CVPN-1554 Add patch to use WolfSSL Kyber and ML-KEM

We would use a patch to use WolfSSL's implementation of both Kyber and ML-KEM so that we can remove liboqs while maintaing support for Kyber at the moment. This patch uses commits and code changes from the following PR in WolfSSL: - wolfSSL/wolfssl#8143 - wolfSSL/wolfssl#8172 - wolfSSL/wolfssl#8183 - wolfSSL/wolfssl#8185
expressvpn · Nov 15, 2024 · f651f99 · f651f99
1 parent 94743cd
commit f651f99
Show file tree

Hide file tree

Showing 6 changed files with 3,564 additions and 20 deletions.
diff --git a/wolfssl-sys/build.rs b/wolfssl-sys/build.rs
@@ -43,7 +43,13 @@ fn copy_wolfssl(dest: &Path) -> std::io::Result<PathBuf> {
 }
 
 const PATCH_DIR: &str = "patches";
-const PATCHES: &[&str] = &["disable-falcon-dilithium.patch"];
+const PATCHES: &[&str] = &[
+    "enable-private-key-for-pqc.patch",
+    "make-kyber-mlkem-available.patch",
+    "fix-kyber-mlkem-benchmark.patch",
+    "fix-mlkem-get-curve-name.patch",
+    "fix-kyber-get-curve-name.patch",
+];
 
 /**
  * Apply patch to wolfssl-src
@@ -90,6 +96,8 @@ fn build_wolfssl(wolfssl_src: &Path) -> PathBuf {
         .disable_shared()
         // Disable sys ca certificate store
         .disable("sys-ca-certs", None)
+        // Disable dilithium
+        .disable("dilithium", None)
         // Enable AES bitsliced implementation (cache attack safe)
         .enable("aes-bitsliced", None)
         // Enable Curve25519

diff --git a/...ys/patches/disable-falcon-dilithium.patch → .../patches/enable-private-key-for-pqc.patch b/...ys/patches/disable-falcon-dilithium.patch → .../patches/enable-private-key-for-pqc.patch
@@ -11,22 +11,3 @@ index 390b21b54..98458c780 100644
      byte*                 privKey;   /* Private key - DH and PQ KEMs only */
      word32                privKeyLen;/* Only for PQ KEMs. */
  #endif
-diff --git a/wolfssl/wolfcrypt/settings.h b/wolfssl/wolfcrypt/settings.h
-index a4302c700..f1ddb2231 100644
---- a/wolfssl/wolfcrypt/settings.h
-+++ b/wolfssl/wolfcrypt/settings.h
-@@ -3351,10 +3351,10 @@ extern void uITRON4_free(void *p) ;
-  * group */
- #ifdef HAVE_LIBOQS
- #define HAVE_PQC
--#define HAVE_FALCON
--#ifndef HAVE_DILITHIUM
--    #define HAVE_DILITHIUM
--#endif
-+// #define HAVE_FALCON
-+// #ifndef HAVE_DILITHIUM
-+//     #define HAVE_DILITHIUM
-+// #endif
- #ifndef WOLFSSL_NO_SPHINCS
-     #define HAVE_SPHINCS
- #endif
diff --git a/wolfssl-sys/patches/fix-kyber-get-curve-name.patch b/wolfssl-sys/patches/fix-kyber-get-curve-name.patch
@@ -0,0 +1,40 @@
+From a8f88e38e24f7f3f0b5d2a552a59954594b79c08 Mon Sep 17 00:00:00 2001
+From: David Garske <[email protected]>
+Date: Thu, 14 Nov 2024 17:57:24 -0800
+Subject: [PATCH 4/4] Merge pull request #8185 from SparkiDev/kyber_fixes_4
+
+Kyber: Fix wolfSSL_get_curve_name()
+---
+ src/ssl.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/src/ssl.c b/src/ssl.c
+index edcd5d9df1..559c977c61 100644
+--- a/src/ssl.c
++++ b/src/ssl.c
+@@ -14602,19 +14602,19 @@ const char* wolfSSL_get_curve_name(WOLFSSL* ssl)
+         case WOLFSSL_P521_KYBER_LEVEL5:
+             return "P521_KYBER_LEVEL5";
+ #elif defined(WOLFSSL_WC_KYBER)
+-    #ifdef WOLFSSL_KYBER512
++    #ifndef WOLFSSL_NO_KYBER512
+         case WOLFSSL_KYBER_LEVEL1:
+             return "KYBER_LEVEL1";
+         case WOLFSSL_P256_KYBER_LEVEL1:
+             return "P256_KYBER_LEVEL1";
+     #endif
+-    #ifdef WOLFSSL_KYBER768
++    #ifndef WOLFSSL_NO_KYBER768
+         case WOLFSSL_KYBER_LEVEL3:
+             return "KYBER_LEVEL3";
+         case WOLFSSL_P384_KYBER_LEVEL3:
+             return "P384_KYBER_LEVEL3";
+     #endif
+-    #ifdef WOLFSSL_KYBER1024
++    #ifndef WOLFSSL_NO_KYBER1024
+         case WOLFSSL_KYBER_LEVEL5:
+             return "KYBER_LEVEL5";
+         case WOLFSSL_P521_KYBER_LEVEL5:
+-- 
+2.43.0
+
diff --git a/wolfssl-sys/patches/fix-kyber-mlkem-benchmark.patch b/wolfssl-sys/patches/fix-kyber-mlkem-benchmark.patch
@@ -0,0 +1,86 @@
+From 4d81279e8982840d47e1719a5a5ba827c930b5a2 Mon Sep 17 00:00:00 2001
+From: Daniel Pouzzner <[email protected]>
+Date: Mon, 11 Nov 2024 23:00:51 -0600
+Subject: [PATCH 2/4] Merge pull request #8172 from SparkiDev/kyber_bench_fix
+
+Kyber benchmark: allow ML-KEM and Kyber
+---
+ wolfcrypt/benchmark/benchmark.c | 41 +++++++++++++++++++++++++++++++++
+ 1 file changed, 41 insertions(+)
+
+diff --git a/wolfcrypt/benchmark/benchmark.c b/wolfcrypt/benchmark/benchmark.c
+index a242ad9f2b..2a8a511643 100644
+--- a/wolfcrypt/benchmark/benchmark.c
++++ b/wolfcrypt/benchmark/benchmark.c
+@@ -3652,6 +3652,24 @@ static void* benchmarks_do(void* args)
+
+ #ifdef WOLFSSL_HAVE_KYBER
+     if (bench_all || (bench_pq_asym_algs & BENCH_KYBER)) {
++#ifndef WOLFSSL_NO_ML_KEM
++    #ifdef WOLFSSL_KYBER512
++        if (bench_all || (bench_pq_asym_algs & BENCH_KYBER512)) {
++            bench_kyber(WC_ML_KEM_512);
++        }
++    #endif
++    #ifdef WOLFSSL_KYBER768
++        if (bench_all || (bench_pq_asym_algs & BENCH_KYBER768)) {
++            bench_kyber(WC_ML_KEM_768);
++        }
++    #endif
++    #ifdef WOLFSSL_KYBER1024
++        if (bench_all || (bench_pq_asym_algs & BENCH_KYBER1024)) {
++            bench_kyber(WC_ML_KEM_1024);
++        }
++    #endif
++#endif
++#ifdef WOLFSSL_KYBER_ORIGINAL
+     #ifdef WOLFSSL_KYBER512
+         if (bench_all || (bench_pq_asym_algs & BENCH_KYBER512)) {
+             bench_kyber(KYBER512);
+@@ -3667,6 +3685,7 @@ static void* benchmarks_do(void* args)
+             bench_kyber(KYBER1024);
+         }
+     #endif
++#endif
+     }
+ #endif
+
+@@ -9471,6 +9490,27 @@ void bench_kyber(int type)
+     int keySize = 0;
+
+     switch (type) {
++#ifndef WOLFSSL_NO_ML_KEM
++#ifdef WOLFSSL_WC_ML_KEM_512
++    case WC_ML_KEM_512:
++        name = "ML-KEM 512 ";
++        keySize = 128;
++        break;
++#endif
++#ifdef WOLFSSL_WC_ML_KEM_768
++    case WC_ML_KEM_768:
++        name = "ML-KEM 768 ";
++        keySize = 192;
++        break;
++#endif
++#ifdef WOLFSSL_WC_ML_KEM_1024
++    case WC_ML_KEM_1024:
++        name = "ML-KEM 1024 ";
++        keySize = 256;
++        break;
++#endif
++#endif
++#ifdef WOLFSSL_KYBER_ORIGINAL
+ #ifdef WOLFSSL_KYBER512
+     case KYBER512:
+         name = "KYBER512 ";
+@@ -9488,6 +9528,7 @@ void bench_kyber(int type)
+         name = "KYBER1024";
+         keySize = 256;
+         break;
++#endif
+ #endif
+     }
+
+-- 
+2.43.0
+
diff --git a/wolfssl-sys/patches/fix-mlkem-get-curve-name.patch b/wolfssl-sys/patches/fix-mlkem-get-curve-name.patch
@@ -0,0 +1,201 @@
+From bb3822635b481f00099374d4cc7358b8c90a01fd Mon Sep 17 00:00:00 2001
+From: Daniel Pouzzner <[email protected]>
+Date: Thu, 14 Nov 2024 12:47:09 -0600
+Subject: [PATCH 3/4] Merge pull request #8183 from SparkiDev/kyber_fixes_3
+
+Kyber: fixes to configure and wolfSSL_get_curve_name
+---
+ configure.ac | 13 +++++++++----
+ src/ssl.c    |  6 +++---
+ src/tls.c    | 24 ++++++++++++------------
+ tests/api.c  |  9 +++++++++
+ 4 files changed, 33 insertions(+), 19 deletions(-)
+
+diff --git a/configure.ac b/configure.ac
+index 94a1d33e02..56aa878fd9 100644
+--- a/configure.ac
++++ b/configure.ac
+@@ -1276,7 +1276,7 @@ AC_ARG_ENABLE([kyber],
+     )
+
+ ENABLED_WC_KYBER=no
+-ENABLED_ML_KEM=yes
++ENABLED_ML_KEM=unset
+ for v in `echo $ENABLED_KYBER | tr "," " "`
+ do
+   case $v in
+@@ -1302,9 +1302,8 @@ do
+   original)
+     ENABLED_ORIGINAL=yes
+     ;;
+-  original-only)
+-    ENABLED_ORIGINAL=yes
+-    ENABLED_ML_KEM=no
++  ml-kem)
++    ENABLED_ML_KEM=yes
+     ;;
+   *)
+     AC_MSG_ERROR([Invalid choice for KYBER []: $ENABLED_KYBER.])
+@@ -1333,6 +1332,12 @@ then
+         if test "$ENABLED_KYBER1024" = ""; then
+             AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_NO_KYBER1024"
+         fi
++        if test "$ENABLED_ML_KEM" = "unset"; then
++            ENABLED_ML_KEM=no
++        fi
++    fi
++    if test "$ENABLED_ML_KEM" = "unset"; then
++        ENABLED_ML_KEM=yes
+     fi
+     if test "$ENABLED_ML_KEM" = "yes"; then
+         if test "$ENABLED_KYBER512" = ""; then
+diff --git a/src/ssl.c b/src/ssl.c
+index d9a53dfd53..edcd5d9df1 100644
+--- a/src/ssl.c
++++ b/src/ssl.c
+@@ -14567,19 +14567,19 @@ const char* wolfSSL_get_curve_name(WOLFSSL* ssl)
+         case WOLFSSL_P521_ML_KEM_1024:
+             return "P521_ML_KEM_1024";
+ #elif defined(WOLFSSL_WC_KYBER)
+-    #ifdef WOLFSSL_WC_ML_KEM_512
++    #ifndef WOLFSSL_NO_ML_KEM_512
+         case WOLFSSL_ML_KEM_512:
+             return "ML_KEM_512";
+         case WOLFSSL_P256_ML_KEM_512:
+             return "P256_ML_KEM_512";
+     #endif
+-    #ifdef WOLFSSL_WC_ML_KEM_768
++    #ifndef WOLFSSL_NO_ML_KEM_768
+         case WOLFSSL_ML_KEM_768:
+             return "ML_KEM_768";
+         case WOLFSSL_P384_ML_KEM_768:
+             return "P384_ML_KEM_768";
+     #endif
+-    #ifdef WOLFSSL_WC_ML_KEM_1024
++    #ifndef WOLFSSL_NO_ML_KEM_1024
+         case WOLFSSL_ML_KEM_1024:
+             return "ML_KEM_1024";
+         case WOLFSSL_P521_ML_KEM_1024:
+diff --git a/src/tls.c b/src/tls.c
+index 0c69c079e3..25b7f03dfc 100644
+--- a/src/tls.c
++++ b/src/tls.c
+@@ -7983,17 +7983,17 @@ static int kyber_id2type(int id, int *type)
+
+     switch (id) {
+ #ifndef WOLFSSL_NO_ML_KEM
+-    #ifdef WOLFSSL_WC_ML_KEM_512
++    #ifndef WOLFSSL_NO_ML_KEM_512
+         case WOLFSSL_ML_KEM_512:
+             *type = WC_ML_KEM_512;
+             break;
+     #endif
+-    #ifdef WOLFSSL_WC_ML_KEM_768
++    #ifndef WOLFSSL_NO_ML_KEM_768
+         case WOLFSSL_ML_KEM_768:
+             *type = WC_ML_KEM_768;
+             break;
+     #endif
+-    #ifdef WOLFSSL_WC_ML_KEM_1024
++    #ifndef WOLFSSL_NO_ML_KEM_1024
+         case WOLFSSL_ML_KEM_1024:
+             *type = WC_ML_KEM_1024;
+             break;
+@@ -9693,15 +9693,15 @@ static int TLSX_KeyShare_IsSupported(int namedGroup)
+ #ifdef WOLFSSL_HAVE_KYBER
+ #ifndef WOLFSSL_NO_ML_KEM
+     #ifdef WOLFSSL_WC_KYBER
+-        #ifdef WOLFSSL_WC_ML_KEM_512
++        #ifndef WOLFSSL_NO_ML_KEM_512
+             case WOLFSSL_ML_KEM_512:
+             case WOLFSSL_P256_ML_KEM_512:
+         #endif
+-        #ifdef WOLFSSL_WC_ML_KEM_768
++        #ifndef WOLFSSL_NO_ML_KEM_768
+             case WOLFSSL_ML_KEM_768:
+             case WOLFSSL_P384_ML_KEM_768:
+         #endif
+-        #ifdef WOLFSSL_WC_ML_KEM_1024
++        #ifndef WOLFSSL_NO_ML_KEM_1024
+             case WOLFSSL_ML_KEM_1024:
+             case WOLFSSL_P521_ML_KEM_1024:
+         #endif
+@@ -9815,15 +9815,15 @@ static const word16 preferredGroup[] = {
+ #endif
+ #ifndef WOLFSSL_NO_ML_KEM
+ #ifdef WOLFSSL_WC_KYBER
+-    #ifdef WOLFSSL_WC_ML_KEM_512
++    #ifndef WOLFSSL_NO_ML_KEM_512
+     WOLFSSL_ML_KEM_512,
+     WOLFSSL_P256_ML_KEM_512,
+     #endif
+-    #ifdef WOLFSSL_WC_ML_KEM_768
++    #ifndef WOLFSSL_NO_ML_KEM_768
+     WOLFSSL_ML_KEM_768,
+     WOLFSSL_P384_ML_KEM_768,
+     #endif
+-    #ifdef WOLFSSL_WC_ML_KEM_1024
++    #ifndef WOLFSSL_NO_ML_KEM_1024
+     WOLFSSL_ML_KEM_1024,
+     WOLFSSL_P521_ML_KEM_1024,
+     #endif
+@@ -13473,7 +13473,7 @@ static int TLSX_PopulateSupportedGroups(WOLFSSL* ssl, TLSX** extensions)
+ #ifdef WOLFSSL_HAVE_KYBER
+ #ifndef WOLFSSL_NO_ML_KEM
+ #ifdef WOLFSSL_WC_KYBER
+-#ifdef WOLFSSL_WC_ML_KEM_512
++#ifndef WOLFSSL_NO_ML_KEM_512
+     if (ret == WOLFSSL_SUCCESS)
+         ret = TLSX_UseSupportedCurve(extensions, WOLFSSL_ML_KEM_512,
+                                      ssl->heap);
+@@ -13481,7 +13481,7 @@ static int TLSX_PopulateSupportedGroups(WOLFSSL* ssl, TLSX** extensions)
+         ret = TLSX_UseSupportedCurve(extensions, WOLFSSL_P256_ML_KEM_512,
+                                      ssl->heap);
+ #endif
+-#ifdef WOLFSSL_WC_ML_KEM_768
++#ifndef WOLFSSL_NO_ML_KEM_768
+     if (ret == WOLFSSL_SUCCESS)
+         ret = TLSX_UseSupportedCurve(extensions, WOLFSSL_ML_KEM_768,
+                                      ssl->heap);
+@@ -13489,7 +13489,7 @@ static int TLSX_PopulateSupportedGroups(WOLFSSL* ssl, TLSX** extensions)
+         ret = TLSX_UseSupportedCurve(extensions, WOLFSSL_P384_ML_KEM_768,
+                                      ssl->heap);
+ #endif
+-#ifdef WOLFSSL_WC_ML_KEM_1024
++#ifndef WOLFSSL_NO_ML_KEM_1024
+     if (ret == WOLFSSL_SUCCESS)
+         ret = TLSX_UseSupportedCurve(extensions, WOLFSSL_ML_KEM_1024,
+                                      ssl->heap);
+diff --git a/tests/api.c b/tests/api.c
+index 283ff6026e..82129aa561 100644
+--- a/tests/api.c
++++ b/tests/api.c
+@@ -95513,7 +95513,11 @@ static int test_dtls13_frag_ch_pq(void)
+     const char *test_str = "test";
+     int test_str_size;
+     byte buf[255];
++#ifdef WOLFSSL_KYBER_ORIGINAL
+     int group = WOLFSSL_KYBER_LEVEL5;
++#else
++    int group = WOLFSSL_ML_KEM_1024;
++#endif
+
+     XMEMSET(&test_ctx, 0, sizeof(test_ctx));
+     ExpectIntEQ(test_memio_setup(&test_ctx, &ctx_c, &ctx_s, &ssl_c, &ssl_s,
+@@ -95523,8 +95527,13 @@ static int test_dtls13_frag_ch_pq(void)
+     ExpectIntEQ(wolfSSL_UseKeyShare(ssl_c, group), WOLFSSL_SUCCESS);
+     ExpectIntEQ(wolfSSL_dtls13_allow_ch_frag(ssl_s, 1), WOLFSSL_SUCCESS);
+     ExpectIntEQ(test_memio_do_handshake(ssl_c, ssl_s, 10, NULL), 0);
++#ifdef WOLFSSL_KYBER_ORIGINAL
+     ExpectStrEQ(wolfSSL_get_curve_name(ssl_c), "KYBER_LEVEL5");
+     ExpectStrEQ(wolfSSL_get_curve_name(ssl_s), "KYBER_LEVEL5");
++#else
++    ExpectStrEQ(wolfSSL_get_curve_name(ssl_c), "ML_KEM_1024");
++    ExpectStrEQ(wolfSSL_get_curve_name(ssl_s), "ML_KEM_1024");
++#endif
+     test_str_size = XSTRLEN("test") + 1;
+     ExpectIntEQ(wolfSSL_write(ssl_c, test_str, test_str_size), test_str_size);
+     ExpectIntEQ(wolfSSL_read(ssl_s, buf, sizeof(buf)), test_str_size);
+-- 
+2.43.0
+