RELEASE-NOTES: synced

x509asn1: make do_pubkey handle EC public keys

Closes #8757

mbedtls: bail out if rng init fails

There was a failf() call but no actual error return.

Closes #8796

urlapi: address (harmless) UndefinedBehavior sanitizer warning

`while(i--)` causes runtime error: unsigned integer overflow: 0 - 1
cannot be represented in type 'size_t' (aka 'unsigned l

urlapi: address (harmless) UndefinedBehavior sanitizer warning

`while(i--)` causes runtime error: unsigned integer overflow: 0 - 1
cannot be represented in type 'size_t' (aka 'unsigned long')

Closes #8797

show more ...

test{898,974,976}: add 'HTTP proxy' keywords

... so the tests can be automatically skipped when
testing external HTTP proxies like Privoxy.

Closes #8791

gskit_connect_step1: fixed bogus setsockopt calls

setsockopt takes a reference to value, not value. With the current
code this just leads to -1 return value with errno EFAULT.

C

gskit_connect_step1: fixed bogus setsockopt calls

setsockopt takes a reference to value, not value. With the current
code this just leads to -1 return value with errno EFAULT.

Closes #8793

show more ...

CURLOPT_SSH_AUTH_TYPES.3: fix the default

The default is all possible methods.

Closes #8792

CURLOPT_DOH_URL.3: mention the known bug

It is mostly duplicating info from KNOWN_BUGS but make it easier to find
for users of this option.

Closes #8790

CURLOPT_HSTS*FUNCTION.3: document the involved structs as well

Reviewed-By: Daniel Gustafsson
Closes #8788

docs/SECURITY-PROCESS.md: "Visible command line arguments"

SECURITY-PROCESS: mention "URL inconsistencies"

... as common problems that are *not* vulns.

contributors: strip off final comma

The final row of contributors should not end with a comma as it's the
end of the list.

Closes: #8785
Reviewed-by: Daniel Stenberg <daniel

contributors: strip off final comma

The final row of contributors should not end with a comma as it's the
end of the list.

Closes: #8785
Reviewed-by: Daniel Stenberg <daniel@haxx.se>

show more ...

misc: use "autoreconf -fi" instead buildconf

Signed-off-by: Philip H <47042125+pheiduck@users.noreply.github.com>
Closes #8777

cirrus: Use pip for Python packages on FreeBSD

Using pip instead of easy_install is more in line with how other
CI images are being maintained.

Closes: #8783
Reviewed-by: Da

cirrus: Use pip for Python packages on FreeBSD

Using pip instead of easy_install is more in line with how other
CI images are being maintained.

Closes: #8783
Reviewed-by: Daniel Gustafsson <daniel@yesql.se>

show more ...

cirrus: Update to FreeBSD 12.3

Closes: #8783
Reviewed-by: Daniel Gustafsson <daniel@yesql.se>

tool_getparam: simplify conditional statement

param_place cannot be NULL here since we immediately efter this block
perform arithmetic on it (and use it in order to get here) so there is

tool_getparam: simplify conditional statement

param_place cannot be NULL here since we immediately efter this block
perform arithmetic on it (and use it in order to get here) so there is
little reason to check.

Closes: #8786
Reviewed-by: Daniel Stenberg <daniel@haxx.se>

show more ...

RELEASE-NOTES: synced

gskit: remove unused function set_callback

This function has been unused since the initial commit of the GSKit
backend in 0eba02fd4. The motivation for the code was getting the
whol

gskit: remove unused function set_callback

This function has been unused since the initial commit of the GSKit
backend in 0eba02fd4. The motivation for the code was getting the
whole certificate chain: the only place where the latter is available
is as a callback parameter. Unfortunately it is not possible to pass
a user pointer to this callback, which precludes the possibility to
associate the cert chain with a data/conn structure.

For further information, search for pgsk_cert_validation_callback on:
https://www.ibm.com/docs/api/v1/content/ssw_ibm_i_71/apis/gsk_attribute_set_callback.htm

As the upstream library never added a parameter like that to the API,
we give up the wait and remove the dead code.

Closes: #8782
Reviewed-by: Patrick Monnerat <patrick@monnerat.net>

show more ...

curl: free resource in error path

If the new filename cannot be generated due to memory pressure, free
the allocated aname on the way out to avoid a small leak.

Closes: #8770

curl: free resource in error path

If the new filename cannot be generated due to memory pressure, free
the allocated aname on the way out to avoid a small leak.

Closes: #8770
Reviewed-by: Daniel Stenberg <daniel@haxx.se>

show more ...

curl: guard against size_t wraparound in no-clobber code

When generating the new filename, make sure we aren't overflowing the
size_t limit when calculating the new length. This is mostl

curl: guard against size_t wraparound in no-clobber code

When generating the new filename, make sure we aren't overflowing the
size_t limit when calculating the new length. This is mostly academic
but good code hygeine nonetheless.

Closes: #8771
Reviewed-by: Daniel Stenberg <daniel@haxx.se>

show more ...

gha: build msh3

Closes #8779

scripts/cijobs.pl: try "current branch" first then "master"

msh3: get msh3 version from MsH3Version

Closes #8762

msh3: psss remote_port to MsH3ConnectionOpen

MsH3 supported additional "Port" parameter to connect not hosted on
443 port QUIC website.

* https://github.com/nibanks/msh3/release

msh3: psss remote_port to MsH3ConnectionOpen

MsH3 supported additional "Port" parameter to connect not hosted on
443 port QUIC website.

* https://github.com/nibanks/msh3/releases/tag/v0.3.0
* https://github.com/nibanks/msh3/pull/37

Closes #8762

show more ...

openssl: define HAVE_SSL_CTX_SET_EC_CURVES for libressl

SSL_CTX_set1_curves_list() has been available since LibreSSL 2.5.3,
released five years ago.

Bug: https://curl.se/mail/li

openssl: define HAVE_SSL_CTX_SET_EC_CURVES for libressl

SSL_CTX_set1_curves_list() has been available since LibreSSL 2.5.3,
released five years ago.

Bug: https://curl.se/mail/lib-2022-04/0059.html
Closes #8773

show more ...