THANKS: added contributors from the 7.41.0 RELEASE-NOTES

RELEASE-NOTES: sync with ffc2aeec6e (7.41.0 release time!)
Revert "telnet.c: fix handling of 0 being returned from custom read function"
2015-02-25 08:34:06 +01:00 · 2015-02-25 08:30:27 +01:00 · 2015-02-25 00:16:10 +01:00 · 2015-02-25 00:01:14 +01:00 · 2015-02-24 23:59:06 +01:00 · 2015-02-24 11:51:22 +01:00
162 changed files with 4740 additions and 7147 deletions
--- a/CMake/FindGSS.cmake
+++ b/CMake/FindGSS.cmake
@@ -155,7 +155,7 @@ message(STATUS "LDFLAGS: ${_GSS_LIB_FLAGS}")
                set(GSS_FLAVOUR "MIT")
            else()
                # prevent compiling the header - just check if we can include it
-                set(CMAKE_REQUIRED_DEFINITIONS "-D__ROKEN_H__")
+                set(CMAKE_REQUIRED_DEFINITIONS "${CMAKE_REQUIRED_DEFINITIONS} -D__ROKEN_H__")
                check_include_file( "roken.h" _GSS_HAVE_ROKEN_H)

                check_include_file( "heimdal/roken.h" _GSS_HAVE_HEIMDAL_ROKEN_H)
--- a/CMakeLists.txt
+++ b/CMakeLists.txt
@@ -5,7 +5,7 @@
 #                            | (__| |_| |  _ <| |___
 #                             \___|\___/|_| \_\_____|
 #
-# Copyright (C) 1998 - 2014, Daniel Stenberg, <daniel@haxx.se>, et al.
+# Copyright (C) 1998 - 2015, Daniel Stenberg, <daniel@haxx.se>, et al.
 #
 # This software is licensed as described in the file COPYING, which
 # you should have received as part of this distribution. The terms
@@ -238,6 +238,7 @@ include (CheckCSourceCompiles)

 # On windows preload settings
 if(WIN32)
+  set(CMAKE_REQUIRED_DEFINITIONS "${CMAKE_REQUIRED_DEFINITIONS} -D_WINSOCKAPI_")
  include(${CMAKE_CURRENT_SOURCE_DIR}/CMake/Platforms/WindowsCache.cmake)
 endif(WIN32)

@@ -294,26 +295,26 @@ if(CMAKE_USE_OPENSSL)
    set(HAVE_LIBSSL ON)
    include_directories(${OPENSSL_INCLUDE_DIR})
    set(CMAKE_REQUIRED_INCLUDES ${OPENSSL_INCLUDE_DIR})
-    check_include_file_concat("openssl/crypto.h" HAVE_OPENSSL_CRYPTO_H)
-    check_include_file_concat("openssl/engine.h" HAVE_OPENSSL_ENGINE_H)
-    check_include_file_concat("openssl/err.h"    HAVE_OPENSSL_ERR_H)
-    check_include_file_concat("openssl/pem.h"    HAVE_OPENSSL_PEM_H)
-    check_include_file_concat("openssl/pkcs12.h" HAVE_OPENSSL_PKCS12_H)
-    check_include_file_concat("openssl/rsa.h"    HAVE_OPENSSL_RSA_H)
-    check_include_file_concat("openssl/ssl.h"    HAVE_OPENSSL_SSL_H)
-    check_include_file_concat("openssl/x509.h"   HAVE_OPENSSL_X509_H)
-    check_include_file_concat("openssl/rand.h"   HAVE_OPENSSL_RAND_H)
+    check_include_file("openssl/crypto.h" HAVE_OPENSSL_CRYPTO_H)
+    check_include_file("openssl/engine.h" HAVE_OPENSSL_ENGINE_H)
+    check_include_file("openssl/err.h"    HAVE_OPENSSL_ERR_H)
+    check_include_file("openssl/pem.h"    HAVE_OPENSSL_PEM_H)
+    check_include_file("openssl/pkcs12.h" HAVE_OPENSSL_PKCS12_H)
+    check_include_file("openssl/rsa.h"    HAVE_OPENSSL_RSA_H)
+    check_include_file("openssl/ssl.h"    HAVE_OPENSSL_SSL_H)
+    check_include_file("openssl/x509.h"   HAVE_OPENSSL_X509_H)
+    check_include_file("openssl/rand.h"   HAVE_OPENSSL_RAND_H)
  endif()
 endif()

 if(NOT CURL_DISABLE_LDAP)

  if(WIN32)
-    option(CURL_LDAP_WIN "Use Windows LDAP implementation" ON)
-    if(CURL_LDAP_WIN)
+    option(USE_WIN32_LDAP "Use Windows LDAP implementation" ON)
+    if(USE_WIN32_LDAP)
      check_library_exists("wldap32" cldap_open "" HAVE_WLDAP32)
      if(NOT HAVE_WLDAP32)
-        set(CURL_LDAP_WIN OFF)
+        set(USE_WIN32_LDAP OFF)
      endif()
    endif()
  endif()
@@ -323,12 +324,12 @@ if(NOT CURL_DISABLE_LDAP)
  set(CMAKE_LDAP_LIB "ldap" CACHE STRING "Name or full path to ldap library")
  set(CMAKE_LBER_LIB "lber" CACHE STRING "Name or full path to lber library")

-  if(CMAKE_USE_OPENLDAP AND CURL_LDAP_WIN)
-    message(FATAL_ERROR "Cannot use CURL_LDAP_WIN and CMAKE_USE_OPENLDAP at the same time")
+  if(CMAKE_USE_OPENLDAP AND USE_WIN32_LDAP)
+    message(FATAL_ERROR "Cannot use USE_WIN32_LDAP and CMAKE_USE_OPENLDAP at the same time")
  endif()
  
  # Now that we know, we're not using windows LDAP...
-  if(NOT CURL_LDAP_WIN)
+  if(NOT USE_WIN32_LDAP)
    # Check for LDAP
    set(CMAKE_REQUIRED_LIBRARIES ${OPENSSL_LIBRARIES})
    check_library_exists_concat(${CMAKE_LDAP_LIB} ldap_init HAVE_LIBLDAP)
@@ -384,7 +385,7 @@ if(NOT CURL_DISABLE_LDAP)
        return 0;
      }"
    )
-    set(CMAKE_REQUIRED_DEFINITIONS "-DLDAP_DEPRECATED=1" "-DWIN32_LEAN_AND_MEAN")
+    set(CMAKE_REQUIRED_DEFINITIONS "${CMAKE_REQUIRED_DEFINITIONS} -DLDAP_DEPRECATED=1")
    list(APPEND CMAKE_REQUIRED_LIBRARIES ${CMAKE_LDAP_LIB})
    if(HAVE_LIBLBER)
      list(APPEND CMAKE_REQUIRED_LIBRARIES ${CMAKE_LBER_LIB})
@@ -537,15 +538,13 @@ endif()

 # Check for header files
 if(NOT UNIX)
+  check_include_file_concat("windows.h"      HAVE_WINDOWS_H)
+  check_include_file_concat("winsock.h"      HAVE_WINSOCK_H)
  check_include_file_concat("ws2tcpip.h"     HAVE_WS2TCPIP_H)
  check_include_file_concat("winsock2.h"     HAVE_WINSOCK2_H)
 endif(NOT UNIX)
-check_include_file_concat("stdio.h"          HAVE_STDIO_H)
-if(NOT UNIX)
-  check_include_file_concat("windows.h"      HAVE_WINDOWS_H)
-  check_include_file_concat("winsock.h"      HAVE_WINSOCK_H)
-endif(NOT UNIX)

+check_include_file_concat("stdio.h"          HAVE_STDIO_H)
 check_include_file_concat("inttypes.h"       HAVE_INTTYPES_H)
 check_include_file_concat("sys/filio.h"      HAVE_SYS_FILIO_H)
 check_include_file_concat("sys/ioctl.h"      HAVE_SYS_IOCTL_H)
--- a/Makefile.am
+++ b/Makefile.am
@@ -5,7 +5,7 @@
 #                            | (__| |_| |  _ <| |___
 #                             \___|\___/|_| \_\_____|
 #
-# Copyright (C) 1998 - 2014, Daniel Stenberg, <daniel@haxx.se>, et al.
+# Copyright (C) 1998 - 2015, Daniel Stenberg, <daniel@haxx.se>, et al.
 #
 # This software is licensed as described in the file COPYING, which
 # you should have received as part of this distribution. The terms
@@ -30,88 +30,88 @@ CMAKE_DIST = CMakeLists.txt CMake/CMakeConfigurableFile.in	\
 include/curl/curlbuild.h.cmake CMake/Macros.cmake

 VC6_LIBTMPL = projects/Windows/VC6/lib/libcurl.tmpl
-VC6_LIBDSP = projects/Windows/VC6/lib/libcurl.dsp
+VC6_LIBDSP = projects/Windows/VC6/lib/libcurl.dsp.dist
 VC6_LIBDSP_DEPS = $(VC6_LIBTMPL) Makefile.am lib/Makefile.inc
 VC6_SRCTMPL = projects/Windows/VC6/src/curlsrc.tmpl
-VC6_SRCDSP = projects/Windows/VC6/src/curlsrc.dsp
+VC6_SRCDSP = projects/Windows/VC6/src/curlsrc.dsp.dist
 VC6_SRCDSP_DEPS = $(VC6_SRCTMPL) Makefile.am src/Makefile.inc

 VC7_LIBTMPL = projects/Windows/VC7/lib/libcurl.tmpl
-VC7_LIBVCPROJ = projects/Windows/VC7/lib/libcurl.vcproj
+VC7_LIBVCPROJ = projects/Windows/VC7/lib/libcurl.vcproj.dist
 VC7_LIBVCPROJ_DEPS = $(VC7_LIBTMPL) Makefile.am lib/Makefile.inc
 VC7_SRCTMPL = projects/Windows/VC7/src/curlsrc.tmpl
-VC7_SRCVCPROJ = projects/Windows/VC7/src/curlsrc.vcproj
+VC7_SRCVCPROJ = projects/Windows/VC7/src/curlsrc.vcproj.dist
 VC7_SRCVCPROJ_DEPS = $(VC7_SRCTMPL) Makefile.am src/Makefile.inc

 VC71_LIBTMPL = projects/Windows/VC7.1/lib/libcurl.tmpl
-VC71_LIBVCPROJ = projects/Windows/VC7.1/lib/libcurl.vcproj
+VC71_LIBVCPROJ = projects/Windows/VC7.1/lib/libcurl.vcproj.dist
 VC71_LIBVCPROJ_DEPS = $(VC71_LIBTMPL) Makefile.am lib/Makefile.inc
 VC71_SRCTMPL = projects/Windows/VC7.1/src/curlsrc.tmpl
-VC71_SRCVCPROJ = projects/Windows/VC7.1/src/curlsrc.vcproj
+VC71_SRCVCPROJ = projects/Windows/VC7.1/src/curlsrc.vcproj.dist
 VC71_SRCVCPROJ_DEPS = $(VC71_SRCTMPL) Makefile.am src/Makefile.inc

 VC8_LIBTMPL = projects/Windows/VC8/lib/libcurl.tmpl
-VC8_LIBVCPROJ = projects/Windows/VC8/lib/libcurl.vcproj
+VC8_LIBVCPROJ = projects/Windows/VC8/lib/libcurl.vcproj.dist
 VC8_LIBVCPROJ_DEPS = $(VC8_LIBTMPL) Makefile.am lib/Makefile.inc
 VC8_SRCTMPL = projects/Windows/VC8/src/curlsrc.tmpl
-VC8_SRCVCPROJ = projects/Windows/VC8/src/curlsrc.vcproj
+VC8_SRCVCPROJ = projects/Windows/VC8/src/curlsrc.vcproj.dist
 VC8_SRCVCPROJ_DEPS = $(VC8_SRCTMPL) Makefile.am src/Makefile.inc

 VC9_LIBTMPL = projects/Windows/VC9/lib/libcurl.tmpl
-VC9_LIBVCPROJ = projects/Windows/VC9/lib/libcurl.vcproj
+VC9_LIBVCPROJ = projects/Windows/VC9/lib/libcurl.vcproj.dist
 VC9_LIBVCPROJ_DEPS = $(VC9_LIBTMPL) Makefile.am lib/Makefile.inc
 VC9_SRCTMPL = projects/Windows/VC9/src/curlsrc.tmpl
-VC9_SRCVCPROJ = projects/Windows/VC9/src/curlsrc.vcproj
+VC9_SRCVCPROJ = projects/Windows/VC9/src/curlsrc.vcproj.dist
 VC9_SRCVCPROJ_DEPS = $(VC9_SRCTMPL) Makefile.am src/Makefile.inc

 VC10_LIBTMPL = projects/Windows/VC10/lib/libcurl.tmpl
-VC10_LIBVCXPROJ = projects/Windows/VC10/lib/libcurl.vcxproj
+VC10_LIBVCXPROJ = projects/Windows/VC10/lib/libcurl.vcxproj.dist
 VC10_LIBVCXPROJ_DEPS = $(VC10_LIBTMPL) Makefile.am lib/Makefile.inc
 VC10_SRCTMPL = projects/Windows/VC10/src/curlsrc.tmpl
-VC10_SRCVCXPROJ = projects/Windows/VC10/src/curlsrc.vcxproj
+VC10_SRCVCXPROJ = projects/Windows/VC10/src/curlsrc.vcxproj.dist
 VC10_SRCVCXPROJ_DEPS = $(VC10_SRCTMPL) Makefile.am src/Makefile.inc

 VC11_LIBTMPL = projects/Windows/VC11/lib/libcurl.tmpl
-VC11_LIBVCXPROJ = projects/Windows/VC11/lib/libcurl.vcxproj
+VC11_LIBVCXPROJ = projects/Windows/VC11/lib/libcurl.vcxproj.dist
 VC11_LIBVCXPROJ_DEPS = $(VC11_LIBTMPL) Makefile.am lib/Makefile.inc
 VC11_SRCTMPL = projects/Windows/VC11/src/curlsrc.tmpl
-VC11_SRCVCXPROJ = projects/Windows/VC11/src/curlsrc.vcxproj
+VC11_SRCVCXPROJ = projects/Windows/VC11/src/curlsrc.vcxproj.dist
 VC11_SRCVCXPROJ_DEPS = $(VC11_SRCTMPL) Makefile.am src/Makefile.inc

 VC12_LIBTMPL = projects/Windows/VC12/lib/libcurl.tmpl
-VC12_LIBVCXPROJ = projects/Windows/VC12/lib/libcurl.vcxproj
+VC12_LIBVCXPROJ = projects/Windows/VC12/lib/libcurl.vcxproj.dist
 VC12_LIBVCXPROJ_DEPS = $(VC12_LIBTMPL) Makefile.am lib/Makefile.inc
 VC12_SRCTMPL = projects/Windows/VC12/src/curlsrc.tmpl
-VC12_SRCVCXPROJ = projects/Windows/VC12/src/curlsrc.vcxproj
+VC12_SRCVCXPROJ = projects/Windows/VC12/src/curlsrc.vcxproj.dist
 VC12_SRCVCXPROJ_DEPS = $(VC12_SRCTMPL) Makefile.am src/Makefile.inc

 VC_DIST = projects/README	\
 projects/build-openssl.bat	\
 projects/checksrc.bat	\
- projects/Windows/VC6/curl.dsw	\
- projects/Windows/VC6/lib/libcurl.dsw $(VC6_LIBDSP)	\
- projects/Windows/VC6/src/curlsrc.dsw $(VC6_SRCDSP)	\
- projects/Windows/VC7/curl.sln	\
- projects/Windows/VC7/lib/libcurl.sln $(VC7_LIBVCPROJ)	\
- projects/Windows/VC7/src/curlsrc.sln $(VC7_SRCVCPROJ)	\
- projects/Windows/VC7.1/curl.sln	\
- projects/Windows/VC7.1/lib/libcurl.sln $(VC71_LIBVCPROJ)	\
- projects/Windows/VC7.1/src/curlsrc.sln $(VC71_SRCVCPROJ)	\
- projects/Windows/VC8/curl.sln	\
- projects/Windows/VC8/lib/libcurl.sln $(VC8_LIBVCPROJ)	\
- projects/Windows/VC8/src/curlsrc.sln $(VC8_SRCVCPROJ)	\
- projects/Windows/VC9/curl.sln	\
- projects/Windows/VC9/lib/libcurl.sln $(VC9_LIBVCPROJ)	\
- projects/Windows/VC9/src/curlsrc.sln $(VC9_SRCVCPROJ)	\
- projects/Windows/VC10/curl.sln	\
- projects/Windows/VC10/lib/libcurl.sln $(VC10_LIBVCXPROJ)	\
- projects/Windows/VC10/src/curlsrc.sln $(VC10_SRCVCXPROJ)	\
- projects/Windows/VC11/curl.sln	\
- projects/Windows/VC11/lib/libcurl.sln $(VC11_LIBVCXPROJ)	\
- projects/Windows/VC11/src/curlsrc.sln $(VC11_SRCVCXPROJ)	\
- projects/Windows/VC12/curl.sln	\
- projects/Windows/VC12/lib/libcurl.sln $(VC12_LIBVCXPROJ)	\
- projects/Windows/VC12/src/curlsrc.sln $(VC12_SRCVCXPROJ)
+ projects/Windows/VC6/curl-all.dsw	\
+ projects/Windows/VC6/lib/libcurl.dsw \
+ projects/Windows/VC6/src/curlsrc.dsw \
+ projects/Windows/VC7/curl-all.sln	\
+ projects/Windows/VC7/lib/libcurl.sln 	\
+ projects/Windows/VC7/src/curlsrc.sln 	\
+ projects/Windows/VC7.1/curl-all.sln	\
+ projects/Windows/VC7.1/lib/libcurl.sln \
+ projects/Windows/VC7.1/src/curlsrc.sln \
+ projects/Windows/VC8/curl-all.sln	\
+ projects/Windows/VC8/lib/libcurl.sln 	\
+ projects/Windows/VC8/src/curlsrc.sln 	\
+ projects/Windows/VC9/curl-all.sln	\
+ projects/Windows/VC9/lib/libcurl.sln 	\
+ projects/Windows/VC9/src/curlsrc.sln 	\
+ projects/Windows/VC10/curl-all.sln	\
+ projects/Windows/VC10/lib/libcurl.sln 	\
+ projects/Windows/VC10/src/curlsrc.sln  \
+ projects/Windows/VC11/curl-all.sln	\
+ projects/Windows/VC11/lib/libcurl.sln 	\
+ projects/Windows/VC11/src/curlsrc.sln 	\
+ projects/Windows/VC12/curl-all.sln	\
+ projects/Windows/VC12/lib/libcurl.sln 	\
+ projects/Windows/VC12/src/curlsrc.sln

 WINBUILD_DIST = winbuild/BUILD.WINDOWS.txt winbuild/gen_resp_file.bat	\
 winbuild/MakefileBuild.vc winbuild/Makefile.vc				\
--- a/264
+++ b/264
@@ -1,146 +1,89 @@
-Curl and libcurl 7.40.0
+Curl and libcurl 7.41.0

- Public curl releases:         143
- Command line options:         162
- curl_easy_setopt() options:   208
+ Public curl releases:         144
+ Command line options:         163
+ curl_easy_setopt() options:   209
 Public functions in libcurl:  58
- Contributors:                 1219
+ Contributors:                 1233

 This release includes the following changes:

- o http_digest: Added support for Windows SSPI based authentication
- o version info: Added Kerberos V5 to the supported features
- o Makefile: Added VC targets for WinIDN
- o config-win32: Introduce build targets for VS2012+
- o SSL: Add PEM format support for public key pinning
- o smtp: Added support for the conversion of Unix newlines during mail send [8]
- o smb: Added initial support for the SMB/CIFS protocol
- o Added support for HTTP over unix domain sockets, via
-   CURLOPT_UNIX_SOCKET_PATH and --unix-socket
- o sasl: Added support for GSS-API based Kerberos V5 authentication
+ o NetWare build: added TLS-SRP enabled build
+ o winbuild: Added option to build with c-ares
+ o Added --cert-status [9]
+ o Added CURLOPT_SSL_VERIFYSTATUS [10]
+ o sasl: implement EXTERNAL authentication mechanism

 This release includes the following bugfixes:

- o darwinssl: fix session ID keys to only reuse identical sessions [18]
- o url-parsing: reject CRLFs within URLs [19]
- o OS400: Adjust specific support to last release
- o THANKS: Remove duplicate names
- o url.c: Fixed compilation warning
- o ssh: Fixed build on platforms where R_OK is not defined [1]
- o tool_strdup.c: include the tool strdup.h
- o build: Fixed Visual Studio project file generation of strdup.[c|h]
- o curl_easy_setopt.3: add CURLOPT_PINNEDPUBLICKEY [2]
- o curl.1: show zone index use in a URL
- o mk-ca-bundle.vbs: switch to new certdata.txt url
- o Makefile.dist: Added some missing SSPI configurations
- o build: Fixed no NTLM support for email when CURL_DISABLE_HTTP is defined
- o SSH: use the port number as well for known_known checks [3]
- o libssh2: detect features based on version, not configure checks
- o http2: Deal with HTTP/2 data inside Upgrade response header buffer [4]
- o multi: removed Curl_multi_set_easy_connection
- o symbol-scan.pl: do not require autotools
- o cmake: add ENABLE_THREADED_RESOLVER, rename ARES
- o cmake: build libhostname for test suite
- o cmake: fix HAVE_GETHOSTNAME definition
- o tests: fix libhostname visibility
- o tests: fix memleak in server/resolve.c
- o vtls.h: Fixed compiler warning when compiled without SSL
- o CMake: Restore order-dependent header checks
- o CMake: Restore order-dependent library checks
- o tool: Removed krb4 from the supported features
- o http2: Don't send Upgrade headers when we already do HTTP/2
- o examples: Don't call select() to sleep on windows [6]
- o win32: Updated some legacy APIs to use the newer extended versions [5]
- o easy.c: Fixed compilation warning when no verbose string support
- o connect.c: Fixed compilation warning when no verbose string support
- o build: in Makefile.m32 pass -F flag to windres
- o build: in Makefile.m32 add -m32 flag for 32bit
- o multi: when leaving for timeout, close accordingly
- o CMake: Simplify if() conditions on check result variables
- o build: in Makefile.m32 try to detect 64bit target
- o multi: inform about closed sockets before they are closed
- o multi-uv.c: close the file handle after download
- o examples: Wait recommended 100ms when no file descriptors are ready
- o ntlm: Split the SSPI based messaging code from the native messaging code
- o cmake: fix NTLM detection when CURL_DISABLE_HTTP defined
- o cmake: add Kerberos to the supported feature
- o CURLOPT_POSTFIELDS.3: mention the COPYPOSTFIELDS option
- o http: Disable pipelining for HTTP/2 and upgraded connections
- o ntlm: Fixed static'ness of local decode function
- o sasl: Reduced the need for two sets of NTLM messaging functions
- o multi.c: Fixed compilation warnings when no verbose string support
- o select.c: fix compilation for VxWorks [7]
- o multi-single.c: switch to use curl_multi_wait
- o curl_multi_wait.3: clarify numfds being used if not NULL
- o http.c: Fixed compilation warnings from features being disabled
- o NSS: enable the CAPATH option [9]
- o docs: Fix FAILONERROR typos
- o HTTP: don't abort connections with pending Negotiate authentication
- o HTTP: Free (proxy)userpwd for NTLM/Negotiate after sending a request
- o http_perhapsrewind: don't abort CONNECT requests
- o build: updated dependencies in makefiles
- o multi.c: Fixed compilation warning
- o ftp.c: Fixed compilation warnings when proxy support disabled
- o get_url_file_name: Fixed crash on OOM on debug build
- o cookie.c: Refactored cleanup code to simplify
- o OS400: enable NTLM authentication
- o ntlm: Use Windows Crypt API
- o http2: avoid logging neg "failure" if h2 was not requested
- o schannel_recv: return the correct code [10]
- o VC build: added sspi define for winssl-zlib builds
- o Curl_client_write(): chop long data, convert data only once
- o openldap: do not ignore Curl_client_write() return code
- o ldap: check Curl_client_write() return codes
- o parsedate.c: Fixed compilation warning
- o url.c: Fixed compilation warning when USE_NTLM is not defined
- o ntlm_wb_response: fix "statement not reached" [11]
- o telnet: fix "cast increases required alignment of target type"
- o smtp: Fixed dot stuffing when EOL characters at end of input buffers [12]
- o ntlm: Allow NTLM2Session messages when USE_NTRESPONSES manually defined
- o ntlm: Disable NTLM v2 when 64-bit integers are not supported
- o ntlm: Use short integer when decoding 16-bit values
- o ftp.c: Fixed compilation warning when no verbose string support
- o synctime.c: fixed timeserver URLs
- o mk-ca-bundle.pl: restored forced run again
- o ntlm: Fixed return code for bad type-2 Target Info
- o curl_schannel.c: Data may be available before connection shutdown
- o curl_schannel: Improvements to memory re-allocation strategy [13]
- o darwinssl: aprintf() to allocate the session key
- o tool_util.c: Use GetTickCount64 if it is available
- o lib: Fixed multiple code analysis warnings if SAL are available
- o tool_binmode.c: Explicitly ignore the return code of setmode
- o tool_urlglob.c: Silence warning C6293: Ill-defined for-loop
- o opts: Warn CURLOPT_TIMEOUT overrides when set after CURLOPT_TIMEOUT_MS
- o SFTP: work-around servers that return zero size on STAT [14]
- o connect: singleipconnect(): properly try other address families after failure
- o IPV6: address scope != scope id [15]
- o parseurlandfillconn(): fix improper non-numeric scope_id stripping [16]
- o secureserver.pl: make OpenSSL CApath and cert absolute path values
- o secureserver.pl: update Windows detection and fix path conversion
- o secureserver.pl: clean up formatting of config and fix verbose output
- o tests: Added Windows support using Cygwin-based OpenSSH
- o sockfilt.c: use non-Ex functions that are available before WinXP
- o VMS: Updates for 0740-0D1220
- o openssl: warn for SRP set if SSLv3 is used, not for TLS version
- o openssl: make it compile against openssl 1.1.0-DEV master branch
- o openssl: fix SSL/TLS versions in verbose output
- o curl: show size of inhibited data when using -v
- o build: Removed WIN32 definition from the Visual Studio projects
- o build: Removed WIN64 definition from the libcurl Visual Studio projects
- o vtls: Use bool for Curl_ssl_getsessionid() return type
- o sockfilt.c: Replace 100ms sleep with thread throttle
- o sockfilt.c: Reduce the number of individual memory allocations
- o vtls: Don't set cert info count until memory allocation is successful
- o nss: Don't ignore Curl_ssl_init_certinfo() OOM failure
- o nss: Don't ignore Curl_extract_certinfo() OOM failure
- o vtls: Fixed compilation warning and an ignored return code
- o sockfilt.c: Fixed compilation warnings
- o darwinssl: Fixed compilation warning
- o vtls: Use '(void) arg' for unused parameters
- o sepheaders.c: Fixed resource leak on failure
- o lib1900.c: Fixed cppcheck error [17]
- o ldap: Fixed Unicode connection details in Win32 initialsation / bind calls
- o ldap: Fixed Unicode DN, attributes and filter in Win32 search calls
+ o sasl_gssapi: Fixed build on NetBSD with built-in GSS-API [1]
+ o FTP: fix IPv6 host using link-local address [2]
+ o FTP: if EPSV fails on IPV6 connections, bail out
+ o gssapi: Remove need for duplicated GSS_C_NT_HOSTBASED_SERVICE definitions
+ o NSS: fix compiler error when built http2-enabled
+ o mingw build: allow to pass custom CFLAGS [3]
+ o add -m64 CFLAGS when targeting mingw64, add -m32/-m64 to LDFLAGS [4]
+ o curl_schannel.c: mark session as removed from cache if not freed [5]
+ o Curl_pretransfer: reset expected transfer sizes [6]
+ o curl.h: remove extra space [7]
+ o curl_endian: Fixed build when 64-bit integers are not supported [8]
+ o checksrc.bat: Better detection of Perl installation
+ o build-openssl.bat: Added check for Perl installation
+ o http_negotiate: Return CURLcode in Curl_input_negotiate() instead of int
+ o http_negotiate: Added empty decoded challenge message info text
+ o vtls: Removed unimplemented overrides of curlssl_close_all()
+ o sasl_gssapi: Fixed memory leak with local SPN variable
+ o http_negotiate: Use dynamic buffer for SPN generation
+ o ldap: Renamed the CURL_LDAP_WIN definition to USE_WIN32_LDAP
+ o openssl: do public key pinning check independently [11]
+ o timeval: typecast for better type (on Amiga)
+ o ipv6: enclose AF_INET6 uses with proper #ifdefs for ipv6
+ o SASL: common URL option and auth capabilities decoders for all protocols
+ o BoringSSL: fix build
+ o BoringSSL: detected by configure, switches off NTLM
+ o openvms: Handle openssl/0.8.9zb version parsing
+ o configure: detect libresssl
+ o configure: remove detection of the old yassl emulation API
+ o curl_setup: Disable SMB/CIFS support when HTTP only
+ o imap: remove automatic password setting: it breaks external sasl authentication
+ o sasl: remove XOAUTH2 from default enabled authentication mechanism
+ o runtests: identify BoringSSL and libressl
+ o security: avoid compiler warning
+ o ldap: build with BoringSSL
+ o des: Added Curl_des_set_odd_parity()
+ o CURLOPT_SEEKFUNCTION.3: also when server closes a connection
+ o CURLOPT_HTTP_VERSION.3: CURL_HTTP_VERSION_2_0 added in 7.33.0
+ o build: Removed unused Visual Studio bscmake settings
+ o build: Enabled DEBUGBUILD in Visual Studio debug builds
+ o build: Renamed top level Visual Studio solution files
+ o build: Removed Visual Studio SuppressStartupBanner directive for VC8+
+ o libcurl-symbols: first basic shot for autogenerated docs
+ o Makefile.am: fix 'make distcheck'
+ o getpass_r: read from stdin, not stdout! [12]
+ o getpass: protect include with proper #ifdef
+ o opts: CURLOPT_CAINFO availability depends on SSL engine
+ o more cleanup of 'CURLcode result' return code 
+ o MD4: replace implementation
+ o MD5: replace implementation
+ o openssl: SSL_SESSION->ssl_version no longer exist [13]
+ o md5: use axTLS's own MD5 functions when available
+ o schannel: Removed curl_ prefix from source files
+ o curl.1: add warning when using -H and redirects
+ o curl.1: clarify that -X is used for all requests
+ o gskit: Fix exclusive SSLv3 option
+ o polarssl: Fix exclusive SSL protocol version options [14]
+ o http2: Fix bug that associated stream canceled on PUSH_PROMISE
+ o ftp: accept all 2xx responses to the PORT command
+ o configure: allow both --with-ca-bundle and --with-ca-path [15]
+ o cmake: install the dll file to the correct directory
+ o nss: fix NPN/ALPN protocol negotiation
+ o polarssl: fix ALPN protocol negotiation
+ o cmake: Fix generation of tool_hugehelp.c on windows
+ o cmake: fix winsock2 detection on windows
+ o gnutls: fix build with HTTP2
+ o connect: fix a spurious connect failure on dual-stacked hosts [16]
+ o test: test 530 is now less timing dependent
+ o telnet: invalid use of custom read function if not set

 This release includes the following known bugs:

@@ -149,35 +92,32 @@ This release includes the following known bugs:
 This release would not have looked like this without help, code, reports and
 advice from friends like these:

-  Andrey Labunets, Anthon Pang, Bill Nagel, Brad Harder, Brad King, Carlo Wood,
-  Christian Hägele, Dan Fandrich, Daniel Stenberg, Dave Reisner, Frank Gevaerts,
-  Gisle Vanem, Guenter Knauf, Jan Ehrhardt, Johan Lantz, John E. Malmberg,
-  Jon Spencer, Julien Nabet, Kamil Dudka, Kyle J. McKay, Lucas Pardue,
-  Marc Hesse, Marc Hoersken, Marc Renault, Michael Osipov, Nick Zitzmann,
-  Nobuhiro Ban, Patrick Monnerat, Peter Wu, Ray Satiro, Sam Hurst,
-  Stefan Bühler, Stefan Neis, Steve Holme, Tae Hyoung Ahn, Tatsuhiro Tsujikawa,
-  Tomasz Kojm, Tor Arntsen, Waldek Kozba, Warren Menzer
+  Alessandro Ghedini, Alexander Peslyak, Ben Boeckel, Brad King, Brad Spencer,
+  Chris Young, Dan Fandrich, Daniel Stenberg, Gisle Vanem, Guenter Knauf,
+  Jean-Francois Durand, Joe Mason, John E. Malmberg, Jon Seymour, Julian Ospald,
+  Kamil Dudka, Kyle J. McKay, Leith Bade, Marc Hoersken, Michael Kaufmann,
+  Michael Wallner, Mohammad AlSaleh, Nick Zitzmann, Patrick Monnerat,
+  Ray Satiro, Rich Burridge, Sam Schanken, Sergei Nikulov, Steve Holme,
+  Tatsuhiro Tsujikawa, Thomas Klausner, Viktor Szakats, Vojtěch Král,
+  Yun SangHo

        Thanks! (and sorry if I forgot to mention someone)

 References to bug reports and discussions on issues:

- [1] = http://curl.haxx.se/mail/lib-2014-11/0035.html
- [2] = http://curl.haxx.se/mail/lib-2014-11/0078.html
- [3] = http://curl.haxx.se/bug/view.cgi?id=1448
- [4] = https://github.com/tatsuhiro-t/nghttp2/issues/103
- [5] = http://sourceforge.net/p/curl/feature-requests/82/
- [6] = http://curl.haxx.se/mail/lib-2014-11/0221.html
- [7] = http://curl.haxx.se/bug/view.cgi?id=1455
- [8] = http://curl.haxx.se/bug/view.cgi?id=1456
- [9] = http://curl.haxx.se/bug/view.cgi?id=1457
- [10] = http://curl.haxx.se/bug/view.cgi?id=1462
- [11] = http://curl.haxx.se/mail/lib-2014-12/0089.html
- [12] = http://curl.haxx.se/bug/view.cgi?id=1456
- [13] = http://curl.haxx.se/bug/view.cgi?id=1450
- [14] = http://curl.haxx.se/mail/lib-2014-12/0103.html
- [15] = http://curl.haxx.se/bug/view.cgi?id=1451
- [16] = http://curl.haxx.se/bug/view.cgi?id=1449
- [17] = https://github.com/bagder/curl/pull/133
- [18] = http://curl.haxx.se/docs/adv_20150108A.html
- [19] = http://curl.haxx.se/docs/adv_20150108B.html
+ [1] = http://curl.haxx.se/bug/view.cgi?id=1469
+ [2] = http://curl.haxx.se/bug/view.cgi?id=1468
+ [3] = https://github.com/bagder/curl/pull/136
+ [4] = https://github.com/bagder/curl/pull/134
+ [5] = http://curl.haxx.se/mail/lib-2015-01/0036.html
+ [6] = http://curl.haxx.se/mail/lib-2015-01/0065.html
+ [7] = https://github.com/bagder/curl/pull/137
+ [8] = http://curl.haxx.se/mail/lib-2015-01/0094.html
+ [9] = http://curl.haxx.se/docs/manpage.html#--cert-status
+ [10] = http://curl.haxx.se/libcurl/c/CURLOPT_SSL_VERIFYSTATUS.html
+ [11] = http://curl.haxx.se/bug/view.cgi?id=1471
+ [12] = http://curl.haxx.se/bug/view.cgi?id=1476
+ [13] = http://curl.haxx.se/mail/lib-2015-02/0034.html
+ [14] = http://curl.haxx.se/mail/lib-2015-01/0002.html
+ [15] = https://github.com/bagder/curl/pull/139
+ [16] = https://bugzilla.redhat.com/1187531
--- a/acinclude.m4
+++ b/acinclude.m4
@@ -2607,7 +2607,8 @@ AC_HELP_STRING([--without-ca-path], [Don't use a default CA path]),
  if test "x$want_ca" != "xno" -a "x$want_ca" != "xunset" -a \
          "x$want_capath" != "xno" -a "x$want_capath" != "xunset"; then
    dnl both given
-    AC_MSG_ERROR([Can't specify both --with-ca-bundle and --with-ca-path.])
+    ca="$want_ca"
+    capath="$want_capath"
  elif test "x$want_ca" != "xno" -a "x$want_ca" != "xunset"; then
    dnl --with-ca-bundle given
    ca="$want_ca"
@@ -2669,11 +2670,13 @@ AC_HELP_STRING([--without-ca-path], [Don't use a default CA path]),
    AC_DEFINE_UNQUOTED(CURL_CA_BUNDLE, "$ca", [Location of default ca bundle])
    AC_SUBST(CURL_CA_BUNDLE)
    AC_MSG_RESULT([$ca])
-  elif test "x$capath" != "xno"; then
+  fi
+  if test "x$capath" != "xno"; then
    CURL_CA_PATH="\"$capath\""
    AC_DEFINE_UNQUOTED(CURL_CA_PATH, "$capath", [Location of default ca path])
    AC_MSG_RESULT([$capath (capath)])
-  else
+  fi
+  if test "x$ca" == "xno" && test "x$capath" == "xno"; then
    AC_MSG_RESULT([no])
  fi
 ])
--- a/configure.ac
+++ b/configure.ac
@@ -5,7 +5,7 @@
 #                            | (__| |_| |  _ <| |___
 #                             \___|\___/|_| \_\_____|
 #
-# Copyright (C) 1998 - 2014, Daniel Stenberg, <daniel@haxx.se>, et al.
+# Copyright (C) 1998 - 2015, Daniel Stenberg, <daniel@haxx.se>, et al.
 #
 # This software is licensed as described in the file COPYING, which
 # you should have received as part of this distribution. The terms
@@ -1046,7 +1046,7 @@ if test x$CURL_DISABLE_LDAP != x1 ; then

  if test "$LDAPLIBNAME" = "wldap32"; then
    curl_ldap_msg="enabled (winldap)"
-    AC_DEFINE(CURL_LDAP_WIN, 1, [Use Windows LDAP implementation])
+    AC_DEFINE(USE_WIN32_LDAP, 1, [Use Windows LDAP implementation])
  else
    curl_ldap_msg="enabled (OpenLDAP)"
    if test "x$ac_cv_func_ldap_init_fd" = "xyes"; then
@@ -1579,7 +1579,8 @@ if test "$curl_ssl_msg" = "$init_ssl_msg" && test X"$OPT_SSL" != Xno; then
              ])

    dnl these can only exist if openssl exists
-    dnl yassl doesn't have SSL_get_shutdown
+    dnl Cyassl doesn't have SSL_get_shutdown
+    dnl BoringSSL doesn't have DES_set_odd_parity

    AC_CHECK_FUNCS( RAND_status \
                    RAND_screen \
@@ -1587,28 +1588,30 @@ if test "$curl_ssl_msg" = "$init_ssl_msg" && test X"$OPT_SSL" != Xno; then
                    ENGINE_cleanup \
                    CRYPTO_cleanup_all_ex_data \
                    SSL_get_shutdown \
-                    SSLv2_client_method )
+                    SSLv2_client_method \
+                    DES_set_odd_parity )

-    dnl Make an attempt to detect if this is actually yassl's headers and
-    dnl OpenSSL emulation layer. We still leave everything else believing
-    dnl and acting like OpenSSL.
-
-    AC_MSG_CHECKING([for yaSSL using OpenSSL compatibility mode])
+    AC_MSG_CHECKING([for BoringSSL])
+    if test "x$ac_cv_func_DES_set_odd_parity" != "xyes"; then
+      curl_ssl_msg="enabled (BoringSSL)"
+      AC_DEFINE_UNQUOTED(HAVE_BORINGSSL, 1,
+        [Define to 1 if using BoringSSL.])
+      AC_MSG_RESULT([yes])
+    else
+      AC_MSG_RESULT([no])
+    fi
+    AC_MSG_CHECKING([for libressl])
    AC_COMPILE_IFELSE([
      AC_LANG_PROGRAM([[
-#include <openssl/ssl.h>
+#include <openssl/opensslv.h>
      ]],[[
-#if defined(YASSL_VERSION) && defined(OPENSSL_VERSION_NUMBER)
-        int dummy = SSL_ERROR_NONE;
-#else
-        Not the yaSSL OpenSSL compatibility header.
-#endif
+        int dummy = LIBRESSL_VERSION_NUMBER;
      ]])
    ],[
      AC_MSG_RESULT([yes])
-      AC_DEFINE_UNQUOTED(USE_YASSLEMUL, 1,
-        [Define to 1 if using yaSSL in OpenSSL compatibility mode.])
-      curl_ssl_msg="enabled (OpenSSL emulation by yaSSL)"
+      AC_DEFINE_UNQUOTED(HAVE_LIBRESSL, 1,
+        [Define to 1 if using libressl.])
+      curl_ssl_msg="enabled (libressl)"
    ],[
      AC_MSG_RESULT([no])
    ])
--- a/docs/FAQ
+++ b/docs/FAQ
@@ -764,8 +764,9 @@ FAQ
  request-body in a GET request with something like "curl -X GET -d data
  [URL]"

-  Note that -X doesn't change curl's behavior. It only modifies the actual
-  string sent in the request.
+  Note that -X doesn't actually change curl's behavior as it only modifies the
+  actual string sent in the request, but that may of course trigger a
+  different set of events.

  Accordingly, by using -XPOST on a command line that for example would follow
  a 303 redirect, you will effectively prevent curl from behaving
--- a/docs/FEATURES
+++ b/docs/FEATURES
@@ -134,8 +134,8 @@ SMB
 - authentication with NTLMv1

 SMTP
- - authentication: Plain, Login, CRAM-MD5, Digest-MD5, NTLM (*9) and Kerberos 5
-   (*4)
+ - authentication: Plain, Login, CRAM-MD5, Digest-MD5, NTLM (*9), Kerberos 5
+   (*4) and External.
 - send e-mails
 - mail from support
 - mail size support
@@ -150,8 +150,8 @@ SMTPS (*1)

 POP3
 - authentication: Clear Text, APOP and SASL
- - SASL based authentication: Plain, Login, CRAM-MD5, Digest-MD5, NTLM (*9) and
-   Kerberos 5 (*4)
+ - SASL based authentication: Plain, Login, CRAM-MD5, Digest-MD5, NTLM (*9),
+   Kerberos 5 (*4) and External.
 - list e-mails
 - retrieve e-mails
 - enhanced command support for: CAPA, DELE, TOP, STAT, UIDL and NOOP via
@@ -165,8 +165,8 @@ POP3S (*1)

 IMAP
 - authentication: Clear Text and SASL
- - SASL based authentication: Plain, Login, CRAM-MD5, Digest-MD5, NTLM (*9) and
-   Kerberos 5 (*4)
+ - SASL based authentication: Plain, Login, CRAM-MD5, Digest-MD5, NTLM (*9),
+   Kerberos 5 (*4) and External.
 - list the folders of a mailbox
 - select a mailbox with support for verifying the UIDVALIDITY
 - fetch e-mails with support for specifying the UID and SECTION
--- a/docs/ROADMAP.md
+++ b/docs/ROADMAP.md
@@ -8,38 +8,39 @@ possible participation.
 New stuff - libcurl
 -------------------

-1. http2 test suite
+1. HTTP/2

-2. http2 multiplexing/pipelining
+ - test suite
+ - http2 multiplexing/pipelining
+ - provide option for HTTP/2 "prior knowledge" over clear text
+ - provide option to allow curl to default to HTTP/2 only when using HTTPS

-3. SPDY
+2. SRV records

-4. SRV records
+3. HTTPS to proxy

-5. HTTPS to proxy
-
-6. make sure there's an easy handle passed in to `curl_formadd()`,
+4. make sure there's an easy handle passed in to `curl_formadd()`,
   `curl_formget()` and `curl_formfree()` by adding replacement functions and
   deprecating the old ones to allow custom mallocs and more

-7. add support for third-party SASL libraries such as Cyrus SASL - may need to
+5. add support for third-party SASL libraries such as Cyrus SASL - may need to
   move existing native and SSPI based authentication into vsasl folder after
   reworking HTTP and SASL code

-8. SASL authentication in LDAP
+6. SASL authentication in LDAP

-9. Simplify the SMTP email interface so that programmers don't have to
+7. Simplify the SMTP email interface so that programmers don't have to
   construct the body of an email that contains all the headers, alternative
   content, images and attachments - maintain raw interface so that
   programmers that want to do this can

-10. Allow the email protocols to return the capabilities before
+8. Allow the email protocols to return the capabilities before
    authenticating. This will allow an application to decide on the best
    authentication mechanism

-11. Allow Windows threading model to be replaced by Win32 pthreads port
+9. Allow Windows threading model to be replaced by Win32 pthreads port

-12. Implement a dynamic buffer size to allow SFTP to use much larger buffers
+10. Implement a dynamic buffer size to allow SFTP to use much larger buffers
    and possibly allow the size to be customizable by applications. Use less
    memory when handles are not in use?

@@ -66,7 +67,6 @@ Improve

 4. docs (considered "bad" by users but how do we make it better?)

-  - split up `curl_easy_setopt.3`
  - split up curl.1

 5. authentication framework (consider merging HTTP and SASL authentication to
@@ -79,7 +79,5 @@ Improve
 Remove
 ------

-1. cmake support (nobody maintains it)
-
-2. makefile.vc files as there is no point in maintaining two sets of Windows
+1. makefile.vc files as there is no point in maintaining two sets of Windows
   makefiles. Note: These are currently being used by the Windows autobuilds
--- a/docs/THANKS
+++ b/docs/THANKS
@@ -40,6 +40,7 @@ Alexander Klauer
 Alexander Kourakos
 Alexander Krasnostavsky
 Alexander Lazic
+Alexander Peslyak
 Alexander Zhuravlev
 Alexey Borzov
 Alexey Pesternikov
@@ -79,6 +80,7 @@ Andrew Kurushin
 Andrew Moise
 Andrew Wansink
 Andrew de los Reyes
+Andrey Labunets
 Andrii Moiseiev
 Andrés García
 Andy Cedilnik
@@ -112,6 +114,7 @@ Balint Szilakszi
 Barry Abrahamson
 Bart Whiteley
 Bas Mevissen
+Ben Boeckel
 Ben Darnell
 Ben Greear
 Ben Madsen
@@ -142,6 +145,7 @@ Bob Richmond
 Bob Schader
 Bogdan Nicula
 Brad Burdick
+Brad Harder
 Brad Hards
 Brad King
 Brad Spencer
@@ -516,6 +520,7 @@ Jaz Fresh
 Jean Jacques Drouin
 Jean-Claude Chauve
 Jean-Francois Bertrand
+Jean-Francois Durand
 Jean-Louis Lemaire
 Jean-Marc Ranger
 Jean-Noël Rouvignac
@@ -555,6 +560,7 @@ Joe Mason
 Joel Chen
 Jofell Gallardo
 Johan Anderson
+Johan Lantz
 Johan Nilsson
 Johan van Selst
 Johannes Bauer
@@ -581,6 +587,8 @@ Johnny Luong
 Jon Grubbs
 Jon Nelson
 Jon Sargeant
+Jon Seymour
+Jon Spencer
 Jon Torrey
 Jon Travis
 Jon Turner
@@ -605,8 +613,10 @@ Judson Bishop
 Juergen Wilke
 Jukka Pihl
 Julian Noble
+Julian Ospald
 Julian Taylor
 Julien Chaffraix
+Julien Nabet
 Julien Royer
 Jun-ichiro itojun Hagino
 Jurij Smakov
@@ -652,6 +662,7 @@ Krishnendu Majumdar
 Krister Johansen
 Kristian Gunstone
 Kristian Köhntopp
+Kyle J. McKay
 Kyle L. Huff
 Kyle Sallee
 Lachlan O'Dea
@@ -670,6 +681,7 @@ Laurent Rabret
 Legoff Vincent
 Lehel Bernadt
 Leif W
+Leith Bade
 Len Krause
 Lenaic Lefever
 Lenny Rachitsky
@@ -709,8 +721,10 @@ Manuel Massing
 Marc Boucher
 Marc Deslauriers
 Marc Doughty
+Marc Hesse
 Marc Hoersken
 Marc Kleine-Budde
+Marc Renault
 Marcel Raad
 Marcel Roelofs
 Marcelo Juchem
@@ -781,6 +795,7 @@ Michael Day
 Michael Goffioul
 Michael Jahn
 Michael Jerris
+Michael Kaufmann
 Michael Mealling
 Michael Mueller
 Michael Osipov
@@ -843,6 +858,7 @@ Nikos Mavrogiannopoulos
 Ning Dong
 Nir Soffer
 Nis Jorgensen
+Nobuhiro Ban
 Nodak Sodak
 Norbert Frese
 Norbert Novotny
@@ -963,6 +979,7 @@ Rene Rebe
 Reuven Wachtfogel
 Reza Arbab
 Ricardo Cadime
+Rich Burridge
 Rich Gray
 Rich Rauenzahn
 Richard Archer
@@ -1021,6 +1038,8 @@ S. Moonesamy
 Salvador Dávila
 Salvatore Sorrentino
 Sam Deane
+Sam Hurst
+Sam Schanken
 Sampo Kellomaki
 Samuel Díaz García
 Samuel Listopad
@@ -1065,6 +1084,7 @@ Spork Schivago
 Stadler Stephan
 Stan van de Burgt
 Stanislav Ivochkin
+Stefan Bühler
 Stefan Esser
 Stefan Krause
 Stefan Neis
@@ -1099,6 +1119,7 @@ Symeon Paraschoudis
 Sébastien Willemijns
 T. Bharath
 T. Yamada
+Tae Hyoung Ahn
 Taneli Vahakangas
 Tanguy Fautre
 Tatsuhiro Tsujikawa
@@ -1147,6 +1168,7 @@ Tomas Hoger
 Tomas Mlcoch
 Tomas Pospisek
 Tomas Szepe
+Tomasz Kojm
 Tomasz Lacki
 Tommie Gannert
 Tommy Tam
@@ -1185,10 +1207,12 @@ Vladimir Grishchenko
 Vladimir Lazarenko
 Vojtech Janota
 Vojtech Minarik
+Vojtěch Král
 Vsevolod Novikov
 Waldek Kozba
 Walter J. Mack
 Ward Willats
+Warren Menzer
 Wayne Haigh
 Werner Koch
 Wesley Laxton
@@ -1212,6 +1236,7 @@ Yi Huang
 Yingwei Liu
 Yousuke Kimoto
 Yukihiro Kawada
+Yun SangHo
 Yuriy Sosov
 Yves Arrouye
 Yves Lejeune
--- a/docs/THANKS-filter
+++ b/docs/THANKS-filter
@@ -46,3 +46,4 @@ s/Frank Van Uffelen and Fabian Hiernaux//
 s/Rodrigo Silva (MestreLion)/Rodrigo Silva/
 s/tetetest tetetest//
 s/Jiří Hruška/Jiri Hruska/
+s/Viktor Szakats/Viktor Szakáts/
--- a/docs/TODO
+++ b/docs/TODO
@@ -65,61 +65,71 @@
 10. LDAP
 10.1 SASL based authentication mechanisms
 
- 11. New protocols
- 11.1 RSYNC
+ 11. SMB
+ 11.1 File listing support
+ 11.2 Honor file timestamps
+ 11.3 Use NTLMv2
 
- 12. SSL
- 12.1 Disable specific versions
- 12.2 Provide mutex locking API
- 12.3 Evaluate SSL patches
- 12.4 Cache OpenSSL contexts
- 12.5 Export session ids
- 12.6 Provide callback for cert verification
- 12.7 improve configure --with-ssl
- 12.8 Support DANE
+ 12. New protocols
+ 12.1 RSYNC

- 13. GnuTLS
- 13.1 SSL engine stuff
- 13.2 check connection
+ 13. SSL
+ 13.1 Disable specific versions
+ 13.2 Provide mutex locking API
+ 13.3 Evaluate SSL patches
+ 13.4 Cache OpenSSL contexts
+ 13.5 Export session ids
+ 13.6 Provide callback for cert verification
+ 13.7 improve configure --with-ssl
+ 13.8 Support DANE

- 14. SASL
- 14.1 Other authentication mechanisms
- 14.2 Add QOP support to GSSAPI authentication
+ 14. GnuTLS
+ 14.1 SSL engine stuff
+ 14.2 check connection

- 15. Client
- 15.1 sync
- 15.2 glob posts
- 15.3 prevent file overwriting
- 15.4 simultaneous parallel transfers
- 15.5 provide formpost headers
- 15.6 warning when setting an option
+ 15. WinSSL/SChannel
+ 15.1 Add support for client certificate authentication
+ 15.2 Add support for custom server certificate validation
+ 15.3 Add support for the --ciphers option

- 16. Build
- 16.1 roffit
+ 16. SASL
+ 16.1 Other authentication mechanisms
+ 16.2 Add QOP support to GSSAPI authentication
 
- 17. Test suite
- 17.1 SSL tunnel
- 17.2 nicer lacking perl message
- 17.3 more protocols supported
- 17.4 more platforms supported
- 17.5 Add support for concurrent connections
+ 17. Client
+ 17.1 sync
+ 17.2 glob posts
+ 17.3 prevent file overwriting
+ 17.4 simultaneous parallel transfers
+ 17.5 provide formpost headers
+ 17.6 warning when setting an option

- 18. Next SONAME bump
- 18.1 http-style HEAD output for FTP
- 18.2 combine error codes
- 18.3 extend CURLOPT_SOCKOPTFUNCTION prototype
+ 18. Build
+ 18.1 roffit

- 19. Next major release
- 19.1 cleanup return codes
- 19.2 remove obsolete defines
- 19.3 size_t
- 19.4 remove several functions
- 19.5 remove CURLOPT_FAILONERROR
- 19.6 remove CURLOPT_DNS_USE_GLOBAL_CACHE
- 19.7 remove progress meter from libcurl
- 19.8 remove 'curl_httppost' from public
- 19.9 have form functions use CURL handle argument
- 19.10 Add CURLOPT_MAIL_CLIENT option
+ 19. Test suite
+ 19.1 SSL tunnel
+ 19.2 nicer lacking perl message
+ 19.3 more protocols supported
+ 19.4 more platforms supported
+ 19.5 Add support for concurrent connections
+
+ 20. Next SONAME bump
+ 20.1 http-style HEAD output for FTP
+ 20.2 combine error codes
+ 20.3 extend CURLOPT_SOCKOPTFUNCTION prototype
+
+ 21. Next major release
+ 21.1 cleanup return codes
+ 21.2 remove obsolete defines
+ 21.3 size_t
+ 21.4 remove several functions
+ 21.5 remove CURLOPT_FAILONERROR
+ 21.6 remove CURLOPT_DNS_USE_GLOBAL_CACHE
+ 21.7 remove progress meter from libcurl
+ 21.8 remove 'curl_httppost' from public
+ 21.9 have form functions use CURL handle argument
+ 21.10 Add CURLOPT_MAIL_CLIENT option

 ==============================================================================

@@ -393,32 +403,47 @@ to provide the data to send.
 be possible to use ldap_bind_s() instead specifying the security context
 information ourselves.

-11. New protocols
+11. SMB

-11.1 RSYNC
+11.1 File listing support
+
+Add support for listing the contents of a SMB share. The output should probably
+be the same as/similar to FTP.
+
+11.2 Honor file timestamps
+
+The timestamp of the transfered file should reflect that of the original file.
+
+11.3 Use NTLMv2
+
+Currently the SMB authentication uses NTLMv1.
+
+12. New protocols
+
+12.1 RSYNC

 There's no RFC for the protocol or an URI/URL format.  An implementation
 should most probably use an existing rsync library, such as librsync.

-12. SSL
+13. SSL

-12.1 Disable specific versions
+13.1 Disable specific versions

 Provide an option that allows for disabling specific SSL versions, such as
 SSLv2 http://curl.haxx.se/bug/feature.cgi?id=1767276

-12.2 Provide mutex locking API
+13.2 Provide mutex locking API

 Provide a libcurl API for setting mutex callbacks in the underlying SSL
 library, so that the same application code can use mutex-locking
 independently of OpenSSL or GnutTLS being used.

-12.3 Evaluate SSL patches
+13.3 Evaluate SSL patches

 Evaluate/apply Gertjan van Wingerde's SSL patches:
 http://curl.haxx.se/mail/lib-2004-03/0087.html

-12.4 Cache OpenSSL contexts
+13.4 Cache OpenSSL contexts

 "Look at SSL cafile - quick traces look to me like these are done on every
 request as well, when they should only be necessary once per SSL context (or
@@ -428,7 +453,7 @@ to provide the data to send.
 style connections are re-used. It will make us use slightly more memory but
 it will libcurl do less creations and deletions of SSL contexts.

-12.5 Export session ids
+13.5 Export session ids

 Add an interface to libcurl that enables "session IDs" to get
 exported/imported. Cris Bailiff said: "OpenSSL has functions which can
@@ -436,18 +461,18 @@ to provide the data to send.
 the state from such a buffer at a later date - this is used by mod_ssl for
 apache to implement and SSL session ID cache".

-12.6 Provide callback for cert verification
+13.6 Provide callback for cert verification

 OpenSSL supports a callback for customised verification of the peer
 certificate, but this doesn't seem to be exposed in the libcurl APIs. Could
 it be? There's so much that could be done if it were!

-12.7 improve configure --with-ssl
+13.7 improve configure --with-ssl

 make the configure --with-ssl option first check for OpenSSL, then GnuTLS,
 then NSS...

-12.8 Support DANE
+13.8 Support DANE

 DNS-Based Authentication of Named Entities (DANE) is a way to provide SSL
 keys and certs over DNS using DNSSEC as an alternative to the CA model.
@@ -459,34 +484,69 @@ to provide the data to send.
 http://curl.haxx.se/mail/lib-2013-03/0103.html . libunbound may be the
 correct library to base this development on.

-13. GnuTLS
+14. GnuTLS

-13.1 SSL engine stuff
+14.1 SSL engine stuff

 Is this even possible?

-13.2 check connection
+14.2 check connection

 Add a way to check if the connection seems to be alive, to correspond to the
 SSL_peak() way we use with OpenSSL.

-14. SASL
+15. WinSSL/SChannel

-14.1 Other authentication mechanisms
+15.1 Add support for client certificate authentication

- Add support for other authentication mechanisms such as EXTERNAL, OLP,
+ WinSSL/SChannel currently makes use of the OS-level system and user
+ certificate and private key stores. This does not allow the application
+ or the user to supply a custom client certificate using curl or libcurl.
+
+ Therefore support for the existing -E/--cert and --key options should be
+ implemented by supplying a custom certificate to the SChannel APIs, see:
+ - Getting a Certificate for Schannel
+   http://msdn.microsoft.com/en-us/library/windows/desktop/aa375447.aspx
+
+15.2 Add support for custom server certificate validation
+
+ WinSSL/SChannel currently makes use of the OS-level system and user
+ certificate trust store. This does not allow the application or user to
+ customize the server certificate validation process using curl or libcurl.
+
+ Therefore support for the existing --cacert or --capath options should be
+ implemented by supplying a custom certificate to the SChannel APIs, see:
+ - Getting a Certificate for Schannel
+   http://msdn.microsoft.com/en-us/library/windows/desktop/aa375447.aspx
+
+15.3 Add support for the --ciphers option
+
+ The cipher suites used by WinSSL/SChannel are configured on an OS-level
+ instead of an application-level. This does not allow the application or
+ the user to customize the configured cipher suites using curl or libcurl.
+
+ Therefore support for the existing --ciphers option should be implemented
+ by mapping the OpenSSL/GnuTLS cipher suites to the SChannel APIs, see
+ - Specifying Schannel Ciphers and Cipher Strengths
+   http://msdn.microsoft.com/en-us/library/windows/desktop/aa380161.aspx
+
+16. SASL
+
+16.1 Other authentication mechanisms
+
+ Add support for other authentication mechanisms such as OLP,
 GSS-SPNEGO and others.
 
-14.2 Add QOP support to GSSAPI authentication
+16.2 Add QOP support to GSSAPI authentication

 Currently the GSSAPI authentication only supports the default QOP of auth
 (Authentication), whilst Kerberos V5 supports both auth-int (Authentication
 with integrity protection) and auth-conf (Authentication with integrity and
 privacy protection).

-15. Client
+17. Client

-15.1 sync
+17.1 sync

 "curl --sync http://example.com/feed[1-100].rss" or
 "curl --sync http://example.net/{index,calendar,history}.html"
@@ -495,12 +555,12 @@ to provide the data to send.
 remote file is newer than the local file. A Last-Modified HTTP date header
 should also be used to set the mod date on the downloaded file.

-15.2 glob posts
+17.2 glob posts

 Globbing support for -d and -F, as in 'curl -d "name=foo[0-9]" URL'.
 This is easily scripted though.

-15.3 prevent file overwriting
+17.3 prevent file overwriting

 Add an option that prevents cURL from overwriting existing local files. When
 used, and there already is an existing file with the target file name
@@ -508,14 +568,14 @@ to provide the data to send.
 existing). So that index.html becomes first index.html.1 and then
 index.html.2 etc.

-15.4 simultaneous parallel transfers
+17.4 simultaneous parallel transfers

 The client could be told to use maximum N simultaneous parallel transfers and
 then just make sure that happens. It should of course not make more than one
 connection to the same remote host. This would require the client to use the
 multi interface. http://curl.haxx.se/bug/feature.cgi?id=1558595

-15.5 provide formpost headers
+17.5 provide formpost headers

 Extending the capabilities of the multipart formposting. How about leaving
 the ';type=foo' syntax as it is and adding an extra tag (headers) which
@@ -529,43 +589,43 @@ to provide the data to send.
 which should overwrite the program reasonable defaults (plain/text,
 8bit...)

-15.6 warning when setting an option
+17.6 warning when setting an option

  Display a warning when libcurl returns an error when setting an option.
  This can be useful to tell when support for a particular feature hasn't been
  compiled into the library.

-16. Build
+18. Build

-16.1 roffit
+18.1 roffit

 Consider extending 'roffit' to produce decent ASCII output, and use that
 instead of (g)nroff when building src/tool_hugehelp.c

-17. Test suite
+19. Test suite

-17.1 SSL tunnel
+19.1 SSL tunnel

 Make our own version of stunnel for simple port forwarding to enable HTTPS
 and FTP-SSL tests without the stunnel dependency, and it could allow us to
 provide test tools built with either OpenSSL or GnuTLS

-17.2 nicer lacking perl message
+19.2 nicer lacking perl message

 If perl wasn't found by the configure script, don't attempt to run the tests
 but explain something nice why it doesn't.

-17.3 more protocols supported
+19.3 more protocols supported

 Extend the test suite to include more protocols. The telnet could just do FTP
 or http operations (for which we have test servers).

-17.4 more platforms supported
+19.4 more platforms supported

 Make the test suite work on more platforms. OpenBSD and Mac OS. Remove
 fork()s and it should become even more portable.

-17.5 Add support for concurrent connections
+19.5 Add support for concurrent connections

 Tests 836, 882 and 938 were designed to verify that separate connections aren't
 used when using different login credentials in protocols that shouldn't re-use
@@ -579,14 +639,14 @@ to provide the data to send.
 and thus the wait for connections loop is never entered to receive the second
 connection.

-18. Next SONAME bump
+20. Next SONAME bump

-18.1 http-style HEAD output for FTP
+20.1 http-style HEAD output for FTP

 #undef CURL_FTP_HTTPSTYLE_HEAD in lib/ftp.c to remove the HTTP-style headers
 from being output in NOBODY requests over FTP

-18.2 combine error codes
+20.2 combine error codes

 Combine some of the error codes to remove duplicates.  The original
 numbering should not be changed, and the old identifiers would be
@@ -611,29 +671,29 @@ to provide the data to send.

    CURLE_TFTP_PERM => CURLE_REMOTE_ACCESS_DENIED

-18.3 extend CURLOPT_SOCKOPTFUNCTION prototype
+20.3 extend CURLOPT_SOCKOPTFUNCTION prototype

 The current prototype only provides 'purpose' that tells what the
 connection/socket is for, but not any protocol or similar. It makes it hard
 for applications to differentiate on TCP vs UDP and even HTTP vs FTP and
 similar.

-19. Next major release
+21. Next major release

-19.1 cleanup return codes
+21.1 cleanup return codes

 curl_easy_cleanup() returns void, but curl_multi_cleanup() returns a
 CURLMcode. These should be changed to be the same.

-19.2 remove obsolete defines
+21.2 remove obsolete defines

 remove obsolete defines from curl/curl.h

-19.3 size_t
+21.3 size_t

 make several functions use size_t instead of int in their APIs

-19.4 remove several functions
+21.4 remove several functions

 remove the following functions from the public API:

@@ -654,18 +714,18 @@ to provide the data to send.

 curl_multi_socket_all

-19.5 remove CURLOPT_FAILONERROR
+21.5 remove CURLOPT_FAILONERROR

 Remove support for CURLOPT_FAILONERROR, it has gotten too kludgy and weird
 internally. Let the app judge success or not for itself.

-19.6 remove CURLOPT_DNS_USE_GLOBAL_CACHE
+21.6 remove CURLOPT_DNS_USE_GLOBAL_CACHE

 Remove support for a global DNS cache. Anything global is silly, and we
 already offer the share interface for the same functionality but done
 "right".

-19.7 remove progress meter from libcurl
+21.7 remove progress meter from libcurl

 The internally provided progress meter output doesn't belong in the library.
 Basically no application wants it (apart from curl) but instead applications
@@ -675,7 +735,7 @@ to provide the data to send.
 variable types passed to it instead of doubles so that big files work
 correctly.

-19.8 remove 'curl_httppost' from public
+21.8 remove 'curl_httppost' from public

 curl_formadd() was made to fill in a public struct, but the fact that the
 struct is public is never really used by application for their own advantage
@@ -684,7 +744,7 @@ to provide the data to send.
 Changing them to return a private handle will benefit the implementation and
 allow us much greater freedoms while still maintaining a solid API and ABI.

-19.9 have form functions use CURL handle argument
+21.9 have form functions use CURL handle argument

 curl_formadd() and curl_formget() both currently have no CURL handle
 argument, but both can use a callback that is set in the easy handle, and
@@ -692,7 +752,7 @@ to provide the data to send.
 curl_easy_perform() (or similar) called - which is hard to grasp and a design
 mistake.

-19.10 Add CURLOPT_MAIL_CLIENT option
+21.10 Add CURLOPT_MAIL_CLIENT option

 Rather than use the URL to specify the mail client string to present in the
 HELO and EHLO commands, libcurl should support a new CURLOPT specifically for
--- a/docs/TheArtOfHttpScripting
+++ b/docs/TheArtOfHttpScripting
@@ -1,4 +1,3 @@
-Updated: Dec 24, 2013 (http://curl.haxx.se/docs/httpscripting.html)
                                  _   _ ____  _
                              ___| | | |  _ \| |
                             / __| | | | |_) | |
@@ -557,8 +556,10 @@ The Art Of Scripting HTTP Requests Using Curl
 truckload of advanced features to allow all those encryptions and key
 infrastructure mechanisms encrypted HTTP requires.

- Curl supports encrypted fetches thanks to the freely available OpenSSL
- libraries. To get a page from a HTTPS server, simply run curl like:
+ Curl supports encrypted fetches when built to use a TLS library and it can be
+ built to use one out of a fairly large set of libraries - "curl -V" will show
+ which one your curl was built to use (if any!). To get a page from a HTTPS
+ server, simply run curl like:

        curl https://secure.example.com

--- a/docs/curl.1
+++ b/docs/curl.1
@@ -5,7 +5,7 @@
 .\" *                            | (__| |_| |  _ <| |___
 .\" *                             \___|\___/|_| \_\_____|
 .\" *
-.\" * Copyright (C) 1998 - 2014, Daniel Stenberg, <daniel@haxx.se>, et al.
+.\" * Copyright (C) 1998 - 2015, Daniel Stenberg, <daniel@haxx.se>, et al.
 .\" *
 .\" * This software is licensed as described in the file COPYING, which
 .\" * you should have received as part of this distribution. The terms
@@ -552,6 +552,16 @@ This is currently only implemented in the OpenSSL, GnuTLS and GSKit backends.

 If this option is used several times, the last one will be used.
 (Added in 7.39.0)
+.IP "--cert-status"
+(SSL) Tells curl to verify the status of the server certificate by using the
+Certificate Status Request (aka. OCSP stapling) TLS extension.
+
+If this option is enabled and the server sends an invalid (e.g. expired)
+response, if the response suggests that the server certificate has been revoked,
+or no response at all is received, the verification fails.
+
+This is currently only implemented in the OpenSSL, GnuTLS and NSS backends.
+(Added in 7.41.0)
 .IP "-f, --fail"
 (HTTP) Fail silently (no output at all) on server errors. This is mostly done
 to better enable scripts etc to better deal with failed attempts. In normal
@@ -733,6 +743,12 @@ Example:

 \&# curl -H "X-First-Name: Joe" http://192.168.0.1/

+\fBWARNING\fP: headers set with this option will be set in all requests - even
+after redirects are followed, like when told with \fB-L, --location\fP. This
+can lead to the header being sent to other hosts than the original host, so
+sensitive headers should be used with caution combined with following
+redirects.
+
 This option can be used multiple times to add/replace/remove multiple headers.
 .IP "--hostpubmd5 <md5>"
 (SCP/SFTP) Pass a string containing 32 hexadecimal digits. The string should
@@ -1884,7 +1900,7 @@ password.
 If this option is used several times, the last one will be used.
 .IP "-X, --request <command>"
 (HTTP) Specifies a custom request method to use when communicating with the
-HTTP server.  The specified request will be used instead of the method
+HTTP server.  The specified request method will be used instead of the method
 otherwise used (which defaults to GET). Read the HTTP 1.1 specification for
 details and explanations. Common additional HTTP requests include PUT and
 DELETE, but related technologies like WebDAV offers PROPFIND, COPY, MOVE and
@@ -1898,6 +1914,11 @@ alter the way curl behaves. So for example if you want to make a proper HEAD
 request, using -X HEAD will not suffice. You need to use the \fI-I, --head\fP
 option.

+The the method string you set with -X will be used for all requests, which if
+you for example use \fB-L, --location\fP may cause unintended side-effects
+when curl doesn't change request method according to the HTTP 30x response
+codes - and similar.
+
 (FTP)
 Specifies a custom FTP command to use instead of LIST when doing file lists
 with FTP.
--- a/docs/libcurl/Makefile.am
+++ b/docs/libcurl/Makefile.am
@@ -5,7 +5,7 @@
 #                            | (__| |_| |  _ <| |___
 #                             \___|\___/|_| \_\_____|
 #
-# Copyright (C) 1998 - 2014, Daniel Stenberg, <daniel@haxx.se>, et al.
+# Copyright (C) 1998 - 2015, Daniel Stenberg, <daniel@haxx.se>, et al.
 #
 # This software is licensed as described in the file COPYING, which
 # you should have received as part of this distribution. The terms
@@ -40,7 +40,7 @@ man_MANS = curl_easy_cleanup.3 curl_easy_getinfo.3 curl_easy_init.3	 \
 curl_easy_unescape.3 curl_multi_setopt.3 curl_multi_socket.3		 \
 curl_multi_timeout.3 curl_formget.3 curl_multi_assign.3		 \
 curl_easy_pause.3 curl_easy_recv.3 curl_easy_send.3			 \
- curl_multi_socket_action.3 curl_multi_wait.3
+ curl_multi_socket_action.3 curl_multi_wait.3 libcurl-symbols.3

 HTMLPAGES = curl_easy_cleanup.html curl_easy_getinfo.html		\
 curl_easy_init.html curl_easy_perform.html curl_easy_setopt.html	\
@@ -60,7 +60,7 @@ HTMLPAGES = curl_easy_cleanup.html curl_easy_getinfo.html		\
 curl_easy_unescape.html curl_multi_setopt.html curl_multi_socket.html	\
 curl_multi_timeout.html curl_formget.html curl_multi_assign.html	\
 curl_easy_pause.html curl_easy_recv.html curl_easy_send.html		\
- curl_multi_socket_action.html curl_multi_wait.html
+ curl_multi_socket_action.html curl_multi_wait.html libcurl-symbols.html

 PDFPAGES = curl_easy_cleanup.pdf curl_easy_getinfo.pdf			 \
 curl_easy_init.pdf curl_easy_perform.pdf curl_easy_setopt.pdf		 \
@@ -79,7 +79,8 @@ PDFPAGES = curl_easy_cleanup.pdf curl_easy_getinfo.pdf			 \
 curl_easy_escape.pdf curl_easy_unescape.pdf curl_multi_setopt.pdf	 \
 curl_multi_socket.pdf curl_multi_timeout.pdf curl_formget.pdf		 \
 curl_multi_assign.pdf curl_easy_pause.pdf curl_easy_recv.pdf		 \
- curl_easy_send.pdf curl_multi_socket_action.pdf curl_multi_wait.pdf
+ curl_easy_send.pdf curl_multi_socket_action.pdf curl_multi_wait.pdf     \
+ libcurl-symbols.pdf

 m4macrodir = $(datadir)/aclocal
 dist_m4macro_DATA = libcurl.m4
@@ -87,11 +88,14 @@ dist_m4macro_DATA = libcurl.m4
 CLEANFILES = $(HTMLPAGES) $(PDFPAGES)

 EXTRA_DIST = $(man_MANS) $(HTMLPAGES) index.html $(PDFPAGES) ABI \
-  symbols-in-versions symbols.pl
+  symbols-in-versions symbols.pl mksymbolsmanpage.pl
 MAN2HTML= roffit --mandir=. < $< >$@

 SUFFIXES = .3 .html

+libcurl-symbols.3: $(srcdir)/symbols-in-versions $(srcdir)/mksymbolsmanpage.pl
+	perl $(srcdir)/mksymbolsmanpage.pl < $< > $@
+
 html: $(HTMLPAGES)
 	cd opts; make html

--- a/docs/libcurl/mksymbolsmanpage.pl
+++ b/docs/libcurl/mksymbolsmanpage.pl
@@ -0,0 +1,72 @@
+#!/usr/bin/perl
+
+my $version="7.41.0";
+
+use POSIX qw(strftime);
+my $date = strftime "%b %e, %Y", localtime;
+my $year = strftime "%Y", localtime;
+
+print <<HEADER
+.\" **************************************************************************
+.\" *                                  _   _ ____  _
+.\" *  Project                     ___| | | |  _ \| |
+.\" *                             / __| | | | |_) | |
+.\" *                            | (__| |_| |  _ <| |___
+.\" *                             \___|\___/|_| \_\_____|
+.\" *
+.\" * Copyright (C) 1998 - $year, Daniel Stenberg, <daniel\@haxx.se>, et al.
+.\" *
+.\" * This software is licensed as described in the file COPYING, which
+.\" * you should have received as part of this distribution. The terms
+.\" * are also available at http://curl.haxx.se/docs/copyright.html.
+.\" *
+.\" * You may opt to use, copy, modify, merge, publish, distribute and/or sell
+.\" * copies of the Software, and permit persons to whom the Software is
+.\" * furnished to do so, under the terms of the COPYING file.
+.\" *
+.\" * This software is distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY
+.\" * KIND, either express or implied.
+.\" *
+.\" **************************************************************************
+.TH libcurl-symbols 3 "$date" "libcurl $version" "libcurl symbols"
+.SH NAME
+libcurl-symbols \- libcurl symbol version information
+.SH "libcurl symbols"
+This man page details version information for public symbols provided in the
+libcurl header files. This lists the first version in which the symbol was
+introduced and for some symbols two additional information pieces:
+
+The first version in which the symbol is marked "deprecated" - meaning that
+since that version no new code should be written to use the symbol as it is
+marked for getting removed in a future.
+
+The last version that featured the specific symbol. Using the symbol in source
+code will make it no longer compile error-free after that specified version.
+
+This man page is automatically generated from the symbols-in-versions file.
+HEADER
+    ;
+
+while(<STDIN>) {
+    if($_ =~ /^(CURL[A-Z0-9_.]*) *(.*)/) {
+        my ($symbol, $rest)=($1,$2);
+        my ($intro, $dep, $rem);
+        if($rest =~ s/^([0-9.]*) *//) {
+           $intro = $1;
+        }
+        if($rest =~ s/^([0-9.]*) *//) {
+           $dep = $1;
+        }
+        if($rest =~ s/^([0-9.]*) *//) {
+           $rem = $1;
+        }
+        print ".IP $symbol\nIntroduced in $intro\n";
+        if($dep) {
+          print "Deprecated since $dep\n";
+        }
+        if($rem) {
+          print "Last used in $dep\n";
+        }
+    }
+
+}
--- a/docs/libcurl/opts/CURLOPT_CAINFO.3
+++ b/docs/libcurl/opts/CURLOPT_CAINFO.3
@@ -47,7 +47,8 @@ All TLS based protocols: HTTPS, FTPS, IMAPS, POP3, SMTPS etc.
 .SH EXAMPLE
 TODO
 .SH AVAILABILITY
-If built TLS enabled
+For SSL engines that don't support certificate files the CURLOPT_CAINFO option
+is ignored. Refer to http://curl.haxx.se/docs/ssl-compared.html
 .SH RETURN VALUE
 Returns CURLE_OK if the option is supported, CURLE_UNKNOWN_OPTION if not, or
 CURLE_OUT_OF_MEMORY if there was insufficient heap space.
--- a/docs/libcurl/opts/CURLOPT_HTTP_VERSION.3
+++ b/docs/libcurl/opts/CURLOPT_HTTP_VERSION.3
@@ -5,7 +5,7 @@
 .\" *                            | (__| |_| |  _ <| |___
 .\" *                             \___|\___/|_| \_\_____|
 .\" *
-.\" * Copyright (C) 1998 - 2014, Daniel Stenberg, <daniel@haxx.se>, et al.
+.\" * Copyright (C) 1998 - 2015, Daniel Stenberg, <daniel@haxx.se>, et al.
 .\" *
 .\" * This software is licensed as described in the file COPYING, which
 .\" * you should have received as part of this distribution. The terms
@@ -41,8 +41,8 @@ Enforce HTTP 1.0 requests.
 .IP CURL_HTTP_VERSION_1_1
 Enforce HTTP 1.1 requests.
 .IP CURL_HTTP_VERSION_2_0
-Attempt HTTP 2.0 requests. libcurl will fall back to HTTP 1.x if HTTP 2.0
-can't be negotiated with the server.
+Attempt HTTP 2 requests. libcurl will fall back to HTTP 1.x if HTTP 2 can't be
+negotiated with the server. (Added in 7.33.0)
 .SH DEFAULT
 CURL_HTTP_VERSION_NONE
 .SH PROTOCOLS
--- a/docs/libcurl/opts/CURLOPT_SEEKFUNCTION.3
+++ b/docs/libcurl/opts/CURLOPT_SEEKFUNCTION.3
@@ -5,7 +5,7 @@
 .\" *                            | (__| |_| |  _ <| |___
 .\" *                             \___|\___/|_| \_\_____|
 .\" *
-.\" * Copyright (C) 1998 - 2014, Daniel Stenberg, <daniel@haxx.se>, et al.
+.\" * Copyright (C) 1998 - 2015, Daniel Stenberg, <daniel@haxx.se>, et al.
 .\" *
 .\" * This software is licensed as described in the file COPYING, which
 .\" * you should have received as part of this distribution. The terms
@@ -43,10 +43,13 @@ shown above.
 This function gets called by libcurl to seek to a certain position in the
 input stream and can be used to fast forward a file in a resumed upload
 (instead of reading all uploaded bytes with the normal read
-function/callback). It is also called to rewind a stream when doing a HTTP PUT
-or POST with a multi-pass authentication method. The function shall work like
-fseek(3) or lseek(3) and it gets SEEK_SET, SEEK_CUR or SEEK_END as argument
-for \fIorigin\fP, although libcurl currently only passes SEEK_SET.
+function/callback). It is also called to rewind a stream when data has already
+been sent to the server and needs to be sent again. This may happen when doing
+a HTTP PUT or POST with a multi-pass authentication method, or when an
+existing HTTP connection is reused too late and the server closes the
+connection. The function shall work like fseek(3) or lseek(3) and it gets
+SEEK_SET, SEEK_CUR or SEEK_END as argument for \fIorigin\fP, although libcurl
+currently only passes SEEK_SET.

 \fIuserp\fP is the pointer you set with \fICURLOPT_SEEKDATA(3)\fP.

--- a/docs/libcurl/opts/CURLOPT_SSL_VERIFYSTATUS.3
+++ b/docs/libcurl/opts/CURLOPT_SSL_VERIFYSTATUS.3
@@ -0,0 +1,53 @@
+.\" **************************************************************************
+.\" *                                  _   _ ____  _
+.\" *  Project                     ___| | | |  _ \| |
+.\" *                             / __| | | | |_) | |
+.\" *                            | (__| |_| |  _ <| |___
+.\" *                             \___|\___/|_| \_\_____|
+.\" *
+.\" * Copyright (C) 1998 - 2015, Daniel Stenberg, <daniel@haxx.se>, et al.
+.\" *
+.\" * This software is licensed as described in the file COPYING, which
+.\" * you should have received as part of this distribution. The terms
+.\" * are also available at http://curl.haxx.se/docs/copyright.html.
+.\" *
+.\" * You may opt to use, copy, modify, merge, publish, distribute and/or sell
+.\" * copies of the Software, and permit persons to whom the Software is
+.\" * furnished to do so, under the terms of the COPYING file.
+.\" *
+.\" * This software is distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY
+.\" * KIND, either express or implied.
+.\" *
+.\" **************************************************************************
+.\"
+.TH CURLOPT_SSL_VERIFYSTATUS 3 "04 Dec 2014" "libcurl 7.40.0" "curl_easy_setopt options"
+.SH NAME
+CURLOPT_SSL_VERIFYSTATUS \- verify the certificate's status
+.SH SYNOPSIS
+#include <curl/curl.h>
+
+CURLcode curl_easy_setopt(CURL *handle, CURLOPT_SSL_VERIFYSTATUS, long verify);
+.SH DESCRIPTION
+Pass a long as parameter set to 1 to enable or 0 to disable.
+
+This option determines whether libcurl verifies the status of the server cert
+using the "Certificate Status Request" TLS extension (aka. OCSP stapling).
+
+Note that if this option is enabled but the server does not support the TLS
+extension, the verification will fail.
+.SH DEFAULT
+0
+.SH PROTOCOLS
+All TLS based protocols: HTTPS, FTPS, IMAPS, POP3, SMTPS etc.
+.SH EXAMPLE
+TODO
+.SH AVAILABILITY
+Added in 7.41.0. This option is currently only supported by the OpenSSL, GnuTLS
+and NSS TLS backends.
+.SH RETURN VALUE
+Returns CURLE_OK if OCSP stapling is supported by the SSL backend, otherwise
+returns CURLE_NOT_BUILT_IN.
+.SH "SEE ALSO"
+.BR CURLOPT_SSL_VERIFYHOST "(3), "
+.BR CURLOPT_SSL_VERIFYPEER "(3), "
+.BR CURLOPT_CAINFO "(3), "
--- a/docs/libcurl/opts/Makefile.am
+++ b/docs/libcurl/opts/Makefile.am
@@ -5,7 +5,7 @@
 #                            | (__| |_| |  _ <| |___
 #                             \___|\___/|_| \_\_____|
 #
-# Copyright (C) 1998 - 2014, Daniel Stenberg, <daniel@haxx.se>, et al.
+# Copyright (C) 1998 - 2015, Daniel Stenberg, <daniel@haxx.se>, et al.
 #
 # This software is licensed as described in the file COPYING, which
 # you should have received as part of this distribution. The terms
@@ -92,15 +92,15 @@ man_MANS = CURLOPT_ACCEPT_ENCODING.3 CURLOPT_ACCEPTTIMEOUT_MS.3		\
 CURLOPT_SSL_ENABLE_ALPN.3 CURLOPT_SSL_ENABLE_NPN.3 CURLOPT_SSLENGINE.3	\
 CURLOPT_SSLENGINE_DEFAULT.3 CURLOPT_SSLKEY.3 CURLOPT_SSLKEYTYPE.3	\
 CURLOPT_SSL_OPTIONS.3 CURLOPT_SSL_SESSIONID_CACHE.3			\
- CURLOPT_SSL_VERIFYHOST.3 CURLOPT_SSL_VERIFYPEER.3 CURLOPT_SSLVERSION.3	\
- CURLOPT_STDERR.3 CURLOPT_TCP_KEEPALIVE.3 CURLOPT_TCP_KEEPIDLE.3	\
- CURLOPT_TCP_KEEPINTVL.3 CURLOPT_TCP_NODELAY.3 CURLOPT_TELNETOPTIONS.3	\
- CURLOPT_TFTP_BLKSIZE.3 CURLOPT_TIMECONDITION.3 CURLOPT_TIMEOUT.3	\
- CURLOPT_TIMEOUT_MS.3 CURLOPT_TIMEVALUE.3 CURLOPT_TLSAUTH_PASSWORD.3	\
- CURLOPT_TLSAUTH_TYPE.3 CURLOPT_TLSAUTH_USERNAME.3			\
- CURLOPT_TRANSFER_ENCODING.3 CURLOPT_TRANSFERTEXT.3			\
- CURLOPT_UNRESTRICTED_AUTH.3 CURLOPT_UPLOAD.3 CURLOPT_URL.3		\
- CURLOPT_USERAGENT.3 CURLOPT_USERNAME.3 CURLOPT_USERPWD.3		\
+ CURLOPT_SSL_VERIFYHOST.3 CURLOPT_SSL_VERIFYPEER.3			\
+ CURLOPT_SSL_VERIFYSTATUS.3 CURLOPT_SSLVERSION.3 CURLOPT_STDERR.3	\
+ CURLOPT_TCP_KEEPALIVE.3 CURLOPT_TCP_KEEPIDLE.3 CURLOPT_TCP_KEEPINTVL.3	\
+ CURLOPT_TCP_NODELAY.3 CURLOPT_TELNETOPTIONS.3 CURLOPT_TFTP_BLKSIZE.3	\
+ CURLOPT_TIMECONDITION.3 CURLOPT_TIMEOUT.3 CURLOPT_TIMEOUT_MS.3		\
+ CURLOPT_TIMEVALUE.3 CURLOPT_TLSAUTH_PASSWORD.3 CURLOPT_TLSAUTH_TYPE.3	\
+ CURLOPT_TLSAUTH_USERNAME.3 CURLOPT_TRANSFER_ENCODING.3			\
+ CURLOPT_TRANSFERTEXT.3 CURLOPT_UNRESTRICTED_AUTH.3 CURLOPT_UPLOAD.3	\
+ CURLOPT_URL.3 CURLOPT_USERAGENT.3 CURLOPT_USERNAME.3 CURLOPT_USERPWD.3	\
 CURLOPT_USE_SSL.3 CURLOPT_VERBOSE.3 CURLOPT_WILDCARDMATCH.3		\
 CURLOPT_WRITEDATA.3 CURLOPT_WRITEFUNCTION.3 CURLOPT_XFERINFODATA.3	\
 CURLOPT_XFERINFOFUNCTION.3 CURLOPT_XOAUTH2_BEARER.3			\
@@ -196,8 +196,8 @@ HTMLPAGES = CURLOPT_ACCEPT_ENCODING.html CURLOPT_ACCEPTTIMEOUT_MS.html	\
 CURLOPT_SSLENGINE_DEFAULT.html CURLOPT_SSLKEY.html			\
 CURLOPT_SSLKEYTYPE.html CURLOPT_SSL_OPTIONS.html			\
 CURLOPT_SSL_SESSIONID_CACHE.html CURLOPT_SSL_VERIFYHOST.html		\
- CURLOPT_SSL_VERIFYPEER.html CURLOPT_SSLVERSION.html			\
- CURLOPT_STDERR.html CURLOPT_TCP_KEEPALIVE.html				\
+ CURLOPT_SSL_VERIFYPEER.html CURLOPT_SSL_VERIFYSTATUS.html		\
+ CURLOPT_SSLVERSION.html CURLOPT_STDERR.html CURLOPT_TCP_KEEPALIVE.html	\
 CURLOPT_TCP_KEEPIDLE.html CURLOPT_TCP_KEEPINTVL.html			\
 CURLOPT_TCP_NODELAY.html CURLOPT_TELNETOPTIONS.html			\
 CURLOPT_TFTP_BLKSIZE.html CURLOPT_TIMECONDITION.html			\
@@ -299,20 +299,21 @@ PDFPAGES = CURLOPT_ACCEPT_ENCODING.pdf CURLOPT_ACCEPTTIMEOUT_MS.pdf	\
 CURLOPT_SSLENGINE_DEFAULT.pdf CURLOPT_SSLKEY.pdf			\
 CURLOPT_SSLKEYTYPE.pdf CURLOPT_SSL_OPTIONS.pdf				\
 CURLOPT_SSL_SESSIONID_CACHE.pdf CURLOPT_SSL_VERIFYHOST.pdf		\
- CURLOPT_SSL_VERIFYPEER.pdf CURLOPT_SSLVERSION.pdf CURLOPT_STDERR.pdf	\
- CURLOPT_TCP_KEEPALIVE.pdf CURLOPT_TCP_KEEPIDLE.pdf			\
- CURLOPT_TCP_KEEPINTVL.pdf CURLOPT_TCP_NODELAY.pdf			\
- CURLOPT_TELNETOPTIONS.pdf CURLOPT_TFTP_BLKSIZE.pdf			\
- CURLOPT_TIMECONDITION.pdf CURLOPT_TIMEOUT.pdf CURLOPT_TIMEOUT_MS.pdf	\
- CURLOPT_TIMEVALUE.pdf CURLOPT_TLSAUTH_PASSWORD.pdf			\
- CURLOPT_TLSAUTH_TYPE.pdf CURLOPT_TLSAUTH_USERNAME.pdf			\
- CURLOPT_TRANSFER_ENCODING.pdf CURLOPT_TRANSFERTEXT.pdf			\
- CURLOPT_UNRESTRICTED_AUTH.pdf CURLOPT_UPLOAD.pdf CURLOPT_URL.pdf	\
- CURLOPT_USERAGENT.pdf CURLOPT_USERNAME.pdf CURLOPT_USERPWD.pdf		\
- CURLOPT_USE_SSL.pdf CURLOPT_VERBOSE.pdf CURLOPT_WILDCARDMATCH.pdf	\
- CURLOPT_WRITEDATA.pdf CURLOPT_WRITEFUNCTION.pdf			\
- CURLOPT_XFERINFODATA.pdf CURLOPT_XFERINFOFUNCTION.pdf			\
- CURLOPT_XOAUTH2_BEARER.pdf CURLMOPT_CHUNK_LENGTH_PENALTY_SIZE.pdf	\
+ CURLOPT_SSL_VERIFYPEER.pdf CURLOPT_SSL_VERIFYSTATUS.pdf		\
+ CURLOPT_SSLVERSION.pdf CURLOPT_STDERR.pdf CURLOPT_TCP_KEEPALIVE.pdf	\
+ CURLOPT_TCP_KEEPIDLE.pdf CURLOPT_TCP_KEEPINTVL.pdf			\
+ CURLOPT_TCP_NODELAY.pdf CURLOPT_TELNETOPTIONS.pdf			\
+ CURLOPT_TFTP_BLKSIZE.pdf CURLOPT_TIMECONDITION.pdf CURLOPT_TIMEOUT.pdf	\
+ CURLOPT_TIMEOUT_MS.pdf CURLOPT_TIMEVALUE.pdf				\
+ CURLOPT_TLSAUTH_PASSWORD.pdf CURLOPT_TLSAUTH_TYPE.pdf			\
+ CURLOPT_TLSAUTH_USERNAME.pdf CURLOPT_TRANSFER_ENCODING.pdf		\
+ CURLOPT_TRANSFERTEXT.pdf CURLOPT_UNRESTRICTED_AUTH.pdf			\
+ CURLOPT_UPLOAD.pdf CURLOPT_URL.pdf CURLOPT_USERAGENT.pdf		\
+ CURLOPT_USERNAME.pdf CURLOPT_USERPWD.pdf CURLOPT_USE_SSL.pdf		\
+ CURLOPT_VERBOSE.pdf CURLOPT_WILDCARDMATCH.pdf CURLOPT_WRITEDATA.pdf	\
+ CURLOPT_WRITEFUNCTION.pdf CURLOPT_XFERINFODATA.pdf			\
+ CURLOPT_XFERINFOFUNCTION.pdf CURLOPT_XOAUTH2_BEARER.pdf		\
+ CURLMOPT_CHUNK_LENGTH_PENALTY_SIZE.pdf					\
 CURLMOPT_CONTENT_LENGTH_PENALTY_SIZE.pdf CURLMOPT_MAXCONNECTS.pdf	\
 CURLMOPT_MAX_HOST_CONNECTIONS.pdf CURLMOPT_MAX_PIPELINE_LENGTH.pdf	\
 CURLMOPT_MAX_TOTAL_CONNECTIONS.pdf CURLMOPT_PIPELINING.pdf		\
--- a/docs/libcurl/symbols-in-versions
+++ b/docs/libcurl/symbols-in-versions
@@ -118,6 +118,7 @@ CURLE_SSL_CRL_BADFILE           7.19.0
 CURLE_SSL_ENGINE_INITFAILED     7.12.3
 CURLE_SSL_ENGINE_NOTFOUND       7.9.3
 CURLE_SSL_ENGINE_SETFAILED      7.9.3
+CURLE_SSL_INVALIDCERTSTATUS     7.41.0
 CURLE_SSL_ISSUER_ERROR          7.19.0
 CURLE_SSL_PEER_CERTIFICATE      7.8           7.17.1
 CURLE_SSL_PINNEDPUBKEYNOTMATCH  7.39.0
@@ -513,6 +514,7 @@ CURLOPT_SSL_OPTIONS             7.25.0
 CURLOPT_SSL_SESSIONID_CACHE     7.16.0
 CURLOPT_SSL_VERIFYHOST          7.8.1
 CURLOPT_SSL_VERIFYPEER          7.4.2
+CURLOPT_SSL_VERIFYSTATUS        7.41.0
 CURLOPT_STDERR                  7.1
 CURLOPT_TCP_KEEPALIVE           7.25.0
 CURLOPT_TCP_KEEPIDLE            7.25.0
--- a/include/curl/curl.h
+++ b/include/curl/curl.h
@@ -523,6 +523,7 @@ typedef enum {
                                    session will be queued */
  CURLE_SSL_PINNEDPUBKEYNOTMATCH, /* 90 - specified pinned public key did not
                                     match */
+  CURLE_SSL_INVALIDCERTSTATUS,   /* 91 - invalid certificate status */
  CURL_LAST /* never use! */
 } CURLcode;

@@ -1622,6 +1623,9 @@ typedef enum {
  /* Path to Unix domain socket */
  CINIT(UNIX_SOCKET_PATH, OBJECTPOINT, 231),

+  /* Set if we should verify the certificate status. */
+  CINIT(SSL_VERIFYSTATUS, LONG, 232),
+
  CURLOPT_LASTENTRY /* the last unused */
 } CURLoption;

--- a/include/curl/curlver.h
+++ b/include/curl/curlver.h
@@ -30,12 +30,12 @@

 /* This is the version number of the libcurl package from which this header
   file origins: */
-#define LIBCURL_VERSION "7.40.0-DEV"
+#define LIBCURL_VERSION "7.41.0-DEV"

 /* The numeric version number is also available "in parts" by using these
   defines: */
 #define LIBCURL_VERSION_MAJOR 7
-#define LIBCURL_VERSION_MINOR 40
+#define LIBCURL_VERSION_MINOR 41
 #define LIBCURL_VERSION_PATCH 0

 /* This is the numeric version of the libcurl version number, meant for easier
@@ -53,7 +53,7 @@
   and it is always a greater number in a more recent release. It makes
   comparisons with greater than and less than work.
 */
-#define LIBCURL_VERSION_NUM 0x072800
+#define LIBCURL_VERSION_NUM 0x072900

 /*
 * This is the date and time when the full source package was created. The
--- a/lib/CMakeLists.txt
+++ b/lib/CMakeLists.txt
@@ -98,4 +98,7 @@ if(WIN32)
  endif()
 endif()

-install(TARGETS ${LIB_NAME} DESTINATION lib)
+install(TARGETS ${LIB_NAME}
+  ARCHIVE DESTINATION lib
+  LIBRARY DESTINATION lib
+  RUNTIME DESTINATION bin)
--- a/lib/Makefile.inc
+++ b/lib/Makefile.inc
@@ -5,7 +5,7 @@
 #                            | (__| |_| |  _ <| |___
 #                             \___|\___/|_| \_\_____|
 #
-# Copyright (C) 1998 - 2014, Daniel Stenberg, <daniel@haxx.se>, et al.
+# Copyright (C) 1998 - 2015, Daniel Stenberg, <daniel@haxx.se>, et al.
 #
 # This software is licensed as described in the file COPYING, which
 # you should have received as part of this distribution. The terms
@@ -22,11 +22,11 @@

 LIB_VTLS_CFILES = vtls/openssl.c vtls/gtls.c vtls/vtls.c vtls/nss.c     \
  vtls/polarssl.c vtls/polarssl_threadlock.c vtls/axtls.c               \
-  vtls/cyassl.c vtls/curl_schannel.c vtls/curl_darwinssl.c vtls/gskit.c
+  vtls/cyassl.c vtls/schannel.c vtls/darwinssl.c vtls/gskit.c

 LIB_VTLS_HFILES = vtls/openssl.h vtls/vtls.h vtls/gtls.h                \
  vtls/nssg.h vtls/polarssl.h vtls/polarssl_threadlock.h vtls/axtls.h   \
-  vtls/cyassl.h vtls/curl_schannel.h vtls/curl_darwinssl.h vtls/gskit.h
+  vtls/cyassl.h vtls/schannel.h vtls/darwinssl.h vtls/gskit.h

 LIB_CFILES = file.c timeval.c base64.c hostip.c progress.c formdata.c   \
  cookie.c http.c sendf.c ftp.c url.c dict.c if2ip.c speedcheck.c       \
@@ -45,7 +45,8 @@ LIB_CFILES = file.c timeval.c base64.c hostip.c progress.c formdata.c   \
  asyn-thread.c curl_gssapi.c curl_ntlm.c curl_ntlm_wb.c                \
  curl_ntlm_core.c curl_ntlm_msgs.c curl_sasl.c curl_multibyte.c        \
  hostcheck.c bundles.c conncache.c pipeline.c dotdot.c x509asn1.c      \
-  http2.c curl_sasl_sspi.c smb.c curl_sasl_gssapi.c curl_endian.c
+  http2.c curl_sasl_sspi.c smb.c curl_sasl_gssapi.c curl_endian.c       \
+  curl_des.c

 LIB_HFILES = arpa_telnet.h netrc.h file.h timeval.h hostip.h progress.h \
  formdata.h cookie.h http.h sendf.h ftp.h url.h dict.h if2ip.h         \
@@ -63,7 +64,7 @@ LIB_HFILES = arpa_telnet.h netrc.h file.h timeval.h hostip.h progress.h \
  curl_ntlm.h curl_gssapi.h curl_ntlm_wb.h curl_ntlm_core.h             \
  curl_ntlm_msgs.h curl_sasl.h curl_multibyte.h hostcheck.h bundles.h   \
  conncache.h curl_setup_once.h multihandle.h setup-vms.h pipeline.h    \
-  dotdot.h x509asn1.h http2.h sigpipe.h smb.h curl_endian.h
+  dotdot.h x509asn1.h http2.h sigpipe.h smb.h curl_endian.h curl_des.h

 LIB_RCFILES = libcurl.rc

--- a/lib/Makefile.m32
+++ b/lib/Makefile.m32
@@ -55,7 +55,7 @@ LIBCARES_PATH = $(PROOT)/ares
 endif

 CC	= $(CROSSPREFIX)gcc
-CFLAGS	= -g -O2 -Wall
+CFLAGS	= $(CURL_CFLAG_EXTRAS) -g -O2 -Wall
 CFLAGS	+= -fno-strict-aliasing
 # comment LDFLAGS below to keep debug info
 LDFLAGS	= -s
@@ -75,7 +75,7 @@ endif
 endif

 ifeq ($(ARCH),w64)
-CFLAGS  += -D_AMD64_
+CFLAGS  += -m64 -D_AMD64_
 RCFLAGS += -F pe-x86-64
 else
 CFLAGS  += -m32
@@ -323,5 +323,3 @@ $(PROOT)/include/curl/curlbuild.h:

 $(LIBCARES_PATH)/libcares.a:
 	$(MAKE) -C $(LIBCARES_PATH) -f Makefile.m32
-
-
--- a/lib/Makefile.netware
+++ b/lib/Makefile.netware
@@ -214,6 +214,11 @@ WITH_SSL =
 else
 ifeq ($(findstring -ssl,$(CFG)),-ssl)
 WITH_SSL = 1
+ifeq ($(findstring -srp,$(CFG)),-srp)
+ifeq "$(wildcard $(OPENSSL_PATH)/outinc_nw_$(LIBARCH_L)/openssl/srp.h)" "$(OPENSSL_PATH)/outinc_nw_$(LIBARCH_L)/openssl/srp.h"
+WITH_SRP = 1
+endif
+endif
 endif
 endif
 ifeq ($(findstring -zlib,$(CFG)),-zlib)
@@ -638,6 +643,10 @@ ifdef WITH_SSL
 	@echo $(DL)#define HAVE_LIBSSL 1$(DL) >> $@
 	@echo $(DL)#define HAVE_LIBCRYPTO 1$(DL) >> $@
 	@echo $(DL)#define OPENSSL_NO_KRB5 1$(DL) >> $@
+ifdef WITH_SRP
+	@echo $(DL)#define HAVE_SSLEAY_SRP 1$(DL) >> $@
+	@echo $(DL)#define USE_TLS_SRP 1$(DL) >> $@
+endif
 ifdef WITH_SPNEGO
 	@echo $(DL)#define HAVE_SPNEGO 1$(DL) >> $@
 endif
@@ -690,6 +699,11 @@ ifdef WITH_SSL
 else
 	@echo SSL support:     no
 endif
+ifdef WITH_SRP
+	@echo SRP support:     enabled
+else
+	@echo SRP support:     no
+endif
 ifdef WITH_SSH2
 	@echo SSH2 support:    enabled (libssh2)
 else
--- a/lib/Makefile.vc6
+++ b/lib/Makefile.vc6
@@ -5,7 +5,7 @@
 #                            | (__| |_| |  _ <| |___
 #                             \___|\___/|_| \_\_____|
 #
-# Copyright (C) 1999 - 2014, Daniel Stenberg, <daniel@haxx.se>, et al.
+# Copyright (C) 1999 - 2015, Daniel Stenberg, <daniel@haxx.se>, et al.
 #
 # This software is licensed as described in the file COPYING, which
 # you should have received as part of this distribution. The terms
@@ -534,7 +534,7 @@ X_OBJS= \
 	$(DIROBJ)\content_encoding.obj \
 	$(DIROBJ)\cookie.obj \
 	$(DIROBJ)\curl_addrinfo.obj \
-	$(DIROBJ)\curl_darwinssl.obj \
+	$(DIROBJ)\curl_des.obj \
 	$(DIROBJ)\curl_endian.obj \
 	$(DIROBJ)\curl_fnmatch.obj \
 	$(DIROBJ)\curl_gethostname.obj \
@@ -549,10 +549,10 @@ X_OBJS= \
 	$(DIROBJ)\curl_sasl.obj \
 	$(DIROBJ)\curl_sasl_gssapi.obj \
 	$(DIROBJ)\curl_sasl_sspi.obj \
-	$(DIROBJ)\curl_schannel.obj \
 	$(DIROBJ)\curl_sspi.obj \
 	$(DIROBJ)\curl_threads.obj \
 	$(DIROBJ)\cyassl.obj \
+	$(DIROBJ)\darwinssl.obj \
 	$(DIROBJ)\dict.obj \
 	$(DIROBJ)\dotdot.obj \
 	$(DIROBJ)\easy.obj \
@@ -607,6 +607,7 @@ X_OBJS= \
 	$(DIROBJ)\progress.obj \
 	$(DIROBJ)\rawstr.obj \
 	$(DIROBJ)\rtsp.obj \
+	$(DIROBJ)\schannel.obj \
 	$(DIROBJ)\security.obj \
 	$(DIROBJ)\select.obj \
 	$(DIROBJ)\sendf.obj \
--- a/lib/config-symbian.h
+++ b/lib/config-symbian.h
@@ -7,7 +7,7 @@
 *                            | (__| |_| |  _ <| |___
 *                             \___|\___/|_| \_\_____|
 *
- * Copyright (C) 1998 - 2014, Daniel Stenberg, <daniel@haxx.se>, et al.
+ * Copyright (C) 1998 - 2015, Daniel Stenberg, <daniel@haxx.se>, et al.
 *
 * This software is licensed as described in the file COPYING, which
 * you should have received as part of this distribution. The terms
@@ -69,7 +69,7 @@
 /* #undef CURL_EXTERN_SYMBOL */

 /* Use Windows LDAP implementation */
-/* #undef CURL_LDAP_WIN */
+/* #undef USE_WIN32_LDAP */

 /* your Entropy Gathering Daemon socket pathname */
 /* #undef EGD_SOCKET */
--- a/lib/config-vxworks.h
+++ b/lib/config-vxworks.h
@@ -7,7 +7,7 @@
 *                            | (__| |_| |  _ <| |___
 *                             \___|\___/|_| \_\_____|
 *
- * Copyright (C) 1998 - 2013, Daniel Stenberg, <daniel@haxx.se>, et al.
+ * Copyright (C) 1998 - 2015, Daniel Stenberg, <daniel@haxx.se>, et al.
 *
 * This software is licensed as described in the file COPYING, which
 * you should have received as part of this distribution. The terms
@@ -75,7 +75,7 @@
 /* #undef CURL_EXTERN_SYMBOL */

 /* Use Windows LDAP implementation */
-/* #undef CURL_LDAP_WIN */
+/* #undef USE_WIN32_LDAP */

 /* your Entropy Gathering Daemon socket pathname */
 /* #undef EGD_SOCKET */
--- a/lib/config-win32.h
+++ b/lib/config-win32.h
@@ -7,7 +7,7 @@
 *                            | (__| |_| |  _ <| |___
 *                             \___|\___/|_| \_\_____|
 *
- * Copyright (C) 1998 - 2014, Daniel Stenberg, <daniel@haxx.se>, et al.
+ * Copyright (C) 1998 - 2015, Daniel Stenberg, <daniel@haxx.se>, et al.
 *
 * This software is licensed as described in the file COPYING, which
 * you should have received as part of this distribution. The terms
@@ -678,25 +678,25 @@ Vista
 /* ---------------------------------------------------------------- */

 #if defined(CURL_HAS_NOVELL_LDAPSDK) || defined(CURL_HAS_MOZILLA_LDAPSDK)
-#undef CURL_LDAP_WIN
+#undef USE_WIN32_LDAP
 #define HAVE_LDAP_SSL_H 1
 #define HAVE_LDAP_URL_PARSE 1
 #elif defined(CURL_HAS_OPENLDAP_LDAPSDK)
-#undef CURL_LDAP_WIN
+#undef USE_WIN32_LDAP
 #define HAVE_LDAP_URL_PARSE 1
 #else
 #undef HAVE_LDAP_URL_PARSE
-#define CURL_LDAP_WIN 1
+#define USE_WIN32_LDAP 1
 #endif

-#if defined(__WATCOMC__) && defined(CURL_LDAP_WIN)
+#if defined(__WATCOMC__) && defined(USE_WIN32_LDAP)
 #if __WATCOMC__ < 1280
 #define WINBERAPI  __declspec(cdecl)
 #define WINLDAPAPI __declspec(cdecl)
 #endif
 #endif

-#if defined(__POCC__) && defined(CURL_LDAP_WIN)
+#if defined(__POCC__) && defined(USE_WIN32_LDAP)
 #  define CURL_DISABLE_LDAP 1
 #endif

--- a/lib/config-win32ce.h
+++ b/lib/config-win32ce.h
@@ -7,7 +7,7 @@
 *                            | (__| |_| |  _ <| |___
 *                             \___|\___/|_| \_\_____|
 *
- * Copyright (C) 1998 - 2012, Daniel Stenberg, <daniel@haxx.se>, et al.
+ * Copyright (C) 1998 - 2015, Daniel Stenberg, <daniel@haxx.se>, et al.
 *
 * This software is licensed as described in the file COPYING, which
 * you should have received as part of this distribution. The terms
@@ -409,7 +409,7 @@
 /*                           LDAP SUPPORT                           */
 /* ---------------------------------------------------------------- */

-#define CURL_LDAP_WIN 1
+#define USE_WIN32_LDAP 1
 #undef HAVE_LDAP_URL_PARSE

 /* ---------------------------------------------------------------- */
--- a/lib/connect.c
+++ b/lib/connect.c
@@ -5,7 +5,7 @@
 *                            | (__| |_| |  _ <| |___
 *                             \___|\___/|_| \_\_____|
 *
- * Copyright (C) 1998 - 2014, Daniel Stenberg, <daniel@haxx.se>, et al.
+ * Copyright (C) 1998 - 2015, Daniel Stenberg, <daniel@haxx.se>, et al.
 *
 * This software is licensed as described in the file COPYING, which
 * you should have received as part of this distribution. The terms
@@ -542,6 +542,7 @@ static CURLcode trynextip(struct connectdata *conn,
                          int sockindex,
                          int tempindex)
 {
+  const int other = tempindex ^ 1;
  CURLcode result = CURLE_COULDNT_CONNECT;

  /* First clean up after the failed socket.
@@ -572,8 +573,11 @@ static CURLcode trynextip(struct connectdata *conn,
    }

    while(ai) {
+      if(conn->tempaddr[other]) {
+        /* we can safely skip addresses of the other protocol family */
        while(ai && ai->ai_family != family)
          ai = ai->ai_next;
+      }

      if(ai) {
        result = singleipconnect(conn, ai, &conn->tempsock[tempindex]);
@@ -749,6 +753,7 @@ CURLcode Curl_is_connected(struct connectdata *conn,
  }

  for(i=0; i<2; i++) {
+    const int other = i ^ 1;
    if(conn->tempsock[i] == CURL_SOCKET_BAD)
      continue;

@@ -778,7 +783,6 @@ CURLcode Curl_is_connected(struct connectdata *conn,
    else if(rc == CURL_CSELECT_OUT) {
      if(verifyconnect(conn->tempsock[i], &error)) {
        /* we are connected with TCP, awesome! */
-        int other = i ^ 1;

        /* use this socket from now on */
        conn->sock[sockindex] = conn->tempsock[i];
@@ -820,6 +824,7 @@ CURLcode Curl_is_connected(struct connectdata *conn,
      data->state.os_errno = error;
      SET_SOCKERRNO(error);
      if(conn->tempaddr[i]) {
+        CURLcode status;
        char ipaddress[MAX_IPADR_LEN];
        Curl_printable_address(conn->tempaddr[i], ipaddress, MAX_IPADR_LEN);
        infof(data, "connect to %s port %ld failed: %s\n",
@@ -828,7 +833,11 @@ CURLcode Curl_is_connected(struct connectdata *conn,
        conn->timeoutms_per_addr = conn->tempaddr[i]->ai_next == NULL ?
                                   allow : allow / 2;

-        result = trynextip(conn, sockindex, i);
+        status = trynextip(conn, sockindex, i);
+        if(status != CURLE_COULDNT_CONNECT
+            || conn->tempsock[other] == CURL_SOCKET_BAD)
+          /* the last attempt failed and no other sockets remain open */
+          result = status;
      }
    }
  }
@@ -1016,8 +1025,12 @@ static CURLcode singleipconnect(struct connectdata *conn,
  }
  infof(data, "  Trying %s...\n", ipaddress);

+#ifdef ENABLE_IPV6
  is_tcp = (addr.family == AF_INET || addr.family == AF_INET6) &&
    addr.socktype == SOCK_STREAM;
+#else
+  is_tcp = (addr.family == AF_INET) && addr.socktype == SOCK_STREAM;
+#endif
  if(is_tcp && data->set.tcp_nodelay)
    tcpnodelay(conn, sockfd);

@@ -1043,7 +1056,11 @@ static CURLcode singleipconnect(struct connectdata *conn,
  }

  /* possibly bind the local end to an IP, interface or port */
-  if(addr.family == AF_INET || addr.family == AF_INET6) {
+  if(addr.family == AF_INET
+#ifdef ENABLE_IPV6
+     || addr.family == AF_INET6
+#endif
+    ) {
    result = bindlocal(conn, sockfd, addr.family,
                       Curl_ipv6_scope((struct sockaddr*)&addr.sa_addr));
    if(result) {
--- a/lib/curl_config.h.cmake
+++ b/lib/curl_config.h.cmake
@@ -53,7 +53,7 @@
 #endif

 /* Use Windows LDAP implementation */
-#cmakedefine CURL_LDAP_WIN 1
+#cmakedefine USE_WIN32_LDAP 1

 /* when not building a shared library */
 #cmakedefine CURL_STATICLIB 1
--- a/lib/curl_des.c
+++ b/lib/curl_des.c
@@ -0,0 +1,63 @@
+/***************************************************************************
+ *                                  _   _ ____  _
+ *  Project                     ___| | | |  _ \| |
+ *                             / __| | | | |_) | |
+ *                            | (__| |_| |  _ <| |___
+ *                             \___|\___/|_| \_\_____|
+ *
+ * Copyright (C) 2015, Steve Holme, <steve_holme@hotmail.com>.
+ *
+ * This software is licensed as described in the file COPYING, which
+ * you should have received as part of this distribution. The terms
+ * are also available at http://curl.haxx.se/docs/copyright.html.
+ *
+ * You may opt to use, copy, modify, merge, publish, distribute and/or sell
+ * copies of the Software, and permit persons to whom the Software is
+ * furnished to do so, under the terms of the COPYING file.
+ *
+ * This software is distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY
+ * KIND, either express or implied.
+ *
+ ***************************************************************************/
+
+#include "curl_setup.h"
+
+#if defined(USE_NTLM) && (!defined(USE_SSLEAY) || defined(HAVE_BORINGSSL))
+
+#include "curl_des.h"
+
+/*
+ * Curl_des_set_odd_parity()
+ *
+ * This is used to apply odd parity to the given byte array. It is typically
+ * used by when a cryptography engines doesn't have it's own version.
+ *
+ * The function is a port of the Java based oddParity() function over at:
+ *
+ * http://davenport.sourceforge.net/ntlm.html
+ *
+ * Parameters:
+ *
+ * bytes       [in/out] - The data whose parity bits are to be adjusted for
+ *                        odd parity.
+ * len         [out]    - The length of the data.
+ */
+void Curl_des_set_odd_parity(unsigned char *bytes, size_t len)
+{
+  size_t i;
+
+  for(i = 0; i < len; i++) {
+    unsigned char b = bytes[i];
+
+    bool needs_parity = (((b >> 7) ^ (b >> 6) ^ (b >> 5) ^
+                          (b >> 4) ^ (b >> 3) ^ (b >> 2) ^
+                          (b >> 1)) & 0x01) == 0;
+
+    if(needs_parity)
+      bytes[i] |= 0x01;
+    else
+      bytes[i] &= 0xfe;
+  }
+}
+
+#endif /* USE_NTLM && (!USE_SSLEAY || HAVE_BORINGSSL) */
--- a/lib/curl_des.h
+++ b/lib/curl_des.h
@@ -0,0 +1,34 @@
+#ifndef HEADER_CURL_DES_H
+#define HEADER_CURL_DES_H
+/***************************************************************************
+ *                                  _   _ ____  _
+ *  Project                     ___| | | |  _ \| |
+ *                             / __| | | | |_) | |
+ *                            | (__| |_| |  _ <| |___
+ *                             \___|\___/|_| \_\_____|
+ *
+ * Copyright (C) 2015, Steve Holme, <steve_holme@hotmail.com>.
+ *
+ * This software is licensed as described in the file COPYING, which
+ * you should have received as part of this distribution. The terms
+ * are also available at http://curl.haxx.se/docs/copyright.html.
+ *
+ * You may opt to use, copy, modify, merge, publish, distribute and/or sell
+ * copies of the Software, and permit persons to whom the Software is
+ * furnished to do so, under the terms of the COPYING file.
+ *
+ * This software is distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY
+ * KIND, either express or implied.
+ *
+ ***************************************************************************/
+
+#include "curl_setup.h"
+
+#if defined(USE_NTLM) && (!defined(USE_SSLEAY) || defined(HAVE_BORINGSSL))
+
+/* Applies odd parity to the given byte array */
+void Curl_des_set_odd_parity(unsigned char *bytes, size_t length);
+
+#endif /* USE_NTLM && (!USE_SSLEAY || HAVE_BORINGSSL) */
+
+#endif /* HEADER_CURL_DES_H */
--- a/lib/curl_endian.c
+++ b/lib/curl_endian.c
@@ -62,6 +62,7 @@ unsigned int Curl_read32_le(unsigned char *buf)
         ((unsigned int)buf[2] << 16) | ((unsigned int)buf[3] << 24);
 }

+#if (CURL_SIZEOF_CURL_OFF_T > 4)
 /*
 * Curl_read64_le()
 *
@@ -97,6 +98,8 @@ unsigned __int64 Curl_read64_le(unsigned char *buf)
 }
 #endif

+#endif /* CURL_SIZEOF_CURL_OFF_T > 4 */
+
 /*
 * Curl_read16_be()
 *
@@ -135,6 +138,7 @@ unsigned int Curl_read32_be(unsigned char *buf)
         ((unsigned int)buf[2] << 8) | ((unsigned int)buf[3]);
 }

+#if (CURL_SIZEOF_CURL_OFF_T > 4)
 /*
 * Curl_read64_be()
 *
@@ -170,6 +174,8 @@ unsigned __int64 Curl_read64_be(unsigned char *buf)
 }
 #endif

+#endif /* CURL_SIZEOF_CURL_OFF_T > 4 */
+
 /*
 * Curl_write16_le()
 *
@@ -227,4 +233,4 @@ void Curl_write64_le(const __int64 value, unsigned char *buffer)
  Curl_write32_le((int)value, buffer);
  Curl_write32_le((int)(value >> 32), buffer + 4);
 }
-#endif
+#endif /* CURL_SIZEOF_CURL_OFF_T > 4 */
--- a/lib/curl_gssapi.h
+++ b/lib/curl_gssapi.h
@@ -7,7 +7,7 @@
 *                            | (__| |_| |  _ <| |___
 *                             \___|\___/|_| \_\_____|
 *
- * Copyright (C) 2011 - 2014, Daniel Stenberg, <daniel@haxx.se>, et al.
+ * Copyright (C) 2011 - 2015, Daniel Stenberg, <daniel@haxx.se>, et al.
 *
 * This software is licensed as described in the file COPYING, which
 * you should have received as part of this distribution. The terms
@@ -59,6 +59,17 @@ OM_uint32 Curl_gss_init_sec_context(
 void Curl_gss_log_error(struct SessionHandle *data, OM_uint32 status,
                        const char *prefix);

+/* Provide some definitions missing in old headers */
+#ifdef HAVE_OLD_GSSMIT
+#define GSS_C_NT_HOSTBASED_SERVICE gss_nt_service_name
+#define NCOMPAT 1
+#endif
+
+/* Define our privacy and integrity protection values */
+#define GSSAUTH_P_NONE      1
+#define GSSAUTH_P_INTEGRITY 2
+#define GSSAUTH_P_PRIVACY   4
+
 #endif /* HAVE_GSSAPI */

 #endif /* HEADER_CURL_GSSAPI_H */
--- a/lib/curl_multibyte.c
+++ b/lib/curl_multibyte.c
@@ -23,7 +23,7 @@
 #include "curl_setup.h"

 #if defined(USE_WIN32_IDN) || ((defined(USE_WINDOWS_SSPI) || \
-                                defined(CURL_LDAP_WIN)) && defined(UNICODE))
+                                defined(USE_WIN32_LDAP)) && defined(UNICODE))

 /*
  * MultiByte conversions using Windows kernel32 library.
@@ -80,4 +80,4 @@ char *Curl_convert_wchar_to_UTF8(const wchar_t *str_w)
  return str_utf8;
 }

-#endif /* USE_WIN32_IDN || ((USE_WINDOWS_SSPI || CURL_LDAP_WIN) && UNICODE) */
+#endif /* USE_WIN32_IDN || ((USE_WINDOWS_SSPI || USE_WIN32_LDAP) && UNICODE) */
--- a/lib/curl_multibyte.h
+++ b/lib/curl_multibyte.h
@@ -24,7 +24,7 @@
 #include "curl_setup.h"

 #if defined(USE_WIN32_IDN) || ((defined(USE_WINDOWS_SSPI) || \
-                                defined(CURL_LDAP_WIN)) && defined(UNICODE))
+                                defined(USE_WIN32_LDAP)) && defined(UNICODE))

 /*
  * MultiByte conversions using Windows kernel32 library.
@@ -33,11 +33,11 @@
 wchar_t *Curl_convert_UTF8_to_wchar(const char *str_utf8);
 char *Curl_convert_wchar_to_UTF8(const wchar_t *str_w);

-#endif /* USE_WIN32_IDN || ((USE_WINDOWS_SSPI || CURL_LDAP_WIN) && UNICODE) */
+#endif /* USE_WIN32_IDN || ((USE_WINDOWS_SSPI || USE_WIN32_LDAP) && UNICODE) */


 #if defined(USE_WIN32_IDN) || defined(USE_WINDOWS_SSPI) || \
-    defined(CURL_LDAP_WIN)
+    defined(USE_WIN32_LDAP)

 /*
 * Macros Curl_convert_UTF8_to_tchar(), Curl_convert_tchar_to_UTF8()
@@ -87,6 +87,6 @@ typedef union {

 #endif /* UNICODE */

-#endif /* USE_WIN32_IDN || USE_WINDOWS_SSPI || CURL_LDAP_WIN */
+#endif /* USE_WIN32_IDN || USE_WINDOWS_SSPI || USE_WIN32_LDAP */

 #endif /* HEADER_CURL_MULTIBYTE_H */
--- a/lib/curl_ntlm_core.c
+++ b/lib/curl_ntlm_core.c
@@ -107,6 +107,7 @@
 #include "curl_hmac.h"
 #include "warnless.h"
 #include "curl_endian.h"
+#include "curl_des.h"

 #define _MPRINTF_REPLACE /* use our functions only */
 #include <curl/mprintf.h>
@@ -143,8 +144,17 @@ static void setup_des_key(const unsigned char *key_56,
 {
  DES_cblock key;

+  /* Expand the 56-bit key to 64-bits */
  extend_key_56_to_64(key_56, (char *) key);
+
+  /* Set the key parity to odd */
+#if defined(HAVE_BORINGSSL)
+  Curl_des_set_odd_parity((unsigned char *) &key, sizeof(key));
+#else
  DES_set_odd_parity(&key);
+#endif
+
+  /* Set the key */
  DES_set_key(&key, ks);
 }

@@ -154,7 +164,14 @@ static void setup_des_key(const unsigned char *key_56,
                          struct des_ctx *des)
 {
  char key[8];
+
+  /* Expand the 56-bit key to 64-bits */
  extend_key_56_to_64(key_56, key);
+
+  /* Set the key parity to odd */
+  Curl_des_set_odd_parity((unsigned char *) key, sizeof(key));
+
+  /* Set the key */
  des_set_key(des, (const uint8_t *) key);
 }

@@ -167,8 +184,15 @@ static void setup_des_key(const unsigned char *key_56,
                          gcry_cipher_hd_t *des)
 {
  char key[8];
+
+  /* Expand the 56-bit key to 64-bits */
  extend_key_56_to_64(key_56, key);
-  gcry_cipher_setkey(*des, key, 8);
+
+  /* Set the key parity to odd */
+  Curl_des_set_odd_parity((unsigned char *) key, sizeof(key));
+
+  /* Set the key */
+  gcry_cipher_setkey(*des, key, sizeof(key));
 }

 #elif defined(USE_NSS)
@@ -196,16 +220,21 @@ static bool encrypt_des(const unsigned char *in, unsigned char *out,
  if(!slot)
    return FALSE;

-  /* expand the 56 bit key to 64 bit and wrap by NSS */
+  /* Expand the 56-bit key to 64-bits */
  extend_key_56_to_64(key_56, key);
+
+  /* Set the key parity to odd */
+  Curl_des_set_odd_parity((unsigned char *) key, sizeof(key));
+
+  /* Import the key */
  key_item.data = (unsigned char *)key;
-  key_item.len = /* hard-wired */ 8;
+  key_item.len = sizeof(key);
  symkey = PK11_ImportSymKey(slot, mech, PK11_OriginUnwrap, CKA_ENCRYPT,
                             &key_item, NULL);
  if(!symkey)
    goto fail;

-  /* create DES encryption context */
+  /* Create the DES encryption context */
  param = PK11_ParamFromIV(mech, /* no IV in ECB mode */ NULL);
  if(!param)
    goto fail;
@@ -213,7 +242,7 @@ static bool encrypt_des(const unsigned char *in, unsigned char *out,
  if(!ctx)
    goto fail;

-  /* perform the encryption */
+  /* Perform the encryption */
  if(SECSuccess == PK11_CipherOp(ctx, out, &out_len, /* outbuflen */ 8,
                                 (unsigned char *)in, /* inbuflen */ 8)
      && SECSuccess == PK11_Finalize(ctx))
@@ -240,10 +269,17 @@ static bool encrypt_des(const unsigned char *in, unsigned char *out,
  size_t out_len;
  CCCryptorStatus err;

+  /* Expand the 56-bit key to 64-bits */
  extend_key_56_to_64(key_56, key);
+
+  /* Set the key parity to odd */
+  Curl_des_set_odd_parity((unsigned char *) key, sizeof(key));
+
+  /* Perform the encryption */
  err = CCCrypt(kCCEncrypt, kCCAlgorithmDES, kCCOptionECBMode, key,
                kCCKeySizeDES, NULL, in, 8 /* inbuflen */, out,
                8 /* outbuflen */, &out_len);
+
  return err == kCCSuccess;
 }

@@ -255,10 +291,19 @@ static bool encrypt_des(const unsigned char *in, unsigned char *out,
  char key[8];
  _CIPHER_Control_T ctl;

+  /* Setup the cipher control structure */
  ctl.Func_ID = ENCRYPT_ONLY;
-  ctl.Data_Len = 8;
+  ctl.Data_Len = sizeof(key);
+
+  /* Expand the 56-bit key to 64-bits */
  extend_key_56_to_64(key_56, ctl.Crypto_Key);
+
+  /* Set the key parity to odd */
+  Curl_des_set_odd_parity((unsigned char *) ctl.Crypto_Key, ctl.Data_Len);
+
+  /* Perform the encryption */
  _CIPHER((_SPCPTR *) &out, &ctl, (_SPCPTR *) &in);
+
  return TRUE;
 }

@@ -281,13 +326,19 @@ static bool encrypt_des(const unsigned char *in, unsigned char *out,
                          CRYPT_VERIFYCONTEXT))
    return FALSE;

+  /* Setup the key blob structure */
  memset(&blob, 0, sizeof(blob));
-  extend_key_56_to_64(key_56, blob.key);
  blob.hdr.bType = PLAINTEXTKEYBLOB;
  blob.hdr.bVersion = 2;
  blob.hdr.aiKeyAlg = CALG_DES;
  blob.len = sizeof(blob.key);

+  /* Expand the 56-bit key to 64-bits */
+  extend_key_56_to_64(key_56, blob.key);
+
+  /* Set the key parity to odd */
+  Curl_des_set_odd_parity((unsigned char *) blob.key, sizeof(blob.key));
+
  /* Import the key */
  if(!CryptImportKey(hprov, (BYTE *) &blob, sizeof(blob), 0, 0, &hkey)) {
    CryptReleaseContext(hprov, 0);
@@ -459,6 +510,7 @@ static void ascii_uppercase_to_unicode_le(unsigned char *dest,

 /*
 * Set up nt hashed passwords
+ * @unittest: 1600
 */
 CURLcode Curl_ntlm_core_mk_nt_hash(struct SessionHandle *data,
                                   const char *password,
--- a/lib/curl_sasl.c
+++ b/lib/curl_sasl.c
@@ -5,7 +5,7 @@
 *                            | (__| |_| |  _ <| |___
 *                             \___|\___/|_| \_\_____|
 *
- * Copyright (C) 2012 - 2014, Daniel Stenberg, <daniel@haxx.se>, et al.
+ * Copyright (C) 2012 - 2015, Daniel Stenberg, <daniel@haxx.se>, et al.
 *
 * This software is licensed as described in the file COPYING, which
 * you should have received as part of this distribution. The terms
@@ -41,7 +41,9 @@
 #include "warnless.h"
 #include "curl_memory.h"
 #include "strtok.h"
+#include "strequal.h"
 #include "rawstr.h"
+#include "sendf.h"
 #include "non-ascii.h" /* included for Curl_convert_... prototypes */

 #define _MPRINTF_REPLACE /* use our functions only */
@@ -50,6 +52,23 @@
 /* The last #include file should be: */
 #include "memdebug.h"

+/* Supported mechanisms */
+const struct {
+  const char   *name;  /* Name */
+  size_t        len;   /* Name length */
+  unsigned int  bit;   /* Flag bit */
+} mechtable[] = {
+  { "LOGIN",      5,  SASL_MECH_LOGIN },
+  { "PLAIN",      5,  SASL_MECH_PLAIN },
+  { "CRAM-MD5",   8,  SASL_MECH_CRAM_MD5 },
+  { "DIGEST-MD5", 10, SASL_MECH_DIGEST_MD5 },
+  { "GSSAPI",     6,  SASL_MECH_GSSAPI },
+  { "EXTERNAL",   8,  SASL_MECH_EXTERNAL },
+  { "NTLM",       4,  SASL_MECH_NTLM },
+  { "XOAUTH2",    7,  SASL_MECH_XOAUTH2 },
+  { ZERO_NULL,    0,  0 }
+};
+
 #if !defined(CURL_DISABLE_CRYPTO_AUTH) && !defined(USE_WINDOWS_SSPI)
 #define DIGEST_QOP_VALUE_AUTH             (1 << 0)
 #define DIGEST_QOP_VALUE_AUTH_INT         (1 << 1)
@@ -74,7 +93,7 @@
  }

 /*
- * Return 0 on success and then the buffers are filled in fine.
+ * Returns 0 on success and then the buffers are filled in fine.
 *
 * Non-zero means failure to parse.
 */
@@ -248,7 +267,7 @@ static CURLcode sasl_digest_get_qop_values(const char *options, int *value)
 *
 * Parameters:
 *
- * serivce  [in] - The service type such as www, smtp, pop or imap.
+ * service  [in] - The service type such as www, smtp, pop or imap.
 * host     [in] - The host name or realm.
 *
 * Returns a pointer to the newly allocated SPN.
@@ -261,7 +280,7 @@ char *Curl_sasl_build_spn(const char *service, const char *host)
 #endif

 /*
- * Curl_sasl_create_plain_message()
+ * sasl_create_plain_message()
 *
 * This is used to generate an already encoded PLAIN message ready
 * for sending to the recipient.
@@ -277,7 +296,7 @@ char *Curl_sasl_build_spn(const char *service, const char *host)
 *
 * Returns CURLE_OK on success.
 */
-CURLcode Curl_sasl_create_plain_message(struct SessionHandle *data,
+static CURLcode sasl_create_plain_message(struct SessionHandle *data,
                                          const char *userp,
                                          const char *passwdp,
                                          char **outptr, size_t *outlen)
@@ -312,7 +331,7 @@ CURLcode Curl_sasl_create_plain_message(struct SessionHandle *data,
 }

 /*
- * Curl_sasl_create_login_message()
+ * sasl_create_login_message()
 *
 * This is used to generate an already encoded LOGIN message containing the
 * user name or password ready for sending to the recipient.
@@ -327,7 +346,7 @@ CURLcode Curl_sasl_create_plain_message(struct SessionHandle *data,
 *
 * Returns CURLE_OK on success.
 */
-CURLcode Curl_sasl_create_login_message(struct SessionHandle *data,
+static CURLcode sasl_create_login_message(struct SessionHandle *data,
                                          const char *valuep, char **outptr,
                                          size_t *outlen)
 {
@@ -349,9 +368,33 @@ CURLcode Curl_sasl_create_login_message(struct SessionHandle *data,
  return Curl_base64_encode(data, valuep, vlen, outptr, outlen);
 }

+/*
+ * sasl_create_external_message()
+ *
+ * This is used to generate an already encoded EXTERNAL message containing
+ * the user name ready for sending to the recipient.
+ *
+ * Parameters:
+ *
+ * data    [in]     - The session handle.
+ * user    [in]     - The user name.
+ * outptr  [in/out] - The address where a pointer to newly allocated memory
+ *                    holding the result will be stored upon completion.
+ * outlen  [out]    - The length of the output message.
+ *
+ * Returns CURLE_OK on success.
+ */
+static CURLcode sasl_create_external_message(struct SessionHandle *data,
+                                             const char *user, char **outptr,
+                                             size_t *outlen)
+{
+  /* This is the same formatting as the login message. */
+  return sasl_create_login_message(data, user, outptr, outlen);
+}
+
 #ifndef CURL_DISABLE_CRYPTO_AUTH
 /*
- * Curl_sasl_decode_cram_md5_message()
+ * sasl_decode_cram_md5_message()
 *
 * This is used to decode an already encoded CRAM-MD5 challenge message.
 *
@@ -364,7 +407,7 @@ CURLcode Curl_sasl_create_login_message(struct SessionHandle *data,
 *
 * Returns CURLE_OK on success.
 */
-CURLcode Curl_sasl_decode_cram_md5_message(const char *chlg64, char **outptr,
+static CURLcode sasl_decode_cram_md5_message(const char *chlg64, char **outptr,
                                             size_t *outlen)
 {
  CURLcode result = CURLE_OK;
@@ -381,7 +424,7 @@ CURLcode Curl_sasl_decode_cram_md5_message(const char *chlg64, char **outptr,
 }

 /*
- * Curl_sasl_create_cram_md5_message()
+ * sasl_create_cram_md5_message()
 *
 * This is used to generate an already encoded CRAM-MD5 response message ready
 * for sending to the recipient.
@@ -398,7 +441,7 @@ CURLcode Curl_sasl_decode_cram_md5_message(const char *chlg64, char **outptr,
 *
 * Returns CURLE_OK on success.
 */
-CURLcode Curl_sasl_create_cram_md5_message(struct SessionHandle *data,
+static CURLcode sasl_create_cram_md5_message(struct SessionHandle *data,
                                             const char *chlg,
                                             const char *userp,
                                             const char *passwdp,
@@ -1110,7 +1153,7 @@ void Curl_sasl_ntlm_cleanup(struct ntlmdata *ntlm)
 #endif /* USE_NTLM && !USE_WINDOWS_SSPI*/

 /*
- * Curl_sasl_create_xoauth2_message()
+ * sasl_create_xoauth2_message()
 *
 * This is used to generate an already encoded OAuth 2.0 message ready for
 * sending to the recipient.
@@ -1126,7 +1169,7 @@ void Curl_sasl_ntlm_cleanup(struct ntlmdata *ntlm)
 *
 * Returns CURLE_OK on success.
 */
-CURLcode Curl_sasl_create_xoauth2_message(struct SessionHandle *data,
+static CURLcode sasl_create_xoauth2_message(struct SessionHandle *data,
                                            const char *user,
                                            const char *bearer,
                                            char **outptr, size_t *outlen)
@@ -1180,3 +1223,447 @@ void Curl_sasl_cleanup(struct connectdata *conn, unsigned int authused)
  (void)authused;
 #endif
 }
+
+/*
+ * Curl_sasl_decode_mech()
+ *
+ * Convert a SASL mechanism name into a token.
+ *
+ * Parameters:
+ *
+ * ptr    [in]     - The mechanism string.
+ * maxlen [in]     - Maximum mechanism string length.
+ * len    [out]    - If not NULL, effective name length.
+ *
+ * Returns the SASL mechanism token or 0 if no match.
+ */
+unsigned int Curl_sasl_decode_mech(const char *ptr, size_t maxlen, size_t *len)
+{
+  unsigned int i;
+  char c;
+
+  for(i = 0; mechtable[i].name; i++) {
+    if(maxlen >= mechtable[i].len &&
+       !memcmp(ptr, mechtable[i].name, mechtable[i].len)) {
+      if(len)
+        *len = mechtable[i].len;
+
+      if(maxlen == mechtable[i].len)
+        return mechtable[i].bit;
+
+      c = ptr[mechtable[i].len];
+      if(!ISUPPER(c) && !ISDIGIT(c) && c != '-' && c != '_')
+        return mechtable[i].bit;
+    }
+  }
+
+  return 0;
+}
+
+/*
+ * Curl_sasl_parse_url_auth_option()
+ *
+ * Parse the URL login options.
+ */
+CURLcode Curl_sasl_parse_url_auth_option(struct SASL *sasl,
+                                         const char *value, size_t len)
+{
+  CURLcode result = CURLE_OK;
+  unsigned int mechbit;
+  size_t mechlen;
+
+  if(!len)
+    return CURLE_URL_MALFORMAT;
+
+    if(sasl->resetprefs) {
+      sasl->resetprefs = FALSE;
+      sasl->prefmech = SASL_AUTH_NONE;
+    }
+
+    if(strnequal(value, "*", len))
+      sasl->prefmech = SASL_AUTH_DEFAULT;
+    else if((mechbit = Curl_sasl_decode_mech(value, len, &mechlen)) &&
+            mechlen == len)
+      sasl->prefmech |= mechbit;
+    else
+      result = CURLE_URL_MALFORMAT;
+
+  return result;
+}
+
+/*
+ * Curl_sasl_init()
+ *
+ * Initializes the SASL structure.
+ */
+void Curl_sasl_init(struct SASL *sasl, const struct SASLproto *params)
+{
+  sasl->params = params;           /* Set protocol dependent parameters */
+  sasl->state = SASL_STOP;         /* Not yet running */
+  sasl->authmechs = SASL_AUTH_NONE; /* No known authentication mechanism yet */
+  sasl->prefmech = SASL_AUTH_DEFAULT; /* Prefer all mechanisms */
+  sasl->authused = SASL_AUTH_NONE; /* No the authentication mechanism used */
+  sasl->resetprefs = TRUE;         /* Reset prefmech upon AUTH parsing. */
+  sasl->mutual_auth = FALSE;       /* No mutual authentication (GSSAPI only) */
+  sasl->force_ir = FALSE;          /* Respect external option */
+}
+
+/*
+ * state()
+ *
+ * This is the ONLY way to change SASL state!
+ */
+static void state(struct SASL *sasl, struct connectdata *conn,
+                  saslstate newstate)
+{
+#if defined(DEBUGBUILD) && !defined(CURL_DISABLE_VERBOSE_STRINGS)
+  /* for debug purposes */
+  static const char * const names[]={
+    "STOP",
+    "PLAIN",
+    "LOGIN",
+    "LOGIN_PASSWD",
+    "EXTERNAL",
+    "CRAMMD5",
+    "DIGESTMD5",
+    "DIGESTMD5_RESP",
+    "NTLM",
+    "NTLM_TYPE2MSG",
+    "GSSAPI",
+    "GSSAPI_TOKEN",
+    "GSSAPI_NO_DATA",
+    "XOAUTH2",
+    "CANCEL",
+    "FINAL",
+    /* LAST */
+  };
+
+  if(sasl->state != newstate)
+    infof(conn->data, "SASL %p state change from %s to %s\n",
+          (void *)sasl, names[sasl->state], names[newstate]);
+#else
+  (void) conn;
+#endif
+
+  sasl->state = newstate;
+}
+
+/*
+ * Curl_sasl_can_authenticate()
+ *
+ * Check if we have enough auth data and capabilities to authenticate.
+ */
+bool Curl_sasl_can_authenticate(struct SASL *sasl, struct connectdata *conn)
+{
+  /* Have credentials been provided? */
+  if(conn->bits.user_passwd)
+    return TRUE;
+
+  /* EXTERNAL can authenticate without a user name and/or password */
+  if(sasl->authmechs & sasl->prefmech & SASL_MECH_EXTERNAL)
+    return TRUE;
+
+  return FALSE;
+}
+
+/*
+ * Curl_sasl_start()
+ *
+ * Calculate the required login details for SASL authentication.
+ */
+CURLcode Curl_sasl_start(struct SASL *sasl, struct connectdata *conn,
+                         bool force_ir, saslprogress *progress)
+{
+  CURLcode result = CURLE_OK;
+  struct SessionHandle *data = conn->data;
+  unsigned int enabledmechs;
+  const char *mech = NULL;
+  char *resp = NULL;
+  size_t len = 0;
+  saslstate state1 = SASL_STOP;
+  saslstate state2 = SASL_FINAL;
+
+  sasl->force_ir = force_ir;    /* Latch for future use */
+  sasl->authused = 0;           /* No mechanism used yet */
+  enabledmechs = sasl->authmechs & sasl->prefmech;
+  *progress = SASL_IDLE;
+
+  /* Calculate the supported authentication mechanism, by decreasing order of
+     security, as well as the initial response where appropriate */
+  if((enabledmechs & SASL_MECH_EXTERNAL) && !conn->passwd[0]) {
+    mech = SASL_MECH_STRING_EXTERNAL;
+    state1 = SASL_EXTERNAL;
+    sasl->authused = SASL_MECH_EXTERNAL;
+
+    if(force_ir || data->set.sasl_ir)
+      result = sasl_create_external_message(data, conn->user, &resp, &len);
+  }
+  else if(conn->bits.user_passwd) {
+#if defined(USE_KERBEROS5)
+    if(enabledmechs & SASL_MECH_GSSAPI) {
+      sasl->mutual_auth = FALSE; /* TODO: Calculate mutual authentication */
+      mech = SASL_MECH_STRING_GSSAPI;
+      state1 = SASL_GSSAPI;
+      state2 = SASL_GSSAPI_TOKEN;
+      sasl->authused = SASL_MECH_GSSAPI;
+
+      if(force_ir || data->set.sasl_ir)
+        result = Curl_sasl_create_gssapi_user_message(data, conn->user,
+                                                      conn->passwd,
+                                                      sasl->params->service,
+                                                      sasl->mutual_auth,
+                                                      NULL, &conn->krb5,
+                                                      &resp, &len);
+    }
+    else
+#endif
+#ifndef CURL_DISABLE_CRYPTO_AUTH
+    if(enabledmechs & SASL_MECH_DIGEST_MD5) {
+      mech = SASL_MECH_STRING_DIGEST_MD5;
+      state1 = SASL_DIGESTMD5;
+      sasl->authused = SASL_MECH_DIGEST_MD5;
+    }
+    else if(enabledmechs & SASL_MECH_CRAM_MD5) {
+      mech = SASL_MECH_STRING_CRAM_MD5;
+      state1 = SASL_CRAMMD5;
+      sasl->authused = SASL_MECH_CRAM_MD5;
+    }
+    else
+#endif
+#ifdef USE_NTLM
+    if(enabledmechs & SASL_MECH_NTLM) {
+      mech = SASL_MECH_STRING_NTLM;
+      state1 = SASL_NTLM;
+      state2 = SASL_NTLM_TYPE2MSG;
+      sasl->authused = SASL_MECH_NTLM;
+
+      if(force_ir || data->set.sasl_ir)
+        result = Curl_sasl_create_ntlm_type1_message(conn->user, conn->passwd,
+                                                     &conn->ntlm, &resp, &len);
+      }
+    else
+#endif
+    if((enabledmechs & SASL_MECH_XOAUTH2) || conn->xoauth2_bearer) {
+      mech = SASL_MECH_STRING_XOAUTH2;
+      state1 = SASL_XOAUTH2;
+      sasl->authused = SASL_MECH_XOAUTH2;
+
+      if(force_ir || data->set.sasl_ir)
+        result = sasl_create_xoauth2_message(data, conn->user,
+                                             conn->xoauth2_bearer,
+                                             &resp, &len);
+    }
+    else if(enabledmechs & SASL_MECH_LOGIN) {
+      mech = SASL_MECH_STRING_LOGIN;
+      state1 = SASL_LOGIN;
+      state2 = SASL_LOGIN_PASSWD;
+      sasl->authused = SASL_MECH_LOGIN;
+
+      if(force_ir || data->set.sasl_ir)
+        result = sasl_create_login_message(data, conn->user, &resp, &len);
+    }
+    else if(enabledmechs & SASL_MECH_PLAIN) {
+      mech = SASL_MECH_STRING_PLAIN;
+      state1 = SASL_PLAIN;
+      sasl->authused = SASL_MECH_PLAIN;
+
+      if(force_ir || data->set.sasl_ir)
+        result = sasl_create_plain_message(data, conn->user, conn->passwd,
+                                           &resp, &len);
+    }
+  }
+
+  if(!result) {
+    if(resp && sasl->params->maxirlen &&
+       strlen(mech) + len > sasl->params->maxirlen) {
+      Curl_safefree(resp);
+      resp = NULL;
+    }
+
+    if(mech) {
+      result = sasl->params->sendauth(conn, mech, resp);
+      if(!result) {
+        *progress = SASL_INPROGRESS;
+        state(sasl, conn, resp? state2: state1);
+      }
+    }
+  }
+
+  Curl_safefree(resp);
+
+  return result;
+}
+
+/*
+ * Curl_sasl_continue()
+ *
+ * Continue the authentication.
+ */
+CURLcode Curl_sasl_continue(struct SASL *sasl, struct connectdata *conn,
+                            int code, saslprogress *progress)
+{
+  CURLcode result = CURLE_OK;
+  struct SessionHandle *data = conn->data;
+  saslstate newstate = SASL_FINAL;
+  char *resp = NULL;
+#if !defined(CURL_DISABLE_CRYPTO_AUTH)
+  char *serverdata;
+  char *chlg = NULL;
+  size_t chlglen = 0;
+#endif
+  size_t len = 0;
+
+  *progress = SASL_INPROGRESS;
+
+  if(sasl->state == SASL_FINAL) {
+    if(code != sasl->params->finalcode)
+      result = CURLE_LOGIN_DENIED;
+    *progress = SASL_DONE;
+    state(sasl, conn, SASL_STOP);
+    return result;
+  }
+
+  if(sasl->state != SASL_CANCEL && code != sasl->params->contcode) {
+    *progress = SASL_DONE;
+    state(sasl, conn, SASL_STOP);
+    return CURLE_LOGIN_DENIED;
+  }
+
+  switch(sasl->state) {
+  case SASL_STOP:
+    *progress = SASL_DONE;
+    return result;
+  case SASL_PLAIN:
+    result = sasl_create_plain_message(data, conn->user, conn->passwd, &resp,
+                                       &len);
+    break;
+  case SASL_LOGIN:
+    result = sasl_create_login_message(data, conn->user, &resp, &len);
+    newstate = SASL_LOGIN_PASSWD;
+    break;
+  case SASL_LOGIN_PASSWD:
+    result = sasl_create_login_message(data, conn->passwd, &resp, &len);
+    break;
+  case SASL_EXTERNAL:
+    result = sasl_create_external_message(data, conn->user, &resp, &len);
+    break;
+
+#ifndef CURL_DISABLE_CRYPTO_AUTH
+  case SASL_CRAMMD5:
+    sasl->params->getmessage(data->state.buffer, &serverdata);
+    result = sasl_decode_cram_md5_message(serverdata, &chlg, &chlglen);
+    if(!result)
+      result = sasl_create_cram_md5_message(data, chlg, conn->user,
+                                            conn->passwd, &resp, &len);
+    Curl_safefree(chlg);
+    break;
+  case SASL_DIGESTMD5:
+    sasl->params->getmessage(data->state.buffer, &serverdata);
+    result = Curl_sasl_create_digest_md5_message(data, serverdata,
+                                                 conn->user, conn->passwd,
+                                                 sasl->params->service,
+                                                 &resp, &len);
+    newstate = SASL_DIGESTMD5_RESP;
+    break;
+  case SASL_DIGESTMD5_RESP:
+    if(!(resp = strdup("")))
+      result = CURLE_OUT_OF_MEMORY;
+    break;
+#endif
+
+#ifdef USE_NTLM
+  case SASL_NTLM:
+    /* Create the type-1 message */
+    result = Curl_sasl_create_ntlm_type1_message(conn->user, conn->passwd,
+                                                 &conn->ntlm, &resp, &len);
+    newstate = SASL_NTLM_TYPE2MSG;
+    break;
+  case SASL_NTLM_TYPE2MSG:
+    /* Decode the type-2 message */
+    sasl->params->getmessage(data->state.buffer, &serverdata);
+    result = Curl_sasl_decode_ntlm_type2_message(data, serverdata,
+                                                 &conn->ntlm);
+    if(!result)
+      result = Curl_sasl_create_ntlm_type3_message(data, conn->user,
+                                                   conn->passwd, &conn->ntlm,
+                                                   &resp, &len);
+    break;
+#endif
+
+#if defined(USE_KERBEROS5)
+  case SASL_GSSAPI:
+    result = Curl_sasl_create_gssapi_user_message(data, conn->user,
+                                                  conn->passwd,
+                                                  sasl->params->service,
+                                                  sasl->mutual_auth, NULL,
+                                                  &conn->krb5,
+                                                  &resp, &len);
+    newstate = SASL_GSSAPI_TOKEN;
+    break;
+  case SASL_GSSAPI_TOKEN:
+    sasl->params->getmessage(data->state.buffer, &serverdata);
+    if(sasl->mutual_auth) {
+      /* Decode the user token challenge and create the optional response
+         message */
+      result = Curl_sasl_create_gssapi_user_message(data, NULL, NULL, NULL,
+                                                    sasl->mutual_auth,
+                                                    serverdata, &conn->krb5,
+                                                    &resp, &len);
+      newstate = SASL_GSSAPI_NO_DATA;
+    }
+    else
+      /* Decode the security challenge and create the response message */
+      result = Curl_sasl_create_gssapi_security_message(data, serverdata,
+                                                        &conn->krb5,
+                                                        &resp, &len);
+    break;
+  case SASL_GSSAPI_NO_DATA:
+    sasl->params->getmessage(data->state.buffer, &serverdata);
+    /* Decode the security challenge and create the response message */
+    result = Curl_sasl_create_gssapi_security_message(data, serverdata,
+                                                      &conn->krb5,
+                                                      &resp, &len);
+    break;
+#endif
+
+  case SASL_XOAUTH2:
+    /* Create the authorisation message */
+    result = sasl_create_xoauth2_message(data, conn->user,
+                                         conn->xoauth2_bearer, &resp, &len);
+    break;
+  case SASL_CANCEL:
+    /* Remove the offending mechanism from the supported list */
+    sasl->authmechs ^= sasl->authused;
+
+    /* Start an alternative SASL authentication */
+    result = Curl_sasl_start(sasl, conn, sasl->force_ir, progress);
+    newstate = sasl->state;   /* Use state from Curl_sasl_start() */
+    break;
+  default:
+    failf(data, "Unsupported SASL authentication mechanism");
+    result = CURLE_UNSUPPORTED_PROTOCOL;  /* Should not happen */
+    break;
+  }
+
+  switch(result) {
+  case CURLE_BAD_CONTENT_ENCODING:
+    /* Cancel dialog */
+    result = sasl->params->sendcont(conn, "*");
+    newstate = SASL_CANCEL;
+    break;
+  case CURLE_OK:
+    if(resp)
+      result = sasl->params->sendcont(conn, resp);
+    break;
+  default:
+    newstate = SASL_STOP;    /* Stop on error */
+    *progress = SASL_DONE;
+    break;
+  }
+
+  Curl_safefree(resp);
+
+  state(sasl, conn, newstate);
+
+  return result;
+}
--- a/lib/curl_sasl.h
+++ b/lib/curl_sasl.h
@@ -7,7 +7,7 @@
 *                            | (__| |_| |  _ <| |___
 *                             \___|\___/|_| \_\_____|
 *
- * Copyright (C) 2012 - 2014, Daniel Stenberg, <daniel@haxx.se>, et al.
+ * Copyright (C) 2012 - 2015, Daniel Stenberg, <daniel@haxx.se>, et al.
 *
 * This software is licensed as described in the file COPYING, which
 * you should have received as part of this distribution. The terms
@@ -39,10 +39,6 @@ struct ntlmdata;
 struct kerberos5data;
 #endif

-/* Authentication mechanism values */
-#define SASL_AUTH_NONE          0
-#define SASL_AUTH_ANY           ~0U
-
 /* Authentication mechanism flags */
 #define SASL_MECH_LOGIN             (1 << 0)
 #define SASL_MECH_PLAIN             (1 << 1)
@@ -53,6 +49,12 @@ struct kerberos5data;
 #define SASL_MECH_NTLM              (1 << 6)
 #define SASL_MECH_XOAUTH2           (1 << 7)

+/* Authentication mechanism values */
+#define SASL_AUTH_NONE          0
+#define SASL_AUTH_ANY           ~0U
+#define SASL_AUTH_DEFAULT       (SASL_AUTH_ANY & \
+                                 ~(SASL_MECH_EXTERNAL | SASL_MECH_XOAUTH2))
+
 /* Authentication mechanism strings */
 #define SASL_MECH_STRING_LOGIN      "LOGIN"
 #define SASL_MECH_STRING_PLAIN      "PLAIN"
@@ -68,6 +70,60 @@ enum {
  CURLDIGESTALGO_MD5SESS
 };

+/* SASL machine states */
+typedef enum {
+  SASL_STOP,
+  SASL_PLAIN,
+  SASL_LOGIN,
+  SASL_LOGIN_PASSWD,
+  SASL_EXTERNAL,
+  SASL_CRAMMD5,
+  SASL_DIGESTMD5,
+  SASL_DIGESTMD5_RESP,
+  SASL_NTLM,
+  SASL_NTLM_TYPE2MSG,
+  SASL_GSSAPI,
+  SASL_GSSAPI_TOKEN,
+  SASL_GSSAPI_NO_DATA,
+  SASL_XOAUTH2,
+  SASL_CANCEL,
+  SASL_FINAL
+} saslstate;
+
+/* Progress indicator */
+typedef enum {
+  SASL_IDLE,
+  SASL_INPROGRESS,
+  SASL_DONE
+} saslprogress;
+
+/* Protocol dependent SASL parameters */
+struct SASLproto {
+  const char *service;     /* The service name */
+  int contcode;            /* Code to receive when continuation is expected */
+  int finalcode;           /* Code to receive upon authentication success */
+  size_t maxirlen;         /* Maximum initial response length */
+  CURLcode (*sendauth)(struct connectdata *conn,
+                       const char *mech, const char *ir);
+                           /* Send authentication command */
+  CURLcode (*sendcont)(struct connectdata *conn, const char *contauth);
+                           /* Send authentication continuation */
+  void (*getmessage)(char *buffer, char **outptr);
+                           /* Get SASL response message */
+};
+
+/* Per-connection parameters */
+struct SASL {
+  const struct SASLproto *params; /* Protocol dependent parameters */
+  saslstate state;         /* Current machine state */
+  unsigned int authmechs;  /* Accepted authentication mechanisms */
+  unsigned int prefmech;   /* Preferred authentication mechanism */
+  unsigned int authused;   /* Auth mechanism used for the connection */
+  bool resetprefs;         /* For URL auth option parsing. */
+  bool mutual_auth;        /* Mutual authentication enabled (GSSAPI only) */
+  bool force_ir;           /* Protocol always supports initial response */
+};
+
 /* This is used to test whether the line starts with the given mechanism */
 #define sasl_mech_equal(line, wordlen, mech) \
  (wordlen == (sizeof(mech) - 1) / sizeof(char) && \
@@ -80,29 +136,11 @@ char *Curl_sasl_build_spn(const char *service, const char *instance);
 TCHAR *Curl_sasl_build_spn(const char *service, const char *instance);
 #endif

-/* This is used to generate a base64 encoded PLAIN authentication message */
-CURLcode Curl_sasl_create_plain_message(struct SessionHandle *data,
-                                        const char *userp,
-                                        const char *passwdp,
-                                        char **outptr, size_t *outlen);
-
-/* This is used to generate a base64 encoded LOGIN authentication message
-   containing either the user name or password details */
-CURLcode Curl_sasl_create_login_message(struct SessionHandle *data,
-                                        const char *valuep, char **outptr,
-                                        size_t *outlen);
+#if defined(HAVE_GSSAPI)
+char *Curl_sasl_build_gssapi_spn(const char *service, const char *host);
+#endif

 #ifndef CURL_DISABLE_CRYPTO_AUTH
-/* This is used to decode a base64 encoded CRAM-MD5 challange message */
-CURLcode Curl_sasl_decode_cram_md5_message(const char *chlg64, char **outptr,
-                                           size_t *outlen);
-
-/* This is used to generate a base64 encoded CRAM-MD5 response message */
-CURLcode Curl_sasl_create_cram_md5_message(struct SessionHandle *data,
-                                           const char *chlg,
-                                           const char *user,
-                                           const char *passwdp,
-                                           char **outptr, size_t *outlen);

 /* This is used to generate a base64 encoded DIGEST-MD5 response message */
 CURLcode Curl_sasl_create_digest_md5_message(struct SessionHandle *data,
@@ -178,15 +216,30 @@ CURLcode Curl_sasl_create_gssapi_security_message(struct SessionHandle *data,
 void Curl_sasl_gssapi_cleanup(struct kerberos5data *krb5);
 #endif /* USE_KERBEROS5 */

-/* This is used to generate a base64 encoded XOAUTH2 authentication message
-   containing the user name and bearer token */
-CURLcode Curl_sasl_create_xoauth2_message(struct SessionHandle *data,
-                                          const char *user,
-                                          const char *bearer,
-                                          char **outptr, size_t *outlen);
-
 /* This is used to cleanup any libraries or curl modules used by the sasl
   functions */
 void Curl_sasl_cleanup(struct connectdata *conn, unsigned int authused);

+/* Convert a mechanism name to a token */
+unsigned int Curl_sasl_decode_mech(const char *ptr,
+                                   size_t maxlen, size_t *len);
+
+/* Parse the URL login options */
+CURLcode Curl_sasl_parse_url_auth_option(struct SASL *sasl,
+                                         const char *value, size_t len);
+
+/* Initializes an SASL structure */
+void Curl_sasl_init(struct SASL *sasl, const struct SASLproto *params);
+
+/* Check if we have enough auth data and capabilities to authenticate */
+bool Curl_sasl_can_authenticate(struct SASL *sasl, struct connectdata *conn);
+
+/* Calculate the required login details for SASL authentication  */
+CURLcode Curl_sasl_start(struct SASL *sasl, struct connectdata *conn,
+                         bool force_ir, saslprogress *progress);
+
+/* Continue an SASL authentication  */
+CURLcode Curl_sasl_continue(struct SASL *sasl, struct connectdata *conn,
+                            int code, saslprogress *progress);
+
 #endif /* HEADER_CURL_SASL_H */
--- a/lib/curl_sasl_gssapi.c
+++ b/lib/curl_sasl_gssapi.c
@@ -5,7 +5,8 @@
 *                            | (__| |_| |  _ <| |___
 *                             \___|\___/|_| \_\_____|
 *
- * Copyright (C) 2014, Steve Holme, <steve_holme@hotmail.com>.
+ * Copyright (C) 2014 - 2015, Steve Holme, <steve_holme@hotmail.com>.
+ * Copyright (C) 2015, Daniel Stenberg, <daniel@haxx.se>, et al.
 *
 * This software is licensed as described in the file COPYING, which
 * you should have received as part of this distribution. The terms
@@ -26,15 +27,6 @@

 #if defined(HAVE_GSSAPI) && defined(USE_KERBEROS5)

-#ifdef HAVE_OLD_GSSMIT
-#define GSS_C_NT_HOSTBASED_SERVICE gss_nt_service_name
-#define NCOMPAT 1
-#endif
-
-#define GSSAUTH_P_NONE      1
-#define GSSAUTH_P_INTEGRITY 2
-#define GSSAUTH_P_PRIVACY   4
-
 #include <curl/curl.h>

 #include "curl_sasl.h"
@@ -62,7 +54,7 @@
 *
 * Returns a pointer to the newly allocated SPN.
 */
-static char *Curl_sasl_build_gssapi_spn(const char *service, const char *host)
+char *Curl_sasl_build_gssapi_spn(const char *service, const char *host)
 {
  /* Generate and return our SPN */
  return aprintf("%s@%s", service, host);
@@ -126,12 +118,16 @@ CURLcode Curl_sasl_create_gssapi_user_message(struct SessionHandle *data,

    /* Import the SPN */
    gss_major_status = gss_import_name(&gss_minor_status, &spn_token,
-                                       gss_nt_service_name, &krb5->spn);
+                                       GSS_C_NT_HOSTBASED_SERVICE, &krb5->spn);
    if(GSS_ERROR(gss_major_status)) {
      Curl_gss_log_error(data, gss_minor_status, "gss_import_name() failed: ");

+      Curl_safefree(spn);
+
      return CURLE_OUT_OF_MEMORY;
    }
+
+    Curl_safefree(spn);
  }
  else {
    /* Decode the base-64 encoded challenge message */
--- a/lib/curl_setup.h
+++ b/lib/curl_setup.h
@@ -7,7 +7,7 @@
 *                            | (__| |_| |  _ <| |___
 *                             \___|\___/|_| \_\_____|
 *
- * Copyright (C) 1998 - 2014, Daniel Stenberg, <daniel@haxx.se>, et al.
+ * Copyright (C) 1998 - 2015, Daniel Stenberg, <daniel@haxx.se>, et al.
 *
 * This software is licensed as described in the file COPYING, which
 * you should have received as part of this distribution. The terms
@@ -190,6 +190,9 @@
 #  ifndef CURL_DISABLE_GOPHER
 #    define CURL_DISABLE_GOPHER
 #  endif
+#  ifndef CURL_DISABLE_SMB
+#    define CURL_DISABLE_SMB
+#  endif
 #endif

 /*
@@ -625,9 +628,14 @@ int netware_init(void);
 #if defined(USE_SSLEAY) || defined(USE_WINDOWS_SSPI) || \
    defined(USE_GNUTLS) || defined(USE_NSS) || defined(USE_DARWINSSL) || \
    defined(USE_OS400CRYPTO) || defined(USE_WIN32_CRYPTO)
+
+#ifdef HAVE_BORINGSSL /* BoringSSL is not NTLM capable */
+#undef USE_NTLM
+#else
 #define USE_NTLM
 #endif
 #endif
+#endif

 /* non-configure builds may define CURL_WANTS_CA_BUNDLE_ENV */
 #if defined(CURL_WANTS_CA_BUNDLE_ENV) && !defined(CURL_CA_BUNDLE)
--- a/lib/ftp.c
+++ b/lib/ftp.c
@@ -5,7 +5,7 @@
 *                            | (__| |_| |  _ <| |___
 *                             \___|\___/|_| \_\_____|
 *
- * Copyright (C) 1998 - 2014, Daniel Stenberg, <daniel@haxx.se>, et al.
+ * Copyright (C) 1998 - 2015, Daniel Stenberg, <daniel@haxx.se>, et al.
 *
 * This software is licensed as described in the file COPYING, which
 * you should have received as part of this distribution. The terms
@@ -294,10 +294,10 @@ static void freedirs(struct ftp_conn *ftpc)
    ftpc->dirs = NULL;
    ftpc->dirdepth = 0;
  }
-  if(ftpc->file) {
-    free(ftpc->file);
-    ftpc->file = NULL;
-  }
+  Curl_safefree(ftpc->file);
+
+  /* no longer of any use */
+  Curl_safefree(ftpc->newhost);
 }

 /* Returns non-zero if the given string contains CR (\r) or LF (\n),
@@ -1815,6 +1815,13 @@ static CURLcode ftp_state_quote(struct connectdata *conn,
 static CURLcode ftp_epsv_disable(struct connectdata *conn)
 {
  CURLcode result = CURLE_OK;
+
+  if(conn->bits.ipv6) {
+    /* We can't disable EPSV when doing IPv6, so this is instead a fail */
+    failf(conn->data, "Failed EPSV attempt, exiting\n");
+    return CURLE_FTP_WEIRD_SERVER_REPLY;
+  }
+
  infof(conn->data, "Failed EPSV attempt. Disabling EPSV\n");
  /* disable it for next transfer */
  conn->bits.ftp_use_epsv = FALSE;
@@ -1917,6 +1924,9 @@ static CURLcode ftp_state_pasv_resp(struct connectdata *conn,
  unsigned short connectport; /* the local port connect() should use! */
  char *str=&data->state.buffer[4];  /* start on the first letter */

+  /* if we come here again, make sure the former name is cleared */
+  Curl_safefree(ftpc->newhost);
+
  if((ftpc->count1 == 0) &&
     (ftpcode == 229)) {
    /* positive EPSV response */
@@ -1949,18 +1959,10 @@ static CURLcode ftp_state_pasv_resp(struct connectdata *conn,
        if(ptr) {
          ftpc->newport = (unsigned short)(num & 0xffff);

-          if(conn->bits.tunnel_proxy ||
-             conn->proxytype == CURLPROXY_SOCKS5 ||
-             conn->proxytype == CURLPROXY_SOCKS5_HOSTNAME ||
-             conn->proxytype == CURLPROXY_SOCKS4 ||
-             conn->proxytype == CURLPROXY_SOCKS4A)
-            /* proxy tunnel -> use other host info because ip_addr_str is the
-               proxy address not the ftp host */
-            snprintf(ftpc->newhost, sizeof(ftpc->newhost), "%s",
-                     conn->host.name);
-          else
-            /* use the same IP we are already connected to */
-            snprintf(ftpc->newhost, NEWHOST_BUFSIZE, "%s", conn->ip_addr_str);
+          /* use the original host name again */
+          ftpc->newhost = strdup(conn->host.name);
+          if(!ftpc->newhost)
+            return CURLE_OUT_OF_MEMORY;
        }
      }
      else
@@ -2001,26 +2003,21 @@ static CURLcode ftp_state_pasv_resp(struct connectdata *conn,

    /* we got OK from server */
    if(data->set.ftp_skip_ip) {
-      /* told to ignore the remotely given IP but instead use the one we used
+      /* told to ignore the remotely given IP but instead use the host we used
         for the control connection */
-      infof(data, "Skips %d.%d.%d.%d for data connection, uses %s instead\n",
+      infof(data, "Skip %d.%d.%d.%d for data connection, re-use %s instead\n",
            ip[0], ip[1], ip[2], ip[3],
-            conn->ip_addr_str);
-      if(conn->bits.tunnel_proxy ||
-         conn->proxytype == CURLPROXY_SOCKS5 ||
-         conn->proxytype == CURLPROXY_SOCKS5_HOSTNAME ||
-         conn->proxytype == CURLPROXY_SOCKS4 ||
-         conn->proxytype == CURLPROXY_SOCKS4A)
-        /* proxy tunnel -> use other host info because ip_addr_str is the
-           proxy address not the ftp host */
-        snprintf(ftpc->newhost, sizeof(ftpc->newhost), "%s", conn->host.name);
-      else
-        snprintf(ftpc->newhost, sizeof(ftpc->newhost), "%s",
-                 conn->ip_addr_str);
+            conn->host.name);
+
+      /* use the original host name again */
+      ftpc->newhost = strdup(conn->host.name);
    }
    else
-      snprintf(ftpc->newhost, sizeof(ftpc->newhost),
-               "%d.%d.%d.%d", ip[0], ip[1], ip[2], ip[3]);
+      ftpc->newhost = aprintf("%d.%d.%d.%d", ip[0], ip[1], ip[2], ip[3]);
+
+    if(!ftpc->newhost)
+      return CURLE_OUT_OF_MEMORY;
+
    ftpc->newport = (unsigned short)(((port[0]<<8) + port[1]) & 0xffff);
  }
  else if(ftpc->count1 == 0) {
@@ -2105,7 +2102,9 @@ static CURLcode ftp_state_port_resp(struct connectdata *conn,
  ftpport fcmd = (ftpport)ftpc->count1;
  CURLcode result = CURLE_OK;

-  if(ftpcode != 200) {
+  /* The FTP spec tells a positive response should have code 200.
+     Be more permissive here to tolerate deviant servers. */
+  if(ftpcode / 100 != 2) {
    /* the command failed */

    if(EPRT == fcmd) {
--- a/lib/ftp.h
+++ b/lib/ftp.h
@@ -7,7 +7,7 @@
 *                            | (__| |_| |  _ <| |___
 *                             \___|\___/|_| \_\_____|
 *
- * Copyright (C) 1998 - 2013, Daniel Stenberg, <daniel@haxx.se>, et al.
+ * Copyright (C) 1998 - 2015, Daniel Stenberg, <daniel@haxx.se>, et al.
 *
 * This software is licensed as described in the file COPYING, which
 * you should have received as part of this distribution. The terms
@@ -147,10 +147,9 @@ struct ftp_conn {
  curl_off_t known_filesize; /* file size is different from -1, if wildcard
                                LIST parsing was done and wc_statemach set
                                it */
-  /* newhost must be able to hold a full IP-style address in ASCII, which
-     in the IPv6 case means 5*8-1 = 39 letters */
-#define NEWHOST_BUFSIZE 48
-  char newhost[NEWHOST_BUFSIZE]; /* this is the pair to connect the DATA... */
+  /* newhost is the (allocated) IP addr or host name to connect the data
+     connection to */
+  char *newhost;          /* this is the pair to connect the DATA... */
  unsigned short newport; /* connection to */

 };
--- a/lib/hostasyn.c
+++ b/lib/hostasyn.c
@@ -5,7 +5,7 @@
 *                            | (__| |_| |  _ <| |___
 *                             \___|\___/|_| \_\_____|
 *
- * Copyright (C) 1998 - 2014, Daniel Stenberg, <daniel@haxx.se>, et al.
+ * Copyright (C) 1998 - 2015, Daniel Stenberg, <daniel@haxx.se>, et al.
 *
 * This software is licensed as described in the file COPYING, which
 * you should have received as part of this distribution. The terms
@@ -123,21 +123,21 @@ CURLcode Curl_addrinfo_callback(struct connectdata *conn,
 CURLcode Curl_async_resolved(struct connectdata *conn,
                             bool *protocol_done)
 {
-  CURLcode code;
+  CURLcode result;

  if(conn->async.dns) {
    conn->dns_entry = conn->async.dns;
    conn->async.dns = NULL;
  }

-  code = Curl_setup_conn(conn, protocol_done);
+  result = Curl_setup_conn(conn, protocol_done);

-  if(code)
+  if(result)
    /* We're not allowed to return failure with memory left allocated
       in the connectdata struct, free those here */
    Curl_disconnect(conn, FALSE); /* close the connection */

-  return code;
+  return result;
 }

 /*
--- a/lib/http.c
+++ b/lib/http.c
@@ -5,7 +5,7 @@
 *                            | (__| |_| |  _ <| |___
 *                             \___|\___/|_| \_\_____|
 *
- * Copyright (C) 1998 - 2014, Daniel Stenberg, <daniel@haxx.se>, et al.
+ * Copyright (C) 1998 - 2015, Daniel Stenberg, <daniel@haxx.se>, et al.
 *
 * This software is licensed as described in the file COPYING, which
 * you should have received as part of this distribution. The terms
@@ -834,14 +834,13 @@ CURLcode Curl_http_input_auth(struct connectdata *conn, bool proxy,
  while(*auth) {
 #ifdef USE_SPNEGO
    if(checkprefix("Negotiate", auth)) {
-      int neg;
      *availp |= CURLAUTH_NEGOTIATE;
      authp->avail |= CURLAUTH_NEGOTIATE;

      if(authp->picked == CURLAUTH_NEGOTIATE) {
        if(negdata->state == GSS_AUTHSENT || negdata->state == GSS_AUTHNONE) {
-          neg = Curl_input_negotiate(conn, proxy, auth);
-          if(neg == 0) {
+          CURLcode result = Curl_input_negotiate(conn, proxy, auth);
+          if(!result) {
            DEBUGASSERT(!data->req.newurl);
            data->req.newurl = strdup(data->change.url);
            if(!data->req.newurl)
--- a/lib/http2.c
+++ b/lib/http2.c
@@ -424,6 +424,11 @@ static int on_header(nghttp2_session *session, const nghttp2_frame *frame,
  (void)frame;
  (void)flags;

+  /* Ignore PUSH_PROMISE for now */
+  if(frame->hd.type != NGHTTP2_HEADERS) {
+    return 0;
+  }
+
  if(frame->hd.stream_id != c->stream_id) {
    return 0;
  }
--- a/lib/http_negotiate.c
+++ b/lib/http_negotiate.c
@@ -5,7 +5,7 @@
 *                            | (__| |_| |  _ <| |___
 *                             \___|\___/|_| \_\_____|
 *
- * Copyright (C) 1998 - 2014, Daniel Stenberg, <daniel@haxx.se>, et al.
+ * Copyright (C) 1998 - 2015, Daniel Stenberg, <daniel@haxx.se>, et al.
 *
 * This software is licensed as described in the file COPYING, which
 * you should have received as part of this distribution. The terms
@@ -22,14 +22,7 @@

 #include "curl_setup.h"

-#ifdef HAVE_GSSAPI
-
-#if !defined(CURL_DISABLE_HTTP) && defined(USE_SPNEGO)
-
-#ifdef HAVE_OLD_GSSMIT
-#define GSS_C_NT_HOSTBASED_SERVICE gss_nt_service_name
-#define NCOMPAT 1
-#endif
+#if defined(HAVE_GSSAPI) && !defined(CURL_DISABLE_HTTP) && defined(USE_SPNEGO)

 #include "urldata.h"
 #include "sendf.h"
@@ -38,6 +31,7 @@
 #include "curl_base64.h"
 #include "http_negotiate.h"
 #include "curl_memory.h"
+#include "curl_sasl.h"
 #include "url.h"

 #define _MPRINTF_REPLACE /* use our functions only */
@@ -46,43 +40,16 @@
 /* The last #include file should be: */
 #include "memdebug.h"

-static int
-get_gss_name(struct connectdata *conn, bool proxy, gss_name_t *server)
-{
-  OM_uint32 major_status, minor_status;
-  gss_buffer_desc token = GSS_C_EMPTY_BUFFER;
-  char name[2048];
-  const char* service = "HTTP";
-
-  token.length = strlen(service) + 1 + strlen(proxy ? conn->proxy.name :
-                                              conn->host.name) + 1;
-  if(token.length + 1 > sizeof(name))
-    return EMSGSIZE;
-
-  snprintf(name, sizeof(name), "%s@%s", service, proxy ? conn->proxy.name :
-           conn->host.name);
-
-  token.value = (void *) name;
-  major_status = gss_import_name(&minor_status,
-                                 &token,
-                                 GSS_C_NT_HOSTBASED_SERVICE,
-                                 server);
-
-  return GSS_ERROR(major_status) ? -1 : 0;
-}
-
-/* returning zero (0) means success, everything else is treated as "failure"
-   with no care exactly what the failure was */
-int Curl_input_negotiate(struct connectdata *conn, bool proxy,
+CURLcode Curl_input_negotiate(struct connectdata *conn, bool proxy,
                              const char *header)
 {
  struct SessionHandle *data = conn->data;
  struct negotiatedata *neg_ctx = proxy?&data->state.proxyneg:
    &data->state.negotiate;
  OM_uint32 major_status, minor_status, discard_st;
+  gss_buffer_desc spn_token = GSS_C_EMPTY_BUFFER;
  gss_buffer_desc input_token = GSS_C_EMPTY_BUFFER;
  gss_buffer_desc output_token = GSS_C_EMPTY_BUFFER;
-  int ret;
  size_t len;
  size_t rawlen = 0;
  CURLcode result;
@@ -92,12 +59,34 @@ int Curl_input_negotiate(struct connectdata *conn, bool proxy,
     * rejected it (since we're again here). Exit with an error since we
     * can't invent anything better */
    Curl_cleanup_negotiate(data);
-    return -1;
+    return CURLE_LOGIN_DENIED;
  }

-  if(neg_ctx->server_name == NULL &&
-      (ret = get_gss_name(conn, proxy, &neg_ctx->server_name)))
-    return ret;
+  if(!neg_ctx->server_name) {
+    /* Generate our SPN */
+    char *spn = Curl_sasl_build_gssapi_spn("HTTP", proxy ? conn->proxy.name :
+                                                           conn->host.name);
+    if(!spn)
+      return CURLE_OUT_OF_MEMORY;
+
+    /* Populate the SPN structure */
+    spn_token.value = spn;
+    spn_token.length = strlen(spn);
+
+    /* Import the SPN */
+    major_status = gss_import_name(&minor_status, &spn_token,
+                                   GSS_C_NT_HOSTBASED_SERVICE,
+                                   &neg_ctx->server_name);
+    if(GSS_ERROR(major_status)) {
+      Curl_gss_log_error(data, minor_status, "gss_import_name() failed: ");
+
+      Curl_safefree(spn);
+
+      return CURLE_OUT_OF_MEMORY;
+    }
+
+      Curl_safefree(spn);
+  }

  header += strlen("Negotiate");
  while(*header && ISSPACE(*header))
@@ -107,8 +96,15 @@ int Curl_input_negotiate(struct connectdata *conn, bool proxy,
  if(len > 0) {
    result = Curl_base64_decode(header, (unsigned char **)&input_token.value,
                                &rawlen);
-    if(result || rawlen == 0)
-      return -1;
+    if(result)
+      return result;
+
+    if(!rawlen) {
+      infof(data, "Negotiate handshake failure (empty challenge message)\n");
+
+      return CURLE_BAD_CONTENT_ENCODING;
+    }
+
    input_token.length = rawlen;

    DEBUGASSERT(input_token.value != NULL);
@@ -132,19 +128,19 @@ int Curl_input_negotiate(struct connectdata *conn, bool proxy,
      gss_release_buffer(&discard_st, &output_token);
    Curl_gss_log_error(conn->data, minor_status,
                       "gss_init_sec_context() failed: ");
-    return -1;
+    return CURLE_OUT_OF_MEMORY;
  }

  if(!output_token.value || !output_token.length) {
    if(output_token.value)
      gss_release_buffer(&discard_st, &output_token);
-    return -1;
+    return CURLE_OUT_OF_MEMORY;
  }

  neg_ctx->output_token = output_token;
-  return 0;
-}

+  return CURLE_OK;
+}

 CURLcode Curl_output_negotiate(struct connectdata *conn, bool proxy)
 {
@@ -211,6 +207,4 @@ void Curl_cleanup_negotiate(struct SessionHandle *data)
  cleanup(&data->state.proxyneg);
 }

-#endif /* !CURL_DISABLE_HTTP && USE_SPNEGO */
-
-#endif /* HAVE_GSSAPI */
+#endif /* HAVE_GSSAPI && !CURL_DISABLE_HTTP && USE_SPNEGO */
--- a/lib/http_negotiate.h
+++ b/lib/http_negotiate.h
@@ -7,7 +7,7 @@
 *                            | (__| |_| |  _ <| |___
 *                             \___|\___/|_| \_\_____|
 *
- * Copyright (C) 1998 - 2011, Daniel Stenberg, <daniel@haxx.se>, et al.
+ * Copyright (C) 1998 - 2015, Daniel Stenberg, <daniel@haxx.se>, et al.
 *
 * This software is licensed as described in the file COPYING, which
 * you should have received as part of this distribution. The terms
@@ -25,7 +25,7 @@
 #ifdef USE_SPNEGO

 /* this is for Negotiate header input */
-int Curl_input_negotiate(struct connectdata *conn, bool proxy,
+CURLcode Curl_input_negotiate(struct connectdata *conn, bool proxy,
                              const char *header);

 /* this is for creating Negotiate header output */
--- a/lib/http_negotiate_sspi.c
+++ b/lib/http_negotiate_sspi.c
@@ -5,7 +5,7 @@
 *                            | (__| |_| |  _ <| |___
 *                             \___|\___/|_| \_\_____|
 *
- * Copyright (C) 1998 - 2014, Daniel Stenberg, <daniel@haxx.se>, et al.
+ * Copyright (C) 1998 - 2015, Daniel Stenberg, <daniel@haxx.se>, et al.
 *
 * This software is licensed as described in the file COPYING, which
 * you should have received as part of this distribution. The terms
@@ -42,9 +42,7 @@
 /* The last #include file should be: */
 #include "memdebug.h"

-/* returning zero (0) means success, everything else is treated as "failure"
-   with no care exactly what the failure was */
-int Curl_input_negotiate(struct connectdata *conn, bool proxy,
+CURLcode Curl_input_negotiate(struct connectdata *conn, bool proxy,
                              const char *header)
 {
  BYTE              *input_token = NULL;
@@ -52,11 +50,11 @@ int Curl_input_negotiate(struct connectdata *conn, bool proxy,
  SecBuffer         out_sec_buff;
  SecBufferDesc     in_buff_desc;
  SecBuffer         in_sec_buff;
-  unsigned long     context_attributes;
-  TimeStamp         expiry;
-  int ret;
+  SECURITY_STATUS   status;
+  unsigned long     attrs;
+  TimeStamp         expiry; /* For Windows 9x compatibility of SSPI calls */
  size_t len = 0, input_token_len = 0;
-  CURLcode error;
+  CURLcode result;

  /* Point to the username and password */
  const char *userp;
@@ -88,28 +86,29 @@ int Curl_input_negotiate(struct connectdata *conn, bool proxy,
     * rejected it (since we're again here). Exit with an error since we
     * can't invent anything better */
    Curl_cleanup_negotiate(conn->data);
-    return -1;
+    return CURLE_LOGIN_DENIED;
  }

  if(!neg_ctx->server_name) {
    /* Check proxy auth requested but no given proxy name */
    if(proxy && !conn->proxy.name)
-      return -1;
+      return CURLE_BAD_FUNCTION_ARGUMENT;

    /* Generate our SPN */
    neg_ctx->server_name = Curl_sasl_build_spn("HTTP",
                                                proxy ? conn->proxy.name :
                                                        conn->host.name);
    if(!neg_ctx->server_name)
-      return -1;
+      return CURLE_OUT_OF_MEMORY;
  }

  if(!neg_ctx->output_token) {
    PSecPkgInfo SecurityPackage;
-    ret = s_pSecFn->QuerySecurityPackageInfo((TCHAR *) TEXT(SP_NAME_NEGOTIATE),
+    status = s_pSecFn->QuerySecurityPackageInfo((TCHAR *)
+                                                TEXT(SP_NAME_NEGOTIATE),
                                                &SecurityPackage);
-    if(ret != SEC_E_OK)
-      return -1;
+    if(status != SEC_E_OK)
+      return CURLE_NOT_BUILT_IN;

    /* Allocate input and output buffers according to the max token size
       as indicated by the security package */
@@ -129,7 +128,7 @@ int Curl_input_negotiate(struct connectdata *conn, bool proxy,
    if(neg_ctx->context) {
      /* The server rejected our authentication and hasn't suppled any more
         negotiation mechanisms */
-      return -1;
+      return CURLE_LOGIN_DENIED;
    }

    /* We have to acquire credentials and allocate memory for the context */
@@ -137,13 +136,13 @@ int Curl_input_negotiate(struct connectdata *conn, bool proxy,
    neg_ctx->context = malloc(sizeof(CtxtHandle));

    if(!neg_ctx->credentials || !neg_ctx->context)
-      return -1;
+      return CURLE_OUT_OF_MEMORY;

    if(userp && *userp) {
      /* Populate our identity structure */
-      error = Curl_create_sspi_identity(userp, passwdp, &neg_ctx->identity);
-      if(error)
-        return -1;
+      result = Curl_create_sspi_identity(userp, passwdp, &neg_ctx->identity);
+      if(result)
+        return result;

      /* Allow proper cleanup of the identity structure */
      neg_ctx->p_identity = &neg_ctx->identity;
@@ -160,14 +159,21 @@ int Curl_input_negotiate(struct connectdata *conn, bool proxy,
                                         neg_ctx->p_identity, NULL, NULL,
                                         neg_ctx->credentials, &expiry);
    if(neg_ctx->status != SEC_E_OK)
-      return -1;
+      return CURLE_LOGIN_DENIED;
  }
  else {
-    error = Curl_base64_decode(header,
+    result = Curl_base64_decode(header,
                                (unsigned char **)&input_token,
                                &input_token_len);
-    if(error || !input_token_len)
-      return -1;
+    if(result)
+      return result;
+
+    if(!input_token_len) {
+      infof(conn->data,
+            "Negotiate handshake failure (empty challenge message)\n");
+
+      return CURLE_BAD_CONTENT_ENCODING;
+    }
  }

  /* Setup the "output" security buffer */
@@ -200,28 +206,27 @@ int Curl_input_negotiate(struct connectdata *conn, bool proxy,
    0,
    neg_ctx->context,
    &out_buff_desc,
-    &context_attributes,
+    &attrs,
    &expiry);

  Curl_safefree(input_token);

  if(GSS_ERROR(neg_ctx->status))
-    return -1;
+    return CURLE_OUT_OF_MEMORY;

  if(neg_ctx->status == SEC_I_COMPLETE_NEEDED ||
     neg_ctx->status == SEC_I_COMPLETE_AND_CONTINUE) {
    neg_ctx->status = s_pSecFn->CompleteAuthToken(neg_ctx->context,
                                                  &out_buff_desc);
    if(GSS_ERROR(neg_ctx->status))
-      return -1;
+      return CURLE_RECV_ERROR;
  }

  neg_ctx->output_token_length = out_sec_buff.cbBuffer;

-  return 0;
+  return CURLE_OK;
 }

-
 CURLcode Curl_output_negotiate(struct connectdata *conn, bool proxy)
 {
  struct negotiatedata *neg_ctx = proxy?&conn->data->state.proxyneg:
--- a/lib/imap.c
+++ b/lib/imap.c
--- a/lib/imap.h
+++ b/lib/imap.h
@@ -7,7 +7,7 @@
 *                            | (__| |_| |  _ <| |___
 *                             \___|\___/|_| \_\_____|
 *
- * Copyright (C) 2009 - 2014, Daniel Stenberg, <daniel@haxx.se>, et al.
+ * Copyright (C) 2009 - 2015, Daniel Stenberg, <daniel@haxx.se>, et al.
 *
 * This software is licensed as described in the file COPYING, which
 * you should have received as part of this distribution. The terms
@@ -23,6 +23,7 @@
 ***************************************************************************/

 #include "pingpong.h"
+#include "curl_sasl.h"

 /****************************************************************************
 * IMAP unique setup
@@ -35,20 +36,7 @@ typedef enum {
  IMAP_STARTTLS,
  IMAP_UPGRADETLS,   /* asynchronously upgrade the connection to SSL/TLS
                       (multi mode only) */
-  IMAP_AUTHENTICATE_PLAIN,
-  IMAP_AUTHENTICATE_LOGIN,
-  IMAP_AUTHENTICATE_LOGIN_PASSWD,
-  IMAP_AUTHENTICATE_CRAMMD5,
-  IMAP_AUTHENTICATE_DIGESTMD5,
-  IMAP_AUTHENTICATE_DIGESTMD5_RESP,
-  IMAP_AUTHENTICATE_NTLM,
-  IMAP_AUTHENTICATE_NTLM_TYPE2MSG,
-  IMAP_AUTHENTICATE_GSSAPI,
-  IMAP_AUTHENTICATE_GSSAPI_TOKEN,
-  IMAP_AUTHENTICATE_GSSAPI_NO_DATA,
-  IMAP_AUTHENTICATE_XOAUTH2,
-  IMAP_AUTHENTICATE_CANCEL,
-  IMAP_AUTHENTICATE_FINAL,
+  IMAP_AUTHENTICATE,
  IMAP_LOGIN,
  IMAP_LIST,
  IMAP_SELECT,
@@ -83,16 +71,13 @@ struct imap_conn {
  struct pingpong pp;
  imapstate state;            /* Always use imap.c:state() to change state! */
  bool ssldone;               /* Is connect() over SSL done? */
-  unsigned int authmechs;     /* Accepted authentication mechanisms */
+  struct SASL sasl;           /* SASL-related parameters */
  unsigned int preftype;      /* Preferred authentication type */
-  unsigned int prefmech;      /* Preferred authentication mechanism */
-  unsigned int authused;      /* Auth mechanism used for the connection */
  int cmdid;                  /* Last used command ID */
  char resptag[5];            /* Response tag to wait for */
  bool tls_supported;         /* StartTLS capability supported by server */
  bool login_disabled;        /* LOGIN command disabled by server */
  bool ir_supported;          /* Initial response supported by server */
-  bool mutual_auth;           /* Mutual authentication enabled (GSSAPI only) */
  char *mailbox;              /* The last selected mailbox */
  char *mailbox_uidvalidity;  /* UIDVALIDITY parsed from select response */
 };
--- a/lib/krb5.c
+++ b/lib/krb5.c
@@ -2,7 +2,7 @@
 *
 * Copyright (c) 1995, 1996, 1997, 1998, 1999, 2013 Kungliga Tekniska H<>gskolan
 * (Royal Institute of Technology, Stockholm, Sweden).
- * Copyright (c) 2004 - 2014 Daniel Stenberg
+ * Copyright (c) 2004 - 2015 Daniel Stenberg
 * All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
@@ -34,13 +34,7 @@

 #include "curl_setup.h"

-#ifndef CURL_DISABLE_FTP
-#ifdef HAVE_GSSAPI
-
-#ifdef HAVE_OLD_GSSMIT
-#define GSS_C_NT_HOSTBASED_SERVICE gss_nt_service_name
-#define NCOMPAT 1
-#endif
+#if defined(HAVE_GSSAPI) && !defined(CURL_DISABLE_FTP)

 #ifdef HAVE_NETDB_H
 #include <netdb.h>
@@ -335,5 +329,4 @@ struct Curl_sec_client_mech Curl_krb5_client_mech = {
    krb5_decode
 };

-#endif /* HAVE_GSSAPI */
-#endif /* CURL_DISABLE_FTP */
+#endif /* HAVE_GSSAPI && !CURL_DISABLE_FTP */
--- a/lib/ldap.c
+++ b/lib/ldap.c
@@ -35,7 +35,7 @@
 * OpenLDAP library versions, USE_OPENLDAP shall not be defined.
 */

-#ifdef CURL_LDAP_WIN            /* Use Windows LDAP implementation. */
+#ifdef USE_WIN32_LDAP           /* Use Windows LDAP implementation. */
 # include <winldap.h>
 # ifndef LDAP_VENDOR_NAME
 #  error Your Platform SDK is NOT sufficient for LDAP support! \
@@ -54,6 +54,15 @@
 # endif /* HAVE_LDAP_SSL && HAVE_LDAP_SSL_H */
 #endif

+/* These are macros in both <wincrypt.h> (in above <winldap.h>) and typedefs
+ * in BoringSSL's <openssl/x509.h>
+ */
+#ifdef HAVE_BORINGSSL
+# undef X509_NAME
+# undef X509_CERT_PAIR
+# undef X509_EXTENSIONS
+#endif
+
 #include "urldata.h"
 #include <curl/curl.h>
 #include "sendf.h"
@@ -81,7 +90,7 @@
 typedef struct {
  char   *lud_host;
  int     lud_port;
-#if defined(CURL_LDAP_WIN)
+#if defined(USE_WIN32_LDAP)
  TCHAR  *lud_dn;
  TCHAR **lud_attrs;
 #else
@@ -89,7 +98,7 @@ typedef struct {
  char  **lud_attrs;
 #endif
  int     lud_scope;
-#if defined(CURL_LDAP_WIN)
+#if defined(USE_WIN32_LDAP)
  TCHAR  *lud_filter;
 #else
  char   *lud_filter;
@@ -194,7 +203,7 @@ static CURLcode Curl_ldap(struct connectdata *conn, bool *done)
 #ifdef LDAP_OPT_NETWORK_TIMEOUT
  struct timeval ldap_timeout = {10,0}; /* 10 sec connection/search timeout */
 #endif
-#if defined(CURL_LDAP_WIN)
+#if defined(USE_WIN32_LDAP)
  TCHAR *host = NULL;
  TCHAR *user = NULL;
  TCHAR *passwd = NULL;
@@ -226,7 +235,7 @@ static CURLcode Curl_ldap(struct connectdata *conn, bool *done)
  infof(data, "LDAP local: trying to establish %s connection\n",
          ldap_ssl ? "encrypted" : "cleartext");

-#if defined(CURL_LDAP_WIN)
+#if defined(USE_WIN32_LDAP)
  host = Curl_convert_UTF8_to_tchar(conn->host.name);
  if(!host) {
    result = CURLE_OUT_OF_MEMORY;
@@ -259,7 +268,7 @@ static CURLcode Curl_ldap(struct connectdata *conn, bool *done)

  if(ldap_ssl) {
 #ifdef HAVE_LDAP_SSL
-#ifdef CURL_LDAP_WIN
+#ifdef USE_WIN32_LDAP
    /* Win32 LDAP SDK doesn't support insecure mode without CA! */
    server = ldap_sslinit(host, (int)conn->port, 1);
    ldap_set_option(server, LDAP_OPT_SSL, LDAP_OPT_ON);
@@ -392,7 +401,7 @@ static CURLcode Curl_ldap(struct connectdata *conn, bool *done)
      goto quit;
    }
  }
-#ifdef CURL_LDAP_WIN
+#ifdef USE_WIN32_LDAP
  ldap_set_option(server, LDAP_OPT_PROTOCOL_VERSION, &ldap_proto);
 #endif

@@ -421,7 +430,7 @@ static CURLcode Curl_ldap(struct connectdata *conn, bool *done)
      entryIterator;
      entryIterator = ldap_next_entry(server, entryIterator), num++) {
    BerElement *ber = NULL;
-#if defined(CURL_LDAP_WIN)
+#if defined(USE_WIN32_LDAP)
    TCHAR *attribute;
 #else
    char  *attribute;       /*! suspicious that this isn't 'const' */
@@ -432,7 +441,7 @@ static CURLcode Curl_ldap(struct connectdata *conn, bool *done)
    {
      char *name;
      size_t name_len;
-#if defined(CURL_LDAP_WIN)
+#if defined(USE_WIN32_LDAP)
      TCHAR *dn = ldap_get_dn(server, entryIterator);
      name = Curl_convert_tchar_to_UTF8(dn);
      if(!name) {
@@ -449,7 +458,7 @@ static CURLcode Curl_ldap(struct connectdata *conn, bool *done)

      result = Curl_client_write(conn, CLIENTWRITE_BODY, (char *)"DN: ", 4);
      if(result) {
-#if defined(CURL_LDAP_WIN)
+#if defined(USE_WIN32_LDAP)
        Curl_unicodefree(name);
 #endif
        ldap_memfree(dn);
@@ -460,7 +469,7 @@ static CURLcode Curl_ldap(struct connectdata *conn, bool *done)
      result = Curl_client_write(conn, CLIENTWRITE_BODY, (char *) name,
                                 name_len);
      if(result) {
-#if defined(CURL_LDAP_WIN)
+#if defined(USE_WIN32_LDAP)
        Curl_unicodefree(name);
 #endif
        ldap_memfree(dn);
@@ -470,7 +479,7 @@ static CURLcode Curl_ldap(struct connectdata *conn, bool *done)

      result = Curl_client_write(conn, CLIENTWRITE_BODY, (char *)"\n", 1);
      if(result) {
-#if defined(CURL_LDAP_WIN)
+#if defined(USE_WIN32_LDAP)
        Curl_unicodefree(name);
 #endif
        ldap_memfree(dn);
@@ -480,7 +489,7 @@ static CURLcode Curl_ldap(struct connectdata *conn, bool *done)

      dlsize += name_len + 5;

-#if defined(CURL_LDAP_WIN)
+#if defined(USE_WIN32_LDAP)
      Curl_unicodefree(name);
 #endif
      ldap_memfree(dn);
@@ -492,7 +501,7 @@ static CURLcode Curl_ldap(struct connectdata *conn, bool *done)
        attribute = ldap_next_attribute(server, entryIterator, ber)) {
      BerValue **vals;
      size_t attr_len;
-#if defined(CURL_LDAP_WIN)
+#if defined(USE_WIN32_LDAP)
      char *attr = Curl_convert_tchar_to_UTF8(attribute);
      if(!attr) {
        if(ber)
@@ -513,7 +522,7 @@ static CURLcode Curl_ldap(struct connectdata *conn, bool *done)
          result = Curl_client_write(conn, CLIENTWRITE_BODY, (char *)"\t", 1);
          if(result) {
            ldap_value_free_len(vals);
-#if defined(CURL_LDAP_WIN)
+#if defined(USE_WIN32_LDAP)
            Curl_unicodefree(attr);
 #endif
            ldap_memfree(attribute);
@@ -527,7 +536,7 @@ static CURLcode Curl_ldap(struct connectdata *conn, bool *done)
                                     (char *) attr, attr_len);
          if(result) {
            ldap_value_free_len(vals);
-#if defined(CURL_LDAP_WIN)
+#if defined(USE_WIN32_LDAP)
            Curl_unicodefree(attr);
 #endif
            ldap_memfree(attribute);
@@ -540,7 +549,7 @@ static CURLcode Curl_ldap(struct connectdata *conn, bool *done)
          result = Curl_client_write(conn, CLIENTWRITE_BODY, (char *)": ", 2);
          if(result) {
            ldap_value_free_len(vals);
-#if defined(CURL_LDAP_WIN)
+#if defined(USE_WIN32_LDAP)
            Curl_unicodefree(attr);
 #endif
            ldap_memfree(attribute);
@@ -562,7 +571,7 @@ static CURLcode Curl_ldap(struct connectdata *conn, bool *done)
                                        &val_b64_sz);
            if(result) {
              ldap_value_free_len(vals);
-#if defined(CURL_LDAP_WIN)
+#if defined(USE_WIN32_LDAP)
              Curl_unicodefree(attr);
 #endif
              ldap_memfree(attribute);
@@ -578,7 +587,7 @@ static CURLcode Curl_ldap(struct connectdata *conn, bool *done)
              free(val_b64);
              if(result) {
                ldap_value_free_len(vals);
-#if defined(CURL_LDAP_WIN)
+#if defined(USE_WIN32_LDAP)
                Curl_unicodefree(attr);
 #endif
                ldap_memfree(attribute);
@@ -596,7 +605,7 @@ static CURLcode Curl_ldap(struct connectdata *conn, bool *done)
                                       vals[i]->bv_len);
            if(result) {
              ldap_value_free_len(vals);
-#if defined(CURL_LDAP_WIN)
+#if defined(USE_WIN32_LDAP)
              Curl_unicodefree(attr);
 #endif
              ldap_memfree(attribute);
@@ -612,7 +621,7 @@ static CURLcode Curl_ldap(struct connectdata *conn, bool *done)
          result = Curl_client_write(conn, CLIENTWRITE_BODY, (char *)"\n", 1);
          if(result) {
            ldap_value_free_len(vals);
-#if defined(CURL_LDAP_WIN)
+#if defined(USE_WIN32_LDAP)
            Curl_unicodefree(attr);
 #endif
            ldap_memfree(attribute);
@@ -630,7 +639,7 @@ static CURLcode Curl_ldap(struct connectdata *conn, bool *done)
      }

      /* Free the attribute as we are done with it */
-#if defined(CURL_LDAP_WIN)
+#if defined(USE_WIN32_LDAP)
      Curl_unicodefree(attr);
 #endif
      ldap_memfree(attribute);
@@ -662,7 +671,7 @@ quit:
    ldapssl_client_deinit();
 #endif /* HAVE_LDAP_SSL && CURL_HAS_NOVELL_LDAPSDK */

-#if defined(CURL_LDAP_WIN)
+#if defined(USE_WIN32_LDAP)
  Curl_unicodefree(passwd);
  Curl_unicodefree(user);
  Curl_unicodefree(host);
@@ -802,7 +811,7 @@ static int _ldap_url_parse2 (const struct connectdata *conn, LDAPURLDesc *ludp)
      goto quit;
    }

-#if defined(CURL_LDAP_WIN)
+#if defined(USE_WIN32_LDAP)
    /* Convert the unescaped string to a tchar */
    ludp->lud_dn = Curl_convert_UTF8_to_tchar(unescaped);

@@ -840,7 +849,7 @@ static int _ldap_url_parse2 (const struct connectdata *conn, LDAPURLDesc *ludp)
    }

    /* Allocate our array (+1 for the NULL entry) */
-#if defined(CURL_LDAP_WIN)
+#if defined(USE_WIN32_LDAP)
    ludp->lud_attrs = calloc(count + 1, sizeof(TCHAR *));
 #else
    ludp->lud_attrs = calloc(count + 1, sizeof(char *));
@@ -868,7 +877,7 @@ static int _ldap_url_parse2 (const struct connectdata *conn, LDAPURLDesc *ludp)
        goto quit;
      }

-#if defined(CURL_LDAP_WIN)
+#if defined(USE_WIN32_LDAP)
      /* Convert the unescaped string to a tchar */
      ludp->lud_attrs[i] = Curl_convert_UTF8_to_tchar(unescaped);

@@ -934,7 +943,7 @@ static int _ldap_url_parse2 (const struct connectdata *conn, LDAPURLDesc *ludp)
      goto quit;
    }

-#if defined(CURL_LDAP_WIN)
+#if defined(USE_WIN32_LDAP)
    /* Convert the unescaped string to a tchar */
    ludp->lud_filter = Curl_convert_UTF8_to_tchar(unescaped);

--- a/lib/md4.c
+++ b/lib/md4.c
@@ -1,23 +1,38 @@
-/*-
-   Copyright (C) 1990-2, RSA Data Security, Inc. All rights reserved.
-
-   License to copy and use this software is granted provided that it
-   is identified as the "RSA Data Security, Inc. MD4 Message-Digest
-   Algorithm" in all material mentioning or referencing this software
-   or this function.
-
-   License is also granted to make and use derivative works provided
-   that such works are identified as "derived from the RSA Data
-   Security, Inc. MD4 Message-Digest Algorithm" in all material
-   mentioning or referencing the derived work.
-
-   RSA Data Security, Inc. makes no representations concerning either
-   the merchantability of this software or the suitability of this
-   software for any particular purpose. It is provided "as is"
-   without express or implied warranty of any kind.
-
-   These notices must be retained in any copies of any part of this
-   documentation and/or software.
+/*
+ * This is an OpenSSL-compatible implementation of the RSA Data Security, Inc.
+ * MD4 Message-Digest Algorithm (RFC 1320).
+ *
+ * Homepage:
+ http://openwall.info/wiki/people/solar/software/public-domain-source-code/md4
+ *
+ * Author:
+ * Alexander Peslyak, better known as Solar Designer <solar at openwall.com>
+ *
+ * This software was written by Alexander Peslyak in 2001.  No copyright is
+ * claimed, and the software is hereby placed in the public domain.  In case
+ * this attempt to disclaim copyright and place the software in the public
+ * domain is deemed null and void, then the software is Copyright (c) 2001
+ * Alexander Peslyak and it is hereby released to the general public under the
+ * following terms:
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted.
+ *
+ * There's ABSOLUTELY NO WARRANTY, express or implied.
+ *
+ * (This is a heavily cut-down "BSD license".)
+ *
+ * This differs from Colin Plumb's older public domain implementation in that
+ * no exactly 32-bit integer data type is required (any 32-bit or wider
+ * unsigned integer data type will do), there's no compile-time endianness
+ * configuration, and the function prototypes match OpenSSL's.  No code from
+ * Colin Plumb's implementation has been reused; this comment merely compares
+ * the properties of the two independent implementations.
+ *
+ * The primary goals of this implementation are portability and ease of use.
+ * It is meant to be fast, but not as fast as possible.  Some known
+ * optimizations are not included to reduce source code size and avoid
+ * compile-time configuration.
 */

 #include "curl_setup.h"
@@ -29,254 +44,261 @@
 #include "curl_md4.h"
 #include "warnless.h"

-typedef unsigned int UINT4;
+#ifndef HAVE_OPENSSL

-typedef struct MD4Context {
-  UINT4 state[4];               /* state (ABCD) */
-  UINT4 count[2];               /* number of bits, modulo 2^64 (lsb first) */
-  unsigned char buffer[64];     /* input buffer */
+#include <string.h>
+
+/* Any 32-bit or wider unsigned integer data type will do */
+typedef unsigned int MD4_u32plus;
+
+typedef struct {
+  MD4_u32plus lo, hi;
+  MD4_u32plus a, b, c, d;
+  unsigned char buffer[64];
+  MD4_u32plus block[16];
 } MD4_CTX;

-/* Constants for MD4Transform routine.
+static void MD4_Init(MD4_CTX *ctx);
+static void MD4_Update(MD4_CTX *ctx, const void *data, unsigned long size);
+static void MD4_Final(unsigned char *result, MD4_CTX *ctx);
+
+/*
+ * The basic MD4 functions.
+ *
+ * F and G are optimized compared to their RFC 1320 definitions, with the
+ * optimization for F borrowed from Colin Plumb's MD5 implementation.
 */
-#define S11 3
-#define S12 7
-#define S13 11
-#define S14 19
-#define S21 3
-#define S22 5
-#define S23 9
-#define S24 13
-#define S31 3
-#define S32 9
-#define S33 11
-#define S34 15
-
-static void MD4Transform(UINT4 [4], const unsigned char [64]);
-static void Encode(unsigned char *, UINT4 *, unsigned int);
-static void Decode(UINT4 *, const unsigned char *, unsigned int);
-
-static unsigned char PADDING[64] = {
-  0x80, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
-  0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
-  0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0
-};
-
-/* F, G and H are basic MD4 functions.
- */
-#define F(x, y, z) (((x) & (y)) | ((~x) & (z)))
-#define G(x, y, z) (((x) & (y)) | ((x) & (z)) | ((y) & (z)))
+#define F(x, y, z)                      ((z) ^ ((x) & ((y) ^ (z))))
+#define G(x, y, z)                      (((x) & ((y) | (z))) | ((y) & (z)))
 #define H(x, y, z)                      ((x) ^ (y) ^ (z))

-/* ROTATE_LEFT rotates x left n bits.
+/*
+ * The MD4 transformation for all three rounds.
 */
-#define ROTATE_LEFT(x, n) (((x) << (n)) | ((x) >> (32-(n))))
+#define STEP(f, a, b, c, d, x, s) \
+        (a) += f((b), (c), (d)) + (x); \
+        (a) = (((a) << (s)) | (((a) & 0xffffffff) >> (32 - (s))));

-/* FF, GG and HH are transformations for rounds 1, 2 and 3 */
-/* Rotation is separate from addition to prevent recomputation */
-#define FF(a, b, c, d, x, s) { \
-    (a) += F ((b), (c), (d)) + (x); \
-    (a) = ROTATE_LEFT ((a), (s)); \
-  }
-#define GG(a, b, c, d, x, s) { \
-    (a) += G ((b), (c), (d)) + (x) + (UINT4)0x5a827999; \
-    (a) = ROTATE_LEFT ((a), (s)); \
-  }
-#define HH(a, b, c, d, x, s) { \
-    (a) += H ((b), (c), (d)) + (x) + (UINT4)0x6ed9eba1; \
-    (a) = ROTATE_LEFT ((a), (s)); \
-  }
-
-/* MD4 initialization. Begins an MD4 operation, writing a new context.
+/*
+ * SET reads 4 input bytes in little-endian byte order and stores them
+ * in a properly aligned word in host byte order.
+ *
+ * The check for little-endian architectures that tolerate unaligned
+ * memory accesses is just an optimization.  Nothing will break if it
+ * doesn't work.
 */
-static void MD4Init(MD4_CTX *context)
+#if defined(__i386__) || defined(__x86_64__) || defined(__vax__)
+#define SET(n) \
+        (*(MD4_u32plus *)&ptr[(n) * 4])
+#define GET(n) \
+        SET(n)
+#else
+#define SET(n) \
+        (ctx->block[(n)] = \
+        (MD4_u32plus)ptr[(n) * 4] | \
+        ((MD4_u32plus)ptr[(n) * 4 + 1] << 8) | \
+        ((MD4_u32plus)ptr[(n) * 4 + 2] << 16) | \
+        ((MD4_u32plus)ptr[(n) * 4 + 3] << 24))
+#define GET(n) \
+        (ctx->block[(n)])
+#endif
+
+/*
+ * This processes one or more 64-byte data blocks, but does NOT update
+ * the bit counters.  There are no alignment requirements.
+ */
+static const void *body(MD4_CTX *ctx, const void *data, unsigned long size)
 {
-  context->count[0] = context->count[1] = 0;
+  const unsigned char *ptr;
+  MD4_u32plus a, b, c, d;
+  MD4_u32plus saved_a, saved_b, saved_c, saved_d;

-  /* Load magic initialization constants.
-   */
-  context->state[0] = 0x67452301;
-  context->state[1] = 0xefcdab89;
-  context->state[2] = 0x98badcfe;
-  context->state[3] = 0x10325476;
-}
+  ptr = (const unsigned char *)data;

-/* MD4 block update operation. Continues an MD4 message-digest
-     operation, processing another message block, and updating the
-     context.
- */
-static void MD4Update(MD4_CTX *context, const unsigned char *input,
-                      unsigned int inputLen)
-{
-  unsigned int i, bufindex, partLen;
+  a = ctx->a;
+  b = ctx->b;
+  c = ctx->c;
+  d = ctx->d;

-  /* Compute number of bytes mod 64 */
-  bufindex = (unsigned int)((context->count[0] >> 3) & 0x3F);
-  /* Update number of bits */
-  if((context->count[0] += ((UINT4)inputLen << 3))
-     < ((UINT4)inputLen << 3))
-    context->count[1]++;
-  context->count[1] += ((UINT4)inputLen >> 29);
-
-  partLen = 64 - bufindex;
-  /* Transform as many times as possible.
-   */
-  if(inputLen >= partLen) {
-    memcpy(&context->buffer[bufindex], input, partLen);
-    MD4Transform (context->state, context->buffer);
-
-    for(i = partLen; i + 63 < inputLen; i += 64)
-      MD4Transform (context->state, &input[i]);
-
-    bufindex = 0;
-  }
-  else
-    i = 0;
-
-  /* Buffer remaining input */
-  memcpy(&context->buffer[bufindex], &input[i], inputLen-i);
-}
-
-/* MD4 padding. */
-static void MD4Pad(MD4_CTX *context)
-{
-  unsigned char bits[8];
-  unsigned int bufindex, padLen;
-
-  /* Save number of bits */
-  Encode (bits, context->count, 8);
-
-  /* Pad out to 56 mod 64.
-   */
-  bufindex = (unsigned int)((context->count[0] >> 3) & 0x3f);
-  padLen = (bufindex < 56) ? (56 - bufindex) : (120 - bufindex);
-  MD4Update (context, PADDING, padLen);
-
-  /* Append length (before padding) */
-  MD4Update (context, bits, 8);
-}
-
-/* MD4 finalization. Ends an MD4 message-digest operation, writing the
-     the message digest and zeroizing the context.
- */
-static void MD4Final (unsigned char digest[16], MD4_CTX *context)
-{
-  /* Do padding */
-  MD4Pad (context);
-
-  /* Store state in digest */
-  Encode (digest, context->state, 16);
-
-  /* Zeroize sensitive information.
-   */
-  memset(context, 0, sizeof(*context));
-}
-
-/* MD4 basic transformation. Transforms state based on block.
- */
-static void MD4Transform (UINT4 state[4], const unsigned char block[64])
-{
-  UINT4 a = state[0], b = state[1], c = state[2], d = state[3], x[16];
-
-  Decode (x, block, 64);
+  do {
+    saved_a = a;
+    saved_b = b;
+    saved_c = c;
+    saved_d = d;

 /* Round 1 */
-  FF (a, b, c, d, x[ 0], S11); /* 1 */
-  FF (d, a, b, c, x[ 1], S12); /* 2 */
-  FF (c, d, a, b, x[ 2], S13); /* 3 */
-  FF (b, c, d, a, x[ 3], S14); /* 4 */
-  FF (a, b, c, d, x[ 4], S11); /* 5 */
-  FF (d, a, b, c, x[ 5], S12); /* 6 */
-  FF (c, d, a, b, x[ 6], S13); /* 7 */
-  FF (b, c, d, a, x[ 7], S14); /* 8 */
-  FF (a, b, c, d, x[ 8], S11); /* 9 */
-  FF (d, a, b, c, x[ 9], S12); /* 10 */
-  FF (c, d, a, b, x[10], S13); /* 11 */
-  FF (b, c, d, a, x[11], S14); /* 12 */
-  FF (a, b, c, d, x[12], S11); /* 13 */
-  FF (d, a, b, c, x[13], S12); /* 14 */
-  FF (c, d, a, b, x[14], S13); /* 15 */
-  FF (b, c, d, a, x[15], S14); /* 16 */
+    STEP(F, a, b, c, d, SET(0), 3)
+      STEP(F, d, a, b, c, SET(1), 7)
+      STEP(F, c, d, a, b, SET(2), 11)
+      STEP(F, b, c, d, a, SET(3), 19)
+      STEP(F, a, b, c, d, SET(4), 3)
+      STEP(F, d, a, b, c, SET(5), 7)
+      STEP(F, c, d, a, b, SET(6), 11)
+      STEP(F, b, c, d, a, SET(7), 19)
+      STEP(F, a, b, c, d, SET(8), 3)
+      STEP(F, d, a, b, c, SET(9), 7)
+      STEP(F, c, d, a, b, SET(10), 11)
+      STEP(F, b, c, d, a, SET(11), 19)
+      STEP(F, a, b, c, d, SET(12), 3)
+      STEP(F, d, a, b, c, SET(13), 7)
+      STEP(F, c, d, a, b, SET(14), 11)
+      STEP(F, b, c, d, a, SET(15), 19)

 /* Round 2 */
-  GG (a, b, c, d, x[ 0], S21); /* 17 */
-  GG (d, a, b, c, x[ 4], S22); /* 18 */
-  GG (c, d, a, b, x[ 8], S23); /* 19 */
-  GG (b, c, d, a, x[12], S24); /* 20 */
-  GG (a, b, c, d, x[ 1], S21); /* 21 */
-  GG (d, a, b, c, x[ 5], S22); /* 22 */
-  GG (c, d, a, b, x[ 9], S23); /* 23 */
-  GG (b, c, d, a, x[13], S24); /* 24 */
-  GG (a, b, c, d, x[ 2], S21); /* 25 */
-  GG (d, a, b, c, x[ 6], S22); /* 26 */
-  GG (c, d, a, b, x[10], S23); /* 27 */
-  GG (b, c, d, a, x[14], S24); /* 28 */
-  GG (a, b, c, d, x[ 3], S21); /* 29 */
-  GG (d, a, b, c, x[ 7], S22); /* 30 */
-  GG (c, d, a, b, x[11], S23); /* 31 */
-  GG (b, c, d, a, x[15], S24); /* 32 */
+      STEP(G, a, b, c, d, GET(0) + 0x5a827999, 3)
+      STEP(G, d, a, b, c, GET(4) + 0x5a827999, 5)
+      STEP(G, c, d, a, b, GET(8) + 0x5a827999, 9)
+      STEP(G, b, c, d, a, GET(12) + 0x5a827999, 13)
+      STEP(G, a, b, c, d, GET(1) + 0x5a827999, 3)
+      STEP(G, d, a, b, c, GET(5) + 0x5a827999, 5)
+      STEP(G, c, d, a, b, GET(9) + 0x5a827999, 9)
+      STEP(G, b, c, d, a, GET(13) + 0x5a827999, 13)
+      STEP(G, a, b, c, d, GET(2) + 0x5a827999, 3)
+      STEP(G, d, a, b, c, GET(6) + 0x5a827999, 5)
+      STEP(G, c, d, a, b, GET(10) + 0x5a827999, 9)
+      STEP(G, b, c, d, a, GET(14) + 0x5a827999, 13)
+      STEP(G, a, b, c, d, GET(3) + 0x5a827999, 3)
+      STEP(G, d, a, b, c, GET(7) + 0x5a827999, 5)
+      STEP(G, c, d, a, b, GET(11) + 0x5a827999, 9)
+      STEP(G, b, c, d, a, GET(15) + 0x5a827999, 13)

 /* Round 3 */
-  HH (a, b, c, d, x[ 0], S31); /* 33 */
-  HH (d, a, b, c, x[ 8], S32); /* 34 */
-  HH (c, d, a, b, x[ 4], S33); /* 35 */
-  HH (b, c, d, a, x[12], S34); /* 36 */
-  HH (a, b, c, d, x[ 2], S31); /* 37 */
-  HH (d, a, b, c, x[10], S32); /* 38 */
-  HH (c, d, a, b, x[ 6], S33); /* 39 */
-  HH (b, c, d, a, x[14], S34); /* 40 */
-  HH (a, b, c, d, x[ 1], S31); /* 41 */
-  HH (d, a, b, c, x[ 9], S32); /* 42 */
-  HH (c, d, a, b, x[ 5], S33); /* 43 */
-  HH (b, c, d, a, x[13], S34); /* 44 */
-  HH (a, b, c, d, x[ 3], S31); /* 45 */
-  HH (d, a, b, c, x[11], S32); /* 46 */
-  HH (c, d, a, b, x[ 7], S33); /* 47 */
-  HH (b, c, d, a, x[15], S34); /* 48 */
+      STEP(H, a, b, c, d, GET(0) + 0x6ed9eba1, 3)
+      STEP(H, d, a, b, c, GET(8) + 0x6ed9eba1, 9)
+      STEP(H, c, d, a, b, GET(4) + 0x6ed9eba1, 11)
+      STEP(H, b, c, d, a, GET(12) + 0x6ed9eba1, 15)
+      STEP(H, a, b, c, d, GET(2) + 0x6ed9eba1, 3)
+      STEP(H, d, a, b, c, GET(10) + 0x6ed9eba1, 9)
+      STEP(H, c, d, a, b, GET(6) + 0x6ed9eba1, 11)
+      STEP(H, b, c, d, a, GET(14) + 0x6ed9eba1, 15)
+      STEP(H, a, b, c, d, GET(1) + 0x6ed9eba1, 3)
+      STEP(H, d, a, b, c, GET(9) + 0x6ed9eba1, 9)
+      STEP(H, c, d, a, b, GET(5) + 0x6ed9eba1, 11)
+      STEP(H, b, c, d, a, GET(13) + 0x6ed9eba1, 15)
+      STEP(H, a, b, c, d, GET(3) + 0x6ed9eba1, 3)
+      STEP(H, d, a, b, c, GET(11) + 0x6ed9eba1, 9)
+      STEP(H, c, d, a, b, GET(7) + 0x6ed9eba1, 11)
+      STEP(H, b, c, d, a, GET(15) + 0x6ed9eba1, 15)

-  state[0] += a;
-  state[1] += b;
-  state[2] += c;
-  state[3] += d;
+      a += saved_a;
+    b += saved_b;
+    c += saved_c;
+    d += saved_d;

-  /* Zeroize sensitive information.
-   */
-  memset(x, 0, sizeof(x));
+    ptr += 64;
+  } while(size -= 64);
+
+  ctx->a = a;
+  ctx->b = b;
+  ctx->c = c;
+  ctx->d = d;
+
+  return ptr;
 }

-/* Encodes input (UINT4) into output (unsigned char). Assumes len is
-     a multiple of 4.
- */
-static void Encode(unsigned char *output, UINT4 *input, unsigned int len)
+static void MD4_Init(MD4_CTX *ctx)
 {
-  unsigned int i, j;
+  ctx->a = 0x67452301;
+  ctx->b = 0xefcdab89;
+  ctx->c = 0x98badcfe;
+  ctx->d = 0x10325476;

-  for(i = 0, j = 0; j < len; i++, j += 4) {
-    output[j] = (unsigned char)(input[i] & 0xff);
-    output[j+1] = (unsigned char)((input[i] >> 8) & 0xff);
-    output[j+2] = (unsigned char)((input[i] >> 16) & 0xff);
-    output[j+3] = (unsigned char)((input[i] >> 24) & 0xff);
-  }
+  ctx->lo = 0;
+  ctx->hi = 0;
 }

-/* Decodes input (unsigned char) into output (UINT4). Assumes len is
-     a multiple of 4.
- */
-static void Decode (UINT4 *output, const unsigned char *input,
-                    unsigned int len)
+static void MD4_Update(MD4_CTX *ctx, const void *data, unsigned long size)
 {
-  unsigned int i, j;
+  MD4_u32plus saved_lo;
+  unsigned long used, available;

-  for(i = 0, j = 0; j < len; i++, j += 4)
-    output[i] = ((UINT4)input[j]) | (((UINT4)input[j+1]) << 8) |
-      (((UINT4)input[j+2]) << 16) | (((UINT4)input[j+3]) << 24);
+  saved_lo = ctx->lo;
+  if((ctx->lo = (saved_lo + size) & 0x1fffffff) < saved_lo)
+    ctx->hi++;
+  ctx->hi += (MD4_u32plus)size >> 29;
+
+  used = saved_lo & 0x3f;
+
+  if(used) {
+    available = 64 - used;
+
+    if(size < available) {
+      memcpy(&ctx->buffer[used], data, size);
+      return;
    }

+    memcpy(&ctx->buffer[used], data, available);
+    data = (const unsigned char *)data + available;
+    size -= available;
+    body(ctx, ctx->buffer, 64);
+  }
+
+  if(size >= 64) {
+    data = body(ctx, data, size & ~(unsigned long)0x3f);
+    size &= 0x3f;
+  }
+
+  memcpy(ctx->buffer, data, size);
+}
+
+static void MD4_Final(unsigned char *result, MD4_CTX *ctx)
+{
+  unsigned long used, available;
+
+  used = ctx->lo & 0x3f;
+
+  ctx->buffer[used++] = 0x80;
+
+  available = 64 - used;
+
+  if(available < 8) {
+    memset(&ctx->buffer[used], 0, available);
+    body(ctx, ctx->buffer, 64);
+    used = 0;
+    available = 64;
+  }
+
+  memset(&ctx->buffer[used], 0, available - 8);
+
+  ctx->lo <<= 3;
+  ctx->buffer[56] = curlx_ultouc((ctx->lo)&0xff);
+  ctx->buffer[57] = curlx_ultouc((ctx->lo >> 8)&0xff);
+  ctx->buffer[58] = curlx_ultouc((ctx->lo >> 16)&0xff);
+  ctx->buffer[59] = curlx_ultouc((ctx->lo >> 24)&0xff);
+  ctx->buffer[60] = curlx_ultouc((ctx->hi)&0xff);
+  ctx->buffer[61] = curlx_ultouc((ctx->hi >> 8)&0xff);
+  ctx->buffer[62] = curlx_ultouc((ctx->hi >> 16)&0xff);
+  ctx->buffer[63] = curlx_ultouc(ctx->hi >> 24);
+
+  body(ctx, ctx->buffer, 64);
+
+  result[0] = curlx_ultouc((ctx->a)&0xff);
+  result[1] = curlx_ultouc((ctx->a >> 8)&0xff);
+  result[2] = curlx_ultouc((ctx->a >> 16)&0xff);
+  result[3] = curlx_ultouc(ctx->a >> 24);
+  result[4] = curlx_ultouc((ctx->b)&0xff);
+  result[5] = curlx_ultouc((ctx->b >> 8)&0xff);
+  result[6] = curlx_ultouc((ctx->b >> 16)&0xff);
+  result[7] = curlx_ultouc(ctx->b >> 24);
+  result[8] = curlx_ultouc((ctx->c)&0xff);
+  result[9] = curlx_ultouc((ctx->c >> 8)&0xff);
+  result[10] = curlx_ultouc((ctx->c >> 16)&0xff);
+  result[11] = curlx_ultouc(ctx->c >> 24);
+  result[12] = curlx_ultouc((ctx->d)&0xff);
+  result[13] = curlx_ultouc((ctx->d >> 8)&0xff);
+  result[14] = curlx_ultouc((ctx->d >> 16)&0xff);
+  result[15] = curlx_ultouc(ctx->d >> 24);
+
+  memset(ctx, 0, sizeof(*ctx));
+}
+
+#endif
+
 void Curl_md4it(unsigned char *output, const unsigned char *input, size_t len)
 {
  MD4_CTX ctx;
-  MD4Init(&ctx);
-  MD4Update(&ctx, input, curlx_uztoui(len));
-  MD4Final(output, &ctx);
+  MD4_Init(&ctx);
+  MD4_Update(&ctx, input, curlx_uztoui(len));
+  MD4_Final(output, &ctx);
 }
 #endif /* defined(USE_NSS) || defined(USE_OS400CRYPTO) */
--- a/lib/md5.c
+++ b/lib/md5.c
@@ -5,7 +5,7 @@
 *                            | (__| |_| |  _ <| |___
 *                             \___|\___/|_| \_\_____|
 *
- * Copyright (C) 1998 - 2012, Daniel Stenberg, <daniel@haxx.se>, et al.
+ * Copyright (C) 1998 - 2015, Daniel Stenberg, <daniel@haxx.se>, et al.
 *
 * This software is licensed as described in the file COPYING, which
 * you should have received as part of this distribution. The terms
@@ -157,307 +157,314 @@ static void MD5_Final(unsigned char digest[16], MD5_CTX *ctx)
    CryptReleaseContext(ctx->hCryptProv, 0);
 }

+#elif defined(USE_AXTLS)
+#include <axTLS/os_int.h>
+#include <axTLS/crypto.h>
 #else
 /* When no other crypto library is available we use this code segment */
-
-/* Copyright (C) 1991-2, RSA Data Security, Inc. Created 1991. All
-rights reserved.
-
-License to copy and use this software is granted provided that it
-is identified as the "RSA Data Security, Inc. MD5 Message-Digest
-Algorithm" in all material mentioning or referencing this software
-or this function.
-
-License is also granted to make and use derivative works provided
-that such works are identified as "derived from the RSA Data
-Security, Inc. MD5 Message-Digest Algorithm" in all material
-mentioning or referencing the derived work.
-
-RSA Data Security, Inc. makes no representations concerning either
-the merchantability of this software or the suitability of this
-software for any particular purpose. It is provided "as is"
-without express or implied warranty of any kind.
-
-These notices must be retained in any copies of any part of this
-documentation and/or software.
+/*
+ * This is an OpenSSL-compatible implementation of the RSA Data Security, Inc.
+ * MD5 Message-Digest Algorithm (RFC 1321).
+ *
+ * Homepage:
+ http://openwall.info/wiki/people/solar/software/public-domain-source-code/md5
+ *
+ * Author:
+ * Alexander Peslyak, better known as Solar Designer <solar at openwall.com>
+ *
+ * This software was written by Alexander Peslyak in 2001.  No copyright is
+ * claimed, and the software is hereby placed in the public domain.
+ * In case this attempt to disclaim copyright and place the software in the
+ * public domain is deemed null and void, then the software is
+ * Copyright (c) 2001 Alexander Peslyak and it is hereby released to the
+ * general public under the following terms:
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted.
+ *
+ * There's ABSOLUTELY NO WARRANTY, express or implied.
+ *
+ * (This is a heavily cut-down "BSD license".)
+ *
+ * This differs from Colin Plumb's older public domain implementation in that
+ * no exactly 32-bit integer data type is required (any 32-bit or wider
+ * unsigned integer data type will do), there's no compile-time endianness
+ * configuration, and the function prototypes match OpenSSL's.  No code from
+ * Colin Plumb's implementation has been reused; this comment merely compares
+ * the properties of the two independent implementations.
+ *
+ * The primary goals of this implementation are portability and ease of use.
+ * It is meant to be fast, but not as fast as possible.  Some known
+ * optimizations are not included to reduce source code size and avoid
+ * compile-time configuration.
 */

-/* UINT4 defines a four byte word */
-typedef unsigned int UINT4;
+#include <string.h>

-/* MD5 context. */
-struct md5_ctx {
-  UINT4 state[4];                                   /* state (ABCD) */
-  UINT4 count[2];        /* number of bits, modulo 2^64 (lsb first) */
-  unsigned char buffer[64];                         /* input buffer */
-};
+/* Any 32-bit or wider unsigned integer data type will do */
+typedef unsigned int MD5_u32plus;

-typedef struct md5_ctx MD5_CTX;
+typedef struct {
+  MD5_u32plus lo, hi;
+  MD5_u32plus a, b, c, d;
+  unsigned char buffer[64];
+  MD5_u32plus block[16];
+} MD5_CTX;

-static void MD5_Init(struct md5_ctx *);
-static void MD5_Update(struct md5_ctx *, const unsigned char *, unsigned int);
-static void MD5_Final(unsigned char [16], struct md5_ctx *);
+static void MD5_Init(MD5_CTX *ctx);
+static void MD5_Update(MD5_CTX *ctx, const void *data, unsigned long size);
+static void MD5_Final(unsigned char *result, MD5_CTX *ctx);

-/* Constants for MD5Transform routine.
+/*
+ * The basic MD5 functions.
+ *
+ * F and G are optimized compared to their RFC 1321 definitions for
+ * architectures that lack an AND-NOT instruction, just like in Colin Plumb's
+ * implementation.
 */
+#define F(x, y, z)                      ((z) ^ ((x) & ((y) ^ (z))))
+#define G(x, y, z)                      ((y) ^ ((z) & ((x) ^ (y))))
+#define H(x, y, z)                      (((x) ^ (y)) ^ (z))
+#define H2(x, y, z)                     ((x) ^ ((y) ^ (z)))
+#define I(x, y, z)                      ((y) ^ ((x) | ~(z)))

-#define S11 7
-#define S12 12
-#define S13 17
-#define S14 22
-#define S21 5
-#define S22 9
-#define S23 14
-#define S24 20
-#define S31 4
-#define S32 11
-#define S33 16
-#define S34 23
-#define S41 6
-#define S42 10
-#define S43 15
-#define S44 21
-
-static void MD5Transform(UINT4 [4], const unsigned char [64]);
-static void Encode(unsigned char *, UINT4 *, unsigned int);
-static void Decode(UINT4 *, const unsigned char *, unsigned int);
-
-static const unsigned char PADDING[64] = {
-  0x80, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
-  0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
-  0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0
-};
-
-/* F, G, H and I are basic MD5 functions.
+/*
+ * The MD5 transformation for all four rounds.
 */
-#define F(x, y, z) (((x) & (y)) | ((~x) & (z)))
-#define G(x, y, z) (((x) & (z)) | ((y) & (~z)))
-#define H(x, y, z) ((x) ^ (y) ^ (z))
-#define I(x, y, z) ((y) ^ ((x) | (~z)))
+#define STEP(f, a, b, c, d, x, t, s) \
+        (a) += f((b), (c), (d)) + (x) + (t); \
+        (a) = (((a) << (s)) | (((a) & 0xffffffff) >> (32 - (s)))); \
+        (a) += (b);

-/* ROTATE_LEFT rotates x left n bits.
+/*
+ * SET reads 4 input bytes in little-endian byte order and stores them
+ * in a properly aligned word in host byte order.
+ *
+ * The check for little-endian architectures that tolerate unaligned
+ * memory accesses is just an optimization.  Nothing will break if it
+ * doesn't work.
 */
-#define ROTATE_LEFT(x, n) (((x) << (n)) | ((x) >> (32-(n))))
+#if defined(__i386__) || defined(__x86_64__) || defined(__vax__)
+#define SET(n) \
+        (*(MD5_u32plus *)&ptr[(n) * 4])
+#define GET(n) \
+        SET(n)
+#else
+#define SET(n) \
+        (ctx->block[(n)] = \
+        (MD5_u32plus)ptr[(n) * 4] | \
+        ((MD5_u32plus)ptr[(n) * 4 + 1] << 8) | \
+        ((MD5_u32plus)ptr[(n) * 4 + 2] << 16) | \
+        ((MD5_u32plus)ptr[(n) * 4 + 3] << 24))
+#define GET(n) \
+        (ctx->block[(n)])
+#endif

-/* FF, GG, HH, and II transformations for rounds 1, 2, 3, and 4.
-Rotation is separate from addition to prevent recomputation.
+/*
+ * This processes one or more 64-byte data blocks, but does NOT update
+ * the bit counters.  There are no alignment requirements.
 */
-#define FF(a, b, c, d, x, s, ac) { \
- (a) += F ((b), (c), (d)) + (x) + (UINT4)(ac); \
- (a) = ROTATE_LEFT ((a), (s)); \
- (a) += (b); \
-  }
-#define GG(a, b, c, d, x, s, ac) { \
- (a) += G ((b), (c), (d)) + (x) + (UINT4)(ac); \
- (a) = ROTATE_LEFT ((a), (s)); \
- (a) += (b); \
-  }
-#define HH(a, b, c, d, x, s, ac) { \
- (a) += H ((b), (c), (d)) + (x) + (UINT4)(ac); \
- (a) = ROTATE_LEFT ((a), (s)); \
- (a) += (b); \
-  }
-#define II(a, b, c, d, x, s, ac) { \
- (a) += I ((b), (c), (d)) + (x) + (UINT4)(ac); \
- (a) = ROTATE_LEFT ((a), (s)); \
- (a) += (b); \
-  }
-
-/* MD5 initialization. Begins an MD5 operation, writing a new context.
- */
-static void MD5_Init(struct md5_ctx *context)
+static const void *body(MD5_CTX *ctx, const void *data, unsigned long size)
 {
-  context->count[0] = context->count[1] = 0;
-  /* Load magic initialization constants. */
-  context->state[0] = 0x67452301;
-  context->state[1] = 0xefcdab89;
-  context->state[2] = 0x98badcfe;
-  context->state[3] = 0x10325476;
-}
+  const unsigned char *ptr;
+  MD5_u32plus a, b, c, d;
+  MD5_u32plus saved_a, saved_b, saved_c, saved_d;

-/* MD5 block update operation. Continues an MD5 message-digest
-  operation, processing another message block, and updating the
-  context.
- */
-static void MD5_Update (struct md5_ctx *context,    /* context */
-                        const unsigned char *input, /* input block */
-                        unsigned int inputLen)      /* length of input block */
-{
-  unsigned int i, bufindex, partLen;
+  ptr = (const unsigned char *)data;

-  /* Compute number of bytes mod 64 */
-  bufindex = (unsigned int)((context->count[0] >> 3) & 0x3F);
+  a = ctx->a;
+  b = ctx->b;
+  c = ctx->c;
+  d = ctx->d;

-  /* Update number of bits */
-  if((context->count[0] += ((UINT4)inputLen << 3))
-      < ((UINT4)inputLen << 3))
-    context->count[1]++;
-  context->count[1] += ((UINT4)inputLen >> 29);
-
-  partLen = 64 - bufindex;
-
-  /* Transform as many times as possible. */
-  if(inputLen >= partLen) {
-    memcpy(&context->buffer[bufindex], input, partLen);
-    MD5Transform(context->state, context->buffer);
-
-    for(i = partLen; i + 63 < inputLen; i += 64)
-      MD5Transform(context->state, &input[i]);
-
-    bufindex = 0;
-  }
-  else
-    i = 0;
-
-  /* Buffer remaining input */
-  memcpy(&context->buffer[bufindex], &input[i], inputLen-i);
-}
-
-/* MD5 finalization. Ends an MD5 message-digest operation, writing the
-   the message digest and zeroizing the context.
-*/
-static void MD5_Final(unsigned char digest[16], /* message digest */
-                      struct md5_ctx *context) /* context */
-{
-  unsigned char bits[8];
-  unsigned int count, padLen;
-
-  /* Save number of bits */
-  Encode (bits, context->count, 8);
-
-  /* Pad out to 56 mod 64. */
-  count = (unsigned int)((context->count[0] >> 3) & 0x3f);
-  padLen = (count < 56) ? (56 - count) : (120 - count);
-  MD5_Update (context, PADDING, padLen);
-
-  /* Append length (before padding) */
-  MD5_Update (context, bits, 8);
-
-  /* Store state in digest */
-  Encode (digest, context->state, 16);
-
-  /* Zeroize sensitive information. */
-  memset ((void *)context, 0, sizeof (*context));
-}
-
-/* MD5 basic transformation. Transforms state based on block. */
-static void MD5Transform(UINT4 state[4],
-                         const unsigned char block[64])
-{
-  UINT4 a = state[0], b = state[1], c = state[2], d = state[3], x[16];
-
-  Decode (x, block, 64);
+  do {
+    saved_a = a;
+    saved_b = b;
+    saved_c = c;
+    saved_d = d;

 /* Round 1 */
-  FF (a, b, c, d, x[ 0], S11, 0xd76aa478); /* 1 */
-  FF (d, a, b, c, x[ 1], S12, 0xe8c7b756); /* 2 */
-  FF (c, d, a, b, x[ 2], S13, 0x242070db); /* 3 */
-  FF (b, c, d, a, x[ 3], S14, 0xc1bdceee); /* 4 */
-  FF (a, b, c, d, x[ 4], S11, 0xf57c0faf); /* 5 */
-  FF (d, a, b, c, x[ 5], S12, 0x4787c62a); /* 6 */
-  FF (c, d, a, b, x[ 6], S13, 0xa8304613); /* 7 */
-  FF (b, c, d, a, x[ 7], S14, 0xfd469501); /* 8 */
-  FF (a, b, c, d, x[ 8], S11, 0x698098d8); /* 9 */
-  FF (d, a, b, c, x[ 9], S12, 0x8b44f7af); /* 10 */
-  FF (c, d, a, b, x[10], S13, 0xffff5bb1); /* 11 */
-  FF (b, c, d, a, x[11], S14, 0x895cd7be); /* 12 */
-  FF (a, b, c, d, x[12], S11, 0x6b901122); /* 13 */
-  FF (d, a, b, c, x[13], S12, 0xfd987193); /* 14 */
-  FF (c, d, a, b, x[14], S13, 0xa679438e); /* 15 */
-  FF (b, c, d, a, x[15], S14, 0x49b40821); /* 16 */
+    STEP(F, a, b, c, d, SET(0), 0xd76aa478, 7)
+      STEP(F, d, a, b, c, SET(1), 0xe8c7b756, 12)
+      STEP(F, c, d, a, b, SET(2), 0x242070db, 17)
+      STEP(F, b, c, d, a, SET(3), 0xc1bdceee, 22)
+      STEP(F, a, b, c, d, SET(4), 0xf57c0faf, 7)
+      STEP(F, d, a, b, c, SET(5), 0x4787c62a, 12)
+      STEP(F, c, d, a, b, SET(6), 0xa8304613, 17)
+      STEP(F, b, c, d, a, SET(7), 0xfd469501, 22)
+      STEP(F, a, b, c, d, SET(8), 0x698098d8, 7)
+      STEP(F, d, a, b, c, SET(9), 0x8b44f7af, 12)
+      STEP(F, c, d, a, b, SET(10), 0xffff5bb1, 17)
+      STEP(F, b, c, d, a, SET(11), 0x895cd7be, 22)
+      STEP(F, a, b, c, d, SET(12), 0x6b901122, 7)
+      STEP(F, d, a, b, c, SET(13), 0xfd987193, 12)
+      STEP(F, c, d, a, b, SET(14), 0xa679438e, 17)
+      STEP(F, b, c, d, a, SET(15), 0x49b40821, 22)

 /* Round 2 */
-  GG (a, b, c, d, x[ 1], S21, 0xf61e2562); /* 17 */
-  GG (d, a, b, c, x[ 6], S22, 0xc040b340); /* 18 */
-  GG (c, d, a, b, x[11], S23, 0x265e5a51); /* 19 */
-  GG (b, c, d, a, x[ 0], S24, 0xe9b6c7aa); /* 20 */
-  GG (a, b, c, d, x[ 5], S21, 0xd62f105d); /* 21 */
-  GG (d, a, b, c, x[10], S22,  0x2441453); /* 22 */
-  GG (c, d, a, b, x[15], S23, 0xd8a1e681); /* 23 */
-  GG (b, c, d, a, x[ 4], S24, 0xe7d3fbc8); /* 24 */
-  GG (a, b, c, d, x[ 9], S21, 0x21e1cde6); /* 25 */
-  GG (d, a, b, c, x[14], S22, 0xc33707d6); /* 26 */
-  GG (c, d, a, b, x[ 3], S23, 0xf4d50d87); /* 27 */
-  GG (b, c, d, a, x[ 8], S24, 0x455a14ed); /* 28 */
-  GG (a, b, c, d, x[13], S21, 0xa9e3e905); /* 29 */
-  GG (d, a, b, c, x[ 2], S22, 0xfcefa3f8); /* 30 */
-  GG (c, d, a, b, x[ 7], S23, 0x676f02d9); /* 31 */
-  GG (b, c, d, a, x[12], S24, 0x8d2a4c8a); /* 32 */
+      STEP(G, a, b, c, d, GET(1), 0xf61e2562, 5)
+      STEP(G, d, a, b, c, GET(6), 0xc040b340, 9)
+      STEP(G, c, d, a, b, GET(11), 0x265e5a51, 14)
+      STEP(G, b, c, d, a, GET(0), 0xe9b6c7aa, 20)
+      STEP(G, a, b, c, d, GET(5), 0xd62f105d, 5)
+      STEP(G, d, a, b, c, GET(10), 0x02441453, 9)
+      STEP(G, c, d, a, b, GET(15), 0xd8a1e681, 14)
+      STEP(G, b, c, d, a, GET(4), 0xe7d3fbc8, 20)
+      STEP(G, a, b, c, d, GET(9), 0x21e1cde6, 5)
+      STEP(G, d, a, b, c, GET(14), 0xc33707d6, 9)
+      STEP(G, c, d, a, b, GET(3), 0xf4d50d87, 14)
+      STEP(G, b, c, d, a, GET(8), 0x455a14ed, 20)
+      STEP(G, a, b, c, d, GET(13), 0xa9e3e905, 5)
+      STEP(G, d, a, b, c, GET(2), 0xfcefa3f8, 9)
+      STEP(G, c, d, a, b, GET(7), 0x676f02d9, 14)
+      STEP(G, b, c, d, a, GET(12), 0x8d2a4c8a, 20)

 /* Round 3 */
-  HH (a, b, c, d, x[ 5], S31, 0xfffa3942); /* 33 */
-  HH (d, a, b, c, x[ 8], S32, 0x8771f681); /* 34 */
-  HH (c, d, a, b, x[11], S33, 0x6d9d6122); /* 35 */
-  HH (b, c, d, a, x[14], S34, 0xfde5380c); /* 36 */
-  HH (a, b, c, d, x[ 1], S31, 0xa4beea44); /* 37 */
-  HH (d, a, b, c, x[ 4], S32, 0x4bdecfa9); /* 38 */
-  HH (c, d, a, b, x[ 7], S33, 0xf6bb4b60); /* 39 */
-  HH (b, c, d, a, x[10], S34, 0xbebfbc70); /* 40 */
-  HH (a, b, c, d, x[13], S31, 0x289b7ec6); /* 41 */
-  HH (d, a, b, c, x[ 0], S32, 0xeaa127fa); /* 42 */
-  HH (c, d, a, b, x[ 3], S33, 0xd4ef3085); /* 43 */
-  HH (b, c, d, a, x[ 6], S34,  0x4881d05); /* 44 */
-  HH (a, b, c, d, x[ 9], S31, 0xd9d4d039); /* 45 */
-  HH (d, a, b, c, x[12], S32, 0xe6db99e5); /* 46 */
-  HH (c, d, a, b, x[15], S33, 0x1fa27cf8); /* 47 */
-  HH (b, c, d, a, x[ 2], S34, 0xc4ac5665); /* 48 */
+      STEP(H, a, b, c, d, GET(5), 0xfffa3942, 4)
+      STEP(H2, d, a, b, c, GET(8), 0x8771f681, 11)
+      STEP(H, c, d, a, b, GET(11), 0x6d9d6122, 16)
+      STEP(H2, b, c, d, a, GET(14), 0xfde5380c, 23)
+      STEP(H, a, b, c, d, GET(1), 0xa4beea44, 4)
+      STEP(H2, d, a, b, c, GET(4), 0x4bdecfa9, 11)
+      STEP(H, c, d, a, b, GET(7), 0xf6bb4b60, 16)
+      STEP(H2, b, c, d, a, GET(10), 0xbebfbc70, 23)
+      STEP(H, a, b, c, d, GET(13), 0x289b7ec6, 4)
+      STEP(H2, d, a, b, c, GET(0), 0xeaa127fa, 11)
+      STEP(H, c, d, a, b, GET(3), 0xd4ef3085, 16)
+      STEP(H2, b, c, d, a, GET(6), 0x04881d05, 23)
+      STEP(H, a, b, c, d, GET(9), 0xd9d4d039, 4)
+      STEP(H2, d, a, b, c, GET(12), 0xe6db99e5, 11)
+      STEP(H, c, d, a, b, GET(15), 0x1fa27cf8, 16)
+      STEP(H2, b, c, d, a, GET(2), 0xc4ac5665, 23)

 /* Round 4 */
-  II (a, b, c, d, x[ 0], S41, 0xf4292244); /* 49 */
-  II (d, a, b, c, x[ 7], S42, 0x432aff97); /* 50 */
-  II (c, d, a, b, x[14], S43, 0xab9423a7); /* 51 */
-  II (b, c, d, a, x[ 5], S44, 0xfc93a039); /* 52 */
-  II (a, b, c, d, x[12], S41, 0x655b59c3); /* 53 */
-  II (d, a, b, c, x[ 3], S42, 0x8f0ccc92); /* 54 */
-  II (c, d, a, b, x[10], S43, 0xffeff47d); /* 55 */
-  II (b, c, d, a, x[ 1], S44, 0x85845dd1); /* 56 */
-  II (a, b, c, d, x[ 8], S41, 0x6fa87e4f); /* 57 */
-  II (d, a, b, c, x[15], S42, 0xfe2ce6e0); /* 58 */
-  II (c, d, a, b, x[ 6], S43, 0xa3014314); /* 59 */
-  II (b, c, d, a, x[13], S44, 0x4e0811a1); /* 60 */
-  II (a, b, c, d, x[ 4], S41, 0xf7537e82); /* 61 */
-  II (d, a, b, c, x[11], S42, 0xbd3af235); /* 62 */
-  II (c, d, a, b, x[ 2], S43, 0x2ad7d2bb); /* 63 */
-  II (b, c, d, a, x[ 9], S44, 0xeb86d391); /* 64 */
+      STEP(I, a, b, c, d, GET(0), 0xf4292244, 6)
+      STEP(I, d, a, b, c, GET(7), 0x432aff97, 10)
+      STEP(I, c, d, a, b, GET(14), 0xab9423a7, 15)
+      STEP(I, b, c, d, a, GET(5), 0xfc93a039, 21)
+      STEP(I, a, b, c, d, GET(12), 0x655b59c3, 6)
+      STEP(I, d, a, b, c, GET(3), 0x8f0ccc92, 10)
+      STEP(I, c, d, a, b, GET(10), 0xffeff47d, 15)
+      STEP(I, b, c, d, a, GET(1), 0x85845dd1, 21)
+      STEP(I, a, b, c, d, GET(8), 0x6fa87e4f, 6)
+      STEP(I, d, a, b, c, GET(15), 0xfe2ce6e0, 10)
+      STEP(I, c, d, a, b, GET(6), 0xa3014314, 15)
+      STEP(I, b, c, d, a, GET(13), 0x4e0811a1, 21)
+      STEP(I, a, b, c, d, GET(4), 0xf7537e82, 6)
+      STEP(I, d, a, b, c, GET(11), 0xbd3af235, 10)
+      STEP(I, c, d, a, b, GET(2), 0x2ad7d2bb, 15)
+      STEP(I, b, c, d, a, GET(9), 0xeb86d391, 21)

-  state[0] += a;
-  state[1] += b;
-  state[2] += c;
-  state[3] += d;
+      a += saved_a;
+    b += saved_b;
+    c += saved_c;
+    d += saved_d;

-  /* Zeroize sensitive information. */
-  memset((void *)x, 0, sizeof (x));
+    ptr += 64;
+  } while(size -= 64);
+
+  ctx->a = a;
+  ctx->b = b;
+  ctx->c = c;
+  ctx->d = d;
+
+  return ptr;
 }

-/* Encodes input (UINT4) into output (unsigned char). Assumes len is
-  a multiple of 4.
- */
-static void Encode (unsigned char *output,
-                    UINT4 *input,
-                    unsigned int len)
+static void MD5_Init(MD5_CTX *ctx)
 {
-  unsigned int i, j;
+  ctx->a = 0x67452301;
+  ctx->b = 0xefcdab89;
+  ctx->c = 0x98badcfe;
+  ctx->d = 0x10325476;

-  for(i = 0, j = 0; j < len; i++, j += 4) {
-    output[j] = (unsigned char)(input[i] & 0xff);
-    output[j+1] = (unsigned char)((input[i] >> 8) & 0xff);
-    output[j+2] = (unsigned char)((input[i] >> 16) & 0xff);
-    output[j+3] = (unsigned char)((input[i] >> 24) & 0xff);
-  }
+  ctx->lo = 0;
+  ctx->hi = 0;
 }

-/* Decodes input (unsigned char) into output (UINT4). Assumes len is
-   a multiple of 4.
-*/
-static void Decode (UINT4 *output,
-                    const unsigned char *input,
-                    unsigned int len)
+static void MD5_Update(MD5_CTX *ctx, const void *data, unsigned long size)
 {
-  unsigned int i, j;
+  MD5_u32plus saved_lo;
+  unsigned long used, available;

-  for(i = 0, j = 0; j < len; i++, j += 4)
-    output[i] = ((UINT4)input[j]) | (((UINT4)input[j+1]) << 8) |
-      (((UINT4)input[j+2]) << 16) | (((UINT4)input[j+3]) << 24);
+  saved_lo = ctx->lo;
+  if((ctx->lo = (saved_lo + size) & 0x1fffffff) < saved_lo)
+    ctx->hi++;
+  ctx->hi += (MD5_u32plus)size >> 29;
+
+  used = saved_lo & 0x3f;
+
+  if(used) {
+    available = 64 - used;
+
+    if(size < available) {
+      memcpy(&ctx->buffer[used], data, size);
+      return;
+    }
+
+    memcpy(&ctx->buffer[used], data, available);
+    data = (const unsigned char *)data + available;
+    size -= available;
+    body(ctx, ctx->buffer, 64);
+  }
+
+  if(size >= 64) {
+    data = body(ctx, data, size & ~(unsigned long)0x3f);
+    size &= 0x3f;
+  }
+
+  memcpy(ctx->buffer, data, size);
+}
+
+static void MD5_Final(unsigned char *result, MD5_CTX *ctx)
+{
+  unsigned long used, available;
+
+  used = ctx->lo & 0x3f;
+
+  ctx->buffer[used++] = 0x80;
+
+  available = 64 - used;
+
+  if(available < 8) {
+    memset(&ctx->buffer[used], 0, available);
+    body(ctx, ctx->buffer, 64);
+    used = 0;
+    available = 64;
+  }
+
+  memset(&ctx->buffer[used], 0, available - 8);
+
+  ctx->lo <<= 3;
+  ctx->buffer[56] = curlx_ultouc((ctx->lo)&0xff);
+  ctx->buffer[57] = curlx_ultouc((ctx->lo >> 8)&0xff);
+  ctx->buffer[58] = curlx_ultouc((ctx->lo >> 16)&0xff);
+  ctx->buffer[59] = curlx_ultouc(ctx->lo >> 24);
+  ctx->buffer[60] = curlx_ultouc((ctx->hi)&0xff);
+  ctx->buffer[61] = curlx_ultouc((ctx->hi >> 8)&0xff);
+  ctx->buffer[62] = curlx_ultouc((ctx->hi >> 16)&0xff);
+  ctx->buffer[63] = curlx_ultouc(ctx->hi >> 24);
+
+  body(ctx, ctx->buffer, 64);
+
+  result[0] = curlx_ultouc((ctx->a)&0xff);
+  result[1] = curlx_ultouc((ctx->a >> 8)&0xff);
+  result[2] = curlx_ultouc((ctx->a >> 16)&0xff);
+  result[3] = curlx_ultouc(ctx->a >> 24);
+  result[4] = curlx_ultouc((ctx->b)&0xff);
+  result[5] = curlx_ultouc((ctx->b >> 8)&0xff);
+  result[6] = curlx_ultouc((ctx->b >> 16)&0xff);
+  result[7] = curlx_ultouc(ctx->b >> 24);
+  result[8] = curlx_ultouc((ctx->c)&0xff);
+  result[9] = curlx_ultouc((ctx->c >> 8)&0xff);
+  result[10] = curlx_ultouc((ctx->c >> 16)&0xff);
+  result[11] = curlx_ultouc(ctx->c >> 24);
+  result[12] = curlx_ultouc((ctx->d)&0xff);
+  result[13] = curlx_ultouc((ctx->d >> 8)&0xff);
+  result[14] = curlx_ultouc((ctx->d >> 16)&0xff);
+  result[15] = curlx_ultouc(ctx->d >> 24);
+
+  memset(ctx, 0, sizeof(*ctx));
 }

 #endif /* CRYPTO LIBS */
@@ -486,6 +493,9 @@ const MD5_params Curl_DIGEST_MD5[] = {
  }
 };

+/*
+ * @unittest: 1601
+ */
 void Curl_md5it(unsigned char *outbuffer, /* 16 bytes */
                const unsigned char *input)
 {
--- a/lib/pop3.c
+++ b/lib/pop3.c
--- a/lib/pop3.h
+++ b/lib/pop3.h
@@ -7,7 +7,7 @@
 *                            | (__| |_| |  _ <| |___
 *                             \___|\___/|_| \_\_____|
 *
- * Copyright (C) 2009 - 2014, Daniel Stenberg, <daniel@haxx.se>, et al.
+ * Copyright (C) 2009 - 2015, Daniel Stenberg, <daniel@haxx.se>, et al.
 *
 * This software is licensed as described in the file COPYING, which
 * you should have received as part of this distribution. The terms
@@ -23,6 +23,7 @@
 ***************************************************************************/

 #include "pingpong.h"
+#include "curl_sasl.h"

 /****************************************************************************
 * POP3 unique setup
@@ -35,20 +36,7 @@ typedef enum {
  POP3_STARTTLS,
  POP3_UPGRADETLS,   /* asynchronously upgrade the connection to SSL/TLS
                       (multi mode only) */
-  POP3_AUTH_PLAIN,
-  POP3_AUTH_LOGIN,
-  POP3_AUTH_LOGIN_PASSWD,
-  POP3_AUTH_CRAMMD5,
-  POP3_AUTH_DIGESTMD5,
-  POP3_AUTH_DIGESTMD5_RESP,
-  POP3_AUTH_NTLM,
-  POP3_AUTH_NTLM_TYPE2MSG,
-  POP3_AUTH_GSSAPI,
-  POP3_AUTH_GSSAPI_TOKEN,
-  POP3_AUTH_GSSAPI_NO_DATA,
-  POP3_AUTH_XOAUTH2,
-  POP3_AUTH_CANCEL,
-  POP3_AUTH_FINAL,
+  POP3_AUTH,
  POP3_APOP,
  POP3_USER,
  POP3_PASS,
@@ -77,14 +65,11 @@ struct pop3_conn {
                             have been received so far */
  size_t strip;           /* Number of bytes from the start to ignore as
                             non-body */
+  struct SASL sasl;       /* SASL-related storage */
  unsigned int authtypes; /* Accepted authentication types */
-  unsigned int authmechs; /* Accepted SASL authentication mechanisms */
  unsigned int preftype;  /* Preferred authentication type */
-  unsigned int prefmech;  /* Preferred SASL authentication mechanism */
-  unsigned int authused;  /* SASL auth mechanism used for the connection */
  char *apoptimestamp;    /* APOP timestamp from the server greeting */
  bool tls_supported;     /* StartTLS capability supported by server */
-  bool mutual_auth;       /* Mutual authentication enabled (GSSAPI only) */
 };

 extern const struct Curl_handler Curl_handler_pop3;
--- a/lib/security.c
+++ b/lib/security.c
@@ -7,10 +7,10 @@
 * rewrite to work around the paragraph 2 in the BSD licenses as explained
 * below.
 *
- * Copyright (c) 1998, 1999, 2013 Kungliga Tekniska H<>gskolan
+ * Copyright (c) 1998, 1999 Kungliga Tekniska H<>gskolan
 * (Royal Institute of Technology, Stockholm, Sweden).
 *
- * Copyright (C) 2001 - 2014, Daniel Stenberg, <daniel@haxx.se>, et al.
+ * Copyright (C) 2001 - 2015, Daniel Stenberg, <daniel@haxx.se>, et al.
 *
 * All rights reserved.
 *
@@ -121,7 +121,7 @@ static const struct Curl_sec_client_mech * const mechs[] = {
 static int ftp_send_command(struct connectdata *conn, const char *message, ...)
 {
  int ftp_code;
-  ssize_t nread;
+  ssize_t nread=0;
  va_list args;
  char print_buffer[50];

--- a/lib/smtp.c
+++ b/lib/smtp.c
--- a/lib/smtp.h
+++ b/lib/smtp.h
@@ -23,6 +23,7 @@
 ***************************************************************************/

 #include "pingpong.h"
+#include "curl_sasl.h"

 /****************************************************************************
 * SMTP unique setup
@@ -36,20 +37,7 @@ typedef enum {
  SMTP_STARTTLS,
  SMTP_UPGRADETLS,  /* asynchronously upgrade the connection to SSL/TLS
                       (multi mode only) */
-  SMTP_AUTH_PLAIN,
-  SMTP_AUTH_LOGIN,
-  SMTP_AUTH_LOGIN_PASSWD,
-  SMTP_AUTH_CRAMMD5,
-  SMTP_AUTH_DIGESTMD5,
-  SMTP_AUTH_DIGESTMD5_RESP,
-  SMTP_AUTH_NTLM,
-  SMTP_AUTH_NTLM_TYPE2MSG,
-  SMTP_AUTH_GSSAPI,
-  SMTP_AUTH_GSSAPI_TOKEN,
-  SMTP_AUTH_GSSAPI_NO_DATA,
-  SMTP_AUTH_XOAUTH2,
-  SMTP_AUTH_CANCEL,
-  SMTP_AUTH_FINAL,
+  SMTP_AUTH,
  SMTP_COMMAND,     /* VRFY, EXPN, NOOP, RSET and HELP */
  SMTP_MAIL,        /* MAIL FROM */
  SMTP_RCPT,        /* RCPT TO */
@@ -79,14 +67,11 @@ struct smtp_conn {
  smtpstate state;         /* Always use smtp.c:state() to change state! */
  bool ssldone;            /* Is connect() over SSL done? */
  char *domain;            /* Client address/name to send in the EHLO */
-  unsigned int authmechs;  /* Accepted authentication mechanisms */
-  unsigned int prefmech;   /* Preferred authentication mechanism */
-  unsigned int authused;   /* Auth mechanism used for the connection */
+  struct SASL sasl;        /* SASL-related storage */
  bool tls_supported;      /* StartTLS capability supported by server */
  bool size_supported;     /* If server supports SIZE extension according to
                              RFC 1870 */
  bool auth_supported;     /* AUTH capability supported by server */
-  bool mutual_auth;        /* Mutual authentication enabled (GSSAPI only) */
 };

 extern const struct Curl_handler Curl_handler_smtp;
--- a/lib/socks_gssapi.c
+++ b/lib/socks_gssapi.c
@@ -6,7 +6,7 @@
 *                             \___|\___/|_| \_\_____|
 *
 * Copyright (C) 2009, 2011, Markus Moeller, <markus_moeller@compuserve.com>
- * Copyright (C) 2012 - 2014, Daniel Stenberg, <daniel@haxx.se>, et al.
+ * Copyright (C) 2012 - 2015, Daniel Stenberg, <daniel@haxx.se>, et al.
 *
 * This software is licensed as described in the file COPYING, which
 * you should have received as part of this distribution. The terms
@@ -23,16 +23,7 @@

 #include "curl_setup.h"

-#ifndef CURL_DISABLE_PROXY
-
-#ifdef HAVE_GSSAPI
-#ifdef HAVE_OLD_GSSMIT
-#define GSS_C_NT_HOSTBASED_SERVICE gss_nt_service_name
-#define NCOMPAT 1
-#endif
-#ifndef gss_nt_service_name
-#define gss_nt_service_name GSS_C_NT_HOSTBASED_SERVICE
-#endif
+#if defined(HAVE_GSSAPI) && !defined(CURL_DISABLE_PROXY)

 #include "curl_gssapi.h"
 #include "urldata.h"
@@ -162,7 +153,7 @@ CURLcode Curl_SOCKS5_gssapi_negotiate(int sockindex,
             serviceptr, conn->proxy.name);

    gss_major_status = gss_import_name(&gss_minor_status, &service,
-                                       gss_nt_service_name, &server);
+                                       GSS_C_NT_HOSTBASED_SERVICE, &server);
  }

  gss_release_buffer(&gss_status, &service); /* clear allocated memory */
@@ -530,6 +521,5 @@ CURLcode Curl_SOCKS5_gssapi_negotiate(int sockindex,

  return CURLE_OK;
 }
-#endif

-#endif /* CURL_DISABLE_PROXY */
+#endif /* HAVE_GSSAPI && !CURL_DISABLE_PROXY */
--- a/lib/strerror.c
+++ b/lib/strerror.c
@@ -5,7 +5,7 @@
 *                            | (__| |_| |  _ <| |___
 *                             \___|\___/|_| \_\_____|
 *
- * Copyright (C) 2004 - 2014, Daniel Stenberg, <daniel@haxx.se>, et al.
+ * Copyright (C) 2004 - 2015, Daniel Stenberg, <daniel@haxx.se>, et al.
 *
 * This software is licensed as described in the file COPYING, which
 * you should have received as part of this distribution. The terms
@@ -301,6 +301,9 @@ curl_easy_strerror(CURLcode error)
  case CURLE_SSL_PINNEDPUBKEYNOTMATCH:
    return "SSL public key does not match pinned public key";

+  case CURLE_SSL_INVALIDCERTSTATUS:
+    return "SSL server certificate status verification FAILED";
+
    /* error codes not used by current libcurl */
  case CURLE_OBSOLETE20:
  case CURLE_OBSOLETE24:
--- a/lib/telnet.c
+++ b/lib/telnet.c
@@ -5,7 +5,7 @@
 *                            | (__| |_| |  _ <| |___
 *                             \___|\___/|_| \_\_____|
 *
- * Copyright (C) 1998 - 2014, Daniel Stenberg, <daniel@haxx.se>, et al.
+ * Copyright (C) 1998 - 2015, Daniel Stenberg, <daniel@haxx.se>, et al.
 *
 * This software is licensed as described in the file COPYING, which
 * you should have received as part of this distribution. The terms
@@ -1282,7 +1282,7 @@ static CURLcode telnet_done(struct connectdata *conn,

 static CURLcode telnet_do(struct connectdata *conn, bool *done)
 {
-  CURLcode code;
+  CURLcode result;
  struct SessionHandle *data = conn->data;
  curl_socket_t sockfd = conn->sock[FIRSTSOCKET];
 #ifdef USE_WINSOCK
@@ -1315,24 +1315,24 @@ static CURLcode telnet_do(struct connectdata *conn, bool *done)

  *done = TRUE; /* unconditionally */

-  code = init_telnet(conn);
-  if(code)
-    return code;
+  result = init_telnet(conn);
+  if(result)
+    return result;

  tn = (struct TELNET *)data->req.protop;

-  code = check_telnet_options(conn);
-  if(code)
-    return code;
+  result = check_telnet_options(conn);
+  if(result)
+    return result;

 #ifdef USE_WINSOCK
  /*
  ** This functionality only works with WinSock >= 2.0.  So,
  ** make sure have it.
  */
-  code = check_wsock2(data);
-  if(code)
-    return code;
+  result = check_wsock2(data);
+  if(result)
+    return result;

  /* OK, so we have WinSock 2.0.  We need to dynamically */
  /* load ws2_32.dll and get the function pointers we need. */
@@ -1427,29 +1427,29 @@ static CURLcode telnet_do(struct connectdata *conn, bool *done)
    case WAIT_TIMEOUT:
    {
      for(;;) {
-        if(obj_count == 1) {
+        if(data->set.is_fread_set) {
          /* read from user-supplied method */
-          code = (int)conn->fread_func(buf, 1, BUFSIZE - 1, conn->fread_in);
-          if(code == CURL_READFUNC_ABORT) {
+          result = (int) conn->fread_func(buf, 1, BUFSIZE - 1, conn->fread_in);
+          if(result == CURL_READFUNC_ABORT) {
            keepon = FALSE;
-            code = CURLE_READ_ERROR;
+            result = CURLE_READ_ERROR;
            break;
          }

-          if(code == CURL_READFUNC_PAUSE)
+          if(result == CURL_READFUNC_PAUSE)
            break;

-          if(code == 0)                        /* no bytes */
+          if(result == 0)                        /* no bytes */
            break;

-          readfile_read = code; /* fall thru with number of bytes read */
+          readfile_read = result; /* fall thru with number of bytes read */
        }
        else {
          /* read from stdin */
          if(!PeekNamedPipe(stdin_handle, NULL, 0, NULL,
                            &readfile_read, NULL)) {
            keepon = FALSE;
-            code = CURLE_READ_ERROR;
+            result = CURLE_READ_ERROR;
            break;
          }

@@ -1459,13 +1459,13 @@ static CURLcode telnet_do(struct connectdata *conn, bool *done)
          if(!ReadFile(stdin_handle, buf, sizeof(data->state.buffer),
                       &readfile_read, NULL)) {
            keepon = FALSE;
-            code = CURLE_READ_ERROR;
+            result = CURLE_READ_ERROR;
            break;
          }
        }

-        code = send_telnet_data(conn, buf, readfile_read);
-        if(code) {
+        result = send_telnet_data(conn, buf, readfile_read);
+        if(result) {
          keepon = FALSE;
          break;
        }
@@ -1478,12 +1478,12 @@ static CURLcode telnet_do(struct connectdata *conn, bool *done)
      if(!ReadFile(stdin_handle, buf, sizeof(data->state.buffer),
                   &readfile_read, NULL)) {
        keepon = FALSE;
-        code = CURLE_READ_ERROR;
+        result = CURLE_READ_ERROR;
        break;
      }

-      code = send_telnet_data(conn, buf, readfile_read);
-      if(code) {
+      result = send_telnet_data(conn, buf, readfile_read);
+      if(result) {
        keepon = FALSE;
        break;
      }
@@ -1497,18 +1497,18 @@ static CURLcode telnet_do(struct connectdata *conn, bool *done)
        if((err = SOCKERRNO) != EINPROGRESS) {
          infof(data,"WSAEnumNetworkEvents failed (%d)", err);
          keepon = FALSE;
-          code = CURLE_READ_ERROR;
+          result = CURLE_READ_ERROR;
        }
        break;
      }
      if(events.lNetworkEvents & FD_READ) {
        /* read data from network */
-        code = Curl_read(conn, sockfd, buf, BUFSIZE - 1, &nread);
+        result = Curl_read(conn, sockfd, buf, BUFSIZE - 1, &nread);
        /* read would've blocked. Loop again */
-        if(code == CURLE_AGAIN)
+        if(result == CURLE_AGAIN)
          break;
        /* returned not-zero, this an error */
-        else if(code) {
+        else if(result) {
          keepon = FALSE;
          break;
        }
@@ -1519,8 +1519,8 @@ static CURLcode telnet_do(struct connectdata *conn, bool *done)
          break;
        }

-        code = telrcv(conn, (unsigned char *)buf, nread);
-        if(code) {
+        result = telrcv(conn, (unsigned char *) buf, nread);
+        if(result) {
          keepon = FALSE;
          break;
        }
@@ -1544,7 +1544,7 @@ static CURLcode telnet_do(struct connectdata *conn, bool *done)
      now = Curl_tvnow();
      if(Curl_tvdiff(now, conn->created) >= data->set.timeout) {
        failf(data, "Time-out");
-        code = CURLE_OPERATION_TIMEDOUT;
+        result = CURLE_OPERATION_TIMEDOUT;
        keepon = FALSE;
      }
    }
@@ -1592,12 +1592,12 @@ static CURLcode telnet_do(struct connectdata *conn, bool *done)
    default:                    /* read! */
      if(pfd[0].revents & POLLIN) {
        /* read data from network */
-        code = Curl_read(conn, sockfd, buf, BUFSIZE - 1, &nread);
+        result = Curl_read(conn, sockfd, buf, BUFSIZE - 1, &nread);
        /* read would've blocked. Loop again */
-        if(code == CURLE_AGAIN)
+        if(result == CURLE_AGAIN)
          break;
        /* returned not-zero, this an error */
-        else if(code) {
+        else if(result) {
          keepon = FALSE;
          break;
        }
@@ -1610,8 +1610,8 @@ static CURLcode telnet_do(struct connectdata *conn, bool *done)

        total_dl += nread;
        Curl_pgrsSetDownloadCounter(data, total_dl);
-        code = telrcv(conn, (unsigned char *)buf, nread);
-        if(code) {
+        result = telrcv(conn, (unsigned char *)buf, nread);
+        if(result) {
          keepon = FALSE;
          break;
        }
@@ -1643,8 +1643,8 @@ static CURLcode telnet_do(struct connectdata *conn, bool *done)
      }

      if(nread > 0) {
-        code = send_telnet_data(conn, buf, nread);
-        if(code) {
+        result = send_telnet_data(conn, buf, nread);
+        if(result) {
          keepon = FALSE;
          break;
        }
@@ -1661,13 +1661,13 @@ static CURLcode telnet_do(struct connectdata *conn, bool *done)
      now = Curl_tvnow();
      if(Curl_tvdiff(now, conn->created) >= data->set.timeout) {
        failf(data, "Time-out");
-        code = CURLE_OPERATION_TIMEDOUT;
+        result = CURLE_OPERATION_TIMEDOUT;
        keepon = FALSE;
      }
    }

    if(Curl_pgrsUpdate(conn)) {
-      code = CURLE_ABORTED_BY_CALLBACK;
+      result = CURLE_ABORTED_BY_CALLBACK;
      break;
    }
  }
@@ -1675,6 +1675,6 @@ static CURLcode telnet_do(struct connectdata *conn, bool *done)
  /* mark this as "no further transfer wanted" */
  Curl_setup_transfer(conn, -1, -1, FALSE, NULL, -1, NULL);

-  return code;
+  return result;
 }
 #endif
--- a/lib/tftp.c
+++ b/lib/tftp.c
@@ -5,7 +5,7 @@
 *                            | (__| |_| |  _ <| |___
 *                             \___|\___/|_| \_\_____|
 *
- * Copyright (C) 1998 - 2014, Daniel Stenberg, <daniel@haxx.se>, et al.
+ * Copyright (C) 1998 - 2015, Daniel Stenberg, <daniel@haxx.se>, et al.
 *
 * This software is licensed as described in the file COPYING, which
 * you should have received as part of this distribution. The terms
@@ -454,7 +454,7 @@ static CURLcode tftp_send_first(tftp_state_data_t *state, tftp_event_t event)
  char *filename;
  char buf[64];
  struct SessionHandle *data = state->conn->data;
-  CURLcode res = CURLE_OK;
+  CURLcode result = CURLE_OK;

  /* Set ascii mode if -B flag was used */
  if(data->set.prefer_ascii)
@@ -469,7 +469,7 @@ static CURLcode tftp_send_first(tftp_state_data_t *state, tftp_event_t event)
    if(state->retries>state->retry_max) {
      state->error = TFTP_ERR_NORESPONSE;
      state->state = TFTP_STATE_FIN;
-      return res;
+      return result;
    }

    if(data->set.upload) {
@@ -539,19 +539,19 @@ static CURLcode tftp_send_first(tftp_state_data_t *state, tftp_event_t event)

  case TFTP_EVENT_OACK:
    if(data->set.upload) {
-      res = tftp_connect_for_tx(state, event);
+      result = tftp_connect_for_tx(state, event);
    }
    else {
-      res = tftp_connect_for_rx(state, event);
+      result = tftp_connect_for_rx(state, event);
    }
    break;

  case TFTP_EVENT_ACK: /* Connected for transmit */
-    res = tftp_connect_for_tx(state, event);
+    result = tftp_connect_for_tx(state, event);
    break;

  case TFTP_EVENT_DATA: /* Connected for receive */
-    res = tftp_connect_for_rx(state, event);
+    result = tftp_connect_for_rx(state, event);
    break;

  case TFTP_EVENT_ERROR:
@@ -562,7 +562,8 @@ static CURLcode tftp_send_first(tftp_state_data_t *state, tftp_event_t event)
    failf(state->conn->data, "tftp_send_first: internal error");
    break;
  }
-  return res;
+
+  return result;
 }

 /* the next blocknum is x + 1 but it needs to wrap at an unsigned 16bit
@@ -702,7 +703,7 @@ static CURLcode tftp_tx(tftp_state_data_t *state, tftp_event_t event)
  struct SessionHandle *data = state->conn->data;
  ssize_t sbytes;
  int rblock;
-  CURLcode res = CURLE_OK;
+  CURLcode result = CURLE_OK;
  struct SingleRequest *k = &data->req;

  switch(event) {
@@ -728,7 +729,7 @@ static CURLcode tftp_tx(tftp_state_data_t *state, tftp_event_t event)
        if(state->retries>state->retry_max) {
          failf(data, "tftp_tx: giving up waiting for block %d ack",
                state->block);
-          res = CURLE_SEND_ERROR;
+          result = CURLE_SEND_ERROR;
        }
        else {
          /* Re-send the data packet */
@@ -739,10 +740,11 @@ static CURLcode tftp_tx(tftp_state_data_t *state, tftp_event_t event)
          /* Check all sbytes were sent */
          if(sbytes<0) {
            failf(data, "%s", Curl_strerror(state->conn, SOCKERRNO));
-            res = CURLE_SEND_ERROR;
+            result = CURLE_SEND_ERROR;
          }
        }
-        return res;
+
+        return result;
      }
      /* This is the expected packet.  Reset the counters and send the next
         block */
@@ -759,9 +761,11 @@ static CURLcode tftp_tx(tftp_state_data_t *state, tftp_event_t event)
      state->state = TFTP_STATE_FIN;
      return CURLE_OK;
    }
-    res = Curl_fillreadbuffer(state->conn, state->blksize, &state->sbytes);
-    if(res)
-      return res;
+
+    result = Curl_fillreadbuffer(state->conn, state->blksize, &state->sbytes);
+    if(result)
+      return result;
+
    sbytes = sendto(state->sockfd, (void *) state->spacket.data,
                    4 + state->sbytes, SEND_4TH_ARG,
                    (struct sockaddr *)&state->remote_addr,
@@ -819,7 +823,7 @@ static CURLcode tftp_tx(tftp_state_data_t *state, tftp_event_t event)
    break;
  }

-  return res;
+  return result;
 }

 /**********************************************************
@@ -831,48 +835,47 @@ static CURLcode tftp_tx(tftp_state_data_t *state, tftp_event_t event)
 **********************************************************/
 static CURLcode tftp_translate_code(tftp_error_t error)
 {
-  CURLcode code = CURLE_OK;
+  CURLcode result = CURLE_OK;

  if(error != TFTP_ERR_NONE) {
    switch(error) {
    case TFTP_ERR_NOTFOUND:
-      code = CURLE_TFTP_NOTFOUND;
+      result = CURLE_TFTP_NOTFOUND;
      break;
    case TFTP_ERR_PERM:
-      code = CURLE_TFTP_PERM;
+      result = CURLE_TFTP_PERM;
      break;
    case TFTP_ERR_DISKFULL:
-      code = CURLE_REMOTE_DISK_FULL;
+      result = CURLE_REMOTE_DISK_FULL;
      break;
    case TFTP_ERR_UNDEF:
    case TFTP_ERR_ILLEGAL:
-      code = CURLE_TFTP_ILLEGAL;
+      result = CURLE_TFTP_ILLEGAL;
      break;
    case TFTP_ERR_UNKNOWNID:
-      code = CURLE_TFTP_UNKNOWNID;
+      result = CURLE_TFTP_UNKNOWNID;
      break;
    case TFTP_ERR_EXISTS:
-      code = CURLE_REMOTE_FILE_EXISTS;
+      result = CURLE_REMOTE_FILE_EXISTS;
      break;
    case TFTP_ERR_NOSUCHUSER:
-      code = CURLE_TFTP_NOSUCHUSER;
+      result = CURLE_TFTP_NOSUCHUSER;
      break;
    case TFTP_ERR_TIMEOUT:
-      code = CURLE_OPERATION_TIMEDOUT;
+      result = CURLE_OPERATION_TIMEDOUT;
      break;
    case TFTP_ERR_NORESPONSE:
-      code = CURLE_COULDNT_CONNECT;
+      result = CURLE_COULDNT_CONNECT;
      break;
    default:
-      code= CURLE_ABORTED_BY_CALLBACK;
+      result = CURLE_ABORTED_BY_CALLBACK;
      break;
    }
  }
-  else {
-    code = CURLE_OK;
-  }
+  else
+    result = CURLE_OK;

-  return(code);
+  return result;
 }

 /**********************************************************
@@ -885,20 +888,21 @@ static CURLcode tftp_translate_code(tftp_error_t error)
 static CURLcode tftp_state_machine(tftp_state_data_t *state,
                                   tftp_event_t event)
 {
-  CURLcode res = CURLE_OK;
+  CURLcode result = CURLE_OK;
  struct SessionHandle *data = state->conn->data;
+
  switch(state->state) {
  case TFTP_STATE_START:
    DEBUGF(infof(data, "TFTP_STATE_START\n"));
-    res = tftp_send_first(state, event);
+    result = tftp_send_first(state, event);
    break;
  case TFTP_STATE_RX:
    DEBUGF(infof(data, "TFTP_STATE_RX\n"));
-    res = tftp_rx(state, event);
+    result = tftp_rx(state, event);
    break;
  case TFTP_STATE_TX:
    DEBUGF(infof(data, "TFTP_STATE_TX\n"));
-    res = tftp_tx(state, event);
+    result = tftp_tx(state, event);
    break;
  case TFTP_STATE_FIN:
    infof(data, "%s\n", "TFTP finished");
@@ -906,10 +910,11 @@ static CURLcode tftp_state_machine(tftp_state_data_t *state,
  default:
    DEBUGF(infof(data, "STATE: %d\n", state->state));
    failf(data, "%s", "Internal state machine error");
-    res = CURLE_TFTP_ILLEGAL;
+    result = CURLE_TFTP_ILLEGAL;
    break;
  }
-  return res;
+
+  return result;
 }

 /**********************************************************
@@ -943,7 +948,6 @@ static CURLcode tftp_disconnect(struct connectdata *conn, bool dead_connection)
 **********************************************************/
 static CURLcode tftp_connect(struct connectdata *conn, bool *done)
 {
-  CURLcode code;
  tftp_state_data_t *state;
  int blksize, rc;

@@ -1017,8 +1021,8 @@ static CURLcode tftp_connect(struct connectdata *conn, bool *done)
  Curl_pgrsStartNow(conn->data);

  *done = TRUE;
-  code = CURLE_OK;
-  return(code);
+
+  return CURLE_OK;
 }

 /**********************************************************
@@ -1031,7 +1035,7 @@ static CURLcode tftp_connect(struct connectdata *conn, bool *done)
 static CURLcode tftp_done(struct connectdata *conn, CURLcode status,
                          bool premature)
 {
-  CURLcode code = CURLE_OK;
+  CURLcode result = CURLE_OK;
  tftp_state_data_t *state = (tftp_state_data_t *)conn->proto.tftpc;

  (void)status; /* unused */
@@ -1042,9 +1046,9 @@ static CURLcode tftp_done(struct connectdata *conn, CURLcode status,

  /* If we have encountered an error */
  if(state)
-    code = tftp_translate_code(state->error);
+    result = tftp_translate_code(state->error);

-  return code;
+  return result;
 }

 /**********************************************************
--- a/lib/timeval.c
+++ b/lib/timeval.c
@@ -5,7 +5,7 @@
 *                            | (__| |_| |  _ <| |___
 *                             \___|\___/|_| \_\_____|
 *
- * Copyright (C) 1998 - 2014, Daniel Stenberg, <daniel@haxx.se>, et al.
+ * Copyright (C) 1998 - 2015, Daniel Stenberg, <daniel@haxx.se>, et al.
 *
 * This software is licensed as described in the file COPYING, which
 * you should have received as part of this distribution. The terms
@@ -118,7 +118,7 @@ struct timeval curlx_tvnow(void)
 long curlx_tvdiff(struct timeval newer, struct timeval older)
 {
  return (newer.tv_sec-older.tv_sec)*1000+
-    (newer.tv_usec-older.tv_usec)/1000;
+    (long)(newer.tv_usec-older.tv_usec)/1000;
 }

 /*
--- a/lib/transfer.c
+++ b/lib/transfer.c
@@ -5,7 +5,7 @@
 *                            | (__| |_| |  _ <| |___
 *                             \___|\___/|_| \_\_____|
 *
- * Copyright (C) 1998 - 2014, Daniel Stenberg, <daniel@haxx.se>, et al.
+ * Copyright (C) 1998 - 2015, Daniel Stenberg, <daniel@haxx.se>, et al.
 *
 * This software is licensed as described in the file COPYING, which
 * you should have received as part of this distribution. The terms
@@ -1342,6 +1342,7 @@ CURLcode Curl_pretransfer(struct SessionHandle *data)
 #endif

    Curl_initinfo(data); /* reset session-specific information "variables" */
+    Curl_pgrsResetTimesSizes(data);
    Curl_pgrsStartNow(data);

    if(data->set.timeout)
--- a/lib/url.c
+++ b/lib/url.c
@@ -5,7 +5,7 @@
 *                            | (__| |_| |  _ <| |___
 *                             \___|\___/|_| \_\_____|
 *
- * Copyright (C) 1998 - 2014, Daniel Stenberg, <daniel@haxx.se>, et al.
+ * Copyright (C) 1998 - 2015, Daniel Stenberg, <daniel@haxx.se>, et al.
 *
 * This software is licensed as described in the file COPYING, which
 * you should have received as part of this distribution. The terms
@@ -586,8 +586,13 @@ CURLcode Curl_init_userdefined(struct UserDefined *set)
  /* This is our preferred CA cert bundle/path since install time */
 #if defined(CURL_CA_BUNDLE)
  result = setstropt(&set->str[STRING_SSL_CAFILE], (char *) CURL_CA_BUNDLE);
-#elif defined(CURL_CA_PATH)
+  if(result)
+    return result;
+#endif
+#if defined(CURL_CA_PATH)
  result = setstropt(&set->str[STRING_SSL_CAPATH], (char *) CURL_CA_PATH);
+  if(result)
+    return result;
 #endif

  set->wildcardmatch  = FALSE;
@@ -1997,6 +2002,17 @@ CURLcode Curl_setopt(struct SessionHandle *data, CURLoption option,

    data->set.ssl.verifyhost = (0 != arg)?TRUE:FALSE;
    break;
+  case CURLOPT_SSL_VERIFYSTATUS:
+    /*
+     * Enable certificate status verifying.
+     */
+    if(!Curl_ssl_cert_status_request()) {
+      result = CURLE_NOT_BUILT_IN;
+      break;
+    }
+
+    data->set.ssl.verifystatus = (0 != va_arg(param, long))?TRUE:FALSE;
+    break;
  case CURLOPT_SSL_CTX_FUNCTION:
 #ifdef have_curlssl_ssl_ctx
    /*
--- a/lib/urldata.h
+++ b/lib/urldata.h
@@ -366,6 +366,7 @@ struct ssl_config_data {

  bool verifypeer;       /* set TRUE if this is desired */
  bool verifyhost;       /* set TRUE if CN/SAN must match hostname */
+  bool verifystatus;     /* set TRUE if certificate status must be checked */
  char *CApath;          /* certificate dir (doesn't work on windows) */
  char *CAfile;          /* certificate to verify peer against */
  const char *CRLfile;   /* CRL to check certificate revocation */
--- a/lib/vtls/axtls.c
+++ b/lib/vtls/axtls.c
@@ -6,7 +6,7 @@
 *                             \___|\___/|_| \_\_____|
 *
 * Copyright (C) 2010, DirecTV, Contact: Eric Hu, <ehu@directv.com>.
- * Copyright (C) 2010 - 2014, Daniel Stenberg, <daniel@haxx.se>, et al.
+ * Copyright (C) 2010 - 2015, Daniel Stenberg, <daniel@haxx.se>, et al.
 *
 * This software is licensed as described in the file COPYING, which
 * you should have received as part of this distribution. The terms
@@ -515,12 +515,6 @@ static ssize_t axtls_send(struct connectdata *conn,
  return rc;
 }

-void Curl_axtls_close_all(struct SessionHandle *data)
-{
-  (void)data;
-  infof(data, "  Curl_axtls_close_all\n");
-}
-
 void Curl_axtls_close(struct connectdata *conn, int sockindex)
 {
  struct ssl_connect_data *connssl = &conn->ssl[sockindex];
@@ -677,7 +671,7 @@ int Curl_axtls_random(struct SessionHandle *data,
     * race condition is that some global resources will leak. */
    RNG_initialize();
  }
-  get_random(length, entropy);
+  get_random((int)length, entropy);
  return 0;
 }

--- a/lib/vtls/axtls.h
+++ b/lib/vtls/axtls.h
@@ -8,7 +8,7 @@
 *                             \___|\___/|_| \_\_____|
 *
 * Copyright (C) 2010, DirecTV, Contact: Eric Hu <ehu@directv.com>
- * Copyright (C) 2010 - 2014, Daniel Stenberg, <daniel@haxx.se>, et al.
+ * Copyright (C) 2010 - 2015, Daniel Stenberg, <daniel@haxx.se>, et al.
 *
 * This software is licensed as described in the file COPYING, which
 * you should have received as part of this distribution. The terms
@@ -35,10 +35,6 @@ CURLcode Curl_axtls_connect_nonblocking(
    int sockindex,
    bool *done);

-/* tell axTLS to close down all open information regarding connections (and
-   thus session ID caching etc) */
-void Curl_axtls_close_all(struct SessionHandle *data);
-
 /* close a SSL connection */
 void Curl_axtls_close(struct connectdata *conn, int sockindex);

@@ -50,13 +46,16 @@ int Curl_axtls_random(struct SessionHandle *data,
                      unsigned char *entropy,
                      size_t length);

+/* Set the API backend definition to axTLS */
+#define CURL_SSL_BACKEND CURLSSLBACKEND_AXTLS
+
 /* API setup for axTLS */
 #define curlssl_init Curl_axtls_init
 #define curlssl_cleanup Curl_axtls_cleanup
 #define curlssl_connect Curl_axtls_connect
 #define curlssl_connect_nonblocking Curl_axtls_connect_nonblocking
 #define curlssl_session_free(x)  Curl_axtls_session_free(x)
-#define curlssl_close_all Curl_axtls_close_all
+#define curlssl_close_all(x) ((void)x)
 #define curlssl_close Curl_axtls_close
 #define curlssl_shutdown(x,y) Curl_axtls_shutdown(x,y)
 #define curlssl_set_engine(x,y) ((void)x, (void)y, CURLE_NOT_BUILT_IN)
@@ -66,7 +65,6 @@ int Curl_axtls_random(struct SessionHandle *data,
 #define curlssl_check_cxn(x) Curl_axtls_check_cxn(x)
 #define curlssl_data_pending(x,y) ((void)x, (void)y, 0)
 #define curlssl_random(x,y,z) Curl_axtls_random(x,y,z)
-#define CURL_SSL_BACKEND CURLSSLBACKEND_AXTLS

 #endif /* USE_AXTLS */
 #endif /* HEADER_CURL_AXTLS_H */
--- a/lib/vtls/cyassl.c
+++ b/lib/vtls/cyassl.c
@@ -5,7 +5,7 @@
 *                            | (__| |_| |  _ <| |___
 *                             \___|\___/|_| \_\_____|
 *
- * Copyright (C) 1998 - 2014, Daniel Stenberg, <daniel@haxx.se>, et al.
+ * Copyright (C) 1998 - 2015, Daniel Stenberg, <daniel@haxx.se>, et al.
 *
 * This software is licensed as described in the file COPYING, which
 * you should have received as part of this distribution. The terms
@@ -393,11 +393,6 @@ static ssize_t cyassl_send(struct connectdata *conn,
  return rc;
 }

-void Curl_cyassl_close_all(struct SessionHandle *data)
-{
-  (void)data;
-}
-
 void Curl_cyassl_close(struct connectdata *conn, int sockindex)
 {
  struct ssl_connect_data *conssl = &conn->ssl[sockindex];
--- a/lib/vtls/cyassl.h
+++ b/lib/vtls/cyassl.h
@@ -7,7 +7,7 @@
 *                            | (__| |_| |  _ <| |___
 *                             \___|\___/|_| \_\_____|
 *
- * Copyright (C) 1998 - 2014, Daniel Stenberg, <daniel@haxx.se>, et al.
+ * Copyright (C) 1998 - 2015, Daniel Stenberg, <daniel@haxx.se>, et al.
 *
 * This software is licensed as described in the file COPYING, which
 * you should have received as part of this distribution. The terms
@@ -29,10 +29,6 @@ CURLcode Curl_cyassl_connect(struct connectdata *conn, int sockindex);
 bool Curl_cyassl_data_pending(const struct connectdata* conn,int connindex);
 int Curl_cyassl_shutdown(struct connectdata* conn, int sockindex);

-/* tell CyaSSL to close down all open information regarding connections (and
-   thus session ID caching etc) */
-void Curl_cyassl_close_all(struct SessionHandle *data);
-
 /* close a SSL connection */
 void Curl_cyassl_close(struct connectdata *conn, int sockindex);

@@ -47,13 +43,16 @@ int Curl_cyassl_random(struct SessionHandle *data,
                       unsigned char *entropy,
                       size_t length);

+/* Set the API backend definition to Schannel */
+#define CURL_SSL_BACKEND CURLSSLBACKEND_CYASSL
+
 /* API setup for CyaSSL */
 #define curlssl_init Curl_cyassl_init
 #define curlssl_cleanup() Curl_nop_stmt
 #define curlssl_connect Curl_cyassl_connect
 #define curlssl_connect_nonblocking Curl_cyassl_connect_nonblocking
 #define curlssl_session_free(x)  Curl_cyassl_session_free(x)
-#define curlssl_close_all Curl_cyassl_close_all
+#define curlssl_close_all(x) ((void)x)
 #define curlssl_close Curl_cyassl_close
 #define curlssl_shutdown(x,y) Curl_cyassl_shutdown(x,y)
 #define curlssl_set_engine(x,y) ((void)x, (void)y, CURLE_NOT_BUILT_IN)
@@ -63,7 +62,6 @@ int Curl_cyassl_random(struct SessionHandle *data,
 #define curlssl_check_cxn(x) ((void)x, -1)
 #define curlssl_data_pending(x,y) Curl_cyassl_data_pending(x,y)
 #define curlssl_random(x,y,z) Curl_cyassl_random(x,y,z)
-#define CURL_SSL_BACKEND CURLSSLBACKEND_CYASSL

 #endif /* USE_CYASSL */
 #endif /* HEADER_CURL_CYASSL_H */
--- a/lib/vtls/curl_darwinssl.c
+++ b/lib/vtls/curl_darwinssl.c
@@ -102,7 +102,7 @@
 #include "connect.h"
 #include "select.h"
 #include "vtls.h"
-#include "curl_darwinssl.h"
+#include "darwinssl.h"

 #define _MPRINTF_REPLACE /* use our functions only */
 #include <curl/mprintf.h>
@@ -2229,12 +2229,6 @@ void Curl_darwinssl_close(struct connectdata *conn, int sockindex)
  connssl->ssl_sockfd = 0;
 }

-void Curl_darwinssl_close_all(struct SessionHandle *data)
-{
-  /* SecureTransport doesn't separate sessions from contexts, so... */
-  (void)data;
-}
-
 int Curl_darwinssl_shutdown(struct connectdata *conn, int sockindex)
 {
  struct ssl_connect_data *connssl = &conn->ssl[sockindex];
--- a/lib/vtls/curl_darwinssl.h
+++ b/lib/vtls/curl_darwinssl.h
@@ -8,7 +8,7 @@
 *                             \___|\___/|_| \_\_____|
 *
 * Copyright (C) 2012 - 2014, Nick Zitzmann, <nickzman@gmail.com>.
- * Copyright (C) 2012 - 2014, Daniel Stenberg, <daniel@haxx.se>, et al.
+ * Copyright (C) 2012 - 2015, Daniel Stenberg, <daniel@haxx.se>, et al.
 *
 * This software is licensed as described in the file COPYING, which
 * you should have received as part of this distribution. The terms
@@ -32,9 +32,6 @@ CURLcode Curl_darwinssl_connect_nonblocking(struct connectdata *conn,
                                            int sockindex,
                                            bool *done);

-/* this function doesn't actually do anything */
-void Curl_darwinssl_close_all(struct SessionHandle *data);
-
 /* close a SSL connection */
 void Curl_darwinssl_close(struct connectdata *conn, int sockindex);

@@ -52,13 +49,16 @@ void Curl_darwinssl_md5sum(unsigned char *tmp, /* input */
                           unsigned char *md5sum, /* output */
                           size_t md5len);

+/* Set the API backend definition to SecureTransport */
+#define CURL_SSL_BACKEND CURLSSLBACKEND_DARWINSSL
+
 /* API setup for SecureTransport */
 #define curlssl_init() (1)
 #define curlssl_cleanup() Curl_nop_stmt
 #define curlssl_connect Curl_darwinssl_connect
 #define curlssl_connect_nonblocking Curl_darwinssl_connect_nonblocking
 #define curlssl_session_free(x) Curl_darwinssl_session_free(x)
-#define curlssl_close_all Curl_darwinssl_close_all
+#define curlssl_close_all(x) ((void)x)
 #define curlssl_close Curl_darwinssl_close
 #define curlssl_shutdown(x,y) 0
 #define curlssl_set_engine(x,y) ((void)x, (void)y, CURLE_NOT_BUILT_IN)
@@ -69,7 +69,6 @@ void Curl_darwinssl_md5sum(unsigned char *tmp, /* input */
 #define curlssl_data_pending(x,y) Curl_darwinssl_data_pending(x, y)
 #define curlssl_random(x,y,z) ((void)x, Curl_darwinssl_random(y,z))
 #define curlssl_md5sum(a,b,c,d) Curl_darwinssl_md5sum(a,b,c,d)
-#define CURL_SSL_BACKEND CURLSSLBACKEND_DARWINSSL

 #endif /* USE_DARWINSSL */
 #endif /* HEADER_CURL_DARWINSSL_H */
--- a/lib/vtls/gskit.c
+++ b/lib/vtls/gskit.c
@@ -5,7 +5,7 @@
 *                            | (__| |_| |  _ <| |___
 *                             \___|\___/|_| \_\_____|
 *
- * Copyright (C) 1998 - 2014, Daniel Stenberg, <daniel@haxx.se>, et al.
+ * Copyright (C) 1998 - 2015, Daniel Stenberg, <daniel@haxx.se>, et al.
 *
 * This software is licensed as described in the file COPYING, which
 * you should have received as part of this distribution. The terms
@@ -625,7 +625,7 @@ static CURLcode gskit_connect_step1(struct connectdata *conn, int sockindex)
    sni = (char *) NULL;
    break;
  case CURL_SSLVERSION_SSLv3:
-    protoflags = CURL_GSKPROTO_SSLV2_MASK;
+    protoflags = CURL_GSKPROTO_SSLV3_MASK;
    sni = (char *) NULL;
    break;
  case CURL_SSLVERSION_TLSv1:
@@ -986,13 +986,6 @@ void Curl_gskit_close(struct connectdata *conn, int sockindex)
 }


-void Curl_gskit_close_all(struct SessionHandle *data)
-{
-  /* Unimplemented. */
-  (void) data;
-}
-
-
 int Curl_gskit_shutdown(struct connectdata *conn, int sockindex)
 {
  struct ssl_connect_data *connssl = &conn->ssl[sockindex];
--- a/lib/vtls/gskit.h
+++ b/lib/vtls/gskit.h
@@ -7,7 +7,7 @@
 *                            | (__| |_| |  _ <| |___
 *                             \___|\___/|_| \_\_____|
 *
- * Copyright (C) 1998 - 2014, Daniel Stenberg, <daniel@haxx.se>, et al.
+ * Copyright (C) 1998 - 2015, Daniel Stenberg, <daniel@haxx.se>, et al.
 *
 * This software is licensed as described in the file COPYING, which
 * you should have received as part of this distribution. The terms
@@ -36,12 +36,14 @@ CURLcode Curl_gskit_connect(struct connectdata * conn, int sockindex);
 CURLcode Curl_gskit_connect_nonblocking(struct connectdata *conn,
                                        int sockindex, bool *done);
 void Curl_gskit_close(struct connectdata *conn, int sockindex);
-void Curl_gskit_close_all(struct SessionHandle * data);
 int Curl_gskit_shutdown(struct connectdata *conn, int sockindex);

 size_t Curl_gskit_version(char *buffer, size_t size);
 int Curl_gskit_check_cxn(struct connectdata *cxn);

+/* Set the API backend definition to GSKit */
+#define CURL_SSL_BACKEND CURLSSLBACKEND_GSKIT
+
 /* this backend supports CURLOPT_CERTINFO */
 #define have_curlssl_certinfo 1

@@ -53,7 +55,7 @@ int Curl_gskit_check_cxn(struct connectdata * cxn);

 /*  No session handling for GSKit */
 #define curlssl_session_free(x) Curl_nop_stmt
-#define curlssl_close_all Curl_gskit_close_all
+#define curlssl_close_all(x) ((void)x)
 #define curlssl_close Curl_gskit_close
 #define curlssl_shutdown(x,y) Curl_gskit_shutdown(x,y)
 #define curlssl_set_engine(x,y) CURLE_NOT_BUILT_IN
@@ -63,7 +65,7 @@ int Curl_gskit_check_cxn(struct connectdata * cxn);
 #define curlssl_check_cxn(x) Curl_gskit_check_cxn(x)
 #define curlssl_data_pending(x,y) 0
 #define curlssl_random(x,y,z) -1
-#define CURL_SSL_BACKEND CURLSSLBACKEND_GSKIT
+
 #endif /* USE_GSKIT */

 #endif /* HEADER_CURL_GSKIT_H */
--- a/lib/vtls/gtls.c
+++ b/lib/vtls/gtls.c
@@ -5,7 +5,7 @@
 *                            | (__| |_| |  _ <| |___
 *                             \___|\___/|_| \_\_____|
 *
- * Copyright (C) 1998 - 2014, Daniel Stenberg, <daniel@haxx.se>, et al.
+ * Copyright (C) 1998 - 2015, Daniel Stenberg, <daniel@haxx.se>, et al.
 *
 * This software is licensed as described in the file COPYING, which
 * you should have received as part of this distribution. The terms
@@ -98,6 +98,14 @@ static bool gtls_inited = FALSE;
 #      define HAS_ALPN
 #    endif
 #  endif
+
+#  if (GNUTLS_VERSION_NUMBER >= 0x03020d)
+#    define HAS_OCSP
+#  endif
+#endif
+
+#ifdef HAS_OCSP
+# include <gnutls/ocsp.h>
 #endif

 /*
@@ -618,7 +626,7 @@ gtls_connect_step1(struct connectdata *conn,
      gnutls_alpn_set_protocols(session, protocols, protocols_size, 0);
      infof(data, "ALPN, offering %s, %s\n", NGHTTP2_PROTO_VERSION_ID,
            ALPN_HTTP_1_1);
-      connssl->asked_for_h2 = TRUE;
+      conn->ssl[sockindex].asked_for_h2 = TRUE;
    }
    else {
      infof(data, "SSL, can't negotiate HTTP/2.0 without ALPN\n");
@@ -663,6 +671,16 @@ gtls_connect_step1(struct connectdata *conn,
  /* lowat must be set to zero when using custom push and pull functions. */
  gnutls_transport_set_lowat(session, 0);

+#ifdef HAS_OCSP
+  if(data->set.ssl.verifystatus) {
+    rc = gnutls_ocsp_status_request_enable_client(session, NULL, 0, NULL);
+    if(rc != GNUTLS_E_SUCCESS) {
+      failf(data, "gnutls_ocsp_status_request_enable_client() failed: %d", rc);
+      return CURLE_SSL_CONNECT_ERROR;
+    }
+  }
+#endif
+
  /* This might be a reconnect, so we check for a session ID in the cache
     to speed up things */

@@ -822,6 +840,23 @@ gtls_connect_step3(struct connectdata *conn,
  else
    infof(data, "\t server certificate verification SKIPPED\n");

+#ifdef HAS_OCSP
+  if(data->set.ssl.verifystatus) {
+    if(gnutls_ocsp_status_request_is_checked(session, 0) == 0) {
+      if(verify_status & GNUTLS_CERT_REVOKED)
+        failf(data, "SSL server certificate was REVOKED\n");
+      else
+        failf(data, "SSL server certificate status verification FAILED");
+
+      return CURLE_SSL_INVALIDCERTSTATUS;
+    }
+    else
+      infof(data, "SSL server certificate status verification OK\n");
+  }
+  else
+    infof(data, "SSL server certificate status verification SKIPPED\n");
+#endif
+
  /* initialize an X.509 certificate structure. */
  gnutls_x509_crt_init(&x509_cert);

@@ -1048,7 +1083,7 @@ gtls_connect_step3(struct connectdata *conn,
        conn->negnpn = NPN_HTTP1_1;
      }
    }
-    else if(connssl->asked_for_h2) {
+    else if(conn->ssl[sockindex].asked_for_h2) {
      infof(data, "ALPN, server did not agree to a protocol\n");
    }
  }
@@ -1182,12 +1217,6 @@ static ssize_t gtls_send(struct connectdata *conn,
  return rc;
 }

-void Curl_gtls_close_all(struct SessionHandle *data)
-{
-  /* FIX: make the OpenSSL code more generic and use parts of it here */
-  (void)data;
-}
-
 static void close_one(struct connectdata *conn,
                      int idx)
 {
@@ -1392,4 +1421,13 @@ void Curl_gtls_md5sum(unsigned char *tmp, /* input */
 #endif
 }

+bool Curl_gtls_cert_status_request(void)
+{
+#ifdef HAS_OCSP
+  return TRUE;
+#else
+  return FALSE;
+#endif
+}
+
 #endif /* USE_GNUTLS */
--- a/lib/vtls/gtls.h
+++ b/lib/vtls/gtls.h
@@ -7,7 +7,7 @@
 *                            | (__| |_| |  _ <| |___
 *                             \___|\___/|_| \_\_____|
 *
- * Copyright (C) 1998 - 2014, Daniel Stenberg, <daniel@haxx.se>, et al.
+ * Copyright (C) 1998 - 2015, Daniel Stenberg, <daniel@haxx.se>, et al.
 *
 * This software is licensed as described in the file COPYING, which
 * you should have received as part of this distribution. The terms
@@ -35,10 +35,6 @@ CURLcode Curl_gtls_connect_nonblocking(struct connectdata *conn,
                                       int sockindex,
                                       bool *done);

-/* tell GnuTLS to close down all open information regarding connections (and
-   thus session ID caching etc) */
-void Curl_gtls_close_all(struct SessionHandle *data);
-
 /* close a SSL connection */
 void Curl_gtls_close(struct connectdata *conn, int sockindex);

@@ -53,13 +49,18 @@ void Curl_gtls_md5sum(unsigned char *tmp, /* input */
                      unsigned char *md5sum, /* output */
                      size_t md5len);

+bool Curl_gtls_cert_status_request(void);
+
+/* Set the API backend definition to GnuTLS */
+#define CURL_SSL_BACKEND CURLSSLBACKEND_GNUTLS
+
 /* API setup for GnuTLS */
 #define curlssl_init Curl_gtls_init
 #define curlssl_cleanup Curl_gtls_cleanup
 #define curlssl_connect Curl_gtls_connect
 #define curlssl_connect_nonblocking Curl_gtls_connect_nonblocking
 #define curlssl_session_free(x)  Curl_gtls_session_free(x)
-#define curlssl_close_all Curl_gtls_close_all
+#define curlssl_close_all(x) ((void)x)
 #define curlssl_close Curl_gtls_close
 #define curlssl_shutdown(x,y) Curl_gtls_shutdown(x,y)
 #define curlssl_set_engine(x,y) ((void)x, (void)y, CURLE_NOT_BUILT_IN)
@@ -70,7 +71,7 @@ void Curl_gtls_md5sum(unsigned char *tmp, /* input */
 #define curlssl_data_pending(x,y) ((void)x, (void)y, 0)
 #define curlssl_random(x,y,z) Curl_gtls_random(x,y,z)
 #define curlssl_md5sum(a,b,c,d) Curl_gtls_md5sum(a,b,c,d)
-#define CURL_SSL_BACKEND CURLSSLBACKEND_GNUTLS
+#define curlssl_cert_status_request() Curl_gtls_cert_status_request()

 #endif /* USE_GNUTLS */
 #endif /* HEADER_CURL_GTLS_H */
--- a/lib/vtls/nss.c
+++ b/lib/vtls/nss.c
@@ -5,7 +5,7 @@
 *                            | (__| |_| |  _ <| |___
 *                             \___|\___/|_| \_\_____|
 *
- * Copyright (C) 1998 - 2014, Daniel Stenberg, <daniel@haxx.se>, et al.
+ * Copyright (C) 1998 - 2015, Daniel Stenberg, <daniel@haxx.se>, et al.
 *
 * This software is licensed as described in the file COPYING, which
 * you should have received as part of this distribution. The terms
@@ -60,6 +60,12 @@
 #include <cert.h>
 #include <prerror.h>

+#define NSSVERNUM ((NSS_VMAJOR<<16)|(NSS_VMINOR<<8)|NSS_VPATCH)
+
+#if NSSVERNUM >= 0x030f00 /* 3.15.0 */
+#include <ocsp.h>
+#endif
+
 #include "curl_memory.h"
 #include "rawstr.h"
 #include "warnless.h"
@@ -639,6 +645,34 @@ static SECStatus nss_auth_cert_hook(void *arg, PRFileDesc *fd, PRBool checksig,
                                    PRBool isServer)
 {
  struct connectdata *conn = (struct connectdata *)arg;
+
+#ifdef SSL_ENABLE_OCSP_STAPLING
+  if(conn->data->set.ssl.verifystatus) {
+    SECStatus cacheResult;
+
+    const SECItemArray *csa = SSL_PeerStapledOCSPResponses(fd);
+    if(!csa) {
+      failf(conn->data, "Invalid OCSP response");
+      return SECFailure;
+    }
+
+    if(csa->len == 0) {
+      failf(conn->data, "No OCSP response received");
+      return SECFailure;
+    }
+
+    cacheResult = CERT_CacheOCSPResponseFromSideChannel(
+      CERT_GetDefaultCertDB(), SSL_PeerCertificate(fd),
+      PR_Now(), &csa->items[0], arg
+    );
+
+    if(cacheResult != SECSuccess) {
+      failf(conn->data, "Invalid OCSP response");
+      return cacheResult;
+    }
+  }
+#endif
+
  if(!conn->data->set.ssl.verifypeer) {
    infof(conn->data, "skipping SSL peer certificate verification\n");
    return SECSuccess;
@@ -659,6 +693,8 @@ static void HandshakeCallback(PRFileDesc *sock, void *arg)
  unsigned int buflen;
  SSLNextProtoState state;

+  struct ssl_connect_data *connssl = &conn->ssl[FIRSTSOCKET];
+
  if(!conn->data->set.ssl_enable_npn && !conn->data->set.ssl_enable_alpn) {
    return;
  }
@@ -682,12 +718,11 @@ static void HandshakeCallback(PRFileDesc *sock, void *arg)
    }

    if(buflen == NGHTTP2_PROTO_VERSION_ID_LEN &&
-       memcmp(NGHTTP2_PROTO_VERSION_ID, buf, NGHTTP2_PROTO_VERSION_ID_LEN)
-       == 0) {
+       !memcmp(NGHTTP2_PROTO_VERSION_ID, buf, NGHTTP2_PROTO_VERSION_ID_LEN)) {
      conn->negnpn = NPN_HTTP2;
    }
-    else if(buflen == ALPN_HTTP_1_1_LENGTH && memcmp(ALPN_HTTP_1_1, buf,
-                                                     ALPN_HTTP_1_1_LENGTH)) {
+    else if(buflen == ALPN_HTTP_1_1_LENGTH &&
+            !memcmp(ALPN_HTTP_1_1, buf, ALPN_HTTP_1_1_LENGTH)) {
      conn->negnpn = NPN_HTTP1_1;
    }
  }
@@ -1224,15 +1259,6 @@ void Curl_nss_close(struct connectdata *conn, int sockindex)
  }
 }

-/*
- * This function is called when the 'data' struct is going away. Close
- * down everything and free all resources!
- */
-void Curl_nss_close_all(struct SessionHandle *data)
-{
-  (void)data;
-}
-
 /* return true if NSS can provide error code (and possibly msg) for the
   error */
 static bool is_nss_error(CURLcode err)
@@ -1618,6 +1644,14 @@ static CURLcode nss_setup_connect(struct connectdata *conn, int sockindex)
    SSL_SetPKCS11PinArg(connssl->handle, data->set.str[STRING_KEY_PASSWD]);
  }

+#ifdef SSL_ENABLE_OCSP_STAPLING
+  if(data->set.ssl.verifystatus) {
+    if(SSL_OptionSet(connssl->handle, SSL_ENABLE_OCSP_STAPLING, PR_TRUE)
+        != SECSuccess)
+      goto error;
+  }
+#endif
+
 #ifdef USE_NGHTTP2
  if(data->set.httpversion == CURL_HTTP_VERSION_2_0) {
 #ifdef SSL_ENABLE_NPN
@@ -1906,4 +1940,13 @@ void Curl_nss_md5sum(unsigned char *tmp, /* input */
  PK11_DestroyContext(MD5pw, PR_TRUE);
 }

+bool Curl_nss_cert_status_request(void)
+{
+#ifdef SSL_ENABLE_OCSP_STAPLING
+  return TRUE;
+#else
+  return FALSE;
+#endif
+}
+
 #endif /* USE_NSS */
--- a/lib/vtls/nssg.h
+++ b/lib/vtls/nssg.h
@@ -7,7 +7,7 @@
 *                            | (__| |_| |  _ <| |___
 *                             \___|\___/|_| \_\_____|
 *
- * Copyright (C) 1998 - 2014, Daniel Stenberg, <daniel@haxx.se>, et al.
+ * Copyright (C) 1998 - 2015, Daniel Stenberg, <daniel@haxx.se>, et al.
 *
 * This software is licensed as described in the file COPYING, which
 * you should have received as part of this distribution. The terms
@@ -37,10 +37,6 @@ CURLcode Curl_nss_connect_nonblocking(struct connectdata *conn,
 /* close a SSL connection */
 void Curl_nss_close(struct connectdata *conn, int sockindex);

-/* tell NSS to close down all open information regarding connections (and
-   thus session ID caching etc) */
-void Curl_nss_close_all(struct SessionHandle *data);
-
 int Curl_nss_init(void);
 void Curl_nss_cleanup(void);

@@ -60,6 +56,11 @@ void Curl_nss_md5sum(unsigned char *tmp, /* input */
                     unsigned char *md5sum, /* output */
                     size_t md5len);

+bool Curl_nss_cert_status_request(void);
+
+/* Set the API backend definition to NSS */
+#define CURL_SSL_BACKEND CURLSSLBACKEND_NSS
+
 /* this backend supports the CAPATH option */
 #define have_curlssl_ca_path 1

@@ -74,7 +75,7 @@ void Curl_nss_md5sum(unsigned char *tmp, /* input */

 /* NSS has its own session ID cache */
 #define curlssl_session_free(x) Curl_nop_stmt
-#define curlssl_close_all Curl_nss_close_all
+#define curlssl_close_all(x) ((void)x)
 #define curlssl_close Curl_nss_close
 /* NSS has no shutdown function provided and thus always fail */
 #define curlssl_shutdown(x,y) ((void)x, (void)y, 1)
@@ -86,7 +87,7 @@ void Curl_nss_md5sum(unsigned char *tmp, /* input */
 #define curlssl_data_pending(x,y) ((void)x, (void)y, 0)
 #define curlssl_random(x,y,z) Curl_nss_random(x,y,z)
 #define curlssl_md5sum(a,b,c,d) Curl_nss_md5sum(a,b,c,d)
-#define CURL_SSL_BACKEND CURLSSLBACKEND_NSS
+#define curlssl_cert_status_request() Curl_nss_cert_status_request()

 #endif /* USE_NSS */
 #endif /* HEADER_CURL_NSSG_H */
--- a/lib/vtls/openssl.c
+++ b/lib/vtls/openssl.c
@@ -5,7 +5,7 @@
 *                            | (__| |_| |  _ <| |___
 *                             \___|\___/|_| \_\_____|
 *
- * Copyright (C) 1998 - 2014, Daniel Stenberg, <daniel@haxx.se>, et al.
+ * Copyright (C) 1998 - 2015, Daniel Stenberg, <daniel@haxx.se>, et al.
 *
 * This software is licensed as described in the file COPYING, which
 * you should have received as part of this distribution. The terms
@@ -64,6 +64,9 @@
 #include <openssl/md5.h>
 #include <openssl/conf.h>
 #include <openssl/bn.h>
+#ifndef HAVE_BORINGSSL
+#include <openssl/ocsp.h>
+#endif
 #else
 #include <rand.h>
 #include <x509v3.h>
@@ -81,6 +84,10 @@
 #error "OPENSSL_VERSION_NUMBER not defined"
 #endif

+#if !defined(SSLEAY_VERSION_NUMBER)
+#define SSLEAY_VERSION_NUMBER OPENSSL_VERSION_NUMBER
+#endif
+
 #if OPENSSL_VERSION_NUMBER >= 0x0090581fL
 #define HAVE_SSL_GET1_SESSION 1
 #else
@@ -93,7 +100,7 @@
 #undef HAVE_USERDATA_IN_PWD_CALLBACK
 #endif

-#if OPENSSL_VERSION_NUMBER >= 0x00907001L
+#if OPENSSL_VERSION_NUMBER >= 0x00907001L && !defined(OPENSSL_IS_BORINGSSL)
 /* ENGINE_load_private_key() takes four arguments */
 #define HAVE_ENGINE_LOAD_FOUR_ARGS
 #include <openssl/ui.h>
@@ -102,8 +109,10 @@
 #undef HAVE_ENGINE_LOAD_FOUR_ARGS
 #endif

-#if (OPENSSL_VERSION_NUMBER >= 0x00903001L) && defined(HAVE_OPENSSL_PKCS12_H)
-/* OpenSSL has PKCS 12 support */
+#if (OPENSSL_VERSION_NUMBER >= 0x00903001L) && \
+    defined(HAVE_OPENSSL_PKCS12_H) && \
+    !defined(OPENSSL_IS_BORINGSSL)
+/* OpenSSL has PKCS 12 support, BoringSSL does not */
 #define HAVE_PKCS12_SUPPORT
 #else
 /* OpenSSL/SSLEay does not have PKCS12 support */
@@ -127,7 +136,10 @@
 #define X509_STORE_set_flags(x,y) Curl_nop_stmt
 #endif

-#if OPENSSL_VERSION_NUMBER >= 0x10000000L
+#ifdef OPENSSL_IS_BORINGSSL
+/* BoringSSL has no ERR_remove_state() */
+#define ERR_remove_state(x)
+#elif (OPENSSL_VERSION_NUMBER >= 0x10000000L)
 #define HAVE_ERR_REMOVE_THREAD_STATE 1
 #endif

@@ -137,6 +149,14 @@
 #define OPENSSL_NO_SSL2
 #endif

+#if defined(OPENSSL_IS_BORINGSSL)
+#define NO_RAND_SEED 1
+/* In BoringSSL OpenSSL_add_all_algorithms does nothing */
+#define OpenSSL_add_all_algorithms()
+/* BoringSSL does not have CONF_modules_load_file */
+#define CONF_modules_load_file(a,b,c)
+#endif
+
 /*
 * Number of bytes to read from the random number seed file. This must be
 * a finite value (because some entropy "files" like /dev/urandom have
@@ -177,6 +197,7 @@ static int passwd_callback(char *buf, int num, int encrypting
 * pass in an argument that is never used.
 */

+#ifndef NO_RAND_SEED
 #ifdef HAVE_RAND_STATUS
 #define seed_enough(x) rand_enough()
 static bool rand_enough(void)
@@ -261,7 +282,7 @@ static int ossl_seed(struct SessionHandle *data)
  return nread;
 }

-static int Curl_ossl_seed(struct SessionHandle *data)
+static void Curl_ossl_seed(struct SessionHandle *data)
 {
  /* we have the "SSL is seeded" boolean static to prevent multiple
     time-consuming seedings in vain */
@@ -272,8 +293,11 @@ static int Curl_ossl_seed(struct SessionHandle *data)
    ossl_seed(data);
    ssl_seeded = TRUE;
  }
-  return 0;
 }
+#else
+/* BoringSSL needs no seeding */
+#define Curl_ossl_seed(x)
+#endif


 #ifndef SSL_FILETYPE_ENGINE
@@ -756,7 +780,7 @@ int Curl_ossl_init(void)
 #define CONF_MFLAGS_DEFAULT_SECTION 0x0
 #endif

-  (void)CONF_modules_load_file(NULL, NULL,
+  CONF_modules_load_file(NULL, NULL,
                         CONF_MFLAGS_DEFAULT_SECTION|
                         CONF_MFLAGS_IGNORE_MISSING_FILE);

@@ -1298,6 +1322,133 @@ static CURLcode verifyhost(struct connectdata *conn, X509 *server_cert)

  return result;
 }
+
+#if (OPENSSL_VERSION_NUMBER >= 0x0090808fL) && !defined(OPENSSL_NO_TLSEXT) && \
+    !defined(OPENSSL_IS_BORINGSSL)
+static CURLcode verifystatus(struct connectdata *conn,
+                             struct ssl_connect_data *connssl)
+{
+  int i, ocsp_status;
+  const unsigned char *p;
+  CURLcode result = CURLE_OK;
+  struct SessionHandle *data = conn->data;
+
+  OCSP_RESPONSE *rsp = NULL;
+  OCSP_BASICRESP *br = NULL;
+  X509_STORE     *st = NULL;
+  STACK_OF(X509) *ch = NULL;
+
+  long len = SSL_get_tlsext_status_ocsp_resp(connssl->handle, &p);
+
+  if(!p) {
+    failf(data, "No OCSP response received");
+    result = CURLE_SSL_INVALIDCERTSTATUS;
+    goto end;
+  }
+
+  rsp = d2i_OCSP_RESPONSE(NULL, &p, len);
+  if(!rsp) {
+    failf(data, "Invalid OCSP response");
+    result = CURLE_SSL_INVALIDCERTSTATUS;
+    goto end;
+  }
+
+  ocsp_status = OCSP_response_status(rsp);
+  if(ocsp_status != OCSP_RESPONSE_STATUS_SUCCESSFUL) {
+    failf(data, "Invalid OCSP response status: %s (%d)",
+          OCSP_response_status_str(ocsp_status), ocsp_status);
+    result = CURLE_SSL_INVALIDCERTSTATUS;
+    goto end;
+  }
+
+  br = OCSP_response_get1_basic(rsp);
+  if(!br) {
+    failf(data, "Invalid OCSP response");
+    result = CURLE_SSL_INVALIDCERTSTATUS;
+    goto end;
+  }
+
+  ch = SSL_get_peer_cert_chain(connssl->handle);
+  st = SSL_CTX_get_cert_store(connssl->ctx);
+
+  /* The authorized responder cert in the OCSP response MUST be signed by the
+     peer cert's issuer (see RFC6960 section 4.2.2.2). If that's a root cert,
+     no problem, but if it's an intermediate cert OpenSSL has a bug where it
+     expects this issuer to be present in the chain embedded in the OCSP
+     response. So we add it if necessary. */
+
+  /* First make sure the peer cert chain includes both a peer and an issuer,
+     and the OCSP response contains a responder cert. */
+  if(sk_X509_num(ch) >= 2 && sk_X509_num(br->certs) >= 1) {
+    X509 *responder = sk_X509_value(br->certs, sk_X509_num(br->certs) - 1);
+
+    /* Find issuer of responder cert and add it to the OCSP response chain */
+    for(i = 0; i < sk_X509_num(ch); i++) {
+      X509 *issuer = sk_X509_value(ch, i);
+      if(X509_check_issued(issuer, responder) == X509_V_OK) {
+        if(!OCSP_basic_add1_cert(br, issuer)) {
+          failf(data, "Could not add issuer cert to OCSP response");
+          result = CURLE_SSL_INVALIDCERTSTATUS;
+          goto end;
+        }
+      }
+    }
+  }
+
+  if(OCSP_basic_verify(br, ch, st, 0) <= 0) {
+    failf(data, "OCSP response verification failed");
+    result = CURLE_SSL_INVALIDCERTSTATUS;
+    goto end;
+  }
+
+  for(i = 0; i < sk_OCSP_SINGLERESP_num(br->tbsResponseData->responses); i++) {
+    int cert_status, crl_reason;
+    OCSP_SINGLERESP *single = NULL;
+
+    ASN1_GENERALIZEDTIME *rev, *thisupd, *nextupd;
+
+    if(!sk_OCSP_SINGLERESP_value(br->tbsResponseData->responses, i))
+      continue;
+
+    single = sk_OCSP_SINGLERESP_value(br->tbsResponseData->responses, i);
+
+    cert_status = OCSP_single_get0_status(single, &crl_reason, &rev,
+                                          &thisupd, &nextupd);
+
+    if(!OCSP_check_validity(thisupd, nextupd, 300L, -1L)) {
+      failf(data, "OCSP response has expired");
+      result = CURLE_SSL_INVALIDCERTSTATUS;
+      goto end;
+    }
+
+    infof(data, "SSL certificate status: %s (%d)\n",
+          OCSP_cert_status_str(cert_status), cert_status);
+
+    switch(cert_status) {
+      case V_OCSP_CERTSTATUS_GOOD:
+        break;
+
+      case V_OCSP_CERTSTATUS_REVOKED:
+        result = CURLE_SSL_INVALIDCERTSTATUS;
+
+        failf(data, "SSL certificate revocation reason: %s (%d)",
+              OCSP_crl_reason_str(crl_reason), crl_reason);
+        goto end;
+
+      case V_OCSP_CERTSTATUS_UNKNOWN:
+        result = CURLE_SSL_INVALIDCERTSTATUS;
+        goto end;
+    }
+  }
+
+end:
+  if(br) OCSP_BASICRESP_free(br);
+  OCSP_RESPONSE_free(rsp);
+
+  return result;
+}
+#endif
+
 #endif /* USE_SSLEAY */

 /* The SSL_CTRL_SET_MSG_CALLBACK doesn't exist in ancient OpenSSL versions
@@ -1510,12 +1661,12 @@ select_next_proto_cb(SSL *ssl,
 #endif /* USE_NGHTTP2 */

 static const char *
-get_ssl_version_txt(SSL_SESSION *session)
+get_ssl_version_txt(SSL *ssl)
 {
-  if(!session)
+  if(!ssl)
    return "";

-  switch(session->ssl_version) {
+  switch(SSL_version(ssl)) {
 #if OPENSSL_VERSION_NUMBER >= 0x1000100FL
  case TLS1_2_VERSION:
    return "TLSv1.2";
@@ -1909,6 +2060,13 @@ static CURLcode ossl_connect_step1(struct connectdata *conn, int sockindex)
    failf(data, "SSL: couldn't create a context (handle)!");
    return CURLE_OUT_OF_MEMORY;
  }
+
+#if (OPENSSL_VERSION_NUMBER >= 0x0090808fL) && !defined(OPENSSL_NO_TLSEXT) && \
+    !defined(OPENSSL_IS_BORINGSSL)
+  if(data->set.ssl.verifystatus)
+    SSL_set_tlsext_status_type(connssl->handle, TLSEXT_STATUSTYPE_ocsp);
+#endif
+
  SSL_set_connect_state(connssl->handle);

  connssl->server_cert = 0x0;
@@ -2047,7 +2205,7 @@ static CURLcode ossl_connect_step2(struct connectdata *conn, int sockindex)

    /* Informational message */
    infof(data, "SSL connection using %s / %s\n",
-          get_ssl_version_txt(SSL_get_session(connssl->handle)),
+          get_ssl_version_txt(connssl->handle),
          SSL_get_cipher(connssl->handle));

 #ifdef HAS_ALPN
@@ -2592,6 +2750,22 @@ static CURLcode servercert(struct connectdata *conn,
      infof(data, "\t SSL certificate verify ok.\n");
  }

+#if (OPENSSL_VERSION_NUMBER >= 0x0090808fL) && !defined(OPENSSL_NO_TLSEXT) && \
+    !defined(OPENSSL_IS_BORINGSSL)
+  if(data->set.ssl.verifystatus) {
+    result = verifystatus(conn, connssl);
+    if(result) {
+      X509_free(connssl->server_cert);
+      connssl->server_cert = NULL;
+      return result;
+    }
+  }
+#endif
+
+  if(!strict)
+    /* when not strict, we don't bother about the verify cert problems */
+    result = CURLE_OK;
+
  ptr = data->set.str[STRING_SSL_PINNEDPUBLICKEY];
  if(!result && ptr) {
    result = pkp_pin_peer_pubkey(connssl->server_cert, ptr);
@@ -2671,10 +2845,8 @@ static CURLcode ossl_connect_step3(struct connectdata *conn, int sockindex)
   * operations.
   */

-  if(!data->set.ssl.verifypeer && !data->set.ssl.verifyhost)
-    (void)servercert(conn, connssl, FALSE);
-  else
-    result = servercert(conn, connssl, TRUE);
+  result = servercert(conn, connssl,
+                      (data->set.ssl.verifypeer || data->set.ssl.verifyhost));

  if(!result)
    connssl->connecting_state = ssl_connect_done;
@@ -2935,6 +3107,9 @@ size_t Curl_ossl_version(char *buffer, size_t size)
     to OpenSSL in all other aspects */
  return snprintf(buffer, size, "yassl/%s", YASSL_VERSION);
 #else /* YASSL_VERSION */
+#ifdef OPENSSL_IS_BORINGSSL
+  return snprintf(buffer, size, "BoringSSL");
+#else /* OPENSSL_IS_BORINGSSL */

 #if(SSLEAY_VERSION_NUMBER >= 0x905000)
  {
@@ -2964,14 +3139,10 @@ size_t Curl_ossl_version(char *buffer, size_t size)
    }

    return snprintf(buffer, size, "%s/%lx.%lx.%lx%s",
-#ifdef OPENSSL_IS_BORINGSSL
-                    "BoringSSL"
-#else
 #ifdef LIBRESSL_VERSION_NUMBER
                    "LibreSSL"
 #else
                    "OpenSSL"
-#endif
 #endif
                    , (ssleay_value>>28)&0xf,
                    (ssleay_value>>20)&0xff,
@@ -3005,6 +3176,7 @@ size_t Curl_ossl_version(char *buffer, size_t size)
 #endif /* (SSLEAY_VERSION_NUMBER >= 0x900000) */
 #endif /* SSLEAY_VERSION_NUMBER is less than 0.9.5 */

+#endif /* OPENSSL_IS_BORINGSSL */
 #endif /* YASSL_VERSION */
 }

@@ -3012,8 +3184,9 @@ size_t Curl_ossl_version(char *buffer, size_t size)
 int Curl_ossl_random(struct SessionHandle *data, unsigned char *entropy,
                     size_t length)
 {
-  if(data)
+  if(data) {
    Curl_ossl_seed(data); /* Initiate the seed if not already done */
+  }
  RAND_bytes(entropy, curlx_uztosi(length));
  return 0; /* 0 as in no problem */
 }
@@ -3029,4 +3202,14 @@ void Curl_ossl_md5sum(unsigned char *tmp, /* input */
  MD5_Update(&MD5pw, tmp, tmplen);
  MD5_Final(md5sum, &MD5pw);
 }
+
+bool Curl_ossl_cert_status_request(void)
+{
+#if (OPENSSL_VERSION_NUMBER >= 0x0090808fL) && !defined(OPENSSL_NO_TLSEXT) && \
+    !defined(OPENSSL_IS_BORINGSSL)
+  return TRUE;
+#else
+  return FALSE;
+#endif
+}
 #endif /* USE_SSLEAY */
--- a/lib/vtls/openssl.h
+++ b/lib/vtls/openssl.h
@@ -7,7 +7,7 @@
 *                            | (__| |_| |  _ <| |___
 *                             \___|\___/|_| \_\_____|
 *
- * Copyright (C) 1998 - 2014, Daniel Stenberg, <daniel@haxx.se>, et al.
+ * Copyright (C) 1998 - 2015, Daniel Stenberg, <daniel@haxx.se>, et al.
 *
 * This software is licensed as described in the file COPYING, which
 * you should have received as part of this distribution. The terms
@@ -73,6 +73,11 @@ void Curl_ossl_md5sum(unsigned char *tmp, /* input */
                      unsigned char *md5sum /* output */,
                      size_t unused);

+bool Curl_ossl_cert_status_request(void);
+
+/* Set the API backend definition to OpenSSL */
+#define CURL_SSL_BACKEND CURLSSLBACKEND_OPENSSL
+
 /* this backend supports the CAPATH option */
 #define have_curlssl_ca_path 1

@@ -99,7 +104,7 @@ void Curl_ossl_md5sum(unsigned char *tmp, /* input */
 #define curlssl_data_pending(x,y) Curl_ossl_data_pending(x,y)
 #define curlssl_random(x,y,z) Curl_ossl_random(x,y,z)
 #define curlssl_md5sum(a,b,c,d) Curl_ossl_md5sum(a,b,c,d)
-#define CURL_SSL_BACKEND CURLSSLBACKEND_OPENSSL
+#define curlssl_cert_status_request() Curl_ossl_cert_status_request()

 #define DEFAULT_CIPHER_SELECTION "ALL!EXPORT!EXPORT40!EXPORT56!aNULL!LOW!RC4"

--- a/lib/vtls/polarssl.c
+++ b/lib/vtls/polarssl.c
@@ -6,7 +6,7 @@
 *                             \___|\___/|_| \_\_____|
 *
 * Copyright (C) 2010 - 2011, Hoi-Ho Chan, <hoiho.chan@gmail.com>
- * Copyright (C) 2012 - 2014, Daniel Stenberg, <daniel@haxx.se>, et al.
+ * Copyright (C) 2012 - 2015, Daniel Stenberg, <daniel@haxx.se>, et al.
 *
 * This software is licensed as described in the file COPYING, which
 * you should have received as part of this distribution. The terms
@@ -289,27 +289,36 @@ polarssl_connect_step1(struct connectdata *conn,
  switch(data->set.ssl.version) {
  default:
  case CURL_SSLVERSION_DEFAULT:
+  case CURL_SSLVERSION_TLSv1:
    ssl_set_min_version(&connssl->ssl, SSL_MAJOR_VERSION_3,
                        SSL_MINOR_VERSION_1);
    break;
  case CURL_SSLVERSION_SSLv3:
    ssl_set_min_version(&connssl->ssl, SSL_MAJOR_VERSION_3,
                        SSL_MINOR_VERSION_0);
+    ssl_set_max_version(&connssl->ssl, SSL_MAJOR_VERSION_3,
+                        SSL_MINOR_VERSION_0);
    infof(data, "PolarSSL: Forced min. SSL Version to be SSLv3\n");
    break;
  case CURL_SSLVERSION_TLSv1_0:
    ssl_set_min_version(&connssl->ssl, SSL_MAJOR_VERSION_3,
                        SSL_MINOR_VERSION_1);
+    ssl_set_max_version(&connssl->ssl, SSL_MAJOR_VERSION_3,
+                        SSL_MINOR_VERSION_1);
    infof(data, "PolarSSL: Forced min. SSL Version to be TLS 1.0\n");
    break;
  case CURL_SSLVERSION_TLSv1_1:
    ssl_set_min_version(&connssl->ssl, SSL_MAJOR_VERSION_3,
                        SSL_MINOR_VERSION_2);
+    ssl_set_max_version(&connssl->ssl, SSL_MAJOR_VERSION_3,
+                        SSL_MINOR_VERSION_2);
    infof(data, "PolarSSL: Forced min. SSL Version to be TLS 1.1\n");
    break;
  case CURL_SSLVERSION_TLSv1_2:
    ssl_set_min_version(&connssl->ssl, SSL_MAJOR_VERSION_3,
                        SSL_MINOR_VERSION_3);
+    ssl_set_max_version(&connssl->ssl, SSL_MAJOR_VERSION_3,
+                        SSL_MINOR_VERSION_3);
    infof(data, "PolarSSL: Forced min. SSL Version to be TLS 1.2\n");
    break;
  }
@@ -459,11 +468,11 @@ polarssl_connect_step2(struct connectdata *conn,
    if(next_protocol != NULL) {
      infof(data, "ALPN, server accepted to use %s\n", next_protocol);

-      if(strncmp(next_protocol, NGHTTP2_PROTO_VERSION_ID,
+      if(!strncmp(next_protocol, NGHTTP2_PROTO_VERSION_ID,
                  NGHTTP2_PROTO_VERSION_ID_LEN)) {
        conn->negnpn = NPN_HTTP2;
      }
-      else if(strncmp(next_protocol, ALPN_HTTP_1_1, ALPN_HTTP_1_1_LENGTH)) {
+      else if(!strncmp(next_protocol, ALPN_HTTP_1_1, ALPN_HTTP_1_1_LENGTH)) {
        conn->negnpn = NPN_HTTP1_1;
      }
    }
@@ -544,11 +553,6 @@ static ssize_t polarssl_send(struct connectdata *conn,
  return ret;
 }

-void Curl_polarssl_close_all(struct SessionHandle *data)
-{
-  (void)data;
-}
-
 void Curl_polarssl_close(struct connectdata *conn, int sockindex)
 {
  rsa_free(&conn->ssl[sockindex].rsa);
--- a/lib/vtls/polarssl.h
+++ b/lib/vtls/polarssl.h
@@ -8,7 +8,7 @@
 *                             \___|\___/|_| \_\_____|
 *
 * Copyright (C) 2010, Hoi-Ho Chan, <hoiho.chan@gmail.com>
- * Copyright (C) 2012 - 2014, Daniel Stenberg, <daniel@haxx.se>, et al.
+ * Copyright (C) 2012 - 2015, Daniel Stenberg, <daniel@haxx.se>, et al.
 *
 * This software is licensed as described in the file COPYING, which
 * you should have received as part of this distribution. The terms
@@ -37,10 +37,6 @@ CURLcode Curl_polarssl_connect_nonblocking(struct connectdata *conn,
                                           int sockindex,
                                           bool *done);

-/* tell PolarSSL to close down all open information regarding connections (and
-   thus session ID caching etc) */
-void Curl_polarssl_close_all(struct SessionHandle *data);
-
 /* close a SSL connection */
 void Curl_polarssl_close(struct connectdata *conn, int sockindex);

@@ -48,6 +44,9 @@ void Curl_polarssl_session_free(void *ptr);
 size_t Curl_polarssl_version(char *buffer, size_t size);
 int Curl_polarssl_shutdown(struct connectdata *conn, int sockindex);

+/* Set the API backend definition to PolarSSL */
+#define CURL_SSL_BACKEND CURLSSLBACKEND_POLARSSL
+
 /* this backend supports the CAPATH option */
 #define have_curlssl_ca_path 1

@@ -57,7 +56,7 @@ int Curl_polarssl_shutdown(struct connectdata *conn, int sockindex);
 #define curlssl_connect Curl_polarssl_connect
 #define curlssl_connect_nonblocking Curl_polarssl_connect_nonblocking
 #define curlssl_session_free(x)  Curl_polarssl_session_free(x)
-#define curlssl_close_all Curl_polarssl_close_all
+#define curlssl_close_all(x) ((void)x)
 #define curlssl_close Curl_polarssl_close
 #define curlssl_shutdown(x,y) 0
 #define curlssl_set_engine(x,y) ((void)x, (void)y, CURLE_NOT_BUILT_IN)
@@ -66,7 +65,6 @@ int Curl_polarssl_shutdown(struct connectdata *conn, int sockindex);
 #define curlssl_version Curl_polarssl_version
 #define curlssl_check_cxn(x) ((void)x, -1)
 #define curlssl_data_pending(x,y) ((void)x, (void)y, 0)
-#define CURL_SSL_BACKEND CURLSSLBACKEND_POLARSSL

 /* This might cause libcurl to use a weeker random!
   TODO: implement proper use of Polarssl's CTR-DRBG or HMAC-DRBG and use that
--- a/lib/vtls/curl_schannel.c
+++ b/lib/vtls/curl_schannel.c
@@ -7,7 +7,7 @@
 *
 * Copyright (C) 2012 - 2014, Marc Hoersken, <info@marc-hoersken.de>
 * Copyright (C) 2012, Mark Salisbury, <mark.salisbury@hp.com>
- * Copyright (C) 2012 - 2014, Daniel Stenberg, <daniel@haxx.se>, et al.
+ * Copyright (C) 2012 - 2015, Daniel Stenberg, <daniel@haxx.se>, et al.
 *
 * This software is licensed as described in the file COPYING, which
 * you should have received as part of this distribution. The terms
@@ -38,19 +38,6 @@
 * Thanks for code and inspiration!
 */

-/*
- * TODO list for TLS/SSL implementation:
- * - implement client certificate authentication
- * - implement custom server certificate validation
- * - implement cipher/algorithm option
- *
- * Related articles on MSDN:
- * - Getting a Certificate for Schannel
- *   http://msdn.microsoft.com/en-us/library/windows/desktop/aa375447.aspx
- * - Specifying Schannel Ciphers and Cipher Strengths
- *   http://msdn.microsoft.com/en-us/library/windows/desktop/aa380161.aspx
- */
-
 #include "curl_setup.h"

 #ifdef USE_SCHANNEL
@@ -60,7 +47,7 @@
 #endif

 #include "curl_sspi.h"
-#include "curl_schannel.h"
+#include "schannel.h"
 #include "vtls.h"
 #include "sendf.h"
 #include "connect.h" /* for the connect timeout */
@@ -121,7 +108,7 @@ schannel_connect_step1(struct connectdata *conn, int sockindex)
  struct in6_addr addr6;
 #endif
  TCHAR *host_name;
-  CURLcode code;
+  CURLcode result;

  infof(data, "schannel: SSL/TLS connection with %s port %hu (step 1/3)\n",
        conn->host.name, conn->remote_port);
@@ -269,10 +256,10 @@ schannel_connect_step1(struct connectdata *conn, int sockindex)
        "sending %lu bytes...\n", outbuf.cbBuffer);

  /* send initial handshake data which is now stored in output buffer */
-  code = Curl_write_plain(conn, conn->sock[sockindex], outbuf.pvBuffer,
+  result = Curl_write_plain(conn, conn->sock[sockindex], outbuf.pvBuffer,
                            outbuf.cbBuffer, &written);
  s_pSecFn->FreeContextBuffer(outbuf.pvBuffer);
-  if((code != CURLE_OK) || (outbuf.cbBuffer != (size_t)written)) {
+  if((result != CURLE_OK) || (outbuf.cbBuffer != (size_t) written)) {
    failf(data, "schannel: failed to send initial handshake data: "
          "sent %zd of %lu bytes", written, outbuf.cbBuffer);
    return CURLE_SSL_CONNECT_ERROR;
@@ -302,7 +289,7 @@ schannel_connect_step2(struct connectdata *conn, int sockindex)
  SecBufferDesc inbuf_desc;
  SECURITY_STATUS sspi_status = SEC_E_OK;
  TCHAR *host_name;
-  CURLcode code;
+  CURLcode result;
  bool doread;

  doread = (connssl->connecting_state != ssl_connect_2_writing) ? TRUE : FALSE;
@@ -346,18 +333,20 @@ schannel_connect_step2(struct connectdata *conn, int sockindex)
  for(;;) {
    if(doread) {
      /* read encrypted handshake data from socket */
-      code = Curl_read_plain(conn->sock[sockindex],
-                (char *) (connssl->encdata_buffer + connssl->encdata_offset),
-                          connssl->encdata_length - connssl->encdata_offset,
+      result = Curl_read_plain(conn->sock[sockindex],
+                               (char *) (connssl->encdata_buffer +
+                                         connssl->encdata_offset),
+                               connssl->encdata_length -
+                               connssl->encdata_offset,
                               &nread);
-      if(code == CURLE_AGAIN) {
+      if(result == CURLE_AGAIN) {
        if(connssl->connecting_state != ssl_connect_2_writing)
          connssl->connecting_state = ssl_connect_2_reading;
        infof(data, "schannel: failed to receive handshake, "
              "need more data\n");
        return CURLE_OK;
      }
-      else if((code != CURLE_OK) || (nread == 0)) {
+      else if((result != CURLE_OK) || (nread == 0)) {
        failf(data, "schannel: failed to receive handshake, "
              "SSL/TLS connection failed");
        return CURLE_SSL_CONNECT_ERROR;
@@ -422,10 +411,11 @@ schannel_connect_step2(struct connectdata *conn, int sockindex)
                "sending %lu bytes...\n", outbuf[i].cbBuffer);

          /* send handshake token to server */
-          code = Curl_write_plain(conn, conn->sock[sockindex],
+          result = Curl_write_plain(conn, conn->sock[sockindex],
                                    outbuf[i].pvBuffer, outbuf[i].cbBuffer,
                                    &written);
-          if((code != CURLE_OK) || (outbuf[i].cbBuffer != (size_t)written)) {
+          if((result != CURLE_OK) ||
+             (outbuf[i].cbBuffer != (size_t) written)) {
            failf(data, "schannel: failed to send next handshake data: "
                  "sent %zd of %lu bytes", written, outbuf[i].cbBuffer);
            return CURLE_SSL_CONNECT_ERROR;
@@ -691,7 +681,7 @@ schannel_send(struct connectdata *conn, int sockindex,
  SecBuffer outbuf[4];
  SecBufferDesc outbuf_desc;
  SECURITY_STATUS sspi_status = SEC_E_OK;
-  CURLcode code;
+  CURLcode result;

  /* check if the maximum stream sizes were queried */
  if(connssl->stream_sizes.cbMaximumMessage == 0) {
@@ -797,12 +787,12 @@ schannel_send(struct connectdata *conn, int sockindex,
      }
      /* socket is writable */

-      code = Curl_write_plain(conn, conn->sock[sockindex], data + written,
+      result = Curl_write_plain(conn, conn->sock[sockindex], data + written,
                                len - written, &this_write);
-      if(code == CURLE_AGAIN)
+      if(result == CURLE_AGAIN)
        continue;
-      else if(code != CURLE_OK) {
-        *err = code;
+      else if(result != CURLE_OK) {
+        *err = result;
        written = -1;
        break;
      }
@@ -1121,7 +1111,7 @@ int Curl_schannel_shutdown(struct connectdata *conn, int sockindex)
    SECURITY_STATUS sspi_status;
    SecBuffer outbuf;
    SecBufferDesc outbuf_desc;
-    CURLcode code;
+    CURLcode result;
    TCHAR *host_name;
    DWORD dwshut = SCHANNEL_SHUTDOWN;

@@ -1162,13 +1152,13 @@ int Curl_schannel_shutdown(struct connectdata *conn, int sockindex)
    if((sspi_status == SEC_E_OK) || (sspi_status == SEC_I_CONTEXT_EXPIRED)) {
      /* send close message which is in output buffer */
      ssize_t written;
-      code = Curl_write_plain(conn, conn->sock[sockindex], outbuf.pvBuffer,
+      result = Curl_write_plain(conn, conn->sock[sockindex], outbuf.pvBuffer,
                                outbuf.cbBuffer, &written);

      s_pSecFn->FreeContextBuffer(outbuf.pvBuffer);
-      if((code != CURLE_OK) || (outbuf.cbBuffer != (size_t)written)) {
+      if((result != CURLE_OK) || (outbuf.cbBuffer != (size_t) written)) {
        infof(data, "schannel: failed to send close msg: %s"
-              " (bytes written: %zd)\n", curl_easy_strerror(code), written);
+              " (bytes written: %zd)\n", curl_easy_strerror(result), written);
      }
    }
  }
@@ -1218,10 +1208,15 @@ void Curl_schannel_session_free(void *ptr)
 {
  struct curl_schannel_cred *cred = ptr;

-  if(cred && cred->cached && cred->refcount == 0) {
+  if(cred && cred->cached) {
+    if(cred->refcount == 0) {
      s_pSecFn->FreeCredentialsHandle(&cred->cred_handle);
      Curl_safefree(cred);
    }
+    else {
+      cred->cached = FALSE;
+    }
+  }
 }

 int Curl_schannel_init(void)
--- a/lib/vtls/curl_schannel.h
+++ b/lib/vtls/curl_schannel.h
@@ -8,7 +8,7 @@
 *                             \___|\___/|_| \_\_____|
 *
 * Copyright (C) 2012, Marc Hoersken, <info@marc-hoersken.de>, et al.
- * Copyright (C) 2012 - 2014, Daniel Stenberg, <daniel@haxx.se>, et al.
+ * Copyright (C) 2012 - 2015, Daniel Stenberg, <daniel@haxx.se>, et al.
 *
 * This software is licensed as described in the file COPYING, which
 * you should have received as part of this distribution. The terms
@@ -93,6 +93,9 @@ size_t Curl_schannel_version(char *buffer, size_t size);

 int Curl_schannel_random(unsigned char *entropy, size_t length);

+/* Set the API backend definition to Schannel */
+#define CURL_SSL_BACKEND CURLSSLBACKEND_SCHANNEL
+
 /* API setup for Schannel */
 #define curlssl_init Curl_schannel_init
 #define curlssl_cleanup Curl_schannel_cleanup
@@ -108,7 +111,6 @@ int Curl_schannel_random(unsigned char *entropy, size_t length);
 #define curlssl_version Curl_schannel_version
 #define curlssl_check_cxn(x) ((void)x, -1)
 #define curlssl_data_pending Curl_schannel_data_pending
-#define CURL_SSL_BACKEND CURLSSLBACKEND_SCHANNEL
 #define curlssl_random(x,y,z) ((void)x, Curl_schannel_random(y,z))

 #endif /* USE_SCHANNEL */
--- a/lib/vtls/vtls.c
+++ b/lib/vtls/vtls.c
@@ -848,4 +848,16 @@ void Curl_ssl_md5sum(unsigned char *tmp, /* input */
 #endif
 }

+/*
+ * Check whether the SSL backend supports the status_request extension.
+ */
+bool Curl_ssl_cert_status_request(void)
+{
+#ifdef curlssl_cert_status_request
+  return curlssl_cert_status_request();
+#else
+  return FALSE;
+#endif
+}
+
 #endif /* USE_SSL */
--- a/lib/vtls/vtls.h
+++ b/lib/vtls/vtls.h
@@ -7,7 +7,7 @@
 *                            | (__| |_| |  _ <| |___
 *                             \___|\___/|_| \_\_____|
 *
- * Copyright (C) 1998 - 2014, Daniel Stenberg, <daniel@haxx.se>, et al.
+ * Copyright (C) 1998 - 2015, Daniel Stenberg, <daniel@haxx.se>, et al.
 *
 * This software is licensed as described in the file COPYING, which
 * you should have received as part of this distribution. The terms
@@ -30,8 +30,8 @@
 #include "polarssl.h"       /* PolarSSL versions */
 #include "axtls.h"          /* axTLS versions */
 #include "cyassl.h"         /* CyaSSL versions */
-#include "curl_schannel.h"  /* Schannel SSPI version */
-#include "curl_darwinssl.h" /* SecureTransport (Darwin) version */
+#include "schannel.h"       /* Schannel SSPI version */
+#include "darwinssl.h"      /* SecureTransport (Darwin) version */

 #ifndef MAX_PINNED_PUBKEY_SIZE
 #define MAX_PINNED_PUBKEY_SIZE 1048576 /* 1MB */
@@ -116,9 +116,14 @@ void Curl_ssl_md5sum(unsigned char *tmp, /* input */
 CURLcode Curl_pin_peer_pubkey(const char *pinnedpubkey,
                              const unsigned char *pubkey, size_t pubkeylen);

+bool Curl_ssl_cert_status_request(void);
+
 #define SSL_SHUTDOWN_TIMEOUT 10000 /* ms */

 #else
+/* Set the API backend definition to none */
+#define CURL_SSL_BACKEND CURLSSLBACKEND_NONE
+
 /* When SSL support is not present, just define away these function calls */
 #define Curl_ssl_init() 1
 #define Curl_ssl_cleanup() Curl_nop_stmt
@@ -139,7 +144,7 @@ CURLcode Curl_pin_peer_pubkey(const char *pinnedpubkey,
 #define Curl_ssl_connect_nonblocking(x,y,z) CURLE_NOT_BUILT_IN
 #define Curl_ssl_kill_session(x) Curl_nop_stmt
 #define Curl_ssl_random(x,y,z) ((void)x, CURLE_NOT_BUILT_IN)
-#define CURL_SSL_BACKEND CURLSSLBACKEND_NONE
+#define Curl_ssl_cert_status_request() FALSE
 #endif

 #endif /* HEADER_CURL_VTLS_H */
--- a/packages/OS400/curl.inc.in
+++ b/packages/OS400/curl.inc.in
@@ -517,6 +517,8 @@
     d                 c                   89
     d  CURLE_SSL_PINNEDPUBKEYNOTMATCH...
     d                 c                   90
+     d  CURLE_SSL_INVALIDCERTSTATUS...
+     d                 c                   91
      *
      /if not defined(CURL_NO_OLDIES)
     d  CURLE_URL_MALFORMAT_USER...
@@ -1203,6 +1205,8 @@
     d                 c                   10230
     d  CURLOPT_UNIX_SOCKET_PATH...
     d                 c                   10231
+     d  CURLOPT_CURLOPT_SSL_VERIFYSTATUS...
+     d                 c                   00232
      *
      /if not defined(CURL_NO_OLDIES)
     d  CURLOPT_FILE   c                   10001
--- a/packages/Symbian/group/libcurl.mmp
+++ b/packages/Symbian/group/libcurl.mmp
@@ -38,9 +38,9 @@ SOURCE \
  vtls/axtls.c idn_win32.c http_negotiate_sspi.c vtls/cyassl.c         \
  http_proxy.c non-ascii.c asyn-ares.c asyn-thread.c curl_gssapi.c     \
  curl_ntlm.c curl_ntlm_wb.c curl_ntlm_core.c curl_ntlm_msgs.c         \
-  curl_sasl.c vtls/curl_schannel.c curl_multibyte.c                    \
-  vtls/curl_darwinssl.c bundles.c conncache.c curl_sasl_sspi.c smb.c   \
-  curl_sasl_gssapi.c curl_endian.c
+  curl_sasl.c vtls/schannel.c curl_multibyte.c vtls/darwinssl.c        \
+  bundles.c conncache.c curl_sasl_sspi.c smb.c curl_sasl_gssapi.c      \
+  curl_endian.c curl_des.c

 USERINCLUDE   ../../../lib ../../../include/curl
 #ifdef ENABLE_SSL
--- a/packages/vms/gnv_link_curl.com
+++ b/packages/vms/gnv_link_curl.com
@@ -173,9 +173,17 @@ $       full_version = f$element(1, " ", hp_ssl_version)
 $       ver_maj = f$element(0, ".", full_version)
 $       ver_min = f$element(1, ".", full_version)
 $       ver_patch = f$element(2, ".", full_version)
+$!      ! ver_patch is typically both a number and some letters
 $       ver_patch_len = f$length(ver_patch)
-$       ver_patchnum = f$extract(0, ver_patch_len - 1, ver_patch)
-$       ver_patchltr = f$extract(ver_patch_len - 1, 1, ver_patch)
+$       ver_patchltr = ""
+$ver_patch_loop:
+$           ver_patchltr_c = f$extract(ver_patch_len - 1, 1, ver_patch)
+$           if ver_patchltr_c .les. "9" then goto ver_patch_loop_end
+$           ver_patchltr = ver_patchltr_c + ver_patchltr
+$           ver_patch_len = ver_patch_len - 1
+$           goto ver_patch_loop
+$ver_patch_loop_end:
+$       ver_patchnum = ver_patch - ver_patchltr
 $       if 'ver_maj' .ge. 0
 $       then
 $           if 'ver_min' .ge. 9
@@ -186,6 +194,7 @@ $                   if ver_patchltr .ges. "w" then use_hp_ssl = 1
 $               endif
 $           endif
 $       endif
+$set nover
 $       if use_hp_ssl .eq. 0
 $       then
 $           write sys$output -
--- a/projects/Windows/VC10/curl-all.sln
+++ b/projects/Windows/VC10/curl-all.sln
--- a/projects/Windows/VC10/lib/libcurl.tmpl
+++ b/projects/Windows/VC10/lib/libcurl.tmpl
--- a/projects/Windows/VC10/src/curlsrc.tmpl
+++ b/projects/Windows/VC10/src/curlsrc.tmpl
--- a/projects/Windows/VC11/curl-all.sln
+++ b/projects/Windows/VC11/curl-all.sln
--- a/Show More
+++ b/Show More