Update to PQ instructions.
parent
05c72fc757
commit
cf426ca8cd
10
README.md
10
README.md
|
@ -116,14 +116,14 @@ Testing is only supported on Linux with bash.
|
||||||
|
|
||||||
## Post-Quantum Algorithms
|
## Post-Quantum Algorithms
|
||||||
|
|
||||||
Starting with wolfSSL version 5.1.0 and nginx version 1.21.4, You can now enable the integration of liboqs in wolfSSL thus enabling post-quantum algorithms for your HTTPS connections over TLS 1.3.
|
You can now enable the use of post-quantum algorithms for your HTTPS connections over TLS 1.3.
|
||||||
|
|
||||||
First, you will need to build the OpenQuantumSafe group's liboqs and their fork of OpenSSL to generate the certificate chain that uses the post-quantum FALCON signature scheme. Instructions for that are in wolfSSL git repository's INSTALL file. Note that when you generate your certificates, you will need to add your IP address as a subject alternative name. See here for more details: https://www.openssl.org/docs/manmaster/man5/x509v3_config.html
|
First, you will need to build the OpenQuantumSafe group's liboqs and their fork of OpenSSL to generate the certificate chain that uses ML-DSA signature scheme. Alternatively, for your convenience, we have already generated some test certificates and they can be found in the wolfSSL OSP repo in the oqs directory.
|
||||||
|
|
||||||
When building wolfSSL, you will need to add a couple extra flags:
|
When building wolfSSL, you will need to add a couple extra flags:
|
||||||
|
|
||||||
```
|
```
|
||||||
./configure --prefix=/usr/local --enable-nginx --with-liboqs
|
./configure --prefix=/usr/local --enable-nginx --enable-kyber --enable-dilithium
|
||||||
make all
|
make all
|
||||||
make check
|
make check
|
||||||
sudo make install
|
sudo make install
|
||||||
|
@ -138,8 +138,8 @@ Now that all the software is built and installed, you will need to add a section
|
||||||
listen 443 ssl;
|
listen 443 ssl;
|
||||||
server_name localhost;
|
server_name localhost;
|
||||||
|
|
||||||
ssl_certificate /path/to/falcon_level5_entity_cert.pem;
|
ssl_certificate /path/to/osp/oqs/mldsa87_entity_cert.pem
|
||||||
ssl_certificate_key /path/to/falcon_level5_entity_key.pem;
|
ssl_certificate_key /path/to/osp/oqs/mldsa87_entity_key.pem
|
||||||
|
|
||||||
ssl_session_cache shared:SSL:1m;
|
ssl_session_cache shared:SSL:1m;
|
||||||
ssl_session_timeout 5m;
|
ssl_session_timeout 5m;
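Review bot: The two rewritten nginx directives `ssl_certificate /path/to/osp/oqs/mldsa87_entity_cert.pem` and `ssl_certificate_key /path/to/osp/oqs/mldsa87_entity_key.pem` drop the trailing `;` that the lines they replace carried, so nginx will refuse to load the example configuration as written; both lines need the semicolon restored. Because the text now points readers at pre-generated keys checked into a public repository, the same paragraph should state that those keys are public and only suitable for a throwaway local test, and that real deployments must generate their own chain (with the host name or IP in subjectAltName, as the removed sentence used to say). A one-line addition such as `Note: the test keys in the OSP oqs directory are public; never use them outside a local test setup.` after the sentence about the OSP repo would cover it.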
@ -5,8 +5,8 @@ diff -ur nginx-1.21.4/src/event/ngx_event_openssl.c nginx-1.21.4-pq/src/event/ng
|
||||||
|
|
||||||
static X509 *ngx_ssl_load_certificate(ngx_pool_t *pool, char **err,
|
static X509 *ngx_ssl_load_certificate(ngx_pool_t *pool, char **err,
|
||||||
ngx_str_t *cert, STACK_OF(X509) **chain);
|
ngx_str_t *cert, STACK_OF(X509) **chain);
|
||||||
+ifndef HAVE_LIBOQS
|
+#ifndef HAVE_DILITHIUM
|
||||||
+/* In the case that HAVE_LIBOQS is defined, these functions are unused as we
|
+/* In the case that HAVE_DILITHIUM is defined, these functions are unused as we
|
||||||
+ * call SSL_CTX_use_PrivateKey_file() instead. */
|
+ * call SSL_CTX_use_PrivateKey_file() instead. */
|
||||||
static EVP_PKEY *ngx_ssl_load_certificate_key(ngx_pool_t *pool, char **err,
|
static EVP_PKEY *ngx_ssl_load_certificate_key(ngx_pool_t *pool, char **err,
|
||||||
ngx_str_t *key, ngx_array_t *passwords);
|
ngx_str_t *key, ngx_array_t *passwords);
|
||||||
|
@ -20,7 +20,7 @@ diff -ur nginx-1.21.4/src/event/ngx_event_openssl.c nginx-1.21.4-pq/src/event/ng
|
||||||
{
|
{
|
||||||
char *err;
|
char *err;
|
||||||
X509 *x509;
|
X509 *x509;
|
||||||
+#ifndef HAVE_LIBOQS
|
+#ifndef HAVE_DILITHIUM
|
||||||
EVP_PKEY *pkey;
|
EVP_PKEY *pkey;
|
||||||
+#endif
|
+#endif
|
||||||
STACK_OF(X509) *chain;
|
STACK_OF(X509) *chain;
|
||||||
|
@ -30,7 +30,7 @@ diff -ur nginx-1.21.4/src/event/ngx_event_openssl.c nginx-1.21.4-pq/src/event/ng
|
||||||
}
|
}
|
||||||
#endif
|
#endif
|
||||||
|
|
||||||
+#ifdef HAVE_LIBOQS
|
+#ifdef HAVE_DILITHIUM
|
||||||
+ if (ngx_get_full_name(cf->pool, (ngx_str_t *) &ngx_cycle->conf_prefix,
|
+ if (ngx_get_full_name(cf->pool, (ngx_str_t *) &ngx_cycle->conf_prefix,
|
||||||
+ key) != NGX_OK) {
|
+ key) != NGX_OK) {
|
||||||
+ return NGX_OK;
|
+ return NGX_OK;
|
||||||
|
@ -59,7 +59,7 @@ diff -ur nginx-1.21.4/src/event/ngx_event_openssl.c nginx-1.21.4-pq/src/event/ng
|
||||||
{
|
{
|
||||||
char *err;
|
char *err;
|
||||||
X509 *x509;
|
X509 *x509;
|
||||||
+#ifndef HAVE_LIBOQS
|
+#ifndef HAVE_DILITHIUM
|
||||||
EVP_PKEY *pkey;
|
EVP_PKEY *pkey;
|
||||||
+#endif
|
+#endif
|
||||||
STACK_OF(X509) *chain;
|
STACK_OF(X509) *chain;
|
||||||
|
@ -69,7 +69,7 @@ diff -ur nginx-1.21.4/src/event/ngx_event_openssl.c nginx-1.21.4-pq/src/event/ng
|
||||||
|
|
||||||
#endif
|
#endif
|
||||||
|
|
||||||
+#ifdef HAVE_LIBOQS
|
+#ifdef HAVE_DILITHIUM
|
||||||
+ if (ngx_get_full_name(pool, (ngx_str_t *) &ngx_cycle->conf_prefix,
|
+ if (ngx_get_full_name(pool, (ngx_str_t *) &ngx_cycle->conf_prefix,
|
||||||
+ key) != NGX_OK) {
|
+ key) != NGX_OK) {
|
||||||
+ return NGX_OK;
|
+ return NGX_OK;
|
||||||
|
@ -98,7 +98,7 @@ diff -ur nginx-1.21.4/src/event/ngx_event_openssl.c nginx-1.21.4-pq/src/event/ng
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
||||||
+#ifndef HAVE_LIBOQS
|
+#ifndef HAVE_DILITHIUM
|
||||||
static EVP_PKEY *
|
static EVP_PKEY *
|
||||||
ngx_ssl_load_certificate_key(ngx_pool_t *pool, char **err,
|
ngx_ssl_load_certificate_key(ngx_pool_t *pool, char **err,
|
||||||
ngx_str_t *key, ngx_array_t *passwords)
|
ngx_str_t *key, ngx_array_t *passwords)
|
||||||
|
@ -109,7 +109,7 @@ diff -ur nginx-1.21.4/src/event/ngx_event_openssl.c nginx-1.21.4-pq/src/event/ng
|
||||||
+#endif
|
+#endif
|
||||||
|
|
||||||
|
|
||||||
+#ifndef HAVE_LIBOQS
|
+#ifndef HAVE_DILITHIUM
|
||||||
static int
|
static int
|
||||||
ngx_ssl_password_callback(char *buf, int size, int rwflag, void *userdata)
|
ngx_ssl_password_callback(char *buf, int size, int rwflag, void *userdata)
|
||||||
{
|
{
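Review bot: On the `HAVE_DILITHIUM` path in the `@ -30,7` and `@ -69,7` hunks, the failure branch of `ngx_get_full_name(...) != NGX_OK` is followed by `return NGX_OK;`, so a key path that cannot be resolved is reported to the caller as success and, as far as the visible lines show, the SSL context is left with a certificate but no private key; the non-PQ path these hunks bypass (`ngx_ssl_load_certificate_key`, kept under `#ifndef HAVE_DILITHIUM`) treats the same failure as an error. Unless the lines after the hunk recover from it, both occurrences should read `return NGX_ERROR;`, ideally with the same `ngx_ssl_error` reporting the surrounding code uses for a failed key load. The enclosing functions begin and end outside the shown hunks, and this commit only renames `HAVE_LIBOQS` to `HAVE_DILITHIUM`, so the defect predates it. It is also worth confirming that `./configure --enable-dilithium` really defines `HAVE_DILITHIUM` in wolfSSL's options header, since nothing in the hunk establishes that and a mismatch would silently fall back to the non-PQ key loader.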