stunnel build with wolf-ssl(pre-built with the liboqs) failure #158

Open
mukeshmohanan opened this issue Dec 15, 2023 · 12 comments

@mukeshmohanan

Hi,

First of all, I appreciate the great work.

I am following your procedure outlined here.

I could successfully build wolfSSL with liboqs; however, the stunnel build failed with the error below. Could you please let me know where I am going wrong or what I might be missing?

I am doing this whole build on macOS 13.4.1 (c) (M1 chip).


aishwaryanarayanan@Aishwaryas-MBP stunnel-5.67 % make
Making all in src
/Library/Developer/CommandLineTools/usr/bin/make  all-am
  CC       stunnel-str.o
str.c:239:21: warning: a function declaration without a prototype is deprecated in all versions of C [-Wstrict-prototypes]
void str_canary_init() {
                    ^
                     void
str.c:248:15: warning: a function declaration without a prototype is deprecated in all versions of C [-Wstrict-prototypes]
void str_stats() {
              ^
               void
str.c:565:28: warning: a function declaration without a prototype is deprecated in all versions of C [-Wstrict-prototypes]
void leak_table_utilization() {
                           ^
                            void
str.c:587:11: error: call to undeclared function 'sk_LEAK_ENTRY_new_reserve'; ISO C99 and later do not support implicit function declarations [-Wimplicit-function-declaration]
    stats=sk_LEAK_ENTRY_new_reserve(leak_cmp, utilization);
          ^
str.c:587:37: error: use of undeclared identifier 'leak_cmp'
    stats=sk_LEAK_ENTRY_new_reserve(leak_cmp, utilization);
                                    ^
str.c:590:13: error: call to undeclared function 'sk_LEAK_ENTRY_push'; ISO C99 and later do not support implicit function declarations [-Wimplicit-function-declaration]
            sk_LEAK_ENTRY_push(stats, leak_hash_table + i);
            ^

I did the wolfSSL build following the approach below, after building liboqs as detailed in the instructions provided here.


aishwaryanarayanan@Aishwaryas-MBP wolfssl % /usr/local/bin/wolfssl-config --version
5.6.4
aishwaryanarayanan@Aishwaryas-MBP wolfssl % ./examples/server/server -v 4 --pqc P521_KYBER_LEVEL5
Using Post-Quantum KEM: P521_KYBER_LEVEL5

aishwaryanarayanan@Aishwaryas-MBP wolfssl % ./configure --enable-stunnel --with-liboqs

@kareem-wolfssl
Contributor

Hi @mukeshmohanan ,

Thanks for your interest in wolfSSL.

Looks like you are running into some unimplemented sk_ functions in stunnel. In src/str.c, you will need to manually change all #if OPENSSL_VERSION_NUMBER >= 0x10100000L lines to #if OPENSSL_VERSION_NUMBER >= 0x10100000L && !defined(WITH_WOLFSSL) as covered in our stunnel readme. Are you confident you've replaced these checks, specifically the one on line 583 in 5.67? https://github.com/mtrojnar/stunnel/blob/stunnel-5.67/src/str.c#L583
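
The edit kareem-wolfssl describes can be applied and checked mechanically rather than by hand, which is how the one-line miss above happens. The following POSIX shell script is an added example, not part of this issue and not code from the wolfSSL or stunnel projects. It assumes the lines to change have exactly the form quoted above (`#if OPENSSL_VERSION_NUMBER >= 0x10100000L`, possibly with trailing whitespace); if the real src/str.c spaces the expression differently, adjust the anchored pattern. The file it rewrites in the demo is a constructed stand-in for src/str.c, not the real source.

```shell
#!/bin/sh
# Added example (not from the wolfSSL or stunnel projects): rewrite every
# unguarded OpenSSL version check in a source file so a wolfSSL build skips
# the OpenSSL-only sk_* code paths, then count what is left.

# Append "&& !defined(WITH_WOLFSSL)" to every line that is exactly
# "#if OPENSSL_VERSION_NUMBER >= 0x10100000L". Lines already carrying the
# guard do not match the anchored pattern, so running this twice is harmless.
# Portable sed: write to a temp file and move it over the original.
guard_wolfssl_checks() {
    file="$1"
    tmp="$file.tmp"
    sed -e 's/^\(#if OPENSSL_VERSION_NUMBER >= 0x10100000L\)[[:space:]]*$/\1 \&\& !defined(WITH_WOLFSSL)/' \
        "$file" > "$tmp" && mv "$tmp" "$file"
}

# Print how many checks still test only the OpenSSL version. Anything other
# than 0 means the wolfSSL build will still compile the sk_* calls from the
# error output above. "|| true" keeps grep's exit status 1 (no matches)
# from aborting a caller running under "set -e".
count_unguarded() {
    grep -c '^#if OPENSSL_VERSION_NUMBER >= 0x10100000L[[:space:]]*$' "$1" || true
}

# Constructed stand-in for src/str.c (assumption, not the real file): one
# unguarded check, one already patched, one wolfSSL-only block.
make_sample() {
    cat > "$1" <<'EOF'
#if OPENSSL_VERSION_NUMBER >= 0x10100000L
    stats=sk_LEAK_ENTRY_new_reserve(leak_cmp, utilization);
#endif
#if OPENSSL_VERSION_NUMBER >= 0x10100000L && !defined(WITH_WOLFSSL)
    /* already patched */
#endif
#if defined(WITH_WOLFSSL)
    /* wolfSSL only */
#endif
EOF
}

# Demo on the stand-in. Real use: guard_wolfssl_checks src/str.c, then
# count_unguarded src/str.c must print 0 before running make.
sample=$(mktemp)
make_sample "$sample"
echo "unguarded before: $(count_unguarded "$sample")"
guard_wolfssl_checks "$sample"
echo "unguarded after:  $(count_unguarded "$sample")"
rm -f "$sample"
```

Run `count_unguarded src/str.c` after applying the osp patch and before `make`; a non-zero count is the precise condition that produces the `sk_LEAK_ENTRY_*` errors quoted at the top of this issue.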

@mukeshmohanan
Author

Hi @kareem-wolfssl,

Thank you very much, you are absolutely correct! In fact I overlooked your instruction and made the change in only one place.

The build is successful now! I was going through the GitHub repo and documentation on how I can enable PQC algorithms like Kyber for the KEM within stunnel.

Looking at the tls.c file under wolf_ssl I see the Kyber levels are defined from WOLFSSL_KYBER_LEVEL1 to WOLFSSL_KYBER_LEVEL5.

Would you mind shedding some light on that logic, or is there an abstraction such that it is possible to define the KEM group or cipher within the stunnel config?

Once again, thank you for taking the time to answer my questions.

Cheers

@mukeshmohanan
Author

mukeshmohanan commented Dec 21, 2023

Hi, I have a setup with stunnel 5.67 built with wolfSSL 5.6.4 (enabled with liboqs and stunnel). Could you please let me know how I can configure a hybrid algorithm, say p521_kyber1024, as the default or the only option which the tunnel supports?

I could see here that there is a possibility to set WOLFSSL_PQ_GROUP to the target supported group so that it will be used by the service. I believe this is something only applicable to version 5.57, as I don't see such an entry in the patch for 5.67.

However, I tried to connect to the stunnel endpoint using OpenSSL built with liboqs, and looking at the key exchange group I could see that the tunnel supports the PQC group (attached the Wireshark client/server hello screenshots). Could you please guide me on how these groups are configured in stunnel for the key exchange, like which would be the default and so on?

Not sure whether I am terribly wrong here.
Screenshot 2023-12-21 at 11 10 20
Screenshot 2023-12-21 at 11 11 34

@kareem-wolfssl
Contributor

Hi @mukeshmohanan ,

Thanks for your interest in this. We don't currently support post-quantum on stunnel 5.67, we only support it on stunnel 5.57 currently. Please retry this with wolfSSL 5.6.4 + stunnel 5.57, and let me know if you run into any issues.

@mukeshmohanan
Author

mukeshmohanan commented Dec 22, 2023

Hi @kareem-wolfssl, thank you for the info.

I tried to build stunnel 5.57 with the already built 5.6.4 version of wolfSSL, but strangely make ends up failing with the error messages below. I followed the procedure here and used the specific patch.

Am I missing something or skipping some steps?

/usr/local/include/wolfssl/ssl.h:3982:5: note: 'WOLFSSL_P256_KYBER_LEVEL1' declared here
    WOLFSSL_P256_KYBER_LEVEL1 = 12090,
    ^
client.c:581:16: error: use of undeclared identifier 'WOLFSSL_P384_SABER_LEVEL3'; did you mean 'WOLFSSL_P384_KYBER_LEVEL3'?
        return WOLFSSL_P384_SABER_LEVEL3;
               ^~~~~~~~~~~~~~~~~~~~~~~~~
               WOLFSSL_P384_KYBER_LEVEL3
/usr/local/include/wolfssl/ssl.h:3983:5: note: 'WOLFSSL_P384_KYBER_LEVEL3' declared here
    WOLFSSL_P384_KYBER_LEVEL3 = 12092,
    ^
client.c:585:16: error: use of undeclared identifier 'WOLFSSL_P521_SABER_LEVEL5'; did you mean 'WOLFSSL_P521_KYBER_LEVEL5'?
        return WOLFSSL_P521_SABER_LEVEL5;
               ^~~~~~~~~~~~~~~~~~~~~~~~~
               WOLFSSL_P521_KYBER_LEVEL5
/usr/local/include/wolfssl/ssl.h:3984:5: note: 'WOLFSSL_P521_KYBER_LEVEL5' declared here
    WOLFSSL_P521_KYBER_LEVEL5 = 12093,
    ^
client.c:601:16: error: use of undeclared identifier 'WOLFSSL_P256_KYBER_90S_LEVEL1'; did you mean 'WOLFSSL_P256_KYBER_LEVEL1'?
        return WOLFSSL_P256_KYBER_90S_LEVEL1;
               ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~
               WOLFSSL_P256_KYBER_LEVEL1
/usr/local/include/wolfssl/ssl.h:3982:5: note: 'WOLFSSL_P256_KYBER_LEVEL1' declared here
    WOLFSSL_P256_KYBER_LEVEL1 = 12090,
    ^
client.c:605:16: error: use of undeclared identifier 'WOLFSSL_P384_KYBER_90S_LEVEL3'; did you mean 'WOLFSSL_P384_KYBER_LEVEL3'?
        return WOLFSSL_P384_KYBER_90S_LEVEL3;
               ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~
               WOLFSSL_P384_KYBER_LEVEL3
/usr/local/include/wolfssl/ssl.h:3983:5: note: 'WOLFSSL_P384_KYBER_LEVEL3' declared here
    WOLFSSL_P384_KYBER_LEVEL3 = 12092,

aishwaryanarayanan@Aishwaryas-MBP stunnel-5.57 % /usr/local/bin/wolfssl-config --version
5.6.4
aishwaryanarayanan@Aishwaryas-MBP stunnel-5.57 %
aishwaryanarayanan@Aishwaryas-MBP stunnel-5.57 % pwd
/Users/aishwaryanarayanan/mukesh/wolf_ssl_stunnel_poc/stunnel-5.57
aishwaryanarayanan@Aishwaryas-MBP stunnel-5.57 %

Thanks
Mukesh

@anhu
Member

anhu commented Dec 22, 2023

Hello,
You will need to uninstall wolfSSL: sudo make uninstall in the wolfssl directory is required.

Alternatively, the following commands will work too:

sudo rm -rf /usr/local/include/wolfssl
sudo rm /usr/local/lib/libwolfssl*

Warm regards, Anthony

@mukeshmohanan
Author

mukeshmohanan commented Dec 26, 2023

Hello @anhu

Thank you for your comment.
Unfortunately it did not go through well. I wiped both directories and uninstalled wolfSSL (just to make sure there is no trace of other versions) and reinstalled the wolfSSL 5.6.4 stable version. However, the build of stunnel 5.57 failed with similar errors:

client.c:565:16: error: use of undeclared identifier 'WOLFSSL_P384_NTRU_HPS_LEVEL3'
        return WOLFSSL_P384_NTRU_HPS_LEVEL3;
               ^
client.c:601:16: error: use of undeclared identifier 'WOLFSSL_P256_KYBER_90S_LEVEL1'; did you mean 'WOLFSSL_P256_KYBER_LEVEL1'?
        return WOLFSSL_P256_KYBER_90S_LEVEL1;
               ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~
               WOLFSSL_P256_KYBER_LEVEL1
/usr/local/include/wolfssl/ssl.h:3964:5: note: 'WOLFSSL_P256_KYBER_LEVEL1' declared here
    WOLFSSL_P256_KYBER_LEVEL1 = 12090,
    ^
client.c:605:16: error: use of undeclared identifier 'WOLFSSL_P384_KYBER_90S_LEVEL3'; did you mean 'WOLFSSL_P384_KYBER_LEVEL3'?
        return WOLFSSL_P384_KYBER_90S_LEVEL3;
               ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~

If I look at the patch file here https://github.com/wolfSSL/osp/blob/master/stunnel/5.57/stunnel-5.57.patch it has those entries for WOLFSSL_P256_KYBER_90S_LEVEL1, WOLFSSL_P384_NTRU_HPS_LEVEL3 and so on. But these are not defined in the ssl header. Would that mean I need to adjust the patch, or must I use a specific version (or commit) of 5.6.4 to make it work with stunnel 5.57?

Thank you in advance

Regards
Mukesh
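
The mismatch reported above (group identifiers the osp patch references that the installed wolfssl/ssl.h no longer declares) can be caught before running make, instead of being discovered one compiler error at a time. The following POSIX shell script is an added example, not part of this issue and not code from the wolfSSL osp repository. It assumes the patch introduces the identifiers on `+` lines and that they follow the `WOLFSSL_P<curve>_<kem>_LEVEL<n>` naming seen in the errors above. The patch and header it runs on are constructed stand-ins; the enum values in the sample header are the ones the compiler printed, everything else is made up for the demo.

```shell
#!/bin/sh
# Added example (not from the wolfSSL osp repository): pre-flight check that
# every WOLFSSL_* group identifier an stunnel patch adds is declared by the
# installed wolfssl/ssl.h, so a patch/header version mismatch is reported
# before make fails deep inside client.c.

# Print, de-duplicated, every WOLFSSL_P<curve>_<kem>_LEVEL<n> identifier on
# an added ("+") line of the patch. Context and removed lines are ignored,
# since only added lines end up in the compiled source.
patch_group_idents() {
    grep '^+' "$1" \
        | grep -o 'WOLFSSL_P[0-9]*_[A-Z0-9_]*LEVEL[0-9]' \
        | sort -u
}

# Print the identifiers from the patch that the header does not declare as a
# whole token (so KYBER_LEVEL1 is not satisfied by KYBER_90S_LEVEL1 or vice
# versa). Empty output means the patch and the installed header agree.
missing_group_idents() {
    patch="$1"
    header="$2"
    for ident in $(patch_group_idents "$patch"); do
        grep -Eq "(^|[^A-Za-z0-9_])${ident}([^A-Za-z0-9_]|$)" "$header" \
            || echo "$ident"
    done
}

# Constructed stand-in for stunnel-5.57.patch (assumption): three
# identifiers on added lines, one more on an unchanged context line that
# must not be collected.
make_sample_patch() {
    cat > "$1" <<'EOF'
--- a/src/client.c
+++ b/src/client.c
@@ -560,6 +560,9 @@
         if (level == 3)
+            return WOLFSSL_P384_NTRU_HPS_LEVEL3;
+            return WOLFSSL_P521_KYBER_LEVEL5;
+            return WOLFSSL_P256_KYBER_90S_LEVEL1;
     /* context line only: WOLFSSL_P384_KYBER_LEVEL3 */
EOF
}

# Constructed stand-in for the installed wolfssl/ssl.h (assumption): the
# values are the ones the compiler printed; the 90s and NTRU entries are
# deliberately absent, as in wolfSSL 5.6.4.
make_sample_header() {
    cat > "$1" <<'EOF'
enum {
    WOLFSSL_P256_KYBER_LEVEL1 = 12090,
    WOLFSSL_P384_KYBER_LEVEL3 = 12092,
    WOLFSSL_P521_KYBER_LEVEL5 = 12093,
};
EOF
}

# Demo on the stand-ins. Real use:
#   missing_group_idents stunnel-5.57.patch /usr/local/include/wolfssl/ssl.h
p=$(mktemp); h=$(mktemp)
make_sample_patch "$p"; make_sample_header "$h"
echo "identifiers the patch needs:"; patch_group_idents "$p"
echo "missing from the header:";     missing_group_idents "$p" "$h"
rm -f "$p" "$h"
```

Any identifier this prints for the real patch and header is a guaranteed `use of undeclared identifier` error, and the list tells you whether the fix is an older wolfSSL (identifiers removed upstream) or a stale header left behind in /usr/local/include (identifiers present in the source tree but not in the installed copy).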

@anhu
Member

anhu commented Dec 27, 2023

Hi @mukeshmohanan ,

I see the problem now. That patch was made when wolfSSL still supported KYBER-90s and NTRU. Those were removed in wolfSSL version 5.5.4, so please try using version 5.5.2 of wolfSSL.

Warm regards, Anthony

@mukeshmohanan
Author

mukeshmohanan commented Dec 28, 2023

Hello @anhu

Thanks for the message; however, if I consume the wolfSSL version 5.5.2-stable code with liboqs, then I end up with numerous errors while building wolfSSL with liboqs enabled:

aishwaryanarayanan@Aishwaryas-MBP wolfssl % make
/Library/Developer/CommandLineTools/usr/bin/make -j11 all-recursive
make[2]: warning: -jN forced in submake: disabling jobserver mode.
CC wolfcrypt/test/testsuite_testsuite_test-test.o
CC examples/client/tests_unit_test-client.o
CC wolfcrypt/benchmark/benchmark.o
CC wolfcrypt/src/src_libwolfssl_la-hash.lo
CC wolfcrypt/src/src_libwolfssl_la-hmac.lo
CC wolfcrypt/src/src_libwolfssl_la-cpuid.lo
CC wolfcrypt/src/src_libwolfssl_la-kdf.lo
CC wolfcrypt/src/src_libwolfssl_la-sha256.lo
CC wolfcrypt/src/src_libwolfssl_la-random.lo
CC wolfcrypt/src/src_libwolfssl_la-rsa.lo
CC wolfcrypt/src/src_libwolfssl_la-sp_int.lo
In file included from wolfcrypt/benchmark/benchmark.c:236:
./wolfssl/wolfcrypt/sphincs.h:89:12: error: use of undeclared identifier 'OQS_SIG_sphincs_shake256_256f_simple_length_public_key'
byte p[SPHINCS_MAX_PUB_KEY_SIZE];
^
./wolfssl/wolfcrypt/sphincs.h:76:34: note: expanded from macro 'SPHINCS_MAX_PUB_KEY_SIZE'
#define SPHINCS_MAX_PUB_KEY_SIZE SPHINCS_LEVEL5_PUB_KEY_SIZE
^
./wolfssl/wolfcrypt/sphincs.h:70:37: note: expanded from macro 'SPHINCS_LEVEL5_PUB_KEY_SIZE'
#define SPHINCS_LEVEL5_PUB_KEY_SIZE OQS_SIG_sphincs_shake256_256f_simple_length_public_key
^
./wolfssl/wolfcrypt/sphincs.h:90:12: error: use of undeclared identifier 'OQS_SIG_sphincs_shake256_256f_simple_length_public_key'
byte k[SPHINCS_MAX_PRV_KEY_SIZE];
^
./wolfssl/wolfcrypt/sphincs.h:77:34: note: expanded from macro 'SPHINCS_MAX_PRV_KEY_SIZE'
#define SPHINCS_MAX_PRV_KEY_SIZE SPHINCS_LEVEL5_PRV_KEY_SIZE
^
./wolfssl/wolfcrypt/sphincs.h:71:38: note: expanded from macro 'SPHINCS_LEVEL5_PRV_KEY_SIZE'
#define SPHINCS_LEVEL5_PRV_KEY_SIZE (SPHINCS_LEVEL5_PUB_KEY_SIZE+SPHINCS_LEVEL5_KEY_SIZE)
^
./wolfssl/wolfcrypt/sphincs.h:70:37: note: expanded from macro 'SPHINCS_LEVEL5_PUB_KEY_SIZE'
#define SPHINCS_LEVEL5_PUB_KEY_SIZE OQS_SIG_sphincs_shake256_256f_simple_length_public_key
^
./wolfssl/wolfcrypt/sphincs.h:90:12: error: use of undeclared identifier 'OQS_SIG_sphincs_shake256_256f_simple_length_secret_key'
./wolfssl/wolfcrypt/sphincs.h:77:34: note: expanded from macro 'SPHINCS_MAX_PRV_KEY_SIZE'
#define SPHINCS_MAX_PRV_KEY_SIZE SPHINCS_LEVEL5_PRV_KEY_SIZE

Regards
Mukesh

@anhu
Member

anhu commented Dec 28, 2023

Hi Mukesh,

It seems I will need to spend some time to update our code. Perhaps it has gotten stale.

In the meantime, can you please let me know a bit about your project and any kind of organizations or institutions that are associated with this work? Please let me know a bit about yourself such as where you are located and whether you are doing this project out of personal, academic or professional interest.

Warm regards, Anthony

@mukeshmohanan
Author

mukeshmohanan commented Dec 28, 2023

Hi Anthony,

I work as a security solution architect based out of Frankfurt. At this point the project work or PoC which I am carrying out is out of personal interest. For the last few months I have been playing around with the OQS project libraries, especially with OpenSSL 1.x & 3.x supported without PQC algorithms. I also did some small testing with the algorithms offered by Bouncy Castle. However, one thing which I could not get hold of is enabling PQC (Kyber key exchange) over TLS for my sample application unless I rework the application code and consume some custom OpenSSL tunnel solution.

I am sure in the very near future this could be one of my books of work and organisations will look into the PQC area. So basically my motive is to build knowledge and get involved in community projects.

Note: In the meantime I tried my luck with wolfSSL 5.6.6 and stunnel 5.67, on top of the 5.67 patch provided by your team, and had to slightly tweak the client.c file (attached) before building stunnel.

With this approach I could see the stunnel client and server instances use the key share entry group which I set via the env variable (attached the Wireshark screenshots). I must acknowledge that I am not sure whether my understanding of the logic is correct and whether there are many more things that need to be patched or addressed in the upstream versions of wolfSSL/stunnel. Would you mind having a look at it?

mukeshmohanan@Mukeshs-MBP stunnel-5.67 % /usr/local/bin/wolfssl-config --version
5.6.6
mukeshmohanan@Mukeshs-MBP stunnel-5.67 % /usr/local/bin/stunnel --version
[ ] Initializing inetd mode configuration
[ ] Clients allowed=31999
[.] stunnel 5.67 on aarch64-apple-darwin22.5.0 platform
[.] Compiled/running with wolfSSL 5.6.6
[.] Threading:PTHREAD Sockets:POLL,IPv6 TLS:OCSP,PSK,SNI
[ ] errno: (*__error())
[!] Invalid configuration file name "--version"
[!] realpath: No such file or directory (2)
mukeshmohanan@Mukeshs-MBP stunnel-5.67 %
mukeshmohanan@Mukeshs-MBP stunnel-5.67 %
mukeshmohanan@Mukeshs-MBP stunnel-5.67 % env | grep WOLFSSL_PQ_GROUP
WOLFSSL_PQ_GROUP=P521_KYBER_LEVEL5
mukeshmohanan@Mukeshs-MBP stunnel-5.67 %

Regards
Mukesh
client.c.txt

Screenshot 2023-12-28 at 16 46 57 Screenshot 2023-12-28 at 16 47 16

@soragaonakash

Hi

I tried to use the OpenSSH 9.6 wolfSSL patch and enabled with-wolfssl:

CONFIGURE_ARGS += \
	--sysconfdir=/etc/ssh \
	--with-privsep-user=sshd \
	--with-privsep-path=/var/empty \
	--disable-strip \
	--disable-etc-default-login \
	--disable-lastlog \
	--disable-utmp \
	--disable-utmpx \
	--disable-wtmp \
	--disable-wtmpx \
	--without-bsd-auth \
	--without-kerberos5 \
	--with-stackprotect \
	--with$(if $(CONFIG_OPENSSL_ENGINE),,out)-ssl-engine \
	--with$(if $(CONFIG_OPENSSH_LIBFIDO2),,out)-security-key-builtin \
	--with-wolfssl

configure output:

OpenSSH has been configured with the following options:
                     User binaries: /usr/bin
                   System binaries: /usr/sbin
               Configuration files: /etc/ssh
                   Askpass program: /usr/lib/ssh-askpass
                      Manual pages: /usr/man/manX
                          PID file: /var/run
  Privilege separation chroot path: /var/empty
            sshd default user PATH: /usr/bin:/bin:/usr/sbin:/sbin
                    Manpage format: doc
                       PAM support: yes
                   OSF SIA support: no
                 KerberosV support: no
                   SELinux support: no
                   libedit support: no
                   libldns support: no
  Solaris process contract support: no
           Solaris project support: no
         Solaris privilege support: no
       IP address in $DISPLAY hack: no
           Translate v4 in v6 hack: yes
                  BSD Auth support: no
                   WolfSSL support: yes
              Random number source: OpenSSL internal ONLY
             Privsep sandbox style: seccomp_filter
                   PKCS#11 support: disabled; wolfSSL doesn't support the METH API used to implement PKCS#11
                  U2F/FIDO support: yes

That confirms wolfSSL support: yes, but I'm facing the issue below.

In file included from port-net.c:36:
../sshbuf.h:219:48: error: unknown type name 'BIGNUM'
  219 | int sshbuf_get_bignum2(struct sshbuf *buf, BIGNUM **valp);
      |                                                ^~~~~~
../sshbuf.h:220:54: error: unknown type name 'BIGNUM'
  220 | int sshbuf_put_bignum2(struct sshbuf *buf, const BIGNUM *v);
      |                                                      ^~~~~~
../sshbuf.h:222:43: error: unknown type name 'EC_POINT'
  222 | int sshbuf_get_ec(struct sshbuf *buf, EC_POINT *v, const EC_GROUP *g);
      |                                           ^~~~~~~~
../sshbuf.h:222:62: error: unknown type name 'EC_GROUP'
  222 | int sshbuf_get_ec(struct sshbuf *buf, EC_POINT *v, const EC_GROUP *g);
      |                                                              ^~~~~~~~
../sshbuf.h:223:46: error: unknown type name 'EC_KEY'; did you mean 'ENOKEY'?
  223 | int sshbuf_get_eckey(struct sshbuf *buf, EC_KEY *v);
      |                                              ^~~~~~
      |                                              ENOKEY
../sshbuf.h:224:49: error: unknown type name 'EC_POINT'
  224 | int sshbuf_put_ec(struct sshbuf *buf, const EC_POINT *v, const EC_GROUP *g);
      |                                                 ^~~~~~~~
../sshbuf.h:224:68: error: unknown type name 'EC_GROUP'
  224 | int sshbuf_put_ec(struct sshbuf *buf, const EC_POINT *v, const EC_GROUP *g);
      |                                                                    ^~~~~~~~
../sshbuf.h:225:52: error: unknown type name 'EC_KEY'
  225 | int sshbuf_put_eckey(struct sshbuf *buf, const EC_KEY *v);
      |                                                    ^~~~~~
make[4]: *** [Makefile:106: port-net.o] Error 1

Please help us understand what mistake we are making.

Thank you

Regards
Soragaon
