                                  _   _ ____  _
                              ___| | | |  _ \| |
                             / __| | | | |_) | |
                            | (__| |_| |  _ <| |___
                             \___|\___/|_| \_\_____|

                                  Changelog

Version 8.7.1 (27 Mar 2024)

Daniel Stenberg (27 Mar 2024)

- RELEASE-PROCEDURE: remove old release dates, add new pending ones

Version 8.7.0 (27 Mar 2024)

Daniel Stenberg (27 Mar 2024)

- RELEASE-NOTES: synced

  curl 8.7.0 release

- THANKS: new contributors from the 8.7.0 release

- CURLOPT_POSTFIELDS.md: used for MQTT as well

  Closes #13189

- http: remove stale comment about rewindbeforesend

  ... because that struct field exists no more.

  Follow-up to 14bcea074a782272.

  Closes #13187

- DISTROS: add document with distro pointers

  Lots of organizations distribute curl packages to end users. This is a
  collection of pointers to where to learn more about curl on and with
  each distro.

  Assisted-by: Alan Coopersmith
  Assisted-by: Andrew Kaster
  Assisted-by: Andy Fiddaman
  Assisted-by: Arjan van de Ven
  Assisted-by: Brian Clemens
  Assisted-by: chrysos349 on github
  Assisted-by: Dan Fandrich
  Assisted-by: Dan McDonald
  Assisted-by: Gaelan Steele
  Assisted-by: graywolf on github
  Assisted-by: Jan Macku
  Assisted-by: John Marshall
  Assisted-by: Jonathan Perkin
  Assisted-by: Kevin Daudt
  Assisted-by: Marcus Müller
  Assisted-by: Michał Górny
  Assisted-by: Outvi V
  Assisted-by: Ross Burton
  Assisted-by: Sean Molenaar
  Assisted-by: Till Wegmüller
  Assisted-by: Viktor Szakats
  Assisted-by: Winni Neessen

  Closes #13178

Fabian Keil (25 Mar 2024)

- wolfSSL: do not call the stub function wolfSSL_BIO_set_init()

  Calling the function isn't necessary and causes the build
  to fail when wolfSSL has been compiled with NO_WOLFSSL_STUB:

       Making all in opts
         CCLD     curl
       ld: error: undefined symbol: wolfSSL_BIO_set_init
       >>> referenced by wolfssl.c:235 (vtls/wolfssl.c:235)
       >>>               libcurl_la-wolfssl.o:(wolfssl_bio_cf_create) in archiv
  e ../lib/.libs/libcurl.a
       cc: error: linker command failed with exit code 1 (use -v to see invocat
  ion)
       *** Error code 1

  Closes #13164

Daniel Stenberg (25 Mar 2024)

- cmdline-opts: shorter help texts

  In an effort to increase the readability of the "--help all" output on
  narrow (80 column) terminals.

  Co-authored-by: Jay Satiro

  Closes #13169

Matt Jolly (25 Mar 2024)

- curl-rustls.m4: add pkg-config support to rustls detection

  Based on the existing openssl pkg-config detection, this commit tries to
  use pkg-config to find `rustls` then falls back to the current approach
  if that fails.

  We use the following logic:

  - if no path is provided, just use pkg-config, if it's not there we have
    a problem!
  - if a path is provided, try pkg-config
    + if pkg-config fails, try and find rustls directly

  Closes #13179

Mohammadreza Hendiani (25 Mar 2024)

- TODO: update 13.11 with more information

  Closes #13173

Daniel Stenberg (23 Mar 2024)

- docs/libcurl: generate PROTOCOLS from meta-data

  Remove the PROTOCOLS section from the source files completely and
  instead generate them based on the header data in the curldown files.

  It also generates TLS backend information for options marked for TLS as
  protocol.

  Closes #13175

- CURLMOPT_MAX*: mention what happens if changed mid-transfer

  For CURLMOPT_MAXCONNECTS and CURLMOPT_MAX_HOST_CONNECTIONS

  Ref: #13158
  Closes #13176

- docs/libcurl: add TLS backend info for all TLS options

  All man pages that are listed to be for TLS now must also specify
  exactly what TLS backends the option works for, or use All if they all
  work.

  cd2nroff makes sure this is done and that the listed backends exist.

  Closes #13168

- docs/libcurl: cleanups

  - CURLINFO_TLS_SESSION.md: remove mention of NSS
  - CURLINFO_TLS_SSL_PTR.md: remove NSS leftover
  - CURLOPT_CAINFO.md: drop mention of backends not supporting this
  - CURLOPT_CAPATH.md: wolfSSL also supports this

  Closes #13166

- docs: make each libcurl man specify protocol(s)

  The mandatory header now has a mandatory list of protocols for which the
  manpage is relevant.

  Most man pages already has a "PROTOCOLS" section, but this introduces a
  stricter way to specify the relevant protocols.

  cd2nroff verifies that at least one protocol is mentioned (which can be
  `*`).

  This information is not used just yet, but A) the PROTOCOLS section can
  now instead get generated and get a unified wording across all manpages
  and B) this allows us to more reliably filter/search for protocol
  specific manpages/options.

  Closes #13166

Stefan Eissing (21 Mar 2024)

- http2, http3: only return CURLE_PARTIAL_FILE when bytes were received

  - should resolve spurious pytest failures when stream were reset
    right after response header were received

  Clsoes #13151

- http: separate response parsing from response action

  - move code that triggers on end-of-response into separate function from
    parsing
  - simplify some headp/headerlen usage
  - add `httpversion` to SingleRequest to indicate the version of the
    current response

  Closes #13134

Daniel Stenberg (21 Mar 2024)

- http2: remove the third (unused) argument from http2_data_done()

  Closes #13154

- RELEASE-NOTES: synced

Evgeny Grin (Karlson2k) (21 Mar 2024)

- RELEASE-NOTES: corrected

  Corrected link for item 118

  Closes #13157

Daniel Stenberg (19 Mar 2024)

- CURLOPT_INTERFACE.md: remove spurious amp, add see-also

  Closes #13149

Stefan Eissing (19 Mar 2024)

- http: improve response header handling, save cpu cycles

  Saving some cpu cycles in http response header processing:
  - pass the length of the header line along
  - use string constant sizeof() instead of strlen()
  - check line length if prefix is possible
  - switch on first header char to limit checks

  Closes #13143

Daniel Stenberg (19 Mar 2024)

- tool_getparam: accept a blank -w ""

  Added test 468 to verify.

  Regression from 07bcae89d5d00 (shipped in 8.6.0)
  Reported-by: Thomas Pyle
  Fixes #13144
  Closes #13145

Evgeny Grin (Karlson2k) (18 Mar 2024)

- curl_sha512_256: work around a NetBSD bug

  Based on Michael Kaufmann analysis and suggestion

  Closes #13133

Stefan Eissing (18 Mar 2024)

- http: expect 100 rework

  Move all handling of HTTP's `Expect: 100-continue` feature into a client
  reader. Add sending flag `KEEP_SEND_TIMED` that triggers transfer
  sending on general events like a timer.

  HTTP installs a `CURL_CR_PROTOCOL` reader when announcing `Expect:
  100-continue`. That reader works as follows:

  - on first invocation, records time, starts the `EXPIRE_100_TIMEOUT`
    timer, disables `KEEP_SEND`, enables `KEEP_SEND_TIMER` and returns 0,
    eos=FALSE like a paused upload.

  - on subsequent invocation it checks if the timer has expired. If so, it
    enables `KEEP_SEND` and switches to passing through reads to the
    underlying readers.

  Transfer handling's `readwrite()` will be invoked when a timer expires
  (like `EXPIRE_100_TIMEOUT`) or when data from the server arrives. Seeing
  `KEEP_SEND_TIMER`, it will try to upload more data, which triggers
  reading from the client readers again. Which then may lead to a new
  pausing or cause the upload to start.

  Flags and timestamps connected to this have been moved from
  `SingleRequest` into the reader's context.

  Closes #13110

- mbedtls: fix pytest for newer versions

  Fix the expectations in pytest for newer versions of mbedtls

  Closes #13132

Daniel Stenberg (15 Mar 2024)

- ipv6.md: mention IPv4 mapped addresses

  Reported-by: Josh Soref
  Assisted-by: Jay Satiro
  Fixes #13112
  Closes #13131

Stefan Eissing (15 Mar 2024)

- http: revisit http_perhapsrewind()

  - use facilities provided by client readers better
  - work also for non-uploading requests like GET/HEAD
  - update documentation

  Closes #13117

- test 1541: verify getinfo values on first header callback

  Reported-by: chensong1211 on github
  Ref: #13125
  Closes #13128

- TLS: start shutdown only when peer did not already close

  - When curl sees a TCP close from the peer, do not start a TLS shutdown.
    TLS shutdown is a handshake and if the peer already closed the
    connection, it is not interested in participating.

  Reported-by: dfdity on github
  Assisted-by: Jiří Bok
  Assisted-by: Pēteris Caune
  Fixes #10290
  Closes #13087

Daniel Stenberg (14 Mar 2024)

- RELEASE-NOTES: synced

- curl: make --libcurl output better CURLOPT_*SSLVERSION

  The option is really two enums ORed together, so it needs special
  attention to make the code output nice.

  Added test 1481 to verify. Both the server and the proxy versions.

  Reported-by: Boris Verkhovskiy
  Fixes #13127
  Closes #13129

- GHA/linux: add sysctl trick to work-around GitHub runner issue

  The GitHub image runner update from 20240304.1.0 to 20240310.1
  introduces a problem for clang-14. The issue is caused by
  incompatibility between llvm 14 provided in ubuntu-22.04 image and the
  much newer kernel configured with high-entropy ASLR.

  As a work-around, we issue a sysctl command to lower the entropy and get
  clang-14 to work again.

  URL: https://github.com/actions/runner-images/issues/9491

  Closes #13124

- SPONSORS: describe the basics

  Closes #13119

- GOVERNANCE: document the core team

  Closes #13118

Jay Satiro (13 Mar 2024)

- vquic-tls: fix the error code returned for bad CA file

  - Return CURLE_SSL_CACERT_BADFILE if wolfSSL encounters a problem
    reading the cert file or path.

  This is a follow-up to the parent commit aedbbdf1.

  Reported-by: Karthikdasari0423@users.noreply.github.com

  Fixes https://github.com/curl/curl/issues/13115

Daniel Stenberg (12 Mar 2024)

- vquic-tls: return appropirate errors on wolfSSL errors

  Reported-by: Dexter Gerig
  Closes #13107

Viktor Szakats (12 Mar 2024)

- tidy-up: one comment and EOF newlines

  Reviewed-by: Daniel Stenberg
  Closes #13108

Daniel Stenberg (12 Mar 2024)

- cmdline-opts: language cleanups

  Use imperative mood consistently for the first sentence describing an
  option.

  "Set this" instead "tell curl to set" or "this sets..."

  Plus some extra cleanups and rephrasing.

  Closes #13106

- managen: remove space before protocols

  For options that are listed for specific protocols, the protocols (shown
  first within parentheses) are now output without the leading space in the
  manpage output.

  Closes #13105

Jay Satiro (12 Mar 2024)

- mbedtls: properly cleanup the thread-shared entropy

  - Store the state of the thread-shared entropy for global init/cleanup.

  - Use curl's thread support of mbedtls for all Windows builds instead of
    just when the threaded resolver is used via USE_THREADS_WIN32.

  Prior to this change on global cleanup curl builds that have curl thread
  support for mbedtls freed the entropy (8b1d2298) but failed to mark that
  it had been freed, which caused problems on subsequent init + transfer.

  Bug: https://github.com/curl/curl/discussions/11919#discussioncomment-8687105
  Reported-by: awesomekosm@users.noreply.github.com

  Closes https://github.com/curl/curl/pull/13071

Daniel Stenberg (12 Mar 2024)

- tool_getparam: handle non-existing (out of range) short-options

  ... correctly, even when they follow an existing one without a space in
  between.

  Verify with test 467

  Follow-up to 07dd60c05b
  Reported-by: Geeknik Labs
  Fixes #13101
  Closes #13102

Stefan Eissing (11 Mar 2024)

- lib: move 'done' parameter to SingleRequests

  A transfer may do several `SingleRequest`s for its success. This happens
  regularly for authentication, follows and retries on failed connections.
  The "readwrite()" calls and functions connected to those carried a `bool
  *done` parameter to indicate that the current `SingleRequest` is over.
  This may happen before `upload_done` or `download_done` bits of
  `SingleRequest` are set.

  The problem with that is now `write_resp()` protocol handlers are
  invoked in places where the `bool *done` cannot be passed up to the
  caller. Instead of being a bool in the call chain, it needs to become a
  member of `SingleRequest`, reflecting its state.

  This removes the `bool *done` parameter and adds the `done` bit to
  `SingleRequest` instead. It adds `Curl_req_soft_reset()` for using a
  `SingleRequest` in a follow up, clearing `done` and other
  flags/counters.

  Closes #13096

- request: clarify message when request has been sent off

  Change the "uploaded and fine" message for requests without a body

  Reported-by: Karthikdasari0423 on github
  Fixes #13093
  Closes #13095

Daniel Stenberg (11 Mar 2024)

- RELEASE-NOTES: synced

Stefan Eissing (9 Mar 2024)

- lib: keep conn IP information together

  new struct ip_quadruple for holding local/remote addr+port

  - used in data->info and conn and cf-socket.c
  - copy back and forth complete struct
  - add 'secondary' to conn
  - use secondary in reporting success for ftp 2nd connection

  Reported-by: DasKutti on github
  Fixes #13084
  Closes #13090

Daniel Stenberg (8 Mar 2024)

- scripts/managen: the new name and home for the manpage generator

  It was previously docs/cmdline-opts/gen.pl

  Closes #13089

- VULN-DISCLOSURE-POLICY.md: update detail about CVE requests

  curl is a CNA now

  Closes #13088

Stefan Eissing (8 Mar 2024)

- lib: client reader polish

  - seek_func/seek_client, use transfer values only
      - remove copies held in `struct connectdata`, use only
        ever `data->set.seek_func`
      - resolves possible issues in multiuse connections
      - new mime post reader eliminates need to ever overwriting this

  - websockets, remove empty Curl_ws_done() function

  Closes #13079

Marcel Raad (8 Mar 2024)

- lib1598: fix `CURLOPT_POSTFIELDSIZE` usage

  It requires a `long` argument.

  Closes https://github.com/curl/curl/pull/13085

Daniel Stenberg (8 Mar 2024)

- docs/cmdline-opts: drop the curl.1 from the dist tarball

  Since it is no longer needed for building tool_hugehelp.c and all the
  docs is available in readable markdown format in the tarball, the peeps
  that don't want to build the manpage still do good.

  Removing it also fixes the complexity of out-of-tree builds when the
  curl.1 exists in the source tree.

- test1140/1173: extend wildcards to find curl.1

  ... in its new build path.

  Also update the test scripts to be more precise in error messages to
  help us understand CI errors better.

  Follow-up to f03c85635f35269f1
  Ref: #13029
  Closes #13083

- http2: minor tweaks to optimize two struct sizes

  - use BIT() instead of bool
  - place the struct fields in (roughly) size order

  Closes #13082

- buildconf.bat: remove outdated groff/nroff use

  - don't try to generate the real hugehelp file, because it requires
    curl.txt which needs a build
  - don't attempt to do anything in a c-ares subdirectory

  Follow-up to f03c85635f35269
  Closes #13078

- http2: memory errors in the push callbacks are fatal

  Use the correct nghttp2 error code accordingly.

  Closes #13081

Viktor Szakats (7 Mar 2024)

- mkhelp: rename variable to fix compiler warnings

  ```
  src\tool_operate.c(541,33): warning C4459: declaration of 'm' hides global de
  claration [_bld\src\curl.vcxproj]
    _bld\src\tool_hugehelp.c(8,27):
    see declaration of 'm'
  src\tool_paramhlp.c(307,14): warning C4459: declaration of 'm' hides global d
  eclaration [_bld\src\curl.vcxproj]
  src\tool_progress.c(118,16): warning C4459: declaration of 'm' hides global d
  eclaration [_bld\src\curl.vcxproj]
  src\tool_writeout.c(288,31): warning C4459: declaration of 'm' hides global d
  eclaration [_bld\src\curl.vcxproj]
  ```
  Ref: https://ci.appveyor.com/project/curlorg/curl/builds/49348159/job/51ee75c
  d2n0wj6lc#L614

  Reviewed-by: Daniel Stenberg
  Closes #13077

Daniel Stenberg (7 Mar 2024)

- KNOWN_BUGS: POP3 issue when reading small chunks

  Closes #12063

- RELEASE-NOTES: synced

Robert Moreton (7 Mar 2024)

- asyn-ares: fix data race warning

  - Store the c-ares version during global init.

  Prior to this change several threads could write the same data to a
  static int variable at the same time. Though in practice it's not a
  problem ThreadSanitizer may warn.

  Reported-by: Nikita Taranov
  Assisted-by: Jay Satiro

  Fixes #13065
  Closes #13000

Stefan Eissing (7 Mar 2024)

- hyper: implement unpausing via client reader

  Just a tidy up to contain 'ifdef' pollution of common
  code parts with implementation specifics.

  - remove the ifdef hyper unpausing in easy.c
  - add hyper client reader for CURL_CR_PROTOCOL phase
    that implements the unpause method for calling
    the hyper waker if it is set

  Closes #13075

- ngtcp2: no recvbuf for stream

  - write response data directly to the transfer via
   `Curl_xfer_write_resp()` like we do in HTTP/2.

  Closes #13073

- docs/cmdline-opts/.gitignore: ignore curl.txt

  Closes #13076

Evgeny Grin (Karlson2k) (7 Mar 2024)

- sha512_256: add support for GnuTLS and OpenSSL

  This is a follow-up for PR #12897.

  Add support for SHA-512/256 digest calculation by TLS backends.
  Currently only OpenSSL and GnuTLS (actually, nettle) support
  SHA-512/256.

  Closes #13070

- digest: add check for hashing error

  Closes #13072

Viktor Szakats (7 Mar 2024)

- cmake: enable `ENABLE_CURL_MANUAL` by default

  Meaning `curl.1` and `src/tool_hugehelp.c` are built by default,
  and `--manual` in curl tool is also enabled by default.

  This syncs behaviour with autotools.

  For a reproducible `curl.1`, `SOURCE_DATE_EPOCH` needs to be set
  to a consistent date, e.g. the timestamp of `CHANGES`.

  A pre-built manual (e.g. the one distributed in the official source
  tarball) will be ignored and rebuilt after this patch, unless
  explicitly disabling this option.

  Fixes #13028
  Closes #13069

Stefan Eissing (7 Mar 2024)

- http2: push headers better cleanup

  - provide common cleanup method for push headers

  Closes #13054

Daniel Stenberg (7 Mar 2024)

- GIT-INFO: convert to markdown

  Closes #13074

Richard Levitte (7 Mar 2024)

- cmake: fix libcurl.pc and curl-config library specifications

  Letting CMake figure out where libraries are located gives you full
  paths. When generating libcurl.pc and curl-config, getting libraries as
  full paths is unusual when one expects to get a list of -l<libname>.

  To meet expectations, an effort is made to convert the full paths into
  -l<libname>, possibly with -L<libdir> before it.

  Fixes #6169
  Fixes #12748
  Closes #12930

Daniel Stenberg (7 Mar 2024)

- test463: HTTP with -d @file with file containing CR, LF and null byte

- paramhlp: fix CRLF-stripping files with "-d @file"

  All CR and LF bytes should be stripped, as documented, and all other
  bytes are inluded in the data. Starting now, it also excludes null bytes
  as they would otherwise also cut the data short.

  Reported-by: Simon K
  Fixes #13063
  Closes #13064

Viktor Szakats (7 Mar 2024)

- cmake: fix `CURL_WINDOWS_SSPI=ON` with Schannel disabled

  Prior to this change `CURL_WINDOWS_SSPI` was accidentally forced `OFF`
  when building without the Schannel TLS backend.

  This in turn may have caused Kerberos, SPNEGO and SSPI features
  disappearing even with `CURL_WINDOWS_SSPI=ON` set.

  This patch fixes it by using the `CURL_USE_SCHANNEL` setting as a
  default for `CURL_WINDOWS_SSPI`, but allowing a manual override.

  Also update the option text to better tell its purpose.

  Thanks-to: Andreas Loew
  Reviewed-by: Daniel Stenberg
  Ref: #13056
  Closes #13061

Jay Satiro (6 Mar 2024)

- KNOWN_BUGS: FTPS server compatibility on Windows with Schannel

  - Remove "2.12 FTPS with Schannel times out file list operation"

  - Remove "7.12 FTPS directory listing hangs on Windows with Schannel"

  - Add "7.12 FTPS server compatibility on Windows with Schannel"

  This change adds a more generic bug description that explains FTPS with
  the latest curl and Schannel is not widely used and may have more bugs
  than other TLS backends.

  The two removed FTPS Schannel bugs can't be reproduced any longer and
  were likely fixed by 24d6c288.

  Ref: https://github.com/curl/curl/issues/5284
  Ref: https://github.com/curl/curl/issues/9161
  Ref: https://github.com/curl/curl/issues/12894

  Closes https://github.com/curl/curl/pull/13032

- trace-config.md: remove the mutexed options list

  - Remove the rendered manpage message that says:
    "[--trace-config] is mutually exclusive to --trace and -v, --verbose".

  Actually it can be used with either of those options, which are mutually
  exclusive to each other but not to --trace-config.

  Ref: https://curl.se/docs/manpage.html#--trace-config

  Closes https://github.com/curl/curl/pull/13031

Daniel Stenberg (6 Mar 2024)

- mkhelp: simplify the generated hugehelp program

  Use a plain array and puts() every line, also allows us to provide the
  strings without ending newlines.

  - merge blank lines into the next one as a prefixed newline.
  - turn eight consecutive spaces into a tab (since they can only be on the
    left side of text)
  - the newly generated tool_hugehelp is 3K lines shorter and 50K smaller
  - modifies the top logo layout a little by reducing the indent

  Closes #13047

- docs: ascii version of manpage without nroff

  Create ASCII version of manpage without nroff

   - build src/tool_hugegelp.c from the ascii manpage
   - move the the manpage and the ascii version build to docs/cmdline-opts
   - remove all use of nroff from the build process
   - should make the build entirely reproducible (by avoiding nroff)

   - partly reverts 2620aa9 to build libcurl option man pages one by one
     in cmake because the appveyor builds got all crazy until I did

  The ASCII version of the manpage

   - is built with gen.pl, just like the manpage is
   - has a right-justified column making the appearance similar to the previous
     version
   - uses a 4-space indent per level (instead of the old version's 7)
   - does not do hyphenation of words (which nroff does)

  History

    We first made the curl build use nroff for building the hugehelp file in
    December 1998, for curl 5.2.

  Closes #13047

Stefan Eissing (6 Mar 2024)

- lib: add `void *ctx` to reader/writer instances

  - `struct Curl_cwriter` and `struct Curl_creader` now carry a
    `void *ctx` member that points to the instance as allocated.
  - using `r->ctx` and `w->ctx` as pointer to the instance specific
    struct that has been allocated

  Reported-by: Rudi Heitbaum
  Fixes #13035
  Closes #13059

- http: fix dead code in setting post client reader

  - postsize was always 0, thus the check's else never happened
    after the mime client reader was introduced

  Follow-up to 0ba47146f7ff3d
  Closes #13060

- http2: fix push discard

  - fix logic in discarding a failed pushed stream so that
    stream context is properly cleaned up

  Closes #13055

- transfer.c: break receive loop in speed limited transfers

  - the change breaks looping in transfer.c receive for transfers that are
    speed limited on having gotten *some* bytes.
  - the overall speed limit timing is done in multi.c

  Reported-by: Dmitry Karpov
  Bug: https://curl.se/mail/lib-2024-03/0001.html
  Closes #13050

- mime: add client reader

  Add `mime` client reader. Encapsulates reading from mime parts, getting
  their length, rewinding and unpausing.

  - remove special mime handling from sendf.c and easy.c
  - add general "unpause" method to client readers
  - use new reader in http/imap/smtp
  - make some mime functions static that are now only used internally

  In addition:
  - remove flag 'forbidchunk' as no longer needed

  Closes #13039

Daniel Stenberg (5 Mar 2024)

- RELEASE-NOTES: synced

- TODO: remove "build HTTP/3 with OpenSSL and nghttp3 using cmake"

  Follow-up to 8e741644a229c37

Tal Regev (5 Mar 2024)

- cmake: add USE_OPENSSL_QUIC support

  Closes #13034

Stefan Eissing (5 Mar 2024)

- TIMER_STARTTRANSFER: set the same for everyone

  - set TIMER_STARTTRANSFER on seeing the first response bytes
    in the download client writer, not coming from a CONNECT
  - initialized the timer the same way for all protocols
  - remove explicit setting of TIMER_STARTTRANSFER in file.c
    and c-hyper.c

  Closes #13052

Michael Kaufmann (5 Mar 2024)

- http: better error message for HTTP/1.x response without status line

  If a response without a status line is received, and the connection is
  known to use HTTP/1.x (not HTTP/0.9), report the error "Invalid status
  line" instead of "Received HTTP/0.9 when not allowed".

  Closes #13045

Viktor Szakats (5 Mar 2024)

- KNOWN_BUGS: fix typo

  Reviewed-by: Daniel Stenberg
  Closes #13051

Sebastian Neubauer (5 Mar 2024)

- smpt: fix starttls

  In cases where the connection was fast, curl sometimes failed to open a
  connection. This fixes a regression of c2d973627bab12abc5486a3f3.

  The regression triggered in these steps:

  1. Create an smtp connection
  2. Use STARTTLS
  3. Receive the response
  4. We are inside the loop in `smtp_statemachine`, calling
     `smtp_state_starttls_resp`
  5. In the good flow, we exit the loop, re-enter `smtp_statemachine` and
     run `smtp_perform_upgrade_tls` at the start of the function.

     In the bad flow, we stay in the while loop, calling
     `Curl_pp_readresp`, which reads part of the TLS handshake and things
     go wrong.

  The reason is that `Curl_pp_moredata` changed behavior and always
  returns `true`, so we stay in the loop in `smtp_statemachine`. With a
  slow connection `Curl_pp_readresp` cannot read new data and returns
  `CURL_AGAIN`, so we leave the loop and re-enter `smtp_statemachine`.

  With a fast connection, `Curl_pp_readresp` reads new data from the tcp
  connection, which is part of the TLS handshake.

  The fix is in `Curl_pp_moredata`, which needs to take the final line
  into account and return `false` if only the final line is stored.

  Closes #13048

Stefan Eissing (5 Mar 2024)

- lib: enhance client reader resume + rewind

  - update client reader documentation
  - client reader, add rewind capabilities
      - tell creader to rewind on next start
      - Curl_client_reset() will keep reader for future rewind if requested
      - add Curl_client_cleanup() for freeing all resources independent of
        rewinds
      - add Curl_client_start() to trigger rewinds
      - move rewind code from multi.c to sendf.c and make part of
        "cr-in"'s implementation
  - http, move the "resume_from" handling into the client readers
      - the setup of a HTTP request is reshuffled to follow:
        * determine method, target, auth negotiation
        * install the client reader(s) for the request, including crlf
          conversions and "chunked" encoding
        * apply ranges to client reader
        * concat request headers, upgrades, cookies, etc.
        * complete request by determining Content-Length of installed
          readers in combination with method
        * send
      - add methods for client readers to
        * return the overall length they will generate (or -1 when unknown)
        * return the amount of data on the CLIENT level, so that
          expect-100 can decide if it want to apply itself
        * set a "resume_from" offset or fail if unsupported
      - struct HTTP has become largely empty now
  - rename `Client_reader_*` to `Curl_creader_*`

  Closes #13026

Viktor Szakats (5 Mar 2024)

- openssl-quic: fix BIO leak and Windows warning

  Caused by an accidentally duplicated line in
  d6825df334def106f735ce7e0c1a2ea87bddffb0.

  ```
  .../lib/vquic/curl_osslq.c:1095:30: warning: implicit conversion loses intege
  r precision: 'curl_socket_t' (aka 'unsigned long long') to 'int' [-Wshorten-6
  4-to-32]
   1095 |   bio = BIO_new_dgram(ctx->q.sockfd, BIO_NOCLOSE);
        |         ~~~~~~~~~~~~~ ~~~~~~~^~~~~~
  1 warning and 2 errors generated.
  ```

  Reviewed-by: Stefan Eissing
  Closes #13043

- openssl-quic: fix unity build, casing, indentation

  - rename static functions to avoid duplicate symbols in unity mode.
  - windows -> Windows/window in error message and comment.
