[Bug, OpenSSL compatibility]:
laurenzfg opened this issue
Contact Details
my first name is laurenz. E-Mail [firstname].grote@rwth-aachen.de
Version
reproduced in current HEAD c768f76
Description
Hello!
First and foremost, thank you for the support provided so far. I am writing about an inconsistency with OpenSSL. In wolfSSL the function wolfSSL_CTX_set1_groups_list only accepts NIST DH functions (e.g. prime256), but not Bernstein DH functions such as X25519. This is because populate_groups in ssl.c refers to the dictionary kNistCurves in the same file, which lacks the Bernstein curves.

The analogous function SSL_CTX_set1_groups_list in OpenSSL accepts X25519, as also listed in their documentation: https://www.openssl.org/docs/manmaster/man3/SSL_CTX_set1_groups_list.html

I would suggest extending the dictionary with the non-NIST curves such that wolfSSL_CTX_set1_groups_list a) is compatible with OpenSSL and b) can supersede wolfSSL_CTX_set1_curves_list.
My configuration is:
./autogen.sh && ./configure --with-liboqs=/liboqs --enable-nullcipher --enable-psk --enable-opensslextra --enable-debug --enable-tls13 --enable-ecccustcurves --enable-brainpool --enable-curve25519 --enable-ed25519 --enable-curve448 --enable-ed448 CFLAGS="-DWOLFSSL_STATIC_RSA -DWOLFSSL_STATIC_DH -DKEEP_PEER_CERT -DHAVE_SECRET_CALLBACK -DHAVE_SUPPORTED_CURVES"
Many Thanks
Cheers
Laurenz
Reproduction steps

1. Apply `std::string name = "X25519"; wolfSSL_CTX_set1_curves_list(ctx, name.c_str());` Works!
2. Apply `std::string name = "X25519"; wolfSSL_CTX_set1_groups_list(ctx, name.c_str());` Error: "Unrecognized curve name in list"!
3. But (in OpenSSL 3.1.1) `std::string name = "X25519"; SSL_CTX_set1_groups_list(ctx, name.c_str());` Works!
Relevant log output
No response
For the time being, I use this pattern as a bug fix:

```cpp
// Try the curves list first (accepts X25519); fall back to the groups list.
// Both calls return 1 on success, so the whole expression is 1 if either succeeded.
if ((wolfSSL_CTX_set1_curves_list(ctx, mappedName.c_str()) ||
     wolfSSL_CTX_set1_groups_list(ctx, (char*) mappedName.c_str())) != 1) {
    // neither call accepted the name: handle the error here
}
```
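The issue above comes down to the name dictionary behind the groups-list parser: a colon-separated list such as "P-256:X25519" is split into tokens, each token is looked up in a table, and any token missing from the table fails the whole call. The following is an added, stand-alone example (not wolfSSL's or OpenSSL's code) of that lookup with a table that contains both the NIST curves and the X25519/X448 entries the issue asks for. The table, the function names and the case-insensitive matching are choices made for this example; the numeric values are the IANA TLS supported-group codepoints (RFC 8422 for the curves, RFC 7919 for FFDHE).

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* IANA TLS "Supported Groups" codepoints. */
enum tls_group {
    TLS_GROUP_SECP256R1 = 23,
    TLS_GROUP_SECP384R1 = 24,
    TLS_GROUP_SECP521R1 = 25,
    TLS_GROUP_X25519    = 29,
    TLS_GROUP_X448      = 30,
    TLS_GROUP_FFDHE2048 = 256,
    TLS_GROUP_FFDHE3072 = 257
};

struct group_name { const char *name; int id; };

/* Hypothetical lookup table for this example (not wolfSSL's kNistCurves):
 * NIST curves under the "P-xxx" and SEC/X9.62 spellings, the two
 * Bernstein curves, and two FFDHE groups. */
static const struct group_name kGroupNames[] = {
    { "P-256", TLS_GROUP_SECP256R1 }, { "prime256v1", TLS_GROUP_SECP256R1 },
    { "secp256r1", TLS_GROUP_SECP256R1 },
    { "P-384", TLS_GROUP_SECP384R1 }, { "secp384r1", TLS_GROUP_SECP384R1 },
    { "P-521", TLS_GROUP_SECP521R1 }, { "secp521r1", TLS_GROUP_SECP521R1 },
    { "X25519", TLS_GROUP_X25519 },
    { "X448", TLS_GROUP_X448 },
    { "ffdhe2048", TLS_GROUP_FFDHE2048 },
    { "ffdhe3072", TLS_GROUP_FFDHE3072 }
};

/* Compare a length-delimited token with a NUL-terminated table name,
 * ignoring case (a choice made for this example). */
static int token_matches(const char *tok, size_t len, const char *name)
{
    size_t i;
    for (i = 0; i < len; i++) {
        if (name[i] == '\0' ||
            tolower((unsigned char)tok[i]) != tolower((unsigned char)name[i]))
            return 0;
    }
    return name[len] == '\0';
}

/* Map one token to its codepoint; -1 if the table does not know it. */
int group_id_from_token(const char *tok, size_t len)
{
    size_t i;
    for (i = 0; i < sizeof(kGroupNames) / sizeof(kGroupNames[0]); i++)
        if (token_matches(tok, len, kGroupNames[i].name))
            return kGroupNames[i].id;
    return -1;
}

int group_id_from_name(const char *name)
{
    return group_id_from_token(name, strlen(name));
}

/* Parse an OpenSSL-style list such as "P-256:X25519:ffdhe2048" into
 * codepoints in preference order. Returns the number written to out, or -1
 * if the list is empty, has an empty element, repeats a group, overflows
 * out, or names an unknown group (the "Unrecognized curve name" case). */
int parse_groups_list(const char *list, int *out, size_t max)
{
    size_t count = 0;
    const char *p = list;

    if (list == NULL || *list == '\0')
        return -1;
    for (;;) {
        const char *sep = strchr(p, ':');
        size_t len = sep ? (size_t)(sep - p) : strlen(p);
        size_t i;
        int id;

        if (len == 0 || count == max)
            return -1;
        id = group_id_from_token(p, len);
        if (id < 0)
            return -1;
        for (i = 0; i < count; i++)      /* reject duplicates */
            if (out[i] == id)
                return -1;
        out[count++] = id;
        if (sep == NULL)
            break;
        p = sep + 1;
    }
    return (int)count;
}

/* Helpers for inspecting a parse result without a caller-side buffer. */
int count_groups_list(const char *list)
{
    int ids[16];
    return parse_groups_list(list, ids, 16);
}

int parsed_group_at(const char *list, size_t n)
{
    int ids[16];
    int got = parse_groups_list(list, ids, 16);
    return (got < 0 || n >= (size_t)got) ? -1 : ids[n];
}

int main(void)
{
    const char *lists[] = { "P-256:X25519", "x25519", "prime256:X25519" };
    size_t n;
    for (n = 0; n < 3; n++) {
        int ids[8], i, got = parse_groups_list(lists[n], ids, 8);
        printf("%-16s -> ", lists[n]);
        if (got < 0) { printf("rejected\n"); continue; }
        for (i = 0; i < got; i++) printf("%d ", ids[i]);
        printf("\n");
    }
    return 0;
}
```

With the table extended this way, the same parser serves both the "curves" and the "groups" entry point, which is what point b) of the issue asks for; a list that mixes a known and an unknown name is still rejected as a whole rather than silently dropping the unknown entry.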