
Comments (11)

kareem-wolfssl avatar kareem-wolfssl commented on August 16, 2024

Hi @mukeshmohanan ,

Thanks for your interest in wolfSSL.

Looks like you are running into some unimplemented sk_ functions in stunnel. In src/str.c, you will need to manually change all #if OPENSSL_VERSION_NUMBER >= 0x10100000L lines to #if OPENSSL_VERSION_NUMBER >= 0x10100000L && !defined(WITH_WOLFSSL) as covered in our stunnel readme. Are you confident you've replaced these checks, specifically the one on line 583 in 5.67? https://github.com/mtrojnar/stunnel/blob/stunnel-5.67/src/str.c#L583

from osp.
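The guard rewrite described above, as an added shell example that is not part of the stunnel or wolfSSL osp repositories. It assumes the guard line appears in str.c exactly as quoted, rewrites only lines that do not already carry the wolfSSL exclusion, and reports how many unguarded checks remain so the result can be verified before running make.

```shell
#!/bin/sh
# Added example, not stunnel's or wolfSSL's own tooling.
# Assumes the OpenSSL 1.1 guard appears exactly as quoted in the comment.

GUARD='#if OPENSSL_VERSION_NUMBER >= 0x10100000L'

# Append "&& !defined(WITH_WOLFSSL)" to every guard line that is exactly the
# bare OpenSSL check. The end-of-line anchor makes this idempotent: a line
# that already carries the exclusion no longer matches and is left alone.
guard_wolfssl() {
    file="$1"
    tmp="$file.tmp"
    sed "s/^$GUARD\$/$GUARD \&\& !defined(WITH_WOLFSSL)/" "$file" > "$tmp" \
        && mv "$tmp" "$file"
}

# Number of guard lines still lacking the exclusion; 0 means the file is done.
unguarded_count() {
    grep -c "^$GUARD\$" "$1" || true
}

# Usage: guard_wolfssl src/str.c && unguarded_count src/str.c
```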

mukeshmohanan avatar mukeshmohanan commented on August 16, 2024

Hi @kareem-wolfssl ,

Thank you very much, you are absolutely correct!! In fact I overlooked your instruction and did the change in only one place.

Build is successful now! I was going through the GitHub repo and documentation on how I can enable the pqc algorithms like kyber for KEM within stunnel.

Looking at the tls.c file under wolf_ssl I see the kyber levels are defined from WOLFSSL_KYBER_LEVEL1 to WOLFSSL_KYBER_LEVEL5.

Would you mind shedding some light on that logic, or is there an abstraction such that there is a possibility to define the KEM group or cipher within the stunnel config?

Once again thank you for taking the time to answer my questions.

Cheers


mukeshmohanan avatar mukeshmohanan commented on August 16, 2024

Hi, I have a setup with stunnel 5.67 built with wolfssl 5.6.4 (enabled with liboqs and stunnel). Could you please let me know how I can configure a hybrid algorithm, say (p521_kyber1024), as the default or the only option which the tunnel supports?

I could see here there is a possibility to set WOLFSSL_PQ_GROUP to the target supported group so that it will be used by the service. I believe this is something only applicable to version 5.57 as I don't see such an entry in the patch for 5.67.

However, I tried to connect to the stunnel endpoint using openssl built with liboqs, and looking at the key exchange group I could see that the tunnel supports the pqc group (attached the Wireshark client/server hello screenshots). Could you please guide how these groups are configured in stunnel for the key exchange, like which would be the default and so on?

Not sure whether I am terribly wrong here.

[attachments: Screenshot 2023-12-21 at 11 10 20, Screenshot 2023-12-21 at 11 11 34]


kareem-wolfssl avatar kareem-wolfssl commented on August 16, 2024

Hi @mukeshmohanan ,

Thanks for your interest in this. We don't currently support post-quantum on stunnel 5.67, we only support it on stunnel 5.57 currently. Please retry this with wolfSSL 5.6.4 + stunnel 5.57, and let me know if you run into any issues.


mukeshmohanan avatar mukeshmohanan commented on August 16, 2024

Hi @kareem-wolfssl , Thank you for the info.

I tried to build stunnel 5.57 with the already built 5.6.4 version of wolfssl, but strangely make ends up in failure with the error messages provided below. I followed the procedure here and used the specific patch.

Am I missing something or missing some steps?

/usr/local/include/wolfssl/ssl.h:3982:5: note: 'WOLFSSL_P256_KYBER_LEVEL1' declared here
    WOLFSSL_P256_KYBER_LEVEL1 = 12090,
    ^
client.c:581:16: error: use of undeclared identifier 'WOLFSSL_P384_SABER_LEVEL3'; did you mean 'WOLFSSL_P384_KYBER_LEVEL3'?
        return WOLFSSL_P384_SABER_LEVEL3;
               ^~~~~~~~~~~~~~~~~~~~~~~~~
               WOLFSSL_P384_KYBER_LEVEL3
/usr/local/include/wolfssl/ssl.h:3983:5: note: 'WOLFSSL_P384_KYBER_LEVEL3' declared here
    WOLFSSL_P384_KYBER_LEVEL3 = 12092,
    ^
client.c:585:16: error: use of undeclared identifier 'WOLFSSL_P521_SABER_LEVEL5'; did you mean 'WOLFSSL_P521_KYBER_LEVEL5'?
        return WOLFSSL_P521_SABER_LEVEL5;
               ^~~~~~~~~~~~~~~~~~~~~~~~~
               WOLFSSL_P521_KYBER_LEVEL5
/usr/local/include/wolfssl/ssl.h:3984:5: note: 'WOLFSSL_P521_KYBER_LEVEL5' declared here
    WOLFSSL_P521_KYBER_LEVEL5 = 12093,
    ^
client.c:601:16: error: use of undeclared identifier 'WOLFSSL_P256_KYBER_90S_LEVEL1'; did you mean 'WOLFSSL_P256_KYBER_LEVEL1'?
        return WOLFSSL_P256_KYBER_90S_LEVEL1;
               ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~
               WOLFSSL_P256_KYBER_LEVEL1
/usr/local/include/wolfssl/ssl.h:3982:5: note: 'WOLFSSL_P256_KYBER_LEVEL1' declared here
    WOLFSSL_P256_KYBER_LEVEL1 = 12090,
    ^
client.c:605:16: error: use of undeclared identifier 'WOLFSSL_P384_KYBER_90S_LEVEL3'; did you mean 'WOLFSSL_P384_KYBER_LEVEL3'?
        return WOLFSSL_P384_KYBER_90S_LEVEL3;
               ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~
               WOLFSSL_P384_KYBER_LEVEL3
/usr/local/include/wolfssl/ssl.h:3983:5: note: 'WOLFSSL_P384_KYBER_LEVEL3' declared here
    WOLFSSL_P384_KYBER_LEVEL3 = 12092,

aishwaryanarayanan@Aishwaryas-MBP stunnel-5.57 % /usr/local/bin/wolfssl-config --version
5.6.4
aishwaryanarayanan@Aishwaryas-MBP stunnel-5.57 %
aishwaryanarayanan@Aishwaryas-MBP stunnel-5.57 % pwd
/Users/aishwaryanarayanan/mukesh/wolf_ssl_stunnel_poc/stunnel-5.57
aishwaryanarayanan@Aishwaryas-MBP stunnel-5.57 %

Thanks
Mukesh


anhu avatar anhu commented on August 16, 2024

Hello,
You will need to uninstall wolfssl: sudo make uninstall in the wolfssl directory is required.

Alternatively, the following commands will work too:

sudo rm -rf /usr/local/include/wolfssl
sudo rm /usr/local/lib/libwolfssl*

Warm regards, Anthony


mukeshmohanan avatar mukeshmohanan commented on August 16, 2024

Hello @anhu

Thank you for your comment.
Unfortunately it does not go through well. I wiped both directories and uninstalled wolfssl (just to make sure there is no trace of other versions) and reinstalled the wolfssl 5.6.4 stable version. However the build of stunnel 5.57 failed with similar errors:

client.c:565:16: error: use of undeclared identifier 'WOLFSSL_P384_NTRU_HPS_LEVEL3'
        return WOLFSSL_P384_NTRU_HPS_LEVEL3;
               ^
client.c:601:16: error: use of undeclared identifier 'WOLFSSL_P256_KYBER_90S_LEVEL1'; did you mean 'WOLFSSL_P256_KYBER_LEVEL1'?
        return WOLFSSL_P256_KYBER_90S_LEVEL1;
               ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~
               WOLFSSL_P256_KYBER_LEVEL1
/usr/local/include/wolfssl/ssl.h:3964:5: note: 'WOLFSSL_P256_KYBER_LEVEL1' declared here
    WOLFSSL_P256_KYBER_LEVEL1 = 12090,
    ^
client.c:605:16: error: use of undeclared identifier 'WOLFSSL_P384_KYBER_90S_LEVEL3'; did you mean 'WOLFSSL_P384_KYBER_LEVEL3'?
        return WOLFSSL_P384_KYBER_90S_LEVEL3;
               ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~

If I look at the patch file here https://github.com/wolfSSL/osp/blob/master/stunnel/5.57/stunnel-5.57.patch it has those entries for WOLFSSL_P256_KYBER_90S_LEVEL1, WOLFSSL_P384_NTRU_HPS_LEVEL3 and so on. But these are not defined under the ssl header. Would that mean I need to adjust the patch, or must I use a specific version (or commit) of 5.6.4 to make it work with stunnel 5.57?

Thank you in advance

Regards
Mukesh


anhu avatar anhu commented on August 16, 2024

Hi @mukeshmohanan ,

I see the problem now. That patch was made when wolfSSL still supported KYBER-90s and NTRU. Those were removed in wolfSSL version 5.5.4, so please try using version 5.5.2 of wolfSSL.

Warm regards, Anthony

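A pre-build check for the mismatch Anthony describes, as an added example that is not wolfSSL's or stunnel's own tooling: it lists the WOLFSSL_* hybrid group identifiers a patched client.c references and reports those the installed ssl.h does not declare, so a stale patch is caught before make runs. The identifier pattern is an assumption based on the names in the compiler output above; the source and header paths are passed as arguments.

```shell
#!/bin/sh
# Added example, not from the wolfSSL osp or stunnel repositories.
# Assumes group identifiers follow the WOLFSSL_P<curve>_<kem>_LEVEL<n> shape
# seen in the errors above (e.g. WOLFSSL_P384_NTRU_HPS_LEVEL3).

# Print every group identifier referenced in the source file, one per line,
# deduplicated and sorted.
referenced_groups() {
    grep -o 'WOLFSSL_P[0-9]*_[A-Z0-9_]*LEVEL[0-9]' "$1" | sort -u
}

# Print identifiers referenced in source $1 that header $2 does not declare
# (either as an enum member "X = 12090," or a "#define X ..." line).
# Returns 0 when every identifier is present, 1 when at least one is missing.
missing_groups() {
    src="$1"; hdr="$2"; status=0
    for id in $(referenced_groups "$src"); do
        # Require a non-identifier character after the name so that
        # WOLFSSL_P256_KYBER_LEVEL1 does not satisfy a longer name.
        if ! grep -q "$id[^A-Za-z0-9_]" "$hdr"; then
            echo "$id"
            status=1
        fi
    done
    return $status
}

# Usage: missing_groups src/client.c /usr/local/include/wolfssl/ssl.h
```

A non-empty listing means the patch targets a wolfSSL release that still defined those groups; the identifiers printed are the ones to guard or drop before building.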

mukeshmohanan avatar mukeshmohanan commented on August 16, 2024

Hello @anhu

Thanks for the message, however if I consume the wolfssl version 5.52-stable code with liboqs, then I end up with numerous errors while building wolfssl with liboqs enabled:

aishwaryanarayanan@Aishwaryas-MBP wolfssl % make
/Library/Developer/CommandLineTools/usr/bin/make -j11 all-recursive
make[2]: warning: -jN forced in submake: disabling jobserver mode.
CC wolfcrypt/test/testsuite_testsuite_test-test.o
CC examples/client/tests_unit_test-client.o
CC wolfcrypt/benchmark/benchmark.o
CC wolfcrypt/src/src_libwolfssl_la-hash.lo
CC wolfcrypt/src/src_libwolfssl_la-hmac.lo
CC wolfcrypt/src/src_libwolfssl_la-cpuid.lo
CC wolfcrypt/src/src_libwolfssl_la-kdf.lo
CC wolfcrypt/src/src_libwolfssl_la-sha256.lo
CC wolfcrypt/src/src_libwolfssl_la-random.lo
CC wolfcrypt/src/src_libwolfssl_la-rsa.lo
CC wolfcrypt/src/src_libwolfssl_la-sp_int.lo
In file included from wolfcrypt/benchmark/benchmark.c:236:
./wolfssl/wolfcrypt/sphincs.h:89:12: error: use of undeclared identifier 'OQS_SIG_sphincs_shake256_256f_simple_length_public_key'
byte p[SPHINCS_MAX_PUB_KEY_SIZE];
^
./wolfssl/wolfcrypt/sphincs.h:76:34: note: expanded from macro 'SPHINCS_MAX_PUB_KEY_SIZE'
#define SPHINCS_MAX_PUB_KEY_SIZE SPHINCS_LEVEL5_PUB_KEY_SIZE
^
./wolfssl/wolfcrypt/sphincs.h:70:37: note: expanded from macro 'SPHINCS_LEVEL5_PUB_KEY_SIZE'
#define SPHINCS_LEVEL5_PUB_KEY_SIZE OQS_SIG_sphincs_shake256_256f_simple_length_public_key
^
./wolfssl/wolfcrypt/sphincs.h:90:12: error: use of undeclared identifier 'OQS_SIG_sphincs_shake256_256f_simple_length_public_key'
byte k[SPHINCS_MAX_PRV_KEY_SIZE];
^
./wolfssl/wolfcrypt/sphincs.h:77:34: note: expanded from macro 'SPHINCS_MAX_PRV_KEY_SIZE'
#define SPHINCS_MAX_PRV_KEY_SIZE SPHINCS_LEVEL5_PRV_KEY_SIZE
^
./wolfssl/wolfcrypt/sphincs.h:71:38: note: expanded from macro 'SPHINCS_LEVEL5_PRV_KEY_SIZE'
#define SPHINCS_LEVEL5_PRV_KEY_SIZE (SPHINCS_LEVEL5_PUB_KEY_SIZE+SPHINCS_LEVEL5_KEY_SIZE)
^
./wolfssl/wolfcrypt/sphincs.h:70:37: note: expanded from macro 'SPHINCS_LEVEL5_PUB_KEY_SIZE'
#define SPHINCS_LEVEL5_PUB_KEY_SIZE OQS_SIG_sphincs_shake256_256f_simple_length_public_key
^
./wolfssl/wolfcrypt/sphincs.h:90:12: error: use of undeclared identifier 'OQS_SIG_sphincs_shake256_256f_simple_length_secret_key'
./wolfssl/wolfcrypt/sphincs.h:77:34: note: expanded from macro 'SPHINCS_MAX_PRV_KEY_SIZE'
#define SPHINCS_MAX_PRV_KEY_SIZE SPHINCS_LEVEL5_PRV_KEY_SIZE

Regards
Mukesh


anhu avatar anhu commented on August 16, 2024

Hi Mukesh,

It seems I will need to spend some time to update our code. Perhaps it has gotten stale.

In the meantime, can you please let me know a bit about your project and any kind of organizations or institutions that are associated with this work? Please let me know a bit about yourself such as where you are located and whether you are doing this project out of personal, academic or professional interest.

Warm regards, Anthony


mukeshmohanan avatar mukeshmohanan commented on August 16, 2024

Hi Anthony,

I work as a security solution architect based out of Frankfurt. At this point this project work or PoC which I am carrying out is out of personal interest. For the last few months I have been playing around with the oqs project libraries, and especially with openssl 1.x & 3.x supported without pqc algorithms. I also did a small test with the bouncy castle offered algorithms. However, one thing which I could not get hold of is enabling pqc (kyber key exchange) over TLS for my sample application unless I re-work the application code and consume some custom openssl tunnel solution.

I am sure in the very near future this could be one of my book of work and organisations will look into the PQC area. So basically my motive is to build knowledge and get involved in the community projects.

Note: In the meantime I tried my luck with wolfssl 5.6.6 and stunnel 5.6.7, on top of the 5.6.7 patch provided by your team, and had to slightly tweak the client.c file (attached the client.c) before building stunnel.

With this approach I could see the stunnel client and server instances use the key share entry group which I set via the env variable (attached the Wireshark screenshots). I must acknowledge that I am not sure whether my understanding of the logic is correct and whether there are a lot more things that need to be patched or addressed in the upstream version of wolfssl/stunnel. Would you mind having a look at it?

mukeshmohanan@Mukeshs-MBP stunnel-5.67 % /usr/local/bin/wolfssl-config --version
5.6.6
mukeshmohanan@Mukeshs-MBP stunnel-5.67 % /usr/local/bin/stunnel --version
[ ] Initializing inetd mode configuration
[ ] Clients allowed=31999
[.] stunnel 5.67 on aarch64-apple-darwin22.5.0 platform
[.] Compiled/running with wolfSSL 5.6.6
[.] Threading:PTHREAD Sockets:POLL,IPv6 TLS:OCSP,PSK,SNI
[ ] errno: (*__error())
[!] Invalid configuration file name "--version"
[!] realpath: No such file or directory (2)
mukeshmohanan@Mukeshs-MBP stunnel-5.67 %
mukeshmohanan@Mukeshs-MBP stunnel-5.67 %
mukeshmohanan@Mukeshs-MBP stunnel-5.67 % env | grep WOLFSSL_PQ_GROUP
WOLFSSL_PQ_GROUP=P521_KYBER_LEVEL5
mukeshmohanan@Mukeshs-MBP stunnel-5.67 %

Regards
Mukesh
[attachment: client.c.txt]

[attachments: Screenshot 2023-12-28 at 16 46 57, Screenshot 2023-12-28 at 16 47 16]
