romenskiy2012/curl
1
0
Fork 0
mirror of https://github.com/curl/curl.git synced 2026-04-15 00:41:41 +03:00
Code Issues Projects Releases Packages Wiki Activity
curl/lib/Makefile.inc
Wyatt O'Day 1dc6ddde06
mbedTLS: cleanup insecure/deprecated code 
1. With `MBEDTLS_SSL_PROTO_TLS1_2` not enabled, the mbedTLS code was not
able to connect to any server due to broken logic in curl's
`mbed_set_ssl_version_min_max()`. Now it correctly sets the minimum
supported TLS version based on what is compiled in the library.

2. If debugging is enabled, move the debugging enabling earlier in the
`mbed_connect_step1()` so that verbose errors are actually displayed if
failures happen (see the previous point -- it would've made debugging
that issue easier).

3. Remove the constant `mbedtls_x509_crt_profile_fr` and instead use
mbedTLS-included profile `mbedtls_x509_crt_profile_next` with
`mbedtls_ssl_conf_cert_profile()`. This will follow the latest standards
as new mbedTLS versions are released (rather than being stuck-in-time
until someone comes along to fix what was hard-coded here). This has the
immediate benefit of no longer supporting SHA1 certs and insecure RSA
key-lengths (1024). This fix immediately prevents previously possible
MITM attacks (SHA1 hashes and RSA-1024 keys can be forged relatively
easily by nation-state actors and criminal organizations with
deep-pockets).

4. Added [predictive
resistance](https://mbed-tls.readthedocs.io/en/latest/kb/how-to/add-a-random-generator/#enabling-prediction-resistance)
to the random number generator (adding more entropy to the RNG).

5. Split the random number generator into initialization, the actual
random generation, and the "freeing" of the resources. This
significantly reduces the overhead of using the RNG.

6. Removed the separate RNG function in the TLS connect stage (instead
use the "main" one) and remove the ad-hoc threading support. Instead
properly document how to enable threading in mbedTLS. As it was, other
internals of mbedTLS could have race conditions (in the RSA module in
particular) if `MBEDTLS_THREADING_C` was *not* enabled. And if it is
enabled, then these race-conditions cannot happen. And also, if
MBEDTLS_THREADING_C is enabled then the RNG functions [are fully
thread-safe](https://mbed-tls.readthedocs.io/en/latest/kb/development/thread-safety-and-multi-threading/).

   So, the previous ad-hoc threading support was both partial and broken.

7. Enable support for disabling `MBEDTLS_PEM_PARSE_C`.

8. Add support for `CURLOPT_SSLCERTTYPE` so user can specify `PEM` or
`DER` and get faster execution.

Closes #19983
2025-12-20 17:33:57 +01:00

403 lines
9.5 KiB
Makefile
Raw Blame History

#***************************************************************************
# _ _ ____ _
# Project ___| | | | _ \| |
# / __| | | | |_) | |
# | (__| |_| | _ <| |___
# \___|\___/|_| \_\_____|
#
# Copyright (C) Daniel Stenberg, <daniel@haxx.se>, et al.
#
# This software is licensed as described in the file COPYING, which
# you should have received as part of this distribution. The terms
# are also available at https://curl.se/docs/copyright.html.
#
# You may opt to use, copy, modify, merge, publish, distribute and/or sell
# copies of the Software, and permit persons to whom the Software is
# furnished to do so, under the terms of the COPYING file.
#
# This software is distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY
# KIND, either express or implied.
#
# SPDX-License-Identifier: curl
#
###########################################################################
# Shared between CMakeLists.txt and Makefile.am
LIB_CURLX_CFILES = \
curlx/base64.c \
curlx/dynbuf.c \
curlx/fopen.c \
curlx/inet_ntop.c \
curlx/inet_pton.c \
curlx/multibyte.c \
curlx/nonblock.c \
curlx/strerr.c \
curlx/strparse.c \
curlx/timediff.c \
curlx/timeval.c \
curlx/version_win32.c \
curlx/wait.c \
curlx/warnless.c \
curlx/winapi.c
LIB_CURLX_HFILES = \
curlx/binmode.h \
curlx/base64.h \
curlx/curlx.h \
curlx/dynbuf.h \
curlx/fopen.h \
curlx/inet_ntop.h \
curlx/inet_pton.h \
curlx/multibyte.h \
curlx/nonblock.h \
curlx/snprintf.h \
curlx/strerr.h \
curlx/strparse.h \
curlx/timediff.h \
curlx/timeval.h \
curlx/version_win32.h \
curlx/wait.h \
curlx/warnless.h \
curlx/winapi.h
LIB_VAUTH_CFILES = \
vauth/cleartext.c \
vauth/cram.c \
vauth/digest.c \
vauth/digest_sspi.c \
vauth/gsasl.c \
vauth/krb5_gssapi.c \
vauth/krb5_sspi.c \
vauth/ntlm.c \
vauth/ntlm_sspi.c \
vauth/oauth2.c \
vauth/spnego_gssapi.c \
vauth/spnego_sspi.c \
vauth/vauth.c
LIB_VAUTH_HFILES = \
vauth/digest.h \
vauth/vauth.h
LIB_VTLS_CFILES = \
vtls/apple.c \
vtls/cipher_suite.c \
vtls/gtls.c \
vtls/hostcheck.c \
vtls/keylog.c \
vtls/mbedtls.c \
vtls/openssl.c \
vtls/rustls.c \
vtls/schannel.c \
vtls/schannel_verify.c \
vtls/vtls.c \
vtls/vtls_scache.c \
vtls/vtls_spack.c \
vtls/wolfssl.c \
vtls/x509asn1.c
LIB_VTLS_HFILES = \
vtls/apple.h \
vtls/cipher_suite.h \
vtls/gtls.h \
vtls/hostcheck.h \
vtls/keylog.h \
vtls/mbedtls.h \
vtls/openssl.h \
vtls/rustls.h \
vtls/schannel.h \
vtls/schannel_int.h \
vtls/vtls.h \
vtls/vtls_int.h \
vtls/vtls_scache.h \
vtls/vtls_spack.h \
vtls/wolfssl.h \
vtls/x509asn1.h
LIB_VQUIC_CFILES = \
vquic/curl_ngtcp2.c \
vquic/curl_osslq.c \
vquic/curl_quiche.c \
vquic/vquic.c \
vquic/vquic-tls.c
LIB_VQUIC_HFILES = \
vquic/curl_ngtcp2.h \
vquic/curl_osslq.h \
vquic/curl_quiche.h \
vquic/vquic.h \
vquic/vquic_int.h \
vquic/vquic-tls.h
LIB_VSSH_CFILES = \
vssh/libssh.c \
vssh/libssh2.c \
vssh/vssh.c
LIB_VSSH_HFILES = \
vssh/vssh.h \
vssh/ssh.h
LIB_CFILES = \
altsvc.c \
amigaos.c \
asyn-ares.c \
asyn-base.c \
asyn-thrdd.c \
bufq.c \
bufref.c \
cf-h1-proxy.c \
cf-h2-proxy.c \
cf-haproxy.c \
cf-https-connect.c \
cf-ip-happy.c \
cf-socket.c \
cfilters.c \
conncache.c \
connect.c \
content_encoding.c \
cookie.c \
cshutdn.c \
curl_addrinfo.c \
curl_endian.c \
curl_fnmatch.c \
curl_fopen.c \
curl_get_line.c \
curl_gethostname.c \
curl_gssapi.c \
curl_memrchr.c \
curl_ntlm_core.c \
curl_range.c \
curl_rtmp.c \
curl_sasl.c \
curl_sha512_256.c \
curl_share.c \
curl_sspi.c \
curl_threads.c \
curl_trc.c \
cw-out.c \
cw-pause.c \
dict.c \
doh.c \
dynhds.c \
easy.c \
easygetopt.c \
easyoptions.c \
escape.c \
fake_addrinfo.c \
file.c \
fileinfo.c \
formdata.c \
ftp.c \
ftplistparser.c \
getenv.c \
getinfo.c \
gopher.c \
hash.c \
headers.c \
hmac.c \
hostip.c \
hostip4.c \
hostip6.c \
hsts.c \
http.c \
http1.c \
http2.c \
http_aws_sigv4.c \
http_chunks.c \
http_digest.c \
http_negotiate.c \
http_ntlm.c \
http_proxy.c \
httpsrr.c \
idn.c \
if2ip.c \
imap.c \
ldap.c \
llist.c \
macos.c \
md4.c \
md5.c \
memdebug.c \
mime.c \
mprintf.c \
mqtt.c \
multi.c \
multi_ev.c \
multi_ntfy.c \
netrc.c \
noproxy.c \
openldap.c \
parsedate.c \
pingpong.c \
pop3.c \
progress.c \
psl.c \
rand.c \
ratelimit.c \
request.c \
rtsp.c \
select.c \
sendf.c \
setopt.c \
sha256.c \
slist.c \
smb.c \
smtp.c \
socketpair.c \
socks.c \
socks_gssapi.c \
socks_sspi.c \
splay.c \
strcase.c \
strdup.c \
strequal.c \
strerror.c \
system_win32.c \
telnet.c \
tftp.c \
transfer.c \
uint-bset.c \
uint-hash.c \
uint-spbset.c \
uint-table.c \
url.c \
urlapi.c \
version.c \
ws.c
LIB_HFILES = \
altsvc.h \
amigaos.h \
arpa_telnet.h \
asyn.h \
bufq.h \
bufref.h \
cf-h1-proxy.h \
cf-h2-proxy.h \
cf-haproxy.h \
cf-https-connect.h \
cf-ip-happy.h \
cf-socket.h \
cfilters.h \
conncache.h \
cshutdn.h \
connect.h \
content_encoding.h \
cookie.h \
curl_addrinfo.h \
curl_ctype.h \
curl_endian.h \
curl_fnmatch.h \
curl_fopen.h \
curl_get_line.h \
curl_gethostname.h \
curl_gssapi.h \
curl_hmac.h \
curl_ldap.h \
curl_md4.h \
curl_md5.h \
curl_memrchr.h \
curl_ntlm_core.h \
curl_printf.h \
curl_range.h \
curl_rtmp.h \
curl_sasl.h \
curl_setup.h \
curl_setup_once.h \
curl_sha256.h \
curl_sha512_256.h \
curl_share.h \
curl_sspi.h \
curl_threads.h \
curl_trc.h \
cw-out.h \
cw-pause.h \
dict.h \
doh.h \
dynhds.h \
easy_lock.h \
easyif.h \
easyoptions.h \
escape.h \
fake_addrinfo.h \
file.h \
fileinfo.h \
formdata.h \
ftp.h \
ftplistparser.h \
functypes.h \
getinfo.h \
gopher.h \
hash.h \
headers.h \
hostip.h \
hsts.h \
http.h \
http1.h \
http2.h \
http_aws_sigv4.h \
http_chunks.h \
http_digest.h \
http_negotiate.h \
http_ntlm.h \
http_proxy.h \
httpsrr.h \
idn.h \
if2ip.h \
imap.h \
llist.h \
macos.h \
mime.h \
mqtt.h \
multihandle.h \
multi_ev.h \
multi_ntfy.h \
multiif.h \
netrc.h \
noproxy.h \
parsedate.h \
pingpong.h \
pop3.h \
progress.h \
psl.h \
rand.h \
ratelimit.h \
request.h \
rtsp.h \
select.h \
sendf.h \
setopt.h \
setup-os400.h \
setup-vms.h \
setup-win32.h \
sigpipe.h \
slist.h \
smb.h \
smtp.h \
sockaddr.h \
socketpair.h \
socks.h \
splay.h \
strcase.h \
strdup.h \
strerror.h \
system_win32.h \
telnet.h \
tftp.h \
transfer.h \
uint-bset.h \
uint-hash.h \
uint-spbset.h \
uint-table.h \
url.h \
urlapi-int.h \
urldata.h \
ws.h
LIB_RCFILES = libcurl.rc
CSOURCES = $(LIB_CFILES) $(LIB_VAUTH_CFILES) $(LIB_VTLS_CFILES) \
$(LIB_VQUIC_CFILES) $(LIB_VSSH_CFILES) $(LIB_CURLX_CFILES)
HHEADERS = $(LIB_HFILES) $(LIB_VAUTH_HFILES) $(LIB_VTLS_HFILES) \
$(LIB_VQUIC_HFILES) $(LIB_VSSH_HFILES) $(LIB_CURLX_HFILES)
Reference in a new issue View git blame Copy permalink