wolfcrypt 0.1.0

RustCrypto trait implementations backed by wolfCrypt
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369

//! ML-KEM (Module-Lattice Key Encapsulation Mechanism) backed by wolfCrypt.
//!
//! Implements NIST FIPS 203 ML-KEM at three security levels:
//!
//! | Level | Type | Security | Ciphertext | Public key |
//! |-------|------|----------|------------|------------|
//! | [`MlKem512`] | `WC_ML_KEM_512` | ~AES-128 equivalent | 768 B | 800 B |
//! | [`MlKem768`] | `WC_ML_KEM_768` | ~AES-192 equivalent | 1088 B | 1184 B |
//! | [`MlKem1024`] | `WC_ML_KEM_1024` | ~AES-256 equivalent | 1568 B | 1568 B |
//!
//! Use ML-KEM-768 for most applications (NIST's recommended level).
//! Use ML-KEM-1024 when policy requires AES-256-equivalent post-quantum
//! security.  ML-KEM-512 is the fastest but offers the lowest security
//! margin and may not be accepted by all compliance frameworks.
//!
//! Provides [`MlKemDecapsulationKey`] for key generation and decapsulation, and
//! [`MlKemEncapsulationKey`] for encapsulation using a public key.

use alloc::vec;
use alloc::vec::Vec;
use core::marker::PhantomData;
use core::ffi::c_int;
use core::ptr;

use zeroize::ZeroizeOnDrop;

use crate::error::{check, len_as_u32, WolfCryptError};
use wolfcrypt_rs::{
    wc_FreeRng, wc_InitRng,
    wc_MlKemKey_Decapsulate, wc_MlKemKey_Delete, wc_MlKemKey_Encapsulate,
    wc_MlKemKey_DecodePublicKey, wc_MlKemKey_EncodePublicKey,
    wc_MlKemKey_EncodePrivateKey,
    wc_MlKemKey_MakeKey, wc_MlKemKey_New,
    MlKemKey, WC_RNG, INVALID_DEVID,
    WC_ML_KEM_512, WC_ML_KEM_768, WC_ML_KEM_1024,
    WC_ML_KEM_SS_SZ,
    WC_ML_KEM_512_PUBLIC_KEY_SIZE, WC_ML_KEM_512_PRIVATE_KEY_SIZE, WC_ML_KEM_512_CIPHER_TEXT_SIZE,
    WC_ML_KEM_768_PUBLIC_KEY_SIZE, WC_ML_KEM_768_PRIVATE_KEY_SIZE, WC_ML_KEM_768_CIPHER_TEXT_SIZE,
    WC_ML_KEM_1024_PUBLIC_KEY_SIZE, WC_ML_KEM_1024_PRIVATE_KEY_SIZE, WC_ML_KEM_1024_CIPHER_TEXT_SIZE,
};

// ---------------------------------------------------------------------------
// Level trait and implementations
// ---------------------------------------------------------------------------

/// Trait that associates an ML-KEM security level with its type constant and
/// sizes as defined in NIST FIPS 203.
pub trait MlKemLevel: Send + 'static {
    /// wolfCrypt type constant (`WC_ML_KEM_512`, etc.).
    const TYPE: c_int;
    /// Public (encapsulation) key size in bytes.
    const PK_SIZE: usize;
    /// Private (decapsulation) key size in bytes.
    const SK_SIZE: usize;
    /// Ciphertext size in bytes.
    const CT_SIZE: usize;
    /// Shared secret size in bytes (always 32 for ML-KEM).
    const SS_SIZE: usize;
}

/// ML-KEM-512 (NIST security level 1).
pub struct MlKem512;

/// ML-KEM-768 (NIST security level 3).
pub struct MlKem768;

/// ML-KEM-1024 (NIST security level 5).
pub struct MlKem1024;

impl MlKemLevel for MlKem512 {
    const TYPE: c_int = WC_ML_KEM_512;
    const PK_SIZE: usize = WC_ML_KEM_512_PUBLIC_KEY_SIZE;
    const SK_SIZE: usize = WC_ML_KEM_512_PRIVATE_KEY_SIZE;
    const CT_SIZE: usize = WC_ML_KEM_512_CIPHER_TEXT_SIZE;
    const SS_SIZE: usize = WC_ML_KEM_SS_SZ;
}

impl MlKemLevel for MlKem768 {
    const TYPE: c_int = WC_ML_KEM_768;
    const PK_SIZE: usize = WC_ML_KEM_768_PUBLIC_KEY_SIZE;
    const SK_SIZE: usize = WC_ML_KEM_768_PRIVATE_KEY_SIZE;
    const CT_SIZE: usize = WC_ML_KEM_768_CIPHER_TEXT_SIZE;
    const SS_SIZE: usize = WC_ML_KEM_SS_SZ;
}

impl MlKemLevel for MlKem1024 {
    const TYPE: c_int = WC_ML_KEM_1024;
    const PK_SIZE: usize = WC_ML_KEM_1024_PUBLIC_KEY_SIZE;
    const SK_SIZE: usize = WC_ML_KEM_1024_PRIVATE_KEY_SIZE;
    const CT_SIZE: usize = WC_ML_KEM_1024_CIPHER_TEXT_SIZE;
    const SS_SIZE: usize = WC_ML_KEM_SS_SZ;
}

// ---------------------------------------------------------------------------
// SharedSecret
// ---------------------------------------------------------------------------

/// The shared secret produced by ML-KEM encapsulation/decapsulation (32 bytes).
#[derive(ZeroizeOnDrop)]
pub struct SharedSecret(#[zeroize(drop)] [u8; WC_ML_KEM_SS_SZ]);

impl SharedSecret {
    /// Return the raw shared-secret bytes.
    pub fn as_bytes(&self) -> &[u8] {
        &self.0
    }
}

impl PartialEq for SharedSecret {
    fn eq(&self, other: &Self) -> bool {
        // Constant-time comparison would be ideal, but for test ergonomics
        // a plain comparison suffices here (the secret is already exposed
        // via `as_bytes`).
        self.0 == other.0
    }
}
impl Eq for SharedSecret {}

// ---------------------------------------------------------------------------
// MlKemDecapsulationKey
// ---------------------------------------------------------------------------

/// An ML-KEM decapsulation (private) key backed by wolfCrypt.
///
/// Created via [`generate`](Self::generate), this key can produce its
/// corresponding [`MlKemEncapsulationKey`] and decapsulate ciphertexts.
pub struct MlKemDecapsulationKey<L: MlKemLevel> {
    key: *mut MlKemKey,
    rng: WC_RNG,
    _level: PhantomData<L>,
}

// SAFETY: `MlKemKey` and `WC_RNG` own independent state with no shared
// mutable globals; safe to move between threads.
unsafe impl<L: MlKemLevel> Send for MlKemDecapsulationKey<L> {}

impl<L: MlKemLevel> MlKemDecapsulationKey<L> {
    /// Generate a fresh ML-KEM keypair.
    pub fn generate() -> Result<Self, WolfCryptError> {
        // Allocate key on the heap via wolfCrypt.
        // SAFETY: `wc_MlKemKey_New` returns a heap-allocated key or null.
        let key = unsafe {
            wc_MlKemKey_New(L::TYPE, ptr::null_mut(), INVALID_DEVID)
        };
        if key.is_null() {
            return Err(WolfCryptError::ALLOC_FAILED);
        }

        // Initialise RNG for key generation.
        let mut rng = WC_RNG::zeroed();
        // SAFETY: `rng` is zeroed; `wc_InitRng` will fully initialise it.
        let rc = unsafe { wc_InitRng(&mut rng) };
        if rc != 0 {
            // Clean up the key on failure.
            unsafe { wc_MlKemKey_Delete(key, ptr::null_mut()); }
            return Err(WolfCryptError::Ffi { code: rc, func: "wc_InitRng" });
        }

        // Generate the keypair.
        // SAFETY: `key` is a valid heap-allocated MlKemKey, `rng` is
        // initialised.
        let rc = unsafe { wc_MlKemKey_MakeKey(key, &mut rng) };
        if rc != 0 {
            unsafe {
                wc_FreeRng(&mut rng);
                wc_MlKemKey_Delete(key, ptr::null_mut());
            }
            return Err(WolfCryptError::Ffi { code: rc, func: "wc_MlKemKey_MakeKey" });
        }

        Ok(Self { key, rng, _level: PhantomData })
    }

    /// Return the corresponding encapsulation (public) key.
    ///
    /// The public key bytes are exported from the private key and then
    /// imported into a new public-only key object.
    pub fn encapsulation_key(&self) -> Result<MlKemEncapsulationKey<L>, WolfCryptError> {
        let mut pk_buf = vec![0u8; L::PK_SIZE];

        // SAFETY: `self.key` is a fully-generated ML-KEM key. `pk_buf` is
        // `L::PK_SIZE` bytes.
        let rc = unsafe {
            wc_MlKemKey_EncodePublicKey(self.key, pk_buf.as_mut_ptr(), L::PK_SIZE as u32)
        };
        check(rc, "wc_MlKemKey_EncodePublicKey")?;

        MlKemEncapsulationKey::from_bytes(&pk_buf)
    }

    /// Export the raw public key bytes.
    pub fn public_key_bytes(&self) -> Result<Vec<u8>, WolfCryptError> {
        let mut pk_buf = vec![0u8; L::PK_SIZE];
        let rc = unsafe {
            wc_MlKemKey_EncodePublicKey(self.key, pk_buf.as_mut_ptr(), L::PK_SIZE as u32)
        };
        check(rc, "wc_MlKemKey_EncodePublicKey")?;
        Ok(pk_buf)
    }

    /// Export the raw private key bytes.
    ///
    /// The returned `Zeroizing<Vec<u8>>` automatically zeroizes the key
    /// material when dropped.
    pub fn private_key_bytes(&self) -> Result<zeroize::Zeroizing<Vec<u8>>, WolfCryptError> {
        let mut sk_buf = vec![0u8; L::SK_SIZE];
        let rc = unsafe {
            wc_MlKemKey_EncodePrivateKey(self.key, sk_buf.as_mut_ptr(), L::SK_SIZE as u32)
        };
        check(rc, "wc_MlKemKey_EncodePrivateKey")?;
        Ok(zeroize::Zeroizing::new(sk_buf))
    }

    /// Decapsulate a ciphertext to recover the shared secret.
    ///
    /// `ct` must be exactly `L::CT_SIZE` bytes.
    pub fn decapsulate(&self, ct: &[u8]) -> Result<SharedSecret, WolfCryptError> {
        if ct.len() != L::CT_SIZE {
            return Err(WolfCryptError::INVALID_INPUT);
        }

        let mut ss = [0u8; WC_ML_KEM_SS_SZ];

        // SAFETY: `self.key` holds a full keypair (private + public).
        // `ct` is exactly `L::CT_SIZE` bytes. `ss` is 32 bytes.
        let rc = unsafe {
            wc_MlKemKey_Decapsulate(self.key, ss.as_mut_ptr(), ct.as_ptr(), len_as_u32(ct.len()))
        };
        check(rc, "wc_MlKemKey_Decapsulate")?;

        Ok(SharedSecret(ss))
    }
}

impl<L: MlKemLevel> Drop for MlKemDecapsulationKey<L> {
    fn drop(&mut self) {
        // SAFETY: `self.key` was successfully allocated by `wc_MlKemKey_New`
        // and `self.rng` was initialised by `wc_InitRng`. Freed exactly once.
        unsafe {
            wc_MlKemKey_Delete(self.key, ptr::null_mut());
            wc_FreeRng(&mut self.rng);
        }
    }
}

// ---------------------------------------------------------------------------
// MlKemEncapsulationKey
// ---------------------------------------------------------------------------

/// An ML-KEM encapsulation (public) key backed by wolfCrypt.
///
/// Created from raw public key bytes via [`from_bytes`](Self::from_bytes) or
/// from a [`MlKemDecapsulationKey`] via its
/// [`encapsulation_key`](MlKemDecapsulationKey::encapsulation_key) method.
pub struct MlKemEncapsulationKey<L: MlKemLevel> {
    key: *mut MlKemKey,
    rng: WC_RNG,
    _level: PhantomData<L>,
}

// SAFETY: Same rationale as `MlKemDecapsulationKey`.
unsafe impl<L: MlKemLevel> Send for MlKemEncapsulationKey<L> {}

impl<L: MlKemLevel> MlKemEncapsulationKey<L> {
    /// Import an encapsulation key from raw public key bytes.
    ///
    /// `bytes` must be exactly `L::PK_SIZE` bytes.
    pub fn from_bytes(bytes: &[u8]) -> Result<Self, WolfCryptError> {
        if bytes.len() != L::PK_SIZE {
            return Err(WolfCryptError::INVALID_INPUT);
        }

        // Allocate a fresh key object.
        let key = unsafe {
            wc_MlKemKey_New(L::TYPE, ptr::null_mut(), INVALID_DEVID)
        };
        if key.is_null() {
            return Err(WolfCryptError::ALLOC_FAILED);
        }

        // Import the public key bytes.
        // SAFETY: `key` is a valid heap-allocated MlKemKey, `bytes` is
        // `L::PK_SIZE` bytes.
        let rc = unsafe {
            wc_MlKemKey_DecodePublicKey(key, bytes.as_ptr(), len_as_u32(bytes.len()))
        };
        if rc != 0 {
            unsafe { wc_MlKemKey_Delete(key, ptr::null_mut()); }
            return Err(WolfCryptError::Ffi { code: rc, func: "wc_MlKemKey_DecodePublicKey" });
        }

        // Initialise RNG for encapsulation.
        let mut rng = WC_RNG::zeroed();
        let rc = unsafe { wc_InitRng(&mut rng) };
        if rc != 0 {
            unsafe { wc_MlKemKey_Delete(key, ptr::null_mut()); }
            return Err(WolfCryptError::Ffi { code: rc, func: "wc_InitRng" });
        }

        Ok(Self { key, rng, _level: PhantomData })
    }

    /// Export the raw public key bytes.
    pub fn as_bytes(&self) -> Result<Vec<u8>, WolfCryptError> {
        let mut pk_buf = vec![0u8; L::PK_SIZE];
        let rc = unsafe {
            wc_MlKemKey_EncodePublicKey(self.key, pk_buf.as_mut_ptr(), L::PK_SIZE as u32)
        };
        check(rc, "wc_MlKemKey_EncodePublicKey")?;
        Ok(pk_buf)
    }

    /// Encapsulate: produce a ciphertext and shared secret.
    ///
    /// Returns `(ciphertext, shared_secret)` where the ciphertext should be
    /// sent to the holder of the decapsulation key.
    ///
    /// Takes `&mut self` because encapsulation mutates the internal RNG.
    /// Unlike the `Signer`/`Verifier` types (which use `UnsafeCell` to
    /// satisfy the trait-mandated `&self`), this method has no trait
    /// constraint, so `&mut self` is the honest signature.
    pub fn encapsulate(&mut self) -> Result<(Vec<u8>, SharedSecret), WolfCryptError> {
        let mut ct = vec![0u8; L::CT_SIZE];
        let mut ss = [0u8; WC_ML_KEM_SS_SZ];

        // SAFETY: `self.key` has a decoded public key. `ct` is `L::CT_SIZE`
        // bytes, `ss` is 32 bytes, `self.rng` is initialised.
        let rc = unsafe {
            wc_MlKemKey_Encapsulate(
                self.key,
                ct.as_mut_ptr(),
                ss.as_mut_ptr(),
                &mut self.rng,
            )
        };
        check(rc, "wc_MlKemKey_Encapsulate")?;

        Ok((ct, SharedSecret(ss)))
    }
}

impl<L: MlKemLevel> Drop for MlKemEncapsulationKey<L> {
    fn drop(&mut self) {
        // SAFETY: `self.key` was allocated by `wc_MlKemKey_New` and
        // `self.rng` by `wc_InitRng`. Freed exactly once.
        unsafe {
            wc_MlKemKey_Delete(self.key, ptr::null_mut());
            wc_FreeRng(&mut self.rng);
        }
    }
}

// ---------------------------------------------------------------------------
// Convenience type aliases
// ---------------------------------------------------------------------------

/// ML-KEM-512 decapsulation key.
pub type MlKem512DecapsulationKey = MlKemDecapsulationKey<MlKem512>;
/// ML-KEM-768 decapsulation key.
pub type MlKem768DecapsulationKey = MlKemDecapsulationKey<MlKem768>;
/// ML-KEM-1024 decapsulation key.
pub type MlKem1024DecapsulationKey = MlKemDecapsulationKey<MlKem1024>;

/// ML-KEM-512 encapsulation key.
pub type MlKem512EncapsulationKey = MlKemEncapsulationKey<MlKem512>;
/// ML-KEM-768 encapsulation key.
pub type MlKem768EncapsulationKey = MlKemEncapsulationKey<MlKem768>;
/// ML-KEM-1024 encapsulation key.
pub type MlKem1024EncapsulationKey = MlKemEncapsulationKey<MlKem1024>;