Merge pull request #1 from dongbeiouba/feature/ntls

Support TLCP based on Tongsuo

Author: dongbeiouba

.github/workflows/linux.yml

@@ -101,8 +101,8 @@ jobs:
           configure: CC=icc --enable-debug --with-openssl
 
         - name: NSS
-          install_packages: clang-9 libnss3-dev libpsl-dev libbrotli-dev libzstd-dev libnghttp2-dev nss-plugin-pem
-          configure: CC=clang-9 CPPFLAGS="-isystem /usr/include/nss" --with-nss --enable-debug --with-nss-deprecated
+          install_packages: clang libnss3-dev libpsl-dev libbrotli-dev libzstd-dev libnghttp2-dev nss-plugin-pem
+          configure: CC=clang CPPFLAGS="-isystem /usr/include/nss" --with-nss --enable-debug --with-nss-deprecated
 
     steps:
     - run: |

.github/workflows/tongsuo.yml

@@ -0,0 +1,39 @@
+# Copyright (C) 2022
+#
+# SPDX-License-Identifier: curl
+
+name: build-with-tongsuo
+
+on: [workflow_dispatch, pull_request, push]
+
+jobs:
+  autotools:
+    runs-on: 'ubuntu-latest'
+    timeout-minutes: 60
+
+    steps:
+      - name: checkout tongsuo
+        uses: actions/checkout@v2
+        with:
+          repository: Tongsuo-Project/Tongsuo
+          path: Tongsuo
+      - name: install Tongsuo
+        working-directory: ./Tongsuo
+        run: |
+          ./config --banner=Configured --prefix=${GITHUB_WORKSPACE}/install enable-ntls
+          make -s -j4
+          make install
+
+      - uses: actions/checkout@v3
+        with:
+          path: curl
+
+      - name: build curl
+        working-directory: ./curl
+        run: |
+          autoreconf -fi
+          LDFLAGS=-Wl,-rpath=${GITHUB_WORKSPACE}/install/lib64/ ./configure --enable-warnings --enable-werror --with-openssl=${GITHUB_WORKSPACE}/install
+          make V=1
+          make V=1 examples
+          make V=1 -C tests
+          make V=1 test-ci

docs/examples/https-tlcp-doublecerts.c

@@ -0,0 +1,63 @@
+/***************************************************************************
+ *                                  _   _ ____  _
+ *  Project                     ___| | | |  _ \| |
+ *                             / __| | | | |_) | |
+ *                            | (__| |_| |  _ <| |___
+ *                             \___|\___/|_| \_\_____|
+ *
+ * Copyright (C) 2022
+ *
+ * This software is licensed as described in the file COPYING, which
+ * you should have received as part of this distribution. The terms
+ * are also available at https://curl.se/docs/copyright.html.
+ *
+ * You may opt to use, copy, modify, merge, publish, distribute and/or sell
+ * copies of the Software, and permit persons to whom the Software is
+ * furnished to do so, under the terms of the COPYING file.
+ *
+ * This software is distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY
+ * KIND, either express or implied.
+ *
+ * SPDX-License-Identifier: curl
+ *
+ ***************************************************************************/
+/* <DESC>
+ * HTTP over TLCP with double certificates
+ * </DESC>
+ */
+#include <stdio.h>
+#include <curl/curl.h>
+
+int main(int argc, char **argv)
+{
+    CURL *curl;
+    CURLcode res;
+
+    curl = curl_easy_init();
+    if (curl) {
+        curl_easy_setopt(curl, CURLOPT_URL, "https://127.0.0.1:443");
+        curl_easy_setopt(curl, CURLOPT_SSLVERSION, CURL_SSLVERSION_NTLSv1_1);
+        curl_easy_setopt(curl, CURLOPT_SSL_CIPHER_LIST,
+                         "ECDHE-SM2-SM4-CBC-SM3");
+
+        curl_easy_setopt(curl, CURLOPT_SSLSIGNCERT, "sm2_sign.crt");
+        curl_easy_setopt(curl, CURLOPT_SSLSIGNKEY, "sm2_sign.key");
+        curl_easy_setopt(curl, CURLOPT_SSLENCCERT, "sm2_enc.crt");
+        curl_easy_setopt(curl, CURLOPT_SSLENCKEY, "sm2_enc.key");
+
+        /* optional */
+        curl_easy_setopt(curl, CURLOPT_SSL_VERIFYPEER, 0);
+        curl_easy_setopt(curl, CURLOPT_SSL_VERIFYHOST, 0);
+
+        res = curl_easy_perform(curl);
+
+        if(res != CURLE_OK)
+            fprintf(stderr, "curl_easy_perform() failed: %s\n",
+                    curl_easy_strerror(res));
+
+        curl_easy_cleanup(curl);
+    }
+
+    return 0;
+}
+// gcc https-tlcp-doublecerts.c -o https-tlcp-doublecerts -I/usr/local/curl/include -lcurl -L/usr/local/curl/lib -Wl,-rpath=/usr/local/curl/lib

docs/examples/https-tlcp.c

@@ -0,0 +1,57 @@
+/***************************************************************************
+ *                                  _   _ ____  _
+ *  Project                     ___| | | |  _ \| |
+ *                             / __| | | | |_) | |
+ *                            | (__| |_| |  _ <| |___
+ *                             \___|\___/|_| \_\_____|
+ *
+ * Copyright (C) 2022
+ *
+ * This software is licensed as described in the file COPYING, which
+ * you should have received as part of this distribution. The terms
+ * are also available at https://curl.se/docs/copyright.html.
+ *
+ * You may opt to use, copy, modify, merge, publish, distribute and/or sell
+ * copies of the Software, and permit persons to whom the Software is
+ * furnished to do so, under the terms of the COPYING file.
+ *
+ * This software is distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY
+ * KIND, either express or implied.
+ *
+ * SPDX-License-Identifier: curl
+ *
+ ***************************************************************************/
+/* <DESC>
+ * HTTP over TLCP
+ * </DESC>
+ */
+#include <stdio.h>
+#include <curl/curl.h>
+
+int main(int argc, char **argv)
+{
+    CURL *curl;
+    CURLcode res;
+
+    curl = curl_easy_init();
+    if (curl) {
+        curl_easy_setopt(curl, CURLOPT_URL, "https://127.0.0.1:443");
+        curl_easy_setopt(curl, CURLOPT_SSLVERSION, CURL_SSLVERSION_NTLSv1_1);
+        curl_easy_setopt(curl, CURLOPT_SSL_CIPHER_LIST, "ECC-SM2-SM4-CBC-SM3");
+
+        /* optional */
+        curl_easy_setopt(curl, CURLOPT_SSL_VERIFYPEER, 0);
+        curl_easy_setopt(curl, CURLOPT_SSL_VERIFYHOST, 0);
+
+        res = curl_easy_perform(curl);
+
+        if(res != CURLE_OK)
+            fprintf(stderr, "curl_easy_perform() failed: %s\n",
+                    curl_easy_strerror(res));
+
+        curl_easy_cleanup(curl);
+    }
+
+    return 0;
+}
+// gcc https-tlcp.c -o https-tlcp -I/usr/local/curl/include -lcurl -L/usr/local/curl/lib -Wl,-rpath=/usr/local/curl/lib

docs/libcurl/symbols-in-versions

@@ -1123,3 +1123,8 @@ LIBCURL_VERSION_MAJOR           7.11.0
 LIBCURL_VERSION_MINOR           7.11.0
 LIBCURL_VERSION_NUM             7.11.0
 LIBCURL_VERSION_PATCH           7.11.0
+CURLOPT_SSLENCCERT              1             -           1
+CURLOPT_SSLENCKEY               1             -           1
+CURLOPT_SSLSIGNCERT             1             -           1
+CURLOPT_SSLSIGNKEY              1             -           1
+CURL_SSLVERSION_NTLSv1_1        1             -           1

include/curl/curl.h

@@ -2157,6 +2157,18 @@ typedef enum {
   /* websockets options */
   CURLOPT(CURLOPT_WS_OPTIONS, CURLOPTTYPE_LONG, 320),
 
+  /* name of the file keeping your SSL sign certificate */
+  CURLOPT(CURLOPT_SSLSIGNCERT, CURLOPTTYPE_STRINGPOINT, 321),
+
+  /* name of the file keeping your SSL sign key */
+  CURLOPT(CURLOPT_SSLSIGNKEY, CURLOPTTYPE_STRINGPOINT, 322),
+
+  /* name of the file keeping your SSL enc certificate */
+  CURLOPT(CURLOPT_SSLENCCERT, CURLOPTTYPE_STRINGPOINT, 323),
+
+  /* name of the file keeping your SSL enc key */
+  CURLOPT(CURLOPT_SSLENCKEY, CURLOPTTYPE_STRINGPOINT, 324),
+
   CURLOPT_LASTENTRY /* the last unused */
 } CURLoption;
 
@@ -2263,6 +2275,7 @@ enum {
   CURL_SSLVERSION_TLSv1_1,
   CURL_SSLVERSION_TLSv1_2,
   CURL_SSLVERSION_TLSv1_3,
+  CURL_SSLVERSION_NTLSv1_1,
 
   CURL_SSLVERSION_LAST /* never use, keep last */
 };

include/curl/typecheck-gcc.h

@@ -343,6 +343,10 @@ CURLWARNING(_curl_easy_getinfo_err_curl_off_t,
    (option) == CURLOPT_USERPWD ||                                             \
    (option) == CURLOPT_XOAUTH2_BEARER ||                                      \
    (option) == CURLOPT_SSL_EC_CURVES ||                                       \
+   (option) == CURLOPT_SSLSIGNCERT ||                                         \
+   (option) == CURLOPT_SSLSIGNKEY ||                                          \
+   (option) == CURLOPT_SSLENCCERT ||                                          \
+   (option) == CURLOPT_SSLENCKEY ||                                           \
    0)
 
 /* evaluates to true if option takes a curl_write_callback argument */

lib/c-hyper.c

@@ -415,8 +415,10 @@ CURLcode Curl_hyper_stream(struct Curl_easy *data,
       break;
     }
     else if(h->endtask == task) {
-      /* end of transfer */
+      /* end of transfer, forget the task handled, we might get a
+       * new one with the same address in the future. */
       *done = TRUE;
+      h->endtask = NULL;
       infof(data, "hyperstream is done");
       if(!k->bodywrites) {
         /* hyper doesn't always call the body write callback */

lib/easyoptions.c

@@ -293,13 +293,17 @@ struct curl_easyoption Curl_easyopts[] = {
   {"SSLCERTPASSWD", CURLOPT_KEYPASSWD, CURLOT_STRING, CURLOT_FLAG_ALIAS},
   {"SSLCERTTYPE", CURLOPT_SSLCERTTYPE, CURLOT_STRING, 0},
   {"SSLCERT_BLOB", CURLOPT_SSLCERT_BLOB, CURLOT_BLOB, 0},
+  {"SSLENCCERT", CURLOPT_SSLENCCERT, CURLOT_STRING, 0},
+  {"SSLENCKEY", CURLOPT_SSLENCKEY, CURLOT_STRING, 0},
   {"SSLENGINE", CURLOPT_SSLENGINE, CURLOT_STRING, 0},
   {"SSLENGINE_DEFAULT", CURLOPT_SSLENGINE_DEFAULT, CURLOT_LONG, 0},
   {"SSLKEY", CURLOPT_SSLKEY, CURLOT_STRING, 0},
   {"SSLKEYPASSWD", CURLOPT_KEYPASSWD, CURLOT_STRING, CURLOT_FLAG_ALIAS},
   {"SSLKEYTYPE", CURLOPT_SSLKEYTYPE, CURLOT_STRING, 0},
   {"SSLKEY_BLOB", CURLOPT_SSLKEY_BLOB, CURLOT_BLOB, 0},
   {"SSLVERSION", CURLOPT_SSLVERSION, CURLOT_VALUES, 0},
+  {"SSLSIGNCERT", CURLOPT_SSLSIGNCERT, CURLOT_STRING, 0},
+  {"SSLSIGNKEY", CURLOPT_SSLSIGNKEY, CURLOT_STRING, 0},
   {"SSL_CIPHER_LIST", CURLOPT_SSL_CIPHER_LIST, CURLOT_STRING, 0},
   {"SSL_CTX_DATA", CURLOPT_SSL_CTX_DATA, CURLOT_CBPTR, 0},
   {"SSL_CTX_FUNCTION", CURLOPT_SSL_CTX_FUNCTION, CURLOT_FUNCTION, 0},
@@ -368,6 +372,6 @@ struct curl_easyoption Curl_easyopts[] = {
  */
 int Curl_easyopts_check(void)
 {
-  return ((CURLOPT_LASTENTRY%10000) != (320 + 1));
+  return ((CURLOPT_LASTENTRY%10000) != (324 + 1));
 }
 #endif

lib/setopt.c

@@ -3106,6 +3106,36 @@ CURLcode Curl_vsetopt(struct Curl_easy *data, CURLoption option, va_list param)
     data->set.ws_raw_mode = raw;
     break;
   }
+#endif
+#ifdef HAVE_NTLS
+  case CURLOPT_SSLSIGNCERT:
+    /*
+     * String that holds file name of the SSL sign certificate to use
+     */
+    result = Curl_setstropt(&data->set.str[STRING_SIGN_CERT],
+                            va_arg(param, char *));
+    break;
+  case CURLOPT_SSLSIGNKEY:
+    /*
+     * String that holds file name of the SSL sign key to use
+     */
+    result = Curl_setstropt(&data->set.str[STRING_SIGN_KEY],
+                            va_arg(param, char *));
+    break;
+  case CURLOPT_SSLENCCERT:
+    /*
+     * String that holds file name of the SSL enc certificate to use
+     */
+    result = Curl_setstropt(&data->set.str[STRING_ENC_CERT],
+                            va_arg(param, char *));
+    break;
+  case CURLOPT_SSLENCKEY:
+    /*
+     * String that holds file name of the SSL enc key to use
+     */
+    result = Curl_setstropt(&data->set.str[STRING_ENC_KEY],
+                            va_arg(param, char *));
+    break;
 #endif
   default:
     /* unknown tag and its companion, just ignore: */

lib/url.c

@@ -3868,6 +3868,12 @@ static CURLcode create_conn(struct Curl_easy *data,
   data->set.ssl.key_type = data->set.str[STRING_KEY_TYPE];
   data->set.ssl.key_passwd = data->set.str[STRING_KEY_PASSWD];
   data->set.ssl.primary.clientcert = data->set.str[STRING_CERT];
+#ifdef HAVE_NTLS
+  data->set.ssl.sign_cert = data->set.str[STRING_SIGN_CERT];
+  data->set.ssl.sign_key = data->set.str[STRING_SIGN_KEY];
+  data->set.ssl.enc_cert = data->set.str[STRING_ENC_CERT];
+  data->set.ssl.enc_key = data->set.str[STRING_ENC_KEY];
+#endif
 #ifdef USE_TLS_SRP
   data->set.ssl.primary.username = data->set.str[STRING_TLSAUTH_USERNAME];
   data->set.ssl.primary.password = data->set.str[STRING_TLSAUTH_PASSWORD];

lib/urldata.h

@@ -299,6 +299,12 @@ struct ssl_config_data {
   struct curl_blob *key_blob;
   char *key_type; /* format for private key (default: PEM) */
   char *key_passwd; /* plain text private key password */
+#ifdef HAVE_NTLS
+  char *sign_cert;
+  char *sign_key;
+  char *enc_cert;
+  char *enc_key;
+#endif
   BIT(certinfo);     /* gather lots of certificate info */
   BIT(falsestart);
   BIT(enable_beast); /* allow this flaw for interoperability's sake */
@@ -1621,6 +1627,10 @@ enum dupstring {
   STRING_DNS_LOCAL_IP6,
   STRING_SSL_EC_CURVES,
 
+  STRING_SIGN_CERT,
+  STRING_SIGN_KEY,
+  STRING_ENC_CERT,
+  STRING_ENC_KEY,
   /* -- end of null-terminated strings -- */
 
   STRING_LASTZEROTERMINATED,