Topic: OpenSSL compatibility

Hello all,

I am a beginner user with wolfssl. I already have my openssl app that works and I wanted to port it to wolfssl. I am having issues with a couple of things that I am having trouble with. Building my code gives me the following errors:

undefined reference to `wolfSSL_EC_KEY_dup'
undefined reference to `EC_GROUP_get0_generator'
undefined reference to `wolfSSL_EC_POINT_is_on_curve'
undefined reference to `PEM_write_PrivateKey'

I assume these without the wolfSSL prefix do not exist?
Also, some of these warnings seem strange to me. Like this:

note: expected ‘WOLFSSL_EC_GROUP *’ {aka ‘struct WOLFSSL_EC_GROUP *’} but argument is of type ‘const EC_GROUP *’ {aka ‘const struct WOLFSSL_EC_GROUP *’}
  217 | int wolfSSL_EC_KEY_set_group(WOLFSSL_EC_KEY *key, WOLFSSL_EC_GROUP *group);

My includes are set up like this:
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <errno.h>
#include <wolfssl/options.h>
#include <wolfssl/openssl/ssl.h>
#include <wolfssl/openssl/ec.h>
#include <wolfssl/openssl/bn.h>
#include <wolfssl/openssl/bio.h>
#include <wolfssl/openssl/ecdh.h>
#include <wolfssl/openssl/objects.h>
#include <wolfssl/openssl/rand.h>
#include <wolfssl/openssl/pem.h>
#include <wolfssl/openssl/evp.h>

Do you have any advice on how to proceed?
Thank you

Re: OpenSSL compatibility

Hello,

Which version of wolfSSL are you using?  If you aren't using our latest release (5.4.0), try upgrading and let me know if it helps.
How are you building wolfSSL?  Can you share your build settings (user_settings.h or ./configure line)?
Your includes look correct, make sure you have <wolfssl/options.h> included before all other wolfssl headers in all files using these headers.

Thanks,
Kareem

Re: OpenSSL compatibility

Thanks for your help.

I installed and compiled this one: wolfssl-5.4.0.zip.

I used the following command: ./configure --enable-opensslextra

and this is my Makefile:

CFLAGS=-c -g -O0 -Wextra -Wall -pedantic -std=gnu99 -lwolfssl
LDFLAGS=-lwolfssl
SOURCES=$(wildcard *.c)
OBJECTS=$(SOURCES:.c=.o)
EXEC=ecqv
CC=gcc

all: $(SOURCES) $(EXEC)

$(EXEC): $(OBJECTS)
    $(CC) -o $@ $(OBJECTS) $(LDFLAGS)

.c.o:
    $(CC) $(CFLAGS) $< -o $@

clean:
    rm -f *.o $(EXEC)

And this was my openssl one:

CFLAGS=-c -g -O0 -Wextra -Wall -pedantic -std=gnu99 `pkg-config --cflags openssl`
LDFLAGS=`pkg-config --libs openssl`
SOURCES=$(wildcard *.c)
OBJECTS=$(SOURCES:.c=.o)
EXEC=ecqv
CC=gcc

all: $(SOURCES) $(EXEC)

$(EXEC): $(OBJECTS)
    $(CC) -o $@ $(OBJECTS) $(LDFLAGS)

.c.o:
    $(CC) $(CFLAGS) $< -o $@

clean:
    rm -f *.o $(EXEC)

I am using Ubuntu 20.04.4 LTS but as a subsystem on Windows.

Thanks

Re: OpenSSL compatibility

Happy to help.

For wolfSSL_EC_KEY_dup, you'll need OpenSSL all enabled as well, so you'll need to add --enable-opensslall to your ./configure line.
wolfSSL_EC_POINT_is_on_curve requires USE_ECC_B_PARAM.  Add CFLAGS='-DUSE_ECC_B_PARAM' to your configure line.

We don't currently support EC_GROUP_get0_generator or PEM_write_PrivateKey.  You will need to replace these functions, or send a request to support AT wolfssl DOT com if you'd like to see these added to our compatibility layer.
I also wanted to note we provide wolfEngine, for full OpenSSL compatibility: https://github.com/wolfSSL/wolfEngine  But we do recommend using our OpenSSL compatibility layer when possible.

5 (edited by juvebogdan 2022-07-25 12:06:12)

Re: OpenSSL compatibility

Thanks for the help.

I am having issues with the wolfSSL_PEM_read_PrivateKey function. I am unable to load an EC private key. I see that tests in the source code load "./certs/server-key.pem", which is an RSA private key in PEM format. And this works, but an EC private key doesn't. Is it possible to load an EC private key?

I would also add that these two lines of code do not work for me. There has to be something I am doing wrong:

    if(NULL == (ca_key = EC_KEY_new_by_curve_name(NID_secp256k1)))
        goto ERROR;

    if(1 != EC_KEY_generate_key(ca_key)) goto ERROR;

EC_KEY_generate_key returns 0. I have no errors printed to console.

thanks

Re: OpenSSL compatibility

Happy to help.

What error code is wolfSSL_PEM_read_PrivateKey returning?  Can you provide the private key you are trying to load, and the code you are using?  Feel free to email us at support [AT] wolfssl [DOT] com if this is sensitive info.

Thanks,
Kareem

Re: OpenSSL compatibility

Hello,

I am not able to see any errors. What I am doing is the following:

    EVP_PKEY *pk = wolfSSL_PEM_read_PrivateKey(file, NULL, NULL, NULL);

    if (!pk) {
        fprintf(stderr, "Error reading private key file.\n");
        return NULL;
    }

I uploaded the file I am using. I generated the file using this CLI command:
openssl ecparam -name secp256k1 -genkey -noout -out ca_key.pem

As I said, when I use the file server-key.pem that I found in the /certs directory of the wolfssl github, it works fine. I can upload that one as well if needed.

Thanks

Re: OpenSSL compatibility

kareem_wolfssl wrote:

> Happy to help.
>
> What error code is wolfSSL_PEM_read_PrivateKey returning?  Can you provide the private key you are trying to load, and the code you are using?  Feel free to email us at support [AT] wolfssl [DOT] com if this is sensitive info.
>
> Thanks,
> Kareem

Hi Kareem. I am still having an issue with reading PEM file using function PEM_read_PrivateKey. I went through the source code and used that like this:

    int err = 0;
    WOLFSSL_EVP_PKEY* ret = NULL;
    WOLFSSL_BIO* bio = NULL;
    bio = wolfSSL_BIO_new(wolfSSL_BIO_s_file());
    err = bio == NULL;
    if(err == 0) {
        printf("step 1 \n");
    }
    if (err == 0) {
        err = wolfSSL_BIO_set_fp(bio, file, BIO_NOCLOSE) != WOLFSSL_SUCCESS;
        printf("step 2 \n");
    }
    if (err == 0) {
        ret = wolfSSL_PEM_read_bio_PrivateKey(bio, NULL, NULL, NULL);
        printf("step 3 \n");
    }

    if (bio != NULL) {
        wolfSSL_BIO_free(bio);
    }
    printf("final step");

    if (!ret) {
        //ERR_dump_errors_fp(stdout);
        fprintf(stderr, "Error reading private key file.\n");
        return NULL;
    }

So this is the source code of wolfSSL_PEM_read_PrivateKey, and I get to the final step print but I still have nothing in the ret variable.
Is there something I am doing wrong here? This code works fine with openssl. The PEM file is provided in the above message. Can you help with this?
Thank you

Re: OpenSSL compatibility

Hello,

Your ECC key is using a Koblitz curve which we do not enable support for by default.
Please add --enable-ecccustcurves=all to your configure line, rebuild wolfSSL and let me know if you still see any issues.

Thanks,
Kareem

Re: OpenSSL compatibility

kareem_wolfssl wrote:

> Hello,
>
> Your ECC key is using a Koblitz curve which we do not enable support for by default.
> Please add --enable-ecccustcurves=all to your configure line, rebuild wolfSSL and let me know if you still see any issues.
>
> Thanks,
> Kareem

It works now. Thank you very much.

Re: OpenSSL compatibility

Hello kareem,

Thanks for all the help.

Since I don't have access to the EC_GROUP_get0_generator function, I wanted to load the generator point from a fixed structure. I saw that wolfssl has support for only wolfSSL_EC_POINT_oct2point, so I used OpenSSL and saved the generator point as an octet and tried to use the following code to load it into EC_POINT and print the coordinates:

    EC_POINT *G;
    unsigned char buf[] = {0x02, 0x79, 0xbe, 0x66, 0x7e, 0xf9, 0xdc, 0xbb, 0xac, 0x55, 0xa0, 0x62, 0x95, 0xce, 0x87, 0x0b, 0x07, 0x02, 0x9b, 0xfc, 0xdb, 0x2d, 0xce, 0x28, 0xd9, 0x59, 0xf2, 0x81, 0x5b, 0x16, 0xf8, 0x17, 0x98};
    size_t octets_len = 33;
    G = EC_POINT_new(group);
    EC_POINT_oct2point(group, G, buf, octets_len, ctx);
    if (!G) {
        fprintf(stderr, "Failed to get the generator from octet.\n");
    }
    BIGNUM *x = BN_new();
    BIGNUM *y = BN_new();
    EC_POINT_get_affine_coordinates_GFp(group, G, x, y, NULL);
    BN_print_fp(stdout, x);
    putc('\n', stdout);
    BN_print_fp(stdout, y);
    putc('\n', stdout);

This particular piece of code works with openssl, but here it just prints
00
00
for x and y.
The debug log shows the following:

wolfSSL Entering wolfSSL_EC_POINT_oct2point
wolfSSL Entering wolfSSL_ECPoint_d2i
wc_ecc_import_point_der_ex failed

Does this need some additional enabling of options?
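
The buffer in the post above is a SEC1 compressed point (prefix 0x02 followed by the 32-byte x coordinate), so loading it means recovering y from the curve equation. The following is an added example, not code from the thread or from wolfSSL: it decodes SEC1 points on secp256k1 in plain Python, rejects off-curve input, and yields the x and y values a successful oct2point call should print for that buffer. The function names are hypothetical.

```python
# Added example: SEC1 point decoding for secp256k1 (y^2 = x^3 + 7 mod P).
# Function names are hypothetical; curve constants are the published ones.
P = 2**256 - 2**32 - 977          # field prime, P % 4 == 3
B = 7                             # curve coefficient b (a = 0)

def is_on_curve(x: int, y: int) -> bool:
    """Check y^2 == x^3 + 7 (mod P) with both coordinates in range."""
    return 0 <= x < P and 0 <= y < P and (y * y - (x * x * x + B)) % P == 0

def decode_sec1_point(data: bytes) -> tuple:
    """Decode a 33-byte compressed or 65-byte uncompressed SEC1 point."""
    if len(data) == 33 and data[0] in (0x02, 0x03):
        x = int.from_bytes(data[1:], "big")
        if x >= P:
            raise ValueError("x coordinate out of range")
        rhs = (pow(x, 3, P) + B) % P
        # P % 4 == 3, so a square root (if one exists) is rhs^((P+1)/4).
        y = pow(rhs, (P + 1) // 4, P)
        if y * y % P != rhs:
            raise ValueError("x is not the abscissa of a curve point")
        # Prefix 0x02 selects the even root, 0x03 the odd one.
        if y & 1 != data[0] & 1:
            y = P - y
    elif len(data) == 65 and data[0] == 0x04:
        x = int.from_bytes(data[1:33], "big")
        y = int.from_bytes(data[33:], "big")
    else:
        raise ValueError("unsupported SEC1 encoding")
    if not is_on_curve(x, y):
        raise ValueError("point is not on secp256k1")
    return x, y

def encode_uncompressed(x: int, y: int) -> bytes:
    """Return the 65-byte 0x04 || X || Y form of the same point."""
    return b"\x04" + x.to_bytes(32, "big") + y.to_bytes(32, "big")

# The 33-byte buffer from the post, copied verbatim.
GENERATOR_COMPRESSED = bytes.fromhex(
    "02" "79be667ef9dcbbac55a06295ce870b07029bfcdb2dce28d959f2815b16f81798")

if __name__ == "__main__":
    gx, gy = decode_sec1_point(GENERATOR_COMPRESSED)
    print(f"{gx:064X}\n{gy:064X}")
    print(encode_uncompressed(gx, gy).hex())
```

The 65-byte output of `encode_uncompressed` is the same point in the 0x04 form, which needs no square root to load.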
