Pending RELEASE-NOTES for the upcoming release

This is work in progress and will change before the release goes public on 2025-04-02.

Changes:

• curl: add write-out variable 'tls_earlydata'
• curl: make --url support a file with URLs
• gnutls: set priority via --ciphers
• IMAP: add CURLOPT_UPLOAD_FLAGS and --upload-flags
• lib: add CURLFOLLOW_OBEYCODE and CURLFOLLOW_FIRSTONLY
• OpenSSL/quictls: add support for TLSv1.3 early data
• rustls: add support for CERTINFO
• var: add a '64dec' function that can base64 decode a string
• wolfssl: tls early data support

Bugfixes:

• addrinfo: add curl macro to avoid redefining foreign symbols
• asyn-thread: avoid the separate 'struct resdata' alloc
• asyn-thread: avoid the separate curl_mutex_t alloc
• asyn-thread: do not allocate thread_data separately
• asyn-thread: remove 'status' from struct Curl_async
• autotools: fix `dllmain.c` in unity builds
• autotools: fix `libtest` bundle to depend on `FIRSTFILES`
• autotools: use `CURLDEBUG` to exclude TrackMemory code from unity
• base64: drop `BUILDING_CURL` macro, always include in tests/server
• build: add Windows CE / CeGCC support, with CI jobs
• build: cmake multi-pkg-config detection improvements (brotli, ldap, mbedtls)
• build: do not apply curl debug macros to `tests/server` by default
• build: drop unused `getpart` tool
• build: enable -Wjump-misses-init for GCC 4.5+
• build: enable `-Wcast-qual`, fix or silence compiler warnings
• build: fix compiler warnings in feature detections
• build: replace Curl_ prefix with curlx_ for functions used in servers
• build: set `-O3` and tune WinCE in CI, fix `getpart`, `vtls_scache` fallouts
• build: set `HAVE_STDINT_H` if `stdint.h` is available
• build: set `HAVE_WRITABLE_ARGV` for Apple cross-builds
• build: silence bogus `-Wconversion` warnings with gcc 5.1-5.4
• build: silence mingw32ce C99 format warnings, simplify CI
• build: tidy-ups around `inet_pton`
• c-ares: error out for unsupported versions, drop unused macros
• ca-native.md: sync with CURLSSLOPT_NATIVE_CA
• cf-socket: deduplicate Windows Vista detection
• cf-socket: remove empty switch
• client writer: handle pause before decoding
• cmake: `CURL_LIBDIRS` improvements (upstreamed from vcpkg)
• cmake: `SHARE_LIB_OBJECT=ON` requires CMake 3.12 or newer
• cmake: add pre-fill for Unix, enable in GHA/macos, verify pre-fills
• cmake: allow `CURL_STATIC_CRT` with shared libcurl and no curl exe
• cmake: allow `CURL_STATIC_CRT` with UCRT VS2015+ builds
• cmake: allow empty `IMPORT_LIB_SUFFIX`, add suffix collision detection
• cmake: avoid `-Wnonnull` warning in `HAVE_FSETXATTR_5` detection
• cmake: disable HTTPS-proxy as a feature if proxy is disabled
• cmake: drop `CURL_DISABLE_TESTS` option
• cmake: drop `HAVE_C_FLAG_Wno_long_double` logic for ancient Apple gcc
• cmake: drop `HAVE_IN_ADDR_T` from pre-fill too
• cmake: drop two stray TLS feature checks for wolfSSL
• cmake: exclude `-MP` for `clang-cl` again
• cmake: fix `HAVE_ATOMIC`/`HAVE_STDATOMIC` pre-fill for clang-cl
• cmake: fix detection pre-fills for iOS
• cmake: fix ECH detection in custom-patched OpenSSL
• cmake: hide empty `MINGW64_VERSION` output for mingw32ce
• cmake: improve httpd detection for pytest
• cmake: mention 'insecure' in the debug build warning
• cmake: misc tidy-ups
• cmake: pre-fill known type sizes for Windows OSes
• cmake: restrict static CRT builds to static curl exe, test in CI
• cmake: sync cutoff version with autotools for picky option `-ftree-vrp`
• cmake: sync OpenSSL(-fork) feature checks with `./configure`
• cmake: unity mode optimization for non-`CURLDEBUG` `testdeps` targets
• CODE_STYLE: readability and banned functions
• configure: call the blocking resolver "blocking", not "default"
• configure: silence compiler warnings in feature checks, drop duplicates
• configure: use `curl_cv_apple` variable
• conn: fix connection reuse when SSL is optional
• contributors.sh: lowercase 'github' for consistency
• contrithanks.sh: update docs/THANKS in place
• cookie: do prefix matching case-sensitively
• cookie: minor parser simplification
• cookie: simplify invalid_octets()
• core: stop redefining `E*` macros on Windows, map `EACCES`, related fixes
• curl.h: change some enums to defines with L suffix
• curl.h: convert CURLUSESSL* names to defines
• curl.h: stop defining non-curl `__has_declspec_attribute`
• curl.h: switch `CURL_HTTP_VERSION*` enums to long constants
• curl: add my_setopt_long() and _offt()
• curl_msh3: remove verify bypass from DEBUGBUILDs
• curl_setup: drop `ERANGE` (for WinCE), no longer used
• curl_setup_once: drop `E*` macro redefines unused (with winsock2)
• curl_setup_once: stop redefining `ENAMETOOLONG` to winsock2 error code
• curl_trc: fix build with CURL_DISABLE_VERBOSE_STRINGS
• curl_ws_recv.md: expand a little on the fragments the API delivers
• CURLMOPT_SOCKETFUNCTION.md: add advice for socket callback invocation
• CURLOPT_HTTPHEADER.md: add comments to the example
• CURLOPT_HTTPHEADER.md: rephrases
• curltime: use libcurl time functions in src and tests/server
• DISABLED: add 313 for sectransp (move from GHA/macos)
• docs/cmdline-opts: unify HTTP version style in --help output
• docs: adapt to removed --with-random
• docs: add FD_ZERO to curl_multi_fdset example
• docs: bump `rustls` to 0.14.1
• docs: correct argument names & URL redirection
• docs: minor edits to please the new spellchecker regime
• docs: vulnerabilities in debug code are not eligible for a bounty
• doh: improve HTTPS RR svcparams parsing
• doh: remove wrong but unreachable exit path from doh_decode_rdata_name
• easy: fix warning about possible comma misuse
• eventfd: allow use on all CPUs
• examples: prefer `return` over `exit()` (cont.)
• ftp/sftp: strdup data info memory
• ftp: fix comment
• gnutls: fix connection state check on handshake
• gnutls: fix use of pkcs11 urls for keys/certs
• gtls: fix uninitialized variable
• hash: use single linked list for entries
• hostip: don't use alarm() for DoH resolves
• hostip: make CURLOPT_RESOLVE support replacing IPv6 addresses
• http2: add on_invalid_frame callback for error detection
• http2: detect session being closed on ingress handling
• http2: enhance error messages on Curl_dyn* upon receiving headers
• http2: reset stream on response header error
• HTTP3.md: only speak about minimal versions
• http: convert parsers to strparse
• http: fix NTLM info message typo
• http: fix the auth check
• http: make the RTSP version check stricter
• http: negotiation and room for alt-svc/https rr to navigate
• http: remove a HTTP method size restriction
• http: version negotiation
• http_aws_sigv4: cannot be used for proxy
• http_aws_sigv4: use strparse more for parsing
• http_chunks: replace a strofft call with curl_str_hex
• https-rr: implementation improvements
• httpsrr: fix port detection
• httpsrr: fix the HTTPS-RR threaded-resolver build combo
• INSTALL-CMAKE.md: CMake usage updates
• INSTALL-CMAKE.md: mention `ZLIB_USE_STATIC_LIBS`
• lib1156: pass longs to `curl_easy_setopt()`
• lib2302: fix crash due to stack overflow on MSVC and clang Windows
• lib: better optimized casecompare() and ncasecompare()
• lib: clear up CURLRES_ASYNCH vs USE_CURL_ASYNC use
• lib: fix two curlx_strtoofft invokes
• lib: rename curlx_strtoofft to Curl_str_numblanks()
• lib: replace while(ISBLANK()) loops with Curl_str_passblanks()
• lib: simplify more white space loops
• lib: strtoofft.h header cleanup
• lib: use Curl_str_* instead of strtok_r()
• lib: use Curl_str_number() for parsing decimal numbers
• libssh2: fix freeing of resources in disconnect
• libssh2: fix memory leak in `SSH_SFTP_REALPATH` state
• libssh2: print user with verbose flag
• libssh: fix freeing of resources in disconnect
• libssh: fix scp large file upload for 32-bit size_t systems
• libtest/libprereq.c: set CURLOPT_FOLLOWLOCATION with a long
• managen: accept more markdown-quote-markers
• managen: correct the warning for un-escaped '<' and '>'
• memdebug.h: avoid `-Wredundant-decls` with an extra guard
• mprintf: switch three number parsers to use strparse
• msvc: drop support for VS2005 and older
• multi: call protocol handler done() if PROTOCONNECT or later
• multi: event based rework
• multi: kill off remaining internal handles in curl_multi_cleanup
• multi: start the loop over when handles are removed
• ngtcp2: do not iterate over multi handles
• ntlm: merge ntlm.h into ntlm.c
• openssl-quic: do not iterate over multi handles
• openssl: check return value of X509_get0_pubkey
• openssl: drop support for old OpenSSL/LibreSSL versions
• openssl: fix pkcs11 URI checking for key files.
• openssl: remove bad `goto`s into other scope
• pytest: test negotiate with http proxy
• quiche: do not iterate over multi handles
• RELEASE-PROCEDURE.md: explain release candidates
• request: clear sendbuf_hds_len when resetting request bufq
• resolve: fix building without Unix sockets and `CURLDEBUG`
• runtests: accept `CURL_DIRSUFFIX` without ending slash
• runtests: check and report if `diff` tool is missing
• runtests: drop recognizing 'winssl' as Schannel
• runtests: drop ref to unused external function
• runtests: fix SSH server not starting in cases, re-ignore failing vcpkg CI jobs
• runtests: recognize AWS-LC as OpenSSL
• runtests: support multi-target cmake, drop workarounds from CI
• rustls: cap maximum allowed CRL file size to 8MB
• schannel: deduplicate Windows Vista detection
• schannel: enable ALPN support under WINE 6.0+
• schannel: enable ALPN with MinGW, fix ALPN for UWP builds
• schannel: guard ALPN init code to ALPN builds
• scripts/managen: fix option 'single'
• scripts/managen: fix parsing of markdown code sections
• sectransp: add support for HTTP/2 in gcc builds
• sendf: client reader line conversion: do not change data->state.infilesize
• setopt: illegal CURLOPT_SOCKS5_AUTH should return error
• setopt: remove unnecessary void pointer typecasts
• setopt: setting PROXYUSERPWD after PROXYUSERNAME/PASSWORD is fine
• shutdowns: split shutdown handling from connection pool
• socks: remove bad assert from do_SOCKS5()
• src: avoid strdup on platforms not doing UTF-8 conversions
• src: cleanup ISBLANK vs ISSPACE
• src: remove Curl_ prefix from tool-specific function
• src: remove final uses of Curl_ symbol prefixes in tool code
• src: replace strto[u][ld] with curlx_str_ parsers
• ssh: consider sftp quote commands case sensitive
• ssl session cache: add exportable flag
• strparse: make Curl_str_number() return error for no digits
• strparse: switch the API to work on 'const char *'
• strparse: switch to curl_off_t as base data type
• test1022: add support for rc releases
• test1167: catch #defines with extra whitespace
• test489: set output dir
• tests/certs: cleanup
• tests/server: drop unused `base64.pl`
• tests/server: fix to check against winsock2 error codes on Windows
• tests/server: give global `path` variable a more descriptive name
• tests/server: replace `errno` with `SOCKERRNO` in sockfilt, socksd, sws
• tests/server: replace `strerror` with `sstrerror` in socksd
• tests/server: support bundle binary
• tests/server: sync `wait_ms()` with the libcurl implementation
• tests/server: use `curlx_str_numblanks()` to avoid `errno`
• tests/servers.pm: remove unused variable 'portrange'
• tests: fix comment in lib533
• tests: fix enum/int confusion, fix autotools `CFLAGS` for `servers`
• tests: make sure 'commands.log' is generated in the correct logdir
• tests: mark tests 1631, 1632 flaky
• tests: reformat error messages to avoid tripping MSBuild
• tftpd: prefix TFTP protocol error `E*` constants with `TFTP_`
• tidy-up: align MSYS2/Cygwin codepaths, follow Cygwin `MAX_PID` bump
• tidy-up: delete, comment or scope C macros reported unused
• tidy-up: drop unused `CURL_INADDR_NONE` macro and `in_addr_t` type
• tidy-up: use `CURL_ARRAYSIZE()`
• timediff: fix comment for curlx_mstotv()
• timediff: remove unnecessary double typecast
• tool_dirhie: create dir hierarchy without strtok
• tool_getparam: clear sensitive arguments better
• tool_getparam: do parse_upload_flags without the alloc/free
• tool_getparam: parse --trace-config without strdup()/free()
• tool_getparam: parse_header() without strtok
• tool_operate: change "1 retries" to "1 retry"
• tool_operate: fail SSH transfers without server auth
• tool_operate: remove unnecessary (long) typecasts
• tool_paramhlp: do --proto parsing without strtok
• tool_parsecfg: make my_get_line skip comments and newlines
• tool_setopt: reduce use of "code hiding" macros
• url: call protocol handler's disconnect in Curl_conn_free
• urlapi: fix redirect from file:// with query, and simplify
• urlapi: simplify junkscan
• urldata: remove 'hostname' from struct Curl_async
• variable.md: clarify 'trim' example
• vtls: fix compiler warnings seen with gcc 7.3.0 and mbedTLS
• winbuild: reduce command-line length by dropping whitespace
• windows: do not use winsock2 `inet_ntop()`/`inet_pton()`
• windows: drop code and curl manifest targeting W2K and older
• wolfssh: fix freeing of resources in disconnect
• wolfssh: retrieve the error using wolfSSH_get_error
• wolfssl: fix CA certificate multiple location import
• wolfssl: fix unused variable warning
• wolfssl: warn if CA native import option is ignored
• wolfssl: when using PQ KEM, use ML-KEM, not Kyber
• ws: corrected curlws_cont to reflect its documented purpose
• ws: fix and extend CURLWS_CONT handling
• zlib: bump minimum to 1.2.5.2 (was: 1.2.0.4)

Contributors:

Anthony Hu, Calvin Ruocco, Carlos Henrique Lima Melara, Catena cyber, Christian Schmitz, Dan Fandrich, Daniel McCarney, Daniel Stenberg, dependabot[bot], Derek Huang, Dexter Gerig, Ethan Wilkes, Harry Sintonen, Jan Macku, Jeremy Drake, John Bampton, Joseph Chen, Justin Steventon, Kai Pastor, kayrus on github, kriztalz, Lars Karlitski, Laurențiu Nicola, lf- on github, Marcel Raad, Marius Albrecht, Mark Phillips, Martxel, Michał Antoniak, Ondřej Hlavatý, Orgad Shaneh, Peng-Yu Chen, Philippe Antoine, qhill on github, Ray Satiro, renovate[bot], Rinku Das, rmg-x on github, Ronald Crane, RubisetCie on github, saimen, Samuel Dionne-Riel, Samuel Henrique, Scott Talbert, Sergey, Stefan Eissing, stevenpackardblp on github, Tatsuhiro Tsujikawa, Tianyi Song, Timo Tijhof, tiymat, Viktor Szakats, Vulpes Vulpes, Yedaya Katsman, Zenju on github, Zhang Wen, Zhaoming Luo