git-market/curl-curl
1
0
Fork 0
mirror of https://github.com/curl/curl.git synced 2026-04-15 01:05:56 +08:00
Code Issues Actions 15 Packages Projects Releases Wiki Activity
测试 mirror
37,359 Commits 14 Branches 229 Tags 263 MiB
C 74.4%
Perl 8.3%
Python 5.3%
M4 4.6%
CMake 2.8%
Other 4.5%
1dc6ddde06
Go to file
Wyatt O'Day 1dc6ddde06
mbedTLS: cleanup insecure/deprecated code 
1. With `MBEDTLS_SSL_PROTO_TLS1_2` not enabled, the mbedTLS code was not
able to connect to any server due to broken logic in curl's
`mbed_set_ssl_version_min_max()`. Now it correctly sets the minimum
supported TLS version based on what is compiled in the library.

2. If debugging is enabled, move the debugging enabling earlier in the
`mbed_connect_step1()` so that verbose errors are actually displayed if
failures happen (see the previous point -- it would've made debugging
that issue easier).

3. Remove the constant `mbedtls_x509_crt_profile_fr` and instead use
mbedTLS-included profile `mbedtls_x509_crt_profile_next` with
`mbedtls_ssl_conf_cert_profile()`. This will follow the latest standards
as new mbedTLS versions are released (rather than being stuck-in-time
until someone comes along to fix what was hard-coded here). This has the
immediate benefit of no longer supporting SHA1 certs and insecure RSA
key-lengths (1024). This fix immediately prevents previously possible
MITM attacks (SHA1 hashes and RSA-1024 keys can be forged relatively
easily by nation-state actors and criminal organizations with
deep-pockets).

4. Added [predictive
resistance](https://mbed-tls.readthedocs.io/en/latest/kb/how-to/add-a-random-generator/#enabling-prediction-resistance)
to the random number generator (adding more entropy to the RNG).

5. Split the random number generator into initialization, the actual
random generation, and the "freeing" of the resources. This
significantly reduces the overhead of using the RNG.

6. Removed the separate RNG function in the TLS connect stage (instead
use the "main" one) and remove the ad-hoc threading support. Instead
properly document how to enable threading in mbedTLS. As it was, other
internals of mbedTLS could have race conditions (in the RSA module in
particular) if `MBEDTLS_THREADING_C` was *not* enabled. And if it is
enabled, then these race-conditions cannot happen. And also, if
MBEDTLS_THREADING_C is enabled then the RNG functions [are fully
thread-safe](https://mbed-tls.readthedocs.io/en/latest/kb/development/thread-safety-and-multi-threading/).

   So, the previous ad-hoc threading support was both partial and broken.

7. Enable support for disabling `MBEDTLS_PEM_PARSE_C`.

8. Add support for `CURLOPT_SSLCERTTYPE` so user can specify `PEM` or
`DER` and get faster execution.

Closes #19983
2025-12-20 17:33:57 +01:00
.circleci runtests: detect bad libssh differently for test 1459 (fixing CircleCI libssh job) 2025-11-16 23:28:44 +01:00
.github GHA/http3-linux: set minimum number of runtest tests 2025-12-20 15:31:30 +01:00
CMake cmake: match filename suffixes with file content 2025-12-20 11:34:27 +01:00
docs mbedTLS: cleanup insecure/deprecated code 2025-12-20 17:33:57 +01:00
include badwords: catch and fix threading-related words 2025-12-16 21:26:58 +01:00
lib mbedTLS: cleanup insecure/deprecated code 2025-12-20 17:33:57 +01:00
LICENSES krb5: drop support for Kerberos FTP 2025-09-20 23:58:28 +02:00
m4 openssl: drop includes unused or duplicate 2025-12-20 13:51:05 +01:00
packages tidy-up: miscellaneous 2025-12-12 04:18:48 +01:00
plan9 tidy-up: LibreSSL Git repository URLs and local CI builds 2025-10-01 12:55:20 +02:00
projects localtime: detect thread-safe alternatives and use them 2025-12-16 14:30:06 +01:00
scripts curlx: add curlx_rename(), fix to support long filenames on Windows 2025-12-20 16:03:11 +01:00
src windows: fix CreateFile() calls to support long filenames 2025-12-20 14:16:42 +01:00
tests GHA/http3-linux: set minimum number of runtest tests 2025-12-20 15:31:30 +01:00
.dir-locals.el copyright: update all copyright lines and remove year ranges 2023-01-03 09:19:21 +01:00
.editorconfig .editorconfig: add 2025-09-02 08:36:40 +02:00
.git-blame-ignore-revs copyright: update all copyright lines and remove year ranges 2023-01-03 09:19:21 +01:00
.gitattributes winbuild: MS-DOS batch tidy-ups 2024-07-02 19:26:15 +02:00
.gitignore build: drop the winbuild build system 2025-09-20 01:20:25 +02:00
.mailmap REUSE: add copyright header to two files 2025-11-03 16:08:52 +01:00
acinclude.m4 tidy-up: miscellaneous 2025-12-18 21:27:58 +01:00
appveyor.sh tidy-up: miscellaneous 2025-12-04 20:14:11 +01:00
appveyor.yml appveyor: add support for using custom CMake versions 2025-11-28 00:51:08 +01:00
buildconf copyright: update all copyright lines and remove year ranges 2023-01-03 09:19:21 +01:00
CHANGES.md CHANGES: rename to CHANGES.md, no longer generated 2024-08-01 13:37:12 +02:00
CMakeLists.txt cmake: match filename suffixes with file content 2025-12-20 11:34:27 +01:00
configure.ac localtime: detect thread-safe alternatives and use them 2025-12-16 14:30:06 +01:00
COPYING COPYING: bump copyright year range to 1996 - 2025 2025-01-01 21:12:12 +01:00
curl-config.in autotools: tidy-up if expressions 2025-12-10 22:29:19 +01:00
Dockerfile Dockerfile: update debian:bookworm-slim digest to e899040 2025-12-09 12:40:18 +01:00
GIT-INFO.md REUSE: add copyright header to two files 2025-11-03 16:08:52 +01:00
libcurl.pc.in configure: do not echo most inherited LDFLAGS to config files 2024-11-14 09:55:45 +01:00
Makefile.am cmake: match filename suffixes with file content 2025-12-20 11:34:27 +01:00
README FAQ/TODO/KNOWN_BUGS: convert to markdown 2025-12-09 10:52:56 +01:00
README.md tidy-up: URLs 2025-12-09 00:19:10 +01:00
RELEASE-NOTES RELEASE-NOTES: synced 2025-12-19 11:07:53 +01:00
renovate.json renovate: try to disable GitHub Actions updates differently 2025-12-14 09:17:08 +01:00
REUSE.toml FAQ/TODO/KNOWN_BUGS: convert to markdown 2025-12-09 10:52:56 +01:00
SECURITY.md docs: Clarify OpenSSF Best Practices vs Scorecard 2024-08-22 11:50:20 +02:00

README.md

curl logo

curl is a command-line tool for transferring data from or to a server using URLs. It supports these protocols: DICT, FILE, FTP, FTPS, GOPHER, GOPHERS, HTTP, HTTPS, IMAP, IMAPS, LDAP, LDAPS, MQTT, POP3, POP3S, RTMP, RTMPS, RTSP, SCP, SFTP, SMB, SMBS, SMTP, SMTPS, TELNET, TFTP, WS and WSS.

Learn how to use curl by reading the man page or everything curl.

Find out how to install curl by reading the INSTALL document.

libcurl is the library curl is using to do its job. It is readily available to be used by your software. Read the libcurl man page to learn how.

Open Source

curl is Open Source and is distributed under an MIT-like license.

Contact

Contact us on a suitable mailing list or use GitHub issues/ pull requests/ discussions.

All contributors to the project are listed in the THANKS document.

Commercial support

For commercial support, maybe private and dedicated help with your problems or applications using (lib)curl visit the support page.

Website

Visit the curl website for the latest news and downloads.

Source code

Download the latest source from the Git server:

git clone https://github.com/curl/curl

Security problems

Report suspected security problems via our HackerOne page and not in public.

Backers

Thank you to all our backers 🙏 Become a backer.

Sponsors

Support this project by becoming a sponsor.