Merge pull request #192 from expressvpn/CVPN-1554-remove-liboqs-and-use-new-wolfssl

CVPN-1554 Remove liboqs and use WolfSSL's implementations

Author: kp-thomas-yau

Cargo.lock

@@ -31,9 +31,6 @@ wildcards = "allow"
 highlight = "all"
 workspace-default-features = "allow"
 external-default-features = "allow"
-skip = [
-    { name = "bindgen", version = "0.68.1" },
-]
 
 [sources]
 unknown-registry = "deny"

deny.toml

@@ -16,21 +16,10 @@ bindgen = "0.70"
 autotools = "0.2"
 build-target = "0.4.0"
 
-[dependencies.oqs-sys]
-version = "0.9.1"
-default-features = false
-features = ["kyber"]
-optional = true
-
 [features]
-default = []
+default = ["postquantum"]
 debug = []
-postquantum = ["dep:oqs-sys"]
-
-
-[package.metadata.cargo-all-features]
-# Not an actual feature
-denylist = ["oqs-sys"]
+postquantum = []
 
 [[example]]
 name = "connect_pq"

wolfssl-sys/Cargo.toml

@@ -43,7 +43,13 @@ fn copy_wolfssl(dest: &Path) -> std::io::Result<PathBuf> {
 }
 
 const PATCH_DIR: &str = "patches";
-const PATCHES: &[&str] = &["disable-falcon-dilithium.patch"];
+const PATCHES: &[&str] = &[
+    "include-private-key-fields-for-kyber.patch",
+    "make-kyber-mlkem-available.patch",
+    "fix-kyber-mlkem-benchmark.patch",
+    "fix-mlkem-get-curve-name.patch",
+    "fix-kyber-get-curve-name.patch",
+];
 
 /**
  * Apply patch to wolfssl-src
@@ -90,6 +96,8 @@ fn build_wolfssl(wolfssl_src: &Path) -> PathBuf {
         .disable_shared()
         // Disable sys ca certificate store
         .disable("sys-ca-certs", None)
+        // Disable dilithium
+        .disable("dilithium", None)
         // Enable AES bitsliced implementation (cache attack safe)
         .enable("aes-bitsliced", None)
         // Enable Curve25519
@@ -118,7 +126,7 @@ fn build_wolfssl(wolfssl_src: &Path) -> PathBuf {
         .enable("supportedcurves", None)
         // Enable TLS/1.3
         .enable("tls13", None)
-        // Enable liboqs, etc
+        // Enable kyber, etc
         .enable("experimental", None)
         // CFLAGS
         .cflag("-g")
@@ -137,21 +145,10 @@ fn build_wolfssl(wolfssl_src: &Path) -> PathBuf {
     }
 
     if cfg!(feature = "postquantum") {
-        // Post Quantum support is provided by liboqs
-        if let Some(include) = std::env::var_os("DEP_OQS_ROOT") {
-            let oqs_path = Path::new(&include);
-            conf.cflag(format!(
-                "-I{}",
-                oqs_path.join("build/include/").to_str().unwrap()
-            ));
-            conf.ldflag(format!(
-                "-L{}",
-                oqs_path.join("build/lib/").to_str().unwrap()
-            ));
-            conf.with("liboqs", None);
-        } else {
-            panic!("Post Quantum requested but liboqs appears to be missing?");
-        }
+        // Enable Kyber
+        conf.enable("kyber", Some("all,original"))
+            // SHA3 is needed for using WolfSSL's implementation of Kyber/ML-KEM
+            .enable("sha3", None);
     }
 
     match build_target::target_arch().unwrap() {
@@ -291,10 +288,6 @@ fn main() -> std::io::Result<()> {
     // Tell cargo to tell rustc to link in WolfSSL
     println!("cargo:rustc-link-lib=static=wolfssl");
 
-    if cfg!(feature = "postquantum") {
-        println!("cargo:rustc-link-lib=static=oqs");
-    }
-
     println!(
         "cargo:rustc-link-search=native={}",
         wolfssl_install_dir.join("lib").to_str().unwrap()