Move PQC algos out of experimental in CMake

Frauschi · Frauschi · commit da94ea626512 · 2026-03-13T17:53:54.000+01:00
This has already been done long time in autoconf. User
now does not have to enable experimental features to use
PQC.
diff --git a/.github/workflows/cmake.yml b/.github/workflows/cmake.yml
@@ -69,7 +69,7 @@ jobs:
             -DWOLFSSL_TICKET_NONCE_MALLOC:BOOL=yes -DWOLFSSL_TLS13:BOOL=yes -DWOLFSSL_TLSV12:BOOL=yes \
             -DWOLFSSL_TLSX:BOOL=yes -DWOLFSSL_TPM:BOOL=yes -DWOLFSSL_CLU:BOOL=yes -DWOLFSSL_USER_SETTINGS:BOOL=no \
             -DWOLFSSL_USER_SETTINGS_ASM:BOOL=no -DWOLFSSL_WOLFSSH:BOOL=ON -DWOLFSSL_X86_64_BUILD_ASM:BOOL=yes \
-            -DWOLFSSL_MLKEM=1 -DWOLFSSL_LMS=1 -DWOLFSSL_LMSSHA256192=1 -DWOLFSSL_EXPERIMENTAL=1 \
+            -DWOLFSSL_MLKEM:BOOL=yes -DWOLFSSL_LMS:BOOL=yes -DWOLFSSL_LMSSHA256192:BOOL=yes \
             -DWOLFSSL_X963KDF:BOOL=yes -DWOLFSSL_DILITHIUM:BOOL=yes -DWOLFSSL_PKCS11:BOOL=yes \
             -DWOLFSSL_ECCSI:BOOL=yes -DWOLFSSL_SAKKE:BOOL=yes -DWOLFSSL_SIPHASH:BOOL=yes \
             -DWOLFSSL_WC_RSA_DIRECT:BOOL=yes -DWOLFSSL_PUBLIC_MP:BOOL=yes \
diff --git a/CMakeLists.txt b/CMakeLists.txt
@@ -612,11 +612,39 @@ add_option(WOLFSSL_MLKEM
     "Enable the wolfSSL PQ ML-KEM library (default: disabled)"
     "no" "yes;no")
 
+if (WOLFSSL_MLKEM)
+    list(APPEND WOLFSSL_DEFINITIONS "-DWOLFSSL_HAVE_MLKEM")
+    list(APPEND WOLFSSL_DEFINITIONS "-DWOLFSSL_WC_MLKEM")
+    list(APPEND WOLFSSL_DEFINITIONS "-DWOLFSSL_SHA3")
+    list(APPEND WOLFSSL_DEFINITIONS "-DWOLFSSL_SHAKE128")
+    list(APPEND WOLFSSL_DEFINITIONS "-DWOLFSSL_SHAKE256")
+
+    set_wolfssl_definitions("WOLFSSL_HAVE_MLKEM" RESULT)
+    set_wolfssl_definitions("WOLFSSL_WC_MLKEM"   RESULT)
+    set_wolfssl_definitions("WOLFSSL_SHA3"       RESULT)
+    set_wolfssl_definitions("WOLFSSL_SHAKE128"   RESULT)
+    set_wolfssl_definitions("WOLFSSL_SHAKE256"   RESULT)
+endif()
+
 # Dilithium
 add_option(WOLFSSL_DILITHIUM
     "Enable the wolfSSL PQ Dilithium (ML-DSA) implementation (default: disabled)"
     "no" "yes;no")
 
+if (WOLFSSL_DILITHIUM)
+    list(APPEND WOLFSSL_DEFINITIONS "-DHAVE_DILITHIUM")
+    list(APPEND WOLFSSL_DEFINITIONS "-DWOLFSSL_WC_DILITHIUM")
+    list(APPEND WOLFSSL_DEFINITIONS "-DWOLFSSL_SHA3")
+    list(APPEND WOLFSSL_DEFINITIONS "-DWOLFSSL_SHAKE128")
+    list(APPEND WOLFSSL_DEFINITIONS "-DWOLFSSL_SHAKE256")
+
+    set_wolfssl_definitions("HAVE_DILITHIUM"       RESULT)
+    set_wolfssl_definitions("WOLFSSL_WC_DILITHIUM" RESULT)
+    set_wolfssl_definitions("WOLFSSL_SHA3"         RESULT)
+    set_wolfssl_definitions("WOLFSSL_SHAKE128"     RESULT)
+    set_wolfssl_definitions("WOLFSSL_SHAKE256"     RESULT)
+endif()
+
 # LMS
 add_option(WOLFSSL_LMS
     "Enable the PQ LMS Stateful Hash-based Signature Scheme (default: disabled)"
@@ -626,6 +654,22 @@ add_option(WOLFSSL_LMSSHA256192
     "Enable the LMS SHA_256_192 truncated variant (default: disabled)"
     "no" "yes;no")
 
+if (WOLFSSL_LMS)
+    list(APPEND WOLFSSL_DEFINITIONS "-DWOLFSSL_HAVE_LMS")
+    list(APPEND WOLFSSL_DEFINITIONS "-DWOLFSSL_WC_LMS")
+
+    set_wolfssl_definitions("WOLFSSL_HAVE_LMS" RESULT)
+    set_wolfssl_definitions("WOLFSSL_WC_LMS"   RESULT)
+
+    if (WOLFSSL_LMSSHA256192)
+        list(APPEND WOLFSSL_DEFINITIONS "-DWOLFSSL_LMS_SHA256_192")
+        list(APPEND WOLFSSL_DEFINITIONS "-DWOLFSSL_NO_LMS_SHA256_256")
+
+        set_wolfssl_definitions("WOLFSSL_LMS_SHA256_192"    RESULT)
+        set_wolfssl_definitions("WOLFSSL_NO_LMS_SHA256_256" RESULT)
+    endif()
+endif()
+
 # Experimental features
 add_option(WOLFSSL_EXPERIMENTAL
     "Enable experimental features (default: disabled)"
@@ -666,77 +710,6 @@ if (WOLFSSL_EXPERIMENTAL)
         message(STATUS "Looking for WOLFSSL_OQS - not found")
     endif()
 
-    # Checking for experimental feature: WOLFSSL_MLKEM
-    message(STATUS "Looking for WOLFSSL_MLKEM")
-    if (WOLFSSL_MLKEM)
-        set(WOLFSSL_FOUND_EXPERIMENTAL_FEATURE 1)
-
-        message(STATUS "Automatically set related requirements for ML-KEM:")
-        add_definitions("-DWOLFSSL_HAVE_MLKEM")
-        add_definitions("-DWOLFSSL_WC_MLKEM")
-        add_definitions("-DWOLFSSL_SHA3")
-        add_definitions("-DWOLFSSL_SHAKE128")
-        add_definitions("-DWOLFSSL_SHAKE256")
-
-        set_wolfssl_definitions("WOLFSSL_HAVE_MLKEM" RESULT)
-        set_wolfssl_definitions("WOLFSSL_WC_MLKEM"   RESULT)
-        set_wolfssl_definitions("WOLFSSL_SHA3"       RESULT)
-        set_wolfssl_definitions("WOLFSSL_SHAKE128"   RESULT)
-        set_wolfssl_definitions("WOLFSSL_SHAKE256"   RESULT)
-        message(STATUS "Looking for WOLFSSL_MLKEM - found")
-    else()
-        message(STATUS "Looking for WOLFSSL_MLKEM - not found")
-    endif()
-
-    # Checking for experimental feature: WOLFSSL_LMS
-    message(STATUS "Looking for WOLFSSL_LMS")
-    if (WOLFSSL_LMS)
-        set(WOLFSSL_FOUND_EXPERIMENTAL_FEATURE 2)
-
-        message(STATUS "Automatically set related requirements for LMS")
-        add_definitions("-DWOLFSSL_HAVE_LMS")
-        add_definitions("-DWOLFSSL_WC_LMS")
-        set_wolfssl_definitions("WOLFSSL_HAVE_LMS" RESULT)
-        set_wolfssl_definitions("WOLFSSL_WC_LMS"   RESULT)
-        message(STATUS "Looking for WOLFSSL_LMS - found")
-        # Checking for experimental feature: WOLFSSL_LMSSHA256192
-        if (WOLFSSL_LMSSHA256192)
-            message(STATUS "Automatically set related requirements for LMS SHA256-192")
-            add_definitions("-DWOLFSSL_LMS_SHA256_192")
-            add_definitions("-DWOLFSSL_NO_LMS_SHA256_256")
-            set_wolfssl_definitions("WOLFSSL_LMS_SHA256_192"    RESULT)
-            set_wolfssl_definitions("WOLFSSL_NO_LMS_SHA256_256" RESULT)
-            message(STATUS "Looking for WOLFSSL_LMSSHA256192 - found")
-        else()
-            message(STATUS "Looking for WOLFSSL_LMSSHA256192 - not found")
-        endif()
-    else()
-        message(STATUS "Looking for WOLFSSL_LMS - not found")
-    endif()
-
-    # Checking for experimental feature: Dilithium
-    message(STATUS "Looking for WOLFSSL_DILITHIUM")
-    if (WOLFSSL_DILITHIUM)
-        set(WOLFSSL_FOUND_EXPERIMENTAL_FEATURE 1)
-
-        message(STATUS "Automatically set related requirements for Dilithium:")
-        add_definitions("-DHAVE_DILITHIUM")
-        add_definitions("-DWOLFSSL_WC_DILITHIUM")
-        add_definitions("-DWOLFSSL_SHA3")
-        add_definitions("-DWOLFSSL_SHAKE128")
-        add_definitions("-DWOLFSSL_SHAKE256")
-
-        message(STATUS "Automatically set related requirements for Dilithium:")
-        set_wolfssl_definitions("HAVE_DILITHIUM"       RESULT)
-        set_wolfssl_definitions("WOLFSSL_WC_DILITHIUM" RESULT)
-        set_wolfssl_definitions("WOLFSSL_SHA3"         RESULT)
-        set_wolfssl_definitions("WOLFSSL_SHAKE128"     RESULT)
-        set_wolfssl_definitions("WOLFSSL_SHAKE256"     RESULT)
-        message(STATUS "Looking for WOLFSSL_DILITHIUM - found")
-    else()
-        message(STATUS "Looking for WOLFSSL_DILITHIUM - not found")
-    endif()
-
     # Other experimental feature detection can be added here...
 
     # Were any experimental features found? Display a message.
@@ -759,12 +732,6 @@ else()
     if (WOLFSSL_OQS)
         message(FATAL_ERROR "Error: WOLFSSL_OQS requires WOLFSSL_EXPERIMENTAL at this time.")
     endif()
-    if(WOLFSSL_MLKEM)
-        message(FATAL_ERROR "Error: WOLFSSL_MLKEM requires WOLFSSL_EXPERIMENTAL at this time.")
-    endif()
-    if(WOLFSSL_DILITHIUM)
-        message(FATAL_ERROR "Error: WOLFSSL_DILITHIUM requires WOLFSSL_EXPERIMENTAL at this time.")
-    endif()
 endif()
 
 # LMS
