【密码学】自编译Chronium实现抗量子加密协议
我们,在之前的文章当中[1,2]已经,讲过了,如何将PQC算法集成到OpenSSL、NGINX、cURL当中,这里,因为我们知道,虽然Chrome已经开放了抗量子密码的特性,但是,所支持的算法终究还是有限的,然后呢,有一个开源的浏览器项目chromium,OQS团队呢,实际上也给出了具体的方案,但是,我这用起来,在Ubuntu上没有成功,然后心想着,这里patch的东西也不多[3],那么就自己来搞一下吧。
环境搭建
这里,我仅测试了在MacOS系统上成功了,其实Ubuntu我也编译成功了,但是报错了,由于我没有物理的机器,所以目前,没有办法排查。
❝
注意,最新代码,需要用到最新版本的XCode SDK, 否则会出现一些奇怪的编译bug,可以采用如下命令来查看。
❞
ls `xcode-select -p`/Platforms/MacOSX.platform/Developer/SDKs
输出如下,这里,我用的是15的sdk, 14会出现诡异错误,慎重选用,不保编译过,别问我咋知道的。
如果没有装的,自行安装,或者自行升级,相信用mac的应该不会陌生。
准备工作
首先,需要根据chromium的文档,来准备编译环境[2]。这里,需要根据要求来检查一下电脑的配置,推荐16g内存起步,当然我没有试过低内存的mac编译会不会oom,感兴趣的读者,可以自行尝试。目前在m1芯片,以及intel芯片都可以编译过。
安装depot_tools
下载,工具到某个位置,这个位置要记住,自己下载到了那里。
git clone https://chromium.googlesource.com/chromium/tools/depot_tools.git
添加环境变量,这里在.zshrc中添加上述工具
export PATH="/path/to/depot_tools:$PATH"
这里,最好是加到前面,编译结束之后,可以去掉,至于为啥呢,防止重名的工具产生影响,或者其他版本工具产生影响。
激活,新的环境变量。
source ~/.zshrc
下载源码
接下来,我们需要下载对应的源码,这里,我们直接搞最新的,问题不大。
mkdir ~/chromium && cd ~/chromium
注意,这里,要保证磁盘有剩余的空间,我这里,大约占用了40多g。
注意mac剩余磁盘大小,如果剩余太少,会导致系统极其卡顿。
fetch --nohooks --no-history chromium
这里,速度取决于网速,并且,没有太多额外的输出,耐心的等待一会儿,就下载完成了,这里我们没有必要要历史的记录,因此不要,可以极大提高下载速度。
如果执行过程中有提示gclient sync相关的错误,或者执行到这一步的时候网络请求超时了,重新执行一下gclient sync指令即可,我没试过,因为我下载的很顺利。
这里,目前,我的版本是
HEAD detached at 7fea069c60
到这里,源码就下载完成了,这里,我们不需要立刻编译一次试试,直接改代码,至于为啥,因为编译一次大约需要4个小时,可能因为我的电脑比较垃圾,当然,如果你时间充裕,可以考虑先编译下。
切换OQS-BoringSSL
这里,需要切换到OQS-BoringSSL,因为这里面支持了PQC算法,因此,我们需要提前换掉。
cd $CHROMIUM_ROOT/third_party/boringssl/src
git remote add oqs-bssl https://github.com/open-quantum-safe/boringssl
git fetch oqs-bssl
git checkout -b oqs-bssl-master 0599bb559d3be76a98f0940d494411b6a8e0b18e
注意,这里$CHROMIUM_ROOT是在下载路径的src下面,而不是chromium。
构建Build liboqs
按照,如下的方式操作。
git clone https://github.com/open-quantum-safe/liboqs.git && cd liboqs && git checkout 9aa2e1481cd0c242658ec8e92776741feabec163
mkdir build && cd build
cmake .. -G"Ninja" -DCMAKE_INSTALL_PREFIX=$CHROMIUM_ROOT/third_party/boringssl/src/oqs -DOQS_USE_OPENSSL=OFF -DCMAKE_BUILD_TYPE=Release -DCMAKE_OSX_DEPLOYMENT_TARGET=11.0
ninja && ninja install
注意,这里和[3]中有差异,添加了-DCMAKE_OSX_DEPLOYMENT_TARGET=11.0,否则会出现错误,具体原因参考[4]。这个,编译速度还是很快的,十几秒就结束了吧。
最终,可以看到如下的输出。
到这里,准备工作就做完了。
修改代码支持PQC
这里,不能直接按照[5]当中的patch文件运行,会报错,因为版本还有系统有些差异,因此需要手工根据,patch的文件,来改一下,这里简单说一下,需要改哪里。
net/cert/cert_verify_proc.cc
index a6ce9ec0ba..5739ce429c 100644
--- a/net/cert/cert_verify_proc.cc
+++ b/net/cert/cert_verify_proc.cc
@@ -89,6 +89,19 @@ const int kRsaKeySizes[] = {512, 768, 1024, 1536, 2048,
// return P-224, P-256, P-384, or P-521, and the verifier will reject P-224.
const int kEcdsaKeySizes[] = {163, 192, 224, 233, 256, 283, 384, 409, 521, 571};
+template<typename C, typename T>
+bool ArrayContains(C && c, T t) {
+ return std::find(std::begin(c), std::end(c), t) != std::end(c);
+}
+const X509Certificate::PublicKeyType OqsSigTypes[] = {
+ X509Certificate::kPublicKeyTypeDilithium,
+ X509Certificate::kPublicKeyTypeFalcon,
+ X509Certificate::kPublicKeyTypeMLDSA,
+ X509Certificate::kPublicKeyTypeSPHINCSSHA2,
+ X509Certificate::kPublicKeyTypeSPHINCSSHAKE,
+ X509Certificate::kPublicKeyTypeMAYO,
+ X509Certificate::kPublicKeyTypeCROSS};
+
const char* CertTypeToString(X509Certificate::PublicKeyType cert_type) {
switch (cert_type) {
case X509Certificate::kPublicKeyTypeUnknown:
@@ -97,6 +110,20 @@ const char* CertTypeToString(X509Certificate::PublicKeyType cert_type) {
return "RSA";
case X509Certificate::kPublicKeyTypeECDSA:
return "ECDSA";
+ case X509Certificate::kPublicKeyTypeDilithium:
+ return "Dilithium";
+ case X509Certificate::kPublicKeyTypeFalcon:
+ return "Falcon";
+ case X509Certificate::kPublicKeyTypeMLDSA:
+ return "ML-DSA";
+ case X509Certificate::kPublicKeyTypeSPHINCSSHA2:
+ return "SPHINCSSHA2";
+ case X509Certificate::kPublicKeyTypeSPHINCSSHAKE:
+ return "SPHINCSSHAKE";
+ case X509Certificate::kPublicKeyTypeMAYO:
+ return "MAYO";
+ case X509Certificate::kPublicKeyTypeCROSS:
+ return "CROSS";
}
NOTREACHED();
}
@@ -129,6 +156,8 @@ void RecordPublicKeyHistogram(const char* chain_position,
base::CustomHistogram::ArrayToCustomEnumRanges(kRsaKeySizes),
base::HistogramBase::kUmaTargetedHistogramFlag);
break;
+ default:
+ break;
}
counter->Add(size_bits);
}
@@ -167,7 +196,7 @@ bool ExaminePublicKeys(const scoped_refptr<X509Certificate>& cert,
cert->valid_expiry() >= kBaselineKeysizeEffectiveDate;
X509Certificate::GetPublicKeyInfo(cert->cert_buffer(), &size_bits, &type);
- if (should_histogram) {
+ if (!ArrayContains(OqsSigTypes, type) && should_histogram) {
RecordPublicKeyHistogram(kLeafCert, baseline_keysize_applies, size_bits,
type);
}
@@ -179,7 +208,7 @@ bool ExaminePublicKeys(const scoped_refptr<X509Certificate>& cert,
for (size_t i = 0; i < intermediates.size(); ++i) {
X509Certificate::GetPublicKeyInfo(intermediates[i].get(), &size_bits,
&type);
- if (should_histogram) {
+ if (!ArrayContains(OqsSigTypes, type) && should_histogram) {
RecordPublicKeyHistogram(
(i < intermediates.size() - 1) ? kIntermediateCert : kRootCert,
baseline_keysize_applies,
@@ -305,6 +334,37 @@ void RecordTrustAnchorHistogram(const HashValueVector& spki_hashes,
case bssl::SignatureAlgorithm::kRsaPssSha256:
case bssl::SignatureAlgorithm::kRsaPssSha384:
case bssl::SignatureAlgorithm::kRsaPssSha512:
+ case bssl::SignatureAlgorithm::kCrossrsdp128balanced:
+ case bssl::SignatureAlgorithm::kMayo1:
+ case bssl::SignatureAlgorithm::kDilithium2:
+ case bssl::SignatureAlgorithm::kMldsa44:
+ case bssl::SignatureAlgorithm::kP256_mldsa44:
+ case bssl::SignatureAlgorithm::kFalcon512:
+ case bssl::SignatureAlgorithm::kRsa3072_falcon512:
+ case bssl::SignatureAlgorithm::kFalconpadded512:
+ case bssl::SignatureAlgorithm::kSphincssha2128fsimple:
+ case bssl::SignatureAlgorithm::kSphincssha2128ssimple:
+ case bssl::SignatureAlgorithm::kSphincsshake128fsimple:
+ case bssl::SignatureAlgorithm::kSphincsshake128ssimple:
+ case bssl::SignatureAlgorithm::kMayo2:
+ case bssl::SignatureAlgorithm::kMayo3:
+ case bssl::SignatureAlgorithm::kDilithium3:
+ case bssl::SignatureAlgorithm::kMldsa65:
+ case bssl::SignatureAlgorithm::kP384_mldsa65:
+ case bssl::SignatureAlgorithm::kSphincssha2192fsimple:
+ case bssl::SignatureAlgorithm::kSphincssha2192ssimple:
+ case bssl::SignatureAlgorithm::kSphincsshake192fsimple:
+ case bssl::SignatureAlgorithm::kSphincsshake192ssimple:
+ case bssl::SignatureAlgorithm::kMayo5:
+ case bssl::SignatureAlgorithm::kDilithium5:
+ case bssl::SignatureAlgorithm::kMldsa87:
+ case bssl::SignatureAlgorithm::kP521_mldsa87:
+ case bssl::SignatureAlgorithm::kFalcon1024:
+ case bssl::SignatureAlgorithm::kFalconpadded1024:
+ case bssl::SignatureAlgorithm::kSphincssha2256fsimple:
+ case bssl::SignatureAlgorithm::kSphincssha2256ssimple:
+ case bssl::SignatureAlgorithm::kSphincsshake256fsimple:
+ case bssl::SignatureAlgorithm::kSphincsshake256ssimple:
return true;
}
net/cert/x509_certificate.cc
index 568f598029..8d51ee5376 100644
--- a/net/cert/x509_certificate.cc
+++ b/net/cert/x509_certificate.cc
@@ -629,6 +629,51 @@ void X509Certificate::GetPublicKeyInfo(const CRYPTO_BUFFER* cert_buffer,
case EVP_PKEY_EC:
*type = kPublicKeyTypeECDSA;
break;
+ case EVP_PKEY_MLDSA44:
+ case EVP_PKEY_P256_MLDSA44:
+ case EVP_PKEY_MLDSA65:
+ case EVP_PKEY_P384_MLDSA65:
+ case EVP_PKEY_MLDSA87:
+ case EVP_PKEY_P521_MLDSA87:
+ *type = kPublicKeyTypeMLDSA;
+ break;
+ case EVP_PKEY_DILITHIUM2:
+ case EVP_PKEY_DILITHIUM3:
+ case EVP_PKEY_DILITHIUM5:
+ *type = kPublicKeyTypeDilithium;
+ break;
+ case EVP_PKEY_FALCON512:
+ case EVP_PKEY_RSA3072_FALCON512:
+ case EVP_PKEY_FALCONPADDED512:
+ case EVP_PKEY_FALCON1024:
+ case EVP_PKEY_FALCONPADDED1024:
+ *type = kPublicKeyTypeFalcon;
+ break;
+ case EVP_PKEY_MAYO1:
+ case EVP_PKEY_MAYO2:
+ case EVP_PKEY_MAYO3:
+ case EVP_PKEY_MAYO5:
+ *type = kPublicKeyTypeMAYO;
+ break;
+ case EVP_PKEY_CROSSRSDP128BALANCED:
+ *type = kPublicKeyTypeCROSS;
+ break;
+ case EVP_PKEY_SPHINCSSHA2128FSIMPLE:
+ case EVP_PKEY_SPHINCSSHA2128SSIMPLE:
+ case EVP_PKEY_SPHINCSSHA2192FSIMPLE:
+ case EVP_PKEY_SPHINCSSHA2192SSIMPLE:
+ case EVP_PKEY_SPHINCSSHA2256FSIMPLE:
+ case EVP_PKEY_SPHINCSSHA2256SSIMPLE:
+ *type = kPublicKeyTypeSPHINCSSHA2;
+ break;
+ case EVP_PKEY_SPHINCSSHAKE128FSIMPLE:
+ case EVP_PKEY_SPHINCSSHAKE128SSIMPLE:
+ case EVP_PKEY_SPHINCSSHAKE192FSIMPLE:
+ case EVP_PKEY_SPHINCSSHAKE192SSIMPLE:
+ case EVP_PKEY_SPHINCSSHAKE256FSIMPLE:
+ case EVP_PKEY_SPHINCSSHAKE256SSIMPLE:
+ *type = kPublicKeyTypeSPHINCSSHAKE;
+ break;
}
*size_bits = base::saturated_cast<size_t>(EVP_PKEY_bits(pkey.get()));
}
net/cert/x509_certificate.h
index 60470fdd71..fd525c263d 100644
--- a/net/cert/x509_certificate.h
+++ b/net/cert/x509_certificate.h
@@ -45,6 +45,13 @@ class NET_EXPORT X509Certificate
kPublicKeyTypeUnknown,
kPublicKeyTypeRSA,
kPublicKeyTypeECDSA,
+ kPublicKeyTypeMAYO,
+ kPublicKeyTypeCROSS,
+ kPublicKeyTypeDilithium,
+ kPublicKeyTypeFalcon,
+ kPublicKeyTypeMLDSA,
+ kPublicKeyTypeSPHINCSSHA2,
+ kPublicKeyTypeSPHINCSSHAKE
};
enum Format {
net/quic/quic_session_pool.cc
index 5e748ae43c..a87820accc 100644
--- a/net/quic/quic_session_pool.cc
+++ b/net/quic/quic_session_pool.cc
@@ -429,12 +429,17 @@ QuicSessionPool::QuicCryptoClientConfigOwner::QuicCryptoClientConfigOwner(
base::Unretained(this)));
if (quic_session_pool_->ssl_config_service_->GetSSLContextConfig()
.PostQuantumKeyAgreementEnabled()) {
- uint16_t postquantum_group =
- base::FeatureList::IsEnabled(features::kUseMLKEM)
- ? SSL_GROUP_X25519_MLKEM768
- : SSL_GROUP_X25519_KYBER768_DRAFT00;
- config_.set_preferred_groups({postquantum_group, SSL_GROUP_X25519,
- SSL_GROUP_SECP256R1, SSL_GROUP_SECP384R1});
+ config_.set_preferred_groups({
+ // We temporarily enable both X25519_MLKEM768 and X25519_Kyber768
+ SSL_GROUP_X25519_MLKEM768, SSL_GROUP_X25519_KYBER768_DRAFT00,
+ SSL_GROUP_MLKEM512, SSL_GROUP_P256_MLKEM512, SSL_GROUP_X25519_MLKEM512, SSL_GROUP_MLKEM768, SSL_GROUP_P256_MLKEM768, SSL_GROUP_P384_MLKEM768, SSL_GROUP_MLKEM1024, SSL_GROUP_P384_MLKEM1024, SSL_GROUP_P521_MLKEM1024,
+ SSL_GROUP_FRODO640AES, SSL_GROUP_P256_FRODO640AES, SSL_GROUP_X25519_FRODO640AES, SSL_GROUP_FRODO976AES, SSL_GROUP_P384_FRODO976AES, SSL_GROUP_FRODO1344AES, SSL_GROUP_P521_FRODO1344AES,
+ SSL_GROUP_FRODO640SHAKE, SSL_GROUP_P256_FRODO640SHAKE, SSL_GROUP_X25519_FRODO640SHAKE, SSL_GROUP_FRODO976SHAKE, SSL_GROUP_P384_FRODO976SHAKE, SSL_GROUP_FRODO1344SHAKE, SSL_GROUP_P521_FRODO1344SHAKE,
+ SSL_GROUP_KYBER512, SSL_GROUP_P256_KYBER512, SSL_GROUP_X25519_KYBER512, SSL_GROUP_KYBER768, SSL_GROUP_P256_KYBER768, SSL_GROUP_P384_KYBER768, SSL_GROUP_KYBER1024, SSL_GROUP_P521_KYBER1024,
+ SSL_GROUP_BIKEL1, SSL_GROUP_P256_BIKEL1, SSL_GROUP_X25519_BIKEL1, SSL_GROUP_BIKEL3, SSL_GROUP_P384_BIKEL3, SSL_GROUP_BIKEL5, SSL_GROUP_P521_BIKEL5,
+ SSL_GROUP_HQC128, SSL_GROUP_P256_HQC128, SSL_GROUP_X25519_HQC128, SSL_GROUP_HQC192, SSL_GROUP_P384_HQC192, SSL_GROUP_HQC256, SSL_GROUP_P521_HQC256,
+ SSL_GROUP_X25519, SSL_GROUP_SECP256R1, SSL_GROUP_SECP384R1
+ });
}
}
QuicSessionPool::QuicCryptoClientConfigOwner::~QuicCryptoClientConfigOwner() {
net/socket/ssl_client_socket_impl.cc
index 568f598029..8d51ee5376 100644
--- a/net/cert/x509_certificate.cc
+++ b/net/cert/x509_certificate.cc
@@ -629,6 +629,51 @@ void X509Certificate::GetPublicKeyInfo(const CRYPTO_BUFFER* cert_buffer,
case EVP_PKEY_EC:
*type = kPublicKeyTypeECDSA;
break;
+ case EVP_PKEY_MLDSA44:
+ case EVP_PKEY_P256_MLDSA44:
+ case EVP_PKEY_MLDSA65:
+ case EVP_PKEY_P384_MLDSA65:
+ case EVP_PKEY_MLDSA87:
diff --git a/net/socket/ssl_client_socket_impl.cc b/net/socket/ssl_client_socket_impl.cc
index 092f0193d2..9ff846064e 100644
--- a/net/socket/ssl_client_socket_impl.cc
+++ b/net/socket/ssl_client_socket_impl.cc
@@ -643,12 +643,16 @@ int SSLClientSocketImpl::Init() {
}
if (context_->config().PostQuantumKeyAgreementEnabled()) {
- const uint16_t postquantum_group =
- base::FeatureList::IsEnabled(features::kUseMLKEM)
- ? SSL_GROUP_X25519_MLKEM768
- : SSL_GROUP_X25519_KYBER768_DRAFT00;
- const uint16_t kGroups[] = {postquantum_group, SSL_GROUP_X25519,
- SSL_GROUP_SECP256R1, SSL_GROUP_SECP384R1};
+ const uint16_t kGroups[] = {
+ // We temporarily enable both X25519_MLKEM768 and X25519_Kyber768
+ SSL_GROUP_X25519_MLKEM768, SSL_GROUP_X25519_KYBER768_DRAFT00,
+ SSL_GROUP_MLKEM512, SSL_GROUP_P256_MLKEM512, SSL_GROUP_X25519_MLKEM512, SSL_GROUP_MLKEM768, SSL_GROUP_P256_MLKEM768, SSL_GROUP_P384_MLKEM768, SSL_GROUP_MLKEM1024, SSL_GROUP_P384_MLKEM1024, SSL_GROUP_P521_MLKEM1024,
+ SSL_GROUP_FRODO640AES, SSL_GROUP_P256_FRODO640AES, SSL_GROUP_X25519_FRODO640AES, SSL_GROUP_FRODO976AES, SSL_GROUP_P384_FRODO976AES, SSL_GROUP_FRODO1344AES, SSL_GROUP_P521_FRODO1344AES,
+ SSL_GROUP_FRODO640SHAKE, SSL_GROUP_P256_FRODO640SHAKE, SSL_GROUP_X25519_FRODO640SHAKE, SSL_GROUP_FRODO976SHAKE, SSL_GROUP_P384_FRODO976SHAKE, SSL_GROUP_FRODO1344SHAKE, SSL_GROUP_P521_FRODO1344SHAKE,
+ SSL_GROUP_KYBER512, SSL_GROUP_P256_KYBER512, SSL_GROUP_X25519_KYBER512, SSL_GROUP_KYBER768, SSL_GROUP_P256_KYBER768, SSL_GROUP_P384_KYBER768, SSL_GROUP_KYBER1024, SSL_GROUP_P521_KYBER1024,
+ SSL_GROUP_BIKEL1, SSL_GROUP_P256_BIKEL1, SSL_GROUP_X25519_BIKEL1, SSL_GROUP_BIKEL3, SSL_GROUP_P384_BIKEL3, SSL_GROUP_BIKEL5, SSL_GROUP_P521_BIKEL5,
+ SSL_GROUP_HQC128, SSL_GROUP_P256_HQC128, SSL_GROUP_X25519_HQC128, SSL_GROUP_HQC192, SSL_GROUP_P384_HQC192, SSL_GROUP_HQC256, SSL_GROUP_P521_HQC256,
+ SSL_GROUP_X25519, SSL_GROUP_SECP256R1, SSL_GROUP_SECP384R1};
if (!SSL_set1_group_ids(ssl_.get(), kGroups, std::size(kGroups))) {
return ERR_UNEXPECTED;
}
@@ -750,6 +754,13 @@ int SSLClientSocketImpl::Init() {
SSL_SIGN_RSA_PKCS1_SHA256, SSL_SIGN_ECDSA_SECP384R1_SHA384,
SSL_SIGN_RSA_PSS_RSAE_SHA384, SSL_SIGN_RSA_PKCS1_SHA384,
SSL_SIGN_RSA_PSS_RSAE_SHA512, SSL_SIGN_RSA_PKCS1_SHA512,
+ SSL_SIGN_MLDSA44, SSL_SIGN_P256_MLDSA44, SSL_SIGN_MLDSA65, SSL_SIGN_P384_MLDSA65, SSL_SIGN_MLDSA87, SSL_SIGN_P521_MLDSA87,
+ SSL_SIGN_FALCON512, SSL_SIGN_RSA3072_FALCON512, SSL_SIGN_FALCONPADDED512, SSL_SIGN_FALCON1024, SSL_SIGN_FALCONPADDED1024,
+ SSL_SIGN_MAYO1, SSL_SIGN_MAYO2, SSL_SIGN_MAYO3, SSL_SIGN_MAYO5,
+ SSL_SIGN_SPHINCSSHA2128FSIMPLE, SSL_SIGN_SPHINCSSHA2128SSIMPLE, SSL_SIGN_SPHINCSSHA2192FSIMPLE, SSL_SIGN_SPHINCSSHA2192SSIMPLE, SSL_SIGN_SPHINCSSHA2256FSIMPLE, SSL_SIGN_SPHINCSSHA2256SSIMPLE,
+ SSL_SIGN_SPHINCSSHAKE128FSIMPLE, SSL_SIGN_SPHINCSSHAKE128SSIMPLE, SSL_SIGN_SPHINCSSHAKE192FSIMPLE, SSL_SIGN_SPHINCSSHAKE192SSIMPLE, SSL_SIGN_SP
HINCSSHAKE256FSIMPLE, SSL_SIGN_SPHINCSSHAKE256SSIMPLE,
+ SSL_SIGN_CROSSRSDP128BALANCED,
+ SSL_SIGN_DILITHIUM2, SSL_SIGN_DILITHIUM3, SSL_SIGN_DILITHIUM5
};
if (!SSL_set_verify_algorithm_prefs(ssl_.get(), kVerifyPrefs,
std::size(kVerifyPrefs))) {
third_party/boringssl/BUILD.gn
index 12b2fb63dd..bbbd5d3db3 100644
--- a/third_party/boringssl/BUILD.gn
+++ b/third_party/boringssl/BUILD.gn
@@ -17,7 +17,7 @@ if (enable_rust) {
# Config for us and everybody else depending on BoringSSL.
config("external_config") {
- include_dirs = [ "src/include" ]
+ include_dirs = [ "src/include" , "src/oqs/include"]
if (is_component_build) {
defines = [ "BORINGSSL_SHARED_LIBRARY" ]
}
@@ -46,7 +46,7 @@ config("no_asm_config") {
# unexport pki_internal_headers.
all_sources = bcm_internal_headers + bcm_sources + crypto_internal_headers +
crypto_sources + ssl_internal_headers + ssl_sources + pki_sources
-all_headers = crypto_headers + ssl_headers + pki_headers + pki_internal_headers
+all_headers = crypto_headers + ssl_headers + pki_headers + pki_internal_headers + oqs_headers
if (enable_rust) {
rust_bindgen_generator("raw_bssl_sys_bindings") {
@@ -142,6 +142,7 @@ component("boringssl") {
sources = rebase_path(all_sources, ".", "src")
public = rebase_path(all_headers, ".", "src")
friend = [ ":*" ]
+ libs = [ "//third_party/boringssl/src/oqs/lib/liboqs.a" ]
deps = [ "//third_party/boringssl/src/third_party/fiat:fiat_license" ]
# Mark boringssl_asm as a public dependency so the OPENSSL_NO_ASM
这里,根据diff的结果,大家自行的修改一下,就可以了,这里就是根据原始的patch的文件进行修改的。
编译
运行,如下命令,进行编译
cd $CHROMIUM_ROOT
gn args out/Default
然后,添加如下的配置,到打开的编辑器当中。
is_debug = false
symbol_level = 0
enable_nacl = false
blink_symbol_level = 0
然后,保存配置文件,如果进入vim的话,那就是按下ESC,然后输入:wqa即可。
开始编译,运行
autoninja -C out/Default chrome
这一步,会运行比较长的时间,需要耐心等待,取决于电脑配置,我这里,大概编译了4个小时左右。
编译完成之后,可以在这个目录下,发现编译好的应用,这就成功了。
测试
这里,我们还是用[6],进行测试,随便打开一个。
到这里,我们就成功的将抗量子密码,加入到了,我们自己编译的浏览器当中。
总结
在Mac上,编译浏览器的过程还是比较顺利的,除了在之前,踩过的SDK版本过低的坑,接下来的,就都交给时间了,注意,这里代码,一定要确保,自己放进去的是对的,建议,好好检查下,别搞错了,否则,回去,修改对比,又是一件浪费时间的事情,好了,快乐的时光过得特别快,又到了说再见的时候了,咱们下次再见。
参考资料
-
https://mp.weixin.qq.com/s/hr7FOq5mWtMciBoymAxKZA -
https://mp.weixin.qq.com/s/3f29_0STOfQyyo7GLUpqWg -
https://github.com/open-quantum-safe/oqs-demos/blob/main/chromium/README-Linux.md -
https://chromium.googlesource.com/chromium/src/+/main/docs/mac_build_instructions.md -
https://github.com/open-quantum-safe/oqs-demos/pull/302 -
https://github.com/open-quantum-safe/oqs-demos/blob/main/chromium/oqs-Linux.patch -
https://test.openquantumsafe.org/
原文始发于微信公众号(Coder小Q):【密码学】自编译Chronium实现抗量子加密协议
免责声明:文章中涉及的程序(方法)可能带有攻击性,仅供安全研究与教学之用,读者将其信息做其他用途,由读者承担全部法律及连带责任,本站不承担任何法律及连带责任;如有问题可邮件联系(建议使用企业邮箱或有效邮箱,避免邮件被拦截,联系方式见首页),望知悉。
- 左青龙
- 微信扫一扫
-
- 右白虎
- 微信扫一扫
-
评论