[Openvpn-devel] [PATCH v6] Added PQE to WolfSSL

Mon, 07 Jul 2025 06:35:52 -0700 

From: rein.vanbaaren <rein.vanbaa...@fox-it.com>

Change-Id: Ie0529c2074964b3be034f01e0ef53090a6edbd35
Signed-off-by: comododragon <rein.vanbaa...@fox-it.com>
Acked-by: Arne Schwabe <arne-open...@rfc2549.org>
---

This change was reviewed on Gerrit and approved by at least one
developer. I request to merge it to master.

Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1046
This mail reflects revision 6 of this Change.

Signed-off-by line for the author was added as per our policy.

Acked-by according to Gerrit (reflected above):
Arne Schwabe <arne-open...@rfc2549.org>

        
diff --git a/README.wolfssl b/README.wolfssl
index a5dfe31..7475164 100644
--- a/README.wolfssl
+++ b/README.wolfssl
@@ -28,3 +28,33 @@
  * blowfish support (BF-CBC), you must use something like
    cipher AES-128-CBC to avoid trying to use BF-CBC
  * Windows CryptoAPI support
+
+*************************************************************************
+To build WolfSSL with post-quantum KEMs built in, the following command is 
used:
+
+./configure --enable-openvpn --enable-kyber=all --enable-curve25519
+
+WolfSSL supports the following post-quantum KEMs and post-quantum hybrid KEMs 
which must be specified 
+using the tls-groups option in an OpenVPN config. Unlike OpenSSL, which 
includes X25519MLKEM768 
+in the default config, WolfSSL requires explicit configuration of tls-groups 
to include 
+at least one post-quantum KEM.
+
+ML_KEM_512
+ML_KEM_768
+ML_KEM_1024
+
+P256_ML_KEM_512
+X25519_ML_KEM_512
+
+P384_ML_KEM_768
+P256_ML_KEM_768
+X448_ML_KEM_768
+X25519_ML_KEM_768
+
+P384_ML_KEM_1024
+P521_ML_KEM_1024
+
+The naming conventions of algorithms differ between WolfSSL and OpenSSL. An 
example is that
+OpenSSL omits underscores for their naming notation whereas WolfSSL expects 
them. Additionally, 
+OpenSSL does not accept the P curve notation and instead uses the equivalent 
secp notation. 
+A specific example is that WolfSSL expects P384_ML_KEM_1024, while OpenSSL 
expects secp384r1MLKEM1024.
diff --git a/src/openvpn/ssl_openssl.c b/src/openvpn/ssl_openssl.c
index 2fc77d8..4c11cd4 100644
--- a/src/openvpn/ssl_openssl.c
+++ b/src/openvpn/ssl_openssl.c
@@ -560,7 +560,7 @@
 tls_ctx_set_tls_groups(struct tls_root_ctx *ctx, const char *groups)
 {
     ASSERT(ctx);
-#if OPENSSL_VERSION_NUMBER < 0x30000000L
+#if OPENSSL_VERSION_NUMBER < 0x30000000L && !defined(ENABLE_CRYPTO_WOLFSSL)
     struct gc_arena gc = gc_new();
     /* This method could be as easy as
      *  SSL_CTX_set1_groups_list(ctx->ctx, groups)


_______________________________________________
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel

Reply via email to