From 5f565760cd67eb0feecb1b9c963cac3926037fd8 Mon Sep 17 00:00:00 2001 From: pi-314159 <74706004+pi-314159@users.noreply.github.com> Date: Mon, 12 Aug 2024 04:25:57 -0500 Subject: [PATCH 1/4] Add nginx with QUIC Dockerfile Co-authored-by: Raytonne <86047362+Raytonne@users.noreply.github.com> Co-authored-by: lxwzy Co-authored-by: pi-314159 <74706004+pi-314159@users.noreply.github.com> Signed-off-by: pi-314159 <74706004+pi-314159@users.noreply.github.com> --- README.md | 1 - nginx/Dockerfile-QUIC | 84 +++++++++++++++ nginx/README-QUIC.md | 56 ++++++++++ nginx/README.md | 2 +- quic/CMakeLists.txt.patch | 18 ---- quic/Dockerfile-client | 74 ------------- quic/Dockerfile-server | 56 ---------- quic/README.md | 66 ------------ quic/USAGE-client.md | 32 ------ quic/USAGE-server.md | 44 -------- quic/ext-csr.conf | 15 --- quic/fulltest.sh | 13 --- quic/genconfig.py | 150 --------------------------- quic/merge-oqs-openssl-quic.sh | 92 ---------------- quic/reach.sh | 18 ---- quic/recert.sh | 54 ---------- quic/serverstart.sh | 18 ---- quic/src-inc-CMakeLists.txt.patch | 16 --- quic/src-tools-reach-reach.cpp.patch | 97 ----------------- quic/testrun.py | 33 ------ 20 files changed, 141 insertions(+), 798 deletions(-) create mode 100644 nginx/Dockerfile-QUIC create mode 100644 nginx/README-QUIC.md delete mode 100644 quic/CMakeLists.txt.patch delete mode 100644 quic/Dockerfile-client delete mode 100644 quic/Dockerfile-server delete mode 100644 quic/README.md delete mode 100644 quic/USAGE-client.md delete mode 100644 quic/USAGE-server.md delete mode 100644 quic/ext-csr.conf delete mode 100755 quic/fulltest.sh delete mode 100644 quic/genconfig.py delete mode 100755 quic/merge-oqs-openssl-quic.sh delete mode 100755 quic/reach.sh delete mode 100755 quic/recert.sh delete mode 100755 quic/serverstart.sh delete mode 100644 quic/src-inc-CMakeLists.txt.patch delete mode 100644 quic/src-tools-reach-reach.cpp.patch delete mode 100644 quic/testrun.py diff --git a/README.md b/README.md index 68763cc5..83beab7a 100644 --- a/README.md +++ b/README.md @@ -29,7 +29,6 @@ Currently available integrations at their respective support level: | **ngtcp2** | [Github: oqs-demos/ngtcp2](ngtcp2) | Dockerhub: [Server: openquantumsafe/ngtcp2-server](https://hub.docker.com/repository/docker/openquantumsafe/ngtcp2-server), [Client: openquantumsafe/ngtcp2-client](https://hub.docker.com/repository/docker/openquantumsafe/ngtcp2-client) | unsupported | **OpenLiteSpeed** | [Github: oqs-demos/openlitespeed](openlitespeed) | [ Dockerhub: openquantumsafe/openlitespeed](https://hub.docker.com/repository/docker/openquantumsafe/openlitespeed) | unsupported | **h2load** | [Github: oqs-demos/h2load](h2load) | [ Dockerhub: openquantumsafe/h2load](https://hub.docker.com/repository/docker/openquantumsafe/h2load) | unsupported -| **QUIC** | [Github: oqs-demos/quic](quic) | Dockerhub: [Server: openquantumsafe/nginx-quic](https://hub.docker.com/repository/docker/openquantumsafe/nginx-quic), [Client: openquantumsafe/msquic](https://hub.docker.com/repository/docker/openquantumsafe/msquic-reach) | unsupported | **HAproxy** | [Github: oqs-demos/haproxy](haproxy) | [Dockerhub: openquantumsafe/haproxy](https://hub.docker.com/repository/docker/openquantumsafe/haproxy) | unsupported | **Mosquitto** | [Github: oqs-demos/mosquitto](mosquitto) | [Dockerhub: openquantumsafe/mosquitto](https://hub.docker.com/repository/docker/openquantumsafe/mosquitto) | unsupported | **Envoy** | [Github: oqs-demos/envoy](envoy) | [ Dockerhub: openquantumsafe/envoy](https://hub.docker.com/repository/docker/openquantumsafe/envoy) | unsupported diff --git a/nginx/Dockerfile-QUIC b/nginx/Dockerfile-QUIC new file mode 100644 index 00000000..cef1ab80 --- /dev/null +++ b/nginx/Dockerfile-QUIC @@ -0,0 +1,84 @@ +FROM ubuntu:noble AS build + +ARG NGINX_VERSION=1.26.1 + +RUN apt update && apt upgrade -y && mkdir /home/build && cd /home/build && \ + apt install -y g++ make git libssl-dev libpcre3 libpcre3-dev build-essential zlib1g-dev wget && \ +# liboqs deps + liboqs_pkgs="cmake gcc ninja-build libunwind-dev pkg-config python3 python3-psutil golang-go" && apt install -y $liboqs_pkgs && \ +# Download liboqs + git clone --branch main --single-branch --depth 1 https://github.com/open-quantum-safe/liboqs.git && \ +# Download open-quantum-safe/boringssl + git clone --branch master --single-branch --depth 1 https://github.com/open-quantum-safe/boringssl.git && \ +# Build liboqs +# https://github.com/open-quantum-safe/liboqs/blob/main/CONFIGURE.md#options-for-configuring-liboqs-builds + cd liboqs && mkdir build && cd build && cmake -GNinja -DCMAKE_INSTALL_PREFIX=../../boringssl/oqs -DCMAKE_BUILD_TYPE=Release -DOQS_DIST_BUILD=ON -DOQS_USE_OPENSSL=OFF .. && ninja && ninja install && \ +# build boringssl + cd ../../boringssl && mkdir build && cd build && cmake -GNinja -DCMAKE_BUILD_TYPE=Release -DBUILD_SHARED_LIBS=1 .. && ninja && \ +# prepare dir + cp -p ssl/libssl.so /usr/local/lib && cp -p crypto/libcrypto.so /usr/local/lib && cd ../.. && \ +# Download nginx + wget https://nginx.org/download/nginx-${NGINX_VERSION}.tar.gz -O nginx.tgz && tar xvf nginx.tgz && \ +# build nginx + cd nginx-${NGINX_VERSION} && \ + ./configure \ + --prefix=/etc/nginx \ + --sbin-path=/usr/sbin/nginx \ + --modules-path=/usr/lib/nginx/modules \ + --conf-path=/etc/nginx/nginx.conf \ + --error-log-path=/var/log/nginx/error.log \ + --http-log-path=/var/log/nginx/access.log \ + --pid-path=/var/run/nginx.pid \ + --lock-path=/var/run/nginx.lock \ + --http-client-body-temp-path=/var/cache/nginx/client_temp \ + --http-proxy-temp-path=/var/cache/nginx/proxy_temp \ + --http-fastcgi-temp-path=/var/cache/nginx/fastcgi_temp \ + --http-uwsgi-temp-path=/var/cache/nginx/uwsgi_temp \ + --http-scgi-temp-path=/var/cache/nginx/scgi_temp \ + --user=nginx --group=nginx \ + --with-http_v3_module \ + --with-http_v2_module \ + --with-http_ssl_module \ + --with-http_realip_module \ + --with-http_gzip_static_module \ + --with-http_gunzip_module \ + --with-http_slice_module \ + --with-stream \ + --with-stream_ssl_module \ + --with-stream_ssl_preread_module \ + --with-stream_realip_module \ + --with-compat \ + --with-threads \ + --with-http_mp4_module \ + --with-file-aio \ + --with-http_secure_link_module \ + --with-http_stub_status_module \ + --with-http_auth_request_module \ + --with-http_dav_module \ + --with-http_flv_module \ + --with-cc=c++ \ + --with-cc-opt="-I../boringssl/include -x c -Ofast" \ + --with-ld-opt="-L../boringssl/build/ssl -L../boringssl/build/crypto -Wl,-rpath,/usr/local/lib" && \ + make + +FROM ubuntu:noble +ARG NGINX_VERSION=1.26.1 +COPY --from=build /home/build/nginx-${NGINX_VERSION}/objs/nginx /usr/sbin/nginx +COPY --from=build /home/build/nginx-${NGINX_VERSION}/conf /etc/nginx +COPY --from=build /usr/local/lib /usr/local/lib +RUN set -x \ + && apt update && apt upgrade -y && apt install --no-install-recommends --no-install-suggests -y adduser libpcre3 && rm -rf /var/lib/apt/lists/* /etc/apt/sources.list.d/nginx.list \ + && groupadd --system --gid 101 nginx \ + && useradd --system --gid nginx --no-create-home --home /nonexistent --comment "nginx user" --shell /bin/false --uid 101 nginx \ + && mkdir -p '/var/run' && mkdir -p '/var/cache/nginx' && mkdir -p '/var/log/nginx' \ + && touch /var/log/nginx/access.log /var/log/nginx/error.log \ + && ln -sf /dev/stdout /var/log/nginx/access.log \ + && ln -sf /dev/stderr /var/log/nginx/error.log + +EXPOSE 80 +EXPOSE 443 +EXPOSE 443/udp + +STOPSIGNAL SIGQUIT + +CMD ["nginx", "-g", "daemon off;"] diff --git a/nginx/README-QUIC.md b/nginx/README-QUIC.md new file mode 100644 index 00000000..55bfa27d --- /dev/null +++ b/nginx/README-QUIC.md @@ -0,0 +1,56 @@ +# NGINX with OQS-BoringSSL for QUIC + +This Docker setup provides an nginx instance configured to use OQS-BoringSSL, which supports QUIC with quantum-safe algorithms. For more information on the supported quantum-safe algorithms and how to enable additional algorithms, please refer to the following resources: + +- [Supported Algorithms](https://github.com/open-quantum-safe/boringssl?tab=readme-ov-file#supported-algorithms) +- [Using LibOQS Algorithms Not in the Fork](https://github.com/open-quantum-safe/boringssl/wiki/Using-liboqs-algorithms-not-in-the-fork) + +## Setup Instructions + +### Step 1: Build the Docker Image + +Build the Docker image using the provided Dockerfile: + +```bash +docker build -f Dockerfile-QUIC . +``` + +After building, remember the SHA256 hash of the image from the last line of the output. + +### Step 2: Run the Docker Image + +To run the image: + +- **Without Port Forwarding:** + + ```bash + docker run -d SHA256_OF_THE_IMAGE + ``` + +- **With Port Forwarding:** + + ```bash + docker run -d -p 80:80 -p 443:443 -p 443:443/udp SHA256_OF_THE_IMAGE + ``` + +Replace `SHA256_OF_THE_IMAGE` with the actual SHA256 hash of the Docker image. + +### Step 3: Find the Container ID + +To find the container ID, use: + +```bash +docker ps +``` + +### Step 4: Access the Container + +To access the container, use: + +```bash +docker exec -it CONTAINER_ID bash +``` + +Replace `CONTAINER_ID` with the ID obtained from the previous step. + +Inside the container, nginx configuration files are located in `/etc/nginx`, and the nginx executable is at `/usr/sbin/nginx`. diff --git a/nginx/README.md b/nginx/README.md index ccca0a6f..b62bc593 100644 --- a/nginx/README.md +++ b/nginx/README.md @@ -1,6 +1,6 @@ ## Purpose -This directory contains a Dockerfile that builds nginx using OpenSSL3 with the [OQS provider](https://github.com/open-quantum-safe/oqs-provider), which allows nginx to negotiate quantum-safe keys and use quantum-safe authentication in TLS 1.3. +This directory contains a Dockerfile that builds nginx using OpenSSL3 with the [OQS provider](https://github.com/open-quantum-safe/oqs-provider), which allows nginx to negotiate quantum-safe keys and use quantum-safe authentication in TLS 1.3. For instructions on setting up and using nginx with HTTP/3 QUIC support, please refer to the [NGINX QUIC README](https://github.com/open-quantum-safe/oqs-demos/blob/main/nginx/README-QUIC.md). ## Getting started diff --git a/quic/CMakeLists.txt.patch b/quic/CMakeLists.txt.patch deleted file mode 100644 index 30a5983d..00000000 --- a/quic/CMakeLists.txt.patch +++ /dev/null @@ -1,18 +0,0 @@ -diff --git a/CMakeLists.txt b/CMakeLists.txt -index 419715963..16776981e 100644 ---- a/CMakeLists.txt -+++ b/CMakeLists.txt -@@ -423,6 +423,13 @@ if (NOT MSVC AND NOT APPLE AND NOT ANDROID) - else() - message(STATUS "libatomic not found. If build fails, install libatomic") - endif() -+ find_library(LIBOQS NAMES oqs PATHS submodules/openssl/oqs/lib) -+ if (LIBOQS) -+ message(STATUS "Found liboqs: ${LIBOQS}") -+ else() -+ message(STATUS "liboqs not found at submodules/openssl/oqs/lib. If build fails, install liboqs") -+ endif() -+ - - find_library(NUMA NAMES NUMA libnuma.so.1) - if (NUMA) diff --git a/quic/Dockerfile-client b/quic/Dockerfile-client deleted file mode 100644 index 1b5641ab..00000000 --- a/quic/Dockerfile-client +++ /dev/null @@ -1,74 +0,0 @@ -FROM ubuntu:focal as builder - -ENV TZ=Europe/Zurich -ENV DEBIAN_FRONTEND=noninteractive - -WORKDIR /root -# Update image and apt software -RUN apt update && apt install software-properties-common apt-utils -y - -# Install all prerequisites -RUN apt-add-repository ppa:lttng/stable-2.12 -y && apt update && apt install wget build-essential cmake liblttng-ust-dev lttng-tools git ninja-build libssl-dev -y - -# Install powershell as testing requires it: -RUN wget -q https://packages.microsoft.com/config/ubuntu/18.04/packages-microsoft-prod.deb && dpkg -i packages-microsoft-prod.deb && apt-get update && add-apt-repository universe && apt-get install -y powershell - -# activate this to only build plain msquic: -#RUN git clone https://github.com/microsoft/msquic && cd msquic && git submodule init && git submodule update --recursive - -COPY merge-oqs-openssl-quic.sh /tmp/merge/merge-oqs-openssl-quic.sh -WORKDIR /tmp/merge -RUN ./merge-oqs-openssl-quic.sh mergeonly - -WORKDIR /root - -RUN git clone --depth 1 --branch main https://github.com/open-quantum-safe/liboqs.git && git clone --recursive https://github.com/microsoft/quicreach && cd quicreach/msquic && git submodule deinit -f -- submodules/openssl && rm -rf ../.git/modules/msquic/modules/submodules/openssl && git rm -f submodules/openssl && GIT_ALLOW_PROTOCOL=file git submodule add /tmp/merge/oqs-openssl-quic submodules/openssl && git submodule update --init submodules/googletest && cd ../.. - -# until oqs-openssl builds liboqs as submodule, need to do it manually: -# also copy oqs-includes into a location that the quic-openssl out-of-tree-build will find: -RUN cd liboqs && mkdir build && cd build && cmake -GNinja -DCMAKE_INSTALL_PREFIX=/root/quicreach/msquic/submodules/openssl/oqs .. && ninja && ninja install && cp -R /root/quicreach/msquic/submodules/openssl/oqs/include/oqs /root/quicreach/msquic/submodules/openssl/include - -# builds but test would fail b/o powershell dependency of tests: -# RUN cd /root/msquic && mkdir build && cd build && cmake -G 'Unix Makefiles' .. && cmake --build . - -# patch cmake files to find liboqs.a: -COPY CMakeLists.txt.patch /root/quicreach/msquic -RUN patch /root/quicreach/msquic/CMakeLists.txt < /root/quicreach/msquic/CMakeLists.txt.patch -COPY src-inc-CMakeLists.txt.patch /root/quicreach/msquic -RUN patch /root/quicreach/msquic/src/inc/CMakeLists.txt < /root/quicreach/msquic/src-inc-CMakeLists.txt.patch - -# build using powershell if testing is desired: -#RUN pwsh /root/msquic/scripts/build.ps1 -Config Debug -Arch x64 -Tls openssl - -# otherwise, just use standard tooling: -WORKDIR /root/quicreach -RUN mkdir build && cd build && cmake -G 'Unix Makefiles' .. && cmake --build . - -# Note: ipv6 must be enabled for tests to succeed -#RUN pwsh /root/msquic/scripts/test.ps1 - -# Do a baseline handshake against quic.nginx.org -RUN /root/quicreach/build/src/quicreach quic.nginx.org - - -# Just install the bare minimum to run reachability test -FROM ubuntu:focal - -ENV TZ=Europe/Zurich -ENV DEBIAN_FRONTEND=noninteractive - -WORKDIR /root -RUN apt update && apt install software-properties-common wget -y - -COPY --from=builder /root/quicreach/build/msquic/bin/Release/libmsquic.so.2 /root/quicreach/build/msquic/bin/Release/libmsquic.so.2 -COPY --from=builder /root/quicreach/build/src/quicreach /usr/bin/quicreach - - -COPY reach.sh /root/reach.sh -COPY testrun.py /root/testrun.py -COPY fulltest.sh /root/fulltest.sh - -# set TLS_DEFAULT_GROUPS env var to OQS group to be tested; default/unset: classic groups -# be sure to match OQS_QUIC_PORT env var (default: 8443) -CMD /root/reach.sh - diff --git a/quic/Dockerfile-server b/quic/Dockerfile-server deleted file mode 100644 index 2fc17f1f..00000000 --- a/quic/Dockerfile-server +++ /dev/null @@ -1,56 +0,0 @@ -FROM ubuntu:focal as builder - -ENV TZ=Europe/Zurich -ENV DEBIAN_FRONTEND=noninteractive - -# All build prerequisites for the various software packages: -RUN apt update && apt full-upgrade -y -RUN apt install build-essential iputils-ping vim git mercurial cmake gcc libtool libssl-dev make ninja-build unzip xsltproc doxygen python3-yaml libpcre3-dev libpcre3 zlib1g-dev locate net-tools python3-pip -y && pip3 install psutil - -WORKDIR /opt -COPY merge-oqs-openssl-quic.sh /opt -RUN /opt/merge-oqs-openssl-quic.sh mergeonly - -WORKDIR /opt -#RUN git clone https://github.com/open-quantum-safe/liboqs.git && git clone https://github.com/igorbarshteyn/oqs-openssl-quic.git && hg clone -b quic https://hg.nginx.org/nginx-quic && cd nginx-quic -RUN git clone https://github.com/open-quantum-safe/liboqs.git && hg clone https://hg.nginx.org/nginx-quic && cd nginx-quic - -# Make sure library runs on all CPUs: -RUN cd liboqs && mkdir build && cd build && cmake -GNinja -DOQS_DIST_BUILD=ON -DCMAKE_INSTALL_PREFIX=/opt/oqs-openssl-quic/oqs .. && ninja && ninja install - -WORKDIR /opt -RUN cd oqs-openssl-quic && ./Configure '-Wl,--enable-new-dtags,-rpath,$(LIBRPATH)' no-shared linux-x86_64 -lm && make -j 2 && make install_sw - -WORKDIR /opt - -# only change required for nginx: insert liboqs as link library: -RUN cd nginx-quic && ./auto/configure --with-debug --with-http_v3_module --with-openssl=/opt/oqs-openssl-quic && sed -i "s/-ldl -lpthread -lz/\/opt\/oqs-openssl-quic\/.openssl\/lib\/liboqs.a -ldl -lpthread -lz/g" objs/Makefile && make && make install && cp /opt/oqs-openssl-quic/apps/openssl.cnf /opt/oqs-openssl-quic/.openssl - -COPY ext-csr.conf /opt -COPY genconfig.py /opt -#COPY common.py /opt -RUN cp /opt/oqs-openssl-quic/oqs-test/common.py /opt - -# generate root and all server certs -WORKDIR /opt -RUN mkdir certs && python3 genconfig.py && mkdir /usr/local/nginx/certs && cp certs/* /usr/local/nginx/certs && cp oqs-nginx.conf /usr/local/nginx/conf && cp assignments.json /usr/local/nginx/html && cp root/CA.crt /usr/local/nginx/html - -FROM ubuntu:focal - -ENV TZ=Europe/Zurich -ENV DEBIAN_FRONTEND=noninteractive - -RUN apt update && apt install -y python3 python3-psutil - -COPY --from=builder /opt/oqs-openssl-quic/.openssl /opt/oqs-openssl-quic/.openssl -COPY --from=builder /usr/local/nginx /usr/local/nginx -COPY --from=builder /opt/root/CA.crt /opt/root/CA.crt -COPY --from=builder /opt/assignments.json /opt/assignments.json -COPY --from=builder /opt/common.py /opt/common.py -COPY recert.sh /opt -COPY serverstart.sh /opt -COPY ext-csr.conf /opt -COPY genconfig.py /opt - - -CMD ["/opt/serverstart.sh"] diff --git a/quic/README.md b/quic/README.md deleted file mode 100644 index a1877b9a..00000000 --- a/quic/README.md +++ /dev/null @@ -1,66 +0,0 @@ -OQS-OpenSSL-QUIC -================================== - -## Warning - -This integration is currently not supported due to [the end of life of oqs-openssl111](https://github.com/open-quantum-safe/openssl#warning). Feel free to vote this back into supported state by visiting [the discussion on the topic](https://github.com/orgs/open-quantum-safe/discussions/1602). - -[OpenSSL](https://openssl.org/) is an open-source implementation of the TLS protocol and various cryptographic algorithms ([View the original README for the OQS-enabled fork here](https://github.com/open-quantum-safe/openssl/blob/OQS-OpenSSL_1_1_1-stable/README).) - -OQS-OpenSSL\_1\_1\_1 is a fork of OpenSSL 1.1.1 that adds quantum-safe key exchange and authentication algorithms using [liboqs](https://github.com/open-quantum-safe/liboqs) for prototyping and evaluation purposes. This fork is not endorsed by the OpenSSL project. - -This project adds QUIC protocol support from [quictls](https://github.com/quictls/openssl), a project by Microsoft and Akamai to add QUIC protocol support to OQS-OpenSSL. - -A demo for merging OQS-OpenSSL and quictls was originally manually built and [published](https://www.linkedin.com/pulse/quic-protocol-quantum-safe-cryptography-presenting-future-igor/) by [Igor Barshteyn](https://www.linkedin.com/in/igorbarshteyn/). - -It was then improved upon by Michael Baentsch of the Open Quantum Safe team to automate the build process (see the **merge-oqs-openssl-quic.sh** shell script in this folder) and to enable further testing of quantum-safe algorithms with the QUIC protocol, resulting in the code in this folder. - -Please [see the original README](https://github.com/open-quantum-safe/openssl#readme) for OQS-OpenSSL for additional information about using and configuring OQS-OpenSSL. - -Work to further experiment with the quantum-safe algorithms using the QUIC protocol is ongoing. Questions, comments, corrections, improvements, and other contributions are welcome, e.g., via issues to this project. - -Thanks, - ---Igor Barshteyn - -## Dockerfiles - -In order to simplify the experimentation with QUIC-enabled OQS-OpenSSL this folder contains all components to create a server and a client component. The server is based on a [QUIC-enabled nginx](https://hg.nginx.org/nginx-quic), the client is based on [msquic](https://github.com/microsoft/msquic/). - -### Server - -#### Building - -In order to build the server one can simply issue the command `docker build -t oqs-quic-nginx -f Dockerfile-server .`. - -#### Background - -The build process first merges the two OpenSSL forks, [OQS-OpenSSL](https://github.com/open-quantum-safe/openssl) and [quictls](https://github.com/quictls/openssl) into one OQS-QUIC-OpenSSL code repository. It then proceeds to build nginx using this OpenSSL code base incl. the base OQS library, [liboqs](https://github.com/open-quantum-safe/liboqs). In the second stage of the build process all build artifacts not required for running oqs-quic-nginx are dropped and scripts are added to permit starting an nginx server opening one port for each OQS-signature x OQS-KEM algorithm combination. Also, a default root CA and server certificates for a demo server FQDN "nginx" are created. - -The server is designed to be run both in a local docker network as well as on a cloud host. Most notably, it contains all logic to create server certificates for all supported OQS signature algorithms parameterized on the fully qualified domain name (FQDN) of the host ultimately hosting the server. - -#### Usage - -Documentation for using the server docker image is contained in the separate [USAGE-server.md](USAGE-server.md) file. - -### Client - -#### Building - -In order to build the client one can simply issue the command `docker build -t oqs-msquic -f Dockerfile-client .`. - -#### Usage - -Documentation for using the client docker image is contained in the separate [USAGE-client.md](USAGE-client.md) file. - -#### Background - -The build process first merges the two OpenSSL forks, [OQS-OpenSSL](https://github.com/open-quantum-safe/openssl) and [quictls](https://github.com/quictls/openssl) into one OQS-QUIC-OpenSSL code repository. It then proceeds to build msquic using this OpenSSL code base incl. the base OQS library, [liboqs](https://github.com/open-quantum-safe/liboqs). Some patches to the `msquic` code base are applied to enable the build and experimentation with different OQS algorithms. In the second stage of the build process all build artifacts not required for running the baseline QUIC reachability test are dropped and scripts are added to permit a full test of all OQS-algorithm combinations as afforded by the server. - -The client is meant for basic QUIC reachability tests by way of completing TLS handshakesn only. For further details about the client [see its documentation](https://github.com/microsoft/quicreach). - -## License - -All modifications to this repository are released under the same terms as OpenSSL, namely as described in the file [LICENSE](https://github.com/open-quantum-safe/openssl/blob/OQS-OpenSSL_1_1_1-stable/LICENSE). - - diff --git a/quic/USAGE-client.md b/quic/USAGE-client.md deleted file mode 100644 index 24cd8d61..00000000 --- a/quic/USAGE-client.md +++ /dev/null @@ -1,32 +0,0 @@ -# Quantum-safe QUIC client - -Extending the [the initial work by Igor Barshteyn](https://www.linkedin.com/pulse/quic-protocol-quantum-safe-cryptography-presenting-future-igor/) this image integrates quantum safe cryptography (QSC) into the [msquic](https://github.com/microsoft/msquic) software package to allow exercising all QSC algorithm combinations currently supported by the [OpenQuantumSafe](https://www.openquantumsafe.org) project. - -## Background - -To limit the size of the docker image (and the amount of functionality to be tested :) this image only contains a QSC-enabled [QUIC reachability test](https://github.com/microsoft/quicreach). - -## Suggested use - -In order to interact with the [companion QSC-QUIC nginx image](https://hub.docker.com/repository/docker/openquantumsafe/nginx-quic) the client shall be started within the same docker network: - -``` -docker run --network oqs-quic -it openquantumsafe/msquic-reach bash -``` - -Within the resulting shell, tests for QUIC functionality can be performed. - -As a baseline, to ascertain proper QUIC interoperability, it is recommended to contact the [nginx QUIC test server](https://quic.nginx.org) via `quicreach quic.nginx.org --stats`. This should output correct reachability (completion of TLS handshake) and some connection (quality) statistics. - -### Test of all QSC algorithm combinations - -The latter information also is output for each of the QSC signature and KEM algorithms when running the full matrix test via the command - -``` -/root/fulltest.sh [] -``` - -To perform this test, the image downloads from the server optionally passed as an argument ('nginx' being the default) the server's root CA certificate and list of OQS-algorithm port assignments. - -Output is a CSV structure comprising QSC signature name, QSC KEM name, and connection establishment statistics as [defined by quicreach](https://github.com/microsoft/quicreach) (if successful). - diff --git a/quic/USAGE-server.md b/quic/USAGE-server.md deleted file mode 100644 index 287658c5..00000000 --- a/quic/USAGE-server.md +++ /dev/null @@ -1,44 +0,0 @@ -# Quantum-safe nginx QUIC server - -Extending the [the initial work by Igor Barshteyn](https://www.linkedin.com/pulse/quic-protocol-quantum-safe-cryptography-presenting-future-igor/) this mirrors the [HTTP and TCP-based quantum-safe crypto test server](https://test.openquantumsafe.org) operating quantum-safe cryptographic (QSC) algorithms using nginx using QUIC: - -When starting this image, it opens one [QUIC-based](https://en.wikipedia.org/wiki/QUIC) server port for each combination of 2 classic and 39 [quantum-safe or hybrid digital signature algorithms](https://github.com/open-quantum-safe/openssl#authentication) for each of the 84 [quantum-safe or hybrid KEM algorithms](https://github.com/open-quantum-safe/openssl#key-exchange) supported by the [OpenQuantumSafe](https://www.openquantumsafe.org) [openssl 1.1.1 fork](https://github.com/open-quantum-safe/openssl) (plus one classic KEM for completeness), i.e. currently 3485 ports. - -The server exposes the root CA certificate it uses to sign all ports' certificates as well as a JSON file with the mapping between the signature+KEM algorithm accessible at each port via the URIs "CA.crt" and "assignments.json", respectively at port 5999 for download by test clients. - -## Background - -This work deviates in setup from [the original](https://www.linkedin.com/pulse/quic-protocol-quantum-safe-cryptography-presenting-future-igor/) in order to facilitate two things: - -1) By supporting exactly one QSC sig+KEM pair per port, a successfully completed connection (handshake) assures that a suitable client has successfully connected exactly this algorithm combination, doing away with the need for packet inspection to ascertain the use of specific algorithms. - -2) A suitable client can thus request and announce exactly one KEM algorithm via the TLS1.3 supported groups mechanism, thus doing away with the need to carry a long list of supported groups somewhat restricting the amount of scarce QUIC packet size for other TLS handshake data. - -## Suggested use - -Due to the need for creating (classic and quantum-safe) certificates for each port, the default server name "nginx" has been chosen and is encoded in default server certificates. In order to facilitate running this image on a host with a different fully qualified domain name (FQDN) it is possible to start the server with the environment variable `SERVER_FQDN` set. In case of such start, root CA and all server certificates are re-created to match this server FQDN. - -### In a docker network - -Due to the large number of ports opened the server should be started this way in a docker network named "oqs-quic": - -``` - docker network create oqs-quic - docker run --ulimit nofile=5000:5000 --rm --network oqs-quic --name nginx -it openquantumsafe/nginx-quic -``` - - -### Standalone start - -If the server is to be started on a host with the FQDN "quictest.sample.org" and exposing all QUIC ports, it should be started like this: - -``` - docker run --ulimit nofile=5000:5000 -e SERVER_FQDN=quictest.sample.org --rm --network=host -it openquantumsafe/nginx-quic -``` - -As many certificates for the given SERVER_FQDN and thousands of ports are created, some time should be given to the server to become fully operational before accessing it with a client, e.g., the below: - -## Accessing the server - -A [companion docker image](https://hub.docker.com/repository/docker/openquantumsafe/msquic-reach) is available to exercise all these algorithms by an OQS-enabled QUIC test client based on `msquic`. - diff --git a/quic/ext-csr.conf b/quic/ext-csr.conf deleted file mode 100644 index d40bec7f..00000000 --- a/quic/ext-csr.conf +++ /dev/null @@ -1,15 +0,0 @@ -[req] -distinguished_name = req_distinguished_name -req_extensions = v3_req -prompt = no - -[req_distinguished_name] -CN = moin.test.org - -[v3_req] -keyUsage = nonRepudiation, digitalSignature, keyEncipherment -extendedKeyUsage = serverAuth -subjectAltName = @alt_names -[alt_names] -DNS.1 = moin.test.org - diff --git a/quic/fulltest.sh b/quic/fulltest.sh deleted file mode 100755 index 3da32620..00000000 --- a/quic/fulltest.sh +++ /dev/null @@ -1,13 +0,0 @@ -#!/bin/bash - -cd /root - -if [ $# -gt 0 ]; then - export OQS_QUIC_SERVER=$1 -else - export OQS_QUIC_SERVER=nginx -fi - -rm -f CA.crt assignments.json && wget ${OQS_QUIC_SERVER}:5999/CA.crt && wget ${OQS_QUIC_SERVER}:5999/assignments.json - -python3 testrun.py assignments.json diff --git a/quic/genconfig.py b/quic/genconfig.py deleted file mode 100644 index ebe30333..00000000 --- a/quic/genconfig.py +++ /dev/null @@ -1,150 +0,0 @@ -import common -import os -import json -import sys - -############# Configuration section starting here - -# This is where nginx is (to be) installed -BASEPATH="/usr/local/nginx/" - -# This is the (relative to BASEPATH) path of all certificates -PKIPATH="certs" - -# This is the port where all algorithms start to be present(ed) -STARTPORT=6000 - -# This is the local location of the OQS-enabled OpenSSL -OPENSSL="/opt/oqs-openssl-quic/.openssl/bin/openssl" - -# This is the local OQS-OpenSSL config file -OPENSSL_CNF="/opt/oqs-openssl-quic/.openssl/openssl.cnf" - -# This is the fully-qualified domain name of the server to be set up -# Ensure this is in sync with contents of ext-csr.conf file -TESTFQDN="nginx" - -# This is the local folder where the root CA (key and cert) resides -CAROOTDIR="root" - -# This contains all algorithm/port assignments -ASSIGNMENT_FILE = "assignments.json" - -############# Functions starting here - -# Generate cert chain (server and CA for a given sig alg: -# srv crt/key wind up in '/_srv.crt|key -def gen_cert(sig_alg): - # first check whether we already have a root CA; if not create it - if not os.path.exists(CAROOTDIR): - os.mkdir(CAROOTDIR) - common.run_subprocess([OPENSSL, 'req', '-x509', '-new', - '-newkey', "rsa:3072", - '-keyout', os.path.join(CAROOTDIR, "CA.key"), - '-out', os.path.join(CAROOTDIR, "CA.crt"), - '-nodes', - '-subj', '/CN=oqstest_CA', - '-days', '500', - '-config', OPENSSL_CNF]) - print("New root cert residing in %s." % (os.path.join(CAROOTDIR, "CA.crt"))) - - # now generate suitable server keys signed by that root; adapt algorithm names to std ossl - if sig_alg == 'rsa3072': - ossl_sig_alg_arg = 'rsa:3072' - elif sig_alg == 'ecdsap256': - common.run_subprocess([OPENSSL, "ecparam", "-name", "prime256v1", "-out", os.path.join(PKIPATH, "prime256v1.pem")]) - ossl_sig_alg_arg = 'ec:{}'.format(os.path.join(PKIPATH, "prime256v1.pem")) - else: - ossl_sig_alg_arg = sig_alg - # generate server key and CSR - common.run_subprocess([OPENSSL, 'req', '-new', - '-newkey', ossl_sig_alg_arg, - '-keyout', os.path.join(PKIPATH, '{}_srv.key'.format(sig_alg)), - '-out', os.path.join(PKIPATH, '{}_srv.csr'.format(sig_alg)), - '-nodes', - '-subj', '/CN='+TESTFQDN, - '-config', OPENSSL_CNF]) - # generate server cert off common root - common.run_subprocess([OPENSSL, 'x509', '-req', - '-in', os.path.join(PKIPATH, '{}_srv.csr'.format(sig_alg)), - '-out', os.path.join(PKIPATH, '{}_srv.crt'.format(sig_alg)), - '-CA', os.path.join(CAROOTDIR, 'CA.crt'), - '-CAkey', os.path.join(CAROOTDIR, 'CA.key'), - '-CAcreateserial', - '-extfile', 'ext-csr.conf', - '-extensions', 'v3_req', - '-days', '365']) - -def write_nginx_config(f, port, sig, k): - f.write("server {\n") - f.write(" listen 0.0.0.0:"+str(port)+" quic reuseport;\n\n") - f.write(" server_name "+TESTFQDN+";\n") - f.write(" access_log "+BASEPATH+"logs/"+sig+"-access.log;\n") - f.write(" error_log "+BASEPATH+"logs/"+sig+"-error.log;\n\n") - f.write(" ssl_certificate "+BASEPATH+PKIPATH+"/"+sig+"_srv.crt;\n") - f.write(" ssl_certificate_key "+BASEPATH+PKIPATH+"/"+sig+"_srv.key;\n\n") - f.write(" ssl_protocols TLSv1.3;\n") - if k!="*" : - f.write(" ssl_ecdh_curve "+k+";\n") - f.write("}\n\n") - - -# generates nginx config -def gen_conf(filename): - port = STARTPORT - assignments={} - - with open(filename, "w") as f: - # baseline config - f.write("worker_processes 1;\n") - f.write("worker_rlimit_nofile 5000;\n") - f.write("events {\n") - f.write(" worker_connections 32000;\n") - f.write("}\n") - f.write("\n") - f.write("http {\n") - f.write(" log_format quic '$remote_addr - $remote_user [$time_local] '\n") - f.write(" '\"$request\" $status $body_bytes_sent '\n") - f.write(" '\"$http_referer\" \"$http_user_agent\" \"$http3\"';\n") - f.write("server {\n") - f.write(" listen 5999 default_server;\n") - f.write(" listen [::]:5999 default_server;\n") - f.write(" root /usr/local/nginx/html;\n") - f.write(" index index.html;\n") - f.write(" server_name "+TESTFQDN+";\n") - f.write(" location / {\n") - f.write(" try_files $uri $uri/ =404;\n") - f.write(" }\n") - f.write("}\n\n") - - - f.write("\n") - for sig in common.signatures: - assignments[sig]={} - assignments[sig]["*"]=port - write_nginx_config(f, port, sig, "*") - port = port+1 - for kex in common.key_exchanges: - # replace oqs_kem_default with X25519: - k = "X25519" if kex=='oqs_kem_default' else kex - write_nginx_config(f, port, sig, k) - assignments[sig][k]=port - port = port+1 - f.write("}\n") - with open(ASSIGNMENT_FILE, 'w') as outfile: - json.dump(assignments, outfile) - - -def main(): - global TESTFQDN - # if a parameter is given, it's the FQDN for the server - if len(sys.argv)>1: - TESTFQDN = sys.argv[1] - print("Generating for FQDN %s" % (TESTFQDN)) - # first generate certs for all supported sig algs: - for sig in common.signatures: - gen_cert(sig) - # now do conf and HTML files - gen_conf("oqs-nginx.conf") - -main() diff --git a/quic/merge-oqs-openssl-quic.sh b/quic/merge-oqs-openssl-quic.sh deleted file mode 100755 index 42cd638c..00000000 --- a/quic/merge-oqs-openssl-quic.sh +++ /dev/null @@ -1,92 +0,0 @@ -#!/bin/bash - -#OQS-OpenSSL-QUIC Auto-Build Script v0.1 by Igor Barshteyn (CC BY 4.0, January 25, 2022) -#amended by Michael Baentsch - -# if script is called with "mergeonly" argument, don't build and test things - -MERGEONLY=0 -if [ $# -gt 0 ] && [ $1 == "mergeonly" ]; then - MERGEONLY=1 - # Install merge prereqs - apt update && apt install -y git - else - # Install build prereqs - apt update && apt install build-essential git cmake gcc libtool libssl-dev make astyle ninja-build python3-pytest python3-pytest-xdist unzip xsltproc doxygen graphviz python3-yaml python3-psutil -y -fi - -# Set TARGETDIR for updating oqs-openssl to support the QUIC API as developed in quictls: - -TARGETDIR=`pwd` - -# define known-good OSSL111 tags that may be merged: Change this only when you have -# confirmed both OpenSSL forks, quictls and oqs-openssl have integrated a specific -# upstream tag (1.1.1m in this case): -QUIC_OPENSSL_TAG=OpenSSL_1_1_1m+quic -# known to work: OQS_OPENSSL_TAG=OQS-OpenSSL-1_1_1-stable-snapshot-2022-01 -# use "master" to get latest code: -OQS_OPENSSL_TAG=OQS-OpenSSL_1_1_1-stable - - -# Clone required repositories: OQS-OpenSSL, liboqs and quictls-OpenSSL - -git clone https://github.com/open-quantum-safe/openssl.git oqs-openssl-quic - -git clone --branch $QUIC_OPENSSL_TAG https://github.com/quictls/openssl.git quictls - -# Locate the QUIC commits to cherry pick, checkout oqs-openssl branch, add quictls, -# fetch it, then automatically cherry pick them to oqs-openssl, favoring quictls -# for conflict resolution - -# It is very useful here that the quictls team tagged all their QUIC commits (and only these) with "QUIC:" - -cd $TARGETDIR/quictls - -LAST_CHERRY=$(git log --grep "QUIC:" --format=format:%H | sed -e 1q) -FIRST_CHERRY=$(git log --grep "QUIC:" --format=format:%H | tail -n 1) - -cd $TARGETDIR/oqs-openssl-quic - -git checkout $OQS_OPENSSL_TAG - -git remote add $QUIC_OPENSSL_TAG ../quictls - -git fetch $QUIC_OPENSSL_TAG - -git cherry-pick $FIRST_CHERRY^..$LAST_CHERRY -Xtheirs -n - -# Update version name to indicate both QUIC+OQS support -sed -i "s/quic/quic\+$OQS_OPENSSL_TAG/g" include/openssl/opensslv.h && git add include/openssl/opensslv.h - -if [ $MERGEONLY == 0 ]; then - cd $TARGETDIR && git clone --depth 1 https://github.com/open-quantum-safe/liboqs.git - - # Build liboqs, then build out oqs-openssl-quic and install it - cd $TARGETDIR/liboqs - - mkdir build && cd build && cmake -GNinja -DCMAKE_INSTALL_PREFIX=$TARGETDIR/oqs-openssl-quic/oqs .. && ninja && ninja install - - # Configure, build, and verify custom version of oqs-openssl with QUIC support (enable all PQ and hybrid KEMs) - cd $TARGETDIR/oqs-openssl-quic - - ./Configure '-Wl,--enable-new-dtags,-rpath,$(LIBRPATH)' no-shared linux-x86_64 -lm --prefix=$TARGETDIR/install - - make -j 2 && make install_sw - - clear - - # Should output OpenSSL+quic+OQS release: - $TARGETDIR/install/bin/openssl version -a - - # Alternative 1: Baseline test ensuring merge result still does OQS-OpenSSL OK: - python3 -m pytest oqs-test/test_tls_basic.py - - # Alternative 2: Activate the code below to check in resulting directory to git - # commit only when we know everything tests OK - - # python3 -m pytest oqs-test/test_tls_basic.py && git checkout -b "$OQS_OPENSSL_TAG-quic" && git commit -m "merging in $QUIC_OPENSSL_TAG" -else - # not intented for global commit, just local one to enable local submodule addition - git config --global user.email "auto@merge.org" && git commit -m "+quic" -fi # mergeonly==0 - diff --git a/quic/reach.sh b/quic/reach.sh deleted file mode 100755 index 405bb8f8..00000000 --- a/quic/reach.sh +++ /dev/null @@ -1,18 +0,0 @@ -#!/bin/bash - -if [[ -z "${OQS_QUIC_PORT}" ]]; then - echo "OQS_QUIC_PORT environment variable unset. Setting to 6000." - export OQS_QUIC_PORT=6000 -fi - -if [[ -z "${OQS_QUIC_SERVER}" ]]; then - echo "OQS_QUIC_SERVER environment variable unset. Setting to nginx." - export OQS_QUIC_SERVER=nginx -fi - -if [[ -z "${TLS_DEFAULT_GROUPS}" ]]; then - echo "TLS_DEFAULT_GROUPS environment variable unset: No OQS algorithms will be announced." -fi - -SSL_CERT_FILE=/root/CA.crt quicreach ${OQS_QUIC_SERVER} --port ${OQS_QUIC_PORT} --stats | grep ${OQS_QUIC_SERVER} - diff --git a/quic/recert.sh b/quic/recert.sh deleted file mode 100755 index 77b9756d..00000000 --- a/quic/recert.sh +++ /dev/null @@ -1,54 +0,0 @@ -#!/bin/bash - -cd /opt - -if [ -f "/usr/local/nginx/logs/nginx.pid" ]; then - - kill $(cat /usr/local/nginx/logs/nginx.pid) -fi - -if [ -f "/usr/local/nginx/conf/certs/srv.crt" ]; then - - rm /usr/local/nginx/conf/certs/srv.crt -fi - -if [ -f "/usr/local/nginx/conf/certs/srv.key" ]; then - - rm /usr/local/nginx/conf/certs/srv.key -fi - -if [ -f "CA.crt" ]; then - - rm CA.crt -fi - -if [ -f "CA.key" ]; then - - rm CA.key -fi - -if [ -f "CA.srl" ]; then - - rm CA.srl -fi - -if [ -f "srv.csr" ]; then - - rm srv.csr -fi - -read -e -p "Enter the classic, post-quantum, or hybrid signature algorithm for certificates (for initial setup we used default RSA-2048):" -i "rsa:2048" SIGCIPHER - -oqs-openssl-quic/apps/openssl req -x509 -new -newkey $SIGCIPHER -keyout CA.key -out CA.crt -nodes -subj "/CN=oqstest CA" -days 365 -config oqs-openssl-quic/apps/openssl.cnf - -oqs-openssl-quic/apps/openssl req -new -newkey $SIGCIPHER -keyout srv.key -out srv.csr -nodes -subj "/CN=localhost" -config oqs-openssl-quic/apps/openssl.cnf - -oqs-openssl-quic/apps/openssl x509 -req -in srv.csr -out srv.crt -CA CA.crt -CAkey CA.key -CAcreateserial -days 365 - -mv srv.crt /usr/local/nginx/conf/certs/srv.crt - -mv srv.key /usr/local/nginx/conf/certs/srv.key - -#echo CA and Server certificates have been regenerated. Please restart the nginx server with sudo /usr/local/nginx/sbin/nginx -/usr/local/nginx/sbin/nginx - diff --git a/quic/serverstart.sh b/quic/serverstart.sh deleted file mode 100755 index 62f7b88f..00000000 --- a/quic/serverstart.sh +++ /dev/null @@ -1,18 +0,0 @@ -#!/bin/bash - -if [[ -z "${SERVER_FQDN}" ]]; then - echo "Running server with default nginx configuration" - export SERVER_FQDN="nginx" - echo "hostname: $hostname" -else - echo "Configuring server for SERVER_FQDN ${SERVER_FQDN}" - cd /opt - rm -rf root && mkdir certs - sed -i "s/nginx/$SERVER_FQDN/g" ext-csr.conf - python3 genconfig.py $SERVER_FQDN > /tmp/genconfig.log 2>&1 - cp certs/* /usr/local/nginx/certs && cp oqs-nginx.conf /usr/local/nginx/conf && cp assignments.json /usr/local/nginx/html && cp root/CA.crt /usr/local/nginx/html -fi - -echo "CA.crt and assignments.json exposed at http://$SERVER_FQDN:5999" -/usr/local/nginx/sbin/nginx -c /usr/local/nginx/conf/oqs-nginx.conf -g 'daemon off;' > /usr/local/nginx/logs/stdouterr 2>&1 -#bash diff --git a/quic/src-inc-CMakeLists.txt.patch b/quic/src-inc-CMakeLists.txt.patch deleted file mode 100644 index 7e1182c1..00000000 --- a/quic/src-inc-CMakeLists.txt.patch +++ /dev/null @@ -1,16 +0,0 @@ -diff --git a/src/inc/CMakeLists.txt b/src/inc/CMakeLists.txt -index 94daef9a6..305028ac5 100644 ---- a/src/inc/CMakeLists.txt -+++ b/src/inc/CMakeLists.txt -@@ -32,6 +32,10 @@ if (ATOMIC) - target_link_libraries(base_link INTERFACE ${ATOMIC}) - endif() - -+if (LIBOQS) -+ target_link_libraries(base_link INTERFACE ${LIBOQS}) -+endif() -+ - if (NUMA) - target_link_libraries(base_link INTERFACE ${NUMA}) - endif() - diff --git a/quic/src-tools-reach-reach.cpp.patch b/quic/src-tools-reach-reach.cpp.patch deleted file mode 100644 index 515607c1..00000000 --- a/quic/src-tools-reach-reach.cpp.patch +++ /dev/null @@ -1,97 +0,0 @@ -diff --git a/src/tools/reach/reach.cpp b/src/tools/reach/reach.cpp -index 72b1edc8..697c1120 100644 ---- a/src/tools/reach/reach.cpp -+++ b/src/tools/reach/reach.cpp -@@ -25,6 +25,7 @@ QUIC_ADDR ServerAddress = {0}; - std::vector ALPNs({ "h3", "h3-29", "hq-interop", "hq-29", "smb" }); - const char* InputAlpn = nullptr; - uint32_t InputVersion = 0; -+uint32_t ErrorExitOnUnreachability = 0; - - const QUIC_API_TABLE* MsQuic; - HQUIC Registration; -@@ -32,6 +33,9 @@ HQUIC Registration; - struct ConnectionContext { - bool GotConnected; - uint32_t QuicVersion; -+ uint32_t HandshakeInitialFlight; -+ uint32_t HandshakeFlight; -+ uint32_t HandshakeBytes; - CXPLAT_EVENT Complete; - }; - -@@ -49,6 +53,19 @@ ConnectionHandler( - switch (Event->Type) { - case QUIC_CONNECTION_EVENT_CONNECTED: { - Context->GotConnected = true; -+ QUIC_STATISTICS value = {}; -+ uint32_t valueSize = sizeof(value); -+ QUIC_STATUS Status = -+ MsQuic->GetParam( -+ Connection, -+ QUIC_PARAM_CONN_STATISTICS_PLAT, -+ &valueSize, -+ &value); -+ if (!QUIC_FAILED(Status)) { -+ Context->HandshakeInitialFlight = value.Timing.InitialFlightEnd - value.Timing.Start; -+ Context->HandshakeFlight = value.Timing.HandshakeFlightEnd - value.Timing.Start; -+ Context->HandshakeBytes = value.Handshake.ClientFlight1Bytes; -+ } - MsQuic->ConnectionShutdown(Connection, QUIC_CONNECTION_SHUTDOWN_FLAG_NONE, 0); - uint32_t Size = sizeof(Context->QuicVersion); - MsQuic->GetParam(Connection, QUIC_PARAM_CONN_QUIC_VERSION, &Size, &Context->QuicVersion); -@@ -96,7 +113,7 @@ CXPLAT_THREAD_CALLBACK(TestReachability, _Alpn) - - QUIC_CREDENTIAL_CONFIG CredConfig; - CxPlatZeroMemory(&CredConfig, sizeof(CredConfig)); -- CredConfig.Flags = QUIC_CREDENTIAL_FLAG_CLIENT; // TODO - Disable certificate validation? -+ CredConfig.Flags = QUIC_CREDENTIAL_FLAG_CLIENT | QUIC_CREDENTIAL_FLAG_USE_TLS_BUILTIN_CERTIFICATE_VALIDATION; // rely on OpenSSL default cert validation - - if (QUIC_FAILED(MsQuic->ConfigurationLoadCredential(Configuration, &CredConfig))) { - printf("ConfigurationOpen failed.\n"); -@@ -128,8 +145,12 @@ CXPLAT_THREAD_CALLBACK(TestReachability, _Alpn) - - if (Context.GotConnected) { - printf(" 0x%08x %12s reachable\n", Context.QuicVersion, (char*)_Alpn); -+ printf("QUIC_STATISTICS InitialFlight: %d\n", Context.HandshakeInitialFlight); -+ printf("QUIC_STATISTICS HandshakeFlight: %d\n", Context.HandshakeFlight); -+ printf("QUIC_STATISTICS Handshake Bytes: %d\n", Context.HandshakeBytes); - } else { - printf(" %12s unreachable\n", (char*)_Alpn); -+ if (ErrorExitOnUnreachability) exit(ErrorExitOnUnreachability); - } - - CXPLAT_THREAD_RETURN(0); -@@ -219,7 +240,7 @@ main(int argc, char **argv) - !strcmp(argv[1], "/?") || - !strcmp(argv[1], "help") - )) { -- printf("Usage: quicreach.exe [-server:] [-ip:] [-port:] [-alpn:] [-version:]\n"); -+ printf("Usage: quicreach.exe [-server:] [-ip:] [-port:] [-alpn:] [-version:] [-errorexitonunreachability:]\n"); - exit(1); - } - -@@ -228,6 +249,7 @@ main(int argc, char **argv) - TryGetValue(argc, argv, "port", &Port); - TryGetValue(argc, argv, "alpn", &InputAlpn); - TryGetValue(argc, argv, "version", &InputVersion); -+ TryGetValue(argc, argv, "errorexitonunreachability", &ErrorExitOnUnreachability); - - CxPlatSystemLoad(); - CxPlatInitialize(); -@@ -300,6 +322,14 @@ main(int argc, char **argv) - CxPlatThreadDelete(&Thread); - } - -+ uint64_t Counters[QUIC_PERF_COUNTER_MAX]; -+ uint32_t BufferLength = sizeof(Counters); -+ MsQuic->GetParam( NULL, QUIC_PARAM_GLOBAL_PERF_COUNTERS, &BufferLength, Counters); -+ printf("QUIC_PERF_COUNTER_UDP_RECV: %ld\n", Counters[QUIC_PERF_COUNTER_UDP_RECV]); -+ printf("QUIC_PERF_COUNTER_UDP_SEND: %ld\n", Counters[QUIC_PERF_COUNTER_UDP_SEND]); -+ printf("QUIC_PERF_COUNTER_UDP_RECV_BYTES: %ld\n", Counters[QUIC_PERF_COUNTER_UDP_RECV_BYTES]); -+ printf("QUIC_PERF_COUNTER_UDP_SEND_BYTES: %ld\n", Counters[QUIC_PERF_COUNTER_UDP_SEND_BYTES]); -+ - MsQuic->RegistrationClose(Registration); - - MsQuicClose(MsQuic); - diff --git a/quic/testrun.py b/quic/testrun.py deleted file mode 100644 index 91893e63..00000000 --- a/quic/testrun.py +++ /dev/null @@ -1,33 +0,0 @@ -import json -import sys -import subprocess -import os -import re - -# Parameter checks already done in shellscript - -if len(sys.argv) != 2: - print("Usage: python3 testrun.py . Exiting.") - exit(-1) - -with open(sys.argv[1], "r") as f: - jsoncontents = f.read(); - -assignments = json.loads(jsoncontents) -#print("signature algorithm (name), KEM algorithm (name), conn established (bool), InitialHandhake (ms), FullHandshakeFlight (ms), Handshake data (bytes), UDP packets received (count), UDP packets sent (count), UDP data received (bytes)") -for sig in assignments: - for kem in assignments[sig]: - if kem != "*": - # assemble testing command - cmd = "./reach.sh" - env = os.environ.copy() - env["OQS_QUIC_PORT"] = str(assignments[sig][kem]) - env["TLS_DEFAULT_GROUPS"] = kem - run = subprocess.run(cmd.split(" "),shell=True,env=env,stdout=subprocess.PIPE,stderr=subprocess.PIPE) - outstr = run.stdout.decode().rstrip() - m = re.search(r"\d", outstr) - if (m != None): - print("%s,%s: %s" % (sig, kem,outstr[m.start():])) - else: - print("%s,%s: FAILURE" % (sig, kem)) - From 809320b5317bf6927ec2c522b686386aa8509cdc Mon Sep 17 00:00:00 2001 From: PI <74706004+pi-314159@users.noreply.github.com> Date: Tue, 13 Aug 2024 09:31:30 -0500 Subject: [PATCH 2/4] update Signed-off-by: PI <74706004+pi-314159@users.noreply.github.com> --- nginx/Dockerfile-QUIC | 4 +-- nginx/README-QUIC.md | 65 +++++++++++++++++++++++++++++++------------ 2 files changed, 49 insertions(+), 20 deletions(-) diff --git a/nginx/Dockerfile-QUIC b/nginx/Dockerfile-QUIC index cef1ab80..40383971 100644 --- a/nginx/Dockerfile-QUIC +++ b/nginx/Dockerfile-QUIC @@ -1,4 +1,4 @@ -FROM ubuntu:noble AS build +FROM ubuntu:latest AS build ARG NGINX_VERSION=1.26.1 @@ -61,7 +61,7 @@ RUN apt update && apt upgrade -y && mkdir /home/build && cd /home/build && \ --with-ld-opt="-L../boringssl/build/ssl -L../boringssl/build/crypto -Wl,-rpath,/usr/local/lib" && \ make -FROM ubuntu:noble +FROM ubuntu:latest ARG NGINX_VERSION=1.26.1 COPY --from=build /home/build/nginx-${NGINX_VERSION}/objs/nginx /usr/sbin/nginx COPY --from=build /home/build/nginx-${NGINX_VERSION}/conf /etc/nginx diff --git a/nginx/README-QUIC.md b/nginx/README-QUIC.md index 55bfa27d..3ca53b48 100644 --- a/nginx/README-QUIC.md +++ b/nginx/README-QUIC.md @@ -12,11 +12,9 @@ This Docker setup provides an nginx instance configured to use OQS-BoringSSL, wh Build the Docker image using the provided Dockerfile: ```bash -docker build -f Dockerfile-QUIC . +docker build -t nginx-quic -f Dockerfile-QUIC . ``` -After building, remember the SHA256 hash of the image from the last line of the output. - ### Step 2: Run the Docker Image To run the image: @@ -24,33 +22,64 @@ To run the image: - **Without Port Forwarding:** ```bash - docker run -d SHA256_OF_THE_IMAGE + docker run -d --name nginx-quic-daemon nginx-quic ``` - **With Port Forwarding:** ```bash - docker run -d -p 80:80 -p 443:443 -p 443:443/udp SHA256_OF_THE_IMAGE + docker run -d -p 80:80 -p 443:443 -p 443:443/udp --name nginx-quic-daemon nginx-quic ``` -Replace `SHA256_OF_THE_IMAGE` with the actual SHA256 hash of the Docker image. - -### Step 3: Find the Container ID +### Step 3: Access the Container -To find the container ID, use: +To access the container, use: ```bash -docker ps +docker exec -it nginx-quic-daemon bash ``` -### Step 4: Access the Container +Inside the container, nginx configuration files are located in `/etc/nginx`, and the nginx executable is at `/usr/sbin/nginx`. -To access the container, use: +## Configure NGINX Server Block -```bash -docker exec -it CONTAINER_ID bash -``` - -Replace `CONTAINER_ID` with the ID obtained from the previous step. +Make sure to update `server_name`, `ssl_certificate`, `ssl_certificate_key`, and `ssl_ecdh_curve` according to your specific needs and configuration. -Inside the container, nginx configuration files are located in `/etc/nginx`, and the nginx executable is at `/usr/sbin/nginx`. +``` + server { + listen 443 ssl; + listen 443 quic reuseport; + listen [::]:443 ssl; + listen [::]:443 quic reuseport; + + http2 on; + http3 on; + ssl_early_data on; + quic_retry on; + add_header Alt-Svc 'h3=":443"; ma=86400'; + + server_name EXAMPLE.COM; + ssl_certificate /PATH/TO/SSL/CERT.PEM; + ssl_certificate_key /PATH/TO/SSL/KEY.PEM; + + # Select a subset of supported key exchange algorithms from + # https://github.com/open-quantum-safe/boringssl?tab=readme-ov-file#key-exchange + ssl_ecdh_curve 'mlkem1024:bikel3:hqc192:x25519_frodo640shake'; + + location / { + root html; + index index.html index.htm; + } + + # OPTIONAL SSL CONFIGURATION + ssl_session_timeout 1d; + ssl_session_cache shared:MozSSL:10m; + ssl_session_tickets off; + ssl_protocols TLSv1.3; + ssl_prefer_server_ciphers off; + add_header Strict-Transport-Security "max-age=63072000" always; + add_header X-Frame-Options "SAMEORIGIN" always; + add_header X-XSS-Protection "1; mode=block" always; + add_header X-Content-Type-Options "nosniff" always; + } +``` From 04f779908e90d1a6af9b4d5b9e17bd46dbd67d17 Mon Sep 17 00:00:00 2001 From: PI <74706004+pi-314159@users.noreply.github.com> Date: Mon, 19 Aug 2024 04:19:31 -0500 Subject: [PATCH 3/4] curl with http3 support Signed-off-by: PI <74706004+pi-314159@users.noreply.github.com> --- curl/Dockerfile-QUIC | 25 +++++++++++++++++++++++++ curl/README-QUIC.md | 34 ++++++++++++++++++++++++++++++++++ curl/README.md | 2 +- 3 files changed, 60 insertions(+), 1 deletion(-) create mode 100644 curl/Dockerfile-QUIC create mode 100644 curl/README-QUIC.md diff --git a/curl/Dockerfile-QUIC b/curl/Dockerfile-QUIC new file mode 100644 index 00000000..37d4ac76 --- /dev/null +++ b/curl/Dockerfile-QUIC @@ -0,0 +1,25 @@ +FROM ubuntu:latest AS build + +ARG CURL_VERSION=8.9.1 +ARG QUICHE_VERSION=0.22.0 + +RUN apt update && apt install cmake gcc ninja-build libunwind-dev pkg-config build-essential cargo git wget -y && cd /root && \ +# Clone BoringSSL&liboqs + git clone --branch master https://github.com/open-quantum-safe/boringssl.git bssl && git clone --branch main --single-branch --depth 1 https://github.com/open-quantum-safe/liboqs.git && \ +# Build liboqs + cd liboqs && mkdir build && cd build && cmake -G"Ninja" -DCMAKE_INSTALL_PREFIX=../../bssl/oqs -DOQS_USE_OPENSSL=OFF .. && ninja && ninja install && \ +# Build BoringSSL + cd /root/bssl && mkdir build && cd build && cmake -GNinja -DCMAKE_BUILD_TYPE=Release -DBUILD_SHARED_LIBS=1 .. && ninja && ninja install && cp -rp ../install/include /usr/local/include/bssl && cp -rp ../install/lib /usr/local/lib/bssl && \ +# Build quiche + cd /root && git clone --recursive -b ${QUICHE_VERSION} https://github.com/cloudflare/quiche && cd quiche/quiche/deps && rm -R boringssl && ln -s /root/bssl boringssl && cd /root/quiche && cargo build --package quiche --release --features ffi,pkg-config-meta,qlog && cp -p target/release/libquiche.so /usr/local/lib/bssl/libquiche.so.0 && \ +# Build curl + cd /root && wget https://curl.se/download/curl-${CURL_VERSION}.tar.gz && tar -zxf curl-${CURL_VERSION}.tar.gz && rm -R curl-${CURL_VERSION}.tar.gz && mv curl-${CURL_VERSION} curl && cd curl && LIBS=-lpthread ./configure LDFLAGS="-Wl,-rpath,/usr/local/lib/bssl" --with-openssl=/root/bssl/install --with-quiche=/root/quiche/target/release --prefix="/usr/local/curl" && make && make install + + +FROM ubuntu:latest + +COPY --from=build /usr/local/include/bssl /usr/local/include/bssl +COPY --from=build /usr/local/lib/bssl /usr/local/lib/bssl +COPY --from=build /usr/local/curl /usr/local/curl + +RUN ln -s /usr/local/curl/bin/curl /usr/local/bin/curl diff --git a/curl/README-QUIC.md b/curl/README-QUIC.md new file mode 100644 index 00000000..66efac3b --- /dev/null +++ b/curl/README-QUIC.md @@ -0,0 +1,34 @@ +# cURL with OQS-BoringSSL for QUIC + +This Docker setup provides a curl instance configured to use OQS-BoringSSL, which supports QUIC with quantum-safe algorithms. For more information on the supported quantum-safe algorithms and how to enable additional algorithms, please refer to the following resources: + +- [Supported Algorithms](https://github.com/open-quantum-safe/boringssl?tab=readme-ov-file#supported-algorithms) +- [Using LibOQS Algorithms Not in the Fork](https://github.com/open-quantum-safe/boringssl/wiki/Using-liboqs-algorithms-not-in-the-fork) + +## Setup Instructions + +### Step 1: Build the Docker Image + +Build the Docker image using the provided Dockerfile: + +```bash +docker build -t curl-quic -f Dockerfile-QUIC . +``` + +### Step 2: Start the Docker Container + +To start the container from the Docker image, use the following command: + +```bash +docker run -it --name curl-quic-instance curl-quic +``` + +### Step 3: Use cURL Inside the Container + +Once inside the container, you can use the following command to make HTTP/3 requests: + +```bash +curl --http3-only https://example.com -curves kex +``` + +In this command, `kex` represents the key exchange algorithm, such as `mlkem768`. \ No newline at end of file diff --git a/curl/README.md b/curl/README.md index 7eacae34..426c743a 100644 --- a/curl/README.md +++ b/curl/README.md @@ -1,4 +1,4 @@ -This directory contains a Dockerfile that builds `curl` using OpenSSL v3 using the [OQS provider](https://github.com/open-quantum-safe/oqs-provider), which allows `curl` to negotiate quantum-safe keys and use quantum-safe authentication in TLS 1.3. +This directory contains a Dockerfile that builds `curl` using OpenSSL v3 using the [OQS provider](https://github.com/open-quantum-safe/oqs-provider), which allows `curl` to negotiate quantum-safe keys and use quantum-safe authentication in TLS 1.3. For instructions on setting up and using curl with HTTP/3 QUIC support, please refer to the [cURL QUIC README](https://github.com/open-quantum-safe/oqs-demos/blob/main/curl/README-QUIC.md). ## Quick start From 212d4f21df98d78e4caa58722e33f154870b2f2b Mon Sep 17 00:00:00 2001 From: PI <74706004+pi-314159@users.noreply.github.com> Date: Wed, 21 Aug 2024 03:01:15 -0500 Subject: [PATCH 4/4] README.md (minor edit) Signed-off-by: PI <74706004+pi-314159@users.noreply.github.com> --- README.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/README.md b/README.md index 83beab7a..bf4723e3 100644 --- a/README.md +++ b/README.md @@ -18,9 +18,9 @@ Currently available integrations at their respective support level: | | **Build instructions** | **Pre-built Docker image or binary files** | Support? | | ---------------- | -------------------------------------- | ---------------------------------------------------------------------------------------------------------------------------- | -------- | -| **curl** | [Github: oqs-demos/curl](curl) | [Dockerhub: openquantumsafe/curl](https://hub.docker.com/repository/docker/openquantumsafe/curl) | @baentsch +| **curl** | [Github: oqs-demos/curl](curl) | [Dockerhub: openquantumsafe/curl](https://hub.docker.com/repository/docker/openquantumsafe/curl) | @baentsch, @pi-314159 | **Apache httpd** | [Github: oqs-demos/httpd](httpd) | [Dockerhub: openquantumsafe/httpd](https://hub.docker.com/repository/docker/openquantumsafe/httpd) | @baentsch -| **nginx** | [Github: oqs-demos/nginx](nginx) | [Dockerhub: openquantumsafe/nginx](https://hub.docker.com/repository/docker/openquantumsafe/nginx) | @baentsch, @bhess +| **nginx** | [Github: oqs-demos/nginx](nginx) | [Dockerhub: openquantumsafe/nginx](https://hub.docker.com/repository/docker/openquantumsafe/nginx) | @baentsch, @bhess, @pi-314159 | **Chromium** | [Github: oqs-demos/chromium](chromium) (limited support) | - | @pi-314159 | | **OpenSSH** | [Github: oqs-demos/openssh](openssh) | [Dockerhub: openquantumsafe/openssh](https://hub.docker.com/repository/docker/openquantumsafe/openssh) | unsupported | **Wireshark** | [Github: oqs-demos/wireshark](wireshark) | [Dockerhub: openquantumsafe/wireshark](https://hub.docker.com/repository/docker/openquantumsafe/wireshark) | unsupported @@ -34,7 +34,7 @@ Currently available integrations at their respective support level: | **Envoy** | [Github: oqs-demos/envoy](envoy) | [ Dockerhub: openquantumsafe/envoy](https://hub.docker.com/repository/docker/openquantumsafe/envoy) | unsupported | **Unbound** | [Github: oqs-demos/unbound](unbound) | [ Dockerhub: openquantumsafe/unbound](https://hub.docker.com/repository/docker/openquantumsafe/unbound) | unsupported -It should be possible to use the openssl (s_client), curl and GNOME Web/epiphany clients with all algorithm combinations available at the Open Quantum Safe TLS/X.509 interoperability test server at https://test.openquantumsafe.org (set up using `oqs-provider v0.6.1` and `liboqs v0.10.1`) but no guarantees are given for software not explicitly labelled with the name of a person offering support for it. Also Chromium and [oqs-boringssl](https://github.com/open-quantum-safe/boringssl) are no longer maintained to the same set of algorithms, so are not to be expected to (inter)operate fully with the test server. +It should be possible to use the openssl (s_client), curl and GNOME Web/epiphany clients with all algorithm combinations available at the Open Quantum Safe TLS/X.509 interoperability test server at https://test.openquantumsafe.org (set up using `oqs-provider v0.6.1` and `liboqs v0.10.1`) but no guarantees are given for software not explicitly labelled with the name of a person offering support for it. Since [OQS-BoringSSL](https://github.com/open-quantum-safe/boringssl) no longer maintains the same set of algorithms, software that depends on OQS-BoringSSL (e.g., nginx-quic and curl-quic) may not fully (inter)operate with the test server. ## Contributing