
Comments (14)

kevinmkane avatar kevinmkane commented on July 28, 2024 1

As we describe password authentication in our README, no, it doesn't provide any additional security. It's provided as an alternative to client certificate authentication, purely for usability reasons. It has no bearing on the key exchange, and you can only make the argument that it's at least as strong as client certificates if you can enforce that all client secrets are sufficiently long and random to provide 128-bit security. Client certificates are definitely preferred for authentication, if possible.

from pqcrypto-vpn.
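What "sufficiently long and random to provide 128-bit security" means in practice, as an added example that is not part of the thread or of PQCrypto-VPN's code. It assumes the administrator generates each client secret uniformly at random instead of letting users choose it; the function names and alphabets are hypothetical.

```python
import math
import secrets
import string

TARGET_BITS = 128  # security level named in the comment above


def min_length(alphabet_size: int, bits: int = TARGET_BITS) -> int:
    """Smallest n with alphabet_size**n >= 2**bits (exact integer arithmetic)."""
    if alphabet_size < 2:
        raise ValueError("alphabet needs at least two symbols")
    n = 1
    while alphabet_size ** n < 2 ** bits:
        n += 1
    return n


def strength_bits(alphabet_size: int, length: int) -> float:
    """Entropy of a secret whose symbols are drawn uniformly and independently."""
    return length * math.log2(alphabet_size)


def generate_secret(alphabet: str, bits: int = TARGET_BITS) -> str:
    """Draw a secret from the OS CSPRNG, long enough to reach `bits`."""
    symbols = sorted(set(alphabet))  # duplicates would skew the distribution
    n = min_length(len(symbols), bits)
    return "".join(secrets.choice(symbols) for _ in range(n))


# Constructed alphabets for illustration.
HEX = string.hexdigits[:16]
ALNUM = string.ascii_letters + string.digits
PRINTABLE = ALNUM + string.punctuation

if __name__ == "__main__":
    for name, alpha in [("hex", HEX), ("alnum", ALNUM), ("printable", PRINTABLE)]:
        s = generate_secret(alpha)
        bits = strength_bits(len(set(alpha)), len(s))
        print(f"{name:9} len={len(s):2} bits={bits:.1f}")
    # A 12-character secret falls short even when fully random:
    print(f"12 printable chars: {strength_bits(len(PRINTABLE), 12):.1f} bits")
```

The entropy figure only holds for machine-generated secrets; a user-chosen password of the same length cannot be credited with it.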

kevinmkane avatar kevinmkane commented on July 28, 2024 1

I don't recall precisely the problem you're having, but if you can provide more details, I'd be happy to give my input.

In particular, logs of output from the build, as well as the commit IDs of each repo you're building would be a good start, including where the build break is happening: in liboqs, openssl-oqs, or in OpenVPN.


kevinmkane avatar kevinmkane commented on July 28, 2024 1

The build break might be the result of this PR: open-quantum-safe/openssl#217. It looks like something in OpenSSL's Makefile is attempting to create that "lib" directory after it's already been created, thus causing the error. I expect there'll be some effort required to dig into OpenSSL's build infrastructure to figure out where it comes from, and where to fix it. I don't expect I'll be able to look at this soon. You may be able to comment out where that mkdir is happening, but it'll require working back to where that Makefile gets generated, since I believe OpenSSL generates its Makefiles on the fly during configuration.

As for AES vs Camellia, I don't feel comfortable offering an opinion, because symmetric cryptography isn't my forte, and I don't know anything about Camellia.


kevinmkane avatar kevinmkane commented on July 28, 2024 1

You might check with the OQS project and inquire if they're keeping their Windows build system up to date, since everything can be cross-compiled in Linux, now.

Before, we used to build our OpenSSL DLLs in Windows, and copy them over to the Linux OpenVPN build, but this was very awkward. It's good to know it can still be done, although I definitely wouldn't want to return to this build process as the norm. Still, I'm glad you were able to find a workaround for your experiments.


kevinmkane avatar kevinmkane commented on July 28, 2024

The best way for you to get any changes to us would be to open pull requests from forks where you've made the necessary changes.

Now that OQS has released its OpenSSL fork, we won't be moving past liboqs 0.3.0 until we do our next release, which I will be working on in the near future. After our release is done, though, I'll be happy to look at your pull requests to enable building with liboqs's latest version.


pqfan avatar pqfan commented on July 28, 2024

Kevin,
Never mind, the project bumped to 0.4.0 now and I encounter some steady AES-NI related errors on building with ninja.
I will stick with the current stable release you provide and try to test it out the most I can.

I wonder if PQCrypto-VPN with password protected authentication provides additional security on top of the algorithms base.

Thank you very much for your time, efforts and support so far Kev.


pqfan avatar pqfan commented on July 28, 2024

Kevin,
Check this commit from dstebila on liboqs 0.4.0, it seems to nicely work with your build system along with openssl-oqs latest release, for building the very latest engine. Just posting this for your records and later releases.

Thanks a lot again


pqfan avatar pqfan commented on July 28, 2024

Greetings Kevin,

There is still work being done on liboqs 0.4.0 (dev) and openssl-oqs (dev) and I confirm that on the latest version of PQCrypto-VPN (the current master branch here) and following step-by-step the according guide from open-quantum-safe project, I managed to build a custom (again) PQCrypto-VPN with the latest dev versions of the oqs software and with all the signature schemes enabled and passed to openssl. That means that I can now use any scheme from the liboqs fork I want.

### I can locate two bugs on this (custom) build:
1. sidhp751 still provides memory segmentation failure/error
2. Classic McEliece can be built to the openssl but seems that the core of PQCrypto-VPN or the core of OpenSSL is not able to support a negotiation with it, provides some connection refused errors etc.

Also, I like that the core of PQCrypto is fully ipv6 enabled, so I managed after some guide search to run an ipv6-only tunnel. So I am on ipv6 now. I could provide some tips on the project's blog here on how to achieve it or a guide for it.

Last but not least, openvpn 2.5 uses a different adapter for the openvpn-gui called wintun or something like this. I will attempt to modify the source more and possibly sync with 2.5 on my next build
(Working with VMware Workstation local computer build on Ubuntu 18.04 (host Windows 10) - please note that Ubuntu 19.04 and/or 20.04 provide some building errors, if used)

That's my mini report for now, hoping to guide you on your future coding on this.

Best regards


kevinmkane avatar kevinmkane commented on July 28, 2024

More likely than not, any crash in sidhp751 is nothing to do with our code, and should be reported to OQS or the SIKE team for further investigation.

Is there anything specific to our project about the IPv6-only setup that isn't applicable to OpenVPN generally? If not, offering it up to OpenVPN would seem the better choice, and it would certainly get far more notice there.


pqfan avatar pqfan commented on July 28, 2024

Greetings Kevin.
I am still getting that /lib file exists cross-compiling/building error for custom builds using latest liboqs openssl-oqs.
If you have any coding tip that could help me disassociate this error, I would really appreciate it.
It appears only on the building of the windows openvpn version if that helps at all.

I will provide a few more logs if requested.

Thanks again


pqfan avatar pqfan commented on July 28, 2024

Kevin, thanks for your answer,

Here are some guiding details as you requested

It is clearly happening on the openvpn part of the windows cross-compiling (no matter the platform I use to build, e.g. virtualbox-ubuntu or normal ubuntu on my computer)

  1. Logs from the output:
    install ./oqs/include/oqs/sig_dilithium.h -> /home/slitherin/Desktop/PQCrypto-VPN/openvpn/build/repos/openvpn-build/windows-nsis/tmp/image-x86_64/openvpn//include/oqs/sig_dilithium.h
    install ./oqs/include/oqs/sig_falcon.h -> /home/slitherin/Desktop/PQCrypto-VPN/openvpn/build/repos/openvpn-build/windows-nsis/tmp/image-x86_64/openvpn//include/oqs/sig_falcon.h
    install ./oqs/include/oqs/sig_picnic.h -> /home/slitherin/Desktop/PQCrypto-VPN/openvpn/build/repos/openvpn-build/windows-nsis/tmp/image-x86_64/openvpn//include/oqs/sig_picnic.h
    install ./oqs/include/oqs/sig_rainbow.h -> /home/slitherin/Desktop/PQCrypto-VPN/openvpn/build/repos/openvpn-build/windows-nsis/tmp/image-x86_64/openvpn//include/oqs/sig_rainbow.h
    install ./oqs/include/oqs/sig_sphincs.h -> /home/slitherin/Desktop/PQCrypto-VPN/openvpn/build/repos/openvpn-build/windows-nsis/tmp/image-x86_64/openvpn//include/oqs/sig_sphincs.h
    Cannot create directory /home/slitherin/Desktop/PQCrypto-VPN/openvpn/build/repos/openvpn-build/windows-nsis/tmp/image-x86_64/openvpn/lib: File exists
    Makefile:339: recipe for target 'install_dev' failed
    make: *** [install_dev] Error 17
    FATAL: make openssl
    FATAL: build x86_64 >&2
    Traceback (most recent call last):
    File "build.py", line 259, in
    build_openvpn_windows()
    File "build.py", line 217, in build_openvpn_windows
    run_command(['./windows-nsis/build-complete'])
    File "build.py", line 43, in run_command
    raise RuntimeError('Command failed')
    RuntimeError: Command failed

  2. liboqs commit ID: 0c17d3d (the current main repo)
    openssl-oqs commit ID: 67afc13 (current default repo)

Also I would like to ask your (off-topic) opinion on which bulk cipher you consider better and currently more secure, aes-256 or camellia-256 (no need to give details at all, just the preferred one)

I truly appreciate all your time on this.
Looking forward to receiving your feedback.

Best regards


pqfan avatar pqfan commented on July 28, 2024

Kevin,
I am trying to build openssl-oqs directly on Windows using VS tools, NASM, Perl (Strawberry & Active), etc.
It all goes well when I follow the according rules in the exact repo README files, except for the following error I receive during nmake:

    IF EXIST .manifest DEL /F /Q .manifest
    IF EXIST libcrypto-1_1-x64.dll DEL /F /Q libcrypto-1_1-x64.dll
    link /nologo /debug /dll /LIBPATH:"oqs\lib" /nologo /debug  /implib:libcrypto.lib /out:libcrypto-1_1-x64.dll /def:libcrypto.def @C:\Users\CARDIO~1\AppData\Local\Temp\nm380F.tmp || (DEL /Q libcrypto-1_1-x64.* libcrypto.lib && EXIT 1)

    LINK : fatal error LNK1104: cannot open file 'oqs.lib'
    Could Not Find C:\Users\Cardiohome\Desktop\openssl-oqs\libcrypto-1_1-x64.*
    NMAKE : fatal error U1077: 'link' : return code '0x1'
    Stop.
    NMAKE : fatal error U1077: '"C:\Program Files (x86)\Microsoft Visual Studio\2019\Professional\VC\Tools\MSVC\14.28.29333\bin\HostX86\x86\nmake.exe"' : return code '0x2'
    Stop.

any help will be much appreciated

Thanks!


pqfan avatar pqfan commented on July 28, 2024

Kevin,
Ok finally managed to surpass this error by using the commands I mentioned within my quick guide!

Best regards


pqfan avatar pqfan commented on July 28, 2024

Kevin,
Yes, kind of a quick temporary patch! Looking forward to the next official PQCrypto release!
Best regards
