update openvpn

Co-authored-by: Dave Kelsey <[email protected]>
ajbozarth · Oct 25, 2024 · 67bd003 · 67bd003
1 parent 8ca9e7b
commit 67bd003
Show file tree

Hide file tree

Showing 4 changed files with 60 additions and 23 deletions.
diff --git a/openvpn/Dockerfile b/openvpn/Dockerfile
@@ -1,10 +1,15 @@
 # Multi-stage build: First the full builder image:
 
+# define the openssl tag to be used
+ARG OPENSSL_TAG=openssl-3.3.2
+
 # define the liboqs tag to be used
-ARG LIBOQS_TAG=main
+ARG LIBOQS_TAG=0.11.0
 
 # define the oqsprovider tag to be used
-ARG OQSPROVIDER_TAG=main
+ARG OQSPROVIDER_TAG=0.7.0
+
+ARG OPENVPN_TAG=v2.6.12
 
 # Default location where all binaries wind up:
 ARG INSTALLDIR=/opt/oqssa
@@ -23,15 +28,17 @@ ARG KEM_ALGLIST="kyber768:p384_kyber768"
 
 FROM debian:bullseye as intermediate
 # Take in all global args
+ARG OPENSSL_TAG
 ARG LIBOQS_TAG
 ARG OQSPROVIDER_TAG
+ARG OPENVPN_TAG
 ARG INSTALLDIR
 ARG LIBOQS_BUILD_DEFINES
 ARG MAKE_DEFINES
 ARG KEM_ALGLIST
 ARG OPENVPNDIR
 
-LABEL version="2"
+LABEL version "2"
 
 ENV DEBIAN_FRONTEND noninteractive
 
@@ -49,25 +56,33 @@ RUN apt install -y  \
 # get all sources
 WORKDIR /opt
 RUN git clone --depth 1 --branch ${LIBOQS_TAG} https://github.com/open-quantum-safe/liboqs && \
-    git clone --depth 1 --branch master https://github.com/openssl/openssl.git && \
+    git clone --depth 1 --branch ${OPENSSL_TAG} https://github.com/openssl/openssl.git && \
     git clone --depth 1 --branch ${OQSPROVIDER_TAG} https://github.com/open-quantum-safe/oqs-provider.git && \
-    git clone https://github.com/OpenVPN/openvpn.git
+    git clone --depth 1 --branch ${OPENVPN_TAG} https://github.com/OpenVPN/openvpn.git
 
 # build liboqs
 WORKDIR /opt/liboqs
 RUN mkdir build && cd build && cmake -G"Ninja" .. ${LIBOQS_BUILD_DEFINES} -DCMAKE_INSTALL_PREFIX=${INSTALLDIR} && ninja install
 
 # build OpenSSL3
 WORKDIR /opt/openssl
-RUN LDFLAGS="-Wl,-rpath -Wl,${INSTALLDIR}/lib64" ./config shared --prefix=${INSTALLDIR} && \
-    make ${MAKE_DEFINES} && make install_sw install_ssldirs;
+RUN openssl_libdir='lib64' && if [ "$(uname -m)" = "aarch64" ]; then openssl_libdir='lib'; fi && \
+    LDFLAGS="-Wl,-rpath -Wl,${INSTALLDIR}/$openssl_libdir" ./config shared --prefix=${INSTALLDIR} && \
+    make ${MAKE_DEFINES} && \
+    make install_sw install_ssldirs;
 
 # set path to use 'new' openssl. Dyn libs have been properly linked in to match
 ENV PATH="${INSTALLDIR}/bin:${PATH}"
 
 # build & install provider (and activate by default)
 WORKDIR /opt/oqs-provider
-RUN ln -s ../openssl . && cmake -DOPENSSL_ROOT_DIR=${INSTALLDIR} -DCMAKE_BUILD_TYPE=Release -DCMAKE_PREFIX_PATH=${INSTALLDIR} -S . -B _build && cmake --build _build  && cp _build/lib/oqsprovider.so ${INSTALLDIR}/lib64/ossl-modules && sed -i "s/default = default_sect/default = default_sect\noqsprovider = oqsprovider_sect/g" /opt/oqssa/ssl/openssl.cnf && sed -i "s/\[default_sect\]/\[default_sect\]\nactivate = 1\n\[oqsprovider_sect\]\nactivate = 1\n/g" /opt/oqssa/ssl/openssl.cnf && sed -i "s/providers = provider_sect/providers = provider_sect\nssl_conf = ssl_sect\n\n\[ssl_sect\]\nsystem_default = system_default_sect\n\n\[system_default_sect\]\nGroups = ${KEM_ALGLIST}\n/g" /opt/oqssa/ssl/openssl.cnf
+RUN ln -s ../openssl . && \
+    openssl_libdir='lib64' && if [ "$(uname -m)" = "aarch64" ]; then openssl_libdir='lib'; fi && \
+    cmake -DOPENSSL_ROOT_DIR=${INSTALLDIR} -DCMAKE_BUILD_TYPE=Release -DCMAKE_PREFIX_PATH=${INSTALLDIR} -S . -B _build && \
+    cmake --build _build  && cp _build/lib/oqsprovider.so ${INSTALLDIR}/$openssl_libdir/ossl-modules && \
+    sed -i "s/default = default_sect/default = default_sect\noqsprovider = oqsprovider_sect/g" /opt/oqssa/ssl/openssl.cnf && \
+    sed -i "s/\[default_sect\]/\[default_sect\]\nactivate = 1\n\[oqsprovider_sect\]\nactivate = 1\n/g" /opt/oqssa/ssl/openssl.cnf && \
+    sed -i "s/providers = provider_sect/providers = provider_sect\nssl_conf = ssl_sect\n\n\[ssl_sect\]\nsystem_default = system_default_sect\n\n\[system_default_sect\]\nGroups = ${KEM_ALGLIST}\n/g" /opt/oqssa/ssl/openssl.cnf
 
 
 # build openvpn based on OpenSSL3
@@ -76,8 +91,16 @@ ENV OPENSSL3_DIR=${INSTALLDIR}
 
 WORKDIR /opt/openvpn
 
-RUN libtoolize --force && aclocal && autoheader && automake --force-missing --add-missing && autoconf && \
-    CFLAGS="-I$OPENSSL3_DIR/include -Wl,-rpath=$OPENSSL3_DIR/lib64 -L$OPENSSL3_DIR/lib64" ./configure --prefix=${INSTALLDIR} --disable-lz4 && make ${MAKE_DEFINES} && make check && make install
+RUN openssl_libdir='lib64' && if [ "$(uname -m)" = "aarch64" ]; then openssl_libdir='lib'; fi && \
+    libtoolize --force && \
+    aclocal && \
+    autoheader && \
+    automake --force-missing --add-missing && \
+    autoconf && \
+    CFLAGS="-I$OPENSSL3_DIR/include -Wl,-rpath=$OPENSSL3_DIR/$openssl_libdir -L$OPENSSL3_DIR/$openssl_libdir" ./configure --prefix=${INSTALLDIR} --disable-lz4 && \
+    make ${MAKE_DEFINES} && \
+    make check && \
+    make install
 
 ## second stage: Only create minimal image without build tooling and intermediate build results generated above:
 FROM debian:bullseye-slim
@@ -86,7 +109,14 @@ ARG INSTALLDIR
 ARG OPENVPNDIR
 
 # install basics to run executable and enable network control
-RUN apt update && apt upgrade -y && apt install -y liblzo2-2 libnl-3-200 libnl-genl-3-200 procps net-tools iputils-ping && mkdir -p ${OPENVPNDIR}
+RUN apt update && apt upgrade -y && \
+    apt install -y liblzo2-2 \
+    libnl-3-200 \
+    libnl-genl-3-200 \
+    procps \
+    net-tools \
+    iputils-ping && \
+    mkdir -p ${OPENVPNDIR}
 
 # Only retain the ${INSTALLDIR} contents in the final image
 COPY --from=intermediate ${INSTALLDIR} ${INSTALLDIR}
@@ -104,7 +134,7 @@ COPY createcerts_and_config.sh ${INSTALLDIR}/bin
 WORKDIR ${OPENVPNDIR}
 
 # Activate to limit access to normal user rights
-#RUN addgroup -g 1000 -S oqs && adduser --uid 1000 -S oqs -G oqs 
+#RUN addgroup -g 1000 -S oqs && adduser --uid 1000 -S oqs -G oqs
 #USER oqs
 
 CMD ["serverstart.sh"]

diff --git a/openvpn/README.md b/openvpn/README.md
@@ -46,4 +46,4 @@ The default is conservative and known not to overload normal machines. If one ha
 
 Defines the list of QSC KEM algorithms to be supported by default. This value is colon separated and inserted into the system-wide `openssl.cnf` configuration file defining the behaviour of the OpenSSL3 library embedded into the OpenVPN code base.
 
-The default value is "kyber768:p384_kyber768". Any algorithm name(s) [supported by OQS-OpenSSL](https://github.com/open-quantum-safe/openssl/tree/OQS-OpenSSL_1_1_1-stable#key-exchange) can be chosen instead.
+The default value is "kyber768:p384_kyber768". Any algorithm name(s) [supported by OQS OpenSSL 3 provider](https://github.com/open-quantum-safe/oqs-provider#algorithms) can be chosen instead.
diff --git a/openvpn/USAGE.md b/openvpn/USAGE.md
@@ -53,7 +53,7 @@ The last three commands clean up all data structures established.
 
 ## Advanced usage options
 
-The docker image has been pre-configured to use the quantum-safe crypto (QSC) algorithm family "Kyber" for key establishment. For TLS1.3 handshaking, the QSC algorithm "dilithium3" is configured by default, but for both algorithm types, any plain or hybrid QSC algorithm can be selected. For the full list of supported OQS KEM and signature algorithms see here](https://github.com/open-quantum-safe/oqs-provider#algorithms).
+The docker image has been pre-configured to use the quantum-safe crypto (QSC) algorithm family "Kyber" for key establishment. For TLS1.3 handshaking, the QSC algorithm "dilithium3" is configured by default, but for both algorithm types, any plain or hybrid QSC algorithm can be selected. For the full list of supported OQS KEM and signature algorithms see [here](https://github.com/open-quantum-safe/oqs-provider#algorithms).
 
 ### TLS_GROUPS
 

diff --git a/openvpn/test.sh b/openvpn/test.sh
@@ -22,36 +22,42 @@ if [ ! -z "$1" ]; then
     export OQS_SIGALG=$1
 fi
 
-RC=0 
+RC=0
 
+echo "Creating test volume $OQS_DATA and test network $OQS_NETWORK"
 docker volume create --name $OQS_DATA && docker network create $OQS_NETWORK
 
 if [ $? -ne 0 ]; then
    echo "Could not create volume and network. Exiting."
    exit 1
 fi
+echo "Test volume $OQS_DATA and test network $OQS_NETWORK created successfully"
 
 # use docker image to create certs and openvpn config
+echo "Creating test certs and config"
 docker run -e OQSSIGALG=$OQS_SIGALG -e SERVERFQDN=$OQS_SERVER -e CLIENTFQDN=$OQS_CLIENT -v $OQS_DATA:/config/openvpn --rm $OQS_OPENVPN_DOCKERIMAGE sh -c "cd /config/openvpn && createcerts_and_config.sh"
 
 if [ $? -ne 0 ]; then
    echo "Could not create certs and config correctly. Exiting."
    RC=1
 fi
+echo "Test certs and config created successfully"
 
+echo "Starting test openvpn server and client"
 # OQS server & test client:
 if [ -z "$2" ]; then
-# use default TLS_GROUPS
-docker run --rm --name $OQS_SERVER --net $OQS_NETWORK -v $OQS_DATA:/etc/openvpn -d --cap-add=NET_ADMIN $OQS_OPENVPN_DOCKERIMAGE
-docker run --rm --name $OQS_CLIENT --net $OQS_NETWORK -v $OQS_DATA:/etc/openvpn --cap-add=NET_ADMIN -d $OQS_OPENVPN_DOCKERIMAGE clientstart.sh
+   # use default TLS_GROUPS
+   docker run --rm --name $OQS_SERVER --net $OQS_NETWORK -v $OQS_DATA:/etc/openvpn -d --cap-add=NET_ADMIN $OQS_OPENVPN_DOCKERIMAGE
+   docker run --rm --name $OQS_CLIENT --net $OQS_NETWORK -v $OQS_DATA:/etc/openvpn --cap-add=NET_ADMIN -d $OQS_OPENVPN_DOCKERIMAGE clientstart.sh
 else
-# assume the first parameter to be (a list of) TLS_GROUPS to be utilized:
-docker run -e TLS_GROUPS=$2 --rm --name $OQS_SERVER --net $OQS_NETWORK -v $OQS_DATA:/etc/openvpn -d --cap-add=NET_ADMIN oqs-openvpn 
-docker run -e TLS_GROUPS=$2 --rm --name $OQS_CLIENT --net $OQS_NETWORK -v $OQS_DATA:/etc/openvpn --cap-add=NET_ADMIN -d oqs-openvpn clientstart.sh
+   # assume the first parameter to be (a list of) TLS_GROUPS to be utilized:
+   docker run -e TLS_GROUPS=$2 --rm --name $OQS_SERVER --net $OQS_NETWORK -v $OQS_DATA:/etc/openvpn -d --cap-add=NET_ADMIN oqs-openvpn
+   docker run -e TLS_GROUPS=$2 --rm --name $OQS_CLIENT --net $OQS_NETWORK -v $OQS_DATA:/etc/openvpn --cap-add=NET_ADMIN -d oqs-openvpn clientstart.sh
 fi
 
 # Allow time to start up
 sleep 3
+echo "Startup completed, checking initialization worked OK"
 # Check that initialization went OK for both server and client:
 docker logs $OQS_SERVER | grep "Initialization Sequence Completed"
 if [ $? -ne 0 ]; then
@@ -65,13 +71,14 @@ if [ $? -ne 0 ]; then
 fi
 
 # cleanup
-
 docker kill $OQS_SERVER $OQS_CLIENT
 docker network rm $OQS_NETWORK
 # Allow time to clean data structures
 sleep 3
 docker volume rm $OQS_DATA
-if [ $RC -ne 0 ]; then
+if [ $RC -eq 0 ]; then
+   echo "Test completed successfully"
+else
    echo "Test failed."
 fi
 exit $RC
Original file line number	Diff line number	Diff line change
Expand Up		@@ -46,4 +46,4 @@ The default is conservative and known not to overload normal machines. If one ha

		Defines the list of QSC KEM algorithms to be supported by default. This value is colon separated and inserted into the system-wide `openssl.cnf` configuration file defining the behaviour of the OpenSSL3 library embedded into the OpenVPN code base.

		The default value is "kyber768:p384_kyber768". Any algorithm name(s) [supported by OQS-OpenSSL](https://github.com/open-quantum-safe/openssl/tree/OQS-OpenSSL_1_1_1-stable#key-exchange) can be chosen instead.
		The default value is "kyber768:p384_kyber768". Any algorithm name(s) [supported by OQS OpenSSL 3 provider](https://github.com/open-quantum-safe/oqs-provider#algorithms) can be chosen instead.