Attention is currently required from: comododragon, cron2, flichtenheld. Hello cron2, flichtenheld, plaisthos,
I'd like you to reexamine a change. Please visit http://gerrit.openvpn.net/c/openvpn/+/1046?usp=email to look at the new patch set (#4). The following approvals got outdated and were removed: Code-Review-1 by cron2 Change subject: Added PQE to WolfSSL ...................................................................... Added PQE to WolfSSL Change-Id: Ie0529c2074964b3be034f01e0ef53090a6edbd35 --- M README.wolfssl M src/openvpn/ssl_openssl.c 2 files changed, 25 insertions(+), 1 deletion(-) git pull ssh://gerrit.openvpn.net:29418/openvpn refs/changes/46/1046/4 diff --git a/README.wolfssl b/README.wolfssl index a5dfe31..46b080c 100644 --- a/README.wolfssl +++ b/README.wolfssl @@ -28,3 +28,26 @@ * blowfish support (BF-CBC), you must use something like cipher AES-128-CBC to avoid trying to use BF-CBC * Windows CryptoAPI support + +************************************************************************* +To build WolfSSL with support for post-quantum KEMs, the following command is used: + +./configure --enable-openvpn --enable-kyber=all --enable-curve25519 + +WolfSSL supports the following post-quantum KEMs or post-quantum hybrid KEMs by specifying them using the `tls-groups` +option in an OpenVPN config. + +ML_KEM_512 +ML_KEM_768 +ML_KEM_1024 + +P256_ML_KEM_512 +X25519_ML_KEM_512 + +P384_ML_KEM_768 +P256_ML_KEM_768 +X448_ML_KEM_768 +X25519_ML_KEM_768 + +P384_ML_KEM_1024 +P521_ML_KEM_1024 diff --git a/src/openvpn/ssl_openssl.c b/src/openvpn/ssl_openssl.c index 2fc77d8..ec5419c 100644 --- a/src/openvpn/ssl_openssl.c +++ b/src/openvpn/ssl_openssl.c @@ -560,7 +560,7 @@ tls_ctx_set_tls_groups(struct tls_root_ctx *ctx, const char *groups) { ASSERT(ctx); -#if OPENSSL_VERSION_NUMBER < 0x30000000L +#if OPENSSL_VERSION_NUMBER < 0x30000000L && !defined(ENABLE_CRYPTO_WOLFSSL) struct gc_arena gc = gc_new(); /* This method could be as easy as * SSL_CTX_set1_groups_list(ctx->ctx, groups) 
@@ -608,6 +608,7 @@ } gc_free(&gc); #else /* if OPENSSL_VERSION_NUMBER < 0x30000000L */ + msg(M_WARN, "Hells yeah"); if (!SSL_CTX_set1_groups_list(ctx->ctx, groups)) { crypto_msg(M_FATAL, "Failed to set allowed TLS group list: %s", -- To view, visit http://gerrit.openvpn.net/c/openvpn/+/1046?usp=email To unsubscribe, or for help writing mail filters, visit http://gerrit.openvpn.net/settings Gerrit-Project: openvpn Gerrit-Branch: master Gerrit-Change-Id: Ie0529c2074964b3be034f01e0ef53090a6edbd35 Gerrit-Change-Number: 1046 Gerrit-PatchSet: 4 Gerrit-Owner: comododragon <rein.vanbaa...@fox-it.com> Gerrit-Reviewer: cron2 <g...@greenie.muc.de> Gerrit-Reviewer: flichtenheld <fr...@lichtenheld.com> Gerrit-Reviewer: plaisthos <arne-open...@rfc2549.org> Gerrit-CC: openvpn-devel <openvpn-devel@lists.sourceforge.net> Gerrit-Attention: cron2 <g...@greenie.muc.de> Gerrit-Attention: flichtenheld <fr...@lichtenheld.com> Gerrit-Attention: comododragon <rein.vanbaa...@fox-it.com> Gerrit-MessageType: newpatchset
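Review bot: The README.wolfssl hunk gives a configure line with `--enable-kyber=all`, while every group listed under it is named `ML_KEM_*`, and nothing says which wolfSSL release accepts these names. Please state the minimum wolfSSL version the list applies to, and add one complete `tls-groups` line so readers can see how the names are combined in a config. The added text also says "the following command is used" without saying it is run in the wolfSSL source tree, which is worth spelling out.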
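Review bot: In the `@@ -560,7 +560,7 @@` hunk of src/openvpn/ssl_openssl.c, the added `&& !defined(ENABLE_CRYPTO_WOLFSSL)` sends every wolfSSL build to the `SSL_CTX_set1_groups_list()` branch, with no check on the wolfSSL version or on whether the library provides that call. If older wolfSSL builds are still meant to be supported, this needs a version or feature guard. Otherwise the minimum version should be documented alongside the README change. The retained comment "This method could be as easy as SSL_CTX_set1_groups_list(ctx->ctx, groups)" would also benefit from a word on why wolfSSL now skips the manual path.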
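Review bot: `msg(M_WARN, "Hells yeah");` in the `@@ -608,6 +608,7 @@` hunk looks like leftover debug output and should be removed before this is merged. It sits unconditionally at the top of the `#else` branch, which OpenSSL 3.x builds share, so those builds would log the warning on each `tls_ctx_set_tls_groups()` call as well. The comment on `#else /* if OPENSSL_VERSION_NUMBER < 0x30000000L */` just above it is now stale, since the `#if` also tests `ENABLE_CRYPTO_WOLFSSL`. Please update it to match.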
_______________________________________________ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel