curl client checkpoint #1
Conversation
|
Nice! I will give this some 👀 early-to-mid next week. |
|
Do we have a good rationale for keeping this work private? It's public in our roadmap, so might make sense to just make this repo public, too? @cpu is this waiting for something in particular? ISTR that this is relatively high priority? |
Sorry, this just fell off my task list when I went out of office. I will do a review pass today. I don't have any preference w.r.t keeping the repo private or public in the meantime. |
|
I don't mind making it public now, really. My thought was: in case the initial commit wants edits, that would mean force-pushing main. But likely not a big deal as I doubt there would be anyone looking at this repo until it contains something useful and substantial. |
It sounds like we have at least a couple of people who would be looking at this repo today if they could, and I remember it came up one time before when I inadvertently linked to it. But yeah, force pushing main is probably okay for now. |
There was a problem hiding this comment.
Phew, that's a lot to digest 😆 In general: this is really, really cool.
I left a lot of comments, some of them are actionable feedback, some of them are questions, and some are just me rubber ducking in the hopes it might save someone else reviewing this branch from chasing the same threads as I did. I hope it's useful!
| entry! { | ||
| pub fn _SSL_get_peer_cert_chain(ssl: *const SSL) -> *mut stack_st_X509 { | ||
| let ssl = try_clone_arc!(ssl); | ||
| ssl.lock() | ||
| .ok() | ||
| .and_then(|mut ssl| ssl.get_peer_cert_chain().map(|x509| x509.pointer())) | ||
| .unwrap_or_else(ptr::null_mut) | ||
| } | ||
| } | ||
|
|
||
| entry! { | ||
| pub fn _SSL_get0_verified_chain(ssl: *const SSL) -> *mut stack_st_X509 { | ||
| _SSL_get_peer_cert_chain(ssl) | ||
| } | ||
| } |
There was a problem hiding this comment.
I wonder if there's somewhere we should be documenting small divergences like occur here. The upstream API has an important distinction between the peer's presented chain (returned in SSL_get_peer_cert_chain) and the verified chain (returned in SSL_get0_verified_chain). Rustls (sensibly) doesn't have this distinction, and so the API surface is flattened here. I don't know that it's super important to call out the change that now SSL_get_peer_cert_chain is returning a verified chain but it gave me reason to think.
| @@ -0,0 +1,24 @@ | |||
| -----BEGIN CERTIFICATE----- | |||
There was a problem hiding this comment.
This expires in 2029, so we have a decent window before needing to regenerate it, but there might still be value in lifting some of the rcgen test PKI tooling in here to make these easier to recreate.
Can I ask what curl version you're getting on your Ubuntu system? I haven't looked closely yet, but on my system w/ curl 8.6.0 the repro fails with a complaint about the |
|
Thanks for the review! I'll work my way through these today.
Ubuntu 22.04 has curl 7.81.0. |
ctz
force-pushed
the
jbp-curl-checkpoint
branch
2 times, most recently
from
7145fb9 to
b33f41e
Compare
Introduce integration test programs -- written in C and linked against the openssl known to pkg-config -- that are required to produce the same output when run against rustls-libssl or openssl-libssl. Run `make integration`. Note that openssl project has no test coverage of these functions, so they produce incorrect output (eg, `SSL_alert_desc_string_long(TLS13_AD_MISSING_EXTENSION)` gives "unknown"). This commit gives bug-for-bug compatibility because that is easiest to test for.
These are notable because they have different return value convention, `error::MysteriouslyOppositeReturnValue` represents that fact.
This includes `SSL_ctrl` because it backs `SSL_set_tlsext_host_name` for setting the SNI hostname. `SSL_CTX_ctrl` comes along for the ride.
Some of these certainly will be implemented later, others almost certainly will not.
ctz
force-pushed
the
jbp-curl-checkpoint
branch
from
736cc01 to
dae2189
Compare
I came back around to see if I could repro the check-point success by matching this curl version and the answer was: almost 🎉 If I stub Otherwise it seems like all of my review feedback was addressed. Should we merge? 🚀 |
Yes that sounds like a good call! |
I turned on the automatic branch tidying in the settings to match the other repos. Hope that's OK. |
|
Yep! I have just protected the main branch too, and made this repo public. |
The commits here are kinda artificial for the purposes of review -- I started from a single commit that contained everything. So there's are some commits that introduce fully-fledged modules that only pay off later. That is especially true of
ffi.rs, which is mostly cloned from rustls-ffi.The initial commit currently on main also contains things wanting review -- please leave comments there and I will collect some fixes on this PR.
At the end of this branch, on ubuntu linux1 you should be able to:
$ make (...) $ LD_LIBRARY_PATH=target/debug curl https://google.com [2024-02-23T16:42:51Z ERROR ssl::error] raising Error { lib: Ssl, reason: Unsupported, string: Some("_SSL_CTX_set_next_proto_select_cb") } [2024-02-23T16:42:51Z ERROR ssl::error] raising Error { lib: Ssl, reason: Unsupported, string: Some("_SSL_CTX_set_post_handshake_auth") } [2024-02-23T16:42:51Z ERROR ssl::error] raising Error { lib: Ssl, reason: Unsupported, string: Some("_SSL_CTX_sess_set_new_cb") } [2024-02-23T16:42:51Z ERROR ssl::error] raising Error { lib: User, reason: OperationFailed, string: Some("operation would block") } <HTML><HEAD><meta http-equiv="content-type" content="text/html;charset=utf-8"> <TITLE>301 Moved</TITLE></HEAD><BODY> <H1>301 Moved</H1> The document has moved <A HREF="https://www.google.com/">here</A>. </BODY></HTML> [2024-02-23T16:42:51Z ERROR ssl::error] raising Error { lib: User, reason: OperationFailed, string: Some("operation would block") }In other words, the libssl.so.3 is enough to be a drop-in for really very basic uses of curl.
Footnotes
others untested, but probably work ↩