Although this should never happen due to the relationship between the
'mech' and 'resp' variables, and the way they are allocated together,
it does cause problems for code analysis tools:

V595 The 'mech' pointer was utilized before it was verified against
     nullptr. Check lines: 376, 381. curl_sasl.c 376

Bug: https://github.com/curl/curl/issues/745
Reported-by: Alexis La Goutte

* Prefer dereference of string pointer rather than strlen()
* Free challenge pointer in one place
* Additional comments

* Prefer dereference of string pointer rather than strlen()
* Free challenge pointer in one place
* Additional comments

This wouldn't cause a problem because of the way the function is called,
but prior to this change, we were processing the challenge message when
the credentials were NULL rather than when the challenge message was
populated.

This also brings this part of the Kerberos 5 code in line with the
Negotiate code.

Although mutual authentication is currently turned off and can only be
enabled by changing libcurl source code, authentication using Kerberos
5 has been broken since commit 79543caf in this use case.

This wouldn't cause a problem because of the way the function is called,
but prior to this change, we were processing the challenge message when
the credentials were NULL rather than when the challenge message was
populated.

This also brings this part of the Kerberos 5 code in line with the
Negotiate code.

Prior to this change, we were generating the output token when the
credentials were NULL rather than when the output token was NULL.

This also brings this part of the Kerberos 5 code in line with the
Negotiate code.

Prior to this change, we were generating the SPN in the SSPI code when
the credentials were NULL and in the GSS-API code when the context was
empty. It is better to decouple the SPN generation from these checks
and only generate it when the SPN itself is NULL.

This also brings this part of the Kerberos 5 code in line with the
Negotiate code.

... checksrc of all test code is pending.

The quote scanner was too fragile, now look for a comma instead to find
the mode argument.

follow-up to 0326b067

sizeof(pointer) is no good for the buffer size!

Reported-by: Viktor Szakats

warning: implicit declaration of function 'sprintf_was_used'
         [-Wimplicit-function-declaration]

Follow up to the modications made to tests/libtest in commit 55452ebd
as we prefer not to use sprintf() now.

We never made a 7.25.1 release

It offers extra info from nghttp2 in certain error cases. Like for
example when trying prior-knowledge http2 on a server that doesn't speak
http2 at all. The error message is passed on as a verbose message to
libcurl.

Discussed in #722

The error callback was added in nghttp2 1.9.0

To be consistent with the Kerberos 5 context and other authentication
code.

For consistency with the spnego code.

For consistency with the spnego and oauth2 code moved the setting of
the host name outside of the Curl_auth_create_gssapi_user_messag()
function.

This will allow us to more easily override it in the future.

As this was introduced in the recent vauth changes and not a prior
release.

I had accidentally used the proxy server name for the host and the host
server name for the proxy in commit ad5e9bfd and 6d6f9ca1. Whilst
Windows SSPI was quite happy with this, GSS-API wasn't.

Thanks-to:  Michael Osipov

After squashing most of our compiler warnings, up'ed the default
warning level from 3 to 4 in order to increase the likelyhood of
catching future warnings.

may be null in the CURLOPT_CONNECT_ONLY case

Fixes #747

From commit 7218b52c.

Corrected typos from commit ad5e9bfd and 6d6f9ca1.

Follow up to commit 7db9782d.

When an upload is done, there are two places where that can be detected
and only one of them would rewind the input stream - which sometimes is
necessary for example when doing NTLM HTTP POSTs and more.

This could then end up libcurl hanging.

Figured-out-by: Isaac Boukris
Reported-by: Anatol Belski

Fixes #741

So that we only do the extra typedefs in curl_memory.h when we really
need to and avoid double typedefs.

follow-up commit to 7218b52c

Thanks-to: Steve Holme

The define is not in our name space and is therefore not protected by
our API promises.

It was only really used by libcurl internals but was mostly erased from
there already in 8aabbf5f (March 2015). This is supposedly the final
death blow to that define from everywhere.

As a side-effect, making sure _MPRINTF_REPLACE is gone and not used, I
made the lib tests in tests/libtest/ use curl_printf.h for its redefine
magic and then subsequently the use of sprintf() got banned in the tests
as well (as it is in libcurl internals) and I then replaced them all
with snprintf().

In the unlikely event that any users is actually using this define and
gets sad by this change, it is very easily copied to the user's own
code.

Discussed in #743

Fixed copy/paste error from commit a5aec587.

Bug: https://github.com/curl/curl/issues/744
Reported-by: Alexis La Goutte

Supports HTTP/2 over clear TCP

- Optimize switching to HTTP/2 by removing calls to init and setup
before switching. Switching will eventually call setup and setup calls
init.

- Supports new version to “force” the use of HTTP/2 over clean TCP

- Add common line parameter “--http2-prior-knowledge” to the Curl
  command line tool.

The list and search response functions were identical! Merged into one
now. Detected by PVS Studio.

Reported-by: Alexis La Goutte

The code copied one byte from a 32bit integer, which works fine as long
as the byte order is the same. Not a fine assumption. Reported by PVS
Studio.

Reported-by: Alexis La Goutte