Add OpenLiteSpeed to oqs-demos (open-quantum-safe#167)

* Add openlitespeed to oqs-demos

README.md

@@ -16,7 +16,7 @@ Currently supported packages:
 | **curl**         | [Github: oqs-demos/curl](curl)         | [Dockerhub: openquantumsafe/curl](https://hub.docker.com/repository/docker/openquantumsafe/curl)                             |
 | **Apache httpd** | [Github: oqs-demos/httpd](httpd)       | [Dockerhub: openquantumsafe/httpd](https://hub.docker.com/repository/docker/openquantumsafe/httpd)                           |
 | **nginx**        | [Github: oqs-demos/nginx](nginx)       | [Dockerhub: openquantumsafe/nginx](https://hub.docker.com/repository/docker/openquantumsafe/nginx)                           |
-| **Chromium**     | [Github: oqs-demos/chromium](chromium) | [Binary for Ubuntu 20](https://github.com/open-quantum-safe/oqs-demos/releases/download/0.7.2/chromium-ubuntu-0.7.2.tgz) |
+| **Chromium** | [Github: oqs-demos/chromium](chromium) | [Binary for Ubuntu 20](https://github.com/open-quantum-safe/oqs-demos/releases/download/0.7.2/chromium-ubuntu-0.7.2.tgz) |
 | **HAproxy**      | [Github: oqs-demos/haproxy](haproxy)   | [Dockerhub: openquantumsafe/haproxy](https://hub.docker.com/repository/docker/openquantumsafe/haproxy)                       |
 | **OpenSSH**      | [Github: oqs-demos/openssh](openssh)   | [Dockerhub: openquantumsafe/openssh](https://hub.docker.com/repository/docker/openquantumsafe/openssh)                       |
 | **Wireshark**    | [Github: oqs-demos/wireshark](wireshark)   | [Dockerhub: openquantumsafe/wireshark](https://hub.docker.com/repository/docker/openquantumsafe/wireshark)                       |
@@ -25,6 +25,7 @@ Currently supported packages:
 | **Mosquitto**         | [Github: oqs-demos/mosquitto](mosquitto)       | [Dockerhub: openquantumsafe/mosquitto](https://hub.docker.com/repository/docker/openquantumsafe/mosquitto)               |
 | **OpenVPN**      | [Github: oqs-demos/openvpn](openvpn)   | [Dockerhub: openquantumsafe/openvpn](https://hub.docker.com/repository/docker/openquantumsafe/openvpn)                       |
 | **ngtcp2**         | [Github: oqs-demos/ngtcp2](ngtcp2)       | Dockerhub: [Server: openquantumsafe/ngtcp2-server](https://hub.docker.com/repository/docker/openquantumsafe/ngtcp2-server), [Client: openquantumsafe/ngtcp2-client](https://hub.docker.com/repository/docker/openquantumsafe/ngtcp2-client)                       |
+| **OpenLiteSpeed**         | [Github: oqs-demos/openlitespeed](openlitespeed)       | [ Dockerhub: openquantumsafe/openlitespeed](https://hub.docker.com/repository/docker/openquantumsafe/openlitespeed)                       |
 
 You can use the openssl (s_client), curl, Chromium and GNOME Web/epiphany clients with the Open Quantum Safe test server at https://test.openquantumsafe.org/.
 

openlitespeed/Dockerfile-server

@@ -0,0 +1,46 @@
+
+FROM ubuntu:focal as builder
+
+ENV TZ=Europe/Zurich
+ENV DEBIAN_FRONTEND=noninteractive
+
+# Update apt software 
+RUN apt update
+
+# Install prerequisites
+RUN apt install git libz-dev libevent-dev cmake gcc ninja-build libunwind-dev pkg-config python3 python3-psutil golang-go -y
+
+WORKDIR /opt
+
+# Download openlitespeed repository
+RUN git clone https://github.com/litespeedtech/openlitespeed.git 
+
+COPY build.sh.patch /opt/
+COPY build_bssl.sh.patch /opt/
+
+# Apply patch to build.sh
+RUN cd openlitespeed && git apply --reject --whitespace=fix /opt/build.sh.patch 
+
+
+# Build and install openlitespeed
+RUN cd openlitespeed && ./build.sh &&  ./install.sh
+
+WORKDIR /root/
+
+# Configuring the server to expose CA.crt on port 80 and to enable QUIC on port 443
+COPY httpd_config.conf /usr/local/lsws/conf/
+
+FROM ubuntu:focal 
+
+ENV TZ=Europe/Zurich
+ENV DEBIAN_FRONTEND=noninteractive
+
+COPY --from=builder /usr/local/lsws/ /usr/local/lsws
+COPY --from=builder /usr/local/lib/liboqs.* /usr/local/lib
+
+RUN ldconfig
+
+RUN apt update && apt install -y openssl net-tools
+WORKDIR /root/
+
+COPY serverstart.sh .

openlitespeed/README.md

@@ -0,0 +1,45 @@
+OpenLiteSpeed
+===============
+[OpenLiteSpeed](https://github.com/litespeedtech/openlitespeed) is the Open Source edition of [LiteSpeed Web Server Enterprise](https://www.litespeedtech.com/). 
+More information about OpenLiteSpeed can be found [here](https://openlitespeed.org/).
+
+## Purpose 
+This directory contains a Dockerfile that builds [OpenLiteSpeed](https://github.com/litespeedtech/openlitespeed) with [OQS-BoringSSL](https://github.com/open-quantum-safe/boringssl), which allows OpenLiteSpeed to negotiate quantum-safe key exchange using [liboqs](https://github.com/open-quantum-safe/liboqs/).
+
+
+
+## Getting started
+
+## Server
+### Building
+Assuming Docker is [installed](https://docs.docker.com/install) the following command
+
+```
+docker build -t lsws -f Dockerfile-server .
+docker network create lsws-test
+docker run --network lsws-test --name lsws -it lsws bash
+```
+
+will run the container for the quantum-safe crypto (QSC) protected OpenLiteSpeed server on the docker network called lsws-test.
+
+### Usage
+Documentation for using the server docker image is contained in the separate [USAGE-server.md](USAGE-server.md) file.
+
+## Client
+
+The QUIC client from https://github.com/open-quantum-safe/oqs-demos/tree/main/quic can be used to test the post quantum key exchange.
+
+The following command
+
+```
+docker run --network lsws-test --name client -it openquantumsafe/msquic-reach bash
+```
+
+runs the container for the QSC-enabled QUIC client on the same network as the server.
+### Usage
+Documentation for using the client docker image is contained in the separate [USAGE-client.md](USAGE-client.md) file.
+
+
+## Disclaimer
+
+[THIS IS NOT FIT FOR PRODUCTION USE](https://github.com/open-quantum-safe/openssl#limitations-and-security).

openlitespeed/USAGE-client.md

@@ -0,0 +1,46 @@
+## Purpose
+Extending the [the initial work by Igor Barshteyn](https://www.linkedin.com/pulse/quic-protocol-quantum-safe-cryptography-presenting-future-igor/) this image integrates quantum safe cryptography (QSC) into the [msquic](https://github.com/microsoft/msquic) software package to allow exercising all QSC algorithm combinations currently supported by the [OpenQuantumSafe](https://www.openquantumsafe.org) project.
+
+
+## Quick start
+Assuming Docker is [installed](https://docs.docker.com/install) the following command
+
+```
+docker run --network lsws-test  --name client -it openquantumsafe/msquic-reach bash
+```
+
+will run the container on the docker network called lsws-test (assuming it has already been created. If not, run `docker network create lsws-test`).
+
+
+### quicreach
+
+The CA certificate should first be downloaded from the server with 
+```
+wget <address>/CA.crt
+```
+
+For example, `wget lsws/CA.crt`
+
+To interact with the openlitespeed server, run 
+```
+SSL_CERT_FILE=CA.crt quicreach <address> --port <port> --stats
+```
+For example, `SSL_CERT_FILE=CA.crt quicreach lsws --port 443 --stats`
+
+The environment variable SSL_CERT_FILE should point to the location of the downloaded CA.crt.
+The address and port should correspond to those of the openlitespeed server.
+
+In order to change the list of algorithms, simply set the environment variable "TLS_DEFAULT_GROUPS" to a list of desired algorithms.
+[See list of quantum-safe key exchange algorithms which the OpenLiteSpeed server supports here](https://github.com/open-quantum-safe/boringssl#key-exchange).
+
+For example, 
+```
+SSL_CERT_FILE=CA.crt TLS_DEFAULT_GROUPS=kyber768:kyber512 quicreach <address> --port <port>
+```
+
+
+For more options, run `quicreach --help`
+
+## Disclaimer
+
+[THIS IS NOT FIT FOR PRODUCTION USE](https://github.com/open-quantum-safe/openssl#limitations-and-security).

openlitespeed/USAGE-server.md

@@ -0,0 +1,42 @@
+## Purpose
+
+This is an [OpenLiteSpeed](https://github.com/litespeedtech/openlitespeed) docker image building on [OQS-BoringSSL](https://github.com/open-quantum-safe/boringssl), which allows OpenLiteSpeed to negotiate quantum-safe keys in TLS 1.3.
+
+
+## Quick start
+Assuming Docker is [installed](https://docs.docker.com/install) the following command
+
+```
+docker network create lsws-test
+docker run --network lsws-test --name lsws -it openquantumsafe/lsws bash
+```
+
+will run the container for the quantum-safe crypto (QSC) protected OpenLiteSpeed server on the docker network called lsws-test.
+
+Run the serverstart.sh script, `/root/serverstart.sh`, to generate certificate and key files and to start the server.
+
+To start the server, run `/usr/local/lsws/bin/lswsctrl start`. For more commands, run `/usr/local/lsws/bin/lswsctrl help`
+
+The document root is  `/usr/local/lsws/Example/html/` 
+
+The CA.crt file is hosted on port 80 and QUIC is enabled on port 443.
+
+### What is WebAdmin Console? 
+It is a GUI interface which makes OpenLiteSpeed configuration so much easier. It uses port 7080.
+
+The WebAdmin Console can be accessed through `your-server-ip:7080`
+For example `172.17.0.2:7080`
+Run `ifconfig` to find your IP address.
+
+To get your WebAdmin Console username and password, run `cat /usr/local/lsws/adminpasswd`
+To reset your WebAdmin Console credentials, run `/usr/local/lsws/admin/misc/admpass.sh`
+
+
+## List of supported key exchange algorithms
+[See list of supported quantum-safe key exchange algorithms here](https://github.com/open-quantum-safe/boringssl#key-exchange)
+
+
+
+## Disclaimer
+
+[THIS IS NOT FIT FOR PRODUCTION USE](https://github.com/open-quantum-safe/openssl#limitations-and-security).

openlitespeed/build.sh.patch

@@ -0,0 +1,23 @@
+diff --git a/build.sh b/build.sh
+index fee6cefb..1e72204f 100755
+--- a/build.sh
++++ b/build.sh
+@@ -514,7 +514,7 @@ if [ ! -d third-party ]; then
+     if [ "${ISLINUX}" != "yes" ] || [ "${ARCH}" != "x86_64" ] ; then
+         sed -i -e "s/psol/ /g"  ./build_ols.sh
+     fi
+-
++    git apply  --reject --whitespace=fix ../../build_bssl.sh.patch
+     ./build_ols.sh
+
+ fi
+@@ -549,6 +549,9 @@ if [ ! -d build ]; then
+ fi
+ cd build
+ cmake -DCMAKE_BUILD_TYPE=$BUILD ..
++# Add -loqs in link.txt
++sed -i ' 1 s/.*/&-loqs/' src/CMakeFiles/openlitespeed.dir/link.txt
++
+ jobs=$(nproc)
+ make -j${jobs}
+ cd ..

openlitespeed/build_bssl.sh.patch

@@ -0,0 +1,65 @@
+diff --git a/script/build_bssl.sh b/script/build_bssl.sh
+index cb7f229..60e0822 100755
+--- a/script/build_bssl.sh
++++ b/script/build_bssl.sh
+@@ -6,7 +6,11 @@ cd src
+
+
+ if [ ! -d "boringssl" ]; then
+-    git clone https://github.com/google/boringssl.git
++    # download boringssl and liboqs from oqs
++    echo "Downloading oqs boringssl"
++    git clone --branch master https://github.com/open-quantum-safe/boringssl.git
++
++    git clone --branch main --single-branch --depth 1 https://github.com/open-quantum-safe/liboqs.git
+ fi
+
+ if [ -d "go" ]; then
+@@ -17,9 +21,6 @@ echo $PATH
+ fi
+
+ cd boringssl
+-git reset --hard
+-git checkout master
+-git pull
+
+ #git checkout 49de1fc291
+ #git checkout bfe527fa35735e8e045cbfb42b012e13ca68f9cf
+@@ -27,7 +28,7 @@ git pull
+ #git checkout b117a3a0b7bd11fe6ebd503ec6b45d6b910b41a1
+ # HTTP/3 v1 and ID-34 support
+ #git checkout a2278d4d2cabe73f6663e3299ea7808edfa306b9
+-git checkout cf8d3ad3cea51cf7184307d54f465da62b7d8408
++# git checkout cf8d3ad3cea51cf7184307d54f465da62b7d8408
+
+ rm -rf build
+
+@@ -37,8 +38,13 @@ patch -p1 < ../../patches/boringssl/bssl_max_early_data_sz.patch
+ #patch -p1 < ../../patches/boringssl/bssl_no_eoed.patch
+ sed -i -e "s/-Werror//" CMakeLists.txt
+
+-mkdir build
+-cd build
++# Build liboqs both as shared and static library
++cd ../liboqs && mkdir build-static && cd build-static && cmake -G"Ninja" -DCMAKE_INSTALL_PREFIX=/opt/third-party/src/boringssl/oqs -DOQS_USE_OPENSSL=OFF .. && ninja && ninja install
++cd .. && mkdir build && cd build && cmake -G"Ninja" -DBUILD_SHARED_LIBS=ON -DCMAKE_INSTALL_PREFIX=/opt/third-party/src/boringssl/oqs -DOQS_USE_OPENSSL=OFF .. && ninja && ninja install
++
++cp /opt/third-party/src/liboqs/build/lib/liboqs.so.2 /usr/local/lib && ldconfig
++cd ../../boringssl && mkdir build && cd build
++
+ cmake ../ -DCMAKE_BUILD_TYPE=RelWithDebInfo -DCMAKE_C_FLAGS="-fPIC" -DCMAKE_CXX_FLAGS="-fPIC"
+ #cmake ../ -DCMAKE_BUILD_TYPE=RelWithDebInfo -DCMAKE_C_FLAGS="-fPIC -DOPENSSL_C11_ATOMIC" -DCMAKE_CXX_FLAGS="-fPIC -DOPENSSL_C11_ATOMIC"
+ make -j4
+@@ -50,9 +56,11 @@ make -j4
+ cd ..
+
+ cp crypto/libcrypto.a ../../../lib
+-cp ssl/libssl.a    ../../../lib
++cp ssl/libssl.a ../../../lib
+ cp decrepit/libdecrepit.a ../../../lib
++cp ../oqs/lib/liboqs* ../../../lib
+
+ cd ..
++cp -r oqs/include/oqs ../../include/
+ cp -r include/openssl ../../include/
+