Made the netrc parser return a more consistent set of error codes and
error messages, and also return error properly if the .netrc file is
missing.

Add test 697 to verify error on missing netrc file.

Fixes #16163
Reported-by: arlt on github

Closes #16158

We don't pursue this, and the necessary `#pragma` got in the way of
compiling curl with gcc 4.2 and older. Drop the logic completely.

Follow-up to 8a266ac4 #15939

Reported-by: prpr19xx on Github
Fixes #16152
Closes #16157

Those 2 symbols were available since the first 7.1.1 release

Closes #16141

For ASN.1 tags with indefinite length, curl's own parser for TLS
backends that do not support certificate inspection calls itself
recursively. A malicious server certificate can then lead to high
recursion level exhausting the stack space.

This PR limits the recursion level to 16 which should be safe on all
architectures.

Added unit test 1657 to verify behaviour.

Fixes #16135
Reported-by: z2_
Closes #16137

Closes #16118

The condition `!$cmdtype eq "perl"` (introduced in a4765b05) is always
false. It checks whether a logical negation (giving true/false) is equal
to the string `"perl"`. This is impossible, so the logging never worked.

The intent was probably to negate the result of the string
comparison:`!($cmdtype eq "perl")` or simply `$cmdtype ne "perl"`.

Fixes #16128
Reported-by: Igor Todorovski
Closes #16129

While this is useful on CI to highlight issues in the scripts, it's a
recipe for pain when enabled on users' builds.

Suggested-by: Leon Timmermans
Ref: #16128

- replace deprecated `ares_init()` call with `ares_init_options()`.
  Follow-up to 0d4fdbf1 #16054

- dedupe `CARES_STATICLIB` initalizations into `curl_setup.h`, to
  ensure it's defined before the first (and every) `ares.h` include and
  avoid a potential confusion.

- move `CARES_NO_DEPRECATED` from build level to `curl_setup.h`.
  To work regardless of build system.
  It is necessary because curl calls `ares_getsock()` from two places,
  of which one feeds a chain of wrappers: `Curl_ares_getsock()`,
  `Curl_resolver_getsock()`, `Curl_resolv_getsock()`.

Closes #16131

- drop `--quiet 2` option where used, to have uniform output.
- replace `apt` with `apt-get` in one job. sync options with rest.
- replace deprecated `apt-key` command with the alternative recommended
  by `apt-key(8)`.
- drop stray `cd /tmp`, no longer needed after migrating to GHA.
- shorten `--option Dpkg::Use-Pty=0` to `-o Dpkg::Use-Pty=0`.
- add `-o Dpkg::Use-Pty=0` to hide `apt-get` progress bars taking
  vertical log space, where missing.
- drop `-y --no-install-suggests --no-install-recommends` `apt-get`
  options. They are the default in the ubuntu-24.04 image.
- GHA/distcheck: move `name:` to top in steps where not there.
- scripts/cijobs.pl: catch `apt-get` lines with the `-o` option.

Closes #16127

Closes #16044

The socket was closed while the handle was still in use, so
curl_easy_cleanup ended up setting nonblocking mode on a closed handle.

Closes #16123

To match existing warnings for Secure Transport and BearSSL.

OpenSSL 1.1.1 or upper are offering TLS 1.3 support.

Ref: https://wiki.openssl.org/index.php/TLS1.3

Closes #16120

Ref: #16118
Closes #16121

When parallel connects are attempted, the second one is started on a
delay. Start it right away when the first one failed.

Closes #16114

Range matches are not supported with `+`: https://git-scm.com/docs/gitignore

Also sync `.gitignore` file lists with source files and alphasort them.

Follow-up to 5c31c2e6 #16093
Reported-by: Stefan Eissing
Fixes #16112
Fixes #16115
Closes #16116

When a QUIC connection using ngtcp2 failed immediately, the TLS
instances were not always released.

Closes #16113

Closes #16110

`lib/vtls/wolfssl.c` enforces it via a hard #error.

Cherry-picked from #16104

Before this patch this macro was used in `vtls/openssl.h` without
setting it first, causing the `keylog_done` member be present in
struct `ossl_ctx` while the code did not use it.

Follow-up to 32101010 #13172
Closes #16105

Follow-up to c31041b1 #13904
Closes #16103

Reported-by: Harry Sintonen
Closes #16109

RFC 6455 Section 5.2 notes that for bits RSV1, RSV2, and RSV3 of the
framing header, a non-zero value that is not defined by a negotiated
extension MUST Fail the WebSocket connection.

Test 2310 verifies

Closes #16069

- Use build-time CURL_DEFAULT_SSL_BACKEND as a fallback when environment
  variable CURL_SSL_BACKEND contains a backend that is unavailable.

Prior to this change if CURL_SSL_BACKEND was set then
CURL_DEFAULT_SSL_BACKEND was ignored even if the backend of the former
was unavailable. In that case libcurl would instead select the first
available backend in the list of backends.

Bug: https://github.com/curl/curl/issues/16076#issuecomment-2617354254
Reported-by: Jeroen Ooms

Closes https://github.com/curl/curl/pull/16108

- Detach and disconnect an attached connection before performing.

Prior to this change it was not possible to safely reuse an easy handle
with an attached connection in a second call to curl_easy_perform. The
only known case of this is a connect-only type handle where the
connection was detached when curl_easy_perform returned, only to be
reattached by either curl_easy_send/recv.

This commit effectively reverts 2f8ecd5d and be82a360, the latter of
which treated the reuse as an error. Prior to that change undefined
behavior may occur in such a case.

Bug: https://curl.se/mail/lib-2025-01/0044.html
Reported-by: Aleksander Mazur

Closes https://github.com/curl/curl/pull/16008

Closes #16107

Store the received data correctly.

Closes #16107

Follow-up to 71cf0d1f #14772

Necessary to catch rare cases when `checksrc` hits these files when they
are not populated yet:
```
./curltool_unity.c:1:1: error: Missing copyright statement (COPYRIGHT)
 ^
```
https://github.com/curl/curl/actions/runs/12995546740/job/36242556713?pr=16094#step:37:123

Follow-up to 71cf0d1f #14772
Closes #16102

Also fix indentation/formatting around similar pragmas.

Closes #16101

It had shorthand aliases to launch `./configure` and
`./configure --with-openssl`. The former hasn't worked for a long while
because of missing TLS.

Its `ca-bundle` and `ca-firefox` targets have been broken for 2.5 years
till recently. These targets also exist in `./configure` and have been
working all along.

Also:
- cmake: add support `curl-ca-bundle` and `curl-ca-firefox` targets.
- tests/testcurl.pl: drop obsolete build logic.

Closes #16094

- `.gitignore`: delete, dedupe and move rules upwards.
  Ref: 6389ba87 #13311
- `.gitignore`: fix generated test sources.
  Follow-up to 71cf0d1f #14772
- `.gitignore`: replace exe listings with a wildcard.
- lib: move `setup-*.h` from `EXTRA_DIST` to `CURL_HFILES`.
- `makedebug.bat`: uppercase an argument to match docs.
- GHA/non-native: delete stray env.
  Follow-up to 12a6de2f #16043
- sort source lists.

Closes #16093

Problems that only trigger using *legacy* dependencies are not
considered security problems.

Closes #16086

By better sticking to listing the struct members sorted by size, this
struct is now 48 bytes smaller on my fairly maximized build, without
removing anything.

Turned 'connect_only' into two bits instead of an unsigned char with two
magic values.

Also put the 'gssapi_delegation' field within ifdef HAVE_GSSAPI.

Closes #16097