moparisthebest/curl
1
0
Fork 0
mirror of https://github.com/moparisthebest/curl synced 2025-02-28 01:11:47 -05:00
Code Issues Releases Wiki Activity

axtls: removed

Browse Source 
As has been outlined in the DEPRECATE.md document, the axTLS code has
been disabled for 6 months and is hereby removed.

Use a better supported TLS library!

Assisted-by: Daniel Gustafsson
Closes #3194
This commit is contained in:
Daniel Stenberg 2018-10-30 10:00:00 +01:00
parent 7f4c358541
commit 302d125b42
No known key found for this signature in database
GPG Key ID: 5CC908FDB71E12C2
31 changed files with 24 additions and 996 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
CMakeLists.txt
View File

@ -291,7 +291,7 @@ if(WIN32)
endif()
# check SSL libraries
# TODO support GNUTLS, NSS, POLARSSL, AXTLS, CYASSL
# TODO support GNUTLS, NSS, POLARSSL, CYASSL
if(APPLE)
option(CMAKE_USE_DARWINSSL "enable Apple OS native SSL/TLS" OFF)

68
configure.ac
View File

@ -158,7 +158,7 @@ AC_SUBST(PKGADD_VENDOR)
dnl
dnl initialize all the info variables
curl_ssl_msg="no (--with-{ssl,gnutls,nss,polarssl,mbedtls,cyassl,axtls,winssl,darwinssl,mesalink} )"
curl_ssl_msg="no (--with-{ssl,gnutls,nss,polarssl,mbedtls,cyassl,winssl,darwinssl,mesalink} )"
curl_ssh_msg="no (--with-libssh2)"
curl_zlib_msg="no (--with-zlib)"
curl_brotli_msg="no (--with-brotli)"
@ -2631,70 +2631,10 @@ if test -z "$ssl_backends" -o "x$OPT_NSS" != xno; then
test -z "$ssl_msg" || ssl_backends="${ssl_backends:+$ssl_backends, }$ssl_msg"
fi
OPT_AXTLS=off
AC_ARG_WITH(axtls,dnl
AC_HELP_STRING([--with-axtls=PATH],[Where to look for axTLS, PATH points to the axTLS installation prefix (default: /usr/local). Ignored if another SSL engine is selected.])
AC_HELP_STRING([--without-axtls], [disable axTLS]),
OPT_AXTLS=$withval)
if test -z "$ssl_backends" -o "x$OPT_AXTLS" != xno; then
ssl_msg=
if test X"$OPT_AXTLS" != Xno; then
dnl backup the pre-axtls variables
CLEANLDFLAGS="$LDFLAGS"
CLEANCPPFLAGS="$CPPFLAGS"
CLEANLIBS="$LIBS"
case "$OPT_AXTLS" in
yes)
dnl --with-axtls (without path) used
PREFIX_AXTLS=/usr/local
LIB_AXTLS="$PREFIX_AXTLS/lib"
LDFLAGS="$LDFLAGS -L$LIB_AXTLS"
CPPFLAGS="$CPPFLAGS -I$PREFIX_AXTLS/include"
;;
off)
dnl no --with-axtls option given, just check default places
PREFIX_AXTLS=
;;
*)
dnl check the given --with-axtls spot
PREFIX_AXTLS=$OPT_AXTLS
LIB_AXTLS="$PREFIX_AXTLS/lib"
LDFLAGS="$LDFLAGS -L$LIB_AXTLS"
CPPFLAGS="$CPPFLAGS -I$PREFIX_AXTLS/include"
;;
esac
AC_CHECK_LIB(axtls, ssl_version,[
LIBS="-laxtls $LIBS"
AC_DEFINE(USE_AXTLS, 1, [if axTLS is enabled])
AC_SUBST(USE_AXTLS, [1])
AXTLS_ENABLED=1
check_for_ca_bundle=1
USE_AXTLS="yes"
ssl_msg="axTLS"
test axtls != "$DEFAULT_SSL_BACKEND" || VALID_DEFAULT_SSL_BACKEND=yes
if test "x$cross_compiling" != "xyes"; then
CURL_LIBRARY_PATH="$CURL_LIBRARY_PATH:$LIB_AXTLS"
export CURL_LIBRARY_PATH
AC_MSG_NOTICE([Added $LIB_AXTLS to CURL_LIBRARY_PATH])
fi
],[
LDFLAGS="$CLEANLDFLAGS"
CPPFLAGS="$CLEANCPPFLAGS"
LIBS="$CLEANLIBS"
])
fi
test -z "$ssl_msg" || ssl_backends="${ssl_backends:+$ssl_backends, }$ssl_msg"
fi
case "x$OPENSSL_ENABLED$GNUTLS_ENABLED$NSS_ENABLED$POLARSSL_ENABLED$MBEDTLS_ENABLED$AXTLS_ENABLED$CYASSL_ENABLED$WINSSL_ENABLED$DARWINSSL_ENABLED$MESALINK_ENABLED" in
case "x$OPENSSL_ENABLED$GNUTLS_ENABLED$NSS_ENABLED$POLARSSL_ENABLED$MBEDTLS_ENABLED$CYASSL_ENABLED$WINSSL_ENABLED$DARWINSSL_ENABLED$MESALINK_ENABLED" in
x)
AC_MSG_WARN([SSL disabled, you will not be able to use HTTPS, FTPS, NTLM and more.])
AC_MSG_WARN([Use --with-ssl, --with-gnutls, --with-polarssl, --with-cyassl, --with-nss, --with-axtls, --with-winssl, --with-darwinssl, or --with-mesalink to address this.])
AC_MSG_WARN([Use --with-ssl, --with-gnutls, --with-polarssl, --with-cyassl, --with-nss, --with-winssl, --with-darwinssl, or --with-mesalink to address this.])
;;
x1)
# one SSL backend is enabled
@ -3122,8 +3062,6 @@ AC_HELP_STRING([--disable-versioned-symbols], [Disable versioned symbols in shar
versioned_symbols_flavour="POLARSSL_"
elif test "x$CYASSL_ENABLED" = "x1"; then
versioned_symbols_flavour="CYASSL_"
elif test "x$AXTLS_ENABLED" = "x1"; then
versioned_symbols_flavour="AXTLS_"
elif test "x$WINSSL_ENABLED" = "x1"; then
versioned_symbols_flavour="WINSSL_"
elif test "x$DARWINSSL_ENABLED" = "x1"; then

26
docs/DEPRECATE.md
View File

@ -5,32 +5,6 @@ email the curl-library mailing list as soon as possible and explain to us why
this is a problem for you and how your use case can't be satisfied properly
using a work around.
## axTLS backend
Here are some complaints on axTLS.
- home page without HTTPS
- [doesn't support modern TLS features like SNI](https://github.com/dsheets/axtls/issues/2)
- [lacks support for modern ciphers](https://github.com/micropython/micropython/issues/3198)
- [doesn't allow for outside bug report submissions](https://sourceforge.net/p/axtls/bugs/)
- there's virtually no discussion about it in its [forum](https://sourceforge.net/p/axtls/discussion/)
nor [mailing list](https://sourceforge.net/p/axtls/mailman/axtls-general/)
Combined, this list hints that this is not a library and project we should
recommend to users.
### State
Since June 1st, 2018 (curl 7.61.0) axTLS support is disabled in code and
requires a small code change to build without errors. [See
PR](https://github.com/curl/curl/pull/2628)
### Removal
Remove all axTLS related code from curl on December 1st, exactly six months
after previously mentioned commit. To be shipped on December 26, 2018
(possibly called version 7.64.0)
## HTTP pipelining
HTTP pipelining is badly supported by curl in the sense that we have bugs and

2
docs/FAQ
View File

@ -447,7 +447,7 @@ FAQ
backends.
curl can be built to use one of the following SSL alternatives: OpenSSL,
GnuTLS, yassl, NSS, PolarSSL, axTLS, Secure Transport (native iOS/OS X),
GnuTLS, yassl, NSS, PolarSSL, MesaLink, Secure Transport (native iOS/OS X),
WinSSL (native Windows) or GSKit (native IBM i). They all have their pros
and cons, and we try to maintain a comparison of them here:
https://curl.haxx.se/docs/ssl-compared.html

6
docs/FEATURES
View File

@ -183,8 +183,7 @@ IMAPS (*1)
FOOTNOTES
=========
*1 = requires OpenSSL, GnuTLS, NSS, yassl, axTLS, PolarSSL, WinSSL (native
Windows), Secure Transport (native iOS/OS X) or GSKit (native IBM i)
*1 = requires a TLS library
*2 = requires OpenLDAP or WinLDAP
*3 = requires a GSS-API implementation (such as Heimdal or MIT Kerberos) or
SSPI (native Windows)
@ -197,8 +196,7 @@ FOOTNOTES
*8 = requires libssh2
*9 = requires OpenSSL, GnuTLS, mbedTLS, NSS, yassl, Secure Transport or SSPI
(native Windows)
*10 = requires any of the SSL libraries in (*1) above other than axTLS, which
does not support SSLv3
*10 = requires an SSL library that supports SSLv3
*11 = requires libidn or Windows
*12 = requires libz
*13 = requires libmetalink, and either an Apple or Microsoft operating

1
docs/INSTALL.md
View File

@ -105,7 +105,6 @@ libressl.
- NSS: `--without-ssl --with-nss`
- PolarSSL: `--without-ssl --with-polarssl`
- mbedTLS: `--without-ssl --with-mbedtls`
- axTLS: `--without-ssl --with-axtls`
- schannel: `--without-ssl --with-winssl`
- secure transport: `--without-ssl --with-darwinssl`
- MesaLink: `--without-ssl --with-mesalink`

1
docs/INTERNALS.md
View File

@ -88,7 +88,6 @@ Dependencies
- MIT Kerberos 1.2.4
- GSKit V5R3M0
- NSS 3.14.x
- axTLS 2.1.0
- PolarSSL 1.3.0
- Heimdal ?
- nghttp2 1.0.0

4
docs/LICENSE-MIXING.md
View File

@ -57,10 +57,6 @@ not have the announcement clause that collides with GPL.
different obligations. You should select the license that best meets your
needs.
## axTLS
(May be used for SSL/TLS support) Uses a Modified BSD-style license.
## mbedTLS
(May be used for SSL/TLS support) Uses the [Apache 2.0

19
docs/examples/Makefile.netware
View File

@ -27,11 +27,6 @@ ifndef LIBSSH2_PATH
LIBSSH2_PATH = ../../../libssh2-1.5.0
endif
# Edit the path below to point to the base of your axTLS package.
ifndef AXTLS_PATH
AXTLS_PATH = ../../../axTLS-1.2.7
endif
# Edit the path below to point to the base of your libidn package.
ifndef LIBIDN_PATH
LIBIDN_PATH = ../../../libidn-1.32
@ -197,14 +192,9 @@ WITH_SSH2 = 1
WITH_SSL = 1
WITH_ZLIB = 1
endif
ifeq ($(findstring -axtls,$(CFG)),-axtls)
WITH_AXTLS = 1
WITH_SSL =
else
ifeq ($(findstring -ssl,$(CFG)),-ssl)
WITH_SSL = 1
endif
endif
ifeq ($(findstring -zlib,$(CFG)),-zlib)
WITH_ZLIB = 1
endif
@ -245,15 +235,6 @@ ifdef WITH_SSL
LDLIBS += $(OPENSSL_PATH)/out_nw_$(LIBARCH_L)/crypto.$(LIBEXT)
IMPORTS += GetProcessSwitchCount RunningProcess
else
ifdef WITH_AXTLS
INCLUDES += -I$(AXTLS_PATH)/inc
ifdef LINK_STATIC
LDLIBS += $(AXTLS_PATH)/lib/libaxtls.$(LIBEXT)
else
MODULES += libaxtls.nlm
IMPORTS += $(AXTLS_PATH)/lib/libaxtls.imp
endif
endif
endif
ifdef WITH_ZLIB
# INCLUDES += -I$(ZLIB_PATH)

2
docs/libcurl/curl_global_sslset.3
View File

@ -41,7 +41,7 @@ typedef enum {
CURLSSLBACKEND_WOLFSSL = 7,
CURLSSLBACKEND_SCHANNEL = 8,
CURLSSLBACKEND_DARWINSSL = 9,
CURLSSLBACKEND_AXTLS = 10,
CURLSSLBACKEND_AXTLS = 10, /* deprecated */
CURLSSLBACKEND_MBEDTLS = 11,
CURLSSLBACKEND_MESALINK = 12
} curl_sslbackend;

2
docs/libcurl/libcurl-thread.3
View File

@ -60,8 +60,6 @@ thread-safe already without anything required.
Required actions unknown.
.IP yassl
Required actions unknown.
.IP axTLS
Required actions unknown.
.IP Secure-Transport
The engine is used by libcurl in a way that is fully thread-safe.
.IP WinSSL

4
docs/libcurl/opts/CURLINFO_TLS_SSL_PTR.3
View File

@ -54,7 +54,7 @@ struct curl_tlssessioninfo {
The \fIbackend\fP struct member is one of the defines in the CURLSSLBACKEND_*
series: CURLSSLBACKEND_NONE (when built without TLS support),
CURLSSLBACKEND_AXTLS, CURLSSLBACKEND_CYASSL, CURLSSLBACKEND_DARWINSSL,
CURLSSLBACKEND_CYASSL, CURLSSLBACKEND_DARWINSSL,
CURLSSLBACKEND_GNUTLS, CURLSSLBACKEND_GSKIT, CURLSSLBACKEND_MBEDTLS,
CURLSSLBACKEND_NSS, CURLSSLBACKEND_OPENSSL, CURLSSLBACKEND_POLARSSL,
CURLSSLBACKEND_SCHANNEL or CURLSSLBACKEND_MESALINK. (Note that the OpenSSL
@ -77,8 +77,6 @@ CURLINFO_TLS_SSL_PTR: SSL *
Since 7.48.0 the \fIinternals\fP member can point to these other SSL backends
as well:
.RS
.IP axTLS
SSL *
.IP mbedTLS
mbedtls_ssl_context *
.IP PolarSSL

4
docs/libcurl/opts/CURLOPT_PROXY_SSLVERSION.3
View File

@ -5,7 +5,7 @@
.\" * | (__| |_| | _ <| |___
.\" * \___|\___/|_| \_\_____|
.\" *
.\" * Copyright (C) 1998 - 2016, Daniel Stenberg, <daniel@haxx.se>, et al.
.\" * Copyright (C) 1998 - 2016, 2018, Daniel Stenberg, <daniel@haxx.se>, et al.
.\" *
.\" * This software is licensed as described in the file COPYING, which
.\" * you should have received as part of this distribution. The terms
@ -50,7 +50,7 @@ TLSv1.3
The maximum TLS version can be set by using \fIone\fP of the
CURL_SSLVERSION_MAX_ macros below. It is also possible to OR \fIone\fP of the
CURL_SSLVERSION_ macros with \fIone\fP of the CURL_SSLVERSION_MAX_ macros.
The MAX macros are not supported for SSL backends axTLS or wolfSSL.
The MAX macros are not supported for WolfSSL.
.RS
.IP CURL_SSLVERSION_MAX_DEFAULT
The flag defines the maximum supported TLS version as TLSv1.2, or the default

2
docs/libcurl/opts/CURLOPT_SSLVERSION.3
View File

@ -59,7 +59,7 @@ TLS v1.3 or later (Added in 7.52.0)
The maximum TLS version can be set by using \fIone\fP of the
CURL_SSLVERSION_MAX_ macros below. It is also possible to OR \fIone\fP of the
CURL_SSLVERSION_ macros with \fIone\fP of the CURL_SSLVERSION_MAX_ macros.
The MAX macros are not supported for SSL backends axTLS or wolfSSL.
The MAX macros are not supported for WolfSSL.
.RS
.IP CURL_SSLVERSION_MAX_DEFAULT
The flag defines the maximum supported TLS version by libcurl, or the default

2
docs/libcurl/symbols-in-versions
View File

@ -700,7 +700,7 @@ CURLSSH_AUTH_KEYBOARD 7.16.1
CURLSSH_AUTH_NONE 7.16.1
CURLSSH_AUTH_PASSWORD 7.16.1
CURLSSH_AUTH_PUBLICKEY 7.16.1
CURLSSLBACKEND_AXTLS 7.38.0
CURLSSLBACKEND_AXTLS 7.38.0 7.61.0
CURLSSLBACKEND_BORINGSSL 7.49.0
CURLSSLBACKEND_CYASSL 7.34.0
CURLSSLBACKEND_DARWINSSL 7.34.0

2
include/curl/curl.h
View File

@ -145,7 +145,7 @@ typedef enum {
CURLSSLBACKEND_WOLFSSL = 7,
CURLSSLBACKEND_SCHANNEL = 8,
CURLSSLBACKEND_DARWINSSL = 9,
CURLSSLBACKEND_AXTLS = 10,
CURLSSLBACKEND_AXTLS = 10, /* never used since 7.63.0 */
CURLSSLBACKEND_MBEDTLS = 11,
CURLSSLBACKEND_MESALINK = 12
} curl_sslbackend;

4
lib/Makefile.inc
View File

@ -28,12 +28,12 @@ LIB_VAUTH_CFILES = vauth/vauth.c vauth/cleartext.c vauth/cram.c \
LIB_VAUTH_HFILES = vauth/vauth.h vauth/digest.h vauth/ntlm.h
LIB_VTLS_CFILES = vtls/openssl.c vtls/gtls.c vtls/vtls.c vtls/nss.c \
vtls/polarssl.c vtls/polarssl_threadlock.c vtls/axtls.c \
vtls/polarssl.c vtls/polarssl_threadlock.c \
vtls/cyassl.c vtls/schannel.c vtls/schannel_verify.c \
vtls/darwinssl.c vtls/gskit.c vtls/mbedtls.c vtls/mesalink.c
LIB_VTLS_HFILES = vtls/openssl.h vtls/vtls.h vtls/gtls.h \
vtls/nssg.h vtls/polarssl.h vtls/polarssl_threadlock.h vtls/axtls.h \
vtls/nssg.h vtls/polarssl.h vtls/polarssl_threadlock.h \
vtls/cyassl.h vtls/schannel.h vtls/darwinssl.h vtls/gskit.h \
vtls/mbedtls.h vtls/mesalink.h

25
lib/Makefile.netware
View File

@ -6,7 +6,7 @@
# \___|\___/|_| \_\_____|
#
# Copyright (C) 2004 - 2015, Guenter Knauf
# Copyright (C) 2001 - 2017, Daniel Stenberg, <daniel@haxx.se>, et al.
# Copyright (C) 2001 - 2018, Daniel Stenberg, <daniel@haxx.se>, et al.
#
# This software is licensed as described in the file COPYING, which
# you should have received as part of this distribution. The terms
@ -49,11 +49,6 @@ ifndef LIBSSH2_PATH
LIBSSH2_PATH = ../../libssh2-1.5.0
endif
# Edit the path below to point to the base of your axTLS package.
ifndef AXTLS_PATH
AXTLS_PATH = ../../axTLS-1.2.7
endif
# Edit the path below to point to the base of your libidn package.
ifndef LIBIDN_PATH
LIBIDN_PATH = ../../libidn-1.18
@ -230,10 +225,6 @@ WITH_SSH2 = 1
WITH_SSL = 1
WITH_ZLIB = 1
endif
ifeq ($(findstring -axtls,$(CFG)),-axtls)
WITH_AXTLS = 1
WITH_SSL =
else
ifeq ($(findstring -ssl,$(CFG)),-ssl)
WITH_SSL = 1
ifeq ($(findstring -srp,$(CFG)),-srp)
@ -242,7 +233,6 @@ WITH_SRP = 1
endif
endif
endif
endif
ifeq ($(findstring -zlib,$(CFG)),-zlib)
WITH_ZLIB = 1
endif
@ -280,16 +270,6 @@ ifdef WITH_SSL
IMPORTS += GetProcessSwitchCount RunningProcess
INSTDEP += ca-bundle.crt
else
ifdef WITH_AXTLS
INCLUDES += -I$(AXTLS_PATH)/inc
ifdef LINK_STATIC
LDLIBS += $(AXTLS_PATH)/lib/libaxtls.$(LIBEXT)
else
MODULES += libaxtls.nlm
IMPORTS += $(AXTLS_PATH)/lib/libaxtls.imp
endif
INSTDEP += ca-bundle.crt
endif
endif
ifdef WITH_ZLIB
INCLUDES += -I$(ZLIB_PATH)
@ -672,9 +652,6 @@ ifdef WITH_SPNEGO
@echo $(DL)#define HAVE_SPNEGO 1$(DL) >> $@
endif
else
ifdef WITH_AXTLS
@echo $(DL)#define USE_AXTLS 1$(DL) >> $@
endif
endif
ifdef WITH_SSH2
@echo $(DL)#define USE_LIBSSH2 1$(DL) >> $@

2
lib/curl_setup.h
View File

@ -646,7 +646,7 @@ int netware_init(void);
#define LIBIDN_REQUIRED_VERSION "0.4.1"
#if defined(USE_GNUTLS) || defined(USE_OPENSSL) || defined(USE_NSS) || \
defined(USE_POLARSSL) || defined(USE_AXTLS) || defined(USE_MBEDTLS) || \
defined(USE_POLARSSL) || defined(USE_MBEDTLS) || \
defined(USE_CYASSL) || defined(USE_SCHANNEL) || \
defined(USE_DARWINSSL) || defined(USE_GSKIT) || defined(USE_MESALINK)
#define USE_SSL /* SSL support has been enabled */

5
lib/hostcheck.c
View File

@ -5,7 +5,7 @@
* | (__| |_| | _ <| |___
* \___|\___/|_| \_\_____|
*
* Copyright (C) 1998 - 2017, Daniel Stenberg, <daniel@haxx.se>, et al.
* Copyright (C) 1998 - 2018, Daniel Stenberg, <daniel@haxx.se>, et al.
*
* This software is licensed as described in the file COPYING, which
* you should have received as part of this distribution. The terms
@ -23,7 +23,6 @@
#include "curl_setup.h"
#if defined(USE_OPENSSL) \
|| defined(USE_AXTLS) \
|| defined(USE_GSKIT) \
|| defined(USE_SCHANNEL)
/* these backends use functions from this file */
@ -150,4 +149,4 @@ int Curl_cert_hostcheck(const char *match_pattern, const char *hostname)
return res;
}
#endif /* OPENSSL, AXTLS, GSKIT or schannel+wince */
#endif /* OPENSSL, GSKIT or schannel+wince */

7
lib/md5.c
View File

@ -163,13 +163,6 @@ static void MD5_Final(unsigned char digest[16], MD5_CTX *ctx)
CryptReleaseContext(ctx->hCryptProv, 0);
}
#elif defined(USE_AXTLS)
#include <axTLS/config.h>
#include <axTLS/os_int.h>
#include <axTLS/crypto.h>
#include "curl_memory.h"
/* The last #include file should be: */
#include "memdebug.h"
#else
/* When no other crypto library is available we use this code segment */
/*

741
lib/vtls/axtls.c
View File

@ -1,741 +0,0 @@
/***************************************************************************
* _ _ ____ _
* Project ___| | | | _ \| |
* / __| | | | |_) | |
* | (__| |_| | _ <| |___
* \___|\___/|_| \_\_____|
*
* Copyright (C) 2010, DirecTV, Contact: Eric Hu, <ehu@directv.com>.
* Copyright (C) 2010 - 2018, Daniel Stenberg, <daniel@haxx.se>, et al.
*
* This software is licensed as described in the file COPYING, which
* you should have received as part of this distribution. The terms
* are also available at https://curl.haxx.se/docs/copyright.html.
*
* You may opt to use, copy, modify, merge, publish, distribute and/or sell
* copies of the Software, and permit persons to whom the Software is
* furnished to do so, under the terms of the COPYING file.
*
* This software is distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY
* KIND, either express or implied.
*
***************************************************************************/
/*
* Source file for all axTLS-specific code for the TLS/SSL layer. No code
* but vtls.c should ever call or use these functions.
*/
#include "curl_setup.h"
#ifdef USE_AXTLS
#error axTLS support has been disabled in curl due to doubts about quality,
#error user dedication and a lack of use/testing. We urge users to consider
#error using a more established TLS backend instead.
#include <axTLS/config.h>
#include <axTLS/ssl.h>
#include "axtls.h"
#include "sendf.h"
#include "inet_pton.h"
#include "vtls.h"
#include "parsedate.h"
#include "connect.h" /* for the connect timeout */
#include "select.h"
#include "curl_printf.h"
#include "hostcheck.h"
#include <unistd.h>
/* The last #include files should be: */
#include "curl_memory.h"
#include "memdebug.h"
struct ssl_backend_data {
SSL_CTX* ssl_ctx;
SSL* ssl;
};
#define BACKEND connssl->backend
static CURLcode map_error_to_curl(int axtls_err)
{
switch(axtls_err) {
case SSL_ERROR_NOT_SUPPORTED:
case SSL_ERROR_INVALID_VERSION:
case -70: /* protocol version alert from server */
return CURLE_UNSUPPORTED_PROTOCOL;
break;
case SSL_ERROR_NO_CIPHER:
return CURLE_SSL_CIPHER;
break;
case SSL_ERROR_BAD_CERTIFICATE: /* this may be bad server cert too */
case SSL_ERROR_NO_CERT_DEFINED:
case -42: /* bad certificate alert from server */
case -43: /* unsupported cert alert from server */
case -44: /* cert revoked alert from server */
case -45: /* cert expired alert from server */
case -46: /* cert unknown alert from server */
return CURLE_SSL_CERTPROBLEM;
break;
case SSL_X509_ERROR(X509_NOT_OK):
case SSL_X509_ERROR(X509_VFY_ERROR_NO_TRUSTED_CERT):
case SSL_X509_ERROR(X509_VFY_ERROR_BAD_SIGNATURE):
case SSL_X509_ERROR(X509_VFY_ERROR_NOT_YET_VALID):
case SSL_X509_ERROR(X509_VFY_ERROR_EXPIRED):
case SSL_X509_ERROR(X509_VFY_ERROR_SELF_SIGNED):
case SSL_X509_ERROR(X509_VFY_ERROR_INVALID_CHAIN):
case SSL_X509_ERROR(X509_VFY_ERROR_UNSUPPORTED_DIGEST):
case SSL_X509_ERROR(X509_INVALID_PRIV_KEY):
return CURLE_PEER_FAILED_VERIFICATION;
break;
case -48: /* unknown ca alert from server */
return CURLE_SSL_CACERT;
break;
case -49: /* access denied alert from server */
return CURLE_REMOTE_ACCESS_DENIED;
break;
case SSL_ERROR_CONN_LOST:
case SSL_ERROR_SOCK_SETUP_FAILURE:
case SSL_ERROR_INVALID_HANDSHAKE:
case SSL_ERROR_INVALID_PROT_MSG:
case SSL_ERROR_INVALID_HMAC:
case SSL_ERROR_INVALID_SESSION:
case SSL_ERROR_INVALID_KEY: /* it's too bad this doesn't map better */
case SSL_ERROR_FINISHED_INVALID:
case SSL_ERROR_NO_CLIENT_RENOG:
default:
return CURLE_SSL_CONNECT_ERROR;
break;
}
}
static Curl_recv axtls_recv;
static Curl_send axtls_send;
static void free_ssl_structs(struct ssl_connect_data *connssl)
{
if(BACKEND->ssl) {
ssl_free(BACKEND->ssl);
BACKEND->ssl = NULL;
}
if(BACKEND->ssl_ctx) {
ssl_ctx_free(BACKEND->ssl_ctx);
BACKEND->ssl_ctx = NULL;
}
}
/*
* For both blocking and non-blocking connects, this function sets up the
* ssl context and state. This function is called after the TCP connect
* has completed.
*/
static CURLcode connect_prep(struct connectdata *conn, int sockindex)
{
struct ssl_connect_data *connssl = &conn->ssl[sockindex];
struct Curl_easy *data = conn->data;
SSL_CTX *ssl_ctx;
SSL *ssl = NULL;
int cert_types[] = {SSL_OBJ_X509_CERT, SSL_OBJ_PKCS12, 0};
int key_types[] = {SSL_OBJ_RSA_KEY, SSL_OBJ_PKCS8, SSL_OBJ_PKCS12, 0};
int i, ssl_fcn_return;
/* Assuming users will not compile in custom key/cert to axTLS.
* Also, even for blocking connects, use axTLS non-blocking feature.
*/
uint32_t client_option = SSL_NO_DEFAULT_KEY |
SSL_SERVER_VERIFY_LATER |
SSL_CONNECT_IN_PARTS;
if(connssl->state == ssl_connection_complete)
/* to make us tolerant against being called more than once for the
same connection */
return CURLE_OK;
if(SSL_CONN_CONFIG(version_max) != CURL_SSLVERSION_MAX_NONE) {
failf(data, "axtls does not support CURL_SSLVERSION_MAX");
return CURLE_SSL_CONNECT_ERROR;
}
/* axTLS only supports TLSv1 */
/* check to see if we've been told to use an explicit SSL/TLS version */
switch(SSL_CONN_CONFIG(version)) {
case CURL_SSLVERSION_DEFAULT:
case CURL_SSLVERSION_TLSv1:
break;
default:
failf(data, "axTLS only supports TLS 1.0 and 1.1, "
"and it cannot be specified which one to use");
return CURLE_SSL_CONNECT_ERROR;
}
#ifdef AXTLSDEBUG
client_option |= SSL_DISPLAY_STATES | SSL_DISPLAY_RSA | SSL_DISPLAY_CERTS;
#endif /* AXTLSDEBUG */
/* Allocate an SSL_CTX struct */
ssl_ctx = ssl_ctx_new(client_option, SSL_DEFAULT_CLNT_SESS);
if(ssl_ctx == NULL) {
failf(data, "unable to create client SSL context");
return CURLE_SSL_CONNECT_ERROR;
}
BACKEND->ssl_ctx = ssl_ctx;
BACKEND->ssl = NULL;
/* Load the trusted CA cert bundle file */
if(SSL_CONN_CONFIG(CAfile)) {
if(ssl_obj_load(ssl_ctx, SSL_OBJ_X509_CACERT,
SSL_CONN_CONFIG(CAfile), NULL) != SSL_OK) {
infof(data, "error reading ca cert file %s \n",
SSL_CONN_CONFIG(CAfile));
if(SSL_CONN_CONFIG(verifypeer)) {
return CURLE_SSL_CACERT_BADFILE;
}
}
else
infof(data, "found certificates in %s\n", SSL_CONN_CONFIG(CAfile));
}
/* gtls.c tasks we're skipping for now:
* 1) certificate revocation list checking
* 2) dns name assignment to host
* 3) set protocol priority. axTLS is TLSv1 only, so can probably ignore
* 4) set certificate priority. axTLS ignores type and sends certs in
* order added. can probably ignore this.
*/
/* Load client certificate */
if(SSL_SET_OPTION(cert)) {
i = 0;
/* Instead of trying to analyze cert type here, let axTLS try them all. */
while(cert_types[i] != 0) {
ssl_fcn_return = ssl_obj_load(ssl_ctx, cert_types[i],
SSL_SET_OPTION(cert), NULL);
if(ssl_fcn_return == SSL_OK) {
infof(data, "successfully read cert file %s \n",
SSL_SET_OPTION(cert));
break;
}
i++;
}
/* Tried all cert types, none worked. */
if(cert_types[i] == 0) {
failf(data, "%s is not x509 or pkcs12 format",
SSL_SET_OPTION(cert));
return CURLE_SSL_CERTPROBLEM;
}
}
/* Load client key.
If a pkcs12 file successfully loaded a cert, then there's nothing to do
because the key has already been loaded. */
if(SSL_SET_OPTION(key) && cert_types[i] != SSL_OBJ_PKCS12) {
i = 0;
/* Instead of trying to analyze key type here, let axTLS try them all. */
while(key_types[i] != 0) {
ssl_fcn_return = ssl_obj_load(ssl_ctx, key_types[i],
SSL_SET_OPTION(key), NULL);
if(ssl_fcn_return == SSL_OK) {
infof(data, "successfully read key file %s \n",
SSL_SET_OPTION(key));
break;
}
i++;
}
/* Tried all key types, none worked. */
if(key_types[i] == 0) {
failf(data, "Failure: %s is not a supported key file",
SSL_SET_OPTION(key));
return CURLE_SSL_CONNECT_ERROR;
}
}
/* gtls.c does more here that is being left out for now
* 1) set session credentials. can probably ignore since axtls puts this
* info in the ssl_ctx struct
* 2) setting up callbacks. these seem gnutls specific
*/
if(SSL_SET_OPTION(primary.sessionid)) {
const uint8_t *ssl_sessionid;
size_t ssl_idsize;
/* In axTLS, handshaking happens inside ssl_client_new. */
Curl_ssl_sessionid_lock(conn);
if(!Curl_ssl_getsessionid(conn, (void **) &ssl_sessionid, &ssl_idsize,
sockindex)) {
/* we got a session id, use it! */
infof(data, "SSL re-using session ID\n");
ssl = ssl_client_new(ssl_ctx, conn->sock[sockindex],
ssl_sessionid, (uint8_t)ssl_idsize, NULL);
}
Curl_ssl_sessionid_unlock(conn);
}
if(!ssl)
ssl = ssl_client_new(ssl_ctx, conn->sock[sockindex], NULL, 0, NULL);
BACKEND->ssl = ssl;
return CURLE_OK;
}
static void Curl_axtls_close(struct connectdata *conn, int sockindex)
{
struct ssl_connect_data *connssl = &conn->ssl[sockindex];
infof(conn->data, " Curl_axtls_close\n");
/* line from openssl.c: (void)SSL_shutdown(BACKEND->ssl);
axTLS compat layer does nothing for SSL_shutdown */
/* The following line is from openssl.c. There seems to be no axTLS
equivalent. ssl_free and ssl_ctx_free close things.
SSL_set_connect_state(connssl->handle); */
free_ssl_structs(connssl);
}
/*
* For both blocking and non-blocking connects, this function finalizes the
* SSL connection.
*/
static CURLcode connect_finish(struct connectdata *conn, int sockindex)
{
struct Curl_easy *data = conn->data;
struct ssl_connect_data *connssl = &conn->ssl[sockindex];
SSL *ssl = BACKEND->ssl;
const char *peer_CN;
uint32_t dns_altname_index;
const char *dns_altname;
int8_t found_subject_alt_names = 0;
int8_t found_subject_alt_name_matching_conn = 0;
const char * const hostname = SSL_IS_PROXY() ? conn->http_proxy.host.name :
conn->host.name;
const char * const dispname = SSL_IS_PROXY() ?
conn->http_proxy.host.dispname : conn->host.dispname;
/* Here, gtls.c gets the peer certificates and fails out depending on
* settings in "data." axTLS api doesn't have get cert chain fcn, so omit?
*/
/* Verify server's certificate */
if(SSL_CONN_CONFIG(verifypeer)) {
if(ssl_verify_cert(ssl) != SSL_OK) {
Curl_axtls_close(conn, sockindex);
failf(data, "server cert verify failed");
return CURLE_PEER_FAILED_VERIFICATION;
}
}
else
infof(data, "\t server certificate verification SKIPPED\n");
/* Here, gtls.c does issuer verification. axTLS has no straightforward
* equivalent, so omitting for now.*/
/* Here, gtls.c does the following
* 1) x509 hostname checking per RFC2818. axTLS doesn't support this, but
* it seems useful. This is now implemented, by Oscar Koeroo
* 2) checks cert validity based on time. axTLS does this in ssl_verify_cert
* 3) displays a bunch of cert information. axTLS doesn't support most of
* this, but a couple fields are available.
*/
/* There is no (DNS) Altnames count in the version 1.4.8 API. There is a
risk of an inifite loop */
for(dns_altname_index = 0; ; dns_altname_index++) {
dns_altname = ssl_get_cert_subject_alt_dnsname(ssl, dns_altname_index);
if(dns_altname == NULL) {
break;
}
found_subject_alt_names = 1;
infof(data, "\tComparing subject alt name DNS with hostname: %s <-> %s\n",
dns_altname, hostname);
if(Curl_cert_hostcheck(dns_altname, hostname)) {
found_subject_alt_name_matching_conn = 1;
break;
}
}
/* RFC2818 checks */
if(found_subject_alt_names && !found_subject_alt_name_matching_conn) {
if(SSL_CONN_CONFIG(verifyhost)) {
/* Break connection ! */
Curl_axtls_close(conn, sockindex);
failf(data, "\tsubjectAltName(s) do not match %s\n", dispname);
return CURLE_PEER_FAILED_VERIFICATION;
}
else
infof(data, "\tsubjectAltName(s) do not match %s\n", dispname);
}
else if(found_subject_alt_names == 0) {
/* Per RFC2818, when no Subject Alt Names were available, examine the peer
CN as a legacy fallback */
peer_CN = ssl_get_cert_dn(ssl, SSL_X509_CERT_COMMON_NAME);
if(peer_CN == NULL) {
if(SSL_CONN_CONFIG(verifyhost)) {
Curl_axtls_close(conn, sockindex);
failf(data, "unable to obtain common name from peer certificate");
return CURLE_PEER_FAILED_VERIFICATION;
}
else
infof(data, "unable to obtain common name from peer certificate");
}
else {
if(!Curl_cert_hostcheck((const char *)peer_CN, hostname)) {
if(SSL_CONN_CONFIG(verifyhost)) {
/* Break connection ! */
Curl_axtls_close(conn, sockindex);
failf(data, "\tcommon name \"%s\" does not match \"%s\"\n",
peer_CN, dispname);
return CURLE_PEER_FAILED_VERIFICATION;
}
else
infof(data, "\tcommon name \"%s\" does not match \"%s\"\n",
peer_CN, dispname);
}
}
}
/* General housekeeping */
connssl->state = ssl_connection_complete;
conn->recv[sockindex] = axtls_recv;
conn->send[sockindex] = axtls_send;
/* Put our freshly minted SSL session in cache */
if(SSL_SET_OPTION(primary.sessionid)) {
const uint8_t *ssl_sessionid = ssl_get_session_id(ssl);
size_t ssl_idsize = ssl_get_session_id_size(ssl);
Curl_ssl_sessionid_lock(conn);
if(Curl_ssl_addsessionid(conn, (void *) ssl_sessionid, ssl_idsize,
sockindex) != CURLE_OK)
infof(data, "failed to add session to cache\n");
Curl_ssl_sessionid_unlock(conn);
}
return CURLE_OK;
}
/*
* Use axTLS's non-blocking connection feature to open an SSL connection.
* This is called after a TCP connection is already established.
*/
static CURLcode Curl_axtls_connect_nonblocking(struct connectdata *conn,
int sockindex, bool *done)
{
struct ssl_connect_data *connssl = &conn->ssl[sockindex];
CURLcode conn_step;
int ssl_fcn_return;
int i;
*done = FALSE;
/* connectdata is calloc'd and connecting_state is only changed in this
function, so this is safe, as the state is effectively initialized. */
if(connssl->connecting_state == ssl_connect_1) {
conn_step = connect_prep(conn, sockindex);
if(conn_step != CURLE_OK) {
Curl_axtls_close(conn, sockindex);
return conn_step;
}
connssl->connecting_state = ssl_connect_2;
}
if(connssl->connecting_state == ssl_connect_2) {
/* Check to make sure handshake was ok. */
if(ssl_handshake_status(BACKEND->ssl) != SSL_OK) {
/* Loop to perform more work in between sleeps. This is work around the
fact that axtls does not expose any knowledge about when work needs
to be performed. This can save ~25% of time on SSL handshakes. */
for(i = 0; i<5; i++) {
ssl_fcn_return = ssl_read(BACKEND->ssl, NULL);
if(ssl_fcn_return < 0) {
Curl_axtls_close(conn, sockindex);
ssl_display_error(ssl_fcn_return); /* goes to stdout. */
return map_error_to_curl(ssl_fcn_return);
}
return CURLE_OK;
}
}
infof(conn->data, "handshake completed successfully\n");
connssl->connecting_state = ssl_connect_3;
}
if(connssl->connecting_state == ssl_connect_3) {
conn_step = connect_finish(conn, sockindex);
if(conn_step != CURLE_OK) {
Curl_axtls_close(conn, sockindex);
return conn_step;
}
/* Reset connect state */
connssl->connecting_state = ssl_connect_1;
*done = TRUE;
return CURLE_OK;
}
/* Unrecognized state. Things are very bad. */
connssl->state = ssl_connection_none;
connssl->connecting_state = ssl_connect_1;
/* Return value perhaps not strictly correct, but distinguishes the issue.*/
return CURLE_BAD_FUNCTION_ARGUMENT;
}
/*
* This function is called after the TCP connect has completed. Setup the TLS
* layer and do all necessary magic for a blocking connect.
*/
static CURLcode Curl_axtls_connect(struct connectdata *conn, int sockindex)
{
struct Curl_easy *data = conn->data;
CURLcode conn_step = connect_prep(conn, sockindex);
int ssl_fcn_return;
struct ssl_connect_data *connssl = &conn->ssl[sockindex];
SSL *ssl = BACKEND->ssl;
long timeout_ms;
if(conn_step != CURLE_OK) {
Curl_axtls_close(conn, sockindex);
return conn_step;
}
/* Check to make sure handshake was ok. */
while(ssl_handshake_status(ssl) != SSL_OK) {
/* check allowed time left */
timeout_ms = Curl_timeleft(data, NULL, TRUE);
if(timeout_ms < 0) {
/* no need to continue if time already is up */
failf(data, "SSL connection timeout");
return CURLE_OPERATION_TIMEDOUT;
}
ssl_fcn_return = ssl_read(ssl, NULL);
if(ssl_fcn_return < 0) {
Curl_axtls_close(conn, sockindex);
ssl_display_error(ssl_fcn_return); /* goes to stdout. */
return map_error_to_curl(ssl_fcn_return);
}
/* TODO: avoid polling */
Curl_wait_ms(10);
}
infof(conn->data, "handshake completed successfully\n");
conn_step = connect_finish(conn, sockindex);
if(conn_step != CURLE_OK) {
Curl_axtls_close(conn, sockindex);
return conn_step;
}
return CURLE_OK;
}
/* return number of sent (non-SSL) bytes */
static ssize_t axtls_send(struct connectdata *conn,
int sockindex,
const void *mem,
size_t len,
CURLcode *err)
{
struct ssl_connect_data *connssl = &conn->ssl[sockindex];
/* ssl_write() returns 'int' while write() and send() returns 'size_t' */
int rc = ssl_write(BACKEND->ssl, mem, (int)len);
infof(conn->data, " axtls_send\n");
if(rc < 0) {
*err = map_error_to_curl(rc);
rc = -1; /* generic error code for send failure */
}
*err = CURLE_OK;
return rc;
}
/*
* This function is called to shut down the SSL layer but keep the
* socket open (CCC - Clear Command Channel)
*/
static int Curl_axtls_shutdown(struct connectdata *conn, int sockindex)
{
/* Outline taken from openssl.c since functions are in axTLS compat layer.
axTLS's error set is much smaller, so a lot of error-handling was removed.
*/
int retval = 0;
struct ssl_connect_data *connssl = &conn->ssl[sockindex];
struct Curl_easy *data = conn->data;
uint8_t *buf;
ssize_t nread;
infof(conn->data, " Curl_axtls_shutdown\n");
/* This has only been tested on the proftpd server, and the mod_tls code
sends a close notify alert without waiting for a close notify alert in
response. Thus we wait for a close notify alert from the server, but
we do not send one. Let's hope other servers do the same... */
/* axTLS compat layer does nothing for SSL_shutdown, so we do nothing too
if(data->set.ftp_ccc == CURLFTPSSL_CCC_ACTIVE)
(void)SSL_shutdown(BACKEND->ssl);
*/
if(BACKEND->ssl) {
int what = SOCKET_READABLE(conn->sock[sockindex], SSL_SHUTDOWN_TIMEOUT);
if(what > 0) {
/* Something to read, let's do it and hope that it is the close
notify alert from the server. buf is managed internally by
axTLS and will be released upon calling ssl_free via
free_ssl_structs. */
nread = (ssize_t)ssl_read(BACKEND->ssl, &buf);
if(nread < SSL_OK) {
failf(data, "close notify alert not received during shutdown");
retval = -1;
}
}
else if(0 == what) {
/* timeout */
failf(data, "SSL shutdown timeout");
}
else {
/* anything that gets here is fatally bad */
failf(data, "select/poll on SSL socket, errno: %d", SOCKERRNO);
retval = -1;
}
free_ssl_structs(connssl);
}
return retval;
}
static ssize_t axtls_recv(struct connectdata *conn, /* connection data */
int num, /* socketindex */
char *buf, /* store read data here */
size_t buffersize, /* max amount to read */
CURLcode *err)
{
struct ssl_connect_data *connssl = &conn->ssl[num];
ssize_t ret = 0;
uint8_t *read_buf;
infof(conn->data, " axtls_recv\n");
*err = CURLE_OK;
if(connssl) {
ret = ssl_read(BACKEND->ssl, &read_buf);
if(ret > SSL_OK) {
/* ssl_read returns SSL_OK if there is more data to read, so if it is
larger, then all data has been read already. */
memcpy(buf, read_buf,
(size_t)ret > buffersize ? buffersize : (size_t)ret);
}
else if(ret == SSL_OK) {
/* more data to be read, signal caller to call again */
*err = CURLE_AGAIN;
ret = -1;
}
else if(ret == -3) {
/* With patched axTLS, SSL_CLOSE_NOTIFY=-3. Hard-coding until axTLS
team approves proposed fix. */
Curl_axtls_close(conn, num);
}
else {
failf(conn->data, "axTLS recv error (%d)", ret);
*err = map_error_to_curl((int) ret);
ret = -1;
}
}
return ret;
}
/*
* Return codes:
* 1 means the connection is still in place
* 0 means the connection has been closed
* -1 means the connection status is unknown
*/
static int Curl_axtls_check_cxn(struct connectdata *conn)
{
/* openssl.c line:
rc = SSL_peek(conn->ssl[FIRSTSOCKET].backend->ssl, (void*)&buf, 1);
axTLS compat layer always returns the last argument, so connection is
always alive? */
infof(conn->data, " Curl_axtls_check_cxn\n");
return 1; /* connection still in place */
}
static void Curl_axtls_session_free(void *ptr)
{
(void)ptr;
/* free the ID */
/* both openssl.c and gtls.c do something here, but axTLS's OpenSSL
compatibility layer does nothing, so we do nothing too. */
}
static size_t Curl_axtls_version(char *buffer, size_t size)
{
return snprintf(buffer, size, "axTLS/%s", ssl_version());
}
static CURLcode Curl_axtls_random(struct Curl_easy *data,
unsigned char *entropy, size_t length)
{
static bool ssl_seeded = FALSE;
(void)data;
if(!ssl_seeded) {
ssl_seeded = TRUE;
/* Initialize the seed if not already done. This call is not exactly thread
* safe (and neither is the ssl_seeded check), but the worst effect of a
* race condition is that some global resources will leak. */
RNG_initialize();
}
get_random((int)length, entropy);
return CURLE_OK;
}
static void *Curl_axtls_get_internals(struct ssl_connect_data *connssl,
CURLINFO info UNUSED_PARAM)
{
(void)info;
return BACKEND->ssl;
}
const struct Curl_ssl Curl_ssl_axtls = {
{ CURLSSLBACKEND_AXTLS, "axtls" }, /* info */
0, /* no fancy stuff */
sizeof(struct ssl_backend_data),
/*
* axTLS has no global init. Everything is done through SSL and SSL_CTX
* structs stored in connectdata structure.
*/
Curl_none_init, /* init */
/* axTLS has no global cleanup. */
Curl_none_cleanup, /* cleanup */
Curl_axtls_version, /* version */
Curl_axtls_check_cxn, /* check_cxn */
Curl_axtls_shutdown, /* shutdown */
Curl_none_data_pending, /* data_pending */
Curl_axtls_random, /* random */
Curl_none_cert_status_request, /* cert_status_request */
Curl_axtls_connect, /* connect */
Curl_axtls_connect_nonblocking, /* connect_nonblocking */
Curl_axtls_get_internals, /* get_internals */
Curl_axtls_close, /* close_one */
Curl_none_close_all, /* close_all */
Curl_axtls_session_free, /* session_free */
Curl_none_set_engine, /* set_engine */
Curl_none_set_engine_default, /* set_engine_default */
Curl_none_engines_list, /* engines_list */
Curl_none_false_start, /* false_start */
Curl_none_md5sum, /* md5sum */
NULL /* sha256sum */
};
#endif /* USE_AXTLS */

33
lib/vtls/axtls.h
View File

@ -1,33 +0,0 @@
#ifndef HEADER_CURL_AXTLS_H
#define HEADER_CURL_AXTLS_H
/***************************************************************************
* _ _ ____ _
* Project ___| | | | _ \| |
* / __| | | | |_) | |
* | (__| |_| | _ <| |___
* \___|\___/|_| \_\_____|
*
* Copyright (C) 2010, DirecTV, Contact: Eric Hu <ehu@directv.com>
* Copyright (C) 2010 - 2017, Daniel Stenberg, <daniel@haxx.se>, et al.
*
* This software is licensed as described in the file COPYING, which
* you should have received as part of this distribution. The terms
* are also available at https://curl.haxx.se/docs/copyright.html.
*
* You may opt to use, copy, modify, merge, publish, distribute and/or sell
* copies of the Software, and permit persons to whom the Software is
* furnished to do so, under the terms of the COPYING file.
*
* This software is distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY
* KIND, either express or implied.
*
***************************************************************************/
#ifdef USE_AXTLS
#include "curl/curl.h"
#include "urldata.h"
extern const struct Curl_ssl Curl_ssl_axtls;
#endif /* USE_AXTLS */
#endif /* HEADER_CURL_AXTLS_H */

5
lib/vtls/vtls.c
View File

@ -1170,8 +1170,6 @@ static const struct Curl_ssl Curl_ssl_multi = {
const struct Curl_ssl *Curl_ssl =
#if defined(CURL_WITH_MULTI_SSL)
&Curl_ssl_multi;
#elif defined(USE_AXTLS)
&Curl_ssl_axtls;
#elif defined(USE_CYASSL)
&Curl_ssl_cyassl;
#elif defined(USE_DARWINSSL)
@ -1197,9 +1195,6 @@ const struct Curl_ssl *Curl_ssl =
#endif
static const struct Curl_ssl *available_backends[] = {
#if defined(USE_AXTLS)
&Curl_ssl_axtls,
#endif
#if defined(USE_CYASSL)
&Curl_ssl_cyassl,
#endif

1
lib/vtls/vtls.h
View File

@ -103,7 +103,6 @@ CURLcode Curl_none_md5sum(unsigned char *input, size_t inputlen,
#include "nssg.h" /* NSS versions */
#include "gskit.h" /* Global Secure ToolKit versions */
#include "polarssl.h" /* PolarSSL versions */
#include "axtls.h" /* axTLS versions */
#include "cyassl.h" /* CyaSSL versions */
#include "schannel.h" /* Schannel SSPI version */
#include "darwinssl.h" /* SecureTransport (Darwin) version */

2
packages/Symbian/group/libcurl.mmp
View File

@ -35,7 +35,7 @@ SOURCE \
socks_sspi.c curl_sspi.c slist.c nonblock.c curl_memrchr.c imap.c \
pop3.c smtp.c pingpong.c rtsp.c curl_threads.c warnless.c hmac.c \
vtls/polarssl.c curl_rtmp.c openldap.c curl_gethostname.c gopher.c \
vtls/axtls.c idn_win32.c vtls/cyassl.c http_proxy.c non-ascii.c \
idn_win32.c vtls/cyassl.c http_proxy.c non-ascii.c \
asyn-ares.c asyn-thread.c curl_gssapi.c http_ntlm.c curl_ntlm_wb.c \
curl_ntlm_core.c curl_sasl.c vtls/schannel.c curl_multibyte.c \
vtls/darwinssl.c conncache.c curl_sasl_sspi.c smb.c curl_endian.c \

3
packages/vms/generate_config_vms_h_curl.com
View File

@ -325,9 +325,6 @@ $! configure defaults to USE_*, a real configure on VMS chooses different.
$write cvh "#ifdef USE_ARES"
$write cvh "#undef USE_ARES"
$write cvh "#endif"
$write cvh "#ifdef USE_AXTLS"
$write cvh "#undef USE_AXTLS"
$write cvh "#endif"
$write cvh "#ifdef USE_CYASSL"
$write cvh "#undef USE_CYASSL"
$write cvh "#endif"

22
src/Makefile.netware
View File

@ -6,7 +6,7 @@
# \___|\___/|_| \_\_____|
#
# Copyright (C) 2004 - 2014, Guenter Knauf
# Copyright (C) 2001 - 2015, Daniel Stenberg, <daniel@haxx.se>, et al.
# Copyright (C) 2001 - 2018, Daniel Stenberg, <daniel@haxx.se>, et al.
#
# This software is licensed as described in the file COPYING, which
# you should have received as part of this distribution. The terms
@ -49,11 +49,6 @@ ifndef LIBSSH2_PATH
LIBSSH2_PATH = ../../libssh2-1.5.0
endif
# Edit the path below to point to the base of your axTLS package.
ifndef AXTLS_PATH
AXTLS_PATH = ../../axTLS-1.2.7
endif
# Edit the path below to point to the base of your libidn package.
ifndef LIBIDN_PATH
LIBIDN_PATH = ../../libidn-1.18
@ -239,14 +234,9 @@ WITH_SSH2 = 1
WITH_SSL = 1
WITH_ZLIB = 1
endif
ifeq ($(findstring -axtls,$(CFG)),-axtls)
WITH_AXTLS = 1
WITH_SSL =
else
ifeq ($(findstring -ssl,$(CFG)),-ssl)
WITH_SSL = 1
endif
endif
ifeq ($(findstring -zlib,$(CFG)),-zlib)
WITH_ZLIB = 1
endif
@ -293,16 +283,6 @@ ifdef WITH_SSL
LDLIBS += $(OPENSSL_PATH)/out_nw_$(LIBARCH_L)/ssl.$(LIBEXT)
LDLIBS += $(OPENSSL_PATH)/out_nw_$(LIBARCH_L)/crypto.$(LIBEXT)
IMPORTS += GetProcessSwitchCount RunningProcess
else
ifdef WITH_AXTLS
# INCLUDES += -I$(AXTLS_PATH)/inc
ifdef LINK_STATIC
LDLIBS += $(AXTLS_PATH)/lib/libaxtls.$(LIBEXT)
else
MODULES += libaxtls.nlm
IMPORTS += $(AXTLS_PATH)/lib/libaxtls.imp
endif
endif
endif
ifdef WITH_ZLIB
INCLUDES += -I$(ZLIB_PATH)

1
tests/FILEFORMAT
View File

@ -220,7 +220,6 @@ SKIPPED.
Features testable here are:
axTLS
crypto
debug
getrlimit

18
tests/runtests.pl
View File

@ -245,7 +245,6 @@ my $has_gnutls; # built with GnuTLS
my $has_nss; # built with NSS
my $has_yassl; # built with yassl
my $has_polarssl; # built with polarssl
my $has_axtls; # built with axTLS
my $has_winssl; # built with WinSSL (Secure Channel aka Schannel)
my $has_darwinssl; # built with DarwinSSL (Secure Transport)
my $has_boringssl; # built with BoringSSL
@ -793,7 +792,6 @@ sub verifyhttp {
$flags .= "--verbose ";
$flags .= "--globoff ";
$flags .= "--unix-socket '$port_or_path' " if $ipvnum eq "unix";
$flags .= "-1 " if($has_axtls);
$flags .= "--insecure " if($proto eq 'https');
$flags .= "\"$proto://$ip:$port/${bonus}verifiedserver\"";
@ -2720,10 +2718,6 @@ sub checksystem {
$has_sslpinning=1;
$ssllib="polarssl";
}
elsif ($libcurl =~ /axtls/i) {
$has_axtls=1;
$ssllib="axTLS";
}
elsif ($libcurl =~ /securetransport/i) {
$has_darwinssl=1;
$has_sslpinning=1;
@ -3278,11 +3272,6 @@ sub singletest {
next;
}
}
elsif($1 eq "axTLS") {
if($has_axtls) {
next;
}
}
elsif($1 eq "WinSSL") {
if($has_winssl) {
next;
@ -3456,11 +3445,6 @@ sub singletest {
next;
}
}
elsif($1 eq "axTLS") {
if(!$has_axtls) {
next;
}
}
elsif($1 eq "WinSSL") {
if(!$has_winssl) {
next;
@ -3887,8 +3871,6 @@ sub singletest {
}
elsif(!$tool) {
# run curl, add suitable command line options
$cmd = "-1 ".$cmd if(exists $feature{"SSL"} && ($has_axtls));
my $inc="";
if((!$cmdhash{'option'}) || ($cmdhash{'option'} !~ /no-include/)) {
$inc = " --include";

4
tests/unit/unit1397.c
View File

@ -5,7 +5,7 @@
* | (__| |_| | _ <| |___
* \___|\___/|_| \_\_____|
*
* Copyright (C) 1998 - 2016, Daniel Stenberg, <daniel@haxx.se>, et al.
* Copyright (C) 1998 - 2018, Daniel Stenberg, <daniel@haxx.se>, et al.
*
* This software is licensed as described in the file COPYING, which
* you should have received as part of this distribution. The terms
@ -36,7 +36,7 @@ static void unit_stop(void)
UNITTEST_START
/* only these backends define the tested functions */
#if defined(USE_OPENSSL) || defined(USE_AXTLS) || defined(USE_GSKIT)
#if defined(USE_OPENSSL) || defined(USE_GSKIT)
/* here you start doing things and checking that the results are good */