                                  _   _ ____  _
                              ___| | | |  _ \| |
                             / __| | | | |_) | |
                            | (__| |_| |  _ <| |___
                             \___|\___/|_| \_\_____|

                                  Changelog

Version 7.66.0 (10 Sep 2019)

Daniel Stenberg (10 Sep 2019)
- RELEASE-NOTES: curl 7.66.0

- THANKS: from the 7.66.0 release

- curl: make sure the parallel transfers do them all
  
  The logic could erroneously break the loop too early before all
  transfers had been transferred.
  
  Reported-by: Tom van der Woerdt
  Fixes #4316
  Closes #4317

- urlapi: one colon is enough for the strspn() input (typo)

- urlapi: verify the IPv6 numerical address
  
  It needs to parse correctly. Otherwise it could be tricked into letting
  through a-f using host names that libcurl would then resolve. Like
  '[ab.be]'.
  
  Reported-by: Thomas Vegas
  Closes #4315
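
The gap this entry closes, shown as an added example (not curl's own code): a strspn() character-class check accepts '[ab.be]', while a real parse with inet_pton() rejects it. The function names and every sample host other than '[ab.be]' are assumptions made for illustration; zone identifiers are left out.

```c
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Characters a bracketed IPv6 literal may contain: hex digits, ':' and
   '.' (the dot for an embedded IPv4 tail such as ::ffff:192.0.2.1). */
static const char V6_CHARS[] = "0123456789abcdefABCDEF:.";

/* Hypothetical helper: copy the text between '[' and ']' into out.
   Returns false when the brackets are missing or the content is longer
   than any textual IPv6 address can be. */
static bool bracket_content(const char *host, char *out, size_t outlen)
{
  size_t len = strlen(host);
  if(len < 3 || host[0] != '[' || host[len - 1] != ']')
    return false;
  if(len - 2 >= outlen)
    return false;
  memcpy(out, host + 1, len - 2);
  out[len - 2] = '\0';
  return true;
}

/* Character-class check only: anything built from hex digits, ':' and
   '.' passes, including strings that are really DNS names. */
bool v6_charset_only(const char *host)
{
  char addr[INET6_ADDRSTRLEN];
  if(!bracket_content(host, addr, sizeof(addr)))
    return false;
  return strspn(addr, V6_CHARS) == strlen(addr);
}

/* Character-class check followed by an actual parse of the address. */
bool v6_parsed(const char *host)
{
  char addr[INET6_ADDRSTRLEN];
  unsigned char bin[sizeof(struct in6_addr)];
  if(!bracket_content(host, addr, sizeof(addr)))
    return false;
  if(strspn(addr, V6_CHARS) != strlen(addr))
    return false;
  return inet_pton(AF_INET6, addr, bin) == 1;
}

int main(void)
{
  /* Constructed sample inputs; '[ab.be]' is the one from the changelog. */
  const char *samples[] = {
    "[::1]", "[2001:db8::1]", "[::ffff:192.0.2.1]", "[ab.be]", "[dead.beef]"
  };
  for(size_t i = 0; i < sizeof(samples) / sizeof(samples[0]); i++)
    printf("%-22s charset-only=%d parsed=%d\n", samples[i],
           v6_charset_only(samples[i]), v6_parsed(samples[i]));
  return 0;
}
```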

- [Clément Notin brought this change]

  openssl: use SSL_CTX_set_<min|max>_proto_version() when available
  
  OpenSSL 1.1.0 adds SSL_CTX_set_<min|max>_proto_version() that we now use
  when available.  Existing code is preserved for older versions of
  OpenSSL.
  
  Closes #4304

- [Clément Notin brought this change]

  openssl: indent, re-organize and add comments

- [migueljcrum brought this change]

  sspi: fix memory leaks
  
  Closes #4299

- travis: disable ngtcp2 builds (again)

- Curl_fillreadbuffer: avoid double-free trailer buf on error
  
  Reviewed-by: Jay Satiro
  Reported-by: Thomas Vegas
  
  Closes #4307

- tool_setopt: handle a libcurl build without netrc support
  
  Reported-by: codesniffer13 on github
  Fixes #4302
  Closes #4305

- security:read_data fix bad realloc()
  
  ... that could end up a double-free
  
  CVE-2019-5481
  Bug: https://curl.haxx.se/docs/CVE-2019-5481.html

- [Thomas Vegas brought this change]

  tftp: Alloc maximum blksize, and use default unless OACK is received
  
  Fixes potential buffer overflow from 'recvfrom()', should the server
  return an OACK without blksize.
  
  Bug: https://curl.haxx.se/docs/CVE-2019-5482.html
  CVE-2019-5482

- [Thomas Vegas brought this change]

  tftp: return error when packet is too small for options

- KNOWN_BUGS/TODO: cleanup and remove outdated issues

- RELEASE-NOTES: synced

- netrc: free 'home' on error
  
  Follow-up to f9c7ba9096ec2
  
  Coverity CID 1453474
  
  Closes #4291

- urldata: avoid 'generic', use dedicated pointers
  
  For the 'proto' union within the connectdata struct.
  
  Closes #4290

- cleanup: move functions out of url.c and make them static
  
  Closes #4289

- smtp: check for and bail out on too short EHLO response
  
  Otherwise, a three byte response would make the smtp_state_ehlo_resp()
  function misbehave.
  
  Credit to OSS-Fuzz
  Bug: https://crbug.com/oss-fuzz/16918
  
  Assisted-by: Max Dymond
  
  Closes #4287

- smb: init *msg to NULL in smb_send_and_recv()
  
  ... it might otherwise return OK from this function leaving that pointer
  uninitialized.
  
  Bug: https://crbug.com/oss-fuzz/16907
  
  Closes #4286

- ROADMAP: updated after recent user poll
  
  In rough prio order

- THANKS: remove duplicate

- Curl_addr2string: take an addrlen argument too
  
  This allows the function to figure out if a unix domain socket has a
  file name or not associated with it! When a socket is created with
  socketpair(), as done in the fuzzer testing, the path struct member is
  uninitialized and must not be accessed.
  
  Bug: https://crbug.com/oss-fuzz/16699
  
  Closes #4283

- [Rolf Eike Beer brought this change]

  CMake: remove needless newlines at end of gss variables

- [Rolf Eike Beer brought this change]

  CI: remove duplicate configure flag for LGTM.com

- [Rolf Eike Beer brought this change]

  CMake: use platform dependent name for dlopen() library
  
  Closes #4279

- quiche: expire when poll returned data
  
  ... to make sure we continue draining the queue until empty
  
  Closes #4281

- quiche: decrease available buffer size, don't assign it!
  
  Found-by: Jeremy Lainé

- RELEASE-NOTES: synced

- [Kyohei Kadota brought this change]

  curl: fix include conditions

- [Kyohei Kadota brought this change]

  plan9: fix installation instructions
  
  Closes #4276

- ngtcp2: on h3 stream close, call expire
  
  ... to trigger a new read to detect the stream close!
  
  Closes #4275

- [Tatsuhiro Tsujikawa brought this change]

  ngtcp2: build latest ngtcp2 and ngtcp2_crypto_openssl
  
  Closes #4278

- ngtcp2: set flow control window to stream buffer size
  
  Closes #4274

- [Christopher Head brought this change]

  CURLOPT_HEADERFUNCTION.3: clarify
  
  Closes #4273

- CURLINFO docs: mention that in redirects times are added
  
  Suggested-by: Brandon Dong
  Fixes #4250
  Closes #4269

- travis: enable ngtcp2 builds again
  
  Switched to the openssl-quic-draft-22 openssl branch.
  
  Closes #4271

- HTTP3: switched openssl branch to use

- [Tatsuhiro Tsujikawa brought this change]

  ngtcp2: Build with latest ngtcp2 and ngtcp2_crypto_openssl
  
  Closes #4270

- http2: when marked for closure and wanted to close == OK
  
  It could otherwise return an error even when closed correctly if GOAWAY
  had been received previously.
  
  Reported-by: Tom van der Woerdt
  Fixes #4267
  Closes #4268

- RELEASE-NOTES: synced

- build-openssl: fix build with Visual Studio 2019
  
  Reviewed-by: Marcel Raad
  Contributed-by: osabc on github
  Fixes #4188
  Closes #4266

Kamil Dudka (26 Aug 2019)
- vauth: return CURLE_AUTH_ERROR on gss_init_sec_context() failure
  
  This is a follow-up to https://github.com/curl/curl/pull/3864 .
  
  Closes #4224

Daniel Stenberg (26 Aug 2019)
- KNOWN_BUGS: USE_UNIX_SOCKETS on Windows
  
  Closes #4040

- quiche: send the HTTP body correctly on callback uploads
  
  Closes #4265

- travis: disable ngtcp2 builds (temporarily)
  
  Just too many API changes right now
  
  Closes #4264

- ngtcp2: add support for SSLKEYLOGFILE
  
  Closes #4260

- ngtcp2: improve h3 response receiving
  
  Closes #4259

- ngtcp2: use nghttp3_version()

- ngtcp2: sync with upstream API changes
  
  Assisted-by: Tatsuhiro Tsujikawa

- [Kyle Abramowitz brought this change]

  scp: fix directory name length used in memcpy
  
  Fix read off end of array due to bad pointer math in getworkingpath for
  SCP home directory case.
  
  Closes #4258

- http: the 'closed' struct field is used by both ngh2 and ngh3
  
  and remove 'header_recvbuf', not used for anything
  
  Reported-by: Jeremy Lainé
  
  Closes #4257

- ngtcp2: accept upload via callback
  
  Closes #4256

- defines: avoid underscore-prefixed defines
  
  Double-underscored or underscore plus uppercase letter at least.
  
  ... as they're claimed to be reserved.
  
  Reported-by: patnyb on github
  
  Fixes #4254
  Closes #4255

- travis: add a build using ngtcp2 + nghttp3 (and a patched OpenSSL)
  
  Runs no tests
  
  Closes #4253

- travis: bump to using nghttp2 version 1.39.2
  
  Closes #4252

- [Gisle Vanem brought this change]

  docs/examples/curlx: fix errors
  
  Initialise 'mimetype' and require the -p12 arg.
  
  Closes #4248

- cleanup: remove DOT_CHAR completely
  
  Follow-up to f9c7ba9096ec
  
  The use of DOT_CHAR for ".ssh" was probably a mistake and is removed
  now.
  
  Pointed-out-by: Gisle Vanem
  Bug: https://github.com/curl/curl/pull/4230#issuecomment-522960638
  
  Closes #4247

- spnego_sspi: add typecast to fix build warning
  
  Reported in build "Win32 target on Debian Stretch (64-bit) -
  i686-w64-mingw32 - gcc-20170516"
  
  Closes #4245

- openssl: build warning free with boringssl
  
  Closes #4244

- curl: make --libcurl use CURL_HTTP_VERSION_3
  
  Closes #4243

- ngtcp2: make postfields-set posts work
  
  Closes #4242

- http: remove chunked-encoding and expect header use for HTTP/3

- [Alessandro Ghedini brought this change]

  configure: use pkg-config to detect quiche
  
  This removes the need to hard-code the quiche target path in
  configure.ac.
  
  This depends on https://github.com/cloudflare/quiche/pull/128
  
  Closes #4237

- CURLOPT_SSL_VERIFYHOST: treat the value 1 as 2
  
  For a long time (since 7.28.1) we've returned error when setting the
  value to 1 to make applications notice that we stopped supporting the old
  behavior for 1. Starting now, we treat 1 and 2 exactly the same.
  
  Closes #4241

- curl: use .curlrc (with a dot) on Windows as well
  
  Fall-back to _curlrc if the dot-version is missing.
  
  Co-Authored-By: Steve Holme
  
  Closes #4230

- netrc: make the code try ".netrc" on Windows as well
  
  ... but fall back and try "_netrc" too if the dot version didn't work.
  
  Co-Authored-By: Steve Holme

- ngtcp2: use ngtcp2_version() to get the run-time version
  
  ... which of course doesn't have to be the same used at build-time.
  
  Function just recently merged in ngtcp2.

- ngtcp2: move the h3 initing to immediately after the rx key
  
  To fix a segfault and to better deal with 0-RTT
  
  Assisted-by: Tatsuhiro Tsujikawa

- [Alessandro Ghedini brought this change]

  quiche: register debug callback once and earlier
  
  The quiche debug callback is global and can only be initialized once, so
  make sure we don't do it multiple times (e.g. if multiple requests are
  executed).
  
  In addition this initializes the callback before the connection is
  created, so we get logs for the handshake as well.
  
  Closes #4236

- ssh: add a generic Curl_ssh_version function for SSH backends
  
  Closes #4235

- base64: check for SSH, not specific SSH backends

- vssh: move ssh init/cleanup functions into backend code

- vssh: create directory for SSH backend code

- TODO/ROADMAP: remove "refuse downgrade redirects" and HTTP/3
  
  HTTP3 is now already in full progress
  
  Downgrade redirects can be achieved almost exactly like that by setting
  CURLOPT_REDIR_PROTOCOLS.

- RELEASE-NOTES: synced

- travis: add a quiche build
  
  Closes #4207

- http: fix use of credentials from URL when using HTTP proxy
  
  When a username and password are provided in the URL, they were wrongly
  removed from the stored URL so that subsequent uses of the same URL
  wouldn't find the credentials. This made doing HTTP auth with multiple
  connections (like Digest) misbehave.
  
  Regression from 46e164069d1a5230 (7.62.0)
  
  Test case 335 added to verify.
  
  Reported-by: Mike Crowe
  
  Fixes #4228
  Closes #4229

- [Mike Crowe brought this change]

  tests: Replace outdated test case numbering documentation
  
  Tests are no longer grouped by numeric range[1]. Let's stop saying that
  and provide some alternative advice for numbering tests.
  
  [1] https://curl.haxx.se/mail/lib-2019-08/0043.html
  
  Closes #4227

- travis: reduce number of torture tests in 'coverage'
  
  ... to make it complete in time. This cut seems to almost not affect
  the coverage percentage and yet completes within 35 minutes on travis
  where the previous runs recently always timed out after 50.
  
  Closes #4223

- [Igor Makarov brought this change]

  configure: use -lquiche to link to quiche
  
  Closes #4226

- ngtcp2: provide the callbacks as a static struct
  
  ... instead of having them in quicsocket

- [Tatsuhiro Tsujikawa brought this change]

  ngtcp2: add missing nghttp3_conn_add_write_offset call
  
  Closes #4225

- [Tatsuhiro Tsujikawa brought this change]

  ngtcp2: deal with stream close

- [Tatsuhiro Tsujikawa brought this change]

  ngtcp2: Consume QUIC STREAM data properly

- [Tatsuhiro Tsujikawa brought this change]

  ngtcp2: don't reinitialize SSL on Retry

- multi: getsock improvements for QUIC connecting

- connect: connections are persistent by default for HTTP/3

- quiche: happy eyeballs
  
  Closes #4220

- ngtcp2: do QUIC connections happy-eyeballs friendly

- curl_version: bump string buffer size to 250
  
  With HTTP/3 libs and plenty TLS libs, I managed to hit the limit (which
  causes a truncated output).

- CURLOPT_ALTSVC.3: use a "" file name to not load from a file

Jay Satiro (14 Aug 2019)
- vauth: Use CURLE_AUTH_ERROR for auth function errors
  
  - Add new error code CURLE_AUTH_ERROR.
  
  Prior to this change auth function errors were signaled by
  CURLE_OUT_OF_MEMORY and CURLE_RECV_ERROR, and neither one was
  technically correct.
  
  Ref: https://github.com/curl/curl/pull/3848
  
  Co-authored-by: Dominik Hölzl
  
  Closes https://github.com/curl/curl/pull/3864

Daniel Stenberg (13 Aug 2019)
- curl_version_info: make the quic_version a const
  
  Follow-up from 1a2df1518ad8653f
  
  Closes #4222

- examples: add http3.c, altsvc.c and http3-present.c
  
  Closes #4221

Peter Wu (13 Aug 2019)
- nss: use TLSv1.3 as default if supported
  
  SSL_VersionRangeGetDefault returns (TLSv1.0, TLSv1.2) as supported
  range in NSS 3.45. It looks like the intention is to raise the minimum
  version rather than lowering the maximum, so adjust accordingly. Note
  that the caller (nss_setup_connect) initializes the version range to
  (TLSv1.0, TLSv1.3), so there is no need to check for >= TLSv1.0 again.
  
  Closes #4187
  Reviewed-by: Daniel Stenberg
  Reviewed-by: Kamil Dudka

Daniel Stenberg (13 Aug 2019)
- quic.h: remove unused proto

- curl_version_info.3: mentioned ALTSVC and HTTP3
  
  ... and sorted the list alphabetically

- lib/quic.c: unused - removed

- CURLOPT_ALTSVC_CTRL.3: remove CURLALTSVC_ALTUSED
  
  Follow-up to 98c3f148 that removed it from the header file

- [Junho Choi brought this change]

  docs/HTTP3: simplify quiche build instruction
  
  Use --recursive to get boringssl in one line
  
  Closes #4219

- altsvc: make it use h3-22 with ngtcp2 as well

- ngtcp2: initial h3 request work
  
  Closes #4217

- curl_version_info: offer quic (and h3) library info
  
  Closes #4216

- HTTP3: use ngtcp2's draft-22 branch

- RELEASE-NOTES: synced

- CURLOPT_READFUNCTION.3: provide inline example
  
  ... instead of mentioning one in another place

- [Tatsuhiro Tsujikawa brought this change]

  ngtcp2: send HTTP/3 request with nghttp3
  
  This commit makes sending HTTP/3 request with nghttp3 work.  It
  minimally receives HTTP response and calls nghttp3 callbacks, but no
  processing is made at the moment.
  
  Closes #4215

- nghttp3: initial h3 template code added

- nghttp3: required when ngtcp2 is used for QUIC
  
  - checked for by configure
  - updated docs/HTTP3.md
  - shown in the version string
  
  Closes #4210

- [Eric Wong brought this change]

  asyn-thread: issue CURL_POLL_REMOVE before closing socket
  
  This avoids EBADF errors from EPOLL_CTL_DEL operations in the
  ephiperfifo.c example.  EBADF is dangerous in multi-threaded
  applications where I rely on epoll_ctl to operate on the same
  epoll description from different threads.
  
  Follow-up to eb9a604f8d7db8
  
  Bug: https://curl.haxx.se/mail/lib-2019-08/0026.html
  Closes #4211

- [Carlo Marcelo Arenas Belón brought this change]

  configure: avoid undefined check_for_ca_bundle
  
  instead of using a "greater than 0" test, check for variable being
  set, as it is always set to 1, and could be left unset if none of
  OPENSSL MBEDTLS GNUTLS WOLFSSL is being configured for.
  
  Closes #4213

- [Tatsuhiro Tsujikawa brought this change]

  ngtcp2: Send ALPN h3-22
  
  Closes #4212

- [Tatsuhiro Tsujikawa brought this change]

  ngtcp2: use ngtcp2_settings_default and specify initial_ts

- curl_global_init_mem.3: mention it was added in 7.12.0

- [Tatsuhiro Tsujikawa brought this change]

  ngtcp2: make the QUIC handshake work
  
  Closes #4209

- [Alex Mayorga brought this change]

  HTTP3.md: Update quiche build instructions
  
  Added cloning for quiche and BoringSSL and modified the build
  instructions so they work on a clean folder.
  
  Closes #4208

- CURLOPT_H3: removed
  
  There's no use for this anymore and it was never in a release.
  
  Closes #4206

- http3: make connection reuse work
  
  Closes #4204

- quiche: add SSLKEYLOGFILE support

- cleanup: s/curl_debug/curl_dbg_debug in comments and docs
  
  Leftovers from the function rename back in 76b63489495
  
  Reported-by: Gisle Vanem
  Bug: https://github.com/curl/curl/commit/f3e0f071b14fcb46a453f69bdf4e062bcaacf362#commitcomment-34601751
  
  Closes #4203

- RELEASE-NOTES: synced

- alt-svc: add protocol version selection masking
  
  So that users can mask in/out specific HTTP versions when Alt-Svc is
  used.
  
   - Removed "h2c" and updated test case accordingly
   - Changed how the altsvc struct is laid out
   - Added ifdefs to make the unittest run even in a quiche-tree
  
  Closes #4201

- http3: fix the HTTP/3 in the request, make alt-svc set right versions
  
  Closes #4200

- alt-svc: send Alt-Used: in redirected requests
  
  RFC 7838 section 5:
  
     When using an alternative service, clients SHOULD include an Alt-Used
     header field in all requests.
  
  Removed CURLALTSVC_ALTUSED again (feature is still EXPERIMENTAL thus
  this is deemed ok).
  
  You can disable sending this header just like you disable any other HTTP
  header in libcurl.
  
  Closes #4199

- CURLOPT_HTTP_VERSION: setting this to 3 forces HTTP/3 use directly
  
  Even though it cannot fall-back to a lower HTTP version automatically. The
  safer way to upgrade remains via CURLOPT_ALTSVC.
  
  CURLOPT_H3 no longer has any bits that do anything and might be removed
  before we remove the experimental label.
  
  Updated the curl tool accordingly to use "--http3".
  
  Closes #4197

- docs/ALTSVC: remove what works and the experimental explanation
  
  Also, put the TODO items at the bottom.
  
  Closes #4198

- docs/EXPERIMENTAL: explain what it means and what's experimental now

- curl: make use of CURLINFO_RETRY_AFTER when retrying
  
  If a Retry-After: header was used in the response, that value overrides
  other retry timing options.
  
  Fixes #3794
  Closes #4195

- curl: use CURLINFO_PROTOCOL to check for HTTP(s)
  
  ... instead of CURLINFO_EFFECTIVE_URL to avoid string operations.

- CURLINFO_RETRY_AFTER: parse the Retry-After header value
  
  This is only the libcurl part that provides the information. There's no
  user of the parsed value. This change includes three new tests for the
  parser.
  
  Ref: #3794

- docs/ALTSVC.md: first basic file format description

- curl: have -w's 'http_version' show '3' for HTTP/3
  
  Closes #4196

- curl.h: add CURL_HTTP_VERSION_3 to the version enum
  
  It can't be set for CURLOPT_HTTP_VERSION, but it can be extracted with
  CURLINFO_HTTP_VERSION.

- quiche: make use of the connection timeout API properly

- quiche: make POSTFIELDS posts work

- quiche: improved error handling and memory cleanups

- quiche: flush egress in h3_stream_recv() too

- RELEASE-NOTES: synced

Jay Satiro (6 Aug 2019)
- [Patrick Monnerat brought this change]

  os400: take care of CURLOPT_SASL_AUTHZID in curl_easy_setopt_ccsid().
  
  Ref: https://github.com/curl/curl/issues/3653
  Ref: https://github.com/curl/curl/pull/3790
  
  NOTE: This commit was cherry-picked and is part of a series of commits
  that added the authzid feature for upcoming 7.66.0. The series was
  temporarily reverted in db8ec1f so that it would not ship in a 7.65.x
  patch release.
  
  Closes https://github.com/curl/curl/pull/4186

- tests: Fix the line endings for the SASL alt-auth tests
  
  - Change data and protocol sections to CRLF line endings.
  
  Prior to this change the tests would fail or hang, which is because
  certain sections such as protocol require CRLF line endings.
  
  Follow-up to grandparent commit which added the tests.
  
  Ref: https://github.com/curl/curl/issues/3653
  Ref: https://github.com/curl/curl/pull/3790
  
  NOTE: This commit was cherry-picked and is part of a series of commits
  that added the authzid feature for upcoming 7.66.0. The series was
  temporarily reverted in db8ec1f so that it would not ship in a 7.65.x
  patch release.
  
  Closes https://github.com/curl/curl/pull/4186

- [Steve Holme brought this change]

  examples: Added SASL PLAIN authorisation identity (authzid) examples
  
  Ref: https://github.com/curl/curl/issues/3653
  Ref: https://github.com/curl/curl/pull/3790
  
  NOTE: This commit was cherry-picked and is part of a series of commits
  that added the authzid feature for upcoming 7.66.0. The series was
  temporarily reverted in db8ec1f so that it would not ship in a 7.65.x
  patch release.
  
  Closes https://github.com/curl/curl/pull/4186

- [Steve Holme brought this change]

  curl: --sasl-authzid added to support CURLOPT_SASL_AUTHZID from the tool
  
  Ref: https://github.com/curl/curl/issues/3653
  Ref: https://github.com/curl/curl/pull/3790
  
  NOTE: This commit was cherry-picked and is part of a series of commits
  that added the authzid feature for upcoming 7.66.0. The series was
  temporarily reverted in db8ec1f so that it would not ship in a 7.65.x
  patch release.
  
  Closes https://github.com/curl/curl/pull/4186

- [Steve Holme brought this change]

  sasl: Implement SASL authorisation identity via CURLOPT_SASL_AUTHZID
  
  Added the ability for the calling program to specify the authorisation
  identity (authzid), the identity to act as, in addition to the
  authentication identity (authcid) and password when using SASL PLAIN
  authentication.
  
  Fixes #3653
  Closes #3790
  
  NOTE: This commit was cherry-picked and is part of a series of commits
  that added the authzid feature for upcoming 7.66.0. The series was
  temporarily reverted in db8ec1f so that it would not ship in a 7.65.x
  patch release.
  
  Closes https://github.com/curl/curl/pull/4186

Daniel Stenberg (6 Aug 2019)
- docs/HTTP3: refreshed as it is now in master and HTTP/3 can be tested

- [Yiming Jing brought this change]

  mesalink: implement client authentication
  
  Closes #4184

- curl_multi_poll: a sister to curl_multi_wait() that waits more
  
  Repeatedly we see problems where using curl_multi_wait() is difficult or
  just awkward because if it has no file descriptor to wait for
  internally, it returns immediately and leaves it to the caller to wait
  for a small amount of time in order to avoid occasional busy-looping.
  
  This is often missed or misunderstood, leading to underperforming
  applications.
  
  This change introduces curl_multi_poll() as a replacement drop-in
  function that accepts the exact same set of arguments. This function
  works identically to curl_multi_wait() - EXCEPT - for the case when
  there's nothing to wait for internally, as then this function will by
  itself wait for a "suitable" short time before it returns. This
  effectively avoids all risks of busy-looping and should also make it less
  likely that apps "over-wait".
  
  This also changes the curl tool to use this function internally when
  doing parallel transfers and changes curl_easy_perform() to use it
  internally.
  
  Closes #4163

- quiche:h3_stream_recv return 0 at end of stream
  
  ... and remove some verbose messages we don't need. Made transfers from
  facebook.com work better.

- altsvc: make quiche use h3-22 now

- quiche: show the actual version number

- quiche: first working HTTP/3 request
  
   - enable debug log
   - fix use of quiche API
   - use download buffer
   - separate header/body
  
  Closes #4193

- http09: disable HTTP/0.9 by default in both tool and library
  
  As the plan has been laid out in DEPRECATED. Update docs accordingly and
  verify in test 1174. Now requires the option to be set to allow HTTP/0.9
  responses.
  
  Closes #4191

- quiche: initial h3 request send/receive

- lib/Makefile.am: make checksrc run in vquic too

- altsvc: fix removal of expired cache entry
  
  Closes #4192

- RELEASE-NOTES: synced

Steve Holme (4 Aug 2019)
- md4: Use our own MD4 implementation when no crypto libraries are available
  
  Closes #3780

- md4: No need to include Curl_md4.h for each TLS library

- md4: No need for the NTLM code to call Curl_md4it() for each TLS library
  
  As the NTLM code no longer calls any of TLS libraries' specific MD4
  functions, there is no need to call this function for each #ifdef.

- md4: Move the mbed TLS MD4 implementation out of the NTLM code

- md4: Move the WinCrypt implementation out of the NTLM code

- md4: Move the SecureTransport implementation out of the NTLM code

- md4: Use the Curl_md4it() function for OpenSSL based NTLM

- md4: Move the GNU TLS gcrypt MD4 implementation out of the NTLM code

- md4: Move the GNU TLS Nettle MD4 implementation out of the NTLM code

Jay Satiro (4 Aug 2019)
- OS400: Add CURLOPT_H3 symbols
  
  Follow-up to 3af0e76 which added experimental H3 support.
  
  Closes https://github.com/curl/curl/pull/4185

Daniel Stenberg (3 Aug 2019)
- url: make use of new HTTP version if alt-svc has one

- url: set conn->transport to default TCP at init time

- altsvc: with quiche, use the quiche h3 alpn string
  
  Closes #4183

- alt-svc: more liberal ALPN name parsing
  
  Allow pretty much anything to be part of the ALPN identifier. In
  particular minus, which is used for "h3-20" (in-progress HTTP/3
  versions) etc.
  
  Updated test 356.
  Closes #4182

- quiche: use the proper HTTP/3 ALPN

- quiche: add failf() calls for two error cases
  
  To aid debugging
  
  Closes #4181

- mailmap: added Kyohei Kadota

