[WIP] SSL support for eval #9009
Conversation
|
I have only a slight knowledge of SSL, so I can't properly review that. |
|
Don't commit mbedtls source code into our repo. I think you can let dune to download and extract a mbedtls archive, when it doesn't exist globally or in the project folder. It's mainly because the Linux packages have to use the distros' mbedtls. |
The mbedtls API isn't eval-specific. |
That used to be a private class so it didn't matter, but you're right. I've moved it to eval.vm now, which is not a good package name but follows the neko layout. |
Maybe move it into |
I can't find anything about it downloading sources. The foreign build section explicitly states "put all the foreign code in a sub-directory". The best alternative I can think of right now is using a submodule... |
| mbedtls_x509_crt* cert = X509Crt_val(chain); | ||
| mbedtls_x509_time *t = &cert->valid_to; | ||
| time_t time = time_to_time_t(t); | ||
| CAMLreturn(caml_copy_double((double)time)); |
There was a problem hiding this comment.
I thought time_t was usually an integer type? Also will this work on 32-bit systems?
There was a problem hiding this comment.
I expect the C compiler to handle this accordingly, but if you have an alternative suggestion I'll be happy to change this.
| private function get_altNames():Array<String> { | ||
| throw "Not implemented"; | ||
| } | ||
| extern private function get_altNames():Array<String>; |
There was a problem hiding this comment.
I don't know if this actually works because no Certificate I come across has a value for this, so all we get are empty arrays.
|
I have completed the I'll add the APIs for |
| CAMLlocal1(obj); | ||
| mbedtls_x509_crt* cert = X509Crt_val(chain); | ||
| if (cert->ext_types & MBEDTLS_X509_EXT_SUBJECT_ALT_NAME == 0 || &cert->subject_alt_names == NULL) { | ||
| obj = Atom(0); |
There was a problem hiding this comment.
@Aurel300 fyi, I found another potential trap here:
Atom(t) returns an “atom” (zero-sized block) with tag t. Zero-sized blocks are preallocated outside of the heap. It is incorrect to try and allocate a zero-sized block using the functions below. For instance, Atom(0) represents the empty array.
This means that whenever we want to return an array from C externs, we have to deal with the length == 0 special case.
RealyUniqueName
added
the
platform-eval
|
@Aurel300 Could you look into the OS X default certificate situation some time soon? I want to merge SSL support for the next release and this is blocking it at the moment. |
|
@Simn Sorry for the delay, this should be good now. Python failure is unrelated. For reference, the reason the |
|
Alright, thanks! I'm gonna merge this now. For people building Haxe, please refer to the CI-related changes here. I think we've made this as straightforward as possible. |
This PR starts adding SSL support for eval. To that end, we currently include the entire mbedtls code in
libs/mbedtls, have a FFI layer inmbedtls_stubs.candmbedtls.mland then Haxe extern definitions ineval/_std/mbedtls. As a result, the diff is a mess.There are several TODOs here:
LIB_PARAMS
I have added this toMakefile.winin order to link crypt32 on Windows:This probably isn't ideal.Update: This is fine.
Default certificate loading
For Linux, this is handled in
Mbedtls.hxwith the code being copied from neko/HL. For Windows, it is handled at C-level throughMbedtls.loadDefaultswith that code also being copied from neko/HL. This requires some testing.There's currently no implementation for Mac. I was hoping that @Aurel300 could look into setting that up. It should be a matter of copying the code from https://github.com/HaxeFoundation/hashlink/blob/master/libs/ssl/ssl.c#L364-L397 and then figuring out how to handle the linking.
Amount of .c and .h files
We probably don't need to include all these files, so we should look into removing some of them.Update: The C files have been removed.
SNI stuff
The neko/HL implementations have some code in
sys.ssl.Socketwhich, from my understanding, is about server-side sockets. I ignored that completely as I don't plan to run https servers in eval. We have to verify that this is fine to ignore.Rest of the sys.ssl package
The sys.ssl package has some other files:
CertificateDigestAlgorithmKeyUpdate: Certificate is done. DigestAlgorithm is just an enum.
I thinkDigestandKeycan be added easily, but I don't know what to do withCertificate. It goes beyond being a simple extern for an mbedtls certificate and provides some public API that deals with its wrapping nature, such asnext. I don't want to replicate this wrapping because it's a bad pattern for eval, so we have to think about the public API for this.I don't think this should stop us from merging theSocketpart this PR focuses on though.Update: I'll just shut up and follow the API.
Update: Key has been added.
Overall testing
The CI is green so building works, but we don't actually have any https tests.
Packaging and licensing
This is something I usually forget about, so this time around I'd like to check with @andyli if the approach taken here causes any issues for packaging.On a maybe related note, I have no idea about licensing and if we can just drop the mbedtls source code into our project.Update: The C files have been removed.