From acf0af0570aa93e3cb6017093cda62f6c286124c Mon Sep 17 00:00:00 2001 From: K1 Date: Fri, 3 Jan 2025 16:23:44 +0800 Subject: [PATCH] =?UTF-8?q?=E4=BF=AE=E5=A4=8Dwindows=E4=B8=8Acurl=20TLCP?= =?UTF-8?q?=E6=97=A0=E6=B3=95=E4=BD=BF=E7=94=A8=E7=9A=84=E9=97=AE=E9=A2=98?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit windows上使用nmake构建,和Linux构建脚本不一样,增加NTLS相关编译选项; 同步curl最新代码,重新适配。 --- .github/scripts/spacecheck.pl | 2 + .github/workflows/release.yml | 31 +- .github/workflows/reuse.yml | 33 - .github/workflows/tongsuo.yml | 91 +- Makefile.am | 2 +- docs/examples/https-tlcp-doublecerts.c | 52 +- docs/examples/https-tlcp.c | 41 +- tongsuo.patch | 1652 +++++++++++++----------- 8 files changed, 1025 insertions(+), 879 deletions(-) delete mode 100644 .github/workflows/reuse.yml diff --git a/.github/scripts/spacecheck.pl b/.github/scripts/spacecheck.pl index b2473b154414..760c081f57bf 100755 --- a/.github/scripts/spacecheck.pl +++ b/.github/scripts/spacecheck.pl @@ -33,6 +33,7 @@ "\\.(bat|sln|vc)\$", "^tests/certs/.+\\.der\$", "^tests/data/test", + "tongsuo.patch", ); my @mixed_eol = ( @@ -49,6 +50,7 @@ my @space_at_eol = ( "^tests/.+\\.(cacert|crt|pem)\$", "^tests/data/test", + "tongsuo.patch", ); my @eol_at_eof = ( diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 0c0c014489b1..f5b9190f9a6d 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -4,7 +4,7 @@ name: release -on: +'on': workflow_dispatch: tags: - '*' @@ -34,20 +34,20 @@ jobs: needs: [new_release] strategy: matrix: - builder: [macos-latest, ubuntu-20.04] + builder: [ubuntu-20.04, macos-latest, macos-13] name: "build-${{ matrix.builder }}" steps: - - run: | - brew install libtool autoconf automake pkg-config - mv /usr/local/include/openssl /usr/local/include/openssl.bak - if: ${{ matrix.builder == 'macos-latest' }} + - run: brew install libtool autoconf automake pkg-config + if: ${{ matrix.builder == 'macos-latest' || matrix.builder == 'macos-13' }} + - run: mv /usr/local/include/openssl /usr/local/include/openssl.bak + if: ${{ matrix.builder == 'macos-13' }} - name: build Tongsuo run: | - VERSION=8.3.3 + VERSION=8.4.0 wget "https://github.com/Tongsuo-Project/Tongsuo/archive/refs/tags/${VERSION}.tar.gz" tar zxf "${VERSION}.tar.gz" pushd "Tongsuo-${VERSION}" - ./config --prefix=${GITHUB_WORKSPACE}/tongsuo no-shared enable-ntls --release + ./config --prefix=${GITHUB_WORKSPACE}/tongsuo no-shared enable-ntls enable-ssl-trace --release make -s -j4 make install_sw popd @@ -62,7 +62,6 @@ jobs: autoreconf -fi ./configure --enable-warnings --enable-werror --with-openssl=${GITHUB_WORKSPACE}/tongsuo --without-zlib --without-brotli --disable-shared --disable-ldap --disable-ldaps --disable-rtsp --without-librtmp --enable-static make -s -j4 - - name: upload artifact uses: actions/upload-release-asset@v1 env: @@ -70,7 +69,7 @@ jobs: with: upload_url: ${{ needs.new_release.outputs.upload_url }} asset_path: ./curl/src/curl - asset_name: curl-${{ runner.os }} + asset_name: curl-${{ runner.os }}-${{ runner.arch }} asset_content_type: application/octet-stream build_windows: @@ -88,7 +87,7 @@ jobs: - name: Export env shell: bash run: | - VERSION=8.3.3 + VERSION=8.4.0 echo "TONGSUO_VERSION=${VERSION}" >> $GITHUB_ENV echo "TONGSUO_HOME=${GITHUB_WORKSPACE}\tongsuo${VERSION}" >> $GITHUB_ENV - name: Download Tongsuo source @@ -103,7 +102,7 @@ jobs: pushd "Tongsuo-%TONGSUO_VERSION%" mkdir _build pushd _build - perl ..\Configure no-makedepend no-shared VC-WIN64A --prefix=%TONGSUO_HOME% + perl ..\Configure no-makedepend no-shared enable-ntls enable-ssl-trace VC-WIN64A --prefix=%TONGSUO_HOME% --release nmake /S nmake install_sw popd @@ -116,10 +115,12 @@ jobs: working-directory: ./curl shell: powershell run: | - git apply tongsuo.diff + git apply tongsuo.patch ./buildconf.bat cd winbuild - nmake /f Makefile.vc mode=static WITH_SSL=static SSL_PATH=${env:TONGSUO_HOME} RTLIBCFG=static + nmake /f Makefile.vc MACHINE=x64 mode=static WITH_SSL=static SSL_PATH=${env:TONGSUO_HOME} RTLIBCFG=static ENABLE_NTLS=yes + cd .. + builds\libcurl-vc-x64-release-static-ssl-static-ipv6-sspi\bin\curl.exe --help tls | findstr tlcp - name: upload artifact uses: actions/upload-release-asset@v1 env: @@ -127,5 +128,5 @@ jobs: with: upload_url: ${{ needs.new_release.outputs.upload_url }} asset_path: .\curl\builds\libcurl-vc-x64-release-static-ssl-static-ipv6-sspi\bin\curl.exe - asset_name: curl-${{ runner.os }}.exe + asset_name: curl-${{ runner.os }}-${{ runner.arch }}.exe asset_content_type: application/octet-stream diff --git a/.github/workflows/reuse.yml b/.github/workflows/reuse.yml deleted file mode 100644 index f9e34b29557e..000000000000 --- a/.github/workflows/reuse.yml +++ /dev/null @@ -1,33 +0,0 @@ -# Copyright (C) Daniel Stenberg, , et al. -# SPDX-FileCopyrightText: 2022 Free Software Foundation Europe e.V. -# -# SPDX-License-Identifier: curl - -name: REUSE compliance - -on: - push: - branches: - - master - - '*/ci' - pull_request: - branches: - - master - -concurrency: - group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.sha }} - cancel-in-progress: true - -permissions: {} - -jobs: - check: - runs-on: ubuntu-latest - steps: - - uses: actions/checkout@v4 - - name: patch tongsuo - run: | - git apply tongsuo.patch - rm -f tongsuo.patch - - name: REUSE Compliance Check - uses: fsfe/reuse-action@v2 diff --git a/.github/workflows/tongsuo.yml b/.github/workflows/tongsuo.yml index c96592f15105..b6d91a036408 100644 --- a/.github/workflows/tongsuo.yml +++ b/.github/workflows/tongsuo.yml @@ -4,36 +4,91 @@ name: build-with-tongsuo -on: [workflow_dispatch, pull_request, push] +'on': [workflow_dispatch, pull_request, push] jobs: - autotools: - runs-on: 'ubuntu-latest' - timeout-minutes: 60 - + build_linux_macos: + runs-on: ${{ matrix.builder }} + strategy: + matrix: + builder: [ubuntu-20.04, macos-latest, macos-13] + name: "build-${{ matrix.builder }}" steps: - - name: checkout tongsuo - uses: actions/checkout@v2 - with: - repository: Tongsuo-Project/Tongsuo - path: Tongsuo - - name: install Tongsuo - working-directory: ./Tongsuo + - run: brew install libtool autoconf automake pkg-config + if: ${{ matrix.builder == 'macos-latest' || matrix.builder == 'macos-13' }} + - run: mv /usr/local/include/openssl /usr/local/include/openssl.bak + if: ${{ matrix.builder == 'macos-13' }} + - name: build Tongsuo run: | - ./config --banner=Configured --prefix=${GITHUB_WORKSPACE}/install enable-ntls + VERSION=8.4.0 + wget "https://github.com/Tongsuo-Project/Tongsuo/archive/refs/tags/${VERSION}.tar.gz" + tar zxf "${VERSION}.tar.gz" + pushd "Tongsuo-${VERSION}" + ./config --prefix=${GITHUB_WORKSPACE}/tongsuo no-shared enable-ntls enable-ssl-trace --release make -s -j4 - make install - - uses: actions/checkout@v3 + make install_sw + popd + - uses: actions/checkout@v2 with: path: curl - + fetch-depth: 0 - name: build curl working-directory: ./curl run: | git apply tongsuo.patch autoreconf -fi - LDFLAGS=-Wl,-rpath=${GITHUB_WORKSPACE}/install/lib64/ ./configure --enable-warnings --enable-werror --with-openssl=${GITHUB_WORKSPACE}/install - make V=1 + ./configure --enable-warnings --enable-werror --with-openssl=${GITHUB_WORKSPACE}/tongsuo --without-zlib --without-brotli --disable-shared --disable-ldap --disable-ldaps --disable-rtsp --without-librtmp --without-libpsl --enable-static + make -s -j4 make V=1 examples make V=1 -C tests make V=1 test-ci + ./src/curl --help tls | grep tlcp + + build_windows: + runs-on: windows-latest + steps: + - run: choco install -y winrar + - uses: ilammy/msvc-dev-cmd@v1 + with: + arch: win64 + - uses: ilammy/setup-nasm@v1 + with: + platform: win64 + - uses: shogo82148/actions-setup-perl@v1 + - name: Export env + shell: bash + run: | + VERSION=8.4.0 + echo "TONGSUO_VERSION=${VERSION}" >> $GITHUB_ENV + echo "TONGSUO_HOME=${GITHUB_WORKSPACE}\tongsuo${VERSION}" >> $GITHUB_ENV + - name: Download Tongsuo source + run: | + wget "https://github.com/Tongsuo-Project/Tongsuo/archive/refs/tags/${env:TONGSUO_VERSION}.tar.gz" -OutFile "${env:TONGSUO_VERSION}.tar.gz" + shell: powershell + - run: '"C:\Program Files\WinRAR\WinRAR.exe" -INUL x %TONGSUO_VERSION%.tar.gz' + shell: cmd + - name: Build Tongsuo + shell: cmd + run: | + pushd "Tongsuo-%TONGSUO_VERSION%" + mkdir _build + pushd _build + perl ..\Configure no-makedepend no-shared enable-ntls enable-ssl-trace VC-WIN64A --prefix=%TONGSUO_HOME% --release + nmake /S + nmake install_sw + popd + popd + - uses: actions/checkout@v2 + with: + path: curl + fetch-depth: 0 + - name: build curl + working-directory: ./curl + shell: powershell + run: | + git apply tongsuo.patch + ./buildconf.bat + cd winbuild + nmake /f Makefile.vc MACHINE=x64 mode=static WITH_SSL=static SSL_PATH=${env:TONGSUO_HOME} RTLIBCFG=static ENABLE_NTLS=yes + cd .. + builds\libcurl-vc-x64-release-static-ssl-static-ipv6-sspi\bin\curl.exe --help tls | findstr tlcp diff --git a/Makefile.am b/Makefile.am index 20405122d43d..6d302e7243cd 100644 --- a/Makefile.am +++ b/Makefile.am @@ -83,7 +83,7 @@ PLAN9_DIST = plan9/include/mkfile \ EXTRA_DIST = CHANGES.md COPYING Makefile.dist \ RELEASE-NOTES $(CMAKE_DIST) $(VC_DIST) $(WINBUILD_DIST) \ - $(PLAN9_DIST) buildconf.bat Dockerfile + $(PLAN9_DIST) buildconf.bat Dockerfile tongsuo.patch CLEANFILES = $(VC14_LIBVCXPROJ) $(VC14_SRCVCXPROJ) \ $(VC14_10_LIBVCXPROJ) $(VC14_10_SRCVCXPROJ) \ diff --git a/docs/examples/https-tlcp-doublecerts.c b/docs/examples/https-tlcp-doublecerts.c index 0196d509a5b1..1c767afecb3b 100644 --- a/docs/examples/https-tlcp-doublecerts.c +++ b/docs/examples/https-tlcp-doublecerts.c @@ -28,36 +28,40 @@ #include #include -int main(int argc, char **argv) +int main(void) { - CURL *curl; - CURLcode res; + CURL *curl; + CURLcode res; - curl = curl_easy_init(); - if (curl) { - curl_easy_setopt(curl, CURLOPT_URL, "https://127.0.0.1:443"); - curl_easy_setopt(curl, CURLOPT_SSLVERSION, CURL_SSLVERSION_NTLSv1_1); - curl_easy_setopt(curl, CURLOPT_SSL_CIPHER_LIST, - "ECDHE-SM2-SM4-CBC-SM3"); + curl = curl_easy_init(); + if(curl) { + curl_easy_setopt(curl, CURLOPT_URL, "https://127.0.0.1:443"); + curl_easy_setopt(curl, CURLOPT_SSLVERSION, CURL_SSLVERSION_NTLSv1_1); + curl_easy_setopt(curl, CURLOPT_SSL_CIPHER_LIST, + "ECDHE-SM2-SM4-CBC-SM3"); - curl_easy_setopt(curl, CURLOPT_SSLSIGNCERT, "sm2_sign.crt"); - curl_easy_setopt(curl, CURLOPT_SSLSIGNKEY, "sm2_sign.key"); - curl_easy_setopt(curl, CURLOPT_SSLENCCERT, "sm2_enc.crt"); - curl_easy_setopt(curl, CURLOPT_SSLENCKEY, "sm2_enc.key"); + curl_easy_setopt(curl, CURLOPT_SSLSIGNCERT, "sm2_sign.crt"); + curl_easy_setopt(curl, CURLOPT_SSLSIGNKEY, "sm2_sign.key"); + curl_easy_setopt(curl, CURLOPT_SSLENCCERT, "sm2_enc.crt"); + curl_easy_setopt(curl, CURLOPT_SSLENCKEY, "sm2_enc.key"); - /* optional */ - curl_easy_setopt(curl, CURLOPT_SSL_VERIFYPEER, 0); - curl_easy_setopt(curl, CURLOPT_SSL_VERIFYHOST, 0); + /* optional */ + curl_easy_setopt(curl, CURLOPT_SSL_VERIFYPEER, 0); + curl_easy_setopt(curl, CURLOPT_SSL_VERIFYHOST, 0); - res = curl_easy_perform(curl); + res = curl_easy_perform(curl); - if(res != CURLE_OK) - fprintf(stderr, "curl_easy_perform() failed: %s\n", - curl_easy_strerror(res)); + if(res != CURLE_OK) + fprintf(stderr, "curl_easy_perform() failed: %s\n", + curl_easy_strerror(res)); - curl_easy_cleanup(curl); - } + curl_easy_cleanup(curl); + } - return 0; + return 0; } -// gcc https-tlcp-doublecerts.c -o https-tlcp-doublecerts -I/usr/local/curl/include -lcurl -L/usr/local/curl/lib -Wl,-rpath=/usr/local/curl/lib \ No newline at end of file +/* +gcc https-tlcp-doublecerts.c -o https-tlcp-doublecerts \ +-I/usr/local/curl/include -lcurl -L/usr/local/curl/lib \ +-Wl,-rpath=/usr/local/curl/lib +*/ diff --git a/docs/examples/https-tlcp.c b/docs/examples/https-tlcp.c index 329461b8efeb..5099c8dbe757 100644 --- a/docs/examples/https-tlcp.c +++ b/docs/examples/https-tlcp.c @@ -28,30 +28,33 @@ #include #include -int main(int argc, char **argv) +int main(void) { - CURL *curl; - CURLcode res; + CURL *curl; + CURLcode res; - curl = curl_easy_init(); - if (curl) { - curl_easy_setopt(curl, CURLOPT_URL, "https://127.0.0.1:443"); - curl_easy_setopt(curl, CURLOPT_SSLVERSION, CURL_SSLVERSION_NTLSv1_1); - curl_easy_setopt(curl, CURLOPT_SSL_CIPHER_LIST, "ECC-SM2-SM4-CBC-SM3"); + curl = curl_easy_init(); + if(curl) { + curl_easy_setopt(curl, CURLOPT_URL, "https://127.0.0.1:443"); + curl_easy_setopt(curl, CURLOPT_SSLVERSION, CURL_SSLVERSION_NTLSv1_1); + curl_easy_setopt(curl, CURLOPT_SSL_CIPHER_LIST, "ECC-SM2-SM4-CBC-SM3"); - /* optional */ - curl_easy_setopt(curl, CURLOPT_SSL_VERIFYPEER, 0); - curl_easy_setopt(curl, CURLOPT_SSL_VERIFYHOST, 0); + /* optional */ + curl_easy_setopt(curl, CURLOPT_SSL_VERIFYPEER, 0); + curl_easy_setopt(curl, CURLOPT_SSL_VERIFYHOST, 0); - res = curl_easy_perform(curl); + res = curl_easy_perform(curl); - if(res != CURLE_OK) - fprintf(stderr, "curl_easy_perform() failed: %s\n", - curl_easy_strerror(res)); + if(res != CURLE_OK) + fprintf(stderr, "curl_easy_perform() failed: %s\n", + curl_easy_strerror(res)); - curl_easy_cleanup(curl); - } + curl_easy_cleanup(curl); + } - return 0; + return 0; } -// gcc https-tlcp.c -o https-tlcp -I/usr/local/curl/include -lcurl -L/usr/local/curl/lib -Wl,-rpath=/usr/local/curl/lib \ No newline at end of file +/* +gcc https-tlcp.c -o https-tlcp -I/usr/local/curl/include -lcurl \ +-L/usr/local/curl/lib -Wl,-rpath=/usr/local/curl/lib +*/ diff --git a/tongsuo.patch b/tongsuo.patch index 46dd0231119e..d4ed72c40b41 100644 --- a/tongsuo.patch +++ b/tongsuo.patch @@ -1,517 +1,428 @@ -diff --git a/docs/examples/https-tlcp-doublecerts.c b/docs/examples/https-tlcp-doublecerts.c -new file mode 100644 -index 000000000..0196d509a ---- /dev/null -+++ b/docs/examples/https-tlcp-doublecerts.c -@@ -0,0 +1,63 @@ -+/*************************************************************************** -+ * _ _ ____ _ -+ * Project ___| | | | _ \| | -+ * / __| | | | |_) | | -+ * | (__| |_| | _ <| |___ -+ * \___|\___/|_| \_\_____| -+ * -+ * Copyright (C) 2022 -+ * -+ * This software is licensed as described in the file COPYING, which -+ * you should have received as part of this distribution. The terms -+ * are also available at https://curl.se/docs/copyright.html. -+ * -+ * You may opt to use, copy, modify, merge, publish, distribute and/or sell -+ * copies of the Software, and permit persons to whom the Software is -+ * furnished to do so, under the terms of the COPYING file. -+ * -+ * This software is distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY -+ * KIND, either express or implied. -+ * -+ * SPDX-License-Identifier: curl -+ * -+ ***************************************************************************/ -+/* -+ * HTTP over TLCP with double certificates -+ * -+ */ -+#include -+#include +diff --git a/docs/libcurl/curl_easy_setopt.md b/docs/libcurl/curl_easy_setopt.md +index e0fe95cac..cc88339fd 100644 +--- a/docs/libcurl/curl_easy_setopt.md ++++ b/docs/libcurl/curl_easy_setopt.md +@@ -1068,6 +1068,14 @@ Client cert type. See CURLOPT_SSLCERTTYPE(3) + + Client cert memory buffer. See CURLOPT_SSLCERT_BLOB(3) + ++## CURLOPT_SSLENCCERT + -+int main(int argc, char **argv) -+{ -+ CURL *curl; -+ CURLcode res; ++Encryption certificate. See CURLOPT_SSLENCCERT(3) + -+ curl = curl_easy_init(); -+ if (curl) { -+ curl_easy_setopt(curl, CURLOPT_URL, "https://127.0.0.1:443"); -+ curl_easy_setopt(curl, CURLOPT_SSLVERSION, CURL_SSLVERSION_NTLSv1_1); -+ curl_easy_setopt(curl, CURLOPT_SSL_CIPHER_LIST, -+ "ECDHE-SM2-SM4-CBC-SM3"); ++## CURLOPT_SSLENCKEY + -+ curl_easy_setopt(curl, CURLOPT_SSLSIGNCERT, "sm2_sign.crt"); -+ curl_easy_setopt(curl, CURLOPT_SSLSIGNKEY, "sm2_sign.key"); -+ curl_easy_setopt(curl, CURLOPT_SSLENCCERT, "sm2_enc.crt"); -+ curl_easy_setopt(curl, CURLOPT_SSLENCKEY, "sm2_enc.key"); ++Encryption key. See CURLOPT_SSLENCKEY(3) + -+ /* optional */ -+ curl_easy_setopt(curl, CURLOPT_SSL_VERIFYPEER, 0); -+ curl_easy_setopt(curl, CURLOPT_SSL_VERIFYHOST, 0); + ## CURLOPT_SSLENGINE + + Use identifier with SSL engine. See CURLOPT_SSLENGINE(3) +@@ -1088,6 +1096,14 @@ Client key type. See CURLOPT_SSLKEYTYPE(3) + + Client key memory buffer. See CURLOPT_SSLKEY_BLOB(3) + ++## CURLOPT_SSLSIGNCERT + -+ res = curl_easy_perform(curl); ++Signature certificate. See CURLOPT_SSLSIGNCERT(3) + -+ if(res != CURLE_OK) -+ fprintf(stderr, "curl_easy_perform() failed: %s\n", -+ curl_easy_strerror(res)); ++## CURLOPT_SSLSIGNKEY + -+ curl_easy_cleanup(curl); -+ } ++Signature key. See CURLOPT_SSLSIGNKEY(3) + -+ return 0; -+} -+// gcc https-tlcp-doublecerts.c -o https-tlcp-doublecerts -I/usr/local/curl/include -lcurl -L/usr/local/curl/lib -Wl,-rpath=/usr/local/curl/lib -\ No newline at end of file -diff --git a/docs/examples/https-tlcp.c b/docs/examples/https-tlcp.c + ## CURLOPT_SSLVERSION + + SSL version to use. See CURLOPT_SSLVERSION(3) +diff --git a/docs/libcurl/opts/CURLOPT_SSLENCCERT.md b/docs/libcurl/opts/CURLOPT_SSLENCCERT.md new file mode 100644 -index 000000000..329461b8e +index 000000000..bc833bee3 --- /dev/null -+++ b/docs/examples/https-tlcp.c -@@ -0,0 +1,57 @@ -+/*************************************************************************** -+ * _ _ ____ _ -+ * Project ___| | | | _ \| | -+ * / __| | | | |_) | | -+ * | (__| |_| | _ <| |___ -+ * \___|\___/|_| \_\_____| -+ * -+ * Copyright (C) 2022 -+ * -+ * This software is licensed as described in the file COPYING, which -+ * you should have received as part of this distribution. The terms -+ * are also available at https://curl.se/docs/copyright.html. -+ * -+ * You may opt to use, copy, modify, merge, publish, distribute and/or sell -+ * copies of the Software, and permit persons to whom the Software is -+ * furnished to do so, under the terms of the COPYING file. -+ * -+ * This software is distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY -+ * KIND, either express or implied. -+ * -+ * SPDX-License-Identifier: curl -+ * -+ ***************************************************************************/ -+/* -+ * HTTP over TLCP -+ * -+ */ -+#include -+#include ++++ b/docs/libcurl/opts/CURLOPT_SSLENCCERT.md +@@ -0,0 +1,96 @@ ++--- ++c: Copyright (C) Daniel Stenberg, , et al. ++SPDX-License-Identifier: curl ++Title: CURLOPT_SSLENCCERT ++Section: 3 ++Source: libcurl ++See-also: ++ - CURLOPT_SSLCERTTYPE (3) ++ - CURLOPT_SSLENCKEY (3) ++ - CURLOPT_SSLSIGNCERT (3) ++ - CURLOPT_SSLSIGNKEY (3) ++ - CURLOPT_KEYPASSWD (3) ++Protocol: ++ - NTLS ++TLS-backend: ++ - Tongsuo ++Added-in: 7.80.0 ++--- + -+int main(int argc, char **argv) -+{ -+ CURL *curl; -+ CURLcode res; -+ -+ curl = curl_easy_init(); -+ if (curl) { -+ curl_easy_setopt(curl, CURLOPT_URL, "https://127.0.0.1:443"); -+ curl_easy_setopt(curl, CURLOPT_SSLVERSION, CURL_SSLVERSION_NTLSv1_1); -+ curl_easy_setopt(curl, CURLOPT_SSL_CIPHER_LIST, "ECC-SM2-SM4-CBC-SM3"); -+ -+ /* optional */ -+ curl_easy_setopt(curl, CURLOPT_SSL_VERIFYPEER, 0); -+ curl_easy_setopt(curl, CURLOPT_SSL_VERIFYHOST, 0); ++# NAME + -+ res = curl_easy_perform(curl); ++CURLOPT_SSLENCCERT - SSL client encryption certificate + -+ if(res != CURLE_OK) -+ fprintf(stderr, "curl_easy_perform() failed: %s\n", -+ curl_easy_strerror(res)); ++# SYNOPSIS + -+ curl_easy_cleanup(curl); -+ } -+ -+ return 0; -+} -+// gcc https-tlcp.c -o https-tlcp -I/usr/local/curl/include -lcurl -L/usr/local/curl/lib -Wl,-rpath=/usr/local/curl/lib -\ No newline at end of file -diff --git a/docs/libcurl/curl_easy_setopt.3 b/docs/libcurl/curl_easy_setopt.3 -index ae43811ab..6d9b21ba2 100644 ---- a/docs/libcurl/curl_easy_setopt.3 -+++ b/docs/libcurl/curl_easy_setopt.3 -@@ -690,6 +690,14 @@ Custom pointer to pass to ssh key callback. See \fICURLOPT_SSH_KEYDATA(3)\fP - Callback for checking host key handling. See \fICURLOPT_SSH_HOSTKEYFUNCTION(3)\fP - .IP CURLOPT_SSH_HOSTKEYDATA - Custom pointer to pass to ssh host key callback. See \fICURLOPT_SSH_HOSTKEYDATA(3)\fP -+.IP CURLOPT_SSLSIGNCERT -+Signature certificate. See \fICURLOPT_SSLSIGNCERT(3)\fP -+.IP CURLOPT_SSLSIGNKEY -+Signature key. See \fICURLOPT_SSLSIGNKEY(3)\fP -+.IP CURLOPT_SSLENCCERT -+Encryption certificate. See \fICURLOPT_SSLENCCERT(3)\fP -+.IP CURLOPT_SSLENCKEY -+Encryption key. See \fICURLOPT_SSLENCKEY(3)\fP - .SH WEBSOCKET - .IP CURLOPT_WS_OPTIONS - Set WebSocket options. See \fICURLOPT_WS_OPTIONS(3)\fP -diff --git a/docs/libcurl/opts/CURLOPT_SSLENCCERT.3 b/docs/libcurl/opts/CURLOPT_SSLENCCERT.3 -new file mode 100644 -index 000000000..fe60dba63 ---- /dev/null -+++ b/docs/libcurl/opts/CURLOPT_SSLENCCERT.3 -@@ -0,0 +1,91 @@ -+.\" ************************************************************************** -+.\" * _ _ ____ _ -+.\" * Project ___| | | | _ \| | -+.\" * / __| | | | |_) | | -+.\" * | (__| |_| | _ <| |___ -+.\" * \___|\___/|_| \_\_____| -+.\" * -+.\" * Copyright (C) Daniel Stenberg, , et al. -+.\" * -+.\" * This software is licensed as described in the file COPYING, which -+.\" * you should have received as part of this distribution. The terms -+.\" * are also available at https://curl.se/docs/copyright.html. -+.\" * -+.\" * You may opt to use, copy, modify, merge, publish, distribute and/or sell -+.\" * copies of the Software, and permit persons to whom the Software is -+.\" * furnished to do so, under the terms of the COPYING file. -+.\" * -+.\" * This software is distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY -+.\" * KIND, either express or implied. -+.\" * -+.\" * SPDX-License-Identifier: curl -+.\" * -+.\" ************************************************************************** -+.\" -+.TH CURLOPT_SSLENCCERT 3 "28 Oct 2023" libcurl libcurl -+.SH NAME -+CURLOPT_SSLENCCERT \- SSL client encryption certificate -+.SH SYNOPSIS -+.nf ++~~~c +#include + +CURLcode curl_easy_setopt(CURL *handle, CURLOPT_SSLENCCERT, char *cert); -+.fi -+.SH DESCRIPTION ++~~~ ++ ++# DESCRIPTION ++ +Pass a pointer to a null-terminated string as parameter. The string should be -+the file name of your client encryption certificate. The default format is "P12" -+on Secure Transport and "PEM" on other engines, and can be changed with -+\fICURLOPT_SSLCERTTYPE(3)\fP. ++the filename of your client encryption certificate. The default format is `P12` ++on Secure Transport and `PEM` on other engines, and can be changed with ++CURLOPT_SSLCERTTYPE(3). + +With Secure Transport, this can also be the nickname of the certificate you +wish to authenticate with as it is named in the security database. If you want -+to use a file from the current directory, please precede it with "./" prefix, ++to use a file from the current directory, please precede it with `./` prefix, +in order to avoid confusion with a nickname. + +(Schannel only) Client certificates can be specified by a path expression to a -+certificate store. (You can import \fIPFX\fP to a store first). You can use -+"\\\\" to refer to a certificate in -+the system certificates store, for example, -+\fB"CurrentUser\\MY\\934a7ac6f8a5d579285a74fa"\fP. The thumbprint is usually a -+SHA-1 hex string which you can see in certificate details. Following store -+locations are supported: \fBCurrentUser\fP, \fBLocalMachine\fP, -+\fBCurrentService\fP, \fBServices\fP, \fBCurrentUserGroupPolicy\fP, -+\fBLocalMachineGroupPolicy\fP, \fBLocalMachineEnterprise\fP. Schannel also -+support P12 certificate file, with the string "P12" specified with -+\fICURLOPT_SSLCERTTYPE(3)\fP. -+ -+When using a client encryption certificate, you most likely also need to provide a -+private key with \fICURLOPT_SSLENCKEY(3)\fP. ++certificate store. (You can import *PFX* to a store first). You can use ++"\\\\\\\" to refer to a certificate ++in the system certificates store, for example, ++**"CurrentUser\\MY\\934a7ac6f8a5d5"**. The thumbprint is usually a SHA-1 hex ++string which you can see in certificate details. Following store locations are ++supported: **CurrentUser**, **LocalMachine**, **CurrentService**, ++**Services**, **CurrentUserGroupPolicy**, **LocalMachineGroupPolicy**, ++**LocalMachineEnterprise**. Schannel also support P12 certificate file, with ++the string `P12` specified with CURLOPT_SSLCERTTYPE(3). ++ ++When using a client encryption certificate, you most likely also need to provide ++a private key with CURLOPT_SSLENCKEY(3). + +The application does not have to keep the string around after setting this +option. -+.SH DEFAULT ++ ++Using this option multiple times makes the last set string override the ++previous ones. Set it to NULL to disable its use again. ++ ++# DEFAULT ++ +NULL -+.SH PROTOCOLS -+All TLS based protocols: HTTPS, FTPS, IMAPS, POP3S, SMTPS etc. -+.SH EXAMPLE -+.nf -+CURL *curl = curl_easy_init(); -+if(curl) { -+ curl_easy_setopt(curl, CURLOPT_URL, "https://example.com/"); -+ curl_easy_setopt(curl, CURLOPT_SSLVERSION, CURL_SSLVERSION_NTLSv1_1); -+ curl_easy_setopt(curl, CURLOPT_SSLENCCERT, "enc.crt"); -+ curl_easy_setopt(curl, CURLOPT_SSLENCKEY, "enc.key"); -+ curl_easy_setopt(curl, CURLOPT_SSLSIGNCERT, "sign.crt"); -+ curl_easy_setopt(curl, CURLOPT_SSLSIGNKEY, "sign.key"); -+ curl_easy_setopt(curl, CURLOPT_KEYPASSWD, "s3cret"); -+ ret = curl_easy_perform(curl); -+ curl_easy_cleanup(curl); ++ ++# %PROTOCOLS% ++ ++# EXAMPLE ++ ++~~~c ++int main(void) ++{ ++ CURL *curl = curl_easy_init(); ++ if(curl) { ++ CURLcode res; ++ curl_easy_setopt(curl, CURLOPT_URL, "https://example.com/"); ++ curl_easy_setopt(curl, CURLOPT_SSLVERSION, CURL_SSLVERSION_NTLSv1_1); ++ curl_easy_setopt(curl, CURLOPT_SSLENCCERT, "enc.crt"); ++ curl_easy_setopt(curl, CURLOPT_SSLENCKEY, "enc.key"); ++ curl_easy_setopt(curl, CURLOPT_SSLSIGNCERT, "sign.crt"); ++ curl_easy_setopt(curl, CURLOPT_SSLSIGNKEY, "sign.key"); ++ curl_easy_setopt(curl, CURLOPT_KEYPASSWD, "s3cret"); ++ res = curl_easy_perform(curl); ++ curl_easy_cleanup(curl); ++ } +} -+.fi -+.SH AVAILABILITY -+If built TLS enabled. -+.SH RETURN VALUE -+Returns CURLE_OK if TLS enabled, CURLE_UNKNOWN_OPTION if not, or ++~~~ ++ ++# %AVAILABILITY% ++ ++# RETURN VALUE ++ ++Returns CURLE_OK if NTLS enabled, CURLE_UNKNOWN_OPTION if not, or +CURLE_OUT_OF_MEMORY if there was insufficient heap space. -+.SH "SEE ALSO" -+.BR CURLOPT_SSLCERTTYPE (3), -+.BR CURLOPT_SSLENCKEY (3), -+.BR CURLOPT_SSLSIGNCERT (3), -+.BR CURLOPT_SSLSIGNKEY (3), -+.BR CURLOPT_KEYPASSWD (3) -diff --git a/docs/libcurl/opts/CURLOPT_SSLENCKEY.3 b/docs/libcurl/opts/CURLOPT_SSLENCKEY.3 +diff --git a/docs/libcurl/opts/CURLOPT_SSLENCKEY.md b/docs/libcurl/opts/CURLOPT_SSLENCKEY.md new file mode 100644 -index 000000000..092f99cab +index 000000000..16a923230 --- /dev/null -+++ b/docs/libcurl/opts/CURLOPT_SSLENCKEY.3 -@@ -0,0 +1,74 @@ -+.\" ************************************************************************** -+.\" * _ _ ____ _ -+.\" * Project ___| | | | _ \| | -+.\" * / __| | | | |_) | | -+.\" * | (__| |_| | _ <| |___ -+.\" * \___|\___/|_| \_\_____| -+.\" * -+.\" * Copyright (C) Daniel Stenberg, , et al. -+.\" * -+.\" * This software is licensed as described in the file COPYING, which -+.\" * you should have received as part of this distribution. The terms -+.\" * are also available at https://curl.se/docs/copyright.html. -+.\" * -+.\" * You may opt to use, copy, modify, merge, publish, distribute and/or sell -+.\" * copies of the Software, and permit persons to whom the Software is -+.\" * furnished to do so, under the terms of the COPYING file. -+.\" * -+.\" * This software is distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY -+.\" * KIND, either express or implied. -+.\" * -+.\" * SPDX-License-Identifier: curl -+.\" * -+.\" ************************************************************************** -+.\" -+.TH CURLOPT_SSLENCKEY 3 "28 Oct 2023" libcurl libcurl -+.SH NAME -+CURLOPT_SSLENCKEY \- SSL client encryption key -+.SH SYNOPSIS -+.nf ++++ b/docs/libcurl/opts/CURLOPT_SSLENCKEY.md +@@ -0,0 +1,78 @@ ++--- ++c: Copyright (C) Daniel Stenberg, , et al. ++SPDX-License-Identifier: curl ++Title: CURLOPT_SSLENCKEY ++Section: 3 ++Source: libcurl ++See-also: ++ - CURLOPT_SSLENCCERT (3) ++ - CURLOPT_SSLSIGNCERT (3) ++ - CURLOPT_SSLSIGNKEY (3) ++ - CURLOPT_SSLKEYTYPE (3) ++Protocol: ++ - NTLS ++TLS-backend: ++ - Tongsuo ++Added-in: 7.80.0 ++--- ++ ++# NAME ++ ++CURLOPT_SSLENCKEY - private key file for NTLS and SSL client encryption cert ++ ++# SYNOPSIS ++ ++~~~c +#include + +CURLcode curl_easy_setopt(CURL *handle, CURLOPT_SSLENCKEY, char *keyfile); -+.fi -+.SH DESCRIPTION ++~~~ ++ ++# DESCRIPTION ++ +Pass a pointer to a null-terminated string as parameter. The string should be -+the file name of your private key. The default format is "PEM" and can be -+changed with \fICURLOPT_SSLKEYTYPE(3)\fP. ++the filename of your private key. The default format is "PEM" and can be ++changed with CURLOPT_SSLKEYTYPE(3). + -+(Windows, iOS and Mac OS X) This option is ignored by Secure Transport and -+Schannel SSL backends because they expect the private key to be already present -+in the key-chain or PKCS#12 file containing the certificate. ++(Windows, iOS and macOS) This option is ignored by Secure Transport because ++they expect the private key to be already present in the key-chain or PKCS#12 ++file containing the certificate. + +The application does not have to keep the string around after setting this +option. -+.SH DEFAULT ++ ++Using this option multiple times makes the last set string override the ++previous ones. Set it to NULL to disable its use again. ++ ++# DEFAULT ++ +NULL -+.SH PROTOCOLS -+All TLS based protocols: HTTPS, FTPS, IMAPS, POP3S, SMTPS etc. -+.SH EXAMPLE -+.nf -+CURL *curl = curl_easy_init(); -+if(curl) { -+ curl_easy_setopt(curl, CURLOPT_URL, "https://example.com/"); -+ curl_easy_setopt(curl, CURLOPT_SSLVERSION, CURL_SSLVERSION_NTLSv1_1); -+ curl_easy_setopt(curl, CURLOPT_SSLENCCERT, "enc.crt"); -+ curl_easy_setopt(curl, CURLOPT_SSLENCKEY, "enc.key"); -+ curl_easy_setopt(curl, CURLOPT_SSLSIGNCERT, "sign.crt"); -+ curl_easy_setopt(curl, CURLOPT_SSLSIGNKEY, "sign.key"); -+ curl_easy_setopt(curl, CURLOPT_KEYPASSWD, "s3cret"); -+ ret = curl_easy_perform(curl); -+ curl_easy_cleanup(curl); ++ ++# %PROTOCOLS% ++ ++# EXAMPLE ++ ++~~~c ++int main(void) ++{ ++ CURL *curl = curl_easy_init(); ++ if(curl) { ++ CURLcode res; ++ curl_easy_setopt(curl, CURLOPT_URL, "https://example.com/"); ++ curl_easy_setopt(curl, CURLOPT_SSLENCCERT, "enc.crt"); ++ curl_easy_setopt(curl, CURLOPT_SSLENCKEY, "enc.key"); ++ curl_easy_setopt(curl, CURLOPT_SSLSIGNCERT, "sign.crt"); ++ curl_easy_setopt(curl, CURLOPT_SSLSIGNKEY, "sign.key"); ++ curl_easy_setopt(curl, CURLOPT_KEYPASSWD, "s3cret"); ++ res = curl_easy_perform(curl); ++ curl_easy_cleanup(curl); ++ } +} -+.fi -+.SH AVAILABILITY -+If built TLS enabled. -+.SH RETURN VALUE -+Returns CURLE_OK if TLS is supported, CURLE_UNKNOWN_OPTION if not, or ++~~~ ++ ++# %AVAILABILITY% ++ ++# RETURN VALUE ++ ++Returns CURLE_OK if NTLS is supported, CURLE_UNKNOWN_OPTION if not, or +CURLE_OUT_OF_MEMORY if there was insufficient heap space. -+.SH "SEE ALSO" -+.BR CURLOPT_SSLCERTTYPE (3), -+.BR CURLOPT_SSLENCKEY (3), -+.BR CURLOPT_SSLSIGNCERT (3), -+.BR CURLOPT_SSLSIGNKEY (3), -+.BR CURLOPT_KEYPASSWD (3) -\ No newline at end of file -diff --git a/docs/libcurl/opts/CURLOPT_SSLSIGNCERT.3 b/docs/libcurl/opts/CURLOPT_SSLSIGNCERT.3 +diff --git a/docs/libcurl/opts/CURLOPT_SSLSIGNCERT.md b/docs/libcurl/opts/CURLOPT_SSLSIGNCERT.md new file mode 100644 -index 000000000..5d8cadea2 +index 000000000..eca84f1c6 --- /dev/null -+++ b/docs/libcurl/opts/CURLOPT_SSLSIGNCERT.3 -@@ -0,0 +1,91 @@ -+.\" ************************************************************************** -+.\" * _ _ ____ _ -+.\" * Project ___| | | | _ \| | -+.\" * / __| | | | |_) | | -+.\" * | (__| |_| | _ <| |___ -+.\" * \___|\___/|_| \_\_____| -+.\" * -+.\" * Copyright (C) Daniel Stenberg, , et al. -+.\" * -+.\" * This software is licensed as described in the file COPYING, which -+.\" * you should have received as part of this distribution. The terms -+.\" * are also available at https://curl.se/docs/copyright.html. -+.\" * -+.\" * You may opt to use, copy, modify, merge, publish, distribute and/or sell -+.\" * copies of the Software, and permit persons to whom the Software is -+.\" * furnished to do so, under the terms of the COPYING file. -+.\" * -+.\" * This software is distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY -+.\" * KIND, either express or implied. -+.\" * -+.\" * SPDX-License-Identifier: curl -+.\" * -+.\" ************************************************************************** -+.\" -+.TH CURLOPT_SSLSIGNCERT 3 "28 Oct 2023" libcurl libcurl -+.SH NAME -+CURLOPT_SSLSIGNCERT \- SSL client signature certificate -+.SH SYNOPSIS -+.nf ++++ b/docs/libcurl/opts/CURLOPT_SSLSIGNCERT.md +@@ -0,0 +1,96 @@ ++--- ++c: Copyright (C) Daniel Stenberg, , et al. ++SPDX-License-Identifier: curl ++Title: CURLOPT_SSLSIGNCERT ++Section: 3 ++Source: libcurl ++See-also: ++ - CURLOPT_SSLCERTTYPE (3) ++ - CURLOPT_SSLENCKEY (3) ++ - CURLOPT_SSLENCCERT (3) ++ - CURLOPT_SSLSIGNKEY (3) ++ - CURLOPT_KEYPASSWD (3) ++Protocol: ++ - NTLS ++TLS-backend: ++ - Tongsuo ++Added-in: 7.80.0 ++--- ++ ++# NAME ++ ++CURLOPT_SSLSIGNCERT - SSL client signature certificate ++ ++# SYNOPSIS ++ ++~~~c +#include + +CURLcode curl_easy_setopt(CURL *handle, CURLOPT_SSLSIGNCERT, char *cert); -+.fi -+.SH DESCRIPTION ++~~~ ++ ++# DESCRIPTION ++ +Pass a pointer to a null-terminated string as parameter. The string should be -+the file name of your client encryption certificate. The default format is "P12" -+on Secure Transport and "PEM" on other engines, and can be changed with -+\fICURLOPT_SSLCERTTYPE(3)\fP. ++the filename of your client signature certificate. The default format is `P12` ++on Secure Transport and `PEM` on other engines, and can be changed with ++CURLOPT_SSLCERTTYPE(3). + +With Secure Transport, this can also be the nickname of the certificate you +wish to authenticate with as it is named in the security database. If you want -+to use a file from the current directory, please precede it with "./" prefix, ++to use a file from the current directory, please precede it with `./` prefix, +in order to avoid confusion with a nickname. + +(Schannel only) Client certificates can be specified by a path expression to a -+certificate store. (You can import \fIPFX\fP to a store first). You can use -+"\\\\" to refer to a certificate in -+the system certificates store, for example, -+\fB"CurrentUser\\MY\\934a7ac6f8a5d579285a74fa"\fP. The thumbprint is usually a -+SHA-1 hex string which you can see in certificate details. Following store -+locations are supported: \fBCurrentUser\fP, \fBLocalMachine\fP, -+\fBCurrentService\fP, \fBServices\fP, \fBCurrentUserGroupPolicy\fP, -+\fBLocalMachineGroupPolicy\fP, \fBLocalMachineEnterprise\fP. Schannel also -+support P12 certificate file, with the string "P12" specified with -+\fICURLOPT_SSLCERTTYPE(3)\fP. -+ -+When using a client encryption certificate, you most likely also need to provide a -+private key with \fICURLOPT_SSLSIGNKEY(3)\fP. ++certificate store. (You can import *PFX* to a store first). You can use ++"\\\\\\\" to refer to a certificate ++in the system certificates store, for example, ++**"CurrentUser\\MY\\934a7ac6f8a5d5"**. The thumbprint is usually a SHA-1 hex ++string which you can see in certificate details. Following store locations are ++supported: **CurrentUser**, **LocalMachine**, **CurrentService**, ++**Services**, **CurrentUserGroupPolicy**, **LocalMachineGroupPolicy**, ++**LocalMachineEnterprise**. Schannel also support P12 certificate file, with ++the string `P12` specified with CURLOPT_SSLCERTTYPE(3). ++ ++When using a client signature certificate, you most likely also need to provide ++a private key with CURLOPT_SSLSIGNKEY(3). + +The application does not have to keep the string around after setting this +option. -+.SH DEFAULT ++ ++Using this option multiple times makes the last set string override the ++previous ones. Set it to NULL to disable its use again. ++ ++# DEFAULT ++ +NULL -+.SH PROTOCOLS -+All TLS based protocols: HTTPS, FTPS, IMAPS, POP3S, SMTPS etc. -+.SH EXAMPLE -+.nf -+CURL *curl = curl_easy_init(); -+if(curl) { -+ curl_easy_setopt(curl, CURLOPT_URL, "https://example.com/"); -+ curl_easy_setopt(curl, CURLOPT_SSLVERSION, CURL_SSLVERSION_NTLSv1_1); -+ curl_easy_setopt(curl, CURLOPT_SSLENCCERT, "enc.crt"); -+ curl_easy_setopt(curl, CURLOPT_SSLENCKEY, "enc.key"); -+ curl_easy_setopt(curl, CURLOPT_SSLSIGNCERT, "sign.crt"); -+ curl_easy_setopt(curl, CURLOPT_SSLSIGNKEY, "sign.key"); -+ curl_easy_setopt(curl, CURLOPT_KEYPASSWD, "s3cret"); -+ ret = curl_easy_perform(curl); -+ curl_easy_cleanup(curl); ++ ++# %PROTOCOLS% ++ ++# EXAMPLE ++ ++~~~c ++int main(void) ++{ ++ CURL *curl = curl_easy_init(); ++ if(curl) { ++ CURLcode res; ++ curl_easy_setopt(curl, CURLOPT_URL, "https://example.com/"); ++ curl_easy_setopt(curl, CURLOPT_SSLVERSION, CURL_SSLVERSION_NTLSv1_1); ++ curl_easy_setopt(curl, CURLOPT_SSLENCCERT, "enc.crt"); ++ curl_easy_setopt(curl, CURLOPT_SSLENCKEY, "enc.key"); ++ curl_easy_setopt(curl, CURLOPT_SSLSIGNCERT, "sign.crt"); ++ curl_easy_setopt(curl, CURLOPT_SSLSIGNKEY, "sign.key"); ++ curl_easy_setopt(curl, CURLOPT_KEYPASSWD, "s3cret"); ++ res = curl_easy_perform(curl); ++ curl_easy_cleanup(curl); ++ } +} -+.fi -+.SH AVAILABILITY -+If built TLS enabled. -+.SH RETURN VALUE -+Returns CURLE_OK if TLS enabled, CURLE_UNKNOWN_OPTION if not, or ++~~~ ++ ++# %AVAILABILITY% ++ ++# RETURN VALUE ++ ++Returns CURLE_OK if NTLS enabled, CURLE_UNKNOWN_OPTION if not, or +CURLE_OUT_OF_MEMORY if there was insufficient heap space. -+.SH "SEE ALSO" -+.BR CURLOPT_SSLCERTTYPE (3), -+.BR CURLOPT_SSLSIGNKEY (3), -+.BR CURLOPT_SSLENCCERT (3), -+.BR CURLOPT_SSLENCKEY (3), -+.BR CURLOPT_KEYPASSWD (3) -diff --git a/docs/libcurl/opts/CURLOPT_SSLSIGNKEY.3 b/docs/libcurl/opts/CURLOPT_SSLSIGNKEY.3 +diff --git a/docs/libcurl/opts/CURLOPT_SSLSIGNKEY.md b/docs/libcurl/opts/CURLOPT_SSLSIGNKEY.md new file mode 100644 -index 000000000..7c95b8733 +index 000000000..81b7a9d00 --- /dev/null -+++ b/docs/libcurl/opts/CURLOPT_SSLSIGNKEY.3 -@@ -0,0 +1,74 @@ -+.\" ************************************************************************** -+.\" * _ _ ____ _ -+.\" * Project ___| | | | _ \| | -+.\" * / __| | | | |_) | | -+.\" * | (__| |_| | _ <| |___ -+.\" * \___|\___/|_| \_\_____| -+.\" * -+.\" * Copyright (C) Daniel Stenberg, , et al. -+.\" * -+.\" * This software is licensed as described in the file COPYING, which -+.\" * you should have received as part of this distribution. The terms -+.\" * are also available at https://curl.se/docs/copyright.html. -+.\" * -+.\" * You may opt to use, copy, modify, merge, publish, distribute and/or sell -+.\" * copies of the Software, and permit persons to whom the Software is -+.\" * furnished to do so, under the terms of the COPYING file. -+.\" * -+.\" * This software is distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY -+.\" * KIND, either express or implied. -+.\" * -+.\" * SPDX-License-Identifier: curl -+.\" * -+.\" ************************************************************************** -+.\" -+.TH CURLOPT_SSLSIGNKEY 3 "28 Oct 2023" libcurl libcurl -+.SH NAME -+CURLOPT_SSLSIGNKEY \- SSL client signature key -+.SH SYNOPSIS -+.nf ++++ b/docs/libcurl/opts/CURLOPT_SSLSIGNKEY.md +@@ -0,0 +1,78 @@ ++--- ++c: Copyright (C) Daniel Stenberg, , et al. ++SPDX-License-Identifier: curl ++Title: CURLOPT_SSLSIGNKEY ++Section: 3 ++Source: libcurl ++See-also: ++ - CURLOPT_SSLSIGNCERT (3) ++ - CURLOPT_SSLENCCERT (3) ++ - CURLOPT_SSLENCKEY (3) ++ - CURLOPT_SSLKEYTYPE (3) ++Protocol: ++ - NTLS ++TLS-backend: ++ - Tongsuo ++Added-in: 7.80.0 ++--- ++ ++# NAME ++ ++CURLOPT_SSLSIGNKEY - private key file for NTLS and SSL client signature cert ++ ++# SYNOPSIS ++ ++~~~c +#include + +CURLcode curl_easy_setopt(CURL *handle, CURLOPT_SSLSIGNKEY, char *keyfile); -+.fi -+.SH DESCRIPTION ++~~~ ++ ++# DESCRIPTION ++ +Pass a pointer to a null-terminated string as parameter. The string should be -+the file name of your private key. The default format is "PEM" and can be -+changed with \fICURLOPT_SSLKEYTYPE(3)\fP. ++the filename of your private key. The default format is "PEM" and can be ++changed with CURLOPT_SSLKEYTYPE(3). + -+(Windows, iOS and Mac OS X) This option is ignored by Secure Transport and -+Schannel SSL backends because they expect the private key to be already present -+in the key-chain or PKCS#12 file containing the certificate. ++(Windows, iOS and macOS) This option is ignored by Secure Transport because ++they expect the private key to be already present in the key-chain or PKCS#12 ++file containing the certificate. + +The application does not have to keep the string around after setting this +option. -+.SH DEFAULT ++ ++Using this option multiple times makes the last set string override the ++previous ones. Set it to NULL to disable its use again. ++ ++# DEFAULT ++ +NULL -+.SH PROTOCOLS -+All TLS based protocols: HTTPS, FTPS, IMAPS, POP3S, SMTPS etc. -+.SH EXAMPLE -+.nf -+CURL *curl = curl_easy_init(); -+if(curl) { -+ curl_easy_setopt(curl, CURLOPT_URL, "https://example.com/"); -+ curl_easy_setopt(curl, CURLOPT_SSLVERSION, CURL_SSLVERSION_NTLSv1_1); -+ curl_easy_setopt(curl, CURLOPT_SSLENCCERT, "enc.crt"); -+ curl_easy_setopt(curl, CURLOPT_SSLENCKEY, "enc.key"); -+ curl_easy_setopt(curl, CURLOPT_SSLSIGNCERT, "sign.crt"); -+ curl_easy_setopt(curl, CURLOPT_SSLSIGNKEY, "sign.key"); -+ curl_easy_setopt(curl, CURLOPT_KEYPASSWD, "s3cret"); -+ ret = curl_easy_perform(curl); -+ curl_easy_cleanup(curl); ++ ++# %PROTOCOLS% ++ ++# EXAMPLE ++ ++~~~c ++int main(void) ++{ ++ CURL *curl = curl_easy_init(); ++ if(curl) { ++ CURLcode res; ++ curl_easy_setopt(curl, CURLOPT_URL, "https://example.com/"); ++ curl_easy_setopt(curl, CURLOPT_SSLENCCERT, "enc.crt"); ++ curl_easy_setopt(curl, CURLOPT_SSLENCKEY, "enc.key"); ++ curl_easy_setopt(curl, CURLOPT_SSLSIGNCERT, "sign.crt"); ++ curl_easy_setopt(curl, CURLOPT_SSLSIGNKEY, "sign.key"); ++ curl_easy_setopt(curl, CURLOPT_KEYPASSWD, "s3cret"); ++ res = curl_easy_perform(curl); ++ curl_easy_cleanup(curl); ++ } +} -+.fi -+.SH AVAILABILITY -+If built TLS enabled. -+.SH RETURN VALUE -+Returns CURLE_OK if TLS is supported, CURLE_UNKNOWN_OPTION if not, or ++~~~ ++ ++# %AVAILABILITY% ++ ++# RETURN VALUE ++ ++Returns CURLE_OK if NTLS is supported, CURLE_UNKNOWN_OPTION if not, or +CURLE_OUT_OF_MEMORY if there was insufficient heap space. -+.SH "SEE ALSO" -+.BR CURLOPT_SSLCERTTYPE (3), -+.BR CURLOPT_SSLSIGNCERT (3), -+.BR CURLOPT_SSLENCCERT (3), -+.BR CURLOPT_SSLENCKEY (3), -+.BR CURLOPT_KEYPASSWD (3) -\ No newline at end of file +diff --git a/docs/libcurl/opts/Makefile.inc b/docs/libcurl/opts/Makefile.inc +index 9d8606dd0..890d4328a 100644 +--- a/docs/libcurl/opts/Makefile.inc ++++ b/docs/libcurl/opts/Makefile.inc +@@ -428,4 +428,8 @@ man_MANS = \ + CURLSHOPT_SHARE.3 \ + CURLSHOPT_UNLOCKFUNC.3 \ + CURLSHOPT_UNSHARE.3 \ +- CURLSHOPT_USERDATA.3 ++ CURLSHOPT_USERDATA.3 \ ++ CURLOPT_SSLENCCERT.3 \ ++ CURLOPT_SSLENCKEY.3 \ ++ CURLOPT_SSLSIGNCERT.3 \ ++ CURLOPT_SSLSIGNKEY.3 diff --git a/docs/libcurl/symbols-in-versions b/docs/libcurl/symbols-in-versions -index 24a954ece..c79f5f445 100644 +index 0fd02ff09..643025d44 100644 --- a/docs/libcurl/symbols-in-versions +++ b/docs/libcurl/symbols-in-versions -@@ -12,6 +12,11 @@ +@@ -12,6 +12,12 @@ Name Introduced Deprecated Last @@ -520,45 +431,58 @@ index 24a954ece..c79f5f445 100644 +CURLOPT_SSLSIGNCERT 7.80.0 +CURLOPT_SSLSIGNKEY 7.80.0 +CURL_SSLVERSION_NTLSv1_1 7.80.0 ++CURL_SSLVERSION_MAX_NTLSv1_1 7.80.0 CURL_AT_LEAST_VERSION 7.43.0 CURL_BLOB_COPY 7.71.0 CURL_BLOB_NOCOPY 7.71.0 diff --git a/include/curl/curl.h b/include/curl/curl.h -index 1ef7c8d45..2d7830721 100644 +index fae168966..0788bab69 100644 --- a/include/curl/curl.h +++ b/include/curl/curl.h -@@ -2210,6 +2210,18 @@ typedef enum { - /* set a specific client IP for HAProxy PROXY protocol header? */ - CURLOPT(CURLOPT_HAPROXY_CLIENT_IP, CURLOPTTYPE_STRINGPOINT, 323), +@@ -2228,6 +2228,18 @@ typedef enum { + /* maximum number of keepalive probes (Linux, *BSD, macOS, etc.) */ + CURLOPT(CURLOPT_TCP_KEEPCNT, CURLOPTTYPE_LONG, 326), + /* name of the file keeping your SSL sign certificate */ -+ CURLOPT(CURLOPT_SSLSIGNCERT, CURLOPTTYPE_STRINGPOINT, 324), ++ CURLOPT(CURLOPT_SSLSIGNCERT, CURLOPTTYPE_STRINGPOINT, 327), + + /* name of the file keeping your SSL sign key */ -+ CURLOPT(CURLOPT_SSLSIGNKEY, CURLOPTTYPE_STRINGPOINT, 325), ++ CURLOPT(CURLOPT_SSLSIGNKEY, CURLOPTTYPE_STRINGPOINT, 328), + + /* name of the file keeping your SSL enc certificate */ -+ CURLOPT(CURLOPT_SSLENCCERT, CURLOPTTYPE_STRINGPOINT, 326), ++ CURLOPT(CURLOPT_SSLENCCERT, CURLOPTTYPE_STRINGPOINT, 329), + + /* name of the file keeping your SSL enc key */ -+ CURLOPT(CURLOPT_SSLENCKEY, CURLOPTTYPE_STRINGPOINT, 327), ++ CURLOPT(CURLOPT_SSLENCKEY, CURLOPTTYPE_STRINGPOINT, 330), + CURLOPT_LASTENTRY /* the last unused */ } CURLoption; -@@ -2324,6 +2336,7 @@ enum { - CURL_SSLVERSION_TLSv1_1, - CURL_SSLVERSION_TLSv1_2, - CURL_SSLVERSION_TLSv1_3, -+ CURL_SSLVERSION_NTLSv1_1, +@@ -2341,8 +2353,9 @@ enum CURL_NETRC_OPTION { + #define CURL_SSLVERSION_TLSv1_1 5 + #define CURL_SSLVERSION_TLSv1_2 6 + #define CURL_SSLVERSION_TLSv1_3 7 ++#define CURL_SSLVERSION_NTLSv1_1 8 + +-#define CURL_SSLVERSION_LAST 8 /* never use, keep last */ ++#define CURL_SSLVERSION_LAST 9 /* never use, keep last */ + + #define CURL_SSLVERSION_MAX_NONE 0 + #define CURL_SSLVERSION_MAX_DEFAULT (CURL_SSLVERSION_TLSv1 << 16) +@@ -2350,7 +2363,7 @@ enum CURL_NETRC_OPTION { + #define CURL_SSLVERSION_MAX_TLSv1_1 (CURL_SSLVERSION_TLSv1_1 << 16) + #define CURL_SSLVERSION_MAX_TLSv1_2 (CURL_SSLVERSION_TLSv1_2 << 16) + #define CURL_SSLVERSION_MAX_TLSv1_3 (CURL_SSLVERSION_TLSv1_3 << 16) +- ++#define CURL_SSLVERSION_MAX_NTLSv1_1 (CURL_SSLVERSION_NTLSv1_1 << 16) + /* never use, keep last */ + #define CURL_SSLVERSION_MAX_LAST (CURL_SSLVERSION_LAST << 16) - CURL_SSLVERSION_LAST /* never use, keep last */ - }; diff --git a/include/curl/typecheck-gcc.h b/include/curl/typecheck-gcc.h -index b880f3dc6..771409dfa 100644 +index e532e6997..e1d1555c4 100644 --- a/include/curl/typecheck-gcc.h +++ b/include/curl/typecheck-gcc.h -@@ -348,6 +348,10 @@ CURLWARNING(_curl_easy_getinfo_err_curl_off_t, +@@ -349,6 +349,10 @@ CURLWARNING(_curl_easy_getinfo_err_curl_off_t, (option) == CURLOPT_USERPWD || \ (option) == CURLOPT_XOAUTH2_BEARER || \ (option) == CURLOPT_SSL_EC_CURVES || \ @@ -569,11 +493,24 @@ index b880f3dc6..771409dfa 100644 0) /* evaluates to true if option takes a curl_write_callback argument */ +diff --git a/lib/config-win32.h b/lib/config-win32.h +index 1f280a96c..167ccfb5b 100644 +--- a/lib/config-win32.h ++++ b/lib/config-win32.h +@@ -497,4 +497,8 @@ Vista + /* If you want to build curl with the built-in manual */ + #define USE_MANUAL 1 + ++#ifdef USE_NTLS ++# define HAVE_NTLS 1 ++#endif ++ + #endif /* HEADER_CURL_CONFIG_WIN32_H */ diff --git a/lib/easyoptions.c b/lib/easyoptions.c -index e69c658b0..aded8dff5 100644 +index 81091c405..ab864f7de 100644 --- a/lib/easyoptions.c +++ b/lib/easyoptions.c -@@ -298,12 +298,16 @@ struct curl_easyoption Curl_easyopts[] = { +@@ -301,12 +301,16 @@ struct curl_easyoption Curl_easyopts[] = { {"SSLCERTPASSWD", CURLOPT_KEYPASSWD, CURLOT_STRING, CURLOT_FLAG_ALIAS}, {"SSLCERTTYPE", CURLOPT_SSLCERTTYPE, CURLOT_STRING, 0}, {"SSLCERT_BLOB", CURLOPT_SSLCERT_BLOB, CURLOT_BLOB, 0}, @@ -590,77 +527,40 @@ index e69c658b0..aded8dff5 100644 {"SSLVERSION", CURLOPT_SSLVERSION, CURLOT_VALUES, 0}, {"SSL_CIPHER_LIST", CURLOPT_SSL_CIPHER_LIST, CURLOT_STRING, 0}, {"SSL_CTX_DATA", CURLOPT_SSL_CTX_DATA, CURLOT_CBPTR, 0}, -@@ -373,6 +377,6 @@ struct curl_easyoption Curl_easyopts[] = { +@@ -377,6 +381,6 @@ struct curl_easyoption Curl_easyopts[] = { */ int Curl_easyopts_check(void) { -- return ((CURLOPT_LASTENTRY%10000) != (323 + 1)); -+ return ((CURLOPT_LASTENTRY%10000) != (327 + 1)); +- return ((CURLOPT_LASTENTRY%10000) != (326 + 1)); ++ return ((CURLOPT_LASTENTRY%10000) != (330 + 1)); } #endif diff --git a/lib/setopt.c b/lib/setopt.c -index 0d399adfe..c9cddd01f 100644 +index 7366d4a3e..d3fa1aa52 100644 --- a/lib/setopt.c +++ b/lib/setopt.c -@@ -3170,6 +3170,36 @@ CURLcode Curl_vsetopt(struct Curl_easy *data, CURLoption option, va_list param) - case CURLOPT_QUICK_EXIT: - data->set.quick_exit = (0 != va_arg(param, long)) ? 1L:0L; - break; +@@ -1663,6 +1663,16 @@ static CURLcode setopt_cptr(struct Curl_easy *data, CURLoption option, + { + CURLcode result = CURLE_OK; + switch(option) { +#ifdef HAVE_NTLS + case CURLOPT_SSLSIGNCERT: -+ /* -+ * String that holds file name of the SSL sign certificate to use -+ */ -+ result = Curl_setstropt(&data->set.str[STRING_SIGN_CERT], -+ va_arg(param, char *)); -+ break; ++ return Curl_setstropt(&data->set.str[STRING_SIGN_CERT], ptr); + case CURLOPT_SSLSIGNKEY: -+ /* -+ * String that holds file name of the SSL sign key to use -+ */ -+ result = Curl_setstropt(&data->set.str[STRING_SIGN_KEY], -+ va_arg(param, char *)); -+ break; ++ return Curl_setstropt(&data->set.str[STRING_SIGN_KEY], ptr); + case CURLOPT_SSLENCCERT: -+ /* -+ * String that holds file name of the SSL enc certificate to use -+ */ -+ result = Curl_setstropt(&data->set.str[STRING_ENC_CERT], -+ va_arg(param, char *)); -+ break; ++ return Curl_setstropt(&data->set.str[STRING_ENC_CERT], ptr); + case CURLOPT_SSLENCKEY: -+ /* -+ * String that holds file name of the SSL enc key to use -+ */ -+ result = Curl_setstropt(&data->set.str[STRING_ENC_KEY], -+ va_arg(param, char *)); -+ break; -+#endif - default: - /* unknown tag and its companion, just ignore: */ - result = CURLE_UNKNOWN_OPTION; -diff --git a/lib/url.c b/lib/url.c -index f3ca694d5..1b9c11c42 100644 ---- a/lib/url.c -+++ b/lib/url.c -@@ -3642,6 +3642,12 @@ static CURLcode create_conn(struct Curl_easy *data, - data->set.ssl.key_type = data->set.str[STRING_KEY_TYPE]; - data->set.ssl.key_passwd = data->set.str[STRING_KEY_PASSWD]; - data->set.ssl.primary.clientcert = data->set.str[STRING_CERT]; -+#ifdef HAVE_NTLS -+ data->set.ssl.sign_cert = data->set.str[STRING_SIGN_CERT]; -+ data->set.ssl.sign_key = data->set.str[STRING_SIGN_KEY]; -+ data->set.ssl.enc_cert = data->set.str[STRING_ENC_CERT]; -+ data->set.ssl.enc_key = data->set.str[STRING_ENC_KEY]; ++ return Curl_setstropt(&data->set.str[STRING_ENC_KEY], ptr); +#endif - #ifdef USE_TLS_SRP - data->set.ssl.primary.username = data->set.str[STRING_TLSAUTH_USERNAME]; - data->set.ssl.primary.password = data->set.str[STRING_TLSAUTH_PASSWORD]; + case CURLOPT_SSL_CIPHER_LIST: + if(Curl_ssl_supports(data, SSLSUPP_CIPHER_LIST)) + /* set a list of cipher we want to use in the SSL connection */ diff --git a/lib/urldata.h b/lib/urldata.h -index 2f927a393..c3077cd78 100644 +index fc09efad6..6966495d8 100644 --- a/lib/urldata.h +++ b/lib/urldata.h -@@ -302,6 +302,12 @@ struct ssl_config_data { +@@ -301,6 +301,12 @@ struct ssl_config_data { struct curl_blob *key_blob; char *key_type; /* format for private key (default: PEM) */ char *key_passwd; /* plain text private key password */ @@ -672,72 +572,62 @@ index 2f927a393..c3077cd78 100644 +#endif BIT(certinfo); /* gather lots of certificate info */ BIT(falsestart); - BIT(enable_beast); /* allow this flaw for interoperability's sake */ -@@ -1619,6 +1625,10 @@ enum dupstring { - STRING_SSL_EC_CURVES, - STRING_AWS_SIGV4, /* Parameters for V4 signature */ + BIT(earlydata); /* use tls1.3 early data */ +@@ -1484,6 +1490,12 @@ enum dupstring { + #endif + #ifndef CURL_DISABLE_PROXY STRING_HAPROXY_CLIENT_IP, /* CURLOPT_HAPROXY_CLIENT_IP */ ++#endif ++#ifdef HAVE_NTLS + STRING_SIGN_CERT, + STRING_SIGN_KEY, + STRING_ENC_CERT, + STRING_ENC_KEY, - - /* -- end of null-terminated strings -- */ - + #endif + STRING_ECH_CONFIG, /* CURLOPT_ECH_CONFIG */ + STRING_ECH_PUBLIC, /* CURLOPT_ECH_PUBLIC */ diff --git a/lib/vtls/openssl.c b/lib/vtls/openssl.c -index 8dfad38fa..5b78d436e 100644 +index f253674b2..d9b0e6386 100644 --- a/lib/vtls/openssl.c +++ b/lib/vtls/openssl.c -@@ -3484,6 +3484,12 @@ static CURLcode ossl_connect_step1(struct Curl_cfilter *cf, - /* check to see if we've been told to use an explicit SSL/TLS version */ - - switch(ssl_version) { -+#ifdef HAVE_NTLS -+ case CURL_SSLVERSION_NTLSv1_1: -+ req_method = NTLS_client_method(); -+ use_sni(TRUE); -+ break; -+#endif - case CURL_SSLVERSION_DEFAULT: - case CURL_SSLVERSION_TLSv1: - case CURL_SSLVERSION_TLSv1_0: -@@ -3523,6 +3529,11 @@ static CURLcode ossl_connect_step1(struct Curl_cfilter *cf, - return CURLE_OUT_OF_MEMORY; - } - +@@ -3498,6 +3498,11 @@ CURLcode Curl_ossl_ctx_init(struct ossl_ctx *octx, + case TRNSPRT_TCP: + /* check to see if we have been told to use an explicit SSL/TLS version */ + switch(ssl_version_min) { +#ifdef HAVE_NTLS -+ if(ssl_version == CURL_SSLVERSION_NTLSv1_1) -+ SSL_CTX_enable_ntls(backend->ctx); ++ case CURL_SSLVERSION_NTLSv1_1: ++ req_method = NTLS_client_method(); ++ break; +#endif -+ - #ifdef SSL_MODE_RELEASE_BUFFERS - SSL_CTX_set_mode(backend->ctx, SSL_MODE_RELEASE_BUFFERS); - #endif -@@ -3598,6 +3609,11 @@ static CURLcode ossl_connect_step1(struct Curl_cfilter *cf, + case CURL_SSLVERSION_DEFAULT: + case CURL_SSLVERSION_TLSv1: + case CURL_SSLVERSION_TLSv1_0: +@@ -3628,7 +3633,11 @@ CURLcode Curl_ossl_ctx_init(struct ossl_ctx *octx, + case CURL_SSLVERSION_SSLv2: case CURL_SSLVERSION_SSLv3: return CURLE_NOT_BUILT_IN; - +- +#ifdef HAVE_NTLS -+ case CURL_SSLVERSION_NTLSv1_1: -+ break; ++ case CURL_SSLVERSION_NTLSv1_1: ++ SSL_CTX_enable_ntls(octx->ssl_ctx); ++ break; +#endif -+ /* "--tlsv" options mean TLS >= version */ case CURL_SSLVERSION_DEFAULT: case CURL_SSLVERSION_TLSv1: /* TLS >= version 1.0 */ -@@ -3653,6 +3669,51 @@ static CURLcode ossl_connect_step1(struct Curl_cfilter *cf, +@@ -3683,6 +3692,51 @@ CURLcode Curl_ossl_ctx_init(struct ossl_ctx *octx, return result; } +#ifdef HAVE_NTLS -+ if(ssl_version == CURL_SSLVERSION_NTLSv1_1) { ++ if(ssl_version_min == CURL_SSLVERSION_NTLSv1_1) { + char *sign_cert = ssl_config->sign_cert; + char *sign_key = ssl_config->sign_key; + char *enc_cert = ssl_config->enc_cert; + char *enc_key = ssl_config->enc_key; + + if(sign_cert -+ && !SSL_CTX_use_sign_certificate_file(backend->ctx, sign_cert, ++ && !SSL_CTX_use_sign_certificate_file(octx->ssl_ctx, sign_cert, + SSL_FILETYPE_PEM)) { + failf(data, "SSL: failed settting sign certificate file: %s", + ossl_strerror(ERR_get_error(), error_buffer, @@ -746,7 +636,7 @@ index 8dfad38fa..5b78d436e 100644 + } + + if(sign_key -+ && !SSL_CTX_use_sign_PrivateKey_file(backend->ctx, sign_key, ++ && !SSL_CTX_use_sign_PrivateKey_file(octx->ssl_ctx, sign_key, + SSL_FILETYPE_PEM)) { + failf(data, "SSL: failed settting sign key file: %s", + ossl_strerror(ERR_get_error(), error_buffer, @@ -755,7 +645,7 @@ index 8dfad38fa..5b78d436e 100644 + } + + if(enc_cert -+ && !SSL_CTX_use_enc_certificate_file(backend->ctx, enc_cert, ++ && !SSL_CTX_use_enc_certificate_file(octx->ssl_ctx, enc_cert, + SSL_FILETYPE_PEM)) { + failf(data, "SSL: failed settting enc certificate file: %s", + ossl_strerror(ERR_get_error(), error_buffer, @@ -764,7 +654,7 @@ index 8dfad38fa..5b78d436e 100644 + } + + if(enc_key -+ && !SSL_CTX_use_enc_PrivateKey_file(backend->ctx, enc_key, ++ && !SSL_CTX_use_enc_PrivateKey_file(octx->ssl_ctx, enc_key, + SSL_FILETYPE_PEM)) { + failf(data, "SSL: failed settting enc key file: %s", + ossl_strerror(ERR_get_error(), error_buffer, @@ -775,24 +665,43 @@ index 8dfad38fa..5b78d436e 100644 +#endif + ciphers = conn_config->cipher_list; - if(!ciphers) - ciphers = (char *)DEFAULT_CIPHER_SELECTION; + if(!ciphers && (peer->transport != TRNSPRT_QUIC)) + ciphers = DEFAULT_CIPHER_SELECTION; +diff --git a/lib/vtls/vtls.c b/lib/vtls/vtls.c +index 02085f412..effdeeb6a 100644 +--- a/lib/vtls/vtls.c ++++ b/lib/vtls/vtls.c +@@ -313,6 +313,13 @@ CURLcode Curl_ssl_easy_config_complete(struct Curl_easy *data) + data->set.ssl.primary.clientcert = data->set.str[STRING_CERT]; + data->set.ssl.key_blob = data->set.blobs[BLOB_KEY]; + ++#ifdef HAVE_NTLS ++ data->set.ssl.sign_cert = data->set.str[STRING_SIGN_CERT]; ++ data->set.ssl.sign_key = data->set.str[STRING_SIGN_KEY]; ++ data->set.ssl.enc_cert = data->set.str[STRING_ENC_CERT]; ++ data->set.ssl.enc_key = data->set.str[STRING_ENC_KEY]; ++#endif ++ + #ifndef CURL_DISABLE_PROXY + data->set.proxy_ssl.primary.CApath = data->set.str[STRING_SSL_CAPATH_PROXY]; + data->set.proxy_ssl.primary.CAfile = data->set.str[STRING_SSL_CAFILE_PROXY]; diff --git a/m4/curl-openssl.m4 b/m4/curl-openssl.m4 -index a4811d2a3..3235537af 100644 +index de20a64f7..f4868f1bf 100644 --- a/m4/curl-openssl.m4 +++ b/m4/curl-openssl.m4 -@@ -399,6 +399,26 @@ if test "$OPENSSL_ENABLED" = "1"; then +@@ -401,4 +401,24 @@ if test "$OPENSSL_ENABLED" = "1"; then + AC_MSG_RESULT([no]) ]) fi - -+dnl ********************************************************************** ++ ++dnl --- +dnl Check for NTLS provided by Tongsuo -+dnl ********************************************************************** ++dnl --- +if test "$OPENSSL_ENABLED" = "1"; then + AC_MSG_CHECKING([for NTLS support in Tongsuo]) + AC_LINK_IFELSE([ + AC_LANG_PROGRAM([[ -+#include ++ #include + ]],[[ + const SSL_METHOD *meth = NTLS_method(); + ]]) @@ -804,15 +713,12 @@ index a4811d2a3..3235537af 100644 + AC_MSG_RESULT([no]) + ]) +fi -+ - dnl --- - dnl Whether the OpenSSL configuration will be loaded automatically - dnl --- + ]) diff --git a/packages/OS400/ccsidcurl.c b/packages/OS400/ccsidcurl.c -index 48f1f5fbd..5fc65c417 100644 +index 48f7f6d4a..ee1855def 100644 --- a/packages/OS400/ccsidcurl.c +++ b/packages/OS400/ccsidcurl.c -@@ -1154,9 +1154,13 @@ curl_easy_setopt_ccsid(CURL *easy, CURLoption tag, ...) +@@ -1157,9 +1157,13 @@ curl_easy_setopt_ccsid(CURL *easy, CURLoption tag, ...) case CURLOPT_SSH_PUBLIC_KEYFILE: case CURLOPT_SSLCERT: case CURLOPT_SSLCERTTYPE: @@ -826,15 +732,28 @@ index 48f1f5fbd..5fc65c417 100644 case CURLOPT_SSL_CIPHER_LIST: case CURLOPT_SSL_EC_CURVES: case CURLOPT_TLS13_CIPHERS: +diff --git a/scripts/cd2nroff b/scripts/cd2nroff +index 86cae2137..9c16dbee8 100755 +--- a/scripts/cd2nroff ++++ b/scripts/cd2nroff +@@ -182,7 +182,8 @@ my %knownprotos = ( + 'TLS' => 1, + 'TCP' => 1, + 'QUIC' => 1, +- 'All' => 1 ++ 'All' => 1, ++ 'NTLS' => 1, + ); + + my %knowntls = ( diff --git a/src/tool_cfgable.c b/src/tool_cfgable.c -index 906e23e14..c25560a51 100644 +index d7ee7b1b2..1165d0aa8 100644 --- a/src/tool_cfgable.c +++ b/src/tool_cfgable.c -@@ -175,6 +175,13 @@ static void free_config_fields(struct OperationConfig *config) - Curl_safefree(config->aws_sigv4); - Curl_safefree(config->proto_str); - Curl_safefree(config->proto_redir_str); -+ +@@ -181,6 +181,12 @@ static void free_config_fields(struct OperationConfig *config) + Curl_safefree(config->ech); + Curl_safefree(config->ech_config); + Curl_safefree(config->ech_public); +#ifdef HAVE_NTLS + Curl_safefree(config->sign_cert); + Curl_safefree(config->sign_key); @@ -845,13 +764,13 @@ index 906e23e14..c25560a51 100644 void config_free(struct OperationConfig *config) diff --git a/src/tool_cfgable.h b/src/tool_cfgable.h -index 57e8fce52..21a6ff898 100644 +index 62f0e58cc..83a4043f7 100644 --- a/src/tool_cfgable.h +++ b/src/tool_cfgable.h -@@ -298,6 +298,12 @@ struct OperationConfig { - struct State state; /* for create_transfer() */ - bool rm_partial; /* on error, remove partially written output - files */ +@@ -310,6 +310,12 @@ struct OperationConfig { + char *ech; /* Config set by --ech keywords */ + char *ech_config; /* Config set by "--ech esl:" option */ + char *ech_public; /* Config set by "--ech pn:" option */ +#ifdef HAVE_NTLS + char *sign_cert; + char *sign_key; @@ -862,217 +781,124 @@ index 57e8fce52..21a6ff898 100644 struct GlobalConfig { diff --git a/src/tool_getparam.c b/src/tool_getparam.c -index b80d65792..0c0c706d1 100644 +index 81dbbb883..eac91ddb6 100644 --- a/src/tool_getparam.c +++ b/src/tool_getparam.c -@@ -340,8 +340,13 @@ static const struct LongShort aliases[]= { - {"R", "remote-time", ARG_BOOL}, - {"s", "silent", ARG_BOOL}, - {"S", "show-error", ARG_BOOL}, +@@ -118,6 +118,10 @@ static const struct LongShort aliases[]= { + {"dump-header", ARG_FILE, 'D', C_DUMP_HEADER}, + {"ech", ARG_STRG, ' ', C_ECH}, + {"egd-file", ARG_STRG, ' ', C_EGD_FILE}, +#ifdef HAVE_NTLS -+ {"Sc", "sign-cert", ARG_FILENAME}, -+ {"Sk", "sign-key", ARG_FILENAME}, ++ {"enc-cert", ARG_FILE, ' ', C_ENC_CERT}, ++ {"enc-key", ARG_FILE, ' ', C_ENC_KEY}, +#endif - {"t", "telnet-option", ARG_STRING}, - {"T", "upload-file", ARG_FILENAME}, -+ {"Tp", "tlcp", ARG_BOOL}, - {"u", "user", ARG_STRING}, - {"U", "proxy-user", ARG_STRING}, - {"v", "verbose", ARG_BOOL}, -@@ -351,6 +356,10 @@ static const struct LongShort aliases[]= { - {"xa", "preproxy", ARG_STRING}, - {"X", "request", ARG_STRING}, - {"Y", "speed-limit", ARG_STRING}, + {"engine", ARG_STRG, ' ', C_ENGINE}, + {"eprt", ARG_BOOL, ' ', C_EPRT}, + {"epsv", ARG_BOOL, ' ', C_EPSV}, +@@ -282,6 +286,10 @@ static const struct LongShort aliases[]= { + {"sessionid", ARG_BOOL|ARG_NO, ' ', C_SESSIONID}, + {"show-error", ARG_BOOL, 'S', C_SHOW_ERROR}, + {"show-headers", ARG_BOOL, 'i', C_SHOW_HEADERS}, +#ifdef HAVE_NTLS -+ {"Yc", "enc-cert", ARG_FILENAME}, -+ {"Yk", "enc-key", ARG_FILENAME}, ++ {"sign-cert", ARG_FILE, ' ', C_SIGN_CERT}, ++ {"sign-key", ARG_FILE, ' ', C_SIGN_KEY}, +#endif - {"y", "speed-time", ARG_STRING}, - {"z", "time-cond", ARG_STRING}, - {"Z", "parallel", ARG_BOOL}, -@@ -2469,49 +2478,69 @@ ParameterError getparameter(const char *flag, /* f or -long-flag */ - case 's': /* --silent */ - global->silent = toggle; - break; -- case 'S': /* --show-error */ -- global->showerror = toggle; -+ case 'S': -+ switch(subletter) { -+ case '\0': /* show errors */ -+ global->showerror = toggle; /* --show-error */ -+ break; + {"silent", ARG_BOOL, 's', C_SILENT}, + {"skip-existing", ARG_BOOL, ' ', C_SKIP_EXISTING}, + {"socks4", ARG_STRG, ' ', C_SOCKS4}, +@@ -315,6 +323,9 @@ static const struct LongShort aliases[]= { + {"tftp-blksize", ARG_STRG, ' ', C_TFTP_BLKSIZE}, + {"tftp-no-options", ARG_BOOL, ' ', C_TFTP_NO_OPTIONS}, + {"time-cond", ARG_STRG, 'z', C_TIME_COND}, +#ifdef HAVE_NTLS -+ case 'c': /* sign certificate */ -+ GetStr(&config->sign_cert, nextarg); -+ break; -+ case 'k': /* sign key */ -+ GetStr(&config->sign_key, nextarg); -+ break; ++ {"tlcp", ARG_BOOL, ' ', C_TLCP}, +#endif -+ } - break; - case 't': - /* Telnet options */ - err = add2list(&config->telnet_options, nextarg); - break; - case 'T': -- /* we are uploading */ -- { -- struct getout *url; -- if(!config->url_ul) -- config->url_ul = config->url_list; -- if(config->url_ul) { -- /* there's a node here, if it already is filled-in continue to find -- an "empty" node */ -- while(config->url_ul && (config->url_ul->flags & GETOUT_UPLOAD)) -- config->url_ul = config->url_ul->next; -- } -+ switch(subletter) { -+ case '\0': /* we are uploading */ -+ { -+ struct getout *url; -+ if(!config->url_ul) -+ config->url_ul = config->url_list; -+ if(config->url_ul) { -+ /* there's a node here, if it already is filled-in continue to find -+ an "empty" node */ -+ while(config->url_ul && (config->url_ul->flags & GETOUT_UPLOAD)) -+ config->url_ul = config->url_ul->next; -+ } - -- /* now there might or might not be an available node to fill in! */ -+ /* now there might or might not be an available node to fill in! */ - -- if(config->url_ul) -- /* existing node */ -- url = config->url_ul; -- else -- /* there was no free node, create one! */ -- config->url_ul = url = new_getout(config); -+ if(config->url_ul) -+ /* existing node */ -+ url = config->url_ul; -+ else -+ /* there was no free node, create one! */ -+ config->url_ul = url = new_getout(config); - -- if(!url) { -- err = PARAM_NO_MEM; -- break; -- } -+ if(!url) { -+ err = PARAM_NO_MEM; -+ break; -+ } + {"tls-earlydata", ARG_BOOL, ' ', C_TLS_EARLYDATA}, + {"tls-max", ARG_STRG, ' ', C_TLS_MAX}, + {"tls13-ciphers", ARG_STRG, ' ', C_TLS13_CIPHERS}, +@@ -1703,6 +1714,23 @@ ParameterError getparameter(const char *flag, /* f or -long-flag */ + nextarg = (char *)""; -- url->flags |= GETOUT_UPLOAD; /* mark -T used */ -- if(!*nextarg) -- url->flags |= GETOUT_NOUPLOAD; -- else { -- /* "-" equals stdin, but keep the string around for now */ -- GetStr(&url->infile, nextarg); -+ url->flags |= GETOUT_UPLOAD; /* mark -T used */ -+ if(!*nextarg) -+ url->flags |= GETOUT_NOUPLOAD; -+ else { -+ /* "-" equals stdin, but keep the string around for now */ -+ GetStr(&url->infile, nextarg); -+ } -+ } -+ break; + switch(cmd) { +#ifdef HAVE_NTLS -+ case 'p': /* TLCP */ -+ config->ssl_version = CURL_SSLVERSION_NTLSv1_1; -+ break; -+#endif - } -- } -- break; ++ case C_TLCP: ++ config->ssl_version = CURL_SSLVERSION_NTLSv1_1; ++ break; ++ case C_ENC_CERT: ++ err = getstr(&config->enc_cert, nextarg, DENY_BLANK); ++ break; ++ case C_ENC_KEY: ++ err = getstr(&config->enc_key, nextarg, DENY_BLANK); ++ break; ++ case C_SIGN_CERT: ++ err = getstr(&config->sign_cert, nextarg, DENY_BLANK); + break; - case 'u': - /* user:password */ - GetStr(&config->userpwd, nextarg); -@@ -2606,12 +2635,23 @@ ParameterError getparameter(const char *flag, /* f or -long-flag */ - config->low_speed_limit = 1; - break; - case 'Y': -- /* low speed limit */ -- err = str2unum(&config->low_speed_limit, nextarg); -- if(err) -- break; -- if(!config->low_speed_time) -- config->low_speed_time = 30; -+ switch(subletter) { -+ case '\0': /* low speed limit */ -+ err = str2unum(&config->low_speed_limit, nextarg); -+ if(err) -+ break; -+ if(!config->low_speed_time) -+ config->low_speed_time = 30; -+ break; ++ case C_SIGN_KEY: ++ err = getstr(&config->sign_key, nextarg, DENY_BLANK); ++ break; ++#endif + case C_RANDOM_FILE: /* --random-file */ + case C_EGD_FILE: /* --egd-file */ + case C_NTLM_WB: /* --ntlm-wb */ +diff --git a/src/tool_getparam.h b/src/tool_getparam.h +index 90708e001..b1685b5f1 100644 +--- a/src/tool_getparam.h ++++ b/src/tool_getparam.h +@@ -80,6 +80,10 @@ typedef enum { + C_DUMP_HEADER, + C_ECH, + C_EGD_FILE, +#ifdef HAVE_NTLS -+ case 'c': /* enc certificate */ -+ GetStr(&config->enc_cert, nextarg); -+ break; -+ case 'k': /* enc key */ -+ GetStr(&config->enc_key, nextarg); -+ break; ++ C_ENC_CERT, ++ C_ENC_KEY, +#endif -+ } - break; - case 'Z': - switch(subletter) { -diff --git a/src/tool_listhelp.c b/src/tool_listhelp.c -index 4e7a6dd63..351b0dac1 100644 ---- a/src/tool_listhelp.c -+++ b/src/tool_listhelp.c -@@ -69,6 +69,23 @@ const struct helptxt helptext[] = { - {" --cert-type ", - "Certificate type (DER/PEM/ENG/P12)", - CURLHELP_TLS}, + C_ENGINE, + C_EPRT, + C_EPSV, +@@ -241,6 +245,10 @@ typedef enum { + C_SESSIONID, + C_SHOW_ERROR, + C_SHOW_HEADERS, +#ifdef HAVE_NTLS -+ {" --sign-cert ", -+ "Client sign certificate file", -+ CURLHELP_TLS}, -+ {" --enc-cert ", -+ "Client enc certificate file", -+ CURLHELP_TLS}, -+ {" --sign-key ", -+ "Client sign key file", -+ CURLHELP_TLS}, -+ {" --enc-key ", -+ "Client enc key file", -+ CURLHELP_TLS}, -+ {" --tlcp", -+ "Use TLCPv1.1", -+ CURLHELP_TLS}, ++ C_SIGN_CERT, ++ C_SIGN_KEY, +#endif - {" --ciphers ", - "SSL ciphers to use", - CURLHELP_TLS}, + C_SILENT, + C_SKIP_EXISTING, + C_SOCKS4, +@@ -271,6 +279,9 @@ typedef enum { + C_TEST_EVENT, + C_TFTP_BLKSIZE, + C_TFTP_NO_OPTIONS, ++#ifdef HAVE_NTLS ++ C_TLCP, ++#endif + C_TIME_COND, + C_TLS_EARLYDATA, + C_TLS_MAX, diff --git a/src/tool_operate.c b/src/tool_operate.c -index 697b64e38..eb6a643f1 100644 +index 1bba71f82..7496e281f 100644 --- a/src/tool_operate.c +++ b/src/tool_operate.c -@@ -1927,6 +1927,12 @@ static CURLcode single_transfer(struct GlobalConfig *global, - free(certdata); - } - else -+#endif +@@ -1285,6 +1285,12 @@ static CURLcode config2setopts(struct GlobalConfig *global, + my_setopt_str(curl, CURLOPT_SSLKEYTYPE, config->key_type); + my_setopt_str(curl, CURLOPT_PROXY_SSLKEYTYPE, + config->proxy_key_type); +#ifdef HAVE_NTLS -+ my_setopt_str(curl, CURLOPT_SSLSIGNCERT, config->sign_cert); -+ my_setopt_str(curl, CURLOPT_SSLSIGNKEY, config->sign_key); -+ my_setopt_str(curl, CURLOPT_SSLENCCERT, config->enc_cert); -+ my_setopt_str(curl, CURLOPT_SSLENCKEY, config->enc_key); - #endif - my_setopt_str(curl, CURLOPT_SSLKEY, config->key); - my_setopt_str(curl, CURLOPT_PROXY_SSLKEY, config->proxy_key); -diff --git a/tests/manpage-scan.pl b/tests/manpage-scan.pl -index c09e979d0..6ad4e9e8b 100755 ---- a/tests/manpage-scan.pl -+++ b/tests/manpage-scan.pl -@@ -171,6 +171,13 @@ my %opts = ( - # for tests and debug only, can remain hidden ++ my_setopt_str(curl, CURLOPT_SSLSIGNCERT, config->sign_cert); ++ my_setopt_str(curl, CURLOPT_SSLSIGNKEY, config->sign_key); ++ my_setopt_str(curl, CURLOPT_SSLENCCERT, config->enc_cert); ++ my_setopt_str(curl, CURLOPT_SSLENCKEY, config->enc_key); ++#endif + + /* libcurl default is strict verifyhost -> 1L, verifypeer -> 1L */ + if(config->insecure_ok) { +diff --git a/tests/test1139.pl b/tests/test1139.pl +index 0c99ab6f3..7f9a12e11 100755 +--- a/tests/test1139.pl ++++ b/tests/test1139.pl +@@ -183,6 +183,13 @@ my %opts = ( + '--test-duphandle' => 6, '--test-event' => 6, '--wdebug' => 6, + @@ -1085,3 +911,291 @@ index c09e979d0..6ad4e9e8b 100755 ); +diff --git a/winbuild/Makefile.vc b/winbuild/Makefile.vc +index bc20d05d8..090a425d3 100644 +--- a/winbuild/Makefile.vc ++++ b/winbuild/Makefile.vc +@@ -124,6 +124,14 @@ USE_UNICODE = true + USE_UNICODE = false + !ENDIF + ++!IFNDEF ENABLE_NTLS ++USE_NTLS = false ++!ELSEIF "$(ENABLE_NTLS)"=="yes" ++USE_NTLS = true ++!ELSEIF "$(ENABLE_NTLS)"=="no" ++USE_NTLS = false ++!ENDIF ++ + CONFIG_NAME_LIB = libcurl + + !IF "$(WITH_SSL)"=="dll" +@@ -303,6 +311,7 @@ $(MODE): + @SET USE_UNICODE=$(USE_UNICODE) + # compatibility bit + @SET WITH_NGHTTP2=$(WITH_NGHTTP2) ++ @SET USE_NTLS=$(USE_NTLS) + + @$(MAKE) /NOLOGO /F MakefileBuild.vc + +diff --git a/winbuild/MakefileBuild.vc b/winbuild/MakefileBuild.vc +index aee03d564..006a963f9 100644 +--- a/winbuild/MakefileBuild.vc ++++ b/winbuild/MakefileBuild.vc +@@ -141,6 +141,11 @@ SSL_CFLAGS = $(SSL_CFLAGS) /DCURL_DISABLE_OPENSSL_AUTO_LOAD_CONFIG + !ENDIF + !ENDIF + ++!IF "$(USE_NTLS)"=="true" ++SSL_CFLAGS = $(SSL_CFLAGS) /DUSE_NTLS ++CURL_CFLAGS = $(CURL_CFLAGS) /DUSE_NTLS ++!ENDIF ++ + !IF "$(DISABLE_WEBSOCKETS)"=="true" + CFLAGS = $(CFLAGS) /DCURL_DISABLE_WEBSOCKETS=1 + !ENDIF +diff --git a/docs/cmdline-opts/enc-key.md b/docs/cmdline-opts/enc-key.md +new file mode 100644 +index 000000000..f16705980 +--- /dev/null ++++ b/docs/cmdline-opts/enc-key.md +@@ -0,0 +1,21 @@ ++--- ++c: Copyright (C) Daniel Stenberg, , et al. ++SPDX-License-Identifier: curl ++Long: enc-key ++Arg: ++Protocols: NTLS ++Help: Client encryption private key file ++Category: tls ++Added: 7.80.0 ++Multi: single ++See-also: ++ - enc-cert ++ - sign-cert ++ - sign-key ++Example: ++ - --enc-cert certificate --enc-key key here $URL ++--- ++ ++# `--enc-key` ++ ++Client encryption private key file. +diff --git a/docs/cmdline-opts/sign-key.md b/docs/cmdline-opts/sign-key.md +new file mode 100644 +index 000000000..6658e60ef +--- /dev/null ++++ b/docs/cmdline-opts/sign-key.md +@@ -0,0 +1,21 @@ ++--- ++c: Copyright (C) Daniel Stenberg, , et al. ++SPDX-License-Identifier: curl ++Long: sign-key ++Arg: ++Protocols: NTLS ++Help: Client signature private key file ++Category: tls ++Added: 7.80.0 ++Multi: single ++See-also: ++ - sign-cert ++ - enc-cert ++ - enc-key ++Example: ++ - --sign-cert certificate --sign-key key here $URL ++--- ++ ++# `--sign-key` ++ ++Client signature private key file. +diff --git a/docs/cmdline-opts/tlcp.md b/docs/cmdline-opts/tlcp.md +new file mode 100644 +index 000000000..c2ab8e690 +--- /dev/null ++++ b/docs/cmdline-opts/tlcp.md +@@ -0,0 +1,20 @@ ++--- ++c: Copyright (C) Daniel Stenberg, , et al. ++SPDX-License-Identifier: curl ++Long: tlcp ++Help: TLCP ++Protocols: TLCP ++Added: 7.80.0 ++Category: tls ++Multi: mutex ++See-also: ++ - tls-max ++Example: ++ - --tlcp $URL ++--- ++ ++# `--tlcp` ++ ++Forces curl to use TLCP version 1.1 when connecting to a remote server. ++ ++Note that TLCP is only supported by Tongsuo backend. +diff --git a/docs/options-in-versions b/docs/options-in-versions +index a7a11630d..872509f0a 100644 +--- a/docs/options-in-versions ++++ b/docs/options-in-versions +@@ -58,6 +58,8 @@ + --dump-header (-D) 5.7 + --ech 8.8.0 + --egd-file 7.7 ++--enc-cert 7.80.0 ++--enc-key 7.80.0 + --engine 7.9.3 + --etag-compare 7.68.0 + --etag-save 7.68.0 +@@ -217,6 +219,8 @@ + --service-name 7.43.0 + --show-error (-S) 5.9 + --show-headers (-i) 4.8 ++--sign-cert 7.80.0 ++--sign-key 7.80.0 + --silent (-s) 4.0 + --skip-existing 8.10.0 + --socks4 7.15.2 +@@ -246,6 +250,7 @@ + --tftp-blksize 7.20.0 + --tftp-no-options 7.48.0 + --time-cond (-z) 5.8 ++--tlcp 7.80.0 + --tls-earlydata 8.11.0 + --tls-max 7.54.0 + --tls13-ciphers 7.61.0 +diff --git a/docs/cmdline-opts/Makefile.inc b/docs/cmdline-opts/Makefile.inc +index 3bcffa49f..6bcaa092b 100644 +--- a/docs/cmdline-opts/Makefile.inc ++++ b/docs/cmdline-opts/Makefile.inc +@@ -93,6 +93,8 @@ DPAGES = \ + dump-header.md \ + ech.md \ + egd-file.md \ ++ enc-cert.md \ ++ enc-key.md \ + engine.md \ + etag-compare.md \ + etag-save.md \ +@@ -252,6 +254,8 @@ DPAGES = \ + service-name.md \ + show-error.md \ + show-headers.md \ ++ sign-cert.md \ ++ sign-key.md \ + silent.md \ + skip-existing.md \ + socks4.md \ +@@ -281,6 +285,7 @@ DPAGES = \ + tftp-blksize.md \ + tftp-no-options.md \ + time-cond.md \ ++ tlcp.md \ + tls-earlydata.md \ + tls-max.md \ + tls13-ciphers.md \ +diff --git a/src/tool_listhelp.c b/src/tool_listhelp.c +index 2d5f2b3ab..38d64cbb5 100644 +--- a/src/tool_listhelp.c ++++ b/src/tool_listhelp.c +@@ -177,6 +177,12 @@ const struct helptxt helptext[] = { + {" --egd-file ", + "EGD socket path for random data", + CURLHELP_DEPRECATED}, ++ {" --enc-cert ", ++ "Client encryption certificate file", ++ CURLHELP_TLS}, ++ {" --enc-key ", ++ "Client encryption private key file", ++ CURLHELP_TLS}, + {" --engine ", + "Crypto engine to use", + CURLHELP_TLS}, +@@ -659,6 +665,12 @@ const struct helptxt helptext[] = { + {"-i, --show-headers", + "Show response headers in output", + CURLHELP_IMPORTANT | CURLHELP_VERBOSE | CURLHELP_OUTPUT}, ++ {" --sign-cert ", ++ "Client signature certificate file", ++ CURLHELP_TLS}, ++ {" --sign-key ", ++ "Client signature private key file", ++ CURLHELP_TLS}, + {"-s, --silent", + "Silent mode", + CURLHELP_IMPORTANT | CURLHELP_VERBOSE}, +@@ -748,6 +760,9 @@ const struct helptxt helptext[] = { + {"-z, --time-cond