Draft
Conversation
Frauschi
force-pushed
the
pqc_first
branch
10 times, most recently
from
cb08c65 to
0040099
Compare
dgarske
requested changes
Feb 5, 2026
Contributor
dgarske
left a comment
dgarske
left a comment
There was a problem hiding this comment.
CI is unhappy with some of the implicit casts I think:
from wolfcrypt/src/wc_mlkem.c:66:
wolfcrypt/src/wc_mlkem.c: In function 'wc_MlKemKey_MakeKeyWithRandom':
wolfcrypt/src/wc_mlkem.c:519:53: error: conversion to 'long unsigned int' from 'int' may change the sign of the result [-Werror=sign-conversion]
519 | e = (sword16*)XMALLOC((k + 1) * k * MLKEM_N * sizeof(sword16),
| ^
./wolfssl/wolfcrypt/types.h:790:33: note: in definition of macro 'XMALLOC'
790 | wolfSSL_Malloc((s)))
| ^
wolfcrypt/src/wc_mlkem.c:560:22: error: conversion from 'int' to 'byte' {aka 'unsigned char'} may change value [-Werror=conversion]
560 | buf[0] = k;
| ^
wolfcrypt/src/wc_mlkem.c: In function 'mlkemkey_encapsulate':
wolfcrypt/src/wc_mlkem.c:852:42: error: conversion to 'int' from 'unsigned int' may change the sign of the result [-Werror=sign-conversion]
852 | ret = mlkem_get_noise(&key->prf, k, y, e1, e2, r);
| ^
Contributor
Author
Yeah I already talked to @SparkiDev about these and I still have to fix them (trying to fix the other failing tests first). The ML-KEM source files haven't yet been under test with these conversion checks. |
Frauschi
force-pushed
the
pqc_first
branch
7 times, most recently
from
e33882d to
6bd2639
Compare
* Enable ML-KEM by default * Only allow three to-be-standardized hybrid PQ/T combinatations by default * Use X25519MLKEM768 as the default KeyShare in the ClientHello (if user does not override that) * Disable standalone ML-KEM in supported groups by default (enable with --enable-tls-mlkem-standalone) * Disable extra OQS-based hybrid PQ/T curves by default and gate behind --enable-experimental (enable with --enable-extra-pqc-hybrids) * Reorder the SupportedGroups extension to reflect the preferences * Reorder the preferredGroup array to also reflect the same preferences * Enable DTLS1.3 ClientHello fragmentation by default when both DTLS1.3 and ML-KEM are enabled * Fix memory leak in TLS server PQC handling in case of ECH * Ensure PQ/T hybrids are properly tested in unit tests
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
This PR changes the following:
SECP256R1MLKEM768,X25519MLKEM768,SECP384R1MLKEM1024).X25519MLKEM768as the default KeyShare in the ClientHello (if user does not override that) ifCurve25519is enabled. Otherwise, useSECP384MLKEM1024orSECP256MLKEM768.--enable-tls-mlkem-standalone)--enable-experimental(enable with--enable-extra-pqc-hybrids)preferredGrouparray to also reflect the same preferencesThis also reflects the same behavior as OpenSSL has since version 3.5.
Currently a draft, as some tests regarding DTLS 1.3 and fragmentation fail.