From 48150707948cc1390c816934691524bdfde6c4af Mon Sep 17 00:00:00 2001 From: Viktor Szakats Date: Fri, 1 May 2026 13:25:49 +0200 Subject: [PATCH] tidy-up: sort TLS backends, distros, alphabetically Also: - replace stray [Rr]ustls-ffi with Rustls for consistency. - add AWS-LC to a couple of lists where missing. Closes #21481 --- .github/workflows/http3-linux.yml | 378 +++++++++--------- .github/workflows/linux.yml | 146 +++---- CMakeLists.txt | 26 +- docs/CIPHERS.md | 8 +- docs/CURLDOWN.md | 2 +- docs/ECH.md | 14 +- docs/FAQ.md | 8 +- docs/INSTALL.md | 4 +- docs/cmdline-opts/ca-native.md | 2 +- docs/cmdline-opts/tls-earlydata.md | 4 +- docs/libcurl/curl_global_sslset.md | 10 +- .../libcurl/opts/CURLOPT_PROXY_SSL_OPTIONS.md | 6 +- docs/libcurl/opts/CURLOPT_SSL_OPTIONS.md | 12 +- lib/dllmain.c | 2 +- lib/ldap.c | 2 +- lib/vquic/curl_ngtcp2.c | 6 +- lib/vtls/openssl.c | 16 +- lib/vtls/openssl.h | 6 +- m4/curl-openssl.m4 | 34 +- tests/libtest/lib1587.c | 2 +- tests/runtests.pl | 2 +- 21 files changed, 345 insertions(+), 345 deletions(-) diff --git a/.github/workflows/http3-linux.yml b/.github/workflows/http3-linux.yml index 216cafd664..b4939e8118 100644 --- a/.github/workflows/http3-linux.yml +++ b/.github/workflows/http3-linux.yml 
@@ -36,13 +36,6 @@ env: CURL_CI: github CURL_TEST_MIN: 1850 DO_NOT_TRACK: '1' - # renovate: datasource=github-releases depName=openssl/openssl versioning=semver extractVersion=^openssl-(?.+)$ registryUrl=https://github.com - OPENSSL_VERSION: 4.0.0 - # manually bumped - OPENSSL_PREV_VERSION: 3.6.2 - OPENSSL_PREV_SHA256: aaf51a1fe064384f811daeaeb4ec4dce7340ec8bd893027eee676af31e83a04f - # renovate: datasource=github-tags depName=libressl/portable versioning=semver registryUrl=https://github.com - LIBRESSL_VERSION: 4.3.1 # renovate: datasource=github-tags depName=awslabs/aws-lc versioning=semver registryUrl=https://github.com AWSLC_VERSION: 1.73.0 # renovate: datasource=github-tags depName=google/boringssl versioning=semver registryUrl=https://github.com @@ -51,6 +44,15 @@ env: NETTLE_VERSION: 3.10.2 # renovate: datasource=github-tags depName=gnutls/gnutls versioning=semver extractVersion=^nettle_?(?.+)_release_.+$ registryUrl=https://github.com GNUTLS_VERSION: 3.8.11 + # renovate: datasource=github-tags depName=libressl/portable versioning=semver registryUrl=https://github.com + LIBRESSL_VERSION: 4.3.1 + # renovate: datasource=github-releases depName=openssl/openssl versioning=semver extractVersion=^openssl-(?.+)$ registryUrl=https://github.com + OPENSSL_VERSION: 4.0.0 + # manually bumped + OPENSSL_PREV_VERSION: 3.6.2 + OPENSSL_PREV_SHA256: aaf51a1fe064384f811daeaeb4ec4dce7340ec8bd893027eee676af31e83a04f + # renovate: datasource=github-tags depName=cloudflare/quiche versioning=semver registryUrl=https://github.com + QUICHE_VERSION: 0.24.7 # renovate: datasource=github-tags depName=wolfSSL/wolfssl versioning=semver extractVersion=^v?(?.+)-stable$ registryUrl=https://github.com WOLFSSL_VERSION: 5.9.1 # renovate: datasource=github-tags depName=ngtcp2/nghttp3 versioning=semver registryUrl=https://github.com 
@@ -59,8 +61,6 @@ env: NGTCP2_VERSION: 1.22.1 # renovate: datasource=github-tags depName=nghttp2/nghttp2 versioning=semver registryUrl=https://github.com NGHTTP2_VERSION: 1.69.0 - # renovate: datasource=github-tags depName=cloudflare/quiche versioning=semver registryUrl=https://github.com - QUICHE_VERSION: 0.24.7 jobs: build-cache: @@ -68,33 +68,6 @@ jobs: runs-on: ubuntu-latest steps: - - name: 'cache openssl' - uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.5 - id: cache-openssl-http3-no-deprecated - env: - cache-name: cache-openssl-http3-no-deprecated - with: - path: ~/openssl/build - key: ${{ runner.os }}-http3-build-${{ env.cache-name }}-${{ env.OPENSSL_VERSION }} - - - name: 'cache openssl-prev' - uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.5 - id: cache-openssl-prev-http3-no-deprecated - env: - cache-name: cache-openssl-prev-http3-no-deprecated - with: - path: ~/openssl-prev/build - key: ${{ runner.os }}-http3-build-${{ env.cache-name }}-${{ env.OPENSSL_PREV_VERSION }} - - - name: 'cache libressl' - uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.5 - id: cache-libressl - env: - cache-name: cache-libressl - with: - path: ~/libressl/build - key: ${{ runner.os }}-http3-build-${{ env.cache-name }}-${{ env.LIBRESSL_VERSION }} - - name: 'cache awslc' uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.5 id: cache-awslc 
@@ -131,6 +104,33 @@ jobs: path: ~/gnutls/build key: ${{ runner.os }}-http3-build-${{ env.cache-name }}-${{ env.GNUTLS_VERSION }}-${{ env.NETTLE_VERSION }} + - name: 'cache libressl' + uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.5 + id: cache-libressl + env: + cache-name: cache-libressl + with: + path: ~/libressl/build + key: ${{ runner.os }}-http3-build-${{ env.cache-name }}-${{ env.LIBRESSL_VERSION }} + + - name: 'cache openssl' + uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.5 + id: cache-openssl-http3-no-deprecated + env: + cache-name: cache-openssl-http3-no-deprecated + with: + path: ~/openssl/build + key: ${{ runner.os }}-http3-build-${{ env.cache-name }}-${{ env.OPENSSL_VERSION }} + + - name: 'cache openssl-prev' + uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.5 + id: cache-openssl-prev-http3-no-deprecated + env: + cache-name: cache-openssl-prev-http3-no-deprecated + with: + path: ~/openssl-prev/build + key: ${{ runner.os }}-http3-build-${{ env.cache-name }}-${{ env.OPENSSL_PREV_VERSION }} + - name: 'cache wolfssl' uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.5 id: cache-wolfssl @@ -159,15 +159,6 @@ jobs: key: "${{ runner.os }}-http3-build-${{ env.cache-name }}-${{ env.NGTCP2_VERSION }}-${{ env.OPENSSL_VERSION }}-\ ${{ env.LIBRESSL_VERSION }}-${{ env.AWSLC_VERSION }}-${{ env.NETTLE_VERSION }}-${{ env.GNUTLS_VERSION }}-${{ env.WOLFSSL_VERSION }}" - - name: 'cache ngtcp2 openssl-prev' - uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.5 - id: cache-ngtcp2-openssl-prev - env: - cache-name: cache-ngtcp2-openssl-prev - with: - path: ~/ngtcp2-openssl-prev/build - key: ${{ runner.os }}-http3-build-${{ env.cache-name }}-${{ env.NGTCP2_VERSION }}-${{ env.OPENSSL_PREV_VERSION }} - - name: 'cache ngtcp2 boringssl' uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.5 id: cache-ngtcp2-boringssl 
@@ -177,6 +168,15 @@ jobs: path: ~/ngtcp2-boringssl/build key: ${{ runner.os }}-http3-build-${{ env.cache-name }}-${{ env.NGTCP2_VERSION }}-${{ env.BORINGSSL_VERSION }} + - name: 'cache ngtcp2 openssl-prev' + uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.5 + id: cache-ngtcp2-openssl-prev + env: + cache-name: cache-ngtcp2-openssl-prev + with: + path: ~/ngtcp2-openssl-prev/build + key: ${{ runner.os }}-http3-build-${{ env.cache-name }}-${{ env.NGTCP2_VERSION }}-${{ env.OPENSSL_PREV_VERSION }} + - name: 'cache nghttp2' uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.5 id: cache-nghttp2 @@ -189,18 +189,18 @@ jobs: - id: settings if: >- - ${{ steps.cache-openssl-http3-no-deprecated.outputs.cache-hit != 'true' || - steps.cache-openssl-prev-http3-no-deprecated.outputs.cache-hit != 'true' || - steps.cache-libressl.outputs.cache-hit != 'true' || - steps.cache-awslc.outputs.cache-hit != 'true' || + ${{ steps.cache-awslc.outputs.cache-hit != 'true' || steps.cache-boringssl.outputs.cache-hit != 'true' || steps.cache-nettle.outputs.cache-hit != 'true' || steps.cache-gnutls.outputs.cache-hit != 'true' || + steps.cache-libressl.outputs.cache-hit != 'true' || + steps.cache-openssl-http3-no-deprecated.outputs.cache-hit != 'true' || + steps.cache-openssl-prev-http3-no-deprecated.outputs.cache-hit != 'true' || steps.cache-wolfssl.outputs.cache-hit != 'true' || steps.cache-nghttp3.outputs.cache-hit != 'true' || - steps.cache-ngtcp2.outputs.cache-hit != 'true' || - steps.cache-ngtcp2-openssl-prev.outputs.cache-hit != 'true' || steps.cache-ngtcp2-boringssl.outputs.cache-hit != 'true' || + steps.cache-ngtcp2-openssl-prev.outputs.cache-hit != 'true' || + steps.cache-ngtcp2.outputs.cache-hit != 'true' || steps.cache-nghttp2.outputs.cache-hit != 'true' }} run: echo 'needs-build=true' >> "$GITHUB_OUTPUT" 
@@ -221,40 +221,6 @@ jobs: echo 'CC=gcc-12' >> "$GITHUB_ENV" echo 'CXX=g++-12' >> "$GITHUB_ENV" - - name: 'build openssl' - if: ${{ steps.cache-openssl-http3-no-deprecated.outputs.cache-hit != 'true' }} - run: | - cd ~ - git clone --quiet --depth 1 --branch "openssl-${OPENSSL_VERSION}" https://github.com/openssl/openssl - cd openssl - ./config --prefix="$PWD"/build --libdir=lib no-makedepend no-apps no-docs no-tests no-deprecated - make - make -j1 install_sw - - - name: 'build openssl-prev' - if: ${{ steps.cache-openssl-prev-http3-no-deprecated.outputs.cache-hit != 'true' }} - run: | - cd ~ - curl --disable --fail --silent --show-error --connect-timeout 15 --max-time 120 --retry 6 --retry-connrefused \ - --location "https://github.com/openssl/openssl/releases/download/openssl-${OPENSSL_PREV_VERSION}/openssl-${OPENSSL_PREV_VERSION}.tar.gz" --output pkg.bin - sha256sum pkg.bin | tee /dev/stderr | grep -qwF -- "${OPENSSL_PREV_SHA256}" && tar -xzf pkg.bin && rm -f pkg.bin - cd "openssl-${OPENSSL_PREV_VERSION}" - ./config --prefix=/home/runner/openssl-prev/build --libdir=lib no-makedepend no-apps no-docs no-tests no-deprecated - make - make -j1 install_sw - - - name: 'build libressl' - if: ${{ steps.cache-libressl.outputs.cache-hit != 'true' }} - run: | - cd ~ - curl --disable --fail --silent --show-error --connect-timeout 15 --max-time 120 --retry 6 --retry-connrefused \ - --location "https://github.com/libressl/portable/releases/download/v${LIBRESSL_VERSION}/libressl-${LIBRESSL_VERSION}.tar.gz" --output pkg.bin - sha256sum pkg.bin && tar -xzf pkg.bin && rm -f pkg.bin - cd "libressl-${LIBRESSL_VERSION}" - cmake -B . -G Ninja -DLIBRESSL_APPS=OFF -DLIBRESSL_TESTS=OFF -DCMAKE_INSTALL_PREFIX=/home/runner/libressl/build - cmake --build . - cmake --install . - - name: 'build awslc' if: ${{ steps.cache-awslc.outputs.cache-hit != 'true' }} run: | 
@@ -309,6 +275,40 @@ jobs: --disable-guile --disable-doc --disable-tests --disable-tools make install + - name: 'build libressl' + if: ${{ steps.cache-libressl.outputs.cache-hit != 'true' }} + run: | + cd ~ + curl --disable --fail --silent --show-error --connect-timeout 15 --max-time 120 --retry 6 --retry-connrefused \ + --location "https://github.com/libressl/portable/releases/download/v${LIBRESSL_VERSION}/libressl-${LIBRESSL_VERSION}.tar.gz" --output pkg.bin + sha256sum pkg.bin && tar -xzf pkg.bin && rm -f pkg.bin + cd "libressl-${LIBRESSL_VERSION}" + cmake -B . -G Ninja -DLIBRESSL_APPS=OFF -DLIBRESSL_TESTS=OFF -DCMAKE_INSTALL_PREFIX=/home/runner/libressl/build + cmake --build . + cmake --install . + + - name: 'build openssl' + if: ${{ steps.cache-openssl-http3-no-deprecated.outputs.cache-hit != 'true' }} + run: | + cd ~ + git clone --quiet --depth 1 --branch "openssl-${OPENSSL_VERSION}" https://github.com/openssl/openssl + cd openssl + ./config --prefix="$PWD"/build --libdir=lib no-makedepend no-apps no-docs no-tests no-deprecated + make + make -j1 install_sw + + - name: 'build openssl-prev' + if: ${{ steps.cache-openssl-prev-http3-no-deprecated.outputs.cache-hit != 'true' }} + run: | + cd ~ + curl --disable --fail --silent --show-error --connect-timeout 15 --max-time 120 --retry 6 --retry-connrefused \ + --location "https://github.com/openssl/openssl/releases/download/openssl-${OPENSSL_PREV_VERSION}/openssl-${OPENSSL_PREV_VERSION}.tar.gz" --output pkg.bin + sha256sum pkg.bin | tee /dev/stderr | grep -qwF -- "${OPENSSL_PREV_SHA256}" && tar -xzf pkg.bin && rm -f pkg.bin + cd "openssl-${OPENSSL_PREV_VERSION}" + ./config --prefix=/home/runner/openssl-prev/build --libdir=lib no-makedepend no-apps no-docs no-tests no-deprecated + make + make -j1 install_sw + - name: 'build wolfssl' if: ${{ steps.cache-wolfssl.outputs.cache-hit != 'true' }} run: | 
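Review bot: The `build libressl` step still extracts the downloaded archive after `sha256sum pkg.bin && tar -xzf pkg.bin && rm -f pkg.bin`, which only prints the digest and never compares it to anything, while the `build openssl-prev` step moved into the same hunk verifies its tarball with `sha256sum pkg.bin | tee /dev/stderr | grep -qwF -- "${OPENSSL_PREV_SHA256}" && tar -xzf pkg.bin && rm -f pkg.bin`. Since this commit groups the two download-and-build steps next to each other, it is a natural point to make them consistent: add a `LIBRESSL_SHA256` entry to the `env:` block (value to be taken from the upstream release; placeholder until then) and use the same `grep -qwF` pattern in the libressl step. `LIBRESSL_VERSION` is bumped by renovate, so the digest would have to be updated alongside it the way `OPENSSL_PREV_VERSION`/`OPENSSL_PREV_SHA256` are already marked "manually bumped". The enclosing `steps:` list of the build-cache job begins and ends outside this hunk.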
@@ -412,57 +412,6 @@ jobs: fail-fast: false matrix: build: - - name: 'openssl' - tflags: '--min=1700' - LDFLAGS: -Wl,-rpath,/home/runner/openssl/build/lib - PKG_CONFIG_PATH: /home/runner/openssl/build/lib/pkgconfig:/home/runner/nghttp3/build/lib/pkgconfig:/home/runner/nghttp2/build/lib/pkgconfig - configure: >- - --with-openssl=/home/runner/openssl/build --with-ngtcp2=/home/runner/ngtcp2/build --enable-ech --enable-ssls-export - - - name: 'openssl' - install_steps: skipall - PKG_CONFIG_PATH: /home/runner/openssl/build/lib/pkgconfig:/home/runner/nghttp3/build/lib/pkgconfig:/home/runner/ngtcp2/build/lib/pkgconfig:/home/runner/nghttp2/build/lib/pkgconfig - generate: >- - -DOPENSSL_ROOT_DIR=/home/runner/openssl/build -DUSE_NGTCP2=ON - -DCURL_DISABLE_LDAP=ON - -DUSE_ECH=ON - -DCMAKE_UNITY_BUILD=ON - - - name: 'openssl-prev' - install_steps: skipall - LDFLAGS: -Wl,-rpath,/home/runner/openssl-prev/build/lib - PKG_CONFIG_PATH: "\ - /home/runner/openssl-prev/build/lib/pkgconfig:\ - /home/runner/nghttp3/build/lib/pkgconfig:\ - /home/runner/nghttp2-openssl-prev/build/lib/pkgconfig" - configure: >- - --with-openssl=/home/runner/openssl-prev/build --with-ngtcp2=/home/runner/ngtcp2-openssl-prev/build --enable-ssls-export - - - name: 'openssl-prev' - tflags: '--min=1700' - PKG_CONFIG_PATH: "\ - /home/runner/openssl-prev/build/lib/pkgconfig:\ - /home/runner/nghttp3/build/lib/pkgconfig:\ - /home/runner/ngtcp2-openssl-prev/build/lib/pkgconfig:\ - /home/runner/nghttp2/build/lib/pkgconfig" - generate: >- - -DOPENSSL_ROOT_DIR=/home/runner/openssl-prev/build -DUSE_NGTCP2=ON - -DCURL_DISABLE_LDAP=ON - - - name: 'libressl' - install_steps: skipall - LDFLAGS: -Wl,-rpath,/home/runner/libressl/build/lib - PKG_CONFIG_PATH: /home/runner/libressl/build/lib/pkgconfig:/home/runner/nghttp3/build/lib/pkgconfig:/home/runner/nghttp2/build/lib/pkgconfig - # Intentionally using '--with-ngtcp2=' to test this way of configuration, in addition to bare '--with-ngtcp2' + 'PKG_CONFIG_PATH' in other jobs. 
- configure: >- - --with-openssl=/home/runner/libressl/build --with-ngtcp2=/home/runner/ngtcp2/build --enable-ssls-export - --enable-unity - - - name: 'libressl' - PKG_CONFIG_PATH: /home/runner/libressl/build/lib/pkgconfig:/home/runner/nghttp3/build/lib/pkgconfig:/home/runner/ngtcp2/build/lib/pkgconfig:/home/runner/nghttp2/build/lib/pkgconfig - generate: >- - -DOPENSSL_ROOT_DIR=/home/runner/libressl/build -DUSE_NGTCP2=ON - - name: 'awslc' install_steps: skipall LDFLAGS: -Wl,-rpath,/home/runner/awslc/build/lib 
@@ -515,22 +464,56 @@ jobs: -DCURL_USE_GNUTLS=ON -DUSE_NGTCP2=ON -DCURL_USE_LIBSSH=ON -DCMAKE_UNITY_BUILD=ON - - name: 'wolfssl' - install_packages: libssh2-1-dev + - name: 'libressl' install_steps: skipall - LDFLAGS: -Wl,-rpath,/home/runner/wolfssl/build/lib - PKG_CONFIG_PATH: /home/runner/wolfssl/build/lib/pkgconfig:/home/runner/nghttp3/build/lib/pkgconfig:/home/runner/nghttp2/build/lib/pkgconfig + LDFLAGS: -Wl,-rpath,/home/runner/libressl/build/lib + PKG_CONFIG_PATH: /home/runner/libressl/build/lib/pkgconfig:/home/runner/nghttp3/build/lib/pkgconfig:/home/runner/nghttp2/build/lib/pkgconfig + # Intentionally using '--with-ngtcp2=' to test this way of configuration, in addition to bare '--with-ngtcp2' + 'PKG_CONFIG_PATH' in other jobs. configure: >- - --with-wolfssl=/home/runner/wolfssl/build --with-ngtcp2=/home/runner/ngtcp2/build --enable-ech --with-libssh2 --enable-ssls-export + --with-openssl=/home/runner/libressl/build --with-ngtcp2=/home/runner/ngtcp2/build --enable-ssls-export --enable-unity - - name: 'wolfssl' - install_packages: libssh2-1-dev - tflags: '--min=1900' - PKG_CONFIG_PATH: /home/runner/wolfssl/build/lib/pkgconfig:/home/runner/nghttp3/build/lib/pkgconfig:/home/runner/ngtcp2/build/lib/pkgconfig:/home/runner/nghttp2/build/lib/pkgconfig + - name: 'libressl' + PKG_CONFIG_PATH: /home/runner/libressl/build/lib/pkgconfig:/home/runner/nghttp3/build/lib/pkgconfig:/home/runner/ngtcp2/build/lib/pkgconfig:/home/runner/nghttp2/build/lib/pkgconfig generate: >- - -DCURL_USE_WOLFSSL=ON -DUSE_NGTCP2=ON + -DOPENSSL_ROOT_DIR=/home/runner/libressl/build -DUSE_NGTCP2=ON + + - name: 'openssl' + tflags: '--min=1700' + LDFLAGS: -Wl,-rpath,/home/runner/openssl/build/lib + PKG_CONFIG_PATH: /home/runner/openssl/build/lib/pkgconfig:/home/runner/nghttp3/build/lib/pkgconfig:/home/runner/nghttp2/build/lib/pkgconfig + configure: >- + --with-openssl=/home/runner/openssl/build --with-ngtcp2=/home/runner/ngtcp2/build --enable-ech --enable-ssls-export + + - name: 'openssl' + 
install_steps: skipall + PKG_CONFIG_PATH: /home/runner/openssl/build/lib/pkgconfig:/home/runner/nghttp3/build/lib/pkgconfig:/home/runner/ngtcp2/build/lib/pkgconfig:/home/runner/nghttp2/build/lib/pkgconfig + generate: >- + -DOPENSSL_ROOT_DIR=/home/runner/openssl/build -DUSE_NGTCP2=ON + -DCURL_DISABLE_LDAP=ON -DUSE_ECH=ON + -DCMAKE_UNITY_BUILD=ON + + - name: 'openssl-prev' + install_steps: skipall + LDFLAGS: -Wl,-rpath,/home/runner/openssl-prev/build/lib + PKG_CONFIG_PATH: "\ + /home/runner/openssl-prev/build/lib/pkgconfig:\ + /home/runner/nghttp3/build/lib/pkgconfig:\ + /home/runner/nghttp2-openssl-prev/build/lib/pkgconfig" + configure: >- + --with-openssl=/home/runner/openssl-prev/build --with-ngtcp2=/home/runner/ngtcp2-openssl-prev/build --enable-ssls-export + + - name: 'openssl-prev' + tflags: '--min=1700' + PKG_CONFIG_PATH: "\ + /home/runner/openssl-prev/build/lib/pkgconfig:\ + /home/runner/nghttp3/build/lib/pkgconfig:\ + /home/runner/ngtcp2-openssl-prev/build/lib/pkgconfig:\ + /home/runner/nghttp2/build/lib/pkgconfig" + generate: >- + -DOPENSSL_ROOT_DIR=/home/runner/openssl-prev/build -DUSE_NGTCP2=ON + -DCURL_DISABLE_LDAP=ON - name: 'quiche' install_steps: skipall 
@@ -549,6 +532,23 @@ jobs: -DUSE_QUICHE=ON -DCURL_CA_FALLBACK=ON + - name: 'wolfssl' + install_packages: libssh2-1-dev + install_steps: skipall + LDFLAGS: -Wl,-rpath,/home/runner/wolfssl/build/lib + PKG_CONFIG_PATH: /home/runner/wolfssl/build/lib/pkgconfig:/home/runner/nghttp3/build/lib/pkgconfig:/home/runner/nghttp2/build/lib/pkgconfig + configure: >- + --with-wolfssl=/home/runner/wolfssl/build --with-ngtcp2=/home/runner/ngtcp2/build --enable-ech --with-libssh2 --enable-ssls-export + --enable-unity + + - name: 'wolfssl' + install_packages: libssh2-1-dev + tflags: '--min=1900' + PKG_CONFIG_PATH: /home/runner/wolfssl/build/lib/pkgconfig:/home/runner/nghttp3/build/lib/pkgconfig:/home/runner/ngtcp2/build/lib/pkgconfig:/home/runner/nghttp2/build/lib/pkgconfig + generate: >- + -DCURL_USE_WOLFSSL=ON -DUSE_NGTCP2=ON + -DUSE_ECH=ON + steps: - name: 'install prereqs' timeout-minutes: 2 
@@ -570,38 +570,6 @@ jobs: echo 'CC=gcc-12' >> "$GITHUB_ENV" echo 'CXX=g++-12' >> "$GITHUB_ENV" - - name: 'cache openssl' - uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.5 - id: cache-openssl-http3-no-deprecated - env: - cache-name: cache-openssl-http3-no-deprecated - with: - path: ~/openssl/build - key: ${{ runner.os }}-http3-build-${{ env.cache-name }}-${{ env.OPENSSL_VERSION }} - fail-on-cache-miss: true - - - name: 'cache openssl-prev' - if: ${{ contains(matrix.build.name, 'openssl-prev') }} - uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.5 - id: cache-openssl-prev-http3-no-deprecated - env: - cache-name: cache-openssl-prev-http3-no-deprecated - with: - path: ~/openssl-prev/build - key: ${{ runner.os }}-http3-build-${{ env.cache-name }}-${{ env.OPENSSL_PREV_VERSION }} - fail-on-cache-miss: true - - - name: 'cache libressl' - if: ${{ contains(matrix.build.name, 'libressl') }} - uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.5 - id: cache-libressl - env: - cache-name: cache-libressl - with: - path: ~/libressl/build - key: ${{ runner.os }}-http3-build-${{ env.cache-name }}-${{ env.LIBRESSL_VERSION }} - fail-on-cache-miss: true - - name: 'cache awslc' if: ${{ contains(matrix.build.name, 'awslc') }} uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.5 
@@ -646,6 +614,38 @@ jobs: key: ${{ runner.os }}-http3-build-${{ env.cache-name }}-${{ env.GNUTLS_VERSION }}-${{ env.NETTLE_VERSION }} fail-on-cache-miss: true + - name: 'cache libressl' + if: ${{ contains(matrix.build.name, 'libressl') }} + uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.5 + id: cache-libressl + env: + cache-name: cache-libressl + with: + path: ~/libressl/build + key: ${{ runner.os }}-http3-build-${{ env.cache-name }}-${{ env.LIBRESSL_VERSION }} + fail-on-cache-miss: true + + - name: 'cache openssl' + uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.5 + id: cache-openssl-http3-no-deprecated + env: + cache-name: cache-openssl-http3-no-deprecated + with: + path: ~/openssl/build + key: ${{ runner.os }}-http3-build-${{ env.cache-name }}-${{ env.OPENSSL_VERSION }} + fail-on-cache-miss: true + + - name: 'cache openssl-prev' + if: ${{ contains(matrix.build.name, 'openssl-prev') }} + uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.5 + id: cache-openssl-prev-http3-no-deprecated + env: + cache-name: cache-openssl-prev-http3-no-deprecated + with: + path: ~/openssl-prev/build + key: ${{ runner.os }}-http3-build-${{ env.cache-name }}-${{ env.OPENSSL_PREV_VERSION }} + fail-on-cache-miss: true + - name: 'cache wolfssl' if: ${{ contains(matrix.build.name, 'wolfssl') }} uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.5 
@@ -678,17 +678,6 @@ jobs: ${{ env.LIBRESSL_VERSION }}-${{ env.AWSLC_VERSION }}-${{ env.NETTLE_VERSION }}-${{ env.GNUTLS_VERSION }}-${{ env.WOLFSSL_VERSION }}" fail-on-cache-miss: true - - name: 'cache ngtcp2 openssl-prev' - if: ${{ contains(matrix.build.name, 'openssl-prev') }} - uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.5 - id: cache-ngtcp2-openssl-prev - env: - cache-name: cache-ngtcp2-openssl-prev - with: - path: ~/ngtcp2-openssl-prev/build - key: ${{ runner.os }}-http3-build-${{ env.cache-name }}-${{ env.NGTCP2_VERSION }}-${{ env.OPENSSL_PREV_VERSION }} - fail-on-cache-miss: true - - name: 'cache ngtcp2 boringssl' if: ${{ contains(matrix.build.name, 'boringssl') }} uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.5 @@ -700,6 +689,17 @@ jobs: key: ${{ runner.os }}-http3-build-${{ env.cache-name }}-${{ env.NGTCP2_VERSION }}-${{ env.BORINGSSL_VERSION }} fail-on-cache-miss: true + - name: 'cache ngtcp2 openssl-prev' + if: ${{ contains(matrix.build.name, 'openssl-prev') }} + uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.5 + id: cache-ngtcp2-openssl-prev + env: + cache-name: cache-ngtcp2-openssl-prev + with: + path: ~/ngtcp2-openssl-prev/build + key: ${{ runner.os }}-http3-build-${{ env.cache-name }}-${{ env.NGTCP2_VERSION }}-${{ env.OPENSSL_PREV_VERSION }} + fail-on-cache-miss: true + - name: 'cache nghttp2' uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.5 id: cache-nghttp2 diff --git a/.github/workflows/linux.yml b/.github/workflows/linux.yml index 1a7621f25f..14623ac0c1 100644 --- a/.github/workflows/linux.yml +++ b/.github/workflows/linux.yml 
@@ -34,29 +34,29 @@ env: CURL_CI: github CURL_TEST_MIN: 1660 DO_NOT_TRACK: '1' + # renovate: datasource=github-tags depName=awslabs/aws-lc versioning=semver registryUrl=https://github.com + AWSLC_VERSION: 1.73.0 + # renovate: datasource=github-tags depName=google/boringssl versioning=semver registryUrl=https://github.com + BORINGSSL_VERSION: 0.20260508.0 + # renovate: datasource=github-releases depName=pizlonator/fil-c versioning=semver-coerced registryUrl=https://github.com + FIL_C_VERSION: 0.678 # renovate: datasource=github-tags depName=libressl/portable versioning=semver registryUrl=https://github.com LIBRESSL_VERSION: 4.3.1 - # renovate: datasource=github-tags depName=wolfSSL/wolfssl versioning=semver extractVersion=^v?(?.+)-stable$ registryUrl=https://github.com - WOLFSSL_VERSION: 5.9.1 # renovate: datasource=github-tags depName=Mbed-TLS/mbedtls versioning=semver registryUrl=https://github.com MBEDTLS_VERSION: 4.0.0 # manually bumped MBEDTLS_PREV_VERSION: 3.6.5 MBEDTLS_PREV_SHA256: 4a11f1777bb95bf4ad96721cac945a26e04bf19f57d905f241fe77ebeddf46d8 - # renovate: datasource=github-tags depName=awslabs/aws-lc versioning=semver registryUrl=https://github.com - AWSLC_VERSION: 1.73.0 - # renovate: datasource=github-tags depName=google/boringssl versioning=semver registryUrl=https://github.com - BORINGSSL_VERSION: 0.20260508.0 + # renovate: datasource=github-tags depName=nghttp2/nghttp2 versioning=semver registryUrl=https://github.com + NGHTTP2_VERSION: 1.69.0 + # handled in renovate.json + OPENLDAP_VERSION: 2.6.10 # renovate: datasource=github-releases depName=openssl/openssl versioning=semver extractVersion=^openssl-(?.+)$ registryUrl=https://github.com OPENSSL_VERSION: 4.0.0 # renovate: datasource=github-tags depName=rustls/rustls-ffi versioning=semver registryUrl=https://github.com RUSTLS_VERSION: 0.15.3 - # handled in renovate.json - OPENLDAP_VERSION: 2.6.10 - # renovate: datasource=github-tags depName=nghttp2/nghttp2 versioning=semver 
registryUrl=https://github.com - NGHTTP2_VERSION: 1.69.0 - # renovate: datasource=github-releases depName=pizlonator/fil-c versioning=semver-coerced registryUrl=https://github.com - FIL_C_VERSION: 0.678 + # renovate: datasource=github-tags depName=wolfSSL/wolfssl versioning=semver extractVersion=^v?(?.+)-stable$ registryUrl=https://github.com + WOLFSSL_VERSION: 5.9.1 jobs: linux: @@ -72,6 +72,20 @@ jobs: fail-fast: false matrix: build: + - name: 'awslc' + install_steps: awslc pytest + LDFLAGS: -Wl,-rpath,/home/runner/awslc/lib + configure: --with-openssl=/home/runner/awslc --enable-ech --enable-ntlm + + - name: 'awslc' + install_packages: libidn2-dev + install_steps: awslc + generate: -DOPENSSL_ROOT_DIR=/home/runner/awslc -DUSE_ECH=ON -DCMAKE_UNITY_BUILD=OFF -DCURL_DROP_UNUSED=ON -DCURL_PATCHSTAMP=test-patch -DCURL_ENABLE_NTLM=ON + + - name: 'boringssl' + install_steps: boringssl pytest + generate: -DOPENSSL_ROOT_DIR=/home/runner/boringssl -DUSE_ECH=ON -DCURL_ENABLE_NTLM=ON + - name: 'libressl krb5' image: ubuntu-24.04-arm install_packages: libidn2-dev libnghttp2-dev libldap-dev libkrb5-dev 
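Review bot: `FIL_C_VERSION: 0.678`, moved up in the env hunk of linux.yml, is the only version value in that block with two components, so YAML reads it as a float rather than a string; the three-component values (`4.3.1`, `1.69.0`, …) are not valid numbers and stay strings. Today the float stringifies back to the same text, but a future bump to a value with a trailing zero (for example `0.680`) would reach the build scripts as `0.68`. Quoting it, `FIL_C_VERSION: '0.678'`, removes the ambiguity and matches how `DO_NOT_TRACK: '1'` is already written a few lines above; whether the project's renovate regex for `versioning=semver-coerced` tolerates the quotes should be checked in renovate.json, which is outside this diff.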
@@ -101,27 +115,17 @@ jobs: LDFLAGS: -Wl,-rpath,/home/runner/libressl/lib configure: --with-openssl=/home/runner/libressl --enable-debug - - name: 'wolfssl-all' - image: ubuntu-24.04-arm - install_steps: wolfssl-all-arm - LDFLAGS: -Wl,-rpath,/home/runner/wolfssl-all/lib - configure: --with-wolfssl=/home/runner/wolfssl-all --enable-ech --enable-debug - - - name: 'wolfssl-opensslextra valgrind 1' - image: ubuntu-24.04-arm - install_packages: valgrind - install_steps: wolfssl-opensslextra-arm - tflags: '--min=815 1 to 1000' - LDFLAGS: -Wl,-rpath,/home/runner/wolfssl-opensslextra/lib - configure: --with-wolfssl=/home/runner/wolfssl-opensslextra --enable-ech --enable-debug - - - name: 'wolfssl-opensslextra valgrind 2' - image: ubuntu-24.04-arm - install_packages: valgrind - install_steps: wolfssl-opensslextra-arm - tflags: '--min=835 1001 to 9999' - LDFLAGS: -Wl,-rpath,/home/runner/wolfssl-opensslextra/lib - configure: --with-wolfssl=/home/runner/wolfssl-opensslextra --enable-ech --enable-debug + - name: 'libressl Fil-C' + install_steps: filc libressl-filc nghttp2-filc pytest + tflags: '!776' # adds 1-9 minutes to the test run step, and fails consistently + CC: /home/runner/filc/build/bin/filcc + PKG_CONFIG_PATH: /home/runner/nghttp2/lib/pkgconfig + generate: >- + -DBUILD_STATIC_LIBS=ON -DBUILD_SHARED_LIBS=OFF -DCMAKE_UNITY_BUILD=OFF -DCURL_DISABLE_TYPECHECK=ON + -DOPENSSL_ROOT_DIR=/home/runner/libressl -DCURL_USE_LIBPSL=OFF + -DCURL_ZLIB=OFF -DCURL_BROTLI=OFF -DCURL_ZSTD=OFF + -DCURL_DISABLE_LDAP=ON -DUSE_LIBIDN2=OFF -DCURL_USE_LIBSSH2=OFF + -DCURL_ENABLE_NTLM=ON - name: 'mbedtls gss valgrind 1' image: ubuntu-24.04-arm 
@@ -167,19 +171,44 @@ jobs: -DBUILD_LIBCURL_DOCS=OFF -DBUILD_MISC_DOCS=OFF -DENABLE_CURL_MANUAL=OFF -DCURL_COMPLETION_FISH=ON -DCURL_COMPLETION_ZSH=ON - - name: 'awslc' - install_steps: awslc pytest - LDFLAGS: -Wl,-rpath,/home/runner/awslc/lib - configure: --with-openssl=/home/runner/awslc --enable-ech --enable-ntlm + - name: 'rustls valgrind 1' + install_packages: libnghttp2-dev libldap-dev valgrind + install_steps: rust rustls + tflags: '--min=820 1 to 1000' + generate: -DCURL_USE_RUSTLS=ON -DUSE_ECH=ON -DENABLE_DEBUG=ON - - name: 'awslc' - install_packages: libidn2-dev - install_steps: awslc - generate: -DOPENSSL_ROOT_DIR=/home/runner/awslc -DUSE_ECH=ON -DCMAKE_UNITY_BUILD=OFF -DCURL_DROP_UNUSED=ON -DCURL_PATCHSTAMP=test-patch -DCURL_ENABLE_NTLM=ON + - name: 'rustls valgrind 2' + install_packages: libnghttp2-dev libldap-dev valgrind + install_steps: rust rustls + tflags: '--min=830 1001 to 9999' + generate: -DCURL_USE_RUSTLS=ON -DUSE_ECH=ON -DENABLE_DEBUG=ON - - name: 'boringssl' - install_steps: boringssl pytest - generate: -DOPENSSL_ROOT_DIR=/home/runner/boringssl -DUSE_ECH=ON -DCURL_ENABLE_NTLM=ON + - name: 'rustls' + install_packages: libnghttp2-dev libldap-dev + install_steps: rust rustls skiprun pytest + configure: --with-rustls --enable-ech --enable-debug + + - name: 'wolfssl-all' + image: ubuntu-24.04-arm + install_steps: wolfssl-all-arm + LDFLAGS: -Wl,-rpath,/home/runner/wolfssl-all/lib + configure: --with-wolfssl=/home/runner/wolfssl-all --enable-ech --enable-debug + + - name: 'wolfssl-opensslextra valgrind 1' + image: ubuntu-24.04-arm + install_packages: valgrind + install_steps: wolfssl-opensslextra-arm + tflags: '--min=815 1 to 1000' + LDFLAGS: -Wl,-rpath,/home/runner/wolfssl-opensslextra/lib + configure: --with-wolfssl=/home/runner/wolfssl-opensslextra --enable-ech --enable-debug + + - name: 'wolfssl-opensslextra valgrind 2' + image: ubuntu-24.04-arm + install_packages: valgrind + install_steps: wolfssl-opensslextra-arm + tflags: '--min=835 1001 to 
9999' + LDFLAGS: -Wl,-rpath,/home/runner/wolfssl-opensslextra/lib + configure: --with-wolfssl=/home/runner/wolfssl-opensslextra --enable-ech --enable-debug - name: 'openssl default' install_steps: pytest @@ -287,18 +316,6 @@ jobs: tflags: '--min=500' configure: --without-ssl --enable-debug --disable-http --disable-smtp --disable-imap --disable-unity - - name: 'libressl Fil-C' - install_steps: filc libressl-filc nghttp2-filc pytest - tflags: '!776' # adds 1-9 minutes to the test run step, and fails consistently - CC: /home/runner/filc/build/bin/filcc - PKG_CONFIG_PATH: /home/runner/nghttp2/lib/pkgconfig - generate: >- - -DBUILD_STATIC_LIBS=ON -DBUILD_SHARED_LIBS=OFF -DCMAKE_UNITY_BUILD=OFF -DCURL_DISABLE_TYPECHECK=ON - -DOPENSSL_ROOT_DIR=/home/runner/libressl -DCURL_USE_LIBPSL=OFF - -DCURL_ZLIB=OFF -DCURL_BROTLI=OFF -DCURL_ZSTD=OFF - -DCURL_DISABLE_LDAP=ON -DUSE_LIBIDN2=OFF -DCURL_USE_LIBSSH2=OFF - -DCURL_ENABLE_NTLM=ON - - name: 'clang-tidy' install_packages: clang-20 clang-tidy-20 libssl-dev libidn2-dev libssh2-1-dev libnghttp2-dev libldap-dev libkrb5-dev libgnutls28-dev install_steps: skiprun mbedtls-latest-intel rustls wolfssl-opensslextra-intel 
@@ -412,23 +429,6 @@ jobs: configure: --enable-debug --enable-static --disable-shared --disable-threaded-resolver --with-libssh --with-openssl tflags: '-n --test-duphandle' - - name: 'rustls valgrind 1' - install_packages: libnghttp2-dev libldap-dev valgrind - install_steps: rust rustls - tflags: '--min=820 1 to 1000' - generate: -DCURL_USE_RUSTLS=ON -DUSE_ECH=ON -DENABLE_DEBUG=ON - - - name: 'rustls valgrind 2' - install_packages: libnghttp2-dev libldap-dev valgrind - install_steps: rust rustls - tflags: '--min=830 1001 to 9999' - generate: -DCURL_USE_RUSTLS=ON -DUSE_ECH=ON -DENABLE_DEBUG=ON - - - name: 'rustls' - install_packages: libnghttp2-dev libldap-dev - install_steps: rust rustls skiprun pytest - configure: --with-rustls --enable-ech --enable-debug - - name: 'IntelC openssl' install_packages: libssl-dev install_steps: intelc diff --git a/CMakeLists.txt b/CMakeLists.txt index 5dd9c7aa70..506dfeb305 100644 --- a/CMakeLists.txt +++ b/CMakeLists.txt 
@@ -835,26 +835,26 @@ if(CURL_USE_OPENSSL) cmake_push_check_state() list(APPEND CMAKE_REQUIRED_LIBRARIES OpenSSL::SSL OpenSSL::Crypto) - if(NOT DEFINED HAVE_BORINGSSL) - check_symbol_exists("OPENSSL_IS_BORINGSSL" "openssl/base.h" HAVE_BORINGSSL) - endif() if(NOT DEFINED HAVE_AWSLC) check_symbol_exists("OPENSSL_IS_AWSLC" "openssl/base.h" HAVE_AWSLC) endif() + if(NOT DEFINED HAVE_BORINGSSL) + check_symbol_exists("OPENSSL_IS_BORINGSSL" "openssl/base.h" HAVE_BORINGSSL) + endif() if(NOT DEFINED HAVE_LIBRESSL) check_symbol_exists("LIBRESSL_VERSION_NUMBER" "openssl/opensslv.h" HAVE_LIBRESSL) endif() cmake_pop_check_state() - if(HAVE_BORINGSSL OR HAVE_AWSLC) - if(NOT MSVC AND NOT ANDROID) # BoringSSL/AWS-LC MSVC builds use native Windows threads + if(HAVE_AWSLC OR HAVE_BORINGSSL) + if(NOT MSVC AND NOT ANDROID) # AWS-LC/BoringSSL MSVC builds use native Windows threads find_package(Threads) if(CMAKE_USE_PTHREADS_INIT) set(HAVE_THREADS_POSIX_BORINGSSL 1) list(APPEND CURL_NETWORK_AND_TIME_LIBS Threads::Threads) list(APPEND CMAKE_REQUIRED_LIBRARIES Threads::Threads) elseif(OPENSSL_USE_STATIC_LIBS) - message(WARNING "BoringSSL/AWS-LC requires POSIX Threads.") + message(WARNING "AWS-LC/BoringSSL requires POSIX Threads.") endif() endif() if(OPENSSL_USE_STATIC_LIBS AND CMAKE_C_COMPILER_ID MATCHES "Clang") @@ -863,17 +863,17 @@ if(CURL_USE_OPENSSL) endif() endif() - if(HAVE_BORINGSSL) + if(USE_AMISSL) + set(_openssl "AmiSSL") + elseif(HAVE_AWSLC) + set(_openssl "AWS-LC") + elseif(HAVE_BORINGSSL) if(BORINGSSL_VERSION) set(CURL_BORINGSSL_VERSION "\"${BORINGSSL_VERSION}\"") endif() set(_openssl "BoringSSL") - elseif(HAVE_AWSLC) - set(_openssl "AWS-LC") elseif(HAVE_LIBRESSL) set(_openssl "LibreSSL") - elseif(USE_AMISSL) - set(_openssl "AmiSSL") else() set(_openssl "OpenSSL") endif() 
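Review bot: The reordered `if(USE_AMISSL)` / `elseif(HAVE_AWSLC)` / `elseif(HAVE_BORINGSSL)` / `elseif(HAVE_LIBRESSL)` chain in the second hunk is not purely cosmetic: the first true branch wins, so moving `USE_AMISSL` from last to first and `HAVE_AWSLC` ahead of `HAVE_BORINGSSL` changes the `_openssl` name reported whenever more than one of these variables is set at once. That is presumably harmless if the detections are mutually exclusive on every supported toolchain, but the commit message ("sort alphabetically") does not say so; a comment above the chain such as `# First match wins; the backend detections are assumed to be mutually exclusive.` would record the assumption, or the chain could keep its previous priority order with a note on why it is not alphabetical. The `check_symbol_exists` swap in the first hunk is safe, since each check writes its own cache variable. Both hunks sit inside `if(CURL_USE_OPENSSL)`, which opens and closes outside the hunk.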
@@ -1097,7 +1097,7 @@ if(USE_ECH) set(HAVE_ECH 1) endif() if(NOT HAVE_ECH) - message(FATAL_ERROR "ECH support missing in OpenSSL/BoringSSL/AWS-LC/wolfSSL/rustls-ffi") + message(FATAL_ERROR "ECH support missing in AWS-LC/BoringSSL/OpenSSL/Rustls/wolfSSL") else() message(STATUS "ECH enabled") # ECH wants HTTPSRR @@ -1105,7 +1105,7 @@ if(USE_ECH) message(STATUS "HTTPSRR enabled") endif() else() - message(FATAL_ERROR "ECH requires ECH-enabled OpenSSL, BoringSSL, AWS-LC, wolfSSL or rustls-ffi") + message(FATAL_ERROR "ECH requires ECH-enabled AWS-LC, BoringSSL, OpenSSL, Rustls or wolfSSL") endif() endif() diff --git a/docs/CIPHERS.md b/docs/CIPHERS.md index 060d3da949..9606f2d795 100644 --- a/docs/CIPHERS.md +++ b/docs/CIPHERS.md @@ -96,10 +96,10 @@ are NULL ciphers, offering no encryption whatsoever.) ### TLS 1.2 (1.1, 1.0) cipher suites -Setting TLS 1.2 cipher suites is supported by curl with OpenSSL, LibreSSL, -BoringSSL, mbedTLS (curl 8.8.0+), wolfSSL (curl 7.53.0+). Schannel does not -support setting cipher suites directly, but does support setting algorithms -(curl 7.61.0+), see Schannel notes below. +Setting TLS 1.2 cipher suites is supported by curl with AWS-LC, BoringSSL, +LibreSSL, mbedTLS (curl 8.8.0+), OpenSSL, wolfSSL (curl 7.53.0+). Schannel +does not support setting cipher suites directly, but does support setting +algorithms (curl 7.61.0+), see Schannel notes below. For TLS 1.2 cipher suites there are multiple naming schemes, the two most used are with OpenSSL names (e.g. `ECDHE-RSA-AES128-GCM-SHA256`) and IANA names diff --git a/docs/CURLDOWN.md b/docs/CURLDOWN.md index ce19b5f5d6..c804eae746 100644 --- a/docs/CURLDOWN.md +++ b/docs/CURLDOWN.md @@ -97,7 +97,7 @@ option. The available TLS backends are: - `GnuTLS` - `mbedTLS` -- `OpenSSL` (also covers BoringSSL, LibreSSL, quictls, AWS-LC and AmiSSL) +- `OpenSSL` (also covers AmiSSL, AWS-LC, BoringSSL, LibreSSL and quictls) - `rustls` - `Schannel` - `wolfSSL` 
diff --git a/docs/ECH.md b/docs/ECH.md index 6314abb5f3..8a0153209d 100644 --- a/docs/ECH.md +++ b/docs/ECH.md @@ -8,8 +8,8 @@ SPDX-License-Identifier: curl We have added support for ECH to curl. It can use HTTPS RRs published in the DNS if curl uses DoH, or else can accept the relevant ECHConfigList values -from the command line. This works with OpenSSL, wolfSSL, BoringSSL, AWS-LC -or rustls-ffi as the TLS provider. +from the command line. This works with AWS-LC, BoringSSL, OpenSSL, Rustls or +wolfSSL as the TLS provider. This feature is EXPERIMENTAL. DO NOT USE IN PRODUCTION. @@ -153,7 +153,7 @@ LD_LIBRARY_PATH=$HOME/code/openssl ./src/curl -vvv --ech ecl:AED+DQA8yAAgACDRMQo ``` At that point, you could copy the base64 encoded value above and try again. -For now, this only works for the OpenSSL and BoringSSL/AWS-LC builds. +For now, this only works for the OpenSSL and AWS-LC/BoringSSL builds. ## Default settings @@ -338,11 +338,11 @@ WARNING: ECH HTTPSRR enabled but marked EXPERIMENTAL. Use with caution. make ``` -The BoringSSL/AWS-LC APIs are fairly similar to those in our ECH-enabled +The AWS-LC/BoringSSL APIs are fairly similar to those in our ECH-enabled OpenSSL fork, so code changes are also in `lib/vtls/openssl.c`, protected via `#ifdef OPENSSL_IS_BORINGSSL` and are mostly obvious API variations. -The BoringSSL/AWS-LC APIs however do not support the `--ech pn:` command +The AWS-LC/BoringSSL APIs however do not support the `--ech pn:` command line variant as of now. ## wolfSSL build @@ -405,7 +405,7 @@ Then there are some functional code changes: The lack of support for `--ech false` is because wolfSSL has decided to always at least GREASE if built to support ECH. In other words, GREASE is a compile time choice for wolfSSL, but a runtime choice for OpenSSL or -BoringSSL/AWS-LC. (Both are reasonable.) +AWS-LC/BoringSSL. (Both are reasonable.) ## Additional notes 
@@ -471,7 +471,7 @@ get the HTTPS RR and pass the ECHConfigList from that on the command line, if needed, or one can access the value from command line output in verbose more and then reuse that in another invocation. -Both our OpenSSL fork and BoringSSL/AWS-LC have APIs for both controlling GREASE +Both our OpenSSL fork and AWS-LC/BoringSSL have APIs for both controlling GREASE and accessing and logging `retry_configs`, it seems wolfSSL has neither. ### Testing ECH diff --git a/docs/FAQ.md b/docs/FAQ.md index 05f7eda382..7748d1bd2c 100644 --- a/docs/FAQ.md +++ b/docs/FAQ.md @@ -294,10 +294,10 @@ curl has been written to use a generic SSL function layer internally, and that SSL functionality can then be provided by one out of many different SSL backends. -curl can be built to use one of the following SSL alternatives: OpenSSL, -LibreSSL, BoringSSL, AWS-LC, GnuTLS, wolfSSL, mbedTLS, Schannel (native -Windows) or Rustls. They all have their pros and cons, and we maintain [a TLS -library comparison](https://curl.se/docs/ssl-compared.html). +curl can be built to use one of the following SSL alternatives: AWS-LC, +BoringSSL, GnuTLS, LibreSSL, OpenSSL, mbedTLS, Rustls, Schannel (native +Windows), or wolfSSL. They all have their pros and cons, and we maintain +[a TLS library comparison](https://curl.se/docs/ssl-compared.html). ## How do I upgrade curl.exe in Windows? diff --git a/docs/INSTALL.md b/docs/INSTALL.md index db743e0554..467aa64c05 100644 --- a/docs/INSTALL.md +++ b/docs/INSTALL.md @@ -146,7 +146,7 @@ These options are provided to select the TLS backend to use. - AmiSSL: `--with-amissl` - GnuTLS: `--with-gnutls`. - mbedTLS: `--with-mbedtls` -- OpenSSL: `--with-openssl` (also for BoringSSL, AWS-LC, LibreSSL, and quictls) +- OpenSSL: `--with-openssl` (also for AWS-LC, BoringSSL, LibreSSL, and quictls) - Rustls: `--with-rustls` - Schannel: `--with-schannel` - wolfSSL: `--with-wolfssl` 
@@ -486,7 +486,7 @@ install `libssl.a` and `libcrypto.a` to `$TOOLCHAIN/sysroot/usr/lib` and copy for Android using OpenSSL like this: ```sh -# For OpenSSL/BoringSSL. In general, you need to the SSL/TLS layer's transitive +# For BoringSSL/OpenSSL. In general, you need to the SSL/TLS layer's transitive # dependencies if you are linking statically. LIBS='-lssl -lcrypto -lc++' ./configure --host aarch64-linux-android --with-pic --disable-shared --with-openssl="$TOOLCHAIN/sysroot/usr" diff --git a/docs/cmdline-opts/ca-native.md b/docs/cmdline-opts/ca-native.md index 4a887df558..67fdf8c3ac 100644 --- a/docs/cmdline-opts/ca-native.md +++ b/docs/cmdline-opts/ca-native.md @@ -24,7 +24,7 @@ Use the operating system's native CA store for certificate verification. This option is independent of other CA certificate locations set at run time or build time. Those locations are searched in addition to the native CA store. -This option works with OpenSSL and its forks (LibreSSL, BoringSSL, etc) on +This option works with OpenSSL and its forks (BoringSSL, LibreSSL, etc) on Windows (Added in 7.71.0) and on Apple OS when libcurl is built with Apple SecTrust enabled. (Added in 8.17.0) diff --git a/docs/cmdline-opts/tls-earlydata.md b/docs/cmdline-opts/tls-earlydata.md index 8e344758be..22a7abd3c3 100644 --- a/docs/cmdline-opts/tls-earlydata.md +++ b/docs/cmdline-opts/tls-earlydata.md @@ -20,8 +20,8 @@ Example: Enable the use of TLSv1.3 early data, also known as '0RTT' where possible. This has security implications for the requests sent that way. -This option can be used when curl is built to use GnuTLS, wolfSSL, quictls and -OpenSSL as a TLS provider (but not BoringSSL, AWS-LC, or Rustls). +This option can be used when curl is built to use GnuTLS, OpenSSL, quictls and +wolfSSL as a TLS provider (but not AWS-LC, BoringSSL, or Rustls). If a server supports this TLSv1.3 feature, and to what extent, is announced as part of the TLS "session" sent back to curl. Until curl has seen such 
diff --git a/docs/libcurl/curl_global_sslset.md b/docs/libcurl/curl_global_sslset.md index 8ef0ca9992..8218d355e2 100644 --- a/docs/libcurl/curl_global_sslset.md +++ b/docs/libcurl/curl_global_sslset.md @@ -70,11 +70,11 @@ SSL backend names (case-insensitive): GnuTLS, mbedTLS, OpenSSL, Rustls, Schannel, wolfSSL The name "OpenSSL" is used for all versions of OpenSSL and its associated -forks/flavors in this function. OpenSSL, BoringSSL, LibreSSL, quictls and -AmiSSL are all supported by libcurl, but in the eyes of curl_global_sslset(3) -they are all called "OpenSSL". They all mostly provide the same API. -curl_version_info(3) can return more specific info about the exact OpenSSL -flavor and version number in use. +forks/flavors in this function. AmiSSL, AWS-LC, BoringSSL, LibreSSL, OpenSSL +and quictls are all supported by libcurl, but in the eyes of +curl_global_sslset(3) they are all called "OpenSSL". They all mostly provide +the same API. curl_version_info(3) can return more specific info about the +exact OpenSSL flavor and version number in use. # struct diff --git a/docs/libcurl/opts/CURLOPT_PROXY_SSL_OPTIONS.md b/docs/libcurl/opts/CURLOPT_PROXY_SSL_OPTIONS.md index ab0e366b0d..e7c596d15a 100644 --- a/docs/libcurl/opts/CURLOPT_PROXY_SSL_OPTIONS.md +++ b/docs/libcurl/opts/CURLOPT_PROXY_SSL_OPTIONS.md @@ -58,7 +58,7 @@ Tells libcurl to not accept "partial" certificate chains, which it otherwise does by default. This option fails the certificate verification if the chain ends with an intermediate certificate and not with a root cert. -Works with OpenSSL and its forks (LibreSSL, BoringSSL, etc). (Added in 7.68.0) +Works with OpenSSL and its forks (BoringSSL, LibreSSL, etc). (Added in 7.68.0) Works with Schannel if the user specified certificates to verify the peer. (Added in 8.15.0) 
@@ -78,9 +78,9 @@ verification. This option is independent of other CA certificate locations set at run time or build time. Those locations are searched in addition to the native CA store. -Works with wolfSSL on Windows, Linux (Debian, Ubuntu, Gentoo, Fedora, RHEL), +Works with wolfSSL on Windows, Linux (Debian, Fedora, Gentoo, RHEL, Ubuntu), macOS, Android and iOS (added in 8.3.0); with GnuTLS (added in 8.5.0) and with -OpenSSL and its forks (LibreSSL, BoringSSL, etc) on Windows (Added in 7.71.0). +OpenSSL and its forks (BoringSSL, LibreSSL, etc) on Windows (Added in 7.71.0). ## CURLSSLOPT_AUTO_CLIENT_CERT diff --git a/docs/libcurl/opts/CURLOPT_SSL_OPTIONS.md b/docs/libcurl/opts/CURLOPT_SSL_OPTIONS.md index 2fdf8ee15f..1314ae0e8d 100644 --- a/docs/libcurl/opts/CURLOPT_SSL_OPTIONS.md +++ b/docs/libcurl/opts/CURLOPT_SSL_OPTIONS.md @@ -56,7 +56,7 @@ Tells libcurl to not accept "partial" certificate chains, which it otherwise does by default. This option fails the certificate verification if the chain ends with an intermediate certificate and not with a root cert. -Works with OpenSSL and its forks (LibreSSL, BoringSSL, etc). (Added in 7.68.0) +Works with OpenSSL and its forks (BoringSSL, LibreSSL, etc). (Added in 7.68.0) Works with Schannel if the user specified certificates to verify the peer. (Added in 8.15.0) 
@@ -76,9 +76,9 @@ verification. This option is independent of other CA certificate locations set at run time or build time. Those locations are searched in addition to the native CA store. -Works with wolfSSL on Windows, Linux (Debian, Ubuntu, Gentoo, Fedora, RHEL), +Works with wolfSSL on Windows, Linux (Debian, Fedora, Gentoo, RHEL, Ubuntu), macOS, Android and iOS (added in 8.3.0); with GnuTLS (added in 8.5.0) and with -OpenSSL and its forks (LibreSSL, BoringSSL, etc) on Windows (Added in 7.71.0). +OpenSSL and its forks (BoringSSL, LibreSSL, etc) on Windows (Added in 7.71.0). This works with Rustls on Windows, macOS, Android and iOS. On Linux it is equivalent to using the Mozilla CA certificate bundle. When used with Rustls @@ -98,13 +98,13 @@ could be a privacy violation and unexpected. ## CURLSSLOPT_EARLYDATA Tell libcurl to try sending application data as TLS1.3 early data. This option -is supported for GnuTLS, wolfSSL, quictls and OpenSSL (but not BoringSSL -or AWS-LC). It works on TCP and QUIC connections using ngtcp2. +is supported for GnuTLS, OpenSSL, quictls and wolfSSL (but not AWS-LC or +BoringSSL). It works on TCP and QUIC connections using ngtcp2. This option works on a best effort basis, in cases when it was not possible to send early data the request is resent normally post-handshake. This option does not work when using QUIC. -(Added in 8.11.0 for GnuTLS and 8.13.0 for wolfSSL, quictls and OpenSSL) +(Added in 8.11.0 for GnuTLS and 8.13.0 for OpenSSL, quictls and wolfSSL) # DEFAULT diff --git a/lib/dllmain.c b/lib/dllmain.c index f715b6d301..5aa6565010 100644 --- a/lib/dllmain.c +++ b/lib/dllmain.c @@ -31,7 +31,7 @@ #if defined(_WIN32) && !defined(CURL_STATICLIB) #if defined(USE_OPENSSL) && \ - !defined(OPENSSL_IS_BORINGSSL) && !defined(OPENSSL_IS_AWSLC) && \ + !defined(OPENSSL_IS_AWSLC) && !defined(OPENSSL_IS_BORINGSSL) && \ !defined(LIBRESSL_VERSION_NUMBER) #define PREVENT_OPENSSL_MEMLEAK #endif 
diff --git a/lib/ldap.c b/lib/ldap.c index 9c689c24c6..3705754476 100644 --- a/lib/ldap.c +++ b/lib/ldap.c @@ -45,7 +45,7 @@ #ifdef USE_WIN32_LDAP /* Use Windows LDAP implementation. */ # include -/* Undefine indirect symbols conflicting with BoringSSL/AWS-LC. */ +/* Undefine indirect symbols conflicting with AWS-LC/BoringSSL. */ # undef X509_NAME # undef X509_EXTENSIONS # undef PKCS7_ISSUER_AND_SERIAL diff --git a/lib/vquic/curl_ngtcp2.c b/lib/vquic/curl_ngtcp2.c index 8cf3886d22..2f5cae5116 100644 --- a/lib/vquic/curl_ngtcp2.c +++ b/lib/vquic/curl_ngtcp2.c @@ -29,7 +29,7 @@ #ifdef USE_OPENSSL #include -#if defined(OPENSSL_IS_BORINGSSL) || defined(OPENSSL_IS_AWSLC) +#if defined(OPENSSL_IS_AWSLC) || defined(OPENSSL_IS_BORINGSSL) #include #elif defined(OPENSSL_QUIC_API2) #include @@ -2484,7 +2484,7 @@ static CURLcode cf_ngtcp2_tls_ctx_setup(struct Curl_cfilter *cf, struct curl_tls_ctx *ctx = user_data; #ifdef USE_OPENSSL -#if defined(OPENSSL_IS_BORINGSSL) || defined(OPENSSL_IS_AWSLC) +#if defined(OPENSSL_IS_AWSLC) || defined(OPENSSL_IS_BORINGSSL) if(ngtcp2_crypto_boringssl_configure_client_context(ctx->ossl.ssl_ctx) != 0) { failf(data, "ngtcp2_crypto_boringssl_configure_client_context failed"); @@ -2497,7 +2497,7 @@ static CURLcode cf_ngtcp2_tls_ctx_setup(struct Curl_cfilter *cf, failf(data, "ngtcp2_crypto_quictls_configure_client_context failed"); return CURLE_FAILED_INIT; } -#endif /* !OPENSSL_IS_BORINGSSL && !OPENSSL_IS_AWSLC */ +#endif /* !OPENSSL_IS_AWSLC && !OPENSSL_IS_BORINGSSL */ if(Curl_ssl_scache_use(cf, data)) { /* Enable the session cache because it is a prerequisite for the * "new session" callback. Use the "external storage" mode to prevent diff --git a/lib/vtls/openssl.c b/lib/vtls/openssl.c index 0e9796f009..0178acfe59 100644 --- a/lib/vtls/openssl.c +++ b/lib/vtls/openssl.c 
@@ -127,9 +127,9 @@ #endif /* Whether SSL_CTX_set_ciphersuites is available. - * OpenSSL: supported since 1.1.1 (commit a53b5be6a05) * BoringSSL: no * LibreSSL: supported since 3.4.1 (released 2021-10-14) + * OpenSSL: supported since 1.1.1 (commit a53b5be6a05) */ #if (!defined(LIBRESSL_VERSION_NUMBER) || \ (defined(LIBRESSL_VERSION_NUMBER) && \ @@ -142,9 +142,9 @@ #endif /* Whether SSL_CTX_set1_sigalgs_list is available - * OpenSSL: supported since 1.0.2 (commit 0b362de5f575) * BoringSSL: supported since 0.20240913.0 (commit 826ce15) * LibreSSL: no + * OpenSSL: supported since 1.0.2 (commit 0b362de5f575) */ #ifndef LIBRESSL_VERSION_NUMBER #define HAVE_SSL_CTX_SET1_SIGALGS @@ -152,10 +152,10 @@ #ifdef LIBRESSL_VERSION_NUMBER #define OSSL_PACKAGE "LibreSSL" -#elif defined(OPENSSL_IS_BORINGSSL) -#define OSSL_PACKAGE "BoringSSL" #elif defined(OPENSSL_IS_AWSLC) #define OSSL_PACKAGE "AWS-LC" +#elif defined(OPENSSL_IS_BORINGSSL) +#define OSSL_PACKAGE "BoringSSL" #elif defined(USE_NGTCP2) && defined(USE_NGHTTP3) && \ !defined(OPENSSL_QUIC_API2) #define OSSL_PACKAGE "quictls" @@ -4219,7 +4219,7 @@ static CURLcode ossl_connect_step2(struct Curl_cfilter *cf, } #ifdef SSL_R_TLSV13_ALERT_CERTIFICATE_REQUIRED /* SSL_R_TLSV13_ALERT_CERTIFICATE_REQUIRED is only available on - OpenSSL version above v1.1.1, not LibreSSL, BoringSSL, or AWS-LC */ + OpenSSL version above v1.1.1, not AWS-LC, BoringSSL, or LibreSSL */ else if((lib == ERR_LIB_SSL) && (reason == SSL_R_TLSV13_ALERT_CERTIFICATE_REQUIRED)) { /* If client certificate is required, communicate the @@ -5408,6 +5408,9 @@ size_t Curl_ossl_version(char *buffer, size_t size) *p = '_'; } return count; +#elif defined(OPENSSL_IS_AWSLC) + return curl_msnprintf(buffer, size, "%s/%s", + OSSL_PACKAGE, AWSLC_VERSION_NUMBER_STRING); #elif defined(OPENSSL_IS_BORINGSSL) #ifdef CURL_BORINGSSL_VERSION return curl_msnprintf(buffer, size, "%s/%s", 
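Review bot: The availability comment above `HAVE_SSL_CTX_SET_CIPHERSUITES` still lists only BoringSSL, LibreSSL and OpenSSL even though this commit's stated aim includes adding AWS-LC to lists where it is missing; the `SSL_CTX_set1_sigalgs_list` comment in the next hunk has the same gap. Since AWS-LC is detected separately (`OPENSSL_IS_AWSLC`, see the `OSSL_PACKAGE` chain further down), a reader cannot tell from these comments whether it takes the BoringSSL row or the OpenSSL row, and the `#if` that decides is cut off at the hunk edge so I cannot confirm it from here either. I would add a ` * AWS-LC: ...` line to each list stating which case applies, checked against the actual `#if` condition rather than assumed from BoringSSL lineage.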
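Review bot: The `OSSL_PACKAGE` `#elif` chain is order-sensitive: after the swap, a translation unit that had both `OPENSSL_IS_AWSLC` and `OPENSSL_IS_BORINGSSL` defined would now be labelled "AWS-LC" where it was previously labelled "BoringSSL", and the `Curl_ossl_version` chain in the later hunk is swapped the same way. This string is what `tests/runtests.pl` matches (`/\s(AWS-LC|BoringSSL)\b/i`) to set test features, so unless the two macros are guaranteed mutually exclusive the sort changes which backend the test suite believes it is exercising. I cannot verify the exclusivity from the hunk; if it holds, a one-line comment would make the order safe against the next "sort" pass: `/* order matters: AWS-LC is checked before BoringSSL on purpose */`.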
@@ -5415,9 +5418,6 @@ size_t Curl_ossl_version(char *buffer, size_t size) #else return curl_msnprintf(buffer, size, OSSL_PACKAGE); #endif -#elif defined(OPENSSL_IS_AWSLC) - return curl_msnprintf(buffer, size, "%s/%s", - OSSL_PACKAGE, AWSLC_VERSION_NUMBER_STRING); #else /* OpenSSL 3+ */ return curl_msnprintf(buffer, size, "%s/%s", OSSL_PACKAGE, OpenSSL_version(OPENSSL_VERSION_STRING)); diff --git a/lib/vtls/openssl.h b/lib/vtls/openssl.h index 61d4a1757e..717058c657 100644 --- a/lib/vtls/openssl.h +++ b/lib/vtls/openssl.h @@ -33,7 +33,7 @@ * , , or something else, does this: * #define X509_NAME ((LPCSTR)7) * - * In BoringSSL/AWC-LC's there is: + * In AWC-LC/BoringSSL's there is: * typedef struct X509_name_st X509_NAME; * etc. * @@ -74,7 +74,7 @@ #define HAVE_OPENSSL3 /* non-fork OpenSSL 3.x or later */ #endif -#if defined(OPENSSL_IS_BORINGSSL) || defined(OPENSSL_IS_AWSLC) +#if defined(OPENSSL_IS_AWSLC) || defined(OPENSSL_IS_BORINGSSL) #define HAVE_BORINGSSL_LIKE #endif @@ -86,9 +86,9 @@ /* * Whether SSL_CTX_set_keylog_callback is available. - * OpenSSL: supported since 1.1.1 https://github.com/openssl/openssl/pull/2287 * BoringSSL: supported since d28f59c27bac (committed 2015-11-19) * LibreSSL: not supported. 3.5.0+ has a stub function that does nothing. + * OpenSSL: supported since 1.1.1 https://github.com/openssl/openssl/pull/2287 */ #ifndef LIBRESSL_VERSION_NUMBER #define HAVE_KEYLOG_CALLBACK diff --git a/m4/curl-openssl.m4 b/m4/curl-openssl.m4 index 256037b19a..d0f2f261ed 100644 --- a/m4/curl-openssl.m4 +++ b/m4/curl-openssl.m4 
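Review bot: The moved comment in `lib/vtls/openssl.h` keeps the pre-existing misspelling `AWC-LC`; since this commit is the one touching that line for consistency, change it to `In AWS-LC/BoringSSL's ... there is:`. The sentence is also missing the header name after "In", which I assume was lost in rendering rather than in the source; if it is genuinely absent in the file, restore it so the comment names where `typedef struct X509_name_st X509_NAME;` comes from.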
@@ -231,23 +231,6 @@ if test "x$OPT_OPENSSL" != "xno"; then if test "$OPENSSL_ENABLED" = "1"; then dnl These can only exist if OpenSSL exists - AC_MSG_CHECKING([for BoringSSL]) - AC_COMPILE_IFELSE([ - AC_LANG_PROGRAM([[ - #include - ]],[[ - #ifndef OPENSSL_IS_BORINGSSL - #error not boringssl - #endif - ]]) - ],[ - AC_MSG_RESULT([yes]) - ssl_msg="BoringSSL" - OPENSSL_IS_BORINGSSL=1 - ],[ - AC_MSG_RESULT([no]) - ]) - AC_MSG_CHECKING([for AWS-LC]) AC_COMPILE_IFELSE([ AC_LANG_PROGRAM([[ @@ -265,6 +248,23 @@ if test "x$OPT_OPENSSL" != "xno"; then AC_MSG_RESULT([no]) ]) + AC_MSG_CHECKING([for BoringSSL]) + AC_COMPILE_IFELSE([ + AC_LANG_PROGRAM([[ + #include + ]],[[ + #ifndef OPENSSL_IS_BORINGSSL + #error not BoringSSL + #endif + ]]) + ],[ + AC_MSG_RESULT([yes]) + ssl_msg="BoringSSL" + OPENSSL_IS_BORINGSSL=1 + ],[ + AC_MSG_RESULT([no]) + ]) + AC_MSG_CHECKING([for LibreSSL]) AC_COMPILE_IFELSE([ AC_LANG_PROGRAM([[ diff --git a/tests/libtest/lib1587.c b/tests/libtest/lib1587.c index ad66c003f0..a0739cb221 100644 --- a/tests/libtest/lib1587.c +++ b/tests/libtest/lib1587.c @@ -32,7 +32,7 @@ #include #ifdef HAVE_BORINGSSL_LIKE -/* BoringSSL and AWS-LC */ +/* AWS-LC and BoringSSL */ typedef uint32_t opt1587; #else typedef uint64_t opt1587; diff --git a/tests/runtests.pl b/tests/runtests.pl index 050875dc5b..b0230330c8 100755 --- a/tests/runtests.pl +++ b/tests/runtests.pl @@ -589,7 +589,7 @@ sub checksystemfeatures { $feature{"wolfssl"} = 1; $feature{"SSLpinning"} = 1; } - elsif($libcurl =~ /\s(BoringSSL|AWS-LC)\b/i) { + elsif($libcurl =~ /\s(AWS-LC|BoringSSL)\b/i) { # OpenSSL compatible API $feature{"OpenSSL"} = 1; $feature{"SSLpinning"} = 1;
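Review bot: In the configure script the backend probes are sequential assignments rather than an `if`/`elif` chain, so after this move the BoringSSL probe runs after the AWS-LC one and the last successful `ssl_msg=` wins — the opposite tie-break from the CMake and `OSSL_PACKAGE` chains elsewhere in this commit, where AWS-LC is tested first and wins. This only matters if a header can satisfy both `OPENSSL_IS_AWSLC` and `OPENSSL_IS_BORINGSSL`, which I cannot confirm from the hunk; if it can, configure and CMake would report different backend names for the same library. Either document the assumption with `dnl probes are independent; AWS-LC and BoringSSL are expected to be mutually exclusive`, or, assuming the AWS-LC probe sets `OPENSSL_IS_AWSLC=1` like the BoringSSL one does, skip the BoringSSL probe when it is set so the result matches CMake.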