[Bug]: wolfSSL QUIC handshake failure

[icing]

Contact Details

stefan.eissing@gmail.com

Version

all

Description

As reported in ngtcp2/ngtcp2#1193. Fixing the returned ciper in

wolfssl/src/quic.c

Line 997 in c768f76

evp_cipher = wolfSSL_EVP_aes_128_ctr();

from wolfSSL_EVP_aes_128_ctr to wolfSSL_EVP_aes_128_ccm fixes the assertion failure, but handshake still fails for some reason.

Reproduction steps

No response

Relevant log output

No response

[nbars]

Hey,

Does this mean that instead of using the CCM mode, the CTR mode was always used?

[julek-wolfssl]

Hi @icing

I cleaned up the EVP layer usage in quic in a PR here: #7465. Thanks for the report.

Juliusz

[icing]

QUIC handshake is now failing in tests at ngtcp2 and curl CI. Easiest to reproduce probably in ngtcp2.

Build https://github.com/ngtcp2/ngtcp2 as in the instructions with wolfssl and another tls lib (openssl-quictls or gnutls or boring). Run pytest:

> pytest -v -k test_01
examples/tests/test_01_handshake.py::TestHandshake::test_01_01_get[quictls-quictls] PASSED                                                                                                     [  6%]
examples/tests/test_01_handshake.py::TestHandshake::test_01_01_get[quictls-boringssl] PASSED                                                                                                   [ 12%]
examples/tests/test_01_handshake.py::TestHandshake::test_01_01_get[quictls-picotls] PASSED                                                                                                     [ 18%]
examples/tests/test_01_handshake.py::TestHandshake::test_01_01_get[quictls-wolfssl] FAILED                                                                                                     [ 25%]
examples/tests/test_01_handshake.py::TestHandshake::test_01_01_get[boringssl-quictls] PASSED                                                                                                   [ 31%]
examples/tests/test_01_handshake.py::TestHandshake::test_01_01_get[boringssl-boringssl] PASSED                                                                                                 [ 37%]
examples/tests/test_01_handshake.py::TestHandshake::test_01_01_get[boringssl-picotls] PASSED                                                                                                   [ 43%]
examples/tests/test_01_handshake.py::TestHandshake::test_01_01_get[boringssl-wolfssl] FAILED                                                                                                   [ 50%]
examples/tests/test_01_handshake.py::TestHandshake::test_01_01_get[picotls-quictls] PASSED                                                                                                     [ 56%]
examples/tests/test_01_handshake.py::TestHandshake::test_01_01_get[picotls-boringssl] PASSED                                                                                                   [ 62%]
examples/tests/test_01_handshake.py::TestHandshake::test_01_01_get[picotls-picotls] PASSED                                                                                                     [ 68%]
...

You see that wolfssl can only connect if it is used in client and server. The problem seems to be cipher selection as in the logs you'll see ` pkt packet has incorrect reserved bits...pkt could not decrypt packet payload"

[julek-wolfssl]

#7477 will fix that. My previous commit was wrongly assuming what wolfSSL_quic_get_hp is returning. It would be nice for ngtcp2_crypto_hp_mask to include an explanation why CTR is necessary instead of ECB for AES.