openssl_quantum: init at 3.3.2 #364167
openssl_quantum: init at 3.3.2 #364167
Conversation
b4714ab to
2adb593
Compare
|
This pull request has been mentioned on NixOS Discourse. There might be relevant details there: https://discourse.nixos.org/t/prs-ready-for-review/3032/5043 |
|
@thillux @ulrikstrid Could you please take a look? |
I'm a bit low on bandwidth currently, I can try to find some time next week for a review. Ideally we should have a better way to load providers and engines so that we don't have to create custom packages when we want to add more providers. |
|
No worries, whenever you're free!
I'm not sure how this would be possible? The best thing I can think of is an "empty" default openssl package, for example named openssl_with_providers without any providers that it's possible to override later. |
|
I'll probably have time again to look at this starting next week. Is there any upcoming user of this in nixpkgs? Are there any other OpenSSL providers besides TPM 2.0, esdm and oqs we can build/test this with? I'm also not really happy with introducing a default package for every provider combination. Nevertheless, using providers should be made easier 👍. |
|
We probably should update master/unstable to OpenSSL 3.4.0 on the go, as this adds more CLI options for testing key encapsulation schemes. |
I'm not aware of any people in particular, but given that oqs-provider and liboqs were added recently, it does seem like there's at least some people who would find this useful.
Me neither :( unfortunately I don't know if there's a better way; Nix forces us to declare everything about the package, right?
Do you mean that should happen in this PR? |
Ideally we should have a |
No, I opened #372733 for this. |
2adb593 to
ec0ac17
Compare
ec0ac17 to
d53b472
Compare
e5751e2 to
9d2c973
Compare
|
Sorry, the PR accidentally closed after I force pushed the wrong commit!
Ah, I didn't realize that the problem was the extra provider package instead of the override being available on the normal openssl package. I've changed the code to match this suggestion, so now anyone can add their own providers with |
97057b4 to
10858f4
Compare
10858f4 to
3721994
Compare
|
Perhaps a way to configure openssl similar to the way different BLAS/LAPACK implementations are selected would be a good way to go about it? |
Reading over it, this implementation seems similar: somebody can use The only issue I have is with the handling of the config, which is not the nicest way to handle the config, but because it's a nonstandard format I don't see a better way. |
Is it not just an INI with a global section? |
It is, so I guess you could say it's standard (even though the INI format doesn't have a formal specification), but it doesn't seem like there's a way to convert to INI in Nix. It seems like there's only support for TOML. |
|
There is! :) Check out |
|
@spacekitteh Thanks for the recommendation! Do you know if there's a way to go the other way from INI -> Nix? Without it, modifying the config seems like it'll be just crudely appending to whatever's already there, or sed replacement. Another option might be to rewrite the entire config in Nix, which I feel is a significantly worse approach. |
4f1de91 to
b3e3efe
Compare
|
Hi everyone, I've updated the PR to include the INI format generator, and I think it's ready for review. If there's anything you would like me to change, I'd be happy to do so. |
Also format files for PR
b3e3efe to
7c0452e
Compare
|
@thillux @ulrikstrid If you're busy no worries, but is there anything you'd like me to change/fix up? |
Added openssl_quantum using oqs-provider. Adapted from my own repository. This is still standard openssl but with the added abililty to make quantum safe connections.
Post quantum cryptography is becoming more important as quantum computers become more powerful, so now that liboqs and oqs-provider are in nixpkgs, I thought I would add them to openssl as well. Maybe eventually this can even become the default openssl.
This package is the same as openssl_3_3 but with a modified configuration that points to oqs-provider so that openssl knows where to look. It also loads providers by default, so they are always active.
PQ functionality can be tested with
openssl list -providersopenssl list -kem-algorithmsopenssl list -signature-algorithmsResources
https://github.com/openssl/openssl/blob/master/README-PROVIDERS.md - About providers
https://github.com/open-quantum-safe/oqs-provider
https://www.nist.gov/cybersecurity/what-post-quantum-cryptography - Why post quantum cryptography is important now
Things done
nix.conf? (See Nix manual)sandbox = relaxedsandbox = truenix-shell -p nixpkgs-review --run "nixpkgs-review rev HEAD". Note: all changes have to be committed, also see nixpkgs-review usage./result/bin/)Add a 👍 reaction to pull requests you find important.