.. and include the core NTLM header in all NTLM-related source files.

Follow up to 6f86022d. Since then http_ntlm checks NTLM_NEEDS_NSS_INIT
but did not include vtls.h where it was defined.

Closes https://github.com/curl/curl/pull/1911

When trying to bump the value with one and the value is already at max,
it causes an integer overflow.

Closes #1908
Detected by oss-fuzz:
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=3465

Assisted-by: Max Dymond

- Use spaces instead of tabs as the delimiter.

Follow up to 7c52b12d which added the entry. The entry had used tabs but
the symbol-scan parser doesn't recognize tabs and would fail the symbol.

In MultiSSL mode (i.e. when more than one SSL backend is compiled
in), we cannot use the compile time flag `USE_NSS` as indicator that
the NSS backend is in use. As far as Metalink is concerned, the SSL
backend is only used for MD5, SHA-1 and SHA-256 calculations,
therefore one of the available SSL backends is selected at compile
time, in a strict order of preference.

Let's introduce a new `HAVE_NSS_CONTEXT` constant that can be used
to determine whether the SSL backend used for Metalink is the NSS
backend, and use that to guard the code that wants to de-initialize
the NSS-specific data structure.

Ref: https://github.com/curl/curl/pull/1848

With the recently introduced MultiSSL support multiple SSL backends
can be compiled into cURL That means that now the order of the SSL

One option would be to use the same SSL backend as was configured
via `curl_global_sslset()`, however, NTLMv2 support would appear
to be available only with some SSL backends. For example, when
eb88d778 (ntlm: Use Windows Crypt API, 2014-12-02) introduced
support for NTLMv1 using Windows' Crypt API, it specifically did
*not* introduce NTLMv2 support using Crypt API at the same time.

So let's select one specific SSL backend for NTLM support when
compiled with multiple SSL backends, using a priority order such
that we support NTLMv2 even if only one compiled-in SSL backend can
be used for that.

Ref: https://github.com/curl/curl/pull/1848

...fixup from b8e0fe19

Updates test 800 to verify

Fixes #1902
Closes #1903

... as the test cases themselves do that and it makes it easier to add
crazy test cases.

Test 800 updated to use user name + password that need quoting.

Test 856 updated to trigger an auth fail differently.

Ref: #1902

... it just returns error:

Bug: https://github.com/curl/curl/commit/1328f69d53f2f2e937696ea954c480412b018451#commitcomment-24470367
Reported-by: Marcel Raad

Closes #1906

Also suppress length argument of curl_mime_name() (names are always
zero-terminated).

In some cases the RSA key does not support verifying it because it's
located on a smart card, an engine wants to hide it, ...
Check the flags on the key before trying to verify it.
OpenSSL does the same thing internally; see ssl/ssl_rsa.c

Closes #1904

Otherwise, typecheck-gcc.h warns on MinGW-w64.

... in hope coverity will like it much.

Detected by coverity. CID 1418137.

Regression since ce0881ed

Coverity CID 1418139 and CID 1418136 found it, but it was also seen in
torture testing.

Closes #1896

Before merging in the oss-fuzz corpora from Google, there are some changes
to the fuzzer.
- Add a read corpus script, to display corpus files nicely.
- Change the behaviour of the fuzzer so that TLV parse failures all now
  go down the same execution paths, which should reduce the size of the
  corpora.
- Make unknown TLVs a failure to parse, which should decrease the size
  of the corpora as well.

Closes #1881

... as it also removes a warning with old gcc versions.

Bug: https://curl.haxx.se/mail/lib-2017-09/0049.html
Reported-by: Ben Greear

Don't make the fuzzer write out to stdout - instead write some of the
contents to a memory block so we exercise the data output code but
quietly.

Closes #1885

... instead of truncating them.

There's no fixed limit for acceptable cookie names in RFC 6265, but the
entire cookie is said to be less than 4096 bytes (section 6.1). This is
also what browsers seem to implement.

We now allow max 5000 bytes cookie header. Max 4095 bytes length per
cookie name and value. Name + value together may not exceed 4096 bytes.

Added test 1151 to verify

Bug: https://curl.haxx.se/mail/lib-2017-09/0062.html
Reported-by: Kevin Smith

Closes #1894

- openssl is already installed and causes warnings when trying to
  install again

- libidn isn't used these days, and homebrew doesn't seem to have a
  libidn2 package to replace with easily

Closes #1895

... previously it would store a return value even when it returned
error, which could make the value get used anyway!

Reported-by: Brian Carpenter
Closes #1893

Prior to this change it appears the SOCKS5 port parsing was erroneously
used for the SOCKS4 error message, and as a result an incorrect port
would be shown in the error message.

Bug: https://github.com/curl/curl/issues/1892


Reported-by:  <Jackarain@users.noreply.github.com>

Schannel can only encrypt a certain amount of data at once.  Instead of
failing when too much data is to be sent at once, send as much data as
we can and let the caller send the remaining data by calling send again.

Bug: https://curl.haxx.se/mail/lib-2014-07/0033.html

Closes https://github.com/curl/curl/pull/1890

lib/vtls/openssl.c uses OpenSSL APIs from BUF_MEM and BIO APIs. Include
their headers directly rather than relying on other OpenSSL headers
including things.

Closes https://github.com/curl/curl/pull/1891

Bug: https://curl.haxx.se/mail/lib-2017-09/0031.html

If the INTERLEAVEFUNCTION is defined, then use that plus the
INTERLEAVEDATA information when writing RTP. Otherwise, use
WRITEFUNCTION and WRITEDATA.

Fixes #1880
Closes #1884

Closes https://github.com/curl/curl/pull/1687

The stub implementation is pre-loaded using LD_PRELOAD
and emulates common gssapi uses (only builds if curl is
initially built with gssapi support).

The initial tests are currently disabled for debug builds
as LD_PRELOAD is not used then.

Ref: https://github.com/curl/curl/pull/1687

Closes #1889

... as when a proxy connection is being re-used, it can still get a
different remote port.

Fixes #1887
Reported-by: Oli Kingshott