Why everyone uses curl – Japanese Special
August 5, 2020
Daniel Stenberg (@bagder)
what is curl
who uses curl
why do they use curl
who makes curl
how we make curl
how we support curl
Q&A
A client-side command line tool and library for transferring data using Internet protocols
Transfers data using FILE, FTP, FTPS, HTTP, HTTPS, IMAP, LDAP, POP3, RTMP, RTSP, SCP, SFTP, SMTP, TFTP (and more)
curl is supported Open Source!
Polished and hardened since 1998
Licensed under MIT
Supported by wolfSSL (and Daniel)
Daniel is the founder and lead developer
… and time passed...
Number of lines of code
First curl release
2200
Widely used
16 Software, 1C Company, ACCESS, Actuate, Adara Networks, AddLive, Adobe, Aditiva, Adknowledge, alaTEST, Altera, Altova, Ananse Productions, AOL, Apple, Archivas, ATX, AT&T, Autodesk, Avaya, Backblaze, BBC, Bietfuchs, Biicode, Bitcartel, Blackberry, Blizzard, Bloglines.com, Blue Digits, Blue Security, BMW, Bosch, Broadcom, bwin, Candela Technologies, Canonical, Carestream Health, Cascade Data Systems, CatchFIRE Systems, CERN, CheckPoint, Chevrolet, Chronos, Cisco, Citrix, CLAAS Tractor SAS, Comcast, Contactor, CounterPath, Cybernetica, Datasphere, Datordax, Denon, DesignQuotes, Device Scape, Digium, EdelWeb, EFS Technology, Eiffel Software, Electronic Arts, Emsoft, Enigma Software, Euroling, Ergon Informatik, ESRI, etikett.de, www.expandtalk.se, Eye-Fi, E2E Technologies Ltd, F-Secure, Facebook, FalconView, Feitian Technologies, FriendFeed, FMWebschool, GeekDrop, GRIN, Groopex, Grooveshark, focuseek, Games Workshop, Garmin, GipsyMedia, Google, Haxx, HPC, Heynow Software, Hitachi, Honeywell, HP, Huawei, HTC, inSORS, IBM, ideelabor.ee, Idruna Software Inc, Id Software, Infomedia Business Systems Division, Informatica, Information Handling Services, Insignia, Instagram, Intel, Internet Security Systems, Intra2net AG, isee systems, Jajja Communications, Jawbone, JET, JLynx Software, Kajala Group Ltd., Kaleidescape, Karelia, Kaseya, kencast inc, Kerio Technologies, Kongsberg Spacetec, LassoSoft, lastpass, LG, LifeSize Software, Linden Lab, Machina Networks, Macromates, Macromedia, Magic TV, Matrix Science, Mandiant, MandrakeSoft, Marantz, Mazda, McAfee, MediaAnalys, Mellanox, Mercedes-Benz, Metaio, Micromuse Inc., Miniclip, Modio, MokaFive, Inc, Momento, Moodstocks, Motorola, Mozilla, Music FX Live, Nagarsoft, Neptune Labs, Nest, Netflix, Netgear, Netiq, Network Mail, Neuros, Nintendo, NoDesign, Nortel, Office2office Plc, OKTET Labs Ltd, One Laptop Per Child, Onkyo, On Technology, OpenLogic, opsmate, Optimsys, Oracle, Outrider, Palm, Panasonic, Pandigital, Parrot, Passiv 
Systems, Pelco, Philips, Pioneer, Plogue, Pocket Gems, Polaroid Corporation, Polycom, Pure Storage, Quest, QVD, QNX, RBS, Research in Motion, Retarus Network Services GmbH, Riverbed, ROBLOX, Rockstar Games, Rolltech, Inc, RSA Security Inc, RSSS, Samsung, SanDisk, SAP, SAS Institute, SEB, Sharp, Siemens, Silicon Landmark, Sjphone, Slingbox, SmithMicro, Sony, Sophos, Source Remoting, Splunk, Spotify, Steambird, Sun, SurfEasy Inc, Swisscom, Symantec, System Garden, Tango, tasvideos, Tellabs, Telstra, Telvue, Thumbtack, Tilgin, Tomtom, ToolAware, Toshiba, Trend Micro, Tribalmedia, Trion Worlds, Tiempo de Espera, Unisys, UniPlot, Unity3d, ustream, Valve, VETport, Vivisimo, Vmware, Voddler, Volition Inc, Vuo, Wump Research, Xilinx, XonaSoftware, Yahoo, Yamaha, Yubico, Zimbra, Zixcorp, Zonar Systems, Zyxel, Z2,
10,000,000,000 installations
Why use libcurl?
Commercial support – from wolfSSL
Stable well-documented API – examples from 2001 still work
Same API everywhere – 70 OSs, 20 CPU architectures
Open source – free and immortal
Rock solid – battle proven, furiously maintained, secure
Customizable – use what you want, disable what you don’t
Internet hardened – speaks protocols the way they should
Multiple protocols – 50% of users use more than two!
Keeps up – TLS 1.3, HTTP/2, HTTP/3, ...
Customize
Customize it for your needs
1. Tiny-curl
2. FIPS ready
3. Configurable build
Customize: tiny-curl
Small footprint HTTPS transfers
Built with wolfSSL
< 100K file size on 32 bit architectures*
Ported to FreeRTOS
Supported by wolfSSL
Customize: FIPS-ready
Customizable TLS backend
Select a backend that is FIPS ready (wolfSSL)
curl and libcurl usage and API remain the same
Supported by wolfSSL
Customize: configurable
Cherry-pick individual features
Cherry-pick individual third party libs
Easily ported to additional OSes
Still using the same API
Supported by wolfSSL
Features can be disabled at build-time
pthreads, crypto auth, sspi, verbose output
ntlm-wb, cookies, unix-sockets, TLS SRP
HTTP auth, date parser, MIME, DNS-over-HTTPS
netrc, alt-svc, DNS shuffle, progress meter
libcurl
72 operating systems
libcurl
Linux, FreeBSD, macOS, Windows, MS DOS, SCO Unix, z/OS, WebOS, ipadOS
NetBSD, Tru64, VMS, OpenBSD, Haiku, RISC OS, UNICOS, Tizen, PlayStation Portable
Cell OS, IRIX, ucLinux, HP-UX, OS/2, ChromeOS, MPE/iX, NCR MP-RAS, ReactOS
OS/400, AmigaOS, Symbian, Solaris, Netware, Hurd, SINIX-Z, Syllable OS, SunOS
Ultrix, eCOS, BeOS, TPF, QNX, Plan 9, NonStop OS, tvOS, Lineage OS
Android, Integrity, iOS, MINIX, FreeRTOS, OS21, Cygwin, Mbed, Blackberry 10
UnixWare, Mac OS 9, AIX, Illumos, Windows CE, Sailfish OS, vxWorks, Blackberry Tablet OS
DragonFly BSD, Serenity, Fuchsia, Nintendo Switch, Redox, Genode, Hardened BSD, FreeDOS, Garmin OS
NuttX
20 CPU architectures
libcurl
x86, MIPS, ARM, PowerPC
SPARC, POWER, m68k
s390, HP-PA, SH4, Nios
RISC-V, OpenRISC, ARC, Cell
Itanium, VAX, MicroBlaze, Alpha, Xtensa
How?
821 822 850 854 959 974 1035 1081 1123 1225 1350 1425 1427 1436 1460 1510 1635 1639 1651 1653 1725 1730 1734 1738 1777 1808 1867 1869 1870 1884 1928 1939 1945 1950 1951 1952 1959 1964 2045 2046 2047 2048 2049 2060 2061 2068 2095 2104 2109 2133 2145 2183 2184 2192 2195 2222 2228 2229 2231 2246 2255 2326 2373 2384 2388 2389 2396 2428 2449 2459 2478 2487 2518 2553 2554 2577 2595 2616 2617 2640 2718 2732 2817 2818 2821 2831 2854 2936 2964 2965 3207 3280 3493 3501 3513 3617 3659 3961 3986 4120 4121 4178 4217 4248 4346 4366 4422 4511 4516 4559 4616 4954 4959 5034 5092 5321 5322 5849 6749 7230 7231 7232 7233 7234 7235 7238 7540 7541 7628 7838 8314 8446 8484
133 Relevant RFCs (260,000 lines)
libcurl
1,327,449 words
[Bar chart: word counts, axis from 0 to 1,400,000, for curl RFCs, Harry Potter, Lord of the rings, War and peace]
Who makes curl
2,200 contributors
820 authors
150 authors per year
12 regulars
Daniel
(The boxes are not drawn to scale)
… and time passed...
Number of contributors
… and time passed...
Number of authors
Releases
193 releases since 1998
50-60 contributors per release
Release every 8 weeks
We ship source code only
Secure enough for the billions?
Reviews
(at 94 CVEs and counting)
Code audit
Bug Bounty
Code style
Fuzzing
Docs
Static code analyzers
Valgrind and sanitizers
Many tests
CI like crazy
Code and test policies
Fix all warnings (oh well...)
No defects left
Use the most picky compiler options
As many tests as possible
Fix security issues asap
User support?
Issues and Pull Requests on GitHub
Discussions and help on the public mailing lists
Security issues on HackerOne
Stack Overflow?
Commercial support and private help via wolfSSL
Roadmap
Future: configurable too
Custom development on demand
Merged upstream – or not
Supported by wolfSSL
Learn more about curl!
https://curl.haxx.se/
https://www.wolfssl.com/products/curl/
https://www.wolfssl.jp/products/curl/