oqs-provider: oqs_tlssig fails against OpenSSL 3.2.1

Describe the bug: oqs_tlssig fails when built against OpenSSL 3.2.1

To Reproduce: Build liboqs and OQS provider against OpenSSL 3.2; make test

Expected behavior: Test passes

Environment (please complete the following information):

  • OS: CentOS 10
  • OpenSSL version 3.2.1
  • oqsprovider version 0.5.3

Additional context: Diagnostics (see also https://github.com/open-quantum-safe/oqs-provider/pull/357) are:

4: SSL_accept() failed returning -1, SSL error 1. 000003FF947FADE0:error:0A000076:SSL routines:tls_choose_sigalg:no suitable signature algorithm:ssl/t1_lib.c:3774:
4: SSL_connect() failed returning -1, SSL error 1. 000003FF947FADE0:error:0A000410:SSL routines:ssl3_read_bytes:ssl/tls alert handshake failure:ssl/record/rec_layer_s3.c:865:SSL alert number 40
4:   TLS-SIG handshake test failed: dilithium2, return code: -5

Can it be related to https://github.com/openssl/openssl/pull/22779?

About this issue

  • State: open
  • Created 4 months ago
  • Comments: 16 (15 by maintainers)

Most upvoted comments

Can it be related to https://github.com/openssl/openssl/pull/22779?

Unlikely as the error cannot be reproduced using oqsprovider “main” branch (Ubuntu, though – but @openssl-3.2.1 tag).

Also, error cannot be reproduced using oqsprovider 0.5.3. Please double check for correctness of setup:

$ ./scripts/runtests.sh  -V
Test setup:
LD_LIBRARY_PATH=/home/mib/git/oqs/oqs-provider/.local/lib64
OPENSSL_APP=/home/mib/git/oqs/oqs-provider/openssl/apps/openssl
OPENSSL_CONF=/home/mib/git/oqs/oqs-provider/scripts/openssl-ca.cnf
OPENSSL_MODULES=/home/mib/git/oqs/oqs-provider/_build/lib
Version information:
OpenSSL 3.2.1 30 Jan 2024 (Library: OpenSSL 3.2.1 30 Jan 2024)
Providers:
  default
    name: OpenSSL Default Provider
    version: 3.2.1
    status: active
    build info: 3.2.1
    gettable provider parameters:
      name: pointer to a UTF8 encoded string (arbitrary size)
      version: pointer to a UTF8 encoded string (arbitrary size)
      buildinfo: pointer to a UTF8 encoded string (arbitrary size)
      status: integer (arbitrary size)
  oqsprovider
    name: OpenSSL OQS Provider
    version: 0.5.3
    status: active
    build info: OQS Provider v.0.5.3 (42ff366) based on liboqs v.0.9.2
    gettable provider parameters:
      name: pointer to a UTF8 encoded string (arbitrary size)
      version: pointer to a UTF8 encoded string (arbitrary size)
      buildinfo: pointer to a UTF8 encoded string (arbitrary size)
      status: integer (arbitrary size)
Cert gen/verify, CMS sign/verify, CA tests for all enabled OQS signature algorithms commencing: 
Testing dilithium2
.Testing p256_dilithium2
.Testing rsa3072_dilithium2
.Testing dilithium3
.Testing p384_dilithium3
.Testing dilithium5
.Testing p521_dilithium5
.Testing falcon512
.Testing p256_falcon512
.Testing rsa3072_falcon512
.Testing falcon1024
.Testing p521_falcon1024
.Testing sphincssha2128fsimple
.Testing p256_sphincssha2128fsimple
.Testing rsa3072_sphincssha2128fsimple
.Testing sphincssha2128ssimple
.Testing p256_sphincssha2128ssimple
.Testing rsa3072_sphincssha2128ssimple
.Testing sphincssha2192fsimple
.Testing p384_sphincssha2192fsimple
.Testing sphincsshake128fsimple
.Testing p256_sphincsshake128fsimple
.Testing rsa3072_sphincsshake128fsimple
.Certificates successfully generated in /home/mib/git/oqs/oqs-provider/tmp

External interop tests commencing
 Cloudflare:
kex=X25519Kyber768Draft00
kex=X25519Kyber512Draft00
UpdateCTestConfiguration  from :/home/mib/git/oqs/oqs-provider/_build/DartConfiguration.tcl
UpdateCTestConfiguration  from :/home/mib/git/oqs/oqs-provider/_build/DartConfiguration.tcl
Test project /home/mib/git/oqs/oqs-provider/_build
Constructing a list of tests
Done constructing a list of tests
Updating test list for fixtures
Added 0 tests to meet fixture requirements
Checking test dependency graph...
Checking test dependency graph end
test 1
    Start 1: oqs_signatures

1: Test command: /home/mib/git/oqs/oqs-provider/_build/test/oqs_test_signatures "oqsprovider" "/home/mib/git/oqs/oqs-provider/test/oqs.cnf"
1: Environment variables: 
1:  OPENSSL_MODULES=/home/mib/git/oqs/oqs-provider/_build/lib
1: Test timeout computed to be: 10000000
1:   Signature test succeeded: dilithium2
1:   Signature test succeeded: p256_dilithium2
1:   Signature test succeeded: rsa3072_dilithium2
1:   Signature test succeeded: dilithium3
1:   Signature test succeeded: p384_dilithium3
1:   Signature test succeeded: dilithium5
1:   Signature test succeeded: p521_dilithium5
1:   Signature test succeeded: falcon512
1:   Signature test succeeded: p256_falcon512
1:   Signature test succeeded: rsa3072_falcon512
1:   Signature test succeeded: falcon1024
1:   Signature test succeeded: p521_falcon1024
1:   Signature test succeeded: sphincssha2128fsimple
1:   Signature test succeeded: p256_sphincssha2128fsimple
1:   Signature test succeeded: rsa3072_sphincssha2128fsimple
1:   Signature test succeeded: sphincssha2128ssimple
1:   Signature test succeeded: p256_sphincssha2128ssimple
1:   Signature test succeeded: rsa3072_sphincssha2128ssimple
1:   Signature test succeeded: sphincssha2192fsimple
1:   Signature test succeeded: p384_sphincssha2192fsimple
1:   Signature test succeeded: sphincsshake128fsimple
1:   Signature test succeeded: p256_sphincsshake128fsimple
1:   Signature test succeeded: rsa3072_sphincsshake128fsimple
1:   Test passed
1/5 Test #1: oqs_signatures ...................   Passed    2.17 sec
test 2
    Start 2: oqs_kems

2: Test command: /home/mib/git/oqs/oqs-provider/_build/test/oqs_test_kems "oqsprovider" "/home/mib/git/oqs/oqs-provider/test/oqs.cnf"
2: Environment variables: 
2:  OPENSSL_MODULES=/home/mib/git/oqs/oqs-provider/_build/lib
2: Test timeout computed to be: 10000000
2:   KEM test succeeded: frodo640aes
2:   KEM test succeeded: p256_frodo640aes
2:   KEM test succeeded: x25519_frodo640aes
2:   KEM test succeeded: frodo640shake
2:   KEM test succeeded: p256_frodo640shake
2:   KEM test succeeded: x25519_frodo640shake
2:   KEM test succeeded: frodo976aes
2:   KEM test succeeded: p384_frodo976aes
2:   KEM test succeeded: x448_frodo976aes
2:   KEM test succeeded: frodo976shake
2:   KEM test succeeded: p384_frodo976shake
2:   KEM test succeeded: x448_frodo976shake
2:   KEM test succeeded: frodo1344aes
2:   KEM test succeeded: p521_frodo1344aes
2:   KEM test succeeded: frodo1344shake
2:   KEM test succeeded: p521_frodo1344shake
2:   KEM test succeeded: kyber512
2:   KEM test succeeded: p256_kyber512
2:   KEM test succeeded: x25519_kyber512
2:   KEM test succeeded: kyber768
2:   KEM test succeeded: p384_kyber768
2:   KEM test succeeded: x448_kyber768
2:   KEM test succeeded: x25519_kyber768
2:   KEM test succeeded: p256_kyber768
2:   KEM test succeeded: kyber1024
2:   KEM test succeeded: p521_kyber1024
2:   KEM test succeeded: bikel1
2:   KEM test succeeded: p256_bikel1
2:   KEM test succeeded: x25519_bikel1
2:   KEM test succeeded: bikel3
2:   KEM test succeeded: p384_bikel3
2:   KEM test succeeded: x448_bikel3
2:   KEM test succeeded: bikel5
2:   KEM test succeeded: p521_bikel5
2:   KEM test succeeded: hqc128
2:   KEM test succeeded: p256_hqc128
2:   KEM test succeeded: x25519_hqc128
2:   KEM test succeeded: hqc192
2:   KEM test succeeded: p384_hqc192
2:   KEM test succeeded: x448_hqc192
2:   KEM test succeeded: hqc256
2:   KEM test succeeded: p521_hqc256
2:   Test passed
2/5 Test #2: oqs_kems .........................   Passed    0.17 sec
test 3
    Start 3: oqs_groups

3: Test command: /home/mib/git/oqs/oqs-provider/_build/test/oqs_test_groups "oqsprovider" "/home/mib/git/oqs/oqs-provider/test/oqs.cnf" "/home/mib/git/oqs/oqs-provider/test"
3: Environment variables: 
3:  OPENSSL_MODULES=/home/mib/git/oqs/oqs-provider/_build/lib
3: Test timeout computed to be: 10000000
3:   TLS-KEM handshake test succeeded: frodo640aes
3:   TLS-KEM handshake test succeeded: p256_frodo640aes
3:   TLS-KEM handshake test succeeded: x25519_frodo640aes
3:   TLS-KEM handshake test succeeded: frodo640shake
3:   TLS-KEM handshake test succeeded: p256_frodo640shake
3:   TLS-KEM handshake test succeeded: x25519_frodo640shake
3:   TLS-KEM handshake test succeeded: frodo976aes
3:   TLS-KEM handshake test succeeded: p384_frodo976aes
3:   TLS-KEM handshake test succeeded: x448_frodo976aes
3:   TLS-KEM handshake test succeeded: frodo976shake
3:   TLS-KEM handshake test succeeded: p384_frodo976shake
3:   TLS-KEM handshake test succeeded: x448_frodo976shake
3:   TLS-KEM handshake test succeeded: frodo1344aes
3:   TLS-KEM handshake test succeeded: p521_frodo1344aes
3:   TLS-KEM handshake test succeeded: frodo1344shake
3:   TLS-KEM handshake test succeeded: p521_frodo1344shake
3:   TLS-KEM handshake test succeeded: kyber512
3:   TLS-KEM handshake test succeeded: p256_kyber512
3:   TLS-KEM handshake test succeeded: x25519_kyber512
3:   TLS-KEM handshake test succeeded: kyber768
3:   TLS-KEM handshake test succeeded: p384_kyber768
3:   TLS-KEM handshake test succeeded: x448_kyber768
3:   TLS-KEM handshake test succeeded: x25519_kyber768
3:   TLS-KEM handshake test succeeded: p256_kyber768
3:   TLS-KEM handshake test succeeded: kyber1024
3:   TLS-KEM handshake test succeeded: p521_kyber1024
3:   TLS-KEM handshake test succeeded: bikel1
3:   TLS-KEM handshake test succeeded: p256_bikel1
3:   TLS-KEM handshake test succeeded: x25519_bikel1
3:   TLS-KEM handshake test succeeded: bikel3
3:   TLS-KEM handshake test succeeded: p384_bikel3
3:   TLS-KEM handshake test succeeded: x448_bikel3
3:   TLS-KEM handshake test succeeded: bikel5
3:   TLS-KEM handshake test succeeded: p521_bikel5
3:   TLS-KEM handshake test succeeded: hqc128
3:   TLS-KEM handshake test succeeded: p256_hqc128
3:   TLS-KEM handshake test succeeded: x25519_hqc128
3:   TLS-KEM handshake test succeeded: hqc192
3:   TLS-KEM handshake test succeeded: p384_hqc192
3:   TLS-KEM handshake test succeeded: x448_hqc192
3:   TLS-KEM handshake test succeeded: hqc256
3:   TLS-KEM handshake test succeeded: p521_hqc256
3:   Test passed
3/5 Test #3: oqs_groups .......................   Passed    0.25 sec
test 4
    Start 4: oqs_tlssig

4: Test command: /home/mib/git/oqs/oqs-provider/_build/test/oqs_test_tlssig "oqsprovider" "/home/mib/git/oqs/oqs-provider/test/openssl-ca.cnf" "/home/mib/git/oqs/oqs-provider/_build/test/tmp"
4: Environment variables: 
4:  OPENSSL_MODULES=/home/mib/git/oqs/oqs-provider/_build/lib
4: Test timeout computed to be: 10000000
4:   TLS-SIG handshake test succeeded: dilithium2
4:   TLS-SIG handshake test succeeded: p256_dilithium2
4:   TLS-SIG handshake test succeeded: rsa3072_dilithium2
4:   TLS-SIG handshake test succeeded: dilithium3
4:   TLS-SIG handshake test succeeded: p384_dilithium3
4:   TLS-SIG handshake test succeeded: dilithium5
4:   TLS-SIG handshake test succeeded: p521_dilithium5
4:   TLS-SIG handshake test succeeded: falcon512
4:   TLS-SIG handshake test succeeded: p256_falcon512
4:   TLS-SIG handshake test succeeded: rsa3072_falcon512
4:   TLS-SIG handshake test succeeded: falcon1024
4:   TLS-SIG handshake test succeeded: p521_falcon1024
4:   TLS-SIG handshake test succeeded: sphincssha2128fsimple
4:   TLS-SIG handshake test succeeded: p256_sphincssha2128fsimple
4:   TLS-SIG handshake test succeeded: rsa3072_sphincssha2128fsimple
4:   TLS-SIG handshake test succeeded: sphincssha2128ssimple
4:   TLS-SIG handshake test succeeded: p256_sphincssha2128ssimple
4:   TLS-SIG handshake test succeeded: rsa3072_sphincssha2128ssimple
4:   TLS-SIG handshake test succeeded: sphincssha2192fsimple
4:   TLS-SIG handshake test succeeded: p384_sphincssha2192fsimple
4:   TLS-SIG handshake test succeeded: sphincsshake128fsimple
4:   TLS-SIG handshake test succeeded: p256_sphincsshake128fsimple
4:   TLS-SIG handshake test succeeded: rsa3072_sphincsshake128fsimple
4:   Test passed
4/5 Test #4: oqs_tlssig .......................   Passed    1.86 sec
test 5
    Start 5: oqs_endecode

5: Test command: /home/mib/git/oqs/oqs-provider/_build/test/oqs_test_endecode "oqsprovider" "/home/mib/git/oqs/oqs-provider/test/openssl-ca.cnf"
5: Environment variables: 
5:  OPENSSL_MODULES=/home/mib/git/oqs/oqs-provider/_build/lib
5: Test timeout computed to be: 10000000
5:   Encoding/Decoding test succeeded: dilithium2
5:   Encoding/Decoding test succeeded: p256_dilithium2
5:   Encoding/Decoding test succeeded: rsa3072_dilithium2
5:   Encoding/Decoding test succeeded: dilithium3
5:   Encoding/Decoding test succeeded: p384_dilithium3
5:   Encoding/Decoding test succeeded: dilithium5
5:   Encoding/Decoding test succeeded: p521_dilithium5
5:   Encoding/Decoding test succeeded: falcon512
5:   Encoding/Decoding test succeeded: p256_falcon512
5:   Encoding/Decoding test succeeded: rsa3072_falcon512
5:   Encoding/Decoding test succeeded: falcon1024
5:   Encoding/Decoding test succeeded: p521_falcon1024
5:   Encoding/Decoding test succeeded: sphincssha2128fsimple
5:   Encoding/Decoding test succeeded: p256_sphincssha2128fsimple
5:   Encoding/Decoding test succeeded: rsa3072_sphincssha2128fsimple
5:   Encoding/Decoding test succeeded: sphincssha2128ssimple
5:   Encoding/Decoding test succeeded: p256_sphincssha2128ssimple
5:   Encoding/Decoding test succeeded: rsa3072_sphincssha2128ssimple
5:   Encoding/Decoding test succeeded: sphincssha2192fsimple
5:   Encoding/Decoding test succeeded: p384_sphincssha2192fsimple
5:   Encoding/Decoding test succeeded: sphincsshake128fsimple
5:   Encoding/Decoding test succeeded: p256_sphincsshake128fsimple
5:   Encoding/Decoding test succeeded: rsa3072_sphincsshake128fsimple
5:   Test passed
5/5 Test #5: oqs_endecode .....................   Passed    4.53 sec

100% tests passed, 0 tests failed out of 5

Total Test time (real) =   8.98 sec

All oqsprovider tests passed.
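
One way to automate the setup check requested in the comment above, as an added example that is not part of the original thread or of oqs-provider: the hypothetical `check_setup` function parses the version header in the format shown in the log and flags an `openssl` app/library version mismatch or a missing or inactive `oqsprovider`. The sample header is constructed.

```shell
#!/bin/sh
# Added example: check_setup is a hypothetical helper, not part of oqs-provider.
# It reads the "Version information" header (format as printed above) on stdin,
# prints one finding per line and returns non-zero if anything looks wrong.
check_setup() {
    awk '
    # e.g. "OpenSSL 3.2.1 30 Jan 2024 (Library: OpenSSL 3.2.1 30 Jan 2024)"
    /^OpenSSL [0-9]/ && /\(Library: OpenSSL / {
        app = $2
        lib = $0
        sub(/.*\(Library: OpenSSL /, "", lib)   # drop everything before the library version
        sub(/ .*/, "", lib)                     # drop the build date after it
        seen = 1
        if (app != lib) { print "MISMATCH app=" app " library=" lib; bad = 1 }
    }
    /^  [A-Za-z]/ { prov = $1 }                 # provider names are indented two spaces
    /^    status:/ { status[prov] = $2 }        # four-space fields belong to that provider
    END {
        if (!seen) { print "MISSING openssl version line"; bad = 1 }
        if (!("oqsprovider" in status)) { print "MISSING oqsprovider"; bad = 1 }
        else if (status["oqsprovider"] != "active") {
            print "INACTIVE oqsprovider status=" status["oqsprovider"]; bad = 1
        }
        exit bad + 0
    }'
}

# Constructed sample: the openssl app on PATH is older than the libcrypto it loaded.
SAMPLE_HEADER='OpenSSL 3.0.7 1 Nov 2022 (Library: OpenSSL 3.2.1 30 Jan 2024)
Providers:
  default
    name: OpenSSL Default Provider
    version: 3.2.1
    status: active
  oqsprovider
    name: OpenSSL OQS Provider
    version: 0.5.3
    status: active'
printf '%s\n' "$SAMPLE_HEADER" | check_setup || echo "setup needs attention"
```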