
[Bug]: Header file inconsistency detected combining OpenSSL and Encrypted Client Hello #7981

Open
1div0 opened this issue Sep 17, 2024 · 3 comments

1div0 commented Sep 17, 2024

Contact Details

[email protected]

Version

master

Description

Configuration error combining --enable-opensslall and --enable-ech

Fedora Linux 40

Reproduction steps

I encountered the configuration error while adding the ECH option.

./configure --enable-curve25519 --enable-ed25519 --enable-opensslall --enable-opensslextra --enable-dtls --enable-dtls13 --enable-certgen --enable-keygen --enable-intelasm --enable-benchmark --enable-harden --enable-harden-tls --enable-ech

Relevant log output

configure: Generating user options header...
checking for wolfssl/openssl/aes.h... no
configure: error: Header file inconsistency detected -- error including wolfssl/openssl/aes.h.
@1div0 1div0 added the bug label Sep 17, 2024
@embhorn embhorn self-assigned this Sep 17, 2024

embhorn commented Sep 17, 2024

Hi @1div0

I was not able to reproduce with ./configure --enable-opensslall --enable-ech

But I was able to reproduce with ./configure --enable-opensslall --enable-ech --enable-harden-tls

I will review and provide an update.

Thanks,
@embhorn - wolfSSL Support


embhorn commented Sep 17, 2024

The harden-tls option is conflicting with the ech option. You can overcome this using the override for checking the truncated hmac extension (which is enabled by the ech option), WOLFSSL_HARDEN_TLS_ALLOW_TRUNCATED_HMAC.

./configure --enable-opensslextra --enable-ech --enable-harden-tls CFLAGS='-DWOLFSSL_HARDEN_TLS_ALLOW_TRUNCATED_HMAC'

Else, if you do not need to use the truncated HMAC extension, you can disable it explicitly with:

./configure --enable-opensslextra --enable-ech --enable-harden-tls CFLAGS='-UHAVE_TRUNCATED_HMAC'

This option is better, as it does not lower the overall security.

Let me know if that resolves the issue for you.
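To confirm which of the two fixes above actually took effect in a build, here is an added shell check (not wolfSSL's own tooling, and not part of this issue) that inspects a generated user options header such as wolfssl/options.h and classifies the harden-tls / truncated-HMAC state. It assumes the one-`#define NAME` (or `#define NAME value`) line-per-macro format that configure writes into that header, and the macro names WOLFSSL_HARDEN_TLS (set by --enable-harden-tls), HAVE_TRUNCATED_HMAC (pulled in by --enable-ech), HAVE_ECH and the override WOLFSSL_HARDEN_TLS_ALLOW_TRUNCATED_HMAC named in the comment above. The sample headers it writes are constructed test data. It reports only what the header says, so it is a check on the generated header, not on the compiled object code.

```shell
#!/bin/sh
# Added example: classify the harden-tls / truncated-HMAC state of a
# wolfSSL-style user options header. Not wolfSSL's own tooling.
# Assumed macro names: WOLFSSL_HARDEN_TLS, HAVE_TRUNCATED_HMAC, HAVE_ECH,
# WOLFSSL_HARDEN_TLS_ALLOW_TRUNCATED_HMAC.

# Return 0 if macro $1 is defined in header $2 (as "#define NAME" or
# "#define NAME value"), 1 otherwise. A name that merely shares a prefix
# (e.g. WOLFSSL_HARDEN_TLS_ALLOW_... vs WOLFSSL_HARDEN_TLS) does not match.
defined_in() {
    grep -Eq "^#define[[:space:]]+$1([[:space:]]|$)" "$2"
}

# Print one classification for header $1:
#   not-hardened : harden-tls is off, so there is nothing to check
#   ok-disabled  : hardened and truncated HMAC compiled out (the preferred fix)
#   ok-override  : hardened, truncated HMAC kept via the explicit override
#   conflict     : hardened with truncated HMAC on and no override
check_truncated_hmac() {
    hdr="$1"
    if ! defined_in WOLFSSL_HARDEN_TLS "$hdr"; then
        echo not-hardened
    elif ! defined_in HAVE_TRUNCATED_HMAC "$hdr"; then
        echo ok-disabled
    elif defined_in WOLFSSL_HARDEN_TLS_ALLOW_TRUNCATED_HMAC "$hdr"; then
        echo ok-override
    else
        echo conflict
    fi
}

# Write a constructed sample header to path $1 that defines the macros given
# as the remaining arguments ("NAME" or "NAME value"). Constructed test data,
# not a real configure-generated file; the #undef/#define pairing mirrors the
# layout configure uses.
write_sample_header() {
    out="$1"; shift
    : > "$out"
    for m in "$@"; do
        printf '#undef  %s\n#define %s\n\n' "${m%% *}" "$m" >> "$out"
    done
}

# Stand-alone demo over three constructed headers.
demo() {
    d=$(mktemp -d)
    write_sample_header "$d/conflict.h" "WOLFSSL_HARDEN_TLS 112" HAVE_ECH HAVE_TRUNCATED_HMAC
    write_sample_header "$d/override.h" "WOLFSSL_HARDEN_TLS 112" HAVE_ECH HAVE_TRUNCATED_HMAC \
        WOLFSSL_HARDEN_TLS_ALLOW_TRUNCATED_HMAC
    write_sample_header "$d/disabled.h" "WOLFSSL_HARDEN_TLS 112" HAVE_ECH
    for f in conflict override disabled; do
        printf '%s.h: %s\n' "$f" "$(check_truncated_hmac "$d/$f.h")"
    done
    rm -rf "$d"
}

demo
```

Point `check_truncated_hmac` at the options.h of a real build (the path configure prints after "Generating user options header...") to see which state that build is in; "ok-disabled" is the outcome the second configure line above aims for.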


1div0 commented Sep 18, 2024

@embhorn thank you so much for the quick response.

I tried both options; library compilation succeeded. However, there is one failing test, 610: test_wolfSSL_cert_cb_dyn_ciphers

```
 610: test_wolfSSL_cert_cb_dyn_ciphers :Client message: hello wolfssl!
Server response: I hear you fa shizzle!
Client message: hello wolfssl!
Server response: I hear you fa shizzle!
Testing TLS13-AES256-GCM-SHA384:TLS13-AES128-GCM-SHA256 ciphers with RSA-PSS+SHA256 sigalgs
Testing TLS13-AES256-GCM-SHA384:TLS13-AES128-GCM-SHA256 ciphers with ECDSA+SHA256 sigalgs
Testing DHE-RSA-AES128-GCM-SHA256 ciphers with RSA-PSS+SHA256 sigalgs

ERROR - ../../../../tests/api.c line 68738 failed with:
expected: wolfSSL_CTX_set_cipher_list(ctx, test_wolfSSL_cert_cb_dyn_ciphers_client_cipher) == WOLFSSL_SUCCESS
result: 0 != 1

ERROR - ../../../../tests/api.c line 7120 failed with:
expected: ctx->c_cb.ctx_ready(ctx->c_ctx) == (1)
result: 0 != 1

ERROR - ../../../../tests/api.c line 7429 failed with:
expected: test_ssl_memio_setup(&test_ctx) == (1)
result: 0 != 1

ERROR - ../../../../tests/api.c line 68889 failed with:
expected: test_wolfSSL_client_server_nofail_memio(&func_cb_client, &func_cb_server, ((void*)0)) == (1)
result: 0 != 1

Testing ECDHE-ECDSA-AES128-GCM-SHA256 ciphers with ECDSA+SHA256 sigalgs

failed ( 0.01100)

ERROR - ../../../../tests/api.c line 96451 failed with:
expected: Test failed

result:   ret 0
```
