gskit: remove
We remove support for building curl with gskit.

 - This is a niche TLS library, only running on some IBM systems
 - no regular curl contributors use this backend
 - no CI builds use or verify this backend
 - gskit, or the curl adaption for it, lacks many modern TLS features
   making it an inferior solution
 - build breakages in this code take weeks or more to get detected
 - fixing gskit code is mostly done "flying blind"

This removal has been advertized in DEPRECATED in Jan 2, 2023 and it has
been mentioned on the curl-library mailing list.

It could be brought back, this is not a ban. Given proper effort and
will, gskit support is welcome back into the curl TLS backend family.

Closes curl#11460
bagder committed Aug 7, 2023
1 parent 08b9f24 commit 78d6232
Showing 33 changed files with 35 additions and 1,995 deletions.
65 changes: 0 additions & 65 deletions docs/CIPHERS.md
Expand Up @@ -165,71 +165,6 @@ When specifying multiple cipher names, separate them with colon (`:`).
`TLS_AES_128_CCM_8_SHA256`
`TLS_AES_128_CCM_SHA256`

## GSKit

Ciphers are internally defined as [numeric
codes](https://www.ibm.com/support/knowledgecenter/ssw_ibm_i_73/apis/gsk_attribute_set_buffer.htm). libcurl
maps them to the following case-insensitive names.

### SSL2 cipher suites (insecure: disabled by default)

`rc2-md5`
`rc4-md5`
`exp-rc2-md5`
`exp-rc4-md5`
`des-cbc-md5`
`des-cbc3-md5`

### SSL3 cipher suites

`null-md5`
`null-sha`
`rc4-md5`
`rc4-sha`
`exp-rc2-cbc-md5`
`exp-rc4-md5`
`exp-des-cbc-sha`
`des-cbc3-sha`

### TLS v1.0 cipher suites

`null-md5`
`null-sha`
`rc4-md5`
`rc4-sha`
`exp-rc2-cbc-md5`
`exp-rc4-md5`
`exp-des-cbc-sha`
`des-cbc3-sha`
`aes128-sha`
`aes256-sha`

### TLS v1.1 cipher suites

`null-md5`
`null-sha`
`rc4-md5`
`rc4-sha`
`exp-des-cbc-sha`
`des-cbc3-sha`
`aes128-sha`
`aes256-sha`

### TLS v1.2 cipher suites

`null-md5`
`null-sha`
`null-sha256`
`rc4-md5`
`rc4-sha`
`des-cbc3-sha`
`aes128-sha`
`aes256-sha`
`aes128-sha256`
`aes256-sha256`
`aes128-gcm-sha256`
`aes256-gcm-sha384`

## WolfSSL

`RC4-SHA`,
14 changes: 2 additions & 12 deletions docs/DEPRECATE.md
Expand Up @@ -6,18 +6,6 @@ email the
as soon as possible and explain to us why this is a problem for you and
how your use case cannot be satisfied properly using a workaround.

## gskit

We remove support for building curl with the gskit TLS library in August 2023.

- This is a niche TLS library, only running on some IBM systems
- no regular curl contributors use this backend
- no CI builds use or verify this backend
- gskit, or the curl adaption for it, lacks many modern TLS features making it
an inferior solution
- build breakages in this code take weeks or more to get detected
- fixing gskit code is mostly done "flying blind"

## mingw v1

We remove support for building curl with the original legacy mingw version 1
Expand Down Expand Up @@ -57,3 +45,5 @@ curl will remove the support for space-separated names in July 2024.
- NPN
- Support for systems without 64 bit data types
- NSS
- gskit

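Review bot: the second hunk adds a blank line after `- gskit` at the end of docs/DEPRECATE.md (the hunk grows the region from 3 to 5 lines for a single new list item); drop the trailing empty line so the file keeps ending directly after the last entry.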
6 changes: 3 additions & 3 deletions docs/FAQ
Expand Up @@ -423,9 +423,9 @@ FAQ

curl can be built to use one of the following SSL alternatives: OpenSSL,
libressl, BoringSSL, AWS-LC, GnuTLS, wolfSSL, mbedTLS, Secure Transport
(native iOS/OS X), Schannel (native Windows), GSKit (native IBM i), BearSSL,
or Rustls. They all have their pros and cons, and we try to maintain a
comparison of them here: https://curl.se/docs/ssl-compared.html
(native iOS/OS X), Schannel (native Windows), BearSSL or Rustls. They all
have their pros and cons, and we try to maintain a comparison of them here:
https://curl.se/docs/ssl-compared.html

2.4 Does curl support SOCKS (RFC 1928) ?

1 change: 0 additions & 1 deletion docs/INTERNALS.md
Expand Up @@ -27,7 +27,6 @@ versions of libs and build tools.
- wolfSSL 2.0.0
- OpenLDAP 2.0
- MIT Kerberos 1.2.4
- GSKit V5R3M0
- Heimdal ?
- nghttp2 1.15.0
- WinSock 2.2 (on Windows 95+ and Windows CE .NET 4.1+)
5 changes: 2 additions & 3 deletions docs/cmdline-opts/page-footer
Expand Up @@ -60,9 +60,8 @@ the case insensitive name of the particular backend to use when curl is
invoked. Setting a name that is not a built-in alternative will make curl
stay with the default.

SSL backend names (case-insensitive): **bearssl**, **gnutls**, **gskit**,
**mbedtls**, **openssl**, **rustls**, **schannel**, **secure-transport**,
**wolfssl**
SSL backend names (case-insensitive): **bearssl**, **gnutls**, **mbedtls**,
**openssl**, **rustls**, **schannel**, **secure-transport**, **wolfssl**
.IP "HOME <dir>"
If set, this is used to find the home directory when that is needed. Like when
looking for the default .curlrc. *CURL_HOME* and *XDG_CONFIG_HOME*
2 changes: 1 addition & 1 deletion docs/cmdline-opts/pinnedpubkey.d
Expand Up @@ -23,7 +23,7 @@ abort the connection before sending or receiving any data.

PEM/DER support:

7.39.0: OpenSSL, GnuTLS and GSKit
7.39.0: OpenSSL and GnuTLS

7.43.0: wolfSSL

4 changes: 2 additions & 2 deletions docs/cmdline-opts/write-out.d
Expand Up @@ -49,7 +49,7 @@ The variables available are:
.TP 15
**certs**
Output the certificate chain with details. Supported only by the OpenSSL,
GnuTLS, Schannel, GSKit and Secure Transport backends. (Added in 7.88.0)
GnuTLS, Schannel and Secure Transport backends. (Added in 7.88.0)
.TP
**content_type**
The Content-Type of the requested document, if there was any.
Expand Down Expand Up @@ -105,7 +105,7 @@ The http method used in the most recent HTTP request. (Added in 7.72.0)
.TP
**num_certs**
Number of server certificates received in the TLS handshake. Supported only by
the OpenSSL, GnuTLS, Schannel, GSKit and Secure Transport backends. (Added
the OpenSSL, GnuTLS, Schannel and Secure Transport backends. (Added
in 7.88.0)
.TP
**num_connects**
2 changes: 1 addition & 1 deletion docs/libcurl/curl_global_sslset.3
Expand Up @@ -38,7 +38,7 @@ typedef enum {
CURLSSLBACKEND_OPENSSL = 1, /* or one of its forks */
CURLSSLBACKEND_GNUTLS = 2,
CURLSSLBACKEND_NSS = 3,
CURLSSLBACKEND_GSKIT = 5,
CURLSSLBACKEND_GSKIT = 5, /* deprecated */
CURLSSLBACKEND_POLARSSL = 6, /* deprecated */
CURLSSLBACKEND_WOLFSSL = 7,
CURLSSLBACKEND_SCHANNEL = 8,
2 changes: 1 addition & 1 deletion docs/libcurl/libcurl-env.3
Expand Up @@ -50,7 +50,7 @@ specific backend at first use. If no selection is done by the program using
libcurl, this variable's selection will be used. Setting a name that is not a
built-in alternative will make libcurl stay with the default.

SSL backend names (case-insensitive): BearSSL, GnuTLS, gskit, mbedTLS,
SSL backend names (case-insensitive): BearSSL, GnuTLS, mbedTLS,
nss, OpenSSL, rustls, Schannel, Secure-Transport, wolfSSL
.IP HOME
When the netrc feature is used (\fICURLOPT_NETRC(3)\fP), this variable is
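Review bot: the backend-name list in libcurl-env.3 still includes `nss`, whereas the equivalent list in docs/cmdline-opts/page-footer edited in this same commit does not, and docs/DEPRECATE.md lists NSS among the backends already removed; drop `nss` from this line as well so the two environment-variable descriptions agree.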
2 changes: 1 addition & 1 deletion docs/libcurl/opts/CURLINFO_CERTINFO.3
Expand Up @@ -75,7 +75,7 @@ if(curl) {
}
.fi
.SH AVAILABILITY
This option is only working in libcurl built with OpenSSL, Schannel, GSKit or
This option is only working in libcurl built with OpenSSL, Schannel or
Secure Transport support. Schannel support added in 7.50.0. Secure Transport
support added in 7.79.0.

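Review bot: the AVAILABILITY text in CURLINFO_CERTINFO.3 now names only OpenSSL, Schannel and Secure Transport, while the rewritten line in CURLOPT_CERTINFO.3 later in this commit reads "OpenSSL, GnuTLS, Schannel and Secure Transport"; since both sentences are being touched, make them agree (GnuTLS appears to be missing here).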
4 changes: 2 additions & 2 deletions docs/libcurl/opts/CURLINFO_TLS_SESSION.3
Expand Up @@ -63,8 +63,8 @@ if(curl) {
}
.fi
.SH AVAILABILITY
Added in 7.34.0. Deprecated since 7.48.0 and supported OpenSSL, GnuTLS,
NSS and gskit only up until this version was released.
Added in 7.34.0. Deprecated since 7.48.0 and supported OpenSSL, GnuTLS, and
NSS only up until this version was released.
.SH RETURN VALUE
Returns CURLE_OK if the option is supported, and CURLE_UNKNOWN_OPTION if not.
.SH "SEE ALSO"
9 changes: 3 additions & 6 deletions docs/libcurl/opts/CURLINFO_TLS_SSL_PTR.3
Expand Up @@ -57,18 +57,15 @@ struct curl_tlssessioninfo {
The \fIbackend\fP struct member is one of the defines in the CURLSSLBACKEND_*
series: CURLSSLBACKEND_NONE (when built without TLS support),
CURLSSLBACKEND_WOLFSSL, CURLSSLBACKEND_SECURETRANSPORT, CURLSSLBACKEND_GNUTLS,
CURLSSLBACKEND_GSKIT, CURLSSLBACKEND_MBEDTLS, CURLSSLBACKEND_NSS,
CURLSSLBACKEND_OPENSSL, CURLSSLBACKEND_SCHANNEL or
CURLSSLBACKEND_MESALINK. (Note that the OpenSSL forks are all reported as just
OpenSSL here.)
CURLSSLBACKEND_MBEDTLS, CURLSSLBACKEND_NSS, CURLSSLBACKEND_OPENSSL,
CURLSSLBACKEND_SCHANNEL or CURLSSLBACKEND_MESALINK. (Note that the OpenSSL
forks are all reported as just OpenSSL here.)

The \fIinternals\fP struct member will point to a TLS library specific pointer
for the active ("in use") SSL connection, with the following underlying types:
.RS
.IP GnuTLS
\fBgnutls_session_t\fP
.IP gskit
\fBgsk_handle\fP
.IP NSS
\fBPRFileDesc *\fP
.IP OpenSSL
2 changes: 1 addition & 1 deletion docs/libcurl/opts/CURLOPT_CERTINFO.3
Expand Up @@ -74,7 +74,7 @@ if(curl) {
}
.fi
.SH AVAILABILITY
This option is supported by the OpenSSL, GnuTLS, Schannel, GSKit and Secure
This option is supported by the OpenSSL, GnuTLS, Schannel and Secure
Transport backends. Schannel support added in 7.50.0. Secure Transport support
added in 7.79.0.
.SH RETURN VALUE
2 changes: 0 additions & 2 deletions docs/libcurl/opts/CURLOPT_PINNEDPUBLICKEY.3
Expand Up @@ -102,8 +102,6 @@ PEM/DER support:

7.39.0: OpenSSL, GnuTLS

7.39.0-7.48.0,7.58.1+: GSKit

7.43.0: wolfSSL

7.47.0: mbedTLS
2 changes: 1 addition & 1 deletion docs/libcurl/opts/CURLOPT_PROXY_PINNEDPUBLICKEY.3
Expand Up @@ -98,7 +98,7 @@ footer:
.SH AVAILABILITY
PEM/DER support:

7.52.0: GSKit, GnuTLS, OpenSSL, mbedTLS, wolfSSL
7.52.0: GnuTLS, OpenSSL, mbedTLS, wolfSSL

sha256 support:

6 changes: 3 additions & 3 deletions include/curl/curl.h
Expand Up @@ -161,7 +161,7 @@ typedef enum {
CURLSSLBACKEND_GNUTLS = 2,
CURLSSLBACKEND_NSS = 3,
CURLSSLBACKEND_OBSOLETE4 = 4, /* Was QSOSSL. */
CURLSSLBACKEND_GSKIT = 5,
CURLSSLBACKEND_GSKIT CURL_DEPRECATED(8.3.0, "") = 5,
CURLSSLBACKEND_POLARSSL CURL_DEPRECATED(7.69.0, "") = 6,
CURLSSLBACKEND_WOLFSSL = 7,
CURLSSLBACKEND_SCHANNEL = 8,
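Review bot: keeping `CURLSSLBACKEND_GSKIT = 5` in the enum and only tagging it with `CURL_DEPRECATED(8.3.0, "")` preserves the numbering of the later entries for existing binaries, which is the right call; the 8.3.0 version in the attribute is the only place on this commit page that names the release the removal ships in, so consider stating it in the DEPRECATE.md entry for past removals as well.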
Expand Down Expand Up @@ -2824,8 +2824,8 @@ CURL_EXTERN void curl_slist_free_all(struct curl_slist *list);
*/
CURL_EXTERN time_t curl_getdate(const char *p, const time_t *unused);

/* info about the certificate chain, only for OpenSSL, GnuTLS, Schannel, NSS
and GSKit builds. Asked for with CURLOPT_CERTINFO / CURLINFO_CERTINFO */
/* info about the certificate chain, only for OpenSSL, GnuTLS, Schannel and
NSS builds. Asked for with CURLOPT_CERTINFO / CURLINFO_CERTINFO */
struct curl_certinfo {
int num_of_certs; /* number of certificates with information */
struct curl_slist **certinfo; /* for each index in this array, there's a
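Review bot: the rewritten comment on `struct curl_certinfo` says the chain is available "only for OpenSSL, GnuTLS, Schannel and NSS builds", but docs/libcurl/opts/CURLOPT_CERTINFO.3 in this same commit lists Secure Transport as a supporting backend (added in 7.79.0); since the line is being edited anyway, add Secure Transport so the header comment matches the manpage.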
2 changes: 0 additions & 2 deletions lib/Makefile.inc
Expand Up @@ -44,7 +44,6 @@ LIB_VAUTH_HFILES = \

LIB_VTLS_CFILES = \
vtls/bearssl.c \
vtls/gskit.c \
vtls/gtls.c \
vtls/hostcheck.c \
vtls/keylog.c \
Expand All @@ -61,7 +60,6 @@ LIB_VTLS_CFILES = \

LIB_VTLS_HFILES = \
vtls/bearssl.h \
vtls/gskit.h \
vtls/gtls.h \
vtls/hostcheck.h \
vtls/keylog.h \
3 changes: 0 additions & 3 deletions lib/config-os400.h
Expand Up @@ -338,9 +338,6 @@
/* Define to the function return type for send. */
#define SEND_TYPE_RETV int

/* Define to use the GSKit package. */
#define USE_GSKIT

/* Define to use the OS/400 crypto library. */
#define USE_OS400CRYPTO

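Review bot: with `#define USE_GSKIT` removed from lib/config-os400.h, this header no longer selects any TLS backend, and lib/curl_setup.h (also changed in this commit) only defines USE_SSL when one of the remaining USE_* backend macros is set, so an OS/400 build relying on this config ends up without TLS unless another backend is defined elsewhere; the commit message or the OS/400 build documentation should state which backend those builds are expected to use from now on.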
2 changes: 1 addition & 1 deletion lib/curl_setup.h
Expand Up @@ -647,7 +647,7 @@

#if defined(USE_GNUTLS) || defined(USE_OPENSSL) || defined(USE_MBEDTLS) || \
defined(USE_WOLFSSL) || defined(USE_SCHANNEL) || defined(USE_SECTRANSP) || \
defined(USE_GSKIT) || defined(USE_BEARSSL) || defined(USE_RUSTLS)
defined(USE_BEARSSL) || defined(USE_RUSTLS)
#define USE_SSL /* SSL support has been enabled */
#endif

2 changes: 1 addition & 1 deletion lib/rand.c
Expand Up @@ -188,7 +188,7 @@ static CURLcode randit(struct Curl_easy *data, unsigned int *rnd)
* 'rnd' points to.
*
* If libcurl is built without TLS support or with a TLS backend that lacks a
* proper random API (rustls, Gskit or mbedTLS), this function will use "weak"
* proper random API (rustls or mbedTLS), this function will use "weak"
* random.
*
* When built *with* TLS support and a backend that offers strong random, it
14 changes: 0 additions & 14 deletions lib/rand.h
Expand Up @@ -24,20 +24,6 @@
*
***************************************************************************/

/*
* Curl_rand() stores 'num' number of random unsigned characters in the buffer
* 'rnd' points to.
*
* If libcurl is built without TLS support or with a TLS backend that lacks a
* proper random API (Gskit or mbedTLS), this function will use "weak" random.
*
* When built *with* TLS support and a backend that offers strong random, it
* will return error if it cannot provide strong random values.
*
* NOTE: 'data' may be passed in as NULL when coming from external API without
* easy handle!
*
*/
CURLcode Curl_rand(struct Curl_easy *data, unsigned char *rnd, size_t num);

/*

0 comments on commit 78d6232