Add ML-KEM and ML-DSA support by aidangarske · Pull Request #399 · wolfSSL/wolfProvider

aidangarske · 2026-05-23T05:56:36Z

ML-KEM (FIPS 203) and ML-DSA (FIPS 204) via wolfSSL backend.

Algorithms: ML-KEM-512/768/1024, ML-DSA-44/65/87

Opt-in: ./scripts/build-wolfprovider.sh --enable-pqc (adds --enable-mlkem --enable-dilithium --enable-experimental to wolfSSL). wolfProvider auto-detects from wolfSSL's options.h macros; older wolfSSL builds skip the PQC paths cleanly with no code changes here.

Validation: three independent paths cross-checked, all pass.

Internal unit tests (11 functions x 3 levels = 33 assertions) in make test
wolfProvider <-> OpenSSL 3.5 default provider (12 cross-pairs)
wolfProvider <-> wolfSSL direct wc_* API (12 cross-pairs)

CI: new wolfssl-versions-pqc.yml runs three matrix rows -- pre-PQC wolfSSL, latest stable, master -- and the three-way interop validator on the PQC-enabled rows.

Test plan

make test passes (all 11 PQC tests + existing suite)
./test/pqc_interop.test -- ALL PASS (24 cross-pairs)
Build against pre-PQC wolfSSL: PQC code paths skip, make test clean
CI green on all three matrix rows

…tion honoring

Frauschi

Some smaller findings. The biggest "issue" imo is the usage of the now old ML-DSA API instead of the new one. But moving this to the new one should be easy.

Frauschi · 2026-05-27T08:41:37Z

 | `--openssl-dir=/path` | Use existing OpenSSL installation |
 | `--replace-default` | Make wolfProvider the default provider |
 | `--enable-replace-default-testing` | Enable unit testing with replace-default |
+| `--enable-pqc` | Enable ML-KEM and ML-DSA post-quantum algorithms (adds `--enable-mlkem --enable-dilithium --enable-experimental` to wolfSSL). Requires wolfSSL post-v5.9.1-stable. |


Please use --enable-mldsa instead of --enable-dilithium going forward. Furthermore, both ML-KEM and ML-DSA don't require --enable-experimental anymore.

Frauschi · 2026-05-27T08:48:14Z

 | `--enable-pwdbased` | PKCS#12 support |
 | `--enable-hmac-copy` | Faster repeated HMAC with same key (wolfSSL 5.7.8+) |
 | `--enable-sp=yes,asm --enable-sp-math-all` | SP Integer maths |
+| `--enable-mlkem --enable-dilithium --enable-experimental` | ML-KEM and ML-DSA post-quantum algorithms (wolfSSL post-v5.9.1-stable). The `build-wolfprovider.sh --enable-pqc` flag sets these automatically. |


Same as above

Frauschi · 2026-05-27T08:50:06Z

+
+### Requirements
+
+- **wolfSSL**: post-v5.9.1-stable (i.e. v5.9.2-stable or master). Older releases lack the `wc_MlDsaKey_*` and `wc_dilithium_sign_ctx_msg` API surface that wolfProvider's PQC code uses.


wc_dilithium_sign_ctx_msg() is already present in 5.9.1, only the new wc_MlDsaKey_SignCtx() is not.

Frauschi · 2026-05-27T08:50:30Z

+./scripts/build-wolfprovider.sh --enable-pqc
+```
+
+This adds `--enable-mlkem --enable-dilithium --enable-experimental` to the wolfSSL configure step. wolfProvider auto-detects the resulting `WOLFSSL_HAVE_MLKEM` / `HAVE_DILITHIUM` macros via `include/wolfprovider/settings.h` (gated on `__has_include` of the corresponding wolfSSL headers) and registers the six PQC algorithms.


Same as above

Frauschi · 2026-05-27T08:50:57Z

+./scripts/build-wolfprovider.sh --enable-pqc
+```
+
+This adds `--enable-mlkem --enable-dilithium --enable-experimental` to the wolfSSL configure step. wolfProvider auto-detects the resulting `WOLFSSL_HAVE_MLKEM` / `HAVE_DILITHIUM` macros via `include/wolfprovider/settings.h` (gated on `__has_include` of the corresponding wolfSSL headers) and registers the six PQC algorithms.


WOLFSSL_HAVE_MLDSA instead of HAVE_DILITHIUM

Frauschi · 2026-05-27T09:00:09Z

@@ -0,0 +1,1055 @@
+/* wp_mldsa_kmgmt.c
+ *
+ * Copyright (C) 2006-2025 wolfSSL Inc.


Just saw it here, but probably applies to all new files: shouldn't the copyright year be 2026?

Frauschi · 2026-05-27T09:01:06Z

+
+#ifdef WP_HAVE_MLDSA
+
+#include <wolfssl/wolfcrypt/dilithium.h>


use the new wc_mldsa.h header with the new canonical wc_MlDsaKey naming.

Frauschi · 2026-05-27T09:02:39Z

+ */
+struct wp_MlDsa {
+    /** wolfSSL ML-DSA key. */
+    MlDsaKey key;


Please use the new wc_MlDsaKey naming. This applies to most of the API naming in this file. AI should be easily capable of moving this to the new final ML-DSA API without effort.

I won't flag it anymore in the following occurences.

Frauschi · 2026-05-27T09:21:31Z

+
+    p = OSSL_PARAM_locate(params, OSSL_PKEY_PARAM_BITS);
+    if ((p != NULL) &&
+            !OSSL_PARAM_set_int(p, (int)mldsa->data->pubKeySize * 8)) {


Question: Is this aligned with what native OpenSSL does for OSSL_PKEY_PARAM_BITS? I have never seen anyone using the public key size in bits for anything tbh..
But when this is the way OpenSSL does it, then it's fine, of course.

Frauschi · 2026-05-27T11:33:21Z

+    }
+
+    p = OSSL_PARAM_locate(params, OSSL_PKEY_PARAM_BITS);
+    if ((p != NULL) && !OSSL_PARAM_set_int(p, (int)mlkem->data->pubKeySize * 8)) {


Same as the ML-DSA path: is this aligned with native OpenSSL? Really looks strange to me...

Frauschi · 2026-05-27T11:45:49Z

Jenkins retest this please

aidangarske added 7 commits May 22, 2026 22:08

Add PQC scaffolding: ML-KEM/ML-DSA macros, names, externs, build flag

aad005d

Add ML-KEM keymgmt and KEM dispatch for 512/768/1024

d203979

Add ML-DSA keymgmt and signature dispatch for 44/65/87

be25627

Add ML-KEM and ML-DSA unit tests + dupctx buffer copy fix

3df1a6f

Add PQC version-compat CI: pre-PQC, latest stable, master

f78fdb8

Add FIPS 204 ctx mode for ML-DSA + three-way interop validator in CI

c1b7c10

Add ML-KEM and ML-DSA raw key import/export roundtrip tests

60f2cd6

Copilot AI review requested due to automatic review settings May 23, 2026 05:56

Copilot started reviewing on behalf of aidangarske May 23, 2026 05:56 View session

This comment was marked as resolved.

Sign in to view

aidangarske added 2 commits May 22, 2026 23:11

Gate PQC macros on header availability via __has_include

dae5cd6

Address Copilot review + dynamic wolfSSL version matrix with PQC floor

0aec54f

aidangarske self-assigned this May 23, 2026

aidangarske added 7 commits May 22, 2026 23:47

Document ML-KEM and ML-DSA support in README and integration guide

618ad0a

Address Skoll review: input validation, consistency checks, dup selec…

39e677c

…tion honoring

Run PQC version matrix on draft PRs too (match wolfTPM behavior)

ef9ac48

Use wc_mlkem.h (mlkem.h removed on wolfssl master); drop absence check

ed58142

CI: diagnose OpenSSL default provider PQC support

0b04e5a

interop: use global lib ctx for default provider side (CI lib ctx fix)

371c4e6

CI: include lib64 in LD_LIBRARY_PATH so Linux finds the local libcrypto

f69c064

aidangarske marked this pull request as ready for review May 26, 2026 17:13

aidangarske requested review from ColtonWilley and Frauschi May 26, 2026 17:13

Frauschi requested changes May 27, 2026

View reviewed changes


		### Requirements

		- wolfSSL: post-v5.9.1-stable (i.e. v5.9.2-stable or master). Older releases lack the `wc_MlDsaKey_*` and `wc_dilithium_sign_ctx_msg` API surface that wolfProvider's PQC code uses.


		#ifdef WP_HAVE_MLDSA

		#include <wolfssl/wolfcrypt/dilithium.h>

Conversation

aidangarske commented May 23, 2026

Test plan

Uh oh!

This comment was marked as resolved.

Uh oh!

Frauschi left a comment

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Frauschi commented May 27, 2026

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

3 participants