
tls 1.2 decode error for https://cdn.kernel.org #21952

Open
Allar opened this issue Nov 10, 2024 · 1 comment
Labels
bug Observed behavior contradicts documented or intended behavior

Comments

@Allar

Allar commented Nov 10, 2024

Zig Version

0.14.0-dev.2198+e5f5229fd

Steps to Reproduce and Observed Behavior

I'm using this function to download files, which is probably not ideal but it seems to work for the most part.

https://github.com/torvalds/linux/archive/refs/tags/v6.11.tar.gz works successfully
https://cdn.kernel.org/pub/linux/kernel/v6.x/linux-6.11.7.tar.xz results in a tls decode error

It would be nice to be able to support downloading from cdn.kernel.org imo.

Opening a specific issue for this url as per #14172 (comment)

```zig
const std = @import("std");

// Error set assumed for this snippet; the original post did not show its definition.
const FetchError = error{ BadResponse, NoData };

pub fn downloadFile(allocator: std.mem.Allocator, uri: std.Uri, destSubPath: []const u8) !void {
    var client: std.http.Client = .{ .allocator = allocator };
    defer client.deinit();

    // Load the system CA bundle so the TLS handshake can verify the server certificate.
    try client.ca_bundle.rescan(allocator);

    var serverHeaderBuffer: [8192]u8 = undefined;

    var req = try client.open(.GET, uri, .{
        .server_header_buffer = &serverHeaderBuffer,
    });
    defer req.deinit();

    try req.send();
    try req.finish();

    std.log.info("downloading {}", .{uri});

    // Blocks until the response headers have been received and parsed.
    try req.wait();

    switch (req.response.status) {
        .ok => {},
        else => {
            return FetchError.BadResponse;
        },
    }

    const bodyBufferSize = 4096;

    // create br with bodyBufferSize?
    var br = std.io.bufferedReader(req.reader());
    const r = br.reader();

    var bodyBuf: [bodyBufferSize]u8 = undefined;

    var readBytes = try r.read(&bodyBuf);

    if (readBytes <= 0) {
        return FetchError.NoData;
    }

    const file = try std.fs.cwd().createFile(destSubPath, .{});
    defer file.close();

    var bw = std.io.bufferedWriter(file.writer());

    // Copy the body to disk until the reader reports end of stream (0 bytes read).
    while (readBytes > 0) {
        _ = try bw.write(bodyBuf[0..readBytes]);
        readBytes = try r.read(&bodyBuf);
    }

    try bw.flush();
}
```

Expected Behavior

For the http client to negotiate and download the file using the kernel.org url as it does for the github url.

@Allar Allar added the bug Observed behavior contradicts documented or intended behavior label Nov 10, 2024
@Allar Allar changed the title from "zls 1.2 decode error for https://cdn.kernel.org" to "tls 1.2 decode error for https://cdn.kernel.org" Nov 10, 2024
@ianic
Contributor

ianic commented Dec 17, 2024

When connecting to cdn.kernel.org, the server is choosing:
tls version: tls_1_2
cipher: ECDHE_RSA_WITH_AES_128_GCM_SHA256
named group: x25519
signature scheme: rsa_pss_rsae_sha256

For this case the named group is interesting, because in the Zig implementation the client key exchange message is always using the public key from the secp256r1 named group. If I change that line to:

```zig
array(u24, u8, array(u8, u8, key_share.x25519_kp.public_key)));
```

then it works for cdn.kernel.org (but breaks all other named groups).
The key exchange message should use the public key based on the server-chosen named group.

Some other domains which are also affected:
imgur.com
forbes.com
independent.co.uk
etsy.com
fastly.net
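To make the mismatch concrete, here is an added Python illustration (not Zig's code, and not part of the thread) of the TLS 1.2 ECDHE ClientKeyExchange framing: the client should pick its key share from the NamedGroup the server named in ServerKeyExchange, and sending the secp256r1 point when the server chose x25519 is exactly what a server rejects as a decode error. The key bytes and ServerKeyExchange bodies are constructed placeholders with the right lengths, not real keys.

```python
import struct

# TLS NamedGroup values from the IANA registry (RFC 8422 / RFC 8446)
NAMED_GROUP_SECP256R1 = 0x0017
NAMED_GROUP_X25519 = 0x001D

# Expected ECDH public key encoding per group:
#   secp256r1: uncompressed point 0x04 || X(32) || Y(32) = 65 bytes
#   x25519:    raw 32-byte u-coordinate
POINT_LEN = {NAMED_GROUP_SECP256R1: 65, NAMED_GROUP_X25519: 32}

# Constructed placeholder public keys (correct length/format only, not real keys).
KEY_SHARE = {
    NAMED_GROUP_SECP256R1: b"\x04" + bytes(range(64)),
    NAMED_GROUP_X25519: bytes(range(32)),
}

def server_named_group(server_key_exchange: bytes) -> int:
    """Read NamedGroup from an ECDHE ServerKeyExchange body (RFC 8422 5.4):
    curve_type(1) || named_curve(2) || point<1..255> || signature."""
    curve_type, group = struct.unpack("!BH", server_key_exchange[:3])
    if curve_type != 3:  # 3 = named_curve; explicit curves are deprecated
        raise ValueError("unsupported curve_type")
    return group

def client_key_exchange(group: int, honour_server_choice: bool = True) -> bytes:
    """Build the ClientKeyExchange ECDHE body: point<1..255>.
    honour_server_choice=False mimics the reported bug: always send secp256r1."""
    chosen = group if honour_server_choice else NAMED_GROUP_SECP256R1
    point = KEY_SHARE[chosen]
    return bytes([len(point)]) + point

def server_decode(group: int, cke_body: bytes) -> str:
    """Server-side parse of the client's point: 'ok' or the alert it would send."""
    length, point = cke_body[0], cke_body[1:]
    if len(point) != length or length != POINT_LEN[group]:
        return "decode_error"      # wrong size for the negotiated group
    if group == NAMED_GROUP_SECP256R1 and point[0] != 0x04:
        return "illegal_parameter"  # not an uncompressed point
    return "ok"

def simulate(server_key_exchange: bytes, honour_server_choice: bool) -> str:
    group = server_named_group(server_key_exchange)
    return server_decode(group, client_key_exchange(group, honour_server_choice))

# Constructed ServerKeyExchange prefixes (signature omitted): x25519 as cdn.kernel.org picks, and secp256r1
SKE_X25519 = struct.pack("!BH", 3, NAMED_GROUP_X25519) + b"\x20" + KEY_SHARE[NAMED_GROUP_X25519]
SKE_P256 = struct.pack("!BH", 3, NAMED_GROUP_SECP256R1) + b"\x41" + KEY_SHARE[NAMED_GROUP_SECP256R1]
```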
