Comments (14)
As we describe password authentication in our README, no, it doesn't provide any additional security. It's provided as an alternative to client certificate authentication, purely for usability reasons. It has no bearing on the key exchange, and you can only make the argument that it's at least as strong as client certificates if you can enforce that all client secrets are sufficiently long and random to provide 128-bit security. Client certificates are definitely preferred for authentication, if possible.
from pqcrypto-vpn.
I don't recall precisely the problem you're having, but if you can provide more details, I'd be happy to give my input.
In particular, logs of output from the build, as well as the commit IDs of each repo you're building would be a good start, including where the build break is happening: in liboqs, openssl-oqs, or in OpenVPN.
from pqcrypto-vpn.
The build break might be the result of this PR: open-quantum-safe/openssl#217. It looks like something in OpenSSL's Makefile is attempting to create that "lib" directory after it's already been created, thus causing the error. I expect there'll be some effort required to dig into OpenSSL's build infrastructure to figure out where it comes from, and where to fix it. I don't expect I'll be able to look at this soon. You may be able to comment out where that mkdir is happening, but it'll require working back to where that Makefile gets generated, since I believe OpenSSL generates its Makefiles on the fly during configuration.
As for AES vs Camellia, I don't feel comfortable offering an opinion, because symmetric cryptography isn't my forte, and I don't know anything about Camellia.
from pqcrypto-vpn.
You might check with the OQS project and inquire if they're keeping their Windows build system up to date, since everything can be cross-compiled in Linux, now.
Before, we used to build our OpenSSL DLLs in Windows, and copy them over to the Linux OpenVPN build, but this was very awkward. It's good to know it can still be done, although I definitely wouldn't want to return to this build process as the norm. Still, I'm glad you were able to find a workaround for your experiments.
from pqcrypto-vpn.
The best way for you to get any changes to us would be to open pull requests from forks where you've made the necessary changes.
Now that OQS has released its OpenSSL fork, we won't be moving past liboqs 0.3.0 until we do our next release, which I will be working on in the near future. After our release is done, though, I'll be happy to look at your pull requests to enable building with liboqs's latest version.
from pqcrypto-vpn.
Kevin,
Never mind, the project bumped to 0.4.0 now and I encounter some steady AES-NI related errors on building with ninja.
I will stick with the current stable release you provide and try to test it out the most I can.
I wonder if PQCrypto-VPN with password protected authentication provides additional security on top of the algorithms base.
Thank you very much for your time, efforts and support so far Kev.
from pqcrypto-vpn.
Kevin,
Check this commit from dstebila on liboqs 0.4.0, it seems to nicely work with your build system along with openssl-oqs latest release, for building the very latest engine. Just posting this for your records and later releases.
Thanks a lot again
from pqcrypto-vpn.
Greetings Kevin,
There is still work being done on liboqs 0.4.0 (dev) and openssl-oqs (dev) and I confirm that on the latest version of PQCrypto-VPN (the current master branch here) and following step-by-step the according guide from open-quantum-safe project, I managed to build a custom (again) PQCrypto-VPN with the latest dev versions of the oqs software and with all the signature schemes enabled and passed to openssl. That means that I can now use any scheme from the liboqs fork I want.
### I can locate two bugs on this (custom) build:
1. sidhp751 still provides memory segmentation failure/error
2. Classic McEliece can be built to the openssl but seems that the core of PQCrypto-VPN or the core of OpenSSL is not able to support a negotiation with it, provides some connection refused errors etc.
Also, I like that the core of PQCrypto is fully ipv6 enabled, so I managed after some guide search to run an ipv6-only tunnel. So I am on ipv6 now. I could provide some tips on the project's blog here on how to achieve it or a guide for it.
Last but not least, openvpn 2.5 uses a different adapter for the openvpn-gui called wintun or something like this. I will attempt to modify the source more and possibly sync with 2.5 on my next build
(Working with VMware Workstation local computer build on Ubuntu 18.04 (host Windows 10) - please note that Ubuntu 19.04 and/or 20.04 provide some building errors, if used)
That's my mini report for now, hoping to guide you on your future coding on this.
Best regards
from pqcrypto-vpn.
More likely than not, any crash in sidhp751 is nothing to do with our code, and should be reported to OQS or the SIKE team for further investigation.
Is there anything specific to our project about the IPv6-only setup that isn't applicable to OpenVPN generally? If not, offering it up to OpenVPN would seem the better choice, and it would certainly get far more notice there.
from pqcrypto-vpn.
Greetings Kevin.
I am still getting that /lib file exists cross-compiling/building error for custom builds using latest liboqs openssl-oqs.
If you have any coding tip that could help me disassociate this error, I would really appreciate it.
It appears only on the building of the windows openvpn version if that helps at all.
I will provide a few more logs if requested.
Thanks again
from pqcrypto-vpn.
Kevin, thanks for your answer,
Here are some guiding details as you requested
It is clearly happening on the openvpn part of the windows cross-compiling (no matter the platform I use to build, e.g. virtualbox-ubuntu or normal ubuntu on my computer)
Logs from the output:
```
install ./oqs/include/oqs/sig_dilithium.h -> /home/slitherin/Desktop/PQCrypto-VPN/openvpn/build/repos/openvpn-build/windows-nsis/tmp/image-x86_64/openvpn//include/oqs/sig_dilithium.h
install ./oqs/include/oqs/sig_falcon.h -> /home/slitherin/Desktop/PQCrypto-VPN/openvpn/build/repos/openvpn-build/windows-nsis/tmp/image-x86_64/openvpn//include/oqs/sig_falcon.h
install ./oqs/include/oqs/sig_picnic.h -> /home/slitherin/Desktop/PQCrypto-VPN/openvpn/build/repos/openvpn-build/windows-nsis/tmp/image-x86_64/openvpn//include/oqs/sig_picnic.h
install ./oqs/include/oqs/sig_rainbow.h -> /home/slitherin/Desktop/PQCrypto-VPN/openvpn/build/repos/openvpn-build/windows-nsis/tmp/image-x86_64/openvpn//include/oqs/sig_rainbow.h
install ./oqs/include/oqs/sig_sphincs.h -> /home/slitherin/Desktop/PQCrypto-VPN/openvpn/build/repos/openvpn-build/windows-nsis/tmp/image-x86_64/openvpn//include/oqs/sig_sphincs.h
Cannot create directory /home/slitherin/Desktop/PQCrypto-VPN/openvpn/build/repos/openvpn-build/windows-nsis/tmp/image-x86_64/openvpn/lib: File exists
Makefile:339: recipe for target 'install_dev' failed
make: *** [install_dev] Error 17
FATAL: make openssl
FATAL: build x86_64 >&2
Traceback (most recent call last):
File "build.py", line 259, in
build_openvpn_windows()
File "build.py", line 217, in build_openvpn_windows
run_command(['./windows-nsis/build-complete'])
File "build.py", line 43, in run_command
raise RuntimeError('Command failed')
RuntimeError: Command failed
```
liboqs commit ID: 0c17d3d (the current main repo)
openssl-oqs commit ID: 67afc13 (current default repo)
Also, I would like to ask your (off-topic) opinion on which bulk cipher you consider better and currently more secure, aes-256 or camellia-256 (no need to give details at all, just the preferred one).
I truly appreciate all your time on this.
Looking forward to receiving your feedback.
Best regards
from pqcrypto-vpn.
Kevin,
I am trying to build openssl-oqs directly on Windows using VS tools, NASM, Perl (Strawberry & Active), etc.
It all goes well when I follow the according rules in the exact repo README files, except for the following error I receive during nmake:
```
IF EXIST .manifest DEL /F /Q .manifest
IF EXIST libcrypto-1_1-x64.dll DEL /F /Q libcrypto-1_1-x64.dll
link /nologo /debug /dll /LIBPATH:"oqs\lib" /nologo /debug /implib:libcrypto.lib /out:libcrypto-1_1-x64.dll /def:libcrypto.def @C:\Users\CARDIO~1\AppData\Local\Temp\nm380F.tmp || (DEL /Q libcrypto-1_1-x64.* libcrypto.lib && EXIT 1)
LINK : fatal error LNK1104: cannot open file 'oqs.lib'
Could Not Find C:\Users\Cardiohome\Desktop\openssl-oqs\libcrypto-1_1-x64.*
NMAKE : fatal error U1077: 'link' : return code '0x1'
Stop.
NMAKE : fatal error U1077: '"C:\Program Files (x86)\Microsoft Visual Studio\2019\Professional\VC\Tools\MSVC\14.28.29333\bin\HostX86\x86\nmake.exe"' : return code '0x2'
Stop.
```
Any help will be much appreciated.
Thanks!
from pqcrypto-vpn.
Kevin,
Ok finally managed to surpass this error by using the commands I mentioned within my quick guide!
Best regards
from pqcrypto-vpn.
Kevin,
Yes, kind of a quick temporary patch! Looking forward to the next official PQCrypto release!
Best regards
from pqcrypto-vpn.