#!/bin/bash
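# Stop at the first failing command (-e), at any use of an unset variable (-u)
# and at a failure in any stage of a pipeline (pipefail). -x echoes every
# command, so the log shows which build step broke.
set -euxo pipefail

# Make sure to have a recent version of openssl installed by default, for
# example by running an up-to-date OS release.
# apt-get is used instead of apt: apt warns that its command-line interface is
# not stable enough for use in scripts.
sudo apt-get update
sudo apt-get install -y \
  git \
  build-essential \
  autoconf \
  automake \
  libtool \
  ninja-build \
  libssl-dev \
  libpcre3-dev \
  wget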
# Everything is downloaded, built and installed below ./tmp, relative to the
# directory the script is started from.
mkdir -p tmp
cd tmp
ROOT="$(pwd)"

# Pinned release numbers. CMAKE_VERSION is the major.minor part (also the
# directory name on cmake.org), CMAKE_BUILD the patch level appended to it.
NGINX_VERSION=1.26.1
CMAKE_VERSION=3.30
CMAKE_BUILD=0

# Private install prefixes; nothing is written outside ${ROOT}.
INSTALL_DIR="${ROOT}/.local"
OPENSSL_INSTALL="${INSTALL_DIR}/openssl"
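# Fetch all the files we need.
#
# Everything fetched here is later compiled or executed on this machine, so
# each download uses an explicit https:// URL and, where the script names one,
# a fixed release tag.

# CMake: binary installer plus the SHA-256 list published next to it.
cmake_installer="cmake-${CMAKE_VERSION}.${CMAKE_BUILD}-linux-x86_64.sh"
cmake_checksums="cmake-${CMAKE_VERSION}.${CMAKE_BUILD}-SHA-256.txt"
wget "https://cmake.org/files/v${CMAKE_VERSION}/${cmake_installer}"
wget "https://cmake.org/files/v${CMAKE_VERSION}/${cmake_checksums}"
# The installer is run with sh further down, so stop here unless it matches the
# published digest. An empty grep result makes sha256sum fail as well. This
# catches a truncated or corrupted download; the list comes from the same
# server, so it does not protect against a compromised origin (checking the
# detached signature of the checksum list would).
grep -F -- "${cmake_installer}" "${cmake_checksums}" | sha256sum -c -

# git clone --no-checkout --single-branch --branch openssl-3.4 https://github.com/openssl/openssl.git
# (cd openssl && git switch --detach tags/openssl-3.4.0)
git clone --no-checkout --single-branch --branch openssl-3.3.0+quic https://github.com/quictls/openssl.git quictls/openssl
git -C quictls/openssl switch --detach openssl-3.3.0+quic

# NOTE(review): quiche is the only source tree that is not pinned to a tag or
# commit. The build uses whatever the default branch (and its submodules) point
# to at clone time, so it is neither reproducible nor reviewable after the
# fact. Pin it to a reviewed release tag or commit id.
git clone --recursive https://github.com/cloudflare/quiche

git clone --no-checkout --single-branch --branch 0.10.1-release https://github.com/open-quantum-safe/liboqs.git
git -C liboqs switch --detach tags/0.10.1

git clone --no-checkout --single-branch --branch main https://github.com/open-quantum-safe/oqs-provider.git
git -C oqs-provider switch --detach tags/0.6.1
# Tags can be moved upstream; record `git rev-parse HEAD` of each checkout if
# the benchmark results must be traceable to exact sources.

# Explicit https:// scheme: without one, wget defaults to plain HTTP.
# Download and unpack are separate statements on purpose: under 'set -e' a
# failing left-hand side of '&&' does not abort the script.
# NOTE(review): the tarball is not verified; nginx.org publishes a detached
# PGP signature (.asc) next to each release that could be checked here.
wget "https://nginx.org/download/nginx-${NGINX_VERSION}.tar.gz"
tar -zxvf "nginx-${NGINX_VERSION}.tar.gz"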
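# Install the pinned CMake release into its own prefix. The download is a
# self-extracting shell installer: --skip-license accepts the licence without
# prompting, --prefix selects the target directory.
# Paths are quoted so a checkout directory containing spaces or glob
# characters is passed through as a single argument.
mkdir -p "${INSTALL_DIR}/cmake"
sh "cmake-${CMAKE_VERSION}.${CMAKE_BUILD}-linux-x86_64.sh" \
  --skip-license \
  --prefix="${INSTALL_DIR}/cmake"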
# # Patch openssl to have a large CRYPTO_RECV_BUF
# patch ${ROOT}/openssl/ssl/quic/quic_channel.c < ${ROOT}/../patches/openssl/quic_channel.c.patch
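# Build OpenSSL (the quictls checkout) so 'libcrypto.so' is available for the
# build of liboqs. With Ubuntu 22.04 this is no longer needed.
# The subshell keeps the 'cd' local to this build step.
(
  cd quictls/openssl
  # Adds a runtime path to the executable, so it can find the libcrypto.so of
  # this prefix. --openssldir places openssl.cnf under the same prefix, so the
  # provider configuration edited later in this script only affects this
  # private build.
  LDFLAGS="-Wl,-rpath -Wl,${OPENSSL_INSTALL}/lib64" ./Configure \
    --prefix="${OPENSSL_INSTALL}" \
    --openssldir="${OPENSSL_INSTALL}/ssl"
  # Commented out are the commands from https://github.com/open-quantum-safe/oqs-provider/blob/main/scripts/fullbuild.sh
  # export OSSL_PREFIX=`pwd`/.local
  # LDFLAGS="-Wl,-rpath -Wl,${OSSL_PREFIX}/lib64" ./config --prefix=$OSSL_PREFIX
  # Separate statements: each one aborts the script on failure under 'set -e'.
  make
  make install_sw install_ssldirs
  # NOTE maybe create a softlink if issue arises, something like
  # ln -s lib64 lib
)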
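# Build liboqs with the private CMake and install it to ${INSTALL_DIR}/liboqs.
(
  cd liboqs
  # It needs the libcrypto library, either in .a or .so format, in 'openssl' it is .so and in 'openssl-source' it is .a
  # Expected configure output, which shows which OpenSSL was picked up:
  # -- Found OpenSSL: /absolute-path-to/tmp/openssl/lib64/libcrypto.so (found suitable version "3.0.2", minimum required is "1.1.1")
  # If that line points at a system path instead of ${OPENSSL_INSTALL}, the
  # library was linked against the distribution's OpenSSL.
  # NOTE here the enabled algorithms could be specified
  "${INSTALL_DIR}/cmake/bin/cmake" -GNinja \
    -DOPENSSL_ROOT_DIR="${OPENSSL_INSTALL}" \
    -DCMAKE_INSTALL_PREFIX="${INSTALL_DIR}/liboqs" \
    -S . -B build
  cd build
  # Separate statements: each one aborts the script on failure under 'set -e'.
  ninja
  ninja install
)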
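# Build the OQS provider against the private OpenSSL and liboqs, then copy the
# resulting module into that OpenSSL's provider directory.
(
  cd oqs-provider
  # Configure and build are separate statements: chained with '&&', a failed
  # configure would not abort under 'set -e' and would only surface later as a
  # missing oqsprovider.so at the cp below.
  liboqs_DIR="${INSTALL_DIR}/liboqs" "${INSTALL_DIR}/cmake/bin/cmake" \
    -DOPENSSL_ROOT_DIR="${OPENSSL_INSTALL}" \
    -S . -B build
  "${INSTALL_DIR}/cmake/bin/cmake" --build build
  # next command does not work, but is maybe not needed because we just copy the library
  # maybe use --install-prefix for next command
  # cmake --install build --prefix ${ROOT}/oqs-provider/install
  cp build/lib/oqsprovider.so "${OPENSSL_INSTALL}/lib64/ossl-modules/"
  # can also be installed to system; note that this makes the provider loadable
  # by every program using the system OpenSSL, not just this benchmark setup
  # sudo cp ${ROOT}/oqs-provider/build/lib/oqsprovider.so /lib/x86_64-linux-gnu/ossl-modules
)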
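# Register and activate the OQS provider next to the default provider in the
# openssl.cnf of the private build. The file lives under ${OPENSSL_INSTALL},
# so the system-wide OpenSSL configuration is not touched.
# The '\n' in the replacement relies on GNU sed. The edits are not idempotent:
# applying them twice to the same file duplicates the added lines.
openssl_cnf="${OPENSSL_INSTALL}/ssl/openssl.cnf"
sed -i "s/default = default_sect/default = default_sect\noqsprovider = oqsprovider_sect/g" "${openssl_cnf}"
sed -i "s/\[default_sect\]/\[default_sect\]\nactivate = 1\n\[oqsprovider_sect\]\nactivate = 1\n/g" "${openssl_cnf}"

# Sanity check 1: the freshly built binary must use the config directory of
# this prefix. The output is captured once, shown, then inspected.
openssl_dir_info="$("${OPENSSL_INSTALL}/bin/openssl" version -d)"
printf '%s\n' "${openssl_dir_info}"
if [[ "${openssl_dir_info}" != *"${OPENSSL_INSTALL}/ssl"* ]]; then
  echo "The output of 'openssl version -d' does not include the string ${OPENSSL_INSTALL}/ssl" >&2
  exit 1
fi

# Sanity check 2: the provider must actually load. sed exits 0 even when its
# pattern matched nothing, so this is the check that catches a config edit
# that silently did not apply. The command stays inside the test so that a
# failing openssl still ends in the explanatory message below.
if [[ "$("${OPENSSL_INSTALL}/bin/openssl" list -providers)" != *"OpenSSL OQS Provider"* ]]; then
  echo "The output of 'openssl list -providers' does not include the string 'OpenSSL OQS Provider'" >&2
  exit 1
fi
echo "Openssl seems to be installed correctly"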
# Build quiche with its 'openssl' feature against the private OpenSSL.
# cargo must already be on PATH: the package list at the top of this script
# does not install a Rust toolchain.
(
  cd quiche
  # Point pkg-config at the .pc files of the custom OpenSSL so the build picks
  # up its headers and libraries. The export stays inside this subshell.
  export PKG_CONFIG_PATH="${OPENSSL_INSTALL}/lib64/pkgconfig"
  cargo build --features=openssl
  # Open question: how to find out if openssl is used or boringssl?
  # NOTE(review): inspecting the dynamic dependencies of the built library
  # (ldd on the artifact under target/debug, looking for libssl/libcrypto from
  # ${OPENSSL_INSTALL}) should answer this. TODO confirm the artifact name.
)
# # for nginx build
# # export OPENSSL_CONF=${OPENSSL_INSTALL}/ssl/openssl.cnf
# # apply patches to nginx source
# patch ${ROOT}/nginx-${NGINX_VERSION}/src/event/quic/ngx_event_quic_openssl_compat.c < ${ROOT}/../patches/nginx-${NGINX_VERSION}-patches/ngx_event_quic_openssl_compat.c.diff
# # build nginx with dynamically linked custom openssl
# # NOTE it may be that the first time nginx is built it is not linked correctly to the custom openssl, but just do it again, it should work
# (
# cd nginx-${NGINX_VERSION}
# # NOTE why --without-http_gzip_module
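# # -rpath with --enable-new-dtags makes the linker emit RUNPATH instead of RPATH. The loader searches RPATH first, then LD_LIBRARY_PATH, then RUNPATH, so with RUNPATH an LD_LIBRARY_PATH set in nginx's environment takes precedence over the custom openssl path.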
# # export LD_LIBRARY_PATH=${OPENSSL_INSTALL}/lib64:${LD_LIBRARY_PATH}
# ./configure --prefix=${INSTALL_DIR}/nginx \
# --with-debug \
# --with-http_v2_module \
# --with-http_v3_module \
# --without-http_gzip_module \
# --with-http_ssl_module \
# --with-ld-opt="-Wl,--enable-new-dtags,-rpath,${OPENSSL_INSTALL}/lib64"
# # The --with-openssl builds openssl again, but we just want to link against it
# # --with-openssl=${ROOT}/openssl \
# # --with-cc-opt="-I ${OPENSSL_INSTALL}/include/openssl" \
# # --with-ld-opt="-L ${OPENSSL_INSTALL}/lib64"
# # sed -i 's/libcrypto.a/libcrypto.a -loqs/g' objs/Makefile;
# # NOTE why change this?
# # sed -i 's/EVP_MD_CTX_create/EVP_MD_CTX_new/g; s/EVP_MD_CTX_destroy/EVP_MD_CTX_free/g' src/event/ngx_event_openssl.c
# make && make install
# )
# # NOTE check with nginx -V and ldd if the openssl is linked correctly
# # it should show the path to the custom openssl
# # This only shows the correct path (if RUNPATH is not used), if the LD_LIBRARY_PATH env var is set correctly
# ${INSTALL_DIR}/nginx/sbin/nginx -V
# ldd ${INSTALL_DIR}/nginx/sbin/nginx
# readelf -d ${INSTALL_DIR}/nginx/sbin/nginx | grep 'R.*PATH'
# echo "You should see that nginx is linked against the custom openssl in tmp/.local/openssl"