cmake: use `list(APPEND)` on `CURL_INCLUDES`

It does the same as the `set()` used before this patch.
Makes the code easier to read.

Closes #15399

cmake: tidy up `CURL_DISABLE_FORM_API` initialization

Initialization of `CURL_DISABLE_FORM_API` depends on another option.
Make sure the other option is initialized before this one.

cmake: tidy up `CURL_DISABLE_FORM_API` initialization

Initialization of `CURL_DISABLE_FORM_API` depends on another option.
Make sure the other option is initialized before this one.

Due to the defaults and logic this did not cause an issue.

Also fix the order of two other lines to match with the rest.

Closes #15394

show more ...

cmake: drop obsolete items from `TODO` and `INSTALL-CMAKE`

- INSTALL-CMAKE: delete `Current flaws in the curl CMake build` section.
#1123 was fixed in 7e93637acd9f5741ac4c09bbca353ac8d

cmake: drop obsolete items from `TODO` and `INSTALL-CMAKE`

- INSTALL-CMAKE: delete `Current flaws in the curl CMake build` section.
#1123 was fixed in 7e93637acd9f5741ac4c09bbca353ac8da42bb17 #2443

- TODO: delete item 3.2.
Follow-up to 1cb4f5d6e8e470638759a48ba99fda230089712f #1879

Closes #15405

show more ...

docs/libcurl/opts/Makefile.inc: alphasort the options list

curl: detect ECH support dynamically, not at build time

Closes #15402

quic: use the session cache with wolfSSL as well

Use session cache for QUIC when built with quictls or wolfSSL.

Add test_017_10 for verifying QUIC TLS session reuse when built with

quic: use the session cache with wolfSSL as well

Use session cache for QUIC when built with quictls or wolfSSL.

Add test_017_10 for verifying QUIC TLS session reuse when built with
quictls, gnutls or wolfssl.

Closes #15358

show more ...

ngtcp2: set max window size to 10x of initial (128KB)

Just as the quiche backend does

Closes #15392

bearssl: improved session handling, test exceptions

Add length to session saves, making it clear that we are storing a byte
blob and allowing memcmp() on sameness check.

Remove

bearssl: improved session handling, test exceptions

Add length to session saves, making it clear that we are storing a byte
blob and allowing memcmp() on sameness check.

Remove some pytest skips for bearssl to see if they now work properly in
CI.

Closes #15395

show more ...

mbedtls: handle session as blobs

Use mbedtls_ssl_session_load() and mbedtls_ssl_session_save() to convert
TLS sessions to byte blobs for the session cache.

Fix a skip message to

mbedtls: handle session as blobs

Use mbedtls_ssl_session_load() and mbedtls_ssl_session_save() to convert
TLS sessions to byte blobs for the session cache.

Fix a skip message to better indicate why the test is skipped for
mbedtls.

Closes #15398

show more ...

RELEASE-NOTES: synced

url.md: clarify

- the specified URL can also get data sent to it
- rephrase the scheme guessing part
- mention target options for each URL for saving data
- mention --remote-name

url.md: clarify

- the specified URL can also get data sent to it
- rephrase the scheme guessing part
- mention target options for each URL for saving data
- mention --remote-name-all
- remove "warning" and make it into normal text

Closes #15396

show more ...

version: minor cleanups

- remove typecasts and parentheses in zstd_version()
- create and use oldap_version() for OpenLDAP
- create and use psl_version() for libpsl
- reduce the

version: minor cleanups

- remove typecasts and parentheses in zstd_version()
- create and use oldap_version() for OpenLDAP
- create and use psl_version() for libpsl
- reduce the size of the 40 byte buffers to 30 bytes
- use the brotil/zstd like the others (add the lib name in the functions)
- create and use idn_version for IDN builds
- handle (unlikely) error from ldap_get_option

Closes #15393

show more ...

schannel: reclassify extra-verbose schannel_recv messages

- Create a new macro SCH_DEV() to manage verbose debug messages that are
only useful for debugging Schannel recv decryption.

schannel: reclassify extra-verbose schannel_recv messages

- Create a new macro SCH_DEV() to manage verbose debug messages that are
only useful for debugging Schannel recv decryption.

schannel_recv contains a lot of useful debug messages to help debug the
function, however in practice they are not otherwise useful and showing
them in debug builds adds a lot of noise.

To show these messages curl must now be built with
CURL_SCHANNEL_DEV_DEBUG defined.

Prior to this change many, but not all, extra-verbose messages were
wrapped in DEBUGF() so they were only shown in debug builds.

Ref: https://github.com/curl/curl/issues/14807

Closes #14826

show more ...

mprintf: treat `%o` as unsigned, add tests for `%o`, `%x`, `%X`

`%x` and `%X` were already treated as unsigned, but `%o` was not, even
though it was used with unsigned numbers.

mprintf: treat `%o` as unsigned, add tests for `%o`, `%x`, `%X`

`%x` and `%X` were already treated as unsigned, but `%o` was not, even
though it was used with unsigned numbers.

Closes #15348

show more ...

mprintf: do not ignore length modifiers of `%o`, `%x`, `%X`

There are uses of `%lx` and `%zx` in the codebase, but `parsefmt`
interpreted them as `%x`.

Closes #15348

schannel: ignore error on recv beyond close notify

When receiving data, schannel does a recv from the lower filters, e.g.
the socket, *before* it decrypts and analyses the buffered data

schannel: ignore error on recv beyond close notify

When receiving data, schannel does a recv from the lower filters, e.g.
the socket, *before* it decrypts and analyses the buffered data it
already has. When that buffer contains a close-notify, e.g. the end of
the TLS stream, any error on the previous receive from the socket are
not applicable to its return codes.

Example from #153345: a server sends a close notify and closes its
connection. The encrypted data, including the close notify is received.
Another receive on the sockets gets a CONNABORTED which curl reports as
CURLE_RECV_ERROR. Schannel analyses its bufferi, sees the close notify
and early returns to the caller. On this return, the error on the
attempted receive does not apply.

Closes #15381

show more ...

GHA: update five dependencies

- rojopolis/spellcheck-github-actions digest to ab8ac45
- nghttp2/nghttp2 to v1.64.0
- actions/cache digest to 6849a64
- github/codeql-action digest

GHA: update five dependencies

- rojopolis/spellcheck-github-actions digest to ab8ac45
- nghttp2/nghttp2 to v1.64.0
- actions/cache digest to 6849a64
- github/codeql-action digest to 6624720
- Update actions/checkout digest to 11bd719

Closes #15341
Closes #15346
Closes #15365
Closes #15366
Closes #15387

show more ...

tool_operate: split up the huge single_transfer into sub functions

- split up in a few smaller and easier to read functions
- simplify several sections
- avoid superfluous extra allo

tool_operate: split up the huge single_transfer into sub functions

- split up in a few smaller and easier to read functions
- simplify several sections
- avoid superfluous extra allocations
- remove unused debug code

Closes #15385

show more ...

setopt: split Curl_vsetopt() into several sub functions

Reduce the ~3000 line super function into smaller pieces, easier to read and
manage.

Extract the option's argument earlie

setopt: split Curl_vsetopt() into several sub functions

Reduce the ~3000 line super function into smaller pieces, easier to read and
manage.

Extract the option's argument earlier and use a fixed type instead of using
va_arg() everywhere.

Closes #15376

show more ...

cmake: avoid setting `BUILD_TESTING`

`BUILD_TESTING` variable is used by other projects and CMake internally.
Replace `cmake_dependent_option()` with `option()` and introduce an
inte

cmake: avoid setting `BUILD_TESTING`

`BUILD_TESTING` variable is used by other projects and CMake internally.
Replace `cmake_dependent_option()` with `option()` and introduce an
internal variable to track if want and can do testing.

Follow-up to #6036
Follow-up to 3a1e798009799be1e9fad30666351b66f250befb #6072

Reported-by: Robert Maynard
Fixes #15351
Closes #15355

show more ...

libssh2: delete duplicate `break`

```
lib/vssh/libssh2.c:2495:7: warning: 'break' will never be executed [-Wunreachable-code-break]
break;
^~~~~
```

CI d

libssh2: delete duplicate `break`

```
lib/vssh/libssh2.c:2495:7: warning: 'break' will never be executed [-Wunreachable-code-break]
break;
^~~~~
```

CI did not catch it due to llvm skipping this check for all #included
files. It's designed this way to avoid performance issues and false
positive when checking headers:
https://github.com/llvm/llvm-project/issues/71046

Closes #15384

show more ...

GHA: drop "3" from openssl names and keys

Also:
- drop patch suffix from cache key for thread-sanitizer local build
Follow-up to 73d2779196f5b4d5b45945e06b4bbdec11b6d921 #15379

GHA: drop "3" from openssl names and keys

Also:
- drop patch suffix from cache key for thread-sanitizer local build
Follow-up to 73d2779196f5b4d5b45945e06b4bbdec11b6d921 #15379

Closes #15383

show more ...

cmake: tidy up line order [ci skip]

GHA/windows: work around Git for Windows perf regression

Fix the significant perf regression for vcpkg jobs by switching to the
MSYS2 shell environment from Git for Windows. This env is

GHA/windows: work around Git for Windows perf regression

Fix the significant perf regression for vcpkg jobs by switching to the
MSYS2 shell environment from Git for Windows. This env is already used
for old-mingw-w64 job that remained unaffected by this issue.

The issue began with the windows-runner update 20241015.1.0. It bumped
Git for Windows from Git 2.46.2.windows.1 to Git 2.47.0.windows.1. GfW
bumped its MSYS2 components, including `msys-2.0.dll`. That's Cygwin
code, which may have contributed to this. Pipes were involved and
`runtests.pl` relies on pipes heavily in parallel mode. (The issue was
not seen with parallel tests disabled, in retrospect.)

This is useful as a permanent solution too. It drop GfW as a dependency
and makes Windows jobs use one less shell/env flavour.

Long term it might help to use native Windows Perl to avoid the MSYS
layer completely, if there is a way to make that work.

Assortment of possibly related links:
https://cygwin.com/pipermail/cygwin/2024-August/256398.html
https://github.com/cygwin/cygwin/commit/f78009cb1ccf84cc343cf2441c76196461d87532
https://github.com/cygwin/cygwin/commit/7f3c22532577ae0a926e8eb8ad63787c9841abbf

https://github.com/actions/runner-images/issues/10843
https://github.com/git-for-windows/git/issues/5199
https://github.com/git-for-windows/msys2-runtime/pull/75
https://github.com/git-for-windows/msys2-runtime/commit/7913a41703dbc476ad3cf1b85e6939ebbe524251
https://github.com/git-for-windows/msys2-runtime/commit/555afcb2f3a6638084912ce1011bd6acef59ea79
https://github.com/cygwin/cygwin/commit/1c5f4dcdc5ec3344e3fd741c43fa359d0e1323c0

Follow-up to c33174d42fc8a4a0625b46f1d09f5e79eb2abbf1 #15364
Follow-up to 1e0305973c22b1d84036fe0c4eee34aea5cd40cc #15356

Closes #15380

show more ...

GHA/linux: drop patch from openssl3 thread sanitizer

The patch is now part of the 3.4.0 stable release.
(Turns out it was part of 3.3.2 already.)

Also:
- rename this local b

GHA/linux: drop patch from openssl3 thread sanitizer

The patch is now part of the 3.4.0 stable release.
(Turns out it was part of 3.3.2 already.)

Also:
- rename this local build to match the scheme used with wolfssl.
- drop '3' from local openssl build name.
- sync job name with others.
- quote step names where missing.

Follow-up to a2bcec0ee0895c23b98aea8e72ad4e9278fa67c8 #14751
Closes #15379

show more ...