[Openvpn-devel] [M] Change in openvpn[master]: Added PQE to WolfSSL

2025-06-16 Thread comododragon (Code Review)
comododragon has abandoned this change. ( 
http://gerrit.openvpn.net/c/openvpn/+/1044?usp=email )

Change subject: Added PQE to WolfSSL
..


Abandoned

a
--
To view, visit http://gerrit.openvpn.net/c/openvpn/+/1044?usp=email
To unsubscribe, or for help writing mail filters, visit 
http://gerrit.openvpn.net/settings

Gerrit-Project: openvpn
Gerrit-Branch: master
Gerrit-Change-Id: Id4293137a577f93ea9f2178ece7ef86c4e1429c8
Gerrit-Change-Number: 1044
Gerrit-PatchSet: 1
Gerrit-Owner: comododragon 
Gerrit-Reviewer: flichtenheld 
Gerrit-Reviewer: plaisthos 
Gerrit-CC: openvpn-devel 
Gerrit-MessageType: abandon
___
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel


[Openvpn-devel] [M] Change in openvpn[master]: Added PQE to WolfSSL

2025-06-16 Thread comododragon (Code Review)
Attention is currently required from: flichtenheld, plaisthos.

Hello plaisthos, flichtenheld,

I'd like you to do a code review.
Please visit

http://gerrit.openvpn.net/c/openvpn/+/1044?usp=email

to review the following change.


Change subject: Added PQE to WolfSSL
..

Added PQE to WolfSSL

Change-Id: Id4293137a577f93ea9f2178ece7ef86c4e1429c8
---
M README.wolfssl
M src/openvpn/ssl_openssl.c
A src/openvpn/wolfssl_compat.h
3 files changed, 92 insertions(+), 0 deletions(-)



  git pull ssh://gerrit.openvpn.net:29418/openvpn refs/changes/44/1044/1

diff --git a/README.wolfssl b/README.wolfssl
index a5dfe31..27b9087 100644
--- a/README.wolfssl
+++ b/README.wolfssl
@@ -28,3 +28,40 @@
  * blowfish support (BF-CBC), you must use something like
cipher AES-128-CBC to avoid trying to use BF-CBC
  * Windows CryptoAPI support
+
+*
+To build WolfSSL with these PQE, you'll want to configure it like this:
+
+```bash
+./configure --enable-openvpn --enable-kyber --enable-mlkem --enable-curve25519
+```
+
+WolfSSL supports the following Quantum Safe algorithms by specifying them 
using the `tls-groups`
+option in a config.
+
+```
+ML_KEM_512
+ML_KEM_768
+ML_KEM_1024
+P256_ML_KEM_512
+P384_ML_KEM_768
+P256_ML_KEM_768
+P521_ML_KEM_1024
+P384_ML_KEM_1024
+X25519_ML_KEM_512
+X448_ML_KEM_768
+X25519_ML_KEM_768
+
+KYBER_LEVEL1
+KYBER_LEVEL3
+KYBER_LEVEL5
+
+P256_KYBER_LEVEL1
+P384_KYBER_LEVEL3
+P256_KYBER_LEVEL3
+P521_KYBER_LEVEL5
+
+X25519_KYBER_LEVEL1
+X448_KYBER_LEVEL3
+X25519_KYBER_LEVEL3
+```
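
Review bot: "PQE" in the added paragraph is never expanded, and the list under it consists of key-exchange groups (KEMs and hybrids), so the README should call them that, for example "post-quantum key exchange groups". The lone `*` line above the paragraph also reads as a leftover bullet; make it a proper list item in the style of the existing ` * ` entries or drop it.
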
diff --git a/src/openvpn/ssl_openssl.c b/src/openvpn/ssl_openssl.c
index 2fc77d8..5dbacf0 100644
--- a/src/openvpn/ssl_openssl.c
+++ b/src/openvpn/ssl_openssl.c
@@ -76,6 +76,8 @@
 #include 
 #endif

+#include "wolfssl_compat.h"
+
 OSSL_LIB_CTX *tls_libctx; /* Global */

 static void unload_xkey_provider(void);
@@ -588,7 +590,12 @@
 {
 token = "prime256v1";
 }
+
+#ifdef ENABLE_CRYPTO_WOLFSSL
+int nid = wolfssl_OBJ_sn2nid(token);
+#else
 int nid = OBJ_sn2nid(token);
+#endif

 if (nid == 0)
 {
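
Review bot: the check that follows the new declaration, `if (nid == 0)`, tests a literal while the helper added in wolfssl_compat.h tests `WC_NID_undef`; the two agree only if that constant is 0. Compare against the same symbolic constant in both places so the wolfSSL branch cannot slip past the error path.
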
diff --git a/src/openvpn/wolfssl_compat.h b/src/openvpn/wolfssl_compat.h
new file mode 100644
index 000..c16d918
--- /dev/null
+++ b/src/openvpn/wolfssl_compat.h
@@ -0,0 +1,48 @@
+#pragma once
+
+/*
+ *  OpenVPN -- An application to securely tunnel IP networks
+ * over a single TCP/UDP port, with support for SSL/TLS-based
+ * session authentication and key exchange,
+ * packet encryption, packet authentication, and
+ * packet compression.
+ *
+ *  Copyright (C) 2023 Fox Crypto B.V. 
+ *
+ *  This program is free software; you can redistribute it and/or modify
+ *  it under the terms of the GNU General Public License version 2
+ *  as published by the Free Software Foundation.
+ *
+ *  This program is distributed in the hope that it will be useful,
+ *  but WITHOUT ANY WARRANTY; without even the implied warranty of
+ *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ *  GNU General Public License for more details.
+ *
+ *  You should have received a copy of the GNU General Public License along
+ *  with this program; if not, write to the Free Software Foundation, Inc.,
+ *  51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+ */
+
+/**
+ * @file
+ * wolfssl compatibility stub.
+ * This file provide compatibility stubs for the wolfssl libraries
+ */
+
+#ifdef ENABLE_CRYPTO_WOLFSSL
+
+int
+wolfssl_OBJ_sn2nid(const char *sn)
+{
+
+int nid = OBJ_sn2nid(sn);
+
+if (nid == WC_NID_undef)
+{
+return wolfSSL_EC_curve_nist2nid(sn);
+}
+
+return WC_NID_undef;
+}
+
+#endif
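
Review bot: the return paths in `wolfssl_OBJ_sn2nid()` are inverted. When `OBJ_sn2nid(sn)` finds the name, `nid` is not `WC_NID_undef`, the `if` is skipped and the function falls through to `return WC_NID_undef;`, so every name the first lookup resolves is reported as unknown and only the `wolfSSL_EC_curve_nist2nid(sn)` fallback can ever succeed. The final statement should be `return nid;`.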

--
To view, visit http://gerrit.openvpn.net/c/openvpn/+/1044?usp=email
To unsubscribe, or for help writing mail filters, visit 
http://gerrit.openvpn.net/settings

Gerrit-Project: openvpn
Gerrit-Branch: master
Gerrit-Change-Id: Id4293137a577f93ea9f2178ece7ef86c4e1429c8
Gerrit-Change-Number: 1044
Gerrit-PatchSet: 1
Gerrit-Owner: comododragon 
Gerrit-Reviewer: flichtenheld 
Gerrit-Reviewer: plaisthos 
Gerrit-CC: openvpn-devel 
Gerrit-Attention: plaisthos 
Gerrit-Attention: flichtenheld 
Gerrit-MessageType: newchange


[Openvpn-devel] [S] Change in openvpn[master]: Removed trailing whitespaces

2025-06-18 Thread comododragon (Code Review)
Attention is currently required from: flichtenheld, plaisthos.

Hello plaisthos, flichtenheld,

I'd like you to do a code review.
Please visit

http://gerrit.openvpn.net/c/openvpn/+/1045?usp=email

to review the following change.


Change subject: Removed trailing whitespaces
..

Removed trailing whitespaces

Change-Id: I8eb1ded62a415a0734de11a4503cffafcc23d9f3
---
M src/openvpn/ssl_openssl.c
M src/openvpn/wolfssl_compat.h
2 files changed, 9 insertions(+), 9 deletions(-)



  git pull ssh://gerrit.openvpn.net:29418/openvpn refs/changes/45/1045/1

diff --git a/src/openvpn/ssl_openssl.c b/src/openvpn/ssl_openssl.c
index 5dbacf0..29aa502 100644
--- a/src/openvpn/ssl_openssl.c
+++ b/src/openvpn/ssl_openssl.c
@@ -593,7 +593,7 @@

 #ifdef ENABLE_CRYPTO_WOLFSSL
 int nid = wolfssl_OBJ_sn2nid(token);
-#else
+#else
 int nid = OBJ_sn2nid(token);
 #endif

diff --git a/src/openvpn/wolfssl_compat.h b/src/openvpn/wolfssl_compat.h
index c16d918..a25e5c3 100644
--- a/src/openvpn/wolfssl_compat.h
+++ b/src/openvpn/wolfssl_compat.h
@@ -31,18 +31,18 @@

 #ifdef ENABLE_CRYPTO_WOLFSSL

-int
-wolfssl_OBJ_sn2nid(const char *sn)
+int
+wolfssl_OBJ_sn2nid(const char *sn)
 {

-int nid = OBJ_sn2nid(sn);
+   int nid = OBJ_sn2nid(sn);

-if (nid == WC_NID_undef)
-{
-return wolfSSL_EC_curve_nist2nid(sn);
-}
+   if (nid == WC_NID_undef)
+   {
+   return wolfSSL_EC_curve_nist2nid(sn);
+   }

-return WC_NID_undef;
+   return WC_NID_undef;
 }

 #endif
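
Review bot: the re-indented body of `wolfssl_OBJ_sn2nid()` keeps `return WC_NID_undef;` as its last statement, so a name that `OBJ_sn2nid(sn)` resolves is still returned as undefined; change it to `return nid;` while these lines are being touched. Because this change only rewrites lines that change 1044 introduced (the file index starts at c16d918), it is better folded into that change than reviewed on its own.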

--
To view, visit http://gerrit.openvpn.net/c/openvpn/+/1045?usp=email
To unsubscribe, or for help writing mail filters, visit 
http://gerrit.openvpn.net/settings

Gerrit-Project: openvpn
Gerrit-Branch: master
Gerrit-Change-Id: I8eb1ded62a415a0734de11a4503cffafcc23d9f3
Gerrit-Change-Number: 1045
Gerrit-PatchSet: 1
Gerrit-Owner: comododragon 
Gerrit-Reviewer: flichtenheld 
Gerrit-Reviewer: plaisthos 
Gerrit-CC: openvpn-devel 
Gerrit-Attention: plaisthos 
Gerrit-Attention: flichtenheld 
Gerrit-MessageType: newchange


[Openvpn-devel] [S] Change in openvpn[master]: Removed trailing whitespaces

2025-06-18 Thread comododragon (Code Review)
comododragon has abandoned this change. ( 
http://gerrit.openvpn.net/c/openvpn/+/1045?usp=email )

Change subject: Removed trailing whitespaces
..


Abandoned
--
To view, visit http://gerrit.openvpn.net/c/openvpn/+/1045?usp=email
To unsubscribe, or for help writing mail filters, visit 
http://gerrit.openvpn.net/settings

Gerrit-Project: openvpn
Gerrit-Branch: master
Gerrit-Change-Id: I8eb1ded62a415a0734de11a4503cffafcc23d9f3
Gerrit-Change-Number: 1045
Gerrit-PatchSet: 1
Gerrit-Owner: comododragon 
Gerrit-Reviewer: flichtenheld 
Gerrit-Reviewer: plaisthos 
Gerrit-CC: openvpn-devel 
Gerrit-MessageType: abandon


[Openvpn-devel] [M] Change in openvpn[master]: Added PQE to WolfSSL

2025-06-18 Thread comododragon (Code Review)
Attention is currently required from: flichtenheld, plaisthos.

Hello plaisthos, flichtenheld,

I'd like you to do a code review.
Please visit

http://gerrit.openvpn.net/c/openvpn/+/1046?usp=email

to review the following change.


Change subject: Added PQE to WolfSSL
..

Added PQE to WolfSSL

Change-Id: Ie0529c2074964b3be034f01e0ef53090a6edbd35
---
M README.wolfssl
M src/openvpn/ssl_openssl.c
A src/openvpn/wolfssl_compat.h
3 files changed, 92 insertions(+), 0 deletions(-)



  git pull ssh://gerrit.openvpn.net:29418/openvpn refs/changes/46/1046/1

diff --git a/README.wolfssl b/README.wolfssl
index a5dfe31..27b9087 100644
--- a/README.wolfssl
+++ b/README.wolfssl
@@ -28,3 +28,40 @@
  * blowfish support (BF-CBC), you must use something like
cipher AES-128-CBC to avoid trying to use BF-CBC
  * Windows CryptoAPI support
+
+*
+To build WolfSSL with these PQE, you'll want to configure it like this:
+
+```bash
+./configure --enable-openvpn --enable-kyber --enable-mlkem --enable-curve25519
+```
+
+WolfSSL supports the following Quantum Safe algorithms by specifying them 
using the `tls-groups`
+option in a config.
+
+```
+ML_KEM_512
+ML_KEM_768
+ML_KEM_1024
+P256_ML_KEM_512
+P384_ML_KEM_768
+P256_ML_KEM_768
+P521_ML_KEM_1024
+P384_ML_KEM_1024
+X25519_ML_KEM_512
+X448_ML_KEM_768
+X25519_ML_KEM_768
+
+KYBER_LEVEL1
+KYBER_LEVEL3
+KYBER_LEVEL5
+
+P256_KYBER_LEVEL1
+P384_KYBER_LEVEL3
+P256_KYBER_LEVEL3
+P521_KYBER_LEVEL5
+
+X25519_KYBER_LEVEL1
+X448_KYBER_LEVEL3
+X25519_KYBER_LEVEL3
+```
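
Review bot: the list mixes `KYBER_LEVEL*` and `ML_KEM_*` group names, and the configure line passes both `--enable-kyber` and `--enable-mlkem`, without saying how the two families differ or which flag enables which names. Add a sentence on that, or list only the family users are expected to configure. The ``` fences are also Markdown in a file whose existing entries are plain ` * ` bullets.
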
diff --git a/src/openvpn/ssl_openssl.c b/src/openvpn/ssl_openssl.c
index 2fc77d8..29aa502 100644
--- a/src/openvpn/ssl_openssl.c
+++ b/src/openvpn/ssl_openssl.c
@@ -76,6 +76,8 @@
 #include 
 #endif

+#include "wolfssl_compat.h"
+
 OSSL_LIB_CTX *tls_libctx; /* Global */

 static void unload_xkey_provider(void);
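
Review bot: `wolfssl_compat.h` is included here unconditionally, and later in this patch that header defines `wolfssl_OBJ_sn2nid()` with external linkage in the header itself. That works only while a single .c file includes it; a second includer would produce a duplicate definition at link time. Make the helper `static inline`, or keep a prototype in the header and move the body into a .c file.
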
@@ -588,7 +590,12 @@
 {
 token = "prime256v1";
 }
+
+#ifdef ENABLE_CRYPTO_WOLFSSL
+int nid = wolfssl_OBJ_sn2nid(token);
+#else
 int nid = OBJ_sn2nid(token);
+#endif

 if (nid == 0)
 {
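
Review bot: the `#ifdef ENABLE_CRYPTO_WOLFSSL` around the `int nid = ...` declaration puts backend selection at the call site. Since the helper already has its own header, that header could map `wolfssl_OBJ_sn2nid` to plain `OBJ_sn2nid` in non-wolfSSL builds, or the helper could get a backend-neutral name, leaving one unconditional declaration here.
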
diff --git a/src/openvpn/wolfssl_compat.h b/src/openvpn/wolfssl_compat.h
new file mode 100644
index 000..a25e5c3
--- /dev/null
+++ b/src/openvpn/wolfssl_compat.h
@@ -0,0 +1,48 @@
+#pragma once
+
+/*
+ *  OpenVPN -- An application to securely tunnel IP networks
+ * over a single TCP/UDP port, with support for SSL/TLS-based
+ * session authentication and key exchange,
+ * packet encryption, packet authentication, and
+ * packet compression.
+ *
+ *  Copyright (C) 2023 Fox Crypto B.V. 
+ *
+ *  This program is free software; you can redistribute it and/or modify
+ *  it under the terms of the GNU General Public License version 2
+ *  as published by the Free Software Foundation.
+ *
+ *  This program is distributed in the hope that it will be useful,
+ *  but WITHOUT ANY WARRANTY; without even the implied warranty of
+ *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ *  GNU General Public License for more details.
+ *
+ *  You should have received a copy of the GNU General Public License along
+ *  with this program; if not, write to the Free Software Foundation, Inc.,
+ *  51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+ */
+
+/**
+ * @file
+ * wolfssl compatibility stub.
+ * This file provide compatibility stubs for the wolfssl libraries
+ */
+
+#ifdef ENABLE_CRYPTO_WOLFSSL
+
+int
+wolfssl_OBJ_sn2nid(const char *sn)
+{
+
+   int nid = OBJ_sn2nid(sn);
+
+   if (nid == WC_NID_undef)
+   {
+   return wolfSSL_EC_curve_nist2nid(sn);
+   }
+
+   return WC_NID_undef;
+}
+
+#endif
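
Review bot: the header is not self-contained: `OBJ_sn2nid`, `WC_NID_undef` and `wolfSSL_EC_curve_nist2nid` are used without a single `#include` in this file, so it compiles only if the includer has already pulled in the right wolfSSL headers. Include what the helper needs here. The function also still ends in `return WC_NID_undef;` after a successful `OBJ_sn2nid(sn)`, which should be `return nid;`.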

--
To view, visit http://gerrit.openvpn.net/c/openvpn/+/1046?usp=email
To unsubscribe, or for help writing mail filters, visit 
http://gerrit.openvpn.net/settings

Gerrit-Project: openvpn
Gerrit-Branch: master
Gerrit-Change-Id: Ie0529c2074964b3be034f01e0ef53090a6edbd35
Gerrit-Change-Number: 1046
Gerrit-PatchSet: 1
Gerrit-Owner: comododragon 
Gerrit-Reviewer: flichtenheld 
Gerrit-Reviewer: plaisthos 
Gerrit-CC: openvpn-devel 
Gerrit-Attention: plaisthos 
Gerrit-Attention: flichtenheld 
Gerrit-MessageType: newchange


[Openvpn-devel] [M] Change in openvpn[master]: Added PQE to WolfSSL

2025-06-23 Thread comododragon (Code Review)
Attention is currently required from: comododragon, flichtenheld.

Hello flichtenheld, plaisthos,

I'd like you to reexamine a change. Please visit

http://gerrit.openvpn.net/c/openvpn/+/1046?usp=email

to look at the new patch set (#3).


Change subject: Added PQE to WolfSSL
..

Added PQE to WolfSSL

Change-Id: Ie0529c2074964b3be034f01e0ef53090a6edbd35
---
M README.wolfssl
M src/openvpn/ssl_openssl.c
2 files changed, 45 insertions(+), 8 deletions(-)


  git pull ssh://gerrit.openvpn.net:29418/openvpn refs/changes/46/1046/3

diff --git a/README.wolfssl b/README.wolfssl
index a5dfe31..27b9087 100644
--- a/README.wolfssl
+++ b/README.wolfssl
@@ -28,3 +28,40 @@
  * blowfish support (BF-CBC), you must use something like
cipher AES-128-CBC to avoid trying to use BF-CBC
  * Windows CryptoAPI support
+
+*
+To build WolfSSL with these PQE, you'll want to configure it like this:
+
+```bash
+./configure --enable-openvpn --enable-kyber --enable-mlkem --enable-curve25519
+```
+
+WolfSSL supports the following Quantum Safe algorithms by specifying them 
using the `tls-groups`
+option in a config.
+
+```
+ML_KEM_512
+ML_KEM_768
+ML_KEM_1024
+P256_ML_KEM_512
+P384_ML_KEM_768
+P256_ML_KEM_768
+P521_ML_KEM_1024
+P384_ML_KEM_1024
+X25519_ML_KEM_512
+X448_ML_KEM_768
+X25519_ML_KEM_768
+
+KYBER_LEVEL1
+KYBER_LEVEL3
+KYBER_LEVEL5
+
+P256_KYBER_LEVEL1
+P384_KYBER_LEVEL3
+P256_KYBER_LEVEL3
+P521_KYBER_LEVEL5
+
+X25519_KYBER_LEVEL1
+X448_KYBER_LEVEL3
+X25519_KYBER_LEVEL3
+```
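
Review bot: the paragraph ending "option in a config" names the `tls-groups` option but shows no example line, so a reader cannot tell from the README how one of these names is written in an OpenVPN config or how several are combined. Add one sample `tls-groups` line that uses a name from the list.
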
diff --git a/src/openvpn/ssl_openssl.c b/src/openvpn/ssl_openssl.c
index 2fc77d8..b873e54 100644
--- a/src/openvpn/ssl_openssl.c
+++ b/src/openvpn/ssl_openssl.c
@@ -560,7 +560,13 @@
 tls_ctx_set_tls_groups(struct tls_root_ctx *ctx, const char *groups)
 {
 ASSERT(ctx);
-#if OPENSSL_VERSION_NUMBER < 0x3000L
+#if defined(ENABLE_CRYPTO_WOLFSSL) || OPENSSL_VERSION_NUMBER >= 0x3000L
+if (!SSL_CTX_set1_groups_list(ctx->ctx, groups))
+{
+crypto_msg(M_FATAL, "Failed to set allowed TLS group list: %s",
+groups);
+}
+#else
 struct gc_arena gc = gc_new();
 /* This method could be as easy as
  *  SSL_CTX_set1_groups_list(ctx->ctx, groups)
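
Review bot: swapping the two branches to get wolfSSL onto the `SSL_CTX_set1_groups_list()` path moves an otherwise unchanged block and makes the diff larger than the behaviour change. Keeping the original order and extending the existing condition, for example `#if OPENSSL_VERSION_NUMBER < 0x3000L && !defined(ENABLE_CRYPTO_WOLFSSL)`, gives the same result with a one-line change.
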
@@ -607,13 +613,7 @@
groups);
 }
 gc_free(&gc);
-#else  /* if OPENSSL_VERSION_NUMBER < 0x3000L */
-if (!SSL_CTX_set1_groups_list(ctx->ctx, groups))
-{
-crypto_msg(M_FATAL, "Failed to set allowed TLS group list: %s",
-   groups);
-}
-#endif /* if OPENSSL_VERSION_NUMBER < 0x3000L */
+#endif
 }

 void
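
Review bot: the closing `#endif` loses the trailing comment that named its condition. The hunk headers put the matching `#if` near line 560 and this line near 616, so the pairing is not visible on one screen; keep a comment here and update it to the new condition.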

--
To view, visit http://gerrit.openvpn.net/c/openvpn/+/1046?usp=email
To unsubscribe, or for help writing mail filters, visit 
http://gerrit.openvpn.net/settings

Gerrit-Project: openvpn
Gerrit-Branch: master
Gerrit-Change-Id: Ie0529c2074964b3be034f01e0ef53090a6edbd35
Gerrit-Change-Number: 1046
Gerrit-PatchSet: 3
Gerrit-Owner: comododragon 
Gerrit-Reviewer: flichtenheld 
Gerrit-Reviewer: plaisthos 
Gerrit-CC: openvpn-devel 
Gerrit-Attention: flichtenheld 
Gerrit-Attention: comododragon 
Gerrit-MessageType: newpatchset


[Openvpn-devel] [M] Change in openvpn[master]: Added PQE to WolfSSL

2025-06-23 Thread comododragon (Code Review)
Attention is currently required from: comododragon, flichtenheld.

Hello flichtenheld, plaisthos,

I'd like you to reexamine a change. Please visit

http://gerrit.openvpn.net/c/openvpn/+/1046?usp=email

to look at the new patch set (#2).


Change subject: Added PQE to WolfSSL
..

Added PQE to WolfSSL

Change-Id: Ie0529c2074964b3be034f01e0ef53090a6edbd35
---
M README.wolfssl
M src/openvpn/ssl_openssl.c
2 files changed, 47 insertions(+), 8 deletions(-)


  git pull ssh://gerrit.openvpn.net:29418/openvpn refs/changes/46/1046/2

diff --git a/README.wolfssl b/README.wolfssl
index a5dfe31..27b9087 100644
--- a/README.wolfssl
+++ b/README.wolfssl
@@ -28,3 +28,40 @@
  * blowfish support (BF-CBC), you must use something like
cipher AES-128-CBC to avoid trying to use BF-CBC
  * Windows CryptoAPI support
+
+*
+To build WolfSSL with these PQE, you'll want to configure it like this:
+
+```bash
+./configure --enable-openvpn --enable-kyber --enable-mlkem --enable-curve25519
+```
+
+WolfSSL supports the following Quantum Safe algorithms by specifying them 
using the `tls-groups`
+option in a config.
+
+```
+ML_KEM_512
+ML_KEM_768
+ML_KEM_1024
+P256_ML_KEM_512
+P384_ML_KEM_768
+P256_ML_KEM_768
+P521_ML_KEM_1024
+P384_ML_KEM_1024
+X25519_ML_KEM_512
+X448_ML_KEM_768
+X25519_ML_KEM_768
+
+KYBER_LEVEL1
+KYBER_LEVEL3
+KYBER_LEVEL5
+
+P256_KYBER_LEVEL1
+P384_KYBER_LEVEL3
+P256_KYBER_LEVEL3
+P521_KYBER_LEVEL5
+
+X25519_KYBER_LEVEL1
+X448_KYBER_LEVEL3
+X25519_KYBER_LEVEL3
+```
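
Review bot: the group list is in no discernible order: the standalone ML-KEM names come first, then hybrids with curves and parameter sets interleaved (`P256_ML_KEM_512`, `P384_ML_KEM_768`, `P256_ML_KEM_768`, ...). Grouping by parameter set, with standalone and hybrid groups labelled, would let a reader pick a group at a given level without scanning the whole block.
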
diff --git a/src/openvpn/ssl_openssl.c b/src/openvpn/ssl_openssl.c
index 2fc77d8..dd3dcca 100644
--- a/src/openvpn/ssl_openssl.c
+++ b/src/openvpn/ssl_openssl.c
@@ -76,6 +76,8 @@
 #include 
 #endif

+#include "wolfssl_compat.h"
+
 OSSL_LIB_CTX *tls_libctx; /* Global */

 static void unload_xkey_provider(void);
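
Review bot: this hunk still adds `#include "wolfssl_compat.h"`, but the file list for this patch set shows only README.wolfssl and src/openvpn/ssl_openssl.c, so the header is no longer part of the change. Unless it already exists in the tree, the build breaks at this line; drop the include together with the helper.
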
@@ -560,7 +562,13 @@
 tls_ctx_set_tls_groups(struct tls_root_ctx *ctx, const char *groups)
 {
 ASSERT(ctx);
-#if OPENSSL_VERSION_NUMBER < 0x3000L
+#if defined(ENABLE_CRYPTO_WOLFSSL) || OPENSSL_VERSION_NUMBER >= 0x3000L
+if (!SSL_CTX_set1_groups_list(ctx->ctx, groups))
+{
+crypto_msg(M_FATAL, "Failed to set allowed TLS group list: %s",
+groups);
+}
+#else
 struct gc_arena gc = gc_new();
 /* This method could be as easy as
  *  SSL_CTX_set1_groups_list(ctx->ctx, groups)
@@ -607,13 +615,7 @@
groups);
 }
 gc_free(&gc);
-#else  /* if OPENSSL_VERSION_NUMBER < 0x3000L */
-if (!SSL_CTX_set1_groups_list(ctx->ctx, groups))
-{
-crypto_msg(M_FATAL, "Failed to set allowed TLS group list: %s",
-   groups);
-}
-#endif /* if OPENSSL_VERSION_NUMBER < 0x3000L */
+#endif
 }

 void

--
To view, visit http://gerrit.openvpn.net/c/openvpn/+/1046?usp=email
To unsubscribe, or for help writing mail filters, visit 
http://gerrit.openvpn.net/settings

Gerrit-Project: openvpn
Gerrit-Branch: master
Gerrit-Change-Id: Ie0529c2074964b3be034f01e0ef53090a6edbd35
Gerrit-Change-Number: 1046
Gerrit-PatchSet: 2
Gerrit-Owner: comododragon 
Gerrit-Reviewer: flichtenheld 
Gerrit-Reviewer: plaisthos 
Gerrit-CC: openvpn-devel 
Gerrit-Attention: flichtenheld 
Gerrit-Attention: comododragon 
Gerrit-MessageType: newpatchset


[Openvpn-devel] [S] Change in openvpn[master]: Added PQE to WolfSSL

2025-06-25 Thread comododragon (Code Review)
Attention is currently required from: comododragon, cron2, flichtenheld.

Hello cron2, flichtenheld, plaisthos,

I'd like you to reexamine a change. Please visit

http://gerrit.openvpn.net/c/openvpn/+/1046?usp=email

to look at the new patch set (#5).


Change subject: Added PQE to WolfSSL
..

Added PQE to WolfSSL

Change-Id: Ie0529c2074964b3be034f01e0ef53090a6edbd35
---
M README.wolfssl
M src/openvpn/ssl_openssl.c
2 files changed, 24 insertions(+), 1 deletion(-)


  git pull ssh://gerrit.openvpn.net:29418/openvpn refs/changes/46/1046/5

diff --git a/README.wolfssl b/README.wolfssl
index a5dfe31..46b080c 100644
--- a/README.wolfssl
+++ b/README.wolfssl
@@ -28,3 +28,26 @@
  * blowfish support (BF-CBC), you must use something like
cipher AES-128-CBC to avoid trying to use BF-CBC
  * Windows CryptoAPI support
+
+*
+To build WolfSSL with support for post-quantum KEMs, the following command is 
used:
+
+./configure --enable-openvpn --enable-kyber=all --enable-curve25519
+
+WolfSSL supports the following post-quantum KEMs or post-quantum hybrid KEMs 
by specifying them using the `tls-groups`
+option in an OpenVPN config.
+
+ML_KEM_512
+ML_KEM_768
+ML_KEM_1024
+
+P256_ML_KEM_512
+X25519_ML_KEM_512
+
+P384_ML_KEM_768
+P256_ML_KEM_768
+X448_ML_KEM_768
+X25519_ML_KEM_768
+
+P384_ML_KEM_1024
+P521_ML_KEM_1024
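
Review bot: "the following command is used" does not say where it is run; this is the `./configure` of the wolfSSL source tree, not OpenVPN's, and the sentence should say so. The command and the group names are also added flush-left with no indentation or markers, unlike the ` * ` entries above them, and the stray `*` line is still present.
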
diff --git a/src/openvpn/ssl_openssl.c b/src/openvpn/ssl_openssl.c
index 2fc77d8..4c11cd4 100644
--- a/src/openvpn/ssl_openssl.c
+++ b/src/openvpn/ssl_openssl.c
@@ -560,7 +560,7 @@
 tls_ctx_set_tls_groups(struct tls_root_ctx *ctx, const char *groups)
 {
 ASSERT(ctx);
-#if OPENSSL_VERSION_NUMBER < 0x3000L
+#if OPENSSL_VERSION_NUMBER < 0x3000L && !defined(ENABLE_CRYPTO_WOLFSSL)
 struct gc_arena gc = gc_new();
 /* This method could be as easy as
  *  SSL_CTX_set1_groups_list(ctx->ctx, groups)
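
Review bot: with `&& !defined(ENABLE_CRYPTO_WOLFSSL)` added to the `#if`, the `/* if OPENSSL_VERSION_NUMBER < 0x3000L */` comments on the matching `#else` and `#endif` further down the function no longer describe the condition. Update them in the same change.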

--
To view, visit http://gerrit.openvpn.net/c/openvpn/+/1046?usp=email
To unsubscribe, or for help writing mail filters, visit 
http://gerrit.openvpn.net/settings

Gerrit-Project: openvpn
Gerrit-Branch: master
Gerrit-Change-Id: Ie0529c2074964b3be034f01e0ef53090a6edbd35
Gerrit-Change-Number: 1046
Gerrit-PatchSet: 5
Gerrit-Owner: comododragon 
Gerrit-Reviewer: cron2 
Gerrit-Reviewer: flichtenheld 
Gerrit-Reviewer: plaisthos 
Gerrit-CC: openvpn-devel 
Gerrit-Attention: cron2 
Gerrit-Attention: flichtenheld 
Gerrit-Attention: comododragon 
Gerrit-MessageType: newpatchset


[Openvpn-devel] [S] Change in openvpn[master]: Added PQE to WolfSSL

2025-06-25 Thread comododragon (Code Review)
Attention is currently required from: cron2, flichtenheld, plaisthos.

comododragon has posted comments on this change. ( 
http://gerrit.openvpn.net/c/openvpn/+/1046?usp=email )

Change subject: Added PQE to WolfSSL
..


Patch Set 5:

(1 comment)

File README.wolfssl:

http://gerrit.openvpn.net/c/openvpn/+/1046/comment/9582318b_73069ab0 :
PS3, Line 39: WolfSSL supports the following Quantum Safe algorithms by 
specifying them using the `tls-groups`
> you should also mention that wolfSSL uses different names for standard groups 
> like secp384r1 vs P-38 […]
What do you mean? WolfSSL allows the definition of secp384r1 and P-384 
respectively interchangeably.



--
To view, visit http://gerrit.openvpn.net/c/openvpn/+/1046?usp=email
To unsubscribe, or for help writing mail filters, visit 
http://gerrit.openvpn.net/settings

Gerrit-Project: openvpn
Gerrit-Branch: master
Gerrit-Change-Id: Ie0529c2074964b3be034f01e0ef53090a6edbd35
Gerrit-Change-Number: 1046
Gerrit-PatchSet: 5
Gerrit-Owner: comododragon 
Gerrit-Reviewer: cron2 
Gerrit-Reviewer: flichtenheld 
Gerrit-Reviewer: plaisthos 
Gerrit-CC: openvpn-devel 
Gerrit-Attention: plaisthos 
Gerrit-Attention: cron2 
Gerrit-Attention: flichtenheld 
Gerrit-Comment-Date: Wed, 25 Jun 2025 12:48:47 +
Gerrit-HasComments: Yes
Gerrit-Has-Labels: No
Comment-In-Reply-To: plaisthos 
Gerrit-MessageType: comment


[Openvpn-devel] [S] Change in openvpn[master]: Added PQE to WolfSSL

2025-06-25 Thread comododragon (Code Review)
Attention is currently required from: comododragon, cron2, flichtenheld.

Hello cron2, flichtenheld, plaisthos,

I'd like you to reexamine a change. Please visit

http://gerrit.openvpn.net/c/openvpn/+/1046?usp=email

to look at the new patch set (#4).

The following approvals got outdated and were removed:
Code-Review-1 by cron2


Change subject: Added PQE to WolfSSL
..

Added PQE to WolfSSL

Change-Id: Ie0529c2074964b3be034f01e0ef53090a6edbd35
---
M README.wolfssl
M src/openvpn/ssl_openssl.c
2 files changed, 25 insertions(+), 1 deletion(-)


  git pull ssh://gerrit.openvpn.net:29418/openvpn refs/changes/46/1046/4

diff --git a/README.wolfssl b/README.wolfssl
index a5dfe31..46b080c 100644
--- a/README.wolfssl
+++ b/README.wolfssl
@@ -28,3 +28,26 @@
  * blowfish support (BF-CBC), you must use something like
cipher AES-128-CBC to avoid trying to use BF-CBC
  * Windows CryptoAPI support
+
+*
+To build WolfSSL with support for post-quantum KEMs, the following command is 
used:
+
+./configure --enable-openvpn --enable-kyber=all --enable-curve25519
+
+WolfSSL supports the following post-quantum KEMs or post-quantum hybrid KEMs 
by specifying them using the `tls-groups`
+option in an OpenVPN config.
+
+ML_KEM_512
+ML_KEM_768
+ML_KEM_1024
+
+P256_ML_KEM_512
+X25519_ML_KEM_512
+
+P384_ML_KEM_768
+P256_ML_KEM_768
+X448_ML_KEM_768
+X25519_ML_KEM_768
+
+P384_ML_KEM_1024
+P521_ML_KEM_1024
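
Review bot: the README does not say which wolfSSL release the `ML_KEM` group names and `--enable-kyber=all` require. State the minimum version: per the code in this change, a `tls-groups` list the library rejects ends in the M_FATAL "Failed to set allowed TLS group list" path, so a user on a wolfSSL build without these groups gets a startup failure rather than a fallback.
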
diff --git a/src/openvpn/ssl_openssl.c b/src/openvpn/ssl_openssl.c
index 2fc77d8..ec5419c 100644
--- a/src/openvpn/ssl_openssl.c
+++ b/src/openvpn/ssl_openssl.c
@@ -560,7 +560,7 @@
 tls_ctx_set_tls_groups(struct tls_root_ctx *ctx, const char *groups)
 {
 ASSERT(ctx);
-#if OPENSSL_VERSION_NUMBER < 0x3000L
+#if OPENSSL_VERSION_NUMBER < 0x3000L && !defined(ENABLE_CRYPTO_WOLFSSL)
 struct gc_arena gc = gc_new();
 /* This method could be as easy as
  *  SSL_CTX_set1_groups_list(ctx->ctx, groups)
@@ -608,6 +608,7 @@
 }
 gc_free(&gc);
 #else  /* if OPENSSL_VERSION_NUMBER < 0x3000L */
+msg(M_WARN, "Hells yeah");
 if (!SSL_CTX_set1_groups_list(ctx->ctx, groups))
 {
 crypto_msg(M_FATAL, "Failed to set allowed TLS group list: %s",
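
Review bot: `msg(M_WARN, "Hells yeah");` at the top of the `#else` branch is leftover debug output and would be logged as a warning on every call that takes this path. Remove it before this patch set can be considered.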

--
To view, visit http://gerrit.openvpn.net/c/openvpn/+/1046?usp=email
To unsubscribe, or for help writing mail filters, visit 
http://gerrit.openvpn.net/settings

Gerrit-Project: openvpn
Gerrit-Branch: master
Gerrit-Change-Id: Ie0529c2074964b3be034f01e0ef53090a6edbd35
Gerrit-Change-Number: 1046
Gerrit-PatchSet: 4
Gerrit-Owner: comododragon 
Gerrit-Reviewer: cron2 
Gerrit-Reviewer: flichtenheld 
Gerrit-Reviewer: plaisthos 
Gerrit-CC: openvpn-devel 
Gerrit-Attention: cron2 
Gerrit-Attention: flichtenheld 
Gerrit-Attention: comododragon 
Gerrit-MessageType: newpatchset