gskit: remove

We remove support for building curl with gskit.

 - This is a niche TLS library, only running on some IBM systems
 - no regular curl contributors use this backend
 - no CI builds use or verify this backend
 - gskit, or the curl adaption for it, lacks many modern TLS features
   making it an inferior solution
 - build breakages in this code take weeks or more to get detected
 - fixing gskit code is mostly done "flying blind"

This removal has been advertized in DEPRECATED in Jan 2, 2023 and it has
been mentioned on the curl-library mailing list.

It could be brought back, this is not a ban. Given proper effort and
will, gskit support is welcome back into the curl TLS backend family.

Closes curl#11460

Author: bagder

docs/CIPHERS.md

@@ -165,71 +165,6 @@ When specifying multiple cipher names, separate them with colon (`:`).
 `TLS_AES_128_CCM_8_SHA256`
 `TLS_AES_128_CCM_SHA256`
 
-## GSKit
-
-Ciphers are internally defined as [numeric
-codes](https://www.ibm.com/support/knowledgecenter/ssw_ibm_i_73/apis/gsk_attribute_set_buffer.htm). libcurl
-maps them to the following case-insensitive names.
-
-### SSL2 cipher suites (insecure: disabled by default)
-
-`rc2-md5`
-`rc4-md5`
-`exp-rc2-md5`
-`exp-rc4-md5`
-`des-cbc-md5`
-`des-cbc3-md5`
-
-### SSL3 cipher suites
-
-`null-md5`
-`null-sha`
-`rc4-md5`
-`rc4-sha`
-`exp-rc2-cbc-md5`
-`exp-rc4-md5`
-`exp-des-cbc-sha`
-`des-cbc3-sha`
-
-### TLS v1.0 cipher suites
-
-`null-md5`
-`null-sha`
-`rc4-md5`
-`rc4-sha`
-`exp-rc2-cbc-md5`
-`exp-rc4-md5`
-`exp-des-cbc-sha`
-`des-cbc3-sha`
-`aes128-sha`
-`aes256-sha`
-
-### TLS v1.1 cipher suites
-
-`null-md5`
-`null-sha`
-`rc4-md5`
-`rc4-sha`
-`exp-des-cbc-sha`
-`des-cbc3-sha`
-`aes128-sha`
-`aes256-sha`
-
-### TLS v1.2 cipher suites
-
-`null-md5`
-`null-sha`
-`null-sha256`
-`rc4-md5`
-`rc4-sha`
-`des-cbc3-sha`
-`aes128-sha`
-`aes256-sha`
-`aes128-sha256`
-`aes256-sha256`
-`aes128-gcm-sha256`
-`aes256-gcm-sha384`
-
 ## WolfSSL
 
 `RC4-SHA`,

docs/DEPRECATE.md

@@ -6,18 +6,6 @@ email the
 as soon as possible and explain to us why this is a problem for you and
 how your use case cannot be satisfied properly using a workaround.
 
-## gskit
-
-We remove support for building curl with the gskit TLS library in August 2023.
-
-- This is a niche TLS library, only running on some IBM systems
-- no regular curl contributors use this backend
-- no CI builds use or verify this backend
-- gskit, or the curl adaption for it, lacks many modern TLS features making it
-  an inferior solution
-- build breakages in this code take weeks or more to get detected
-- fixing gskit code is mostly done "flying blind"
-
 ## mingw v1
 
 We remove support for building curl with the original legacy mingw version 1
@@ -57,3 +45,5 @@ curl will remove the support for space-separated names in July 2024.
  - NPN
  - Support for systems without 64 bit data types
  - NSS
+ - gskit
+

docs/FAQ

@@ -423,9 +423,9 @@ FAQ
 
   curl can be built to use one of the following SSL alternatives: OpenSSL,
   libressl, BoringSSL, AWS-LC, GnuTLS, wolfSSL, mbedTLS, Secure Transport
-  (native iOS/OS X), Schannel (native Windows), GSKit (native IBM i), BearSSL,
-  or Rustls. They all have their pros and cons, and we try to maintain a
-  comparison of them here: https://curl.se/docs/ssl-compared.html
+  (native iOS/OS X), Schannel (native Windows), BearSSL or Rustls. They all
+  have their pros and cons, and we try to maintain a comparison of them here:
+  https://curl.se/docs/ssl-compared.html
 
   2.4 Does curl support SOCKS (RFC 1928) ?
 

docs/INTERNALS.md

@@ -27,7 +27,6 @@ versions of libs and build tools.
  - wolfSSL      2.0.0
  - OpenLDAP     2.0
  - MIT Kerberos 1.2.4
- - GSKit        V5R3M0
  - Heimdal      ?
  - nghttp2      1.15.0
  - WinSock      2.2 (on Windows 95+ and Windows CE .NET 4.1+)

docs/cmdline-opts/page-footer

@@ -60,9 +60,8 @@ the case insensitive name of the particular backend to use when curl is
 invoked. Setting a name that is not a built-in alternative will make curl
 stay with the default.
 
-SSL backend names (case-insensitive): **bearssl**, **gnutls**, **gskit**,
-**mbedtls**, **openssl**, **rustls**, **schannel**, **secure-transport**,
-**wolfssl**
+SSL backend names (case-insensitive): **bearssl**, **gnutls**, **mbedtls**,
+**openssl**, **rustls**, **schannel**, **secure-transport**, **wolfssl**
 .IP "HOME <dir>"
 If set, this is used to find the home directory when that is needed. Like when
 looking for the default .curlrc. *CURL_HOME* and *XDG_CONFIG_HOME*

docs/cmdline-opts/pinnedpubkey.d

@@ -23,7 +23,7 @@ abort the connection before sending or receiving any data.
 
 PEM/DER support:
 
-7.39.0: OpenSSL, GnuTLS and GSKit
+7.39.0: OpenSSL and GnuTLS
 
 7.43.0: wolfSSL
 

docs/cmdline-opts/write-out.d

@@ -49,7 +49,7 @@ The variables available are:
 .TP 15
 **certs**
 Output the certificate chain with details. Supported only by the OpenSSL,
-GnuTLS, Schannel, GSKit and Secure Transport backends. (Added in 7.88.0)
+GnuTLS, Schannel and Secure Transport backends. (Added in 7.88.0)
 .TP
 **content_type**
 The Content-Type of the requested document, if there was any.
@@ -105,7 +105,7 @@ The http method used in the most recent HTTP request. (Added in 7.72.0)
 .TP
 **num_certs**
 Number of server certificates received in the TLS handshake. Supported only by
-the OpenSSL, GnuTLS, Schannel, GSKit and Secure Transport backends. (Added
+the OpenSSL, GnuTLS, Schannel and Secure Transport backends. (Added
 in 7.88.0)
 .TP
 **num_connects**

docs/libcurl/curl_global_sslset.3

@@ -38,7 +38,7 @@ typedef enum {
   CURLSSLBACKEND_OPENSSL = 1, /* or one of its forks */
   CURLSSLBACKEND_GNUTLS = 2,
   CURLSSLBACKEND_NSS = 3,
-  CURLSSLBACKEND_GSKIT = 5,
+  CURLSSLBACKEND_GSKIT = 5, /* deprecated */
   CURLSSLBACKEND_POLARSSL = 6, /* deprecated */
   CURLSSLBACKEND_WOLFSSL = 7,
   CURLSSLBACKEND_SCHANNEL = 8,

docs/libcurl/libcurl-env.3

@@ -50,7 +50,7 @@ specific backend at first use. If no selection is done by the program using
 libcurl, this variable's selection will be used. Setting a name that is not a
 built-in alternative will make libcurl stay with the default.
 
-SSL backend names (case-insensitive): BearSSL, GnuTLS, gskit, mbedTLS,
+SSL backend names (case-insensitive): BearSSL, GnuTLS, mbedTLS,
 nss, OpenSSL, rustls, Schannel, Secure-Transport, wolfSSL
 .IP HOME
 When the netrc feature is used (\fICURLOPT_NETRC(3)\fP), this variable is

docs/libcurl/opts/CURLINFO_CERTINFO.3

@@ -75,7 +75,7 @@ if(curl) {
 }
 .fi
 .SH AVAILABILITY
-This option is only working in libcurl built with OpenSSL, Schannel, GSKit or
+This option is only working in libcurl built with OpenSSL, Schannel or
 Secure Transport support. Schannel support added in 7.50.0. Secure Transport
 support added in 7.79.0.
 

docs/libcurl/opts/CURLINFO_TLS_SESSION.3

@@ -63,8 +63,8 @@ if(curl) {
 }
 .fi
 .SH AVAILABILITY
-Added in 7.34.0. Deprecated since 7.48.0 and supported OpenSSL, GnuTLS,
-NSS and gskit only up until this version was released.
+Added in 7.34.0. Deprecated since 7.48.0 and supported OpenSSL, GnuTLS, and
+NSS only up until this version was released.
 .SH RETURN VALUE
 Returns CURLE_OK if the option is supported, and CURLE_UNKNOWN_OPTION if not.
 .SH "SEE ALSO"

docs/libcurl/opts/CURLINFO_TLS_SSL_PTR.3

@@ -57,18 +57,15 @@ struct curl_tlssessioninfo {
 The \fIbackend\fP struct member is one of the defines in the CURLSSLBACKEND_*
 series: CURLSSLBACKEND_NONE (when built without TLS support),
 CURLSSLBACKEND_WOLFSSL, CURLSSLBACKEND_SECURETRANSPORT, CURLSSLBACKEND_GNUTLS,
-CURLSSLBACKEND_GSKIT, CURLSSLBACKEND_MBEDTLS, CURLSSLBACKEND_NSS,
-CURLSSLBACKEND_OPENSSL, CURLSSLBACKEND_SCHANNEL or
-CURLSSLBACKEND_MESALINK. (Note that the OpenSSL forks are all reported as just
-OpenSSL here.)
+CURLSSLBACKEND_MBEDTLS, CURLSSLBACKEND_NSS, CURLSSLBACKEND_OPENSSL,
+CURLSSLBACKEND_SCHANNEL or CURLSSLBACKEND_MESALINK. (Note that the OpenSSL
+forks are all reported as just OpenSSL here.)
 
 The \fIinternals\fP struct member will point to a TLS library specific pointer
 for the active ("in use") SSL connection, with the following underlying types:
 .RS
 .IP GnuTLS
 \fBgnutls_session_t\fP
-.IP gskit
-\fBgsk_handle\fP
 .IP NSS
 \fBPRFileDesc *\fP
 .IP OpenSSL

docs/libcurl/opts/CURLOPT_CERTINFO.3

@@ -74,7 +74,7 @@ if(curl) {
 }
 .fi
 .SH AVAILABILITY
-This option is supported by the OpenSSL, GnuTLS, Schannel, GSKit and Secure
+This option is supported by the OpenSSL, GnuTLS, Schannel and Secure
 Transport backends. Schannel support added in 7.50.0. Secure Transport support
 added in 7.79.0.
 .SH RETURN VALUE

docs/libcurl/opts/CURLOPT_PINNEDPUBLICKEY.3

@@ -102,8 +102,6 @@ PEM/DER support:
 
   7.39.0: OpenSSL, GnuTLS
 
-  7.39.0-7.48.0,7.58.1+: GSKit
-
   7.43.0: wolfSSL
 
   7.47.0: mbedTLS

docs/libcurl/opts/CURLOPT_PROXY_PINNEDPUBLICKEY.3

@@ -98,7 +98,7 @@ footer:
 .SH AVAILABILITY
 PEM/DER support:
 
-  7.52.0: GSKit, GnuTLS, OpenSSL, mbedTLS, wolfSSL
+  7.52.0: GnuTLS, OpenSSL, mbedTLS, wolfSSL
 
 sha256 support:
 

include/curl/curl.h

@@ -161,7 +161,7 @@ typedef enum {
   CURLSSLBACKEND_GNUTLS = 2,
   CURLSSLBACKEND_NSS = 3,
   CURLSSLBACKEND_OBSOLETE4 = 4,  /* Was QSOSSL. */
-  CURLSSLBACKEND_GSKIT = 5,
+  CURLSSLBACKEND_GSKIT                  CURL_DEPRECATED(8.3.0, "") = 5,
   CURLSSLBACKEND_POLARSSL               CURL_DEPRECATED(7.69.0, "") = 6,
   CURLSSLBACKEND_WOLFSSL = 7,
   CURLSSLBACKEND_SCHANNEL = 8,
@@ -2824,8 +2824,8 @@ CURL_EXTERN void curl_slist_free_all(struct curl_slist *list);
  */
 CURL_EXTERN time_t curl_getdate(const char *p, const time_t *unused);
 
-/* info about the certificate chain, only for OpenSSL, GnuTLS, Schannel, NSS
-   and GSKit builds. Asked for with CURLOPT_CERTINFO / CURLINFO_CERTINFO */
+/* info about the certificate chain, only for OpenSSL, GnuTLS, Schannel and
+   NSS builds. Asked for with CURLOPT_CERTINFO / CURLINFO_CERTINFO */
 struct curl_certinfo {
   int num_of_certs;             /* number of certificates with information */
   struct curl_slist **certinfo; /* for each index in this array, there's a

lib/Makefile.inc

@@ -44,7 +44,6 @@ LIB_VAUTH_HFILES =      \
 
 LIB_VTLS_CFILES =           \
   vtls/bearssl.c            \
-  vtls/gskit.c              \
   vtls/gtls.c               \
   vtls/hostcheck.c          \
   vtls/keylog.c             \
@@ -61,7 +60,6 @@ LIB_VTLS_CFILES =           \
 
 LIB_VTLS_HFILES =           \
   vtls/bearssl.h            \
-  vtls/gskit.h              \
   vtls/gtls.h               \
   vtls/hostcheck.h          \
   vtls/keylog.h             \

lib/config-os400.h

@@ -338,9 +338,6 @@
 /* Define to the function return type for send. */
 #define SEND_TYPE_RETV int
 
-/* Define to use the GSKit package. */
-#define USE_GSKIT
-
 /* Define to use the OS/400 crypto library. */
 #define USE_OS400CRYPTO
 

lib/curl_setup.h

@@ -647,7 +647,7 @@
 
 #if defined(USE_GNUTLS) || defined(USE_OPENSSL) || defined(USE_MBEDTLS) || \
   defined(USE_WOLFSSL) || defined(USE_SCHANNEL) || defined(USE_SECTRANSP) || \
-  defined(USE_GSKIT) || defined(USE_BEARSSL) || defined(USE_RUSTLS)
+  defined(USE_BEARSSL) || defined(USE_RUSTLS)
 #define USE_SSL    /* SSL support has been enabled */
 #endif
 

lib/rand.c

@@ -188,7 +188,7 @@ static CURLcode randit(struct Curl_easy *data, unsigned int *rnd)
  * 'rnd' points to.
  *
  * If libcurl is built without TLS support or with a TLS backend that lacks a
- * proper random API (rustls, Gskit or mbedTLS), this function will use "weak"
+ * proper random API (rustls or mbedTLS), this function will use "weak"
  * random.
  *
  * When built *with* TLS support and a backend that offers strong random, it

lib/rand.h

@@ -24,20 +24,6 @@
  *
  ***************************************************************************/
 
-/*
- * Curl_rand() stores 'num' number of random unsigned characters in the buffer
- * 'rnd' points to.
- *
- * If libcurl is built without TLS support or with a TLS backend that lacks a
- * proper random API (Gskit or mbedTLS), this function will use "weak" random.
- *
- * When built *with* TLS support and a backend that offers strong random, it
- * will return error if it cannot provide strong random values.
- *
- * NOTE: 'data' may be passed in as NULL when coming from external API without
- * easy handle!
- *
- */
 CURLcode Curl_rand(struct Curl_easy *data, unsigned char *rnd, size_t num);
 
 /*