From 22ba91619df7c3d899a20549390e201986b9afde Mon Sep 17 00:00:00 2001
From: Michael Baentsch <57787676+baentsch@users.noreply.github.com>
Date: Mon, 23 Dec 2024 07:14:32 +0100
Subject: [PATCH] fix openvpn integration (#336)

* fix openvpn integration

Signed-off-by: Michael Baentsch <57787676+baentsch@users.noreply.github.com>

---------

Signed-off-by: Michael Baentsch <57787676+baentsch@users.noreply.github.com>
Co-authored-by: Spencer Wilson
---
 .github/workflows/openvpn.yml | 2 +-
 openvpn/Dockerfile | 6 +++---
 openvpn/README.md | 2 +-
 openvpn/USAGE.md | 8 ++++----
 openvpn/clientstart.sh | 3 ---
 openvpn/createcerts_and_config.sh | 2 +-
 openvpn/openvpn-openssl.cnf | 2 +-
 openvpn/serverstart.sh | 5 +----
 openvpn/test.sh | 8 ++++----
 9 files changed, 16 insertions(+), 22 deletions(-)

diff --git a/.github/workflows/openvpn.yml b/.github/workflows/openvpn.yml
index 178b3135..67900603 100644
--- a/.github/workflows/openvpn.yml
+++ b/.github/workflows/openvpn.yml
@@ -73,7 +73,7 @@ jobs:
 - name: Test openvpn
 working-directory: ./openvpn
 run: |
- sh ./test.sh dilithium5 p521_kyber1024
+ sh ./test.sh mldsa87 p521_mlkem1024
 - name: Push Docker image to registries
 if: env.push == 'true'
diff --git a/openvpn/Dockerfile b/openvpn/Dockerfile
index 890ca669..03cd890e 100644
--- a/openvpn/Dockerfile
+++ b/openvpn/Dockerfile
@@ -24,7 +24,7 @@ ARG LIBOQS_BUILD_DEFINES="-DOQS_DIST_BUILD=ON"
 ARG MAKE_DEFINES="-j 4"
 # Default KEM algorithms to be utilized
-ARG KEM_ALGLIST="kyber768:p384_kyber768"
+ARG KEM_ALGLIST="mlkem768:p384_mlkem768"
 FROM debian:bullseye AS intermediate
 # Take in all global args
@@ -38,9 +38,9 @@ ARG MAKE_DEFINES
 ARG KEM_ALGLIST
 ARG OPENVPNDIR
-LABEL version "2"
+LABEL version="3"
-ENV DEBIAN_FRONTEND noninteractive
+ENV DEBIAN_FRONTEND=noninteractive
 RUN apt update && apt -y upgrade
diff --git a/openvpn/README.md b/openvpn/README.md
index 7d74daad..b073103f 100644
--- a/openvpn/README.md
+++ b/openvpn/README.md
@@ -46,4 +46,4 @@ The default is conservative and known not to overload normal machines. If one ha
 Defines the list of QSC KEM algorithms to be supported by default. This value is colon separated and inserted into the system-wide `openssl.cnf` configuration file defining the behaviour of the OpenSSL3 library embedded into the OpenVPN code base.
-The default value is "kyber768:p384_kyber768". Any algorithm name(s) [supported by OQS OpenSSL 3 provider](https://github.com/open-quantum-safe/oqs-provider#algorithms) can be chosen instead.
+The default value is "mlkem768:p384_mlkem768". Any algorithm name(s) [supported by OQS OpenSSL 3 provider](https://github.com/open-quantum-safe/oqs-provider#algorithms) can be chosen instead.
diff --git a/openvpn/USAGE.md b/openvpn/USAGE.md
index 5cd6498f..ade9694c 100644
--- a/openvpn/USAGE.md
+++ b/openvpn/USAGE.md
@@ -20,7 +20,7 @@ The required scripting for generating all keys, certificates and configuration f
 docker run -e OQSSIGALG=$OQS_SIGALG -e SERVERFQDN=$OQS_SERVER -e CLIENTFQDN=$OQS_CLIENT -v $OQS_DATA:/config/openvpn --rm openquantumsafe/openvpn sh -c "cd /config/openvpn && createcerts_and_config.sh"
-This generates all required configuration information into the docker volume. The mandatory environment variables `SERVERFQDN` and `CLIENTFQDN` must contain the FQDN of the server and the client respectively running the instance. The optional environment variable `OQSSIGALG` may contain the name of any of the [supported OQS PQ signature algorithms](https://github.com/open-quantum-safe/oqs-provider#algorithms); if not set, the default value "dilithium3" is used for creation of client and server keys and certificates.
+This generates all required configuration information into the docker volume. The mandatory environment variables `SERVERFQDN` and `CLIENTFQDN` must contain the FQDN of the server and the client respectively running the instance. The optional environment variable `OQSSIGALG` may contain the name of any of the [supported OQS PQ signature algorithms](https://github.com/open-quantum-safe/oqs-provider#algorithms); if not set, the default value "mldsa65" is used for creation of client and server keys and certificates.
 Additionally, information for connecting to the server is generated into the file `/etc/openvpn/client.config` and can be used to connect to the server.
@@ -53,19 +53,19 @@ The last three commands clean up all data structures established.
 ## Advanced usage options
-The docker image has been pre-configured to use the quantum-safe crypto (QSC) algorithm family "Kyber" for key establishment. For TLS1.3 handshaking, the QSC algorithm "dilithium3" is configured by default, but for both algorithm types, any plain or hybrid QSC algorithm can be selected. For the full list of supported OQS KEM and signature algorithms see [here](https://github.com/open-quantum-safe/oqs-provider#algorithms).
+The docker image has been pre-configured to use the quantum-safe crypto (QSC) algorithm family "ML-KEM" for key establishment. For TLS1.3 handshaking, the QSC algorithm "mldsa65" is configured by default, but for both algorithm types, any plain or hybrid QSC algorithm can be selected. For the full list of supported OQS KEM and signature algorithms see [here](https://github.com/open-quantum-safe/oqs-provider#algorithms).
 ### TLS_GROUPS
 In order to change the list of algorithms, simply set the environment variable "TLS_GROUPS" to a list of desired algorithms, e.g.:
- docker run -e TLS_GROUPS=p384_frodo976aes:kyber768 --rm --name $OQS_SERVER --net $OQS_NETWORK -v $OQS_DATA:/etc/openvpn -d --cap-add=NET_ADMIN openquantumsafe/openvpn
+ docker run -e TLS_GROUPS=p384_frodo976aes:mlkem768 --rm --name $OQS_SERVER --net $OQS_NETWORK -v $OQS_DATA:/etc/openvpn -d --cap-add=NET_ADMIN openquantumsafe/openvpn
 ### OQSSIGALG
 In order to change the signature algorithm used for performing the TLS authentication, the environment variable "OQSSIGALG" can be set to trigger creation of the required keys and certificates for the TLS1.3 handshake, e.g.:
- docker run -e OQSSIGALG=p521_dilithium5 -e SERVERFQDN=$OQS_SERVER -e CLIENTFQDN=$OQS_CLIENT -v $OQS_DATA:/config/openvpn --rm openquantumsafe/openvpn sh -c "cd /config/openvpn && createcerts_and_config.sh"
+ docker run -e OQSSIGALG=p521_mldsa87 -e SERVERFQDN=$OQS_SERVER -e CLIENTFQDN=$OQS_CLIENT -v 
$OQS_DATA:/config/openvpn --rm openquantumsafe/openvpn sh -c "cd /config/openvpn && createcerts_and_config.sh"
 ## Disclaimer
diff --git a/openvpn/clientstart.sh b/openvpn/clientstart.sh
index 22f2f62b..658a3911 100755
--- a/openvpn/clientstart.sh
+++ b/openvpn/clientstart.sh
@@ -1,8 +1,5 @@
 #!/bin/bash
-mkdir -p /dev/net
-mknod /dev/net/tun c 10 200
-
 # KEMs chosen will be taken from the system-wide openssl.cnf file
 # overrule the colon-separated list by using the option --tls-groups
diff --git a/openvpn/createcerts_and_config.sh b/openvpn/createcerts_and_config.sh
index 616fd42b..4fd08db1 100755
--- a/openvpn/createcerts_and_config.sh
+++ b/openvpn/createcerts_and_config.sh
@@ -2,7 +2,7 @@
 # if env var not set, chose default certificate signature algorithm
 if [ -z "$OQSSIGALG" ]; then
- OQSSIGALG="dilithium3"
+ OQSSIGALG="mldsa65"
 fi
 if [ -z "$SERVERFQDN" ]; then
diff --git a/openvpn/openvpn-openssl.cnf b/openvpn/openvpn-openssl.cnf
index 073c10de..0e38f246 100644
--- a/openvpn/openvpn-openssl.cnf
+++ b/openvpn/openvpn-openssl.cnf
@@ -61,7 +61,7 @@ ssl_conf = ssl_sect
 system_default = system_default_sect
 [system_default_sect]
-Groups = kyber768:p384_kyber768
+Groups = mlkem768:p384_mlkem768
 # List of providers to load
diff --git a/openvpn/serverstart.sh b/openvpn/serverstart.sh
index c8276051..059d5aa3 100755
--- a/openvpn/serverstart.sh
+++ b/openvpn/serverstart.sh
@@ -1,8 +1,5 @@
 #!/bin/bash
-mkdir -p /dev/net
-mknod /dev/net/tun c 10 200
-
 # Location of config files
 cd /etc/openvpn
@@ -11,7 +8,7 @@ cd /etc/openvpn
 # if env var not set, chose default certificate signature algorithm
 if [ -z "$OQSIGALG" ]; then
- OQSSIGALG="dilithium3"
+ OQSSIGALG="mldsa65"
 fi
 if [ ! -f ca_cert.crt ]; then
diff --git a/openvpn/test.sh b/openvpn/test.sh
index 1c7c1e0a..657c7a8f 100644
--- a/openvpn/test.sh
+++ b/openvpn/test.sh
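Review bot: The new default `OQSSIGALG="mldsa65"` in the second serverstart.sh hunk is guarded by the context line `if [ -z "$OQSIGALG" ]; then` (single S), which tests a different variable from the one assigned, so unless OQSIGALG is set elsewhere the assignment always runs and a caller's OQSSIGALG (the name checked in createcerts_and_config.sh and documented in USAGE.md) is silently overridden; the guard should read `if [ -z "$OQSSIGALG" ]; then`. This commit also drops the `mkdir -p /dev/net` and `mknod /dev/net/tun c 10 200` lines from serverstart.sh and clientstart.sh, so both containers now depend on the caller supplying `--device /dev/net/tun` as test.sh does, yet the `docker run` examples rewritten in USAGE.md still pass only `--cap-add=NET_ADMIN` and would fail to bring up the tunnel if followed literally. What serverstart.sh does after the `if [ ! -f ca_cert.crt ]` line lies outside the hunk.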
@@ -47,12 +47,12 @@ echo "Starting test openvpn server and client"
 # OQS server & test client:
 if [ -z "$2" ]; then
 # use default TLS_GROUPS
- docker run --rm --name $OQS_SERVER --net $OQS_NETWORK -v $OQS_DATA:/etc/openvpn -d --cap-add=NET_ADMIN $OQS_OPENVPN_DOCKERIMAGE
- docker run --rm --name $OQS_CLIENT --net $OQS_NETWORK -v $OQS_DATA:/etc/openvpn --cap-add=NET_ADMIN -d $OQS_OPENVPN_DOCKERIMAGE clientstart.sh
+ docker run --rm --name $OQS_SERVER --net $OQS_NETWORK -v $OQS_DATA:/etc/openvpn -d --cap-add=NET_ADMIN --cap-add=MKNOD --device /dev/net/tun $OQS_OPENVPN_DOCKERIMAGE
+ docker run --rm --name $OQS_CLIENT --net $OQS_NETWORK -v $OQS_DATA:/etc/openvpn --cap-add=NET_ADMIN --cap-add=MKNOD --device /dev/net/tun -d $OQS_OPENVPN_DOCKERIMAGE clientstart.sh
 else
 # assume the first parameter to be (a list of) TLS_GROUPS to be utilized:
- docker run -e TLS_GROUPS=$2 --rm --name $OQS_SERVER --net $OQS_NETWORK -v $OQS_DATA:/etc/openvpn -d --cap-add=NET_ADMIN oqs-openvpn
- docker run -e TLS_GROUPS=$2 --rm --name $OQS_CLIENT --net $OQS_NETWORK -v $OQS_DATA:/etc/openvpn --cap-add=NET_ADMIN -d oqs-openvpn clientstart.sh
+ docker run -e TLS_GROUPS=$2 --rm --name $OQS_SERVER --net $OQS_NETWORK -v $OQS_DATA:/etc/openvpn -d --cap-add=NET_ADMIN --cap-add=MKNOD --device /dev/net/tun oqs-openvpn
+ docker run -e TLS_GROUPS=$2 --rm --name $OQS_CLIENT --net $OQS_NETWORK -v $OQS_DATA:/etc/openvpn --cap-add=NET_ADMIN --cap-add=MKNOD --device /dev/net/tun -d oqs-openvpn clientstart.sh
 fi
 # Allow time to start up
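Review bot: The two rewritten `docker run` lines in the `else` branch still start the literal image `oqs-openvpn`, while the `if` branch uses `$OQS_OPENVPN_DOCKERIMAGE`; the workflow change in this commit calls `sh ./test.sh mldsa87 p521_mlkem1024` with a second argument, so CI takes this branch and tests whatever `oqs-openvpn` resolves to rather than the image the variable selects, unless a locally built tag of that name is intended. Replacing `oqs-openvpn` with `$OQS_OPENVPN_DOCKERIMAGE` on both lines keeps the two paths consistent. Separately, with the `mknod` calls removed from clientstart.sh and serverstart.sh in this commit, the added `--cap-add=MKNOD` appears to have no remaining user and `--device /dev/net/tun` already provides the node, so it can be dropped to keep the containers at NET_ADMIN only. The unquoted `$2`, `$OQS_SERVER`, `$OQS_NETWORK` and `$OQS_DATA` expansions on all four new lines word-split on spaces; quoting them is cheap.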