├── .github ├── CODEOWNERS ├── workflow-templates │ └── template.yml └── workflows │ ├── build.yml │ ├── curl.yml │ ├── epiphany.yml │ ├── h2load.yml │ ├── haproxy.yml │ ├── httpd.yml │ ├── locust.yml │ ├── mosquitto.yml │ ├── nginx.yml │ ├── ngtcp2.yml │ ├── nodejs.yml │ ├── openssh.yml │ ├── openssl3.yml │ ├── openvpn.yml │ ├── push-manifest.yml │ ├── quic.yml │ └── wireshark.yml ├── CONTRIBUTING.md ├── README.md ├── RELEASE.md ├── chromium ├── README-Linux.md ├── README-Windows.md ├── README.md ├── USAGE.md ├── oqs-Linux.patch └── oqs-Windows.patch ├── curl ├── Dockerfile ├── Dockerfile-QUIC ├── README-QUIC.md ├── README.md ├── USAGE.md ├── perftest.sh └── serverstart.sh ├── deprecated ├── README.md ├── envoy │ ├── Dockerfile │ ├── README.md │ ├── USAGE.md │ └── tls │ │ ├── Dockerfile │ │ ├── README.md │ │ ├── certs │ │ └── gen_cert.sh │ │ ├── docker-compose.yaml │ │ ├── envoy-https-http.yaml │ │ ├── init.sh │ │ ├── kill.sh │ │ └── query.sh ├── openlitespeed │ ├── Dockerfile-server │ ├── README.md │ ├── USAGE-client.md │ ├── USAGE-server.md │ ├── build.sh.patch │ ├── build_bssl.sh.patch │ ├── httpd_config.conf │ └── serverstart.sh └── unbound │ ├── Dockerfile-getdns │ ├── Dockerfile-unbound │ ├── README.md │ ├── USAGE-client.md │ ├── USAGE-server.md │ ├── unbound.sh │ └── wireshark_screenshot.png ├── epiphany ├── Dockerfile ├── README.md └── USAGE.md ├── h2load ├── Dockerfile ├── README.md ├── USAGE.md └── check_algorithms.sh ├── haproxy ├── Dockerfile ├── README.md ├── USAGE.md ├── conf │ └── haproxy.cfg ├── lighttpd.conf ├── lighttpd2.conf └── start.sh ├── httpd ├── Dockerfile ├── README.md ├── USAGE.md └── httpd-conf │ ├── httpd-ssl.conf │ └── httpd.conf ├── locust ├── Dockerfile ├── README.md ├── USAGE.md ├── docker-compose.yaml ├── images │ ├── img.png │ └── img_charts.png ├── requirements.txt └── scenarios │ └── locustfile.py ├── mosquitto ├── Dockerfile ├── README.md ├── USAGE.md ├── broker-start.sh ├── publisher-start.sh └── subscriber-start.sh ├── nginx ├── Dockerfile ├── Dockerfile-QUIC ├── README-QUIC.md ├── README.md ├── USAGE.md ├── fulltest │ ├── Dockerfile │ ├── OsslAlgParser.scala │ ├── README.md │ ├── build_ubuntu.sh │ ├── chromium-template │ ├── common.py │ ├── ext-csr.conf │ ├── genconfig.py │ ├── index-template │ ├── ngx_event_openssl.patch │ ├── success.htm │ ├── testrun.py │ └── testrun.sh └── nginx-conf │ ├── nginx-quic.conf │ └── nginx.conf ├── ngtcp2 ├── Dockerfile-client ├── Dockerfile-server ├── README.md ├── USAGE-client.md ├── USAGE-server.md └── serverstart.sh ├── nodejs ├── Dockerfile ├── README.md ├── USAGE.md ├── client.js ├── createcerts.sh ├── test.sh └── testserver.js ├── openssh ├── Dockerfile ├── README.md ├── USAGE.md ├── connect-test.sh ├── entrypoint.sh ├── key-gen.sh ├── oqs-sshd ├── serverstart.sh ├── ssh_config └── sshd_config ├── openssl3 ├── Dockerfile ├── Dockerfile-interop ├── README.md ├── USAGE.md ├── fulltest │ ├── testrun.py │ └── testrun.sh └── serverstart.sh ├── openvpn ├── Dockerfile ├── README.md ├── USAGE.md ├── client.config ├── clientstart.sh ├── createcerts_and_config.sh ├── openvpn-openssl.cnf ├── server.config ├── serverstart.sh └── test.sh ├── scripts └── buildnpush.sh └── wireshark ├── Dockerfile ├── README.md ├── USAGE.md ├── generate_qsc_header.py ├── qsc_template.jinja2 └── requirements.txt /.github/CODEOWNERS: -------------------------------------------------------------------------------- 1 | * @baentsch @SWilson4 2 | -------------------------------------------------------------------------------- /.github/workflows/build.yml: -------------------------------------------------------------------------------- 1 | name: OQS Demos 2 | 3 | on: 4 | workflow_call: 5 | inputs: 6 | build_main: 7 | description: "Build using liboqs and oqsprovider main branches" 8 | required: false 9 | default: false 10 | type: boolean 11 | release_tag: 12 | description: "Which docker tag to push to" 13 | required: false 14 | type: string 15 | workflow_dispatch: 16 | inputs: 17 | build_main: 18 | description: "Build using liboqs and oqsprovider main branches" 19 | required: false 20 | default: false 21 | type: boolean 22 | release_tag: 23 | description: "Which docker tag to push to" 24 | required: false 25 | type: string 26 | schedule: # run with "build_main: true" weekly on Mon at 1:01 27 | - cron: '1 1 * * 1' 28 | 29 | jobs: 30 | curl: 31 | uses: ./.github/workflows/curl.yml 32 | secrets: inherit 33 | with: 34 | build_main: ${{ !contains(inputs.build_main == 'true', 'false') }} 35 | release_tag: ${{ inputs.release_tag }} 36 | 37 | h2load: 38 | uses: ./.github/workflows/h2load.yml 39 | secrets: inherit 40 | with: 41 | build_main: ${{ !contains(inputs.build_main == 'true', 'false') }} 42 | release_tag: ${{ inputs.release_tag }} 43 | 44 | haproxy: 45 | uses: ./.github/workflows/haproxy.yml 46 | secrets: inherit 47 | with: 48 | build_main: ${{ !contains(inputs.build_main == 'true', 'false') }} 49 | release_tag: ${{ inputs.release_tag }} 50 | 51 | httpd: 52 | uses: ./.github/workflows/httpd.yml 53 | secrets: inherit 54 | with: 55 | build_main: ${{ !contains(inputs.build_main == 'true', 'false') }} 56 | release_tag: ${{ inputs.release_tag }} 57 | 58 | locust: 59 | uses: ./.github/workflows/locust.yml 60 | secrets: inherit 61 | with: 62 | build_main: ${{ !contains(inputs.build_main == 'true', 'false') }} 63 | release_tag: ${{ inputs.release_tag }} 64 | 65 | mosquitto: 66 | uses: ./.github/workflows/mosquitto.yml 67 | secrets: inherit 68 | with: 69 | build_main: ${{ !contains(inputs.build_main == 'true', 'false') }} 70 | release_tag: ${{ inputs.release_tag }} 71 | 72 | nginx: 73 | uses: ./.github/workflows/nginx.yml 74 | secrets: inherit 75 | with: 76 | build_main: ${{ !contains(inputs.build_main == 'true', 'false') }} 77 | release_tag: ${{ inputs.release_tag }} 78 | 79 | ngtcp2: 80 | uses: ./.github/workflows/ngtcp2.yml 81 | secrets: inherit 82 | with: 83 | build_main: ${{ !contains(inputs.build_main == 'true', 'false') }} 84 | release_tag: ${{ inputs.release_tag }} 85 | 86 | openssh: 87 | uses: ./.github/workflows/openssh.yml 88 | secrets: inherit 89 | with: 90 | build_main: ${{ !contains(inputs.build_main == 'true', 'false') }} 91 | release_tag: ${{ inputs.release_tag }} 92 | 93 | openssl3: 94 | uses: ./.github/workflows/openssl3.yml 95 | secrets: inherit 96 | with: 97 | build_main: ${{ !contains(inputs.build_main == 'true', 'false') }} 98 | release_tag: ${{ inputs.release_tag }} 99 | 100 | openvpn: 101 | uses: ./.github/workflows/openvpn.yml 102 | secrets: inherit 103 | with: 104 | build_main: ${{ !contains(inputs.build_main == 'true', 'false') }} 105 | release_tag: ${{ inputs.release_tag }} 106 | 107 | nodejs: 108 | uses: ./.github/workflows/nodejs.yml 109 | secrets: inherit 110 | with: 111 | build_main: ${{ !contains(inputs.build_main == 'true', 'false') }} 112 | release_tag: ${{ inputs.release_tag }} 113 | 114 | wireshark: 115 | uses: ./.github/workflows/wireshark.yml 116 | secrets: inherit 117 | with: 118 | build_main: ${{ !contains(inputs.build_main == 'true', 'false') }} 119 | release_tag: ${{ inputs.release_tag }} 120 | 121 | epiphany: 122 | uses: ./.github/workflows/epiphany.yml 123 | secrets: inherit 124 | with: 125 | build_main: ${{ !contains(inputs.build_main == 'true', 'false') }} 126 | release_tag: ${{ inputs.release_tag }} 127 | -------------------------------------------------------------------------------- /.github/workflows/epiphany.yml: -------------------------------------------------------------------------------- 1 | name: epiphany 2 | 3 | on: 4 | push: 5 | branches: [ 'main' ] 6 | paths: ['.github/workflows/epiphany.yml', 'epiphany/**'] 7 | pull_request: 8 | branches: [ 'main' ] 9 | paths: ['.github/workflows/epiphany.yml', 'epiphany/**'] 10 | workflow_call: 11 | inputs: 12 | build_main: 13 | description: "Build using liboqs and oqsprovider main branches" 14 | required: false 15 | default: false 16 | type: boolean 17 | release_tag: 18 | description: "Which docker tag to push to" 19 | required: false 20 | type: string 21 | workflow_dispatch: 22 | inputs: 23 | build_main: 24 | description: "Build using liboqs and oqsprovider main branches" 25 | required: false 26 | default: false 27 | type: boolean 28 | release_tag: 29 | description: "Which docker tag to push to" 30 | required: false 31 | type: string 32 | 33 | env: 34 | build-args: | 35 | LIBOQS_TAG=main 36 | OQSPROVIDER_TAG=main 37 | push: ${{ github.repository == 'open-quantum-safe/oqs-demos' && github.ref == 'refs/heads/main' && github.event_name != 'pull_request' && inputs.build_main != 'true' }} 38 | 39 | jobs: 40 | build: 41 | strategy: 42 | fail-fast: false 43 | matrix: 44 | include: 45 | - arch: x86_64 46 | runner: ubuntu-latest 47 | - arch: arm64 48 | runner: ubuntu-24.04-arm 49 | runs-on: ${{ matrix.runner }} 50 | steps: 51 | - uses: actions/checkout@v4 52 | - uses: docker/login-action@v3 53 | if: env.push == 'true' 54 | with: 55 | username: ${{ secrets.DOCKERHUB_USERNAME }} 56 | password: ${{ secrets.DOCKERHUB_TOKEN }} 57 | - uses: docker/login-action@v3 58 | with: 59 | registry: ghcr.io 60 | username: ${{ github.actor }} 61 | password: ${{ secrets.GITHUB_TOKEN }} 62 | 63 | - name: Determine architecture 64 | id: arch 65 | run: echo "arch=$(uname -m)" >> $GITHUB_OUTPUT 66 | 67 | - name: Build the epiphany Docker image 68 | uses: docker/build-push-action@v6 69 | with: 70 | load: true 71 | context: epiphany 72 | build-args: | 73 | ARCH=${{ steps.arch.outputs.arch }} 74 | ${{ (inputs.build_main == 'true') && env.build-args || null }} 75 | tags: oqs-epiphany 76 | 77 | - name: Scan Docker Image 78 | if: matrix.arch == 'x86_64' && env.push == 'true' 79 | uses: docker/scout-action@v1.16.1 80 | with: 81 | image: oqs-epiphany 82 | command: cves,recommendations 83 | sarif-file: epiphany-scan-results.sarif 84 | 85 | - name: Upload Scan Results 86 | if: matrix.arch == 'x86_64' && env.push == 'true' 87 | uses: actions/upload-artifact@v4.4.3 88 | with: 89 | name: epiphany-scan-results 90 | path: epiphany-scan-results.sarif 91 | 92 | - name: Push Docker image to registries 93 | if: env.push == 'true' 94 | uses: docker/build-push-action@v6 95 | with: 96 | push: true 97 | context: epiphany 98 | build-args: | 99 | ${{ (inputs.build_main == 'true') && env.build-args || null }} 100 | tags: | 101 | ghcr.io/${{ github.repository_owner }}/epiphany:${{ inputs.release_tag || 'latest' }}-${{ matrix.arch }} 102 | openquantumsafe/epiphany:${{ inputs.release_tag || 'latest' }}-${{ matrix.arch }} 103 | 104 | push: 105 | if: ${{ github.repository == 'open-quantum-safe/oqs-demos' && github.ref == 'refs/heads/main' && github.event_name != 'pull_request' && inputs.build_main != 'true' }} 106 | needs: build 107 | uses: ./.github/workflows/push-manifest.yml 108 | secrets: inherit 109 | with: 110 | image_name: epiphany 111 | release_tag: ${{ inputs.release_tag || 'latest' }} 112 | -------------------------------------------------------------------------------- /.github/workflows/nodejs.yml: -------------------------------------------------------------------------------- 1 | name: nodejs 2 | 3 | on: 4 | push: 5 | branches: [ 'main' ] 6 | paths: ['.github/workflows/nodejs.yml', 'nodejs/**'] 7 | pull_request: 8 | branches: [ 'main' ] 9 | paths: ['.github/workflows/nodejs.yml', 'nodejs/**'] 10 | workflow_call: 11 | inputs: 12 | build_main: 13 | description: "Build using liboqs and oqsprovider main branches" 14 | required: false 15 | default: false 16 | type: boolean 17 | release_tag: 18 | description: "Which docker tag to push to" 19 | required: false 20 | type: string 21 | workflow_dispatch: 22 | inputs: 23 | build_main: 24 | description: "Build using liboqs and oqsprovider main branches" 25 | required: false 26 | default: false 27 | type: boolean 28 | release_tag: 29 | description: "Which docker tag to push to" 30 | required: false 31 | type: string 32 | 33 | env: 34 | build-args: | 35 | LIBOQS_TAG=main 36 | OQSPROVIDER_TAG=main 37 | push: ${{ github.repository == 'open-quantum-safe/oqs-demos' && github.ref == 'refs/heads/main' && github.event_name != 'pull_request' && inputs.build_main != 'true' }} 38 | 39 | jobs: 40 | build: 41 | strategy: 42 | fail-fast: false 43 | matrix: 44 | include: 45 | - arch: x86_64 46 | runner: ubuntu-latest 47 | - arch: arm64 48 | runner: ubuntu-24.04-arm 49 | runs-on: ${{ matrix.runner }} 50 | steps: 51 | - uses: actions/checkout@v4 52 | - uses: docker/login-action@v3 53 | if: env.push == 'true' 54 | with: 55 | username: ${{ secrets.DOCKERHUB_USERNAME }} 56 | password: ${{ secrets.DOCKERHUB_TOKEN }} 57 | - uses: docker/login-action@v3 58 | with: 59 | registry: ghcr.io 60 | username: ${{ github.actor }} 61 | password: ${{ secrets.GITHUB_TOKEN }} 62 | 63 | - name: Build the NodeJS Docker image 64 | uses: docker/build-push-action@v6 65 | with: 66 | load: true 67 | context: nodejs 68 | build-args: | 69 | ${{ (inputs.build_main == 'true') && env.build-args || null }} 70 | tags: oqs-nodejs 71 | 72 | - name: Build the curl Docker image (with generic liboqs for interop testing) 73 | uses: docker/build-push-action@v6 74 | with: 75 | load: true 76 | context: curl 77 | build-args: | 78 | MAKE_DEFINES=-j4 79 | LIBOQS_BUILD_DEFINES="-DOQS_OPT_TARGET=generic" 80 | ${{ (inputs.build_main == 'true') && env.build-args || null }} 81 | tags: oqs-curl-generic 82 | 83 | - name: Scan Docker Image 84 | if: matrix.arch == 'x86_64' && env.push == 'true' 85 | uses: docker/scout-action@v1.16.1 86 | with: 87 | image: oqs-nodejs 88 | command: cves,recommendations 89 | sarif-file: nodejs-scan-results.sarif 90 | 91 | - name: Upload Scan Results 92 | if: matrix.arch == 'x86_64' && env.push == 'true' 93 | uses: actions/upload-artifact@v4.4.3 94 | with: 95 | name: nodejs-scan-results 96 | path: nodejs-scan-results.sarif 97 | 98 | - name: Test nodejs 99 | working-directory: ./nodejs 100 | run: | 101 | sh ./test.sh 102 | 103 | - name: Push Docker image to registries 104 | if: env.push == 'true' 105 | uses: docker/build-push-action@v6 106 | with: 107 | push: true 108 | context: nodejs 109 | build-args: | 110 | ${{ (inputs.build_main == 'true') && env.build-args || null }} 111 | tags: | 112 | ghcr.io/${{ github.repository_owner }}/nodejs:${{ inputs.release_tag || 'latest' }}-${{ matrix.arch }} 113 | openquantumsafe/nodejs:${{ inputs.release_tag || 'latest' }}-${{ matrix.arch }} 114 | 115 | push: 116 | if: ${{ github.repository == 'open-quantum-safe/oqs-demos' && github.ref == 'refs/heads/main' && github.event_name != 'pull_request' && inputs.build_main != 'true' }} 117 | needs: build 118 | uses: ./.github/workflows/push-manifest.yml 119 | secrets: inherit 120 | with: 121 | image_name: nodejs 122 | release_tag: ${{ inputs.release_tag || 'latest' }} 123 | -------------------------------------------------------------------------------- /.github/workflows/openssh.yml: -------------------------------------------------------------------------------- 1 | name: openssh 2 | 3 | on: 4 | push: 5 | branches: [ 'main' ] 6 | paths: ['.github/workflows/openssh.yml', 'openssh/**'] 7 | pull_request: 8 | branches: [ 'main' ] 9 | paths: ['.github/workflows/openssh.yml', 'openssh/**'] 10 | workflow_call: 11 | inputs: 12 | build_main: 13 | description: "Build using liboqs and oqsprovider main branches" 14 | required: false 15 | default: false 16 | type: boolean 17 | release_tag: 18 | description: "Which docker tag to push to" 19 | required: false 20 | type: string 21 | workflow_dispatch: 22 | inputs: 23 | build_main: 24 | description: "Build using liboqs and oqsprovider main branches" 25 | required: false 26 | default: false 27 | type: boolean 28 | release_tag: 29 | description: "Which docker tag to push to" 30 | required: false 31 | type: string 32 | 33 | env: 34 | build-args: | 35 | LIBOQS_TAG=main 36 | OQSPROVIDER_TAG=main 37 | push: ${{ github.repository == 'open-quantum-safe/oqs-demos' && github.ref == 'refs/heads/main' && github.event_name != 'pull_request' && inputs.build_main != 'true' }} 38 | 39 | jobs: 40 | build: 41 | strategy: 42 | fail-fast: false 43 | matrix: 44 | include: 45 | - arch: x86_64 46 | runner: ubuntu-latest 47 | - arch: arm64 48 | runner: ubuntu-24.04-arm 49 | runs-on: ${{ matrix.runner }} 50 | steps: 51 | - uses: actions/checkout@v4 52 | - uses: docker/login-action@v3 53 | if: env.push == 'true' 54 | with: 55 | username: ${{ secrets.DOCKERHUB_USERNAME }} 56 | password: ${{ secrets.DOCKERHUB_TOKEN }} 57 | - uses: docker/login-action@v3 58 | with: 59 | registry: ghcr.io 60 | username: ${{ github.actor }} 61 | password: ${{ secrets.GITHUB_TOKEN }} 62 | 63 | - name: Build the Docker image 64 | uses: docker/build-push-action@v6 65 | with: 66 | load: true 67 | context: openssh 68 | build-args: | 69 | MAKE_DEFINES=-j4 70 | ${{ (inputs.build_main == 'true') && env.build-args || null }} 71 | tags: oqs-openssh 72 | 73 | - name: Scan Docker Image 74 | if: matrix.arch == 'x86_64' && env.push == 'true' 75 | uses: docker/scout-action@v1.16.1 76 | with: 77 | image: oqs-openssh 78 | command: cves,recommendations 79 | sarif-file: openssh-scan-results.sarif 80 | 81 | - name: Upload Scan Results 82 | if: matrix.arch == 'x86_64' && env.push == 'true' 83 | uses: actions/upload-artifact@v4.4.3 84 | with: 85 | name: openssh-scan-results 86 | path: openssh-scan-results.sarif 87 | 88 | - name: Test openssh 89 | run: | 90 | docker run --rm --name oqs-openssh oqs-openssh connect-test.sh 91 | 92 | - name: Push Docker image to registries 93 | if: env.push == 'true' 94 | uses: docker/build-push-action@v6 95 | with: 96 | push: true 97 | context: openssh 98 | build-args: | 99 | MAKE_DEFINES=-j4 100 | ${{ (inputs.build_main == 'true') && env.build-args || null }} 101 | tags: | 102 | ghcr.io/${{ github.repository_owner }}/openssh:${{ inputs.release_tag || 'latest' }}-${{ matrix.arch }} 103 | openquantumsafe/openssh:${{ inputs.release_tag || 'latest' }}-${{ matrix.arch }} 104 | 105 | push: 106 | if: ${{ github.repository == 'open-quantum-safe/oqs-demos' && github.ref == 'refs/heads/main' && github.event_name != 'pull_request' && inputs.build_main != 'true' }} 107 | needs: build 108 | uses: ./.github/workflows/push-manifest.yml 109 | secrets: inherit 110 | with: 111 | image_name: openssh 112 | release_tag: ${{ inputs.release_tag || 'latest' }} 113 | -------------------------------------------------------------------------------- /.github/workflows/openssl3.yml: -------------------------------------------------------------------------------- 1 | name: openssl3 2 | 3 | on: 4 | push: 5 | branches: [ 'main' ] 6 | paths: ['.github/workflows/openssl3.yml', 'openssl3/**'] 7 | pull_request: 8 | branches: [ 'main' ] 9 | paths: ['.github/workflows/openssl3.yml', 'openssl3/**'] 10 | workflow_call: 11 | inputs: 12 | build_main: 13 | description: "Build using liboqs and oqsprovider main branches" 14 | required: false 15 | default: false 16 | type: boolean 17 | release_tag: 18 | description: "Which docker tag to push to" 19 | required: false 20 | type: string 21 | workflow_dispatch: 22 | inputs: 23 | build_main: 24 | description: "Build using liboqs and oqsprovider main branches" 25 | required: false 26 | default: false 27 | type: boolean 28 | release_tag: 29 | description: "Which docker tag to push to" 30 | required: false 31 | type: string 32 | 33 | env: 34 | build-args: | 35 | LIBOQS_TAG=main 36 | OQSPROVIDER_TAG=main 37 | push: ${{ github.repository == 'open-quantum-safe/oqs-demos' && github.ref == 'refs/heads/main' && github.event_name != 'pull_request' && inputs.build_main != 'true' }} 38 | 39 | jobs: 40 | build: 41 | strategy: 42 | fail-fast: false 43 | matrix: 44 | include: 45 | - arch: x86_64 46 | runner: ubuntu-latest 47 | - arch: arm64 48 | runner: ubuntu-24.04-arm 49 | runs-on: ${{ matrix.runner }} 50 | steps: 51 | - uses: actions/checkout@v4 52 | - uses: docker/login-action@v3 53 | if: env.push == 'true' 54 | with: 55 | username: ${{ secrets.DOCKERHUB_USERNAME }} 56 | password: ${{ secrets.DOCKERHUB_TOKEN }} 57 | - uses: docker/login-action@v3 58 | with: 59 | registry: ghcr.io 60 | username: ${{ github.actor }} 61 | password: ${{ secrets.GITHUB_TOKEN }} 62 | 63 | - name: Build the Docker image 64 | uses: docker/build-push-action@v6 65 | with: 66 | load: true 67 | context: openssl3 68 | build-args: | 69 | MAKE_DEFINES=-j4 70 | ${{ (inputs.build_main == 'true') && env.build-args || null }} 71 | tags: oqs-ossl3 72 | 73 | - name: Scan Docker Image 74 | if: matrix.arch == 'x86_64' && env.push == 'true' 75 | uses: docker/scout-action@v1.16.1 76 | with: 77 | image: oqs-ossl3 78 | command: cves,recommendations 79 | sarif-file: openssh-scan-results.sarif 80 | 81 | - name: Upload Scan Results 82 | if: matrix.arch == 'x86_64' && env.push == 'true' 83 | uses: actions/upload-artifact@v4.4.3 84 | with: 85 | name: openssh-scan-results 86 | path: openssh-scan-results.sarif 87 | 88 | - name: Test openssl3 with provider - one baseline and one hybrid QSC algorithm 89 | run: | 90 | docker run --rm --name oqs-ossl3 oqs-ossl3 sh -c "openssl list -providers; /opt/openssl/bin/serverstart.sh; sleep 2; echo 'GET /' | openssl s_client -connect localhost --groups kyber768 --CAfile /opt/openssl/bin/CA.crt" && 91 | docker run --rm --name oqs-ossl3 oqs-ossl3 sh -c "KEM_ALG=p521_frodo1344aes /opt/openssl/bin/serverstart.sh; sleep 2; echo 'GET /' | openssl s_client -connect localhost --groups p521_frodo1344aes --CAfile /opt/openssl/bin/CA.crt" 92 | 93 | - name: Push Docker image to registries 94 | if: env.push == 'true' 95 | uses: docker/build-push-action@v6 96 | with: 97 | push: true 98 | context: openssl3 99 | build-args: | 100 | MAKE_DEFINES=-j4 101 | ${{ (inputs.build_main == 'true') && env.build-args || null }} 102 | tags: | 103 | ghcr.io/${{ github.repository_owner }}/oqs-ossl3:${{ inputs.release_tag || 'latest' }}-${{ matrix.arch }} 104 | openquantumsafe/oqs-ossl3:${{ inputs.release_tag || 'latest' }}-${{ matrix.arch }} 105 | 106 | push: 107 | if: ${{ github.repository == 'open-quantum-safe/oqs-demos' && github.ref == 'refs/heads/main' && github.event_name != 'pull_request' && inputs.build_main != 'true' }} 108 | needs: build 109 | uses: ./.github/workflows/push-manifest.yml 110 | secrets: inherit 111 | with: 112 | image_name: oqs-ossl3 113 | release_tag: ${{ inputs.release_tag || 'latest' }} 114 | -------------------------------------------------------------------------------- /.github/workflows/openvpn.yml: -------------------------------------------------------------------------------- 1 | name: openvpn 2 | 3 | on: 4 | push: 5 | branches: [ 'main' ] 6 | paths: ['.github/workflows/openvpn.yml', 'openvpn/**'] 7 | pull_request: 8 | branches: [ 'main' ] 9 | paths: ['.github/workflows/openvpn.yml', 'openvpn/**'] 10 | workflow_call: 11 | inputs: 12 | build_main: 13 | description: "Build using liboqs and oqsprovider main branches" 14 | required: false 15 | default: false 16 | type: boolean 17 | release_tag: 18 | description: "Which docker tag to push to" 19 | required: false 20 | type: string 21 | workflow_dispatch: 22 | inputs: 23 | build_main: 24 | description: "Build using liboqs and oqsprovider main branches" 25 | required: false 26 | default: false 27 | type: boolean 28 | release_tag: 29 | description: "Which docker tag to push to" 30 | required: false 31 | type: string 32 | 33 | env: 34 | build-args: | 35 | LIBOQS_TAG=main 36 | OQSPROVIDER_TAG=main 37 | push: ${{ github.repository == 'open-quantum-safe/oqs-demos' && github.ref == 'refs/heads/main' && github.event_name != 'pull_request' && inputs.build_main != 'true' }} 38 | 39 | jobs: 40 | build: 41 | strategy: 42 | fail-fast: false 43 | matrix: 44 | include: 45 | - arch: x86_64 46 | runner: ubuntu-latest 47 | - arch: arm64 48 | runner: ubuntu-24.04-arm 49 | runs-on: ${{ matrix.runner }} 50 | steps: 51 | - uses: actions/checkout@v4 52 | - uses: docker/login-action@v3 53 | if: env.push == 'true' 54 | with: 55 | username: ${{ secrets.DOCKERHUB_USERNAME }} 56 | password: ${{ secrets.DOCKERHUB_TOKEN }} 57 | - uses: docker/login-action@v3 58 | with: 59 | registry: ghcr.io 60 | username: ${{ github.actor }} 61 | password: ${{ secrets.GITHUB_TOKEN }} 62 | 63 | - name: Build the Docker image 64 | uses: docker/build-push-action@v6 65 | with: 66 | load: true 67 | context: openvpn 68 | build-args: | 69 | MAKE_DEFINES=-j4 70 | ${{ (inputs.build_main == 'true') && env.build-args || null }} 71 | tags: oqs-openvpn 72 | 73 | - name: Scan Docker Image 74 | if: matrix.arch == 'x86_64' && env.push == 'true' 75 | uses: docker/scout-action@v1.16.1 76 | with: 77 | image: oqs-openvpn 78 | command: cves,recommendations 79 | sarif-file: openvpn-scan-results.sarif 80 | 81 | - name: Upload Scan Results 82 | if: matrix.arch == 'x86_64' && env.push == 'true' 83 | uses: actions/upload-artifact@v4.4.3 84 | with: 85 | name: openvpn-scan-results 86 | path: openvpn-scan-results.sarif 87 | 88 | - name: Test openvpn 89 | working-directory: ./openvpn 90 | run: | 91 | sh ./test.sh mldsa87 p521_mlkem1024 92 | 93 | - name: Push Docker image to registries 94 | if: env.push == 'true' 95 | uses: docker/build-push-action@v6 96 | with: 97 | push: true 98 | context: openvpn 99 | build-args: | 100 | MAKE_DEFINES=-j4 101 | ${{ (inputs.build_main == 'true') && env.build-args || null }} 102 | tags: | 103 | ghcr.io/${{ github.repository_owner }}/openvpn:${{ inputs.release_tag || 'latest' }}-${{ matrix.arch }} 104 | openquantumsafe/openvpn:${{ inputs.release_tag || 'latest' }}-${{ matrix.arch }} 105 | 106 | push: 107 | if: ${{ github.repository == 'open-quantum-safe/oqs-demos' && github.ref == 'refs/heads/main' && github.event_name != 'pull_request' && inputs.build_main != 'true' }} 108 | needs: build 109 | uses: ./.github/workflows/push-manifest.yml 110 | secrets: inherit 111 | with: 112 | image_name: openvpn 113 | release_tag: ${{ inputs.release_tag || 'latest' }} 114 | -------------------------------------------------------------------------------- /.github/workflows/push-manifest.yml: -------------------------------------------------------------------------------- 1 | name: push-manifest 2 | 3 | on: 4 | workflow_call: 5 | inputs: 6 | image_name: 7 | description: "Which docker image to push to" 8 | required: true 9 | type: string 10 | release_tag: 11 | description: "Which docker tag to push to" 12 | required: false 13 | type: string 14 | 15 | jobs: 16 | push: 17 | runs-on: ubuntu-latest 18 | steps: 19 | - uses: docker/login-action@v3 20 | with: 21 | username: ${{ secrets.DOCKERHUB_USERNAME }} 22 | password: ${{ secrets.DOCKERHUB_TOKEN }} 23 | - uses: docker/login-action@v3 24 | with: 25 | registry: ghcr.io 26 | username: ${{ github.actor }} 27 | password: ${{ secrets.GITHUB_TOKEN }} 28 | 29 | - name: Push multiarch image to ghcr.io 30 | run: | 31 | docker manifest create ghcr.io/${{ github.repository_owner }}/${{ inputs.image_name }}:${{ inputs.release_tag || 'latest' }} \ 32 | --amend ghcr.io/${{ github.repository_owner }}/${{ inputs.image_name }}:${{ inputs.release_tag || 'latest' }}-x86_64 \ 33 | --amend ghcr.io/${{ github.repository_owner }}/${{ inputs.image_name }}:${{ inputs.release_tag || 'latest' }}-arm64 && 34 | docker manifest push ghcr.io/${{ github.repository_owner }}/${{ inputs.image_name }}:${{ inputs.release_tag || 'latest' }} 35 | 36 | - name: Push multiarch image to DockerHub 37 | run: | 38 | docker manifest create openquantumsafe/${{ inputs.image_name }}:${{ inputs.release_tag || 'latest' }} \ 39 | --amend openquantumsafe/${{ inputs.image_name }}:${{ inputs.release_tag || 'latest' }}-x86_64 \ 40 | --amend openquantumsafe/${{ inputs.image_name }}:${{ inputs.release_tag || 'latest' }}-arm64 && 41 | docker manifest push openquantumsafe/${{ inputs.image_name }}:${{ inputs.release_tag || 'latest' }} 42 | -------------------------------------------------------------------------------- /.github/workflows/wireshark.yml: -------------------------------------------------------------------------------- 1 | name: wireshark 2 | 3 | on: 4 | push: 5 | branches: [ 'main' ] 6 | paths: ['.github/workflows/wireshark.yml', 'wireshark/**'] 7 | pull_request: 8 | branches: [ 'main' ] 9 | paths: ['.github/workflows/wireshark.yml', 'wireshark/**'] 10 | workflow_call: 11 | inputs: 12 | build_main: 13 | description: "Build using liboqs and oqsprovider main branches" 14 | required: false 15 | default: false 16 | type: boolean 17 | release_tag: 18 | description: "Which docker tag to push to" 19 | required: false 20 | type: string 21 | workflow_dispatch: 22 | inputs: 23 | build_main: 24 | description: "Build using liboqs and oqsprovider main branches" 25 | required: false 26 | default: false 27 | type: boolean 28 | release_tag: 29 | description: "Which docker tag to push to" 30 | required: false 31 | type: string 32 | 33 | env: 34 | build-args: | 35 | LIBOQS_TAG=main 36 | OQSPROVIDER_TAG=main 37 | push: ${{ github.repository == 'open-quantum-safe/oqs-demos' && github.ref == 'refs/heads/main' && github.event_name != 'pull_request' && inputs.build_main != 'true' }} 38 | 39 | jobs: 40 | build: 41 | strategy: 42 | fail-fast: false 43 | matrix: 44 | include: 45 | - arch: x86_64 46 | runner: ubuntu-latest 47 | - arch: arm64 48 | runner: ubuntu-24.04-arm 49 | runs-on: ${{ matrix.runner }} 50 | steps: 51 | - uses: actions/checkout@v4 52 | - uses: docker/login-action@v3 53 | if: env.push == 'true' 54 | with: 55 | username: ${{ secrets.DOCKERHUB_USERNAME }} 56 | password: ${{ secrets.DOCKERHUB_TOKEN }} 57 | - uses: docker/login-action@v3 58 | with: 59 | registry: ghcr.io 60 | username: ${{ github.actor }} 61 | password: ${{ secrets.GITHUB_TOKEN }} 62 | 63 | - name: Build the Docker image 64 | uses: docker/build-push-action@v6 65 | with: 66 | load: true 67 | context: wireshark 68 | build-args: | 69 | ${{ (inputs.build_main == 'true') && env.build-args || null }} 70 | tags: oqs-wireshark 71 | 72 | - name: Scan Docker Image 73 | if: matrix.arch == 'x86_64' && env.push == 'true' 74 | uses: docker/scout-action@v1.16.1 75 | with: 76 | image: oqs-wireshark 77 | command: cves,recommendations 78 | sarif-file: wireshark-scan-results.sarif 79 | 80 | - name: Upload Scan Results 81 | if: matrix.arch == 'x86_64' && env.push == 'true' 82 | uses: actions/upload-artifact@v4.4.3 83 | with: 84 | name: wireshark-scan-results 85 | path: wireshark-scan-results.sarif 86 | 87 | - name: Push Docker image to registries 88 | if: env.push == 'true' 89 | uses: docker/build-push-action@v6 90 | with: 91 | push: true 92 | context: wireshark 93 | build-args: | 94 | ${{ (inputs.build_main == 'true') && env.build-args || null }} 95 | tags: | 96 | ghcr.io/${{ github.repository_owner }}/wireshark:${{ inputs.release_tag || 'latest' }}-${{ matrix.arch }} 97 | openquantumsafe/wireshark:${{ inputs.release_tag || 'latest' }}-${{ matrix.arch }} 98 | 99 | push: 100 | if: ${{ github.repository == 'open-quantum-safe/oqs-demos' && github.ref == 'refs/heads/main' && github.event_name != 'pull_request' && inputs.build_main != 'true' }} 101 | needs: build 102 | uses: ./.github/workflows/push-manifest.yml 103 | secrets: inherit 104 | with: 105 | image_name: wireshark 106 | release_tag: ${{ inputs.release_tag || 'latest' }} 107 | -------------------------------------------------------------------------------- /CONTRIBUTING.md: -------------------------------------------------------------------------------- 1 | # Contributing new quantum-safe application integrations 2 | 3 | All submissions must meet acceptance criteria given below. Demos may be removed if they no longer meet the acceptance criteria. 4 | 5 | ## Documentation requirements 6 | 7 | - Purpose of integration and upstream (code origin) location must be clearly documented. 8 | - README must contain all steps to build the OQS-enabled code. 9 | - An optional USAGE file must be present if the integration can be built into a docker image. 10 | 11 | ## Execution requirements 12 | 13 | - If possible, a Dockerfile should be provided such as to automate the integration completely. In this case, a separate USAGE file must be available that shall document usage of the docker file at [docker hub](https://hub.docker.com/orgs/openquantumsafe/repositories). 14 | - If a docker file is provided, it is expected that build-and-test code is added to the continuous integration environment testing (see below). 15 | 16 | ## Maintenance 17 | 18 | We hope the contributor will intend to help update the integration over time as the upstream code bases as well as the underlying algorithms and APIs evolve. 19 | 20 | ## Continuous Integration 21 | 22 | Each demo should have it's own GitHub Actions workflow to handle building, testing, and pushing its Docker image. An [example template](.github/workflow-templates/template.yml) is provided to get started. 23 | 24 | A workflow should run the build and test steps whenever changes are detected for the integration in a pull request or push to main. 25 | The push step should only be triggered when the workflow is run on the main branch of the upstream repository (not forks) and not when building against the latest liboqs and oqs-provider code. -------------------------------------------------------------------------------- /chromium/README-Linux.md: -------------------------------------------------------------------------------- 1 | # Instructions for Building Chromium on Linux 2 | 3 | ### 1. Obtain the Chromium Source Code 4 | 5 | Please read [Google's instructions](https://chromium.googlesource.com/chromium/src/+/main/docs/linux/build_instructions.md) carefully, then complete every step before **Setting up the build**. 6 | 7 | The rest of the instructions will use **$CHROMIUM_ROOT** to refer to the root directory of the Chromium source code. 8 | 9 | ```shellscript 10 | cd $CHROMIUM_ROOT 11 | git checkout tags/133.0.6943.98 12 | gclient sync 13 | ``` 14 | 15 | ### 2. Switch to the OQS-BoringSSL 16 | 17 | ```shellscript 18 | cd $CHROMIUM_ROOT/third_party/boringssl/src 19 | git remote add oqs-bssl https://github.com/open-quantum-safe/boringssl 20 | git fetch oqs-bssl 21 | git checkout -b oqs-bssl-master ac42ca1431e487df2247a714d31eb23b926842b1 22 | ``` 23 | 24 | ### 3. Clone and Build liboqs 25 | 26 | Choose a directory to store the liboqs source code and use the `cd` command to move to that directory. We will use ninja to build liboqs. 27 | 28 | ```shellscript 29 | git clone https://github.com/open-quantum-safe/liboqs.git && cd liboqs && git checkout f4b96220e4bd208895172acc4fedb5a191d9f5b1 30 | mkdir build && cd build 31 | cmake .. -G"Ninja" -DCMAKE_INSTALL_PREFIX=$CHROMIUM_ROOT/third_party/boringssl/src/oqs -DOQS_USE_OPENSSL=OFF -DCMAKE_BUILD_TYPE=Release 32 | ninja && ninja install 33 | ``` 34 | 35 | ### 4. Enable Quantum-Safe Crypto 36 | 37 | ```shellscript 38 | cd $CHROMIUM_ROOT 39 | wget https://raw.githubusercontent.com/open-quantum-safe/oqs-demos/main/chromium/oqs-Linux.patch 40 | git apply oqs-Linux.patch 41 | ``` 42 | 43 | ### 5. Build 44 | 45 | ```shellscript 46 | cd $CHROMIUM_ROOT 47 | gn args out/Default 48 | ``` 49 | 50 | Then append following lines to the configuration file opened in editor: 51 | 52 | ``` 53 | is_debug = false 54 | symbol_level = 0 55 | enable_nacl = false 56 | blink_symbol_level = 0 57 | ``` 58 | 59 | Save and close the configuration file. Last, run `autoninja -C out/Default chrome`.\ 60 | If the build completes successfully, it will create _chrome_ in _$CHROMIUM_ROOT/out/Default_. 61 | 62 | ### 6. Miscellaneous 63 | 64 | - This guide was published on February 16, 2025, and may be outdated. 65 | -------------------------------------------------------------------------------- /chromium/README-Windows.md: -------------------------------------------------------------------------------- 1 | # Instructions for Building Chromium on Windows 2 | 3 | ### 1. Obtain the Chromium Source Code 4 | 5 | Please read [Google's instructions](https://chromium.googlesource.com/chromium/src/+/HEAD/docs/windows_build_instructions.md) carefully, then complete every step before **Setting up the build**. 6 | 7 | The rest of the instructions will use **%CHROMIUM_ROOT%** to refer to the root directory of the Chromium source code.\ 8 | You may set `CHROMIUM_ROOT` variable by running `set CHROMIUM_ROOT=/path/to/the/Chromium/source` in Command Prompt. 9 | 10 | In Command Prompt, run following commands: 11 | 12 | ```bat 13 | cd %CHROMIUM_ROOT% 14 | git checkout tags/133.0.6943.98 15 | gclient sync 16 | ``` 17 | 18 | ### 2. Switch to the OQS-BoringSSL 19 | 20 | In Command Prompt, run following commands: 21 | 22 | ```bat 23 | cd %CHROMIUM_ROOT%/third_party/boringssl/src 24 | git remote add oqs-bssl https://github.com/open-quantum-safe/boringssl 25 | git fetch oqs-bssl 26 | git checkout -b oqs-bssl-master ac42ca1431e487df2247a714d31eb23b926842b1 27 | ``` 28 | 29 | ### 3. Clone and Build liboqs 30 | 31 | Choose a directory to store the liboqs source code and use the `cd` command to move to that directory. We will use msbuild instead of ninja to build liboqs.\ 32 | Start _x64 Native Tools Command Prompt for VS 2022_ (usually it's in _C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Visual Studio 2022\Visual Studio Tools\VC_) and run following commands: 33 | 34 | ```bat 35 | git clone https://github.com/open-quantum-safe/liboqs.git && cd liboqs && git checkout f4b96220e4bd208895172acc4fedb5a191d9f5b1 36 | mkdir build && cd build 37 | cmake .. -DCMAKE_INSTALL_PREFIX=%CHROMIUM_ROOT%/third_party/boringssl/src/oqs -DOQS_USE_OPENSSL=OFF -DCMAKE_BUILD_TYPE=Release 38 | msbuild ALL_BUILD.vcxproj 39 | msbuild INSTALL.vcxproj 40 | ``` 41 | 42 | ### 4. Enable Quantum-Safe Crypto 43 | 44 | Download the [oqs-Windows.patch](https://raw.githubusercontent.com/open-quantum-safe/oqs-demos/main/chromium/oqs-Windows.patch) and save it at _%CHROMIUM_ROOT%_, then apply the patch by running 45 | 46 | ```bat 47 | git apply oqs-Windows.patch 48 | ``` 49 | 50 | ### 5. Build 51 | 52 | In Command Prompt, run following commands: 53 | 54 | ```bat 55 | cd %CHROMIUM_ROOT% 56 | gn args out/Default 57 | ``` 58 | 59 | Then append following lines to the configuration file opened in editor: 60 | 61 | ``` 62 | is_debug = false 63 | symbol_level = 0 64 | enable_nacl = false 65 | blink_symbol_level = 0 66 | target_cpu = "x64" 67 | target_os = "win" 68 | ``` 69 | 70 | Save and close the configuration file. Last, run `autoninja -C out/Default chrome` in Command Prompt.\ 71 | If the build completes successfully, it will create _chrome.exe_ in _%CHROMIUM_ROOT%/out/Default_. 72 | 73 | ### 6. Miscellaneous 74 | 75 | - BIKE key exchange is not supported. 76 | - This guide was published on February 16, 2025, and may be outdated. 77 | -------------------------------------------------------------------------------- /chromium/README.md: -------------------------------------------------------------------------------- 1 | This directory contains no longer fully maintained instructions and corresponding patches to build the Chromium web browser using the [OQS-BoringSSL fork](https://github.com/open-quantum-safe/boringssl), thereby enabling Chromium to use quantum-safe key exchange algorithms. 2 | 3 | These instructions are specifically tailored for liboqs commit `f4b96220e4bd208895172acc4fedb5a191d9f5b1` and Chromium version `133`. It is important to note that using any other versions of liboqs or Chromium may result in failure. The instructions have been tested on Windows 11, Ubuntu 24.04 LTS, and Fedora 41 installations only. Additionally, they currently apply to a limited subset of quantum-safe algorithms, as detailed in the documentation [provided here](https://github.com/open-quantum-safe/boringssl#key-exchange). 4 | 5 | Please be aware that this information is intended for individuals who acknowledge and accept these limitations. While we prioritize support for open source software, we are unable to dedicate the same level of support to the Chromium and BoringSSL PQ software stack as we have in the past. We encourage contributors to update the instructions and patch files for more recent versions of liboqs and Chromium. 6 | 7 | --- 8 | 9 | [Build Instructions for Linux](README-Linux.md) 10 | 11 | [Build Instructions for Windows](README-Windows.md) 12 | -------------------------------------------------------------------------------- /chromium/USAGE.md: -------------------------------------------------------------------------------- 1 | # OQS-chromium 2 | 3 | This file contains usage information for a build of Chromium configured to also support quantum-safe crypto (QSC) operations. 4 | 5 | All information to build this from source is contained in the [main subproject README](https://github.com/open-quantum-safe/oqs-demos/tree/main/chromium). 6 | 7 | For the unwary user we *strongly* recommend to use a ready-build binary (for x64 Linux) available in the most current [release of oqs-demos](https://github.com/open-quantum-safe/oqs-demos/releases). 8 | 9 | ## Quick start 10 | 11 | 1) Execute `./chrome` (or `chrome.exe` in case of a Windows build) in the directory to which oqs-chromium has been built or extracted to. 12 | 2) Navigate to [https://test.openquantumsafe.org](https://test.openquantumsafe.org) and [download the current test server certificate](https://test.openquantumsafe.org/CA.crt). 13 | 3) Install the certificate in the Chromium certificate store by clicking on "..." in the upper right hand corner , then/-> "Preferences" -> "..." in upper left corner -> "Privacy and Security" -> "Security" -> "Certificate Management" -> "Certification Authorities" -> Import: Load the file "CA.crt" downloaded in step 2. 14 | 4) Return to the test server at [https://test.openquantumsafe.org](https://test.openquantumsafe.org) and click any of the supported ports representing all available quantum safe KEM and signature algorithms. A success message is returned if everything works as intended. 15 | 16 | Please note that not all algorithm combinations are expected to work. Most notably, X448 KEM hybrids and composite signature algorithms are not supported by the [underlying integration of OQS-BoringSSL](https://github.com/open-quantum-safe/boringssl?tab=readme-ov-file#supported-algorithms). 17 | 18 | Please create a [discussion item](https://github.com/open-quantum-safe/boringssl/discussions/landing) if you feel some algorithm combination that does not work should do. 19 | 20 | ## Issues and Workarounds 21 | 22 | ### Ubuntu/Deb 23 | 24 | `ERROR:nsNSSCertificateDB.cpp(95)] PK11_ImportCert failed with error -8168` 25 | 26 | There are a few things to try should you recieve this error whilst importing your proxy CA certificate: 27 | 28 | 1. Manually install CA cert into nssdb. 29 | ```sh 30 | # Change permissions to avoid error "read only database" 31 | # chmod -R 766 /home/username/.pki/ 32 | # manually invoke certutl 33 | # certutil -d sql:$HOME/.pki/nssdb -A -t "CT,c,c" -n "CertName" -i /usr/share/ca-certificates/your_ca.crt 34 | ``` 35 | If running this in ansible you may need to replace `$HOME` with a path to the target users home directory instead of `$HOME`. 36 | 37 | 2. Symlink Linux trust store over libnss file (last resort) 38 | ```sh 39 | #backup store 40 | mv /usr/lib/x86_64-linux-gnu/libnssckbi.so /usr/lib/x86_64-linux-gnu/libnssckbi.so.bak 41 | #create symlink 42 | ln -s -f /usr/lib/x86_64-linux-gnu/pkcs11/p11-kit-trust.so /usr/lib/x86_64-linux-gnu/libnssckbi.so 43 | ``` 44 | -------------------------------------------------------------------------------- /curl/Dockerfile-QUIC: -------------------------------------------------------------------------------- 1 | ARG CURL_VERSION=8.13.0 2 | ARG QUICHE_VERSION=0.24.2 3 | 4 | # Stage 1: Build - Compile and assemble all necessary components and dependencies. 5 | FROM ubuntu:latest AS build 6 | ARG CURL_VERSION 7 | ARG QUICHE_VERSION 8 | 9 | # Install required build tools and system dependencies (excluding rustc/cargo from apt) 10 | RUN apt-get update && apt-get install -y --no-install-recommends \ 11 | cmake gcc ninja-build libunwind-dev \ 12 | pkg-config build-essential \ 13 | git wget ca-certificates curl \ 14 | && apt-get clean \ 15 | && rm -rf /var/lib/apt/lists/* 16 | 17 | # Install Rust using rustup to ensure we get a version >= 1.81 18 | # quiche v0.23.5 requires rustc >= 1.81, but until now Ubuntu does not provide it via apt. 19 | # In the future, if Ubuntu includes rustc >= 1.81 in its default repositories, 20 | # this rustup installation can be removed and replaced with a standard `apt install rustc cargo`. 21 | RUN curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | sh -s -- -y && \ 22 | ln -s /root/.cargo/bin/rustc /usr/local/bin/rustc && \ 23 | ln -s /root/.cargo/bin/cargo /usr/local/bin/cargo && \ 24 | rustc --version 25 | 26 | # Download and prepare source files needed for the build process. 27 | WORKDIR /root 28 | RUN git clone --branch main --depth 1 https://github.com/open-quantum-safe/boringssl.git bssl \ 29 | && git clone --recursive --depth 1 https://github.com/open-quantum-safe/liboqs.git \ 30 | && git clone --recursive --depth 1 --branch ${QUICHE_VERSION} https://github.com/cloudflare/quiche.git \ 31 | && mkdir -p /root/curl \ 32 | && wget -qO- "https://curl.se/download/curl-${CURL_VERSION}.tar.gz" | tar -xzf - -C /root/curl --strip-components=1 33 | 34 | # Build and install liboqs 35 | WORKDIR /root/liboqs/build 36 | RUN cmake -G"Ninja" \ 37 | "-DCMAKE_INSTALL_PREFIX=../../bssl/oqs" \ 38 | "-DOQS_USE_OPENSSL=OFF" .. \ 39 | && ninja -j"$(nproc)" && ninja install 40 | 41 | # Build and install BoringSSL 42 | WORKDIR /root/bssl/build 43 | RUN cmake -GNinja \ 44 | "-DCMAKE_BUILD_TYPE=Release" \ 45 | "-DBUILD_SHARED_LIBS=1" .. \ 46 | && ninja -j"$(nproc)" && ninja install \ 47 | && cp -rp "../install/include" "/usr/local/include/bssl" \ 48 | && cp -rp "../install/lib" "/usr/local/lib/bssl" 49 | 50 | # Build quiche with custom BoringSSL integration, enabling HTTP/3 and QUIC support 51 | WORKDIR /root/quiche/quiche/deps 52 | RUN rm -R boringssl \ 53 | && ln -s /root/bssl boringssl 54 | 55 | WORKDIR /root/quiche 56 | RUN cargo build --package quiche --release --features ffi,pkg-config-meta,qlog \ 57 | && cp -p target/release/libquiche.so /usr/local/lib/bssl/libquiche.so.0 58 | 59 | # Build and install cURL 60 | WORKDIR /root/curl 61 | RUN LIBS=-lpthread ./configure \ 62 | LDFLAGS=-Wl,-rpath,/usr/local/lib/bssl \ 63 | --with-openssl=/root/bssl/install \ 64 | --with-quiche=/root/quiche/target/release \ 65 | --without-libpsl \ 66 | --prefix=/usr/local/curl \ 67 | && make -j"$(nproc)" && make install 68 | 69 | # Stage 2: Runtime - Create a lightweight image with essential binaries and configurations. 70 | FROM ubuntu:latest 71 | 72 | RUN apt-get update && apt-get install -y --no-install-recommends ca-certificates \ 73 | && apt-get clean \ 74 | && rm -rf /var/lib/apt/lists/* 75 | 76 | # Copy necessary files from the build stage 77 | COPY --from=build /usr/local/include/bssl /usr/local/include/bssl 78 | COPY --from=build /usr/local/lib/bssl /usr/local/lib/bssl 79 | COPY --from=build /usr/local/curl /usr/local/curl 80 | 81 | # Create a symbolic link for cURL 82 | RUN ln -s /usr/local/curl/bin/curl /usr/local/bin/curl -------------------------------------------------------------------------------- /curl/README-QUIC.md: -------------------------------------------------------------------------------- 1 | # cURL with OQS-BoringSSL for QUIC 2 | 3 | This Docker setup provides a curl instance configured to use OQS-BoringSSL, which supports QUIC with quantum-safe algorithms. For more information on the supported quantum-safe algorithms and how to enable additional algorithms, please refer to the following resources: 4 | 5 | - [Supported Algorithms](https://github.com/open-quantum-safe/boringssl?tab=readme-ov-file#supported-algorithms) 6 | - [Using LibOQS Algorithms Not in the Fork](https://github.com/open-quantum-safe/boringssl/wiki/Using-liboqs-algorithms-not-in-the-fork) 7 | 8 | ## Setup Instructions 9 | 10 | ### Step 1: Build the Docker Image 11 | 12 | Build the Docker image using the provided Dockerfile: 13 | 14 | ```bash 15 | docker build -t curl-quic -f Dockerfile-QUIC . 16 | ``` 17 | 18 | ### Step 2: Start the Docker Container 19 | 20 | To start the container from the Docker image, use the following command: 21 | 22 | ```bash 23 | docker run -it --name curl-quic-instance curl-quic 24 | ``` 25 | 26 | ### Step 3: Use cURL Inside the Container 27 | 28 | Once inside the container, you can use the following command to make HTTP/3 requests: 29 | 30 | ```bash 31 | curl --http3-only https://example.com -curves kex 32 | ``` 33 | 34 | In this command, `kex` represents the key exchange algorithm, such as `mlkem768`. -------------------------------------------------------------------------------- /curl/USAGE.md: -------------------------------------------------------------------------------- 1 | # OQS-curl 2 | 3 | This docker image contains a version of [curl](https://curl.haxx.se) configured to also utilize quantum-safe crypto (QSC) operations. 4 | 5 | To this end, it contains [oqs-provider](https://github.com/open-quantum-safe/oqs-provider) from the [OpenQuantumSafe](https://openquantumsafe.org) project together with the latest OpenSSL (v3/master) code. 6 | 7 | As different images providing the same base functionality may be available, e.g., for debug or performance-optimized operations, the image name `openquantumsafe/curl` is consistently used in the description below. Be sure to adapt it to the image you want to use. 8 | 9 | ## Quick start 10 | 11 | 1) `docker run -it openquantumsafe/curl` starts an OQS-enabled TLS test server. 12 | 2) On the command prompt in the docker container resulting from the first comment, one can query that server by issuing the command `curl --curves kyber768 https://localhost:4433`. 13 | 14 | The latter command returns all TLS information documenting use of OQS-enabled TLS. The parameter to the `--curves` argument is [any Kex Exchange algorithm supported by oqs-provider](https://github.com/open-quantum-safe/oqs-provider#algorithms). Alternatively, the environment variable "DEFAULT_GROUPS" can be set to request a specific PQ KEM, e.g., `DEFAULT_GROUPS=p384_kyber768 curl https://localhost:4433`. The latter example of course also necessitates starting the test server with the same KEM, e.g., by running `docker run -e KEM_ALG=p384_kyber768 -it oqs-curl`. 15 | 16 | ## Retrieving data from other QSC-enabled TLS servers 17 | 18 | Beyond interacting with the built-in test server (utilizing `openssl s_server`) the image can also be used to retrieve data from any OQS-enabled TLS (1.3) server with the command `docker run -it openquantumsafe/curl curl `. 19 | 20 | All standard `curl` parameters are available plus the option to explicitly request a specific OQS algorithm ("--curves") from the [supported list of KEM algorithms](https://github.com/open-quantum-safe/oqs-provider#algorithms). 21 | 22 | 23 | ## Performance testing 24 | 25 | The docker image can also be used to execute performance tests using the different algoritms supported: 26 | 27 | 28 | ### TLS handshake performance 29 | 30 | Simply start 31 | ``` 32 | docker run -it openquantumsafe/curl perftest.sh 33 | ``` 34 | to perform TLS handshakes for 200 seconds (TEST_TIME default value) using dilithium2 (SIG_ALG default value) and kyber768 (KEM_ALG default value) keys and certificates. 35 | 36 | A 'worked example' and more general alternative form of the command is 37 | ``` 38 | docker run -e TEST_TIME=5 -e KEM_ALG=kyber768 -e SIG_ALG=dilithium3 -it openquantumsafe/curl perftest.sh 39 | ``` 40 | runs TLS handshakes for 5 seconds exercizing `dilithium3` and `kyber768`. Again, all [supported QSC algorithms](https://github.com/open-quantum-safe/oqs-provider#algorithms) can be set here. Be sure to properly distinguish between SIGnature_ALGorithms and KEM(Key Exchange Mechanism)_ALGorithms. 41 | 42 | 43 | ### Algorithm performance 44 | 45 | Simply start 46 | ``` 47 | docker run -it openquantumsafe/curl openssl speed 48 | ``` 49 | to run through all crypto algorithms built into and enabled in the docker image. This includes classic as well as quantum-safe algorithms side by side. 50 | 51 | If interested in performance of only specific algorithms, this can be done by providing parameters as usual for [openssl speed](https://www.openssl.org/docs/man1.1.1/man1/openssl-speed.html). The list of [currently supported OQS algorithms is accessible here](https://github.com/open-quantum-safe/oqs-provider#algorithms), so an example call would be `docker run -it openquantumsafe/curl openssl speed -seconds 2 kyber512`. 52 | 53 | #### Classic algorithm names for reference 54 | 55 | The following algorithm names may be set if one is interested in comparative performance measurements using "classic", i.e., non-quantumsafe, crypto: 56 | 57 | - SIG_ALG: ed25519 ed448 58 | 59 | - KEM_ALG: X25519 P-384 P-256 P-521 60 | 61 | 62 | -------------------------------------------------------------------------------- /curl/perftest.sh: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | set -e 3 | 4 | # Optionally set KEM to one defined in https://github.com/open-quantum-safe/oqs-provider#algorithms 5 | if [ "x$KEM_ALG" == "x" ]; then 6 | export DEFAULT_GROUPS=kyber512 7 | else 8 | export DEFAULT_GROUPS=$KEM_ALG 9 | fi 10 | 11 | # Optionally set SIG to one defined in https://github.com/open-quantum-safe/oqs-provider#algorithms 12 | if [ "x$SIG_ALG" == "x" ]; then 13 | export SIG_ALG=dilithium2 14 | fi 15 | 16 | # Optionally set TEST_TIME 17 | if [ "x$TEST_TIME" == "x" ]; then 18 | export TEST_TIME=100 19 | fi 20 | 21 | # Optionally set server certificate alg to one defined in https://github.com/open-quantum-safe/oqs-provider#algorithms 22 | # The root CA's signature alg remains as set when building the image 23 | if [ "x$SIG_ALG" != "x" ]; then 24 | cd /opt/oqssa/bin 25 | # generate new server CSR using pre-set CA.key & cert 26 | openssl req -new -newkey $SIG_ALG -keyout /opt/test/server.key -out /opt/test/server.csr -nodes -subj "/CN=localhost" 27 | if [ $? -ne 0 ]; then 28 | echo "Error generating keys - aborting." 29 | exit 1 30 | fi 31 | # generate server cert 32 | openssl x509 -req -in /opt/test/server.csr -out /opt/test/server.crt -CA CA.crt -CAkey CA.key -CAcreateserial -days 365 33 | if [ $? -ne 0 ]; then 34 | echo "Error generating cert - aborting." 35 | exit 1 36 | fi 37 | fi 38 | 39 | echo "Running $0 with SIG_ALG=$SIG_ALG and KEM_ALG=$KEM_ALG" 40 | echo 41 | 42 | # Start a TLS1.3 test server based on OpenSSL accepting only the specified KEM_ALG 43 | # The env var DEFAULT_GROUPS activates the required Group via the system openssl.cnf: 44 | # we put it on the command line to check for possible typos otherwise silently discarded: 45 | openssl s_server -cert /opt/test/server.crt -key /opt/test/server.key -groups $DEFAULT_GROUPS -www -tls1_3 -accept localhost:4433& 46 | 47 | # Give server time to come up first: 48 | sleep 1 49 | 50 | # Run handshakes for $TEST_TIME seconds 51 | # The env var DEFAULT_GROUPS activates the required Group via the system openssl.cnf: 52 | openssl s_time -connect :4433 -new -time $TEST_TIME -verify 1 | grep connections 53 | -------------------------------------------------------------------------------- /curl/serverstart.sh: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | set -e 3 | 4 | # Optionally set KEM to one defined in https://github.com/open-quantum-safe/openssl#key-exchange 5 | if [ "x$KEM_ALG" == "x" ]; then 6 | export DEFAULT_GROUPS=kyber768 7 | else 8 | export DEFAULT_GROUPS=$KEM_ALG 9 | fi 10 | 11 | # Optionally set server certificate alg to one defined in https://github.com/open-quantum-safe/oqs-provider#algorithms 12 | # The root CA's signature alg remains as set when building the image 13 | if [ "x$SIG_ALG" != "x" ]; then 14 | cd /opt/oqssa/bin 15 | # generate new server CSR using pre-set CA.key & cert 16 | openssl req -new -newkey $SIG_ALG -keyout /opt/test/server.key -out /opt/test/server.csr -nodes -subj "/CN=localhost" 17 | # generate server cert 18 | openssl x509 -req -in /opt/test/server.csr -out /opt/test/server.crt -CA CA.crt -CAkey CA.key -CAcreateserial -days 365 19 | fi 20 | 21 | # Start a TLS1.3 test server based on OpenSSL accepting only the specified 22 | # KEM_ALG by way of the environment variable DEFAULT_GROUPS used in openssl.cnf 23 | openssl s_server -cert /opt/test/server.crt -key /opt/test/server.key -www -tls1_3 -accept localhost:4433& 24 | 25 | # Open a shell for local experimentation 26 | sh 27 | -------------------------------------------------------------------------------- /deprecated/README.md: -------------------------------------------------------------------------------- 1 | # Deprecated demos 2 | 3 | > [!Warning] 4 | > Demos in this directory are longer supported, if you're interested in revitalizing a demo please submit a PR. 5 | 6 | Demos are considered deprecated when two factors are met, and can be un-deprecated by anyone willing to address them: 7 | 8 | 1. **Out of date or broken**: Either the demo is still based on the old oqs openssl1.1.1 fork rather than openssl3 using the oqs provider or it is not in a working state. 9 | 2. **No interest or expertise**: The community has shown no interest in updating or maintaining the demo 10 | 11 | > **Note**: Demos that only meet factor 2 are considered Unmaintained, not Deprecated. 12 | -------------------------------------------------------------------------------- /deprecated/envoy/README.md: -------------------------------------------------------------------------------- 1 | # DEPRECATED 2 | 3 | > [!Warning] 4 | > This integration is currently not supported due to [the end of life of oqs-openssl111](https://github.com/open-quantum-safe/openssl#warning). 5 | 6 | ## Purpose 7 | 8 | This directory contains a Dockerfile that builds Envoy with the [OQS BoringSSL master-with-bazel branch](https://github.com/Post-Quantum-Mesh/boringssl) modified to build the liboqs library and use the most updated BoringSSL source code. 9 | 10 | ## Getting Started 11 | 12 | ### Docker Image 13 | 14 | A pre-built [Docker image](https://hub.docker.com/layers/drouhana/envoy-oqs/envoy/images/sha256-e779ccfd8707e31fbf3f47f1f2ac99cb52ea56f6e923a87fbb12b7fa1dbca114?context=repo) has been provided for streamlined use in envoy implementations. 15 | 16 | It can be used identically to the standard envoy images. For example, when setting a base image for a standard Envoy implementation, one may write 17 | 18 | FROM envoyproxy/envoy-dev:latest 19 | 20 | To use the post-quantum image, replace with 21 | 22 | FROM openquantumsafe/envoy:latest 23 | 24 | ### Local Docker Build 25 | 26 | Install [Docker](https://docs.docker.com/get-docker/) and run the following commands: 27 | 28 | docker build -t envoy . 29 | 30 | ### Build From Source 31 | 32 | Full source code, instructions, and demo can be found [here](https://github.com/Post-Quantum-Mesh/envoy-oqs). 33 | 34 | ## Sample Usage 35 | 36 | An example implementation of oqs-enabled envoy terminating a tls handshake and proxying to an http backend has been included. 37 | 38 | ## Contact 39 | 40 | For questions or contributions to the post-quantum cloud native project: 41 | 42 | [Github repo](https://github.com/Post-Quantum-Mesh) 43 | 44 | danielrouhana@pm.me 45 | -------------------------------------------------------------------------------- /deprecated/envoy/USAGE.md: -------------------------------------------------------------------------------- 1 | ## Using the Image 2 | 3 | Both the locally built and pre-built images can be used identically to the standard envoy images. For example, when setting a base image for a standard Envoy implementation, one may write 4 | 5 | FROM envoyproxy/envoy-dev:latest 6 | 7 | To use the post-quantum image, replace with 8 | 9 | FROM openquantumsafe/envoy:latest 10 | 11 | An example implementation of oqs-enabled envoy terminating a tls handshake and proxying to an http backend has been included. -------------------------------------------------------------------------------- /deprecated/envoy/tls/Dockerfile: -------------------------------------------------------------------------------- 1 | # Define global arguments 2 | ARG DEBIAN_FRONTEND=noninteractive 3 | 4 | #FROM openquantumsafe/envoy:latest 5 | #FROM drouhana/envoy-oqs:envoy 6 | FROM envoy-oqs:latest 7 | 8 | # copy certs 9 | COPY ./certs/servercert.pem /etc/example/servercert.pem 10 | COPY ./certs/serverkey.pem /etc/example/serverkey.pem 11 | COPY ./certs/CA_cert.pem /etc/example/CA_cert.pem 12 | COPY ./envoy-https-http.yaml /etc/envoy.yaml 13 | 14 | 15 | WORKDIR /etc/example 16 | RUN chown "$USER" -R * 17 | 18 | RUN chmod go+r /etc/example/servercert.pem 19 | RUN chmod go+r /etc/example/serverkey.pem 20 | RUN chmod go+r /etc/example/CA_cert.pem 21 | RUN chmod go+r /etc/envoy.yaml 22 | 23 | 24 | CMD ["envoy", "-c /etc/envoy.yaml"] 25 | -------------------------------------------------------------------------------- /deprecated/envoy/tls/README.md: -------------------------------------------------------------------------------- 1 | ## Transport Layer Security (TLS) Demo 2 | 3 | ### Generate Certificates: 4 | 5 | All necessary commands are encapsulated in gen_cert.sh. In order to change the encryption algorithm, change the term following "-newkey" flag in lines 3 and 5. All paths in the shell script assume a standard installation of the OpenQuantumSafe OpenSSL fork in /usr/local. To execute, navigate to ./certs and run the following command: 6 | 7 | ./gen_cert.sh 8 | 9 | If local installation differs in location, the individual commands can be ran with paths corrected. 10 | 11 | ### Startup TLS Server: 12 | 13 | Open one terminal and run the following command: 14 | 15 | ./init.sh 16 | 17 | The following commands will be run by the shell script: 18 | 19 | sudo docker-compose pull 20 | sudo docker-compose up --build -d 21 | sudo docker-compose ps 22 | 23 | ### Query TLS Server: 24 | 25 | In a second terminal, run the following command: 26 | 27 | sudo docker run --network host -it openquantumsafe/curl curl -v -k https://localhost:10000 -e SIG_ALG=dilithium3 28 | 29 | ### Terminate TLS Server: 30 | 31 | In a second terminal, run the following command: 32 | 33 | ./kill.sh 34 | 35 | The following commands will be run by the shell script: 36 | 37 | sudo docker kill $(sudo docker ps -q) 38 | sudo docker container prune -f 39 | -------------------------------------------------------------------------------- /deprecated/envoy/tls/certs/gen_cert.sh: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | 3 | openssl req -x509 -new -newkey dilithium3 -keyout CA_key.pem -out CA_cert.pem -nodes -subj "/CN=localhost" -days 365 #-config /usr/local/openssl/apps/openssl.cnf 4 | #chown -R $USER * 5 | 6 | openssl req -new -newkey dilithium3 -keyout serverkey.pem -out servercsr.csr -nodes -subj "/CN=localhost" #-config /usr/local/openssl/apps/openssl.cnf 7 | #chown -R $USER * 8 | 9 | openssl x509 -req -in servercsr.csr -out servercert.pem -CA CA_cert.pem -CAkey CA_key.pem -CAcreateserial -days 365 10 | #chown -R $USER * 11 | 12 | ls -la -------------------------------------------------------------------------------- /deprecated/envoy/tls/docker-compose.yaml: -------------------------------------------------------------------------------- 1 | version: "3.7" 2 | services: 3 | 4 | proxy: 5 | container_name: https-proxy 6 | hostname: https-proxy 7 | build: 8 | context: . 9 | dockerfile: Dockerfile 10 | ports: 11 | - "10000:10000" 12 | 13 | service-http: 14 | image: mendhak/http-https-echo:23 15 | container_name: service-http 16 | hostname: service-http 17 | 18 | environment: 19 | - HTTPS_PORT=0 20 | - HTTP_PORT=80 21 | -------------------------------------------------------------------------------- /deprecated/envoy/tls/envoy-https-http.yaml: -------------------------------------------------------------------------------- 1 | static_resources: 2 | listeners: 3 | - address: 4 | socket_address: 5 | address: 0.0.0.0 6 | port_value: 10000 7 | filter_chains: 8 | - filters: 9 | - name: envoy.filters.network.http_connection_manager 10 | typed_config: 11 | "@type": type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager 12 | codec_type: AUTO 13 | stat_prefix: ingress_http 14 | route_config: 15 | name: local_route 16 | virtual_hosts: 17 | - name: app 18 | domains: 19 | - "*" 20 | routes: 21 | - match: 22 | prefix: "/" 23 | route: 24 | cluster: service-http 25 | http_filters: 26 | - name: envoy.filters.http.router 27 | typed_config: 28 | "@type": type.googleapis.com/envoy.extensions.filters.http.router.v3.Router 29 | transport_socket: 30 | name: envoy.transport_sockets.tls 31 | typed_config: 32 | "@type": type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.DownstreamTlsContext 33 | common_tls_context: 34 | tls_certificates: 35 | certificate_chain: {"filename": "/etc/example/servercert.pem"} 36 | private_key: {"filename": "/etc/example/serverkey.pem"} 37 | 38 | clusters: 39 | - name: service-http 40 | type: STRICT_DNS 41 | connect_timeout: 10s 42 | lb_policy: ROUND_ROBIN 43 | load_assignment: 44 | cluster_name: service-http 45 | endpoints: 46 | - lb_endpoints: 47 | - endpoint: 48 | address: 49 | socket_address: 50 | address: service-http 51 | port_value: 80 52 | -------------------------------------------------------------------------------- /deprecated/envoy/tls/init.sh: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | 3 | echo "Initializing..." 4 | echo 5 | sudo docker-compose pull 6 | sudo docker-compose up --build -d 7 | sudo docker-compose ps -------------------------------------------------------------------------------- /deprecated/envoy/tls/kill.sh: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | 3 | # Run from CWD using "./kill.sh" 4 | 5 | # Kill container 6 | echo "Killing tls container..." 7 | echo 8 | sudo docker kill $(sudo docker ps -q) && sudo docker container prune -f 9 | -------------------------------------------------------------------------------- /deprecated/envoy/tls/query.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | # Defaults 4 | HELP='' 5 | QUANTUM='' 6 | FAIL='' 7 | 8 | while getopts 'hfq' flag; do 9 | case "${flag}" in 10 | h) HELP=1 ;; 11 | f) FAIL=1 ;; 12 | q) QUANTUM=1 ;; 13 | esac 14 | done 15 | 16 | if [[ $HELP == 1 ]]; 17 | then 18 | printf "Envoy-OQS TLS Demo: \n -h: Print help menu\n -f: Query post-quantum server with standard curl implementation (will fail)\n -q: Use post-quantum curl implementation\n" 19 | exit 1 20 | fi 21 | 22 | if [[ $FAIL == '' && $QUANTUM == '' ]]; 23 | then 24 | echo "Error, must specify pre-quantum (-f) or post-quantum (-q) query..." 25 | exit 1 26 | fi 27 | 28 | if [[ $QUANTUM == 1 ]]; 29 | then 30 | echo "Querying https server using post-quantum enabled curl..." 31 | echo 32 | sudo docker run --network host -it openquantumsafe/curl curl -v -k https://localhost:10000 -e SIG_ALG=dilithium3 33 | fi 34 | 35 | if [[ $FAIL == 1 ]]; 36 | then 37 | echo "Querying https server using standard curl implementation..." 38 | echo 39 | curl https://localhost:10000 -k -v 40 | fi 41 | -------------------------------------------------------------------------------- /deprecated/openlitespeed/Dockerfile-server: -------------------------------------------------------------------------------- 1 | ARG LIBOQS_TAG=main 2 | 3 | FROM ubuntu:focal as builder 4 | 5 | ARG LIBOQS_TAG 6 | 7 | ENV TZ=Europe/Zurich 8 | ENV DEBIAN_FRONTEND=noninteractive 9 | 10 | # Update apt software 11 | RUN apt update 12 | 13 | # Install prerequisites 14 | RUN apt install git libz-dev libevent-dev cmake gcc ninja-build libunwind-dev pkg-config python3 python3-psutil golang-go -y 15 | 16 | WORKDIR /opt 17 | 18 | # Download openlitespeed repository 19 | RUN git clone https://github.com/litespeedtech/openlitespeed.git 20 | 21 | COPY build.sh.patch /opt/ 22 | COPY build_bssl.sh.patch /opt/ 23 | 24 | # Apply patch to build.sh 25 | RUN cd openlitespeed && git apply --reject --whitespace=fix /opt/build.sh.patch 26 | 27 | 28 | ENV LIBOQS_TAG=${LIBOQS_TAG} 29 | # Build and install openlitespeed 30 | RUN cd openlitespeed && ./build.sh && ./install.sh 31 | 32 | WORKDIR /root/ 33 | 34 | # Configuring the server to expose CA.crt on port 80 and to enable QUIC on port 443 35 | COPY httpd_config.conf /usr/local/lsws/conf/ 36 | 37 | FROM ubuntu:focal 38 | 39 | ENV TZ=Europe/Zurich 40 | ENV DEBIAN_FRONTEND=noninteractive 41 | 42 | COPY --from=builder /usr/local/lsws/ /usr/local/lsws 43 | COPY --from=builder /usr/local/lib/liboqs.* /usr/local/lib 44 | 45 | RUN ldconfig 46 | 47 | RUN apt update && apt install -y openssl net-tools 48 | WORKDIR /root/ 49 | 50 | COPY serverstart.sh . 51 | -------------------------------------------------------------------------------- /deprecated/openlitespeed/README.md: -------------------------------------------------------------------------------- 1 | # DEPRECATED 2 | 3 | > [!Warning] 4 | > This integration is longer supported due to lack of interest and support, if you're interested in revitalizing this demo please submit a PR. A previous update attempt can be found [here](https://github.com/open-quantum-safe/oqs-demos/commit/864f56e0015886e1ad931f82a0bbe93a5045eb1d) 5 | 6 | OpenLiteSpeed 7 | =============== 8 | [OpenLiteSpeed](https://github.com/litespeedtech/openlitespeed) is the Open Source edition of [LiteSpeed Web Server Enterprise](https://www.litespeedtech.com/). 9 | More information about OpenLiteSpeed can be found [here](https://openlitespeed.org/). 10 | 11 | ## Purpose 12 | This directory contains a Dockerfile that builds [OpenLiteSpeed](https://github.com/litespeedtech/openlitespeed) with [OQS-BoringSSL](https://github.com/open-quantum-safe/boringssl), which allows OpenLiteSpeed to negotiate quantum-safe key exchange using [liboqs](https://github.com/open-quantum-safe/liboqs/). 13 | 14 | 15 | 16 | ## Getting started 17 | 18 | ## Server 19 | ### Building 20 | Assuming Docker is [installed](https://docs.docker.com/install) the following command 21 | 22 | ``` 23 | docker build -t lsws -f Dockerfile-server . 24 | docker network create lsws-test 25 | docker run --network lsws-test --name lsws -it lsws bash 26 | ``` 27 | 28 | will run the container for the quantum-safe crypto (QSC) protected OpenLiteSpeed server on the docker network called lsws-test. 29 | 30 | ### Usage 31 | Documentation for using the server docker image is contained in the separate [USAGE-server.md](USAGE-server.md) file. 32 | 33 | ## Client 34 | 35 | The QUIC client from https://github.com/open-quantum-safe/oqs-demos/tree/main/quic can be used to test the post quantum key exchange. 36 | 37 | The following command 38 | 39 | ``` 40 | docker run --network lsws-test --name client -it openquantumsafe/msquic-reach bash 41 | ``` 42 | 43 | runs the container for the QSC-enabled QUIC client on the same network as the server. 44 | ### Usage 45 | Documentation for using the client docker image is contained in the separate [USAGE-client.md](USAGE-client.md) file. 46 | 47 | 48 | ## Disclaimer 49 | 50 | [THIS IS NOT FIT FOR PRODUCTION USE](https://github.com/open-quantum-safe/liboqs#limitations-and-security). 51 | -------------------------------------------------------------------------------- /deprecated/openlitespeed/USAGE-client.md: -------------------------------------------------------------------------------- 1 | ## Purpose 2 | Extending the [the initial work by Igor Barshteyn](https://www.linkedin.com/pulse/quic-protocol-quantum-safe-cryptography-presenting-future-igor/) this image integrates quantum safe cryptography (QSC) into the [msquic](https://github.com/microsoft/msquic) software package to allow exercising all QSC algorithm combinations currently supported by the [OpenQuantumSafe](https://www.openquantumsafe.org) project. 3 | 4 | 5 | ## Quick start 6 | Assuming Docker is [installed](https://docs.docker.com/install) the following command 7 | 8 | ``` 9 | docker run --network lsws-test --name client -it openquantumsafe/msquic-reach bash 10 | ``` 11 | 12 | will run the container on the docker network called lsws-test (assuming it has already been created. If not, run `docker network create lsws-test`). 13 | 14 | 15 | ### quicreach 16 | 17 | The CA certificate should first be downloaded from the server with 18 | ``` 19 | wget
/CA.crt 20 | ``` 21 | 22 | For example, `wget lsws/CA.crt` 23 | 24 | To interact with the openlitespeed server, run 25 | ``` 26 | SSL_CERT_FILE=CA.crt quicreach
--port --stats 27 | ``` 28 | For example, `SSL_CERT_FILE=CA.crt quicreach lsws --port 443 --stats` 29 | 30 | The environment variable SSL_CERT_FILE should point to the location of the downloaded CA.crt. 31 | The address and port should correspond to those of the openlitespeed server. 32 | 33 | In order to change the list of algorithms, simply set the environment variable "TLS_DEFAULT_GROUPS" to a list of desired algorithms. 34 | [See list of quantum-safe key exchange algorithms which the OpenLiteSpeed server supports here](https://github.com/open-quantum-safe/boringssl#key-exchange). 35 | 36 | For example, 37 | ``` 38 | SSL_CERT_FILE=CA.crt TLS_DEFAULT_GROUPS=kyber768:kyber512 quicreach
--port 39 | ``` 40 | 41 | 42 | For more options, run `quicreach --help` 43 | 44 | ## Disclaimer 45 | 46 | [THIS IS NOT FIT FOR PRODUCTION USE](https://github.com/open-quantum-safe/liboqs#limitations-and-security). 47 | -------------------------------------------------------------------------------- /deprecated/openlitespeed/USAGE-server.md: -------------------------------------------------------------------------------- 1 | ## Purpose 2 | 3 | This is an [OpenLiteSpeed](https://github.com/litespeedtech/openlitespeed) docker image building on [OQS-BoringSSL](https://github.com/open-quantum-safe/boringssl), which allows OpenLiteSpeed to negotiate quantum-safe keys in TLS 1.3. 4 | 5 | 6 | ## Quick start 7 | Assuming Docker is [installed](https://docs.docker.com/install) the following command 8 | 9 | ``` 10 | docker network create lsws-test 11 | docker run --network lsws-test --name lsws -it openquantumsafe/lsws bash 12 | ``` 13 | 14 | will run the container for the quantum-safe crypto (QSC) protected OpenLiteSpeed server on the docker network called lsws-test. 15 | 16 | Run the serverstart.sh script, `/root/serverstart.sh`, to generate certificate and key files and to start the server. 17 | 18 | To start the server, run `/usr/local/lsws/bin/lswsctrl start`. For more commands, run `/usr/local/lsws/bin/lswsctrl help` 19 | 20 | The document root is `/usr/local/lsws/Example/html/` 21 | 22 | The CA.crt file is hosted on port 80 and QUIC is enabled on port 443. 23 | 24 | ### What is WebAdmin Console? 25 | It is a GUI interface which makes OpenLiteSpeed configuration so much easier. It uses port 7080. 26 | 27 | The WebAdmin Console can be accessed through `your-server-ip:7080` 28 | For example `172.17.0.2:7080` 29 | Run `ifconfig` to find your IP address. 30 | 31 | To get your WebAdmin Console username and password, run `cat /usr/local/lsws/adminpasswd` 32 | To reset your WebAdmin Console credentials, run `/usr/local/lsws/admin/misc/admpass.sh` 33 | 34 | 35 | ## List of supported key exchange algorithms 36 | [See list of supported quantum-safe key exchange algorithms here](https://github.com/open-quantum-safe/boringssl#key-exchange) 37 | 38 | 39 | 40 | ## Disclaimer 41 | 42 | [THIS IS NOT FIT FOR PRODUCTION USE](https://github.com/open-quantum-safe/liboqs#limitations-and-security). 43 | -------------------------------------------------------------------------------- /deprecated/openlitespeed/build.sh.patch: -------------------------------------------------------------------------------- 1 | diff --git a/build.sh b/build.sh 2 | index fee6cefb..1e72204f 100755 3 | --- a/build.sh 4 | +++ b/build.sh 5 | @@ -514,7 +514,7 @@ if [ ! -d third-party ]; then 6 | if [ "${ISLINUX}" != "yes" ] || [ "${ARCH}" != "x86_64" ] ; then 7 | sed -i -e "s/psol/ /g" ./build_ols.sh 8 | fi 9 | - 10 | + git apply --reject --whitespace=fix ../../build_bssl.sh.patch 11 | ./build_ols.sh 12 | 13 | fi 14 | @@ -549,6 +549,9 @@ if [ ! -d build ]; then 15 | fi 16 | cd build 17 | cmake -DCMAKE_BUILD_TYPE=$BUILD .. 18 | +# Add -loqs in link.txt 19 | +sed -i ' 1 s/.*/&-loqs/' src/CMakeFiles/openlitespeed.dir/link.txt 20 | + 21 | jobs=$(nproc) 22 | make -j${jobs} 23 | cd .. 24 | -------------------------------------------------------------------------------- /deprecated/openlitespeed/build_bssl.sh.patch: -------------------------------------------------------------------------------- 1 | diff --git a/script/build_bssl.sh b/script/build_bssl.sh 2 | index cb7f229..60e0822 100755 3 | --- a/script/build_bssl.sh 4 | +++ b/script/build_bssl.sh 5 | @@ -6,7 +6,11 @@ cd src 6 | 7 | 8 | if [ ! -d "boringssl" ]; then 9 | - git clone https://github.com/google/boringssl.git 10 | + # download boringssl and liboqs from oqs 11 | + echo "Downloading oqs boringssl" 12 | + git clone --branch master https://github.com/open-quantum-safe/boringssl.git 13 | + 14 | + git clone --branch $LIBOQS_TAG --single-branch --depth 1 https://github.com/open-quantum-safe/liboqs.git 15 | fi 16 | 17 | if [ -d "go" ]; then 18 | @@ -17,9 +21,6 @@ echo $PATH 19 | fi 20 | 21 | cd boringssl 22 | -git reset --hard 23 | -git checkout master 24 | -git pull 25 | 26 | #git checkout 49de1fc291 27 | #git checkout bfe527fa35735e8e045cbfb42b012e13ca68f9cf 28 | @@ -27,7 +28,7 @@ git pull 29 | #git checkout b117a3a0b7bd11fe6ebd503ec6b45d6b910b41a1 30 | # HTTP/3 v1 and ID-34 support 31 | #git checkout a2278d4d2cabe73f6663e3299ea7808edfa306b9 32 | -git checkout cf8d3ad3cea51cf7184307d54f465da62b7d8408 33 | +# git checkout cf8d3ad3cea51cf7184307d54f465da62b7d8408 34 | 35 | rm -rf build 36 | 37 | @@ -37,8 +38,13 @@ patch -p1 < ../../patches/boringssl/bssl_max_early_data_sz.patch 38 | #patch -p1 < ../../patches/boringssl/bssl_no_eoed.patch 39 | sed -i -e "s/-Werror//" CMakeLists.txt 40 | 41 | -mkdir build 42 | -cd build 43 | +# Build liboqs both as shared and static library 44 | +cd ../liboqs && mkdir build-static && cd build-static && cmake -G"Ninja" -DCMAKE_INSTALL_PREFIX=/opt/third-party/src/boringssl/oqs -DOQS_USE_OPENSSL=OFF .. && ninja && ninja install 45 | +cd .. && mkdir build && cd build && cmake -G"Ninja" -DBUILD_SHARED_LIBS=ON -DCMAKE_INSTALL_PREFIX=/opt/third-party/src/boringssl/oqs -DOQS_USE_OPENSSL=OFF .. && ninja && ninja install 46 | + 47 | +cp /opt/third-party/src/liboqs/build/lib/liboqs.so /usr/local/lib && ldconfig 48 | +cd ../../boringssl && mkdir build && cd build 49 | + 50 | cmake ../ -DCMAKE_BUILD_TYPE=RelWithDebInfo -DCMAKE_C_FLAGS="-fPIC" -DCMAKE_CXX_FLAGS="-fPIC" 51 | #cmake ../ -DCMAKE_BUILD_TYPE=RelWithDebInfo -DCMAKE_C_FLAGS="-fPIC -DOPENSSL_C11_ATOMIC" -DCMAKE_CXX_FLAGS="-fPIC -DOPENSSL_C11_ATOMIC" 52 | make -j4 53 | @@ -50,9 +56,11 @@ make -j4 54 | cd .. 55 | 56 | cp crypto/libcrypto.a ../../../lib 57 | -cp ssl/libssl.a ../../../lib 58 | +cp ssl/libssl.a ../../../lib 59 | cp decrepit/libdecrepit.a ../../../lib 60 | +cp ../oqs/lib/liboqs* ../../../lib 61 | 62 | cd .. 63 | +cp -r oqs/include/oqs ../../include/ 64 | cp -r include/openssl ../../include/ 65 | 66 | -------------------------------------------------------------------------------- /deprecated/openlitespeed/serverstart.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | # Generate keys and certificates 4 | openssl req -x509 \ 5 | -new -newkey rsa:3072 \ 6 | -keyout CA.key \ 7 | -out CA.crt \ 8 | -nodes -subj '/CN=oqstest_CA' -days 500 9 | 10 | openssl req \ 11 | -new -newkey rsa:3072 \ 12 | -keyout srv.key \ 13 | -out srv.csr \ 14 | -nodes \ 15 | -subj '/CN= openlitespeed' 16 | 17 | openssl x509 -req \ 18 | -in srv.csr \ 19 | -out srv.crt \ 20 | -CA CA.crt \ 21 | -CAkey CA.key \ 22 | -CAcreateserial \ 23 | -extensions v3_req \ 24 | -days 365 25 | 26 | cp CA.crt /usr/local/lsws/Example/html/ 27 | 28 | /usr/local/lsws/bin/lswsctrl start -------------------------------------------------------------------------------- /deprecated/unbound/Dockerfile-getdns: -------------------------------------------------------------------------------- 1 | FROM ubuntu:18.04 2 | ##necessary lib 3 | ARG DEBIAN_FRONTEND=noninteractive 4 | RUN apt update && apt install -y \ 5 | cmake \ 6 | gcc \ 7 | libtool \ 8 | libssl-dev \ 9 | make \ 10 | ninja-build \ 11 | git 12 | 13 | ##installation of openssl with oqs 14 | ############################################################################## 15 | WORKDIR /root 16 | RUN git clone --depth 1 --branch OQS-OpenSSL_1_1_1-stable https://github.com/open-quantum-safe/openssl.git openssl 17 | 18 | RUN cd openssl && git clone --depth 1 --branch main https://github.com/open-quantum-safe/liboqs.git \ 19 | && cd liboqs \ 20 | && mkdir build && cd build \ 21 | && cmake -GNinja -DBUILD_SHARED_LIBS=ON -DCMAKE_INSTALL_PREFIX=/root/openssl/oqs .. \ 22 | && ninja && ninja install 23 | 24 | WORKDIR /root 25 | RUN cd openssl \ 26 | && ./Configure shared linux-x86_64 -lm \ 27 | && ldconfig \ 28 | && make && make install 29 | 30 | ##installation of getdns && other dependency 31 | ############################################################################## 32 | RUN apt update && apt install -y \ 33 | wget build-essential libunbound-dev libidn2-dev libssl-dev cmake libevent-dev libev-dev libuv1-dev autoconf check 34 | 35 | RUN git clone https://github.com/libuv/libuv.git && \ 36 | cd libuv && \ 37 | sh autogen.sh && \ 38 | ./configure && \ 39 | make install 40 | 41 | ##getdns to query unbound with tls encryption 42 | RUN apt install -y getdns-utils 43 | 44 | ##force kex to be "p384_kyber768:X25519" 45 | ENV TLS_DEFAULT_GROUPS="p384_kyber768:X25519" 46 | 47 | 48 | #RUN wget --no-check-certificate -O getdns.tar.gz https://getdnsapi.net/releases/getdns-1-7-2/getdns-1.7.2.tar.gz && \ 49 | # tar xzf getdns.tar.gz && \ 50 | # cd getdns-1.7.2 && \ 51 | # mkdir build && cd build && \ 52 | # ldconfig && \ 53 | # cmake .. && \ 54 | # make install 55 | -------------------------------------------------------------------------------- /deprecated/unbound/Dockerfile-unbound: -------------------------------------------------------------------------------- 1 | FROM ubuntu:18.04 2 | ##necessary lib 3 | ARG DEBIAN_FRONTEND=noninteractive 4 | RUN apt update && apt install -y \ 5 | cmake \ 6 | gcc \ 7 | libtool \ 8 | libssl-dev \ 9 | make \ 10 | ninja-build \ 11 | git 12 | 13 | ##installation of openssl with oqs 14 | ############################################################################## 15 | WORKDIR /root 16 | RUN git clone --depth 1 --branch OQS-OpenSSL_1_1_1-stable https://github.com/open-quantum-safe/openssl.git openssl 17 | 18 | RUN cd openssl && git clone --depth 1 --branch main https://github.com/open-quantum-safe/liboqs.git \ 19 | && cd liboqs \ 20 | && mkdir build && cd build \ 21 | && cmake -GNinja -DBUILD_SHARED_LIBS=ON -DCMAKE_INSTALL_PREFIX=/root/openssl/oqs .. \ 22 | && ninja && ninja install 23 | 24 | WORKDIR /root 25 | RUN cd openssl \ 26 | && ./Configure shared linux-x86_64 -lm \ 27 | && make && make install 28 | 29 | ##installation of necessary lib for unbound 30 | ############################################################################## 31 | RUN apt update && apt install -y \ 32 | wget \ 33 | tar \ 34 | libevent-dev \ 35 | tar \ 36 | autoconf \ 37 | libldns-dev \ 38 | libevent-dev \ 39 | ca-certificates \ 40 | libexpat1 \ 41 | libexpat1-dev \ 42 | flex \ 43 | bison 44 | 45 | ##installation of unbound 46 | ENV UNBOUND_DOWNLOAD_URL https://www.unbound.net/downloads/unbound-latest.tar.gz 47 | RUN set -x && \ 48 | mkdir -p /tmp/src && \ 49 | cd /tmp/src && \ 50 | wget --no-check-certificate -O unbound.tar.gz $UNBOUND_DOWNLOAD_URL && \ 51 | tar xzf unbound.tar.gz && \ 52 | rm -f unbound.tar.gz && \ 53 | cd */ && \ 54 | groupadd unbound && \ 55 | useradd -g unbound -s /etc -d /dev/null unbound && \ 56 | ./configure --prefix=/opt/unbound \ 57 | --with-username=unbound --disable-ecdsa --with-pthreads --with-ssl=/usr/local && \ 58 | ldconfig && \ 59 | make install && \ 60 | mv /opt/unbound/etc/unbound/unbound.conf /opt/unbound/etc/unbound/unbound.conf.example && \ 61 | rm -fr /opt/unbound/share/man && \ 62 | rm -fr /tmp/* /var/tmp/* 63 | 64 | ##setup unbound to be dns-over-tls 65 | COPY unbound.sh /opt 66 | RUN chmod 777 /opt/unbound.sh 67 | 68 | EXPOSE 853/tcp 69 | CMD ["/opt/unbound.sh"] 70 | -------------------------------------------------------------------------------- /deprecated/unbound/README.md: -------------------------------------------------------------------------------- 1 | # DEPRECATED 2 | 3 | > [!Warning] 4 | > This integration is currently not supported due to [the end of life of oqs-openssl111](https://github.com/open-quantum-safe/openssl#warning). 5 | 6 | # Unbound(DNS-over-Tls) 7 | 8 | This section is intended to implement the post 9 | quantum key exchange using [openssl](https://github.com/open-quantum-safe/openssl) on a [DNS server](https://github.com/NLnetLabs/unbound). Two Dockerfile were provided to test the key exchange between a client and the dns server over a tls connection. 10 | 11 | A first Dockerfile with unbound configure with dns-over-tls and using the key exchange of openssl post quantum variant. 12 | 13 | A second Dockerfile with getdns with openssl post quantum variant is used to query the DNS server to test the key exchange. 14 | 15 | ## Installation 16 | Assuming you have docker [installed](https://docs.docker.com/install) on your machine all command below will launch respective docker. 17 | 18 | Run Unbound DNS container: 19 | ```bash 20 | docker network create unbound-test && \ 21 | docker build -t unbound_docker -f Dockerfile-unbound . && \ 22 | docker run --network unbound-test --interactive --publish=853:853 --tty --hostname unbound --name unbound unbound_docker 23 | ``` 24 | Documentation for using the server docker image is contained in the separate [USAGE-server.md](USAGE-server.md) file. 25 | 26 | Open another terminal in the folder to run the getdns container: 27 | ```bash 28 | docker build -t getdns_docker Dockerfile-getdns . && \ 29 | docker run --network unbound-test --interactive --tty --hostname getdns --name getdns getdns_docker 30 | ``` 31 | Documentation for using the client docker image is contained in the separate [USAGE-client.md](USAGE-client.md) file. 32 | 33 | # DISCLAIMER 34 | 35 | [Please check the limitations and security information](https://github.com/open-quantum-safe/openssl#limitations-and-security) 36 | -------------------------------------------------------------------------------- /deprecated/unbound/USAGE-client.md: -------------------------------------------------------------------------------- 1 | 2 | # Usage of the client side container 3 | 4 | The post quantum key exchange [openssl](https://github.com/open-quantum-safe/openssl) variant and [getdns](https://getdnsapi.net/) were installed to query the DNS server with a post quantum key exchange algorithm. 5 | ## Installation 6 | Assuming you have docker [installed](https://docs.docker.com/install) on your machine all command below will launch getdns docker. 7 | 8 | Run getdns container: 9 | ```bash 10 | docker run --network unbound-test --interactive --tty --hostname getdns --name getdns -it openquantumsafe/getdns 11 | ``` 12 | After running all the command above a container will open with getdns running with openssl post quantum variant. 13 | 14 | ## Usage 15 | 16 | 17 | The key exchange between the server and the client is set on p384_kyber768:X25519, other key exchange algorithms can be used, find more algorithm in the [list of available post quantum key exchange algorithms](https://github.com/open-quantum-safe/boringssl#key-exchange). To specify the desired key exchange algorithm use the parameter `-e` in the `docker run` command.The example below used `kyber1024` to do the key exchange. 18 | 19 | ```bash 20 | docker run --network unbound-test -e TLS_DEFAULT_GROUPS=kyber1024 --interactive --tty --hostname getdns --name getdns -it openquantumsafe/getdns 21 | ``` 22 | 23 | To query the DNS server, run the command: 24 | 25 | ```bash 26 | getdns_query -s -d example.com A @:853 -L +return_call_reporting 27 | ``` 28 | 29 | The DNS server container has the name of "unbound" to get its ip address use the command: 30 | ```bash 31 | docker network inspect unbound-test 32 | ``` 33 | 34 | Below is an example output of the command where "unbound" has the ip address of 172.20.0.2. 35 | ```json 36 | "Containers": { 37 | "3763586e7b1fce6232671e7d2515cf7aa2bbfb0ba90231b2e0945f2bebb7242c": { 38 | "Name": "getdns", 39 | "EndpointID": "e6b043d166395b1ce6b368ab3ec975f7ffa7eac517a3b3f9774c2950ce4c126d", 40 | "MacAddress": "02:42:ac:14:00:03", 41 | "IPv4Address": "172.20.0.3/16", 42 | "IPv6Address": "" 43 | }, 44 | "95e5bd787333afc893e90e2398407133f1a421933eabdf1c0cd77eaec6feb5e2": { 45 | "Name": "unbound", 46 | "EndpointID": "3479a7c99d9cea7a76218f449ca1bafd35527d79778bcd4af68e8113d96166dd", 47 | "MacAddress": "02:42:ac:14:00:02", 48 | "IPv4Address": "172.20.0.2/16", 49 | "IPv6Address": "" 50 | } 51 | }, 52 | ``` 53 | After query the DNS server, we can check the key exchange algorithm using wireshark. To verify the key exchange algorithm, use the post quantum [wireshark](https://github.com/open-quantum-safe/oqs-demos/tree/main/wireshark) variant to check the "client hello" package. 54 | 55 | ![wireshark screenshot](wireshark_screenshot.png) 56 | 57 | # DISCLAIMER 58 | 59 | [Please check the limitations and security information](https://github.com/open-quantum-safe/openssl#limitations-and-security) 60 | -------------------------------------------------------------------------------- /deprecated/unbound/USAGE-server.md: -------------------------------------------------------------------------------- 1 | 2 | # Usage of the DNS server 3 | 4 | [Unbound DNS server](https://github.com/NLnetLabs/unbound) was configured with tls connection using the post quantum [openssl](https://github.com/open-quantum-safe/openssl) variant. 5 | ## Installation 6 | Assuming you have docker [installed](https://docs.docker.com/install) on your machine all command below will launch dns server docker. 7 | 8 | Run Unbound DNS container: 9 | ```bash 10 | docker network create unbound-test 11 | docker run --network unbound-test --interactive --publish=853:853 --tty --hostname unbound --name unbound -it openquantumsafe/unbound 12 | ``` 13 | After running all the command above a container will open with unbound running configure with dns-over-tls and a self signed certificate. 14 | 15 | The key exchange between the server and the client is set on p384_kyber768:X25519, other key exchange algorithms can be used, find more algorithm in the [list of available post quantum key exchange algorithms](https://github.com/open-quantum-safe/boringssl#key-exchange). To specify the desired key exchange algorithm use the parameter `-e` in the `docker run` command.The example below used `kyber1024` to do the key exchange. 16 | 17 | ```bash 18 | docker run --network unbound-test -e TLS_DEFAULT_GROUPS=kyber1024 --interactive --publish=853:853 --tty --hostname unbound --name unbound -it openquantumsafe/unbound 19 | ``` 20 | # DISCLAIMER 21 | 22 | [Please check the limitations and security information](https://github.com/open-quantum-safe/openssl#limitations-and-security) 23 | -------------------------------------------------------------------------------- /deprecated/unbound/unbound.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | set -x 3 | 4 | openssl genrsa -out /opt/unbound/etc/unbound/dnsPrivate.key 2048 5 | openssl req -key /opt/unbound/etc/unbound/dnsPrivate.key -new -out /opt/unbound/etc/unbound/domain.csr -subj "/C=MU/ST=Plaine Wilhem/L=Curepipe/O=University Of Mauritius & cyberstorm.mu/OU=IT Department/CN=ryndia" 6 | openssl x509 -signkey /opt/unbound/etc/unbound/dnsPrivate.key -in /opt/unbound/etc/unbound/domain.csr -req -days 365 -out /opt/unbound/etc/unbound/unbound_dns.crt 7 | 8 | 9 | cat <> /opt/unbound/etc/unbound/unbound.conf 10 | server: 11 | directory: "/opt/unbound/etc/unbound" 12 | username: "unbound" 13 | num-threads: 4 14 | verbosity: 1 15 | chroot: "/opt/unbound/etc/unbound" 16 | pidfile: "/opt/unbound/etc/unbound.pid" 17 | logfile: "/opt/unbound/etc/unbound/unbound.log" 18 | ssl-service-key: "/opt/unbound/etc/unbound/dnsPrivate.key" 19 | ssl-service-pem: "/opt/unbound/etc/unbound/unbound_dns.crt" 20 | auto-trust-anchor-file: "/opt/unbound/etc/unbound/var/root.key" 21 | interface: 0.0.0.0@853 22 | ssl-port: 853 23 | so-reuseport: yes 24 | do-daemonize: no 25 | num-queries-per-thread: 4096 26 | outgoing-range: 8192 27 | access-control: 0.0.0.0/0 allow 28 | hide-version: yes 29 | hide-identity: yes 30 | do-ip4: yes 31 | do-ip6: no 32 | harden-dnssec-stripped: yes 33 | private-address: 192.168.0.0/16 34 | private-address: 172.16.0.0/12 35 | private-address: 10.0.0.0/8 36 | private-address: 169.254.0.0/16 37 | # Cipher setting for newer TLS 1.3 connections. 38 | # Set the list of ciphersuites to allow when serving TLS. 39 | # Use "" for defaults, and that is the default. 40 | # tls-ciphersuites: "TLS_CHACHA20_POLY1305_SHA256" 41 | # tls-ciphersuites: "bikel1" 42 | EOT 43 | 44 | export TLS_DEFAULT_GROUPS="p384_kyber768:X25519" 45 | mkdir -p -m 700 /opt/unbound/etc/unbound/var 46 | chown unbound:unbound /opt/unbound/etc/unbound/var 47 | /opt/unbound/sbin/unbound-anchor -a "/opt/unbound/etc/unbound/var/root.key" 48 | touch /opt/unbound/etc/unbound/unbound.log 49 | chown unbound:unbound /opt/unbound/etc/unbound/unbound.log 50 | exec /opt/unbound/sbin/unbound -vv 51 | -------------------------------------------------------------------------------- /deprecated/unbound/wireshark_screenshot.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/open-quantum-safe/oqs-demos/e8110afa4dda5e0fab89dd6aeba4451ffd594e03/deprecated/unbound/wireshark_screenshot.png -------------------------------------------------------------------------------- /epiphany/README.md: -------------------------------------------------------------------------------- 1 | ## Purpose 2 | 3 | This directory contains a Dockerfile that builds the GNOME web browser epiphany such as to run TLS 1.3 using OQS-OpenSSL. 4 | 5 | ## Quick start 6 | 7 | 1) Be sure to have [docker installed](https://docs.docker.com/install). 8 | 2) Run `docker build --build-arg ARCH=$(uname -m) -t oqs-epiphany .` to create a QSC-enabled epiphany docker 9 | 10 | ## Usage 11 | 12 | Information how to use the image is [available in the separate file USAGE.md](USAGE.md). 13 | 14 | ## Build options 15 | 16 | The Dockerfile provided allows for significant customization of the image built: 17 | 18 | ### LIBOQS_TAG 19 | 20 | Tag of `liboqs` release to be used. 21 | 22 | ### OQSPROVIDER_TAG 23 | 24 | Tag of `oqsprovider` release to be used. 25 | -------------------------------------------------------------------------------- /epiphany/USAGE.md: -------------------------------------------------------------------------------- 1 | # OQS-epiphany 2 | 3 | This docker image contains a version of the [GNOME Web/epiphany](https://github.com/GNOME/epiphany) web browser built to also properly execute quantum-safe crypto (QSC) TLS operations. 4 | 5 | To this end, it contains QSC algorithms implemented by [liboqs](https://github.com/open-quantum-safe/liboqs) and made available to OpenSSL(3) via [oqs-provider](https://github.com/open-quantum-safe/oqs-provider) developed as part of the [OpenQuantumSafe](https://openquantumsafe.org) project. 6 | 7 | The image is based on Ubuntu and requires the host to run the Unix X-Window system. It has been tested on a Ubuntu 24.04 system. The ARM image has been tested on a Raspberry pi 5 with Raspian Bookworm 64 bit. 8 | 9 | ## Quick start 10 | 11 | Execute this command to open the epiphany browser window on your host: 12 | 13 | docker run -it --rm --entrypoint /bin/bash -e DISPLAY=$DISPLAY --ipc=host -v /tmp/.X11-unix:/tmp/.X11-unix openquantumsafe/epiphany 14 | 15 | *Note*: You may need to grant permissions for Docker to access the X display. As most users run docker in root mode, you would need: 16 | 17 | xhost +si:localuser:root 18 | 19 | It may require other actions in order to make it work in other environments as well as running docker in rootless mode. 20 | 21 | ## Suggested test 22 | 23 | Go to https://test.openquantumsafe.org where all standardized and most of the quantum-safe algorithms that are still part of the NIST PQC competition are available for TLS interoperability testing. 24 | 25 | *Note:* By default, only the algorithms "mlkem768:p384_mlkem768:x25519" are supported by the configuration built into this Docker image. 26 | 27 | ## Quantum-safe crypto server components 28 | 29 | If you want to set up your own server running QSC algorithms, check out [OQS-httpd/Apache](https://hub.docker.com/repository/docker/openquantumsafe/httpd) or [OQS-nginx](https://hub.docker.com/repository/docker/openquantumsafe/nginx). 30 | 31 | ## Disclaimer 32 | 33 | [THIS IS NOT FIT FOR PRODUCTION USE](https://github.com/open-quantum-safe/liboqs#limitations-and-security). 34 | -------------------------------------------------------------------------------- /h2load/Dockerfile: -------------------------------------------------------------------------------- 1 | # Multi-stage build: First the full builder image: 2 | 3 | # Define build arguments for version tags, installation paths, and configurations. 4 | ARG ALPINE_VERSION=3.21 5 | ARG OPENSSL_TAG=openssl-3.4.0 6 | ARG LIBOQS_TAG=0.12.0 7 | ARG OQSPROVIDER_TAG=0.8.0 8 | ARG NGHTTP2_TAG=v1.64.0 9 | ARG INSTALLDIR=/opt/oqssa 10 | 11 | # Stage 1: Build - Compile and assemble all necessary components and dependencies. 12 | FROM alpine:${ALPINE_VERSION} AS intermediate 13 | ARG INSTALLDIR 14 | ARG OPENSSL_TAG 15 | ARG LIBOQS_TAG 16 | ARG OQSPROVIDER_TAG 17 | ARG NGHTTP2_TAG 18 | 19 | # Install required build tools and system dependencies. 20 | RUN apk update && apk --no-cache add bash git g++ make cmake ninja autoconf automake libtool \ 21 | libev-dev libevent-dev openssl-dev openssl zlib c-ares-dev pkgconfig \ 22 | linux-headers zlib-dev jansson-dev 23 | 24 | # Download and prepare source files needed for the build process. 25 | WORKDIR /opt 26 | RUN git clone --depth 1 --branch ${LIBOQS_TAG} https://github.com/open-quantum-safe/liboqs && \ 27 | git clone --depth 1 --branch ${OPENSSL_TAG} https://github.com/openssl/openssl.git && \ 28 | git clone --depth 1 --branch ${OQSPROVIDER_TAG} https://github.com/open-quantum-safe/oqs-provider.git && \ 29 | git clone --depth 1 --branch ${NGHTTP2_TAG} https://github.com/nghttp2/nghttp2.git 30 | 31 | # Build and install liboqs 32 | WORKDIR /opt/liboqs/build 33 | RUN cmake -GNinja -DCMAKE_INSTALL_PREFIX=${INSTALLDIR} .. \ 34 | && ninja && ninja install 35 | 36 | # Build and install OpenSSL 37 | WORKDIR /opt/openssl 38 | RUN LDFLAGS="-Wl,-rpath -Wl,${INSTALLDIR}/lib64" ./config shared --prefix="${INSTALLDIR}" && \ 39 | make -j"$(nproc)" && make install_sw install_ssldirs && \ 40 | if [ -d "${INSTALLDIR}/lib64" ]; then ln -s "${INSTALLDIR}/lib64" "${INSTALLDIR}/lib"; fi && \ 41 | if [ -d "${INSTALLDIR}/lib" ]; then ln -s "${INSTALLDIR}/lib" "${INSTALLDIR}/lib64"; fi 42 | 43 | # Build, install, and configure the oqs-provider for OpenSSL integration. 44 | WORKDIR /opt/oqs-provider 45 | RUN ln -s ../openssl . && \ 46 | cmake -DOPENSSL_ROOT_DIR=${INSTALLDIR} -DCMAKE_BUILD_TYPE=Release -DCMAKE_PREFIX_PATH=${INSTALLDIR} -S . -B _build && \ 47 | cmake --build _build && \ 48 | cp _build/lib/oqsprovider.so ${INSTALLDIR}/lib64/ossl-modules && \ 49 | sed -i "s/default = default_sect/default = default_sect\noqsprovider = oqsprovider_sect/g" /opt/oqssa/ssl/openssl.cnf && \ 50 | sed -i "s/\[default_sect\]/\[default_sect\]\nactivate = 1\n\[oqsprovider_sect\]\nactivate = 1\n/g" /opt/oqssa/ssl/openssl.cnf && \ 51 | sed -i "s/providers = provider_sect/providers = provider_sect\nssl_conf = ssl_sect\n\n\[ssl_sect\]\nsystem_default = system_default_sect\n\n\[system_default_sect\]\nGroups = \$ENV\:\:KEM_ALG\n/g" /opt/oqssa/ssl/openssl.cnf && \ 52 | sed -i "s/\# Use this in order to automatically load providers/\# Set default KEM alg if not set via environment variable\nKEM_ALG = kyber512\n\n# Use this in order to automatically load providers/g" /opt/oqssa/ssl/openssl.cnf 53 | 54 | # Build and install nghttp2 55 | WORKDIR /opt/nghttp2 56 | RUN LD_LIBRARY_PATH="${INSTALLDIR}/lib64" autoreconf -i && automake && autoconf && ./configure \ 57 | PKG_CONFIG_PATH="/opt/oqssa/lib64/pkgconfig" && make -j"$(nproc)" install 58 | 59 | # Copy all required shared object dependencies to a single directory 60 | WORKDIR /opt/lib 61 | RUN cp /usr/local/lib/libnghttp2.so.* . && \ 62 | cp /usr/lib/libev.so.* . && \ 63 | cp /opt/oqssa/lib64/libssl.so.* . && \ 64 | cp /opt/oqssa/lib64/libcrypto.so.* . && \ 65 | cp /usr/lib/libstdc++.so.* . && \ 66 | cp /usr/lib/libgcc_s.so.* . 67 | 68 | # Stage 2: Runtime - Create a lightweight image with essential binaries and configurations. 69 | FROM alpine:${ALPINE_VERSION} AS dev 70 | 71 | # copy executable 72 | COPY --from=intermediate /usr/local/bin/h2load /usr/local/bin 73 | COPY check_algorithms.sh /usr/local/bin 74 | 75 | # copy shared object dependencies and configuration file 76 | COPY --from=intermediate /opt/lib /usr/local/lib 77 | COPY --from=intermediate /opt/oqssa/lib64/ossl-modules/oqsprovider.so /opt/oqssa/lib64/ossl-modules/oqsprovider.so 78 | COPY --from=intermediate /opt/oqssa/ssl/openssl.cnf /opt/oqssa/ssl/openssl.cnf 79 | 80 | RUN ln -s /opt/oqssa/lib64 /opt/oqssa/lib; 81 | -------------------------------------------------------------------------------- /h2load/README.md: -------------------------------------------------------------------------------- 1 | ## Purpose 2 | This directory contains a Dockerfile that builds the [h2load](https://nghttp2.org/documentation/h2load-howto.html) using [OpenSSL v3](https://github.com/openssl/openssl) and [OQS provider](https://github.com/open-quantum-safe/oqs-provider), which allows h2load to negotiate quantum-safe keys in TLS 1.3. 3 | 4 | ## Getting started 5 | 6 | ### Building 7 | Assuming Docker is [installed](https://docs.docker.com/install), the following command 8 | 9 | ``` 10 | docker network create h2load-test 11 | docker build -t h2load . 12 | docker run --name h2load --network h2load-test -it h2load 13 | ``` 14 | 15 | will run the container for the PQ-enabled h2load. 16 | 17 | ### Testing 18 | After running the h2load container, to verify that h2load performs quantum-safe key exchange, run an OQS-enabled TLS test server using the following commands 19 | ```bash 20 | docker run --rm --name oqs-nginx --network h2load-test openquantumsafe/nginx 21 | ``` 22 | To force http/1.1 for both http and https URI, specify `--h1` 23 | 24 | On the command prompt in the h2load docker container, run 25 | ```bash 26 | h2load -n 1000 -c 10 https://oqs-nginx:4433 --groups kyber512 27 | ``` 28 | 29 | ### Usage 30 | Documentation for using the h2load docker image is contained in the separate [USAGE.md](./USAGE.md) file. 31 | 32 | 33 | ## Disclaimer 34 | 35 | [THIS IS NOT FIT FOR PRODUCTION USE](https://github.com/open-quantum-safe/liboqs#limitations-and-security). 36 | -------------------------------------------------------------------------------- /h2load/USAGE.md: -------------------------------------------------------------------------------- 1 | ## Purpose 2 | This directory contains a Dockerfile that builds the [h2load](https://nghttp2.org/documentation/h2load-howto.html) using [OpenSSL v3](https://github.com/openssl/openssl) and [OQS provider](https://github.com/open-quantum-safe/oqs-provider), which allows h2load to negotiate quantum-safe keys in TLS 1.3. 3 | 4 | ## Quick start 5 | Assuming Docker is [installed](https://docs.docker.com/install) the following command 6 | 7 | ``` 8 | docker run --network h2load-test --name h2load -it openquantumsafe/h2load 9 | ``` 10 | will run the container for the PQ-enabled h2load on the docker network called h2load-test (assuming it has already been created. If not, run `docker network create h2load-test`) 11 | 12 | ### Running Load Tests 13 | After running the h2load container, you can perform HTTP/2 load tests. 14 | 15 | For local testing, make sure that the container hosting the test server is on the same network by using the `--network` flag and `--name` flag to specify the network and name of the container. For example, you can use the following command to run OQS-enabled TLS test server: 16 | 17 | ```bash 18 | docker run --rm --name oqs-nginx --network h2load-test openquantumsafe/nginx 19 | ``` 20 | 21 | 22 | ### HTTP/2 Load Test 23 | To perform an HTTP/2 load test, run the following command: 24 | ``` 25 | h2load -n -c --groups 26 | ``` 27 | where is the number of requests to send, is the number of concurrent clients to simulate, and \ is the URL to test. 28 | 29 | For example, 30 | ```bash 31 | h2load -n 1000 -c 10 https://oqs-nginx:4433 --groups kyber512 32 | ``` 33 | 34 | This will send 1000 requests with 10 clients to the oqs-nginx web server on port 4433. The test uses Kyber512 key exchange algorithm. 35 | If multiple algorithms are selected, they are separated with colons. 36 | For example, `--groups=kyber512:p256_bikel1` 37 | 38 | 39 | 40 | By default the h2load supports X25519 for key exchange but any plain or hybrid QSC (Quantum-Safe Cryptography) algorithm can be selected. [See list of supported key exchange algorithms here](https://github.com/open-quantum-safe/oqs-provider#algorithms 41 | ). 42 | 43 | To force http/1.1 for both http and https URI, specify `--h1` 44 | 45 | ### Timing-based load-testing 46 | This method conducts load testing based on a specified time duration instead of a predetermined number of requests. 47 | 48 | To perform timing-based load testing with h2load, use the --duration option followed by the desired duration in seconds. For example, to run a load test for 10 seconds with 100 concurrent clients while limiting the maximum number of streams to 100 per client, use: 49 | 50 | ``` 51 | h2load -c100 --duration=10 --warm-up-time=5 https://oqs-nginx:4433 --groups kyber512 52 | ``` 53 | 54 | For more options, run `h2load --help` 55 | 56 | 57 | More information can be found at https://nghttp2.org/documentation/h2load.1.html 58 | 59 | ## Disclaimer 60 | 61 | [THIS IS NOT FIT FOR PRODUCTION USE](https://github.com/open-quantum-safe/liboqs#limitations-and-security). 62 | -------------------------------------------------------------------------------- /h2load/check_algorithms.sh: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | # This script checks which algorithms work and which ones fail due to segmentation fault 3 | 4 | server="https://test.openquantumsafe.org:6000/" 5 | 6 | # create an array of algorithms 7 | algorithms="bikel1 bikel3 bikel5 kyber512 kyber768 kyber1024 frodo640aes frodo640shake frodo976aes frodo976shake frodo1344aes frodo1344shake hqc128 hqc192 hqc256" 8 | 9 | # declare variables for successes and failures 10 | successes="" 11 | failures="" 12 | 13 | # loop through algorithms and execute h2load 14 | for algorithm in $algorithms 15 | do 16 | h2load -n 1 -c 1 $server --groups $algorithm >/dev/null 2>error.txt 17 | if grep -q "Segmentation fault" error.txt; then 18 | echo "$algorithm failed." 19 | failures="$failures $algorithm" 20 | else 21 | echo "$algorithm succeeded." 22 | successes="$successes $algorithm" 23 | fi 24 | done 25 | 26 | rm -f error.txt h2load*.dmp 27 | 28 | # output results 29 | echo "Successes: $successes" 30 | echo "Failures: $failures" 31 | -------------------------------------------------------------------------------- /haproxy/README.md: -------------------------------------------------------------------------------- 1 | This directory contains a Dockerfile that builds `haproxy` using OpenSSL v3 using the [OQS provider](https://github.com/open-quantum-safe/oqs-provider), which allows `haproxy` to negotiate quantum-safe keys and use quantum-safe authentication in TLS 1.3. 2 | 3 | ## Getting started 4 | 5 | [Install Docker](https://docs.docker.com/install) and run the following commands in this directory: 6 | 7 | 1. `docker build --build-arg SIG_ALG= --build-arg KEM_ALGLIST= --tag oqs-haproxy .` (`` can be any of the signature authentication algorithms and `` can be a colon separated list of the Key exchange mechanisms listed [here](https://github.com/open-quantum-safe/oqs-provider#algorithms)). An alternative, simplified build instruction is `docker build -t oqs-haproxy .`: This will generate the image with a default QSC algorithm and KEMs (dilithium3, p384_kyber768:kyber768 -- see Dockerfile to change this). 8 | 2. `docker run --detach --rm --name oqs-haproxy -p 4433:4433 oqs-haproxy` 9 | 10 | This will start a docker container that has haproxy listening for TLS 1.3 connections on port 4433. Actual data will be served via a load-balanced `lighttpd` server running on ports 8181 and 8182. 11 | 12 | 13 | ## Usage 14 | 15 | Complete information how to use the image is [available in the separate file USAGE.md](USAGE.md). 16 | 17 | ## Build options 18 | 19 | The Dockerfile provided allows for significant customization of the image built: 20 | 21 | ### OPENSSL_TAG 22 | 23 | Tag of `openssl` release to be used. 24 | 25 | ### LIBOQS_TAG 26 | 27 | Tag of `liboqs` release to be used. 28 | 29 | ### OQSPROVIDER_TAG 30 | 31 | Tag of `oqsprovider` release to be used. 32 | 33 | ### LIBOQS_BUILD_DEFINES 34 | 35 | This permits changing the build options for the underlying library with the quantum safe algorithms. All possible options are documented [here](https://github.com/open-quantum-safe/liboqs/wiki/Customizing-liboqs). 36 | 37 | By default, the image is built such as to have maximum portability regardless of CPU type and optimizations available, i.e. to run on the widest possible range of cloud machines. 38 | 39 | ### SIG_ALG 40 | 41 | This defines the quantum-safe cryptographic signature algorithm for the internally generated (demonstration) CA and server certificates. 42 | 43 | The default value is 'dilithium3' but can be set to any value documented [here](https://github.com/open-quantum-safe/oqs-provider#algorithms). 44 | 45 | ### KEM_ALGLIST 46 | 47 | This defines the quantum-safe key exchange mechanisms to be supported. 48 | 49 | The default value is `p384_kyber768:kyber768` but can be set to any set of colon separated values documented [here](https://github.com/open-quantum-safe/oqs-provider#algorithms). 50 | 51 | ### HAPROXY_RELEASE and HAPROXY_MICRO 52 | 53 | These define the version of HAPROXY to use with the default set to 3.0 and 5 respectively to represent haproxy version 3.0.5. 54 | -------------------------------------------------------------------------------- /haproxy/conf/haproxy.cfg: -------------------------------------------------------------------------------- 1 | global 2 | maxconn 50000 3 | cpu-map auto:1/1-4 0-3 4 | ssl-default-bind-ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256 5 | ssl-default-bind-options ssl-min-ver TLSv1.2 no-tls-tickets 6 | 7 | defaults 8 | timeout connect 15s 9 | timeout client 45s 10 | timeout server 45s 11 | log global 12 | mode http 13 | maxconn 3000 14 | 15 | listen stats 16 | bind *:8484 17 | stats enable 18 | stats uri / 19 | stats refresh 5s 20 | 21 | frontend oqs.ha.proxy 22 | bind :8088 23 | bind :4433 ssl crt /opt/haproxy/certkey.pem curves @@CURVES@@ 24 | http-request redirect scheme https unless { ssl_fc } 25 | default_backend web_servers 26 | 27 | backend web_servers 28 | balance roundrobin 29 | cookie SERVERUSED insert indirect nocache 30 | option httpchk HEAD / 31 | default-server check maxconn 20 32 | # just 2 plain servers for simplicity/demo purposes: 33 | server server1 127.0.0.1:8181 cookie server1 34 | server server2 127.0.0.1:8182 cookie server2 35 | 36 | -------------------------------------------------------------------------------- /haproxy/start.sh: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | 3 | if [ "x$KEM_ALG" != "x" ]; then 4 | # kem name given, set it 5 | echo "Setting KEM alg $KEM_ALG" 6 | sed -i "s/kyber768/$KEM_ALG/g" /opt/haproxy/conf/haproxy.cfg 7 | fi 8 | 9 | cd /opt/haproxy 10 | 11 | if [ $# -eq 1 ]; then 12 | # backend address as sole optional parameter 13 | echo "Setting target backend $1" 14 | sed -i "s/127.0.0.1:8181/$1/g" /opt/haproxy/conf/haproxy.cfg 15 | # removing backend 2 16 | sed -i "s/server server2 127\.0\.0\.1\:8182 cookie server2//g" /opt/haproxy/conf/haproxy.cfg 17 | fi 18 | 19 | # Start backends: 20 | lighttpd -D -f /etc/lighttpd/lighttpd.conf & 21 | lighttpd -D -f /etc/lighttpd/lighttpd2.conf & 22 | 23 | sleep 2 24 | 25 | cat pki/server.crt pki/server.key > certkey.pem 26 | 27 | # Start HAProxy: 28 | /opt/oqssa/sbin/haproxy -f /opt/haproxy/conf/haproxy.cfg 29 | 30 | -------------------------------------------------------------------------------- /httpd/README.md: -------------------------------------------------------------------------------- 1 | ## Purpose 2 | 3 | This directory contains a Dockerfile that builds [httpd (a.k.a the Apache HTTP Server)](https://httpd.apache.org) using OpenSSL(v3) using [oqs-provider](https://github.com/open-quantum-safe/oqs-provider), which allows httpd to negotiate quantum-safe keys and use quantum-safe authentication in TLS 1.3. 4 | 5 | ## Getting started 6 | 7 | [Install Docker](https://docs.docker.com/install) and run the following commands in this directory: 8 | 9 | 1. `docker build --build-arg SIG_ALG= --tag oqs-httpd-img .` (`` can be any of the authentication algorithms listed [here](https://github.com/open-quantum-safe/oqs-provider#algorithms)). An alternative, simplified build instruction is `docker build -t oqs-httpd-img .`: This will generate the image with a default QSC algorithm (dilithium3 -- see Dockerfile to change this). 10 | 2. `docker run --detach --rm --name oqs-httpd -p 4433:4433 oqs-httpd-img` 11 | 12 | This will start a docker container that has httpd listening for TLS 1.3 connections on port 4433. 13 | 14 | 15 | ## Usage 16 | 17 | Complete information how to use the image is [available in the separate file USAGE.md](USAGE.md). 18 | 19 | ## Build options 20 | 21 | The Dockerfile provided allows for significant customization of the image built: 22 | 23 | ### OPENSSL_TAG 24 | 25 | Tag of `openssl` release to be used. 26 | 27 | ### LIBOQS_TAG 28 | 29 | Tag of `liboqs` release to be used. 30 | 31 | ### OQSPROVIDER_TAG 32 | 33 | Tag of `oqsprovider` release to be used. 34 | 35 | ### LIBOQS_BUILD_DEFINES 36 | 37 | This permits changing the build options for the underlying library with the quantum safe algorithms. All possible options are documented [here](https://github.com/open-quantum-safe/liboqs/wiki/Customizing-liboqs). 38 | 39 | By default, the image is built such as to have maximum portability regardless of CPU type and optimizations available, i.e. to run on the widest possible range of cloud machines. 40 | 41 | ### SIG_ALG 42 | 43 | This defines the quantum-safe cryptographic signature algorithm for the internally generated (demonstration) CA and server certificates. 44 | 45 | The default value is 'dilithium3' but can be set to any value documented [here](https://github.com/open-quantum-safe/oqs-provider#algorithms). 46 | 47 | ### DEFAULT_GROUPS 48 | 49 | This defines the (quantum-safe) cryptographic KEM algorithms utilized for TLS 1.3 session establishment. 50 | 51 | The default value is 'kyber768:p384_kyber768' activating Kyber768 and its hybrid variant for session setup. 52 | 53 | 54 | ### HTTPD_PATH 55 | 56 | This defines the resultant location of the httpd installatiion. 57 | 58 | By default this is '/opt/httpd'. It is recommended to not change this. Also, all [usage documentation](USAGE.md) assumes this path. 59 | 60 | ### HTTPD_VERSION 61 | 62 | This defines the apache httpd software version to be build into the image. 63 | 64 | The default version set is known to work OK but one could try any value available [for download](https://httpd.apache.org/download.cgi). 65 | 66 | ### MAKE_DEFINES 67 | 68 | Allow setting parameters to `make` operation, e.g., '-j nnn' where nnn defines the number of jobs run in parallel during build. 69 | 70 | The default is conservative and known not to overload normal machines. If one has a very powerful (many cores, >64GB RAM) machine, passing larger numbers (or only '-j' for maximum parallelism) speeds up building considerably. 71 | 72 | ### ALPINE_VERSION 73 | 74 | The version of the `alpine` docker image to to be used. 75 | -------------------------------------------------------------------------------- /locust/README.md: -------------------------------------------------------------------------------- 1 | ## Purpose 2 | This directory contains a Dockerfile that builds Locust using OpenSSL v3 using the [OQS provider](https://github.com/open-quantum-safe/oqs-provider) and Python3, which allows `Locust` to negotiate quantum-safe keys and use quantum-safe authentication in TLS 1.3. 3 | 4 | For more information on `Locust`, see the [official Locust project](https://github.com/locustio/locust). 5 | 6 | ## Quick start 7 | 8 | 1) Be sure to have [docker installed](https://docs.docker.com/install). 9 | 2) Run `docker build -t oqs-locust:0.0.1 .` to create a post quantum-enabled Locust docker image. 10 | 3) In order to configure endpoints and their weight, modify the file [scenarios/locustfile.py](scenarios/locustfile.py), more information can be found in [USAGE.md](USAGE.md) 11 | 4) To verify all components perform quantum-safe operations, first start the container with docker compose 12 | 13 | ``` 14 | LOGGER_LEVEL=DEBUG HOST=https://YOUR_QS_HOST:4433 docker compose up --scale worker=8 15 | ``` 16 | 4) Connect to the locust web interface at `http://localhost:8189` and start a load test. 17 | 18 | 19 | ## Notes on this Version: 20 | 21 | In this version, we utilize the subprocess module to execute the oqs-openssl command within Locust. Ideally, the objective should be to leverage native Python libraries. However, as of now, there are no Python libraries that support quantum-safe (QS) group for TLS 1.3. Once such libraries become available, we should prioritize recompiling Python (for add the OQS-openssl version) and using the appropriate Python libraries for this functionality. 22 | 23 | For further reference on the Locust API, please refer to the official documentation [here](https://docs.locust.io/en/stable/). 24 | 25 | ## Usage 26 | 27 | Information how to use locust: [available in the separate file USAGE.md](USAGE.md). 28 | 29 | ## Disclaimer 30 | 31 | [THIS IS NOT FIT FOR PRODUCTION USE] 32 | 33 | -------------------------------------------------------------------------------- /locust/USAGE.md: -------------------------------------------------------------------------------- 1 | ## Purpose 2 | This directory contains a Dockerfile that builds the [OpenSSL v3](https://github.com/openssl/openssl) [OQS provider](https://github.com/open-quantum-safe/oqs-provider), and Python3 which allows locust to negotiate quantum-safe keys in TLS 1.3. 3 | 4 | ## Start 5 | 1) Run `docker build -t oqs-locust:0.0.1 .` to create a post quantum-enabled Locust docker image. 6 | 2) To verify all components perform quantum-safe operations, first start the container with docker compose, setting all environment variables as needed. For example: 7 | ``` 8 | LOGGER_LEVEL=DEBUG HOST=https://YOUR_QS_HOST:4433 GROUP=kyber1024 docker compose up --scale worker=8 9 | ``` 10 | 3) Connect to the locust web interface at `http://localhost:8189` and start a load test. 11 | 12 | By default, Locust supports all algorithms supported by the OQS openssl. 13 | 14 | Some environments variables you need to know 15 | - LOGGER_LEVEL: Set the log level for the locust master and worker. Default is ERROR. 16 | - HOST: Set the host to test. Default is https://test:4433 17 | - WORKERS: Set the number of workers. Default is 8. Ideally, the number of workers should be the same as the number of cores in the machine. 18 | - MASTER_PORT: Set the port for the master. Default is 8189. 19 | - GROUP: Set the key exchange scheme for openssl. Default is kyber768. 20 | 21 | In Locust web server, you need to set 2 variables: 22 | - Number of users to simulate: The number of users to simulate that will hit the server. 23 | - Hatch rate: The rate per second in which users are spawned. 24 | 25 | After that, you can start the test: 26 | 27 | STATISTICS 28 | ![img.png](images/img.png) 29 | 30 | CHARTS 31 | ![img.png](images/img_charts.png) 32 | 33 | ### HOW TO CREATE A PERFORMANCE SCENARIO IN LOCUST 34 | 35 | Using Locust, you can configure a performance scenario. For this, you can use the following structure. Note: This is just a basic example, and the real implementation might use subprocess and openssl to handle post-quantum cryptographic curves, as in the actual [locustfile.py](scenarios/locustfile.py). 36 | 37 | ```python 38 | from locust import HttpUser, TaskSet, task, between 39 | class UserBehavior(TaskSet): 40 | # on_start is called when a Locust starts, before any task is scheduled 41 | def on_start(self): 42 | self.index() 43 | self.about() 44 | 45 | # tasks is a list of tasks that a Locust will choose from to execute 46 | # tasks are chosen with the weighted_task_set attribute 47 | @task(1) 48 | def index(self): 49 | self.client.get("/") 50 | 51 | # in this case the about task is twice as likely to be chosen as the index task 52 | @task(2) 53 | def about(self): 54 | self.client.get("/about/") 55 | 56 | 57 | -------------------------------------------------------------------------------- /locust/docker-compose.yaml: -------------------------------------------------------------------------------- 1 | version: '3' 2 | 3 | services: 4 | master: 5 | image: oqs-locust:0.0.1 6 | volumes: 7 | - .:/mnt/locust 8 | ports: 9 | - ${MASTER_HTTP_PORT:-8189}:8089 10 | environment: 11 | - LOGGER_LEVEL=${LOGGER_LEVEL:-ERROR} 12 | - GROUP=${GROUP:-kyber768} 13 | logging: 14 | options: 15 | max-size: "50m" 16 | command: locust -f /mnt/locust/scenarios/locustfile.py --master --host ${HOST:-https://test:4433} 17 | 18 | worker: 19 | image: oqs-locust:0.0.1 20 | volumes: 21 | - .:/mnt/locust 22 | environment: 23 | - LOGGER_LEVEL=${LOGGER_LEVEL:-ERROR} 24 | - GROUP=${GROUP:-kyber768} 25 | - HOST=${HOST:-https://test:4433} 26 | logging: 27 | options: 28 | max-size: "50m" 29 | command: locust -f /mnt/locust/scenarios/locustfile.py --worker --master-host ${MASTER_HOST:-master} 30 | -------------------------------------------------------------------------------- /locust/images/img.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/open-quantum-safe/oqs-demos/e8110afa4dda5e0fab89dd6aeba4451ffd594e03/locust/images/img.png -------------------------------------------------------------------------------- /locust/images/img_charts.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/open-quantum-safe/oqs-demos/e8110afa4dda5e0fab89dd6aeba4451ffd594e03/locust/images/img_charts.png -------------------------------------------------------------------------------- /locust/requirements.txt: -------------------------------------------------------------------------------- 1 | locust==2.31.6 2 | liboqs==0.9.1 3 | psutil==6.0.0 4 | -------------------------------------------------------------------------------- /locust/scenarios/locustfile.py: -------------------------------------------------------------------------------- 1 | import logging 2 | import os 3 | import subprocess 4 | import time 5 | 6 | from locust import HttpUser, task, between 7 | from urllib.parse import urlparse 8 | 9 | 10 | url = str(os.environ.get("HOST")) 11 | parsed_url = urlparse(url) 12 | host = parsed_url.hostname 13 | port = parsed_url.port 14 | 15 | logger_level = str(os.environ.get("LOGGER_LEVEL")) 16 | logger = logging.getLogger(__name__) 17 | logger.setLevel(logger_level) 18 | 19 | group = str(os.environ.get("GROUP")) 20 | 21 | class QscNginxUser(HttpUser): 22 | wait_time = between(1, 2) 23 | 24 | def on_start(self): 25 | self.client.base_url = host 26 | logger.info("Starting Locust test using OpenSSL for TLS connection") 27 | 28 | def make_post_quantum_request_with_openssl(self, endpoint): 29 | try: 30 | logger.debug(f"Making request to {url}{endpoint} with group {group}") 31 | host_and_port = host + ":" + str(port) 32 | http_headers="Post-quantum" 33 | request_name = f"Group {group} {endpoint}" 34 | 35 | start = time.time() 36 | result = subprocess.run( 37 | ["openssl", "s_client", "-groups", group, "-connect", host_and_port, "-ign_eof"], 38 | input=f"GET {endpoint} HTTP/1.1\r\n" 39 | f"Host: {host}\r\n" 40 | f"User-Agent: {http_headers}\r\n" 41 | f"Connection: close\r\n\r\n", 42 | capture_output=True, text=True 43 | ) 44 | total = int((time.time() - start) * 1000) 45 | logger.debug(f"result: {result.stdout}") 46 | response_output = result.stdout 47 | content_length = 0 48 | headers, _, body = response_output.partition("\r\n\r\n") 49 | for line in headers.splitlines(): 50 | if line.lower().startswith("content-length:"): 51 | content_length = int(line.split(":")[1].strip()) 52 | break 53 | if result.returncode == 0: 54 | logger.debug(f"Request to {endpoint} succeeded") 55 | logger.debug(f"Response:\n{result.stdout}") 56 | self.environment.events.request.fire( 57 | request_type="GET", 58 | name=request_name, 59 | response_time=total, 60 | response_length=content_length, 61 | exception=None, 62 | ) 63 | else: 64 | logger.error(f"Request to {endpoint} failed with return code {result.returncode}") 65 | logger.error(f"Error:\n{result.stderr}") 66 | self.environment.events.request.fire( 67 | request_type="GET", 68 | name=host+endpoint, 69 | response_time=total, 70 | response_length=content_length, 71 | exception=f"Error Code: {result.returncode} - {result.stderr}" 72 | ) 73 | 74 | except subprocess.CalledProcessError as e: 75 | logger.error(f"Error executing OpenSSL command: {e}") 76 | 77 | # Change the following methods to use the make_post_quantum_request_with_openssl method where 78 | # first parameter is the endpoint and the second parameter is the group (kyber768 by default) 79 | @task(1) 80 | def post_quantum_customers(self): 81 | self.make_post_quantum_request_with_openssl("/customers") 82 | 83 | @task(1) 84 | def post_quantum_devices(self): 85 | self.make_post_quantum_request_with_openssl("/devices") 86 | 87 | 88 | 89 | -------------------------------------------------------------------------------- /mosquitto/README.md: -------------------------------------------------------------------------------- 1 | This directory contains a Dockerfile that builds [Mosquitto](https://mosquitto.org) using OpenSSL v3 using the [OQS provider](https://github.com/open-quantum-safe/oqs-provider), which allows `Moquitto` to negotiate quantum-safe keys and use quantum-safe authentication in TLS 1.3. 2 | 3 | ## Background 4 | 5 | [Eclipse Mosquitto](https://mosquitto.org) is an open source (EPL/EDL licensed) message broker that implements the MQTT protocol versions 5.0, 3.1.1 and 3.1. Mosquitto is lightweight and is suitable for use on all devices from low power single board computers to full servers. 6 | 7 | The MQTT protocol provides a lightweight method of carrying out messaging using a publish/subscribe model. This makes it suitable for Internet of Things messaging such as with low power sensors or mobile devices such as phones, embedded computers or microcontrollers. 8 | 9 | The following provides some introduction to Mosquitto: 10 | 11 | - Introduction: [Beginners Guide To The MQTT Protocol](http://www.steves-internet-guide.com/mqtt/) 12 | - Usage: [Mosquitto MQTT Broker](http://www.steves-internet-guide.com/mosquitto-broker/), [Using The Mosquitto_pub and Mosquitto_sub MQTT Client Tools- Examples](http://www.steves-internet-guide.com/mosquitto_pub-sub-clients/) 13 | - Man pages: [Mosquitto Man Pages](https://mosquitto.org/documentation/) 14 | 15 | ## Getting started 16 | 17 | [Install Docker](https://docs.docker.com/install) and run the following simplified commands in this directory: 18 | 19 | 1. `docker build -t oqs-mosquitto .` This will generate the image with a default QSC algorithm (key exchange: kyber768:p384_kyber768, authentication: dilithium3 -- see Dockerfile to change). 20 | 2. `docker run -it --rm --name oqs-mosquitto -p 8883:8883 oqs-mosquitto` 21 | 22 | This will start a docker container that has mosquitto MQTT broker listening for TLS 1.3 connections on port 8883. 23 | 24 | ## Usage 25 | 26 | Complete information on how to use the image is [available in the separate file USAGE.md](USAGE.md). 27 | 28 | ## Build options 29 | 30 | The Dockerfile allows for significant customization of the built image: 31 | 32 | ### OPENSSL_TAG 33 | 34 | Tag of `openssl` release to be used. 35 | 36 | ### LIBOQS_TAG 37 | 38 | Tag of `liboqs` release to be used. 39 | 40 | ### OQSPROVIDER_TAG 41 | 42 | Tag of `oqsprovider` release to be used. 43 | 44 | ### LIBOQS_BUILD_DEFINES 45 | 46 | This permits changing the build options for the underlying library with the quantum safe algorithms. All possible options are documented [here](https://github.com/open-quantum-safe/liboqs/wiki/Customizing-liboqs). 47 | 48 | By default, the image is built such as to have maximum portability regardless of CPU type and optimizations available, i.e. to run on the widest possible range of cloud machines. 49 | 50 | ### SIG_ALG 51 | 52 | This defines the quantum-safe cryptographic signature algorithm for the internally generated (demonstration) CA and server certificates. 53 | 54 | The default value is 'dilithium3' but can be set to any value documented [here](https://github.com/open-quantum-safe/oqs-provider#algorithms). 55 | 56 | ### KEM_ALGLIST 57 | 58 | This defines the quantum-safe key exchange mechanisms to be supported. 59 | 60 | The default value is `p384_kyber768:kyber768` but can be set to any set of colon separated values documented [here](https://github.com/open-quantum-safe/oqs-provider#algorithms). 61 | 62 | ### MOSQUITTO_TAG 63 | 64 | These define the version of Mosquitto to use, currently set to v2.0.20 65 | 66 | ### BROKER_IP 67 | 68 | This defines the IP address(or Domain Name) of the Mosquitto MQTT broker. 69 | 70 | By default this is 'localhost'. 71 | 72 | ### PUB_IP 73 | 74 | This defines the IP address(or Domain Name) of the Mosquitto MQTT publisher. 75 | 76 | By default this is 'localhost'. 77 | 78 | ### SUB_IP 79 | 80 | This defines the IP address(or Domain Name) of the Mosquitto MQTT subscriber. 81 | 82 | By default this is 'localhost'. 83 | 84 | ### EXAMPLE 85 | 86 | This defines which shell script to use. There are three shell scripts(broker-start.sh, publisher-start.sh, and subscriber-start.sh) that can be used in this directory. 87 | 88 | By default this is 'broker-start.sh'. 89 | -------------------------------------------------------------------------------- /mosquitto/USAGE.md: -------------------------------------------------------------------------------- 1 | This directory contains a Dockerfile that builds [Mosquitto](https://mosquitto.org) using OpenSSL v3 using the [OQS provider](https://github.com/open-quantum-safe/oqs-provider), which allows `Moquitto` to negotiate quantum-safe keys and use quantum-safe authentication in TLS 1.3. 2 | 3 | ## Suggested use 4 | 5 | To communicate between the server(broker) and the client(publisher and subscriber), a quantum-safe crypto client program is required. 6 | 7 | ### In a docker network 8 | 9 | We can use docker network to do a simple test. A docker network named "mosquitto-test": 10 | 11 | Create a docker network and specify a network segment 12 | ```bash 13 | docker network create --subnet=174.18.0.0/16 mosquitto-test 14 | ``` 15 | 16 | Run a Mosquitto MQTT broker 17 | ```bash 18 | docker run --network mosquitto-test --ip 174.18.0.2 -it --rm --name oqs-mosquitto-broker -e "BROKER_IP=174.18.0.2" -e "EXAMPLE=broker-start.sh" oqs-mosquitto 19 | ``` 20 | 21 | Then run a Mosquitto MQTT subscriber 22 | ```bash 23 | docker run --network mosquitto-test --ip 174.18.0.3 -it --rm --name oqs-mosquitto-subscriber -e "BROKER_IP=174.18.0.2" -e "SUB_IP=174.18.0.3" -e "EXAMPLE=subscriber-start.sh" oqs-mosquitto 24 | ``` 25 | 26 | Finally run a Mosquitto MQTT publisher 27 | ```bash 28 | docker run --network mosquitto-test --ip 174.18.0.4 -it --rm --name oqs-mosquitto-publisher -e "BROKER_IP=174.18.0.2" -e "PUB_IP=174.18.0.4" -e "EXAMPLE=publisher-start.sh" oqs-mosquitto 29 | ``` 30 | 31 | According to these steps, we can do a simple MQTT test including a broker, a subscriber, and a publisher. If you want to do more experiments, you can use other options below. 32 | 33 | By the way, the docker image has already generated a CA certificate and a CA key at build time. You can create the CA certificate and CA key yourself. 34 | 35 | ## Other usage options 36 | 37 | ### Authentication algorithm 38 | 39 | This mosquitto image is capable of supporting all quantum-safe signature algorithms listed [here](https://github.com/open-quantum-safe/oqs-provider#algorithms). If you want to control with algorithm is actually used, you can set an environment variable when running the Docker container, e.g., requesting the dilithium5 variant: 40 | 41 | ```bash 42 | docker run -it --rm --name oqs-mosquitto-demo -p 8883:8883 -e "BROKER_IP=" -e "SIG_ALG=dilithium5" oqs-mosquitto 43 | ``` 44 | 45 | ### Set the TLS_DEFAULT_GROUPS 46 | 47 | `TLS_DEFAULT_GROUPS` is an environment variable that allows selection of QSC KEMs. This supports the colon-separated list of KEM algorithms. You can only select either the complete list or subset of what was defined in `KEM_ALGLIST` when the docker image was built. 48 | 49 | ### Change Mosquitto instructions or configurations 50 | 51 | There are three shell scripts(broker-start.sh, publisher-start.sh, and subscriber-start.sh) that can be used in this directory. Use subscriber as an example: 52 | 53 | ```bash 54 | docker run -it --rm --name oqs-mosquitto-demo -p 8883:8883 -e "BROKER_IP=" -e "EXAMPLE=subscriber-start.sh" oqs-mosquitto 55 | ``` 56 | 57 | If you want to change Mosquitto's instructions, you can modify instructions to what you want in these scripts. If you also want to change Mosquitto broker's configuration file, you can modify this to what you want in 'broker-start.sh'. 58 | 59 | ### Set the IP address of the machine 60 | 61 | There are three environment variables(BROKER_IP, PUB_IP, and SUB_IP) that can be set when running the Docker container. 62 | 63 | ### docker -name and --rm options 64 | 65 | To ease rapid startup and teardown, we strongly recommend using the docker [--name](https://docs.docker.com/engine/reference/commandline/run/#assign-name-and-allocate-pseudo-tty---name--it) and automatic removal option [--rm](https://docs.docker.com/engine/reference/commandline/run/). 66 | 67 | -------------------------------------------------------------------------------- /mosquitto/broker-start.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | # This shell script is made by Chia-Chin Chung <60947091s@gapps.ntnu.edu.tw> 3 | 4 | # generate the configuration file for mosquitto 5 | echo -e " 6 | ## Listeners 7 | listener 8883 8 | max_connections -1 9 | max_qos 2 10 | protocol mqtt 11 | 12 | ## General configuration 13 | allow_anonymous false 14 | # Comment out the following two lines if using two-way authentication 15 | #password_file /test/passwd 16 | #acl_file /test/acl 17 | 18 | ## Certificate based SSL/TLS support 19 | cafile /test/cert/CA.crt 20 | keyfile /test/cert/server.key 21 | certfile /test/cert/server.crt 22 | tls_version tlsv1.3 23 | ciphers_tls1.3 TLS_AES_128_GCM_SHA256 24 | # Comment out the following two lines if using one-way authentication 25 | require_certificate true 26 | ## Same as above 27 | use_identity_as_username true 28 | " > mosquitto.conf 29 | 30 | # generate the password file(add username and password) for the mosquitto MQTT broker 31 | mosquitto_passwd -b -c passwd user1 1234 32 | 33 | # generate the Access Control List 34 | echo -e "user user1\ntopic readwrite test/sensor1" > acl 35 | 36 | mkdir cert 37 | 38 | # copy the CA key and the cert to the cert folder 39 | cp /test/CA.key /test/CA.crt /test/cert 40 | 41 | # generate the new server CSR using pre-set CA.key & cert 42 | openssl req -new -newkey $SIG_ALG -keyout /test/cert/server.key -out /test/cert/server.csr -nodes -subj "/O=test-server/CN=$BROKER_IP" 43 | 44 | # generate the server cert 45 | openssl x509 -req -in /test/cert/server.csr -out /test/cert/server.crt -CA /test/cert/CA.crt -CAkey /test/cert/CA.key -CAcreateserial -days 365 46 | 47 | # modify file permissions 48 | chmod 777 cert/* 49 | 50 | # execute the mosquitto MQTT broker 51 | mosquitto -c mosquitto.conf -v 52 | -------------------------------------------------------------------------------- /mosquitto/publisher-start.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | # This shell script is made by Chia-Chin Chung <60947091s@gapps.ntnu.edu.tw> 3 | 4 | mkdir cert 5 | 6 | # copy the CA key and the cert to the cert folder 7 | cp /test/CA.key /test/CA.crt /test/cert 8 | 9 | # generate the new publisher CSR using pre-set CA.key & cert 10 | openssl req -new -newkey $SIG_ALG -keyout /test/cert/publisher.key -out /test/cert/publisher.csr -nodes -subj "/O=test-publisher/CN=$PUB_IP" 11 | 12 | # generate the publisher cert 13 | openssl x509 -req -in /test/cert/publisher.csr -out /test/cert/publisher.crt -CA /test/cert/CA.crt -CAkey /test/cert/CA.key -CAcreateserial -days 365 14 | 15 | # modify file permissions 16 | chmod 777 cert/* 17 | 18 | # execute the mosquitto MQTT publisher 19 | mosquitto_pub -h $BROKER_IP -m "Hello world." -t test/sensor1 -q 0 -i "Client_pub" -d --repeat 60 --repeat-delay 1 \ 20 | --tls-version tlsv1.3 --cafile /test/cert/CA.crt \ 21 | --cert /test/cert/publisher.crt --key /test/cert/publisher.key 22 | -------------------------------------------------------------------------------- /mosquitto/subscriber-start.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | # This shell script is made by Chia-Chin Chung <60947091s@gapps.ntnu.edu.tw> 3 | 4 | mkdir cert 5 | 6 | # copy the CA key and the cert to the cert folder 7 | cp /test/CA.key /test/CA.crt /test/cert 8 | 9 | # generate the new subscriber CSR using pre-set CA.key & cert 10 | openssl req -new -newkey $SIG_ALG -keyout /test/cert/subscriber.key -out /test/cert/subscriber.csr -nodes -subj "/O=test-subscriber/CN=$SUB_IP" 11 | 12 | # generate the subscriber cert 13 | openssl x509 -req -in /test/cert/subscriber.csr -out /test/cert/subscriber.crt -CA /test/cert/CA.crt -CAkey /test/cert/CA.key -CAcreateserial -days 365 14 | 15 | # modify file permissions 16 | chmod 777 cert/* 17 | 18 | # execute the mosquitto MQTT subscriber 19 | mosquitto_sub -h $BROKER_IP -t test/sensor1 -q 0 -i "Client_sub" -d -v \ 20 | --tls-version tlsv1.3 --cafile /test/cert/CA.crt \ 21 | --cert /test/cert/subscriber.crt --key /test/cert/subscriber.key 22 | -------------------------------------------------------------------------------- /nginx/README-QUIC.md: -------------------------------------------------------------------------------- 1 | # NGINX with OQS-BoringSSL for QUIC 2 | 3 | This Docker setup provides an nginx instance configured to use OQS-BoringSSL, which supports QUIC with quantum-safe algorithms. For more information on the supported quantum-safe algorithms and how to enable additional algorithms, please refer to the following resources: 4 | 5 | - [Supported Algorithms](https://github.com/open-quantum-safe/boringssl?tab=readme-ov-file#supported-algorithms) 6 | - [Using LibOQS Algorithms Not in the Fork](https://github.com/open-quantum-safe/boringssl/wiki/Using-liboqs-algorithms-not-in-the-fork) 7 | 8 | ## Setup Instructions 9 | 10 | ### Step 1: Build the Docker Image 11 | 12 | Build the Docker image using the provided Dockerfile: 13 | 14 | ```bash 15 | docker build -t nginx-quic -f Dockerfile-QUIC . 16 | ``` 17 | 18 | ### Step 2: Run the Docker Image 19 | 20 | To run the image: 21 | 22 | - **Without Port Forwarding:** 23 | 24 | ```bash 25 | docker run -d --name nginx-quic-daemon nginx-quic 26 | ``` 27 | 28 | - **With Port Forwarding:** 29 | 30 | ```bash 31 | docker run -d -p 80:80 -p 443:443 -p 443:443/udp --name nginx-quic-daemon nginx-quic 32 | ``` 33 | 34 | ### Step 3: Access the Container 35 | 36 | To access the container, use: 37 | 38 | ```bash 39 | docker exec -it nginx-quic-daemon bash 40 | ``` 41 | 42 | Inside the container, nginx configuration files are located in `/etc/nginx`, and the nginx executable is at `/usr/sbin/nginx`. 43 | 44 | ## Configure NGINX Server Block 45 | 46 | Make sure to update `server_name`, `ssl_certificate`, `ssl_certificate_key`, and `ssl_ecdh_curve` according to your specific needs and configuration. 47 | 48 | ``` 49 | server { 50 | listen 443 ssl; 51 | listen 443 quic reuseport; 52 | listen [::]:443 ssl; 53 | listen [::]:443 quic reuseport; 54 | 55 | http2 on; 56 | http3 on; 57 | ssl_early_data on; 58 | quic_retry on; 59 | add_header Alt-Svc 'h3=":443"; ma=86400'; 60 | 61 | server_name EXAMPLE.COM; 62 | ssl_certificate /PATH/TO/SSL/CERT.PEM; 63 | ssl_certificate_key /PATH/TO/SSL/KEY.PEM; 64 | 65 | # Select a subset of supported key exchange algorithms from 66 | # https://github.com/open-quantum-safe/boringssl?tab=readme-ov-file#key-exchange 67 | ssl_ecdh_curve 'mlkem1024:bikel3:x25519_frodo640shake'; 68 | 69 | location / { 70 | root html; 71 | index index.html index.htm; 72 | } 73 | 74 | # OPTIONAL SSL CONFIGURATION 75 | ssl_session_timeout 1d; 76 | ssl_session_cache shared:MozSSL:10m; 77 | ssl_session_tickets off; 78 | ssl_protocols TLSv1.3; 79 | ssl_prefer_server_ciphers off; 80 | add_header Strict-Transport-Security "max-age=63072000" always; 81 | add_header X-Frame-Options "SAMEORIGIN" always; 82 | add_header X-XSS-Protection "1; mode=block" always; 83 | add_header X-Content-Type-Options "nosniff" always; 84 | } 85 | ``` 86 | -------------------------------------------------------------------------------- /nginx/README.md: -------------------------------------------------------------------------------- 1 | ## Purpose 2 | 3 | This directory contains a Dockerfile that builds nginx using OpenSSL3 with the [OQS provider](https://github.com/open-quantum-safe/oqs-provider), which allows nginx to negotiate quantum-safe keys and use quantum-safe authentication in TLS 1.3. For instructions on setting up and using nginx with HTTP/3 QUIC support, please refer to the [NGINX QUIC README](https://github.com/open-quantum-safe/oqs-demos/blob/main/nginx/README-QUIC.md). 4 | 5 | ## Getting started 6 | 7 | [Install Docker](https://docs.docker.com/install) and run the following commands in this directory: 8 | 9 | 1. `docker build -t oqs-nginx .` This will generate the image with a default QSC algorithm built-in (dilithium3 -- see Build options below to change this). 10 | 2. `docker run --detach --rm --name oqs-nginx -p 4433:4433 oqs-nginx` will start up the resulting container with QSC-enabled nginx running and listening for TLS 1.3 connections on port 4433. 11 | 12 | ## Usage 13 | 14 | Complete information how to use the image is [available in the separate file USAGE.md](USAGE.md). 15 | 16 | ## Build options 17 | 18 | The Dockerfile provided allows for significant customization of the image built: 19 | 20 | ### OPENSSL_TAG 21 | 22 | Tag of `openssl` release to be used. 23 | 24 | ### LIBOQS_TAG 25 | 26 | Tag of `liboqs` release to be used. 27 | 28 | ### OQSPROVIDER_TAG 29 | 30 | Tag of `oqsprovider` release to be used. 31 | 32 | ### LIBOQS_BUILD_DEFINES 33 | 34 | This permits changing the build options for the underlying library with the quantum safe algorithms. All possible options are documented [here](https://github.com/open-quantum-safe/liboqs/wiki/Customizing-liboqs). 35 | 36 | By default, the image is built such as to have maximum portability regardless of CPU type and optimizations available, i.e. to run on the widest possible range of cloud machines. 37 | 38 | ### SIG_ALG 39 | 40 | This defines the quantum-safe cryptographic signature algorithm for the internally generated (demonstration) CA and server certificates. 41 | 42 | The default value is 'dilithium3' but can be set to any signature algorithm supported by [the oqs-provider](https://github.com/open-quantum-safe/oqs-provider#algorithms). 43 | 44 | ### DEFAULT_GROUPS 45 | 46 | This defines the set of (possibly PQ) TLS 1.3 groups announced by the running server. 47 | 48 | The default value is `x25519:x448:kyber512:p256_kyber512:kyber768:p384_kyber768:kyber1024:p521_kyber1024` enabling all Kyber variants as well as two classic EC algorithms. Be sure to disable the latter if no classic crypto should be used by this `nginx` instance. For the full list of supported PQ KEM algorithms see [the oqs-provider algorithm documentation](https://github.com/open-quantum-safe/oqs-provider#algorithms). 49 | 50 | ### BASEDIR 51 | 52 | This defines the resultant base location of the installatiion. 53 | 54 | By default this is '/opt'. Changing this invalidates some paths in the [usage documentation](USAGE.md). 55 | 56 | ### INSTALLDIR 57 | 58 | This defines the resultant location of the installatiion. 59 | 60 | By default this is '/opt/nginx'. Changing this invalidates some paths in the [usage documentation](USAGE.md). 61 | 62 | ### NGINX_VERSION 63 | 64 | This defines the nginx software version to be build into the image. 65 | 66 | The default version set is known to work OK but one could try any value available [for download](https://nginx.org/en/download.html). 67 | 68 | ### MAKE_DEFINES 69 | 70 | Allow setting parameters to `make` operation, e.g., '-j nnn' where nnn defines the number of jobs run in parallel during build. 71 | 72 | The default is conservative and known not to overload normal machines. If one has a very powerful (many cores, >64GB RAM) machine, passing larger numbers (or only '-j' for maximum parallelism) speeds up building considerably. 73 | 74 | ### ALPINE_VERSION 75 | 76 | The version of the `alpine` docker image to to be used. 77 | -------------------------------------------------------------------------------- /nginx/fulltest/OsslAlgParser.scala: -------------------------------------------------------------------------------- 1 | // Parses the output of OpenSSL propquery security_bits from oqs-provider, 2 | // and generates a sorted array of signatures/kems to be used by genconfig.py 3 | object OsslAlgParser { 4 | import scala.annotation.tailrec 5 | 6 | val providerName = "oqsprovider" 7 | 8 | case class AlgSec(alg: String, seclevel: Int) { 9 | override def toString: String = s"('$alg', $seclevel)" 10 | } 11 | 12 | val defaultSigs = List(AlgSec("ecdsap256", 0), AlgSec("rsa3072", 0)) 13 | 14 | @tailrec def readLines(line: String, in: List[AlgSec], seclevel: Option[Int]): List[AlgSec] = line match { 15 | case null => 16 | in 17 | case l if l.contains("seclevel") => 18 | val newSeclevel = Some(l.split(":")(1).toInt) 19 | readLines(scala.io.StdIn.readLine(), in, newSeclevel) 20 | case l => 21 | val out = line.split(" @ ").map(_.trim) match { 22 | case i if i.length == 2 && i(1) == providerName => AlgSec(i(0), seclevel.get) :: in 23 | case _ => in 24 | } 25 | readLines(scala.io.StdIn.readLine(), out, seclevel) 26 | } 27 | 28 | def main(args: Array[String]): Unit = { 29 | if (args.length < 1) { 30 | println("Usage: ") 31 | System.exit(0) 32 | } 33 | val kemsig = args(0) 34 | val schemes = readLines(scala.io.StdIn.readLine(), List[AlgSec](), None) 35 | val sorted = schemes.sortBy(i => { 36 | val spl = i.alg.split("_") 37 | (spl.length, spl.last, spl.head) 38 | }) 39 | val fulllist = if (kemsig == "signatures") defaultSigs ++ sorted else sorted 40 | val schemeStr = s"$kemsig = [\n${fulllist.map(i => s" $i").mkString(",\n")}\n]" 41 | println(schemeStr) 42 | } 43 | } 44 | -------------------------------------------------------------------------------- /nginx/fulltest/README.md: -------------------------------------------------------------------------------- 1 | # Scripts to generate OQS test server 2 | 3 | This folder contains all scripts to [build a QSC-enabled nginx server running on ubuntu](build_ubuntu.sh) as well as generating all configuration files for running an interoperability test server: Running [python3 genconfig.py](genconfig.py) generates a local/self-signed root CA, all QSC certificates signed by this root CA for the currently supported list of QSC algorithms and the required nginx-server configuration file for a server running at the configured TESTFQDN server address. 4 | 5 | *Note*: These scripts assume 6 | - coherent definition of test server FQDN as TESTFQDN in `genconfig.py` and `ext-csr.conf` files: By default "test.openquantumsafe.org" is set. 7 | - presence of oqs-openssl common definitions file `common.py` (as stored at https://raw.githubusercontent.com/open-quantum-safe/oqs-provider/main/scripts/common.py). 8 | - presence of Docker on the build machine to run the build process, the guest OS needs to be able to mount host directories for Docker (i.e. on Linux, SELinux permissions might be needed). 9 | - presence on the target deploy server (i.e., at the machine designated at TESTFQDN) of a properly deployed [LetsEncrypt server certificate](https://letsencrypt.org/getting-started). 10 | - (optional) presence of a root CA certificate and key in `rootca/CA.crt` and `rootca/CA.key`, respectively. If the directory `rootca` is not present on the build machine, a new root CA will be generated by the build script. 11 | 12 | By default, the server is built to a specific set of versions of `liboqs`, `openssl`, `oqs-provider` and `nginx`. These versions are encoded in `build-ubuntu.sh` and may be changed/upgraded there. 13 | 14 | ### HOWTO 15 | 16 | #### Build and deploy test server 17 | 18 | On build machine run 19 | 20 | ``` 21 | ./build-ubuntu.sh 22 | scp oqs-nginx-{LIBOQS_VERSION}.tgz yourid@yourserver:yourpath 23 | ``` 24 | 25 | At 'yourserver' run: 26 | ``` 27 | cd / && tar xzvf yourpath/oqs-nginx-{LIBOQS_VERSION}.tgz 28 | cd /opt/nginx 29 | /opt/nginx/sbin/nginx -c interop.conf 30 | ``` 31 | 32 | Note that, the oqs-nginx-{LIBOQS_VERSION}.tgz package contains all required configuration files and QSC certificates. **Unpacking the archive may overwrite an existing installation's configuration files. Use with care on a live server.** 33 | 34 | #### Activation 35 | 36 | Execute `OPENSSL_CONF=/opt/openssl/.openssl/ssl/openssl.cnf /opt/nginx/sbin/nginx -c /opt/nginx/interop.conf` to start the test server. 37 | 38 | *Note*: From nginx version 1.25.2, nginx does not try to load OpenSSL configuration if the --with-openssl option was used to build OpenSSL. We therefore have to set the `OPENSSL_CONF` environment variable when activating nginx. 39 | 40 | *Note*: As the server may open many ports, the server may need to be configured to permit this, e.g., using `ulimit -S -n 4096`. 41 | 42 | #### Test run 43 | 44 | The `testrun.sh` script runs test connections against all ports configured by the server. To run the script, execute `testrun.sh openquantumsafe/curl:`. The compatible `` tag corresponds to `LIBOQS_VERSION` configured in the [Dockerfile](https://github.com/open-quantum-safe/oqs-demos/blob/main/nginx/fulltest/Dockerfile). 45 | -------------------------------------------------------------------------------- /nginx/fulltest/build_ubuntu.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | # Runs a docker build and packages the results as a tgz. 4 | 5 | # Get dependency (available after PR#..) 6 | #wget https://raw.githubusercontent.com/open-quantum-safe/oqs-provider/main/scripts/common.py 7 | 8 | # Build package 9 | docker build --no-cache -t oqs-nginx-fulltest-provider . 10 | 11 | # Copy deployment tar from image 12 | docker cp $(docker create oqs-nginx-fulltest-provider:latest):oqs-nginx-0.12.0.tgz . 13 | 14 | # Copy root ca tar from image 15 | docker cp $(docker create oqs-nginx-fulltest-provider:latest):oqs-testserver-rootca-0.12.0.tgz . 16 | -------------------------------------------------------------------------------- /nginx/fulltest/chromium-template: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 21 | Open Quantum Safe interop test server for quantum-safe cryptography - Chromium overview 22 | 23 | 24 |

Open Quantum Safe interop test server for quantum-safe cryptography

25 |

Purpose

26 | 27 |

This server is an NGINX instance enhanced with support for quantum-safe cryptography (QSC) using software packages provided by the Open Quantum Safe project (OQS).

28 | 29 |

In order to provide a means for clients to test interoperability with this QSC-enhanced software and the QSC algorithms contained it features separate ports for all QSC signature/key exchange algorithm combinations supported by the current OQS distribution. This page focuses on the algorithms supported by the OQS-enabled Chromium browser build.

30 | 31 |

Specification details

32 | 33 |

This nginx server supports

34 |
    35 |
  • the TLS1.3 specification with QSC enhancement as specified in https://tools.ietf.org/html/draft-ietf-tls-hybrid-design-06
    • 36 |
  • Code points/curve IDs of KEM algorithms are implemented with the highest numbers available for each algorithm listed here.
    • 37 |
  • Code points/OIDs of SIG algorithms are implemented with the highest numbers available for each algorithm as listed here.
    • 38 |
39 | 40 |

This corresponds to the OQS release version LIBOQS_RELEASE and oqs-provider version OQSPROVIDER_RELEASE.

41 | 42 |

These specifications should not be taken as a standard, de facto and otherwise, and are subject to change at any time.

43 | 44 |

Use the OQS-enabled Chromium build to access this web page. As per the limitations concerning supported algorithms as documented here, only the KEM algorithm combinations listed below will function (P256_BIKEL1, P256_FRODO640AES, P256_KYBER90S512, P256_NTRU_HPS2048509, P256_LIGHTSABER) and no hybrid signature algorithms are supported. 45 | 46 |

More details are available at Github.

47 | 48 |

An alternative view to all supported algorithms is available at this web page.

49 | 50 |

Caveats

51 | 52 |
    53 |
  1. This test server by no means should be taken as containing production-ready software. See disclaimer. Its purpose is simply to provide a best-effort facility to allow anyone to "test-drive" QSC software packages including testing protocol level interoperability.
    2. 54 | 55 |
56 | 57 |

Certificates

58 | 59 |

Each test port provides TLS server authentication using a server certificate generated using the listed QSC-signature algorithm. All server certificates are signed by a common CA certificate using conventional (RSA) cryptography. This certificate is available for download here.

60 | 61 |

List of all supported QSC Signature / Key Exchange algorithms for use by OQS-enabled Chromium

62 | 63 |

The list below provides links to the entry points of all OQS signature / key exchange algorithm combinations supported by the OQS-Chromium build.

64 | 65 | 66 | 67 | 68 | 69 | 70 | 71 | 72 | -------------------------------------------------------------------------------- /nginx/fulltest/ext-csr.conf: -------------------------------------------------------------------------------- 1 | [req] 2 | distinguished_name = req_distinguished_name 3 | req_extensions = v3_req 4 | prompt = no 5 | 6 | [req_distinguished_name] 7 | CN = test.openquantumsafe.org 8 | 9 | [v3_intermediate_ca] 10 | basicConstraints = critical, CA:true, pathlen:0 11 | keyUsage = critical, digitalSignature, cRLSign, keyCertSign 12 | subjectKeyIdentifier = hash 13 | authorityKeyIdentifier = keyid:always 14 | certificatePolicies = 2.5.29.32.0 15 | extendedKeyUsage = clientAuth, serverAuth 16 | 17 | [v3_req] 18 | basicConstraints = critical, CA:FALSE 19 | keyUsage = critical, digitalSignature 20 | extendedKeyUsage = serverAuth 21 | subjectKeyIdentifier = hash 22 | authorityKeyIdentifier = keyid:always 23 | subjectAltName = @alt_names 24 | certificatePolicies=2.23.140.1.2.1 25 | 26 | [alt_names] 27 | DNS.1 = test.openquantumsafe.org 28 | -------------------------------------------------------------------------------- /nginx/fulltest/ngx_event_openssl.patch: -------------------------------------------------------------------------------- 1 | diff --git a/src/event/ngx_event_openssl.c b/src/event/ngx_event_openssl.c 2 | index c38aa27f1..82debe09b 100644 3 | --- a/src/event/ngx_event_openssl.c 4 | +++ b/src/event/ngx_event_openssl.c 5 | @@ -5102,17 +5102,31 @@ ngx_ssl_get_curve(ngx_connection_t *c, ngx_pool_t *pool, ngx_str_t *s) 6 | #ifdef SSL_get_negotiated_group 7 | 8 | int nid; 9 | +#if (OPENSSL_VERSION_NUMBER >= 0x30000000L) 10 | + const char *grpname; 11 | +#endif 12 | 13 | nid = SSL_get_negotiated_group(c->ssl->connection); 14 | +#if (OPENSSL_VERSION_NUMBER >= 0x30000000L) 15 | + grpname = SSL_group_to_name(c->ssl->connection, nid); 16 | +#endif 17 | 18 | if (nid != NID_undef) { 19 | 20 | +#if (OPENSSL_VERSION_NUMBER >= 0x30000000L) 21 | + if (grpname != NULL) { 22 | + s->len = ngx_strlen(grpname); 23 | + s->data = (u_char *) grpname; 24 | + return NGX_OK; 25 | + } 26 | +#else 27 | if ((nid & TLSEXT_nid_unknown) == 0) { 28 | s->len = ngx_strlen(OBJ_nid2sn(nid)); 29 | s->data = (u_char *) OBJ_nid2sn(nid); 30 | return NGX_OK; 31 | } 32 | 33 | +#endif 34 | s->len = sizeof("0x0000") - 1; 35 | 36 | s->data = ngx_pnalloc(pool, s->len); 37 | @@ -5140,6 +5154,9 @@ ngx_ssl_get_curves(ngx_connection_t *c, ngx_pool_t *pool, ngx_str_t *s) 38 | int *curves, n, i, nid; 39 | u_char *p; 40 | size_t len; 41 | +#if (OPENSSL_VERSION_NUMBER >= 0x30000000L) 42 | + const char *grpname; 43 | +#endif 44 | 45 | n = SSL_get1_curves(c->ssl->connection, NULL); 46 | 47 | @@ -5156,12 +5173,23 @@ ngx_ssl_get_curves(ngx_connection_t *c, ngx_pool_t *pool, ngx_str_t *s) 48 | for (i = 0; i < n; i++) { 49 | nid = curves[i]; 50 | 51 | +#if (OPENSSL_VERSION_NUMBER >= 0x30000000L) 52 | + grpname = SSL_group_to_name(c->ssl->connection, nid); 53 | + 54 | + if (grpname == NULL) { 55 | + len += sizeof("0x0000") - 1; 56 | + 57 | + } else { 58 | + len += ngx_strlen(grpname); 59 | + } 60 | +#else 61 | if (nid & TLSEXT_nid_unknown) { 62 | len += sizeof("0x0000") - 1; 63 | 64 | } else { 65 | len += ngx_strlen(OBJ_nid2sn(nid)); 66 | } 67 | +#endif 68 | 69 | len += sizeof(":") - 1; 70 | } 71 | @@ -5176,12 +5204,22 @@ ngx_ssl_get_curves(ngx_connection_t *c, ngx_pool_t *pool, ngx_str_t *s) 72 | for (i = 0; i < n; i++) { 73 | nid = curves[i]; 74 | 75 | +#if (OPENSSL_VERSION_NUMBER >= 0x30000000L) 76 | + grpname = SSL_group_to_name(c->ssl->connection, nid); 77 | + if (grpname == NULL) { 78 | + p = ngx_sprintf(p, "0x%04xd", nid & 0xffff); 79 | + 80 | + } else { 81 | + p = ngx_sprintf(p, "%s", grpname); 82 | + } 83 | +#else 84 | if (nid & TLSEXT_nid_unknown) { 85 | p = ngx_sprintf(p, "0x%04xd", nid & 0xffff); 86 | 87 | } else { 88 | p = ngx_sprintf(p, "%s", OBJ_nid2sn(nid)); 89 | } 90 | +#endif 91 | 92 | *p++ = ':'; 93 | } 94 | 95 | -------------------------------------------------------------------------------- /nginx/fulltest/success.htm: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | Open Quantum Safe interop test server for quantum-safe cryptography 5 | 6 | 7 |

8 | Successfully connected using 9 | -! 10 |

11 | 12 | Client-side KEM algorithm(s) indicated: 13 | 14 | 15 | 16 | 17 | -------------------------------------------------------------------------------- /nginx/fulltest/testrun.py: -------------------------------------------------------------------------------- 1 | import json 2 | import sys 3 | import subprocess 4 | import os 5 | 6 | # Parameter checks already done in shellscript 7 | 8 | with open("assignments.json", "r") as f: 9 | jsoncontents = f.read(); 10 | 11 | assignments = json.loads(jsoncontents) 12 | for sig in assignments: 13 | print("Testing %s:" % (sig)) 14 | for kem in assignments[sig]: 15 | # assemble testing command 16 | cmd = "docker run -v "+os.path.abspath(os.getcwd())+"/ca:/ca -it "+sys.argv[1]+" curl --cacert /ca/CA.crt https://test.openquantumsafe.org:"+str(assignments[sig][kem]) 17 | if kem!="*": # don't prescribe KEM 18 | cmd=cmd+" --curves "+kem 19 | dockerrun = subprocess.run(cmd.split(" "),stdout=subprocess.PIPE,stderr=subprocess.PIPE) 20 | if dockerrun.returncode != 0 or not (b"Successfully" in dockerrun.stdout): 21 | print("Error executing %s (Output: %s). Terminating." % (cmd, dockerrun.stdout)) 22 | exit(1) 23 | else: 24 | print(" Tested KEM %s successfully." % (kem)) 25 | print(" Successfully concluded testing "+sig) 26 | print("All tests successfully passed.") 27 | 28 | 29 | -------------------------------------------------------------------------------- /nginx/fulltest/testrun.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | # Arg1 is docker image to use as client 4 | if [ "$#" -ne 1 ]; then 5 | echo "Usage: ${0} . Exiting." 6 | exit 1 7 | fi 8 | 9 | # prepare test 10 | rm -rf ca assignments.json* 11 | mkdir ca 12 | # pull current CA cert 13 | cd ca 14 | wget https://test.openquantumsafe.org/CA.crt 15 | cd .. 16 | 17 | # pull list of algs/ports 18 | wget https://test.openquantumsafe.org/assignments.json 19 | 20 | # execute test 21 | python3 testrun.py ${1} 22 | -------------------------------------------------------------------------------- /nginx/nginx-conf/nginx-quic.conf: -------------------------------------------------------------------------------- 1 | 2 | #user nobody; 3 | worker_processes 1; 4 | 5 | events { 6 | worker_connections 1024; 7 | } 8 | 9 | http { 10 | include mime.types; 11 | default_type application/octet-stream; 12 | sendfile on; 13 | keepalive_timeout 65; 14 | gzip on; 15 | 16 | server { 17 | listen 443 ssl; 18 | listen 443 quic reuseport; 19 | listen [::]:443 ssl; 20 | listen [::]:443 quic reuseport; 21 | 22 | http2 on; 23 | http3 on; 24 | ssl_early_data on; 25 | quic_retry on; 26 | add_header Alt-Svc 'h3=":443"; ma=86400'; 27 | 28 | server_name host.docker.internal; 29 | ssl_certificate /certs/server.crt; 30 | ssl_certificate_key /certs/server.key; 31 | 32 | ssl_ecdh_curve 'mlkem1024:bikel3:x25519_frodo640shake'; 33 | 34 | location / { 35 | add_header Content-Type text/plain; 36 | return 200 'OK'; 37 | } 38 | 39 | ssl_session_timeout 1d; 40 | ssl_session_cache shared:MozSSL:10m; 41 | ssl_session_tickets off; 42 | ssl_protocols TLSv1.3; 43 | ssl_prefer_server_ciphers off; 44 | add_header Strict-Transport-Security "max-age=63072000" always; 45 | add_header X-Frame-Options "SAMEORIGIN" always; 46 | add_header X-XSS-Protection "1; mode=block" always; 47 | add_header X-Content-Type-Options "nosniff" always; 48 | } 49 | } 50 | -------------------------------------------------------------------------------- /nginx/nginx-conf/nginx.conf: -------------------------------------------------------------------------------- 1 | 2 | #user nobody; 3 | worker_processes auto; 4 | 5 | #pid logs/nginx.pid; 6 | 7 | 8 | events { 9 | worker_connections 1024; 10 | } 11 | 12 | 13 | http { 14 | include ../conf/mime.types; 15 | default_type application/octet-stream; 16 | 17 | #log_format main '$remote_addr - $remote_user [$time_local] "$request" ' 18 | # '$status $body_bytes_sent "$http_referer" ' 19 | # '"$http_user_agent" "$http_x_forwarded_for"'; 20 | 21 | #access_log logs/access.log main; 22 | 23 | sendfile on; 24 | #tcp_nopush on; 25 | 26 | #keepalive_timeout 0; 27 | keepalive_timeout 65; 28 | 29 | #gzip on; 30 | 31 | # also start up plain server for test purposes but do not expose by default in docker image 32 | server { 33 | listen 8080; 34 | server_name localhost; 35 | 36 | #charset koi8-r; 37 | 38 | #access_log logs/host.access.log main; 39 | 40 | location / { 41 | root html; 42 | index index.html index.htm; 43 | } 44 | 45 | #error_page 404 /404.html; 46 | 47 | # redirect server error pages to the static page /50x.html 48 | # 49 | error_page 500 502 503 504 /50x.html; 50 | location = /50x.html { 51 | root html; 52 | } 53 | 54 | # proxy the PHP scripts to Apache listening on 127.0.0.1:80 55 | # 56 | #location ~ \.php$ { 57 | # proxy_pass http://127.0.0.1; 58 | #} 59 | 60 | # pass the PHP scripts to FastCGI server listening on 127.0.0.1:9000 61 | # 62 | #location ~ \.php$ { 63 | # root html; 64 | # fastcgi_pass 127.0.0.1:9000; 65 | # fastcgi_index index.php; 66 | # fastcgi_param SCRIPT_FILENAME /scripts$fastcgi_script_name; 67 | # include fastcgi_params; 68 | #} 69 | 70 | # deny access to .htaccess files, if Apache's document root 71 | # concurs with nginx's one 72 | # 73 | #location ~ /\.ht { 74 | # deny all; 75 | #} 76 | } 77 | 78 | 79 | # another virtual host using mix of IP-, name-, and port-based configuration 80 | # 81 | #server { 82 | # listen 8000; 83 | # listen somename:8080; 84 | # server_name somename alias another.alias; 85 | 86 | # location / { 87 | # root html; 88 | # index index.html index.htm; 89 | # } 90 | #} 91 | 92 | 93 | # HTTPS server 94 | # 95 | server { 96 | listen 0.0.0.0:4433 ssl; 97 | 98 | access_log /opt/nginx/logs/access.log; 99 | error_log /opt/nginx/logs/error.log; 100 | 101 | ssl_certificate /opt/nginx/pki/server.crt; 102 | ssl_certificate_key /opt/nginx/pki/server.key; 103 | 104 | ssl_session_cache shared:SSL:1m; 105 | ssl_session_timeout 5m; 106 | 107 | ssl_protocols TLSv1.3; 108 | # You could select a subset of supported KEMs from https://github.com/open-quantum-safe/liboqs#supported-algorithms 109 | # Example (longer strings not supported by nginx!): 110 | # ssl_ecdh_curve oqs_kem_default:frodo976shake:frodo1344shake:p256_kyber512:kyber768:kyber1024:ntru_hps2048509:ntru_hps2048677:ntru_hrss701:lightsaber:saber:kyber512:X25519; 111 | 112 | location / { 113 | root html; 114 | index index.html index.htm; 115 | } 116 | } 117 | 118 | } 119 | -------------------------------------------------------------------------------- /ngtcp2/README.md: -------------------------------------------------------------------------------- 1 | ## Purpose 2 | This directory contains Dockerfiles that build the [ngtcp2](https://github.com/ngtcp2/ngtcp2) server and client with [quictls](https://github.com/quictls/openssl) and [OQS provider](https://github.com/open-quantum-safe/oqs-provider), which allows ngtcp2 to negotiate quantum-safe keys in TLS 1.3. 3 | 4 | 5 | 6 | ## Getting started 7 | 8 | ## Server 9 | ### Building 10 | Assuming Docker is [installed](https://docs.docker.com/install) the following command 11 | 12 | ``` 13 | docker build -t ngtcp2-server -f Dockerfile-server . 14 | docker network create ngtcp2-test 15 | docker run -it --network ngtcp2-test --name ngtcp2server ngtcp2-server 16 | ``` 17 | 18 | will build and run the container for the quantum-safe crypto (QSC) protected ngtcp2 server on the Docker network called ngtcp2-test. 19 | 20 | ### Usage 21 | Documentation for using the server docker image is contained in the separate [USAGE-server.md](./USAGE-server.md) file. 22 | 23 | ## Client 24 | ### Building 25 | The following commands 26 | 27 | ``` 28 | docker build -t ngtcp2-client -f Dockerfile-client . 29 | docker run --network ngtcp2-test --name ngtcp2client -it ngtcp2-client sh 30 | ``` 31 | 32 | will build and run the container for the QSC-enabled ngtcp2 client on the same network as the server. 33 | ### Usage 34 | Documentation for using the client docker image is contained in the separate [USAGE-client.md](./USAGE-client.md) file. 35 | 36 | 37 | ## Disclaimer 38 | 39 | [THIS IS NOT FIT FOR PRODUCTION USE](https://github.com/open-quantum-safe/liboqs#limitations-and-security). 40 | -------------------------------------------------------------------------------- /ngtcp2/USAGE-client.md: -------------------------------------------------------------------------------- 1 | ## Purpose 2 | 3 | This is a [ngtcp2](https://github.com/ngtcp2/ngtcp2) client docker image building on [quictls](https://github.com/quictls/openssl) and [OQS provider](https://github.com/open-quantum-safe/oqs-provider), which allows ngtcp2 to negotiate quantum-safe keys in TLS 1.3. 4 | 5 | ## Quick start 6 | Assuming Docker is [installed](https://docs.docker.com/install) the following command 7 | 8 | ``` 9 | docker run --network ngtcp2-test --name ngtcp2client -it openquantumsafe/ngtcp2-client sh 10 | ``` 11 | 12 | will run the container for the quantum-safe crypto (QSC) protected ngtcp2 client on the docker network called ngtcp2-test (assuming it has already been created. If not, run `docker network create ngtcp2-test 13 | `). 14 | 15 | ### ngtcp2 client 16 | To interact with the ngtcp2 server, run 17 | ``` 18 | qtlsclient
[][--groups ] 19 | ``` 20 | 21 | For example, `qtlsclient ngtcp2server 6000 https://ngtcp2server --groups kyber512` 22 | 23 | By default the ngtcp2 client supports X25519, P-256, P-384 and P-521 for key exchange but any plain or hybrid QSC (Quantum-Safe Cryptography) algorithm can be selected. [See list of supported key exchange algorithms here](https://github.com/open-quantum-safe/oqs-provider#algorithms). 24 | 25 | 26 | If multiple algorithms are selected, they are separated with colons. 27 | For example, `--groups=kyber512:p256_bikel1` 28 | 29 | 30 | For more options, run `qtlsclient --help` 31 | 32 | ## Disclaimer 33 | 34 | [THIS IS NOT FIT FOR PRODUCTION USE](https://github.com/open-quantum-safe/liboqs#limitations-and-security). 35 | -------------------------------------------------------------------------------- /ngtcp2/USAGE-server.md: -------------------------------------------------------------------------------- 1 | ## Purpose 2 | 3 | This is a [ngtcp2](https://github.com/ngtcp2/ngtcp2) server docker image building on [quictls](https://github.com/quictls/openssl) and [OQS provider](https://github.com/open-quantum-safe/oqs-provider), which allows ngtcp2 to negotiate quantum-safe keys in TLS 1.3. 4 | 5 | 6 | ## Quick start 7 | Assuming Docker is [installed](https://docs.docker.com/install) the following command 8 | 9 | ``` 10 | docker network create ngtcp2-test 11 | docker run -it --network ngtcp2-test --name ngtcp2server openquantumsafe/ngtcp2-server 12 | ``` 13 | 14 | will run the container for the quantum-safe crypto (QSC) protected ngtcp2 server on port 6000 on the docker network called ngtcp2-test. 15 | The server will negotiate kyber512 by default. 16 | 17 | 18 | To specify other groups, set the KEM_ALG environment variable by running the ngtcp2 server container as follows 19 | ``` 20 | docker run -it --network ngtcp2-test --name ngtcp2server -e KEM_ALG=kyber512:p256_bikel1 openquantumsafe/ngtcp2-server 21 | ``` 22 | 23 | Alternatively, you can interact with the container using sh and start the server manually 24 | ```sh 25 | docker run -it --network ngtcp2-test --name ngtcp2server openquantumsafe/ngtcp2-server sh 26 | 27 | # if the container is already running, run the following command instead 28 | docker exec -it ngtcp2server sh 29 | ``` 30 | 31 | Once inside the container, start the server using 32 | ``` 33 | qtlsserver
--groups= 34 | ``` 35 | For example, 36 | ```sh 37 | qtlsserver "*" 6000 /certs/server.key /certs/server.crt --groups=kyber512 38 | ``` 39 | 40 | By default the ngtcp2 server supports X25519, P-256, P-384 and P-521 for key exchange but any plain or hybrid QSC (Quantum-Safe Cryptography) algorithm can be selected. [See list of supported key exchange algorithms here](https://github.com/open-quantum-safe/oqs-provider#algorithms). 41 | 42 | 43 | If multiple algorithms are selected, they are separated with colons. For example `--groups=kyber512:p256_bikel1` 44 | 45 | For more options, run `qtlsserver --help` 46 | 47 | 48 | ## Disclaimer 49 | 50 | [THIS IS NOT FIT FOR PRODUCTION USE](https://github.com/open-quantum-safe/liboqs#limitations-and-security). 51 | -------------------------------------------------------------------------------- /ngtcp2/serverstart.sh: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | set -e 3 | 4 | # Optionally set KEM to one defined in https://github.com/open-quantum-safe/oqs-provider#algorithms 5 | if [ "x$KEM_ALG" == "x" ]; then 6 | export KEM_ALG=kyber512 7 | fi 8 | 9 | # Start ngtcp2 server accepting only the specified KEM_ALG 10 | qtlsserver --groups $KEM_ALG "*" 6000 /certs/server.key /certs/server.crt 11 | -------------------------------------------------------------------------------- /nodejs/README.md: -------------------------------------------------------------------------------- 1 | ## Purpose 2 | 3 | This directory contains a Dockerfile that builds [NodeJS](https://nodejs.org) with the [OQS OpenSSL 3 provider](https://github.com/open-quantum-safe/oqs-provider), which allows nodejs applications to perform quantum-safe TLS 1.3 handshakes using quantum-safe certificates. 4 | 5 | ## Getting started 6 | 7 | [Install Docker](https://docs.docker.com/install) and run the following commands in this directory: 8 | 9 | 1. `docker build -t oqs-nodejs .` 10 | 2. `sh ./test.sh` 11 | 12 | **IMPORTANT: The building of the oqs nodejs container image takes a very long time, upwards of 30 minutes depending on your machine and will use all available cores to do so** 13 | 14 | The following output is expected which shows a successful completion 15 | ``` 16 | Hello, World! 17 | ``` 18 | 19 | This will create an image which can then run nodejs applications. The test will use this image to run 2 nodejs applications, 1 as a server and the other as a client. It will create keys and certificates for use by the server, then the client will connect to the server using the mlkem768 KEM algorithm as it will also verify the quantum-safe certificate presented by the server. 20 | 21 | It is possible to change the KEM algorithm in the test but the server is coded to only use the default group list defined by the `KEM_ALGLIST` build argument of the docker file. You can change the signature algorithm in the `createcerts.sh` file to one of the signature algorithm name(s) [supported by OQS OpenSSL 3 provider](https://github.com/open-quantum-safe/oqs-provider#algorithms) 22 | 23 | 24 | Please note that the test script has only been tested to operate OK on Linux. 25 | 26 | 27 | ## Usage 28 | 29 | Complete information how to use the image is [available in the separate file USAGE.md](USAGE.md). 30 | 31 | ## Build options 32 | 33 | The Dockerfile provided allows for some customization of the image built: 34 | 35 | ### LIBOQS_TAG 36 | 37 | Tag of `liboqs` release to be used. Default "main". 38 | 39 | ### OQSPROVIDER_TAG 40 | 41 | Tag of `oqsprovider` release to be used. Default "main". 42 | 43 | ### KEM_ALGLIST 44 | 45 | Defines the list of QSC KEM algorithms to be supported by default. This value is colon separated and inserted into the system-wide `openssl.cnf` configuration file defining the behaviour of the OpenSSL3 library used by the NodeJS binary. 46 | 47 | The default value is "mlkem768:p384_mlkem768". Any algorithm name(s) [supported by OQS OpenSSL 3 provider](https://github.com/open-quantum-safe/oqs-provider#algorithms) can be chosen instead. 48 | -------------------------------------------------------------------------------- /nodejs/USAGE.md: -------------------------------------------------------------------------------- 1 | ## Purpose 2 | 3 | This directory contains a Dockerfile that builds [NodeJS](https://nodejs.org) with the [OQS OpenSSL 3 provider](https://github.com/open-quantum-safe/oqs-provider), which allows nodejs applications to perform quantum-safe TLS 1.3 handshakes using quantum-safe certificates. 4 | 5 | ## Quick start 6 | Assuming Docker is [installed](https://docs.docker.com/install), to try out a simple client server application 7 | 8 | - Ensure you have cloned this repository and change to the nodejs directory. 9 | - Execute the following to create an interactive docker container which makes the contents of this nodejs directory available to the container so that we can run a nodejs server 10 | 11 | ```bash 12 | docker run -it --rm -p 6443:8443 --name nodejs-server --entrypoint /bin/bash -v $PWD:/code openquantumsafe/nodejs 13 | # create a CA Root key, certificate and then create the server key and certificate 14 | /code/createcerts.sh 15 | # copy the ca certificate to the code directory so that it is available for the client 16 | cp ca_cert.crt /code 17 | # run the nodejs server 18 | node /code/testserver.js 19 | ``` 20 | 21 | - In another window (again ensuring you are in the nodejs directory of this cloned repository) execute the following to create an interactive container which makes the contents of this nodejs directory available to the container so that we can run a nodejs client. We run this on the host network so we can see the exposed port from the server container 22 | 23 | ```bash 24 | docker run -it --rm --network host --name nodejs-client --entrypoint /bin/bash -v $PWD:/code openquantumsafe/nodejs 25 | # run the client to show we get a response from the server 26 | node /code/client.js localhost 6443 /hello mlkem768 /code/ca_cert.crt 27 | ``` 28 | 29 | You should see the response from the server being output to the console 30 | 31 | ``` 32 | Hello, World! 33 | ``` 34 | 35 | - Once finished, you should remove the CA certificate stored on your host file system 36 | 37 | ```bash 38 | rm /code/ca_cert.crt` 39 | ``` 40 | 41 | - You can exit the running containers 42 | 43 | 44 | ## Disclaimer 45 | 46 | [THIS IS NOT FIT FOR PRODUCTION USE](https://github.com/open-quantum-safe/liboqs#limitations-and-security). 47 | -------------------------------------------------------------------------------- /nodejs/client.js: -------------------------------------------------------------------------------- 1 | const http2 = require('http2'); 2 | const fs = require('fs'); 3 | const { exit } = require('process'); 4 | 5 | // To run 6 | // node client.js 7 | // curves can be for example x25519 (legacy kem), mlkem1024 (qsc kem) 8 | const rootca = fs.readFileSync(process.argv[6]); 9 | const hostname = process.argv[2]; 10 | const port = process.argv[3]; 11 | const path = process.argv[4]; 12 | 13 | const sessionOptions = { 14 | ecdhCurve: process.argv[5], 15 | minVersion: 'TLSv1.3', 16 | ciphers: 'TLS_AES_256_GCM_SHA384', 17 | ca: rootca, 18 | }; 19 | 20 | const requestOptions = { 21 | method: 'GET', 22 | }; 23 | 24 | 25 | const session = http2.connect(`https://${hostname}:${port}`, sessionOptions); 26 | 27 | session.on('error', (err) => { 28 | console.error('Session Error:', err); 29 | exit(1); 30 | }); 31 | 32 | const req = session.request({':path': path}, requestOptions); 33 | req.end(); 34 | 35 | let data = ''; 36 | 37 | req.on('data', (chunk) => { 38 | data += chunk; 39 | }); 40 | 41 | req.on('end', () => { 42 | console.log(data); 43 | session.close(); 44 | }); 45 | 46 | req.on('error', (err) => { 47 | console.error('Request Error:', err); 48 | session.close(); 49 | exit(1); 50 | }); 51 | 52 | -------------------------------------------------------------------------------- /nodejs/createcerts.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | # if env var not set, chose default certificate signature algorithm 4 | if [ -z "$OQSSIGALG" ]; then 5 | OQSSIGALG="mldsa65" 6 | fi 7 | 8 | if [ -z "$SERVERFQDN" ]; then 9 | SERVERFQDN=localhost 10 | echo "SERVERFQDN env var not set, using localhost" 11 | fi 12 | 13 | # Sanity clean-up: 14 | rm -rf server_key.key client_key.key ca_key.key ca_cert.crt client_cert.csr server_cert.csr client_cert.crt server.cert.crt 15 | 16 | echo "Creating all certs using $OQSSIGALG..." 17 | # generate keys 18 | openssl genpkey -algorithm $OQSSIGALG -out server_key.key && \ 19 | openssl genpkey -algorithm $OQSSIGALG -out ca_key.key && \ 20 | 21 | # generate ca cert 22 | # -config /usr/lib/ssl/openssl.cnf 23 | openssl req -key ca_key.key -x509 -subj "/CN=oqsopenvpntest CA" -out ca_cert.crt && \ 24 | 25 | # generate server cert 26 | HOSTFQDN=$SERVERFQDN openssl req -new -key server_key.key -subj "/CN=$SERVERFQDN" -out server_cert.csr && \ 27 | HOSTFQDN=$SERVERFQDN openssl x509 -req -in server_cert.csr -CA ca_cert.crt -CAkey ca_key.key -CAcreateserial -out server_cert.crt -extensions usr_cert 28 | -------------------------------------------------------------------------------- /nodejs/test.sh: -------------------------------------------------------------------------------- 1 | #! /bin/env bash 2 | oqs_node_image=oqs-nodejs 3 | oqs_curl_image=oqs-curl-generic 4 | set -e 5 | 6 | docker run -d --rm -p 6443:8443 --name nodejs-server --entrypoint /bin/bash -v $PWD:/code $oqs_node_image -c " 7 | /code/createcerts.sh 8 | cp ca_cert.crt /code 9 | node /code/testserver.js 10 | rm /code/ca_cert.crt" 11 | 12 | sleep 1s 13 | 14 | # test http2 nodejs client 15 | docker run --rm --entrypoint /bin/bash --name nodejs-client --network host -v $PWD:/code $oqs_node_image -c " 16 | set -e 17 | node /code/client.js localhost 6443 /hello mlkem768 /code/ca_cert.crt | grep World! 18 | " 19 | 20 | # test curl which only supports http1 client 21 | docker run --rm --name curl-client --network host -v $PWD:/code $oqs_curl_image curl -v --curves mlkem768 --cacert /code/ca_cert.crt https://localhost:6443/hello > response.txt 2>&1 22 | cat response.txt | grep "SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384 / mlkem768 / mldsa65" 23 | cat response.txt | grep World! 24 | 25 | # terminate the nodejs server 26 | docker run --rm --entrypoint /bin/bash --name nodejs-client --network host -v $PWD:/code $oqs_node_image -c " 27 | set -e 28 | node /code/client.js localhost 6443 /exit mlkem768 /code/ca_cert.crt 29 | " 30 | -------------------------------------------------------------------------------- /nodejs/testserver.js: -------------------------------------------------------------------------------- 1 | const http2 = require('http2'); 2 | const fs = require('fs'); 3 | 4 | const options = { 5 | key: fs.readFileSync('./server_key.key'), 6 | cert: fs.readFileSync('./server_cert.crt'), 7 | allowHTTP1: true, 8 | //could override the default openssl defined curves 9 | //ecdhCurve: 'X25519MLKEM768:mlkem1024:p521_mlkem1024:mlkem768:p384_mlkem768:mlkem512:p256_mlkem512:secp521r1:secp384r1:X25519:prime256v1:X448' 10 | }; 11 | 12 | const port = 8443; 13 | 14 | const server = http2.createSecureServer(options, (req, res) => { 15 | if (req.url === '/hello') { 16 | res.writeHead(200, { 'Content-Type': 'text/plain' }); 17 | res.end('Hello World!\n'); 18 | } else if (req.url === '/exit') { 19 | res.writeHead(200, { 'Content-Type': 'text/plain' }); 20 | res.end('Terminating Server\n'); 21 | setImmediate(() => {exit(0)}); 22 | 23 | } else { 24 | res.writeHead(404, { 'Content-Type': 'text/plain' }); 25 | res.end('Not Found'); 26 | } 27 | }); 28 | 29 | server.listen(port, () => { 30 | console.log('Server running at https://localhost:' + port); 31 | }); 32 | -------------------------------------------------------------------------------- /openssh/connect-test.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | [[ $DEBUGLVL -gt 1 ]] && set -ex 4 | 5 | # Stop the sshd service that may was started before, otherwise it won't work with others than the default algorithms 6 | rc-service oqs-sshd stop 7 | 8 | # default options 9 | OPTIONS=${OPTIONS:="-q -o BatchMode=yes -o StrictHostKeyChecking=no"} 10 | 11 | SIG=${SIG_ALG:="ecdsa-nistp384-mldsa65"} 12 | KEM=${KEM_ALG:="ecdh-nistp384-kyber-768r3-sha384-d00@openquantumsafe.org"} 13 | 14 | # Generate new identity keys, overwrite old keys 15 | SSH_DIR="/home/${OQS_USER}/.ssh" 16 | SIG_ID_FILE="${SSH_DIR}/id_${SIG//-/_}" 17 | echo "y" | su ${OQS_USER} -c "${OQS_INSTALL_DIR}/bin/ssh-keygen -t ssh-${SIG} -f ${SIG_ID_FILE} -N \"\" -q" 18 | echo "" 19 | cat ${SIG_ID_FILE}.pub >> ${SSH_DIR}/authorized_keys 20 | [[ $DEBUGLVL -gt 0 ]] && echo "Debug1: New identity key '${SIG_ID_FILE}(.pub)' created!" 21 | OPTIONS="${OPTIONS} -i ${SIG_ID_FILE}" 22 | 23 | eval "export CONNECT_TEST=true; serverstart.sh" 24 | 25 | # Evaluate if called as root 26 | if [ ${EUID} -eq 0 ]; then 27 | SSH_PREFIX="su ${OQS_USER} -c " 28 | fi 29 | 30 | # See if TEST_HOST was set, if not use default 31 | if [ "x${TEST_HOST}" == "x" ]; then 32 | TEST_HOST="localhost" 33 | fi 34 | 35 | # See if TEST_TIME was set, if not use default 36 | if [ "x${TEST_TIME}" == "x" ]; then 37 | TEST_TIME=60 38 | fi 39 | OPTIONS="${OPTIONS} -o ConnectTimeout=${TEST_TIME}" 40 | 41 | # Optionally set port 42 | # if left empty, the options defined in sshd_config will be used 43 | if [ "x$SERVER_PORT" != "x" ]; then 44 | OPTIONS="${OPTIONS} -p ${SERVER_PORT}" 45 | fi 46 | 47 | # Optionally set KEM to one defined in https://github.com/open-quantum-safe/openssh#key-exchange 48 | # if left empty, the options defined in sshd_config will be used 49 | if [ "x$KEM" != "x" ]; then 50 | OPTIONS="${OPTIONS} -o KexAlgorithms=${KEM}" 51 | fi 52 | 53 | # Optionally set SIG to one defined in https://github.com/open-quantum-safe/openssh#digital-signature 54 | # if left empty, the options defined in sshd_config will be used 55 | if [ "x$SIG" != "x" ]; then 56 | OPTIONS="${OPTIONS} -o HostKeyAlgorithms=ssh-${SIG} -o PubkeyAcceptedKeyTypes=ssh-${SIG}" 57 | fi 58 | 59 | CMD="ssh ${OPTIONS} ${TEST_HOST} 'exit 0'" 60 | [[ $DEBUGLVL -gt 0 ]] && echo "Debug1: $SSH_PREFIX\"$CMD\"" 61 | eval "$SSH_PREFIX\"$CMD\"" 62 | 63 | if [ $? -eq 0 ]; then 64 | echo "" 65 | echo "[ OK ] Connected to ${TEST_HOST} using ${KEM} and ${SIG}!" 66 | exit 0 67 | else 68 | echo "" 69 | echo "[FAIL] Could not connect to ${TEST_HOST} using ${KEM} and ${SIG}!" 70 | exit 1 71 | fi 72 | -------------------------------------------------------------------------------- /openssh/entrypoint.sh: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | eval ${OQS_INSTALL_DIR}/scripts/key-gen.sh 3 | 4 | eval $@ 5 | -------------------------------------------------------------------------------- /openssh/key-gen.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | # Check if root 4 | if [ "x${EUID}" != "x0" ]; then 5 | echo "Must be root! Aborting..." 6 | exit 1 7 | fi 8 | 9 | ################################################################################ 10 | # Get all active IDENTITY KEY files from ssh_config and generate a file for each 11 | ################################################################################ 12 | echo "Generating identity key files as configured in ${OQS_INSTALL_DIR}/ssh_config:" 13 | 14 | HOME_DIR="/home/${OQS_USER}" 15 | readarray ID_FILES <<< $(sed -n "s:^identityfile[ =]\+::Ip" ${OQS_INSTALL_DIR}/ssh_config | sed -n "s:\~:${HOME_DIR}:gp") 16 | readarray ID_ALGS <<< $(sed -n "s:^identityfile.\+/id_::Ip" ${OQS_INSTALL_DIR}/ssh_config) 17 | 18 | # Find longest name 19 | MAX_ALG_LEN=0 20 | for ALG in ${ID_ALGS[@]}; do 21 | if [ ${#ALG} -gt $MAX_ALG_LEN ]; then 22 | MAX_ALG_LEN=${#ALG} 23 | fi 24 | done 25 | MAX_FILE_LEN=0 26 | for FILE in ${ID_FILES[@]}; do 27 | if [ ${#FILE} -gt $MAX_FILE_LEN ]; then 28 | MAX_FILE_LEN=${#FILE} 29 | fi 30 | done 31 | 32 | # Generate a new identity key for each found host key algorithm 33 | for IDX in ${!ID_ALGS[@]}; do 34 | ALG=${ID_ALGS[$IDX]} 35 | ID_FILE=${ID_FILES[$IDX]:0:(-1)} # Cut off some weird trailing newline 36 | printf "\t%-$((MAX_ALG_LEN + 1))s" ${ALG^^} 37 | if [ -e $ID_FILE ]; then 38 | printf "exists @ %-$((MAX_LEN + 10))s --> SKIPPED\n" "$ID_FILE(.pub)" 39 | else 40 | CMD="su ${OQS_USER} -c \"${OQS_INSTALL_DIR}/bin/ssh-keygen -t $ALG -f $ID_FILE -N '' -q\"" 41 | # echo $CMD 42 | eval $CMD 2> /dev/null 43 | if [ $? -ne 0 ]; then 44 | echo "FAILED" 45 | else 46 | echo "generated @ $ID_FILE(.pub)" 47 | fi 48 | fi 49 | done 50 | 51 | ################################################################################ 52 | # Get all active HOST KEY files from ssh_config and generate a file for each ### 53 | ################################################################################ 54 | echo -e "\nGenerating host key files as configured in $OQS_INSTALL_DIR/sshd_config:" 55 | 56 | # Get algorithms from sshd_config 57 | readarray HOST_KEY_FILES <<< $(sed -n "s:^hostkey[ =]\+::Ip" ${OQS_INSTALL_DIR}/sshd_config) 58 | readarray HOST_KEY_ALGS <<< $(sed -n "s:^hostkey.*/ssh_host_::Ip" ${OQS_INSTALL_DIR}/sshd_config | sed -n "s:_key$::gp") 59 | 60 | # Find longest name 61 | MAX_ALG_LEN=0 62 | for ALG in ${HOST_KEY_ALGS[@]}; do 63 | if [ ${#ALG} -gt $MAX_ALG_LEN ]; then 64 | MAX_ALG_LEN=${#ALG} 65 | fi 66 | done 67 | MAX_FILE_LEN=0 68 | for FILE in ${HOST_KEY_FILES[@]}; do 69 | if [ ${#FILE} -gt $MAX_FILE_LEN ]; then 70 | MAX_FILE_LEN=${#FILE} 71 | fi 72 | done 73 | 74 | # Generate a new host key for each found host key algorithm 75 | for IDX in "${!HOST_KEY_ALGS[@]}"; do 76 | ALG=${HOST_KEY_ALGS[$IDX]} 77 | HOST_FILE=${HOST_KEY_FILES[$IDX]:0:(-1)} # Cut off some weird trailing newline 78 | printf "\t%-$((MAX_ALG_LEN + 1))s" ${ALG^^} 79 | if [ -e $HOST_FILE ]; then 80 | printf "exists @ %-$((MAX_FILE_LEN + 6))s --> SKIPPED\n" "$HOST_FILE(.pub)" 81 | else 82 | CMD="${OQS_INSTALL_DIR}/bin/ssh-keygen -t $ALG -f $HOST_FILE -N '' -q -h" 83 | #echo "Generating key via: $CMD" 84 | eval $CMD 2> /dev/null 85 | if [ $? -ne 0 ]; then 86 | echo "FAILED" 87 | else 88 | echo "generated @ $HOST_FILE(.pub)" 89 | RESTART_SSHD=yes 90 | fi 91 | fi 92 | done 93 | 94 | if [ "x$RESTART_SSHD" != "x" ]; then 95 | echo "" 96 | rc-service oqs-sshd restart 97 | else 98 | # make sure service is running 99 | echo "" 100 | rc-service oqs-sshd start 101 | fi 102 | -------------------------------------------------------------------------------- /openssh/oqs-sshd: -------------------------------------------------------------------------------- 1 | #!/sbin/openrc-run 2 | 3 | description="OQS-OpenSSH server" 4 | description_checkconfig="Verify configuration file" 5 | description_reload="Reload configuration" 6 | 7 | extra_commands="checkconfig" 8 | extra_started_commands="reload" 9 | 10 | OQS_INSTALL_DIR="/opt/oqs-ssh" 11 | 12 | # NOTE: SSHD_* variables are deprecated and will be removed in future! 13 | : ${sshd_disable_keygen:="${SSHD_DISABLE_KEYGEN:-"yes"}"} 14 | : ${cfgfile:=${SSHD_CONFIG:-"${SSHD_CONFDIR:-${OQS_INSTALL_DIR}}/sshd_config"}} 15 | 16 | pidfile="${SSHD_PIDFILE:-"/run/$RC_SVCNAME.pid"}" 17 | command="${SSHD_BINARY:-"${OQS_INSTALL_DIR}/sbin/sshd"}" 18 | command_args="${command_args:-${SSHD_OPTS:-}}" 19 | 20 | required_files="$cfgfile" 21 | 22 | depend() { 23 | use logger dns 24 | after entropy 25 | 26 | if [ "${rc_need+set}" = "set" ] ; then 27 | : # Do nothing, the user has explicitly set rc_need 28 | else 29 | local x warn_addr 30 | for x in $(awk '/^ListenAddress/{ print $2 }' "$cfgfile" 2>/dev/null) ; do 31 | case "$x" in 32 | 0.0.0.0|0.0.0.0:*) ;; 33 | ::|\[::\]*) ;; 34 | *) warn_addr="$warn_addr $x" ;; 35 | esac 36 | done 37 | if [ -n "$warn_addr" ] ; then 38 | need net 39 | ewarn "You are binding an interface in ListenAddress statement in your sshd_config!" 40 | ewarn "You must add rc_need=\"net.FOO\" to your /etc/conf.d/sshd" 41 | ewarn "where FOO is the interface(s) providing the following address(es):" 42 | ewarn "$warn_addr" 43 | fi 44 | fi 45 | } 46 | 47 | checkconfig() { 48 | warn_deprecated_var SSHD_BINARY 49 | warn_deprecated_var SSHD_CONFDIR 50 | warn_deprecated_var SSHD_CONFIG cfgfile 51 | warn_deprecated_var SSHD_DISABLE_KEYGEN sshd_disable_keygen 52 | warn_deprecated_var SSHD_OPTS command_args 53 | warn_deprecated_var SSHD_PIDFILE 54 | 55 | if [ ! -d /var/empty ] ; then 56 | mkdir -p /var/empty || return 1 57 | fi 58 | 59 | if ! yesno "$sshd_disable_keygen"; then 60 | ssh-keygen -A || return 1 61 | fi 62 | 63 | [ "$pidfile" != "/run/oqs-sshd.pid" ] \ 64 | && command_args="$command_args -o PidFile=$pidfile" 65 | 66 | [ "$cfgfile" != "${OQS_INSTALL_DIR}/sshd_config" ] \ 67 | && command_args="$command_args -f $cfgfile" 68 | 69 | "$command" -t $command_args || return 1 70 | } 71 | 72 | start_pre() { 73 | checkconfig 74 | } 75 | 76 | stop() { 77 | if [ "${RC_CMD}" = "restart" ] ; then 78 | checkconfig || return 1 79 | fi 80 | 81 | ebegin "Stopping $RC_SVCNAME" 82 | start-stop-daemon --stop --exec "$command" \ 83 | --pidfile "$pidfile" --quiet 84 | eend $? 85 | 86 | if [ "$RC_RUNLEVEL" = "shutdown" ]; then 87 | _sshd_pids=$(pgrep "${command##*/}") 88 | if [ -n "$_sshd_pids" ]; then 89 | ebegin "Shutting down ssh connections" 90 | kill -TERM $_sshd_pids >/dev/null 2>&1 91 | eend 0 92 | fi 93 | fi 94 | } 95 | 96 | reload() { 97 | checkconfig || return 1 98 | 99 | ebegin "Reloading $RC_SVCNAME" 100 | start-stop-daemon --signal HUP \ 101 | --exec "$command" --pidfile "$pidfile" 102 | eend $? 103 | } 104 | 105 | warn_deprecated_var() { 106 | local varname="$1" 107 | local replacement="${2:-}" 108 | 109 | eval "test -n \"\$$varname\"" || return 0 110 | 111 | ewarn "Variable \$$varname is deprecated and will be removed in the future!" 112 | [ "$replacement" ] && ewarn "Use \$$replacement instead of \$$varname." ||: 113 | } 114 | -------------------------------------------------------------------------------- /openssh/serverstart.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | [[ $DEBUGLVL -gt 1 ]] && set -ex 4 | 5 | OPTIONS=${OPTIONS:=""} 6 | 7 | SIG=${SIG_ALG:="ecdsa-nistp384-mldsa65"} 8 | KEM=${KEM_ALG:="ecdh-nistp384-kyber-768r3-sha384-d00@openquantumsafe.org"} 9 | 10 | # Optionally set port 11 | # if left empty, the options defined in sshd_config will be used 12 | if [ "x$SERVER_PORT" != "x" ]; then 13 | OPTIONS="${OPTIONS} -p ${SERVER_PORT}" 14 | fi 15 | 16 | # Optionally set KEM to one defined in https://github.com/open-quantum-safe/openssh#key-exchange 17 | # if left empty, the options defined in sshd_config will be used 18 | if [ "x$KEM" != "x" ]; then 19 | OPTIONS="${OPTIONS} -o KexAlgorithms=${KEM}" 20 | fi 21 | 22 | # Optionally set SIG to one defined in https://github.com/open-quantum-safe/openssh#digital-signature 23 | # if left empty, the options defined in sshd_config will be used 24 | if [ "x$SIG" != "x" ]; then 25 | OPTIONS="${OPTIONS} -o HostKeyAlgorithms=ssh-${SIG} -o PubkeyAcceptedKeyTypes=ssh-${SIG}" 26 | HOST_KEY_FILE="${OQS_INSTALL_DIR}/ssh_host_${SIG//-/_}_key" 27 | OPTIONS="${OPTIONS} -h ${HOST_KEY_FILE}" 28 | fi 29 | # Generate host keys 30 | # SSH_DIR="/home/${OQS_USER}/.ssh" 31 | HOST_KEY_FILE="${SSH_DIR}/ssh_host_${SIG//-/_}_key" 32 | echo "y" | ${OQS_INSTALL_DIR}/bin/ssh-keygen -t ssh-${SIG} -f ${OQS_INSTALL_DIR}/${HOST_KEY_FILE} -N "" -q 33 | echo "" 34 | # cat ${HOST_KEY_FILE}.pub >> ${SSH_DIR}/authorized_keys 35 | [[ $DEBUGLVL -gt 0 ]] && echo "Debug1: New host key '${HOST_KEY_FILE}(.pub)' created!" 36 | # OPTIONS="${OPTIONS} -i ${HOST_KEY_FILE}" 37 | 38 | 39 | # Start the OQS SSH Daemon with the configuration as in ${OQS_INSTALL_DIR}/sshd_config 40 | CMD="${OQS_INSTALL_DIR}/sbin/sshd ${OPTIONS}" 41 | [[ $DEBUGLVL -gt 0 ]] && echo $CMD 42 | eval $CMD 43 | 44 | # Open a shell for local experimentation if not testing the connection 45 | if [ "x${CONNECT_TEST}" == "x" ]; then 46 | sh 47 | fi 48 | -------------------------------------------------------------------------------- /openssh/ssh_config: -------------------------------------------------------------------------------- 1 | # $OpenBSD: ssh_config,v 1.33 2017/05/07 23:12:57 djm Exp $ 2 | 3 | # This is the ssh client system-wide configuration file. See 4 | # ssh_config(5) for more information. This file provides defaults for 5 | # users, and the values can be changed in per-user configuration files 6 | # or on the command line. 7 | 8 | # Configuration data is parsed as follows: 9 | # 1. command line options 10 | # 2. user-specific file 11 | # 3. system-wide file 12 | # Any configuration value is only changed the first time it is set. 13 | # Thus, host-specific definitions should be at the beginning of the 14 | # configuration file, and defaults at the end. 15 | 16 | # Site-wide defaults for some commonly used options. For a comprehensive 17 | # list of available options, their meanings and defaults, please see the 18 | # ssh_config(5) man page. 19 | 20 | ############################################################################### 21 | #-- Settings for QUANTUM-SAFE key-exchange and authentication ----------------- 22 | ############################################################################### 23 | 24 | # Key-exchange algorithms 25 | KexAlgorithms ecdh-nistp384-kyber-768r3-sha384-d00@openquantumsafe.org 26 | 27 | # The host key algorithms ssh accepts 28 | HostKeyAlgorithms ssh-ecdsa-nistp384-mldsa65 29 | 30 | # The algorithms used for public key authentication 31 | PubkeyAcceptedKeyTypes ssh-ecdsa-nistp384-mldsa65 32 | 33 | # Define how unknown host keys should be handled 34 | #StrictHostKeyChecking ask 35 | 36 | # The port ssh is connecting to per default 37 | Port 2222 38 | 39 | # All IdentityFile options, enabled ones should match PubkeyAcceptedKeyTypes 40 | # Uncomment line to enable corresponding algorithm 41 | # Also ensure corresponding algorithm is enabled in liboqs 42 | #IdentityFile ~/.ssh/id_rsa 43 | #IdentityFile ~/.ssh/id_dsa 44 | #IdentityFile ~/.ssh/id_ed25519 45 | 46 | #IdentityFile ~/.ssh/id_ssh-falcon512 47 | 48 | IdentityFile ~/.ssh/id_ssh-ecdsa-nistp384-mldsa65 49 | #IdentityFile ~/.ssh/id_ssh-ecdsa-nistp256-falcon512 50 | 51 | #IdentityFile ~/.ssh/id_ssh-rsa3072-falcon512 52 | 53 | ############################################################################### 54 | #-- Settings for CLASSICAL SSH ------------------------------------------------ 55 | ############################################################################### 56 | 57 | # Host * 58 | # ForwardAgent no 59 | # ForwardX11 no 60 | # PasswordAuthentication yes 61 | # HostbasedAuthentication no 62 | # GSSAPIAuthentication no 63 | # GSSAPIDelegateCredentials no 64 | # BatchMode no 65 | # CheckHostIP yes 66 | # AddressFamily any 67 | # ConnectTimeout 0 68 | # StrictHostKeyChecking ask 69 | # IdentityFile ~/.ssh/id_rsa 70 | # IdentityFile ~/.ssh/id_dsa 71 | # IdentityFile ~/.ssh/id_ecdsa 72 | # IdentityFile ~/.ssh/id_ed25519 73 | # Port 22 74 | # Protocol 2 75 | # Ciphers aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,3des-cbc 76 | # MACs hmac-md5,hmac-sha1,umac-64@openssh.com 77 | # EscapeChar ~ 78 | # Tunnel no 79 | # TunnelDevice any:any 80 | # PermitLocalCommand no 81 | # VisualHostKey no 82 | # ProxyCommand ssh -q -W %h:%p gateway.example.com 83 | # RekeyLimit 1G 1h 84 | # 85 | -------------------------------------------------------------------------------- /openssl3/README.md: -------------------------------------------------------------------------------- 1 | This directory contains a Dockerfile that builds OpenSSL3 master with the [OQS provider](https://github.com/open-quantum-safe/oqs-provider), which allows openssl3 to use quantum-safe key exchange in TLS 1.3. 2 | 3 | ## Quick start 4 | 5 | 1) Be sure to have [docker installed](https://docs.docker.com/install). 6 | 2) Run `docker build -t oqs-ossl3 .` to create a post quantum-enabled OpenSSL3 image 7 | 3) To verify all components perform quantum-safe operations, first start the container with `docker run -it oqs-ossl3` thus starting an OQS-enabled TLS test server. 8 | 4) On the command prompt in the docker container query that server using `openssl s_client -connect localhost --groups kyber768 `. If all works, the last command returns all TLS information documenting use of OQS-enabled TLS. The parameter to the `--groups` argument is the KEM_ALG chosen when building the docker container ('kyber768' by default). 9 | 10 | *Note*: The last command creates a HTTP command window into the sample server. It can be exited either by typing CTRL-C or by issuing a valid command, e.g., `GET /`. The latter command will also return server-side information on the protocol and cryptographic methods used, e.g., the TLS 1.3 group actually used (kyber768 in this example). 11 | 12 | 13 | ## More details 14 | 15 | The Dockerfile 16 | - obtains all source code required for building the quantum-safe crypto (QSC) algorithms, the QSC-provider and OpenSSL3 (master). 17 | - builds all libraries and applications 18 | - by default starts an openssl (s_server) based test server. 19 | 20 | **Note for the interested**: The build process is two-stage with the final image only retaining all executables, libraries and include-files to utilize OQS-enabled openssl3. 21 | 22 | One runtime configuration option exists that can be optionally set via docker environment variable: 23 | 24 | Setting the key exchange mechanism (KEM): By setting 'KEM_ALG' 25 | to any of the [supported KEM algorithms built into OQS-OpenSSL](https://github.com/open-quantum-safe/oqs-provider#kem-algorithms) one can run TLS using a KEM other than the default algorithm 'kyber768'. Example: `docker run -e KEM_ALG=mlkem768 -it oqs-ossl3`. It is always necessary to also request use of this KEM algorithm by passing it to the invocation of `openssl s_client` with the `--groups` parameter, i.e. as such in the same example: `openssl s_client -connect localhost --groups mlkem768 `. 26 | 27 | ## Usage 28 | 29 | Information how to use the image is [available in the separate file USAGE.md](USAGE.md). 30 | 31 | ## Build options 32 | 33 | The Dockerfile provided allows for significant customization of the image built: 34 | 35 | ### OPENSSL_TAG 36 | 37 | Tag of `openssl` release to be used. 38 | 39 | ### LIBOQS_TAG 40 | 41 | Tag of `liboqs` release to be used. 42 | 43 | ### OQSPROVIDER_TAG 44 | 45 | Tag of `oqsprovider` release to be used. 46 | 47 | ### LIBOQS_BUILD_DEFINES 48 | 49 | This permits changing the build options for the underlying library with the quantum safe algorithms. All possible options are documented [here](https://github.com/open-quantum-safe/liboqs/wiki/Customizing-liboqs). 50 | 51 | By default, the image is built such as to have maximum portability regardless of CPU type and optimizations available, i.e. to run on the widest possible range of cloud machines. 52 | 53 | ### INSTALLDIR 54 | 55 | This defines the resultant location of the software installatiion. 56 | 57 | By default this is '/opt/oqssa'. It is recommended to not change this. Also, all [usage documentation](USAGE.md) assumes this path. 58 | 59 | ### MAKE_DEFINES 60 | 61 | Allow setting parameters to `make` operation, e.g., '-j nnn' where nnn defines the number of jobs run in parallel during build. 62 | 63 | The default is conservative and known not to overload normal machines. If one has a very powerful (many cores, >64GB RAM) machine, passing larger numbers (or only '-j' for maximum parallelism) speeds up building considerably. 64 | 65 | ### ALPINE_VERSION 66 | 67 | The version of the `alpine` docker image to to be used. 68 | -------------------------------------------------------------------------------- /openssl3/USAGE.md: -------------------------------------------------------------------------------- 1 | # OQS-ossl3 2 | 3 | This docker image contains a version of [OpenSSL3](https://github.com/openssl/openssl) built and extended with a [provider enabling quantum-safe crypto (QSC) operations](https://github.com/open-quantum-safe/oqs-provider). 4 | 5 | To this end, it contains [liboqs](https://github.com/open-quantum-safe/liboqs) as well as [OpenSSL 3](https://github.com/openssl/openssl) and [oqs-provider](https://github.com/open-quantum-safe/oqs-provider) from the [OpenQuantumSafe](https://openquantumsafe.org) project. 6 | 7 | As different images providing the same base functionality may be available, e.g., for debug or performance-optimized operations, the image name `oqs-ossl3` is consistently used in the description below. Be sure to adapt it to the image you want to use. 8 | 9 | ## Quick start 10 | 11 | 1) With `docker run -it oqs-ossl3` start an OQS-enabled TLS test server. 12 | 2) On the command prompt in the docker container resulting from the first comment, one can query that server by issuing the command `openssl s_client -connect localhost --groups kyber768`. 13 | 14 | The latter command returns all TLS information documenting use of OQS-enabled TLS. The parameter to the `--groups` argument is [any Kex Exchange algorithm supported by OQS-OpenSSL](https://github.com/open-quantum-safe/oqs-provider#kem-algorithms). 15 | 16 | ## Retrieving data from other QSC-enabled TLS servers 17 | 18 | Beyond interacting with the built-in test server (utilizing `openssl s_server`) the image can also be used to retrieve data from any OQS-enabled TLS (1.3) server with the command `docker run -it oqs-ossl3 openssl s_client -connect --groups `. 19 | 20 | ## Limitations 21 | 22 | This image is limited in functionality as per the [open issues documented for oqs-provider](https://github.com/open-quantum-safe/oqs-provider/issues). It also is [not fit for productive use](https://github.com/open-quantum-safe/liboqs#limitations-and-security). 23 | -------------------------------------------------------------------------------- /openssl3/fulltest/testrun.py: -------------------------------------------------------------------------------- 1 | import json 2 | import sys 3 | import os 4 | import subprocess 5 | 6 | # Ensure correct usage 7 | if len(sys.argv) < 2: 8 | print("Usage: python testrun.py ") 9 | sys.exit(1) 10 | 11 | docker_image = sys.argv[1] 12 | 13 | # Load JSON file 14 | try: 15 | with open("assignments.json", "r") as f: 16 | assignments = json.load(f) 17 | except FileNotFoundError: 18 | print("Error: assignments.json not found.") 19 | sys.exit(1) 20 | except json.JSONDecodeError: 21 | print("Error: Failed to parse assignments.json.") 22 | sys.exit(1) 23 | 24 | # Iterate over signature algorithms and associated KEMs 25 | for sig, kems in assignments.items(): 26 | print(f"Testing {sig}:") 27 | for kem, port in kems.items(): 28 | # Construct the command 29 | cmd = [ 30 | "docker", "run", "-v", f"{os.path.abspath(os.getcwd())}/ca:/ca", "-it", docker_image, 31 | "sh", "-c", 32 | f"(echo 'GET /'; sleep 1) | openssl s_client -CAfile /ca/CA.crt -connect test.openquantumsafe.org:{port}" 33 | + (f" -groups {kem}" if kem != "*" else "") 34 | ] 35 | 36 | # Run the command 37 | try: 38 | result = subprocess.run(cmd, capture_output=True, text=True, check=True) 39 | output = result.stdout 40 | except subprocess.CalledProcessError as e: 41 | output = e.stderr 42 | 43 | # Evaluate output 44 | if "Successfully" not in output: 45 | print(f"Error testing {kem}:\n{output}\n") 46 | else: 47 | print(f" Tested KEM {kem} successfully.") 48 | 49 | print(f" Successfully concluded testing {sig}") 50 | break # TODO: Only test one signature until full support is available. 51 | 52 | print("All available tests successfully passed.") -------------------------------------------------------------------------------- /openssl3/fulltest/testrun.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | set -e 3 | 4 | # Check if Docker image name is provided 5 | if [ "$#" -ne 1 ]; then 6 | echo "Error: Missing Docker image name." 7 | echo "Please provide the name of the Docker image to test." 8 | echo "You can check your available images using: docker images" 9 | echo "Usage: ${0} " 10 | exit 1 11 | fi 12 | 13 | DOCKER_IMAGE=$1 14 | TEST_DIR=$(mktemp -d) 15 | 16 | echo "Using test directory: $TEST_DIR" 17 | 18 | # Ensure required tools are installed 19 | if ! command -v wget &> /dev/null; then 20 | echo "Error: 'wget' is not installed. Please install it and try again." 21 | exit 1 22 | fi 23 | 24 | if ! command -v python3 &> /dev/null; then 25 | echo "Error: 'python3' is not installed. Please install it and try again." 26 | exit 1 27 | fi 28 | 29 | mkdir -p "$TEST_DIR/ca" 30 | cd "$TEST_DIR/ca" 31 | 32 | echo "Downloading CA certificate..." 33 | if ! wget -q https://test.openquantumsafe.org/CA.crt; then 34 | echo "Error: Failed to download CA.crt" 35 | exit 1 36 | fi 37 | cd .. 38 | 39 | echo "Downloading assignments.json..." 40 | if ! wget -q https://test.openquantumsafe.org/assignments.json; then 41 | echo "Error: Failed to download assignments.json" 42 | exit 1 43 | fi 44 | 45 | echo "Running tests with Docker image: $DOCKER_IMAGE" 46 | python3 testrun.py "$DOCKER_IMAGE" 47 | 48 | echo "Test run completed successfully." -------------------------------------------------------------------------------- /openssl3/serverstart.sh: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | set -e 3 | 4 | # Optionally set KEM to one defined in https://github.com/open-quantum-safe/oqs-provider#kem-algorithms 5 | if [ -z $KEM_ALG ]; then 6 | export KEM_ALG=kyber768 7 | fi 8 | 9 | # Start a TLS1.3 test server based on OpenSSL accepting only the specified KEM_ALG 10 | openssl s_server -cert /opt/test/server.crt -key /opt/test/server.key -groups $KEM_ALG -www -tls1_3 -accept localhost:4433& 11 | 12 | echo "Test server started for KEM $KEM_ALG at port 4433" 13 | 14 | # Open a shell for local experimentation 15 | if command -v bash > /dev/null; then bash; else sh; fi 16 | -------------------------------------------------------------------------------- /openvpn/README.md: -------------------------------------------------------------------------------- 1 | ## Purpose 2 | 3 | This directory contains a Dockerfile that builds [OpenVPN](https://openvpn.net) with the [OQS OpenSSL 3 provider](https://github.com/open-quantum-safe/oqs-provider), which configures openvpn to perform quantum-safe TLS 1.3 handshakes (KEM for key establishment and X.509 certificates/keys for mutual authentication). 4 | 5 | ## Getting started 6 | 7 | [Install Docker](https://docs.docker.com/install) and run the following commands in this directory: 8 | 9 | 1. `docker build -t oqs-openvpn .` 10 | 2. `sh ./test.sh` 11 | 12 | This will create an image for creating configurations, keys and certificates as well as running openvpn server(s) and client(s) within a docker network performing a quantum-safe key exchange via the Kyber768 (plain and hybrid) KEM algorithm. Any of the other [supported quantum safe KEM algorithms](https://github.com/open-quantum-safe/oqs-provider#algorithms) can be set via the parameter `--tls-groups` in the server and client startup scripts, e.g., by setting the "TLS_GROUPS" environment variable. 13 | 14 | Please note that the test script has only been tested to operate OK on Linux. 15 | 16 | 17 | ## Usage 18 | 19 | Complete information how to use the image is [available in the separate file USAGE.md](USAGE.md). 20 | 21 | ## Build options 22 | 23 | The Dockerfile provided allows for some customization of the image built: 24 | 25 | ### LIBOQS_TAG 26 | 27 | Tag of `liboqs` release to be used. Default "main". 28 | 29 | ### OQSPROVIDER_TAG 30 | 31 | Tag of `oqsprovider` release to be used. Default "main". 32 | 33 | ### LIBOQS_BUILD_DEFINES 34 | 35 | This permits changing the build options for the underlying library with the quantum safe algorithms. All possible options are documented [here](https://github.com/open-quantum-safe/liboqs/wiki/Customizing-liboqs). 36 | 37 | By default, the image is built such as to have maximum portability regardless of CPU type and optimizations available, i.e. to run on the widest possible range of cloud machines. 38 | 39 | ### MAKE_DEFINES 40 | 41 | Allow setting parameters to `make` operation, e.g., '-j nnn' where nnn defines the number of jobs run in parallel during build. 42 | 43 | The default is conservative and known not to overload normal machines. If one has a very powerful (many cores, >64GB RAM) machine, passing larger numbers (or only '-j' for maximum parallelism) speeds up building considerably. 44 | 45 | ### KEM_ALGLIST 46 | 47 | Defines the list of QSC KEM algorithms to be supported by default. This value is colon separated and inserted into the system-wide `openssl.cnf` configuration file defining the behaviour of the OpenSSL3 library embedded into the OpenVPN code base. 48 | 49 | The default value is "mlkem768:p384_mlkem768". Any algorithm name(s) [supported by OQS OpenSSL 3 provider](https://github.com/open-quantum-safe/oqs-provider#algorithms) can be chosen instead. 50 | -------------------------------------------------------------------------------- /openvpn/client.config: -------------------------------------------------------------------------------- 1 | 2 | client 3 | 4 | # Reduce verbosity if you're not as curious as I am :) 5 | verb 5 6 | 7 | nobind 8 | dev tun 9 | remote-cert-tls server 10 | 11 | remote oqsopenvpnserver 1194 udp 12 | 13 | key client_key.key 14 | cert client_cert.crt 15 | ca ca_cert.crt 16 | 17 | # strictly necessary? 18 | #redirect-gateway def1 19 | 20 | status /tmp/openvpn-status.log 21 | -------------------------------------------------------------------------------- /openvpn/clientstart.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | # KEMs chosen will be taken from the system-wide openssl.cnf file 4 | # overrule the colon-separated list by using the option --tls-groups 5 | 6 | # Location of config files: 7 | cd /etc/openvpn 8 | 9 | if [ ! -f ca_cert.crt ]; then 10 | echo "CA not found. Exiting." 11 | exit 1 12 | fi 13 | 14 | if [ -z "$TLS_GROUPS" ]; then 15 | openvpn --config client.config 16 | else 17 | openvpn --config client.config --tls-groups $TLS_GROUPS 18 | fi 19 | 20 | -------------------------------------------------------------------------------- /openvpn/createcerts_and_config.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | # if env var not set, chose default certificate signature algorithm 4 | if [ -z "$OQSSIGALG" ]; then 5 | OQSSIGALG="mldsa65" 6 | fi 7 | 8 | if [ -z "$SERVERFQDN" ]; then 9 | echo "SERVERFQDN env var not set. Exiting." 10 | exit 1 11 | fi 12 | 13 | if [ -z "$CLIENTFQDN" ]; then 14 | echo "CLIENTFQDN env var not set. Exiting." 15 | exit 1 16 | fi 17 | 18 | # Activate this if tunneling is not pre-enabled: 19 | #if [ ! -c /dev/net/tun ]; then 20 | # mkdir -p /dev/net 21 | # mknod /dev/net/tun c 10 200 22 | # chmod 600 /dev/net/tun 23 | #fi 24 | 25 | # Sanity clean-up: 26 | rm -rf server_key.key client_key.key ca_key.key ca_cert.crt client_cert.csr server_cert.csr client_cert.crt server.cert.crt 27 | 28 | echo "Creating all certs using $OQSSIGALG..." 29 | # First create certs with all extensions required by OpenVPN: 30 | openssl genpkey -algorithm $OQSSIGALG -out server_key.key && \ 31 | openssl genpkey -algorithm $OQSSIGALG -out client_key.key && \ 32 | openssl genpkey -algorithm $OQSSIGALG -out ca_key.key && \ 33 | openssl req -key ca_key.key -x509 -subj "/CN=oqsopenvpntest CA" -config /home/openvpn/openvpn-openssl.cnf -out ca_cert.crt && \ 34 | HOSTFQDN=$CLIENTFQDN openssl req -new -key client_key.key -subj "/CN=$CLIENTFQDN" -config /home/openvpn/openvpn-openssl.cnf -out client_cert.csr && \ 35 | HOSTFQDN=$CLIENTFQDN openssl x509 -req -in client_cert.csr -CA ca_cert.crt -CAkey ca_key.key -out client_cert.crt -extensions usr_cert -extfile /home/openvpn/openvpn-openssl.cnf && \ 36 | HOSTFQDN=$SERVERFQDN openssl req -new -key server_key.key -subj "/CN=$SERVERFQDN" -config /home/openvpn/openvpn-openssl.cnf -out server_cert.csr && \ 37 | HOSTFQDN=$SERVERFQDN openssl x509 -req -in server_cert.csr -CA ca_cert.crt -CAkey ca_key.key -CAcreateserial -out server_cert.crt -extensions usr_cert -extfile /home/openvpn/openvpn-openssl.cnf 38 | 39 | # Now bring config file from /home/openvpn properly changed to this directory 40 | cp /home/openvpn/server.config server.config 41 | sed -e "s/oqsopenvpnserver/$SERVERFQDN/g" /home/openvpn/client.config > client.config 42 | 43 | -------------------------------------------------------------------------------- /openvpn/server.config: -------------------------------------------------------------------------------- 1 | server 192.168.255.0 255.255.255.0 2 | # Reduce verbosity if you're not as curious as I am :) 3 | verb 5 4 | 5 | key server_key.key 6 | ca ca_cert.crt 7 | cert server_cert.crt 8 | dh none 9 | keepalive 10 60 10 | persist-key 11 | persist-tun 12 | 13 | proto udp 14 | # Rely on Docker to do port mapping, internally always 1194 15 | port 1194 16 | dev tun0 17 | status /tmp/openvpn-status.log 18 | 19 | user nobody 20 | group nogroup 21 | comp-lzo no 22 | 23 | ### Route Configurations Below 24 | route 192.168.254.0 255.255.255.0 25 | 26 | ### Push Configurations Below 27 | push "dhcp-option DNS 8.8.8.8" 28 | push "dhcp-option DNS 8.8.4.4" 29 | push "comp-lzo no" 30 | -------------------------------------------------------------------------------- /openvpn/serverstart.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | # Location of config files 4 | cd /etc/openvpn 5 | 6 | # KEMs chosen will be taken from the system-wide openssl.cnf file 7 | # overrule the colon-separated list by using the option --tls-groups 8 | 9 | # if env var not set, chose default certificate signature algorithm 10 | if [ -z "$OQSIGALG" ]; then 11 | OQSSIGALG="mldsa65" 12 | fi 13 | 14 | if [ ! -f ca_cert.crt ]; then 15 | echo "CA file missing. Generating using $OQSSIGALG as signature algorithm..." 16 | createcerts_and_config.sh $OQSSIGALG 17 | fi 18 | 19 | if [ -z "$TLS_GROUPS" ]; then 20 | openvpn --config server.config 21 | else 22 | openvpn --config server.config --tls-groups $TLS_GROUPS 23 | fi 24 | 25 | 26 | 27 | -------------------------------------------------------------------------------- /openvpn/test.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | # name of OQS signature algorithm to use for TLS auth key/certs 4 | export OQS_SIGALG="p521_falcon1024" 5 | 6 | # name of volume to contain all certs and configs 7 | export OQS_DATA="ovpn-data-oqstest" 8 | 9 | # name of docker network to use for testing 10 | export OQS_NETWORK="oqsopenvpntestnet" 11 | 12 | # DNS name of test server 13 | export OQS_SERVER="oqsopenvpnserver" 14 | 15 | # DNS name of test client 16 | export OQS_CLIENT="oqsopenvpnclient" 17 | 18 | # name of docker image to run 19 | export OQS_OPENVPN_DOCKERIMAGE="oqs-openvpn" 20 | 21 | if [ ! -z "$1" ]; then 22 | export OQS_SIGALG=$1 23 | fi 24 | 25 | RC=0 26 | 27 | echo "Creating test volume $OQS_DATA and test network $OQS_NETWORK" 28 | docker volume create --name $OQS_DATA && docker network create $OQS_NETWORK 29 | 30 | if [ $? -ne 0 ]; then 31 | echo "Could not create volume and network. Exiting." 32 | exit 1 33 | fi 34 | echo "Test volume $OQS_DATA and test network $OQS_NETWORK created successfully" 35 | 36 | # use docker image to create certs and openvpn config 37 | echo "Creating test certs and config" 38 | docker run -e OQSSIGALG=$OQS_SIGALG -e SERVERFQDN=$OQS_SERVER -e CLIENTFQDN=$OQS_CLIENT -v $OQS_DATA:/config/openvpn --rm $OQS_OPENVPN_DOCKERIMAGE sh -c "cd /config/openvpn && createcerts_and_config.sh" 39 | 40 | if [ $? -ne 0 ]; then 41 | echo "Could not create certs and config correctly. Exiting." 42 | RC=1 43 | fi 44 | echo "Test certs and config created successfully" 45 | 46 | echo "Starting test openvpn server and client" 47 | # OQS server & test client: 48 | if [ -z "$2" ]; then 49 | # use default TLS_GROUPS 50 | docker run --rm --name $OQS_SERVER --net $OQS_NETWORK -v $OQS_DATA:/etc/openvpn -d --cap-add=NET_ADMIN --cap-add=MKNOD --device /dev/net/tun $OQS_OPENVPN_DOCKERIMAGE 51 | docker run --rm --name $OQS_CLIENT --net $OQS_NETWORK -v $OQS_DATA:/etc/openvpn --cap-add=NET_ADMIN --cap-add=MKNOD --device /dev/net/tun -d $OQS_OPENVPN_DOCKERIMAGE clientstart.sh 52 | else 53 | # assume the first parameter to be (a list of) TLS_GROUPS to be utilized: 54 | docker run -e TLS_GROUPS=$2 --rm --name $OQS_SERVER --net $OQS_NETWORK -v $OQS_DATA:/etc/openvpn -d --cap-add=NET_ADMIN --cap-add=MKNOD --device /dev/net/tun oqs-openvpn 55 | docker run -e TLS_GROUPS=$2 --rm --name $OQS_CLIENT --net $OQS_NETWORK -v $OQS_DATA:/etc/openvpn --cap-add=NET_ADMIN --cap-add=MKNOD --device /dev/net/tun -d oqs-openvpn clientstart.sh 56 | fi 57 | 58 | # Allow time to start up 59 | sleep 3 60 | echo "Startup completed, checking initialization worked OK" 61 | # Check that initialization went OK for both server and client: 62 | docker logs $OQS_SERVER | grep "Initialization Sequence Completed" 63 | if [ $? -ne 0 ]; then 64 | echo "Error initializing server." 65 | RC=1 66 | fi 67 | docker logs $OQS_CLIENT | grep "Initialization Sequence Completed" 68 | if [ $? -ne 0 ]; then 69 | echo "Error initializing client." 70 | RC=1 71 | fi 72 | 73 | # cleanup 74 | docker kill $OQS_SERVER $OQS_CLIENT 75 | docker network rm $OQS_NETWORK 76 | # Allow time to clean data structures 77 | sleep 3 78 | docker volume rm $OQS_DATA 79 | if [ $RC -eq 0 ]; then 80 | echo "Test completed successfully" 81 | else 82 | echo "Test failed." 83 | fi 84 | exit $RC 85 | -------------------------------------------------------------------------------- /scripts/buildnpush.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | # Helper script to build supported docker images for a specific liboqs/oqsprovider tag/branch and push to docker hub 4 | # It assumes the user has already successfully logged in to the docker hub namespace used 5 | 6 | # set to ascertain docker build cache is not used 7 | #export NOCACHE="--no-cache" 8 | 9 | # docker hub name space to push images to 10 | export OQS_REPO=openquantumsafe 11 | 12 | # docker image tag to set 13 | export RELEASE_TAG=0.9.2 14 | 15 | # liboqs release/tag/branch to build 16 | export LIBOQS_TAG=0.9.2 17 | # oqsprovider release/tag/branch to build 18 | export OQSPROVIDER_TAG=0.5.3 19 | 20 | cd curl && docker build $NOCACHE --build-arg LIBOQS_TAG=$LIBOQS_TAG --build-arg OQSPROVIDER_TAG=$OQSPROVIDER_TAG -t $OQS_REPO/curl:$RELEASE_TAG . && cd .. 21 | cd curl && docker build $NOCACHE --build-arg LIBOQS_TAG=$LIBOQS_TAG --build-arg OQSPROVIDER_TAG=$OQSPROVIDER_TAG --target dev -t $OQS_REPO/curl-dev:$RELEASE_TAG . && cd .. 22 | cd httpd && docker build $NOCACHE --build-arg LIBOQS_TAG=$LIBOQS_TAG --build-arg OQSPROVIDER_TAG=$OQSPROVIDER_TAG -t $OQS_REPO/httpd:$RELEASE_TAG . && cd .. 23 | cd nginx && docker build $NOCACHE --build-arg LIBOQS_TAG=$LIBOQS_TAG --build-arg OQSPROVIDER_TAG=$OQSPROVIDER_TAG -t $OQS_REPO/nginx:$RELEASE_TAG . && cd .. 24 | cd openssl3 && docker build $NOCACHE --build-arg LIBOQS_TAG=$LIBOQS_TAG --build-arg OQSPROVIDER_TAG=$OQSPROVIDER_TAG -t $OQS_REPO/oqs-openssl3:$RELEASE_TAG . && cd .. 25 | cd openvpn && docker build $NOCACHE --build-arg LIBOQS_TAG=$LIBOQS_TAG --build-arg OQSPROVIDER_TAG=$OQSPROVIDER_TAG -t $OQS_REPO/openvpn:$RELEASE_TAG . && cd .. 26 | cd epiphany && docker build $NOCACHE --build-arg LIBOQS_TAG=$LIBOQS_TAG --build-arg OQSPROVIDER_TAG=$OQSPROVIDER_TAG -t $OQS_REPO/epiphany:$RELEASE_TAG . && cd .. 27 | cd h2load && docker build $NOCACHE --build-arg LIBOQS_TAG=$LIBOQS_TAG --build-arg OQSPROVIDER_TAG=$OQSPROVIDER_TAG -t $OQS_REPO/h2load:$RELEASE_TAG . && cd .. 28 | cd ngtcp2 && docker build $NOCACHE --build-arg LIBOQS_TAG=$LIBOQS_TAG --build-arg OQSPROVIDER_TAG=$OQSPROVIDER_TAG -f Dockerfile-client -t $OQS_REPO/ngtcp2-client:$RELEASE_TAG . && cd .. 29 | cd ngtcp2 && docker build $NOCACHE --build-arg LIBOQS_TAG=$LIBOQS_TAG --build-arg OQSPROVIDER_TAG=$OQSPROVIDER_TAG -f Dockerfile-server -t $OQS_REPO/ngtcp2-server:$RELEASE_TAG . && cd .. 30 | 31 | docker push $OQS_REPO/curl:$RELEASE_TAG && docker push $OQS_REPO/curl-dev:$RELEASE_TAG && docker push $OQS_REPO/httpd:$RELEASE_TAG && docker push $OQS_REPO/nginx:$RELEASE_TAG && docker push $OQS_REPO/oqs-openssl3:$RELEASE_TAG && docker push $OQS_REPO/openvpn:$RELEASE_TAG && docker push $OQS_REPO/epiphany:$RELEASE_TAG && docker push $OQS_REPO/h2load:$RELEASE_TAG && docker push $OQS_REPO/ngtcp2-client:$RELEASE_TAG && docker push $OQS_REPO/ngtcp2-server:$RELEASE_TAG 32 | -------------------------------------------------------------------------------- /wireshark/README.md: -------------------------------------------------------------------------------- 1 | This project provides a Docker image to build [Wireshark](https://www.wireshark.org/) with quantum-safe cryptography 2 | support through the [Open Quantum Safe (OQS) provider](https://github.com/open-quantum-safe/oqs-provider). This Docker 3 | image allows Wireshark to analyze network traffic encrypted with post-quantum cryptographic protocols. 4 | 5 | ## System Requirements 6 | 7 | - **Docker**: Ensure [Docker](https://docs.docker.com/get-docker/) is installed and running on your system. 8 | - **X-Window System (for GUI Display)**: 9 | - **Linux**: 10 | - Run the following commands to allow Docker to access the display: 11 | ``` 12 | xhost +local 13 | export DISPLAY=:0 14 | ``` 15 | - **Windows**: 16 | - Install an X server such as [VcXsrv](https://sourceforge.net/projects/vcxsrv/) and configure it with the 17 | following options: 18 | - **Disable access control** 19 | - **Disable native OpenGL** 20 | - In PowerShell, set the display environment variable: 21 | ``` 22 | $env:DISPLAY=":0" 23 | ``` 24 | - **macOS**: 25 | - Ensure [XQuartz](https://www.xquartz.org) is installed and running. 26 | - Enable **"Allow connections from network clients"** under **XQuartz Preferences > Security**. 27 | - Run the following command in the terminal to allow Docker to access the display: 28 | ```sh 29 | xhost + 30 | ``` 31 | - Set the display environment variable in the terminal: 32 | ```sh 33 | export DISPLAY=host.docker.internal:0 34 | ``` 35 | **Notes:** 36 | - Every time you open XQuartz, you need to run `xhost +` and `export DISPLAY=host.docker.internal:0` again. 37 | - Replace `` with your system's IP address. Use `:0` as the default display port unless configured 38 | otherwise. 39 | ## Building Instructions 40 | 41 | Run the following commands to build and launch Wireshark with OQS support: 42 | 43 | ``` 44 | git clone https://github.com/open-quantum-safe/oqs-demos 45 | cd oqs-demos/wireshark 46 | docker build -t oqs-wireshark . 47 | docker run --rm -it --net=host -e DISPLAY=$DISPLAY -v /tmp/.X11-unix:/tmp/.X11-unix oqs-wireshark 48 | ``` 49 | 50 | ### Explanation of Docker Options 51 | 52 | - `--net=host`: Shares the host network with the container. 53 | - `-e DISPLAY`: Sets the display variable for GUI. 54 | - `-v /tmp/.X11-unix:/tmp/.X11-unix`: Mounts the X11 Unix socket for GUI access. 55 | 56 | ## Project Components 57 | 58 | 1. **Dockerfile**: Builds Wireshark with OpenSSL, liboqs, and OQS provider. 59 | 2. **generate_qsc_header.py**: Processes `oqs-provider/oqs-template/generate.yml` with the `qsc_template.jinja2` to 60 | generate `qsc.h`, 61 | defining post-quantum KEMs and SIGs for Wireshark. 62 | 63 | ## Usage 64 | 65 | For detailed usage instructions, refer to [USAGE.md](USAGE.md). 66 | 67 | ## Build Configuration and Updates 68 | 69 | Customize the build using the following Dockerfile arguments: 70 | 71 | - **`UBUNTU_VERSION`**: Specifies the Ubuntu version. 72 | - **`WIRESHARK_VERSION`**: Defines the Wireshark version to build. 73 | - **`OPENSSL_TAG`**: Sets the OpenSSL version to build. 74 | - **`LIBOQS_TAG`**: Specifies the liboqs version to include. 75 | - **`OQSPROVIDER_TAG`**: Defines the Open Quantum Safe provider version. 76 | - **`INSTALLDIR`**: Sets the installation path for OQS libraries. 77 | 78 | To keep the build up-to-date, update the arguments as needed to include the latest versions. -------------------------------------------------------------------------------- /wireshark/USAGE.md: -------------------------------------------------------------------------------- 1 | This project enables [Wireshark](https://www.wireshark.org/) to analyze network traffic encrypted with post-quantum 2 | cryptographic protocols 3 | support through the [Open Quantum Safe (OQS) provider](https://github.com/open-quantum-safe/oqs-provider). 4 | 5 | ## Running Wireshark 6 | 7 | You can run the Wireshark Docker container on Linux, Windows, or macOS using the following command: 8 | 9 | ``` 10 | docker run --rm -it --net=host -e DISPLAY=$DISPLAY -v /tmp/.X11-unix:/tmp/.X11-unix oqs-wireshark 11 | ``` 12 | 13 | Once Wireshark is running, you can [use it as you normally would](https://www.wireshark.org/docs/), 14 | such as selecting a network interface to capture and analyze traffic. 15 | 16 | ## Testing quantum-safe Protocols 17 | 18 | ### 1. Filter by Quantum-Safe Protocols 19 | 20 | Use the following Wireshark display filter to isolate quantum-safe TLS traffic: 21 | 22 | ``` 23 | tls && ip.addr == 24 | ``` 25 | 26 | **Explanation:** 27 | The filter isolates traffic that uses the TLS protocol to or from the specified IP 28 | address. Replace `` with the resolved IP address (use tools 29 | like `ping` to find the IP). 30 | 31 | ### 2. Test Quantum-Safe Connections 32 | 33 | Run the following command to test a quantum-safe TLS connection: 34 | 35 | ``` 36 | docker run --rm -it openquantumsafe/curl sh -c "curl -k https://test.openquantumsafe.org:6069 --curves kyber1024" 37 | ``` 38 | 39 | **Explanation:** 40 | Replace `6069` with the port number and `kyber1024` with the name of the quantum-safe cryptographic 41 | algorithm you wish to test. Refer to the [Open Quantum Safe test page](https://test.openquantumsafe.org/) for the full 42 | list of supported protocols. -------------------------------------------------------------------------------- /wireshark/generate_qsc_header.py: -------------------------------------------------------------------------------- 1 | import yaml 2 | from jinja2 import Environment, FileSystemLoader 3 | 4 | with open("generate.yml", "r") as file: 5 | data = yaml.safe_load(file) 6 | 7 | env = Environment(loader=FileSystemLoader(".")) 8 | template = env.get_template("qsc_template.jinja2") 9 | 10 | output = template.render(data=data) 11 | 12 | with open("qsc.h", "w") as output_file: 13 | output_file.write(output) 14 | 15 | print("qsc.h has been successfully generated!") -------------------------------------------------------------------------------- /wireshark/qsc_template.jinja2: -------------------------------------------------------------------------------- 1 | #ifndef QSC_H 2 | #define QSC_H 3 | 4 | // (QSC_KEMS) 5 | #define QSC_KEMS \ 6 | {%- for kem in data.kems if kem.nid and kem.name_group %} 7 | { {{- kem.nid -}},"{{- kem.name_group -}}"},\ {# Notice the removal of space before `}` #} 8 | {%- if kem.nid_hybrid %} 9 | { {{- kem.nid_hybrid -}},"p{{- kem.nid_hybrid|int('16')|length * 64 -}}_{{- kem.name_group -}}"},\ 10 | {%- endif %} 11 | {%- if kem.extra_nids %} 12 | {%- for extra in kem.extra_nids.current if extra.nid and extra.hybrid_group %} 13 | { {{- extra.nid -}},"{{- extra.hybrid_group -}}_{{- kem.name_group -}}"},\ 14 | {%- endfor %} 15 | {%- for extra in kem.extra_nids.old if extra.nid and extra.hybrid_group %} 16 | { {{- extra.nid -}},"{{- extra.hybrid_group -}}_{{- kem.name_group -}}"},\ 17 | {%- endfor %} 18 | {%- endif %} 19 | {%- endfor %} 20 | 21 | 22 | // (QSC_SIGS) 23 | #define QSC_SIGS \ 24 | {%- for sig in data.sigs %} 25 | {%- for variant in sig.variants if variant.oid and variant.name %} 26 | oid_add_from_string("{{- variant.name -}}","{{- variant.oid -}}");\ 27 | {%- if variant.mix_with %} 28 | {%- for mix in variant.mix_with if mix.oid and mix.name %} 29 | oid_add_from_string("{{- mix.name -}}_{{- variant.name -}}","{{- mix.oid -}}");\ 30 | {%- endfor %} 31 | {%- endif %} 32 | {%- endfor %} 33 | {%- endfor %} 34 | 35 | 36 | // (QSC_SIG_CPS) 37 | #define QSC_SIG_CPS \ 38 | {%- for sig in data.sigs %} 39 | {%- for variant in sig.variants if variant.code_point and variant.name %} 40 | { {{- variant.code_point -}},"{{- variant.name -}}"},\ 41 | {%- endfor %} 42 | {%- for variant in sig.variants if variant.mix_with %} 43 | {%- for mix in variant.mix_with if mix.code_point and mix.name %} 44 | { {{- mix.code_point -}},"{{- mix.name -}}_{{- variant.name -}}"},\ 45 | {%- endfor %} 46 | {%- endfor %} 47 | {%- endfor %} 48 | 49 | #endif // QSC_H 50 | -------------------------------------------------------------------------------- /wireshark/requirements.txt: -------------------------------------------------------------------------------- 1 | Jinja2 2 | PyYAML --------------------------------------------------------------------------------
Signature algorithmKey exchange algorithmPortLink