Upgrade to 8.4.0

That in particular fixes CVE-2023-38545 CVE-2023-38546.

15 files changed, 369 insertions, 72 deletions

diff --git a/README-DEV b/README-DEV
index 2c75418..1b6895f 100644
--- a/README-DEV
+++ b/README-DEV
@@ -28,11 +28,11 @@ Debian and Fedora distributions. The configuration options defining these sets
 are specified in the Debian's rules and Fedora's RPM .spec files. These files
 can be obtained as follows:
 
-$wget http://deb.debian.org/debian/pool/main/c/curl/curl_7.88.1-6.debian.tar.xz
-$ tar xf curl_7.88.1-6.debian.tar.xz
+$ wget http://deb.debian.org/debian/pool/main/c/curl/curl_8.3.0-3.debian.tar.xz
+$ tar xf curl_8.3.0-3.debian.tar.xz
 
-$ wget https://kojipkgs.fedoraproject.org/packages/curl/7.88.1/1.fc39/src/curl-7.88.1-1.fc39.src.rpm
-$ rpm2cpio curl-7.88.1-1.fc39.src.rpm | cpio -civ '*.spec'
+$ wget https://kojipkgs.fedoraproject.org/packages/curl/8.4.0/1.fc40/src/curl-8.4.0-1.fc40.src.rpm
+$ rpm2cpio curl-8.4.0-1.fc40.src.rpm | cpio -civ '*.spec'
 
 As a side note, on Debian and Fedora the source, library, headers, and tools
 are packaged as follows:
@@ -48,24 +48,25 @@ Here are the discovered configuration options.
 
 Debian:
 
-  --disable-symbol-hiding --enable-versioned-symbols
-  --enable-threaded-resolver --with-lber-lib=lber
-  --with-gssapi=/usr --with-libssh2 --with-nghttp2
+  --disable-dependency-tracking --disable-symbol-hiding
+  --enable-versioned-symbols --enable-threaded-resolver --with-lber-lib=lber
+  --with-gssapi=/usr --with-nghttp2
   --with-zsh-functions-dir=/usr/share/zsh/vendor-completions
-  --with-openssl
+  --without-libssh --with-libssh2
+  --with-openssl --with-gnutls
   --with-ca-path=/etc/ssl/certs
   --with-ca-bundle=/etc/ssl/certs/ca-certificates.crt
 
 Fedora:
 
-  --disable-static --enable-symbol-hiding --enable-ipv6
-  --enable-threaded-resolver --with-gssapi --with-nghttp2 --with-ssl
-  --with-ca-bundle=/etc/pki/tls/certs/ca-bundle.crt
-  --enable-ldap --enable-ldaps --enable-manual --with-brotli --with-libidn2
-  --with-libpsl --with-libssh
-  --enable-hsts --without-zstd --enable-dict --enable-gopher --enable-imap
-  --enable-mqtt --enable-ntlm --enable-ntlm-wb --enable-pop3 --enable-rtsp
-  --enable-smb --enable-smtp --enable-telnet --enable-tftp --enable-tls-srp
+  --disable-static --enable-hsts --enable-ipv6 --enable-symbol-hiding
+  --enable-threaded-resolver --without-zstd --with-gssapi --with-libidn2
+  --with-nghttp2 --with-ssl --with-ca-bundle=/etc/pki/tls/certs/ca-bundle.crt
+  --enable-dict --enable-gopher --enable-imap --enable-ldap --enable-ldaps
+  --enable-manual --enable-mqtt --enable-ntlm --enable-ntlm-wb --enable-pop3
+  --enable-rtsp --enable-smb --enable-smtp --enable-telnet --enable-tftp
+  --enable-tls-srp --enable-websockets --with-brotli --with-libpsl
+  --with-libssh
 
 The union of these feature sets translates into the following options:
 
@@ -74,10 +75,11 @@ The union of these feature sets translates into the following options:
   --with-nghttp2 --with-zsh-functions-dir=<path> --with-ca-path=<path>
   --with-ca-bundle=<path> --enable-ipv6 --with-openssl --enable-ldap
   --enable-ldaps --enable-manual --with-brotli --with-libidn2
-  --with-libpsl --with-libssh
+  --with-libpsl --with-libssh --with-gnutls
   --enable-hsts --enable-dict --enable-gopher --enable-imap
   --enable-mqtt --enable-ntlm --enable-ntlm-wb --enable-pop3 --enable-rtsp
   --enable-smb --enable-smtp --enable-telnet --enable-tftp --enable-tls-srp
+  --enable-websockets
 
 We, however, drop the external dependencies that are not packaged for build2,
 disable default CA bundle/directory and use --with-ca-fallback instead,
@@ -89,11 +91,12 @@ explicitly request to use zlib and end up with the following options:
   --without-gssapi --without-libssh --without-libssh2 --without-nghttp2
   --without-zsh-functions-dir --without-brotli --without-libidn2
   --without-libpsl --without-bearssl --without-libgsasl --without-hyper
-  --without-rustls --without-wolfssh
+  --without-rustls --without-wolfssh --without-gnutls
   --without-ca-bundle --without-ca-path --with-ca-fallback
   --enable-hsts --enable-dict --enable-gopher --enable-imap
   --enable-mqtt --enable-ntlm --enable-ntlm-wb --enable-pop3 --enable-rtsp
   --enable-smb --enable-smtp --enable-telnet --enable-tftp --enable-tls-srp
+  --enable-websockets
 
 See the configuration options description at the "Install from source" page
 (https://curl.se/docs/install.html).
@@ -151,6 +154,7 @@ $ ../configure --enable-symbol-hiding --enable-versioned-symbols \
   --enable-hsts --enable-dict --enable-gopher --enable-imap \
   --enable-mqtt --enable-ntlm --enable-ntlm-wb --enable-pop3 --enable-rtsp \
   --enable-smb --enable-smtp --enable-telnet --enable-tftp --enable-tls-srp \
+  --enable-websockets \
   >build.log 2>&1
 $ make V=1 >>build.log 2>&1
 
diff --git a/curl/.gitignore b/curl/.gitignore
index 3dcc22f..d4a1da2 100644
--- a/curl/.gitignore
+++ b/curl/.gitignore
@@ -13,6 +13,7 @@
 *.ifc
 *.so
 *.so.*
+*.dylib
 *.dll
 *.a
 *.lib
diff --git a/curl/README-DEV b/curl/README-DEV
index 760e273..fa202e4 100644
--- a/curl/README-DEV
+++ b/curl/README-DEV
@@ -5,11 +5,16 @@ understanding will be useful when upgrading to a new upstream version. See
 Symlink the required upstream directories into curl/:
 
 $ ln -s ../../upstream/{src,lib} curl
-$ ln -s lib/{strtoofft,nonblock,warnless,dynbuf,version_win32,curl_multibyte}.c curl
+$ ln -s lib/{strtoofft,nonblock,warnless,dynbuf,version_win32,curl_multibyte,base64}.c curl
 $ ln -s ../../libcurl/libcurl/curl_config.h curl
 
 Patch curl to use CA certificate bundle provided by the
 libca-certificates-curl package by default:
 
+$ cp curl/src/tool_main.c curl/tool_main.c.orig
 $ cp curl/src/tool_main.c curl
-$ patch -p0 <curl/tool_main.c.patch
+$ git apply curl/tool_main.c.patch
+
+Note that the above patch is produced by the following command:
+
+$ git diff >curl/tool_main.c.patch
diff --git a/curl/curl/base64.c b/curl/curl/base64.c
new file mode 120000
index 0000000..6a380e3
--- /dev/null
+++ b/curl/curl/base64.c
@@ -0,0 +1 @@
+lib/base64.c
\ No newline at end of file
diff --git a/curl/curl/buildfile b/curl/curl/buildfile
index 9780540..cdd8f9f 100644
--- a/curl/curl/buildfile
+++ b/curl/curl/buildfile
@@ -11,7 +11,7 @@ tsys   = $c.target.system
 
 # Build options.
 #
-c.poptions += -DHAVE_CONFIG_H
+c.poptions += -DBUILDING_CURL -DHAVE_CONFIG_H
 
 switch $tclass, $tsys
 {
diff --git a/curl/curl/tool_main.c b/curl/curl/tool_main.c
index 0eb4e6d..494ec02 100644
--- a/curl/curl/tool_main.c
+++ b/curl/curl/tool_main.c
@@ -29,19 +29,12 @@
 #include <tchar.h>
 #endif
 
-#ifdef HAVE_SIGNAL_H
 #include <signal.h>
-#endif
 
 #ifdef HAVE_FCNTL_H
 #include <fcntl.h>
 #endif
 
-#ifdef USE_NSS
-#include <nspr.h>
-#include <plarenas.h>
-#endif
-
 #include <stdlib.h> /* setenv(), _putenv() */
 
 #include <libca-certificates-curl/path.h>
@@ -57,6 +50,7 @@
 #include "tool_vms.h"
 #include "tool_main.h"
 #include "tool_libinfo.h"
+#include "tool_stderr.h"
 
 /*
  * This is low-level hard-hacking memory leak tracking and similar. Using
@@ -81,6 +75,7 @@ int vms_show = 0;
  * when command-line argument globbing is enabled under the MSYS shell, so turn
  * it off.
  */
+extern int _CRT_glob;
 int _CRT_glob = 0;
 #endif /* __MINGW32__ */
 
@@ -195,7 +190,6 @@ static CURLcode main_init(struct GlobalConfig *config)
 
   /* Initialise the global config */
   config->showerror = FALSE;          /* show errors when silent */
-  config->errors = stderr;            /* Default errors to stderr */
   config->styled_output = TRUE;       /* enable detection */
   config->parallel_max = PARALLEL_DEFAULT;
 
@@ -214,17 +208,17 @@ static CURLcode main_init(struct GlobalConfig *config)
         config->first->global = config;
       }
       else {
-        errorf(config, "error retrieving curl library information\n");
+        errorf(config, "error retrieving curl library information");
         free(config->first);
       }
     }
     else {
-      errorf(config, "error initializing curl library\n");
+      errorf(config, "error initializing curl library");
       free(config->first);
     }
   }
   else {
-    errorf(config, "error initializing curl\n");
+    errorf(config, "error initializing curl");
     result = CURLE_FAILED_INIT;
   }
 
@@ -235,10 +229,6 @@ static void free_globalconfig(struct GlobalConfig *config)
 {
   Curl_safefree(config->trace_dump);
 
-  if(config->errors_fopened && config->errors)
-    fclose(config->errors);
-  config->errors = NULL;
-
   if(config->trace_fopened && config->trace_stream)
     fclose(config->trace_stream);
   config->trace_stream = NULL;
@@ -255,14 +245,6 @@ static void main_free(struct GlobalConfig *config)
   /* Cleanup the easy handle */
   /* Main cleanup */
   curl_global_cleanup();
-#ifdef USE_NSS
-  if(PR_Initialized()) {
-    /* prevent valgrind from reporting still reachable mem from NSPR arenas */
-    PL_ArenaFinish();
-    /* prevent valgrind from reporting possibly lost memory (fd cache, ...) */
-    PR_Cleanup();
-  }
-#endif
   free_globalconfig(config);
 
   /* Free the config structures */
@@ -275,6 +257,11 @@ static void main_free(struct GlobalConfig *config)
 ** curl tool main function.
 */
 #ifdef _UNICODE
+#if defined(__GNUC__)
+/* GCC doesn't know about wmain() */
+#pragma GCC diagnostic ignored "-Wmissing-prototypes"
+#pragma GCC diagnostic ignored "-Wmissing-declarations"
+#endif
 int wmain(int argc, wchar_t *argv[])
 #else
 int main(int argc, char *argv[])
@@ -284,6 +271,8 @@ int main(int argc, char *argv[])
   struct GlobalConfig global;
   memset(&global, 0, sizeof(global));
 
+  tool_init_stderr();
+
 #ifdef WIN32
   /* Undocumented diagnostic option to list the full paths of all loaded
      modules. This is purposely pre-init. */
@@ -297,13 +286,13 @@ int main(int argc, char *argv[])
   /* win32_init must be called before other init routines. */
   result = win32_init();
   if(result) {
-    fprintf(stderr, "curl: (%d) Windows-specific init failed.\n", result);
+    errorf(&global, "(%d) Windows-specific init failed", result);
     return result;
   }
 #endif
 
   if(main_checkfds()) {
-    fprintf(stderr, "curl: out of file descriptors\n");
+    errorf(&global, "out of file descriptors");
     return CURLE_FAILED_INIT;
   }
 
diff --git a/curl/curl/tool_main.c.orig b/curl/curl/tool_main.c.orig
new file mode 100644
index 0000000..2f132e2
--- /dev/null
+++ b/curl/curl/tool_main.c.orig
@@ -0,0 +1,290 @@
+/***************************************************************************
+ *                                  _   _ ____  _
+ *  Project                     ___| | | |  _ \| |
+ *                             / __| | | | |_) | |
+ *                            | (__| |_| |  _ <| |___
+ *                             \___|\___/|_| \_\_____|
+ *
+ * Copyright (C) Daniel Stenberg, <daniel@haxx.se>, et al.
+ *
+ * This software is licensed as described in the file COPYING, which
+ * you should have received as part of this distribution. The terms
+ * are also available at https://curl.se/docs/copyright.html.
+ *
+ * You may opt to use, copy, modify, merge, publish, distribute and/or sell
+ * copies of the Software, and permit persons to whom the Software is
+ * furnished to do so, under the terms of the COPYING file.
+ *
+ * This software is distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY
+ * KIND, either express or implied.
+ *
+ * SPDX-License-Identifier: curl
+ *
+ ***************************************************************************/
+#include "tool_setup.h"
+
+#include <sys/stat.h>
+
+#ifdef WIN32
+#include <tchar.h>
+#endif
+
+#include <signal.h>
+
+#ifdef HAVE_FCNTL_H
+#include <fcntl.h>
+#endif
+
+#define ENABLE_CURLX_PRINTF
+/* use our own printf() functions */
+#include "curlx.h"
+
+#include "tool_cfgable.h"
+#include "tool_doswin.h"
+#include "tool_msgs.h"
+#include "tool_operate.h"
+#include "tool_vms.h"
+#include "tool_main.h"
+#include "tool_libinfo.h"
+#include "tool_stderr.h"
+
+/*
+ * This is low-level hard-hacking memory leak tracking and similar. Using
+ * the library level code from this client-side is ugly, but we do this
+ * anyway for convenience.
+ */
+#include "memdebug.h" /* keep this as LAST include */
+
+#ifdef __VMS
+/*
+ * vms_show is a global variable, used in main() as parameter for
+ * function vms_special_exit() to allow proper curl tool exiting.
+ * Its value may be set in other tool_*.c source files thanks to
+ * forward declaration present in tool_vms.h
+ */
+int vms_show = 0;
+#endif
+
+#ifdef __MINGW32__
+/*
+ * There seems to be no way to escape "*" in command-line arguments with MinGW
+ * when command-line argument globbing is enabled under the MSYS shell, so turn
+ * it off.
+ */
+extern int _CRT_glob;
+int _CRT_glob = 0;
+#endif /* __MINGW32__ */
+
+/* if we build a static library for unit tests, there is no main() function */
+#ifndef UNITTESTS
+
+#if defined(HAVE_PIPE) && defined(HAVE_FCNTL)
+/*
+ * Ensure that file descriptors 0, 1 and 2 (stdin, stdout, stderr) are
+ * open before starting to run.  Otherwise, the first three network
+ * sockets opened by curl could be used for input sources, downloaded data
+ * or error logs as they will effectively be stdin, stdout and/or stderr.
+ *
+ * fcntl's F_GETFD instruction returns -1 if the file descriptor is closed,
+ * otherwise it returns "the file descriptor flags (which typically can only
+ * be FD_CLOEXEC, which is not set here).
+ */
+static int main_checkfds(void)
+{
+  int fd[2];
+  while((fcntl(STDIN_FILENO, F_GETFD) == -1) ||
+        (fcntl(STDOUT_FILENO, F_GETFD) == -1) ||
+        (fcntl(STDERR_FILENO, F_GETFD) == -1))
+    if(pipe(fd))
+      return 1;
+  return 0;
+}
+#else
+#define main_checkfds() 0
+#endif
+
+#ifdef CURLDEBUG
+static void memory_tracking_init(void)
+{
+  char *env;
+  /* if CURL_MEMDEBUG is set, this starts memory tracking message logging */
+  env = curlx_getenv("CURL_MEMDEBUG");
+  if(env) {
+    /* use the value as file name */
+    char fname[CURL_MT_LOGFNAME_BUFSIZE];
+    if(strlen(env) >= CURL_MT_LOGFNAME_BUFSIZE)
+      env[CURL_MT_LOGFNAME_BUFSIZE-1] = '\0';
+    strcpy(fname, env);
+    curl_free(env);
+    curl_dbg_memdebug(fname);
+    /* this weird stuff here is to make curl_free() get called before
+       curl_dbg_memdebug() as otherwise memory tracking will log a free()
+       without an alloc! */
+  }
+  /* if CURL_MEMLIMIT is set, this enables fail-on-alloc-number-N feature */
+  env = curlx_getenv("CURL_MEMLIMIT");
+  if(env) {
+    char *endptr;
+    long num = strtol(env, &endptr, 10);
+    if((endptr != env) && (endptr == env + strlen(env)) && (num > 0))
+      curl_dbg_memlimit(num);
+    curl_free(env);
+  }
+}
+#else
+#  define memory_tracking_init() Curl_nop_stmt
+#endif
+
+/*
+ * This is the main global constructor for the app. Call this before
+ * _any_ libcurl usage. If this fails, *NO* libcurl functions may be
+ * used, or havoc may be the result.
+ */
+static CURLcode main_init(struct GlobalConfig *config)
+{
+  CURLcode result = CURLE_OK;
+
+#if defined(__DJGPP__) || defined(__GO32__)
+  /* stop stat() wasting time */
+  _djstat_flags |= _STAT_INODE | _STAT_EXEC_MAGIC | _STAT_DIRSIZE;
+#endif
+
+  /* Initialise the global config */
+  config->showerror = FALSE;          /* show errors when silent */
+  config->styled_output = TRUE;       /* enable detection */
+  config->parallel_max = PARALLEL_DEFAULT;
+
+  /* Allocate the initial operate config */
+  config->first = config->last = malloc(sizeof(struct OperationConfig));
+  if(config->first) {
+    /* Perform the libcurl initialization */
+    result = curl_global_init(CURL_GLOBAL_DEFAULT);
+    if(!result) {
+      /* Get information about libcurl */
+      result = get_libcurl_info();
+
+      if(!result) {
+        /* Initialise the config */
+        config_init(config->first);
+        config->first->global = config;
+      }
+      else {
+        errorf(config, "error retrieving curl library information");
+        free(config->first);
+      }
+    }
+    else {
+      errorf(config, "error initializing curl library");
+      free(config->first);
+    }
+  }
+  else {
+    errorf(config, "error initializing curl");
+    result = CURLE_FAILED_INIT;
+  }
+
+  return result;
+}
+
+static void free_globalconfig(struct GlobalConfig *config)
+{
+  Curl_safefree(config->trace_dump);
+
+  if(config->trace_fopened && config->trace_stream)
+    fclose(config->trace_stream);
+  config->trace_stream = NULL;
+
+  Curl_safefree(config->libcurl);
+}
+
+/*
+ * This is the main global destructor for the app. Call this after
+ * _all_ libcurl usage is done.
+ */
+static void main_free(struct GlobalConfig *config)
+{
+  /* Cleanup the easy handle */
+  /* Main cleanup */
+  curl_global_cleanup();
+  free_globalconfig(config);
+
+  /* Free the config structures */
+  config_free(config->last);
+  config->first = NULL;
+  config->last = NULL;
+}
+
+/*
+** curl tool main function.
+*/
+#ifdef _UNICODE
+#if defined(__GNUC__)
+/* GCC doesn't know about wmain() */
+#pragma GCC diagnostic ignored "-Wmissing-prototypes"
+#pragma GCC diagnostic ignored "-Wmissing-declarations"
+#endif
+int wmain(int argc, wchar_t *argv[])
+#else
+int main(int argc, char *argv[])
+#endif
+{
+  CURLcode result = CURLE_OK;
+  struct GlobalConfig global;
+  memset(&global, 0, sizeof(global));
+
+  tool_init_stderr();
+
+#ifdef WIN32
+  /* Undocumented diagnostic option to list the full paths of all loaded
+     modules. This is purposely pre-init. */
+  if(argc == 2 && !_tcscmp(argv[1], _T("--dump-module-paths"))) {
+    struct curl_slist *item, *head = GetLoadedModulePaths();
+    for(item = head; item; item = item->next)
+      printf("%s\n", item->data);
+    curl_slist_free_all(head);
+    return head ? 0 : 1;
+  }
+  /* win32_init must be called before other init routines. */
+  result = win32_init();
+  if(result) {
+    errorf(&global, "(%d) Windows-specific init failed", result);
+    return result;
+  }
+#endif
+
+  if(main_checkfds()) {
+    errorf(&global, "out of file descriptors");
+    return CURLE_FAILED_INIT;
+  }
+
+#if defined(HAVE_SIGNAL) && defined(SIGPIPE)
+  (void)signal(SIGPIPE, SIG_IGN);
+#endif
+
+  /* Initialize memory tracking */
+  memory_tracking_init();
+
+  /* Initialize the curl library - do not call any libcurl functions before
+     this point */
+  result = main_init(&global);
+  if(!result) {
+    /* Start our curl operation */
+    result = operate(&global, argc, argv);
+
+    /* Perform the main cleanup */
+    main_free(&global);
+  }
+
+#ifdef WIN32
+  /* Flush buffers of all streams opened in write or update mode */
+  fflush(NULL);
+#endif
+
+#ifdef __VMS
+  vms_special_exit(result, vms_show);
+#else
+  return (int)result;
+#endif
+}
+
+#endif /* ndef UNITTESTS */
diff --git a/curl/curl/tool_main.c.patch b/curl/curl/tool_main.c.patch
index cae1787..b344940 100644
--- a/curl/curl/tool_main.c.patch
+++ b/curl/curl/tool_main.c.patch
@@ -1,9 +1,11 @@
---- curl/src/tool_main.c	2020-01-18 23:47:34.559751631 +0300
-+++ curl/tool_main.c	2020-01-20 16:07:17.183814044 +0300
-@@ -32,6 +32,10 @@
- #include <plarenas.h>
+diff --git a/curl/curl/tool_main.c b/curl/curl/tool_main.c
+index 2f132e2..494ec02 100644
+--- a/curl/curl/tool_main.c
++++ b/curl/curl/tool_main.c
+@@ -35,6 +35,10 @@
+ #include <fcntl.h>
  #endif
-
+ 
 +#include <stdlib.h> /* setenv(), _putenv() */
 +
 +#include <libca-certificates-curl/path.h>
@@ -11,7 +13,7 @@
  #define ENABLE_CURLX_PRINTF
  /* use our own printf() functions */
  #include "curlx.h"
-@@ -138,6 +142,41 @@ static void memory_tracking_init(void)
+@@ -142,6 +146,41 @@ static void memory_tracking_init(void)
   */
  static CURLcode main_init(struct GlobalConfig *config)
  {
@@ -51,5 +53,5 @@
 +    return CURLE_FAILED_INIT;
 +
    CURLcode result = CURLE_OK;
-
+ 
  #if defined(__DJGPP__) || defined(__GO32__)
diff --git a/curl/manifest b/curl/manifest
index 80cbfe4..009133d 100644
--- a/curl/manifest
+++ b/curl/manifest
@@ -1,6 +1,6 @@
 : 1
 name: curl
-version: 7.88.1
+version: 8.4.0-a.0.z
 priority: security
 summary: Command line tool for transferring data with URLs
 license: curl ; MIT/X derivate license.
diff --git a/libcurl/.gitignore b/libcurl/.gitignore
index 3dcc22f..d4a1da2 100644
--- a/libcurl/.gitignore
+++ b/libcurl/.gitignore
@@ -13,6 +13,7 @@
 *.ifc
 *.so
 *.so.*
+*.dylib
 *.dll
 *.a
 *.lib
diff --git a/libcurl/build/bootstrap.build b/libcurl/build/bootstrap.build
index 29c04ff..9704ab7 100644
--- a/libcurl/build/bootstrap.build
+++ b/libcurl/build/bootstrap.build
@@ -24,7 +24,7 @@ using dist
 #
 # https://curl.se/libcurl/abi.html
 #
-if ($version.major == 7 && $version.minor == 88 && $version.patch == 1)
+if ($version.major == 8 && $version.minor == 4 && $version.patch == 0)
 {
   abi_version_major = 4
   abi_version = "$abi_version_major.8.0" # <current - age>.<age>.<revision>
diff --git a/libcurl/libcurl/buildfile b/libcurl/libcurl/buildfile
index cdae37c..62c8680 100644
--- a/libcurl/libcurl/buildfile
+++ b/libcurl/libcurl/buildfile
@@ -61,7 +61,7 @@ vsc{libcurl}: lib/in{libcurl}
 # <stdatomic.h> for Clang versions prior to 7.0.
 #
 if ($c.id == 'clang' && $c.version.major < 7)
-  lib/obj{easy version}: cc.reprocess = true
+  lib/obj{easy version hostip}: cc.reprocess = true
 
 # Build options.
 #
@@ -131,7 +131,7 @@ switch $tclass, $tsys
   case 'windows', 'mingw32'
   {
     c.loptions += -Wl,--enable-auto-image-base
-    c.libs     += -lws2_32 -lcrypt32
+    c.libs     += -lws2_32 -lcrypt32 -lbcrypt
   }
   case 'windows'
   {
diff --git a/libcurl/libcurl/curl_config.h b/libcurl/libcurl/curl_config.h
index 8458725..2ccc522 100644
--- a/libcurl/libcurl/curl_config.h
+++ b/libcurl/libcurl/curl_config.h
@@ -47,16 +47,15 @@
 
 #define CURL_DISABLE_OPENSSL_AUTO_LOAD_CONFIG 1
 
-#undef  HAVE_BORINGSSL
 #undef  USE_WOLFSSL
 
 /* Enabled features.
  */
-#define ENABLE_IPV6 1
-#define HAVE_LIBZ   1
+#define ENABLE_IPV6    1
+#define HAVE_LIBZ      1
+#define USE_WEBSOCKETS 1
 
 #undef CURL_DISABLE_COOKIES
-#undef CURL_DISABLE_CRYPTO_AUTH
 #undef CURL_DISABLE_DICT
 #undef CURL_DISABLE_DOH
 #undef CURL_DISABLE_FILE
@@ -86,6 +85,14 @@
 #undef CURL_DISABLE_HEADERS_API
 #undef CURL_DISABLE_HSTS
 #undef CURL_DISABLE_NTLM
+#undef CURL_DISABLE_AWS
+#undef CURL_DISABLE_BASIC_AUTH
+#undef CURL_DISABLE_BEARER_AUTH
+#undef CURL_DISABLE_BINDLOCAL
+#undef CURL_DISABLE_DIGEST_AUTH
+#undef CURL_DISABLE_FORM_API
+#undef CURL_DISABLE_KERBEROS_AUTH
+#undef CURL_DISABLE_NEGOTIATE_AUTH
 
 /* Diabled features.
  */
@@ -107,7 +114,6 @@
 #undef USE_NGHTTP2
 #undef USE_NGHTTP3
 #undef USE_NGTCP2
-#undef USE_NSS
 #undef USE_OPENLDAP
 #undef USE_LIBRTMP
 #undef USE_QUICHE
@@ -117,7 +123,6 @@
 #undef USE_RUSTLS
 #undef USE_WOLFSSH
 #undef USE_MSH3
-#undef USE_WEBSOCKETS
 
 /* Specific for (non-) Linux.
  */
@@ -153,12 +158,14 @@
  */
 #if defined(__FreeBSD__) || defined(__APPLE__)
 #  define HAVE_SYS_SOCKIO_H 1
+#  define HAVE_ARC4RANDOM   1
 #endif
 
 /* Specific for Linux and Mac OS.
  */
 #if defined(__linux__) || defined(__APPLE__)
-#  define HAVE_FSETXATTR 1
+#  define HAVE_FSETXATTR                   1
+#  define HAVE_CLOCK_GETTIME_MONOTONIC_RAW 1
 #endif
 
 /* Specific for POSIX.
@@ -230,6 +237,7 @@
 #  define HAVE_SYS_UTIME_H         1
 #  define HAVE_WINDOWS_H           1
 #  define HAVE_WINSOCK2_H          1
+#  define HAVE__FSEEKI64           1
 
 #  undef _UNICODE
 #  undef UNICODE
@@ -276,11 +284,9 @@
 #  define HAVE_INET_PTON               1
 #  define HAVE_LIBGEN_H                1
 #  define HAVE_PTHREAD_H               1
-#  define HAVE_SETJMP_H                1
 #  define HAVE_SIGNAL                  1
 #  define HAVE_STRCASECMP              1
 #  define HAVE_STRINGS_H               1
-#  define HAVE_STRING_H                1
 #  define HAVE_STRTOK_R                1
 #  define HAVE_SYS_PARAM_H             1
 #  define HAVE_SYS_TIME_H              1
@@ -290,6 +296,7 @@
 #  define HAVE_OPENSSL_SRP             1
 #  define HAVE_FTRUNCATE               1
 #  define HAVE_SCHED_YIELD             1
+#  define HAVE_FSEEKO                  1
 #else
 #  define USE_THREADS_WIN32 1
 #  undef  USE_THREADS_POSIX
@@ -303,7 +310,6 @@
 #define HAVE_BOOL_T                     1
 #define HAVE_FCNTL_H                    1
 #define HAVE_WS2TCPIP_H                 1
-#define HAVE_SIGNAL_H                   1
 #define HAVE_LOCALE_H                   1
 #define HAVE_SETLOCALE                  1
 #define HAVE_GETADDRINFO                1
@@ -328,6 +334,8 @@
 #define HAVE_SNPRINTF                   1
 #define HAVE_STDATOMIC_H                1
 #define HAVE_ATOMIC                     1
+#define HAVE_INTTYPES_H                 1
+#define HAVE_STDINT_H                   1
 
 /* SSL_set0_wbio() was added in OpenSSL 1.1.0 and we don't care about earlier
  * versions.
@@ -353,9 +361,7 @@
 #undef HAVE_GSSGNU
 #undef HAVE_IOCTLSOCKET_CAMEL_FIONBIO
 #undef HAVE_OLD_GSSMIT
-#undef HAVE_PK11_CREATEMANAGEDGENERICOBJECT
 #undef HAVE_PROTO_BSDSOCKET_H
-#undef HAVE_RAND_EGD
 #undef HAVE_STRCMPI
 #undef HAVE_STROPTS_H
 #undef HAVE_TERMIO_H
@@ -379,11 +385,9 @@
 #undef NEED_REENTRANT
 #undef NEED_THREAD_SAFE
 
-#undef USE_GSKIT
 #undef USE_OS400CRYPTO
 
 #undef BSD
-#undef EGD_SOCKET
 #undef CURLDEBUG
 #undef DEBUGBUILD
 #undef ENABLE_QUIC
diff --git a/libcurl/manifest b/libcurl/manifest
index 5d88d1f..433e9d8 100644
--- a/libcurl/manifest
+++ b/libcurl/manifest
@@ -1,6 +1,6 @@
 : 1
 name: libcurl
-version: 7.88.1
+version: 8.4.0-a.0.z
 project: curl
 priority: security
 summary: C library for transferring data with URLs
diff --git a/upstream b/upstream
-Subproject 046209e561b7e9b5aab1aef7daebf29ee6e6e8c
+Subproject d755a5f7c009dd63a61b2c745180d8ba937cbfe