mbedTLS: implement CURLOPT_SSL_CIPHER_LIST option

Use a lookup list to set the cipher suites, allowing the ciphers to be set by either openssl or IANA names. To keep the binary size of the lookup list down we compress each entry in the cipher list down to 2 + 6 bytes using the C preprocessor. Closes curl#13442
jan2000 · Apr 24, 2024 · fba9afe · fba9afe
1 parent 43299e9
commit fba9afe
Show file tree

Hide file tree

Showing 11 changed files with 1,485 additions and 16 deletions.
diff --git a/.github/scripts/codespell-ignore.txt b/.github/scripts/codespell-ignore.txt
@@ -13,3 +13,4 @@ inout
 msdos
 ba
 fo
+ede
diff --git a/docs/libcurl/opts/CURLOPT_PROXY_SSL_CIPHER_LIST.md b/docs/libcurl/opts/CURLOPT_PROXY_SSL_CIPHER_LIST.md
@@ -19,6 +19,7 @@ TLS-backend:
   - Secure Transport
   - wolfSSL
   - GnuTLS
+  - mbedTLS
 ---
 
 # NAME
@@ -49,12 +50,13 @@ set when you compile OpenSSL.
 For WolfSSL, valid examples of cipher lists include **ECDHE-RSA-RC4-SHA**,
 **AES256-SHA:AES256-SHA256**, etc.
 
-For BearSSL, valid examples of cipher lists include
-**ECDHE-RSA-CHACHA20-POLY1305:ECDHE-RSA-AES128-GCM-SHA256**, or when using IANA names
+For mbedTLS and BearSSL, valid examples of cipher lists include
+**ECDHE-RSA-CHACHA20-POLY1305:ECDHE-RSA-AES128-GCM-SHA256**, or when using
+IANA names
 **TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256:TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256**,
-etc.
-With BearSSL you do not add/remove ciphers. If one uses this option then all
-known ciphers are disabled and only those passed in are enabled.
+etc. With mbedTLS and BearSSL you do not add/remove ciphers. If one uses this
+option then all known ciphers are disabled and only those passed in are
+enabled.
 
 Find more details about cipher lists on this URL:
 
@@ -86,7 +88,7 @@ int main(void)
 
 # AVAILABILITY
 
-Added in 7.52.0, in 7.83.0 for BearSSL
+Added in 7.52.0, in 7.83.0 for BearSSL, in 8.8.0 for mbedTLS
 
 If built TLS enabled.
 

diff --git a/docs/libcurl/opts/CURLOPT_SSL_CIPHER_LIST.md b/docs/libcurl/opts/CURLOPT_SSL_CIPHER_LIST.md
@@ -19,6 +19,7 @@ TLS-backend:
   - Secure Transport
   - wolfSSL
   - GnuTLS
+  - mbedTLS
 ---
 
 # NAME
@@ -48,12 +49,13 @@ you compile OpenSSL.
 For WolfSSL, valid examples of cipher lists include **ECDHE-RSA-RC4-SHA**,
 **AES256-SHA:AES256-SHA256**, etc.
 
-For BearSSL, valid examples of cipher lists include
+For mbedTLS and BearSSL, valid examples of cipher lists include
 **ECDHE-RSA-CHACHA20-POLY1305:ECDHE-RSA-AES128-GCM-SHA256**, or when using
 IANA names
 **TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256:TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256**,
-etc. With BearSSL you do not add/remove ciphers. If one uses this option then
-all known ciphers are disabled and only those passed in are enabled.
+etc. With mbedTLS and BearSSL you do not add/remove ciphers. If one uses this
+option then all known ciphers are disabled and only those passed in are
+enabled.
 
 For Schannel, you can use this option to set algorithms but not specific
 cipher suites. Refer to the ciphers lists document for algorithms.
@@ -87,7 +89,7 @@ int main(void)
 
 # AVAILABILITY
 
-Added in 7.9, in 7.83.0 for BearSSL
+Added in 7.9, in 7.83.0 for BearSSL, in 8.8.0 for mbedTLS
 
 If built TLS enabled.
 

diff --git a/lib/Makefile.inc b/lib/Makefile.inc
@@ -44,6 +44,7 @@ LIB_VAUTH_HFILES =      \
 
 LIB_VTLS_CFILES =           \
   vtls/bearssl.c            \
+  vtls/cipher_suite.c       \
   vtls/gtls.c               \
   vtls/hostcheck.c          \
   vtls/keylog.c             \
@@ -60,6 +61,7 @@ LIB_VTLS_CFILES =           \
 
 LIB_VTLS_HFILES =           \
   vtls/bearssl.h            \
+  vtls/cipher_suite.h       \
   vtls/gtls.h               \
   vtls/hostcheck.h          \
   vtls/keylog.h             \