alexnask / iguanatls Goto Github PK
View Code? Open in Web Editor NEWMinimal, experimental TLS 1.2 implementation in Zig
License: MIT License
Minimal, experimental TLS 1.2 implementation in Zig
License: MIT License
it should instead return the usize
value of 0
instead of an error.
❯ zig build test
test "HTTPS request on wikipedia main page"... FAIL (CertificateVerificationFailed)
/usr/lib/zig/std/heap/general_purpose_allocator.zig:606:13: 0x21ede9 in std.heap.general_purpose_allocator.GeneralPurposeAllocator((struct std.heap.general_purpose_allocator.Config constant)).resize (test)
return error.OutOfMemory;
I've been working on a HTTP client and so far I'm stuck on this issue: I receive the end of the HTTP headers, and then the first read of the payload fails with error.ServerMalformedResponse
. eg.
> https://en.wikipedia.org/
Event{ .status = StatusEvent{ .version = 1.1, .code = 301, .reason = Moved Permanently } }
Event{ .header = Header{ .name = Date, .value = Sun, 27 Dec 2020 19:04:44 GMT } }
Event{ .header = Header{ .name = Server, .value = mw1351.eqiad.wmnet } }
Event{ .header = Header{ .name = X-Content-Type-Options, .value = nosniff } }
Event{ .header = Header{ .name = P3p, .value = CP="See https://en.wikipedia.org/wiki/Special:CentralAutoLogin/P3P for more info." } }
Event{ .header = Header{ .name = Vary, .value = Accept-Encoding,X-Forwarded-Proto,Cookie,Authorization } }
Event{ .header = Header{ .name = Cache-Control, .value = s-maxage=1200, must-revalidate, max-age=0 } }
Event{ .header = Header{ .name = X-Request-Id, .value = X@jazApAMMEAAnDqqMUAAABD } }
Event{ .header = Header{ .name = Last-Modified, .value = Sun, 27 Dec 2020 19:04:44 GMT } }
Event{ .header = Header{ .name = Location, .value = https://en.wikipedia.org/wiki/Main_Page } }
Event{ .header = Header{ .name = Content-Length, .value = 0 } }
Event{ .header = Header{ .name = Content-Type, .value = text/html; charset=utf-8 } }
Event{ .header = Header{ .name = Age, .value = 1073 } }
Event{ .header = Header{ .name = X-Cache, .value = cp2041 miss, cp2031 hit/158 } }
Event{ .header = Header{ .name = X-Cache-Status, .value = hit-front } }
Event{ .header = Header{ .name = Server-Timing, .value = cache;desc="hit-front" } }
Event{ .header = Header{ .name = Strict-Transport-Security, .value = max-age=106384710; includeSubDomains; preload } }
Event{ .header = Header{ .name = Report-To, .value = { "group": "wm_nel", "max_age": 86400, "endpoints": [{ "url": "https://intake-logging.wikimedia.org/v1/events?stream=w3c.reportingapi.network_error&schema_uri=/w3c/reportingapi/network_error/1.0.0" }] } } }
Event{ .header = Header{ .name = NEL, .value = { "report_to": "wm_nel", "max_age": 86400, "failure_fraction": 0.05, "success_fraction": 0.0} } }
Event{ .header = Header{ .name = Set-Cookie, .value = WMF-Last-Access=27-Dec-2020;Path=/;HttpOnly;secure;Expires=Thu, 28 Jan 2021 12:00:00 GMT } }
Event{ .header = Header{ .name = Set-Cookie, .value = WMF-Last-Access-Global=27-Dec-2020;Path=/;Domain=.wikipedia.org;HttpOnly;secure;Expires=Thu, 28 Jan 2021 12:00:00 GMT } }
Event{ .header = Header{ .name = X-Client-IP, .value = [omitted] } }
Event{ .header = Header{ .name = Set-Cookie, .value = GeoIP=[omitted]; Path=/; secure; Domain=.wikipedia.org } }
Event{ .header = Header{ .name = Connection, .value = close } }
Event{ .head_done = void }
Test [3/3] request.test ""... [default] (err): ServerMalformedResponse
Where Event.head_done
at the bottom is the end of HTTP headers.
The stack trace is as shown:
[default] (err): ServerMalformedResponse
H:\repositories\truemedian\zfetch\zig-deps\c68076598504378d2760103321b684a8\src\main.zig:113:9: 0x7ff76b11126b in .iguanatls.check_record_type (test.obj)
return switch (err_num) {
^
H:\repositories\truemedian\zfetch\zig-deps\c68076598504378d2760103321b684a8\src\main.zig:63:5: 0x7ff76b0f5bf5 in .iguanatls.record_length (test.obj)
try check_record_type(t, reader);
^
H:\repositories\truemedian\zfetch\zig-deps\c68076598504378d2760103321b684a8\src\main.zig:778:37: 0x7ff76b0f4e0d in .iguanatls.Client(std.io.reader.Reader(.network.Socket,std.os.RecvFromError,.network.Socket.receive),std.io.writer.Writer(.network.Socket,.network.SendError,.network.Socket.send))::.iguanatls.Client(std.io.reader.Reader(.network.Socket,std.os.RecvFromError,.network.Socket.receive),std.io.writer.Writer(.network.Socket,.network.SendError,.network.Socket.send)).read (test.obj)
else => |e| return e,
^
H:\repositories\truemedian\zfetch\src\conn.zig:78:9: 0x7ff76b0fdf9c in conn.Connection::conn.Connection.read (test.obj)
return switch (self.protocol) {
When digging into Iguana to look at what i'm actually getting, it appears to be reading in an invalid place. in check_record_type
the 4 skipped bytes are 3 3 0 18
, which would indicate the server is using TLS 3.3 (right..), severity
is 99, and err_num
is 200 (an invalid enum).
Hi @alexnask !
I use iguanaTLS for my http client (requestz) and it works like a charm !
But yesterday, someone figured out he could not request a specific HTTP server because of a TLS handshake failure.
After a small analysis, it seems like the cypher suites available in iguanaTLS are not accepted by the server:
it accepts "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256" and the closest one that iguanaTLS provides is "ECDHE-RSA-CHACHA20-POLY1305".
I don't know much about TLS/crypto in general, but if possible I am willing to try something to make it work for iguanaTLS. I would be very happy if anyone could provide me some advice/guidelines on the matter !
I hope you are doing fine, and I wish you a nice day :)
Cf:
Issue: ducdetronquito/requestz#22
The targeted server: api.forismatic.com
Server's accepted cypher suites: https://www.ssllabs.com/ssltest/analyze.html?d=api.forismatic.com&s=104.21.72.231
Cypher suites provided by iguanaTLS:
- ECDHE-RSA-CHACHA20-POLY1305
- ECDHE-RSA-AES128-GCM-SHA256
I am trying to connect to CockroachDB secure instance using IguanaTLS
, but cant manage to do it.
If I use default cert validation, code fails with error: CertificateVerificationFailed
If using no validation, I get error: ServerMalformedResponse
The same certs worked, in Node.js TLS and config like below
{
host: "localhost",
port: 26257,
key: fs.readFileSync('certs/client.root.key'),
cert: fs.readFileSync('certs/client.root.crt'),
ca: fs.readFileSync('certs/ca.crt')
}
My iguanaTLS connection looks like below
var tlsSocket = try TLS.client_connect(.{
.rand = rand,
.temp_allocator = allocator,
.reader = socket.reader(),
.writer = socket.writer(),
.cert_verifier = .default,
.ciphersuites = TLS.ciphersuites.all,
.trusted_certificates = ca_cert.data.items,
.client_certificates = &[1]x509.ClientCertificateChain{client_cert},
}, "127.0.0.1");
Perhaps someone can help me out here : /
When connecting to irc.libera.chat
port 6697, iguanaTLS returns a ServerMalformedResponse
. The line that returns this error is:
Line 1353 in 44485c6
After some triage I realized that the reason iguana is expecting there to be 8 extra bytes at the end of the "Certificate Request" message is for the "Server Hello Done" message. However, in this case, the libera irc server splits these 2 messages into 2 separate records.
you still working on this?
After initializing an tls client with:
try tls.client_connect(.{
.reader = self.socket.reader(),
.writer = self.socket.writer(),
.cert_verifier = .none,
.temp_allocator = self.allocator,
.ciphersuites = tls.ciphersuites.all,
.protocols = &[_][]const u8{"http/1.1"},
}, self.hostname);
Where self.socket
is a zig-network
Socket type.
Reading the payload portion of a https request to https://httpbin.org/get returns:
{
"args": {},
"headers": {
"Host": "httpbin.org",
"User-Agent": "zfetch",
"X-Amzn-Trace-Id": "Root=1-6027525d-67064b6874605a484ba4d0ef"
},
"origin": "[redacted]",
"url": "https:/t"
}
bin.org/ge�����
After a quick look into the path this code takes: it appears to be coming from a call to ctr
in the ECDHE_RSA_AES128_GCM_SHA256
ciphersuite. Specifically lines 177-190 in crypto.zig
seem to be returning garbage.
With this PEM file and the following code, I get a MalformedDER error.
var reader = std.io.fixedBufferStream(
@embedFile("/etc/ssl/certs/ca-certificates.crt"),
).reader();
const trust = try tls.x509.CertificateChain.from_pem(alloc, reader);
Tell me if you want/need any other information.
Hi, iguanaTLS works perfectly well when getting emotes, but I get a handshake error when trying to connect to Twitch's token validation endpoint.
To test you can just send a GET request to https://id.twitch.tv/oauth2/validate, it should return a nice json response with an error code in it.
/home/snuc/dev/zigmod/.zigmod/deps/git/github.com/alexnask/iguanaTLS/src/main.zig:1607:24: error: mutable 'seed' not accessible from here
a1: *[32 + seed.len]u8,
^
/home/snuc/dev/zigmod/.zigmod/deps/git/github.com/alexnask/iguanaTLS/src/main.zig:1577:13: note: declared mutable here
var seed: [77]u8 = undefined;
^
/home/snuc/dev/zigmod/.zigmod/deps/git/github.com/alexnask/iguanaTLS/src/main.zig:1605:35: note: crosses namespace boundary here
const KeyExpansionState = struct {
^
A declarative, efficient, and flexible JavaScript library for building user interfaces.
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
An Open Source Machine Learning Framework for Everyone
The Web framework for perfectionists with deadlines.
A PHP framework for web artisans
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
Some thing interesting about web. New door for the world.
A server is a program made to process requests and deliver data to clients.
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
Some thing interesting about visualization, use data art
Some thing interesting about game, make everyone happy.
We are working to build community through open source technology. NB: members must have two-factor auth.
Open source projects and samples from Microsoft.
Google ❤️ Open Source for everyone.
Alibaba Open Source for everyone
Data-Driven Documents codes.
China tencent open source team.