TLS: remove support for Secure Transport and BearSSL

These libraries do not support TLS 1.3 and have been marked for removal
for over a year. We want to help users select a TLS dependency that is
future-proof and reliable, and not supporting TLS 1.3 in 2025 does not
inspire confidence. Users who build libcurl are likely to be served better
and get something more future-proof with a TLS library that supports
1.3.

Closes #16677
Daniel Stenberg 2025-06-09 14:07:21 +02:00
parent b761eb5add
commit 08a3e8e19a
No known key found for this signature in database
GPG key ID: 5CC908FDB71E12C2
89 changed files with 163 additions and 5036 deletions

.github/labeler.yml vendored

@ -28,9 +28,7 @@ appleOS:
- any-glob-to-all-files: "{\
.github/workflows/macos.yml,\
lib/config-mac.h,\
lib/macos*,\
lib/vtls/sectransp*,\
m4/curl-sectransp.m4\
lib/macos*\
}"
authentication:
@ -455,7 +453,6 @@ TLS:
- all:
- changed-files:
- any-glob-to-all-files: "{\
CMake/FindBearSSL.cmake,\
CMake/FindMbedTLS.cmake,\
CMake/FindWolfSSL.cmake,\
CMake/FindRustls.cmake,\
@ -475,13 +472,11 @@ TLS:
docs/libcurl/opts/CURLOPT_TLS*,\
docs/libcurl/opts/CURLOPT_USE_SSL*,\
lib/vtls/**,\
m4/curl-bearssl.m4,\
m4/curl-gnutls.m4,\
m4/curl-mbedtls.m4,\
m4/curl-openssl.m4,\
m4/curl-rustls.m4,\
m4/curl-schannel.m4,\
m4/curl-sectransp.m4,\
m4/curl-wolfssl.m4\
}"


@ -39,8 +39,6 @@ env:
MAKEFLAGS: -j 5
CURL_CI: github
CURL_CLANG_TIDYFLAGS: '-checks=-clang-analyzer-security.insecureAPI.strcpy,-clang-analyzer-optin.performance.Padding,-clang-analyzer-security.insecureAPI.DeprecatedOrUnsafeBufferHandling,-clang-analyzer-valist.Uninitialized'
# unhandled
BEARSSL_VERSION: 0.6
# renovate: datasource=github-tags depName=libressl-portable/portable versioning=semver registryUrl=https://github.com
LIBRESSL_VERSION: 4.1.0
# renovate: datasource=github-tags depName=wolfSSL/wolfssl versioning=semver extractVersion=^v?(?<version>.+)-stable$ registryUrl=https://github.com
@ -75,16 +73,6 @@ jobs:
fail-fast: false
matrix:
build:
- name: bearssl
install_packages: zlib1g-dev
install_steps: bearssl pytest
configure: LDFLAGS=-Wl,-rpath,/home/runner/bearssl/lib --with-bearssl=/home/runner/bearssl --enable-debug
- name: bearssl clang
install_packages: zlib1g-dev clang
install_steps: bearssl
configure: CC=clang LDFLAGS=-Wl,-rpath,/home/runner/bearssl/lib --with-bearssl=/home/runner/bearssl --enable-debug
- name: libressl heimdal
install_packages: zlib1g-dev libnghttp2-dev libldap-dev heimdal-dev
install_steps: libressl pytest
@ -344,27 +332,6 @@ jobs:
py3-impacket py3-asn1 py3-six py3-pycryptodomex \
perl-time-hires openssh stunnel sudo git openssl
- name: 'cache bearssl'
if: ${{ contains(matrix.build.install_steps, 'bearssl') }}
uses: actions/cache@d4323d4df104b026a6aa633fdb11d772146be0bf # v4
id: cache-bearssl
env:
cache-name: cache-bearssl
with:
path: ~/bearssl
key: ${{ runner.os }}-build-${{ env.cache-name }}-${{ env.BEARSSL_VERSION }}
- name: 'build bearssl'
if: ${{ contains(matrix.build.install_steps, 'bearssl') && steps.cache-bearssl.outputs.cache-hit != 'true' }}
run: |
curl -LOsSf --retry 6 --retry-connrefused --max-time 999 \
"https://bearssl.org/bearssl-${BEARSSL_VERSION}.tar.gz" | tar -xz
cd "bearssl-${BEARSSL_VERSION}"
make
mkdir -p ~/bearssl/lib ~/bearssl/include
cp inc/*.h ~/bearssl/include
cp build/libbearssl.* ~/bearssl/lib
- name: 'cache libressl'
if: ${{ contains(matrix.build.install_steps, 'libressl') }}
uses: actions/cache@d4323d4df104b026a6aa633fdb11d772146be0bf # v4


@ -43,8 +43,6 @@ permissions: {}
# - 10.9 Mavericks (2013) - LDAP
# - 10.14 Mojave (2018) - Secure Transport
#
# For Secure Transport, curl implements features that require a target
# newer than the 10.8 required by `CFURLCreateDataAndPropertiesFromResource`.
env:
CURL_CI: github
@ -105,18 +103,6 @@ jobs:
--without-nghttp2 --disable-ntlm --without-ssl --without-zlib --without-zstd
macos-version-min: '10.15' # Catalina (2019)
- name: 'SecureTransport libssh2'
compiler: clang
configure: --enable-debug --with-secure-transport --with-libssh2=/opt/homebrew/opt/libssh2
macos-version-min: '10.8'
- name: 'SecureTransport libssh2 10.12'
compiler: clang
configure: --enable-debug --with-secure-transport --with-libssh2=/opt/homebrew/opt/libssh2
macos-version-min: '10.12' # for monotonic timers
- name: 'SecureTransport libssh2'
compiler: gcc-12
configure: --enable-debug --with-secure-transport --with-libssh2=/opt/homebrew/opt/libssh2
macos-version-min: '10.8'
- name: 'LibreSSL +examples'
compiler: clang
install: libressl
@ -147,9 +133,6 @@ jobs:
- name: 'quictls +static libssh +examples'
install: quictls libssh
generate: -DOPENSSL_ROOT_DIR=/opt/homebrew/opt/quictls -DBUILD_STATIC_LIBS=ON -DCURL_USE_LIBSSH2=OFF -DCURL_USE_LIBSSH=ON
- name: 'SecureTransport debug'
generate: -DCURL_USE_SECTRANSP=ON -DENABLE_DEBUG=ON
macos-version-min: '10.8'
- name: 'LibreSSL !ldap heimdal c-ares +examples'
install: libressl heimdal
generate: -DOPENSSL_ROOT_DIR=/opt/homebrew/opt/libressl -DENABLE_ARES=ON -DCURL_USE_GSSAPI=ON -DGSS_ROOT_DIR=/opt/homebrew/opt/heimdal -DCURL_DISABLE_LDAP=ON
@ -367,7 +350,7 @@ jobs:
make -C bld examples V=1
fi
combinations: # Test buildability with host OS, Xcode / SDK, compiler, target-OS, Secure Transport/not, built tool, combinations
combinations: # Test buildability with host OS, Xcode / SDK, compiler, target-OS, built tool, combinations
name: "${{ matrix.build == 'cmake' && 'CM' || 'AM' }} ${{ matrix.compiler }} ${{ matrix.image }} ${{ matrix.xcode }} ${{ matrix.config }}"
runs-on: ${{ matrix.image }}
timeout-minutes: 10
@ -382,7 +365,7 @@ jobs:
strategy:
fail-fast: false
matrix:
config: [SecureTransport] # also: OpenSSL
config: [OpenSSL]
compiler: [gcc-12, gcc-13, gcc-14, llvm@15, llvm@18, clang]
# Xcode support matrix as of 2024-07, with default macOS SDK versions and OS names, years:
# * = default Xcode on the runner.
@ -427,7 +410,6 @@ jobs:
- { image: macos-14, compiler: 'llvm@18' }
- { image: macos-15, compiler: 'llvm@15' }
# Reduce build combinations, by dropping less interesting ones
- { compiler: gcc-12, config: SecureTransport }
- { compiler: gcc-13, build: cmake }
- { compiler: gcc-14, build: autotools }
steps:
@ -478,7 +460,6 @@ jobs:
if [ "${MATRIX_BUILD}" = 'cmake' ]; then
[ "${MATRIX_CONFIG}" = 'OpenSSL' ] && options+=' -DCURL_USE_OPENSSL=ON'
[ "${MATRIX_CONFIG}" = 'SecureTransport' ] && options+=' -DCURL_USE_SECTRANSP=ON'
[ -n "${MATRIX_MACOS_VERSION_MIN}" ] && options+=" -DCMAKE_OSX_DEPLOYMENT_TARGET=${MATRIX_MACOS_VERSION_MIN}"
# would pick up nghttp2, libidn2, and libssh2
cmake -B bld -G Ninja -D_CURL_PREFILL=ON \
@ -500,7 +481,6 @@ jobs:
CFLAGS+=" --sysroot=${sysroot}"
fi
[ "${MATRIX_CONFIG}" = 'OpenSSL' ] && options+=" --with-openssl=$(brew --prefix openssl)"
[ "${MATRIX_CONFIG}" = 'SecureTransport' ] && options+=' --with-secure-transport'
[ -n "${MATRIX_MACOS_VERSION_MIN}" ] && CFLAGS+=" -mmacosx-version-min=${MATRIX_MACOS_VERSION_MIN}"
# would pick up nghttp2, libidn2, but libssh2 is disabled by default
mkdir bld && cd bld && ../configure --enable-unity --enable-test-bundles --enable-warnings --enable-werror \
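Review bot: The context comment kept at the top of the first hunk, `# - 10.14 Mojave (2018) - Secure Transport`, still lists Secure Transport as the dependency that pins a minimum macOS version, while the two explanatory lines right below it and every `--with-secure-transport` / `-DCURL_USE_SECTRANSP=ON` entry in this file are removed; that bullet should be dropped with them. In the `combinations` job, `config: [OpenSSL]` leaves `MATRIX_CONFIG` with a single value, so the `[ "${MATRIX_CONFIG}" = 'OpenSSL' ] && options+=…` tests in both the cmake and the autotools branches are now always true; either note next to the list that it is kept for future backends or collapse the tests. Removing the `{ compiler: gcc-12, config: SecureTransport }` exclude while the only config was SecureTransport appears to make gcc-12 build in every combination it was previously skipped for — confirm that matrix growth is intended.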


@ -1,58 +0,0 @@
#***************************************************************************
# _ _ ____ _
# Project ___| | | | _ \| |
# / __| | | | |_) | |
# | (__| |_| | _ <| |___
# \___|\___/|_| \_\_____|
#
# Copyright (C) Daniel Stenberg, <daniel@haxx.se>, et al.
#
# This software is licensed as described in the file COPYING, which
# you should have received as part of this distribution. The terms
# are also available at https://curl.se/docs/copyright.html.
#
# You may opt to use, copy, modify, merge, publish, distribute and/or sell
# copies of the Software, and permit persons to whom the Software is
# furnished to do so, under the terms of the COPYING file.
#
# This software is distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY
# KIND, either express or implied.
#
# SPDX-License-Identifier: curl
#
###########################################################################
# Find the BearSSL library
#
# Input variables:
#
# - `BEARSSL_INCLUDE_DIR`: The BearSSL include directory.
# - `BEARSSL_LIBRARY`: Path to `bearssl` library.
#
# Result variables:
#
# - `BEARSSL_FOUND`: System has BearSSL.
# - `BEARSSL_INCLUDE_DIRS`: The BearSSL include directories.
# - `BEARSSL_LIBRARIES`: The BearSSL library names.
if(DEFINED BEARSSL_INCLUDE_DIRS AND NOT DEFINED BEARSSL_INCLUDE_DIR)
message(WARNING "BEARSSL_INCLUDE_DIRS is deprecated, use BEARSSL_INCLUDE_DIR instead.")
set(BEARSSL_INCLUDE_DIR "${BEARSSL_INCLUDE_DIRS}")
unset(BEARSSL_INCLUDE_DIRS)
endif()
find_path(BEARSSL_INCLUDE_DIR NAMES "bearssl.h")
find_library(BEARSSL_LIBRARY NAMES "bearssl")
include(FindPackageHandleStandardArgs)
find_package_handle_standard_args(BearSSL
REQUIRED_VARS
BEARSSL_INCLUDE_DIR
BEARSSL_LIBRARY
)
if(BEARSSL_FOUND)
set(BEARSSL_INCLUDE_DIRS ${BEARSSL_INCLUDE_DIR})
set(BEARSSL_LIBRARIES ${BEARSSL_LIBRARY})
endif()
mark_as_advanced(BEARSSL_INCLUDE_DIR BEARSSL_LIBRARY)


@ -679,24 +679,18 @@ if(CURL_DEFAULT_SSL_BACKEND)
set(_valid_default_ssl_backend FALSE)
endif()
if(APPLE)
cmake_dependent_option(CURL_USE_SECTRANSP "Enable Apple OS native SSL/TLS (Secure Transport)" OFF CURL_ENABLE_SSL OFF)
endif()
if(WIN32)
cmake_dependent_option(CURL_USE_SCHANNEL "Enable Windows native SSL/TLS (Schannel)" OFF CURL_ENABLE_SSL OFF)
option(CURL_WINDOWS_SSPI "Enable SSPI on Windows" ${CURL_USE_SCHANNEL})
endif()
cmake_dependent_option(CURL_USE_MBEDTLS "Enable mbedTLS for SSL/TLS" OFF CURL_ENABLE_SSL OFF)
cmake_dependent_option(CURL_USE_BEARSSL "Enable BearSSL for SSL/TLS" OFF CURL_ENABLE_SSL OFF)
cmake_dependent_option(CURL_USE_WOLFSSL "Enable wolfSSL for SSL/TLS" OFF CURL_ENABLE_SSL OFF)
cmake_dependent_option(CURL_USE_GNUTLS "Enable GnuTLS for SSL/TLS" OFF CURL_ENABLE_SSL OFF)
cmake_dependent_option(CURL_USE_RUSTLS "Enable Rustls for SSL/TLS" OFF CURL_ENABLE_SSL OFF)
if(WIN32 OR
CURL_USE_SECTRANSP OR
CURL_USE_SCHANNEL OR
CURL_USE_MBEDTLS OR
CURL_USE_BEARSSL OR
CURL_USE_WOLFSSL OR
CURL_USE_GNUTLS OR
CURL_USE_RUSTLS)
@ -714,10 +708,8 @@ option(CURL_DISABLE_OPENSSL_AUTO_LOAD_CONFIG "Disable automatic loading of OpenS
curl_count_true(_enabled_ssl_options_count
CURL_USE_SCHANNEL
CURL_USE_SECTRANSP
CURL_USE_OPENSSL
CURL_USE_MBEDTLS
CURL_USE_BEARSSL
CURL_USE_WOLFSSL
CURL_USE_GNUTLS
CURL_USE_RUSTLS
@ -741,26 +733,6 @@ if(CURL_WINDOWS_SSPI)
set(USE_WINDOWS_SSPI ON)
endif()
if(CURL_USE_SECTRANSP)
set(_use_core_foundation_and_core_services ON)
find_library(SECURITY_FRAMEWORK NAMES "Security")
mark_as_advanced(SECURITY_FRAMEWORK)
if(NOT SECURITY_FRAMEWORK)
message(FATAL_ERROR "Security framework not found")
endif()
list(APPEND CURL_LIBS "-framework Security")
set(_ssl_enabled ON)
set(USE_SECTRANSP ON)
if(CURL_DEFAULT_SSL_BACKEND AND CURL_DEFAULT_SSL_BACKEND STREQUAL "secure-transport")
set(_valid_default_ssl_backend TRUE)
endif()
message(WARNING "Secure Transport does not support TLS 1.3.")
endif()
if(_use_core_foundation_and_core_services)
find_library(COREFOUNDATION_FRAMEWORK NAMES "CoreFoundation")
mark_as_advanced(COREFOUNDATION_FRAMEWORK)
@ -844,21 +816,6 @@ if(CURL_USE_MBEDTLS)
set(_curl_ca_bundle_supported TRUE)
endif()
if(CURL_USE_BEARSSL)
find_package(BearSSL REQUIRED)
set(_ssl_enabled ON)
set(USE_BEARSSL ON)
list(APPEND CURL_LIBS ${BEARSSL_LIBRARIES})
include_directories(SYSTEM ${BEARSSL_INCLUDE_DIRS})
if(CURL_DEFAULT_SSL_BACKEND AND CURL_DEFAULT_SSL_BACKEND STREQUAL "bearssl")
set(_valid_default_ssl_backend TRUE)
endif()
set(_curl_ca_bundle_supported TRUE)
message(WARNING "BearSSL does not support TLS 1.3.")
endif()
if(CURL_USE_WOLFSSL)
find_package(WolfSSL REQUIRED)
set(_ssl_enabled ON)
@ -2134,7 +2091,6 @@ if(NOT CURL_DISABLE_NTLM AND
(USE_OPENSSL OR
USE_MBEDTLS OR
USE_GNUTLS OR
USE_SECTRANSP OR
USE_WIN32_CRYPTO OR
(USE_WOLFSSL AND HAVE_WOLFSSL_DES_ECB_ENCRYPT)))
set(_use_curl_ntlm_core ON)
@ -2215,8 +2171,7 @@ curl_add_if("HTTP2" USE_NGHTTP2)
curl_add_if("HTTP3" USE_NGTCP2 OR USE_QUICHE OR USE_MSH3 OR USE_OPENSSL_QUIC)
curl_add_if("MultiSSL" CURL_WITH_MULTI_SSL)
curl_add_if("HTTPS-proxy" NOT CURL_DISABLE_PROXY AND _ssl_enabled AND (USE_OPENSSL OR USE_GNUTLS
OR USE_SCHANNEL OR USE_RUSTLS OR USE_BEARSSL OR
USE_MBEDTLS OR USE_SECTRANSP OR
OR USE_SCHANNEL OR USE_RUSTLS OR USE_MBEDTLS OR
(USE_WOLFSSL AND HAVE_WOLFSSL_BIO_NEW)))
curl_add_if("Unicode" ENABLE_UNICODE)
curl_add_if("threadsafe" HAVE_ATOMIC OR
@ -2245,9 +2200,7 @@ set(_items "")
curl_add_if("Schannel" _ssl_enabled AND USE_SCHANNEL)
curl_add_if("${_openssl}" _ssl_enabled AND USE_OPENSSL AND OPENSSL_VERSION VERSION_LESS 3.0.0)
curl_add_if("${_openssl} v3+" _ssl_enabled AND USE_OPENSSL AND OPENSSL_VERSION VERSION_GREATER_EQUAL 3.0.0)
curl_add_if("Secure Transport" _ssl_enabled AND USE_SECTRANSP)
curl_add_if("mbedTLS" _ssl_enabled AND USE_MBEDTLS)
curl_add_if("BearSSL" _ssl_enabled AND USE_BEARSSL)
curl_add_if("wolfSSL" _ssl_enabled AND USE_WOLFSSL)
curl_add_if("GnuTLS" _ssl_enabled AND USE_GNUTLS)
curl_add_if("rustls" _ssl_enabled AND USE_RUSTLS)
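Review bot: Nothing in the first hunk rejects the removed cache options, so a build tree or script that still passes `-DCURL_USE_SECTRANSP=ON` or `-DCURL_USE_BEARSSL=ON` no longer fails and presumably falls through to whatever backend the remaining `if(WIN32 OR …)` default logic selects; with the `cmake_dependent_option` lines gone, CMake's only feedback is its generic unused-variable notice at the end of the configure run. A short guard after the remaining option declarations would make the removal explicit, e.g. `if(CURL_USE_SECTRANSP OR CURL_USE_BEARSSL)` / `message(FATAL_ERROR "Secure Transport and BearSSL support have been removed, select another TLS backend")` / `endif()`. The same applies to `CURL_DEFAULT_SSL_BACKEND` values `secure-transport` and `bearssl`, which no longer set `_valid_default_ssl_backend` — the existing validation outside these hunks probably already errors, but worth checking that its message names the removal.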


@ -32,7 +32,6 @@ CMAKE_DIST = \
CMake/curl-config.cmake.in \
CMake/CurlSymbolHiding.cmake \
CMake/CurlTests.c \
CMake/FindBearSSL.cmake \
CMake/FindBrotli.cmake \
CMake/FindCares.cmake \
CMake/FindGSS.cmake \


@ -144,7 +144,7 @@ AC_SUBST(VERSIONNUM)
dnl
dnl initialize all the info variables
curl_ssl_msg="no (--with-{openssl,gnutls,mbedtls,wolfssl,schannel,secure-transport,amissl,bearssl,rustls} )"
curl_ssl_msg="no (--with-{openssl,gnutls,mbedtls,wolfssl,schannel,amissl,rustls} )"
curl_ssh_msg="no (--with-{libssh,libssh2})"
curl_zlib_msg="no (--with-zlib)"
curl_brotli_msg="no (--with-brotli)"
@ -213,13 +213,6 @@ AS_HELP_STRING([--with-schannel],[enable Windows native SSL/TLS]),
OPT_SCHANNEL=$withval
TLSCHOICE="schannel")
OPT_SECURETRANSPORT=no
AC_ARG_WITH(secure-transport,dnl
AS_HELP_STRING([--with-secure-transport],[enable Apple OS native SSL/TLS]),[
OPT_SECURETRANSPORT=$withval
TLSCHOICE="${TLSCHOICE:+$TLSCHOICE, }Secure-Transport"
])
OPT_AMISSL=no
AC_ARG_WITH(amissl,dnl
AS_HELP_STRING([--with-amissl],[enable Amiga native SSL/TLS (AmiSSL)]),[
@ -277,15 +270,6 @@ AS_HELP_STRING([--with-wolfssl=PATH],[where to look for wolfSSL, PATH points to
fi
])
OPT_BEARSSL=no
AC_ARG_WITH(bearssl,dnl
AS_HELP_STRING([--with-bearssl=PATH],[where to look for BearSSL, PATH points to the installation root]),[
OPT_BEARSSL=$withval
if test X"$withval" != Xno; then
TLSCHOICE="${TLSCHOICE:+$TLSCHOICE, }BearSSL"
fi
])
OPT_RUSTLS=no
AC_ARG_WITH(rustls,dnl
AS_HELP_STRING([--with-rustls=PATH],[where to look for Rustls, PATH points to the installation root]),[
@ -414,13 +398,11 @@ if test -z "$TLSCHOICE"; then
Select from these:
--with-amissl
--with-bearssl
--with-gnutls
--with-mbedtls
--with-openssl (also works for BoringSSL and LibreSSL)
--with-rustls
--with-schannel
--with-secure-transport
--with-wolfssl
])
fi
@ -2121,13 +2103,11 @@ case "$DEFAULT_SSL_BACKEND" in
esac
CURL_WITH_SCHANNEL
CURL_WITH_SECURETRANSPORT
CURL_WITH_AMISSL
CURL_WITH_OPENSSL
CURL_WITH_GNUTLS
CURL_WITH_MBEDTLS
CURL_WITH_WOLFSSL
CURL_WITH_BEARSSL
CURL_WITH_RUSTLS
dnl link required libraries for USE_WIN32_CRYPTO or SCHANNEL_ENABLED
@ -2143,10 +2123,10 @@ if test "x$curl_cv_native_windows" = "xyes" -a "$curl_cv_wince" = 'no'; then
LIBS="-lbcrypt $LIBS"
fi
case "x$SSL_DISABLED$OPENSSL_ENABLED$GNUTLS_ENABLED$MBEDTLS_ENABLED$WOLFSSL_ENABLED$SCHANNEL_ENABLED$SECURETRANSPORT_ENABLED$BEARSSL_ENABLED$RUSTLS_ENABLED" in
case "x$SSL_DISABLED$OPENSSL_ENABLED$GNUTLS_ENABLED$MBEDTLS_ENABLED$WOLFSSL_ENABLED$SCHANNEL_ENABLED$RUSTLS_ENABLED" in
x)
AC_MSG_ERROR([TLS not detected, you will not be able to use HTTPS, FTPS, NTLM and more.
Use --with-openssl, --with-gnutls, --with-wolfssl, --with-mbedtls, --with-schannel, --with-secure-transport, --with-amissl, --with-bearssl or --with-rustls to address this.])
Use --with-openssl, --with-gnutls, --with-wolfssl, --with-mbedtls, --with-schannel, --with-amissl or --with-rustls to address this.])
;;
x1)
# one SSL backend is enabled
@ -2158,7 +2138,7 @@ Use --with-openssl, --with-gnutls, --with-wolfssl, --with-mbedtls, --with-schann
;;
xD*)
AC_MSG_ERROR([--without-ssl has been set together with an explicit option to use an ssl library
(e.g. --with-openssl, --with-gnutls, --with-wolfssl, --with-mbedtls, --with-schannel, --with-secure-transport, --with-amissl, --with-bearssl, --with-rustls).
(e.g. --with-openssl, --with-gnutls, --with-wolfssl, --with-mbedtls, --with-schannel, --with-amissl, --with-rustls).
Since these are conflicting parameters, verify which is the desired one and drop the other.])
;;
*)
@ -2654,8 +2634,6 @@ AS_HELP_STRING([--disable-versioned-symbols], [Disable versioned symbols in shar
versioned_symbols_flavour="OPENSSL_"
elif test "x$MBEDTLS_ENABLED" = "x1"; then
versioned_symbols_flavour="MBEDTLS_"
elif test "x$BEARSSL_ENABLED" = "x1"; then
versioned_symbols_flavour="BEARSSL_"
elif test "x$WOLFSSL_ENABLED" = "x1"; then
versioned_symbols_flavour="WOLFSSL_"
elif test "x$GNUTLS_ENABLED" = "x1"; then
@ -5227,7 +5205,6 @@ use_curl_ntlm_core=no
if test "x$CURL_DISABLE_NTLM" != "x1"; then
if test "x$OPENSSL_ENABLED" = "x1" -o "x$MBEDTLS_ENABLED" = "x1" \
-o "x$GNUTLS_ENABLED" = "x1" \
-o "x$SECURETRANSPORT_ENABLED" = "x1" \
-o "x$USE_WIN32_CRYPTO" = "x1" \
-o "x$HAVE_WOLFSSL_DES_ECB_ENCRYPT" = "x1"; then
use_curl_ntlm_core=yes
@ -5265,9 +5242,7 @@ if test "x$CURL_DISABLE_HTTP" != "x1"; then
if test "x$https_proxy" != "xno"; then
if test "x$OPENSSL_ENABLED" = "x1" \
-o "x$GNUTLS_ENABLED" = "x1" \
-o "x$SECURETRANSPORT_ENABLED" = "x1" \
-o "x$RUSTLS_ENABLED" = "x1" \
-o "x$BEARSSL_ENABLED" = "x1" \
-o "x$SCHANNEL_ENABLED" = "x1" \
-o "x$GNUTLS_ENABLED" = "x1" \
-o "x$MBEDTLS_ENABLED" = "x1"; then
@ -5571,14 +5546,6 @@ AC_MSG_NOTICE([Configured to build curl/libcurl:
Features: ${SUPPORT_FEATURES}
])
# grep -o would simplify this, but is nonportable
[non13=`echo "$TLSCHOICE" | $AWK '{split("bearssl secure-transport", a); for (i in a) if(match(tolower($0), a[i])) print a[i];}'`]
if test -n "$non13"; then
for a in $non13; do
AC_MSG_WARN([$a is enabled for TLS but it does not support TLS 1.3])
done
fi
if test -n "$experimental"; then
for a in $experimental; do
AC_MSG_WARN([$a is enabled but marked EXPERIMENTAL. Use with caution!])
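Review bot: In the `https_proxy` hunk the surviving condition tests `"x$GNUTLS_ENABLED" = "x1"` twice, once on the line kept directly after `OPENSSL_ENABLED` and again just before `MBEDTLS_ENABLED`; with the Secure Transport and BearSSL lines gone the duplicate is the only oddity left in that list, so one of the two `-o "x$GNUTLS_ENABLED" = "x1" \` lines should be dropped here. That `if` block starts and ends outside the hunk. Removing the `CURL_WITH_SECURETRANSPORT` and `CURL_WITH_BEARSSL` invocations together with their `AC_ARG_WITH` entries means `--with-secure-transport` and `--with-bearssl` are now unknown options, which autoconf only reports in its end-of-run "unrecognized options" warning; the "TLS not detected" error message is the natural place to add one sentence telling upgrading users that those two backends were removed.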


@ -96,8 +96,7 @@ are NULL ciphers, offering no encryption whatsoever.)
### TLS 1.2 (1.1, 1.0) cipher suites
Setting TLS 1.2 cipher suites is supported by curl with OpenSSL, LibreSSL,
BoringSSL, mbedTLS (curl 8.8.0+), wolfSSL (curl 7.53.0+),
Secure Transport (curl 7.77.0+) and BearSSL (curl 7.83.0+). Schannel does not
BoringSSL, mbedTLS (curl 8.8.0+), wolfSSL (curl 7.53.0+). Schannel does not
support setting cipher suites directly, but does support setting algorithms
(curl 7.61.0+), see Schannel notes below.
@ -201,7 +200,7 @@ ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305 \
```
Restrict TLS 1.2 ciphers to `aes128-gcm` and `chacha20`, use default TLS 1.3
ciphers (if TLS 1.3 is available). Works with OpenSSL, LibreSSL, BoringSSL,
mbedTLS, wolfSSL, Secure Transport and BearSSL.
mbedTLS and wolfSSL.
## ciphers, the GnuTLS way
@ -266,8 +265,6 @@ Restrict to only TLS 1.2 with the `CAMELLIA-128-GCM` cipher.
- [wolfSSL cipher support documentation](https://www.wolfssl.com/documentation/manuals/wolfssl/chapter04.html#cipher-support)
- [mbedTLS cipher suites reference](https://mbed-tls.readthedocs.io/projects/api/en/development/api/file/ssl__ciphersuites_8h/)
- [Schannel cipher suites documentation](https://learn.microsoft.com/en-us/windows/win32/secauthn/cipher-suites-in-schannel)
- [BearSSL supported crypto](https://www.bearssl.org/support.html)
- [Secure Transport cipher suite values](https://developer.apple.com/documentation/security/1550981-ssl_cipher_suite_values)
- [IANA cipher suites list](https://www.iana.org/assignments/tls-parameters/tls-parameters.xhtml#tls-parameters-4)
- [Wikipedia cipher suite article](https://en.wikipedia.org/wiki/Cipher_suite)
- [GnuTLS Priority Strings](https://gnutls.org/manual/html_node/Priority-Strings.html)


@ -95,13 +95,11 @@ If the `Protocol` list contains `TLS`, then there must also be a `TLS-backend`
list, specifying `All` or a list of what TLS backends that work with this
option. The available TLS backends are:
- `BearSSL`
- `GnuTLS`
- `mbedTLS`
- `OpenSSL` (also covers BoringSSL, LibreSSL, quictls, AWS-LC and AmiSSL)
- `rustls`
- `Schannel`
- `Secure Transport`
- `wolfSSL`
- `All`: all TLS backends


@ -12,16 +12,9 @@ email the
as soon as possible and explain to us why this is a problem for you and
how your use case cannot be satisfied properly using a workaround.
## TLS libraries without 1.3 support
## Nothing
curl drops support for TLS libraries without TLS 1.3 capability after May
2025.
It requires that a curl build using the library should be able to negotiate
and use TLS 1.3, or else it is not good enough.
As of May 2024, the libraries that need to get fixed to remain supported after
May 2025 are: BearSSL and Secure Transport.
Nothing is currently scheduled to be removed.
## msh3 support
@ -75,3 +68,5 @@ Previous discussion and details: https://github.com/curl/curl/discussions/15972
- NTLM_WB (removed in 8.8.0)
- space-separated `NOPROXY` patterns (removed in 8.9.0)
- hyper (removed in 8.12.0)
- Secure Transport (8.15.0)
- BearSSL (8.15.0)


@ -423,10 +423,9 @@ FAQ
backends.
curl can be built to use one of the following SSL alternatives: OpenSSL,
LibreSSL, BoringSSL, AWS-LC, GnuTLS, wolfSSL, mbedTLS, Secure Transport
(native iOS/macOS), Schannel (native Windows), BearSSL or Rustls. They all
have their pros and cons, and we try to maintain a comparison of them here:
https://curl.se/docs/ssl-compared.html
LibreSSL, BoringSSL, AWS-LC, GnuTLS, wolfSSL, mbedTLS, Schannel (native
Windows) or Rustls. They all have their pros and cons, and we try to
maintain a comparison of them here: https://curl.se/docs/ssl-compared.html
2.3 How do I upgrade curl.exe in Windows?
@ -918,8 +917,8 @@ FAQ
4.9 curl cannot authenticate to a server that requires NTLM?
NTLM support requires OpenSSL, GnuTLS, mbedTLS, Secure Transport, or
Microsoft Windows libraries at build-time to provide this functionality.
NTLM support requires OpenSSL, GnuTLS, mbedTLS or Microsoft Windows
libraries at build-time to provide this functionality.
4.10 My HTTP request using HEAD, PUT or DELETE does not work


@ -235,7 +235,7 @@ target_link_libraries(my_target PRIVATE CURL::libcurl)
- `CURL_COMPLETION_ZSH_DIR`: Custom zsh completion install directory.
- `CURL_DEFAULT_SSL_BACKEND`: Override default TLS backend in MultiSSL builds.
Accepted values in order of default priority:
`wolfssl`, `gnutls`, `mbedtls`, `openssl`, `secure-transport`, `schannel`, `bearssl`, `rustls`
`wolfssl`, `gnutls`, `mbedtls`, `openssl`, `schannel`, `rustls`
- `CURL_ENABLE_EXPORT_TARGET`: Enable CMake export target. Default: `ON`
- `CURL_HIDDEN_SYMBOLS`: Hide libcurl internal symbols (=hide all symbols that are not officially external). Default: `ON`
- `CURL_LIBCURL_SOVERSION`: Enable libcurl SOVERSION. Default: `ON` for supported platforms
@ -354,7 +354,6 @@ Details via CMake
## Dependencies
- `CURL_BROTLI`: Use brotli (`ON`, `OFF` or `AUTO`). Default: `AUTO`
- `CURL_USE_BEARSSL`: Enable BearSSL for SSL/TLS. Default: `OFF`
- `CURL_USE_GNUTLS`: Enable GnuTLS for SSL/TLS. Default: `OFF`
- `CURL_USE_GSASL`: Use libgsasl. Default: `OFF`
- `CURL_USE_GSSAPI`: Use GSSAPI implementation. Default: `OFF`
@ -367,7 +366,6 @@ Details via CMake
- `CURL_USE_PKGCONFIG`: Enable `pkg-config` to detect dependencies. Default: `ON` for Unix (except Android, Apple devices), vcpkg, MinGW if not cross-compiling.
- `CURL_USE_RUSTLS`: Enable Rustls for SSL/TLS. Default: `OFF`
- `CURL_USE_SCHANNEL`: Enable Windows native SSL/TLS (Schannel). Default: `OFF`
- `CURL_USE_SECTRANSP`: Enable Apple OS native SSL/TLS (Secure Transport). Default: `OFF`
- `CURL_USE_WOLFSSH`: Use wolfSSH. Default: `OFF`
- `CURL_USE_WOLFSSL`: Enable wolfSSL for SSL/TLS. Default: `OFF`
- `CURL_ZLIB`: Use zlib (`ON`, `OFF` or `AUTO`). Default: `AUTO`
@ -404,8 +402,6 @@ Details via CMake
- `AMISSL_INCLUDE_DIR`: The AmiSSL include directory.
- `AMISSL_STUBS_LIBRARY`: Path to `amisslstubs` library.
- `AMISSL_AUTO_LIBRARY`: Path to `amisslauto` library.
- `BEARSSL_INCLUDE_DIR`: The BearSSL include directory.
- `BEARSSL_LIBRARY`: Path to `bearssl` library.
- `BROTLI_INCLUDE_DIR`: The brotli include directory.
- `BROTLICOMMON_LIBRARY`: Path to `brotlicommon` library.
- `BROTLIDEC_LIBRARY`: Path to `brotlidec` library.


@ -137,13 +137,11 @@ alter it, you can select how to deal with each individual library.
These options are provided to select the TLS backend to use.
- AmiSSL: `--with-amissl`
- BearSSL: `--with-bearssl`
- GnuTLS: `--with-gnutls`.
- mbedTLS: `--with-mbedtls`
- OpenSSL: `--with-openssl` (also for BoringSSL, AWS-LC, LibreSSL, and quictls)
- rustls: `--with-rustls`
- Schannel: `--with-schannel`
- Secure Transport: `--with-secure-transport`
- wolfSSL: `--with-wolfssl`
You can build curl with *multiple* TLS backends at your choice, but some TLS
@ -396,85 +394,6 @@ support the legacy handshakes and algorithms used by those versions. If you
are using curl in one of those earlier versions of Windows you should choose
another SSL backend such as OpenSSL.
# Apple Platforms (macOS, iOS, tvOS, watchOS, and their simulator counterparts)
On modern Apple operating systems, curl can be built to use Apple's SSL/TLS
implementation, Secure Transport, instead of OpenSSL. To build with Secure
Transport for SSL/TLS, use the configure option `--with-secure-transport`.
When Secure Transport is in use, the curl options `--cacert` and `--capath`
and their libcurl equivalents, are ignored, because Secure Transport uses the
certificates stored in the Keychain to evaluate whether or not to trust the
server. This, of course, includes the root certificates that ship with the OS.
The `--cert` and `--engine` options, and their libcurl equivalents, are
currently unimplemented in curl with Secure Transport.
In general, a curl build for an Apple `ARCH/SDK/DEPLOYMENT_TARGET` combination
can be taken by providing appropriate values for `ARCH`, `SDK`, `DEPLOYMENT_TARGET`
below and running the commands:
```bash
# Set these three according to your needs
export ARCH=x86_64
export SDK=macosx
export DEPLOYMENT_TARGET=10.8
export CFLAGS="-arch $ARCH -isysroot $(xcrun -sdk $SDK --show-sdk-path) -m$SDK-version-min=$DEPLOYMENT_TARGET"
./configure --host=$ARCH-apple-darwin --prefix $(pwd)/artifacts --with-secure-transport
make -j8
make install
```
With CMake:
```bash
cmake . \
-DCMAKE_OSX_ARCHITECTURES=x86_64 \
-DCMAKE_OSX_DEPLOYMENT_TARGET=10.8 \
-DCMAKE_OSX_SYSROOT="$(xcrun --sdk macosx --show-sdk-path)"
```
The above command lines build curl for macOS platform with `x86_64`
architecture and `10.8` as deployment target.
Here is an example for iOS device:
```bash
export ARCH=arm64
export SDK=iphoneos
export DEPLOYMENT_TARGET=11.0
export CFLAGS="-arch $ARCH -isysroot $(xcrun -sdk $SDK --show-sdk-path) -m$SDK-version-min=$DEPLOYMENT_TARGET"
./configure --host=$ARCH-apple-darwin --prefix $(pwd)/artifacts --with-secure-transport
make -j8
make install
```
With CMake (3.16 or upper recommended):
```bash
cmake . \
-DCMAKE_SYSTEM_NAME=iOS \
-DCMAKE_OSX_ARCHITECTURES=arm64 \
-DCMAKE_OSX_DEPLOYMENT_TARGET=11.0
```
Another example for watchOS simulator for macs with Apple Silicon:
```bash
export ARCH=arm64
export SDK=watchsimulator
export DEPLOYMENT_TARGET=5.0
export CFLAGS="-arch $ARCH -isysroot $(xcrun -sdk $SDK --show-sdk-path) -m$SDK-version-min=$DEPLOYMENT_TARGET"
./configure --host=$ARCH-apple-darwin --prefix $(pwd)/artifacts --with-secure-transport
make -j8
make install
```
In all above, the built libraries and executables can be found in the
`artifacts` folder.
# Android
When building curl for Android you can you CMake or curl's `configure` script.


@ -15,8 +15,7 @@ problems may have been fixed or changed somewhat since this was written.
2. TLS
2.1 IMAPS connection fails with Rustls error
2.3 Unable to use PKCS12 certificate with Secure Transport
2.4 Secure Transport does not import PKCS#12 client certificates without a password
2.5 Client cert handling with Issuer DN differs between backends
2.7 Client cert (MTLS) issues with Schannel
2.11 Schannel TLS 1.2 handshake bug in old Windows versions
2.13 CURLOPT_CERTINFO results in CURLE_OUT_OF_MEMORY with Schannel
@ -53,7 +52,6 @@ problems may have been fixed or changed somewhat since this was written.
6.9 SHA-256 digest not supported in Windows SSPI builds
6.10 curl never completes Negotiate over HTTP
6.11 Negotiate on Windows fails
6.12 cannot use Secure Transport with Crypto Token Kit
6.13 Negotiate against Hadoop HDFS
7. FTP
@ -122,15 +120,13 @@ problems may have been fixed or changed somewhat since this was written.
https://github.com/curl/curl/issues/10457
2.3 Unable to use PKCS12 certificate with Secure Transport
2.5 Client cert handling with Issuer DN differs between backends
See https://github.com/curl/curl/issues/5403
When the specified client certificate does not match any of the
server-specified DNs, the OpenSSL and GnuTLS backends behave differently.
The github discussion may contain a solution.
2.4 Secure Transport does not import PKCS#12 client certificates without a password
libcurl calls SecPKCS12Import with the PKCS#12 client certificate, but that
function rejects certificates that do not have a password.
https://github.com/curl/curl/issues/1308
See https://github.com/curl/curl/issues/1411
2.7 Client cert (MTLS) issues with Schannel
@ -368,10 +364,6 @@ problems may have been fixed or changed somewhat since this was written.
https://github.com/curl/curl/issues/5881
6.12 cannot use Secure Transport with Crypto Token Kit
https://github.com/curl/curl/issues/7048
6.13 Negotiate authentication against Hadoop HDFS
https://github.com/curl/curl/issues/8264


@ -8,9 +8,9 @@ SPDX-License-Identifier: curl
## Native vs file based
If curl was built with Schannel or Secure Transport support, then curl uses
the system native CA store for verification. All other TLS libraries use a
file based CA store by default.
If curl was built with Schannel support, then curl uses the system native CA
store for verification. All other TLS libraries use a file based CA store by
default.
## Verification
@ -102,17 +102,13 @@ latest Firefox bundle.
## Native CA store
If curl was built with Schannel, Secure Transport or were instructed to use
the native CA Store, then curl uses the certificates that are built into the
OS. These are the same certificates that appear in the Internet Options
control panel (under Windows) or Keychain Access application (under macOS).
Any custom security rules for certificates are honored.
If curl was built with Schannel or was instructed to use the native CA Store,
then curl uses the certificates that are built into the OS. These are the same
certificates that appear in the Internet Options control panel (under Windows)
or Keychain Access application (under macOS). Any custom security rules for
certificates are honored.
Schannel runs CRL checks on certificates unless peer verification is disabled.
Secure Transport on iOS runs OCSP checks on certificates unless peer
verification is disabled. Secure Transport on macOS runs either OCSP or CRL
checks on certificates if those features are enabled, and this behavior can be
adjusted in the preferences of Keychain Access.
## HTTPS proxy


@ -72,8 +72,8 @@ the case insensitive name of the particular backend to use when curl is
invoked. Setting a name that is not a built-in alternative makes curl stay
with the default.
SSL backend names (case-insensitive): **bearssl**, **gnutls**, **mbedtls**,
**openssl**, **rustls**, **schannel**, **secure-transport**, **wolfssl**
SSL backend names (case-insensitive): **gnutls**, **mbedtls**, **openssl**,
**rustls**, **schannel**, **wolfssl**
## `HOME` <dir>
If set, this is used to find the home directory when that is needed. Like when


@ -34,13 +34,7 @@ Current Working Directory, or in any folder along your PATH.
curl 8.11.0 added a build-time option to disable this search behavior, and
another option to restrict search to the application's directory.
(iOS and macOS only) If curl is built against Secure Transport, then this
option is supported for backward compatibility with other SSL engines, but it
should not be set. If the option is not set, then curl uses the certificates
in the system and user Keychain to verify the peer, which is the preferred
method of verifying the peer's certificate chain.
(Schannel only) This option is supported for Schannel in Windows 7 or later
(added in 7.60.0). This option is supported for backward compatibility with
other SSL engines; instead it is recommended to use Windows' store of root
certificates (the default for Schannel).
(Schannel) This option is supported for Schannel in Windows 7 or later (added
in 7.60.0). This option is supported for backward compatibility with other SSL
engines; instead it is recommended to use Windows' store of root certificates
(the default for Schannel).

@ -21,6 +21,6 @@ Example:
Set type of the provided client certificate. PEM, DER, ENG, PROV and P12 are
recognized types.
The default type depends on the TLS backend and is usually PEM, however for
Secure Transport and Schannel it is P12. If --cert is a pkcs11: URI then ENG
or PROV is the default type (depending on OpenSSL version).
The default type depends on the TLS backend and is usually PEM. For Schannel
it is P12. If --cert is a pkcs11: URI then ENG or PROV is the default type
(depending on OpenSSL version).

@ -20,8 +20,7 @@ Example:
# `--cert`
Use the specified client certificate file when getting a file with HTTPS, FTPS
or another SSL-based protocol. The certificate must be in PKCS#12 format if
using Secure Transport, or PEM format if using any other engine. If the
or another SSL-based protocol. The certificate must be PEM format. If the
optional password is not specified, it is queried for on the terminal. Note
that this option assumes a certificate file that is the private key and the
client certificate concatenated. See --cert and --key to specify them
@ -43,14 +42,8 @@ If curl is built against GnuTLS, a PKCS#11 URI can be used to specify
a certificate located in a PKCS#11 device. A string beginning with `pkcs11:`
is interpreted as a PKCS#11 URI.
(iOS and macOS only) If curl is built against Secure Transport, then the
certificate string can either be the name of a certificate/private key in the
system or user keychain, or the path to a PKCS#12-encoded certificate and
private key. If you want to use a file from the current directory, please
precede it with `./` prefix, in order to avoid confusion with a nickname.
(Schannel only) Client certificates must be specified by a path expression to
a certificate store. (Loading *PFX* is not supported; you can import it to a
(Schannel) Client certificates must be specified by a path expression to a
certificate store. (Loading *PFX* is not supported; you can import it to a
store first). You can use "\<store location\>\\<store name\>\\<thumbprint\>"
to refer to a certificate in the system certificates store, for example,
*"CurrentUser\MY\934a7ac6f8a5d579285a74fa61e19f23ddfe8d7a"*. Thumbprint is
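Review bot: The rewritten sentence near the top of the hunk reads "The certificate must be PEM format", which lost its preposition when the Secure Transport clause was cut. Suggest `or another SSL-based protocol. The certificate must be in PEM format. If the`. The --proxy-cert manpage later in this commit picks up the same wording ("must be PEM format") and should get the same fix.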

@ -15,9 +15,8 @@ Example:
# `--false-start`
No TLS backend currently supports this feature.
Use false start during the TLS handshake. False start is a mode where a TLS
client starts sending application data before verifying the server's Finished
message, thus saving a round trip when performing a full handshake.
This functionality is currently only implemented in the Secure Transport (on
iOS 7.0 or later, or macOS 10.9 or later) backend.

@ -28,7 +28,6 @@ interpreted as a PKCS#11 URI. If a PKCS#11 URI is provided, then the --engine
option is set as `pkcs11` if none was provided and the --key-type option is
set as `ENG` or `PROV` if none was provided (depending on OpenSSL version).
If curl is built against Secure Transport or Schannel then this option is
ignored for TLS protocols (HTTPS, etc). Those backends expect the private key
to be already present in the keychain or PKCS#12 file containing the
certificate.
If curl is built against Schannel then this option is ignored for TLS
protocols (HTTPS, etc). That backend expects the private key to be already
present in the keychain or PKCS#12 file containing the certificate.
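Review bot: The new paragraph says the Schannel backend expects the private key "in the keychain or PKCS#12 file", but keychain is the Secure Transport term this commit is removing; the Schannel text elsewhere in this commit (the --cert manpage) describes a certificate store instead. Suggest `protocols (HTTPS, etc). That backend expects the private key to be already` / `present in the certificate store or PKCS#12 file containing the certificate.`. The same leftover wording survives in the CURLOPT_PROXY_SSLKEY ("key chain") and CURLOPT_SSLKEY ("key-chain") hunks further down, and those two also now disagree on whether to keep the "(Windows)" prefix.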

@ -33,14 +33,11 @@ together then the peer is still verified by public key.
PEM/DER support:
OpenSSL and GnuTLS (added in 7.39.0), wolfSSL (added in 7.43.0),
mbedTLS (added in 7.47.0),
Secure Transport macOS 10.7+/iOS 10+ (added in 7.54.1),
Schannel (added in 7.58.1)
mbedTLS (added in 7.47.0), Schannel (added in 7.58.1)
sha256 support:
OpenSSL, GnuTLS and wolfSSL (added in 7.44.0), mbedTLS (added in 7.47.0),
Secure Transport macOS 10.7+/iOS 10+ (added in 7.54.1), Schannel
(added in 7.58.1)
Schannel (added in 7.58.1)
Other SSL backends not supported.

@ -19,8 +19,8 @@ Example:
Set type of the provided client certificate when using HTTPS proxy. PEM, DER,
ENG, PROV and P12 are recognized types.
The default type depends on the TLS backend and is usually PEM, however for
Secure Transport and Schannel it is P12. If --proxy-cert is a pkcs11: URI then
ENG or PROV is the default type (depending on OpenSSL version).
The default type depends on the TLS backend and is usually PEM. For Schannel
it is P12. If --proxy-cert is a pkcs11: URI then ENG or PROV is the default
type (depending on OpenSSL version).
Equivalent to --cert-type but used in HTTPS proxy context.

@ -18,8 +18,7 @@ Example:
# `--proxy-cert`
Use the specified client certificate file when communicating with an HTTPS
proxy. The certificate must be in PKCS#12 format if using Secure Transport, or
PEM format if using any other engine. If the optional password is not
proxy. The certificate must be PEM format. If the optional password is not
specified, it is queried for on the terminal. Use --proxy-key to provide the
private key.

@ -27,9 +27,9 @@ used. (Added in 7.21.7)
Unix domain sockets are supported for socks proxy. Set localhost for the host
part. e.g. socks5h://localhost/path/to/socket.sock
HTTPS proxy support works with the https:// protocol prefix for OpenSSL
and GnuTLS (added in 7.52.0). It also works for BearSSL, mbedTLS, Rustls,
Schannel, Secure Transport and wolfSSL (added in 7.87.0).
HTTPS proxy support works with the https:// protocol prefix for OpenSSL and
GnuTLS (added in 7.52.0). It also works for BearSSL, mbedTLS, Rustls, Schannel
and wolfSSL (added in 7.87.0).
Unrecognized and unsupported proxy protocols cause an error (added in 7.52.0).
Ancient curl versions ignored unknown schemes and used http:// instead.
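Review bot: The rewritten HTTPS-proxy sentence still lists BearSSL among the supported backends even though this commit removes that backend everywhere else; only Secure Transport was dropped from the list. The new text should read `GnuTLS (added in 7.52.0). It also works for mbedTLS, Rustls, Schannel and` / `wolfSSL (added in 7.87.0).`, matching the CURLOPT_PROXY and CURLOPT_PROXYTYPE hunks in this commit, which already omit BearSSL.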

@ -62,7 +62,7 @@ The variables available are:
## `certs`
Output the certificate chain with details. Supported only by the OpenSSL,
GnuTLS, Schannel, Rustls, and Secure Transport backends. (Added in 7.88.0)
GnuTLS, Schannel and Rustls backends. (Added in 7.88.0)
## `conn_id`
The connection identifier last used by the transfer. The connection id is
@ -128,8 +128,7 @@ The http method used in the most recent HTTP request. (Added in 7.72.0)
## `num_certs`
Number of server certificates received in the TLS handshake. Supported only by
the OpenSSL, GnuTLS, Schannel, Rustls and Secure Transport backends.
(Added in 7.88.0)
the OpenSSL, GnuTLS, Schannel and Rustls backends. (Added in 7.88.0)
## `num_connects`
Number of new connects made in the recent transfer. (Added in 7.12.3)

@ -13,7 +13,6 @@ Protocol:
TLS-backend:
- GnuTLS
- OpenSSL
- BearSSL
- wolfSSL
- mbedTLS
Added-in: 8.12.0

@ -13,7 +13,6 @@ Protocol:
TLS-backend:
- GnuTLS
- OpenSSL
- BearSSL
- wolfSSL
- mbedTLS
Added-in: 8.12.0

@ -66,15 +66,15 @@ This does not just mean no other thread that is using libcurl.
# Names
SSL backend names (case-insensitive): BearSSL, GnuTLS, mbedTLS, OpenSSL,
Rustls, Schannel, Secure-Transport, wolfSSL
SSL backend names (case-insensitive): GnuTLS, mbedTLS, OpenSSL, Rustls,
Schannel, wolfSSL
The name "OpenSSL" is used for all versions of OpenSSL and its associated
forks/flavors in this function. OpenSSL, BoringSSL, LibreSSL, quictls and
AmiSSL are all supported by libcurl, but in the eyes of
curl_global_sslset(3) they are all just "OpenSSL". They all mostly
provide the same API. curl_version_info(3) can return more specific info about
the exact OpenSSL flavor and version number in use.
AmiSSL are all supported by libcurl, but in the eyes of curl_global_sslset(3)
they are all just "OpenSSL". They all mostly provide the same API.
curl_version_info(3) can return more specific info about the exact OpenSSL
flavor and version number in use.
# struct
@ -93,11 +93,11 @@ typedef enum {
CURLSSLBACKEND_POLARSSL = 6, /* deprecated */
CURLSSLBACKEND_WOLFSSL = 7,
CURLSSLBACKEND_SCHANNEL = 8,
CURLSSLBACKEND_SECURETRANSPORT = 9,
CURLSSLBACKEND_SECURETRANSPORT = 9, /* deprecated */
CURLSSLBACKEND_AXTLS = 10, /* deprecated */
CURLSSLBACKEND_MBEDTLS = 11,
CURLSSLBACKEND_MESALINK = 12, /* deprecated */
CURLSSLBACKEND_BEARSSL = 13,
CURLSSLBACKEND_BEARSSL = 13, /* deprecated */
CURLSSLBACKEND_RUSTLS = 14
} curl_sslbackend;
~~~

@ -51,8 +51,8 @@ backend at first use. If no selection is done by the program using libcurl,
this variable's selection is used. Setting a name that is not a built-in
alternative makes libcurl stay with the default.
SSL backend names (case-insensitive): BearSSL, GnuTLS, mbedTLS, OpenSSL,
Rustls, Schannel, Secure-Transport, wolfSSL
SSL backend names (case-insensitive): GnuTLS, mbedTLS, OpenSSL, Rustls,
Schannel, wolfSSL
## `HOME`

@ -14,7 +14,6 @@ TLS-backend:
- OpenSSL
- GnuTLS
- Schannel
- Secure Transport
- rustls
Added-in: 7.19.1
---
@ -97,8 +96,8 @@ See also the *certinfo.c* example.
# HISTORY
GnuTLS support added in 7.42.0. Schannel support added in 7.50.0. Secure
Transport support added in 7.79.0. mbedTLS support added in 8.9.0.
GnuTLS support added in 7.42.0. Schannel support added in 7.50.0. mbedTLS
support added in 8.9.0.
# %AVAILABILITY%

@ -11,12 +11,10 @@ See-also:
Protocol:
- TLS
TLS-backend:
- BearSSL
- GnuTLS
- mbedTLS
- OpenSSL
- Schannel
- Secure Transport
- wolfSSL
Added-in: 7.48.0
---
@ -87,10 +85,6 @@ as well:
**CtxtHandle ***
## Secure Transport
**SSLContext ***
## wolfSSL
**SSL ***

@ -35,10 +35,10 @@ CURLcode curl_easy_setopt(CURL *handle, CURLOPT_ALTSVC_CTRL, long bitmask);
Populate the long *bitmask* with the correct set of features to instruct
libcurl how to handle Alt-Svc for the transfers using this handle.
libcurl only accepts Alt-Svc headers over a Secure Transport, meaning
HTTPS. It also only completes a request to an alternative origin if that
origin is properly hosted over HTTPS. These requirements are there to make
sure both the source and the destination are legitimate.
libcurl only accepts Alt-Svc headers over HTTPS. It also only completes a
request to an alternative origin if that origin is properly hosted over HTTPS.
These requirements are there to make sure both the source and the destination
are legitimate.
Alternative services are only used when setting up new connections. If there
exists an existing connection to the host in the connection pool, then that is

@ -42,10 +42,6 @@ accessible file.
This option is by default set to the system path where libcurl's CA
certificate bundle is assumed to be stored, as established at build time.
(iOS and macOS) When curl uses Secure Transport this option is supported. If
the option is not set, then curl uses the certificates in the system and user
Keychain to verify the peer.
(Schannel) This option is supported for Schannel in Windows 7 or later but we
recommend not using it until Windows 8 since it works better starting then.
If the option is not set, then curl uses the certificates in the Windows'
@ -61,8 +57,8 @@ The default value for this can be figured out with CURLINFO_CAINFO(3).
# DEFAULT
Built-in system specific. When curl is built with Secure Transport or
Schannel, this option is not set by default.
Built-in system specific. When curl is built with Schannel, this option is not
set by default.
# %PROTOCOLS%

@ -12,12 +12,10 @@ See-also:
- CURLOPT_SSL_VERIFYHOST (3)
- CURLOPT_SSL_VERIFYPEER (3)
TLS-backend:
- BearSSL
- OpenSSL
- mbedTLS
- rustls
- wolfSSL
- Secure Transport
- Schannel
Added-in: 7.77.0
---
@ -81,9 +79,8 @@ int main(void)
# HISTORY
This option is supported by the BearSSL (since 7.79.0), mbedTLS (since
7.81.0), Rustls (since 7.82.0), wolfSSL (since 8.2.0), OpenSSL, Secure
Transport and Schannel backends.
This option is supported by the mbedTLS (since 7.81.0), Rustls (since 7.82.0),
wolfSSL (since 8.2.0), OpenSSL and Schannel backends.
# %AVAILABILITY%

@ -16,7 +16,6 @@ TLS-backend:
- OpenSSL
- GnuTLS
- Schannel
- Secure Transport
- rustls
Added-in: 7.19.1
---
@ -88,8 +87,7 @@ int main(void)
# HISTORY
Schannel support added in 7.50.0. Secure Transport support added in 7.79.0.
mbedTLS support added in 8.9.0.
Schannel support added in 7.50.0. mbedTLS support added in 8.9.0.
# %AVAILABILITY%

@ -16,7 +16,6 @@ TLS-backend:
- GnuTLS
- wolfSSL
- mbedTLS
- Secure Transport
- Schannel
Added-in: 7.39.0
---
@ -129,8 +128,6 @@ footer:
7.47.0: mbedTLS
7.54.1: Secure Transport on macOS 10.7+/iOS 10+
7.58.1: Schannel
## sha256 support
@ -139,8 +136,6 @@ footer:
7.47.0: mbedTLS
7.54.1: Secure Transport on macOS 10.7+/iOS 10+
7.58.1: Schannel
Other SSL backends not supported.

@ -53,9 +53,8 @@ HTTP Proxy. Default when no scheme or proxy type is specified.
## https://
HTTPS Proxy. (Added in 7.52.0 for OpenSSL and GnuTLS Since 7.87.0, it
also works for BearSSL, mbedTLS, Rustls, Schannel, Secure Transport and
wolfSSL.)
HTTPS Proxy. (Added in 7.52.0 for OpenSSL and GnuTLS Since 7.87.0, it also
works for mbedTLS, Rustls, Schannel and wolfSSL.)
This uses HTTP/1 by default. Setting CURLOPT_PROXYTYPE(3) to
**CURLPROXY_HTTPS2** allows libcurl to negotiate using HTTP/2 with proxy.
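Review bot: The rewrapped sentence keeps the missing full stop between "GnuTLS" and "Since", so the parenthetical still reads as one run-on; the CURLOPT_PROXYTYPE hunk in this commit has the punctuation right. Suggest `HTTPS Proxy. (Added in 7.52.0 for OpenSSL and GnuTLS. Since 7.87.0, it also` / `works for mbedTLS, Rustls, Schannel and wolfSSL.)`.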

@ -35,8 +35,7 @@ HTTP Proxy. Default.
## CURLPROXY_HTTPS
HTTPS Proxy using HTTP/1. (Added in 7.52.0 for OpenSSL and GnuTLS. Since
7.87.0, it also works for BearSSL, mbedTLS, Rustls, Schannel, Secure Transport
and wolfSSL.)
7.87.0, it also works for mbedTLS, Rustls, Schannel and wolfSSL.)
## CURLPROXY_HTTPS2

@ -47,12 +47,6 @@ accessible file.
This option is by default set to the system path where libcurl's CA
certificate bundle is assumed to be stored, as established at build time.
(iOS and macOS only) If curl is built against Secure Transport, then this
option is supported for backward compatibility with other SSL engines, but it
should not be set. If the option is not set, then curl uses the certificates
in the system and user Keychain to verify the peer, which is the preferred
method of verifying the peer's certificate chain.
The application does not have to keep the string around after setting this
option.

@ -19,7 +19,6 @@ Protocol:
TLS-backend:
- OpenSSL
- rustls
- Secure Transport
- Schannel
Added-in: 7.77.0
---

@ -15,7 +15,6 @@ TLS-backend:
- GnuTLS
- mbedTLS
- Schannel
- Secure Transport
- wolfSSL
Added-in: 7.52.0
---
@ -38,13 +37,8 @@ This option is for connecting to an HTTPS proxy, not an HTTPS server.
Pass a pointer to a null-terminated string as parameter. The string should be
the filename of your client certificate used to connect to the HTTPS proxy.
The default format is "P12" on Secure Transport and "PEM" on other engines,
and can be changed with CURLOPT_PROXY_SSLCERTTYPE(3).
With Secure Transport, this can also be the nickname of the certificate you
wish to authenticate with as it is named in the security database. If you want
to use a file from the current directory, please precede it with "./" prefix,
in order to avoid confusion with a nickname.
The default format "PEM", and can be changed with
CURLOPT_PROXY_SSLCERTTYPE(3).
When using a client certificate, you most likely also need to provide a
private key with CURLOPT_PROXY_SSLKEY(3).
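Review bot: The new sentence `The default format "PEM", and can be changed with` is missing its verb after the Secure Transport clause was removed. Suggest `The default format is "PEM" and can be changed with` / `CURLOPT_PROXY_SSLCERTTYPE(3).`, which also matches the phrasing the CURLOPT_SSLCERT hunk uses in this commit.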

@ -15,7 +15,6 @@ TLS-backend:
- GnuTLS
- mbedTLS
- Schannel
- Secure Transport
- wolfSSL
Added-in: 7.52.0
---
@ -37,10 +36,8 @@ CURLcode curl_easy_setopt(CURL *handle, CURLOPT_PROXY_SSLCERTTYPE, char *type);
Pass a pointer to a null-terminated string as parameter. The string should be
the format of your client certificate used when connecting to an HTTPS proxy.
Supported formats are "PEM" and "DER", except with Secure Transport or
Schannel. OpenSSL (versions 0.9.3 and later), Secure Transport (on iOS 5 or
later, or macOS 10.7 or later) and Schannel support "P12" for PKCS#12-encoded
files.
Supported formats are "PEM" and "DER", except with Schannel. OpenSSL and
Schannel support "P12" for PKCS#12-encoded files.
The application does not have to keep the string around after setting this
option.

@ -14,7 +14,6 @@ Protocol:
TLS-backend:
- OpenSSL
- Schannel
- Secure Transport
Added-in: 7.71.0
---
@ -35,9 +34,9 @@ CURLcode curl_easy_setopt(CURL *handle, CURLOPT_PROXY_SSLCERT_BLOB,
Pass a pointer to a curl_blob structure, which contains information (pointer
and size) about a memory block with binary data of the certificate used to
connect to the HTTPS proxy. The format must be "P12" on Secure Transport or
Schannel. The format must be "P12" or "PEM" on OpenSSL. The string "P12" or
"PEM" must be specified with CURLOPT_PROXY_SSLCERTTYPE(3).
connect to the HTTPS proxy. The format must be "P12" on Schannel. The format
must be "P12" or "PEM" on OpenSSL. The string "P12" or "PEM" must be specified
with CURLOPT_PROXY_SSLCERTTYPE(3).
If the blob is initialized with the flags member of struct curl_blob set to
CURL_BLOB_COPY, the application does not have to keep the buffer around after

@ -39,9 +39,9 @@ the filename of your private key used for connecting to the HTTPS proxy. The
default format is "PEM" and can be changed with
CURLOPT_PROXY_SSLKEYTYPE(3).
(Windows, iOS and macOS) This option is ignored by Secure Transport and
Schannel SSL backends because they expect the private key to be already
present in the key chain or PKCS#12 file containing the certificate.
This option is ignored by the Schannel backend because it expects the private
key to be already present in the key chain or PKCS#12 file containing the
certificate.
The application does not have to keep the string around after setting this
option.

@ -12,7 +12,6 @@ Protocol:
- TLS
TLS-backend:
- OpenSSL
- BearSSL
- wolfSSL
Added-in: 7.52.0
---

@ -14,9 +14,7 @@ Protocol:
- TLS
TLS-backend:
- OpenSSL
- BearSSL
- Schannel
- Secure Transport
- wolfSSL
- mbedTLS
- rustls
@ -92,7 +90,7 @@ int main(void)
# HISTORY
OpenSSL support added in 7.52.0.
wolfSSL, Schannel, Secure Transport, and BearSSL support added in 7.87.0
wolfSSL, Schannel support added in 7.87.0
mbedTLS support added in 8.8.0.
Rustls support added in 8.10.0.
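Review bot: The HISTORY line `wolfSSL, Schannel support added in 7.87.0` lost its conjunction and its trailing period when the two removed backends were cut from the list; the surrounding HISTORY lines all end with a full stop. Suggest `wolfSSL and Schannel support added in 7.87.0.`.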

@ -15,7 +15,6 @@ TLS-backend:
- GnuTLS
- mbedTLS
- Schannel
- Secure Transport
- wolfSSL
Added-in: 7.1
---
@ -35,16 +34,10 @@ CURLcode curl_easy_setopt(CURL *handle, CURLOPT_SSLCERT, char *cert);
# DESCRIPTION
Pass a pointer to a null-terminated string as parameter. The string should be
the filename of your client certificate. The default format is `P12` on Secure
Transport and `PEM` on other engines, and can be changed with
CURLOPT_SSLCERTTYPE(3).
the filename of your client certificate. The default format is `PEM` but can
be changed with CURLOPT_SSLCERTTYPE(3).
With Secure Transport, this can also be the nickname of the certificate you
wish to authenticate with as it is named in the security database. If you want
to use a file from the current directory, please precede it with `./` prefix,
in order to avoid confusion with a nickname.
(Schannel only) Client certificates can be specified by a path expression to a
(Schannel) Client certificates can be specified by a path expression to a
certificate store. (You can import *PFX* to a store first). You can use
"\<store location\>\\\<store name\>\\\<thumbprint\>" to refer to a certificate
in the system certificates store, for example,

@ -14,7 +14,6 @@ TLS-backend:
- GnuTLS
- mbedTLS
- Schannel
- Secure Transport
- wolfSSL
Added-in: 7.9.3
---
@ -36,10 +35,9 @@ CURLcode curl_easy_setopt(CURL *handle, CURLOPT_SSLCERTTYPE, char *type);
Pass a pointer to a null-terminated string as parameter. The string should be
the format of your certificate.
Supported formats are "PEM" and "DER", except with Secure Transport or
Schannel. OpenSSL (versions 0.9.3 and later), Secure Transport (on iOS 5 or
later, or macOS 10.7 or later) and Schannel support "P12" for PKCS#12-encoded
files. GnuTLS supports P12 starting with curl 8.11.0.
Supported formats are "PEM" and "DER", except with Schannel. OpenSSL and
Schannel support "P12" for PKCS#12-encoded files. GnuTLS supports P12 starting
with curl 8.11.0.
The application does not have to keep the string around after setting this
option.

@ -12,7 +12,6 @@ Protocol:
- TLS
TLS-backend:
- OpenSSL
- Secure Transport
- Schannel
- mbedTLS
- wolfSSL
@ -35,10 +34,9 @@ CURLcode curl_easy_setopt(CURL *handle, CURLOPT_SSLCERT_BLOB,
# DESCRIPTION
Pass a pointer to a curl_blob structure, which contains (pointer and size) a
client certificate. The format must be "P12" on Secure Transport or
Schannel. The format must be "P12" or "PEM" on OpenSSL. The format must be
"DER" or "PEM" on mbedTLS. The format must be specified with
CURLOPT_SSLCERTTYPE(3).
client certificate. The format must be "P12" on Schannel. The format must be
"P12" or "PEM" on OpenSSL. The format must be "DER" or "PEM" on mbedTLS. The
format must be specified with CURLOPT_SSLCERTTYPE(3).
If the blob is initialized with the flags member of struct curl_blob set to
CURL_BLOB_COPY, the application does not have to keep the buffer around after

@ -36,9 +36,9 @@ Pass a pointer to a null-terminated string as parameter. The string should be
the filename of your private key. The default format is "PEM" and can be
changed with CURLOPT_SSLKEYTYPE(3).
(Windows, iOS and macOS) This option is ignored by Secure Transport and
Schannel SSL backends because they expect the private key to be already present
in the key-chain or PKCS#12 file containing the certificate.
(Windows) This option is ignored by the Schannel SSL backend because it
expects the private key to be already present in the key-chain or PKCS#12 file
containing the certificate.
The application does not have to keep the string around after setting this
option.

@ -12,7 +12,6 @@ Protocol:
- TLS
TLS-backend:
- OpenSSL
- BearSSL
- wolfSSL
Added-in: 7.9.3
---

@ -14,9 +14,7 @@ Protocol:
- TLS
TLS-backend:
- OpenSSL
- BearSSL
- Schannel
- Secure Transport
- wolfSSL
- mbedTLS
- rustls
@ -98,8 +96,6 @@ int main(void)
OpenSSL support added in 7.9.
wolfSSL support added in 7.53.0.
Schannel support added in 7.61.0.
Secure Transport support added in 7.77.0.
BearSSL support added in 7.83.0.
mbedTLS support added in 8.8.0.
Rustls support added in 8.10.0.

@ -13,7 +13,6 @@ TLS-backend:
- OpenSSL
- wolfSSL
- mbedTLS
- BearSSL
Added-in: 7.10.6
---
@ -118,8 +117,7 @@ int main(void)
# HISTORY
Added in 7.11.0 for OpenSSL, in 7.42.0 for wolfSSL, in 7.54.0 for mbedTLS,
in 7.83.0 in BearSSL.
Added in 7.11.0 for OpenSSL, in 7.42.0 for wolfSSL, in 7.54.0 for mbedTLS.
# %AVAILABILITY%

@ -17,7 +17,6 @@ TLS-backend:
- OpenSSL
- wolfSSL
- mbedTLS
- BearSSL
Added-in: 7.10.6
---
@ -46,10 +45,10 @@ of an SSL connection after having processed all other SSL related options to
give a last chance to an application to modify the behavior of the SSL
initialization. The *ssl_ctx* parameter is a pointer to the SSL library's
*SSL_CTX* for OpenSSL or wolfSSL, a pointer to *mbedtls_ssl_config* for
mbedTLS or a pointer to *br_ssl_client_context* for BearSSL. If an error is
returned from the callback no attempt to establish a connection is made and
the perform operation returns the callback's error code. Set the *clientp*
argument passed in to this callback with the CURLOPT_SSL_CTX_DATA(3) option.
mbedTLS. If an error is returned from the callback no attempt to establish a
connection is made and the perform operation returns the callback's error
code. Set the *clientp* argument passed in to this callback with the
CURLOPT_SSL_CTX_DATA(3) option.
This function gets called for all new connections made to a server, during the
SSL negotiation. While *ssl_ctx* points to a newly initialized object each

@ -9,7 +9,7 @@ See-also:
Protocol:
- TLS
TLS-backend:
- Secure Transport
- none
Added-in: 7.42.0
---
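Review bot: `- none` is a value the TLS-backend list has not carried before in the manpages touched by this commit, so if the manpage tooling checks those entries against the known backend names it will need to accept it. The DESCRIPTION body of this option is outside the hunk; it would benefit from the same sentence the --false-start manpage gains in this commit, `No TLS backend currently supports this feature.`, so readers of the libcurl page get the same information as readers of the tool page.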

@ -73,14 +73,6 @@ A certificate can be set for a numerical IP address (IPv4 or IPv6), but then
it should be a Subject Alternate Name kind and its type should correctly
identify the field as an IP address.
# LIMITATIONS
Secure Transport: If *verify* value is 0, then SNI is also disabled. SNI is a
TLS extension that sends the hostname to the server. The server may use that
information to do such things as sending back a specific certificate for the
hostname, or forwarding the request to a specific origin server. Some
hostnames may be inaccessible if SNI is not sent.
# DEFAULT
2

@ -441,7 +441,6 @@ Features testable here are:
- `aws` - built with **aws-sigv4** support
- `AppleIDN`
- `asyn-rr` - c-ares is used for additional records only
- `bearssl`
- `brotli`
- `c-ares` - c-ares is used for (all) name resolves
- `CharConv`
@ -488,7 +487,6 @@ Features testable here are:
- `PSL`
- `rustls`
- `Schannel`
- `sectransp`
- `shuffle-dns`
- `socks`
- `SPNEGO`

@ -255,8 +255,6 @@ if(BUILD_SHARED_LIBS)
set(CURL_LIBCURL_VERSIONED_SYMBOLS_PREFIX "OPENSSL_")
elseif(CURL_USE_MBEDTLS)
set(CURL_LIBCURL_VERSIONED_SYMBOLS_PREFIX "MBEDTLS_")
elseif(CURL_USE_BEARSSL)
set(CURL_LIBCURL_VERSIONED_SYMBOLS_PREFIX "BEARSSL_")
elseif(CURL_USE_WOLFSSL)
set(CURL_LIBCURL_VERSIONED_SYMBOLS_PREFIX "WOLFSSL_")
elseif(CURL_USE_GNUTLS)

@ -71,7 +71,6 @@ LIB_VAUTH_HFILES = \
vauth/vauth.h
LIB_VTLS_CFILES = \
vtls/bearssl.c \
vtls/cipher_suite.c \
vtls/gtls.c \
vtls/hostcheck.c \
@ -82,7 +81,6 @@ LIB_VTLS_CFILES = \
vtls/rustls.c \
vtls/schannel.c \
vtls/schannel_verify.c \
vtls/sectransp.c \
vtls/vtls.c \
vtls/vtls_scache.c \
vtls/vtls_spack.c \
@ -90,7 +88,6 @@ LIB_VTLS_CFILES = \
vtls/x509asn1.c
LIB_VTLS_HFILES = \
vtls/bearssl.h \
vtls/cipher_suite.h \
vtls/gtls.h \
vtls/hostcheck.h \
@ -101,7 +98,6 @@ LIB_VTLS_HFILES = \
vtls/rustls.h \
vtls/schannel.h \
vtls/schannel_int.h \
vtls/sectransp.h \
vtls/vtls.h \
vtls/vtls_int.h \
vtls/vtls_scache.h \

@ -685,18 +685,12 @@ ${SIZEOF_TIME_T_CODE}
/* if GnuTLS is enabled */
#cmakedefine USE_GNUTLS 1
/* if Secure Transport is enabled */
#cmakedefine USE_SECTRANSP 1
/* if SSL session export support is available */
#cmakedefine USE_SSLS_EXPORT 1
/* if mbedTLS is enabled */
#cmakedefine USE_MBEDTLS 1
/* if BearSSL is enabled */
#cmakedefine USE_BEARSSL 1
/* if Rustls is enabled */
#cmakedefine USE_RUSTLS 1

@ -26,7 +26,6 @@
#if defined(USE_CURL_NTLM_CORE) && \
(defined(USE_GNUTLS) || \
defined(USE_SECTRANSP) || \
defined(USE_OS400CRYPTO) || \
defined(USE_WIN32_CRYPTO))

@ -28,7 +28,6 @@
#if defined(USE_CURL_NTLM_CORE) && \
(defined(USE_GNUTLS) || \
defined(USE_SECTRANSP) || \
defined(USE_OS400CRYPTO) || \
defined(USE_WIN32_CRYPTO))

@ -40,9 +40,8 @@
3. USE_GNUTLS
4. -
5. USE_MBEDTLS
6. USE_SECTRANSP
7. USE_OS400CRYPTO
8. USE_WIN32_CRYPTO
6. USE_OS400CRYPTO
7. USE_WIN32_CRYPTO
This ensures that:
- the same SSL branch gets activated throughout this source
@ -107,11 +106,6 @@
# include <mbedtls/des.h>
#elif defined(USE_SECTRANSP)
# include <CommonCrypto/CommonCryptor.h>
# include <CommonCrypto/CommonDigest.h>
#elif defined(USE_OS400CRYPTO)
# include "cipher.mih" /* mih/cipher */
#elif defined(USE_WIN32_CRYPTO)
@ -209,29 +203,6 @@ static bool encrypt_des(const unsigned char *in, unsigned char *out,
return mbedtls_des_crypt_ecb(&ctx, in, out) == 0;
}
#elif defined(USE_SECTRANSP)
static bool encrypt_des(const unsigned char *in, unsigned char *out,
const unsigned char *key_56)
{
char key[8];
size_t out_len;
CCCryptorStatus err;
/* Expand the 56-bit key to 64 bits */
extend_key_56_to_64(key_56, key);
/* Set the key parity to odd */
Curl_des_set_odd_parity((unsigned char *) key, sizeof(key));
/* Perform the encryption */
err = CCCrypt(kCCEncrypt, kCCAlgorithmDES, kCCOptionECBMode, key,
kCCKeySizeDES, NULL, in, 8 /* inbuflen */, out,
8 /* outbuflen */, &out_len);
return err == kCCSuccess;
}
#elif defined(USE_OS400CRYPTO)
static bool encrypt_des(const unsigned char *in, unsigned char *out,
@ -339,8 +310,8 @@ void Curl_ntlm_core_lm_resp(const unsigned char *keys,
des_encrypt(&des, 8, results + 8, plaintext);
setup_des_key(keys + 14, &des);
des_encrypt(&des, 8, results + 16, plaintext);
#elif defined(USE_MBEDTLS) || defined(USE_SECTRANSP) \
|| defined(USE_OS400CRYPTO) || defined(USE_WIN32_CRYPTO)
#elif defined(USE_MBEDTLS) || defined(USE_OS400CRYPTO) || \
defined(USE_WIN32_CRYPTO)
encrypt_des(plaintext, results, keys);
encrypt_des(plaintext, results + 8, keys + 7);
encrypt_des(plaintext, results + 16, keys + 14);
@ -387,8 +358,8 @@ CURLcode Curl_ntlm_core_mk_lm_hash(const char *password,
des_encrypt(&des, 8, lmbuffer, magic);
setup_des_key(pw + 7, &des);
des_encrypt(&des, 8, lmbuffer + 8, magic);
#elif defined(USE_MBEDTLS) || defined(USE_SECTRANSP) \
|| defined(USE_OS400CRYPTO) || defined(USE_WIN32_CRYPTO)
#elif defined(USE_MBEDTLS) || defined(USE_OS400CRYPTO) || \
defined(USE_WIN32_CRYPTO)
encrypt_des(magic, lmbuffer, pw);
encrypt_des(magic, lmbuffer + 8, pw + 7);
#endif

@ -739,8 +739,8 @@
#endif
#if defined(USE_GNUTLS) || defined(USE_OPENSSL) || defined(USE_MBEDTLS) || \
defined(USE_WOLFSSL) || defined(USE_SCHANNEL) || defined(USE_SECTRANSP) || \
defined(USE_BEARSSL) || defined(USE_RUSTLS)
defined(USE_WOLFSSL) || defined(USE_SCHANNEL) || \
defined(USE_RUSTLS)
#define USE_SSL /* SSL support has been enabled */
#endif
@ -775,7 +775,7 @@
/* Single point where USE_NTLM definition might be defined */
#ifndef CURL_DISABLE_NTLM
# if defined(USE_OPENSSL) || defined(USE_MBEDTLS) || \
defined(USE_GNUTLS) || defined(USE_SECTRANSP) || \
defined(USE_GNUTLS) || \
defined(USE_OS400CRYPTO) || defined(USE_WIN32_CRYPTO) || \
(defined(USE_WOLFSSL) && defined(HAVE_WOLFSSL_DES_ECB_ENCRYPT))
# define USE_CURL_NTLM_CORE
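Review bot: In the USE_SSL condition at the top of the section, the continuation line now carries only `defined(USE_RUSTLS)`, which fits on the preceding line within the file's line length; the two-line form is a leftover of the removed BEARSSL/SECTRANSP tokens. Suggest collapsing to `defined(USE_WOLFSSL) || defined(USE_SCHANNEL) || defined(USE_RUSTLS)`. The USE_CURL_NTLM_CORE condition in the second hunk has the same shape (`defined(USE_GNUTLS) || \` alone on a line) and could be rewrapped the same way.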

@ -34,9 +34,7 @@
* * GnuTLS
* * wolfSSL
* * Schannel SSPI
* * Secure Transport (Darwin)
* * mbedTLS
* * BearSSL
* * Rustls
* Skip the backend if it does not support the required algorithm */

@ -425,13 +425,11 @@ CURLcode Curl_init_userdefined(struct Curl_easy *data)
/* Set the default CA cert bundle/path detected/specified at build time.
*
* If Schannel or Secure Transport is the selected SSL backend then these
* locations are ignored. We allow setting CA location for Schannel and
* Secure Transport when explicitly specified by the user via
* CURLOPT_CAINFO / --cacert.
* If Schannel is the selected SSL backend then these locations are ignored.
* We allow setting CA location for Schannel when explicitly specified by
* the user via CURLOPT_CAINFO / --cacert.
*/
if(Curl_ssl_backend() != CURLSSLBACKEND_SCHANNEL &&
Curl_ssl_backend() != CURLSSLBACKEND_SECURETRANSPORT) {
if(Curl_ssl_backend() != CURLSSLBACKEND_SCHANNEL) {
#ifdef CURL_CA_BUNDLE
result = Curl_setstropt(&set->str[STRING_SSL_CAFILE], CURL_CA_BUNDLE);
if(result)

@ -1,34 +0,0 @@
#ifndef HEADER_CURL_BEARSSL_H
#define HEADER_CURL_BEARSSL_H
/***************************************************************************
* _ _ ____ _
* Project ___| | | | _ \| |
* / __| | | | |_) | |
* | (__| |_| | _ <| |___
* \___|\___/|_| \_\_____|
*
* Copyright (C) Michael Forney, <mforney@mforney.org>
*
* This software is licensed as described in the file COPYING, which
* you should have received as part of this distribution. The terms
* are also available at https://curl.se/docs/copyright.html.
*
* You may opt to use, copy, modify, merge, publish, distribute and/or sell
* copies of the Software, and permit persons to whom the Software is
* furnished to do so, under the terms of the COPYING file.
*
* This software is distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY
* KIND, either express or implied.
*
* SPDX-License-Identifier: curl
*
***************************************************************************/
#include "../curl_setup.h"
#ifdef USE_BEARSSL
extern const struct Curl_ssl Curl_ssl_bearssl;
#endif /* USE_BEARSSL */
#endif /* HEADER_CURL_BEARSSL_H */


@ -23,8 +23,7 @@
***************************************************************************/
#include "../curl_setup.h"
#if defined(USE_SECTRANSP) || defined(USE_MBEDTLS) || \
defined(USE_BEARSSL) || defined(USE_RUSTLS)
#if defined(USE_MBEDTLS) || defined(USE_RUSTLS)
#include "cipher_suite.h"
#include "../curl_printf.h"
#include "../strcase.h"
@ -90,21 +89,6 @@ static const char *cs_txt =
"CAMELLIA128" "\0"
"CAMELLIA256" "\0"
#endif
#if defined(USE_SECTRANSP)
"40" "\0"
"ADH" "\0"
"AECDH" "\0"
"anon" "\0"
"DES40" "\0"
"DH" "\0"
"DSS" "\0"
"EDH" "\0"
"EXP" "\0"
"EXPORT" "\0"
"IDEA" "\0"
"RC2" "\0"
"RC4" "\0"
#endif
;
/* Indexes of above cs_txt */
enum {
@ -145,21 +129,6 @@ enum {
CS_TXT_IDX_CAMELLIA,
CS_TXT_IDX_CAMELLIA128,
CS_TXT_IDX_CAMELLIA256,
#endif
#if defined(USE_SECTRANSP)
CS_TXT_IDX_40,
CS_TXT_IDX_ADH,
CS_TXT_IDX_AECDH,
CS_TXT_IDX_anon,
CS_TXT_IDX_DES40,
CS_TXT_IDX_DH,
CS_TXT_IDX_DSS,
CS_TXT_IDX_EDH,
CS_TXT_IDX_EXP,
CS_TXT_IDX_EXPORT,
CS_TXT_IDX_IDEA,
CS_TXT_IDX_RC2,
CS_TXT_IDX_RC4,
#endif
CS_TXT_LEN,
};
@ -192,7 +161,7 @@ struct cs_entry {
/* !checksrc! disable COMMANOSPACE all */
static const struct cs_entry cs_list [] = {
/* TLS 1.3 ciphers */
#if defined(USE_SECTRANSP) || defined(USE_MBEDTLS) || defined(USE_RUSTLS)
#if defined(USE_MBEDTLS) || defined(USE_RUSTLS)
CS_ENTRY(0x1301, TLS,AES,128,GCM,SHA256,,,),
CS_ENTRY(0x1302, TLS,AES,256,GCM,SHA384,,,),
CS_ENTRY(0x1303, TLS,CHACHA20,POLY1305,SHA256,,,,),
@ -212,7 +181,7 @@ static const struct cs_entry cs_list [] = {
CS_ENTRY(0xCCA8, ECDHE,RSA,CHACHA20,POLY1305,,,,),
CS_ENTRY(0xCCA9, TLS,ECDHE,ECDSA,WITH,CHACHA20,POLY1305,SHA256,),
CS_ENTRY(0xCCA9, ECDHE,ECDSA,CHACHA20,POLY1305,,,,),
#if defined(USE_SECTRANSP) || defined(USE_MBEDTLS) || defined(USE_BEARSSL)
#if defined(USE_MBEDTLS)
CS_ENTRY(0x002F, TLS,RSA,WITH,AES,128,CBC,SHA,),
CS_ENTRY(0x002F, AES128,SHA,,,,,,),
CS_ENTRY(0x0035, TLS,RSA,WITH,AES,256,CBC,SHA,),
@ -266,7 +235,7 @@ static const struct cs_entry cs_list [] = {
CS_ENTRY(0xC032, TLS,ECDH,RSA,WITH,AES,256,GCM,SHA384),
CS_ENTRY(0xC032, ECDH,RSA,AES256,GCM,SHA384,,,),
#endif
#if defined(USE_SECTRANSP) || defined(USE_MBEDTLS)
#if defined(USE_MBEDTLS)
CS_ENTRY(0x0001, TLS,RSA,WITH,NULL,MD5,,,),
CS_ENTRY(0x0001, NULL,MD5,,,,,,),
CS_ENTRY(0x0002, TLS,RSA,WITH,NULL,SHA,,,),
@ -354,19 +323,7 @@ static const struct cs_entry cs_list [] = {
CS_ENTRY(0xCCAB, TLS,PSK,WITH,CHACHA20,POLY1305,SHA256,,),
CS_ENTRY(0xCCAB, PSK,CHACHA20,POLY1305,,,,,),
#endif
#if defined(USE_SECTRANSP) || defined(USE_BEARSSL)
CS_ENTRY(0x000A, TLS,RSA,WITH,3DES,EDE,CBC,SHA,),
CS_ENTRY(0x000A, DES,CBC3,SHA,,,,,),
CS_ENTRY(0xC003, TLS,ECDH,ECDSA,WITH,3DES,EDE,CBC,SHA),
CS_ENTRY(0xC003, ECDH,ECDSA,DES,CBC3,SHA,,,),
CS_ENTRY(0xC008, TLS,ECDHE,ECDSA,WITH,3DES,EDE,CBC,SHA),
CS_ENTRY(0xC008, ECDHE,ECDSA,DES,CBC3,SHA,,,),
CS_ENTRY(0xC00D, TLS,ECDH,RSA,WITH,3DES,EDE,CBC,SHA),
CS_ENTRY(0xC00D, ECDH,RSA,DES,CBC3,SHA,,,),
CS_ENTRY(0xC012, TLS,ECDHE,RSA,WITH,3DES,EDE,CBC,SHA),
CS_ENTRY(0xC012, ECDHE,RSA,DES,CBC3,SHA,,,),
#endif
#if defined(USE_MBEDTLS) || defined(USE_BEARSSL)
#if defined(USE_MBEDTLS)
CS_ENTRY(0xC09C, TLS,RSA,WITH,AES,128,CCM,,),
CS_ENTRY(0xC09C, AES128,CCM,,,,,,),
CS_ENTRY(0xC09D, TLS,RSA,WITH,AES,256,CCM,,),
@ -384,141 +341,6 @@ static const struct cs_entry cs_list [] = {
CS_ENTRY(0xC0AF, TLS,ECDHE,ECDSA,WITH,AES,256,CCM,8),
CS_ENTRY(0xC0AF, ECDHE,ECDSA,AES256,CCM8,,,,),
#endif
#if defined(USE_SECTRANSP)
/* entries marked bc are backward compatible aliases for old OpenSSL names */
CS_ENTRY(0x0003, TLS,RSA,EXPORT,WITH,RC4,40,MD5,),
CS_ENTRY(0x0003, EXP,RC4,MD5,,,,,),
CS_ENTRY(0x0004, TLS,RSA,WITH,RC4,128,MD5,,),
CS_ENTRY(0x0004, RC4,MD5,,,,,,),
CS_ENTRY(0x0005, TLS,RSA,WITH,RC4,128,SHA,,),
CS_ENTRY(0x0005, RC4,SHA,,,,,,),
CS_ENTRY(0x0006, TLS,RSA,EXPORT,WITH,RC2,CBC,40,MD5),
CS_ENTRY(0x0006, EXP,RC2,CBC,MD5,,,,),
CS_ENTRY(0x0007, TLS,RSA,WITH,IDEA,CBC,SHA,,),
CS_ENTRY(0x0007, IDEA,CBC,SHA,,,,,),
CS_ENTRY(0x0008, TLS,RSA,EXPORT,WITH,DES40,CBC,SHA,),
CS_ENTRY(0x0008, EXP,DES,CBC,SHA,,,,),
CS_ENTRY(0x0009, TLS,RSA,WITH,DES,CBC,SHA,,),
CS_ENTRY(0x0009, DES,CBC,SHA,,,,,),
CS_ENTRY(0x000B, TLS,DH,DSS,EXPORT,WITH,DES40,CBC,SHA),
CS_ENTRY(0x000B, EXP,DH,DSS,DES,CBC,SHA,,),
CS_ENTRY(0x000C, TLS,DH,DSS,WITH,DES,CBC,SHA,),
CS_ENTRY(0x000C, DH,DSS,DES,CBC,SHA,,,),
CS_ENTRY(0x000D, TLS,DH,DSS,WITH,3DES,EDE,CBC,SHA),
CS_ENTRY(0x000D, DH,DSS,DES,CBC3,SHA,,,),
CS_ENTRY(0x000E, TLS,DH,RSA,EXPORT,WITH,DES40,CBC,SHA),
CS_ENTRY(0x000E, EXP,DH,RSA,DES,CBC,SHA,,),
CS_ENTRY(0x000F, TLS,DH,RSA,WITH,DES,CBC,SHA,),
CS_ENTRY(0x000F, DH,RSA,DES,CBC,SHA,,,),
CS_ENTRY(0x0010, TLS,DH,RSA,WITH,3DES,EDE,CBC,SHA),
CS_ENTRY(0x0010, DH,RSA,DES,CBC3,SHA,,,),
CS_ENTRY(0x0011, TLS,DHE,DSS,EXPORT,WITH,DES40,CBC,SHA),
CS_ENTRY(0x0011, EXP,DHE,DSS,DES,CBC,SHA,,),
CS_ENTRY(0x0011, EXP,EDH,DSS,DES,CBC,SHA,,), /* bc */
CS_ENTRY(0x0012, TLS,DHE,DSS,WITH,DES,CBC,SHA,),
CS_ENTRY(0x0012, DHE,DSS,DES,CBC,SHA,,,),
CS_ENTRY(0x0012, EDH,DSS,DES,CBC,SHA,,,), /* bc */
CS_ENTRY(0x0013, TLS,DHE,DSS,WITH,3DES,EDE,CBC,SHA),
CS_ENTRY(0x0013, DHE,DSS,DES,CBC3,SHA,,,),
CS_ENTRY(0x0013, EDH,DSS,DES,CBC3,SHA,,,), /* bc */
CS_ENTRY(0x0014, TLS,DHE,RSA,EXPORT,WITH,DES40,CBC,SHA),
CS_ENTRY(0x0014, EXP,DHE,RSA,DES,CBC,SHA,,),
CS_ENTRY(0x0014, EXP,EDH,RSA,DES,CBC,SHA,,), /* bc */
CS_ENTRY(0x0015, TLS,DHE,RSA,WITH,DES,CBC,SHA,),
CS_ENTRY(0x0015, DHE,RSA,DES,CBC,SHA,,,),
CS_ENTRY(0x0015, EDH,RSA,DES,CBC,SHA,,,), /* bc */
CS_ENTRY(0x0016, TLS,DHE,RSA,WITH,3DES,EDE,CBC,SHA),
CS_ENTRY(0x0016, DHE,RSA,DES,CBC3,SHA,,,),
CS_ENTRY(0x0016, EDH,RSA,DES,CBC3,SHA,,,), /* bc */
CS_ENTRY(0x0017, TLS,DH,anon,EXPORT,WITH,RC4,40,MD5),
CS_ENTRY(0x0017, EXP,ADH,RC4,MD5,,,,),
CS_ENTRY(0x0018, TLS,DH,anon,WITH,RC4,128,MD5,),
CS_ENTRY(0x0018, ADH,RC4,MD5,,,,,),
CS_ENTRY(0x0019, TLS,DH,anon,EXPORT,WITH,DES40,CBC,SHA),
CS_ENTRY(0x0019, EXP,ADH,DES,CBC,SHA,,,),
CS_ENTRY(0x001A, TLS,DH,anon,WITH,DES,CBC,SHA,),
CS_ENTRY(0x001A, ADH,DES,CBC,SHA,,,,),
CS_ENTRY(0x001B, TLS,DH,anon,WITH,3DES,EDE,CBC,SHA),
CS_ENTRY(0x001B, ADH,DES,CBC3,SHA,,,,),
CS_ENTRY(0x0030, TLS,DH,DSS,WITH,AES,128,CBC,SHA),
CS_ENTRY(0x0030, DH,DSS,AES128,SHA,,,,),
CS_ENTRY(0x0031, TLS,DH,RSA,WITH,AES,128,CBC,SHA),
CS_ENTRY(0x0031, DH,RSA,AES128,SHA,,,,),
CS_ENTRY(0x0032, TLS,DHE,DSS,WITH,AES,128,CBC,SHA),
CS_ENTRY(0x0032, DHE,DSS,AES128,SHA,,,,),
CS_ENTRY(0x0034, TLS,DH,anon,WITH,AES,128,CBC,SHA),
CS_ENTRY(0x0034, ADH,AES128,SHA,,,,,),
CS_ENTRY(0x0036, TLS,DH,DSS,WITH,AES,256,CBC,SHA),
CS_ENTRY(0x0036, DH,DSS,AES256,SHA,,,,),
CS_ENTRY(0x0037, TLS,DH,RSA,WITH,AES,256,CBC,SHA),
CS_ENTRY(0x0037, DH,RSA,AES256,SHA,,,,),
CS_ENTRY(0x0038, TLS,DHE,DSS,WITH,AES,256,CBC,SHA),
CS_ENTRY(0x0038, DHE,DSS,AES256,SHA,,,,),
CS_ENTRY(0x003A, TLS,DH,anon,WITH,AES,256,CBC,SHA),
CS_ENTRY(0x003A, ADH,AES256,SHA,,,,,),
CS_ENTRY(0x003E, TLS,DH,DSS,WITH,AES,128,CBC,SHA256),
CS_ENTRY(0x003E, DH,DSS,AES128,SHA256,,,,),
CS_ENTRY(0x003F, TLS,DH,RSA,WITH,AES,128,CBC,SHA256),
CS_ENTRY(0x003F, DH,RSA,AES128,SHA256,,,,),
CS_ENTRY(0x0040, TLS,DHE,DSS,WITH,AES,128,CBC,SHA256),
CS_ENTRY(0x0040, DHE,DSS,AES128,SHA256,,,,),
CS_ENTRY(0x0068, TLS,DH,DSS,WITH,AES,256,CBC,SHA256),
CS_ENTRY(0x0068, DH,DSS,AES256,SHA256,,,,),
CS_ENTRY(0x0069, TLS,DH,RSA,WITH,AES,256,CBC,SHA256),
CS_ENTRY(0x0069, DH,RSA,AES256,SHA256,,,,),
CS_ENTRY(0x006A, TLS,DHE,DSS,WITH,AES,256,CBC,SHA256),
CS_ENTRY(0x006A, DHE,DSS,AES256,SHA256,,,,),
CS_ENTRY(0x006C, TLS,DH,anon,WITH,AES,128,CBC,SHA256),
CS_ENTRY(0x006C, ADH,AES128,SHA256,,,,,),
CS_ENTRY(0x006D, TLS,DH,anon,WITH,AES,256,CBC,SHA256),
CS_ENTRY(0x006D, ADH,AES256,SHA256,,,,,),
CS_ENTRY(0x008A, TLS,PSK,WITH,RC4,128,SHA,,),
CS_ENTRY(0x008A, PSK,RC4,SHA,,,,,),
CS_ENTRY(0x008B, TLS,PSK,WITH,3DES,EDE,CBC,SHA,),
CS_ENTRY(0x008B, PSK,3DES,EDE,CBC,SHA,,,),
CS_ENTRY(0x008E, TLS,DHE,PSK,WITH,RC4,128,SHA,),
CS_ENTRY(0x008E, DHE,PSK,RC4,SHA,,,,),
CS_ENTRY(0x008F, TLS,DHE,PSK,WITH,3DES,EDE,CBC,SHA),
CS_ENTRY(0x008F, DHE,PSK,3DES,EDE,CBC,SHA,,),
CS_ENTRY(0x0092, TLS,RSA,PSK,WITH,RC4,128,SHA,),
CS_ENTRY(0x0092, RSA,PSK,RC4,SHA,,,,),
CS_ENTRY(0x0093, TLS,RSA,PSK,WITH,3DES,EDE,CBC,SHA),
CS_ENTRY(0x0093, RSA,PSK,3DES,EDE,CBC,SHA,,),
CS_ENTRY(0x00A0, TLS,DH,RSA,WITH,AES,128,GCM,SHA256),
CS_ENTRY(0x00A0, DH,RSA,AES128,GCM,SHA256,,,),
CS_ENTRY(0x00A1, TLS,DH,RSA,WITH,AES,256,GCM,SHA384),
CS_ENTRY(0x00A1, DH,RSA,AES256,GCM,SHA384,,,),
CS_ENTRY(0x00A2, TLS,DHE,DSS,WITH,AES,128,GCM,SHA256),
CS_ENTRY(0x00A2, DHE,DSS,AES128,GCM,SHA256,,,),
CS_ENTRY(0x00A3, TLS,DHE,DSS,WITH,AES,256,GCM,SHA384),
CS_ENTRY(0x00A3, DHE,DSS,AES256,GCM,SHA384,,,),
CS_ENTRY(0x00A4, TLS,DH,DSS,WITH,AES,128,GCM,SHA256),
CS_ENTRY(0x00A4, DH,DSS,AES128,GCM,SHA256,,,),
CS_ENTRY(0x00A5, TLS,DH,DSS,WITH,AES,256,GCM,SHA384),
CS_ENTRY(0x00A5, DH,DSS,AES256,GCM,SHA384,,,),
CS_ENTRY(0x00A6, TLS,DH,anon,WITH,AES,128,GCM,SHA256),
CS_ENTRY(0x00A6, ADH,AES128,GCM,SHA256,,,,),
CS_ENTRY(0x00A7, TLS,DH,anon,WITH,AES,256,GCM,SHA384),
CS_ENTRY(0x00A7, ADH,AES256,GCM,SHA384,,,,),
CS_ENTRY(0xC002, TLS,ECDH,ECDSA,WITH,RC4,128,SHA,),
CS_ENTRY(0xC002, ECDH,ECDSA,RC4,SHA,,,,),
CS_ENTRY(0xC007, TLS,ECDHE,ECDSA,WITH,RC4,128,SHA,),
CS_ENTRY(0xC007, ECDHE,ECDSA,RC4,SHA,,,,),
CS_ENTRY(0xC00C, TLS,ECDH,RSA,WITH,RC4,128,SHA,),
CS_ENTRY(0xC00C, ECDH,RSA,RC4,SHA,,,,),
CS_ENTRY(0xC011, TLS,ECDHE,RSA,WITH,RC4,128,SHA,),
CS_ENTRY(0xC011, ECDHE,RSA,RC4,SHA,,,,),
CS_ENTRY(0xC015, TLS,ECDH,anon,WITH,NULL,SHA,,),
CS_ENTRY(0xC015, AECDH,NULL,SHA,,,,,),
CS_ENTRY(0xC016, TLS,ECDH,anon,WITH,RC4,128,SHA,),
CS_ENTRY(0xC016, AECDH,RC4,SHA,,,,,),
CS_ENTRY(0xC017, TLS,ECDH,anon,WITH,3DES,EDE,CBC,SHA),
CS_ENTRY(0xC017, AECDH,DES,CBC3,SHA,,,,),
CS_ENTRY(0xC018, TLS,ECDH,anon,WITH,AES,128,CBC,SHA),
CS_ENTRY(0xC018, AECDH,AES128,SHA,,,,,),
CS_ENTRY(0xC019, TLS,ECDH,anon,WITH,AES,256,CBC,SHA),
CS_ENTRY(0xC019, AECDH,AES256,SHA,,,,,),
#endif
#if defined(USE_MBEDTLS)
/* entries marked ns are "non-standard", they are not in OpenSSL */
CS_ENTRY(0x0041, TLS,RSA,WITH,CAMELLIA,128,CBC,SHA,),
@ -887,5 +709,4 @@ int Curl_cipher_suite_get_str(uint16_t id, char *buf, size_t buf_size,
return r;
}
#endif /* defined(USE_SECTRANSP) || defined(USE_MBEDTLS) || \
defined(USE_BEARSSL) || defined(USE_RUSTLS) */
#endif /* defined(USE_MBEDTLS) || defined(USE_RUSTLS) */
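Review bot: The inner guard `#if defined(USE_MBEDTLS) || defined(USE_RUSTLS)` in front of the TLS 1.3 entries of `cs_list` is, after this change, identical to the file-level guard that now opens the file, so it is always true once the file compiles at all; before the commit it differed because BearSSL was in the outer set but not the inner one. Either drop the inner `#if`/`#endif` pair around the 0x1301–0x1303 entries or keep it with a one-line comment such as `/* kept separate: TLS 1.3 suites, in case a non-1.3 backend is added again */` so the next reader does not hunt for the difference. The same now-redundant guard appears at the top of `test_cs_list` and `test_str_list` in the cipher-suite unit test, and the pre-existing `WANT_PARSEX509` condition in x509asn1.c equals its outer guard as well. The `cs_list` array starts before and ends after the hunks shown here.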


@ -26,8 +26,7 @@
#include "../curl_setup.h"
#if defined(USE_SECTRANSP) || defined(USE_MBEDTLS) || \
defined(USE_BEARSSL) || defined(USE_RUSTLS)
#if defined(USE_MBEDTLS) || defined(USE_RUSTLS)
#include <stdint.h>
/* Lookup IANA id for cipher suite string, returns 0 if not recognized */
@ -43,6 +42,5 @@ uint16_t Curl_cipher_suite_walk_str(const char **str, const char **end);
int Curl_cipher_suite_get_str(uint16_t id, char *buf, size_t buf_size,
bool prefer_rfc);
#endif /* defined(USE_SECTRANSP) || defined(USE_MBEDTLS) || \
defined(USE_BEARSSL) || defined(USE_RUSTLS) */
#endif /* defined(USE_MBEDTLS) || defined(USE_RUSTLS) */
#endif /* HEADER_CURL_CIPHER_SUITE_H */



@ -1,34 +0,0 @@
#ifndef HEADER_CURL_SECTRANSP_H
#define HEADER_CURL_SECTRANSP_H
/***************************************************************************
* _ _ ____ _
* Project ___| | | | _ \| |
* / __| | | | |_) | |
* | (__| |_| | _ <| |___
* \___|\___/|_| \_\_____|
*
* Copyright (C) Nick Zitzmann, <nickzman@gmail.com>.
* Copyright (C) Daniel Stenberg, <daniel@haxx.se>, et al.
*
* This software is licensed as described in the file COPYING, which
* you should have received as part of this distribution. The terms
* are also available at https://curl.se/docs/copyright.html.
*
* You may opt to use, copy, modify, merge, publish, distribute and/or sell
* copies of the Software, and permit persons to whom the Software is
* furnished to do so, under the terms of the COPYING file.
*
* This software is distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY
* KIND, either express or implied.
*
* SPDX-License-Identifier: curl
*
***************************************************************************/
#include "../curl_setup.h"
#ifdef USE_SECTRANSP
extern const struct Curl_ssl Curl_ssl_sectransp;
#endif /* USE_SECTRANSP */
#endif /* HEADER_CURL_SECTRANSP_H */


@ -61,9 +61,7 @@
#include "gtls.h" /* GnuTLS versions */
#include "wolfssl.h" /* wolfSSL versions */
#include "schannel.h" /* Schannel SSPI version */
#include "sectransp.h" /* Secure Transport (Darwin) version */
#include "mbedtls.h" /* mbedTLS versions */
#include "bearssl.h" /* BearSSL versions */
#include "rustls.h" /* Rustls versions */
#include "../slist.h"
@ -988,12 +986,8 @@ const struct Curl_ssl *Curl_ssl =
&Curl_ssl_rustls;
#elif defined(USE_OPENSSL)
&Curl_ssl_openssl;
#elif defined(USE_SECTRANSP)
&Curl_ssl_sectransp;
#elif defined(USE_SCHANNEL)
&Curl_ssl_schannel;
#elif defined(USE_BEARSSL)
&Curl_ssl_bearssl;
#else
#error "Missing struct Curl_ssl for selected SSL backend"
#endif
@ -1011,15 +1005,9 @@ static const struct Curl_ssl *available_backends[] = {
#if defined(USE_OPENSSL)
&Curl_ssl_openssl,
#endif
#if defined(USE_SECTRANSP)
&Curl_ssl_sectransp,
#endif
#if defined(USE_SCHANNEL)
&Curl_ssl_schannel,
#endif
#if defined(USE_BEARSSL)
&Curl_ssl_bearssl,
#endif
#if defined(USE_RUSTLS)
&Curl_ssl_rustls,
#endif


@ -24,17 +24,16 @@
#include "../curl_setup.h"
#if defined(USE_GNUTLS) || defined(USE_WOLFSSL) || \
defined(USE_SCHANNEL) || defined(USE_SECTRANSP) || \
#if defined(USE_GNUTLS) || defined(USE_WOLFSSL) || defined(USE_SCHANNEL) || \
defined(USE_MBEDTLS) || defined(USE_RUSTLS)
#if defined(USE_GNUTLS) || defined(USE_SCHANNEL) || defined(USE_SECTRANSP) || \
defined(USE_MBEDTLS) || defined(USE_WOLFSSL) || defined(USE_RUSTLS)
#if defined(USE_GNUTLS) || defined(USE_SCHANNEL) || defined(USE_MBEDTLS) || \
defined(USE_WOLFSSL) || defined(USE_RUSTLS)
#define WANT_PARSEX509 /* uses Curl_parseX509() */
#endif
#if defined(USE_GNUTLS) || defined(USE_SCHANNEL) || defined(USE_SECTRANSP) || \
defined(USE_MBEDTLS) || defined(USE_RUSTLS)
#if defined(USE_GNUTLS) || defined(USE_SCHANNEL) || defined(USE_MBEDTLS) || \
defined(USE_RUSTLS)
#define WANT_EXTRACT_CERTINFO /* uses Curl_extract_certinfo() */
#endif
@ -1277,5 +1276,5 @@ done:
#endif /* WANT_EXTRACT_CERTINFO */
#endif /* USE_GNUTLS or USE_WOLFSSL or USE_SCHANNEL or USE_SECTRANSP
or USE_MBEDTLS or USE_RUSTLS */
#endif /* USE_GNUTLS or USE_WOLFSSL or USE_SCHANNEL or USE_MBEDTLS or
USE_RUSTLS */


@ -27,8 +27,7 @@
#include "../curl_setup.h"
#if defined(USE_GNUTLS) || defined(USE_WOLFSSL) || \
defined(USE_SCHANNEL) || defined(USE_SECTRANSP) || \
#if defined(USE_GNUTLS) || defined(USE_WOLFSSL) || defined(USE_SCHANNEL) || \
defined(USE_MBEDTLS) || defined(USE_RUSTLS)
#include "../cfilters.h"
@ -79,8 +78,8 @@ CURLcode Curl_verifyhost(struct Curl_cfilter *cf, struct Curl_easy *data,
const char *beg, const char *end);
#ifdef UNITTESTS
#if defined(USE_GNUTLS) || defined(USE_SCHANNEL) || defined(USE_SECTRANSP) || \
defined(USE_MBEDTLS) || defined(USE_RUSTLS)
#if defined(USE_GNUTLS) || defined(USE_SCHANNEL) || defined(USE_MBEDTLS) || \
defined(USE_RUSTLS)
/* used by unit1656.c */
CURLcode Curl_x509_GTime2str(struct dynbuf *store,
@ -91,6 +90,6 @@ CURLcode Curl_x509_getASN1Element(struct Curl_asn1Element *elem,
#endif
#endif
#endif /* USE_GNUTLS or USE_WOLFSSL or USE_SCHANNEL or USE_SECTRANSP
or USE_MBEDTLS or USE_RUSTLS */
#endif /* USE_GNUTLS or USE_WOLFSSL or USE_SCHANNEL or USE_MBEDTLS or
USE_RUSTLS */
#endif /* HEADER_CURL_X509ASN1_H */


@ -1,111 +0,0 @@
#***************************************************************************
# _ _ ____ _
# Project ___| | | | _ \| |
# / __| | | | |_) | |
# | (__| |_| | _ <| |___
# \___|\___/|_| \_\_____|
#
# Copyright (C) Daniel Stenberg, <daniel@haxx.se>, et al.
#
# This software is licensed as described in the file COPYING, which
# you should have received as part of this distribution. The terms
# are also available at https://curl.se/docs/copyright.html.
#
# You may opt to use, copy, modify, merge, publish, distribute and/or sell
# copies of the Software, and permit persons to whom the Software is
# furnished to do so, under the terms of the COPYING file.
#
# This software is distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY
# KIND, either express or implied.
#
# SPDX-License-Identifier: curl
#
#***************************************************************************
AC_DEFUN([CURL_WITH_BEARSSL], [
dnl ----------------------------------------------------
dnl check for BearSSL
dnl ----------------------------------------------------
if test "x$OPT_BEARSSL" != xno; then
_cppflags=$CPPFLAGS
_ldflags=$LDFLAGS
_ldflagspc=$LDFLAGSPC
ssl_msg=
if test X"$OPT_BEARSSL" != Xno; then
if test "$OPT_BEARSSL" = "yes"; then
OPT_BEARSSL=""
fi
if test -z "$OPT_BEARSSL" ; then
dnl check for lib first without setting any new path
AC_CHECK_LIB(bearssl, br_ssl_client_init_full,
dnl libbearssl found, set the variable
[
AC_DEFINE(USE_BEARSSL, 1, [if BearSSL is enabled])
BEARSSL_ENABLED=1
USE_BEARSSL="yes"
ssl_msg="BearSSL"
test bearssl != "$DEFAULT_SSL_BACKEND" || VALID_DEFAULT_SSL_BACKEND=yes
], [], -lbearssl)
fi
addld=""
addlib=""
addcflags=""
bearssllib=""
if test "x$USE_BEARSSL" != "xyes"; then
dnl add the path and test again
addld=-L$OPT_BEARSSL/lib$libsuff
addcflags=-I$OPT_BEARSSL/include
bearssllib=$OPT_BEARSSL/lib$libsuff
LDFLAGS="$LDFLAGS $addld"
LDFLAGSPC="$LDFLAGSPC $addld"
if test "$addcflags" != "-I/usr/include"; then
CPPFLAGS="$CPPFLAGS $addcflags"
fi
AC_CHECK_LIB(bearssl, br_ssl_client_init_full,
[
AC_DEFINE(USE_BEARSSL, 1, [if BearSSL is enabled])
BEARSSL_ENABLED=1
USE_BEARSSL="yes"
ssl_msg="BearSSL"
test bearssl != "$DEFAULT_SSL_BACKEND" || VALID_DEFAULT_SSL_BACKEND=yes
],
[
CPPFLAGS=$_cppflags
LDFLAGS=$_ldflags
LDFLAGSPC=$_ldflagspc
], -lbearssl)
fi
if test "x$USE_BEARSSL" = "xyes"; then
AC_MSG_NOTICE([detected BearSSL])
check_for_ca_bundle=1
LIBS="-lbearssl $LIBS"
if test -n "$bearssllib"; then
dnl when shared libs were found in a path that the run-time
dnl linker doesn't search through, we need to add it to
dnl CURL_LIBRARY_PATH to prevent further configure tests to fail
dnl due to this
if test "x$cross_compiling" != "xyes"; then
CURL_LIBRARY_PATH="$CURL_LIBRARY_PATH:$bearssllib"
export CURL_LIBRARY_PATH
AC_MSG_NOTICE([Added $bearssllib to CURL_LIBRARY_PATH])
fi
fi
fi
fi dnl BearSSL not disabled
test -z "$ssl_msg" || ssl_backends="${ssl_backends:+$ssl_backends, }$ssl_msg"
fi
])


@ -1,46 +0,0 @@
#***************************************************************************
# _ _ ____ _
# Project ___| | | | _ \| |
# / __| | | | |_) | |
# | (__| |_| | _ <| |___
# \___|\___/|_| \_\_____|
#
# Copyright (C) Daniel Stenberg, <daniel@haxx.se>, et al.
#
# This software is licensed as described in the file COPYING, which
# you should have received as part of this distribution. The terms
# are also available at https://curl.se/docs/copyright.html.
#
# You may opt to use, copy, modify, merge, publish, distribute and/or sell
# copies of the Software, and permit persons to whom the Software is
# furnished to do so, under the terms of the COPYING file.
#
# This software is distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY
# KIND, either express or implied.
#
# SPDX-License-Identifier: curl
#
#***************************************************************************
AC_DEFUN([CURL_WITH_SECURETRANSPORT], [
AC_MSG_CHECKING([whether to enable Secure Transport])
if test "x$OPT_SECURETRANSPORT" != xno; then
if test "x$OPT_SECURETRANSPORT" != "xno" &&
(test "x$cross_compiling" != "xno" || test -d "/System/Library/Frameworks/Security.framework"); then
AC_MSG_RESULT(yes)
AC_DEFINE(USE_SECTRANSP, 1, [enable Secure Transport])
ssl_msg="Secure Transport"
test secure-transport != "$DEFAULT_SSL_BACKEND" || VALID_DEFAULT_SSL_BACKEND=yes
SECURETRANSPORT_ENABLED=1
SECURETRANSPORT_LDFLAGS='-framework CoreFoundation -framework CoreServices -framework Security'
LDFLAGS="$LDFLAGS $SECURETRANSPORT_LDFLAGS"
LDFLAGSPC="$LDFLAGSPC $SECURETRANSPORT_LDFLAGS"
else
AC_MSG_RESULT(no)
fi
test -z "$ssl_msg" || ssl_backends="${ssl_backends:+$ssl_backends, }$ssl_msg"
else
AC_MSG_RESULT(no)
fi
])


@ -186,13 +186,11 @@ my %knownprotos = (
);
my %knowntls = (
'BearSSL' => 1,
'GnuTLS' => 1,
'mbedTLS' => 1,
'OpenSSL' => 1,
'rustls' => 1,
'Schannel' => 1,
'Secure Transport' => 1,
'wolfSSL' => 1,
'All' => 1,
'none' => 1,


@ -26,8 +26,6 @@ MooMoo
<features>
SSL
!Schannel
!sectransp
!bearssl
local-http
</features>
<server>


@ -19,7 +19,6 @@ HTTP GET
# SSL with libraries supporting CURLOPT_CERTINFO
<features>
SSL
!bearssl
!wolfssl
</features>
<server>


@ -14,9 +14,7 @@ CRL
<features>
SSL
local-http
!bearssl
!Schannel
!sectransp
!wolfssl
</features>
<server>


@ -24,7 +24,6 @@ nomnom
<features>
SSL
!wolfssl
!bearssl
!mbedtls
</features>
<server>


@ -363,7 +363,6 @@ class TestProxy:
# download via https: proxy (no tunnel) using IP address
@pytest.mark.skipif(condition=not Env.curl_has_feature('HTTPS-proxy'),
reason='curl lacks HTTPS-proxy support')
@pytest.mark.skipif(condition=Env.curl_uses_lib('bearssl'), reason="ip address cert verification not supported")
@pytest.mark.parametrize("proto", ['http/1.1', 'h2'])
def test_10_14_proxys_ip_addr(self, env: Env, httpd, proto):
if proto == 'h2' and not env.curl_uses_lib('nghttp2'):


@ -63,8 +63,6 @@ class TestSSLUse:
exp_resumed = 'Initial' # 1.2 works in LibreSSL, but 1.3 does not, TODO
if env.curl_uses_lib('rustls-ffi'):
exp_resumed = 'Initial' # Rustls does not support sessions, TODO
if env.curl_uses_lib('bearssl') and tls_max == '1.3':
pytest.skip('BearSSL does not support TLSv1.3')
if env.curl_uses_lib('mbedtls') and tls_max == '1.3' and \
not env.curl_lib_version_at_least('mbedtls', '3.6.0'):
pytest.skip('mbedtls TLSv1.3 session resume not working in 3.6.0')
@ -132,8 +130,6 @@ class TestSSLUse:
# use ip address for connect
@pytest.mark.parametrize("proto", ['http/1.1', 'h2', 'h3'])
def test_17_05_good_ip_addr(self, env: Env, proto, httpd, nghttpx):
if env.curl_uses_lib('bearssl'):
pytest.skip("BearSSL does not support cert verification with IP addresses")
if env.curl_uses_lib('mbedtls'):
pytest.skip("mbedTLS does use IP addresses in SNI")
if proto == 'h3' and not env.have_h3():
@ -235,17 +231,9 @@ class TestSSLUse:
elif env.curl_uses_lib('schannel'): # not in CI, so untested
if ciphers12 is not None:
pytest.skip('Schannel does not support setting TLSv1.2 ciphers by name')
elif env.curl_uses_lib('bearssl'):
if tls_proto == 'TLSv1.3':
pytest.skip('BearSSL does not support TLSv1.3')
tls_proto = 'TLSv1.2'
elif env.curl_uses_lib('mbedtls') and not env.curl_lib_version_at_least('mbedtls', '3.6.0'):
if tls_proto == 'TLSv1.3':
pytest.skip('mbedTLS < 3.6.0 does not support TLSv1.3')
elif env.curl_uses_lib('sectransp'): # not in CI, so untested
if tls_proto == 'TLSv1.3':
pytest.skip('Secure Transport does not support TLSv1.3')
tls_proto = 'TLSv1.2'
# test
extra_args = ['--tls13-ciphers', ':'.join(ciphers13)] if ciphers13 else []
extra_args += ['--ciphers', ':'.join(ciphers12)] if ciphers12 else []
@ -308,11 +296,7 @@ class TestSSLUse:
curl = CurlClient(env=env, run_env=run_env)
url = f'https://{env.authority_for(env.domain1, proto)}/curltest/sslinfo'
# SSL backend specifics
if env.curl_uses_lib('bearssl'):
supported = ['TLSv1', 'TLSv1.1', 'TLSv1.2', None]
elif env.curl_uses_lib('sectransp'): # not in CI, so untested
supported = ['TLSv1', 'TLSv1.1', 'TLSv1.2', None]
elif env.curl_uses_lib('gnutls'):
if env.curl_uses_lib('gnutls'):
supported = ['TLSv1', 'TLSv1.1', 'TLSv1.2', 'TLSv1.3']
elif env.curl_uses_lib('quiche'):
supported = ['TLSv1', 'TLSv1.1', 'TLSv1.2', 'TLSv1.3']
@ -420,8 +404,6 @@ class TestSSLUse:
pytest.skip('Libressl resumption does not work inTLSv1.3')
if env.curl_uses_lib('rustls-ffi'):
pytest.skip('rustsls does not expose sessions')
if env.curl_uses_lib('bearssl'):
pytest.skip('BearSSL does not support TLSv1.3')
if env.curl_uses_lib('mbedtls') and \
not env.curl_lib_version_at_least('mbedtls', '3.6.0'):
pytest.skip('mbedtls TLSv1.3 session resume not working before 3.6.0')


@ -574,13 +574,6 @@ sub checksystemfeatures {
$feature{"wolfssl"} = 1;
$feature{"SSLpinning"} = 1;
}
elsif ($libcurl =~ /\sbearssl\b/i) {
$feature{"bearssl"} = 1;
}
elsif ($libcurl =~ /\ssecuretransport\b/i) {
$feature{"sectransp"} = 1;
$feature{"SSLpinning"} = 1;
}
elsif ($libcurl =~ /\s(BoringSSL|AWS-LC)\b/i) {
# OpenSSL compatible API
$feature{"OpenSSL"} = 1;


@ -34,7 +34,7 @@ static void unit_stop(void)
{
}
#if defined(USE_GNUTLS) || defined(USE_SCHANNEL) || defined(USE_SECTRANSP)
#if defined(USE_GNUTLS) || defined(USE_SCHANNEL)
/* cert captured from gdb when connecting to curl.se on October 26
2018 */


@ -35,8 +35,7 @@ static void unit_stop(void)
}
#if defined(USE_GNUTLS) || defined(USE_SCHANNEL) || defined(USE_SECTRANSP) || \
defined(USE_MBEDTLS)
#if defined(USE_GNUTLS) || defined(USE_SCHANNEL) || defined(USE_MBEDTLS)
struct test_spec {
const char *input;


@ -34,8 +34,7 @@ static void unit_stop(void)
{
}
#if defined(USE_SECTRANSP) || defined(USE_MBEDTLS) || \
defined(USE_BEARSSL) || defined(USE_RUSTLS)
#if defined(USE_MBEDTLS) || defined(USE_RUSTLS)
struct test_cs_entry {
uint16_t id;
@ -43,7 +42,7 @@ struct test_cs_entry {
const char *openssl;
};
static const struct test_cs_entry test_cs_list[] = {
#if defined(USE_SECTRANSP) || defined(USE_MBEDTLS) || defined(USE_RUSTLS)
#if defined(USE_MBEDTLS) || defined(USE_RUSTLS)
{ 0x1301, "TLS_AES_128_GCM_SHA256",
NULL },
{ 0x1302, "TLS_AES_256_GCM_SHA384",
@ -67,7 +66,7 @@ static const struct test_cs_entry test_cs_list[] = {
"ECDHE-RSA-CHACHA20-POLY1305" },
{ 0xCCA9, "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256",
"ECDHE-ECDSA-CHACHA20-POLY1305" },
#if defined(USE_SECTRANSP) || defined(USE_MBEDTLS) || defined(USE_BEARSSL)
#if defined(USE_MBEDTLS)
{ 0x002F, "TLS_RSA_WITH_AES_128_CBC_SHA",
"AES128-SHA" },
{ 0x0035, "TLS_RSA_WITH_AES_256_CBC_SHA",
@ -121,7 +120,7 @@ static const struct test_cs_entry test_cs_list[] = {
{ 0xC032, "TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384",
"ECDH-RSA-AES256-GCM-SHA384" },
#endif
#if defined(USE_SECTRANSP) || defined(USE_MBEDTLS)
#if defined(USE_MBEDTLS)
{ 0x0001, "TLS_RSA_WITH_NULL_MD5",
"NULL-MD5" },
{ 0x0002, "TLS_RSA_WITH_NULL_SHA",
@ -209,19 +208,7 @@ static const struct test_cs_entry test_cs_list[] = {
{ 0xCCAB, "TLS_PSK_WITH_CHACHA20_POLY1305_SHA256",
"PSK-CHACHA20-POLY1305" },
#endif
#if defined(USE_SECTRANSP) || defined(USE_BEARSSL)
{ 0x000A, "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
"DES-CBC3-SHA" },
{ 0xC003, "TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA",
"ECDH-ECDSA-DES-CBC3-SHA" },
{ 0xC008, "TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA",
"ECDHE-ECDSA-DES-CBC3-SHA" },
{ 0xC00D, "TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA",
"ECDH-RSA-DES-CBC3-SHA" },
{ 0xC012, "TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA",
"ECDHE-RSA-DES-CBC3-SHA" },
#endif
#if defined(USE_MBEDTLS) || defined(USE_BEARSSL)
#if defined(USE_MBEDTLS)
{ 0xC09C, "TLS_RSA_WITH_AES_128_CCM",
"AES128-CCM" },
{ 0xC09D, "TLS_RSA_WITH_AES_256_CCM",
@ -239,147 +226,6 @@ static const struct test_cs_entry test_cs_list[] = {
{ 0xC0AF, "TLS_ECDHE_ECDSA_WITH_AES_256_CCM_8",
"ECDHE-ECDSA-AES256-CCM8" },
#endif
#if defined(USE_SECTRANSP)
{ 0x0003, "TLS_RSA_EXPORT_WITH_RC4_40_MD5",
"EXP-RC4-MD5" },
{ 0x0004, "TLS_RSA_WITH_RC4_128_MD5",
"RC4-MD5" },
{ 0x0005, "TLS_RSA_WITH_RC4_128_SHA",
"RC4-SHA" },
{ 0x0006, "TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5",
"EXP-RC2-CBC-MD5" },
{ 0x0007, "TLS_RSA_WITH_IDEA_CBC_SHA",
"IDEA-CBC-SHA" },
{ 0x0008, "TLS_RSA_EXPORT_WITH_DES40_CBC_SHA",
"EXP-DES-CBC-SHA" },
{ 0x0009, "TLS_RSA_WITH_DES_CBC_SHA",
"DES-CBC-SHA" },
{ 0x000B, "TLS_DH_DSS_EXPORT_WITH_DES40_CBC_SHA",
"EXP-DH-DSS-DES-CBC-SHA" },
{ 0x000C, "TLS_DH_DSS_WITH_DES_CBC_SHA",
"DH-DSS-DES-CBC-SHA" },
{ 0x000D, "TLS_DH_DSS_WITH_3DES_EDE_CBC_SHA",
"DH-DSS-DES-CBC3-SHA" },
{ 0x000E, "TLS_DH_RSA_EXPORT_WITH_DES40_CBC_SHA",
"EXP-DH-RSA-DES-CBC-SHA" },
{ 0x000F, "TLS_DH_RSA_WITH_DES_CBC_SHA",
"DH-RSA-DES-CBC-SHA" },
{ 0x0010, "TLS_DH_RSA_WITH_3DES_EDE_CBC_SHA",
"DH-RSA-DES-CBC3-SHA" },
{ 0x0011, "TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA",
"EXP-DHE-DSS-DES-CBC-SHA" },
{ 0x0012, "TLS_DHE_DSS_WITH_DES_CBC_SHA",
"DHE-DSS-DES-CBC-SHA" },
{ 0x0013, "TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA",
"DHE-DSS-DES-CBC3-SHA" },
{ 0x0014, "TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA",
"EXP-DHE-RSA-DES-CBC-SHA" },
{ 0x0015, "TLS_DHE_RSA_WITH_DES_CBC_SHA",
"DHE-RSA-DES-CBC-SHA" },
{ 0x0016, "TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA",
"DHE-RSA-DES-CBC3-SHA" },
{ 0x0017, "TLS_DH_anon_EXPORT_WITH_RC4_40_MD5",
"EXP-ADH-RC4-MD5" },
{ 0x0018, "TLS_DH_anon_WITH_RC4_128_MD5",
"ADH-RC4-MD5" },
{ 0x0019, "TLS_DH_anon_EXPORT_WITH_DES40_CBC_SHA",
"EXP-ADH-DES-CBC-SHA" },
{ 0x001A, "TLS_DH_anon_WITH_DES_CBC_SHA",
"ADH-DES-CBC-SHA" },
{ 0x001B, "TLS_DH_anon_WITH_3DES_EDE_CBC_SHA",
"ADH-DES-CBC3-SHA" },
{ 0x0030, "TLS_DH_DSS_WITH_AES_128_CBC_SHA",
"DH-DSS-AES128-SHA" },
{ 0x0031, "TLS_DH_RSA_WITH_AES_128_CBC_SHA",
"DH-RSA-AES128-SHA" },
{ 0x0032, "TLS_DHE_DSS_WITH_AES_128_CBC_SHA",
"DHE-DSS-AES128-SHA" },
{ 0x0034, "TLS_DH_anon_WITH_AES_128_CBC_SHA",
"ADH-AES128-SHA" },
{ 0x0036, "TLS_DH_DSS_WITH_AES_256_CBC_SHA",
"DH-DSS-AES256-SHA" },
{ 0x0037, "TLS_DH_RSA_WITH_AES_256_CBC_SHA",
"DH-RSA-AES256-SHA" },
{ 0x0038, "TLS_DHE_DSS_WITH_AES_256_CBC_SHA",
"DHE-DSS-AES256-SHA" },
{ 0x003A, "TLS_DH_anon_WITH_AES_256_CBC_SHA",
"ADH-AES256-SHA" },
{ 0x003E, "TLS_DH_DSS_WITH_AES_128_CBC_SHA256",
"DH-DSS-AES128-SHA256" },
{ 0x003F, "TLS_DH_RSA_WITH_AES_128_CBC_SHA256",
"DH-RSA-AES128-SHA256" },
{ 0x0040, "TLS_DHE_DSS_WITH_AES_128_CBC_SHA256",
"DHE-DSS-AES128-SHA256" },
{ 0x0068, "TLS_DH_DSS_WITH_AES_256_CBC_SHA256",
"DH-DSS-AES256-SHA256" },
{ 0x0069, "TLS_DH_RSA_WITH_AES_256_CBC_SHA256",
"DH-RSA-AES256-SHA256" },
{ 0x006A, "TLS_DHE_DSS_WITH_AES_256_CBC_SHA256",
"DHE-DSS-AES256-SHA256" },
{ 0x006C, "TLS_DH_anon_WITH_AES_128_CBC_SHA256",
"ADH-AES128-SHA256" },
{ 0x006D, "TLS_DH_anon_WITH_AES_256_CBC_SHA256",
"ADH-AES256-SHA256" },
{ 0x008A, "TLS_PSK_WITH_RC4_128_SHA",
"PSK-RC4-SHA" },
{ 0x008B, "TLS_PSK_WITH_3DES_EDE_CBC_SHA",
"PSK-3DES-EDE-CBC-SHA" },
{ 0x008E, "TLS_DHE_PSK_WITH_RC4_128_SHA",
"DHE-PSK-RC4-SHA" },
{ 0x008F, "TLS_DHE_PSK_WITH_3DES_EDE_CBC_SHA",
"DHE-PSK-3DES-EDE-CBC-SHA" },
{ 0x0092, "TLS_RSA_PSK_WITH_RC4_128_SHA",
"RSA-PSK-RC4-SHA" },
{ 0x0093, "TLS_RSA_PSK_WITH_3DES_EDE_CBC_SHA",
"RSA-PSK-3DES-EDE-CBC-SHA" },
{ 0x00A0, "TLS_DH_RSA_WITH_AES_128_GCM_SHA256",
"DH-RSA-AES128-GCM-SHA256" },
{ 0x00A1, "TLS_DH_RSA_WITH_AES_256_GCM_SHA384",
"DH-RSA-AES256-GCM-SHA384" },
{ 0x00A2, "TLS_DHE_DSS_WITH_AES_128_GCM_SHA256",
"DHE-DSS-AES128-GCM-SHA256" },
{ 0x00A3, "TLS_DHE_DSS_WITH_AES_256_GCM_SHA384",
"DHE-DSS-AES256-GCM-SHA384" },
{ 0x00A4, "TLS_DH_DSS_WITH_AES_128_GCM_SHA256",
"DH-DSS-AES128-GCM-SHA256" },
{ 0x00A5, "TLS_DH_DSS_WITH_AES_256_GCM_SHA384",
"DH-DSS-AES256-GCM-SHA384" },
{ 0x00A6, "TLS_DH_anon_WITH_AES_128_GCM_SHA256",
"ADH-AES128-GCM-SHA256" },
{ 0x00A7, "TLS_DH_anon_WITH_AES_256_GCM_SHA384",
"ADH-AES256-GCM-SHA384" },
{ 0xC002, "TLS_ECDH_ECDSA_WITH_RC4_128_SHA",
"ECDH-ECDSA-RC4-SHA" },
{ 0xC007, "TLS_ECDHE_ECDSA_WITH_RC4_128_SHA",
"ECDHE-ECDSA-RC4-SHA" },
{ 0xC00C, "TLS_ECDH_RSA_WITH_RC4_128_SHA",
"ECDH-RSA-RC4-SHA" },
{ 0xC011, "TLS_ECDHE_RSA_WITH_RC4_128_SHA",
"ECDHE-RSA-RC4-SHA" },
{ 0xC015, "TLS_ECDH_anon_WITH_NULL_SHA",
"AECDH-NULL-SHA" },
{ 0xC016, "TLS_ECDH_anon_WITH_RC4_128_SHA",
"AECDH-RC4-SHA" },
{ 0xC017, "TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA",
"AECDH-DES-CBC3-SHA" },
{ 0xC018, "TLS_ECDH_anon_WITH_AES_128_CBC_SHA",
"AECDH-AES128-SHA" },
{ 0xC019, "TLS_ECDH_anon_WITH_AES_256_CBC_SHA",
"AECDH-AES256-SHA" },
/* Backward compatible aliases (EDH vs DHE) */
{ 0x0011, "TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA",
"EXP-EDH-DSS-DES-CBC-SHA" },
{ 0x0012, "TLS_DHE_DSS_WITH_DES_CBC_SHA",
"EDH-DSS-DES-CBC-SHA" },
{ 0x0013, "TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA",
"EDH-DSS-DES-CBC3-SHA" },
{ 0x0014, "TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA",
"EXP-EDH-RSA-DES-CBC-SHA" },
{ 0x0015, "TLS_DHE_RSA_WITH_DES_CBC_SHA",
"EDH-RSA-DES-CBC-SHA" },
{ 0x0016, "TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA",
"EDH-RSA-DES-CBC3-SHA" },
#endif
#if defined(USE_MBEDTLS)
/* entries marked ns are non-"standard", they are not in OpenSSL */
{ 0x0041, "TLS_RSA_WITH_CAMELLIA_128_CBC_SHA",
@ -608,7 +454,7 @@ struct test_str_entry {
const char *str;
};
static const struct test_str_entry test_str_list[] = {
#if defined(USE_SECTRANSP) || defined(USE_MBEDTLS) || defined(USE_RUSTLS)
#if defined(USE_MBEDTLS) || defined(USE_RUSTLS)
{ 0x1301, "TLS_AES_128_GCM_SHA256"},
{ 0x1302, "TLS_AES_256_GCM_SHA384"},
{ 0x1303, "TLS_CHACHA20_POLY1305_SHA256"},
@ -623,7 +469,7 @@ static const struct test_str_entry test_str_list[] = {
{ 0xC030, "ECDHE-RSA-AES256-GCM-SHA384"},
{ 0xCCA9, "ECDHE-ECDSA-CHACHA20-POLY1305"},
{ 0xCCA8, "ECDHE-RSA-CHACHA20-POLY1305"},
#if defined(USE_SECTRANSP) || defined(USE_MBEDTLS)
#if defined(USE_MBEDTLS)
{ 0x009E, "DHE-RSA-AES128-GCM-SHA256"},
{ 0x009F, "DHE-RSA-AES256-GCM-SHA384"},
#else
@ -635,7 +481,7 @@ static const struct test_str_entry test_str_list[] = {
#else
{ 0x0000, "DHE-RSA-CHACHA20-POLY1305"},
#endif
#if defined(USE_SECTRANSP) || defined(USE_MBEDTLS) || defined(USE_BEARSSL)
#if defined(USE_MBEDTLS)
{ 0xC023, "ECDHE-ECDSA-AES128-SHA256" },
{ 0xC027, "ECDHE-RSA-AES128-SHA256" },
{ 0xC009, "ECDHE-ECDSA-AES128-SHA" },
@ -654,14 +500,14 @@ static const struct test_str_entry test_str_list[] = {
{ 0x0000, "ECDHE-ECDSA-AES256-SHA" },
{ 0x0000, "ECDHE-RSA-AES256-SHA" },
#endif
#if defined(USE_SECTRANSP) || defined(USE_MBEDTLS)
#if defined(USE_MBEDTLS)
{ 0x0067, "DHE-RSA-AES128-SHA256" },
{ 0x006B, "DHE-RSA-AES256-SHA256" },
#else
{ 0x0000, "DHE-RSA-AES128-SHA256" },
{ 0x0000, "DHE-RSA-AES256-SHA256" },
#endif
#if defined(USE_SECTRANSP) || defined(USE_MBEDTLS) || defined(USE_BEARSSL)
#if defined(USE_MBEDTLS)
{ 0x009C, "AES128-GCM-SHA256" },
{ 0x009D, "AES256-GCM-SHA384" },
{ 0x003C, "AES128-SHA256" },
@ -676,11 +522,7 @@ static const struct test_str_entry test_str_list[] = {
{ 0x0000, "AES128-SHA" },
{ 0x0000, "AES256-SHA" },
#endif
#if defined(USE_SECTRANSP) || defined(USE_BEARSSL)
{ 0x000A, "DES-CBC3-SHA" },
#else
{ 0x0000, "DES-CBC3-SHA" },
#endif
{ 0x0000, "GIBBERISH" },
{ 0x0000, "" },
};
@ -785,11 +627,9 @@ UNITTEST_START
}
UNITTEST_STOP
#else /* defined(USE_SECTRANSP) || defined(USE_MBEDTLS) || \
defined(USE_BEARSSL) */
#else /* defined(USE_MBEDTLS) */
UNITTEST_START
UNITTEST_STOP
#endif /* defined(USE_SECTRANSP) || defined(USE_MBEDTLS) || \
defined(USE_BEARSSL) || defined(USE_RUSTLS) */
#endif /* defined(USE_MBEDTLS) || defined(USE_RUSTLS) */