
Compiling MbedTLS #179

Closed

pkulchenko opened this issue May 31, 2021 · 7 comments

Comments

@pkulchenko
Collaborator

pkulchenko commented May 31, 2021

I've looked into available TLS implementations and it appears MbedTLS may be the best one to integrate with Cosmopolitan/Redbean, as it's described as "easy to understand, use, integrate and expand" and "Its small code footprint makes it suitable for embedded systems". It's available under the Apache-2.0 license.

Here is the list of changes I applied to compile it using Cosmopolitan libraries:

  1. Updated library source to remove case EAGAIN (as suggested/discussed in errno constants not usable in switch-case #134):
diff --git a/library/net_sockets.c b/library/net_sockets.c
index 8f79b7401..e1c72249e 100644
--- a/library/net_sockets.c
+++ b/library/net_sockets.c
@@ -294,14 +294,16 @@ static int net_would_block( const mbedtls_net_context *ctx )
         return( 0 );
     }
 
-    switch( errno = err )
-    {
+    errno = err;
+    if (false
 #if defined EAGAIN
-        case EAGAIN:
+        || EAGAIN == errno
 #endif
 #if defined EWOULDBLOCK && EWOULDBLOCK != EAGAIN
-        case EWOULDBLOCK:
+        || EWOULDBLOCK == errno
 #endif
+       )
+    {
             return( 1 );
     }
     return( 0 );
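Review bot: the new condition opens with `if (false`, but the hunk shows no `#include <stdbool.h>` in net_sockets.c; in C the `false` macro only exists with that header (or C23), so spelling it `if (0` keeps the chain of `|| EAGAIN == errno` terms working without adding a dependency. The `#if defined EWOULDBLOCK && EWOULDBLOCK != EAGAIN` guard is also still a preprocessor-time comparison; since the motivation for this change (#134) is that these errno values are not compile-time constants on the target, it is worth checking that the guard still selects the EWOULDBLOCK term there rather than silently dropping it. Minor: `return( 1 );` is now indented one level deeper than the `{` that encloses it.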
  2. Added stubs for netinet/in.h and netdb.h.
  3. Added sockaddr_in6 definitions based on ws2ipdef.h and in6addr.h from mingw distribution:
// in6addr.h (stub adapted from mingw for the netinet/in.h stub)
#include <stdint.h>

// IPv6 address: 16 bytes, viewable as bytes or 16-bit words (mingw names).
// No typedef name was given in the original, so this is a plain struct.
struct in6_addr {
  union {
    unsigned char Byte[16];
    unsigned short Word[8];
  } u;
};

// POSIX-style accessor used by MbedTLS (addr.s6_addr), mapped onto the
// mingw member names above.
#define _S6_un		u
#define _S6_u8		Byte
#define s6_addr		_S6_un._S6_u8

// ws2ipdef.h
// mingw declares these two fields as ULONG, which is 32-bit on Windows.
// uint32_t keeps that layout and also matches the kernel's 28-byte
// sockaddr_in6 on LP64 targets, where unsigned long would be 64-bit.
struct sockaddr_in6 {
  short sin6_family;
  unsigned short sin6_port;       // network byte order
  uint32_t sin6_flowinfo;
  struct in6_addr sin6_addr;
  uint32_t sin6_scope_id;
};

I can write a script that would apply these changes to the original MbedTLS source tree (to minimize the amount of manual work to be done for upgrades), but I'm not sure what tools I can expect. Is sed or a Lua interpreter available in addition to shell to execute the scripts?

What would be needed to integrate MbedTLS into Redbean? I realize that the size is critical (as discussed in #95) and MbedTLS seems to work quite well in that regard: its libraries are around 900k and the compiled binary is likely to be much less, as most of the code is not going to be needed for adding TLS support.

@pkulchenko pkulchenko mentioned this issue May 31, 2021
@pkulchenko
Collaborator Author

Here are a couple of documentation links with details on how a specific configuration can be created to minimize the binary size and memory usage:

@jart
Owner

jart commented Jun 2, 2021

I'm willing to merge changes that help get you unblocked and able to use mbed-tls with redbean. As for merging it into the mainline distribution, I'm reluctant to do that. It's not just a question of code size. It's a question of the responsibilities offering security technologies entails. redbean lets you use something like stunnel to bolt on the tls security layer separately. The varnish proxy does the same thing. I seem to recall the "unsecure approach" (neither secure nor insecure) even being required by certain FIPS standards. So I believe it should be possible for you to choose whatever security approach works best for you. It's just not something I can recommend people do or not do more broadly.

@pkulchenko
Collaborator Author

@jart, thank you for looking into this. What would merging the changes entail? Would it add TLS support, but keep it behind an option that is off by default, or would it make it available as a third-party module, or something else? Maybe you can allow hooking into HandleMessages and HandleConnection to provide read/write functions and the initial handshake/setup? If it's exposed to the Lua code, I can then use something like https://github.com/neoxic/lua-mbedtls to provide my own implementation, but this would also keep options to use other libraries available as well.

Another option would be to integrate mbedtls as the library and use its encryption/decryption module to sign/encrypt/decrypt individual messages.

@pkulchenko
Collaborator Author

@jart, what would be the best way to see if MbedTLS can be integrated? Would it make sense to expose Lua methods for establishing connections and reading/writing messages (similar to how onHttpRequest is implemented), so I can use the Lua messages to establish handshake and provide read/write functions? This appears to be the least invasive method and would potentially allow other TLS implementations (and also would keep things optional and out of the core).

@jart
Owner

jart commented Jun 6, 2021

I'm sorry MbedTLS integration is not a contribution that can be accepted at this time. I believe it should be possible for you to satisfy your requirements by implementing SSL at the frontend, or by using a separate program such as stunnel. redbean is designed to play a part in the broader systems architecture of your choosing. There currently isn't an intent to provide those architectural choices within redbean itself.

@jart jart closed this as completed Jun 6, 2021
@jart
Owner

jart commented Jun 24, 2021

The situation changed and it turns out we can do this after all. You'll be excited to hear that redbean now has mbedtls support as of cc19207. Enjoy!

@pkulchenko
Collaborator Author

Super exciting; thank you for incorporating this!
