.
 
- I believe Debian is the first (only?) distro that provides libcurl/GnutTLS
+ I believe Debian is the first (only?) distro that provides libcurl/GnuTLS
  packages.
 
 yassl
@@ -72,20 +72,20 @@ GnuTLS vs OpenSSL vs yassl
 
  While these three libraries offer similar features, they are not equal.
  libcurl does not (yet) offer a standardized stable ABI if you decide to
- switch from using libcurl-openssl to libcurl-gnutls or vice versa. The GnuTLS
+ switch from using libcurl-openssl to libcurl-gnutls or vice-versa. The GnuTLS
  and yassl support is very recent in libcurl and it has not been tested nor
  used very extensively, while the OpenSSL equivalent code has been used and
  thus matured since 1999.
 
  GnuTLS
-   - LGPL licensened
+   - LGPL licensed
    - supports SRP
    - lacks SSLv2 support
    - lacks MD2 support (used by at least some CA certs)
    - lacks the crypto functions libcurl uses for NTLM
 
  OpenSSL
-   - Original BSD licensened
+   - Original BSD licensed
    - lacks SRP
    - supports SSLv2
    - older and more widely used

docs/FAQ

@@ -99,6 +99,7 @@ FAQ
   5.15 How do I get an FTP directory listing?
   5.16 I want a different time-out!
   5.17 Can I write a server with libcurl?
+  5.18 Does libcurl use threads?
 
  6. License Issues
   6.1 I have a GPL program, can I use the libcurl library?
@@ -1365,6 +1366,19 @@ FAQ
   server for. And there are really good stand-alone ones that have been tested
   and proven for many years. There's no need for you to reinvent them!
 
+  5.18 Does libcurl use threads?
+
+  Put simply: no, libcurl will execute in the same thread you call it in. All
+  callbacks will be called in the same thread as the one you call libcurl in.
+
+  If you want to avoid your thread to be blocked by the libcurl call, you make
+  sure you use the non-blocking API which will do transfers asynchronously -
+  but still in the same single thread.
+
+  libcurl will potentially internally use threads for name resolving, if it
+  was built to work like that, but in those cases it'll create the child
+  threads by itself and they will only be used and then killed internally by
+  libcurl and never exposed to the outside.
 
 6. License Issues
 

docs/FEATURES

@@ -55,7 +55,7 @@ HTTP
  - reads/writes the netscape cookie file format
  - custom headers (replace/remove internally generated headers)
  - custom user-agent string
- - custom referer string
+ - custom referrer string
  - range
  - proxy authentication
  - time conditions
@@ -161,8 +161,8 @@ IMAP
  - SASL based authentication: Plain, Login, CRAM-MD5, Digest-MD5 and
    NTLM (*9)
  - list the folders of a mailbox
- - select a mailbox with support for verifing the UIDVALIDITY
- - fetch e-mails with support for specifing the UID and SECTION
+ - select a mailbox with support for verifying the UIDVALIDITY
+ - fetch e-mails with support for specifying the UID and SECTION
  - upload e-mails via the append command
  - enhanced command support for: EXAMINE, CREATE, DELETE, RENAME, STATUS,
    STORE, COPY and UID via custom requests

docs/INSTALL

@@ -115,18 +115,6 @@ UNIX
 
        ./configure --disable-thread
 
-     To build curl with kerberos4 support enabled, curl requires the krb4 libs
-     and headers installed. You can then use a set of options to tell
-     configure where those are:
-
-          --with-krb4-includes[=DIR]   Specify location of kerberos4 headers
-          --with-krb4-libs[=DIR]       Specify location of kerberos4 libs
-          --with-krb4[=DIR]            where to look for Kerberos4
-
-     In most cases, /usr/athena is the install prefix and then it works with
-
-       ./configure --with-krb4=/usr/athena
-
      If you're a curl developer and use gcc, you might want to enable more
      debug options with the --enable-debug option.
 
@@ -264,8 +252,10 @@ Win32
    MSVC 6 caveats
    --------------
 
-   If you use MSVC 6 it is required that you use the February 2003 edition PSDK:
-   http://www.microsoft.com/msdownload/platformsdk/sdkupdate/psdk-full.htm
+   If you use MSVC 6 it is required that you use the February 2003 edition of
+   the 'Platform SDK' which can be downloaded from:
+
+   http://www.microsoft.com/en-us/download/details.aspx?id=12261
 
    Building any software with MSVC 6 without having PSDK installed is just
    asking for trouble down the road once you have released it, you might notice
@@ -273,8 +263,6 @@ Win32
    choice of static vs dynamic runtime and third party libraries. Anyone using
    software built in such way will at some point regret having done so.
 
-   When someone uses MSVC 6 without PSDK he is using a compiler back from 1998.
-
    If the compiler has been updated with the installation of a service pack as
    those mentioned in http://support.microsoft.com/kb/194022 the compiler can be
    safely used to read source code, translate and make it object code.
@@ -284,13 +272,6 @@ Win32
    header files and libraries with bugs and security issues which have already
    been addressed and fixed long time ago.
 
-   In order to make use of the updated system headers and fixed libraries
-   for MSVC 6, it is required that 'Platform SDK', PSDK from now onwards,
-   is installed. The specific PSDK that must be installed for MSVC 6 is the
-   February 2003 edition, which is the latest one supporting the MSVC 6 compiler,
-   this PSDK is also known as 'Windows Server 2003 PSDK' and can be downloaded
-   from http://www.microsoft.com/msdownload/platformsdk/sdkupdate/psdk-full.htm
-
    So, building curl and libcurl with MSVC 6 without PSDK is absolutely
    discouraged for the benefit of anyone using software built in such
    environment. And it will not be supported in any way, as we could just
@@ -352,39 +333,18 @@ Win32
    at runtime.
    Run 'nmake vc-ssl-zlib' to build with both ssl and zlib support.
 
-   MSVC 6 IDE
-   ----------
+   MSVC IDE
+   --------
 
-   A minimal VC++ 6.0 reference workspace (vc6curl.dsw) is available with the
-   source distribution archive to allow proper building of the two included
-   projects, the libcurl library and the curl tool.
+   A fairly comprehensive set of Visual Studio project files are available for
+   v6.0 through v12.0 and are located in the projects folder to allow proper
+   building of both the libcurl library as well as the curl tool.
 
-   1) Open the vs/vc6/vc6curl.dsw workspace with MSVC6's IDE.
-   2) Select 'Build' from top menu.
-   3) Select 'Batch Build' from dropdown menu.
-   4) Make sure that the eight project configurations are 'checked'.
-   5) Click on the 'Build' button.
-   6) Once the eight project configurations are built you are done.
-
-   Dynamic and static libcurl libraries are built in debug and release flavours,
-   and can be located each one in its own subdirectory, dll-debug, dll-release,
-   lib-debug and lib-release, all of them below the 'vs/vc6/lib' subdirectory.
-
-   In the same way four curl executables are created, each using its respective
-   library. The resulting curl executables are located in its own subdirectory,
-   dll-debug, dll-release, lib-debug and lib-release, below 'vs/vc6/src' subdir.
-
-   These reference VC++ 6.0 configurations are generated using the dynamic CRT.
-
-   Intentionally, these reference VC++ 6.0 projects and configurations don't use
-   third party libraries, such as OpenSSL or Zlib, to allow proper compilation
-   and configuration for all new users without further requirements.
-
-   If you need something more 'involved' you might adjust them for your own use,
-   or explore the world of makefiles described above 'MSVC from command line'.
+   For more information about these projects and building via Visual Studio
+   please see the README file located in the projects folder.
 
    Borland C++ compiler
-   ---------------------
+   --------------------
 
    Ensure that your build environment is properly set up to use the compiler
    and associated tools. PATH environment variable must include the path to
@@ -1013,7 +973,7 @@ REDUCING SIZE
 
    Using these techniques it is possible to create a basic HTTP-only shared
    libcurl library for i386 Linux platforms that is only 114 KiB in size, and
-   an FTP-only library that is 115 KiB in size (as of libcurl version 7.34.1,
+   an FTP-only library that is 115 KiB in size (as of libcurl version 7.35.0,
    using gcc 4.8.2).
 
    You may find that statically linking libcurl to your application will
@@ -1026,7 +986,6 @@ REDUCING SIZE
    command line.  Following is a list of appropriate key words:
 
      --disable-cookies          !cookies
-     --disable-crypto-auth      !HTTP\ Digest\ auth !HTTP\ proxy\ Digest\ auth
      --disable-manual           !--manual
      --disable-proxy            !HTTP\ proxy !proxytunnel !SOCKS4 !SOCKS5
 

docs/INSTALL.cmake

@@ -71,7 +71,7 @@ Command Line CMake
 
     $ make install
 
-    (The teste suit does not work with the cmake build)
+    (The test suite does not work with the cmake build)
 
 ccmake
 =========

docs/INTERNALS

@@ -45,6 +45,7 @@ Portability
  qsossl       V5R3M0
  NSS          3.14.x
  axTLS        1.2.7
+ PolarSSL     1.3.0
  Heimdal      ?
 
  On systems where configure runs, we aim at working on them all - if they have
@@ -300,7 +301,7 @@ Persistent Connections
  o When libcurl is told to perform a transfer, it first checks for an already
    existing connection in the cache that we can use. Otherwise it creates a
    new one and adds that the cache. If the cache is full already when a new
-   conncetion is added added, it will first close the oldest unused one.
+   connection is added added, it will first close the oldest unused one.
  o When the transfer operation is complete, the connection is left
    open. Particular options may tell libcurl not to, and protocols may signal
    closure on connections and then they won't be kept open of course.

docs/KNOWN_BUGS

@@ -6,13 +6,13 @@ may have been fixed since this was written!
 87. -J/--remote-header-name doesn't decode %-encoded file names. RFC6266
   details how it should be done. The can of worm is basically that we have no
   charset handling in curl and ascii >=128 is a challenge for us. Not to
-  mention that decoding also means that we need to check for nastyness that is
+  mention that decoding also means that we need to check for nastiness that is
   attempted, like "../" sequences and the like. Probably everything to the left
   of any embedded slashes should be cut off.
   http://curl.haxx.se/bug/view.cgi?id=1294
 
 86. The disconnect commands (LOGOUT and QUIT) may not be sent by IMAP, POP3
-  and SMTP if a failure occures during the authentication phase of a
+  and SMTP if a failure occurs during the authentication phase of a
   connection.
 
 85. Wrong STARTTRANSFER timer accounting for POST requests
@@ -38,9 +38,9 @@ may have been fixed since this was written!
   such in the build.
   http://curl.haxx.se/bug/view.cgi?id=1222
 
-81. When using -J (with -O), automaticly resumed downloading together with "-C
-  -" fails. Without -J the same command line works! This happens because the
-  resume logic is worked out before the target file name (and thus its
+81. When using -J (with -O), automatically resumed downloading together with
+  "-C -" fails. Without -J the same command line works! This happens because
+  the resume logic is worked out before the target file name (and thus its
   pre-transfer size) has been figured out!
   http://curl.haxx.se/bug/view.cgi?id=1169
 
@@ -180,16 +180,7 @@ may have been fixed since this was written!
   --cflags suffers from the same effects with CFLAGS/CPPFLAGS.
 
 30. You need to use -g to the command line tool in order to use RFC2732-style
-  IPv6 numerical addresses in URLs.
-
-29. IPv6 URLs with zone ID is not nicely supported.
-  http://www.ietf.org/internet-drafts/draft-fenner-literal-zone-02.txt (expired)
-  specifies the use of a plus sign instead of a percent when specifying zone
-  IDs in URLs to get around the problem of percent signs being
-  special. According to the reporter, Firefox deals with the URL _with_ a
-  percent letter (which seems like a blatant URL spec violation).
-  libcurl supports zone IDs where the percent sign is URL-escaped (i.e. %25):
-  http://curl.haxx.se/bug/view.cgi?id=555
+  or RFC6874-style IPv6 numerical addresses in URLs.
 
 26. NTLM authentication using SSPI (on Windows) when (lib)curl is running in
   "system context" will make it use wrong(?) user name - at least when compared

docs/LIBCURL-STRUCTS

@@ -47,7 +47,7 @@ for older and later versions as things don't change drastically that often.
   ->mstate is the multi state of this particular SessionHandle. When
   multi_runsingle() is called, it will act on this handle according to which
   state it is in. The mstate is also what tells which sockets to return for a
-  speicific SessionHandle when curl_multi_fdset() is called etc.
+  specific SessionHandle when curl_multi_fdset() is called etc.
 
   The libcurl source code generally use the name 'data' for the variable that
   points to the SessionHandle.
@@ -60,7 +60,7 @@ for older and later versions as things don't change drastically that often.
   re-use an existing one instead of creating a new as it creates a significant
   performance boost.
 
-  Each 'connectdata' identifies a single physical conncetion to a server. If
+  Each 'connectdata' identifies a single physical connection to a server. If
   the connection can't be kept alive, the connection will be closed after use
   and then this struct can be removed from the cache and freed.
 
@@ -158,18 +158,18 @@ for older and later versions as things don't change drastically that often.
 
   ->do_it is the function called to issue the transfer request. What we call
   the DO action internally. If the DO is not enough and things need to be kept
-  getting done for the entier DO sequence to complete, ->doing is then usually
+  getting done for the entire DO sequence to complete, ->doing is then usually
   also provided. Each protocol that needs to do multiple commands or similar
   for do/doing need to implement their own state machines (see SCP, SFTP,
   FTP). Some protocols (only FTP and only due to historical reasons) has a
   separate piece of the DO state called DO_MORE.
 
-  ->doing keeps getting called while issudeing the transfer request command(s)
+  ->doing keeps getting called while issuing the transfer request command(s)
 
   ->done gets called when the transfer is complete and DONE. That's after the
   main data has been transferred.
 
-  ->do_more gets called doring the DO_MORE state. The FTP protocol uses this
+  ->do_more gets called during the DO_MORE state. The FTP protocol uses this
   state when setting up the second connection.
 
   ->proto_getsock

docs/MAIL-ETIQUETTE

@@ -105,7 +105,7 @@ MAIL ETIQUETTE
   No matter what, we NEVER EVER respond to trolls or spammers on the list. If
   you believe the list admin should do something particular, contact him/her
   off-list. The subject will be taken care of as good as possible to prevent
-  repeated offences, but responding on the list to such messages never lead to
+  repeated offenses, but responding on the list to such messages never lead to
   anything good and only puts the light even more on the offender: which was
   the entire purpose of it getting to the list in the first place.
 

docs/MANUAL

@@ -50,7 +50,7 @@ SIMPLE USAGE
 
   Get the main page from an IPv6 web server:
 
-        curl -g "http://[2001:1890:1112:1::20]/"
+        curl "http://[2001:1890:1112:1::20]/"
 
 DOWNLOAD TO A FILE
 
@@ -956,9 +956,9 @@ IPv6
   When this style is used, the -g option must be given to stop curl from
   interpreting the square brackets as special globbing characters.  Link local
   and site local addresses including a scope identifier, such as fe80::1234%1,
-  may also be used, but the scope portion must be numeric and the percent
-  character must be URL escaped. The previous example in an SFTP URL might
-  look like:
+  may also be used, but the scope portion must be numeric or match an existing
+  network interface on Linux and the percent character must be URL escaped. The
+  previous example in an SFTP URL might look like:
 
     sftp://[fe80::1234%251]/
 

docs/Makefile.am

@@ -5,7 +5,7 @@
 #                            | (__| |_| |  _ <| |___
 #                             \___|\___/|_| \_\_____|
 #
-# Copyright (C) 1998 - 2013, Daniel Stenberg, <daniel@haxx.se>, et al.
+# Copyright (C) 1998 - 2014, Daniel Stenberg, <daniel@haxx.se>, et al.
 #
 # This software is licensed as described in the file COPYING, which
 # you should have received as part of this distribution. The terms
@@ -37,7 +37,8 @@ EXTRA_DIST = MANUAL BUGS CONTRIBUTE FAQ FEATURES INTERNALS SSLCERTS	 \
  README.win32 RESOURCES TODO TheArtOfHttpScripting THANKS VERSIONS	 \
  KNOWN_BUGS BINDINGS $(man_MANS) $(HTMLPAGES) HISTORY INSTALL		 \
  $(PDFPAGES) LICENSE-MIXING README.netware DISTRO-DILEMMA INSTALL.devcpp \
- MAIL-ETIQUETTE HTTP-COOKIES LIBCURL-STRUCTS SECURITY RELEASE-PROCEDURE
+ MAIL-ETIQUETTE HTTP-COOKIES LIBCURL-STRUCTS SECURITY RELEASE-PROCEDURE  \
+ SSL-PROBLEMS
 
 MAN2HTML= roffit < $< >$@
 

docs/README.netware

@@ -10,7 +10,7 @@ README.netware
 
   Curl has been successfully compiled with gcc / nlmconv on different flavours
   of Linux as well as with the official Metrowerks CodeWarrior compiler.
-  While not being the main development target, a continously growing share of
+  While not being the main development target, a continuously growing share of
   curl users are NetWare-based, specially also consuming the lib from PHP.
 
   The unix-style man pages are tricky to read on windows, so therefore are all

docs/SECURITY

@@ -60,7 +60,7 @@ announcement.
 
 - Write a security advisory draft about the problem that explains what the
   problem is, its impact, which versions it affects, solutions or
-  work-arounds, when the release is out and make sure to credit all
+  workarounds, when the release is out and make sure to credit all
   contributors properly.
 
 - Request a CVE number from distros@openwall.org[1] when also informing and
@@ -85,7 +85,7 @@ announcement.
   the same manner we always announce releases. It gets sent to the
   curl-announce, curl-library and curl-users mailing lists.
 
-- The security web page on the web site should get the new vulernability
+- The security web page on the web site should get the new vulnerability
   mentioned.
 
 [1] = http://oss-security.openwall.org/wiki/mailing-lists/distros

docs/SSL-PROBLEMS

@@ -0,0 +1,67 @@
+                                  _   _ ____  _
+                              ___| | | |  _ \| |
+                             / __| | | | |_) | |
+                            | (__| |_| |  _ <| |___
+                             \___|\___/|_| \_\_____|
+
+SSL problems
+
+  First, let's establish that we often refer to TLS and SSL interchangeably as
+  SSL here. The current protocol is called TLS, it was called SSL a long time
+  ago.
+
+  There are several known reasons why a connection that involves SSL might
+  fail. This is a document that attempts to details the most common ones and
+  how to mitigate them.
+
+CA certs
+
+  CA certs are used to digitally verify the server's certificate. You need a
+  "ca bundle" for this. See lots of more details on this in the SSLCERTS
+  document.
+
+CA bundle missing intermediate certificates
+
+  When using said CA bundle to verify a server cert, you will experience
+  problems if your CA cert does not have the certificates for the
+  intermediates in the whole trust chain.
+
+SSL version
+
+  Some broken servers fail to support the protocol negotiation properly that
+  SSL servers are supposed to handle. This may cause the connection to fail
+  completely. Sometimes you may need to explicitly select a SSL version to use
+  when connecting to make the connection succeed.
+
+  An additional complication can be that modern SSL libraries sometimes are
+  built with support for older SSL and TLS versions disabled!
+
+SSL ciphers
+
+  Clients give servers a list of ciphers to select from. If the list doesn't
+  include any ciphers the server wants/can use, the connection handshake
+  fails.
+
+  curl has recently disabled the user of a whole bunch of seriously insecure
+  ciphers from its default set (slightly depending on SSL backend in use).
+
+  You may have to explicitly provide an alternative list of ciphers for curl
+  to use to allow the server to use a WEAK cipher for you.
+
+  Note that these weak ciphers are identified as flawed. For example, this
+  includes symmetric ciphers with less than 128 bit keys and RC4.
+
+  References:
+
+  http://tools.ietf.org/html/draft-popov-tls-prohibiting-rc4-01
+  
+Allow BEAST
+
+  BEAST is the name of a TLS 1.0 attack that surfaced 2011. When adding means
+  to mitigate this attack, it turned out that some broken servers out there in
+  the wild didn't work properly with the BEAST mitigation in place.
+
+  To make such broken servers work, the --ssl-allow-beast option was
+  introduced. Exactly as it sounds, it re-introduces the BEAST vulnerability
+  but on the other hand it allows curl to connect to that kind of strange
+  servers.

docs/SSLCERTS

@@ -110,7 +110,7 @@ Starting with version 7.19.7, libcurl will check for the NSS version it runs,
 and automatically add the 'sql:' prefix to the certdb directory (either the
 hardcoded default /etc/pki/nssdb or the directory configured with SSL_DIR
 environment variable) if version 3.12.0 or later is detected. To check which
-ertdb format your distribution provides, examine the default
+certdb format your distribution provides, examine the default
 certdb location: /etc/pki/nssdb; the new certdb format can be identified by
 the filenames cert9.db, key4.db, pkcs11.txt; filenames of older versions are
 cert8.db, key3.db, modsec.db.

docs/THANKS

@@ -4,11 +4,14 @@
 
  If you have contributed but are missing here, please let us know!
 
+Aaro Koskinen
 Aaron Oneal
 Aaron Orenstein
+Abram Pousada
 Adam D. Moss
 Adam Light
 Adam Piggott
+Adam Sampson
 Adam Tkac
 Adrian Schuur
 Adriano Meirelles
@@ -93,12 +96,14 @@ Arnaud Compan
 Arnaud Ebalard
 Arthur Murray
 Arve Knudsen
+Arvid Norberg
 Ates Goral
 Augustus Saunders
 Avery Fay
 Axel Tillequin
 Balaji Parasuram
 Balint Szilakszi
+Barry Abrahamson
 Bart Whiteley
 Bas Mevissen
 Ben Darnell
@@ -131,6 +136,7 @@ Bogdan Nicula
 Brad Burdick
 Brad Hards
 Brad King
+Brad Spencer
 Bradford Bruce
 Brandon Wang
 Brendan Jurd
@@ -155,6 +161,7 @@ Cedric Deltheil
 Chad Monroe
 Chandrakant Bagul
 Charles Kerr
+Chen Prog
 Chih-Chung Chang
 Chris "Bob Bob"
 Chris Combes
@@ -186,6 +193,7 @@ Clarence Gardner
 Clemens Gruber
 Clifford Wolf
 Cody Jones
+Cody Mack
 Colby Ranger
 Colin Hogben
 Colin Watson
@@ -203,6 +211,7 @@ Cédric Deltheil
 D. Flinkmann
 Dag Ekengren
 Dagobert Michelsen
+Damian Dixon
 Damien Adant
 Dan Becker
 Dan C
@@ -248,11 +257,13 @@ David McCreedy
 David Odin
 David Phillips
 David Rosenstrauch
+David Ryskalczyk
 David Shaw
 David Strauss
 David Tarendash
 David Thiel
 David Walser
+David Woodhouse
 David Wright
 David Yan
 Dengminwen
@@ -260,6 +271,7 @@ Derek Higgins
 Detlef Schmier
 Didier Brisebourg
 Diego Casorran
+Dilyan Palauzov
 Dima Barsky
 Dima Tisnek
 Dimitre Dimitrov
@@ -327,6 +339,7 @@ Eugene Kotlyarov
 Evan Jordan
 Evgeny Turnaev
 Eygene Ryabinkin
+Fabian Frank
 Fabian Hiernaux
 Fabian Keil
 Fabrizio Ammollo
@@ -357,6 +370,7 @@ Gautam Kachroo
 Gautam Mani
 Gavrie Philipson
 Gaz Iqbal
+Gaël Portay
 Geoff Beier
 Georg Horn
 Georg Huettenegger
@@ -378,6 +392,7 @@ Giuseppe Attardi
 Giuseppe D'Ambrosio
 Glen Nakamura
 Glen Scott
+Glenn Sheridan
 Gokhan Sengun
 Gordon Marler
 Gorilla Maguila
@@ -416,6 +431,7 @@ Ho-chi Chen
 Hoi-Ho Chan
 Hongli Lai
 Howard Chu
+Hubert Kario
 Hzhijun
 Ian D Allen
 Ian Ford
@@ -427,6 +443,7 @@ Ignacio Vazquez-Abrams
 Igor Franchuk
 Igor Novoseltsev
 Igor Polyakov
+Iida Yosiaki
 Ilguiz Latypov
 Ilja van Sprundel
 Immanuel Gregoire
@@ -434,6 +451,7 @@ Ingmar Runge
 Ingo Ralf Blum
 Ingo Wilken
 Ishan SinghLevett
+Ivo Bellin Salarin
 Jack Zhang
 Jacky Lam
 Jacob Meuser
@@ -475,6 +493,7 @@ Jean-Marc Ranger
 Jean-Noel Rouvignac
 Jean-Philippe Barrette-LaPierre
 Jeff Connelly
+Jeff Hodges
 Jeff Johnson
 Jeff King
 Jeff Lawson
@@ -484,6 +503,7 @@ Jeff Weber
 Jeffrey Pohlmeyer
 Jeremy Friesner
 Jeremy Huddleston
+Jeroen Koekkoek
 Jerome Muffat-Meridol
 Jerome Vouillon
 Jerry Krinock
@@ -498,6 +518,7 @@ Jim Hollinger
 Jim Meyering
 Jiri Hruska
 Jiri Jaburek
+Jiri Malak
 Jocelyn Jaubert
 Joe Halpin
 Joe Malicki
@@ -529,6 +550,7 @@ Johnny Luong
 Jon Grubbs
 Jon Nelson
 Jon Sargeant
+Jon Torrey
 Jon Travis
 Jon Turner
 Jonas Forsman
@@ -556,6 +578,7 @@ Jun-ichiro itojun Hagino
 Jurij Smakov
 Justin Fletcher
 Justin Karneges
+Justin Maggard
 Jörg Mueller-Tolk
 Jörn Hartroth
 Kai Engert
@@ -600,6 +623,7 @@ Kyle Sallee
 Lachlan O'Dea
 Larry Campbell
 Larry Fahnoe
+Larry Lin
 Lars Buitinck
 Lars Gustafsson
 Lars J. Aas
@@ -610,9 +634,11 @@ Lau Hang Kin
 Laurent Rabret
 Legoff Vincent
 Lehel Bernadt
+Leif W
 Len Krause
 Lenaic Lefever
 Lenny Rachitsky
+Leon Winter
 Liam Healy
 Lijo Antony
 Linas Vepstas
@@ -630,9 +656,12 @@ Ludovico Cavedon
 Lukasz Czekierda
 Luke Amery
 Luke Call
+Luke Dashjr
 Luong Dinh Dung
 Maciej Karpiuk
+Maciej Puzio
 Maciej W. Rozycki
+Maks Naumov
 Mamoru Tasaka
 Mandy Wu
 Manfred Schwarb
@@ -730,6 +759,7 @@ Mike Bytnar
 Mike Crowe
 Mike Dobbs
 Mike Giancola
+Mike Hasselberg
 Mike Hommey
 Mike Mio
 Mike Power
@@ -738,6 +768,7 @@ Mike Revi
 Miklos Nemeth
 Mitz Wark
 Mohamed Lrhazi
+Mohammad AlSaleh
 Mohun Biswas
 Moonesamy
 Myk Taylor
@@ -784,6 +815,7 @@ Oscar Koeroo
 Oscar Norlander
 P R Schaffner
 Paolo Piacentini
+Paras Sethia
 Pascal Terjan
 Pasha Kuznetsov
 Pat Ray
@@ -793,6 +825,7 @@ Patrick Bihan-Faou
 Patrick Monnerat
 Patrick Scott
 Patrick Smith
+Patrick Watson
 Patrik Thunstrom
 Pau Garcia i Quiles
 Paul Donohue
@@ -828,6 +861,7 @@ Peter Verhas
 Peter Wullinger
 Peteris Krumins
 Petr Bahula
+Petr Novak
 Petr Pisar
 Phil Blundell
 Phil Karn
@@ -846,10 +880,13 @@ Pierre Joye
 Pierre Ynard
 Pooyan McSporran
 Pramod Sharma
+Prash Dush
+Priyanka Shah
 Puneet Pawaia
 Quagmire
 Quanah Gibson-Mount
 Quinn Slack
+Radu Simionescu
 Rafa Muyo
 Rafael Sagula
 Rainer Canavan
@@ -865,6 +902,7 @@ Ravi Pratap
 Ray Dassen
 Ray Pekowski
 Reinout van Schouwen
+Remi Gacogne
 Renato Botelho
 Renaud Chaillat
 Renaud Duhaut
@@ -888,6 +926,7 @@ Richard Silverman
 Rick Jones
 Rick Richardson
 Rob Crittenden
+Rob Davies
 Rob Jones
 Rob Stanzel
 Rob Ward
@@ -919,6 +958,7 @@ Roy Shan
 Rune Kleveland
 Ruslan Gazizov
 Rutger Hofman
+Ryan Braud
 Ryan Chan
 Ryan Nelson
 Ryan Schmidt
@@ -952,6 +992,7 @@ Sergey Tatarincev
 Sergio Ballestrero
 Seshubabu Pasam
 Sh Diao
+Shao Shuchao
 Sharad Gupta
 Shard
 Shawn Landden
@@ -1005,12 +1046,15 @@ Taneli Vahakangas
 Tanguy Fautre
 Tatsuhiro Tsujikawa
 Temprimus
+Thomas Braun
 Thomas J. Moore
 Thomas Klausner
 Thomas L. Shinnick
 Thomas Lopatic
 Thomas Schwinge
 Thomas Tonino
+Tiit Pikma
+Till Maas
 Tim Ansell
 Tim Baker
 Tim Bartley
@@ -1022,6 +1066,7 @@ Tim Newsome
 Tim Sneddon
 Timo Sirainen
 Tinus van den Berg
+Tobias Markus
 Tobias Rundström
 Toby Peterson
 Todd A Ouska
@@ -1036,6 +1081,7 @@ Tom Mattison
 Tom Moers
 Tom Mueller
 Tom Regner
+Tom Sparrow
 Tom Wright
 Tom Zerucha
 Tomas Hoger
@@ -1057,13 +1103,16 @@ Troels Walsted Hansen
 Troy Engel
 Tupone Alfredo
 Tyler Hall
+Török Edwin
 Ulf Härnhammar
 Ulf Samuelsson
 Ulrich Doehner
 Ulrich Zadow
 Venkat Akella
 Victor Snezhko
+Vijay Panghal
 Vikram Saxena
+Viktor Szakáts
 Vilmos Nebehaj
 Vincent Bronner
 Vincent Le Normand
@@ -1095,8 +1144,10 @@ Yaakov Selkowitz
 Yamada Yasuharu
 Yang Tse
 Yarram Sunil
+Yehezkel Horowitz
 Yehoshua Hershberg
 Yi Huang
+Yingwei Liu
 Yukihiro Kawada
 Yuriy Sosov
 Yves Arrouye

docs/TODO

@@ -17,7 +17,7 @@
  1.4 signal-based resolver timeouts
  1.5 get rid of PATH_MAX
  1.6 Modified buffer size approach
- 1.7 Detect when called from witin callbacks
+ 1.7 Detect when called from within callbacks
  1.8 Allow SSL (HTTPS) to proxy
 
  2. libcurl - multi interface
@@ -25,7 +25,7 @@
  2.2 Fix HTTP Pipelining for PUT
 
  3. Documentation
- 3.1  More and better
+ 3.1 Update date and version in man pages
 
  4. FTP
  4.1 HOST
@@ -38,7 +38,7 @@
  5.1 Better persistency for HTTP 1.0
  5.2 support FF3 sqlite cookie files
  5.3 Rearrange request header order
- 5.4 HTTP2/SPDY
+ 5.4 SPDY
  5.5 auth= in URLs
 
  6. TELNET
@@ -87,9 +87,7 @@
  15.3 prevent file overwriting
  15.4 simultaneous parallel transfers
  15.5 provide formpost headers
- 15.6 url-specific options
- 15.7 warning when setting an option
- 15.8 IPv6 addresses with globbing
+ 15.6 warning when setting an option
 
  16. Build
  16.1 roffit
@@ -99,9 +97,10 @@
  17.2 nicer lacking perl message
  17.3 more protocols supported
  17.4 more platforms supported
+ 17.5 Add support for concurrent connections
 
  18. Next SONAME bump
- 18.1 http-style HEAD output for ftp
+ 18.1 http-style HEAD output for FTP
  18.2 combine error codes
  18.3 extend CURLOPT_SOCKOPTFUNCTION prototype
 
@@ -175,7 +174,7 @@
  Dynamically allocate buffer size depending on protocol in use in combination
  with freeing it after each individual transfer? Other suggestions?
 
-1.7 Detect when called from witin callbacks
+1.7 Detect when called from within callbacks
 
  We should set a state variable before calling callbacks, so that we
  subsequently can add code within libcurl that returns error if called within
@@ -187,6 +186,8 @@
  by Chrome already:
  http://www.chromium.org/developers/design-documents/secure-web-proxy
 
+ ...and by Firefox soon:
+ https://bugzilla.mozilla.org/show_bug.cgi?id=378637
 
 2. libcurl - multi interface
 
@@ -212,18 +213,20 @@
 
 3. Documentation
 
-3.1  More and better
+3.1 Update date and version in man pages
 
- Exactly
+ 'maketgz' or another suitable script could update the .TH sections of the man
+ pages at release time to use the current date and curl/libcurl version
+ number.
 
 4. FTP
 
 4.1 HOST
 
- HOST is a suggested command in the works for a client to tell which host name
- to use, to offer FTP servers named-based virtual hosting:
+ HOST is a command for a client to tell which host name to use, to offer FTP
+ servers named-based virtual hosting:
 
- http://tools.ietf.org/html/draft-hethmon-mcmurray-ftp-hosts-11
+ http://tools.ietf.org/html/rfc7151
 
 4.2 Alter passive/active on failure and retry
 
@@ -234,7 +237,7 @@
 
 4.3 Earlier bad letter detection
 
- Make the detection of (bad) %0d and %0a codes in FTP url parts earlier in the
+ Make the detection of (bad) %0d and %0a codes in FTP URL parts earlier in the
  process to avoid doing a resolve and connect in vain.
 
 4.4 REST for large files
@@ -273,23 +276,13 @@
  headers use a default value so only headers that need to be moved have to be
  specified.
 
-5.4 HTTP2/SPDY
+5.4 SPDY
 
- The first drafts for HTTP2 have been published
- (http://tools.ietf.org/html/draft-ietf-httpbis-http2-03) and is so far based
- on SPDY (http://www.chromium.org/spdy) designs and experiences. Chances are
- it will end up in that style. Chrome and Firefox already support SPDY and
- lots of web services do.
+ Chrome and Firefox already support SPDY and lots of web services do. There's
+ a library for us to use for this (spdylay) that has a similar API and the
+ same author as nghttp2.
 
- It would make sense to implement SPDY support now and later transition into
- or add HTTP2 support as well.
-
- We should base or HTTP2/SPDY work on a 3rd party library for the protocol
- fiddling. The Spindy library (http://spindly.haxx.se/) was an attempt to make
- such a library with an API suitable for use by libcurl but that effort has
- more or less stalled.  spdylay (https://github.com/tatsuhiro-t/spdylay) may
- be a better option, either used directly or wrapped with a more spindly-like
- API.
+ spdylay: https://github.com/tatsuhiro-t/spdylay
 
 5.5 auth= in URLs
 
@@ -298,7 +291,7 @@
 
  For example:
 
- http://test:pass;auth=NTLM@example.com would be equivalent to specifing --user
+ http://test:pass;auth=NTLM@example.com would be equivalent to specifying --user
  test:pass;auth=NTLM or --user test:pass --ntlm from the command line. 
 
  Additionally this should be implemented for proxy base URLs as well.
@@ -363,7 +356,7 @@ to provide the data to send.
  Currently the LDAP module only supports ldap_simple_bind_s() in order to bind
  to an LDAP server. However, this function sends username and password details
  using the simple authentication mechanism (as clear text). However, it should
- be possible to use ldap_bind_s() instead specifing the security context
+ be possible to use ldap_bind_s() instead specifying the security context
  information ourselves.
 
 11. New protocols
@@ -394,7 +387,7 @@ to provide the data to send.
 12.4 Cache OpenSSL contexts
 
  "Look at SSL cafile - quick traces look to me like these are done on every
- request as well, when they should only be necessary once per ssl context (or
+ request as well, when they should only be necessary once per SSL context (or
  once per handle)". The major improvement we can rather easily do is to make
  sure we don't create and kill a new SSL "context" for every request, but
  instead make one for every connection and re-use that SSL context in the same
@@ -494,33 +487,12 @@ to provide the data to send.
  which should overwrite the program reasonable defaults (plain/text,
  8bit...)
 
-15.6 url-specific options
-
- Provide a way to make options bound to a specific URL among several on the
- command line. Possibly by letting ':' separate options between URLs,
- similar to this:
-
-    curl --data foo --url url.com : \
-        --url url2.com : \
-        --url url3.com --data foo3
-
- (More details: http://curl.haxx.se/mail/archive-2004-07/0133.html)
-
- The example would do a POST-GET-POST combination on a single command line.
-
-15.7 warning when setting an option
+15.6 warning when setting an option
 
   Display a warning when libcurl returns an error when setting an option.
   This can be useful to tell when support for a particular feature hasn't been
   compiled into the library.
 
-15.8 IPv6 addresses with globbing
-
-  Currently the command line client needs to get url globbing disabled (with
-  -g) for it to support IPv6 numerical addresses. This is a rather silly flaw
-  that should be corrected. It probably involves a smarter detection of the
-  '[' and ']' letters.
-
 16. Build
 
 16.1 roffit
@@ -543,7 +515,7 @@ to provide the data to send.
 
 17.3 more protocols supported
 
- Extend the test suite to include more protocols. The telnet could just do ftp
+ Extend the test suite to include more protocols. The telnet could just do FTP
  or http operations (for which we have test servers).
 
 17.4 more platforms supported
@@ -551,12 +523,26 @@ to provide the data to send.
  Make the test suite work on more platforms. OpenBSD and Mac OS. Remove
  fork()s and it should become even more portable.
 
+17.5 Add support for concurrent connections
+
+ Tests 836, 882 and 938 were designed to verify that separate connections aren't
+ used when using different login credentials in protocols that shouldn't re-use
+ a connection under such circumstances.
+
+ Unfortunately, ftpserver.pl doesn't appear to support multiple concurrent
+ connections. The read while() loop seems to loop until it receives a disconnect
+ from the client, where it then enters the waiting for connections loop. When
+ the client opens a second connection to the server, the first connection hasn't
+ been dropped (unless it has been forced - which we shouldn't do in these tests)
+ and thus the wait for connections loop is never entered to receive the second
+ connection.
+
 18. Next SONAME bump
 
-18.1 http-style HEAD output for ftp
+18.1 http-style HEAD output for FTP
 
  #undef CURL_FTP_HTTPSTYLE_HEAD in lib/ftp.c to remove the HTTP-style headers
- from being output in NOBODY requests over ftp
+ from being output in NOBODY requests over FTP
 
 18.2 combine error codes
 
@@ -590,7 +576,7 @@ to provide the data to send.
  for applications to differentiate on TCP vs UDP and even HTTP vs FTP and
  similar.
 
-10. Next major release
+19. Next major release
 
 19.1 cleanup return codes
 
@@ -654,7 +640,7 @@ to provide the data to send.
  but instead often restricts how the form functions can or can't be modified.
 
  Changing them to return a private handle will benefit the implementation and
- allow us much greater freedoms while still maintining a solid API and ABI.
+ allow us much greater freedoms while still maintaining a solid API and ABI.
 
 19.9 have form functions use CURL handle argument
 
@@ -668,7 +654,7 @@ to provide the data to send.
 
  Rather than use the URL to specify the mail client string to present in the
  HELO and EHLO commands, libcurl should support a new CURLOPT specifically for
- specifing this data as the URL is non-standard and to be honest a bit of a
+ specifying this data as the URL is non-standard and to be honest a bit of a
  hack ;-)
 
  Please see the following thread for more information:

docs/TheArtOfHttpScripting

@@ -171,7 +171,7 @@ The Art Of Scripting HTTP Requests Using Curl
  2.4 User name and password
 
  Some services are setup to require HTTP authentication and then you need to
- provide name and password which then is transfered to the remote site in
+ provide name and password which then is transferred to the remote site in
  various ways depending on the exact authentication protocol used.
 
  You can opt to either insert the user and password in the URL or you can
@@ -520,7 +520,7 @@ The Art Of Scripting HTTP Requests Using Curl
 
  Curl has a full blown cookie parsing engine built-in that comes to use if you
  want to reconnect to a server and use cookies that were stored from a
- previous connection (or handicrafted manually to fool the server into
+ previous connection (or hand-crafted manually to fool the server into
  believing you had a previous connection). To use previously stored cookies,
  you run curl like:
 
@@ -645,7 +645,7 @@ The Art Of Scripting HTTP Requests Using Curl
  sometimes they use such code to set or modify cookie contents. Possibly they
  do that to prevent programmed logins, like this manual describes how to...
  Anyway, if reading the code isn't enough to let you repeat the behavior
- manually, capturing the HTTP requests done by your browers and analyzing the
+ manually, capturing the HTTP requests done by your browsers and analyzing the
  sent cookies is usually a working method to work out how to shortcut the
  javascript need.
 

docs/curl.1

@@ -5,7 +5,7 @@
 .\" *                            | (__| |_| |  _ <| |___
 .\" *                             \___|\___/|_| \_\_____|
 .\" *
-.\" * Copyright (C) 1998 - 2013, Daniel Stenberg, <daniel@haxx.se>, et al.
+.\" * Copyright (C) 1998 - 2014, Daniel Stenberg, <daniel@haxx.se>, et al.
 .\" *
 .\" * This software is licensed as described in the file COPYING, which
 .\" * you should have received as part of this distribution. The terms
@@ -124,18 +124,38 @@ same command line option.)
 .IP "-#, --progress-bar"
 Make curl display progress as a simple progress bar instead of the standard,
 more informational, meter.
+.IP "-:, --next"
+Tells curl to use a separate operation for the following URL and associated
+options. This allows you to send several URL requests, each with their own
+specific options, for example, such as different user names or custom requests
+for each. (Added in 7.36.0)
 .IP "-0, --http1.0"
 (HTTP) Tells curl to use HTTP version 1.0 instead of using its internally
 preferred: HTTP 1.1.
 .IP "--http1.1"
 (HTTP) Tells curl to use HTTP version 1.1. This is the internal default
 version. (Added in 7.33.0)
-.IP "--http2.0"
-(HTTP) Tells curl to issue its requests using HTTP 2.0. This requires that the
+.IP "--http2"
+(HTTP) Tells curl to issue its requests using HTTP 2. This requires that the
 underlying libcurl was built to support it. (Added in 7.33.0)
+.IP "--no-npn"
+Disable the NPN TLS extension. NPN is enabled by default if libcurl was built
+with an SSL library that supports NPN. NPN is used by a libcurl that supports
+HTTP 2 to negotiate HTTP 2 support with the server during https sessions.
+
+(Added in 7.36.0)
+.IP "--no-alpn"
+Disable the ALPN TLS extension. ALPN is enabled by default if libcurl was built
+with an SSL library that supports ALPN. ALPN is used by a libcurl that supports
+HTTP 2 to negotiate HTTP 2 support with the server during https sessions.
+
+(Added in 7.36.0)
 .IP "-1, --tlsv1"
 (SSL)
-Forces curl to use TLS version 1 when negotiating with a remote TLS server.
+Forces curl to use TLS version 1.x when negotiating with a remote TLS server.
+You can use options \fI--tlsv1.0\fP, \fI--tlsv1.1\fP, and \fI--tlsv1.2\fP to
+control the TLS version more precisely (if the SSL backend in use supports such
+a level of control).
 .IP "-2, --sslv2"
 (SSL)
 Forces curl to use SSL version 2 when negotiating with a remote SSL server.
@@ -422,7 +442,7 @@ This option requires that libcurl was built with a resolver backend that
 supports this operation. The c-ares backend is the only such one.  (Added in
 7.33.0)
 .IP "-e, --referer <URL>"
-(HTTP) Sends the "Referer Page" information to the HTTP server. This can also
+(HTTP) Sends the "Referrer Page" information to the HTTP server. This can also
 be set with the \fI-H, --header\fP flag of course.  When used with
 \fI-L, --location\fP you can append ";auto" to the --referer URL to make curl
 automatically set the previous URL when it follows a Location: header. The
@@ -658,16 +678,16 @@ If this option is used several times, only the first one is used. This is
 because undoing a GET doesn't make sense, but you should then instead enforce
 the alternative method you prefer.
 .IP "-H, --header <header>"
-(HTTP) Extra header to use when getting a web page. You may specify any number
-of extra headers. Note that if you should add a custom header that has the
-same name as one of the internal ones curl would use, your externally set
-header will be used instead of the internal one. This allows you to make even
-trickier stuff than curl would normally do. You should not replace internally
-set headers without knowing perfectly well what you're doing. Remove an
-internal header by giving a replacement without content on the right side of
-the colon, as in: -H \&"Host:". If you send the custom header with no-value
-then its header must be terminated with a semicolon, such as \-H
-\&"X-Custom-Header;" to send "X-Custom-Header:".
+(HTTP) Extra header to include in the request when sending HTTP to a
+server. You may specify any number of extra headers. Note that if you should
+add a custom header that has the same name as one of the internal ones curl
+would use, your externally set header will be used instead of the internal
+one. This allows you to make even trickier stuff than curl would normally
+do. You should not replace internally set headers without knowing perfectly
+well what you're doing. Remove an internal header by giving a replacement
+without content on the right side of the colon, as in: -H \&"Host:". If you
+send the custom header with no-value then its header must be terminated with a
+semicolon, such as \-H \&"X-Custom-Header;" to send "X-Custom-Header:".
 
 curl will make sure that each header you add/replace is sent with the proper
 end-of-line marker, you should thus \fBnot\fP add that as a part of the header
@@ -676,6 +696,9 @@ for you.
 
 See also the \fI-A, --user-agent\fP and \fI-e, --referer\fP options.
 
+Starting in 7.37.0, you need \fI--proxy-header\fP to send custom headers
+intended for a proxy.
+
 This option can be used multiple times to add/replace/remove multiple headers.
 .IP "--hostpubmd5 <md5>"
 (SCP/SFTP) Pass a string containing 32 hexadecimal digits. The string should
@@ -887,6 +910,16 @@ values, but the actual timeout will decrease in accuracy as the specified
 timeout increases in decimal precision.  See also the \fI--connect-timeout\fP
 option.
 
+If this option is used several times, the last one will be used.
+.IP "--login-options <options>"
+Specify the login options to use during server authentication.
+
+You can use the login options to specify protocol specific options that may
+be used during authentication. At present only IMAP, POP3 and SMTP support
+login options. For more information about the login options please see
+RFC 2384, RFC 5092 and IETF draft draft-earhart-url-smtp-00.txt (Added in
+7.34.0).
+
 If this option is used several times, the last one will be used.
 .IP "--mail-auth <address>"
 (SMTP) Specify a single address. This will be used to specify the
@@ -1087,6 +1120,24 @@ is used in conjunction with the user name which can be specified as part of the
 The Bearer Token and user name are formatted according to RFC 6750.
 
 If this option is used several times, the last one will be used.
+.IP "--proxy-header <header>"
+(HTTP) Extra header to include in the request when sending HTTP to a
+proxy. You may specify any number of extra headers. This is the equivalent
+option to \fI-H, --header\fP but is for proxy communication only like in
+CONNECT requests when you want a separate header sent to the proxy to what is
+sent to the actual remote host.
+
+curl will make sure that each header you add/replace is sent with the proper
+end-of-line marker, you should thus \fBnot\fP add that as a part of the header
+content: do not add newlines or carriage returns, they will only mess things
+up for you.
+
+Headers specified with this option will not be included in requests that curl
+knows will not be sent to a proxy.
+
+This option can be used multiple times to add/replace/remove multiple headers.
+
+(Added in 7.37.0)
 .IP "-p, --proxytunnel"
 When an HTTP proxy is used (\fI-x, --proxy\fP), this option will cause non-HTTP
 protocols to attempt to tunnel through the proxy instead of merely using it to
@@ -1404,7 +1455,7 @@ option name can still be used but will be removed in a future version.
 .IP "--ssl-allow-beast"
 (SSL) This option tells curl to not work around a security flaw in the SSL3
 and TLS1.0 protocols known as BEAST.  If this option isn't used, the SSL layer
-may use work-arounds known to cause interoperability problems with some older
+may use workarounds known to cause interoperability problems with some older
 SSL implementations. WARNING: this option loosens the SSL security, and by
 using this flag you ask for exactly that.  (Added in 7.25.0)
 .IP "--socks4 <host[:port]>"
@@ -1572,23 +1623,15 @@ If this option is used several times, the last one will be used.
 .IP "--trace-time"
 Prepends a time stamp to each trace or verbose line that curl displays.
 (Added in 7.14.0)
-.IP "-u, --user <user:password;options>"
-Specify the user name, password and optional login options to use for server
-authentication. Overrides \fI-n, --netrc\fP and \fI--netrc-optional\fP.
+.IP "-u, --user <user:password>"
+Specify the user name and password to use for server authentication. Overrides
+\fI-n, --netrc\fP and \fI--netrc-optional\fP.
 
-If you simply specify the user name, with or without the login options, curl
-will prompt for a password.
+If you simply specify the user name, curl will prompt for a password.
 
 If you use an SSPI-enabled curl binary and perform NTLM authentication, you
 can force curl to select the user name and password from your environment by
-simply specifying a single colon with this option: "-u :" or by specfying the
-login options on their own, for example "-u ;auth=NTLM".
-
-You can use the optional login options part to specify protocol specific
-options that may be used during authentication. At present only IMAP, POP3 and
-SMTP support login options as part of the user login information. For more
-information about the login options please see RFC 2384, RFC 5092 and IETF
-draft draft-earhart-url-smtp-00.txt (Added in 7.31.0). 
+specifying a single colon with this option: "-u :".
 
 If this option is used several times, the last one will be used.
 .IP "-U, --proxy-user <user:password>"
@@ -1803,7 +1846,7 @@ Specifies a custom POP3 command to use instead of LIST or RETR. (Added in
 7.26.0)
 
 (IMAP)
-Specifies a custom IMAP command to use insead of LIST. (Added in 7.30.0)
+Specifies a custom IMAP command to use instead of LIST. (Added in 7.30.0)
 
 (SMTP)
 Specifies a custom SMTP command to use instead of HELP or VRFY. (Added in 7.34.0)

docs/examples/.gitignore

@@ -20,15 +20,39 @@ httpcustomheader
 httpput
 https
 imap
+imap-append
+imap-copy
+imap-create
+imap-delete
+imap-examine
+imap-fetch
+imap-list
+imap-multi
+imap-noop
+imap-search
+imap-ssl
+imap-store
+imap-tls
 multi-app
 multi-debugcallback
 multi-double
 multi-post
 multi-single
 persistant
+pop3-dele
+pop3-list
+pop3-multi
+pop3-noop
+pop3-retr
+pop3-ssl
+pop3-stat
+pop3-tls
+pop3-top
+pop3-uidl
 pop3s
 pop3slist
 post-callback
+postinmemory
 postit2
 progressfunc
 resolve
@@ -40,8 +64,12 @@ simple
 simplepost
 simplesmtp
 simplessl
+smtp-expn
+smtp-mail
 smtp-multi
+smtp-ssl
 smtp-tls
+smtp-vrfy
 url2file
 usercertinmem
 xmlstream

docs/examples/Makefile.inc

@@ -7,9 +7,9 @@ check_PROGRAMS = 10-at-a-time anyauthput cookie_interface debug fileupload \
   smtp-mail smtp-multi smtp-ssl smtp-tls smtp-vrfy smtp-expn rtsp \
   externalsocket resolve progressfunc pop3-retr pop3-list pop3-uidl pop3-dele \
   pop3-top pop3-stat pop3-noop pop3-ssl pop3-tls pop3-multi imap-list \
-  imap-fetch imap-store imap-append imap-examine imap-search imap-create \
-  imap-delete imap-copy imap-noop imap-ssl imap-tls imap-multi url2file \
-  sftpget ftpsget postinmemory
+  imap-lsub imap-fetch imap-store imap-append imap-examine imap-search \
+  imap-create imap-delete imap-copy imap-noop imap-ssl imap-tls imap-multi \
+  url2file sftpget ftpsget postinmemory
 
 # These examples require external dependencies that may not be commonly
 # available on POSIX systems, so don't bother attempting to compile them here.

docs/examples/cacertinmem.c

@@ -5,7 +5,7 @@
  *                            | (__| |_| |  _ <| |___
  *                             \___|\___/|_| \_\_____|
  *
- * Copyright (C) 1998 - 2011, Daniel Stenberg, <daniel@haxx.se>, et al.
+ * Copyright (C) 1998 - 2014, Daniel Stenberg, <daniel@haxx.se>, et al.
  *
  * This software is licensed as described in the file COPYING, which
  * you should have received as part of this distribution. The terms
@@ -103,6 +103,10 @@ static CURLcode sslctx_function(CURL * curl, void * sslctx, void * parm)
   if (X509_STORE_add_cert(store, cert)==0)
     printf("error adding certificate\n");
 
+  /* decrease reference counts */
+  X509_free(cert);
+  BIO_free(bio);
+
   /* all set to go */
   return CURLE_OK ;
 }

docs/examples/evhiperfifo.c

@@ -5,7 +5,7 @@
  *                            | (__| |_| |  _ <| |___
  *                             \___|\___/|_| \_\_____|
  *
- * Copyright (C) 1998 - 2012, Daniel Stenberg, <daniel@haxx.se>, et al.
+ * Copyright (C) 1998 - 2014, Daniel Stenberg, <daniel@haxx.se>, et al.
  *
  * This software is licensed as described in the file COPYING, which
  * you should have received as part of this distribution. The terms
@@ -133,7 +133,6 @@ static void mcode_or_die(const char *where, CURLMcode code)
     const char *s;
     switch ( code )
     {
-    case CURLM_CALL_MULTI_PERFORM: s="CURLM_CALL_MULTI_PERFORM"; break;
     case CURLM_BAD_HANDLE:         s="CURLM_BAD_HANDLE";         break;
     case CURLM_BAD_EASY_HANDLE:    s="CURLM_BAD_EASY_HANDLE";    break;
     case CURLM_OUT_OF_MEMORY:      s="CURLM_OUT_OF_MEMORY";      break;

docs/examples/ghiper.c

@@ -5,7 +5,7 @@
  *                            | (__| |_| |  _ <| |___
  *                             \___|\___/|_| \_\_____|
  *
- * Copyright (C) 1998 - 2011, Daniel Stenberg, <daniel@haxx.se>, et al.
+ * Copyright (C) 1998 - 2014, Daniel Stenberg, <daniel@haxx.se>, et al.
  *
  * This software is licensed as described in the file COPYING, which
  * you should have received as part of this distribution. The terms
@@ -104,7 +104,6 @@ static void mcode_or_die(const char *where, CURLMcode code) {
   if ( CURLM_OK != code ) {
     const char *s;
     switch (code) {
-      case     CURLM_CALL_MULTI_PERFORM: s="CURLM_CALL_MULTI_PERFORM"; break;
       case     CURLM_BAD_HANDLE:         s="CURLM_BAD_HANDLE";         break;
       case     CURLM_BAD_EASY_HANDLE:    s="CURLM_BAD_EASY_HANDLE";    break;
       case     CURLM_OUT_OF_MEMORY:      s="CURLM_OUT_OF_MEMORY";      break;

docs/examples/hiperfifo.c

@@ -5,7 +5,7 @@
  *                            | (__| |_| |  _ <| |___
  *                             \___|\___/|_| \_\_____|
  *
- * Copyright (C) 1998 - 2013, Daniel Stenberg, <daniel@haxx.se>, et al.
+ * Copyright (C) 1998 - 2014, Daniel Stenberg, <daniel@haxx.se>, et al.
  *
  * This software is licensed as described in the file COPYING, which
  * you should have received as part of this distribution. The terms
@@ -125,7 +125,6 @@ static void mcode_or_die(const char *where, CURLMcode code)
   if ( CURLM_OK != code ) {
     const char *s;
     switch (code) {
-      case     CURLM_CALL_MULTI_PERFORM: s="CURLM_CALL_MULTI_PERFORM"; break;
       case     CURLM_BAD_HANDLE:         s="CURLM_BAD_HANDLE";         break;
       case     CURLM_BAD_EASY_HANDLE:    s="CURLM_BAD_EASY_HANDLE";    break;
       case     CURLM_OUT_OF_MEMORY:      s="CURLM_OUT_OF_MEMORY";      break;

docs/examples/imap-append.c

@@ -20,6 +20,7 @@
  *
  ***************************************************************************/
 #include <stdio.h>
+#include <string.h>
 #include <curl/curl.h>
 
 /* This is a simple example showing how to send mail using libcurl's IMAP

docs/examples/imap-lsub.c

@@ -0,0 +1,62 @@
+/***************************************************************************
+ *                                  _   _ ____  _
+ *  Project                     ___| | | |  _ \| |
+ *                             / __| | | | |_) | |
+ *                            | (__| |_| |  _ <| |___
+ *                             \___|\___/|_| \_\_____|
+ *
+ * Copyright (C) 1998 - 2014, Daniel Stenberg, <daniel@haxx.se>, et al.
+ *
+ * This software is licensed as described in the file COPYING, which
+ * you should have received as part of this distribution. The terms
+ * are also available at http://curl.haxx.se/docs/copyright.html.
+ *
+ * You may opt to use, copy, modify, merge, publish, distribute and/or sell
+ * copies of the Software, and permit persons to whom the Software is
+ * furnished to do so, under the terms of the COPYING file.
+ *
+ * This software is distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY
+ * KIND, either express or implied.
+ *
+ ***************************************************************************/
+#include <stdio.h>
+#include <curl/curl.h>
+
+/* This is a simple example showing how to list the subscribed folders within
+ * an IMAP mailbox.
+ *
+ * Note that this example requires libcurl 7.30.0 or above.
+ */
+
+int main(void)
+{
+  CURL *curl;
+  CURLcode res = CURLE_OK;
+
+  curl = curl_easy_init();
+  if(curl) {
+    /* Set username and password */
+    curl_easy_setopt(curl, CURLOPT_USERNAME, "user");
+    curl_easy_setopt(curl, CURLOPT_PASSWORD, "secret");
+
+    /* This is just the server URL */
+    curl_easy_setopt(curl, CURLOPT_URL, "imap://imap.example.com");
+
+    /* Set the LSUB command. Note the syntax is very similar to that of a LIST
+       command. */
+    curl_easy_setopt(curl, CURLOPT_CUSTOMREQUEST, "LSUB \"\" *");
+
+    /* Perform the custom request */
+    res = curl_easy_perform(curl);
+
+    /* Check for errors */
+    if(res != CURLE_OK)
+      fprintf(stderr, "curl_easy_perform() failed: %s\n",
+              curl_easy_strerror(res));
+
+    /* Always cleanup */
+    curl_easy_cleanup(curl);
+  }
+
+  return (int)res;
+}

docs/libcurl/curl_easy_getinfo.3

@@ -5,7 +5,7 @@
 .\" *                            | (__| |_| |  _ <| |___
 .\" *                             \___|\___/|_| \_\_____|
 .\" *
-.\" * Copyright (C) 1998 - 2013, Daniel Stenberg, <daniel@haxx.se>, et al.
+.\" * Copyright (C) 1998 - 2014, Daniel Stenberg, <daniel@haxx.se>, et al.
 .\" *
 .\" * This software is licensed as described in the file COPYING, which
 .\" * you should have received as part of this distribution. The terms
@@ -109,7 +109,9 @@ uploaded.
 .IP CURLINFO_SIZE_DOWNLOAD
 Pass a pointer to a double to receive the total amount of bytes that were
 downloaded. The amount is only for the latest transfer and will be reset again
-for each new transfer.
+for each new transfer. This counts actual payload data, what's also commonly
+called body. All meta and header data are excluded and will not be counted in
+this number.
 .IP CURLINFO_SPEED_DOWNLOAD
 Pass a pointer to a double to receive the average download speed that curl
 measured for the complete download. Measured in bytes/second.

docs/libcurl/curl_easy_perform.3

@@ -5,7 +5,7 @@
 .\" *                            | (__| |_| |  _ <| |___
 .\" *                             \___|\___/|_| \_\_____|
 .\" *
-.\" * Copyright (C) 1998 - 2011, Daniel Stenberg, <daniel@haxx.se>, et al.
+.\" * Copyright (C) 1998 - 2014, Daniel Stenberg, <daniel@haxx.se>, et al.
 .\" *
 .\" * This software is licensed as described in the file COPYING, which
 .\" * you should have received as part of this distribution. The terms
@@ -25,33 +25,41 @@ curl_easy_perform - Perform a file transfer
 .SH SYNOPSIS
 .B #include <curl/curl.h>
 .sp
-.BI "CURLcode curl_easy_perform(CURL *" handle ");"
+.BI "CURLcode curl_easy_perform(CURL *" easy_handle ");"
 .ad
 .SH DESCRIPTION
-This function is called after the init and all the \fIcurl_easy_setopt(3)\fP
-calls are made, and will perform the transfer as described in the options.  It
-must be called with the same
-.I handle
-as input as the curl_easy_init call returned.
+Invoke this function after \fIcurl_easy_init(3)\fP and all the
+\fIcurl_easy_setopt(3)\fP calls are made, and will perform the transfer as
+described in the options. It must be called with the same \fBeasy_handle\fP as
+input as the \fIcurl_easy_init(3)\fP call returned.
+
+\fIcurl_easy_perform(3)\fP performs the entire request in a blocking manner
+and returns when done, or if it failed. For non-blocking behavior, see
+\fIcurl_multi_perform(3)\fP.
 
 You can do any amount of calls to \fIcurl_easy_perform(3)\fP while using the
-same handle. If you intend to transfer more than one file, you are even
-encouraged to do so. libcurl will then attempt to re-use the same connection
-for the following transfers, thus making the operations faster, less CPU
-intense and using less network resources. Just note that you will have to use
-\fIcurl_easy_setopt(3)\fP between the invokes to set options for the following
-curl_easy_perform.
+same \fBeasy_handle\fP. If you intend to transfer more than one file, you are
+even encouraged to do so. libcurl will then attempt to re-use the same
+connection for the following transfers, thus making the operations faster,
+less CPU intense and using less network resources. Just note that you will
+have to use \fIcurl_easy_setopt(3)\fP between the invokes to set options for
+the following curl_easy_perform.
 
 You must never call this function simultaneously from two places using the
-same handle. Let the function return first before invoking it another time. If
-you want parallel transfers, you must use several curl handles.
+same \fBeasy_handle\fP. Let the function return first before invoking it
+another time. If you want parallel transfers, you must use several curl
+easy_handles.
+
+While the \fBeasy_handle\fP is added to a multi handle, it cannot be used by
+\fIcurl_easy_perform(3)\fP.
 .SH RETURN VALUE
-0 means everything was ok, non-zero means an error occurred as
+CURLE_OK (0) means everything was ok, non-zero means an error occurred as
 .I <curl/curl.h>
-defines. If the CURLOPT_ERRORBUFFER was set with
-.I curl_easy_setopt
-there will be a readable error message in the error buffer when non-zero is
-returned.
+defines - see \fIlibcurl-errors(3)\fP. If the \fBCURLOPT_ERRORBUFFER\fP was
+set with \fIcurl_easy_setopt(3)\fP there will be a readable error message in
+the error buffer when non-zero is returned.
 .SH "SEE ALSO"
 .BR curl_easy_init "(3), " curl_easy_setopt "(3), "
+.BR curl_multi_add_handle "(3), " curl_multi_perform "(3), "
+.BR libcurl-errors "(3), "
 

docs/libcurl/curl_easy_setopt.3

@@ -347,6 +347,8 @@ Pass a pointer to a function that matches the following prototype:
 \fBint function(void *clientp, double dltotal, double dlnow, double ultotal,
 double ulnow);\fP
 
+We encourage users to use \fICURLOPT_XFERINFOFUNCTION\fP instead, if you can.
+
 This function gets called by libcurl instead of its internal equivalent with a
 frequent interval. While data is being transferred it will be called very
 frequently, and during slow periods like when nothing is being transferred it
@@ -493,6 +495,10 @@ The data is header (or header-like) data sent to the peer.
 The data is protocol data received from the peer.
 .IP CURLINFO_DATA_OUT
 The data is protocol data sent to the peer.
+.IP CURLINFO_SSL_DATA_OUT
+The data is SSL/TLS (binary) data sent to the peer.
+.IP CURLINFO_SSL_DATA_IN
+The data is SSL/TLS (binary) data received from the peer.
 .RE
 .IP CURLOPT_DEBUGDATA
 Pass a pointer to whatever you want passed in to your
@@ -817,8 +823,9 @@ the user
 
 The path part of an IMAP request not only specifies the mailbox to list (Added
 in 7.30.0) or select, but can also be used to check the UIDVALIDITY of the
-mailbox and to specify the UID and SECTION of the message to fetch (Added in
-7.30.0).
+mailbox, to specify the UID, SECTION (Added in 7.30.0) and PARTIAL octets
+(Added in 7.37.0) of the message to fetch and to specify what nessages to
+search for (Added in 7.37.0).
 
 imap://user:password@mail.example.com - Performs a top level folder list
 
@@ -833,7 +840,17 @@ the user's inbox, checks the UIDVALIDITY of the mailbox is 50 and fetches
 message 2 if it is
 
 imap://user:password@mail.example.com/INBOX/;UID=3/;SECTION=TEXT - Selects the
-user's inbox and fetches message 3 with only the text portion of the message
+user's inbox and fetches the text portial of message 3
+
+imap://user:password@mail.example.com/INBOX/;UID=4/;PARTIAL=0.1024 - Selects
+the user's inbox and fetches the first 1024 octets of message 4
+
+imap://user:password@mail.example.com/INBOX?NEW - Selects the user's inbox and
+checks for NEW messages
+
+imap://user:password@mail.example.com/INBOX?SUBJECT%20shadows - Selects the
+user's inbox and searches for messages containing "shadows" in the subject
+line
 
 For more information about the individual components of an IMAP URL please
 see RFC5092.
@@ -936,9 +953,9 @@ Set HTTP proxy to use. The parameter should be a char * to a zero terminated
 string holding the host name or dotted IP address. To specify port number in
 this string, append :[port] to the end of the host name. The proxy string may
 be prefixed with [protocol]:// since any such prefix will be ignored. The
-proxy's port number may optionally be specified with the separate option. If
-not specified, libcurl will default to using port 1080 for proxies.
-\fICURLOPT_PROXYPORT\fP.
+proxy's port number may optionally be specified with the separate option
+\fICURLOPT_PROXYPORT\fP. If not specified, libcurl will default to using port
+1080 for proxies.
 
 When you tell the library to use a HTTP proxy, libcurl will transparently
 convert operations to HTTP even if you specify an FTP URL etc. This may have
@@ -985,8 +1002,8 @@ if one is specified.  The only wildcard available is a single * character,
 which matches all hosts, and effectively disables the proxy. Each name in this
 list is matched as either a domain which contains the hostname, or the
 hostname itself. For example, example.com would match example.com,
-example.com:80, and www.example.com, but not www.notanexample.com.  (Added in
-7.19.4)
+example.com:80, and www.example.com, but not www.notanexample.com or
+example.com.othertld.  (Added in 7.19.4)
 .IP CURLOPT_HTTPPROXYTUNNEL
 Set the parameter to 1 to make the library tunnel all operations through a
 given HTTP proxy. There is a big difference between using a proxy and to
@@ -1511,17 +1528,20 @@ set the User-Agent: header in the http request sent to the remote server. This
 can be used to fool servers or scripts. You can also set any custom header
 with \fICURLOPT_HTTPHEADER\fP.
 .IP CURLOPT_HTTPHEADER
-Pass a pointer to a linked list of HTTP headers to pass to the server in your
-HTTP request. The linked list should be a fully valid list of \fBstruct
-curl_slist\fP structs properly filled in. Use \fIcurl_slist_append(3)\fP to
-create the list and \fIcurl_slist_free_all(3)\fP to clean up an entire
-list. If you add a header that is otherwise generated and used by libcurl
-internally, your added one will be used instead. If you add a header with no
-content as in 'Accept:' (no data on the right side of the colon), the
-internally used header will get disabled. Thus, using this option you can add
-new headers, replace internal headers and remove internal headers. To add a
-header with no content (nothing to the right side of the colon), use the
-form 'MyHeader;' (note the ending semicolon).
+Pass a pointer to a linked list of HTTP headers to pass to the server and/or
+proxy in your HTTP request. The same list is used for both host and proxy
+requests!
+
+The linked list should be a fully valid list of \fBstruct curl_slist\fP
+structs properly filled in. Use \fIcurl_slist_append(3)\fP to create the list
+and \fIcurl_slist_free_all(3)\fP to clean up an entire list. If you add a
+header that is otherwise generated and used by libcurl internally, your added
+one will be used instead. If you add a header with no content as in 'Accept:'
+(no data on the right side of the colon), the internally used header will get
+disabled. With this option you can add new headers, replace internal headers
+and remove internal headers. To add a header with no content (nothing to the
+right side of the colon), use the form 'MyHeader;' (note the ending
+semicolon).
 
 The headers included in the linked list must not be CRLF-terminated, because
 curl adds CRLF after each header item. Failure to comply with this will result
@@ -1537,6 +1557,42 @@ Pass a NULL to this to reset back to no custom headers.
 
 The most commonly replaced headers have "shortcuts" in the options
 \fICURLOPT_COOKIE\fP, \fICURLOPT_USERAGENT\fP and \fICURLOPT_REFERER\fP.
+
+There's an alternative option that sets or replaces headers only for requests
+that are sent with CONNECT to a proxy: \fICURLOPT_PROXYHEADER\fP. Use
+\fICURLOPT_HEADEROPT\fP to control the behavior.
+.IP CURLOPT_HEADEROPT
+Pass a long that is a bitmask of options of how to deal with headers. The two
+mutually exclusive options are:
+
+CURLHEADER_UNIFIED - keep working as before. This means CURLOPT_HTTPHEADER
+headers will be used in requests both to servers and proxies. With this option
+enabled, \fICURLOPT_PROXYHEADER\fP will not have any effect.
+
+CURLHEADER_SEPARATE - makes \fICURLOPT_HTTPHEADER\fP headers only get sent to
+a server and not to a proxy. Proxy headers must be set with
+\fICURLOPT_PROXYHEADER\fP to get used. Note that if a non-CONNECT request is
+sent to a proxy, libcurl will send both server headers and proxy headers. When
+doing CONNECT, libcurl will send \fICURLOPT_PROXYHEADER\fP headers only do the
+proxy and then \fICURLOPT_HTTPHEADER\fP headers only to the server.
+
+(Added in 7.37.0)
+.IP CURLOPT_PROXYHEADER
+Pass a pointer to a linked list of HTTP headers to pass in your HTTP request
+sent to a proxy. The rules for this list is identical to the
+\fICURLOPT_HTTPHEADER\fP option's.
+
+The headers set with this option is only ever used in requests sent to a proxy
+- when there's also a request sent to a host.
+
+The first line in a request (containing the method, usually a GET or POST) is
+NOT a header and cannot be replaced using this option. Only the lines
+following the request-line are headers. Adding this method line in this list
+of headers will only cause your request to send an invalid header.
+
+Pass a NULL to this to reset back to no custom headers.
+
+This option was added in libcurl 7.37.0.
 .IP CURLOPT_HTTP200ALIASES
 Pass a pointer to a linked list of aliases to be treated as valid HTTP 200
 responses.  Some servers respond with a custom header response line.  For
@@ -1619,7 +1675,8 @@ When setting \fICURLOPT_HTTPGET\fP to 1, it will automatically set
 .IP CURLOPT_HTTP_VERSION
 Pass a long, set to one of the values described below. They force libcurl to
 use the specific HTTP versions. This is not sensible to do unless you have a
-good reason.
+good reason. You have to set this option if you want to use libcurl's HTTP 2.0
+support.
 .RS
 .IP CURL_HTTP_VERSION_NONE
 We don't care about what version the library uses. libcurl will use whatever
@@ -1628,6 +1685,9 @@ it thinks fit.
 Enforce HTTP 1.0 requests.
 .IP CURL_HTTP_VERSION_1_1
 Enforce HTTP 1.1 requests.
+.IP CURL_HTTP_VERSION_2_0
+Attempt HTTP 2.0 requests. libcurl will fall back to HTTP 1.x if HTTP 2.0
+can't be negotiated with the server.
 .RE
 .IP CURLOPT_IGNORE_CONTENT_LENGTH
 Ignore the Content-Length header. This is useful for Apache 1.x (and similar
@@ -1645,6 +1705,12 @@ Pass a long to tell libcurl how to act on transfer decoding. If set to zero,
 transfer decoding will be disabled, if set to 1 it is enabled
 (default). libcurl does chunked transfer decoding by default unless this
 option is set to zero. (added in 7.16.2)
+.IP CURLOPT_EXPECT_100_TIMEOUT_MS
+Pass a long to tell libcurl the number of milliseconds to wait for a server
+response with the HTTP status 100 (Continue), 417 (Expectation Failed) or
+similar after sending a HTTP request containing an Expect: 100-continue
+header. If this times out before a response is received, the request body is
+sent anyway. By default, libcurl waits 1000 milliseconds. (Added in 7.36.0)
 .SH SMTP OPTIONS
 .IP CURLOPT_MAIL_FROM
 Pass a pointer to a zero terminated string as parameter. This should be used
@@ -2451,6 +2517,20 @@ load your private key.
 
 (This option was known as CURLOPT_SSLKEYPASSWD up to 7.16.4 and
 CURLOPT_SSLCERTPASSWD up to 7.9.2)
+.IP CURLOPT_SSL_ENABLE_ALPN
+Pass a long as parameter, 0 or 1 where 1 is for enable and 0 for disable. By
+default, libcurl assumes a value of 1. This option enables/disables ALPN in
+the SSL handshake (if the SSL backend libcurl is built to use supports it),
+which can be used to negotiate http2.
+
+(Added in 7.36.0)
+.IP CURLOPT_SSL_ENABLE_NPN
+Pass a long as parameter, 0 or 1 where 1 is for enable and 0 for disable. By
+default, libcurl assumes a value of 1. This option enables/disables NPN in the
+SSL handshake (if the SSL backend libcurl is built to use supports it), which
+can be used to negotiate http2.
+
+(Added in 7.36.0)
 .IP CURLOPT_SSLENGINE
 Pass a pointer to a zero terminated string as parameter. It will be used as
 the identifier for the crypto engine you want to use for your private
@@ -2715,6 +2795,14 @@ known_host matching has been done, to allow the application to act and decide
 for libcurl how to proceed. The callback will only be called if
 \fICURLOPT_SSH_KNOWNHOSTS\fP is also set.
 
+.nf
+int curl_sshkeycallback (CURL *easy,     /* easy handle */
+                         const struct curl_khkey *knownkey, /* known */
+                         const struct curl_khkey *foundkey, /* found */
+                         enum curl_khmatch, /* libcurl's view on the keys */
+                         void *clientp);
+.fi
+
 The curl_sshkeycallback function gets passed the CURL handle, the key from the
 known_hosts file, the key from the remote site, info from libcurl on the
 matching status and a custom pointer (set with \fICURLOPT_SSH_KEYDATA\fP). It

docs/libcurl/curl_multi_add_handle.3

@@ -5,7 +5,7 @@
 .\" *                            | (__| |_| |  _ <| |___
 .\" *                             \___|\___/|_| \_\_____|
 .\" *
-.\" * Copyright (C) 1998 - 2013, Daniel Stenberg, <daniel@haxx.se>, et al.
+.\" * Copyright (C) 1998 - 2014, Daniel Stenberg, <daniel@haxx.se>, et al.
 .\" *
 .\" * This software is licensed as described in the file COPYING, which
 .\" * you should have received as part of this distribution. The terms
@@ -33,8 +33,10 @@ this \fImulti_handle\fP control the specified \fIeasy_handle\fP.  Furthermore,
 libcurl now initiates the connection associated with the specified
 \fIeasy_handle\fP.
 
-When an easy handle has been added to a multi stack, you can not and you must
-not use \fIcurl_easy_perform(3)\fP on that handle!
+While an easy handle is added to a multi stack, you can not and you must not
+use \fIcurl_easy_perform(3)\fP on that handle. After having removed the handle
+from the multi stack again, it is perfectly fine to use it with the easy
+interface again.
 
 If the easy handle is not set to use a shared (CURLOPT_SHARE) or global DNS
 cache (CURLOPT_DNS_USE_GLOBAL_CACHE), it will be made to use the DNS cache

docs/libcurl/curl_multi_assign.3

@@ -5,7 +5,7 @@
 .\" *                            | (__| |_| |  _ <| |___
 .\" *                             \___|\___/|_| \_\_____|
 .\" *
-.\" * Copyright (C) 1998 - 2011, Daniel Stenberg, <daniel@haxx.se>, et al.
+.\" * Copyright (C) 1998 - 2014, Daniel Stenberg, <daniel@haxx.se>, et al.
 .\" *
 .\" * This software is licensed as described in the file COPYING, which
 .\" * you should have received as part of this distribution. The terms
@@ -28,8 +28,8 @@ curl_multi_assign \- set data to association with an internal socket
 CURLMcode curl_multi_assign(CURLM *multi_handle, curl_socket_t sockfd,
                             void *sockptr);
 .SH DESCRIPTION
-This function assigns an association in the multi handle between the given
-socket and a private pointer of the application. This is (only) useful for
+This function creates an association in the multi handle between the given
+socket and a private pointer of the application. This is designed for
 \fIcurl_multi_socket(3)\fP uses.
 
 When set, the \fIsockptr\fP pointer will be passed to all future socket
@@ -51,13 +51,13 @@ The standard CURLMcode for multi interface error codes.
 .SH "TYPICAL USAGE"
 In a typical application you allocate a struct or at least use some kind of
 semi-dynamic data for each socket that we must wait for action on when using
-the \fIcurl_multi_socket(3)\fP approach.
+the \fIcurl_multi_socket_action(3)\fP approach.
 
 When our socket-callback gets called by libcurl and we get to know about yet
 another socket to wait for, we can use \fIcurl_multi_assign(3)\fP to point out
 the particular data so that when we get updates about this same socket again,
 we don't have to find the struct associated with this socket by ourselves.
 .SH AVAILABILITY
-This function was added in libcurl 7.15.5, although not deemed stable yet.
+This function was added in libcurl 7.15.5.
 .SH "SEE ALSO"
-.BR curl_multi_setopt "(3), " curl_multi_socket "(3) "
+.BR curl_multi_setopt "(3), " curl_multi_socket_action "(3) "

docs/libcurl/curl_multi_setopt.3

@@ -5,7 +5,7 @@
 .\" *                            | (__| |_| |  _ <| |___
 .\" *                             \___|\___/|_| \_\_____|
 .\" *
-.\" * Copyright (C) 1998 - 2011, Daniel Stenberg, <daniel@haxx.se>, et al.
+.\" * Copyright (C) 1998 - 2014, Daniel Stenberg, <daniel@haxx.se>, et al.
 .\" *
 .\" * This software is licensed as described in the file COPYING, which
 .\" * you should have received as part of this distribution. The terms
@@ -81,9 +81,9 @@ not used by libcurl but only passed-thru as-is. Set the callback pointer with
 \fICURLMOPT_TIMERFUNCTION\fP. (Added in 7.16.0)
 .IP CURLMOPT_MAXCONNECTS
 Pass a long. The set number will be used as the maximum amount of
-simultaneously open connections that libcurl may cache. Default is 10, and
-libcurl will enlarge the size for each added easy handle to make it fit 4
-times the number of added easy handles.
+simultaneously open connections that libcurl may keep in its connection cache
+after completed use. By default libcurl will enlarge the size for each added
+easy handle to make it fit 4 times the number of added easy handles.
 
 By setting this option, you can prevent the cache size from growing beyond the
 limit set by you.
@@ -94,6 +94,9 @@ number of open connections from increasing.
 This option is for the multi handle's use only, when using the easy interface
 you should instead use the \fICURLOPT_MAXCONNECTS\fP option.
 
+See \fICURLMOPT_MAX_TOTAL_CONNECTIONS\fP for limiting the number of active
+connections.
+
 (Added in 7.16.3)
 .IP CURLMOPT_MAX_HOST_CONNECTIONS
 Pass a long. The set number will be used as the maximum amount of

docs/libcurl/curl_version.3

@@ -5,7 +5,7 @@
 .\" *                            | (__| |_| |  _ <| |___
 .\" *                             \___|\___/|_| \_\_____|
 .\" *
-.\" * Copyright (C) 1998 - 2011, Daniel Stenberg, <daniel@haxx.se>, et al.
+.\" * Copyright (C) 1998 - 2014, Daniel Stenberg, <daniel@haxx.se>, et al.
 .\" *
 .\" * This software is licensed as described in the file COPYING, which
 .\" * you should have received as part of this distribution. The terms
@@ -30,6 +30,8 @@ curl_version - returns the libcurl version string
 .SH DESCRIPTION
 Returns a human readable string with the version number of libcurl and some of
 its important components (like OpenSSL version).
+
+We recommend using \fIcurl_version_info(3)\fP instead!
 .SH RETURN VALUE
 A pointer to a zero terminated string. The string resides in a statically
 allocated buffer and must not be freed by the caller.

docs/libcurl/curl_version_info.3

@@ -5,7 +5,7 @@
 .\" *                            | (__| |_| |  _ <| |___
 .\" *                             \___|\___/|_| \_\_____|
 .\" *
-.\" * Copyright (C) 1998 - 2009, Daniel Stenberg, <daniel@haxx.se>, et al.
+.\" * Copyright (C) 1998 - 2014, Daniel Stenberg, <daniel@haxx.se>, et al.
 .\" *
 .\" * This software is licensed as described in the file COPYING, which
 .\" * you should have received as part of this distribution. The terms
@@ -20,7 +20,7 @@
 .\" *
 .\" **************************************************************************
 .\"
-.TH curl_version_info 3 "10 June 2009" "libcurl 7.19.6" "libcurl Manual"
+.TH curl_version_info 3 "18 Feb 2014" "libcurl 7.33.0" "libcurl Manual"
 .SH NAME
 curl_version_info - returns run-time libcurl version info
 .SH SYNOPSIS
@@ -30,11 +30,12 @@ curl_version_info - returns run-time libcurl version info
 .ad
 .SH DESCRIPTION
 Returns a pointer to a filled in struct with information about various
-run-time features in libcurl. \fItype\fP should be set to the version of this
-functionality by the time you write your program. This way, libcurl will
-always return a proper struct that your program understands, while programs in
-the future might get a different struct. CURLVERSION_NOW will be the most
-recent one for the library you have installed:
+features in the running version of libcurl. \fItype\fP should be set to the
+version of this functionality by the time you write your program. This way,
+libcurl will always return a proper struct that your program understands,
+while programs in the future might get a different
+struct. \fBCURLVERSION_NOW\fP will be the most recent one for the library you
+have installed:
 
         data = curl_version_info(CURLVERSION_NOW);
 
@@ -133,6 +134,9 @@ libcurl was built with support for TLS-SRP. (Added in 7.21.4)
 .IP CURL_VERSION_NTLM_WB
 libcurl was built with support for NTLM delegation to a winbind helper.
 (Added in 7.22.0)
+.IP CURL_VERSION_HTTP2
+libcurl was built with support for HTTP2.
+(Added in 7.33.0)
 .RE
 \fIssl_version\fP is an ASCII string for the OpenSSL version used. If libcurl
 has no SSL support, this is NULL.

docs/libcurl/libcurl.3

@@ -5,7 +5,7 @@
 .\" *                            | (__| |_| |  _ <| |___
 .\" *                             \___|\___/|_| \_\_____|
 .\" *
-.\" * Copyright (C) 1998 - 2013, Daniel Stenberg, <daniel@haxx.se>, et al.
+.\" * Copyright (C) 1998 - 2014, Daniel Stenberg, <daniel@haxx.se>, et al.
 .\" *
 .\" * This software is licensed as described in the file COPYING, which
 .\" * you should have received as part of this distribution. The terms
@@ -29,22 +29,21 @@ specific man pages for each function mentioned in here. There are also the
 \fIlibcurl-share(3)\fP man page and the \fIlibcurl-tutorial(3)\fP man page for
 in-depth understanding on how to program with libcurl.
 
-There are more than thirty custom bindings available that bring libcurl access
-to your favourite language. Look elsewhere for documentation on those.
+There are many bindings available that bring libcurl access to your favourite
+language. Look elsewhere for documentation on those.
 
-libcurl has a global constant environment that you must set up and
-maintain while using libcurl.  This essentially means you call
+libcurl has a global constant environment that you must set up and maintain
+while using libcurl.  This essentially means you call
 \fIcurl_global_init(3)\fP at the start of your program and
-\fIcurl_global_cleanup(3)\fP at the end.  See GLOBAL CONSTANTS below
-for details.
+\fIcurl_global_cleanup(3)\fP at the end.  See \fBGLOBAL CONSTANTS\fP below for
+details.
 
-To transfer files, you always set up an "easy handle" using
-\fIcurl_easy_init(3)\fP for a single specific transfer (in either
-direction). You then set your desired set of options in that handle with
-\fIcurk_easy_setopt(3)\fP. Options you set with \fIcurl_easy_setopt(3)\fP will
-be used on every repeated use of this handle until you either call the
-function again and change the option, or you reset them all with
-\fIcurl_easy_reset(3)\fP.
+To transfer files, you create an "easy handle" using \fIcurl_easy_init(3)\fP
+for a single individual transfer (in either direction). You then set your
+desired set of options in that handle with \fIcurk_easy_setopt(3)\fP. Options
+you set with \fIcurl_easy_setopt(3)\fP stick. They will be used on every
+repeated use of this handle until you either change the option, or you reset
+them all with \fIcurl_easy_reset(3)\fP.
 
 To actually transfer data you have the option of using the "easy" interface,
 or the "multi" interface.
@@ -98,6 +97,8 @@ Unix-like operating system that ship libcurl as part of their distributions
 often don't provide the curl-config tool, but simply install the library and
 headers in the common path for this purpose.
 
+Many Linux and similar sytems use pkg-config to provide build and link options
+about libraries and libcurl supports that as well.
 .SH "LIBCURL SYMBOL NAMES"
 All public functions in the libcurl interface are prefixed with 'curl_' (with
 a lowercase c). You can find other functions in the library source code, but
@@ -115,8 +116,8 @@ several threads. libcurl is thread-safe and can be used in any number of
 threads, but you must use separate curl handles if you want to use libcurl in
 more than one thread simultaneously.
 
-The global environment functions are not thread-safe.  See GLOBAL CONSTANTS
-below for details.
+The global environment functions are not thread-safe.  See \fBGLOBAL
+CONSTANTS\fP below for details.
 
 .SH "PERSISTENT CONNECTIONS"
 Persistent connections means that libcurl can re-use the same connection for

docs/libcurl/symbols-in-versions

@@ -193,6 +193,8 @@ CURLFTP_CREATE_DIR_RETRY        7.19.4
 CURLGSSAPI_DELEGATION_FLAG      7.22.0
 CURLGSSAPI_DELEGATION_NONE      7.22.0
 CURLGSSAPI_DELEGATION_POLICY_FLAG 7.22.0
+CURLHEADER_SEPARATE             7.37.0
+CURLHEADER_UNIFIED              7.37.0
 CURLINFO_APPCONNECT_TIME        7.19.0
 CURLINFO_CERTINFO               7.19.1
 CURLINFO_CONDITION_UNMET        7.19.4
@@ -341,6 +343,7 @@ CURLOPT_DNS_USE_GLOBAL_CACHE    7.9.3         7.11.1
 CURLOPT_EGDSOCKET               7.7
 CURLOPT_ENCODING                7.10
 CURLOPT_ERRORBUFFER             7.1
+CURLOPT_EXPECT_100_TIMEOUT_MS   7.36.0
 CURLOPT_FAILONERROR             7.1
 CURLOPT_FILE                    7.1           7.9.7
 CURLOPT_FILETIME                7.5
@@ -369,6 +372,7 @@ CURLOPT_GSSAPI_DELEGATION       7.22.0
 CURLOPT_HEADER                  7.1
 CURLOPT_HEADERDATA              7.10
 CURLOPT_HEADERFUNCTION          7.7.2
+CURLOPT_HEADEROPT               7.37.0
 CURLOPT_HTTP200ALIASES          7.10.3
 CURLOPT_HTTPAUTH                7.10.6
 CURLOPT_HTTPGET                 7.8.1
@@ -438,6 +442,7 @@ CURLOPT_PROGRESSFUNCTION        7.1           7.32.0
 CURLOPT_PROTOCOLS               7.19.4
 CURLOPT_PROXY                   7.1
 CURLOPT_PROXYAUTH               7.10.7
+CURLOPT_PROXYHEADER             7.37.0
 CURLOPT_PROXYPASSWORD           7.19.1
 CURLOPT_PROXYPORT               7.1
 CURLOPT_PROXYTYPE               7.10
@@ -498,6 +503,8 @@ CURLOPT_SSLVERSION              7.1
 CURLOPT_SSL_CIPHER_LIST         7.9
 CURLOPT_SSL_CTX_DATA            7.10.6
 CURLOPT_SSL_CTX_FUNCTION        7.10.6
+CURLOPT_SSL_ENABLE_ALPN         7.36.0
+CURLOPT_SSL_ENABLE_NPN          7.36.0
 CURLOPT_SSL_OPTIONS             7.25.0
 CURLOPT_SSL_SESSIONID_CACHE     7.16.0
 CURLOPT_SSL_VERIFYHOST          7.8.1

docs/mk-ca-bundle.1

@@ -24,13 +24,14 @@
 .SH NAME
 mk-ca-bundle \- convert mozilla's certdata.txt to PEM format
 .SH SYNOPSIS
-mk-ca-bundle [bilnqtuv]
+mk-ca-bundle [bilnpqstuv]
 .I [outputfile]
 .SH DESCRIPTION
 The mk-ca-bundle tool downloads the certdata.txt file from Mozilla's source
-tree over HTTP, then parses certdata.txt and extracts CA Root Certificates
-into PEM format.  These are then processed with the OpenSSL commandline tool
-to produce the final ca-bundle file.
+tree over HTTP, then parses certdata.txt and extracts certificates
+into PEM format.  By default, only CA root certificates trusted to issue SSL
+server authentication certificates are extracted. These are then processed with
+the OpenSSL commandline tool to produce the final ca-bundle file.
 
 The default \fIoutputfile\fP name is \fBca-bundle.crt\fP. By setting it to '-'
 (a single dash) you will get the output sent to STDOUT instead of a file.
@@ -54,10 +55,40 @@ print version info about used modules
 print license info about certdata.txt
 .IP -n
 no download of certdata.txt (to use existing)
+.IP "-p [purposes]:[levels]"
+list of Mozilla trust purposes and levels for certificates to include in output.
+Takes the form of a comma separated list of purposes, a colon, and a comma
+separated list of levels. The default is to include all certificates trusted
+to issue SSL Server certificates (SERVER_AUTH:TRUSTED_DELEGATOR).
+
+(Added in version 1.21, Perl only)
+
+Valid purposes are:
+.RS
+ALL, DIGITAL_SIGNATURE, NON_REPUDIATION, KEY_ENCIPHERMENT,
+DATA_ENCIPHERMENT, KEY_AGREEMENT, KEY_CERT_SIGN, CRL_SIGN,
+SERVER_AUTH (default), CLIENT_AUTH, CODE_SIGNING, EMAIL_PROTECTION,
+IPSEC_END_SYSTEM, IPSEC_TUNNEL, IPSEC_USER, TIME_STAMPING, STEP_UP_APPROVED
+.RE
+
+Valid trust levels are:
+.RS
+ALL, TRUSTED_DELEGATOR (default), NOT_TRUSTED, MUST_VERIFY_TRUST, TRUSTED
+.RE
 .IP -q
 be really quiet (no progress output at all)
 .IP -t
 include plain text listing of certificates
+.IP "-s [algorithms]"
+comma separated list of signature algorithms with which to hash/fingerprint
+each certificate and output when run in plain text mode.
+
+(Added in version 1.21, Perl only)
+
+Valid algorithms are:
+.RS
+ALL, NONE, MD5 (default), SHA1, SHA256, SHA512
+.RE
 .IP -u
 unlink (remove) certdata.txt after processing
 .IP -v

include/curl/curl.h

@@ -7,7 +7,7 @@
  *                            | (__| |_| |  _ <| |___
  *                             \___|\___/|_| \_\_____|
  *
- * Copyright (C) 1998 - 2013, Daniel Stenberg, <daniel@haxx.se>, et al.
+ * Copyright (C) 1998 - 2014, Daniel Stenberg, <daniel@haxx.se>, et al.
  *
  * This software is licensed as described in the file COPYING, which
  * you should have received as part of this distribution. The terms
@@ -754,6 +754,10 @@ typedef enum {
   CURLFTPMETHOD_LAST       /* not an option, never use */
 } curl_ftpmethod;
 
+/* bitmask defines for CURLOPT_HEADEROPT */
+#define CURLHEADER_UNIFIED  0
+#define CURLHEADER_SEPARATE (1<<0)
+
 /* CURLPROTO_ defines are for the CURLOPT_*PROTOCOLS options */
 #define CURLPROTO_HTTP   (1<<0)
 #define CURLPROTO_HTTPS  (1<<1)
@@ -903,7 +907,8 @@ typedef enum {
   /* Set cookie in request: */
   CINIT(COOKIE, OBJECTPOINT, 22),
 
-  /* This points to a linked list of headers, struct curl_slist kind */
+  /* This points to a linked list of headers, struct curl_slist kind. This
+     list is also used for RTSP (in spite of its name) */
   CINIT(HTTPHEADER, OBJECTPOINT, 23),
 
   /* This points to a linked list of post entries, struct curl_httppost */
@@ -1571,6 +1576,23 @@ typedef enum {
   /* Set authentication options directly */
   CINIT(LOGIN_OPTIONS, OBJECTPOINT, 224),
 
+  /* Enable/disable TLS NPN extension (http2 over ssl might fail without) */
+  CINIT(SSL_ENABLE_NPN, LONG, 225),
+
+  /* Enable/disable TLS ALPN extension (http2 over ssl might fail without) */
+  CINIT(SSL_ENABLE_ALPN, LONG, 226),
+
+  /* Time to wait for a response to a HTTP request containing an
+   * Expect: 100-continue header before sending the data anyway. */
+  CINIT(EXPECT_100_TIMEOUT_MS, LONG, 227),
+
+  /* This points to a linked list of headers used for proxy requests only,
+     struct curl_slist kind */
+  CINIT(PROXYHEADER, OBJECTPOINT, 228),
+
+  /* Pass in a bitmask of "header options" */
+  CINIT(HEADEROPT, LONG, 229),
+
   CURLOPT_LASTENTRY /* the last unused */
 } CURLoption;
 

include/curl/curlver.h

@@ -30,13 +30,13 @@
 
 /* This is the version number of the libcurl package from which this header
    file origins: */
-#define LIBCURL_VERSION "7.34.1-DEV"
+#define LIBCURL_VERSION "7.37.0-DEV"
 
 /* The numeric version number is also available "in parts" by using these
    defines: */
 #define LIBCURL_VERSION_MAJOR 7
-#define LIBCURL_VERSION_MINOR 34
-#define LIBCURL_VERSION_PATCH 1
+#define LIBCURL_VERSION_MINOR 37
+#define LIBCURL_VERSION_PATCH 0
 
 /* This is the numeric version of the libcurl version number, meant for easier
    parsing and comparions by programs. The LIBCURL_VERSION_NUM define will
@@ -53,7 +53,7 @@
    and it is always a greater number in a more recent release. It makes
    comparisons with greater than and less than work.
 */
-#define LIBCURL_VERSION_NUM 0x072201
+#define LIBCURL_VERSION_NUM 0x072500
 
 /*
  * This is the date and time when the full source package was created. The

lib/Makefile.Watcom

@@ -3,16 +3,31 @@
 #  G. Vanem <gvanem@broadpark.no>
 #
 
+.ERASE
+
+!if $(__VERSION__) < 1280
+!message !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!message ! This Open Watcom version is too old and is no longer supported !
+!message !     Please download latest version from www.openwatcom.org     !
+!message !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!error Unsupported version of Open Watcom
+!endif
+
 !ifndef %watcom
 !error WATCOM environment variable not set!
 !endif
 
+# In order to process Makefile.inc wmake must be called with -u switch!
+!ifndef %MAKEFLAGS
+!error You MUST call wmake with the -u switch!
+!endif
+
 !ifdef %libname
 LIBNAME = $(%libname)
 !else
 LIBNAME = libcurl
 !endif
-TARGETS = $(LIBNAME).dll $(LIBNAME)_imp.lib $(LIBNAME).lib
+TARGETS = $(LIBNAME).dll $(LIBNAME).lib
 
 CC = wcc386
 LD = wlink
@@ -23,37 +38,29 @@ RC = wrc
 !  loaddll wcc386  wccd386
 !  loaddll wpp386  wppd386
 !  loaddll wlib    wlibd
-!  if $(__VERSION__) > 1270
-!    loaddll wlink   wlinkd
-!  else
-!    loaddll wlink   wlink
-!  endif
+!  loaddll wlink   wlinkd
 !endif
 
 !ifdef __LINUX__
-DS = /
 CP = cp
 MD = mkdir -p
-RD = rmdir -p
-RM = rm -f
 !else
-DS = $(X)\$(X)
 CP = copy 2>NUL
 MD = mkdir
-RD = rmdir /q /s 2>NUL
-!if $(__VERSION__) < 1250
-RM = del /q /f 2>NUL
-!else
-RM = rm -f
 !endif
+!if $(__VERSION__) > 1290
+RD = rm -rf
+!else ifdef __UNIX__
+RD = rm -rf
+!else
+RD = rmdir /q /s 2>NUL
 !endif
 
-SYS_INCL = -I$(%watcom)$(DS)h$(DS)nt -I$(%watcom)$(DS)h
-SYS_LIBS = $(%watcom)$(DS)lib386$(DS)nt;$(%watcom)$(DS)lib386
+SYS_INCL = -I"$(%watcom)/h/nt" -I"$(%watcom)/h"
 
 CFLAGS = -3r -mf -hc -zff -zgf -zq -zm -zc -s -fr=con -w2 -fpi -oilrtfm &
          -wcd=201 -bt=nt -d+ -dWIN32 -dCURL_WANTS_CA_BUNDLE_ENV         &
-         -dBUILDING_LIBCURL -dHAVE_SPNEGO=1 -I. -I..$(DS)include $(SYS_INCL)
+         -dBUILDING_LIBCURL -dHAVE_SPNEGO=1 -I. -I"../include" $(SYS_INCL)
 
 !ifdef %debug
 DEBUG  = -dDEBUG=1 -dDEBUGBUILD
@@ -83,169 +90,162 @@ CFLAGS += -dWANT_IDN_PROTOTYPES
 !ifdef %zlib_root
 ZLIB_ROOT = $(%zlib_root)
 !else
-ZLIB_ROOT = ..$(DS)..$(DS)zlib-1.2.8
+ZLIB_ROOT = ../../zlib-1.2.8
 !endif
 
 !ifdef %libssh2_root
 LIBSSH2_ROOT = $(%libssh2_root)
 !else
-LIBSSH2_ROOT = ..$(DS)..$(DS)libssh2-1.4.3
+LIBSSH2_ROOT = ../../libssh2-1.4.3
 !endif
 
 !ifdef %librtmp_root
 LIBRTMP_ROOT = $(%librtmp_root)
 !else
-LIBRTMP_ROOT = ..$(DS)..$(DS)rtmpdump-2.3
+LIBRTMP_ROOT = ../../rtmpdump-2.3
 !endif
 
 !ifdef %openssl_root
 OPENSSL_ROOT = $(%openssl_root)
 !else
-OPENSSL_ROOT = ..$(DS)..$(DS)openssl-0.9.8y
+OPENSSL_ROOT = ../../openssl-0.9.8y
 !endif
 
 !ifdef %ares_root
 ARES_ROOT = $(%ares_root)
 !else
-ARES_ROOT = ..$(DS)ares
+ARES_ROOT = ../ares
 !endif
 
 !ifdef %use_zlib
-CFLAGS += -dHAVE_ZLIB_H -dHAVE_LIBZ -I$(ZLIB_ROOT)
+CFLAGS += -dHAVE_ZLIB_H -dHAVE_LIBZ -I"$(ZLIB_ROOT)"
 !endif
 
 !ifdef %use_rtmp
-CFLAGS += -dUSE_LIBRTMP -I$(LIBRTMP_ROOT)
+CFLAGS += -dUSE_LIBRTMP -I"$(LIBRTMP_ROOT)"
 !endif
 
 !ifdef %use_ssh2
-CFLAGS += -DUSE_LIBSSH2 -DHAVE_LIBSSH2_H -I$(LIBSSH2_ROOT)$(DS)include -I$(LIBSSH2_ROOT)$(DS)win32
+CFLAGS += -DUSE_LIBSSH2 -DHAVE_LIBSSH2_H -I"$(LIBSSH2_ROOT)/include" -I"$(LIBSSH2_ROOT)/win32"
 !endif
 
 !ifdef %use_ssl
-CFLAGS += -wcd=138 -dUSE_OPENSSL -dUSE_SSLEAY -I$(OPENSSL_ROOT)$(DS)inc32
+CFLAGS += -wcd=138 -dUSE_OPENSSL -dUSE_SSLEAY -I"$(OPENSSL_ROOT)/inc32"
 !endif
 
 !ifdef %use_ares
-CFLAGS += -dUSE_ARES -I$(ARES_ROOT)
+CFLAGS += -dUSE_ARES -I"$(ARES_ROOT)"
 !endif
 
 !ifdef %use_watt32
-CFLAGS += -dUSE_WATT32 -I$(%watt_root)$(DS)inc
+CFLAGS += -dUSE_WATT32 -I"$(%watt_root)/inc"
 !endif
 
 OBJ_BASE = WC_Win32.obj
-LINK_ARG = $(OBJ_BASE)$(DS)dyn$(DS)wlink.arg
-LIB_ARG  = $(OBJ_BASE)$(DS)stat$(DS)wlib.arg
-
-# In order to process Makefile.inc wmake must be called with -u switch!
-!ifndef %MAKEFLAGS
-!error You MUST call wmake with the -u switch!
+!if $(__VERSION__) > 1290
+OBJ_STAT = $(OBJ_BASE)/stat
+OBJ_DYN  = $(OBJ_BASE)/dyn
+!else ifdef __UNIX__
+OBJ_STAT = $(OBJ_BASE)/stat
+OBJ_DYN  = $(OBJ_BASE)/dyn
 !else
+OBJ_STAT = $(OBJ_BASE)\stat
+OBJ_DYN  = $(OBJ_BASE)\dyn
+!endif
+
+LINK_ARG = $(OBJ_DYN)/wlink.arg
+LIB_ARG  = $(OBJ_STAT)/wlib.arg
+
 !include Makefile.inc
-!endif
 
-OBJS = $(CSOURCES:.c=.obj)
-!ifdef __LINUX__
-OBJS = $OBJ_DIR/$(OBJS: = $OBJ_DIR/)
+OBJS1 = ./$(CSOURCES:.c=.obj)
+OBJS2 = $(OBJS1:vtls/=)
+OBJS3 = $(OBJS2: = ./)
+OBJS_STAT = $(OBJS3:./=$(OBJ_STAT)/)
+OBJS_DYN  = $(OBJS3:./=$(OBJ_DYN)/)
 
-!else
-OBJS = $OBJ_DIR\$(OBJS: = $OBJ_DIR\)
-!endif
+CURLBUILDH = ../include/curl/curlbuild.h
+RESOURCE   = $(OBJ_DYN)/libcurl.res
 
-#
-# Use $(OBJS) as a template to generate $(OBJS_STAT) and $(OBJS_DYN).
-#
-OBJ_DIR    = $(OBJ_BASE)$(DS)stat
-OBJS_STAT  = $+ $(OBJS) $-
+DIRS = $(OBJ_BASE) $(OBJ_BASE)/stat $(OBJ_BASE)/dyn
 
-OBJ_DIR    = $(OBJ_BASE)$(DS)dyn
-OBJS_DYN   = $+ $(OBJS) $-
+.c : vtls
 
-CURLBUILDH = ..$(DS)include$(DS)curl$(DS)curlbuild.h
-RESOURCE   = $(OBJ_BASE)$(DS)dyn$(DS)libcurl.res
-
-all: $(CURLBUILDH) $(OBJ_BASE) $(TARGETS) .SYMBOLIC
+all: $(CURLBUILDH) $(DIRS) $(TARGETS) .SYMBOLIC
 	@echo Welcome to libcurl
 
 clean: .SYMBOLIC
-	-$(RM) $(OBJS_STAT)
-	-$(RM) $(OBJS_DYN)
-	-$(RM) $(RESOURCE) $(LINK_ARG) $(LIB_ARG)
+	-rm -f $(OBJS_STAT)
+	-rm -f $(OBJS_DYN)
+	-rm -f $(RESOURCE) $(LINK_ARG) $(LIB_ARG)
 
 vclean distclean: clean .SYMBOLIC
-	-$(RM) $(TARGETS) $(LIBNAME).map $(LIBNAME).sym
-	-$(RD) $(OBJ_BASE)$(DS)stat
-	-$(RD) $(OBJ_BASE)$(DS)dyn
+	-rm -f $(TARGETS) $(LIBNAME).map $(LIBNAME).sym
+	-$(RD) $(OBJ_STAT)
+	-$(RD) $(OBJ_DYN)
 	-$(RD) $(OBJ_BASE)
 
-$(OBJ_BASE):
+$(DIRS):
 	-$(MD) $^@
-	-$(MD) $^@$(DS)stat
-	-$(MD) $^@$(DS)dyn
 
 $(CURLBUILDH): .EXISTSONLY
 	$(CP) $^@.dist $^@
 
-$(LIBNAME).dll: $(OBJS_DYN) $(RESOURCE) $(LINK_ARG)
-	$(LD) name $^@ @$]@
-
-$(LIBNAME).lib: $(OBJS_STAT) $(LIB_ARG)
-	$(AR) -q -b -c $^@ @$]@
-
-.ERASE
-$(RESOURCE): libcurl.rc
-	$(RC) $(DEBUG) -q -r -zm -bt=nt -I..$(DS)include $(SYS_INCL) $[@ -fo=$^@
-
-.ERASE
-.c{$(OBJ_BASE)$(DS)dyn}.obj:
-	$(CC) $(CFLAGS) -bd -br $[@ -fo=$^@
-
-.ERASE
-.c{$(OBJ_BASE)$(DS)stat}.obj:
-	$(CC) $(CFLAGS) -DCURL_STATICLIB $[@ -fo=$^@
-
-$(LINK_ARG): $(__MAKEFILES__)
-	%create $^@
-	@%append $^@ system nt dll
-	@%append $^@ file { $(OBJS_DYN) }
+$(LIBNAME).dll: $(OBJS_DYN) $(RESOURCE) $(__MAKEFILES__)
+	%create $(LINK_ARG)
+	@%append $(LINK_ARG) system nt dll
 !ifdef %debug
-	@%append $^@ debug all
-	@%append $^@ option symfile
+	@%append $(LINK_ARG) debug all
+	@%append $(LINK_ARG) option symfile
 !endif
-	@%append $^@ option quiet, map, caseexact, eliminate, implib=$(LIBNAME)_imp.lib,
-	@%append $^@ res=$(RESOURCE) libpath $(SYS_LIBS)
-	@%append $^@ library wldap32.lib
+	@%append $(LINK_ARG) option quiet, caseexact, eliminate
+	@%append $(LINK_ARG) option map=$(OBJ_DYN)/$(LIBNAME).map
+	@%append $(LINK_ARG) option implib=$(LIBNAME)_imp.lib
+	@%append $(LINK_ARG) option res=$(RESOURCE)
+	@for %f in ($(OBJS_DYN)) do @%append $(LINK_ARG) file %f
+	@%append $(LINK_ARG) library wldap32.lib
 !ifdef %use_watt32
-	@%append $^@ library $(%watt_root)$(DS)lib$(DS)wattcpw_imp.lib
+	@%append $(LINK_ARG) library '$(%watt_root)/lib/wattcpw_imp.lib'
 !else
-	@%append $^@ library ws2_32.lib
+	@%append $(LINK_ARG) library ws2_32.lib
 !endif
 !ifdef %use_zlib
-	@%append $^@ library $(ZLIB_ROOT)$(DS)zlib.lib
+	@%append $(LINK_ARG) library '$(ZLIB_ROOT)/zlib.lib'
 !endif
 !ifdef %use_rtmp
-	@%append $^@ library $(LIBRTMP_ROOT)$(DS)librtmp$(DS)librtmp.lib
+	@%append $(LINK_ARG) library '$(LIBRTMP_ROOT)/librtmp/librtmp.lib'
 !endif
 !ifdef %use_ssh2
-	@%append $^@ library $(LIBSSH2_ROOT)$(DS)win32$(DS)libssh2.lib
+	@%append $(LINK_ARG) library '$(LIBSSH2_ROOT)/win32/libssh2.lib'
 !endif
 !ifdef %use_ssl
-	@%append $^@ library $(OPENSSL_ROOT)$(DS)out32$(DS)libeay32.lib, $(OPENSSL_ROOT)$(DS)out32$(DS)ssleay32.lib
+	@%append $(LINK_ARG) library '$(OPENSSL_ROOT)/out32/libeay32.lib'
+	@%append $(LINK_ARG) library '$(OPENSSL_ROOT)/out32/ssleay32.lib'
 !endif
 !ifdef %use_ares
-	@%append $^@ library $(ARES_ROOT)$(DS)cares.lib
+	@%append $(LINK_ARG) library '$(ARES_ROOT)/cares.lib'
 !endif
 !ifdef %use_winidn
 !  if $(__VERSION__) > 1290
-	@%append $^@ library normaliz.lib
+	@%append $(LINK_ARG) library normaliz.lib
 !  else
-	@%append $^@ import '_IdnToAscii@20' 'NORMALIZ.DLL'.'IdnToAscii'
-	@%append $^@ import '_IdnToUnicode@20' 'NORMALIZ.DLL'.'IdnToUnicode'
+	@%append $(LINK_ARG) import '_IdnToAscii@20' 'NORMALIZ.DLL'.'IdnToAscii'
+	@%append $(LINK_ARG) import '_IdnToUnicode@20' 'NORMALIZ.DLL'.'IdnToUnicode'
 !  endif
 !endif
+	$(LD) name $^@ @$(LINK_ARG)
 
-$(LIB_ARG): $(__MAKEFILES__)
-	%create $^@
-	@for %f in ($(OBJS_STAT)) do @%append $^@ +- %f
+$(LIBNAME).lib: $(OBJS_STAT)
+	%create $(LIB_ARG)
+	@for %f in ($<) do @%append $(LIB_ARG) +- %f
+	$(AR) -q -b -c -pa $^@ @$(LIB_ARG)
 
+$(RESOURCE): libcurl.rc
+	$(RC) $(DEBUG) -q -r -zm -bt=nt -I"../include" $(SYS_INCL) $[@ -fo=$^@
+
+.c{$(OBJ_DYN)}.obj:
+	$(CC) $(CFLAGS) -bd -br $[@ -fo=$^@
+
+.c{$(OBJ_STAT)}.obj:
+	$(CC) $(CFLAGS) -DCURL_STATICLIB $[@ -fo=$^@
+	

lib/Makefile.b32

@@ -49,9 +49,9 @@ CC_FLAGS = -5 -O2 -tWM -w -w-aus -w-ccc -w-dup -w-prc -w-pro -w-rch -w-sig -w-sp
 LIBFLAGS = /C /P32
 LDFLAGS  = -q -lq -laa -tWD
 
-SRCDIR   = .
+SRCDIR   = .;.\vtls
 OBJDIR   = .\BCC_objs
-INCDIRS  = -I.;..\include
+INCDIRS  = -I.;.\lib;..\include
 LINKLIB  = $(BCCDIR)\lib\cw32mt.lib $(BCCDIR)\lib\ws2_32.lib
 DEFINES  = -DNDEBUG -DWIN32 -DBUILDING_LIBCURL
 
@@ -94,10 +94,11 @@ LINKLIB  = $(LINKLIB) $(OPENSSL_PATH)\out32\ssleay32.lib $(OPENSSL_PATH)\out32\l
 # build source files with hyphens in their name as objects with underscores
 # using explicit compilation build rules instead of implicit ones.
 
-NOHYPHEN = $(CSOURCES:-=_)
+NOHYPHEN1 = $(CSOURCES:-=_)
+NOHYPHEN2 = $(NOHYPHEN1:vtls/=)
 
-OBJECTS = $(NOHYPHEN:.c=.obj)
-PREPROCESSED = $(NOHYPHEN:.c=.int)
+OBJECTS = $(NOHYPHEN2:.c=.obj)
+PREPROCESSED = $(NOHYPHEN2:.c=.int)
 
 # Borland's command line compiler (BCC32) version 5.5.1 integrated
 # preprocessor has a bug which results in silently generating wrong

lib/Makefile.inc

@@ -5,7 +5,7 @@
 #                            | (__| |_| |  _ <| |___
 #                             \___|\___/|_| \_\_____|
 #
-# Copyright (C) 1998 - 2013, Daniel Stenberg, <daniel@haxx.se>, et al.
+# Copyright (C) 1998 - 2014, Daniel Stenberg, <daniel@haxx.se>, et al.
 #
 # This software is licensed as described in the file COPYING, which
 # you should have received as part of this distribution. The terms
@@ -20,14 +20,15 @@
 #
 ###########################################################################
 
-VSOURCES=vtls/openssl.c vtls/gtls.c vtls/vtls.c vtls/nss.c vtls/qssl.c	\
-  vtls/polarssl.c vtls/polarssl_threadlock.c vtls/axtls.c vtls/cyassl.c	\
-  vtls/curl_schannel.c vtls/curl_darwinssl.c vtls/gskit.c
-VHEADERS= vtls/qssl.h vtls/openssl.h vtls/vtls.h vtls/gtls.h		\
+LIB_VTLS_CFILES = vtls/openssl.c vtls/gtls.c vtls/vtls.c vtls/nss.c	\
+  vtls/qssl.c vtls/polarssl.c vtls/polarssl_threadlock.c vtls/axtls.c	\
+  vtls/cyassl.c vtls/curl_schannel.c vtls/curl_darwinssl.c vtls/gskit.c
+
+LIB_VTLS_HFILES = vtls/qssl.h vtls/openssl.h vtls/vtls.h vtls/gtls.h	\
   vtls/nssg.h vtls/polarssl.h vtls/polarssl_threadlock.h vtls/axtls.h	\
   vtls/cyassl.h vtls/curl_schannel.h vtls/curl_darwinssl.h vtls/gskit.h
 
-CSOURCES = file.c timeval.c base64.c hostip.c progress.c formdata.c	\
+LIB_CFILES = file.c timeval.c base64.c hostip.c progress.c formdata.c	\
   cookie.c http.c sendf.c ftp.c url.c dict.c if2ip.c speedcheck.c	\
   ldap.c version.c getenv.c escape.c mprintf.c telnet.c netrc.c		\
   getinfo.c transfer.c strequal.c easy.c security.c curl_fnmatch.c	\
@@ -44,9 +45,9 @@ CSOURCES = file.c timeval.c base64.c hostip.c progress.c formdata.c	\
   asyn-thread.c curl_gssapi.c curl_ntlm.c curl_ntlm_wb.c		\
   curl_ntlm_core.c curl_ntlm_msgs.c curl_sasl.c curl_multibyte.c	\
   hostcheck.c bundles.c conncache.c pipeline.c dotdot.c x509asn1.c	\
-  http2.c $(VSOURCES)
+  http2.c curl_sasl_sspi.c
 
-HHEADERS = arpa_telnet.h netrc.h file.h timeval.h hostip.h progress.h	\
+LIB_HFILES = arpa_telnet.h netrc.h file.h timeval.h hostip.h progress.h	\
   formdata.h cookie.h http.h sendf.h ftp.h url.h dict.h if2ip.h		\
   speedcheck.h urldata.h curl_ldap.h escape.h telnet.h getinfo.h	\
   strequal.h curl_sec.h memdebug.h http_chunks.h curl_fnmatch.h		\
@@ -62,4 +63,9 @@ HHEADERS = arpa_telnet.h netrc.h file.h timeval.h hostip.h progress.h	\
   curl_ntlm.h curl_gssapi.h curl_ntlm_wb.h curl_ntlm_core.h		\
   curl_ntlm_msgs.h curl_sasl.h curl_multibyte.h hostcheck.h bundles.h	\
   conncache.h curl_setup_once.h multihandle.h setup-vms.h pipeline.h	\
-  dotdot.h x509asn1.h http2.h sigpipe.h $(VHEADERS)
+  dotdot.h x509asn1.h http2.h sigpipe.h
+
+LIB_RCFILES = libcurl.rc
+
+CSOURCES = $(LIB_CFILES) $(LIB_VTLS_CFILES)
+HHEADERS = $(LIB_HFILES) $(LIB_VTLS_HFILES)

lib/Makefile.m32

@@ -285,7 +285,7 @@ $(libcurl_dll_LIBRARY): $(libcurl_a_OBJECTS) $(RESOURCE) $(libcurl_dll_DEPENDENC
 	  $(libcurl_a_OBJECTS) $(RESOURCE) $(DLL_LIBS)
 
 %.o: %.c $(PROOT)/include/curl/curlbuild.h
-	$(CC) $(INCLUDES) $(CFLAGS) -c $<
+	$(CC) $(INCLUDES) $(CFLAGS) -c $< -o $@
 
 %.res: %.rc
 	$(RC) $(RCFLAGS) $< -o $@

lib/Makefile.vc6

@@ -542,6 +542,7 @@ X_OBJS= \
 	$(DIROBJ)\curl_ntlm_wb.obj \
 	$(DIROBJ)\curl_rtmp.obj \
 	$(DIROBJ)\curl_sasl.obj \
+	$(DIROBJ)\curl_sasl_sspi.obj \
 	$(DIROBJ)\curl_schannel.obj \
 	$(DIROBJ)\curl_sspi.obj \
 	$(DIROBJ)\curl_threads.obj \

lib/README.http2

@@ -1,28 +1,73 @@
 
 HTTP2 with libcurl
 
- Spec: http://tools.ietf.org/html/draft-ietf-httpbis-http2-06
+ Spec: http://tools.ietf.org/html/draft-ietf-httpbis-http2
+
+ Build prerequisites
+  - nghttp2
+  - OpenSSL or NSS or GnutTLS with a new enough version
 
  nghttp2 (https://github.com/tatsuhiro-t/nghttp2)
 
-  We're depending on this 3rd party library for the actual low level protocol
-  handling parts. The reason for this is that HTTP2 is much more complex at
-  that layer than HTTP1.1 (which we implement on our own) and that nghttp2 is
-  an already existing and well functional library.
+  libcurl uses this 3rd party library for the low level protocol handling
+  parts. The reason for this is that HTTP2 is much more complex at that layer
+  than HTTP1.1 (which we implement on our own) and that nghttp2 is an already
+  existing and well functional library.
+
+  Right now, nghttp2 implements http2 draft-09
+
+  We require at least version 0.3.0
 
  Over an http:// URL
 
   If CURLOPT_HTTP_VERSION is set to CURL_HTTP_VERSION_2, libcurl will include
   an upgrade header in the initial request to the host to allow upgrading to
-  http2. Possibly introduce an option that will cause libcurl to fail if not
-  possible to upgrade. Possibly introduce an option that makes libcurl use
-  http2 at once over http://
+  http2.
+
+  Possibly we can later introduce an option that will cause libcurl to fail if
+  not possible to upgrade. Possibly we introduce an option that makes libcurl
+  use http2 at once over http://
 
  Over an https:// URL
 
   If CURLOPT_HTTP_VERSION is set to CURL_HTTP_VERSION_2, libcurl will use ALPN
   (or NPN) to negotiate which protocol to continue with. Possibly introduce an
   option that will cause libcurl to fail if not possible to use http2.
+  Consider options to explicitly disable ALPN and/or NPN.
+
+  ALPN is the TLS extension that http2 is expected to use. The NPN extension
+  is for a similar purpose, was made prior to ALPN and is used for SPDY so
+  early http2 servers are implemented using NPN before ALPN support is
+  widespread.
+
+SSL libs
+
+  The challenge is the ALPN and NPN support and all our different SSL
+  backends. You may need a fairly updated SSL library version for it to
+  provide the necessary TLS features. Right now we support:
+
+    OpenSSL: ALPN and NPN
+    NSS:     ALPN and NPN
+    GnuTLS:  ALPN
+
+Alt-Svc
+
+  Alt-Svc is a suggested new header with a corresponding frame (ALTSVC) in
+  http2 that tells the client about an alternative "route" to the same content
+  for the same origin server that you get the response from. A browser or
+  long-living client can use that hint to create a new connection
+  asynchronously.  For libcurl, we may introduce a way to bring such clues to
+  the applicaton and/or let a subsequent request use the alternate route
+  automatically.
+
+Applications
+
+  We hide http2's binary nature and convert received http2 traffic to headers
+  in HTTP 1.1 style. This allows applications to work unmodified.
+
+curl tool
+
+  curl offers the --http2 command line option to enable use of http2
 
 To consider:
 

lib/config-win32.h

@@ -7,7 +7,7 @@
  *                            | (__| |_| |  _ <| |___
  *                             \___|\___/|_| \_\_____|
  *
- * Copyright (C) 1998 - 2011, Daniel Stenberg, <daniel@haxx.se>, et al.
+ * Copyright (C) 1998 - 2014, Daniel Stenberg, <daniel@haxx.se>, et al.
  *
  * This software is licensed as described in the file COPYING, which
  * you should have received as part of this distribution. The terms
@@ -465,7 +465,8 @@
 #endif
 
 /* Define if the compiler supports the 'long long' data type. */
-#if defined(__MINGW32__) || defined(__WATCOMC__)
+#if defined(__MINGW32__) || defined(__WATCOMC__) || \
+    (defined(_MSC_VER) && (_MSC_VER >= 1310))
 #define HAVE_LONGLONG 1
 #endif
 

lib/connect.c

@@ -224,7 +224,12 @@ long Curl_timeleft(struct SessionHandle *data,
   }
 
   /* subtract elapsed time */
-  timeout_ms -= Curl_tvdiff(*nowp, data->progress.t_startsingle);
+  if(duringconnect)
+    /* since this most recent connect started */
+    timeout_ms -= Curl_tvdiff(*nowp, data->progress.t_startsingle);
+  else
+    /* since the entire operation started */
+    timeout_ms -= Curl_tvdiff(*nowp, data->progress.t_startop);
   if(!timeout_ms)
     /* avoid returning 0 as that means no timeout! */
     return -1;
@@ -545,7 +550,7 @@ static CURLcode trynextip(struct connectdata *conn,
   conn->tempsock[tempindex] = CURL_SOCKET_BAD;
 
   if(sockindex == FIRSTSOCKET) {
-    Curl_addrinfo *ai;
+    Curl_addrinfo *ai = NULL;
     int family;
 
     if(conn->tempaddr[tempindex]) {
@@ -553,7 +558,7 @@ static CURLcode trynextip(struct connectdata *conn,
       family = conn->tempaddr[tempindex]->ai_family;
       ai = conn->tempaddr[tempindex]->ai_next;
     }
-    else {
+    else if(conn->tempaddr[0]) {
       /* happy eyeballs - try the other protocol family */
       int firstfamily = conn->tempaddr[0]->ai_family;
 #ifdef ENABLE_IPV6
@@ -570,11 +575,11 @@ static CURLcode trynextip(struct connectdata *conn,
 
       if(ai) {
         rc = singleipconnect(conn, ai, &conn->tempsock[tempindex]);
-        conn->tempaddr[tempindex] = ai;
         if(rc == CURLE_COULDNT_CONNECT) {
           ai = ai->ai_next;
           continue;
         }
+        conn->tempaddr[tempindex] = ai;
       }
       break;
     }
@@ -811,14 +816,16 @@ CURLcode Curl_is_connected(struct connectdata *conn,
       char ipaddress[MAX_IPADR_LEN];
       data->state.os_errno = error;
       SET_SOCKERRNO(error);
-      Curl_printable_address(conn->tempaddr[i], ipaddress, MAX_IPADR_LEN);
-      infof(data, "connect to %s port %ld failed: %s\n",
-            ipaddress, conn->port, Curl_strerror(conn, error));
+      if(conn->tempaddr[i]) {
+        Curl_printable_address(conn->tempaddr[i], ipaddress, MAX_IPADR_LEN);
+        infof(data, "connect to %s port %ld failed: %s\n",
+              ipaddress, conn->port, Curl_strerror(conn, error));
 
-      conn->timeoutms_per_addr = conn->tempaddr[i]->ai_next == NULL ?
-                                 allow : allow / 2;
+        conn->timeoutms_per_addr = conn->tempaddr[i]->ai_next == NULL ?
+                                   allow : allow / 2;
 
-      code = trynextip(conn, sockindex, i);
+        code = trynextip(conn, sockindex, i);
+      }
     }
   }
 

lib/curl_ntlm.c

@@ -235,6 +235,14 @@ void Curl_http_ntlm_cleanup(struct connectdata *conn)
 #else
   (void)conn;
 #endif
+
+#ifndef USE_WINDOWS_SSPI
+  Curl_safefree(conn->ntlm.target_info);
+  conn->ntlm.target_info_len = 0;
+
+  Curl_safefree(conn->proxyntlm.target_info);
+  conn->proxyntlm.target_info_len = 0;
+#endif
 }
 
 #endif /* USE_NTLM */

lib/curl_ntlm_core.c

@@ -5,7 +5,7 @@
  *                            | (__| |_| |  _ <| |___
  *                             \___|\___/|_| \_\_____|
  *
- * Copyright (C) 1998 - 2012, Daniel Stenberg, <daniel@haxx.se>, et al.
+ * Copyright (C) 1998 - 2014, Daniel Stenberg, <daniel@haxx.se>, et al.
  *
  * This software is licensed as described in the file COPYING, which
  * you should have received as part of this distribution. The terms
@@ -96,6 +96,9 @@
 #include "rawstr.h"
 #include "curl_memory.h"
 #include "curl_ntlm_core.h"
+#include "curl_md5.h"
+#include "curl_hmac.h"
+#include "warnless.h"
 
 #define _MPRINTF_REPLACE /* use our functions only */
 #include <curl/mprintf.h>
@@ -103,6 +106,10 @@
 /* The last #include file should be: */
 #include "memdebug.h"
 
+#define NTLM_HMAC_MD5_LEN     (16)
+#define NTLMv2_BLOB_SIGNATURE "\x01\x01\x00\x00"
+#define NTLMv2_BLOB_LEN       (44 -16 + ntlm->target_info_len + 4)
+
 #ifdef USE_SSLEAY
 /*
  * Turns a 56 bit key into the 64 bit, odd parity key and sets the key.  The
@@ -377,6 +384,34 @@ static void ascii_to_unicode_le(unsigned char *dest, const char *src,
   }
 }
 
+static void ascii_uppercase_to_unicode_le(unsigned char *dest,
+                                          const char *src, size_t srclen)
+{
+  size_t i;
+  for(i = 0; i < srclen; i++) {
+    dest[2 * i] = (unsigned char)(toupper(src[i]));
+    dest[2 * i + 1] = '\0';
+  }
+}
+
+static void write32_le(const int value, unsigned char *buffer)
+{
+  buffer[0] = (char)(value & 0x000000FF);
+  buffer[1] = (char)((value & 0x0000FF00) >> 8);
+  buffer[2] = (char)((value & 0x00FF0000) >> 16);
+  buffer[3] = (char)((value & 0xFF000000) >> 24);
+}
+
+#if defined(HAVE_LONGLONG)
+static void write64_le(const long long value, unsigned char *buffer)
+#else
+static void write64_le(const __int64 value, unsigned char *buffer)
+#endif
+{
+  write32_le((int)value, buffer);
+  write32_le((int)(value >> 32), buffer + 4);
+}
+
 /*
  * Set up nt hashed passwords
  */
@@ -431,6 +466,191 @@ CURLcode Curl_ntlm_core_mk_nt_hash(struct SessionHandle *data,
 
   return CURLE_OK;
 }
+
+/* This returns the HMAC MD5 digest */
+CURLcode Curl_hmac_md5(const unsigned char *key, unsigned int keylen,
+                       const unsigned char *data, unsigned int datalen,
+                       unsigned char *output)
+{
+  HMAC_context *ctxt = Curl_HMAC_init(Curl_HMAC_MD5, key, keylen);
+
+  if(!ctxt)
+    return CURLE_OUT_OF_MEMORY;
+
+  /* Update the digest with the given challenge */
+  Curl_HMAC_update(ctxt, data, datalen);
+
+  /* Finalise the digest */
+  Curl_HMAC_final(ctxt, output);
+
+  return CURLE_OK;
+}
+
+/* This creates the NTLMv2 hash by using NTLM hash as the key and Unicode
+ * (uppercase UserName + Domain) as the data
+ */
+CURLcode Curl_ntlm_core_mk_ntlmv2_hash(const char *user, size_t userlen,
+                                       const char *domain, size_t domlen,
+                                       unsigned char *ntlmhash,
+                                       unsigned char *ntlmv2hash)
+{
+  /* Unicode representation */
+  size_t identity_len = (userlen + domlen) * 2;
+  unsigned char *identity = malloc(identity_len);
+  CURLcode res = CURLE_OK;
+
+  if(!identity)
+    return CURLE_OUT_OF_MEMORY;
+
+  ascii_uppercase_to_unicode_le(identity, user, userlen);
+  ascii_to_unicode_le(identity + (userlen << 1), domain, domlen);
+
+  res = Curl_hmac_md5(ntlmhash, 16, identity, curlx_uztoui(identity_len),
+                      ntlmv2hash);
+
+  Curl_safefree(identity);
+
+  return res;
+}
+
+/*
+ * Curl_ntlm_core_mk_ntlmv2_resp()
+ *
+ * This creates the NTLMv2 response as set in the ntlm type-3 message.
+ *
+ * Parameters:
+ *
+ * ntlmv2hash       [in] - The ntlmv2 hash (16 bytes)
+ * challenge_client [in] - The client nonce (8 bytes)
+ * ntlm             [in] - The ntlm data struct being used to read TargetInfo
+                           and Server challenge received in the type-2 message
+ * ntresp          [out] - The address where a pointer to newly allocated
+ *                         memory holding the NTLMv2 response.
+ * ntresp_len      [out] - The length of the output message.
+ *
+ * Returns CURLE_OK on success.
+ */
+CURLcode Curl_ntlm_core_mk_ntlmv2_resp(unsigned char *ntlmv2hash,
+                                       unsigned char *challenge_client,
+                                       struct ntlmdata *ntlm,
+                                       unsigned char **ntresp,
+                                       unsigned int *ntresp_len)
+{
+/* NTLMv2 response structure :
+------------------------------------------------------------------------------
+0     HMAC MD5         16 bytes
+------BLOB--------------------------------------------------------------------
+16    Signature        0x01010000
+20    Reserved         long (0x00000000)
+24    Timestamp        LE, 64-bit signed value representing the number of
+                       tenths of a microsecond since January 1, 1601.
+32    Client Nonce     8 bytes
+40    Unknown          4 bytes
+44    Target Info      N bytes (from the type-2 message)
+44+N  Unknown          4 bytes
+------------------------------------------------------------------------------
+*/
+
+  unsigned int len = 0;
+  unsigned char *ptr = NULL;
+  unsigned char hmac_output[NTLM_HMAC_MD5_LEN];
+#if defined(HAVE_LONGLONG)
+  long long tw;
+#else
+  __int64 tw;
+#endif
+  CURLcode res = CURLE_OK;
+
+  /* Calculate the timestamp */
+#if defined(HAVE_LONGLONG)
+#if defined(DEBUGBUILD)
+  tw = 11644473600ULL * 10000000ULL;
+#else
+  tw = ((long long)time(NULL) + 11644473600ULL) * 10000000ULL;
+#endif
+#else
+#if defined(DEBUGBUILD)
+  tw = 11644473600ui64 * 10000000ui64;
+#else
+  tw = ((__int64)time(NULL) + 11644473600ui64) * 10000000ui64;
+#endif
+#endif
+  /* Calculate the response len */
+  len = NTLM_HMAC_MD5_LEN + NTLMv2_BLOB_LEN;
+
+  /* Allocate the response */
+  ptr = malloc(len);
+  if(!ptr)
+    return CURLE_OUT_OF_MEMORY;
+
+  memset(ptr, 0, len);
+
+  /* Create the BLOB structure */
+  snprintf((char *)ptr + NTLM_HMAC_MD5_LEN, NTLMv2_BLOB_LEN,
+           NTLMv2_BLOB_SIGNATURE
+           "%c%c%c%c",  /* Reserved = 0 */
+           0, 0, 0, 0);
+
+  write64_le(tw, ptr + 24);
+  memcpy(ptr + 32, challenge_client, 8);
+  memcpy(ptr + 44, ntlm->target_info, ntlm->target_info_len);
+
+  /* Concatenate the Type 2 challenge with the BLOB and do HMAC MD5 */
+  memcpy(ptr + 8, &ntlm->nonce[0], 8);
+  res = Curl_hmac_md5(ntlmv2hash, NTLM_HMAC_MD5_LEN, ptr + 8,
+                      NTLMv2_BLOB_LEN + 8, hmac_output);
+  if(res) {
+    Curl_safefree(ptr);
+    return res;
+  }
+
+  /* Concatenate the HMAC MD5 output  with the BLOB */
+  memcpy(ptr, hmac_output, NTLM_HMAC_MD5_LEN);
+
+  /* Return the response */
+  *ntresp = ptr;
+  *ntresp_len = len;
+
+  return res;
+}
+
+/*
+ * Curl_ntlm_core_mk_lmv2_resp()
+ *
+ * This creates the LMv2 response as used in the ntlm type-3 message.
+ *
+ * Parameters:
+ *
+ * ntlmv2hash        [in] - The ntlmv2 hash (16 bytes)
+ * challenge_client  [in] - The client nonce (8 bytes)
+ * challenge_client  [in] - The server challenge (8 bytes)
+ * lmresp           [out] - The LMv2 response (24 bytes)
+ *
+ * Returns CURLE_OK on success.
+ */
+CURLcode  Curl_ntlm_core_mk_lmv2_resp(unsigned char *ntlmv2hash,
+                                      unsigned char *challenge_client,
+                                      unsigned char *challenge_server,
+                                      unsigned char *lmresp)
+{
+  unsigned char data[16];
+  unsigned char hmac_output[16];
+  CURLcode res = CURLE_OK;
+
+  memcpy(&data[0], challenge_server, 8);
+  memcpy(&data[8], challenge_client, 8);
+
+  res = Curl_hmac_md5(ntlmv2hash, 16, &data[0], 16, hmac_output);
+  if(res)
+    return res;
+
+  /* Concatenate the HMAC MD5 output  with the client nonce */
+  memcpy(lmresp, hmac_output, 16);
+  memcpy(lmresp+16, challenge_client, 8);
+
+  return res;
+}
+
 #endif /* USE_NTRESPONSES */
 
 #endif /* USE_NTLM && !USE_WINDOWS_SSPI */

lib/curl_ntlm_core.h

@@ -7,7 +7,7 @@
  *                            | (__| |_| |  _ <| |___
  *                             \___|\___/|_| \_\_____|
  *
- * Copyright (C) 1998 - 2011, Daniel Stenberg, <daniel@haxx.se>, et al.
+ * Copyright (C) 1998 - 2014, Daniel Stenberg, <daniel@haxx.se>, et al.
  *
  * This software is licensed as described in the file COPYING, which
  * you should have received as part of this distribution. The terms
@@ -58,9 +58,30 @@ void Curl_ntlm_core_mk_lm_hash(struct SessionHandle *data,
                                unsigned char *lmbuffer /* 21 bytes */);
 
 #if USE_NTRESPONSES
+CURLcode Curl_hmac_md5(const unsigned char *key, unsigned int keylen,
+                       const unsigned char *data, unsigned int datalen,
+                       unsigned char *output);
+
 CURLcode Curl_ntlm_core_mk_nt_hash(struct SessionHandle *data,
                                    const char *password,
                                    unsigned char *ntbuffer /* 21 bytes */);
+
+CURLcode Curl_ntlm_core_mk_ntlmv2_hash(const char *user, size_t userlen,
+                                       const char *domain, size_t domlen,
+                                       unsigned char *ntlmhash,
+                                       unsigned char *ntlmv2hash);
+
+CURLcode  Curl_ntlm_core_mk_ntlmv2_resp(unsigned char *ntlmv2hash,
+                                        unsigned char *challenge_client,
+                                        struct ntlmdata *ntlm,
+                                        unsigned char **ntresp,
+                                        unsigned int *ntresp_len);
+
+CURLcode  Curl_ntlm_core_mk_lmv2_resp(unsigned char *ntlmv2hash,
+                                      unsigned char *challenge_client,
+                                      unsigned char *challenge_server,
+                                      unsigned char *lmresp);
+
 #endif
 
 #endif /* USE_NTLM && !USE_WINDOWS_SSPI */

lib/curl_ntlm_msgs.c

@@ -5,7 +5,7 @@
  *                            | (__| |_| |  _ <| |___
  *                             \___|\___/|_| \_\_____|
  *
- * Copyright (C) 1998 - 2013, Daniel Stenberg, <daniel@haxx.se>, et al.
+ * Copyright (C) 1998 - 2014, Daniel Stenberg, <daniel@haxx.se>, et al.
  *
  * This software is licensed as described in the file COPYING, which
  * you should have received as part of this distribution. The terms
@@ -158,6 +158,68 @@ static unsigned int readint_le(unsigned char *buf)
   return ((unsigned int)buf[0]) | ((unsigned int)buf[1] << 8) |
     ((unsigned int)buf[2] << 16) | ((unsigned int)buf[3] << 24);
 }
+
+/*
+ * This function converts from the little endian format used in the incoming
+ * package to whatever endian format we're using natively. Argument is a
+ * pointer to a 2 byte buffer.
+ */
+static unsigned int readshort_le(unsigned char *buf)
+{
+  return ((unsigned int)buf[0]) | ((unsigned int)buf[1] << 8);
+}
+
+/*
+ * Curl_ntlm_decode_type2_target()
+ *
+ * This is used to decode the "target info" in the ntlm type-2 message
+ * received.
+ *
+ * Parameters:
+ *
+ * data      [in]    - Pointer to the session handle
+ * buffer    [in]    - The decoded base64 ntlm header of Type 2
+ * size      [in]    - The input buffer size, atleast 32 bytes
+ * ntlm      [in]    - Pointer to ntlm data struct being used and modified.
+ *
+ * Returns CURLE_OK on success.
+ */
+CURLcode Curl_ntlm_decode_type2_target(struct SessionHandle *data,
+                                       unsigned char *buffer,
+                                       size_t size,
+                                       struct ntlmdata *ntlm)
+{
+  unsigned int target_info_len = 0;
+  unsigned int target_info_offset = 0;
+
+  Curl_safefree(ntlm->target_info);
+  ntlm->target_info_len = 0;
+
+  if(size >= 48) {
+    target_info_len = readshort_le(&buffer[40]);
+    target_info_offset = readint_le(&buffer[44]);
+    if(target_info_len > 0) {
+      if(((target_info_offset + target_info_len) > size) ||
+         (target_info_offset < 48)) {
+        infof(data, "NTLM handshake failure (bad type-2 message). "
+                    "Target Info Offset Len is set incorrect by the peer\n");
+        return CURLE_REMOTE_ACCESS_DENIED;
+      }
+
+      ntlm->target_info = malloc(target_info_len);
+      if(!ntlm->target_info)
+        return CURLE_OUT_OF_MEMORY;
+
+      memcpy(ntlm->target_info, &buffer[target_info_offset], target_info_len);
+      ntlm->target_info_len = target_info_len;
+
+    }
+
+  }
+
+  return CURLE_OK;
+}
+
 #endif
 
 /*
@@ -194,8 +256,8 @@ static unsigned int readint_le(unsigned char *buf)
  * Returns CURLE_OK on success.
  */
 CURLcode Curl_ntlm_decode_type2_message(struct SessionHandle *data,
-                                        const char* header,
-                                        struct ntlmdata* ntlm)
+                                        const char *header,
+                                        struct ntlmdata *ntlm)
 {
 #ifndef USE_WINDOWS_SSPI
   static const char type2_marker[] = { 0x02, 0x00, 0x00, 0x00 };
@@ -257,6 +319,15 @@ CURLcode Curl_ntlm_decode_type2_message(struct SessionHandle *data,
   ntlm->flags = readint_le(&buffer[20]);
   memcpy(ntlm->nonce, &buffer[24], 8);
 
+  if(ntlm->flags & NTLMFLAG_NEGOTIATE_TARGET_INFO) {
+    error = Curl_ntlm_decode_type2_target(data, buffer, size, ntlm);
+    if(error) {
+      free(buffer);
+      infof(data, "NTLM handshake failure (bad type-2 message)\n");
+      return error;
+    }
+  }
+
   DEBUG_OUT({
     fprintf(stderr, "**** TYPE2 header flags=0x%08.8lx ", ntlm->flags);
     ntlm_print_flags(stderr, ntlm->flags);
@@ -275,25 +346,22 @@ CURLcode Curl_ntlm_decode_type2_message(struct SessionHandle *data,
 void Curl_ntlm_sspi_cleanup(struct ntlmdata *ntlm)
 {
   Curl_safefree(ntlm->type_2);
+
   if(ntlm->has_handles) {
     s_pSecFn->DeleteSecurityContext(&ntlm->c_handle);
     s_pSecFn->FreeCredentialsHandle(&ntlm->handle);
     ntlm->has_handles = 0;
   }
-  if(ntlm->p_identity) {
-    Curl_safefree(ntlm->identity.User);
-    Curl_safefree(ntlm->identity.Password);
-    Curl_safefree(ntlm->identity.Domain);
-    ntlm->p_identity = NULL;
-  }
+
+  Curl_sspi_free_identity(ntlm->p_identity);
+  ntlm->p_identity = NULL;
 }
 #endif
 
 #ifndef USE_WINDOWS_SSPI
 /* copy the source to the destination and fill in zeroes in every
    other destination byte! */
-static void unicodecpy(unsigned char *dest,
-                       const char *src, size_t length)
+static void unicodecpy(unsigned char *dest, const char *src, size_t length)
 {
   size_t i;
   for(i = 0; i < length; i++) {
@@ -346,92 +414,30 @@ CURLcode Curl_ntlm_create_type1_message(const char *userp,
 
 #ifdef USE_WINDOWS_SSPI
 
-  SecBuffer buf;
-  SecBufferDesc desc;
+  SecBuffer type_1_buf;
+  SecBufferDesc type_1_desc;
   SECURITY_STATUS status;
   unsigned long attrs;
-  xcharp_u useranddomain;
-  xcharp_u user, dup_user;
-  xcharp_u domain, dup_domain;
-  xcharp_u passwd, dup_passwd;
-  size_t domlen = 0;
   TimeStamp tsDummy; /* For Windows 9x compatibility of SSPI calls */
 
-  domain.const_tchar_ptr = TEXT("");
-
   Curl_ntlm_sspi_cleanup(ntlm);
 
   if(userp && *userp) {
+    CURLcode result;
 
-    /* null initialize ntlm identity's data to allow proper cleanup */
+    /* Populate our identity structure */
+    result = Curl_create_sspi_identity(userp, passwdp, &ntlm->identity);
+    if(result)
+      return result;
+
+    /* Allow proper cleanup of the identity structure */
     ntlm->p_identity = &ntlm->identity;
-    memset(ntlm->p_identity, 0, sizeof(*ntlm->p_identity));
-
-    useranddomain.tchar_ptr = Curl_convert_UTF8_to_tchar((char *)userp);
-    if(!useranddomain.tchar_ptr)
-      return CURLE_OUT_OF_MEMORY;
-
-    user.const_tchar_ptr = _tcschr(useranddomain.const_tchar_ptr, TEXT('\\'));
-    if(!user.const_tchar_ptr)
-      user.const_tchar_ptr = _tcschr(useranddomain.const_tchar_ptr, TEXT('/'));
-
-    if(user.tchar_ptr) {
-      domain.tchar_ptr = useranddomain.tchar_ptr;
-      domlen = user.tchar_ptr - useranddomain.tchar_ptr;
-      user.tchar_ptr++;
-    }
-    else {
-      user.tchar_ptr = useranddomain.tchar_ptr;
-      domain.const_tchar_ptr = TEXT("");
-      domlen = 0;
-    }
-
-    /* setup ntlm identity's user and length */
-    dup_user.tchar_ptr = _tcsdup(user.tchar_ptr);
-    if(!dup_user.tchar_ptr) {
-      Curl_unicodefree(useranddomain.tchar_ptr);
-      return CURLE_OUT_OF_MEMORY;
-    }
-    ntlm->identity.User = dup_user.tbyte_ptr;
-    ntlm->identity.UserLength = curlx_uztoul(_tcslen(dup_user.tchar_ptr));
-    dup_user.tchar_ptr = NULL;
-
-    /* setup ntlm identity's domain and length */
-    dup_domain.tchar_ptr = malloc(sizeof(TCHAR) * (domlen + 1));
-    if(!dup_domain.tchar_ptr) {
-      Curl_unicodefree(useranddomain.tchar_ptr);
-      return CURLE_OUT_OF_MEMORY;
-    }
-    _tcsncpy(dup_domain.tchar_ptr, domain.tchar_ptr, domlen);
-    *(dup_domain.tchar_ptr + domlen) = TEXT('\0');
-    ntlm->identity.Domain = dup_domain.tbyte_ptr;
-    ntlm->identity.DomainLength = curlx_uztoul(domlen);
-    dup_domain.tchar_ptr = NULL;
-
-    Curl_unicodefree(useranddomain.tchar_ptr);
-
-    /* setup ntlm identity's password and length */
-    passwd.tchar_ptr = Curl_convert_UTF8_to_tchar((char *)passwdp);
-    if(!passwd.tchar_ptr)
-      return CURLE_OUT_OF_MEMORY;
-    dup_passwd.tchar_ptr = _tcsdup(passwd.tchar_ptr);
-    if(!dup_passwd.tchar_ptr) {
-      Curl_unicodefree(passwd.tchar_ptr);
-      return CURLE_OUT_OF_MEMORY;
-    }
-    ntlm->identity.Password = dup_passwd.tbyte_ptr;
-    ntlm->identity.PasswordLength =
-      curlx_uztoul(_tcslen(dup_passwd.tchar_ptr));
-    dup_passwd.tchar_ptr = NULL;
-
-    Curl_unicodefree(passwd.tchar_ptr);
-
-    /* setup ntlm identity's flags */
-    ntlm->identity.Flags = SECFLAG_WINNT_AUTH_IDENTITY;
   }
   else
+    /* Use the current Windows user */
     ntlm->p_identity = NULL;
 
+  /* Acquire our credientials handle */
   status = s_pSecFn->AcquireCredentialsHandle(NULL,
                                               (TCHAR *) TEXT("NTLM"),
                                               SECPKG_CRED_OUTBOUND, NULL,
@@ -440,13 +446,15 @@ CURLcode Curl_ntlm_create_type1_message(const char *userp,
   if(status != SEC_E_OK)
     return CURLE_OUT_OF_MEMORY;
 
-  desc.ulVersion = SECBUFFER_VERSION;
-  desc.cBuffers  = 1;
-  desc.pBuffers  = &buf;
-  buf.cbBuffer   = NTLM_BUFSIZE;
-  buf.BufferType = SECBUFFER_TOKEN;
-  buf.pvBuffer   = ntlmbuf;
+  /* Setup the type-1 "output" security buffer */
+  type_1_desc.ulVersion = SECBUFFER_VERSION;
+  type_1_desc.cBuffers  = 1;
+  type_1_desc.pBuffers  = &type_1_buf;
+  type_1_buf.cbBuffer   = NTLM_BUFSIZE;
+  type_1_buf.BufferType = SECBUFFER_TOKEN;
+  type_1_buf.pvBuffer   = ntlmbuf;
 
+  /* Generate our type-1 message */
   status = s_pSecFn->InitializeSecurityContext(&ntlm->handle, NULL,
                                                (TCHAR *) TEXT(""),
                                                ISC_REQ_CONFIDENTIALITY |
@@ -454,19 +462,19 @@ CURLcode Curl_ntlm_create_type1_message(const char *userp,
                                                ISC_REQ_CONNECTION,
                                                0, SECURITY_NETWORK_DREP,
                                                NULL, 0,
-                                               &ntlm->c_handle, &desc,
+                                               &ntlm->c_handle, &type_1_desc,
                                                &attrs, &tsDummy);
 
   if(status == SEC_I_COMPLETE_AND_CONTINUE ||
      status == SEC_I_CONTINUE_NEEDED)
-    s_pSecFn->CompleteAuthToken(&ntlm->c_handle, &desc);
+    s_pSecFn->CompleteAuthToken(&ntlm->c_handle, &type_1_desc);
   else if(status != SEC_E_OK) {
     s_pSecFn->FreeCredentialsHandle(&ntlm->handle);
     return CURLE_RECV_ERROR;
   }
 
   ntlm->has_handles = 1;
-  size = buf.cbBuffer;
+  size = type_1_buf.cbBuffer;
 
 #else
 
@@ -598,8 +606,8 @@ CURLcode Curl_ntlm_create_type3_message(struct SessionHandle *data,
   size_t size;
 
 #ifdef USE_WINDOWS_SSPI
-  SecBuffer type_2;
-  SecBuffer type_3;
+  SecBuffer type_2_buf;
+  SecBuffer type_3_buf;
   SecBufferDesc type_2_desc;
   SecBufferDesc type_3_desc;
   SECURITY_STATUS status;
@@ -610,18 +618,23 @@ CURLcode Curl_ntlm_create_type3_message(struct SessionHandle *data,
   (void)userp;
   (void)data;
 
-  type_2_desc.ulVersion = type_3_desc.ulVersion  = SECBUFFER_VERSION;
-  type_2_desc.cBuffers  = type_3_desc.cBuffers   = 1;
-  type_2_desc.pBuffers  = &type_2;
-  type_3_desc.pBuffers  = &type_3;
+  /* Setup the type-2 "input" security buffer */
+  type_2_desc.ulVersion = SECBUFFER_VERSION;
+  type_2_desc.cBuffers  = 1;
+  type_2_desc.pBuffers  = &type_2_buf;
+  type_2_buf.BufferType = SECBUFFER_TOKEN;
+  type_2_buf.pvBuffer   = ntlm->type_2;
+  type_2_buf.cbBuffer   = ntlm->n_type_2;
 
-  type_2.BufferType = SECBUFFER_TOKEN;
-  type_2.pvBuffer   = ntlm->type_2;
-  type_2.cbBuffer   = ntlm->n_type_2;
-  type_3.BufferType = SECBUFFER_TOKEN;
-  type_3.pvBuffer   = ntlmbuf;
-  type_3.cbBuffer   = NTLM_BUFSIZE;
+  /* Setup the type-3 "output" security buffer */
+  type_3_desc.ulVersion = SECBUFFER_VERSION;
+  type_3_desc.cBuffers  = 1;
+  type_3_desc.pBuffers  = &type_3_buf;
+  type_3_buf.BufferType = SECBUFFER_TOKEN;
+  type_3_buf.pvBuffer   = ntlmbuf;
+  type_3_buf.cbBuffer   = NTLM_BUFSIZE;
 
+  /* Generate our type-3 message */
   status = s_pSecFn->InitializeSecurityContext(&ntlm->handle,
                                                &ntlm->c_handle,
                                                (TCHAR *) TEXT(""),
@@ -636,7 +649,7 @@ CURLcode Curl_ntlm_create_type3_message(struct SessionHandle *data,
   if(status != SEC_E_OK)
     return CURLE_RECV_ERROR;
 
-  size = type_3.cbBuffer;
+  size = type_3_buf.cbBuffer;
 
   Curl_ntlm_sspi_cleanup(ntlm);
 
@@ -645,7 +658,10 @@ CURLcode Curl_ntlm_create_type3_message(struct SessionHandle *data,
   unsigned char lmresp[24]; /* fixed-size */
 #if USE_NTRESPONSES
   int ntrespoff;
+  unsigned int ntresplen = 24;
   unsigned char ntresp[24]; /* fixed-size */
+  unsigned char *ptr_ntresp = &ntresp[0];
+  unsigned char *ntlmv2resp = NULL;
 #endif
   bool unicode = (ntlm->flags & NTLMFLAG_NEGOTIATE_UNICODE) ? TRUE : FALSE;
   char host[HOSTNAME_MAX + 1] = "";
@@ -657,7 +673,7 @@ CURLcode Curl_ntlm_create_type3_message(struct SessionHandle *data,
   size_t hostlen = 0;
   size_t userlen = 0;
   size_t domlen = 0;
-  CURLcode res;
+  CURLcode res = CURLE_OK;
 
   user = strchr(userp, '\\');
   if(!user)
@@ -684,11 +700,45 @@ CURLcode Curl_ntlm_create_type3_message(struct SessionHandle *data,
     hostlen = strlen(host);
   }
 
-  if(unicode) {
-    domlen = domlen * 2;
-    userlen = userlen * 2;
-    hostlen = hostlen * 2;
+#if USE_NTRESPONSES
+  if(ntlm->target_info_len) {
+    unsigned char ntbuffer[0x18];
+    unsigned char entropy[8];
+    unsigned char ntlmv2hash[0x18];
+
+#if defined(DEBUGBUILD)
+    /* Use static client nonce in debug (Test Suite) builds */
+    memcpy(entropy, "12345678", sizeof(entropy));
+#else
+    /* Create an 8 byte random client nonce */
+    Curl_ssl_random(data, entropy, sizeof(entropy));
+#endif
+
+    res = Curl_ntlm_core_mk_nt_hash(data, passwdp, ntbuffer);
+    if(res)
+      return res;
+
+    res = Curl_ntlm_core_mk_ntlmv2_hash(user, userlen, domain, domlen,
+                                        ntbuffer, ntlmv2hash);
+    if(res)
+      return res;
+
+    /* LMv2 response */
+    res = Curl_ntlm_core_mk_lmv2_resp(ntlmv2hash, entropy, &ntlm->nonce[0],
+                                      lmresp);
+    if(res)
+      return res;
+
+    /* NTLMv2 response */
+    res = Curl_ntlm_core_mk_ntlmv2_resp(ntlmv2hash, entropy, ntlm, &ntlmv2resp,
+                                        &ntresplen);
+    if(res)
+      return res;
+
+    ptr_ntresp = ntlmv2resp;
   }
+  else
+#endif
 
 #if USE_NTLM2SESSION
   /* We don't support NTLM2 if we don't have USE_NTRESPONSES */
@@ -718,9 +768,11 @@ CURLcode Curl_ntlm_create_type3_message(struct SessionHandle *data,
     if(CURLE_OUT_OF_MEMORY ==
        Curl_ntlm_core_mk_nt_hash(data, passwdp, ntbuffer))
       return CURLE_OUT_OF_MEMORY;
+
     Curl_ntlm_core_lm_resp(ntbuffer, md5sum, ntresp);
 
     /* End of NTLM2 Session code */
+
   }
   else
 #endif
@@ -745,10 +797,16 @@ CURLcode Curl_ntlm_create_type3_message(struct SessionHandle *data,
      * See http://davenport.sourceforge.net/ntlm.html#ntlmVersion2 */
   }
 
+  if(unicode) {
+    domlen = domlen * 2;
+    userlen = userlen * 2;
+    hostlen = hostlen * 2;
+  }
+
   lmrespoff = 64; /* size of the message header */
 #if USE_NTRESPONSES
   ntrespoff = lmrespoff + 0x18;
-  domoff = ntrespoff + 0x18;
+  domoff = ntrespoff + ntresplen;
 #else
   domoff = lmrespoff + 0x18;
 #endif
@@ -807,8 +865,8 @@ CURLcode Curl_ntlm_create_type3_message(struct SessionHandle *data,
                   0x0, 0x0,
 
 #if USE_NTRESPONSES
-                  SHORTPAIR(0x18),  /* NT-response length, twice */
-                  SHORTPAIR(0x18),
+                  SHORTPAIR(ntresplen),  /* NT-response length, twice */
+                  SHORTPAIR(ntresplen),
                   SHORTPAIR(ntrespoff),
                   0x0, 0x0,
 #else
@@ -854,17 +912,19 @@ CURLcode Curl_ntlm_create_type3_message(struct SessionHandle *data,
   });
 
 #if USE_NTRESPONSES
-  if(size < (NTLM_BUFSIZE - 0x18)) {
+  if(size < (NTLM_BUFSIZE - ntresplen)) {
     DEBUGASSERT(size == (size_t)ntrespoff);
-    memcpy(&ntlmbuf[size], ntresp, 0x18);
-    size += 0x18;
+    memcpy(&ntlmbuf[size], ptr_ntresp, ntresplen);
+    size += ntresplen;
   }
 
   DEBUG_OUT({
     fprintf(stderr, "\n   ntresp=");
-    ntlm_print_hex(stderr, (char *)&ntlmbuf[ntrespoff], 0x18);
+    ntlm_print_hex(stderr, (char *)&ntlmbuf[ntrespoff], ntresplen);
   });
 
+  Curl_safefree(ntlmv2resp);/* Free the dynamic buffer allocated for NTLMv2 */
+
 #endif
 
   DEBUG_OUT({

lib/curl_ntlm_msgs.h

@@ -7,7 +7,7 @@
  *                            | (__| |_| |  _ <| |___
  *                             \___|\___/|_| \_\_____|
  *
- * Copyright (C) 1998 - 2012, Daniel Stenberg, <daniel@haxx.se>, et al.
+ * Copyright (C) 1998 - 2014, Daniel Stenberg, <daniel@haxx.se>, et al.
  *
  * This software is licensed as described in the file COPYING, which
  * you should have received as part of this distribution. The terms
@@ -46,6 +46,13 @@ CURLcode Curl_ntlm_decode_type2_message(struct SessionHandle *data,
                                         const char* header,
                                         struct ntlmdata* ntlm);
 
+/* This is to decode target info received in NTLM type-2 message */
+CURLcode Curl_ntlm_decode_type2_target(struct SessionHandle *data,
+                                       unsigned char* buffer,
+                                       size_t size,
+                                       struct ntlmdata* ntlm);
+
+
 /* This is to clean up the ntlm data structure */
 #ifdef USE_WINDOWS_SSPI
 void Curl_ntlm_sspi_cleanup(struct ntlmdata *ntlm);
@@ -163,14 +170,6 @@ void Curl_ntlm_sspi_cleanup(struct ntlmdata *ntlm);
 #define NTLMFLAG_NEGOTIATE_56                    (1<<31)
 /* Indicates that 56-bit encryption is supported. */
 
-#ifdef UNICODE
-#  define SECFLAG_WINNT_AUTH_IDENTITY \
-     (unsigned long)SEC_WINNT_AUTH_IDENTITY_UNICODE
-#else
-#  define SECFLAG_WINNT_AUTH_IDENTITY \
-     (unsigned long)SEC_WINNT_AUTH_IDENTITY_ANSI
-#endif
-
 #endif /* BUILDING_CURL_NTLM_MSGS_C */
 
 #endif /* USE_NTLM */

lib/curl_rtmp.c

@@ -5,6 +5,7 @@
  *                | (__| |_| |  _ <| |___
  *                 \___|\___/|_| \_\_____|
  *
+ * Copyright (C) 2012 - 2014, Daniel Stenberg, <daniel@haxx.se>, et al.
  * Copyright (C) 2010, Howard Chu, <hyc@highlandsun.com>
  *
  * This software is licensed as described in the file COPYING, which
@@ -240,7 +241,7 @@ static CURLcode rtmp_do(struct connectdata *conn, bool *done)
     return CURLE_FAILED_INIT;
 
   if(conn->data->set.upload) {
-    Curl_pgrsSetUploadSize(conn->data, conn->data->set.infilesize);
+    Curl_pgrsSetUploadSize(conn->data, conn->data->state.infilesize);
     Curl_setup_transfer(conn, -1, -1, FALSE, NULL, FIRSTSOCKET, NULL);
   }
   else

lib/curl_sasl.c

@@ -40,6 +40,8 @@
 #include "curl_sasl.h"
 #include "warnless.h"
 #include "curl_memory.h"
+#include "strtok.h"
+#include "rawstr.h"
 
 #ifdef USE_NSS
 #include "vtls/nssg.h" /* for Curl_nss_force_init() */
@@ -51,7 +53,15 @@
 /* The last #include file should be: */
 #include "memdebug.h"
 
-#ifndef CURL_DISABLE_CRYPTO_AUTH
+#if !defined(CURL_DISABLE_CRYPTO_AUTH) && !defined(USE_WINDOWS_SSPI)
+#define DIGEST_QOP_VALUE_AUTH             (1 << 0)
+#define DIGEST_QOP_VALUE_AUTH_INT         (1 << 1)
+#define DIGEST_QOP_VALUE_AUTH_CONF        (1 << 2)
+
+#define DIGEST_QOP_VALUE_STRING_AUTH      "auth"
+#define DIGEST_QOP_VALUE_STRING_AUTH_INT  "auth-int"
+#define DIGEST_QOP_VALUE_STRING_AUTH_CONF "auth-conf"
+
 /* Retrieves the value for a corresponding key from the challenge string
  * returns TRUE if the key could be found, FALSE if it does not exists
  */
@@ -76,6 +86,38 @@ static bool sasl_digest_get_key_value(const char *chlg,
 
   return TRUE;
 }
+
+static CURLcode sasl_digest_get_qop_values(const char *options, int *value)
+{
+  char *tmp;
+  char *token;
+  char *tok_buf;
+
+  /* Initialise the output */
+  *value = 0;
+
+  /* Tokenise the list of qop values. Use a temporary clone of the buffer since
+     strtok_r() ruins it. */
+  tmp = strdup(options);
+  if(!tmp)
+    return CURLE_OUT_OF_MEMORY;
+
+  token = strtok_r(tmp, ",", &tok_buf);
+  while(token != NULL) {
+    if(Curl_raw_equal(token, DIGEST_QOP_VALUE_STRING_AUTH))
+      *value |= DIGEST_QOP_VALUE_AUTH;
+    else if(Curl_raw_equal(token, DIGEST_QOP_VALUE_STRING_AUTH_INT))
+      *value |= DIGEST_QOP_VALUE_AUTH_INT;
+    else if(Curl_raw_equal(token, DIGEST_QOP_VALUE_STRING_AUTH_CONF))
+      *value |= DIGEST_QOP_VALUE_AUTH_CONF;
+
+    token = strtok_r(NULL, ",", &tok_buf);
+  }
+
+  Curl_safefree(tmp);
+
+  return CURLE_OK;
+}
 #endif
 
 /*
@@ -263,10 +305,12 @@ CURLcode Curl_sasl_create_cram_md5_message(struct SessionHandle *data,
   return result;
 }
 
+#ifndef USE_WINDOWS_SSPI
 /*
- * Curl_sasl_decode_digest_md5_message()
+ * sasl_decode_digest_md5_message()
  *
- * This is used to decode an already encoded DIGEST-MD5 challenge message.
+ * This is used internally to decode an already encoded DIGEST-MD5 challenge
+ * message into the seperate attributes.
  *
  * Parameters:
  *
@@ -277,19 +321,23 @@ CURLcode Curl_sasl_create_cram_md5_message(struct SessionHandle *data,
  * rlen    [in]     - The length of the realm buffer.
  * alg     [in/out] - The buffer where the algorithm will be stored.
  * alen    [in]     - The length of the algorithm buffer.
+ * qop     [in/out] - The buffer where the qop-options will be stored.
+ * qlen    [in]     - The length of the qop buffer.
  *
  * Returns CURLE_OK on success.
  */
-CURLcode Curl_sasl_decode_digest_md5_message(const char *chlg64,
-                                             char *nonce, size_t nlen,
-                                             char *realm, size_t rlen,
-                                             char *alg, size_t alen)
+static CURLcode sasl_decode_digest_md5_message(const char *chlg64,
+                                               char *nonce, size_t nlen,
+                                               char *realm, size_t rlen,
+                                               char *alg, size_t alen,
+                                               char *qop, size_t qlen)
 {
   CURLcode result = CURLE_OK;
   unsigned char *chlg = NULL;
   size_t chlglen = 0;
   size_t chlg64len = strlen(chlg64);
 
+  /* Decode the base-64 encoded challenge message */
   if(chlg64len && *chlg64 != '=') {
     result = Curl_base64_decode(chlg64, &chlg, &chlglen);
     if(result)
@@ -318,6 +366,12 @@ CURLcode Curl_sasl_decode_digest_md5_message(const char *chlg64,
     return CURLE_BAD_CONTENT_ENCODING;
   }
 
+  /* Retrieve qop-options string from the challenge */
+  if(!sasl_digest_get_key_value((char *)chlg, "qop=\"", qop, qlen, '\"')) {
+    Curl_safefree(chlg);
+    return CURLE_BAD_CONTENT_ENCODING;
+  }
+
   Curl_safefree(chlg);
 
   return CURLE_OK;
@@ -332,8 +386,7 @@ CURLcode Curl_sasl_decode_digest_md5_message(const char *chlg64,
  * Parameters:
  *
  * data    [in]     - The session handle.
- * nonce   [in]     - The nonce.
- * realm   [in]     - The realm.
+ * chlg64  [in]     - Pointer to the base64 encoded challenge message.
  * userp   [in]     - The user name.
  * passdwp [in]     - The user's password.
  * service [in]     - The service type such as www, smtp, pop or imap.
@@ -344,8 +397,7 @@ CURLcode Curl_sasl_decode_digest_md5_message(const char *chlg64,
  * Returns CURLE_OK on success.
  */
 CURLcode Curl_sasl_create_digest_md5_message(struct SessionHandle *data,
-                                             const char *nonce,
-                                             const char *realm,
+                                             const char *chlg64,
                                              const char *userp,
                                              const char *passwdp,
                                              const char *service,
@@ -363,12 +415,39 @@ CURLcode Curl_sasl_create_digest_md5_message(struct SessionHandle *data,
   char HA2_hex[2 * MD5_DIGEST_LEN + 1];
   char resp_hash_hex[2 * MD5_DIGEST_LEN + 1];
 
+  char nonce[64];
+  char realm[128];
+  char algorithm[64];
+  char qop_options[64];
+  int qop_values;
+
   char nonceCount[] = "00000001";
   char cnonce[]     = "12345678"; /* will be changed */
   char method[]     = "AUTHENTICATE";
-  char qop[]        = "auth";
+  char qop[]        = DIGEST_QOP_VALUE_STRING_AUTH;
   char uri[128];
 
+  /* Decode the challange message */
+  result = sasl_decode_digest_md5_message(chlg64, nonce, sizeof(nonce),
+                                          realm, sizeof(realm),
+                                          algorithm, sizeof(algorithm),
+                                          qop_options, sizeof(qop_options));
+  if(result)
+    return result;
+
+  /* We only support md5 sessions */
+  if(strcmp(algorithm, "md5-sess") != 0)
+    return CURLE_BAD_CONTENT_ENCODING;
+
+  /* Get the qop-values from the qop-options */
+  result = sasl_digest_get_qop_values(qop_options, &qop_values);
+  if(result)
+    return result;
+
+  /* We only support auth quality-of-protection */
+  if(!(qop_values & DIGEST_QOP_VALUE_AUTH))
+    return CURLE_BAD_CONTENT_ENCODING;
+
 #ifndef DEBUGBUILD
   /* Generate 64 bits of random data */
   for(i = 0; i < 8; i++)
@@ -454,9 +533,11 @@ CURLcode Curl_sasl_create_digest_md5_message(struct SessionHandle *data,
 
   /* Generate the response */
   response = aprintf("username=\"%s\",realm=\"%s\",nonce=\"%s\","
-                     "cnonce=\"%s\",nc=\"%s\",digest-uri=\"%s\",response=%s",
+                     "cnonce=\"%s\",nc=\"%s\",digest-uri=\"%s\",response=%s,"
+                     "qop=%s",
                      userp, realm, nonce,
-                     cnonce, nonceCount, uri, resp_hash_hex);
+                     cnonce, nonceCount, uri, resp_hash_hex,
+                     qop);
   if(!response)
     return CURLE_OUT_OF_MEMORY;
 
@@ -467,7 +548,9 @@ CURLcode Curl_sasl_create_digest_md5_message(struct SessionHandle *data,
 
   return result;
 }
-#endif
+#endif  /* USE_WINDOWS_SSPI */
+
+#endif  /* CURL_DISABLE_CRYPTO_AUTH */
 
 #ifdef USE_NTLM
 /*

lib/curl_sasl.h

@@ -7,7 +7,7 @@
  *                            | (__| |_| |  _ <| |___
  *                             \___|\___/|_| \_\_____|
  *
- * Copyright (C) 2012 - 2013, Daniel Stenberg, <daniel@haxx.se>, et al.
+ * Copyright (C) 2012 - 2014, Daniel Stenberg, <daniel@haxx.se>, et al.
  *
  * This software is licensed as described in the file COPYING, which
  * you should have received as part of this distribution. The terms
@@ -22,7 +22,11 @@
  *
  ***************************************************************************/
 
-#include "pingpong.h"
+#include <curl/curl.h>
+
+struct SessionHandle;
+struct connectdata;
+struct ntlmdata;
 
 /* Authentication mechanism values */
 #define SASL_AUTH_NONE          0
@@ -77,17 +81,10 @@ CURLcode Curl_sasl_create_cram_md5_message(struct SessionHandle *data,
                                            const char *passwdp,
                                            char **outptr, size_t *outlen);
 
-/* This is used to decode a base64 encoded DIGEST-MD5 challange message */
-CURLcode Curl_sasl_decode_digest_md5_message(const char *chlg64,
-                                             char *nonce, size_t nlen,
-                                             char *realm, size_t rlen,
-                                             char *alg, size_t alen);
-
 /* This is used to generate a base64 encoded DIGEST-MD5 response message */
 CURLcode Curl_sasl_create_digest_md5_message(struct SessionHandle *data,
-                                             const char *nonce,
-                                             const char *realm,
-                                             const char *user,
+                                             const char *chlg64,
+                                             const char *userp,
                                              const char *passwdp,
                                              const char *service,
                                              char **outptr, size_t *outlen);

lib/curl_sasl_sspi.c

@@ -0,0 +1,200 @@
+/***************************************************************************
+ *                                  _   _ ____  _
+ *  Project                     ___| | | |  _ \| |
+ *                             / __| | | | |_) | |
+ *                            | (__| |_| |  _ <| |___
+ *                             \___|\___/|_| \_\_____|
+ *
+ * Copyright (C) 2014, Daniel Stenberg, <daniel@haxx.se>, et al.
+ *
+ * This software is licensed as described in the file COPYING, which
+ * you should have received as part of this distribution. The terms
+ * are also available at http://curl.haxx.se/docs/copyright.html.
+ *
+ * You may opt to use, copy, modify, merge, publish, distribute and/or sell
+ * copies of the Software, and permit persons to whom the Software is
+ * furnished to do so, under the terms of the COPYING file.
+ *
+ * This software is distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY
+ * KIND, either express or implied.
+ *
+ * RFC2831 DIGEST-MD5 authentication
+ * RFC4422 Simple Authentication and Security Layer (SASL)
+ *
+ ***************************************************************************/
+
+#include "curl_setup.h"
+
+#if defined(USE_WINDOWS_SSPI) && !defined(CURL_DISABLE_CRYPTO_AUTH)
+
+#include <curl/curl.h>
+
+#include "curl_sasl.h"
+#include "urldata.h"
+#include "curl_base64.h"
+#include "warnless.h"
+#include "curl_memory.h"
+
+#define _MPRINTF_REPLACE /* use our functions only */
+#include <curl/mprintf.h>
+
+/* The last #include file should be: */
+#include "memdebug.h"
+
+/*
+ * Curl_sasl_create_digest_md5_message()
+ *
+ * This is used to generate an already encoded DIGEST-MD5 response message
+ * ready for sending to the recipient.
+ *
+ * Parameters:
+ *
+ * data    [in]     - The session handle.
+ * chlg64  [in]     - Pointer to the base64 encoded challenge message.
+ * userp   [in]     - The user name.
+ * passdwp [in]     - The user's password.
+ * service [in]     - The service type such as www, smtp, pop or imap.
+ * outptr  [in/out] - The address where a pointer to newly allocated memory
+ *                    holding the result will be stored upon completion.
+ * outlen  [out]    - The length of the output message.
+ *
+ * Returns CURLE_OK on success.
+ */
+CURLcode Curl_sasl_create_digest_md5_message(struct SessionHandle *data,
+                                             const char *chlg64,
+                                             const char *userp,
+                                             const char *passwdp,
+                                             const char *service,
+                                             char **outptr, size_t *outlen)
+{
+  CURLcode result = CURLE_OK;
+  char *spn = NULL;
+  size_t chlglen = 0;
+  unsigned char *chlg = NULL;
+  unsigned char resp[1024];
+  CredHandle handle;
+  CtxtHandle ctx;
+  PSecPkgInfo SecurityPackage;
+  SEC_WINNT_AUTH_IDENTITY identity;
+  SecBuffer chlg_buf;
+  SecBuffer resp_buf;
+  SecBufferDesc chlg_desc;
+  SecBufferDesc resp_desc;
+  SECURITY_STATUS status;
+  unsigned long attrs;
+  TimeStamp tsDummy; /* For Windows 9x compatibility of SSPI calls */
+
+  /* Decode the base-64 encoded challenge message */
+  if(strlen(chlg64) && *chlg64 != '=') {
+    result = Curl_base64_decode(chlg64, &chlg, &chlglen);
+    if(result)
+      return result;
+  }
+
+  /* Ensure we have a valid challenge message */
+  if(!chlg)
+    return CURLE_BAD_CONTENT_ENCODING;
+
+  /* Ensure we have some login credientials as DigestSSP cannot use the current
+     Windows user like NTLMSSP can */
+  if(!userp || !*userp) {
+    Curl_safefree(chlg);
+    return CURLE_LOGIN_DENIED;
+  }
+
+  /* Query the security package for DigestSSP */
+  status = s_pSecFn->QuerySecurityPackageInfo((TCHAR *) TEXT("WDigest"),
+                                              &SecurityPackage);
+  if(status != SEC_E_OK) {
+    Curl_safefree(chlg);
+    return CURLE_NOT_BUILT_IN;
+  }
+
+  /* Calculate our SPN */
+  spn = aprintf("%s/%s", service, data->easy_conn->host);
+  if(!spn)
+    return CURLE_OUT_OF_MEMORY;
+
+  /* Populate our identity structure */
+  result = Curl_create_sspi_identity(userp, passwdp, &identity);
+  if(result) {
+    Curl_safefree(spn);
+    Curl_safefree(chlg);
+
+    return result;
+  }
+
+  /* Acquire our credientials handle */
+  status = s_pSecFn->AcquireCredentialsHandle(NULL,
+                                              (TCHAR *) TEXT("WDigest"),
+                                              SECPKG_CRED_OUTBOUND, NULL,
+                                              &identity, NULL, NULL,
+                                              &handle, &tsDummy);
+
+  if(status != SEC_E_OK) {
+    Curl_sspi_free_identity(&identity);
+    Curl_safefree(spn);
+    Curl_safefree(chlg);
+
+    return CURLE_OUT_OF_MEMORY;
+  }
+
+  /* Setup the challenge "input" security buffer */
+  chlg_desc.ulVersion = SECBUFFER_VERSION;
+  chlg_desc.cBuffers  = 1;
+  chlg_desc.pBuffers  = &chlg_buf;
+  chlg_buf.BufferType = SECBUFFER_TOKEN;
+  chlg_buf.pvBuffer   = chlg;
+  chlg_buf.cbBuffer   = curlx_uztoul(chlglen);
+
+  /* Setup the response "output" security buffer */
+  resp_desc.ulVersion = SECBUFFER_VERSION;
+  resp_desc.cBuffers  = 1;
+  resp_desc.pBuffers  = &resp_buf;
+  resp_buf.BufferType = SECBUFFER_TOKEN;
+  resp_buf.pvBuffer   = resp;
+  resp_buf.cbBuffer   = sizeof(resp);
+
+  /* Generate our challenge-response message */
+  status = s_pSecFn->InitializeSecurityContext(&handle,
+                                               NULL,
+                                               (TCHAR *) spn,
+                                               0, 0, 0,
+                                               &chlg_desc,
+                                               0, &ctx,
+                                               &resp_desc,
+                                               &attrs, &tsDummy);
+
+  if(status == SEC_I_COMPLETE_AND_CONTINUE ||
+     status == SEC_I_CONTINUE_NEEDED)
+    s_pSecFn->CompleteAuthToken(&handle, &resp_desc);
+  else if(status != SEC_E_OK) {
+    s_pSecFn->FreeCredentialsHandle(&handle);
+    Curl_sspi_free_identity(&identity);
+    Curl_safefree(spn);
+    Curl_safefree(chlg);
+
+    return CURLE_RECV_ERROR;
+  }
+
+  /* Base64 encode the response */
+  result = Curl_base64_encode(data, (char *)resp, resp_buf.cbBuffer, outptr,
+                              outlen);
+
+  /* Free our handles */
+  s_pSecFn->DeleteSecurityContext(&ctx);
+  s_pSecFn->FreeCredentialsHandle(&handle);
+
+  /* Free the identity structure */
+  Curl_sspi_free_identity(&identity);
+
+  /* Free the SPN */
+  Curl_safefree(spn);
+
+  /* Free the decoeded challenge message */
+  Curl_safefree(chlg);
+
+  return result;
+}
+
+#endif /* USE_WINDOWS_SSPI && !CURL_DISABLE_CRYPTO_AUTH */

lib/curl_setup.h

@@ -601,12 +601,14 @@ int netware_init(void);
 #define USE_SSL    /* SSL support has been enabled */
 #endif
 
-#if defined(HAVE_GSSAPI) || defined(USE_WINDOWS_SSPI)
+#if !defined(CURL_DISABLE_CRYPTO_AUTH) && \
+    (defined(HAVE_GSSAPI) || defined(USE_WINDOWS_SSPI))
 #define USE_HTTP_NEGOTIATE
 #endif
 
 /* Single point where USE_NTLM definition might be done */
-#if !defined(CURL_DISABLE_HTTP) && !defined(CURL_DISABLE_NTLM)
+#if !defined(CURL_DISABLE_HTTP) && !defined(CURL_DISABLE_NTLM) && \
+    !defined(CURL_DISABLE_CRYPTO_AUTH)
 #if defined(USE_SSLEAY) || defined(USE_WINDOWS_SSPI) || \
     defined(USE_GNUTLS) || defined(USE_NSS) || defined(USE_DARWINSSL)
 #define USE_NTLM

lib/curl_sspi.c

@@ -32,6 +32,9 @@
 #include <curl/mprintf.h>
 
 #include "curl_memory.h"
+#include "curl_multibyte.h"
+#include "warnless.h"
+
 /* The last #include file should be: */
 #include "memdebug.h"
 
@@ -150,4 +153,105 @@ void Curl_sspi_global_cleanup(void)
   }
 }
 
+/*
+ * Curl_create_sspi_identity()
+ *
+ * This is used to populate a SSPI identity structure based on the supplied
+ * username and password.
+ *
+ * Parameters:
+ *
+ * userp    [in]     - The user name in the format User or Domain\User.
+ * passdwp  [in]     - The user's password.
+ * identity [in/out] - The identity structure.
+ *
+ * Returns CURLE_OK on success.
+ */
+CURLcode Curl_create_sspi_identity(const char *userp, const char *passwdp,
+                                   SEC_WINNT_AUTH_IDENTITY *identity)
+{
+  xcharp_u useranddomain;
+  xcharp_u user, dup_user;
+  xcharp_u domain, dup_domain;
+  xcharp_u passwd, dup_passwd;
+  size_t domlen = 0;
+
+  domain.const_tchar_ptr = TEXT("");
+
+  /* Initialize the identity */
+  memset(identity, 0, sizeof(*identity));
+
+  useranddomain.tchar_ptr = Curl_convert_UTF8_to_tchar((char *)userp);
+  if(!useranddomain.tchar_ptr)
+    return CURLE_OUT_OF_MEMORY;
+
+  user.const_tchar_ptr = _tcschr(useranddomain.const_tchar_ptr, TEXT('\\'));
+  if(!user.const_tchar_ptr)
+    user.const_tchar_ptr = _tcschr(useranddomain.const_tchar_ptr, TEXT('/'));
+
+  if(user.tchar_ptr) {
+    domain.tchar_ptr = useranddomain.tchar_ptr;
+    domlen = user.tchar_ptr - useranddomain.tchar_ptr;
+    user.tchar_ptr++;
+  }
+  else {
+    user.tchar_ptr = useranddomain.tchar_ptr;
+    domain.const_tchar_ptr = TEXT("");
+    domlen = 0;
+  }
+
+  /* Setup the identity's user and length */
+  dup_user.tchar_ptr = _tcsdup(user.tchar_ptr);
+  if(!dup_user.tchar_ptr) {
+    Curl_unicodefree(useranddomain.tchar_ptr);
+    return CURLE_OUT_OF_MEMORY;
+  }
+  identity->User = dup_user.tbyte_ptr;
+  identity->UserLength = curlx_uztoul(_tcslen(dup_user.tchar_ptr));
+  dup_user.tchar_ptr = NULL;
+
+  /* Setup the identity's domain and length */
+  dup_domain.tchar_ptr = malloc(sizeof(TCHAR) * (domlen + 1));
+  if(!dup_domain.tchar_ptr) {
+    Curl_unicodefree(useranddomain.tchar_ptr);
+    return CURLE_OUT_OF_MEMORY;
+  }
+  _tcsncpy(dup_domain.tchar_ptr, domain.tchar_ptr, domlen);
+  *(dup_domain.tchar_ptr + domlen) = TEXT('\0');
+  identity->Domain = dup_domain.tbyte_ptr;
+  identity->DomainLength = curlx_uztoul(domlen);
+  dup_domain.tchar_ptr = NULL;
+
+  Curl_unicodefree(useranddomain.tchar_ptr);
+
+  /* Setup ntlm identity's password and length */
+  passwd.tchar_ptr = Curl_convert_UTF8_to_tchar((char *)passwdp);
+  if(!passwd.tchar_ptr)
+    return CURLE_OUT_OF_MEMORY;
+  dup_passwd.tchar_ptr = _tcsdup(passwd.tchar_ptr);
+  if(!dup_passwd.tchar_ptr) {
+    Curl_unicodefree(passwd.tchar_ptr);
+    return CURLE_OUT_OF_MEMORY;
+  }
+  identity->Password = dup_passwd.tbyte_ptr;
+  identity->PasswordLength = curlx_uztoul(_tcslen(dup_passwd.tchar_ptr));
+  dup_passwd.tchar_ptr = NULL;
+
+  Curl_unicodefree(passwd.tchar_ptr);
+
+  /* Setup the identity's flags */
+  identity->Flags = SECFLAG_WINNT_AUTH_IDENTITY;
+
+  return CURLE_OK;
+}
+
+void Curl_sspi_free_identity(SEC_WINNT_AUTH_IDENTITY *identity)
+{
+  if(identity) {
+    Curl_safefree(identity->User);
+    Curl_safefree(identity->Password);
+    Curl_safefree(identity->Domain);
+  }
+}
+
 #endif /* USE_WINDOWS_SSPI */

lib/curl_sspi.h

@@ -43,6 +43,13 @@
 CURLcode Curl_sspi_global_init(void);
 void Curl_sspi_global_cleanup(void);
 
+/* This is used to generate an SSPI identity structure */
+CURLcode Curl_create_sspi_identity(const char *userp, const char *passwdp,
+                                   SEC_WINNT_AUTH_IDENTITY *identity);
+
+/* This is used to free an SSPI identity structure */
+void Curl_sspi_free_identity(SEC_WINNT_AUTH_IDENTITY *identity);
+
 /* Forward-declaration of global variables defined in curl_sspi.c */
 
 extern HMODULE s_hSecDll;
@@ -289,5 +296,13 @@ extern PSecurityFunctionTable s_pSecFn;
 # define SEC_I_SIGNATURE_NEEDED                ((HRESULT)0x0009035CL)
 #endif
 
+#ifdef UNICODE
+#  define SECFLAG_WINNT_AUTH_IDENTITY \
+     (unsigned long)SEC_WINNT_AUTH_IDENTITY_UNICODE
+#else
+#  define SECFLAG_WINNT_AUTH_IDENTITY \
+     (unsigned long)SEC_WINNT_AUTH_IDENTITY_ANSI
+#endif
+
 #endif /* USE_WINDOWS_SSPI */
 #endif /* HEADER_CURL_SSPI_H */

lib/dict.c

@@ -5,7 +5,7 @@
  *                            | (__| |_| |  _ <| |___
  *                             \___|\___/|_| \_\_____|
  *
- * Copyright (C) 1998 - 2012, Daniel Stenberg, <daniel@haxx.se>, et al.
+ * Copyright (C) 1998 - 2014, Daniel Stenberg, <daniel@haxx.se>, et al.
  *
  * This software is licensed as described in the file COPYING, which
  * you should have received as part of this distribution. The terms
@@ -122,9 +122,8 @@ static char *unescape_word(struct SessionHandle *data, const char *inputbuff)
       dictp[olen++] = byte;
     }
     dictp[olen]=0;
-
-    free(newp);
   }
+  free(newp);
   return dictp;
 }
 

lib/dotdot.c

@@ -5,7 +5,7 @@
  *                            | (__| |_| |  _ <| |___
  *                             \___|\___/|_| \_\_____|
  *
- * Copyright (C) 1998 - 2013, Daniel Stenberg, <daniel@haxx.se>, et al.
+ * Copyright (C) 1998 - 2014, Daniel Stenberg, <daniel@haxx.se>, et al.
  *
  * This software is licensed as described in the file COPYING, which
  * you should have received as part of this distribution. The terms
@@ -47,7 +47,7 @@
  *
  * an allocated dedotdotified output string
  */
-char *Curl_dedotdotify(char *input)
+char *Curl_dedotdotify(const char *input)
 {
   size_t inlen = strlen(input);
   char *clone;

lib/dotdot.h

@@ -7,7 +7,7 @@
  *                            | (__| |_| |  _ <| |___
  *                             \___|\___/|_| \_\_____|
  *
- * Copyright (C) 1998 - 2013, Daniel Stenberg, <daniel@haxx.se>, et al.
+ * Copyright (C) 1998 - 2014, Daniel Stenberg, <daniel@haxx.se>, et al.
  *
  * This software is licensed as described in the file COPYING, which
  * you should have received as part of this distribution. The terms
@@ -21,5 +21,5 @@
  * KIND, either express or implied.
  *
  ***************************************************************************/
-char *Curl_dedotdotify(char *input);
+char *Curl_dedotdotify(const char *input);
 #endif

lib/easy.c

@@ -5,7 +5,7 @@
  *                            | (__| |_| |  _ <| |___
  *                             \___|\___/|_| \_\_____|
  *
- * Copyright (C) 1998 - 2013, Daniel Stenberg, <daniel@haxx.se>, et al.
+ * Copyright (C) 1998 - 2014, Daniel Stenberg, <daniel@haxx.se>, et al.
  *
  * This software is licensed as described in the file COPYING, which
  * you should have received as part of this distribution. The terms
@@ -299,9 +299,13 @@ CURLcode curl_global_init_mem(long flags, curl_malloc_callback m,
   if(!m || !f || !r || !s || !c)
     return CURLE_FAILED_INIT;
 
-  /* Already initialized, don't do it again */
-  if(initialized)
+  if(initialized) {
+    /* Already initialized, don't do it again, but bump the variable anyway to
+       work like curl_global_init() and require the same amount of cleanup
+       calls. */
+    initialized++;
     return CURLE_OK;
+  }
 
   /* Call the actual init function first */
   code = curl_global_init(flags);
@@ -715,6 +719,15 @@ static CURLcode easy_transfer(CURLM *multi)
       }
     }
   }
+
+  /* Make sure to return some kind of error if there was a multi problem */
+  if(mcode) {
+    return (mcode == CURLM_OUT_OF_MEMORY) ? CURLE_OUT_OF_MEMORY :
+            /* The other multi errors should never happen, so return
+               something suitably generic */
+            CURLE_BAD_FUNCTION_ARGUMENT;
+  }
+
   return code;
 }
 
@@ -747,7 +760,7 @@ static CURLcode easy_perform(struct SessionHandle *data, bool events)
     return CURLE_BAD_FUNCTION_ARGUMENT;
 
   if(data->multi) {
-    failf(data, "easy handled already used in multi handle");
+    failf(data, "easy handle already used in multi handle");
     return CURLE_FAILED_INIT;
   }
 

lib/escape.c

@@ -5,7 +5,7 @@
  *                            | (__| |_| |  _ <| |___
  *                             \___|\___/|_| \_\_____|
  *
- * Copyright (C) 1998 - 2013, Daniel Stenberg, <daniel@haxx.se>, et al.
+ * Copyright (C) 1998 - 2014, Daniel Stenberg, <daniel@haxx.se>, et al.
  *
  * This software is licensed as described in the file COPYING, which
  * you should have received as part of this distribution. The terms
@@ -196,9 +196,8 @@ CURLcode Curl_urldecode(struct SessionHandle *data,
     /* store output size */
     *olen = strindex;
 
-  if(ostring)
-    /* store output string */
-    *ostring = ns;
+  /* store output string */
+  *ostring = ns;
 
   return CURLE_OK;
 }

lib/file.c

@@ -5,7 +5,7 @@
  *                            | (__| |_| |  _ <| |___
  *                             \___|\___/|_| \_\_____|
  *
- * Copyright (C) 1998 - 2013, Daniel Stenberg, <daniel@haxx.se>, et al.
+ * Copyright (C) 1998 - 2014, Daniel Stenberg, <daniel@haxx.se>, et al.
  *
  * This software is licensed as described in the file COPYING, which
  * you should have received as part of this distribution. The terms
@@ -336,9 +336,9 @@ static CURLcode file_upload(struct connectdata *conn)
     return CURLE_WRITE_ERROR;
   }
 
-  if(-1 != data->set.infilesize)
+  if(-1 != data->state.infilesize)
     /* known size of data to "upload" */
-    Curl_pgrsSetUploadSize(data, data->set.infilesize);
+    Curl_pgrsSetUploadSize(data, data->state.infilesize);
 
   /* treat the negative resume offset value as the case of "-" */
   if(data->state.resume_from < 0) {

lib/formdata.c

@@ -5,7 +5,7 @@
  *                            | (__| |_| |  _ <| |___
  *                             \___|\___/|_| \_\_____|
  *
- * Copyright (C) 1998 - 2013, Daniel Stenberg, <daniel@haxx.se>, et al.
+ * Copyright (C) 1998 - 2014, Daniel Stenberg, <daniel@haxx.se>, et al.
  *
  * This software is licensed as described in the file COPYING, which
  * you should have received as part of this distribution. The terms
@@ -1110,8 +1110,10 @@ static CURLcode formdata_add_filename(const struct curl_httppost *file,
 
     /* filename need be escaped */
     filename_escaped = malloc(strlen(filename)*2+1);
-    if(!filename_escaped)
+    if(!filename_escaped) {
+      Curl_safefree(filebasename);
       return CURLE_OUT_OF_MEMORY;
+    }
     p0 = filename_escaped;
     p1 = filename;
     while(*p1) {
@@ -1227,7 +1229,7 @@ CURLcode Curl_getformdata(struct SessionHandle *data,
       }
 
       result = AddFormDataf(&form, &size,
-                            "\r\nContent-Type: multipart/mixed,"
+                            "\r\nContent-Type: multipart/mixed;"
                             " boundary=%s\r\n",
                             fileboundary);
       if(result)

lib/ftp.c

@@ -5,7 +5,7 @@
  *                            | (__| |_| |  _ <| |___
  *                             \___|\___/|_| \_\_____|
  *
- * Copyright (C) 1998 - 2013, Daniel Stenberg, <daniel@haxx.se>, et al.
+ * Copyright (C) 1998 - 2014, Daniel Stenberg, <daniel@haxx.se>, et al.
  *
  * This software is licensed as described in the file COPYING, which
  * you should have received as part of this distribution. The terms
@@ -208,7 +208,7 @@ const struct Curl_handler Curl_handler_ftps = {
   ftp_disconnect,                  /* disconnect */
   ZERO_NULL,                       /* readwrite */
   PORT_FTPS,                       /* defport */
-  CURLPROTO_FTP | CURLPROTO_FTPS,  /* protocol */
+  CURLPROTO_FTPS,                  /* protocol */
   PROTOPT_SSL | PROTOPT_DUAL | PROTOPT_CLOSEACTION |
   PROTOPT_NEEDSPWD | PROTOPT_NOURLQUERY /* flags */
 };
@@ -507,7 +507,7 @@ static CURLcode InitiateTransfer(struct connectdata *conn)
     /* When we know we're uploading a specified file, we can get the file
        size prior to the actual upload. */
 
-    Curl_pgrsSetUploadSize(data, data->set.infilesize);
+    Curl_pgrsSetUploadSize(data, data->state.infilesize);
 
     /* set the SO_SNDBUF for the secondary socket for those who need it */
     Curl_sndbufset(conn->sock[SECONDARYSOCKET]);
@@ -877,13 +877,30 @@ static int ftp_domore_getsock(struct connectdata *conn, curl_socket_t *socks,
    */
 
   if(FTP_STOP == ftpc->state) {
+    int bits = GETSOCK_READSOCK(0);
+
     /* if stopped and still in this state, then we're also waiting for a
        connect on the secondary connection */
     socks[0] = conn->sock[FIRSTSOCKET];
-    socks[1] = conn->sock[SECONDARYSOCKET];
 
-    return GETSOCK_READSOCK(FIRSTSOCKET) |
-      GETSOCK_WRITESOCK(SECONDARYSOCKET);
+    if(!conn->data->set.ftp_use_port) {
+      int s;
+      int i;
+      /* PORT is used to tell the server to connect to us, and during that we
+         don't do happy eyeballs, but we do if we connect to the server */
+      for(s=1, i=0; i<2; i++) {
+        if(conn->tempsock[i] != CURL_SOCKET_BAD) {
+          socks[s] = conn->tempsock[i];
+          bits |= GETSOCK_WRITESOCK(s++);
+        }
+      }
+    }
+    else {
+      socks[1] = conn->sock[SECONDARYSOCKET];
+      bits |= GETSOCK_WRITESOCK(1);
+    }
+
+    return bits;
   }
   else
     return Curl_pp_getsock(&conn->proto.ftpc.pp, socks, numsocks);
@@ -1666,10 +1683,10 @@ static CURLcode ftp_state_ul_setup(struct connectdata *conn,
       }
     }
     /* now, decrease the size of the read */
-    if(data->set.infilesize>0) {
-      data->set.infilesize -= data->state.resume_from;
+    if(data->state.infilesize>0) {
+      data->state.infilesize -= data->state.resume_from;
 
-      if(data->set.infilesize <= 0) {
+      if(data->state.infilesize <= 0) {
         infof(data, "File already completely uploaded\n");
 
         /* no data to transfer */
@@ -3365,13 +3382,13 @@ static CURLcode ftp_done(struct connectdata *conn, CURLcode status,
        use checking further */
     ;
   else if(data->set.upload) {
-    if((-1 != data->set.infilesize) &&
-       (data->set.infilesize != *ftp->bytecountp) &&
+    if((-1 != data->state.infilesize) &&
+       (data->state.infilesize != *ftp->bytecountp) &&
        !data->set.crlf &&
        (ftp->transfer == FTPTRANSFER_BODY)) {
       failf(data, "Uploaded unaligned file size (%" CURL_FORMAT_CURL_OFF_T
             " out of %" CURL_FORMAT_CURL_OFF_T " bytes)",
-            *ftp->bytecountp, data->set.infilesize);
+            *ftp->bytecountp, data->state.infilesize);
       result = CURLE_PARTIAL_FILE;
     }
   }

lib/getinfo.c

@@ -5,7 +5,7 @@
  *                            | (__| |_| |  _ <| |___
  *                             \___|\___/|_| \_\_____|
  *
- * Copyright (C) 1998 - 2013, Daniel Stenberg, <daniel@haxx.se>, et al.
+ * Copyright (C) 1998 - 2014, Daniel Stenberg, <daniel@haxx.se>, et al.
  *
  * This software is licensed as described in the file COPYING, which
  * you should have received as part of this distribution. The terms
@@ -325,7 +325,6 @@ static CURLcode getinfo_slist(struct SessionHandle *data, CURLINFO info,
          to return from 'struct ssl_connect_data'; thus, for now we keep the
          backend as CURLSSLBACKEND_NONE in those cases, which should be
          interpreted as "not supported" */
-      break;
     }
     break;
   default:

lib/hostcheck.c

@@ -5,7 +5,7 @@
  *                            | (__| |_| |  _ <| |___
  *                             \___|\___/|_| \_\_____|
  *
- * Copyright (C) 1998 - 2013, Daniel Stenberg, <daniel@haxx.se>, et al.
+ * Copyright (C) 1998 - 2014, Daniel Stenberg, <daniel@haxx.se>, et al.
  *
  * This software is licensed as described in the file COPYING, which
  * you should have received as part of this distribution. The terms
@@ -23,11 +23,20 @@
 #include "curl_setup.h"
 
 #if defined(USE_SSLEAY) || defined(USE_AXTLS) || defined(USE_QSOSSL) || \
-    defined(USE_GSKIT) || defined(USE_NSS)
+    defined(USE_GSKIT)
 /* these backends use functions from this file */
 
+#ifdef HAVE_NETINET_IN_H
+#include <netinet/in.h>
+#endif
+
 #include "hostcheck.h"
 #include "rawstr.h"
+#include "inet_pton.h"
+
+#include "curl_memory.h"
+/* The last #include file should be: */
+#include "memdebug.h"
 
 /*
  * Match a hostname against a wildcard pattern.
@@ -36,18 +45,50 @@
  *
  * We use the matching rule described in RFC6125, section 6.4.3.
  * http://tools.ietf.org/html/rfc6125#section-6.4.3
+ *
+ * In addition: ignore trailing dots in the host names and wildcards, so that
+ * the names are used normalized. This is what the browsers do.
+ *
+ * Do not allow wildcard matching on IP numbers. There are apparently
+ * certificates being used with an IP address in the CN field, thus making no
+ * apparent distinction between a name and an IP. We need to detect the use of
+ * an IP address and not wildcard match on such names.
+ *
+ * NOTE: hostmatch() gets called with copied buffers so that it can modify the
+ * contents at will.
  */
 
-static int hostmatch(const char *hostname, const char *pattern)
+static int hostmatch(char *hostname, char *pattern)
 {
   const char *pattern_label_end, *pattern_wildcard, *hostname_label_end;
   int wildcard_enabled;
   size_t prefixlen, suffixlen;
+  struct in_addr ignored;
+#ifdef ENABLE_IPV6
+  struct sockaddr_in6 si6;
+#endif
+
+  /* normalize pattern and hostname by stripping off trailing dots */
+  size_t len = strlen(hostname);
+  if(hostname[len-1]=='.')
+    hostname[len-1]=0;
+  len = strlen(pattern);
+  if(pattern[len-1]=='.')
+    pattern[len-1]=0;
+
   pattern_wildcard = strchr(pattern, '*');
   if(pattern_wildcard == NULL)
     return Curl_raw_equal(pattern, hostname) ?
       CURL_HOST_MATCH : CURL_HOST_NOMATCH;
 
+  /* detect IP address as hostname and fail the match if so */
+  if(Curl_inet_pton(AF_INET, hostname, &ignored) > 0)
+    return CURL_HOST_NOMATCH;
+#ifdef ENABLE_IPV6
+  else if(Curl_inet_pton(AF_INET6, hostname, &si6.sin6_addr) > 0)
+    return CURL_HOST_NOMATCH;
+#endif
+
   /* We require at least 2 dots in pattern to avoid too wide wildcard
      match. */
   wildcard_enabled = 1;
@@ -82,16 +123,26 @@ static int hostmatch(const char *hostname, const char *pattern)
 
 int Curl_cert_hostcheck(const char *match_pattern, const char *hostname)
 {
+  char *matchp;
+  char *hostp;
+  int res = 0;
   if(!match_pattern || !*match_pattern ||
       !hostname || !*hostname) /* sanity check */
-    return 0;
+    ;
+  else {
+    matchp = strdup(match_pattern);
+    if(matchp) {
+      hostp = strdup(hostname);
+      if(hostp) {
+        if(hostmatch(hostp, matchp) == CURL_HOST_MATCH)
+          res= 1;
+        free(hostp);
+      }
+      free(matchp);
+    }
+  }
 
-  if(Curl_raw_equal(hostname, match_pattern)) /* trivial case */
-    return 1;
-
-  if(hostmatch(hostname,match_pattern) == CURL_HOST_MATCH)
-    return 1;
-  return 0;
+  return res;
 }
 
-#endif /* SSLEAY or AXTLS or QSOSSL or GSKIT or NSS */
+#endif /* SSLEAY or AXTLS or QSOSSL or GSKIT */

lib/http.c

@@ -5,7 +5,7 @@
  *                            | (__| |_| |  _ <| |___
  *                             \___|\___/|_| \_\_____|
  *
- * Copyright (C) 1998 - 2013, Daniel Stenberg, <daniel@haxx.se>, et al.
+ * Copyright (C) 1998 - 2014, Daniel Stenberg, <daniel@haxx.se>, et al.
  *
  * This software is licensed as described in the file COPYING, which
  * you should have received as part of this distribution. The terms
@@ -121,7 +121,7 @@ const struct Curl_handler Curl_handler_http = {
   ZERO_NULL,                            /* readwrite */
   PORT_HTTP,                            /* defport */
   CURLPROTO_HTTP,                       /* protocol */
-  PROTOPT_NONE                          /* flags */
+  PROTOPT_CREDSPERREQUEST               /* flags */
 };
 
 #ifdef USE_SSL
@@ -144,8 +144,8 @@ const struct Curl_handler Curl_handler_https = {
   ZERO_NULL,                            /* disconnect */
   ZERO_NULL,                            /* readwrite */
   PORT_HTTPS,                           /* defport */
-  CURLPROTO_HTTP | CURLPROTO_HTTPS,     /* protocol */
-  PROTOPT_SSL                           /* flags */
+  CURLPROTO_HTTPS,                      /* protocol */
+  PROTOPT_SSL | PROTOPT_CREDSPERREQUEST /* flags */
 };
 #endif
 
@@ -169,12 +169,40 @@ CURLcode Curl_http_setup_conn(struct connectdata *conn)
  *
  * Returns a pointer to the first matching header or NULL if none matched.
  */
-char *Curl_checkheaders(struct SessionHandle *data, const char *thisheader)
+char *Curl_checkheaders(const struct connectdata *conn,
+                        const char *thisheader)
 {
   struct curl_slist *head;
   size_t thislen = strlen(thisheader);
+  struct SessionHandle *data = conn->data;
 
-  for(head = data->set.headers; head; head=head->next) {
+  for(head = data->set.headers;head; head=head->next) {
+    if(Curl_raw_nequal(head->data, thisheader, thislen))
+      return head->data;
+  }
+  return NULL;
+}
+
+/*
+ * checkProxyHeaders() checks the linked list of custom proxy headers
+ * if proxy headers are not available, then it will lookup into http header
+ * link list
+ *
+ * It takes a connectdata struct as input instead of the SessionHandle simply
+ * to know if this is a proxy request or not, as it then might check a
+ * different header list.
+ *
+ */
+char *Curl_checkProxyheaders(const struct connectdata *conn,
+                             const char *thisheader)
+{
+  struct curl_slist *head;
+  size_t thislen = strlen(thisheader);
+  struct SessionHandle *data = conn->data;
+
+  for(head = (conn->bits.proxy && data->set.sep_headers)?
+        data->set.proxyheaders:data->set.headers;
+      head; head=head->next) {
     if(Curl_raw_nequal(head->data, thisheader, thislen))
       return head->data;
   }
@@ -377,8 +405,8 @@ static CURLcode http_perhapsrewind(struct connectdata *conn)
         expectsend = (curl_off_t)strlen(data->set.postfields);
       break;
     case HTTPREQ_PUT:
-      if(data->set.infilesize != -1)
-        expectsend = data->set.infilesize;
+      if(data->state.infilesize != -1)
+        expectsend = data->state.infilesize;
       break;
     case HTTPREQ_POST_FORM:
       expectsend = http->postsize;
@@ -584,9 +612,9 @@ output_auth_headers(struct connectdata *conn,
   if(authstatus->picked == CURLAUTH_BASIC) {
     /* Basic */
     if((proxy && conn->bits.proxy_user_passwd &&
-       !Curl_checkheaders(data, "Proxy-authorization:")) ||
+        !Curl_checkProxyheaders(conn, "Proxy-authorization:")) ||
        (!proxy && conn->bits.user_passwd &&
-       !Curl_checkheaders(data, "Authorization:"))) {
+        !Curl_checkheaders(conn, "Authorization:"))) {
       auth="Basic";
       result = http_output_basic(conn, proxy);
       if(result)
@@ -752,7 +780,7 @@ CURLcode Curl_http_input_auth(struct connectdata *conn, bool proxy,
           infof(data, "Authentication problem. Ignoring this.\n");
           data->state.authproblem = TRUE;
         }
-        else {
+        else if(data->state.negotiate.state == GSS_AUTHNONE) {
           neg = Curl_input_negotiate(conn, proxy, auth);
           if(neg == 0) {
             DEBUGASSERT(!data->req.newurl);
@@ -1056,6 +1084,7 @@ CURLcode Curl_add_buffer_send(Curl_send_buffer *in,
     return res;
   }
 
+
   if(conn->handler->flags & PROTOPT_SSL) {
     /* We never send more than CURL_MAX_WRITE_SIZE bytes in one single chunk
        when we speak HTTPS, as if only a fraction of it is sent now, this data
@@ -1360,8 +1389,8 @@ static CURLcode https_connecting(struct connectdata *conn, bool *done)
 #endif
 
 #if defined(USE_SSLEAY) || defined(USE_GNUTLS) || defined(USE_SCHANNEL) || \
-    defined(USE_DARWINSSL)
-/* This function is for OpenSSL, GnuTLS, darwinssl, and schannel only.
+    defined(USE_DARWINSSL) || defined(USE_POLARSSL) || defined(USE_NSS)
+/* This function is for OpenSSL, GnuTLS, darwinssl, schannel and polarssl only.
    It should be made to query the generic SSL layer instead. */
 static int https_getsock(struct connectdata *conn,
                          curl_socket_t *socks,
@@ -1492,11 +1521,15 @@ static CURLcode expect100(struct SessionHandle *data,
   const char *ptr;
   data->state.expect100header = FALSE; /* default to false unless it is set
                                           to TRUE below */
+  if(conn->httpversion == 20) {
+    /* We don't use Expect in HTTP2 */
+    return CURLE_OK;
+  }
   if(use_http_1_1plus(data, conn)) {
     /* if not doing HTTP 1.0 or disabled explicitly, we add a Expect:
        100-continue to the headers which actually speeds up post operations
        (as there is one packet coming back from the web server) */
-    ptr = Curl_checkheaders(data, "Expect:");
+    ptr = Curl_checkheaders(conn, "Expect:");
     if(ptr) {
       data->state.expect100header =
         Curl_compareheader(ptr, "Expect:", "100-continue");
@@ -1511,77 +1544,120 @@ static CURLcode expect100(struct SessionHandle *data,
   return result;
 }
 
+enum proxy_use {
+  HEADER_SERVER,  /* direct to server */
+  HEADER_PROXY,   /* regular request to proxy */
+  HEADER_CONNECT  /* sending CONNECT to a proxy */
+};
+
 CURLcode Curl_add_custom_headers(struct connectdata *conn,
-                                   Curl_send_buffer *req_buffer)
+                                 bool is_connect,
+                                 Curl_send_buffer *req_buffer)
 {
   char *ptr;
-  struct curl_slist *headers=conn->data->set.headers;
+  struct curl_slist *h[2];
+  struct curl_slist *headers;
+  int numlists=1; /* by default */
+  struct SessionHandle *data = conn->data;
+  int i;
 
-  while(headers) {
-    ptr = strchr(headers->data, ':');
-    if(ptr) {
-      /* we require a colon for this to be a true header */
+  enum proxy_use proxy;
 
-      ptr++; /* pass the colon */
-      while(*ptr && ISSPACE(*ptr))
-        ptr++;
+  if(is_connect)
+    proxy = HEADER_CONNECT;
+  else
+    proxy = conn->bits.httpproxy && !conn->bits.tunnel_proxy?
+      HEADER_PROXY:HEADER_SERVER;
 
-      if(*ptr) {
-        /* only send this if the contents was non-blank */
-
-        if(conn->allocptr.host &&
-           /* a Host: header was sent already, don't pass on any custom Host:
-              header as that will produce *two* in the same request! */
-           checkprefix("Host:", headers->data))
-          ;
-        else if(conn->data->set.httpreq == HTTPREQ_POST_FORM &&
-                /* this header (extended by formdata.c) is sent later */
-                checkprefix("Content-Type:", headers->data))
-          ;
-        else if(conn->bits.authneg &&
-                /* while doing auth neg, don't allow the custom length since
-                   we will force length zero then */
-                checkprefix("Content-Length", headers->data))
-          ;
-        else if(conn->allocptr.te &&
-                /* when asking for Transfer-Encoding, don't pass on a custom
-                   Connection: */
-                checkprefix("Connection", headers->data))
-          ;
-        else {
-          CURLcode result = Curl_add_bufferf(req_buffer, "%s\r\n",
-                                             headers->data);
-          if(result)
-            return result;
-        }
-      }
+  switch(proxy) {
+  case HEADER_SERVER:
+    h[0] = data->set.headers;
+    break;
+  case HEADER_PROXY:
+    h[0] = data->set.headers;
+    if(data->set.sep_headers) {
+      h[1] = data->set.proxyheaders;
+      numlists++;
     }
-    else {
-      ptr = strchr(headers->data, ';');
-      if(ptr) {
+    break;
+  case HEADER_CONNECT:
+    if(data->set.sep_headers)
+      h[0] = data->set.proxyheaders;
+    else
+      h[0] = data->set.headers;
+    break;
+  }
 
-        ptr++; /* pass the semicolon */
+  /* loop through one or two lists */
+  for(i=0; i < numlists; i++) {
+    headers = h[i];
+
+    while(headers) {
+      ptr = strchr(headers->data, ':');
+      if(ptr) {
+        /* we require a colon for this to be a true header */
+
+        ptr++; /* pass the colon */
         while(*ptr && ISSPACE(*ptr))
           ptr++;
 
         if(*ptr) {
-          /* this may be used for something else in the future */
-        }
-        else {
-          if(*(--ptr) == ';') {
-            CURLcode result;
+          /* only send this if the contents was non-blank */
 
-            /* send no-value custom header if terminated by semicolon */
-            *ptr = ':';
-            result = Curl_add_bufferf(req_buffer, "%s\r\n",
-                                             headers->data);
+          if(conn->allocptr.host &&
+             /* a Host: header was sent already, don't pass on any custom Host:
+                header as that will produce *two* in the same request! */
+             checkprefix("Host:", headers->data))
+            ;
+          else if(data->set.httpreq == HTTPREQ_POST_FORM &&
+                  /* this header (extended by formdata.c) is sent later */
+                  checkprefix("Content-Type:", headers->data))
+            ;
+          else if(conn->bits.authneg &&
+                  /* while doing auth neg, don't allow the custom length since
+                     we will force length zero then */
+                  checkprefix("Content-Length", headers->data))
+            ;
+          else if(conn->allocptr.te &&
+                  /* when asking for Transfer-Encoding, don't pass on a custom
+                     Connection: */
+                  checkprefix("Connection", headers->data))
+            ;
+          else {
+            CURLcode result = Curl_add_bufferf(req_buffer, "%s\r\n",
+                                               headers->data);
             if(result)
               return result;
           }
         }
       }
+      else {
+        ptr = strchr(headers->data, ';');
+        if(ptr) {
+
+          ptr++; /* pass the semicolon */
+          while(*ptr && ISSPACE(*ptr))
+            ptr++;
+
+          if(*ptr) {
+            /* this may be used for something else in the future */
+          }
+          else {
+            if(*(--ptr) == ';') {
+              CURLcode result;
+
+              /* send no-value custom header if terminated by semicolon */
+              *ptr = ':';
+              result = Curl_add_bufferf(req_buffer, "%s\r\n",
+                                        headers->data);
+              if(result)
+                return result;
+            }
+          }
+        }
+      }
+      headers = headers->next;
     }
-    headers = headers->next;
   }
   return CURLE_OK;
 }
@@ -1668,6 +1744,26 @@ CURLcode Curl_http(struct connectdata *conn, bool *done)
      the rest of the request in the PERFORM phase. */
   *done = TRUE;
 
+  if(conn->httpversion < 20) { /* unless the connection is re-used and already
+                                  http2 */
+    switch (conn->negnpn) {
+    case NPN_HTTP2:
+      Curl_http2_init(conn);
+      Curl_http2_setup(conn);
+      Curl_http2_switched(conn);
+      break;
+    case NPN_HTTP1_1:
+      /* continue with HTTP/1.1 when explicitly requested */
+      break;
+    default:
+      /* and as fallback */
+      break;
+    }
+  }
+  else
+    /* prepare for a http2 request */
+    Curl_http2_setup(conn);
+
   http = data->req.protop;
 
   if(!data->state.this_is_a_follow) {
@@ -1682,7 +1778,7 @@ CURLcode Curl_http(struct connectdata *conn, bool *done)
   }
   http->writebytecount = http->readbytecount = 0;
 
-  if((conn->handler->protocol&(CURLPROTO_HTTP|CURLPROTO_FTP)) &&
+  if((conn->handler->protocol&(PROTO_FAMILY_HTTP|CURLPROTO_FTP)) &&
      data->set.upload) {
     httpreq = HTTPREQ_PUT;
   }
@@ -1718,7 +1814,7 @@ CURLcode Curl_http(struct connectdata *conn, bool *done)
      it might have been used in the proxy connect, but if we have got a header
      with the user-agent string specified, we erase the previously made string
      here. */
-  if(Curl_checkheaders(data, "User-Agent:") && conn->allocptr.uagent) {
+  if(Curl_checkheaders(conn, "User-Agent:") && conn->allocptr.uagent) {
     free(conn->allocptr.uagent);
     conn->allocptr.uagent=NULL;
   }
@@ -1739,7 +1835,7 @@ CURLcode Curl_http(struct connectdata *conn, bool *done)
     conn->bits.authneg = FALSE;
 
   Curl_safefree(conn->allocptr.ref);
-  if(data->change.referer && !Curl_checkheaders(data, "Referer:")) {
+  if(data->change.referer && !Curl_checkheaders(conn, "Referer:")) {
     conn->allocptr.ref = aprintf("Referer: %s\r\n", data->change.referer);
     if(!conn->allocptr.ref)
       return CURLE_OUT_OF_MEMORY;
@@ -1747,10 +1843,10 @@ CURLcode Curl_http(struct connectdata *conn, bool *done)
   else
     conn->allocptr.ref = NULL;
 
-  if(data->set.str[STRING_COOKIE] && !Curl_checkheaders(data, "Cookie:"))
+  if(data->set.str[STRING_COOKIE] && !Curl_checkheaders(conn, "Cookie:"))
     addcookies = data->set.str[STRING_COOKIE];
 
-  if(!Curl_checkheaders(data, "Accept-Encoding:") &&
+  if(!Curl_checkheaders(conn, "Accept-Encoding:") &&
      data->set.str[STRING_ENCODING]) {
     Curl_safefree(conn->allocptr.accept_encoding);
     conn->allocptr.accept_encoding =
@@ -1762,13 +1858,14 @@ CURLcode Curl_http(struct connectdata *conn, bool *done)
 #ifdef HAVE_LIBZ
   /* we only consider transfer-encoding magic if libz support is built-in */
 
-  if(!Curl_checkheaders(data, "TE:") && data->set.http_transfer_encoding) {
+  if(!Curl_checkheaders(conn, "TE:") &&
+     data->set.http_transfer_encoding) {
     /* When we are to insert a TE: header in the request, we must also insert
        TE in a Connection: header, so we need to merge the custom provided
        Connection: header and prevent the original to get sent. Note that if
        the user has inserted his/hers own TE: header we don't do this magic
        but then assume that the user will handle it all! */
-    char *cptr = Curl_checkheaders(data, "Connection:");
+    char *cptr = Curl_checkheaders(conn, "Connection:");
 #define TE_HEADER "TE: gzip\r\n"
 
     Curl_safefree(conn->allocptr.te);
@@ -1782,40 +1879,45 @@ CURLcode Curl_http(struct connectdata *conn, bool *done)
   }
 #endif
 
-  ptr = Curl_checkheaders(data, "Transfer-Encoding:");
-  if(ptr) {
-    /* Some kind of TE is requested, check if 'chunked' is chosen */
-    data->req.upload_chunky =
-      Curl_compareheader(ptr, "Transfer-Encoding:", "chunked");
-  }
+  if(conn->httpversion == 20)
+    /* In HTTP2 forbids Transfer-Encoding: chunked */
+    ptr = NULL;
   else {
-    if((conn->handler->protocol&CURLPROTO_HTTP) &&
-       data->set.upload &&
-       (data->set.infilesize == -1)) {
-      if(conn->bits.authneg)
-        /* don't enable chunked during auth neg */
-        ;
-      else if(use_http_1_1plus(data, conn)) {
-        /* HTTP, upload, unknown file size and not HTTP 1.0 */
-        data->req.upload_chunky = TRUE;
-      }
-      else {
-        failf(data, "Chunky upload is not supported by HTTP 1.0");
-        return CURLE_UPLOAD_FAILED;
-      }
+    ptr = Curl_checkheaders(conn, "Transfer-Encoding:");
+    if(ptr) {
+      /* Some kind of TE is requested, check if 'chunked' is chosen */
+      data->req.upload_chunky =
+        Curl_compareheader(ptr, "Transfer-Encoding:", "chunked");
     }
     else {
-      /* else, no chunky upload */
-      data->req.upload_chunky = FALSE;
-    }
+      if((conn->handler->protocol&PROTO_FAMILY_HTTP) &&
+         data->set.upload &&
+         (data->state.infilesize == -1)) {
+        if(conn->bits.authneg)
+          /* don't enable chunked during auth neg */
+          ;
+        else if(use_http_1_1plus(data, conn)) {
+          /* HTTP, upload, unknown file size and not HTTP 1.0 */
+          data->req.upload_chunky = TRUE;
+        }
+        else {
+          failf(data, "Chunky upload is not supported by HTTP 1.0");
+          return CURLE_UPLOAD_FAILED;
+        }
+      }
+      else {
+        /* else, no chunky upload */
+        data->req.upload_chunky = FALSE;
+      }
 
-    if(data->req.upload_chunky)
-      te = "Transfer-Encoding: chunked\r\n";
+      if(data->req.upload_chunky)
+        te = "Transfer-Encoding: chunked\r\n";
+    }
   }
 
   Curl_safefree(conn->allocptr.host);
 
-  ptr = Curl_checkheaders(data, "Host:");
+  ptr = Curl_checkheaders(conn, "Host:");
   if(ptr && (!data->state.this_is_a_follow ||
              Curl_raw_equal(data->state.first_host, conn->host.name))) {
 #if !defined(CURL_DISABLE_COOKIES)
@@ -1960,13 +2062,13 @@ CURLcode Curl_http(struct connectdata *conn, bool *done)
     /* we must build the whole post sequence first, so that we have a size of
        the whole transfer before we start to send it */
     result = Curl_getformdata(data, &http->sendit, data->set.httppost,
-                              Curl_checkheaders(data, "Content-Type:"),
+                              Curl_checkheaders(conn, "Content-Type:"),
                               &http->postsize);
     if(result)
       return result;
   }
 
-  http->p_accept = Curl_checkheaders(data, "Accept:")?NULL:"Accept: */*\r\n";
+  http->p_accept = Curl_checkheaders(conn, "Accept:")?NULL:"Accept: */*\r\n";
 
   if(( (HTTPREQ_POST == httpreq) ||
        (HTTPREQ_POST_FORM == httpreq) ||
@@ -2028,10 +2130,10 @@ CURLcode Curl_http(struct connectdata *conn, bool *done)
       }
 
       /* now, decrease the size of the read */
-      if(data->set.infilesize>0) {
-        data->set.infilesize -= data->state.resume_from;
+      if(data->state.infilesize>0) {
+        data->state.infilesize -= data->state.resume_from;
 
-        if(data->set.infilesize <= 0) {
+        if(data->state.infilesize <= 0) {
           failf(data, "File already completely uploaded");
           return CURLE_PARTIAL_FILE;
         }
@@ -2046,7 +2148,7 @@ CURLcode Curl_http(struct connectdata *conn, bool *done)
      * ones if any such are specified.
      */
     if(((httpreq == HTTPREQ_GET) || (httpreq == HTTPREQ_HEAD)) &&
-       !Curl_checkheaders(data, "Range:")) {
+       !Curl_checkheaders(conn, "Range:")) {
       /* if a line like this was already allocated, free the previous one */
       if(conn->allocptr.rangeline)
         free(conn->allocptr.rangeline);
@@ -2054,7 +2156,7 @@ CURLcode Curl_http(struct connectdata *conn, bool *done)
                                          data->state.range);
     }
     else if((httpreq != HTTPREQ_GET) &&
-            !Curl_checkheaders(data, "Content-Range:")) {
+            !Curl_checkheaders(conn, "Content-Range:")) {
 
       /* if a line like this was already allocated, free the previous one */
       if(conn->allocptr.rangeline)
@@ -2067,13 +2169,13 @@ CURLcode Curl_http(struct connectdata *conn, bool *done)
         conn->allocptr.rangeline =
           aprintf("Content-Range: bytes 0-%" CURL_FORMAT_CURL_OFF_T
                   "/%" CURL_FORMAT_CURL_OFF_T "\r\n",
-                  data->set.infilesize - 1, data->set.infilesize);
+                  data->state.infilesize - 1, data->state.infilesize);
 
       }
       else if(data->state.resume_from) {
         /* This is because "resume" was selected */
         curl_off_t total_expected_size=
-          data->state.resume_from + data->set.infilesize;
+          data->state.resume_from + data->state.infilesize;
         conn->allocptr.rangeline =
           aprintf("Content-Range: bytes %s%" CURL_FORMAT_CURL_OFF_T
                   "/%" CURL_FORMAT_CURL_OFF_T "\r\n",
@@ -2085,7 +2187,7 @@ CURLcode Curl_http(struct connectdata *conn, bool *done)
            append total size */
         conn->allocptr.rangeline =
           aprintf("Content-Range: bytes %s/%" CURL_FORMAT_CURL_OFF_T "\r\n",
-                  data->state.range, data->set.infilesize);
+                  data->state.range, data->state.infilesize);
       }
       if(!conn->allocptr.rangeline)
         return CURLE_OUT_OF_MEMORY;
@@ -2156,7 +2258,7 @@ CURLcode Curl_http(struct connectdata *conn, bool *done)
                      conn->allocptr.ref:"" /* Referer: <data> */,
                      (conn->bits.httpproxy &&
                       !conn->bits.tunnel_proxy &&
-                      !Curl_checkheaders(data, "Proxy-Connection:"))?
+                      !Curl_checkProxyheaders(conn, "Proxy-Connection:"))?
                      "Proxy-Connection: Keep-Alive\r\n":"",
                      te
       );
@@ -2176,7 +2278,7 @@ CURLcode Curl_http(struct connectdata *conn, bool *done)
      (data->set.httpversion == CURL_HTTP_VERSION_2_0)) {
     /* append HTTP2 updrade magic stuff to the HTTP request if it isn't done
        over SSL */
-    result = Curl_http2_request(req_buffer, conn);
+    result = Curl_http2_request_upgrade(req_buffer, conn);
     if(result)
       return result;
   }
@@ -2241,7 +2343,7 @@ CURLcode Curl_http(struct connectdata *conn, bool *done)
       return result;
   }
 
-  result = Curl_add_custom_headers(conn, req_buffer);
+  result = Curl_add_custom_headers(conn, FALSE, req_buffer);
   if(result)
     return result;
 
@@ -2291,7 +2393,7 @@ CURLcode Curl_http(struct connectdata *conn, bool *done)
     http->sending = HTTPSEND_BODY;
 
     if(!data->req.upload_chunky &&
-       !Curl_checkheaders(data, "Content-Length:")) {
+       !Curl_checkheaders(conn, "Content-Length:")) {
       /* only add Content-Length if not uploading chunked */
       result = Curl_add_bufferf(req_buffer,
                                 "Content-Length: %" CURL_FORMAT_CURL_OFF_T
@@ -2360,10 +2462,10 @@ CURLcode Curl_http(struct connectdata *conn, bool *done)
     if(conn->bits.authneg)
       postsize = 0;
     else
-      postsize = data->set.infilesize;
+      postsize = data->state.infilesize;
 
     if((postsize != -1) && !data->req.upload_chunky &&
-       !Curl_checkheaders(data, "Content-Length:")) {
+       !Curl_checkheaders(conn, "Content-Length:")) {
       /* only add Content-Length if not uploading chunked */
       result = Curl_add_bufferf(req_buffer,
                                 "Content-Length: %" CURL_FORMAT_CURL_OFF_T
@@ -2372,9 +2474,11 @@ CURLcode Curl_http(struct connectdata *conn, bool *done)
         return result;
     }
 
-    result = expect100(data, conn, req_buffer);
-    if(result)
-      return result;
+    if(postsize != 0) {
+      result = expect100(data, conn, req_buffer);
+      if(result)
+        return result;
+    }
 
     result = Curl_add_buffer(req_buffer, "\r\n", 2); /* end of headers */
     if(result)
@@ -2413,7 +2517,7 @@ CURLcode Curl_http(struct connectdata *conn, bool *done)
        we don't upload data chunked, as RFC2616 forbids us to set both
        kinds of headers (Transfer-Encoding: chunked and Content-Length) */
     if((postsize != -1) && !data->req.upload_chunky &&
-       !Curl_checkheaders(data, "Content-Length:")) {
+       !Curl_checkheaders(conn, "Content-Length:")) {
       /* we allow replacing this header if not during auth negotiation,
          although it isn't very wise to actually set your own */
       result = Curl_add_bufferf(req_buffer,
@@ -2423,7 +2527,7 @@ CURLcode Curl_http(struct connectdata *conn, bool *done)
         return result;
     }
 
-    if(!Curl_checkheaders(data, "Content-Type:")) {
+    if(!Curl_checkheaders(conn, "Content-Type:")) {
       result = Curl_add_bufferf(req_buffer,
                                 "Content-Type: application/"
                                 "x-www-form-urlencoded\r\n");
@@ -2435,7 +2539,7 @@ CURLcode Curl_http(struct connectdata *conn, bool *done)
        the somewhat bigger ones we allow the app to disable it. Just make
        sure that the expect100header is always set to the preferred value
        here. */
-    ptr = Curl_checkheaders(data, "Expect:");
+    ptr = Curl_checkheaders(conn, "Expect:");
     if(ptr) {
       data->state.expect100header =
         Curl_compareheader(ptr, "Expect:", "100-continue");
@@ -2450,7 +2554,10 @@ CURLcode Curl_http(struct connectdata *conn, bool *done)
 
     if(data->set.postfields) {
 
-      if(!data->state.expect100header &&
+      /* In HTTP2, we send request body in DATA frame regardless of
+         its size. */
+      if(conn->httpversion != 20 &&
+         !data->state.expect100header &&
          (postsize < MAX_INITIAL_POST_SIZE))  {
         /* if we don't use expect: 100  AND
            postsize is less than MAX_INITIAL_POST_SIZE
@@ -2872,17 +2979,34 @@ CURLcode Curl_http_readwrite_headers(struct SessionHandle *data,
         k->header = TRUE;
         k->headerline = 0; /* restart the header line counter */
 
-        /* if we did wait for this do enable write now! */
-        if(k->exp100) {
-          k->exp100 = EXP100_SEND_DATA;
-          k->keepon |= KEEP_SEND;
+        /* "A user agent MAY ignore unexpected 1xx status responses." */
+        switch(k->httpcode) {
+        case 100:
+          /* if we did wait for this do enable write now! */
+          if(k->exp100) {
+            k->exp100 = EXP100_SEND_DATA;
+            k->keepon |= KEEP_SEND;
+          }
+          break;
+        case 101:
+          /* Switching Protocols */
+          if(k->upgr101 == UPGR101_REQUESTED) {
+            infof(data, "Received 101\n");
+            k->upgr101 = UPGR101_RECEIVED;
+
+            /* switch to http2 now */
+            Curl_http2_switched(conn);
+          }
+          break;
+        default:
+          break;
         }
       }
       else {
         k->header = FALSE; /* no more header to parse! */
 
         if((k->size == -1) && !k->chunk && !conn->bits.close &&
-           (conn->httpversion >= 11) &&
+           (conn->httpversion == 11) &&
            !(conn->handler->protocol & CURLPROTO_RTSP) &&
            data->set.httpreq != HTTPREQ_HEAD) {
           /* On HTTP 1.1, when connection is not to get closed, but no
@@ -3073,7 +3197,7 @@ CURLcode Curl_http_readwrite_headers(struct SessionHandle *data,
 #define HEADER1 k->p /* no conversion needed, just use k->p */
 #endif /* CURL_DOES_CONVERSIONS */
 
-      if(conn->handler->protocol & CURLPROTO_HTTP) {
+      if(conn->handler->protocol & PROTO_FAMILY_HTTP) {
         nc = sscanf(HEADER1,
                     " HTTP/%d.%d %3d",
                     &httpversion_major,
@@ -3370,7 +3494,8 @@ CURLcode Curl_http_readwrite_headers(struct SessionHandle *data,
 
     }
     else if(checkprefix("Content-Encoding:", k->p) &&
-            data->set.str[STRING_ENCODING]) {
+            (data->set.str[STRING_ENCODING] ||
+             conn->httpversion == 20)) {
       /*
        * Process Content-Encoding. Look for the values: identity,
        * gzip, deflate, compress, x-gzip and x-compress. x-gzip and

lib/http.h

@@ -7,7 +7,7 @@
  *                            | (__| |_| |  _ <| |___
  *                             \___|\___/|_| \_\_____|
  *
- * Copyright (C) 1998 - 2013, Daniel Stenberg, <daniel@haxx.se>, et al.
+ * Copyright (C) 1998 - 2014, Daniel Stenberg, <daniel@haxx.se>, et al.
  *
  * This software is licensed as described in the file COPYING, which
  * you should have received as part of this distribution. The terms
@@ -39,9 +39,13 @@ extern const struct Curl_handler Curl_handler_https;
 bool Curl_compareheader(const char *headerline,  /* line to check */
                         const char *header,   /* header keyword _with_ colon */
                         const char *content); /* content string to find */
-char *Curl_checkheaders(struct SessionHandle *data, const char *thisheader);
+
+char *Curl_checkheaders(const struct connectdata *conn,
+                        const char *thisheader);
 char *Curl_copy_header_value(const char *header);
 
+char *Curl_checkProxyheaders(const struct connectdata *conn,
+                             const char *thisheader);
 /* ------------------------------------------------------------------------- */
 /*
  * The add_buffer series of functions are used to build one large memory chunk
@@ -67,7 +71,8 @@ CURLcode Curl_add_buffer_send(Curl_send_buffer *in,
 CURLcode Curl_add_timecondition(struct SessionHandle *data,
                                 Curl_send_buffer *buf);
 CURLcode Curl_add_custom_headers(struct connectdata *conn,
-                                   Curl_send_buffer *req_buffer);
+                                 bool is_connect,
+                                 Curl_send_buffer *req_buffer);
 
 /* protocol-specific functions set up to be called by the main engine */
 CURLcode Curl_http(struct connectdata *conn, bool *done);
@@ -149,9 +154,37 @@ struct HTTP {
                         points to an allocated send_buffer struct */
 };
 
+typedef int (*sending)(void); /* Curl_send */
+typedef int (*recving)(void); /* Curl_recv */
+
 struct http_conn {
 #ifdef USE_NGHTTP2
+#define H2_BINSETTINGS_LEN 80
   nghttp2_session *h2;
+  uint8_t binsettings[H2_BINSETTINGS_LEN];
+  size_t  binlen; /* length of the binsettings data */
+  char *mem;     /* points to a buffer in memory to store */
+  size_t len;    /* size of the buffer 'mem' points to */
+  bool bodystarted;
+  sending send_underlying; /* underlying send Curl_send callback */
+  recving recv_underlying; /* underlying recv Curl_recv callback */
+  bool closed; /* TRUE on HTTP2 stream close */
+  Curl_send_buffer *header_recvbuf; /* store response headers */
+  size_t nread_header_recvbuf; /* number of bytes in header_recvbuf
+                                  fed into upper layer */
+  int32_t stream_id; /* stream we are interested in */
+  const uint8_t *data; /* pointer to data chunk, received in
+                          on_data_chunk */
+  size_t datalen; /* the number of bytes left in data */
+  char *inbuf; /* buffer to receive data from underlying socket */
+  /* We need separate buffer for transmission and reception because we
+     may call nghttp2_session_send() after the
+     nghttp2_session_mem_recv() but mem buffer is still not full. In
+     this case, we wrongly sends the content of mem buffer if we share
+     them for both cases. */
+  const uint8_t *upload_mem; /* points to a buffer to read from */
+  size_t upload_len; /* size of the buffer 'upload_mem' points to */
+  size_t upload_left; /* number of bytes left to upload */
 #else
   int unused; /* prevent a compiler warning */
 #endif

lib/http2.c

@@ -5,7 +5,7 @@
  *                            | (__| |_| |  _ <| |___
  *                             \___|\___/|_| \_\_____|
  *
- * Copyright (C) 1998 - 2013, Daniel Stenberg, <daniel@haxx.se>, et al.
+ * Copyright (C) 1998 - 2014, Daniel Stenberg, <daniel@haxx.se>, et al.
  *
  * This software is licensed as described in the file COPYING, which
  * you should have received as part of this distribution. The terms
@@ -33,10 +33,113 @@
 #include "sendf.h"
 #include "curl_base64.h"
 #include "curl_memory.h"
+#include "rawstr.h"
+#include "multiif.h"
 
 /* include memdebug.h last */
 #include "memdebug.h"
 
+#if (NGHTTP2_VERSION_NUM < 0x000300)
+#error too old nghttp2 version, upgrade!
+#endif
+
+static int http2_perform_getsock(const struct connectdata *conn,
+                                 curl_socket_t *sock, /* points to
+                                                         numsocks
+                                                         number of
+                                                         sockets */
+                                 int numsocks)
+{
+  const struct http_conn *httpc = &conn->proto.httpc;
+  int bitmap = GETSOCK_BLANK;
+  (void)numsocks;
+
+  /* TODO We should check underlying socket state if it is SSL socket
+     because of renegotiation. */
+  sock[0] = conn->sock[FIRSTSOCKET];
+
+  if(nghttp2_session_want_read(httpc->h2))
+    bitmap |= GETSOCK_READSOCK(FIRSTSOCKET);
+
+  if(nghttp2_session_want_write(httpc->h2))
+    bitmap |= GETSOCK_WRITESOCK(FIRSTSOCKET);
+
+  return bitmap;
+}
+
+static int http2_getsock(struct connectdata *conn,
+                         curl_socket_t *sock, /* points to numsocks
+                                                 number of sockets */
+                         int numsocks)
+{
+  return http2_perform_getsock(conn, sock, numsocks);
+}
+
+static CURLcode http2_disconnect(struct connectdata *conn,
+                                 bool dead_connection)
+{
+  struct http_conn *httpc = &conn->proto.httpc;
+  (void)dead_connection;
+
+  infof(conn->data, "HTTP/2 DISCONNECT starts now\n");
+
+  nghttp2_session_del(httpc->h2);
+
+  Curl_safefree(httpc->header_recvbuf->buffer);
+  Curl_safefree(httpc->header_recvbuf);
+
+  Curl_safefree(httpc->inbuf);
+
+  infof(conn->data, "HTTP/2 DISCONNECT done\n");
+
+  return CURLE_OK;
+}
+
+/*
+ * HTTP2 handler interface. This isn't added to the general list of protocols
+ * but will be used at run-time when the protocol is dynamically switched from
+ * HTTP to HTTP2.
+ */
+const struct Curl_handler Curl_handler_http2 = {
+  "HTTP2",                              /* scheme */
+  ZERO_NULL,                            /* setup_connection */
+  Curl_http,                            /* do_it */
+  ZERO_NULL,                            /* done */
+  ZERO_NULL,                            /* do_more */
+  ZERO_NULL,                            /* connect_it */
+  ZERO_NULL,                            /* connecting */
+  ZERO_NULL,                            /* doing */
+  http2_getsock,                        /* proto_getsock */
+  http2_getsock,                        /* doing_getsock */
+  ZERO_NULL,                            /* domore_getsock */
+  http2_perform_getsock,                /* perform_getsock */
+  http2_disconnect,                     /* disconnect */
+  ZERO_NULL,                            /* readwrite */
+  PORT_HTTP,                            /* defport */
+  CURLPROTO_HTTP,                       /* protocol */
+  PROTOPT_NONE                          /* flags */
+};
+
+const struct Curl_handler Curl_handler_http2_ssl = {
+  "HTTP2",                              /* scheme */
+  ZERO_NULL,                            /* setup_connection */
+  Curl_http,                            /* do_it */
+  ZERO_NULL,                            /* done */
+  ZERO_NULL,                            /* do_more */
+  ZERO_NULL,                            /* connect_it */
+  ZERO_NULL,                            /* connecting */
+  ZERO_NULL,                            /* doing */
+  http2_getsock,                        /* proto_getsock */
+  http2_getsock,                        /* doing_getsock */
+  ZERO_NULL,                            /* domore_getsock */
+  http2_perform_getsock,                /* perform_getsock */
+  http2_disconnect,                     /* disconnect */
+  ZERO_NULL,                            /* readwrite */
+  PORT_HTTP,                            /* defport */
+  CURLPROTO_HTTPS,                      /* protocol */
+  PROTOPT_SSL                           /* flags */
+};
+
 /*
  * Store nghttp2 version info in this buffer, Prefix with a space.  Return
  * total length written.
@@ -57,68 +160,273 @@ static ssize_t send_callback(nghttp2_session *h2,
                              void *userp)
 {
   struct connectdata *conn = (struct connectdata *)userp;
+  struct http_conn *httpc = &conn->proto.httpc;
   ssize_t written;
-  CURLcode rc =
-    Curl_write(conn, conn->sock[0], data, length, &written);
+  CURLcode rc;
   (void)h2;
   (void)flags;
 
-  if(rc) {
+  rc = 0;
+  written = ((Curl_send*)httpc->send_underlying)(conn, FIRSTSOCKET,
+                                                 data, length, &rc);
+
+  if(rc == CURLE_AGAIN) {
+    return NGHTTP2_ERR_WOULDBLOCK;
+  }
+
+  if(written == -1) {
     failf(conn->data, "Failed sending HTTP2 data");
     return NGHTTP2_ERR_CALLBACK_FAILURE;
   }
-  else if(!written)
+
+  if(!written)
     return NGHTTP2_ERR_WOULDBLOCK;
 
   return written;
 }
 
-/*
- * The implementation of nghttp2_recv_callback type. Here we read data from
- * the network and write them in |buf|. The capacity of |buf| is |length|
- * bytes. Returns the number of bytes stored in |buf|. See the documentation
- * of nghttp2_recv_callback for the details.
- */
-static ssize_t recv_callback(nghttp2_session *h2,
-                             uint8_t *buf, size_t length, int flags,
+static int on_frame_recv(nghttp2_session *session, const nghttp2_frame *frame,
+                         void *userp)
+{
+  struct connectdata *conn = (struct connectdata *)userp;
+  struct http_conn *c = &conn->proto.httpc;
+  int rv;
+  (void)session;
+  (void)frame;
+  infof(conn->data, "on_frame_recv() was called with header %x\n",
+        frame->hd.type);
+  switch(frame->hd.type) {
+  case NGHTTP2_HEADERS:
+    if(frame->headers.cat != NGHTTP2_HCAT_RESPONSE)
+      break;
+    c->bodystarted = TRUE;
+    Curl_add_buffer(c->header_recvbuf, "\r\n", 2);
+    c->nread_header_recvbuf = c->len < c->header_recvbuf->size_used ?
+      c->len : c->header_recvbuf->size_used;
+
+    memcpy(c->mem, c->header_recvbuf->buffer, c->nread_header_recvbuf);
+
+    c->mem += c->nread_header_recvbuf;
+    c->len -= c->nread_header_recvbuf;
+    break;
+  case NGHTTP2_PUSH_PROMISE:
+    rv = nghttp2_submit_rst_stream(session, NGHTTP2_FLAG_NONE,
+                                   frame->hd.stream_id, NGHTTP2_CANCEL);
+    if(nghttp2_is_fatal(rv)) {
+      return rv;
+    }
+    break;
+  }
+  return 0;
+}
+
+static int on_invalid_frame_recv(nghttp2_session *session,
+                                 const nghttp2_frame *frame,
+                                 nghttp2_error_code error_code, void *userp)
+{
+  struct connectdata *conn = (struct connectdata *)userp;
+  (void)session;
+  (void)frame;
+  infof(conn->data, "on_invalid_frame_recv() was called, error_code = %d\n",
+        error_code);
+  return 0;
+}
+
+static int on_data_chunk_recv(nghttp2_session *session, uint8_t flags,
+                              int32_t stream_id,
+                              const uint8_t *data, size_t len, void *userp)
+{
+  struct connectdata *conn = (struct connectdata *)userp;
+  struct http_conn *c = &conn->proto.httpc;
+  size_t nread;
+  (void)session;
+  (void)flags;
+  (void)data;
+  infof(conn->data, "on_data_chunk_recv() "
+        "len = %u, stream = %x\n", len, stream_id);
+
+  if(stream_id != c->stream_id) {
+    return 0;
+  }
+
+  nread = c->len < len ? c->len : len;
+  memcpy(c->mem, data, nread);
+
+  c->mem += nread;
+  c->len -= nread;
+
+  infof(conn->data, "%zu data written\n", nread);
+
+  if(nread < len) {
+    c->data = data + nread;
+    c->datalen = len - nread;
+    return NGHTTP2_ERR_PAUSE;
+  }
+  return 0;
+}
+
+static int before_frame_send(nghttp2_session *session,
+                             const nghttp2_frame *frame,
                              void *userp)
 {
   struct connectdata *conn = (struct connectdata *)userp;
-  ssize_t nread;
-  CURLcode rc = Curl_read(conn, conn->sock[0], (char *)buf, length, &nread);
-  (void)h2;
+  (void)session;
+  (void)frame;
+  infof(conn->data, "before_frame_send() was called\n");
+  return 0;
+}
+static int on_frame_send(nghttp2_session *session,
+                         const nghttp2_frame *frame,
+                         void *userp)
+{
+  struct connectdata *conn = (struct connectdata *)userp;
+  (void)session;
+  (void)frame;
+  infof(conn->data, "on_frame_send() was called\n");
+  return 0;
+}
+static int on_frame_not_send(nghttp2_session *session,
+                             const nghttp2_frame *frame,
+                             int lib_error_code, void *userp)
+{
+  struct connectdata *conn = (struct connectdata *)userp;
+  (void)session;
+  (void)frame;
+  infof(conn->data, "on_frame_not_send() was called, lib_error_code = %d\n",
+        lib_error_code);
+  return 0;
+}
+static int on_stream_close(nghttp2_session *session, int32_t stream_id,
+                           nghttp2_error_code error_code, void *userp)
+{
+  struct connectdata *conn = (struct connectdata *)userp;
+  struct http_conn *c = &conn->proto.httpc;
+  (void)session;
+  (void)stream_id;
+  infof(conn->data, "on_stream_close() was called, error_code = %d\n",
+        error_code);
+
+  if(stream_id != c->stream_id) {
+    return 0;
+  }
+
+  c->closed = TRUE;
+
+  return 0;
+}
+
+static int on_unknown_frame_recv(nghttp2_session *session,
+                                 const uint8_t *head, size_t headlen,
+                                 const uint8_t *payload, size_t payloadlen,
+                                 void *userp)
+{
+  struct connectdata *conn = (struct connectdata *)userp;
+  (void)session;
+  (void)head;
+  (void)headlen;
+  (void)payload;
+  (void)payloadlen;
+  infof(conn->data, "on_unknown_frame_recv() was called\n");
+  return 0;
+}
+static int on_begin_headers(nghttp2_session *session,
+                            const nghttp2_frame *frame, void *userp)
+{
+  struct connectdata *conn = (struct connectdata *)userp;
+  (void)session;
+  (void)frame;
+  infof(conn->data, "on_begin_headers() was called\n");
+  return 0;
+}
+
+static const char STATUS[] = ":status";
+
+/* frame->hd.type is either NGHTTP2_HEADERS or NGHTTP2_PUSH_PROMISE */
+static int on_header(nghttp2_session *session, const nghttp2_frame *frame,
+                     const uint8_t *name, size_t namelen,
+                     const uint8_t *value, size_t valuelen,
+                     uint8_t flags,
+                     void *userp)
+{
+  struct connectdata *conn = (struct connectdata *)userp;
+  struct http_conn *c = &conn->proto.httpc;
+  (void)session;
+  (void)frame;
   (void)flags;
 
-  if(rc) {
-    failf(conn->data, "Failed recving HTTP2 data");
-    return NGHTTP2_ERR_CALLBACK_FAILURE;
+  if(frame->hd.stream_id != c->stream_id) {
+    return 0;
   }
-  if(!nread)
-    return NGHTTP2_ERR_WOULDBLOCK;
 
-  return nread;
+  if(namelen == sizeof(":status") - 1 &&
+     memcmp(STATUS, name, namelen) == 0) {
+    snprintf(c->header_recvbuf->buffer, 13, "HTTP/2.0 %s", value);
+    c->header_recvbuf->buffer[12] = '\r';
+    return 0;
+  }
+  else {
+    /* convert to a HTTP1-style header */
+    infof(conn->data, "got header\n");
+    Curl_add_buffer(c->header_recvbuf, name, namelen);
+    Curl_add_buffer(c->header_recvbuf, ":", 1);
+    Curl_add_buffer(c->header_recvbuf, value, valuelen);
+    Curl_add_buffer(c->header_recvbuf, "\r\n", 2);
+  }
+
+  return 0; /* 0 is successful */
 }
 
 /*
  * This is all callbacks nghttp2 calls
  */
 static const nghttp2_session_callbacks callbacks = {
-  send_callback,
-  recv_callback,
-  NULL,
-  NULL,
-  NULL,
-  NULL,
-  NULL,
-  NULL,
-  NULL,
-  NULL,
-  NULL,
-  NULL,
-  NULL,
-  NULL
+  send_callback,         /* nghttp2_send_callback */
+  NULL,                  /* nghttp2_recv_callback */
+  on_frame_recv,         /* nghttp2_on_frame_recv_callback */
+  on_invalid_frame_recv, /* nghttp2_on_invalid_frame_recv_callback */
+  on_data_chunk_recv,    /* nghttp2_on_data_chunk_recv_callback */
+  before_frame_send,     /* nghttp2_before_frame_send_callback */
+  on_frame_send,         /* nghttp2_on_frame_send_callback */
+  on_frame_not_send,     /* nghttp2_on_frame_not_send_callback */
+  on_stream_close,       /* nghttp2_on_stream_close_callback */
+  on_unknown_frame_recv, /* nghttp2_on_unknown_frame_recv_callback */
+  on_begin_headers,      /* nghttp2_on_begin_headers_callback */
+  on_header              /* nghttp2_on_header_callback */
+#if NGHTTP2_VERSION_NUM >= 0x000400
+  , NULL                 /* nghttp2_select_padding_callback */
+#endif
 };
 
+static ssize_t data_source_read_callback(nghttp2_session *session,
+                                         int32_t stream_id,
+                                         uint8_t *buf, size_t length,
+                                         uint32_t *data_flags,
+                                         nghttp2_data_source *source,
+                                         void *userp)
+{
+  struct connectdata *conn = (struct connectdata *)userp;
+  struct http_conn *c = &conn->proto.httpc;
+  size_t nread;
+  (void)session;
+  (void)stream_id;
+  (void)source;
+
+  nread = c->upload_len < length ? c->upload_len : length;
+  if(nread > 0) {
+    memcpy(buf, c->upload_mem, nread);
+    c->upload_mem += nread;
+    c->upload_len -= nread;
+    c->upload_left -= nread;
+  }
+
+  if(c->upload_left == 0)
+    *data_flags = 1;
+  else if(nread == 0)
+    return NGHTTP2_ERR_DEFERRED;
+
+  return nread;
+}
+
 /*
  * The HTTP2 settings we send in the Upgrade request
  */
@@ -127,27 +435,53 @@ static nghttp2_settings_entry settings[] = {
   { NGHTTP2_SETTINGS_INITIAL_WINDOW_SIZE, NGHTTP2_INITIAL_WINDOW_SIZE },
 };
 
-/*
- * Append headers to ask for a HTTP1.1 to HTTP2 upgrade.
- */
-CURLcode Curl_http2_request(Curl_send_buffer *req,
-                            struct connectdata *conn)
-{
-  uint8_t binsettings[80];
-  CURLcode result;
-  ssize_t binlen;
-  char *base64;
-  size_t blen;
+#define H2_BUFSIZE 4096
 
+/*
+ * Initialize nghttp2 for a Curl connection
+ */
+CURLcode Curl_http2_init(struct connectdata *conn)
+{
   if(!conn->proto.httpc.h2) {
+    int rc;
+    conn->proto.httpc.inbuf = malloc(H2_BUFSIZE);
+    if(conn->proto.httpc.inbuf == NULL)
+      return CURLE_OUT_OF_MEMORY;
+
     /* The nghttp2 session is not yet setup, do it */
-    int rc = nghttp2_session_client_new(&conn->proto.httpc.h2,
-                                        &callbacks, &conn);
+    rc = nghttp2_session_client_new(&conn->proto.httpc.h2,
+                                    &callbacks, conn);
     if(rc) {
       failf(conn->data, "Couldn't initialize nghttp2!");
       return CURLE_OUT_OF_MEMORY; /* most likely at least */
     }
   }
+  return CURLE_OK;
+}
+
+/*
+ * Send a request using http2
+ */
+CURLcode Curl_http2_send_request(struct connectdata *conn)
+{
+  (void)conn;
+  return CURLE_OK;
+}
+
+/*
+ * Append headers to ask for a HTTP1.1 to HTTP2 upgrade.
+ */
+CURLcode Curl_http2_request_upgrade(Curl_send_buffer *req,
+                                    struct connectdata *conn)
+{
+  CURLcode result;
+  ssize_t binlen;
+  char *base64;
+  size_t blen;
+  struct SingleRequest *k = &conn->data->req;
+  uint8_t *binsettings = conn->proto.httpc.binsettings;
+
+  Curl_http2_init(conn);
 
   /* As long as we have a fixed set of settings, we don't have to dynamically
    * figure out the base64 strings since it'll always be the same. However,
@@ -155,14 +489,14 @@ CURLcode Curl_http2_request(Curl_send_buffer *req,
    */
 
   /* this returns number of bytes it wrote */
-  binlen = nghttp2_pack_settings_payload(binsettings,
-                                         sizeof(binsettings),
+  binlen = nghttp2_pack_settings_payload(binsettings, H2_BINSETTINGS_LEN,
                                          settings,
                                          sizeof(settings)/sizeof(settings[0]));
   if(!binlen) {
     failf(conn->data, "nghttp2 unexpectedly failed on pack_settings_payload");
     return CURLE_FAILED_INIT;
   }
+  conn->proto.httpc.binlen = binlen;
 
   result = Curl_base64_encode(conn->data, (const char *)binsettings, binlen,
                               &base64, &blen);
@@ -173,10 +507,344 @@ CURLcode Curl_http2_request(Curl_send_buffer *req,
                             "Connection: Upgrade, HTTP2-Settings\r\n"
                             "Upgrade: %s\r\n"
                             "HTTP2-Settings: %s\r\n",
-                            NGHTTP2_PROTO_VERSION_ID, base64);
-  free(base64);
+                            NGHTTP2_CLEARTEXT_PROTO_VERSION_ID, base64);
+  Curl_safefree(base64);
+
+  k->upgr101 = UPGR101_REQUESTED;
 
   return result;
 }
 
+/*
+ * If the read would block (EWOULDBLOCK) we return -1. Otherwise we return
+ * a regular CURLcode value.
+ */
+static ssize_t http2_recv(struct connectdata *conn, int sockindex,
+                          char *mem, size_t len, CURLcode *err)
+{
+  CURLcode rc;
+  ssize_t rv;
+  ssize_t nread;
+  struct http_conn *httpc = &conn->proto.httpc;
+
+  (void)sockindex; /* we always do HTTP2 on sockindex 0 */
+
+  if(httpc->closed) {
+    return 0;
+  }
+
+  /* Nullify here because we call nghttp2_session_send() and they
+     might refer to the old buffer. */
+  httpc->upload_mem = NULL;
+  httpc->upload_len = 0;
+
+  if(httpc->bodystarted &&
+     httpc->nread_header_recvbuf < httpc->header_recvbuf->size_used) {
+    size_t left =
+      httpc->header_recvbuf->size_used - httpc->nread_header_recvbuf;
+    size_t ncopy = len < left ? len : left;
+    memcpy(mem, httpc->header_recvbuf->buffer + httpc->nread_header_recvbuf,
+           ncopy);
+    httpc->nread_header_recvbuf += ncopy;
+    return ncopy;
+  }
+
+  if(httpc->data) {
+    nread = len < httpc->datalen ? len : httpc->datalen;
+    memcpy(mem, httpc->data, nread);
+
+    httpc->data += nread;
+    httpc->datalen -= nread;
+
+    infof(conn->data, "%zu data written\n", nread);
+    if(httpc->datalen == 0) {
+      httpc->data = NULL;
+      httpc->datalen = 0;
+    }
+    return nread;
+  }
+
+  conn->proto.httpc.mem = mem;
+  conn->proto.httpc.len = len;
+
+  infof(conn->data, "http2_recv: %d bytes buffer\n",
+        conn->proto.httpc.len);
+
+  rc = 0;
+  nread = ((Curl_recv*)httpc->recv_underlying)(conn, FIRSTSOCKET,
+                                               httpc->inbuf, H2_BUFSIZE, &rc);
+
+  if(rc == CURLE_AGAIN) {
+    *err = rc;
+    return -1;
+  }
+
+  if(nread == -1) {
+    failf(conn->data, "Failed receiving HTTP2 data");
+    *err = rc;
+    return 0;
+  }
+
+  infof(conn->data, "nread=%zd\n", nread);
+  rv = nghttp2_session_mem_recv(httpc->h2,
+                                (const uint8_t *)httpc->inbuf, nread);
+
+  if(nghttp2_is_fatal((int)rv)) {
+    failf(conn->data, "nghttp2_session_mem_recv() returned %d:%s\n",
+          rv, nghttp2_strerror((int)rv));
+    *err = CURLE_RECV_ERROR;
+    return 0;
+  }
+  infof(conn->data, "nghttp2_session_mem_recv() returns %zd\n", rv);
+  /* Always send pending frames in nghttp2 session, because
+     nghttp2_session_mem_recv() may queue new frame */
+  rv = nghttp2_session_send(httpc->h2);
+  if(rv != 0) {
+    *err = CURLE_SEND_ERROR;
+    return 0;
+  }
+  if(len != httpc->len) {
+    return len - conn->proto.httpc.len;
+  }
+  /* If stream is closed, return 0 to signal the http routine to close
+     the connection */
+  if(httpc->closed) {
+    return 0;
+  }
+  *err = CURLE_AGAIN;
+  return -1;
+}
+
+/* return number of received (decrypted) bytes */
+static ssize_t http2_send(struct connectdata *conn, int sockindex,
+                          const void *mem, size_t len, CURLcode *err)
+{
+  /*
+   * BIG TODO: Currently, we send request in this function, but this
+   * function is also used to send request body. It would be nice to
+   * add dedicated function for request.
+   */
+  int rv;
+  struct http_conn *httpc = &conn->proto.httpc;
+  nghttp2_nv *nva;
+  size_t nheader;
+  size_t i;
+  char *hdbuf = (char*)mem;
+  char *end;
+  nghttp2_data_provider data_prd;
+  int32_t stream_id;
+
+  (void)sockindex;
+
+  infof(conn->data, "http2_send len=%zu\n", len);
+
+  if(httpc->stream_id != -1) {
+    /* If stream_id != -1, we have dispatched request HEADERS, and now
+       are going to send or sending request body in DATA frame */
+    httpc->upload_mem = mem;
+    httpc->upload_len = len;
+    nghttp2_session_resume_data(httpc->h2, httpc->stream_id);
+    rv = nghttp2_session_send(httpc->h2);
+    if(nghttp2_is_fatal(rv)) {
+      *err = CURLE_SEND_ERROR;
+      return -1;
+    }
+    return len - httpc->upload_len;
+  }
+
+  /* Calculate number of headers contained in [mem, mem + len) */
+  /* Here, we assume the curl http code generate *correct* HTTP header
+     field block */
+  nheader = 0;
+  for(i = 0; i < len; ++i) {
+    if(hdbuf[i] == 0x0a) {
+      ++nheader;
+    }
+  }
+  /* We counted additional 2 \n in the first and last line. We need 3
+     new headers: :method, :path and :scheme. Therefore we need one
+     more space. */
+  nheader += 1;
+  nva = malloc(sizeof(nghttp2_nv) * nheader);
+  if(nva == NULL) {
+    *err = CURLE_OUT_OF_MEMORY;
+    return -1;
+  }
+  /* Extract :method, :path from request line */
+  end = strchr(hdbuf, ' ');
+  nva[0].name = (unsigned char *)":method";
+  nva[0].namelen = (uint16_t)strlen((char *)nva[0].name);
+  nva[0].value = (unsigned char *)hdbuf;
+  nva[0].valuelen = (uint16_t)(end - hdbuf);
+  nva[0].flags = NGHTTP2_NV_FLAG_NONE;
+
+  hdbuf = end + 1;
+
+  end = strchr(hdbuf, ' ');
+  nva[1].name = (unsigned char *)":path";
+  nva[1].namelen = (uint16_t)strlen((char *)nva[1].name);
+  nva[1].value = (unsigned char *)hdbuf;
+  nva[1].valuelen = (uint16_t)(end - hdbuf);
+  nva[1].flags = NGHTTP2_NV_FLAG_NONE;
+
+  nva[2].name = (unsigned char *)":scheme";
+  nva[2].namelen = (uint16_t)strlen((char *)nva[2].name);
+  if(conn->handler->flags & PROTOPT_SSL)
+    nva[2].value = (unsigned char *)"https";
+  else
+    nva[2].value = (unsigned char *)"http";
+  nva[2].valuelen = (uint16_t)strlen((char *)nva[2].value);
+  nva[2].flags = NGHTTP2_NV_FLAG_NONE;
+
+  hdbuf = strchr(hdbuf, 0x0a);
+  ++hdbuf;
+
+  for(i = 3; i < nheader; ++i) {
+    end = strchr(hdbuf, ':');
+    assert(end);
+    if(end - hdbuf == 4 && Curl_raw_nequal("host", hdbuf, 4)) {
+      nva[i].name = (unsigned char *)":authority";
+      nva[i].namelen = (uint16_t)strlen((char *)nva[i].name);
+    }
+    else {
+      nva[i].name = (unsigned char *)hdbuf;
+      nva[i].namelen = (uint16_t)(end - hdbuf);
+    }
+    hdbuf = end + 1;
+    for(; *hdbuf == ' '; ++hdbuf);
+    end = strchr(hdbuf, 0x0d);
+    assert(end);
+    nva[i].value = (unsigned char *)hdbuf;
+    nva[i].valuelen = (uint16_t)(end - hdbuf);
+    nva[i].flags = NGHTTP2_NV_FLAG_NONE;
+
+    hdbuf = end + 2;
+    /* Inspect Content-Length header field and retrieve the request
+       entity length so that we can set END_STREAM to the last DATA
+       frame. */
+    if(nva[i].namelen == 14 &&
+       Curl_raw_nequal("content-length", (char*)nva[i].name, 14)) {
+      size_t j;
+      for(j = 0; j < nva[i].valuelen; ++j) {
+        httpc->upload_left *= 10;
+        httpc->upload_left += nva[i].value[j] - '0';
+      }
+      infof(conn->data, "request content-length=%zu\n", httpc->upload_left);
+    }
+  }
+
+  switch(conn->data->set.httpreq) {
+  case HTTPREQ_POST:
+  case HTTPREQ_POST_FORM:
+  case HTTPREQ_PUT:
+    data_prd.read_callback = data_source_read_callback;
+    data_prd.source.ptr = NULL;
+    stream_id = nghttp2_submit_request(httpc->h2, NULL, nva, nheader,
+                                       &data_prd, NULL);
+    break;
+  default:
+    stream_id = nghttp2_submit_request(httpc->h2, NULL, nva, nheader,
+                                       NULL, NULL);
+  }
+
+  Curl_safefree(nva);
+
+  if(stream_id < 0) {
+    *err = CURLE_SEND_ERROR;
+    return -1;
+  }
+
+  httpc->stream_id = stream_id;
+
+  rv = nghttp2_session_send(httpc->h2);
+
+  if(rv != 0) {
+    *err = CURLE_SEND_ERROR;
+    return -1;
+  }
+
+  if(httpc->stream_id != -1) {
+    /* If whole HEADERS frame was sent off to the underlying socket,
+       the nghttp2 library calls data_source_read_callback. But only
+       it found that no data available, so it deferred the DATA
+       transmission. Which means that nghttp2_session_want_write()
+       returns 0 on http2_perform_getsock(), which results that no
+       writable socket check is performed. To workaround this, we
+       issue nghttp2_session_resume_data() here to bring back DATA
+       transmission from deferred state. */
+    nghttp2_session_resume_data(httpc->h2, httpc->stream_id);
+  }
+
+  return len;
+}
+
+void Curl_http2_setup(struct connectdata *conn)
+{
+  struct http_conn *httpc = &conn->proto.httpc;
+  if(conn->handler->flags & PROTOPT_SSL)
+    conn->handler = &Curl_handler_http2_ssl;
+  else
+    conn->handler = &Curl_handler_http2;
+
+  infof(conn->data, "Using HTTP2\n");
+  httpc->bodystarted = FALSE;
+  httpc->closed = FALSE;
+  httpc->header_recvbuf = Curl_add_buffer_init();
+  httpc->nread_header_recvbuf = 0;
+  httpc->data = NULL;
+  httpc->datalen = 0;
+  httpc->upload_left = 0;
+  httpc->upload_mem = NULL;
+  httpc->upload_len = 0;
+  httpc->stream_id = -1;
+
+  conn->httpversion = 20;
+
+  /* Put place holder for status line */
+  Curl_add_buffer(httpc->header_recvbuf, "HTTP/2.0 200\r\n", 14);
+}
+
+int Curl_http2_switched(struct connectdata *conn)
+{
+  /* TODO: May get CURLE_AGAIN */
+  CURLcode rc;
+  struct http_conn *httpc = &conn->proto.httpc;
+  int rv;
+
+  httpc->recv_underlying = (recving)conn->recv[FIRSTSOCKET];
+  httpc->send_underlying = (sending)conn->send[FIRSTSOCKET];
+  conn->recv[FIRSTSOCKET] = http2_recv;
+  conn->send[FIRSTSOCKET] = http2_send;
+
+  rv = (int) ((Curl_send*)httpc->send_underlying)
+    (conn, FIRSTSOCKET,
+     NGHTTP2_CLIENT_CONNECTION_PREFACE,
+     NGHTTP2_CLIENT_CONNECTION_PREFACE_LEN,
+     &rc);
+  assert(rv == 24);
+  if(conn->data->req.upgr101 == UPGR101_RECEIVED) {
+    /* stream 1 is opened implicitly on upgrade */
+    httpc->stream_id = 1;
+    /* queue SETTINGS frame (again) */
+    rv = nghttp2_session_upgrade(httpc->h2, httpc->binsettings,
+                                 httpc->binlen, NULL);
+    if(rv != 0) {
+      failf(conn->data, "nghttp2_session_upgrade() failed: %s(%d)",
+            nghttp2_strerror(rv), rv);
+      return -1;
+    }
+  }
+  else {
+    /* stream ID is unknown at this point */
+    httpc->stream_id = -1;
+    rv = nghttp2_submit_settings(httpc->h2, NGHTTP2_FLAG_NONE, NULL, 0);
+    if(rv != 0) {
+      failf(conn->data, "nghttp2_submit_settings() failed: %s(%d)",
+            nghttp2_strerror(rv), rv);
+      return -1;
+    }
+  }
+  return 0;
+}
+
 #endif

lib/http2.h

@@ -7,7 +7,7 @@
  *                            | (__| |_| |  _ <| |___
  *                             \___|\___/|_| \_\_____|
  *
- * Copyright (C) 1998 - 2013, Daniel Stenberg, <daniel@haxx.se>, et al.
+ * Copyright (C) 1998 - 2014, Daniel Stenberg, <daniel@haxx.se>, et al.
  *
  * This software is licensed as described in the file COPYING, which
  * you should have received as part of this distribution. The terms
@@ -32,10 +32,18 @@
  */
 int Curl_http2_ver(char *p, size_t len);
 
-CURLcode Curl_http2_request(Curl_send_buffer *req,
-                            struct connectdata *conn);
+CURLcode Curl_http2_init(struct connectdata *conn);
+CURLcode Curl_http2_send_request(struct connectdata *conn);
+CURLcode Curl_http2_request_upgrade(Curl_send_buffer *req,
+                                    struct connectdata *conn);
+void Curl_http2_setup(struct connectdata *conn);
+int Curl_http2_switched(struct connectdata *conn);
 #else /* USE_NGHTTP2 */
-#define Curl_http2_request(x,y) CURLE_OK
+#define Curl_http2_init(x)
+#define Curl_http2_send_request(x)
+#define Curl_http2_request_upgrade(x,y) CURLE_OK
+#define Curl_http2_switched(x)
+#define Curl_http2_setup(x)
 #endif
 
 #endif /* HEADER_CURL_HTTP2_H */

lib/http_chunks.c

@@ -162,8 +162,8 @@ CHUNKcode Curl_httpchunk_read(struct connectdata *conn,
         }
 
         ch->datasize=curlx_strtoofft(ch->hexbuffer, &endptr, 16);
-        if(errno == ERANGE)
-          /* over or underflow is an error */
+        if((ch->datasize == CURL_OFF_T_MAX) && (errno == ERANGE))
+          /* overflow is an error */
           return CHUNKE_ILLEGAL_HEX;
         ch->state = CHUNK_LF; /* now wait for the CRLF */
       }
@@ -361,4 +361,25 @@ CHUNKcode Curl_httpchunk_read(struct connectdata *conn,
   }
   return CHUNKE_OK;
 }
+
+const char *Curl_chunked_strerror(CHUNKcode code)
+{
+  switch (code) {
+  default:
+    return "OK";
+  case CHUNKE_TOO_LONG_HEX:
+    return "Too long hexadecimal number";
+  case CHUNKE_ILLEGAL_HEX:
+    return "Illegal or missing hexadecimal sequence";
+  case CHUNKE_BAD_CHUNK:
+    return "Malformed encoding found";
+  case CHUNKE_WRITE_ERROR:
+    return "Write error";
+  case CHUNKE_BAD_ENCODING:
+    return "Bad content-encoding found";
+  case CHUNKE_OUT_OF_MEMORY:
+    return "Out of memory";
+  }
+}
+
 #endif /* CURL_DISABLE_HTTP */

lib/http_chunks.h

@@ -72,12 +72,13 @@ typedef enum {
   CHUNKE_ILLEGAL_HEX,
   CHUNKE_BAD_CHUNK,
   CHUNKE_WRITE_ERROR,
-  CHUNKE_STATE_ERROR,
   CHUNKE_BAD_ENCODING,
   CHUNKE_OUT_OF_MEMORY,
   CHUNKE_LAST
 } CHUNKcode;
 
+const char *Curl_chunked_strerror(CHUNKcode code);
+
 struct Curl_chunker {
   char hexbuffer[ MAXNUM_SIZE + 1];
   int hexindex;

lib/http_negotiate_sspi.c

@@ -5,7 +5,7 @@
  *                            | (__| |_| |  _ <| |___
  *                             \___|\___/|_| \_\_____|
  *
- * Copyright (C) 1998 - 2012, Daniel Stenberg, <daniel@haxx.se>, et al.
+ * Copyright (C) 1998 - 2014, Daniel Stenberg, <daniel@haxx.se>, et al.
  *
  * This software is licensed as described in the file COPYING, which
  * you should have received as part of this distribution. The terms
@@ -24,7 +24,7 @@
 
 #ifdef USE_WINDOWS_SSPI
 
-#ifndef CURL_DISABLE_HTTP
+#if !defined(CURL_DISABLE_HTTP) && defined(USE_HTTP_NEGOTIATE)
 
 #include "urldata.h"
 #include "sendf.h"
@@ -300,6 +300,6 @@ void Curl_cleanup_negotiate(struct SessionHandle *data)
   cleanup(&data->state.proxyneg);
 }
 
+#endif /* !CURL_DISABLE_HTTP && USE_HTTP_NEGOTIATE */
 
-#endif
-#endif
+#endif /* USE_WINDOWS_SSPI */

lib/http_proxy.c

@@ -5,7 +5,7 @@
  *                            | (__| |_| |  _ <| |___
  *                             \___|\___/|_| \_\_____|
  *
- * Copyright (C) 1998 - 2013, Daniel Stenberg, <daniel@haxx.se>, et al.
+ * Copyright (C) 1998 - 2014, Daniel Stenberg, <daniel@haxx.se>, et al.
  *
  * This software is licensed as described in the file COPYING, which
  * you should have received as part of this distribution. The terms
@@ -92,7 +92,7 @@ CURLcode Curl_proxy_connect(struct connectdata *conn)
 CURLcode Curl_proxyCONNECT(struct connectdata *conn,
                            int sockindex,
                            const char *hostname,
-                           unsigned short remote_port)
+                           int remote_port)
 {
   int subversion=0;
   struct SessionHandle *data=conn->data;
@@ -165,7 +165,7 @@ CURLcode Curl_proxyCONNECT(struct connectdata *conn,
           return CURLE_OUT_OF_MEMORY;
         }
 
-        if(!Curl_checkheaders(data, "Host:")) {
+        if(!Curl_checkProxyheaders(conn, "Host:")) {
           host = aprintf("Host: %s\r\n", hostheader);
           if(!host) {
             free(hostheader);
@@ -173,10 +173,10 @@ CURLcode Curl_proxyCONNECT(struct connectdata *conn,
             return CURLE_OUT_OF_MEMORY;
           }
         }
-        if(!Curl_checkheaders(data, "Proxy-Connection:"))
+        if(!Curl_checkProxyheaders(conn, "Proxy-Connection:"))
           proxyconn = "Proxy-Connection: Keep-Alive\r\n";
 
-        if(!Curl_checkheaders(data, "User-Agent:") &&
+        if(!Curl_checkProxyheaders(conn, "User-Agent:") &&
            data->set.str[STRING_USERAGENT])
           useragent = conn->allocptr.uagent;
 
@@ -200,7 +200,7 @@ CURLcode Curl_proxyCONNECT(struct connectdata *conn,
         free(hostheader);
 
         if(CURLE_OK == result)
-          result = Curl_add_custom_headers(conn, req_buffer);
+          result = Curl_add_custom_headers(conn, TRUE, req_buffer);
 
         if(CURLE_OK == result)
           /* CRLF terminate the request */

lib/http_proxy.h

@@ -7,7 +7,7 @@
  *                            | (__| |_| |  _ <| |___
  *                             \___|\___/|_| \_\_____|
  *
- * Copyright (C) 1998 - 2012, Daniel Stenberg, <daniel@haxx.se>, et al.
+ * Copyright (C) 1998 - 2014, Daniel Stenberg, <daniel@haxx.se>, et al.
  *
  * This software is licensed as described in the file COPYING, which
  * you should have received as part of this distribution. The terms
@@ -26,7 +26,7 @@
 /* ftp can use this as well */
 CURLcode Curl_proxyCONNECT(struct connectdata *conn,
                            int tunnelsocket,
-                           const char *hostname, unsigned short remote_port);
+                           const char *hostname, int remote_port);
 
 /* Default proxy timeout in milliseconds */
 #define PROXY_TIMEOUT (3600*1000)

lib/imap.c

@@ -5,7 +5,7 @@
  *                            | (__| |_| |  _ <| |___
  *                             \___|\___/|_| \_\_____|
  *
- * Copyright (C) 1998 - 2013, Daniel Stenberg, <daniel@haxx.se>, et al.
+ * Copyright (C) 1998 - 2014, Daniel Stenberg, <daniel@haxx.se>, et al.
  *
  * This software is licensed as described in the file COPYING, which
  * you should have received as part of this distribution. The terms
@@ -131,8 +131,7 @@ const struct Curl_handler Curl_handler_imap = {
   ZERO_NULL,                        /* readwrite */
   PORT_IMAP,                        /* defport */
   CURLPROTO_IMAP,                   /* protocol */
-  PROTOPT_CLOSEACTION | PROTOPT_NEEDSPWD
-  | PROTOPT_NOURLQUERY              /* flags */
+  PROTOPT_CLOSEACTION | PROTOPT_NEEDSPWD  /* flags */
 };
 
 #ifdef USE_SSL
@@ -156,9 +155,9 @@ const struct Curl_handler Curl_handler_imaps = {
   imap_disconnect,                  /* disconnect */
   ZERO_NULL,                        /* readwrite */
   PORT_IMAPS,                       /* defport */
-  CURLPROTO_IMAP | CURLPROTO_IMAPS, /* protocol */
-  PROTOPT_CLOSEACTION | PROTOPT_SSL | PROTOPT_NEEDSPWD
-  | PROTOPT_NOURLQUERY              /* flags */
+  CURLPROTO_IMAPS,                  /* protocol */
+  PROTOPT_CLOSEACTION | PROTOPT_SSL |
+  PROTOPT_NEEDSPWD                  /* flags */
 };
 #endif
 
@@ -258,7 +257,7 @@ static bool imap_matchresp(const char *line, size_t len, const char *cmd)
   /* Does the command name match and is it followed by a space character or at
      the end of line? */
   if(line + cmd_len <= end && Curl_raw_nequal(line, cmd, cmd_len) &&
-     (line[cmd_len] == ' ' || line + cmd_len == end))
+     (line[cmd_len] == ' ' || line + cmd_len + 2 == end))
     return TRUE;
 
   return FALSE;
@@ -332,6 +331,11 @@ static bool imap_endofresp(struct connectdata *conn, char *line, size_t len,
           return FALSE;
         break;
 
+      case IMAP_SEARCH:
+        if(!imap_matchresp(line, len, "SEARCH"))
+          return FALSE;
+        break;
+
       /* Ignore other untagged responses */
       default:
         return FALSE;
@@ -439,6 +443,7 @@ static void state(struct connectdata *conn, imapstate newstate)
     "FETCH_FINAL",
     "APPEND",
     "APPEND_FINAL",
+    "SEARCH",
     "LOGOUT",
     /* LAST */
   };
@@ -735,9 +740,15 @@ static CURLcode imap_perform_fetch(struct connectdata *conn)
   }
 
   /* Send the FETCH command */
-  result = imap_sendf(conn, "FETCH %s BODY[%s]",
-                      imap->uid,
-                      imap->section ? imap->section : "");
+  if(imap->partial)
+    result = imap_sendf(conn, "FETCH %s BODY[%s]<%s>",
+                        imap->uid,
+                        imap->section ? imap->section : "",
+                        imap->partial);
+  else
+    result = imap_sendf(conn, "FETCH %s BODY[%s]",
+                        imap->uid,
+                        imap->section ? imap->section : "");
 
   if(!result)
     state(conn, IMAP_FETCH);
@@ -764,7 +775,7 @@ static CURLcode imap_perform_append(struct connectdata *conn)
   }
 
   /* Check we know the size of the upload */
-  if(conn->data->set.infilesize < 0) {
+  if(conn->data->state.infilesize < 0) {
     failf(conn->data, "Cannot APPEND with unknown input file size\n");
     return CURLE_UPLOAD_FAILED;
   }
@@ -776,7 +787,7 @@ static CURLcode imap_perform_append(struct connectdata *conn)
 
   /* Send the APPEND command */
   result = imap_sendf(conn, "APPEND %s (\\Seen) {%" CURL_FORMAT_CURL_OFF_T "}",
-                      mailbox, conn->data->set.infilesize);
+                      mailbox, conn->data->state.infilesize);
 
   Curl_safefree(mailbox);
 
@@ -786,6 +797,32 @@ static CURLcode imap_perform_append(struct connectdata *conn)
   return result;
 }
 
+/***********************************************************************
+ *
+ * imap_perform_search()
+ *
+ * Sends a SEARCH command.
+ */
+static CURLcode imap_perform_search(struct connectdata *conn)
+{
+  CURLcode result = CURLE_OK;
+  struct IMAP *imap = conn->data->req.protop;
+
+  /* Check we have a query string */
+  if(!imap->query) {
+    failf(conn->data, "Cannot SEARCH without a query string.");
+    return CURLE_URL_MALFORMAT;
+  }
+
+  /* Send the SEARCH command */
+  result = imap_sendf(conn, "SEARCH %s", imap->query);
+
+  if(!result)
+    state(conn, IMAP_SEARCH);
+
+  return result;
+}
+
 /***********************************************************************
  *
  * imap_perform_logout()
@@ -1110,10 +1147,6 @@ static CURLcode imap_state_auth_digest_resp(struct connectdata *conn,
   char *rplyb64 = NULL;
   size_t len = 0;
 
-  char nonce[64];
-  char realm[128];
-  char algorithm[64];
-
   (void)instate; /* no use for this yet */
 
   if(imapcode != '+') {
@@ -1124,30 +1157,26 @@ static CURLcode imap_state_auth_digest_resp(struct connectdata *conn,
   /* Get the challenge message */
   imap_get_message(data->state.buffer, &chlg64);
 
-  /* Decode the challange message */
-  result = Curl_sasl_decode_digest_md5_message(chlg64, nonce, sizeof(nonce),
-                                               realm, sizeof(realm),
-                                               algorithm, sizeof(algorithm));
-  if(result || strcmp(algorithm, "md5-sess") != 0) {
-    /* Send the cancellation */
-    result = Curl_pp_sendf(&conn->proto.imapc.pp, "%s", "*");
-
-    if(!result)
-      state(conn, IMAP_AUTHENTICATE_CANCEL);
-  }
-  else {
-    /* Create the response message */
-    result = Curl_sasl_create_digest_md5_message(data, nonce, realm,
-                                                 conn->user, conn->passwd,
-                                                 "imap", &rplyb64, &len);
-    if(!result && rplyb64) {
-      /* Send the response */
-      result = Curl_pp_sendf(&conn->proto.imapc.pp, "%s", rplyb64);
+  /* Create the response message */
+  result = Curl_sasl_create_digest_md5_message(data, chlg64,
+                                               conn->user, conn->passwd,
+                                               "imap", &rplyb64, &len);
+  if(result) {
+    if(result == CURLE_BAD_CONTENT_ENCODING) {
+      /* Send the cancellation */
+      result = Curl_pp_sendf(&conn->proto.imapc.pp, "%s", "*");
 
       if(!result)
-        state(conn, IMAP_AUTHENTICATE_DIGESTMD5_RESP);
+        state(conn, IMAP_AUTHENTICATE_CANCEL);
     }
   }
+  else {
+    /* Send the response */
+    result = Curl_pp_sendf(&conn->proto.imapc.pp, "%s", rplyb64);
+
+    if(!result)
+      state(conn, IMAP_AUTHENTICATE_DIGESTMD5_RESP);
+  }
 
   Curl_safefree(rplyb64);
 
@@ -1448,6 +1477,8 @@ static CURLcode imap_state_select_resp(struct connectdata *conn, int imapcode,
 
       if(imap->custom)
         result = imap_perform_list(conn);
+      else if(imap->query)
+        result = imap_perform_search(conn);
       else
         result = imap_perform_fetch(conn);
     }
@@ -1587,7 +1618,7 @@ static CURLcode imap_state_append_resp(struct connectdata *conn, int imapcode,
   }
   else {
     /* Set the progress upload size */
-    Curl_pgrsSetUploadSize(data, data->set.infilesize);
+    Curl_pgrsSetUploadSize(data, data->state.infilesize);
 
     /* IMAP upload */
     Curl_setup_transfer(conn, -1, -1, FALSE, NULL, FIRSTSOCKET, NULL);
@@ -1617,6 +1648,31 @@ static CURLcode imap_state_append_final_resp(struct connectdata *conn,
   return result;
 }
 
+/* For SEARCH responses */
+static CURLcode imap_state_search_resp(struct connectdata *conn, int imapcode,
+                                       imapstate instate)
+{
+  CURLcode result = CURLE_OK;
+  char *line = conn->data->state.buffer;
+  size_t len = strlen(line);
+
+  (void)instate; /* No use for this yet */
+
+  if(imapcode == '*') {
+    /* Temporarily add the LF character back and send as body to the client */
+    line[len] = '\n';
+    result = Curl_client_write(conn, CLIENTWRITE_BODY, line, len + 1);
+    line[len] = '\0';
+  }
+  else if(imapcode != 'O')
+    result = CURLE_QUOTE_ERROR; /* TODO: Fix error code */
+  else
+    /* End of DO phase */
+    state(conn, IMAP_STOP);
+
+  return result;
+}
+
 static CURLcode imap_statemach_act(struct connectdata *conn)
 {
   CURLcode result = CURLE_OK;
@@ -1739,6 +1795,10 @@ static CURLcode imap_statemach_act(struct connectdata *conn)
       result = imap_state_append_final_resp(conn, imapcode, imapc->state);
       break;
 
+    case IMAP_SEARCH:
+      result = imap_state_search_resp(conn, imapcode, imapc->state);
+      break;
+
     case IMAP_LOGOUT:
       /* fallthrough, just stop! */
     default:
@@ -1909,6 +1969,8 @@ static CURLcode imap_done(struct connectdata *conn, CURLcode status,
   Curl_safefree(imap->uidvalidity);
   Curl_safefree(imap->uid);
   Curl_safefree(imap->section);
+  Curl_safefree(imap->partial);
+  Curl_safefree(imap->query);
   Curl_safefree(imap->custom);
   Curl_safefree(imap->custom_params);
 
@@ -1962,7 +2024,11 @@ static CURLcode imap_perform(struct connectdata *conn, bool *connected,
   else if(!imap->custom && selected && imap->uid)
     /* FETCH from the same mailbox */
     result = imap_perform_fetch(conn);
-  else if(imap->mailbox && !selected && (imap->custom || imap->uid))
+  else if(!imap->custom && selected && imap->query)
+    /* SEARCH the current mailbox */
+    result = imap_perform_search(conn);
+  else if(imap->mailbox && !selected &&
+         (imap->custom || imap->uid || imap->query))
     /* SELECT the mailbox */
     result = imap_perform_select(conn);
   else
@@ -2447,8 +2513,8 @@ static CURLcode imap_parse_url_path(struct connectdata *conn)
 
     DEBUGF(infof(conn->data, "IMAP URL parameter '%s' = '%s'\n", name, value));
 
-    /* Process the known hierarchical parameters (UIDVALIDITY, UID and SECTION)
-       stripping of the trailing slash character if it is present.
+    /* Process the known hierarchical parameters (UIDVALIDITY, UID, SECTION and
+       PARTIAL) stripping of the trailing slash character if it is present.
 
        Note: Unknown parameters trigger a URL_MALFORMAT error. */
     if(Curl_raw_equal(name, "UIDVALIDITY") && !imap->uidvalidity) {
@@ -2472,6 +2538,13 @@ static CURLcode imap_parse_url_path(struct connectdata *conn)
       imap->section = value;
       value = NULL;
     }
+    else if(Curl_raw_equal(name, "PARTIAL") && !imap->partial) {
+      if(valuelen > 0 && value[valuelen - 1] == '/')
+        value[valuelen - 1] = '\0';
+
+      imap->partial = value;
+      value = NULL;
+    }
     else {
       Curl_safefree(name);
       Curl_safefree(value);
@@ -2483,6 +2556,21 @@ static CURLcode imap_parse_url_path(struct connectdata *conn)
     Curl_safefree(value);
   }
 
+  /* Does the URL contain a query parameter? Only valid when we have a mailbox
+     and no UID as per RFC-5092 */
+  if(imap->mailbox && !imap->uid && *ptr == '?') {
+    /* Find the length of the query parameter */
+    begin = ++ptr;
+    while(imap_is_bchar(*ptr))
+      ptr++;
+
+    /* Decode the query parameter */
+    result = Curl_urldecode(data, begin, ptr - begin, &imap->query, NULL,
+                            TRUE);
+    if(result)
+      return result;
+  }
+
   /* Any extra stuff at the end of the URL is an error */
   if(*ptr)
     return CURLE_URL_MALFORMAT;

lib/imap.h

@@ -7,7 +7,7 @@
  *                            | (__| |_| |  _ <| |___
  *                             \___|\___/|_| \_\_____|
  *
- * Copyright (C) 2009 - 2013, Daniel Stenberg, <daniel@haxx.se>, et al.
+ * Copyright (C) 2009 - 2014, Daniel Stenberg, <daniel@haxx.se>, et al.
  *
  * This software is licensed as described in the file COPYING, which
  * you should have received as part of this distribution. The terms
@@ -53,6 +53,7 @@ typedef enum {
   IMAP_FETCH_FINAL,
   IMAP_APPEND,
   IMAP_APPEND_FINAL,
+  IMAP_SEARCH,
   IMAP_LOGOUT,
   IMAP_LAST          /* never used */
 } imapstate;
@@ -67,6 +68,8 @@ struct IMAP {
   char *uidvalidity;      /* UIDVALIDITY to check in select */
   char *uid;              /* Message UID to fetch */
   char *section;          /* Message SECTION to fetch */
+  char *partial;          /* Message PARTIAL to fetch */
+  char *query;            /* Query to search for */
   char *custom;           /* Custom request */
   char *custom_params;    /* Parameters for the custom request */
 };

lib/ldap.c

@@ -5,7 +5,7 @@
  *                | (__| |_| |  _ <| |___
  *                 \___|\___/|_| \_\_____|
  *
- * Copyright (C) 1998 - 2013, Daniel Stenberg, <daniel@haxx.se>, et al.
+ * Copyright (C) 1998 - 2014, Daniel Stenberg, <daniel@haxx.se>, et al.
  *
  * This software is licensed as described in the file COPYING, which
  * you should have received as part of this distribution. The terms
@@ -159,7 +159,7 @@ const struct Curl_handler Curl_handler_ldaps = {
   ZERO_NULL,                            /* disconnect */
   ZERO_NULL,                            /* readwrite */
   PORT_LDAPS,                           /* defport */
-  CURLPROTO_LDAP | CURLPROTO_LDAPS,     /* protocol */
+  CURLPROTO_LDAPS,                      /* protocol */
   PROTOPT_SSL                           /* flags */
 };
 #endif

lib/md5.c

@@ -147,7 +147,7 @@ static void MD5_Update(MD5_CTX *ctx,
 
 static void MD5_Final(unsigned char digest[16], MD5_CTX *ctx)
 {
-  unsigned long length;
+  unsigned long length = 0;
   CryptGetHashParam(ctx->hHash, HP_HASHVAL, NULL, &length, 0);
   if(length == 16)
     CryptGetHashParam(ctx->hHash, HP_HASHVAL, digest, &length, 0);

lib/mk-ca-bundle.pl

@@ -34,7 +34,9 @@ use Getopt::Std;
 use MIME::Base64;
 use LWP::UserAgent;
 use strict;
-use vars qw($opt_b $opt_d $opt_f $opt_h $opt_i $opt_l $opt_n $opt_q $opt_t $opt_u $opt_v $opt_w);
+use vars qw($opt_b $opt_d $opt_f $opt_h $opt_i $opt_l $opt_n $opt_p $opt_q $opt_s $opt_t $opt_u $opt_v $opt_w);
+use List::Util;
+use Text::Wrap;
 
 my %urls = (
   'nss' =>
@@ -56,13 +58,53 @@ $opt_d = 'release';
 # If the OpenSSL commandline is not in search path you can configure it here!
 my $openssl = 'openssl';
 
-my $version = '1.20';
+my $version = '1.21';
 
 $opt_w = 76; # default base64 encoded lines length
 
+# default cert types to include in the output (default is to include CAs which may issue SSL server certs)
+my $default_mozilla_trust_purposes = "SERVER_AUTH";
+my $default_mozilla_trust_levels = "TRUSTED_DELEGATOR";
+$opt_p = $default_mozilla_trust_purposes . ":" . $default_mozilla_trust_levels;
+
+my @valid_mozilla_trust_purposes = (
+  "DIGITAL_SIGNATURE",
+  "NON_REPUDIATION",
+  "KEY_ENCIPHERMENT",
+  "DATA_ENCIPHERMENT",
+  "KEY_AGREEMENT",
+  "KEY_CERT_SIGN",
+  "CRL_SIGN",
+  "SERVER_AUTH",
+  "CLIENT_AUTH",
+  "CODE_SIGNING",
+  "EMAIL_PROTECTION",
+  "IPSEC_END_SYSTEM",
+  "IPSEC_TUNNEL",
+  "IPSEC_USER",
+  "TIME_STAMPING",
+  "STEP_UP_APPROVED"
+);
+
+my @valid_mozilla_trust_levels = (
+  "TRUSTED_DELEGATOR",    # CAs
+  "NOT_TRUSTED",          # Don't trust these certs.
+  "MUST_VERIFY_TRUST",    # This explicitly tells us that it ISN'T a CA but is otherwise ok. In other words, this should tell the app to ignore any other sources that claim this is a CA.
+  "TRUSTED"               # This cert is trusted, but only for itself and not for delegates (i.e. it is not a CA).
+);
+
+my $default_signature_algorithms = $opt_s = "MD5";
+
+my @valid_signature_algorithms = (
+  "MD5",
+  "SHA1",
+  "SHA256",
+  "SHA512"  
+);
+
 $0 =~ s@.*(/|\\)@@;
 $Getopt::Std::STANDARD_HELP_VERSION = 1;
-getopts('bd:fhilnqtuvw:');
+getopts('bd:fhilnp:qs:tuvw:');
 
 if(!defined($opt_d)) {
     # to make plain "-d" use not cause warnings, and actually still work
@@ -102,7 +144,7 @@ sub WARNING_MESSAGE() {
 }
 
 sub HELP_MESSAGE() {
-  print "Usage:\t${0} [-b] [-d<certdata>] [-f] [-i] [-l] [-n] [-q] [-t] [-u] [-v] [-w<l>] [<outputfile>]\n";
+  print "Usage:\t${0} [-b] [-d<certdata>] [-f] [-i] [-l] [-n] [-p<purposes:levels>] [-q] [-s<algorithms>] [-t] [-u] [-v] [-w<l>] [<outputfile>]\n";
   print "\t-b\tbackup an existing version of ca-bundle.crt\n";
   print "\t-d\tspecify Mozilla tree to pull certdata.txt or custom URL\n";
   print "\t\t  Valid names are:\n";
@@ -111,7 +153,15 @@ sub HELP_MESSAGE() {
   print "\t-i\tprint version info about used modules\n";
   print "\t-l\tprint license info about certdata.txt\n";
   print "\t-n\tno download of certdata.txt (to use existing)\n";
+  print wrap("\t","\t\t", "-p\tlist of Mozilla trust purposes and levels for certificates to include in output. Takes the form of a comma separated list of purposes, a colon, and a comma separated list of levels. (default: $default_mozilla_trust_purposes:$default_mozilla_trust_levels)"), "\n";
+  print "\t\t  Valid purposes are:\n";
+  print wrap("\t\t    ","\t\t    ", join( ", ", "ALL", @valid_mozilla_trust_purposes ) ), "\n";
+  print "\t\t  Valid levels are:\n";
+  print wrap("\t\t    ","\t\t    ", join( ", ", "ALL", @valid_mozilla_trust_levels ) ), "\n";
   print "\t-q\tbe really quiet (no progress output at all)\n";
+  print wrap("\t","\t\t", "-s\tcomma separated list of certificate signatures/hashes to output in plain text mode. (default: $default_signature_algorithms)\n");
+  print "\t\t  Valid signature algorithms are:\n";
+  print wrap("\t\t    ","\t\t    ", join( ", ", "ALL", @valid_signature_algorithms ) ), "\n";
   print "\t-t\tinclude plain text listing of certificates\n";
   print "\t-u\tunlink (remove) certdata.txt after processing\n";
   print "\t-v\tbe verbose and print out processed CAs\n";
@@ -126,6 +176,61 @@ sub VERSION_MESSAGE() {
 WARNING_MESSAGE() unless ($opt_q || $url =~ m/^(ht|f)tps:/i );
 HELP_MESSAGE() if ($opt_h);
 
+sub IS_IN_LIST($@) {
+  my $target = shift;
+
+  return defined(List::Util::first { $target eq $_ } @_);
+}
+
+# Parses $param_string as a case insensitive comma separated list with optional whitespace
+# validates that only allowed parameters are supplied
+sub PARSE_CSV_PARAM($$@) {
+  my $description = shift;
+  my $param_string = shift;
+  my @valid_values = @_;
+
+  my @values = map {
+    s/^\s+//;  # strip leading spaces
+    s/\s+$//;  # strip trailing spaces
+    uc $_      # return the modified string as upper case
+  } split( ',', $param_string );
+
+  # Find all values which are not in the list of valid values or "ALL"
+  my @invalid = grep { !IS_IN_LIST($_,"ALL",@valid_values) } @values;
+
+  if ( scalar(@invalid) > 0 ) {
+    # Tell the user which parameters were invalid and print the standard help message which will exit
+    print "Error: Invalid ", $description, scalar(@invalid) == 1 ? ": " : "s: ", join( ", ", map { "\"$_\"" } @invalid ), "\n";
+    HELP_MESSAGE();
+  }
+  
+  @values = @valid_values if ( IS_IN_LIST("ALL",@values) );
+  
+  return @values;
+}
+
+if ( $opt_p !~ m/:/ ) {
+  print "Error: Mozilla trust identifier list must include both purposes and levels\n";
+  HELP_MESSAGE();
+}
+
+(my $included_mozilla_trust_purposes_string, my $included_mozilla_trust_levels_string) = split( ':', $opt_p );
+my @included_mozilla_trust_purposes = PARSE_CSV_PARAM( "trust purpose", $included_mozilla_trust_purposes_string, @valid_mozilla_trust_purposes );
+my @included_mozilla_trust_levels = PARSE_CSV_PARAM( "trust level", $included_mozilla_trust_levels_string, @valid_mozilla_trust_levels );
+
+my @included_signature_algorithms = PARSE_CSV_PARAM( "signature algorithm", $opt_s, @valid_signature_algorithms );
+
+sub SHOULD_OUTPUT_CERT(%) {
+  my %trust_purposes_by_level = @_;
+  
+  foreach my $level (@included_mozilla_trust_levels) {
+    # for each level we want to output, see if any of our desired purposes are included
+    return 1 if ( defined( List::Util::first { IS_IN_LIST( $_, @included_mozilla_trust_purposes ) } @{$trust_purposes_by_level{$level}} ) );
+  }
+  
+  return 0;
+}
+
 my $crt = $ARGV[0] || 'ca-bundle.crt';
 (my $txt = $url) =~ s@(.*/|\?.*)@@g;
 
@@ -209,7 +314,7 @@ while (<TXT>) {
   if ($start_of_cert && /^CKA_LABEL UTF8 \"(.*)\"/) {
     $caname = $1;
   }
-  my $untrusted = 1;
+  my %trust_purposes_by_level;
   if ($start_of_cert && /^CKA_VALUE MULTILINE_OCTAL/) {
     my $data;
     while (<TXT>) {
@@ -226,14 +331,21 @@ while (<TXT>) {
       last if (/^CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST/);
       chomp;
     }
-    # now scan the trust part for untrusted certs
+    # now scan the trust part to determine how we should trust this cert
     while (<TXT>) {
       last if (/^#/);
-      if (/^CKA_TRUST_SERVER_AUTH\s+CK_TRUST\s+CKT_NSS_TRUSTED_DELEGATOR$/) {
-          $untrusted = 0;
+      if (/^CKA_TRUST_([A-Z_]+)\s+CK_TRUST\s+CKT_NSS_([A-Z_]+)\s*$/) {
+        if ( !IS_IN_LIST($1,@valid_mozilla_trust_purposes) ) {
+          print STDERR "Warning: Unrecognized trust purpose for cert: $caname. Trust purpose: $1. Trust Level: $2\n" if (!$opt_q);
+        } elsif ( !IS_IN_LIST($2,@valid_mozilla_trust_levels) ) {
+          print STDERR "Warning: Unrecognized trust level for cert: $caname. Trust purpose: $1. Trust Level: $2\n" if (!$opt_q);
+        } else {
+          push @{$trust_purposes_by_level{$2}}, $1;
+        }
       }
     }
-    if ($untrusted) {
+
+    if ( !SHOULD_OUTPUT_CERT(%trust_purposes_by_level) ) {
       $skipnum ++;
     } else {
       my $encoded = MIME::Base64::encode_base64($data, '');
@@ -242,11 +354,34 @@ while (<TXT>) {
               . $encoded
               . "-----END CERTIFICATE-----\n";
       print CRT "\n$caname\n";
-      print CRT ("=" x length($caname) . "\n");
+
+      my $maxStringLength = length($caname);
+      if ($opt_t) {
+        foreach my $key (keys %trust_purposes_by_level) {
+           my $string = $key . ": " . join(", ", @{$trust_purposes_by_level{$key}});
+           $maxStringLength = List::Util::max( length($string), $maxStringLength );
+           print CRT $string . "\n";
+        }
+      }
+      print CRT ("=" x $maxStringLength . "\n");
       if (!$opt_t) {
         print CRT $pem;
       } else {
-        my $pipe = "|$openssl x509 -md5 -fingerprint -text -inform PEM";
+        my $pipe = "";
+        foreach my $hash (@included_signature_algorithms) {
+          $pipe = "|$openssl x509 -" . $hash . " -fingerprint -noout -inform PEM";
+          if (!$stdout) {
+            $pipe .= " >> $crt.~";
+            close(CRT) or die "Couldn't close $crt.~: $!";
+          }
+          open(TMP, $pipe) or die "Couldn't open openssl pipe: $!";
+          print TMP $pem;
+          close(TMP) or die "Couldn't close openssl pipe: $!";
+          if (!$stdout) {
+            open(CRT, ">>$crt.~") or die "Couldn't open $crt.~: $!";
+          }
+        }
+        $pipe = "|$openssl x509 -text -inform PEM";
         if (!$stdout) {
           $pipe .= " >> $crt.~";
           close(CRT) or die "Couldn't close $crt.~: $!";
@@ -279,7 +414,7 @@ unless( $stdout ) {
     rename "$crt.~", $crt or die "Failed to rename $crt.~ to $crt: $!\n";
 }
 unlink $txt if ($opt_u);
-print STDERR "Done ($certnum CA certs processed, $skipnum untrusted skipped).\n" if (!$opt_q);
+print STDERR "Done ($certnum CA certs processed, $skipnum skipped).\n" if (!$opt_q);
 
 exit;
 

lib/mprintf.c

@@ -5,7 +5,7 @@
  *                            | (__| |_| |  _ <| |___
  *                             \___|\___/|_| \_\_____|
  *
- * Copyright (C) 1999 - 2013, Daniel Stenberg, <daniel@haxx.se>, et al.
+ * Copyright (C) 1999 - 2014, Daniel Stenberg, <daniel@haxx.se>, et al.
  *
  * This software is licensed as described in the file COPYING, which
  * you should have received as part of this distribution. The terms
@@ -804,11 +804,11 @@ static int dprintf_formatf(
             len = 0;
           }
         }
+        else if(prec != -1)
+          len = (size_t)prec;
         else
           len = strlen(str);
 
-        if(prec != -1 && (size_t) prec < len)
-          len = (size_t)prec;
         width -= (long)len;
 
         if(p->flags & FLAGS_ALT)
@@ -818,7 +818,7 @@ static int dprintf_formatf(
           while(width-- > 0)
             OUTCHAR(' ');
 
-        while(len-- > 0)
+        while((len-- > 0) && *str)
           OUTCHAR(*str++);
         if(p->flags&FLAGS_LEFT)
           while(width-- > 0)

lib/multi.c

@@ -317,6 +317,9 @@ struct Curl_multi *Curl_multi_handle(int hashsize, /* socket hash */
   multi->closure_handle->state.conn_cache = multi->conn_cache;
 
   multi->max_pipeline_length = 5;
+
+  /* -1 means it not set by user, use the default value */
+  multi->maxconnects = -1;
   return (CURLM *) multi;
 
   error:
@@ -401,6 +404,8 @@ CURLMcode curl_multi_add_handle(CURLM *multi_handle,
   /* Point to the multi's connection cache */
   data->state.conn_cache = multi->conn_cache;
 
+  data->state.infilesize = data->set.filesize;
+
   /* This adds the new entry at the 'end' of the doubly-linked circular
      list of SessionHandle structs to try and maintain a FIFO queue so
      the pipelined requests are in order. */
@@ -551,9 +556,11 @@ CURLMcode curl_multi_remove_handle(CURLM *multi_handle,
         Curl_getoff_all_pipelines(data, data->easy_conn);
     }
 
+    Curl_wildcard_dtor(&data->wildcard);
+
     /* as this was using a shared connection cache we clear the pointer
        to that since we're not part of that multi handle anymore */
-      data->state.conn_cache = NULL;
+    data->state.conn_cache = NULL;
 
     /* change state without using multistate(), only to make singlesocket() do
        what we want */
@@ -823,7 +830,7 @@ CURLMcode curl_multi_wait(CURLM *multi_handle,
   curlfds = nfds; /* number of internal file descriptors */
   nfds += extra_nfds; /* add the externally provided ones */
 
-  if(nfds) {
+  if(nfds || extra_nfds) {
     ufds = malloc(nfds * sizeof(struct pollfd));
     if(!ufds)
       return CURLM_OUT_OF_MEMORY;
@@ -1019,6 +1026,7 @@ static CURLMcode multi_runsingle(struct Curl_multi *multi,
       if(CURLE_OK == data->result) {
         /* after init, go CONNECT */
         multistate(data, CURLM_STATE_CONNECT);
+        Curl_pgrsTime(data, TIMER_STARTOP);
         result = CURLM_CALL_MULTI_PERFORM;
       }
       break;
@@ -1739,6 +1747,7 @@ CURLMcode curl_multi_perform(CURLM *multi_handle, int *running_handles)
   while(data) {
     CURLMcode result;
     struct WildcardData *wc = &data->wildcard;
+    SIGPIPE_VARIABLE(pipe_st);
 
     if(data->set.wildcardmatch) {
       if(!wc->filelist) {
@@ -1748,9 +1757,11 @@ CURLMcode curl_multi_perform(CURLM *multi_handle, int *running_handles)
       }
     }
 
+    sigpipe_ignore(data, &pipe_st);
     do
       result = multi_runsingle(multi, now, data);
     while(CURLM_CALL_MULTI_PERFORM == result);
+    sigpipe_restore(&pipe_st);
 
     if(data->set.wildcardmatch) {
       /* destruct wildcard structures if it is needed */
@@ -1796,10 +1807,13 @@ static void close_all_connections(struct Curl_multi *multi)
 
   conn = Curl_conncache_find_first_connection(multi->conn_cache);
   while(conn) {
+    SIGPIPE_VARIABLE(pipe_st);
     conn->data = multi->closure_handle;
 
+    sigpipe_ignore(conn->data, &pipe_st);
     /* This will remove the connection from the cache */
     (void)Curl_disconnect(conn, FALSE);
+    sigpipe_restore(&pipe_st);
 
     conn = Curl_conncache_find_first_connection(multi->conn_cache);
   }
@@ -2195,6 +2209,8 @@ static CURLMcode multi_socket(struct Curl_multi *multi,
          and just move on. */
       ;
     else {
+      SIGPIPE_VARIABLE(pipe_st);
+
       data = entry->easy;
 
       if(data->magic != CURLEASY_MAGIC_NUMBER)
@@ -2220,9 +2236,11 @@ static CURLMcode multi_socket(struct Curl_multi *multi,
         /* set socket event bitmask if they're not locked */
         data->easy_conn->cselect_bits = ev_bitmask;
 
+      sigpipe_ignore(data, &pipe_st);
       do
         result = multi_runsingle(multi, now, data);
       while(CURLM_CALL_MULTI_PERFORM == result);
+      sigpipe_restore(&pipe_st);
 
       if(data->easy_conn &&
          !(data->easy_conn->handler->flags & PROTOPT_DIRLOCK))
@@ -2260,9 +2278,13 @@ static CURLMcode multi_socket(struct Curl_multi *multi,
   do {
     /* the first loop lap 'data' can be NULL */
     if(data) {
+      SIGPIPE_VARIABLE(pipe_st);
+
+      sigpipe_ignore(data, &pipe_st);
       do
         result = multi_runsingle(multi, now, data);
       while(CURLM_CALL_MULTI_PERFORM == result);
+      sigpipe_restore(&pipe_st);
 
       if(CURLM_OK >= result)
         /* get the socket(s) and check if the state has been changed since

lib/netrc.c

@@ -5,7 +5,7 @@
  *                            | (__| |_| |  _ <| |___
  *                             \___|\___/|_| \_\_____|
  *
- * Copyright (C) 1998 - 2013, Daniel Stenberg, <daniel@haxx.se>, et al.
+ * Copyright (C) 1998 - 2014, Daniel Stenberg, <daniel@haxx.se>, et al.
  *
  * This software is licensed as described in the file COPYING, which
  * you should have received as part of this distribution. The terms
@@ -61,7 +61,7 @@ int Curl_parsenetrc(const char *host,
 {
   FILE *file;
   int retcode=1;
-  int specific_login = (**loginp != 0);
+  int specific_login = (*loginp && **loginp != 0);
   bool netrc_alloc = FALSE;
   enum host_lookup_state state=NOTHING;
 
@@ -113,7 +113,7 @@ int Curl_parsenetrc(const char *host,
       tok=strtok_r(netrcbuffer, " \t\n", &tok_buf);
       while(!done && tok) {
 
-        if(**loginp && **passwordp) {
+        if((*loginp && **loginp) && (*passwordp && **passwordp)) {
           done=TRUE;
           break;
         }

lib/parsedate.c

@@ -5,7 +5,7 @@
  *                            | (__| |_| |  _ <| |___
  *                             \___|\___/|_| \_\_____|
  *
- * Copyright (C) 1998 - 2013, Daniel Stenberg, <daniel@haxx.se>, et al.
+ * Copyright (C) 1998 - 2014, Daniel Stenberg, <daniel@haxx.se>, et al.
  *
  * This software is licensed as described in the file COPYING, which
  * you should have received as part of this distribution. The terms
@@ -353,9 +353,11 @@ static int parsedate(const char *date, time_t *output)
       /* a name coming up */
       char buf[32]="";
       size_t len;
-      sscanf(date, "%31[ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz]",
-             buf);
-      len = strlen(buf);
+      if(sscanf(date, "%31[ABCDEFGHIJKLMNOPQRSTUVWXYZ"
+                          "abcdefghijklmnopqrstuvwxyz]", buf))
+        len = strlen(buf);
+      else
+        len = 0;
 
       if(wdaynum == -1) {
         wdaynum = checkday(buf, len);
@@ -410,8 +412,10 @@ static int parsedate(const char *date, time_t *output)
         if(error)
           return PARSEDATE_FAIL;
 
+#if LONG_MAX != INT_MAX
         if((lval > (long)INT_MAX) || (lval < (long)INT_MIN))
           return PARSEDATE_FAIL;
+#endif
 
         val = curlx_sltosi(lval);
 

lib/pipeline.c

@@ -201,11 +201,18 @@ CURLMcode Curl_pipeline_set_site_blacklist(char **sites,
       char *port;
       struct site_blacklist_entry *entry;
 
-      entry = malloc(sizeof(struct site_blacklist_entry));
-
       hostname = strdup(*sites);
-      if(!hostname)
+      if(!hostname) {
+        Curl_llist_destroy(new_list, NULL);
         return CURLM_OUT_OF_MEMORY;
+      }
+
+      entry = malloc(sizeof(struct site_blacklist_entry));
+      if(!entry) {
+        free(hostname);
+        Curl_llist_destroy(new_list, NULL);
+        return CURLM_OUT_OF_MEMORY;
+      }
 
       port = strchr(hostname, ':');
       if(port) {
@@ -220,8 +227,11 @@ CURLMcode Curl_pipeline_set_site_blacklist(char **sites,
 
       entry->hostname = hostname;
 
-      if(!Curl_llist_insert_next(new_list, new_list->tail, entry))
+      if(!Curl_llist_insert_next(new_list, new_list->tail, entry)) {
+        site_blacklist_llist_dtor(NULL, entry);
+        Curl_llist_destroy(new_list, NULL);
         return CURLM_OUT_OF_MEMORY;
+      }
 
       sites++;
     }

lib/pop3.c

@@ -5,7 +5,7 @@
  *                            | (__| |_| |  _ <| |___
  *                             \___|\___/|_| \_\_____|
  *
- * Copyright (C) 1998 - 2013, Daniel Stenberg, <daniel@haxx.se>, et al.
+ * Copyright (C) 1998 - 2014, Daniel Stenberg, <daniel@haxx.se>, et al.
  *
  * This software is licensed as described in the file COPYING, which
  * you should have received as part of this distribution. The terms
@@ -156,7 +156,7 @@ const struct Curl_handler Curl_handler_pop3s = {
   pop3_disconnect,                  /* disconnect */
   ZERO_NULL,                        /* readwrite */
   PORT_POP3S,                       /* defport */
-  CURLPROTO_POP3 | CURLPROTO_POP3S, /* protocol */
+  CURLPROTO_POP3S,                  /* protocol */
   PROTOPT_CLOSEACTION | PROTOPT_SSL
   | PROTOPT_NOURLQUERY              /* flags */
 };
@@ -978,10 +978,6 @@ static CURLcode pop3_state_auth_digest_resp(struct connectdata *conn,
   char *rplyb64 = NULL;
   size_t len = 0;
 
-  char nonce[64];
-  char realm[128];
-  char algorithm[64];
-
   (void)instate; /* no use for this yet */
 
   if(pop3code != '+') {
@@ -992,30 +988,26 @@ static CURLcode pop3_state_auth_digest_resp(struct connectdata *conn,
   /* Get the challenge message */
   pop3_get_message(data->state.buffer, &chlg64);
 
-  /* Decode the challange message */
-  result = Curl_sasl_decode_digest_md5_message(chlg64, nonce, sizeof(nonce),
-                                               realm, sizeof(realm),
-                                               algorithm, sizeof(algorithm));
-  if(result || strcmp(algorithm, "md5-sess") != 0) {
-    /* Send the cancellation */
-    result = Curl_pp_sendf(&conn->proto.pop3c.pp, "%s", "*");
-
-    if(!result)
-      state(conn, POP3_AUTH_CANCEL);
-  }
-  else {
-    /* Create the response message */
-    result = Curl_sasl_create_digest_md5_message(data, nonce, realm,
-                                                 conn->user, conn->passwd,
-                                                 "pop", &rplyb64, &len);
-    if(!result && rplyb64) {
-      /* Send the response */
-      result = Curl_pp_sendf(&conn->proto.pop3c.pp, "%s", rplyb64);
+  /* Create the response message */
+  result = Curl_sasl_create_digest_md5_message(data, chlg64,
+                                               conn->user, conn->passwd,
+                                               "pop", &rplyb64, &len);
+  if(result) {
+    if(result == CURLE_BAD_CONTENT_ENCODING) {
+      /* Send the cancellation */
+      result = Curl_pp_sendf(&conn->proto.pop3c.pp, "%s", "*");
 
       if(!result)
-        state(conn, POP3_AUTH_DIGESTMD5_RESP);
+        state(conn, POP3_AUTH_CANCEL);
     }
   }
+  else {
+    /* Send the response */
+    result = Curl_pp_sendf(&conn->proto.pop3c.pp, "%s", rplyb64);
+
+    if(!result)
+      state(conn, POP3_AUTH_DIGESTMD5_RESP);
+  }
 
   Curl_safefree(rplyb64);
 

lib/progress.c

@@ -5,7 +5,7 @@
  *                            | (__| |_| |  _ <| |___
  *                             \___|\___/|_| \_\_____|
  *
- * Copyright (C) 1998 - 2013, Daniel Stenberg, <daniel@haxx.se>, et al.
+ * Copyright (C) 1998 - 2014, Daniel Stenberg, <daniel@haxx.se>, et al.
  *
  * This software is licensed as described in the file COPYING, which
  * you should have received as part of this distribution. The terms
@@ -172,8 +172,12 @@ void Curl_pgrsTime(struct SessionHandle *data, timerid timer)
   case TIMER_NONE:
     /* mistake filter */
     break;
+  case TIMER_STARTOP:
+    /* This is set at the start of a transfer */
+    data->progress.t_startop = now;
+    break;
   case TIMER_STARTSINGLE:
-    /* This is set at the start of a single fetch */
+    /* This is set at the start of each single fetch */
     data->progress.t_startsingle = now;
     break;
 

lib/progress.h

@@ -7,7 +7,7 @@
  *                            | (__| |_| |  _ <| |___
  *                             \___|\___/|_| \_\_____|
  *
- * Copyright (C) 1998 - 2012, Daniel Stenberg, <daniel@haxx.se>, et al.
+ * Copyright (C) 1998 - 2014, Daniel Stenberg, <daniel@haxx.se>, et al.
  *
  * This software is licensed as described in the file COPYING, which
  * you should have received as part of this distribution. The terms
@@ -27,13 +27,14 @@
 
 typedef enum {
   TIMER_NONE,
+  TIMER_STARTOP,
+  TIMER_STARTSINGLE,
   TIMER_NAMELOOKUP,
   TIMER_CONNECT,
   TIMER_APPCONNECT,
   TIMER_PRETRANSFER,
   TIMER_STARTTRANSFER,
   TIMER_POSTRANSFER,
-  TIMER_STARTSINGLE,
   TIMER_STARTACCEPT,
   TIMER_REDIRECT,
   TIMER_LAST /* must be last */

lib/rtsp.c

@@ -5,7 +5,7 @@
  *                            | (__| |_| |  _ <| |___
  *                             \___|\___/|_| \_\_____|
  *
- * Copyright (C) 1998 - 2013, Daniel Stenberg, <daniel@haxx.se>, et al.
+ * Copyright (C) 1998 - 2014, Daniel Stenberg, <daniel@haxx.se>, et al.
  *
  * This software is licensed as described in the file COPYING, which
  * you should have received as part of this distribution. The terms
@@ -341,7 +341,7 @@ static CURLcode rtsp_do(struct connectdata *conn, bool *done)
   }
 
   /* Transport Header for SETUP requests */
-  p_transport = Curl_checkheaders(data, "Transport:");
+  p_transport = Curl_checkheaders(conn, "Transport:");
   if(rtspreq == RTSPREQ_SETUP && !p_transport) {
     /* New Transport: setting? */
     if(data->set.str[STRING_RTSP_TRANSPORT]) {
@@ -365,11 +365,11 @@ static CURLcode rtsp_do(struct connectdata *conn, bool *done)
   /* Accept Headers for DESCRIBE requests */
   if(rtspreq == RTSPREQ_DESCRIBE) {
     /* Accept Header */
-    p_accept = Curl_checkheaders(data, "Accept:")?
+    p_accept = Curl_checkheaders(conn, "Accept:")?
       NULL:"Accept: application/sdp\r\n";
 
     /* Accept-Encoding header */
-    if(!Curl_checkheaders(data, "Accept-Encoding:") &&
+    if(!Curl_checkheaders(conn, "Accept-Encoding:") &&
        data->set.str[STRING_ENCODING]) {
       Curl_safefree(conn->allocptr.accept_encoding);
       conn->allocptr.accept_encoding =
@@ -386,18 +386,18 @@ static CURLcode rtsp_do(struct connectdata *conn, bool *done)
      it might have been used in the proxy connect, but if we have got a header
      with the user-agent string specified, we erase the previously made string
      here. */
-  if(Curl_checkheaders(data, "User-Agent:") && conn->allocptr.uagent) {
+  if(Curl_checkheaders(conn, "User-Agent:") && conn->allocptr.uagent) {
     Curl_safefree(conn->allocptr.uagent);
     conn->allocptr.uagent = NULL;
   }
-  else if(!Curl_checkheaders(data, "User-Agent:") &&
+  else if(!Curl_checkheaders(conn, "User-Agent:") &&
           data->set.str[STRING_USERAGENT]) {
     p_uagent = conn->allocptr.uagent;
   }
 
   /* Referrer */
   Curl_safefree(conn->allocptr.ref);
-  if(data->change.referer && !Curl_checkheaders(data, "Referer:"))
+  if(data->change.referer && !Curl_checkheaders(conn, "Referer:"))
     conn->allocptr.ref = aprintf("Referer: %s\r\n", data->change.referer);
   else
     conn->allocptr.ref = NULL;
@@ -414,7 +414,7 @@ static CURLcode rtsp_do(struct connectdata *conn, bool *done)
      (rtspreq  & (RTSPREQ_PLAY | RTSPREQ_PAUSE | RTSPREQ_RECORD))) {
 
     /* Check to see if there is a range set in the custom headers */
-    if(!Curl_checkheaders(data, "Range:") && data->state.range) {
+    if(!Curl_checkheaders(conn, "Range:") && data->state.range) {
       Curl_safefree(conn->allocptr.rangeline);
       conn->allocptr.rangeline = aprintf("Range: %s\r\n", data->state.range);
       p_range = conn->allocptr.rangeline;
@@ -424,11 +424,11 @@ static CURLcode rtsp_do(struct connectdata *conn, bool *done)
   /*
    * Sanity check the custom headers
    */
-  if(Curl_checkheaders(data, "CSeq:")) {
+  if(Curl_checkheaders(conn, "CSeq:")) {
     failf(data, "CSeq cannot be set as a custom header.");
     return CURLE_RTSP_CSEQ_ERROR;
   }
-  if(Curl_checkheaders(data, "Session:")) {
+  if(Curl_checkheaders(conn, "Session:")) {
     failf(data, "Session ID cannot be set as a custom header.");
     return CURLE_BAD_FUNCTION_ARGUMENT;
   }
@@ -484,7 +484,7 @@ static CURLcode rtsp_do(struct connectdata *conn, bool *done)
       return result;
   }
 
-  result = Curl_add_custom_headers(conn, req_buffer);
+  result = Curl_add_custom_headers(conn, FALSE, req_buffer);
   if(result)
     return result;
 
@@ -493,7 +493,7 @@ static CURLcode rtsp_do(struct connectdata *conn, bool *done)
      rtspreq == RTSPREQ_GET_PARAMETER) {
 
     if(data->set.upload) {
-      putsize = data->set.infilesize;
+      putsize = data->state.infilesize;
       data->set.httpreq = HTTPREQ_PUT;
 
     }
@@ -507,7 +507,7 @@ static CURLcode rtsp_do(struct connectdata *conn, bool *done)
     if(putsize > 0 || postsize > 0) {
       /* As stated in the http comments, it is probably not wise to
        * actually set a custom Content-Length in the headers */
-      if(!Curl_checkheaders(data, "Content-Length:")) {
+      if(!Curl_checkheaders(conn, "Content-Length:")) {
         result = Curl_add_bufferf(req_buffer,
             "Content-Length: %" CURL_FORMAT_CURL_OFF_T"\r\n",
             (data->set.upload ? putsize : postsize));
@@ -517,7 +517,7 @@ static CURLcode rtsp_do(struct connectdata *conn, bool *done)
 
       if(rtspreq == RTSPREQ_SET_PARAMETER ||
          rtspreq == RTSPREQ_GET_PARAMETER) {
-        if(!Curl_checkheaders(data, "Content-Type:")) {
+        if(!Curl_checkheaders(conn, "Content-Type:")) {
           result = Curl_add_bufferf(req_buffer,
               "Content-Type: text/parameters\r\n");
           if(result)
@@ -526,7 +526,7 @@ static CURLcode rtsp_do(struct connectdata *conn, bool *done)
       }
 
       if(rtspreq == RTSPREQ_ANNOUNCE) {
-        if(!Curl_checkheaders(data, "Content-Type:")) {
+        if(!Curl_checkheaders(conn, "Content-Type:")) {
           result = Curl_add_bufferf(req_buffer,
               "Content-Type: application/sdp\r\n");
           if(result)
@@ -763,7 +763,7 @@ CURLcode Curl_rtsp_parseheader(struct connectdata *conn,
     char *start;
 
     /* Find the first non-space letter */
-    start = header + 9;
+    start = header + 8;
     while(*start && ISSPACE(*start))
       start++;
 

lib/sendf.c

@@ -5,7 +5,7 @@
  *                            | (__| |_| |  _ <| |___
  *                             \___|\___/|_| \_\_____|
  *
- * Copyright (C) 1998 - 2013, Daniel Stenberg, <daniel@haxx.se>, et al.
+ * Copyright (C) 1998 - 2014, Daniel Stenberg, <daniel@haxx.se>, et al.
  *
  * This software is licensed as described in the file COPYING, which
  * you should have received as part of this distribution. The terms
@@ -422,7 +422,7 @@ CURLcode Curl_client_write(struct connectdata *conn,
   }
 
   if(type & CLIENTWRITE_BODY) {
-    if((conn->handler->protocol&CURLPROTO_FTP) &&
+    if((conn->handler->protocol&PROTO_FAMILY_FTP) &&
        conn->proto.ftpc.transfertype == 'A') {
       /* convert from the network encoding */
       CURLcode rc = Curl_convert_from_network(data, ptr, len);

lib/smtp.c

@@ -5,7 +5,7 @@
  *                            | (__| |_| |  _ <| |___
  *                             \___|\___/|_| \_\_____|
  *
- * Copyright (C) 1998 - 2013, Daniel Stenberg, <daniel@haxx.se>, et al.
+ * Copyright (C) 1998 - 2014, Daniel Stenberg, <daniel@haxx.se>, et al.
  *
  * This software is licensed as described in the file COPYING, which
  * you should have received as part of this distribution. The terms
@@ -155,7 +155,7 @@ const struct Curl_handler Curl_handler_smtps = {
   smtp_disconnect,                  /* disconnect */
   ZERO_NULL,                        /* readwrite */
   PORT_SMTPS,                       /* defport */
-  CURLPROTO_SMTP | CURLPROTO_SMTPS, /* protocol */
+  CURLPROTO_SMTPS,                  /* protocol */
   PROTOPT_CLOSEACTION | PROTOPT_SSL
   | PROTOPT_NOURLQUERY              /* flags */
 };
@@ -349,10 +349,11 @@ static CURLcode smtp_perform_ehlo(struct connectdata *conn)
   CURLcode result = CURLE_OK;
   struct smtp_conn *smtpc = &conn->proto.smtpc;
 
-  smtpc->authmechs = 0;         /* No known authentication mechanisms yet */
-  smtpc->authused = 0;          /* Clear the authentication mechanism used
-                                   for esmtp connections */
-  smtpc->tls_supported = FALSE; /* Clear the TLS capability */
+  smtpc->authmechs = 0;           /* No known authentication mechanisms yet */
+  smtpc->authused = 0;            /* Clear the authentication mechanism used
+                                     for esmtp connections */
+  smtpc->tls_supported = FALSE;   /* Clear the TLS capability */
+  smtpc->auth_supported = FALSE;  /* Clear the AUTH capability */
 
   /* Send the EHLO command */
   result = Curl_pp_sendf(&smtpc->pp, "EHLO %s", smtpc->domain);
@@ -475,15 +476,16 @@ static CURLcode smtp_perform_auth(struct connectdata *conn,
 static CURLcode smtp_perform_authentication(struct connectdata *conn)
 {
   CURLcode result = CURLE_OK;
+  struct smtp_conn *smtpc = &conn->proto.smtpc;
   const char *mech = NULL;
   char *initresp = NULL;
   size_t len = 0;
   smtpstate state1 = SMTP_STOP;
   smtpstate state2 = SMTP_STOP;
 
-  /* Check we have a username and password to authenticate with and end the
-     connect phase if we don't */
-  if(!conn->bits.user_passwd) {
+  /* Check we have a username and password to authenticate with, and the
+     server supports authentiation, and end the connect phase if not */
+  if(!conn->bits.user_passwd || !smtpc->auth_supported) {
     state(conn, SMTP_STOP);
 
     return result;
@@ -581,8 +583,8 @@ static CURLcode smtp_perform_mail(struct connectdata *conn)
   }
 
   /* Calculate the optional SIZE parameter */
-  if(conn->proto.smtpc.size_supported && conn->data->set.infilesize > 0) {
-    size = aprintf("%" CURL_FORMAT_CURL_OFF_T, data->set.infilesize);
+  if(conn->proto.smtpc.size_supported && conn->data->state.infilesize > 0) {
+    size = aprintf("%" CURL_FORMAT_CURL_OFF_T, data->state.infilesize);
 
     if(!size) {
       Curl_safefree(from);
@@ -719,8 +721,7 @@ static CURLcode smtp_state_ehlo_resp(struct connectdata *conn, int smtpcode,
   (void)instate; /* no use for this yet */
 
   if(smtpcode/100 != 2 && smtpcode != 1) {
-    if((data->set.use_ssl <= CURLUSESSL_TRY || conn->ssl[FIRSTSOCKET].use) &&
-     !conn->bits.user_passwd)
+    if(data->set.use_ssl <= CURLUSESSL_TRY || conn->ssl[FIRSTSOCKET].use)
       result = smtp_perform_helo(conn);
     else {
       failf(data, "Remote access denied: %d", smtpcode);
@@ -739,8 +740,11 @@ static CURLcode smtp_state_ehlo_resp(struct connectdata *conn, int smtpcode,
     else if(len >= 4 && !memcmp(line, "SIZE", 4))
       smtpc->size_supported = TRUE;
 
-    /* Do we have the authentication mechanism list? */
+    /* Does the server support authentication? */
     else if(len >= 5 && !memcmp(line, "AUTH ", 5)) {
+      smtpc->auth_supported = TRUE;
+
+      /* Advance past the AUTH keyword */
       line += 5;
       len -= 5;
 
@@ -992,10 +996,6 @@ static CURLcode smtp_state_auth_digest_resp(struct connectdata *conn,
   char *rplyb64 = NULL;
   size_t len = 0;
 
-  char nonce[64];
-  char realm[128];
-  char algorithm[64];
-
   (void)instate; /* no use for this yet */
 
   if(smtpcode != 334) {
@@ -1006,30 +1006,26 @@ static CURLcode smtp_state_auth_digest_resp(struct connectdata *conn,
   /* Get the challenge message */
   smtp_get_message(data->state.buffer, &chlg64);
 
-  /* Decode the challange message */
-  result = Curl_sasl_decode_digest_md5_message(chlg64, nonce, sizeof(nonce),
-                                               realm, sizeof(realm),
-                                               algorithm, sizeof(algorithm));
-  if(result || strcmp(algorithm, "md5-sess") != 0) {
-    /* Send the cancellation */
-    result = Curl_pp_sendf(&conn->proto.smtpc.pp, "%s", "*");
-
-    if(!result)
-      state(conn, SMTP_AUTH_CANCEL);
-  }
-  else {
-    /* Create the response message */
-    result = Curl_sasl_create_digest_md5_message(data, nonce, realm,
-                                                 conn->user, conn->passwd,
-                                                 "smtp", &rplyb64, &len);
-    if(!result && rplyb64) {
-      /* Send the response */
-      result = Curl_pp_sendf(&conn->proto.smtpc.pp, "%s", rplyb64);
+  /* Create the response message */
+  result = Curl_sasl_create_digest_md5_message(data, chlg64,
+                                               conn->user, conn->passwd,
+                                               "smtp", &rplyb64, &len);
+  if(result) {
+    if(result == CURLE_BAD_CONTENT_ENCODING) {
+      /* Send the cancellation */
+      result = Curl_pp_sendf(&conn->proto.smtpc.pp, "%s", "*");
 
       if(!result)
-        state(conn, SMTP_AUTH_DIGESTMD5_RESP);
+        state(conn, SMTP_AUTH_CANCEL);
     }
   }
+  else {
+    /* Send the response */
+    result = Curl_pp_sendf(&conn->proto.smtpc.pp, "%s", rplyb64);
+
+    if(!result)
+      state(conn, SMTP_AUTH_DIGESTMD5_RESP);
+  }
 
   Curl_safefree(rplyb64);
 
@@ -1360,7 +1356,7 @@ static CURLcode smtp_state_data_resp(struct connectdata *conn, int smtpcode,
   }
   else {
     /* Set the progress upload size */
-    Curl_pgrsSetUploadSize(data, data->set.infilesize);
+    Curl_pgrsSetUploadSize(data, data->state.infilesize);
 
     /* SMTP upload */
     Curl_setup_transfer(conn, -1, -1, FALSE, NULL, FIRSTSOCKET, NULL);
@@ -1663,7 +1659,7 @@ static CURLcode smtp_done(struct connectdata *conn, CURLcode status,
        is "no mail data". RFC-5321, sect. 4.1.1.4. */
     eob = SMTP_EOB;
     len = SMTP_EOB_LEN;
-    if(smtp->trailing_crlf || !conn->data->set.infilesize) {
+    if(smtp->trailing_crlf || !conn->data->state.infilesize) {
       eob += 2;
       len -= 2;
     }

lib/smtp.h

@@ -7,7 +7,7 @@
  *                            | (__| |_| |  _ <| |___
  *                             \___|\___/|_| \_\_____|
  *
- * Copyright (C) 2009 - 2013, Daniel Stenberg, <daniel@haxx.se>, et al.
+ * Copyright (C) 2009 - 2014, Daniel Stenberg, <daniel@haxx.se>, et al.
  *
  * This software is licensed as described in the file COPYING, which
  * you should have received as part of this distribution. The terms
@@ -82,6 +82,7 @@ struct smtp_conn {
   bool tls_supported;      /* StartTLS capability supported by server */
   bool size_supported;     /* If server supports SIZE extension according to
                               RFC 1870 */
+  bool auth_supported;     /* AUTH capability supported by server */
 };
 
 extern const struct Curl_handler Curl_handler_smtp;