update mosquitto

Co-authored-by: Dave Kelsey <[email protected]>

mosquitto/Dockerfile

@@ -1,20 +1,28 @@
-# This Dockerfile is made by Chia-Chin Chung <[email protected]>
-# Multi-stage build
+# Original Dockerfile made by Chia-Chin Chung <[email protected]>
+# Multi-stage build: First the full builder image:
 
-# Global build arguments:
+# define the openssl tag to be used
+ARG OPENSSL_TAG=openssl-3.3.2
 
-# define the installation paths
-ARG SOURCE_PATH="/usr/local/src"
-ARG OPENSSL_LIB_PATH="/usr/local/ssl"
+# define the liboqs tag to be used
+ARG LIBOQS_TAG=0.11.0
+
+# define the oqsprovider tag to be used
+ARG OQSPROVIDER_TAG=0.7.0
+
+# Default location where all binaries wind up:
+ARG INSTALLDIR=/opt/oqssa
 
 # liboqs build type variant; maximum portability of image:
 ARG LIBOQS_BUILD_DEFINES="-DOQS_DIST_BUILD=ON"
 
-# openssl build defines (https://github.com/open-quantum-safe/openssl#build-options)
-ARG OPENSSL_BUILD_DEFINES="-DOQS_DEFAULT_GROUPS=kyber512:X25519:p384_kyber768"
+# Default KEM algorithms to be utilized
+ARG KEM_ALGLIST="kyber768:p384_kyber768"
 
-# define the QSC signature algorithm used for the certificates
-ARG SIG_ALG="dilithium2"
+# Default Signature algorithm to be used
+ARG SIG_ALG="dilithium3"
+
+ARG MOSQUITTO_TAG=v2.0.20
 
 # define IP addresses or Domain Name
 ARG BROKER_IP=localhost
@@ -24,57 +32,83 @@ ARG SUB_IP=localhost
 # choose the shell script(simple example)
 ARG EXAMPLE=broker-start.sh
 
-
 # First stage: the full build image:
-
-FROM ubuntu:20.04 AS builder
-# FROM debian:buster AS builder
+FROM ubuntu:22.04 AS builder
 
 # Set timezone
-ENV TZ=Asia/Taipei
+ARG TZ=Europe/London
 ENV DEBIAN_FRONTEND=noninteractive
 
-ARG SOURCE_PATH
-ARG OPENSSL_LIB_PATH
+ARG OPENSSL_TAG
+ARG LIBOQS_TAG
+ARG OQSPROVIDER_TAG
+ARG INSTALLDIR
+ARG HAPROXYDIR
 ARG LIBOQS_BUILD_DEFINES
-ARG OPENSSL_BUILD_DEFINES
+ARG KEM_ALGLIST
+ARG MOSQUITTO_TAG
 
 # Update image and install all prerequisites
-RUN apt update && apt install build-essential vim cmake gcc libtool libssl-dev make ninja-build git doxygen \
-        libcjson1 libcjson-dev uthash-dev libcunit1-dev libsqlite3-dev xsltproc docbook-xsl -y && apt clean
-
-# Get the fork of OQS-OpenSSL_1_1_1-stable
-WORKDIR $SOURCE_PATH
-RUN git clone --depth 1 --branch OQS-OpenSSL_1_1_1-stable https://github.com/open-quantum-safe/openssl.git OQS-OpenSSL
-
-# Get and build liboqs, then install it into a subdirectory inside the OQS-OpenSSL folder
-RUN git clone --depth 1 --branch main https://github.com/open-quantum-safe/liboqs.git liboqs && \
-    cd liboqs && mkdir build && cd build && \
-    cmake -GNinja $LIBOQS_BUILD_DEFINES -DBUILD_SHARED_LIBS=ON -DCMAKE_INSTALL_PREFIX=$SOURCE_PATH/OQS-OpenSSL/oqs .. && \
-    ninja && ninja install && echo "liboqs installed successfully" || exit 1
-
-# Build and install OQS-OpenSSL_1_1_1-stable
-WORKDIR $SOURCE_PATH/OQS-OpenSSL
-## OS type: x86_64, aarch64
-RUN ./Configure shared linux-x86_64 -lm --prefix=$OPENSSL_LIB_PATH/ \
-        --openssldir=$OPENSSL_LIB_PATH/ $OPENSSL_BUILD_DEFINES && \
-        make -j$(nproc) && make install && echo "OQS-OpenSSL installed successfully" || exit 1
-# RUN ./Configure shared no-asm linux-aarch64 -lm --prefix=$OPENSSL_LIB_PATH/ \
-#         --openssldir=$OPENSSL_LIB_PATH/ $OPENSSL_BUILD_DEFINES && \
-#         make -j$(nproc) && make install && echo "OQS-OpenSSL installed successfully" || exit 1
+RUN apt update && apt install -y build-essential \
+    cmake \
+    gcc \
+    libtool \
+    libssl-dev \
+    make \
+    ninja-build \
+    git \
+    doxygen \
+    libcjson1 \
+    libcjson-dev \
+    uthash-dev \
+    libcunit1-dev \
+    libsqlite3-dev \
+    xsltproc \
+    docbook-xsl && \
+    apt clean
+
+# get all sources
+WORKDIR /opt
+RUN git clone --depth 1 --branch ${LIBOQS_TAG} https://github.com/open-quantum-safe/liboqs && \
+    git clone --depth 1 --branch ${OPENSSL_TAG} https://github.com/openssl/openssl.git && \
+    git clone --depth 1 --branch ${OQSPROVIDER_TAG} https://github.com/open-quantum-safe/oqs-provider.git && \
+    git clone --depth 1 --branch ${MOSQUITTO_TAG} https://github.com/eclipse/mosquitto.git
+
+# build liboqs
+WORKDIR /opt/liboqs
+RUN mkdir build && cd build && \
+    cmake -G"Ninja" .. ${LIBOQS_BUILD_DEFINES} -DCMAKE_INSTALL_PREFIX=${INSTALLDIR} && \
+    ninja install
+
+# build OpenSSL3
+WORKDIR /opt/openssl
+RUN LDFLAGS="-Wl,-rpath -Wl,${INSTALLDIR}/lib64" ./config shared --prefix=${INSTALLDIR} && \
+    make -j $(nproc) && \
+    make install_sw install_ssldirs && \
+    if [ -d ${INSTALLDIR}/lib64 ]; then ln -s ${INSTALLDIR}/lib64 ${INSTALLDIR}/lib; fi && \
+    if [ -d ${INSTALLDIR}/lib ]; then ln -s ${INSTALLDIR}/lib ${INSTALLDIR}/lib64; fi
+
+# set path to use 'new' openssl. Dyn libs have been properly linked in to match
+ENV PATH="${INSTALLDIR}/bin:${PATH}"
+
+# build & install provider (and activate by default)
+WORKDIR /opt/oqs-provider
+RUN ln -s ../openssl . && \
+    cmake -DOPENSSL_ROOT_DIR=${INSTALLDIR} -DCMAKE_BUILD_TYPE=Release -DCMAKE_PREFIX_PATH=${INSTALLDIR} -S . -B _build && \
+    cmake --build _build  && cp _build/lib/oqsprovider.so ${INSTALLDIR}/lib64/ossl-modules && \
+    sed -i "s/default = default_sect/default = default_sect\noqsprovider = oqsprovider_sect/g" /opt/oqssa/ssl/openssl.cnf && \
+    sed -i "s/\[default_sect\]/\[default_sect\]\nactivate = 1\n\[oqsprovider_sect\]\nactivate = 1\n/g" /opt/oqssa/ssl/openssl.cnf && \
+    sed -i "s/providers = provider_sect/providers = provider_sect\nssl_conf = ssl_sect\n\n\[ssl_sect\]\nsystem_default = system_default_sect\n\n\[system_default_sect\]\nGroups = ${KEM_ALGLIST}\n/g" /opt/oqssa/ssl/openssl.cnf
 
 # Build and install Mosquitto
-WORKDIR $SOURCE_PATH
-RUN git clone -b master https://github.com/eclipse/mosquitto.git mosquitto && cd mosquitto && \
-    make -j$(nproc) && make install && echo "Mosquitto installed successfully" || exit 1
-
+WORKDIR /opt/mosquitto
+RUN make -j$(nproc) && \
+    make install
 
 # Second stage: Only create minimal image:
+FROM ubuntu:22.04
+RUN apt update && apt install -y libcjson1
 
-FROM ubuntu:20.04
-# FROM debian:buster
-
-ARG OPENSSL_LIB_PATH
 ARG SIG_ALG
 ENV SIG_ALG=${SIG_ALG}
 ARG BROKER_IP
@@ -86,37 +120,38 @@ ENV SUB_IP=${SUB_IP}
 ARG EXAMPLE
 ENV EXAMPLE=${EXAMPLE}
 
-# Set the TLS_DEFAULT_GROUPS environment variable to permit selection of QSC KEMs(https://github.com/open-quantum-safe/openssl#build-options)
-ENV TLS_DEFAULT_GROUPS="kyber512"
+ARG KEM_ALGLIST
+# Set the TLS_DEFAULT_GROUPS environment variable to permit selection of QSC KEMs, by default the ones associated with the openssl configuration are chosen
+ENV TLS_DEFAULT_GROUPS=${KEM_ALGLIST}
+
+ARG INSTALLDIR
 
 # Copy files from the local storage to a destination in the Docker image
 WORKDIR /
 RUN mkdir test
 ADD . /test
 RUN chmod 777 /test/* && sed -i 's/\r//' /test/*
 
-# Only keep the necessary library contents in the final image
-# OQS-OpenSSL
-COPY --from=builder $OPENSSL_LIB_PATH  $OPENSSL_LIB_PATH
+# openssl
+COPY --from=builder ${INSTALLDIR} ${INSTALLDIR}
 # Mosquitto
 COPY --from=builder /usr/local/lib  /usr/local/lib
 COPY --from=builder /usr/local/bin  /usr/local/bin
 COPY --from=builder /usr/local/sbin  /usr/local/sbin
-COPY --from=builder /lib/x86_64-linux-gnu/libcjson.so.1 /lib/x86_64-linux-gnu
 
 # Dynamically link to mosquitto
 RUN ln -s /usr/local/lib/libmosquitto.so.1 /usr/lib/libmosquitto.so.1 && ldconfig
 
-# Dynamically link to OQS-OpenSSL library
-ENV LD_LIBRARY_PATH=$OPENSSL_LIB_PATH/lib
+# Dynamically link to Newly built OpenSSL
+ENV LD_LIBRARY_PATH=$INSTALLDIR/lib64
 
-# Set path 
-ENV PATH="/usr/local/bin:/usr/local/sbin:$OPENSSL_LIB_PATH/bin:$PATH"
+# Set path
+ENV PATH="/usr/local/bin:/usr/local/sbin:${INSTALLDIR}/bin:$PATH"
 
 # Generate the CA key and the cert
 RUN openssl req -x509 -new -newkey $SIG_ALG -keyout /test/CA.key -out /test/CA.crt -nodes -subj "/O=test-ca" -days 3650
 
-# MQTTS port 
+# MQTTS port
 EXPOSE 8883
 
 # Run shell script

mosquitto/README.md

@@ -1,16 +1,4 @@
-## Warning
-
-This integration is currently not supported due to [the end of life of oqs-openssl111](https://github.com/open-quantum-safe/openssl#warning). Feel free to vote this back into supported state by visiting [the discussion on the topic](https://github.com/orgs/open-quantum-safe/discussions/1602).
-
-## Purpose 
-
-This directory contains a Dockerfile that builds [Mosquitto](https://mosquitto.org) with the [OQS OpenSSL 1.1.1 fork](https://github.com/open-quantum-safe/openssl), which allows Mosquitto to negotiate quantum-safe keys and use quantum-safe authentication in TLS 1.3.
-
-Work to further experiment with the quantum-safe algorithms using the MQTT protocol is ongoing. Questions, comments, corrections, improvements, and other contributions are welcome, e.g., via issues to this project.
-
-Thanks,
-
---Chia-Chin Chung
+This directory contains a Dockerfile that builds [Mosquitto](https://mosquitto.org) using OpenSSL v3 using the [OQS provider](https://github.com/open-quantum-safe/oqs-provider), which allows `Moquitto` to negotiate quantum-safe keys and use quantum-safe authentication in TLS 1.3.
 
 ## Background
 
@@ -22,14 +10,14 @@ The following provides some introduction to Mosquitto:
 
 - Introduction: [Beginners Guide To The MQTT Protocol](http://www.steves-internet-guide.com/mqtt/)
 - Usage: [Mosquitto MQTT Broker](http://www.steves-internet-guide.com/mosquitto-broker/), [Using The Mosquitto_pub and Mosquitto_sub MQTT Client Tools- Examples](http://www.steves-internet-guide.com/mosquitto_pub-sub-clients/)
-- Man pages: [Mosquitto Man Pages](https://mosquitto.org/documentation/) 
+- Man pages: [Mosquitto Man Pages](https://mosquitto.org/documentation/)
 
 ## Getting started
 
 [Install Docker](https://docs.docker.com/install) and run the following simplified commands in this directory:
 
-1. `docker build -t oqs-mosquitto-img .` This will generate the image with a default QSC algorithm (key exchange: kyber512, authentication: dilithium2 -- see Dockerfile to change).
-2. `docker run -it --rm --name oqs-mosquitto -p 8883:8883 oqs-mosquitto-img`
+1. `docker build -t oqs-mosquitto .` This will generate the image with a default QSC algorithm (key exchange: kyber768:p384_kyber768, authentication: dilithium3 -- see Dockerfile to change).
+2. `docker run -it --rm --name oqs-mosquitto -p 8883:8883 oqs-mosquitto`
 
 This will start a docker container that has mosquitto MQTT broker listening for TLS 1.3 connections on port 8883.
 
@@ -41,41 +29,39 @@ Complete information on how to use the image is [available in the separate file
 
 The Dockerfile allows for significant customization of the built image:
 
-### SOURCE_PATH
+### OPENSSL_TAG
 
-This defines the resultant location of the OQS-OpenSSL, liboqs and Mosquitto installatiions.
+Tag of `openssl` release to be used.
 
-By default this is '/usr/local/src'.
+### LIBOQS_TAG
 
-### OPENSSL_LIB_PATH
+Tag of `liboqs` release to be used.
 
-This defines the resultant location of the OQS-OpenSSL library installatiion.
+### OQSPROVIDER_TAG
 
-By default this is '/usr/local/ssl'.
+Tag of `oqsprovider` release to be used.
 
 ### LIBOQS_BUILD_DEFINES
 
 This permits changing the build options for the underlying library with the quantum safe algorithms. All possible options are documented [here](https://github.com/open-quantum-safe/liboqs/wiki/Customizing-liboqs).
 
 By default, the image is built such as to have maximum portability regardless of CPU type and optimizations available, i.e. to run on the widest possible range of cloud machines.
 
-### OPENSSL_BUILD_DEFINES
-
-This permits changing the build options for the underlying openssl library containing the quantum safe algorithms. 
+### SIG_ALG
 
-The default setting defines a range of default algorithms suggested for key exchange. For more information see [the documentation](https://github.com/open-quantum-safe/openssl#default-algorithms-announced).
+This defines the quantum-safe cryptographic signature algorithm for the internally generated (demonstration) CA and server certificates.
 
-### KEM_ALG
+The default value is 'dilithium3' but can be set to any value documented [here](https://github.com/open-quantum-safe/oqs-provider#algorithms).
 
-This defines the quantum-safe cryptographic key exchange algorithm.
+### KEM_ALGLIST
 
-The default value is 'kyber512', but this value can be set to any value documented [here](https://github.com/open-quantum-safe/openssl#key-exchange).
+This defines the quantum-safe key exchange mechanisms to be supported.
 
-### SIG_ALG
+The default value is `p384_kyber768:kyber768` but can be set to any set of colon separated values documented [here](https://github.com/open-quantum-safe/oqs-provider#algorithms).
 
-This defines the quantum-safe cryptographic signature algorithm for the internally generated server and client certificates.
+### MOSQUITTO_TAG
 
-The default value is 'dilithium2' but can be set to any value documented [here](https://github.com/open-quantum-safe/openssl#authentication).
+These define the version of Mosquitto to use, currently set to v2.0.20
 
 ### BROKER_IP
 
@@ -100,7 +86,3 @@ By default this is 'localhost'.
 This defines which shell script to use. There are three shell scripts(broker-start.sh, publisher-start.sh, and subscriber-start.sh) that can be used in this directory.
 
 By default this is 'broker-start.sh'.
-
-## License
-
-All modifications to this repository are released under the same terms as OpenSSL, namely as described in the file [LICENSE](https://github.com/open-quantum-safe/openssl/blob/OQS-OpenSSL_1_1_1-stable/LICENSE).

mosquitto/USAGE.md

@@ -1,6 +1,4 @@
-## Purpose 
-
-This is a [mosquitto](https://mosquitto.org) docker image building on the [OQS OpenSSL 1.1.1 fork](https://github.com/open-quantum-safe/openssl), which allows mosquitto to negotiate quantum-safe keys and use quantum-safe authentication using TLS 1.3.
+This directory contains a Dockerfile that builds [Mosquitto](https://mosquitto.org) using OpenSSL v3 using the [OQS provider](https://github.com/open-quantum-safe/oqs-provider), which allows `Moquitto` to negotiate quantum-safe keys and use quantum-safe authentication in TLS 1.3.
 
 ## Suggested use
 
@@ -11,23 +9,23 @@ To communicate between the server(broker) and the client(publisher and subscribe
 We can use docker network to do a simple test. A docker network named "mosquitto-test":
 
 Create a docker network and specify a network segment
-```
-docker network create --subnet=172.18.0.0/16 mosquitto-test
+```bash
+docker network create --subnet=174.18.0.0/16 mosquitto-test
 ```
 
 Run a Mosquitto MQTT broker
-```
-docker run --network mosquitto-test --ip 172.18.0.2 -it --rm --name oqs-mosquitto-broker -e "BROKER_IP=172.18.0.2" -e "EXAMPLE=broker-start.sh" oqs-mosquitto-img
+```bash
+docker run --network mosquitto-test --ip 174.18.0.2 -it --rm --name oqs-mosquitto-broker -e "BROKER_IP=174.18.0.2" -e "EXAMPLE=broker-start.sh" oqs-mosquitto
 ```
 
 Then run a Mosquitto MQTT subscriber
-```
-docker run --network mosquitto-test --ip 172.18.0.3 -it --rm --name oqs-mosquitto-subscriber -e "BROKER_IP=172.18.0.2" -e "SUB_IP=172.18.0.3" -e "EXAMPLE=subscriber-start.sh" oqs-mosquitto-img
+```bash
+docker run --network mosquitto-test --ip 174.18.0.3 -it --rm --name oqs-mosquitto-subscriber -e "BROKER_IP=174.18.0.2" -e "SUB_IP=174.18.0.3" -e "EXAMPLE=subscriber-start.sh" oqs-mosquitto
 ```
 
 Finally run a Mosquitto MQTT publisher
-```
-docker run --network mosquitto-test --ip 172.18.0.4 -it --rm --name oqs-mosquitto-publisher -e "BROKER_IP=172.18.0.2" -e "PUB_IP=172.18.0.4" -e "EXAMPLE=publisher-start.sh" oqs-mosquitto-img
+```bash
+docker run --network mosquitto-test --ip 174.18.0.4 -it --rm --name oqs-mosquitto-publisher -e "BROKER_IP=174.18.0.2" -e "PUB_IP=174.18.0.4" -e "EXAMPLE=publisher-start.sh" oqs-mosquitto
 ```
 
 According to these steps, we can do a simple MQTT test including a broker, a subscriber, and a publisher. If you want to do more experiments, you can use other options below.
@@ -38,22 +36,22 @@ By the way, the docker image has already generated a CA certificate and a CA key
 
 ### Authentication algorithm
 
-This mosquitto image supports all quantum-safe signature algorithms [presently supported by OQS-OpenSSL](https://github.com/open-quantum-safe/openssl#authentication). If you want to control with algorithm is actually used, you can set an environment variable when running the Docker container, e.g., requesting the Falcon512 variant:
+This mosquitto image is capable of supporting all quantum-safe signature algorithms listed [here](https://github.com/open-quantum-safe/oqs-provider#algorithms). If you want to control with algorithm is actually used, you can set an environment variable when running the Docker container, e.g., requesting the dilithium5 variant:
 
-```
-docker run -it --rm --name oqs-mosquitto-demo -p 8883:8883 -e "BROKER_IP=<ip-name-of-broker-testmachine>" -e "SIG_ALG=falcon512" oqs-mosquitto-img
+```bash
+docker run -it --rm --name oqs-mosquitto-demo -p 8883:8883 -e "BROKER_IP=<ip-name-of-broker-testmachine>" -e "SIG_ALG=dilithium5" oqs-mosquitto
 ```
 
 ### Set the TLS_DEFAULT_GROUPS
 
-`TLS_DEFAULT_GROUPS` is an environment variable that allows selection of QSC KEMs. This supports the colon-separated list of KEM algorithms. This option only works if the SSL_CTX_set1_groups_list API call has not been used. You can see [here](https://github.com/open-quantum-safe/openssl#build-options).
+`TLS_DEFAULT_GROUPS` is an environment variable that allows selection of QSC KEMs. This supports the colon-separated list of KEM algorithms. You can only select either the complete list or subset of what was defined in `KEM_ALGLIST` when the docker image was built.
 
 ### Change Mosquitto instructions or configurations
 
 There are three shell scripts(broker-start.sh, publisher-start.sh, and subscriber-start.sh) that can be used in this directory. Use subscriber as an example:
 
-```
-docker run -it --rm --name oqs-mosquitto-demo -p 8883:8883 -e "BROKER_IP=<ip-name-of-broker-testmachine>" -e "EXAMPLE=subscriber-start.sh" oqs-mosquitto-img
+```bash
+docker run -it --rm --name oqs-mosquitto-demo -p 8883:8883 -e "BROKER_IP=<ip-name-of-broker-testmachine>" -e "EXAMPLE=subscriber-start.sh" oqs-mosquitto
 ```
 
 If you want to change Mosquitto's instructions, you can modify instructions to what you want in these scripts. If you also want to change Mosquitto broker's configuration file, you can modify this to what you want in 'broker-start.sh'.