2 changes: 1 addition & 1 deletion .github/workflows/clang-tidy.yml
Expand Up @@ -43,7 +43,7 @@ jobs:
- name: "NSS+TPM Build"
configure_flags: "--enable-nss --enable-tpm"
- name: "PKCS#11 V3.2 PQC Build"
configure_flags: "--enable-pkcs11v32 --enable-mldsa"
configure_flags: "--enable-pkcs11v32 --enable-mldsa --enable-mlkem"

steps:
# Checkout wolfPKCS11
2 changes: 1 addition & 1 deletion .github/workflows/cmake.yml
Expand Up @@ -62,7 +62,7 @@ jobs:
-DWOLFPKCS11_AESKEYWRAP:BOOL=yes -DWOLFPKCS11_AESCTR:BOOL=yes -DWOLFPKCS11_AESCCM:BOOL=yes \
-DWOLFPKCS11_AESECB:BOOL=yes -DWOLFPKCS11_AESCTS:BOOL=yes -DWOLFPKCS11_AESCMAC:BOOL=yes \
-DWOLFPKCS11_PBKDF2:BOOL=yes -DWOLFPKCS11_SHA3:BOOL=yes -DWOLFPKCS11_PKCS11_V3_0:BOOL=yes \
-DWOLFPKCS11_PKCS11_V3_2:BOOL=yes -DWOLFPKCS11_MLDSA:BOOL=yes \
-DWOLFPKCS11_PKCS11_V3_2:BOOL=yes -DWOLFPKCS11_MLDSA:BOOL=yes -DWOLFPKCS11_MLKEM:BOOL=yes \
-DCMAKE_MODULE_PATH="$GITHUB_WORKSPACE/install/${CMAKE_INSTALL_LIBDIR}" \
..
cmake --build .
2 changes: 1 addition & 1 deletion .github/workflows/sanitizer-tests.yml
Expand Up @@ -26,7 +26,7 @@ jobs:
- name: "NSS+TPM Build"
configure_flags: "--enable-nss --enable-tpm"
- name: "PKCS#11 V3.2 PQC Build"
configure_flags: "--enable-pkcs11v32 --enable-mldsa"
configure_flags: "--enable-pkcs11v32 --enable-mldsa --enable-mlkem"

steps:
#pull wolfPKCS11
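--- a/.github/workflows/unit-test.yml
+++ b/.github/workflows/unit-test.yml
@@ -106,6 +106,10 @@ jobs:
 uses: ./.github/workflows/build-workflow.yml
 with:
 config: --enable-mldsa
+mlkem:
+uses: ./.github/workflows/build-workflow.yml
+with:
+config: --enable-mlkem
 debug:
 uses: ./.github/workflows/build-workflow.yml
 with: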
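--- a/.gitignore
+++ b/.gitignore
@@ -43,6 +43,9 @@ tests/rsa_session_persistence_test
 tests/debug_test
 tests/token_path_test
 tests/pkcs11v3test
+tests/aes_cbc_pad_padding_test
+tests/ecb_check_value_error_test
+tests/find_objects_null_template_test
 examples/add_aes_key
 examples/add_hmac_key
 examples/add_rsa_key
@@ -54,8 +57,10 @@ examples/obj_list
 examples/slot_info
 examples/token_info
 store/wp11*
+store/cbc_pad_padding_test
 store/debug
 store/empty_pin_test
+store/find_null_test
 store/object
 store/pkcs11mtt
 store/pkcs11test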
32 changes: 31 additions & 1 deletion CMakeLists.txt
Expand Up @@ -474,12 +474,42 @@ endif()

if(WOLFPKCS11_MLDSA)
if(NOT WOLFPKCS11_PKCS11_V3_2)
message(FATAL_ERROR "ML-DSA requires PKCS#11 Version 3.2 support (enable WOLFPKCS11_PKCS11_V3_2)")
message(STATUS "ML-DSA requires PKCS#11 v3.2 support — enabling WOLFPKCS11_PKCS11_V3_2 automatically")
override_cache(WOLFPKCS11_PKCS11_V3_2 "yes")
if(NOT WOLFPKCS11_PKCS11_V3_0)
override_cache(WOLFPKCS11_PKCS11_V3_0 "yes")
list(APPEND WOLFPKCS11_DEFINITIONS "-DWOLFPKCS11_PKCS11_V3_0")
endif()
list(APPEND WOLFPKCS11_DEFINITIONS "-DWOLFPKCS11_PKCS11_V3_2")
endif()
list(APPEND WOLFPKCS11_DEFINITIONS "-DWOLFPKCS11_MLDSA")
endif()


# ML-KEM
add_option("WOLFPKCS11_MLKEM"
"Enable wolfPKCS11 ML-KEM support (default: disabled)"
"no" "yes;no"
)

if(NOT WOLFPKCS11_SHA3)
override_cache(WOLFPKCS11_MLKEM "no")
endif()

if(WOLFPKCS11_MLKEM)
if(NOT WOLFPKCS11_PKCS11_V3_2)
message(STATUS "ML-KEM requires PKCS#11 v3.2 support — enabling WOLFPKCS11_PKCS11_V3_2 automatically")
override_cache(WOLFPKCS11_PKCS11_V3_2 "yes")
if(NOT WOLFPKCS11_PKCS11_V3_0)
override_cache(WOLFPKCS11_PKCS11_V3_0 "yes")
list(APPEND WOLFPKCS11_DEFINITIONS "-DWOLFPKCS11_PKCS11_V3_0")
endif()
list(APPEND WOLFPKCS11_DEFINITIONS "-DWOLFPKCS11_PKCS11_V3_2")
endif()
list(APPEND WOLFPKCS11_DEFINITIONS "-DWOLFPKCS11_MLKEM")
endif()


# If wolfpkcs11/options.h exists, delete it to avoid
# a mixup with build/wolfpkcs11/options.h.
if (EXISTS "${CMAKE_CURRENT_SOURCE_DIR}/wolfpkcs11/options.h")
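Review bot: The `if(NOT WOLFPKCS11_SHA3)` guard ahead of the ML-KEM block switches `WOLFPKCS11_MLKEM` off without printing anything, so a user who asked for ML-KEM with SHA-3 disabled gets a module without it and no hint in the configure log; configure.ac in this same commit at least echoes a line for that case. For an algorithm that is typically enabled to meet a post-quantum requirement, the downgrade should be visible: guard with `if(WOLFPKCS11_MLKEM AND NOT WOLFPKCS11_SHA3)` and emit `message(WARNING "ML-KEM requires SHA-3 support — disabling WOLFPKCS11_MLKEM")` before the `override_cache(WOLFPKCS11_MLKEM "no")`, or use `FATAL_ERROR` if an explicit request must never be dropped. Separately, the v3.2/v3.0 auto-enable lines are now repeated verbatim in the ML-DSA and ML-KEM blocks and would read better as one helper. Whether appending the two definitions here covers everything the earlier v3.2 option handling does cannot be judged from this hunk, which starts after an `endif()` and ends inside the `options.h` check.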
13 changes: 12 additions & 1 deletion README.md
Expand Up @@ -64,6 +64,16 @@ As ML-DSA is a feature of PKCS#11 version 3.2, support for that is required,
too. Hence, to enable all in wolfPKCS11, add `--enable-pkcs11v32 --enable-mldsa`
during the configure step.

### Optional: PQC ML-KEM Support

To have ML-KEM support in wolfPKCS11, configure wolfSSL with ML-KEM (FIPS 203)
support enabled, either by adding `--enable-mlkem` to `./configure` or by
setting `WOLFPKCS11_MLKEM` to `yes` in CMake.

As ML-KEM is a feature of PKCS#11 version 3.2, support for that is required,
too. Hence, to enable all in wolfPKCS11, add `--enable-pkcs11v32 --enable-mlkem`
during the configure step.

### Build options and defines

#### Define WOLFPKCS11_TPM_STORE
Expand Down Expand Up @@ -207,7 +217,8 @@ cmake -DCMAKE_PREFIX_PATH=/path/to/wolfssl/install ..
| `WOLFPKCS11_NSS` | `no` | NSS-specific modifications |
| `WOLFPKCS11_PKCS11_V3_0` | `yes` | PKCS#11 v3.0 support |
| `WOLFPKCS11_PKCS11_V3_2` | `no` | PKCS#11 v3.2 support |
| `WOLFPKCS11_MLDSA` | `no`| ML-DSA support |
| `WOLFPKCS11_MLDSA` | `no` | ML-DSA support |
| `WOLFPKCS11_MLKEM` | `no` | ML-KEM support |
| `WOLFPKCS11_EXAMPLES` | `yes` | Build examples |
| `WOLFPKCS11_TESTS` | `yes` | Build and register tests |
| `WOLFPKCS11_COVERAGE` | `no` | Code coverage support |
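--- a/cmake/options.h.in
+++ b/cmake/options.h.in
@@ -94,6 +94,8 @@ extern "C" {
 #cmakedefine WOLFSSL_SHA3
 #undef WOLFPKCS11_MLDSA
 #cmakedefine WOLFPKCS11_MLDSA
+#undef WOLFPKCS11_MLKEM
+#cmakedefine WOLFPKCS11_MLKEM
 #undef WOLFPKCS11_TPM
 #cmakedefine WOLFPKCS11_TPM
 #undef WOLFPKCS11_NSS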
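--- a/configure.ac
+++ b/configure.ac
@@ -537,6 +537,27 @@ then
 AM_CFLAGS="$AM_CFLAGS -DWOLFPKCS11_MLDSA"
 fi
 
+AC_ARG_ENABLE([mlkem],
+[AS_HELP_STRING([--enable-mlkem],[Enable ML-KEM (default: disabled)])],
+[ ENABLED_MLKEM=$enableval ],
+[ ENABLED_MLKEM=no ]
+)
+
+if test "$ENABLED_SHA3" = "no"
+then
+echo "ML-KEM requires SHA-3 support (disabled), disabling ML-KEM"
+ENABLED_MLKEM=no
+fi
+
+if test "$ENABLED_MLKEM" = "yes"
+then
+if test "$ENABLED_PKCS11V3_2" = "no"; then
+ENABLED_PKCS11V3_2=yes
+AM_CFLAGS="$AM_CFLAGS -DWOLFPKCS11_PKCS11_V3_2"
+fi
+AM_CFLAGS="$AM_CFLAGS -DWOLFPKCS11_MLKEM"
+fi
+
 
 AM_CONDITIONAL([BUILD_STATIC],[test "x$enable_shared" = "xno"])
 
@@ -725,6 +746,7 @@ echo " * DH: $ENABLED_DH"
 echo " * ECC: $ENABLED_ECC"
 echo " * HKDF: $ENABLED_HKDF"
 echo " * ML-DSA: $ENABLED_MLDSA"
+echo " * ML-KEM: $ENABLED_MLKEM"
 echo " * NSS modifications: $ENABLED_NSS"
 echo " * Default token path: $WOLFPKCS11_DEFAULT_TOKEN_PATH"
 echo " * PKCS#11 Version 3.0: $ENABLED_PKCS11V3_0"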
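Review bot: The auto-enable inside `if test "$ENABLED_MLKEM" = "yes"` turns on v3.2 but leaves `ENABLED_PKCS11V3_0` untouched, while the CMake path in this same commit also forces `WOLFPKCS11_PKCS11_V3_0` on, so the two build systems can produce different feature sets from the same request. If v3.2 does depend on v3.0 (the CMake change suggests it, but that is not visible here), add `if test "$ENABLED_PKCS11V3_0" = "no"; then ENABLED_PKCS11V3_0=yes; AM_CFLAGS="$AM_CFLAGS -DWOLFPKCS11_PKCS11_V3_0"; fi` before the v3.2 lines. The override is also silent here, whereas CMake prints a STATUS line; an `echo` next to `ENABLED_PKCS11V3_2=yes` would keep the configure log clear about what was switched on. Anything earlier in configure.ac that already acted on `ENABLED_PKCS11V3_2` (conditionals, extra flags) will not see this late change, which is worth checking because that part lies outside the hunk.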