From 309daf49771bbe7c5fea26f7daf811a6e4a26fc8 Mon Sep 17 00:00:00 2001
From: Lukas Kastern
Date: Thu, 7 Aug 2025 12:46:42 +0200
Subject: [PATCH 01/10] add boringssl support
---
 build.zig | 40 +++++++++++++++++++++++++++++++---------
 build.zig.zon | 5 +++++
 2 files changed, 36 insertions(+), 9 deletions(-)
diff --git a/build.zig b/build.zig
index 0e6fe3d..3709ceb 100644
--- a/build.zig
+++ b/build.zig
@@ -20,7 +20,8 @@ pub fn build(b: *std.Build) !void {
 const use_wolfssl = dependentBoolOption(b, "use-wolfssl", "Enable wolfSSL for SSL/TLS", false, enable_ssl, false);
 const use_gnutls = dependentBoolOption(b, "use-gnutls", "Enable GnuTLS for SSL/TLS", false, enable_ssl, false);
 const use_rustls = dependentBoolOption(b, "use-rustls", "Enable Rustls for SSL/TLS", false, enable_ssl, false);
- const openssl_default = !(target.result.os.tag == .windows or use_sectransp or use_schannel or use_mbedtls or use_bearssl or use_wolfssl or use_gnutls or use_rustls);
+ const use_boringssl = dependentBoolOption(b, "use-boringssl", "Enable BoringSSL for SSL/TLS", false, enable_ssl, false);
+ const openssl_default = !(target.result.os.tag == .windows or use_sectransp or use_schannel or use_mbedtls or use_bearssl or use_wolfssl or use_gnutls or use_rustls or use_boringssl);
 const use_openssl = dependentBoolOption(b, "use-openssl", "Enable OpenSSL for SSL/TLS", openssl_default, enable_ssl, false);
 const default_ssl_backend = b.option(enum {
@@ -28,6 +29,7 @@ pub fn build(b: *std.Build) !void {
 gnutls,
 mbedtls,
 openssl,
+ boringssl,
 schannel,
 @"secure-transport",
 }, "default-ssl-backend", "Override default TLS backend in MultiSSL builds.");
@@ -276,15 +278,14 @@ pub fn build(b: *std.Build) !void {
 @as(usize, @intFromBool(use_bearssl)) +
 @as(usize, @intFromBool(use_wolfssl)) +
 @as(usize, @intFromBool(use_gnutls)) +
- @as(usize, @intFromBool(use_rustls));
+ @as(usize, @intFromBool(use_rustls)) +
+ @as(usize, @intFromBool(use_boringssl));
 const with_multi_sll = enabled_ssl_options_count > 1;
 if (enabled_ssl_options_count == 0) {
 disable_hsts = true;
 }
- var have_boring_ssl = false; // TODO
- _ = &have_boring_ssl;
 var have_awslc = false; // TODO
 _ = &have_awslc;
@@ -294,6 +295,7 @@ pub fn build(b: *std.Build) !void {
 .gnutls => use_gnutls,
 .mbedtls => use_mbedtls,
 .openssl => use_openssl,
+ .boringssl => use_boringssl,
 .schannel => use_schannel,
 .@"secure-transport" => use_sectransp,
 };
@@ -311,7 +313,7 @@ pub fn build(b: *std.Build) !void {
 }
 if (use_openssl) {
- // TODO BoringSSL, AWS-LC, LibreSSL, and quictls
+ // TODO AWS-LC, LibreSSL, and quictls
 if (b.systemIntegrationOption("openssl", .{})) {
 curl.root_module.linkSystemLibrary("openssl", .{});
 } else {
@@ -323,9 +325,24 @@ pub fn build(b: *std.Build) !void {
 }
 }
 // TODO -DOPENSSL_SUPPRESS_DEPRECATED
- // TODO HAVE_BORINGSSL
 // TODO HAVE_AWSLC
 }
+
+ if (use_boringssl) {
+ if (b.systemIntegrationOption("boringssl", .{})) {
+ curl.root_module.linkSystemLibrary("boringssl", .{});
+ } else {
+ if (b.lazyDependency("boringssl", .{
+ .target = target,
+ .optimize = optimize,
+ })) |dependency| {
+ curl.root_module.linkLibrary(dependency.artifact("bcm"));
+ curl.root_module.linkLibrary(dependency.artifact("ssl"));
+ curl.root_module.linkLibrary(dependency.artifact("crypto"));
+ }
+ }
+ }
+
 if (use_mbedtls) {
 if (b.systemIntegrationOption("mbedtls", .{})) {
 curl.root_module.linkSystemLibrary("mbedtls", .{});
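Review bot: Counting `use_boringssl` as a separate backend in this sum lets `use-openssl` and `use-boringssl` both be enabled, and nothing visible in the patch rejects that combination. Both options feed the same `USE_OPENSSL` define (the `@@ -896` hunk) and presumably export the same `SSL_*` symbols, so which TLS implementation the binary really uses would depend on link order. A guard next to the count would fail the build instead, for example `if (use_openssl and use_boringssl) std.debug.panic("OpenSSL and BoringSSL cannot be enabled together", .{});`. The statement this hunk extends begins above the hunk.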
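Review bot: The system-integration branch of the new `if (use_boringssl)` block links a library named `boringssl`, but BoringSSL normally installs as `libssl` and `libcrypto`, so that lookup will probably fail or resolve to something unintended. Linking `ssl` and `crypto` there would match the artifacts used in the vendored branch. The hunk also deletes the `// TODO HAVE_BORINGSSL` marker without defining it anywhere visible; if a later check relies on that define it stays unset. A one-line comment saying why `bcm` is linked as a separate artifact would help the next reader.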
@@ -435,7 +452,7 @@ pub fn build(b: *std.Build) !void {
 if (use_openssl or use_wolfssl) {
 if (use_wolfssl) {
 // ngtcp2_crypto_wolfssl
- } else if (have_boring_ssl or have_awslc) {
+ } else if (use_boringssl or have_awslc) {
 // ngtcp2_crypto_boringssl
 } else {
 // ngtcp2_crypto_quictls
@@ -454,7 +471,7 @@ pub fn build(b: *std.Build) !void {
 std.debug.panic("Only one HTTP/3 backend can be selected", .{});
 }
 // Quiche
- if (!have_boring_ssl) {
+ if (!use_boringssl) {
 std.debug.panic("quiche requires BoringSSL", .{});
 }
 // TODO HAVE_QUICHE_CONN_SET_QLOG_FD
@@ -896,7 +913,7 @@ pub fn build(b: *std.Build) !void {
 .USE_WOLFSSH = use_wolfssh and use_wolfssl and !use_libssh2 and !use_libssh,
 .USE_LIBPSL = use_libpsl,
 .USE_OPENLDAP = !disable_ldap and !use_win32_ldap, // TODO
- .USE_OPENSSL = use_openssl,
+ .USE_OPENSSL = use_openssl or use_boringssl,
 .USE_AMISSL = null, // AMIGA
 .USE_LIBRTMP = use_librtmp,
 .USE_GSASL = use_gsasl,
@@ -937,6 +954,11 @@ pub fn build(b: *std.Build) !void {
 curl.addConfigHeader(curl_config);
 exe.root_module.addConfigHeader(curl_config);
+ // Boring SSL does not hook crypt32 in for us - need to do that ourselves
+ if (use_boringssl and target.result.os.tag == .windows) {
+ exe.linkSystemLibrary("Crypt32");
+ }
+
 // b.getInstallStep().dependOn(&b.addInstallHeaderFile(curl_config.getOutput(), "curl_config.h").step);
 }
diff --git a/build.zig.zon b/build.zig.zon
index f6f4978..43882f4 100644
--- a/build.zig.zon
+++ b/build.zig.zon
@@ -32,6 +32,11 @@
 .hash = "mbedtls-3.6.2-E4NURzYUAABWLBwHJWx_ppb_j2kDSoGfCfR2rI2zs9dz",
 .lazy = true,
 },
+ .boringssl = .{
+ .url = "git+https://github.com/lukaskastern/boringssl#d783826096c28c5afdbb9b3229ab8b3607847eba",
+ .hash = "boringssl-0.20250514.0-EhtkNSbxAgCUK9k3WQtiC7XAPoQbyBomPt2EjHbBiqJw",
+ .lazy = true,
+ },
 },
 .paths = .{
 "build.zig",
From 84bf2447d22f3c538167c093747752e2fc20ceb6 Mon Sep 17 00:00:00 2001
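Review bot: The `use_boringssl` test in the changed `else if` sits inside `if (use_openssl or use_wolfssl) {`, and `openssl_default` is now false whenever `use_boringssl` is set, so a BoringSSL-only build never reaches the `ngtcp2_crypto_boringssl` branch. The outer condition should include the new option: `if (use_openssl or use_boringssl or use_wolfssl) {`. The enclosing block starts and ends outside the hunk, so anything else that depends on that condition is not visible here.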
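Review bot: The new `.boringssl` entry fetches the TLS library from a personal fork (`github.com/lukaskastern/boringssl`) rather than from the upstream project or an organisation-owned mirror. The commit id and `.hash` pin the content, which prevents silent changes, but they do not show how the fork differs from upstream, and later patches in this series move the pin several times. I would add a comment above the entry recording the upstream revision the fork is based on and what the fork adds (presumably the Zig build files), so each bump can be reviewed against upstream.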
From: Lukas Kastern
Date: Thu, 7 Aug 2025 13:07:15 +0200
Subject: [PATCH 02/10] fix ca bundle detection
---
 build.zig | 5 ++---
 1 file changed, 2 insertions(+), 3 deletions(-)
diff --git a/build.zig b/build.zig
index 3709ceb..1963115 100644
--- a/build.zig
+++ b/build.zig
@@ -586,10 +586,10 @@ pub fn build(b: *std.Build) !void {
 // CA handling
 //
- const ca_bundle_autodetect = std.mem.eql(u8, ca_bundle, "auto") and target.query.isNative() and target.result.os.tag != .windows;
+ const ca_bundle_autodetect = std.mem.eql(u8, ca_bundle, "auto") and target.result.os.tag != .windows;
 var ca_bundle_set = !std.mem.eql(u8, ca_bundle, "none") and !std.mem.eql(u8, ca_bundle, "auto");
- const ca_path_autodetect = std.mem.eql(u8, ca_path, "auto") and target.query.isNative() and target.result.os.tag != .windows;
+ const ca_path_autodetect = std.mem.eql(u8, ca_path, "auto") and target.result.os.tag != .windows;
 var ca_path_set = !std.mem.eql(u8, ca_path, "none") and !std.mem.eql(u8, ca_path, "auto");
 if (ca_bundle_set and ca_path_autodetect) {
@@ -598,7 +598,6 @@ pub fn build(b: *std.Build) !void {
 // Skip auto-detection of unset CA bundle because CA path is set explicitly
 } else if (ca_bundle_autodetect or ca_path_autodetect) {
 // First try auto-detecting a CA bundle, then a CA path
-
 if (ca_bundle_autodetect) {
 for ([_][]const u8{
 "/etc/ssl/certs/ca-certificates.crt",
From 6659d805631ae484e3bdcd711832676fd2bc9590 Mon Sep 17 00:00:00 2001
From: Lukas Kastern
Date: Thu, 7 Aug 2025 13:11:14 +0200
Subject: [PATCH 03/10] fix auto detection
---
 build.zig | 29 ++++++++++++++++-------------
 1 file changed, 16 insertions(+), 13 deletions(-)
diff --git a/build.zig b/build.zig
index 1963115..e3916a5 100644
--- a/build.zig
+++ b/build.zig
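Review bot: Dropping `target.query.isNative()` from `ca_bundle_autodetect` and `ca_path_autodetect` means the build host's filesystem is probed even when cross-compiling, and a path found there presumably becomes the default trust-store location for a different machine. On the target that path may be missing, or may hold a different certificate set than intended. If the aim was to allow detection with an explicit but host-equivalent target, keep a target check alongside, e.g. `and target.result.os.tag == b.graph.host.result.os.tag`, and add a comment above both lines stating that detection reads the build host.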
@@ -616,20 +616,23 @@ pub fn build(b: *std.Build) !void {
 if (ca_path_autodetect and !ca_path_set) {
 const search_ca_path: []const u8 = "/etc/ssl/certs";
- const ca_dir = try std.fs.openDirAbsolute(search_ca_path, .{ .iterate = true });
- var ca_dir_it = ca_dir.iterate();
- while (try ca_dir_it.next()) |item| {
- if (item.name.len != 10) continue;
- if (!std.mem.endsWith(u8, item.name, ".0")) continue;
- for (item.name[0..8]) |c| {
- if (!std.ascii.isDigit(c)) continue;
- if (!std.ascii.isLower(c)) continue;
+
+ ca_path = blk: {
+ const ca_dir = std.fs.openDirAbsolute(search_ca_path, .{ .iterate = true }) catch break :blk ca_path;
+ var ca_dir_it = ca_dir.iterate();
+ while (try ca_dir_it.next()) |item| {
+ if (item.name.len != 10) continue;
+ if (!std.mem.endsWith(u8, item.name, ".0")) continue;
+ for (item.name[0..8]) |c| {
+ if (!std.ascii.isDigit(c)) continue;
+ if (!std.ascii.isLower(c)) continue;
+ }
+ // std.log.info("Found CA path: {s}", .{search_ca_path});
+
+ ca_path_set = true;
+ break :blk search_ca_path;
 }
- // std.log.info("Found CA path: {s}", .{search_ca_path});
- ca_path = search_ca_path;
- ca_path_set = true;
- break;
- }
+ };
 }
 var ca_embed_set = false;
From bcd7a660601c1f022e65f44b4e345e8e26f6501f Mon Sep 17 00:00:00 2001
From: Lukas Kastern
Date: Thu, 7 Aug 2025 13:12:28 +0200
Subject: [PATCH 04/10] fix compilation
---
 build.zig | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/build.zig b/build.zig
index e3916a5..d3a1066 100644
--- a/build.zig
+++ b/build.zig
@@ -632,6 +632,8 @@ pub fn build(b: *std.Build) !void {
 ca_path_set = true;
 break :blk search_ca_path;
 }
+
+ break :blk ca_path;
 };
 }
From a65800cef34207481863981b8b9d8094931725b5 Mon Sep 17 00:00:00 2001
From: Lukas Kastern
Date: Sat, 9 May 2026 22:40:57 +0200
Subject: [PATCH 05/10] use latest boringssl
---
 build.zig.zon | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/build.zig.zon b/build.zig.zon
index 60c2fcc..639adcb 100644
--- a/build.zig.zon
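Review bot: The character check in the re-indented `for (item.name[0..8]) |c|` loop never rejects a file name, because both `continue` statements apply to the inner `for`; any ten-character entry ending in `.0` therefore marks `/etc/ssl/certs` as a hashed CA directory. Labelling the outer loop and testing for a lowercase hex digit would make the check effective, e.g. `dir: while (try ca_dir_it.next()) |item| {` with `if (!std.ascii.isDigit(c) and !(c >= 'a' and c <= 'f')) continue :dir;`. The directory handle opened at the top of the block is also never closed; declaring it `var ca_dir` and adding `defer ca_dir.close();` after the open would release it. A short comment on the `catch break :blk ca_path` line saying that a missing directory is deliberately treated as "not found" would document the new behaviour.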
+++ b/build.zig.zon
@@ -33,8 +33,8 @@
 .lazy = true,
 },
 .boringssl = .{
- .url = "git+https://github.com/lukaskastern/boringssl#d783826096c28c5afdbb9b3229ab8b3607847eba",
- .hash = "boringssl-0.20250514.0-EhtkNSbxAgCUK9k3WQtiC7XAPoQbyBomPt2EjHbBiqJw",
+ .url = "git+https://github.com/lukaskastern/boringssl#9ad283afad7e95eb315ab8f455da19951935a4b5",
+ .hash = "boringssl-0.20260508.0-EhtkNTr_AgBdldMVRsK9LWUjafcMFGaWHonByzeb9EHC",
 .lazy = true,
 },
 },
From 95666d3e6a1780a7e4d043de531fa691704c61f8 Mon Sep 17 00:00:00 2001
From: Lukas Kastern
Date: Sat, 9 May 2026 23:14:52 +0200
Subject: [PATCH 06/10] upgrade boringssl
---
 build.zig.zon | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/build.zig.zon b/build.zig.zon
index 639adcb..addac1f 100644
--- a/build.zig.zon
+++ b/build.zig.zon
@@ -33,8 +33,8 @@
 .lazy = true,
 },
 .boringssl = .{
- .url = "git+https://github.com/lukaskastern/boringssl#9ad283afad7e95eb315ab8f455da19951935a4b5",
- .hash = "boringssl-0.20260508.0-EhtkNTr_AgBdldMVRsK9LWUjafcMFGaWHonByzeb9EHC",
+ .url = "git+https://github.com/lukaskastern/boringssl#5b1074600fa56f744fdbfab3cf591455a4034f5a",
+ .hash = "boringssl-0.20260508.0-EhtkNTr_AgAH2zpa4ujBmCTKOhsUo-MJ30-y_AO42NNy",
 .lazy = true,
 },
 },
From 79c7db96e951a5ddbb0180c1412b1d5a2022e1ad Mon Sep 17 00:00:00 2001
From: Lukas Kastern
Date: Sun, 10 May 2026 14:27:38 +0200
Subject: [PATCH 07/10] fix windows host ca detection
---
 build.zig | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/build.zig b/build.zig
index f4fce8e..fb9388c 100644
--- a/build.zig
+++ b/build.zig
@@ -574,10 +574,10 @@ pub fn build(b: *std.Build) !void {
 // CA handling
 //
- const ca_bundle_autodetect = std.mem.eql(u8, ca_bundle, "auto") and target.result.os.tag != .windows;
+ const ca_bundle_autodetect = std.mem.eql(u8, ca_bundle, "auto") and b.graph.host.result.os.tag != .windows;
 var ca_bundle_set = !std.mem.eql(u8, ca_bundle, "none") and !std.mem.eql(u8, ca_bundle, "auto");
- const ca_path_autodetect = std.mem.eql(u8, ca_path, "auto") and target.result.os.tag != .windows;
+ const ca_path_autodetect = std.mem.eql(u8, ca_path, "auto") and b.graph.host.result.os.tag != .windows;
 var ca_path_set = !std.mem.eql(u8, ca_path, "none") and !std.mem.eql(u8, ca_path, "auto");
 if (ca_bundle_set and ca_path_autodetect) {
From 14e71eda2d02b423585898f7cf865b86e88deac2 Mon Sep 17 00:00:00 2001
From: Lukas Kastern
Date: Sun, 10 May 2026 15:41:09 +0200
Subject: [PATCH 08/10] revert accidental comment removal
---
 build.zig | 1 +
 1 file changed, 1 insertion(+)
diff --git a/build.zig b/build.zig
index fb9388c..9bd5562 100644
--- a/build.zig
+++ b/build.zig
@@ -613,6 +613,7 @@ pub fn build(b: *std.Build) !void {
 if (!std.ascii.isDigit(c)) continue;
 if (!std.ascii.isLower(c)) continue;
 }
+ // std.log.info("Found CA path: {s}", .{search_ca_path});
 ca_path = search_ca_path;
 ca_path_set = true;
From ec6d6c6cdc2025dd5111f2bac1d643082b7606a7 Mon Sep 17 00:00:00 2001
From: Lukas Kastern
Date: Sun, 10 May 2026 15:50:51 +0200
Subject: [PATCH 09/10] fix crypt32 linking
---
 build.zig | 9 +++------
 1 file changed, 3 insertions(+), 6 deletions(-)
diff --git a/build.zig b/build.zig
index 9bd5562..f2abaae 100644
--- a/build.zig
+++ b/build.zig
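Review bot: Testing only `b.graph.host.result.os.tag` enables auto-detection for a Windows target built on a non-Windows host, so a host path such as `/etc/ssl/certs/ca-certificates.crt` can presumably end up as the default CA bundle of a Windows binary. The `target.result.os.tag != .windows` test that this hunk removes protected against that case. Both conditions are probably wanted on `ca_bundle_autodetect` and `ca_path_autodetect`: `... and b.graph.host.result.os.tag != .windows and target.result.os.tag != .windows;`.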
@@ -304,9 +304,11 @@ pub fn build(b: *std.Build) !void {
 curl.root_module.linkSystemLibrary("iphlpapi", .{});
 curl.root_module.linkSystemLibrary("bcrypt", .{});
+ if (use_schannel or use_boringssl) {
+ curl.root_module.linkSystemLibrary("crypt32", .{});
+ }
 if (use_schannel) {
 curl.root_module.linkSystemLibrary("advapi32", .{});
- curl.root_module.linkSystemLibrary("crypt32", .{});
 }
 if (enable_windows_sspi) {
 curl.root_module.linkSystemLibrary("secur32", .{});
@@ -958,11 +960,6 @@ pub fn build(b: *std.Build) !void {
 curl.root_module.addConfigHeader(curl_config);
 exe.root_module.addConfigHeader(curl_config);
- // Boring SSL does not hook crypt32 in for us - need to do that ourselves
- if (use_boringssl and target.result.os.tag == .windows) {
- exe.root_module.linkSystemLibrary("Crypt32", .{});
- }
-
 // b.getInstallStep().dependOn(&b.addInstallHeaderFile(curl_config.getOutput(), "curl_config.h").step);
 }
From 25f1e9788638e14ebce895d0e1883ddfd5e023ed Mon Sep 17 00:00:00 2001
From: Lukas Kastern
Date: Sun, 10 May 2026 17:42:28 +0200
Subject: [PATCH 10/10] update boringssl
---
 build.zig.zon | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/build.zig.zon b/build.zig.zon
index addac1f..b2de7f5 100644
--- a/build.zig.zon
+++ b/build.zig.zon
@@ -33,8 +33,8 @@
 .lazy = true,
 },
 .boringssl = .{
- .url = "git+https://github.com/lukaskastern/boringssl#5b1074600fa56f744fdbfab3cf591455a4034f5a",
- .hash = "boringssl-0.20260508.0-EhtkNTr_AgAH2zpa4ujBmCTKOhsUo-MJ30-y_AO42NNy",
+ .url = "git+https://github.com/lukasKastern/boringssl.git#eb7370088c9a2e7f610a2436468dcf6904cd2282",
+ .hash = "boringssl-0.20260508.0-EhtkNTr_AgBIuFqi2C2o_aWHGyBwNTOWNqV6X8l7g4I-",
 .lazy = true,
 },
 },
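Review bot: The explanation attached to the old `Crypt32` link is deleted in the second hunk and not carried over to the new `if (use_schannel or use_boringssl)` block, so the reason BoringSSL appears in that condition is no longer recorded. I would keep it at the new location, for example `// BoringSSL does not link crypt32 for us; Schannel needs it as well`. The surrounding block begins above the hunk, so the Windows-only condition that presumably guards these lines is not visible here.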