... only call it when there is data arriving for another handle than the
one that is currently driving it.

Improves single-stream download performance quite a lot.

Thanks-to: Tatsuhiro Tsujikawa
Bug: http://curl.haxx.se/mail/lib-2015-09/0097.html

... as otherwise a really fast pipe can "lock" one transfer for some
protocols, like with HTTP/2.

... don't try to increase the supposed file size on newlines if we don't
know what file size it is!

Patch-by: lzsiga

Closes #457

If GnuTLS fails to read the certificate then include whatever reason it
provides in the failure message reported to the client.

Signed-off-by: Mike Crowe <mac@mcrowe.com>

The gnutls vtls back-end was previously ignoring any password set via
CURLOPT_KEYPASSWD. Presumably this was because
gnutls_certificate_set_x509_key_file did not support encrypted keys.

gnutls now has a gnutls_certificate_set_x509_key_file2 function that
does support encrypted keys. Let's determine at compile time whether the
available gnutls supports this new function. If it does then use it to
pass the password. If it does not then emit a helpful diagnostic if a
password is set. This is preferable to the previous behaviour of just
failing to read the certificate without giving a reason in that case.

Signed-off-by: Mike Crowe <mac@mcrowe.com>

... even for those that don't support providing anything in the
'internals' struct member since it offers a convenient way for
applications to figure this out.

- Change the designator name we use to show the base64 encoded sha256
hash of the server's public key from 'pinnedpubkey' to
'public key hash'.

Though the server's public key hash is only shown when comparing pinned
public key hashes, the server's hash may not match one of the pinned.

With NTLM a new connection will always require authentication.
Fixes #435

Add a "pinnedpubkey" section to the "Server Certificate" verbose

Bug: https://github.com/bagder/curl/issues/410
Reported-by: W. Mark Kubacki

Closes #430
Closes #410

Introduced with commit 65d141e6

Closes #440

Fixes #427

Without this workaround, NSS re-uses a session cache entry despite the
server name does not match.  This causes SNI host name to differ from
the actual host name.  Consequently, certain servers (e.g. github.com)
respond by 400 to such requests.

Bug: https://bugzilla.mozilla.org/1202264

... without sha256 support and no define saying so.

Reported-by: Rajkumar Mandal

Bug: https://github.com/bagder/curl/pull/411
Reported-by: Viktor Szakats

If the port number in the proxy string ended weirdly or the number is
too large, skip it. Mostly as a means to bail out early if a "bare" IPv6
numerical address is used without enclosing brackets.

Also mention the bracket requirement for IPv6 numerical addresses to the
man page for CURLOPT_PROXY.

Closes #415

Reported-by: Marcel Raad

In some timing-dependnt cases when a 4xx response immediately followed
after a 150 when a STOR was issued, this function would wrongly return
'complete == true' while 'wait_data_conn' was still set.

Closes #405

Reported-by: Patricia Muscalu

It causes dynamic linking issues at run-time after an update of NSS.

Bug: https://lists.fedoraproject.org/pipermail/devel/2015-September/214117.html

RFC 7540 section 8.1.2.2 states: "An endpoint MUST NOT generate an
HTTP/2 message containing connection-specific header fields; any message
containing connection-specific header fields MUST be treated as
malformed"

Closes #401

This fixes another run-time check failure because of a narrowing cast on
Visual C++.

Closes #408

Introduced in commit 59f3f92b this function is only implemented when
CURL_DISABLE_CRYPTO_AUTH is not defined. As such we shouldn't define
the function in the header file either.

In places the "host name" and "realm" variable was referred to as
"instance" whilst in others it was referred to as "host".

Set HAVE_DES_SET_ODD_PARITY when using OpenSSL/BoringSSL as native
Windows builds don't use the autoconf tools.

curl_ntlm_core.c:150: warning 'Curl_des_set_odd_parity' undefined;
                      assuming extern returning int

But kept the original author, when they were specified in a comment, as
the initial copyright holder.

Closes #399

This patch addresses known bug #76, where on 64-bit Windows SOCKET is 64
bits wide, but long is only 32, making CURLINFO_LASTSOCKET unreliable.

Signed-off-by: Razvan Cojocaru <rcojocaru@bitdefender.com>

Leftovers from when we removed the private socket hash.

Coverity CID 1317365, "Logically dead code"

Coverity CID 1317367, "Missing break in switch"

"Explicit null dereferenced (FORWARD_NULL)"

Coverity CID 1317366

- Add new option CURLOPT_DEFAULT_PROTOCOL to allow specifying a default
protocol for schemeless URLs.

- Add new tool option --proto-default to expose
CURLOPT_DEFAULT_PROTOCOL.

In the case of schemeless URLs libcurl will behave in this way:

When the option is used libcurl will use the supplied default.

When the option is not used, libcurl will follow its usual plan of
guessing from the hostname and falling back to 'http'.

... so improve the #ifdefs for using our local implementation.

If strict certificate checking is disabled (CURLOPT_SSL_VERIFYPEER
and CURLOPT_SSL_VERIFYHOST are disabled) do not fail if the server
doesn't present a certificate at all.

Closes #392

The multi state machine would otherwise go into the DO_MORE state after
DO, even for the case when the FTP state machine had already performed
those duties, which caused libcurl to get stuck in that state and fail
miserably. This occured for for active ftp uploads.

Reported-by: Patricia Muscalu

Based-on-patch-by: Jim Hollinger