Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

openssl_quantum: init at 3.3.2 #364167

Open
wants to merge 1 commit into
base: master
Choose a base branch
from

Conversation

siddharth-narayan
Copy link
Contributor

@siddharth-narayan siddharth-narayan commented Dec 11, 2024

Added openssl_quantum using oqs-provider. Adapted from my own repository. This is still standard openssl but with the added abililty to make quantum safe connections.

Post quantum cryptography is becoming more important as quantum computers become more powerful, so now that liboqs and oqs-provider are in nixpkgs, I thought I would add them to openssl as well. Maybe eventually this can even become the default openssl.

This package is the same as openssl_3_3 but with a modified configuration that points to oqs-provider so that openssl knows where to look. It also loads providers by default, so they are always active.

PQ functionality can be tested with

  • openssl list -providers
  • openssl list -kem-algorithms
  • openssl list -signature-algorithms

Resources

https://github.com/openssl/openssl/blob/master/README-PROVIDERS.md - About providers
https://github.com/open-quantum-safe/oqs-provider
https://www.nist.gov/cybersecurity/what-post-quantum-cryptography - Why post quantum cryptography is important now

Things done

  • Built on platform(s)
    • x86_64-linux
    • aarch64-linux
    • x86_64-darwin
    • aarch64-darwin
  • For non-Linux: Is sandboxing enabled in nix.conf? (See Nix manual)
    • sandbox = relaxed
    • sandbox = true
  • Tested, as applicable:
  • Tested compilation of all packages that depend on this change using nix-shell -p nixpkgs-review --run "nixpkgs-review rev HEAD". Note: all changes have to be committed, also see nixpkgs-review usage
  • Tested basic functionality of all binary files (usually in ./result/bin/)
  • 25.05 Release Notes (or backporting 24.11 and 25.05 Release notes)
    • (Package updates) Added a release notes entry if the change is major or breaking
    • (Module updates) Added a release notes entry if the change is significant
    • (Module addition) Added a release notes entry if adding a new NixOS module
  • Fits CONTRIBUTING.md.

Add a 👍 reaction to pull requests you find important.

@nixos-discourse
Copy link

This pull request has been mentioned on NixOS Discourse. There might be relevant details there:

https://discourse.nixos.org/t/prs-ready-for-review/3032/5043

@siddharth-narayan
Copy link
Contributor Author

@thillux @ulrikstrid Could you please take a look?

@ulrikstrid
Copy link
Member

@thillux @ulrikstrid Could you please take a look?

I'm a bit low on bandwidth currently, I can try to find some time next week for a review.

Ideally we should have a better way to load providers and engines so that we don't have to create custom packages when we want to add more providers.

@siddharth-narayan
Copy link
Contributor Author

siddharth-narayan commented Jan 5, 2025

No worries, whenever you're free!

Ideally we should have a better way to load providers and engines so that we don't have to create custom packages when we want to add more providers.

I'm not sure how this would be possible? The best thing I can think of is an "empty" default openssl package, for example named openssl_with_providers without any providers that it's possible to override later.

@thillux
Copy link
Contributor

thillux commented Jan 6, 2025

I'll probably have time again to look at this starting next week. Is there any upcoming user of this in nixpkgs? Are there any other OpenSSL providers besides TPM 2.0, esdm and oqs we can build/test this with?

I'm also not really happy with introducing a default package for every provider combination. Nevertheless, using providers should be made easier 👍.

@thillux
Copy link
Contributor

thillux commented Jan 6, 2025

We probably should update master/unstable to OpenSSL 3.4.0 on the go, as this adds more CLI options for testing key encapsulation schemes.

@siddharth-narayan
Copy link
Contributor Author

Is there any upcoming user of this in nixpkgs?

I'm not aware of any people in particular, but given that oqs-provider and liboqs were added recently, it does seem like there's at least some people who would find this useful.

Are there any other OpenSSL providers besides TPM 2.0, esdm and oqs we can build/test this with?

with-providers should work with any providers, although I don't know of any others

I'm also not really happy with introducing a default package for every provider combination.

Me neither :( unfortunately I don't know if there's a better way; Nix forces us to declare everything about the package, right?

We probably should update master/unstable to OpenSSL 3.4.0 on the go

Do you mean that should happen in this PR?

@ulrikstrid
Copy link
Member

I'm also not really happy with introducing a default package for every provider combination.

Ideally we should have a providers or something that we can pass a list of providers to add. openssl.override { providers = [ ... ]

@thillux
Copy link
Contributor

thillux commented Jan 10, 2025

We probably should update master/unstable to OpenSSL 3.4.0 on the go

Do you mean that should happen in this PR?

No, I opened #372733 for this.

@siddharth-narayan
Copy link
Contributor Author

Sorry, the PR accidentally closed after I force pushed the wrong commit!

I'm also not really happy with introducing a default package for every provider combination.

Ideally we should have a providers or something that we can pass a list of providers to add. openssl.override { providers = [ ... ]

Ah, I didn't realize that the problem was the extra provider package instead of the override being available on the normal openssl package. I've changed the code to match this suggestion, so now anyone can add their own providers with openssl.override

Addded the ability to allow for providers with openssl. Added openssl_quantum using oqs-provider.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
Development

Successfully merging this pull request may close these issues.

5 participants