wolfSSL / wolfssl

The wolfSSL library is a small, fast, portable implementation of TLS/SSL for embedded devices to the cloud. wolfSSL supports up to TLS 1.3 and DTLS 1.3!
https://www.wolfssl.com
GNU General Public License v2.0

[Bug]: Header file inconsistency detected combining OpenSSL and Encrypted Client Hello #7981

Open 1div0 opened 1 month ago

1div0 commented 1 month ago

Contact Details

peter.kovar@reflexion.tv

Version

master

Description

Configuration error combining --enable-opensslall and --enable-ech

Fedora Linux 40

Reproduction steps

I have encountered the configuration error while adding ECH option.

./configure --enable-curve25519 --enable-ed25519 --enable-opensslall --enable-opensslextra --enable-dtls --enable-dtls13 --enable-certgen --enable-keygen --enable-intelasm --enable-benchmark --enable-harden --enable-harden-tls --enable-ech

Relevant log output

configure: Generating user options header...
checking for wolfssl/openssl/aes.h... no
configure: error: Header file inconsistency detected -- error including wolfssl/openssl/aes.h.

embhorn commented 1 month ago

Hi @1div0

I was not able to reproduce with ./configure --enable-opensslall --enable-ech

But I was able to reproduce with ./configure --enable-opensslall --enable-ech --enable-harden-tls

I will review and provide an update.

Thanks, @embhorn - wolfSSL Support

embhorn commented 1 month ago

The harden-tls option is conflicting with the ech option. You can overcome this using the override for checking the truncated hmac extension (which is enabled by the ech option), WOLFSSL_HARDEN_TLS_ALLOW_TRUNCATED_HMAC.

./configure --enable-opensslextra --enable-ech --enable-harden-tls CFLAGS='-DWOLFSSL_HARDEN_TLS_ALLOW_TRUNCATED_HMAC'

Else, if you do not need to use the truncated HMAC extension, you can disable it explicitly with:

./configure --enable-opensslextra --enable-ech --enable-harden-tls CFLAGS='-UHAVE_TRUNCATED_HMAC'

This option is better, as it does not lower the overall security.

Let me know if that resolves the issue for you.
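The two fixes above differ in what ends up in the generated wolfssl/options.h: the first keeps the truncated HMAC extension compiled in and suppresses the harden-tls check, the second leaves it out entirely. The script below is an added example, not code from the wolfSSL project or from this thread; it audits an options.h for that combination so a build pipeline can tell the three outcomes apart. The macro names WOLFSSL_HARDEN_TLS_ALLOW_TRUNCATED_HMAC and HAVE_TRUNCATED_HMAC come from the thread; that --enable-harden-tls appears in options.h as a WOLFSSL_HARDEN_TLS define is an assumption, and the options.h contents written by write_sample_options are constructed for the demonstration rather than copied from a real configure run.

```shell
#!/bin/sh
# Added example (not part of the wolfSSL issue thread): audit a generated
# wolfssl/options.h for the --enable-harden-tls / truncated-HMAC conflict.
# Assumption: harden-tls shows up as "#define WOLFSSL_HARDEN_TLS ..." in
# options.h. The sample file contents below are constructed for the demo.

# defines_macro FILE MACRO -> exit 0 if FILE has "#define MACRO" (with or
# without a value), 1 otherwise. Anchored so WOLFSSL_HARDEN_TLS does not
# also match WOLFSSL_HARDEN_TLS_ALLOW_TRUNCATED_HMAC.
defines_macro() {
    grep -Eq "^#define $2([[:space:]]|$)" "$1"
}

# check_truncated_hmac FILE
# Prints one word describing the build configuration:
#   ok          harden-tls on, truncated HMAC not compiled in (the preferred fix)
#   override    harden-tls on, truncated HMAC allowed through the override define
#   conflict    harden-tls on and truncated HMAC on with no override; this is
#               the combination the reported configure run rejected
#   unhardened  harden-tls is off, so the check does not apply
check_truncated_hmac() {
    file="$1"
    harden=0; trunc=0; allow=0
    if defines_macro "$file" WOLFSSL_HARDEN_TLS; then harden=1; fi
    if defines_macro "$file" HAVE_TRUNCATED_HMAC; then trunc=1; fi
    if defines_macro "$file" WOLFSSL_HARDEN_TLS_ALLOW_TRUNCATED_HMAC; then allow=1; fi

    if [ "$harden" -eq 0 ]; then
        echo unhardened
    elif [ "$trunc" -eq 0 ]; then
        echo ok
    elif [ "$allow" -eq 1 ]; then
        echo override
    else
        echo conflict
    fi
}

# write_sample_options FILE VARIANT
# Writes a constructed options.h fragment mimicking the #undef/#define pairs
# configure emits. VARIANT is one of:
#   broken    --enable-ech --enable-harden-tls as reported (truncated HMAC on)
#   override  the same plus CFLAGS=-DWOLFSSL_HARDEN_TLS_ALLOW_TRUNCATED_HMAC
#   fixed     the same plus CFLAGS=-UHAVE_TRUNCATED_HMAC (extension left out)
write_sample_options() {
    {
        echo '#undef  HAVE_ECH'
        echo '#define HAVE_ECH'
        echo '#undef  WOLFSSL_HARDEN_TLS'
        echo '#define WOLFSSL_HARDEN_TLS 112'
        case "$2" in
            broken|override)
                echo '#undef  HAVE_TRUNCATED_HMAC'
                echo '#define HAVE_TRUNCATED_HMAC' ;;
        esac
        if [ "$2" = override ]; then
            echo '#undef  WOLFSSL_HARDEN_TLS_ALLOW_TRUNCATED_HMAC'
            echo '#define WOLFSSL_HARDEN_TLS_ALLOW_TRUNCATED_HMAC'
        fi
    } > "$1"
}

# Usage against a real build tree, e.g.:
#   check_truncated_hmac /usr/local/include/wolfssl/options.h
```

Running check_truncated_hmac against the options.h of an installed library is the quick way to confirm which of the two workarounds a given build actually used, since both produce a library that links and only the override form keeps the extension the hardening profile was meant to exclude.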

1div0 commented 1 month ago

@embhorn thank you so much for the quick response.

I tried both options, library compilation succeeded. However, one test is failing, 610: test_wolfSSL_cert_cb_dyn_ciphers

`
610: test_wolfSSL_cert_cb_dyn_ciphers :Client message: hello wolfssl! Server response: I hear you fa shizzle!
Client message: hello wolfssl! Server response: I hear you fa shizzle!
Testing TLS13-AES256-GCM-SHA384:TLS13-AES128-GCM-SHA256 ciphers with RSA-PSS+SHA256 sigalgs
Testing TLS13-AES256-GCM-SHA384:TLS13-AES128-GCM-SHA256 ciphers with ECDSA+SHA256 sigalgs
Testing DHE-RSA-AES128-GCM-SHA256 ciphers with RSA-PSS+SHA256 sigalgs

ERROR - ../../../../tests/api.c line 68738 failed with: expected: wolfSSL_CTX_set_cipher_list(ctx, test_wolfSSL_cert_cb_dyn_ciphers_client_cipher) == WOLFSSL_SUCCESS result: 0 != 1

ERROR - ../../../../tests/api.c line 7120 failed with: expected: ctx->c_cb.ctx_ready(ctx->c_ctx) == (1) result: 0 != 1

ERROR - ../../../../tests/api.c line 7429 failed with: expected: test_ssl_memio_setup(&test_ctx) == (1) result: 0 != 1

ERROR - ../../../../tests/api.c line 68889 failed with: expected: test_wolfSSL_client_server_nofail_memio(&func_cb_client, &func_cb_server, ((void*)0)) == (1) result: 0 != 1

Testing ECDHE-ECDSA-AES128-GCM-SHA256 ciphers with ECDSA+SHA256 sigalgs

failed ( 0.01100)

ERROR - ../../../../tests/api.c line 96451 failed with: expected: Test failed

result:   ret 0
`