mbedTLS: Implemented CURLOPT_SSL_CIPHER_LIST option

Use a lookup list to set the cipher suites, allowing the ciphers to be set by either openssl or IANA names. To keep the binary size of the lookup list down we compress each entry in the cipher list down to 2 + 6 bytes using the C preprocessor.
jan2000 · Apr 22, 2024 · b35aea9 · b35aea9
1 parent d1a8b35
commit b35aea9
Show file tree

Hide file tree

Showing 10 changed files with 1,476 additions and 16 deletions.
diff --git a/docs/libcurl/opts/CURLOPT_PROXY_SSL_CIPHER_LIST.md b/docs/libcurl/opts/CURLOPT_PROXY_SSL_CIPHER_LIST.md
@@ -19,6 +19,7 @@ TLS-backend:
   - Secure Transport
   - wolfSSL
   - GnuTLS
+  - mbedTLS
 ---
 
 # NAME
@@ -49,12 +50,13 @@ set when you compile OpenSSL.
 For WolfSSL, valid examples of cipher lists include **ECDHE-RSA-RC4-SHA**,
 **AES256-SHA:AES256-SHA256**, etc.
 
-For BearSSL, valid examples of cipher lists include
-**ECDHE-RSA-CHACHA20-POLY1305:ECDHE-RSA-AES128-GCM-SHA256**, or when using IANA names
+For mbedTLS and BearSSL, valid examples of cipher lists include
+**ECDHE-RSA-CHACHA20-POLY1305:ECDHE-RSA-AES128-GCM-SHA256**, or when using
+IANA names
 **TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256:TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256**,
-etc.
-With BearSSL you do not add/remove ciphers. If one uses this option then all
-known ciphers are disabled and only those passed in are enabled.
+etc. With mbedTLS and BearSSL you do not add/remove ciphers. If one uses this
+option then all known ciphers are disabled and only those passed in are
+enabled.
 
 Find more details about cipher lists on this URL:
 
@@ -86,7 +88,7 @@ int main(void)
 
 # AVAILABILITY
 
-Added in 7.52.0, in 7.83.0 for BearSSL
+Added in 7.52.0, in 7.83.0 for BearSSL, in 8.8.0 for mbedTLS
 
 If built TLS enabled.
 

diff --git a/docs/libcurl/opts/CURLOPT_SSL_CIPHER_LIST.md b/docs/libcurl/opts/CURLOPT_SSL_CIPHER_LIST.md
@@ -19,6 +19,7 @@ TLS-backend:
   - Secure Transport
   - wolfSSL
   - GnuTLS
+  - mbedTLS
 ---
 
 # NAME
@@ -48,12 +49,13 @@ you compile OpenSSL.
 For WolfSSL, valid examples of cipher lists include **ECDHE-RSA-RC4-SHA**,
 **AES256-SHA:AES256-SHA256**, etc.
 
-For BearSSL, valid examples of cipher lists include
+For mbedTLS and BearSSL, valid examples of cipher lists include
 **ECDHE-RSA-CHACHA20-POLY1305:ECDHE-RSA-AES128-GCM-SHA256**, or when using
 IANA names
 **TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256:TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256**,
-etc. With BearSSL you do not add/remove ciphers. If one uses this option then
-all known ciphers are disabled and only those passed in are enabled.
+etc. With mbedTLS and BearSSL you do not add/remove ciphers. If one uses this
+option then all known ciphers are disabled and only those passed in are
+enabled.
 
 For Schannel, you can use this option to set algorithms but not specific
 cipher suites. Refer to the ciphers lists document for algorithms.
@@ -87,7 +89,7 @@ int main(void)
 
 # AVAILABILITY
 
-Added in 7.9, in 7.83.0 for BearSSL
+Added in 7.9, in 7.83.0 for BearSSL, in 8.8.0 for mbedTLS
 
 If built TLS enabled.
 

diff --git a/lib/Makefile.inc b/lib/Makefile.inc
@@ -44,6 +44,7 @@ LIB_VAUTH_HFILES =      \
 
 LIB_VTLS_CFILES =           \
   vtls/bearssl.c            \
+  vtls/cipher_suite.c       \
   vtls/gtls.c               \
   vtls/hostcheck.c          \
   vtls/keylog.c             \
@@ -60,6 +61,7 @@ LIB_VTLS_CFILES =           \
 
 LIB_VTLS_HFILES =           \
   vtls/bearssl.h            \
+  vtls/cipher_suite.h       \
   vtls/gtls.h               \
   vtls/hostcheck.h          \
   vtls/keylog.h             \