nss: remove support for this TLS library

Closes #11459
This commit is contained in:
Daniel Stenberg 2023-07-29 23:44:28 +02:00
parent 8b7cbe9dec
commit 7c8bae0d9c
No known key found for this signature in database
GPG Key ID: 5CC908FDB71E12C2
74 changed files with 117 additions and 3159 deletions


@ -153,10 +153,6 @@ jobs:
install_steps: intel
configure: CC=icc --enable-debug --with-openssl
- name: NSS
install_packages: clang libnss3-dev libnghttp2-dev nss-plugin-pem
configure: CC=clang CPPFLAGS="-isystem /usr/include/nss" --with-nss --enable-debug --with-nss-deprecated
- name: Slackware-openssl-with-gssapi-gcc
# These are essentially the same flags used to build the curl Slackware package
# https://ftpmirror.infania.net/slackware/slackware64-current/source/n/curl/curl.SlackBuild


@ -1,40 +0,0 @@
#***************************************************************************
# _ _ ____ _
# Project ___| | | | _ \| |
# / __| | | | |_) | |
# | (__| |_| | _ <| |___
# \___|\___/|_| \_\_____|
#
# Copyright (C) Daniel Stenberg, <daniel@haxx.se>, et al.
#
# This software is licensed as described in the file COPYING, which
# you should have received as part of this distribution. The terms
# are also available at https://curl.se/docs/copyright.html.
#
# You may opt to use, copy, modify, merge, publish, distribute and/or sell
# copies of the Software, and permit persons to whom the Software is
# furnished to do so, under the terms of the COPYING file.
#
# This software is distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY
# KIND, either express or implied.
#
# SPDX-License-Identifier: curl
#
###########################################################################
if(UNIX)
find_package(PkgConfig QUIET)
pkg_search_module(PC_NSS nss)
endif()
if(NOT PC_NSS_FOUND)
return()
endif()
set(NSS_LIBRARIES ${PC_NSS_LINK_LIBRARIES})
set(NSS_INCLUDE_DIRS ${PC_NSS_INCLUDE_DIRS})
include(FindPackageHandleStandardArgs)
find_package_handle_standard_args(NSS
REQUIRED_VARS NSS_LIBRARIES NSS_INCLUDE_DIRS
VERSION_VAR PC_NSS_VERSION)
mark_as_advanced(NSS_INCLUDE_DIRS NSS_LIBRARIES)


@ -400,11 +400,10 @@ if(WIN32)
endif()
cmake_dependent_option(CURL_USE_MBEDTLS "Enable mbedTLS for SSL/TLS" OFF CURL_ENABLE_SSL OFF)
cmake_dependent_option(CURL_USE_BEARSSL "Enable BearSSL for SSL/TLS" OFF CURL_ENABLE_SSL OFF)
cmake_dependent_option(CURL_USE_NSS "Enable NSS for SSL/TLS" OFF CURL_ENABLE_SSL OFF)
cmake_dependent_option(CURL_USE_WOLFSSL "enable wolfSSL for SSL/TLS" OFF CURL_ENABLE_SSL OFF)
set(openssl_default ON)
if(WIN32 OR CURL_USE_SECTRANSP OR CURL_USE_SCHANNEL OR CURL_USE_MBEDTLS OR CURL_USE_NSS OR CURL_USE_WOLFSSL)
if(WIN32 OR CURL_USE_SECTRANSP OR CURL_USE_SCHANNEL OR CURL_USE_MBEDTLS OR CURL_USE_WOLFSSL)
set(openssl_default OFF)
endif()
cmake_dependent_option(CURL_USE_OPENSSL "Use OpenSSL code. Experimental" ${openssl_default} CURL_ENABLE_SSL OFF)
@ -416,7 +415,6 @@ count_true(enabled_ssl_options_count
CURL_USE_OPENSSL
CURL_USE_MBEDTLS
CURL_USE_BEARSSL
CURL_USE_NSS
CURL_USE_WOLFSSL
)
if(enabled_ssl_options_count GREATER "1")
@ -512,21 +510,6 @@ if(CURL_USE_WOLFSSL)
include_directories(${WolfSSL_INCLUDE_DIRS})
endif()
if(CURL_USE_NSS)
find_package(NSS REQUIRED)
include_directories(${NSS_INCLUDE_DIRS})
list(APPEND CURL_LIBS ${NSS_LIBRARIES})
set(SSL_ENABLED ON)
set(USE_NSS ON)
if(NOT DEFINED HAVE_PK11_CREATEMANAGEDGENERICOBJECT)
cmake_push_check_state()
set(CMAKE_REQUIRED_INCLUDES ${NSS_INCLUDE_DIRS})
set(CMAKE_REQUIRED_LIBRARIES ${NSS_LIBRARIES})
check_symbol_exists(PK11_CreateManagedGenericObject "pk11pub.h" HAVE_PK11_CREATEMANAGEDGENERICOBJECT)
cmake_pop_check_state()
endif()
endif()
# Keep ZLIB detection after TLS detection,
# and before calling CheckQuicSupportInOpenSSL.
@ -950,7 +933,7 @@ elseif("${CURL_CA_PATH}" STREQUAL "none")
unset(CURL_CA_PATH CACHE)
elseif("${CURL_CA_PATH}" STREQUAL "auto")
unset(CURL_CA_PATH CACHE)
if(NOT CMAKE_CROSSCOMPILING AND NOT USE_NSS)
if(NOT CMAKE_CROSSCOMPILING)
set(CURL_CA_PATH_AUTODETECT TRUE)
endif()
else()
@ -1497,7 +1480,7 @@ _add_if("HTTP2" USE_NGHTTP2)
_add_if("HTTP3" USE_NGTCP2 OR USE_QUICHE)
_add_if("MultiSSL" CURL_WITH_MULTI_SSL)
# TODO wolfSSL only support this from v5.0.0 onwards
_add_if("HTTPS-proxy" SSL_ENABLED AND (USE_OPENSSL OR USE_GNUTLS OR USE_NSS
_add_if("HTTPS-proxy" SSL_ENABLED AND (USE_OPENSSL OR USE_GNUTLS
OR USE_SCHANNEL OR USE_RUSTLS OR USE_BEARSSL OR
USE_MBEDTLS OR USE_SECTRANSP))
_add_if("unicode" ENABLE_UNICODE)
@ -1555,7 +1538,6 @@ _add_if("OpenSSL" SSL_ENABLED AND USE_OPENSSL)
_add_if("Secure Transport" SSL_ENABLED AND USE_SECTRANSP)
_add_if("mbedTLS" SSL_ENABLED AND USE_MBEDTLS)
_add_if("BearSSL" SSL_ENABLED AND USE_BEARSSL)
_add_if("NSS" SSL_ENABLED AND USE_NSS)
_add_if("wolfSSL" SSL_ENABLED AND USE_WOLFSSL)
if(_items)
list(SORT _items)
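Review bot: The rewritten default-selection line `if(WIN32 OR CURL_USE_SECTRANSP OR CURL_USE_SCHANNEL OR CURL_USE_MBEDTLS OR CURL_USE_WOLFSSL)` still leaves out CURL_USE_BEARSSL, even though that option is declared two lines above it and is included in the `count_true(enabled_ssl_options_count ...)` list in the next hunk. If I read the flow correctly, a configure run that only passes `-DCURL_USE_BEARSSL=ON` keeps `openssl_default` at ON, so CURL_USE_OPENSSL also defaults to ON and the `if(enabled_ssl_options_count GREATER "1")` check fires instead of producing a BearSSL-only build. Since the commit already rewrites this condition to drop NSS, it is the natural place to add the missing backend: `if(WIN32 OR CURL_USE_SECTRANSP OR CURL_USE_SCHANNEL OR CURL_USE_MBEDTLS OR CURL_USE_BEARSSL OR CURL_USE_WOLFSSL)`. The `count_true(...)` call itself begins outside the second hunk, so I have only checked the entries visible here.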


@ -147,7 +147,7 @@ AC_SUBST(PKGADD_VENDOR)
dnl
dnl initialize all the info variables
curl_ssl_msg="no (--with-{openssl,gnutls,nss,mbedtls,wolfssl,schannel,secure-transport,amissl,bearssl,rustls} )"
curl_ssl_msg="no (--with-{openssl,gnutls,mbedtls,wolfssl,schannel,secure-transport,amissl,bearssl,rustls} )"
curl_ssh_msg="no (--with-{libssh,libssh2})"
curl_zlib_msg="no (--with-zlib)"
curl_brotli_msg="no (--with-brotli)"
@ -298,28 +298,6 @@ AS_HELP_STRING([--with-rustls=PATH],[where to look for rustls, PATH points to th
fi
])
OPT_NSS_AWARE=no
AC_ARG_WITH(nss-deprecated,dnl
AS_HELP_STRING([--with-nss-deprecated],[confirm you realize NSS is going away]),
if test X"$withval" != Xno; then
OPT_NSS_AWARE=$withval
fi
)
OPT_NSS=no
AC_ARG_WITH(nss,dnl
AS_HELP_STRING([--with-nss=PATH],[where to look for NSS, PATH points to the installation root]),
OPT_NSS=$withval
if test X"$withval" != Xno; then
if test X"$OPT_NSS_AWARE" = "Xno" ; then
AC_MSG_ERROR([NSS use must be confirmed using --with-nss-deprecated. NSS support will be dropped from curl in August 2022. See docs/DEPRECATE.md])
fi
[TLSCHOICE="${TLSCHOICE:+$TLSCHOICE, }NSS"]
fi
)
TEST_NGHTTPX=nghttpx
AC_ARG_WITH(test-nghttpx,dnl
AS_HELP_STRING([--with-test-nghttpx=PATH],[where to find nghttpx for testing]),
@ -427,7 +405,6 @@ Select from these:
--with-bearssl
--with-gnutls
--with-mbedtls
--with-nss
--with-openssl (also works for BoringSSL and libressl)
--with-rustls
--with-schannel
@ -2091,7 +2068,6 @@ CURL_WITH_MBEDTLS
CURL_WITH_WOLFSSL
CURL_WITH_BEARSSL
CURL_WITH_RUSTLS
CURL_WITH_NSS
dnl link required libraries for USE_WIN32_CRYPTO or USE_SCHANNEL
if test "x$USE_WIN32_CRYPTO" = "x1" -o "x$USE_SCHANNEL" = "x1"; then
@ -2104,11 +2080,11 @@ if test "x$curl_cv_native_windows" = "xyes" &&
LIBS="-lbcrypt $LIBS"
fi
case "x$SSL_DISABLED$OPENSSL_ENABLED$GNUTLS_ENABLED$NSS_ENABLED$MBEDTLS_ENABLED$WOLFSSL_ENABLED$SCHANNEL_ENABLED$SECURETRANSPORT_ENABLED$BEARSSL_ENABLED$RUSTLS_ENABLED"
case "x$SSL_DISABLED$OPENSSL_ENABLED$GNUTLS_ENABLED$MBEDTLS_ENABLED$WOLFSSL_ENABLED$SCHANNEL_ENABLED$SECURETRANSPORT_ENABLED$BEARSSL_ENABLED$RUSTLS_ENABLED"
in
x)
AC_MSG_ERROR([TLS not detected, you will not be able to use HTTPS, FTPS, NTLM and more.
Use --with-openssl, --with-gnutls, --with-wolfssl, --with-mbedtls, --with-nss, --with-schannel, --with-secure-transport, --with-amissl, --with-bearssl or --with-rustls to address this.])
Use --with-openssl, --with-gnutls, --with-wolfssl, --with-mbedtls, --with-schannel, --with-secure-transport, --with-amissl, --with-bearssl or --with-rustls to address this.])
;;
x1)
# one SSL backend is enabled
@ -2121,7 +2097,7 @@ xD)
;;
xD*)
AC_MSG_ERROR([--without-ssl has been set together with an explicit option to use an ssl library
(e.g. --with-openssl, --with-gnutls, --with-wolfssl, --with-mbedtls, --with-nss, --with-schannel, --with-secure-transport, --with-amissl, --with-bearssl, --with-rustls).
(e.g. --with-openssl, --with-gnutls, --with-wolfssl, --with-mbedtls, --with-schannel, --with-secure-transport, --with-amissl, --with-bearssl, --with-rustls).
Since these are conflicting parameters, verify which is the desired one and drop the other.])
;;
*)
@ -2504,8 +2480,6 @@ AS_HELP_STRING([--disable-versioned-symbols], [Disable versioned symbols in shar
versioned_symbols_flavour="OPENSSL_"
elif test "x$GNUTLS_ENABLED" = "x1"; then
versioned_symbols_flavour="GNUTLS_"
elif test "x$NSS_ENABLED" = "x1"; then
versioned_symbols_flavour="NSS_"
elif test "x$WOLFSSL_ENABLED" = "x1"; then
versioned_symbols_flavour="WOLFSSL_"
elif test "x$SCHANNEL_ENABLED" = "x1"; then
@ -4490,7 +4464,7 @@ use_curl_ntlm_core=no
if test "x$CURL_DISABLE_CRYPTO_AUTH" != "x1" -a \
"x$CURL_DISABLE_NTLM" != "x1"; then
if test "x$OPENSSL_ENABLED" = "x1" -o "x$MBEDTLS_ENABLED" = "x1" \
-o "x$GNUTLS_ENABLED" = "x1" -o "x$NSS_ENABLED" = "x1" \
-o "x$GNUTLS_ENABLED" = "x1" \
-o "x$SECURETRANSPORT_ENABLED" = "x1" \
-o "x$USE_WIN32_CRYPTO" = "x1" \
-o "x$WOLFSSL_NTLM" = "x1"; then
@ -4529,7 +4503,6 @@ dnl if not explicitly turned off, HTTPS-proxy comes with some TLS backends
if test "x$https_proxy" != "xno"; then
if test "x$OPENSSL_ENABLED" = "x1" \
-o "x$GNUTLS_ENABLED" = "x1" \
-o "x$NSS_ENABLED" = "x1" \
-o "x$SECURETRANSPORT_ENABLED" = "x1" \
-o "x$RUSTLS_ENABLED" = "x1" \
-o "x$BEARSSL_ENABLED" = "x1" \
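Review bot: Removing the whole `AC_ARG_WITH(nss, ...)` block in the hunk at `@ -298,28 +298,6` means an existing build script that still passes `--with-nss` is no longer rejected; autoconf, as far as I recall, only prints a trailing "unrecognized options" warning for an unknown `--with-*` flag, so an invocation like `--with-openssl --with-nss` now configures successfully with one backend fewer and nothing in the output says why. The old code deliberately failed hard at this point (the `AC_MSG_ERROR` requiring `--with-nss-deprecated`), so a removal stub for one release cycle would preserve that fail-loud behaviour: `AC_ARG_WITH(nss,dnl` / `AS_HELP_STRING([--with-nss],[NSS support has been removed]),` / `AC_MSG_ERROR([NSS support has been removed from curl, select another TLS backend]))`. The `--with-nss` mentions in the two error texts further down are already cleaned up, so only the option itself is unguarded.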


@ -6,19 +6,6 @@ email the
as soon as possible and explain to us why this is a problem for you and
how your use case cannot be satisfied properly using a workaround.
## NSS
We remove support for building curl with the NSS TLS library in August 2023.
- There are few users left who use curl+NSS
- NSS has few users outside of curl as well (primarily Firefox)
- NSS is harder than ever to find documentation for
- NSS was always "best" used with Red Hat Linux when they provided additional
features on top of the regular NSS that is not shipped by the vanilla library
Starting in 7.82.0, building curl to use NSS configure requires the additional
flag `--with-nss-deprecated` in an attempt to highlight these plans.
## gskit
We remove support for building curl with the gskit TLS library in August 2023.
@ -69,3 +56,4 @@ curl will remove the support for space-separated names in July 2024.
- PolarSSL
- NPN
- Support for systems without 64 bit data types
- NSS


@ -422,10 +422,10 @@ FAQ
backends.
curl can be built to use one of the following SSL alternatives: OpenSSL,
libressl, BoringSSL, AWS-LC, GnuTLS, wolfSSL, NSS, mbedTLS, Secure
Transport (native iOS/OS X), Schannel (native Windows), GSKit (native IBM
i), BearSSL, or Rustls. They all have their pros and cons, and we try to
maintain a comparison of them here: https://curl.se/docs/ssl-compared.html
libressl, BoringSSL, AWS-LC, GnuTLS, wolfSSL, mbedTLS, Secure Transport
(native iOS/OS X), Schannel (native Windows), GSKit (native IBM i), BearSSL,
or Rustls. They all have their pros and cons, and we try to maintain a
comparison of them here: https://curl.se/docs/ssl-compared.html
2.4 Does curl support SOCKS (RFC 1928) ?
@ -902,7 +902,7 @@ FAQ
4.9 curl cannot authenticate to a server that requires NTLM?
NTLM support requires OpenSSL, GnuTLS, mbedTLS, NSS, Secure Transport, or
NTLM support requires OpenSSL, GnuTLS, mbedTLS, Secure Transport, or
Microsoft Windows libraries at build-time to provide this functionality.
4.10 My HTTP request using HEAD, PUT or DELETE does not work


@ -212,7 +212,7 @@
6. requires c-ares
7. requires libssh2, libssh or wolfSSH
8. requires libssh2 or libssh
9. requires OpenSSL, GnuTLS, mbedTLS, NSS, Secure Transport or SSPI
9. requires OpenSSL, GnuTLS, mbedTLS, Secure Transport or SSPI
(native Windows)
10. requires libidn2 or Windows
11. requires libz, brotli and/or zstd


@ -430,3 +430,8 @@ April: added the cyassl backend (later renamed to WolfSSL)
The curl.se website serves 16,500 GB/month over 462M requests, the
official docker image has been pulled 4,098,015,431 times.
2023
----
August: Dropped support for the NSS library


@ -7,7 +7,7 @@ HTTP/2 with curl
Build prerequisites
-------------------
- nghttp2
- OpenSSL, libressl, BoringSSL, NSS, GnuTLS, mbedTLS, wolfSSL or Schannel
- OpenSSL, libressl, BoringSSL, GnuTLS, mbedTLS, wolfSSL or Schannel
with a new enough version.
[nghttp2](https://nghttp2.org/)


@ -25,7 +25,7 @@ Current flaws in the curl CMake build
- Builds libcurl without large file support
- Does not support all SSL libraries (only OpenSSL, Schannel,
Secure Transport, and mbed TLS, NSS, WolfSSL)
Secure Transport, and mbedTLS, WolfSSL)
- Does not allow different resolver backends (no c-ares build support)
- No RTMP support built
- Does not allow build curl and libcurl debug enabled


@ -134,7 +134,6 @@ These options are provided to select the TLS backend to use.
- BearSSL: `--with-bearssl`
- GnuTLS: `--with-gnutls`.
- mbedTLS: `--with-mbedtls`
- NSS: `--with-nss`
- OpenSSL: `--with-openssl` (also for BoringSSL, AWS-LC, libressl, and quictls)
- rustls: `--with-rustls`
- Schannel: `--with-schannel`


@ -28,7 +28,6 @@ versions of libs and build tools.
- OpenLDAP 2.0
- MIT Kerberos 1.2.4
- GSKit V5R3M0
- NSS 3.14.x
- Heimdal ?
- nghttp2 1.15.0
- WinSock 2.2 (on Windows 95+ and Windows CE .NET 4.1+)


@ -83,7 +83,6 @@ problems may have been fixed or changed somewhat since this was written.
12.1 OpenLDAP hangs after returning results
12.2 LDAP on Windows does authentication wrong?
12.3 LDAP on Windows does not work
12.4 LDAPS with NSS is slow
13. TCP/IP
13.2 Trying local ports fails on Windows
@ -504,10 +503,6 @@ problems may have been fixed or changed somewhat since this was written.
https://github.com/curl/curl/issues/4261
12.4 LDAPS with NSS is slow
See https://github.com/curl/curl/issues/5874
13. TCP/IP
13.2 Trying local ports fails on Windows


@ -127,26 +127,6 @@ certificate store, will cause SSL to report an error ("certificate verify
failed") during the handshake and SSL will then refuse further communication
with that server.
Certificate Verification with NSS
---------------------------------
If libcurl was built with NSS support, then depending on the OS distribution,
it is probably required to take some additional steps to use the system-wide
CA cert db. Red Hat ships with an additional module, libnsspem.so, which
enables NSS to read the OpenSSL PEM CA bundle. On openSUSE you can install
p11-kit-nss-trust which makes NSS use the system wide CA certificate
store. NSS also has a new [database
format](https://wiki.mozilla.org/NSS_Shared_DB).
Starting with version 7.19.7, libcurl automatically adds the `sql:` prefix to
the certificate database directory (either the set default `/etc/pki/nssdb` or
the directory configured with the `SSL_DIR` environment variable). To check
which certificate database format your distribution provides, examine the
default certificate database location: `/etc/pki/nssdb`; the new certificate
database format can be identified by the filenames `cert9.db`, `key4.db`,
`pkcs11.txt`; filenames of older versions are `cert8.db`, `key3.db`,
`secmod.db`.
Certificate Verification with Schannel and Secure Transport
-----------------------------------------------------------


@ -23,9 +23,6 @@ The windows version of curl will automatically look for a CA certs file named
'curl-ca-bundle.crt', either in the same directory as curl.exe, or in the
Current Working Directory, or in any folder along your PATH.
If curl is built against the NSS SSL library, the NSS PEM PKCS#11 module
(libnsspem.so) needs to be available for this option to work properly.
(iOS and macOS only) If curl is built against Secure Transport, then this
option is supported for backward compatibility with other SSL engines, but it
should not be set. If the option is not set, then curl will use the


@ -16,4 +16,4 @@ If this option is enabled and the server sends an invalid (e.g. expired)
response, if the response suggests that the server certificate has been
revoked, or no response at all is received, the verification fails.
This is currently only implemented in the OpenSSL, GnuTLS and NSS backends.
This is currently only implemented in the OpenSSL and GnuTLS backends.


@ -24,15 +24,6 @@ as "\\:" so that it is not recognized as the password delimiter. Similarly, you
must escape the character "\\" as "\\\\" so that it is not recognized as an
escape character.
If curl is built against the NSS SSL library then this option can tell
curl the nickname of the certificate to use within the NSS database defined
by the environment variable SSL_DIR (or by default /etc/pki/nssdb). If the
NSS PEM PKCS#11 module (libnsspem.so) is available then PEM files may be
loaded.
If you provide a path relative to the current directory, you must prefix the
path with "./" in order to avoid confusion with an NSS database nickname.
If curl is built against OpenSSL library, and the engine pkcs11 is available,
then a PKCS#11 URI (RFC 7512) can be used to specify a certificate located in
a PKCS#11 device. A string beginning with "pkcs11:" will be interpreted as a


@ -14,5 +14,5 @@ where a TLS client will start sending application data before verifying the
server's Finished message, thus saving a round trip when performing a full
handshake.
This is currently only implemented in the NSS and Secure Transport (on iOS 7.0
or later, or OS X 10.9 or later) backends.
This is currently only implemented in the Secure Transport (on iOS 7.0 or
later, or OS X 10.9 or later) backend.


@ -82,7 +82,7 @@ If you set this environment variable to a file name, curl will store TLS
secrets from its connections in that file when invoked to enable you to
analyze the TLS traffic in real time using network analyzing tools such as
Wireshark. This works with the following TLS backends: OpenSSL, libressl,
BoringSSL, GnuTLS, NSS and wolfSSL.
BoringSSL, GnuTLS and wolfSSL.
.IP "USERPROFILE <dir>"
On Windows, this variable is used when trying to find the home directory. If
the other, primary, variable are all unset. If set, curl will use the path


@ -25,13 +25,13 @@ PEM/DER support:
7.39.0: OpenSSL, GnuTLS and GSKit
7.43.0: NSS and wolfSSL
7.43.0: wolfSSL
7.47.0: mbedtls
sha256 support:
7.44.0: OpenSSL, GnuTLS, NSS and wolfSSL
7.44.0: OpenSSL, GnuTLS and wolfSSL
7.47.0: mbedtls


@ -21,7 +21,7 @@ Unix domain sockets are supported for socks proxy. Set localhost for the host
part. e.g. socks5h://localhost/path/to/socket.sock
HTTPS proxy support via https:// protocol prefix was added in 7.52.0 for
OpenSSL, GnuTLS and NSS. Since 7.87.0, it also works for BearSSL, mbedTLS,
OpenSSL and GnuTLS. Since 7.87.0, it also works for BearSSL, mbedTLS,
rustls, Schannel, Secure Transport and wolfSSL.
Unrecognized and unsupported proxy protocols cause an error since 7.52.0.


@ -41,7 +41,7 @@ The variables available are:
.TP 15
.B certs
Output the certificate chain with details. Supported only by the OpenSSL,
GnuTLS, Schannel, NSS, GSKit and Secure Transport backends. (Added in 7.88.0)
GnuTLS, Schannel, GSKit and Secure Transport backends. (Added in 7.88.0)
.TP
.B content_type
The Content-Type of the requested document, if there was any.
@ -97,7 +97,7 @@ The http method used in the most recent HTTP request. (Added in 7.72.0)
.TP
.B num_certs
Number of server certificates received in the TLS handshake. Supported only by
the OpenSSL, GnuTLS, Schannel, NSS, GSKit and Secure Transport backends. (Added
the OpenSSL, GnuTLS, Schannel, GSKit and Secure Transport backends. (Added
in 7.88.0)
.TP
.B num_connects


@ -74,9 +74,6 @@ When set and libcurl runs with a SSL backend that supports this feature,
libcurl will save SSL secrets into the given file name. Using those SSL
secrets, other tools (such as Wireshark) can decrypt the SSL communication and
analyze/view the traffic.
.IP SSL_DIR
When libcurl runs with the NSS backends for TLS features, this variable is
used to find the directory for NSS PKI database instead of the built-in.
.IP USER
User name to use when invoking the \fIntlm-wb\fP tool, if \fINTLMUSER\fP and
\fILOGNAME\fP were not set.


@ -75,8 +75,8 @@ if(curl) {
}
.fi
.SH AVAILABILITY
This option is only working in libcurl built with OpenSSL, NSS, Schannel, GSKit
or Secure Transport support. Schannel support added in 7.50.0. Secure Transport
This option is only working in libcurl built with OpenSSL, Schannel, GSKit or
Secure Transport support. Schannel support added in 7.50.0. Secure Transport
support added in 7.79.0.
Added in 7.19.1


@ -55,7 +55,7 @@ if(curl) {
}
.fi
.SH AVAILABILITY
Added in 7.5. Only set by the OpenSSL/libressl/boringssl, NSS and GnuTLS backends.
Added in 7.5. Only set by the OpenSSL/libressl/boringssl and GnuTLS backends.
.SH RETURN VALUE
Returns CURLE_OK if the option is supported, and CURLE_UNKNOWN_OPTION if not.
.SH "SEE ALSO"


@ -42,14 +42,6 @@ accessible file.
This option is by default set to the system path where libcurl's CA
certificate bundle is assumed to be stored, as established at build time.
If curl is built against the NSS SSL library, the NSS PEM PKCS#11 module
(libnsspem.so) needs to be available for this option to work properly.
Starting with curl 7.55.0, if both \fICURLOPT_CAINFO(3)\fP and
\fICURLOPT_CAPATH(3)\fP are unset, NSS-linked libcurl tries to load
libnssckbi.so, which contains a more comprehensive set of trust information
than supported by nss-pem, because libnssckbi.so also includes information
about distrusted certificates.
(iOS and macOS) When curl uses Secure Transport this option is supported. If
the option is not set, then curl will use the certificates in the system and
user Keychain to verify the peer.


@ -61,7 +61,7 @@ if(curl) {
.fi
.SH AVAILABILITY
This option is supported by the OpenSSL, GnuTLS and mbedTLS (since 7.56.0)
backends. The NSS backend provides the option only for backward compatibility.
backends.
.SH RETURN VALUE
CURLE_OK if supported; or an error such as:


@ -74,9 +74,9 @@ if(curl) {
}
.fi
.SH AVAILABILITY
This option is supported by the OpenSSL, GnuTLS, Schannel, NSS, GSKit and
Secure Transport backends. Schannel support added in 7.50.0. Secure Transport
support added in 7.79.0.
This option is supported by the OpenSSL, GnuTLS, Schannel, GSKit and Secure
Transport backends. Schannel support added in 7.50.0. Secure Transport support
added in 7.79.0.
.SH RETURN VALUE
Returns CURLE_OK if the option is supported, and CURLE_UNKNOWN_OPTION if not.
.SH "SEE ALSO"


@ -36,8 +36,8 @@ Pass a char * to a null-terminated string naming a \fIfile\fP with the
concatenation of CRL (in PEM format) to use in the certificate validation that
occurs during the SSL exchange.
When curl is built to use NSS or GnuTLS, there is no way to influence the use
of CRL passed to help in the verification process.
When curl is built to use GnuTLS, there is no way to influence the use of CRL
passed to help in the verification process.
When libcurl is built with OpenSSL support, X509_V_FLAG_CRL_CHECK and
X509_V_FLAG_CRL_CHECK_ALL are both set, requiring CRL check against all the


@ -55,10 +55,7 @@ When the \fIverify\fP value is set to 0L, the connection succeeds regardless of
the names used in the certificate. Use that ability with caution!
See also \fICURLOPT_DOH_SSL_VERIFYPEER(3)\fP to verify the digital signature
of the DoH server certificate. If libcurl is built against NSS and
\fICURLOPT_DOH_SSL_VERIFYPEER(3)\fP is zero,
\fICURLOPT_DOH_SSL_VERIFYHOST(3)\fP is also set to zero and cannot be
overridden.
of the DoH server certificate.
.SH DEFAULT
2
.SH PROTOCOLS


@ -63,8 +63,8 @@ if(curl) {
}
.fi
.SH AVAILABILITY
Added in 7.76.0. This option is currently only supported by the OpenSSL, GnuTLS
and NSS TLS backends.
Added in 7.76.0. This option is currently only supported by the OpenSSL, and
GnuTLS TLS backends.
.SH RETURN VALUE
Returns CURLE_OK if OCSP stapling is supported by the SSL backend, otherwise
returns CURLE_NOT_BUILT_IN.


@ -73,7 +73,7 @@ HTTP NTLM authentication. A proprietary protocol invented and used by
Microsoft. It uses a challenge-response and hash concept similar to Digest, to
prevent the password from being eavesdropped.
You need to build libcurl with either OpenSSL, GnuTLS or NSS support for this
You need to build libcurl with either OpenSSL or GnuTLS support for this
option to work, or build libcurl on Windows with SSPI support.
.IP CURLAUTH_NTLM_WB
NTLM delegating to winbind helper. Authentication is performed by a separate


@ -104,7 +104,7 @@ PEM/DER support:
7.39.0-7.48.0,7.58.1+: GSKit
7.43.0: NSS and wolfSSL
7.43.0: wolfSSL
7.47.0: mbedTLS
@ -114,7 +114,7 @@ PEM/DER support:
sha256 support:
7.44.0: OpenSSL, GnuTLS, NSS and wolfSSL
7.44.0: OpenSSL, GnuTLS and wolfSSL
7.47.0: mbedTLS


@ -48,7 +48,7 @@ proxy is used.
.IP http://
HTTP Proxy. Default when no scheme or proxy type is specified.
.IP https://
HTTPS Proxy. (Added in 7.52.0 for OpenSSL, GnuTLS and NSS. Since 7.87.0, it
HTTPS Proxy. (Added in 7.52.0 for OpenSSL and GnuTLS Since 7.87.0, it
also works for BearSSL, mbedTLS, rustls, Schannel, Secure Transport and
wolfSSL.)
@ -123,9 +123,6 @@ Since 7.21.7 the proxy string supports the socks protocols as "schemes".
Since 7.50.2, unsupported schemes in proxy strings cause libcurl to return
error.
curl built to use NSS cannot connect to an HTTPS server over a unix domain
socket.
.SH RETURN VALUE
Returns CURLE_OK if proxies are supported, CURLE_UNKNOWN_OPTION if not, or
CURLE_OUT_OF_MEMORY if there was insufficient heap space.


@ -38,7 +38,7 @@ Pass one of the values below to set the type of the proxy.
.IP CURLPROXY_HTTP
HTTP Proxy. Default.
.IP CURLPROXY_HTTPS
HTTPS Proxy using HTTP/1. (Added in 7.52.0 for OpenSSL, GnuTLS and NSS. Since
HTTPS Proxy using HTTP/1. (Added in 7.52.0 for OpenSSL and GnuTLS. Since
7.87.0, it also works for BearSSL, mbedTLS, rustls, Schannel, Secure Transport
and wolfSSL.)
.IP CURLPROXY_HTTPS2


@ -44,9 +44,6 @@ accessible file.
This option is by default set to the system path where libcurl's CA
certificate bundle is assumed to be stored, as established at build time.
If curl is built against the NSS SSL library, the NSS PEM PKCS#11 module
(libnsspem.so) needs to be available for this option to work properly.
(iOS and macOS only) If curl is built against Secure Transport, then this
option is supported for backward compatibility with other SSL engines, but it
should not be set. If the option is not set, then curl will use the


@ -62,7 +62,7 @@ if(curl) {
Added in 7.52.0
This option is supported by the OpenSSL, GnuTLS, and mbedTLS (since 7.56.0)
backends. The NSS backend provides the option only for backward compatibility.
backends.
.SH RETURN VALUE
CURLE_OK if supported; or an error such as:


@ -38,11 +38,11 @@ Pass a char * to a null-terminated string naming a \fIfile\fP with the
concatenation of CRL (in PEM format) to use in the certificate validation that
occurs during the SSL exchange.
When curl is built to use NSS or GnuTLS, there is no way to influence the use
of CRL passed to help in the verification process. When libcurl is built with
OpenSSL support, X509_V_FLAG_CRL_CHECK and X509_V_FLAG_CRL_CHECK_ALL are both
set, requiring CRL check against all the elements of the certificate chain if
a CRL file is passed.
When curl is built to use GnuTLS, there is no way to influence the use of CRL
passed to help in the verification process. When libcurl is built with OpenSSL
support, X509_V_FLAG_CRL_CHECK and X509_V_FLAG_CRL_CHECK_ALL are both set,
requiring CRL check against all the elements of the certificate chain if a CRL
file is passed.
This option makes sense only when used in combination with the
\fICURLOPT_PROXY_SSL_VERIFYPEER(3)\fP option.


@ -98,11 +98,11 @@ footer:
.SH AVAILABILITY
PEM/DER support:
7.52.0: GSKit, GnuTLS, NSS, OpenSSL, mbedTLS, wolfSSL
7.52.0: GSKit, GnuTLS, OpenSSL, mbedTLS, wolfSSL
sha256 support:
7.52.0: GnuTLS, NSS, OpenSSL, mbedTLS, wolfSSL
7.52.0: GnuTLS, OpenSSL, mbedTLS, wolfSSL
Other SSL backends not supported.
.SH RETURN VALUE


@ -39,10 +39,10 @@ the file name of your client certificate used to connect to the HTTPS proxy.
The default format is "P12" on Secure Transport and "PEM" on other engines,
and can be changed with \fICURLOPT_PROXY_SSLCERTTYPE(3)\fP.
With NSS or Secure Transport, this can also be the nickname of the certificate
you wish to authenticate with as it is named in the security database. If you
want to use a file from the current directory, please precede it with "./"
prefix, in order to avoid confusion with a nickname.
With Secure Transport, this can also be the nickname of the certificate you
wish to authenticate with as it is named in the security database. If you want
to use a file from the current directory, please precede it with "./" prefix,
in order to avoid confusion with a nickname.
When using a client certificate, you most likely also need to provide a
private key with \fICURLOPT_PROXY_SSLKEY(3)\fP.


@ -43,11 +43,6 @@ For OpenSSL and GnuTLS valid examples of cipher lists include \fBRC4-SHA\fP,
\fBSHA1+DES\fP, \fBTLSv1\fP and \fBDEFAULT\fP. The default list is normally
set when you compile OpenSSL.
For NSS, valid examples of cipher lists include \fBrsa_rc4_128_md5\fP,
\fBrsa_aes_128_sha\fP, etc. With NSS you do not add/remove ciphers. If one uses
this option then all known ciphers are disabled and only those passed in are
enabled.
For WolfSSL, valid examples of cipher lists include \fBECDHE-RSA-RC4-SHA\fP,
\fBAES256-SHA:AES256-SHA256\fP, etc.


@ -37,12 +37,12 @@ Pass a long with a bitmask to tell libcurl about specific SSL
behaviors. Available bits:
.IP CURLSSLOPT_ALLOW_BEAST
Tells libcurl to not attempt to use any workarounds for a security flaw in the
SSL3 and TLS1.0 protocols. If this option is not used or this bit is set to 0,
the SSL layer libcurl uses may use a work-around for this flaw although it
might cause interoperability problems with some (older) SSL
implementations. WARNING: avoiding this work-around lessens the security, and
by setting this option to 1 you ask for exactly that. This option is only
supported for Secure Transport, NSS and OpenSSL.
SSL3 and TLS1.0 protocols. If this option is not used or this bit is set to
0, the SSL layer libcurl uses may use a work-around for this flaw although it
might cause interoperability problems with some (older) SSL implementations.
WARNING: avoiding this work-around lessens the security, and by setting this
option to 1 you ask for exactly that. This option is only supported for
Secure Transport and OpenSSL.
.IP CURLSSLOPT_NO_REVOKE
Tells libcurl to disable certificate revocation checks for those SSL backends
where such behavior is present. This option is only supported for Schannel


@ -61,10 +61,7 @@ When the \fIverify\fP value is 0L, the connection succeeds regardless of the
names used in the certificate. Use that ability with caution!
See also \fICURLOPT_PROXY_SSL_VERIFYPEER(3)\fP to verify the digital signature
of the proxy certificate. If libcurl is built against NSS and
\fICURLOPT_PROXY_SSL_VERIFYPEER(3)\fP is zero,
\fICURLOPT_PROXY_SSL_VERIFYHOST(3)\fP is also set to zero and cannot be
overridden.
of the proxy certificate.
.SH DEFAULT
2
.SH PROTOCOLS


@ -37,10 +37,10 @@ the file name of your client certificate. The default format is "P12" on
Secure Transport and "PEM" on other engines, and can be changed with
\fICURLOPT_SSLCERTTYPE(3)\fP.
With NSS or Secure Transport, this can also be the nickname of the certificate
you wish to authenticate with as it is named in the security database. If you
want to use a file from the current directory, please precede it with "./"
prefix, in order to avoid confusion with a nickname.
With Secure Transport, this can also be the nickname of the certificate you
wish to authenticate with as it is named in the security database. If you want
to use a file from the current directory, please precede it with "./" prefix,
in order to avoid confusion with a nickname.
(Schannel only) Client certificates can be specified by a path expression to a
certificate store. (You can import \fIPFX\fP to a store first). You can use


@ -42,11 +42,6 @@ For OpenSSL and GnuTLS valid examples of cipher lists include \fBRC4-SHA\fP,
\fBSHA1+DES\fP, \fBTLSv1\fP and \fBDEFAULT\fP. The default list is normally
set when you compile OpenSSL.
For NSS, valid examples of cipher lists include \fBrsa_rc4_128_md5\fP,
\fBrsa_aes_128_sha\fP, etc. With NSS you do not add/remove ciphers. If one uses
this option then all known ciphers are disabled and only those passed in are
enabled.
For WolfSSL, valid examples of cipher lists include \fBECDHE-RSA-RC4-SHA\fP,
\fBAES256-SHA:AES256-SHA256\fP, etc.


@ -52,8 +52,8 @@ if(curl) {
}
.fi
.SH AVAILABILITY
Added in 7.42.0. This option is currently only supported by the NSS and
Secure Transport (on iOS 7.0 or later, or OS X 10.9 or later) TLS backends.
Added in 7.42.0. This option is currently only supported by the Secure
Transport (on iOS 7.0 or later, or OS X 10.9 or later) TLS backend.
.SH RETURN VALUE
Returns CURLE_OK if false start is supported by the SSL backend, otherwise
returns CURLE_NOT_BUILT_IN.


@ -40,8 +40,8 @@ SSL3 and TLS1.0 protocols. If this option is not used or this bit is set to 0,
the SSL layer libcurl uses may use a work-around for this flaw although it
might cause interoperability problems with some (older) SSL
implementations. WARNING: avoiding this work-around lessens the security, and
by setting this option to 1 you ask for exactly that. This option is only
supported for Secure Transport, NSS and OpenSSL.
by setting this option to 1 you ask for exactly that. This option is only
supported for Secure Transport and OpenSSL.
.IP CURLSSLOPT_NO_REVOKE
Tells libcurl to disable certificate revocation checks for those SSL backends
where such behavior is present. This option is only supported for Schannel


@ -55,8 +55,8 @@ if(curl) {
}
.fi
.SH AVAILABILITY
Added in 7.41.0. This option is currently only supported by the OpenSSL, GnuTLS
and NSS TLS backends.
Added in 7.41.0. This option is currently only supported by the OpenSSL and
GnuTLS TLS backends.
.SH RETURN VALUE
Returns CURLE_OK if OCSP stapling is supported by the SSL backend, otherwise
returns CURLE_NOT_BUILT_IN.


@ -50,7 +50,6 @@ LIB_VTLS_CFILES = \
vtls/keylog.c \
vtls/mbedtls.c \
vtls/mbedtls_threadlock.c \
vtls/nss.c \
vtls/openssl.c \
vtls/rustls.c \
vtls/schannel.c \
@ -68,7 +67,6 @@ LIB_VTLS_HFILES = \
vtls/keylog.h \
vtls/mbedtls.h \
vtls/mbedtls_threadlock.h \
vtls/nssg.h \
vtls/openssl.h \
vtls/rustls.h \
vtls/schannel.h \


@ -688,9 +688,6 @@ ${SIZEOF_TIME_T_CODE}
/* If you want to build curl with the built-in manual */
#cmakedefine USE_MANUAL 1
/* if NSS is enabled */
#cmakedefine USE_NSS 1
/* if you have the PK11_CreateManagedGenericObject function */
#cmakedefine HAVE_PK11_CREATEMANAGEDGENERICOBJECT 1


@ -24,12 +24,11 @@
#include "curl_setup.h"
#if defined(USE_CURL_NTLM_CORE) && !defined(USE_WOLFSSL) && \
(defined(USE_GNUTLS) || \
defined(USE_NSS) || \
defined(USE_SECTRANSP) || \
defined(USE_OS400CRYPTO) || \
defined(USE_WIN32_CRYPTO))
#if defined(USE_CURL_NTLM_CORE) && !defined(USE_WOLFSSL) && \
(defined(USE_GNUTLS) || \
defined(USE_SECTRANSP) || \
defined(USE_OS400CRYPTO) || \
defined(USE_WIN32_CRYPTO))
#include "curl_des.h"


@ -26,12 +26,11 @@
#include "curl_setup.h"
#if defined(USE_CURL_NTLM_CORE) && !defined(USE_WOLFSSL) && \
(defined(USE_GNUTLS) || \
defined(USE_NSS) || \
defined(USE_SECTRANSP) || \
defined(USE_OS400CRYPTO) || \
defined(USE_WIN32_CRYPTO))
#if defined(USE_CURL_NTLM_CORE) && !defined(USE_WOLFSSL) && \
(defined(USE_GNUTLS) || \
defined(USE_SECTRANSP) || \
defined(USE_OS400CRYPTO) || \
defined(USE_WIN32_CRYPTO))
/* Applies odd parity to the given byte array */
void Curl_des_set_odd_parity(unsigned char *bytes, size_t length);


@ -38,7 +38,7 @@
1. USE_OPENSSL
2. USE_WOLFSSL
3. USE_GNUTLS
4. USE_NSS
4. -
5. USE_MBEDTLS
6. USE_SECTRANSP
7. USE_OS400CRYPTO
@ -47,7 +47,7 @@
This ensures that:
- the same SSL branch gets activated throughout this source
file even if multiple backends are enabled at the same time.
- OpenSSL and NSS have higher priority than Windows Crypt, due
- OpenSSL has higher priority than Windows Crypt, due
to issues with the latter supporting NTLM2Session responses
in NTLM type-3 messages.
*/
@ -96,12 +96,6 @@
# include <nettle/des.h>
#elif defined(USE_NSS)
# include <nss.h>
# include <pk11pub.h>
# include <hasht.h>
#elif defined(USE_MBEDTLS)
# include <mbedtls/des.h>
@ -188,70 +182,6 @@ static void setup_des_key(const unsigned char *key_56,
des_set_key(des, (const uint8_t *) key);
}
#elif defined(USE_NSS)
/*
* encrypt_des() expands a 56 bit key KEY_56 to 64 bit and encrypts 64 bit of
* data, using the expanded key. IN should point to 64 bits of source data,
* OUT to a 64 bit output buffer.
*/
static bool encrypt_des(const unsigned char *in, unsigned char *out,
const unsigned char *key_56)
{
const CK_MECHANISM_TYPE mech = CKM_DES_ECB; /* DES cipher in ECB mode */
char key[8]; /* expanded 64 bit key */
SECItem key_item;
PK11SymKey *symkey = NULL;
SECItem *param = NULL;
PK11Context *ctx = NULL;
int out_len; /* not used, required by NSS */
bool rv = FALSE;
/* use internal slot for DES encryption (requires NSS to be initialized) */
PK11SlotInfo *slot = PK11_GetInternalKeySlot();
if(!slot)
return FALSE;
/* Expand the 56-bit key to 64-bits */
extend_key_56_to_64(key_56, key);
/* Set the key parity to odd */
Curl_des_set_odd_parity((unsigned char *) key, sizeof(key));
/* Import the key */
key_item.data = (unsigned char *)key;
key_item.len = sizeof(key);
symkey = PK11_ImportSymKey(slot, mech, PK11_OriginUnwrap, CKA_ENCRYPT,
&key_item, NULL);
if(!symkey)
goto fail;
/* Create the DES encryption context */
param = PK11_ParamFromIV(mech, /* no IV in ECB mode */ NULL);
if(!param)
goto fail;
ctx = PK11_CreateContextBySymKey(mech, CKA_ENCRYPT, symkey, param);
if(!ctx)
goto fail;
/* Perform the encryption */
if(SECSuccess == PK11_CipherOp(ctx, out, &out_len, /* outbuflen */ 8,
(unsigned char *)in, /* inbuflen */ 8)
&& SECSuccess == PK11_Finalize(ctx))
rv = /* all OK */ TRUE;
fail:
/* cleanup */
if(ctx)
PK11_DestroyContext(ctx, PR_TRUE);
if(symkey)
PK11_FreeSymKey(symkey);
if(param)
SECITEM_FreeItem(param, PR_TRUE);
PK11_FreeSlot(slot);
return rv;
}
#elif defined(USE_MBEDTLS)
static bool encrypt_des(const unsigned char *in, unsigned char *out,
@ -402,7 +332,7 @@ void Curl_ntlm_core_lm_resp(const unsigned char *keys,
des_encrypt(&des, 8, results + 8, plaintext);
setup_des_key(keys + 14, &des);
des_encrypt(&des, 8, results + 16, plaintext);
#elif defined(USE_NSS) || defined(USE_MBEDTLS) || defined(USE_SECTRANSP) \
#elif defined(USE_MBEDTLS) || defined(USE_SECTRANSP) \
|| defined(USE_OS400CRYPTO) || defined(USE_WIN32_CRYPTO)
encrypt_des(plaintext, results, keys);
encrypt_des(plaintext, results + 8, keys + 7);
@ -444,7 +374,7 @@ CURLcode Curl_ntlm_core_mk_lm_hash(const char *password,
des_encrypt(&des, 8, lmbuffer, magic);
setup_des_key(pw + 7, &des);
des_encrypt(&des, 8, lmbuffer + 8, magic);
#elif defined(USE_NSS) || defined(USE_MBEDTLS) || defined(USE_SECTRANSP) \
#elif defined(USE_MBEDTLS) || defined(USE_SECTRANSP) \
|| defined(USE_OS400CRYPTO) || defined(USE_WIN32_CRYPTO)
encrypt_des(magic, lmbuffer, pw);
encrypt_des(magic, lmbuffer + 8, pw + 7);
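Review bot: The backend priority list in the header comment now reads `4. -`, which looks like an accidental edit rather than a deliberately retired slot; the numbering is referenced from other files ("see order in curl_ntlm_core.c"), so keeping the slot is reasonable, but it should say why it is empty, e.g. `4. (unused, NSS backend removed)`. The same list is the only place that documents which `#if`/`#elif` branch wins when several backends are enabled, so a reader hitting the empty slot cannot tell whether a branch was dropped or the list was mis-edited. The surrounding comment at "OpenSSL has higher priority than Windows Crypt" reads fine after the removal.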


@ -28,15 +28,6 @@
#if defined(USE_CURL_NTLM_CORE)
/* If NSS is the first available SSL backend (see order in curl_ntlm_core.c)
then it must be initialized to be used by NTLM. */
#if !defined(USE_OPENSSL) && \
!defined(USE_WOLFSSL) && \
!defined(USE_GNUTLS) && \
defined(USE_NSS)
#define NTLM_NEEDS_NSS_INIT
#endif
#if defined(USE_OPENSSL)
# include <openssl/ssl.h>
#elif defined(USE_WOLFSSL)


@ -645,11 +645,9 @@
#define LIBIDN_REQUIRED_VERSION "0.4.1"
#if defined(USE_GNUTLS) || defined(USE_OPENSSL) || defined(USE_NSS) || \
defined(USE_MBEDTLS) || \
defined(USE_WOLFSSL) || defined(USE_SCHANNEL) || \
defined(USE_SECTRANSP) || defined(USE_GSKIT) || \
defined(USE_BEARSSL) || defined(USE_RUSTLS)
#if defined(USE_GNUTLS) || defined(USE_OPENSSL) || defined(USE_MBEDTLS) || \
defined(USE_WOLFSSL) || defined(USE_SCHANNEL) || defined(USE_SECTRANSP) || \
defined(USE_GSKIT) || defined(USE_BEARSSL) || defined(USE_RUSTLS)
#define USE_SSL /* SSL support has been enabled */
#endif
@ -667,10 +665,10 @@
/* Single point where USE_NTLM definition might be defined */
#if !defined(CURL_DISABLE_CRYPTO_AUTH) && !defined(CURL_DISABLE_NTLM)
# if defined(USE_OPENSSL) || defined(USE_MBEDTLS) || \
defined(USE_GNUTLS) || defined(USE_NSS) || defined(USE_SECTRANSP) || \
defined(USE_OS400CRYPTO) || defined(USE_WIN32_CRYPTO) || \
(defined(USE_WOLFSSL) && defined(HAVE_WOLFSSL_DES_ECB_ENCRYPT))
# if defined(USE_OPENSSL) || defined(USE_MBEDTLS) || \
defined(USE_GNUTLS) || defined(USE_SECTRANSP) || \
defined(USE_OS400CRYPTO) || defined(USE_WIN32_CRYPTO) || \
(defined(USE_WOLFSSL) && defined(HAVE_WOLFSSL_DES_ECB_ENCRYPT))
# define USE_CURL_NTLM_CORE
# endif
# if defined(USE_CURL_NTLM_CORE) || defined(USE_WINDOWS_SSPI)


@ -1116,10 +1116,8 @@ struct PureInfo {
int conn_local_port;
const char *conn_scheme;
unsigned int conn_protocol;
struct curl_certinfo certs; /* info about the certs, only populated in
OpenSSL, GnuTLS, Schannel, NSS and GSKit
builds. Asked for with CURLOPT_CERTINFO
/ CURLINFO_CERTINFO */
struct curl_certinfo certs; /* info about the certs. Asked for with
CURLOPT_CERTINFO / CURLINFO_CERTINFO */
CURLproxycode pxcode;
BIT(timecond); /* set to TRUE if the time condition didn't match, which
thus made the document NOT get fetched */
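Review bot: The rewritten comment on `struct curl_certinfo certs` drops the statement that only some TLS backends populate it, so it now reads as if every build fills the structure on CURLOPT_CERTINFO. The x509asn1.c hunk in this same commit still defines WANT_EXTRACT_CERTINFO only for a subset of backends, so the restriction still exists even though the old backend list was stale. Suggest keeping the caveat without naming backends: `/* info about the certs. Asked for with CURLOPT_CERTINFO / CURLINFO_CERTINFO; only populated by TLS backends that implement certinfo */`.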


@ -45,12 +45,6 @@
#include "rand.h"
#include "vtls/vtls.h"
/* SSL backend-specific #if branches in this file must be kept in the order
documented in curl_ntlm_core. */
#if defined(NTLM_NEEDS_NSS_INIT)
#include "vtls/nssg.h" /* for Curl_nss_force_init() */
#endif
#define BUILDING_CURL_NTLM_MSGS_C
#include "vauth/vauth.h"
#include "vauth/ntlm.h"
@ -274,12 +268,7 @@ CURLcode Curl_auth_decode_ntlm_type2_message(struct Curl_easy *data,
const unsigned char *type2 = Curl_bufref_ptr(type2ref);
size_t type2len = Curl_bufref_len(type2ref);
#if defined(NTLM_NEEDS_NSS_INIT)
/* Make sure the crypto backend is initialized */
result = Curl_nss_force_init(data);
if(result)
return result;
#elif defined(CURL_DISABLE_VERBOSE_STRINGS)
#if defined(CURL_DISABLE_VERBOSE_STRINGS)
(void)data;
#endif



@ -1,41 +0,0 @@
#ifndef HEADER_CURL_NSSG_H
#define HEADER_CURL_NSSG_H
/***************************************************************************
* _ _ ____ _
* Project ___| | | | _ \| |
* / __| | | | |_) | |
* | (__| |_| | _ <| |___
* \___|\___/|_| \_\_____|
*
* Copyright (C) Daniel Stenberg, <daniel@haxx.se>, et al.
*
* This software is licensed as described in the file COPYING, which
* you should have received as part of this distribution. The terms
* are also available at https://curl.se/docs/copyright.html.
*
* You may opt to use, copy, modify, merge, publish, distribute and/or sell
* copies of the Software, and permit persons to whom the Software is
* furnished to do so, under the terms of the COPYING file.
*
* This software is distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY
* KIND, either express or implied.
*
* SPDX-License-Identifier: curl
*
***************************************************************************/
#include "curl_setup.h"
#ifdef USE_NSS
/*
* This header should only be needed to get included by vtls.c and nss.c
*/
#include "urldata.h"
/* initialize NSS library if not already */
CURLcode Curl_nss_force_init(struct Curl_easy *data);
extern const struct Curl_ssl Curl_ssl_nss;
#endif /* USE_NSS */
#endif /* HEADER_CURL_NSSG_H */


@ -1293,7 +1293,7 @@ static OSStatus CopyIdentityFromPKCS12File(const char *cPath,
/* This code was borrowed from nss.c, with some modifications:
* Determine whether the nickname passed in is a filename that needs to
* be loaded as a PEM or a regular NSS nickname.
* be loaded as a PEM or a nickname.
*
* returns 1 for a file
* returns 0 for not a file
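Review bot: The comment still opens with "This code was borrowed from nss.c", but this commit deletes nss.c, so the reference now points at a file that no longer exists in the tree. Since the rest of the comment was updated to drop "NSS nickname", the attribution should be updated in the same spirit, e.g. `/* This code was originally borrowed from the (since removed) NSS backend, with some modifications:`. The function this comment documents begins after the end of the hunk.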


@ -1244,8 +1244,6 @@ const struct Curl_ssl *Curl_ssl =
&Curl_ssl_gskit;
#elif defined(USE_MBEDTLS)
&Curl_ssl_mbedtls;
#elif defined(USE_NSS)
&Curl_ssl_nss;
#elif defined(USE_RUSTLS)
&Curl_ssl_rustls;
#elif defined(USE_OPENSSL)
@ -1274,9 +1272,6 @@ static const struct Curl_ssl *available_backends[] = {
#if defined(USE_MBEDTLS)
&Curl_ssl_mbedtls,
#endif
#if defined(USE_NSS)
&Curl_ssl_nss,
#endif
#if defined(USE_OPENSSL)
&Curl_ssl_openssl,
#endif


@ -217,7 +217,6 @@ CURLcode Curl_ssl_addsessionid(struct Curl_cfilter *cf,
#include "openssl.h" /* OpenSSL versions */
#include "gtls.h" /* GnuTLS versions */
#include "nssg.h" /* NSS versions */
#include "gskit.h" /* Global Secure ToolKit versions */
#include "wolfssl.h" /* wolfSSL versions */
#include "schannel.h" /* Schannel SSPI version */


@ -24,15 +24,15 @@
#include "curl_setup.h"
#if defined(USE_GSKIT) || defined(USE_NSS) || defined(USE_GNUTLS) || \
defined(USE_WOLFSSL) || defined(USE_SCHANNEL) || defined(USE_SECTRANSP)
#if defined(USE_GSKIT) || defined(USE_GNUTLS) || defined(USE_WOLFSSL) || \
defined(USE_SCHANNEL) || defined(USE_SECTRANSP)
#if defined(USE_GSKIT) || defined(USE_WOLFSSL) || defined(USE_SCHANNEL)
#define WANT_PARSEX509 /* uses Curl_parseX509() */
#endif
#if defined(USE_GSKIT) || defined(USE_NSS) || defined(USE_GNUTLS) || \
defined(USE_SCHANNEL) || defined(USE_SECTRANSP)
#if defined(USE_GSKIT) || defined(USE_GNUTLS) || defined(USE_SCHANNEL) || \
defined(USE_SECTRANSP)
#define WANT_EXTRACT_CERTINFO /* uses Curl_extract_certinfo() */
#define WANT_PARSEX509 /* ... uses Curl_parseX509() */
#endif
@ -1261,8 +1261,8 @@ CURLcode Curl_extract_certinfo(struct Curl_easy *data,
#endif /* WANT_EXTRACT_CERTINFO */
#endif /* USE_GSKIT or USE_NSS or USE_GNUTLS or USE_WOLFSSL or USE_SCHANNEL
* or USE_SECTRANSP */
#endif /* USE_GSKIT or USE_GNUTLS or USE_WOLFSSL or USE_SCHANNEL * or
USE_SECTRANSP */
#ifdef WANT_VERIFYHOST
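Review bot: The rewritten closing comment `#endif /* USE_GSKIT or USE_GNUTLS or USE_WOLFSSL or USE_SCHANNEL * or USE_SECTRANSP */` carries a stray `*` in the middle, left over from the old two-line comment's continuation marker, so it now reads as "USE_SCHANNEL * or USE_SECTRANSP". The matching `#endif` in x509asn1.h in this commit keeps the two-line form correctly; this one should do the same: `#endif /* USE_GSKIT or USE_GNUTLS or USE_WOLFSSL or USE_SCHANNEL` followed by ` * or USE_SECTRANSP */`. Purely cosmetic, but the block is long enough that the trailing comment is what readers use to match the guard.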


@ -27,8 +27,8 @@
#include "curl_setup.h"
#if defined(USE_GSKIT) || defined(USE_NSS) || defined(USE_GNUTLS) || \
defined(USE_WOLFSSL) || defined(USE_SCHANNEL) || defined(USE_SECTRANSP)
#if defined(USE_GSKIT) || defined(USE_GNUTLS) || defined(USE_WOLFSSL) || \
defined(USE_SCHANNEL) || defined(USE_SECTRANSP)
#include "cfilters.h"
#include "urldata.h"
@ -76,6 +76,6 @@ CURLcode Curl_extract_certinfo(struct Curl_easy *data, int certnum,
const char *beg, const char *end);
CURLcode Curl_verifyhost(struct Curl_cfilter *cf, struct Curl_easy *data,
const char *beg, const char *end);
#endif /* USE_GSKIT or USE_NSS or USE_GNUTLS or USE_WOLFSSL or USE_SCHANNEL
#endif /* USE_GSKIT or USE_GNUTLS or USE_WOLFSSL or USE_SCHANNEL
* or USE_SECTRANSP */
#endif /* HEADER_CURL_X509ASN1_H */


@ -1,144 +0,0 @@
#***************************************************************************
# _ _ ____ _
# Project ___| | | | _ \| |
# / __| | | | |_) | |
# | (__| |_| | _ <| |___
# \___|\___/|_| \_\_____|
#
# Copyright (C) Daniel Stenberg, <daniel@haxx.se>, et al.
#
# This software is licensed as described in the file COPYING, which
# you should have received as part of this distribution. The terms
# are also available at https://curl.se/docs/copyright.html.
#
# You may opt to use, copy, modify, merge, publish, distribute and/or sell
# copies of the Software, and permit persons to whom the Software is
# furnished to do so, under the terms of the COPYING file.
#
# This software is distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY
# KIND, either express or implied.
#
# SPDX-License-Identifier: curl
#
#***************************************************************************
AC_DEFUN([CURL_WITH_NSS], [
if test "x$OPT_NSS" != xno; then
ssl_msg=
if test X"$OPT_NSS" != Xno; then
addld=""
addlib=""
addcflags=""
nssprefix=""
version=""
if test "x$OPT_NSS" = "xyes"; then
CURL_CHECK_PKGCONFIG(nss)
if test "$PKGCONFIG" != "no" ; then
addlib=`$PKGCONFIG --libs nss`
addcflags=`$PKGCONFIG --cflags nss`
version=`$PKGCONFIG --modversion nss`
nssprefix=`$PKGCONFIG --variable=prefix nss`
else
dnl Without pkg-config, we check for nss-config
check=`nss-config --version 2>/dev/null`
if test -n "$check"; then
addlib=`nss-config --libs`
addcflags=`nss-config --cflags`
version=`nss-config --version`
nssprefix=`nss-config --prefix`
else
addlib="-lnss3"
addcflags=""
version="unknown"
fi
fi
else
NSS_PCDIR="$OPT_NSS/lib/pkgconfig"
if test -f "$NSS_PCDIR/nss.pc"; then
CURL_CHECK_PKGCONFIG(nss, [$NSS_PCDIR])
if test "$PKGCONFIG" != "no" ; then
addld=`CURL_EXPORT_PCDIR([$NSS_PCDIR]) $PKGCONFIG --libs-only-L nss`
addlib=`CURL_EXPORT_PCDIR([$NSS_PCDIR]) $PKGCONFIG --libs-only-l nss`
addcflags=`CURL_EXPORT_PCDIR([$NSS_PCDIR]) $PKGCONFIG --cflags nss`
version=`CURL_EXPORT_PCDIR([$NSS_PCDIR]) $PKGCONFIG --modversion nss`
nssprefix=`CURL_EXPORT_PCDIR([$NSS_PCDIR]) $PKGCONFIG --variable=prefix nss`
fi
fi
fi
if test -z "$addlib"; then
# Without pkg-config, we'll kludge in some defaults
AC_MSG_WARN([Using hard-wired libraries and compilation flags for NSS.])
addld="-L$OPT_NSS/lib"
addlib="-lssl3 -lsmime3 -lnss3 -lplds4 -lplc4 -lnspr4"
addcflags="-I$OPT_NSS/include"
version="unknown"
nssprefix=$OPT_NSS
fi
CLEANLDFLAGS="$LDFLAGS"
CLEANLIBS="$LIBS"
CLEANCPPFLAGS="$CPPFLAGS"
LDFLAGS="$addld $LDFLAGS"
LIBS="$addlib $LIBS"
if test "$addcflags" != "-I/usr/include"; then
CPPFLAGS="$CPPFLAGS $addcflags"
fi
dnl The function SSL_VersionRangeSet() is needed to enable TLS > 1.0
AC_CHECK_LIB(nss3, SSL_VersionRangeSet,
[
AC_DEFINE(USE_NSS, 1, [if NSS is enabled])
AC_SUBST(USE_NSS, [1])
USE_NSS="yes"
NSS_ENABLED=1
ssl_msg="NSS"
test nss != "$DEFAULT_SSL_BACKEND" || VALID_DEFAULT_SSL_BACKEND=yes
],
[
LDFLAGS="$CLEANLDFLAGS"
LIBS="$CLEANLIBS"
CPPFLAGS="$CLEANCPPFLAGS"
])
if test "x$USE_NSS" = "xyes"; then
AC_MSG_NOTICE([detected NSS version $version])
dnl PK11_CreateManagedGenericObject() was introduced in NSS 3.34 because
dnl PK11_DestroyGenericObject() does not release resources allocated by
dnl PK11_CreateGenericObject() early enough.
AC_CHECK_FUNC(PK11_CreateManagedGenericObject,
[
AC_DEFINE(HAVE_PK11_CREATEMANAGEDGENERICOBJECT, 1,
[if you have the PK11_CreateManagedGenericObject function])
])
dnl needed when linking the curl tool without USE_EXPLICIT_LIB_DEPS
NSS_LIBS=$addlib
AC_SUBST([NSS_LIBS])
dnl when shared libs were found in a path that the run-time
dnl linker doesn't search through, we need to add it to
dnl CURL_LIBRARY_PATH to prevent further configure tests to fail
dnl due to this
if test "x$cross_compiling" != "xyes"; then
CURL_LIBRARY_PATH="$CURL_LIBRARY_PATH:$nssprefix/lib$libsuff"
export CURL_LIBRARY_PATH
AC_MSG_NOTICE([Added $nssprefix/lib$libsuff to CURL_LIBRARY_PATH])
fi
fi dnl NSS found
fi dnl NSS not disabled
test -z "$ssl_msg" || ssl_backends="${ssl_backends:+$ssl_backends, }$ssl_msg"
fi
])


@ -336,9 +336,6 @@ $write cvh "#endif"
$write cvh "#ifdef USE_NGHTTP2"
$write cvh "#undef USE_NGHTTP2"
$write cvh "#endif"
$write cvh "#ifdef USE_NSS"
$write cvh "#undef USE_NSS"
$write cvh "#endif"
$write cvh "#ifdef USE_OPENLDAP"
$write cvh "#undef USE_OPENLDAP"
$write cvh "#endif"


@ -69,7 +69,7 @@ LIBS = $(BLANK_AT_MAKETIME)
if USE_EXPLICIT_LIB_DEPS
curl_LDADD = $(top_builddir)/lib/libcurl.la @LIBCURL_LIBS@
else
curl_LDADD = $(top_builddir)/lib/libcurl.la @NSS_LIBS@ @SSL_LIBS@ @ZLIB_LIBS@ @CURL_NETWORK_AND_TIME_LIBS@
curl_LDADD = $(top_builddir)/lib/libcurl.la @SSL_LIBS@ @ZLIB_LIBS@ @CURL_NETWORK_AND_TIME_LIBS@
endif
# if unit tests are enabled, build a static library to link them with


@ -37,11 +37,6 @@
#include <fcntl.h>
#endif
#ifdef USE_NSS
#include <nspr.h>
#include <plarenas.h>
#endif
#define ENABLE_CURLX_PRINTF
/* use our own printf() functions */
#include "curlx.h"
@ -213,14 +208,6 @@ static void main_free(struct GlobalConfig *config)
/* Cleanup the easy handle */
/* Main cleanup */
curl_global_cleanup();
#ifdef USE_NSS
if(PR_Initialized()) {
/* prevent valgrind from reporting still reachable mem from NSPR arenas */
PL_ArenaFinish();
/* prevent valgrind from reporting possibly lost memory (fd cache, ...) */
PR_Cleanup();
}
#endif
free_globalconfig(config);
/* Free the config structures */


@ -439,7 +439,6 @@ Features testable here are:
- `netrc`
- `nghttpx`
- `nghttpx-h3`
- `NSS`
- `NTLM`
- `NTLM_WB`
- `OpenSSL`


@ -52,8 +52,8 @@ if USE_EXPLICIT_LIB_DEPS
SUPPORTFILES_LIBS = $(top_builddir)/lib/libcurl.la @LIBCURL_LIBS@
TESTUTIL_LIBS = $(top_builddir)/lib/libcurl.la @LIBCURL_LIBS@
else
SUPPORTFILES_LIBS = $(top_builddir)/lib/libcurl.la @CURL_NETWORK_LIBS@ @NSS_LIBS@
TESTUTIL_LIBS = $(top_builddir)/lib/libcurl.la @CURL_NETWORK_AND_TIME_LIBS@ @NSS_LIBS@
SUPPORTFILES_LIBS = $(top_builddir)/lib/libcurl.la @CURL_NETWORK_LIBS@
TESTUTIL_LIBS = $(top_builddir)/lib/libcurl.la @CURL_NETWORK_AND_TIME_LIBS@
endif
# Dependencies (may need to be overridden)


@ -35,10 +35,6 @@
# include <fcntl.h> /* for setmode() */
#endif
#ifdef USE_NSS
#include <nspr.h>
#endif
#ifdef CURLDEBUG
# define MEMDEBUG_NODEFINES
# include "memdebug.h"
@ -177,12 +173,6 @@ int main(int argc, char **argv)
result = test(URL);
#ifdef USE_NSS
if(PR_Initialized())
/* prevent valgrind from reporting possibly lost memory (fd cache, ...) */
PR_Cleanup();
#endif
#ifdef WIN32
/* flush buffers of all streams regardless of mode */
_flushall();


@ -541,10 +541,6 @@ sub checksystemfeatures {
elsif ($libcurl =~ /\srustls-ffi\b/i) {
$feature{"rustls"} = 1;
}
elsif ($libcurl =~ /\snss\b/i) {
$feature{"NSS"} = 1;
$feature{"SSLpinning"} = 1;
}
elsif ($libcurl =~ /\swolfssl\b/i) {
$feature{"wolfssl"} = 1;
$feature{"SSLpinning"} = 1;


@ -47,7 +47,7 @@ LIBS = $(BLANK_AT_MAKETIME)
LDADD = $(top_builddir)/src/libcurltool.la \
$(top_builddir)/lib/libcurlu.la \
@LDFLAGS@ @LIBCURL_LIBS@ @NSS_LIBS@
@LDFLAGS@ @LIBCURL_LIBS@
AM_CPPFLAGS += -DCURL_STATICLIB -DUNITTESTS


@ -34,8 +34,8 @@ static void unit_stop(void)
{
}
#if defined(USE_GSKIT) || defined(USE_NSS) || defined(USE_GNUTLS) || \
defined(USE_SCHANNEL) || defined(USE_SECTRANSP)
#if defined(USE_GSKIT) || defined(USE_GNUTLS) || defined(USE_SCHANNEL) || \
defined(USE_SECTRANSP)
/* cert captured from gdb when connecting to curl.se on October 26
2018 */