... to cater for systems with unsigned time_t variables.

- Renamed the functions to curlx_timediff and Curl_timediff_us.

- Added overflow protection for both of them in either direction for
  both 32 bit and 64 bit time_ts

- Reprefixed the curlx_time functions to use Curl_*

Reported-by: Peter Piekarski
Fixes #2004
Closes #2005

They use $(TESTUTIL) and thus should use $(TESTUTIL_LIBS) too.

This fixes build failures on Fedora 13.

Closes #2006

closes #2008

We don't expect any steps to fail in travis. Exit the script if they do.

Closes #1966

Aurora is no longer used by Mozilla
https://hacks.mozilla.org/2017/04/simplifying-firefox-release-channels/

The 'tip' is the most recent branch committed to, this should be
'default' like the URLs for the browser are.

Closes #1998

CVE-2017-1000257

Reported-by: Brian Carpenter and 0xd34db347
Also detected by OSS-Fuzz: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=3586

... by using range checks. Among other things, this avoids an undefined
behavior for a left shift that could happen on negative or very large
values.

Closes #1997

Detected by OSS-fuzz: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=3694

See issue #1999

The contents might have changed: size must be recomputed.

Reported-by: moteus on github
Fixes #1999

Even if OpenSSL is enabled, it might not be the default backend when
multi-ssl is enabled, causing the test to fail.

On OS/400, `close' is an ASCII system macro that corrupts the code if
not used in a context not targetting the close() system API.

Also adjust makefile to renamed files and warn about installation dirs mix-up.

... filter early instead of risking "funny values" having to be dealt
with elsewhere.

... that are multiplied by 1000 when stored.

For 32 bit long systems, the max value accepted (2147483 seconds) is >
596 hours which is unlikely to ever be set by a legitimate application -
and previously it didn't work either, it just caused undefined behavior.

Also updated the man pages for these timeout options to mention the
return code.

Closes #1938

Allow to ovverride certain build tools, making it possible to
use LLVM/Clang to build curl. The default behavior is unchanged.
To build with clang (as offered by MSYS2), these settings can
be used:

CURL_CC=clang
CURL_AR=llvm-ar
CURL_RANLIB=llvm-ranlib

Closes https://github.com/curl/curl/pull/1993

Use memset() to initialize a structure to avoid LLVM/Clang warning:
ldap.c:193:39: warning: missing field 'UserLength' initializer [-Wmissing-field-initializers]

Closes https://github.com/curl/curl/pull/1992

NOTE: it makes them terribly slow. I recommend only using valgrind for
specific torture tests or using lots of patience.

... to allow them to be included in torture tests too.

closes #1980

... we used it only for the fuzzer, which we now have in a separate git
repo.

Closes #1990

Reported-by: Jeroen Ooms
Closes #1988

Include test cases in 554, 587, 650.

Fixes https://github.com/curl/curl/issues/1986

Closes PR https://github.com/curl/curl/pull/1985

If stdin is not a regular file, its content is memory-buffered to enable
a possible data "rewind".
In all cases, stdin data size is determined before real use to avoid
having an unknown part's size.

--libcurl generated code is left as an unbuffered stdin fread/fseek callback
part with unknown data size.

Buffering is not supported in deprecated curl_formadd() API.

following the new github "standard"

Now VERIFYHOST, VERIFYPEER and VERIFYSTATUS options change during active
connection updates the current connection's (i.e.'connectdata'
structure) appropriate ssl_config (and ssl_proxy_config) structures
variables, making these options effective for ongoing connection.

This functionality was available before and was broken by the
following change:
"proxy: Support HTTPS proxy and SOCKS+HTTP(s)"
CommitId: cb4e2be7.

Bug: https://github.com/curl/curl/issues/1941

Closes https://github.com/curl/curl/pull/1951

Those were temporary things we'd add and remove for our own convenience
long ago. The last few stayed around for too long as an oversight but
have since been removed. These days we have a running
BORINGSSL_API_VERSION counter which is bumped when we find it
convenient, but 2015-11-19 was quite some time ago, so just check
OPENSSL_IS_BORINGSSL.

Closes #1979