From patchwork Mon Jul 7 13:34:39 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Gert Doering X-Patchwork-Id: 4298 Return-Path: Delivered-To: patchwork@openvpn.net Received: by 2002:a05:7000:3846:b0:671:5a2c:6455 with SMTP id n6csp6900530mal; Mon, 7 Jul 2025 06:35:03 -0700 (PDT) X-Forwarded-Encrypted: i=2; AJvYcCVxMd9fuYKjQMb4iq2ez7LERIiFy1c7u4jxjX4KQN7HT+jIH2D5v57voFOGe4G1K0Zw5n4iNOyt+ik=@openvpn.net X-Google-Smtp-Source: AGHT+IG4eq/KXuIaf7MNNDoBeg8c0CiXLlkc6CaLKanSrgR0XkBaKQvgNa0+plY5jejGZk9baB17 X-Received: by 2002:a05:6820:2114:b0:611:4bfe:610a with SMTP id 006d021491bc7-61392be7a60mr8716720eaf.8.1751895303298; Mon, 07 Jul 2025 06:35:03 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1751895303; cv=none; d=google.com; s=arc-20240605; b=k43KkTwIsGcHlTlFA7YqItPl5vJAMys6Aasl7j8aDuFEkwcoQ1krHgag6iyCsz1Mjz B4CdxeXo5CYUJihSvBniNS36uXuNLy1yKwx12V4fUhj2GIWcjF3SBqzhMeH3kiyG0uxQ OzDP/BF4C9OIkmDFS7s5dnKDAoXu/gMeTLuPjHh8eOsL3GQ9jonKbJvwThtKx+ZDIQjR gpfSWJLlNtuB73wePo6O+IajzNhJ2WblOCj/bM+6gDPGOkh2OrbnAHlFcpwkZRsgr1aX lW93nFCVEMYgYx/tAeBW2G5qhzOVL5dqf6aDJdFJ8AadxNG/d3TVbqpjsmnkKBJdfSxw 8+mQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20240605; h=errors-to:content-transfer-encoding:list-subscribe:list-help :list-post:list-archive:list-unsubscribe:list-id:precedence:subject :mime-version:references:in-reply-to:message-id:date:to:from :dkim-signature:dkim-signature:dkim-signature; bh=rOKHngKINfJGQuJ3CLunFI7ImXCfFFTKsJf46+CYM4k=; fh=4NbAC/LsuMLI0S0hprUlLSLCiHwg6SCAifhH718Jh0Q=; b=jQFiIizWbH+6pnf4SjI6C4Rg7WI0BI8XCQV1E6rQVz+O1uRlcMeFeqdTV1ufbGfM9I rlDxUv6HbvTuVDFraAFikJ1RinW8bYAvNqThaY7S6Gq2950xBSIHOAkWVt4n6JuaLEBw rs21xZIMzDxEXB5wBGvVceJOQyCjxvxj/HZv8VgcHYC/kobzG7Ce70S7o0rt+UGfs24T qilm4QmAF7F8NVJtNy7D8AIe4sI6ddZJ3MKGHY+Fgo8OLGyZGuJo7mjiNXL0M+3IY67j 9ZiHBXQJut1XJjA9cb513txqoZOUFibxPzJE6fJ66GNtrzKjhhed2QXHYXBnJtLNZTgI DI1A==; dara=google.com ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@lists.sourceforge.net header.s=beta header.b=PkhQYA30; dkim=neutral (body hash did not verify) header.i=@sourceforge.net header.s=x header.b=lFuj7jTN; dkim=neutral (body hash did not verify) header.i=@sf.net header.s=x header.b=ZAPKVc2W; spf=pass (google.com: domain of openvpn-devel-bounces@lists.sourceforge.net designates 216.105.38.7 as permitted sender) smtp.mailfrom=openvpn-devel-bounces@lists.sourceforge.net; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=muc.de Received: from lists.sourceforge.net (lists.sourceforge.net. [216.105.38.7]) by mx.google.com with ESMTPS id 006d021491bc7-6138e49c296si5560645eaf.9.2025.07.07.06.35.02 (version=TLS1_2 cipher=ECDHE-ECDSA-AES128-GCM-SHA256 bits=128/128); Mon, 07 Jul 2025 06:35:02 -0700 (PDT) Received-SPF: pass (google.com: domain of openvpn-devel-bounces@lists.sourceforge.net designates 216.105.38.7 as permitted sender) client-ip=216.105.38.7; Authentication-Results: mx.google.com; dkim=pass header.i=@lists.sourceforge.net header.s=beta header.b=PkhQYA30; dkim=neutral (body hash did not verify) header.i=@sourceforge.net header.s=x header.b=lFuj7jTN; dkim=neutral (body hash did not verify) header.i=@sf.net header.s=x header.b=ZAPKVc2W; spf=pass (google.com: domain of openvpn-devel-bounces@lists.sourceforge.net designates 216.105.38.7 as permitted sender) smtp.mailfrom=openvpn-devel-bounces@lists.sourceforge.net; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=muc.de DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=lists.sourceforge.net; s=beta; h=Content-Transfer-Encoding:Content-Type: List-Subscribe:List-Help:List-Post:List-Archive:List-Unsubscribe:List-Id: Subject:MIME-Version:References:In-Reply-To:Message-ID:Date:To:From:Sender: Reply-To:Cc:Content-ID:Content-Description:Resent-Date:Resent-From: Resent-Sender:Resent-To:Resent-Cc:Resent-Message-ID:List-Owner; bh=rOKHngKINfJGQuJ3CLunFI7ImXCfFFTKsJf46+CYM4k=; b=PkhQYA303H58l3BjPffK/saYR7 XaAudIuyexeP356B5QI0NnSvICtEfGCEUWM2BdQYrTpHkONjd8e8yWYhYitHDPkrIEOFVI/bTKiyW u2HXze1k8AHPkeJfAuuhKmjq2Ly+ZSkf+FbizfNtkDpusTQPFDoUhJXM1HkvM5+WAeX8=; Received: from [127.0.0.1] (helo=sfs-ml-4.v29.lw.sourceforge.com) by sfs-ml-4.v29.lw.sourceforge.com with esmtp (Exim 4.95) (envelope-from ) id 1uYlzl-0004lN-3X; Mon, 07 Jul 2025 13:34:57 +0000 Received: from [172.30.29.66] (helo=mx.sourceforge.net) by sfs-ml-4.v29.lw.sourceforge.com with esmtps (TLS1.2) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.95) (envelope-from ) id 1uYlzj-0004lD-UN for openvpn-devel@lists.sourceforge.net; Mon, 07 Jul 2025 13:34:55 +0000 DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=sourceforge.net; s=x; h=Content-Transfer-Encoding:MIME-Version:References: In-Reply-To:Message-ID:Date:Subject:To:From:Sender:Reply-To:Cc:Content-Type: Content-ID:Content-Description:Resent-Date:Resent-From:Resent-Sender: Resent-To:Resent-Cc:Resent-Message-ID:List-Id:List-Help:List-Unsubscribe: List-Subscribe:List-Post:List-Owner:List-Archive; bh=H1Icibi7s923fV/TjbbH69CC/MOJaf7OzRm4woXFEn0=; b=lFuj7jTNEqteHI6FERsiqv2HnV FdSdypO2MOxm87C5bW/ylOVZT8Q5hzjGGcmUzQf5VP5FfNG8J7vAnNFWy7CHfcgZI6sRzxVB7hEbF WjCU/Y+Z4LgnMAsZFrJjWF5ntf6QGFKCfgwtMwu7+VbEA/ejRW//pVL6gcwP/Qa75Rdw=; DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=sf.net; s=x ; h=Content-Transfer-Encoding:MIME-Version:References:In-Reply-To:Message-ID: Date:Subject:To:From:Sender:Reply-To:Cc:Content-Type:Content-ID: Content-Description:Resent-Date:Resent-From:Resent-Sender:Resent-To:Resent-Cc :Resent-Message-ID:List-Id:List-Help:List-Unsubscribe:List-Subscribe: List-Post:List-Owner:List-Archive; bh=H1Icibi7s923fV/TjbbH69CC/MOJaf7OzRm4woXFEn0=; b=ZAPKVc2W7YNg4gMoaaZrUCjgti y9Bcbwynu7Cn1127QlY6FLcrQHjAwAwe1E9F1yYxb//kA9SOIKByP1e6PH0i8GnRxq5VyD3HV7L+p ARkWHmjwu41nRCdV6AWNc6WvDWYTlWoJfMCHb/xuDouV8QgHw3mr470ptT5wyTOYTSx8=; Received: from [193.149.48.143] (helo=blue.greenie.muc.de) by sfi-mx-2.v28.lw.sourceforge.com with esmtps (TLS1.2:ECDHE-RSA-AES256-GCM-SHA384:256) (Exim 4.95) id 1uYlzi-00050s-Qi for openvpn-devel@lists.sourceforge.net; Mon, 07 Jul 2025 13:34:55 +0000 Received: from blue.greenie.muc.de (localhost [127.0.0.1]) by blue.greenie.muc.de (8.17.1.9/8.17.1.9) with ESMTP id 567DYlCW012435 for ; Mon, 7 Jul 2025 15:34:47 +0200 Received: (from gert@localhost) by blue.greenie.muc.de (8.17.1.9/8.17.1.9/Submit) id 567DYlUs012434 for openvpn-devel@lists.sourceforge.net; Mon, 7 Jul 2025 15:34:47 +0200 From: Gert Doering To: openvpn-devel@lists.sourceforge.net Date: Mon, 7 Jul 2025 15:34:39 +0200 Message-ID: <20250707133447.12404-1-gert@greenie.muc.de> X-Mailer: git-send-email 2.49.0 In-Reply-To: References: MIME-Version: 1.0 X-Spam-Score: 1.3 (+) X-Spam-Report: Spam detection software, running on the system "sfi-spamd-2.hosts.colo.sdot.me", has NOT identified this incoming email as spam. The original message has been attached to this so you can view it or label similar future email. If you have any questions, see the administrator of that system for details. Content preview: From: rein.vanbaaren Change-Id: Ie0529c2074964b3be034f01e0ef53090a6edbd35 Signed-off-by: comododragon Acked-by: Arne Schwabe --- Content analysis details: (1.3 points, 5.0 required) pts rule name description ---- ---------------------- -------------------------------------------------- 1.3 RDNS_NONE Delivered to internal network by a host with no rDNS X-Headers-End: 1uYlzi-00050s-Qi Subject: [Openvpn-devel] [PATCH v6] Added PQE to WolfSSL X-BeenThere: openvpn-devel@lists.sourceforge.net X-Mailman-Version: 2.1.21 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: openvpn-devel-bounces@lists.sourceforge.net X-getmail-retrieved-from-mailbox: Inbox X-GMAIL-THRID: =?utf-8?q?1836995369520635864?= X-GMAIL-MSGID: =?utf-8?q?1836995369520635864?= From: rein.vanbaaren Change-Id: Ie0529c2074964b3be034f01e0ef53090a6edbd35 Signed-off-by: comododragon Acked-by: Arne Schwabe --- This change was reviewed on Gerrit and approved by at least one developer. I request to merge it to master. Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1046 This mail reflects revision 6 of this Change. Signed-off-by line for the author was added as per our policy. Acked-by according to Gerrit (reflected above): Arne Schwabe diff --git a/README.wolfssl b/README.wolfssl index a5dfe31..7475164 100644 --- a/README.wolfssl +++ b/README.wolfssl @@ -28,3 +28,33 @@ * blowfish support (BF-CBC), you must use something like cipher AES-128-CBC to avoid trying to use BF-CBC * Windows CryptoAPI support + +************************************************************************* +To build WolfSSL with post-quantum KEMs built in, the following command is used: + +./configure --enable-openvpn --enable-kyber=all --enable-curve25519 + +WolfSSL supports the following post-quantum KEMs and post-quantum hybrid KEMs which must be specified +using the tls-groups option in an OpenVPN config. Unlike OpenSSL, which includes X25519MLKEM768 +in the default config, WolfSSL requires explicit configuration of tls-groups to include +at least one post-quantum KEM. + +ML_KEM_512 +ML_KEM_768 +ML_KEM_1024 + +P256_ML_KEM_512 +X25519_ML_KEM_512 + +P384_ML_KEM_768 +P256_ML_KEM_768 +X448_ML_KEM_768 +X25519_ML_KEM_768 + +P384_ML_KEM_1024 +P521_ML_KEM_1024 + +The naming conventions of algorithms differ between WolfSSL and OpenSSL. An example is that +OpenSSL omits underscores for their naming notation whereas WolfSSL expects them. Additionally, +OpenSSL does not accept the P curve notation and instead uses the equivalent secp notation. +A specific example is that WolfSSL expects P384_ML_KEM_1024, while OpenSSL expects secp384r1MLKEM1024. diff --git a/src/openvpn/ssl_openssl.c b/src/openvpn/ssl_openssl.c index 2fc77d8..4c11cd4 100644 --- a/src/openvpn/ssl_openssl.c +++ b/src/openvpn/ssl_openssl.c @@ -560,7 +560,7 @@ tls_ctx_set_tls_groups(struct tls_root_ctx *ctx, const char *groups) { ASSERT(ctx); -#if OPENSSL_VERSION_NUMBER < 0x30000000L +#if OPENSSL_VERSION_NUMBER < 0x30000000L && !defined(ENABLE_CRYPTO_WOLFSSL) struct gc_arena gc = gc_new(); /* This method could be as easy as * SSL_CTX_set1_groups_list(ctx->ctx, groups)