drogue-iot / embedded-tls

A Rust TLS 1.3 implementation for embedded devices.
Apache License 2.0

Example fails #136

Open Ddystopia opened 5 months ago

Ddystopia commented 5 months ago
 π rustls main
❯ openssl req -new -newkey rsa:2048 -days 365 -nodes -x509 -keyout key.pem -out cert.pem -batch
  cargo run --bin tlsserver-mio -- -p 12345 --certs cert.pem --key key.pem --protover 1.3 --tickets --verbose echo
    Finished dev [unoptimized + debuginfo] target(s) in 0.04s
     Running `target/debug/tlsserver-mio -p 12345 --certs cert.pem --key key.pem --protover 1.3 --tickets --verbose echo`
listening on [::]:12345
[2024-02-20T12:22:53Z TRACE mio::poll] registering event source with poller: token=Token(0), interests=READABLE
[2024-02-20T12:23:00Z DEBUG tlsserver_mio] Accepting new connection from [::ffff:127.0.0.1]:37640
[2024-02-20T12:23:00Z TRACE mio::poll] registering event source with poller: token=Token(2), interests=READABLE
[2024-02-20T12:23:00Z TRACE rustls::server::hs] we got a clienthello ClientHelloPayload { client_version: TLSv1_2, random: e52c4d461020251710656752cd69d774020c2ee61701dd4784607dfb317e7dc5, session_id: , cipher_suites: [TLS13_AES_128_GCM_SHA256], compression_methods: [Null], extensions: [SupportedVersions([TLSv1_3]), SignatureAlgorithms([ECDSA_NISTP256_SHA256, ECDSA_NISTP384_SHA384, ED25519]), NamedGroups([secp256r1]), PresharedKeyModes([PSK_DHE_KE]), KeyShare([KeyShareEntry { group: secp256r1, payload: 04d8974964d8c2a19cfa2e6d6effee1b4613b1c500974369acf325fc947233befe47e98def1e0b02049362111e696a7ffc26cb9d71f994141fd4975695359447d1 }]), ServerName([ServerName { typ: HostName, payload: HostName(DnsName("localhost")) }])] }
[2024-02-20T12:23:00Z TRACE rustls::server::server_conn] sni Some(DnsName("localhost"))
[2024-02-20T12:23:00Z TRACE rustls::server::server_conn] sig schemes [ECDSA_NISTP256_SHA256, ECDSA_NISTP384_SHA384, ED25519]
[2024-02-20T12:23:00Z TRACE rustls::server::server_conn] alpn protocols None
[2024-02-20T12:23:00Z TRACE rustls::server::server_conn] cipher suites [TLS13_AES_128_GCM_SHA256]
[2024-02-20T12:23:00Z DEBUG rustls::server::hs] decided upon suite TLS13_AES_128_GCM_SHA256
[2024-02-20T12:23:00Z TRACE rustls::server::tls13::client_hello] sending server hello Message { version: TLSv1_2, payload: Handshake { parsed: HandshakeMessagePayload { typ: ServerHello, payload: ServerHello(ServerHelloPayload { legacy_version: TLSv1_2, random: 2599d14bf1b8d18d9fe1128b1421d776bdf6edab48b9a1d8dce73b7e90fabe84, session_id: , cipher_suite: TLS13_AES_128_GCM_SHA256, compression_method: Null, extensions: [KeyShare(KeyShareEntry { group: secp256r1, payload: 04dc85aa3de608fa8cc00f70d3ac4e42f8a1c3f08ab35b7a7c1ffc84cc354aae6496704d1e50cb5e400d1082f6cd91b981183c8c571cd3d259e8314bf13db1997d }), SupportedVersions(TLSv1_3)] }) }, encoded: 0200007703032599d14bf1b8d18d9fe1128b1421d776bdf6edab48b9a1d8dce73b7e90fabe8400130100004f003300450017004104dc85aa3de608fa8cc00f70d3ac4e42f8a1c3f08ab35b7a7c1ffc84cc354aae6496704d1e50cb5e400d1082f6cd91b981183c8c571cd3d259e8314bf13db1997d002b00020304 } }
[2024-02-20T12:23:00Z TRACE rustls::server::tls13::client_hello] sending encrypted extensions Message { version: TLSv1_3, payload: Handshake { parsed: HandshakeMessagePayload { typ: EncryptedExtensions, payload: EncryptedExtensions([ServerNameAck]) }, encoded: 08000006000400000000 } }
[2024-02-20T12:23:00Z TRACE rustls::server::tls13::client_hello] sending certificate Message { version: TLSv1_3, payload: Handshake { parsed: HandshakeMessagePayload { typ: Certificate, payload: CertificateTls13(CertificatePayloadTls13 { context: , entries: [CertificateEntry { cert: CertificateDer(…), exts: [] }] }) }, encoded: … } }
[2024-02-20T12:23:00Z ERROR tlsserver_mio] cannot process packet: PeerIncompatible(NoSignatureSchemesInCommon)
[2024-02-20T12:23:00Z TRACE mio::poll] deregistering event source from poller
 ∮ embedded-tls/examples/tokio/src main ✗
❯ RUST_LOG=trace cargo run
    Finished dev [unoptimized + debuginfo] target(s) in 0.02s
     Running `/home/ddystopia/code/embedded-tls/examples/tokio/target/debug/ping-tokio`
[2024-02-20T12:23:00Z INFO  ping_tokio] Connected
[2024-02-20T12:23:00Z DEBUG embedded_tls::write_buffer] start_record(Handshake(false))
[2024-02-20T12:23:00Z TRACE embedded_tls::asynch] State ClientHello -> ServerHello
[2024-02-20T12:23:00Z DEBUG embedded_tls::record_reader] advance: Handshake - content_length = 123 bytes
[2024-02-20T12:23:00Z TRACE embedded_tls::handshake] handshake = ServerHello
[2024-02-20T12:23:00Z TRACE embedded_tls::extensions::messages] Extension buffer: 79
[2024-02-20T12:23:00Z DEBUG embedded_tls::extensions::messages] Read extension type KeyShare
[2024-02-20T12:23:00Z TRACE embedded_tls::extensions::messages] Extension data length: 69
[2024-02-20T12:23:00Z TRACE embedded_tls::extensions::messages] Extension buffer: 6
[2024-02-20T12:23:00Z DEBUG embedded_tls::extensions::messages] Read extension type SupportedVersions
[2024-02-20T12:23:00Z TRACE embedded_tls::extensions::messages] Extension data length: 2
[2024-02-20T12:23:00Z TRACE embedded_tls::extensions::messages] Read 2 extensions
[2024-02-20T12:23:00Z DEBUG embedded_tls::handshake::server_hello] server cipher_suite TlsAes128GcmSha256
[2024-02-20T12:23:00Z DEBUG embedded_tls::handshake::server_hello] server extensions [KeyShare(KeyShareServerHello(KeyShareEntry { group: Secp256r1, opaque: [4, 220, 133, 170, 61, 230, 8, 250, 140, 192, 15, 112, 211, 172, 78, 66, 248, 161, 195, 240, 138, 179, 91, 122, 124, 31, 252, 132, 204, 53, 74, 174, 100, 150, 112, 77, 30, 80, 203, 94, 64, 13, 16, 130, 246, 205, 145, 185, 129, 24, 60, 140, 87, 28, 211, 210, 89, 232, 49, 75, 241, 61, 177, 153, 125] })), SupportedVersions(SupportedVersionsServerHello { selected_version: ProtocolVersion(772) })]
[2024-02-20T12:23:00Z TRACE embedded_tls::connection] ********* ServerHello
[2024-02-20T12:23:00Z TRACE embedded_tls::asynch] State ServerHello -> ServerVerify
[2024-02-20T12:23:00Z DEBUG embedded_tls::record_reader] advance: ChangeCipherSpec - content_length = 1 bytes
[2024-02-20T12:23:00Z TRACE embedded_tls::connection] Not decrypting: content_type = ChangeCipherSpec
[2024-02-20T12:23:00Z TRACE embedded_tls::asynch] State ServerVerify -> ServerVerify
[2024-02-20T12:23:00Z DEBUG embedded_tls::record_reader] advance: ApplicationData - content_length = 27 bytes
[2024-02-20T12:23:00Z TRACE embedded_tls::connection] Decrypting: content type = Handshake
[2024-02-20T12:23:00Z TRACE embedded_tls::handshake] handshake = EncryptedExtensions
[2024-02-20T12:23:00Z TRACE embedded_tls::extensions::messages] Extension buffer: 4
[2024-02-20T12:23:00Z DEBUG embedded_tls::extensions::messages] Read extension type ServerName
[2024-02-20T12:23:00Z TRACE embedded_tls::extensions::messages] Extension data length: 0
[2024-02-20T12:23:00Z TRACE embedded_tls::extensions::messages] Read 1 extensions
[2024-02-20T12:23:00Z TRACE embedded_tls::asynch] State ServerVerify -> ServerVerify
[2024-02-20T12:23:00Z DEBUG embedded_tls::record_reader] advance: ApplicationData - content_length = 909 bytes
[2024-02-20T12:23:00Z TRACE embedded_tls::connection] Decrypting: content type = Handshake
[2024-02-20T12:23:00Z TRACE embedded_tls::handshake] handshake = Certificate
[2024-02-20T12:23:00Z TRACE embedded_tls::extensions::messages] Read 0 extensions
[2024-02-20T12:23:00Z DEBUG embedded_tls::connection] Certificate verified!
[2024-02-20T12:23:00Z TRACE embedded_tls::asynch] State ServerVerify -> ServerVerify
[2024-02-20T12:23:00Z DEBUG embedded_tls::record_reader] advance: ApplicationData - content_length = 19 bytes
[2024-02-20T12:23:00Z TRACE embedded_tls::connection] Decrypting: content type = Alert
thread 'main' panicked at src/main.rs:29:10:
error establishing TLS connection: InvalidRecord
note: run with `RUST_BACKTRACE=1` environment variable to display a backtrace
Ddystopia commented 5 months ago

Adding the "alloc" feature to the example solved the issue, but the example should still be updated.

Ddystopia commented 5 months ago

You have to use elliptic curve certificates, or compile embedded-tls crate with the alloc feature to support RSA signatures

Could you please explain how this relates to the error? And how can I avoid using alloc?

lulf commented 5 months ago

I think we can probably remove that alloc feature; it doesn't really do any alloc if you enable it. It was previously added because there was RSA verification in webpki that required alloc. However, there is no signature verification at the moment for any type of key, so I think there is no need to treat RSA differently than the others.
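
Why the server in the first post answers an RSA certificate with `NoSignatureSchemesInCommon`, as an added example (not code from embedded-tls or rustls): it parses a `signature_algorithms` extension body carrying the three schemes shown in the logged ClientHello and checks which of them a given server key type can use for a TLS 1.3 CertificateVerify (RFC 8446, section 4.2.3). The `ServerKey` type, the function names and the client-preference selection order are assumptions made for illustration.

```rust
// Added example: TLS 1.3 signature scheme matching (RFC 8446, section 4.2.3).
#[allow(dead_code)]
#[derive(Debug, Clone, Copy, PartialEq)]
enum ServerKey { Rsa, EcdsaP256, EcdsaP384, Ed25519 }

/// Code points a key of this type may use in a TLS 1.3 CertificateVerify.
fn usable_schemes(key: ServerKey) -> &'static [u16] {
    match key {
        // rsa_pss_rsae_sha256 / sha384 / sha512; PKCS#1 v1.5 is not allowed here.
        ServerKey::Rsa => &[0x0804, 0x0805, 0x0806],
        ServerKey::EcdsaP256 => &[0x0403], // ecdsa_secp256r1_sha256
        ServerKey::EcdsaP384 => &[0x0503], // ecdsa_secp384r1_sha384
        ServerKey::Ed25519 => &[0x0807],   // ed25519
    }
}

/// Parse signature_algorithms extension_data: u16 byte length, then u16 code points.
/// Returns None for truncated, empty or odd-length lists.
fn parse_signature_algorithms(data: &[u8]) -> Option<Vec<u16>> {
    if data.len() < 2 {
        return None;
    }
    let len = u16::from_be_bytes([data[0], data[1]]) as usize;
    let body = &data[2..];
    if len == 0 || len % 2 != 0 || len != body.len() {
        return None;
    }
    Some(body.chunks_exact(2).map(|c| u16::from_be_bytes([c[0], c[1]])).collect())
}

/// First offered scheme the server key can sign with (client order is an assumption).
fn select_scheme(offered: &[u16], key: ServerKey) -> Option<u16> {
    offered.iter().copied().find(|s| usable_schemes(key).contains(s))
}

// Constructed input: the three schemes listed in the logged ClientHello
// (ECDSA_NISTP256_SHA256, ECDSA_NISTP384_SHA384, ED25519) in wire encoding.
const CLIENT_SIGALGS: [u8; 8] = [0x00, 0x06, 0x04, 0x03, 0x05, 0x03, 0x08, 0x07];

fn main() {
    let offered = parse_signature_algorithms(&CLIENT_SIGALGS).expect("well-formed list");
    for key in [ServerKey::Rsa, ServerKey::EcdsaP256] {
        match select_scheme(&offered, key) {
            Some(s) => println!("{:?}: sign with scheme 0x{:04x}", key, s),
            None => println!("{:?}: no signature schemes in common", key),
        }
    }
}
```

With the RSA key generated by `openssl req -newkey rsa:2048` there is no overlap, which matches the server-side error; a P-256 key overlaps on `ecdsa_secp256r1_sha256`.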