-
Notifications
You must be signed in to change notification settings - Fork 79
/
Copy pathDockerfile
executable file
·155 lines (130 loc) · 6.3 KB
/
Dockerfile
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
# This Dockerfile builds a Wireshark image with Open Quantum Safe (OQS) support.
# By integrating OQS, the resulting Wireshark build is capable of
# analyzing and handling post-quantum cryptographic protocols.
# Define the base versions and tags for dependencies
ARG UBUNTU_VERSION=24.04
ARG WIRESHARK_VERSION=4.4.1
ARG OPENSSL_TAG=3.4.0
ARG LIBOQS_TAG=0.11.0
ARG OQSPROVIDER_TAG=0.7.0
# Define Installation directory
ARG INSTALLDIR=/opt/oqs
# Stage 1: Building stage
FROM ubuntu:${UBUNTU_VERSION} AS build
LABEL version="2"
ENV DEBIAN_FRONTEND=noninteractive
ARG WIRESHARK_VERSION
ARG OPENSSL_TAG
ARG LIBOQS_TAG
ARG OQSPROVIDER_TAG
ARG INSTALLDIR
# Install essential build dependencies
RUN apt-get update && apt-get install -y --no-install-recommends \
build-essential libtool automake autoconf cmake ninja-build \
git wget ca-certificates \
python3 python3-pip python3-venv && \
apt-get clean && rm -rf /var/lib/apt/lists/*
WORKDIR /opt
# Set up isolated directories
# src for source files, build for compiling, and install for final binaries
RUN mkdir -p src/liboqs src/openssl src/oqs-provider src/wireshark \
build/liboqs build/openssl build/oqs-provider build/wireshark \
${INSTALLDIR}/lib ${INSTALLDIR}/bin ${INSTALLDIR}/ssl
# Download sources
WORKDIR /opt/src
RUN git clone --depth 1 --branch ${LIBOQS_TAG} https://github.com/open-quantum-safe/liboqs.git liboqs && \
git clone --depth 1 --branch openssl-${OPENSSL_TAG} https://github.com/openssl/openssl.git openssl && \
git clone --depth 1 --branch ${OQSPROVIDER_TAG} https://github.com/open-quantum-safe/oqs-provider.git oqs-provider && \
wget -O wireshark.tar.xz https://www.wireshark.org/download/src/all-versions/wireshark-${WIRESHARK_VERSION}.tar.xz && \
tar -xf wireshark.tar.xz --strip-components=1 -C wireshark && \
rm wireshark.tar.xz
# Build and install liboqs
WORKDIR /opt/build/liboqs
RUN cmake -G Ninja /opt/src/liboqs \
-D CMAKE_INSTALL_PREFIX=${INSTALLDIR}/liboqs \
-D BUILD_SHARED_LIBS=ON \
-D OQS_USE_OPENSSL=OFF \
-D CMAKE_INSTALL_RPATH="${INSTALLDIR}/liboqs/lib" && \
ninja -j$(nproc) && ninja install
# Build OpenSSL integrated with liboqs
WORKDIR /opt/build/openssl
RUN LDFLAGS="-Wl,-rpath,${INSTALLDIR}/liboqs/lib" \
/opt/src/openssl/config \
--prefix=${INSTALLDIR}/openssl \
--openssldir=${INSTALLDIR}/ssl \
shared && \
make -j$(nproc) && \
make install_sw install_ssldirs
# Build OQS provider for OpenSSL integration
WORKDIR /opt/build/oqs-provider
RUN cmake -G Ninja \
-D OPENSSL_ROOT_DIR=${INSTALLDIR}/openssl \
-D CMAKE_PREFIX_PATH="${INSTALLDIR}/openssl;${INSTALLDIR}/liboqs" \
-D CMAKE_INSTALL_PREFIX=${INSTALLDIR}/oqs-provider \
-D CMAKE_INSTALL_RPATH="${INSTALLDIR}/openssl/lib:${INSTALLDIR}/liboqs/lib" \
/opt/src/oqs-provider && \
ninja -j$(nproc) && \
mkdir -p ${INSTALLDIR}/openssl/lib/ossl-modules && \
cp /opt/build/oqs-provider/lib/oqsprovider.so ${INSTALLDIR}/openssl/lib/ossl-modules
# Set up OpenSSL to load the OQS provider
RUN CONFIG_FILE="${INSTALLDIR}/ssl/openssl.cnf" && \
sed -i "s/default = default_sect/default = default_sect\noqsprovider = oqsprovider_sect/g" "$CONFIG_FILE" && \
sed -i "s/\[default_sect\]/\[default_sect\]\nactivate = 1\n\[oqsprovider_sect\]\nactivate = 1\n/g" "$CONFIG_FILE"
# Using a script from Wireshark to install required build dependencies
WORKDIR /opt/src/wireshark
RUN ./tools/debian-setup.sh -y
# Generate `qsc.h`
WORKDIR ${INSTALLDIR}
RUN cp /opt/src/oqs-provider/oqs-template/generate.yml ${INSTALLDIR}
COPY generate_qsc_header.py ${INSTALLDIR}
COPY qsc_template.jinja2 ${INSTALLDIR}
COPY requirements.txt ${INSTALLDIR}
RUN python3 -m venv ${INSTALLDIR}/venv && \
. ${INSTALLDIR}/venv/bin/activate && \
pip install -r requirements.txt && \
python ${INSTALLDIR}/generate_qsc_header.py && \
deactivate
RUN cp ${INSTALLDIR}/qsc.h /opt/src/wireshark/epan/dissectors/
# Modify Wireshark source files for post-quantum definitions
WORKDIR /opt/src/wireshark
RUN sed -i "s/#include \"config.h\"/#include \"config.h\"\n#include \"qsc.h\"/g" epan/dissectors/packet-pkcs1.c && \
sed -i "s/#include \"config.h\"/#include \"config.h\"\n#include \"qsc.h\"/g" epan/dissectors/packet-tls-utils.c && \
sed -i "s/oid_add_from_string(\"sha224\", \"2.16.840.1.101.3.4.2.4\");/oid_add_from_string(\"sha224\", \"2.16.840.1.101.3.4.2.4\");\nQSC_SIGS/g" epan/dissectors/packet-pkcs1.c && \
sed -i "s/ { 260\, \"ffdhe8192\" }\, \/\* RFC 7919 \*\// { 260\, \"ffdhe8192\" }\, \/\* RFC 7919 \*\/\nQSC_KEMS/g" epan/dissectors/packet-tls-utils.c && \
sed -i "s/ { 0x080b\, \"rsa_pss_pss_sha512\" }\,/ { 0x080b\, \"rsa_pss_pss_sha512\" }\,\nQSC_SIG_CPS/g" epan/dissectors/packet-tls-utils.c
# Build and install Wireshark
WORKDIR /opt/build/wireshark
RUN cmake -G Ninja /opt/src/wireshark \
-D QT5=OFF \
-D QT6=ON \
-D CMAKE_BUILD_TYPE=Release \
-D CMAKE_INSTALL_PREFIX=${INSTALLDIR}/wireshark \
-D CMAKE_PREFIX_PATH="${INSTALLDIR}/openssl;${INSTALLDIR}/liboqs" \
-D CMAKE_INSTALL_RPATH="${INSTALLDIR}/openssl/lib:${INSTALLDIR}/liboqs/lib" && \
ninja -j$(nproc) && ninja install
# Test integration of OQS provider with OpenSSL
WORKDIR /opt/src/oqs-provider
ENV OPENSSL_CONF=${INSTALLDIR}/ssl/openssl.cnf
ENV OPENSSL_MODULES=${INSTALLDIR}/openssl/lib/ossl-modules
RUN mkdir -p _build
RUN ./scripts/runtests.sh -j$(nproc)
# Stage 2: Minimal runtime image
FROM ubuntu:${UBUNTU_VERSION} AS runtime
ENV DEBIAN_FRONTEND=noninteractive
ARG INSTALLDIR
# Install necessary runtime dependencies
RUN apt-get update && apt-get install -y --no-install-recommends \
libc-ares2 pcaputils libssh-4 libgcrypt20 \
libglib2.0-0 libpcap0.8 libspeexdsp1 zlib1g \
libqt6core6 libqt6gui6 libqt6widgets6 libqt6printsupport6 \
libqt6core5compat6 libqt6dbus6 libqt6multimedia6 libgpg-error0 && \
apt-get clean && rm -rf /var/lib/apt/lists/*
ENV PATH="${INSTALLDIR}/wireshark/bin:${INSTALLDIR}/openssl/bin:${PATH}"
ENV OPENSSL_CONF=${INSTALLDIR}/ssl/openssl.cnf
ENV OPENSSL_MODULES=${INSTALLDIR}/openssl/lib/ossl-modules
# Copy essential files from build stage
COPY --from=build ${INSTALLDIR}/wireshark ${INSTALLDIR}/wireshark
COPY --from=build ${INSTALLDIR}/openssl ${INSTALLDIR}/openssl
COPY --from=build ${INSTALLDIR}/liboqs ${INSTALLDIR}/liboqs
COPY --from=build ${INSTALLDIR}/ssl ${INSTALLDIR}/ssl
CMD ["wireshark"]