CVPN-1445 Add feature to build wolfssl with kyber only

kp-thomas-yau · kp-thomas-yau · commit ad3519d9557c · 2024-11-25T11:11:31.000+08:00
Added a new feature "kyber_only" to build with kyber only so that a kyber client can be built without any of the ML-KEM flags and thus preventing a kyber client to use ML-KEM after negotiation.
diff --git a/wolfssl-sys/Cargo.toml b/wolfssl-sys/Cargo.toml
@@ -23,6 +23,7 @@ test-case = "3.0"
 default = ["postquantum"]
 debug = []
 postquantum = []
+kyber_only = ["postquantum"]
 
 [[example]]
 name = "connect_pq"
diff --git a/wolfssl-sys/build.rs b/wolfssl-sys/build.rs
@@ -145,8 +145,13 @@ fn build_wolfssl(wolfssl_src: &Path) -> PathBuf {
     }
 
     if cfg!(feature = "postquantum") {
+        let flags = if cfg!(feature = "kyber_only") {
+            "all,original"
+        } else {
+            "all,original,ml-kem"
+        };
         // Enable Kyber
-        conf.enable("kyber", Some("all,original,ml-kem"))
+        conf.enable("kyber", Some(flags))
             // SHA3 is needed for using WolfSSL's implementation of Kyber/ML-KEM
             .enable("sha3", None);
     }
diff --git a/wolfssl-sys/src/lib.rs b/wolfssl-sys/src/lib.rs
@@ -20,7 +20,7 @@ mod tests {
 
     #[cfg(feature = "postquantum")]
     #[test_case(WOLFSSL_P521_KYBER_LEVEL5)]
-    #[test_case(WOLFSSL_P521_ML_KEM_1024)]
+    #[cfg_attr(not(feature = "kyber_only"), test_case(WOLFSSL_P521_ML_KEM_1024))]
     fn test_post_quantum_available(group: std::os::raw::c_uint) {
         unsafe {
             // Init WolfSSL
diff --git a/wolfssl/Cargo.toml b/wolfssl/Cargo.toml
@@ -12,6 +12,7 @@ keywords = ["wolfssl", "vpn", "lightway", "post-quantum", "cryptography"]
 default = ["postquantum"]
 postquantum = ["wolfssl-sys/postquantum"]
 debug = ["wolfssl-sys/debug"] # Note that application code must also call wolfssl::enable_debugging(true)
+kyber_only = ["wolfssl-sys/kyber_only"]
 
 [lints.rust]
 missing_docs = "deny"
diff --git a/wolfssl/src/lib.rs b/wolfssl/src/lib.rs
@@ -238,13 +238,13 @@ pub enum CurveGroup {
     P521KyberLevel5,
 
     /// `WOLFSSL_P256_ML_KEM_512`
-    #[cfg(feature = "postquantum")]
+    #[cfg(all(feature = "postquantum", not(feature = "kyber_only")))]
     P256MLKEM512,
     /// `WOLFSSL_P384_ML_KEM_768`
-    #[cfg(feature = "postquantum")]
+    #[cfg(all(feature = "postquantum", not(feature = "kyber_only")))]
     P384MLKEM768,
     /// `WOLFSSL_P521_ML_KEM_1024`
-    #[cfg(feature = "postquantum")]
+    #[cfg(all(feature = "postquantum", not(feature = "kyber_only")))]
     P521MLKEM1024,
 }
 
@@ -260,11 +260,11 @@ impl CurveGroup {
             P384KyberLevel3 => wolfssl_sys::WOLFSSL_P384_KYBER_LEVEL3,
             #[cfg(feature = "postquantum")]
             P521KyberLevel5 => wolfssl_sys::WOLFSSL_P521_KYBER_LEVEL5,
-            #[cfg(feature = "postquantum")]
+            #[cfg(all(feature = "postquantum", not(feature = "kyber_only")))]
             P256MLKEM512 => wolfssl_sys::WOLFSSL_P256_ML_KEM_512,
-            #[cfg(feature = "postquantum")]
+            #[cfg(all(feature = "postquantum", not(feature = "kyber_only")))]
             P384MLKEM768 => wolfssl_sys::WOLFSSL_P384_ML_KEM_768,
-            #[cfg(feature = "postquantum")]
+            #[cfg(all(feature = "postquantum", not(feature = "kyber_only")))]
             P521MLKEM1024 => wolfssl_sys::WOLFSSL_P521_ML_KEM_1024,
         }
     }

Original file line number	Diff line number	Diff line change
`@@ -145,8 +145,13 @@ fn build_wolfssl(wolfssl_src: &Path) -> PathBuf {`
`145`	`145`	`}`
`146`	`146`
`147`	`147`	`if cfg!(feature = "postquantum") {`
	`148`	`+ let flags = if cfg!(feature = "kyber_only") {`
	`149`	`+ "all,original"`
	`150`	`+ } else {`
	`151`	`+ "all,original,ml-kem"`
	`152`	`+ };`
`148`	`153`	`// Enable Kyber`
`149`		`- conf.enable("kyber", Some("all,original,ml-kem"))`
	`154`	`+ conf.enable("kyber", Some(flags))`
`150`	`155`	`// SHA3 is needed for using WolfSSL's implementation of Kyber/ML-KEM`
`151`	`156`	`.enable("sha3", None);`
`152`	`157`	`}`