diff --git a/.circleci/config.yml b/.circleci/config.yml
index 02f5fe71..550cb1ed 100644
--- a/.circleci/config.yml
+++ b/.circleci/config.yml
@@ -240,7 +240,7 @@ jobs:
 # all of them might exhaust memory
 docker build --build-arg MAKE_DEFINES="-j 18" -t oqs-curl . &&
 docker build --build-arg MAKE_DEFINES="-j 18" --target dev -t oqs-curl-dev . &&
- docker build --build-arg MAKE_DEFINES="-j 18" --build-arg OPENSSL_TAG=master --build-arg LIBOQS_TAG=main --build-arg OQSPROVIDER_TAG=main -t oqs-curl-main . &&
+ docker build --build-arg MAKE_DEFINES="-j 18" --build-arg OPENSSL_TAG=master --build-arg LIBOQS_TAG=main --build-arg OQSPROVIDER_TAG=main -t oqs-curl-main .
 working_directory: curl
 - run:
 name: Test Curl (dev)
@@ -261,9 +261,9 @@ jobs:
 name: Test httpd using curl (dev) (main/master)
 command: |
 docker network create httpd-test-main &&
- docker run --network httpd-test-main --detach --rm --name oqs-httpd-main oqs-httpd-img-main &&
+ docker run --network httpd-test-main --detach --rm --name oqs-httpd2 oqs-httpd-img-main &&
 sleep 2 &&
- docker run --network httpd-test-main oqs-curl-main curl -k https://oqs-httpd:4433 --curves kyber768
+ docker run --network httpd-test-main oqs-curl-main curl -k https://oqs-httpd2:4433 --curves kyber768
 - when:
 condition:
 or:
@@ -659,12 +659,12 @@ workflows:
 context: openquantumsafe
 #- ubuntu_x64_haproxy:
 # context: openquantumsafe
- - ubuntu_x64_openvpn:
- context: openquantumsafe
+ # - ubuntu_x64_openvpn:
+ # context: openquantumsafe
 #- ubuntu_x64_mosquitto:
 # context: openquantumsafe
- - ubuntu_x64_ngtcp2:
- context: openquantumsafe
+ # - ubuntu_x64_ngtcp2:
+ # context: openquantumsafe
 - ubuntu_x64_openssh:
 context: openquantumsafe
 # Disabled in CI as failing to conclude test properly as per
@@ -676,5 +676,5 @@ workflows:
 # Disable as it takes too long on OQS CCI plan
 #- ubuntu_x64_envoy:
 # context: openquantumsafe
- - ubuntu_x64_h2load:
- context: openquantumsafe
+ # - ubuntu_x64_h2load:
+ # context: openquantumsafe
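Review bot: The workflow entries for ubuntu_x64_openvpn and ubuntu_x64_ngtcp2 (hunk at line 659) and ubuntu_x64_h2load (hunk at line 676) are commented out without the reason comment that the neighbouring disabled entries carry (`# Disabled in CI as failing to conclude test properly as per`, `# Disable as it takes too long on OQS CCI plan`), so a reader cannot tell whether these jobs are temporarily broken or intentionally dropped. The README hunk in this same commit lists OpenVPN and ngtcp2 as Unmaintained, which is presumably the reason; add it above each entry, e.g. `# Disabled in CI: integration is Unmaintained (see README.md)`. Disabling these jobs also removes the only automated check on the corresponding Dockerhub images, so the README status table becomes the sole signal to users that they are untested. In the hunk at line 261 the renamed container and the curl URL now agree (oqs-httpd2), but the fixed `sleep 2` remains the only readiness wait and `-k` still disables certificate verification, so this step exercises the kyber768 key exchange only, not the server's certificate chain.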
diff --git a/.github/workflows/docker-scan.yml b/.github/workflows/docker-scan.yml index 063d5343..bab9e881 100644 --- a/.github/workflows/docker-scan.yml +++ b/.github/workflows/docker-scan.yml @@ -23,8 +23,8 @@ jobs: # Required for Docker Scout uses: docker/login-action@v3.3.0 with: - username: ${{ secrets.DOCKER_USERNAME }} - password: ${{ secrets.DOCKER_PASSWORD }} + username: ${{ secrets.DOCKERHUB_USERNAME }} + password: ${{ secrets.DOCKERHUB_TOKEN }} - name: Build Docker Image run: | diff --git a/README.md b/README.md index bdf46a18..39b15d3f 100644 --- a/README.md +++ b/README.md @@ -13,7 +13,7 @@ In most cases, Dockerfiles encode the instructions for ease-of-use: Just do `doc As the level of interest in providing and maintaining these integrations for public consumption has fallen, the packages are tagged with the github monikers of the persons willing to keep supporting them or the term "Unmaintained". If that tag is listed, no CI and github support for the integration is available and the code shall be seen as a snapshot that once worked only. -We are explicitly soliciting contributors to maintain those integrations labelled "unsupported". +We are explicitly soliciting contributors to maintain those integrations labelled "Unmaintained". Currently available integrations at their respective support level: 
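Review bot: The login step now reads `secrets.DOCKERHUB_USERNAME` and `secrets.DOCKERHUB_TOKEN`, but the surviving comment `# Required for Docker Scout` does not say what scope that token needs; this job only builds and scans, so a read-only Docker Hub access token is sufficient, and a push-capable token here needlessly widens the impact of a compromised runner or action dependency. Suggest extending the comment to `# Required for Docker Scout; use a read-only Docker Hub access token, this job never pushes`. The workflow's trigger is outside this hunk; if it includes pull_request events from forks, these secrets are empty there and docker/login-action will fail, so the step may need a guard such as `if: github.event_name != 'pull_request'`. The README hunk on this line is documentation only.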
@@ -24,6 +24,7 @@ Currently available integrations at their respective support level:
 | **nginx** | [Github: oqs-demos/nginx](nginx) | [Dockerhub: openquantumsafe/nginx](https://hub.docker.com/repository/docker/openquantumsafe/nginx), [Dockerhub: openquantumsafe/nginx-quic](https://hub.docker.com/repository/docker/openquantumsafe/nginx-quic) | Maintained: @baentsch, @bhess, @pi-314159
 | **Chromium** | [Github: oqs-demos/chromium](chromium) (limited support) | - | Maintained: @pi-314159
 | **Locust** | [Github: oqs-demos/locust](locust) | - | Maintained: @davidgca
+| **Wireshark** | [Github: oqs-demos/wireshark](wireshark) | [Dockerhub: openquantumsafe/wireshark](https://hub.docker.com/repository/docker/openquantumsafe/wireshark) | Maintained: @hayyaaf
 | **OpenSSH** | [Github: oqs-demos/openssh](openssh) | [Dockerhub: openquantumsafe/openssh](https://hub.docker.com/repository/docker/openquantumsafe/openssh) | Unmaintained
 | **OpenVPN** | [Github: oqs-demos/openvpn](openvpn) | [Dockerhub: openquantumsafe/openvpn](https://hub.docker.com/repository/docker/openquantumsafe/openvpn) | Unmaintained
 | **ngtcp2** | [Github: oqs-demos/ngtcp2](ngtcp2) | Dockerhub: [Server: openquantumsafe/ngtcp2-server](https://hub.docker.com/repository/docker/openquantumsafe/ngtcp2-server), [Client: openquantumsafe/ngtcp2-client](https://hub.docker.com/repository/docker/openquantumsafe/ngtcp2-client) | Unmaintained
@@ -32,7 +33,6 @@ Currently available integrations at their respective support level: | **Mosquitto** | [Github: oqs-demos/mosquitto](mosquitto) | [Dockerhub: openquantumsafe/mosquitto](https://hub.docker.com/repository/docker/openquantumsafe/mosquitto) | Unmaintained | **Epiphany** | [Github: oqs-demos/epiphany](epiphany) | [Dockerhub: openquantumsafe/epiphany](https://hub.docker.com/repository/docker/openquantumsafe/epiphany) | Deprecated | **OpenLiteSpeed** | [Github: oqs-demos/openlitespeed](openlitespeed) | [ Dockerhub: openquantumsafe/openlitespeed](https://hub.docker.com/repository/docker/openquantumsafe/openlitespeed) | Deprecated -| **Wireshark** | [Github: oqs-demos/wireshark](wireshark) | [Dockerhub: openquantumsafe/wireshark](https://hub.docker.com/repository/docker/openquantumsafe/wireshark) | Deprecated | **Envoy** | [Github: oqs-demos/envoy](envoy) | [ Dockerhub: openquantumsafe/envoy](https://hub.docker.com/repository/docker/openquantumsafe/envoy) | Deprecated | **Unbound** | [Github: oqs-demos/unbound](unbound) | [ Dockerhub: openquantumsafe/unbound](https://hub.docker.com/repository/docker/openquantumsafe/unbound) | Deprecated @@ -64,6 +64,7 @@ All modifications to this repository are released under the same terms as [liboq Dan Rouhana (University of Washington) JT (Henan Raytonne Trading Company) David Gomez-Cambronero (Telefonica Innovacion digital) + Khalid Alraddady (linkedin.com/in/khalid-alraddady) ## Acknowledgments diff --git a/deprecated/README.md b/deprecated/README.md new file mode 100644 index 00000000..7d7706e0 --- /dev/null +++ b/deprecated/README.md 
@@ -0,0 +1,11 @@
+# Deprecated demos
+
+> [!Warning]
+> Demos in this directory are longer supported, if you're interested in revitalizing a demo please submit a PR.
+
+Demos are considered deprecated when two factors are met, and can be un-deprecated by anyone willing to address them:
+
+1. **Out of date or broken**: Either the demo is still based on the old oqs openssl1.1.1 fork rather than openssl3 using the oqs provider or it is not in a working state.
+2. **No interest or expertise**: The community has shown no interest in updating or maintaining the demo
+
+> **Note**: Demos that only meet factor 2 are considered Unmaintained, not Deprecated.
diff --git a/envoy/Dockerfile b/deprecated/envoy/Dockerfile
similarity index 100%
rename from envoy/Dockerfile
rename to deprecated/envoy/Dockerfile
diff --git a/envoy/README.md b/deprecated/envoy/README.md
similarity index 100%
rename from envoy/README.md
rename to deprecated/envoy/README.md
diff --git a/envoy/USAGE.md b/deprecated/envoy/USAGE.md
similarity index 100%
rename from envoy/USAGE.md
rename to deprecated/envoy/USAGE.md
diff --git a/envoy/tls/Dockerfile b/deprecated/envoy/tls/Dockerfile
similarity index 100%
rename from envoy/tls/Dockerfile
rename to deprecated/envoy/tls/Dockerfile
diff --git a/envoy/tls/README.md b/deprecated/envoy/tls/README.md
similarity index 100%
rename from envoy/tls/README.md
rename to deprecated/envoy/tls/README.md
diff --git a/envoy/tls/certs/gen_cert.sh b/deprecated/envoy/tls/certs/gen_cert.sh
similarity index 100%
rename from envoy/tls/certs/gen_cert.sh
rename to deprecated/envoy/tls/certs/gen_cert.sh
diff --git a/envoy/tls/docker-compose.yaml b/deprecated/envoy/tls/docker-compose.yaml
similarity index 100%
rename from envoy/tls/docker-compose.yaml
rename to deprecated/envoy/tls/docker-compose.yaml
diff --git a/envoy/tls/envoy-https-http.yaml b/deprecated/envoy/tls/envoy-https-http.yaml
similarity index 100%
rename from envoy/tls/envoy-https-http.yaml
rename to deprecated/envoy/tls/envoy-https-http.yaml
diff --git a/envoy/tls/init.sh b/deprecated/envoy/tls/init.sh
similarity index 100%
rename from envoy/tls/init.sh
rename to deprecated/envoy/tls/init.sh
diff --git a/envoy/tls/kill.sh b/deprecated/envoy/tls/kill.sh
similarity index 100%
rename from envoy/tls/kill.sh
rename to deprecated/envoy/tls/kill.sh
diff --git a/envoy/tls/query.sh b/deprecated/envoy/tls/query.sh
similarity index 100%
rename from envoy/tls/query.sh
rename to deprecated/envoy/tls/query.sh
diff --git a/epiphany/Dockerfile b/deprecated/epiphany/Dockerfile
similarity index 100%
rename from epiphany/Dockerfile
rename to deprecated/epiphany/Dockerfile
diff --git a/epiphany/README.md b/deprecated/epiphany/README.md
similarity index 100%
rename from epiphany/README.md
rename to deprecated/epiphany/README.md
diff --git a/epiphany/USAGE.md b/deprecated/epiphany/USAGE.md
similarity index 100%
rename from epiphany/USAGE.md
rename to deprecated/epiphany/USAGE.md
diff --git a/epiphany/certlink.sh b/deprecated/epiphany/certlink.sh
similarity index 100%
rename from epiphany/certlink.sh
rename to deprecated/epiphany/certlink.sh
diff --git a/epiphany/openssl-client.cnf b/deprecated/epiphany/openssl-client.cnf
similarity index 100%
rename from epiphany/openssl-client.cnf
rename to deprecated/epiphany/openssl-client.cnf
diff --git a/epiphany/startepiphany.sh b/deprecated/epiphany/startepiphany.sh
similarity index 100%
rename from epiphany/startepiphany.sh
rename to deprecated/epiphany/startepiphany.sh
diff --git a/openlitespeed/Dockerfile-server b/deprecated/openlitespeed/Dockerfile-server
similarity index 100%
rename from openlitespeed/Dockerfile-server
rename to deprecated/openlitespeed/Dockerfile-server
diff --git a/openlitespeed/README.md b/deprecated/openlitespeed/README.md
similarity index 100%
rename from openlitespeed/README.md
rename to deprecated/openlitespeed/README.md
diff --git a/openlitespeed/USAGE-client.md b/deprecated/openlitespeed/USAGE-client.md
similarity index 100%
rename from openlitespeed/USAGE-client.md
rename to deprecated/openlitespeed/USAGE-client.md
diff --git a/openlitespeed/USAGE-server.md b/deprecated/openlitespeed/USAGE-server.md
similarity index 100%
rename from openlitespeed/USAGE-server.md
rename to deprecated/openlitespeed/USAGE-server.md
diff --git a/openlitespeed/build.sh.patch b/deprecated/openlitespeed/build.sh.patch
similarity index 100%
rename from openlitespeed/build.sh.patch
rename to deprecated/openlitespeed/build.sh.patch
diff --git a/openlitespeed/build_bssl.sh.patch b/deprecated/openlitespeed/build_bssl.sh.patch
similarity index 100%
rename from openlitespeed/build_bssl.sh.patch
rename to deprecated/openlitespeed/build_bssl.sh.patch
diff --git a/openlitespeed/httpd_config.conf b/deprecated/openlitespeed/httpd_config.conf
similarity index 100%
rename from openlitespeed/httpd_config.conf
rename to deprecated/openlitespeed/httpd_config.conf
diff --git a/openlitespeed/serverstart.sh b/deprecated/openlitespeed/serverstart.sh
similarity index 100%
rename from openlitespeed/serverstart.sh
rename to deprecated/openlitespeed/serverstart.sh
diff --git a/unbound/Dockerfile-getdns b/deprecated/unbound/Dockerfile-getdns
similarity index 100%
rename from unbound/Dockerfile-getdns
rename to deprecated/unbound/Dockerfile-getdns
diff --git a/unbound/Dockerfile-unbound b/deprecated/unbound/Dockerfile-unbound
similarity index 100%
rename from unbound/Dockerfile-unbound
rename to deprecated/unbound/Dockerfile-unbound
diff --git a/unbound/README.md b/deprecated/unbound/README.md
similarity index 100%
rename from unbound/README.md
rename to deprecated/unbound/README.md
diff --git a/unbound/USAGE-client.md b/deprecated/unbound/USAGE-client.md
similarity index 100%
rename from unbound/USAGE-client.md
rename to deprecated/unbound/USAGE-client.md
diff --git a/unbound/USAGE-server.md b/deprecated/unbound/USAGE-server.md
similarity index 100%
rename from unbound/USAGE-server.md
rename to deprecated/unbound/USAGE-server.md
diff --git a/unbound/unbound.sh b/deprecated/unbound/unbound.sh
similarity index 100%
rename from unbound/unbound.sh
rename to deprecated/unbound/unbound.sh
diff --git a/unbound/wireshark_screenshot.png b/deprecated/unbound/wireshark_screenshot.png
similarity index 100%
rename from unbound/wireshark_screenshot.png
rename to deprecated/unbound/wireshark_screenshot.png
diff --git a/httpd/Dockerfile b/httpd/Dockerfile
index 5dc893d9..d41d7e65 100644
--- a/httpd/Dockerfile
+++ b/httpd/Dockerfile
@@ -40,7 +40,8 @@ ARG APRU_VERSION=1.6.3
 ARG APR_MIRROR="https://dlcdn.apache.org"
 # Define the degree of parallelism when building the image; leave the number away only if you know what you are doing
-ARG MAKE_DEFINES="-j 2"
+# A CI system with less than 4 cores should be avoided
+ARG MAKE_DEFINES="-j 4"
 FROM alpine:${ALPINE_VERSION} as intermediate
diff --git a/wireshark/Dockerfile b/wireshark/Dockerfile
index 1592cb22..10e2299e 100755
--- a/wireshark/Dockerfile
+++ b/wireshark/Dockerfile
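Review bot: The new comment `# A CI system with less than 4 cores should be avoided` above `ARG MAKE_DEFINES="-j 4"` does not say what happens on a smaller machine: `-j 4` on a 2-core builder only over-subscribes the CPU (slower, more memory), it does not fail, so "should be avoided" reads as a hard requirement it is not. The curl job in .circleci/config.yml in this same commit passes `--build-arg MAKE_DEFINES="-j 18"`, so CI presumably overrides this default and it mainly affects local builds. Suggest `# Default parallelism for local builds (CI overrides via --build-arg MAKE_DEFINES); on fewer than 4 cores pass e.g. MAKE_DEFINES="-j 2"`.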
@@ -1,75 +1,156 @@
-# Define the wireshark version to be baked in.
-ARG WIRESHARK_VERSION=3.4.9
+# This Dockerfile builds a Wireshark image with Open Quantum Safe (OQS) support.
+# By integrating OQS, the resulting Wireshark build is capable of
+# analyzing and handling post-quantum cryptographic protocols.
-# Define the SSL naming convention: One of "wolfssl" and "oqs"
-ARG QSC_SSL_FLAVOR="oqs"
+# Define the base versions and tags for dependencies
+ARG UBUNTU_VERSION=24.04
+ARG WIRESHARK_VERSION=4.4.1
+ARG OPENSSL_TAG=3.4.0
+ARG LIBOQS_TAG=0.11.0
+ARG OQSPROVIDER_TAG=0.7.0
-FROM ubuntu as intermediate
-ENV DEBIAN_FRONTEND noninteractive
+# Define Installation directory
+ARG INSTALLDIR=/opt/oqs
+# Stage 1: Building stage
+FROM ubuntu:${UBUNTU_VERSION} AS build
+
+LABEL version="2"
+
+ENV DEBIAN_FRONTEND=noninteractive
 ARG WIRESHARK_VERSION
-ARG QSC_SSL_FLAVOR
-
-RUN apt update && apt upgrade -y
-
-# Get all software packages required for building wireshark:
-RUN apt install -y gcc g++ \
- libtool \
- automake \
- autoconf \
- cmake \
- ninja-build \
- git \
- curl \
- perl \
- flex \
- bison \
- 2to3 python2-minimal python2 dh-python python-is-python3 \
- python3 \
- libssl-dev \
- libgcrypt-dev \
- libpcap-dev \
- libc-ares-dev \
- qtbase5-dev qttools5-dev-tools qttools5-dev qtmultimedia5-dev \
- wget \
- libssh-dev
-
-# Get the source and unpack it.
-WORKDIR /tmp
-RUN curl --output wireshark-${WIRESHARK_VERSION}.tar.xz https://2.na.dl.wireshark.org/src/all-versions/wireshark-${WIRESHARK_VERSION}.tar.xz && tar xmvf wireshark-${WIRESHARK_VERSION}.tar.xz
-
-WORKDIR /tmp/wireshark-${WIRESHARK_VERSION}
-
-COPY wolfssl-qsc.h wolfssl-qsc.h
-
-# Decide on QSC naming/ID mapping
-RUN if [ "x$QSC_SSL_FLAVOR" = "xoqs" ] ; then \
- wget https://raw.githubusercontent.com/open-quantum-safe/openssl/OQS-OpenSSL_1_1_1-stable/qsc.h; \
-elif [ "x$QSC_SSL_FLAVOR" = "xwolfssl" ]; then \
- mv wolfssl-qsc.h qsc.h; \
-else \
- echo "Unknown naming convention in QSC_SSL_FLAVOR ($QSC_SSL_FLAVOR). Exiting."; \
- exit 1; \
-fi
-
-# Patch QSC-specific ids into wireshark code base
-RUN cp qsc.h epan/dissectors && \
- sed -i "s/#include \"config.h\"/#include \"config.h\"\n#include \"qsc.h\"/g" epan/dissectors/packet-pkcs1.c && \
- sed -i "s/#include \"config.h\"/#include \"config.h\"\n#include \"qsc.h\"/g" epan/dissectors/packet-tls-utils.c && \
- sed -i "s/oid_add_from_string(\"sha224\", \"2.16.840.1.101.3.4.2.4\");/oid_add_from_string(\"sha224\", \"2.16.840.1.101.3.4.2.4\");\nQSC_SIGS/g" epan/dissectors/packet-pkcs1.c && \
- sed -i "s/ { 260\, \"ffdhe8192\" }\, \/\* RFC 7919 \*\// { 260\, \"ffdhe8192\" }\, \/\* RFC 7919 \*\/\nQSC_KEMS/g" epan/dissectors/packet-tls-utils.c && \
- sed -i "s/ { 0x080b\, \"rsa_pss_pss_sha512\" }\,/ { 0x080b\, \"rsa_pss_pss_sha512\" }\,\nQSC_SIG_CPS/g" epan/dissectors/packet-tls-utils.c
-
-# Build wireshark
-RUN mkdir -p build && cd build && cmake -GNinja -DCMAKE_INSTALL_PREFIX=/opt/wireshark ..
&& ninja && ninja install
-
-FROM ubuntu
-ENV DEBIAN_FRONTEND noninteractive
-
-RUN apt update && apt upgrade -y && apt install -y qtbase5-dev qtchooser qt5-qmake qtbase5-dev-tools libc-ares2 libqt5multimedia5 pcaputils libssh-dev
-
-# Only retain the ${INSTALLDIR} contents in the final image
-COPY --from=intermediate /opt/wireshark /opt/wireshark
-
-
-CMD /opt/wireshark/bin/wireshark
+ARG OPENSSL_TAG
+ARG LIBOQS_TAG
+ARG OQSPROVIDER_TAG
+ARG INSTALLDIR
+
+# Install essential build dependencies
+RUN apt-get update && apt-get install -y --no-install-recommends \
+ build-essential libtool automake autoconf cmake ninja-build \
+ openssl libssl-dev git wget ca-certificates \
+ python3 python3-pip python3-venv && \
+ apt-get clean && rm -rf /var/lib/apt/lists/*
+
+WORKDIR /opt
+# Set up isolated directories
+# src for source files, build for compiling, and install for final binaries
+RUN mkdir -p src/liboqs src/openssl src/oqs-provider src/wireshark \
+ build/liboqs build/openssl build/oqs-provider build/wireshark \
+ ${INSTALLDIR}/lib ${INSTALLDIR}/bin ${INSTALLDIR}/ssl
+
+# Download sources
+WORKDIR /opt/src
+RUN git clone --depth 1 --branch ${LIBOQS_TAG} https://github.com/open-quantum-safe/liboqs.git liboqs && \
+ git clone --depth 1 --branch openssl-${OPENSSL_TAG} https://github.com/openssl/openssl.git openssl && \
+ git clone --depth 1 --branch ${OQSPROVIDER_TAG} https://github.com/open-quantum-safe/oqs-provider.git oqs-provider && \
+ wget -O wireshark.tar.xz https://www.wireshark.org/download/src/all-versions/wireshark-${WIRESHARK_VERSION}.tar.xz && \
+ tar -xf wireshark.tar.xz --strip-components=1 -C wireshark && \
+ rm wireshark.tar.xz
+
+# Build and install liboqs
+WORKDIR /opt/build/liboqs
+RUN cmake -G Ninja /opt/src/liboqs \
+ -D CMAKE_INSTALL_PREFIX=${INSTALLDIR}/liboqs \
+ -D BUILD_SHARED_LIBS=ON \
+ -D OQS_USE_OPENSSL=OFF \
+ -D OQS_MINIMAL_BUILD="KEM_kyber_512;KEM_kyber_768;KEM_kyber_1024" \
+ -D CMAKE_INSTALL_RPATH="${INSTALLDIR}/liboqs/lib" && \
+
ninja -j$(nproc) && ninja install
+
+# Build OpenSSL integrated with liboqs
+WORKDIR /opt/build/openssl
+RUN LDFLAGS="-Wl,-rpath,${INSTALLDIR}/liboqs/lib" \
+ /opt/src/openssl/config \
+ --prefix=${INSTALLDIR}/openssl \
+ --openssldir=${INSTALLDIR}/ssl \
+ shared && \
+ make -j$(nproc) && \
+ make install_sw install_ssldirs
+
+# Build OQS provider for OpenSSL integration
+WORKDIR /opt/build/oqs-provider
+RUN cmake -G Ninja \
+ -D OPENSSL_ROOT_DIR=${INSTALLDIR}/openssl \
+ -D CMAKE_PREFIX_PATH="${INSTALLDIR}/openssl;${INSTALLDIR}/liboqs" \
+ -D CMAKE_INSTALL_PREFIX=${INSTALLDIR}/oqs-provider \
+ -D CMAKE_INSTALL_RPATH="${INSTALLDIR}/openssl/lib:${INSTALLDIR}/liboqs/lib" \
+ /opt/src/oqs-provider && \
+ ninja -j$(nproc) && \
+ mkdir -p ${INSTALLDIR}/openssl/lib/ossl-modules && \
+ cp /opt/build/oqs-provider/lib/oqsprovider.so ${INSTALLDIR}/openssl/lib/ossl-modules
+
+# Set up OpenSSL to load the OQS provider
+RUN CONFIG_FILE="${INSTALLDIR}/ssl/openssl.cnf" && \
+ sed -i "s/default = default_sect/default = default_sect\noqsprovider = oqsprovider_sect/g" "$CONFIG_FILE" && \
+ sed -i "s/\[default_sect\]/\[default_sect\]\nactivate = 1\n\[oqsprovider_sect\]\nactivate = 1\n/g" "$CONFIG_FILE"
+
+# Using a script from Wireshark to install required build dependencies
+WORKDIR /opt/src/wireshark
+RUN ./tools/debian-setup.sh -y
+
+# Generate `qsc.h`
+WORKDIR ${INSTALLDIR}
+RUN cp /opt/src/oqs-provider/oqs-template/generate.yml ${INSTALLDIR}
+COPY generate_qsc_header.py ${INSTALLDIR}
+COPY qsc_template.jinja2 ${INSTALLDIR}
+COPY requirements.txt ${INSTALLDIR}
+
+RUN python3 -m venv ${INSTALLDIR}/venv && \
+ .
${INSTALLDIR}/venv/bin/activate && \
+ pip install -r requirements.txt && \
+ python ${INSTALLDIR}/generate_qsc_header.py && \
+ deactivate
+
+RUN cp ${INSTALLDIR}/qsc.h /opt/src/wireshark/epan/dissectors/
+
+# Modify Wireshark source files for post-quantum definitions
+WORKDIR /opt/src/wireshark
+RUN sed -i "s/#include \"config.h\"/#include \"config.h\"\n#include \"qsc.h\"/g" epan/dissectors/packet-pkcs1.c && \
+ sed -i "s/#include \"config.h\"/#include \"config.h\"\n#include \"qsc.h\"/g" epan/dissectors/packet-tls-utils.c && \
+ sed -i "s/oid_add_from_string(\"sha224\", \"2.16.840.1.101.3.4.2.4\");/oid_add_from_string(\"sha224\", \"2.16.840.1.101.3.4.2.4\");\nQSC_SIGS/g" epan/dissectors/packet-pkcs1.c && \
+ sed -i "s/ { 260\, \"ffdhe8192\" }\, \/\* RFC 7919 \*\// { 260\, \"ffdhe8192\" }\, \/\* RFC 7919 \*\/\nQSC_KEMS/g" epan/dissectors/packet-tls-utils.c && \
+ sed -i "s/ { 0x080b\, \"rsa_pss_pss_sha512\" }\,/ { 0x080b\, \"rsa_pss_pss_sha512\" }\,\nQSC_SIG_CPS/g" epan/dissectors/packet-tls-utils.c
+
+# Build and install Wireshark
+WORKDIR /opt/build/wireshark
+RUN cmake -G Ninja /opt/src/wireshark \
+ -D QT5=OFF \
+ -D QT6=ON \
+ -D CMAKE_BUILD_TYPE=Release \
+ -D CMAKE_INSTALL_PREFIX=${INSTALLDIR}/wireshark \
+ -D CMAKE_PREFIX_PATH="${INSTALLDIR}/openssl;${INSTALLDIR}/liboqs" \
+ -D CMAKE_INSTALL_RPATH="${INSTALLDIR}/openssl/lib:${INSTALLDIR}/liboqs/lib" && \
+ ninja -j$(nproc) && ninja install
+
+# Test integration of OQS provider with OpenSSL
+WORKDIR /opt/src/oqs-provider
+ENV OPENSSL_CONF=${INSTALLDIR}/ssl/openssl.cnf
+ENV OPENSSL_MODULES=${INSTALLDIR}/openssl/lib/ossl-modules
+RUN mkdir -p _build
+RUN ./scripts/runtests.sh -j$(nproc)
+
+# Stage 2: Minimal runtime image
+FROM ubuntu:${UBUNTU_VERSION} AS runtime
+
+ENV DEBIAN_FRONTEND=noninteractive
+ARG INSTALLDIR
+
+# Install necessary runtime dependencies
+RUN apt-get update && apt-get install -y --no-install-recommends \
+ libc-ares2 pcaputils libssh-4 libgcrypt20 \
+ libglib2.0-0 libpcap0.8 libspeexdsp1
zlib1g \
+ libqt6core6 libqt6gui6 libqt6widgets6 libqt6printsupport6 \
+ libqt6core5compat6 libqt6dbus6 libqt6multimedia6 libgpg-error0 && \
+ apt-get clean && rm -rf /var/lib/apt/lists/*
+
+ENV PATH="${INSTALLDIR}/wireshark/bin:${INSTALLDIR}/openssl/bin:${PATH}"
+ENV OPENSSL_CONF=${INSTALLDIR}/ssl/openssl.cnf
+ENV OPENSSL_MODULES=${INSTALLDIR}/openssl/lib/ossl-modules
+
+# Copy essential files from build stage
+COPY --from=build ${INSTALLDIR}/wireshark ${INSTALLDIR}/wireshark
+COPY --from=build ${INSTALLDIR}/openssl ${INSTALLDIR}/openssl
+COPY --from=build ${INSTALLDIR}/liboqs ${INSTALLDIR}/liboqs
+COPY --from=build ${INSTALLDIR}/ssl ${INSTALLDIR}/ssl
+
+CMD ["wireshark"]
\ No newline at end of file
diff --git a/wireshark/README.md b/wireshark/README.md
index aa2806fd..619564cb 100644
--- a/wireshark/README.md
+++ b/wireshark/README.md
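Review bot: The `# Download sources` step of the rewritten wireshark/Dockerfile (this hunk replaces the whole file) fetches everything without an integrity check: `git clone --depth 1 --branch ${LIBOQS_TAG}` and the OpenSSL and oqs-provider clones resolve mutable tags, and `wget -O wireshark.tar.xz ...` accepts the tarball as served, after which `./tools/debian-setup.sh -y` from that tarball is executed as root in the build stage and the result is published to Docker Hub. Verify the tarball against the digest published on wireshark.org, e.g. add `ARG WIRESHARK_SHA256=<sha256-from-wireshark-download-page>` and run `echo "${WIRESHARK_SHA256}  wireshark.tar.xz" | sha256sum -c -` before the `tar -xf`, and pin the three clones to the commit hashes behind the tags (or verify the signed tags where the project provides them) so a moved tag is noticed rather than silently built. The runtime stage has no `USER` instruction, so `CMD ["wireshark"]` runs the Qt GUI as root inside the container; Wireshark's own guidance is to run the UI unprivileged and give only dumpcap the capture capabilities, which is worth a comment here even if the README's `--net=host` invocation is kept. The `CMD` line is also flagged `\ No newline at end of file`; add the trailing newline.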
@@ -1,31 +1,81 @@ -# DEPRECATED +This project provides a Docker image to build [Wireshark](https://www.wireshark.org/) with quantum-safe cryptography +support through the [Open Quantum Safe (OQS) provider](https://github.com/open-quantum-safe/oqs-provider). This Docker +image allows Wireshark to analyze network traffic encrypted with post-quantum cryptographic protocols. -> [!Warning] -> This integration is currently not supported due to [the end of life of oqs-openssl111](https://github.com/open-quantum-safe/openssl#warning). +## System Requirements -This directory contains a Dockerfile that builds wireshark that is patched to understand the OIDs and codepoints in TLS 1.3 that are supported by OQS-OpenSSL. +- **Docker**: Ensure [Docker](https://docs.docker.com/get-docker/) is installed and running on your system. +- **X-Window System (for GUI Display)**: + - **Linux**: + - Run the following commands to allow Docker to access the display: + ``` + xhost +local + export DISPLAY=:0 + ``` + - **Windows**: + - Install an X server such as [VcXsrv](https://sourceforge.net/projects/vcxsrv/) and configure it with the + following options: + - **Disable access control** + - **Disable native OpenGL** + - In PowerShell, set the display environment variable: + ``` + $env:DISPLAY=":0" + ``` + - **macOS**: + - Install an X server, such as [XQuartz](https://www.xquartz.org), and start it. + - Run the following command in the terminal to allow Docker to access the display: + ``` + xhost + + ``` + - Set the display environment variable in the terminal: + ``` + export DISPLAY=:0 + ``` -## Quick start +**Notes**: -1) Be sure to have [docker installed](https://docs.docker.com/install). -2) Run `docker build -t openquantumsafe/wireshark .` to create an QSC-enabled (codepoint and OID aware) wireshark docker image. +- **macOS** support has not been tested yet. We welcome your feedback and suggestions. 
Please reach us through + the [oqs-demos issue section](https://github.com/open-quantum-safe/oqs-demos/issues). +- Replace `` with your system's IP address. Use `:0` as the default display port unless configured + otherwise. -## Usage +## Building Instructions + +Run the following commands to build and launch Wireshark with OQS support: + +``` +git clone https://github.com/open-quantum-safe/oqs-demos +cd oqs-demos/wireshark +docker build -t oqs-wireshark . +docker run --rm -it --net=host -e DISPLAY=$DISPLAY -v /tmp/.X11-unix:/tmp/.X11-unix oqs-wireshark +``` -Information how to use the image is [available in the separate file USAGE.md](USAGE.md). +### Explanation of Docker Options -## Build options +- `--net=host`: Shares the host network with the container. +- `-e DISPLAY`: Sets the display variable for GUI. +- `-v /tmp/.X11-unix:/tmp/.X11-unix`: Mounts the X11 Unix socket for GUI access. -The Dockerfile provided allows for customization of the image built: +## Project Components -### WIRESHARK_VERSION +1. **Dockerfile**: Builds Wireshark with OpenSSL, liboqs, and OQS provider. +2. **generate_qsc_header.py**: Processes `oqs-provider/oqs-template/generate.yml` with the `qsc_template.jinja2` to + generate `qsc.h`, + defining post-quantum KEMs and SIGs for Wireshark. + +## Usage -This permits changing the wireshark code base to be used. +For detailed usage instructions, refer to [USAGE.md](USAGE.md). -Tested default value is "3.4.9". +## Build Configuration and Updates -### QSC_SSL_FLAVOR +Customize the build using the following Dockerfile arguments: -Different quantum-safe TLS implementations have different names for the same algorithms. This option permits switching between them. Permitted values are "oqs" and "wolfssl". +- **`UBUNTU_VERSION`**: Specifies the Ubuntu version. +- **`WIRESHARK_VERSION`**: Defines the Wireshark version to build. +- **`OPENSSL_TAG`**: Sets the OpenSSL version to build. +- **`LIBOQS_TAG`**: Specifies the liboqs version to include. 
+- **`OQSPROVIDER_TAG`**: Defines the Open Quantum Safe provider version. +- **`INSTALLDIR`**: Sets the installation path for OQS libraries. -Default is "oqs". +To keep the build up-to-date, update the arguments as needed to include the latest versions. \ No newline at end of file diff --git a/wireshark/USAGE.md b/wireshark/USAGE.md index f0cacdfb..a191ff1b 100644 --- a/wireshark/USAGE.md +++ b/wireshark/USAGE.md 
@@ -1,43 +1,45 @@ -# OQS-wireshark +This project enables [Wireshark](https://www.wireshark.org/) to analyze network traffic encrypted with post-quantum +cryptographic protocols +support through the [Open Quantum Safe (OQS) provider](https://github.com/open-quantum-safe/oqs-provider). -This docker image contains a version of [wireshark](https://www.wireshark.org/) built to also properly display quantum-safe crypto (QSC) TLS operations. +## Running Wireshark -To this end, it contains references to algorithms supported by [liboqs](https://github.com/open-quantum-safe/liboqs) and [OQS-OpenSSL](https://github.com/open-quantum-safe/openssl) from the [OpenQuantumSafe](https://openquantumsafe.org) project. +You can run the Wireshark Docker container on Linux or Windows using the following command: -The image is based on Ubuntu and requires the host to run the Unix X-Window system. +``` +docker run --rm -it --net=host -e DISPLAY=$DISPLAY -v /tmp/.X11-unix:/tmp/.X11-unix oqs-wireshark +``` -## Quick start +Once Wireshark is running, you can [use it as you normally would](https://www.wireshark.org/docs/), +such as selecting a network interface to capture and analyze traffic. -Execute this command to open the wireshark window on your host: +**Note:** **macOS** support has not been tested yet. We welcome your feedback and suggestions. Please reach us through +the [oqs-demos issue section](https://github.com/open-quantum-safe/oqs-demos/issues). - docker run --net=host --privileged --env="DISPLAY" --volume="$HOME/.Xauthority:/root/.Xauthority:rw" openquantumsafe/wireshark +## Testing quantum-safe Protocols -Then proceed [using wireshark as usual](https://www.wireshark.org/docs/), e.g., by selecting a network interface to monitor/dissect. +### 1. 
Filter by Quantum-Safe Protocols -*Note*: You may need to grant permissions for Docker to access the X display: +Use the following Wireshark display filter to isolate quantum-safe TLS traffic: - xhost +si:localuser:$USER +``` +tls && ip.addr == +``` -## Suggested test +**Explanation:** +The filter isolates traffic that uses the TLS protocol to or from the specified IP +address. Replace `` with the resolved IP address (use tools +like `ping` to find the IP). -At https://test.openquantumsafe.org most quantum-safe algorithms that are still part of the NIST PQC competition are available for TLS interoperability testing. +### 2. Test Quantum-Safe Connections -As a client, we recommend using an OQS-enabled `curl` docker image that may be executed for a quick initial test as follows: +Run the following command to test a quantum-safe TLS connection: - docker run -it openquantumsafe/curl sh -c "curl -k https://test.openquantumsafe.org:6001 --curves frodo640aes" +``` +docker run -it openquantumsafe/curl sh -c "curl -k https://test.openquantumsafe.org:6069 --curves kyber1024" +``` -For more details regarding the client-side options, we recommend reviewing https://hub.docker.com/repository/docker/openquantumsafe/curl - -### Focus on quantum-safe data traffic - -In order to focus `wireshark` on the quantum safe TLS traffic generated by the above `curl` command, we recommend setting a wireshark display filter as follows - - ip.addr == 149.81.106.123 && tls - -which is the current IP address of the OQS interop test server at https://test.openquantumsafe.org. - -Other algorithms can be configured for use as per the [documentation for OQS-curl](https://hub.docker.com/repository/docker/openquantumsafe/curl) and the [OQS test server](https://test.openquantumsafe.org). 
- -When digging into the TLS traffic, the actual quantum-safe KEM algorithm requested can be seen within the Client and/or Server Hello messages (check "TLS->TLSv1.3 Record Layer->Handshake protocol->Extension: key share"). - -*Note:* `wireshark` might not recognize the TLS traffic as such due to the ports used at the OQS interoperability test server. In such case, enable the port of interest within the wireshark UI by adding it to the "SSL/TLS Ports" list (Edit->Preferences->Protocols->HTTP). +**Explanation:** +Replace `6069` with the port number and `kyber1024` with the name of the quantum-safe cryptographic +algorithm you wish to test. Refer to the [Open Quantum Safe test page](https://test.openquantumsafe.org/) for the full +list of supported protocols. \ No newline at end of file diff --git a/wireshark/build.sh b/wireshark/build.sh deleted file mode 100755 index 87ebe53e..00000000 --- a/wireshark/build.sh +++ /dev/null 
@@ -1,61 +0,0 @@
-#!/bin/bash
-
-# Define the wireshark version to be used
-WIRESHARK_VERSION=3.4.9
-
-# Define the SSL naming convention: One of "wolfssl" and "oqs"
-QSC_SSL_FLAVOR="oqs"
-
-if [ $QSC_SSL_FLAVOR == "oqs" ]; then
- # Obtain OQS-specific ids
- wget https://raw.githubusercontent.com/open-quantum-safe/openssl/OQS-OpenSSL_1_1_1-stable/qsc.h
-elif [ $QSC_SSL_FLAVOR == "wolfssl" ]; then
- mv wolfssl-qsc.h qsc.h
-else
- echo "Unknown naming convention. Exiting."
- exit -1
-fi
-
-sudo apt update && apt upgrade -y
-
-# Get all software packages required for building wireshark:
-sudo apt install -y gcc \
- libtool \
- automake \
- autoconf \
- cmake \
- ninja-build \
- git \
- curl \
- perl \
- flex \
- bison \
- python \
- python3 \
- libssl-dev \
- libgcrypt-dev \
- libpcap-dev \
- libc-ares-dev \
- qtbase5-dev qttools5-dev-tools qttools5-dev qtmultimedia5-dev \
- libssh-dev
-
-# Get the source and unpack it.
-curl --output wireshark-${WIRESHARK_VERSION}.tar.xz https://2.na.dl.wireshark.org/src/all-versions/wireshark-${WIRESHARK_VERSION}.tar.xz
-rm -rf wireshark-${WIRESHARK_VERSION}
-tar xmvf wireshark-${WIRESHARK_VERSION}.tar.xz
-
-cd wireshark-${WIRESHARK_VERSION}
-
-# patch wireshark code base with IDs
-cp ../qsc.h epan/dissectors && \
- sed -i "s/#include \"config.h\"/#include \"config.h\"\n#include \"qsc.h\"/g" epan/dissectors/packet-pkcs1.c && \
- sed -i "s/#include \"config.h\"/#include \"config.h\"\n#include \"qsc.h\"/g" epan/dissectors/packet-tls-utils.c && \
- sed -i "s/oid_add_from_string(\"sha224\", \"2.16.840.1.101.3.4.2.4\");/oid_add_from_string(\"sha224\", \"2.16.840.1.101.3.4.2.4\");\nQSC_SIGS/g" epan/dissectors/packet-pkcs1.c && \
- sed -i "s/ { 260\, \"ffdhe8192\" }\, \/\* RFC 7919 \*\// { 260\, \"ffdhe8192\" }\, \/\* RFC 7919 \*\/\nQSC_KEMS/g" epan/dissectors/packet-tls-utils.c && \
- sed -i "s/ { 0x080b\, \"rsa_pss_pss_sha512\" }\,/ { 0x080b\, \"rsa_pss_pss_sha512\" }\,\nQSC_KEMS/g" epan/dissectors/packet-tls-utils.c
-# Build wireshark
-mkdir -p build && cd build && cmake -GNinja .. && ninja
-
-# Install wireshark
-# ninja install
-
diff --git a/wireshark/generate_qsc_header.py b/wireshark/generate_qsc_header.py
new file mode 100644
index 00000000..61b7ea05
--- /dev/null
+++ b/wireshark/generate_qsc_header.py
@@ -0,0 +1,15 @@
+import yaml
+from jinja2 import Environment, FileSystemLoader
+
+with open("generate.yml", "r") as file:
+ data = yaml.safe_load(file)
+
+env = Environment(loader=FileSystemLoader("."))
+template = env.get_template("qsc_template.jinja2")
+
+output = template.render(data=data)
+
+with open("qsc.h", "w") as output_file:
+ output_file.write(output)
+
+print("qsc.h has been successfully generated!")
\ No newline at end of file
diff --git a/wireshark/qsc_template.jinja2 b/wireshark/qsc_template.jinja2
new file mode 100644
index 00000000..443e133e
--- /dev/null
+++ b/wireshark/qsc_template.jinja2
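Review bot: The generator builds a default `Environment`, so a key the template expects but `generate.yml` lacks (an absent top-level `kems`/`sigs` list, or a missing `extra_nids.old`) renders as empty rather than failing, and the result is a `qsc.h` that silently omits algorithms from the dissector tables. Creating the environment as `env = Environment(loader=FileSystemLoader("."), undefined=StrictUndefined)` (importing `StrictUndefined` from `jinja2`) turns such schema drift into a generation-time error. Both input paths and the output path are resolved against the current working directory, so the script only behaves when run from `wireshark/`; anchoring them on `pathlib.Path(__file__).resolve().parent` would remove that footgun. Nothing in the diff adds or documents `generate.yml`, whereas the deleted build.sh fetched the ID list from a pinned OQS OpenSSL branch, so a header comment stating which file this is expected to be (presumably oqs-provider's generate.yml) and which revision it should track would help the next maintainer keep the code points in sync.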
@@ -0,0 +1,49 @@
+#ifndef QSC_H
+#define QSC_H
+
+// (QSC_KEMS)
+#define QSC_KEMS \
+{%- for kem in data.kems if kem.nid and kem.name_group %}
+ { {{- kem.nid -}},"{{- kem.name_group -}}"},\ {# Notice the removal of space before `}` #}
+ {%- if kem.nid_hybrid %}
+ { {{- kem.nid_hybrid -}},"p{{- kem.nid_hybrid|int('16')|length * 64 -}}_{{- kem.name_group -}}"},\
+ {%- endif %}
+ {%- if kem.extra_nids %}
+ {%- for extra in kem.extra_nids.current if extra.nid and extra.hybrid_group %}
+ { {{- extra.nid -}},"{{- extra.hybrid_group -}}_{{- kem.name_group -}}"},\
+ {%- endfor %}
+ {%- for extra in kem.extra_nids.old if extra.nid and extra.hybrid_group %}
+ { {{- extra.nid -}},"{{- extra.hybrid_group -}}_{{- kem.name_group -}}"},\
+ {%- endfor %}
+ {%- endif %}
+{%- endfor %}
+
+
+// (QSC_SIGS)
+#define QSC_SIGS \
+{%- for sig in data.sigs %}
+ {%- for variant in sig.variants if variant.oid and variant.name %}
+ oid_add_from_string("{{- variant.name -}}","{{- variant.oid -}}");\
+ {%- if variant.mix_with %}
+ {%- for mix in variant.mix_with if mix.oid and mix.name %}
+ oid_add_from_string("{{- mix.name -}}_{{- variant.name -}}","{{- mix.oid -}}");\
+ {%- endfor %}
+ {%- endif %}
+ {%- endfor %}
+{%- endfor %}
+
+
+// (QSC_SIG_CPS)
+#define QSC_SIG_CPS \
+{%- for sig in data.sigs %}
+ {%- for variant in sig.variants if variant.code_point and variant.name %}
+ { {{- variant.code_point -}},"{{- variant.name -}}"},\
+ {%- endfor %}
+ {%- for variant in sig.variants if variant.mix_with %}
+ {%- for mix in variant.mix_with if mix.code_point and mix.name %}
+ { {{- mix.code_point -}},"{{- mix.name -}}_{{- variant.name -}}"},\
+ {%- endfor %}
+ {%- endfor %}
+{%- endfor %}
+
+#endif // QSC_H
diff --git a/wireshark/requirements.txt b/wireshark/requirements.txt
new file mode 100644
index 00000000..c664af5e
--- /dev/null
+++ b/wireshark/requirements.txt
@@ -0,0 +1,2 @@
+Jinja2
+PyYAML
\ No newline at end of file
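Review bot: The hybrid group name in the `QSC_KEMS` block, `"p{{- kem.nid_hybrid|int('16')|length * 64 -}}_…"`, does not derive the curve size from the NID: Jinja's `int` filter takes `default` as its first positional argument (the radix is the keyword `base=`), so `int('16')` is a fallback value, not base 16. If `nid_hybrid` is a hex string such as the `0x...` values the generated table expects, the conversion fails, the default `'16'` is returned, `length` yields 2 and every hybrid entry is emitted as `p128_<group>`; if the conversion succeeds, `length` is applied to an integer and rendering errors out. Either way the dissector would mislabel (or fail to build for) exactly the hybrid key shares this tooling exists to verify, which defeats the purpose of checking that a PQ/classical hybrid was actually negotiated. I would carry the classical curve explicitly in the YAML, as the `extra_nids` entries already do with `hybrid_group`, and render `{ {{- kem.nid_hybrid -}},"{{- kem.hybrid_group -}}_{{- kem.name_group -}}"},\`; at minimum, diff the rendered `qsc.h` against the previously hand-maintained header before merging.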
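Review bot: Jinja2 and PyYAML are unpinned, so the contents of the generated `qsc.h` depend on whatever versions pip resolves on the day the generator runs, and a compromised or yanked release would be pulled in silently. Pin both to known-good versions (`Jinja2==<version>` / `PyYAML==<version>`), ideally with `--hash` entries, and note the pinned versions next to the generated header so its provenance is reproducible.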
diff --git a/wireshark/wolfssl-qsc.h b/wireshark/wolfssl-qsc.h
deleted file mode 100644
index da21f895..00000000
--- a/wireshark/wolfssl-qsc.h
+++ /dev/null
@@ -1,36 +0,0 @@
-/* wolfSSL naming convention */
-
-#define QSC_SIGS \
- oid_add_from_string("falcon_level1", "1.3.9999.3.1"); \
- oid_add_from_string("falcon_level5", "1.3.9999.3.4"); \
- oid_add_from_string("dilithium_level2", "1.3.6.1.4.1.2.267.7.4.4"); \
- oid_add_from_string("dilithium_level3", "1.3.6.1.4.1.2.267.7.6.5"); \
- oid_add_from_string("dilithium_level5", "1.3.6.1.4.1.2.267.7.8.7");
-
-#define QSC_KEMS \
- { 532, "ntru_hps_level1" }, \
- { 533, "ntru_hps_level3" }, \
- { 534, "ntru_hps_level5" }, \
- { 535, "ntru_hrss_level3" }, \
- { 536, "saber_level1" }, \
- { 537, "saber_level3" }, \
- { 538, "saber_level5" }, \
- { 570, "kyber_level1" }, \
- { 572, "kyber_level3" }, \
- { 573, "kyber_level5" }, \
- { 12052, "p256_ntru_hps_level1" }, \
- { 12053, "p384_ntru_hps_level3" }, \
- { 12054, "p521_ntru_hps_level5" }, \
- { 12055, "p384_ntru_hrss_level3" }, \
- { 12056, "p256_saber_level1" }, \
- { 12057, "p384_saber_level3" }, \
- { 12058, "p521_saber_level5" }, \
- { 12090, "p256_kyber_level1" }, \
- { 12092, "p384_kyber_level3" }, \
- { 12093, "p521_kyber_level5" }, \
- { 0xfe0b, "falcon_level1" }, \
- { 0xfe0e, "falcon_level5" }, \
- { 0xfea0, "dilithium_level2" }, \
- { 0xfea3, "dilithium_level3" }, \
- { 0xfea5, "dilithium_level5" },
-