microsoft / pqcrypto-vpn Goto Github PK
View Code? Open in Web Editor NEWPost-quantum Cryptography VPN
Home Page: https://www.microsoft.com/research/project/post-quantum-crypto-vpn/
License: MIT License
pqcrypto-vpn's People
Contributors
Stargazers
Watchers
Forkers
dconnolly techlord-rce sctnightcore cybermonitor devilcoder prodef-tl otakumonster nicolas040 stowage d4r5c0d3 siriusanalyst minabarret northeastwolf myqiuyun wangqiaozi zoltanharmath superf0sh mblackbourne nuzumco nuzumglobal luckyginger seamaster300 lazerhawk dgotrik cobra16319 stjordanis rythmosadvisory wadx2019 jittrfunc lrubens iqranaz240 suvrajeet01 pu55yf3r prchander bhaskers-blu-org2 yeswici taffywrinkle claudiusgonzo geovandro jartlov 00mjk m-jabari global-localhost global19 global19-atlassian-net open-qkd-network sycomix bpanicker13 pickkaa hhy5277 digital-startup librechain xshengshe vojtechsu leancssmbb ashleshaatrey laichis pantyhose-x laplacekorea marcus-arcadius yuanmabiji adityakoranga imhojeong viper3784 v41bh4v ujjwalmsft foodchain1028 thecoder0xff filip2142 kurhulapqcrypto-vpn's Issues
Broken implementation of kyber512, kyber768 and kyber1024 as KEX.
I tested kyber512, kyber768 and kyber1024. The test is simple:
- Establish a VPN using each of those algorithms as KEX.
- Observe the raw network traffic.
- Confirm both parties exchange the keys.
- Confirm the number of bytes for said keys are correct.
Kyber512 ( click to see the Kyber NIST submission paper for round 2 with the Kyber specs):
- Here is what happens with
openssl s_server/s_clienttesting.
- Private kyber512 Key: 768 bytes
- Public kyber512 Key: 800 bytes
-Kyber is designed for KEM, although it is being used as a KEX. I haven't looked at the KEX mechanism for it, but the private key being sent in the clear probably makes sense in this use case. - Everything checks out.
- Here is what happens with openvpn --config server/client(.ovpn):
- client.ovpn has
ecdh-curve kyber512 - server.ovpn has
ecdh-curve kyber512andtls-version-min 1.3:
- Observation 1: Keys exchanged are from a different "ec-groups'; mismatch.
- Observation 2: Client does not choose kyber512 "ec-curve", but instead ec-curve x25519.
- Observation 3: Client does not send its key kyber512 key, but instead the x25519 key.
- Observation 4: server chooses kyber512 and returns its kyber512 key.
- Observation 5: This establishes a
validconnection, but the crypto is utterly incorrect/broken just from glancing at the observations above. - Observation 2 means the client is never setting the
ecdh-curveparameter found in the configuration file, but it seems the server does set it.
Kyber768:
- Same configuration as above except
ecdh-curve kyber768.
- Observation 1: Observation 1, 2 and 3 in kyber512 hold true here as well.
- Observation 2: The server responds with
Change Cipher Specand specifies the kyber768 group, but does not send its key.
kyber1024:
- Observations are the same as kyber768.
dev1.3 branch, build error
I tried building in a docker container and I get this error following the instructions on the readme for the new branch. Since I am building in Linux the build should not fail if the windows-building-process fails.
Also, is nsis really required? Can we get rid of it? :)
Edit 1: I build on alpine base image, not ubuntu or the one in the repo.
Error message
Extract '/opt/PQCrypto-VPN/openvpn/build/repos/openvpn-build/windows-nsis/sources/liboqs.tar.gz'
Extract '/opt/PQCrypto-VPN/openvpn/build/repos/openvpn-build/windows-nsis/sources/lzo-2.10.tar.gz'
Extract '/opt/PQCrypto-VPN/openvpn/build/repos/openvpn-build/windows-nsis/sources/openssl-oqs.tar.gz'
Extract '/opt/PQCrypto-VPN/openvpn/build/repos/openvpn-build/windows-nsis/sources/openvpn-2.4.8.tar.gz'
Extract '/opt/PQCrypto-VPN/openvpn/build/repos/openvpn-build/windows-nsis/sources/openvpn-gui-11.tar.gz'
Extract '/opt/PQCrypto-VPN/openvpn/build/repos/openvpn-build/windows-nsis/sources/pkcs11-helper-1.22.tar.bz2'
Extract '/opt/PQCrypto-VPN/openvpn/build/repos/openvpn-build/windows-nsis/sources/tap-windows-9.24.2.zip'
Archive: /opt/PQCrypto-VPN/openvpn/build/repos/openvpn-build/windows-nsis/sources/tap-windows-9.24.2.zip
creating: tap-windows-9.24.2/
creating: tap-windows-9.24.2/arm64/
inflating: tap-windows-9.24.2/arm64/tapinstall.exe
inflating: tap-windows-9.24.2/arm64/tap0901.cat
inflating: tap-windows-9.24.2/arm64/tap0901.sys
inflating: tap-windows-9.24.2/arm64/OemVista.inf
creating: tap-windows-9.24.2/include/
inflating: tap-windows-9.24.2/include/tap-windows.h
creating: tap-windows-9.24.2/amd64/
inflating: tap-windows-9.24.2/amd64/tapinstall.exe
inflating: tap-windows-9.24.2/amd64/tap0901.cat
inflating: tap-windows-9.24.2/amd64/tap0901.sys
inflating: tap-windows-9.24.2/amd64/OemVista.inf
creating: tap-windows-9.24.2/i386/
inflating: tap-windows-9.24.2/i386/tapinstall.exe
inflating: tap-windows-9.24.2/i386/tap0901.cat
inflating: tap-windows-9.24.2/i386/tap0901.sys
inflating: tap-windows-9.24.2/i386/OemVista.inf
Patch: '/opt/PQCrypto-VPN/openvpn/build/repos/openvpn-build/generic/patches/pkcs11-helper-001-RFC7512.patch'
patching file lib/pkcs11h-serialization.c
patching file lib/pkcs11h-util.c
Build liboqs
-- The C compiler identification is GNU 8.3.0
-- The ASM compiler identification is GNU
-- Found assembler: /usr/bin/x86_64-w64-mingw32-gcc
-- Check for working C compiler: /usr/bin/x86_64-w64-mingw32-gcc
-- Check for working C compiler: /usr/bin/x86_64-w64-mingw32-gcc -- broken
CMake Error at /usr/share/cmake/Modules/CMakeTestCCompiler.cmake:60 (message):
The C compiler
"/usr/bin/x86_64-w64-mingw32-gcc"
is not able to compile a simple test program.
It fails with the following output:
Change Dir: /opt/PQCrypto-VPN/openvpn/build/repos/openvpn-build/windows-nsis/tmp/build-x86_64/liboqs/build-win/CMakeFiles/CMakeTmp
Run Build Command(s):/usr/bin/ninja cmTC_38761 && [1/2] Building C object CMakeFiles/cmTC_38761.dir/testCCompiler.c.obj
[2/2] Linking C executable cmTC_38761.exe
FAILED: cmTC_38761.exe
: && /usr/bin/x86_64-w64-mingw32-gcc -Wl,--dynamicbase,--nxcompat CMakeFiles/cmTC_38761.dir/testCCompiler.c.obj -o cmTC_38761.exe -Wl,--out-implib,libcmTC_38761.dll.a -Wl,--major-image-version,0,--minor-image-version,0 -lkernel32 -luser32 -lgdi32 -lwinspool -lshell32 -lole32 -loleaut32 -luuid -lcomdlg32 -ladvapi32 && :
/usr/lib/gcc/x86_64-w64-mingw32/8.3.0/../../../../x86_64-w64-mingw32/bin/ld: cannot find crt2.o: No such file or directory
/usr/lib/gcc/x86_64-w64-mingw32/8.3.0/../../../../x86_64-w64-mingw32/bin/ld: cannot find crtbegin.o: No such file or directory
/usr/lib/gcc/x86_64-w64-mingw32/8.3.0/../../../../x86_64-w64-mingw32/bin/ld: cannot find -lkernel32
/usr/lib/gcc/x86_64-w64-mingw32/8.3.0/../../../../x86_64-w64-mingw32/bin/ld: cannot find -luser32
/usr/lib/gcc/x86_64-w64-mingw32/8.3.0/../../../../x86_64-w64-mingw32/bin/ld: cannot find -lgdi32
/usr/lib/gcc/x86_64-w64-mingw32/8.3.0/../../../../x86_64-w64-mingw32/bin/ld: cannot find -lwinspool
/usr/lib/gcc/x86_64-w64-mingw32/8.3.0/../../../../x86_64-w64-mingw32/bin/ld: cannot find -lshell32
/usr/lib/gcc/x86_64-w64-mingw32/8.3.0/../../../../x86_64-w64-mingw32/bin/ld: cannot find -lole32
/usr/lib/gcc/x86_64-w64-mingw32/8.3.0/../../../../x86_64-w64-mingw32/bin/ld: cannot find -loleaut32
/usr/lib/gcc/x86_64-w64-mingw32/8.3.0/../../../../x86_64-w64-mingw32/bin/ld: cannot find -luuid
/usr/lib/gcc/x86_64-w64-mingw32/8.3.0/../../../../x86_64-w64-mingw32/bin/ld: cannot find -lcomdlg32
/usr/lib/gcc/x86_64-w64-mingw32/8.3.0/../../../../x86_64-w64-mingw32/bin/ld: cannot find -ladvapi32
/usr/lib/gcc/x86_64-w64-mingw32/8.3.0/../../../../x86_64-w64-mingw32/bin/ld: cannot find -lmingw32
/usr/lib/gcc/x86_64-w64-mingw32/8.3.0/../../../../x86_64-w64-mingw32/bin/ld: cannot find -lgcc
/usr/lib/gcc/x86_64-w64-mingw32/8.3.0/../../../../x86_64-w64-mingw32/bin/ld: cannot find -lgcc_eh
/usr/lib/gcc/x86_64-w64-mingw32/8.3.0/../../../../x86_64-w64-mingw32/bin/ld: cannot find -lmoldname
/usr/lib/gcc/x86_64-w64-mingw32/8.3.0/../../../../x86_64-w64-mingw32/bin/ld: cannot find -lmingwex
/usr/lib/gcc/x86_64-w64-mingw32/8.3.0/../../../../x86_64-w64-mingw32/bin/ld: cannot find -lmsvcrt
/usr/lib/gcc/x86_64-w64-mingw32/8.3.0/../../../../x86_64-w64-mingw32/bin/ld: cannot find -ladvapi32
/usr/lib/gcc/x86_64-w64-mingw32/8.3.0/../../../../x86_64-w64-mingw32/bin/ld: cannot find -lshell32
/usr/lib/gcc/x86_64-w64-mingw32/8.3.0/../../../../x86_64-w64-mingw32/bin/ld: cannot find -luser32
/usr/lib/gcc/x86_64-w64-mingw32/8.3.0/../../../../x86_64-w64-mingw32/bin/ld: cannot find -lkernel32
/usr/lib/gcc/x86_64-w64-mingw32/8.3.0/../../../../x86_64-w64-mingw32/bin/ld: cannot find -lmingw32
/usr/lib/gcc/x86_64-w64-mingw32/8.3.0/../../../../x86_64-w64-mingw32/bin/ld: cannot find -lgcc
/usr/lib/gcc/x86_64-w64-mingw32/8.3.0/../../../../x86_64-w64-mingw32/bin/ld: cannot find -lgcc_eh
/usr/lib/gcc/x86_64-w64-mingw32/8.3.0/../../../../x86_64-w64-mingw32/bin/ld: cannot find -lmoldname
/usr/lib/gcc/x86_64-w64-mingw32/8.3.0/../../../../x86_64-w64-mingw32/bin/ld: cannot find -lmingwex
/usr/lib/gcc/x86_64-w64-mingw32/8.3.0/../../../../x86_64-w64-mingw32/bin/ld: cannot find -lmsvcrt
/usr/lib/gcc/x86_64-w64-mingw32/8.3.0/../../../../x86_64-w64-mingw32/bin/ld: cannot find crtend.o: No such file or directory
collect2: error: ld returned 1 exit status
ninja: build stopped: subcommand failed.
CMake will not be able to correctly generate this project.
Call Stack (most recent call first):
CMakeLists.txt:4 (project)
-- Configuring incomplete, errors occurred!
See also "/opt/PQCrypto-VPN/openvpn/build/repos/openvpn-build/windows-nsis/tmp/build-x86_64/liboqs/build-win/CMakeFiles/CMakeOutput.log".
See also "/opt/PQCrypto-VPN/openvpn/build/repos/openvpn-build/windows-nsis/tmp/build-x86_64/liboqs/build-win/CMakeFiles/CMakeError.log".
FATAL: cmake
FATAL: build x86_64 >&2
***** Running command: ninja
***** Running command: ninja install
***** Running command: ./config shared --prefix=/opt/PQCrypto-VPN/openvpn/build/scratch/oqs-openssl-output/openssl --openssldir=/opt/PQCrypto-VPN/openvpn/build/scratch/oqs-openssl-output/ssl -lm
***** Running command: make -j
***** Running command: make install
***** Running command: autoreconf -i -f -v
***** Running command: touch ./usr/local/openvpn/etc/.placeholder ./usr/local/openvpn/log/.placeholder
***** Running command: tar -cz --group=root --owner=root -f ../pq-openvpn-linux-staged.tar.gz .
***** Running command: tar czvvf /tmp/liboqs.tar.gz liboqs
***** Running command: tar czvvf /tmp/openssl-oqs.tar.gz openssl-oqs
***** Running command: autoreconf -i -v -f
***** Running command: ./configure
***** Running command: tar czvvf /tmp/openvpn-2.4.8.tar.gz openvpn-2.4.8
***** Running command: autoreconf -i -v -f
***** Running command: tar czvvf /tmp/openvpn-gui-11.tar.gz openvpn-gui
***** Running command: ./windows-nsis/build-complete
Traceback (most recent call last):
File "build.py", line 236, in <module>
build_openvpn_windows()
File "build.py", line 207, in build_openvpn_windows
run_command(['./windows-nsis/build-complete'])
File "build.py", line 42, in run_command
raise RuntimeError('Command failed')
RuntimeError: Command failed
The command '/bin/sh -c cd /opt/PQCrypto-VPN/openvpn/build && python build.py' returned a non-zero code: 1
(ERROR)-(Exit Code 1)-(General error)
Compatibility with OQS-OpenSSL_1_1_1 branch of openssl
Are there any updates on integrating OpenSSL 1.1.1? Are there compatibility issues? I am currently working on integrating one of the PQ algorithms into this project; however, it was built on the OQS-OpenSSL_1_1_1 branch.
Picnic
I wonder if Picnic is really usable in PQCrypto-VPN as you mentioned here?
I created the certificate with picnicl1fs key and received the error:
Mon Jan 13 12:55:40 2020 OpenSSL: error:0609E09C:digital envelope routines:PKEY_SET_TYPE:unsupported algorithm
Mon Jan 13 12:55:40 2020 OpenSSL: error:0B07706F:x509 certificate routines:X509_PUBKEY_get:unsupported algorithm
Mon Jan 13 12:55:40 2020 OpenSSL: error:140BF10C:SSL routines:SSL_SET_CERT:x509 lib
Mon Jan 13 12:55:40 2020 MANAGEMENT: Client disconnected
Mon Jan 13 12:55:40 2020 Cannot load certificate file C:\Program Files\OpenVPN_PQCrypto\config\client.crt
Mon Jan 13 12:55:40 2020 Exiting due to fatal error
Curve configuration setting
Greetings Kevin,
Thank you for your working on those latest commits on OQS-OpenSSL and OQS-liboqs because I was stuck for days.
I am trying to figure out if the 0.3.1-dev version of liboqs in combination with openssl-oqs rc2 produce a different curve configuration directive. In dev-3.1 this one is represented within ecdh-curve.
Thank you for your time and work.
Best regards!
build error
ninja: error: manifest 'build.ninja' still dirty after 100 tries
Build failure at step 1.
Error message:
docker build -t vpn_microsoft_test .
Sending build context to Docker daemon 2.048kB
Step 1/5 : FROM ubuntu:19.10
---> 4f82834f04c6
Step 2/5 : WORKDIR /tmp
---> Using cache
---> c7c7524a447f
Step 3/5 : RUN apt update && apt install -y git gcc cmake make python
---> Using cache
---> 7eb2fb99e108
Step 4/5 : RUN git clone https://github.com/microsoft/PQCrypto-VPN.git
---> Running in 11898c70764e
Cloning into 'PQCrypto-VPN'...
Removing intermediate container 11898c70764e
---> 492e553a7b01
Step 5/5 : RUN cd /tmp/PQCrypto-VPN/openvpn/build && python build.py
---> Running in 01de9c40f600
fatal: Remote branch OpenSSL_1_0_2-stable not found in upstream origin
Cloning openssl ...
***** Running command: git clone -q --branch OpenSSL_1_0_2-stable https://github.com/open-quantum-safe/openssl openssl-oqs
Traceback (most recent call last):
File "build.py", line 258, in <module>
build_oqs_openssl()
File "build.py", line 121, in build_oqs_openssl
git_clone(OPENSSL_OQS_REPO, OPENSSL_OQS_BRANCH, 'openssl-oqs', OPENSSL_OQS_COMMIT)
File "build.py", line 74, in git_clone
os.chdir(local_name)
OSError: [Errno 2] No such file or directory: 'openssl-oqs'
The command '/bin/sh -c cd /tmp/PQCrypto-VPN/openvpn/build && python build.py' returned a non-zero code: 1
Dockerfile to reproduce error:
FROM ubuntu:19.10
WORKDIR /tmp
RUN apt update && apt install -y git gcc cmake make python
RUN git clone https://github.com/microsoft/PQCrypto-VPN.git
RUN cd /tmp/PQCrypto-VPN/openvpn/build && python build.py
I modified the build.py script quiet a bit to get past several errors, but they just keep coming. Could someone please update the build system for this repo so that it actually builds on the first try. There have many changes in OQS OpenSSL and it breaks everything.
branch: oqsrepo Build Error
The error:
Traceback (most recent call last):
File "build.py", line 270, in <module>
build_openvpn_linux()
File "build.py", line 185, in build_openvpn_linux
shutil.copy('../oqs-openssl-output/openssl/lib/libcrypto.so.1.0.0', stagepath + '/' + OPENVPN_LINUX_PREFIX + '/lib')
File "/usr/lib/python2.7/shutil.py", line 139, in copy
copyfile(src, dst)
File "/usr/lib/python2.7/shutil.py", line 97, in copyfile
with open(dst, 'wb') as fdst:
IOError: [Errno 2] No such file or directory: '/opt/PQCrypto-VPN/openvpn/build/scratch/stage//usr/local/openvpn/lib'
The command '/bin/sh -c cd /opt/PQCrypto-VPN/openvpn/build && python build.py' returned a non-zero code: 1
This is a simple error to fix, but after I fix it more errors just keep coming. If you look at "'/opt/PQCrypto-VPN/openvpn/build/scratch/stage//usr/local/openvpn/lib'" it has two forward slashes instead of one. Please take a look.
Dockerfile:
FROM ubuntu:19.10
RUN apt update && apt install -y \
liblz4-dev \
liblzo2-dev \
libpam-dev \
libssl-dev \
libtool \
libtool-bin \
cmake \
make \
autoconf \
python \
git
RUN cd /opt && git clone --branch oqsrepo https://github.com/microsoft/PQCrypto-VPN.git
RUN cd /opt/PQCrypto-VPN/openvpn/build && python build.py
I should mention that python3 has the built in path module in pathlib which handles path independent of operating system. If the build script is ever ported to python 3, path error of this kind can be avoided all together.
Edit 1: The "oqsrepo" branch was merged into master at commit 1d35894 for future reference.
tls-cipher schemes for control channel negotiation request and certificate read issue
Greetings all,
Congratulations and thanks for all this work you have done so far and the quest to implement post quantum algorithms into current cryptography protocols.
First of all I have to state that I have pretty basic knowledge of programming languages, but I can handle various operating systems. Lately I had the interest to start learning about cryptography and started encrypting my connection, playing around with the various available classic protocols etc.
I have successfully installed your software in both *nix based and microsoft platforms of mine, at least up to the openssl-integrated-with-liboqs stage, but still I am not sure I have understood how I should form the tls-cipher and/or tls-ciphersuites (for the openssl 1.1.1d version I use) directive to handle the oqskex. Also the openssl certificates I issue with the openssl commands (openssl seems to have been integrated correctly since I can use it for -at least- most of the pq algorithms) seem not readable from my openvpn software on neither side. (It provides various certificate related errors such as the "unsupported certificate purpose" / "certificate verify failed" / extended key usage errors etc.)
I reached as far as I could alone, but I think I will need your help to go further. I use Debian Buster and Windows 10 Pro Edition.
Any help and recommendation will be appreciated. Keep up the good work.
Best regards,
Alex
sidhp751 crash - linux
Kevin,
Since a while ago (since the dev-1.3 testing started or so) I would like to report that PQCrypto-VPN seems to crash when sidhp751 is used as KEM. This occurs in the linux built if I have observed correctly.
Thanks in advance
Instructions for more/all liboqs algorithms support (KEMs and signature)
Kevin,
Within this link I found that there are instructions on how to implement at code/compile-level those liboqs algorithms you want, who are not (currently) included in the oqs-openssl forks. There seem to be two ways to achieve that. I propose for the full liboqs list support of algorithms (KEMs and signatures) so those interested may have the widest possible range of options and ability to test the algorithms.
Also I confirm that I have tested all the oqs-openssl signature schemes and all of them are working on my Windows build (which is the exact latest since I am always checking the devel repo for updates)
It would be great if you would implement the total range of algorithms, in the end, the more the options the better the cryptography result. Please let us know of your thoughts on this possibility.
Best regards!
How to build a custom PQCrypto-VPN with latest (dev) liboqs and OQS-OpenSSL (1.1.1k) on Windows 10
My building system's basic details:
O.S.: Windows 10 Home Edition
CPU: AMD-type
CMD Prompt: Using Administrator x64 Native tools command prompt of VS 2019
Stage: all tests passed, oqs-openssl and libs installed correctly and working
Here is a quick guide on how to achieve it:
1. Build the repository of Microsoft PQCrypto-VPN as it currently is resulting is the windows binary and install it.
2. Install all the according Windows dependencies (git, VS 2019, Perl - Active & Strawberry - MinGW & MSys, other needed extensions like Ninja, NASM e.t.c. - check the liboqs and openssl-oqs repo) and clone the latest (dev versions) of liboqs and openssl-oqs from the gits.
3. After cloning, when in \liboqs\build use:
cmake -GNinja -DCMAKE_INSTALL_PREFIX=..\..\openssl-oqs\oqs -DBUILD_SHARED_LIBS=OFF ..
then ninja and ninja install should work just fine
4. build normally according to the instructions (perl Configure VC-WIN64A, then nmake test, then nmake install)
5. Import (copy) the libraries from the newly install Program Files\OpenSSL directory (under C:) to the openvpn\bin directory
You should also copy the newly created openssl.exe (binary) from \Program Files\OpenSSL\bin to \OpenVPN\bin aswell. It works but the system may need to be restarted.
**6. Don't forget to set the according PATH variables
7. Test the new algorithms
You can also activate other desired OQS algorithms than the default enabled ones. Follow this guide of the openssl-oqs folder on an Ubuntu machine and the download the updated archive/directory to your Windows system, re-install liboqs as explained above targeting this new directory and then perl Configure... , nmake... and you should be ready!
I wish you find my guide useful.
Best regards!
virustotal
Fix Windows build in darwin branch
The darwin branch has significant improvements to the build.py script. The contributor confirmed the build works on Darwin and I confirmed it works on Linux, but the Windows build is broken, and needs to be fixed before it can be merged into master.
PQCrypto-VPN builds and runs, but OQS-KEX keys missing in traffic.
I have been able to successfully build and run PQCrypto-VPN, but there is a key issue (double meaning intended):
- I have
tls-cipher OQSKEX-MLWE-KYBER-ECDHE-RSA-WITH-AES-256-GCM-SHA384set in the ovpn config file for the client. - In the traffic, I do not see the keys being sent from either the Client Hello or the Server Hello.
- My executable is linked as follows, not sure that it matters though:
ldd /opt/PQCrypto-VPN/openvpn/build/scratch/stage/usr/local/openvpn/sbin/openvpn
/lib/ld-musl-x86_64.so.1 (0x7f4ea75cc000)
liblzo2.so.2 => /usr/lib/liblzo2.so.2 (0x7f4ea70f5000)
liblz4.so.1 => /usr/lib/liblz4.so.1 (0x7f4ea70c1000)
libssl.so.1.0.0 => /opt/PQCrypto-VPN/openvpn/build/scratch/openssl-oqs//libssl.so.1.0.0 (0x7f4ea7044000)
libcrypto.so.1.0.0 => /opt/PQCrypto-VPN/openvpn/build/scratch/openssl-oqs//libcrypto.so.1.0.0 (0x7f4ea6cec000)
libc.musl-x86_64.so.1 => /lib/ld-musl-x86_64.so.1 (0x7f4ea75cc000)
What needs to be done to fix this? I expect to see keys for kyber on the DHE from both sides. Also, the fact that wireshark cannot parse that TLS record suggests something is amiss.
Add command-line parameters to skip either the Linux or Windows build
Default build will remain both, but this will allow skipping one build in private builds as suggested in #15.
OpenVPN version update?
The project update to integrate with the latest OpenSSL is great step forward. Is there any roadmap to update the OpenVPN side to the latest version as well?
Thanks.
Enabling KEM and QSIGNATURE of choice in PQCrypto-VPN
The "PQCrypto-VPN/openvpn/config" folder contains examples on how to enable any available QCipherSuite:
How can I specify what KEM or QSIGNATURE PQCrypto-VPN should use? Thanks.
EDIT 1: I just realized that KEMs are part of the Cipher Suite, but they are coded as KEX, or more precisely as "OQSKEX" which is slightly confusing. "OQSKEM" would be better. Any notes on how to use the QSIGNATURE in the vpn would still be valuable though.
Here for reference, the available traditional and quantum cipher suites.:
* SSL/TLS Cipher suite name translation table
*/
static const tls_cipher_name_pair tls_cipher_name_translation_table[] = {
{"ADH-SEED-SHA", "TLS-DH-anon-WITH-SEED-CBC-SHA"},
{"AES128-GCM-SHA256", "TLS-RSA-WITH-AES-128-GCM-SHA256"},
{"AES128-SHA256", "TLS-RSA-WITH-AES-128-CBC-SHA256"},
{"AES128-SHA", "TLS-RSA-WITH-AES-128-CBC-SHA"},
{"AES256-GCM-SHA384", "TLS-RSA-WITH-AES-256-GCM-SHA384"},
{"AES256-SHA256", "TLS-RSA-WITH-AES-256-CBC-SHA256"},
{"AES256-SHA", "TLS-RSA-WITH-AES-256-CBC-SHA"},
{"CAMELLIA128-SHA256", "TLS-RSA-WITH-CAMELLIA-128-CBC-SHA256"},
{"CAMELLIA128-SHA", "TLS-RSA-WITH-CAMELLIA-128-CBC-SHA"},
{"CAMELLIA256-SHA256", "TLS-RSA-WITH-CAMELLIA-256-CBC-SHA256"},
{"CAMELLIA256-SHA", "TLS-RSA-WITH-CAMELLIA-256-CBC-SHA"},
{"DES-CBC3-SHA", "TLS-RSA-WITH-3DES-EDE-CBC-SHA"},
{"DES-CBC-SHA", "TLS-RSA-WITH-DES-CBC-SHA"},
{"DH-DSS-SEED-SHA", "TLS-DH-DSS-WITH-SEED-CBC-SHA"},
{"DHE-DSS-AES128-GCM-SHA256", "TLS-DHE-DSS-WITH-AES-128-GCM-SHA256"},
{"DHE-DSS-AES128-SHA256", "TLS-DHE-DSS-WITH-AES-128-CBC-SHA256"},
{"DHE-DSS-AES128-SHA", "TLS-DHE-DSS-WITH-AES-128-CBC-SHA"},
{"DHE-DSS-AES256-GCM-SHA384", "TLS-DHE-DSS-WITH-AES-256-GCM-SHA384"},
{"DHE-DSS-AES256-SHA256", "TLS-DHE-DSS-WITH-AES-256-CBC-SHA256"},
{"DHE-DSS-AES256-SHA", "TLS-DHE-DSS-WITH-AES-256-CBC-SHA"},
{"DHE-DSS-CAMELLIA128-SHA256", "TLS-DHE-DSS-WITH-CAMELLIA-128-CBC-SHA256"},
{"DHE-DSS-CAMELLIA128-SHA", "TLS-DHE-DSS-WITH-CAMELLIA-128-CBC-SHA"},
{"DHE-DSS-CAMELLIA256-SHA256", "TLS-DHE-DSS-WITH-CAMELLIA-256-CBC-SHA256"},
{"DHE-DSS-CAMELLIA256-SHA", "TLS-DHE-DSS-WITH-CAMELLIA-256-CBC-SHA"},
{"DHE-DSS-SEED-SHA", "TLS-DHE-DSS-WITH-SEED-CBC-SHA"},
{"DHE-RSA-AES128-GCM-SHA256", "TLS-DHE-RSA-WITH-AES-128-GCM-SHA256"},
{"DHE-RSA-AES128-SHA256", "TLS-DHE-RSA-WITH-AES-128-CBC-SHA256"},
{"DHE-RSA-AES128-SHA", "TLS-DHE-RSA-WITH-AES-128-CBC-SHA"},
{"DHE-RSA-AES256-GCM-SHA384", "TLS-DHE-RSA-WITH-AES-256-GCM-SHA384"},
{"DHE-RSA-AES256-SHA256", "TLS-DHE-RSA-WITH-AES-256-CBC-SHA256"},
{"DHE-RSA-AES256-SHA", "TLS-DHE-RSA-WITH-AES-256-CBC-SHA"},
{"DHE-RSA-CAMELLIA128-SHA256", "TLS-DHE-RSA-WITH-CAMELLIA-128-CBC-SHA256"},
{"DHE-RSA-CAMELLIA128-SHA", "TLS-DHE-RSA-WITH-CAMELLIA-128-CBC-SHA"},
{"DHE-RSA-CAMELLIA256-SHA256", "TLS-DHE-RSA-WITH-CAMELLIA-256-CBC-SHA256"},
{"DHE-RSA-CAMELLIA256-SHA", "TLS-DHE-RSA-WITH-CAMELLIA-256-CBC-SHA"},
{"DHE-RSA-CHACHA20-POLY1305", "TLS-DHE-RSA-WITH-CHACHA20-POLY1305-SHA256"},
{"DHE-RSA-SEED-SHA", "TLS-DHE-RSA-WITH-SEED-CBC-SHA"},
{"DH-RSA-SEED-SHA", "TLS-DH-RSA-WITH-SEED-CBC-SHA"},
{"ECDH-ECDSA-AES128-GCM-SHA256", "TLS-ECDH-ECDSA-WITH-AES-128-GCM-SHA256"},
{"ECDH-ECDSA-AES128-SHA256", "TLS-ECDH-ECDSA-WITH-AES-128-CBC-SHA256"},
{"ECDH-ECDSA-AES128-SHA", "TLS-ECDH-ECDSA-WITH-AES-128-CBC-SHA"},
{"ECDH-ECDSA-AES256-GCM-SHA384", "TLS-ECDH-ECDSA-WITH-AES-256-GCM-SHA384"},
{"ECDH-ECDSA-AES256-SHA256", "TLS-ECDH-ECDSA-WITH-AES-256-CBC-SHA256"},
{"ECDH-ECDSA-AES256-SHA384", "TLS-ECDH-ECDSA-WITH-AES-256-CBC-SHA384"},
{"ECDH-ECDSA-AES256-SHA", "TLS-ECDH-ECDSA-WITH-AES-256-CBC-SHA"},
{"ECDH-ECDSA-CAMELLIA128-SHA256", "TLS-ECDH-ECDSA-WITH-CAMELLIA-128-CBC-SHA256"},
{"ECDH-ECDSA-CAMELLIA128-SHA", "TLS-ECDH-ECDSA-WITH-CAMELLIA-128-CBC-SHA"},
{"ECDH-ECDSA-CAMELLIA256-SHA256", "TLS-ECDH-ECDSA-WITH-CAMELLIA-256-CBC-SHA256"},
{"ECDH-ECDSA-CAMELLIA256-SHA", "TLS-ECDH-ECDSA-WITH-CAMELLIA-256-CBC-SHA"},
{"ECDH-ECDSA-DES-CBC3-SHA", "TLS-ECDH-ECDSA-WITH-3DES-EDE-CBC-SHA"},
{"ECDH-ECDSA-DES-CBC-SHA", "TLS-ECDH-ECDSA-WITH-DES-CBC-SHA"},
{"ECDH-ECDSA-RC4-SHA", "TLS-ECDH-ECDSA-WITH-RC4-128-SHA"},
{"ECDHE-ECDSA-AES128-GCM-SHA256", "TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256"},
{"ECDHE-ECDSA-AES128-SHA256", "TLS-ECDHE-ECDSA-WITH-AES-128-CBC-SHA256"},
{"ECDHE-ECDSA-AES128-SHA384", "TLS-ECDHE-ECDSA-WITH-AES-128-CBC-SHA384"},
{"ECDHE-ECDSA-AES128-SHA", "TLS-ECDHE-ECDSA-WITH-AES-128-CBC-SHA"},
{"ECDHE-ECDSA-AES256-GCM-SHA384", "TLS-ECDHE-ECDSA-WITH-AES-256-GCM-SHA384"},
{"ECDHE-ECDSA-AES256-SHA256", "TLS-ECDHE-ECDSA-WITH-AES-256-CBC-SHA256"},
{"ECDHE-ECDSA-AES256-SHA384", "TLS-ECDHE-ECDSA-WITH-AES-256-CBC-SHA384"},
{"ECDHE-ECDSA-AES256-SHA", "TLS-ECDHE-ECDSA-WITH-AES-256-CBC-SHA"},
{"ECDHE-ECDSA-CAMELLIA128-SHA256", "TLS-ECDHE-ECDSA-WITH-CAMELLIA-128-CBC-SHA256"},
{"ECDHE-ECDSA-CAMELLIA128-SHA", "TLS-ECDHE-ECDSA-WITH-CAMELLIA-128-CBC-SHA"},
{"ECDHE-ECDSA-CAMELLIA256-SHA256", "TLS-ECDHE-ECDSA-WITH-CAMELLIA-256-CBC-SHA256"},
{"ECDHE-ECDSA-CAMELLIA256-SHA", "TLS-ECDHE-ECDSA-WITH-CAMELLIA-256-CBC-SHA"},
{"ECDHE-ECDSA-CHACHA20-POLY1305", "TLS-ECDHE-ECDSA-WITH-CHACHA20-POLY1305-SHA256"},
{"ECDHE-ECDSA-DES-CBC3-SHA", "TLS-ECDHE-ECDSA-WITH-3DES-EDE-CBC-SHA"},
{"ECDHE-ECDSA-DES-CBC-SHA", "TLS-ECDHE-ECDSA-WITH-DES-CBC-SHA"},
{"ECDHE-ECDSA-RC4-SHA", "TLS-ECDHE-ECDSA-WITH-RC4-128-SHA"},
{"ECDHE-RSA-AES128-GCM-SHA256", "TLS-ECDHE-RSA-WITH-AES-128-GCM-SHA256"},
{"ECDHE-RSA-AES128-SHA256", "TLS-ECDHE-RSA-WITH-AES-128-CBC-SHA256"},
{"ECDHE-RSA-AES128-SHA384", "TLS-ECDHE-RSA-WITH-AES-128-CBC-SHA384"},
{"ECDHE-RSA-AES128-SHA", "TLS-ECDHE-RSA-WITH-AES-128-CBC-SHA"},
{"ECDHE-RSA-AES256-GCM-SHA384", "TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384"},
{"ECDHE-RSA-AES256-SHA256", "TLS-ECDHE-RSA-WITH-AES-256-CBC-SHA256"},
{"ECDHE-RSA-AES256-SHA384", "TLS-ECDHE-RSA-WITH-AES-256-CBC-SHA384"},
{"ECDHE-RSA-AES256-SHA", "TLS-ECDHE-RSA-WITH-AES-256-CBC-SHA"},
{"ECDHE-RSA-CAMELLIA128-SHA256", "TLS-ECDHE-RSA-WITH-CAMELLIA-128-CBC-SHA256"},
{"ECDHE-RSA-CAMELLIA128-SHA", "TLS-ECDHE-RSA-WITH-CAMELLIA-128-CBC-SHA"},
{"ECDHE-RSA-CAMELLIA256-SHA256", "TLS-ECDHE-RSA-WITH-CAMELLIA-256-CBC-SHA256"},
{"ECDHE-RSA-CAMELLIA256-SHA", "TLS-ECDHE-RSA-WITH-CAMELLIA-256-CBC-SHA"},
{"ECDHE-RSA-CHACHA20-POLY1305", "TLS-ECDHE-RSA-WITH-CHACHA20-POLY1305-SHA256"},
{"ECDHE-RSA-DES-CBC3-SHA", "TLS-ECDHE-RSA-WITH-3DES-EDE-CBC-SHA"},
{"ECDHE-RSA-DES-CBC-SHA", "TLS-ECDHE-RSA-WITH-DES-CBC-SHA"},
{"ECDHE-RSA-RC4-SHA", "TLS-ECDHE-RSA-WITH-RC4-128-SHA"},
{"ECDH-RSA-AES128-GCM-SHA256", "TLS-ECDH-RSA-WITH-AES-128-GCM-SHA256"},
{"ECDH-RSA-AES128-SHA256", "TLS-ECDH-RSA-WITH-AES-128-CBC-SHA256"},
{"ECDH-RSA-AES128-SHA384", "TLS-ECDH-RSA-WITH-AES-128-CBC-SHA384"},
{"ECDH-RSA-AES128-SHA", "TLS-ECDH-RSA-WITH-AES-128-CBC-SHA"},
{"ECDH-RSA-AES256-GCM-SHA384", "TLS-ECDH-RSA-WITH-AES-256-GCM-SHA384"},
{"ECDH-RSA-AES256-SHA256", "TLS-ECDH-RSA-WITH-AES-256-CBC-SHA256"},
{"ECDH-RSA-AES256-SHA384", "TLS-ECDH-RSA-WITH-AES-256-CBC-SHA384"},
{"ECDH-RSA-AES256-SHA", "TLS-ECDH-RSA-WITH-AES-256-CBC-SHA"},
{"ECDH-RSA-CAMELLIA128-SHA256", "TLS-ECDH-RSA-WITH-CAMELLIA-128-CBC-SHA256"},
{"ECDH-RSA-CAMELLIA128-SHA", "TLS-ECDH-RSA-WITH-CAMELLIA-128-CBC-SHA"},
{"ECDH-RSA-CAMELLIA256-SHA256", "TLS-ECDH-RSA-WITH-CAMELLIA-256-CBC-SHA256"},
{"ECDH-RSA-CAMELLIA256-SHA", "TLS-ECDH-RSA-WITH-CAMELLIA-256-CBC-SHA"},
{"ECDH-RSA-DES-CBC3-SHA", "TLS-ECDH-RSA-WITH-3DES-EDE-CBC-SHA"},
{"ECDH-RSA-DES-CBC-SHA", "TLS-ECDH-RSA-WITH-DES-CBC-SHA"},
{"ECDH-RSA-RC4-SHA", "TLS-ECDH-RSA-WITH-RC4-128-SHA"},
{"EDH-DSS-DES-CBC3-SHA", "TLS-DHE-DSS-WITH-3DES-EDE-CBC-SHA"},
{"EDH-DSS-DES-CBC-SHA", "TLS-DHE-DSS-WITH-DES-CBC-SHA"},
{"EDH-RSA-DES-CBC3-SHA", "TLS-DHE-RSA-WITH-3DES-EDE-CBC-SHA"},
{"EDH-RSA-DES-CBC-SHA", "TLS-DHE-RSA-WITH-DES-CBC-SHA"},
{"EXP-DES-CBC-SHA", "TLS-RSA-EXPORT-WITH-DES40-CBC-SHA"},
{"EXP-EDH-DSS-DES-CBC-SHA", "TLS-DH-DSS-EXPORT-WITH-DES40-CBC-SHA"},
{"EXP-EDH-RSA-DES-CBC-SHA", "TLS-DH-RSA-EXPORT-WITH-DES40-CBC-SHA"},
{"EXP-RC2-CBC-MD5", "TLS-RSA-EXPORT-WITH-RC2-CBC-40-MD5"},
{"EXP-RC4-MD5", "TLS-RSA-EXPORT-WITH-RC4-40-MD5"},
{"NULL-MD5", "TLS-RSA-WITH-NULL-MD5"},
{"NULL-SHA256", "TLS-RSA-WITH-NULL-SHA256"},
{"NULL-SHA", "TLS-RSA-WITH-NULL-SHA"},
{"PSK-3DES-EDE-CBC-SHA", "TLS-PSK-WITH-3DES-EDE-CBC-SHA"},
{"PSK-AES128-CBC-SHA", "TLS-PSK-WITH-AES-128-CBC-SHA"},
{"PSK-AES256-CBC-SHA", "TLS-PSK-WITH-AES-256-CBC-SHA"},
{"PSK-RC4-SHA", "TLS-PSK-WITH-RC4-128-SHA"},
{"RC4-MD5", "TLS-RSA-WITH-RC4-128-MD5"},
{"RC4-SHA", "TLS-RSA-WITH-RC4-128-SHA"},
{"SEED-SHA", "TLS-RSA-WITH-SEED-CBC-SHA"},
{"SRP-DSS-3DES-EDE-CBC-SHA", "TLS-SRP-SHA-DSS-WITH-3DES-EDE-CBC-SHA"},
{"SRP-DSS-AES-128-CBC-SHA", "TLS-SRP-SHA-DSS-WITH-AES-128-CBC-SHA"},
{"SRP-DSS-AES-256-CBC-SHA", "TLS-SRP-SHA-DSS-WITH-AES-256-CBC-SHA"},
{"SRP-RSA-3DES-EDE-CBC-SHA", "TLS-SRP-SHA-RSA-WITH-3DES-EDE-CBC-SHA"},
{"SRP-RSA-AES-128-CBC-SHA", "TLS-SRP-SHA-RSA-WITH-AES-128-CBC-SHA"},
{"SRP-RSA-AES-256-CBC-SHA", "TLS-SRP-SHA-RSA-WITH-AES-256-CBC-SHA"},
/*
* Non-standard, post-quantum cipher suites, provided by the OQS fork of OpenSSL.
* https://github.com/open-quantum-safe/openssl
*/
{"OQSKEX-SIDH-MSR-ECDHE-RSA-AES256-GCM-SHA384", "OQSKEX-SIDH-MSR-ECDHE-RSA-AES256-GCM-SHA384"},
{"OQSKEX-LWE-FRODO-RECOMMENDED-ECDHE-RSA-AES256-GCM-SHA384", "OQSKEX-LWE-FRODO-RECOMMENDED-ECDHE-RSA-AES256-GCM-SHA384"},
{"OQSKEX-RLWE-BCNS15-ECDHE-RSA-AES256-GCM-SHA384", "OQSKEX-RLWE-BCNS15-ECDHE-RSA-AES256-GCM-SHA384"},
{"OQSKEX-RLWE-NEWHOPE-ECDHE-RSA-AES256-GCM-SHA384", "OQSKEX-RLWE-NEWHOPE-ECDHE-RSA-AES256-GCM-SHA384"},
{"OQSKEX-RLWE-MSRLN16-ECDHE-RSA-AES256-GCM-SHA384", "OQSKEX-RLWE-MSRLN16-ECDHE-RSA-AES256-GCM-SHA384"},
{"OQSKEX-SIDH-IQC-REF-ECDHE-RSA-WITH-AES-256-GCM-SHA384", "OQSKEX-SIDH-IQC-REF-ECDHE-RSA-WITH-AES-256-GCM-SHA384"},
{"OQSKEX-CODE-MCBITS-ECDHE-RSA-WITH-AES-256-GCM-SHA384", "OQSKEX-CODE-MCBITS-ECDHE-RSA-WITH-AES-256-GCM-SHA384"},
{"OQSKEX-NTRU-ECDHE-RSA-WITH-AES-256-GCM-SHA384", "OQSKEX-NTRU-ECDHE-RSA-WITH-AES-256-GCM-SHA384"},
{"OQSKEX-MLWE-KYBER-ECDHE-RSA-WITH-AES-256-GCM-SHA384", "OQSKEX-MLWE-KYBER-ECDHE-RSA-WITH-AES-256-GCM-SHA384"},
/* same list as above, but with ECDSA instead of RSA */
{"OQSKEX-SIDH-MSR-ECDHE-ECDSA-AES256-GCM-SHA384", "OQSKEX-SIDH-MSR-ECDHE-ECDSA-AES256-GCM-SHA384"},
{"OQSKEX-LWE-FRODO-RECOMMENDED-ECDHE-ECDSA-AES256-GCM-SHA384", "OQSKEX-LWE-FRODO-RECOMMENDED-ECDHE-ECDSA-AES256-GCM-SHA384"},
{"OQSKEX-RLWE-BCNS15-ECDHE-ECDSA-AES256-GCM-SHA384", "OQSKEX-RLWE-BCNS15-ECDHE-ECDSA-AES256-GCM-SHA384"},
{"OQSKEX-RLWE-NEWHOPE-ECDHE-ECDSA-AES256-GCM-SHA384", "OQSKEX-RLWE-NEWHOPE-ECDHE-ECDSA-AES256-GCM-SHA384"},
{"OQSKEX-RLWE-MSRLN16-ECDHE-ECDSA-AES256-GCM-SHA384", "OQSKEX-RLWE-MSRLN16-ECDHE-ECDSA-AES256-GCM-SHA384"},
{"OQSKEX-SIDH-IQC-REF-ECDHE-ECDSA-WITH-AES-256-GCM-SHA384", "OQSKEX-SIDH-IQC-REF-ECDHE-ECDSA-WITH-AES-256-GCM-SHA384"},
{"OQSKEX-CODE-MCBITS-ECDHE-ECDSA-WITH-AES-256-GCM-SHA384", "OQSKEX-CODE-MCBITS-ECDHE-ECDSA-WITH-AES-256-GCM-SHA384"},
{"OQSKEX-NTRU-ECDHE-ECDSA-WITH-AES-256-GCM-SHA384", "OQSKEX-NTRU-ECDHE-ECDSA-WITH-AES-256-GCM-SHA384"},
{"OQSKEX-MLWE-KYBER-ECDHE-ECDSA-WITH-AES-256-GCM-SHA384", "OQSKEX-MLWE-KYBER-ECDHE-ECDSA-WITH-AES-256-GCM-SHA384"},
/* Picnic-capable ciphersuites */
{"OQSKEX-LWE-FRODO-RECOMMENDED-PICNIC-AES256-GCM-SHA384", "OQSKEX-LWE-FRODO-RECOMMENDED-PICNIC-AES256-GCM-SHA384"},
{"OQSKEX-RLWE-MSRLN16-PICNIC-AES256-GCM-SHA384", "OQSKEX-RLWE-MSRLN16-PICNIC-AES256-GCM-SHA384"},
{"OQSKEX-SIDH-MSR-PICNIC-AES256-GCM-SHA384", "OQSKEX-SIDH-MSR-PICNIC-AES256-GCM-SHA384"},
{"OQSKEX-LWE-FRODO-RECOMMENDED-ECDHE-PICNIC-AES256-GCM-SHA384", "OQSKEX-LWE-FRODO-RECOMMENDED-ECDHE-PICNIC-AES256-GCM-SHA384"},
{"OQSKEX-RLWE-MSRLN16-ECDHE-PICNIC-AES256-GCM-SHA384", "OQSKEX-RLWE-MSRLN16-ECDHE-PICNIC-AES256-GCM-SHA384"},
{"OQSKEX-SIDH-MSR-ECDHE-PICNIC-AES256-GCM-SHA384", "OQSKEX-SIDH-MSR-ECDHE-PICNIC-AES256-GCM-SHA384"},
#ifdef ENABLE_CRYPTO_OPENSSL
/* OpenSSL-specific group names */
{"DEFAULT", "DEFAULT"},
{"ALL", "ALL"},
{"HIGH", "HIGH"}, {"!HIGH", "!HIGH"},
{"MEDIUM", "MEDIUM"}, {"!MEDIUM", "!MEDIUM"},
{"LOW", "LOW"}, {"!LOW", "!LOW"},
{"ECDH", "ECDH"}, {"!ECDH", "!ECDH"},
{"ECDSA", "ECDSA"}, {"!ECDSA", "!ECDSA"},
{"EDH", "EDH"}, {"!EDH", "!EDH"},
{"EXP", "EXP"}, {"!EXP", "!EXP"},
{"RSA", "RSA"}, {"!RSA", "!RSA"},
{"kRSA", "kRSA"}, {"!kRSA", "!kRSA"},
{"SRP", "SRP"}, {"!SRP", "!SRP"},
#endif
{NULL, NULL}
};
Add logging to show key exchange algorithm negotiated
It's not obvious what algorithm is being used for key exchange on the control connection. Add logging to state which algorithm is being used when a tunnel is established.
Update Raspberry Pi "post-quantum access point" instructions for PQCrypto-VPN 1.3
Instructions in the pqap subtree have not been tested to work with version 1.3 of PQCrypto-VPN, and likely need updating.
OQS OpenSSL fails to run after build.
The error:
root@7dc66bd1ac35: cd /opt/PQCrypto-VPN/openvpn/build/scratch/pq-openvpn-linux/oqs-openssl-output/openssl/bin/
root@7dc66bd1ac35:/opt/PQCrypto-VPN/openvpn/build/scratch/pq-openvpn-linux/oqs-openssl-output/openssl/bin# ./openssl
./openssl: symbol lookup error: ./openssl: undefined symbol: OQS_RAND_free
Dockerfile:
FROM ubuntu:18.04
RUN apt update && apt install -y \
liblz4-dev \
liblzo2-dev \
libpam-dev \
libssl-dev \
libtool \
libtool-bin \
cmake \
make \
autoconf \
python \
git \
curl \
libpam0g-dev \
unzip \
net-tools \
pkg-config \
wget
RUN cd /opt && \
git clone -b master https://github.com/microsoft/PQCrypto-VPN.git && \
cd PQCrypto-VPN
RUN cd /opt/PQCrypto-VPN/openvpn/build && python build.py
After getting inside the container just run:
cd /opt/PQCrypto-VPN/openvpn/build/scratch/pq-openvpn-linux/oqs-openssl-output/openssl/bin/
./openssl
Integrate with liboqs 0.4.0
Greetings Kevin,
After your previous fix I managed to locate two points within the PQCrypto-VPN code which I changed and managed to build the latest engine of PQCrypto-VPN, initially by downloading the fork here and then by replacing (re-downloading) the current master liboqs fork (0.3.1-dev) with the very latest OQS-OpenSSL. I should note that this latest version of the engine built, is way smaller than the previous one, about half the size of the current found in dev-3.1 for both windows and linux. But it seems to perfectly work after your latest fixes.
It is more than welcome for me if you want to me to provide those fixes either here in my post or directly in the code.
Looking forward to hearing from you, thanks again.
Best regards
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
๐ Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. ๐๐๐
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google โค๏ธ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.