diff --git a/README.md b/README.md index 017310b..87980d3 100644 --- a/README.md +++ b/README.md @@ -116,14 +116,14 @@ Testing is only supported on Linux with bash. ## Post-Quantum Algorithms -Starting with wolfSSL version 5.1.0 and nginx version 1.21.4, You can now enable the integration of liboqs in wolfSSL thus enabling post-quantum algorithms for your HTTPS connections over TLS 1.3. +You can now enable the use of post-quantum algorithms for your HTTPS connections over TLS 1.3. -First, you will need to build the OpenQuantumSafe group's liboqs and their fork of OpenSSL to generate the certificate chain that uses the post-quantum FALCON signature scheme. Instructions for that are in wolfSSL git repository's INSTALL file. Note that when you generate your certificates, you will need to add your IP address as a subject alternative name. See here for more details: https://www.openssl.org/docs/manmaster/man5/x509v3_config.html +First, you will need to build the OpenQuantumSafe group's liboqs and their fork of OpenSSL to generate the certificate chain that uses ML-DSA signature scheme. Alternatively, for your convenience, we have already generated some test certificates and they can be found in the wolfSSL OSP repo in the oqs directory. When building wolfSSL, you will need to add a couple extra flags: ``` -./configure --prefix=/usr/local --enable-nginx --with-liboqs +./configure --prefix=/usr/local --enable-nginx --enable-kyber --enable-dilithium make all make check sudo make install @@ -138,8 +138,8 @@ Now that all the software is built and installed, you will need to add a section listen 443 ssl; server_name localhost; - ssl_certificate /path/to/falcon_level5_entity_cert.pem; - ssl_certificate_key /path/to/falcon_level5_entity_key.pem; + ssl_certificate /path/to/osp/oqs/mldsa87_entity_cert.pem + ssl_certificate_key /path/to/osp/oqs/mldsa87_entity_key.pem ssl_session_cache shared:SSL:1m; ssl_session_timeout 5m; diff --git a/nginx-1.21.4-pq.patch b/nginx-1.21.4-pq.patch index 38a4215..e726d9c 100644 --- a/nginx-1.21.4-pq.patch +++ b/nginx-1.21.4-pq.patch @@ -5,8 +5,8 @@ diff -ur nginx-1.21.4/src/event/ngx_event_openssl.c nginx-1.21.4-pq/src/event/ng static X509 *ngx_ssl_load_certificate(ngx_pool_t *pool, char **err, ngx_str_t *cert, STACK_OF(X509) **chain); -+ifndef HAVE_LIBOQS -+/* In the case that HAVE_LIBOQS is defined, these functions are unused as we ++#ifndef HAVE_DILITHIUM ++/* In the case that HAVE_DILITHIUM is defined, these functions are unused as we + * call SSL_CTX_use_PrivateKey_file() instead. */ static EVP_PKEY *ngx_ssl_load_certificate_key(ngx_pool_t *pool, char **err, ngx_str_t *key, ngx_array_t *passwords); @@ -20,7 +20,7 @@ diff -ur nginx-1.21.4/src/event/ngx_event_openssl.c nginx-1.21.4-pq/src/event/ng { char *err; X509 *x509; -+#ifndef HAVE_LIBOQS ++#ifndef HAVE_DILITHIUM EVP_PKEY *pkey; +#endif STACK_OF(X509) *chain; @@ -30,7 +30,7 @@ diff -ur nginx-1.21.4/src/event/ngx_event_openssl.c nginx-1.21.4-pq/src/event/ng } #endif -+#ifdef HAVE_LIBOQS ++#ifdef HAVE_DILITHIUM + if (ngx_get_full_name(cf->pool, (ngx_str_t *) &ngx_cycle->conf_prefix, + key) != NGX_OK) { + return NGX_OK; @@ -59,7 +59,7 @@ diff -ur nginx-1.21.4/src/event/ngx_event_openssl.c nginx-1.21.4-pq/src/event/ng { char *err; X509 *x509; -+#ifndef HAVE_LIBOQS ++#ifndef HAVE_DILITHIUM EVP_PKEY *pkey; +#endif STACK_OF(X509) *chain; @@ -69,7 +69,7 @@ diff -ur nginx-1.21.4/src/event/ngx_event_openssl.c nginx-1.21.4-pq/src/event/ng #endif -+#ifdef HAVE_LIBOQS ++#ifdef HAVE_DILITHIUM + if (ngx_get_full_name(pool, (ngx_str_t *) &ngx_cycle->conf_prefix, + key) != NGX_OK) { + return NGX_OK; @@ -98,7 +98,7 @@ diff -ur nginx-1.21.4/src/event/ngx_event_openssl.c nginx-1.21.4-pq/src/event/ng } -+#ifndef HAVE_LIBOQS ++#ifndef HAVE_DILITHIUM static EVP_PKEY * ngx_ssl_load_certificate_key(ngx_pool_t *pool, char **err, ngx_str_t *key, ngx_array_t *passwords) @@ -109,7 +109,7 @@ diff -ur nginx-1.21.4/src/event/ngx_event_openssl.c nginx-1.21.4-pq/src/event/ng +#endif -+#ifndef HAVE_LIBOQS ++#ifndef HAVE_DILITHIUM static int ngx_ssl_password_callback(char *buf, int size, int rwflag, void *userdata) {