install-prereqs-ubuntu.sh

#!/bin/bash
set -ex

# Make sure you have a recent version of rust installed.
# Make sure to have a recent version of openssl installed by default. For example by having an up to date os version.

sudo apt update
sudo apt install -y git \
               build-essential \
               autoconf \
               automake \
               libtool \
               ninja-build \
               libssl-dev \
               libpcre3-dev \
               wget \
               pkg-config 

NGINX_VERSION=1.26.1
CMAKE_VERSION=3.30
CMAKE_BUILD=0

mkdir -p tmp
cd tmp
ROOT=$(pwd)
INSTALL_DIR=${ROOT}/.local
OPENSSL_INSTALL=${ROOT}/.local/openssl
QUICTLS_OPENSSL_INSTALL=${ROOT}/.local/quictls-openssl

# Fetch all the files we need
wget https://cmake.org/files/v${CMAKE_VERSION}/cmake-${CMAKE_VERSION}.${CMAKE_BUILD}-linux-x86_64.sh
# normal openssl
git clone --no-checkout --single-branch --branch openssl-3.4 https://github.com/openssl/openssl.git
(cd openssl && git switch --detach tags/openssl-3.4.0)
# openssl with boringssl quic interfaces
git clone --no-checkout --single-branch --branch openssl-3.1.7+quic https://github.com/quictls/openssl.git quictls-openssl
(cd quictls-openssl && git switch --detach openssl-3.1.7+quic)
git clone --recursive https://github.com/cloudflare/quiche
(cd quiche && git switch --detach tags/0.22.0)
git clone --no-checkout --single-branch --branch hqc-with-fixed-performance https://github.com/BartBBM/liboqs.git
(cd liboqs && git switch --detach hqc-with-fixed-performance) # this is 0.12.0
# git clone --no-checkout --single-branch --branch main https://github.com/open-quantum-safe/oqs-provider.git
git clone https://github.com/open-quantum-safe/oqs-provider.git
(cd oqs-provider && git switch --detach tags/0.8.0)
wget nginx.org/download/nginx-${NGINX_VERSION}.tar.gz && tar -zxvf nginx-${NGINX_VERSION}.tar.gz

# Install the latest CMake
mkdir -p ${INSTALL_DIR}/cmake
sh cmake-${CMAKE_VERSION}.${CMAKE_BUILD}-linux-x86_64.sh --skip-license --prefix=${INSTALL_DIR}/cmake


# Patch openssl to have a large CRYPTO_RECV_BUF
patch ${ROOT}/openssl/ssl/quic/quic_channel.c < ${ROOT}/../patches/openssl/quic_channel.c.patch

# Build OpenSSL so 'libcrypto.so' is avaiable for the build of liboqs. With Ubuntu 22.04 not longer needed.
(
    cd openssl
    # adds a runtime path to the executable, so it can find the libcrypto.so
    LDFLAGS="-Wl,-rpath -Wl,${OPENSSL_INSTALL}/lib64" ./Configure --prefix=${OPENSSL_INSTALL} --openssldir=${OPENSSL_INSTALL}/ssl
    # Commented out are the commands from https://github.com/open-quantum-safe/oqs-provider/blob/main/scripts/fullbuild.sh
    # export OSSL_PREFIX=`pwd`/.local
    # LDFLAGS="-Wl,-rpath -Wl,${OSSL_PREFIX}/lib64" ./config --prefix=$OSSL_PREFIX

    make && make install_sw install_ssldirs

    # NOTE maybe create a softlink if issue arises, something like
    # ln -s lib64 lib
)

(
    cd quictls-openssl
    LDFLAGS="-Wl,-rpath -Wl,${QUICTLS_OPENSSL_INSTALL}/lib64" ./Configure --prefix=${QUICTLS_OPENSSL_INSTALL} --openssldir=${QUICTLS_OPENSSL_INSTALL}/ssl
    make && make install_sw install_ssldirs
)

# build liboqs
(
    cd liboqs
    # It needs the libcrypto library, either in .a or .so format, in 'openssl' it is .so and in 'openssl-source' it is .a
    # -- Found OpenSSL: /absolute-path-to/tmp/openssl/lib64/libcrypto.so (found suitable version "3.0.2", minimum required is "1.1.1")
    # NOTE here the enabled algorithms could be specified
    ${INSTALL_DIR}/cmake/bin/cmake -GNinja -DOPENSSL_ROOT_DIR=${OPENSSL_INSTALL} -DCMAKE_INSTALL_PREFIX=${INSTALL_DIR}/liboqs -DOQS_DIST_BUILD=OFF -S . -B build
    cd build
    ninja && ninja install
)

(
    cd oqs-provider
    liboqs_DIR=${INSTALL_DIR}/liboqs ${INSTALL_DIR}/cmake/bin/cmake -DOPENSSL_ROOT_DIR=${OPENSSL_INSTALL} -S . -B build && ${INSTALL_DIR}/cmake/bin/cmake --build build
    cp build/lib/oqsprovider.so ${OPENSSL_INSTALL}/lib64/ossl-modules/
    cp build/lib/oqsprovider.so ${QUICTLS_OPENSSL_INSTALL}/lib64/ossl-modules/
    # can also be installed to system
    # sudo cp tmp/oqs-provider/build/lib/oqsprovider.so /lib/x86_64-linux-gnu/ossl-modules
)

sed -i "s/default = default_sect/default = default_sect\noqsprovider = oqsprovider_sect/g" ${OPENSSL_INSTALL}/ssl/openssl.cnf
sed -i "s/\[default_sect\]/\[default_sect\]\nactivate = 1\n\[oqsprovider_sect\]\nactivate = 1\n/g" ${OPENSSL_INSTALL}/ssl/openssl.cnf

sed -i "s/default = default_sect/default = default_sect\noqsprovider = oqsprovider_sect/g" ${QUICTLS_OPENSSL_INSTALL}/ssl/openssl.cnf
sed -i "s/\[default_sect\]/\[default_sect\]\nactivate = 1\n\[oqsprovider_sect\]\nactivate = 1\n/g" ${QUICTLS_OPENSSL_INSTALL}/ssl/openssl.cnf

${OPENSSL_INSTALL}/bin/openssl version -d 

if [[ $(${OPENSSL_INSTALL}/bin/openssl version -d) != *"${OPENSSL_INSTALL}/ssl"* ]]; then
  echo "The output of 'openssl version -d' does not include the string ${OPENSSL_INSTALL}/ssl"
  exit 1
fi
if [[ $(${OPENSSL_INSTALL}/bin/openssl list -providers) != *"OpenSSL OQS Provider"* ]]; then
  echo "The output of 'openssl list -providers' does not include the string 'OpenSSL OQS Provider'"
  exit 1
fi
echo "Openssl seems to be installed correctly"

(
    cd quiche
    patch ${ROOT}/quiche/quiche/src/lib.rs < ${ROOT}/../patches/cquiche/lib.rs.diff
    patch ${ROOT}/quiche/quiche/src/tls/mod.rs < ${ROOT}/../patches/cquiche/mod.rs.diff

    # give cargo the context of the custom openssl (the pkgconfig file), so that it can find the correct libs
    PKG_CONFIG_PATH=${QUICTLS_OPENSSL_INSTALL}/lib64/pkgconfig cargo build --features=openssl
)

# apply patches to nginx source
patch ${ROOT}/nginx-${NGINX_VERSION}/src/event/quic/ngx_event_quic_openssl_compat.c < ${ROOT}/../patches/nginx-${NGINX_VERSION}-patches/ngx_event_quic_openssl_compat.c.diff
patch ${ROOT}/nginx-${NGINX_VERSION}/src/event/quic/ngx_event_quic.c < ${ROOT}/../patches/nginx-${NGINX_VERSION}-patches/ngx_event_quic.c.diff

# build nginx with dynamically linked custom openssl
# NOTE it may be that the first time nginx is built it is not linked correctly to the custom openssl, but just do it again, it should work
(
    cd nginx-${NGINX_VERSION}
    # NOTE why --without-http_gzip_module
    # -rpath with --enable-new-dtags makes it use RUNPATH which is evaluated after LD_LIBRARY_PATH (which is evaluated after RPATH)
    # export LD_LIBRARY_PATH=${OPENSSL_INSTALL}/lib64:${LD_LIBRARY_PATH}
    ./configure --prefix=${INSTALL_DIR}/nginx \
                    --with-debug \
                    --with-http_v2_module \
                    --with-http_v3_module \
                    --without-http_gzip_module \
                    --with-http_ssl_module \
                    --with-ld-opt="-Wl,--enable-new-dtags,-rpath,${OPENSSL_INSTALL}/lib64"
                    # The --with-openssl builds openssl again, but we just want to link against it
                    # --with-openssl=${ROOT}/openssl \
                    # --with-cc-opt="-I ${OPENSSL_INSTALL}/include/openssl" \
                    # --with-ld-opt="-L ${OPENSSL_INSTALL}/lib64"
    make && make install
)

# NOTE check with nginx -V and ldd if the openssl is linked correctly
# it should show the path to the custom openssl
# If RUNPATH is not used, this only shows the correct path, if the LD_LIBRARY_PATH env var is set correctly
# ${INSTALL_DIR}/nginx/sbin/nginx -V
# ldd ${INSTALL_DIR}/nginx/sbin/nginx
if grep -q "tmp/.local/openssl/lib64/libssl.so" <(ldd ${INSTALL_DIR}/nginx/sbin/nginx); then
  echo "String 'tmp/.local/openssl/lib64/libssl.so' found in ldd output."
fi
# readelf -d ${INSTALL_DIR}/nginx/sbin/nginx | grep 'R.*PATH'
if grep -q "tmp/.local/openssl/lib64" <(readelf -d ${INSTALL_DIR}/nginx/sbin/nginx | grep 'R.*PATH'); then
  echo "String 'tmp/.local/openssl/lib64' found in readelf output."
fi

echo "Installation done"