moparisthebest/curl
1
0
Fork 0
mirror of https://github.com/moparisthebest/curl synced 2024-11-12 12:35:04 -05:00
Code Issues Releases Wiki Activity

schannel: stop calling it "winssl"

Browse Source 
Stick to "Schannel" everywhere. The configure option --with-winssl is
kept to allow existing builds to work but --with-schannel is added as an
alias.

Closes #3504
This commit is contained in:
Daniel Stenberg 2019-01-29 10:09:29 +01:00
parent 6f61933adf
commit 180501cb02
No known key found for this signature in database
GPG Key ID: 5CC908FDB71E12C2
17 changed files with 62 additions and 57 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

5
configure.ac
View File

@ -1480,6 +1480,11 @@ AC_HELP_STRING([--with-winssl],[enable Windows native SSL/TLS])
AC_HELP_STRING([--without-winssl], [disable Windows native SSL/TLS]), AC_HELP_STRING([--without-winssl], [disable Windows native SSL/TLS]),
OPT_WINSSL=$withval) OPT_WINSSL=$withval)
AC_ARG_WITH(schannel,dnl
AC_HELP_STRING([--with-schannel],[enable Windows native SSL/TLS])
AC_HELP_STRING([--without-schannel], [disable Windows native SSL/TLS]),
OPT_WINSSL=$withval)
AC_MSG_CHECKING([whether to enable Windows native SSL/TLS (Windows native builds only)]) AC_MSG_CHECKING([whether to enable Windows native SSL/TLS (Windows native builds only)])
if test -z "$ssl_backends" -o "x$OPT_WINSSL" != xno; then if test -z "$ssl_backends" -o "x$OPT_WINSSL" != xno; then
ssl_msg= ssl_msg=

8
docs/cmdline-opts/cacert.d
View File

@ -25,9 +25,9 @@ should not be set. If the option is not set, then curl will use the
certificates in the system and user Keychain to verify the peer, which is the certificates in the system and user Keychain to verify the peer, which is the
preferred method of verifying the peer's certificate chain. preferred method of verifying the peer's certificate chain.
(Schannel/WinSSL only) This option is supported for WinSSL in Windows 7 or (Schannel only) This option is supported for Schannel in Windows 7 or later with
later with libcurl 7.60 or later. This option is supported for backward libcurl 7.60 or later. This option is supported for backward compatibility
compatibility with other SSL engines; instead it is recommended to use Windows' with other SSL engines; instead it is recommended to use Windows' store of
store of root certificates (the default for WinSSL). root certificates (the default for Schannel).
If this option is used several times, the last one will be used. If this option is used several times, the last one will be used.

2
docs/cmdline-opts/cert.d
View File

@ -36,7 +36,7 @@ system or user keychain, or the path to a PKCS#12-encoded certificate and
private key. If you want to use a file from the current directory, please private key. If you want to use a file from the current directory, please
precede it with "./" prefix, in order to avoid confusion with a nickname. precede it with "./" prefix, in order to avoid confusion with a nickname.
(Schannel/WinSSL only) Client certificates must be specified by a path (Schannel only) Client certificates must be specified by a path
expression to a certificate store. (Loading PFX is not supported; you can expression to a certificate store. (Loading PFX is not supported; you can
import it to a store first). You can use import it to a store first). You can use
"<store location>\\<store name>\\<thumbprint>" to refer to a certificate "<store location>\\<store name>\\<thumbprint>" to refer to a certificate

4
docs/cmdline-opts/ssl-no-revoke.d
View File

@ -1,7 +1,7 @@
Long: ssl-no-revoke Long: ssl-no-revoke
Help: Disable cert revocation checks (WinSSL) Help: Disable cert revocation checks (Schannel)
Added: 7.44.0 Added: 7.44.0
--- ---
(WinSSL) This option tells curl to disable certificate revocation checks. (Schannel) This option tells curl to disable certificate revocation checks.
WARNING: this option loosens the SSL security, and by using this flag you ask WARNING: this option loosens the SSL security, and by using this flag you ask
for exactly that. for exactly that.

4
docs/libcurl/curl_version_info.3
View File

@ -5,7 +5,7 @@
.\" * | (__| |_| | _ <| |___ .\" * | (__| |_| | _ <| |___
.\" * \___|\___/|_| \_\_____| .\" * \___|\___/|_| \_\_____|
.\" * .\" *
.\" * Copyright (C) 1998 - 2018, Daniel Stenberg, <daniel@haxx.se>, et al. .\" * Copyright (C) 1998 - 2019, Daniel Stenberg, <daniel@haxx.se>, et al.
.\" * .\" *
.\" * This software is licensed as described in the file COPYING, which .\" * This software is licensed as described in the file COPYING, which
.\" * you should have received as part of this distribution. The terms .\" * you should have received as part of this distribution. The terms
@ -170,7 +170,7 @@ libcurl was built with multiple SSL backends. For details, see
supports HTTP Brotli content encoding using libbrotlidec (Added in 7.57.0) supports HTTP Brotli content encoding using libbrotlidec (Added in 7.57.0)
.RE .RE
\fIssl_version\fP is an ASCII string for the TLS library name + version \fIssl_version\fP is an ASCII string for the TLS library name + version
used. If libcurl has no SSL support, this is NULL. For example "WinSSL", used. If libcurl has no SSL support, this is NULL. For example "Schannel",
\&"SecureTransport" or "OpenSSL/1.1.0g". \&"SecureTransport" or "OpenSSL/1.1.0g".
\fIssl_version_num\fP is always 0. \fIssl_version_num\fP is always 0.

4
docs/libcurl/opts/CURLINFO_TLS_SSL_PTR.3
View File

@ -5,7 +5,7 @@
.\" * | (__| |_| | _ <| |___ .\" * | (__| |_| | _ <| |___
.\" * \___|\___/|_| \_\_____| .\" * \___|\___/|_| \_\_____|
.\" * .\" *
.\" * Copyright (C) 1998 - 2018, Daniel Stenberg, <daniel@haxx.se>, et al. .\" * Copyright (C) 1998 - 2019, Daniel Stenberg, <daniel@haxx.se>, et al.
.\" * .\" *
.\" * This software is licensed as described in the file COPYING, which .\" * This software is licensed as described in the file COPYING, which
.\" * you should have received as part of this distribution. The terms .\" * you should have received as part of this distribution. The terms
@ -81,7 +81,7 @@ as well:
mbedtls_ssl_context * mbedtls_ssl_context *
.IP PolarSSL .IP PolarSSL
ssl_context * ssl_context *
.IP "Secure Channel (WinSSL)" .IP "Secure Channel"
CtxtHandle * CtxtHandle *
.IP "Secure Transport (DarwinSSL)" .IP "Secure Transport (DarwinSSL)"
SSLContext * SSLContext *

10
docs/libcurl/opts/CURLOPT_CAINFO.3
View File

@ -5,7 +5,7 @@
.\" * | (__| |_| | _ <| |___ .\" * | (__| |_| | _ <| |___
.\" * \___|\___/|_| \_\_____| .\" * \___|\___/|_| \_\_____|
.\" * .\" *
.\" * Copyright (C) 1998 - 2017, Daniel Stenberg, <daniel@haxx.se>, et al. .\" * Copyright (C) 1998 - 2019, Daniel Stenberg, <daniel@haxx.se>, et al.
.\" * .\" *
.\" * This software is licensed as described in the file COPYING, which .\" * This software is licensed as described in the file COPYING, which
.\" * you should have received as part of this distribution. The terms .\" * you should have received as part of this distribution. The terms
@ -52,10 +52,10 @@ should not be set. If the option is not set, then curl will use the
certificates in the system and user Keychain to verify the peer, which is the certificates in the system and user Keychain to verify the peer, which is the
preferred method of verifying the peer's certificate chain. preferred method of verifying the peer's certificate chain.
(Schannel/WinSSL only) This option is supported for WinSSL in Windows 7 or (Schannel only) This option is supported for Schannel in Windows 7 or later
later with libcurl 7.60 or later. This option is supported for backward with libcurl 7.60 or later. This option is supported for backward
compatibility with other SSL engines; instead it is recommended to use Windows' compatibility with other SSL engines; instead it is recommended to use
store of root certificates (the default for WinSSL). Windows' store of root certificates (the default for Schannel).
The application does not have to keep the string around after setting this The application does not have to keep the string around after setting this
option. option.

5
docs/libcurl/opts/CURLOPT_CERTINFO.3
View File

@ -5,7 +5,7 @@
.\" * | (__| |_| | _ <| |___ .\" * | (__| |_| | _ <| |___
.\" * \___|\___/|_| \_\_____| .\" * \___|\___/|_| \_\_____|
.\" * .\" *
.\" * Copyright (C) 1998 - 2017, Daniel Stenberg, <daniel@haxx.se>, et al. .\" * Copyright (C) 1998 - 2019, Daniel Stenberg, <daniel@haxx.se>, et al.
.\" * .\" *
.\" * This software is licensed as described in the file COPYING, which .\" * This software is licensed as described in the file COPYING, which
.\" * you should have received as part of this distribution. The terms .\" * you should have received as part of this distribution. The terms
@ -70,7 +70,8 @@ if(curl) {
} }
.fi .fi
.SH AVAILABILITY .SH AVAILABILITY
This option is supported by the OpenSSL, GnuTLS, WinSSL, NSS and GSKit backends. This option is supported by the OpenSSL, GnuTLS, Schannel, NSS and GSKit
backends.
.SH RETURN VALUE .SH RETURN VALUE
Returns CURLE_OK if the option is supported, and CURLE_UNKNOWN_OPTION if not. Returns CURLE_OK if the option is supported, and CURLE_UNKNOWN_OPTION if not.
.SH "SEE ALSO" .SH "SEE ALSO"

6
docs/libcurl/opts/CURLOPT_PINNEDPUBLICKEY.3
View File

@ -5,7 +5,7 @@
.\" * | (__| |_| | _ <| |___ .\" * | (__| |_| | _ <| |___
.\" * \___|\___/|_| \_\_____| .\" * \___|\___/|_| \_\_____|
.\" * .\" *
.\" * Copyright (C) 1998 - 2018, Daniel Stenberg, <daniel@haxx.se>, et al. .\" * Copyright (C) 1998 - 2019, Daniel Stenberg, <daniel@haxx.se>, et al.
.\" * .\" *
.\" * This software is licensed as described in the file COPYING, which .\" * This software is licensed as described in the file COPYING, which
.\" * you should have received as part of this distribution. The terms .\" * you should have received as part of this distribution. The terms
@ -107,7 +107,7 @@ PEM/DER support:
7.54.1: SecureTransport/DarwinSSL on macOS 10.7+/iOS 10+ 7.54.1: SecureTransport/DarwinSSL on macOS 10.7+/iOS 10+
7.58.1: SChannel/WinSSL 7.58.1: SChannel
sha256 support: sha256 support:
@ -119,7 +119,7 @@ sha256 support:
7.54.1: SecureTransport/DarwinSSL on macOS 10.7+/iOS 10+ 7.54.1: SecureTransport/DarwinSSL on macOS 10.7+/iOS 10+
7.58.1: SChannel/WinSSL Windows XP SP3+ 7.58.1: SChannel Windows XP SP3+
Other SSL backends not supported. Other SSL backends not supported.
.SH RETURN VALUE .SH RETURN VALUE

4
docs/libcurl/opts/CURLOPT_PROXY_SSL_OPTIONS.3
View File

@ -5,7 +5,7 @@
.\" * | (__| |_| | _ <| |___ .\" * | (__| |_| | _ <| |___
.\" * \___|\___/|_| \_\_____| .\" * \___|\___/|_| \_\_____|
.\" * .\" *
.\" * Copyright (C) 1998 - 2017, Daniel Stenberg, <daniel@haxx.se>, et al. .\" * Copyright (C) 1998 - 2019, Daniel Stenberg, <daniel@haxx.se>, et al.
.\" * .\" *
.\" * This software is licensed as described in the file COPYING, which .\" * This software is licensed as described in the file COPYING, which
.\" * you should have received as part of this distribution. The terms .\" * you should have received as part of this distribution. The terms
@ -40,7 +40,7 @@ that. This option is only supported for DarwinSSL, NSS and OpenSSL.
\fICURLSSLOPT_NO_REVOKE\fP tells libcurl to disable certificate revocation \fICURLSSLOPT_NO_REVOKE\fP tells libcurl to disable certificate revocation
checks for those SSL backends where such behavior is present. \fBCurrently checks for those SSL backends where such behavior is present. \fBCurrently
this option is only supported for WinSSL (the native Windows SSL library), this option is only supported for Schannel (the native Windows SSL library),
with an exception in the case of Windows' Untrusted Publishers blacklist which with an exception in the case of Windows' Untrusted Publishers blacklist which
it seems can't be bypassed.\fP This option may have broader support to it seems can't be bypassed.\fP This option may have broader support to
accommodate other SSL backends in the future. accommodate other SSL backends in the future.

11
docs/libcurl/opts/CURLOPT_SSLCERT.3
View File

@ -5,7 +5,7 @@
.\" * | (__| |_| | _ <| |___ .\" * | (__| |_| | _ <| |___
.\" * \___|\___/|_| \_\_____| .\" * \___|\___/|_| \_\_____|
.\" * .\" *
.\" * Copyright (C) 1998 - 2017, Daniel Stenberg, <daniel@haxx.se>, et al. .\" * Copyright (C) 1998 - 2019, Daniel Stenberg, <daniel@haxx.se>, et al.
.\" * .\" *
.\" * This software is licensed as described in the file COPYING, which .\" * This software is licensed as described in the file COPYING, which
.\" * you should have received as part of this distribution. The terms .\" * you should have received as part of this distribution. The terms
@ -38,11 +38,10 @@ you wish to authenticate with as it is named in the security database. If you
want to use a file from the current directory, please precede it with "./" want to use a file from the current directory, please precede it with "./"
prefix, in order to avoid confusion with a nickname. prefix, in order to avoid confusion with a nickname.
(Schannel/WinSSL only) Client certificates must be specified by a path (Schannel only) Client certificates must be specified by a path expression to
expression to a certificate store. (Loading PFX is not supported; you can a certificate store. (Loading PFX is not supported; you can import it to a
import it to a store first). You can use store first). You can use "<store location>\\<store name>\\<thumbprint>" to
"<store location>\\<store name>\\<thumbprint>" to refer to a certificate refer to a certificate in the system certificates store, for example,
in the system certificates store, for example,
"CurrentUser\\MY\\934a7ac6f8a5d579285a74fa61e19f23ddfe8d7a". Thumbprint is "CurrentUser\\MY\\934a7ac6f8a5d579285a74fa61e19f23ddfe8d7a". Thumbprint is
usually a SHA-1 hex string which you can see in certificate details. Following usually a SHA-1 hex string which you can see in certificate details. Following
store locations are supported: CurrentUser, LocalMachine, CurrentService, store locations are supported: CurrentUser, LocalMachine, CurrentService,

4
docs/libcurl/opts/CURLOPT_SSL_OPTIONS.3
View File

@ -5,7 +5,7 @@
.\" * | (__| |_| | _ <| |___ .\" * | (__| |_| | _ <| |___
.\" * \___|\___/|_| \_\_____| .\" * \___|\___/|_| \_\_____|
.\" * .\" *
.\" * Copyright (C) 1998 - 2017, Daniel Stenberg, <daniel@haxx.se>, et al. .\" * Copyright (C) 1998 - 2019, Daniel Stenberg, <daniel@haxx.se>, et al.
.\" * .\" *
.\" * This software is licensed as described in the file COPYING, which .\" * This software is licensed as described in the file COPYING, which
.\" * you should have received as part of this distribution. The terms .\" * you should have received as part of this distribution. The terms
@ -42,7 +42,7 @@ Added in 7.44.0:
\fICURLSSLOPT_NO_REVOKE\fP tells libcurl to disable certificate revocation \fICURLSSLOPT_NO_REVOKE\fP tells libcurl to disable certificate revocation
checks for those SSL backends where such behavior is present. \fBCurrently this checks for those SSL backends where such behavior is present. \fBCurrently this
option is only supported for WinSSL (the native Windows SSL library), with an option is only supported for Schannel (the native Windows SSL library), with an
exception in the case of Windows' Untrusted Publishers blacklist which it seems exception in the case of Windows' Untrusted Publishers blacklist which it seems
can't be bypassed.\fP This option may have broader support to accommodate other can't be bypassed.\fP This option may have broader support to accommodate other
SSL backends in the future. SSL backends in the future.

6
lib/url.c
View File

@ -492,9 +492,9 @@ CURLcode Curl_init_userdefined(struct Curl_easy *data)
/* Set the default CA cert bundle/path detected/specified at build time. /* Set the default CA cert bundle/path detected/specified at build time.
* *
* If Schannel (WinSSL) is the selected SSL backend then these locations * If Schannel is the selected SSL backend then these locations are
* are ignored. We allow setting CA location for schannel only when * ignored. We allow setting CA location for schannel only when explicitly
* explicitly specified by the user via CURLOPT_CAINFO / --cacert. * specified by the user via CURLOPT_CAINFO / --cacert.
*/ */
if(Curl_ssl_backend() != CURLSSLBACKEND_SCHANNEL) { if(Curl_ssl_backend() != CURLSSLBACKEND_SCHANNEL) {
#if defined(CURL_CA_BUNDLE) #if defined(CURL_CA_BUNDLE)

26
lib/vtls/schannel.c
View File

@ -440,7 +440,7 @@ schannel_connect_step1(struct connectdata *conn, int sockindex)
VERSION_LESS_THAN_EQUAL)) { VERSION_LESS_THAN_EQUAL)) {
/* Schannel in Windows XP (OS version 5.1) uses legacy handshakes and /* Schannel in Windows XP (OS version 5.1) uses legacy handshakes and
algorithms that may not be supported by all servers. */ algorithms that may not be supported by all servers. */
infof(data, "schannel: WinSSL version is old and may not be able to " infof(data, "schannel: Windows version is old and may not be able to "
"connect to some servers due to lack of SNI, algorithms, etc.\n"); "connect to some servers due to lack of SNI, algorithms, etc.\n");
} }
@ -2073,7 +2073,7 @@ static void Curl_schannel_cleanup(void)
static size_t Curl_schannel_version(char *buffer, size_t size) static size_t Curl_schannel_version(char *buffer, size_t size)
{ {
size = msnprintf(buffer, size, "WinSSL"); size = msnprintf(buffer, size, "Schannel");
return size; return size;
} }
@ -2161,11 +2161,11 @@ static CURLcode pkp_pin_peer_pubkey(struct connectdata *conn, int sockindex,
} }
static void Curl_schannel_checksum(const unsigned char *input, static void Curl_schannel_checksum(const unsigned char *input,
size_t inputlen, size_t inputlen,
unsigned char *checksum, unsigned char *checksum,
size_t checksumlen, size_t checksumlen,
DWORD provType, DWORD provType,
const unsigned int algId) const unsigned int algId)
{ {
HCRYPTPROV hProv = 0; HCRYPTPROV hProv = 0;
HCRYPTHASH hHash = 0; HCRYPTHASH hHash = 0;
@ -2215,9 +2215,9 @@ static CURLcode Curl_schannel_md5sum(unsigned char *input,
unsigned char *md5sum, unsigned char *md5sum,
size_t md5len) size_t md5len)
{ {
Curl_schannel_checksum(input, inputlen, md5sum, md5len, Curl_schannel_checksum(input, inputlen, md5sum, md5len,
PROV_RSA_FULL, CALG_MD5); PROV_RSA_FULL, CALG_MD5);
return CURLE_OK; return CURLE_OK;
} }
static CURLcode Curl_schannel_sha256sum(const unsigned char *input, static CURLcode Curl_schannel_sha256sum(const unsigned char *input,
@ -2225,9 +2225,9 @@ static CURLcode Curl_schannel_sha256sum(const unsigned char *input,
unsigned char *sha256sum, unsigned char *sha256sum,
size_t sha256len) size_t sha256len)
{ {
Curl_schannel_checksum(input, inputlen, sha256sum, sha256len, Curl_schannel_checksum(input, inputlen, sha256sum, sha256len,
PROV_RSA_AES, CALG_SHA_256); PROV_RSA_AES, CALG_SHA_256);
return CURLE_OK; return CURLE_OK;
} }
static void *Curl_schannel_get_internals(struct ssl_connect_data *connssl, static void *Curl_schannel_get_internals(struct ssl_connect_data *connssl,

8
src/tool_doswin.c
View File

@ -5,7 +5,7 @@
* | (__| |_| | _ <| |___ * | (__| |_| | _ <| |___
* \___|\___/|_| \_\_____| * \___|\___/|_| \_\_____|
* *
* Copyright (C) 1998 - 2016, Daniel Stenberg, <daniel@haxx.se>, et al. * Copyright (C) 1998 - 2019, Daniel Stenberg, <daniel@haxx.se>, et al.
* *
* This software is licensed as described in the file COPYING, which * This software is licensed as described in the file COPYING, which
* you should have received as part of this distribution. The terms * you should have received as part of this distribution. The terms
@ -646,9 +646,9 @@ CURLcode FindWin32CACert(struct OperationConfig *config,
/* Search and set cert file only if libcurl supports SSL. /* Search and set cert file only if libcurl supports SSL.
* *
* If Schannel (WinSSL) is the selected SSL backend then these locations * If Schannel is the selected SSL backend then these locations are
* are ignored. We allow setting CA location for schannel only when * ignored. We allow setting CA location for schannel only when explicitly
* explicitly specified by the user via CURLOPT_CAINFO / --cacert. * specified by the user via CURLOPT_CAINFO / --cacert.
*/ */
if((curlinfo->features & CURL_VERSION_SSL) && if((curlinfo->features & CURL_VERSION_SSL) &&
backend != CURLSSLBACKEND_SCHANNEL) { backend != CURLSSLBACKEND_SCHANNEL) {

4
src/tool_help.c
View File

@ -5,7 +5,7 @@
* | (__| |_| | _ <| |___ * | (__| |_| | _ <| |___
* \___|\___/|_| \_\_____| * \___|\___/|_| \_\_____|
* *
* Copyright (C) 1998 - 2018, Daniel Stenberg, <daniel@haxx.se>, et al. * Copyright (C) 1998 - 2019, Daniel Stenberg, <daniel@haxx.se>, et al.
* *
* This software is licensed as described in the file COPYING, which * This software is licensed as described in the file COPYING, which
* you should have received as part of this distribution. The terms * you should have received as part of this distribution. The terms
@ -413,7 +413,7 @@ static const struct helptxt helptext[] = {
{" --ssl-allow-beast", {" --ssl-allow-beast",
"Allow security flaw to improve interop"}, "Allow security flaw to improve interop"},
{" --ssl-no-revoke", {" --ssl-no-revoke",
"Disable cert revocation checks (WinSSL)"}, "Disable cert revocation checks (Schannel)"},
{" --ssl-reqd", {" --ssl-reqd",
"Require SSL/TLS"}, "Require SSL/TLS"},
{"-2, --sslv2", {"-2, --sslv2",

8
src/tool_operate.c
View File

@ -5,7 +5,7 @@
* | (__| |_| | _ <| |___ * | (__| |_| | _ <| |___
* \___|\___/|_| \_\_____| * \___|\___/|_| \_\_____|
* *
* Copyright (C) 1998 - 2018, Daniel Stenberg, <daniel@haxx.se>, et al. * Copyright (C) 1998 - 2019, Daniel Stenberg, <daniel@haxx.se>, et al.
* *
* This software is licensed as described in the file COPYING, which * This software is licensed as described in the file COPYING, which
* you should have received as part of this distribution. The terms * you should have received as part of this distribution. The terms
@ -258,9 +258,9 @@ static CURLcode operate_do(struct GlobalConfig *global,
* no environment-specified filename is found then check for CA bundle * no environment-specified filename is found then check for CA bundle
* default filename curl-ca-bundle.crt in the user's PATH. * default filename curl-ca-bundle.crt in the user's PATH.
* *
* If Schannel (WinSSL) is the selected SSL backend then these locations * If Schannel is the selected SSL backend then these locations are
* are ignored. We allow setting CA location for schannel only when * ignored. We allow setting CA location for schannel only when explicitly
* explicitly specified by the user via CURLOPT_CAINFO / --cacert. * specified by the user via CURLOPT_CAINFO / --cacert.
*/ */
if(tls_backend_info->backend != CURLSSLBACKEND_SCHANNEL) { if(tls_backend_info->backend != CURLSSLBACKEND_SCHANNEL) {
char *env; char *env;