dpkg -i freexian-archive-keyring_2022.06.08_all.deb
echo 'deb http://deb.freexian.com/extended-lts stretch-lts main contrib non-free' | tee /etc/apt/sources.list.d/extended-lts.list
apt-get -o Dpkg::Use-Pty=0 update
- apt-get -o Dpkg::Use-Pty=0 install -y --no-install-suggests --no-install-recommends cmake make automake autoconf libtool gcc pkg-config libpsl-dev libzstd-dev zlib1g-dev libssl1.0-dev libssh-dev libssh2-1-dev libc-ares-dev heimdal-dev libldap2-dev librtmp-dev stunnel4 groff
+ apt-get -o Dpkg::Use-Pty=0 install -y --no-install-suggests --no-install-recommends cmake make automake autoconf libtool gcc pkg-config libpsl-dev libzstd-dev zlib1g-dev libgnutls28-dev libssh-dev libssh2-1-dev libc-ares-dev heimdal-dev libldap2-dev librtmp-dev stunnel4 groff
# GitHub's actions/checkout needs newer glibc and libstdc++. The latter also depends on
# gcc-8-base, but it doesn't actually seem used in our situation and isn't available in
# the main repo, so force the install.
mkdir bld-1
cd bld-1
cmake .. -DCMAKE_UNITY_BUILD=ON -DCURL_WERROR=ON -DBUILD_SHARED_LIBS=ON \
- -DENABLE_ARES=OFF -DCURL_ZSTD=OFF -DCURL_USE_GSSAPI=OFF -DCURL_USE_LIBSSH2=ON -DCURL_USE_LIBSSH=OFF -DUSE_LIBRTMP=ON
+ -DCURL_USE_GNUTLS=ON -DENABLE_ARES=OFF -DCURL_ZSTD=OFF -DCURL_USE_GSSAPI=OFF -DCURL_USE_LIBSSH2=ON -DCURL_USE_LIBSSH=OFF -DUSE_LIBRTMP=ON
make install
src/curl --disable --version
mkdir bld-cares
cd bld-cares
cmake .. -DCMAKE_UNITY_BUILD=ON -DCURL_WERROR=ON -DBUILD_SHARED_LIBS=ON \
- -DENABLE_ARES=ON -DCURL_USE_GSSAPI=ON -DCURL_USE_LIBSSH2=OFF -DCURL_USE_LIBSSH=OFF -DUSE_LIBRTMP=ON \
+ -DCURL_USE_GNUTLS=ON -DENABLE_ARES=ON -DCURL_USE_GSSAPI=ON -DCURL_USE_LIBSSH2=OFF -DCURL_USE_LIBSSH=OFF -DUSE_LIBRTMP=ON \
-DCURL_LIBCURL_VERSIONED_SYMBOLS=ON
- name: 'cmake curl_config.h'
mkdir bld-am
cd bld-am
../configure --disable-dependency-tracking --enable-unity --enable-warnings --enable-werror \
- --with-openssl --enable-ares --with-libssh2 --with-zstd --with-gssapi --with-librtmp \
+ --with-gnutls --enable-ares --with-libssh2 --with-zstd --with-gssapi --with-librtmp \
--prefix="$PWD"/../curl-install-am
- name: 'autotools curl_config.h'
#error "too old GnuTLS version"
#endif
-# include <gnutls/ocsp.h>
+#undef CURL_GNUTLS_EARLY_DATA
+#if GNUTLS_VERSION_NUMBER >= 0x03060d
+#define CURL_GNUTLS_EARLY_DATA
+#endif
+
+#include <gnutls/ocsp.h>
struct gtls_ssl_backend_data {
struct gtls_ctx gtls;
return CURLE_OK;
}
+#ifdef CURL_GNUTLS_EARLY_DATA
CURLcode Curl_gtls_cache_session(struct Curl_cfilter *cf,
struct Curl_easy *data,
const char *ssl_peer_key,
}
return result;
}
+#endif
int Curl_glts_get_ietf_proto(gnutls_session_t session)
{
return CURL_IETF_PROTO_TLS1_1;
case GNUTLS_TLS1_2:
return CURL_IETF_PROTO_TLS1_2;
+#if GNUTLS_VERSION_NUMBER >= 0x030603
case GNUTLS_TLS1_3:
return CURL_IETF_PROTO_TLS1_3;
+#endif
default:
return CURL_IETF_PROTO_UNKNOWN;
}
}
+#ifdef CURL_GNUTLS_EARLY_DATA
static CURLcode cf_gtls_update_session_id(struct Curl_cfilter *cf,
struct Curl_easy *data,
gnutls_session_t session)
}
return 0;
}
+#endif
static CURLcode gtls_set_priority(struct Curl_cfilter *cf,
struct Curl_easy *data,
/* Initialize TLS session as a client */
init_flags = GNUTLS_CLIENT;
+#ifdef CURL_GNUTLS_EARLY_DATA
if(peer->transport == TRNSPRT_QUIC && earlydata_max > 0)
init_flags |= GNUTLS_ENABLE_EARLY_DATA | GNUTLS_NO_END_OF_EARLY_DATA;
else if(earlydata_max > 0 && earlydata_max != 0xFFFFFFFFUL)
* and one announcing 0xFFFFFFFFUL. On TCP+TLS, this is unlikely, but
* on QUIC this is common. */
init_flags |= GNUTLS_ENABLE_EARLY_DATA;
+#endif
#ifdef GNUTLS_FORCE_CLIENT_CERT
init_flags |= GNUTLS_FORCE_CLIENT_CERT;
#endif
#ifdef GNUTLS_NO_TICKETS_TLS12
- init_flags |= GNUTLS_NO_TICKETS_TLS12;
+ init_flags |= GNUTLS_NO_TICKETS_TLS12;
#endif
#ifdef GNUTLS_NO_STATUS_REQUEST
return CURLE_OK;
}
+#ifdef CURL_GNUTLS_EARLY_DATA
static int keylog_callback(gnutls_session_t session, const char *label,
const gnutls_datum_t *secret)
{
}
return result;
}
+#endif
CURLcode Curl_gtls_ctx_init(struct gtls_ctx *gctx,
struct Curl_cfilter *cf,
goto out;
}
+#ifdef CURL_GNUTLS_EARLY_DATA
/* Open the file if a TLS or QUIC backend has not done this before. */
Curl_tls_keylog_open();
if(Curl_tls_keylog_enabled()) {
gnutls_session_set_keylog_function(gctx->session, keylog_callback);
}
+#endif
/* convert the ALPN string from our arguments to a list of strings that
* gnutls wants and will convert internally back to this string for sending
result = Curl_gtls_ctx_init(&backend->gtls, cf, data, &connssl->peer,
connssl->alpn, NULL, NULL, cf,
- gtls_on_session_reuse);
+#ifdef CURL_GNUTLS_EARLY_DATA
+ gtls_on_session_reuse
+#else
+ NULL
+#endif
+ );
+
if(result)
return result;
infof(data, VTLS_INFOF_ALPN_OFFER_1STR, proto.data);
}
+#ifdef CURL_GNUTLS_EARLY_DATA
gnutls_handshake_set_hook_function(backend->gtls.session,
GNUTLS_HANDSHAKE_ANY, GNUTLS_HOOK_POST,
gtls_handshake_cb);
+#endif
/* register callback functions and handle to send and receive data. */
gnutls_transport_set_ptr(backend->gtls.session, cf);
if(result)
goto out;
+#ifdef CURL_GNUTLS_EARLY_DATA
/* Only on TLSv1.2 or lower do we have the session id now. For
* TLSv1.3 we get it via a SESSION_TICKET message that arrives later. */
if(gnutls_protocol_get_version(session) < GNUTLS_TLS1_3)
result = cf_gtls_update_session_id(cf, data, session);
+#endif
out:
return result;
}
+#ifdef CURL_GNUTLS_EARLY_DATA
static CURLcode gtls_send_earlydata(struct Curl_cfilter *cf,
struct Curl_easy *data)
{
out:
return result;
}
+#endif
/*
* This function is called after the TCP connect has completed. Setup the TLS
}
if(connssl->connecting_state == ssl_connect_2) {
+#ifdef CURL_GNUTLS_EARLY_DATA
if(connssl->earlydata_state == ssl_earlydata_await) {
goto out;
}
}
DEBUGASSERT((connssl->earlydata_state == ssl_earlydata_none) ||
(connssl->earlydata_state == ssl_earlydata_sent));
-
+#endif
result = handshake(cf, data);
if(result)
goto out;
if(result)
goto out;
+#ifdef CURL_GNUTLS_EARLY_DATA
if(connssl->earlydata_state > ssl_earlydata_none) {
/* We should be in this state by now */
DEBUGASSERT(connssl->earlydata_state == ssl_earlydata_sent);
GNUTLS_SFLAGS_EARLY_DATA) ?
ssl_earlydata_accepted : ssl_earlydata_rejected;
}
+#endif
connssl->connecting_state = ssl_connect_done;
}
struct Curl_easy *data,
bool *done)
{
+#ifdef CURL_GNUTLS_EARLY_DATA
struct ssl_connect_data *connssl = cf->ctx;
if((connssl->state == ssl_connection_deferred) &&
(connssl->earlydata_state == ssl_earlydata_await)) {
*done = TRUE;
return CURLE_OK;
}
+#endif
return gtls_connect_common(cf, data, done);
}
projects / thirdparty / curl.git / commitdiff
