From a50d8910bab55b4e02adfafd143bfa935e051ef6 Mon Sep 17 00:00:00 2001 From: Siddharth Date: Mon, 20 May 2024 19:48:23 -0400 Subject: [PATCH 1/4] Add PQ Groups and the provider for them --- src/Mayaqua/Encrypt.c | 8 ++++++++ src/Mayaqua/Network.c | 5 ++++- src/Mayaqua/Network.h | 2 ++ 3 files changed, 14 insertions(+), 1 deletion(-) diff --git a/src/Mayaqua/Encrypt.c b/src/Mayaqua/Encrypt.c index fed18bdb..fab64387 100644 --- a/src/Mayaqua/Encrypt.c +++ b/src/Mayaqua/Encrypt.c @@ -88,6 +88,7 @@ int ssl_clientcert_index = 0; #if OPENSSL_VERSION_NUMBER >= 0x30000000L static OSSL_PROVIDER *ossl_provider_legacy = NULL; static OSSL_PROVIDER *ossl_provider_default = NULL; +static OSSL_PROVIDER *ossl_provider_oqsprovider = NULL; #endif LOCK **ssl_lock_obj = NULL; @@ -3974,6 +3975,12 @@ void FreeCryptLibrary() OSSL_PROVIDER_unload(ossl_provider_legacy); ossl_provider_legacy = NULL; } + + if (ossl_provider_oqsprovider != NULL) + { + OSSL_PROVIDER_unload(ossl_provider_oqsprovider); + ossl_provider_oqsprovider = NULL; + } #endif } @@ -3996,6 +4003,7 @@ void InitCryptLibrary() #if OPENSSL_VERSION_NUMBER >= 0x30000000L ossl_provider_default = OSSL_PROVIDER_load(NULL, "legacy"); ossl_provider_legacy = OSSL_PROVIDER_load(NULL, "default"); + ossl_provider_oqsprovider = OSSL_PROVIDER_load(NULL, "oqsprovider"); #endif ssl_clientcert_index = SSL_get_ex_new_index(0, "struct SslClientCertInfo *", NULL, NULL, NULL); diff --git a/src/Mayaqua/Network.c b/src/Mayaqua/Network.c index c9ea7595..0aede291 100644 --- a/src/Mayaqua/Network.c +++ b/src/Mayaqua/Network.c @@ -25,6 +25,7 @@ #include #include +#include #ifdef OS_UNIX #include @@ -11905,6 +11906,8 @@ bool StartSSLEx3(SOCK *sock, X *x, K *priv, LIST *chain, UINT ssl_timeout, char Unlock(openssl_lock); } + SSL_set1_groups_list(sock->ssl, PQ_GROUP_LIST); + if (sock->ServerMode) { // Lock(ssl_connect_lock); @@ -11984,7 +11987,7 @@ bool StartSSLEx3(SOCK *sock, X *x, K *priv, LIST *chain, UINT ssl_timeout, char // Unlock(ssl_connect_lock); } else - { + { prev_timeout = GetTimeout(sock); SetTimeout(sock, ssl_timeout); // Client mode diff --git a/src/Mayaqua/Network.h b/src/Mayaqua/Network.h index 39e3f5fc..d6a0f29f 100644 --- a/src/Mayaqua/Network.h +++ b/src/Mayaqua/Network.h @@ -59,6 +59,8 @@ struct DYN_VALUE #define DEFAULT_CIPHER_LIST "ECDHE+AESGCM:ECDHE+CHACHA20:DHE+AESGCM:DHE+CHACHA20:ECDHE+AES256:DHE+AES256:RSA+AES" +#define PQ_GROUP_LIST "?p521_kyber1024:?x25519_kyber768:P-512:X25519:P-256" + // SSL logging function //#define ENABLE_SSL_LOGGING #define SSL_LOGGING_DIRNAME "@ssl_log" From 2fe4ca0f8cc944e764692d72c8b01562d5af6d62 Mon Sep 17 00:00:00 2001 From: Siddharth Date: Mon, 20 May 2024 21:46:57 -0400 Subject: [PATCH 2/4] Fix incorrect PQ_GROUP_LIST string --- src/Mayaqua/Network.h | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/Mayaqua/Network.h b/src/Mayaqua/Network.h index d6a0f29f..720a0770 100644 --- a/src/Mayaqua/Network.h +++ b/src/Mayaqua/Network.h @@ -59,7 +59,7 @@ struct DYN_VALUE #define DEFAULT_CIPHER_LIST "ECDHE+AESGCM:ECDHE+CHACHA20:DHE+AESGCM:DHE+CHACHA20:ECDHE+AES256:DHE+AES256:RSA+AES" -#define PQ_GROUP_LIST "?p521_kyber1024:?x25519_kyber768:P-512:X25519:P-256" +#define PQ_GROUP_LIST "p521_kyber1024:x25519_kyber768:P-521:X25519:P-256" // SSL logging function //#define ENABLE_SSL_LOGGING From b06486b37d9e7228bcb4629b2120b5b41f1ba26a Mon Sep 17 00:00:00 2001 From: Siddharth Date: Tue, 18 Jun 2024 00:01:58 -0400 Subject: [PATCH 3/4] Remove unecessary provider include --- src/Mayaqua/Network.c | 1 - 1 file changed, 1 deletion(-) diff --git a/src/Mayaqua/Network.c b/src/Mayaqua/Network.c index 0aede291..ce5421b8 100644 --- a/src/Mayaqua/Network.c +++ b/src/Mayaqua/Network.c @@ -25,7 +25,6 @@ #include #include -#include #ifdef OS_UNIX #include From 68964ab0d795835e4d36e707baf8a1cad23bc481 Mon Sep 17 00:00:00 2001 From: Siddharth Date: Tue, 18 Jun 2024 16:09:10 -0400 Subject: [PATCH 4/4] Guard variables with OpenSSL version --- src/Mayaqua/Network.c | 6 ++++-- src/Mayaqua/Network.h | 2 ++ 2 files changed, 6 insertions(+), 2 deletions(-) diff --git a/src/Mayaqua/Network.c b/src/Mayaqua/Network.c index ee25308c..6b53ecfb 100644 --- a/src/Mayaqua/Network.c +++ b/src/Mayaqua/Network.c @@ -11905,8 +11905,10 @@ bool StartSSLEx3(SOCK *sock, X *x, K *priv, LIST *chain, UINT ssl_timeout, char Unlock(openssl_lock); } - SSL_set1_groups_list(sock->ssl, PQ_GROUP_LIST); - + #if OPENSSL_VERSION_NUMBER >= 0x30000000L + SSL_set1_groups_list(sock->ssl, PQ_GROUP_LIST); + #endif + if (sock->ServerMode) { // Lock(ssl_connect_lock); diff --git a/src/Mayaqua/Network.h b/src/Mayaqua/Network.h index 720a0770..94a50c2b 100644 --- a/src/Mayaqua/Network.h +++ b/src/Mayaqua/Network.h @@ -59,7 +59,9 @@ struct DYN_VALUE #define DEFAULT_CIPHER_LIST "ECDHE+AESGCM:ECDHE+CHACHA20:DHE+AESGCM:DHE+CHACHA20:ECDHE+AES256:DHE+AES256:RSA+AES" +#if OPENSSL_VERSION_NUMBER >= 0x30000000L #define PQ_GROUP_LIST "p521_kyber1024:x25519_kyber768:P-521:X25519:P-256" +#endif // SSL logging function //#define ENABLE_SSL_LOGGING