Comments (10)
I make sure the dev-1.3 branch always builds before I update it, so you should always be able to git submodule update to get back to known good points, if you're experimenting with newer versions of the dependencies on your own.
We'll make our next official release (and merge all of these changes to PQCrypto-VPN's master) when OQS declares an official OpenSSL 1.1.1 release.
Are you observing any particular problems with the proper functioning of the ecdh-curve directive with those versions of liboqs and OQS-OpenSSL?
from pqcrypto-vpn.
When I attempt to build with liboqs 0.3.1-dev and openssl-oqs-rc2 the produced Windows and Linux binaries include the original crypto libraries, meaning that the ecdh-curve setting does not recognize OQS options such as sikep610 or sidhp610 etc. so when a negotiation is started it turns back to classic curves such as secp or sect. In this case the size of the binaries is almost the same as the original one (~8,7MB for the Windows binary or something like that). If I combine liboqs 0.3.0 and openssl-oqs-rc2 then the binaries have sizes similar to the working oqs binaries but again the ecdh-curve setting turns back to classic curves.
I wish my statements give you a directing point for your next commits on the OQS projects.
Best regards
from pqcrypto-vpn.
Kevin, I think that I found out the answer, it seems that ecdh-curve changes to group from now on, but please have a look at it.
from pqcrypto-vpn.
Kevin,
Also "remote-cert-ku serverAuth" seems to be more sufficient than "remote-cert-tls server" when creating the certs in Windows.
from pqcrypto-vpn.
The ecdh-curve is an OpenVPN configuration directive as of version 2.4.9; changes in liboqs or OQS-OpenSSL cannot have changed this. This is still the correct directive to use to choose a PQ key exchange algorithm for OpenVPN.
Have you observed any problems when using the liboqs 0.3.0 and OQS-OpenSSL-rc1 where dev-1.3 currently is?
As for the problems with getting OpenVPN to link against the correct OpenSSL binaries, that's always a tricky business, especially if you're doing builds by hand instead of using our build.py script. If you are doing builds by hand, make sure you're including the command line arguments to point the compiler and linker at wherever you've installed OQS-OpenSSL's include and library paths. Our build.py script is still doing this correctly the last I checked on both Linux and Windows; please forward a bug report with a repro if you're seeing otherwise.
For this upcoming release, I expect we'll stick with liboqs 0.3.0. The only thing that would change this is if liboqs 0.3.1 is released before OQS-OpenSSL 1.1.1, and the latter depends on the former.
from pqcrypto-vpn.
dev-3.1 latest works perfectly as expected, with ecdh-curve recognizing the OQS KEMs etc.
dev-3.1 with custom "injected" liboqs 0.3.1-dev and rc2 has issues with ecdh-curve, which recognizes only classical curves etc. but works when group directive is used. Normally group seems to be a Linux-only directive but on my build it works with Windows 10 as well. But probably all this is due to the library linking mismatch you mentioned.
from pqcrypto-vpn.
Here is the actual OpenVPN error:
Mon Jun 29 21:24:03 2020 Failed to use supplied curve (ntru_hps4096821), using secp384r1 instead.
Mon Jun 29 21:24:03 2020 ECDH curve secp384r1 added
from pqcrypto-vpn.
We've found the change between RC1 and RC2 broke our curve-setting code. I'll have a fix on the way soon as part of updating the dev-1.3 branch.
from pqcrypto-vpn.
That's great Kevin,
I always want to build the pretty latest version of the OQS OpenVPN engine, that's why I run these custom tests.
Another issue is that if you build liboqs 0.3.1-dev with rc2 a normal/original OpenVPN is produced (a binary of about 8,5MB or so)
Have a look at this too, when you have some available time.
Thanks for all this work again
from pqcrypto-vpn.
I won't be able to look at 0.3.1-dev at this time. We're only going to be looking at the current released version of liboqs once the OQS-OpenSSL 1.1.1 release is official.
That being said, the size of the openvpn binary shouldn't vary noticeably in size if it's accidentally linked against the wrong version of OpenSSL, because all of the OQS code is in the dynamically-linked OpenSSL binaries. The size of the openvpn binary is not a reliable indicator of correct linking. What will change is the size of libcrypto.so.1.1 (on Linux) or libcrypto-1_1-x64.dll (on Windows) compared to normal OpenSSL. An easy check is to search the libcrypto binary for the string "OQS". That doesn't appear in stock OpenSSL.
Please note that if you want to use a pure PQ scheme like ntru_hps4096821, you must specify the ecdh-curve directive in both the server and client configurations. Otherwise, OQS-OpenSSL will only offer the hybrid (classical + PQ) schemes in the ClientHello, and if the server is configured to only accept a pure PQ scheme, they will fail to agree on a key exchange algorithm and fail to connect.
The dev-1.3 branch has now been updated to use liboqs 0.3.0 and OQS-OpenSSL 1.1.1-rc2.
from pqcrypto-vpn.
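The two checks discussed in this thread, written out as an added example that is not part of the original comments or of PQCrypto-VPN's own code: searching a libcrypto binary for the "OQS" string, and spotting the silent fallback to a classical curve in an OpenVPN log. The function names and the chunked search are assumptions of this sketch; the log pattern is taken from the error quoted above.

```python
import re

# The two log lines quoted in the thread, used as sample input.
SAMPLE_LOG = """\
Mon Jun 29 21:24:03 2020 Failed to use supplied curve (ntru_hps4096821), using secp384r1 instead.
Mon Jun 29 21:24:03 2020 ECDH curve secp384r1 added
"""

# Matches the fallback message and captures the requested and substituted curve.
FALLBACK_RE = re.compile(
    r"Failed to use supplied curve \((?P<wanted>[^)]+)\), using (?P<used>\S+) instead"
)


def curve_fallbacks(log_text):
    """Return (requested, used) pairs for every curve fallback in an OpenVPN log."""
    return [(m["wanted"], m["used"]) for m in FALLBACK_RE.finditer(log_text)]


def libcrypto_has_oqs(path, chunk_size=1 << 20):
    """Return True if the file at `path` contains the byte string b"OQS".

    The file is read in chunks; the last two bytes of each chunk are carried
    over so a marker split across a chunk boundary is still found.
    """
    marker = b"OQS"
    tail = b""
    with open(path, "rb") as fh:
        while chunk := fh.read(chunk_size):
            if marker in tail + chunk:
                return True
            tail = chunk[-(len(marker) - 1):]
    return False


if __name__ == "__main__":
    import sys

    for wanted, used in curve_fallbacks(SAMPLE_LOG):
        print(f"fallback: requested {wanted}, OpenVPN is using {used}")
    # Pass the path(s) of libcrypto.so.1.1 or libcrypto-1_1-x64.dll to check them.
    for lib in sys.argv[1:]:
        found = libcrypto_has_oqs(lib)
        print(f"{lib}: {'OQS marker found' if found else 'no OQS marker'}")
```

A non-empty result from `curve_fallbacks` means the tunnel came up on a classical curve even though a PQ scheme was configured, so it is worth alerting on rather than treating as informational.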