                                  _   _ ____  _
                              ___| | | |  _ \| |
                             / __| | | | |_) | |
                            | (__| |_| |  _ <| |___
                             \___|\___/|_| \_\_____|

                                  Changelog

Version 8.8.0 (22 May 2024)

Daniel Stenberg (22 May 2024)

- RELEASE-NOTES: synced

- THANKS: add contributors from 8.8.0

Nathan Moinvaziri (21 May 2024)

- url: remove duplicate call to Curl_conncache_remove_conn when pruning

  - remove unnecessary prunedead struct from prune_dead_connections
  - rename extract_if_dead to prune_if_dead for clarity

  Closes #13710

Joseph Chen (21 May 2024)

- curl_setup.h: add support for IAR compiler

  Closes #13728

Stephen Farrell (21 May 2024)

- docs/ECH: typo/clarification

  Closes #13727

Viktor Szakats (21 May 2024)

- hash: delete unused debug function

  It had no use in the curl codebase and was also protected by the macro
  `AGGRESSIVE_TEST` (renamed in 2020), also with no local reference.

  Added in ca6e77083768858aa34207f8c5dce38b3c05336d (2002-11-11)

  Closes #13729

Stefan Eissing (21 May 2024)

- content_encoding: reject transfer-encoding after chunked

  reject a response that applies a transfer-encoding after a 'chunked'
  encoding. RFC 9112 ch. 6.1 required chunked to be the final encoding.

  Closes #13733

- http: HEAD response body tolerance

  - as reported in #13725, some servers wrongly send body bytes in
    responses to a HEAD request. This used to be tolerated in curl
    8.4 and before and leads to failed transfers in newer versions.
  - restore previous behaviour for HTTP/1.1 and HTTP/2:
    * 1.1: do not add 'Transfer-Encoding' writers from HEAD
      responses. RFC 9112 says they do not apply.
    * 2: when the transfer expects 'no_body', to not report stream
      resets as error when all response headers have been received.

  Reported-by: Jeroen Ooms
  Fixes #13725
  Closes #13732

Viktor Szakats (20 May 2024)

- tests: fix TFTP test 2305 on Windows

  Ref: #13692
  Closes #13724

Jay Satiro (20 May 2024)

- openssl: revert keylog_callback support for LibreSSL

  - Revert to the legacy TLS 1.2 key logging code for LibreSSL.

  - Document SSLKEYLOGFILE for LibreSSL is TLS 1.2 max.

  Prior to this change if the user specified a filename in the
  SSLKEYLOGFILE environment variable and was using LibreSSL 3.5.0+ then
  an empty file would be created and no keys would be logged.

  This is effectively a revert of e43474b4 which changed openssl.c to use
  SSL_CTX_set_keylog_callback for LibreSSL 3.5.0+. Unfortunately LibreSSL
  added that function only as a stub that doesn't actually do anything.

  Reported-by: Gonçalo Carvalho

  Fixes https://github.com/curl/curl/issues/13672
  Closes https://github.com/curl/curl/pull/13682

renovate[bot] (19 May 2024)

- GHA: pin dependencies

  Closes #13712

Viktor Szakats (19 May 2024)

- appveyor: drop unnecessary `--clean-first` cmake option

  In CI all machines are fresh on startup, making the `clean` operation
  unnecessary. This can save some time/energy for each job run.

  Closes #13707

- cmake: merge two `if(BUILD_TESTING)` branches

  Closes #13708

Tatsuhiro Tsujikawa (19 May 2024)

- GHA: bump nghttp2 to v1.62.1

  Use gcc-12 explicitly to compile C++20 source files.

  Closes #13702

Viktor Szakats (19 May 2024)

- GHA: add NetBSD, OpenBSD, FreeBSD/arm64 and OmniOS jobs

  Add these jobs to GHA:
  - NetBSD, cmake-unity, clang, OpenSSL, x86_64, with tests, w/o python,
    no parallelism (was flaky sometimes)
  - OpenBSD, cmake-unity, clang, LibreSSL, x86_64, with tests,
    with python, -j8, TFTP results ignored due to #13623.
  - FreeBSD, cmake-unity and autotools, clang, OpenSSL, arm64
    (Tests disabled for arm64, because they are slow. It's available for
    x86_64 with python, -j12.)
    Configuration matches our existing Cirrus CI one.
  - OmniOS, autotools, gcc, OpenSSL, x86_64, with tests, -j12.

  All build with websockets and examples.

  Closes #13583

- GHA: disable TFTP test on native Windows

  Some TFTP tests seem to enter into a loop and maybe hang?

  E.g. 1007, 1009, 1238

  Try fixing it by skipping all TFTP tests.

  Ref: https://github.com/curl/curl/actions/runs/9141987545/job/25137038249?pr=
  13698

  Also drop mingw-w64 test exclusions copy-pasted from MSYS jobs.

  Possibly related: cffbcc3110c1eda2e333f9cfe2e269154618793a #5364

  Close #13699

renovate[bot] (18 May 2024)

- GHA: pin dependencies

  Closes #13691

Viktor Szakats (18 May 2024)

- cmake: do not pass linker flags to the static library tool

  Do not add linker flags to the global CMake static library tool (aka
  "static linker") (e.g. `ar`) flags list. They don't mix well. This was
  only done after successfully detecting GSSAPI.

  Linker flags seen on Old Linux CI:
  ```
  -- |GSS_LINKER_FLAGS|-Wl,--enable-new-dtags -Wl,-rpath -Wl,/usr/lib/x86_64-li
  nux-gnu/heimdal|
  -- |CMAKE_STATIC_LINKER_FLAGS| -Wl,--enable-new-dtags -Wl,-rpath -Wl,/usr/lib
  /x86_64-linux-gnu/heimdal|
  ```
  Ref: https://github.com/curl/curl/actions/runs/9138988036/job/25130791712#ste
  p:6:85

  Causing:
  ```
  /usr/bin/ar qc libcurltool.a  -Wl,--enable-new-dtags -Wl,-rpath -Wl,/usr/lib/
  x86_64-linux-gnu/heimdal
    CMakeFiles/curltool.dir/slist_wc.c.o CMakeFiles/curltool.dir/tool_binmode.c
  .o CMakeFiles/curltool.dir/tool_bname.c.o
    [...]
    CMakeFiles/curltool.dir/tool_writeout_json.c.o CMakeFiles/curltool.dir/tool
  _xattr.c.o CMakeFiles/curltool.dir/var.c.o
    CMakeFiles/curltool.dir/__/lib/base64.c.o CMakeFiles/curltool.dir/__/lib/dy
  nbuf.c.o
  /usr/bin/ar: invalid option -- 'W'
  Usage: /usr/bin/ar [emulation options] [-]{dmpqrstx}[abcDfilMNoPsSTuvV] [--pl
  ugin <name>] [member-name] [count] archive-file file...
         /usr/bin/ar -M [<mri-script]
  ```
  Ref: https://github.com/curl/curl/actions/runs/9138988036/job/25130791712#ste
  p:9:125

  This problem is invisible at the moment because of another bug (#13698)
  that misses building unit tests when not using either the
  `ENABLE_DEBUG=ON` or `ENABLE_CURLDEBUG=ON` options (to set
  `-DCURLDEBUG`):
  ```
  test 1300 SKIPPED: curl lacks unittest support
  ```
  Ref: https://github.com/curl/curl/actions/runs/9135571781/job/25123104557#ste
  p:9:2883

  With that fixed, this becomes the next issue.

  It's possible this bug also required an older CMake version and/or
  a specific OS environment which uses linker flags in GSSAPI that are not
  playing well with `ar` options, to reproduce.

  Follow-up to 558814e16d84aa202c5ccc0c8108a9d728e77a58 (2014-09-25)
  Ref: #13698
  Closes #13697

- GHA: ignore flaky test2302 results on Windows

  WebSockets:
  ```
  TESTFAIL: These test cases failed: 2302
  ```
  Ref: https://github.com/curl/curl/actions/runs/9139155361/job/25131144383?pr=
  13689#step:14:9892

  Follow-up to 36fd2dd6ee874726c628e67fcf6415a2e52bfe29 #13599
  Ref: #13692
  Closes #13696

- GHA: add MSYS, mingw-w64, Cygwin jobs

  - re-implement autotools MSYS and Cygwin AppVeyor jobs in GHA.
    Now build with SSL and PSL to improve test coverage.
  - re-implement MSYS2 mingw-w64 gcc 13 AppVeyor job in GHA.
    `CMake, mingw-w64, gcc 13, Debug, x64, Schannel, Static, Unicode`
  - add new cmake Cygwin job (build-only).
  - enable `-j14` parallelism when running tests.
  - delete the 5 migrated jobs from AppVeyor CI.
  - add 2 build-only mingw-w64 builds, gcc Release and clang OpenSSL.
  - also enable brotli, libssh2, nghttp2 for more test coverage.

  These jobs offer better performance, more flexibility and
  parallelization compared to the AppVeyor ones they replace. It also
  offloads AppVeyor, allowing to iterate faster. They also appear more
  reliable than e.g. Azure Windows jobs, where runners are prone to fail
  [1].

  Closes #13599

  [1]:
  `Exit code 143 returned from process: file name 'C:\Windows\system32\docker.E
  XE',
  arguments 'exec -i   6b13a669c6dfe7fb9f59414369872fd64d61c7182f880c3d39c135cb
  4c115c8f
  C:\__a\externals\node\bin\node.exe C:\__w\_temp\containerHandlerInvoker.js'.`

Stefan Eissing (17 May 2024)

- pytest: fixes for recent python, add FTP tests

  Fixes:
  - in uds tests, abort also silently on os errors
  - be conservative on the h3 goaway duration
  - detect curl debug build and use in checks
  - fix caddy version check for slight difference under linux
  - set caddy default path fitting for linux
  - fix deprecation warnings in valid time checks

  FTP tests:
  - add '--with-test-vsftpd=path' to configure
  - use vsftpd default path suitable for linux
  - add test_30 with plain FTP tests
  - add test_31 with --ssl-reqd FTP tests
  - add vsftpd to linux GHA for pytest workflows

  Closes #13661

- rustls: fix handshake done handling

  - rustls report it has finished the TLS handshake *before*
    all relevant data has been sent off, e.g. it FINISHED message
  - On connections the send data immediately, this was never noticed
    as the FINISHED in rustls buffers was send with the app data
  - On passive FTP connections, curl does not send any data after
    the handshake, leaving FINISHED unsent and the server never
    responded as it was waiting on this.

  Closes #13686

Daniel Stenberg (17 May 2024)

- x509asn1: return error on missing OID

  to avoid crash when dereferencing a NULL pointer.

  Reported-by: Trzik on github
  Patch-by: Trzik on github
  Fixes #13684
  Closes #13685

- CURLOPT_WRITEFUNCTION.md: fix the callback proto in the example

  Reported-by: Michael Litwak
  Fixes #13681
  Closes #13687

Viktor Szakats (17 May 2024)

- src: tidy up types, add necessary casts

  Cherry-picked from #13489
  Closes #13614

- lib: fix compiler warnings (gcc)

  Seen when setting `ENABLE_DEBUG=ON` and `-DDEBUGBUILD` for mingw-w64
  gcc 13.2.0 CMake unity builds in 'Release' configurations.

  ```
  curl/lib/curl_gethostname.c:71:5: error: 'strncpy' specified bound 1025 equal
  s destination size [-Werror=stringop-truncation]
     71 |     strncpy(name, force_hostname, namelen);
        |     ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
  In file included from curl/_bld/lib/CMakeFiles/libcurl_object.dir/Unity/unity
  _0_c.c:175:
  In function 'hostcache_timestamp_remove',
      inlined from 'Curl_hash_clean_with_criterium' at curl/lib/hash.c:265:19,
      inlined from 'Curl_hash_clean_with_criterium' at curl/lib/hash.c:247:1,
      inlined from 'hostcache_prune' at curl/lib/hostip.c:228:3,
      inlined from 'Curl_hostcache_prune' at curl/lib/hostip.c:256:21:
  curl/lib/hostip.c:205:12: error: 'now' may be used uninitialized [-Werror=may
  be-uninitialized]
    205 |     time_t age = prune->now - c->timestamp;
        |            ^~~
  curl/lib/hostip.c: In function 'Curl_hostcache_prune':
  curl/lib/hostip.c:241:10: note: 'now' was declared here
    241 |   time_t now;
        |          ^~~
  In function 'hostcache_timestamp_remove',
      inlined from 'fetch_addr' at curl/lib/hostip.c:310:8:
  curl/lib/hostip.c:205:23: error: 'user.now' may be used uninitialized [-Werro
  r=maybe-uninitialized]
    205 |     time_t age = prune->now - c->timestamp;
        |                  ~~~~~^~~~~
  curl/lib/hostip.c: In function 'fetch_addr':
  curl/lib/hostip.c:304:33: note: 'user' declared here
    304 |     struct hostcache_prune_data user;
        |                                 ^~~~
  In file included from curl/_bld/lib/CMakeFiles/libcurl_object.dir/Unity/unity
  _0_c.c:40:
  curl/lib/cf-socket.c: In function 'cf_socket_send':
  curl/lib/cf-socket.c:1294:10: error: 'c' may be used uninitialized [-Werror=m
  aybe-uninitialized]
   1294 |     if(c >= ((100-ctx->wblock_percent)*256/100)) {
        |        ~~^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
  curl/lib/cf-socket.c:1292:19: note: 'c' was declared here
   1292 |     unsigned char c;
        |                   ^
  In file included from curl/_bld/lib/CMakeFiles/libcurl_object.dir/Unity/unity
  _0_c.c:364:
  In function 'tftp_state_timeout',
      inlined from 'tftp_multi_statemach' at curl/lib/tftp.c:1230:27:
  curl/lib/tftp.c:1208:5: error: 'current' may be used uninitialized [-Werror=m
  aybe-uninitialized]
   1208 |   if(current > state->rx_time + state->retry_time) {
        |     ^
  curl/lib/tftp.c: In function 'tftp_multi_statemach':
  curl/lib/tftp.c:1192:10: note: 'current' was declared here
   1192 |   time_t current;
        |          ^~~~~~~
  ```
  Ref: https://ci.appveyor.com/project/curlorg/curl/builds/49792835/job/91c8dj5
  qb36spfe0#L112
  Ref: https://github.com/curl/curl/actions/runs/9082968838/job/24960616145#ste
  p:12:62

  Ref: #13592
  Closes #13643

Andrew (16 May 2024)

- wakeup_create: use FD_CLOEXEC/SOCK_CLOEXEC

  for `pipe()`/`socketpair()`

  Fixes #13618
  Closes #13625

Stefan Eissing (16 May 2024)

- rustls: fix partial send handling

  When TLS bytes could not completely sent off, the amount of plain bytes
  already added to rustls were forgotten. This lead to send those byte
  duplicate, corrupting the request send to the server.

  Closes #13676

- pytest: add DELETE tests, check server version

  - add tests for DELETE working
  - check apache version in keepalive test
  - fix some comments

  Closes #13679

Juliusz Sosinowicz (16 May 2024)

- vquic-tls: use correct cert name check API for wolfSSL

  wolfSSL_X509_check_host checks the peer name against the alt names and
  the common name.

  Fixes #13487
  Closes #13680

Viktor Szakats (16 May 2024)

- cmake: initialize `BUILD_TESTING` before first use

  Before this patch `BUILD_TESTING` was used once, then initialized, then
  used again. This caused the `curlu` library not being built when relying
  on an implicit `BUILD_TESTING=ON` setting, and ending up with a link
  error when building the `testdeps` target.

  It did not cause issues when `BUILD_TESTING` was explicitly set.

  Move the initialization before the first use to fix it.

  Regression from aace27b0965c10394544d1dacc9c2cb2fe0de3d3 #12287
  Closes #13668

Daniel Stenberg (16 May 2024)

- libtest: 2308 verifies CURLE_WRITE_ERROR after write callback error

  Verifies that the issue in #13669 actually is fixed. This return code is
  what the CURLOPT_WRITEFUNCTION manpage documents should be returned.

  This code is mostly from the
  Source-written-by: Trumeet on github
  Closes #13671

Antoine Bollengier (16 May 2024)

- socketpair: fix compilation when USE_UNIX_SOCKETS is not defined

  Closes #13666

Stefan Eissing (16 May 2024)

- rustsls: fix error code on receive

  - use CURLE_RECV_ERROR instead of CURLE_READ_ERROR when receiving
    data fails.

  Closes #13670

Max Dymond (16 May 2024)

- ci: disable Renovate dashboard

  The Renovate dashboard insists on an open issue,
  which is a problem. Disable the dashboard. Status
  can still be seen at https://developer.mend.io/github/curl/curl.

  Fixes #13630
  Closes #13673

Daniel Stenberg (16 May 2024)

- RELEASE-NOTES: synced

renovate[bot] (16 May 2024)

- GHA: update awslabs/aws-lc to v1.27.0

  Closes #13667

Daniel Stenberg (15 May 2024)

- curl_easy_pause.md: use correct defines in example

  Spotted-by: Harry Sintonen
  Closes #13664

Viktor Szakats (15 May 2024)

- appveyor: more tidy-ups

  - use `--disable` when calling `curl --version`. Just in case.

  - use single-quotes for a constant.

  Closes #13662

- reuse: migrate standalone license file to dep5

  Follow-up to 73a36021207284ad2b4340ffde34a51b0ba4d47a
  Closes #13660

- appveyor: guard against crash-build with VS2008

  The combination of `-DDEBUGBUILD`, a shared `curl.exe`, and the VS2008
  compiler creates a `curl.exe` segfaulting on startup:

  ```
  + _bld/src/curl.exe --version
  ./appveyor.sh: line 122:   793 Segmentation fault      "${curl}" --version
  Command exited with code 139
  ```
  Ref: https://ci.appveyor.com/project/curlorg/curl/builds/49817266/job/651iy6q
  n1e238pqj#L191

  Add job that triggers the issue and add the necessary logic to skip
  running the affected `curl.exe`.

  Ref: #13592
  Closes #13654

renovate[bot] (15 May 2024)

- GHA: pin dependencies

  Closes #13628

Orgad Shaneh (15 May 2024)

- socket: remove redundant call to getsockname

  The result "add" is unused.

  Closes #13655

renovate[bot] (15 May 2024)

- CI: renovate updates

  - GHA: update actions/checkout action to v4
  - GHA: update wolfSSL/wolfssh to v1.4.17
  - GHA: update wolfSSL/wolfssl to v5.7.0
  - Update the regex config in renovate.json

  Closes #13632
  Closes #13641
  Closes #13658
  Closes #13659

Max Dymond (15 May 2024)

- ci: fix renovate config for WolfSSL/WolfSSH tagging scheme

  WolfSSL/WolfSSH use a different versioning scheme;
  stable builds end with `-stable`. Renovate requires
  some extra configuration to extract the version
  from these types of tags.

  Closes #13644

- ci: set semantic type as CI and include digests as CI operations

  Replace "chore" with "ci" for renovate's semantic
  type, and include digests with "pin" and
  "pinDigest" as ci operations.

  Closes #13644

Daniel Stenberg (15 May 2024)

- DEPRECATE.md: TLS libraries without 1.3 support

  curl drops support for TLS libraries without TLS 1.3 capability after
  May 2025.

  It requires that a curl build using the library should be able to
  negotiate and use TLS 1.3, or else it is not good enough. We support a
  vast amount of other TLS libraries that are likely to satisfy users
  better.

  Closes #13544

- Revert "ci: update nghttp2/nghttp2 to v1.62.0"

  This reverts commit 14f2c767555b7598d7783ccd9093670b84d28488.

  We need to also upgrade the C++ compiler for that bump to work.

  Closes #13656

renovate[bot] (15 May 2024)

- Dockerfile: update debian digest to 911821c

  Closes #13629

- ci: update gnutls/gnutls to v3.8.5

  Closes #13640

- ci: update awslabs/aws-lc to v1.26.0

  Closes #13647

- ci: update cloudflare/quiche to v0.21.0

  Closes #13648

- ci: update libressl-portable/portable to v3.9.2

  Closes #13649

- ci: update nghttp2/nghttp2 to v1.62.0

  Closes #13650

- ci: update ngtcp2/nghttp3 to v1.3.0

  Closes #13651

- ci: update ngtcp2/ngtcp2 to v1.5.0

  Closes #13652

Max Dymond (14 May 2024)

- ci: handle git submodules for mbedTLS

- ci: reconfigure renovate

  - set prefix for github actions updates to be gha:
  - set prefix for other renovate actions to be ci:
  - disable debian updates in linux-old.yml

Viktor Szakats (14 May 2024)

- tidy-up: whitespace [ci skip]

- warnless: delete orphan declarations

  Follow-up to 358f7e757781857c4b498a68634726609fa3884a #11932
  Closes #13639

Daniel Stenberg (14 May 2024)

- BUG-BOUNTY.md: clarify the third party situation

  We do not pay bounties for problems in other libraries.

  Closes #13560

Stefan Eissing (14 May 2024)

- http tests: in CI skip test_02_23* for quiche

  For unknown reasons, these tests fail in CI often, but run fine locally.
  Skip them in CI to avoid unrelated PRs to have failures.

  Closes #13638

Daniel Gustafsson (14 May 2024)

- hsts: explicitly skip blank lines

  Keep blank lines or lines containing only whitespace to make it all
  the way to the more expensive sscanf call in hsts_add.

  Closes: #13603
  Reviewed-by: Daniel Stenberg <daniel@haxx.se>

- autotools: Only probe for SGI MIPS compilers on IRIX

  MIPSPro and the predecessor compiler which was part of the IDO (IRIS
  Development Option) were only ever shipped on the SGI IRIX operating
  system (with MIPSPro on 6.0+ which was released in 1994).  Limit the
  autoconf check to IRIX when probing for these compilers to save some
  cycles on other platforms.

  Closes: #13611
  Reviewed-by: Daniel Stenberg <daniel@haxx.se>

Viktor Szakats (14 May 2024)

- tests: fix test 1167 to skip digit-only symbols

  This avoids mistaking symbols with their numeric value when using
  certain C preprocessors which output these numeric values at the
  beginning of the line as part of an expression.

  Seen on OpenBSD 7.5 + clang.

  Example `test1167.pl -v` output, before this patch:
  ```
  Source: cpp /home/runner/work/curl/curl/tests/../include/curl/curl.h
  Symbol: 20000
  Line #3835:   20000 +  142,
  [...]
  Bad symbols in public header files:
     20000
     [...]
  ```
  Ref: https://github.com/curl/curl/actions/runs/9069136530/job/24918015357#ste
  p:3:7513

  Ref: #13583
  Closes #13634

Daniel Stenberg (14 May 2024)

- lib: call Curl_strntolower instead of doing crafted loops

  Closes #13627

- setopt: acknowledge errors proper for CURLOPT_COOKIEJAR

  Error out on error, do not continue.

  Closes #13624

- vtls: remove duplicate assign

  Curl_ssl_peer_cleanup() already clears the ->sni field, no point in
  assigning it again.

  Spotted by CodeSonar

  Closes #13626

Max Dymond (13 May 2024)

- Group all non-major updates together to reduce PR spam

- Add the remainder of the workflows

- Add some basic versioning for some workflows to check whether this is detecte
  d properly

renovate[bot] (13 May 2024)

- Add renovate.json

Daniel Stenberg (13 May 2024)

- vauth: make two functions void that always just returned OK

  Removes the need to check return values when they can never fail.

  Pointed out by CodeSonar

  Closes #13621

- setopt: remove check for 'option' that is always true

  - make sure that passing in option set to NULL clears the fields
    correctly

  - remove the weird second take if Curl_parse_login_details() returns
    error

  Follow-up to 7333faf00bf25db7cd1e0012d6b140

  Spotted by CodeSonar

  Closes #13619

Viktor Szakats (13 May 2024)

- tests: tidy up types in server code

  Cherry-picked from #13489
  Closes #13610

Daniel Stenberg (13 May 2024)

- setopt: make the setstropt_userpwd args compulsory

  They were always used so no point in allowing them to be optional.

  follow-up to 0e37b42dc956bd8a

  Closes #13608
  Reviewed-by: Daniel Gustafsson

- RELEASE-NOTES: synced

Daniel Gustafsson (13 May 2024)

- websocket: Avoid memory leak in error path

  In the errorpath for randstr being too long to copy into the buffer
  we leak the randstr when returning CURLE_FAILED_INIT.  Fix by using
  an explicit free on randstr in the errorpath.

  Closes: #13602
  Reviewed-by: Daniel Stenberg <daniel@haxx.se>

- hsts: Remove single-use single-line function

  The hsts_entry() function contains of a single line and is only
  used in a single place in the code, so move the allocation into
  hsts_create instead to improve code readability. C code usually
  don't use the factory abstraction for object creation, and this
  small example wasn't following our usual code style.

  Closes: #13604
  Reviewed-by: Daniel Stenberg <daniel@haxx.se>

Viktor Szakats (12 May 2024)

- lib: bump hash sizes to `size_t`

  Follow-up to cc907e80a2498c0599253271a6f657f614b52a4e #13502
  Cherry-picked from #13489
  Closes #13601

- tests: make the unit test result type `CURLcode`

  Before this patch, the result code was a mixture of `int` and
  `CURLcode`.

  Also adjust casts and fix a couple of minor issues found along the way.

  Cherry-picked from #13489
  Closes #13600

- appveyor: tidy-ups

  - delete a duplicate line.
  - simplify a `make` call.
  - merge two `if` branches.
  - reorder autotools options for clarity.
  - add `--enable-warnings` where missing (it's also the default.)
  - add empty lines to YAML for readability.
  - use lowercase install prefix/directory.

  Closes #13598

Daniel Stenberg (12 May 2024)

- docs/cmdline-opts: mention STARTTLS for --ssl and --ssl-reqd

  ... since users might look for those terms in the manpage.

  Closes #13590

- setopt: warn on Curl_set*opt() uses not using the return value

  And switch the invokes that would "set" NULL to instead just plainly
  free the pointer, as those were otherwise the invokes that would ignore
  the return code. And possibly confuse static code analyzers.

  Closes #13591

Orgad Shaneh (12 May 2024)

- autotools: delete unused functions

  Closes #13605

Viktor Szakats (11 May 2024)

- examples: fix/silence `-Wsign-conversion`

  - extend `FD_SET()` hack to all platforms (was only Cygwin).
    Warnings may also happen in other envs, e.g. OmniOS.
    Ref: https://github.com/libssh2/libssh2/actions/runs/8854199687/job/2431676
  2831#step:3:2021

  - tidy-up `CURLcode` vs `int` use.

  - cast an unsigned to `long` before passing to `curl_easy_setopt()`.

  Cherry-picked from #13489
  Follow-up to 3829759bd042c03225ae862062560f568ba1a231 #12489
  Closes #13501

Orgad Shaneh (11 May 2024)

- cmake: fix `HAVE_IOCTLSOCKET_FIONBIO` test with gcc 14

  The function signature has had u_long flags since ever. This is how it
  is defined in the documentation, and implemented in MinGW.

  The code that uses ioctlsocket in nonblock.c also has unsigned long.

  Error:
  CurlTests.c:275:41: error: passing argument 3 of 'ioctlsocket' from incompati
  ble pointer type [-Wincompatible-pointer-types]
    275 |         if(0 != ioctlsocket(0, FIONBIO, &flags))
        |                                         ^~~~~~
        |                                         |
        |                                         int *
  In file included from CurlTests.c:266:
  /opt/mxe/usr/i686-w64-mingw32.static/include/winsock2.h:1007:76: note: expect
  ed 'u_long *' {aka 'long unsigned int *'} but argument is of type 'int *'
   1007 |   WINSOCK_API_LINKAGE int WSAAPI ioctlsocket(SOCKET s,__LONG32 cmd,u_
  long *argp);
        |                                                                    ~~
  ~~~~~~^~~~

  Closes #13578

Jay Satiro (10 May 2024)

- ftp: fix build for CURL_DISABLE_VERBOSE_STRINGS

  This is a follow-up to b7c7dffe which changed the FTP state change
  verbose debug text (aka infof) to tracing debug text (aka trc).

  Prior to this change if libcurl was without DEBUGBUILD and built with
  CURL_DISABLE_VERBOSE_STRINGS (ie --disable-verbose) the build would
  error.

  Caught by Circle CI job openssl-no-verbose.

- lib: clear the easy handle's saved errno before transfer

  - Clear data->state.os_errno before transfer.

  - Explain the change in behavior in the CURLINFO_OS_ERRNO doc.

  - Add to the CURLINFO_OS_ERRNO doc the list of libcurl network-related
    errors that may cause the errno to be saved.

  data->state.os_errno is saved before libcurl returns a network-related
  failure such as connection failure. It is accessible to the user via
  CURLINFO_OS_ERRNO so they can get more information about the failure.

  Prior to this change it wasn't cleared before transfer, so if a user
  retrieved the saved errno it could be from a previous transfer. That is
  because an errno is not always saved for network-related errors.

  Closes https://github.com/curl/curl/pull/13574

Stefan Eissing (10 May 2024)

- ftp: add tracing support

  - add `Curl_trc_feat_ftp` for tracing via trace config
  - add macro CURL_TRC_FTP(data, fmt, ...)
  - replace DEBUGF(infof()) statements in ftp.c by CURL_TRC_FTP()
  - always trace FTP connection state

  Closes #13580

Daniel Stenberg (10 May 2024)

- http: remove redundant check

  Spotted by CodeSonar

  Closes #13582

Viktor Szakats (10 May 2024)

- ldap: fix unused variables (seen on OmniOS)

  ```
  ../../lib/ldap.c: In function 'ldap_do':
    ../../lib/ldap.c:380:11: error: unused variable 'ldap_ca' [-Werror=unused-v
  ariable]
      380 |     char *ldap_ca = conn->ssl_config.CAfile;
          |           ^~~~~~~
    ../../lib/ldap.c:379:9: error: unused variable 'ldap_option' [-Werror=unuse
  d-variable]
      379 |     int ldap_option;
          |         ^~~~~~~~~~~
  ```
  Ref: https://github.com/curl/curl/actions/runs/9033564377/job/24824192730#ste
  p:3:6059

  Ref: #13583
  Closes #13588

Daniel Stenberg (10 May 2024)

- url: make parse_login_details use memdup0

  Also make the user and password arguments mandatory, since all code
  paths in libcurl used them anyway.

  Adapted unit test case 1620 to the new rules.

  Closes #13584

Orgad Shaneh (10 May 2024)

- digest: replace strcpy for empty string with simple assignment

  Closes #13586

