Reported-by: Joshua Rogers
Fixes curl#19227
Closes curl#19239

Closes curl#19255

It was previously two minutes by default and sometimes one minute.
Removes a struct field.

Closes curl#19254

Change the test certificate to carry a altname 'dns:127.0.0.1' which
should *not* match in test_17_05_bad_ip_addr.

wolfSSL: since `wolfSSL_check_domain_name()` does not differentiate
between DNS and IP names, use if only for DNS names. For IP addresses,
get the peer certificate after the handshake and check that using
wolfSSL_X509_check_ip_asc().

Unfortunately, this succeeds where it should not, as wolfSSL internally
used the same check code for both cases. So, skip the test case until
wolfSSL fixes that.

Reported-by: Joshua Rogers
Closes curl#19252

Also move the old name mention to a HISTORY section

Closes curl#19258

Closes curl#19259

When handling incoming DNS packets.

Reported-by: Joshua Rogers

Closes curl#19261

"Use of uninitialized value $unittests in concatenation on line 170"

Closes curl#19266

Closes curl#19263

Fixes curl#19267
Reported-by: Harry Sintonen
Closes curl#19268

Avoid a resource leak in the error path.

Reported-by: Joshua Rogers

Closes curl#19265

and completely remove the check for one

Closes curl#19260

- Move the checks into the function that needs them, cacertpaths().

Prior to this change the caller made the determination whether to skip
calling cacertpaths for cert detection. However for posterity it is
better to have the checks in cacertpaths since other code could call it.

Closes curl#19148

Replace the check if a ssl session cache is configured with
a function checking if it is configured *and* if an ssl session
cache is available.

During normal operations, a session cache is always there, however
for "connect-only" transfers this might not be the case. When such
transfers receive new sessions/tickets, they need to silently
discard those and not fail.

Reported-by: Marc Aldorasi

Fixes curl#18983
Closes curl#19251

Closes curl#19257

Closes curl#19262

This bug was found with ZeroPath

Fixes curl#19240
Reported-by: Joshua Rogers
Closes curl#19273

In pytests test_08 with the Caddy server, the new rate-limiting in
ngtcp2 did close the connection because it found "too many" stream data
packet repeats.

It is unclear if this is some Caddy issue or if the ngtcp2 implementaton
is wrong. Or if curl can do anything here.

Reported as ngtcp2/ngtcp2#1850

This PR overwrites the ratelimit defaults in ngtcp2 with ten times
increased values. This makes the errors disappear on macOS.

Enable test_08_04/05 in CI again to see if there are any issues
to be found there. (We had those disabled before having parallel
pytests.)

Closes curl#19274

Also requires non-unity build. Possibly more non-default options are
necessary to reproduce. Seen with llvm/clang.

```
lib/http.c:1856:15: error: code will never be executed [-Werror,-Wunreachable-code]
 1856 |     httpreq = HTTPREQ_GET;
      |               ^~~~~~~~~~~
1 error generated.
```

Closes curl#19275

```
lib/http.c:2783:23: error: unused variable 'conn' [-Werror,-Wunused-variable]
 2783 |   struct connectdata *conn = data->conn;
      |                       ^~~~
1 error generated.
```

Closes curl#19276

Custom IMAP commands using -X (e.g. 'FETCH 123 BODY[1]') were only
returning the first line of responses containing literals, instead of
the full multi-line body data.

The issue was that custom commands route through imap_perform_list()
and imap_state_listsearch_resp(), which didn't detect or handle IMAP
literal syntax {size}.

This commit adds literal detection to imap_state_listsearch_resp():
- Detects literal syntax {size} in untagged responses
- Writes the response header line containing the literal marker
- Handles any literal body data already in the pingpong buffer
- Sets up transfer layer to read remaining literal data from socket
- Configures maxdownload and transfer size to include header + body
- Initializes pp->overflow to 0 when no buffered data present
- Modifies imap_done() to transition to FETCH_FINAL for custom
  commands that set up downloads

Test 841 and 3206 verify.

Fixes curl#18847
Reported-by: BohwaZ
Bug: curl#18847
Closes curl#19246

Avoid putting huge chunks of repeated texts in test cases.

test3206, test1060, test1061 and test22

Closes curl#19279

Reported by ZeroPath

Closes curl#19278

Closes curl#19271

socks_gssapi: the malloc + memcpy was superflous and can be skipped

cleartext: avoid malloc + three memcpy with aprintf()

digest_sspi: use memdup0 instead of malloc + memcpy

vtls: use memdup0 instead of malloc + memcpy

Closes curl#19282

The maximum size is set to 16MB.

It should not possible to call this function with this large input, but
this is a precaution to catch mistakes and replaces the earlier check on
architectures with small size_t.

Closes curl#19280

Closes curl#19283

Also for mqttd and sockfilt. The < 1025 check was not serving any
purpose.

Follow-up to bb1391f

Continuing when one of these has failed is fragile and error-prone.

Closes curl#19513

Closes curl#19512

Closes curl#19512

An error case that previously did not properly return error.

Closes curl#19517

Sync outliers with the rest of the code.

Also:
- return error in some failed init cases, instead of `CURLE_OK`:
  1908, 1910, 1913, 2082, 3010
- lib1541: delete unused struct member.

Closes curl#19515

Follow-up to 9678ff5 curl#18776

Closes curl#19519

Closes curl#19518

URL: https://curl.se/mail/lib-2025-11/0008.html

Reported-by: Nick Korepanov
Fixes curl#19524
Closes curl#19526

Line 143: "if(duringconnect)" would always equal true. While this is
harmless, I believe this minor tweak makes the flow slightly more
obvious to the reader and avoids the redundant condition.

Pointed out by CodeSonar

Closes curl#19523

Save some cpu cycles in debug mode for getinfo. Look up env vars for
overwriting variables only when variables are actually requested.

Closes curl#19525

Cleanup the vtls pinned key matching somewhat. Add a DEBUGF
for pinned key hashes that do not match, so we can see in
traces what was going on.

Ref curl#19489
Closes curl#19529

Instead of blasting the user with infof() statements.

Reported-by: Aleksandr Sergeev
Fixes curl#19520
Closes curl#19527

Closes curl#19531

The HTTP/3 tests did send 20 transfers against nghttpx with a backend
that failed the uploads with a 400 and an incomplete response body. This
causes stream resets.

Apache keeps the connection open, but newer nghttpx closes the front
connection after "too many" reset. When that bites, it depends on the
number of transfers ongoing how the test case fails. This led to flaky
outcomes.

Reduce the transfers to just a single one and check the result of
that one. Parallelism is not important here.

refs curl#19489
Closes curl#19530

Closes curl#19473

Closes curl#19528

Also:
- extend `dir` rule to exclude C assignments.

Closes curl#19532

Also:
- GHA/checkdocs: fix CI filters to catch it early.
  Follow-up to 28dd14a curl#15797

Closes curl#19533

Causing warnings if a matched line has mask patterns.

Closes curl#19534

Replacing previous default: MD5.

You can use the existing `-s` option to override the default.

Also bump version to 1.30.

Closes curl#19359

- badwords.pl: add `-a` option to check all lines in source code files.
  Before this patch indented lines were skipped (to avoid Markdown code
  fences.)
- GHA/checksrc: use `-a` when verifying the source code.
- GHA/checksrc: disable `So` and `But` rules for source code.
- GHA/checksrc: add docs/examples to the verified sources.
- badwords.txt: delete 4 duplicates.
- badwords.txt: group and sort contractions.
- badwords.txt: allow ` url = `, `DIR`, `<file name`.

Closes curl#19536