                                  _   _ ____  _
                              ___| | | |  _ \| |
                             / __| | | | |_) | |
                            | (__| |_| |  _ <| |___
                             \___|\___/|_| \_\_____|

                                  Changelog

Version 7.56.1 (23 Oct 2017)

Daniel Stenberg (23 Oct 2017)
- RELEASE-NOTES: 7.56.1

- THANKS: update at 7.56.1 release time

- [Jon DeVree brought this change]

  mk-ca-bundle: Remove URL for aurora
  
  Aurora is no longer used by Mozilla
  https://hacks.mozilla.org/2017/04/simplifying-firefox-release-channels/

- [Jon DeVree brought this change]

  mk-ca-bundle: Fix URL for NSS
  
  The 'tip' is the most recent branch committed to, this should be
  'default' like the URLs for the browser are.
  
  Closes #1998

- imap: if a FETCH response has no size, don't call write callback
  
  CVE-2017-1000257
  
  Reported-by: Brian Carpenter and 0xd34db347
  Also detected by OSS-Fuzz: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=3586

- ftp: reject illegal IP/port in PASV 227 response
  
  ... by using range checks. Among other things, this avoids an undefined
  behavior for a left shift that could happen on negative or very large
  values.
  
  Closes #1997
  
  Detected by OSS-fuzz: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=3694

Patrick Monnerat (20 Oct 2017)
- test653: check reuse of easy handle after mime data change
  
  See issue #1999

- mime: do not reuse previously computed multipart size
  
  The contents might have changed: size must be recomputed.
  
  Reported-by: moteus on github
  Fixes #1999

- test308: disable if MultiSSL feature enabled
  
  Even if OpenSSL is enabled, it might not be the default backend when
  multi-ssl is enabled, causing the test to fail.

- runtests: support MultiSSL client feature

- vtls: change struct Curl_ssl `close' field name to `close_one'.
  
  On OS/400, `close' is an ASCII system macro that corrupts the code if
  not used in a context not targetting the close() system API.

- os400: add missing symbols in config file.
  
  Also adjust makefile to renamed files and warn about installation dirs mix-up.

- test652: curl_mime_data + base64 encoder with large contents

- mime: limit bas64-encoded lines length to 76 characters

Daniel Stenberg (16 Oct 2017)
- RELEASE-NOTES: synced with f121575c0

- setopt: range check most long options
  
  ... filter early instead of risking "funny values" having to be dealt
  with elsewhere.

- setopt: avoid integer overflows when setting millsecond values
  
  ... that are multiplied by 1000 when stored.
  
  For 32 bit long systems, the max value accepted (2147483 seconds) is >
  596 hours which is unlikely to ever be set by a legitimate application -
  and previously it didn't work either, it just caused undefined behavior.
  
  Also updated the man pages for these timeout options to mention the
  return code.
  
  Closes #1938

Viktor Szakats (15 Oct 2017)
- makefile.m32: allow to override gcc, ar and ranlib
  
  Allow to ovverride certain build tools, making it possible to
  use LLVM/Clang to build curl. The default behavior is unchanged.
  To build with clang (as offered by MSYS2), these settings can
  be used:
  
  CURL_CC=clang
  CURL_AR=llvm-ar
  CURL_RANLIB=llvm-ranlib
  
  Closes https://github.com/curl/curl/pull/1993

- ldap: silence clang warning
  
  Use memset() to initialize a structure to avoid LLVM/Clang warning:
  ldap.c:193:39: warning: missing field 'UserLength' initializer [-Wmissing-field-initializers]
  
  Closes https://github.com/curl/curl/pull/1992

Daniel Stenberg (14 Oct 2017)
- runtests: use valgrind for torture as well
  
  NOTE: it makes them terribly slow. I recommend only using valgrind for
  specific torture tests or using lots of patience.

- memdebug: trace send, recv and socket
  
  ... to allow them to be included in torture tests too.
  
  closes #1980

- configure: remove the C++ compiler check
  
  ... we used it only for the fuzzer, which we now have in a separate git
  repo.
  
  Closes #1990

Patrick Monnerat (13 Oct 2017)
- mime: do not call failf() if easy handle is NULL.

Daniel Stenberg (13 Oct 2017)
- test651: curl_formadd with huge COPYCONTENTS

- mime: fix the content reader to handle >16K data properly
  
  Reported-by: Jeroen Ooms
  Closes #1988

Patrick Monnerat (12 Oct 2017)
- mime: keep "text/plain" content type if user-specified.
  
  Include test cases in 554, 587, 650.
  
  Fixes https://github.com/curl/curl/issues/1986

- cli tool: use file2memory() to buffer stdin in -F option.
  
  Closes PR https://github.com/curl/curl/pull/1985

- cli tool: reimplement stdin buffering in -F option.
  
  If stdin is not a regular file, its content is memory-buffered to enable
  a possible data "rewind".
  In all cases, stdin data size is determined before real use to avoid
  having an unknown part's size.
  
  --libcurl generated code is left as an unbuffered stdin fread/fseek callback
  part with unknown data size.
  
  Buffering is not supported in deprecated curl_formadd() API.

Daniel Stenberg (12 Oct 2017)
- winbuild/BUILD.WINDOWS.txt: mention WITH_NGHTTP2

- HELP-US: the label "PR-welcome" is now renamed to "help wanted"
  
  following the new github "standard"

- RELEASE-NOTES: synced with 5505df7d2

Jay Satiro (11 Oct 2017)
- [Artak Galoyan brought this change]

  url: Update current connection SSL verify params in setopt
  
  Now VERIFYHOST, VERIFYPEER and VERIFYSTATUS options change during active
  connection updates the current connection's (i.e.'connectdata'
  structure) appropriate ssl_config (and ssl_proxy_config) structures
  variables, making these options effective for ongoing connection.
  
  This functionality was available before and was broken by the
  following change:
  "proxy: Support HTTPS proxy and SOCKS+HTTP(s)"
  CommitId: cb4e2be7c6d42ca0780f8e0a747cecf9ba45f151.
  
  Bug: https://github.com/curl/curl/issues/1941
  
  Closes https://github.com/curl/curl/pull/1951

Daniel Stenberg (11 Oct 2017)
- [David Benjamin brought this change]

  openssl: don't use old BORINGSSL_YYYYMM macros
  
  Those were temporary things we'd add and remove for our own convenience
  long ago. The last few stayed around for too long as an oversight but
  have since been removed. These days we have a running
  BORINGSSL_API_VERSION counter which is bumped when we find it
  convenient, but 2015-11-19 was quite some time ago, so just check
  OPENSSL_IS_BORINGSSL.
  
  Closes #1979

- test950; verify SMTP with custom request

- ftpserver: support case insensitive commands

- smtp_done: free data before returning (on send failure)
  
  ... as otherwise it could leak that memory.
  
  Detected by OSS-fuzz:
  https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=3600
  
  Assisted-by: Max Dymond
  Closes #1977

- FTP: URL decode path for dir listing in nocwd mode
  
  Reported-by: Zenju on github
  
  Test 244 added to verify
  Fixes #1974
  Closes #1976

- test298: verify --ftp-method nowcwd with URL encoded path
  
  Ref: #1974

- CURLOPT_XFERINFODATA.3: fix duplicate see also

- CURLOPT_NOPROGRESS.3: also refer to xferinfofunction

- FAQ: s/CURLOPT_PROGRESSFUNCTION/CURLOPT_XFERINFOFUNCTION

- openssl: enable PKCS12 support for !BoringSSL
  
  Enable PKCS12 for all non-boringssl builds without relying on configure
  or cmake checks.
  
  Bug: https://curl.haxx.se/mail/lib-2017-10/0007.html
  Reported-by: Christian Schmitz
  Closes #1948

- [Kristiyan Tsaklev brought this change]

  curl: don't pass semicolons when parsing Content-Disposition
  
  Test 1422 updated to verify.
  
  Closes #1964

Patrick Monnerat (9 Oct 2017)
- mime: properly unbind mime structure in curl_mime_free().
  
  This allows freeing a mime structure bound to the easy handle before
  curl_easy_cleanup().
  
  Fixes #1970.

Daniel Stenberg (9 Oct 2017)
- RTSP: avoid integer overflow on funny RTSP response
  
  ... like a very large non-existing RTSP version number.
  
  Added test 577 to verify.
  
  Detected by OSS-fuzz.
  Closes #1969

Patrick Monnerat (8 Oct 2017)
- ftpserver: properly reset $ftptargetdir.

- test643: verify curl_mime_subparts() rejects cyclic additions.

- mime: refuse to add subparts to one of their own descendants.
  
  Reported-by: Alexey Melnichuk
  Fixes #1962

- mime: avoid resetting a part's encoder when part's contents change.

- mime: improve unbinding top multipart from easy handle.
  
  Also avoid dangling pointers in referencing parts.

Daniel Stenberg (8 Oct 2017)
- RELEASE-NOTES: synced with a4c1c75da30af1

- curlver.h: next expected release is 7.57.0

Patrick Monnerat (8 Oct 2017)
- mime: be tolerant about setting twice the same header list in a part.

- docs: clarify form/mime usage of non-regular data files.

Daniel Stenberg (8 Oct 2017)
- Revert "multi_done: wait for name resolve to finish if still ongoing"
  
  This reverts commit f3e03f6c0ac52a1bf396e03f7d7e9b5b3b7165fe.
  
  Caused memory leaks in the fuzzer, needs to be done differently.
  
  Disable test 1553 for now too, as it causes memory leaks without this
  commit!

- remove_handle: call multi_done() first, then clear dns cache pointer
  
  Closes #1960

- multi_done: wait for name resolve to finish if still ongoing
  
  ... as we must clean up memory.

- pingpong: return error when trying to send without connection
  
  When imap_done() got called before a connection is setup, it would try
  to "finish up" and dereffed a NULL pointer.
  
  Test case 1553 managed to reproduce. I had to actually use a host name
  to try to resolve to slow it down, as using the normal local server IP
  will make libcurl get a connection in the first curl_multi_perform()
  loop and then the bug doesn't trigger.
  
  Fixes #1953
  Assisted-by: Max Dymond

Dan Fandrich (6 Oct 2017)
- tests: added flaky keyword to tests 587 and 644
  
  These are around 5% flaky in my Linux x86 autobuilds.

Marcel Raad (6 Oct 2017)
- vtls: fix warnings with --disable-crypto-auth
  
  When CURL_DISABLE_CRYPTO_AUTH is defined, Curl_none_md5sum's parameters
  are not used.

Daniel Stenberg (6 Oct 2017)
- multi_cleanup: call DONE on handles that never got that
  
  ... fixes a memory leak with at least IMAP when remove_handle is never
  called and the transfer is abruptly just abandoned early.
  
  Test 1552 added to verify
  
  Detected by OSS-fuzz
  Assisted-by: Max Dymond
  Closes #1954

- [Benbuck Nason brought this change]

  strtoofft: Remove extraneous null check
  
  Fixes #1950: curlx_strtoofft() doesn't fully protect against null 'str'
  argument.
  
  Closes #1952

- openssl: fix build without HAVE_OPAQUE_EVP_PKEY
  
  Reported-by: Javier Sixto
  Fixes #1955
  Closes #1956

Viktor Szakats (6 Oct 2017)
- lib/config-win32.h: let SMB/SMBS be enabled with OpenSSL/NSS
  
  The source code is now prepared to handle the case when both
  Win32 Crypto and OpenSSL/NSS crypto backends are enabled
  at the same time, making it now possible to enable `USE_WIN32_CRYPTO`
  whenever the targeted Windows version supports it. Since this
  matches the minimum Windows version supported by curl
  (Windows 2000), enable it unconditionally for the Win32 platform.
  
  This in turn enables SMB (and SMBS) protocol support whenever
  Win32 Crypto is available, regardless of what other crypto backends
  are enabled.
  
  Ref: https://github.com/curl/curl/pull/1840#issuecomment-325682052
  
  Closes https://github.com/curl/curl/pull/1943

Daniel Stenberg (5 Oct 2017)
- build: fix --disable-crypto-auth
  
  Reported-by: Wyatt O'Day
  Fixes #1945
  Closes #1947

Jay Satiro (5 Oct 2017)
- [Nick Zitzmann brought this change]

  darwinssl: add support for TLSv1.3
  
  Closes https://github.com/curl/curl/pull/1794

Daniel Stenberg (4 Oct 2017)
- [Felix Kaiser brought this change]

  docs: fix typo in curl_mime_data_cb man page
  
  Closes #1946

Viktor Szakats (4 Oct 2017)
- lib/Makefile.m32: allow customizing dll suffixes
  
  - New `CURL_DLL_SUFFIX` envvar will add a suffix to the generated
    libcurl dll name. Useful to add `-x64` to 64-bit builds so that
    it can live in the same directory as the 32-bit one. By default
    this is empty.
  
  - New `CURL_DLL_A_SUFFIX` envvar to customize the suffix of the
    generated import library (implib) for libcurl .dll. It defaults
    to `dll`, and it's useful to modify that to `.dll` to have the
    standard naming scheme for mingw-built .dlls, i.e. `libcurl.dll.a`.
  
  Closes https://github.com/curl/curl/pull/1942

Daniel Stenberg (4 Oct 2017)
- [Max Dymond brought this change]

  fuzzer: move to using external curl-fuzzer
  
  Use the external curl-fuzzer repository for fuzzing.
  
  Closes #1923

- failf: skip the sprintf() if there are no consumers
  
  Closes #1936

- ftp: UBsan fixup 'pointer index expression overflowed'
  
  Closes #1939

- RELEASE-PROCEDURE: update the release schedule

Version 7.56.0 (4 Oct 2017)

Daniel Stenberg (4 Oct 2017)
- RELEASE-NOTES: curl 7.56.0

- THANKS: added new 7.56.0 contributors

Jay Satiro (4 Oct 2017)
- build-openssl.bat: Warn OpenSSL 1.1.0 not yet supported
  
  Ref: https://github.com/curl/curl/issues/1002

Michael Kaufmann (3 Oct 2017)
- idn: fix source code comment

- vtls: compare and clone ssl configs properly
  
  Compare these settings in Curl_ssl_config_matches():
  - verifystatus (CURLOPT_SSL_VERIFYSTATUS)
  - random_file (CURLOPT_RANDOM_FILE)
  - egdsocket (CURLOPT_EGDSOCKET)
  
  Also copy the setting "verifystatus" in Curl_clone_primary_ssl_config(),
  and copy the setting "sessionid" unconditionally.
  
  This means that reusing connections that are secured with a client
  certificate is now possible, and the statement "TLS session resumption
  is disabled when a client certificate is used" in the old advisory at
  https://curl.haxx.se/docs/adv_20170419.html is obsolete.
  
  Reviewed-by: Daniel Stenberg
  
  Closes #1917

- proxy: read the "no_proxy" variable only if necessary
  
  Reviewed-by: Daniel Stenberg
  
  Closes #1919

Patrick Monnerat (3 Oct 2017)
- libcurl-tutorial: add casts in example to avoid compilation warnings.

Daniel Stenberg (3 Oct 2017)
- examples: bring back curl_formadd-using examples
  
  ... now with a -formadd suffix. While the new mime API is introduced in
  7.56.0 we must acknowledge that lots of users can't upgrade their curl
  versions immediately.

- test1153: verify quoted double-qoutes in PWD response

- FTP: zero terminate the entry path even on bad input
  
  ... a single double quote could leave the entry path buffer without a zero
  terminating byte. CVE-2017-1000254
  
  Test 1152 added to verify.
  
  Reported-by: Max Dymond
  Bug: https://curl.haxx.se/docs/adv_20171004.html

Jay Satiro (2 Oct 2017)
- [Sergei Nikulov brought this change]

  cmake: disable tests and man generation if perl/nroff not found
  
  Fixes https://github.com/curl/curl/issues/1500
  Reported-by: Jay Satiro
  
  Fixes https://github.com/curl/curl/pull/1662
  Assisted-by: Tom Seddon
  Assisted-by: dpull@users.noreply.github.com
  Assisted-by: elelel@users.noreply.github.com
  
  Closes https://github.com/curl/curl/pull/1924

Patrick Monnerat (2 Oct 2017)
- libcurl-tutorial: fix two typos.

- TODO: remove deprecated form API items.

- libcurl-tutorial: describe MIME API and deprecate form API.
  
  Include a guide to form/mime API conversion.

Daniel Stenberg (30 Sep 2017)
- cookie: fix memory leak if path was set twice in header
  
  ... this will let the second occurance override the first.
  
  Added test 1161 to verify.
  
  Reported-by: Max Dymond
  Fixes #1932
  Closes #1933

Dan Fandrich (30 Sep 2017)
- test650: Use variable replacement to set the host address and port
  
  Otherwise, the test fails when the -b test option is used to set a
  different test port range.

- Set and use more necessary options when some protocols are disabled
  
  When curl and libcurl are built with some protocols disabled, they stop
  setting and receiving some options that don't make sense with those
  protocols.  In particular, when HTTP is disabled many options aren't set
  that are used only by HTTP.  However, some options that appear to be
  HTTP-only are actually used by other protocols as well (some despite
  having HTTP in the name) and should be set, but weren't. This change now
  causes some of these options to be set and used for more (or for all)
  protocols. In particular, this fixes tests 646 through 649 in an
  HTTP-disabled build, which use the MIME API in the mail protocols.

Daniel Stenberg (29 Sep 2017)
- test1160: verifies cookie leak for large cookies
  
  The fix done in 20ea22ff735

- cookie: fix memory leak on oversized rejection
  
  Regression brought by 2bc230de63b
  
  Detected by OSS-fuzz: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=3513
  Assisted-by: Max Dymond
  
  Closes #1930

- [Anders Bakken brought this change]

  connect: fix race condition with happy eyeballs timeout
  
  The timer should be started after conn->connecttime is set. Otherwise
  the timer could expire without this condition being true:
  
      /* should we try another protocol family? */
      if(i == 0 && conn->tempaddr[1] == NULL &&
        curlx_tvdiff(now, conn->connecttime) >= HAPPY_EYEBALLS_TIMEOUT) {
  
  Ref: #1928

Michael Kaufmann (28 Sep 2017)
- docs: link CURLOPT_CONNECTTIMEOUT and CURLOPT_CONNECTTIMEOUT_MS
  
  Closes #1922

- docs: clarify the use of environment variables for proxy
  
  Closes #1921

- http: add custom empty headers to repeated requests
  
  Closes #1920

- reuse_conn: don't copy flags that are known to be equal
  
  A connection can only be reused if the flags "conn_to_host" and
  "conn_to_port" match. Therefore it is not necessary to copy these flags
  in reuse_conn().
  
  Closes #1918

Daniel Stenberg (27 Sep 2017)
- curl.h: include <sys/select.h> on cygwin too
  
  When building with -std=c++14 on cygwin, this header won't be
  automatically included as it otherwise is.
  
  The <sys/select.h> include decision should ideally be reversed and be
  avoided where that header file doesn't exist.
  
  Reported-by: Ian Fette
  Fixes #1925

- RELEASE-NOTES: synced with d8ab5dc50

Michael Kaufmann (24 Sep 2017)
- tests: adjust .gitignore for new tests

Jay Satiro (23 Sep 2017)
- ntlm: move NTLM_NEEDS_NSS_INIT define into core NTLM header
  
  .. and include the core NTLM header in all NTLM-related source files.
  
  Follow up to 6f86022. Since then http_ntlm checks NTLM_NEEDS_NSS_INIT
  but did not include vtls.h where it was defined.
  
  Closes https://github.com/curl/curl/pull/1911

Daniel Stenberg (23 Sep 2017)
- file_range: avoid integer overflow when figuring out byte range
  
  When trying to bump the value with one and the value is already at max,
  it causes an integer overflow.
  
  Closes #1908
  Detected by oss-fuzz:
  https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=3465
  
  Assisted-by: Max Dymond

Michael Kaufmann (23 Sep 2017)
- tests: fix a compiler warning in test 643

Jay Satiro (23 Sep 2017)
- symbols-in-versions: fix CURLSSLSET_NO_BACKENDS entry
  
  - Use spaces instead of tabs as the delimiter.
  
  Follow up to 7c52b12 which added the entry. The entry had used tabs but
  the symbol-scan parser doesn't recognize tabs and would fail the symbol.

Viktor Szakats (22 Sep 2017)
- metalink: fix NSS issue in MultiSSL builds
  
  In MultiSSL mode (i.e. when more than one SSL backend is compiled
  in), we cannot use the compile time flag `USE_NSS` as indicator that
  the NSS backend is in use. As far as Metalink is concerned, the SSL
  backend is only used for MD5, SHA-1 and SHA-256 calculations,
  therefore one of the available SSL backends is selected at compile
  time, in a strict order of preference.
  
  Let's introduce a new `HAVE_NSS_CONTEXT` constant that can be used
  to determine whether the SSL backend used for Metalink is the NSS
  backend, and use that to guard the code that wants to de-initialize
  the NSS-specific data structure.
  
  Ref: https://github.com/curl/curl/pull/1848

- ntlm: use strict order for SSL backend #if branches
  
  With the recently introduced MultiSSL support multiple SSL backends
  can be compiled into cURL That means that now the order of the SSL
  
  One option would be to use the same SSL backend as was configured
  via `curl_global_sslset()`, however, NTLMv2 support would appear
  to be available only with some SSL backends. For example, when
  eb88d778e (ntlm: Use Windows Crypt API, 2014-12-02) introduced
  support for NTLMv1 using Windows' Crypt API, it specifically did
  *not* introduce NTLMv2 support using Crypt API at the same time.
  
  So let's select one specific SSL backend for NTLM support when
  compiled with multiple SSL backends, using a priority order such
  that we support NTLMv2 even if only one compiled-in SSL backend can
  be used for that.
  
  Ref: https://github.com/curl/curl/pull/1848

Daniel Stenberg (22 Sep 2017)
- symbols-in-versions: add CURLSSLSET_NO_BACKENDS
  
  ...fixup from b8e0fe19ec

- imap: quote atoms properly when escaping characters
  
  Updates test 800 to verify
  
  Fixes #1902
  Closes #1903

- tests: make the imap server not verify user+password
  
  ... as the test cases themselves do that and it makes it easier to add
  crazy test cases.
  
  Test 800 updated to use user name + password that need quoting.
  
  Test 856 updated to trigger an auth fail differently.
  
  Ref: #1902

- vtls: provide curl_global_sslset() even in non-SSL builds
  
  ... it just returns error:
  
  Bug: https://github.com/curl/curl/commit/1328f69d53f2f2e937696ea954c480412b018451#commitcomment-24470367
  Reported-by: Marcel Raad
  
  Closes #1906

Patrick Monnerat (22 Sep 2017)
- form/mime: field names are not allowed to contain zero-valued bytes.
  
  Also suppress length argument of curl_mime_name() (names are always
  zero-terminated).

Daniel Stenberg (21 Sep 2017)
- [Dirk Feytons brought this change]

  openssl: only verify RSA private key if supported
  
  In some cases the RSA key does not support verifying it because it's
  located on a smart card, an engine wants to hide it, ...
  Check the flags on the key before trying to verify it.
  OpenSSL does the same thing internally; see ssl/ssl_rsa.c
  
  Closes #1904

Marcel Raad (21 Sep 2017)
- examples/post-callback: use long for CURLOPT_POSTFIELDSIZE
  
  Otherwise, typecheck-gcc.h warns on MinGW-w64.

Patrick Monnerat (20 Sep 2017)
- mime: rephrase the multipart output state machine (#1898) ...
  
  ... in hope coverity will like it much.

- mime: fix an explicit null dereference (#1899)

Daniel Stenberg (20 Sep 2017)
- curl: check fseek() return code and bail on error
  
  Detected by coverity. CID 1418137.

- smtp: fix memory leak in OOM
  
  Regression since ce0881edee
  
  Coverity CID 1418139 and CID 1418136 found it, but it was also seen in
  torture testing.

- RELEASE-NOTES: synced with 5fe85587c

- [Pavel P brought this change]

  cookies: use lock when using CURLINFO_COOKIELIST
  
  Closes #1896

- [Max Dymond brought this change]

  ossfuzz: changes before merging the generated corpora
  
  Before merging in the oss-fuzz corpora from Google, there are some changes
  to the fuzzer.
  - Add a read corpus script, to display corpus files nicely.
  - Change the behaviour of the fuzzer so that TLV parse failures all now
    go down the same execution paths, which should reduce the size of the
    corpora.
  - Make unknown TLVs a failure to parse, which should decrease the size
    of the corpora as well.
  
  Closes #1881

- mime:escape_string minor clarification change
  
  ... as it also removes a warning with old gcc versions.
  
  Bug: https://curl.haxx.se/mail/lib-2017-09/0049.html
  Reported-by: Ben Greear

- [Max Dymond brought this change]

  ossfuzz: don't write out to stdout
  
  Don't make the fuzzer write out to stdout - instead write some of the
  contents to a memory block so we exercise the data output code but
  quietly.
  
  Closes #1885

- cookies: reject oversized cookies
  
  ... instead of truncating them.
  
  There's no fixed limit for acceptable cookie names in RFC 6265, but the
  entire cookie is said to be less than 4096 bytes (section 6.1). This is
  also what browsers seem to implement.
  
  We now allow max 5000 bytes cookie header. Max 4095 bytes length per
  cookie name and value. Name + value together may not exceed 4096 bytes.
  
  Added test 1151 to verify
  
  Bug: https://curl.haxx.se/mail/lib-2017-09/0062.html
  Reported-by: Kevin Smith
  
  Closes #1894

- travis: on mac, don't install openssl or libidn
  
  - openssl is already installed and causes warnings when trying to
    install again
  
  - libidn isn't used these days, and homebrew doesn't seem to have a
    libidn2 package to replace with easily
  
  Closes #1895

- curl: make str2udouble not return values on error
  
  ... previously it would store a return value even when it returned
  error, which could make the value get used anyway!
  
  Reported-by: Brian Carpenter
  Closes #1893

Jay Satiro (18 Sep 2017)
- socks: fix incorrect port number in SOCKS4 error message
  
  Prior to this change it appears the SOCKS5 port parsing was erroneously
  used for the SOCKS4 error message, and as a result an incorrect port
  would be shown in the error message.
  
  Bug: https://github.com/curl/curl/issues/1892
  Reported-by: Jackarain@users.noreply.github.com

- [Marc Aldorasi brought this change]

  schannel: Support partial send for when data is too large
  
  Schannel can only encrypt a certain amount of data at once.  Instead of
  failing when too much data is to be sent at once, send as much data as
  we can and let the caller send the remaining data by calling send again.
  
  Bug: https://curl.haxx.se/mail/lib-2014-07/0033.html
  
  Closes https://github.com/curl/curl/pull/1890

- [David Benjamin brought this change]

  openssl: add missing includes
  
  lib/vtls/openssl.c uses OpenSSL APIs from BUF_MEM and BIO APIs. Include
  their headers directly rather than relying on other OpenSSL headers
  including things.
  
  Closes https://github.com/curl/curl/pull/1891

Daniel Stenberg (15 Sep 2017)
- conversions: fix several compiler warnings

- server/getpart: provide dummy function to build conversion enabled

- non-ascii: use iconv() with 'char **' argument
  
  Bug: https://curl.haxx.se/mail/lib-2017-09/0031.html

- escape.c: error: pointer targets differ in signedness

- docs: clarify the CURLOPT_INTERLEAVE* options behavior

- [Max Dymond brought this change]

  rtsp: Segfault in rtsp.c when using WRITEDATA
  
  If the INTERLEAVEFUNCTION is defined, then use that plus the
  INTERLEAVEDATA information when writing RTP. Otherwise, use
  WRITEFUNCTION and WRITEDATA.
  
  Fixes #1880
  Closes #1884

Marcel Raad (15 Sep 2017)
- [Isaac Boukris brought this change]

  tests: enable gssapi in travis-ci linux build
  
  Closes https://github.com/curl/curl/pull/1687

- [Isaac Boukris brought this change]

  tests: add initial gssapi test using stub implementation
  
  The stub implementation is pre-loaded using LD_PRELOAD
  and emulates common gssapi uses (only builds if curl is
  initially built with gssapi support).
  
  The initial tests are currently disabled for debug builds
  as LD_PRELOAD is not used then.
  
  Ref: https://github.com/curl/curl/pull/1687

Daniel Stenberg (15 Sep 2017)
- test1150: verify same host fetch using different ports over proxy
  
  Closes #1889

- URL: on connection re-use, still pick the new remote port
  
  ... as when a proxy connection is being re-used, it can still get a
  different remote port.
  
  Fixes #1887
  Reported-by: Oli Kingshott

- RELEASE-NOTES: synced with 87501e57f

- code style: remove wrong uses of multiple spaces
  
  Closes #1878

- checksrc: detect and warn for multiple spaces

- code style: use space after semicolon

- checksrc: verify space after semicolons

- code style: use spaces around pluses

- checksrc: detect and warn for lack of spaces next to plus signs

- code style: use spaces around equals signs

- checksrc: verify spaces around equals signs
  
  ... as the code style mandates.

- Curl_checkheaders: make it available for IMAP and SMTP too
  
  ... not only HTTP uses this now.
  
  Closes #1875

- travis: add build without HTTP/SMTP/IMAP

Jay Satiro (10 Sep 2017)
- mbedtls: enable CA path processing
  
  CA path processing was implemented when mbedtls.c was added to libcurl
  in fe7590f, but it was never enabled.
  
  Bug: https://github.com/curl/curl/issues/1877
  Reported-by: SBKarr@users.noreply.github.com

Daniel Stenberg (8 Sep 2017)
- rtsp: do not call fwrite() with NULL pointer FILE *
  
  If the default write callback is used and no destination has been set, a
  NULL pointer would be passed to fwrite()'s 4th argument.
  
  OSS-fuzz bug https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=3327
  (not publicly open yet)
  
  Detected by OSS-fuzz
  Closes #1874

- configure: use -Wno-varargs on clang 3.9[.X] debug builds
  
  ... to avoid a clang bug

- [Max Dymond brought this change]

  ossfuzz: add some more handled CURL options
  
  Add support for HEADER, COOKIE, RANGE, CUSTOMREQUEST, MAIL_RECIPIENT,
