Attention is currently required from: flichtenheld, plaisthos.

Hello plaisthos, flichtenheld,

I'd like you to do a code review.
Please visit

    http://gerrit.openvpn.net/c/openvpn/+/1046?usp=email

to review the following change.


Change subject: Added PQE to WolfSSL
......................................................................

Added PQE to WolfSSL

Change-Id: Ie0529c2074964b3be034f01e0ef53090a6edbd35
---
M README.wolfssl
M src/openvpn/ssl_openssl.c
A src/openvpn/wolfssl_compat.h
3 files changed, 92 insertions(+), 0 deletions(-)



  git pull ssh://gerrit.openvpn.net:29418/openvpn refs/changes/46/1046/1

diff --git a/README.wolfssl b/README.wolfssl
index a5dfe31..27b9087 100644
--- a/README.wolfssl
+++ b/README.wolfssl
@@ -28,3 +28,40 @@
  * blowfish support (BF-CBC), you must use something like
    cipher AES-128-CBC to avoid trying to use BF-CBC
  * Windows CryptoAPI support
+
+*************************************************************************
+To build WolfSSL with these PQE, you'll want to configure it like this:
+
+```bash
+./configure --enable-openvpn --enable-kyber --enable-mlkem --enable-curve25519
+```
+
+WolfSSL supports the following Quantum Safe algorithms by specifying them 
using the `tls-groups`
+option in a config.
+
+```
+ML_KEM_512
+ML_KEM_768
+ML_KEM_1024
+P256_ML_KEM_512
+P384_ML_KEM_768
+P256_ML_KEM_768
+P521_ML_KEM_1024
+P384_ML_KEM_1024
+X25519_ML_KEM_512
+X448_ML_KEM_768
+X25519_ML_KEM_768
+
+KYBER_LEVEL1
+KYBER_LEVEL3
+KYBER_LEVEL5
+
+P256_KYBER_LEVEL1
+P384_KYBER_LEVEL3
+P256_KYBER_LEVEL3
+P521_KYBER_LEVEL5
+
+X25519_KYBER_LEVEL1
+X448_KYBER_LEVEL3
+X25519_KYBER_LEVEL3
+```
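Review bot: The added README text opens with "these PQE" before any algorithm has been named and never expands the abbreviation; say up front that the section covers post-quantum key exchange groups, then give the configure line. The list mixes ML_KEM_* and KYBER_* names without saying how the two families differ or which of --enable-kyber and --enable-mlkem enables which, so a reader cannot tell which names are valid for a given build. The context lines above use plain-text bullets, so the Markdown code fences and the row of asterisks are out of style for this file; indenting the command and the list would match it better.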
diff --git a/src/openvpn/ssl_openssl.c b/src/openvpn/ssl_openssl.c
index 2fc77d8..29aa502 100644
--- a/src/openvpn/ssl_openssl.c
+++ b/src/openvpn/ssl_openssl.c
@@ -76,6 +76,8 @@
 #include <openssl/applink.c>
 #endif

+#include "wolfssl_compat.h"
+
 OSSL_LIB_CTX *tls_libctx; /* Global */

 static void unload_xkey_provider(void);
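Review bot: The include of wolfssl_compat.h is unconditional and sits on its own after the applink.c block, so every non-wolfSSL build now relies on the header's internal #ifdef ENABLE_CRYPTO_WOLFSSL to stay empty. Either guard the include here with the same #ifdef, or state in the header that it is safe to include in all builds and group it with the other local includes.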
@@ -588,7 +590,12 @@
         {
             token = "prime256v1";
         }
+
+#ifdef ENABLE_CRYPTO_WOLFSSL
+        int nid = wolfssl_OBJ_sn2nid(token);
+#else
         int nid = OBJ_sn2nid(token);
+#endif

         if (nid == 0)
         {
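Review bot: The #ifdef around the nid declaration repeats "int nid = ..." in both branches and puts a backend switch in the middle of the function body. Consider having wolfssl_compat.h provide one name that maps to plain OBJ_sn2nid() when ENABLE_CRYPTO_WOLFSSL is not defined, so the call site stays a single line. The check that follows is "nid == 0" while the new wrapper returns WC_NID_undef; use the same constant on both sides so the failure test cannot drift.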
diff --git a/src/openvpn/wolfssl_compat.h b/src/openvpn/wolfssl_compat.h
new file mode 100644
index 0000000..a25e5c3
--- /dev/null
+++ b/src/openvpn/wolfssl_compat.h
@@ -0,0 +1,48 @@
+#pragma once
+
+/*
+ *  OpenVPN -- An application to securely tunnel IP networks
+ *             over a single TCP/UDP port, with support for SSL/TLS-based
+ *             session authentication and key exchange,
+ *             packet encryption, packet authentication, and
+ *             packet compression.
+ *
+ *  Copyright (C) 2023 Fox Crypto B.V. <open...@foxcrypto.com>
+ *
+ *  This program is free software; you can redistribute it and/or modify
+ *  it under the terms of the GNU General Public License version 2
+ *  as published by the Free Software Foundation.
+ *
+ *  This program is distributed in the hope that it will be useful,
+ *  but WITHOUT ANY WARRANTY; without even the implied warranty of
+ *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ *  GNU General Public License for more details.
+ *
+ *  You should have received a copy of the GNU General Public License along
+ *  with this program; if not, write to the Free Software Foundation, Inc.,
+ *  51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+ */
+
+/**
+ * @file
+ * wolfssl compatibility stub.
+ * This file provide compatibility stubs for the wolfssl libraries
+ */
+
+#ifdef ENABLE_CRYPTO_WOLFSSL
+
+int
+wolfssl_OBJ_sn2nid(const char *sn)
+{
+
+       int nid = OBJ_sn2nid(sn);
+
+       if (nid == WC_NID_undef)
+       {
+               return wolfSSL_EC_curve_nist2nid(sn);
+       }
+
+       return WC_NID_undef;
+}
+
+#endif
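Review bot: wolfssl_OBJ_sn2nid() falls through to "return WC_NID_undef;" whenever OBJ_sn2nid(sn) succeeds, so a name that OBJ_sn2nid resolves is reported as unknown and only the wolfSSL_EC_curve_nist2nid() fallback can return a usable value; the last statement should be "return nid;". The function is also defined non-static in a header, which produces a duplicate symbol at link time as soon as a second source file includes it; make it static inline or move the body into a .c file. Smaller points: the body is indented with seven spaces where ssl_openssl.c uses four, the header includes none of the wolfSSL headers that declare the calls and constants it uses, and the @file comment should read "This file provides".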

--
To view, visit http://gerrit.openvpn.net/c/openvpn/+/1046?usp=email
To unsubscribe, or for help writing mail filters, visit 
http://gerrit.openvpn.net/settings

Gerrit-Project: openvpn
Gerrit-Branch: master
Gerrit-Change-Id: Ie0529c2074964b3be034f01e0ef53090a6edbd35
Gerrit-Change-Number: 1046
Gerrit-PatchSet: 1
Gerrit-Owner: comododragon <rein.vanbaa...@fox-it.com>
Gerrit-Reviewer: flichtenheld <fr...@lichtenheld.com>
Gerrit-Reviewer: plaisthos <arne-open...@rfc2549.org>
Gerrit-CC: openvpn-devel <openvpn-devel@lists.sourceforge.net>
Gerrit-Attention: plaisthos <arne-open...@rfc2549.org>
Gerrit-Attention: flichtenheld <fr...@lichtenheld.com>
Gerrit-MessageType: newchange