From 333de4b97c506dc42362a419d5c839852813e1d9 Mon Sep 17 00:00:00 2001 From: Alex Bozarth Date: Wed, 20 Nov 2024 03:55:24 -0600 Subject: [PATCH] Pin libraries to current releases (#298) Updates demos to use a pinned release version rather than main/master Updates demo builds to support both linux/amd64 and linux/arm64 Deprecates demos that could not be updated, for whatever reason haproxy and mosquitto demo updates provided by David Kelsey 
Signed-off-by: Alex Bozarth
---
.circleci/config.yml | 115 ++++++++++++++++++----
README.md | 41 ++++----
curl/Dockerfile | 36 +++++--
curl/README.md | 12 ++-
curl/USAGE.md | 2 +-
envoy/README.md | 5 +-
epiphany/README.md | 7 +-
h2load/Dockerfile | 41 ++++++--
h2load/README.md | 2 +-
h2load/USAGE.md | 2 +-
haproxy/Dockerfile | 162 +++++++++++++++++++------------
haproxy/README.md | 44 ++++-----
haproxy/USAGE.md | 30 +++---
haproxy/conf/haproxy.cfg | 4 +-
httpd/Dockerfile | 40 +++++---
httpd/README.md | 11 ++-
httpd/USAGE.md | 2 +-
mosquitto/Dockerfile | 153 ++++++++++++++++++-----------
mosquitto/README.md | 54 ++++-------
mosquitto/USAGE.md | 32 +++---
nginx/Dockerfile | 39 ++++++--
nginx/README.md | 12 ++-
nginx/USAGE.md | 2 +-
nginx/fulltest/Dockerfile | 32 +++---
nginx/fulltest/chromium-template | 2 +-
nginx/fulltest/index-template | 2 +-
ngtcp2/Dockerfile-client | 48 ++++++---
ngtcp2/Dockerfile-server | 48 ++++++---
ngtcp2/README.md | 2 +-
ngtcp2/USAGE-client.md | 8 +-
ngtcp2/USAGE-server.md | 8 +-
ngtcp2/serverstart.sh | 2 +-
openlitespeed/README.md | 7 +-
openlitespeed/USAGE-client.md | 2 +-
openlitespeed/USAGE-server.md | 2 +-
openssh/Dockerfile | 27 ++++--
openssh/README.md | 10 +-
openssh/USAGE.md | 20 ++--
openssh/connect-test.sh | 2 +-
openssh/serverstart.sh | 2 +-
openssh/ssh_config | 6 +-
openssh/sshd_config | 6 +-
openssl3/Dockerfile | 54 ++++++++---
openssl3/Dockerfile-interop | 43 ++++++--
openssl3/README.md | 27 ++++--
openssl3/USAGE.md | 8 +-
openvpn/Dockerfile | 54 ++++++++---
openvpn/README.md | 4 +-
openvpn/USAGE.md | 4 +-
openvpn/test.sh | 25 +++--
unbound/README.md | 5 +-
wireshark/README.md | 5 +
52 files changed, 852 insertions(+), 461 deletions(-)
mode change 100755 => 100644 openvpn/test.sh
diff --git a/.circleci/config.yml b/.circleci/config.yml
index ac55e942..02f5fe71 100644
--- a/.circleci/config.yml
+++ b/.circleci/config.yml
@@ -35,13 +35,19 @@ jobs: - run: name: Build Provider command: | - docker build --build-arg MAKE_DEFINES="-j 18" -t oqs-ossl3-img . + docker build --build-arg MAKE_DEFINES="-j 18" -t oqs-ossl3-img . && + docker build --build-arg MAKE_DEFINES="-j 18" --build-arg OPENSSL_TAG=master --build-arg LIBOQS_TAG=main --build-arg OQSPROVIDER_TAG=main -t oqs-ossl3-img-main . working_directory: openssl3 - run: name: Spot-test Provider -- One baseline and one hybrid QSC alg command: | docker run --rm --name oqs-ossl3 oqs-ossl3-img sh -c "openssl list -providers; /opt/openssl32/bin/serverstart.sh; sleep 2; echo 'GET /' | openssl s_client -connect localhost --groups kyber768 --CAfile /opt/openssl32/bin/CA.crt" && docker run --rm --name oqs-ossl3 oqs-ossl3-img sh -c "KEM_ALG=p521_frodo1344aes /opt/openssl32/bin/serverstart.sh; sleep 2; echo 'GET /' | openssl s_client -connect localhost --groups p521_frodo1344aes --CAfile /opt/openssl32/bin/CA.crt" + - run: + name: Spot-test Provider -- One baseline and one hybrid QSC alg (main/master) + command: | + docker run --rm --name oqs-ossl3-main oqs-ossl3-img-main sh -c "openssl list -providers; /opt/openssl32/bin/serverstart.sh; sleep 2; echo 'GET /' | openssl s_client -connect localhost --groups kyber768 --CAfile /opt/openssl32/bin/CA.crt" && + docker run --rm --name oqs-ossl3-main oqs-ossl3-img-main sh -c "KEM_ALG=p521_frodo1344aes /opt/openssl32/bin/serverstart.sh; sleep 2; echo 'GET /' | openssl s_client -connect localhost --groups p521_frodo1344aes --CAfile /opt/openssl32/bin/CA.crt" - when: condition: or: 
@@ -73,17 +79,23 @@ jobs: - run: name: Build OQS nginx command: | - docker build --build-arg MAKE_DEFINES="-j 18" -t oqs-nginx-img . + docker build --build-arg MAKE_DEFINES="-j 18" -t oqs-nginx-img . && + docker build --build-arg MAKE_DEFINES="-j 18" --build-arg OPENSSL_TAG=master --build-arg LIBOQS_TAG=main --build-arg OQSPROVIDER_TAG=main -t oqs-nginx-img-main . working_directory: nginx - run: name: Build curl with generic liboqs command: | - docker build --build-arg MAKE_DEFINES="-j 18" --build-arg LIBOQS_BUILD_DEFINES="-DOQS_OPT_TARGET=generic" -t oqs-curl-generic . + docker build --build-arg MAKE_DEFINES="-j 18" --build-arg LIBOQS_BUILD_DEFINES="-DOQS_OPT_TARGET=generic" -t oqs-curl-generic . && + docker build --build-arg MAKE_DEFINES="-j 18" --build-arg LIBOQS_BUILD_DEFINES="-DOQS_OPT_TARGET=generic" --build-arg OPENSSL_TAG=master --build-arg LIBOQS_TAG=main --build-arg OQSPROVIDER_TAG=main -t oqs-curl-generic-main . working_directory: curl - run: name: Test Curl with generic liboqs command: | - docker run -e TEST_TIME=5 -e KEM_ALG=kyber768 -e SIG_ALG=dilithium3 -it oqs-curl-generic perftest.sh + docker run -e TEST_TIME=5 -e KEM_ALG=kyber768 -e SIG_ALG=dilithium3 -it oqs-curl-generic perftest.sh + - run: + name: Test Curl with generic liboqs (main/master) + command: | + docker run -e TEST_TIME=5 -e KEM_ALG=kyber768 -e SIG_ALG=dilithium3 -it oqs-curl-generic-main perftest.sh - run: name: Test nginx and curl generic command: | @@ -91,6 +103,13 @@ jobs: docker run --network nginx-test --detach --rm --name oqs-nginx oqs-nginx-img && sleep 2 && docker run --network nginx-test oqs-curl-generic curl -k https://oqs-nginx:4433 + - run: + name: Test nginx and curl generic (main/master) + command: | + docker network create nginx-test-main && + docker run --network nginx-test-main --detach --rm --name oqs-nginx-main oqs-nginx-img-main && + sleep 2 && + docker run --network nginx-test-main oqs-curl-generic-main curl -k https://oqs-nginx-main:4433 - when: condition: or: 
@@ -211,7 +230,8 @@ jobs: - run: name: Build Apache httpd command: | - docker build --build-arg MAKE_DEFINES="-j 18" -t oqs-httpd-img . + docker build --build-arg MAKE_DEFINES="-j 18" -t oqs-httpd-img . && + docker build --build-arg MAKE_DEFINES="-j 18" --build-arg OPENSSL_TAG=master --build-arg LIBOQS_TAG=main --build-arg OQSPROVIDER_TAG=main -t oqs-httpd-img-main . working_directory: httpd - run: name: Build Curl (dev) @@ -219,12 +239,17 @@ jobs: # The CircleCI executor offers 35 cores, but using # all of them might exhaust memory docker build --build-arg MAKE_DEFINES="-j 18" -t oqs-curl . && - docker build --build-arg MAKE_DEFINES="-j 18" --target dev -t oqs-curl-dev . + docker build --build-arg MAKE_DEFINES="-j 18" --target dev -t oqs-curl-dev . && + docker build --build-arg MAKE_DEFINES="-j 18" --build-arg OPENSSL_TAG=master --build-arg LIBOQS_TAG=main --build-arg OQSPROVIDER_TAG=main -t oqs-curl-main . && working_directory: curl - run: name: Test Curl (dev) command: | - docker run -e TEST_TIME=5 -e KEM_ALG=kyber768 -e SIG_ALG=dilithium3 -it oqs-curl perftest.sh + docker run -e TEST_TIME=5 -e KEM_ALG=kyber768 -e SIG_ALG=dilithium3 -it oqs-curl perftest.sh + - run: + name: Test Curl (dev) (main/master) + command: | + docker run -e TEST_TIME=5 -e KEM_ALG=kyber768 -e SIG_ALG=dilithium3 -it oqs-curl-main perftest.sh - run: name: Test httpd using curl (dev) command: | @@ -232,6 +257,13 @@ jobs: docker run --network httpd-test --detach --rm --name oqs-httpd oqs-httpd-img && sleep 2 && docker run --network httpd-test oqs-curl curl -k https://oqs-httpd:4433 --curves kyber768 + - run: + name: Test httpd using curl (dev) (main/master) + command: | + docker network create httpd-test-main && + docker run --network httpd-test-main --detach --rm --name oqs-httpd-main oqs-httpd-img-main && + sleep 2 && + docker run --network httpd-test-main oqs-curl-main curl -k https://oqs-httpd:4433 --curves kyber768 - when: condition: or: 
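Review bot: The rewritten "Build Curl (dev)" command (hunk @@ -219) ends with a dangling `&&` on the new `docker build ... -t oqs-curl-main . &&` line with nothing after it, so the shell sees an incomplete command list and the step should fail with a syntax error before any build runs. Drop the trailing operator: `docker build --build-arg MAKE_DEFINES="-j 18" --build-arg OPENSSL_TAG=master --build-arg LIBOQS_TAG=main --build-arg OQSPROVIDER_TAG=main -t oqs-curl-main .`. The other build steps in this commit end their last `docker build` line without the operator.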
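Review bot: In the new "Test httpd using curl (dev) (main/master)" step (hunk @@ -232) the server container is started as `oqs-httpd-main` on network `httpd-test-main`, but the curl call targets `https://oqs-httpd:4433`, a name that only resolves on the `httpd-test` network of the previous step; the request should fail to resolve and the main/master build is never actually exercised. Change it to `docker run --network httpd-test-main oqs-curl-main curl -k https://oqs-httpd-main:4433 --curves kyber768`. The sibling nginx step in the earlier hunk already uses the `-main` host name consistently.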
@@ -287,7 +319,6 @@ jobs: docker tag oqs-haproxy-img $TARGETNAME/haproxy:latest && docker push $TARGETNAME/haproxy:latest -# Not actively maintained: ubuntu_x64_openvpn: description: Building OQS-based OpenVPN docker image docker: @@ -303,10 +334,20 @@ jobs: name: Authenticate to Docker command: echo $DOCKER_PASSWORD | docker login --username $DOCKER_LOGIN --password-stdin + - run: + name: Build OpenVPN (main/master) + command: | + docker build --build-arg MAKE_DEFINES="-j 18" --build-arg OPENSSL_TAG=master --build-arg LIBOQS_TAG=main --build-arg OQSPROVIDER_TAG=main --build-arg OPENVPN_TAG=master -t oqs-openvpn . + working_directory: openvpn + - run: + name: Test OpenVPN using local docker network (main/master) + command: | + ./test.sh dilithium5 p521_kyber1024 + working_directory: openvpn - run: name: Build OpenVPN command: | - docker build --build-arg MAKE_DEFINES="-j 18" -t oqs-openvpn . + docker build --build-arg MAKE_DEFINES="-j 18" -t oqs-openvpn . working_directory: openvpn - run: name: Test OpenVPN using local docker network @@ -399,7 +440,6 @@ jobs: command: | docker push $TARGETNAME/wireshark -# Not actively maintained: ubuntu_x64_ngtcp2: description: Building OQS-based ngtcp2 docker image docker: @@ -420,6 +460,12 @@ jobs: docker build -t oqs-ngtcp2-server -f Dockerfile-server . && docker build -t oqs-ngtcp2-client -f Dockerfile-client . working_directory: ngtcp2 + - run: + name: Build ngtcp2 server and client (main/master) + command: | + docker build --build-arg LIBOQS_TAG=main --build-arg OQSPROVIDER_TAG=main --build-arg NGHTTP3_TAG=main --build-arg NGTCP2_TAG=main -t oqs-ngtcp2-server-main -f Dockerfile-server . && + docker build --build-arg LIBOQS_TAG=main --build-arg OQSPROVIDER_TAG=main --build-arg NGHTTP3_TAG=main --build-arg NGTCP2_TAG=main -t oqs-ngtcp2-client-main -f Dockerfile-client . + working_directory: ngtcp2 - run: name: Test ngtcp2 using local docker network command: | 
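Review bot: The new "Test OpenVPN using local docker network (main/master)" step (hunk @@ -303) runs `./test.sh dilithium5 p521_kyber1024`, but the diffstat in this patch records `mode change 100755 => 100644 openvpn/test.sh`, so the checked-out script is no longer executable and the step would fail with permission denied; the pre-existing test step outside the hunk presumably invokes it the same way. Either restore the executable bit on the script or invoke it as `sh ./test.sh dilithium5 p521_kyber1024`. Separately, the main/master build tags its image `oqs-openvpn`, the same tag the pinned build below reuses, unlike the `-main` suffix used by the other jobs; that only works because of step order, so a comment on the step noting that the pinned build intentionally overwrites the tag before the push would make the dependency explicit.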
@@ -432,6 +478,18 @@ jobs: docker rm oqs-ngtcp2server docker network rm ngtcp2-test working_directory: ngtcp2 + - run: + name: Test ngtcp2 using local docker network (main/master) + command: | + docker network create ngtcp2-test-main + docker run --network ngtcp2-test-main --name oqs-ngtcp2server-main oqs-ngtcp2-server-main & + docker run --network ngtcp2-test-main -it --name oqs-ngtcp2client-main oqs-ngtcp2-client-main sh -c 'qtlsclient --exit-on-first-stream-close --groups kyber512 oqs-ngtcp2server-main 6000' + docker logs oqs-ngtcp2client | grep "QUIC handshake has been confirmed" + docker rm oqs-ngtcp2client-main + docker stop oqs-ngtcp2server-main + docker rm oqs-ngtcp2server-main + docker network rm ngtcp2-test-main + working_directory: ngtcp2 - when: condition: or: @@ -446,7 +504,6 @@ jobs: docker push $TARGETNAME/ngtcp2-server:latest && docker push $TARGETNAME/ngtcp2-client:latest -# Not actively maintained: ubuntu_x64_openssh: description: A template for building and pushing OQS demo Docker images on Ubuntu that do not use OQS-OpenSSL, but rather liboqs in another form @@ -469,6 +526,12 @@ jobs: docker build --build-arg MAKE_DEFINES="-j 18" -t oqs-openssh-img . && docker run --rm --name oqs-openssh oqs-openssh-img connect-test.sh working_directory: openssh + - run: + name: Test OpenSSH (main/master) + command: | + docker build --build-arg LIBOQS_RELEASE=main --build-arg MAKE_DEFINES="-j 18" -t oqs-openssh-img-main . && + docker run --rm --name oqs-openssh-main oqs-openssh-img-main connect-test.sh + working_directory: openssh - when: condition: equal: [ main, << pipeline.git.branch >> ] @@ -534,7 +597,6 @@ jobs: docker tag envoy-oqs $TARGETNAME/envoy:latest && docker push $TARGETNAME/envoy:latest -# Not actively maintained: ubuntu_x64_h2load: description: Building and pushing OQS-h2load demo Docker images docker: 
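Review bot: The new "(main/master)" ngtcp2 test (hunk @@ -432) starts the client as `oqs-ngtcp2client-main` but then checks `docker logs oqs-ngtcp2client`, the container from the pinned test that the preceding context lines already removed; the grep therefore either errors out or inspects the wrong container, and the handshake is never verified for the main/master build. Change it to `docker logs oqs-ngtcp2client-main | grep "QUIC handshake has been confirmed"`.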
@@ -555,11 +617,22 @@ jobs: docker build -t oqs-h2load . working_directory: h2load - run: - name: Test oqs-h2load using public oqs-nginx and oqs-nginx-quic + name: Build h2load with liboqs (main/master) + command: | + docker build --build-arg OPENSSL_TAG=master --build-arg LIBOQS_TAG=main --build-arg OQSPROVIDER_TAG=main --build-arg NGHTTP2_TAG=master -t oqs-h2load-main . + working_directory: h2load + - run: + name: Test oqs-h2load using public oqs-nginx command: | docker network create h2load-test && docker run --network h2load-test --detach --rm --name oqs-nginx openquantumsafe/nginx && docker run --network h2load-test oqs-h2load sh -c "h2load -n 100 -c 10 https://oqs-nginx:4433 --groups kyber512" + - run: + name: Test oqs-h2load using public oqs-nginx (main/master) + command: | + docker network create h2load-test-main && + docker run --network h2load-test-main --detach --rm --name oqs-nginx-main openquantumsafe/nginx && + docker run --network h2load-test-main oqs-h2load-main sh -c "h2load -n 100 -c 10 https://oqs-nginx-main:4433 --groups kyber512" - when: condition: or: @@ -586,14 +659,14 @@ workflows: context: openquantumsafe #- ubuntu_x64_haproxy: # context: openquantumsafe - #- ubuntu_x64_openvpn: - # context: openquantumsafe + - ubuntu_x64_openvpn: + context: openquantumsafe #- ubuntu_x64_mosquitto: # context: openquantumsafe - #- ubuntu_x64_ngtcp2: - # context: openquantumsafe - #- ubuntu_x64_openssh: - # context: openquantumsafe + - ubuntu_x64_ngtcp2: + context: openquantumsafe + - ubuntu_x64_openssh: + context: openquantumsafe # Disabled in CI as failing to conclude test properly as per # https://github.com/open-quantum-safe/oqs-demos/pull/167#issuecomment-1383673300 # - ubuntu_x64_openlitespeed: @@ -603,5 +676,5 @@ workflows: # Disable as it takes too long on OQS CCI plan #- ubuntu_x64_envoy: # context: openquantumsafe - #- ubuntu_x64_h2load: - # context: openquantumsafe + - ubuntu_x64_h2load: + context: openquantumsafe 
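Review bot: Both h2load test steps (hunk @@ -555) start `openquantumsafe/nginx` with no tag, so the test target is whatever `:latest` on Docker Hub happens to be on the day the job runs, and a change in that image's algorithm set (for instance if `kyber512` is dropped) would fail a CI run of a commit that changed nothing; this undercuts the pinning this commit introduces elsewhere. If a versioned tag of that image exists, use it, e.g. `openquantumsafe/nginx:<PINNED_TAG>` (placeholder), or build the nginx demo locally inside the job the way the curl and httpd jobs do.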
diff --git a/README.md b/README.md
index 60921a61..bdf46a18 100644
--- a/README.md
+++ b/README.md
@@ -11,33 +11,32 @@ A repository of instructions (with associated patches and scripts) to enable, th In most cases, Dockerfiles encode the instructions for ease-of-use: Just do `docker build -t .`. For more detailed usage instructions (parameters, algorithms, etc.) refer to the README for each package. Pre-built Docker images may also be available. -As the level of interest in providing and maintaining these integrations for public consumption has fallen, the packages are tagged with the github monikers of the persons willing to keep supporting them or the term "unsupported". If that tag is listed, no CI and github support for the integration is available and the code shall be seen as a snapshot that once worked only. +As the level of interest in providing and maintaining these integrations for public consumption has fallen, the packages are tagged with the github monikers of the persons willing to keep supporting them or the term "Unmaintained". If that tag is listed, no CI and github support for the integration is available and the code shall be seen as a snapshot that once worked only. We are explicitly soliciting contributors to maintain those integrations labelled "unsupported". Currently available integrations at their respective support level: -| | **Build instructions** | **Pre-built Docker image or binary files** | Support? 
| +| | **Build instructions** | **Pre-built Docker image or binary files** | Support | |-------------------|----------------------------------------------------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| -------- | -| **curl** | [Github: oqs-demos/curl](curl) | [Dockerhub: openquantumsafe/curl](https://hub.docker.com/repository/docker/openquantumsafe/curl), [Dockerhub: openquantumsafe/curl-quic](https://hub.docker.com/repository/docker/openquantumsafe/curl-quic) | @baentsch, @pi-314159 -| **Apache httpd** | [Github: oqs-demos/httpd](httpd) | [Dockerhub: openquantumsafe/httpd](https://hub.docker.com/repository/docker/openquantumsafe/httpd) | @baentsch -| **nginx** | [Github: oqs-demos/nginx](nginx) | [Dockerhub: openquantumsafe/nginx](https://hub.docker.com/repository/docker/openquantumsafe/nginx), [Dockerhub: openquantumsafe/nginx-quic](https://hub.docker.com/repository/docker/openquantumsafe/nginx-quic) | @baentsch, @bhess, @pi-314159 -| **Chromium** | [Github: oqs-demos/chromium](chromium) (limited support) | - | @pi-314159 | -| **Locust** | [Github: oqs-demos/locust](locust) | - | @davidgca| -| **OpenSSH** | [Github: oqs-demos/openssh](openssh) | [Dockerhub: openquantumsafe/openssh](https://hub.docker.com/repository/docker/openquantumsafe/openssh) | unsupported -| **Wireshark** | [Github: oqs-demos/wireshark](wireshark) | [Dockerhub: openquantumsafe/wireshark](https://hub.docker.com/repository/docker/openquantumsafe/wireshark) | unsupported -| **Epiphany** | [Github: oqs-demos/epiphany](epiphany) | [Dockerhub: openquantumsafe/epiphany](https://hub.docker.com/repository/docker/openquantumsafe/epiphany) | unsupported -| **OpenVPN** | [Github: oqs-demos/openvpn](openvpn) | [Dockerhub: 
openquantumsafe/openvpn](https://hub.docker.com/repository/docker/openquantumsafe/openvpn) | unsupported -| **ngtcp2** | [Github: oqs-demos/ngtcp2](ngtcp2) | Dockerhub: [Server: openquantumsafe/ngtcp2-server](https://hub.docker.com/repository/docker/openquantumsafe/ngtcp2-server), [Client: openquantumsafe/ngtcp2-client](https://hub.docker.com/repository/docker/openquantumsafe/ngtcp2-client) | unsupported -| **OpenLiteSpeed** | [Github: oqs-demos/openlitespeed](openlitespeed) | [ Dockerhub: openquantumsafe/openlitespeed](https://hub.docker.com/repository/docker/openquantumsafe/openlitespeed) | unsupported -| **h2load** | [Github: oqs-demos/h2load](h2load) | [ Dockerhub: openquantumsafe/h2load](https://hub.docker.com/repository/docker/openquantumsafe/h2load) | unsupported -| **HAproxy** | [Github: oqs-demos/haproxy](haproxy) | [Dockerhub: openquantumsafe/haproxy](https://hub.docker.com/repository/docker/openquantumsafe/haproxy) | unsupported -| **Mosquitto** | [Github: oqs-demos/mosquitto](mosquitto) | [Dockerhub: openquantumsafe/mosquitto](https://hub.docker.com/repository/docker/openquantumsafe/mosquitto) | unsupported -| **Envoy** | [Github: oqs-demos/envoy](envoy) | [ Dockerhub: openquantumsafe/envoy](https://hub.docker.com/repository/docker/openquantumsafe/envoy) | unsupported -| **Unbound** | [Github: oqs-demos/unbound](unbound) | [ Dockerhub: openquantumsafe/unbound](https://hub.docker.com/repository/docker/openquantumsafe/unbound) | unsupported - - -It should be possible to use the openssl (s_client), curl and GNOME Web/epiphany clients with all algorithm combinations available at the Open Quantum Safe TLS/X.509 interoperability test server at https://test.openquantumsafe.org (set up using `oqs-provider v0.6.1` and `liboqs v0.10.1`) but no guarantees are given for software not explicitly labelled with the name of a person offering support for it. 
Since [OQS-BoringSSL](https://github.com/open-quantum-safe/boringssl) no longer maintains the same set of algorithms, software that depends on OQS-BoringSSL (e.g., nginx-quic and curl-quic) may not fully (inter)operate with the test server. +| **curl** | [Github: oqs-demos/curl](curl) | [Dockerhub: openquantumsafe/curl](https://hub.docker.com/repository/docker/openquantumsafe/curl), [Dockerhub: openquantumsafe/curl-quic](https://hub.docker.com/repository/docker/openquantumsafe/curl-quic) | Maintained: @baentsch, @pi-314159 +| **Apache httpd** | [Github: oqs-demos/httpd](httpd) | [Dockerhub: openquantumsafe/httpd](https://hub.docker.com/repository/docker/openquantumsafe/httpd) | Maintained: @baentsch +| **nginx** | [Github: oqs-demos/nginx](nginx) | [Dockerhub: openquantumsafe/nginx](https://hub.docker.com/repository/docker/openquantumsafe/nginx), [Dockerhub: openquantumsafe/nginx-quic](https://hub.docker.com/repository/docker/openquantumsafe/nginx-quic) | Maintained: @baentsch, @bhess, @pi-314159 +| **Chromium** | [Github: oqs-demos/chromium](chromium) (limited support) | - | Maintained: @pi-314159 +| **Locust** | [Github: oqs-demos/locust](locust) | - | Maintained: @davidgca +| **OpenSSH** | [Github: oqs-demos/openssh](openssh) | [Dockerhub: openquantumsafe/openssh](https://hub.docker.com/repository/docker/openquantumsafe/openssh) | Unmaintained +| **OpenVPN** | [Github: oqs-demos/openvpn](openvpn) | [Dockerhub: openquantumsafe/openvpn](https://hub.docker.com/repository/docker/openquantumsafe/openvpn) | Unmaintained +| **ngtcp2** | [Github: oqs-demos/ngtcp2](ngtcp2) | Dockerhub: [Server: openquantumsafe/ngtcp2-server](https://hub.docker.com/repository/docker/openquantumsafe/ngtcp2-server), [Client: openquantumsafe/ngtcp2-client](https://hub.docker.com/repository/docker/openquantumsafe/ngtcp2-client) | Unmaintained +| **h2load** | [Github: oqs-demos/h2load](h2load) | [ Dockerhub: 
openquantumsafe/h2load](https://hub.docker.com/repository/docker/openquantumsafe/h2load) | Unmaintained +| **HAproxy** | [Github: oqs-demos/haproxy](haproxy) | [Dockerhub: openquantumsafe/haproxy](https://hub.docker.com/repository/docker/openquantumsafe/haproxy) | Unmaintained +| **Mosquitto** | [Github: oqs-demos/mosquitto](mosquitto) | [Dockerhub: openquantumsafe/mosquitto](https://hub.docker.com/repository/docker/openquantumsafe/mosquitto) | Unmaintained +| **Epiphany** | [Github: oqs-demos/epiphany](epiphany) | [Dockerhub: openquantumsafe/epiphany](https://hub.docker.com/repository/docker/openquantumsafe/epiphany) | Deprecated +| **OpenLiteSpeed** | [Github: oqs-demos/openlitespeed](openlitespeed) | [ Dockerhub: openquantumsafe/openlitespeed](https://hub.docker.com/repository/docker/openquantumsafe/openlitespeed) | Deprecated +| **Wireshark** | [Github: oqs-demos/wireshark](wireshark) | [Dockerhub: openquantumsafe/wireshark](https://hub.docker.com/repository/docker/openquantumsafe/wireshark) | Deprecated +| **Envoy** | [Github: oqs-demos/envoy](envoy) | [ Dockerhub: openquantumsafe/envoy](https://hub.docker.com/repository/docker/openquantumsafe/envoy) | Deprecated +| **Unbound** | [Github: oqs-demos/unbound](unbound) | [ Dockerhub: openquantumsafe/unbound](https://hub.docker.com/repository/docker/openquantumsafe/unbound) | Deprecated + +It should be possible to use the openssl (s_client) and curl clients with all algorithm combinations available at the Open Quantum Safe TLS/X.509 interoperability test server at https://test.openquantumsafe.org (set up using `oqs-provider v0.7.0` and `liboqs v0.11.0`) but no guarantees are given for software not explicitly labelled with the name of a person offering support for it. Since [OQS-BoringSSL](https://github.com/open-quantum-safe/boringssl) no longer maintains the same set of algorithms, software that depends on OQS-BoringSSL (e.g., nginx-quic and curl-quic) may not fully (inter)operate with the test server. 
## Contributing diff --git a/curl/Dockerfile b/curl/Dockerfile index 8d801eca..f0d0a60f 100644 --- a/curl/Dockerfile +++ b/curl/Dockerfile @@ -1,13 +1,19 @@ # Multi-stage build: First the full builder image: +# define the alpine image version to use +ARG ALPINE_VERSION=3.20 + +# define the openssl tag to be used +ARG OPENSSL_TAG=openssl-3.3.2 + # define the liboqs tag to be used -ARG LIBOQS_TAG=main +ARG LIBOQS_TAG=0.11.0 # define the oqsprovider tag to be used -ARG OQSPROVIDER_TAG=main +ARG OQSPROVIDER_TAG=0.7.0 # define the Curl version to be baked in -ARG CURL_VERSION=7.81.0 +ARG CURL_VERSION=8.10.0 # Default location where all binaries wind up: ARG INSTALLDIR=/opt/oqssa @@ -25,8 +31,9 @@ ARG DEFAULT_GROUPS="x25519:x448:kyber512:p256_kyber512:kyber768:p384_kyber768:ky ARG MAKE_DEFINES="-j 4" -FROM alpine:3.11 as intermediate +FROM alpine:${ALPINE_VERSION} as intermediate # Take in all global args +ARG OPENSSL_TAG ARG LIBOQS_TAG ARG OQSPROVIDER_TAG ARG CURL_VERSION @@ -36,7 +43,7 @@ ARG SIG_ALG ARG DEFAULT_GROUPS ARG MAKE_DEFINES -LABEL version="4" +LABEL version="5" ENV DEBIAN_FRONTEND noninteractive @@ -52,7 +59,7 @@ RUN apk add build-base linux-headers \ # get all sources WORKDIR /opt RUN git clone --depth 1 --branch ${LIBOQS_TAG} https://github.com/open-quantum-safe/liboqs && \ - git clone --depth 1 --branch master https://github.com/openssl/openssl.git && \ + git clone --depth 1 --branch ${OPENSSL_TAG} https://github.com/openssl/openssl.git && \ git clone --depth 1 --branch ${OQSPROVIDER_TAG} https://github.com/open-quantum-safe/oqs-provider.git && \ wget https://curl.haxx.se/download/curl-${CURL_VERSION}.tar.gz && tar -zxvf curl-${CURL_VERSION}.tar.gz; 
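Review bot: The sources are now pinned by name only (hunk @@ -52,7): `git clone --depth 1 --branch ${OPENSSL_TAG}` and the liboqs/oqs-provider clones resolve tags that upstream can move, and the `curl-${CURL_VERSION}.tar.gz` download on the following context line is still not checksummed, so the build's supply-chain trust rests on the hosting services rather than on the pin. Now that the versions are fixed, recording a digest is cheap: `wget https://curl.haxx.se/download/curl-${CURL_VERSION}.tar.gz && echo "<SHA256_OF_CURL_TARBALL>  curl-${CURL_VERSION}.tar.gz" | sha256sum -c -` (placeholder digest), and the clones could be compared against a recorded commit id the same way. The same clone pattern appears in the h2load/Dockerfile hunk (@@ -19,9).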
@@ -62,7 +69,9 @@ RUN mkdir build && cd build && cmake -G"Ninja" .. ${LIBOQS_BUILD_DEFINES} -DCMAK # build OpenSSL3 WORKDIR /opt/openssl -RUN LDFLAGS="-Wl,-rpath -Wl,${INSTALLDIR}/lib64" ./config shared --prefix=${INSTALLDIR} && \ +RUN if [ -d ${INSTALLDIR}/lib64 ]; then ln -s ${INSTALLDIR}/lib64 ${INSTALLDIR}/lib; fi && \ + if [ -d ${INSTALLDIR}/lib ]; then ln -s ${INSTALLDIR}/lib ${INSTALLDIR}/lib64; fi && \ + LDFLAGS="-Wl,-rpath -Wl,${INSTALLDIR}/lib64" ./config shared --prefix=${INSTALLDIR} && \ make ${MAKE_DEFINES} && make install_sw install_ssldirs; # set path to use 'new' openssl. Dyn libs have been properly linked in to match 
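Review bot: The two new `if [ -d ... ]` lines are not mutually exclusive: once the first has created `lib -> lib64`, `-d ${INSTALLDIR}/lib` is true as well, so the second `ln -s ${INSTALLDIR}/lib ${INSTALLDIR}/lib64` runs against an existing directory and would drop a stray `lib64/lib` symlink pointing back at `lib` (a loop) instead of doing nothing; the symmetric case applies when only `lib` existed. Make the second branch conditional on the first not having fired: `if [ -d ${INSTALLDIR}/lib64 ]; then ln -s ${INSTALLDIR}/lib64 ${INSTALLDIR}/lib; elif [ -d ${INSTALLDIR}/lib ]; then ln -s ${INSTALLDIR}/lib ${INSTALLDIR}/lib64; fi && \`. The same pair appears in the h2load/Dockerfile hunk (@@ -30,11), where it runs after `make install` instead.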
@@ -70,7 +79,13 @@ ENV PATH="${INSTALLDIR}/bin:${PATH}" # build & install provider (and activate by default) WORKDIR /opt/oqs-provider -RUN ln -s ../openssl . && cmake -DOPENSSL_ROOT_DIR=${INSTALLDIR} -DCMAKE_BUILD_TYPE=Release -DCMAKE_PREFIX_PATH=${INSTALLDIR} -S . -B _build && cmake --build _build && cp _build/lib/oqsprovider.so ${INSTALLDIR}/lib64/ossl-modules && sed -i "s/default = default_sect/default = default_sect\noqsprovider = oqsprovider_sect/g" /opt/oqssa/ssl/openssl.cnf && sed -i "s/\[default_sect\]/\[default_sect\]\nactivate = 1\n\[oqsprovider_sect\]\nactivate = 1\n/g" /opt/oqssa/ssl/openssl.cnf && sed -i "s/providers = provider_sect/providers = provider_sect\nssl_conf = ssl_sect\n\n\[ssl_sect\]\nsystem_default = system_default_sect\n\n\[system_default_sect\]\nGroups = \$ENV\:\:DEFAULT_GROUPS\n/g" /opt/oqssa/ssl/openssl.cnf && sed -i "s/\# Use this in order to automatically load providers/\# Set default KEM groups if not set via environment variable\nKDEFAULT_GROUPS = $DEFAULT_GROUPS\n\n# Use this in order to automatically load providers/g" /opt/oqssa/ssl/openssl.cnf && sed -i "s/HOME\t\t\t= ./HOME\t\t= .\nDEFAULT_GROUPS\t= ${DEFAULT_GROUPS}/g" /opt/oqssa/ssl/openssl.cnf +RUN ln -s ../openssl . && cmake -DOPENSSL_ROOT_DIR=${INSTALLDIR} -DCMAKE_BUILD_TYPE=Release -DCMAKE_PREFIX_PATH=${INSTALLDIR} -S . 
-B _build && cmake --build _build && \ + cp _build/lib/oqsprovider.so ${INSTALLDIR}/lib64/ossl-modules && \ + sed -i "s/default = default_sect/default = default_sect\noqsprovider = oqsprovider_sect/g" ${INSTALLDIR}/ssl/openssl.cnf && \ + sed -i "s/\[default_sect\]/\[default_sect\]\nactivate = 1\n\[oqsprovider_sect\]\nactivate = 1\n/g" ${INSTALLDIR}/ssl/openssl.cnf && \ + sed -i "s/providers = provider_sect/providers = provider_sect\nssl_conf = ssl_sect\n\n\[ssl_sect\]\nsystem_default = system_default_sect\n\n\[system_default_sect\]\nGroups = \$ENV\:\:DEFAULT_GROUPS\n/g" ${INSTALLDIR}/ssl/openssl.cnf && \ + sed -i "s/\# Use this in order to automatically load providers/\# Set default KEM groups if not set via environment variable\nKDEFAULT_GROUPS = $DEFAULT_GROUPS\n\n# Use this in order to automatically load providers/g" ${INSTALLDIR}/ssl/openssl.cnf && \ + sed -i "s/HOME\t\t\t= ./HOME\t\t= .\nDEFAULT_GROUPS\t= ${DEFAULT_GROUPS}/g" ${INSTALLDIR}/ssl/openssl.cnf # generate certificates for openssl s_server, which is what we will test curl against ENV OPENSSL=${INSTALLDIR}/bin/openssl @@ -93,7 +108,8 @@ RUN wget https://letsencrypt.org/certs/isrgrootx1.pem -O oqs-bundle.pem && cat $ RUN env LDFLAGS=-Wl,-R${INSTALLDIR}/lib64 \ ./configure --prefix=${INSTALLDIR} \ --with-ca-bundle=${INSTALLDIR}/oqs-bundle.pem \ - --with-ssl=${INSTALLDIR} && \ + --with-ssl=${INSTALLDIR} \ + --without-libpsl && \ make ${MAKE_DEFINES} && make install && mv oqs-bundle.pem ${INSTALLDIR}; # Download current test.openquantumsafe.org test CA cert @@ -107,7 +123,7 @@ COPY serverstart.sh ${INSTALLDIR}/bin CMD ["serverstart.sh"] ## second stage: Only create minimal image without build tooling and intermediate build results generated above: -FROM alpine:3.11 as dev +FROM alpine:${ALPINE_VERSION} as dev # Take in all global args ARG INSTALLDIR ARG SIG_ALG diff --git a/curl/README.md b/curl/README.md index 426c743a..ba41cac2 100644 --- a/curl/README.md +++ b/curl/README.md 
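Review bot: The new `--without-libpsl` in the curl configure call (hunk @@ -93,7) builds curl without Public Suffix List support, which weakens cookie-domain handling: without the PSL, curl will accept cookies set for a public suffix (e.g. `co.uk`) and send them to unrelated sites under it. Recent curl releases refuse to configure without libpsl unless this flag is given, which is presumably why it was added; the preferable fix is to add the library to the build, e.g. `libpsl-dev` on the `apk add` line, drop the flag, and give the minimal second stage the matching runtime package. If the flag is kept deliberately, a comment stating the trade-off would help, e.g. `# --without-libpsl: no Public Suffix List, cookie domain checks are weaker`.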
@@ -11,7 +11,7 @@ This directory contains a Dockerfile that builds `curl` using OpenSSL v3 using t ## More details The Dockerfile -- obtains all source code required for building the quantum-safe crypto (QSC) algorithms, the QSC-enabled oqs-provider, curl (v.7.87.0) and the latest OpenSSL (master) code +- obtains all source code required for building the quantum-safe crypto (QSC) algorithms, the QSC-enabled oqs-provider, curl, and OpenSSL - builds all libraries and applications - creates OQS-enabled certificate files for a mini-root certificate authority (CA) - creates an OQS-enabled server certificate for running a `localhost` QSC-TLS server @@ -49,14 +49,17 @@ Information how to use the image is [available in the separate file USAGE.md](US The Dockerfile provided allows for significant customization of the image built: +### OPENSSL_TAG + +Tag of `openssl` release to be used. ### LIBOQS_TAG -Tag of `liboqs` release to be used. Default "main". +Tag of `liboqs` release to be used. ### OQSPROVIDER_TAG -Tag of `oqsprovider` release to be used. Default "main". +Tag of `oqsprovider` release to be used. ### LIBOQS_BUILD_DEFINES @@ -94,3 +97,6 @@ Allow setting parameters to `make` operation, e.g., '-j nnn' where nnn defines t The default is conservative and known not to overload normal machines. If one has a very powerful (many cores, >64GB RAM) machine, passing larger numbers (or only '-j' for maximum parallelism) speeds up building considerably. +### ALPINE_VERSION + +The version of the `alpine` docker image to to be used. diff --git a/curl/USAGE.md b/curl/USAGE.md index 4e95366a..160d0058 100644 --- a/curl/USAGE.md +++ b/curl/USAGE.md 
@@ -37,7 +37,7 @@ A 'worked example' and more general alternative form of the command is ``` docker run -e TEST_TIME=5 -e KEM_ALG=kyber768 -e SIG_ALG=dilithium3 -it openquantumsafe/curl perftest.sh ``` -runs TLS handshakes for 5 seconds exercizing `dilithium3` and `kyber768`. Again, all [supported QSC algorithms](https://github.com/open-quantum-safe/openssl#supported-algorithms) can be set here. Be sure to properly distinguish between SIGnature_ALGorithms and KEM(Key Exchange Mechanism)_ALGorithms. +runs TLS handshakes for 5 seconds exercizing `dilithium3` and `kyber768`. Again, all [supported QSC algorithms](https://github.com/open-quantum-safe/oqs-provider#algorithms) can be set here. Be sure to properly distinguish between SIGnature_ALGorithms and KEM(Key Exchange Mechanism)_ALGorithms. ### Algorithm performance diff --git a/envoy/README.md b/envoy/README.md index 811a2edf..986e87a3 100644 --- a/envoy/README.md +++ b/envoy/README.md @@ -1,6 +1,7 @@ -## Warning +# DEPRECATED -This integration is currently not supported due to [the end of life of oqs-openssl111](https://github.com/open-quantum-safe/openssl#warning). Feel free to vote this back into supported state by visiting [the discussion on the topic](https://github.com/orgs/open-quantum-safe/discussions/1602). +> [!Warning] +> This integration is currently not supported due to [the end of life of oqs-openssl111](https://github.com/open-quantum-safe/openssl#warning). ## Purpose diff --git a/epiphany/README.md b/epiphany/README.md index f9605614..dddb6e70 100644 --- a/epiphany/README.md +++ b/epiphany/README.md 
@@ -1,3 +1,8 @@ +# DEPRECATED + +> [!Warning] +> This integration is longer supported due to lack of interest and support, if you're interested in revitalizing this demo please submit a PR. A previous update attempt can be found [here](https://github.com/open-quantum-safe/oqs-demos/commit/da3d03042a0b39caf500f0ce3744145e66b09f70) + This directory contains a Dockerfile that builds the GNOME web browser epiphany such as to run TLS 1.3 using OQS-OpenSSL. This demo is based on work done by [Igor Barshteyn](https://www.linkedin.com/pulse/demonstrating-quantum-safe-tls-13-web-server-client-nist-barshteyn). @@ -5,7 +10,7 @@ This demo is based on work done by [Igor Barshteyn](https://www.linkedin.com/pul ## Quick start 1) Be sure to have [docker installed](https://docs.docker.com/install). -2) Run `docker build -t openquantumsafe/epiphany .` to create a QSC-enabled epiphany docker image. +2) Run `docker build -t oqs-epiphany .` to create a QSC-enabled epiphany docker image. ## Usage diff --git a/h2load/Dockerfile b/h2load/Dockerfile index 7700652d..1f88d58a 100644 --- a/h2load/Dockerfile +++ b/h2load/Dockerfile @@ -1,10 +1,24 @@ # Multi-stage build: First the full builder image: -FROM alpine as intermediate + +# define the alpine image version to use +ARG ALPINE_VERSION=3.20 + +FROM alpine:${ALPINE_VERSION} as intermediate ENV DEBIAN_FRONTEND=noninteractive -ARG LIBOQS_TAG=main -ARG OQSPROVIDER_TAG=main +# define the openssl tag to be used +ARG OPENSSL_TAG=openssl-3.3.2 + +# define the liboqs tag to be used +ARG LIBOQS_TAG=0.11.0 + +# define the oqsprovider tag to be used +ARG OQSPROVIDER_TAG=0.7.0 + +# define the nghttp2 tag to be used +ARG NGHTTP2_TAG=v1.64.0 + ARG INSTALLDIR=/opt/oqssa # Update image and apt software 
@@ -19,9 +33,9 @@ WORKDIR /opt
 # get all sources
 RUN git clone --depth 1 --branch ${LIBOQS_TAG} https://github.com/open-quantum-safe/liboqs && \
- git clone --depth 1 --branch master https://github.com/openssl/openssl.git && \
+ git clone --depth 1 --branch ${OPENSSL_TAG} https://github.com/openssl/openssl.git && \
 git clone --depth 1 --branch ${OQSPROVIDER_TAG} https://github.com/open-quantum-safe/oqs-provider.git && \
- git clone --depth 1 --branch master https://github.com/nghttp2/nghttp2.git
+ git clone --depth 1 --branch ${NGHTTP2_TAG} https://github.com/nghttp2/nghttp2.git
 # build liboqs
 WORKDIR /opt/liboqs
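Review bot: `git clone --depth 1 --branch ${OPENSSL_TAG}` and `--branch ${NGHTTP2_TAG}` pin to tag names, which are mutable references that a repository owner can move or re-create, so the build is reproducible in name only. Recording the expected commit next to each tag (for example `ARG OPENSSL_COMMIT=<expected commit id>` followed by a `git rev-parse HEAD` comparison after the clone) or checking signed tags with `git verify-tag` would make the pin tamper-evident. The same applies to the clone lines in haproxy/Dockerfile and httpd/Dockerfile in this patch.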
@@ -30,11 +44,20 @@ RUN mkdir build && cd build && cmake -GNinja -DCMAKE_INSTALL_PREFIX=${INSTALLDIR # build openssl 3 WORKDIR /opt/openssl RUN LDFLAGS="-Wl,-rpath -Wl,${INSTALLDIR}/lib64" ./config shared --prefix=${INSTALLDIR} && \ - make ${MAKE_DEFINES} && make install_sw install_ssldirs + make ${MAKE_DEFINES} && make install_sw install_ssldirs && \ + if [ -d ${INSTALLDIR}/lib64 ]; then ln -s ${INSTALLDIR}/lib64 ${INSTALLDIR}/lib; fi && \ + if [ -d ${INSTALLDIR}/lib ]; then ln -s ${INSTALLDIR}/lib ${INSTALLDIR}/lib64; fi # build & install provider (and activate by default) WORKDIR /opt/oqs-provider -RUN ln -s ../openssl . && cmake -DOPENSSL_ROOT_DIR=${INSTALLDIR} -DCMAKE_BUILD_TYPE=Release -DCMAKE_PREFIX_PATH=${INSTALLDIR} -S . -B _build && cmake --build _build && cp _build/lib/oqsprovider.so ${INSTALLDIR}/lib64/ossl-modules && sed -i "s/default = default_sect/default = default_sect\noqsprovider = oqsprovider_sect/g" /opt/oqssa/ssl/openssl.cnf && sed -i "s/\[default_sect\]/\[default_sect\]\nactivate = 1\n\[oqsprovider_sect\]\nactivate = 1\n/g" /opt/oqssa/ssl/openssl.cnf && sed -i "s/providers = provider_sect/providers = provider_sect\nssl_conf = ssl_sect\n\n\[ssl_sect\]\nsystem_default = system_default_sect\n\n\[system_default_sect\]\nGroups = \$ENV\:\:KEM_ALG\n/g" /opt/oqssa/ssl/openssl.cnf && sed -i "s/\# Use this in order to automatically load providers/\# Set default KEM alg if not set via environment variable\nKEM_ALG = kyber512\n\n# Use this in order to automatically load providers/g" /opt/oqssa/ssl/openssl.cnf +RUN ln -s ../openssl . && \ + cmake -DOPENSSL_ROOT_DIR=${INSTALLDIR} -DCMAKE_BUILD_TYPE=Release -DCMAKE_PREFIX_PATH=${INSTALLDIR} -S . 
-B _build && \ + cmake --build _build && \ + cp _build/lib/oqsprovider.so ${INSTALLDIR}/lib64/ossl-modules && \ + sed -i "s/default = default_sect/default = default_sect\noqsprovider = oqsprovider_sect/g" /opt/oqssa/ssl/openssl.cnf && \ + sed -i "s/\[default_sect\]/\[default_sect\]\nactivate = 1\n\[oqsprovider_sect\]\nactivate = 1\n/g" /opt/oqssa/ssl/openssl.cnf && \ + sed -i "s/providers = provider_sect/providers = provider_sect\nssl_conf = ssl_sect\n\n\[ssl_sect\]\nsystem_default = system_default_sect\n\n\[system_default_sect\]\nGroups = \$ENV\:\:KEM_ALG\n/g" /opt/oqssa/ssl/openssl.cnf && \ + sed -i "s/\# Use this in order to automatically load providers/\# Set default KEM alg if not set via environment variable\nKEM_ALG = kyber512\n\n# Use this in order to automatically load providers/g" /opt/oqssa/ssl/openssl.cnf # build nghttp2 @@ -52,7 +75,7 @@ RUN mkdir /opt/lib && cd /opt/lib && \ cp /usr/lib/libgcc_s.so.* . ## second stage: Only create minimal image without build tooling and intermediate build results generated above: -FROM alpine as dev +FROM alpine:${ALPINE_VERSION} as dev ENV DEBIAN_FRONTEND=noninteractive # copy executable @@ -63,3 +86,5 @@ COPY check_algorithms.sh /usr/local/bin COPY --from=intermediate /opt/lib /usr/local/lib COPY --from=intermediate /opt/oqssa/lib64/ossl-modules/oqsprovider.so /opt/oqssa/lib64/ossl-modules/oqsprovider.so COPY --from=intermediate /opt/oqssa/ssl/openssl.cnf /opt/oqssa/ssl/openssl.cnf + +RUN ln -s /opt/oqssa/lib64 /opt/oqssa/lib; diff --git a/h2load/README.md b/h2load/README.md index 962e4730..06e438d2 100644 --- a/h2load/README.md +++ b/h2load/README.md @@ -32,4 +32,4 @@ Documentation for using the h2load docker image is contained in the separate [US ## Disclaimer -[THIS IS NOT FIT FOR PRODUCTION USE](https://github.com/open-quantum-safe/openssl#limitations-and-security). +[THIS IS NOT FIT FOR PRODUCTION USE](https://github.com/open-quantum-safe/liboqs#limitations-and-security). 
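Review bot: The two `if [ -d ... ]` symlink steps after `make install_sw install_ssldirs` do not exclude each other: once the first has created `lib -> lib64`, the second test sees `lib` as a directory and `ln -s ${INSTALLDIR}/lib ${INSTALLDIR}/lib64` then runs against an existing directory, leaving a stray `lib64/lib` link that points back through `lib` to `lib64`. Turning the second `if` into an `elif` (`if [ -d ${INSTALLDIR}/lib64 ]; then ln -s ${INSTALLDIR}/lib64 ${INSTALLDIR}/lib; elif [ -d ${INSTALLDIR}/lib ]; then ln -s ${INSTALLDIR}/lib ${INSTALLDIR}/lib64; fi`) gives the one-or-the-other behaviour the comment in httpd/Dockerfile describes. The same pair appears in the OpenSSL build steps of haproxy/Dockerfile and httpd/Dockerfile in this patch.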
diff --git a/h2load/USAGE.md b/h2load/USAGE.md
index 3d3ff249..9ce147e3 100644
--- a/h2load/USAGE.md
+++ b/h2load/USAGE.md
@@ -58,4 +58,4 @@ More information can be found at https://nghttp2.org/documentation/h2load.1.html
 ## Disclaimer
-[THIS IS NOT FIT FOR PRODUCTION USE](https://github.com/open-quantum-safe/openssl#limitations-and-security).
+[THIS IS NOT FIT FOR PRODUCTION USE](https://github.com/open-quantum-safe/liboqs#limitations-and-security).
diff --git a/haproxy/Dockerfile b/haproxy/Dockerfile
index 56e91333..eaa21aab 100644
--- a/haproxy/Dockerfile
+++ b/haproxy/Dockerfile
@@ -1,103 +1,142 @@ # Multi-stage build: First the full builder image: -# First: global build arguments: +# define the alpine image version to use +ARG ALPINE_VERSION=3.20 -# liboqs build type variant; maximum portability of image: -ARG LIBOQS_BUILD_DEFINES="-DOQS_DIST_BUILD=ON" +# define the openssl tag to be used +ARG OPENSSL_TAG=openssl-3.3.2 -ARG BUILDDIR=/root +# define the liboqs tag to be used +ARG LIBOQS_TAG=0.11.0 -# installation paths -ARG INSTALLPATH=/opt/oqssa -ARG HAPROXY_PATH=/opt/haproxy +# define the oqsprovider tag to be used +ARG OQSPROVIDER_TAG=0.7.0 -# defines the QSC signature algorithm used for the certificates: -ARG SIG_ALG="dilithium3" +# define the version of haproxy here +ARG HAPROXY_RELEASE=3.0 +ARG HAPROXY_MICRO=5 +ARG HAPROXY_VERSION=${HAPROXY_RELEASE}.${HAPROXY_MICRO} -# define the haproxy version to include -ARG HAPROXY_VERSION=2.2.6 - -# Pass parameters to `make`. Most notably set parallelism (`-j` [degree]) -# only if you know your machine can handle it -ARG MAKE_DEFINES="" +# Default location where all binaries wind up: +ARG INSTALLDIR=/opt/oqssa +ARG HAPROXYDIR=/opt/haproxy +# liboqs build type variant; maximum portability of image: +ARG LIBOQS_BUILD_DEFINES="-DOQS_DIST_BUILD=ON" -FROM alpine:3.13 as intermediate -# ToDo: Upgrade possible if https://wiki.alpinelinux.org/wiki/Release_Notes_for_Alpine_3.14.0#faccessat2 addressed +# Default KEM algorithms to be utilized +ARG KEM_ALGLIST="kyber768:p384_kyber768" -# Take in global args -ARG INSTALLPATH -ARG BUILDDIR +FROM alpine:${ALPINE_VERSION} AS intermediate +# Take in all global args +ARG OPENSSL_TAG +ARG LIBOQS_TAG +ARG OQSPROVIDER_TAG +ARG INSTALLDIR +ARG HAPROXYDIR ARG LIBOQS_BUILD_DEFINES -ARG HAPROXY_PATH -ARG SIG_ALG +ARG KEM_ALGLIST ARG HAPROXY_VERSION -ARG MAKE_DEFINES - - -# Get all software packages required for builing all components: -# All SW-build and docker-image build prereqs -RUN apk update && apk upgrade && apk add openssl make build-base linux-headers 
openssl-dev autoconf automake git libtool unzip wget cmake +ARG HAPROXY_RELEASE -# get sources -WORKDIR ${BUILDDIR} -RUN git clone --depth 1 --branch main https://github.com/open-quantum-safe/liboqs && \ - git clone --depth 1 --branch OQS-OpenSSL_1_1_1-stable https://github.com/open-quantum-safe/openssl && \ - wget http://www.haproxy.org/download/2.2/src/haproxy-${HAPROXY_VERSION}.tar.gz && tar xzvf haproxy-${HAPROXY_VERSION}.tar.gz && mv haproxy-${HAPROXY_VERSION} haproxy +LABEL version "2" -# build liboqs (dynamic linking only) -WORKDIR ${BUILDDIR}/liboqs -RUN mkdir build && cd build && if [[ -z "$MAKE_DEFINES" ]] ; then nproc=$(getconf _NPROCESSORS_ONLN) && MAKE_DEFINES="-j $nproc"; fi && cmake .. ${LIBOQS_BUILD_DEFINES} -DBUILD_SHARED_LIBS=ON -DCMAKE_INSTALL_PREFIX=${BUILDDIR}/openssl/oqs && make $MAKE_DEFINES && make install +ENV DEBIAN_FRONTEND noninteractive -# build OQS-OpenSSL (again, dynamic/shared libs only) -WORKDIR ${BUILDDIR}/openssl -RUN LDFLAGS="-Wl,-rpath -Wl,$INSTALLPATH/lib" ./Configure linux-x86_64 -lm --prefix=$INSTALLPATH && if [[ -z "$MAKE_DEFINES" ]] ; then nproc=$(getconf _NPROCESSORS_ONLN) && MAKE_DEFINES="-j $nproc"; fi && make $MAKE_DEFINES && make install_sw +# Get all software packages required for builing all components: +RUN apk update && apk upgrade && apk add openssl make build-base linux-headers openssl-dev autoconf automake git libtool unzip wget cmake ninja + +# get all sources +WORKDIR /opt +RUN git clone --depth 1 --branch ${LIBOQS_TAG} https://github.com/open-quantum-safe/liboqs && \ + git clone --depth 1 --branch ${OPENSSL_TAG} https://github.com/openssl/openssl.git && \ + git clone --depth 1 --branch ${OQSPROVIDER_TAG} https://github.com/open-quantum-safe/oqs-provider.git && \ + wget http://www.haproxy.org/download/${HAPROXY_RELEASE}/src/haproxy-${HAPROXY_VERSION}.tar.gz && tar xzvf haproxy-${HAPROXY_VERSION}.tar.gz && mv haproxy-${HAPROXY_VERSION} $HAPROXYDIR + +# build liboqs +WORKDIR /opt/liboqs +RUN mkdir build && cd 
build && \ + cmake -G"Ninja" .. ${LIBOQS_BUILD_DEFINES} -DCMAKE_INSTALL_PREFIX=${INSTALLDIR} && \ + ninja install + +# build OpenSSL3 +WORKDIR /opt/openssl +RUN LDFLAGS="-Wl,-rpath -Wl,${INSTALLDIR}/lib64" ./config shared --prefix=${INSTALLDIR} && \ + make -j $(nproc) && \ + make install_sw install_ssldirs && \ + if [ -d ${INSTALLDIR}/lib64 ]; then ln -s ${INSTALLDIR}/lib64 ${INSTALLDIR}/lib; fi && \ + if [ -d ${INSTALLDIR}/lib ]; then ln -s ${INSTALLDIR}/lib ${INSTALLDIR}/lib64; fi + +# set path to use 'new' openssl. Dyn libs have been properly linked in to match +ENV PATH="${INSTALLDIR}/bin:${PATH}" + +# build & install provider (and activate by default) +WORKDIR /opt/oqs-provider +RUN ln -s ../openssl . && \ + cmake -DOPENSSL_ROOT_DIR=${INSTALLDIR} -DCMAKE_BUILD_TYPE=Release -DCMAKE_PREFIX_PATH=${INSTALLDIR} -S . -B _build && \ + cmake --build _build && cp _build/lib/oqsprovider.so ${INSTALLDIR}/lib64/ossl-modules && \ + sed -i "s/default = default_sect/default = default_sect\noqsprovider = oqsprovider_sect/g" /opt/oqssa/ssl/openssl.cnf && \ + sed -i "s/\[default_sect\]/\[default_sect\]\nactivate = 1\n\[oqsprovider_sect\]\nactivate = 1\n/g" /opt/oqssa/ssl/openssl.cnf && \ + sed -i "s/providers = provider_sect/providers = provider_sect\nssl_conf = ssl_sect\n\n\[ssl_sect\]\nsystem_default = system_default_sect\n\n\[system_default_sect\]\nGroups = ${KEM_ALGLIST}\n/g" /opt/oqssa/ssl/openssl.cnf + + +ENV OPENSSL3_DIR=${INSTALLDIR} # build haproxy -WORKDIR ${BUILDDIR}/haproxy +WORKDIR ${HAPROXYDIR} -RUN if [[ -z "$MAKE_DEFINES" ]] ; then nproc=$(getconf _NPROCESSORS_ONLN) && MAKE_DEFINES="-j $nproc"; fi && make $MAKE_DEFINES LDFLAGS="-Wl,-rpath,$INSTALLPATH/lib" SSL_INC=$INSTALLPATH/include SSL_LIB=$INSTALLPATH/lib TARGET=linux-musl USE_OPENSSL=1 && make PREFIX=$INSTALLPATH install +RUN make -j $(nproc) \ + LDFLAGS="-Wl,-rpath,$INSTALLDIR/lib64" \ + SSL_INC=$INSTALLDIR/include \ + SSL_LIB=$INSTALLDIR/lib64 \ + TARGET=linux-musl \ + USE_OPENSSL=1 && \ + make 
PREFIX=$INSTALLDIR install -# # prepare to run haproxy -ARG OPENSSL_CNF=${BUILDDIR}/openssl/apps/openssl.cnf +ENV OPENSSL=${INSTALLDIR}/bin/openssl +ENV OPENSSL_CNF=${INSTALLDIR}/ssl/openssl.cnf -# Set a default QSC signature algorithm from the list at https://github.com/open-quantum-safe/openssl#authentication +# Set a default QSC signature algorithm from the list at https://github.com/open-quantum-safe/oqs-provider#algorithms ARG SIG_ALG=dilithium3 -WORKDIR ${HAPROXY_PATH} +WORKDIR ${HAPROXYDIR} # generate CA key and cert # generate server CSR # generate server cert RUN set -x && \ mkdir pki && \ mkdir cacert && \ - ${INSTALLPATH}/bin/openssl req -x509 -new -newkey ${SIG_ALG} -keyout cacert/CA.key -out cacert/CA.crt -nodes -subj "/CN=oqstest CA" -days 365 -config ${OPENSSL_CNF} && \ - ${INSTALLPATH}/bin/openssl req -new -newkey ${SIG_ALG} -keyout pki/server.key -out pki/server.csr -nodes -subj "/CN=oqs-haproxy" -config ${OPENSSL_CNF} && \ - ${INSTALLPATH}/bin/openssl x509 -req -in pki/server.csr -out pki/server.crt -CA cacert/CA.crt -CAkey cacert/CA.key -CAcreateserial -days 365 + ${OPENSSL} req -x509 -new -newkey ${SIG_ALG} -keyout cacert/CA.key -out cacert/CA.crt -nodes -subj "/CN=oqstest CA" -days 365 -config ${OPENSSL_CNF} && \ + ${OPENSSL} req -new -newkey ${SIG_ALG} -keyout pki/server.key -out pki/server.csr -nodes -subj "/CN=oqs-haproxy" -config ${OPENSSL_CNF} && \ + ${OPENSSL} x509 -req -in pki/server.csr -out pki/server.crt -CA cacert/CA.crt -CAkey cacert/CA.key -CAcreateserial -days 365 -# second stage: Only create minimal image without build tooling and intermediate build results generated above: -FROM alpine:3.13 -# Take in global args -ARG HAPROXY_PATH -ARG INSTALLPATH +## second stage: Only create minimal image without build tooling and intermediate build results generated above: +FROM alpine:${ALPINE_VERSION} +# Take in all global args +ARG INSTALLDIR +ARG HAPROXYDIR +ARG KEM_ALGLIST # lighttpd as built-in backend RUN apk add lighttpd # # Only 
retain the ${*_PATH} contents in the final image -COPY --from=intermediate ${HAPROXY_PATH} ${HAPROXY_PATH} -COPY --from=intermediate ${INSTALLPATH} ${INSTALLPATH} +COPY --from=intermediate ${HAPROXYDIR} ${HAPROXYDIR} +COPY --from=intermediate ${INSTALLDIR} ${INSTALLDIR} + +# copy the haproxy configuration file and set the supported Key exchange mechanisms +COPY conf ${HAPROXYDIR}/conf/ +RUN sed -i "s|@@CURVES@@|$KEM_ALGLIST|g" ${HAPROXYDIR}/conf/haproxy.cfg -COPY conf ${HAPROXY_PATH}/conf/ -WORKDIR ${HAPROXY_PATH} +WORKDIR ${HAPROXYDIR} ADD lighttpd.conf /etc/lighttpd/lighttpd.conf ADD lighttpd2.conf /etc/lighttpd/lighttpd2.conf -ADD start.sh ${HAPROXY_PATH}/start.sh +ADD start.sh ${HAPROXYDIR}/start.sh # set up normal user -RUN addgroup -g 1000 -S oqs && adduser --uid 1000 -S oqs -G oqs && chown -R oqs.oqs ${HAPROXY_PATH} +RUN addgroup -g 1000 -S oqs && adduser --uid 1000 -S oqs -G oqs && chown -R oqs.oqs ${HAPROXYDIR} # set up file permissions for lighttpd RUN mkdir -p /opt/lighttpd/log && mkdir -p /opt/lighttpd/log2 && chown -R oqs.oqs /opt @@ -109,11 +148,10 @@ RUN mkdir -p /var/www/localhost2/htdocs && echo "Hello World from lighthttpd bac USER oqs # Ensure haproxy just runs -ENV PATH ${HAPROXY_PATH}/sbin:$PATH +ENV PATH ${HAPROXYDIR}/sbin:$PATH EXPOSE 4433 -# + STOPSIGNAL SIGTERM CMD ["/opt/haproxy/start.sh"] - diff --git a/haproxy/README.md b/haproxy/README.md index 23be2b2a..29e9f74a 100644 --- a/haproxy/README.md +++ b/haproxy/README.md 
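Review bot: The haproxy tarball is still fetched with `wget http://www.haproxy.org/download/${HAPROXY_RELEASE}/src/haproxy-${HAPROXY_VERSION}.tar.gz` over plain HTTP and unpacked with no integrity check, so the pinned version number does not protect the build from an archive altered in transit. Switching the URL to `https://` and checking the download against a recorded digest (`echo "<expected sha256>  haproxy-${HAPROXY_VERSION}.tar.gz" | sha256sum -c -` before the `tar xzvf`) would close that gap. Separately, the default `KEM_ALGLIST="kyber768:p384_kyber768"` is in the reverse order to what the README and USAGE text in this patch state (`p384_kyber768:kyber768`); since the list is substituted verbatim into `Groups =` and into the haproxy `curves` setting, its order is the preference order, so the documented default and the build default should agree. `LABEL version "2"` also uses the deprecated whitespace form while httpd/Dockerfile in this patch uses `LABEL version="3"`.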
@@ -1,17 +1,11 @@ -## Warning - -This integration is currently not supported due to [the end of life of oqs-openssl111](https://github.com/open-quantum-safe/openssl#warning). Feel free to vote this back into supported state by visiting [the discussion on the topic](https://github.com/orgs/open-quantum-safe/discussions/1602). - -## Purpose - -This directory contains a Dockerfile that builds [haproxy](https://www.haproxy.org) with the [OQS OpenSSL 1.1.1 fork](https://github.com/open-quantum-safe/openssl), which allows haproxy to negotiate quantum-safe keys and use quantum-safe authentication in TLS 1.3. +This directory contains a Dockerfile that builds `haproxy` using OpenSSL v3 using the [OQS provider](https://github.com/open-quantum-safe/oqs-provider), which allows `haproxy` to negotiate quantum-safe keys and use quantum-safe authentication in TLS 1.3. ## Getting started [Install Docker](https://docs.docker.com/install) and run the following commands in this directory: -1. `docker build --build-arg SIG_ALG= --tag oqs-haproxy-img .` (`` can be any of the authentication algorithms listed [here](https://github.com/open-quantum-safe/openssl#authentication)). An alternative, simplified build instruction is `docker build -t oqs-haproxy-img .`: This will generate the image with a default QSC algorithm (dilithium3 -- see Dockerfile to change this). -2. `docker run --detach --rm --name oqs-haproxy -p 4433:4433 oqs-haproxy-img` +1. `docker build --build-arg SIG_ALG= --build-arg KEM_ALGLIST= --tag oqs-haproxy .` (`` can be any of the signature authentication algorithms and `` can be a colon separated list of the Key exchange mechanisms listed [here](https://github.com/open-quantum-safe/oqs-provider#algorithms)). An alternative, simplified build instruction is `docker build -t oqs-haproxy .`: This will generate the image with a default QSC algorithm and KEMs (dilithium3, p384_kyber768:kyber768 -- see Dockerfile to change this). +2. 
`docker run --detach --rm --name oqs-haproxy -p 4433:4433 oqs-haproxy` This will start a docker container that has haproxy listening for TLS 1.3 connections on port 4433. Actual data will be served via a load-balanced `lighttpd` server running on ports 8181 and 8182. 
@@ -24,34 +18,36 @@ Complete information how to use the image is [available in the separate file USA The Dockerfile provided allows for significant customization of the image built: -### LIBOQS_BUILD_DEFINES +### OPENSSL_TAG -This permits changing the build options for the underlying library with the quantum safe algorithms. All possible options are documented [here](https://github.com/open-quantum-safe/liboqs/wiki/Customizing-liboqs). +Tag of `openssl` release to be used. -By default, the image is built such as to have maximum portability regardless of CPU type and optimizations available, i.e. to run on the widest possible range of cloud machines. +### LIBOQS_TAG -### SIG_ALG +Tag of `liboqs` release to be used. -This defines the quantum-safe cryptographic signature algorithm for the internally generated (demonstration) CA and server certificates. +### OQSPROVIDER_TAG -The default value is 'dilithium3' but can be set to any value documented [here](https://github.com/open-quantum-safe/openssl#authentication). +Tag of `oqsprovider` release to be used. +### LIBOQS_BUILD_DEFINES -### HAPROXY_PATH +This permits changing the build options for the underlying library with the quantum safe algorithms. All possible options are documented [here](https://github.com/open-quantum-safe/liboqs/wiki/Customizing-liboqs). -This defines the resultant location of the haproxy installation. +By default, the image is built such as to have maximum portability regardless of CPU type and optimizations available, i.e. to run on the widest possible range of cloud machines. -By default this is '/opt/haproxy'. It is recommended to not change this. Also, all [usage documentation](USAGE.md) assumes this path. +### SIG_ALG -### HAPROXY_VERSION +This defines the quantum-safe cryptographic signature algorithm for the internally generated (demonstration) CA and server certificates. -This defines the haproxy software version to be build into the image. By default, this is an LTS version. 
+The default value is 'dilithium3' but can be set to any value documented [here](https://github.com/open-quantum-safe/oqs-provider#algorithms). -The default version set is known to work OK but one could try any value available [for download](https://www.haproxy.org/#down). +### KEM_ALGLIST -### MAKE_DEFINES +This defines the quantum-safe key exchange mechanisms to be supported. -Allow setting parameters to `make` operation, e.g., '-j nnn' where nnn defines the number of jobs run in parallel during build. +The default value is `p384_kyber768:kyber768` but can be set to any set of colon separated values documented [here](https://github.com/open-quantum-safe/oqs-provider#algorithms). -The default is conservative and known not to overload normal machines. If one has a very powerful (many cores, >64GB RAM) machine, passing larger numbers (or only '-j' for maximum parallelism) speeds up building considerably. +### HAPROXY_RELEASE and HAPROXY_MICRO +These define the version of HAPROXY to use with the default set to 3.0 and 5 respectively to represent haproxy version 3.0.5. diff --git a/haproxy/USAGE.md b/haproxy/USAGE.md index a2bf4581..9e1a5722 100644 --- a/haproxy/USAGE.md +++ b/haproxy/USAGE.md 
@@ -1,16 +1,18 @@ -## Purpose +## Purpose -This is an [haproxy](https://www.haproxy.org) docker image building on the [OQS OpenSSL 1.1.1 fork](https://github.com/open-quantum-safe/openssl), which allows haproxy to negotiate quantum-safe keys and use quantum-safe authentication using TLS 1.3. +This docker image contains a version of [haproxy](https://www.haproxy.org) configured to also utilize quantum-safe crypto (QSC) operations. -If you built the docker image yourself following the instructions [here](https://github.com/open-quantum-safe/oqs-demos/tree/main/haproxy), exchange the name of the image from 'openquantumsafe/haproxy' in the examples below suitably. +To this end, it contains [oqs-provider](https://github.com/open-quantum-safe/oqs-provider) from the [OpenQuantumSafe](https://openquantumsafe.org) project together with the latest OpenSSL v3 code. + +As different images providing the same base functionality may be available, e.g., for debug or performance-optimized operations, the image name `openquantumsafe/haproxy` is consistently used in the description below. Be sure to adapt it to the image you want to use. This image has a built-in non-root user to permit execution without particular [docker privileges](https://docs.docker.com/engine/reference/run/#runtime-privilege-and-linux-capabilities) such as to allow installation in all types of Kubernetes clusters. Also built-in is a backend server whose content is served via the load-balancing features of HAproxy. This is a standard lighttpd without any special configuration settings. -## Quick start +## Quick start -Assuming Docker is [installed](https://docs.docker.com/install) the following command +Assuming Docker is [installed](https://docs.docker.com/install) the following command ``` docker run -p 4433:4433 openquantumsafe/haproxy 
@@ -18,7 +20,7 @@ docker run -p 4433:4433 openquantumsafe/haproxy will start up the QSC-enabled haproxy running and listening for quantum-safe crypto protected TLS 1.3 connections on port 4433. -To retrieve a test page, a quantum-safe crypto client program is required. For the most simple use case, use the [docker image for curl](https://hub.docker.com/r/openquantumsafe/curl) with the required quantum-safe crypto enablement. +To retrieve a test page, a quantum-safe crypto client program is required. For the most simple use case, use the [docker image for curl](https://hub.docker.com/r/openquantumsafe/curl) with the required quantum-safe crypto enablement. If you started the OQS-haproxy image on a machine with a registered IP name the required command is simply @@ -36,12 +38,14 @@ docker run --network haproxy-test -it openquantumsafe/curl curl -k https://oqs-h ## Slightly more advanced usage options -This haproxy image supports all quantum-safe key exchange algorithms [presently supported by OQS-OpenSSL](https://github.com/open-quantum-safe/openssl#key-exchange). If you want to control with algorithm is actually used, you can request one from the list above to the curl command with the '--curves' parameter, e.g., requesting the hybrid Frodo976Shake variant also configured into the default 'haproxy.cfg' file: +This haproxy image is capable of supporting all quantum-safe key exchange algorithms listed [here](https://github.com/open-quantum-safe/oqs-provider#algorithms). By default the image is built supporting p384_kyber768 and kyber768. You can select a specific curve on the curl command ``` -docker run -it openquantumsafe/curl curl -k https://oqs-haproxy:4433 --curves p384_frodo976shake +docker run -it openquantumsafe/curl curl -k https://oqs-haproxy:4433 --curves kyber768 ``` +You can also change the key exchange mechanisms supported by haproxy when you build the image by setting the KEM_ALGLIST build argument + ## Seriously more advanced usage options 
@@ -85,14 +89,14 @@ docker run -p 4433:4433 -v `pwd`/server-pki:/opt/haproxy/pki openquantumsafe/hap ### Creating (test) CA and server certificates -For creating the required keys and certificates, it is also possible to utilize the [openquantumsafe/curl](https://hub.docker.com/r/openquantumsafe/curl) image using standard `openssl` commands. +For creating the required keys and certificates, it is also possible to utilize the [openquantumsafe/curl](https://hub.docker.com/r/openquantumsafe/curl) image using standard `openssl` commands. -An example sequence is shown below, using +An example sequence is shown below, using - 'qteslapi' for signing the CA certificate, - 'dilithium2' for signing the server certificate, - 'haproxy.server.my.org' as the address of the server for which the certificate is intended. -Instead of 'qteslapi' or 'dilithium2' any of the [quantum safe authentication algorithms presently supported](https://github.com/open-quantum-safe/openssl#authentication) can be used. +Instead of 'qteslapi' or 'dilithium2' any of the [quantum safe authentication algorithms presently supported](https://github.com/open-quantum-safe/oqs-provider#algorithms) can be used. ``` # create and enter directory to contain keys and certificates @@ -161,8 +165,8 @@ docker run -v `pwd`/server-pki:/opt/tmp -it openquantumsafe/curl \ curl --cacert /opt/tmp/CA.crt https://haproxy.server.my.org:4433 ``` -Again, if you don't have your own server and want to test on a local machine, start both of them in a docker network (adding the option `--network haproxy-test`). +Again, if you don't have your own server and want to test on a local machine, start both of them in a docker network (adding the option `--network haproxy-test`). ## Disclaimer -[THIS IS NOT FIT FOR PRODUCTIVE USE](https://github.com/open-quantum-safe/openssl#limitations-and-security). +[THIS IS NOT FIT FOR PRODUCTIVE USE](https://github.com/open-quantum-safe/oqs-provider#component-disclaimer). 
diff --git a/haproxy/conf/haproxy.cfg b/haproxy/conf/haproxy.cfg index 2e889e9e..b93c5604 100644 --- a/haproxy/conf/haproxy.cfg +++ b/haproxy/conf/haproxy.cfg @@ -20,9 +20,7 @@ listen stats frontend oqs.ha.proxy bind :8088 - # set any QSC KEM algorithm in the curves parameter, e.g. these: - # if you want to test a default group, be sure to include a level 1 hybrid: - bind :4433 ssl crt /opt/haproxy/certkey.pem curves p384_frodo976shake:p256_frodo640shake:kyber768 + bind :4433 ssl crt /opt/haproxy/certkey.pem curves @@CURVES@@ http-request redirect scheme https unless { ssl_fc } default_backend web_servers diff --git a/httpd/Dockerfile b/httpd/Dockerfile index fbd27aff..5dc893d9 100644 --- a/httpd/Dockerfile +++ b/httpd/Dockerfile @@ -2,11 +2,17 @@ # First: global build arguments: +# define the alpine image version to use +ARG ALPINE_VERSION=3.20 + +# define the openssl tag to be used +ARG OPENSSL_TAG=openssl-3.3.2 + # define the liboqs tag to be used -ARG LIBOQS_TAG=main +ARG LIBOQS_TAG=0.11.0 # define the oqsprovider tag to be used -ARG OQSPROVIDER_TAG=main +ARG OQSPROVIDER_TAG=0.7.0 # liboqs build type variant; maximum portability of image: ARG LIBOQS_BUILD_DEFINES="-DOQS_DIST_BUILD=ON" @@ -37,10 +43,9 @@ ARG APR_MIRROR="https://dlcdn.apache.org" ARG MAKE_DEFINES="-j 2" -FROM alpine:3.13 as intermediate -# ToDo: Upgrade possible if https://wiki.alpinelinux.org/wiki/Release_Notes_for_Alpine_3.14.0#faccessat2 addressed - +FROM alpine:${ALPINE_VERSION} as intermediate # Take in global args +ARG OPENSSL_TAG ARG LIBOQS_TAG ARG OQSPROVIDER_TAG ARG LIBOQS_BUILD_DEFINES 
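Review bot: The new `bind :4433 ssl crt /opt/haproxy/certkey.pem curves @@CURVES@@` line carries a build-time placeholder without saying so, and the comments that previously explained the `curves` parameter were removed with it; anyone who takes this file from the repository and uses it directly will presumably see haproxy reject the literal `@@CURVES@@`. A comment above the line would make the contract explicit: `# @@CURVES@@ is replaced at image build time with the KEM_ALGLIST build argument (colon-separated list of TLS groups, in preference order)`.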
@@ -64,30 +69,33 @@ RUN apk add build-base linux-headers \ # get sources WORKDIR /opt RUN git clone --depth 1 --branch ${LIBOQS_TAG} https://github.com/open-quantum-safe/liboqs && \ - git clone --depth 1 --branch master https://github.com/openssl/openssl ossl-src && \ + git clone --depth 1 --branch ${OPENSSL_TAG} https://github.com/openssl/openssl ossl-src && \ git clone --depth 1 --branch ${OQSPROVIDER_TAG} https://github.com/open-quantum-safe/oqs-provider && \ wget ${APR_MIRROR}/apr/apr-${APR_VERSION}.tar.gz && tar xzvf apr-${APR_VERSION}.tar.gz && \ wget ${APR_MIRROR}/apr/apr-util-${APRU_VERSION}.tar.gz && tar xzvf apr-util-${APRU_VERSION}.tar.gz && \ wget --trust-server-names "https://archive.apache.org/dist/httpd/httpd-${HTTPD_VERSION}.tar.gz" && tar -zxvf httpd-${HTTPD_VERSION}.tar.gz; -# build OpenSSL3 (latest); make libs detectable to old (APRU) tooling not knowing about lib64 +# build OpenSSL3 WORKDIR /opt/ossl-src -RUN ./config no-shared --prefix=${OPENSSL_PATH} && \ +RUN LDFLAGS="-Wl,-rpath -Wl,${OPENSSL_PATH}/lib64" ./config no-shared --prefix=${OPENSSL_PATH} && \ make ${MAKE_DEFINES} && make install_sw install_ssldirs && \ - ln -s ${OPENSSL_PATH}/lib64 ${OPENSSL_PATH}/lib; + if [ -d ${OPENSSL_PATH}/lib64 ]; then ln -s ${OPENSSL_PATH}/lib64 ${OPENSSL_PATH}/lib; fi && \ + if [ -d ${OPENSSL_PATH}/lib ]; then ln -s ${OPENSSL_PATH}/lib ${OPENSSL_PATH}/lib64; fi # build liboqs (shared lib only for oqsprovider) WORKDIR /opt/liboqs RUN mkdir build && cd build && cmake -G"Ninja" .. 
${LIBOQS_BUILD_DEFINES} -DBUILD_SHARED_LIBS=ON -DCMAKE_INSTALL_PREFIX=${OPENSSL_PATH} && ninja && ninja install -# create openssl.cnf activating oqsprovider & setting default groups -RUN sed -i "s/default = default_sect/default = default_sect\noqsprovider = oqsprovider_sect/g" ${OPENSSL_PATH}/ssl/openssl.cnf && sed -i "s/\[default_sect\]/\[default_sect\]\nactivate = 1\n\[oqsprovider_sect\]\nactivate = 1\n/g" ${OPENSSL_PATH}/ssl/openssl.cnf && sed -i "s/providers = provider_sect/providers = provider_sect\nssl_conf = ssl_sect\n\n\[ssl_sect\]\nsystem_default = system_default_sect\n\n\[system_default_sect\]\nGroups = \$ENV\:\:DEFAULT_GROUPS\n/g" ${OPENSSL_PATH}/ssl/openssl.cnf && sed -i "s/HOME\t\t\t= ./HOME\t\t= .\nDEFAULT_GROUPS\t= ${DEFAULT_GROUPS}/g" ${OPENSSL_PATH}/ssl/openssl.cnf - - # build oqs-provider WORKDIR /opt/oqs-provider RUN rm -rf build && cmake -DCMAKE_BUILD_TYPE=Debug -DOPENSSL_ROOT_DIR=${OPENSSL_PATH} -DCMAKE_PREFIX_PATH=${OPENSSL_PATH} -S . -B build && cmake --build build && export MODULESDIR=$(find ${OPENSSL_PATH} -name ossl-modules) && cp build/lib/oqsprovider.so $MODULESDIR/oqsprovider.so +# create openssl.cnf activating oqsprovider & setting default groups +RUN sed -i "s/default = default_sect/default = default_sect\noqsprovider = oqsprovider_sect/g" ${OPENSSL_PATH}/ssl/openssl.cnf && \ + sed -i "s/\[default_sect\]/\[default_sect\]\nactivate = 1\n\[oqsprovider_sect\]\nactivate = 1\n/g" ${OPENSSL_PATH}/ssl/openssl.cnf && \ + sed -i "s/providers = provider_sect/providers = provider_sect\nssl_conf = ssl_sect\n\n\[ssl_sect\]\nsystem_default = system_default_sect\n\n\[system_default_sect\]\nGroups = \$ENV\:\:DEFAULT_GROUPS\n/g" ${OPENSSL_PATH}/ssl/openssl.cnf && \ + sed -i "s/HOME\t\t\t= ./HOME\t\t= .\nDEFAULT_GROUPS\t= ${DEFAULT_GROUPS}/g" ${OPENSSL_PATH}/ssl/openssl.cnf + # build httpd WORKDIR /opt RUN sed -i "s/\$RM \"\$cfgfile\"/\$RM -f \"\$cfgfile\"/g" apr-${APR_VERSION}/configure && \ 
@@ -120,9 +128,9 @@ RUN set -x && \ RUN rm -rf ${HTTPD_PATH}/bin/ab # second stage: Only create minimal image without build tooling and intermediate build results generated above: -FROM alpine:3.13 +FROM alpine:${ALPINE_VERSION} -LABEL version="2" +LABEL version="3" # Take in global args ARG HTTPD_PATH @@ -139,6 +147,8 @@ COPY --from=intermediate /usr/local/apr/lib /usr/local/apr/lib COPY --from=intermediate ${OPENSSL_PATH}/ssl ${OPENSSL_PATH}/ssl COPY --from=intermediate ${OPENSSL_PATH}/lib64 ${OPENSSL_PATH}/lib64 +RUN ln -s ${OPENSSL_PATH}/lib64 ${OPENSSL_PATH}/lib; + COPY httpd-conf/httpd-ssl.conf ${HTTPD_PATH}/httpd-conf/httpd-ssl.conf COPY httpd-conf/httpd.conf ${HTTPD_PATH}/httpd-conf/httpd.conf WORKDIR ${HTTPD_PATH} diff --git a/httpd/README.md b/httpd/README.md index 3851d1ed..44cb3c1b 100644 --- a/httpd/README.md +++ b/httpd/README.md @@ -20,13 +20,17 @@ Complete information how to use the image is [available in the separate file USA The Dockerfile provided allows for significant customization of the image built: +### OPENSSL_TAG + +Tag of `openssl` release to be used. + ### LIBOQS_TAG -Tag of `liboqs` release to be used. Default "main". +Tag of `liboqs` release to be used. ### OQSPROVIDER_TAG -Tag of `oqsprovider` release to be used. Default "main". +Tag of `oqsprovider` release to be used. ### LIBOQS_BUILD_DEFINES @@ -65,3 +69,6 @@ Allow setting parameters to `make` operation, e.g., '-j nnn' where nnn defines t The default is conservative and known not to overload normal machines. If one has a very powerful (many cores, >64GB RAM) machine, passing larger numbers (or only '-j' for maximum parallelism) speeds up building considerably. +### ALPINE_VERSION + +The version of the `alpine` docker image to to be used. diff --git a/httpd/USAGE.md b/httpd/USAGE.md index 2b485cce..98d9f2ee 100644 --- a/httpd/USAGE.md +++ b/httpd/USAGE.md 
@@ -197,4 +197,4 @@ Again, if you don't have your own server and want to test on a local machine, st ## Disclaimer -[THIS IS NOT FIT FOR PRODUCTIVE USE](https://github.com/open-quantum-safe/openssl#limitations-and-security). +[THIS IS NOT FIT FOR PRODUCTIVE USE](https://github.com/open-quantum-safe/liboqs#limitations-and-security). diff --git a/mosquitto/Dockerfile b/mosquitto/Dockerfile index e7409482..67e8e01d 100644 --- a/mosquitto/Dockerfile +++ b/mosquitto/Dockerfile @@ -1,20 +1,28 @@ -# This Dockerfile is made by Chia-Chin Chung <60947091s@gapps.ntnu.edu.tw> -# Multi-stage build +# Original Dockerfile made by Chia-Chin Chung <60947091s@gapps.ntnu.edu.tw> +# Multi-stage build: First the full builder image: -# Global build arguments: +# define the openssl tag to be used +ARG OPENSSL_TAG=openssl-3.3.2 -# define the installation paths -ARG SOURCE_PATH="/usr/local/src" -ARG OPENSSL_LIB_PATH="/usr/local/ssl" +# define the liboqs tag to be used +ARG LIBOQS_TAG=0.11.0 + +# define the oqsprovider tag to be used +ARG OQSPROVIDER_TAG=0.7.0 + +# Default location where all binaries wind up: +ARG INSTALLDIR=/opt/oqssa # liboqs build type variant; maximum portability of image: ARG LIBOQS_BUILD_DEFINES="-DOQS_DIST_BUILD=ON" -# openssl build defines (https://github.com/open-quantum-safe/openssl#build-options) -ARG OPENSSL_BUILD_DEFINES="-DOQS_DEFAULT_GROUPS=kyber512:X25519:p384_kyber768" +# Default KEM algorithms to be utilized +ARG KEM_ALGLIST="kyber768:p384_kyber768" -# define the QSC signature algorithm used for the certificates -ARG SIG_ALG="dilithium2" +# Default Signature algorithm to be used +ARG SIG_ALG="dilithium3" + +ARG MOSQUITTO_TAG=v2.0.20 # define IP addresses or Domain Name ARG BROKER_IP=localhost 
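Review bot: The new `OPENSSL_TAG`, `LIBOQS_TAG`, `OQSPROVIDER_TAG` and `MOSQUITTO_TAG` defaults are consumed by `git clone --depth 1 --branch` further down this file, which pins a tag name rather than a commit; tags are movable references, so the build is reproducible only as long as upstream never re-points them. Recording the expected commit id next to each ARG, or running `git verify-tag` after the clone where upstream signs its release tags, would make the pin verifiable; the same applies to the clone lines in nginx/Dockerfile, nginx/fulltest/Dockerfile and ngtcp2/Dockerfile-client in this commit. The `KEM_ALGLIST` default here is `kyber768:p384_kyber768`, while the mosquitto/README.md change in this commit documents it as `p384_kyber768:kyber768`; the order is meaningful to OpenSSL's `Groups` setting, so the two should agree. `ARG MOSQUITTO_TAG=v2.0.20` is the only new argument without the `# define the ... tag to be used` comment its siblings carry.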
@@ -24,57 +32,83 @@ ARG SUB_IP=localhost # choose the shell script(simple example) ARG EXAMPLE=broker-start.sh - # First stage: the full build image: - -FROM ubuntu:20.04 AS builder -# FROM debian:buster AS builder +FROM ubuntu:22.04 AS builder # Set timezone -ENV TZ=Asia/Taipei +ARG TZ=Europe/London ENV DEBIAN_FRONTEND=noninteractive -ARG SOURCE_PATH -ARG OPENSSL_LIB_PATH +ARG OPENSSL_TAG +ARG LIBOQS_TAG +ARG OQSPROVIDER_TAG +ARG INSTALLDIR +ARG HAPROXYDIR ARG LIBOQS_BUILD_DEFINES -ARG OPENSSL_BUILD_DEFINES +ARG KEM_ALGLIST +ARG MOSQUITTO_TAG # Update image and install all prerequisites -RUN apt update && apt install build-essential vim cmake gcc libtool libssl-dev make ninja-build git doxygen \ - libcjson1 libcjson-dev uthash-dev libcunit1-dev libsqlite3-dev xsltproc docbook-xsl -y && apt clean - -# Get the fork of OQS-OpenSSL_1_1_1-stable -WORKDIR $SOURCE_PATH -RUN git clone --depth 1 --branch OQS-OpenSSL_1_1_1-stable https://github.com/open-quantum-safe/openssl.git OQS-OpenSSL - -# Get and build liboqs, then install it into a subdirectory inside the OQS-OpenSSL folder -RUN git clone --depth 1 --branch main https://github.com/open-quantum-safe/liboqs.git liboqs && \ - cd liboqs && mkdir build && cd build && \ - cmake -GNinja $LIBOQS_BUILD_DEFINES -DBUILD_SHARED_LIBS=ON -DCMAKE_INSTALL_PREFIX=$SOURCE_PATH/OQS-OpenSSL/oqs .. 
&& \ - ninja && ninja install && echo "liboqs installed successfully" || exit 1 - -# Build and install OQS-OpenSSL_1_1_1-stable -WORKDIR $SOURCE_PATH/OQS-OpenSSL -## OS type: x86_64, aarch64 -RUN ./Configure shared linux-x86_64 -lm --prefix=$OPENSSL_LIB_PATH/ \ - --openssldir=$OPENSSL_LIB_PATH/ $OPENSSL_BUILD_DEFINES && \ - make -j$(nproc) && make install && echo "OQS-OpenSSL installed successfully" || exit 1 -# RUN ./Configure shared no-asm linux-aarch64 -lm --prefix=$OPENSSL_LIB_PATH/ \ -# --openssldir=$OPENSSL_LIB_PATH/ $OPENSSL_BUILD_DEFINES && \ -# make -j$(nproc) && make install && echo "OQS-OpenSSL installed successfully" || exit 1 +RUN apt update && apt install -y build-essential \ + cmake \ + gcc \ + libtool \ + libssl-dev \ + make \ + ninja-build \ + git \ + doxygen \ + libcjson1 \ + libcjson-dev \ + uthash-dev \ + libcunit1-dev \ + libsqlite3-dev \ + xsltproc \ + docbook-xsl && \ + apt clean + +# get all sources +WORKDIR /opt +RUN git clone --depth 1 --branch ${LIBOQS_TAG} https://github.com/open-quantum-safe/liboqs && \ + git clone --depth 1 --branch ${OPENSSL_TAG} https://github.com/openssl/openssl.git && \ + git clone --depth 1 --branch ${OQSPROVIDER_TAG} https://github.com/open-quantum-safe/oqs-provider.git && \ + git clone --depth 1 --branch ${MOSQUITTO_TAG} https://github.com/eclipse/mosquitto.git + +# build liboqs +WORKDIR /opt/liboqs +RUN mkdir build && cd build && \ + cmake -G"Ninja" .. ${LIBOQS_BUILD_DEFINES} -DCMAKE_INSTALL_PREFIX=${INSTALLDIR} && \ + ninja install + +# build OpenSSL3 +WORKDIR /opt/openssl +RUN LDFLAGS="-Wl,-rpath -Wl,${INSTALLDIR}/lib64" ./config shared --prefix=${INSTALLDIR} && \ + make -j $(nproc) && \ + make install_sw install_ssldirs && \ + if [ -d ${INSTALLDIR}/lib64 ]; then ln -s ${INSTALLDIR}/lib64 ${INSTALLDIR}/lib; fi && \ + if [ -d ${INSTALLDIR}/lib ]; then ln -s ${INSTALLDIR}/lib ${INSTALLDIR}/lib64; fi + +# set path to use 'new' openssl. 
Dyn libs have been properly linked in to match +ENV PATH="${INSTALLDIR}/bin:${PATH}" + +# build & install provider (and activate by default) +WORKDIR /opt/oqs-provider +RUN ln -s ../openssl . && \ + cmake -DOPENSSL_ROOT_DIR=${INSTALLDIR} -DCMAKE_BUILD_TYPE=Release -DCMAKE_PREFIX_PATH=${INSTALLDIR} -S . -B _build && \ + cmake --build _build && cp _build/lib/oqsprovider.so ${INSTALLDIR}/lib64/ossl-modules && \ + sed -i "s/default = default_sect/default = default_sect\noqsprovider = oqsprovider_sect/g" /opt/oqssa/ssl/openssl.cnf && \ + sed -i "s/\[default_sect\]/\[default_sect\]\nactivate = 1\n\[oqsprovider_sect\]\nactivate = 1\n/g" /opt/oqssa/ssl/openssl.cnf && \ + sed -i "s/providers = provider_sect/providers = provider_sect\nssl_conf = ssl_sect\n\n\[ssl_sect\]\nsystem_default = system_default_sect\n\n\[system_default_sect\]\nGroups = ${KEM_ALGLIST}\n/g" /opt/oqssa/ssl/openssl.cnf # Build and install Mosquitto -WORKDIR $SOURCE_PATH -RUN git clone -b master https://github.com/eclipse/mosquitto.git mosquitto && cd mosquitto && \ - make -j$(nproc) && make install && echo "Mosquitto installed successfully" || exit 1 - +WORKDIR /opt/mosquitto +RUN make -j$(nproc) && \ + make install # Second stage: Only create minimal image: +FROM ubuntu:22.04 +RUN apt update && apt install -y libcjson1 -FROM ubuntu:20.04 -# FROM debian:buster - -ARG OPENSSL_LIB_PATH ARG SIG_ALG ENV SIG_ALG=${SIG_ALG} ARG BROKER_IP @@ -86,8 +120,11 @@ ENV SUB_IP=${SUB_IP} ARG EXAMPLE ENV EXAMPLE=${EXAMPLE} -# Set the TLS_DEFAULT_GROUPS environment variable to permit selection of QSC KEMs(https://github.com/open-quantum-safe/openssl#build-options) -ENV TLS_DEFAULT_GROUPS="kyber512" +ARG KEM_ALGLIST +# Set the TLS_DEFAULT_GROUPS environment variable to permit selection of QSC KEMs, by default the ones associated with the openssl configuration are chosen +ENV TLS_DEFAULT_GROUPS=${KEM_ALGLIST} + +ARG INSTALLDIR # Copy files from the local storage to a destination in the Docker image WORKDIR / 
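Review bot: The three `sed -i` lines that activate the provider edit `/opt/oqssa/ssl/openssl.cnf` literally while every other path in the hunk uses `${INSTALLDIR}`; overriding `INSTALLDIR` at build time leaves the freshly installed config untouched and makes `sed` fail on the missing file, so they should target `${INSTALLDIR}/ssl/openssl.cnf`. The two `if [ -d ... ]` symlink guards in the OpenSSL step are not independent: once the first creates `${INSTALLDIR}/lib`, the second test is true as well and `ln -s ${INSTALLDIR}/lib ${INSTALLDIR}/lib64` drops a stray `lib` link inside the existing `lib64` directory; testing that the target is absent, e.g. `if [ -d ${INSTALLDIR}/lib64 ] && [ ! -e ${INSTALLDIR}/lib ]; then ln -s ${INSTALLDIR}/lib64 ${INSTALLDIR}/lib; fi` and its mirror image, avoids that. Both issues recur in the same form in ngtcp2/Dockerfile-client in this commit. Nothing in the Mosquitto `make -j$(nproc) && make install` step points at `${INSTALLDIR}`, so it presumably links against the distro `libssl-dev` installed above and only picks up the OQS-enabled OpenSSL because the final stage sets `LD_LIBRARY_PATH`; a comment saying so, or passing the include and library paths explicitly, would make that intent visible. `ARG HAPROXYDIR` in the builder stage is referenced nowhere in this Dockerfile and looks carried over from the haproxy demo, and the new second-stage `apt install -y libcjson1` lacks the `apt clean` the builder's install performs.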
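Review bot: `ENV TLS_DEFAULT_GROUPS=${KEM_ALGLIST}` and its comment promise runtime selection of KEMs, but the builder stage writes the literal list into openssl.cnf as `Groups = ${KEM_ALGLIST}` at image build time, and upstream OpenSSL 3 has no built-in handling of a `TLS_DEFAULT_GROUPS` variable (that was a feature of the 1.1.1 fork whose link this hunk removes), so unless the start scripts consume it, which this diff does not show, the variable has no effect. The httpd and nginx Dockerfiles on this page use `Groups = \$ENV\:\:DEFAULT_GROUPS` together with a default assignment in the config; applying the same pattern with `TLS_DEFAULT_GROUPS` here would make the documented knob real, or the comment should state that the list is fixed at build time. The enclosing stage continues outside the hunk.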
@@ -95,28 +132,26 @@ RUN mkdir test ADD . /test RUN chmod 777 /test/* && sed -i 's/\r//' /test/* -# Only keep the necessary library contents in the final image -# OQS-OpenSSL -COPY --from=builder $OPENSSL_LIB_PATH $OPENSSL_LIB_PATH +# openssl +COPY --from=builder ${INSTALLDIR} ${INSTALLDIR} # Mosquitto COPY --from=builder /usr/local/lib /usr/local/lib COPY --from=builder /usr/local/bin /usr/local/bin COPY --from=builder /usr/local/sbin /usr/local/sbin -COPY --from=builder /lib/x86_64-linux-gnu/libcjson.so.1 /lib/x86_64-linux-gnu # Dynamically link to mosquitto RUN ln -s /usr/local/lib/libmosquitto.so.1 /usr/lib/libmosquitto.so.1 && ldconfig -# Dynamically link to OQS-OpenSSL library -ENV LD_LIBRARY_PATH=$OPENSSL_LIB_PATH/lib +# Dynamically link to Newly built OpenSSL +ENV LD_LIBRARY_PATH=$INSTALLDIR/lib64 -# Set path -ENV PATH="/usr/local/bin:/usr/local/sbin:$OPENSSL_LIB_PATH/bin:$PATH" +# Set path +ENV PATH="/usr/local/bin:/usr/local/sbin:${INSTALLDIR}/bin:$PATH" # Generate the CA key and the cert RUN openssl req -x509 -new -newkey $SIG_ALG -keyout /test/CA.key -out /test/CA.crt -nodes -subj "/O=test-ca" -days 3650 -# MQTTS port +# MQTTS port EXPOSE 8883 # Run shell script diff --git a/mosquitto/README.md b/mosquitto/README.md index 589e6d78..eaa03808 100644 --- a/mosquitto/README.md +++ b/mosquitto/README.md 
@@ -1,16 +1,4 @@ -## Warning - -This integration is currently not supported due to [the end of life of oqs-openssl111](https://github.com/open-quantum-safe/openssl#warning). Feel free to vote this back into supported state by visiting [the discussion on the topic](https://github.com/orgs/open-quantum-safe/discussions/1602). - -## Purpose - -This directory contains a Dockerfile that builds [Mosquitto](https://mosquitto.org) with the [OQS OpenSSL 1.1.1 fork](https://github.com/open-quantum-safe/openssl), which allows Mosquitto to negotiate quantum-safe keys and use quantum-safe authentication in TLS 1.3. - -Work to further experiment with the quantum-safe algorithms using the MQTT protocol is ongoing. Questions, comments, corrections, improvements, and other contributions are welcome, e.g., via issues to this project. - -Thanks, - ---Chia-Chin Chung +This directory contains a Dockerfile that builds [Mosquitto](https://mosquitto.org) using OpenSSL v3 using the [OQS provider](https://github.com/open-quantum-safe/oqs-provider), which allows `Moquitto` to negotiate quantum-safe keys and use quantum-safe authentication in TLS 1.3. ## Background 
@@ -22,14 +10,14 @@ The following provides some introduction to Mosquitto: - Introduction: [Beginners Guide To The MQTT Protocol](http://www.steves-internet-guide.com/mqtt/) - Usage: [Mosquitto MQTT Broker](http://www.steves-internet-guide.com/mosquitto-broker/), [Using The Mosquitto_pub and Mosquitto_sub MQTT Client Tools- Examples](http://www.steves-internet-guide.com/mosquitto_pub-sub-clients/) -- Man pages: [Mosquitto Man Pages](https://mosquitto.org/documentation/) +- Man pages: [Mosquitto Man Pages](https://mosquitto.org/documentation/) ## Getting started [Install Docker](https://docs.docker.com/install) and run the following simplified commands in this directory: -1. `docker build -t oqs-mosquitto-img .` This will generate the image with a default QSC algorithm (key exchange: kyber512, authentication: dilithium2 -- see Dockerfile to change). -2. `docker run -it --rm --name oqs-mosquitto -p 8883:8883 oqs-mosquitto-img` +1. `docker build -t oqs-mosquitto .` This will generate the image with a default QSC algorithm (key exchange: kyber768:p384_kyber768, authentication: dilithium3 -- see Dockerfile to change). +2. `docker run -it --rm --name oqs-mosquitto -p 8883:8883 oqs-mosquitto` This will start a docker container that has mosquitto MQTT broker listening for TLS 1.3 connections on port 8883. @@ -41,17 +29,17 @@ Complete information on how to use the image is [available in the separate file The Dockerfile allows for significant customization of the built image: -### SOURCE_PATH +### OPENSSL_TAG -This defines the resultant location of the OQS-OpenSSL, liboqs and Mosquitto installatiions. +Tag of `openssl` release to be used. -By default this is '/usr/local/src'. +### LIBOQS_TAG -### OPENSSL_LIB_PATH +Tag of `liboqs` release to be used. -This defines the resultant location of the OQS-OpenSSL library installatiion. +### OQSPROVIDER_TAG -By default this is '/usr/local/ssl'. +Tag of `oqsprovider` release to be used. ### LIBOQS_BUILD_DEFINES 
@@ -59,23 +47,21 @@ This permits changing the build options for the underlying library with the quan By default, the image is built such as to have maximum portability regardless of CPU type and optimizations available, i.e. to run on the widest possible range of cloud machines. -### OPENSSL_BUILD_DEFINES - -This permits changing the build options for the underlying openssl library containing the quantum safe algorithms. +### SIG_ALG -The default setting defines a range of default algorithms suggested for key exchange. For more information see [the documentation](https://github.com/open-quantum-safe/openssl#default-algorithms-announced). +This defines the quantum-safe cryptographic signature algorithm for the internally generated (demonstration) CA and server certificates. -### KEM_ALG +The default value is 'dilithium3' but can be set to any value documented [here](https://github.com/open-quantum-safe/oqs-provider#algorithms). -This defines the quantum-safe cryptographic key exchange algorithm. +### KEM_ALGLIST -The default value is 'kyber512', but this value can be set to any value documented [here](https://github.com/open-quantum-safe/openssl#key-exchange). +This defines the quantum-safe key exchange mechanisms to be supported. -### SIG_ALG +The default value is `p384_kyber768:kyber768` but can be set to any set of colon separated values documented [here](https://github.com/open-quantum-safe/oqs-provider#algorithms). -This defines the quantum-safe cryptographic signature algorithm for the internally generated server and client certificates. +### MOSQUITTO_TAG -The default value is 'dilithium2' but can be set to any value documented [here](https://github.com/open-quantum-safe/openssl#authentication). +These define the version of Mosquitto to use, currently set to v2.0.20 ### BROKER_IP 
@@ -100,7 +86,3 @@ By default this is 'localhost'. This defines which shell script to use. There are three shell scripts(broker-start.sh, publisher-start.sh, and subscriber-start.sh) that can be used in this directory. By default this is 'broker-start.sh'. - -## License - -All modifications to this repository are released under the same terms as OpenSSL, namely as described in the file [LICENSE](https://github.com/open-quantum-safe/openssl/blob/OQS-OpenSSL_1_1_1-stable/LICENSE). diff --git a/mosquitto/USAGE.md b/mosquitto/USAGE.md index 8c7af5e4..4cb3e321 100644 --- a/mosquitto/USAGE.md +++ b/mosquitto/USAGE.md @@ -1,6 +1,4 @@ -## Purpose - -This is a [mosquitto](https://mosquitto.org) docker image building on the [OQS OpenSSL 1.1.1 fork](https://github.com/open-quantum-safe/openssl), which allows mosquitto to negotiate quantum-safe keys and use quantum-safe authentication using TLS 1.3. +This directory contains a Dockerfile that builds [Mosquitto](https://mosquitto.org) using OpenSSL v3 using the [OQS provider](https://github.com/open-quantum-safe/oqs-provider), which allows `Moquitto` to negotiate quantum-safe keys and use quantum-safe authentication in TLS 1.3. ## Suggested use 
@@ -11,23 +9,23 @@ To communicate between the server(broker) and the client(publisher and subscribe We can use docker network to do a simple test. A docker network named "mosquitto-test": Create a docker network and specify a network segment -``` -docker network create --subnet=172.18.0.0/16 mosquitto-test +```bash +docker network create --subnet=174.18.0.0/16 mosquitto-test ``` Run a Mosquitto MQTT broker -``` -docker run --network mosquitto-test --ip 172.18.0.2 -it --rm --name oqs-mosquitto-broker -e "BROKER_IP=172.18.0.2" -e "EXAMPLE=broker-start.sh" oqs-mosquitto-img +```bash +docker run --network mosquitto-test --ip 174.18.0.2 -it --rm --name oqs-mosquitto-broker -e "BROKER_IP=174.18.0.2" -e "EXAMPLE=broker-start.sh" oqs-mosquitto ``` Then run a Mosquitto MQTT subscriber -``` -docker run --network mosquitto-test --ip 172.18.0.3 -it --rm --name oqs-mosquitto-subscriber -e "BROKER_IP=172.18.0.2" -e "SUB_IP=172.18.0.3" -e "EXAMPLE=subscriber-start.sh" oqs-mosquitto-img +```bash +docker run --network mosquitto-test --ip 174.18.0.3 -it --rm --name oqs-mosquitto-subscriber -e "BROKER_IP=174.18.0.2" -e "SUB_IP=174.18.0.3" -e "EXAMPLE=subscriber-start.sh" oqs-mosquitto ``` Finally run a Mosquitto MQTT publisher -``` -docker run --network mosquitto-test --ip 172.18.0.4 -it --rm --name oqs-mosquitto-publisher -e "BROKER_IP=172.18.0.2" -e "PUB_IP=172.18.0.4" -e "EXAMPLE=publisher-start.sh" oqs-mosquitto-img +```bash +docker run --network mosquitto-test --ip 174.18.0.4 -it --rm --name oqs-mosquitto-publisher -e "BROKER_IP=174.18.0.2" -e "PUB_IP=174.18.0.4" -e "EXAMPLE=publisher-start.sh" oqs-mosquitto ``` According to these steps, we can do a simple MQTT test including a broker, a subscriber, and a publisher. If you want to do more experiments, you can use other options below. 
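Review bot: The example subnet changes from `172.18.0.0/16`, which is inside the RFC 1918 range 172.16.0.0/12, to `174.18.0.0/16`, which is publicly routable address space; a docker network created with it will shadow real internet destinations for the containers attached to it. If the intent was to avoid a clash with Docker's default bridge range, another private block such as `172.28.0.0/16` keeps the example safe, and the four `--ip`, `BROKER_IP`, `SUB_IP` and `PUB_IP` values in this hunk should follow it.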
@@ -38,22 +36,22 @@ By the way, the docker image has already generated a CA certificate and a CA key ### Authentication algorithm -This mosquitto image supports all quantum-safe signature algorithms [presently supported by OQS-OpenSSL](https://github.com/open-quantum-safe/openssl#authentication). If you want to control with algorithm is actually used, you can set an environment variable when running the Docker container, e.g., requesting the Falcon512 variant: +This mosquitto image is capable of supporting all quantum-safe signature algorithms listed [here](https://github.com/open-quantum-safe/oqs-provider#algorithms). If you want to control with algorithm is actually used, you can set an environment variable when running the Docker container, e.g., requesting the dilithium5 variant: -``` -docker run -it --rm --name oqs-mosquitto-demo -p 8883:8883 -e "BROKER_IP=" -e "SIG_ALG=falcon512" oqs-mosquitto-img +```bash +docker run -it --rm --name oqs-mosquitto-demo -p 8883:8883 -e "BROKER_IP=" -e "SIG_ALG=dilithium5" oqs-mosquitto ``` ### Set the TLS_DEFAULT_GROUPS -`TLS_DEFAULT_GROUPS` is an environment variable that allows selection of QSC KEMs. This supports the colon-separated list of KEM algorithms. This option only works if the SSL_CTX_set1_groups_list API call has not been used. You can see [here](https://github.com/open-quantum-safe/openssl#build-options). +`TLS_DEFAULT_GROUPS` is an environment variable that allows selection of QSC KEMs. This supports the colon-separated list of KEM algorithms. You can only select either the complete list or subset of what was defined in `KEM_ALGLIST` when the docker image was built. ### Change Mosquitto instructions or configurations There are three shell scripts(broker-start.sh, publisher-start.sh, and subscriber-start.sh) that can be used in this directory. 
Use subscriber as an example: -``` -docker run -it --rm --name oqs-mosquitto-demo -p 8883:8883 -e "BROKER_IP=" -e "EXAMPLE=subscriber-start.sh" oqs-mosquitto-img +```bash +docker run -it --rm --name oqs-mosquitto-demo -p 8883:8883 -e "BROKER_IP=" -e "EXAMPLE=subscriber-start.sh" oqs-mosquitto ``` If you want to change Mosquitto's instructions, you can modify instructions to what you want in these scripts. If you also want to change Mosquitto broker's configuration file, you can modify this to what you want in 'broker-start.sh'. diff --git a/nginx/Dockerfile b/nginx/Dockerfile index b9c53f4a..ed7431f3 100644 --- a/nginx/Dockerfile +++ b/nginx/Dockerfile @@ -2,11 +2,17 @@ # First: global build arguments: +# define the alpine image version to use +ARG ALPINE_VERSION=3.20 + +# define the openssl tag to be used +ARG OPENSSL_TAG=openssl-3.3.2 + # define the liboqs tag to be used -ARG LIBOQS_TAG=main +ARG LIBOQS_TAG=0.11.0 # define the oqsprovider tag to be used -ARG OQSPROVIDER_TAG=main +ARG OQSPROVIDER_TAG=0.7.0 # liboqs build type variant; maximum portability of image: ARG LIBOQS_BUILD_DEFINES="-DOQS_DIST_BUILD=ON" @@ -24,15 +30,15 @@ ARG SIG_ALG="dilithium3" ARG DEFAULT_GROUPS=x25519:x448:kyber512:p256_kyber512:kyber768:p384_kyber768:kyber1024:p521_kyber1024 # define the nginx version to include -ARG NGINX_VERSION=1.25.2 +ARG NGINX_VERSION=1.27.2 # Define the degree of parallelism when building the image; leave the number away only if you know what you are doing ARG MAKE_DEFINES="-j 18" -FROM alpine:3.13 as intermediate -# ToDo: Upgrade possible if https://wiki.alpinelinux.org/wiki/Release_Notes_for_Alpine_3.14.0#faccessat2 addressed +FROM alpine:${ALPINE_VERSION} as intermediate # Take in global args +ARG OPENSSL_TAG ARG LIBOQS_TAG ARG OQSPROVIDER_TAG ARG BASEDIR 
@@ -56,7 +62,7 @@ RUN apk add build-base linux-headers \ WORKDIR /opt RUN git clone --depth 1 --branch ${LIBOQS_TAG} https://github.com/open-quantum-safe/liboqs && \ git clone --depth 1 --branch ${OQSPROVIDER_TAG} https://github.com/open-quantum-safe/oqs-provider.git && \ - git clone --depth 1 --branch master https://github.com/openssl/openssl.git && \ + git clone --depth 1 --branch ${OPENSSL_TAG} https://github.com/openssl/openssl.git && \ wget nginx.org/download/nginx-${NGINX_VERSION}.tar.gz && tar -zxvf nginx-${NGINX_VERSION}.tar.gz; # build liboqs (static only) 
@@ -72,12 +78,25 @@ RUN ./configure --prefix=${INSTALLDIR} \ make ${MAKE_DEFINES} && make install; # create openssl.cnf activating oqsprovider & setting default groups -RUN mkdir -p ${OSSLDIR=}/ssl && cp /opt/openssl/apps/openssl.cnf ${OSSLDIR}/ssl/ && sed -i "s/default = default_sect/default = default_sect\noqsprovider = oqsprovider_sect/g" ${OSSLDIR}/ssl/openssl.cnf && sed -i "s/\[default_sect\]/\[default_sect\]\nactivate = 1\n\[oqsprovider_sect\]\nactivate = 1\n/g" ${OSSLDIR}/ssl/openssl.cnf && sed -i "s/providers = provider_sect/providers = provider_sect\nssl_conf = ssl_sect\n\n\[ssl_sect\]\nsystem_default = system_default_sect\n\n\[system_default_sect\]\nGroups = \$ENV\:\:DEFAULT_GROUPS\n/g" ${OSSLDIR}/ssl/openssl.cnf && sed -i "s/HOME\t\t\t= ./HOME\t\t= .\nDEFAULT_GROUPS\t= ${DEFAULT_GROUPS}/g" ${OSSLDIR}/ssl/openssl.cnf +RUN mkdir -p ${OSSLDIR=}/ssl && \ + cp /opt/openssl/apps/openssl.cnf ${OSSLDIR}/ssl/ && \ + sed -i "s/default = default_sect/default = default_sect\noqsprovider = oqsprovider_sect/g" ${OSSLDIR}/ssl/openssl.cnf && \ + sed -i "s/\[default_sect\]/\[default_sect\]\nactivate = 1\n\[oqsprovider_sect\]\nactivate = 1\n/g" ${OSSLDIR}/ssl/openssl.cnf && \ + sed -i "s/providers = provider_sect/providers = provider_sect\nssl_conf = ssl_sect\n\n\[ssl_sect\]\nsystem_default = system_default_sect\n\n\[system_default_sect\]\nGroups = \$ENV\:\:DEFAULT_GROUPS\n/g" ${OSSLDIR}/ssl/openssl.cnf && \ + sed -i "s/HOME\t\t\t= ./HOME\t\t= .\nDEFAULT_GROUPS\t= ${DEFAULT_GROUPS}/g" ${OSSLDIR}/ssl/openssl.cnf # build oqsprovider WORKDIR /opt/oqs-provider -RUN ln -s /opt/nginx/include/oqs ${OSSLDIR}/include && rm -rf build && cmake -DCMAKE_BUILD_TYPE=Debug -DOPENSSL_ROOT_DIR=${OSSLDIR} -DCMAKE_PREFIX_PATH=$INSTALLDIR -S . 
-B build && cmake --build build && export MODULESDIR=$(find ${OSSLDIR} -name ossl-modules) && cp build/lib/oqsprovider.so $MODULESDIR && mkdir -p ${OSSLDIR}/lib64 && ln -s ${OSSLDIR}/lib/ossl-modules ${OSSLDIR}/lib64 && rm -rf ${INSTALLDIR}/lib64 +RUN ln -s /opt/nginx/include/oqs ${OSSLDIR}/include && \ + rm -rf build && \ + cmake -DCMAKE_BUILD_TYPE=Debug -DOPENSSL_ROOT_DIR=${OSSLDIR} -DCMAKE_PREFIX_PATH=$INSTALLDIR -S . -B build && \ + cmake --build build && \ + export MODULESDIR=$(find ${OSSLDIR} -name ossl-modules) && \ + cp build/lib/oqsprovider.so $MODULESDIR && \ + mkdir -p ${OSSLDIR}/lib64 && \ + ln -s ${OSSLDIR}/lib/ossl-modules ${OSSLDIR}/lib64 && \ + rm -rf ${INSTALLDIR}/lib64 WORKDIR ${INSTALLDIR} @@ -100,7 +119,7 @@ RUN set -x && \ RUN rm ${OSSLDIR}/bin/* # second stage: Only create minimal image without build tooling and intermediate build results generated above: -FROM alpine:3.13 +FROM alpine:${ALPINE_VERSION} # Take in global args ARG LIBOQS_BUILD_DEFINES ARG INSTALLDIR @@ -108,7 +127,7 @@ ARG SIG_ALG ARG BASEDIR ARG OSSLDIR=${BASEDIR}/openssl/.openssl -LABEL version="2" +LABEL version="3" RUN apk add pcre-dev diff --git a/nginx/README.md b/nginx/README.md index b62bc593..13ff7c1f 100644 --- a/nginx/README.md +++ b/nginx/README.md @@ -17,13 +17,17 @@ Complete information how to use the image is [available in the separate file USA The Dockerfile provided allows for significant customization of the image built: +### OPENSSL_TAG + +Tag of `openssl` release to be used. + ### LIBOQS_TAG -Tag of `liboqs` release to be used. Default "main". +Tag of `liboqs` release to be used. ### OQSPROVIDER_TAG -Tag of `oqsprovider` release to be used. Default "main". +Tag of `oqsprovider` release to be used. ### LIBOQS_BUILD_DEFINES 
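Review bot: The rewritten `mkdir -p ${OSSLDIR=}/ssl` keeps the `=` inside the braces; in sh that is the assign-default form and only behaves as intended because `OSSLDIR` happens to be set, so while the line is being reformatted it should become `mkdir -p ${OSSLDIR}/ssl`. The provider in the same hunk is still configured with `-DCMAKE_BUILD_TYPE=Debug` although it is copied into the minimal runtime image, while the mosquitto and ngtcp2 builders in this commit use `Release`; aligning on `Release` avoids shipping a debug build of the TLS provider. `export MODULESDIR=$(find ${OSSLDIR} -name ossl-modules)` yields an empty target for the following `cp` when `find` matches nothing, which fails with an unhelpful message; a `[ -n "$MODULESDIR" ]` check before the copy makes that failure explicit.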
@@ -66,3 +70,7 @@ The default version set is known to work OK but one could try any value availabl Allow setting parameters to `make` operation, e.g., '-j nnn' where nnn defines the number of jobs run in parallel during build. The default is conservative and known not to overload normal machines. If one has a very powerful (many cores, >64GB RAM) machine, passing larger numbers (or only '-j' for maximum parallelism) speeds up building considerably. + +### ALPINE_VERSION + +The version of the `alpine` docker image to to be used. diff --git a/nginx/USAGE.md b/nginx/USAGE.md index 32ef217e..13b3aa23 100644 --- a/nginx/USAGE.md +++ b/nginx/USAGE.md @@ -201,4 +201,4 @@ Again, if you don't have your own server and want to test on a local machine, st ## Disclaimer -[THIS IS NOT FIT FOR PRODUCTIVE USE](https://github.com/open-quantum-safe/openssl#limitations-and-security). +[THIS IS NOT FIT FOR PRODUCTIVE USE](https://github.com/open-quantum-safe/liboqs#limitations-and-security). diff --git a/nginx/fulltest/Dockerfile b/nginx/fulltest/Dockerfile index c0882943..f12356b6 100644 --- a/nginx/fulltest/Dockerfile +++ b/nginx/fulltest/Dockerfile @@ -3,11 +3,11 @@ # First: global build arguments: # liboqs build type variant; maximum portability of image: -ARG LIBOQS_VERSION=0.10.1 +ARG LIBOQS_TAG=0.11.0 -ARG OPENSSL_VERSION=master +ARG OPENSSL_TAG=openssl-3.3.2 -ARG OQS_PROVIDER_VERSION=0.6.1 +ARG OQSPROVIDER_TAG=0.6.1 ARG LIBOQS_BUILD_DEFINES="-DOQS_DIST_BUILD=ON" @@ -26,7 +26,7 @@ ARG SIG_ALG="dilithium3" ARG DEFAULT_GROUPS=x25519:x448:prime256v1:secp384r1:secp521r1:kyber512:x25519_kyber768:p256_kyber512:kyber768:p384_kyber768:kyber1024:p521_kyber1024 # define the nginx version to include -ARG NGINX_VERSION=1.26.1 +ARG NGINX_VERSION=1.27.2 # Define the degree of parallelism when building the image; leave the number away only if you know what you are doing ARG MAKE_DEFINES="-j" 
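Review bot: `ARG OQSPROVIDER_TAG=0.6.1` in the nginx/fulltest hunk stays at the old provider release while `LIBOQS_TAG` moves to 0.11.0, whereas every other Dockerfile in this commit pairs liboqs 0.11.0 with oqs-provider 0.7.0; unless 0.6.1 is known to build against liboqs 0.11.0 this image should move to `ARG OQSPROVIDER_TAG=0.7.0` as well, or the mismatch deserves a comment. The renamed arguments are consumed by the `@@ -39`, `@@ -56`, `@@ -112` and `@@ -153` hunks, so any remaining `*_VERSION` reference in the unshown part of the file would now expand to an empty string; a search for the old names is worth doing before merge. The builder base `ubuntu:focal-20230412` visible in the `@@ -39` hunk header is left untouched while the alpine demos move to 3.20, which seems at odds with the commit's stated aim.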
@@ -39,9 +39,9 @@ FROM ubuntu:focal-20230412 as intermediate ARG BASEDIR ARG CONFIGDIR ARG CAROOTDIR -ARG LIBOQS_VERSION -ARG OPENSSL_VERSION -ARG OQS_PROVIDER_VERSION +ARG LIBOQS_TAG +ARG OPENSSL_TAG +ARG OQSPROVIDER_TAG ARG LIBOQS_BUILD_DEFINES ARG INSTALLDIR ARG SIG_ALG @@ -56,9 +56,9 @@ RUN apt update && apt install -y sed libpcre3 libpcre3-dev libtool automake auto # get OQS sources WORKDIR /opt -RUN git clone --depth 1 --branch ${LIBOQS_VERSION} https://github.com/open-quantum-safe/liboqs && \ - git clone --depth 1 --branch ${OQS_PROVIDER_VERSION} https://github.com/open-quantum-safe/oqs-provider.git && \ - git clone --depth 1 --branch ${OPENSSL_VERSION} https://github.com/openssl/openssl.git && \ +RUN git clone --depth 1 --branch ${LIBOQS_TAG} https://github.com/open-quantum-safe/liboqs && \ + git clone --depth 1 --branch ${OQSPROVIDER_TAG} https://github.com/open-quantum-safe/oqs-provider.git && \ + git clone --depth 1 --branch ${OPENSSL_TAG} https://github.com/openssl/openssl.git && \ wget nginx.org/download/nginx-${NGINX_VERSION}.tar.gz && tar -zxvf nginx-${NGINX_VERSION}.tar.gz; # build liboqs (static only) @@ -112,10 +112,10 @@ RUN for i in 128 192 256; do echo "seclevel:$i"; OPENSSL_MODULES=${OSSLDIR}/lib6 RUN python3 genconfig.py -RUN sed -i "s/LIBOQS_RELEASE/${LIBOQS_VERSION}/g" index-base.html -RUN sed -i "s/OQSPROVIDER_RELEASE/${OQS_PROVIDER_VERSION}/g" index-base.html -#RUN sed -i "s/LIBOQS_RELEASE/${LIBOQS_VERSION}/g" chromium-base.html -#RUN sed -i "s/OQSPROVIDER_RELEASE/${OQS_PROVIDER_VERSION}/g" chromium-base.html +RUN sed -i "s/LIBOQS_RELEASE/${LIBOQS_TAG}/g" index-base.html +RUN sed -i "s/OQSPROVIDER_RELEASE/${OQSPROVIDER_TAG}/g" index-base.html +#RUN sed -i "s/LIBOQS_RELEASE/${LIBOQS_TAG}/g" chromium-base.html +#RUN sed -i "s/OQSPROVIDER_RELEASE/${OQSPROVIDER_TAG}/g" chromium-base.html RUN rm -rf ${INSTALLDIR}/pki RUN rm -rf ${INSTALLDIR}/logs/* 
@@ -153,7 +153,7 @@ COPY --from=intermediate ${OSSLDIR} ${OSSLDIR} COPY --from=intermediate ${CAROOTDIR} ${CAROOTDIR} # Package for deployment -RUN tar czvf oqs-nginx-${LIBOQS_VERSION}.tgz ${BASEDIR} +RUN tar czvf oqs-nginx-${LIBOQS_TAG}.tgz ${BASEDIR} # Package for root CA cert and key -RUN tar czvf oqs-testserver-rootca-${LIBOQS_VERSION}.tgz ${CAROOTDIR} +RUN tar czvf oqs-testserver-rootca-${LIBOQS_TAG}.tgz ${CAROOTDIR} diff --git a/nginx/fulltest/chromium-template b/nginx/fulltest/chromium-template index abee3f2a..3d06868a 100644 --- a/nginx/fulltest/chromium-template +++ b/nginx/fulltest/chromium-template @@ -50,7 +50,7 @@ tr:nth-child(even) {

Caveats

    -
  1. This test server by no means should be taken as containing production-ready software. See disclaimer. Its purpose is simply to provide a best-effort facility to allow anyone to "test-drive" QSC software packages including testing protocol level interoperability.
  2. +
  3. This test server by no means should be taken as containing production-ready software. See disclaimer. Its purpose is simply to provide a best-effort facility to allow anyone to "test-drive" QSC software packages including testing protocol level interoperability.
diff --git a/nginx/fulltest/index-template b/nginx/fulltest/index-template index 3b7087e0..297b0893 100644 --- a/nginx/fulltest/index-template +++ b/nginx/fulltest/index-template @@ -47,7 +47,7 @@ tr:nth-child(even) {

Caveats

    -
  1. This test server by no means should be taken as containing production-ready software. See disclaimer. Its purpose is simply to provide a best-effort facility to allow anyone to "test-drive" QSC software packages including testing protocol level interoperability.
  2. +
  3. This test server by no means should be taken as containing production-ready software. See disclaimer. Its purpose is simply to provide a best-effort facility to allow anyone to "test-drive" QSC software packages including testing protocol level interoperability.
  4. When using the OQS-enabled Chromium build to access this web site, please heed its usage instructions.
  5. When using the OQS-enabled GNOME Web/epiphany browser to access this web site, all ports can be accessed, provided the browser is suitably started enabling the algorithms of interest. Please read the documentation how to do this. diff --git a/ngtcp2/Dockerfile-client b/ngtcp2/Dockerfile-client index f6c96869..47a85140 100644 --- a/ngtcp2/Dockerfile-client +++ b/ngtcp2/Dockerfile-client @@ -1,10 +1,27 @@ # Multi-stage build: First the full builder image: -FROM alpine as intermediate + +# define the alpine image version to use +ARG ALPINE_VERSION=3.20 + +FROM alpine:${ALPINE_VERSION} as intermediate ENV DEBIAN_FRONTEND=noninteractive -ARG LIBOQS_TAG=main -ARG OQSPROVIDER_TAG=main +# define the quictls openssl tag to be used +ARG OPENSSLQUIC_TAG=openssl-3.1.7-quic1 + +# define the liboqs tag to be used +ARG LIBOQS_TAG=0.11.0 + +# define the oqsprovider tag to be used +ARG OQSPROVIDER_TAG=0.7.0 + +# define the nghttp3 tag to be used +ARG NGHTTP3_TAG=v1.6.0 + +# define the ngtcp2 tag to be used +ARG NGTCP2_TAG=v1.5.0 + ARG INSTALLDIR=/opt/oqssa # Update image and apt software @@ -18,10 +35,10 @@ WORKDIR /opt # get all sources RUN git clone --depth 1 --branch ${LIBOQS_TAG} https://github.com/open-quantum-safe/liboqs && \ - git clone --depth 1 --branch openssl-3.0.8+quic https://github.com/quictls/openssl.git && \ + git clone --depth 1 --branch ${OPENSSLQUIC_TAG} https://github.com/quictls/openssl.git && \ git clone --depth 1 --branch ${OQSPROVIDER_TAG} https://github.com/open-quantum-safe/oqs-provider.git && \ - git clone --depth 1 --branch main https://github.com/ngtcp2/nghttp3 && \ - git clone --depth 1 --branch main https://github.com/ngtcp2/ngtcp2 + git clone --depth 1 --branch ${NGHTTP3_TAG} https://github.com/ngtcp2/nghttp3 && \ + git clone --depth 1 --branch ${NGTCP2_TAG} https://github.com/ngtcp2/ngtcp2 # build liboqs WORKDIR /opt/liboqs 
@@ -31,17 +48,24 @@ RUN mkdir build && cd build && cmake -GNinja -DCMAKE_INSTALL_PREFIX=${INSTALLDIR # build openssl 3 WORKDIR /opt/openssl RUN LDFLAGS="-Wl,-rpath -Wl,${INSTALLDIR}/lib64" ./config shared --prefix=${INSTALLDIR} && \ - make ${MAKE_DEFINES} && make install_sw install_ssldirs; + make ${MAKE_DEFINES} && make install_sw install_ssldirs && \ + if [ -d ${INSTALLDIR}/lib64 ]; then ln -s ${INSTALLDIR}/lib64 ${INSTALLDIR}/lib; fi && \ + if [ -d ${INSTALLDIR}/lib ]; then ln -s ${INSTALLDIR}/lib ${INSTALLDIR}/lib64; fi # build & install provider (and activate by default) WORKDIR /opt/oqs-provider -RUN ln -s ../openssl . && cmake -DOPENSSL_ROOT_DIR=${INSTALLDIR} -DCMAKE_BUILD_TYPE=Release -DCMAKE_PREFIX_PATH=${INSTALLDIR} -S . -B _build && cmake --build _build && cp _build/lib/oqsprovider.so ${INSTALLDIR}/lib64/ossl-modules && sed -i "s/default = default_sect/default = default_sect\noqsprovider = oqsprovider_sect/g" /opt/oqssa/ssl/openssl.cnf && sed -i "s/\[default_sect\]/\[default_sect\]\nactivate = 1\n\[oqsprovider_sect\]\nactivate = 1\n/g" /opt/oqssa/ssl/openssl.cnf && sed -i "s/providers = provider_sect/providers = provider_sect\nssl_conf = ssl_sect\n\n\[ssl_sect\]\nsystem_default = system_default_sect\n\n\[system_default_sect\]\nGroups = \$ENV\:\:KEM_ALG\n/g" /opt/oqssa/ssl/openssl.cnf && sed -i "s/\# Use this in order to automatically load providers/\# Set default KEM alg if not set via environment variable\nKEM_ALG = kyber512\n\n# Use this in order to automatically load providers/g" /opt/oqssa/ssl/openssl.cnf +RUN ln -s ../openssl . && \ + cmake -DOPENSSL_ROOT_DIR=${INSTALLDIR} -DCMAKE_BUILD_TYPE=Release -DCMAKE_PREFIX_PATH=${INSTALLDIR} -S . 
-B _build && \ + cmake --build _build && cp _build/lib/oqsprovider.so ${INSTALLDIR}/lib64/ossl-modules && \ + sed -i "s/default = default_sect/default = default_sect\noqsprovider = oqsprovider_sect/g" /opt/oqssa/ssl/openssl.cnf && \ + sed -i "s/\[default_sect\]/\[default_sect\]\nactivate = 1\n\[oqsprovider_sect\]\nactivate = 1\n/g" /opt/oqssa/ssl/openssl.cnf && \ + sed -i "s/providers = provider_sect/providers = provider_sect\nssl_conf = ssl_sect\n\n\[ssl_sect\]\nsystem_default = system_default_sect\n\n\[system_default_sect\]\nGroups = \$ENV\:\:KEM_ALG\n/g" /opt/oqssa/ssl/openssl.cnf && \ + sed -i "s/\# Use this in order to automatically load providers/\# Set default KEM alg if not set via environment variable\nKEM_ALG = kyber512\n\n# Use this in order to automatically load providers/g" /opt/oqssa/ssl/openssl.cnf # build nghttp3 WORKDIR /opt/nghttp3 -RUN autoreconf -i && ./configure --prefix=$PWD/build --enable-lib-only && make -j$(nproc) check && make install - +RUN git submodule update --init && autoreconf -i && ./configure --prefix=$PWD/build --enable-lib-only && make -j$(nproc) check && make install # build ngtcp2 WORKDIR /opt/ngtcp2 @@ -59,7 +83,7 @@ RUN mkdir /opt/lib && cd /opt/lib && \ cp /usr/lib/libgcc_s.so.* . ## second stage: Only create minimal image without build tooling and intermediate build results generated above: -FROM alpine as dev +FROM alpine:${ALPINE_VERSION} as dev ENV DEBIAN_FRONTEND=noninteractive RUN apk update && apk upgrade @@ -71,3 +95,5 @@ COPY --from=intermediate /opt/ngtcp2/examples/qtlsclient /usr/local/bin COPY --from=intermediate /opt/lib /usr/local/lib COPY --from=intermediate /opt/oqssa/lib64/ossl-modules/oqsprovider.so /opt/oqssa/lib64/ossl-modules/oqsprovider.so COPY --from=intermediate /opt/oqssa/ssl/openssl.cnf /opt/oqssa/ssl/openssl.cnf + +RUN ln -s /opt/oqssa/lib64 /opt/oqssa/lib; diff --git a/ngtcp2/Dockerfile-server b/ngtcp2/Dockerfile-server index 583d6274..fd739a50 100644 --- a/ngtcp2/Dockerfile-server 
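Review bot: The two `if [ -d … ]` lines added to the openssl build step are not mutually exclusive: when OpenSSL installs into `lib64`, the first creates `lib -> lib64`, after which `[ -d ${INSTALLDIR}/lib ]` is also true and `ln -s ${INSTALLDIR}/lib ${INSTALLDIR}/lib64` runs against an existing directory, which creates `lib64/lib -> lib` — a symlink loop rather than a no-op — and `ln` exits 0 so the build never reports it. Turning the second branch into an `elif` removes the overlap: `if [ -d ${INSTALLDIR}/lib64 ]; then ln -s ${INSTALLDIR}/lib64 ${INSTALLDIR}/lib; elif [ -d ${INSTALLDIR}/lib ]; then ln -s ${INSTALLDIR}/lib ${INSTALLDIR}/lib64; fi`. The identical lines are added in the corresponding Dockerfile-server hunk and reflowed in the openssl3/Dockerfile hunk for `INSTALLDIR_OPENSSL`. A short comment such as `# OpenSSL installs to lib or lib64 depending on the target; expose both names` would also explain why the step exists.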
+++ b/ngtcp2/Dockerfile-server @@ -1,10 +1,27 @@ # Multi-stage build: First the full builder image: -FROM alpine as intermediate + +# define the alpine image version to use +ARG ALPINE_VERSION=3.20 + +FROM alpine:${ALPINE_VERSION} as intermediate ENV DEBIAN_FRONTEND=noninteractive -ARG LIBOQS_TAG=main -ARG OQSPROVIDER_TAG=main +# define the quictls openssl tag to be used +ARG OPENSSLQUIC_TAG=openssl-3.1.7-quic1 + +# define the liboqs tag to be used +ARG LIBOQS_TAG=0.11.0 + +# define the oqsprovider tag to be used +ARG OQSPROVIDER_TAG=0.7.0 + +# define the nghttp3 tag to be used +ARG NGHTTP3_TAG=v1.6.0 + +# define the ngtcp2 tag to be used +ARG NGTCP2_TAG=v1.5.0 + ARG INSTALLDIR=/opt/oqssa # Update image and apt software @@ -18,10 +35,10 @@ WORKDIR /opt # get all sources RUN git clone --depth 1 --branch ${LIBOQS_TAG} https://github.com/open-quantum-safe/liboqs && \ - git clone --depth 1 --branch openssl-3.0.8+quic https://github.com/quictls/openssl.git && \ + git clone --depth 1 --branch ${OPENSSLQUIC_TAG} https://github.com/quictls/openssl.git && \ git clone --depth 1 --branch ${OQSPROVIDER_TAG} https://github.com/open-quantum-safe/oqs-provider.git && \ - git clone --depth 1 --branch main https://github.com/ngtcp2/nghttp3 && \ - git clone --depth 1 --branch main https://github.com/ngtcp2/ngtcp2 + git clone --depth 1 --branch ${NGHTTP3_TAG} https://github.com/ngtcp2/nghttp3 && \ + git clone --depth 1 --branch ${NGTCP2_TAG} https://github.com/ngtcp2/ngtcp2 # build liboqs WORKDIR /opt/liboqs 
@@ -31,17 +48,24 @@ RUN mkdir build && cd build && cmake -GNinja -DCMAKE_INSTALL_PREFIX=${INSTALLDIR # build openssl 3 WORKDIR /opt/openssl RUN LDFLAGS="-Wl,-rpath -Wl,${INSTALLDIR}/lib64" ./config shared --prefix=${INSTALLDIR} && \ - make ${MAKE_DEFINES} && make install_sw install_ssldirs; + make ${MAKE_DEFINES} && make install_sw install_ssldirs && \ + if [ -d ${INSTALLDIR}/lib64 ]; then ln -s ${INSTALLDIR}/lib64 ${INSTALLDIR}/lib; fi && \ + if [ -d ${INSTALLDIR}/lib ]; then ln -s ${INSTALLDIR}/lib ${INSTALLDIR}/lib64; fi # build & install provider (and activate by default) WORKDIR /opt/oqs-provider -RUN ln -s ../openssl . && cmake -DOPENSSL_ROOT_DIR=${INSTALLDIR} -DCMAKE_BUILD_TYPE=Release -DCMAKE_PREFIX_PATH=${INSTALLDIR} -S . -B _build && cmake --build _build && cp _build/lib/oqsprovider.so ${INSTALLDIR}/lib64/ossl-modules && sed -i "s/default = default_sect/default = default_sect\noqsprovider = oqsprovider_sect/g" /opt/oqssa/ssl/openssl.cnf && sed -i "s/\[default_sect\]/\[default_sect\]\nactivate = 1\n\[oqsprovider_sect\]\nactivate = 1\n/g" /opt/oqssa/ssl/openssl.cnf && sed -i "s/providers = provider_sect/providers = provider_sect\nssl_conf = ssl_sect\n\n\[ssl_sect\]\nsystem_default = system_default_sect\n\n\[system_default_sect\]\nGroups = \$ENV\:\:KEM_ALG\n/g" /opt/oqssa/ssl/openssl.cnf && sed -i "s/\# Use this in order to automatically load providers/\# Set default KEM alg if not set via environment variable\nKEM_ALG = kyber512\n\n# Use this in order to automatically load providers/g" /opt/oqssa/ssl/openssl.cnf +RUN ln -s ../openssl . && \ + cmake -DOPENSSL_ROOT_DIR=${INSTALLDIR} -DCMAKE_BUILD_TYPE=Release -DCMAKE_PREFIX_PATH=${INSTALLDIR} -S . 
-B _build && \ + cmake --build _build && cp _build/lib/oqsprovider.so ${INSTALLDIR}/lib64/ossl-modules && \ + sed -i "s/default = default_sect/default = default_sect\noqsprovider = oqsprovider_sect/g" /opt/oqssa/ssl/openssl.cnf && \ + sed -i "s/\[default_sect\]/\[default_sect\]\nactivate = 1\n\[oqsprovider_sect\]\nactivate = 1\n/g" /opt/oqssa/ssl/openssl.cnf && \ + sed -i "s/providers = provider_sect/providers = provider_sect\nssl_conf = ssl_sect\n\n\[ssl_sect\]\nsystem_default = system_default_sect\n\n\[system_default_sect\]\nGroups = \$ENV\:\:KEM_ALG\n/g" /opt/oqssa/ssl/openssl.cnf && \ + sed -i "s/\# Use this in order to automatically load providers/\# Set default KEM alg if not set via environment variable\nKEM_ALG = kyber512\n\n# Use this in order to automatically load providers/g" /opt/oqssa/ssl/openssl.cnf # build nghttp3 WORKDIR /opt/nghttp3 -RUN autoreconf -i && ./configure --prefix=$PWD/build --enable-lib-only && make -j$(nproc) check && make install - +RUN git submodule update --init && autoreconf -i && ./configure --prefix=$PWD/build --enable-lib-only && make -j$(nproc) check && make install # build ngtcp2 WORKDIR /opt/ngtcp2 @@ -63,7 +87,7 @@ RUN mkdir /opt/lib && cd /opt/lib && \ cp /usr/lib/libgcc_s.so.* . ## second stage: Only create minimal image without build tooling and intermediate build results generated above: -FROM alpine as dev +FROM alpine:${ALPINE_VERSION} as dev ENV DEBIAN_FRONTEND=noninteractive RUN apk update && apk upgrade && apk add mailcap && echo "This is my index page">index.html @@ -80,4 +104,6 @@ COPY --from=intermediate /opt/lib /usr/local/lib COPY --from=intermediate /opt/oqssa/lib64/ossl-modules/oqsprovider.so /opt/oqssa/lib64/ossl-modules/oqsprovider.so COPY --from=intermediate /opt/oqssa/ssl/openssl.cnf /opt/oqssa/ssl/openssl.cnf +RUN ln -s /opt/oqssa/lib64 /opt/oqssa/lib; + CMD ["./serverstart.sh"] diff --git a/ngtcp2/README.md b/ngtcp2/README.md index 765a7c55..88cc4af0 100644 --- a/ngtcp2/README.md +++ b/ngtcp2/README.md 
@@ -36,4 +36,4 @@ Documentation for using the client docker image is contained in the separate [US
 ## Disclaimer
-[THIS IS NOT FIT FOR PRODUCTION USE](https://github.com/open-quantum-safe/openssl#limitations-and-security).
+[THIS IS NOT FIT FOR PRODUCTION USE](https://github.com/open-quantum-safe/liboqs#limitations-and-security).
diff --git a/ngtcp2/USAGE-client.md b/ngtcp2/USAGE-client.md
index 328315d9..d30d5073 100644
--- a/ngtcp2/USAGE-client.md
+++ b/ngtcp2/USAGE-client.md
@@ -15,10 +15,10 @@ will run the container for the quantum-safe crypto (QSC) protected ngtcp2 client
 ### ngtcp2 client
 To interact with the ngtcp2 server, run
 ```
-client
    [][--groups ] +qtlsclient
    [][--groups ] ``` -For example, `client ngtcp2server 6000 https://ngtcp2server --groups kyber512` +For example, `qtlsclient ngtcp2server 6000 https://ngtcp2server --groups kyber512` By default the ngtcp2 client supports X25519, P-256, P-384 and P-521 for key exchange but any plain or hybrid QSC (Quantum-Safe Cryptography) algorithm can be selected. [See list of supported key exchange algorithms here](https://github.com/open-quantum-safe/oqs-provider#algorithms). @@ -27,8 +27,8 @@ If multiple algorithms are selected, they are separated with colons. For example, `--groups=kyber512:p256_bikel1` -For more options, run `client --help` +For more options, run `qtlsclient --help` ## Disclaimer -[THIS IS NOT FIT FOR PRODUCTION USE](https://github.com/open-quantum-safe/openssl#limitations-and-security). +[THIS IS NOT FIT FOR PRODUCTION USE](https://github.com/open-quantum-safe/liboqs#limitations-and-security). diff --git a/ngtcp2/USAGE-server.md b/ngtcp2/USAGE-server.md index b5bccf3f..88a8177c 100644 --- a/ngtcp2/USAGE-server.md +++ b/ngtcp2/USAGE-server.md @@ -30,11 +30,11 @@ docker exec -it ngtcp2server sh Once inside the container, start the server using ``` -server
    --groups= +qtlsserver
    --groups= ``` For example, ```sh -server "*" 6000 /certs/server.key /certs/server.crt --groups=kyber512 +qtlsserver "*" 6000 /certs/server.key /certs/server.crt --groups=kyber512 ``` By default the ngtcp2 server supports X25519, P-256, P-384 and P-521 for key exchange but any plain or hybrid QSC (Quantum-Safe Cryptography) algorithm can be selected. [See list of supported key exchange algorithms here](https://github.com/open-quantum-safe/oqs-provider#algorithms). @@ -42,9 +42,9 @@ By default the ngtcp2 server supports X25519, P-256, P-384 and P-521 for key exc If multiple algorithms are selected, they are separated with colons. For example `--groups=kyber512:p256_bikel1` -For more options, run `server --help` +For more options, run `qtlsserver --help` ## Disclaimer -[THIS IS NOT FIT FOR PRODUCTION USE](https://github.com/open-quantum-safe/openssl#limitations-and-security). +[THIS IS NOT FIT FOR PRODUCTION USE](https://github.com/open-quantum-safe/liboqs#limitations-and-security). diff --git a/ngtcp2/serverstart.sh b/ngtcp2/serverstart.sh index 68e1873d..16484f60 100755 --- a/ngtcp2/serverstart.sh +++ b/ngtcp2/serverstart.sh @@ -1,7 +1,7 @@ #!/bin/sh set -e -# Optionally set KEM to one defined in https://github.com/open-quantum-safe/openssl#key-exchange +# Optionally set KEM to one defined in https://github.com/open-quantum-safe/oqs-provider#algorithms if [ "x$KEM_ALG" == "x" ]; then export KEM_ALG=kyber512 fi diff --git a/openlitespeed/README.md b/openlitespeed/README.md index d7745638..1c50fa34 100644 --- a/openlitespeed/README.md +++ b/openlitespeed/README.md 
@@ -1,3 +1,8 @@
+# DEPRECATED
+
+> [!Warning]
+> This integration is longer supported due to lack of interest and support, if you're interested in revitalizing this demo please submit a PR. A previous update attempt can be found [here](https://github.com/open-quantum-safe/oqs-demos/commit/864f56e0015886e1ad931f82a0bbe93a5045eb1d)
+
 OpenLiteSpeed
 ===============
 [OpenLiteSpeed](https://github.com/litespeedtech/openlitespeed) is the Open Source edition of [LiteSpeed Web Server Enterprise](https://www.litespeedtech.com/).
@@ -42,4 +47,4 @@ Documentation for using the client docker image is contained in the separate [US
 ## Disclaimer
-[THIS IS NOT FIT FOR PRODUCTION USE](https://github.com/open-quantum-safe/openssl#limitations-and-security).
+[THIS IS NOT FIT FOR PRODUCTION USE](https://github.com/open-quantum-safe/liboqs#limitations-and-security).
diff --git a/openlitespeed/USAGE-client.md b/openlitespeed/USAGE-client.md
index 74bb86a4..a9a7a11a 100644
--- a/openlitespeed/USAGE-client.md
+++ b/openlitespeed/USAGE-client.md
@@ -43,4 +43,4 @@ For more options, run `quicreach --help`
 ## Disclaimer
-[THIS IS NOT FIT FOR PRODUCTION USE](https://github.com/open-quantum-safe/openssl#limitations-and-security).
+[THIS IS NOT FIT FOR PRODUCTION USE](https://github.com/open-quantum-safe/liboqs#limitations-and-security).
diff --git a/openlitespeed/USAGE-server.md b/openlitespeed/USAGE-server.md
index 2c6c9946..50ca2c09 100644
--- a/openlitespeed/USAGE-server.md
+++ b/openlitespeed/USAGE-server.md
@@ -39,4 +39,4 @@ To reset your WebAdmin Console credentials, run `/usr/local/lsws/admin/misc/admp
 ## Disclaimer
-[THIS IS NOT FIT FOR PRODUCTION USE](https://github.com/open-quantum-safe/openssl#limitations-and-security).
+[THIS IS NOT FIT FOR PRODUCTION USE](https://github.com/open-quantum-safe/liboqs#limitations-and-security).
diff --git a/openssh/Dockerfile b/openssh/Dockerfile
index c7fa959d..21062276 100644
--- a/openssh/Dockerfile
+++ b/openssh/Dockerfile
@@ -1,18 +1,21 @@
 # Multi-stage build: First the full builder image:
+# define the alpine image version to use
+ARG ALPINE_VERSION=3.20
+
 # Default location where all binaries wind up:
 ARG DEFAULT_INSTALL_DIR=/opt/oqs-ssh
 ARG INSTALL_DIR=${DEFAULT_INSTALL_DIR}
 # liboqs version
 # ATTENTION: Changing this could mean that further adaptions in sshd_config and ssh_config are required
-ARG LIBOQS_RELEASE="main"
+ARG LIBOQS_TAG="0.11.0"
 # liboqs build defines (https://github.com/open-quantum-safe/liboqs/wiki/Customizing-liboqs)
 ARG LIBOQS_BUILD_DEFINES=
 # Open quantum safe OpenSSH release
-ARG OQS_OPENSSH_RELEASE="OQS-v8"
+ARG OQS_OPENSSH_RELEASE="OQS-v9"
 # openssh build defines (https://github.com/open-quantum-safe/openssh#step-2-build-the-fork)
 ARG OPENSSH_BUILD_OPTIONS=
@@ -25,10 +28,10 @@ ARG MAKE_INSTALL="install-nokeys"
 ARG OQS_USER="oqs"
 ARG OQS_PASSWORD="Pa55W0rd"
-FROM alpine:3.13 as intermediate
+FROM alpine:${ALPINE_VERSION} as intermediate
 # Take in all global args
 ARG INSTALL_DIR
-ARG LIBOQS_RELEASE
+ARG LIBOQS_TAG
 ARG LIBOQS_BUILD_DEFINES
 ARG OQS_OPENSSH_RELEASE
 ARG OPENSSH_BUILD_OPTIONS
@@ -36,7 +39,7 @@ ARG MAKE_DEFINES
 ARG MAKE_INSTALL
 ARG OQS_USER
-LABEL version="2"
+LABEL version="3"
 ENV DEBIAN_FRONTEND noninteractive
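Review bot: Renaming the build argument `LIBOQS_RELEASE` to `LIBOQS_TAG` changes the documented build interface without a fallback: a `docker build --build-arg LIBOQS_RELEASE=…` written against the previous README will, as far as I can tell, only produce an unconsumed-build-arg warning and silently build 0.11.0 instead. Either keep the old name as an alias for one image version, something like `ARG LIBOQS_RELEASE=` followed by `ARG LIBOQS_TAG=${LIBOQS_RELEASE:-0.11.0}`, or call the rename out next to the new definition, e.g. `# renamed from LIBOQS_RELEASE in image version 3`. The `ATTENTION` comment above it is still accurate, since this commit does have to touch ssh_config and sshd_config for the new liboqs; it would help to extend it with `# (see the HostKeyAlgorithms/PubkeyAcceptedKeyTypes/IdentityFile/HostKey lines there)` so a future bump knows which directives to revisit.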
@@ -53,13 +56,17 @@ RUN apk add gcc musl-dev linux-headers \ # get all sources WORKDIR /opt -RUN git clone --depth 1 --branch ${LIBOQS_RELEASE} https://github.com/open-quantum-safe/liboqs && \ +RUN git clone --depth 1 --branch ${LIBOQS_TAG} https://github.com/open-quantum-safe/liboqs && \ git clone --depth 1 --branch ${OQS_OPENSSH_RELEASE} https://github.com/open-quantum-safe/openssh ossh-src; # build liboqs static (does not work with shared lib!) WORKDIR /opt/liboqs # RUN mkdir build && cd build && cmake .. ${LIBOQS_BUILD_DEFINES} -DBUILD_SHARED_LIBS=ON -DCMAKE_INSTALL_PREFIX=/opt/ossh-src/oqs && make ${MAKE_DEFINES} && make install -RUN mkdir build-static && cd build-static && cmake .. ${LIBOQS_BUILD_DEFINES} -DCMAKE_BUILD_TYPE=${LIBOQS_BUILD_TYPE} -DBUILD_SHARED_LIBS=OFF -DCMAKE_INSTALL_PREFIX=/opt/ossh-src/oqs && make ${MAKE_DEFINES} && make install +RUN mkdir build-static && \ + cd build-static && \ + cmake .. ${LIBOQS_BUILD_DEFINES} -DCMAKE_BUILD_TYPE=${LIBOQS_BUILD_TYPE} -DBUILD_SHARED_LIBS=OFF -DCMAKE_INSTALL_PREFIX=/opt/ossh-src/oqs && \ + make ${MAKE_DEFINES} && \ + make install # builds and installs OQS-OpenSSH WORKDIR /opt/ossh-src @@ -78,7 +85,7 @@ STOPSIGNAL SIGTERM ## second stage: Only create minimal image without build tooling and intermediate build results generated above: -FROM alpine:3.13 as dev +FROM alpine:${ALPINE_VERSION} as dev # Take in all global args ARG DEFAULT_INSTALL_DIR ARG INSTALL_DIR 
@@ -93,7 +100,9 @@ RUN apk update \ COPY --from=intermediate ${INSTALL_DIR} ${INSTALL_DIR} # Create a normal user to be able to log into the system via ssh -RUN addgroup --gid 1000 --system ${OQS_USER} && adduser --uid 1000 --system ${OQS_USER} --ingroup ${OQS_USER} --shell /bin/sh && echo -e -e "${OQS_PASSWORD}\n${OQS_PASSWORD}\n" | passwd ${OQS_USER} +RUN addgroup --gid 1000 --system ${OQS_USER} && \ + adduser --uid 1000 --system ${OQS_USER} --ingroup ${OQS_USER} --shell /bin/sh && \ + echo -e -e "${OQS_PASSWORD}\n${OQS_PASSWORD}\n" | passwd ${OQS_USER} # Set up login shell: Add ssh-binaries to path for ssh login shell, fix /etc/profile not executing /etc/profile.d/* RUN sed -i "s|PATH=|PATH=${INSTALL_DIR}/bin:|;s|/etc/profile.d/\*\.sh|/etc/profile.d/\*|" /etc/profile diff --git a/openssh/README.md b/openssh/README.md index ebf6b44e..fd27116a 100644 --- a/openssh/README.md +++ b/openssh/README.md @@ -44,7 +44,7 @@ The first command adds user `` (yourself) to the group `docker`, and the s ## General information The Dockerfile -- obtains all source code required for building the quantum safe cryptography (QSC) algorithms and the [QSC-enabled version of OpenSSH (7.9-2020-08_p1)](https://github.com/open-quantum-safe/openssh/releases/tag/OQS-OpenSSH-snapshot-2020-08) +- obtains all source code required for building the quantum safe cryptography (QSC) algorithms and the [QSC-enabled version of OpenSSH (9.7)](https://github.com/open-quantum-safe/openssh/releases/tag/OQS-OpenSSH-snapshot-2024-08) - builds all libraries and applications - creates a second user `oqs` with the default password `Pa55W0rd` - by default starts the openssh daemon\* 
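Review bot: The reflowed `RUN` still passes `echo -e -e` on its last line; the repeated `-e` is a leftover that busybox `echo` tolerates but reads like a typo, and `echo -e "${OQS_PASSWORD}\n${OQS_PASSWORD}\n" | passwd ${OQS_USER}` is all that is needed. More importantly, the password comes from the build-time `ARG OQS_PASSWORD` with its `Pa55W0rd` default, so the plaintext value appears in the image's build history and every image built from the defaults shares the same credential for the `oqs` account. That is fine for a demo, but a comment at this line such as `# demo credential: override with --build-arg OQS_PASSWORD=… for anything beyond local testing` would make the expectation explicit, and setting the password from the start script instead of at build time would keep it out of the image entirely.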
@@ -57,7 +57,7 @@ The Dockerfile ## Updating the liboqs version -Currently the used version of liboqs is [0.4.0](https://github.com/open-quantum-safe/liboqs/releases/tag/0.4.0). Be aware that upon changing this version, which can be done in the [Dockerfile](Dockerfile), the default algorithms may change. If this is the case [sshd_config](sshd_config)/[sshd_config](sshd_config) must be updated accordingly. +Currently the used version of liboqs is [0.11.0](https://github.com/open-quantum-safe/liboqs/releases/tag/0.11.0). Be aware that upon changing this version, which can be done in the [Dockerfile](Dockerfile), the default algorithms may change. If this is the case [sshd_config](sshd_config)/[sshd_config](sshd_config) must be updated accordingly. # Usage @@ -67,9 +67,9 @@ Detailed information on how to use the image is available in [the separate file The Dockerfile provided allows for some customization of the image built. Those build arguments can be used at buildtime via the flag `--build-arg`, e.g. `docker build --build-arg INSTALL_DIR="/some/directory/" -t name-of-image .`. -## LIBOQS_RELEASE +## LIBOQS_TAG -Tag of `liboqs` release to be used. Default "main". +Tag of `liboqs` release to be used. ## INSTALL_DIR @@ -79,7 +79,7 @@ By default this is `/opt/oqs-ssh`. When it is changed, every occurrence of this ## LIBOQS_BUILD_DEFINES -This permits changing the build options for the underlying library with the quantum safe algorithms. All possible options are documented [here](https://github.com/open-quantum-safe/liboqs/wiki/Customizing-liboqs). +This permits changing the build options for the underlying library with the quantum safe algorithms. All possible options are documented [here](https://github.com/open-quantum-safe/liboqs/blob/main/CONFIGURE.md). By default, the image is built such as to have maximum portability regardless of CPU type and optimizations available, i.e. to run on the widest possible range of cloud machines. 
diff --git a/openssh/USAGE.md b/openssh/USAGE.md index dfb1f3b7..a6f3dbdb 100644 --- a/openssh/USAGE.md +++ b/openssh/USAGE.md @@ -1,6 +1,6 @@ # Purpose -This is an [opensshd](https://https.openssh.com) docker image based on the [OQS OpenSSH 7.9 fork](https://github.com/open-quantum-safe/openssh), which allows ssh to quantum-safely negotiate session keys and use quantum-safe authentication with algorithms from the [Post-Quantum Cryptography Project by NIST](https://csrc.nist.gov/projects/post-quantum-cryptography). +This is an [opensshd](https://https.openssh.com) docker image based on the [OQS OpenSSH 9.7 fork](https://github.com/open-quantum-safe/openssh), which allows ssh to quantum-safely negotiate session keys and use quantum-safe authentication with algorithms from the [Post-Quantum Cryptography Project by NIST](https://csrc.nist.gov/projects/post-quantum-cryptography). This image has a built-in non-root user to permit execution without particular [docker privileges](https://docs.docker.com/engine/reference/run/#runtime-privilege-and-linux-capabilities). This is necessary as logging in as root in ssh is not recommended practice. But it is worth to note that this user, per default called `oqs`, is not set as the default user when the image starts. The reason for that is that the the start up script needs root permissions to generate all host keys and start the sshd service. This means that when executing a command as the user `oqs`, the `docker exec` command needs to be used together with the option `--user oqs`. 
@@ -175,7 +175,7 @@ docker exec -it /opt/oqs-ssh/scripts/key-gen.sh For a list of all signature and key exchange algorithms see [here](https://github.com/open-quantum-safe/openssh#supported-algorithms). Be aware that there is a limitation of what algorithms are enabled in PQS-OpenSSH per default, more information in the section **Enabling additional PQC algorithms** below. It is recommended to only use the hybrid variants to maintain established classical security. The post-quantum safe algorithms have not yet received enough confidence to be relied on as the only security mechanism. -The image's default key exchange algorithm is `ecdh-nistp384-kyber-768-sha384`. For host and identity keys (server and client authentication, respectively) the `ssh-ecdsa-nistp384-dilithium3` algorithm is used. Those algorithms may be changed by adjusting the files `ssh_config` and `sshd_config` respectively. +The image's default key exchange algorithm is `ecdh-nistp384-kyber-768-sha384`. For host and identity keys (server and client authentication, respectively) the `ssh-ecdsa-nistp384-mldsa65` algorithm is used. Those algorithms may be changed by adjusting the files `ssh_config` and `sshd_config` respectively. **In `ssh_config` (client side)** - `KexAlgorithms`: Comma-separated list of enabled key-exchange algorithms. Priority given by order. Names according to [this KEX naming scheme](https://github.com/open-quantum-safe/openssh#key-exchange). 
@@ -203,9 +203,9 @@ The generation of the host and identity keys happens via the script [key-gen.sh] Which keys to generate is determined using the configuration files (`ssh_config` and `sshd_config`). The need for a specific key is determined based on the following parameters: 1. `IdentityFile` (in `ssh_config`) for **identity keys**: For every entry (there may be multiple) the corresponding identity key is generated. - e.g. `IdentityFile ~/.ssh/id_ed25519` or - - `IdentityFile ~/.ssh/id_ssh-ecdsa-nistp384-dilithium3` + - `IdentityFile ~/.ssh/id_ssh-ecdsa-nistp384-mldsa65` 2. `HostKey` (in `sshd_config`) for **host keys**: For every entry (there may be multiple) the corresponding host key is generated. - - e.g. `HostKey /opt/oqs-ssh/ssh_host_ssh-ecdsa-nistp384-dilithium3_key` or + - e.g. `HostKey /opt/oqs-ssh/ssh_host_ssh-ecdsa-nistp384-mldsa65_key` or - `HostKey /opt/oqs-ssh/ssh_host_ssh-falcon512_key` In order to generate the host keys and start the `sshd` the image needs to be run as the `root` user, meaning the `docker run` command shall not contain the `--user oqs` option. 
@@ -218,10 +218,10 @@ The location where `key-gen.sh` is looking for `ssh_config`/`sshd_config` is the Post-quantum safe algorithms must (in theory) be enabled at docker image build time when compiling [OQS-OpenSSH](https://github.com/open-quantum-safe/openssh). For this reason, in this pre-built image on Dockerhub no more algorithms can be enabled. However, before jumping over to the [build instructions](https://github.com/open-quantum-safe/oqs-demos/tree/main/openssh), please continue reading as there is a big BUT. -Long story short: Thus far, no more algorithms may be enabled for this Docker image than described [here](https://github.com/open-quantum-safe/openssh/tree/OQS-OpenSSH-snapshot-2020-08#supported-algorithms). Find out **More details on the why** below. +Long story short: Thus far, no more algorithms may be enabled for this Docker image than described [here](https://github.com/open-quantum-safe/openssh/tree/OQS-OpenSSH-snapshot-2024-08#supported-algorithms). Find out **More details on the why** below. ### More details on the why -It is not quite straight forward how to figure out what PQC algorithms are actually enabled, where to enable them and how. The supported algorithms in release `OQS-OpenSSH-snapshot-2020-08` (the one used when building this Docker image) are listed [in this section](https://github.com/open-quantum-safe/openssh/tree/OQS-OpenSSH-snapshot-2020-08#supported-algorithms). Be especially aware of the limitation for the signature algorithms, where only all L1 signature algorithms and all **Rainbow Classic** variants are enabled by default. **Classic** rainbow only, documentation has it slightly wrong there. This is corrected and clarified in more detail [in newer releases](https://github.com/open-quantum-safe/openssh#digital-signature). +It is not quite straight forward how to figure out what PQC algorithms are actually enabled, where to enable them and how. 
The supported algorithms in release `OQS-OpenSSH-snapshot-2024-08` (the one used when building this Docker image) are listed [in this section](https://github.com/open-quantum-safe/openssh/tree/OQS-OpenSSH-snapshot-2024-08#supported-algorithms). Be especially aware of the limitation for the signature algorithms, where only all L1 signature algorithms and all **Rainbow Classic** variants are enabled by default. **Classic** rainbow only, documentation has it slightly wrong there. This is corrected and clarified in more detail [in newer releases](https://github.com/open-quantum-safe/openssh#digital-signature). Enabling more algorithms would require changing [openssh/oqs_templates/generate.yml](https://github.com/open-quantum-safe/openssh/blob/OQS-master/oqs-template/generate.yml) according to [this documentation](https://github.com/open-quantum-safe/openssh/wiki/Using-liboqs-supported-algorithms-in-the-fork#code-generation). Additionally, you need to make sure that the algorithms are enabled in [liboqs](https://github.com/open-quantum-safe/liboqs) as well (see [here for more information](https://github.com/open-quantum-safe/liboqs/wiki/Customizing-liboqs#oqs_enable_kem_algoqs_enable_sig_alg)). Enabling more algorithms in `liboqs` can be done at Docker build time using the build option `LIBOQS_BUILD_DEFINES`. But enabling them in `OpenSSH` would require changing [openssh/oqs_templates/generate.yml](https://github.com/open-quantum-safe/openssh/blob/OQS-master/oqs-template/generate.yml) after checking out `openssh` in the [Dockerfile](https://github.com/open-quantum-safe/oqs-demos/tree/main/openssh/Dockerfile), and in this docker image this is just not implemented at this moment in time. 
@@ -234,9 +234,9 @@ To enable classical SSH support on client side, edit/add lines in [ssh_config]([
 ```
 KexAlgorithms ecdh-nistp384-kyber-768-sha384@openquantumsafe.org,curve25519-sha256@libssh.org
-HostKeyAlgorithms ssh-ecdsa-nistp384-dilithium3,ssh-ed25519
+HostKeyAlgorithms ssh-ecdsa-nistp384-mldsa65,ssh-ed25519
-PubkeyAcceptedKeyTypes ssh-ecdsa-nistp384-dilithium3,ssh-ed25519
+PubkeyAcceptedKeyTypes ssh-ecdsa-nistp384-mldsa65,ssh-ed25519
 IdentityFile ~/.ssh/id_ed25519
 ```
@@ -246,9 +246,9 @@ For adding support for classical SSH on server side, edit/add lines in [sshd_con
 ```
 KexAlgorithms ecdh-nistp384-kyber-768-sha384@openquantumsafe.org,curve25519-sha256
-HostKeyAlgorithms ssh-ecdsa-nistp384-dilithium3,ssh-ed25519
+HostKeyAlgorithms ssh-ecdsa-nistp384-mldsa65,ssh-ed25519
-PubkeyAcceptedKeyTypes ssh-ecdsa-nistp384-dilithium3,ssh-ed25519
+PubkeyAcceptedKeyTypes ssh-ecdsa-nistp384-mldsa65,ssh-ed25519
 HostKey /opt/oqs-ssh/ssh_host_ed25519_key
 ```
diff --git a/openssh/connect-test.sh b/openssh/connect-test.sh
index d44565c8..df01d0bf 100755
--- a/openssh/connect-test.sh
+++ b/openssh/connect-test.sh
@@ -8,7 +8,7 @@ rc-service oqs-sshd stop
 # default options
 OPTIONS=${OPTIONS:="-q -o BatchMode=yes -o StrictHostKeyChecking=no"}
-SIG=${SIG_ALG:="ecdsa-nistp384-dilithium3"}
+SIG=${SIG_ALG:="ecdsa-nistp384-mldsa65"}
 KEM=${KEM_ALG:="ecdh-nistp384-kyber-768r3-sha384-d00@openquantumsafe.org"}
 # Generate new identity keys, overwrite old keys
diff --git a/openssh/serverstart.sh b/openssh/serverstart.sh
index ede9f6ab..a20a439b 100755
--- a/openssh/serverstart.sh
+++ b/openssh/serverstart.sh
@@ -4,7 +4,7 @@ OPTIONS=${OPTIONS:=""}
-SIG=${SIG_ALG:="ecdsa-nistp384-dilithium3"}
+SIG=${SIG_ALG:="ecdsa-nistp384-mldsa65"}
 KEM=${KEM_ALG:="ecdh-nistp384-kyber-768r3-sha384-d00@openquantumsafe.org"}
 # Optionally set port
diff --git a/openssh/ssh_config b/openssh/ssh_config
index 92de28f4..594c51ac 100644
--- a/openssh/ssh_config
+++ b/openssh/ssh_config
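Review bot: The `SIG` default moves to `ecdsa-nistp384-mldsa65` here and in the serverstart.sh hunk, but the `KEM` default on the next context line stays at `ecdh-nistp384-kyber-768r3-sha384-d00@openquantumsafe.org`, while the USAGE.md hunks just above document the same image's key exchange as `ecdh-nistp384-kyber-768-sha384@openquantumsafe.org` in the classical-SSH examples and `ecdh-nistp384-kyber-768-sha384` in the defaults paragraph. The scripts, the `KexAlgorithms` lines in the ssh_config/sshd_config hunks that follow, and the docs therefore do not describe one default KEX name; I cannot tell from the diff which spelling OQS-v9 actually accepts, so it is worth checking against the fork's supported-algorithm list and aligning all of them on it. A comment above the `KEM=` line naming the source of the identifier, e.g. `# KEX name as listed in the OQS-OpenSSH snapshot-2024-08 README`, would stop the drift from recurring on the next bump.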
@@ -25,10 +25,10 @@ KexAlgorithms ecdh-nistp384-kyber-768r3-sha384-d00@openquantumsafe.org
 # The host key algorithms ssh accepts
-HostKeyAlgorithms ssh-ecdsa-nistp384-dilithium3
+HostKeyAlgorithms ssh-ecdsa-nistp384-mldsa65
 # The algorithms used for public key authentication
-PubkeyAcceptedKeyTypes ssh-ecdsa-nistp384-dilithium3
+PubkeyAcceptedKeyTypes ssh-ecdsa-nistp384-mldsa65
 # Define how unknown host keys should be handled
 #StrictHostKeyChecking ask
@@ -45,7 +45,7 @@ Port 2222
 #IdentityFile ~/.ssh/id_ssh-falcon512
-IdentityFile ~/.ssh/id_ssh-ecdsa-nistp384-dilithium3
+IdentityFile ~/.ssh/id_ssh-ecdsa-nistp384-mldsa65
 #IdentityFile ~/.ssh/id_ssh-ecdsa-nistp256-falcon512
 #IdentityFile ~/.ssh/id_ssh-rsa3072-falcon512
diff --git a/openssh/sshd_config b/openssh/sshd_config
index fd260729..a3d2cf23 100644
--- a/openssh/sshd_config
+++ b/openssh/sshd_config
@@ -18,10 +18,10 @@ KexAlgorithms ecdh-nistp384-kyber-768r3-sha384-d00@openquantumsafe.org
 # Host key algorithms, these determine the generated host keys
-HostKeyAlgorithms ssh-ecdsa-nistp384-dilithium3
+HostKeyAlgorithms ssh-ecdsa-nistp384-mldsa65
 # Those determine the accepted public keys for public key authentication
-PubkeyAcceptedKeyTypes ssh-ecdsa-nistp384-dilithium3
+PubkeyAcceptedKeyTypes ssh-ecdsa-nistp384-mldsa65
 # The port sshd is listening on
 Port 2222
@@ -35,7 +35,7 @@ Port 2222
 #HostKey /opt/oqs-ssh/ssh_host_ssh-falcon512_key
-HostKey /opt/oqs-ssh/ssh_host_ssh-ecdsa-nistp384-dilithium3_key
+HostKey /opt/oqs-ssh/ssh_host_ssh-ecdsa-nistp384-mldsa65_key
 #HostKey /opt/oqs-ssh/ssh_host_ssh-ecdsa-nistp256-falcon512_key
 #HostKey /opt/oqs-ssh/ssh_host_ssh-rsa3072-falcon512_key
diff --git a/openssl3/Dockerfile b/openssl3/Dockerfile
index 52ea59d9..31c90b16 100644
--- a/openssl3/Dockerfile
+++ b/openssl3/Dockerfile
@@ -1,5 +1,17 @@ # Multi-stage build: First the full builder image: +# define the alpine image version to use +ARG ALPINE_VERSION=3.20 + +# define the openssl tag to be used +ARG OPENSSL_TAG=openssl-3.3.2 + +# define the liboqs tag to be used +ARG LIBOQS_TAG=0.11.0 + +# define the oqsprovider tag to be used +ARG OQSPROVIDER_TAG=0.7.0 + ARG INSTALLDIR_OPENSSL=/opt/openssl32 ARG INSTALLDIR_LIBOQS=/opt/liboqs @@ -11,15 +23,16 @@ ARG MAKE_DEFINES="-j 8" ARG SIG_ALG="dilithium3" -FROM alpine:3.13 as buildopenssl +FROM alpine:${ALPINE_VERSION} as buildopenssl # Take in all global args +ARG OPENSSL_TAG ARG INSTALLDIR_OPENSSL ARG INSTALLDIR_LIBOQS ARG LIBOQS_BUILD_DEFINES ARG MAKE_DEFINES ARG SIG_ALG -LABEL version="1" +LABEL version="2" ENV DEBIAN_FRONTEND noninteractive RUN apk update && apk upgrade 
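Review bot: `ARG OPENSSL_TAG=openssl-3.3.2`, `ARG LIBOQS_TAG=0.11.0` and `ARG OQSPROVIDER_TAG=0.7.0` pin to git tags, and the later `git clone --depth 1 --branch ${...}` steps take whatever commit the tag resolves to at build time; a tag is a mutable ref, so the pin improves reproducibility but is not tamper-evident on its own. Consider recording the expected commit next to each tag, e.g. `ARG OPENSSL_COMMIT=<commit-sha placeholder>`, and asserting it after the clone with `test "$(git rev-parse HEAD)" = "${OPENSSL_COMMIT}"`, or verifying the tag signature where upstream signs releases. The same applies to the ARG hunk of openssl3/Dockerfile-interop and to the openvpn/Dockerfile hunk that adds `OPENSSL_TAG` and `OPENVPN_TAG`.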
@@ -31,22 +44,26 @@ RUN apk add build-base linux-headers \ git wget # get current openssl sources -RUN mkdir /optbuild && cd /optbuild && git clone --depth 1 --branch master https://github.com/openssl/openssl.git +RUN mkdir /optbuild && cd /optbuild && git clone --depth 1 --branch ${OPENSSL_TAG} https://github.com/openssl/openssl.git # build OpenSSL3 WORKDIR /optbuild/openssl RUN LDFLAGS="-Wl,-rpath -Wl,${INSTALLDIR_OPENSSL}/lib64" ./config shared --prefix=${INSTALLDIR_OPENSSL} && \ - make ${MAKE_DEFINES} && make install && if [ -d ${INSTALLDIR_OPENSSL}/lib64 ]; then ln -s ${INSTALLDIR_OPENSSL}/lib64 ${INSTALLDIR_OPENSSL}/lib; fi && if [ -d ${INSTALLDIR_OPENSSL}/lib ]; then ln -s ${INSTALLDIR_OPENSSL}/lib ${INSTALLDIR_OPENSSL}/lib64; fi + make ${MAKE_DEFINES} && \ + make install && \ + if [ -d ${INSTALLDIR_OPENSSL}/lib64 ]; then ln -s ${INSTALLDIR_OPENSSL}/lib64 ${INSTALLDIR_OPENSSL}/lib; fi && \ + if [ -d ${INSTALLDIR_OPENSSL}/lib ]; then ln -s ${INSTALLDIR_OPENSSL}/lib ${INSTALLDIR_OPENSSL}/lib64; fi -FROM alpine:3.13 as buildliboqs +FROM alpine:${ALPINE_VERSION} as buildliboqs # Take in all global args +ARG LIBOQS_TAG ARG INSTALLDIR_OPENSSL ARG INSTALLDIR_LIBOQS ARG LIBOQS_BUILD_DEFINES ARG MAKE_DEFINES ARG SIG_ALG -LABEL version="1" +LABEL version="2" ENV DEBIAN_FRONTEND noninteractive # Get all software packages required for builing liboqs: 
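Review bot: The two `if [ -d ... ]` symlink steps at the end of the OpenSSL build RUN are both taken when `lib64` exists: the first creates `lib -> lib64`, so the second's `[ -d ${INSTALLDIR_OPENSSL}/lib ]` is then true as well and `ln -s ${INSTALLDIR_OPENSSL}/lib ${INSTALLDIR_OPENSSL}/lib64` runs against an existing directory, which appears to drop a `lib` link inside `lib64` rather than create the intended alias. An `elif` keeps the second link only for the case where just `lib` exists: `if [ -d ${INSTALLDIR_OPENSSL}/lib64 ]; then ln -s ${INSTALLDIR_OPENSSL}/lib64 ${INSTALLDIR_OPENSSL}/lib; elif [ -d ${INSTALLDIR_OPENSSL}/lib ]; then ln -s ${INSTALLDIR_OPENSSL}/lib ${INSTALLDIR_OPENSSL}/lib64; fi`. The same line is repeated in the openssl3/Dockerfile-interop hunk that rewraps the OpenSSL build.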
@@ -58,20 +75,24 @@ RUN apk add build-base linux-headers \ # Get OpenSSL image (from cache) COPY --from=buildopenssl ${INSTALLDIR_OPENSSL} ${INSTALLDIR_OPENSSL} -RUN mkdir /optbuild && cd /optbuild && git clone --depth 1 --branch main https://github.com/open-quantum-safe/liboqs +RUN mkdir /optbuild && cd /optbuild && git clone --depth 1 --branch ${LIBOQS_TAG} https://github.com/open-quantum-safe/liboqs WORKDIR /optbuild/liboqs -RUN mkdir build && cd build && cmake -G"Ninja" .. -DOPENSSL_ROOT_DIR=${INSTALLDIR_OPENSSL} ${LIBOQS_BUILD_DEFINES} -DCMAKE_INSTALL_PREFIX=${INSTALLDIR_LIBOQS} && ninja install +RUN mkdir build && \ + cd build && \ + cmake -G"Ninja" .. -DOPENSSL_ROOT_DIR=${INSTALLDIR_OPENSSL} ${LIBOQS_BUILD_DEFINES} -DCMAKE_INSTALL_PREFIX=${INSTALLDIR_LIBOQS} && \ + ninja install -FROM alpine:3.13 as buildoqsprovider +FROM alpine:${ALPINE_VERSION} as buildoqsprovider # Take in all global args +ARG OQSPROVIDER_TAG ARG INSTALLDIR_OPENSSL ARG INSTALLDIR_LIBOQS ARG LIBOQS_BUILD_DEFINES ARG MAKE_DEFINES ARG SIG_ALG -LABEL version="1" +LABEL version="2" ENV DEBIAN_FRONTEND noninteractive # Get all software packages required for builing oqsprovider @@ -79,7 +100,7 @@ RUN apk add build-base linux-headers \ libtool cmake ninja \ git wget -RUN mkdir /optbuild && cd /optbuild && git clone --depth 1 --branch main https://github.com/open-quantum-safe/oqs-provider.git +RUN mkdir /optbuild && cd /optbuild && git clone --depth 1 --branch ${OQSPROVIDER_TAG} https://github.com/open-quantum-safe/oqs-provider.git # Get openssl32 and liboqs COPY --from=buildopenssl ${INSTALLDIR_OPENSSL} ${INSTALLDIR_OPENSSL} 
@@ -87,7 +108,14 @@ COPY --from=buildliboqs ${INSTALLDIR_LIBOQS} ${INSTALLDIR_LIBOQS} # build & install provider (and activate by default) WORKDIR /optbuild/oqs-provider -RUN liboqs_DIR=${INSTALLDIR_LIBOQS} cmake -DOPENSSL_ROOT_DIR=${INSTALLDIR_OPENSSL} -DCMAKE_BUILD_TYPE=Release -DCMAKE_PREFIX_PATH=${INSTALLDIR_OPENSSL} -S . -B _build && cmake --build _build && cmake --install _build && cp _build/lib/oqsprovider.so ${INSTALLDIR_OPENSSL}/lib64/ossl-modules && sed -i "s/default = default_sect/default = default_sect\noqsprovider = oqsprovider_sect/g" ${INSTALLDIR_OPENSSL}/ssl/openssl.cnf && sed -i "s/\[default_sect\]/\[default_sect\]\nactivate = 1\n\[oqsprovider_sect\]\nactivate = 1\n/g" ${INSTALLDIR_OPENSSL}/ssl/openssl.cnf && sed -i "s/providers = provider_sect/providers = provider_sect\nssl_conf = ssl_sect\n\n\[ssl_sect\]\nsystem_default = system_default_sect\n\n\[system_default_sect\]\nGroups = \$ENV\:\:DEFAULT_GROUPS\n/g" ${INSTALLDIR_OPENSSL}/ssl/openssl.cnf && sed -i "s/HOME\t\t\t= ./HOME = .\nDEFAULT_GROUPS = kyber768/g" ${INSTALLDIR_OPENSSL}/ssl/openssl.cnf +RUN liboqs_DIR=${INSTALLDIR_LIBOQS} cmake -DOPENSSL_ROOT_DIR=${INSTALLDIR_OPENSSL} -DCMAKE_BUILD_TYPE=Release -DCMAKE_PREFIX_PATH=${INSTALLDIR_OPENSSL} -S . 
-B _build && \ + cmake --build _build && \ + cmake --install _build && \ + cp _build/lib/oqsprovider.so ${INSTALLDIR_OPENSSL}/lib64/ossl-modules && \ + sed -i "s/default = default_sect/default = default_sect\noqsprovider = oqsprovider_sect/g" ${INSTALLDIR_OPENSSL}/ssl/openssl.cnf && \ + sed -i "s/\[default_sect\]/\[default_sect\]\nactivate = 1\n\[oqsprovider_sect\]\nactivate = 1\n/g" ${INSTALLDIR_OPENSSL}/ssl/openssl.cnf && \ + sed -i "s/providers = provider_sect/providers = provider_sect\nssl_conf = ssl_sect\n\n\[ssl_sect\]\nsystem_default = system_default_sect\n\n\[system_default_sect\]\nGroups = \$ENV\:\:DEFAULT_GROUPS\n/g" ${INSTALLDIR_OPENSSL}/ssl/openssl.cnf && \ + sed -i "s/HOME\t\t\t= ./HOME = .\nDEFAULT_GROUPS = kyber768/g" ${INSTALLDIR_OPENSSL}/ssl/openssl.cnf WORKDIR ${INSTALLDIR_OPENSSL}/bin # set path to use 'new' openssl. Dyn libs have been properly linked in to match @@ -98,7 +126,7 @@ RUN set -x; \ openssl req -x509 -new -newkey ${SIG_ALG} -keyout CA.key -out CA.crt -nodes -subj "/CN=oqstest CA" -days 365 ## second stage: Only create minimal image without build tooling and intermediate build results generated above: -FROM alpine:3.13 as dev +FROM alpine:${ALPINE_VERSION} as dev # Take in all global args ARG INSTALLDIR_OPENSSL ARG SIG_ALG diff --git a/openssl3/Dockerfile-interop b/openssl3/Dockerfile-interop index 4840e8ef..719284b4 100644 --- a/openssl3/Dockerfile-interop +++ b/openssl3/Dockerfile-interop @@ -1,5 +1,14 @@ # Multi-stage build: First the full builder image: +# define the openssl tag to be used +ARG OPENSSL_TAG=openssl-3.3.2 + +# define the liboqs tag to be used +ARG LIBOQS_TAG=0.11.0 + +# define the oqsprovider tag to be used +ARG OQSPROVIDER_TAG=0.7.0 + ARG INSTALLDIR_OPENSSL=/opt/openssl32 ARG INSTALLDIR_LIBOQS=/opt/liboqs 
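Review bot: The `sed -i` edits of `${INSTALLDIR_OPENSSL}/ssl/openssl.cnf` succeed whether or not their patterns match, and the last one depends on upstream's exact `HOME\t\t\t= .` spacing; now that the OpenSSL source is pinned by `OPENSSL_TAG`, a later tag bump that reformats that line would leave `DEFAULT_GROUPS` undefined while `Groups = $ENV::DEFAULT_GROUPS` still references it, and the failure would only surface when `openssl` runs in the final image. A post-condition turns that into a build failure: `grep -q '^DEFAULT_GROUPS = kyber768' ${INSTALLDIR_OPENSSL}/ssl/openssl.cnf && grep -q '^oqsprovider = oqsprovider_sect' ${INSTALLDIR_OPENSSL}/ssl/openssl.cnf`. The same sed sequence appears in the openssl3/Dockerfile-interop and openvpn/Dockerfile provider hunks.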
@@ -13,13 +22,14 @@ ARG SIG_ALG="dilithium3" FROM ubuntu as buildopenssl # Take in all global args +ARG OPENSSL_TAG ARG INSTALLDIR_OPENSSL ARG INSTALLDIR_LIBOQS ARG LIBOQS_BUILD_DEFINES ARG MAKE_DEFINES ARG SIG_ALG -LABEL version="1" +LABEL version="2" ENV DEBIAN_FRONTEND noninteractive RUN apt update && apt upgrade -y @@ -28,22 +38,26 @@ RUN apt update && apt upgrade -y RUN apt install -y build-essential clang libtool make gcc ninja-build cmake libtool wget git # get current openssl sources -RUN mkdir /optbuild && cd /optbuild && git clone --depth 1 --branch master https://github.com/openssl/openssl.git +RUN mkdir /optbuild && cd /optbuild && git clone --depth 1 --branch ${OPENSSL_TAG} https://github.com/openssl/openssl.git # build OpenSSL3 WORKDIR /optbuild/openssl RUN LDFLAGS="-Wl,-rpath -Wl,${INSTALLDIR_OPENSSL}/lib64" ./config shared --prefix=${INSTALLDIR_OPENSSL} && \ - make ${MAKE_DEFINES} && make install && if [ -d ${INSTALLDIR_OPENSSL}/lib64 ]; then ln -s ${INSTALLDIR_OPENSSL}/lib64 ${INSTALLDIR_OPENSSL}/lib; fi && if [ -d ${INSTALLDIR_OPENSSL}/lib ]; then ln -s ${INSTALLDIR_OPENSSL}/lib ${INSTALLDIR_OPENSSL}/lib64; fi + make ${MAKE_DEFINES} && \ + make install && \ + if [ -d ${INSTALLDIR_OPENSSL}/lib64 ]; then ln -s ${INSTALLDIR_OPENSSL}/lib64 ${INSTALLDIR_OPENSSL}/lib; fi && \ + if [ -d ${INSTALLDIR_OPENSSL}/lib ]; then ln -s ${INSTALLDIR_OPENSSL}/lib ${INSTALLDIR_OPENSSL}/lib64; fi FROM ubuntu as buildliboqs # Take in all global args +ARG LIBOQS_TAG ARG INSTALLDIR_OPENSSL ARG INSTALLDIR_LIBOQS ARG LIBOQS_BUILD_DEFINES ARG MAKE_DEFINES ARG SIG_ALG -LABEL version="1" +LABEL version="2" ENV DEBIAN_FRONTEND noninteractive RUN apt update && apt upgrade -y 
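Review bot: `FROM ubuntu as buildopenssl` (and `FROM ubuntu as buildliboqs` in the next hunk) still uses the floating `ubuntu` tag, while this commit introduced `ALPINE_VERSION` for the sibling openssl3/Dockerfile; the base image can change underneath the now-pinned library tags, which defeats part of the purpose of the pin. Suggest `ARG UBUNTU_VERSION=<version placeholder>` at the top and `FROM ubuntu:${UBUNTU_VERSION} as buildopenssl`, mirroring the Alpine handling. The `buildoqsprovider` stage in the following hunk has the same issue.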
@@ -54,20 +68,24 @@ RUN apt install -y build-essential clang libtool make gcc ninja-build cmake libt # Get OpenSSL image (from cache) COPY --from=buildopenssl ${INSTALLDIR_OPENSSL} ${INSTALLDIR_OPENSSL} -RUN mkdir /optbuild && cd /optbuild && git clone --depth 1 --branch main https://github.com/open-quantum-safe/liboqs +RUN mkdir /optbuild && cd /optbuild && git clone --depth 1 --branch ${LIBOQS_TAG} https://github.com/open-quantum-safe/liboqs WORKDIR /optbuild/liboqs -RUN mkdir build && cd build && cmake -G"Ninja" .. -DOPENSSL_ROOT_DIR=${INSTALLDIR_OPENSSL} ${LIBOQS_BUILD_DEFINES} -DCMAKE_INSTALL_PREFIX=${INSTALLDIR_LIBOQS} && ninja install +RUN mkdir build && \ + cd build && \ + cmake -G"Ninja" .. -DOPENSSL_ROOT_DIR=${INSTALLDIR_OPENSSL} ${LIBOQS_BUILD_DEFINES} -DCMAKE_INSTALL_PREFIX=${INSTALLDIR_LIBOQS} && \ + ninja install FROM ubuntu as buildoqsprovider # Take in all global args +ARG OQSPROVIDER_TAG ARG INSTALLDIR_OPENSSL ARG INSTALLDIR_LIBOQS ARG LIBOQS_BUILD_DEFINES ARG MAKE_DEFINES ARG SIG_ALG -LABEL version="1" +LABEL version="2" ENV DEBIAN_FRONTEND noninteractive RUN apt update && apt upgrade -y @@ -75,7 +93,7 @@ RUN apt update && apt upgrade -y # Get all software packages required for builing oqsprovider RUN apt install -y build-essential clang libtool make gcc ninja-build cmake wget git python3 python3-pip && pip3 install jinja2 tabulate -RUN mkdir /optbuild && cd /optbuild && git clone --depth 1 --branch main https://github.com/open-quantum-safe/oqs-provider.git +RUN mkdir /optbuild && cd /optbuild && git clone --depth 1 --branch ${OQSPROVIDER_TAG} https://github.com/open-quantum-safe/oqs-provider.git # Get openssl32 and liboqs COPY --from=buildopenssl ${INSTALLDIR_OPENSSL} ${INSTALLDIR_OPENSSL} 
@@ -87,7 +105,14 @@ WORKDIR /optbuild/oqs-provider RUN sed -i "s/false/true/g" oqs-template/generate.yml && LIBOQS_SRC_DIR=/optbuild/liboqs python3 oqs-template/generate.py # build & install provider (and activate by default) -RUN liboqs_DIR=${INSTALLDIR_LIBOQS} cmake -DNOPUBKEY_IN_PRIVKEY=ON -DOPENSSL_ROOT_DIR=${INSTALLDIR_OPENSSL} -DCMAKE_BUILD_TYPE=Release -DCMAKE_PREFIX_PATH=${INSTALLDIR_OPENSSL} -S . -B _build && cmake --build _build && cmake --install _build && cp _build/lib/oqsprovider.so ${INSTALLDIR_OPENSSL}/lib64/ossl-modules && sed -i "s/default = default_sect/default = default_sect\noqsprovider = oqsprovider_sect/g" ${INSTALLDIR_OPENSSL}/ssl/openssl.cnf && sed -i "s/\[default_sect\]/\[default_sect\]\nactivate = 1\n\[oqsprovider_sect\]\nactivate = 1\n/g" ${INSTALLDIR_OPENSSL}/ssl/openssl.cnf && sed -i "s/providers = provider_sect/providers = provider_sect\nssl_conf = ssl_sect\n\n\[ssl_sect\]\nsystem_default = system_default_sect\n\n\[system_default_sect\]\nGroups = \$ENV\:\:DEFAULT_GROUPS\n/g" ${INSTALLDIR_OPENSSL}/ssl/openssl.cnf && sed -i "s/HOME\t\t\t= ./HOME = .\nDEFAULT_GROUPS = kyber768/g" ${INSTALLDIR_OPENSSL}/ssl/openssl.cnf +RUN liboqs_DIR=${INSTALLDIR_LIBOQS} cmake -DNOPUBKEY_IN_PRIVKEY=ON -DOPENSSL_ROOT_DIR=${INSTALLDIR_OPENSSL} -DCMAKE_BUILD_TYPE=Release -DCMAKE_PREFIX_PATH=${INSTALLDIR_OPENSSL} -S . 
-B _build && \ + cmake --build _build && \ + cmake --install _build && \ + cp _build/lib/oqsprovider.so ${INSTALLDIR_OPENSSL}/lib64/ossl-modules && \ + sed -i "s/default = default_sect/default = default_sect\noqsprovider = oqsprovider_sect/g" ${INSTALLDIR_OPENSSL}/ssl/openssl.cnf && \ + sed -i "s/\[default_sect\]/\[default_sect\]\nactivate = 1\n\[oqsprovider_sect\]\nactivate = 1\n/g" ${INSTALLDIR_OPENSSL}/ssl/openssl.cnf && \ + sed -i "s/providers = provider_sect/providers = provider_sect\nssl_conf = ssl_sect\n\n\[ssl_sect\]\nsystem_default = system_default_sect\n\n\[system_default_sect\]\nGroups = \$ENV\:\:DEFAULT_GROUPS\n/g" ${INSTALLDIR_OPENSSL}/ssl/openssl.cnf && \ + sed -i "s/HOME\t\t\t= ./HOME = .\nDEFAULT_GROUPS = kyber768/g" ${INSTALLDIR_OPENSSL}/ssl/openssl.cnf WORKDIR ${INSTALLDIR_OPENSSL}/bin # set path to use 'new' openssl. Dyn libs have been properly linked in to match diff --git a/openssl3/README.md b/openssl3/README.md index 16f1506b..9f92bf56 100644 --- a/openssl3/README.md +++ b/openssl3/README.md 
@@ -5,9 +5,9 @@ This directory contains a Dockerfile that builds OpenSSL3 master with the [OQS p 1) Be sure to have [docker installed](https://docs.docker.com/install). 2) Run `docker build -t oqs-ossl3 .` to create a post quantum-enabled OpenSSL3 image 3) To verify all components perform quantum-safe operations, first start the container with `docker run -it oqs-ossl3` thus starting an OQS-enabled TLS test server. -4) On the command prompt in the docker container query that server using `openssl s_client -connect localhost --groups kyber512 `. If all works, the last command returns all TLS information documenting use of OQS-enabled TLS. The parameter to the `--groups` argument is the KEM_ALG chosen when building the docker container ('kyber512' by default). +4) On the command prompt in the docker container query that server using `openssl s_client -connect localhost --groups kyber768 `. If all works, the last command returns all TLS information documenting use of OQS-enabled TLS. The parameter to the `--groups` argument is the KEM_ALG chosen when building the docker container ('kyber768' by default). -*Note*: The last command creates a HTTP command window into the sample server. It can be exited either by typing CTRL-C or by issuing a valid command, e.g., `GET /`. The latter command will also return server-side information on the protocol and cryptographic methods used, e.g., the TLS 1.3 group actually used (kyber512 in this example). +*Note*: The last command creates a HTTP command window into the sample server. It can be exited either by typing CTRL-C or by issuing a valid command, e.g., `GET /`. The latter command will also return server-side information on the protocol and cryptographic methods used, e.g., the TLS 1.3 group actually used (kyber768 in this example). ## More details 
@@ -22,7 +22,7 @@ The Dockerfile One runtime configuration option exists that can be optionally set via docker environment variable: Setting the key exchange mechanism (KEM): By setting 'KEM_ALG' -to any of the [supported KEM algorithms built into OQS-OpenSSL](https://github.com/open-quantum-safe/openssl#key-exchange) one can run TLS using a KEM other than the default algorithm 'kyber512'. Example: `docker run -e KEM_ALG=ntru_hps2048509 -it oqs-ossl3`. It is always necessary to also request use of this KEM algorithm by passing it to the invocation of `openssl s_client` with the `--groups` parameter, i.e. as such in the same example: `openssl s_client -connect localhost --groups ntru_hps2048509 `. +to any of the [supported KEM algorithms built into OQS-OpenSSL](https://github.com/open-quantum-safe/oqs-provider#kem-algorithms) one can run TLS using a KEM other than the default algorithm 'kyber768'. Example: `docker run -e KEM_ALG=mlkem768 -it oqs-ossl3`. It is always necessary to also request use of this KEM algorithm by passing it to the invocation of `openssl s_client` with the `--groups` parameter, i.e. as such in the same example: `openssl s_client -connect localhost --groups mlkem768 `. ## Usage 
@@ -32,17 +32,23 @@ Information how to use the image is [available in the separate file USAGE.md](US The Dockerfile provided allows for significant customization of the image built: -### LIBOQS_BUILD_DEFINES +### OPENSSL_TAG -This permits changing the build options for the underlying library with the quantum safe algorithms. All possible options are documented [here](https://github.com/open-quantum-safe/liboqs/wiki/Customizing-liboqs). +Tag of `openssl` release to be used. -By default, the image is built such as to have maximum portability regardless of CPU type and optimizations available, i.e. to run on the widest possible range of cloud machines. +### LIBOQS_TAG + +Tag of `liboqs` release to be used. + +### OQSPROVIDER_TAG -### OPENSSL_BUILD_DEFINES +Tag of `oqsprovider` release to be used. -This permits changing the build options for the underlying openssl library containing the quantum safe algorithms. +### LIBOQS_BUILD_DEFINES -The default setting defines a range of default algorithms suggested for key exchange. For more information see [the documentation](https://github.com/open-quantum-safe/openssl#default-algorithms-announced). +This permits changing the build options for the underlying library with the quantum safe algorithms. All possible options are documented [here](https://github.com/open-quantum-safe/liboqs/wiki/Customizing-liboqs). + +By default, the image is built such as to have maximum portability regardless of CPU type and optimizations available, i.e. to run on the widest possible range of cloud machines. ### INSTALLDIR @@ -56,3 +62,6 @@ Allow setting parameters to `make` operation, e.g., '-j nnn' where nnn defines t The default is conservative and known not to overload normal machines. If one has a very powerful (many cores, >64GB RAM) machine, passing larger numbers (or only '-j' for maximum parallelism) speeds up building considerably. +### ALPINE_VERSION + +The version of the `alpine` docker image to to be used. 
diff --git a/openssl3/USAGE.md b/openssl3/USAGE.md
index c1370ace..abe2e154 100644
--- a/openssl3/USAGE.md
+++ b/openssl3/USAGE.md
@@ -2,16 +2,16 @@ This docker image contains a version of [OpenSSL3](https://github.com/openssl/openssl) built and extended with a [provider enabling quantum-safe crypto (QSC) operations](https://github.com/open-quantum-safe/oqs-provider). -To this end, it contains [liboqs](https://github.com/open-quantum-safe/liboqs) as well as [OpenSSL 3/master](https://github.com/openssl/openssl) and [oqs-provider](https://github.com/open-quantum-safe/oqs-provider) from the [OpenQuantumSafe](https://openquantumsafe.org) project. +To this end, it contains [liboqs](https://github.com/open-quantum-safe/liboqs) as well as [OpenSSL 3](https://github.com/openssl/openssl) and [oqs-provider](https://github.com/open-quantum-safe/oqs-provider) from the [OpenQuantumSafe](https://openquantumsafe.org) project. As different images providing the same base functionality may be available, e.g., for debug or performance-optimized operations, the image name `oqs-ossl3` is consistently used in the description below. Be sure to adapt it to the image you want to use. ## Quick start 1) With `docker run -it oqs-ossl3` start an OQS-enabled TLS test server. -2) On the command prompt in the docker container resulting from the first comment, one can query that server by issuing the command `openssl s_client -connect localhost --groups kyber512`. +2) On the command prompt in the docker container resulting from the first comment, one can query that server by issuing the command `openssl s_client -connect localhost --groups kyber768`. -The latter command returns all TLS information documenting use of OQS-enabled TLS. The parameter to the `--groups` argument is [any Kex Exchange algorithm supported by OQS-OpenSSL](https://github.com/open-quantum-safe/openssl#key-exchange). +The latter command returns all TLS information documenting use of OQS-enabled TLS. 
The parameter to the `--groups` argument is [any Kex Exchange algorithm supported by OQS-OpenSSL](https://github.com/open-quantum-safe/oqs-provider#kem-algorithms). ## Retrieving data from other QSC-enabled TLS servers @@ -19,4 +19,4 @@ Beyond interacting with the built-in test server (utilizing `openssl s_server`) ## Limitations -This image is limited in functionality as per the [open issues documented for oqs-provider](https://github.com/open-quantum-safe/oqs-provider/issues). It also is [not fit for productive use](https://github.com/open-quantum-safe/openssl#limitations-and-security). +This image is limited in functionality as per the [open issues documented for oqs-provider](https://github.com/open-quantum-safe/oqs-provider/issues). It also is [not fit for productive use](https://github.com/open-quantum-safe/liboqs#limitations-and-security). diff --git a/openvpn/Dockerfile b/openvpn/Dockerfile index 2b2de6f6..17ba60a7 100644 --- a/openvpn/Dockerfile +++ b/openvpn/Dockerfile @@ -1,10 +1,15 @@ # Multi-stage build: First the full builder image: +# define the openssl tag to be used +ARG OPENSSL_TAG=openssl-3.3.2 + # define the liboqs tag to be used -ARG LIBOQS_TAG=main +ARG LIBOQS_TAG=0.11.0 # define the oqsprovider tag to be used -ARG OQSPROVIDER_TAG=main +ARG OQSPROVIDER_TAG=0.7.0 + +ARG OPENVPN_TAG=v2.6.12 # Default location where all binaries wind up: ARG INSTALLDIR=/opt/oqssa @@ -23,15 +28,17 @@ ARG KEM_ALGLIST="kyber768:p384_kyber768" FROM debian:bullseye as intermediate # Take in all global args +ARG OPENSSL_TAG ARG LIBOQS_TAG ARG OQSPROVIDER_TAG +ARG OPENVPN_TAG ARG INSTALLDIR ARG LIBOQS_BUILD_DEFINES ARG MAKE_DEFINES ARG KEM_ALGLIST ARG OPENVPNDIR -LABEL version="2" +LABEL version "2" ENV DEBIAN_FRONTEND noninteractive 
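Review bot: `LABEL version "2"` replaces `LABEL version="2"` and drops the `=` that every other LABEL touched by this commit uses; the whitespace-separated form is the legacy syntax, and the quotes may end up inside the value rather than acting as delimiters, so this looks like an accidental edit. Restore `LABEL version="2"`. In the same file's first hunk, `ARG OPENVPN_TAG=v2.6.12` is the only new tag ARG without the `# define the ... tag to be used` comment its siblings carry.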
@@ -49,9 +56,9 @@ RUN apt install -y \ # get all sources WORKDIR /opt RUN git clone --depth 1 --branch ${LIBOQS_TAG} https://github.com/open-quantum-safe/liboqs && \ - git clone --depth 1 --branch master https://github.com/openssl/openssl.git && \ + git clone --depth 1 --branch ${OPENSSL_TAG} https://github.com/openssl/openssl.git && \ git clone --depth 1 --branch ${OQSPROVIDER_TAG} https://github.com/open-quantum-safe/oqs-provider.git && \ - git clone https://github.com/OpenVPN/openvpn.git + git clone --depth 1 --branch ${OPENVPN_TAG} https://github.com/OpenVPN/openvpn.git # build liboqs WORKDIR /opt/liboqs 
@@ -59,15 +66,23 @@ RUN mkdir build && cd build && cmake -G"Ninja" .. ${LIBOQS_BUILD_DEFINES} -DCMAK # build OpenSSL3 WORKDIR /opt/openssl -RUN LDFLAGS="-Wl,-rpath -Wl,${INSTALLDIR}/lib64" ./config shared --prefix=${INSTALLDIR} && \ - make ${MAKE_DEFINES} && make install_sw install_ssldirs; +RUN openssl_libdir='lib64' && if [ "$(uname -m)" = "aarch64" ]; then openssl_libdir='lib'; fi && \ + LDFLAGS="-Wl,-rpath -Wl,${INSTALLDIR}/$openssl_libdir" ./config shared --prefix=${INSTALLDIR} && \ + make ${MAKE_DEFINES} && \ + make install_sw install_ssldirs; # set path to use 'new' openssl. Dyn libs have been properly linked in to match ENV PATH="${INSTALLDIR}/bin:${PATH}" # build & install provider (and activate by default) WORKDIR /opt/oqs-provider -RUN ln -s ../openssl . && cmake -DOPENSSL_ROOT_DIR=${INSTALLDIR} -DCMAKE_BUILD_TYPE=Release -DCMAKE_PREFIX_PATH=${INSTALLDIR} -S . -B _build && cmake --build _build && cp _build/lib/oqsprovider.so ${INSTALLDIR}/lib64/ossl-modules && sed -i "s/default = default_sect/default = default_sect\noqsprovider = oqsprovider_sect/g" /opt/oqssa/ssl/openssl.cnf && sed -i "s/\[default_sect\]/\[default_sect\]\nactivate = 1\n\[oqsprovider_sect\]\nactivate = 1\n/g" /opt/oqssa/ssl/openssl.cnf && sed -i "s/providers = provider_sect/providers = provider_sect\nssl_conf = ssl_sect\n\n\[ssl_sect\]\nsystem_default = system_default_sect\n\n\[system_default_sect\]\nGroups = ${KEM_ALGLIST}\n/g" /opt/oqssa/ssl/openssl.cnf +RUN ln -s ../openssl . && \ + openssl_libdir='lib64' && if [ "$(uname -m)" = "aarch64" ]; then openssl_libdir='lib'; fi && \ + cmake -DOPENSSL_ROOT_DIR=${INSTALLDIR} -DCMAKE_BUILD_TYPE=Release -DCMAKE_PREFIX_PATH=${INSTALLDIR} -S . 
-B _build && \ + cmake --build _build && cp _build/lib/oqsprovider.so ${INSTALLDIR}/$openssl_libdir/ossl-modules && \ + sed -i "s/default = default_sect/default = default_sect\noqsprovider = oqsprovider_sect/g" /opt/oqssa/ssl/openssl.cnf && \ + sed -i "s/\[default_sect\]/\[default_sect\]\nactivate = 1\n\[oqsprovider_sect\]\nactivate = 1\n/g" /opt/oqssa/ssl/openssl.cnf && \ + sed -i "s/providers = provider_sect/providers = provider_sect\nssl_conf = ssl_sect\n\n\[ssl_sect\]\nsystem_default = system_default_sect\n\n\[system_default_sect\]\nGroups = ${KEM_ALGLIST}\n/g" /opt/oqssa/ssl/openssl.cnf # build openvpn based on OpenSSL3 @@ -76,8 +91,16 @@ ENV OPENSSL3_DIR=${INSTALLDIR} WORKDIR /opt/openvpn -RUN libtoolize --force && aclocal && autoheader && automake --force-missing --add-missing && autoconf && \ - CFLAGS="-I$OPENSSL3_DIR/include -Wl,-rpath=$OPENSSL3_DIR/lib64 -L$OPENSSL3_DIR/lib64" ./configure --prefix=${INSTALLDIR} --disable-lz4 && make ${MAKE_DEFINES} && make check && make install +RUN openssl_libdir='lib64' && if [ "$(uname -m)" = "aarch64" ]; then openssl_libdir='lib'; fi && \ + libtoolize --force && \ + aclocal && \ + autoheader && \ + automake --force-missing --add-missing && \ + autoconf && \ + CFLAGS="-I$OPENSSL3_DIR/include -Wl,-rpath=$OPENSSL3_DIR/$openssl_libdir -L$OPENSSL3_DIR/$openssl_libdir" ./configure --prefix=${INSTALLDIR} --disable-lz4 && \ + make ${MAKE_DEFINES} && \ + make check && \ + make install ## second stage: Only create minimal image without build tooling and intermediate build results generated above: FROM debian:bullseye-slim 
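Review bot: `openssl_libdir='lib64' && if [ "$(uname -m)" = "aarch64" ]; then openssl_libdir='lib'; fi` is repeated in three RUN steps (OpenSSL build, provider build, openvpn configure) and infers the directory from the CPU architecture rather than from where `make install_sw` actually placed the libraries, so any platform other than the two tested gets the wrong path silently. One way to remove the guesswork is to fix the layout at configure time with `./config shared --prefix=${INSTALLDIR} --libdir=lib` and then use `${INSTALLDIR}/lib` unconditionally in the rpath, the `cp` of `oqsprovider.so` and the openvpn `CFLAGS`; failing that, derive it once from the install tree, `openssl_libdir=$( [ -d ${INSTALLDIR}/lib64 ] && echo lib64 || echo lib )`, in the steps that run after the install. Either way a short comment on the first occurrence explaining why the directory differs per platform would help the next reader.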
@@ -86,7 +109,14 @@ ARG INSTALLDIR ARG OPENVPNDIR # install basics to run executable and enable network control -RUN apt update && apt upgrade -y && apt install -y liblzo2-2 libnl-3-200 libnl-genl-3-200 procps net-tools iputils-ping && mkdir -p ${OPENVPNDIR} +RUN apt update && apt upgrade -y && \ + apt install -y liblzo2-2 \ + libnl-3-200 \ + libnl-genl-3-200 \ + procps \ + net-tools \ + iputils-ping && \ + mkdir -p ${OPENVPNDIR} # Only retain the ${INSTALLDIR} contents in the final image COPY --from=intermediate ${INSTALLDIR} ${INSTALLDIR} @@ -104,7 +134,7 @@ COPY createcerts_and_config.sh ${INSTALLDIR}/bin WORKDIR ${OPENVPNDIR} # Activate to limit access to normal user rights -#RUN addgroup -g 1000 -S oqs && adduser --uid 1000 -S oqs -G oqs +#RUN addgroup -g 1000 -S oqs && adduser --uid 1000 -S oqs -G oqs #USER oqs CMD ["serverstart.sh"] diff --git a/openvpn/README.md b/openvpn/README.md index ef7fe186..7d74daad 100644 --- a/openvpn/README.md +++ b/openvpn/README.md @@ -7,7 +7,7 @@ This directory contains a Dockerfile that builds [OpenVPN](https://openvpn.net) [Install Docker](https://docs.docker.com/install) and run the following commands in this directory: 1. `docker build -t oqs-openvpn .` -2. `./test.sh` +2. `sh ./test.sh` This will create an image for creating configurations, keys and certificates as well as running openvpn server(s) and client(s) within a docker network performing a quantum-safe key exchange via the Kyber768 (plain and hybrid) KEM algorithm. Any of the other [supported quantum safe KEM algorithms](https://github.com/open-quantum-safe/oqs-provider#algorithms) can be set via the parameter `--tls-groups` in the server and client startup scripts, e.g., by setting the "TLS_GROUPS" environment variable. 
@@ -46,4 +46,4 @@ The default is conservative and known not to overload normal machines. If one ha Defines the list of QSC KEM algorithms to be supported by default. This value is colon separated and inserted into the system-wide `openssl.cnf` configuration file defining the behaviour of the OpenSSL3 library embedded into the OpenVPN code base. -The default value is "kyber768:p384_kyber768". Any algorithm name(s) [supported by OQS-OpenSSL](https://github.com/open-quantum-safe/openssl/tree/OQS-OpenSSL_1_1_1-stable#key-exchange) can be chosen instead. +The default value is "kyber768:p384_kyber768". Any algorithm name(s) [supported by OQS OpenSSL 3 provider](https://github.com/open-quantum-safe/oqs-provider#algorithms) can be chosen instead. diff --git a/openvpn/USAGE.md b/openvpn/USAGE.md index c0b7b88d..5cd6498f 100644 --- a/openvpn/USAGE.md +++ b/openvpn/USAGE.md @@ -53,7 +53,7 @@ The last three commands clean up all data structures established. ## Advanced usage options -The docker image has been pre-configured to use the quantum-safe crypto (QSC) algorithm family "Kyber" for key establishment. For TLS1.3 handshaking, the QSC algorithm "dilithium3" is configured by default, but for both algorithm types, any plain or hybrid QSC algorithm can be selected. For the full list of supported OQS KEM and signature algorithms see here](https://github.com/open-quantum-safe/oqs-provider#algorithms). +The docker image has been pre-configured to use the quantum-safe crypto (QSC) algorithm family "Kyber" for key establishment. For TLS1.3 handshaking, the QSC algorithm "dilithium3" is configured by default, but for both algorithm types, any plain or hybrid QSC algorithm can be selected. For the full list of supported OQS KEM and signature algorithms see [here](https://github.com/open-quantum-safe/oqs-provider#algorithms). ### TLS_GROUPS 
@@ -69,6 +69,6 @@ In order to change the signature algorithm used for performing the TLS authentic ## Disclaimer -[THIS IS NOT FIT FOR PRODUCTION USE](https://github.com/open-quantum-safe/openssl#limitations-and-security). +[THIS IS NOT FIT FOR PRODUCTION USE](https://github.com/open-quantum-safe/liboqs#limitations-and-security). Most notably, the CA key is not protected by a password and thus accessible to anyone with access to the docker volume. diff --git a/openvpn/test.sh b/openvpn/test.sh old mode 100755 new mode 100644 index bd25cfde..1c7c1e0a --- a/openvpn/test.sh +++ b/openvpn/test.sh 
@@ -22,36 +22,42 @@ if [ ! -z "$1" ]; then export OQS_SIGALG=$1 fi -RC=0 +RC=0 +echo "Creating test volume $OQS_DATA and test network $OQS_NETWORK" docker volume create --name $OQS_DATA && docker network create $OQS_NETWORK if [ $? -ne 0 ]; then echo "Could not create volume and network. Exiting." exit 1 fi +echo "Test volume $OQS_DATA and test network $OQS_NETWORK created successfully" # use docker image to create certs and openvpn config +echo "Creating test certs and config" docker run -e OQSSIGALG=$OQS_SIGALG -e SERVERFQDN=$OQS_SERVER -e CLIENTFQDN=$OQS_CLIENT -v $OQS_DATA:/config/openvpn --rm $OQS_OPENVPN_DOCKERIMAGE sh -c "cd /config/openvpn && createcerts_and_config.sh" if [ $? -ne 0 ]; then echo "Could not create certs and config correctly. Exiting." RC=1 fi +echo "Test certs and config created successfully" +echo "Starting test openvpn server and client" # OQS server & test client: if [ -z "$2" ]; then -# use default TLS_GROUPS -docker run --rm --name $OQS_SERVER --net $OQS_NETWORK -v $OQS_DATA:/etc/openvpn -d --cap-add=NET_ADMIN $OQS_OPENVPN_DOCKERIMAGE -docker run --rm --name $OQS_CLIENT --net $OQS_NETWORK -v $OQS_DATA:/etc/openvpn --cap-add=NET_ADMIN -d $OQS_OPENVPN_DOCKERIMAGE clientstart.sh + # use default TLS_GROUPS + docker run --rm --name $OQS_SERVER --net $OQS_NETWORK -v $OQS_DATA:/etc/openvpn -d --cap-add=NET_ADMIN $OQS_OPENVPN_DOCKERIMAGE + docker run --rm --name $OQS_CLIENT --net $OQS_NETWORK -v $OQS_DATA:/etc/openvpn --cap-add=NET_ADMIN -d $OQS_OPENVPN_DOCKERIMAGE clientstart.sh else -# assume the first parameter to be (a list of) TLS_GROUPS to be utilized: -docker run -e TLS_GROUPS=$2 --rm --name $OQS_SERVER --net $OQS_NETWORK -v $OQS_DATA:/etc/openvpn -d --cap-add=NET_ADMIN oqs-openvpn -docker run -e TLS_GROUPS=$2 --rm --name $OQS_CLIENT --net $OQS_NETWORK -v $OQS_DATA:/etc/openvpn --cap-add=NET_ADMIN -d oqs-openvpn clientstart.sh + # assume the first parameter to be (a list of) TLS_GROUPS to be utilized: + docker run -e TLS_GROUPS=$2 --rm 
--name $OQS_SERVER --net $OQS_NETWORK -v $OQS_DATA:/etc/openvpn -d --cap-add=NET_ADMIN oqs-openvpn + docker run -e TLS_GROUPS=$2 --rm --name $OQS_CLIENT --net $OQS_NETWORK -v $OQS_DATA:/etc/openvpn --cap-add=NET_ADMIN -d oqs-openvpn clientstart.sh fi # Allow time to start up sleep 3 +echo "Startup completed, checking initialization worked OK" # Check that initialization went OK for both server and client: docker logs $OQS_SERVER | grep "Initialization Sequence Completed" if [ $? -ne 0 ]; then @@ -65,13 +71,14 @@ if [ $? -ne 0 ]; then fi # cleanup - docker kill $OQS_SERVER $OQS_CLIENT docker network rm $OQS_NETWORK # Allow time to clean data structures sleep 3 docker volume rm $OQS_DATA -if [ $RC -ne 0 ]; then +if [ $RC -eq 0 ]; then + echo "Test completed successfully" +else echo "Test failed." fi exit $RC diff --git a/unbound/README.md b/unbound/README.md index af04bc23..f1208f25 100644 --- a/unbound/README.md +++ b/unbound/README.md @@ -1,6 +1,7 @@ -## Warning +# DEPRECATED -This integration is currently not supported due to [the end of life of oqs-openssl111](https://github.com/open-quantum-safe/openssl#warning). Feel free to vote this back into supported state by visiting [the discussion on the topic](https://github.com/orgs/open-quantum-safe/discussions/1602). +> [!Warning] +> This integration is currently not supported due to [the end of life of oqs-openssl111](https://github.com/open-quantum-safe/openssl#warning). # Unbound(DNS-over-Tls) diff --git a/wireshark/README.md b/wireshark/README.md index adfb0bc2..aa2806fd 100644 --- a/wireshark/README.md +++ b/wireshark/README.md @@ -1,3 +1,8 @@ +# DEPRECATED + +> [!Warning] +> This integration is currently not supported due to [the end of life of oqs-openssl111](https://github.com/open-quantum-safe/openssl#warning). + This directory contains a Dockerfile that builds wireshark that is patched to understand the OIDs and codepoints in TLS 1.3 that are supported by OQS-OpenSSL. ## Quick start
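Review bot: `echo "Test certs and config created successfully"` runs unconditionally, including when the preceding `docker run ... createcerts_and_config.sh` failed and `RC=1` was set, so the log then contradicts the final `Test failed.`; either move the echo into an `else` branch of that `if` or `exit 1` there, as the volume/network check above already does. The `else` branch for custom TLS_GROUPS still starts the image by the literal name `oqs-openvpn` while the default branch uses `$OQS_OPENVPN_DOCKERIMAGE`, so a differently named image is ignored whenever groups are passed. The script continues outside the hunk, and with the mode change to 100644 it now has to be invoked as `sh ./test.sh`, as the README hunk documents.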