Hi,
I have used the Dockerfile of the nginx oqs-demo here to manually setup an OQC enabled NGINX server without the use of docker. I have generated a dilithium2 signed server certificate and referrenced it in the nginx.conf file. The certificate can be successfully retrieved using the s_client of the OQC fork of OpenSSL, doing the following:
<OpenSSL DIR>/apps/openssl s_client -connect //https:my-domain.com -curves <ALG> .

However, when i use the curl program provided in your image, using the command:
docker run -it openquantumsafe/curl curl -k https://my-domain.com --curves kyber512
I get the error: curl: (35) error:101310B0:elliptic curve routines:pkey_oqs_digestverify:verification failed.
Why might this be the case?

As per discussion in open-quantum-safe/openssl#311 the reference to the ID spreadsheet is stale and needs to be replaced once open-quantum-safe/openssl#311 or open-quantum-safe/openssl#313 have landed.

This issue is for the Wireshark demo:

While trying to use the Wireshark demo, I run the build.sh script only to find that the path on Wireshark's download server (at line 43) didn't find anything. The script declares ${WIRESHARK_VERSION}=3.4.9, so the correct URL should be the following:

https://2.na.dl.wireshark.org/src/all-versions/wireshark-${WIRESHARK_VERSION}.tar.xz

Probably Wireshark version 3.4.9 has moved from /src/ directory in the directory /src/all-versions/ in Wireshark's download server.

The image seems to work well but somehow connecting using the instruction from openssh/USAGE.md with oqs user and password oqs.pw did not work. I connected as root, did passwd oqs then was able to connect with the changed password via ssh@localhost.

Hello,
I want to integrate this fork of OpenSSL into the MQTT broker mosquitto. I already compiled both, and it works fine with the classical ciphers, as expected. Now I would like to use one of the PQ KEM in the handshake process. The MQTT client APIs that use OpenSSL (Paho, mosquitto) only allow to specified the ciphers to use (e.g., ECDHE-ECDSA-AES128-SHA), but give no option for groups or curves, used in the example opnessl s_client given, and in other integrations (Chromium). Any suggestions of what can I do?

Thanks in advance.

Visiting https://test.openquantumsafe.org:6007/ using https://github.com/open-quantum-safe/oqs-demos/releases/download/0.7.0/chromium-ubuntu-0.7.0.tgz gives a ERR_SSL_VERSION_OR_CIPHER_MISMATCH error. Same for https://test.openquantumsafe.org:6010/ with the assumption of using P256_NTRU_HPS2048509. Maybe the paragraph with "Therefore, only the following hybrid algorithms will work" could directly link to the right port with matching working (hybrid) algorithms?

Based on work by Igor Barshteyn create a demo integrating OQS crypto into QUIC in the form of 2 docker images:

• server: quic-enabled nginx
• client: msquic

The docker images shall support all plain and hybrid KEM and signature QSC algorithm combinations and run both in local docker networks as well as on cloud hosts permitting performance evaluation of all QSC algorithm (combinations).

Similar to our OpenSSH demo Docker images

• Contain algorithm/port mapping
• Warn about mapping to change
• Use for outputting (performance) test results

Hello OQS team,

I would like to test our crypto+TLS implementation of hybrid-PQ against a different implementation. I think, testing against test.openquantumsfe.org would be ideal (as it means 0 setup cost). The goal is to verify the code functionally and look for "unknown-unkonwns".
Is it OK to shoot TLS client hello's into ports 6007 (kyber512) and 6045 (ecdh/p256-kyber512) for a couple of days?

Hello,

I've already contacted @baentsch regarding this issue, and it might be helpful to post it.

Here is the problem: we've created the following certificate chain:

The root certificate has been imported into Chromium successfully. The website https://dilithium2.webhop.me (IPv6 Only) supports frodo640aes:ntru_hps2048509:bikel1:hqc128:p256_lightsaber:p256_sikep434:p256_sidhp434 key exchange algorithms and is accessible (we checked with OQS-cURL).

What We Expect:
Since the root certificate has been installed and the verification of root certificate - intermediate certificate chain doesn't require any OQS-enabled library, the website should be accessible in Chromium.

What Actually Happened:
Chromium returned two errors:

[10842:10862:1231/225648.339848:ERROR:ssl_client_socket_impl.cc(959)] handshake failed; returned -1, SSL error code 1, net_error -113
[10842:10862:1231/225648.343227:ERROR:ssl_client_socket_impl.cc(959)] handshake failed; returned -1, SSL error code 1, net_error -207

We further found that Chromium failed to verify the root certificate - intermediate certificate chain, but it succeeded in verifying the intermediate certificate - leaf certificate chain.

We tried to add the intermediate certificate to Chromium; nonetheless, we got the same error as #92.

Any ideas why this happened?

p.s. Wish everyone a joyful New Year! ☺️

Working around default algorithm list reduction & enabling same capabilities as in nginx and apache httpd.

Hi
After running the last command of Nginx I am getting the following output. Please help.

C:\Users\openssl-OQS-OpenSSL_1_1_1-stable\nginx> docker exec oqs-nginx /opt/openssl/apps/openssl s_client -CAfile CA.crt -curves oqs_kem_default -connect localhost:4433
0:error:14094410:SSL routines:ssl3_read_bytes:sslv3 alert handshake failure:ssl/record/rec_layer_s3.c:1544:SSL alert number 40
CONNECTED(00000003)

no peer certificate available

No client certificate CA names sent

SSL handshake has read 7 bytes and written 9909 bytes
Verification: OK

New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)

I saw that the oqs-demos repo offers a number of integrations of OQS-OpenSSL with client-server style applications.
My question is if there is any (current or futurely planned) example of integration with an open source peer-to-peer protocol to evaluate how the post-quantum migration impacts other networking paradigms?

Continuing the discussion from here

I see a warning about a weak key: ERR_CERT_WEAK_KEY, when connecting to test servers.

It’s happening with all signature algorithms supported by OQS-enabled Chromium build 0.4.0, except ecdsap256 and rsa3072. The secure connection symbol is missing on server page.

Also the "subject public key" field in certificate details is empty.

Why does Chromium display that field incorrectly? What could be the problem and how to solve it?

Hi,

I have followed the instructions within the oqs-demos repository to build an OQS-enabled chromium and an OQS-enabled httpd server.

I found out that due to the chromium currently doesn't support curves option like the command line, it will use the default algorithm when I issue a HTTP request to my httpd server from it.
So if I configure my server only support algorithm "kyber512", the chromium will return the error page as shown below.

I have read the implementation notes of the BoringSSL saying that the client can use the SSL_CTX_set1_curves_list call to override this. But I can't find any instructions about how to actually do this.

Is that possible can anyone provide some information or instructions about how to do this?

Kind regards,

Ray

I would like to benchmark the performance of OQS enabled server. But it turns out the openssl s-time returns the performance of user secs which I assume it is mainly on the client side.
I wonder will the OQS-NGINX server supports wrk or wrk2.
Or is there any other benchmarking tools could be used to test the server?

Completing the discussion from here this issue is to suggest creating

• documentation how to integrate liboqs and oqs-openssl into and use this functionality easily from within python
• a ready-to run docker image (with separate build and run instructions) already encoding this documentation
• a patch for upstream python to enable setting TLS1.3 groups via API calls (into SSL_CTX_set1_groups_list)
• working on bringing this patch into upstream python ssl module

@LeShadow : As discussed, please feel free to amend and/or work on this.

Hello,

I am currently trying to use the quantum-safe Chromium (0.5.0) build as a client to connect to the OQS haproxy container using its default certificate generation settings (the default signature algorithm used is dilithium3 according to this page: https://github.com/open-quantum-safe/oqs-demos/tree/main/haproxy). I tried to load the CA certificate from the haproxy container into Chromium but got the following error:

I have verified that I am able to use Curl with this certificate for authentication to access the haproxy, so it is not an issue with the certificate.

It appears that I obtain this error when I try to install certificates that use quantum-safe digital signature algorithms. For example, making use of the OQS fork of OpenSSL contained within the Curl container, I run the following command with <SIG_ALGO> = dilithium2, dilithium3, RSA, and falcon512:

docker run -v pwd:/opt/tmp -it openquantumsafe/curl openssl req -x509 -new -newkey <SIG_ALGO> -keyout /opt/tmp/CA.key -out /opt/tmp/CA.crt -nodes -subj "/CN=oqstest CA" -days 365

The certificates that used dilithium2, dilithium3, and falcon512 failed to load, but the certificate that used RSA loaded just fine.

Any help is appreciated!

Here is the certificate that I grabbed from within the haproxy container:

-----BEGIN CERTIFICATE-----
MIIVejCCCIWgAwIBAgIUAepY4WbwHzFTZHk5LX1YZEhPzzcwDQYLKwYBBAECggsH
BgUwFTETMBEGA1UEAwwKb3FzdGVzdCBDQTAeFw0yMTA2MjIxNjAxMDdaFw0yMjA2
MjIxNjAxMDdaMBUxEzARBgNVBAMMCm9xc3Rlc3QgQ0Ewgge0MA0GCysGAQQBAoIL
BwYFA4IHoQBVwCWhM80rjUCbrPOId2aPoiV3mfNDQoNXvieqvCCCRAz8HQUNLfY5
jlLC74xCSXOTY802dlLx/B3d7yeddNTTCnyk8PDVBRRrcobru7xQ3DiEX1rlD6fU
u8XD+YiHRcAVGkJ+O9TA4Tcshgj2J8DIUWNVFoiiAnkv0OnRAf+BmO0pVv11b0kK
oszV8ldDSwKWyEFRZZ/eKGTx7j/DNLlCkk6j8ybHr1m5G9el0FhzmL0IZ9ShFZby
ffEYgYNPRAo+HZb6S5y9cjP7Xj7VRhjQ5Y6+Y5zJaw/0x4dtCHSsOrftU+eaEHSi
irqZjf5HJhwHz9srgcJe4kbKNrzlmY2Pvx5f1tVLLm3LfIv1i6uUkvI+SjbRPrIv
UsTZQk0r40krWk7LJjhFuweyjbyrVQFitfZRmKOazm9em4Gvkxg1FUiuZW2MnVYD
8SohlUocrj7r34asbD8OLL+E35gasgUKdGZiCdVFjL8USuMRPekslbSLan7qs5yz
fwoAZjT5mWVWLJtrwXD4gH0dSllUnAcxxsf2eEeot2wOeaSs7l5DWnBgts/blpXn
mKZxx+GBFU/18zxfytl8n2qMD3BduEJRVVUrug1lNhjjMl3lkDuRHzkemkBCTFwg
aCs7/NqVBPsL0g8HE+sokml84cRoHNFPzOEcnTo/5iLBRiLfhWEC6vS+01f3EC+L
Ozi+TzZiiwiTIJzY1tJWgp7tM5WFXsWeIVfk9IPaDZbsfus9AwAiAOQJbkOan6Zx
ePMwTdYo9NKYBuw9ckzcOk2sY4QfhFYx2c25kGxDZkVGVzRQ9VLfKZUANgBr0fGv
GLpVlgSYMv+8hGB/iVJuQ6sEl7jI7AmSxKIDYrjbEEeVHP9tvew7EuMhJr2s4M5n
yjVj+bRKFz/eyGphm1mDU3iuYE6s0LWH/Ayqdl7yZ/hLvu7yPRLGzgADRv7jZSYl
mNzCCQM/HGh103wUOGbat8zSqYBKiC6i7clyLEmXQnmiFR0ZoFxnL6qteXjLLffj
vReD8WWn1mC/2BheJfTpWg5UmzJhIPUHk8gXCRKS6SYo2MvrCxvQb0Y1SHbb3s1V
n5nMjO+6Doz7yb0SdWNtR9p1I/fOyn/jD7ZLSZtsrMuPF/6l/kUGTwwXkPCuwyC8
fqC9AuakY1CwcFodFLOukzrdHAD3rhkk9CSgfHVoIgK5SYhZ8FoNri5V9W1rN/dG
yYjrHJFHxcWc9L1dwzvbWhhf3EsFZ0/4urmwAJjNFsc/aTkyrEc1km6MZxLmgurA
BU8sAL2qSlZDnQQ0VDdFzvz67wGNGJvLy71czsGWbR6HAq/E6bYmtDC0vwYvmPsS
kc5tcQzFLdwW2jTGmRXKRwAoQhSFAc1DnAUsMO1N8oT5Azbaw98yXEBehslCXglN
idrZs02U13xk/UkZbvebREuuY/fX6o5eXcENdy0di0tTEeNk3wgbaSSVtlGaOTOX
7i+8+n7rWGXVsPESkifmDyJPtHyQ/w5sZKRImKFdRw4HzyBkBQeJT8u7auVdm1Os
BsXoasK704TE25zHYzX1yRmOac9Z7Lw7rXC0mXFqPaibow0zBtZsyCyutL9lYMw6
lFjY0VmKpy/2OMIDyR7mz6WN6dcPbSaRU4/qYJ3PwW0LTyeo7Kmmai2VddcPq6Mq
1/PJhD0EuT0+s3DmVNO1Lr5lTulefBAHX8OKaRXydP5YIQ/jkr4UqApQw1vBUYP2
D31FwPO0UjcuQ7+REmfO8amUiVhJSKLncusBNSraKVTdo3zZo3mk/JY6zu+nv0fb
GXU3WSBOC4/wMs1hjVvfWLzvwgg9RM5f64SEFv7XGqjw06wNmTvua+moQi1eVNib
RPsNRKbTSdC2czq4zDZQ6XjZMRBMLnQ7DtoLxVweRn9woE75JhaDXlkJxLzU2roK
B8vlmxJ2B54VfVjo7q3LWttBb3dSovWJoIZ5MdktnV0hp2XSGHpzE41buydO4FpY
ElK4ckYieDRqkbdthOKIEdYNlGZFlJ1WauHpQBQyFsoOiMom4m/WcmxYkqVst86i
Jlbi8EuDXxSmpa/hTZj5PPhFLZuS5eSr1QInXY6SKMbD2/jDDdY5JBethv/kBZpP
g1NPe4bgXeJFLykQQJCApJSIaHrQFxytQUZdRWQy0AUQD6nxJ/Efu3GE7/SXnj9h
YzkHvqpCA9Biqs7qHCZhkTcTxKm9l8WQC4rEGcBPVzC1g5YIlGXa3N1SM0xNXYmP
qvIDXHZjEleVK8JuaB5YOT0SrazEpMmKckz0Vge1bB+dB3Rk1aB0xuFzoFNJbTx7
gahzZm0zcDRDkzAvEoWY6i3y94iP3/ewtlRefNdQRUc5av7+6dXSjisEF0ViPFIL
vTLTK9zhB7gRRa+yjDNP/xyUMfFOGTfzt6Td4JrW6KZnO3rm1tVD76SswsU/zPIA
IdZKjXo9UF62hiMnKTMfBYrgHTWpcdigF4eeTba0Q77cI3y2xGJr6BgDz8Chi/d4
TFH3cYyWoWGuQBPQgf2ScXUSD18pdhayQzpNe83b4erO9VUZGll6K3n53cQ7u5E1
ZyhW9heZALys3oDy7x9qjh5cA+G9GXsznfVpaZ4bq99wXo0Pbvh8DqNTMFEwHQYD
VR0OBBYEFOw5eLQtwcOYb/rCxX1quad/8ukdMB8GA1UdIwQYMBaAFOw5eLQtwcOY
b/rCxX1quad/8ukdMA8GA1UdEwEB/wQFMAMBAf8wDQYLKwYBBAECggsHBgUDggze
AAskMXI3a713Z6OrJMUd4OQd8g5RZ/oEnlgtOSpVhGVfPhfgEecFiCEiPQ2UZcHJ
4QK1/YtMbiFxPhXrZzsyUE3d/+dQhpu+jpgvlFwX3RCVSS9KMZeuA/ypVI6VetV+
MbDlUZib9NQBoUeO9H4Ni4WEOLFg0PZ8+dOcBWhk8NrUZI4I03NXTovHZNVkFhbw
J3yq6R4QNxaHB8iSK+KZ4CtOdpC/vuwxsSQcw5izFF5qHg2M+aYMzMkZIybUIlzw
Bbdg5aaVMlOsBd4k7nNLvPOyLTNKj/StDF+TnzCPaauIvnglfBqyUfLd0giJWwUL
IZ8trHZDPIBYHzHfCBZXSRJNRrLJKCoWmmJs97SBolpIrYiHLEQqy2PqROt+uXyL
fjSA95G71Inb1ULOBt6QvycN4rt/Lksg2CVF5SE2IhTYhpdytv9F6ZkMgHkfLdn/
lNtu81sMcaIe5gbIg53fqWwsmaDgAos+snXbocyuWzswE1BHQA9u7DeklIBh9JBT
b+MHLnp1r5UT0xMM5pk44j/5ITOXC5CeD+XD50IygoWrwbwR4jSNj0QCji8U4mV/
8qvdLhgFJPxuTWRwJCf1CrgWl8RBqAJtIAdCUiEvqGP77emuGeKoNV6qCv/uaegc
z/I74E8G50ztx4+KhhpMNLIoh7uU3j3/PmC8ZqGidGz7QN+W2gz9UGLw68/fI+al
c82iG0E4I6T0TqPT3oJ53WImCAK9hFyAQyd272+StbVLjcqRkADhUTbyYTqdHVau
WfOiCqC1vHse4qQt4uEPA5A18gMrwbrYFsaaPjp0ws8KPu72z5cD96qDJkxxP5DB
YDlb0352iElhsWRGoBlyT6QE9Nh+pGN6ynka6ExmRmXkv1M7DemKrEIO1inZalnG
uiZ6wXME6xPj3teqZz4GePUlqrqNGtDl1AhJQNiPBXaZzxnEn2xCpp3RhWxDeFYq
xurE6oPPMEZ2jltCv7lXvIxhewKVqguk6Htb6cPtyYfkDZWaZHX6VrRNiqxCFEkJ
jkt/JmKFkijd0Zx0vlVKFNKLm7ptRzWyWPG+Mk9cOmKDdnP0Jkl78s/I5HflVCUG
t/mPCbepsQLmHPzzSSaxTIIb6iEsIZxkuKonA00O7ZwuskBpVEFre6GeL2yULIEh
vcJWgNWJwwUczKsByr5diI4vwn0rRkBx1MsNwJHJ+zAGhgtT6IsvkK7g6+lRPebJ
XYWT9UkdD9Q8DvG20pkidFhL3VL5+JtITnOO8cKp41ZlpPP/7F0K5cf75AI9A/qy
o2XLXp7jv4kmoHsNOBledlk8BHPajLn8XJB+jx9Y0dsRVPmqDOJbpi/jMuRGJxo5
ObG6SzTXAD9ulcqcueQ+5hzAi7zAflxIUQ9iZ02ODYuM9eBU067pFnkCiuQJfPm/
y5v4RB4BE+6Sjc5Ymoti+wGYLXOGUJe2ls1GKaNTZZJnlf5XhnJ1SXtV0B+339gC
sxauyXeVlcBfc6Ug4kOuICZBkVqJux9FMAR8lEsMttmRNIA8UkBFtxnYAXnBKrgg
nF3mdHvuHQmsO4bLg36Kqgzza77ZNxX0Ggq/w60Eq/fOET+jk258OtHEvIglRH9L
qitOGA9QXJuJ5cm2XV9W+J+gjwMiRh2ZhjjqUHYZYUFI28n0J5Tdn3XLOVUxv5l1
Q6/T5XjDZEovqRr84+4GHBGN8HnXtMB/g6JuUwqLgsHiif6cLsMTDFtbxIhAL1j2
hKOTk9JfZ7lnJIA+LTEWrflHeSchICJUa4ZoY5jOnXVWBLq2ZlpgMVwiC4wJhcGq
2c0uAoxCKDiZIwcaWkEoVHP2CJFk1+vs19m2DVS60+mtG+2w+b+oqpBgtRcKT8wK
3BMOGJgkAau+XkCvJsK7gX57igBlM9xFRueCaedRWFBmNQ7LbesjDbUn825Whoy4
WRuBuPLgz6loKu1n96sog9kmZRjF3kmZyf5Y/zatpymvYaEIJgoob1AVwYnvmm4N
YZi7dZKOY9BHHOPYC6dnw/i+73aodeLhMCdc4PANgmhx4PC+hfmBZSzgFgM4g3E9
vBjZ26lxCMmVFHvNkA40tWr/xvFH8sF0TE3aCJojaZdMnxslKAS0Squh+EXJLwS3
WEuK/k4L30/KwxiQXgoieXQfPOXPaj5KCK/bmlrHU/auap/n08UmdoIC6mLb/a3b
Pj/+TMgiqTMf+IiFJPqAoJvFIq9TjlL1BwWRuR/mr81+xhlWcY5faNgPC8As9zlR
dq1Z5XyBqgJ92ctiaP1CkeQvda6fA03bLh0noiXbLC6rKpjunGgMpyozeZIxFhgS
WM6NWLYcfun5jbiFQWB/eCDXySZTq6uxed+Un9RdihNy7pTe50TUTBTBx6pNYVqA
pk6iCT5MUCeHfKZInMKsVBEeIe5HCd89rJ7qQN6eh3grDYrg2sR4E4O2MeFUoJYw
ID+zjqqtbi6yj5sKZSMtxvQuFgt6Ud/L654eaIFDUT/yPCliBDEhsia09osoS3wi
ChQPgD7M/enTPxMQWd1mltmFswHA9zj8WInMXeJPK1G6Z5yTw4fTKDT0w5k4onqj
h2n97K41pEUsXTxkghptyRcyWkr85rHEoK+HITmkwMD1CGXklw/ETrrnNU+/1xmt
5MKiU9qsCZfDTzVeBP/RooKpd4YrSYFMugbmrRfPFNM/gwNFwycD5xlKQ5NkEDsb
Q86ImNXJdXdWqrHX3Ilb9eSSzkl1wSR2ollZLZ7BjDb4fUvuMHNt4tNK3YOCvERx
yNw+NxPnP7KWBKVGrt/23Nq4GeXn1QbfMsq07GzgMTWMaSezcXHpq7gsME9oD9fy
mc528pA8osHv5ug1hbUpohiEi/ynf2zZ7lZs3wCv5kHKnHsge+zP430/EwGiFhHe
cV1xPdv5OgYi7QtJJkcp9gJ4ifa3dREN3XsDXhNFQFmBCO4xvFgM+96SLhpVztZN
R1zWzPwTKJz4WXGNVhilmQALYXYyC+jGaL6ouJGM4xEN1/0WW9m7dREqOVFRzcbz
Px/3nB5Y/XQLb+aWutmMiMPt60C3U2lfqdmPBMNa7Mmw9zOxO5Rbp5OBcHB82yTJ
GH4yW77v7NXHmGn5zTzHjsATP6/opz/pHAc2i/uft7zN4AtQJ3ecik5/hEIM+2CD
N4SpdcG3+ZGfHLXQhrW+bSR9hFm+3xSzDRFb9rEyHCKBC9eUZgtyzXL0/vJN5IvC
0Wv6vjIU0b3eO2/2uzlNwxSFxKwx5y49kphY1srVtyFDyhXRpi76U3p4e8CZ2rJZ
kI3MtQpy51PHwx4Yv7emb4kHEAGOF/WGxu/2UGk1boSVFcmKe4lWR1xEGMQC16UD
aYVM7E0iTxtqG0gqkpsNfVcxFjHP7ygQeYFF65coq+i4cbSUIcta0RCAWqNGiMdz
BQuOe7mv8+byzFR0rltu5op7AViIRx5afWGEI3SBaOabLIm6B5VKke0ueqtkL2Ey
dQ6Y/wb37o0CCPzKJRIHN74OCaA0VhvD89vHumQCaI3EgQZmw0MY/87wvMN+DqPn
gLVDAXHGOdwq8uHtkyYdNvWCd6KOgrFoAAk4Z3NdcQRgKjuZ4iklaRHseHbI8b3D
DiNWF7De1BnzRKXB4osrFvn2yjW1elMuu1MhUPqyUrLzIvk3nmTGGoCY/3GI0/vM
vr8td39pa6Nw4A07wFAe9IlX3pcBbXy1nptx3fVwTnA+kq2MW4eLzUIZ4dIycNx5
PdGO6fCXvB8ifJ4Ng4GhznZYoWuYwrro3KhE4YGaTc0oIQbwqFFSJ/KIQ46IZhNy
KCHYuXmj6pG3UulyrgME/cRTKWL+SVff8RguHXMTB2HU46lB6KbI/ZwyEaK7aD36
N21SW1hMjeBwErZZVC9v61tXeRDVVDrjA9OvgopwIkhkl13n7GC5HTNZzw+sM3Rr
RthrYTCoST3XfQ/J/Wuagga5Gm+4g9VQS3IaCQen+3ETJn5HtiKYcWcwlc/Mf9rg
u27Zg1SZ3F4Nq/3FN0LN8FMGbqODDQck4Z0rCeay3kj4pjW5J92AwfJU3/5Rlolm
SyOwX3hQhV0jTVohC2lchILpb/ol6VlUeI1hhyQzCrshlKSJy7r2ntTLqtxKlB43
RuQ5l8lbNyH/XAfMC6xmV44VsWcZ52mP1ugIO7ifTU1UZyPtfhG9K380tG73Ymqi
FqucW6G7j7VF5Mr7mq3bSPcYHAX2yQjEZbI31wH/31Lp9S/kRMgZqgrLr7vJg5Pd
aK2T8E3ujsh/uO8MEuIs4tcf7EVhwZ7kIgrBMMMRGqx9fXKELyyHv5vwFGNSRjT1
n8jSJAfJ3ItBo1HX1N40yRIkMnGaorO33fMqhJTC2Py2wlJajJOY4LE0Pj/j7wAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAACQ8RFxgd
-----END CERTIFICATE-----

Would it be an idea to create a BoringSSL-based curl image, too? This might make interop testing easier (ensuring matching curve config files, e.g.). I'd be happy to do that, probably building on the present curl version (using openssl to create certs if bssl doesn't have that). I'd give it a try using the new curl-dev image #29 . Side benefit: I'd learn a bit about using BoringSSL...

@xvzcf : Sensible? Useless? Any comment welcome.

Depends on #45

My system

iMac 2010, Ubuntu LTS 18.04

What I tried

docker build -t oqs-curl .

What happened

building openssl fails

crypto/ec/oqs_meth.c: In function 'get_oqs_alg_name':
crypto/ec/oqs_meth.c:324:14: error: 'OQS_KEM_alg_hqc_128_1_cca2' undeclared (first use in this function); did you mean 'OQS_KEM_alg_hqc_128'?
  324 |       return OQS_KEM_alg_hqc_128_1_cca2;
      |              ^~~~~~~~~~~~~~~~~~~~~~~~~~
      |              OQS_KEM_alg_hqc_128
crypto/ec/oqs_meth.c:324:14: note: each undeclared identifier is reported only once for each function it appears in
crypto/ec/oqs_meth.c:327:14: error: 'OQS_KEM_alg_hqc_192_1_cca2' undeclared (first use in this function); did you mean 'OQS_KEM_alg_hqc_192'?
  327 |       return OQS_KEM_alg_hqc_192_1_cca2;
      |              ^~~~~~~~~~~~~~~~~~~~~~~~~~
      |              OQS_KEM_alg_hqc_192
crypto/ec/oqs_meth.c:330:14: error: 'OQS_KEM_alg_hqc_192_2_cca2' undeclared (first use in this function); did you mean 'OQS_KEM_alg_hqc_192'?
  330 |       return OQS_KEM_alg_hqc_192_2_cca2;
      |              ^~~~~~~~~~~~~~~~~~~~~~~~~~
      |              OQS_KEM_alg_hqc_192
gcc  -I. -Iinclude -fPIC -pthread -m64 -Ioqs/include -Wa,--noexecstack -Wall -O3 -DOPENSSL_USE_NODELETE -DL_ENDIAN -DOPENSSL_PIC -DOPENSSL_CPUID_OBJ -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DKECCAK1600_ASM -DRC4_ASM -DMD5_ASM -DAESNI_ASM -DVPAES_ASM -DGHASH_ASM -DECP_NISTZ256_ASM -DX25519_ASM -DPOLY1305_ASM -DOPENSSLDIR="\"/opt/oqssa/ssl\"" -DENGINESDIR="\"/opt/oqssa/lib/engines-1.1\"" -DNDEBUG -DOQS_DEFAULT_GROUPS=p384_kyber768:X25519:kyber768 -MMD -MF crypto/engine/eng_cnf.d.tmp -MT crypto/engine/eng_cnf.o -c -o crypto/engine/eng_cnf.o crypto/engine/eng_cnf.c
crypto/ec/oqs_meth.c:333:14: error: 'OQS_KEM_alg_hqc_256_1_cca2' undeclared (first use in this function); did you mean 'OQS_KEM_alg_hqc_256'?
  333 |       return OQS_KEM_alg_hqc_256_1_cca2;
      |              ^~~~~~~~~~~~~~~~~~~~~~~~~~
      |              OQS_KEM_alg_hqc_256
crypto/ec/oqs_meth.c:336:14: error: 'OQS_KEM_alg_hqc_256_2_cca2' undeclared (first use in this function); did you mean 'OQS_KEM_alg_hqc_256'?
  336 |       return OQS_KEM_alg_hqc_256_2_cca2;
      |              ^~~~~~~~~~~~~~~~~~~~~~~~~~
      |              OQS_KEM_alg_hqc_256
crypto/ec/oqs_meth.c:339:14: error: 'OQS_KEM_alg_hqc_256_3_cca2' undeclared (first use in this function); did you mean 'OQS_KEM_alg_hqc_256'?
  339 |       return OQS_KEM_alg_hqc_256_3_cca2;
      |              ^~~~~~~~~~~~~~~~~~~~~~~~~~
      |              OQS_KEM_alg_hqc_256
make[1]: *** [Makefile:3174: crypto/ec/oqs_meth.o] Error 1
make[1]: *** Waiting for unfinished jobs....
make[1]: Leaving directory '/opt/ossl-src'
make: *** [Makefile:174: all] Error 2
The command '/bin/sh -c LDFLAGS="-Wl,-rpath -Wl,${INSTALLDIR}/lib" ./config shared ${OPENSSL_BUILD_DEFINES} --prefix=${INSTALLDIR} &&     make ${MAKE_DEFINES} && make install;' returned a non-zero code: 2

Comments

Last week it worked without throwing this error. Hope that you can help me fix it.

Hello Team,

i am building chromium server inside docker with taking the image of ubuntu. I am able to do the handshake with boring SSL.
Now, i am at step 0 and not able to run the below command
$ ./build/install-build-deps.sh.
The install-build-deps.sh file is present in the build folder but on running it , it throws the error :invalid option.
please help how to run this shell script.

The wireshark container is way too large for sensible use (3.58G) and could need some "trimming down". Anyone using it for real, please upvote this issue for resolution :-)

I tried connecting to the Open Quantum Safe test server on Internet using Chrome browser and traditional curl without any modification for Quantum safe algorithms.

My assumption is that the chrome browser and traditional curl are Non-hybrid-aware clients and hence the Open Quantum Safe test server should establish a traditional, non-PQ, connection.

I cycled through all the ports of the Open Quantum Safe test server. But traditional curl could not connect to any of the ports.

Is my assumption about hybrid model wrong? Can traditional chrome and curl (clients unaware of PQ algos) not connect to Open Quantum Safe test server?

Hello Team,

I have built the keys using curl and nginx but i am not able to shocase the demo in the same way i was able to do in the TLS and CMS demo.
Can you please provide the elaborated method to do the same.
Below are the result set , I have received in curl, nginx and httpd.
I am using Windows 10 and installed docker on top of it.

Curl :
$

s_server -cert /opt/test/server.crt -key /opt/test/server.key -curves kyber512 -www -tls1_3 -accept localhost:4433
Secure Renegotiation IS supported
Ciphers supported in s_server binary
TLSv1.3    :TLS_AES_256_GCM_SHA384    TLSv1.3    :TLS_CHACHA20_POLY1305_SHA256
TLSv1.3    :TLS_AES_128_GCM_SHA256    TLSv1.2    :ECDHE-ECDSA-AES256-GCM-SHA384
TLSv1.2    :ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2    :DHE-RSA-AES256-GCM-SHA384
TLSv1.2    :ECDHE-ECDSA-CHACHA20-POLY1305 TLSv1.2    :ECDHE-RSA-CHACHA20-POLY1305
TLSv1.2    :DHE-RSA-CHACHA20-POLY1305 TLSv1.2    :ECDHE-ECDSA-AES128-GCM-SHA256
TLSv1.2    :ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2    :DHE-RSA-AES128-GCM-SHA256
TLSv1.2    :ECDHE-ECDSA-AES256-SHA384 TLSv1.2    :ECDHE-RSA-AES256-SHA384
TLSv1.2    :DHE-RSA-AES256-SHA256     TLSv1.2    :ECDHE-ECDSA-AES128-SHA256
TLSv1.2    :ECDHE-RSA-AES128-SHA256   TLSv1.2    :DHE-RSA-AES128-SHA256
TLSv1.0    :ECDHE-ECDSA-AES256-SHA    TLSv1.0    :ECDHE-RSA-AES256-SHA
SSLv3      :DHE-RSA-AES256-SHA        TLSv1.0    :ECDHE-ECDSA-AES128-SHA
TLSv1.0    :ECDHE-RSA-AES128-SHA      SSLv3      :DHE-RSA-AES128-SHA
TLSv1.2    :RSA-PSK-AES256-GCM-SHA384 TLSv1.2    :DHE-PSK-AES256-GCM-SHA384
TLSv1.2    :RSA-PSK-CHACHA20-POLY1305 TLSv1.2    :DHE-PSK-CHACHA20-POLY1305
TLSv1.2    :ECDHE-PSK-CHACHA20-POLY1305 TLSv1.2    :AES256-GCM-SHA384
TLSv1.2    :PSK-AES256-GCM-SHA384     TLSv1.2    :PSK-CHACHA20-POLY1305
TLSv1.2    :RSA-PSK-AES128-GCM-SHA256 TLSv1.2    :DHE-PSK-AES128-GCM-SHA256
TLSv1.2    :AES128-GCM-SHA256         TLSv1.2    :PSK-AES128-GCM-SHA256
TLSv1.2    :AES256-SHA256             TLSv1.2    :AES128-SHA256
TLSv1.0    :ECDHE-PSK-AES256-CBC-SHA384 TLSv1.0    :ECDHE-PSK-AES256-CBC-SHA
SSLv3      :SRP-RSA-AES-256-CBC-SHA   SSLv3      :SRP-AES-256-CBC-SHA
TLSv1.0    :RSA-PSK-AES256-CBC-SHA384 TLSv1.0    :DHE-PSK-AES256-CBC-SHA384
SSLv3      :RSA-PSK-AES256-CBC-SHA    SSLv3      :DHE-PSK-AES256-CBC-SHA
SSLv3      :AES256-SHA                TLSv1.0    :PSK-AES256-CBC-SHA384
SSLv3      :PSK-AES256-CBC-SHA        TLSv1.0    :ECDHE-PSK-AES128-CBC-SHA256
TLSv1.0    :ECDHE-PSK-AES128-CBC-SHA  SSLv3      :SRP-RSA-AES-128-CBC-SHA
SSLv3      :SRP-AES-128-CBC-SHA       TLSv1.0    :RSA-PSK-AES128-CBC-SHA256
TLSv1.0    :DHE-PSK-AES128-CBC-SHA256 SSLv3      :RSA-PSK-AES128-CBC-SHA
SSLv3      :DHE-PSK-AES128-CBC-SHA    SSLv3      :AES128-SHA
TLSv1.0    :PSK-AES128-CBC-SHA256     SSLv3      :PSK-AES128-CBC-SHA
---
Ciphers common between both SSL end points:
TLS_AES_256_GCM_SHA384     TLS_CHACHA20_POLY1305_SHA256 TLS_AES_128_GCM_SHA256
ECDHE-ECDSA-AES256-GCM-SHA384 ECDHE-RSA-AES256-GCM-SHA384 DHE-RSA-AES256-GCM-SHA384
ECDHE-ECDSA-CHACHA20-POLY1305 ECDHE-RSA-CHACHA20-POLY1305 DHE-RSA-CHACHA20-POLY1305
ECDHE-ECDSA-AES128-GCM-SHA256 ECDHE-RSA-AES128-GCM-SHA256 DHE-RSA-AES128-GCM-SHA256
ECDHE-ECDSA-AES256-SHA384  ECDHE-RSA-AES256-SHA384    DHE-RSA-AES256-SHA256
ECDHE-ECDSA-AES128-SHA256  ECDHE-RSA-AES128-SHA256    DHE-RSA-AES128-SHA256
ECDHE-ECDSA-AES256-SHA     ECDHE-RSA-AES256-SHA       DHE-RSA-AES256-SHA
ECDHE-ECDSA-AES128-SHA     ECDHE-RSA-AES128-SHA       DHE-RSA-AES128-SHA
AES256-GCM-SHA384          AES128-GCM-SHA256          AES256-SHA256
AES128-SHA256              AES256-SHA                 AES128-SHA
Signature Algorithms: ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:Ed25519:Ed448:OQS Default Signature Algorithm:ECDSA p256 - OQS Default Signature Algorithm:RSA3072 - OQS Default Signature Algorithm:Dilithium-2:ECDSA p256 - Dilithium-2:RSA3072 - Dilithium-2:Dilithium-3:Dilithium-4:ECDSA p384 - Dilithium-4:Picnic L1 FS:ECDSA p256 - Picnic L1 FS:RSA3072 - Picnic L1 FS:Picnic2 L1 FS:ECDSA p256 - Picnic2 L1 FS:RSA3072 - Picnic2 L1 FS:qTesla-I-p:ECDSA p256 - qTesla-I-p:RSA3072 - qTesla-I-p:qTESLA-p-III:ECDSA p384 - qTESLA-p-III:RSA-PSS+SHA256:RSA-PSS+SHA384:RSA-PSS+SHA512:RSA-PSS+SHA256:RSA-PSS+SHA384:RSA-PSS+SHA512:RSA+SHA256:RSA+SHA384:RSA+SHA512:ECDSA+SHA224:ECDSA+SHA1:RSA+SHA224:RSA+SHA1:DSA+SHA224:DSA+SHA1:DSA+SHA256:DSA+SHA384:DSA+SHA512
Shared Signature Algorithms: ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:Ed25519:Ed448:OQS Default Signature Algorithm:ECDSA p256 - OQS Default Signature Algorithm:RSA3072 - OQS Default Signature Algorithm:Dilithium-2:ECDSA p256 - Dilithium-2:RSA3072 - Dilithium-2:Dilithium-3:Dilithium-4:ECDSA p384 - Dilithium-4:Picnic L1 FS:ECDSA p256 - Picnic L1 FS:RSA3072 - Picnic L1 FS:Picnic2 L1 FS:ECDSA p256 - Picnic2 L1 FS:RSA3072 - Picnic2 L1 FS:qTesla-I-p:ECDSA p256 - qTesla-I-p:RSA3072 - qTesla-I-p:qTESLA-p-III:ECDSA p384 - qTESLA-p-III:RSA-PSS+SHA256:RSA-PSS+SHA384:RSA-PSS+SHA512:RSA-PSS+SHA256:RSA-PSS+SHA384:RSA-PSS+SHA512:RSA+SHA256:RSA+SHA384:RSA+SHA512:ECDSA+SHA224:ECDSA+SHA1:RSA+SHA224:RSA+SHA1
Supported Elliptic Groups: kyber512
Shared Elliptic groups: kyber512
---
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
SSL-Session:
    Protocol  : TLSv1.3
    Cipher    : TLS_AES_256_GCM_SHA384
    Session-ID: BC842CFAE63738AE998BC2A1EC0608FC457A7382F331AB9D1FDE363F8364DD20
    Session-ID-ctx: 01000000
    Resumption PSK: 94234BE186149FC4C8462848DEEB4232CFBE0335A2C03F3C4304DDBA43C3B127FE1DC4B1D1CC7FBA656978B674021F8F
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1588071105
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
    Extended master secret: no
    Max Early Data: 0
---
   0 items in the session cache
   0 client connects (SSL_connect())
   0 client renegotiates (SSL_connect())
   0 client connects that finished
   1 server accepts (SSL_accept())
   0 server renegotiates (SSL_accept())
   1 server accepts that finished
   0 session cache hits
   0 session cache misses
   0 session cache timeouts
   0 callback cache hits
   0 cache full overflows (128 allowed)
---
no client certificate available

I have recied this how to connect this reult with API so that i can view the working model of cryptography,

Nginx:
On browsing the site https://localhost:4433

httpd:
Subject=CN = httpd.demo.openquantumsafe.or
issuer=CN = oqstest CA

No client certificate CA names sent
Peer signature type: qTesla-I-p
Server Temp Key: saber

SSL handshake has read 21667 bytes and written 1365 bytes
Verification error: unable to verify the first certificate

New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Server public key is 119040 bit
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 21 (unable to verify the first certificate)

Hello,

I am trying to install the QUIC docker server and client for testing purposes. I am having issues with the Docker client execution.

Error:

make[2]: Leaving directory '/root/msquic/build/linux/x64_openssl'
[ 98%] Built target msquictest
make[1]: Leaving directory '/root/msquic/build/linux/x64_openssl'
make: *** [Makefile:141: all] Error 2
CMake-Execute: /root/msquic/scripts/build.ps1:449
Line |
449 | CMake-Execute $Arguments
| ~~~~~~~~~~~~~~~~~~~~~~~~
| [02/18/2022 21:42:39] CMake exited with status code 2

The command '/bin/sh -c pwsh /root/msquic/scripts/build.ps1 -Config Debug -Arch x64 -Tls openssl' returned a non-zero code: 1

I have seen this error on msquic's website and they ask to use: git submodule update --init --recursive
Not sure exactly where in the client code to add this.

Hi, thanks for the awesome work on developing the LibOQS.
I was building nginx Ingress-controller to deploy it on the GKE.
I used the nginx (oqs-demo) to build the nginx-ingres controller image.

But when I deploy it , says the following error:
Error creating TemplateExecutor: open nginx-plus.tmpl: no such file or directory.

Thanks

I get the following error when compiling OQS-OpenSSL, any idea what it could mean (i have pulled the latest version):

/usr/bin/ld: /opt/openssl/.openssl/lib/libssl.a(s3_lib.o): in function ssl3_clear':
s3_lib.c:(.text+0x51b): undefined reference to OQS_KEM_free' /usr/bin/ld: /opt/openssl/.openssl/lib/libssl.a(extensions_clnt.o): in function tls_construct_ctos_key_share':
extensions_clnt.c:(.text+0x19fa): undefined reference to OQS_KEM_new' /usr/bin/ld: extensions_clnt.c:(.text+0x1a87): undefined reference to OQS_KEM_keypair'
/usr/bin/ld: extensions_clnt.c:(.text+0x1b35): undefined reference to OQS_MEM_secure_free' /usr/bin/ld: extensions_clnt.c:(.text+0x1b3f): undefined reference to OQS_MEM_insecure_free'
/usr/bin/ld: extensions_clnt.c:(.text+0x1b62): undefined reference to OQS_KEM_free' /usr/bin/ld: /opt/openssl/.openssl/lib/libssl.a(extensions_clnt.o): in function tls_parse_stoc_key_share':
extensions_clnt.c:(.text+0x4202): undefined reference to OQS_KEM_decaps' /usr/bin/ld: extensions_clnt.c:(.text+0x4317): undefined reference to OQS_MEM_secure_free'
/usr/bin/ld: extensions_clnt.c:(.text+0x4335): undefined reference to OQS_MEM_secure_free' /usr/bin/ld: extensions_clnt.c:(.text+0x4353): undefined reference to OQS_KEM_free'
/usr/bin/ld: extensions_clnt.c:(.text+0x477d): undefined reference to OQS_KEM_new' /usr/bin/ld: /opt/openssl/.openssl/lib/libssl.a(extensions_srvr.o): in function tls_parse_ctos_key_share':
extensions_srvr.c:(.text+0x1708): undefined reference to OQS_KEM_new' /usr/bin/ld: /opt/openssl/.openssl/lib/libssl.a(extensions_srvr.o): in function tls_construct_stoc_key_share':
extensions_srvr.c:(.text+0x4431): undefined reference to OQS_KEM_new' /usr/bin/ld: extensions_srvr.c:(.text+0x447c): undefined reference to OQS_KEM_encaps'
/usr/bin/ld: extensions_srvr.c:(.text+0x45c4): undefined reference to OQS_MEM_secure_free' /usr/bin/ld: extensions_srvr.c:(.text+0x45cc): undefined reference to OQS_KEM_free'
/usr/bin/ld: extensions_srvr.c:(.text+0x4891): undefined reference to OQS_MEM_secure_free' /usr/bin/ld: extensions_srvr.c:(.text+0x489c): undefined reference to OQS_KEM_free'
/usr/bin/ld: /opt/openssl/.openssl/lib/libssl.a(t1_lib.o): in function nid_cb': t1_lib.c:(.text+0x234): undefined reference to OQS_KEM_alg_is_enabled'
/usr/bin/ld: /opt/openssl/.openssl/lib/libcrypto.a(oqs_meth.o): in function pkey_oqs_digestverify': oqs_meth.c:(.text+0x13d): undefined reference to OQS_SIG_verify'
/usr/bin/ld: /opt/openssl/.openssl/lib/libcrypto.a(oqs_meth.o): in function pkey_oqs_digestsign': oqs_meth.c:(.text+0x47b): undefined reference to OQS_SIG_sign'
/usr/bin/ld: extensions_srvr.c:(.text+0x45c4): undefined reference to OQS_MEM_secure_free' /usr/bin/ld: extensions_srvr.c:(.text+0x45cc): undefined reference to OQS_KEM_free'
/usr/bin/ld: extensions_srvr.c:(.text+0x4891): undefined reference to OQS_MEM_secure_free' /usr/bin/ld: extensions_srvr.c:(.text+0x489c): undefined reference to OQS_KEM_free'
/usr/bin/ld: /opt/openssl/.openssl/lib/libssl.a(t1_lib.o): in function nid_cb': t1_lib.c:(.text+0x234): undefined reference to OQS_KEM_alg_is_enabled'
/usr/bin/ld: /opt/openssl/.openssl/lib/libcrypto.a(oqs_meth.o): in function pkey_oqs_digestverify': oqs_meth.c:(.text+0x13d): undefined reference to OQS_SIG_verify'
/usr/bin/ld: /opt/openssl/.openssl/lib/libcrypto.a(oqs_meth.o): in function pkey_oqs_digestsign': oqs_meth.c:(.text+0x47b): undefined reference to OQS_SIG_sign'
/usr/bin/ld: /opt/openssl/.openssl/lib/libcrypto.a(oqs_meth.o): in function oqs_free': oqs_meth.c:(.text+0x325e): undefined reference to OQS_SIG_free'
/usr/bin/ld: /opt/openssl/.openssl/lib/libcrypto.a(oqs_meth.o): in function oqs_key_init': oqs_meth.c:(.text+0x3822): undefined reference to OQS_SIG_alg_is_enabled'
/usr/bin/ld: oqs_meth.c:(.text+0x382e): undefined reference to OQS_SIG_new' /usr/bin/ld: oqs_meth.c:(.text+0x3968): undefined reference to OQS_SIG_free'
/usr/bin/ld: /opt/openssl/.openssl/lib/libcrypto.a(oqs_meth.o): in function pkey_oqs_keygen': oqs_meth.c:(.text+0x3b09): undefined reference to OQS_SIG_free'
/usr/bin/ld: oqs_meth.c:(.text+0x3c28): undefined reference to OQS_SIG_keypair' /usr/bin/ld: /opt/openssl/.openssl/lib/libcrypto.a(oqs_meth.o): in function oqs_priv_decode':
oqs_meth.c:(.text+0x40ae): undefined reference to OQS_SIG_free' /usr/bin/ld: /opt/openssl/.openssl/lib/libcrypto.a(oqs_meth.o): in function oqs_pub_decode':
oqs_meth.c:(.text+0x445e): undefined reference to OQS_SIG_free' /usr/bin/ld: /opt/openssl/.openssl/lib/libcrypto.a(oqs_meth.o): in function OQSKEM_options':
oqs_meth.c:(.text+0x45b3): undefined reference to OQS_KEM_alg_is_enabled' /usr/bin/ld: /opt/openssl/.openssl/lib/libcrypto.a(oqs_meth.o): in function OQSSIG_options':
oqs_meth.c:(.text+0x4673): undefined reference to OQS_SIG_alg_is_enabled' collect2: error: ld returned 1 exit status

As of now (Mar 2020) CircleCI does not support building current OSX docker images, so CCI config needs to be updated if that capability is available again.

Hello Team,
I have bult the chromium demo un ubuntu server but at the last step i have recived the error "The site can't provide a secure connection". Client ans server dont support the common ssl.
I am able to successfully rin the TLS connection in boringssl

whenever I try to create and add test certificate the following error pops up

req: Can't open "/opt/tmp/CA.key" for writing, Permission denied
failed to resize tty, using default size

on exploring the container files with shell no tmp folder is found and am unable to create it using mkdir
Please help

I suppose the pattern to support liboqs is to

1. identify where encrypted communication takes place in the code base
2. in there identify how a specific algorithm is selected
3. change, or better in the long run generalize, the selection of an algorithm
4. rely on liboqs (direct use in C or current wrappers for C++ C# Rust Python Go or Java) to encrypt/decrypt messages or if available at a higher level (e.g oqs openssl or boringssl)
5. verify that communication of messages encrypted through the new algorithm can get decrypted

If this is not correct what should be considered instead?

These is asked in terms of https://github.com/matrix-org/matrix-doc/issues/3516 to potentially demo https://github.com/matrix-org/synapse with oqs.

Hi, I integrated OQS-OpenSSL into Mosquitto and provided a Dockerfile to fully automate the integration.

May I pull request to main branch? (#136)

Thanks!

--Chia-Chin Chung

I have setup a test OQS Nginx server, that integrates your OQS fork of OpenSSL. I was wondering how to route clients to different server ports based on the cipher suites they support. In your test server: https://test.openquantumsafe.org/ I can see that the site is accessible using clients that do not support post-quantum TLS as well, and that the site then uses a classical certificate. But if I use your OQS curl demo https://github.com/open-quantum-safe/oqs-demos/tree/main/curl, that supports post-quantum TLS, I can get a response from your test serve when curving with a post-quantum key-exchange algorithm such as Kyber512, doing the following:

docker run -it oqs-curl curl -k https://test.openquantumsafe.org --curves kyber512

So my question is how can you identify clients that do not support post-quantum TLS and then use a classical certificate for those types of clients, if i've understood the setup correctly.

I'm getting the following error when I run the ./configure nginx script that also should compile the OQS fork of OpenSSL with.

These are my configure arguments:

./configure --with-http_ssl_module --with-openssl=/home/ibra/pqs_server_files/openssl --with-openssl-opt='zlib no-tests' --with-cc-opt=-I/home/ibra/pqs_server_files/openssl/oqs/include --with-ld-opt=-L/home/ibra/pqs_server_files/openssl/oqs/lib

Any ideas what that could mean?

"Weak key" error when connecting Chromium to QSC-sig cert protected test port, e.g., https://test.openquantumsafe.org:6471/

85.0.4161.2 seems dated relying on software packages not state of the art any more

Depends on open-quantum-safe/boringssl#57

Goal would be to enable using/testing all supported QSC algorithms.

Low priority.

Hi, I'm trying to build Chromium using the oqs-demos/chromium. The first few steps are executed successfully. But when I type autoninja -C out/Default chrome to build Chromium, I get an error message.
Just like:

FAILED: obj/third_party/boringssl/boringssl/p_oqs.o
../../third_party/boringssl/src/crypto/evp/p_oqs.c:19:10: fatal error: 'oqs/oqs.h' file not found
#include <oqs/oqs.h>
         ^~~~~~~~~~~
1 error generated.
...
FAILED: obj/third_party/boringssl/boringssl/p_oqs_asn1.o
...
../../third_party/boringssl/src/crypto/evp/p_oqs_asn1.c:20:10: fatal error: 'oqs/oqs.h' file not found
...
ninja: build stopped: subcommand failed.

How can I fix it? Thank you for your help!!

Move to more current openssh when open-quantum-safe/openssh#78 is landed

Script to verify (new) client code can interact with all algorithms supported by test server

By default, demos are always built using the current upstream masters.
For interoperability and regression testing, specific builds tagged to a liboqs release tag and all corresponding downstream package versions are sensible additional build options. This feature can then also be used to automate generating liboqs-version-tagged docker images for all applications and thus, improve (reduce) release-cycle build time over the complete OQS SW stack.

Challenge is that (tag-)conditional Dockerfiles make builds un-cacheable.
Additional challenge is that such logic would have to be copied into each Dockerfile as there seems to be no #include logic in Dockerfiles.
Another challenge is that more parameters than just tags need to be considered (other upstream options change over time, e.g. OQS_USE_CPU_EXTENSIONS came and went away).

Maybe just keeping liboqs-version-tagged Dockerfiles is sufficient?

I followed the instructions at
https://github.com/open-quantum-safe/oqs-demos/tree/main/chromium .

I am building on Ubuntu 20.04 .

The first build error I got was :

ninja: Entering directory `out/Default'
[1/1] Regenerating ninja files
FAILED: build.ninja
../../buildtools/linux64/gn --root=../.. -q gen .
ERROR at //third_party/boringssl/BUILD.gn:48:46: Undefined identifier
all_headers = crypto_headers + ssl_headers + oqs_headers
^----------
See //crypto/BUILD.gn:78:19: which caused the file to be included.
public_deps = [ "//third_party/boringssl" ]
^------------------------

I tried to comment out oqs_headers . Then I hit the following :

../../net/cert/internal/simple_path_builder_delegate.cc:38:7: error: use of undeclared identifier 'IS_OQS_PKEY'
if (IS_OQS_PKEY(curve_nid)) {
^
../../net/cert/internal/simple_path_builder_delegate.cc:117:7: error: use of undeclared identifier 'IS_OQS_PKEY'
if (IS_OQS_PKEY(pkey_id)) {
^
2 errors generated.

It looks like the oqs-mods.patch file is quite old - 5 months.
I don't think it works with the current liboqs 0.7.0 .
I tried liboqs 0.6.0 and 0.5.0, and reinstalled them into the Chromium tree, but I still hit the same error.

Can someone please provide the proper version of liboqs I should be using with Chromium, as well as the correct patch ?

Thanks.

Hi,
I have completed the steps of oqs demo for Chromium up to step 5.
for number 5 it has been said:
"navigate to <CHROMIUM_ROOT> and apply the chromium94.patch file provided here by running git apply <PATH_TO_PATCH_FILE>."

what should I do in this step? what will be the value of <PATH_TO_PATCH_FILE>?
should I have chromium94.patch in my directory? Because I have searched for a file with this name but there is no file with this name.

Thank you.