Ref: https://github.com/curl/curl/issues/1002

Compare these settings in Curl_ssl_config_matches():
- verifystatus (CURLOPT_SSL_VERIFYSTATUS)
- random_file (CURLOPT_RANDOM_FILE)
- egdsocket (CURLOPT_EGDSOCKET)

Also copy the setting "verifystatus" in Curl_clone_primary_ssl_config(),
and copy the setting "sessionid" unconditionally.

This means that reusing connections that are secured with a client
certificate is now possible, and the statement "TLS session resumption
is disabled when a client certificate is used" in the old advisory at
https://curl.haxx.se/docs/adv_20170419.html is obsolete.

Reviewed-by: Daniel Stenberg

Closes #1917

Reviewed-by: Daniel Stenberg

Closes #1919

... now with a -formadd suffix. While the new mime API is introduced in
7.56.0 we must acknowledge that lots of users can't upgrade their curl
versions immediately.

... a single double quote could leave the entry path buffer without a zero
terminating byte. CVE-2017-1000254

Test 1152 added to verify.

Reported-by: Max Dymond
Bug: https://curl.haxx.se/docs/adv_20171004.html

Fixes https://github.com/curl/curl/issues/1500
Reported-by: Jay Satiro

Fixes https://github.com/curl/curl/pull/1662


Assisted-by: Tom Seddon
Assisted-by:  <dpull@users.noreply.github.com>
Assisted-by:  <elelel@users.noreply.github.com>

Closes https://github.com/curl/curl/pull/1924

Include a guide to form/mime API conversion.

... this will let the second occurance override the first.

Added test 1161 to verify.

Reported-by: Max Dymond
Fixes #1932
Closes #1933

Otherwise, the test fails when the -b test option is used to set a
different test port range.

When curl and libcurl are built with some protocols disabled, they stop
setting and receiving some options that don't make sense with those
protocols.  In particular, when HTTP is disabled many options aren't set
that are used only by HTTP.  However, some options that appear to be
HTTP-only are actually used by other protocols as well (some despite
having HTTP in the name) and should be set, but weren't. This change now
causes some of these options to be set and used for more (or for all)
protocols. In particular, this fixes tests 646 through 649 in an
HTTP-disabled build, which use the MIME API in the mail protocols.

The fix done in 20ea22ff

Regression brought by 2bc230de

Detected by OSS-fuzz: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=3513
Assisted-by: Max Dymond

Closes #1930

The timer should be started after conn->connecttime is set. Otherwise
the timer could expire without this condition being true:

    /* should we try another protocol family? */
    if(i == 0 && conn->tempaddr[1] == NULL &&
      curlx_tvdiff(now, conn->connecttime) >= HAPPY_EYEBALLS_TIMEOUT) {

Ref: #1928

Closes #1922

Closes #1921

Closes #1920

A connection can only be reused if the flags "conn_to_host" and
"conn_to_port" match. Therefore it is not necessary to copy these flags
in reuse_conn().

Closes #1918

When building with -std=c++14 on cygwin, this header won't be
automatically included as it otherwise is.

The <sys/select.h> include decision should ideally be reversed and be
avoided where that header file doesn't exist.

Reported-by: Ian Fette
Fixes #1925

.. and include the core NTLM header in all NTLM-related source files.

Follow up to 6f86022d. Since then http_ntlm checks NTLM_NEEDS_NSS_INIT
but did not include vtls.h where it was defined.

Closes https://github.com/curl/curl/pull/1911

When trying to bump the value with one and the value is already at max,
it causes an integer overflow.

Closes #1908
Detected by oss-fuzz:
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=3465

Assisted-by: Max Dymond

- Use spaces instead of tabs as the delimiter.

Follow up to 7c52b12d which added the entry. The entry had used tabs but
the symbol-scan parser doesn't recognize tabs and would fail the symbol.

In MultiSSL mode (i.e. when more than one SSL backend is compiled
in), we cannot use the compile time flag `USE_NSS` as indicator that
the NSS backend is in use. As far as Metalink is concerned, the SSL
backend is only used for MD5, SHA-1 and SHA-256 calculations,
therefore one of the available SSL backends is selected at compile
time, in a strict order of preference.

Let's introduce a new `HAVE_NSS_CONTEXT` constant that can be used
to determine whether the SSL backend used for Metalink is the NSS
backend, and use that to guard the code that wants to de-initialize
the NSS-specific data structure.

Ref: https://github.com/curl/curl/pull/1848

With the recently introduced MultiSSL support multiple SSL backends
can be compiled into cURL That means that now the order of the SSL

One option would be to use the same SSL backend as was configured
via `curl_global_sslset()`, however, NTLMv2 support would appear
to be available only with some SSL backends. For example, when
eb88d778 (ntlm: Use Windows Crypt API, 2014-12-02) introduced
support for NTLMv1 using Windows' Crypt API, it specifically did
*not* introduce NTLMv2 support using Crypt API at the same time.

So let's select one specific SSL backend for NTLM support when
compiled with multiple SSL backends, using a priority order such
that we support NTLMv2 even if only one compiled-in SSL backend can
be used for that.

Ref: https://github.com/curl/curl/pull/1848

...fixup from b8e0fe19

Updates test 800 to verify

Fixes #1902
Closes #1903

... as the test cases themselves do that and it makes it easier to add
crazy test cases.

Test 800 updated to use user name + password that need quoting.

Test 856 updated to trigger an auth fail differently.

Ref: #1902

... it just returns error:

Bug: https://github.com/curl/curl/commit/1328f69d53f2f2e937696ea954c480412b018451#commitcomment-24470367
Reported-by: Marcel Raad

Closes #1906

Also suppress length argument of curl_mime_name() (names are always
zero-terminated).

In some cases the RSA key does not support verifying it because it's
located on a smart card, an engine wants to hide it, ...
Check the flags on the key before trying to verify it.
OpenSSL does the same thing internally; see ssl/ssl_rsa.c

Closes #1904

Otherwise, typecheck-gcc.h warns on MinGW-w64.

... in hope coverity will like it much.