This project forked from openssl/openssl
UNSUPPORTED Fork of OpenSSL 1.1.1 that includes prototype quantum-resistant algorithms and ciphersuites based on liboqs PLEASE SWITCH TO OQS-Provider for OpenSSL 3
Home Page: https://openquantumsafe.org/
License: Other
I have created an client/server application to establish ssl session via certificates.
Client.c
###############
#include <stdio.h>
#include <errno.h>
#include <unistd.h>
#include <malloc.h>
#include <string.h>
#include <sys/socket.h>
#include <resolv.h>
#include <netdb.h>
#include "ssl.h"
#include "err.h"
#include "crypto.h"
#include "apps.h"
#include "ssl.h"
#include "s_apps.h"
#define FAIL -1
int OpenConnection(const char *hostname, int port)
{ int sd;
struct hostent *host;
struct sockaddr_in addr;
if ( (host = gethostbyname(hostname)) == NULL )
{
perror(hostname);
abort();
}
sd = socket(PF_INET, SOCK_STREAM, 0);
bzero(&addr, sizeof(addr));
addr.sin_family = AF_INET;
addr.sin_port = htons(port);
addr.sin_addr.s_addr = *(long*)(host->h_addr);
if ( connect(sd, (struct sockaddr*)&addr, sizeof(addr)) != 0 )
{
close(sd);
perror(hostname);
abort();
}
return sd;
}
SSL_CTX* InitCTX(void)
{ SSL_METHOD *method;
SSL_CTX *ctx;
OpenSSL_add_all_algorithms(); /* Load cryptos, et.al. */
SSL_load_error_strings(); /* Bring in and register error messages */
method = SSLv3_client_method(); /* Create new client-method instance */
ctx = SSL_CTX_new(method); /* Create new context */
if ( ctx == NULL )
{
ERR_print_errors_fp(stderr);
abort();
}
return ctx;
}
void ShowCerts(SSL* ssl)
{ X509 *cert;
char *line;
cert = SSL_get_peer_certificate(ssl); /* get the server's certificate */
if ( cert != NULL )
{
printf("Server certificates:\n");
line = X509_NAME_oneline(X509_get_subject_name(cert), 0, 0);
printf("Subject: %s\n", line);
free(line); /* free the malloc'ed string */
line = X509_NAME_oneline(X509_get_issuer_name(cert), 0, 0);
printf("Issuer: %s\n", line);
free(line); /* free the malloc'ed string */
X509_free(cert); /* free the malloc'ed certificate copy */
}
else
printf("No certificates.\n");
}
int main(int count, char *strings[])
{ SSL_CTX *ctx;
int server,cipherset;
SSL *ssl;
char buf[1024];
int bytes;
char *hostname, *portnum;
if ( count != 3 )
{
printf("usage: %s <hostname> <portnum>\n", strings[0]);
exit(0);
}
SSL_library_init();
hostname=strings[1];
portnum=strings[2];
ctx = InitCTX();
_cipherset=SSL_CTX_set_cipher_list(ctx,"OQSKEX-GENERIC");
server = OpenConnection(hostname, atoi(portnum));
ssl = SSL_new(ctx); /* create new SSL connection state /
SSL_set_fd(ssl, server); / attach the socket descriptor /
//cipherset=SSL_CTX_set_cipher_list(ctx,"SSL_kOQSKEX_SIDH_CLN16");
if ( SSL_connect(ssl) == FAIL ) / perform the connection */
ERR_print_errors_fp(stderr);
else
{ char *msg = "Hello???";
printf("Connected with %s encryption\n", SSL_get_cipher(ssl));
ShowCerts(ssl); /* get any certs */
SSL_write(ssl, msg, strlen(msg)); /* encrypt & send message */
bytes = SSL_read(ssl, buf, sizeof(buf)); /* get reply & decrypt */
buf[bytes] = 0;
printf("Received: "%s"\n", buf);
SSL_free(ssl); /* release connection state /
}
close(server); / close socket /
SSL_CTX_free(ctx); / release context */
return 0;
}
server.c
#########################
#include <errno.h>
#include <unistd.h>
#include <malloc.h>
#include <string.h>
#include <arpa/inet.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <netinet/in.h>
#include <resolv.h>
#include "openssl/ssl.h"
#include "openssl/err.h"
#define FAIL -1
int OpenListener(int port)
{ int sd;
struct sockaddr_in addr;
sd = socket(PF_INET, SOCK_STREAM, 0);
bzero(&addr, sizeof(addr));
addr.sin_family = AF_INET;
addr.sin_port = htons(port);
addr.sin_addr.s_addr = INADDR_ANY;
if ( bind(sd, (struct sockaddr*)&addr, sizeof(addr)) != 0 )
{
perror("can't bind port");
abort();
}
if ( listen(sd, 10) != 0 )
{
perror("Can't configure listening port");
abort();
}
return sd;
}
int isRoot()
{
if (getuid() != 0)
{
return 0;
}
else
{
return 1;
}
}
SSL_CTX* InitServerCTX(void)
{ SSL_METHOD *method;
SSL_CTX *ctx;
OpenSSL_add_all_algorithms(); /* load & register all cryptos, etc. */
SSL_load_error_strings(); /* load all error messages */
method = SSLv3_server_method(); /* create new server-method instance */
ctx = SSL_CTX_new(method); /* create new context from method */
if ( ctx == NULL )
{
ERR_print_errors_fp(stderr);
abort();
}
return ctx;
}
void LoadCertificates(SSL_CTX* ctx, char* CertFile, char* KeyFile)
{
/* set the local certificate from CertFile /
if ( SSL_CTX_use_certificate_file(ctx, CertFile, SSL_FILETYPE_PEM) <= 0 )
{
ERR_print_errors_fp(stderr);
abort();
}
/ set the private key from KeyFile (may be the same as CertFile) /
if ( SSL_CTX_use_PrivateKey_file(ctx, KeyFile, SSL_FILETYPE_PEM) <= 0 )
{
ERR_print_errors_fp(stderr);
abort();
}
/ verify private key */
if ( !SSL_CTX_check_private_key(ctx) )
{
fprintf(stderr, "Private key does not match the public certificate\n");
abort();
}
}
void ShowCerts(SSL* ssl)
{ X509 *cert;
char *line;
cert = SSL_get_peer_certificate(ssl); /* Get certificates (if available) */
if ( cert != NULL )
{
printf("Server certificates:\n");
line = X509_NAME_oneline(X509_get_subject_name(cert), 0, 0);
printf("Subject: %s\n", line);
free(line);
line = X509_NAME_oneline(X509_get_issuer_name(cert), 0, 0);
printf("Issuer: %s\n", line);
free(line);
X509_free(cert);
}
else
printf("No certificates.\n");
}
void Servlet(SSL* ssl) /* Serve the connection -- threadable /
{ char buf[1024];
char reply[1024];
int sd, bytes;
const char HTMLecho="
%s\n\n";
if ( SSL_accept(ssl) == FAIL ) /* do SSL-protocol accept */
ERR_print_errors_fp(stderr);
else
{
ShowCerts(ssl); /* get any certificates */
bytes = SSL_read(ssl, buf, sizeof(buf)); /* get request */
if ( bytes > 0 )
{
buf[bytes] = 0;
printf("Client msg: \"%s\"\n", buf);
sprintf(reply, HTMLecho, buf); /* construct reply */
SSL_write(ssl, reply, strlen(reply)); /* send reply */
}
else
ERR_print_errors_fp(stderr);
}
sd = SSL_get_fd(ssl); /* get socket connection */
SSL_free(ssl); /* release SSL state */
close(sd); /* close connection */
}
int main(int count, char *strings[])
{ SSL_CTX *ctx;
int server;
char *portnum;
if(!isRoot())
{
printf("This program must be run as root/sudo user!!");
exit(0);
}
if ( count != 2 )
{
printf("Usage: %s <portnum>\n", strings[0]);
exit(0);
}
SSL_library_init();
portnum = strings[1];
ctx = InitServerCTX(); /* initialize SSL */
LoadCertificates(ctx, "mycert.pem", "mycert.pem"); /* load certs */
server = OpenListener(atoi(portnum)); /* create server socket */
while (1)
{ struct sockaddr_in addr;
socklen_t len = sizeof(addr);
SSL *ssl;
int client = accept(server, (struct sockaddr*)&addr, &len); /* accept connection as usual */
printf("Connection: %s:%d\n",inet_ntoa(addr.sin_addr), ntohs(addr.sin_port));
ssl = SSL_new(ctx); /* get new SSL state with context */
SSL_set_fd(ssl, client); /* set connection socket to SSL state */
Servlet(ssl); /* service connection */
}
close(server); /* close server socket */
SSL_CTX_free(ctx); /* release context */
}
#######
compilation command for server.c:gcc -Wall -o server server.c -L/usr/local/ssl/lib/ -lssl -lcrypto -loqs -ldl
compilation command for client.c:gcc -Wall -o client client.c -L/usr/local/ssl/lib/ -lssl -lcrypto -loqs -ldl
(/usr/local/ssl/lib contain compiled libcrypto amd liboqs library).
to run server code:./server port-number
to run client code:./client server-ip port-number
i am using set_cipher_list function to set QS cipher text but when i run client side code it is showing error
ERROR:140135386150560:error:140830B5:SSL routines:ssl3_client_hello:no ciphers available:s3_clnt.c:841:
Merge our depot with the latest OpenSSL release
Some BIKE ciphersuites (e.g., bike2l1, bike2l3, bike2l5, bike3l1, bike3l3, bike3l5) are not reliable for me in TLS 1.3 on my Mac. About 50% of the time, the connection goes through, and 50% of the time I get the following error:
CONNECTED(00000006)
4452943296:error:14200044:SSL routines:add_key_share:internal error:ssl/statem/extensions_clnt.c:626:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 0 bytes and written 7 bytes
Verification: OK
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)
---
I'm not sure what the problem is.
Any ideas, @christianpaquin?
Currently, the OQS-OpenSSL_1_1_1-stable branch only supports liboqs's master. Enable using the nist-branch.
First error is that oqs/oqs.h can't be found while building ssl3.h.
When I'm running the version from today on Debian 8, I got with "openssl speed oqskex_lwe_frodo_recommended" the output:
Doing OQS KEX LWE Frodo recommended Alice 0's for 10s: Invalid machine command
All other oqskex cipher will run.
I have compiled OQS-OpenSSL on CentOS 7.7 using gcc 7.3.1 by following the instructions (First get OQS-OpenSSL, then build and install liboqs at the root of OQS-OpenSSL and finally build OQS-OpenSSL).
Everything seems to work during the build process of OQS-OpenSSL, I've installed OQS-OpenSSL into "/usr/local/1.1.1d-OQS-OpenSSL_1_1_1-stable_snapshot_2019-10-0.2.0"
Issue:
The issue I get is when I try to compile code using standard OpenSSL is it complains that "oqs/oqs.h" couldn't be found. Indeed "oqs/oqs.h" is not installed when I issue a "make install" inside the OQS-OpenSSL directory. Also the instructions doesn't tell to separately install liboqs outside of OQS-OpenSSL.
Here's my build process:
cd /root/build/openssl/openssl-OpenSSL_1_1_1d && make clean ; ./Configure shared linux-x86_64 -lm --prefix="/usr/local/openssl-1.1.1d" && make -j 4 && make install
cd /root/build/liboqs/liboqs-0.2.0/ && autoreconf -i
cd /root/build/liboqs/liboqs-0.2.0/ && make clean ; ./configure --enable-shared --prefix="/root/build/openssloqs/openssl-OQS-OpenSSL_1_1_1-stable-snapshot-2019-10//oqs" --with-openssl="/usr/local/openssl-1.1.1d" "--disable-kem-bike" && make -j 4 && make install
cd /root/build/openssloqs/openssl-OQS-OpenSSL_1_1_1-stable-snapshot-2019-10/ && make clean ; ./Configure --prefix="/usr/local/1.1.1d-OQS-OpenSSL_1_1_1-stable_snapshot_2019-10-0.2.0" shared linux-x86_64 -lm && make -j 4 && make install
Now, when I try to build code that uses standard OpenSSL with OQS-OpenSSL I get this error (evp.h)
Error:
/usr/local/1.1.1d-OQS-OpenSSL_1_1_1-stable_snapshot_2019-10-0.2.0/include/openssl/evp.h:18:11: fatal error: oqs/oqs.h: No such file or directory
include <oqs/oqs.h>
^~~~~~~~~~~
compilation terminated.
make: *** [: OutboundTransferMgr.o] Error 1
[ CHROOT ] bash-4.2$>
==> How should I use the OpenSSL fork when building software that uses OpenSSL?
I have added
"-I/root/build/openssloqs/openssl-OQS-OpenSSL_1_1_1-stable-snapshot-2019-10/oqs/include"
to the Makefile so that "oqs/oqs.h" could resolve but I get other strange errors following this.
Thanks for your work here! I appreciate it :)
Sylvain
When liboqs is built, autoconf outputs config.h, which contains preprocessor defines that state what algorithms are enabled at the variant level; for e.g.: if in the file we have
...
#define OQS_ENABLE_SIG_qTESLA_I 1
/* #define OQS_ENABLE_SIG_qTESLA_III_size*/
...
this means qTESLA_I is enabled and qTESLA_III_size is not.
OpenSSL should also be able to enable and disable the use of these algorithms according to the config.h output.
The current 1.1.1 branch breaks interoperability with the previous tagged release due to different assignment of the code points for the PQ KEM algs. Up to the integration of templating code, the code points (used in TLS to specify the selected "curve") were assigned manually and care was taken to keep previously defined values the same, to ensure that client/server remained interoperable between versions or implementations (e.g., openssl and boringssl). Templating simplifies the integration of new algs, but overwrites previous code point values. This means that, in the future, any changes of the OQS supported list of algs will result in different code point values.
We should design a mechanism to assign specific code points to an algorithm, both if this is specified in a standard, or to preserve interop between releases. We support this already for signature OIDs.
If we break compatibility in this release, we should document that and bump the release version number accordingly.
I've tried to run the TLS demo on both Ubuntu and MacOS using the pure post-quantum certificate option for the CA and the server.
When I run the client app to establish a connection based on post-quantum kex ciphers like bike1l1 or sike503, the cipher suite is getting set to TLS_AES_256_GCM_SHA384. Here is what it shows:
"No client certificate CA names sent
Peer signature type: qTESLA-III-size
Server Temp Key: bike1l1
SSL handshake has read 10127 bytes and written 2895 bytes
Verification: OK
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Server public key is 2976 bit
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)"
Shouldn't the cipher be something like BIKEL1-ECDHE-QTESLAIIISIZE-AES256-GCM-SHA384?
Also, I think the server public key shown should be 2976 bytes instead of bits.
P.S.: The CA certificate uses qteslaI and the server certificate uses qteslaIIIsize. (The same issue also happens for other post-quantum signature algorithms such as picnicl1)
Dear PQS Team,
I am running into the following problem after a successful build of the corresponding library. I am not sure how to further debug the error, as searching for the gcc commands using grep did not find the correct line. What could I do to solve the issue and install the library?
${LDCMD:-gcc} -pthread -m64 -Ioqs/include -Wa,--noexecstack -Wall -O3 -L. -Loqs/lib \
-o test/buildtest_c_srp test/buildtest_srp.o \
-lssl -lcrypto -ldl -pthread -loqs -lm
rm -f test/buildtest_c_txt_db
/usr/bin/ld: cannot find -loqs
collect2: error: ld returned 1 exit status
Is it an issue with the capital, as using -Loqs does not seem to throw any errors! Perhaps you'll find the problem quicker, as if I spend more time trying to identify the problem. Should oqs be placed as loqs?
Best regards,
Cob
Hi'!
I need help, when I type in @ terminal: "make -j"
...then I got a few errors:
How can I fix that?
licit-function-declaration]
if (BN_GF2m_add(r, a, b) == 0) {
^~~~~~~~~~~
BN_mod_add
ref//openssl_utils.c:86:13: error: implicit declaration of function ‘BN_GF2m_mod_inv’; did you mean ‘BN_nist_mod_func’? [-Werror=implicit-function-declaration]
inv_res = BN_GF2m_mod_inv(r, a, m, bn_ctx);
^~~~~~~~~~~~~~~
BN_nist_mod_func
ref//openssl_utils.c: In function ‘OQS_KEM_bike3_l1_ossl_add’:
ref//openssl_utils.c:178:6: error: implicit declaration of function ‘BN_GF2m_add’; did you mean ‘BN_mod_add’? [-Werror=implicit-function-declaration]
if (BN_GF2m_add(r, a, b) == 0) {
^~~~~~~~~~~
BN_mod_add
ref//openssl_utils.c: In function ‘ossl_cyclic_product’:
ref//openssl_utils.c:59:6: error: implicit declaration of function ‘BN_GF2m_mod_mul’; did you mean ‘BN_mod_mul’? [-Werror=implicit-function-declaration]
if (BN_GF2m_mod_mul(r, a, b, m, bn_ctx) == 0) {
^~~~~~~~~~~~~~~
BN_mod_mul
ref//openssl_utils.c: In function ‘invert_poly’:
ref//openssl_utils.c:86:13: error: implicit declaration of function ‘BN_GF2m_mod_inv’; did you mean ‘BN_nist_mod_func’? [-Werror=implicit-function-declaration]
inv_res = BN_GF2m_mod_inv(r, a, m, bn_ctx);
^~~~~~~~~~~~~~~
BN_nist_mod_func
ref//openssl_utils.c: In function ‘OQS_KEM_bike3_l3_ossl_add’:
ref//openssl_utils.c:178:6: error: implicit declaration of function ‘BN_GF2m_add’; did you mean ‘BN_mod_add’? [-Werror=implicit-function-declaration]
if (BN_GF2m_add(r, a, b) == 0) {
^~~~~~~~~~~
BN_mod_add
ref//openssl_utils.c: In function ‘ossl_cyclic_product’:
ref//openssl_utils.c:59:6: error: implicit declaration of function ‘BN_GF2m_mod_mul’; did you mean ‘BN_mod_mul’? [-Werror=implicit-function-declaration]
if (BN_GF2m_mod_mul(r, a, b, m, bn_ctx) == 0) {
^~~~~~~~~~~~~~~
BN_mod_mul
ref//openssl_utils.c: In function ‘invert_poly’:
ref//openssl_utils.c:86:13: error: implicit declaration of function ‘BN_GF2m_mod_inv’; did you mean ‘BN_nist_mod_func’? [-Werror=implicit-function-declaration]
inv_res = BN_GF2m_mod_inv(r, a, m, bn_ctx);
^~~~~~~~~~~~~~~
BN_nist_mod_func
ref//openssl_utils.c: In function ‘OQS_KEM_bike3_l5_ossl_add’:
ref//openssl_utils.c:178:6: error: implicit declaration of function ‘BN_GF2m_add’; did you mean ‘BN_mod_add’? [-Werror=implicit-function-declaration]
if (BN_GF2m_add(r, a, b) == 0) {
^~~~~~~~~~~
cc1: all warnings being treated as errors
make[2]: *** [Makefile:1478: ref//libkembike1_l1_la-openssl_utils.lo] Error 1
make[2]: *** Waiting for unfinished jobs....
cc1: all warnings being treated as errors
make[2]: *** [Makefile:1514: ref//libkembike1_l3_la-openssl_utils.lo] Error 1
cc1: all warnings being treated as errors
make[2]: *** [Makefile:1550: ref//libkembike1_l5_la-openssl_utils.lo] Error 1
cc1: all warnings being treated as errors
make[2]: *** [Makefile:1586: ref//libkembike2_l1_la-openssl_utils.lo] Error 1
cc1: all warnings being treated as errors
make[2]: *** [Makefile:1622: ref//libkembike2_l3_la-openssl_utils.lo] Error 1
cc1: all warnings being treated as errors
cc1: all warnings being treated as errors
make[2]: *** [Makefile:1658: ref//libkembike2_l5_la-openssl_utils.lo] Error 1
cc1: all warnings being treated as errors
make[2]: *** [Makefile:1694: ref//libkembike3_l1_la-openssl_utils.lo] Error 1
make[2]: *** [Makefile:1730: ref//libkembike3_l3_la-openssl_utils.lo] Error 1
cc1: all warnings being treated as errors
make[2]: *** [Makefile:1766: ref//libkembike3_l5_la-openssl_utils.lo] Error 1
Good evening,
i just tried to build your openssl fork using the run.sh in ops_test.
It downloads liboqs just fine, compiles it (without any obvious error) and then tries to compile openssl.
Here it fails with the following errors:
/usr/bin/perl test/generate_buildtest.pl txt_db > test/buildtest_txt_db.c
/usr/bin/perl test/generate_buildtest.pl ui > test/buildtest_ui.c
In file included from ssl/statem/extensions_clnt.c:19:
ssl/statem/extensions_clnt.c: In function 'add_key_share':
ssl/statem/../ssl_locl.h:712:37: error: 'OQS_KEM_alg_newhope_512_cca_kem' undeclared (first use in this function); did you mean 'OQS_KEM_alg_newhope_512cca'?
(nid == NID_OQS_NEWHOPE_512_CCA ? OQS_KEM_alg_newhope_512_cca_kem : \
^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
ssl/statem/extensions_clnt.c:616:36: note: in expansion of macro 'OQS_ALG_NAME'
const char* oqs_alg_name = OQS_ALG_NAME(oqs_nid);
^~~~~~~~~~~~
ssl/statem/../ssl_locl.h:712:37: note: each undeclared identifier is reported only once for each function it appears in
(nid == NID_OQS_NEWHOPE_512_CCA ? OQS_KEM_alg_newhope_512_cca_kem : \
^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
ssl/statem/extensions_clnt.c:616:36: note: in expansion of macro 'OQS_ALG_NAME'
const char* oqs_alg_name = OQS_ALG_NAME(oqs_nid);
^~~~~~~~~~~~
In file included from ssl/statem/extensions_srvr.c:18:
ssl/statem/extensions_srvr.c: In function 'tls_construct_stoc_key_share':
ssl/statem/../ssl_locl.h:712:37: error: 'OQS_KEM_alg_newhope_512_cca_kem' undeclared (first use in this function); did you mean 'OQS_KEM_alg_newhope_512cca'?
(nid == NID_OQS_NEWHOPE_512_CCA ? OQS_KEM_alg_newhope_512_cca_kem : \
^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
ssl/statem/extensions_srvr.c:1817:34: note: in expansion of macro 'OQS_ALG_NAME'
const char* oqs_alg_name = OQS_ALG_NAME(oqs_nid);
^~~~~~~~~~~~
ssl/statem/../ssl_locl.h:712:37: note: each undeclared identifier is reported only once for each function it appears in
(nid == NID_OQS_NEWHOPE_512_CCA ? OQS_KEM_alg_newhope_512_cca_kem : \
^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
ssl/statem/extensions_srvr.c:1817:34: note: in expansion of macro 'OQS_ALG_NAME'
const char* oqs_alg_name = OQS_ALG_NAME(oqs_nid);
^~~~~~~~~~~~
/usr/bin/perl test/generate_buildtest.pl whrlpool > test/buildtest_whrlpool.c
/usr/bin/perl test/generate_buildtest.pl x509 > test/buildtest_x509.c
/usr/bin/perl test/generate_buildtest.pl x509_vfy > test/buildtest_x509_vfy.c
/usr/bin/perl test/generate_buildtest.pl x509v3 > test/buildtest_x509v3.c
gcc -Iinclude -pthread -m64 -Ioqs/include -Wa,--noexecstack -Wall -O3 -DNDEBUG -MMD -MF test/casttest.d.tmp -MT test/casttest.o -c -o test/casttest.o test/casttest.c
gcc -I. -Iinclude -Icrypto/include -pthread -m64 -Ioqs/include -Wa,--noexecstack -Wall -O3 -DNDEBUG -MMD -MF test/chacha_internal_test.d.tmp -MT test/chacha_internal_test.o -c -o test/chacha_internal_test.o test/chacha_internal_test.c
gcc -I. -Iinclude -pthread -m64 -Ioqs/include -Wa,--noexecstack -Wall -O3 -DNDEBUG -MMD -MF test/cipher_overhead_test.d.tmp -MT test/cipher_overhead_test.o -c -o test/cipher_overhead_test.o test/cipher_overhead_test.c
gcc -Iinclude -pthread -m64 -Ioqs/include -Wa,--noexecstack -Wall -O3 -DNDEBUG -MMD -MF test/cipherbytes_test.d.tmp -MT test/cipherbytes_test.o -c -o test/cipherbytes_test.o test/cipherbytes_test.c
gcc -Iinclude -pthread -m64 -Ioqs/include -Wa,--noexecstack -Wall -O3 -DNDEBUG -MMD -MF test/cipherlist_test.d.tmp -MT test/cipherlist_test.o -c -o test/cipherlist_test.o test/cipherlist_test.c
gcc -Iinclude -pthread -m64 -Ioqs/include -Wa,--noexecstack -Wall -O3 -DNDEBUG -MMD -MF test/ciphername_test.d.tmp -MT test/ciphername_test.o -c -o test/ciphername_test.o test/ciphername_test.c
gcc -Iinclude -pthread -m64 -Ioqs/include -Wa,--noexecstack -Wall -O3 -DNDEBUG -MMD -MF test/clienthellotest.d.tmp -MT test/clienthellotest.o -c -o test/clienthellotest.o test/clienthellotest.c
ssl/statem/../ssl_locl.h:713:37: error: 'OQS_KEM_alg_newhope_1024_cca_kem' undeclared (first use in this function); did you mean 'OQS_KEM_alg_newhope_1024cca'?
(nid == NID_OQS_NEWHOPE_1024_CCA? OQS_KEM_alg_newhope_1024_cca_kem : \
^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
ssl/statem/extensions_clnt.c:616:36: note: in expansion of macro 'OQS_ALG_NAME'
const char* oqs_alg_name = OQS_ALG_NAME(oqs_nid);
^~~~~~~~~~~~
ssl/statem/../ssl_locl.h:713:37: error: 'OQS_KEM_alg_newhope_1024_cca_kem' undeclared (first use in this function); did you mean 'OQS_KEM_alg_newhope_1024cca'?
(nid == NID_OQS_NEWHOPE_1024_CCA? OQS_KEM_alg_newhope_1024_cca_kem : \
^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
ssl/statem/extensions_srvr.c:1817:34: note: in expansion of macro 'OQS_ALG_NAME'
const char* oqs_alg_name = OQS_ALG_NAME(oqs_nid);
^~~~~~~~~~~~
gcc -Iinclude -pthread -m64 -Ioqs/include -Wa,--noexecstack -Wall -O3 -DNDEBUG -MMD -MF test/cmsapitest.d.tmp -MT test/cmsapitest.o -c -o test/cmsapitest.o test/cmsapitest.c
make[1]: *** [Makefile:6186: ssl/statem/extensions_srvr.o] Error 1
make[1]: *** Waiting for unfinished jobs....
make[1]: *** [Makefile:6170: ssl/statem/extensions_clnt.o] Error 1
make[1]: Leaving directory '/home/scarjit/Documents/openssl'
make: *** [Makefile:172: all] Error 2
Iv included the full log as a gist. (Please note, that i omitted the clone script, since my internet is very slow. I have however used make clean in both the openssl and oqs_test/tmp/liboqs.
https://gist.github.com/Scarjit/1c7c15e0c37bfa7eb24afc4e2a07364a
In the C source code e.g. https://github.com/open-quantum-safe/openssl/blob/OQS-OpenSSL_1_1_1-stable/crypto/objects/obj_dat.h#L5798 hybrid signature algorithms have an underscore e.g. p256_oqsdefault.
But in the test harness https://github.com/open-quantum-safe/openssl/blob/OQS-OpenSSL_1_1_1-stable/oqs_test/tests/test_openssl.py#L23 and in README.md, the hybrid signature algorithms have a hyphen e.g. p256-oqsdefault.
Does this mean that they are not running correctly?
Observed by Michael Baentsch.
Since liboqs supports the Google Ciphersuites and they are implemented in the liboqs-Library, i guess it makes sense to let this fork have the ability to use them, too!
Would this be possible?
Thanks
HI! I'm trying to compile the PQ OpenSSL fork into NGINX, I've run into some problems when building nginx wirth openssl underneath. I'll show my Dockerfile to clarify my procedure for installing Nginx. I have tested the TLS demo and works fine, but when configuring Nginx on Ubuntu 18.04 it fails. I kindly ask if anyone know how to solve this problem.
FROM ubuntu:18.04
### Building NGINX from source with post quantum openssl for TLS connections
RUN apt update && apt upgrade -y
RUN apt install wget autoconf automake libtool libssl-dev make unzip xsltproc git -y
RUN apt install build-essential -y
### Step 1: Build required libraries: pcre, zlib and quantum safe openssl
### PCRE
RUN wget ftp://ftp.csx.cam.ac.uk/pub/software/programming/pcre/pcre-8.42.tar.gz && \
tar -zxf pcre-8.42.tar.gz && \
cd pcre-8.42 && \
./configure && \
make && \
make install
### ZLIB
RUN wget http://zlib.net/zlib-1.2.11.tar.gz && \
tar -zxf zlib-1.2.11.tar.gz && \
cd zlib-1.2.11 && \
./configure && \
make && \
make install
### Install liboqs
WORKDIR /usr/local/
RUN git clone --branch OQS-OpenSSL_1_1_1-stable https://github.com/open-quantum-safe/openssl.git
RUN git clone --branch master https://github.com/open-quantum-safe/liboqs.git
WORKDIR /usr/local/liboqs
RUN autoreconf -i
RUN ./configure --prefix=/usr/local/openssl/oqs --enable-shared=no
RUN make -j
RUN make install
### Install openssl
WORKDIR /usr/local/openssl
RUN ./config --prefix=/usr/local/openssl -Wl,-rpath -Wl,/usr/local/openssl/oqs/lib
RUN make -j
RUN cp libcrypto.so.1.1 ./oqs/lib
RUN cp libssl.so.1.1 ./oqs/lib
WORKDIR /
### Step 2: Download NGINX and RTMP module
RUN wget https://nginx.org/download/nginx-1.15.11.tar.gz && \
tar zxf nginx-1.15.11.tar.gz
RUN wget https://github.com/arut/nginx-rtmp-module/archive/master.zip && \
unzip master.zip
RUN rm -rf *.tar.gz
### Step 3: Build and install NGINX
RUN wget https://nginx.org/download/nginx-1.15.11.tar.gz && \
tar zxf nginx-1.15.11.tar.gz
RUN cd nginx-1.15.11 && ./configure \
--with-cc-opt="-I /usr/local/openssl/oqs/include/" \
--with-ld-opt="-L /usr/local/openssl/oqs/lib/"\
--sbin-path=/usr/local/nginx/nginx \
--conf-path=/usr/local/nginx/nginx.conf \
--pid-path=/usr/local/nginx/nginx.pid \
--with-pcre=../pcre-8.42 \
--with-zlib=../zlib-1.2.11 \
--with-openssl=/usr/local/openssl \
--with-http_ssl_module \
--with-stream \
--with-mail=dynamic \
--add-module=/nginx-rtmp-module-master && \
make && \
make install
The error is the following:
/usr/local/openssl/.openssl/lib/libssl.a(s3_lib.o): In function ssl3_clear': s3_lib.c:(.text+0x51b): undefined reference to OQS_KEM_free'
/usr/local/openssl/.openssl/lib/libssl.a(extensions_clnt.o): In function tls_construct_ctos_key_share': extensions_clnt.c:(.text+0x18af): undefined reference to OQS_KEM_new'
extensions_clnt.c:(.text+0x1952): undefined reference to OQS_KEM_keypair' extensions_clnt.c:(.text+0x199c): undefined reference to OQS_MEM_secure_free'
extensions_clnt.c:(.text+0x19a4): undefined reference to OQS_MEM_insecure_free' extensions_clnt.c:(.text+0x19c2): undefined reference to OQS_KEM_free'
/usr/local/openssl/.openssl/lib/libssl.a(extensions_clnt.o): In function tls_parse_stoc_key_share': extensions_clnt.c:(.text+0x3c96): undefined reference to OQS_MEM_secure_free'
extensions_clnt.c:(.text+0x3cb4): undefined reference to OQS_MEM_secure_free' extensions_clnt.c:(.text+0x3cd2): undefined reference to OQS_KEM_free'
extensions_clnt.c:(.text+0x3d77): undefined reference to OQS_KEM_decaps' /usr/local/openssl/.openssl/lib/libssl.a(extensions_srvr.o): In function tls_construct_stoc_key_share':
extensions_srvr.c:(.text+0x3769): undefined reference to OQS_KEM_new' extensions_srvr.c:(.text+0x37be): undefined reference to OQS_KEM_encaps'
extensions_srvr.c:(.text+0x3906): undefined reference to OQS_MEM_secure_free' extensions_srvr.c:(.text+0x390e): undefined reference to OQS_KEM_free'
extensions_srvr.c:(.text+0x3aeb): undefined reference to OQS_MEM_secure_free' extensions_srvr.c:(.text+0x3af3): undefined reference to OQS_KEM_free'
/usr/local/openssl/.openssl/lib/libcrypto.a(oqs_meth.o): In function pkey_oqs_digestverify': oqs_meth.c:(.text+0x101): undefined reference to OQS_SIG_verify'
/usr/local/openssl/.openssl/lib/libcrypto.a(oqs_meth.o): In function pkey_oqs_digestsign': oqs_meth.c:(.text+0x62f): undefined reference to OQS_SIG_sign'
/usr/local/openssl/.openssl/lib/libcrypto.a(oqs_meth.o): In function oqs_free': oqs_meth.c:(.text+0x1d0e): undefined reference to OQS_SIG_free'
/usr/local/openssl/.openssl/lib/libcrypto.a(oqs_meth.o): In function oqs_key_init': oqs_meth.c:(.text+0x1df9): undefined reference to OQS_SIG_new'
oqs_meth.c:(.text+0x1f30): undefined reference to OQS_SIG_free' /usr/local/openssl/.openssl/lib/libcrypto.a(oqs_meth.o): In function oqs_priv_decode':
oqs_meth.c:(.text+0x22f6): undefined reference to OQS_SIG_free' /usr/local/openssl/.openssl/lib/libcrypto.a(oqs_meth.o): In function pkey_oqs_keygen':
oqs_meth.c:(.text+0x2528): undefined reference to OQS_SIG_new' oqs_meth.c:(.text+0x273c): undefined reference to OQS_SIG_keypair'
oqs_meth.c:(.text+0x2778): undefined reference to OQS_SIG_free' oqs_meth.c:(.text+0x2810): undefined reference to OQS_SIG_free'
/usr/local/openssl/.openssl/lib/libcrypto.a(oqs_meth.o): In function oqs_pub_decode': oqs_meth.c:(.text+0x2b6a): undefined reference to OQS_SIG_free'
collect2: error: ld returned 1 exit status
objs/Makefile:323: recipe for target 'objs/nginx' failed
make[1]: Leaving directory '/nginx-1.15.11'
make[1]: *** [objs/nginx] Error 1
Makefile:8: recipe for target 'build' failed
make: *** [build] Error 2
Thanks!
It would be nice to have a Docker image for automatic benchmarking of liboqs-based ciphersuites in this OpenSSL fork.
The newly added .circleci/git_no_checkin_in_last_day.sh script usage in the .circleci/config.yml should only skip if there was no check-in in both OpenSSL and liboqs; currently it skips if there was no check-in in just OpenSSL.
Also needs to be changed in OQS-OpenSSH.
Denis Butin wrote in an email:
I had crashes with Ubuntu 16.10, which uses GCC 6 instead of GCC 5. There may be a link with the aforementioned warnings. Taking a closer look with gdb showed a segfault that went away once I commented out the following lines:
In s3_clnt.c:
OQS_KEX_free(oqskex_kex);
OQS_RAND_free(oqskex_rand);
On 1.1.1, s_client prints out OQS pub key sizes in bytes, rather than in bits.
Running nmake -f ms\ntdll.mak (instead of nt.mak, as described in the README.md) fails; many unresolved external symbol OQS_KEM_* errors. liboqs must be correctly linked in this makefile to fix this.
Also set it up so that it builds the current branch, not just master
Hi!
Can I easily update the following OpenSSL packages in my package-manager after compiling OpenSSL Quantum myself and installed it.
My package-manager shows me new updates of:
Or I always have to compile and install updates of OpenSSL Quantum myself?
Not that I'm overwriting OpenSSL Quantum.
I receive an error
on the OpenSSL fork built $ make -j execution:
¿Any help? Thanks!
Add KEMs from open-quantum-safe/liboqs#445
Latest OQS update breaks the OpenSSL build. "./config" results in the following error:
cd vendor/liboqs && make links
make[1]: Entering directory '/mnt/c/temp/openssl/vendor/liboqs'
make[1]: *** No rule to make target 'links'. Stop.
make[1]: Leaving directory '/mnt/c/temp/openssl/vendor/liboqs'
Makefile:451: recipe for target 'links' failed
make: *** [links] Error 2
The config script shouldn't be "making" vendor/liboqs. This is currently done in "make".
Compiling OpenSSL with your instructions works very well, but when I started with "make install" after all other commands, I got some error.
cp include/oqs/*.h /usr/local/ssl/include/oqs
cp: der Aufruf von stat für „include/oqs/kex_lwe_newhope.h“ ist nicht möglich: Datei oder Verzeichnis nicht gefunden
Makefile:551: recipe for target 'install_sw' failed
make: *** [install_sw] Error 1
I tried it on Debian 8 with gcc (Debian 4.9.2-10) 4.9.2.
Update the PQC integration into TLS 1.3 page.
Hi! I'm considering doing a little benchmark of the post quantum ciphers in a openssl playground (mainly kex & signature algorithms). I've tested the command line server that comes with the openssl server and generated a self signed certificate with the pq signature of choice. I could connect to this server via the openssl s_client tool, which lets you specify with the -curves parameter the algorithm. This option is not available with the s_time command, very handy when benchmarking TLS connections. How do I specifically force a KEX algorithm in the test server/client connection with s_time. Are there any workarounds that you might know?
Thank you!
When using liboqs-master with OQS-OpenSSL-1_1_1_stable, key generation fails for the combinations: rsa3072_qteslaI, p384_qteslaIIIsize, p384_qteslaIIIspeed. See https://circleci.com/gh/open-quantum-safe/testing/127 or https://circleci.com/gh/open-quantum-safe/testing/128.
For much easier use, KEMs should probably be integrated in the EVP framework. I did some experiments, and I now do have a certified Kyber 512 public key.
This should then be useful to consider OPTLS-like setups.
The challenge of course is EVP_PKEY_derive being almost but not quite suitable for this task. I have not tackled this problem yet, but it may be possible to slightly extend the API to obtain a ciphertext instead of the public key. That seems the main challenge, I think it should be possible to override the derive function such that it conditionally encapsulates or decapsulates:
static int pkey_oqs_derive(EVP_PKEY_CTX *ctx, unsigned char *key, size_t *keylen) {
OQS_KEY *oqs_key = (OQS_KEY*) ctx->pkey->pkey.ptr;
OQS_KEY *oqs_peer = (OQS_KEY*) ctx->peerkey->pkey.ptr;
*keylen = oqs_size(ctx->pkey);
if (key == NULL) {
return 1;
}
if (oqs_peer->ciphertext) {
if (OQS_KEM_decaps(oqs_key->k, key, oqs_peer->ciphertext, oqs_key->privkey) == OQS_SUCCESS) {
return 1;
}
} else {
oqs_peer->ciphertext = OPENSSL_malloc(*keylen);
if (OQS_KEM_encaps(oqs_key->k, key, oqs_peer->ciphertext, oqs_peer->pubkey) == OQS_SUCCESS) {
return 1;
}
}
return 0;
}
Obviously, that does mean that the users of the EVP API need to do some detection "is this method a KEM" and obtain and/or set the ciphertext if needed.
"make test" fails on OQS-OpenSSL_1_1_1-stable (and not on the upstream's OpenSSL_1_1_1-stable branch)
I'm interested in using the signature algorithms from liboqs thru OpenSSL's PKCS7 interface. Through some experimentation, I've noticed that for the OQS algorithms, an oqs_pkey_ctrl() function that handles the ASN1_PKEY_CTRL_PKCS7_SIGN operation isn't defined in oqs_meth.c as has been done for classical algorithms such as in rsa_ameth.c or ec_ameth.c. I blindly wrote a crude implementation of that function to see what else fails with generating a PKCS7 signature with an quantum safe signature algorithm and I hit a lot of issues with OpenSSL's PKCS7 code not handling a NULL digest associated with OQS private keys.
Could someone provide some background on why PKCS7 support with OQS along wasn't done (totally understand if it wasn't a priority) as it seems a lot of the core ASN1 calls were implemented in oqs_meth.c or if there is some gating technical reason that would make this work a challenge?
Document the examples from issue #68, either in README.md or in the wiki.
Should we also add this to the integration tests?
I'm getting a whole bunch of errors like
ssl/t1_trce.c:563:6: error: initializer element is not constant
{OQS_KEM_CURVEID(NID_OQS_ledakem_C1_N02), "ledakem_C1_N02"},
^~~~~~~~~~~~~~~
ssl/t1_trce.c:563:6: note: (near initialization for 'ssl_groups_tbl[58].num')
When attempt to build the OQS-OpenSSL_1_1_1-stable branch as a shared library with the following configure statement:
./Configure shared linux-x86_64 -lmmake fails with the following error:
ranlib libssl.a || echo Never mind.
Error: EVP_MD_CTX_create does not have a number assigned
Makefile:762: recipe for target 'libcrypto.map' failed
make[1]: *** [libcrypto.map] Error 25
make[1]: *** Waiting for unfinished jobs....
make[1]: Leaving directory '/home/peter/Documents/openssl'
Makefile:172: recipe for target 'all' failed
make: *** [all] Error 2Is there something special that needs to be done in order to build the fork as a shared library?
edit specify branch
I just realized that the liboqs code is redundant in this repository; should we add liboqs as a git submodule rather than copy/pasting all the code?
Provide CI testing for the OQS fork
We should be able to generate a server cert issued by a root CA using these instructions:
./apps/openssl req -x509 -new -newkey qteslaI -keyout rootCA.key -out rootCA.crt -nodes -subj "/CN=rootCA" -days 365 -config apps/openssl.cnf./apps/openssl genpkey -algorithm qteslaI -out server.key./apps/openssl req -new -newkey qteslaI -keyout server.key -out server.csr -nodes -subj "/CN=server" -days 365 -config apps/openssl.cnf./apps/openssl x509 -req -in server.csr -out server.crt -CA rootCA.crt -CAkey rootCA.key -CAcreateserial -days 365The last step however fails with:
Signature verification error 140249734448896:error:0D0C50C7:asn1 encoding routines:ASN1_item_verify:unknown signature algorithm:crypto/asn1/a_verify.c:111:
(tested with master branch of liboqs)
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
An Open Source Machine Learning Framework for Everyone
Django
The Web framework for perfectionists with deadlines.
Laravel
A PHP framework for web artisans
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
Some thing interesting about web. New door for the world.
A server is a program made to process requests and deliver data to clients.
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
Some thing interesting about visualization, use data art
Some thing interesting about game, make everyone happy.
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
Microsoft
Open source projects and samples from Microsoft.
Google
Google ❤️ Open Source for everyone.
Alibaba
Alibaba Open Source for everyone
D3
Data-Driven Documents codes.
Tencent
China tencent open source team.