mbedTLS support for curl #496

Closed
sasq64 wants to merge 6 commits into base: master

@sasq64
Contributor

sasq64 commented Oct 19, 2015

Initial support for mbedTLS as an SSL backend for curl. Should be used in the same way as polarssl;
configure --with-mbedtls=<path>

sasq64 added some commits Oct 19, 2015

@bagder

Member

bagder commented Oct 19, 2015

Cool, thanks. What mbedTLS version have you tried this with? I get build errors with my 2.1.1 install.

vtls/mbedtls.c: In function 'mbedtls_connect_step1':
vtls/mbedtls.c:359:39: warning: passing argument 1 of 'mbedtls_ssl_conf_alpn_protocols' from incompatible pointer type [-Wincompatible-pointer-types]
       mbedtls_ssl_conf_alpn_protocols(&connssl->ssl, protocols);
                                       ^
In file included from /home/daniel/build-mbedtls/include/mbedtls/net.h:32:0,
                 from vtls/mbedtls.c:34:
/home/daniel/build-mbedtls/include/mbedtls/ssl.h:1690:5: note: expected 'mbedtls_ssl_config * {aka struct mbedtls_ssl_config *}' but argument is of type 'mbedtls_ssl_context * {aka struct mbedtls_ssl_context *}'
 int mbedtls_ssl_conf_alpn_protocols( mbedtls_ssl_config *conf, const char **protos
     ^
vtls/mbedtls.c: In function 'mbedtls_connect_step2':
vtls/mbedtls.c:464:24: error: 'NPN_HTTP2' undeclared (first use in this function)
         conn->negnpn = NPN_HTTP2;
                        ^
vtls/mbedtls.c:464:24: note: each undeclared identifier is reported only once for each function it appears in
vtls/mbedtls.c:467:24: error: 'NPN_HTTP1_1' undeclared (first use in this function)
         conn->negnpn = NPN_HTTP1_1;
                        ^
Makefile:1944: recipe for target 'vtls/libcurl_la-mbedtls.lo' failed
make[1]: *** [vtls/libcurl_la-mbedtls.lo] Error 1
Makefile
@sasq64

Contributor

sasq64 commented Oct 19, 2015

The latest, 2.1.2. I didn't realize it was still undergoing such heavy changes. I'd better add a version check.

@hasufell

Contributor

hasufell commented Oct 19, 2015

Cool, thanks. What mbedTLS version have you tried this with? I get build errors with my 2.1.1 install.

uh, you should upgrade, since 2.1.1 is vulnerable ;)

@bagder

Member

bagder commented Oct 19, 2015

I get the same warning/errors with 2.1.2. Note that I build my curl HTTP/2-enabled.

@bagder

Member

bagder commented Oct 19, 2015

I have a local fix for the errors:

From 9fd58a9921817c258c4aa1af360c8ed70504c23d Mon Sep 17 00:00:00 2001
From: Daniel Stenberg <daniel@haxx.se>
Date: Mon, 19 Oct 2015 15:19:13 +0200
Subject: [PATCH] mbedtls: use current libcurl defines for HTTP versions

---
 lib/vtls/mbedtls.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/lib/vtls/mbedtls.c b/lib/vtls/mbedtls.c
index dcaa60e..3b6ef24 100644
--- a/lib/vtls/mbedtls.c
+++ b/lib/vtls/mbedtls.c
@@ -459,14 +459,14 @@ mbedtls_connect_step2(struct connectdata *conn,
     if(next_protocol != NULL) {
       infof(data, "ALPN, server accepted to use %s\n", next_protocol);

       if(strncmp(next_protocol, NGHTTP2_PROTO_VERSION_ID,
                   NGHTTP2_PROTO_VERSION_ID_LEN)) {
-        conn->negnpn = NPN_HTTP2;
+        conn->negnpn = CURL_HTTP_VERSION_2_0;
       }
       else if(strncmp(next_protocol, ALPN_HTTP_1_1, ALPN_HTTP_1_1_LENGTH)) {
-        conn->negnpn = NPN_HTTP1_1;
+        conn->negnpn = CURL_HTTP_VERSION_1_1;
       }
     }
     else {
       infof(data, "ALPN, server did not agree to a protocol\n");
     }
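Review bot: the strncmp() tests in this hunk's unchanged context lines are inverted: strncmp() returns 0 on a match, so `if(strncmp(next_protocol, NGHTTP2_PROTO_VERSION_ID, NGHTTP2_PROTO_VERSION_ID_LEN))` assigns CURL_HTTP_VERSION_2_0 precisely when the server's choice is not the h2 identifier, and the `else if(strncmp(next_protocol, ALPN_HTTP_1_1, ALPN_HTTP_1_1_LENGTH))` branch likewise records HTTP/1.1 on a non-match. Since the constants are being renamed here anyway, negate both conditions (`if(!strncmp(...))` / `else if(!strncmp(...))`); otherwise an unexpected ALPN string from the server is recorded as HTTP/2 and the later HTTP/2 framing code is engaged on a connection the peer never agreed to.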
-- 
2.6.1

@sasq64

Contributor

sasq64 commented Oct 19, 2015

Hmm so what is this test...

test 1119...[Verify that symbols-in-versions and headers are in sync]
perl  returned 2, when expecting 0
 exit FAILED
@bagder

Member

bagder commented Oct 19, 2015

That's because CURLSSLBACKEND_MBEDTLS is missing from docs/libcurl/symbols-in-versions; I'll fix that. The warning at vtls/mbedtls.c:359:39 is more important.

@sasq64

Contributor

sasq64 commented Oct 19, 2015

Which test shows that warning?

@bagder

Member

bagder commented Oct 19, 2015

Line 359 gives that warning, and it will be built if you build libcurl HTTP/2-enabled (i.e. you need nghttp2 installed as well). The first input argument to mbedtls_ssl_conf_alpn_protocols is apparently wrong there: expected 'mbedtls_ssl_config *' but argument is of type 'mbedtls_ssl_context *'.
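The warning comes from mbedTLS keeping its configuration object (set up once, holding the ALPN list) separate from the per-connection context (bound to a configuration at setup time). The following is an added, self-contained example, not curl's or mbedTLS's code: the `alpn_config`/`alpn_context` structs and the `conf_alpn_protocols`, `context_setup` and `simulate_handshake` functions are constructed stand-ins that model that split, and `map_alpn` shows the ALPN-string-to-HTTP-version mapping the backend performs after the handshake with the comparison written the right way round (strncmp() returns 0 on a match). The `HTTP_VERSION_*` enum and the "h2"/"http/1.1" identifiers are local constants, not curl's or nghttp2's.

```c
/* Added example: models the config/context split behind the warning and the
 * post-handshake ALPN mapping. Everything here is a constructed stand-in, not
 * the mbedTLS or libcurl API. */
#include <stdio.h>
#include <string.h>

/* Stand-in for the HTTP version values curl records for a negotiated connection. */
enum http_version { HTTP_VERSION_NONE = 0, HTTP_VERSION_1_1 = 1, HTTP_VERSION_2_0 = 2 };

/* ALPN identifiers as they appear on the wire (RFC 7301). */
#define ALPN_H2       "h2"
#define ALPN_HTTP_1_1 "http/1.1"

/* Configuration: shared, set up once. Holds the NULL-terminated ALPN list. */
struct alpn_config {
    const char **protos;
};

/* Context: one per connection, bound to a configuration at setup. */
struct alpn_context {
    const struct alpn_config *conf;
    const char *negotiated;   /* what the server picked, or NULL */
};

/* ALPN is configured on the config object, not the connection context;
 * passing the context here is the argument-type mistake the warning flags. */
int conf_alpn_protocols(struct alpn_config *conf, const char **protos)
{
    if (conf == NULL || protos == NULL || protos[0] == NULL)
        return -1;
    conf->protos = protos;
    return 0;
}

/* Bind a fresh per-connection context to an already-populated configuration. */
int context_setup(struct alpn_context *ssl, const struct alpn_config *conf)
{
    if (ssl == NULL || conf == NULL || conf->protos == NULL)
        return -1;
    ssl->conf = conf;
    ssl->negotiated = NULL;
    return 0;
}

/* Simulated server side of the handshake: the server picks the first protocol
 * we offered that it also supports, or none at all. */
const char *simulate_handshake(struct alpn_context *ssl, const char **server_supported)
{
    const char **p, **s;
    for (p = ssl->conf->protos; *p != NULL; p++)
        for (s = server_supported; *s != NULL; s++)
            if (strcmp(*p, *s) == 0) {
                ssl->negotiated = *p;
                return *p;
            }
    ssl->negotiated = NULL;
    return NULL;
}

/* Map the negotiated ALPN string to an HTTP version. strncmp() returns 0 on a
 * match, so the result must be negated; a bare if(strncmp(...)) would select a
 * version exactly when the string does NOT match. The length is compared too,
 * so a longer identifier sharing a prefix (e.g. "h2c") is not taken as "h2". */
enum http_version map_alpn(const char *next_protocol)
{
    size_t len;
    if (next_protocol == NULL)
        return HTTP_VERSION_NONE;
    len = strlen(next_protocol);
    if (len == strlen(ALPN_H2) && !strncmp(next_protocol, ALPN_H2, len))
        return HTTP_VERSION_2_0;
    if (len == strlen(ALPN_HTTP_1_1) && !strncmp(next_protocol, ALPN_HTTP_1_1, len))
        return HTTP_VERSION_1_1;
    return HTTP_VERSION_NONE;
}

/* Whole flow: configure ALPN on the config, set up a context from it, run the
 * simulated handshake and map what came back. Returns the negotiated version. */
enum http_version negotiate_example(const char **offered, const char **server_supported)
{
    struct alpn_config conf;
    struct alpn_context ssl;
    if (conf_alpn_protocols(&conf, offered) != 0)
        return HTTP_VERSION_NONE;
    if (context_setup(&ssl, &conf) != 0)
        return HTTP_VERSION_NONE;
    return map_alpn(simulate_handshake(&ssl, server_supported));
}

int main(void)
{
    /* Constructed inputs: we offer h2 then http/1.1; this server only speaks http/1.1. */
    const char *offered[] = { ALPN_H2, ALPN_HTTP_1_1, NULL };
    const char *server[]  = { ALPN_HTTP_1_1, NULL };
    printf("negotiated version: %d\n", (int)negotiate_example(offered, server));
    return 0;
}
```

The point a backend author should take from this is that the ALPN list belongs to the configuration that outlives any single connection, and that the string the server returns must be matched exactly before it is allowed to switch the connection into HTTP/2 framing.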

@bagder

Member

bagder commented Oct 19, 2015

Awesome!

@bagder

Member

bagder commented Oct 19, 2015

Possibly one of the last nits, which you can opt to ignore, is that curlssl_sha256sum isn't defined by mbedtls.h, so vtls/vtls.c now shows a warning for me as it can't do the generic pinning functions. I use "configure --enable-debug", which enables rather picky compiler options.

@bagder bagder closed this in fe7590f Oct 20, 2015

@sasq64

Contributor

sasq64 commented Oct 20, 2015

Thanks for actively helping to get this in. First time I used the GitHub pull request system; it works really well.