From 3b6264dd6b60bd5c2182354e22ca8246abdc89d0 Mon Sep 17 00:00:00 2001
From: Alex Bozarth
Date: Thu, 24 Oct 2024 14:42:59 -0500
Subject: [PATCH] update ngtcp2 demo
---
 .circleci/config.yml | 23 ++++++++++++++++---
 ngtcp2/Dockerfile-client | 48 +++++++++++++++++++++++++++++++---------
 ngtcp2/Dockerfile-server | 48 +++++++++++++++++++++++++++++++---------
 ngtcp2/USAGE-client.md | 6 ++---
 ngtcp2/USAGE-server.md | 6 ++---
 ngtcp2/serverstart.sh | 2 +-
 6 files changed, 101 insertions(+), 32 deletions(-)
diff --git a/.circleci/config.yml b/.circleci/config.yml
index 0516280b..bdc26980 100644
--- a/.circleci/config.yml
+++ b/.circleci/config.yml
@@ -431,7 +431,6 @@ jobs:
 command: |
 docker push $TARGETNAME/wireshark
-# Not actively maintained:
 ubuntu_x64_ngtcp2:
 description: Building OQS-based ngtcp2 docker image
 docker:
@@ -452,6 +451,12 @@ jobs:
 docker build -t oqs-ngtcp2-server -f Dockerfile-server . && docker build -t oqs-ngtcp2-client -f Dockerfile-client .
 working_directory: ngtcp2
+ - run:
+ name: Build ngtcp2 server and client (main/master)
+ command: |
+ docker build --build-arg LIBOQS_TAG=main --build-arg OQSPROVIDER_TAG=main --build-arg NGHTTP3_TAG=main --build-arg NGTCP2_TAG=main -t oqs-ngtcp2-server-main -f Dockerfile-server . &&
+ docker build --build-arg LIBOQS_TAG=main --build-arg OQSPROVIDER_TAG=main --build-arg NGHTTP3_TAG=main --build-arg NGTCP2_TAG=main -t oqs-ngtcp2-client-main -f Dockerfile-client .
+ working_directory: ngtcp2
 - run:
 name: Test ngtcp2 using local docker network
 command: |
@@ -464,6 +469,18 @@ jobs:
 docker rm oqs-ngtcp2server
 docker network rm ngtcp2-test
 working_directory: ngtcp2
+ - run:
+ name: Test ngtcp2 using local docker network (main/master)
+ command: |
+ docker network create ngtcp2-test-main
+ docker run --network ngtcp2-test-main --name oqs-ngtcp2server-main oqs-ngtcp2-server-main &
+ docker run --network ngtcp2-test-main -it --name oqs-ngtcp2client-main oqs-ngtcp2-client-main sh -c 'qtlsclient --exit-on-first-stream-close --groups kyber512 oqs-ngtcp2server-main 6000'
+ docker logs oqs-ngtcp2client | grep "QUIC handshake has been confirmed"
+ docker rm oqs-ngtcp2client-main
+ docker stop oqs-ngtcp2server-main
+ docker rm oqs-ngtcp2server-main
+ docker network rm ngtcp2-test-main
+ working_directory: ngtcp2
 - when:
 condition:
 or:
@@ -637,8 +654,8 @@ workflows:
 # context: openquantumsafe
 #- ubuntu_x64_mosquitto:
 # context: openquantumsafe
- #- ubuntu_x64_ngtcp2:
- # context: openquantumsafe
+ - ubuntu_x64_ngtcp2:
+ context: openquantumsafe
 - ubuntu_x64_openssh:
 context: openquantumsafe
 # Disabled in CI as failing to conclude test properly as per
diff --git a/ngtcp2/Dockerfile-client b/ngtcp2/Dockerfile-client
index f6c96869..3e03169e 100644
--- a/ngtcp2/Dockerfile-client
+++ b/ngtcp2/Dockerfile-client
@@ -1,10 +1,27 @@
 # Multi-stage build: First the full builder image:
-FROM alpine as intermediate
+
+# define the alpine image version to use
+ARG ALPINE_VERSION=3.20
+
+FROM alpine:${ALPINE_VERSION} as intermediate
 ENV DEBIAN_FRONTEND=noninteractive
-ARG LIBOQS_TAG=main
-ARG OQSPROVIDER_TAG=main
+# define the quictls openssl tag to be used
+ARG OPENSSL_TAG=openssl-3.3.0-quic1
+
+# define the liboqs tag to be used
+ARG LIBOQS_TAG=0.11.0
+
+# define the oqsprovider tag to be used
+ARG OQSPROVIDER_TAG=0.7.0
+
+# define the nghttp3 tag to be used
+ARG NGHTTP3_TAG=v1.6.0
+
+# define the ngtcp2 tag to be used
+ARG NGTCP2_TAG=v1.8.1
+
 ARG INSTALLDIR=/opt/oqssa
 # Update image and apt software
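Review bot: The log assertion in the new main/master test step reads the wrong container: `docker logs oqs-ngtcp2client | grep "QUIC handshake has been confirmed"` names the client from the preceding pinned-version step, which that step already removed with `docker rm oqs-ngtcp2client`, while this step runs its client as `oqs-ngtcp2client-main`. As written the check either fails on a missing container or, if the earlier container somehow still exists, passes on stale logs from the pinned build rather than the main/master build it is meant to validate. Change it to `docker logs oqs-ngtcp2client-main | grep "QUIC handshake has been confirmed"`. The server is still started with a backgrounded `docker run ... &` and not awaited before the client connects, as in the existing step, so a slow server start would surface here as a handshake failure rather than a build problem.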
@@ -18,10 +35,10 @@ WORKDIR /opt
 # get all sources
 RUN git clone --depth 1 --branch ${LIBOQS_TAG} https://github.com/open-quantum-safe/liboqs && \
- git clone --depth 1 --branch openssl-3.0.8+quic https://github.com/quictls/openssl.git && \
+ git clone --depth 1 --branch ${OPENSSL_TAG} https://github.com/quictls/openssl.git && \
 git clone --depth 1 --branch ${OQSPROVIDER_TAG} https://github.com/open-quantum-safe/oqs-provider.git && \
- git clone --depth 1 --branch main https://github.com/ngtcp2/nghttp3 && \
- git clone --depth 1 --branch main https://github.com/ngtcp2/ngtcp2
+ git clone --depth 1 --branch ${NGHTTP3_TAG} https://github.com/ngtcp2/nghttp3 && \
+ git clone --depth 1 --branch ${NGTCP2_TAG} https://github.com/ngtcp2/ngtcp2
 # build liboqs
 WORKDIR /opt/liboqs
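Review bot: The clone at `git clone --depth 1 --branch ${OPENSSL_TAG} https://github.com/quictls/openssl.git`, and the nghttp3/ngtcp2 lines below it, fetch whatever ref the build arg names without recording or verifying what was resolved, and git tags are mutable, so a moved or re-pushed tag changes the contents of the image with no build failure; the CI job also intentionally passes `main` for four of these args. If the published image is meant to be reproducible, at least print the resolved revisions into the build log, e.g. append `&& git -C liboqs rev-parse HEAD && git -C openssl rev-parse HEAD` (and the same for the other three checkouts) to this RUN, or pin to commit hashes, which would need a `git fetch --depth 1 origin <sha> && git checkout FETCH_HEAD` form because `--branch` accepts only branch and tag names. The identical hunk in ngtcp2/Dockerfile-server has the same property.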
@@ -31,17 +48,24 @@ RUN mkdir build && cd build && cmake -GNinja -DCMAKE_INSTALL_PREFIX=${INSTALLDIR
 # build openssl 3
 WORKDIR /opt/openssl
 RUN LDFLAGS="-Wl,-rpath -Wl,${INSTALLDIR}/lib64" ./config shared --prefix=${INSTALLDIR} && \
- make ${MAKE_DEFINES} && make install_sw install_ssldirs;
+ make ${MAKE_DEFINES} && make install_sw install_ssldirs && \
+ if [ -d ${INSTALLDIR}/lib64 ]; then ln -s ${INSTALLDIR}/lib64 ${INSTALLDIR}/lib; fi && \
+ if [ -d ${INSTALLDIR}/lib ]; then ln -s ${INSTALLDIR}/lib ${INSTALLDIR}/lib64; fi
 # build & install provider (and activate by default)
 WORKDIR /opt/oqs-provider
-RUN ln -s ../openssl . && cmake -DOPENSSL_ROOT_DIR=${INSTALLDIR} -DCMAKE_BUILD_TYPE=Release -DCMAKE_PREFIX_PATH=${INSTALLDIR} -S . -B _build && cmake --build _build && cp _build/lib/oqsprovider.so ${INSTALLDIR}/lib64/ossl-modules && sed -i "s/default = default_sect/default = default_sect\noqsprovider = oqsprovider_sect/g" /opt/oqssa/ssl/openssl.cnf && sed -i "s/\[default_sect\]/\[default_sect\]\nactivate = 1\n\[oqsprovider_sect\]\nactivate = 1\n/g" /opt/oqssa/ssl/openssl.cnf && sed -i "s/providers = provider_sect/providers = provider_sect\nssl_conf = ssl_sect\n\n\[ssl_sect\]\nsystem_default = system_default_sect\n\n\[system_default_sect\]\nGroups = \$ENV\:\:KEM_ALG\n/g" /opt/oqssa/ssl/openssl.cnf && sed -i "s/\# Use this in order to automatically load providers/\# Set default KEM alg if not set via environment variable\nKEM_ALG = kyber512\n\n# Use this in order to automatically load providers/g" /opt/oqssa/ssl/openssl.cnf
+RUN ln -s ../openssl . && \
+ cmake -DOPENSSL_ROOT_DIR=${INSTALLDIR} -DCMAKE_BUILD_TYPE=Release -DCMAKE_PREFIX_PATH=${INSTALLDIR} -S . -B _build && \
+ cmake --build _build && cp _build/lib/oqsprovider.so ${INSTALLDIR}/lib64/ossl-modules && \
+ sed -i "s/default = default_sect/default = default_sect\noqsprovider = oqsprovider_sect/g" /opt/oqssa/ssl/openssl.cnf && \
+ sed -i "s/\[default_sect\]/\[default_sect\]\nactivate = 1\n\[oqsprovider_sect\]\nactivate = 1\n/g" /opt/oqssa/ssl/openssl.cnf && \
+ sed -i "s/providers = provider_sect/providers = provider_sect\nssl_conf = ssl_sect\n\n\[ssl_sect\]\nsystem_default = system_default_sect\n\n\[system_default_sect\]\nGroups = \$ENV\:\:KEM_ALG\n/g" /opt/oqssa/ssl/openssl.cnf && \
+ sed -i "s/\# Use this in order to automatically load providers/\# Set default KEM alg if not set via environment variable\nKEM_ALG = kyber512\n\n# Use this in order to automatically load providers/g" /opt/oqssa/ssl/openssl.cnf
 # build nghttp3
 WORKDIR /opt/nghttp3
-RUN autoreconf -i && ./configure --prefix=$PWD/build --enable-lib-only && make -j$(nproc) check && make install
-
+RUN git submodule update --init && autoreconf -i && ./configure --prefix=$PWD/build --enable-lib-only && make -j$(nproc) check && make install
 # build ngtcp2
 WORKDIR /opt/ngtcp2
@@ -59,7 +83,7 @@ RUN mkdir /opt/lib && cd /opt/lib && \
 cp /usr/lib/libgcc_s.so.* .
 ## second stage: Only create minimal image without build tooling and intermediate build results generated above:
-FROM alpine as dev
+FROM alpine:${ALPINE_VERSION} as dev
 ENV DEBIAN_FRONTEND=noninteractive
 RUN apk update && apk upgrade
@@ -71,3 +95,5 @@ COPY --from=intermediate /opt/ngtcp2/examples/qtlsclient /usr/local/bin
 COPY --from=intermediate /opt/lib /usr/local/lib
 COPY --from=intermediate /opt/oqssa/lib64/ossl-modules/oqsprovider.so /opt/oqssa/lib64/ossl-modules/oqsprovider.so
 COPY --from=intermediate /opt/oqssa/ssl/openssl.cnf /opt/oqssa/ssl/openssl.cnf
+
+RUN ln -s /opt/oqssa/lib64 /opt/oqssa/lib;
diff --git a/ngtcp2/Dockerfile-server b/ngtcp2/Dockerfile-server
index 583d6274..a0411640 100644
--- a/ngtcp2/Dockerfile-server
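Review bot: The two symlink guards added after `make install_sw install_ssldirs` are not mutually exclusive: when `${INSTALLDIR}/lib64` exists the first `if` creates `lib -> lib64`, after which `[ -d ${INSTALLDIR}/lib ]` is also true because `test -d` follows the symlink, so the second `ln -s ${INSTALLDIR}/lib ${INSTALLDIR}/lib64` runs against an existing directory and, rather than failing, drops a circular `lib64/lib` link inside it. That stray loop stays in the intermediate stage only, since the dev stage copies individual files, but it is not what the lines intend and it makes the layout harder to reason about. Make the second branch depend on the first not having fired and link only when the target is absent: `if [ -d ${INSTALLDIR}/lib64 ] && [ ! -e ${INSTALLDIR}/lib ]; then ln -s ${INSTALLDIR}/lib64 ${INSTALLDIR}/lib; elif [ -d ${INSTALLDIR}/lib ] && [ ! -e ${INSTALLDIR}/lib64 ]; then ln -s ${INSTALLDIR}/lib ${INSTALLDIR}/lib64; fi`. The same two lines appear in the corresponding hunk of ngtcp2/Dockerfile-server.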
+++ b/ngtcp2/Dockerfile-server
@@ -1,10 +1,27 @@
 # Multi-stage build: First the full builder image:
-FROM alpine as intermediate
+
+# define the alpine image version to use
+ARG ALPINE_VERSION=3.20
+
+FROM alpine:${ALPINE_VERSION} as intermediate
 ENV DEBIAN_FRONTEND=noninteractive
-ARG LIBOQS_TAG=main
-ARG OQSPROVIDER_TAG=main
+# define the quictls openssl tag to be used
+ARG OPENSSL_TAG=openssl-3.3.0-quic1
+
+# define the liboqs tag to be used
+ARG LIBOQS_TAG=0.11.0
+
+# define the oqsprovider tag to be used
+ARG OQSPROVIDER_TAG=0.7.0
+
+# define the nghttp3 tag to be used
+ARG NGHTTP3_TAG=v1.6.0
+
+# define the ngtcp2 tag to be used
+ARG NGTCP2_TAG=v1.8.1
+
 ARG INSTALLDIR=/opt/oqssa
 # Update image and apt software
@@ -18,10 +35,10 @@ WORKDIR /opt
 # get all sources
 RUN git clone --depth 1 --branch ${LIBOQS_TAG} https://github.com/open-quantum-safe/liboqs && \
- git clone --depth 1 --branch openssl-3.0.8+quic https://github.com/quictls/openssl.git && \
+ git clone --depth 1 --branch ${OPENSSL_TAG} https://github.com/quictls/openssl.git && \
 git clone --depth 1 --branch ${OQSPROVIDER_TAG} https://github.com/open-quantum-safe/oqs-provider.git && \
- git clone --depth 1 --branch main https://github.com/ngtcp2/nghttp3 && \
- git clone --depth 1 --branch main https://github.com/ngtcp2/ngtcp2
+ git clone --depth 1 --branch ${NGHTTP3_TAG} https://github.com/ngtcp2/nghttp3 && \
+ git clone --depth 1 --branch ${NGTCP2_TAG} https://github.com/ngtcp2/ngtcp2
 # build liboqs
 WORKDIR /opt/liboqs
@@ -31,17 +48,24 @@ RUN mkdir build && cd build && cmake -GNinja -DCMAKE_INSTALL_PREFIX=${INSTALLDIR
 # build openssl 3
 WORKDIR /opt/openssl
 RUN LDFLAGS="-Wl,-rpath -Wl,${INSTALLDIR}/lib64" ./config shared --prefix=${INSTALLDIR} && \
- make ${MAKE_DEFINES} && make install_sw install_ssldirs;
+ make ${MAKE_DEFINES} && make install_sw install_ssldirs && \
+ if [ -d ${INSTALLDIR}/lib64 ]; then ln -s ${INSTALLDIR}/lib64 ${INSTALLDIR}/lib; fi && \
+ if [ -d ${INSTALLDIR}/lib ]; then ln -s ${INSTALLDIR}/lib ${INSTALLDIR}/lib64; fi
 # build & install provider (and activate by default)
 WORKDIR /opt/oqs-provider
-RUN ln -s ../openssl . && cmake -DOPENSSL_ROOT_DIR=${INSTALLDIR} -DCMAKE_BUILD_TYPE=Release -DCMAKE_PREFIX_PATH=${INSTALLDIR} -S . -B _build && cmake --build _build && cp _build/lib/oqsprovider.so ${INSTALLDIR}/lib64/ossl-modules && sed -i "s/default = default_sect/default = default_sect\noqsprovider = oqsprovider_sect/g" /opt/oqssa/ssl/openssl.cnf && sed -i "s/\[default_sect\]/\[default_sect\]\nactivate = 1\n\[oqsprovider_sect\]\nactivate = 1\n/g" /opt/oqssa/ssl/openssl.cnf && sed -i "s/providers = provider_sect/providers = provider_sect\nssl_conf = ssl_sect\n\n\[ssl_sect\]\nsystem_default = system_default_sect\n\n\[system_default_sect\]\nGroups = \$ENV\:\:KEM_ALG\n/g" /opt/oqssa/ssl/openssl.cnf && sed -i "s/\# Use this in order to automatically load providers/\# Set default KEM alg if not set via environment variable\nKEM_ALG = kyber512\n\n# Use this in order to automatically load providers/g" /opt/oqssa/ssl/openssl.cnf
+RUN ln -s ../openssl . && \
+ cmake -DOPENSSL_ROOT_DIR=${INSTALLDIR} -DCMAKE_BUILD_TYPE=Release -DCMAKE_PREFIX_PATH=${INSTALLDIR} -S . -B _build && \
+ cmake --build _build && cp _build/lib/oqsprovider.so ${INSTALLDIR}/lib64/ossl-modules && \
+ sed -i "s/default = default_sect/default = default_sect\noqsprovider = oqsprovider_sect/g" /opt/oqssa/ssl/openssl.cnf && \
+ sed -i "s/\[default_sect\]/\[default_sect\]\nactivate = 1\n\[oqsprovider_sect\]\nactivate = 1\n/g" /opt/oqssa/ssl/openssl.cnf && \
+ sed -i "s/providers = provider_sect/providers = provider_sect\nssl_conf = ssl_sect\n\n\[ssl_sect\]\nsystem_default = system_default_sect\n\n\[system_default_sect\]\nGroups = \$ENV\:\:KEM_ALG\n/g" /opt/oqssa/ssl/openssl.cnf && \
+ sed -i "s/\# Use this in order to automatically load providers/\# Set default KEM alg if not set via environment variable\nKEM_ALG = kyber512\n\n# Use this in order to automatically load providers/g" /opt/oqssa/ssl/openssl.cnf
 # build nghttp3
 WORKDIR /opt/nghttp3
-RUN autoreconf -i && ./configure --prefix=$PWD/build --enable-lib-only && make -j$(nproc) check && make install
-
+RUN git submodule update --init && autoreconf -i && ./configure --prefix=$PWD/build --enable-lib-only && make -j$(nproc) check && make install
 # build ngtcp2
 WORKDIR /opt/ngtcp2
@@ -63,7 +87,7 @@ RUN mkdir /opt/lib && cd /opt/lib && \
 cp /usr/lib/libgcc_s.so.* .
 ## second stage: Only create minimal image without build tooling and intermediate build results generated above:
-FROM alpine as dev
+FROM alpine:${ALPINE_VERSION} as dev
 ENV DEBIAN_FRONTEND=noninteractive
 RUN apk update && apk upgrade && apk add mailcap && echo "This is my index page">index.html
@@ -80,4 +104,6 @@ COPY --from=intermediate /opt/lib /usr/local/lib
 COPY --from=intermediate /opt/oqssa/lib64/ossl-modules/oqsprovider.so /opt/oqssa/lib64/ossl-modules/oqsprovider.so
 COPY --from=intermediate /opt/oqssa/ssl/openssl.cnf /opt/oqssa/ssl/openssl.cnf
+RUN ln -s /opt/oqssa/lib64 /opt/oqssa/lib;
+
 CMD ["./serverstart.sh"]
diff --git a/ngtcp2/USAGE-client.md b/ngtcp2/USAGE-client.md
index 328315d9..499d7872 100644
--- a/ngtcp2/USAGE-client.md
+++ b/ngtcp2/USAGE-client.md @@ -15,10 +15,10 @@ will run the container for the quantum-safe crypto (QSC) protected ngtcp2 client ### ngtcp2 client To interact with the ngtcp2 server, run ``` -client
[][--groups ] +qtlsclient
[][--groups ] ``` -For example, `client ngtcp2server 6000 https://ngtcp2server --groups kyber512` +For example, `qtlsclient ngtcp2server 6000 https://ngtcp2server --groups kyber512` By default the ngtcp2 client supports X25519, P-256, P-384 and P-521 for key exchange but any plain or hybrid QSC (Quantum-Safe Cryptography) algorithm can be selected. [See list of supported key exchange algorithms here](https://github.com/open-quantum-safe/oqs-provider#algorithms). @@ -27,7 +27,7 @@ If multiple algorithms are selected, they are separated with colons. For example, `--groups=kyber512:p256_bikel1` -For more options, run `client --help` +For more options, run `qtlsclient --help` ## Disclaimer diff --git a/ngtcp2/USAGE-server.md b/ngtcp2/USAGE-server.md index b5bccf3f..94da6d60 100644 --- a/ngtcp2/USAGE-server.md +++ b/ngtcp2/USAGE-server.md @@ -30,11 +30,11 @@ docker exec -it ngtcp2server sh Once inside the container, start the server using ``` -server
--groups= +qtlsserver
--groups= ``` For example, ```sh -server "*" 6000 /certs/server.key /certs/server.crt --groups=kyber512 +qtlsserver "*" 6000 /certs/server.key /certs/server.crt --groups=kyber512 ``` By default the ngtcp2 server supports X25519, P-256, P-384 and P-521 for key exchange but any plain or hybrid QSC (Quantum-Safe Cryptography) algorithm can be selected. [See list of supported key exchange algorithms here](https://github.com/open-quantum-safe/oqs-provider#algorithms). @@ -42,7 +42,7 @@ By default the ngtcp2 server supports X25519, P-256, P-384 and P-521 for key exc If multiple algorithms are selected, they are separated with colons. For example `--groups=kyber512:p256_bikel1` -For more options, run `server --help` +For more options, run `qtlsserver --help` ## Disclaimer diff --git a/ngtcp2/serverstart.sh b/ngtcp2/serverstart.sh index 68e1873d..16484f60 100755 --- a/ngtcp2/serverstart.sh +++ b/ngtcp2/serverstart.sh @@ -1,7 +1,7 @@ #!/bin/sh set -e -# Optionally set KEM to one defined in https://github.com/open-quantum-safe/openssl#key-exchange +# Optionally set KEM to one defined in https://github.com/open-quantum-safe/oqs-provider#algorithms if [ "x$KEM_ALG" == "x" ]; then export KEM_ALG=kyber512 fi
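Review bot: `if [ "x$KEM_ALG" == "x" ]; then`, the context line directly under the updated comment, uses `==` inside `[ ]` under `#!/bin/sh`; POSIX `test` defines only `=`, and while BusyBox ash in the Alpine image accepts `==`, a stricter `/bin/sh` such as dash rejects the expression with "unexpected operator", in which case the `if` takes the false branch and the `kyber512` default is silently never exported. The portable form is `if [ -z "$KEM_ALG" ]; then`, which also removes the need for the `x` prefix. The rest of serverstart.sh is outside the hunk, so whether the unset variable is caught later cannot be seen here.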