Reported-by: Michael Osipov

Bug: https://github.com/curl/curl/issues/536


Reported-by:  <eXeC64@users.noreply.github.com>

Due to their age (we don't fully know if they actually remain) and lack
of detail - very few people will bother to find out what they're about
or work on them. If people truly still suffer from any of these, I
assume they will be reported again and then we'll deal with them.

72. "Pausing pipeline problems."
  https://curl.haxx.se/mail/lib-2009-07/0214.html

70. Problem re-using easy handle after call to curl_multi_remove_handle
  https://curl.haxx.se/mail/lib-2009-07/0249.html

68. "More questions about ares behavior".
  https://curl.haxx.se/mail/lib-2009-08/0012.html

It turns out the google GFE HTTP/2 servers send a PING frame immediately
after a stream ends and its last DATA has been received by curl. So if
we don't drain that from the socket, it makes the socket readable in
subsequent checks and libcurl then (wrongly) assumes the connection is
dead when trying to reuse the connection.

Reported-by: Joonas Kuorilehto

Discussed in #750

... now works correctly when invoke from the root makefile

Following the recent changes to the source in the tests directory,
re-enabled tests for the default scan.

In addition to commit 83b174b3 and following the recent changes.

... to please the new, slightly picker, checksrc.pl

Although this should never happen due to the relationship between the
'mech' and 'resp' variables, and the way they are allocated together,
it does cause problems for code analysis tools:

V595 The 'mech' pointer was utilized before it was verified against
     nullptr. Check lines: 376, 381. curl_sasl.c 376

Bug: https://github.com/curl/curl/issues/745
Reported-by: Alexis La Goutte

* Prefer dereference of string pointer rather than strlen()
* Free challenge pointer in one place
* Additional comments

* Prefer dereference of string pointer rather than strlen()
* Free challenge pointer in one place
* Additional comments

This wouldn't cause a problem because of the way the function is called,
but prior to this change, we were processing the challenge message when
the credentials were NULL rather than when the challenge message was
populated.

This also brings this part of the Kerberos 5 code in line with the
Negotiate code.

Although mutual authentication is currently turned off and can only be
enabled by changing libcurl source code, authentication using Kerberos
5 has been broken since commit 79543caf in this use case.

This wouldn't cause a problem because of the way the function is called,
but prior to this change, we were processing the challenge message when
the credentials were NULL rather than when the challenge message was
populated.

This also brings this part of the Kerberos 5 code in line with the
Negotiate code.

Prior to this change, we were generating the output token when the
credentials were NULL rather than when the output token was NULL.

This also brings this part of the Kerberos 5 code in line with the
Negotiate code.

Prior to this change, we were generating the SPN in the SSPI code when
the credentials were NULL and in the GSS-API code when the context was
empty. It is better to decouple the SPN generation from these checks
and only generate it when the SPN itself is NULL.

This also brings this part of the Kerberos 5 code in line with the
Negotiate code.