- Linux TFO + TLS is not implemented yet.

Bug: https://github.com/curl/curl/issues/907

- Curl_ipv6works() is not thread-safe until after the first call, so
call it once during global init to avoid a possible race condition.

Bug: https://github.com/curl/curl/issues/915
PR: https://github.com/curl/curl/pull/918

Closes https://github.com/curl/curl/pull/913

Closes https://github.com/curl/curl/pull/911

Reported-by: Gou Lingfeng
Bug: https://curl.haxx.se/mail/lib-2016-06/0139.html

- the expression of an 'if' was always true
- a 'while' contained a condition that was always true
- use 'if(k->exp100 > EXP100_SEND_DATA)' instead of 'if(k->exp100)'
- fixed a typo

Closes #889

... as otherwise we could get a 0 which would count as no error and we'd
wrongly continue and could end up segfaulting.

Bug: https://curl.haxx.se/mail/lib-2016-06/0052.html
Reported-by: 暖和的和暖

Necessary since 6cabd785

Fixes #853

Broken since 6cabd785, which adds use of the Curl_extract_certinfo
function from the x509asn1.c file.

... and save the typedef'ed names for headers and external APIs.

Prior to this change we called Curl_ssl_getsessionid and
Curl_ssl_addsessionid regardless of whether session ID reusing was
enabled. According to comments that is in case session ID reuse was
disabled but then later enabled.

The old way was not intuitive and probably not something users expected.
When a user disables session ID caching I'd guess they don't expect the
session ID to be cached anyway in case the caching is later enabled.

Closes #887

Regression introduced in 5f5b6263 (released in 7.48.0)

Reported-by: Fabian Ruff
Fixes #875

- Enable protocol family logic for IPv6 resolves even when support
for synthesized addresses is enabled.

This is a follow up to the parent commit that added support for
synthesized IPv6 addresses from IPv4 on iOS/OS X. The protocol family
logic needed for IPv6 was inadvertently excluded if support for
synthesized addresses was enabled.

Bug: https://github.com/curl/curl/issues/863
Ref: https://github.com/curl/curl/pull/866
Ref: https://github.com/curl/curl/pull/867

Use getaddrinfo() to resolve the IPv4 address literal on iOS/Mac OS X.
If the current network interface doesn’t support IPv4, but supports
IPv6, NAT64, and DNS64.

Closes #866
Fixes #863

Calling QueryContextAttributes with SECPKG_ATTR_APPLICATION_PROTOCOL
fails on Windows < 8.1 so we need to disable ALPN on these OS versions.

Inspiration provide by: Daniel Seither

Closes #848
Fixes #840

LoadLibrary was supplanted by Curl_load_library for security
reasons in 6df916d7.

- Change the parser to not require a minor version for HTTP/2.

HTTP/2 connection reuse broke when we changed from HTTP/2.0 to HTTP/2
in 8243a958 because the parser still expected a minor version.

Bug: https://github.com/curl/curl/issues/855
Reported-by: Andrew Robbins, Frank Gevaerts

connect.c:952:5: warning: suggest explicit braces to avoid ambiguous 'else'

Closes #845

Dependency added by 6cabd785

Closes #849

Sessionid cache management is inseparable from managing individual
session lifetimes. E.g. for reference-counted sessions (like those in
SChannel and OpenSSL engines) every session addition and removal
should be accompanied with refcount increment and decrement
respectively. Failing to do so synchronously leads to a race condition
that causes symptoms like use-after-free and memory corruption.
This commit:
 - makes existing session cache locking explicit, thus allowing
   individual engines to manage lock's scope.
 - fixes OpenSSL and SChannel engines by putting refcount management
   inside this lock's scope in relevant places.
 - adds these explicit locking calls to other engines that use
   sessionid cache to accommodate for this change. Note, however,
   that it is unknown whether any of these engines could also have
   this race.

Bug: https://github.com/curl/curl/issues/815
Fixes #815
Closes #847

Closes #822

... to make it not look like an OpenSSL function

Closes #844

Mostly in order to support broken web sites that redirect to broken URLs
that are accepted by browsers.

Browsers are typically even more leniant than this as the WHATWG URL
spec they should allow an _infinite_ amount. I tested 8000 slashes with
Firefox and it just worked.

Added test case 1141, 1142 and 1143 to verify the new parser.

Closes #791

Closes #837

Closes #838

Adds access to the effectively used http version to both libcurl and
curl.

Closes #799

With OPENSSL_NO_COMP defined, there is no function
SSL_COMP_free_compression_methods

Closes #836

Fixes #828

Inspiration provided by: Daniel Stenberg and Ray Satiro

Bug: https://curl.haxx.se/docs/adv_20160530.html

Ref: Windows DLL hijacking with curl, CVE-2016-4802

The statvfs functionality was added to libssh2 in that version, so we
switch off that functionality when built with older libraries.

Fixes #831