sftcd / openssl
This project forked from openssl/openssl
TLS/SSL and crypto library
Home Page: https://www.openssl.org
License: Apache License 2.0
ESNI-and-ECH:
/usr/bin/ld: ./libssl.so: undefined reference to `ossl_ssl_connection_free'
/usr/bin/ld: ./libssl.so: undefined reference to `ossl_ssl_connection_reset'
/usr/bin/ld: ./libssl.so: undefined reference to `ossl_ssl_connection_new'
collect2: error: ld returned 1 exit status
make[1]: *** [Makefile:23656: apps/openssl] Error 1
make[1]: Leaving directory '/opt/openssl'
make: *** [Makefile:3279: build_sw] Error 2
Hey, I was trying to enable eSNI on my Apache server and am following the steps as given in https://github.com/sftcd/openssl/blob/master/esnistuff/apache2.md
After "./configure --enable-ssl --with-ssl=$HOME/code/openssl-for-apache --with-libxml2", when I try make, it gives the following error:
......warnings.......
ssl_engine_init.c:334:17: error: too few arguments to function ‘SSL_CTX_esni_server_enable’
if (SSL_CTX_esni_server_enable(ctx,privname,pubname)!=1) {
^~~~~~~~~~~~~~~~~~~~~~~~~~
......warnings.......
/home/azureuser/code/httpd/build/rules.mk:213: recipe for target 'ssl_engine_init.slo' failed
make[4]: *** [ssl_engine_init.slo] Error 1
make[4]: Leaving directory '/home/azureuser/code/httpd/modules/ssl'
/home/azureuser/code/httpd/build/rules.mk:117: recipe for target 'shared-build-recursive' failed
make[3]: *** [shared-build-recursive] Error 1
make[3]: Leaving directory '/home/azureuser/code/httpd/modules/ssl'
/home/azureuser/code/httpd/build/rules.mk:117: recipe for target 'shared-build-recursive' failed
make[2]: *** [shared-build-recursive] Error 1
make[2]: Leaving directory '/home/azureuser/code/httpd/modules'
/home/azureuser/code/httpd/build/rules.mk:117: recipe for target 'shared-build-recursive' failed
make[1]: *** [shared-build-recursive] Error 1
make[1]: Leaving directory '/home/azureuser/code/httpd'
/home/azureuser/code/httpd/build/rules.mk:75: recipe for target 'all-recursive' failed
make: *** [all-recursive] Error 1
There are a fair few warnings as well:
ssl_engine_init.c: In function ‘make_dh_params’:
ssl_engine_init.c:110:5: warning: ‘DH_new’ is deprecated: Since OpenSSL 3.0 [-Wdeprecated-declarations]
DH *dh = DH_new();
^~
In file included from /home/azureuser/code/openssl-for-apache/include/openssl/dsa.h:51:0,
from /home/azureuser/code/openssl-for-apache/include/openssl/x509.h:37,
from /home/azureuser/code/openssl-for-apache/include/openssl/ssl.h:31,
from ssl_private.h:90,
from ssl_engine_init.c:29:
/home/azureuser/code/openssl-for-apache/include/openssl/dh.h:199:27: note: declared here
OSSL_DEPRECATEDIN_3_0 DH *DH_new(void);
^~~~~~
ssl_engine_init.c:121:5: warning: ‘DH_set0_pqg’ is deprecated: Since OpenSSL 3.0 [-Wdeprecated-declarations]
if (!p || !g || !DH_set0_pqg(dh, p, NULL, g)) {
^~
In file included from /home/azureuser/code/openssl-for-apache/include/openssl/dsa.h:51:0,
from /home/azureuser/code/openssl-for-apache/include/openssl/x509.h:37,
from /home/azureuser/code/openssl-for-apache/include/openssl/ssl.h:31,
from ssl_private.h:90,
from ssl_engine_init.c:29:
/home/azureuser/code/openssl-for-apache/include/openssl/dh.h:255:27: note: declared here
OSSL_DEPRECATEDIN_3_0 int DH_set0_pqg(DH *dh, BIGNUM *p, BIGNUM *q, BIGNUM *g);
^~~~~~~~~~~
ssl_engine_init.c:122:9: warning: ‘DH_free’ is deprecated: Since OpenSSL 3.0 [-Wdeprecated-declarations]
DH_free(dh);
^~~~~~~
In file included from /home/azureuser/code/openssl-for-apache/include/openssl/dsa.h:51:0,
from /home/azureuser/code/openssl-for-apache/include/openssl/x509.h:37,
from /home/azureuser/code/openssl-for-apache/include/openssl/ssl.h:31,
from ssl_private.h:90,
from ssl_engine_init.c:29:
/home/azureuser/code/openssl-for-apache/include/openssl/dh.h:200:28: note: declared here
OSSL_DEPRECATEDIN_3_0 void DH_free(DH *dh);
^~~~~~~
ssl_engine_init.c: In function ‘free_dh_params’:
ssl_engine_init.c:160:9: warning: ‘DH_free’ is deprecated: Since OpenSSL 3.0 [-Wdeprecated-declarations]
DH_free(dhparams[n].dh);
^~~~~~~
In file included from /home/azureuser/code/openssl-for-apache/include/openssl/dsa.h:51:0,
from /home/azureuser/code/openssl-for-apache/include/openssl/x509.h:37,
from /home/azureuser/code/openssl-for-apache/include/openssl/ssl.h:31,
from ssl_private.h:90,
from ssl_engine_init.c:29:
/home/azureuser/code/openssl-for-apache/include/openssl/dh.h:200:28: note: declared here
OSSL_DEPRECATEDIN_3_0 void DH_free(DH *dh);
^~~~~~~
ssl_engine_init.c: In function ‘load_esnikeys’:
ssl_engine_init.c:334:48: warning: passing argument 2 of ‘SSL_CTX_esni_server_enable’ from incompatible pointer type [-Wincompatible-pointer-types]
if (SSL_CTX_esni_server_enable(ctx,privname,pubname)!=1) {
^~~~~~~~
In file included from ssl_engine_init.c:40:0:
/home/azureuser/code/openssl-for-apache/include/openssl/esni.h:545:5: note: expected ‘SSL * {aka struct ssl_st *}’ but argument is of type ‘char *’
int SSL_CTX_esni_server_enable(SSL_CTX *s, SSL *con, const char *esnikeyfile, const char *esnipubfile);
^~~~~~~~~~~~~~~~~~~~~~~~~~
ssl_engine_init.c:334:17: error: too few arguments to function ‘SSL_CTX_esni_server_enable’
if (SSL_CTX_esni_server_enable(ctx,privname,pubname)!=1) {
^~~~~~~~~~~~~~~~~~~~~~~~~~
In file included from ssl_engine_init.c:40:0:
/home/azureuser/code/openssl-for-apache/include/openssl/esni.h:545:5: note: declared here
int SSL_CTX_esni_server_enable(SSL_CTX *s, SSL *con, const char *esnikeyfile, const char *esnipubfile);
^~~~~~~~~~~~~~~~~~~~~~~~~~
ssl_engine_init.c: In function ‘ssl_init_Engine’:
ssl_engine_init.c:633:9: warning: ‘ENGINE_by_id’ is deprecated: Since OpenSSL 3.0 [-Wdeprecated-declarations]
if (!(e = ENGINE_by_id(mc->szCryptoDevice))) {
^~
In file included from ssl_private.h:105:0,
from ssl_engine_init.c:29:
/home/azureuser/code/openssl-for-apache/include/openssl/engine.h:336:31: note: declared here
OSSL_DEPRECATEDIN_3_0 ENGINE *ENGINE_by_id(const char *id);
^~~~~~~~~~~~
ssl_engine_init.c:643:13: warning: ‘ENGINE_ctrl’ is deprecated: Since OpenSSL 3.0 [-Wdeprecated-declarations]
ENGINE_ctrl(e, ENGINE_CTRL_CHIL_SET_FORKCHECK, 1, 0, 0);
^~~~~~~~~~~
In file included from ssl_private.h:105:0,
from ssl_engine_init.c:29:
/home/azureuser/code/openssl-for-apache/include/openssl/engine.h:429:27: note: declared here
OSSL_DEPRECATEDIN_3_0 int ENGINE_ctrl(ENGINE *e, int cmd, long i, void *p,
^~~~~~~~~~~
ssl_engine_init.c:647:9: warning: ‘ENGINE_set_default’ is deprecated: Since OpenSSL 3.0 [-Wdeprecated-declarations]
if (!ENGINE_set_default(e, ENGINE_METHOD_ALL)) {
^~
In file included from ssl_private.h:105:0,
from ssl_engine_init.c:29:
/home/azureuser/code/openssl-for-apache/include/openssl/engine.h:708:27: note: declared here
OSSL_DEPRECATEDIN_3_0 int ENGINE_set_default(ENGINE *e, unsigned int flags);
^~~~~~~~~~~~~~~~~~
ssl_engine_init.c:658:9: warning: ‘ENGINE_free’ is deprecated: Since OpenSSL 3.0 [-Wdeprecated-declarations]
ENGINE_free(e);
^~~~~~~~~~~
In file included from ssl_private.h:105:0,
from ssl_engine_init.c:29:
/home/azureuser/code/openssl-for-apache/include/openssl/engine.h:493:27: note: declared here
OSSL_DEPRECATEDIN_3_0 int ENGINE_free(ENGINE *e);
^~~~~~~~~~~
ssl_engine_init.c: In function ‘ssl_init_ctx_tls_extensions’:
ssl_engine_init.c:736:9: warning: ‘SRP_VBASE_new’ is deprecated: Since OpenSSL 3.0 [-Wdeprecated-declarations]
if (!(mctx->srp_vbase = SRP_VBASE_new(mctx->srp_unknown_user_seed))) {
^~
In file included from ssl_private.h:220:0,
from ssl_engine_init.c:29:
/home/azureuser/code/openssl-for-apache/include/openssl/srp.h:173:12: note: declared here
SRP_VBASE *SRP_VBASE_new(char *seed_key);
^~~~~~~~~~~~~
ssl_engine_init.c:745:9: warning: ‘SRP_VBASE_init’ is deprecated: Since OpenSSL 3.0 [-Wdeprecated-declarations]
err = SRP_VBASE_init(mctx->srp_vbase, mctx->srp_vfile);
^~~
In file included from ssl_private.h:220:0,
from ssl_engine_init.c:29:
/home/azureuser/code/openssl-for-apache/include/openssl/srp.h:177:5: note: declared here
int SRP_VBASE_init(SRP_VBASE *vb, char *verifier_file);
^~~~~~~~~~~~~~
ssl_engine_init.c:753:9: warning: ‘SSL_CTX_set_srp_username_callback’ is deprecated: Since OpenSSL 3.0 [-Wdeprecated-declarations]
SSL_CTX_set_srp_username_callback(mctx->ssl_ctx,
^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
In file included from ssl_private.h:90:0,
from ssl_engine_init.c:29:
/home/azureuser/code/openssl-for-apache/include/openssl/ssl.h:1959:5: note: declared here
int SSL_CTX_set_srp_username_callback(SSL_CTX *ctx,
^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
ssl_engine_init.c:755:9: warning: ‘SSL_CTX_set_srp_cb_arg’ is deprecated: Since OpenSSL 3.0 [-Wdeprecated-declarations]
SSL_CTX_set_srp_cb_arg(mctx->ssl_ctx, mctx);
^~~~~~~~~~~~~~~~~~~~~~
In file included from ssl_private.h:90:0,
from ssl_engine_init.c:29:
/home/azureuser/code/openssl-for-apache/include/openssl/ssl.h:1961:27: note: declared here
OSSL_DEPRECATEDIN_3_0 int SSL_CTX_set_srp_cb_arg(SSL_CTX *ctx, void *arg);
^~~~~~~~~~~~~~~~~~~~~~
ssl_engine_init.c: In function ‘ssl_init_ctx_callbacks’:
ssl_engine_init.c:1078:5: warning: ‘SSL_CTX_set_tmp_dh_callback’ is deprecated: Since OpenSSL 3.0 [-Wdeprecated-declarations]
SSL_CTX_set_tmp_dh_callback(ctx, ssl_callback_TmpDH);
^~~~~~~~~~~~~~~~~~~~~~~~~~~
In file included from ssl_private.h:90:0,
from ssl_engine_init.c:29:
/home/azureuser/code/openssl-for-apache/include/openssl/ssl.h:2286:6: note: declared here
void SSL_CTX_set_tmp_dh_callback(SSL_CTX *ctx,
^~~~~~~~~~~~~~~~~~~~~~~~~~~
ssl_engine_init.c: In function ‘ssl_init_server_certs’:
ssl_engine_init.c:1716:9: warning: ‘DH_bits’ is deprecated: Since OpenSSL 3.0 [-Wdeprecated-declarations]
ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s, APLOGNO(02540)
^~~~~~~~~~~~
In file included from /home/azureuser/code/openssl-for-apache/include/openssl/dsa.h:51:0,
from /home/azureuser/code/openssl-for-apache/include/openssl/x509.h:37,
from /home/azureuser/code/openssl-for-apache/include/openssl/ssl.h:31,
from ssl_private.h:90,
from ssl_engine_init.c:29:
/home/azureuser/code/openssl-for-apache/include/openssl/dh.h:202:27: note: declared here
OSSL_DEPRECATEDIN_3_0 int DH_bits(const DH *dh);
^~~~~~~
ssl_engine_init.c:1719:9: warning: ‘DH_free’ is deprecated: Since OpenSSL 3.0 [-Wdeprecated-declarations]
DH_free(dhparams);
^~~~~~~
In file included from /home/azureuser/code/openssl-for-apache/include/openssl/dsa.h:51:0,
from /home/azureuser/code/openssl-for-apache/include/openssl/x509.h:37,
from /home/azureuser/code/openssl-for-apache/include/openssl/ssl.h:31,
from ssl_private.h:90,
from ssl_engine_init.c:29:
/home/azureuser/code/openssl-for-apache/include/openssl/dh.h:200:28: note: declared here
OSSL_DEPRECATEDIN_3_0 void DH_free(DH *dh);
^~~~~~~
ssl_engine_init.c:1729:9: warning: ‘EC_KEY_new_by_curve_name’ is deprecated: Since OpenSSL 3.0 [-Wdeprecated-declarations]
&& (eckey = EC_KEY_new_by_curve_name(nid))) {
^~
In file included from /home/azureuser/code/openssl-for-apache/include/openssl/x509.h:33:0,
from /home/azureuser/code/openssl-for-apache/include/openssl/ssl.h:31,
from ssl_private.h:90,
from ssl_engine_init.c:29:
/home/azureuser/code/openssl-for-apache/include/openssl/ec.h:994:31: note: declared here
OSSL_DEPRECATEDIN_3_0 EC_KEY *EC_KEY_new_by_curve_name(int nid);
^~~~~~~~~~~~~~~~~~~~~~~~
ssl_engine_init.c:1751:5: warning: ‘EC_KEY_free’ is deprecated: Since OpenSSL 3.0 [-Wdeprecated-declarations]
EC_KEY_free(eckey);
^~~~~~~~~~~
In file included from /home/azureuser/code/openssl-for-apache/include/openssl/x509.h:33:0,
from /home/azureuser/code/openssl-for-apache/include/openssl/ssl.h:31,
from ssl_private.h:90,
from ssl_engine_init.c:29:
/home/azureuser/code/openssl-for-apache/include/openssl/ec.h:999:28: note: declared here
OSSL_DEPRECATEDIN_3_0 void EC_KEY_free(EC_KEY *key);
^~~~~~~~~~~
ssl_engine_init.c: In function ‘ssl_init_ctx_cleanup’:
ssl_engine_init.c:2008:9: warning: ‘SRP_VBASE_free’ is deprecated: Since OpenSSL 3.0 [-Wdeprecated-declarations]
SRP_VBASE_free(mctx->srp_vbase);
^~~~~~~~~~~~~~
In file included from ssl_private.h:220:0,
from ssl_engine_init.c:29:
/home/azureuser/code/openssl-for-apache/include/openssl/srp.h:175:6: note: declared here
void SRP_VBASE_free(SRP_VBASE *vb);
^~~~~~~~~~~~~~
Is this a mistake on my end or the code itself? And how can I try and fix this?
Thank you
I tried adding -DOPENSSL_API_COMPAT=30000, but still get this error:
In file included from crypto/aes/aes_ofb.c:11:
In file included from include/openssl/modes.h:14:
include/openssl/macros.h:102:4: error: "The requested API level higher than the configured API compatibility level"
# error "The requested API level higher than the configured API compatibility level"
^
include/openssl/macros.h:110:4: error: "OPENSSL_API_COMPAT expresses an impossible API compatibility level"
# error "OPENSSL_API_COMPAT expresses an impossible API compatibility level"
^
In file included from crypto/aes/aes_ofb.c:11:
In file included from include/openssl/modes.h:20:
In file included from include/openssl/types.h:19:
include/openssl/e_os2.h:168:11: warning: 'OPENSSL_EXPORT' macro redefined [-Wmacro-redefined]
# define OPENSSL_EXPORT extern
^
boringssl/include/openssl/base.h:168:9: note: previous definition is here
#define OPENSSL_EXPORT
^
In file included from crypto/aes/aes_ecb.c:13:
In file included from crypto/aes/aes_local.h:13:
In file included from include/openssl/e_os2.h:14:
include/openssl/macros.h:102:4: error: "The requested API level higher than the configured API compatibility level"
# error "The requested API level higher than the configured API compatibility level"
^
include/openssl/macros.h:110:4: error: "OPENSSL_API_COMPAT expresses an impossible API compatibility level"
# error "OPENSSL_API_COMPAT expresses an impossible API compatibility level"
^
In file included from crypto/aes/aes_ecb.c:13:
In file included from crypto/aes/aes_local.h:13:
include/openssl/e_os2.h:168:11: warning: 'OPENSSL_EXPORT' macro redefined [-Wmacro-redefined]
# define OPENSSL_EXPORT extern
^
boringssl/include/openssl/base.h:168:9: note: previous definition is here
#define OPENSSL_EXPORT
With the last commit:
cc -I. -Iinclude -DAES_ASM -arch x86_64 -O3 -Wall -DL_ENDIAN --DNDEBUG -Iinclude -c -o ssl/libssl-lib-ssl_rsa.o ssl/ssl_rsa.c
ssl/esni.c:3076:28: error: no member named 'st_mtim' in 'struct stat'
time_t privmod=pubstat.st_mtim.tv_sec;
~~~~~~~ ^
ssl/esni.c:3077:37: error: no member named 'st_mtim' in 'struct stat'
time_t pubmod=(pubfname?pubstat.st_mtim.tv_sec:0);
Chrome 105, openssl 13a, 13c
SSL_ECH_STATUS:error getting ECH status
the nginx log:
2022/09/25 08:27:40 [error] 10#10: *63 Error getting ECH status while SSL handshaking, client: 172.30.0.1, server: 0.0.0.0:443
2022/09/25 08:27:40 [crit] 10#10: *65 SSL_do_handshake() failed (SSL: error:0A00006E:SSL routines::bad extension error:0A0C0103:SSL routines::internal error) while SSL handshaking, client: 172.30.0.1, server: 0.0.0.0:443
2022/09/25 08:31:58 [crit] 10#10: *69 SSL_do_handshake() failed (SSL: error:0A00006E:SSL routines::bad extension error:0A0C0103:SSL routines::internal error) while SSL handshaking, client: 172.30.0.1, server: 0.0.0.0:443
2022/09/25 08:31:58 [crit] 10#10: *70 SSL_do_handshake() failed (SSL: error:0A00006E:SSL routines::bad extension error:0A0C0103:SSL routines::internal error) while SSL handshaking, client: 172.30.0.1, server: 0.0.0.0:443
2022/09/25 08:31:58 [error] 10#10: *71 Error getting ECH status while SSL handshaking, client: 172.30.0.1, server: 0.0.0.0:443
2022/09/25 08:31:59 [crit] 10#10: *73 SSL_do_handshake() failed (SSL: error:0A00006E:SSL routines::bad extension error:0A0C0103:SSL routines::internal error) while SSL handshaking, client: 172.30.0.1, server: 0.0.0.0:443
I tried to compile this and the esnistuff, following the instructions here: https://defo.ie/building-curl-openssl-with-esni.html
I tried to test it as described in the instructions from the link above:
$ ./testclient.sh -H ietf.org
Running ./testclient.sh at 20190828-072413
./testclient.sh Summary:
Looks like 1 ok's and 0 bad's.
But I only get
Running ./testclient.sh at 20210427-025718
./testclient.sh Summary:
Looks like 0 ok's and 0 bad's.
I got 0 ok's
I'm trying to decrypt an encrypted SNI record using the SSL_ESNI_dec function, which is in ssl/esni.c line 2475.
The problem is in the ssl_md call at ssl/esni.c line 2648.
2475 unsigned char *SSL_ESNI_dec(SSL_ESNI *esni,
2476                             size_t client_random_len,
2477                             unsigned char *client_random,
2478                             uint16_t curve_id,
2479                             size_t client_keyshare_len,
2480                             unsigned char *client_keyshare,
2481                             size_t *encservername_len)
2482 {
...
2647     const SSL_CIPHER *sc=cs2sc(esni->ciphersuite);
2648     const EVP_MD *md=ssl_md(sc->algorithm2);
2649     esni->Zx_len=0;
2650     if (esni->Zx!=NULL) OPENSSL_free(esni->Zx);
2651     esni->Zx=esni_hkdf_extract(esni->Z,esni->Z_len,&esni->Zx_len,md);
I checked that sc has the right value, but ssl_md always returns NULL. I stepped into ssl_md (ssl/ssl_ciph.c line 587) while debugging. ssl_md receives an argument named idx and returns ssl_digest_methods[idx], but ssl_digest_methods is initialized as NULL in ssl/ssl_ciph.c line 117, so ssl_md will always return NULL.
117 static const EVP_MD *ssl_digest_methods[SSL_MD_NUM_IDX] = {
118     NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL
119 };
...
587 const EVP_MD *ssl_md(int idx)
588 {
589     idx &= SSL_HANDSHAKE_MAC_MASK;
590     if (idx < 0 || idx >= SSL_MD_NUM_IDX)
591         return NULL;
592     return ssl_digest_methods[idx];
593 }
Regardless of whether md's value is NULL or not, esni_hkdf_extract at ssl/esni.c line 2651 tries to dereference md->prov even when md is NULL, so the program crashes with SIGSEGV. Does esnistuff/testserver.sh not use SSL_ESNI_dec while running?
I'm trying to build and run a working ECH setup. I've built latest cURL, nginx and openssl (from the relevant branches).
When trying to run echsvr.sh as described here in localhost-tests.md, I'm getting the following error:
Running ./scripts/echsvr.sh at 20231207-213521
Not forcing HRR
Using all key pairs found in $HOME/ech-dev-utils/echkeydir
error setting private key
00000000:error:0480006C:PEM routines:get_name:no start line:crypto/pem/pem_lib.c:773:
00000000:error:0A080106:SSL routines:SSL_CTX_ech_server_enable_file:passed invalid argument:ssl/ech.c:5013:
00000000:error:0A0000F7:SSL routines:ssl_set_pkey:unknown certificate type:ssl/ssl_rsa.c:132:
I'm using an EC (P-384) certificate (from LetsEncrypt, actually) and it seems that is causing issues for openssl s_server with ECH.
When following the HOWTO for building ESNI-aware OpenSSL and curl, make fails in the esnistuff directory with the following compiler messages.
mk_esnikeys.c:417:54: error: incomplete definition of type 'struct sockaddr_in'
&((struct sockaddr_in *)sa)->sin_addr,
~~~~~~~~~~~~~~~~~~~~~~~~~~^
mk_esnikeys.c:417:37: note: forward declaration of 'struct sockaddr_in'
&((struct sockaddr_in *)sa)->sin_addr,
^
mk_esnikeys.c:421:55: error: incomplete definition of type 'struct sockaddr_in6'
&((struct sockaddr_in6 *)sa)->sin6_addr,
~~~~~~~~~~~~~~~~~~~~~~~~~~~^
mk_esnikeys.c:421:37: note: forward declaration of 'struct sockaddr_in6'
&((struct sockaddr_in6 *)sa)->sin6_addr,
^
2 errors generated.
*** Error code 1
Stop.
make: stopped in /tmp/tmp.nB2w3U9p/openssl/esnistuff
$
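As an added example (not code from the sftcd/openssl repository or from the report above), the program below shows the sockaddr-to-text conversion that mk_esnikeys.c was attempting, together with the headers that make struct sockaddr_in and struct sockaddr_in6 complete types: <sys/socket.h> for the generic sockaddr, <netinet/in.h> for the per-family structs (the "incomplete definition" error is what you get when this one is missing and no other header pulls it in on that platform), and <arpa/inet.h> for inet_ntop/inet_pton. The helper names and the sample addresses are mine; the addresses come from the documentation ranges and are constructed for the demonstration.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>   /* struct sockaddr, sockaddr_storage, AF_INET / AF_INET6 */
#include <netinet/in.h>   /* struct sockaddr_in / sockaddr_in6: without this header
                             they are only forward-declared, which is exactly the
                             "incomplete definition of type" error in the report */
#include <arpa/inet.h>    /* inet_ntop, inet_pton, INET6_ADDRSTRLEN */

/* Hypothetical helper: render a generic sockaddr as text.
 * Returns 0 on success, -1 for an unsupported family or a too-small buffer. */
int sockaddr_to_text(const struct sockaddr *sa, char *buf, size_t buflen)
{
    const void *addr;

    if (sa->sa_family == AF_INET)
        addr = &((const struct sockaddr_in *)sa)->sin_addr;
    else if (sa->sa_family == AF_INET6)
        addr = &((const struct sockaddr_in6 *)sa)->sin6_addr;
    else
        return -1;

    return inet_ntop(sa->sa_family, addr, buf, (socklen_t)buflen) != NULL ? 0 : -1;
}

/* Hypothetical helper: parse text into a sockaddr_storage, trying IPv4 then IPv6.
 * Returns the address family on success, or -1 if the text is not an address. */
int text_to_sockaddr(const char *txt, struct sockaddr_storage *ss)
{
    struct sockaddr_in *s4 = (struct sockaddr_in *)ss;
    struct sockaddr_in6 *s6 = (struct sockaddr_in6 *)ss;

    memset(ss, 0, sizeof(*ss));
    if (inet_pton(AF_INET, txt, &s4->sin_addr) == 1) {
        s4->sin_family = AF_INET;
        return AF_INET;
    }
    if (inet_pton(AF_INET6, txt, &s6->sin6_addr) == 1) {
        s6->sin6_family = AF_INET6;
        return AF_INET6;
    }
    return -1;
}

/* Round-trip check: 1 if txt parses and formats back to the identical
 * (canonical) string, 0 otherwise. Non-canonical IPv6 spellings yield 0. */
int roundtrip_ok(const char *txt)
{
    struct sockaddr_storage ss;
    char out[INET6_ADDRSTRLEN];

    if (text_to_sockaddr(txt, &ss) < 0)
        return 0;
    if (sockaddr_to_text((const struct sockaddr *)&ss, out, sizeof out) != 0)
        return 0;
    return strcmp(out, txt) == 0;
}

int main(void)
{
    /* Constructed sample inputs: RFC 5737 / RFC 3849 documentation addresses
     * plus one string that is not an address at all. */
    const char *samples[] = { "192.0.2.1", "2001:db8::1", "not-an-address" };
    size_t i;

    for (i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-16s round-trip: %s\n", samples[i],
               roundtrip_ok(samples[i]) ? "ok" : "failed");
    return 0;
}
```

The family check before the cast is what keeps the pointer arithmetic honest: casting a sockaddr to sockaddr_in6 when sa_family is AF_INET would read past the end of the smaller structure, so an unsupported family is reported rather than guessed.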
Building from the master branch with x86_64-w64-mingw32-gcc, I get this error:
../ssl/statem/extensions_srvr.c:18:10: fatal error: netinet/in.h: No such file or directory
#include <netinet/in.h>
^~~~~~~~~~~~~~
openssl/esnistuff/building-curl-openssl-with-ech.md
Lines 19 to 20 in 4ead0b3
I'm afraid that cd openssl is required between those commands.
I am following the March 2023 steps here:
Line 172 in 9e66beb
I've generated some fake CA / website certs via make-example-ca.sh, which seems to be fine. However, if I try testnginx-draft-13.sh, I get the following:
Executing: /home/ubuntu/code/nginx/objs/nginx -c /home/ubuntu/code/openssl-for-nginx/esnistuff/nginxmin-draft-13.conf
nginx: [emerg] load_echkeys, error opening /home/ubuntu/code/openssl-for-nginx/esnistuff/echkeydir at 1463
nginx: [emerg] Hey some bad ech stuff happened at 1544
I tried to search around a bit, but not too sure how to populate this directory with the ECH keys. Any advice would be great.
configuration data:
Command line (with current working directory = .):
C:\Strawberry\perl\bin\perl.exe Configure
Perl information:
C:\Strawberry\perl\bin\perl.exe
5.32.1 for MSWin32-x64-multi-thread
Enabled features:
acvp_tests
aria
asm
async
autoalginit
autoerrinit
autoload-config
bf
blake2
bulk
cached-fetch
camellia
capieng
cast
chacha
cmac
cmp
cms
comp
ct
deprecated
des
dgram
dh
dsa
dso
dtls
dynamic-engine
ec
ec2m
ecdh
ecdsa
engine
err
filenames
fips
fips-securitychecks
gost
idea
legacy
makedepend
md4
mdc2
module
multiblock
nextprotoneg
pinshared
ocb
ocsp
padlockeng
pic
poly1305
posix-io
psk
rc2
rc4
rdrand
rfc3779
rmd160
scrypt
secure-memory
seed
shared
siphash
siv
sm2
sm3
sm4
sock
srp
srtp
sse2
ssl
static-engine
stdio
tests
threads
tls
ts
ui-console
uplink
whirlpool
tls1
tls1-method
tls1_1
tls1_1-method
tls1_2
tls1_2-method
tls1_3
dtls1
dtls1-method
dtls1_2
dtls1_2-method
Disabled features:
afalgeng [not-linux] OPENSSL_NO_AFALGENG
asan [default] OPENSSL_NO_ASAN
buildtest-c++ [default]
crypto-mdebug [default] OPENSSL_NO_CRYPTO_MDEBUG
devcryptoeng [default] OPENSSL_NO_DEVCRYPTOENG
ec_nistp_64_gcc_128 [default] OPENSSL_NO_EC_NISTP_64_GCC_128
egd [default] OPENSSL_NO_EGD
external-tests [default] OPENSSL_NO_EXTERNAL_TESTS
fuzz-libfuzzer [default] OPENSSL_NO_FUZZ_LIBFUZZER
fuzz-afl [default] OPENSSL_NO_FUZZ_AFL
ktls [default] OPENSSL_NO_KTLS
md2 [default] OPENSSL_NO_MD2 (skip crypto\md2)
msan [default] OPENSSL_NO_MSAN
rc5 [default] OPENSSL_NO_RC5 (skip crypto\rc5)
sctp [default] OPENSSL_NO_SCTP
ssl-trace [default] OPENSSL_NO_SSL_TRACE
trace [default] OPENSSL_NO_TRACE
ubsan [default] OPENSSL_NO_UBSAN
unit-test [default] OPENSSL_NO_UNIT_TEST
weak-ssl-ciphers [default] OPENSSL_NO_WEAK_SSL_CIPHERS
zlib [default]
zlib-dynamic [default]
ssl3 [default] OPENSSL_NO_SSL3
ssl3-method [default] OPENSSL_NO_SSL3_METHOD
Config target attributes:
AR => "lib",
ARFLAGS => "/nologo",
AS => "nasm",
ASFLAGS => "-g",
CC => "cl",
CFLAGS => "/W3 /wd4090 /nologo /O2",
CPP => "\"\$(CC)\" /EP /C",
HASHBANGPERL => "/usr/bin/env perl",
LD => "link",
LDFLAGS => "/nologo /debug",
MT => "mt",
MTFLAGS => "-nologo",
RANLIB => "CODE(0x26b5e60)",
RC => "rc",
ar_resp_delim => "
",
aroutflag => "/out:",
asflags => "-Ox -f win64 -DNEAR",
asm_arch => "x86_64",
asoutflag => "-o ",
bin_cflags => "/Zi /Fdapp.pdb",
bin_lflags => "setargv.obj /subsystem:console /opt:ref",
bn_ops => "SIXTY_FOUR_BIT",
build_file => "makefile",
build_scheme => [ "unified", "windows", "VC-common" ],
cflags => "/Gs0 /GF /Gy /MD",
coutflag => "/Fo",
cpp_depend_flags => "/Zs /showIncludes",
cppflags => "",
defines => [ "OPENSSL_BUILDING_OPENSSL", "OPENSSL_SYS_WIN32", "WIN32_LEAN_AND_MEAN", "UNICODE", "_UNICODE", "_CRT_SECURE_NO_DEPRECATE", "_WINSOCK_DEPRECATED_NO_WARNINGS" ],
disable => [ ],
dso_cflags => "/Zi /Fddso.pdb",
dso_scheme => "win32",
enable => [ ],
ex_libs => "ws2_32.lib gdi32.lib advapi32.lib crypt32.lib user32.lib",
includes => [ ],
ld_implib_flag => "/implib:",
ld_resp_delim => "
",
lddefflag => "/def:",
ldoutflag => "/out:",
ldpostoutflag => "",
ldresflag => " ",
lflags => "",
lib_cflags => "/Zi /Fdossl_static.pdb",
lib_cppflags => "",
lib_defines => [ "L_ENDIAN" ],
module_cflags => "",
module_cxxflags => undef,
module_ldflags => "/dll",
mtinflag => "-manifest ",
mtoutflag => "-outputresource:",
multilib => "-x64",
perl_platform => "Windows::MSVC",
perlasm_scheme => "auto",
rcoutflag => "/fo",
shared_cflag => "",
shared_defflag => "",
shared_defines => [ ],
shared_ldflag => "/dll",
shared_rcflag => "",
shared_target => "win-shared",
sys_id => "WIN64A",
thread_defines => [ ],
thread_scheme => "winthreads",
unistd => "<unistd.h>",
uplink_arch => "x86_64",
Recorded environment:
AR =
ARFLAGS =
AS =
ASFLAGS =
BUILDFILE =
CC =
CFLAGS =
CPP =
CPPDEFINES =
CPPFLAGS =
CPPINCLUDES =
CROSS_COMPILE =
CXX =
CXXFLAGS =
HASHBANGPERL =
LD =
LDFLAGS =
LDLIBS =
MT =
MTFLAGS =
OPENSSL_LOCAL_CONFIG_DIR =
PERL =
RANLIB =
RC =
RCFLAGS =
RM =
WINDRES =
__CNF_CFLAGS =
__CNF_CPPDEFINES =
__CNF_CPPFLAGS =
__CNF_CPPINCLUDES =
__CNF_CXXFLAGS =
__CNF_LDFLAGS =
__CNF_LDLIBS =
Makevars:
AR = lib
ARFLAGS = /nologo
AS = nasm
ASFLAGS = -g
CC = cl
CFLAGS = /W3 /wd4090 /nologo /O2
CPP = "$(CC)" /EP /C
CPPDEFINES =
CPPFLAGS =
CPPINCLUDES =
CXXFLAGS =
HASHBANGPERL = /usr/bin/env perl
LD = link
LDFLAGS = /nologo /debug
LDLIBS =
MT = mt
MTFLAGS = -nologo
PERL = C:\Strawberry\perl\bin\perl.exe
RANLIB = ranlib
RC = rc
RCFLAGS =
NOTE: These variables only represent the configuration view. The build file
template may have processed these variables further, please have a look at the
build file for more exact data:
makefile
build file:
makefile
build file templates:
Configurations\common0.tmpl
Configurations\windows-makefile.tmpl
Configurations\common.tmpl
Error parts of log:
crypto\hpke.c(444): warning C4267: 'function': conversion from 'size_t' to 'int', possible loss of data
crypto\hpke.c(455): warning C4267: 'function': conversion from 'size_t' to 'int', possible loss of data
crypto\hpke.c(462): warning C4267: 'function': conversion from 'size_t' to 'int', possible loss of data
crypto\hpke.c(468): warning C4267: 'function': conversion from 'size_t' to 'int', possible loss of data
crypto\hpke.c(521): error C2057: expected constant expression
crypto\hpke.c(521): error C2466: cannot allocate an array of constant size 0
crypto\hpke.c(521): error C2133: 'tag': unknown size
crypto\hpke.c(545): warning C4267: 'function': conversion from 'size_t' to 'int', possible loss of data
crypto\hpke.c(556): warning C4267: 'function': conversion from 'size_t' to 'int', possible loss of data
crypto\hpke.c(563): warning C4267: 'function': conversion from 'size_t' to 'int', possible loss of data
crypto\hpke.c(577): warning C4267: 'function': conversion from 'size_t' to 'int', possible loss of data
crypto\hpke.c(742): warning C4267: 'function': conversion from 'size_t' to 'int', possible loss of data
crypto\hpke.c(745): warning C4267: 'function': conversion from 'size_t' to 'int', possible loss of data
crypto\hpke.c(894): warning C4267: 'function': conversion from 'size_t' to 'int', possible loss of data
crypto\hpke.c(897): warning C4267: 'function': conversion from 'size_t' to 'int', possible loss of data
crypto\hpke.c(954): warning C4267: 'function': conversion from 'size_t' to 'const uint32_t', possible loss of data
crypto\hpke.c(1527): warning C4267: 'function': conversion from 'size_t' to 'const uint32_t', possible loss of data
crypto\hpke.c(1538): warning C4267: 'function': conversion from 'size_t' to 'const uint32_t', possible loss of data
crypto\hpke.c(1546): warning C4267: 'function': conversion from 'size_t' to 'const uint32_t', possible loss of data
crypto\hpke.c(1992): warning C4267: 'function': conversion from 'size_t' to 'const uint32_t', possible loss of data
crypto\hpke.c(2003): warning C4267: 'function': conversion from 'size_t' to 'const uint32_t', possible loss of data
crypto\hpke.c(2011): warning C4267: 'function': conversion from 'size_t' to 'const uint32_t', possible loss of data
crypto\hpke.c(2019): warning C4267: 'function': conversion from 'size_t' to 'const uint32_t', possible loss of data
crypto\hpke.c(2340): warning C4267: 'function': conversion from 'size_t' to 'int', possible loss of data
crypto\hpke.c(2374): warning C4267: 'function': conversion from 'size_t' to 'int', possible loss of data
crypto\hpke.c(2397): warning C4267: 'function': conversion from 'size_t' to 'int', possible loss of data
I am trying to run echcli.sh but it continues to show that it failed. My openssl code folder was not $HOME/code/openssl; I chose $HOME/openssl instead, so I edited the shell script by replacing the directory. However, it prints the following instead of the success message:
Running ./echcli.sh at 20211015-180418
Running: /Users/david/openssl/apps/openssl s_client -msg -debug -trace -tlsextdebug -keylogfile keys.cli -CApath /etc/ssl/certs/ -no_ssl3 -no_tls1 -no_tls1_1 -no_tls1_2 -connect crypto.cloudflare.com:443 -servername crypto.cloudflare.com -svcb -alpn inner,secret,http/1.1 -alpn-outer outer,public,h2
./echcli.sh All output
s_client: Use -help for summary.
./echcli.sh Summary:
Bummer - probably didn't work
Is there something wrong with what I am doing or the code?
I'm working through auditing the ECH code now, and will post findings as I put them together. One quick thing is that there are many lines with trailing spaces, which might annoy upstream. Those can be removed with:
find * -type f -print0 | xargs -0 sed -i 's, *$,,'
Here's the first notable thing found with cppcheck:
[apps/s_server.c:595]: (style) Obsolete function 'asctime' called. It is recommended to use 'strftime' instead.
# Be nice to not have to use an absolute path here.
var.rootroot="/home/stephen/code/openssl/esnistuff"
openssl/esnistuff/lighttpdmin.conf
Line 4 in 512c181
This might do what you want for testing (current working directory).
include_shell "printf var.rootroot=\\"$PWD\\""
Hi, I tried to build openssl but make test failed on Ubuntu 18.04.1. How can I fix it?
$ uname -a
Linux pol4bear 5.0.0-29-generic #31~18.04.1-Ubuntu SMP Thu Sep 12 18:29:21 UTC 2019 x86_64 x86_64 x86_64 GNU/Linux
../test/recipes/95-test_external_pyca.t ............ skipped: No external tests in this configuration
../test/recipes/99-test_ecstress.t ................. ok
../test/recipes/99-test_fuzz.t ..................... ok
../test/recipes/01-test_symbol_presence.t (Wstat: 256 Tests: 4 Failed: 1)
Failed test: 4
Non-zero exit status: 1
Files=176, Tests=1662, 118 wallclock secs ( 1.64 usr 0.14 sys + 91.41 cusr 5.62 csys = 98.81 CPU)
Result: FAIL
Makefile:198: recipe for target '_tests' failed
make[1]: *** [_tests] Error 1
make[1]: Leaving directory '/home/pol4bear/ESNI/openssl'
Makefile:196: recipe for target 'tests' failed
make: *** [tests] Error 2
Hi, I'm trying to decrypt encrypted SNI using the SSL_ESNI_dec function in this library. I successfully decrypted an ESNI connection made via this library. I know that Firefox also supports ESNI draft 01, so I tried to decrypt an ESNI connection from Firefox, but decryption fails. Do you have any idea why decrypting an ESNI connection made via this library succeeds, while one made via Firefox fails?
Do you see this error in the openssl build of ECH-draft-13c? I tried to fix it but didn't get anywhere...