openssl_quantum: init at 3.3.2 #364167
This pull request has been mentioned on NixOS Discourse. There might be relevant details there: https://discourse.nixos.org/t/prs-ready-for-review/3032/5043
@thillux @ulrikstrid Could you please take a look?
I'm a bit low on bandwidth currently, I can try to find some time next week for a review. Ideally we should have a better way to load providers and engines so that we don't have to create custom packages when we want to add more providers.
No worries, whenever you're free!
I'm not sure how this would be possible? The best thing I can think of is an "empty" default openssl package, for example named openssl_with_providers, without any providers, that it's possible to override later.
I'll probably have time again to look at this starting next week. Is there any upcoming user of this in nixpkgs? Are there any other OpenSSL providers besides TPM 2.0, esdm and oqs we can build/test this with? I'm also not really happy with introducing a default package for every provider combination. Nevertheless, using providers should be made easier 👍.
We probably should update master/unstable to OpenSSL 3.4.0 on the go, as this adds more CLI options for testing key encapsulation schemes.
I'm not aware of any people in particular, but given that oqs-provider and liboqs were added recently, it does seem like there's at least some people who would find this useful.
Me neither :( unfortunately I don't know if there's a better way; Nix forces us to declare everything about the package, right?
Do you mean that should happen in this PR?
Ideally we should have a
No, I opened #372733 for this.
Is it not just an INI with a global section?
It is, so I guess you could say it's standard (even though the INI format doesn't have a formal specification), but it doesn't seem like there's a way to convert to INI in Nix. It seems like there's only support for TOML.
There is! :) Check out
@spacekitteh Thanks for the recommendation! Do you know if there's a way to go the other way, from INI -> Nix? Without it, modifying the config seems like it'll be just crudely appending to whatever's already there, or sed replacement. Another option might be to rewrite the entire config in Nix, which I feel is a significantly worse approach.
Hi everyone, I've updated the PR to include the INI format generator, and I think it's ready for review. If there's anything you would like me to change, I'd be happy to do so.
@thillux @ulrikstrid If you're busy no worries, but is there anything you'd like me to change/fix up?
ulrikstrid left a comment
I like this approach. It doesn't seem to trigger a mass-rebuild (openssl seems to be cached from what I can tell) so should be fine to merge to master
@thillux is there anything you'd like me to do to get this merged?
Please rename to something like openssl-oqs, as OpenSSL already has upstream PQC support and the name should be no false distinguisher here.
I've updated the PR to match the name change you wanted. Is there anything else that should be changed?
@siddharth-narayan For me this is good to go. I've just no commit rights here :)
Added openssl_quantum using oqs-provider. Adapted from my own repository. This is still standard openssl but with the added ability to make quantum-safe connections.
Post quantum cryptography is becoming more important as quantum computers become more powerful, so now that liboqs and oqs-provider are in nixpkgs, I thought I would add them to openssl as well. Maybe eventually this can even become the default openssl.
This package is the same as openssl_3_3 but with a modified configuration that points to oqs-provider so that openssl knows where to look. It also loads providers by default, so they are always active.
PQ functionality can be tested with
openssl list -providers
openssl list -kem-algorithms
openssl list -signature-algorithms
Resources
https://github.com/openssl/openssl/blob/master/README-PROVIDERS.md - About providers
https://github.com/open-quantum-safe/oqs-provider
https://www.nist.gov/cybersecurity/what-post-quantum-cryptography - Why post quantum cryptography is important now
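The two technical threads above, a modified openssl.cnf that points at oqs-provider and activates providers by default, and generating that INI-with-a-global-section from Nix, can be combined in one small expression. The following is an added example, not code from this PR or from nixpkgs; it assumes that the nixpkgs attribute is pkgs.oqs-provider and that it installs its module as lib/ossl-modules/oqsprovider.so (that path is an assumption; check the store path of the built package), and it uses the OPENSSL_CONF environment variable to hand the generated config to a stock openssl binary instead of rebuilding the package.

```nix
# Added example (not the PR's code): generate an openssl.cnf with the provider
# section layout from README-PROVIDERS.md via lib.generators.toINIWithGlobalSection,
# then wrap the stock openssl CLI so it reads that config through OPENSSL_CONF.
{ pkgs ? import <nixpkgs> { } }:
let
  inherit (pkgs) lib;

  # Assumed path: oqs-provider's module under its store path. Verify with
  #   ls "$(nix-build '<nixpkgs>' -A oqs-provider)/lib/ossl-modules"
  oqsModule = "${pkgs.oqs-provider}/lib/ossl-modules/oqsprovider.so";

  # openssl.cnf is an INI file whose section-less (global) part names the
  # init section, so plain toINI is not enough; toINIWithGlobalSection is.
  opensslCnf = pkgs.writeText "openssl.cnf" (lib.generators.toINIWithGlobalSection { } {
    globalSection = {
      openssl_conf = "openssl_init";
    };
    sections = {
      openssl_init.providers = "provider_sect";

      # Once any provider is listed explicitly, OpenSSL no longer loads the
      # default provider implicitly. Keep `default` here, or classical
      # algorithms (AES, ECDHE, RSA, ...) vanish and TLS handshakes fail.
      provider_sect = {
        default = "default_sect";
        oqsprovider = "oqsprovider_sect";
      };

      # activate = 1 loads each provider at startup rather than on demand,
      # which is what "providers are always active" in the PR text means.
      default_sect.activate = 1;
      oqsprovider_sect = {
        activate = 1;
        module = oqsModule;
      };
    };
  });
in
# A wrapper around the unmodified openssl CLI; OPENSSL_CONF is honoured by
# libssl/libcrypto too, so programs exec'd from here inherit the providers.
pkgs.writeShellScriptBin "openssl-oqs" ''
  export OPENSSL_CONF=${opensslCnf}
  exec ${lib.getBin pkgs.openssl}/bin/openssl "$@"
''
```

After nix-build, ./result/bin/openssl-oqs list -providers should show both default and oqsprovider as active, and openssl-oqs list -kem-algorithms should include the OQS key-encapsulation algorithms alongside the built-in ones; if only the default provider appears, the module path assumption above is wrong for your checkout. This wrapper approach is the "don't create a custom package per provider combination" direction raised in the thread, but note it only affects processes that see the environment variable, whereas the PR's rebuilt package changes the config that every linked program reads.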