Synss / python-mbedtls

Cryptographic library with an mbed TLS back end
MIT License
79 stars, 28 forks

TLSWrappedBuffer do_handshake fails #55

Closed skelsec closed 2 years ago

skelsec commented 2 years ago

NOTE: Please use stackoverflow for support questions. This repository's issues are reserved for feature requests and bug reports.

I am submitting a …

Description

I'm trying to set up a client context and inspect the handshake messages without using sockets. # _pep543.TLSWrappedBuffer

Current behavior

When invoking do_handshake() I get mbedtls.exceptions.TLSError: TLSError([0x7100] 'SSL - Bad input parameters to function')

Expected behavior

I expect to get a WantReadError or a WantWriteError and be able to obtain the initial handshake bytes

Steps to reproduce

from mbedtls import tls

ctx = tls.ClientContext(tls.TLSConfiguration(validate_certificates=False))
ssl = ctx.wrap_buffers(None)
ssl.do_handshake()

This should produce WantWriteError

Minimal demo of the problem

Python 3.8.10 (default, Nov 26 2021, 20:14:08) 
[GCC 9.3.0] on linux
Type "help", "copyright", "credits" or "license" for more information.
>>> from mbedtls import tls
>>> ctx = tls.ClientContext(tls.TLSConfiguration(validate_certificates=False))
>>> ssl = ctx.wrap_buffers(None)
>>> ssl.do_handshake()
Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
  File "src/mbedtls/tls.pyx", line 1460, in mbedtls.tls.TLSWrappedBuffer.do_handshake
  File "src/mbedtls/tls.pyx", line 1281, in mbedtls.tls._BaseContext._do_handshake
  File "src/mbedtls/tls.pyx", line 1286, in mbedtls.tls._BaseContext._do_handshake_step
  File "src/mbedtls/tls.pyx", line 1305, in mbedtls.tls._BaseContext._handle_handshake_response
  File "src/mbedtls/exceptions.pyx", line 54, in mbedtls.exceptions.check_error
  File "src/mbedtls/exceptions.pyx", line 57, in mbedtls.exceptions.check_error
mbedtls.exceptions.TLSError: TLSError([0x7100] 'SSL - Bad input parameters to function')

Other information

Awesome project, thank you for it!

skelsec commented 2 years ago

Additional info: I'm using the pip packaged version here. I tried to compile it myself on my Ubuntu 20.04 machine. Compilation was done without errors, but when importing the mbedtls package I got a segfault.

Synss commented 2 years ago

I expect to get a WantReadError or a WantWriteError and be able to obtain the initial handshake bytes

Yes, I am aware of that and it is partly fixed on master. I am still working on it, however. The changes required are not trivial.

but when importing the mbedtls package I got segfault

The bindings only support the latest mbedtls 2.6 (I have 2.16.12 on my own machine now). You should probably set LD_LIBRARY_PATH or use auditwheel on Linux or delocate on MacOS. I would recommend using the scripts under scripts, such as scripts/download* and scripts/install-pymbedtls*.

Awesome project, thank you for it!

Thank you!

Synss commented 2 years ago

I have added a comprehensive test on master with a full handshake using the wrapped buffer. I checked that calling do_handshake() on the wrong end raises WantReadError or WantWriteError but I have no test for that yet. I have to think how to organise the code better.