[Bug]: TLS 1.3 session using CCM mode fails
Version
Master latest
Description
A TLS session using CCM mode for AES encryption is failing with the error below:
SSL_accept error -308, error state on socket
wolfSSL error: SSL_accept failed
Configure options are listed below:
---
Configuration summary for wolfssl version 5.8.0
* Installation prefix: /usr/local
* System type: pc-linux-gnu
* Host CPU: x86_64
* C Compiler: gcc
* C Flags: -DNO_AES_192 -DNO_AES_256 -DWOLFSSL_SP_NO_256 -Werror -Wno-pragmas -Wall -Wextra -Wunknown-pragmas --param=ssp-buffer-size=1 -Waddress -Warray-bounds -Wbad-function-cast -Wchar-subscripts -Wcomment -Wfloat-equal -Wformat-security -Wformat=2 -Wmaybe-uninitialized -Wmissing-field-initializers -Wmissing-noreturn -Wmissing-prototypes -Wnested-externs -Wnormalized=id -Woverride-init -Wpointer-arith -Wpointer-sign -Wshadow -Wsign-compare -Wstrict-overflow=1 -Wstrict-prototypes -Wswitch-enum -Wundef -Wunused -Wunused-result -Wunused-variable -Wwrite-strings -fwrapv
* C++ Compiler:
* C++ Flags:
* CPP Flags:
* CCAS Flags: -DNO_AES_192 -DNO_AES_256 -DWOLFSSL_SP_NO_256
* LD Flags:
* LIB Flags: -pie -z relro -z now -Werror
* Library Suffix:
* Debug enabled: no
* Coverage enabled:
* Warnings as failure: yes
* make -j: 9
* VCS checkout: yes
Features
* Experimental settings: Forbidden
* FIPS: no
* Single threaded: no
* Filesystem: yes
* OpenSSH Build: no
* OpenSSL Extra API: no
* OpenSSL Coexist: no
* Old Names: yes
* Max Strength Build: no
* Distro Build: no
* Reproducible Build: no
* Side-channel Hardening: yes
* Single Precision Math: no
* SP implementation: all
* Fast Math: no
* Heap Math: no
* Assembly Allowed: yes
* sniffer: no
* snifftest: no
* ARC4: no
* AES: yes
* AES-NI: no
* AVX for AES: no
* AES-CBC: no
* AES-CBC length checks: no
* AES-GCM: no
* AES-GCM streaming: no
* AES-CCM: yes
* AES-CTR: yes
* AES-CFB: no
* AES-OFB: no
* AES-XTS: no
* AES-XTS streaming: no
* AES-SIV: no
* AES-EAX: no
* AES Bitspliced: no
* AES Key Wrap: no
* ARIA: no
* ASCON: no
* DES3: no
* DES3 TLS Suites: no
* Camellia: no
* CUDA: no
* SM4-ECB: no
* SM4-CBC: no
* SM4-CTR: no
* SM4-GCM: no
* SM4-CCM: no
* NULL Cipher: no
* MD2: no
* MD4: no
* MD5: yes
* RIPEMD: no
* SHA: yes
* SHA-224: yes
* SHA-256: yes
* SHA-384: yes
* SHA-512: yes
* SHA3: yes
* SHAKE128: no
* SHAKE256: no
* SM3: no
* BLAKE2: no
* BLAKE2S: no
* SipHash: no
* CMAC: no
* keygen: no
* acert: no
* certgen: no
* certreq: no
* certext: no
* certgencache: no
* CHACHA: yes
* XCHACHA: no
* Hash DRBG: yes
* MmemUse Entropy:
* (AKA: wolfEntropy): no
* PWDBASED: yes
* Encrypted keys: no
* scrypt: no
* wolfCrypt Only: no
* HKDF: yes
* HPKE: no
* X9.63 KDF: no
* SRTP-KDF: no
* PSK: no
* Poly1305: yes
* LEANPSK: no
* LEANTLS: no
* RSA: yes
* RSA-PSS: yes
* DSA: no
* DH: yes
* DH Default Parameters: yes
* ECC: yes
* ECC Custom Curves: no
* ECC Minimum Bits: 224
* FPECC: no
* ECC_ENCRYPT: no
* Brainpool: no
* SM2: no
* CURVE25519: no
* ED25519: no
* ED25519 streaming: no
* CURVE448: no
* ED448: no
* ED448 streaming: no
* LMS: no
* LMS wolfSSL impl: no
* XMSS: no
* XMSS wolfSSL impl: no
* MLKEM: no
* MLKEM wolfSSL impl: no
* DILITHIUM: no
* ECCSI no
* SAKKE no
* ASN: yes
* Anonymous cipher: no
* CODING: yes
* MEMORY: yes
* I/O POOL: no
* wolfSentry: no
* LIGHTY: no
* WPA Supplicant: no
* HAPROXY: no
* STUNNEL: no
* tcpdump: no
* libssh2: no
* ntp: no
* rsyslog: no
* Apache httpd: no
* NGINX: no
* OpenResty: no
* ASIO: no
* LIBWEBSOCKETS: no
* Qt: no
* Qt Unit Testing: no
* SIGNAL: no
* chrony: no
* strongSwan: no
* OpenLDAP: no
* hitch: no
* memcached: no
* Mosquitto no
* ERROR_STRINGS: yes
* DTLS: no
* DTLS v1.3: no
* SCTP: no
* SRTP: no
* Indefinite Length: no
* Multicast: no
* SSL v3.0 (Old): no
* TLS v1.0 (Old): no
* TLS v1.1 (Old): no
* TLS v1.2: yes
* TLS v1.3: yes
* RPK: no
* Post-handshake Auth: no
* Early Data: no
* QUIC: no
* Send State in HRR Cookie: undefined
* OCSP: no
* OCSP Stapling: no
* OCSP Stapling v2: no
* CRL: no
* CRL-MONITOR: no
* Persistent session cache: no
* Persistent cert cache: no
* Atomic User Record Layer: no
* Public Key Callbacks: no
* libxmss: no
* liblms: no
* liboqs: no
* Whitewood netRandom: no
* Server Name Indication: yes
* ALPN: no
* Maximum Fragment Length: no
* Trusted CA Indication: no
* Truncated HMAC: no
* Supported Elliptic Curves: yes
* FFDHE only in client: no
* Session Ticket: no
* Extended Master Secret: yes
* Renegotiation Indication: no
* Secure Renegotiation: no
* Fallback SCSV: no
* Keying Material Exporter: no
* All TLS Extensions: no
* S/MIME: no
* PKCS#7: no
* PKCS#8: yes
* PKCS#11: no
* PKCS#12: yes
* wolfSSH: no
* wolfEngine: no
* wolfTPM: no
* wolfCLU: no
* wolfSCEP: no
* Secure Remote Password: no
* Small Stack: no
* Linux Kernel Module: no
* valgrind unit tests: no
* LIBZ: no
* Examples: yes
* Crypt tests: yes
* Stack sizes in tests: no
* Heap stats in tests: no
* Asynchronous Crypto: no
* Asynchronous Crypto (sim): no
* Cavium Nitrox: no
* Cavium Octeon (Sync): no
* Intel Quick Assist: no
* ARM ASM: no
* ARM ASM SHA512/SHA3 Crypto no
* ARM ASM SM3/SM4 Crypto no
* RISC-V ASM no
* Write duplicate: no
* Xilinx Hardware Acc.: no
* C89: no
* Inline Code: yes
* Linux AF_ALG: no
* Linux KCAPI: no
* Linux devcrypto: no
* PK callbacks: no
* Crypto callbacks: no
* i.MX CAAM: no
* IoT-Safe: no
* IoT-Safe HWRNG: no
* NXP SE050: no
* Maxim Integrated MAXQ10XX: no
* PSA: no
* System CA certs: yes
* Dual alg cert support: no
* ERR Queues per Thread: yes
* rwlock: no
* keylog export: no
* AutoSAR : no
---
./configure flags: 'CFLAGS=-DNO_AES_192 -DNO_AES_256 -DWOLFSSL_SP_NO_256' --disable-aesgcm --disable-aescbc --enable-aesccm --enable-aesctr --enable-tls13 --enable-rsapss LIBS=-lm
---
Reproduction steps
- ./configure CFLAGS="-DNO_AES_192 -DNO_AES_256 -DWOLFSSL_SP_NO_256" --disable-aesgcm --disable-aescbc --enable-aesccm --enable-aesctr --enable-tls13 --enable-rsapss LIBS=-lm
- make
- sudo make install
Execute the commands below in separate windows:
- ./examples/server/server -v 4 -c rsa_srv_cert.pem -k rsa_srv_pvt.pem -A rsa_cert.pem -D dh_param.pem
- ./examples/client/client -h 127.0.0.1 -v 4 -c rsa_cli_cert.pem -k rsa_cli_pvt.pem -A rsa_cert.pem -y
Relevant log output
err=-308, server_test, examples/server/server.c, 3601
SSL_accept error -308, error state on socket
server_test, examples/server/server.c, 3630
wolfSSL error: SSL_accept failed
Hi @sroy9gmu ,
Which ECC curve are you trying to use? I noticed you are supplying WOLFSSL_SP_NO_256. Is that because you are trying to disable ECC P256? If so, please also add -DNO_ECC256.
For TLS v1.3 and AES CCM-8 I don't see it supported, but I will let the support captain @anhu run some tests. I only see that we support TLS13-AES256-GCM-SHA384 for AES-256-bit.
Thanks, David Garske, wolfSSL
I did a git pull again now and can see compilation failing with the reproduction steps below:
- git pull
- make clean
- ./configure CFLAGS="-DNO_AES_192 -DNO_AES_256 -DNO_ECC256" --disable-aesgcm --disable-aescbc --enable-aesccm --enable-aesctr --enable-tls13 --enable-rsapss LIBS=-lm
---
Configuration summary for wolfssl version 5.8.0
* Installation prefix: /usr/local
* System type: pc-linux-gnu
* Host CPU: x86_64
* C Compiler: gcc
* C Flags: -DNO_AES_192 -DNO_AES_256 -DNO_ECC256 -Werror -Wno-pragmas -Wall -Wextra -Wunknown-pragmas --param=ssp-buffer-size=1 -Waddress -Warray-bounds -Wbad-function-cast -Wchar-subscripts -Wcomment -Wfloat-equal -Wformat-security -Wformat=2 -Wmaybe-uninitialized -Wmissing-field-initializers -Wmissing-noreturn -Wmissing-prototypes -Wnested-externs -Wnormalized=id -Woverride-init -Wpointer-arith -Wpointer-sign -Wshadow -Wsign-compare -Wstrict-overflow=1 -Wstrict-prototypes -Wswitch-enum -Wundef -Wunused -Wunused-result -Wunused-variable -Wwrite-strings -fwrapv
* C++ Compiler:
* C++ Flags:
* CPP Flags:
* CCAS Flags: -DNO_AES_192 -DNO_AES_256 -DNO_ECC256
* LD Flags:
* LIB Flags: -pie -z relro -z now -Werror
* Library Suffix:
* Debug enabled: no
* Coverage enabled:
* Warnings as failure: yes
* make -j: 9
* VCS checkout: yes
./configure flags: 'CFLAGS=-DNO_AES_192 -DNO_AES_256 -DNO_ECC256' --disable-aesgcm --disable-aescbc --enable-aesccm --enable-aesctr --enable-tls13 --enable-rsapss LIBS=-lm
---
- make
wolfcrypt/test/test.c:29663:10: error: #error No ECC keygen size defined for test
29663 | #error No ECC keygen size defined for test
| ^~~~~
wolfcrypt/test/test.c: In function ‘ecc_test_make_pub’:
wolfcrypt/test/test.c:30941:33: error: ‘ECC_KEYGEN_SIZE’ undeclared (first use in this function); did you mean ‘RC4_KEY_SIZE’?
30941 | ret = wc_ecc_make_key(rng, ECC_KEYGEN_SIZE, key);
| ^~~~~~~~~~~~~~~
| RC4_KEY_SIZE
wolfcrypt/test/test.c:30941:33: note: each undeclared identifier is reported only once for each function it appears in
CC examples/server/server-server.o
CC examples/asn1/asn1.o
CC examples/pem/pem.o
CC wolfcrypt/test/testsuite_testsuite_test-test.o
wolfcrypt/test/test.c: In function ‘ecc_def_curve_test’:
wolfcrypt/test/test.c:32363:32: error: ‘ECC_KEYGEN_SIZE’ undeclared (first use in this function); did you mean ‘RC4_KEY_SIZE’?
32363 | ret = wc_ecc_make_key(rng, ECC_KEYGEN_SIZE, key);
| ^~~~~~~~~~~~~~~
| RC4_KEY_SIZE
CC examples/client/testsuite_testsuite_test-client.o
CC examples/echoclient/testsuite_testsuite_test-echoclient.o
wolfcrypt/test/test.c:32401:29: error: ‘eccKeyDerFile’ undeclared (first use in this function); did you mean ‘eccPubKeyDerFile’?
32401 | XFILE file = XFOPEN(eccKeyDerFile, "rb");
| ^~~~~~~~~~~~~
| eccPubKeyDerFile
wolfcrypt/test/test.c: In function ‘ecc_test_allocator’:
wolfcrypt/test/test.c:33611:32: error: ‘ECC_KEYGEN_SIZE’ undeclared (first use in this function); did you mean ‘RC4_KEY_SIZE’?
33611 | ret = wc_ecc_make_key(rng, ECC_KEYGEN_SIZE, key);
| ^~~~~~~~~~~~~~~
| RC4_KEY_SIZE
CC examples/echoserver/testsuite_testsuite_test-echoserver.o
CC examples/server/testsuite_testsuite_test-server.o
CC testsuite/testsuite_test-testsuite.o
make[2]: *** [Makefile:7650: wolfcrypt/test/test.o] Error 1
make[2]: *** Waiting for unfinished jobs....
I am testing AES-128-CCM mode only, as shown by the settings below:
* AES-GCM: no
* AES-GCM streaming: no
* AES-CCM: yes
* AES-CTR: yes
Previously I tested AES-128-GCM mode and FFDHE_2048 successfully using the settings below:
./configure CFLAGS="-DNO_AES_192 -DNO_AES_256 -DWOLFSSL_SP_NO_256" --enable-aesgcm --enable-aesctr --enable-tls13 --enable-rsapss LIBS=-lm
Thanks for all the details. I'll need to look into this for you. Please stay tuned. Warm regards, Anthony
Sorry it has taken so long for me to get to this! It fell off my plate, I suppose. I've reproduced what you are seeing. I'll need to dig into this further.
I think I understand what you are seeing now. You are disabling ECC 256 but you are not enabling any larger sizes by using flags such as HAVE_ECC521.
Thus you are bumping into this error:
#if !defined(NO_ECC256) || defined(WOLFSSL_SM2)
#define ECC_KEYGEN_SIZE 32
#elif defined(HAVE_ECC384)
#define ECC_KEYGEN_SIZE 48
#elif defined(HAVE_ECC224)
#define ECC_KEYGEN_SIZE 28
#elif defined(HAVE_ECC521)
#define ECC_KEYGEN_SIZE 66
#else
#error No ECC keygen size defined for test
#endif
Do you want to use ECC at larger sizes?
If so, please define HAVE_ECCxxx, where xxx is 384, 224, or 521.
If not, then instead of -DNO_ECC256 please use --disable-ecc.
I have tested both approaches and they both build successfully. This message will close this bug. Please re-open if something further comes up.
Warm regards, Anthony
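As an added pre-flight check, not code from wolfSSL or from anyone in this thread: a small POSIX sh function that reproduces the #if chain Anthony quotes and reports, before you run configure, which ECC_KEYGEN_SIZE a given CFLAGS string would give the test build, or that the test build would fail. It assumes the curve sizes are controlled only by -D defines in CFLAGS and that ECC is switched off only via a --disable-ecc configure argument; the has_define and ecc_keygen_size names are mine.

```shell
#!/bin/sh
# Added pre-flight check (not part of wolfSSL) for the trap discussed in this
# thread: -DNO_ECC256 with no larger curve enabled makes wolfcrypt/test/test.c
# hit "#error No ECC keygen size defined for test". The function mirrors the
# #if chain quoted above, looking only at -D defines in CFLAGS and at
# --disable-ecc among the configure arguments.

has_define() {
    # $1 = CFLAGS string, $2 = macro name; matches -DNAME and -DNAME=value
    case " $1 " in
        *" -D$2 "*|*" -D$2="*) return 0 ;;
        *) return 1 ;;
    esac
}

# Prints the ECC_KEYGEN_SIZE the test build would select, "ecc-disabled" when
# --disable-ecc is given, or "none" (and returns 1) when the build would fail.
ecc_keygen_size() {
    cflags=$1
    cfg=$2
    case " $cfg " in
        *" --disable-ecc "*) echo "ecc-disabled"; return 0 ;;
    esac
    if has_define "$cflags" WOLFSSL_SP_NO_256 && ! has_define "$cflags" NO_ECC256; then
        # WOLFSSL_SP_NO_256 alone does not disable P-256 (see David's comment)
        echo "note: WOLFSSL_SP_NO_256 does not disable ECC P-256; add -DNO_ECC256 for that" >&2
    fi
    if ! has_define "$cflags" NO_ECC256 || has_define "$cflags" WOLFSSL_SM2; then
        echo 32
    elif has_define "$cflags" HAVE_ECC384; then
        echo 48
    elif has_define "$cflags" HAVE_ECC224; then
        echo 28
    elif has_define "$cflags" HAVE_ECC521; then
        echo 66
    else
        echo none
        return 1
    fi
}

# Usage with the two CFLAGS strings from this thread (the second one fails):
ecc_keygen_size "-DNO_AES_192 -DNO_AES_256 -DWOLFSSL_SP_NO_256" "--enable-tls13"
ecc_keygen_size "-DNO_AES_192 -DNO_AES_256 -DNO_ECC256" "--enable-tls13" || echo "build would fail" >&2
```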