From 11d34a742c8dce9dc6920fcab56b7bb7ef6dcba3 Mon Sep 17 00:00:00 2001
From: Basil Hess
Date: Wed, 8 Jan 2025 12:44:06 +0100
Subject: [PATCH 1/2] Update to liboqs-0.12.0 & oqs-provider-0.8.0 - test server & nginx - curl
Signed-off-by: Basil Hess
---
 curl/Dockerfile | 4 ++--
 nginx/Dockerfile | 8 ++++----
 nginx/fulltest/Dockerfile | 12 ++++++------
 nginx/fulltest/build_ubuntu.sh | 4 ++--
 nginx/fulltest/index-template | 2 +-
 5 files changed, 15 insertions(+), 15 deletions(-)
diff --git a/curl/Dockerfile b/curl/Dockerfile
index 9bf11954..9dab3997 100644
--- a/curl/Dockerfile
+++ b/curl/Dockerfile
@@ -7,10 +7,10 @@ ARG ALPINE_VERSION=3.20
 ARG OPENSSL_TAG=openssl-3.3.2
 # define the liboqs tag to be used
-ARG LIBOQS_TAG=0.11.0
+ARG LIBOQS_TAG=0.12.0
 # define the oqsprovider tag to be used
-ARG OQSPROVIDER_TAG=0.7.0
+ARG OQSPROVIDER_TAG=0.8.0
 # define the Curl version to be baked in
 ARG CURL_VERSION=8.10.0
diff --git a/nginx/Dockerfile b/nginx/Dockerfile
index e44233ab..227b7069 100644
--- a/nginx/Dockerfile
+++ b/nginx/Dockerfile
@@ -6,13 +6,13 @@ ARG ALPINE_VERSION=3.20
 # define the openssl tag to be used
-ARG OPENSSL_TAG=openssl-3.3.2
+ARG OPENSSL_TAG=openssl-3.4.0
 # define the liboqs tag to be used
-ARG LIBOQS_TAG=0.11.0
+ARG LIBOQS_TAG=0.12.0
 # define the oqsprovider tag to be used
-ARG OQSPROVIDER_TAG=0.7.0
+ARG OQSPROVIDER_TAG=0.8.0
 # liboqs build type variant; maximum portability of image:
 ARG LIBOQS_BUILD_DEFINES="-DOQS_DIST_BUILD=ON"
@@ -27,7 +27,7 @@ ARG INSTALLDIR=${BASEDIR}/nginx
 ARG SIG_ALG="dilithium3"
 # defines the list of default groups to be activated in nginx-openssl config:
-ARG DEFAULT_GROUPS=x25519:x448:kyber512:p256_kyber512:kyber768:p384_kyber768:kyber1024:p521_kyber1024
+ARG DEFAULT_GROUPS=x25519:x448:prime256v1:secp384r1:secp521r1:kyber512:x25519_kyber768:p256_kyber512:kyber768:p384_kyber768:kyber1024:p521_kyber1024:mlkem512:mlkem768:mlkem1024:X25519MLKEM768:SecP256r1MLKEM768
 # define the nginx version to include
 ARG NGINX_VERSION=1.27.2
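Review bot: The new `+ARG DEFAULT_GROUPS=` line in the `@@ -27,7 +27,7 @@` hunk keeps the legacy `kyber*`, `x25519_kyber768` and `p*_kyber*` names next to the new `mlkem*`, `X25519MLKEM768` and `SecP256r1MLKEM768` entries, and patch 2/2 of this same series removes the Kyber entries again. If the Kyber groups are no longer enabled by default in liboqs 0.12.0 / oqs-provider 0.8.0 (the diff does not let me confirm that), the image built at this intermediate commit would presumably hand nginx a group list with names the provider does not know, which OpenSSL rejects when the list is applied, so the server would fail at config load. Consider folding the group-list cleanup into this patch or squashing the two so every commit in the series produces a startable image. The same dual list is also introduced in nginx/fulltest/Dockerfile in this patch's `@@ -20,13 +20,13 @@` hunk.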
diff --git a/nginx/fulltest/Dockerfile b/nginx/fulltest/Dockerfile
index 839f88e2..80494056 100644
--- a/nginx/fulltest/Dockerfile
+++ b/nginx/fulltest/Dockerfile
@@ -3,11 +3,11 @@
 # First: global build arguments:
 # liboqs build type variant; maximum portability of image:
-ARG LIBOQS_TAG=0.11.0
+ARG LIBOQS_TAG=0.12.0
-ARG OPENSSL_TAG=openssl-3.3.2
+ARG OPENSSL_TAG=openssl-3.4.0
-ARG OQSPROVIDER_TAG=0.6.1
+ARG OQSPROVIDER_TAG=0.8.0
 ARG LIBOQS_BUILD_DEFINES="-DOQS_DIST_BUILD=ON"
@@ -20,13 +20,13 @@ ARG INSTALLDIR=${BASEDIR}/nginx
 ARG CONFIGDIR="/"
 # defines the QSC signature algorithm used for the certificates:
-ARG SIG_ALG="dilithium3"
+ARG SIG_ALG="mldsa44"
 # defines the list of default groups to be activated in nginx-openssl config:
-ARG DEFAULT_GROUPS=x25519:x448:prime256v1:secp384r1:secp521r1:kyber512:x25519_kyber768:p256_kyber512:kyber768:p384_kyber768:kyber1024:p521_kyber1024
+ARG DEFAULT_GROUPS=x25519:x448:prime256v1:secp384r1:secp521r1:kyber512:x25519_kyber768:p256_kyber512:kyber768:p384_kyber768:kyber1024:p521_kyber1024:mlkem512:mlkem768:mlkem1024:X25519MLKEM768:SecP256r1MLKEM768
 # define the nginx version to include
-ARG NGINX_VERSION=1.27.2
+ARG NGINX_VERSION=1.27.3
 # Define the degree of parallelism when building the image; leave the number away only if you know what you are doing
 ARG MAKE_DEFINES="-j"
diff --git a/nginx/fulltest/build_ubuntu.sh b/nginx/fulltest/build_ubuntu.sh
index c2797823..7f0c8b55 100755
--- a/nginx/fulltest/build_ubuntu.sh
+++ b/nginx/fulltest/build_ubuntu.sh
@@ -9,7 +9,7 @@ docker build --no-cache -t oqs-nginx-fulltest-provider .
 # Copy deployment tar from image
-docker cp $(docker create oqs-nginx-fulltest-provider:latest):oqs-nginx-0.10.1.tgz .
+docker cp $(docker create oqs-nginx-fulltest-provider:latest):oqs-nginx-0.12.0.tgz .
 # Copy root ca tar from image
-docker cp $(docker create oqs-nginx-fulltest-provider:latest):oqs-testserver-rootca-0.10.1.tgz .
+docker cp $(docker create oqs-nginx-fulltest-provider:latest):oqs-testserver-rootca-0.12.0.tgz .
diff --git a/nginx/fulltest/index-template b/nginx/fulltest/index-template
index 297b0893..a6ad71b3 100644
--- a/nginx/fulltest/index-template
+++ b/nginx/fulltest/index-template
@@ -83,7 +83,7 @@ tr:nth-child(even) {
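Review bot: The two `+docker cp` lines hard-code the tarball version `0.12.0`, duplicating the liboqs tag that nginx/fulltest/Dockerfile declares; the old value `0.10.1` had already drifted from the `0.11.0` tag this series replaces, so the script was broken before and will break again at the next bump. Define the version once at the top of the script, e.g. `LIBOQS_TAG="${LIBOQS_TAG:-0.12.0}"`, and reference `oqs-nginx-${LIBOQS_TAG}.tgz` and `oqs-testserver-rootca-${LIBOQS_TAG}.tgz` on these two lines, so a `--build-arg LIBOQS_TAG=` override and the copy step cannot disagree. Whether the image names the archive after LIBOQS_TAG or after the separate `LIBOQS_VERSION` build arg visible in the Dockerfile's later stages is not determinable from this hunk; confirm against the RUN step that produces the tarball.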

For automated testing, a JSON file encoding all available SIG/KEM combinations and the respective ports where they can be found is available for download here. We explicitly want to warn that algorithm/port combinations are subject to change. Be sure to download the most current JSON file before testing.

-

Note: The designator "*" below for key exchange algorithms should not be understood that the port referenced supports any possible KEM, but only all those KEMs configured into the underlying nginx server as default groups. This can be set when building the server via the DEFAULT_GROUPS configuration option. The default algorithm list is:

x25519:x448:prime256v1:secp384r1:secp521r1:kyber512:x25519_kyber768:p256_kyber512:kyber768:p384_kyber768:kyber1024:p521_kyber1024.

+

Note: The designator "*" below for key exchange algorithms should not be understood that the port referenced supports any possible KEM, but only all those KEMs configured into the underlying nginx server as default groups. This can be set when building the server via the DEFAULT_GROUPS configuration option. The default algorithm list is:

x25519:x448:prime256v1:secp384r1:secp521r1:kyber512:x25519_kyber768:p256_kyber512:kyber768:p384_kyber768:kyber1024:p521_kyber1024:mlkem512:mlkem768:mlkem1024:X25519MLKEM768:SecP256r1MLKEM768.

From ea1344855038f3433f92680ed8f81fb15380256d Mon Sep 17 00:00:00 2001
From: Basil Hess
Date: Wed, 8 Jan 2025 15:34:17 +0100
Subject: [PATCH 2/2] update SIG_ALG & remove Kyber from DEFAULT_GROUPS in nginx & test server
Signed-off-by: Basil Hess
---
 nginx/Dockerfile | 4 ++--
 nginx/fulltest/Dockerfile | 7 +------
 nginx/fulltest/index-template | 2 +-
 3 files changed, 4 insertions(+), 9 deletions(-)
diff --git a/nginx/Dockerfile b/nginx/Dockerfile
index 227b7069..f07babce 100644
--- a/nginx/Dockerfile
+++ b/nginx/Dockerfile
@@ -24,10 +24,10 @@ ARG BASEDIR="/opt"
 ARG INSTALLDIR=${BASEDIR}/nginx
 # defines the QSC signature algorithm used for the certificates:
-ARG SIG_ALG="dilithium3"
+ARG SIG_ALG="mldsa65"
 # defines the list of default groups to be activated in nginx-openssl config:
-ARG DEFAULT_GROUPS=x25519:x448:prime256v1:secp384r1:secp521r1:kyber512:x25519_kyber768:p256_kyber512:kyber768:p384_kyber768:kyber1024:p521_kyber1024:mlkem512:mlkem768:mlkem1024:X25519MLKEM768:SecP256r1MLKEM768
+ARG DEFAULT_GROUPS=x25519:x448:prime256v1:secp384r1:secp521r1:mlkem512:mlkem768:mlkem1024:X25519MLKEM768:SecP256r1MLKEM768
 # define the nginx version to include
 ARG NGINX_VERSION=1.27.2
diff --git a/nginx/fulltest/Dockerfile b/nginx/fulltest/Dockerfile
index 80494056..745f97b2 100644
--- a/nginx/fulltest/Dockerfile
+++ b/nginx/fulltest/Dockerfile
@@ -19,11 +19,8 @@ ARG INSTALLDIR=${BASEDIR}/nginx
 ARG CONFIGDIR="/"
-# defines the QSC signature algorithm used for the certificates:
-ARG SIG_ALG="mldsa44"
-
 # defines the list of default groups to be activated in nginx-openssl config:
-ARG DEFAULT_GROUPS=x25519:x448:prime256v1:secp384r1:secp521r1:kyber512:x25519_kyber768:p256_kyber512:kyber768:p384_kyber768:kyber1024:p521_kyber1024:mlkem512:mlkem768:mlkem1024:X25519MLKEM768:SecP256r1MLKEM768
+ARG DEFAULT_GROUPS=x25519:x448:prime256v1:secp384r1:secp521r1:mlkem512:mlkem768:mlkem1024:X25519MLKEM768:SecP256r1MLKEM768
 # define the nginx version to include
 ARG NGINX_VERSION=1.27.3
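Review bot: Deleting `ARG SIG_ALG="mldsa44"` in the `@@ -19,11 +19,8 @@` hunk, together with the two `-ARG SIG_ALG` removals in the `@@ -44,7 +41,6 @@` and `@@ -137,7 +133,6 @@` stage hunks, only drops the declarations; any `$SIG_ALG` or `${SIG_ALG}` still expanded in a RUN step or a copied-in script of nginx/fulltest/Dockerfile would now resolve to an empty string at build time instead of failing, which for a certificate-generation step means a silently wrong or missing key type. The hunks do not show the consumers, so please confirm with something like `grep -n SIG_ALG nginx/fulltest/Dockerfile nginx/fulltest/*.sh` that no reference remains, or state in the commit message that the test server derives its signature algorithm list another way. Any `--build-arg SIG_ALG=...` still passed from CI or documented in the README becomes a no-op as well and should be removed in the same change.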
@@ -44,7 +41,6 @@ ARG OPENSSL_TAG
 ARG OQSPROVIDER_TAG
 ARG LIBOQS_BUILD_DEFINES
 ARG INSTALLDIR
-ARG SIG_ALG
 ARG NGINX_VERSION
 ARG MAKE_DEFINES
 ARG DEFAULT_GROUPS
@@ -137,7 +133,6 @@ ARG LIBOQS_BUILD_DEFINES ARG LIBOQS_VERSION
 ARG INSTALLDIR
 ARG CAROOTDIR
-ARG SIG_ALG
 ARG BASEDIR
 ARG OSSLDIR=${BASEDIR}/openssl/.openssl
diff --git a/nginx/fulltest/index-template b/nginx/fulltest/index-template
index a6ad71b3..f90cde93 100644
--- a/nginx/fulltest/index-template
+++ b/nginx/fulltest/index-template
@@ -83,7 +83,7 @@ tr:nth-child(even) {

For automated testing, a JSON file encoding all available SIG/KEM combinations and the respective ports where they can be found is available for download here. We explicitly want to warn that algorithm/port combinations are subject to change. Be sure to download the most current JSON file before testing.

-

Note: The designator "*" below for key exchange algorithms should not be understood that the port referenced supports any possible KEM, but only all those KEMs configured into the underlying nginx server as default groups. This can be set when building the server via the DEFAULT_GROUPS configuration option. The default algorithm list is:

x25519:x448:prime256v1:secp384r1:secp521r1:kyber512:x25519_kyber768:p256_kyber512:kyber768:p384_kyber768:kyber1024:p521_kyber1024:mlkem512:mlkem768:mlkem1024:X25519MLKEM768:SecP256r1MLKEM768.

+

Note: The designator "*" below for key exchange algorithms should not be understood that the port referenced supports any possible KEM, but only all those KEMs configured into the underlying nginx server as default groups. This can be set when building the server via the DEFAULT_GROUPS configuration option. The default algorithm list is:

x25519:x448:prime256v1:secp384r1:secp521r1:mlkem512:mlkem768:mlkem1024:X25519MLKEM768:SecP256r1MLKEM768.