-
Notifications
You must be signed in to change notification settings - Fork 4
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
CVPN-1554 Remove liboqs and use WolfSSL's implementations #192
CVPN-1554 Remove liboqs and use WolfSSL's implementations #192
Conversation
Code coverage summary for 134071a:
✅ Region coverage 59% passes |
b5a6004
to
1a2ebf2
Compare
b6c883c
to
f6f46c1
Compare
f6f46c1
to
f651f99
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Can you please add context around this renaming and removal of the part of the patch ?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I have replaced the patch with their PR fix: wolfSSL/wolfssl#8196
Since now we are removing liboqs
, HAVE_LIBOQS
would not be defined and the patch in settings.h
would not be compiled anyway.
f651f99
to
9b0c980
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Changes LGTM
Remove liboqs and enable WolfSSL's own Kyber implementation via the flags. See: wolfSSL/wolfssl#8183
We would use a patch to use WolfSSL's implementation of both Kyber and ML-KEM so that we can remove liboqs while maintaining support for Kyber at the moment. This patch uses commits and code changes from the following PR in WolfSSL: - wolfSSL/wolfssl#8143 - wolfSSL/wolfssl#8172 - wolfSSL/wolfssl#8183 - wolfSSL/wolfssl#8185
Disable dilithium explicitly so that we can reduce WolfSSL size as we are not using it at the moment.
Use the official fix from WolfSSL PR: wolfSSL/wolfssl#8196 instead of our own implementation to enable private key fields in key share entry when we are using post-quantum KEM.
9b0c980
to
ab01e98
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM
Add relevant tests and different ML-KEM groups to be used in the Lightway. The config flags can be found here: #192
Add relevant tests and different ML-KEM groups to be used in the Lightway. The config flags can be found here: #192
Add relevant tests and different ML-KEM groups to be used in the Lightway. The config flags can be found here: #192
Add relevant tests and different ML-KEM groups to be used in the Lightway. The config flags can be found here: #192
Description
This PR removes
liboqs
and would instead use WolfSSL's implementation of Kyber. Since WolfSSL would officially release their Kyber/ML-KEM implementations a few months later, we would use the git patch to essentially patch their PRs on top of the 5.7.4 release.The patch consists of the commits and code changes from the following PR from WolfSSL:
Configuration for enabling ML-KEM/Kyber:
./configure --enable-kyber
./configure --enable-kyber=all,ml-kem
./configure --enable-kyber=all,original
./configure --enable-kyber=all,original,ml-kem
./configure --enable-kyber=all,ml-kem,original
Testing
Tested with helium-cli, lightway clients (with and without liboqs)
See: https://polymoon.atlassian.net/browse/CVPN-1554?focusedCommentId=1351477
CI pipelines for
kp_lightway
,lightway
passed as wellhttps://github.com/expressvpn/lightway/pull/122