Programmatically load provider #211

Closed
micheleselea opened this issue Jul 10, 2023 · 16 comments
Labels
question No code change required

Comments

@micheleselea

micheleselea commented Jul 10, 2023

Hi all, I was able to compile liboqs and oqsprovider under Windows, so I end up with oqsprovider.dll.
I'm trying to integrate the DLL in my C++ code, loading it in some way as I do for "legacy" and "default" (even if those providers are not DLLs in my scenario):

```c
OSSL_PROVIDER_try_load(NULL, "oqsprovider", 1);
```

but I can't load it. Do you have some advice for me on how I can programmatically load the provider?
Thanks

@baentsch
Member

Thanks for your interest in using oqsprovider. The API call looks OK, but maybe OPENSSL_MODULES isn't properly set? Why wouldn't you want to load it via config (as in the test code)? That way it's much easier to switch on and off (and be install path independent). That way you also don't have to fiddle with OPENSSL_MODULES.

@micheleselea
Author

micheleselea commented Jul 11, 2023

We develop software that implements an HTTP(S) server with the Poco library and OpenSSL 3.0.9 (using C++):
https://pocoproject.org/
So I was trying to load the provider (as I do with legacy and default) to let OpenSSL use oqs. Anyway, I'm trying to dig into OPENSSL_MODULES.

@baentsch
Member

> as I do with legacy and default

OK, if you already load legacy and default successfully, then the only reasons for oqsprovider to not be successfully loaded are: 1) it's not in ossl-modules (as is legacy), OR 2) the environment variable OPENSSL_MODULES isn't set to the directory where the oqsprovider DLL is located, OR 3) you linked liboqs SHARED into oqsprovider and do not have liboqs.dll in the PATH. I'd strongly urge you to build liboqs statically (and link it as such to oqsprovider) to avoid situation 3.
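
The three causes listed in the comment above, turned into a file-system check (an added example, not code from this thread or from oqs-provider). It assumes the module file is the provider name plus the platform suffix; `diagnose`, `demo` and the finding strings are hypothetical names, and the directory layout in `demo` is constructed.

```python
import os
import sys
import tempfile
from pathlib import Path

# Suffix OpenSSL appends to a provider name to form the module file name.
SUFFIX = {"win32": ".dll", "darwin": ".dylib"}.get(sys.platform, ".so")


def diagnose(name, env, builtin_dir, shared_liboqs=False, suffix=SUFFIX):
    """Check the three causes above. env is an environment mapping and
    builtin_dir the ossl-modules directory compiled into libcrypto; both are
    parameters so the check can run on constructed data."""
    findings = []
    override = env.get("OPENSSL_MODULES")
    # Causes 1 and 2: OPENSSL_MODULES, when set, replaces the built-in
    # directory, so only one directory is searched for the module.
    search_dir = Path(override) if override else Path(builtin_dir)
    module = search_dir / (name + suffix)
    if not module.is_file():
        findings.append(f"module-missing:{module}")
        if override and (Path(builtin_dir) / module.name).is_file():
            findings.append("shadowed-by-OPENSSL_MODULES")
    # Cause 3 (Windows case from the comment): a provider linked against
    # shared liboqs needs liboqs.dll; PATH is the location named above.
    if shared_liboqs:
        dirs = [d for d in env.get("PATH", "").split(os.pathsep) if d]
        if not any((Path(d) / "liboqs.dll").is_file() for d in dirs):
            findings.append("dependency-not-on-PATH:liboqs.dll")
    return findings


def demo():
    """Constructed layout: module in ossl-modules, environment pointing elsewhere."""
    with tempfile.TemporaryDirectory() as root:
        builtin, other = Path(root, "ossl-modules"), Path(root, "other")
        builtin.mkdir()
        other.mkdir()
        (builtin / ("oqsprovider" + SUFFIX)).touch()
        ok = diagnose("oqsprovider", {}, builtin)
        shadowed = diagnose("oqsprovider", {"OPENSSL_MODULES": str(other)}, builtin)
        no_dep = diagnose("oqsprovider", {"PATH": str(other)}, builtin, True)
        return ok, shadowed, no_dep


if __name__ == "__main__":
    for result in demo():
        print(result or "no findings")
```

`openssl version -m` prints the compiled-in modules directory to pass as `builtin_dir`.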

@micheleselea
Author

OK, thanks for the advice. I'm using OpenSSL as a static link, so the libraries are inside my executable and I do not need legacy and default as external libs. I'm trying to figure out how to do the same with oqsprovider. I'll follow your advice and let you know, thanks.

@baentsch
Member

> I'm using OpenSSL as a static link, so the libraries are inside my executable and I do not need legacy and default as external libs.

OK, thanks for the additional background. It might be then that you may need to wait for #201 to land...

@micheleselea
Author

Ah ok thanks, I'll try the #201

@micheleselea
Author

Thanks @baentsch, I added the `oqs_provider_init` and `load_oqs_provider` code from the 201 pull request and now I'm able to load the provider correctly.
I'm going to make some client/server tests.

@micheleselea
Author

I'm trying with
https://hub.docker.com/r/openquantumsafe/httpd
I'm able to get it to work with the curl docker example, but if I try with my HTTP client (where I loaded the oqs provider successfully) I can't get the handshake done; it's like the algorithm to use is not negotiated. Do you think I have to enable it in the client OpenSSL configuration?

@micheleselea
Author

Probably I'm doing something wrong. I'm using OpenSSL 3.0.9, and for 3.0/3.1 I understand that it can't work, is that correct? With the curl docker image I see OpenSSL 3.2 is used.

@baentsch
Member

> it's like the algorithm to use is not negotiated. Do you think I have to enable it in the client OpenSSL configuration?

Yes. You need to configure the group (KEM) to use (as per the port you want to test against).

> I understand that it can't work, is that correct?

Possibly, it does. Depends on what features you want to use. Check out https://github.com/open-quantum-safe/oqs-provider#note-on-openssl-versions. Using PQ KEMs with classic SIGs should work in OpenSSL 3.0.9.

@baentsch
Member

@micheleselea FYI, here's (two) proposals how to force use of specific PQC/QSC KEMs: https://github.com/open-quantum-safe/oqs-provider/blob/main/USAGE.md#selecting-tls13-default-groups. A third obviously is use of the OpenSSL API.

@micheleselea
Author

OK, thanks @baentsch, I'm going to check the linked proposals. Probably the best way in my environment is to use the OpenSSL API directly.
I read that the best interaction between oqs and OpenSSL should be with 3.2, and I want to give it a try. Do you know if there's a scheduled release date for a 3.2 alpha or beta?

@baentsch
Member

> Do you know if there's a scheduled release date for a 3.2 alpha or beta?

No. That's probably best asked upstream. IMO highly unlikely that that's going to be still 2023 given that 3.1.0 only came out a few months ago.

baentsch added the "question" (No code change required) label on Jul 14, 2023

@micheleselea
Author

Hi @baentsch, I tried to use the curl and httpd docker oqs images but I have a problem.
If I use for the server:

```sh
docker run -p 4433:4433 openquantumsafe/httpd
```

and

```sh
docker run -it openquantumsafe/curl curl -k https://SERVERIP:4433
```

it's OK.
Instead, if I use

```sh
docker run -it openquantumsafe/curl curl -k https://SERVERIP:4433 --curves p256_kyber768
```

I end up with a handshake error and I can't understand why. I tried with different curves, but it seems not to negotiate oqs.

@micheleselea
Author

I checked and this seems to work:

```sh
docker run -it openquantumsafe/curl curl -k https://serverip:4433/ --curves kyber768
```

but I can't understand from verbose mode how to check whether I'm using the correct curves.

@baentsch
Member

Topic is resolved. If not, please feel free to re-open with new input.
