Merge branch 'add-support-ml-kem'

CHANGELOG.md

@@ -19,6 +19,13 @@ Line wrap the file at 100 chars.                                              Th
 * **Fixed**: for any bug fixes.
 * **Security**: in case of vulnerabilities.
 
+## [Unreleased]
+### Added
+- Add support for using ML-KEM-1024 in exchange.
+### Changed
+- Change default value for argument `kem` into `cme-mlkem`.
+
+
 ## [1.0.4] - 2024-10-01
 ### Changed
 - Prevent upgrading an already upgraded tunnel.

README.md

@@ -1,5 +1,7 @@
 # wgephemeralpeer
 
+**Note for OpenWrt users: For building directly on the device, do a checkout of the revision tagged with `v1.0.4`.**
+
 This repository contains a library that can be used to negotiate ephemeral
 peers in the realm of Mullvad.
 
@@ -80,9 +82,15 @@ and subsequent attempts to establish a tunnel will fail.
 
 By setting the `-kem <kem>` flag, you can use one of the following key
 encapsulation methods when negotiating the preshared key. The default value is
-`cme-kyber`.
+`cme-mlkem`.
 
 - cme (Classic McEliece 460896 Round3)
+- mlkem (ML-KEM-1024)
+- cme-mlkem (Classic McEliece 460896 Round3 + ML-KEM-1024)
+- mlkem-cme (ML-KEM-1024 + Classic McEliece 460896 Round3)
+
+Obsolete methods that are still supported:
+
 - cme-kyber (Classic McEliece 460896 Round3 + Kyber1024)
 - kyber (Kyber1024)
 - kyber-cme (Kyber1024 + Classic McEliece 460896 Round3)

cmd/mullvad-upgrade-tunnel/main.go

@@ -14,7 +14,7 @@ var VERSION string
 
 func main() {
 	iface := flag.String("wg-interface", "", "wireguard interface")
-	kem := flag.String("kem", "cme-kyber", "key encapsulation methods to use when negotiating psk")
+	kem := flag.String("kem", "cme-mlkem", "key encapsulation methods to use when negotiating psk")
 	version := flag.Bool("version", false, "display version and exit")
 	flag.Parse()
 
@@ -64,6 +64,14 @@ func parseKem(kem string) ([]wgephemeralpeer.Option, error) {
 	case "kyber-cme":
 		k = append(k, wgephemeralpeer.WithKyber1024())
 		k = append(k, wgephemeralpeer.WithMcEliece460896Round3())
+	case "mlkem":
+		k = append(k, wgephemeralpeer.WithMLKEM1024())
+	case "cme-mlkem":
+		k = append(k, wgephemeralpeer.WithMcEliece460896Round3())
+		k = append(k, wgephemeralpeer.WithMLKEM1024())
+	case "mlkem-cme":
+		k = append(k, wgephemeralpeer.WithMLKEM1024())
+		k = append(k, wgephemeralpeer.WithMcEliece460896Round3())
 	default:
 		return nil, fmt.Errorf("unknown kem: %s", kem)
 	}

go.mod

@@ -1,11 +1,8 @@
 module github.com/mullvad/wgephemeralpeer
 
-// Use go 1.19 to ensure the application can be built on an OpenWrt device.
-// Bump once a newer package is available at:
-// https://openwrt.org/packages/pkgdata/golang
-go 1.19
+go 1.21
 
-replace github.com/cloudflare/circl => github.com/mullvad/circl v0.0.0-20240104174227-83b264e1de1f
+replace github.com/cloudflare/circl => github.com/mullvad/circl v0.0.0-20240930082155-0c072461a157
 
 require (
 	github.com/cloudflare/circl v1.3.7

go.sum

@@ -9,8 +9,9 @@ github.com/mdlayher/netlink v1.7.2/go.mod h1:xraEF7uJbxLhc5fpHL4cPe221LI2bdttWlU
 github.com/mdlayher/socket v0.5.1 h1:VZaqt6RkGkt2OE9l3GcC6nZkqD3xKeQLyfleW/uBcos=
 github.com/mdlayher/socket v0.5.1/go.mod h1:TjPLHI1UgwEv5J1B5q0zTZq12A/6H7nKmtTanQE37IQ=
 github.com/mikioh/ipaddr v0.0.0-20190404000644-d465c8ab6721 h1:RlZweED6sbSArvlE924+mUcZuXKLBHA35U7LN621Bws=
-github.com/mullvad/circl v0.0.0-20240104174227-83b264e1de1f h1:YogYmnPRrB0tDPuFX8w2NWp10yobLCzsLUEew7Alfds=
-github.com/mullvad/circl v0.0.0-20240104174227-83b264e1de1f/go.mod h1:sRTcRWXGLrKw6yIGJ+l7amYJFfAXbZG0kBSc8r4zxgA=
+github.com/mikioh/ipaddr v0.0.0-20190404000644-d465c8ab6721/go.mod h1:Ickgr2WtCLZ2MDGd4Gr0geeCH5HybhRJbonOgQpvSxc=
+github.com/mullvad/circl v0.0.0-20240930082155-0c072461a157 h1:onkvLt87R9LmLAgvc/u+vf4/f2mTOgMd5UAGN3rxEzc=
+github.com/mullvad/circl v0.0.0-20240930082155-0c072461a157/go.mod h1:PDRU+oXvdD7KCtgKxW95M5Z8BpSCJXQORiZFnBQS5QU=
 golang.org/x/crypto v0.22.0 h1:g1v0xeRhjcugydODzvb3mEM9SQ0HGp9s/nh3COQ/C30=
 golang.org/x/crypto v0.22.0/go.mod h1:vr6Su+7cTlO45qkww3VDJlzDn0ctJvRgYbC2NvXHt+M=
 golang.org/x/net v0.24.0 h1:1PcaxkF854Fu3+lvBIx5SYn9wRlBzzcnHZSiaFFAb0w=

grpc_test.go

@@ -0,0 +1,25 @@
+package wgephemeralpeer
+
+import (
+	"testing"
+
+	"github.com/cloudflare/circl/kem/kyber/kyber1024"
+	"github.com/cloudflare/circl/kem/mceliece/mceliece460896"
+	"github.com/cloudflare/circl/kem/mlkem/mlkem1024"
+)
+
+func TestCirclStringIdsAreUnchanged(t *testing.T) {
+	// This is required because we're embedding KEM string identifiers
+	// in the request that gets sent to the server.
+	// If identifiers in CIRCL were to change, requests would start failing
+	// inexplicably and everyone would be scratching their heads.
+	if mceliece460896.Scheme().Name() != "mceliece460896" {
+		t.Fatal("Identifier for CME has changed")
+	}
+	if kyber1024.Scheme().Name() != "Kyber1024" {
+		t.Fatal("Identifier for Kyber has changed")
+	}
+	if mlkem1024.Scheme().Name() != "ML-KEM-1024" {
+		t.Fatal("Identifier for ML-KEM has changed")
+	}
+}

options.go

@@ -18,6 +18,14 @@ func WithKyber1024() Option {
 	}
 }
 
+// WithMLKEM1024 uses the key encapsulation method ML-KEM-1024 when negotiating a
+// PSK for the ephemeral peer
+func WithMLKEM1024() Option {
+	return func(ep *ephemeralPeer) {
+		ep.kemSchemes = append(ep.kemSchemes, schemeMLKEM1024)
+	}
+}
+
 // WithDAITA enables DAITA on the ephemeral peer. DAITA hides patterns in the
 // VPN tunnel by generating dummy traffic and using a fixed packet size.
 // However, this is not supported in vanilla WireGuard so enabling this option

pq.go

@@ -6,6 +6,7 @@ import (
 	"github.com/cloudflare/circl/kem"
 	"github.com/cloudflare/circl/kem/kyber/kyber1024"
 	"github.com/cloudflare/circl/kem/mceliece/mceliece460896"
+	"github.com/cloudflare/circl/kem/mlkem/mlkem1024"
 )
 
 var (
@@ -15,6 +16,7 @@ var (
 var (
 	schemeMcEliece460896Round3 kem.Scheme = mceliece460896.Scheme()
 	schemeKyber1024            kem.Scheme = kyber1024.Scheme()
+	schemeMLKEM1024            kem.Scheme = mlkem1024.Scheme()
 )
 
 type pqkem struct {