fix openvpn integration (#336)

* fix openvpn integration

Signed-off-by: Michael Baentsch <57787676+baentsch@users.noreply.github.com>

---------

Signed-off-by: Michael Baentsch <57787676+baentsch@users.noreply.github.com>
Co-authored-by: Spencer Wilson <spencer.wilson@uwaterloo.ca>

.github/workflows/openvpn.yml

@@ -73,7 +73,7 @@ jobs:
       - name: Test openvpn
         working-directory: ./openvpn
         run: |
-          sh ./test.sh dilithium5 p521_kyber1024
+          sh ./test.sh mldsa87 p521_mlkem1024
 
       - name: Push Docker image to registries
         if: env.push == 'true'

openvpn/Dockerfile

@@ -24,7 +24,7 @@ ARG LIBOQS_BUILD_DEFINES="-DOQS_DIST_BUILD=ON"
 ARG MAKE_DEFINES="-j 4"
 
 # Default KEM algorithms to be utilized
-ARG KEM_ALGLIST="kyber768:p384_kyber768"
+ARG KEM_ALGLIST="mlkem768:p384_mlkem768"
 
 FROM debian:bullseye AS intermediate
 # Take in all global args
@@ -38,9 +38,9 @@ ARG MAKE_DEFINES
 ARG KEM_ALGLIST
 ARG OPENVPNDIR
 
-LABEL version "2"
+LABEL version="3"
 
-ENV DEBIAN_FRONTEND noninteractive
+ENV DEBIAN_FRONTEND=noninteractive
 
 RUN apt update && apt -y upgrade
 

openvpn/README.md

@@ -46,4 +46,4 @@ The default is conservative and known not to overload normal machines. If one ha
 
 Defines the list of QSC KEM algorithms to be supported by default. This value is colon separated and inserted into the system-wide `openssl.cnf` configuration file defining the behaviour of the OpenSSL3 library embedded into the OpenVPN code base.
 
-The default value is "kyber768:p384_kyber768". Any algorithm name(s) [supported by OQS OpenSSL 3 provider](https://github.com/open-quantum-safe/oqs-provider#algorithms) can be chosen instead.
+The default value is "mlkem768:p384_mlkem768". Any algorithm name(s) [supported by OQS OpenSSL 3 provider](https://github.com/open-quantum-safe/oqs-provider#algorithms) can be chosen instead.

openvpn/USAGE.md

@@ -20,7 +20,7 @@ The required scripting for generating all keys, certificates and configuration f
 
     docker run -e OQSSIGALG=$OQS_SIGALG -e SERVERFQDN=$OQS_SERVER -e CLIENTFQDN=$OQS_CLIENT -v $OQS_DATA:/config/openvpn --rm openquantumsafe/openvpn sh -c "cd /config/openvpn && createcerts_and_config.sh"
 
-This generates all required configuration information into the docker volume. The mandatory environment variables `SERVERFQDN` and `CLIENTFQDN` must contain the FQDN of the server and the client respectively running the instance. The optional environment variable `OQSSIGALG` may contain the name of any of the [supported OQS PQ signature algorithms](https://github.com/open-quantum-safe/oqs-provider#algorithms); if not set, the default value "dilithium3" is used for creation of client and server keys and certificates.
+This generates all required configuration information into the docker volume. The mandatory environment variables `SERVERFQDN` and `CLIENTFQDN` must contain the FQDN of the server and the client respectively running the instance. The optional environment variable `OQSSIGALG` may contain the name of any of the [supported OQS PQ signature algorithms](https://github.com/open-quantum-safe/oqs-provider#algorithms); if not set, the default value "mldsa65" is used for creation of client and server keys and certificates.
 
 Additionally, information for connecting to the server is generated into the file `/etc/openvpn/client.config` and can be used to connect to the server.
 
@@ -53,19 +53,19 @@ The last three commands clean up all data structures established.
 
 ## Advanced usage options
 
-The docker image has been pre-configured to use the quantum-safe crypto (QSC) algorithm family "Kyber" for key establishment. For TLS1.3 handshaking, the QSC algorithm "dilithium3" is configured by default, but for both algorithm types, any plain or hybrid QSC algorithm can be selected. For the full list of supported OQS KEM and signature algorithms see [here](https://github.com/open-quantum-safe/oqs-provider#algorithms).
+The docker image has been pre-configured to use the quantum-safe crypto (QSC) algorithm family "ML-KEM" for key establishment. For TLS1.3 handshaking, the QSC algorithm "mldsa65" is configured by default, but for both algorithm types, any plain or hybrid QSC algorithm can be selected. For the full list of supported OQS KEM and signature algorithms see [here](https://github.com/open-quantum-safe/oqs-provider#algorithms).
 
 ### TLS_GROUPS
 
 In order to change the list of algorithms, simply set the environment variable "TLS_GROUPS" to a list of desired algorithms, e.g.:
 
-    docker run -e TLS_GROUPS=p384_frodo976aes:kyber768 --rm --name $OQS_SERVER --net $OQS_NETWORK -v $OQS_DATA:/etc/openvpn -d --cap-add=NET_ADMIN openquantumsafe/openvpn
+    docker run -e TLS_GROUPS=p384_frodo976aes:mlkem768 --rm --name $OQS_SERVER --net $OQS_NETWORK -v $OQS_DATA:/etc/openvpn -d --cap-add=NET_ADMIN openquantumsafe/openvpn
 
 ### OQSSIGALG
 
 In order to change the signature algorithm used for performing the TLS authentication, the environment variable "OQSSIGALG" can be set to trigger creation of the required keys and certificates for the TLS1.3 handshake, e.g.:
 
-    docker run -e OQSSIGALG=p521_dilithium5 -e SERVERFQDN=$OQS_SERVER -e CLIENTFQDN=$OQS_CLIENT -v $OQS_DATA:/config/openvpn --rm openquantumsafe/openvpn sh -c "cd /config/openvpn && createcerts_and_config.sh"
+    docker run -e OQSSIGALG=p521_mldsa87 -e SERVERFQDN=$OQS_SERVER -e CLIENTFQDN=$OQS_CLIENT -v $OQS_DATA:/config/openvpn --rm openquantumsafe/openvpn sh -c "cd /config/openvpn && createcerts_and_config.sh"
 
 ## Disclaimer
 

openvpn/clientstart.sh

@@ -1,8 +1,5 @@
 #!/bin/bash
 
-mkdir -p /dev/net
-mknod /dev/net/tun c 10 200
-
 # KEMs chosen will be taken from the system-wide openssl.cnf file
 # overrule the colon-separated list by using the option --tls-groups
 

openvpn/createcerts_and_config.sh

@@ -2,7 +2,7 @@
 
 # if env var not set, chose default certificate signature algorithm
 if [ -z "$OQSSIGALG" ]; then
-   OQSSIGALG="dilithium3"
+   OQSSIGALG="mldsa65"
 fi
 
 if [ -z "$SERVERFQDN" ]; then

openvpn/openvpn-openssl.cnf

@@ -61,7 +61,7 @@ ssl_conf = ssl_sect
 system_default = system_default_sect
 
 [system_default_sect]
-Groups = kyber768:p384_kyber768
+Groups = mlkem768:p384_mlkem768
 
 
 # List of providers to load

openvpn/serverstart.sh

@@ -1,8 +1,5 @@
 #!/bin/bash
 
-mkdir -p /dev/net
-mknod /dev/net/tun c 10 200
-
 # Location of config files
 cd /etc/openvpn
 
@@ -11,7 +8,7 @@ cd /etc/openvpn
 
 # if env var not set, chose default certificate signature algorithm
 if [ -z "$OQSIGALG" ]; then
-   OQSSIGALG="dilithium3"
+   OQSSIGALG="mldsa65"
 fi
 
 if [ ! -f ca_cert.crt ]; then

openvpn/test.sh

@@ -47,12 +47,12 @@ echo "Starting test openvpn server and client"
 # OQS server & test client:
 if [ -z "$2" ]; then
    # use default TLS_GROUPS
-   docker run --rm --name $OQS_SERVER --net $OQS_NETWORK -v $OQS_DATA:/etc/openvpn -d --cap-add=NET_ADMIN $OQS_OPENVPN_DOCKERIMAGE
-   docker run --rm --name $OQS_CLIENT --net $OQS_NETWORK -v $OQS_DATA:/etc/openvpn --cap-add=NET_ADMIN -d $OQS_OPENVPN_DOCKERIMAGE clientstart.sh
+   docker run --rm --name $OQS_SERVER --net $OQS_NETWORK -v $OQS_DATA:/etc/openvpn -d --cap-add=NET_ADMIN --cap-add=MKNOD --device /dev/net/tun $OQS_OPENVPN_DOCKERIMAGE
+   docker run --rm --name $OQS_CLIENT --net $OQS_NETWORK -v $OQS_DATA:/etc/openvpn --cap-add=NET_ADMIN --cap-add=MKNOD --device /dev/net/tun -d $OQS_OPENVPN_DOCKERIMAGE clientstart.sh
 else
    # assume the first parameter to be (a list of) TLS_GROUPS to be utilized:
-   docker run -e TLS_GROUPS=$2 --rm --name $OQS_SERVER --net $OQS_NETWORK -v $OQS_DATA:/etc/openvpn -d --cap-add=NET_ADMIN oqs-openvpn
-   docker run -e TLS_GROUPS=$2 --rm --name $OQS_CLIENT --net $OQS_NETWORK -v $OQS_DATA:/etc/openvpn --cap-add=NET_ADMIN -d oqs-openvpn clientstart.sh
+   docker run -e TLS_GROUPS=$2 --rm --name $OQS_SERVER --net $OQS_NETWORK -v $OQS_DATA:/etc/openvpn -d --cap-add=NET_ADMIN --cap-add=MKNOD --device /dev/net/tun oqs-openvpn
+   docker run -e TLS_GROUPS=$2 --rm --name $OQS_CLIENT --net $OQS_NETWORK -v $OQS_DATA:/etc/openvpn --cap-add=NET_ADMIN --cap-add=MKNOD --device /dev/net/tun -d oqs-openvpn clientstart.sh
 fi
 
 # Allow time to start up