Merge branch 'main' into curl

.github/workflows/quic.yml

@@ -0,0 +1,56 @@
+name: QUIC
+
+on:
+  push:
+    branches: ['main']
+    paths: ['.github/workflows/quic.yml', 'curl/**', 'nginx/**']
+  pull_request:
+    paths: ['.github/workflows/quic.yml', 'curl/**', 'nginx/**']
+  schedule:
+    - cron: '2 7 18,28 * *'
+  workflow_dispatch:
+
+env:
+  TARGET_NAME: openquantumsafe
+
+jobs:
+  test-push:
+    name: Test and push QUIC images
+    runs-on: ubuntu-latest
+    steps:
+    - uses: actions/checkout@v4
+    - name: Login to Docker Hub
+      uses: docker/login-action@v3
+      with:
+        username: ${{ secrets.DOCKERHUB_USERNAME }}
+        password: ${{ secrets.DOCKERHUB_TOKEN }}
+    - name: Create a shared volume
+      run: docker volume create shared-1
+      shell: bash
+    - name: Generate a quantum-safe certificate chain
+      run: |
+        docker run -v shared-1:/certs $TARGET_NAME/openssl3 /bin/sh -c "\
+        openssl req -x509 -new -newkey rsa3072_falcon512 -keyout /certs/CA.key -out /certs/CA.crt -nodes -subj '/C=US/O=Open Quantum Safe/CN=OQS Demos' -days 1461 && \
+        openssl req -new -newkey sphincssha2128fsimple -keyout /certs/server.key -out /certs/server.csr -nodes -subj /CN=host.docker.internal && \
+        openssl x509 -req -in /certs/server.csr -out /certs/server.crt -CA /certs/CA.crt -CAkey /certs/CA.key -CAcreateserial -days 365"
+      shell: bash
+    - name: Build NGINX with QUIC support and start the server
+      working-directory: ./nginx
+      run: |
+        docker build -t $TARGET_NAME/nginx-quic:latest -f Dockerfile-QUIC . && \
+        docker run -d -p 443:443/udp -v shared-1:/certs --name nginx-quic-daemon $TARGET_NAME/nginx-quic:latest && \
+        docker cp ./nginx-conf/nginx-quic.conf nginx-quic-daemon:/etc/nginx/nginx-quic.conf && \
+        docker exec nginx-quic-daemon bash -c "cd /etc/nginx && rm nginx.conf && mv nginx-quic.conf nginx.conf && nginx -s reload"
+      shell: bash
+    - name: Build cURL with QUIC support and test it with the server that's started earlier
+      working-directory: ./curl
+      run: |
+        docker build -t $TARGET_NAME/curl-quic:latest -f Dockerfile-QUIC . && \
+        docker run -v shared-1:/certs --add-host=host.docker.internal:host-gateway $TARGET_NAME/curl-quic:latest \
+        curl --cacert /certs/CA.crt --http3-only https://host.docker.internal --curves hqc192 -vvvv
+      shell: bash
+    - name: Push Docker images to Docker Hub
+      run: |
+        docker push $TARGET_NAME/curl-quic:latest
+        docker push $TARGET_NAME/nginx-quic:latest
+      shell: bash

README.md

@@ -1,4 +1,5 @@
 [![GitHub actions](https://github.com/open-quantum-safe/oqs-demos/actions/workflows/linux.yml/badge.svg)](https://github.com/open-quantum-safe/oqs-demos/actions/workflows/linux.yml)
+[![QUIC](https://github.com/open-quantum-safe/oqs-demos/actions/workflows/quic.yml/badge.svg)](https://github.com/open-quantum-safe/oqs-demos/actions/workflows/quic.yml)
 [![open-quantum-safe](https://circleci.com/gh/open-quantum-safe/oqs-demos.svg?style=svg)](https://app.circleci.com/pipelines/github/open-quantum-safe/oqs-demos)
 
 oqs-demos
@@ -18,9 +19,9 @@ Currently available integrations at their respective support level:
 
 |                  | **Build instructions**                 | **Pre-built Docker image or binary files**                                                                                   | Support? |
 | ---------------- | -------------------------------------- | ---------------------------------------------------------------------------------------------------------------------------- | -------- |
-| **curl**         | [Github: oqs-demos/curl](curl)         | [Dockerhub: openquantumsafe/curl](https://hub.docker.com/repository/docker/openquantumsafe/curl)                             | @baentsch, @pi-314159
+| **curl**         | [Github: oqs-demos/curl](curl)         | [Dockerhub: openquantumsafe/curl](https://hub.docker.com/repository/docker/openquantumsafe/curl), [Dockerhub: openquantumsafe/curl-quic](https://hub.docker.com/repository/docker/openquantumsafe/curl-quic) | @baentsch, @pi-314159
 | **Apache httpd** | [Github: oqs-demos/httpd](httpd)       | [Dockerhub: openquantumsafe/httpd](https://hub.docker.com/repository/docker/openquantumsafe/httpd)                           | @baentsch
-| **nginx**        | [Github: oqs-demos/nginx](nginx)       | [Dockerhub: openquantumsafe/nginx](https://hub.docker.com/repository/docker/openquantumsafe/nginx)                           | @baentsch, @bhess, @pi-314159
+| **nginx**        | [Github: oqs-demos/nginx](nginx)       | [Dockerhub: openquantumsafe/nginx](https://hub.docker.com/repository/docker/openquantumsafe/nginx), [Dockerhub: openquantumsafe/nginx-quic](https://hub.docker.com/repository/docker/openquantumsafe/nginx-quic) | @baentsch, @bhess, @pi-314159
 | **Chromium** | [Github: oqs-demos/chromium](chromium) (limited support) | - | @pi-314159 |
 | **OpenSSH**      | [Github: oqs-demos/openssh](openssh)   | [Dockerhub: openquantumsafe/openssh](https://hub.docker.com/repository/docker/openquantumsafe/openssh)                       | unsupported
 | **Wireshark**    | [Github: oqs-demos/wireshark](wireshark)   | [Dockerhub: openquantumsafe/wireshark](https://hub.docker.com/repository/docker/openquantumsafe/wireshark)                       | unsupported

chromium/README-Linux.md

@@ -8,48 +8,39 @@ The rest of the instructions will use **$CHROMIUM_ROOT** to refer to the root di
 
 ```shellscript
 cd $CHROMIUM_ROOT
-git checkout tags/124.0.6339.0
+git checkout tags/131.0.6767.0
 gclient sync
 ```
 
-### 2. Install Go and Perl
-
-### 3. Switch to the OQS-BoringSSL
+### 2. Switch to the OQS-BoringSSL
 
 ```shellscript
 cd $CHROMIUM_ROOT/third_party/boringssl/src
 git remote add oqs-bssl https://github.com/open-quantum-safe/boringssl
 git fetch oqs-bssl
-git checkout -b oqs-bssl-master c0a0bb4d1243952819b983129c546f9ae1c03008
+git checkout -b oqs-bssl-master 0599bb559d3be76a98f0940d494411b6a8e0b18e
 ```
 
-### 4. Clone and Build liboqs
+### 3. Clone and Build liboqs
 
 Choose a directory to store the liboqs source code and use the `cd` command to move to that directory. We will use ninja to build liboqs.
 
 ```shellscript
-git clone https://github.com/open-quantum-safe/liboqs.git && git checkout 890a6aa448598a019e72b5431d8ba8e0a5dbcc85
+git clone https://github.com/open-quantum-safe/liboqs.git && git checkout 9aa2e1481cd0c242658ec8e92776741feabec163
 cd liboqs && mkdir build && cd build
 cmake .. -G"Ninja" -DCMAKE_INSTALL_PREFIX=$CHROMIUM_ROOT/third_party/boringssl/src/oqs -DOQS_USE_OPENSSL=OFF -DCMAKE_BUILD_TYPE=Release
 ninja && ninja install
 ```
 
-### 5. Enable Quantum-Safe Crypto
+### 4. Enable Quantum-Safe Crypto
 
 ```shellscript
 cd $CHROMIUM_ROOT
 wget https://raw.githubusercontent.com/open-quantum-safe/oqs-demos/main/chromium/oqs-Linux.patch
 git apply oqs-Linux.patch
 ```
 
-### 6. Generate BoringSSL Build Files for Chromium
-
-```shellscript
-cd $CHROMIUM_ROOT/third_party/boringssl
-python src/util/generate_build_files.py gn
-```
-
-### 7. Build
+### 5. Build
 
 ```shellscript
 cd $CHROMIUM_ROOT
@@ -68,6 +59,6 @@ blink_symbol_level = 0
 Save and close the configuration file. Last, run `autoninja -C out/Default chrome`.\
 If the build completes successfully, it will create _chrome_ in _$CHROMIUM_ROOT/out/Default_.
 
-### 8. Miscellaneous
+### 6. Miscellaneous
 
-- This guide is published on March 8, 2024, and may be outdated.
+- This guide is published on October 10, 2024, and may be outdated.

chromium/README-Windows.md

@@ -11,54 +11,43 @@ In Command Prompt, run following commands:
 
 ```bat
 cd %CHROMIUM_ROOT%
-git checkout tags/124.0.6339.0
+git checkout tags/131.0.6769.0
 gclient sync
 ```
 
-### 2. Install Go and Perl
-
-### 3. Switch to the OQS-BoringSSL
+### 2. Switch to the OQS-BoringSSL
 
 In Command Prompt, run following commands:
 
 ```bat
 cd %CHROMIUM_ROOT%/third_party/boringssl/src
 git remote add oqs-bssl https://github.com/open-quantum-safe/boringssl
 git fetch oqs-bssl
-git checkout -b oqs-bssl-master c0a0bb4d1243952819b983129c546f9ae1c03008
+git checkout -b oqs-bssl-master 0599bb559d3be76a98f0940d494411b6a8e0b18e
 ```
 
-### 4. Clone and Build liboqs
+### 3. Clone and Build liboqs
 
 Choose a directory to store the liboqs source code and use the `cd` command to move to that directory. We will use msbuild instead of ninja to build liboqs.\
 Start _x64 Native Tools Command Prompt for VS 2022_ (usually it's in _C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Visual Studio 2022\Visual Studio Tools\VC_) and run following commands:
 
 ```bat
-git clone https://github.com/open-quantum-safe/liboqs.git && git checkout 890a6aa448598a019e72b5431d8ba8e0a5dbcc85
+git clone https://github.com/open-quantum-safe/liboqs.git && git checkout 9aa2e1481cd0c242658ec8e92776741feabec163
 cd liboqs && mkdir build && cd build
 cmake .. -DCMAKE_INSTALL_PREFIX=%CHROMIUM_ROOT%/third_party/boringssl/src/oqs -DOQS_USE_OPENSSL=OFF -DCMAKE_BUILD_TYPE=Release
 msbuild ALL_BUILD.vcxproj
 msbuild INSTALL.vcxproj
 ```
 
-### 5. Enable Quantum-Safe Crypto
+### 4. Enable Quantum-Safe Crypto
 
-Download the [oqs-changes.patch](https://raw.githubusercontent.com/open-quantum-safe/oqs-demos/main/chromium/oqs-Windows.patch) and save it at _%CHROMIUM_ROOT%_, then apply the patch by running
+Download the [oqs-Windows.patch](https://raw.githubusercontent.com/open-quantum-safe/oqs-demos/main/chromium/oqs-Windows.patch) and save it at _%CHROMIUM_ROOT%_, then apply the patch by running
 
 ```bat
 git apply oqs-Windows.patch
 ```
 
-### 6. Generate BoringSSL Build Files for Chromium
-
-In Command Prompt, run following commands:
-
-```bat
-cd %CHROMIUM_ROOT%/third_party/boringssl
-python src/util/generate_build_files.py gn
-```
-
-### 7. Build
+### 5. Build
 
 In Command Prompt, run following commands:
 
@@ -81,8 +70,7 @@ target_os = "win"
 Save and close the configuration file. Last, run `autoninja -C out/Default chrome` in Command Prompt.\
 If the build completes successfully, it will create _chrome.exe_ in _%CHROMIUM_ROOT%/out/Default_.
 
-### 8. Miscellaneous
+### 6. Miscellaneous
 
 - BIKE key exchange is not supported.
-- This guide was initially published on March 8, 2024, and may be outdated.
-- These instructions have been tested on 64-bit Windows 10 Enterprise with Visual Studio 2022 Community, [Go 1.20.5](https://go.dev/dl/), and [ActiveState Perl 5.36](https://www.activestate.com/products/perl/).
+- This guide was initially published on October 10, 2024, and may be outdated.

chromium/README.md

@@ -1,6 +1,6 @@
 This directory contains no longer fully maintained instructions and corresponding patches to build the Chromium web browser using the [OQS-BoringSSL fork](https://github.com/open-quantum-safe/boringssl), thereby enabling Chromium to use quantum-safe key exchange algorithms.
 
-These instructions are specifically tailored for liboqs commit `890a6aa448598a019e72b5431d8ba8e0a5dbcc85` and Chromium version `124.0.6339.0`. It is important to note that using any other versions of liboqs or Chromium may result in failure. The instructions have been tested on Windows 10 and Ubuntu 22 LTS(x64) installations only. Additionally, they currently apply to a limited subset of quantum-safe key-exchanges, as detailed in the documentation [provided here](https://github.com/open-quantum-safe/boringssl#key-exchange).
+These instructions are specifically tailored for liboqs commit `9aa2e1481cd0c242658ec8e92776741feabec163` and Chromium version `131`. It is important to note that using any other versions of liboqs or Chromium may result in failure. The instructions have been tested on Windows 11 and Ubuntu 24.04 LTS installations only. Additionally, they currently apply to a limited subset of quantum-safe algorithms, as detailed in the documentation [provided here](https://github.com/open-quantum-safe/boringssl#key-exchange).
 
 Please be aware that this information is intended for individuals who acknowledge and accept these limitations. While we prioritize support for open source software, we are unable to dedicate the same level of support to the Chromium and BoringSSL PQ software stack as we have in the past. We encourage contributors to update the instructions and patch files for more recent versions of liboqs and Chromium.
 

chromium/USAGE.md

@@ -13,7 +13,7 @@ For the unwary user we *strongly* recommend to use a ready-build binary (for x64
 3) Install the certificate in the Chromium certificate store by clicking on "..." in the upper right hand corner , then/-> "Preferences" -> "..." in upper left corner -> "Privacy and Security" -> "Security" -> "Certificate Management" -> "Certification Authorities" -> Import: Load the file "CA.crt" downloaded in step 2.
 4) Return to the test server at [https://test.openquantumsafe.org](https://test.openquantumsafe.org) and click any of the supported ports representing all available quantum safe KEM and signature algorithms. A success message is returned if everything works as intended.
 
-Please note that not all algorithm combinations are expected to work. Most notably, none of the X25519 or X448 KEM hybrids are supported by the [underlying integration of OQS-BoringSSL](https://github.com/open-quantum-safe/boringssl).
+Please note that not all algorithm combinations are expected to work. Most notably, X448 KEM hybrids and composite signature algorithms are not supported by the [underlying integration of OQS-BoringSSL](https://github.com/open-quantum-safe/boringssl?tab=readme-ov-file#supported-algorithms).
 
 Please create a [discussion item](https://github.com/open-quantum-safe/boringssl/discussions/landing) if you feel some algorithm combination that does not work should do.