Update to PQ instructions.

Anthony Hu 2025-02-19 18:50:22 -05:00
parent 05c72fc757
commit cf426ca8cd
2 changed files with 13 additions and 13 deletions


@ -116,14 +116,14 @@ Testing is only supported on Linux with bash.
## Post-Quantum Algorithms
Starting with wolfSSL version 5.1.0 and nginx version 1.21.4, You can now enable the integration of liboqs in wolfSSL thus enabling post-quantum algorithms for your HTTPS connections over TLS 1.3.
You can now enable the use of post-quantum algorithms for your HTTPS connections over TLS 1.3.
First, you will need to build the OpenQuantumSafe group's liboqs and their fork of OpenSSL to generate the certificate chain that uses the post-quantum FALCON signature scheme. Instructions for that are in wolfSSL git repository's INSTALL file. Note that when you generate your certificates, you will need to add your IP address as a subject alternative name. See here for more details: https://www.openssl.org/docs/manmaster/man5/x509v3_config.html
First, you will need to build the OpenQuantumSafe group's liboqs and their fork of OpenSSL to generate the certificate chain that uses ML-DSA signature scheme. Alternatively, for your convenience, we have already generated some test certificates and they can be found in the wolfSSL OSP repo in the oqs directory.
When building wolfSSL, you will need to add a couple extra flags:
```
./configure --prefix=/usr/local --enable-nginx --with-liboqs
./configure --prefix=/usr/local --enable-nginx --enable-kyber --enable-dilithium
make all
make check
sudo make install
@ -138,8 +138,8 @@ Now that all the software is built and installed, you will need to add a section
listen 443 ssl;
server_name localhost;
ssl_certificate /path/to/falcon_level5_entity_cert.pem;
ssl_certificate_key /path/to/falcon_level5_entity_key.pem;
ssl_certificate /path/to/osp/oqs/mldsa87_entity_cert.pem
ssl_certificate_key /path/to/osp/oqs/mldsa87_entity_key.pem
ssl_session_cache shared:SSL:1m;
ssl_session_timeout 5m;


@ -5,8 +5,8 @@ diff -ur nginx-1.21.4/src/event/ngx_event_openssl.c nginx-1.21.4-pq/src/event/ng
static X509 *ngx_ssl_load_certificate(ngx_pool_t *pool, char **err,
ngx_str_t *cert, STACK_OF(X509) **chain);
+ifndef HAVE_LIBOQS
+/* In the case that HAVE_LIBOQS is defined, these functions are unused as we
+#ifndef HAVE_DILITHIUM
+/* In the case that HAVE_DILITHIUM is defined, these functions are unused as we
+ * call SSL_CTX_use_PrivateKey_file() instead. */
static EVP_PKEY *ngx_ssl_load_certificate_key(ngx_pool_t *pool, char **err,
ngx_str_t *key, ngx_array_t *passwords);
@ -20,7 +20,7 @@ diff -ur nginx-1.21.4/src/event/ngx_event_openssl.c nginx-1.21.4-pq/src/event/ng
{
char *err;
X509 *x509;
+#ifndef HAVE_LIBOQS
+#ifndef HAVE_DILITHIUM
EVP_PKEY *pkey;
+#endif
STACK_OF(X509) *chain;
@ -30,7 +30,7 @@ diff -ur nginx-1.21.4/src/event/ngx_event_openssl.c nginx-1.21.4-pq/src/event/ng
}
#endif
+#ifdef HAVE_LIBOQS
+#ifdef HAVE_DILITHIUM
+ if (ngx_get_full_name(cf->pool, (ngx_str_t *) &ngx_cycle->conf_prefix,
+ key) != NGX_OK) {
+ return NGX_OK;
@ -59,7 +59,7 @@ diff -ur nginx-1.21.4/src/event/ngx_event_openssl.c nginx-1.21.4-pq/src/event/ng
{
char *err;
X509 *x509;
+#ifndef HAVE_LIBOQS
+#ifndef HAVE_DILITHIUM
EVP_PKEY *pkey;
+#endif
STACK_OF(X509) *chain;
@ -69,7 +69,7 @@ diff -ur nginx-1.21.4/src/event/ngx_event_openssl.c nginx-1.21.4-pq/src/event/ng
#endif
+#ifdef HAVE_LIBOQS
+#ifdef HAVE_DILITHIUM
+ if (ngx_get_full_name(pool, (ngx_str_t *) &ngx_cycle->conf_prefix,
+ key) != NGX_OK) {
+ return NGX_OK;
@ -98,7 +98,7 @@ diff -ur nginx-1.21.4/src/event/ngx_event_openssl.c nginx-1.21.4-pq/src/event/ng
}
+#ifndef HAVE_LIBOQS
+#ifndef HAVE_DILITHIUM
static EVP_PKEY *
ngx_ssl_load_certificate_key(ngx_pool_t *pool, char **err,
ngx_str_t *key, ngx_array_t *passwords)
@ -109,7 +109,7 @@ diff -ur nginx-1.21.4/src/event/ngx_event_openssl.c nginx-1.21.4-pq/src/event/ng
+#endif
+#ifndef HAVE_LIBOQS
+#ifndef HAVE_DILITHIUM
static int
ngx_ssl_password_callback(char *buf, int size, int rwflag, void *userdata)
{