From: Viktor Szakats Date: Tue, 8 Oct 2024 20:41:18 +0000 (+0200) Subject: GHA: add Linux and macOS mbedTLS jobs, fix issue X-Git-Tag: curl-8_11_0~198 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=e377c917664241d8cccf67316b96d59a280ad8e4;p=thirdparty%2Fcurl.git GHA: add Linux and macOS mbedTLS jobs, fix issue - update mbedTLS repo URL. - switch local mbedTLS build to use CMake, and Ninja. CMake build is required to create and install mbedTLS `pkg-config` files. (as of v3.6.1) `-DCMAKE_POSITION_INDEPENDENT_CODE=ON` required to avoid this error when linking mbedtls to `libcurl.so`: ``` /usr/bin/ld: /home/runner/mbedtls/lib/libmbedcrypto.a(cipher.c.o): warning: relocation against `mbedtls_cipher_base_lookup_table' in read-only section `.text' /usr/bin/ld: /home/runner/mbedtls/lib/libmbedtls.a(ssl_tls.c.o): relocation R_X86_64_PC32 against symbol `mbedtls_x509_crt_profile_suiteb' can not be used when making a shared object; recompile with -fPIC /usr/bin/ld: final link failed: bad value ``` Ref: https://github.com/curl/curl/actions/runs/11245069259/job/31264386723#step:40:43 - make local mbedTLS build 10x smaller by omitting programs and tests. - GHA/linux: fix cmake warning by adding `-B .` option. - GHA/linux: add build-only cmake job for packaged mbedTLS (2.x). - fix compiler warning when building with mbedTLS 2.x: ``` /home/runner/work/curl/curl/lib/vtls/mbedtls.c:344:1: error: ‘mbed_cipher_suite_get_str’ defined but not used [-Werror=unused-function] 344 | mbed_cipher_suite_get_str(uint16_t id, char *buf, size_t buf_size, | ^~~~~~~~~~~~~~~~~~~~~~~~~ ``` Ref: https://github.com/curl/curl/actions/runs/11244999065/job/31264168295#step:40:50 Also in preparation for #15193 Closes #15208 --- diff --git a/.github/workflows/linux.yml b/.github/workflows/linux.yml index c4113337d1..94625f74bb 100644 --- a/.github/workflows/linux.yml +++ b/.github/workflows/linux.yml 
@@ -43,7 +43,7 @@ env:
 libressl-version: 3.9.2
 # renovate: datasource=github-tags depName=wolfSSL/wolfssl versioning=semver extractVersion=^v?(?.+)-stable$ registryUrl=https://github.com
 wolfssl-version: 5.7.2
- # renovate: datasource=github-tags depName=ARMmbed/mbedtls versioning=semver registryUrl=https://github.com
+ # renovate: datasource=github-tags depName=Mbed-TLS/mbedtls versioning=semver registryUrl=https://github.com
 mbedtls-version: 3.6.0
 # renovate: datasource=github-tags depName=icing/mod_h2 versioning=semver registryUrl=https://github.com
 mod_h2-version: 2.0.29
@@ -113,6 +113,10 @@ jobs:
 install_steps: mbedtls
 configure: CC=clang LDFLAGS="-Wl,-rpath,$HOME/mbedtls/lib" --with-mbedtls=$HOME/mbedtls --enable-debug
 
+ - name: mbedtls-pkg
+ install_packages: libnghttp2-dev libmbedtls-dev
+ generate: -DCURL_USE_MBEDTLS=ON -DENABLE_DEBUG=ON -DCURL_USE_PKGCONFIG=OFF
+
 - name: msh3
 install_packages: zlib1g-dev
 install_steps: quictls msh3
@@ -373,10 +377,12 @@ jobs:
 - name: 'build mbedtls'
 if: contains(matrix.build.install_steps, 'mbedtls') && steps.cache-mbedtls.outputs.cache-hit != 'true'
 run: |
- git clone --quiet --depth=1 -b v${{ env.mbedtls-version }} https://github.com/ARMmbed/mbedtls
+ git clone --quiet --depth=1 -b v${{ env.mbedtls-version }} https://github.com/Mbed-TLS/mbedtls
 cd mbedtls
 git submodule update --init
- make DESTDIR=$HOME/mbedtls install
+ cmake -B . -G Ninja -DENABLE_PROGRAMS=OFF -DENABLE_TESTING=OFF -DCMAKE_POSITION_INDEPENDENT_CODE=ON -DCMAKE_INSTALL_PREFIX=$HOME/mbedtls
+ cmake --build .
+ cmake --install .
 
 - name: cache openssl3
 if: contains(matrix.build.install_steps, 'openssl3')
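Review bot: The new `mbedtls-pkg` matrix entry does not say why `-DCURL_USE_PKGCONFIG=OFF` is set or that the job is intended as build-only, which the commit message states but the workflow file does not, so a reader of linux.yml cannot tell whether a later test failure in this job would be expected. A one-line comment above the entry would carry that intent, e.g. `# build-only: packaged libmbedtls-dev is 2.x; pkg-config-based detection is disabled` — hedged, since the hunk does not show what the distro package provides. Whether the job actually skips the test run is not visible here either; if the matrix has a dedicated build-only knob, setting it explicitly on this entry is safer than leaving it implicit.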
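Review bot: The `git clone ... -b v${{ env.mbedtls-version }}` line pins the TLS library that ends up linked into the test binaries only by tag name, and the `steps.cache-mbedtls` condition above it suggests the build is then cached, so a tag that is re-pointed upstream would be picked up silently on the next cache miss. A post-clone check is cheap and keeps the renovate bump flow intact, e.g. `[ "$(git rev-parse HEAD)" = '<expected-commit-sha>' ]` with the SHA kept next to `mbedtls-version` in `env:`. Separately, the `cmake -B .` line would benefit from a short comment naming why `-DCMAKE_POSITION_INDEPENDENT_CODE=ON` is required (the static mbedTLS archives are linked into `libcurl.so`, per the commit message), so the next reader does not have to dig it out of the git log.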
@@ -561,7 +567,7 @@ jobs:
 run: |
 [[ '${{ matrix.build.install_steps }}' = *'awslc'* ]] && sudo apt remove --yes libssl-dev
 if [ -n '${{ matrix.build.generate }}' ]; then
- cmake -G Ninja \
+ cmake -B . -G Ninja \
 -DCMAKE_C_COMPILER_TARGET=$(uname -m)-pc-linux-gnu -DBUILD_STATIC_LIBS=ON \
 -DCMAKE_UNITY_BUILD=ON -DCURL_TEST_BUNDLES=ON -DCURL_WERROR=ON \
 -DCURL_BROTLI=ON -DCURL_ZSTD=ON \
diff --git a/.github/workflows/macos.yml b/.github/workflows/macos.yml
index 661dc2f04d..8c137a1001 100644
--- a/.github/workflows/macos.yml
+++ b/.github/workflows/macos.yml
@@ -287,6 +287,10 @@ jobs:
 install: brotli wolfssl zstd
 generate: -DCURL_USE_WOLFSSL=ON -DCURL_BROTLI=ON -DCURL_ZSTD=ON -DCURL_DISABLE_LDAP=ON
 macos-version-min: '10.15'
+ - name: 'mbedTLS !ldap brotli zstd'
+ install: brotli mbedtls zstd
+ generate: -DCURL_USE_MBEDTLS=ON -DCURL_BROTLI=ON -DCURL_ZSTD=ON -DCURL_DISABLE_LDAP=ON
+ macos-version-min: '10.15'
 - name: 'GnuTLS !ldap krb5'
 install: gnutls nettle krb5
 generate: -DCURL_USE_GNUTLS=ON -DCURL_USE_OPENSSL=OFF -DCURL_USE_GSSAPI=ON -DGSS_ROOT_DIR=$(brew --prefix krb5) -DCURL_DISABLE_LDAP=ON
diff --git a/lib/vtls/mbedtls.c b/lib/vtls/mbedtls.c
index 0865bec470..65171a1a47 100644
--- a/lib/vtls/mbedtls.c
+++ b/lib/vtls/mbedtls.c
@@ -340,6 +340,7 @@ mbed_set_ssl_version_min_max(struct Curl_easy *data,
 cipher suite present in other SSL implementations. Provide provisional
 support for specifying the cipher suite here. */
 #ifdef MBEDTLS_TLS_ECJPAKE_WITH_AES_128_CCM_8
+#if MBEDTLS_VERSION_NUMBER >= 0x03020000
 static int
 mbed_cipher_suite_get_str(uint16_t id, char *buf, size_t buf_size,
 bool prefer_rfc)
@@ -350,6 +351,7 @@ mbed_cipher_suite_get_str(uint16_t id, char *buf, size_t buf_size,
 return Curl_cipher_suite_get_str(id, buf, buf_size, prefer_rfc);
 return 0;
 }
+#endif
 
 static uint16_t
 mbed_cipher_suite_walk_str(const char **str, const char **end)
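Review bot: The new `#if MBEDTLS_VERSION_NUMBER >= 0x03020000` guard around `mbed_cipher_suite_get_str` carries no comment, so a reader cannot tell why 3.2.0 is the threshold; the commit message only says the function was unused with mbedTLS 2.x. A short comment on the `#if` line would anchor it, e.g. `/* only referenced by code paths that require mbedTLS >= 3.2.0 */` — the reason is inferred from the unused-function warning, so confirm it against the actual caller before wording it. The function body runs between this hunk and the next one, where the matching `#endif` is added right after the closing brace, and both sit inside the outer `#ifdef MBEDTLS_TLS_ECJPAKE_WITH_AES_128_CCM_8`; naming that nesting in the same comment helps keep the two conditionals from being reordered later.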
@@ -1048,7 +1050,7 @@ mbed_connect_step2(struct Curl_cfilter *cf, struct Curl_easy *data) /* Make a copy of our const peercert because mbedtls_pk_write_pubkey_der needs a non-const key, for now. - https://github.com/ARMmbed/mbedtls/issues/396 */ + https://github.com/Mbed-TLS/mbedtls/issues/396 */ #if MBEDTLS_VERSION_NUMBER == 0x03000000 if(mbedtls_x509_crt_parse_der(p, peercert->MBEDTLS_PRIVATE(raw).MBEDTLS_PRIVATE(p),