                                  _   _ ____  _
                              ___| | | |  _ \| |
                             / __| | | | |_) | |
                            | (__| |_| |  _ <| |___
                             \___|\___/|_| \_\_____|

                                  Changelog

Version 7.49.1 (30 May 2016)

Daniel Stenberg (30 May 2016)
- RELEASE-NOTES: 7.49.1

- [Steve Holme brought this change]

  loadlibrary: Only load system DLLs from the system directory
  
  Inspiration provided by: Daniel Stenberg and Ray Satiro
  
  Bug: https://curl.haxx.se/docs/adv_20160530.html
  
  Ref: Windows DLL hijacking with curl, CVE-2016-4802

- ssh: fix version number check typo

Jay Satiro (29 May 2016)
- curl_share_setopt.3: Add min ver needed for ssl session lock
  
  Bug: https://github.com/curl/curl/issues/826
  Reported-by: Michael Wallner

Daniel Stenberg (29 May 2016)
- ssh: fix build for libssh2 before 1.2.6
  
  The statvfs functionality was added to libssh2 in that version, so we
  switch off that functionality when built with older libraries.
  
  Fixes #831

- mbedtls: fix includes so snprintf() works
  
  Regression from the previous *printf() rearrangements, this file missed to
  include the correct header to make sure snprintf() works universally.
  
  Reported-by: Moti Avrahami
  Bug: https://curl.haxx.se/mail/lib-2016-05/0196.html

Steve Holme (23 May 2016)
- checksrc.pl: Added variants of strcat() & strncat() to banned function list
  
  Added support for checking the tchar, unicode and mbcs variants of
  strcat() and strncat() in the banned function list.

Daniel Stenberg (23 May 2016)
- smtp: minor indent (white space) fixes

- THANKS: updated after script fixes
  
  Now giving credit properly to github user names, fixed some UTF-8 issues
  and added names discovered when contrithanks was improved.

- THANKS-filter: more name cleanups

- contrithanks.sh: exclude existing names case insensitively

- contrithanks.sh: use same grep pattern and -a flag as contributors.sh

- contributors.sh: better grep pattern, use grep -a

- THANKS-filter: fix more names

- contrithanks.sh: do the same github fix as contributors.sh
  
  from 1577bfa35ba

Jay Satiro (23 May 2016)
- contributors: Show GitHub username if real name unknown
  
  Prior to this change if a GitHub contributor's real name was unknown
  they would be omitted from the list.
  
  Bug: https://github.com/curl/curl/issues/824

Daniel Stenberg (21 May 2016)
- RELEASE-NOTES: synced with 3caaeffbe8ded4

Jay Satiro (20 May 2016)
- openssl: cleanup must free compression methods
  
  - Free compression methods if OpenSSL 1.0.2 to avoid a memory leak.
  
  Bug: https://github.com/curl/curl/issues/817
  Reported-by: jveazey@users.noreply.github.com

Daniel Stenberg (20 May 2016)
- [Gisle Vanem brought this change]

  curl_multibyte: fix compiler error
  
  While compiling lib/curl_multibyte.c with '-DUSE_WIN32_IDN' etc. I was
  getting:
  
  f:\mingw32\src\inet\curl\lib\memdebug.h(38): error C2054: expected '('
  to follow 'CURL_EXTERN'
  
  f:\mingw32\src\inet\curl\lib\memdebug.h(38): error C2085:
  'curl_domalloc': not in formal parameter list

- THANKS-filter: make Jan-E get proper credit

- [Jan-E brought this change]

  winbuild/Makefile.vc: Fix check on SSL, MBEDTLS, WINSSL exclusivity
  
  Closes #818

- [Alexander Traud brought this change]

  libcurl.m4: Avoid obsolete warning
  
  Closes #821

Jay Satiro (20 May 2016)
- [Michael Kaufmann brought this change]

  CURLOPT_CONNECT_TO.3: user must not free the list prematurely
  
  The connect-to list isn't copied so as long as the handle may be used
  for a transfer the list must be valid.
  
  Bug: https://github.com/curl/curl/pull/819
  Reported-by: Michael Kaufmann

Daniel Stenberg (19 May 2016)
- RELEASE-NOTES: synced with 48114a8634242c

- openssl: ERR_remove_thread_state() is deprecated in latest 1.1.0
  
  See OpenSSL commit 21e001747d4a

- http2: use HTTP/2 in the HTTP/1.1-alike header
  
  ... when generating them, not "2.0" as the protocol is called just
  HTTP/2 and nothing else.

Jay Satiro (19 May 2016)
- dist: include curl_multi_socket_all.3
  
  Closes https://github.com/curl/curl/pull/816

Steve Holme (18 May 2016)
- bump: Start work on 7.49.1

Daniel Stenberg (18 May 2016)
- curlbuild.h.dist: check __LP64__ as well to fix MIPS build
  
  The preprocessor check that sets up the 32bit defines for non-configure
  builds didn't work properly for MIPS systems as __mips__ is defined for
  both 32bit and 64bit. Now __LP64__ is also checked and indicates 64bit.
  
  Reported-by: Tomas Jakobsson
  Fixes #813

- [Marcel Raad brought this change]

  schannel: fix compile break with MSVC XP toolset
  
  For the Windows XP toolset of Visual C++ 2013/2015, the old Windows SDK
  7.1 is used. In this case, _USING_V110_SDK71_ is defined.
  
  Closes #812

- dist: include CHECKSRC.md
  
  Reported-by: Paul Howarth
  Bug: https://curl.haxx.se/mail/lib-2016-05/0116.html

- test/Makefile.am: include manpage-scan.pl and nroff-scan.pl in dist
  
  Reported-by: Ray Satiro
  Bug: https://curl.haxx.se/mail/lib-2016-05/0113.html

Version 7.49.0 (17 May 2016)

Daniel Stenberg (17 May 2016)
- THANKS: 24 new names from 7.49.0 release notes

- RELEASE-NOTES: 7.49.0

- mbedtls/polarssl: set "hostname" unconditionally
  
  ...as otherwise the TLS libs will skip the CN/SAN check and just allow
  connection to any server. curl previously skipped this function when SNI
  wasn't used or when connecting to an IP address specified host.
  
  CVE-2016-3739
  
  Bug: https://curl.haxx.se/docs/adv_20160518A.html
  Reported-by: Moti Avrahami

- [Frank Gevaerts brought this change]

  CURLOPT_RESOLVE.3: fix typo
  
  Closes #811

- docs: CURLOPT_RESOLVE overrides CURLOPT_IPRESOLVE

- KNOWN_BUGS: GnuTLS backend skips really long certificate fields
  
  Closes #762

- CURLOPT_HTTPPOST.3: the data needs to be around while in use

- openssl: get_cert_chain: fix NULL dereference
  
  CID 1361815: Explicit null dereferenced (FORWARD_NULL)

- openssl: get_cert_chain: avoid NULL dereference
  
  CID 1361811: Explicit null dereferenced (FORWARD_NULL)

- dprintf_formatf: fix (false?) Coverity warning
  
  CID 1024412: Memory - illegal accesses (OVERRUN). Claimed to happen when
  we run over 'workend' but the condition says <= workend and for all I
  can see it should be safe. Compensating for the warning by adding a byte
  margin in the buffer.
  
  Also, removed the extra brace level indentation in the code and made it
  so that 'workend' is only assigned once within the function.

- RELEASE-NOTES: synced with 2dcb5adc72d6

- THANKS-filter: fixed Jonathan Cardoso

Jay Satiro (15 May 2016)
- ftp: fix incorrect out-of-memory code in Curl_pretransfer
  
  - Return value type must match function type.
  
  s/CURLM_OUT_OF_MEMORY/CURLE_OUT_OF_MEMORY/
  
  Caught by Travis CI

Daniel Stenberg (15 May 2016)
- ftp wildcard: segfault due to init only in multi_perform
  
  The proper FTP wildcard init is now more properly done in Curl_pretransfer()
  and the corresponding cleanup in Curl_close().
  
  The previous place of init/cleanup code made the internal pointer to be NULL
  when this feature was used with the multi_socket() API, as it was made within
  the curl_multi_perform() function.
  
  Reported-by: Jonathan Cardoso Machado
  Fixes #800

Jay Satiro (13 May 2016)
- libcurl-thread: Update OpenSSL links
  
  Because the old OpenSSL link now redirects to their master documentation
  (currently 1.1.0), which does not document the required actions for
  OpenSSL <= 1.0.2.

Daniel Stenberg (13 May 2016)
- [Viktor Szakats brought this change]

  darwinssl.c: fix OS X codename typo in comment

- RELEASE-NOTES: synced with 68701e51c1f7
  
  Added 8 bug fixes and 5 more contributors

- [Jay Satiro brought this change]

  mprintf: Fix processing of width and prec args
  
  Prior to this change a width arg could be erroneously output, and also
  width and precision args could not be used together without crashing.
  
  "%0*d%s", 2, 9, "foo"
  
  Before: "092"
  After: "09foo"
  
  "%*.*s", 5, 2, "foo"
  
  Before: crash
  After: "   fo"
  
  Test 557 is updated to verify this and more

- [Michael Kaufmann brought this change]

  ConnectionExists: follow-up fix for proxy re-use
  
  Follow-up commit to 5823179
  
  Closes #648

- [Per Malmberg brought this change]

  darwinssl: fix certificate verification disable on OS X 10.8
  
  The new way of disabling certificate verification doesn't work on
  Mountain Lion (OS X 10.8) so we need to use the old way in that version
  too. I've tested this solution on versions 10.7.5, 10.8, 10.9, 10.10.2
  and 10.11.
  
  Closes #802

- [Cory Benfield brought this change]

  http2: Add space between colon and header value
  
  curl's representation of HTTP/2 responses involves transforming the
  response to a format that is similar to HTTP/1.1. Prior to this change,
  curl would do this by separating header names and values with only a
  colon, without introducing a space after the colon.
  
  While this is technically a valid way to represent a HTTP/1.1 header
  block, it is much more common to see a space following the colon. This
  change introduces that space, to ensure that incautious tools are safely
  able to parse the header block.
  
  This also ensures that the difference between the HTTP/1.1 and HTTP/2
  response layout is as minimal as possible.
  
  Bug: https://github.com/curl/curl/issues/797
  
  Closes #798
  Fixes #797

Kamil Dudka (12 May 2016)
- openssl: fix compile-time warning in Curl_ossl_check_cxn()
  
  ... introduced in curl-7_48_0-293-g2968c83:
  
  Error: COMPILER_WARNING:
  lib/vtls/openssl.c: scope_hint: In function ‘Curl_ossl_check_cxn’
  lib/vtls/openssl.c:767:15: warning: conversion to ‘int’ from ‘ssize_t’
  may alter its value [-Wconversion]

Jay Satiro (11 May 2016)
- openssl: stricter connection check function
  
  - In the case of recv error, limit returning 'connection still in place'
  to EINPROGRESS, EAGAIN and EWOULDBLOCK.
  
  This is an improvement on the parent commit which changed the openssl
  connection check to use recv MSG_PEEK instead of SSL_peek.
  
  Ref: https://github.com/curl/curl/commit/856baf5#comments

Daniel Stenberg (11 May 2016)
- [Anders Bakken brought this change]

  TLS: SSL_peek is not a const operation
  
  Calling SSL_peek can cause bytes to be read from the raw socket which in
  turn can upset the select machinery that determines whether there's data
  available on the socket.
  
  Since Curl_ossl_check_cxn only tries to determine whether the socket is
  alive and doesn't actually need to see the bytes SSL_peek seems like
  the wrong function to call.
  
  We're able to occasionally reproduce a connect timeout due to this
  bug. What happens is that Curl doesn't know to call SSL_connect again
  after the peek happens since data is buffered in the SSL buffer and thus
  select won't fire for this socket.
  
  Closes #795

Jay Satiro (9 May 2016)
- [Daniel Stenberg brought this change]

  TLS: move the ALPN/NPN enable bits to the connection
  
  Only protocols that actually have a protocol registered for ALPN and NPN
  should try to get that negotiated in the TLS handshake. That is only
  HTTPS (well, http/1.1 and http/2) right now. Previously ALPN and NPN
  would wrongly be used in all handshakes if libcurl was built with it
  enabled.
  
  Reported-by: Jay Satiro
  
  Fixes #789

Daniel Stenberg (8 May 2016)
- libcurl-thread.3: openssl 1.1.0 is safe, and so is boringssl

- [Antonio Larrosa brought this change]

  connect: fix invalid "Network is unreachable" errors
  
  Sometimes, in systems with both ipv4 and ipv6 addresses but where the
  network doesn't support ipv6, Curl_is_connected returns an error
  (intermittently) even if the ipv4 socket connects successfully.
  
  This happens because there's a for-loop that iterates on the sockets but
  the error variable is not reset when the ipv4 is checked and is ok.
  
  This patch fixes this problem by setting error to 0 when checking the
  second socket and not having a result yet.
  
  Fixes #794

Jay Satiro (5 May 2016)
- FAQ: refer to thread safety guidelines

Daniel Stenberg (3 May 2016)
- connections: non-HTTP proxies on different ports aren't reused either
  
  Reported-by: Oleg Pudeyev and fuchaoqun
  
  Fixes #648

- http: make sure a blank header overrides accept_decoding
  
  Reported-by: rcanavan
  Assisted-by: Isaac Boukris
  Closes #785

- CHECKSRC.md: clarified, explained the whitelist file

- nroff-scan.pl: verify that references are made with \fI

- docs: unified man page references to use \fI

- TODO: 17.14 --fail without --location should treat 3xx as a failure
  
  Closes #727

- RELEASE-NOTES: synced with 7987f5cb14d

- [Isaac Boukris brought this change]

  CURLOPT_ACCEPT_ENCODING.3: Follow-up clarification
  
  Mention possible content-length mismatch with sum of bytes reported
  by write callbacks when auto decoding is enabled.
  
  See #785

- test1140: run nroff-scan to verify man pages

- nroff-scan.pl: verify the .BR references as well

- CURLOPT_CONV_TO_NETWORK_FUNCTION.3: fix bad man page reference

- CURLOPT_BUFFERSIZE.3: fix reference to CURLOPT_MAX_RECV_SPEED_LARGE

- curl_easy_pause.3: fix man page reference

Jay Satiro (1 May 2016)
- tool_cb_hdr: Fix --remote-header-name with schemeless URL
  
  - Move the existing scheme check from tool_operate.
  
  In the case of --remote-header-name we want to parse Content-disposition
  for a filename, but only if the scheme is http or https. A recent
  adjustment 0dc4d8e was made to account for schemeless URLs however it's
  not 100% accurate. To remedy that I've moved the scheme check to the
  header callback, since at that point the library has already determined
  the scheme.
  
  Bug: https://github.com/curl/curl/issues/760
  Reported-by: Kai Noda

Daniel Stenberg (1 May 2016)
- tls: make setting pinnedkey option fail if not supported
  
  to make it obvious to users trying to use the feature with TLS backends
  not supporting it.
  
  Discussed in #781
  Reported-by: Travis Burtrum

- nroff-scan.pl: verifies nroff pages
  
  ... not used by any test yet but can be used stand-alone.

- opts: fix broken/bad references

- [Michael Kaufmann brought this change]

  docs: fix bugs in CURLOPT_HTTP_VERSION.3 and CURLOPT_PIPEWAIT.3
  
  Closes #786

- CURLOPT_ACCEPT_ENCODING.3: clarified
  
  As discussed in #785

- curl.1: --mail-rcpt can be used multiple times
  
  Reported-by: mgendre
  Closes #784

- [Karlson2k brought this change]

  tests: Use 'pathhelp' for paths conversions in secureserver.pl
  
  Closes #675

- [Karlson2k brought this change]

  tests: Use 'pathhelp' for paths conversions in sshserver.pl

- [Karlson2k brought this change]

  tests: Use 'pathhelp' for current path in runtests.pl

- [Karlson2k brought this change]

  tests: pathhelp.pm to process paths on Msys/Cygwin

- lib: include curl_printf.h as one of the last headers
  
  curl_printf.h defines printf to curl_mprintf, etc. This can cause
  problems with external headers which may use
  __attribute__((format(printf, ...))) markers etc.
  
  To avoid that they cause problems with system includes, we include
  curl_printf.h after any system headers. That makes the three last
  headers to always be, and we keep them in this order:
  
   curl_printf.h
   curl_memory.h
   memdebug.h
  
  None of them include system headers, they all do funny #defines.
  
  Reported-by: David Benjamin
  
  Fixes #743

- memdebug.h: remove inclusion of other headers
  
  Mostly because they're not needed, because memdebug.h is always included
  last of all headers so the others already included the correct ones.
  
  But also, starting now we don't want this to accidentally include any
  system headers, as the header included _before_ this header may add
  defines and other fun stuff that we won't want used in system includes.

- [Jay Satiro brought this change]

  curl -J: make it work even without http:// scheme on URL
  
  It does open up a minuscule risk that one of the other protocols that
  libcurl could use would send back a Content-Disposition header and then
  curl would act on it even if not HTTP.
  
  A future mitigation for this risk would be to allow the callback to ask
  libcurl which protocol is being used.
  
  Verified with test 1312
  
  Closes #760

- manpage-scan.pl: also verify the command line option docs
  
  This script now also scans src/tool_getparam.c, docs/curl.1 and
  src/tool_help.c and will warn if any of them lists a command line option
  not mentioned in one of the other places.

- curl: show the long option version of -q in the -h list

- curl: remove "--socks" as "--socks5" turned 8
  
  In commit 2e42b0a2524 (Jan 2008) we made the option "--socks" deprecated
  and it has not been documented since. The more explicit socks options
  (like --socks4 or --socks5) should be used.

- curl.1: document the deprecated --ftp-ssl option

- curl: remove --http-request
  
  It was mentioned as deprecated already in commit ae1912cb0d4 from
  1999. It has not been documented in this millennium.

- curl: mention --ntlm-wb in -h list

- curl: -h output lacked --proxy-header

- curl.1: document --ntlm-wb

- curl.1: document the long format of -q: --disable

- curl.1: mention the deprecated --krb4 option

- curl.1: document --ftp-ssl-reqd
  
  Even if deprecated, document it so that people will find it as old
  scripts may still use it.

- curl: use --telnet-option as documented
  
  The code said "telnet-options" but no documentation ever said so. It
  worked fine since the code is fine with a unique match of the first
  part.

- getparam: remove support for --ftpport
  
  It has been deprecated and undocumented since commit ad5ead8bed7 (Dec
  2003). --ftp-port is the proper long option name.

- curl: make --disable work as long form of -q
  
  To make the aliases list reflect reality.

- aliases: remove trailing space from capath string

- cmdline parse: only single letter options have single-letter strings
  
  ... moved around options so that parsing the code to find all
  single-letter options is easier.

Jay Satiro (28 Apr 2016)
- CURLINFO_TLS_SSL_PTR.3: Clarify SSL pointer availability
  
  Bug: https://curl.haxx.se/mail/lib-2016-04/0126.html
  Reported-by: Bru Rom

Daniel Stenberg (28 Apr 2016)
- curl_easy_getinfo.3: remove superfluous blank lines

- test1139: verifies libcurl option man page presence
  
  - checks that each option has its own man page present
  
  - checks that each option is mentioned in its corresponding index man
    page

- curl_easy_getinfo.3: added missing mention of CURLINFO_TLS_SESSION
  
  ... although it is deprecated.

Jay Satiro (28 Apr 2016)
- mbedtls: Fix session resume
  
  This also fixes PolarSSL session resume.
  
  Prior to this change the TLS session information wasn't properly
  saved and restored for PolarSSL and mbedTLS.
  
  Bug: https://curl.haxx.se/mail/lib-2016-01/0070.html
  Reported-by: Thomas Glanzmann
  
  Bug: https://curl.haxx.se/mail/lib-2016-04/0095.html
  Reported-by: Moti Avrahami

Daniel Stenberg (27 Apr 2016)
- RELEASE-NOTES: synced with f4298fcc6d2

- [Michael Kaufmann brought this change]

  opts: Fix some syntax errors in example code fragments
  
  Fixes #779

- openssl: avoid BN_print a NULL bignum
  
  OpenSSL 1.1.0-pre seems to return NULL(?) for a whole lot of those
  numbers so make sure the function handles this.
  
  Reported-by: Linus Nordberg

- [Marcel Raad brought this change]

  CONNECT_ONLY: don't close connection on GSS 401/407 responses
  
  Previously, connections were closed immediately before the user had a
  chance to extract the socket when the proxy required Negotiate
  authentication.
  
  This regression was brought in with the security fix in commit
  79b9d5f1a42578f
  
  Closes #655

- CURLINFO_TLS_SESSION.3: clarify TLS library support before 7.48.0

- mbedtls.c: silly spellfix of a comment

- KNOWN_BUGS: 1.10 Strips trailing dot from host name
  
  Closes #716

- test1322: verify stripping of trailing dot from host name
  
  While being debated (in #716) and a violation of RFC 7230 section 5.4,
  this test verifies that the existing functionality works as intended. It
  strips the dot from the host name and uses the host without dot
  throughout the internals.

- multi: accidentally used resolved host name instead of proxy
  
  Regression introduced in 09b5a998
  
  Bug: https://curl.haxx.se/mail/lib-2016-04/0084.html
  Reported-by: BoBo

- symbols-in-versions: added new CURLSSLBACKEND_ symbols

- test148: fixed after the --ftp-create-dirs retry change
  
  follow-up commit to 3c1e84f569 as it made curl try a little harder

- curl.h: clarify curl_sslbackend for openssl clones and renames

- [Karlson2k brought this change]

  url.c: fixed DEBUGASSERT() for WinSock workaround
  
  If the buffer is allocated, but nothing is received during the
  prereceive stage, then the number of processed bytes must be zero.
  
  Closes #778

- KNOWN_BUGS: --interface for ipv6 binds to unusable IP address
  
  Closes #686 for now.

- TODO: 1.17 Add support for IRIs
  
  Adding support for IRIs is a mouthful, but is probably interesting at
  least for areas and countries where the use of such "URLs" is growing in
  popularity.
  
  Closes #776

- THANKS-filter: Travis Burtrum

- lib1517: checksrc compliance

- [moparisthebest brought this change]

  PolarSSL: Implement public key pinning

Patrick Monnerat (22 Apr 2016)
- os400: upgrade ILE/RPG binding

- curl.h: CURLOPT_CONNECT_TO sets a struct slist *, not a string

Daniel Stenberg (22 Apr 2016)
- contributors.sh: make --releasenotes implied
  
  It got too annoying to type =)

- RELEASE-NOTES: synced with 3c1e84f5693d8093

- curl: make --ftp-create-dirs retry on failure
  
  The underlying libcurl option used for this feature is
  CURLOPT_FTP_CREATE_MISSING_DIRS which has the ability to retry the dir
  creation, but it was never set to do that by the command line tool.
  
  Now it does.
  
  Bug: https://curl.haxx.se/mail/archive-2016-04/0021.html
  Reported-by: John Wanghui
  Help-by: Leif W

- [Henrik Gaßmann brought this change]

  winbuild: add mbedtls support
  
  Add WITH_MBEDTLS option. Make WITH_SSL, WITH_MBEDTLS and ENABLE_WINSSL
  options mutually exclusive.
  
  Closes #606

- KNOWN_BUGS: fixed "5.6 Improper use of Autoconf cache variables"
  
  As of commit d9f3b365a3

- [Irfan Adilovic brought this change]

  configure: ac_cv_ -> curl_cv_ for write-only vars
  
  These configure vars are modified in a curl-specific way but never
  evaluated or loaded from cache, even though they are designated as
  _cv_. We could either implement proper AC_CACHE_CHECKs for them, or
  remove them completely.
  
  Fixes #603 as ac_cv_func_gethostbyname is no longer clobbered, and
  AC_CHECK_FUNC(gethostbyname...) will no longer spuriously succeed after
  the first configure run with caching.
  
  `ac_cv_func_strcasecmp` is curious, see #770.
  
  `eval "ac_cv_func_$func=yes"` can still cause problems as it works in
  tandem with AC_CHECK_FUNCS and then potentially modifies its result. It
  would be best to rewrite this test to use a new CURL_CHECK_FUNCS macro,
  which works the same as AC_CHECK_FUNCS but relies on caching the values
  of curl_cv_func_* variables, without modifying ac_cv_func_*.

- [Irfan Adilovic brought this change]

  configure: ac_cv_ -> curl_cv_ for r/w vars
  
  These configure vars are modified in a curl-specific way and modified by
  the configure process, but are never loaded from cache, even though they
  are designated as _cv_. We should implement proper AC_CACHE_CHECKs for
  them eventually.

- [Irfan Adilovic brought this change]

  configure: ac_cv_func_clock_gettime -> curl_...
  
  This variable must not be cached in its current form, as any cached
  information will prevent the next configure run from determining the
  correct LIBS needed for the function. Thus, rename prefix `ac_cv_` to
  just `curl_`.

- [Irfan Adilovic brought this change]

  configure: ac_cv_ -> curl_cv_ for all cached vars
  
  This was automated by:
  
  sed -b -i -f <(ack -A1 AC_CACHE_CHECK | \
                 ack -o 'ac_cv_.*?\b' | \
                 sort -u | xargs -n1 bash -c \
                      'echo "s/$0/curl_cv_${0#ac_cv_}/g"') \
      $(git ls-files)
  
  This only changed the prefix for 16 variables actually checked with
  AC_CACHE_CHECK.

- openssl: builds with OpenSSL 1.1.0-pre5
  
  The RSA, DSA and DH structs are now opaque and require use of new APIs
  
  Fixes #763

Steve Holme (20 Apr 2016)
- url.c: Prefer we don't use explicit NULLs in conditions
  
  Fixed commit fa5fa65a30 to not use NULLs in if condition.

Daniel Stenberg (20 Apr 2016)
- [Isaac Boukris brought this change]

  NTLM: check for NULL pointer before dereferencing
  
  At ConnectionExists, both check->proxyuser and check->proxypasswd
  could be NULL, so make sure to check first.
  
  Fixes #765

- [Karlson2k brought this change]

  tests: added test1517
  
  ... for checking ability to receive full HTTP response when POST request
  is used with slow read callback function.
  
  This test checks for bug #657 and verifies the work-around from
  72d5e144fbc6.
  
  Closes #720

- [Karlson2k brought this change]

  sendf.c: added ability to call recv() before send() as workaround
  
  WinSock destroys the recv() buffer if send() fails. As a result, the
  server response may be lost if the server sent it while curl is still
  sending the request. This behavior is noticeable with short HTTP server
  replies if libcurl uses several send() calls for a request (usually for
  POST requests). To work around this problem, libcurl uses recv() before
  every send() and keeps received data in an intermediate buffer for
  further processing.
  
  Fixes: #657
  Closes: #668

Kamil Dudka (19 Apr 2016)
- connect: make sure that rc is initialized in singleipconnect()
  
  This commit fixes a Clang warning introduced in curl-7_48_0-190-g8f72b13:
  
  Error: CLANG_WARNING:
  lib/connect.c:1120:11: warning: The right operand of '==' is a garbage value
  1118|       }
  1119|
  1120|->     if(-1 == rc)
  1121|         error = SOCKERRNO;
  1122|     }

Daniel Stenberg (19 Apr 2016)
- make/checksrc: use $srcdir, not $top_srcdir

- src/checksrc.whitelist: removed

- tool_operate: switch to inline checksrc ignore

- lib/checksrc.whitelist: not needed anymore
  
  ... as checksrc now skips comments

- vtls.h: remove a space before semicolon
  
  ... that the new checksrc detected

- darwinssl: removed commented out code

- http_chunks: removed checksrc disable
  
  ... since checksrc now skips comments

- imap: inlined checksrc disable instead of whitelist edit

- checksrc: taught to skip comments
  
  ... but output non-stripped version of the line, even if that then can
  make the script identify the wrong position in the line at
  times. Showing the line stripped (ie without comments) is just too
  surprising.

- opts/Makefile.am: list all docs file one by one
  
  ... to make it easier to add lines in patches that won't just break all
  other patches trying to add lines too.

- curl_easy_setopt.3: mention CURLOPT_TCP_FASTOPEN

- RELEASE-NOTES: synced with 03de4e4b219
  
  (since we just merged two major features)

- [Alessandro Ghedini brought this change]

  connect: implement TCP Fast Open for Linux
  
  Closes #660

- [Alessandro Ghedini brought this change]

  tool: add --tcp-fastopen option

- [Alessandro Ghedini brought this change]

  connect: implement TCP Fast Open for OS X

- [Alessandro Ghedini brought this change]

  url: add CURLOPT_TCP_FASTOPEN option

- checksrc: pass on -D so the whitelists are found correctly

- configure: remove check for libresolve
  
  'strncasecmp' was once provided by libresolv (no trailing e) for SunOS,
  but this check is broken and most likely adds nothing useful. Removing
  now.
  
  Reported-by: Irfan Adilovic
  
  Discussed in #770

- scripts/make: use $(EXEEXT) for executables
  
  Reported-by: bodop
  
  Fixes #771

- includes: avoid duplicate memory callback typedefs even harder

- checksrc/makefile.am: use $top_srcdir to find source files
  
  ... to properly support out of source tree builds.

- RELEASE-NOTES: synced with 26ec93dd6aeba8dfb5

- opts: fix option references missing (section)

- [Michael Kaufmann brought this change]

  news: CURLOPT_CONNECT_TO and --connect-to
  
  Makes curl connect to the given host+port instead of the host+port found
  in the URL.

- makefile.vc6: use d suffix on debug object
  
  To allow both release and debug builds in parallel.
  
  Reported-by: Rod Widdowson
  
  Fixes #769

Jay Satiro (12 Apr 2016)
- http2: Use size_t type for data drain count
  
  Ref: https://github.com/curl/curl/issues/659
