... for the local variable name in functions holding the return
code. Using the same name universally makes code easier to read and
follow.

Also, unify code for checking for CURLcode errors with:

 if(result) or if(!result)

instead of

 if(result == CURLE_OK), if(CURLE_OK == result) or if(result != CURLE_OK)

Detected by cppcheck.

Detected by cppcheck.

Variable already assigned a few lines up.

Detected by cppcheck.

The variable is already assigned, skip the duplicate assignment.

Pointed out by cppcheck.

Prefer usage of Perl modules for sha1 calculation since there
might be systems where openssl is not installed or not in path.
If openssl is used for sha1 calculation then dont rely on cut
since it is usually not available on other systems than Linux.

Bug: http://curl.haxx.se/bug/view.cgi?id=1437
Reported-by: Julien

This is not actually used uninitialized but we silence warnings.

Bug: http://curl.haxx.se/bug/view.cgi?id=1437
Reported-by: Julien

... when the handshake succeeds

This fixes a connection failure when FTPS handle is reused.

Updated the info text when the base-64 decode of the type-2 message
returns a null buffer to be more specific.

Certificates based on SHA-1 are being phased out[1].
So we should expect a rise in certificates based on SHA-2.
Adding SHA-384 as a valid signature algorithm.

[1] https://blog.mozilla.org/security/2014/09/23/phasing-out-certificates-with-sha-1-based-signature-algorithms/



Signed-off-by: Bruno Thomsen <bth@kamstrup.dk>

cppcheck pointed these out.

cppcheck pointed this out.

It turned out some features were not enabled in the build since for
example url.c #ifdefs on features that are defined on a per-backend
basis but vtls.h didn't include the backend headers.

CURLOPT_CERTINFO was one such feature that was accidentally disabled.

There is no need for such function. Include_directories propagate by
themselves and having a function with one simple link statement makes
little sense.

This fixes a copy-paste mistake from commit 2968f957.

Coverity CID 252518. This function is in general far too complicated for
its own good and really should be broken down into several smaller
funcitons instead - but I'm adding this protection here now since it
seems there's a risk the code flow can end up here and dereference a
NULL pointer.

Coverity CID 1241951. The condition 'len >= 0' would always be true at
that point and thus not necessary to check for.

Coverity CID 1241957. Removed the unused argument. As this struct and
pointer now are used only for krb5, there's no need to keep unused
function arguments around.

Option --pinnedpubkey takes a path to a public key in DER format and
only connect if it matches (currently only implemented with OpenSSL).

Provides CURLOPT_PINNEDPUBLICKEY for curl_easy_setopt().

Extract a public RSA key from a website like so:
openssl s_client -connect google.com:443 2>&1 < /dev/null | \
sed -n '/-----BEGIN/,/-----END/p' | openssl x509 -noout -pubkey \
| openssl rsa -pubin -outform DER > google.com.der

Coverity CID 1202837. 'newurl' can in fact be allocated even when
Curl_retry_request() returns failure so free it if need be.

Coverity CID 1243581. 'conn' will never be NULL here, and if it would be
the subsequent statement would dereference it!

just a minor code style thing to make the code clearer

First try to fix possible memory leaks, in this case:
Only connssl->ctxt xor onnssl->cred being initialized.

Coverity CID 1241950. The pointer is never NULL but it might point to
NULL.

Coverity CID 1241947. Since if sscanf() fails, the previously set value
remains set.

Coverity pointed out several of these.