Merge pull request #195 from expressvpn/CVPN-1445-enable-mlkem-and-kyber

kp-thomas-yau · web-flow · commit 1e4035573d59 · 2024-11-26T14:22:42.000+08:00
CVPN-1445 Add ML-KEM groups
diff --git a/Cargo.lock b/Cargo.lock
diff --git a/wolfssl-sys/Cargo.toml b/wolfssl-sys/Cargo.toml
@@ -16,10 +16,14 @@ bindgen = "0.70"
 autotools = "0.2"
 build-target = "0.4.0"
 
+[dev-dependencies]
+test-case = "3.0"
+
 [features]
 default = ["postquantum"]
 debug = []
 postquantum = []
+kyber_only = ["postquantum"]
 
 [[example]]
 name = "connect_pq"
diff --git a/wolfssl-sys/build.rs b/wolfssl-sys/build.rs
@@ -145,8 +145,13 @@ fn build_wolfssl(wolfssl_src: &Path) -> PathBuf {
     }
 
     if cfg!(feature = "postquantum") {
+        let flags = if cfg!(feature = "kyber_only") {
+            "all,original"
+        } else {
+            "all,original,ml-kem"
+        };
         // Enable Kyber
-        conf.enable("kyber", Some("all,original"))
+        conf.enable("kyber", Some(flags))
             // SHA3 is needed for using WolfSSL's implementation of Kyber/ML-KEM
             .enable("sha3", None);
     }
diff --git a/wolfssl-sys/src/lib.rs b/wolfssl-sys/src/lib.rs
@@ -7,6 +7,7 @@ pub use bindings::*;
 #[cfg(test)]
 mod tests {
     use std::os::raw::c_int;
+    use test_case::test_case;
 
     use super::*;
     #[test]
@@ -17,9 +18,10 @@ mod tests {
         }
     }
 
-    #[test]
     #[cfg(feature = "postquantum")]
-    fn test_post_quantum_available() {
+    #[test_case(WOLFSSL_P521_KYBER_LEVEL5)]
+    #[cfg_attr(not(feature = "kyber_only"), test_case(WOLFSSL_P521_ML_KEM_1024))]
+    fn test_post_quantum_available(group: std::os::raw::c_uint) {
         unsafe {
             // Init WolfSSL
             let res = wolfSSL_Init();
@@ -34,10 +36,9 @@ mod tests {
             // Create new SSL stream
             let ssl = wolfSSL_new(context);
 
-            // Enable Kyber
-            let res = wolfSSL_UseKeyShare(ssl, WOLFSSL_P521_KYBER_LEVEL5.try_into().unwrap());
+            let res = wolfSSL_UseKeyShare(ssl, group.try_into().unwrap());
 
-            // Check that Kyber was enabled
+            // Check that Kyber/ML-KEM was enabled
             assert_eq!(res, WOLFSSL_SUCCESS as c_int);
         }
     }
diff --git a/wolfssl/Cargo.toml b/wolfssl/Cargo.toml
@@ -12,6 +12,7 @@ keywords = ["wolfssl", "vpn", "lightway", "post-quantum", "cryptography"]
 default = ["postquantum"]
 postquantum = ["wolfssl-sys/postquantum"]
 debug = ["wolfssl-sys/debug"] # Note that application code must also call wolfssl::enable_debugging(true)
+kyber_only = ["wolfssl-sys/kyber_only"]
 
 [lints.rust]
 missing_docs = "deny"
diff --git a/wolfssl/src/lib.rs b/wolfssl/src/lib.rs
@@ -236,6 +236,16 @@ pub enum CurveGroup {
     /// `WOLFSSL_P521_KYBER_LEVEL5`
     #[cfg(feature = "postquantum")]
     P521KyberLevel5,
+
+    /// `WOLFSSL_P256_ML_KEM_512`
+    #[cfg(all(feature = "postquantum", not(feature = "kyber_only")))]
+    P256MLKEM512,
+    /// `WOLFSSL_P384_ML_KEM_768`
+    #[cfg(all(feature = "postquantum", not(feature = "kyber_only")))]
+    P384MLKEM768,
+    /// `WOLFSSL_P521_ML_KEM_1024`
+    #[cfg(all(feature = "postquantum", not(feature = "kyber_only")))]
+    P521MLKEM1024,
 }
 
 impl CurveGroup {
@@ -250,6 +260,12 @@ impl CurveGroup {
             P384KyberLevel3 => wolfssl_sys::WOLFSSL_P384_KYBER_LEVEL3,
             #[cfg(feature = "postquantum")]
             P521KyberLevel5 => wolfssl_sys::WOLFSSL_P521_KYBER_LEVEL5,
+            #[cfg(all(feature = "postquantum", not(feature = "kyber_only")))]
+            P256MLKEM512 => wolfssl_sys::WOLFSSL_P256_ML_KEM_512,
+            #[cfg(all(feature = "postquantum", not(feature = "kyber_only")))]
+            P384MLKEM768 => wolfssl_sys::WOLFSSL_P384_ML_KEM_768,
+            #[cfg(all(feature = "postquantum", not(feature = "kyber_only")))]
+            P521MLKEM1024 => wolfssl_sys::WOLFSSL_P521_ML_KEM_1024,
         }
     }
 }

Original file line number	Diff line number	Diff line change
`@@ -145,8 +145,13 @@ fn build_wolfssl(wolfssl_src: &Path) -> PathBuf {`
`145`	`145`	`}`
`146`	`146`
`147`	`147`	`if cfg!(feature = "postquantum") {`
	`148`	`+ let flags = if cfg!(feature = "kyber_only") {`
	`149`	`+ "all,original"`
	`150`	`+ } else {`
	`151`	`+ "all,original,ml-kem"`
	`152`	`+ };`
`148`	`153`	`// Enable Kyber`
`149`		`- conf.enable("kyber", Some("all,original"))`
	`154`	`+ conf.enable("kyber", Some(flags))`
`150`	`155`	`// SHA3 is needed for using WolfSSL's implementation of Kyber/ML-KEM`
`151`	`156`	`.enable("sha3", None);`
`152`	`157`	`}`