From 6476622ee207560afa6c1a00a614d441ecddfd40 Mon Sep 17 00:00:00 2001
From: Adriano Sela Aviles
Date: Fri, 1 May 2026 15:03:52 -0700
Subject: [PATCH] wgengine/wgcfg: propagate PQC capability into WG config

Signed-off-by: Adriano Sela Aviles
---
 wgengine/wgcfg/config.go | 7 +++++++
 wgengine/wgcfg/nmcfg/nmcfg.go | 8 ++++++++
 wgengine/wgcfg/wgcfg_clone.go | 1 +
 3 files changed, 16 insertions(+)

diff --git a/wgengine/wgcfg/config.go b/wgengine/wgcfg/config.go
index 5510b65b2..85e921cf5 100644
--- a/wgengine/wgcfg/config.go
+++ b/wgengine/wgcfg/config.go
@@ -23,6 +23,12 @@ type Config struct { DNS []netip.Addr Peers []Peer + // MLKEMEnabled enables the hybrid ML-KEM-768 + Noise_IKpsk2 WireGuard + // handshake (FIPS 203). When true the device uses message types 5/6 + // instead of the standard types 1/2. All nodes in the network must + // have this set identically. + MLKEMEnabled bool + // NetworkLogging enables network logging. // It is disabled if either ID is the zero value. // LogExitFlowEnabled indicates whether or not exit flows should be logged.
@@ -39,6 +45,7 @@ func (c *Config) Equal(o *Config) bool {
 }
 return c.PrivateKey.Equal(o.PrivateKey) &&
 c.MTU == o.MTU &&
+ c.MLKEMEnabled == o.MLKEMEnabled &&
 c.NetworkLogging == o.NetworkLogging &&
 slices.Equal(c.Addresses, o.Addresses) &&
 slices.Equal(c.DNS, o.DNS) &&
diff --git a/wgengine/wgcfg/nmcfg/nmcfg.go b/wgengine/wgcfg/nmcfg/nmcfg.go
index f99b7b007..8355c9005 100644
--- a/wgengine/wgcfg/nmcfg/nmcfg.go
+++ b/wgengine/wgcfg/nmcfg/nmcfg.go
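Review bot: The doc comment on the new `MLKEMEnabled` field states the invariant that every node must have the same value but not what happens when it is violated, which is the security-relevant part: a reader cannot tell from this comment whether a mismatched peer simply fails to handshake or whether the device falls back to the classical types 1/2 exchange, and a silent fallback would void the post-quantum property the flag exists to provide. If the handshake layer rejects mismatched message types with no automatic fallback, state that here, e.g. `// A peer whose setting differs cannot complete a handshake; there is no automatic fallback to the classical handshake.` — and if a fallback does exist, the comment should say so instead so operators do not assume PQ protection during a staggered rollout. It is also worth noting in the comment that a change to this value is a config change (the second hunk adds it to Equal), since that is what makes a capability flip take effect. The Config struct continues past the end of the hunk.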
@@ -53,6 +53,14 @@ func WGCfg(pk key.NodePrivate, nm *netmap.NetworkMap, logf logger.Logf, flags ne Peers: make([]wgcfg.Peer, 0, len(nm.Peers)), } + // Enable hybrid ML-KEM-768 handshake when the control plane sets the + // NodeAttrPostQuantumCrypto capability on this node. All nodes in the + // tailnet must have this attribute for the network to function; the flag + // is network-wide and not per-peer. + if nm.SelfNode.Valid() { + cfg.MLKEMEnabled = nm.SelfNode.HasCap(tailcfg.NodeAttrPostQuantumCrypto) + } + // Setup log IDs for data plane audit logging. if nm.SelfNode.Valid() { canNetworkLog := nm.SelfNode.HasCap(tailcfg.CapabilityDataPlaneAuditLogs)
diff --git a/wgengine/wgcfg/wgcfg_clone.go b/wgengine/wgcfg/wgcfg_clone.go
index a8a212267..8e408f0d3 100644
--- a/wgengine/wgcfg/wgcfg_clone.go
+++ b/wgengine/wgcfg/wgcfg_clone.go
@@ -38,6 +38,7 @@ var _ConfigCloneNeedsRegeneration = Config(struct {
 MTU uint16
 DNS []netip.Addr
 Peers []Peer
+ MLKEMEnabled bool
 NetworkLogging struct {
 NodeID logid.PrivateID
 DomainID logid.PrivateID
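Review bot: The new `if nm.SelfNode.Valid()` block in the nmcfg.go hunk duplicates the identical guard that the very next statement opens for the data-plane log IDs; fold the `cfg.MLKEMEnabled = nm.SelfNode.HasCap(tailcfg.NodeAttrPostQuantumCrypto)` assignment into that existing block so all self-node-derived setup lives in one place. Since the comment itself says a tailnet with mixed NodeAttrPostQuantumCrypto values will not function, the point where the flag is set is the right place to leave an operator-visible trace for diagnosing handshake failures during rollout, e.g. `logf("[v1] wgcfg: ML-KEM-768 hybrid handshake enabled via NodeAttrPostQuantumCrypto")` when the capability is present (rate-limited or gated on a change if this runs on every netmap update). Note also that when SelfNode is not valid the field silently stays false, i.e. the classical handshake is selected by default; presumably no usable config is produced in that case anyway, but a one-line comment saying the zero value is deliberate would prevent a future reader from reading it as an accidental downgrade path. The body of WGCfg continues past both ends of the hunk.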