h2o / picotls

TLS 1.3 implementation in C (master supports RFC8446 as well as draft-26, -27, -28)

Complete mbedtls backend coding #519

Closed huitema closed 2 months ago

huitema commented 3 months ago

Develop a static function to load file content in memory, as a replacement for the API mbedtls_pk_load_file issue() that is not available in recent versions of MbedTLS.

Also fix missing parentheses in cmake/FindMbedTLS.cmake

Edited on May 16, 2024: the PR now includes the complete code needed for using MbedTLS as a back end.

huitema commented 3 months ago

The last failure is in the linker:

/usr/bin/cc -D_GNU_SOURCE -pthread -std=c99 -Wall -O2 -g   -DPICOTLS_USE_DTRACE=1 -DPICOTLS_USE_BROTLI=1 -DPTLS_HAVE_FUSION=1 -DPTLS_HAVE_MBEDTLS=1 -rdynamic CMakeFiles/test-mbedtls.t.dir/deps/picotest/picotest.c.o CMakeFiles/test-mbedtls.t.dir/t/hpke.c.o CMakeFiles/test-mbedtls.t.dir/t/picotls.c.o CMakeFiles/test-mbedtls.t.dir/t/mbedtls.c.o picotls-probes.o -o test-mbedtls.t   -L"/picotls/("  -L"/picotls/)"  -Wl,-rpath,"/picotls/(:/picotls/)" libpicotls-minicrypto.a libpicotls-mbedtls.a /usr/local/lib/libmbedtls.a /usr/local/lib/libmbedcrypto.a /usr/local/lib/libmbedx509.a libpicotls-core.a -lbrotlidec -lbrotlienc 
/usr/bin/ld: errno: TLS definition in /lib/x86_64-linux-gnu/libc.so.6 section .tbss mismatches non-TLS reference in libpicotls-mbedtls.a(mbedtls_sign.c.o)
/usr/bin/ld: /lib/x86_64-linux-gnu/libc.so.6: error adding symbols: bad value

The diagnostic error adding symbols: bad value supposedly happens because some function was present in multiple binaries, but these binaries were not compiled with exactly the same flags -- see this page on stack overflow.

The error only happens after we tried to use errno, so maybe removing that will solve the issue.

huitema commented 3 months ago

@kazuho This is finally ready. I am sorry for the mess yesterday. I was down with a fever, trying to make it work and missing basic stuff. The latest fix was to add a final NULL byte to the returned buffer -- just copying the content of the file was not enough. Overall, a very small fix, and very contained.
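As an added example (not code from this PR, from picotls or from MbedTLS), the following stand-alone C sketch shows the kind of static file loader the first comment describes, including the trailing NUL byte the comment above identifies as the missing piece. The names `load_file`, `demo_roundtrip`, `demo_missing_file` and the scratch file name are this example's own, and the PEM-shaped sample is constructed filler, not a real key. The terminator matters because MbedTLS's PEM parser treats the input as a C string and expects the passed length to include the NUL, so a buffer that holds only the raw file bytes is parsed as malformed.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical replacement for the no-longer-public mbedtls_pk_load_file():
 * read a whole file into a heap buffer and append a terminating NUL byte.
 * On success *buf receives the buffer and *n its length INCLUDING the NUL,
 * which is the length MbedTLS expects for PEM input. Returns 0 or -1. */
static int load_file(const char *path, unsigned char **buf, size_t *n)
{
    FILE *f;
    long size;

    *buf = NULL;
    *n = 0;

    if ((f = fopen(path, "rb")) == NULL)
        return -1;

    /* Determine the size up front so a single allocation suffices. */
    if (fseek(f, 0, SEEK_END) != 0 || (size = ftell(f)) < 0 || fseek(f, 0, SEEK_SET) != 0) {
        fclose(f);
        return -1;
    }

    /* One extra byte for the terminator. */
    if ((*buf = malloc((size_t)size + 1)) == NULL) {
        fclose(f);
        return -1;
    }

    /* A short read means the file changed or the read failed; do not hand back a
     * partially filled buffer. */
    if (fread(*buf, 1, (size_t)size, f) != (size_t)size) {
        fclose(f);
        free(*buf);
        *buf = NULL;
        return -1;
    }
    fclose(f);

    (*buf)[size] = '\0';
    *n = (size_t)size + 1; /* length includes the NUL, as MbedTLS PEM parsing expects */
    return 0;
}

/* Constructed sample: PEM-shaped layout with filler body, not a real key. */
static const char sample_pem[] =
    "-----BEGIN PRIVATE KEY-----\n"
    "Q29uc3RydWN0ZWQgc2FtcGxlLCBub3QgYSByZWFsIGtleQ==\n"
    "-----END PRIVATE KEY-----\n";

/* Writes the sample to a scratch file, loads it back and checks that the
 * result is the file content plus one NUL byte. Returns the loaded length
 * (sizeof(sample_pem)) on success, 0 on any failure. */
static size_t demo_roundtrip(void)
{
    const char *path = "picotls_load_file_example.pem"; /* scratch file, removed below */
    unsigned char *buf;
    size_t n;
    int ok;

    FILE *f = fopen(path, "wb");
    if (f == NULL)
        return 0;
    fwrite(sample_pem, 1, strlen(sample_pem), f);
    fclose(f);

    if (load_file(path, &buf, &n) != 0) {
        remove(path);
        return 0;
    }
    ok = n == strlen(sample_pem) + 1 && buf[n - 1] == '\0' && memcmp(buf, sample_pem, n) == 0;
    free(buf);
    remove(path);
    return ok ? n : 0;
}

/* A missing file must fail cleanly with no buffer handed back. Returns 1 if so. */
static int demo_missing_file(void)
{
    unsigned char *buf = (unsigned char *)"sentinel";
    size_t n = 99;
    int rc = load_file("picotls_load_file_no_such_file.pem", &buf, &n);
    return rc == -1 && buf == NULL && n == 0;
}

int main(void)
{
    printf("loaded %zu bytes (expected %zu)\n", demo_roundtrip(), sizeof(sample_pem));
    printf("missing file handled: %s\n", demo_missing_file() ? "yes" : "no");
    return 0;
}
```

The returned length is deliberately `size + 1`: callers that pass this buffer and length straight to an MbedTLS PEM parsing routine get the terminator counted, while callers handling DER can subtract one.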

huitema commented 2 months ago

@kazuho Since this PR was not checked in, I am adding the missing pieces to fully support MbedTLS as a backend: loading of certificates, implementation of the sign certificate and verify certificates call back.

huitema commented 2 months ago

@kazuho The tests are failing because this branch somehow picked the wrong version of picotest, which does not support adding arguments to the "subtest" function. This is weird, because the test scripts supposedly load the latest version.

huitema commented 2 months ago

The issue is probably happening when building the docker image in the github actions, but I don't know how to fix that.