Integrating OpenSSL with OQS Providers for Enhanced Quantum-Safe Security
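#!/bin/bash
# Build OpenSSL 3.2, liboqs and oqs-provider from source under /opt, patch the
# installed openssl.cnf to activate the OQS provider, and smoke-test the result
# by issuing a dilithium3 test CA and server certificate.
# Must run as a user that can create/delete /optbuild and /opt/* (both are wiped).
# Abort on the first failing command (the original comment promised error
# handling but never enabled it, so a failed build step used to be ignored).
set -euo pipefail
# set -x
# Set up environment and variables
readonly INSTALLDIR_OPENSSL="/opt/ossl32" # openssl3.2
readonly INSTALLDIR_LIBOQS="/opt/liboqs"
readonly INSTALLDIR_PROVIDER="/opt/oqs-provider"
readonly LIBOQS_BUILD_DEFINES="ON"
readonly OQS_ALGS_ENABLED="STD"
# NOTE(review): this value is not referenced later; the liboqs cmake call passes
# its own literal "KEM_kyber_768;SIG_dilithium_3" — keep the two in sync by hand.
readonly OQS_MINIMAL_BUILD="KEM_kyber_768"
readonly MAKE_DEFINES="-j $(nproc)" # Use all available cores
# None of the following are exported, so they are plain shell variables here and
# do not influence the openssl binary's own environment lookups.
readonly OSSL_MODULES="/opt/ossl32/lib64/ossl-modules/"
readonly OPENSSL_CONF="/opt/ossl32/ssl/openssl.cnf"
readonly OPENSSL_APP="/opt/ossl32/bin/openssl"
readonly SIG_ALG="dilithium3"
readonly KEM_ALG="x25519_kyber768"
readonly DEFAULT_GROUPS="P256:X25519:P384:FFDHE2048:FFDHE3072:FFDHE4096"
# clenup dirs if exists
# ${VAR:?} aborts if a prefix variable is ever empty instead of letting rm -rf
# fall back to a much wider path; "--" stops option parsing on the paths.
echo "clenup dirs if exists"
rm -rf -- /optbuild/liboqs /optbuild/openssl /optbuild/oqs-provider
rm -rf -- "${INSTALLDIR_OPENSSL:?}" "${INSTALLDIR_LIBOQS:?}" "${INSTALLDIR_PROVIDER:?}" /opt/certs
# List of repositories and branches to clone, one "<url> <ref>" per entry.
# NOTE(review): "openssl-3.2" appears to be a branch rather than a release tag,
# and nothing pins a commit or checks a signature — pin a tag/commit if the
# build must be reproducible.
repos=(
  "https://github.com/openssl/openssl.git openssl-3.2"
  "https://github.com/open-quantum-safe/liboqs 0.9.1"
  "https://github.com/open-quantum-safe/oqs-provider.git 0.5.3"
)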
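#######################################
# Clone one "<url> <ref>" entry at depth 1.
# Arguments: $1 - "<repo_url> <branch-or-tag>", whitespace separated
# Outputs:   progress message on stdout, error on stderr
# Returns:   0 on success; exits with 1 on failure so the xargs parent sees a
#            non-zero status for the batch
#######################################
clone_repo() {
  local repo_url branch
  # Split the entry with the builtin instead of two echo|awk pipelines; the
  # trailing "_" swallows any extra fields so only the second word is the ref.
  read -r repo_url branch _ <<<"$1"
  # "--" keeps a URL that starts with "-" from being parsed as an option.
  if git clone --depth 1 --branch "$branch" -- "$repo_url"; then
    printf '%s\n' "Successfully cloned $repo_url"
  else
    printf '%s\n' "Error cloning $repo_url" >&2
    exit 1
  fi
}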
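# Export it so the bash -c children spawned by xargs can call clone_repo
export -f clone_repo
mkdir -p /optbuild && cd /optbuild || exit
# Clone all entries in parallel (one bash -c per repos[] line, at most 4 at once).
# xargs returns non-zero when any invocation fails, so a failed clone aborts here.
printf '%s\n' "${repos[@]}" | xargs -I {} -P 4 bash -c 'clone_repo "$@"' _ {} || exit
# Build OpenSSL
cd openssl || exit
# rpath lets the installed openssl binary find this build's libcrypto/libssl
# without LD_LIBRARY_PATH (and keeps it from picking up the system copies).
LDFLAGS="-Wl,-rpath -Wl,${INSTALLDIR_OPENSSL}/lib64" ./config shared --prefix="${INSTALLDIR_OPENSSL}" || exit
# Redirection order is deliberate: "2>&1 >/dev/null" keeps stderr on the
# terminal and only discards the build's stdout noise.
# shellcheck disable=SC2086 — MAKE_DEFINES is intentionally word-split ("-j N")
make ${MAKE_DEFINES} 2>&1 >/dev/null || exit
make install 2>&1 >/dev/null || exit
# Make lib and lib64 interchangeable: link whichever name is missing to the one
# the install created. Exactly one link is made; the previous if/if pair, after
# creating lib -> lib64, saw lib as a directory and then dropped a second link
# inside lib64 (lib64/lib -> lib) pointing back at itself.
if [ -d "${INSTALLDIR_OPENSSL}/lib64" ] && [ ! -e "${INSTALLDIR_OPENSSL}/lib" ]; then
  ln -s "${INSTALLDIR_OPENSSL}/lib64" "${INSTALLDIR_OPENSSL}/lib"
elif [ -d "${INSTALLDIR_OPENSSL}/lib" ] && [ ! -e "${INSTALLDIR_OPENSSL}/lib64" ]; then
  ln -s "${INSTALLDIR_OPENSSL}/lib" "${INSTALLDIR_OPENSSL}/lib64"
fi
# Build liboqs
cd /optbuild/liboqs || exit
mkdir -p build
# --noexecstack: hardening flag so the assembly objects do not request an
# executable stack for the final shared library.
# OQS_OPT_TARGET=generic with OQS_DIST_BUILD: presumably a distributable build
# without CPU-specific codegen — confirm against the liboqs docs for 0.9.1.
cmake -B build \
  -DCMAKE_ASM_FLAGS='-Wa,--noexecstack' \
  -DOPENSSL_ROOT_DIR="${INSTALLDIR_OPENSSL}" \
  -DOQS_ALGS_ENABLED="${OQS_ALGS_ENABLED}" \
  -DOQS_DIST_BUILD="${LIBOQS_BUILD_DEFINES}" \
  -DOQS_OPT_TARGET="generic" \
  -DOQS_MINIMAL_BUILD="KEM_kyber_768;SIG_dilithium_3" || exit
cmake --build build --parallel "$(nproc)" || exit
# NOTE(review): no CMAKE_INSTALL_PREFIX is passed, so this installs into CMake's
# default prefix rather than ${INSTALLDIR_LIBOQS}; the liboqs_DIR hint given to
# oqs-provider below therefore probably does not point at the real install —
# confirm where liboqsConfig.cmake actually lands.
cmake --build build --target install || exit
# Build oqs-provider
cd /optbuild/oqs-provider || exit
mkdir -p "${INSTALLDIR_PROVIDER}/build"
cmake -B "${INSTALLDIR_PROVIDER}/build" \
  -DOPENSSL_ROOT_DIR="${INSTALLDIR_OPENSSL}" \
  -DCMAKE_BUILD_TYPE=Release \
  -DCMAKE_PREFIX_PATH="${INSTALLDIR_OPENSSL}" \
  -DOQS_KEM_ENCODERS="ON" \
  -Dliboqs_DIR="${INSTALLDIR_LIBOQS}" || exit
cmake --build "${INSTALLDIR_PROVIDER}/build" --parallel "$(nproc)" || exit
cmake --install "${INSTALLDIR_PROVIDER}/build" || exit
# Copy the provider module into the directory this OpenSSL build loads modules from.
cp "${INSTALLDIR_PROVIDER}/build/lib/oqsprovider.so" "${INSTALLDIR_OPENSSL}/lib64/ossl-modules" || exit
# Patch the installed openssl.cnf in place (every program using this OpenSSL
# prefix is affected):
#  1. register oqsprovider alongside the default provider,
#  2. activate both providers,
#  3. add an ssl_conf section whose system-default Groups come from
#     $ENV::DEFAULT_GROUPS,
#  4. define DEFAULT_GROUPS (with x25519_kyber768 appended) at the top of the
#     file — presumably the fallback for step 3 when the environment variable
#     is unset; note the script's own DEFAULT_GROUPS is not exported and lacks
#     the hybrid group, so exporting it would silently change the TLS groups.
# The patterns match the exact template text (including the tab run before
# "HOME"); if the template changes they do nothing and there is no error.
sed -i "s/default = default_sect/default = default_sect\noqsprovider = oqsprovider_sect/g" "${OPENSSL_CONF}" || exit
sed -i "s/\[default_sect\]/\[default_sect\]\nactivate = 1\n\[oqsprovider_sect\]\nactivate = 1\n/g" "${OPENSSL_CONF}" || exit
sed -i "s/providers = provider_sect/providers = provider_sect\nssl_conf = ssl_sect\n\n\[ssl_sect\]\nsystem_default = system_default_sect\n\n\[system_default_sect\]\nGroups = \$ENV\:\:DEFAULT_GROUPS\n/g" "${OPENSSL_CONF}" || exit
sed -i "s/HOME\t\t\t= ./HOME = .\nDEFAULT_GROUPS = P256:X25519:P384:FFDHE2048:FFDHE3072:FFDHE4096:x25519_kyber768/g" "${OPENSSL_CONF}" || exit
# verify: the provider listing should now include oqsprovider
"${OPENSSL_APP}" version || exit
"${OPENSSL_APP}" list -providers || exit
mkdir -p /opt/certs && cd /opt/certs || exit
# Issue a dilithium3 test CA and a CA-signed server certificate.
# -nodes writes the private keys unencrypted; these are throwaway test
# credentials in /opt/certs, not keys to reuse elsewhere.
"${OPENSSL_APP}" req -x509 -new -newkey "${SIG_ALG}" -keyout CA.key -out CA.crt -nodes -subj "/CN=oqstest CA" -days 365 || exit
"${OPENSSL_APP}" req -new -newkey "${SIG_ALG}" -keyout server.key -out server.csr -nodes -subj "/CN=localhost" || exit
"${OPENSSL_APP}" x509 -req -in server.csr -out server.crt -CA CA.crt -CAkey CA.key -CAcreateserial -days 365 || exit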