upgrade curl and move to openssl3

curl/Dockerfile

@@ -1,7 +1,7 @@
 # Multi-stage build: First the full builder image:
 
 # define the Curl version to be baked in
-ARG CURL_VERSION=7.73.0
+ARG CURL_VERSION=7.87.0
 
 # Default location where all binaries wind up:
 ARG INSTALLDIR=/opt/oqssa
@@ -13,10 +13,10 @@ ARG LIBOQS_BUILD_DEFINES="-DOQS_DIST_BUILD=ON"
 ARG OPENSSL_BUILD_DEFINES="-DOQS_DEFAULT_GROUPS=p384_kyber768:X25519:kyber768"
 
 # Default root CA signature algorithm; can be set to any listed at https://github.com/open-quantum-safe/openssl#authentication
-ARG SIG_ALG="dilithium2"
+ARG SIG_ALG="dilithium3"
 
 # Define the degree of parallelism when building the image; leave the number away only if you know what you are doing
-ARG MAKE_DEFINES="-j 2"
+ARG MAKE_DEFINES="-j 4"
 
 
 FROM alpine:3.11 as intermediate
@@ -28,7 +28,7 @@ ARG OPENSSL_BUILD_DEFINES
 ARG SIG_ALG
 ARG MAKE_DEFINES
 
-LABEL version="2"
+LABEL version="3"
 
 ENV DEBIAN_FRONTEND noninteractive
 
@@ -39,29 +39,31 @@ RUN apk add build-base linux-headers \
             libtool automake autoconf cmake ninja \
             make \
             openssl openssl-dev \
-            git docker wget
+            git wget
 
 # get all sources
 WORKDIR /opt
 RUN git clone --depth 1 --branch main https://github.com/open-quantum-safe/liboqs && \
-    git clone --depth 1 --branch OQS-OpenSSL_1_1_1-stable https://github.com/open-quantum-safe/openssl ossl-src && \
+    git clone --depth 1 --branch master https://github.com/openssl/openssl.git && \
+    git clone --depth 1 --branch main https://github.com/open-quantum-safe/oqs-provider.git && \
     wget https://curl.haxx.se/download/curl-${CURL_VERSION}.tar.gz && tar -zxvf curl-${CURL_VERSION}.tar.gz;
 
-# build liboqs shared and static
+# build liboqs
 WORKDIR /opt/liboqs
-RUN mkdir build && cd build && cmake -G"Ninja" .. ${LIBOQS_BUILD_DEFINES} -DBUILD_SHARED_LIBS=ON -DCMAKE_INSTALL_PREFIX=/opt/ossl-src/oqs && ninja install
-RUN mkdir build-static && cd build-static && cmake -G"Ninja" .. ${LIBOQS_BUILD_DEFINES} -DBUILD_SHARED_LIBS=OFF -DCMAKE_INSTALL_PREFIX=/opt/ossl-src/oqs && ninja install
+RUN mkdir build && cd build && cmake -G"Ninja" .. ${LIBOQS_BUILD_DEFINES} -DCMAKE_INSTALL_PREFIX=${INSTALLDIR} && ninja install
 
-# build OQS-OpenSSL
-WORKDIR /opt/ossl-src
-# curl looks for shared libraries
-# at ./configure time
-RUN LDFLAGS="-Wl,-rpath -Wl,${INSTALLDIR}/lib" ./config shared ${OPENSSL_BUILD_DEFINES} --prefix=${INSTALLDIR} && \
-    make ${MAKE_DEFINES} && make install;
+# build OpenSSL3
+WORKDIR /opt/openssl
+RUN LDFLAGS="-Wl,-rpath -Wl,${INSTALLDIR}/lib64" ./config shared --prefix=${INSTALLDIR} && \
+    make ${MAKE_DEFINES} && make install_sw install_ssldirs;
 
-# set path to use 'new' openssl & curl. Dyn libs have been properly linked in to match
+# set path to use 'new' openssl. Dyn libs have been properly linked in to match
 ENV PATH="${INSTALLDIR}/bin:${PATH}"
 
+# build & install provider (and activate by default)
+WORKDIR /opt/oqs-provider
+RUN ln -s ../openssl . && cmake -DOPENSSL_ROOT_DIR=${INSTALLDIR} -DCMAKE_BUILD_TYPE=Release -DCMAKE_PREFIX_PATH=${INSTALLDIR} -S . -B _build && cmake --build _build  && cp _build/lib/oqsprovider.so ${INSTALLDIR}/lib64/ossl-modules && sed -i "s/default = default_sect/default = default_sect\noqsprovider = oqsprovider_sect/g" /opt/oqssa/ssl/openssl.cnf && sed -i "s/\[default_sect\]/\[default_sect\]\nactivate = 1\n\[oqsprovider_sect\]\nactivate = 1\n/g" /opt/oqssa/ssl/openssl.cnf && sed -i "s/providers = provider_sect/providers = provider_sect\nssl_conf = ssl_sect\n\n\[ssl_sect\]\nsystem_default = system_default_sect\n\n\[system_default_sect\]\nGroups = \$ENV\:\:KEM_ALG\n/g" /opt/oqssa/ssl/openssl.cnf && sed -i "s/\# Use this in order to automatically load providers/\# Set default KEM alg if not set via environment variable\nKEM_ALG = kyber512\n\n# Use this in order to automatically load providers/g" /opt/oqssa/ssl/openssl.cnf
+
 # generate certificates for openssl s_server, which is what we will test curl against
 ENV OPENSSL=${INSTALLDIR}/bin/openssl
 ENV OPENSSL_CNF=${INSTALLDIR}/ssl/openssl.cnf
@@ -75,17 +77,16 @@ RUN set -x; \
 WORKDIR /opt/curl-${CURL_VERSION}
 
 # Download and integrate LetsEncrypt Root CA to CA bundle
-RUN wget https://letsencrypt.org/certs/letsencryptauthorityx3.pem.txt && cat ${INSTALLDIR}/bin/CA.crt >> letsencryptauthorityx3.pem.txt 
+RUN wget https://letsencrypt.org/certs/isrgrootx1.pem -O oqs-bundle.pem && cat ${INSTALLDIR}/bin/CA.crt >> oqs-bundle.pem 
 
 # For curl debugging enable it by adding the line below to the configure command:
 #                    --enable-debug \
 
-RUN env CPPFLAGS="-I/opt/ossl-src/oqs/include" \
-        LDFLAGS=-Wl,-R${INSTALLDIR}/lib  \
+RUN env LDFLAGS=-Wl,-R${INSTALLDIR}/lib64  \
         ./configure --prefix=${INSTALLDIR} \
                     --with-ca-bundle=${INSTALLDIR}/oqs-bundle.pem \
                     --with-ssl=${INSTALLDIR} && \
-    make ${MAKE_DEFINES} && make install && mv letsencryptauthorityx3.pem.txt ${INSTALLDIR}/oqs-bundle.pem;
+    make ${MAKE_DEFINES} && make install && mv oqs-bundle.pem ${INSTALLDIR};
 
 # Download current test.openquantumsafe.org test CA cert
 WORKDIR ${INSTALLDIR}
@@ -131,6 +132,9 @@ ARG INSTALLDIR
 
 WORKDIR /
 
+# Improve size some more: liboqs.a not needed during operation
+RUN rm ${INSTALLDIR}/lib64/liboqs*
+
 # Enable a normal user to create new server keys off set CA
 RUN addgroup -g 1000 -S oqs && adduser --uid 1000 -S oqs -G oqs && chown -R oqs.oqs /opt/test && chmod go+r ${INSTALLDIR}/bin/CA.key && chmod go+w ${INSTALLDIR}/bin/CA.srl
 

curl/README.md

@@ -1,4 +1,4 @@
-This directory contains a Dockerfile that builds curl with the [OQS OpenSSL 1.1.1 fork](https://github.com/open-quantum-safe/openssl), which allows curl to negotiate quantum-safe keys and use quantum-safe authentication in TLS 1.3.
+This directory contains a Dockerfile that builds `curl` using OpenSSL v3 using the [OQS provider](https://github.com/open-quantum-safe/oqs-provider), which allows `curl` to negotiate quantum-safe keys and use quantum-safe authentication in TLS 1.3.
 
 ## Quick start
 
@@ -11,15 +11,15 @@ This directory contains a Dockerfile that builds curl with the [OQS OpenSSL 1.1.
 ## More details
 
 The Dockerfile 
-- obtains all source code required for building the quantum-safe crypto (QSC) algorithms, the QSC-enabled version of OpenSSL (v.1.1.1), curl (v.7.73.0) 
+- obtains all source code required for building the quantum-safe crypto (QSC) algorithms, the QSC-enabled oqs-provider, curl (v.7.87.0) and the latest OpenSSL (master) code
 - builds all libraries and applications
 - creates OQS-enabled certificate files for a mini-root certificate authority (CA) 
 - creates an OQS-enabled server certificate for running a `localhost` QSC-TLS server
 - by default starts an openssl (s_server) based test server.
 
-The signature algorithm for the certificates is set to `dilithium2` by default, but can be changed to any of the [supported OQS signature algorithms](https://github.com/open-quantum-safe/openssl#authentication) with the build argumemt to docker `--build-arg SIG_ALG=`*name-of-oqs-sig-algorithm*, e.g. as follows:
+The signature algorithm for the certificates is set to `dilithium3` by default, but can be changed to any of the [supported OQS signature algorithms](https://github.com/open-quantum-safe/oqs-provider#algorithms) with the build argumemt to docker `--build-arg SIG_ALG=`*name-of-oqs-sig-algorithm*, e.g. as follows:
 ```
-docker build -t oqs-curl --build-arg SIG_ALG=qteslapiii .
+docker build -t oqs-curl --build-arg SIG_ALG=p521_falcon1024 .
 ```
 
 **Note for the interested**: The build process is two-stage with the final image only retaining all executables, libraries and include-files to utilize OQS-enabled curl and openssl.

curl/USAGE.md

@@ -1,23 +1,23 @@
 # OQS-curl
 
-This docker image contains a version of [curl](https://curl.haxx.se) build to also utilize quantum-safe crypto (QSC) operations.
+This docker image contains a version of [curl](https://curl.haxx.se) configured to also utilize quantum-safe crypto (QSC) operations.
 
-To this end, it contains [liboqs](https://github.com/open-quantum-safe/liboqs) as well as [OQS-OpenSSL](https://github.com/open-quantum-safe/openssl) from the [OpenQuantumSafe](https://openquantumsafe.org) project.
+To this end, it contains [oqs-provider](https://github.com/open-quantum-safe/oqs-provider) from the [OpenQuantumSafe](https://openquantumsafe.org) project together with the latest OpenSSL (v3/master) code.
 
-As different images providing the same base functionality may be available, e.g., for debug or performance-optimized operations, the image name `oqs-curl` is consistently used in the description below. Be sure to adapt it to the image you want to use.
+As different images providing the same base functionality may be available, e.g., for debug or performance-optimized operations, the image name `openquantumsafe/curl` is consistently used in the description below. Be sure to adapt it to the image you want to use.
 
 ## Quick start
 
-1) With `docker run -it oqs-curl` start an OQS-enabled TLS test server.
+1) `docker run -it openquantumsafe/curl` starts an OQS-enabled TLS test server.
 2) On the command prompt in the docker container resulting from the first comment, one can query that server by issuing the command `curl --curves kyber512 https://localhost:4433`. 
 
-The latter command returns all TLS information documenting use of OQS-enabled TLS. The parameter to the `--curves` argument is [any Kex Exchange algorithm supported by OQS-OpenSSL](https://github.com/open-quantum-safe/openssl#key-exchange).
+The latter command returns all TLS information documenting use of OQS-enabled TLS. The parameter to the `--curves` argument is [any Kex Exchange algorithm supported by oqs-provider](https://github.com/open-quantum-safe/oqs-provider#algorithms).
 
 ## Retrieving data from other QSC-enabled TLS servers
 
-Beyond interacting with the built-in test server (utilizing `openssl s_server`) the image can also be used to retrieve data from any OQS-enabled TLS (1.3) server with the command `docker run -it oqs-curl curl <OQS-server URL>`.
+Beyond interacting with the built-in test server (utilizing `openssl s_server`) the image can also be used to retrieve data from any OQS-enabled TLS (1.3) server with the command `docker run -it openquantumsafe/curl curl <OQS-server URL>`.
 
-All standard `curl` parameters are available plus the option to explicitly request a specific OQS algorithm ("--curves") from the [supported KEX list](https://github.com/open-quantum-safe/openssl#key-exchange).
+All standard `curl` parameters are available plus the option to explicitly request a specific OQS algorithm ("--curves") from the [supported list of KEM algorithms](https://github.com/open-quantum-safe/oqs-provider#algorithms).
 
 
 ## Performance testing
@@ -29,13 +29,13 @@ The docker image can also be used to execute performance tests using the differe
 
 Simply start 
 ```
-docker run -it oqs-curl perftest.sh
+docker run -it openquantumsafe/curl perftest.sh
 ```
 to perform TLS handshakes for 200 seconds (TEST_TIME default value) using dilithium2 (SIG_ALG default value) and kyber512 (KEM_ALG default value) keys and certificates.
 
 A 'worked example' and more general alternative form of the command is
 ```
-docker run -e TEST_TIME=5 -e KEM_ALG=kyber768 -e SIG_ALG=dilithium3 -it oqs-curl perftest.sh
+docker run -e TEST_TIME=5 -e KEM_ALG=kyber768 -e SIG_ALG=dilithium3 -it openquantumsafe/curl perftest.sh
 ```
 runs TLS handshakes for 5 seconds exercizing `dilithium3` and `kyber768`. Again, all [supported QSC algorithms](https://github.com/open-quantum-safe/openssl#supported-algorithms) can be set here. Be sure to properly distinguish between SIGnature_ALGorithms and KEM(Key Exchange Mechanism)_ALGorithms.
 
@@ -44,11 +44,11 @@ runs TLS handshakes for 5 seconds exercizing `dilithium3` and `kyber768`. Again,
 
 Simply start 
 ```
-docker run -it oqs-curl openssl speed
+docker run -it openquantumsafe/curl openssl speed
 ```
 to run through all crypto algorithms built into and enabled in the docker image. This includes classic as well as quantum-safe algorithms side by side.
 
-If interested in performance of only specific algorithms, this can be done by providing parameters as usual for [openssl speed](https://www.openssl.org/docs/man1.1.1/man1/openssl-speed.html). The list of [supported OQS algorithms is accessible here](https://github.com/open-quantum-safe/openssl#supported-algorithms), so an example call would be `docker run -it oqs-curl openssl speed -seconds 2 kyber90s512`.
+If interested in performance of only specific algorithms, this can be done by providing parameters as usual for [openssl speed](https://www.openssl.org/docs/man1.1.1/man1/openssl-speed.html). The list of [currently supported OQS algorithms is accessible here](https://github.com/open-quantum-safe/oqs-provider#algorithms), so an example call would be `docker run -it openquantumsafe/curl openssl speed -seconds 2 kyber90s512`.
 
 #### Classic algorithm names for reference
 

curl/perftest.sh

@@ -44,4 +44,5 @@ openssl s_server -cert /opt/test/server.crt -key /opt/test/server.key -curves $K
 sleep 1
 
 # Run handshakes for $TEST_TIME seconds
-openssl s_time -curves $KEM_ALG -connect :4433 -new -time $TEST_TIME -verify 1 | grep connections
+# The env var KEM_ALG activates the required Group via the system openssl.cnf:
+openssl s_time -connect :4433 -new -time $TEST_TIME -verify 1 | grep connections

curl/serverstart.sh

@@ -6,7 +6,7 @@ if [ "x$KEM_ALG" == "x" ]; then
 	export KEM_ALG=kyber512
 fi
 
-# Optionally set server certificate alg to one defined in https://github.com/open-quantum-safe/openssl#authentication
+# Optionally set server certificate alg to one defined in https://github.com/open-quantum-safe/oqs-provider#algorithms
 # The root CA's signature alg remains as set when building the image
 if [ "x$SIG_ALG" != "x" ]; then
     cd /opt/oqssa/bin