
CURLOPT_CAINFO_BLOB on mbedTLS fails test 678 #8079

Closed
bagder opened this issue Dec 1, 2021 · 2 comments
@bagder (Member) commented Dec 1, 2021

Test 678 seems to fail in mbedTLS builds: https://curl.zuul.vexxhost.dev/build/a9732e2c883a4672aabd1c89dc4e40bd

The exact error output is:

 * Error importing ca cert blob  - mbedTLS: (-0x2180) X509 - The CRT/CRL/CSR format is invalid, e.g. different type expected

Originally posted by @bagder in #8071 (comment)

/cc @Floni

@bagder bagder added the TLS label Dec 1, 2021
@Floni (Contributor) commented Dec 1, 2021

I did run tests locally, but it seems like the test did not run locally due to stunnel not being installed on my system.
(Side note: that test also never failed on CI test builds; are tests only run with a single backend, or why was it never caught during the PR?)

I had a look into the failing test, the problem is that mbedtls_x509_crt_parse of mbedTLS requires the terminating null-byte to be part of the data, while the passed length does not include the null-byte.

buflen | The size of buf, including the terminating NULL byte in case of PEM encoded data.
(see https://tls.mbed.org/api/group__x509__module.html#ga033567483649030f7f859db4f4cb7e14)

CURLOPT_SSLCERT_BLOB support was already added before my PR, so I had a look how this discrepancy was dealt with there, but it seems like it was not handled either. No tests seem to exist for this API, so I assume the same issue happens there, but was just never detected.

There are some issues about this null-termination requirement for mbedTLS:

Since CURLOPT_CAINFO_BLOB only supports PEM format certs, an easy fix would be to simply append the buffer with a null byte and increment the buffer length before calling mbedtls_x509_crt_parse.

@bagder What do you think about the proposed fix? If that seems fine then I'll work on creating a PR for it.
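The length mismatch described in the comment above, and the proposed fix (copy the blob, append a NUL byte, pass length + 1), as an added C example that is not part of curl or mbedTLS. `stand_in_crt_parse()` is a hypothetical stand-in for `mbedtls_x509_crt_parse()` that models only the documented length rule for PEM input (the buffer length must include the terminating NUL); the PEM blob is constructed and not a real certificate. The error value -0x2180 is the one quoted in the issue.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Error value mbedTLS reported in test 678 (X509 - CRT/CRL/CSR format invalid). */
#define MBEDTLS_ERR_X509_INVALID_FORMAT (-0x2180)

/* Constructed PEM-looking blob, as an application would hand it to curl via
 * CURLOPT_CAINFO_BLOB. Not a real certificate. */
static const char demo_pem[] =
    "-----BEGIN CERTIFICATE-----\n"
    "MIIBszCCAVmgAwIBAgIUZGVtbw==\n"
    "-----END CERTIFICATE-----\n";

/* Hypothetical stand-in for mbedtls_x509_crt_parse(). It models only the
 * documented length rule for PEM data: buflen must count the terminating NUL,
 * so buf[buflen - 1] has to be '\0'. Everything else is simplified. */
static int stand_in_crt_parse(const unsigned char *buf, size_t buflen)
{
    if (buflen == 0 || buf[buflen - 1] != '\0')
        return MBEDTLS_ERR_X509_INVALID_FORMAT;
    /* Only safe to treat as a C string once the NUL check above has passed. */
    if (strstr((const char *)buf, "-----BEGIN ") == NULL)
        return MBEDTLS_ERR_X509_INVALID_FORMAT;
    return 0;
}

/* Naive call: forwards the blob length as given by the caller, which does not
 * include a NUL byte. This is the behaviour that fails test 678. */
int parse_blob_naive(const unsigned char *data, size_t len)
{
    return stand_in_crt_parse(data, len);
}

/* Proposed fix: copy into a len + 1 buffer, append the NUL, and pass len + 1.
 * The caller's blob is never modified, so the fix is independent of whether
 * the application kept a NUL after its data. */
int parse_blob_fixed(const unsigned char *data, size_t len)
{
    unsigned char *copy = malloc(len + 1);
    int ret;
    if (!copy)
        return -1; /* allocation failure; real code would map this to an OOM error */
    memcpy(copy, data, len);
    copy[len] = '\0';
    ret = stand_in_crt_parse(copy, len + 1);
    free(copy);
    return ret;
}

/* Accessors so the demo blob can be fed to both variants. */
const unsigned char *demo_blob(void) { return (const unsigned char *)demo_pem; }
size_t demo_blob_len(void) { return strlen(demo_pem); }

int main(void)
{
    printf("naive: %d\n", parse_blob_naive(demo_blob(), demo_blob_len()));
    printf("fixed: %d\n", parse_blob_fixed(demo_blob(), demo_blob_len()));
    return 0;
}
```

The naive variant returns -0x2180 because the last byte within the given length is the trailing newline, not a NUL; the fixed variant returns 0. The same pattern applies to the CURLOPT_SSLCERT_BLOB path mentioned in the comment, since both hand PEM data to the same parser.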

@bagder (Member, Author) commented Dec 1, 2021

It didn't show up in the CI builds because of #7522, a bug in the zuul CI which hides most of its runs from github! 😢

Your proposed fix sounds perfectly fine!
