                                  _   _ ____  _
                              ___| | | |  _ \| |
                             / __| | | | |_) | |
                            | (__| |_| |  _ <| |___
                             \___|\___/|_| \_\_____|

                                  Changelog

Version 7.88.0 (15 Feb 2023)

Daniel Stenberg (15 Feb 2023)

- RELEASE-NOTES: synced

  7.88.0 release

- THANKS: added contributors from 7.88.0

- openssl: rename 'errcode_t' to 'sslerr_t'

  Turns out "/usr/include/et/com_err.h" typedefs this type (without proper
  variable scoping).

  comerr is the "common error description library" that apparently might be use
  d
  by krb5 code, which then makes this header get used in a curl build.

  Reported-by: Bruno Henrique Batista Cruz da Silva
  Fixed #10502
  Closes #10500

Dan Fandrich (13 Feb 2023)

- CONTRIBUTE: More formally specify the commit description

  This codifies what people have actually used in git commits over the
  past 6 years. I've left off some lesser-used headers that appear to
  duplicate others and tried to describe a consistent use for several
  others that were used more arbitrarily.

  This makes it easier for new committers to find out the kinds of things
  we want to acknowledge, makes it easier to perform statistical analysis
  on commits, and opens the possibility of performing lint checks on
  descriptions before submission.

  Reviewed-by: Daniel Stenberg
  Reviewed-by: Jay Satiro

  Closes #10478

Stefan Eissing (13 Feb 2023)

- openssl: test and fix for forward proxy handling (non-tunneling).

  - adding pytest test_10 cases for proxy httpd setup tests
  - fixing openssl bug in https: proxy hostname verification that
    used the hostname of the request and not the proxy name.

  Closes #10498

Daniel Stenberg (13 Feb 2023)

- cmdline-opts/Makefile: on error, do not leave a partial

  And support 'make V=1' to show the full command line

  Closes #10497

- curl.1: make help, version and manual sections "custom"

  Instead of using "multi: boolean", as these are slightly special as in
  they do are not enable/disable ones.

  Fixes #10490
  Reported-by: u20221022 on github
  Closes #10497

Stefan Eissing (13 Feb 2023)

- tests: add tests for HTTP/2 and HTTP/3 to verify the header API

  Test 2403 and 2503 check "header_json" output and therefore use of
  header-api

  Closes #10495

Philip Heiduck (13 Feb 2023)

- CI: update wolfssl / wolfssh to 5.5.4 / 1.4.12

  Closes #10493

Daniel Stenberg (13 Feb 2023)

- KNOW_BUGS: cleanups with some changed to TODOs

  - remove "Excessive HTTP/2 packets with TCP_NODELAY"

    This is not a bug. Rather room for improvement.

  I believe these have been fixed:

  - 17.4 Connection failures with parallel HTTP/2
  - 17.5 HTTP/2 connections through HTTPS proxy frequently stall

  - remove "FTPS needs session reuse"

  That is still true, but curl should also do session reuse now.

  - remove "ASCII FTP"

  It is documented behavior, and not single user has asked for extended
  functionality here the last decade or so.

  - remove "Passive transfer tries only one IP address"

  add as a TODO

  - remove "DoH leaks memory after followlocation"

  With a recipe on how to reproduce, this is pointless to keep around

  - remove "DoH does not inherit all transfer options"

  add it as a TODO

  Closes #10487

Tatsuhiro Tsujikawa (13 Feb 2023)

- GHA: bump ngtcp2 workflow dependencies

  Closes #10494

Patrick Monnerat (13 Feb 2023)

- content_encoding: do not reset stage counter for each header

  Test 418 verifies

  Closes #10492

Daniel Stenberg (13 Feb 2023)

- RELEASE-NOTES: synced

Jay Satiro (13 Feb 2023)

- multi: stop sending empty HTTP/3 UDP datagrams on Windows

  - Limit the 0-sized send procedure that is used to reset a SOCKET's
    FD_WRITE to TCP sockets only.

  Prior to this change the reset was used on UDP sockets as well, but
  unlike TCP sockets a 0-sized send actually sends out a datagram.

  Assisted-by: Marc Hörsken

  Ref: https://github.com/curl/curl/pull/9203

  Fixes https://github.com/curl/curl/issues/9086
  Closes https://github.com/curl/curl/pull/10430

Viktor Szakats (12 Feb 2023)

- h3: silence compiler warnings

  Reviewed-by: Daniel Stenberg
  Fixes #10485
  Closes #10486

Daniel Stenberg (12 Feb 2023)

- smb: return error on upload without size

  The protocol needs to know the size ahead of time, this is now a known
  restriction and not a bug.

  Also output a clearer error if the URL path does not contain proper
  share.

  Ref: #7896
  Closes #10484

Viktor Szakats (12 Feb 2023)

- windows: always use curl's basename() implementation

  The `basename()` [1][2] implementation provided by mingw-w64 [3] makes
  assumptions about input encoding and may break with non-ASCII strings.

  `basename()` was auto-detected with CMake, autotools and since
  68fa9bf3f5d7b4fcbb57619f70cb4aabb79a51f6 (2022-10-13), also in
  `Makefile.mk` after syncing its behaviour with the mainline build
  methods. A similar patch for curl-for-win broke official Windows
  builds earlier, in release 7.83.1_4 (2022-06-15).

  This patch forces all Windows builds to use curl's internal
  `basename()` implementation to avoid such problems.

  [1]: https://pubs.opengroup.org/onlinepubs/9699919799/utilities/basename.html
  [2]: https://www.man7.org/linux/man-pages/man3/basename.3.html
  [3]: https://sourceforge.net/p/mingw-w64/mingw-w64/ci/master/tree/mingw-w64-c
  rt/misc/basename.c

  Reported-by: UnicornZhang on Github
  Assisted-by: Cherish98 on Github
  Reviewed-by: Daniel Stenberg

  Fixes #10261
  Closes #10475

Philip Heiduck (12 Feb 2023)

- Linux CI: Bump rustls-ffi to v0.9.1

  Closes #10476

Daniel Stenberg (12 Feb 2023)

- libtest: build lib2305 with multibyte as well

  Fixes a build regression.

  Follow-up to 5a9a04d5567
  Reported-by: Viktor Szakats
  Ref: https://github.com/curl/curl/pull/10475#issuecomment-1426831800

  Closes #10477

Dmitry Atamanov (12 Feb 2023)

- cmake: fix dev warning due to mismatched arg

  The package name passed to find_package_handle_standard_args (BROTLI)
  does not match the name of the calling package (Brotli). This can lead
  to problems in calling code that expects find_package result variables
  (e.g., _FOUND) to follow a certain pattern.

  Closes https://github.com/curl/curl/pull/10471

James Keast (11 Feb 2023)

- setopt: Address undefined behaviour by checking for null

  This addresses undefined behaviour found using clang's UBsan:

  curl/lib/setopt.c:177:14: runtime error: applying non-zero offset 1 to null p
  ointer
  SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior curl/lib/setopt.c:177
  :14 in

  Closes #10472

Jacob Hoffman-Andrews (11 Feb 2023)

- rustls: improve error messages

  Changes numeric error codes into verbose error codes in two places.
  Adds a prefix indicating that the error came from rustls, and in some
  places which function it came from.

  Adds special handling for RUSTLS_RESULT_UNEXPECTED_EOF, since the
  default message of "Unexpected EOF" is insufficiently explanatory.

  Closes #10463

Daniel Stenberg (11 Feb 2023)

- openssl: remove dead code

  Follow-up to e8b00fcd6a

  Due to the new 'if(!nonblocking)' check on the block a level above,
  there is no need to check for it again within the same conditional.

  Detected by Coverity

  Closes #10473

- ngtcp2: replace removed define and stop using removed function

  They were removed upstream.

  Reported-by: Karthikdasari0423 on github
  Fixes #10469
  Closes #10474

- scripts/delta: show percent of number of files changed since last tag

- RELEASE-NOTES: synced

Stefan Eissing (10 Feb 2023)

- pytest: add a test case for PUSH related things.

  - checking that "103 Early Hints" are visible in curl's header dump file

  Closes #10452

Gregory Panakkal (10 Feb 2023)

- WEBSOCKET.md: typo

  Fixing missing slash for ws protocol scheme

  Closes #10464

Stefan Eissing (10 Feb 2023)

- vquic: stabilization and improvements

  vquic stabilization
  - udp send code shared between ngtcp2 and quiche
  - quiche handling of data and events improved

  ngtcp2 and pytest improvements
  - fixes handling of "drain" situations, discovered in scorecard
    tests with the Caddy server.
  - improvements in handling transfers that have already  data or
    are already closed to make an early return on recv

  pytest
  - adding caddy tests when available

  scorecard improvemnts.
  - using correct caddy port
  - allowing tests for only httpd or caddy

  Closes #10451

Philip Heiduck (10 Feb 2023)

- Linux CI: update some dependecies to latest tag

  Closes #10458

Daniel Stenberg (10 Feb 2023)

- test2305: send 3 frames, 4097 bytes each, as one message

  Receive them using a 256 bytes buffer in a loop.

- ws: fix recv of larger frames

   + remove 'oleft' from the struct
   + deal with "overflow data" in a separate dynbuf

  Reported-by: Mike Duglas
  Fixes #10438
  Closes #10447

- curl/websockets.h: extend the websocket frame struct

- sws: fix typo, indentation add more ws logging

- test2304: remove stdout verification

  This cripples the test somewhat but the check was bad since depending on
  timing it could exit before the output was done, making the test flaky.

Dan Fandrich (9 Feb 2023)

- CI: Add more labeler match patterns

- CI: Retry failed downloads to reduce spurious failures

  A temporary error with a remote server shouldn't cause a CI run to fail.
  Also, put a cap on the time to download to fail faster on a misbehaving
  server or connection and use HTTP compression where possible to reduce
  download times.

Daniel Stenberg (9 Feb 2023)

- no-clobber.d: only use long form options in man page text

  ... since they are expanded and the short-form gets mentioned
  automatically so if the short form is mentioned as well, it gets
  repeated.

  Fixes #10461
  Closes #10462
  Reported-by: Dan Fandrich

- GHA: enable websockets in the torture job

  Closes #10448

- header.d: add a header file example

  Closes #10455

Stefan Eissing (9 Feb 2023)

- HTTP/[23]: continue upload when state.drain is set

  - as reported in #10433, HTTP/2 uploads may stall when a response is
    received before the upload is done. This happens when the
    data->state.drain is set for such a transfer, as the special handling
    in transfer.c from then on only cared about downloads.
  - add continuation of uploads, if applicable, in this case.
  - add pytest case test_07_12_upload_seq_large to reproduce this scenario
    (although, current nghttp2 implementation is using drain less often)

  Reported-by: Lucas Pardue

  Fixes #10433
  Closes #10443

- http2: minor buffer and error path fixes

  - use memory buffer in full available size
  - fail receive of reset/errored streams early

  pytest:
  - make test_05 error cases more reliable

  Closes #10444

Federico Pellegrin (9 Feb 2023)

- openldap: fix missing sasl symbols at build in specific configs

  If curl is built with openldap support (USE_OPENLDAP=1) but does not
  have also some other protocol (IMAP/SMTP/POP3) enabled that brings
  in Curl_sasl_* functions, then the build will fail with undefined
  references to various symbols:

  ld: ../lib/.libs/libcurl.so: undefined reference to `Curl_sasl_decode_mech'
  ld: ../lib/.libs/libcurl.so: undefined reference to `Curl_sasl_parse_url_auth
  _option'
  ld: ../lib/.libs/libcurl.so: undefined reference to `Curl_sasl_cleanup'
  ld: ../lib/.libs/libcurl.so: undefined reference to `Curl_sasl_can_authentica
  te'
  ld: ../lib/.libs/libcurl.so: undefined reference to `Curl_sasl_continue'
  ld: ../lib/.libs/libcurl.so: undefined reference to `Curl_sasl_start'
  ld: ../lib/.libs/libcurl.so: undefined reference to `Curl_sasl_init'

  This was tracked down to these functions bein used in openldap.c but
  defined in curl_sasl.c and then forward in two vauth/ files to have
  a guard against a set of #define configurations that was now extended
  to cover also this case.

  Example configuration targeted that could reproduce the problem:

  curl 7.87.1-DEV () libcurl/7.87.1-DEV .... OpenLDAP/2.6.3
  Protocols: file ftp ftps http https ldap ldaps

  Closes #10445

Daniel Stenberg (9 Feb 2023)

- ws: use %Ou for outputting curl_off_t with info()

  Reported-by: Mike Duglas
  Fixes #10439
  Closes #10441

Jay Satiro (9 Feb 2023)

- curl_setup: Disable by default recv-before-send in Windows

  Prior to this change a workaround for Windows to recv before every send
  was enabled by default. The way it works is a recv is called before
  every send and saves the received data, in case send fails because in
  Windows apparently that can wipe out the socket's internal received
  data buffer.

  This feature has led to several bugs because the way libcurl operates
  it waits on a socket to read or to write, and may not at all times
  check for buffered receive data.

  Two recent significant bugs this workaround caused:
  - Broken Schannel TLS 1.3 connections (#9431)
  - HTTP/2 arbitrary hangs (#10253)

  The actual code remains though it is disabled by default. Though future
  changes to connection filter buffering could improve the situation IMO
  it's just not tenable to manage this workaround.

  Ref: https://github.com/curl/curl/issues/657
  Ref: https://github.com/curl/curl/pull/668
  Ref: https://github.com/curl/curl/pull/720

  Ref: https://github.com/curl/curl/issues/9431
  Ref: https://github.com/curl/curl/issues/10253

  Closes https://github.com/curl/curl/pull/10409

Stefan Eissing (8 Feb 2023)

- http2: aggregate small SETTINGS/PRIO/WIN_UPDATE frames

  add a small buffer to nghttp2 session sending in order to aggregate
  small SETTINGS/PRIO/WIN_UPDATE frames that nghttp2 "writes" to the
  callback individually.

  Ref: #10389
  Closes #10432

- openssl: store the CA after first send (ClientHello)

  move Curl_ssl_setup_x509_store() call after the first send (ClientHello)
  this gives time to parse CA anchors while waiting on the server reply

  Ref: #10389
  Closes #10432

Daniel Stenberg (8 Feb 2023)

- RELEASE-NOTES: synced

Anthony Hu (8 Feb 2023)

- wolfssl: remove deprecated post-quantum algorithms

  Closes #10440

John Bampton (8 Feb 2023)

- misc: fix spelling

  Closes #10437

Daniel Stenberg (7 Feb 2023)

- man pages: call the custom user pointer 'clientp' consistently

  The variable had a few different names. Now try to use 'clientp'
  consistently for all man pages using a custom pointer set by the
  application.

  Reported-by: Gerrit Renker

  Fixes #10434
  Closes #10435

- vtls: infof using %.*s needs to provide the length as int

  Fixes a Coverity warning.

  Closes #10436

Stefan Eissing (7 Feb 2023)

- vrls: addressing issues reported by coverity

  I believe the code was secure before this, but limiting the accepted
  name length to what is used in the structures should help Coverity's
  analysis.

  Closes #10431

Daniel Stenberg (7 Feb 2023)

- tool_operate: move the 'updated' variable

  This was already done by Dan Fandrich in the previous PR but somehow I
  lost that fixup.

  Follow-up to 349c5391f2121e

Dan Fandrich (7 Feb 2023)

- tool_operate: Fix error codes during DOS filename sanitize

  It would return CURLE_URL_MALFORMAT in an OOM condition.

  Closes #10414

- tool_operate: Fix error codes on bad URL & OOM

  curl would erroneously report CURLE_OUT_OF_MEMORY in some cases instead
  of CURLE_URL_MALFORMAT. In other cases, it would erroneously return
  CURLE_URL_MALFORMAT instead of CURLE_OUT_OF_MEMORY.  Add a test case to
  test the former condition.

  Fixes #10130
  Closes #10414

Daniel Stenberg (6 Feb 2023)

- setopt: use >, not >=, when checking if uarg is larger than uint-max

  Closes #10421

- vtls: fix failf() format argument type for %.*s handling

  Reported by Coverity

  Closes #10422

- openssl: fix "Improper use of negative value"

  By getting the socket first and returning error in case of bad socket.

  Detected by Coverity.

  Closes #10423

Dan Fandrich (6 Feb 2023)

- packages: Remove Android.mk from makefile

  This was missed in commit #44141512

  Ref: #10418

Daniel Stenberg (6 Feb 2023)

- curl_ws_send.3: clarify how to send multi-frame messages

Mike Duglas (6 Feb 2023)

- ws: fix multiframe send handling

  Fixes #10413
  Closes #10420

Daniel Stenberg (6 Feb 2023)

- unit2600: make sure numerical curl_easy_setopt sets long

  Follow-up to 671158242db3203

  Reported-by: Marcel Raad
  Fixes #10410
  Closes #10419

Andy Alt (6 Feb 2023)

- GHA: move Slackware test into matrix

  Closes #10412

Pronyushkin Petr (6 Feb 2023)

- urlapi: fix part of conditional expression is always true: qlen

  Closes #10408

- url: fix part of conditional expression is always true

  Closes #10407

Daniel Stenberg (6 Feb 2023)

- RELEASE-NOTES: synced

Philip Heiduck (6 Feb 2023)

- GHA/macos.yml: bump to gcc-12

  Closes #10415

Daniel Stenberg (6 Feb 2023)

- packages: remove Android, update README

  - Nobody builds curl for Android using this anymore
  - Refreshed the README and converted to markdown

  Reported-by: John Porter
  Fixes #10416
  Closes #10418

Kvarec Lezki (5 Feb 2023)

- fopen: remove unnecessary assignment

  [CWE-1164] V1048: The '* tempname' variable was assigned the same value.

  Ref: https://pvs-studio.com/en/docs/warnings/v1048/

  Closes https://github.com/curl/curl/pull/10398

Gisle Vanem (5 Feb 2023)

- libtest: add a sleep macro for Windows

  .. because sleep() is used in some libtests.

  Closes https://github.com/curl/curl/pull/10295

Kvarec Lezki (3 Feb 2023)

- http_aws_sigv4: remove typecasts from HMAC_SHA256 macro

  V220: Suspicious sequence of types castings: memsize -> 32-bit integer -> mem
  size.

  https://pvs-studio.com/en/docs/warnings/v220/

  Closes #10400

Daniel Stenberg (3 Feb 2023)

- mailmap: Thomas1664 on github

Thomas1664 on github (3 Feb 2023)

- CURLOPT_WRITEFUNCTION.3: fix memory leak in example

  Closes #10390

Kvarec Lezki (3 Feb 2023)

- doh: ifdef IPv6 code

  For disabled IPv6 a condition (conn->ip_version != CURL_IPRESOLVE_V4) is
  always false. https://pvs-studio.com/en/docs/warnings/v560/

  Closes #10397

Daniel Stenberg (3 Feb 2023)

- urlapi: remove pathlen assignment

  "Value stored to 'pathlen' is never read"

  Follow-up to 804d5293f89

  Reported-by: Kvarec Lezki

  Closes #10405

Kvarec Lezki (3 Feb 2023)

- http: fix "part of conditional expression is always false"

  [CWE-570] V560: A part of conditional expression is always false: conn->bits.
  authneg.
  [CWE-570] V560: A part of conditional expression is always false: conn->handl
  er->protocol & (0 | 0).

  https://pvs-studio.com/en/docs/warnings/v560/

  Closes #10399

Daniel Stenberg (2 Feb 2023)

- urlapi: skip the extra dedotdot alloc if no dot in path

  Saves an allocation for many/most URLs.

  Updates test 1395 accordingly

  Closes #10403

Stefan Eissing (2 Feb 2023)

- connections: introduce http/3 happy eyeballs

  New cfilter HTTP-CONNECT for h3/h2/http1.1 eyeballing.
  - filter is installed when `--http3` in the tool is used (or
    the equivalent CURLOPT_ done in the library)
  - starts a QUIC/HTTP/3 connect right away. Should that not
    succeed after 100ms (subject to change), a parallel attempt
    is started for HTTP/2 and HTTP/1.1 via TCP
  - both attempts are subject to IPv6/IPv4 eyeballing, same
    as happens for other connections
  - tie timeout to the ip-version HAPPY_EYEBALLS_TIMEOUT
  - use a `soft` timeout at half the value. When the soft timeout
    expires, the HTTPS-CONNECT filter checks if the QUIC filter
    has received any data from the server. If not, it will start
    the HTTP/2 attempt.

  HTTP/3(ngtcp2) improvements.
  - setting call_data in all cfilter calls similar to http/2 and vtls filters
    for use in callback where no stream data is available.
  - returning CURLE_PARTIAL_FILE for prematurely terminated transfers
  - enabling pytest test_05 for h3
  - shifting functionality to "connect" UDP sockets from ngtcp2
    implementation into the udp socket cfilter. Because unconnected
    UDP sockets are weird. For example they error when adding to a
    pollset.

  HTTP/3(quiche) improvements.
  - fixed upload bug in quiche implementation, now passes 251 and pytest
  - error codes on stream RESET
  - improved debug logs
  - handling of DRAIN during connect
  - limiting pending event queue

  HTTP/2 cfilter improvements.
  - use LOG_CF macros for dynamic logging in debug build
  - fix CURLcode on RST streams to be CURLE_PARTIAL_FILE
  - enable pytest test_05 for h2
  - fix upload pytests and improve parallel transfer performance.

  GOAWAY handling for ngtcp2/quiche
  - during connect, when the remote server refuses to accept new connections
    and closes immediately (so the local conn goes into DRAIN phase), the
    connection is torn down and a another attempt is made after a short grace
    period.
    This is the behaviour observed with nghttpx when we tell it to  shut
    down gracefully. Tested in pytest test_03_02.

  TLS improvements
  - ALPN selection for SSL/SSL-PROXY filters in one vtls set of functions, repl
  aces
    copy of logic in all tls backends.
  - standardized the infof logging of offered ALPNs
  - ALPN negotiated: have common function for all backends that sets alpn propr
  ty
    and connection related things based on the negotiated protocol (or lack the
  reof).

  - new tests/tests-httpd/scorecard.py for testing h3/h2 protocol implementatio
  n.
    Invoke:
      python3 tests/tests-httpd/scorecard.py --help
    for usage.

  Improvements on gathering connect statistics and socket access.
  - new CF_CTRL_CONN_REPORT_STATS cfilter control for having cfilters
    report connection statistics. This is triggered when the connection
    has completely connected.
  - new void Curl_pgrsTimeWas(..) method to report a timer update with
    a timestamp of when it happend. This allows for updating timers
    "later", e.g. a connect statistic after full connectivity has been
    reached.
  - in case of HTTP eyeballing, the previous changes will update
    statistics only from the filter chain that "won" the eyeballing.
  - new cfilter query CF_QUERY_SOCKET for retrieving the socket used
    by a filter chain.
    Added methods Curl_conn_cf_get_socket() and Curl_conn_get_socket()
    for convenient use of this query.
  - Change VTLS backend to query their sub-filters for the socket when
    checks during the handshake are made.

  HTTP/3 documentation on how https eyeballing works.

  TLS improvements
  - ALPN selection for SSL/SSL-PROXY filters in one vtls set of functions, repl
  aces
    copy of logic in all tls backends.
  - standardized the infof logging of offered ALPNs
  - ALPN negotiated: have common function for all backends that sets alpn propr
  ty
    and connection related things based on the negotiated protocol (or lack the
  reof).

  Scorecard with Caddy.
  - configure can be run with `--with-test-caddy=path` to specify which caddy t
  o use for testing
  - tests/tests-httpd/scorecard.py now measures download speeds with caddy

  pytest improvements
  - adding Makfile to clean gen dir
  - adding nghttpx rundir creation on start
  - checking httpd version 2.4.55 for test_05 cases where it is needed. Skippin
  g with message if too old.
  - catch exception when checking for caddy existance on system.

  Closes #10349

Daniel Stenberg (2 Feb 2023)

- CODEOWNERS: remove the peeps mentioned as CI owners

  These owners do not have the bandwidth/energy to do the reviews which
  makes PRs stall and this ownership claim flawed. We can bring people
  back when the situation is different.

  Follow-up to c04c78ac87c4d46737934345a

  Closes #10386

Martin D'Aloia (2 Feb 2023)

- write-out.d: add 'since version' to %{header_json} documentation

  The documentation of `%{header_json}` missed to mention since which
  version this variable for `--write-out` is present.

  Based on commit https://github.com/curl/curl/commit/4133a69f2daa476bb
  we can determine from the tags were this commit is present that the
  first version to include it was `7.83.0`.
  This could be also checked with:
  `git tag --contains 4133a69f2daa476bb6d902687f1dd6660ea9c3c5`

  Closes #10395

Daniel Stenberg (1 Feb 2023)

- urlapi: avoid Curl_dyn_addf() for hex outputs

  Inspired by the recent fixes to escape.c, we should avoid calling
  Curl_dyn_addf() in loops, perhaps in particular when adding something so
  simple as %HH codes - for performance reasons. This change makes the
  same thing for the URL parser's two URL-encoding loops.

  Closes #10384

- urlapi: skip path checks if path is just "/"

  As a miniscule optimization, treat a path of the length 1 as the same as
  non-existing, as it can only be a single leading slash, and that's what
  we do for no paths as well.

  Closes #10385

Philip Heiduck (1 Feb 2023)

- GHA/macos: use Xcode_14.0.1 for cmake builds

  Fixes #10356
  Closes #10381

Viktor Szakats (1 Feb 2023)

- tls: fixes for wolfssl + openssl combo builds

  1. Add `USE_WOLFSSL` to the TLS backend priority list in
     `lib/curl_ntlm_core.c`.

  2. Fix `lib/curl_ntlm_core.h` to respect TLS backend priority, bringing
     it in sync with the above list and `lib/curl_ntlm_core.c` itself.

     Reported-by: Mark Roszko
     Ref: https://github.com/curl/curl/issues/10321

  3. Allow enabling both wolfSSL and OpenSSL at the same time in
     `lib/Makefile.mk` bringing this in line with cmake/autotools builds.
     Update logic to select the crypto-specific lib for `ngtcp2`, which
     supports a single TLS backend at the same time.

  Closes #10322

Daniel Stenberg (1 Feb 2023)

- RELEASE-NOTES: synced

- docs/INSTALL: document how to use multiple TLS backends

  And document how OpenSSL forks and wolfSSL cannot be used at the same
  time.

  Reported-by: Mark Roszko
  Fixes #10321
  Closes #10382

Kvarec Lezki (1 Feb 2023)

- cookies: fp is always not NULL

  Closes #10383

Daniel Stenberg (31 Jan 2023)

- escape: use table lookup when adding %-codes to output

  On my dev host, this code runs 7.8 times faster.

  Closes #10377

- unit2600: avoid error: ‘TEST_CASES’ defined but not used

  Follow-up to d55de24dce9d51

  Closes #10379

- escape: hex decode with a lookup-table

  Makes the decoding 2.8 times faster in my tests.

  Closes #10376

- cf-socket: fix build error wo TCP_FASTOPEN_CONNECT

  Follow-up to 5651a36d1a

  Closes #10378

  Reviewed-by: Stefan Eissing

Stefan Eissing (31 Jan 2023)

- CI: add pytest github workflow to CI test/tests-httpd on a HTTP/3 setup

  Closes #10317

- connect: fix strategy testing for attempts, timeouts and happy-eyeball

  - add test2600 as a unit test that triggers various connect conditions
    and monitors behaviour, available in a debug build only.

  - this exposed edge cases in connect.c that have been fixed

  Closes #10312

- cf-socket: improvements in socket I/O handling

  - Curl_write_plain/Curl_read_plain have been eliminated. Last code use
    now uses Curl_conn_send/recv so that requests use conn->send/revc
    callbacks which defaults to cfilters use.
  - Curl_recv_plain/Curl_send_plain have been internalized in cf-socket.c.
  - USE_RECV_BEFORE_SEND_WORKAROUND (active on Windows) has been moved
    into cf-socket.c. The pre_recv buffer is held at the socket filter
