From 69a5e366bfe0aa467cd3c2187cabab479d115ec3 Mon Sep 17 00:00:00 2001
From: PI <74706004+pi-314159@users.noreply.github.com>
Date: Fri, 23 Aug 2024 15:09:02 +0800
Subject: [PATCH] Add QUIC Workflow (#295)

Signed-off-by: PI <74706004+pi-314159@users.noreply.github.com>
---
 .github/workflows/quic.yml | 56 ++++++++++++++++++++++++++++++++
 README.md | 5 +--
 nginx/Dockerfile-QUIC | 15 ++++-----
 nginx/nginx-conf/nginx-quic.conf | 49 ++++++++++++++++++++++++++++
 4 files changed, 115 insertions(+), 10 deletions(-)
 create mode 100644 .github/workflows/quic.yml
 create mode 100644 nginx/nginx-conf/nginx-quic.conf

diff --git a/.github/workflows/quic.yml b/.github/workflows/quic.yml
new file mode 100644
index 00000000..2b7f1169
--- /dev/null
+++ b/.github/workflows/quic.yml
@@ -0,0 +1,56 @@
+name: QUIC
+
+on:
+ push:
+ branches: ['main']
+ paths: ['.github/workflows/quic.yml', 'curl/**', 'nginx/**']
+ pull_request:
+ paths: ['.github/workflows/quic.yml', 'curl/**', 'nginx/**']
+ schedule:
+ - cron: '2 7 18,28 * *'
+ workflow_dispatch:
+
+env:
+ TARGET_NAME: openquantumsafe
+
+jobs:
+ test-push:
+ name: Test and push QUIC images
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@v4
+ - name: Login to Docker Hub
+ uses: docker/login-action@v3
+ with:
+ username: ${{ secrets.DOCKERHUB_USERNAME }}
+ password: ${{ secrets.DOCKERHUB_TOKEN }}
+ - name: Create a shared volume
+ run: docker volume create shared-1
+ shell: bash
+ - name: Generate a quantum-safe certificate chain
+ run: |
+ docker run -v shared-1:/certs $TARGET_NAME/openssl3 /bin/sh -c "\
+ openssl req -x509 -new -newkey p256_falcon512 -keyout /certs/CA.key -out /certs/CA.crt -nodes -subj '/C=US/O=Open Quantum Safe/CN=OQS Demos' -days 1461 && \
+ openssl req -new -newkey mldsa87 -keyout /certs/server.key -out /certs/server.csr -nodes -subj /CN=host.docker.internal && \
+ openssl x509 -req -in /certs/server.csr -out /certs/server.crt -CA /certs/CA.crt -CAkey /certs/CA.key -CAcreateserial -days 365"
+ shell: bash
+ - name: Build NGINX with QUIC support and start the server
+ working-directory: ./nginx
+ run: |
+ docker build -t $TARGET_NAME/nginx-quic:latest -f Dockerfile-QUIC . && \
+ docker run -d -p 443:443/udp -v shared-1:/certs --name nginx-quic-daemon $TARGET_NAME/nginx-quic:latest && \
+ docker cp ./nginx-conf/nginx-quic.conf nginx-quic-daemon:/etc/nginx/nginx-quic.conf && \
+ docker exec nginx-quic-daemon bash -c "cd /etc/nginx && rm nginx.conf && mv nginx-quic.conf nginx.conf && nginx -s reload"
+ shell: bash
+ - name: Build cURL with QUIC support and test it with the server that's started earlier
+ working-directory: ./curl
+ run: |
+ docker build -t $TARGET_NAME/curl-quic:latest -f Dockerfile-QUIC . && \
+ docker run -v shared-1:/certs --add-host=host.docker.internal:host-gateway $TARGET_NAME/curl-quic:latest \
+ curl --cacert /certs/CA.crt --http3-only https://host.docker.internal --curves hqc192 -vvvv
+ shell: bash
+ - name: Push Docker images to Docker Hub
+ run: |
+ docker push $TARGET_NAME/curl-quic:latest
+ docker push $TARGET_NAME/nginx-quic:latest
+ shell: bash
diff --git a/README.md b/README.md
index bf4723e3..a01c377d 100644
--- a/README.md
+++ b/README.md
@@ -1,4 +1,5 @@
 [![GitHub actions](https://github.com/open-quantum-safe/oqs-demos/actions/workflows/linux.yml/badge.svg)](https://github.com/open-quantum-safe/oqs-demos/actions/workflows/linux.yml)
+[![QUIC](https://github.com/open-quantum-safe/oqs-demos/actions/workflows/quic.yml/badge.svg)](https://github.com/open-quantum-safe/oqs-demos/actions/workflows/quic.yml)
 [![open-quantum-safe](https://circleci.com/gh/open-quantum-safe/oqs-demos.svg?style=svg)](https://app.circleci.com/pipelines/github/open-quantum-safe/oqs-demos)
 oqs-demos
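Review bot: The `Push Docker images to Docker Hub` step at the end of this hunk runs unconditionally, so on the `pull_request` trigger declared at the top the job pushes `:latest` images built from unmerged PR code whenever the secrets are available (same-repo PRs), while fork PRs will most likely fail earlier at `docker/login-action` because secrets are not exposed to them. Gate both steps on the event, `if: github.event_name != 'pull_request'` on `Login to Docker Hub` and on `Push Docker images to Docker Hub`, so pull requests only build and test. A secondary hardening point is that `actions/checkout@v4` and `docker/login-action@v3` are pinned to mutable tags; pinning to full commit SHAs with a version comment is the usual guard against tag retargeting. The `$TARGET_NAME/openssl3` image used to mint the certificate chain is untagged as well, so the test's algorithm set depends on whatever `latest` is on the build day.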
@@ -18,9 +19,9 @@ Currently available integrations at their respective support level:
 | | **Build instructions** | **Pre-built Docker image or binary files** | Support? |
 | ---------------- | -------------------------------------- | ---------------------------------------------------------------------------------------------------------------------------- | -------- |
-| **curl** | [Github: oqs-demos/curl](curl) | [Dockerhub: openquantumsafe/curl](https://hub.docker.com/repository/docker/openquantumsafe/curl) | @baentsch, @pi-314159
+| **curl** | [Github: oqs-demos/curl](curl) | [Dockerhub: openquantumsafe/curl](https://hub.docker.com/repository/docker/openquantumsafe/curl), [Dockerhub: openquantumsafe/curl-quic](https://hub.docker.com/repository/docker/openquantumsafe/curl-quic) | @baentsch, @pi-314159
 | **Apache httpd** | [Github: oqs-demos/httpd](httpd) | [Dockerhub: openquantumsafe/httpd](https://hub.docker.com/repository/docker/openquantumsafe/httpd) | @baentsch
-| **nginx** | [Github: oqs-demos/nginx](nginx) | [Dockerhub: openquantumsafe/nginx](https://hub.docker.com/repository/docker/openquantumsafe/nginx) | @baentsch, @bhess, @pi-314159
+| **nginx** | [Github: oqs-demos/nginx](nginx) | [Dockerhub: openquantumsafe/nginx](https://hub.docker.com/repository/docker/openquantumsafe/nginx), [Dockerhub: openquantumsafe/nginx-quic](https://hub.docker.com/repository/docker/openquantumsafe/nginx-quic) | @baentsch, @bhess, @pi-314159
 | **Chromium** | [Github: oqs-demos/chromium](chromium) (limited support) | - | @pi-314159 |
 | **OpenSSH** | [Github: oqs-demos/openssh](openssh) | [Dockerhub: openquantumsafe/openssh](https://hub.docker.com/repository/docker/openquantumsafe/openssh) | unsupported
 | **Wireshark** | [Github: oqs-demos/wireshark](wireshark) | [Dockerhub: openquantumsafe/wireshark](https://hub.docker.com/repository/docker/openquantumsafe/wireshark) | unsupported
diff --git a/nginx/Dockerfile-QUIC b/nginx/Dockerfile-QUIC
index 40383971..55ad8d7e 100644
--- a/nginx/Dockerfile-QUIC
+++ b/nginx/Dockerfile-QUIC
@@ -1,11 +1,11 @@
 FROM ubuntu:latest AS build
-ARG NGINX_VERSION=1.26.1
+ARG NGINX_VERSION=1.26.2
 RUN apt update && apt upgrade -y && mkdir /home/build && cd /home/build && \
- apt install -y g++ make git libssl-dev libpcre3 libpcre3-dev build-essential zlib1g-dev wget && \
+ apt install -y g++ make git libpcre3 libpcre3-dev build-essential zlib1g-dev wget && \
 # liboqs deps
- liboqs_pkgs="cmake gcc ninja-build libunwind-dev pkg-config python3 python3-psutil golang-go" && apt install -y $liboqs_pkgs && \
+ liboqs_pkgs="cmake gcc ninja-build libunwind-dev pkg-config python3" && apt install -y $liboqs_pkgs && \
 # Download liboqs
 git clone --branch main --single-branch --depth 1 https://github.com/open-quantum-safe/liboqs.git && \
 # Download open-quantum-safe/boringssl
@@ -18,9 +18,9 @@ RUN apt update && apt upgrade -y && mkdir /home/build && cd /home/build && \
 # prepare dir
 cp -p ssl/libssl.so /usr/local/lib && cp -p crypto/libcrypto.so /usr/local/lib && cd ../.. && \
 # Download nginx
- wget https://nginx.org/download/nginx-${NGINX_VERSION}.tar.gz -O nginx.tgz && tar xvf nginx.tgz && \
+ wget https://nginx.org/download/nginx-${NGINX_VERSION}.tar.gz -O nginx.tgz && tar xvf nginx.tgz && mv nginx-${NGINX_VERSION} nginx && \
 # build nginx
- cd nginx-${NGINX_VERSION} && \
+ cd nginx && \
 ./configure \
 --prefix=/etc/nginx \
 --sbin-path=/usr/sbin/nginx \
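Review bot: With `NGINX_VERSION` now bumped to a pinned 1.26.2, the build stage still fetches liboqs from `--branch main` with no tag or commit (the `git clone` line is unchanged context at the end of this hunk, and the boringssl clone that follows it is presumably the same), so two builds of this commit can differ and the algorithm names the rest of the commit relies on (`mldsa87`, `hqc192`, `mlkem1024`) are only as stable as whatever `main` provides on the build day. Consider `ARG LIBOQS_VERSION=<liboqs tag or commit>` next to `ARG NGINX_VERSION` and cloning with `--branch ${LIBOQS_VERSION}`, so a scheduled rebuild that breaks can be traced to a revision. Dropping `libssl-dev` from the apt line is consistent with linking against the boringssl copied to `/usr/local/lib` later in this RUN, but a comment such as `# libssl-dev intentionally absent: nginx links against the boringssl built below` would keep it from being re-added. The RUN instruction this hunk edits continues past the end of the hunk.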
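Review bot: The changed `wget https://nginx.org/download/nginx-${NGINX_VERSION}.tar.gz` line in the second hunk still unpacks the tarball with no integrity check, so pinning the version fixes what is requested, not what gets built. Since the version is already an ARG, add a checksum ARG beside it and verify before extraction: `ARG NGINX_SHA256=<sha256 of the nginx-1.26.2 tarball>` at the top and `echo "${NGINX_SHA256}  nginx.tgz" | sha256sum -c - && \` between the download and `tar xvf` (nginx.org also publishes `.tar.gz.asc` signatures if GPG verification is preferred). The `mv nginx-${NGINX_VERSION} nginx` rename is a reasonable way to make the runtime-stage COPY paths version-independent. The RUN instruction this hunk edits starts before and ends after the hunk.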
@@ -62,9 +62,8 @@ RUN apt update && apt upgrade -y && mkdir /home/build && cd /home/build && \
 make
 FROM ubuntu:latest
-ARG NGINX_VERSION=1.26.1
-COPY --from=build /home/build/nginx-${NGINX_VERSION}/objs/nginx /usr/sbin/nginx
-COPY --from=build /home/build/nginx-${NGINX_VERSION}/conf /etc/nginx
+COPY --from=build /home/build/nginx/objs/nginx /usr/sbin/nginx
+COPY --from=build /home/build/nginx/conf /etc/nginx
 COPY --from=build /usr/local/lib /usr/local/lib
 RUN set -x \
 && apt update && apt upgrade -y && apt install --no-install-recommends --no-install-suggests -y adduser libpcre3 && rm -rf /var/lib/apt/lists/* /etc/apt/sources.list.d/nginx.list \
diff --git a/nginx/nginx-conf/nginx-quic.conf b/nginx/nginx-conf/nginx-quic.conf
new file mode 100644
index 00000000..03879edd
--- /dev/null
+++ b/nginx/nginx-conf/nginx-quic.conf
@@ -0,0 +1,49 @@
+
+#user nobody;
+worker_processes 1;
+
+events {
+ worker_connections 1024;
+}
+
+http {
+ include mime.types;
+ default_type application/octet-stream;
+ sendfile on;
+ keepalive_timeout 65;
+ gzip on;
+
+ server {
+ listen 443 ssl;
+ listen 443 quic reuseport;
+ listen [::]:443 ssl;
+ listen [::]:443 quic reuseport;
+
+ http2 on;
+ http3 on;
+ ssl_early_data on;
+ quic_retry on;
+ add_header Alt-Svc 'h3=":443"; ma=86400';
+
+ server_name host.docker.internal;
+ ssl_certificate /certs/server.crt;
+ ssl_certificate_key /certs/server.key;
+
+ ssl_ecdh_curve 'mlkem1024:bikel3:hqc192:x25519_frodo640shake';
+
+ location / {
+ add_header Content-Type text/plain;
+ return 200 'OK';
+ }
+
+ ssl_session_timeout 1d;
+ ssl_session_cache shared:MozSSL:10m;
+ ssl_session_tickets off;
+ ssl_protocols TLSv1.3;
+ ssl_prefer_server_ciphers off;
+ add_header Strict-Transport-Security "max-age=63072000" always;
+ add_header X-Frame-Options "SAMEORIGIN" always;
+ add_header X-XSS-Protection "1; mode=block" always;
+ add_header X-Content-Type-Options "nosniff" always;
+ }
+}
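Review bot: The `add_header Content-Type text/plain;` inside `location /` cancels every `add_header` inherited from the `server` block, because nginx inherits `add_header` into a level only when that level declares none of its own; as written the `/` response carries neither `Alt-Svc` nor the `Strict-Transport-Security`, `X-Frame-Options` and `X-Content-Type-Options` headers set at the bottom of the server block. Replace that line with `default_type text/plain;` inside the location, which sets the content type without touching header inheritance. `ssl_early_data on;` together with `http3 on;` accepts 0-RTT data, which is replayable; with only `return 200 'OK'` that is harmless here, but a comment such as `# 0-RTT is replayable: check $ssl_early_data before proxying early data to a state-changing backend` would stop the snippet being copied into a proxy config unchanged. `X-XSS-Protection` is deprecated in current browsers and can be dropped, though it does no harm.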