install-prereqs-ubuntu.sh

#!/bin/bash
set -ex

# Make sure to have a recent version of openssl installed by default. For example by having an up to date os version.

sudo apt update
sudo apt install -y git \
               build-essential \
               autoconf \
               automake \
               libtool \
               ninja-build \
               libssl-dev \
               libpcre3-dev \
               wget

NGINX_VERSION=1.26.1
CMAKE_VERSION=3.30
CMAKE_BUILD=0

mkdir -p tmp
cd tmp
ROOT=$(pwd)
OPENSSL_INSTALL=${ROOT}/.local

# Fetch all the files we need
wget https://cmake.org/files/v${CMAKE_VERSION}/cmake-${CMAKE_VERSION}.${CMAKE_BUILD}-linux-x86_64.sh
git clone --no-checkout --single-branch --branch master https://github.com/openssl/openssl.git
(cd openssl && git checkout 2a45839778955ffcab01918f10544d46e42f9a5b)
git clone --no-checkout --single-branch --branch main https://github.com/open-quantum-safe/liboqs.git
(cd liboqs && git checkout d2089c5017fc45f4dce2f6516b3e9ad337946600)
git clone --no-checkout --single-branch --branch main https://github.com/open-quantum-safe/oqs-provider.git
(cd oqs-provider && git checkout 8f37521d5e27ab4d1e0d69a4b4a5bd17927b24b9)
wget nginx.org/download/nginx-${NGINX_VERSION}.tar.gz && tar -zxvf nginx-${NGINX_VERSION}.tar.gz

# Install the latest CMake
mkdir cmake
sh cmake-${CMAKE_VERSION}.${CMAKE_BUILD}-linux-x86_64.sh --skip-license --prefix=${ROOT}/cmake



# Build OpenSSL so 'libcrypto.so' is avaiable for the build of liboqs. With Ubuntu 22.04 not longer needed.
(
    cd openssl
    # adds a runtime path to the executable, so it can find the libcrypto.so
    LDFLAGS="-Wl,-rpath -Wl,${OPENSSL_INSTALL}/lib64" ./Configure --prefix=${OPENSSL_INSTALL} --openssldir=${OPENSSL_INSTALL}/ssl
    # Commented out are the commands from https://github.com/open-quantum-safe/oqs-provider/blob/main/scripts/fullbuild.sh
    # export OSSL_PREFIX=`pwd`/.local
    # LDFLAGS="-Wl,-rpath -Wl,${OSSL_PREFIX}/lib64" ./config --prefix=$OSSL_PREFIX

    make && make install_sw install_ssldirs

    # NOTE maybe create a softlink if issue arises, something like
    # ln -s lib64 lib
)

# build liboqs
(
    cd liboqs
    # It needs the libcrypto library, either in .a or .so format, in 'openssl' it is .so and in 'openssl-source' it is .a
    # -- Found OpenSSL: /absolute-path-to/tmp/openssl/lib64/libcrypto.so (found suitable version "3.0.2", minimum required is "1.1.1")
    # NOTE here also the enabled algorithms could be specified
    cmake -GNinja -DOPENSSL_ROOT_DIR=${OPENSSL_INSTALL} -DCMAKE_INSTALL_PREFIX=${OPENSSL_INSTALL} -S . -B build
    cd build
    ninja && ninja install
)

(
    cd oqs-provider
    liboqs_DIR=${OPENSSL_INSTALL} cmake -DOPENSSL_ROOT_DIR=${OPENSSL_INSTALL} -S . -B build && cmake --build build
    # next command does not work, but is not needed maybe cuz we just copy the library???
    # maybe use --install-prefix for next command
    # cmake --install build --prefix ${ROOT}/oqs-provider/install
    cp build/lib/oqsprovider.so ${OPENSSL_INSTALL}/lib64/ossl-modules/
)

# NOTE the thing with the groups seems to be, cuz there was a limit in earlier versions
# export DEFAULT_GROUPS=x25519:x448:kyber512:p256_kyber512:kyber768:p384_kyber768:kyber1024:p521_kyber1024:frodo976aes:hqc128:hqc192:hqc256:bikel1:bikel3:bikel5:p256_bikel1:p256_hqc128
sed -i "s/default = default_sect/default = default_sect\noqsprovider = oqsprovider_sect/g" ${OPENSSL_INSTALL}/ssl/openssl.cnf
sed -i "s/\[default_sect\]/\[default_sect\]\nactivate = 1\n\[oqsprovider_sect\]\nactivate = 1\n/g" ${OPENSSL_INSTALL}/ssl/openssl.cnf
# sed -i "s/providers = provider_sect/providers = provider_sect\nssl_conf = ssl_sect\n\n\[ssl_sect\]\nsystem_default = system_default_sect\n\n\[system_default_sect\]\nGroups = \$ENV\:\:DEFAULT_GROUPS\n/g" ${OPENSSL_INSTALL}/ssl/openssl.cnf 
# sed -i "s/HOME\t\t\t= ./HOME\t\t= .\nDEFAULT_GROUPS\t= ${DEFAULT_GROUPS}/g" ${OPENSSL_INSTALL}/ssl/openssl.cnf

${OPENSSL_INSTALL}/bin/openssl version -d 

if [[ $(${OPENSSL_INSTALL}/bin/openssl version -d) != *"${OPENSSL_INSTALL}/ssl"* ]]; then
  echo "The output of 'openssl version -d' does not include the string ${OPENSSL_INSTALL}/ssl"
  exit 1
fi
if [[ $(${OPENSSL_INSTALL}/bin/openssl list -providers) != *"OpenSSL OQS Provider"* ]]; then
  echo "The output of 'openssl list -providers' does not include the string 'OpenSSL OQS Provider'"
  exit 1
fi
echo "Openssl seems to be installed correctly"

echo "EXITING EARLY"
exit 0
# TODO amend the rest of the script to above

# for nginx build
export OPENSSL_CONF=${OPENSSL_INSTALL}/ssl/openssl.cnf

# build nginx (which builds OQS-OpenSSL)
# NOTE openssl gets built a second time here, maybe this can be avoided
(
    cd nginx-${NGINX_VERSION}
    # NOTE why --without-http_gzip_module
    ./configure --prefix=${ROOT}/nginx \
                    --with-debug \
                    --with-http_v2_module \
                    --with-http_v3_module \
                    --without-http_gzip_module \
                    --with-http_ssl_module \
                    --with-openssl=${ROOT}/openssl \
                    --with-cc-opt="-I ${OPENSSL_INSTALL}/include" \
                    --with-ld-opt="-L ${OPENSSL_INSTALL}/lib64"
    # sed -i 's/libcrypto.a/libcrypto.a -loqs/g' objs/Makefile;
    # NOTE why change this?
    sed -i 's/EVP_MD_CTX_create/EVP_MD_CTX_new/g; s/EVP_MD_CTX_destroy/EVP_MD_CTX_free/g' src/event/ngx_event_openssl.c
    make && make install
)