Comments (8)
And yes, basic support for Q-safe 'groups' is readily available using liboqs and oqsprovider. I recommend to build/use the latest OpenSSL version along with the former two.
Remark (as this seems to be of interest for you): Was tested successfully with HAproxy.
from openssl.
It's doable by liboqs with proper algorithms selection and oqsprovider.
from openssl.
@mikkorantalainen Just FYI - in the context of work on #21633, based on the discussion in #22203 and based on the NSA mandate to 'support and prefer' Q-safe, we're already working on a revision of the group selection algorithm on the server side (keeping backward compatibility to the current algorithm).
This will be enabled by using a newly introduced '!' prefix for those groups in the list for which key shares are requested:
On client side, a '!' prefix means: Send a client share for this group (-> 'will arrive as "keyshare list" on server side')
On server side, a '!' prefix means: This group has higher priority (-> 'is part of "requested keyshare" list on server side').
If no '!' prefix is used in any of the groups in the list, the existing algorithm will be used for backward compatibility.
For the server side group selection algorithm, 4 possibilities exist, where sequence is priority (=> read table below like so: If entries in the client side list have overlap with the server side list, do the overlap action; if not, use the next line and repeat):

| # | Client | Server | If they overlap |
|---|---|---|---|
| 1 | keyshare list | requested keyshare list | Use leftmost group_id from server requested keyshare list |
| 2 | supported groups list | requested keyshare list | HRR with leftmost group_id from server requested keyshare list |
| 3 | keyshare list | supported groups list | Use leftmost group_id from server groups list |
| 4 | supported groups list | supported groups list | HRR with leftmost group_id from server groups list |

Therefore, for example, if a client sends a keyshare for a legacy group, but would also support a Q-safe 'group', the server would trigger a HRR for the Q-safe 'group' (and with that a round-trip) even if it would support the legacy group.
Code is already 'wiggling' nicely, needs more tests and cleanup, but is intended for a PR soon.
from openssl.
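
A small Python model of the four-row table in the comment above, added here as an illustration and not taken from the OpenSSL code or the pending PR; it reproduces the HRR case where a client sends a legacy keyshare but the server prefers a Q-safe group. Assumptions: lists are colon-separated, "leftmost" means the leftmost server entry that the client also lists, a client with no '!' sends a share for its first group only, and the group names are sample values.

```python
def parse_groups(spec):
    """Split a colon-separated group list into (all_groups, flagged_groups).

    A leading '!' marks a group as 'send a keyshare' (client side) or
    'requested keyshare / higher priority' (server side).
    """
    groups, flagged = [], []
    for item in spec.split(":"):
        item = item.strip()
        if not item:
            continue
        name = item.lstrip("!")
        groups.append(name)
        if item.startswith("!"):
            flagged.append(name)
    return groups, flagged


def select_group(client_spec, server_spec):
    """Return (action, group); action is 'use' or 'hrr' (HelloRetryRequest)."""
    c_supported, c_flagged = parse_groups(client_spec)
    s_supported, s_requested = parse_groups(server_spec)
    if not s_requested:
        # No '!' on the server side: the pre-existing algorithm applies
        # (not modelled here).
        return ("existing-algorithm", None)
    # Assumption: an unflagged client sends a share for its first group only.
    c_keyshares = c_flagged or c_supported[:1]
    rows = [  # table rows in priority order: (client list, server list, action)
        (c_keyshares, s_requested, "use"),
        (c_supported, s_requested, "hrr"),
        (c_keyshares, s_supported, "use"),
        (c_supported, s_supported, "hrr"),
    ]
    for client_list, server_list, action in rows:
        for group in server_list:  # leftmost server entry wins
            if group in client_list:
                return (action, group)
    return ("no-common-group", None)


if __name__ == "__main__":
    # Constructed lists: client shares legacy X25519, also supports a hybrid.
    print(select_group("!X25519:x25519_kyber768", "!x25519_kyber768:X25519"))
```
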
Remark (as this seems to be of interest for you): Was tested successfully with HAproxy.
Great to know, I'll try to document this on the HAProxy wiki.
from openssl.
@wlallemand FYI & completeness - For simplicity, I did the verification for HAproxy in Docker containers (to avoid 'pollution' of my system), but that can easily be replicated on VM or bare-metal. I tested with both Ubuntu v24.04 and UBI (~=RHEL) v9.4 as base OS and got HAproxy via the Ubuntu supplied package for both OS cases (HAProxy version 2.8.5-1ubuntu3).
I used liboqs v0.10.0 and OQS OpenSSLv3 provider v0.6.0 in combination with OpenSSL 3.0.13 (Rem: does not support Q-safe sigalgs).
from openssl.
@martinschmatz okay, thanks for the details, that's useful!
from openssl.
@nhorman It looks like this was marked inactive by a mistake.
from openssl.
yup, miss on my part, thank you for catching @t8m
from openssl.