[Bug]: Header file inconsistency detected combining OpenSSL and Encrypted Client Hello #7981

Open
1div0 opened this issue Sep 17, 2024 · 3 comments
1div0 commented Sep 17, 2024

Contact Details

peter.kovar@reflexion.tv

Version

master

Description

Configuration error combining --enable-opensslall and --enable-ech

Fedora Linux 40

Reproduction steps

I have encountered the configuration error while adding ECH option.

```
./configure --enable-curve25519 --enable-ed25519 --enable-opensslall --enable-opensslextra --enable-dtls --enable-dtls13 --enable-certgen --enable-keygen --enable-intelasm --enable-benchmark --enable-harden --enable-harden-tls --enable-ech
```

Relevant log output

```
configure: Generating user options header...
checking for wolfssl/openssl/aes.h... no
configure: error: Header file inconsistency detected -- error including wolfssl/openssl/aes.h.
```
@1div0 1div0 added the bug label Sep 17, 2024
@embhorn embhorn self-assigned this Sep 17, 2024
embhorn commented Sep 17, 2024

Hi @1div0

I was not able to reproduce with `./configure --enable-opensslall --enable-ech`

But I was able to reproduce with `./configure --enable-opensslall --enable-ech --enable-harden-tls`

I will review and provide an update.

Thanks,
@embhorn - wolfSSL Support

embhorn commented Sep 17, 2024

The harden-tls option is conflicting with the ech option. You can overcome this using the override for checking the truncated hmac extension (which is enabled by the ech option), WOLFSSL_HARDEN_TLS_ALLOW_TRUNCATED_HMAC.

```
./configure --enable-opensslextra --enable-ech --enable-harden-tls CFLAGS='-DWOLFSSL_HARDEN_TLS_ALLOW_TRUNCATED_HMAC'
```

Else, if you do not need to use the truncated HMAC extension, you can disable it explicitly with:

```
./configure --enable-opensslextra --enable-ech --enable-harden-tls CFLAGS='-UHAVE_TRUNCATED_HMAC'
```

This option is better, as it does not lower the overall security.

Let me know if that resolves the issue for you.
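The rule given in this comment, encoded as a pre-flight check that can be run before `./configure`. This is an added example, not part of wolfSSL's build system or of the thread; the function name `wolfssl_preflight` and its argument convention (the CFLAGS value first, then the configure arguments) are assumptions of the example.

```shell
#!/bin/sh
# Constructed pre-flight check for a wolfSSL ./configure command line (added
# helper, not wolfSSL code). It encodes the rule from the thread: --enable-ech
# turns on the truncated HMAC extension, which --enable-harden-tls rejects
# unless CFLAGS carries one of the two overrides.
#
# Usage: wolfssl_preflight "<CFLAGS value>" <configure arguments...>
# Returns 0 when the combination is consistent, 1 when configure would fail.
wolfssl_preflight() {
    cflags=$1
    shift
    ech=0
    harden=0
    override=0
    for arg in "$@"; do
        case $arg in
            --enable-ech) ech=1 ;;
            --enable-harden-tls) harden=1 ;;   # note: plain --enable-harden is unrelated
        esac
    done
    # Match the overrides as whole tokens so other CFLAGS (e.g. -O2) do not interfere.
    case " $cflags " in
        *" -UHAVE_TRUNCATED_HMAC "*) override=1 ;;                     # drops the extension (preferred)
        *" -DWOLFSSL_HARDEN_TLS_ALLOW_TRUNCATED_HMAC "*) override=1 ;;  # keeps it, relaxes hardening
    esac
    if [ "$ech" -eq 1 ] && [ "$harden" -eq 1 ] && [ "$override" -eq 0 ]; then
        echo "conflict: --enable-harden-tls rejects the truncated HMAC extension enabled by --enable-ech" >&2
        echo "  preferred fix:   CFLAGS='-UHAVE_TRUNCATED_HMAC'" >&2
        echo "  alternative fix: CFLAGS='-DWOLFSSL_HARDEN_TLS_ALLOW_TRUNCATED_HMAC'" >&2
        return 1
    fi
    return 0
}

# The reproduction from the thread fails the check; the same flags with the
# preferred override pass. Wrapped in 'if' so the script is safe under set -e.
if wolfssl_preflight "" --enable-opensslall --enable-ech --enable-harden-tls; then
    echo "reproduction: ok"
else
    echo "reproduction: configure would fail, as reported in the issue"
fi
if wolfssl_preflight "-UHAVE_TRUNCATED_HMAC" --enable-opensslall --enable-ech --enable-harden-tls; then
    echo "with -UHAVE_TRUNCATED_HMAC: ok"
fi
```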

1div0 commented Sep 18, 2024

@embhorn thank you so much for the quick response.

I tried both options, library compilation succeeded. However, there is one failing test, 610: test_wolfSSL_cert_cb_dyn_ciphers:

```
 610: test_wolfSSL_cert_cb_dyn_ciphers :Client message: hello wolfssl!
Server response: I hear you fa shizzle!
Client message: hello wolfssl!
Server response: I hear you fa shizzle!
Testing TLS13-AES256-GCM-SHA384:TLS13-AES128-GCM-SHA256 ciphers with RSA-PSS+SHA256 sigalgs
Testing TLS13-AES256-GCM-SHA384:TLS13-AES128-GCM-SHA256 ciphers with ECDSA+SHA256 sigalgs
Testing DHE-RSA-AES128-GCM-SHA256 ciphers with RSA-PSS+SHA256 sigalgs

ERROR - ../../../../tests/api.c line 68738 failed with:
expected: wolfSSL_CTX_set_cipher_list(ctx, test_wolfSSL_cert_cb_dyn_ciphers_client_cipher) == WOLFSSL_SUCCESS
result: 0 != 1

ERROR - ../../../../tests/api.c line 7120 failed with:
expected: ctx->c_cb.ctx_ready(ctx->c_ctx) == (1)
result: 0 != 1

ERROR - ../../../../tests/api.c line 7429 failed with:
expected: test_ssl_memio_setup(&test_ctx) == (1)
result: 0 != 1

ERROR - ../../../../tests/api.c line 68889 failed with:
expected: test_wolfSSL_client_server_nofail_memio(&func_cb_client, &func_cb_server, ((void*)0)) == (1)
result: 0 != 1

Testing ECDHE-ECDSA-AES128-GCM-SHA256 ciphers with ECDSA+SHA256 sigalgs

failed ( 0.01100)

ERROR - ../../../../tests/api.c line 96451 failed with:
expected: Test failed

result:   ret 0
```
