microsoft / pqcrypto-vpn
Post-quantum Cryptography VPN
Home Page: https://www.microsoft.com/research/project/post-quantum-crypto-vpn/
License: MIT License
I tested kyber512, kyber768 and kyber1024. The test is simple:
Kyber512 (click to see the Kyber NIST submission paper for round 2 with the Kyber specs):
ecdh-curve kyber512
ecdh-curve kyber512
and tls-version-min 1.3
:valid
connection, but the crypto is utterly incorrect/broken just from glancing at the observations above.
ecdh-curve
parameter found in the configuration file, but it seems the server does set it.
Kyber768:
ecdh-curve kyber768
.Change Cipher Spec
and specifies the kyber768 group, but does not send its key.
kyber1024:
I tried building in a docker container and I get this error following the instructions on the readme for the new branch. Since I am building in Linux the build should not fail if the windows-building-process fails.
Also, is nsis really required? Can we get rid of it? :)
Edit 1: I build on alpine base image, not ubuntu or the one in the repo.
Error message
Extract '/opt/PQCrypto-VPN/openvpn/build/repos/openvpn-build/windows-nsis/sources/liboqs.tar.gz'
Extract '/opt/PQCrypto-VPN/openvpn/build/repos/openvpn-build/windows-nsis/sources/lzo-2.10.tar.gz'
Extract '/opt/PQCrypto-VPN/openvpn/build/repos/openvpn-build/windows-nsis/sources/openssl-oqs.tar.gz'
Extract '/opt/PQCrypto-VPN/openvpn/build/repos/openvpn-build/windows-nsis/sources/openvpn-2.4.8.tar.gz'
Extract '/opt/PQCrypto-VPN/openvpn/build/repos/openvpn-build/windows-nsis/sources/openvpn-gui-11.tar.gz'
Extract '/opt/PQCrypto-VPN/openvpn/build/repos/openvpn-build/windows-nsis/sources/pkcs11-helper-1.22.tar.bz2'
Extract '/opt/PQCrypto-VPN/openvpn/build/repos/openvpn-build/windows-nsis/sources/tap-windows-9.24.2.zip'
Archive: /opt/PQCrypto-VPN/openvpn/build/repos/openvpn-build/windows-nsis/sources/tap-windows-9.24.2.zip
creating: tap-windows-9.24.2/
creating: tap-windows-9.24.2/arm64/
inflating: tap-windows-9.24.2/arm64/tapinstall.exe
inflating: tap-windows-9.24.2/arm64/tap0901.cat
inflating: tap-windows-9.24.2/arm64/tap0901.sys
inflating: tap-windows-9.24.2/arm64/OemVista.inf
creating: tap-windows-9.24.2/include/
inflating: tap-windows-9.24.2/include/tap-windows.h
creating: tap-windows-9.24.2/amd64/
inflating: tap-windows-9.24.2/amd64/tapinstall.exe
inflating: tap-windows-9.24.2/amd64/tap0901.cat
inflating: tap-windows-9.24.2/amd64/tap0901.sys
inflating: tap-windows-9.24.2/amd64/OemVista.inf
creating: tap-windows-9.24.2/i386/
inflating: tap-windows-9.24.2/i386/tapinstall.exe
inflating: tap-windows-9.24.2/i386/tap0901.cat
inflating: tap-windows-9.24.2/i386/tap0901.sys
inflating: tap-windows-9.24.2/i386/OemVista.inf
Patch: '/opt/PQCrypto-VPN/openvpn/build/repos/openvpn-build/generic/patches/pkcs11-helper-001-RFC7512.patch'
patching file lib/pkcs11h-serialization.c
patching file lib/pkcs11h-util.c
Build liboqs
-- The C compiler identification is GNU 8.3.0
-- The ASM compiler identification is GNU
-- Found assembler: /usr/bin/x86_64-w64-mingw32-gcc
-- Check for working C compiler: /usr/bin/x86_64-w64-mingw32-gcc
-- Check for working C compiler: /usr/bin/x86_64-w64-mingw32-gcc -- broken
CMake Error at /usr/share/cmake/Modules/CMakeTestCCompiler.cmake:60 (message):
The C compiler
"/usr/bin/x86_64-w64-mingw32-gcc"
is not able to compile a simple test program.
It fails with the following output:
Change Dir: /opt/PQCrypto-VPN/openvpn/build/repos/openvpn-build/windows-nsis/tmp/build-x86_64/liboqs/build-win/CMakeFiles/CMakeTmp
Run Build Command(s):/usr/bin/ninja cmTC_38761 && [1/2] Building C object CMakeFiles/cmTC_38761.dir/testCCompiler.c.obj
[2/2] Linking C executable cmTC_38761.exe
FAILED: cmTC_38761.exe
: && /usr/bin/x86_64-w64-mingw32-gcc -Wl,--dynamicbase,--nxcompat CMakeFiles/cmTC_38761.dir/testCCompiler.c.obj -o cmTC_38761.exe -Wl,--out-implib,libcmTC_38761.dll.a -Wl,--major-image-version,0,--minor-image-version,0 -lkernel32 -luser32 -lgdi32 -lwinspool -lshell32 -lole32 -loleaut32 -luuid -lcomdlg32 -ladvapi32 && :
/usr/lib/gcc/x86_64-w64-mingw32/8.3.0/../../../../x86_64-w64-mingw32/bin/ld: cannot find crt2.o: No such file or directory
/usr/lib/gcc/x86_64-w64-mingw32/8.3.0/../../../../x86_64-w64-mingw32/bin/ld: cannot find crtbegin.o: No such file or directory
/usr/lib/gcc/x86_64-w64-mingw32/8.3.0/../../../../x86_64-w64-mingw32/bin/ld: cannot find -lkernel32
/usr/lib/gcc/x86_64-w64-mingw32/8.3.0/../../../../x86_64-w64-mingw32/bin/ld: cannot find -luser32
/usr/lib/gcc/x86_64-w64-mingw32/8.3.0/../../../../x86_64-w64-mingw32/bin/ld: cannot find -lgdi32
/usr/lib/gcc/x86_64-w64-mingw32/8.3.0/../../../../x86_64-w64-mingw32/bin/ld: cannot find -lwinspool
/usr/lib/gcc/x86_64-w64-mingw32/8.3.0/../../../../x86_64-w64-mingw32/bin/ld: cannot find -lshell32
/usr/lib/gcc/x86_64-w64-mingw32/8.3.0/../../../../x86_64-w64-mingw32/bin/ld: cannot find -lole32
/usr/lib/gcc/x86_64-w64-mingw32/8.3.0/../../../../x86_64-w64-mingw32/bin/ld: cannot find -loleaut32
/usr/lib/gcc/x86_64-w64-mingw32/8.3.0/../../../../x86_64-w64-mingw32/bin/ld: cannot find -luuid
/usr/lib/gcc/x86_64-w64-mingw32/8.3.0/../../../../x86_64-w64-mingw32/bin/ld: cannot find -lcomdlg32
/usr/lib/gcc/x86_64-w64-mingw32/8.3.0/../../../../x86_64-w64-mingw32/bin/ld: cannot find -ladvapi32
/usr/lib/gcc/x86_64-w64-mingw32/8.3.0/../../../../x86_64-w64-mingw32/bin/ld: cannot find -lmingw32
/usr/lib/gcc/x86_64-w64-mingw32/8.3.0/../../../../x86_64-w64-mingw32/bin/ld: cannot find -lgcc
/usr/lib/gcc/x86_64-w64-mingw32/8.3.0/../../../../x86_64-w64-mingw32/bin/ld: cannot find -lgcc_eh
/usr/lib/gcc/x86_64-w64-mingw32/8.3.0/../../../../x86_64-w64-mingw32/bin/ld: cannot find -lmoldname
/usr/lib/gcc/x86_64-w64-mingw32/8.3.0/../../../../x86_64-w64-mingw32/bin/ld: cannot find -lmingwex
/usr/lib/gcc/x86_64-w64-mingw32/8.3.0/../../../../x86_64-w64-mingw32/bin/ld: cannot find -lmsvcrt
/usr/lib/gcc/x86_64-w64-mingw32/8.3.0/../../../../x86_64-w64-mingw32/bin/ld: cannot find -ladvapi32
/usr/lib/gcc/x86_64-w64-mingw32/8.3.0/../../../../x86_64-w64-mingw32/bin/ld: cannot find -lshell32
/usr/lib/gcc/x86_64-w64-mingw32/8.3.0/../../../../x86_64-w64-mingw32/bin/ld: cannot find -luser32
/usr/lib/gcc/x86_64-w64-mingw32/8.3.0/../../../../x86_64-w64-mingw32/bin/ld: cannot find -lkernel32
/usr/lib/gcc/x86_64-w64-mingw32/8.3.0/../../../../x86_64-w64-mingw32/bin/ld: cannot find -lmingw32
/usr/lib/gcc/x86_64-w64-mingw32/8.3.0/../../../../x86_64-w64-mingw32/bin/ld: cannot find -lgcc
/usr/lib/gcc/x86_64-w64-mingw32/8.3.0/../../../../x86_64-w64-mingw32/bin/ld: cannot find -lgcc_eh
/usr/lib/gcc/x86_64-w64-mingw32/8.3.0/../../../../x86_64-w64-mingw32/bin/ld: cannot find -lmoldname
/usr/lib/gcc/x86_64-w64-mingw32/8.3.0/../../../../x86_64-w64-mingw32/bin/ld: cannot find -lmingwex
/usr/lib/gcc/x86_64-w64-mingw32/8.3.0/../../../../x86_64-w64-mingw32/bin/ld: cannot find -lmsvcrt
/usr/lib/gcc/x86_64-w64-mingw32/8.3.0/../../../../x86_64-w64-mingw32/bin/ld: cannot find crtend.o: No such file or directory
collect2: error: ld returned 1 exit status
ninja: build stopped: subcommand failed.
CMake will not be able to correctly generate this project.
Call Stack (most recent call first):
CMakeLists.txt:4 (project)
-- Configuring incomplete, errors occurred!
See also "/opt/PQCrypto-VPN/openvpn/build/repos/openvpn-build/windows-nsis/tmp/build-x86_64/liboqs/build-win/CMakeFiles/CMakeOutput.log".
See also "/opt/PQCrypto-VPN/openvpn/build/repos/openvpn-build/windows-nsis/tmp/build-x86_64/liboqs/build-win/CMakeFiles/CMakeError.log".
FATAL: cmake
FATAL: build x86_64 >&2
***** Running command: ninja
***** Running command: ninja install
***** Running command: ./config shared --prefix=/opt/PQCrypto-VPN/openvpn/build/scratch/oqs-openssl-output/openssl --openssldir=/opt/PQCrypto-VPN/openvpn/build/scratch/oqs-openssl-output/ssl -lm
***** Running command: make -j
***** Running command: make install
***** Running command: autoreconf -i -f -v
***** Running command: touch ./usr/local/openvpn/etc/.placeholder ./usr/local/openvpn/log/.placeholder
***** Running command: tar -cz --group=root --owner=root -f ../pq-openvpn-linux-staged.tar.gz .
***** Running command: tar czvvf /tmp/liboqs.tar.gz liboqs
***** Running command: tar czvvf /tmp/openssl-oqs.tar.gz openssl-oqs
***** Running command: autoreconf -i -v -f
***** Running command: ./configure
***** Running command: tar czvvf /tmp/openvpn-2.4.8.tar.gz openvpn-2.4.8
***** Running command: autoreconf -i -v -f
***** Running command: tar czvvf /tmp/openvpn-gui-11.tar.gz openvpn-gui
***** Running command: ./windows-nsis/build-complete
Traceback (most recent call last):
File "build.py", line 236, in <module>
build_openvpn_windows()
File "build.py", line 207, in build_openvpn_windows
run_command(['./windows-nsis/build-complete'])
File "build.py", line 42, in run_command
raise RuntimeError('Command failed')
RuntimeError: Command failed
The command '/bin/sh -c cd /opt/PQCrypto-VPN/openvpn/build && python build.py' returned a non-zero code: 1
(ERROR)-(Exit Code 1)-(General error)
Are there any updates on integrating OpenSSL 1.1.1? Are there compatibility issues? I am currently working on integrating one of the PQ algorithms into this project; however, it was built on the OQS-OpenSSL_1_1_1 branch.
I wonder if Picnic is really usable in PQCrypto-VPN as you mentioned here?
I created the certificate with picnicl1fs key and received the error:
Mon Jan 13 12:55:40 2020 OpenSSL: error:0609E09C:digital envelope routines:PKEY_SET_TYPE:unsupported algorithm
Mon Jan 13 12:55:40 2020 OpenSSL: error:0B07706F:x509 certificate routines:X509_PUBKEY_get:unsupported algorithm
Mon Jan 13 12:55:40 2020 OpenSSL: error:140BF10C:SSL routines:SSL_SET_CERT:x509 lib
Mon Jan 13 12:55:40 2020 MANAGEMENT: Client disconnected
Mon Jan 13 12:55:40 2020 Cannot load certificate file C:\Program Files\OpenVPN_PQCrypto\config\client.crt
Mon Jan 13 12:55:40 2020 Exiting due to fatal error
Greetings Kevin,
Thank you for your work on those latest commits on OQS-OpenSSL and OQS-liboqs because I was stuck for days.
I am trying to figure out if the 0.3.1-dev version of liboqs in combination with openssl-oqs rc2 produces a different curve configuration directive. In dev-3.1 this one is represented within ecdh-curve.
Thank you for your time and work.
Best regards!
ninja: error: manifest 'build.ninja' still dirty after 100 tries
Error message:
docker build -t vpn_microsoft_test .
Sending build context to Docker daemon 2.048kB
Step 1/5 : FROM ubuntu:19.10
---> 4f82834f04c6
Step 2/5 : WORKDIR /tmp
---> Using cache
---> c7c7524a447f
Step 3/5 : RUN apt update && apt install -y git gcc cmake make python
---> Using cache
---> 7eb2fb99e108
Step 4/5 : RUN git clone https://github.com/microsoft/PQCrypto-VPN.git
---> Running in 11898c70764e
Cloning into 'PQCrypto-VPN'...
Removing intermediate container 11898c70764e
---> 492e553a7b01
Step 5/5 : RUN cd /tmp/PQCrypto-VPN/openvpn/build && python build.py
---> Running in 01de9c40f600
fatal: Remote branch OpenSSL_1_0_2-stable not found in upstream origin
Cloning openssl ...
***** Running command: git clone -q --branch OpenSSL_1_0_2-stable https://github.com/open-quantum-safe/openssl openssl-oqs
Traceback (most recent call last):
File "build.py", line 258, in <module>
build_oqs_openssl()
File "build.py", line 121, in build_oqs_openssl
git_clone(OPENSSL_OQS_REPO, OPENSSL_OQS_BRANCH, 'openssl-oqs', OPENSSL_OQS_COMMIT)
File "build.py", line 74, in git_clone
os.chdir(local_name)
OSError: [Errno 2] No such file or directory: 'openssl-oqs'
The command '/bin/sh -c cd /tmp/PQCrypto-VPN/openvpn/build && python build.py' returned a non-zero code: 1
Dockerfile to reproduce error:
FROM ubuntu:19.10
WORKDIR /tmp
RUN apt update && apt install -y git gcc cmake make python
RUN git clone https://github.com/microsoft/PQCrypto-VPN.git
RUN cd /tmp/PQCrypto-VPN/openvpn/build && python build.py
I modified the build.py script quite a bit to get past several errors, but they just keep coming. Could someone please update the build system for this repo so that it actually builds on the first try? There have been many changes in OQS OpenSSL and it breaks everything.
The error:
Traceback (most recent call last):
File "build.py", line 270, in <module>
build_openvpn_linux()
File "build.py", line 185, in build_openvpn_linux
shutil.copy('../oqs-openssl-output/openssl/lib/libcrypto.so.1.0.0', stagepath + '/' + OPENVPN_LINUX_PREFIX + '/lib')
File "/usr/lib/python2.7/shutil.py", line 139, in copy
copyfile(src, dst)
File "/usr/lib/python2.7/shutil.py", line 97, in copyfile
with open(dst, 'wb') as fdst:
IOError: [Errno 2] No such file or directory: '/opt/PQCrypto-VPN/openvpn/build/scratch/stage//usr/local/openvpn/lib'
The command '/bin/sh -c cd /opt/PQCrypto-VPN/openvpn/build && python build.py' returned a non-zero code: 1
This is a simple error to fix, but after I fix it more errors just keep coming. If you look at "'/opt/PQCrypto-VPN/openvpn/build/scratch/stage//usr/local/openvpn/lib'" it has two forward slashes instead of one. Please take a look.
Dockerfile:
FROM ubuntu:19.10
RUN apt update && apt install -y \
liblz4-dev \
liblzo2-dev \
libpam-dev \
libssl-dev \
libtool \
libtool-bin \
cmake \
make \
autoconf \
python \
git
RUN cd /opt && git clone --branch oqsrepo https://github.com/microsoft/PQCrypto-VPN.git
RUN cd /opt/PQCrypto-VPN/openvpn/build && python build.py
I should mention that Python 3 has the built-in path module in pathlib, which handles paths independently of the operating system. If the build script is ever ported to Python 3, path errors of this kind can be avoided altogether.
Edit 1: The "oqsrepo" branch was merged into master at commit 1d35894 for future reference.
Greetings all,
Congratulations and thanks for all this work you have done so far and the quest to implement post quantum algorithms into current cryptography protocols.
First of all I have to state that I have pretty basic knowledge of programming languages, but I can handle various operating systems. Lately I had the interest to start learning about cryptography and started encrypting my connection, playing around with the various available classic protocols etc.
I have successfully installed your software in both *nix based and Microsoft platforms of mine, at least up to the openssl-integrated-with-liboqs stage, but still I am not sure I have understood how I should form the tls-cipher and/or tls-ciphersuites (for the openssl 1.1.1d version I use) directive to handle the oqskex. Also the openssl certificates I issue with the openssl commands (openssl seems to have been integrated correctly since I can use it for -at least- most of the pq algorithms) seem not readable from my openvpn software on either side. (It provides various certificate related errors such as the "unsupported certificate purpose" / "certificate verify failed" / extended key usage errors etc.)
I reached as far as I could alone, but I think I will need your help to go further. I use Debian Buster and Windows 10 Pro Edition.
Any help and recommendation will be appreciated. Keep up the good work.
Best regards,
Alex
Kevin,
Since a while ago (since the dev-1.3 testing started or so) I would like to report that PQCrypto-VPN seems to crash when sidhp751 is used as KEM. This occurs in the Linux build if I have observed correctly.
Thanks in advance
Kevin,
Within this link I found that there are instructions on how to implement at code/compile-level those liboqs algorithms you want, which are not (currently) included in the oqs-openssl forks. There seem to be two ways to achieve that. I propose for the full liboqs list support of algorithms (KEMs and signatures) so those interested may have the widest possible range of options and ability to test the algorithms.
Also I confirm that I have tested all the oqs-openssl signature schemes and all of them are working on my Windows build (which is the exact latest since I am always checking the devel repo for updates)
It would be great if you would implement the total range of algorithms, in the end, the more the options the better the cryptography result. Please let us know of your thoughts on this possibility.
Best regards!
My building system's basic details:
O.S.: Windows 10 Home Edition
CPU: AMD-type
CMD Prompt: Using Administrator x64 Native tools command prompt of VS 2019
Stage: all tests passed, oqs-openssl and libs installed correctly and working
Here is a quick guide on how to achieve it:
1. Build the repository of Microsoft PQCrypto-VPN as it currently is, resulting in the Windows binary, and install it.
2. Install all the according Windows dependencies (git, VS 2019, Perl - Active & Strawberry - MinGW & MSys, other needed extensions like Ninja, NASM etc. - check the liboqs and openssl-oqs repo)
and clone the latest (dev versions) of liboqs and openssl-oqs from the gits.
3. After cloning, when in \liboqs\build use:
cmake -GNinja -DCMAKE_INSTALL_PREFIX=..\..\openssl-oqs\oqs -DBUILD_SHARED_LIBS=OFF ..
then ninja and ninja install should work just fine
4. build normally according to the instructions (perl Configure VC-WIN64A, then nmake test, then nmake install)
5. Import (copy) the libraries from the newly installed Program Files\OpenSSL directory (under C:) to the openvpn\bin directory
You should also copy the newly created openssl.exe (binary) from \Program Files\OpenSSL\bin to \OpenVPN\bin as well. It works but the system may need to be restarted.
6. Don't forget to set the according PATH variables
7. Test the new algorithms
You can also activate other desired OQS algorithms than the default enabled ones. Follow this guide of the openssl-oqs folder on an Ubuntu machine and then download the updated archive/directory to your Windows system, re-install liboqs as explained above targeting this new directory and then perl Configure... , nmake... and you should be ready!
I wish you find my guide useful.
Best regards!
The darwin branch has significant improvements to the build.py script. The contributor confirmed the build works on Darwin and I confirmed it works on Linux, but the Windows build is broken, and needs to be fixed before it can be merged into master.
I have been able to successfully build and run PQCrypto-VPN, but there is a key issue (double meaning intended):
tls-cipher OQSKEX-MLWE-KYBER-ECDHE-RSA-WITH-AES-256-GCM-SHA384
set in the ovpn config file for the client.
ldd /opt/PQCrypto-VPN/openvpn/build/scratch/stage/usr/local/openvpn/sbin/openvpn
/lib/ld-musl-x86_64.so.1 (0x7f4ea75cc000)
liblzo2.so.2 => /usr/lib/liblzo2.so.2 (0x7f4ea70f5000)
liblz4.so.1 => /usr/lib/liblz4.so.1 (0x7f4ea70c1000)
libssl.so.1.0.0 => /opt/PQCrypto-VPN/openvpn/build/scratch/openssl-oqs//libssl.so.1.0.0 (0x7f4ea7044000)
libcrypto.so.1.0.0 => /opt/PQCrypto-VPN/openvpn/build/scratch/openssl-oqs//libcrypto.so.1.0.0 (0x7f4ea6cec000)
libc.musl-x86_64.so.1 => /lib/ld-musl-x86_64.so.1 (0x7f4ea75cc000)
What needs to be done to fix this? I expect to see keys for kyber on the DHE from both sides. Also, the fact that wireshark cannot parse that TLS record suggests something is amiss.
Default build will remain both, but this will allow skipping one build in private builds as suggested in #15.
The project update to integrate with the latest OpenSSL is a great step forward. Is there any roadmap to update the OpenVPN side to the latest version as well?
Thanks.
The "PQCrypto-VPN/openvpn/config" folder contains examples on how to enable any available QCipherSuite:
How can I specify what KEM or QSIGNATURE PQCrypto-VPN should use? Thanks.
EDIT 1: I just realized that KEMs are part of the Cipher Suite, but they are coded as KEX, or more precisely as "OQSKEX" which is slightly confusing. "OQSKEM" would be better. Any notes on how to use the QSIGNATURE in the vpn would still be valuable though.
Here for reference, the available traditional and quantum cipher suites:
/*
 * SSL/TLS Cipher suite name translation table
*/
static const tls_cipher_name_pair tls_cipher_name_translation_table[] = {
{"ADH-SEED-SHA", "TLS-DH-anon-WITH-SEED-CBC-SHA"},
{"AES128-GCM-SHA256", "TLS-RSA-WITH-AES-128-GCM-SHA256"},
{"AES128-SHA256", "TLS-RSA-WITH-AES-128-CBC-SHA256"},
{"AES128-SHA", "TLS-RSA-WITH-AES-128-CBC-SHA"},
{"AES256-GCM-SHA384", "TLS-RSA-WITH-AES-256-GCM-SHA384"},
{"AES256-SHA256", "TLS-RSA-WITH-AES-256-CBC-SHA256"},
{"AES256-SHA", "TLS-RSA-WITH-AES-256-CBC-SHA"},
{"CAMELLIA128-SHA256", "TLS-RSA-WITH-CAMELLIA-128-CBC-SHA256"},
{"CAMELLIA128-SHA", "TLS-RSA-WITH-CAMELLIA-128-CBC-SHA"},
{"CAMELLIA256-SHA256", "TLS-RSA-WITH-CAMELLIA-256-CBC-SHA256"},
{"CAMELLIA256-SHA", "TLS-RSA-WITH-CAMELLIA-256-CBC-SHA"},
{"DES-CBC3-SHA", "TLS-RSA-WITH-3DES-EDE-CBC-SHA"},
{"DES-CBC-SHA", "TLS-RSA-WITH-DES-CBC-SHA"},
{"DH-DSS-SEED-SHA", "TLS-DH-DSS-WITH-SEED-CBC-SHA"},
{"DHE-DSS-AES128-GCM-SHA256", "TLS-DHE-DSS-WITH-AES-128-GCM-SHA256"},
{"DHE-DSS-AES128-SHA256", "TLS-DHE-DSS-WITH-AES-128-CBC-SHA256"},
{"DHE-DSS-AES128-SHA", "TLS-DHE-DSS-WITH-AES-128-CBC-SHA"},
{"DHE-DSS-AES256-GCM-SHA384", "TLS-DHE-DSS-WITH-AES-256-GCM-SHA384"},
{"DHE-DSS-AES256-SHA256", "TLS-DHE-DSS-WITH-AES-256-CBC-SHA256"},
{"DHE-DSS-AES256-SHA", "TLS-DHE-DSS-WITH-AES-256-CBC-SHA"},
{"DHE-DSS-CAMELLIA128-SHA256", "TLS-DHE-DSS-WITH-CAMELLIA-128-CBC-SHA256"},
{"DHE-DSS-CAMELLIA128-SHA", "TLS-DHE-DSS-WITH-CAMELLIA-128-CBC-SHA"},
{"DHE-DSS-CAMELLIA256-SHA256", "TLS-DHE-DSS-WITH-CAMELLIA-256-CBC-SHA256"},
{"DHE-DSS-CAMELLIA256-SHA", "TLS-DHE-DSS-WITH-CAMELLIA-256-CBC-SHA"},
{"DHE-DSS-SEED-SHA", "TLS-DHE-DSS-WITH-SEED-CBC-SHA"},
{"DHE-RSA-AES128-GCM-SHA256", "TLS-DHE-RSA-WITH-AES-128-GCM-SHA256"},
{"DHE-RSA-AES128-SHA256", "TLS-DHE-RSA-WITH-AES-128-CBC-SHA256"},
{"DHE-RSA-AES128-SHA", "TLS-DHE-RSA-WITH-AES-128-CBC-SHA"},
{"DHE-RSA-AES256-GCM-SHA384", "TLS-DHE-RSA-WITH-AES-256-GCM-SHA384"},
{"DHE-RSA-AES256-SHA256", "TLS-DHE-RSA-WITH-AES-256-CBC-SHA256"},
{"DHE-RSA-AES256-SHA", "TLS-DHE-RSA-WITH-AES-256-CBC-SHA"},
{"DHE-RSA-CAMELLIA128-SHA256", "TLS-DHE-RSA-WITH-CAMELLIA-128-CBC-SHA256"},
{"DHE-RSA-CAMELLIA128-SHA", "TLS-DHE-RSA-WITH-CAMELLIA-128-CBC-SHA"},
{"DHE-RSA-CAMELLIA256-SHA256", "TLS-DHE-RSA-WITH-CAMELLIA-256-CBC-SHA256"},
{"DHE-RSA-CAMELLIA256-SHA", "TLS-DHE-RSA-WITH-CAMELLIA-256-CBC-SHA"},
{"DHE-RSA-CHACHA20-POLY1305", "TLS-DHE-RSA-WITH-CHACHA20-POLY1305-SHA256"},
{"DHE-RSA-SEED-SHA", "TLS-DHE-RSA-WITH-SEED-CBC-SHA"},
{"DH-RSA-SEED-SHA", "TLS-DH-RSA-WITH-SEED-CBC-SHA"},
{"ECDH-ECDSA-AES128-GCM-SHA256", "TLS-ECDH-ECDSA-WITH-AES-128-GCM-SHA256"},
{"ECDH-ECDSA-AES128-SHA256", "TLS-ECDH-ECDSA-WITH-AES-128-CBC-SHA256"},
{"ECDH-ECDSA-AES128-SHA", "TLS-ECDH-ECDSA-WITH-AES-128-CBC-SHA"},
{"ECDH-ECDSA-AES256-GCM-SHA384", "TLS-ECDH-ECDSA-WITH-AES-256-GCM-SHA384"},
{"ECDH-ECDSA-AES256-SHA256", "TLS-ECDH-ECDSA-WITH-AES-256-CBC-SHA256"},
{"ECDH-ECDSA-AES256-SHA384", "TLS-ECDH-ECDSA-WITH-AES-256-CBC-SHA384"},
{"ECDH-ECDSA-AES256-SHA", "TLS-ECDH-ECDSA-WITH-AES-256-CBC-SHA"},
{"ECDH-ECDSA-CAMELLIA128-SHA256", "TLS-ECDH-ECDSA-WITH-CAMELLIA-128-CBC-SHA256"},
{"ECDH-ECDSA-CAMELLIA128-SHA", "TLS-ECDH-ECDSA-WITH-CAMELLIA-128-CBC-SHA"},
{"ECDH-ECDSA-CAMELLIA256-SHA256", "TLS-ECDH-ECDSA-WITH-CAMELLIA-256-CBC-SHA256"},
{"ECDH-ECDSA-CAMELLIA256-SHA", "TLS-ECDH-ECDSA-WITH-CAMELLIA-256-CBC-SHA"},
{"ECDH-ECDSA-DES-CBC3-SHA", "TLS-ECDH-ECDSA-WITH-3DES-EDE-CBC-SHA"},
{"ECDH-ECDSA-DES-CBC-SHA", "TLS-ECDH-ECDSA-WITH-DES-CBC-SHA"},
{"ECDH-ECDSA-RC4-SHA", "TLS-ECDH-ECDSA-WITH-RC4-128-SHA"},
{"ECDHE-ECDSA-AES128-GCM-SHA256", "TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256"},
{"ECDHE-ECDSA-AES128-SHA256", "TLS-ECDHE-ECDSA-WITH-AES-128-CBC-SHA256"},
{"ECDHE-ECDSA-AES128-SHA384", "TLS-ECDHE-ECDSA-WITH-AES-128-CBC-SHA384"},
{"ECDHE-ECDSA-AES128-SHA", "TLS-ECDHE-ECDSA-WITH-AES-128-CBC-SHA"},
{"ECDHE-ECDSA-AES256-GCM-SHA384", "TLS-ECDHE-ECDSA-WITH-AES-256-GCM-SHA384"},
{"ECDHE-ECDSA-AES256-SHA256", "TLS-ECDHE-ECDSA-WITH-AES-256-CBC-SHA256"},
{"ECDHE-ECDSA-AES256-SHA384", "TLS-ECDHE-ECDSA-WITH-AES-256-CBC-SHA384"},
{"ECDHE-ECDSA-AES256-SHA", "TLS-ECDHE-ECDSA-WITH-AES-256-CBC-SHA"},
{"ECDHE-ECDSA-CAMELLIA128-SHA256", "TLS-ECDHE-ECDSA-WITH-CAMELLIA-128-CBC-SHA256"},
{"ECDHE-ECDSA-CAMELLIA128-SHA", "TLS-ECDHE-ECDSA-WITH-CAMELLIA-128-CBC-SHA"},
{"ECDHE-ECDSA-CAMELLIA256-SHA256", "TLS-ECDHE-ECDSA-WITH-CAMELLIA-256-CBC-SHA256"},
{"ECDHE-ECDSA-CAMELLIA256-SHA", "TLS-ECDHE-ECDSA-WITH-CAMELLIA-256-CBC-SHA"},
{"ECDHE-ECDSA-CHACHA20-POLY1305", "TLS-ECDHE-ECDSA-WITH-CHACHA20-POLY1305-SHA256"},
{"ECDHE-ECDSA-DES-CBC3-SHA", "TLS-ECDHE-ECDSA-WITH-3DES-EDE-CBC-SHA"},
{"ECDHE-ECDSA-DES-CBC-SHA", "TLS-ECDHE-ECDSA-WITH-DES-CBC-SHA"},
{"ECDHE-ECDSA-RC4-SHA", "TLS-ECDHE-ECDSA-WITH-RC4-128-SHA"},
{"ECDHE-RSA-AES128-GCM-SHA256", "TLS-ECDHE-RSA-WITH-AES-128-GCM-SHA256"},
{"ECDHE-RSA-AES128-SHA256", "TLS-ECDHE-RSA-WITH-AES-128-CBC-SHA256"},
{"ECDHE-RSA-AES128-SHA384", "TLS-ECDHE-RSA-WITH-AES-128-CBC-SHA384"},
{"ECDHE-RSA-AES128-SHA", "TLS-ECDHE-RSA-WITH-AES-128-CBC-SHA"},
{"ECDHE-RSA-AES256-GCM-SHA384", "TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384"},
{"ECDHE-RSA-AES256-SHA256", "TLS-ECDHE-RSA-WITH-AES-256-CBC-SHA256"},
{"ECDHE-RSA-AES256-SHA384", "TLS-ECDHE-RSA-WITH-AES-256-CBC-SHA384"},
{"ECDHE-RSA-AES256-SHA", "TLS-ECDHE-RSA-WITH-AES-256-CBC-SHA"},
{"ECDHE-RSA-CAMELLIA128-SHA256", "TLS-ECDHE-RSA-WITH-CAMELLIA-128-CBC-SHA256"},
{"ECDHE-RSA-CAMELLIA128-SHA", "TLS-ECDHE-RSA-WITH-CAMELLIA-128-CBC-SHA"},
{"ECDHE-RSA-CAMELLIA256-SHA256", "TLS-ECDHE-RSA-WITH-CAMELLIA-256-CBC-SHA256"},
{"ECDHE-RSA-CAMELLIA256-SHA", "TLS-ECDHE-RSA-WITH-CAMELLIA-256-CBC-SHA"},
{"ECDHE-RSA-CHACHA20-POLY1305", "TLS-ECDHE-RSA-WITH-CHACHA20-POLY1305-SHA256"},
{"ECDHE-RSA-DES-CBC3-SHA", "TLS-ECDHE-RSA-WITH-3DES-EDE-CBC-SHA"},
{"ECDHE-RSA-DES-CBC-SHA", "TLS-ECDHE-RSA-WITH-DES-CBC-SHA"},
{"ECDHE-RSA-RC4-SHA", "TLS-ECDHE-RSA-WITH-RC4-128-SHA"},
{"ECDH-RSA-AES128-GCM-SHA256", "TLS-ECDH-RSA-WITH-AES-128-GCM-SHA256"},
{"ECDH-RSA-AES128-SHA256", "TLS-ECDH-RSA-WITH-AES-128-CBC-SHA256"},
{"ECDH-RSA-AES128-SHA384", "TLS-ECDH-RSA-WITH-AES-128-CBC-SHA384"},
{"ECDH-RSA-AES128-SHA", "TLS-ECDH-RSA-WITH-AES-128-CBC-SHA"},
{"ECDH-RSA-AES256-GCM-SHA384", "TLS-ECDH-RSA-WITH-AES-256-GCM-SHA384"},
{"ECDH-RSA-AES256-SHA256", "TLS-ECDH-RSA-WITH-AES-256-CBC-SHA256"},
{"ECDH-RSA-AES256-SHA384", "TLS-ECDH-RSA-WITH-AES-256-CBC-SHA384"},
{"ECDH-RSA-AES256-SHA", "TLS-ECDH-RSA-WITH-AES-256-CBC-SHA"},
{"ECDH-RSA-CAMELLIA128-SHA256", "TLS-ECDH-RSA-WITH-CAMELLIA-128-CBC-SHA256"},
{"ECDH-RSA-CAMELLIA128-SHA", "TLS-ECDH-RSA-WITH-CAMELLIA-128-CBC-SHA"},
{"ECDH-RSA-CAMELLIA256-SHA256", "TLS-ECDH-RSA-WITH-CAMELLIA-256-CBC-SHA256"},
{"ECDH-RSA-CAMELLIA256-SHA", "TLS-ECDH-RSA-WITH-CAMELLIA-256-CBC-SHA"},
{"ECDH-RSA-DES-CBC3-SHA", "TLS-ECDH-RSA-WITH-3DES-EDE-CBC-SHA"},
{"ECDH-RSA-DES-CBC-SHA", "TLS-ECDH-RSA-WITH-DES-CBC-SHA"},
{"ECDH-RSA-RC4-SHA", "TLS-ECDH-RSA-WITH-RC4-128-SHA"},
{"EDH-DSS-DES-CBC3-SHA", "TLS-DHE-DSS-WITH-3DES-EDE-CBC-SHA"},
{"EDH-DSS-DES-CBC-SHA", "TLS-DHE-DSS-WITH-DES-CBC-SHA"},
{"EDH-RSA-DES-CBC3-SHA", "TLS-DHE-RSA-WITH-3DES-EDE-CBC-SHA"},
{"EDH-RSA-DES-CBC-SHA", "TLS-DHE-RSA-WITH-DES-CBC-SHA"},
{"EXP-DES-CBC-SHA", "TLS-RSA-EXPORT-WITH-DES40-CBC-SHA"},
{"EXP-EDH-DSS-DES-CBC-SHA", "TLS-DH-DSS-EXPORT-WITH-DES40-CBC-SHA"},
{"EXP-EDH-RSA-DES-CBC-SHA", "TLS-DH-RSA-EXPORT-WITH-DES40-CBC-SHA"},
{"EXP-RC2-CBC-MD5", "TLS-RSA-EXPORT-WITH-RC2-CBC-40-MD5"},
{"EXP-RC4-MD5", "TLS-RSA-EXPORT-WITH-RC4-40-MD5"},
{"NULL-MD5", "TLS-RSA-WITH-NULL-MD5"},
{"NULL-SHA256", "TLS-RSA-WITH-NULL-SHA256"},
{"NULL-SHA", "TLS-RSA-WITH-NULL-SHA"},
{"PSK-3DES-EDE-CBC-SHA", "TLS-PSK-WITH-3DES-EDE-CBC-SHA"},
{"PSK-AES128-CBC-SHA", "TLS-PSK-WITH-AES-128-CBC-SHA"},
{"PSK-AES256-CBC-SHA", "TLS-PSK-WITH-AES-256-CBC-SHA"},
{"PSK-RC4-SHA", "TLS-PSK-WITH-RC4-128-SHA"},
{"RC4-MD5", "TLS-RSA-WITH-RC4-128-MD5"},
{"RC4-SHA", "TLS-RSA-WITH-RC4-128-SHA"},
{"SEED-SHA", "TLS-RSA-WITH-SEED-CBC-SHA"},
{"SRP-DSS-3DES-EDE-CBC-SHA", "TLS-SRP-SHA-DSS-WITH-3DES-EDE-CBC-SHA"},
{"SRP-DSS-AES-128-CBC-SHA", "TLS-SRP-SHA-DSS-WITH-AES-128-CBC-SHA"},
{"SRP-DSS-AES-256-CBC-SHA", "TLS-SRP-SHA-DSS-WITH-AES-256-CBC-SHA"},
{"SRP-RSA-3DES-EDE-CBC-SHA", "TLS-SRP-SHA-RSA-WITH-3DES-EDE-CBC-SHA"},
{"SRP-RSA-AES-128-CBC-SHA", "TLS-SRP-SHA-RSA-WITH-AES-128-CBC-SHA"},
{"SRP-RSA-AES-256-CBC-SHA", "TLS-SRP-SHA-RSA-WITH-AES-256-CBC-SHA"},
/*
* Non-standard, post-quantum cipher suites, provided by the OQS fork of OpenSSL.
* https://github.com/open-quantum-safe/openssl
*/
{"OQSKEX-SIDH-MSR-ECDHE-RSA-AES256-GCM-SHA384", "OQSKEX-SIDH-MSR-ECDHE-RSA-AES256-GCM-SHA384"},
{"OQSKEX-LWE-FRODO-RECOMMENDED-ECDHE-RSA-AES256-GCM-SHA384", "OQSKEX-LWE-FRODO-RECOMMENDED-ECDHE-RSA-AES256-GCM-SHA384"},
{"OQSKEX-RLWE-BCNS15-ECDHE-RSA-AES256-GCM-SHA384", "OQSKEX-RLWE-BCNS15-ECDHE-RSA-AES256-GCM-SHA384"},
{"OQSKEX-RLWE-NEWHOPE-ECDHE-RSA-AES256-GCM-SHA384", "OQSKEX-RLWE-NEWHOPE-ECDHE-RSA-AES256-GCM-SHA384"},
{"OQSKEX-RLWE-MSRLN16-ECDHE-RSA-AES256-GCM-SHA384", "OQSKEX-RLWE-MSRLN16-ECDHE-RSA-AES256-GCM-SHA384"},
{"OQSKEX-SIDH-IQC-REF-ECDHE-RSA-WITH-AES-256-GCM-SHA384", "OQSKEX-SIDH-IQC-REF-ECDHE-RSA-WITH-AES-256-GCM-SHA384"},
{"OQSKEX-CODE-MCBITS-ECDHE-RSA-WITH-AES-256-GCM-SHA384", "OQSKEX-CODE-MCBITS-ECDHE-RSA-WITH-AES-256-GCM-SHA384"},
{"OQSKEX-NTRU-ECDHE-RSA-WITH-AES-256-GCM-SHA384", "OQSKEX-NTRU-ECDHE-RSA-WITH-AES-256-GCM-SHA384"},
{"OQSKEX-MLWE-KYBER-ECDHE-RSA-WITH-AES-256-GCM-SHA384", "OQSKEX-MLWE-KYBER-ECDHE-RSA-WITH-AES-256-GCM-SHA384"},
/* same list as above, but with ECDSA instead of RSA */
{"OQSKEX-SIDH-MSR-ECDHE-ECDSA-AES256-GCM-SHA384", "OQSKEX-SIDH-MSR-ECDHE-ECDSA-AES256-GCM-SHA384"},
{"OQSKEX-LWE-FRODO-RECOMMENDED-ECDHE-ECDSA-AES256-GCM-SHA384", "OQSKEX-LWE-FRODO-RECOMMENDED-ECDHE-ECDSA-AES256-GCM-SHA384"},
{"OQSKEX-RLWE-BCNS15-ECDHE-ECDSA-AES256-GCM-SHA384", "OQSKEX-RLWE-BCNS15-ECDHE-ECDSA-AES256-GCM-SHA384"},
{"OQSKEX-RLWE-NEWHOPE-ECDHE-ECDSA-AES256-GCM-SHA384", "OQSKEX-RLWE-NEWHOPE-ECDHE-ECDSA-AES256-GCM-SHA384"},
{"OQSKEX-RLWE-MSRLN16-ECDHE-ECDSA-AES256-GCM-SHA384", "OQSKEX-RLWE-MSRLN16-ECDHE-ECDSA-AES256-GCM-SHA384"},
{"OQSKEX-SIDH-IQC-REF-ECDHE-ECDSA-WITH-AES-256-GCM-SHA384", "OQSKEX-SIDH-IQC-REF-ECDHE-ECDSA-WITH-AES-256-GCM-SHA384"},
{"OQSKEX-CODE-MCBITS-ECDHE-ECDSA-WITH-AES-256-GCM-SHA384", "OQSKEX-CODE-MCBITS-ECDHE-ECDSA-WITH-AES-256-GCM-SHA384"},
{"OQSKEX-NTRU-ECDHE-ECDSA-WITH-AES-256-GCM-SHA384", "OQSKEX-NTRU-ECDHE-ECDSA-WITH-AES-256-GCM-SHA384"},
{"OQSKEX-MLWE-KYBER-ECDHE-ECDSA-WITH-AES-256-GCM-SHA384", "OQSKEX-MLWE-KYBER-ECDHE-ECDSA-WITH-AES-256-GCM-SHA384"},
/* Picnic-capable ciphersuites */
{"OQSKEX-LWE-FRODO-RECOMMENDED-PICNIC-AES256-GCM-SHA384", "OQSKEX-LWE-FRODO-RECOMMENDED-PICNIC-AES256-GCM-SHA384"},
{"OQSKEX-RLWE-MSRLN16-PICNIC-AES256-GCM-SHA384", "OQSKEX-RLWE-MSRLN16-PICNIC-AES256-GCM-SHA384"},
{"OQSKEX-SIDH-MSR-PICNIC-AES256-GCM-SHA384", "OQSKEX-SIDH-MSR-PICNIC-AES256-GCM-SHA384"},
{"OQSKEX-LWE-FRODO-RECOMMENDED-ECDHE-PICNIC-AES256-GCM-SHA384", "OQSKEX-LWE-FRODO-RECOMMENDED-ECDHE-PICNIC-AES256-GCM-SHA384"},
{"OQSKEX-RLWE-MSRLN16-ECDHE-PICNIC-AES256-GCM-SHA384", "OQSKEX-RLWE-MSRLN16-ECDHE-PICNIC-AES256-GCM-SHA384"},
{"OQSKEX-SIDH-MSR-ECDHE-PICNIC-AES256-GCM-SHA384", "OQSKEX-SIDH-MSR-ECDHE-PICNIC-AES256-GCM-SHA384"},
#ifdef ENABLE_CRYPTO_OPENSSL
/* OpenSSL-specific group names */
{"DEFAULT", "DEFAULT"},
{"ALL", "ALL"},
{"HIGH", "HIGH"}, {"!HIGH", "!HIGH"},
{"MEDIUM", "MEDIUM"}, {"!MEDIUM", "!MEDIUM"},
{"LOW", "LOW"}, {"!LOW", "!LOW"},
{"ECDH", "ECDH"}, {"!ECDH", "!ECDH"},
{"ECDSA", "ECDSA"}, {"!ECDSA", "!ECDSA"},
{"EDH", "EDH"}, {"!EDH", "!EDH"},
{"EXP", "EXP"}, {"!EXP", "!EXP"},
{"RSA", "RSA"}, {"!RSA", "!RSA"},
{"kRSA", "kRSA"}, {"!kRSA", "!kRSA"},
{"SRP", "SRP"}, {"!SRP", "!SRP"},
#endif
{NULL, NULL}
};
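An added example, not code from the PQCrypto-VPN project: a Python check that reads an OpenVPN config, splits its tls-cipher list and classifies each entry against the OQSKEX rows of the table above (KEM, ECDHE hybrid or not, authentication algorithm). The function names and the sample configs are constructed for illustration.

```python
import re

# Names rebuilt from the OQSKEX rows of the translation table quoted above.
# The table uses two suffix spellings, so both are generated explicitly.
_SHORT = "AES256-GCM-SHA384"        # SIDH-MSR, FRODO, BCNS15, NEWHOPE, MSRLN16 and Picnic rows
_LONG = "WITH-AES-256-GCM-SHA384"   # SIDH-IQC-REF, MCBITS, NTRU and KYBER rows
_KEMS_SHORT = ["SIDH-MSR", "LWE-FRODO-RECOMMENDED", "RLWE-BCNS15",
               "RLWE-NEWHOPE", "RLWE-MSRLN16"]
_KEMS_LONG = ["SIDH-IQC-REF", "CODE-MCBITS", "NTRU", "MLWE-KYBER"]
_KEMS_PICNIC = ["LWE-FRODO-RECOMMENDED", "RLWE-MSRLN16", "SIDH-MSR"]

OQS_SUITES = set()
for auth in ("RSA", "ECDSA"):
    OQS_SUITES |= {f"OQSKEX-{k}-ECDHE-{auth}-{_SHORT}" for k in _KEMS_SHORT}
    OQS_SUITES |= {f"OQSKEX-{k}-ECDHE-{auth}-{_LONG}" for k in _KEMS_LONG}
for k in _KEMS_PICNIC:
    OQS_SUITES |= {f"OQSKEX-{k}-PICNIC-{_SHORT}",
                   f"OQSKEX-{k}-ECDHE-PICNIC-{_SHORT}"}

_SUITE_RE = re.compile(
    r"^OQSKEX-(?P<kem>.+?)-(?P<ecdhe>ECDHE-)?(?P<auth>RSA|ECDSA|PICNIC)-"
    r"(?:WITH-)?AES-?256-GCM-SHA384$")


def classify_suite(name):
    """Split a table name into its parts; None if the name is not in the table."""
    if name not in OQS_SUITES:
        return None
    m = _SUITE_RE.match(name)
    return {"name": name, "kem": m["kem"],
            "hybrid": m["ecdhe"] is not None, "auth": m["auth"]}


def audit_config(text):
    """Classify every tls-cipher entry of an OpenVPN config and collect warnings."""
    entries = None
    for raw in text.splitlines():
        parts = raw.split()
        if not parts or parts[0][0] in "#;":      # blank line or comment
            continue
        if parts[0] == "tls-cipher" and len(parts) > 1:
            entries = parts[1].split(":")         # if repeated, this sketch keeps the last
    report = {"suites": [], "warnings": []}
    if entries is None:
        report["warnings"].append(
            "no tls-cipher directive: suite choice is left to the TLS library defaults")
        return report
    for name in entries:
        info = classify_suite(name)
        if info is None:
            kind = ("unknown OQSKEX name (check the suffix spelling)"
                    if name.startswith("OQSKEX-") else "not an OQSKEX suite")
            report["warnings"].append(f"{name}: {kind}")
            continue
        report["suites"].append(info)
        if not info["hybrid"]:
            report["warnings"].append(
                f"{name}: no ECDHE component, key exchange relies on {info['kem']} alone")
        if info["auth"] != "PICNIC":
            report["warnings"].append(f"{name}: {info['auth']} authentication is classical")
    return report


# Constructed sample configs (hostnames and layout are illustrative only).
GOOD = ("client\nremote vpn.example.test 1194\n"
        "tls-cipher OQSKEX-MLWE-KYBER-ECDHE-RSA-WITH-AES-256-GCM-SHA384\n")
MIXED = ("tls-cipher OQSKEX-SIDH-MSR-PICNIC-AES256-GCM-SHA384:"
         "TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384\n")
TYPO = "tls-cipher OQSKEX-MLWE-KYBER-ECDHE-RSA-AES256-GCM-SHA384\n"   # short suffix on a long-suffix row
COMMENTED = "client\n; tls-cipher OQSKEX-NTRU-ECDHE-RSA-WITH-AES-256-GCM-SHA384\n"

if __name__ == "__main__":
    for label, cfg in (("GOOD", GOOD), ("MIXED", MIXED),
                       ("TYPO", TYPO), ("COMMENTED", COMMENTED)):
        print(label, audit_config(cfg))
```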
It's not obvious what algorithm is being used for key exchange on the control connection. Add logging to state which algorithm is being used when a tunnel is established.
Instructions in the pqap subtree have not been tested to work with version 1.3 of PQCrypto-VPN, and likely need updating.
The error:
root@7dc66bd1ac35: cd /opt/PQCrypto-VPN/openvpn/build/scratch/pq-openvpn-linux/oqs-openssl-output/openssl/bin/
root@7dc66bd1ac35:/opt/PQCrypto-VPN/openvpn/build/scratch/pq-openvpn-linux/oqs-openssl-output/openssl/bin# ./openssl
./openssl: symbol lookup error: ./openssl: undefined symbol: OQS_RAND_free
Dockerfile:
FROM ubuntu:18.04
RUN apt update && apt install -y \
liblz4-dev \
liblzo2-dev \
libpam-dev \
libssl-dev \
libtool \
libtool-bin \
cmake \
make \
autoconf \
python \
git \
curl \
libpam0g-dev \
unzip \
net-tools \
pkg-config \
wget
RUN cd /opt && \
git clone -b master https://github.com/microsoft/PQCrypto-VPN.git && \
cd PQCrypto-VPN
RUN cd /opt/PQCrypto-VPN/openvpn/build && python build.py
After getting inside the container just run:
cd /opt/PQCrypto-VPN/openvpn/build/scratch/pq-openvpn-linux/oqs-openssl-output/openssl/bin/
./openssl
Greetings Kevin,
After your previous fix I managed to locate two points within the PQCrypto-VPN code which I changed and managed to build the latest engine of PQCrypto-VPN, initially by downloading the fork here and then by replacing (re-downloading) the current master liboqs fork (0.3.1-dev) with the very latest OQS-OpenSSL. I should note that this latest version of the engine built is way smaller than the previous one, about half the size of the current one found in dev-3.1 for both Windows and Linux. But it seems to work perfectly after your latest fixes.
It is more than welcome for me if you want me to provide those fixes either here in my post or directly in the code.
Looking forward to hearing from you, thanks again.
Best regards