mbedTLS support for curl #496

Closed
wants to merge 6 commits into
from


3 participants

@sasq64
Contributor
sasq64 commented Oct 19, 2015

Initial support for mbedTLS as an SSL backend for curl. Should be used in the same way as polarssl;
configure --with-mbedtls=<path>

@sasq64 sasq64 mbedTLS support for curl
98afbed
sasq64 added some commits Oct 19, 2015
@sasq64 sasq64 Code style fixes
4dfa80d
@sasq64 sasq64 Removed trailing whitespace
a781655
@bagder
Member
bagder commented Oct 19, 2015

Cool, thanks. What mbedTLS version have you tried this with? I get build errors with my 2.1.1 install.

vtls/mbedtls.c: In function 'mbedtls_connect_step1':
vtls/mbedtls.c:359:39: warning: passing argument 1 of 'mbedtls_ssl_conf_alpn_protocols' from incompatible pointer type [-Wincompatible-pointer-types]
       mbedtls_ssl_conf_alpn_protocols(&connssl->ssl, protocols);
                                       ^
In file included from /home/daniel/build-mbedtls/include/mbedtls/net.h:32:0,
                 from vtls/mbedtls.c:34:
/home/daniel/build-mbedtls/include/mbedtls/ssl.h:1690:5: note: expected 'mbedtls_ssl_config * {aka struct mbedtls_ssl_config *}' but argument is of type 'mbedtls_ssl_context * {aka struct mbedtls_ssl_context *}'
 int mbedtls_ssl_conf_alpn_protocols( mbedtls_ssl_config *conf, const char **protos
     ^
vtls/mbedtls.c: In function 'mbedtls_connect_step2':
vtls/mbedtls.c:464:24: error: 'NPN_HTTP2' undeclared (first use in this function)
         conn->negnpn = NPN_HTTP2;
                        ^
vtls/mbedtls.c:464:24: note: each undeclared identifier is reported only once for each function it appears in
vtls/mbedtls.c:467:24: error: 'NPN_HTTP1_1' undeclared (first use in this function)
         conn->negnpn = NPN_HTTP1_1;
                        ^
Makefile:1944: recipe for target 'vtls/libcurl_la-mbedtls.lo' failed
make[1]: *** [vtls/libcurl_la-mbedtls.lo] Error 1
@sasq64
Contributor
sasq64 commented Oct 19, 2015

The latest, 2.1.2. I didn't realize it was still undergoing such heavy changes. I better add a version check.

@hasufell
Contributor

> Cool, thanks. What mbedTLS version have you tried this with? I get build errors with my 2.1.1 install.

uh, you should upgrade, since 2.1.1 is vulnerable ;)

@bagder
Member
bagder commented Oct 19, 2015

I get the same warning/errors with 2.1.2. Note that I build my curl HTTP/2-enabled.

@bagder
Member
bagder commented Oct 19, 2015

I have a local fix for the errors:

From 9fd58a9921817c258c4aa1af360c8ed70504c23d Mon Sep 17 00:00:00 2001
From: Daniel Stenberg <daniel@haxx.se>
Date: Mon, 19 Oct 2015 15:19:13 +0200
Subject: [PATCH] mbedtls: use current libcurl defines for HTTP versions

---
 lib/vtls/mbedtls.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/lib/vtls/mbedtls.c b/lib/vtls/mbedtls.c
index dcaa60e..3b6ef24 100644
--- a/lib/vtls/mbedtls.c
+++ b/lib/vtls/mbedtls.c
@@ -459,14 +459,14 @@ mbedtls_connect_step2(struct connectdata *conn,
     if(next_protocol != NULL) {
       infof(data, "ALPN, server accepted to use %s\n", next_protocol);

       if(strncmp(next_protocol, NGHTTP2_PROTO_VERSION_ID,
                   NGHTTP2_PROTO_VERSION_ID_LEN)) {
-        conn->negnpn = NPN_HTTP2;
+        conn->negnpn = CURL_HTTP_VERSION_2_0;
       }
       else if(strncmp(next_protocol, ALPN_HTTP_1_1, ALPN_HTTP_1_1_LENGTH)) {
-        conn->negnpn = NPN_HTTP1_1;
+        conn->negnpn = CURL_HTTP_VERSION_1_1;
       }
     }
     else {
       infof(data, "ALPN, server did not agree to a protocol\n");
     }
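Review bot: the conditions around both changed lines are inverted: strncmp() returns 0 on a match, so `if(strncmp(next_protocol, NGHTTP2_PROTO_VERSION_ID, NGHTTP2_PROTO_VERSION_ID_LEN))` assigns CURL_HTTP_VERSION_2_0 exactly when the server's ALPN answer is not the h2 identifier, and the `strncmp(next_protocol, ALPN_HTTP_1_1, ALPN_HTTP_1_1_LENGTH)` branch has the same problem. Since this patch only renames NPN_HTTP2/NPN_HTTP1_1 to the CURL_HTTP_VERSION_* defines, consider negating both tests (`if(!strncmp(...))`) in the same change, otherwise conn->negnpn records the wrong HTTP version for whatever the server actually selected; checking that strlen(next_protocol) equals the expected length before the prefix compare would also stop a longer identifier with the same prefix from matching.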
-- 
2.6.1

@sasq64 sasq64 mbedTLS version check and HTTP2 fix
5d7ae7e
@sasq64
Contributor
sasq64 commented Oct 19, 2015

Hmm so what is this test...

test 1119...[Verify that symbols-in-versions and headers are in sync]
perl  returned 2, when expecting 0
 exit FAILED
@bagder
Member
bagder commented Oct 19, 2015

That's because CURLSSLBACKEND_MBEDTLS is missing from docs/libcurl/symbols-in-versions, I'll fix that. The warning at vtls/mbedtls.c:359:39: is more important.

@sasq64
Contributor
sasq64 commented Oct 19, 2015

Which test shows that warning?

@bagder
Member
bagder commented Oct 19, 2015

Line 359 gives that warning and it will be built if you build libcurl HTTP/2-enabled (i.e. you need nghttp2 installed as well). The first input argument to mbedtls_ssl_conf_alpn_protocols is apparently wrong there: expected 'mbedtls_ssl_config *' but argument is of type 'mbedtls_ssl_context *'

sasq64 added some commits Oct 19, 2015
@sasq64 sasq64 Fix: Missing conversion from ssl to conf
b702fd7
@sasq64 sasq64 Added CURLSSLBACKEND_MBEDTLS to Dsymbols-in-versions. Another ssl to …
…conf fix.
1865c04
@bagder
Member
bagder commented Oct 19, 2015

Awesome!

@bagder
Member
bagder commented Oct 19, 2015

Possibly one of the last nits, which you can opt to ignore, is that curlssl_sha256sum isn't defined by mbedtls.h so vtls/vtls.c now shows a warning for me as it can't do the generic pinning functions. I use "configure --enable-debug" which enables rather picky compiler options.

@bagder bagder added a commit that closed this pull request Oct 20, 2015
@sasq64 @bagder sasq64 + bagder vtls: added support for mbedTLS
closes #496
fe7590f
@bagder bagder closed this in fe7590f Oct 20, 2015
@sasq64
Contributor
sasq64 commented Oct 20, 2015

Thanks for actively helping getting this in. First time I used the GitHub pull request system - works really well.

@tkelman tkelman referenced this pull request in JuliaLang/julia Aug 1, 2016
Closed

libcurl problems with libgit2 on master #13472
