openssl_quantum: init at 3.3.2 #364167
base: master
Conversation
Force-pushed from b4714ab to 2adb593.
This pull request has been mentioned on NixOS Discourse. There might be relevant details there: https://discourse.nixos.org/t/prs-ready-for-review/3032/5043
@thillux @ulrikstrid Could you please take a look?
I'm a bit low on bandwidth currently, I can try to find some time next week for a review. Ideally we should have a better way to load providers and engines so that we don't have to create custom packages when we want to add more providers.
No worries, whenever you're free!
I'm not sure how this would be possible? The best thing I can think of is an "empty" default openssl package, for example named openssl_with_providers without any providers that it's possible to override later.
I'll probably have time again to look at this starting next week. Is there any upcoming user of this in nixpkgs? Are there any other OpenSSL providers besides TPM 2.0, esdm and oqs we can build/test this with? I'm also not really happy with introducing a default package for every provider combination. Nevertheless, using providers should be made easier 👍.
We probably should update master/unstable to OpenSSL 3.4.0 on the go, as this adds more CLI options for testing key encapsulation schemes.
I'm not aware of any people in particular, but given that oqs-provider and liboqs were added recently, it does seem like there's at least some people who would find this useful.
Me neither :( unfortunately I don't know if there's a better way; Nix forces us to declare everything about the package, right?
Do you mean that should happen in this PR?
Ideally we should have a
No, I opened #372733 for this.
Force-pushed from 2adb593 to ec0ac17.
Force-pushed from ec0ac17 to d53b472.
Force-pushed from e5751e2 to 9d2c973.
Sorry, the PR accidentally closed after I force pushed the wrong commit!
Ah, I didn't realize that the problem was the extra provider package instead of the override being available on the normal openssl package. I've changed the code to match this suggestion, so now anyone can add their own providers with
Force-pushed from 9d2c973 to 97057b4.
Added the ability to allow for providers with openssl. Added openssl_quantum using oqs-provider.
Force-pushed from 97057b4 to 10858f4.
Added openssl_quantum using oqs-provider. Adapted from my own repository. This is still standard openssl but with the added ability to make quantum safe connections.
Post quantum cryptography is becoming more important as quantum computers become more powerful, so now that liboqs and oqs-provider are in nixpkgs, I thought I would add them to openssl as well. Maybe eventually this can even become the default openssl.
This package is the same as openssl_3_3 but with a modified configuration that points to oqs-provider so that openssl knows where to look. It also loads providers by default, so they are always active.
PQ functionality can be tested with
openssl list -providers
openssl list -kem-algorithms
openssl list -signature-algorithms
Resources
https://github.com/openssl/openssl/blob/master/README-PROVIDERS.md - About providers
https://github.com/open-quantum-safe/oqs-provider
https://www.nist.gov/cybersecurity/what-post-quantum-cryptography - Why post quantum cryptography is important now
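The provider configuration the description refers to ("a modified configuration that points to oqs-provider" that "loads providers by default"), written out as an added example; this is not the PR's Nix code, just the plain OpenSSL 3.x mechanism it wraps. The script writes an openssl.cnf that activates the default provider and oqs-provider, and defines a check that reads `openssl list -providers` output and succeeds only if every expected provider is reported with `status: active`, so a build where the module path is wrong or the provider silently failed to load is caught rather than assumed. The module path and the sample listing are constructed placeholders.

```shell
#!/bin/sh
# Added example (not code from the PR): an OpenSSL 3.x provider config that
# activates both the default provider and oqs-provider, plus a check that the
# provider listing really reports both as active.
set -eu

# Placeholder path to the oqs-provider module (assumption; adjust to the
# ossl-modules directory of the installed oqs-provider package).
OQS_MODULE="${OQS_MODULE:-/path/to/oqsprovider.so}"

# Write an openssl.cnf that loads the providers at startup, i.e. the
# "loads providers by default" behaviour described above. Prints its path.
write_provider_cnf() {
  dir=$(mktemp -d)
  cat >"$dir/openssl.cnf" <<EOF
openssl_conf = openssl_init

[openssl_init]
providers = provider_sect

[provider_sect]
default = default_sect
oqsprovider = oqsprovider_sect

[default_sect]
activate = 1

[oqsprovider_sect]
activate = 1
module = $OQS_MODULE
EOF
  printf '%s\n' "$dir/openssl.cnf"
}

# Read 'openssl list -providers' output on stdin; succeed only if every
# provider named in $1 (space separated) is listed with "status: active".
providers_active() {
  awk -v want="$1" '
    /^  [^ ]/      { cur = $1; next }                      # provider name line
    /^    status:/ { if ($2 == "active") active[cur] = 1 } # its status line
    END {
      n = split(want, w, " ")
      for (i = 1; i <= n; i++) if (!(w[i] in active)) exit 1
      exit 0
    }'
}

# Constructed sample of what a correctly configured build prints; the
# version strings are illustrative only.
SAMPLE_LISTING='Providers:
  default
    name: OpenSSL Default Provider
    version: 3.3.2
    status: active
  oqsprovider
    name: OpenSSL OQS Provider
    version: 0.6.1
    status: active'

# Stand-alone run: use the real openssl when it and the module are present,
# otherwise exercise the check against the constructed sample.
main() {
  cnf=$(write_provider_cnf)
  if command -v openssl >/dev/null 2>&1 && [ -f "$OQS_MODULE" ]; then
    OPENSSL_CONF="$cnf" openssl list -providers | providers_active "default oqsprovider" \
      && echo "oqsprovider is active" || echo "oqsprovider missing or inactive"
  else
    printf '%s\n' "$SAMPLE_LISTING" | providers_active "default oqsprovider" \
      && echo "sample listing: both providers active"
  fi
  rm -rf "$(dirname "$cnf")"
}
main
```

With a real build, `OPENSSL_CONF=<path> openssl list -kem-algorithms` after this check is the point where the post-quantum KEMs from oqs-provider should appear; if `providers_active` fails first, the listing commands in the description would only show the default provider's algorithms.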