Certificates based on SHA-1 are being phased out[1].
So we should expect a rise in certificates based on SHA-2.
Adding SHA-384 as a valid signature algorithm.

[1] https://blog.mozilla.org/security/2014/09/23/phasing-out-certificates-with-sha-1-based-signature-algorithms/



Signed-off-by: Bruno Thomsen <bth@kamstrup.dk>

cppcheck pointed these out.

cppcheck pointed this out.

This change allows runtests.pl to be run from the CMake builddir:

    export srcdir=/tmp/curl/tests;
    perl -I$srcdir $srcdir/runtests.pl -l

In order to make this possible, all test cases have been moved from
Makefile.am to Makefile.inc.

Signed-off-by: Peter Wu <peter@lekensteyn.nl>

ENABLE_IPV6 depends on HAVE_GETADDRINFO or you will get a
Curl_getaddrinfo_ex error. Enable IPv6 by default, disabling it if
struct sockaddr_in6 is not found in netinet/in.h.

Note that HAVE_GETADDRINFO_THREADSAFE is still not set as it needs more
platform checks even though POSIX requires a thread-safe getaddrinfo.

Verified on Arch Linux x86_64 with glibc 2.20-2 and Linux 3.16-rc7.

Signed-off-by: Peter Wu <peter@lekensteyn.nl>

Rather than always outputting an empty manual page for the '-M' option,
generate a full manual page as done by autotools. For simplicity in
CMake, always generate the gzipped page as it will not be used anyway
when zlib is not available.

Signed-off-by: Peter Wu <peter@lekensteyn.nl>

The 2to3 tool converted socketserver (which I manually fixed up with an
import fallback) and the print(e) line. The xrange option was converted
to range, but it seems better to use the '*' operator here for
simplicity.

Signed-off-by: Peter Wu <peter@lekensteyn.nl>

... and bumped the planned release version.

It turned out some features were not enabled in the build since for
example url.c #ifdefs on features that are defined on a per-backend
basis but vtls.h didn't include the backend headers.

CURLOPT_CERTINFO was one such feature that was accidentally disabled.

Similar to test 76 but that test's URL has a slash just no file name
part.

Change 987a4a73 assumes that as it simplifies life in the calling
function.

Reported-by: Fabian Keil

It tries hard to recognise SDK's on different platforms. On windows MIT
Kerberos installs SDK with other things and puts path into registry.
Heimdal have separate zip archive. On linux pkg-config is tried, then
krb5-config script and finally old-style libs and headers detection.

Command line args:
* CMAKE_USE_GSSAPI - enables GSSAPI detection
* GSS_ROOT_DIR - if set, should point to the root of GSSAPI installation
                 (the one with include and lib directories)

There is no need for such function. Include_directories propagate by
themselves and having a function with one simple link statement makes
little sense.

Because we prepended libraries to list, CMake had troubles resolving
link directory order as it detected some cycles. Appending to list ensures
that dependencies will preceed dependees.

The list must be set after those nice CMake tests as we mess with
CMAKE_REQUIRED_LIBRARIES there.

OpenLDAP might have been build with OpenSSL. Checking for OpenLDAP first
may result in undefined symbols. Of course, the found OpenSSL libraries
must also be linked whenever OpenLDAP is.

This fixes a copy-paste mistake from commit 2968f957.

Coverity CID 252518. This function is in general far too complicated for
its own good and really should be broken down into several smaller
funcitons instead - but I'm adding this protection here now since it
seems there's a risk the code flow can end up here and dereference a
NULL pointer.

Coverity CID 1241948. dumpeasysrc() would get called with
config->current set to NULL which could be dereferenced by a warnf()
call.

Coverity CID 1241951. The condition 'len >= 0' would always be true at
that point and thus not necessary to check for.

Coverity CID 1241957. Removed the unused argument. As this struct and
pointer now are used only for krb5, there's no need to keep unused
function arguments around.

Coverity CID 1243583. get_url_file_name() cannot fail and return a NULL
file name pointer so skip the check for that - it tricks coverity into
believing it can happen and it then warns later on when we use 'outfile'
without checking for NULL.

Reported-By: Luan Cestari

Option --pinnedpubkey takes a path to a public key in DER format and
only connect if it matches (currently only implemented with OpenSSL).

Provides CURLOPT_PINNEDPUBLICKEY for curl_easy_setopt().

Extract a public RSA key from a website like so:
openssl s_client -connect google.com:443 2>&1 < /dev/null | \
sed -n '/-----BEGIN/,/-----END/p' | openssl x509 -noout -pubkey \
| openssl rsa -pubin -outform DER > google.com.der

Coverity CID 1202837. 'newurl' can in fact be allocated even when
Curl_retry_request() returns failure so free it if need be.