change epiphany to use OpenSSL3/oqsprovider

epiphany/Dockerfile

@@ -12,15 +12,18 @@ RUN apt update && apt upgrade -y && apt install -y build-essential clang meson g
 
 WORKDIR /opt
 
-RUN git clone --branch main https://github.com/open-quantum-safe/liboqs.git && git clone --depth 1 --branch OQS-OpenSSL_1_1_1-stable https://github.com/open-quantum-safe/openssl ossl-src && git clone https://gitlab.gnome.org/GNOME/glib-networking.git
+RUN git clone --branch main https://github.com/open-quantum-safe/liboqs.git && git clone --depth 1 --branch master https://github.com/openssl/openssl ossl-src && git clone https://gitlab.gnome.org/GNOME/glib-networking.git && git clone --depth 1 --branch main https://github.com/open-quantum-safe/oqs-provider.git
 
 # make sure the liboqs library is distributable:
-RUN cd liboqs && mkdir build && cd build && cmake -GNinja -DOQS_DIST_BUILD=ON -DCMAKE_INSTALL_PREFIX=/opt/ossl-src/oqs .. && ninja && ninja install && cd ../..
+RUN cd liboqs && mkdir build && cd build && cmake -GNinja -DOQS_DIST_BUILD=ON -DCMAKE_INSTALL_PREFIX=/opt/liboqs .. && ninja && ninja install && cd ../..
+
+# build oqs-provider:
+RUN cd oqs-provider && cmake -GNinja -DOQS_DIST_BUILD=ON -Dliboqs_DIR=/opt/liboqs -S . -B _build && cd _build && ninja && ninja install && cd ../..
 
 RUN cd ossl-src && ./config no-shared -lm && make -j 2 && make install_sw && cd ..
 
 # build glib-networking such as to use (OQS-)OpenSSL and not GnuTLS:
-RUN cd glib-networking && git checkout 2.60.4 && mkdir build && cd build && PKG_CONFIG_PATH=${OSSLGIODIR}/lib/pkgconfig CPATH=${OSSLGIODIR}/include LIBRARY_PATH=${OSSLGIODIR}/lib  meson --prefix=${OSSLGIODIR} -Dopenssl=enabled -Dgnutls=disabled .. && CPATH=${OSSLGIODIR}/include ninja && ninja install
+RUN cd glib-networking && git checkout 2.72.2 && mkdir build && cd build && PKG_CONFIG_PATH=${OSSLGIODIR}/lib/pkgconfig CPATH=${OSSLGIODIR}/include LIBRARY_PATH=${OSSLGIODIR}/lib  meson --prefix=${OSSLGIODIR} -Dopenssl=enabled -Dgnutls=disabled .. && CPATH=${OSSLGIODIR}/include ninja && ninja install
 
 # obtain and register test.openquantumsafe.org and letsencrypt certs
 COPY certlink.sh /usr/local/ssl/certs/certlink.sh
@@ -35,13 +38,19 @@ RUN apt update && apt upgrade -y && apt install -y epiphany-browser
 
 COPY --from=intermediate ${OSSLGIODIR} ${OSSLGIODIR}
 COPY --from=intermediate /usr/local /usr/local
+# Move oqsprovider in place; for some unknown reason, GIO needs two locations for finding providers
+RUN rm -rf /usr/local/lib64/ossl-modules/ && ln -s /usr/lib/x86_64-linux-gnu/ossl-modules /usr/local/lib64/ossl-modules
+COPY --from=intermediate /usr/lib/x86_64-linux-gnu/ossl-modules /usr/local/lib64/ossl-modules
 
 # Run everything under a limited user account:
 RUN groupadd -g 1000 oqs && useradd -u 1000 -d /home/oqs -g oqs oqs 
 COPY openssl-client.cnf /home/oqs/openssl-client.cnf
 COPY startepiphany.sh /home/oqs/startepiphany.sh
 RUN chown -R oqs.oqs /home/oqs
 
+# certlink doesn't seem to work perfectly in this version of GIO, so use this "hardcore" method to install oqsCA for testing:
+RUN cp /usr/local/ssl/certs/oqsrootca.pem /usr/share/ca-certificates/oqsrootca.crt  && echo "oqsrootca.crt" >> /etc/ca-certificates.conf && update-ca-certificates
+
 USER oqs
 
 ENV OPENSSL_CONF=/home/oqs/openssl-client.cnf

epiphany/USAGE.md

@@ -2,7 +2,7 @@
 
 This docker image contains a version of the [GNOME Web/epiphany](https://github.com/GNOME/epiphany) web browser built to also properly execute quantum-safe crypto (QSC) TLS operations.
 
-To this end, it contains QSC algorithms implemented by [liboqs](https://github.com/open-quantum-safe/liboqs) and [OQS-OpenSSL](https://github.com/open-quantum-safe/openssl) developed as part of the [OpenQuantumSafe](https://openquantumsafe.org) project.
+To this end, it contains QSC algorithms implemented by [liboqs](https://github.com/open-quantum-safe/liboqs) and made available to OpenSSL(3) via [oqs-provider](https://github.com/open-quantum-safe/oqs-provider) developed as part of the [OpenQuantumSafe](https://openquantumsafe.org) project.
 
 The image is based on Ubuntu and requires the host to run the Unix X-Window system.
 
@@ -24,15 +24,14 @@ It might also be necessary to mount the ".Xauthority" file suitably:
 
 ## Suggested test
 
-Go to https://test.openquantumsafe.org where most quantum-safe algorithms that are still part of the NIST PQC competition are available for TLS interoperability testing.
+Go to https://test.openquantumsafe.org where all standardized and most of the quantum-safe algorithms that are still part of the NIST PQC competition are available for TLS interoperability testing.
 
-*Note:* By default, only the algorithms "p521_kyber1024:firesaber" are supported by the configuration built into this Docker image. This list can be arbitrarly extended by passing a colon-delimited list of any of the KEM algorithms supported by [OQS-OpenSSL](https://github.com/open-quantum-safe/openssl#key-exchange):
+*Note:* By default, only the algorithms "p521_kyber1024:kyber768:x25519" are supported by the configuration built into this Docker image. This list can be arbitrarly extended by passing a colon-delimited list of any of the KEM algorithms supported by [oqs-provider](https://github.com/open-quantum-safe/oqs-provider#kem-algorithms), e.g.:
 
-    docker run --net=host --privileged --env="DISPLAY" openquantumsafe/epiphany frodo640aes:sntrup761
+    docker run --net=host --privileged --env="DISPLAY" openquantumsafe/epiphany frodo640aes:kyber512
 
 This way, all algorithms available at their respective test ports can be trialed at https://test.openquantumsafe.org.
 
-
 ## Quantum-safe crypto server components
 
-If you want to set up a server running QSC algorithms, check out [OQS-httpd/Apache](https://hub.docker.com/repository/docker/openquantumsafe/httpd), [OQS-nginx](https://hub.docker.com/repository/docker/openquantumsafe/nginx) or [OQS-haproxy](https://hub.docker.com/repository/docker/openquantumsafe/haproxy).
+If you want to set up your own server running QSC algorithms, check out [OQS-httpd/Apache](https://hub.docker.com/repository/docker/openquantumsafe/httpd) or [OQS-nginx](https://hub.docker.com/repository/docker/openquantumsafe/nginx).

epiphany/openssl-client.cnf

@@ -2,9 +2,24 @@ openssl_conf = openssl_init
 
 [openssl_init]
 ssl_conf = ssl_sect
+providers = provider_sect
 
 [ssl_sect]
 system_default = system_default_sect
 
 [system_default_sect]
-Groups = p521_kyber1024:firesaber
+Groups = p521_kyber1024:kyber768:x25519
+
+[provider_sect]
+oqsprovider = oqsprovider_sect
+default = default_sect
+
+[default_sect]
+activate = 1
+
+#[fips_sect]
+#activate = 1
+
+[oqsprovider_sect]
+activate = 1
+

epiphany/startepiphany.sh

@@ -3,7 +3,7 @@
 cd /home/oqs
 
 if [ "$#" -gt 0 ]; then
-   sed -i "$ s/$/:$1/" openssl-client.cnf
+   sed -i "s/x25519/x25519:$1/g" openssl-client.cnf
 fi
 
 epiphany