82123417 | 06-Feb-2023 |
Daniel Stenberg |
vtls: fix failf() format argument type for %.*s handling Reported by Coverity Closes #10422 |
b0b33fe7 | 06-Feb-2023 |
Daniel Stenberg |
openssl: fix "Improper use of negative value" By getting the socket first and returning error in case of bad socket. Detected by Coverity. Closes #10423 |
30607e77 | 06-Feb-2023 |
Dan Fandrich |
packages: Remove Android.mk from makefile This was missed in commit #44141512 Ref: #10418 |
ff7c390b | 06-Feb-2023 |
Daniel Stenberg |
curl_ws_send.3: clarify how to send multi-frame messages |
ad55b236 | 06-Feb-2023 |
Mike Duglas |
ws: fix multiframe send handling Fixes #10413 Closes #10420 |
51e9cff2 | 06-Feb-2023 |
Daniel Stenberg |
unit2600: make sure numerical curl_easy_setopt sets long Follow-up to 671158242db3203 Reported-by: Marcel Raad Fixes #10410 Closes #10419 |
4f051d0e | 04-Feb-2023 |
Andy Alt |
GHA: move Slackware test into matrix Closes #10412 |
2b46ce03 | 03-Feb-2023 |
Pronyushkin Petr |
urlapi: fix part of conditional expression is always true: qlen Closes #10408 |
690c43b3 | 03-Feb-2023 |
Pronyushkin Petr |
url: fix part of conditional expression is always true Closes #10407 |
6740cf9e | 06-Feb-2023 |
Daniel Stenberg |
RELEASE-NOTES: synced |
b8766444 | 05-Feb-2023 |
Philip Heiduck |
GHA/macos.yml: bump to gcc-12 Closes #10415 |
44141512 | 05-Feb-2023 |
Daniel Stenberg |
packages: remove Android, update README - Nobody builds curl for Android using this anymore - Refreshed the README and converted to markdown Reported-by: John Porter Fixes #10416 Closes #10418 |
74040dde | 02-Feb-2023 |
Kvarec Lezki |
fopen: remove unnecessary assignment [CWE-1164] V1048: The '* tempname' variable was assigned the same value. Ref: https://pvs-studio.com/en/docs/warnings/v1048/ Closes https://github.com/curl/curl/pull/10398 |
62097a7e | 13-Jan-2023 |
Gisle Vanem |
libtest: add a sleep macro for Windows .. because sleep() is used in some libtests. Closes https://github.com/curl/curl/pull/10295 |
97f7f668 | 02-Feb-2023 |
Kvarec Lezki |
http_aws_sigv4: remove typecasts from HMAC_SHA256 macro V220: Suspicious sequence of types castings: memsize -> 32-bit integer -> memsize. https://pvs-studio.com/en/docs/warnings/v220/ Closes #10400 |
2537808d | 03-Feb-2023 |
Daniel Stenberg |
mailmap: Thomas1664 on github |
c29ccb35 | 01-Feb-2023 |
Thomas1664 on github <46387399+Thomas1664@users.noreply.github.com> |
CURLOPT_WRITEFUNCTION.3: fix memory leak in example Closes #10390 |
80c98ef6 | 02-Feb-2023 |
Kvarec Lezki |
doh: ifdef IPv6 code For disabled IPv6 a condition (conn->ip_version != CURL_IPRESOLVE_V4) is always false. https://pvs-studio.com/en/docs/warnings/v560/ Closes #10397 |
37554d7c | 02-Feb-2023 |
Daniel Stenberg |
urlapi: remove pathlen assignment "Value stored to 'pathlen' is never read" Follow-up to 804d5293f89 Reported-by: Kvarec Lezki Closes #10405 |
e1f78ce2 | 02-Feb-2023 |
Kvarec Lezki |
http: fix "part of conditional expression is always false" [CWE-570] V560: A part of conditional expression is always false: conn->bits.authneg. [CWE-570] V560: A part of conditional expression is always false: conn->handler->protocol & (0 | 0). https://pvs-studio.com/en/docs/warnings/v560/ Closes #10399 |
63c53ea6 | 02-Feb-2023 |
Daniel Stenberg |
urlapi: skip the extra dedotdot alloc if no dot in path Saves an allocation for many/most URLs. Updates test 1395 accordingly Closes #10403 |
67115824 | 01-Feb-2023 |
Stefan Eissing |
connections: introduce http/3 happy eyeballs New cfilter HTTP-CONNECT for h3/h2/http1.1 eyeballing. - filter is installed when `--http3` in the tool is used (or the equivalent CURLOPT_ done in the library) - starts a QUIC/HTTP/3 connect right away. Should that not succeed after 100ms (subject to change), a parallel attempt is started for HTTP/2 and HTTP/1.1 via TCP - both attempts are subject to IPv6/IPv4 eyeballing, same as happens for other connections - tie timeout to the ip-version HAPPY_EYEBALLS_TIMEOUT - use a `soft` timeout at half the value. When the soft timeout expires, the HTTPS-CONNECT filter checks if the QUIC filter has received any data from the server. If not, it will start the HTTP/2 attempt. HTTP/3(ngtcp2) improvements. - setting call_data in all cfilter calls similar to http/2 and vtls filters for use in callback where no stream data is available. - returning CURLE_PARTIAL_FILE for prematurely terminated transfers - enabling pytest test_05 for h3 - shifting functionality to "connect" UDP sockets from ngtcp2 implementation into the udp socket cfilter. Because unconnected UDP sockets are weird. For example they error when adding to a pollset. HTTP/3(quiche) improvements. - fixed upload bug in quiche implementation, now passes 251 and pytest - error codes on stream RESET - improved debug logs - handling of DRAIN during connect - limiting pending event queue HTTP/2 cfilter improvements. - use LOG_CF macros for dynamic logging in debug build - fix CURLcode on RST streams to be CURLE_PARTIAL_FILE - enable pytest test_05 for h2 - fix upload pytests and improve parallel transfer performance. GOAWAY handling for ngtcp2/quiche - during connect, when the remote server refuses to accept new connections and closes immediately (so the local conn goes into DRAIN phase), the connection is torn down and another attempt is made after a short grace period. This is the behaviour observed with nghttpx when we tell it to shut down gracefully.
Tested in pytest test_03_02. TLS improvements - ALPN selection for SSL/SSL-PROXY filters in one vtls set of functions, replaces copy of logic in all tls backends. - standardized the infof logging of offered ALPNs - ALPN negotiated: have common function for all backends that sets alpn property and connection related things based on the negotiated protocol (or lack thereof). - new tests/tests-httpd/scorecard.py for testing h3/h2 protocol implementation. Invoke: python3 tests/tests-httpd/scorecard.py --help for usage. Improvements on gathering connect statistics and socket access. - new CF_CTRL_CONN_REPORT_STATS cfilter control for having cfilters report connection statistics. This is triggered when the connection has completely connected. - new void Curl_pgrsTimeWas(..) method to report a timer update with a timestamp of when it happened. This allows for updating timers "later", e.g. a connect statistic after full connectivity has been reached. - in case of HTTP eyeballing, the previous changes will update statistics only from the filter chain that "won" the eyeballing. - new cfilter query CF_QUERY_SOCKET for retrieving the socket used by a filter chain. Added methods Curl_conn_cf_get_socket() and Curl_conn_get_socket() for convenient use of this query. - Change VTLS backend to query their sub-filters for the socket when checks during the handshake are made. HTTP/3 documentation on how https eyeballing works. TLS improvements - ALPN selection for SSL/SSL-PROXY filters in one vtls set of functions, replaces copy of logic in all tls backends. - standardized the infof logging of offered ALPNs - ALPN negotiated: have common function for all backends that sets alpn property and connection related things based on the negotiated protocol (or lack thereof). Scorecard with Caddy.
- configure can be run with `--with-test-caddy=path` to specify which caddy to use for testing - tests/tests-httpd/scorecard.py now measures download speeds with caddy pytest improvements - adding Makefile to clean gen dir - adding nghttpx rundir creation on start - checking httpd version 2.4.55 for test_05 cases where it is needed. Skipping with message if too old. - catch exception when checking for caddy existence on system. Closes #10349 |
b7aaf074 | 01-Feb-2023 |
Daniel Stenberg |
CODEOWNERS: remove the peeps mentioned as CI owners These owners do not have the bandwidth/energy to do the reviews which makes PRs stall and this ownership claim flawed. We can bring people back when the situation is different. Follow-up to c04c78ac87c4d46737934345a Closes #10386 |
3cc9df18 | 02-Feb-2023 |
Martin D'Aloia |
write-out.d: add 'since version' to %{header_json} documentation The documentation of `%{header_json}` missed to mention since which version this variable for `--write-out` is present. Based on commit https://github.com/curl/curl/commit/4133a69f2daa476bb we can determine from the tags where this commit is present that the first version to include it was `7.83.0`. This could be also checked with: `git tag --contains 4133a69f2daa476bb6d902687f1dd6660ea9c3c5` Closes #10395 |
7305ca63 | 31-Jan-2023 |
Daniel Stenberg |
urlapi: avoid Curl_dyn_addf() for hex outputs Inspired by the recent fixes to escape.c, we should avoid calling Curl_dyn_addf() in loops, perhaps in particular when adding something so simple as %HH codes - for performance reasons. This change makes the same thing for the URL parser's two URL-encoding loops. Closes #10384 |